plain 0.65.1__py3-none-any.whl → 0.67.0__py3-none-any.whl

plain/CHANGELOG.md

@@ -1,5 +1,30 @@
 # plain changelog
 
+## [0.67.0](https://github.com/dropseed/plain/releases/plain@0.67.0) (2025-09-22)
+
+### What's changed
+
+- `ALLOWED_HOSTS` now defaults to `[]` (empty list) which allows all hosts, making it easier for development setups ([d3cb7712b9](https://github.com/dropseed/plain/commit/d3cb7712b9))
+- Empty `ALLOWED_HOSTS` in production now triggers a preflight error instead of a warning to ensure proper security configuration ([d3cb7712b9](https://github.com/dropseed/plain/commit/d3cb7712b9))
+
+### Upgrade instructions
+
+- No changes required
+
+## [0.66.0](https://github.com/dropseed/plain/releases/plain@0.66.0) (2025-09-22)
+
+### What's changed
+
+- Host validation moved to dedicated middleware and `ALLOWED_HOSTS` setting is now required ([6a4b7be](https://github.com/dropseed/plain/commit/6a4b7be220))
+- Changed `request.get_port()` method to `request.port` cached property ([544f3e1](https://github.com/dropseed/plain/commit/544f3e19f8))
+- Removed internal `request._get_full_path()` method ([50cdb58](https://github.com/dropseed/plain/commit/50cdb58d4e))
+
+### Upgrade instructions
+
+- Add `ALLOWED_HOSTS` setting to your configuration if not already present (required for host validation)
+- Replace any usage of `request.get_host()` with `request.host`
+- Replace any usage of `request.get_port()` with `request.port`
+
 ## [0.65.1](https://github.com/dropseed/plain/releases/plain@0.65.1) (2025-09-22)
 
 ### What's changed

plain/cli/agent/request.py

@@ -46,136 +46,127 @@ def request(path, method, data, user_id, follow, content_type, headers):
             click.secho("This command only works when DEBUG=True", fg="red", err=True)
             return
 
-        # Temporarily add testserver to ALLOWED_HOSTS so the test client can make requests
-        original_allowed_hosts = settings.ALLOWED_HOSTS
-        settings.ALLOWED_HOSTS = ["*"]
+        # Create test client
+        client = Client()
 
-        try:
-            # Create test client
-            client = Client()
+        # If user_id provided, force login
+        if user_id:
+            try:
+                # Get the User model using plain.auth utility
+                from plain.auth import get_user_model
 
-            # If user_id provided, force login
-            if user_id:
-                try:
-                    # Get the User model using plain.auth utility
-                    from plain.auth import get_user_model
-
-                    User = get_user_model()
-
-                    # Get the user
-                    try:
-                        user = User.query.get(id=user_id)
-                        client.force_login(user)
-                        click.secho(
-                            f"Authenticated as user {user_id}", fg="green", dim=True
-                        )
-                    except User.DoesNotExist:
-                        click.secho(f"User {user_id} not found", fg="red", err=True)
-                        return
-
-                except Exception as e:
-                    click.secho(f"Authentication error: {e}", fg="red", err=True)
-                    return
-
-            # Parse additional headers
-            header_dict = {}
-            for header in headers:
-                if ":" in header:
-                    key, value = header.split(":", 1)
-                    header_dict[key.strip()] = value.strip()
+                User = get_user_model()
 
-            # Prepare request data
-            if data and content_type and "json" in content_type.lower():
+                # Get the user
                 try:
-                    # Validate JSON
-                    json.loads(data)
-                except json.JSONDecodeError as e:
-                    click.secho(f"Invalid JSON data: {e}", fg="red", err=True)
+                    user = User.query.get(id=user_id)
+                    client.force_login(user)
+                    click.secho(
+                        f"Authenticated as user {user_id}", fg="green", dim=True
+                    )
+                except User.DoesNotExist:
+                    click.secho(f"User {user_id} not found", fg="red", err=True)
                     return
 
-            # Make the request
-            method = method.upper()
-            kwargs = {
-                "path": path,
-                "follow": follow,
-                "headers": header_dict or None,
-            }
-
-            if method in ("POST", "PUT", "PATCH") and data:
-                kwargs["data"] = data
-                if content_type:
-                    kwargs["content_type"] = content_type
-
-            # Call the appropriate client method
-            if method == "GET":
-                response = client.get(**kwargs)
-            elif method == "POST":
-                response = client.post(**kwargs)
-            elif method == "PUT":
-                response = client.put(**kwargs)
-            elif method == "PATCH":
-                response = client.patch(**kwargs)
-            elif method == "DELETE":
-                response = client.delete(**kwargs)
-            elif method == "HEAD":
-                response = client.head(**kwargs)
-            elif method == "OPTIONS":
-                response = client.options(**kwargs)
-            elif method == "TRACE":
-                response = client.trace(**kwargs)
-            else:
-                click.secho(f"Unsupported HTTP method: {method}", fg="red", err=True)
+            except Exception as e:
+                click.secho(f"Authentication error: {e}", fg="red", err=True)
+                return
+
+        # Parse additional headers
+        header_dict = {}
+        for header in headers:
+            if ":" in header:
+                key, value = header.split(":", 1)
+                header_dict[key.strip()] = value.strip()
+
+        # Prepare request data
+        if data and content_type and "json" in content_type.lower():
+            try:
+                # Validate JSON
+                json.loads(data)
+            except json.JSONDecodeError as e:
+                click.secho(f"Invalid JSON data: {e}", fg="red", err=True)
                 return
 
-            # Display response information
-            click.secho(
-                f"HTTP {response.status_code}",
-                fg="green" if response.status_code < 400 else "red",
-                bold=True,
-            )
-
-            # Show additional response info first
-            if hasattr(response, "user"):
-                click.secho(f"Authenticated user: {response.user}", fg="blue", dim=True)
-
-            if hasattr(response, "resolver_match") and response.resolver_match:
-                match = response.resolver_match
-                url_name = match.namespaced_url_name or match.url_name or "unnamed"
-                click.secho(f"URL pattern matched: {url_name}", fg="blue", dim=True)
-
-            # Show headers
-            if response.headers:
-                click.secho("Response Headers:", fg="yellow", bold=True)
-                for key, value in response.headers.items():
-                    click.echo(f"  {key}: {value}")
-                click.echo()
-
-            # Show response content last
-            if response.content:
-                content_type = response.headers.get("Content-Type", "")
-
-                if "json" in content_type.lower():
-                    try:
-                        json_data = response.json()
-                        click.secho("Response Body (JSON):", fg="yellow", bold=True)
-                        click.echo(json.dumps(json_data, indent=2))
-                    except Exception:
-                        click.secho("Response Body:", fg="yellow", bold=True)
-                        click.echo(response.content.decode("utf-8", errors="replace"))
-                elif "html" in content_type.lower():
-                    click.secho("Response Body (HTML):", fg="yellow", bold=True)
-                    content = response.content.decode("utf-8", errors="replace")
-                    click.echo(content)
-                else:
+        # Make the request
+        method = method.upper()
+        kwargs = {
+            "path": path,
+            "follow": follow,
+            "headers": header_dict or None,
+        }
+
+        if method in ("POST", "PUT", "PATCH") and data:
+            kwargs["data"] = data
+            if content_type:
+                kwargs["content_type"] = content_type
+
+        # Call the appropriate client method
+        if method == "GET":
+            response = client.get(**kwargs)
+        elif method == "POST":
+            response = client.post(**kwargs)
+        elif method == "PUT":
+            response = client.put(**kwargs)
+        elif method == "PATCH":
+            response = client.patch(**kwargs)
+        elif method == "DELETE":
+            response = client.delete(**kwargs)
+        elif method == "HEAD":
+            response = client.head(**kwargs)
+        elif method == "OPTIONS":
+            response = client.options(**kwargs)
+        elif method == "TRACE":
+            response = client.trace(**kwargs)
+        else:
+            click.secho(f"Unsupported HTTP method: {method}", fg="red", err=True)
+            return
+
+        # Display response information
+        click.secho(
+            f"HTTP {response.status_code}",
+            fg="green" if response.status_code < 400 else "red",
+            bold=True,
+        )
+
+        # Show additional response info first
+        if hasattr(response, "user"):
+            click.secho(f"Authenticated user: {response.user}", fg="blue", dim=True)
+
+        if hasattr(response, "resolver_match") and response.resolver_match:
+            match = response.resolver_match
+            url_name = match.namespaced_url_name or match.url_name or "unnamed"
+            click.secho(f"URL pattern matched: {url_name}", fg="blue", dim=True)
+
+        # Show headers
+        if response.headers:
+            click.secho("Response Headers:", fg="yellow", bold=True)
+            for key, value in response.headers.items():
+                click.echo(f"  {key}: {value}")
+            click.echo()
+
+        # Show response content last
+        if response.content:
+            content_type = response.headers.get("Content-Type", "")
+
+            if "json" in content_type.lower():
+                try:
+                    json_data = response.json()
+                    click.secho("Response Body (JSON):", fg="yellow", bold=True)
+                    click.echo(json.dumps(json_data, indent=2))
+                except Exception:
                     click.secho("Response Body:", fg="yellow", bold=True)
-                    content = response.content.decode("utf-8", errors="replace")
-                    click.echo(content)
+                    click.echo(response.content.decode("utf-8", errors="replace"))
+            elif "html" in content_type.lower():
+                click.secho("Response Body (HTML):", fg="yellow", bold=True)
+                content = response.content.decode("utf-8", errors="replace")
+                click.echo(content)
             else:
-                click.secho("(No response body)", fg="yellow", dim=True)
-
-        finally:
-            # Restore original ALLOWED_HOSTS
-            settings.ALLOWED_HOSTS = original_allowed_hosts
+                click.secho("Response Body:", fg="yellow", bold=True)
+                content = response.content.decode("utf-8", errors="replace")
+                click.echo(content)
+        else:
+            click.secho("(No response body)", fg="yellow", dim=True)
 
     except Exception as e:
         click.secho(f"Request failed: {e}", fg="red", err=True)

plain/csrf/middleware.py

@@ -2,7 +2,6 @@ import logging
 import re
 from urllib.parse import urlparse
 
-from plain.exceptions import DisallowedHost
 from plain.logs.utils import log_response
 from plain.runtime import settings
 
@@ -81,8 +80,8 @@ class CsrfViewMiddleware:
         if origin == "null":
             return False, "Cross-origin request detected - null Origin header"
 
-        try:
-            if (parsed_origin := urlparse(origin)) and (host := request.get_host()):
+        if (parsed_origin := urlparse(origin)) and (host := request.host):
+            try:
                 # Scheme-agnostic host:port comparison
                 origin_host = parsed_origin.hostname
                 origin_port = parsed_origin.port or (
@@ -97,7 +96,7 @@ class CsrfViewMiddleware:
                 # Use a fake scheme since we only care about host parsing
                 parsed_host = urlparse(f"http://{host}")
                 request_host = parsed_host.hostname or host
-                request_port = request.get_port()
+                request_port = request.port
 
                 # Compare hostname and port (scheme-agnostic)
                 # Both origin_host and request_host are normalized by urlparse (IPv6 brackets stripped)
@@ -110,8 +109,8 @@ class CsrfViewMiddleware:
                             True,
                             f"Same-origin request - Origin {origin} matches Host {host}",
                         )
-        except (ValueError, DisallowedHost):
-            pass
+            except ValueError:
+                pass
 
         # Origin present but doesn't match host
         return (

plain/exceptions.py

@@ -67,12 +67,6 @@ class SuspiciousFileOperation(SuspiciousOperation):
     pass
 
 
-class DisallowedHost(SuspiciousOperation):
-    """HTTP_HOST header contains invalid value"""
-
-    pass
-
-
 class TooManyFieldsSent(SuspiciousOperation):
     """
     The number of fields in a GET or POST request exceeded

plain/http/request.py

@@ -8,7 +8,6 @@ from itertools import chain
 from urllib.parse import parse_qsl, quote, urlencode, urljoin, urlsplit
 
 from plain.exceptions import (
-    DisallowedHost,
     ImproperlyConfigured,
     RequestDataTooBig,
     TooManyFieldsSent,
@@ -29,8 +28,6 @@ from plain.utils.datastructures import (
 from plain.utils.encoding import iri_to_uri
 from plain.utils.http import parse_header_parameters
 
-from .hosts import split_domain_port, validate_host
-
 
 class UnreadablePostError(OSError):
     pass
@@ -123,10 +120,13 @@ class HttpRequest:
             else:
                 self.encoding = self.content_params["charset"]
 
-    def _get_raw_host(self):
+    @cached_property
+    def host(self):
         """
-        Return the HTTP host using the environment or request headers. Skip
-        allowed hosts protection, so may return an insecure host.
+        Return the HTTP host using the environment or request headers.
+
+        Host validation is performed by HostValidationMiddleware, so this
+        property can safely return the host without any validation.
         """
         # We try three options, in order of decreasing preference.
         if settings.USE_X_FORWARDED_HOST and ("HTTP_X_FORWARDED_HOST" in self.meta):
@@ -136,34 +136,13 @@ class HttpRequest:
         else:
             # Reconstruct the host using the algorithm from PEP 333.
             host = self.meta["SERVER_NAME"]
-            server_port = self.get_port()
+            server_port = self.port
             if server_port != ("443" if self.is_https() else "80"):
                 host = f"{host}:{server_port}"
         return host
 
-    def get_host(self):
-        """Return the HTTP host using the environment or request headers."""
-        host = self._get_raw_host()
-
-        # Allow variants of localhost if ALLOWED_HOSTS is empty and DEBUG=True.
-        allowed_hosts = settings.ALLOWED_HOSTS
-        if settings.DEBUG and not allowed_hosts:
-            allowed_hosts = [".localhost", "127.0.0.1", "[::1]"]
-
-        domain, port = split_domain_port(host)
-        if domain and validate_host(domain, allowed_hosts):
-            return host
-        else:
-            msg = f"Invalid HTTP_HOST header: {host!r}."
-            if domain:
-                msg += f" You may need to add {domain!r} to ALLOWED_HOSTS."
-            else:
-                msg += (
-                    " The domain name provided is not valid according to RFC 1034/1035."
-                )
-            raise DisallowedHost(msg)
-
-    def get_port(self):
+    @cached_property
+    def port(self):
         """Return the port number for the request as a string."""
         if settings.USE_X_FORWARDED_PORT and "HTTP_X_FORWARDED_PORT" in self.meta:
             port = self.meta["HTTP_X_FORWARDED_PORT"]
@@ -172,9 +151,12 @@ class HttpRequest:
         return str(port)
 
     def get_full_path(self, force_append_slash=False):
-        return self._get_full_path(self.path, force_append_slash)
+        """
+        Return the full path for the request, including query string.
 
-    def _get_full_path(self, path, force_append_slash):
+        If force_append_slash is True, append a trailing slash if the path
+        doesn't already end with one.
+        """
         # RFC 3986 requires query string arguments to be in the ASCII range.
         # Rather than crash if this doesn't happen, we encode defensively.
 
@@ -195,8 +177,8 @@ class HttpRequest:
             return quote(path, safe="/:@&+$,-_.!~*'()")
 
         return "{}{}{}".format(
-            escape_uri_path(path),
-            "/" if force_append_slash and not path.endswith("/") else "",
+            escape_uri_path(self.path),
+            "/" if force_append_slash and not self.path.endswith("/") else "",
             ("?" + iri_to_uri(self.meta.get("QUERY_STRING", "")))
             if self.meta.get("QUERY_STRING", "")
             else "",
@@ -220,7 +202,7 @@ class HttpRequest:
             location = str(location)
         bits = urlsplit(location)
         if not (bits.scheme and bits.netloc):
-            current_scheme_host = f"{self.scheme}://{self.get_host()}"
+            current_scheme_host = f"{self.scheme}://{self.host}"
 
             # Handle the simple, most common case. If the location is absolute
             # and a scheme or host (netloc) isn't provided, skip an expensive

plain/internal/handlers/base.py

@@ -4,7 +4,7 @@ import types
 from opentelemetry import baggage, trace
 from opentelemetry.semconv.attributes import http_attributes, url_attributes
 
-from plain.exceptions import DisallowedHost, ImproperlyConfigured
+from plain.exceptions import ImproperlyConfigured
 from plain.logs.utils import log_response
 from plain.runtime import settings
 from plain.urls import get_resolver
@@ -17,6 +17,7 @@ logger = logging.getLogger("plain.request")
 
 # These middleware classes are always used by Plain.
 BUILTIN_BEFORE_MIDDLEWARE = [
+    "plain.internal.middleware.hosts.HostValidationMiddleware",  # Validate Host header first
     "plain.internal.middleware.headers.DefaultHeadersMiddleware",  # Runs after response, to set missing headers
     "plain.internal.middleware.https.HttpsRedirectMiddleware",  # Runs before response, to redirect to HTTPS quickly
     "plain.csrf.middleware.CsrfViewMiddleware",  # Runs before and after get_response...
@@ -78,10 +79,6 @@ class BaseHandler:
         except KeyError:
             # Missing required WSGI environment variables (e.g. in tests)
             pass
-        except DisallowedHost:
-            # Invalid host header - skip URL_FULL for telemetry but let the
-            # exception be handled normally by middleware for proper 400 response
-            pass
 
         # Add query string if present
         if query_string := request.meta.get("QUERY_STRING"):

plain/{http → internal/middleware}/hosts.py

@@ -1,19 +1,65 @@
-"""
-Host validation utilities for ALLOWED_HOSTS functionality.
-
-This module provides functions for validating hosts against allowed patterns,
-including domain patterns, wildcards, and CIDR notation for IP ranges.
-"""
-
 import ipaddress
+import logging
 
+from plain.http import HttpRequest, ResponseBadRequest
+from plain.runtime import settings
 from plain.utils.regex_helper import _lazy_re_compile
 
+logger = logging.getLogger(__name__)
+
 host_validation_re = _lazy_re_compile(
     r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:[0-9]+)?$"
 )
 
 
+class HostValidationMiddleware:
+    """
+    Middleware to validate the Host header against ALLOWED_HOSTS.
+
+    This middleware should run first to ensure all subsequent code can trust
+    that the host header is valid. Returns a 400 Bad Request response if the
+    host is not allowed.
+    """
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        if not is_host_valid(request):
+            host = request.host
+            msg = f"Invalid HTTP_HOST header: {host!r}."
+
+            domain, _ = split_domain_port(host)
+            if domain:
+                msg += f" You may need to add {domain!r} to ALLOWED_HOSTS."
+            else:
+                msg += (
+                    " The domain name provided is not valid according to RFC 1034/1035."
+                )
+
+            logger.warning(
+                msg,
+                extra={"status_code": 400, "request": request},
+            )
+
+            return ResponseBadRequest()
+
+        return self.get_response(request)
+
+
+def is_host_valid(request: HttpRequest) -> bool:
+    """
+    Check if the host is valid according to ALLOWED_HOSTS settings.
+    """
+    allowed_hosts = settings.ALLOWED_HOSTS
+
+    if not allowed_hosts:
+        return True  # Allow all hosts if ALLOWED_HOSTS is empty
+
+    domain, _ = split_domain_port(request.host)
+    return bool(domain) and validate_host(domain, allowed_hosts)
+
+
 def split_domain_port(host: str) -> tuple[str, str]:
     """
     Return a (domain, port) tuple from a given host.
@@ -36,7 +82,7 @@ def split_domain_port(host: str) -> tuple[str, str]:
     return domain, port
 
 
-def _is_same_domain(host: str, pattern: str) -> bool:
+def is_same_domain(host: str, pattern: str) -> bool:
     """
     Return ``True`` if the host is either an exact match or a match
     to the wildcard pattern.
@@ -56,7 +102,7 @@ def _is_same_domain(host: str, pattern: str) -> bool:
     )
 
 
-def _parse_ip_address(
+def parse_ip_address(
     host: str,
 ) -> ipaddress.IPv4Address | ipaddress.IPv6Address | None:
     """
@@ -75,7 +121,7 @@ def _parse_ip_address(
         return None
 
 
-def _parse_cidr_pattern(
+def parse_cidr_pattern(
     pattern: str,
 ) -> ipaddress.IPv4Network | ipaddress.IPv6Network | None:
     """
@@ -113,7 +159,6 @@ def validate_host(host: str, allowed_hosts: list[str]) -> bool:
     Check that the host looks valid and matches a host or host pattern in the
     given list of ``allowed_hosts``. Supported patterns:
 
-    - ``*`` matches anything
     - ``.example.com`` matches a domain and all its subdomains
       (e.g. ``example.com`` and ``sub.example.com``)
     - ``example.com`` matches exactly that domain
@@ -127,21 +172,17 @@ def validate_host(host: str, allowed_hosts: list[str]) -> bool:
     Return ``True`` for a valid host, ``False`` otherwise.
     """
     # Parse the host as an IP address if possible
-    host_ip = _parse_ip_address(host)
+    host_ip = parse_ip_address(host)
 
     for pattern in allowed_hosts:
-        # Wildcard matches everything
-        if pattern == "*":
-            return True
-
         # Check CIDR notation patterns using walrus operator
-        if network := _parse_cidr_pattern(pattern):
+        if network := parse_cidr_pattern(pattern):
             if host_ip and host_ip in network:
                 return True
             continue
 
         # For non-CIDR patterns, use existing domain matching logic
-        if _is_same_domain(host, pattern):
+        if is_same_domain(host, pattern):
             return True
 
     return False

plain/internal/middleware/https.py

@@ -21,7 +21,6 @@ class HttpsRedirectMiddleware:
 
     def maybe_https_redirect(self, request):
         if self.https_redirect_enabled and not request.is_https():
-            host = request.get_host()
             return ResponseRedirect(
-                f"https://{host}{request.get_full_path()}", status_code=301
+                f"https://{request.host}{request.get_full_path()}", status_code=301
             )

plain/internal/middleware/slash.py

@@ -65,7 +65,7 @@ class RedirectSlashMiddleware:
                 f"You called this URL via {request.method}, but the URL doesn't end "
                 "in a slash and you have APPEND_SLASH set. Plain can't "
                 f"redirect to the slash URL while maintaining {request.method} data. "
-                f"Change your form to point to {request.get_host() + new_path} (note the trailing "
+                f"Change your form to point to {request.host + new_path} (note the trailing "
                 "slash), or set APPEND_SLASH=False in your Plain settings."
             )
         return new_path

plain/preflight/README.md

@@ -51,11 +51,11 @@ def custom_deploy_check(package_configs, **kwargs):
 
 ## Silencing preflight checks
 
-The `settings.PREFLIGHT_SILENCED_CHECKS` setting can be used to silence individual checks by their ID (ex. `security.W020`).
+The `settings.PREFLIGHT_SILENCED_CHECKS` setting can be used to silence individual checks by their ID (ex. `security.E020`).
 
 ```python
 # app/settings.py
 PREFLIGHT_SILENCED_CHECKS = [
-    "security.W020",
+    "security.E020",  # Allow empty ALLOWED_HOSTS in deployment
 ]
 ```

plain/preflight/security.py

@@ -1,7 +1,7 @@
 from plain.exceptions import ImproperlyConfigured
 from plain.runtime import settings
 
-from .messages import Warning
+from .messages import Error, Warning
 from .registry import register_check
 
 SECRET_KEY_MIN_LENGTH = 50
@@ -81,9 +81,9 @@ def check_allowed_hosts(package_configs, **kwargs):
         []
         if settings.ALLOWED_HOSTS
         else [
-            Warning(
+            Error(
                 "ALLOWED_HOSTS must not be empty in deployment.",
-                id="security.W020",
+                id="security.E020",
             )
         ]
     )

plain/runtime/global_settings.py

@@ -23,8 +23,9 @@ URLS_ROUTER: str
 # MARK: HTTP and Security
 
 # Hosts/domain names that are valid for this site.
-# "*" matches anything, ".example.com" matches example.com and all subdomains
-# "192.168.1.0/24" matches IP addresses in that CIDR range
+# - An empty list [] allows all hosts (useful for development).
+# - ".example.com" matches example.com and all subdomains
+# - "192.168.1.0/24" matches IP addresses in that CIDR range
 ALLOWED_HOSTS: list[str] = []
 
 # Default headers for all responses.

{plain-0.65.1.dist-info → plain-0.67.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plain
-Version: 0.65.1
+Version: 0.67.0
 Summary: A web framework for building products with Python.
 Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
 License-File: LICENSE

{plain-0.65.1.dist-info → plain-0.67.0.dist-info}/RECORD

@@ -1,9 +1,9 @@
 plain/AGENTS.md,sha256=5XMGBpJgbCNIpp60DPXB7bpAtFk8FAzqiZke95T965o,1038
-plain/CHANGELOG.md,sha256=NlQC7IqcrH9tiUMqkCgyG6Pn7xQiaDUE3Xtfn6g4nIc,15292
+plain/CHANGELOG.md,sha256=8Ljw7VTQP1cn6sUy_1Pum2cmHsnmeRqbL8oBIWvxw-s,16604
 plain/README.md,sha256=5BJyKhf0TDanWVbOQyZ3zsi5Lov9xk-LlJYCDWofM6Y,4078
 plain/__main__.py,sha256=GK39854Lc_LO_JP8DzY9Y2MIQ4cQEl7SXFJy244-lC8,110
 plain/debug.py,sha256=XdjnXcbPGsi0J2SpHGaLthhYU5AjhBlkHdemaP4sbYY,758
-plain/exceptions.py,sha256=ljOLqgVwPKlGWqaNmjHcHQf6y053bZ9ogkLFEGcs-Gg,5973
+plain/exceptions.py,sha256=QepC5UG5IBGW3h2cimOqGtjslAzvYdLYIn6xHdyco-Y,5868
 plain/json.py,sha256=McJdsbMT1sYwkGRG--f2NSZz0hVXPMix9x3nKaaak2o,1262
 plain/paginator.py,sha256=iXiOyt2r_YwNrkqCRlaU7V-M_BKaaQ8XZElUBVa6yeU,5844
 plain/signing.py,sha256=i8Bf12c96u_1BZYjETiixhsLAWMAt_y4CIYZOsI6IVA,8295
@@ -44,9 +44,9 @@ plain/cli/agent/docs.py,sha256=ubX3ZeRHxVaetLk9fjiN9mJ07GZExC-CHUvQoX2DD7c,2464
 plain/cli/agent/llmdocs.py,sha256=AUpNDb1xSOsSpzGOiFvpzUe4f7PUGMiR9cI13aVZouo,5038
 plain/cli/agent/md.py,sha256=7r1II8ckubBFOZNGPASWaPmJdgByWFPINLqIOzRetLQ,2581
 plain/cli/agent/prompt.py,sha256=rugYyQHV7JDNqGrx3_PPShwwqYlnEVbxw8RsczOo8tg,1253
-plain/cli/agent/request.py,sha256=U4acLmpXlbFRjivrPtVv_r8DBts8OXg3m3-qotQxGL4,6547
+plain/cli/agent/request.py,sha256=uUbZoAhSSjOLtzgAAzacvqCS_27H-AvoeqIxpzjUjAA,5800
 plain/csrf/README.md,sha256=ApWpB-qlEf0LkOKm9Yr-6f_lB9XJEvGFDo_fraw8ghI,2391
-plain/csrf/middleware.py,sha256=n5_7v6qwFKgiAnKVyJa7RhwHoWepLkPudzIgZtdku5A,5119
+plain/csrf/middleware.py,sha256=KF8ngFadWdS0MHXC1dTLx-K3VtD6Xs-3RDjFqpiiEjQ,5053
 plain/csrf/views.py,sha256=HwQqfI6KPelHP9gSXhjfZaTLQic71PKsoZ6DPhr1rKI,572
 plain/forms/README.md,sha256=7MJQxNBoKkg0rW16qF6bGpUBxZrMrWjl2DZZk6gjzAU,2258
 plain/forms/__init__.py,sha256=UxqPwB8CiYPCQdHmUc59jadqaXqDmXBH8y4bt9vTPms,226
@@ -57,9 +57,8 @@ plain/forms/forms.py,sha256=hF7Dl8rEaiBTZhFQyfbh1Zf54BSEka8RYpBiGqkTa8I,10441
 plain/http/README.md,sha256=hkjTJJ2_WEGm7vaIxjjNHrzD6EN5VI6pjDJPIR9l1jo,760
 plain/http/__init__.py,sha256=PfmXBIq7onLO_bbOrVdj5rJeHxqJMYqrIobVKupUzUA,1003
 plain/http/cookie.py,sha256=THd7nOl-2ugeBPKgOhbD87aM2oxUbNH8HWrarUn0fpM,1955
-plain/http/hosts.py,sha256=GbvFzle2VgPC2ehtXW8MM_1XD9gKuv7h-8HTOX3RiJA,4567
 plain/http/multipartparser.py,sha256=Z1dFJNAd8N5RHUuF67jh1jBfZOFepORsre_3ee6CgOQ,27266
-plain/http/request.py,sha256=6kimxbIZMK2ckx366fQHDzrNTf6H8ih6YJ4y9yx2aAI,24623
+plain/http/request.py,sha256=4VkejuFitAwlmHs45hV6g-BfZxKM-D9vqnNTTljzj28,23864
 plain/http/response.py,sha256=FM3otFkKEEkAaV_pVB3JUSMhMk7x_zf5JcDWKhOKviM,23223
 plain/internal/__init__.py,sha256=fVBaYLCXEQc-7riHMSlw3vMTTuF7-0Bj2I8aGzv0o0w,171
 plain/internal/files/__init__.py,sha256=VctFgox4Q1AWF3klPaoCC5GIw5KeLafYjY5JmN8mAVw,63
@@ -71,13 +70,14 @@ plain/internal/files/uploadedfile.py,sha256=JRB7T3quQjg-1y3l1ASPxywtSQZhaeMc45uF
 plain/internal/files/uploadhandler.py,sha256=63_QUwAwfq3bevw79i0S7zt2EB2UBoO7MaauvezaVMY,7198
 plain/internal/files/utils.py,sha256=xN4HTJXDRdcoNyrL1dFd528MBwodRlHZM8DGTD_oBIg,2646
 plain/internal/handlers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-plain/internal/handlers/base.py,sha256=rrPq-LqMOsDUP2IQ-d_FUNq8fZfYqbLVMYOeqrftoXQ,6228
+plain/internal/handlers/base.py,sha256=YAfb43PPtkVtBzAlS7UsaCPh10a9h_K7qdIUoNg6LdE,6100
 plain/internal/handlers/exception.py,sha256=TbPYtgZ7ITJahUKhQWkptHK28Lb4zh_nOviNctC2EYs,4815
 plain/internal/handlers/wsgi.py,sha256=dgPT29t_F9llB-c5RYU3SHxGuZNaZ83xRjOfuOmtOl8,8209
 plain/internal/middleware/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 plain/internal/middleware/headers.py,sha256=ENIW1Gwat54hv-ejgp2R8QTZm-PlaI7k44WU01YQrNk,964
-plain/internal/middleware/https.py,sha256=ctW90yJnn-blMb1lv17IsSWlAThHJ4RDku5XFfFNECM,834
-plain/internal/middleware/slash.py,sha256=JWcIfGbXEKH00I7STq1AMdHhFGmQHC8lkKENa6280ko,2846
+plain/internal/middleware/hosts.py,sha256=vKdjElDk1-Ju6FUXtm5t0AfPPN-DPhjS31PkRrhM6vc,5799
+plain/internal/middleware/https.py,sha256=bjysNX6_2l4Rp4DpzF2XYjH-m6gfHNq2x-MN2hHGW78,804
+plain/internal/middleware/slash.py,sha256=qBTJ-yvOM0d8gUISUC7Fx22LG6aj76uhOiNHjvTkAAs,2840
 plain/logs/README.md,sha256=rzOHfngjizLgXL21g0svC1Cdya2s_gBA_E-IljtHpy8,4069
 plain/logs/__init__.py,sha256=gFVMcNn5D6z0JrvUJgGsOeYj1NKNtEXhw0MvPDtkN6w,58
 plain/logs/configure.py,sha256=G5kLP-92hOWE7vlWG3lhSbzOKXobavFbqjohevJF1Jg,1322
@@ -89,16 +89,16 @@ plain/packages/README.md,sha256=iNqMtwFDVNf2TqKUzLKQW5Y4_GsssmdB4cVerzu27Ro,2674
 plain/packages/__init__.py,sha256=OpQny0xLplPdPpozVUUkrW2gB-IIYyDT1b4zMzOcCC4,160
 plain/packages/config.py,sha256=2U7b1cp_kqIuLdSeHGCLrSUV77TdfGRsww3PcXOazaA,2910
 plain/packages/registry.py,sha256=6ogeHZ8t3kBSoLoI7998r0kIbkEPhLGn-7yi-1qVjVo,7969
-plain/preflight/README.md,sha256=Ae7ujHmsJhTpRGX0pghBwGD2CG7SIxngenyb5CSbc2M,1721
+plain/preflight/README.md,sha256=6fA6zXmNUtO5xMrVV-0JLyzSJsIIEEGZyFSAW53nYYE,1764
 plain/preflight/__init__.py,sha256=j4-yPnrM5hmjumrdkBLOQjFHzRHpA6wCjiFpMNBjIqY,619
 plain/preflight/files.py,sha256=D_pBSwRXpXy2-3FWywweozuxrhIaR8w5hpPA2d6XMPs,522
 plain/preflight/messages.py,sha256=B6VyXzu7HTJHaPVK4G1L_1HVHG87CT7JPtcDk8QYSeE,2322
 plain/preflight/registry.py,sha256=vcqzaE1MIneNL_ydKPy_1zrSThnzsrWARSClLCJ-4b8,2331
-plain/preflight/security.py,sha256=oxUZBp2M0bpBfUoLYepIxoex2Y90nyjlrL8XU8UTHYY,2438
+plain/preflight/security.py,sha256=71cW35LMOlciAbtWXf50EhKhQQCZ-2LlQgXJ6Zxhxv4,2443
 plain/preflight/urls.py,sha256=cQ-WnFa_5oztpKdtwhuIGb7pXEml__bHsjs1SWO2YNI,1468
 plain/runtime/README.md,sha256=sTqXXJkckwqkk9O06XMMSNRokAYjrZBnB50JD36BsYI,4873
 plain/runtime/__init__.py,sha256=byFYnHrpUCwkpkHtdNhxr9iUdLDCWJjy92HPj30Ilck,2478
-plain/runtime/global_settings.py,sha256=GxcXFjXui5GLkiLlWe8P8X91ndShnmuJK0Ql6xjn24s,5826
+plain/runtime/global_settings.py,sha256=EZ9mdDkwJkXGWDs0bnYnNmpfX49GP30RyU5HgxlrRPc,5872
 plain/runtime/user_settings.py,sha256=OzMiEkE6ZQ50nxd1WIqirXPiNuMAQULklYHEzgzLWgA,11027
 plain/runtime/utils.py,sha256=p5IuNTzc7Kq-9Ym7etYnt_xqHw5TioxfSkFeq1bKdgk,832
 plain/signals/README.md,sha256=XefXqROlDhzw7Z5l_nx6Mhq6n9jjQ-ECGbH0vvhKWYg,272
@@ -161,8 +161,8 @@ plain/views/forms.py,sha256=ESZOXuo6IeYixp1RZvPb94KplkowRiwO2eGJCM6zJI0,2400
 plain/views/objects.py,sha256=v3Vgvdoc1s0QW6JNWWrO5XXy9zF7vgwndgxX1eOSQoE,4999
 plain/views/redirect.py,sha256=Xpb3cB7nZYvKgkNqcAxf9Jwm2SWcQ0u2xz4oO5M3vP8,1909
 plain/views/templates.py,sha256=oAlebEyfES0rzBhfyEJzFmgLkpkbleA6Eip-8zDp-yk,1863
-plain-0.65.1.dist-info/METADATA,sha256=MnXWc7Ncpu8r1geVUL6uiAorVD_1aJ0CJ5KcUs4jkQI,4488
-plain-0.65.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-plain-0.65.1.dist-info/entry_points.txt,sha256=iGx7EijzXy87htbSv90RhtAcjhSTH_kvE8aeRCn1TRA,129
-plain-0.65.1.dist-info/licenses/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
-plain-0.65.1.dist-info/RECORD,,
+plain-0.67.0.dist-info/METADATA,sha256=w_ZT2zv65VtVbl4yh0tKrVw8q9PeDj0cKWeeLm3pPNU,4488
+plain-0.67.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+plain-0.67.0.dist-info/entry_points.txt,sha256=iGx7EijzXy87htbSv90RhtAcjhSTH_kvE8aeRCn1TRA,129
+plain-0.67.0.dist-info/licenses/LICENSE,sha256=m0D5O7QoH9l5Vz_rrX_9r-C8d9UNr_ciK6Qwac7o6yo,3175
+plain-0.67.0.dist-info/RECORD,,