Raise AlreadyConfiguredError when disable! and default conflict

- disable! now raises AlreadyConfiguredError if default has been called
- default now raises AlreadyConfiguredError if disable! has been called
- Updated tests to verify error conditions
- Updated documentation to reflect mutual exclusion

Co-authored-by: fletchto99 <[email protected]>

Author: Copilot

lib/secure_headers/configuration.rb

@@ -11,13 +11,15 @@ class IllegalPolicyModificationError < StandardError; end
     class << self
       # Public: Disable secure_headers entirely. When disabled, no headers will be set.
       #
-      # Note: This should be called before Configuration.default. Calling it after
-      # Configuration.default has been set will clear the default configuration.
+      # Note: This must be called before Configuration.default. Calling it after
+      # Configuration.default has been set will raise an AlreadyConfiguredError.
       #
       # Returns nothing
+      # Raises AlreadyConfiguredError if Configuration.default has already been called
       def disable!
-        # Clear any existing default config to maintain consistency
-        remove_instance_variable(:@default_config) if defined?(@default_config)
+        if defined?(@default_config)
+          raise AlreadyConfiguredError, "Configuration already set, cannot disable"
+        end
 
         @disabled = true
         @noop_config = create_noop_config.freeze
@@ -41,7 +43,12 @@ def disabled?
       # Optionally supply a block to override the defaults set by this library.
       #
       # Returns the newly created config.
+      # Raises AlreadyConfiguredError if Configuration.disable! has already been called
       def default(&block)
+        if disabled?
+          raise AlreadyConfiguredError, "Configuration has been disabled, cannot set default"
+        end
+
         if defined?(@default_config)
           raise AlreadyConfiguredError, "Policy already configured"
         end

spec/lib/secure_headers/configuration_spec.rb

@@ -144,18 +144,27 @@ module SecureHeaders
         expect(Configuration.overrides(Configuration::NOOP_OVERRIDE)).to_not be_nil
       end
 
-      it "clears existing default config when called after default" do
+      it "raises AlreadyConfiguredError when called after default" do
         Configuration.default do |config|
           config.csp = { default_src: %w('self'), script_src: %w('self') }
         end
 
+        expect {
+          Configuration.disable!
+        }.to raise_error(Configuration::AlreadyConfiguredError, "Configuration already set, cannot disable")
+      end
+
+      it "raises AlreadyConfiguredError when default is called after disable!" do
         Configuration.disable!
 
-        expect(Configuration.disabled?).to be true
-        expect(Configuration.instance_variable_defined?(:@default_config)).to be false
+        expect {
+          Configuration.default do |config|
+            config.csp = { default_src: %w('self'), script_src: %w('self') }
+          end
+        }.to raise_error(Configuration::AlreadyConfiguredError, "Configuration has been disabled, cannot set default")
       end
 
-      it "allows default to be called after disable! has been invoked" do
+      it "allows default to be called after disable! and reset_config" do
         Configuration.disable!
         reset_config