WA-VERIFY-071 follow-up: Fix EnforceHostMiddleware NameError in Rails 7.0 appraisal boot

[kitcommerce]

Summary

During WA-VERIFY-071 (PR #1049), the Rails 7.0 deprecation baseline capture was blocked because the test suite cannot boot under the Rails 7.0 appraisal.

Error

uninitialized constant Workarea::EnforceHostMiddleware (NameError)
.../core/config/initializers/10_rack_middleware.rb:56

Impact

• Rails 7.0 test suite cannot run at all — no deprecation warnings can be captured
• The deprecation baseline (goal of WA-VERIFY-071) is blocked until this is resolved

Security Note

EnforceHostMiddleware enforces HTTP Host header validation. Its absence in the Rails 7.0 appraisal means the upgrade path currently lacks this protection. Rails 7.0 introduced native config.hosts allowlist enforcement — this investigation should determine whether:

1. The native Rails 7.0 host protection supersedes EnforceHostMiddleware and the middleware can be removed/shimmed
2. Or the middleware needs to be updated for Rails 7.0 compatibility

Steps to Reproduce

BUNDLE_GEMFILE=gemfiles/rails_7_0.gemfile bundle exec rake core_test

Expected: test suite runs
Actual: aborts with NameError for Workarea::EnforceHostMiddleware

Also Noted

The top-level rake test task is incompatible with the Rails 7.0 appraisal — it prints the rails new usage banner instead of running tests. This may be a separate issue with the Rakefile task definition under the appraisal environment.

Acceptance Criteria

• Identify whether EnforceHostMiddleware needs updating or can be replaced by Rails 7.0 native host enforcement
• Rails 7.0 appraisal boots successfully through the test environment initialization
• rake core_test (or equivalent) can run at least one test under Rails 7.0 appraisal
• WA-VERIFY-071 deprecation baseline can be re-attempted

Related

• PR verify: Capture Rails 7.0 appraisal deprecation warning baseline (WA-VERIFY-071) #1049 (WA-VERIFY-071 — documents the blocker)
• Issue WA-VERIFY-071: Capture Rails 7.0 appraisal deprecation warning baseline #1043 (original WA-VERIFY-071 task)

[kitcommerce]

Investigation Results

Root cause: Rails 7.0 uses Zeitwerk autoloading. Unlike Rails 6.x's Classic autoloader, Zeitwerk loads constants lazily (or eagerly at a specific point in boot). Config initializers run before the eager-load phase, so when 10_rack_middleware.rb references Workarea::EnforceHostMiddleware by constant, Zeitwerk hasn't loaded it yet.

Files affected:

• core/config/initializers/10_rack_middleware.rb (the initializer with the NameError)
• core/app/middleware/workarea/enforce_host_middleware.rb (file exists, correct path)

The middleware file exists and is correctly structured — the issue is purely timing/autoload order.

Decision: Keep the middleware, fix autoload

Rails 7.0 native config.hosts does NOT replicate EnforceHostMiddleware's behavior:

• config.hosts raises 403/500 for wrong hosts; EnforceHostMiddleware does a 301 redirect
• EnforceHostMiddleware respects Workarea.config.enforce_host (can be disabled per-deployment)
• EnforceHostMiddleware supports skip_enforce_host proc for per-request bypass

Removing EnforceHostMiddleware would change behavior for downstream clients.

Fix (PR #1066): Add require_relative calls before registering middleware constants. Safe across all Rails versions.

Boot verified: Rails 7.0 appraisal gets past 10_rack_middleware.rb — boot proceeds to 05_scheduled_jobs.rb where it fails with Redis connection error (expected without services running).