PyPI - cello-framework - Versions diffs - 1.2.1__tar.gz → 1.2.3__tar.gz - Mend

cello-framework 1.2.1tar.gz → 1.2.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (290) hide show

{cello_framework-1.2.1 → cello_framework-1.2.3}/CLAUDE.md RENAMED Viewed

@@ -4,7 +4,7 @@
 **Cello** is an ultra-fast, Rust-powered Python async web framework designed to achieve C-level performance on the hot path while maintaining Python's developer experience. It's the successor to frameworks like FastAPI, Robyn, and Litestar, combining their best features with pure Rust implementation for maximum performance.
-**Version:** 1.1.0
+**Version:** 1.2.3
 **License:** MIT
 **Python Requirement:** 3.12+
 **Author:** Jagadeesh Katla
@@ -346,7 +346,9 @@ def handle_value_error(request, exc):
 ## Version History
-- **v1.2.1**: Bug fixes — server port never bound (`pyo3_asyncio` replaced with native `py.allow_threads` + `tokio::block_on`); `ProblemDetails` was missing from Python module export; `And`/`Or` guards now accept both `*args` and list styles; doc corrections (`type_uri` not `type_url`)
+- **v1.2.3**: Full middleware Python API — `cello.middleware` module with `JwtAuth`, `BasicAuth`, `ApiKeyAuth`, `CsrfConfig`, `AdaptiveRateLimitConfig`; `app.use()` dispatcher; 6 new `enable_*` methods on App (`enable_jwt`, `enable_session`, `enable_security_headers`, `enable_csrf`, `enable_basic_auth`, `enable_api_key`); all docs import paths corrected (`from cello import RoleGuard` not `cello.guards`)
+- **v1.2.2**: Security & bug fixes — CSRF `HttpOnly` on double-submit cookie (critical, broke all AJAX CSRF); all middleware `skip_path` prefix bypass fixed via `path_matches_skip()` helper; `FixedWindowStore` window_start never updated after reset; unused `mut` cleaned in minijinja tests
+- **v1.2.1**: Bug fixes — server port never bound (`pyo3_asyncio` replaced with native `py.allow_threads` + `tokio::block_on`); `ProblemDetails` was missing from Python module export; `And`/`Or` guards now accept both `*args` and list styles; CSRF `HttpOnly` removed from double-submit cookie (JS must read it); `FixedWindowStore` window_start never updated after reset; all middleware `skip_path` used raw `starts_with` allowing prefix bypass; doc corrections (`type_uri` not `type_url`)
 - **v1.2.0**: Bug fixes (shutdown coroutine never awaited, KeyboardInterrupt in shutdown handler, `request.redis` AttributeError); Redis Lua scripting (`eval`, `evalsha`, `script_load`); Rust-native `AsyncClient` backed by `reqwest + Tokio` — GIL never held during HTTP I/O, HTTP/2, gzip, rustls
 - **v1.1.0**: MiniJinja Jinja2-compatible template engine (`MiniJinjaEngine`, `App.enable_templates()`, `App.render()`, `App.render_string()`); minijinja 2 Rust crate; HTML auto-escaping; globals; 47 new tests; 6 examples
 - **v1.0.1**: Cross-platform fixes (Windows multi-worker, signal handling, UNC paths; ARM JSON fallback; Linux-only CPU affinity), async compatibility fixes (handler validation, guards, cache decorator, blueprints), guards and database exports in `__all__`

{cello_framework-1.2.1 → cello_framework-1.2.3}/Cargo.lock RENAMED Viewed

@@ -341,7 +341,7 @@ dependencies = [
 [[package]]
 name = "cello-framework"
-version = "1.2.1"
+version = "1.2.3"
 dependencies = [
  "async-graphql",
  "async-graphql-value",

{cello_framework-1.2.1 → cello_framework-1.2.3}/Cargo.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [package]
 name = "cello-framework"
-version = "1.2.1"
+version = "1.2.3"
 edition = "2021"
 description = "Ultra-fast Rust-powered Python async web framework"
 license = "MIT"

{cello_framework-1.2.1 → cello_framework-1.2.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cello-framework
-Version: 1.2.1
+Version: 1.2.3
 Classifier: Development Status :: 5 - Production/Stable
 Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: MIT License

{cello_framework-1.2.1 → cello_framework-1.2.3}/docs/features/core/async.md RENAMED Viewed

@@ -254,8 +254,7 @@ All Python-side decorators and wrappers in Cello automatically detect whether a
 | Pydantic validation | Yes | Validates the request body, then awaits the handler |
 ```python
-from cello import App, cache
-from cello.guards import RoleGuard
+from cello import App, cache, RoleGuard
 from pydantic import BaseModel
 app = App()

{cello_framework-1.2.1 → cello_framework-1.2.3}/docs/features/core/blueprints.md RENAMED Viewed

@@ -183,8 +183,7 @@ app.register_blueprint(v2)
 Apply middleware to all routes within a blueprint. Async handlers work seamlessly with blueprint-level middleware and per-route guards:
 ```python
-from cello import App, Blueprint
-from cello.guards import RoleGuard, Authenticated
+from cello import App, Blueprint, RoleGuard, Authenticated
 # Public blueprint -- no auth required
 public_bp = Blueprint("/public")

{cello_framework-1.2.1 → cello_framework-1.2.3}/docs/features/middleware/overview.md RENAMED Viewed

@@ -172,8 +172,7 @@ app.use(ApiKeyAuth(keys={"key1": "service-a"}, header="X-API-Key"))
 All Python-side middleware wrappers -- including the `@cache` decorator, guard wrappers, and Pydantic validation -- fully support async handlers. Each wrapper uses `inspect.iscoroutinefunction()` to detect async handlers at decoration time and generates the appropriate sync or async wrapper. This means you can freely use `async def` handlers with any combination of caching, guards, and validation without encountering unawaited coroutine issues.
 ```python
-from cello import App, cache
-from cello.guards import RoleGuard
+from cello import App, cache, RoleGuard
 from pydantic import BaseModel
 class Item(BaseModel):

{cello_framework-1.2.1 → cello_framework-1.2.3}/docs/features/security/overview.md RENAMED Viewed

@@ -261,7 +261,7 @@ app.use(api_auth)
 Control access with composable guards:
 ```python
-from cello.guards import RoleGuard, PermissionGuard, And, Or
+from cello import RoleGuard, PermissionGuard, And, Or
 # Simple role check
 admin_only = RoleGuard(["admin"])

{cello_framework-1.2.1 → cello_framework-1.2.3}/docs/index.md RENAMED Viewed

@@ -37,7 +37,7 @@ hide:
 [:material-package-variant: PyPI](https://pypi.org/project/cello-framework/){ .md-button }
 <div class="hero-badges">
-  <code class="badge-version">v1.2.0</code>
+  <code class="badge-version">v1.2.3</code>
   <code class="badge-tests">441 tests passing</code>
   <code class="badge-license">MIT License</code>
   <code class="badge-python">Python 3.12+</code>
@@ -178,8 +178,7 @@ hide:
 === ":material-api: REST API"
     ```python
-    from cello import App, Response, Blueprint
-    from cello.guards import RoleGuard
+    from cello import App, Response, Blueprint, RoleGuard
     app = App()
     api = Blueprint("api", url_prefix="/api/v1")
@@ -371,21 +370,23 @@ How Cello stacks up against popular Python web frameworks (4 workers, 5 processe
 <!-- ===== WHAT'S NEW ===== -->
-## :material-creation: What's New in v1.2.0
+## :material-creation: What's New in v1.2.3
 <div class="whats-new-box" markdown>
-!!! tip "v1.2.0 -- Bug Fixes & Rust-Native AsyncClient"
+!!! tip "v1.2.3 -- Full Middleware Python API & Correct Import Paths"
-    Cello v1.2.0 ships critical bug fixes and a brand-new Rust-native HTTP client — the GIL is never held during HTTP I/O.
+    Cello v1.2.3 exposes the complete auth & security middleware suite to Python, and fixes all doc import errors.
-    - :material-bug-check: **Critical Bug Fixes** -- Shutdown coroutine now properly awaited, `KeyboardInterrupt` handled cleanly in shutdown handler, `request.redis` AttributeError resolved.
+    - :material-api: **`app.use(middleware)`** -- New universal dispatcher: `app.use(JwtAuth(...))`, `app.use(BasicAuth(...))`, `app.use(ApiKeyAuth(...))`, `app.use(CsrfConfig())`.
-    - :material-language-rust: **Rust-Native AsyncClient** -- Backed by `reqwest + Tokio` with HTTP/2, gzip, and rustls. GIL is never held during HTTP I/O — true async performance.
+    - :material-package: **`cello.middleware` module** -- `from cello.middleware import JwtAuth, BasicAuth, ApiKeyAuth, CsrfConfig` now works.
-    - :material-database: **Redis Lua Scripting** -- New `eval`, `evalsha`, and `script_load` methods for atomic server-side operations.
+    - :material-language-rust: **6 new Rust-backed methods** -- `enable_jwt()`, `enable_session()`, `enable_security_headers()`, `enable_csrf()`, `enable_basic_auth()`, `enable_api_key()` added to App.
-    [:material-tag: Full Release Notes](releases/v1.2.0.md){ .md-button .md-button--primary }
+    - :material-import: **All import paths corrected** -- `from cello import RoleGuard` (not `from cello.guards`). All 9 affected doc pages fixed.
+    [:material-tag: Full Release Notes](releases/v1.2.3.md){ .md-button .md-button--primary }
     [:material-book-open-variant: Migration Guide](releases/migration.md){ .md-button }
 </div>

{cello_framework-1.2.1 → cello_framework-1.2.3}/docs/overrides/main.html RENAMED Viewed

@@ -2,7 +2,7 @@
 {% block announce %}
 <span class="cello-announce">
-  Cello v1.2.0 — Redis Lua scripting, Rust-native AsyncClient, critical bug fixes
+  Cello v1.2.3 — Full middleware Python API (JwtAuth, BasicAuth, ApiKeyAuth, app.use())
   <a href="{{ base_url }}/releases/" class="cello-announce-link">
     Release notes →
   </a>
@@ -37,7 +37,7 @@
     "operatingSystem": "Linux, macOS, Windows",
     "programmingLanguage": ["Python", "Rust"],
     "license": "https://opensource.org/licenses/MIT",
-    "softwareVersion": "1.2.0",
+    "softwareVersion": "1.2.3",
     "author": {
       "@type": "Person",
       "name": "Jagadeesh Katla",

{cello_framework-1.2.1 → cello_framework-1.2.3}/docs/reference/api/app.md RENAMED Viewed

@@ -728,9 +728,9 @@ Add a global guard to all routes.
 > *Since v0.5.0*
 ```python
-from cello.guards import AuthenticatedGuard
+from cello import Authenticated
-app.add_guard(AuthenticatedGuard())
+app.add_guard(Authenticated())
 ```
 | Parameter | Type | Description |

{cello_framework-1.2.1 → cello_framework-1.2.3}/docs/reference/index.md RENAMED Viewed

@@ -78,7 +78,7 @@ The building blocks of every Cello application -- from creating your app to hand
     Role-based and permission-based access control. Composable guards that protect routes and blueprints.
-    **Key classes:** `RoleGuard` `PermissionGuard` `CompositeGuard`
+    **Key classes:** `RoleGuard` `PermissionGuard` `Authenticated` `And` `Or` `Not`
     [:octicons-arrow-right-24: Guards Reference](api/guards.md)
@@ -166,8 +166,8 @@ The most commonly used classes and functions at a glance.
 | [`Response`](api/response.md) | `cello` | HTTP response builder |
 | [`Blueprint`](api/blueprint.md) | `cello` | Route grouping |
 | [`Depends`](api/context.md) | `cello` | Dependency injection marker |
-| [`RoleGuard`](api/guards.md) | `cello.guards` | Role-based access guard |
-| [`PermissionGuard`](api/guards.md) | `cello.guards` | Permission-based access guard |
+| [`RoleGuard`](api/guards.md) | `cello` | Role-based access guard |
+| [`PermissionGuard`](api/guards.md) | `cello` | Permission-based access guard |
 | [`JwtConfig`](config/security.md) | `cello.middleware` | JWT authentication config |
 | [`RateLimitConfig`](config/middleware.md) | `cello.middleware` | Rate limiting config |
 | [`SessionConfig`](config/security.md) | `cello.middleware` | Session management config |
@@ -219,8 +219,7 @@ The most commonly used classes and functions at a glance.
 === "Guards & Auth"
     ```python
-    from cello import App
-    from cello.guards import RoleGuard, PermissionGuard
+    from cello import App, RoleGuard, PermissionGuard
     from cello.middleware import JwtConfig, JwtAuth
     app = App()

{cello_framework-1.2.1 → cello_framework-1.2.3}/docs/releases/v0.5.0.md RENAMED Viewed

@@ -65,14 +65,18 @@ def profile(request, user=Depends(get_current_user)):
 Composable access control guards that run before the handler. Guards inspect the request context and either allow or deny access.
+!!! note "API names updated in v1.x"
+    `RoleGuard`, `PermissionGuard`, `AuthenticatedGuard`, `AndGuard`, `OrGuard`, `NotGuard` were the original v0.5.0 names.
+    Current names: `RoleGuard` → still `RoleGuard` (from `cello`), `PermissionGuard` → still `PermissionGuard` (from `cello`),
+    `AuthenticatedGuard` → `Authenticated`, `AndGuard` → `And`, `OrGuard` → `Or`, `NotGuard` → `Not`.
 ```python
-from cello import App
-from cello.guards import RoleGuard, PermissionGuard, AuthenticatedGuard
+from cello import App, RoleGuard, PermissionGuard, Authenticated
 app = App()
 # Require authentication
-@app.get("/dashboard", guards=[AuthenticatedGuard()])
+@app.get("/dashboard", guards=[Authenticated()])
 def dashboard(request):
     return {"welcome": request.context.get("user_id")}
@@ -90,18 +94,18 @@ def delete_user(request):
 **Composable logic with And, Or, Not:**
 ```python
-from cello.guards import AndGuard, OrGuard, NotGuard
+from cello import And, Or, Not, RoleGuard, PermissionGuard, Authenticated
 # Admin OR has special permission
-flexible = OrGuard([
+flexible = Or([
     RoleGuard(["admin"]),
     PermissionGuard(["elevated:access"]),
 ])
 # Authenticated AND not banned
-safe = AndGuard([
-    AuthenticatedGuard(),
-    NotGuard(RoleGuard(["banned"])),
+safe = And([
+    Authenticated(),
+    Not(RoleGuard(["banned"])),
 ])
 @app.get("/resource", guards=[flexible])

{cello_framework-1.2.1 → cello_framework-1.2.3}/docs/releases/v0.6.0.md RENAMED Viewed

@@ -56,17 +56,10 @@ def create_user(request):
 Rate limits now adjust based on server health:
 ```python
-from cello.middleware import AdaptiveRateLimitConfig
-config = AdaptiveRateLimitConfig(
-    base_requests=100,
-    window=60,
-    cpu_threshold=0.8,      # Reduce limits at 80% CPU
-    memory_threshold=0.9,   # Reduce limits at 90% memory
-    latency_threshold=100,  # Reduce limits if latency > 100ms
-    min_requests=10         # Never go below 10 req/min
-)
+from cello import App, RateLimitConfig
+# Adaptive rate limiting (adjusts based on server load)
+config = RateLimitConfig.adaptive(capacity=100, refill_rate=10)
 app.enable_rate_limit(config)
 ```
@@ -109,18 +102,15 @@ Invalid requests return RFC 7807 Problem Details:
 Protect against cascading failures:
 ```python
-from cello.middleware import CircuitBreaker, CircuitBreakerConfig
+from cello import App
-config = CircuitBreakerConfig(
-    failure_threshold=5,     # Open after 5 failures
-    recovery_timeout=30,     # Try again after 30 seconds
-    half_open_requests=3     # Allow 3 test requests
+app.enable_circuit_breaker(
+    failure_threshold=5,   # Open after 5 failures
+    reset_timeout=30,      # Try again after 30 seconds
+    half_open_target=3,    # Allow 3 test requests in half-open state
 )
-circuit = CircuitBreaker(config)
 @app.get("/external-api")
-@circuit.protect
 async def call_external(request):
     return await external_service.fetch()
 ```
@@ -130,8 +120,7 @@ async def call_external(request):
 Guards can now be applied at multiple levels:
 ```python
-from cello import App, Blueprint
-from cello.guards import RoleGuard, PermissionGuard
+from cello import App, Blueprint, RoleGuard, PermissionGuard
 # Controller-level guard
 admin_bp = Blueprint("/admin", guards=[RoleGuard(["admin"])])
@@ -181,9 +170,7 @@ The cache middleware configuration has changed:
 app.enable_cache(max_age=300)
 # After (v0.6.0)
-from cello.middleware import CacheConfig
-config = CacheConfig(default_ttl=300, max_size=1000)
-app.enable_cache(config)
+app.enable_caching(ttl=300)
 ```
 ### Rate Limit Response

{cello_framework-1.2.1 → cello_framework-1.2.3}/docs/releases/v1.2.1.md RENAMED Viewed

@@ -100,6 +100,64 @@ admin_or_editor = Or(RoleGuard(["admin"]), RoleGuard(["editor"]))
 ---
+### CSRF Cookie Readable by JavaScript (Security)
+**Symptom:** AJAX/SPA applications using CSRF protection failed all POST/PUT/DELETE requests with 403.
+**Root cause:** The CSRF double-submit cookie was set with the `HttpOnly` flag. This prevents
+JavaScript from reading the cookie value, making it impossible for the frontend to copy it into
+the `X-CSRF-Token` header — which is the entire point of the double-submit pattern.
+**Fix:** Removed `HttpOnly` from the CSRF cookie. The CSRF cookie is intentionally readable by
+JavaScript; the session cookie (where sensitive data lives) remains `HttpOnly`.
+```javascript
+// Now works — JS can read the CSRF cookie and send it back
+const csrf = document.cookie.match(/_csrf=([^;]+)/)?.[1];
+fetch("/api/data", {
+    method: "POST",
+    headers: { "X-CSRF-Token": csrf },
+    body: JSON.stringify(data),
+});
+```
+---
+### Rate Limiter Fixed-Window Counter Reset (Bug)
+**Symptom:** After the first rate-limit window expired, the fixed-window counter reset to zero
+on every single subsequent request, making rate limiting completely ineffective.
+**Root cause:** When the time window rolled over, `entry.count` was reset to 0 but
+`entry.window_start` was never updated to the new window. Every request in the new window
+saw `window_start != current_window` and reset the counter again.
+**Fix:** Update `entry.window_start = current_window` alongside the count reset.
+---
+### Auth Skip-Path Prefix Bypass (Security)
+**Symptom:** Calling `skip_path("/health")` to exclude the health endpoint from authentication
+also excluded `/healthz`, `/healthy`, and any other path starting with `/health`.
+**Root cause:** Path matching used `request.path.starts_with(skip_path)` without checking that
+the following character is `/` or end-of-string.
+**Fix:** Path is now only skipped when it equals the pattern exactly or starts with
+`{pattern}/`. Affects `JwtAuth`, `BasicAuth`, `ApiKeyAuth`, `RateLimitMiddleware`,
+`SessionMiddleware`, `CsrfMiddleware`, and `GuardsMiddleware`.
+```python
+# Before: /healthz would also be skipped (security bypass)
+jwt.skip_path("/health")
+# After: only /health and /health/* are skipped
+jwt.skip_path("/health")
+```
+---
 ## Upgrade
 ```bash

cello_framework-1.2.3/docs/releases/v1.2.2.md ADDED Viewed

@@ -0,0 +1,131 @@
+---
+title: v1.2.2 Release Notes
+description: Cello Framework v1.2.2 — Security & Bug Fixes
+tags:
+  - v1.2.2
+  - Release Notes
+  - Security
+  - Bug Fixes
+---
+# Cello v1.2.2 — Security & Bug Fixes
+**Release Date:** June 14, 2026
+**License:** MIT
+**Python:** 3.12+
+---
+## Overview
+Cello v1.2.2 is a patch release that fixes one critical security bug, one security
+vulnerability, and two correctness bugs discovered during a thorough code review of v1.2.1.
+All changes are fully backwards-compatible.
+**Upgrade immediately** if you use CSRF protection or authentication middleware skip-paths.
+---
+## Security Fixes
+### CSRF Double-Submit Cookie Was `HttpOnly` (Critical)
+**Symptom:** AJAX applications and SPAs using `CsrfMiddleware` received 403 on every
+POST/PUT/DELETE request, even when the CSRF token was correctly set.
+**Root cause:** The CSRF double-submit cookie was set with `HttpOnly`, which prevents
+JavaScript from reading cookie values. The double-submit pattern *requires* JavaScript
+to read the cookie and copy its value into the `X-CSRF-Token` request header. With
+`HttpOnly` set, this was impossible — every state-changing request failed CSRF validation.
+**Fix:** Removed `HttpOnly` from the CSRF token cookie. The CSRF cookie is intentionally
+readable by JavaScript (that is the design). Your session cookie, which holds sensitive
+data, remains `HttpOnly`.
+```javascript
+// Now works — JavaScript can read the CSRF cookie
+const csrf = document.cookie.match(/_csrf=([^;]+)/)?.[1];
+fetch("/api/submit", {
+    method: "POST",
+    headers: { "X-CSRF-Token": csrf, "Content-Type": "application/json" },
+    body: JSON.stringify({ name: "Alice" }),
+});
+```
+---
+### Auth Middleware `skip_path` Allowed Prefix Bypass (Security)
+**Symptom:** Calling `jwt.skip_path("/health")` to exclude the health-check endpoint
+from authentication also excluded `/healthz`, `/healthy`, `/health-admin`, and any
+other path whose string representation started with `/health`.
+**Root cause:** All middleware used `request.path.starts_with(skip_path)` with no
+boundary check. An attacker aware of a skipped path could craft a URL that bypasses
+authentication.
+**Affected middleware:** `JwtAuth`, `BasicAuth`, `ApiKeyAuth`, `RateLimitMiddleware`,
+`SessionMiddleware`, `CsrfMiddleware`, `GuardsMiddleware`.
+**Fix:** Paths are now only skipped when:
+- The path **exactly equals** the pattern, or
+- The path **starts with** `{pattern}/` (sub-path match).
+```python
+# Before: /healthz was also skipped — security bypass
+jwt_auth.skip_path("/health")
+# After: only /health and /health/* are skipped
+jwt_auth.skip_path("/health")
+```
+---
+## Bug Fixes
+### Rate Limiter Fixed-Window Counter Broke After First Window
+**Symptom:** After the first time-window expired, the `FixedWindowStore` rate limiter
+stopped enforcing limits entirely — every request was allowed regardless of how many
+had been made.
+**Root cause:** When the window rolled over, the per-client entry's `count` was reset
+to 0 but `window_start` was never updated to the new window ID. Every subsequent
+request also saw `window_start != current_window` and reset the counter to 0 again,
+making the limiter permanently ineffective after the first window.
+**Fix:** `window_start` is now updated to `current_window` alongside the count reset.
+---
+### Unused `mut` Warnings in Template Engine Tests
+Five test functions in `minijinja_engine.rs` declared `let mut env = Environment::new()`
+where `mut` was not needed (the variable was never mutated after construction). These
+were cleaned up to eliminate Clippy warnings.
+---
+## Files Changed
+| File | Change |
+|------|--------|
+| `src/middleware/csrf.rs` | Remove `HttpOnly` from CSRF cookie |
+| `src/middleware/mod.rs` | Add `path_matches_skip()` shared helper |
+| `src/middleware/auth.rs` | Use `path_matches_skip()` in JWT/Basic/ApiKey |
+| `src/middleware/session.rs` | Use `path_matches_skip()` |
+| `src/middleware/rate_limit.rs` | Use `path_matches_skip()`; fix `window_start` reset |
+| `src/middleware/guards.rs` | Use `path_matches_skip()` |
+| `src/minijinja_engine.rs` | Remove unused `mut` from test bindings |
+---
+## Upgrade
+```bash
+pip install --upgrade cello-framework==1.2.2
+```
+Drop-in replacement for v1.2.1. No API changes.

cello_framework-1.2.3/docs/releases/v1.2.3.md ADDED Viewed

@@ -0,0 +1,121 @@
+---
+title: v1.2.3 Release Notes
+description: Cello Framework v1.2.3 — Full Middleware Python API & Docs Fixes
+tags:
+  - v1.2.3
+  - Release Notes
+  - New Features
+  - Bug Fixes
+---
+# Cello v1.2.3 — Full Middleware Python API & Docs Fixes
+**Release Date:** June 14, 2026
+**License:** MIT
+**Python:** 3.12+
+---
+## Overview
+Cello v1.2.3 exposes the complete authentication and security middleware suite to
+Python — functionality that existed in Rust since v0.4.0 but had no Python API.
+It also fixes all incorrect import paths across the documentation.
+Drop-in upgrade from v1.2.2. No breaking changes.
+---
+## New Features
+### Full Middleware Python API
+All authentication and security middleware is now accessible from Python.
+#### `app.use(middleware)` — universal middleware dispatcher
+```python
+from cello import App, JwtConfig
+from cello.middleware import JwtAuth, BasicAuth, ApiKeyAuth, CsrfConfig
+app = App()
+# JWT authentication
+app.use(JwtAuth(JwtConfig(secret="your-32-byte-secret-key!", algorithm="HS256")))
+# Basic auth with credential dict
+app.use(BasicAuth(credentials={"admin": "s3cr3t"}, realm="My API"))
+# API key validation
+app.use(ApiKeyAuth(keys={"key-abc": "service-a", "key-xyz": "service-b"}))
+# CSRF protection
+app.use(CsrfConfig())
+```
+#### New `App` enable methods
+```python
+app.enable_jwt(JwtConfig(secret="...", algorithm="HS256"), skip_paths=["/health"])
+app.enable_session(SessionConfig(cookie_name="sid", max_age=3600))
+app.enable_security_headers(strict=False)
+app.enable_csrf()
+app.enable_basic_auth(credentials={"admin": "secret"}, realm="Protected")
+app.enable_api_key(keys={"key123": "service-a"}, header="X-API-Key")
+```
+### New `cello.middleware` module
+```python
+from cello.middleware import (
+    JwtAuth,               # JWT auth wrapper for app.use()
+    BasicAuth,             # Basic auth wrapper for app.use()
+    ApiKeyAuth,            # API key auth wrapper for app.use()
+    CsrfConfig,            # CSRF middleware config for app.use()
+    AdaptiveRateLimitConfig,  # Convenience wrapper for RateLimitConfig.adaptive()
+    # Also re-exported from cello for convenience:
+    JwtConfig,
+    SessionConfig,
+    SecurityHeadersConfig,
+    RateLimitConfig,
+    CSP,
+)
+```
+---
+## Docs Fixes
+All documentation pages now use correct import paths. Previously, several pages
+showed imports that raised `ImportError` at runtime.
+| Wrong (raised ImportError) | Correct |
+|---------------------------|---------|
+| `from cello.guards import RoleGuard` | `from cello import RoleGuard` |
+| `from cello.guards import PermissionGuard` | `from cello import PermissionGuard` |
+| `from cello.guards import AuthenticatedGuard` | `from cello import Authenticated` |
+| `from cello.guards import AndGuard` | `from cello import And` |
+| `from cello.middleware import CircuitBreaker` | `app.enable_circuit_breaker(...)` |
+| `from cello.middleware import CacheConfig` | `app.enable_caching(ttl=...)` |
+---
+## Files Changed
+| File | Change |
+|------|--------|
+| `src/lib.rs` | Add `enable_jwt`, `enable_session`, `enable_security_headers`, `enable_csrf`, `enable_basic_auth`, `enable_api_key` to Rust `Cello` struct |
+| `python/cello/middleware.py` | **New file** — `JwtAuth`, `BasicAuth`, `ApiKeyAuth`, `CsrfConfig`, `AdaptiveRateLimitConfig` |
+| `python/cello/__init__.py` | Add `App.use()` dispatcher and 6 new `enable_*` methods |
+| `docs/` | 9 pages updated with correct import paths |
+| `docs/overrides/main.html` | Announcement bar updated to v1.2.3 |
+---
+## Upgrade
+```bash
+pip install --upgrade cello-framework==1.2.3
+```
+Drop-in replacement for v1.2.2. No API changes.

{cello_framework-1.2.1 → cello_framework-1.2.3}/mkdocs.yml RENAMED Viewed

@@ -364,6 +364,8 @@ nav:
   - Release Notes:
     - releases/index.md
+    - v1.2.3: releases/v1.2.3.md
+    - v1.2.2: releases/v1.2.2.md
     - v1.2.1: releases/v1.2.1.md
     - v1.2.0: releases/v1.2.0.md
     - v1.1.0: releases/v1.1.0.md

{cello_framework-1.2.1 → cello_framework-1.2.3}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "maturin"
 [project]
 name = "cello-framework"
-version = "1.2.1"
+version = "1.2.3"
 description = "Ultra-fast Rust-powered Python async web framework"
 readme = "README.md"
 license = { text = "MIT" }

cello-framework 1.2.1__tar.gz → 1.2.3__tar.gz

cello-framework 1.2.1tar.gz → 1.2.3tar.gz