chore: ignore .claude/ dir (CLAUDE.md now lives under .claude/)

Signed-off-by: disqualifier <dev@disqualifier.me>

.gitignore

@@ -1,5 +1,5 @@
 # claude
-CLAUDE.md
+.claude/
 
 # python
 __pycache__/

README.md

@@ -11,17 +11,19 @@ and swap the HTTP client while inheriting everything else.
 `requirements.txt`:
 
 ```
-aioweb @ git+ssh://git@git.rethinkstudios.io/rethink-public/aioweb.git@v0.1.0
+aioweb @ git+ssh://git@git.rethinkstudios.io/rethink-public/aioweb.git@v0.1.5
 ```
 
 Direct:
 
 ```bash
-pip install "aioweb @ git+ssh://git@git.rethinkstudios.io/rethink-public/aioweb.git@v0.1.0"
+pip install "aioweb @ git+ssh://git@git.rethinkstudios.io/rethink-public/aioweb.git@v0.1.5"
 ```
 
 Requires `aiohttp` and `yarl` (pulled transitively).
 
+Drop the `@v0.1.5` suffix from the line above to install the latest unpinned.
+
 ## Usage
 
 ```python
@@ -128,6 +130,23 @@ Two changes can't be shimmed without re-introducing the bugs they fix:
   `await s.close()`; a leaked session emits a `ResourceWarning`. The old finalizer-based
   auto-close was unsafe and was removed.
 
+## Changelog
+
+### v0.1.2
+
+- Pinned `commons` to v0.2.1 (retry `attempts` floor fix).
+
+### v0.1.1
+
+- **JSON list bodies** now route to `json=` (were wrongly form-encoded via `data=` —
+  only dicts went to `json=` before).
+- **Exhausted retries return the real last response.** When every attempt hit a
+  retryable status (429/5xx), the loop discarded it and returned a synthetic
+  `FailureResponse` (status 0); now the real last 4xx/5xx `Response` is returned (only a
+  pure-exception failure yields `FailureResponse`).
+- Retry/backoff moved onto `commons.aretry` (shared engine); backoff schedule unchanged.
+  Adds a `commons` dependency.
+
 ## Versioning
 
-Tagged `vX.Y.Z`. Pin the tag in `requirements.txt`.
+Releases are tagged `vX.Y.Z`. The install line above pins a release; drop the `@vX.Y.Z` suffix to install the latest unpinned. Pin deliberately for reproducible installs.

pyproject.toml

@@ -4,13 +4,13 @@ build-backend = "hatchling.build"
 
 [project]
 name = "aioweb"
-version = "0.1.1"
+version = "0.1.5"
 description = "Async HTTP session wrapper over aiohttp — proxies, header overwrites, retries, previews. Config-free, installable."
 requires-python = ">=3.10"
 dependencies = [
     "aiohttp>=3.9",
     "yarl>=1.9",
-    "commons @ git+ssh://git@git.rethinkstudios.io/rethink-public/commons.git@v0.2.0",
+    "commons @ git+ssh://git@git.rethinkstudios.io/rethink-public/commons.git@v0.2.1",
 ]
 
 [tool.hatch.metadata]

src/aioweb/preview.py

@@ -3,6 +3,7 @@ request preview for aioweb — format or export a request without sending it
 """
 
 import json as _json
+import shlex
 
 
 class RequestPreview:
@@ -25,15 +26,22 @@ class RequestPreview:
         return "\n".join(f"{key}: {value}" for key, value in self.details.items())
 
     def as_curl(self):
-        """equivalent cURL command for the request"""
+        """equivalent cURL command for the request
-        parts = [f"curl -X {self.details['method']}"]
+
+        every interpolated value is shell-quoted with shlex.quote, so headers,
+        body, url, or proxy containing quotes/spaces/metacharacters produce a
+        valid, non-injectable command rather than a broken or unsafe one.
+        """
+        parts = [f"curl -X {shlex.quote(self.details['method'])}"]
         for header, value in (self.details["headers"] or {}).items():
-            parts.append(f"-H '{header}: {value}'")
+            parts.append(f"-H {shlex.quote(f'{header}: {value}')}")
-        if self.details["data"]:
+        if self.details["data"] is not None:
-            parts.append(f"--data '{self.details['data']}'")
+            parts.append(f"--data {shlex.quote(str(self.details['data']))}")
-        elif self.details["json"]:
+        elif self.details["json"] is not None:
-            parts.append(f"--data '{_json.dumps(self.details['json'])}'")
+            # is-not-None, not truthiness: an empty-but-valid body ({} / []) must still
-        parts.append(f"'{self.details['url']}'")
+            # render rather than being dropped as falsy
+            parts.append(f"--data {shlex.quote(_json.dumps(self.details['json']))}")
+        parts.append(shlex.quote(str(self.details["url"])))
         if self.details["proxy"]:
-            parts.append(f"--proxy '{self.details['proxy']}'")
+            parts.append(f"--proxy {shlex.quote(str(self.details['proxy']))}")
         return " \\\n  ".join(parts)

src/aioweb/responses.py

@@ -92,7 +92,9 @@ class Response:
         """parsed JSON content, or None if not valid JSON"""
         try:
             return _json.loads(self.text())
-        except _json.JSONDecodeError:
+        except (_json.JSONDecodeError, UnicodeDecodeError):
+            # text() decodes the body and can raise UnicodeDecodeError on a non-UTF-8
+            # payload — that's a "not valid JSON" outcome, not an error to propagate
             return None
 
     def raise_for_status(self):

src/aioweb/session.py

@@ -17,6 +17,7 @@ sessions must be closed explicitly (async with, or await s.close()); there is no
 __del__ auto-close (that pattern is unsafe for async resources).
 """
 
+import asyncio
 import logging
 import warnings
 
@@ -95,9 +96,15 @@ class ExtendedSession:
         proxy/retry/preview logic in this class never touches the session object
         directly (only _raw_request, the cookie methods, and close do), so those
         features work unchanged on any backend.
+
+        `headers` is the session-default header set; the default aiohttp backend
+        does NOT bake it into the ClientSession (which would copy it into an
+        immutable per-session map that update_headers/clear_headers can't touch).
+        instead `_default_headers` is our own mutable layer that request() and
+        preview() merge per call, so the mutable session-header API actually works.
+        a backend that needs the defaults baked at construction may use `headers`.
         """
         return aiohttp.ClientSession(
-            headers=headers,
             timeout=aiohttp.ClientTimeout(
                 total=timeout,
                 connect=timeout / 2,
@@ -117,10 +124,13 @@ class ExtendedSession:
     def _apply_overwrites(self, request_headers):
         """apply static overwrites and ephemeral headers to a request's headers"""
         request_headers = dict(request_headers or {})
-        for header, value in self.header_overwrites.items():
+        # snapshot the shared override dicts so a concurrent mutation (e.g. a command
+        # editing ephemerals on a shared session) can't raise "dict changed size during
+        # iteration" — the loop body is sync, but the snapshot is cheap insurance
+        for header, value in list(self.header_overwrites.items()):
             if self.inject or header in request_headers:
                 request_headers[header] = value
-        for header, value_callable in self.ephemeral_headers.items():
+        for header, value_callable in list(self.ephemeral_headers.items()):
             if self.inject or header in request_headers:
                 value = value_callable()
                 if isinstance(value, dict):
@@ -233,10 +243,8 @@ class ExtendedSession:
     def preview(self, method, url, **kwargs):
         """build a RequestPreview for a request without sending it"""
         proxy = self._get_proxy(url, kwargs.pop("proxies", None))
-        if kwargs.get("headers"):
+        merged = {**self._default_headers, **(kwargs.pop("headers", None) or {})}
-            headers = self._apply_overwrites(kwargs.pop("headers"))
+        headers = self._apply_overwrites(merged)
-        else:
-            headers = dict(self.get_headers())
 
         timeout = kwargs.get("timeout")
         timeout_total = timeout if isinstance(timeout, (int, float)) else None
@@ -291,7 +299,8 @@ class ExtendedSession:
         kwargs["proxy"] = self._get_proxy(url, kwargs.pop("proxies", None))
         debug = kwargs.pop("debug", False)
 
-        kwargs["headers"] = self._apply_overwrites(kwargs.get("headers"))
+        merged = {**self._default_headers, **(kwargs.get("headers") or {})}
+        kwargs["headers"] = self._apply_overwrites(merged)
         kwargs["headers"] = {str(k): str(v) for k, v in kwargs["headers"].items()}
 
         timeout = kwargs.get("timeout")
@@ -307,6 +316,12 @@ class ExtendedSession:
             if debug and result.redirect_chain:
                 log.info("redirect chain: %s", result.redirect_chain)
             return result
+        except asyncio.TimeoutError as error:
+            # a total ClientTimeout raises a bare asyncio.TimeoutError, which is NOT an
+            # aiohttp.ClientError subclass — wrap it as ServerTimeoutError (which IS both
+            # a ClientError AND a TimeoutError) so direct callers get a typed failure and
+            # request_with_retries can still label it a timeout
+            raise aiohttp.ServerTimeoutError(f"timeout for {url}: {error}") from error
         except aiohttp.ClientError as error:
             raise aiohttp.ClientError(f"client error for {url}: {error}") from error
 
@@ -352,6 +367,12 @@ class ExtendedSession:
             log.error("all %d attempts failed for %s (last status %s)",
                       attempts, url, exhausted.response.status_code)
             return exhausted.response
+        except asyncio.TimeoutError:
+            # request() wraps a total timeout as ServerTimeoutError (a ClientError AND a
+            # TimeoutError); catch the timeout case first so it's labeled a timeout rather
+            # than falling into the generic client-error branch below
+            log.error("all %d attempts timed out for %s", attempts, url)
+            return FailureResponse(reason="timeout", url=url)
         except aiohttp.ClientError as error:
             log.error("all %d attempts failed for %s (client error: %s)", attempts, url, error)
             return FailureResponse(reason=f"client error: {error}", url=url)