v2.4.4

@RobertoPrevato RobertoPrevato released this 15 Nov 18:12
· 16 commits to main since this release
9c6d06b
  • Add support for annotated types in OpenAPIHandler return types, by @tyzhnenko. This feature is important to support automatic generation of OpenAPI Documentation when returning instances of Response (e.g. Annotated[Response, ProductDetails]).
  • Introduce MiddlewareList and MiddlewareCategory to simplify middleware management and ordering of middlewares (see #620). Middlewares are now automatically sorted by category (INIT, SESSION, AUTH, AUTHZ, BUSINESS, MESSAGE) and optional priority within each category. This ensures proper execution order (e.g., CORS before authentication, authentication before authorization) without requiring developers to manually manage middleware insertion order. The system maintains backward compatibility while providing a more intuitive and error-resistant approach to middleware configuration. The same improvement is applied both to the Application and to the ClientSession classes.
  • Add support for list[str] as a value for no-cache and private directives in code handling cache control headers, by @karpetrosyan.
  • Fix bug #619, that caused surprising behavior (requiring an explicit fallback or catch-all route to handle web requests that didn't match any route, otherwise middlewares would be bypassed for the defined NotFound exception handler).
  • Change the text of Bad Request response body when the input from the client causes a TypeError when trying to bind to an instance of the expected type (it reduces the amount of details sent to the client).
  • Improve the user experience by ignoring extra properties in request body by default, when mapping to user-defined dataclasses, Pydantic v2 models, or classes (see #614). Previously, extra properties were not ignored by default and required the user to explicitly code their input classes to allow extra properties. This is also done for sub-properties, lists, and dictionaries. The user can still control how exactly input bodies from clients are converted using custom binders or altering blacksheep.server.bindings.class_converters.
  • Add support for specifying OpenAPI tags for controllers. This simplifies handling tags for documentation (#616).
  • Improve the build matrix to build wheels for arm64 architecture for Linux and Windows, and use cibuildwheel for Ubuntu and Windows, by @bymoye and @RobertoPrevato.
  • Update type annotations to Python >= 3.10.
  • Fix bug that would prevent union types described using pipes from being properly represented in OpenAPI specification.
  • Add support for alternative programming-style naming for generic types in OpenAPI specification files. When enabled, type names use underscore notation closer to actual type annotations (e.g., PaginatedSet_Address instead of PaginatedSetOfAddress, Dict_str_int instead of DictOfstrAndint). This can be controlled via the programming_names parameter in DefaultSerializer or the APP_OPENAPI_PROGRAMMING_NAMES environment variable, setting it to a truthy value ('1' or 'true').
  • Make EnvironmentSettings read-only, refactor to not use dataclass.
  • Attach EnvironmentSettings to the Application object for runtime inspection, which is useful for transparency and debugging, for testing (assert app.env_settings.force_https is True), and for health check endpoints or admin tools that expose configuration.
  • Add HTTPSchemeMiddleware to set request scheme when running behind reverse proxies or load balancers with TLS termination. See #631.
  • Add support for APP_HTTP_SCHEME environment variable to explicitly set the request scheme to http or https.
  • Add support for APP_FORCE_HTTPS environment variable to force HTTPS scheme and automatically enable HSTS (HTTP Strict Transport Security) headers.
  • Add automatic scheme middleware configuration via configure_scheme_middleware() - applied during application startup when either APP_HTTP_SCHEME or APP_FORCE_HTTPS is set.
  • EnvironmentSettings now includes http_scheme and force_https properties that are automatically populated from environment variables.
  • Request scheme is now automatically configured based on environment settings, to simplify correct URL generation in proxied environments (e.g. OIDC redirections).
  • Improve generate_secret to use secrets.token_urlsafe(48) by default.
  • Improve OpenIDSettings, CookieAuthentication, and AntiForgeryHandler to handle secrets using the Secret class from essentials.secrets. Passing secrets as str directly issues a deprecation warning and won't be supported in 2.5.x or 2.6.x.
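
The scheme handling described in the APP_HTTP_SCHEME and APP_FORCE_HTTPS items above, as an added example: a generic ASGI model written for this page, not BlackSheep's own HTTPSchemeMiddleware code. The function names, the truthy values accepted for APP_FORCE_HTTPS, the HSTS max-age, the host name and the callback path are all assumptions.

```python
import asyncio

HSTS = (b"strict-transport-security", b"max-age=31536000; includeSubDomains")  # assumed policy value


def read_scheme_settings(environ):
    """Return (scheme, force_https) from a mapping of environment variables."""
    force = environ.get("APP_FORCE_HTTPS", "").strip().lower() in {"1", "true"}  # assumed truthy values
    scheme = environ.get("APP_HTTP_SCHEME", "").strip().lower() or None
    if scheme not in (None, "http", "https"):
        raise ValueError(f"APP_HTTP_SCHEME must be http or https, got {scheme!r}")
    return ("https" if force else scheme), force


def scheme_middleware(app, environ):
    """Wrap an ASGI app so it sees the configured scheme; add HSTS when forcing HTTPS."""
    scheme, force = read_scheme_settings(environ)
    async def wrapped(scope, receive, send):
        if scope["type"] != "http" or scheme is None:
            return await app(scope, receive, send)
        scope = {**scope, "scheme": scheme}  # copy: do not mutate the server's scope
        async def send_with_hsts(message):
            if force and message["type"] == "http.response.start":
                headers = [h for h in message.get("headers", []) if h[0].lower() != HSTS[0]]
                message = {**message, "headers": headers + [HSTS]}
            await send(message)

        await app(scope, receive, send_with_hsts)

    return wrapped


async def demo_app(scope, receive, send):
    """Constructed app: builds an OIDC-style redirect URI from the scheme it sees."""
    host = dict(scope["headers"])[b"host"].decode()
    location = f"{scope['scheme']}://{host}/authorization/callback".encode()
    await send({"type": "http.response.start", "status": 302, "headers": [(b"location", location)]})
    await send({"type": "http.response.body", "body": b""})


def run(environ):
    """Drive one constructed request, forwarded as plain http by a TLS-terminating proxy."""
    sent = []
    scope = {"type": "http", "scheme": "http", "headers": [(b"host", b"app.example.com")]}

    async def send(message):
        sent.append(message)

    asyncio.run(scheme_middleware(demo_app, environ)(scope, None, send))  # demo_app never calls receive
    return dict(sent[0]["headers"])
```

Without either variable, the redirect URI is built with http because that is what the proxy forwarded; with APP_FORCE_HTTPS set, the same request yields an https URI and an HSTS header.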

Several issues were reported by @ockan, including issues in the documentation.