tina4ruby 3.13.36 → 3.13.38

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7266dfb9cb9605c62b61d64de0c2586ff6824f2a22ad87aae74403f1d171c495
-  data.tar.gz: 0f9dffee4f4242c9c03899b79742a314bde065308da3e852c1af76fb1ade6be9
+  metadata.gz: 6ed3d68931d97c88f7d7ea9128420ce4b531da04f47536c3f64abac71f3edbb3
+  data.tar.gz: 4124c02d8ddefcb645eee1d5a52ddef31a4e2ebeecfd11fe81b7999a3784802a
 SHA512:
-  metadata.gz: ad75e74701786bf08fd4fc3c143a0d5f6731dbe0aa5feb5d46afb5c2472a113daa9dd0d2962f616c0a811318fed23091e40248117aee22923ea7fa35a81b6ab5
-  data.tar.gz: c5622aff3bf9fb522969dbe5431ae1a2aa8416712ade87ccd277529418a1aea6a427a25a211198342cfca0bebcff81305db70e6be01a0a11cfd7a2e99ebd6a9a
+  metadata.gz: 6a5f5f009385d5e4ce97d0289db83d2d60d1bb2410019c88892fe5f6c22fc2c358654021965ebe4a8b2d159ac7958dd6b57ba41c8b879cf385cc6632428666c5
+  data.tar.gz: 4a7d3a41ce8ca5e8283318d487745b90c726e03c648c4480807c8e2fd40910d7472e5371e0c910ef6e68e914d057d65faaa4955efaf585bc93d84919ac567de6

data/lib/tina4/auth.rb

@@ -3,11 +3,20 @@ require "openssl"
 require "base64"
 require "json"
 require "fileutils"
+require "securerandom"
 
 module Tina4
   module Auth
     KEYS_DIR = ".keys"
 
+    # Single source of truth for the blank-secret warning, emitted identically
+    # from both the CI/prod boot path (ensure_dev_secret) and the lazy
+    # per-call resolver (hmac_secret). Actionable: names exactly what to set.
+    BLANK_SECRET_WARNING =
+      "Auth: TINA4_SECRET is not set — JWT signing is insecure. Set TINA4_SECRET " \
+      "to a random value (e.g. `openssl rand -hex 32`) in your environment or " \
+      ".env before serving traffic."
+
     class << self
       def setup(root_dir = Dir.pwd)
         @keys_dir = File.join(root_dir, KEYS_DIR)
@@ -15,6 +24,54 @@ module Tina4
         ensure_keys
       end
 
+      # Boot-time bootstrap (run once after env load, before auth is used).
+      #
+      # Mirrors the Python master's tina4_python.auth.ensure_dev_secret:
+      #   - If TINA4_SECRET is already set → no-op (returns nil).
+      #   - Else if NOT dev, OR CI, OR production → emit the actionable
+      #     blank-secret warning and return nil. NEVER generates or persists a
+      #     secret in CI or production. (Hard security constraint.)
+      #   - Else (dev, not CI, not prod, blank secret) → mint a 32-byte
+      #     (64 hex char) random secret, set it in the process env immediately,
+      #     then APPEND it to <root_dir>/.env.local (gitignored, created if
+      #     missing). On ANY write failure keep the in-memory secret and warn —
+      #     never raise (boot must not crash).
+      #
+      # `root_dir` exists only so tests can target a temp dir without chdir;
+      # production callers pass nothing (defaults to Dir.pwd).
+      #
+      # Returns the generated secret (String) when it mints one, else nil.
+      def ensure_dev_secret(root_dir = Dir.pwd)
+        existing = ENV["TINA4_SECRET"]
+        return nil if existing && !existing.empty?
+
+        unless dev? && !ci? && !production?
+          warn_blank_secret
+          return nil
+        end
+
+        new_secret = SecureRandom.hex(32) # 32 bytes -> 64 hex chars
+        ENV["TINA4_SECRET"] = new_secret  # available for this run immediately
+
+        begin
+          local_path = File.join(root_dir, ".env.local")
+          # If the file exists and does not end in a newline, prepend one so the
+          # new key lands on its own line rather than gluing onto the last value.
+          prefix = ""
+          if File.exist?(local_path)
+            content = File.read(local_path)
+            prefix = "\n" if !content.empty? && !content.end_with?("\n")
+          end
+          File.open(local_path, "a") { |f| f.write("#{prefix}TINA4_SECRET=#{new_secret}\n") }
+          log_info("Auth: generated a development secret, saved to .env.local (gitignored)")
+        rescue StandardError => e
+          # Keep the in-memory secret for this run; just warn. Never crash boot.
+          log_warning("Auth: generated a development secret but could not write .env.local (#{e.message}); using it for this run only")
+        end
+
+        new_secret
+      end
+
       # ── HS256 helpers (stdlib only, no gem) ──────────────────────
 
       # Returns true when SECRET env var is set and no RSA keys exist in .keys/
@@ -28,8 +85,13 @@ module Tina4
           File.exist?(File.join(@keys_dir, "public.pem")))
       end
 
+      # Lazy per-call secret resolver. When the secret is blank, emit the
+      # actionable blank-secret warning (the same text the CI/prod bootstrap
+      # path uses) before returning. Parity with Python's _resolve_secret.
       def hmac_secret
-        ENV["TINA4_SECRET"]
+        secret = ENV["TINA4_SECRET"]
+        warn_blank_secret if secret.nil? || secret.empty?
+        secret
       end
 
       # Base64url-encode without padding (JWT spec)
@@ -196,9 +258,12 @@ module Tina4
 
         token = Regexp.last_match(1)
 
-        # API_KEY bypass — matches tina4_python behavior
-        api_key = ENV["TINA4_API_KEY"]
-        if api_key && !api_key.empty? && token == api_key
+        # API_KEY bypass — timing-safe comparison via validate_api_key
+        # (OpenSSL.fixed_length_secure_compare). Parity with Python's
+        # authenticate_request (validate_api_key), PHP (hash_equals) and
+        # Node (timingSafeEqual). Never use a plain `==` here — that leaks the
+        # key length/prefix through comparison timing.
+        if validate_api_key(token)
           return { "api_key" => true }
         end
 
@@ -235,9 +300,12 @@ module Tina4
 
           token = Regexp.last_match(1)
 
-          # API_KEY bypass — matches tina4_python behavior
-          api_key = ENV["TINA4_API_KEY"]
-          if api_key && !api_key.empty? && token == api_key
+          # API_KEY bypass — timing-safe comparison via validate_api_key
+          # (OpenSSL.fixed_length_secure_compare). Parity with Python's
+          # authenticate_request (validate_api_key), PHP (hash_equals) and
+          # Node (timingSafeEqual). Never use a plain `==` here — that leaks the
+          # key length/prefix through comparison timing.
+          if validate_api_key(token)
             env["tina4.auth"] = { "api_key" => true }
             return true
           end
@@ -271,6 +339,49 @@ module Tina4
 
       private
 
+      # ── Dev-secret bootstrap helpers (parity with Python master) ──
+
+      # Dev when the framework debug flag is truthy (TINA4_DEBUG).
+      def dev?
+        Tina4::Env.is_truthy(ENV["TINA4_DEBUG"])
+      end
+
+      # CI when the de-facto CI env var is truthy.
+      def ci?
+        Tina4::Env.is_truthy(ENV["CI"])
+      end
+
+      # Production when TINA4_ENV (default "development") is "production".
+      def production?
+        (ENV["TINA4_ENV"] || "development").to_s.strip.downcase == "production"
+      end
+
+      # Emit the single actionable blank-secret warning. Same text from the
+      # CI/prod bootstrap path and the lazy per-call resolver.
+      def warn_blank_secret
+        log_warning(BLANK_SECRET_WARNING)
+      end
+
+      def log_info(message)
+        if defined?(Tina4::Log)
+          Tina4::Log.info(message)
+        else
+          warn(message)
+        end
+      rescue StandardError
+        warn(message)
+      end
+
+      def log_warning(message)
+        if defined?(Tina4::Log)
+          Tina4::Log.warning(message)
+        else
+          warn(message)
+        end
+      rescue StandardError
+        warn(message)
+      end
+
       def ensure_keys
         @keys_dir ||= File.join(Dir.pwd, KEYS_DIR)
         FileUtils.mkdir_p(@keys_dir)

data/lib/tina4/cli.rb

@@ -5,7 +5,7 @@ require "fileutils"
 
 module Tina4
   class CLI
-    COMMANDS = %w[init start migrate migrate:status migrate:rollback seed seed:create test version routes console generate ai help].freeze
+    COMMANDS = %w[init start migrate migrate:status migrate:rollback seed seed:create test version routes console generate ai metrics help].freeze
 
     # ── Field type mapping ──────────────────────────────────────────────
     FIELD_TYPE_MAP = {
@@ -43,6 +43,7 @@ module Tina4
       when "console"    then cmd_console
       when "generate"   then cmd_generate(argv)
       when "ai"         then cmd_ai(argv)
+      when "metrics"    then cmd_metrics(argv)
       when "help", "-h", "--help" then cmd_help
       else
         puts "Unknown command: #{command}"
@@ -85,7 +86,7 @@ module Tina4
     # Parse --key value and --flag from args. Returns [flags_hash, positional_array]
     def parse_flags(args)
       # Boolean-only flags that never take a value argument
-      boolean_flags = %w[no-browser no-reload production managed all clear dev]
+      boolean_flags = %w[no-browser no-reload production managed all clear dev json]
 
       flags = {}
       positional = []
@@ -488,6 +489,100 @@ module Tina4
       end
     end
 
+    # ── metrics ───────────────────────────────────────────────────────────
+
+    # Report top code-quality offenders (complexity, size, maintainability,
+    # tests). Mirrors the Python-master `tina4python metrics` command.
+    #
+    #   tina4ruby metrics                       # human report, scans src/ (or framework)
+    #   tina4ruby metrics --top 10              # only the worst 10
+    #   tina4ruby metrics --path lib            # scan a specific directory
+    #   tina4ruby metrics --json                # machine-readable for CI
+    #   tina4ruby metrics --fail-on warn        # exit 1 if any warn/error offender
+    #   tina4ruby metrics --fail-on error       # exit 1 only on error-severity
+    def cmd_metrics(argv)
+      require "json"
+      require "set"
+      require_relative "metrics"
+
+      flags, _positional = parse_flags(argv)
+
+      top = (flags["top"].to_s =~ /\A\d+\z/) ? flags["top"].to_i : 20
+      as_json = flags.key?("json")
+      path = flags["path"].is_a?(String) ? flags["path"] : "src"
+      fail_on = flags["fail-on"].is_a?(String) ? flags["fail-on"] : nil
+
+      unless [nil, "warn", "error"].include?(fail_on)
+        puts "  invalid --fail-on '#{fail_on}' (use warn or error)"
+        exit 2
+      end
+
+      result = Tina4::Metrics.offenders(path, top)
+      summary = result["summary"]
+      found = result["offenders"]
+
+      if summary.key?("error")
+        puts "  metrics error: #{summary['error']}"
+        exit 2
+      end
+
+      # Decide exit code from the FULL offender set, not just the printed top-N.
+      # full_analysis is cached, so this reuses the same analysis.
+      all_offenders = Tina4::Metrics.offenders(path, [summary["total_offenders"], 1].max)["offenders"]
+      severities = all_offenders.map { |o| o["severity"] }.to_set
+      exit_code = 0
+      if fail_on == "warn" && !(severities & %w[warn error]).empty?
+        exit_code = 1
+      elsif fail_on == "error" && severities.include?("error")
+        exit_code = 1
+      end
+
+      if as_json
+        puts JSON.pretty_generate({ "summary" => summary, "offenders" => found })
+        exit exit_code
+      end
+
+      # ── Human report ──────────────────────────────────────────────────
+      use_color = $stdout.tty?
+      colorize = lambda do |text, code|
+        use_color ? "\e[#{code}m#{text}\e[0m" : text
+      end
+      sev_color = { "error" => "31", "warn" => "33", "info" => "2" } # red / yellow / dim
+
+      puts
+      puts "  Tina4 Metrics — #{summary['scan_mode']} scan (#{summary['scan_root']})"
+      puts "  files: #{summary['files_analyzed']}   " \
+           "functions: #{summary['total_functions']}   " \
+           "avg complexity: #{summary['avg_complexity']}   " \
+           "avg maintainability: #{summary['avg_maintainability']}"
+      showing = found.empty? ? "" : " (showing top #{found.length})"
+      puts "  offenders: #{summary['total_offenders']} total#{showing}"
+      puts
+
+      if found.empty?
+        puts "  " + colorize.call("✓ no offenders — clean", "32")
+        puts
+        exit exit_code
+      end
+
+      # Compute column widths so the table lines up.
+      locs = found.map { |o| "#{o['file']}:#{o['line']}" }
+      loc_w = [("FILE:LINE".length)].concat(locs.map(&:length)).max
+      kind_w = [("KIND".length)].concat(found.map { |o| o["kind"].length }).max
+
+      header = format("  %3s  %-8s  %-#{kind_w}s  %-#{loc_w}s  DETAIL", "#", "SEVERITY", "KIND", "FILE:LINE")
+      puts colorize.call(header, "1")
+      puts "  " + ("-" * (header.length - 2))
+      found.each_with_index do |o, i|
+        sev = o["severity"]
+        sev_cell = colorize.call(format("%-8s", sev), sev_color[sev])
+        puts format("  %3d  %s  %-#{kind_w}s  %-#{loc_w}s  %s",
+                    i + 1, sev_cell, o["kind"], locs[i], o["detail"])
+      end
+      puts
+      exit exit_code
+    end
+
     # ── generate ────────────────────────────────────────────────────────
 
     def cmd_generate(argv)
@@ -1225,6 +1320,7 @@ module Tina4
           routes             List all registered routes
           console            Start an interactive console
           ai                 Detect AI tools and install context files
+          metrics            Rank top code-quality offenders
           help               Show this help message
 
         Generators:
@@ -1238,6 +1334,13 @@ module Tina4
           generate view <Name> [--fields "..."]   List + detail templates for viewing records
           generate auth                           Login/register/logout routes + User model + templates
 
+        Metrics:
+          metrics [--top N] [--json] [--fail-on warn|error] [--path DIR]
+            --top N        Show only the worst N offenders (default: 20)
+            --json         Print machine-readable JSON ({summary, offenders}) for CI
+            --fail-on      Exit 1 if any offender at/above this severity (warn|error)
+            --path DIR     Scan DIR (default: src/, auto-resolves to the framework)
+
         Field types: string, int, float, bool, text, datetime, blob
         Table names: singular by default (Product -> product)
 
@@ -1346,6 +1449,7 @@ module Tina4
       unless File.exist?(File.join(dir, ".gitignore"))
         File.write(File.join(dir, ".gitignore"), <<~TEXT)
           .env
+          .env.local
           .keys/
           logs/
           sessions/