oxyroute 0.1.0__tar.gz

oxyroute-0.1.0/.cursor/rules/git-workflow.mdc

@@ -0,0 +1,26 @@
+---
+description: Feature branches and PRs for GitHub issues — never land feature work by committing straight to dev/main
+alwaysApply: true
+---
+
+# Git and GitHub workflow (OxyRoute)
+
+When implementing a **feature, fix, or issue** (including backlog / issue numbers in `.github/ISSUE_BACKLOG`):
+
+1. **Branch**  
+   - Do **not** commit or push feature work directly to `dev` or `main`.  
+   - Create a branch from the current base (usually `dev`): `git fetch origin` then `git checkout -b <branch>`.  
+   - Prefer names like: `feat/<short-slug>`, or `issue-<N>-<short-slug>` (e.g. `issue-20-head-options`).
+
+2. **Pull request**  
+   - Push the branch: `git push -u origin <branch>`.  
+   - Open a **PR** into `dev` (or the repo’s default integration branch).  
+   - In the PR title or description, **link the issue**: `Closes #N` / `Fixes #N` / `Ref #N` as appropriate so GitHub closes or tracks the work.
+
+3. **Before coding**  
+   - Confirm whether an issue already exists; if the user only gave a topic, match it to a backlog file or open an issue, then use the same branch+PR flow.
+
+4. **Exceptions**  
+   - Tiny doc typo or rule-only changes may still use a small branch+PR, or a single “chore:” PR if the team agrees — default is **always branch + PR** for any code or test change.
+
+This applies to all agents and humans working in this repo.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/PRIORITIES.md

@@ -0,0 +1,41 @@
+# Priority and sequencing (OxyRoute backlog)
+
+This file tracks **priority tiers** for the 20 items in [bodies/](bodies/); it does not replace the GitHub milestone—use it when triaging and when batch-creating issues.
+
+## P0 (do first: correctness, safety, and coverage)
+
+| # | File | Rationale |
+|---|------|-----------|
+| 2 | [02.md](bodies/02.md) | **Query decoding** — many clients break without percent-decoding. |
+| 3 | [03.md](bodies/03.md) | **500 and logging** — unhandled `PyErr` and unclear production behavior. |
+| 12 | [12.md](bodies/12.md) | **E2E Granian** — the main integration path (RSGI) is not validated with a real server in CI. |
+
+## P1 (next: API and responses)
+
+| # | File | Rationale |
+|---|------|-----------|
+| 1 | [01.md](bodies/01.md) | **PATCH** — Rust already supports it; Python surface is missing. |
+| 5 | [05.md](bodies/05.md) | **DI chains + request context** — unlocks real dependency patterns. |
+| 6 | [06.md](bodies/06.md) | **JWT `aud` / `iss` / leeway** — expected for production auth. |
+| 10 | [10.md](bodies/10.md) | **Structured `Response` (headers, status)** — required for many APIs. |
+
+## Research and architecture (heavier; schedule after P0/P1)
+
+- **8, 15, 17** — asymmetric JWT / PyO3 upgrade / ASGI hardening: see [bodies/08.md](bodies/08.md), [15.md](bodies/15.md), [17.md](bodies/17.md).
+
+## CI, release, and documentation
+
+- **13, 14, 16** — clippy/CI, PyPI on tag, OpenAPI doc/test consistency.
+
+## Broader feature set
+
+- **4, 7, 9, 11, 18, 19, 20** — performance snapshot, cookies, Pydantic OpenAPI, middleware, lifespan, 405, HEAD/OPTIONS.
+
+## Roadmap phasing (summary)
+
+1. **Hardening:** P0 items + Issue **13** (clippy in CI) where feasible.  
+2. **API surface:** P1 (1, 10) + **20** (HEAD/OPTIONS) as needed.  
+3. **Auth and docs shape:** 6, 9, 16.  
+4. **Scale and DI:** 4, 5.
+
+[← Back to README](README.md)

oxyroute-0.1.0/.github/ISSUE_BACKLOG/README.md

@@ -0,0 +1,67 @@
+# GitHub issue backlog (batch-ready)
+
+This directory holds **20 issue bodies** ([bodies/](bodies/)) and a [PRIORITIES.md](PRIORITIES.md) file. They were generated from the OxyRoute roadmap for **QueryaHub/OxyRoute**.
+
+## Prerequisites
+
+1. [GitHub CLI](https://cli.github.com/) installed (`gh`).
+2. Authenticate: `gh auth login` (the repository cannot create issues in your project without a logged-in `gh` or a `GH_TOKEN` with `issues:write`).
+
+## One-shot: create the milestone, labels, and all issues
+
+From the **repository root**:
+
+```bash
+./scripts/create-github-issues.sh
+```
+
+The script:
+
+- Ensures you are logged into `gh`.
+- Creates labels (`P0`, `P1`, `research`, `enhancement`, `tech-debt`, `ci`, `documentation`, `test`) if missing.
+- Creates milestone **`v0.2.0`** if missing.
+- Opens **20 issues** with titles, bodies, labels, and the milestone (see the script for the exact mapping).
+
+**Warning:** Running the script twice will **duplicate** issues. If you need idempotency, check open issues on GitHub first or add guards (not included).
+
+## Manual: single issue
+
+```bash
+gh issue create --title "feat: expose PATCH routes on Python App" \
+  --body-file .github/ISSUE_BACKLOG/bodies/01.md \
+  -l enhancement -l P1 -m v0.2.0
+```
+
+## Table of issues
+
+| # | Body file | Title (for `gh issue create`) | Labels (suggested) | Milestone |
+|---|-----------|---------------------------------|--------------------|-----------|
+| 1 | [bodies/01.md](bodies/01.md) | feat: expose PATCH routes on Python App | `enhancement`, `P1` | v0.2.0 |
+| 2 | [bodies/02.md](bodies/02.md) | fix: apply URL decoding to query string keys and values | `bug`, `P0` | v0.2.0 |
+| 3 | [bodies/03.md](bodies/03.md) | feat: map Python exceptions in dispatch to HTTP 500 with safe body | `enhancement`, `P0` | v0.2.0 |
+| 4 | [bodies/04.md](bodies/04.md) | perf: reduce lock contention on route match (RWLock or route snapshot) | `tech-debt`, `enhancement` | v0.2.0 |
+| 5 | [bodies/05.md](bodies/05.md) | feat: pass request context into dependencies and support dependency chains | `enhancement`, `P1` | v0.2.0 |
+| 6 | [bodies/06.md](bodies/06.md) | feat: extend JWT Validation with iss/aud and optional leeway | `enhancement`, `P1` | v0.2.0 |
+| 7 | [bodies/07.md](bodies/07.md) | feat: read JWT from Cookie header for require_jwt | `enhancement` | v0.2.0 |
+| 8 | [bodies/08.md](bodies/08.md) | research+feat: JWK/PEM-based JWT verify in Rust (align with oxyjwt) | `enhancement`, `research` | v0.2.0 |
+| 9 | [bodies/09.md](bodies/09.md) | feat: add optional Pydantic / JSON schema hooks for OpenAPI body | `enhancement` | v0.2.0 |
+| 10 | [bodies/10.md](bodies/10.md) | feat: structured Response object for headers and status | `enhancement`, `P1` | v0.2.0 |
+| 11 | [bodies/11.md](bodies/11.md) | feat: optional middleware chain in run_rsgi before route match | `enhancement` | v0.2.0 |
+| 12 | [bodies/12.md](bodies/12.md) | test: e2e HTTP against granian --interface rsgi | `test`, `P0` | v0.2.0 |
+| 13 | [bodies/13.md](bodies/13.md) | ci: add cargo clippy and Rust unit tests to workflow | `ci` | v0.2.0 |
+| 14 | [bodies/14.md](bodies/14.md) | ci: PyPI publish on version tag (trusted publishing) | `ci` | v0.2.0 |
+| 15 | [bodies/15.md](bodies/15.md) | tech-debt: upgrade pyo3 0.21 -> current and validate Granian RSGI | `tech-debt`, `research` | v0.2.0 |
+| 16 | [bodies/16.md](bodies/16.md) | docs+test: clarify include_openapi vs set_openapi_served and 404 for /openapi.json | `documentation`, `test` | v0.2.0 |
+| 17 | [bodies/17.md](bodies/17.md) | fix: review ASGI protocol bridge (run_coroutine_threadsafe) under load | `bug`, `research` | v0.2.0 |
+| 18 | [bodies/18.md](bodies/18.md) | feat: pass app state / lifespan for shared resources (optional design) | `enhancement` | v0.2.0 |
+| 19 | [bodies/19.md](bodies/19.md) | feat: return 405 when path exists for another method | `enhancement` | v0.2.0 |
+| 20 | [bodies/20.md](bodies/20.md) | feat: register HEAD/OPTIONS and sensible defaults | `enhancement` | v0.2.0 |
+
+## Priority tier (P0 / P1)
+
+See [PRIORITIES.md](PRIORITIES.md) for the recommended order: **P0** = 2, 3, 12; **P1** = 1, 5, 6, 10.
+
+## Documentation
+
+- [docs/index.md](../../docs/index.md) — main English docs for contributors and users.
+- [CONTRIBUTING.md](../../CONTRIBUTING.md) — how to build and test locally.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/01.md

@@ -0,0 +1,15 @@
+## Context
+
+- [`src/state.rs`](https://github.com/QueryaHub/OxyRoute/blob/main/src/state.rs) already has `st.patch: Mutex<Router<usize>>` and `map_method_router` supports `"PATCH"`. [`oxyroute/app.py`](https://github.com/QueryaHub/OxyRoute/blob/main/oxyroute/app.py) does not add a `patch()` decorator, so users cannot register PATCH without calling native `add_route` from Python.
+
+## Work
+
+- Add `def patch(self, path, *, ...)` mirroring `put` (default `read_json_body=True`). Register with `add_route` method `"PATCH"`. Extend [docs/routing.md](https://github.com/QueryaHub/OxyRoute/blob/main/docs/routing.md) and [README](https://github.com/QueryaHub/OxyRoute/blob/main/README.md) if needed.
+
+## Acceptance criteria
+
+- `pytest` with `@app.patch("/x")` and httpx/ASGI or a small in-process RSGI test if you add a test helper.
+
+## Research / notes
+
+- None beyond matchit; ensure OpenAPI in [`lib.rs`](https://github.com/QueryaHub/OxyRoute/blob/main/src/lib.rs) `openapi_add_path` still receives `PATCH` lowercase.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/02.md

@@ -0,0 +1,15 @@
+## Problem
+
+- [`parse_query`](https://github.com/QueryaHub/OxyRoute/blob/main/src/params.rs) splits on `&` and `=` but never applies **percent-decoding** ([RFC 3986](https://www.rfc-editor.org/rfc/rfc3986) query; [WHATWG URLSearchParams](https://url.spec.whatwg.org/#urlencoded-parsing) often maps `+` to space in `application/x-www-form-urlencoded`). Current code breaks for `?q=hello%20world` and non-ASCII.
+
+## Options
+
+- (1) `percent_encoding` or `form_urlencoded` crate in `parse_query`; (2) minimal decode for `%XX` and optional `+` → space behind a flag. Unit tests in **Rust** (`#[cfg(test)]` in `params.rs` or `params_tests.rs`) with hex edge cases and UTF-8.
+
+## Acceptance criteria
+
+- Tests pass; document behavior in [docs/handlers.md](https://github.com/QueryaHub/OxyRoute/blob/main/docs/handlers.md) for the `query` dict.
+
+## Research
+
+- Criterion: must not double-decode; empty values; duplicate keys (last-wins vs multi-map—**document** current `HashMap` last-wins or open a follow-up for `MultiMap`).

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/03.md

@@ -0,0 +1,15 @@
+## Context
+
+- [`run_rsgi`](https://github.com/QueryaHub/OxyRoute/blob/main/src/dispatch.rs) uses `?` on `handler.call` and dependency calls. Uncaught `PyErr` may surface as a generic RSGI error depending on Granian. Production APIs need a **500** with optional JSON `{"error":"…"}` and **no stack trace** in the response body when `OXYROUTE_DEBUG=0`.
+
+## Work
+
+- Wrap handler and dependency resolution in `match` on `Result`. On `Err`, use `tracing` or `log` (or Python `logging` via GIL) with request method/path. Response: `text/plain` or `application/json` 500, configurable. Consider `Trace-Id` header from scope if Granian provides it.
+
+## Acceptance criteria
+
+- `pytest` that raises in a handler and asserts 500 and body policy.
+
+## Research
+
+- `pyo3` exception types to string sanitization; avoid leaking PII from exception messages.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/04.md

@@ -0,0 +1,19 @@
+## Context
+
+- `state.lock()` is taken in multiple places per request. [`AppState`](https://github.com/QueryaHub/OxyRoute/blob/main/src/state.rs) bundles routes plus five `Mutex<Router<usize>>` and an `openapi` mutex.
+
+## Direction A
+
+- After `freeze()`, build an **`Arc<CompiledRoutes>`** (clones of routers or a single matchit structure per method) behind `ArcSwap` or `OnceLock` and read with no write path.
+
+## Direction B
+
+- `parking_lot::RwLock` for `openapi` vs `routes`—measure with Criterion microbenches or `wrk` on a hello handler.
+
+## Acceptance criteria
+
+- No functional regression; benchmark numbers in the PR description or `benches/`.
+
+## Research
+
+- [matchit](https://docs.rs/matchit) `Router` and `Sync`—today wrapped in `Mutex`. Consider matchit 0.8 migration if applicable.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/05.md

@@ -0,0 +1,17 @@
+## Context
+
+- [dispatch.rs](https://github.com/QueryaHub/OxyRoute/blob/main/src/dispatch.rs) (dependency section) calls each factory with **no arguments**. FastAPI-style `Depends` usually receives typed values from prior deps.
+
+## Design sketch
+
+1. Introduce an opaque `RequestContext` in Rust (method, path, headers, parsed query pointer) and pass to factories as a single `PyObject` or kwargs dict.
+2. At `freeze()`, build a **DAG** of dep names, validate no cycles, compute topological order.
+3. Per request, walk the order and pass previously resolved values into the next `call`.
+
+## Acceptance criteria
+
+- Test with `dependencies=[("a", a), ("b", b)]` where `b` receives `a` (signature introspection in Python, or an explicit convention).
+
+## Research
+
+- `inspect.signature` from Rust via PyO3 is expensive; consider registering arity at `add_route` or a static convention (`def b(a):`).

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/06.md

@@ -0,0 +1,15 @@
+## Context
+
+- [`jsonwebtoken::Validation`](https://docs.rs/jsonwebtoken/latest/jsonwebtoken/struct.Validation.html) in [dispatch.rs](https://github.com/QueryaHub/OxyRoute/blob/main/src/dispatch.rs) sets `algorithms` and `validate_nbf` but not `iss` / `aud` from the route.
+
+## Work
+
+- Add optional `jwt_issuer: Option<String>`, `jwt_audience: Option<String>` to `add_route` and Python decorators. Map to `val.validate_iss` / `val.validate_aud` in jsonwebtoken 9. Add `leeway: u64` for clock skew.
+
+## Acceptance criteria
+
+- Pytest with tokens where `aud` / `iss` are wrong → 401; parity test with oxyjwt where applicable.
+
+## Research
+
+- jsonwebtoken vs [OxyJWT](https://github.com/QueryaHub/OxyJWT) claim validation defaults—keep golden vectors in [tests/test_jwt_parity.py](https://github.com/QueryaHub/OxyRoute/blob/main/tests/test_jwt_parity.py).

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/07.md

@@ -0,0 +1,15 @@
+## Context
+
+- [`extract_bearer`](https://github.com/QueryaHub/OxyRoute/blob/main/src/token.rs) only inspects `Authorization`. Many SPAs use `access_token=…` in a cookie.
+
+## Work
+
+- Add `jwt_cookie: Option<String>` (cookie name). In dispatch, if Bearer is missing, parse the `Cookie` header (Rust: `cookie` crate or string split) and read the token.
+
+## Security
+
+- `Secure` / `HttpOnly` are browser flags; document server-side CORS. CSRF: out of scope or separate issue.
+
+## Acceptance criteria
+
+- Unit test and one integration test.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/08.md

@@ -0,0 +1,17 @@
+## Context
+
+- [`parse_algorithm`](https://github.com/QueryaHub/OxyRoute/blob/main/src/lib.rs) is HMAC-only. A shared Rust path with [OxyJWT](https://github.com/QueryaHub/OxyJWT) or `jsonwebtoken` with `DecodingKey::from_rsa_pem` was discussed in the project roadmap.
+
+## Phases
+
+1. Prototype decode with `RS256` using PEM from route or environment.
+2. Compare tokens with `oxyjwt.decode` in dev tests.
+3. Consider a `path` / `git` dependency on the OxyJWT library crate if it exposes a `lib` target (inspect upstream `Cargo.toml`).
+
+## Acceptance criteria
+
+- Document supported algorithms; reject unsupported algorithms at route registration time.
+
+## Research
+
+- `jsonwebtoken` 9 RSA/EC API; key rotation via JWKS (heavier—separate issue).

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/09.md

@@ -0,0 +1,16 @@
+## Context
+
+- [`openapi_add_path`](https://github.com/QueryaHub/OxyRoute/blob/main/src/lib.rs) produces a bare `200` with no `content`. Users expect `application/json` schemas for bodies.
+
+## Options
+
+1. **Python-only:** at route time, pass optional `body_model=MyPydanticModel` to the decorator; Rust only stores a JSON Schema string generated in Python (`model_json_schema()`) in `RouteEntry`; merge into the OpenAPI document on `freeze()`.
+2. **Rust-only:** stay minimal. Prefer (1) to avoid reimplementing Pydantic in Rust.
+
+## Acceptance criteria
+
+- `/openapi.json` includes `requestBody` for at least one POST route.
+
+## Research
+
+- Pydantic v2 JSON schema `$defs`; size of inline vs `$ref` in OAS 3.0.3.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/10.md

@@ -0,0 +1,15 @@
+## Context
+
+- Return path only allows dict `{status, body}` for custom status, fixed content types in [dispatch.rs](https://github.com/QueryaHub/OxyRoute/blob/main/src/dispatch.rs) (see response mapping).
+
+## Work
+
+- Python class or `TypedDict`, e.g. `Response(body=, status=, headers=)`, serialized in dispatch to `response_bytes` / `response_str` with a header list. Optional `Set-Cookie` list.
+
+## Acceptance criteria
+
+- Test that sets `content-type: application/json` and a custom header on the response.
+
+## Research
+
+- RSGI header format in Granian (list of pairs, bytes or str)—must match [response.rs](https://github.com/QueryaHub/OxyRoute/blob/main/src/response.rs) `build_headers_ct`.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/11.md

@@ -0,0 +1,19 @@
+## Context
+
+- No hook for metrics, CORS, or auth that runs **before** the router (except per-route JWT). 
+
+## Design
+
+- `App.add_middleware(f)` where `f(scope, protocol) -> Result<ControlFlow, …>` in Rust, or a list of `Py<PyAny>` pre-handlers. Short-circuit to a response (e.g. 204 for OPTIONS preflight).
+
+## Scope
+
+- High complexity; start with a **single** optional Python callable for an MVP.
+
+## Acceptance criteria
+
+- Test that a CORS preflight can return 204 without hitting the route handler.
+
+## Research
+
+- CORS: `Access-Control-Request-Method` / `Origin` ([Fetch](https://fetch.spec.whatwg.org/)).

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/12.md

@@ -0,0 +1,15 @@
+## Context
+
+- [tests/test_asgi.py](https://github.com/QueryaHub/OxyRoute/blob/main/tests/test_asgi.py) uses the ASGI transport; the RSGI path is not exercised end-to-end with a real HTTP server.
+
+## Work
+
+- In CI, `subprocess` to start `granian` on `127.0.0.1:<port>` with a minimal `app` module, `httpx` `GET /`, assert 200, then terminate. Use a sync `httpx` client with retry on port bind races.
+
+## Flakiness
+
+- Port allocation: use a random high port, retries, or `pytest` fixtures; document Windows caveats if the job is Linux-only at first.
+
+## Acceptance criteria
+
+- Green on Linux at minimum; mark optional for Windows if flaky.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/13.md

@@ -0,0 +1,15 @@
+## Context
+
+- Clippy is run manually; [params.rs](https://github.com/QueryaHub/OxyRoute/blob/main/src/params.rs) will gain `#[test]` for query decoding (see related issue on percent-decoding).
+
+## Work
+
+- Add a CI step: `cargo clippy -- -D warnings` (or a documented allowlist). Add `cargo test` for new Rust unit tests. Cache `~/.cargo` and `target` with [Swatinem/rust-cache](https://github.com/Swatinem/rust-cache) or `actions/cache`.
+
+## Acceptance criteria
+
+- CI fails on a clippy warning when using `-D warnings` (or an explicit allowlist in `clippy.toml` with justification).
+
+## Research
+
+- `cross` for ARM if you add more target triples later.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/14.md

@@ -0,0 +1,15 @@
+## Context
+
+- [pyproject.toml](https://github.com/QueryaHub/OxyRoute/blob/main/pyproject.toml) has `version = "0.1.0"`; there is no release workflow.
+
+## Work
+
+- GitHub Action on `v*` tags: `maturin build --release` + `maturin upload` (OIDC to PyPI) per the [Maturin distribution guide](https://www.maturin.rs/distribution). Optional: `CARGO_INCREMENTAL=0` for more reproducible builds.
+
+## Acceptance criteria
+
+- Dry run against TestPyPI first; then production with trusted publishing.
+
+## Research
+
+- [PyPI trusted publishing](https://docs.pypi.org/trusted-publishers/) and package name alignment on PyPI.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/15.md

@@ -0,0 +1,15 @@
+## Context
+
+- PyO3 0.21 is aging; the GIL, `Bound` API, and `pyo3_asyncio` story may have moved ([pyo3-async-runtimes](https://github.com/PyO3/pyo3-async-runtimes) or follow-on crates).
+
+## Work
+
+- Read [PyO3 migration guides](https://pyo3.rs/v0.22.0/migration), bump `pyo3` and the asyncio integration, fix compile errors, run the full pytest suite.
+
+## Acceptance criteria
+
+- No regression on `handle_rsgi` and on ASGI `__call__` behavior.
+
+## Research
+
+- Granian’s Python RSGI expectations (e.g. sync `response_str` on protocol).

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/16.md

@@ -0,0 +1,11 @@
+## Context
+
+- When `include_openapi` is false, [GET /openapi.json](https://github.com/QueryaHub/OxyRoute/blob/main/src/dispatch.rs) can fall through; users may get 404 on a normal route or miss OpenAPI. Behavior should be exact and tested.
+
+## Work
+
+- Document the interaction between `include_openapi`, `set_openapi_served`, and registration order in [docs/openapi.md](https://github.com/QueryaHub/OxyRoute/blob/main/docs/openapi.md). Add a pytest for `include_openapi=False`.
+
+## Acceptance criteria
+
+- Documentation updated; pytest covers disabled OpenAPI.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/17.md

@@ -0,0 +1,11 @@
+## Context
+
+- [oxyroute/asgi.py](https://github.com/QueryaHub/OxyRoute/blob/main/oxyroute/asgi.py) uses `asyncio.run_coroutine_threadsafe` and blocking `fut.result()` from sync `response_*` when native code calls into Python from a Tokio worker. Risk of deadlock under mixed load is documented; needs hardening.
+
+## Work
+
+- Reproduce with concurrent `httpx` requests. If deadlock appears, use a one-shot `asyncio.Queue` in the ASGI task to receive response actions without cross-thread `result()`, or an `anyio` / `trio` bridge.
+
+## Acceptance criteria
+
+- Stress test: 50 concurrent requests without hang; optional `uvicorn` subprocess smoke test.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/18.md

@@ -0,0 +1,17 @@
+## Context
+
+- [`__rsgi_init__`](https://github.com/QueryaHub/OxyRoute/blob/main/oxyroute/app.py) is a no-op. Users need a place to run `create_engine`, Redis client setup, etc.
+
+## Options
+
+1. Subclass `App` and set attributes in `__rsgi_init__` (if Granian calls it in the same process as workers).
+2. **Factory** pattern: `app = create_app()` per worker, documented in docs.
+3. Native `State` on the Rust `App` (larger change).
+
+## Acceptance criteria
+
+- Example in `examples/` with an `asyncio` pool or similar; document caveats for multi-process Granian.
+
+## Research
+
+- How Granian workers fork or spawn relative to RSGI init.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/19.md

@@ -0,0 +1,15 @@
+## Context
+
+- [dispatch.rs](https://github.com/QueryaHub/OxyRoute/blob/main/src/dispatch.rs) returns 404 on no match; it does not distinguish "path exists for another method" without scanning all method routers.
+
+## Work
+
+- On miss, either iterate other methods’ routers for the same path (expensive) or at `freeze()` build a `HashSet` / map from path pattern to allowed methods. If another method has a route for that path → **405** with an `Allow` header listing methods.
+
+## Acceptance criteria
+
+- GET on a POST-only path returns 405 and `Allow: POST` (or the correct list).
+
+## Research
+
+- HTTP [RFC 9110 §15.5.6](https://www.rfc-editor.org/rfc/rfc9110.html#name-405-method-not-allowed) and the `Allow` header.

oxyroute-0.1.0/.github/ISSUE_BACKLOG/bodies/20.md

@@ -0,0 +1,11 @@
+## Context
+
+- Browsers and crawlers use `HEAD`; CORS preflight uses `OPTIONS`. [state.rs](https://github.com/QueryaHub/OxyRoute/blob/main/src/state.rs) has no `head` / `options` `Router` today—extend with new routers or map HEAD to GET without a body.
+
+## Work
+
+- Extend `map_method_router`, `add_route` in Python, `App.head` (strip body from GET?), `App.options` (CORS or 204). Overlaps with the middleware / CORS issue for full preflight.
+
+## Acceptance criteria
+
+- `curl -I` and OPTIONS tests.

oxyroute-0.1.0/.github/ISSUE_TEMPLATE/1_feature_request.yml

@@ -0,0 +1,29 @@
+name: Feature request
+description: Suggest a new feature or an improvement to OxyRoute
+labels: [enhancement]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please read the [docs](https://github.com/QueryaHub/OxyRoute/blob/main/docs/index.md) and check [.github/ISSUE_BACKLOG/PRIORITIES.md](https://github.com/QueryaHub/OxyRoute/blob/main/.github/ISSUE_BACKLOG/PRIORITIES.md) for related plans.
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem or use case
+      description: What are you trying to do? What is missing?
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: Optional design sketch, API shape, or links.
+    validations:
+      required: false
+  - type: textarea
+    id: context
+    attributes:
+      label: Context
+      description: RSGI vs ASGI, Python version, Granian version, etc.
+    validations:
+      required: false

oxyroute-0.1.0/.github/ISSUE_TEMPLATE/2_bug_report.yml

@@ -0,0 +1,39 @@
+name: Bug report
+description: Report incorrect behavior, crashes, or documentation mistakes
+labels: [bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        For RSGI/Granian behavior, linking to a **minimal** `app` module and the exact `granian` command line helps a lot.
+  - type: textarea
+    id: what
+    attributes:
+      label: What happened?
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: What did you expect?
+    validations:
+      required: true
+  - type: textarea
+    id: versions
+    attributes:
+      label: Versions
+      description: Python, oxyroute (git / pip), granian, OS.
+      value: |
+        - Python:
+        - oxyroute:
+        - granian (if used):
+        - OS:
+    validations:
+      required: true
+  - type: textarea
+    id: repro
+    attributes:
+      label: Reproduction
+      description: Code, shell commands, and whether the failure is RSGI or ASGI.
+    validations:
+      required: false

oxyroute-0.1.0/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,12 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests
+blank_issues_enabled: true
+contact_links:
+  - name: OxyRoute documentation
+    url: https://github.com/QueryaHub/OxyRoute/blob/main/docs/index.md
+    about: RSGI, routing, handlers, JWT, OpenAPI, and local development.
+  - name: Issue backlog and priorities
+    url: https://github.com/QueryaHub/OxyRoute/blob/main/.github/ISSUE_BACKLOG/PRIORITIES.md
+    about: P0 / P1 ordering and pre-written issue bodies in bodies/.
+  - name: Open an issue
+    url: https://github.com/QueryaHub/OxyRoute/issues/new/choose
+    about: Bug reports, features, and questions that fit a GitHub issue.

oxyroute-0.1.0/.github/pull_request_template.md

@@ -0,0 +1,18 @@
+## Summary
+
+- What this PR does (1–3 sentences).
+- If it closes a ticket: `Closes #N` (replace N).
+
+## Base branch
+
+- [ ] This PR targets **`dev`**, not `main` (unless maintainers asked for a hotfix).
+
+## Checklist
+
+- [ ] `cargo build` (and `cargo clippy` if you touched Rust)
+- [ ] `maturin develop` + tests as in [docs/development.md](docs/development.md) (e.g. pytest from a clean cwd / installed wheel)
+- [ ] No unrelated drive-by refactors; commits are [atomic and scoped](https://github.com/QueryaHub/OxyRoute/blob/main/docs/development-workflow.md)
+
+## Note on `.github/ISSUE_BACKLOG/`
+
+If you only touch issue template files under [`.github/ISSUE_BACKLOG/`](.github/ISSUE_BACKLOG/) (not application code), say so in the summary. Prefer a **separate** PR for backlog-only edits when possible.