ruby-oauth · pboling · May 21, 2026 · May 20, 2026 · May 20, 2026 · May 20, 2026
diff --git a/.rubocop_gradual.lock b/.rubocop_gradual.lock
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,12 +22,16 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Changed
 
+- auth-sanitizer v0.1.3
+
 ### Deprecated
 
 ### Removed
 
 ### Fixed
 
+- Load `auth-sanitizer` through an internal isolated loader so requiring `oauth` does not add top-level `Auth` or `AuthSanitizer` constants that may collide with downstream applications.
+
 ### Security
 
 ## [1.1.4] - 2026-05-16

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,8 +1,8 @@
 PATH
   remote: .
   specs:
-    oauth (1.1.4)
-      auth-sanitizer (~> 0.1, >= 0.1.2)
+    oauth (1.1.5)
+      auth-sanitizer (~> 0.1, >= 0.1.3)
       base64 (~> 0.1)
       cgi
       oauth-tty (~> 1.0, >= 1.0.7)
@@ -94,7 +94,7 @@ GEM
       rake (>= 10)
       thor (>= 0.14)
     ast (2.4.3)
-    auth-sanitizer (0.1.2)
+    auth-sanitizer (0.1.3)
       version_gem (~> 1.1, >= 1.1.9)
     backports (3.25.3)
     base64 (0.3.0)
@@ -227,7 +227,7 @@ GEM
       net-imap
       net-pop
       net-smtp
-    marcel (1.1.0)
+    marcel (1.2.1)
     mime-types (3.7.0)
       logger
       mime-types-data (~> 3.2025, >= 3.2025.0507)
@@ -499,15 +499,15 @@ GEM
       yard
     yard-relative_markdown_links (0.6.0)
       nokogiri (>= 1.14.3, < 2)
-    zeitwerk (2.7.5)
+    zeitwerk (2.8.1)
     zlib (3.2.3)
 
 PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
   addressable (>= 2.8, < 3)
-  appraisal2 (~> 3.0)
+  appraisal2 (~> 3.0, >= 3.0.6)
   backports (~> 3.25, >= 3.25.1)
   benchmark (~> 0.4, >= 0.4.1)
   bundler-audit (~> 0.9.3)
@@ -519,7 +519,7 @@ DEPENDENCIES
   irb (~> 1.15, >= 1.15.2)
   kettle-dev (~> 2.0)
   kettle-soup-cover (~> 1.0, >= 1.0.10)
-  kettle-test (~> 1.0, >= 1.0.6)
+  kettle-test (~> 1.0, >= 1.0.10)
   kramdown (~> 2.5, >= 2.5.1)
   kramdown-parser-gfm (~> 1.1)
   mocha
@@ -540,7 +540,7 @@ DEPENDENCIES
   rubocop-ruby2_3
   ruby-progressbar (~> 1.13)
   standard (>= 1.50)
-  stone_checksums (~> 1.0, >= 1.0.2)
+  stone_checksums (~> 1.0, >= 1.0.3)
   stringio (>= 3.0)
   typhoeus (>= 0.1.13)
   vcr (>= 4)

diff --git a/gemfiles/audit.gemfile b/gemfiles/audit.gemfile
@@ -2,6 +2,6 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/x_std_libs.gemfile")
diff --git a/gemfiles/coverage.gemfile b/gemfiles/coverage.gemfile
@@ -2,7 +2,7 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/coverage.gemfile")
 

diff --git a/gemfiles/current.gemfile b/gemfiles/current.gemfile
@@ -2,6 +2,6 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/x_std_libs.gemfile")
diff --git a/gemfiles/dep_heads.gemfile b/gemfiles/dep_heads.gemfile
@@ -2,8 +2,8 @@
 
 source "https://gem.coop"
 
-gem "oauth-tty", :branch => "main", :git => "https://github.com/ruby-oauth/oauth-tty"
+gem "oauth-tty", branch: "main", git: "https://github.com/ruby-oauth/oauth-tty"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/runtime_heads.gemfile")
diff --git a/gemfiles/head.gemfile b/gemfiles/head.gemfile
@@ -5,6 +5,6 @@ source "https://gem.coop"
 gem "cgi", ">= 0.5"
 gem "benchmark", "~> 0.4", ">= 0.4.1"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/x_std_libs.gemfile")
diff --git a/gemfiles/ruby_2_3.gemfile b/gemfiles/ruby_2_3.gemfile
@@ -2,6 +2,6 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/x_std_libs/r2.3/libs.gemfile")
diff --git a/gemfiles/ruby_2_4.gemfile b/gemfiles/ruby_2_4.gemfile
@@ -2,6 +2,6 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/x_std_libs/r2.4/libs.gemfile")
diff --git a/gemfiles/ruby_2_5.gemfile b/gemfiles/ruby_2_5.gemfile
@@ -2,6 +2,6 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/x_std_libs/r2.6/libs.gemfile")
diff --git a/gemfiles/ruby_2_6.gemfile b/gemfiles/ruby_2_6.gemfile
@@ -2,6 +2,6 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/x_std_libs/r2.6/libs.gemfile")
diff --git a/gemfiles/ruby_2_7.gemfile b/gemfiles/ruby_2_7.gemfile
@@ -2,6 +2,6 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/x_std_libs/r2/libs.gemfile")
diff --git a/gemfiles/ruby_3_0.gemfile b/gemfiles/ruby_3_0.gemfile
@@ -2,6 +2,6 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/x_std_libs/r3.1/libs.gemfile")
diff --git a/gemfiles/ruby_3_1.gemfile b/gemfiles/ruby_3_1.gemfile
@@ -2,6 +2,6 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/x_std_libs/r3.1/libs.gemfile")
diff --git a/gemfiles/ruby_3_2.gemfile b/gemfiles/ruby_3_2.gemfile
@@ -2,6 +2,6 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/x_std_libs/r3/libs.gemfile")
diff --git a/gemfiles/ruby_3_3.gemfile b/gemfiles/ruby_3_3.gemfile
@@ -2,6 +2,6 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/x_std_libs/r3/libs.gemfile")
diff --git a/gemfiles/style.gemfile b/gemfiles/style.gemfile
@@ -2,7 +2,7 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/style.gemfile")
 

diff --git a/gemfiles/unlocked_deps.gemfile b/gemfiles/unlocked_deps.gemfile
@@ -2,7 +2,7 @@
 
 source "https://gem.coop"
 
-gemspec :path => "../"
+gemspec path: "../"
 
 eval_gemfile("modular/coverage.gemfile")
 

diff --git a/lib/oauth.rb b/lib/oauth.rb
@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
 # third party gems
-require "auth/sanitizer"
 require "snaky_hash"
 require "version_gem"
 
 require "oauth/version"
+require "oauth/auth_sanitizer"
 
 require "oauth/oauth"
 

diff --git a/lib/oauth/auth_sanitizer.rb b/lib/oauth/auth_sanitizer.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module OAuth
+  AUTH_SANITIZER = begin
+    auth_sanitizer_requirement = Gem::Requirement.new("~> 0.1", ">= 0.1.3")
+    auth_sanitizer_spec = Gem.loaded_specs["auth-sanitizer"]
+    unless auth_sanitizer_spec && auth_sanitizer_requirement.satisfied_by?(auth_sanitizer_spec.version)
+      # :nocov:
+      auth_sanitizer_spec = Gem::Specification.find_by_name("auth-sanitizer", auth_sanitizer_requirement)
+      # :nocov:
+    end
+
+    auth_sanitizer_loader_path = File.join(
+      auth_sanitizer_spec.full_gem_path,
+      "lib/auth_sanitizer/loader.rb",
+    )
+    unless File.file?(auth_sanitizer_loader_path)
+      # :nocov:
+      raise LoadError, "oauth requires auth-sanitizer #{auth_sanitizer_requirement}; " \
+        "loader not found at #{auth_sanitizer_loader_path}"
+      # :nocov:
+    end
+
+    auth_sanitizer_loader_namespace = Module.new
+    auth_sanitizer_loader_namespace.module_eval(
+      File.read(auth_sanitizer_loader_path),
+      auth_sanitizer_loader_path,
+      1,
+    )
+
+    auth_sanitizer_loader_namespace
+      .const_get(:AuthSanitizer)
+      .const_get(:Loader)
+      .load_isolated
+  end
+end
diff --git a/lib/oauth/consumer.rb b/lib/oauth/consumer.rb
@@ -10,10 +10,10 @@
 module OAuth
   # Consumer credentials and request configuration for OAuth 1.0 / 1.0a flows.
   #
-  # Includes {Auth::Sanitizer::FilteredAttributes} so inspect output redacts the
+  # Includes {OAuth::AUTH_SANITIZER::FilteredAttributes} so inspect output redacts the
   # consumer secret while leaving non-sensitive configuration visible.
   class Consumer
-    include Auth::Sanitizer::FilteredAttributes
+    include OAuth::AUTH_SANITIZER::FilteredAttributes
 
     # Instance attributes exposed by the consumer.
     #

diff --git a/lib/oauth/signature/base.rb b/lib/oauth/signature/base.rb
@@ -9,11 +9,11 @@ module OAuth
   module Signature
     # Base class for OAuth signature implementations.
     #
-    # Includes {Auth::Sanitizer::FilteredAttributes} so inspect output redacts
+    # Includes {OAuth::AUTH_SANITIZER::FilteredAttributes} so inspect output redacts
     # secret-bearing fields captured during signature construction.
     class Base
       include OAuth::Helper
-      include Auth::Sanitizer::FilteredAttributes
+      include OAuth::AUTH_SANITIZER::FilteredAttributes
 
       # Signature construction options.
       #

diff --git a/lib/oauth/tokens/token.rb b/lib/oauth/tokens/token.rb
@@ -3,12 +3,12 @@
 module OAuth
   # Superclass for the various tokens used by OAuth.
   #
-  # Includes {Auth::Sanitizer::FilteredAttributes} so inspect output redacts the
+  # Includes {OAuth::AUTH_SANITIZER::FilteredAttributes} so inspect output redacts the
   # token value and token secret while leaving object identity and non-sensitive
   # fields visible.
   class Token
     include OAuth::Helper
-    include Auth::Sanitizer::FilteredAttributes
+    include OAuth::AUTH_SANITIZER::FilteredAttributes
 
     # Token attributes.
     #

diff --git a/lib/oauth/version.rb b/lib/oauth/version.rb
@@ -2,7 +2,7 @@
 
 module OAuth
   module Version
-    VERSION = "1.1.4"
+    VERSION = "1.1.5"
   end
   VERSION = Version::VERSION # Traditional Constant Location
 end
diff --git a/oauth.gemspec b/oauth.gemspec
@@ -98,9 +98,9 @@ Gem::Specification.new do |spec|
   # "oauth-tty" was extracted from this gem with release 1.1 of this gem
   # It is now a dependency for backward compatibility.
   # The dependency will cease to be a direct dependency with release 2.0.
-  spec.add_dependency("auth-sanitizer", "~> 0.1", ">= 0.1.2")
-  spec.add_dependency("oauth-tty", "~> 1.0", ">= 1.0.7")
-  spec.add_dependency("snaky_hash", "~> 2.0", ">= 2.0.4")
+  spec.add_dependency("auth-sanitizer", "~> 0.1", ">= 0.1.3")           # ruby >= 2.2.0
+  spec.add_dependency("oauth-tty", "~> 1.0", ">= 1.0.7")                # ruby >= 2.3.0
+  spec.add_dependency("snaky_hash", "~> 2.0", ">= 2.0.4")               # ruby >= 2.2.0
 
   # Standard Library Extracted Gems
   spec.add_dependency("base64", "~> 0.1") # became a bundled gem in ruby 3.4 (was default from 3.0 to 3.3)
@@ -141,12 +141,12 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency("require_bench", "~> 1.0", ">= 1.0.4")            # ruby >= 2.2.0
 
   # Testing
-  spec.add_development_dependency("appraisal2", "~> 3.0")                           # ruby >= 1.8.7, for testing against multiple versions of dependencies
-  spec.add_development_dependency("kettle-test", "~> 1.0", ">= 1.0.6")              # ruby >= 2.3
+  spec.add_development_dependency("appraisal2", "~> 3.0", ">= 3.0.6")               # ruby >= 1.8.7, for testing against multiple versions of dependencies
+  spec.add_development_dependency("kettle-test", "~> 1.0", ">= 1.0.10")              # ruby >= 2.3
 
   # Releasing
   spec.add_development_dependency("ruby-progressbar", "~> 1.13")                    # ruby >= 0
-  spec.add_development_dependency("stone_checksums", "~> 1.0", ">= 1.0.2")          # ruby >= 2.2.0
+  spec.add_development_dependency("stone_checksums", "~> 1.0", ">= 1.0.3")          # ruby >= 2.2.0
 
   # Git integration (optional)
   # The 'git' gem is optional; oauth falls back to shelling out to `git` if it is not present.

diff --git a/sig/oauth/consumer.rbs b/sig/oauth/consumer.rbs
@@ -1,6 +1,6 @@
 module OAuth
   class Consumer
-    include Auth::Sanitizer::FilteredAttributes
+    include OAuth::AUTH_SANITIZER::FilteredAttributes
 
     attr_accessor options: untyped
     attr_accessor key: untyped

diff --git a/sig/oauth/signature/base.rbs b/sig/oauth/signature/base.rbs
@@ -1,7 +1,7 @@
 module OAuth
   module Signature
     class Base
-      include Auth::Sanitizer::FilteredAttributes
+      include OAuth::AUTH_SANITIZER::FilteredAttributes
 
       attr_accessor options: untyped
       attr_reader token_secret: untyped

diff --git a/sig/oauth/tokens/token.rbs b/sig/oauth/tokens/token.rbs
@@ -1,6 +1,6 @@
 module OAuth
   class Token
-    include Auth::Sanitizer::FilteredAttributes
+    include OAuth::AUTH_SANITIZER::FilteredAttributes
 
     attr_accessor token: untyped
     attr_accessor secret: untyped