tina4ruby 3.10.18 → 3.10.23

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b0dfa03a5f7986169a14d59895459e7ca50d70f0254789c36dbc29aca80b1b93
-  data.tar.gz: e248121b6577b8c5d0ec172ab47e2f82235b500d3508f75e8e0fedd3071ac657
+  metadata.gz: 3ae8ae6d644a0cb19a5b5fc2f68b02066ecfc41c4f6b6e6bae2415fdbe078fcc
+  data.tar.gz: eb1dd0310b3ed508ea582ec186e64f050be8c4fc8925abd5f038689b20a6f551
 SHA512:
-  metadata.gz: 164505c4f5449c7fbfa15ca1b21fbdffa3beac78a7d84e907407ed11881e3a4335d7df8dd6c46cb4bb4fb11ff3f9b89d2cd4b8cd02a77bdfb72a584b965f942e
-  data.tar.gz: b8797d3fd1abe7baf178c73a752b47357d8e56753a699d833a100940433884d036211cfc9942fcee481ca56d610efcb50169ec086df04f31e549e73971b7fb65
+  metadata.gz: cdcb3bf5c7d76949b51ec90fea3eed309fb0e9ec312f5ed5a02451da2a6953c3eb46524d191c0dee3d0efb587dc50581021dabd65b4432b42b469ccaa53342bf
+  data.tar.gz: ac974932d01d89edff858d9873ac39709f88161958956763757d952d8a3d17e97fccf96cd0cc1ce2678bca88488a357f9a28b7f2243d4bcd158be26f4e7fb541

data/lib/tina4/database.rb

@@ -313,14 +313,18 @@ module Tina4
 
     # Pre-generate the next available primary key ID using engine-aware strategies.
     #
+    # Race-safe implementation using a `tina4_sequences` table for SQLite/MySQL/MSSQL
+    # fallback. Each call atomically increments the stored counter, so concurrent
+    # callers never receive the same value.
+    #
     # - Firebird: auto-creates a generator if missing, then increments via GEN_ID.
-    # - PostgreSQL: tries nextval() on the standard sequence, falls through to MAX+1.
-    # - SQLite/MySQL/MSSQL: uses MAX(pk) + 1.
+    # - PostgreSQL: tries nextval() on the named sequence, auto-creates it if missing.
+    # - SQLite/MySQL/MSSQL: atomic UPDATE on `tina4_sequences` table.
     # - Returns 1 if the table is empty or does not exist.
     #
     # @param table [String] Table name
     # @param pk_column [String] Primary key column name (default: "id")
-    # @param generator_name [String, nil] Firebird generator name override
+    # @param generator_name [String, nil] Override for sequence/generator name
     # @return [Integer] The next available ID
     def get_next_id(table, pk_column: "id", generator_name: nil)
       drv = current_driver
@@ -338,36 +342,101 @@ module Tina4
 
         rows = drv.execute_query("SELECT GEN_ID(#{gen_name}, 1) AS NEXT_ID FROM RDB$DATABASE")
         row = rows.is_a?(Array) ? rows.first : nil
-        return (row && (row["NEXT_ID"] || row["next_id"]))&.to_i || 1
+        val = row_value(row, :NEXT_ID) || row_value(row, :next_id)
+        return val&.to_i || 1
       end
 
-      # PostgreSQL — try sequence first, fall through to MAX
+      # PostgreSQL — try sequence first, auto-create if missing
       if @driver_name == "postgres"
-        seq_name = "#{table.downcase}_#{pk_column.downcase}_seq"
+        seq_name = generator_name || "#{table.downcase}_#{pk_column.downcase}_seq"
         begin
           rows = drv.execute_query("SELECT nextval('#{seq_name}') AS next_id")
           row = rows.is_a?(Array) ? rows.first : nil
-          if row && (row["next_id"] || row["nextval"])
-            return (row["next_id"] || row["nextval"]).to_i
-          end
+          val = row_value(row, :next_id) || row_value(row, :nextval)
+          return val.to_i if val
         rescue
-          # No sequence — fall through to MAX
+          # Sequence does not exist — auto-create it seeded from MAX
+          begin
+            max_rows = drv.execute_query("SELECT COALESCE(MAX(#{pk_column}), 0) AS max_id FROM #{table}")
+            max_row = max_rows.is_a?(Array) ? max_rows.first : nil
+            max_val = row_value(max_row, :max_id)
+            start_val = max_val ? max_val.to_i + 1 : 1
+            drv.execute("CREATE SEQUENCE #{seq_name} START WITH #{start_val}")
+            drv.commit rescue nil
+            rows = drv.execute_query("SELECT nextval('#{seq_name}') AS next_id")
+            row = rows.is_a?(Array) ? rows.first : nil
+            val = row_value(row, :next_id) || row_value(row, :nextval)
+            return val&.to_i || start_val
+          rescue
+            # Fall through to sequence table fallback
+          end
         end
       end
 
-      # SQLite / MySQL / MSSQL / PostgreSQL fallback — MAX + 1
-      begin
-        rows = drv.execute_query("SELECT MAX(#{pk_column}) + 1 AS next_id FROM #{table}")
-        row = rows.is_a?(Array) ? rows.first : nil
-        next_id = row && (row["next_id"] || row["max"])
-        return next_id ? next_id.to_i : 1
-      rescue
-        return 1
-      end
+      # SQLite / MySQL / MSSQL / PostgreSQL fallback — atomic sequence table
+      seq_key = generator_name || "#{table}.#{pk_column}"
+      sequence_next(seq_key, table: table, pk_column: pk_column)
     end
 
     private
 
+    # Ensure the tina4_sequences table exists for race-safe ID generation.
+    def ensure_sequence_table
+      return if table_exists?("tina4_sequences")
+
+      drv = current_driver
+      if @driver_name == "mssql"
+        drv.execute("CREATE TABLE tina4_sequences (seq_name VARCHAR(200) NOT NULL PRIMARY KEY, current_value INTEGER NOT NULL DEFAULT 0)")
+      else
+        drv.execute("CREATE TABLE IF NOT EXISTS tina4_sequences (seq_name VARCHAR(200) NOT NULL PRIMARY KEY, current_value INTEGER NOT NULL DEFAULT 0)")
+      end
+      drv.commit rescue nil
+    end
+
+    # Atomically increment and return the next value for a named sequence.
+    # Seeds from MAX(pk_column) on first use so existing data is respected.
+    def sequence_next(seq_name, table: nil, pk_column: "id")
+      ensure_sequence_table
+      drv = current_driver
+
+      # Check if the sequence key already exists
+      rows = drv.execute_query("SELECT current_value FROM tina4_sequences WHERE seq_name = ?", [seq_name])
+      row = rows.is_a?(Array) ? rows.first : nil
+
+      if row.nil?
+        # Seed from MAX(pk_column) if table data exists
+        seed_value = 0
+        if table
+          begin
+            max_rows = drv.execute_query("SELECT MAX(#{pk_column}) AS max_id FROM #{table}")
+            max_row = max_rows.is_a?(Array) ? max_rows.first : nil
+            val = row_value(max_row, :max_id)
+            seed_value = val.to_i if val
+          rescue
+            # Table may not exist yet — start from 0
+          end
+        end
+        drv.execute("INSERT INTO tina4_sequences (seq_name, current_value) VALUES (?, ?)", [seq_name, seed_value])
+        drv.commit rescue nil
+      end
+
+      # Atomic increment
+      drv.execute("UPDATE tina4_sequences SET current_value = current_value + 1 WHERE seq_name = ?", [seq_name])
+      drv.commit rescue nil
+
+      # Read back the incremented value
+      rows = drv.execute_query("SELECT current_value FROM tina4_sequences WHERE seq_name = ?", [seq_name])
+      row = rows.is_a?(Array) ? rows.first : nil
+      val = row_value(row, :current_value)
+      val ? val.to_i : 1
+    end
+
+    # Safely extract a value from a driver result row, trying both symbol and string keys.
+    def row_value(row, key)
+      return nil unless row
+      row[key.to_sym] || row[key.to_s] || row[key.to_s.upcase] || row[key.to_s.downcase]
+    end
+
     def truthy?(val)
       %w[true 1 yes on].include?((val || "").to_s.strip.downcase)
     end

data/lib/tina4/frond.rb

@@ -13,6 +13,7 @@ require "cgi"
 require "uri"
 require "date"
 require "time"
+require "securerandom"
 
 module Tina4
   # Marker class for strings that should not be auto-escaped in Frond.
@@ -34,6 +35,121 @@ module Tina4
                         '"' => """, "'" => "'" }.freeze
     HTML_ESCAPE_RE  = /[&<>"']/
 
+    # -- Compiled regex constants (optimization: avoid re-compiling in methods) --
+    EXTENDS_RE      = /\{%-?\s*extends\s+["'](.+?)["']\s*-?%\}/
+    BLOCK_RE        = /\{%-?\s*block\s+(\w+)\s*-?%\}(.*?)\{%-?\s*endblock\s*-?%\}/m
+    STRING_LIT_RE   = /\A["'](.*)["']\z/
+    INTEGER_RE      = /\A-?\d+\z/
+    FLOAT_RE        = /\A-?\d+\.\d+\z/
+    ARRAY_LIT_RE    = /\A\[(.+)\]\z/m
+    HASH_LIT_RE     = /\A\{(.+)\}\z/m
+    HASH_PAIR_RE    = /\A\s*["']?(\w+)["']?\s*:\s*(.+)\z/
+    RANGE_LIT_RE    = /\A(\d+)\.\.(\d+)\z/
+    ARITHMETIC_RE   = /\A(.+?)\s*(\+|-|\*|\/|%)\s*(.+)\z/
+    FUNC_CALL_RE    = /\A(\w+)\s*\((.*)\)\z/m
+    FILTER_WITH_ARGS_RE = /\A(\w+)\s*\((.*)\)\z/m
+    FILTER_CMP_RE   = /\A(\w+)\s*(!=|==|>=|<=|>|<)\s*(.+)\z/
+    OR_SPLIT_RE     = /\s+or\s+/
+    AND_SPLIT_RE    = /\s+and\s+/
+    IS_NOT_RE       = /\A(.+?)\s+is\s+not\s+(\w+)(.*)\z/
+    IS_RE           = /\A(.+?)\s+is\s+(\w+)(.*)\z/
+    NOT_IN_RE       = /\A(.+?)\s+not\s+in\s+(.+)\z/
+    IN_RE           = /\A(.+?)\s+in\s+(.+)\z/
+    DIVISIBLE_BY_RE = /\s*by\s*\(\s*(\d+)\s*\)/
+    RESOLVE_SPLIT_RE = /\.|\[([^\]]+)\]/
+    RESOLVE_STRIP_RE = /\A["']|["']\z/
+    DIGIT_RE        = /\A\d+\z/
+    FOR_RE          = /\Afor\s+(\w+)(?:\s*,\s*(\w+))?\s+in\s+(.+)\z/
+    SET_RE          = /\Aset\s+(\w+)\s*=\s*(.+)\z/m
+    INCLUDE_RE      = /\Ainclude\s+["'](.+?)["'](?:\s+with\s+(.+))?\z/
+    MACRO_RE        = /\Amacro\s+(\w+)\s*\(([^)]*)\)/
+    FROM_IMPORT_RE  = /\Afrom\s+["'](.+?)["']\s+import\s+(.+)/
+    CACHE_RE        = /\Acache\s+["'](.+?)["']\s*(\d+)?/
+    SPACELESS_RE    = />\s+</
+    AUTOESCAPE_RE   = /\Aautoescape\s+(false|true)/
+    STRIPTAGS_RE    = /<[^>]+>/
+    THOUSANDS_RE    = /(\d)(?=(\d{3})+(?!\d))/
+    SLUG_CLEAN_RE   = /[^a-z0-9]+/
+    SLUG_TRIM_RE    = /\A-|-\z/
+
+    # Set of common no-arg filter names that can be inlined for speed
+    INLINE_FILTERS = %w[upper lower length trim capitalize title string int escape e].each_with_object({}) { |f, h| h[f] = true }.freeze
+
+    # -- Lazy context overlay for for-loops (avoids full Hash#dup) --
+    class LoopContext
+      def initialize(parent)
+        @parent = parent
+        @local = {}
+      end
+
+      def [](key)
+        @local.key?(key) ? @local[key] : @parent[key]
+      end
+
+      def []=(key, value)
+        @local[key] = value
+      end
+
+      def key?(key)
+        @local.key?(key) || @parent.key?(key)
+      end
+      alias include? key?
+      alias has_key? key?
+
+      def fetch(key, *args, &block)
+        if @local.key?(key)
+          @local[key]
+        elsif @parent.key?(key)
+          @parent[key]
+        elsif block
+          yield key
+        elsif !args.empty?
+          args[0]
+        else
+          raise KeyError, "key not found: #{key.inspect}"
+        end
+      end
+
+      def merge(other)
+        dup_hash = to_h
+        dup_hash.merge!(other)
+        dup_hash
+      end
+
+      def merge!(other)
+        other.each { |k, v| @local[k] = v }
+        self
+      end
+
+      def dup
+        copy = LoopContext.new(@parent)
+        @local.each { |k, v| copy[k] = v }
+        copy
+      end
+
+      def to_h
+        h = @parent.is_a?(LoopContext) ? @parent.to_h : @parent.dup
+        @local.each { |k, v| h[k] = v }
+        h
+      end
+
+      def each(&block)
+        to_h.each(&block)
+      end
+
+      def respond_to_missing?(name, include_private = false)
+        @parent.respond_to?(name, include_private) || super
+      end
+
+      def is_a?(klass)
+        klass == Hash || super
+      end
+
+      def keys
+        (@parent.is_a?(LoopContext) ? @parent.keys : @parent.keys) | @local.keys
+      end
+    end
+
     # -----------------------------------------------------------------------
     # Public API
     # -----------------------------------------------------------------------
@@ -60,6 +176,15 @@ module Tina4
       @compiled         = {}  # {template_name => [tokens, mtime]}
       @compiled_strings = {}  # {md5_hash => tokens}
 
+      # Parsed filter chain cache: expr_string => [variable, filters]
+      @filter_chain_cache = {}
+
+      # Resolved dotted-path split cache: expr_string => parts_array
+      @resolve_cache = {}
+
+      # Sandbox root-var split cache: var_name => root_var_string
+      @dotted_split_cache = {}
+
       # Built-in global functions
       register_builtin_globals
     end
@@ -115,6 +240,9 @@ module Tina4
     def clear_cache
       @compiled.clear
       @compiled_strings.clear
+      @filter_chain_cache.clear
+      @resolve_cache.clear
+      @dotted_split_cache.clear
     end
 
     # Register a custom filter.
@@ -261,7 +389,7 @@ module Tina4
 
     def execute_with_tokens(source, tokens, context)
       # Handle extends first
-      if source =~ /\{%-?\s*extends\s+["'](.+?)["']\s*-?%\}/
+      if source =~ EXTENDS_RE
         parent_name = Regexp.last_match(1)
         parent_source = load_template(parent_name)
         child_blocks = extract_blocks(source)
@@ -273,7 +401,7 @@ module Tina4
 
     def execute(source, context)
       # Handle extends first
-      if source =~ /\{%-?\s*extends\s+["'](.+?)["']\s*-?%\}/
+      if source =~ EXTENDS_RE
         parent_name = Regexp.last_match(1)
         parent_source = load_template(parent_name)
         child_blocks = extract_blocks(source)
@@ -285,14 +413,14 @@ module Tina4
 
     def extract_blocks(source)
       blocks = {}
-      source.scan(/\{%-?\s*block\s+(\w+)\s*-?%\}(.*?)\{%-?\s*endblock\s*-?%\}/m) do
+      source.scan(BLOCK_RE) do
         blocks[Regexp.last_match(1)] = Regexp.last_match(2)
       end
       blocks
     end
 
     def render_with_blocks(parent_source, context, child_blocks)
-      result = parent_source.gsub(/\{%-?\s*block\s+(\w+)\s*-?%\}(.*?)\{%-?\s*endblock\s*-?%\}/m) do
+      result = parent_source.gsub(BLOCK_RE) do
         name = Regexp.last_match(1)
         default_content = Regexp.last_match(2)
         block_source = child_blocks.fetch(name, default_content)
@@ -422,7 +550,7 @@ module Tina4
           # The filter name may include a trailing comparison operator,
           # e.g. "length != 1".  Extract the real filter name and the
           # comparison suffix, apply the filter, then evaluate the comparison.
-          m = fname.match(/\A(\w+)\s*(!=|==|>=|<=|>|<)\s*(.+)\z/)
+          m = fname.match(FILTER_CMP_RE)
           if m
             real_filter = m[1]
             op = m[2]
@@ -455,7 +583,11 @@ module Tina4
 
       # Sandbox: check variable access
       if @sandbox && @allowed_vars
-        root_var = var_name.split(".")[0].split("[")[0].strip
+        root_var = @dotted_split_cache[var_name]
+        unless root_var
+          root_var = var_name.split(".")[0].split("[")[0].strip
+          @dotted_split_cache[var_name] = root_var
+        end
         return "" if !root_var.empty? && !@allowed_vars.include?(root_var) && root_var != "loop"
       end
 
@@ -473,6 +605,23 @@ module Tina4
           next
         end
 
+        # Inline common no-arg filters for speed (skip generic dispatch)
+        if args.empty? && INLINE_FILTERS.include?(fname)
+          value = case fname
+                  when "upper"      then value.to_s.upcase
+                  when "lower"      then value.to_s.downcase
+                  when "length"     then value.respond_to?(:length) ? value.length : value.to_s.length
+                  when "trim"       then value.to_s.strip
+                  when "capitalize" then value.to_s.capitalize
+                  when "title"      then value.to_s.split.map(&:capitalize).join(" ")
+                  when "string"     then value.to_s
+                  when "int"        then value.to_i
+                  when "escape", "e" then Frond.escape_html(value.to_s)
+                  else value
+                  end
+          next
+        end
+
         fn = @filters[fname]
         if fn
           evaluated_args = args.map { |a| eval_filter_arg(a, context) }
@@ -489,9 +638,9 @@ module Tina4
     end
 
     def eval_filter_arg(arg, context)
-      return Regexp.last_match(1) if arg =~ /\A["'](.*)["']\z/
-      return arg.to_i if arg =~ /\A-?\d+\z/
-      return arg.to_f if arg =~ /\A-?\d+\.\d+\z/
+      return Regexp.last_match(1) if arg =~ STRING_LIT_RE
+      return arg.to_i if arg =~ INTEGER_RE
+      return arg.to_f if arg =~ FLOAT_RE
       eval_expr(arg, context)
     end
 
@@ -597,13 +746,16 @@ module Tina4
     # -----------------------------------------------------------------------
 
     def parse_filter_chain(expr)
+      cached = @filter_chain_cache[expr]
+      return cached if cached
+
       parts = split_on_pipe(expr)
       variable = parts[0].strip
       filters = []
 
       parts[1..].each do |f|
         f = f.strip
-        if f =~ /\A(\w+)\s*\((.*)\)\z/m
+        if f =~ FILTER_WITH_ARGS_RE
           name = Regexp.last_match(1)
           raw_args = Regexp.last_match(2).strip
           args = raw_args.empty? ? [] : parse_args(raw_args)
@@ -613,7 +765,9 @@ module Tina4
         end
       end
 
-      [variable, filters]
+      result = [variable, filters].freeze
+      @filter_chain_cache[expr] = result
+      result
     end
 
     # Split expression on | but not inside quotes or parens.
@@ -694,8 +848,8 @@ module Tina4
       end
 
       # Numeric
-      return expr.to_i if expr =~ /\A-?\d+\z/
-      return expr.to_f if expr =~ /\A-?\d+\.\d+\z/
+      return expr.to_i if expr =~ INTEGER_RE
+      return expr.to_f if expr =~ FLOAT_RE
 
       # Boolean/null
       return true  if expr == "true"
@@ -703,17 +857,17 @@ module Tina4
       return nil   if expr == "null" || expr == "none" || expr == "nil"
 
       # Array literal [a, b, c]
-      if expr =~ /\A\[(.+)\]\z/m
+      if expr =~ ARRAY_LIT_RE
         inner = Regexp.last_match(1)
         return split_args_toplevel(inner).map { |item| eval_expr(item.strip, context) }
       end
 
       # Hash literal { key: value, ... }
-      if expr =~ /\A\{(.+)\}\z/m
+      if expr =~ HASH_LIT_RE
         inner = Regexp.last_match(1)
         hash = {}
         split_args_toplevel(inner).each do |pair|
-          if pair =~ /\A\s*["']?(\w+)["']?\s*:\s*(.+)\z/
+          if pair =~ HASH_PAIR_RE
             hash[Regexp.last_match(1)] = eval_expr(Regexp.last_match(2).strip, context)
           end
         end
@@ -721,7 +875,7 @@ module Tina4
       end
 
       # Range literal: 1..5
-      if expr =~ /\A(\d+)\.\.(\d+)\z/
+      if expr =~ RANGE_LIT_RE
         return (Regexp.last_match(1).to_i..Regexp.last_match(2).to_i).to_a
       end
 
@@ -786,7 +940,7 @@ module Tina4
       end
 
       # Arithmetic: +, -, *, /, %
-      if expr =~ /\A(.+?)\s*(\+|-|\*|\/|%)\s*(.+)\z/
+      if expr =~ ARITHMETIC_RE
         left  = eval_expr(Regexp.last_match(1), context)
         op    = Regexp.last_match(2)
         right = eval_expr(Regexp.last_match(3), context)
@@ -794,7 +948,7 @@ module Tina4
       end
 
       # Function call: name(arg1, arg2)
-      if expr =~ /\A(\w+)\s*\((.*)\)\z/m
+      if expr =~ FUNC_CALL_RE
         fn_name  = Regexp.last_match(1)
         raw_args = Regexp.last_match(2).strip
         fn = context[fn_name]
@@ -851,49 +1005,50 @@ module Tina4
     # Comparison / logical evaluator
     # -----------------------------------------------------------------------
 
-    def eval_comparison(expr, context)
+    def eval_comparison(expr, context, eval_fn = nil)
+      eval_fn ||= method(:eval_expr)
       expr = expr.strip
 
       # Handle 'not' prefix
       if expr.start_with?("not ")
-        return !eval_comparison(expr[4..], context)
+        return !eval_comparison(expr[4..], context, eval_fn)
       end
 
       # 'or' (lowest precedence)
-      or_parts = expr.split(/\s+or\s+/)
+      or_parts = expr.split(OR_SPLIT_RE)
       if or_parts.length > 1
-        return or_parts.any? { |p| eval_comparison(p, context) }
+        return or_parts.any? { |p| eval_comparison(p, context, eval_fn) }
       end
 
       # 'and'
-      and_parts = expr.split(/\s+and\s+/)
+      and_parts = expr.split(AND_SPLIT_RE)
       if and_parts.length > 1
-        return and_parts.all? { |p| eval_comparison(p, context) }
+        return and_parts.all? { |p| eval_comparison(p, context, eval_fn) }
       end
 
       # 'is not' test
-      if expr =~ /\A(.+?)\s+is\s+not\s+(\w+)(.*)\z/
+      if expr =~ IS_NOT_RE
         return !eval_test(Regexp.last_match(1).strip, Regexp.last_match(2),
-                          Regexp.last_match(3).strip, context)
+                          Regexp.last_match(3).strip, context, eval_fn)
       end
 
       # 'is' test
-      if expr =~ /\A(.+?)\s+is\s+(\w+)(.*)\z/
+      if expr =~ IS_RE
         return eval_test(Regexp.last_match(1).strip, Regexp.last_match(2),
-                         Regexp.last_match(3).strip, context)
+                         Regexp.last_match(3).strip, context, eval_fn)
       end
 
       # 'not in'
-      if expr =~ /\A(.+?)\s+not\s+in\s+(.+)\z/
-        val = eval_expr(Regexp.last_match(1).strip, context)
-        collection = eval_expr(Regexp.last_match(2).strip, context)
+      if expr =~ NOT_IN_RE
+        val = eval_fn.call(Regexp.last_match(1).strip, context)
+        collection = eval_fn.call(Regexp.last_match(2).strip, context)
         return !(collection.respond_to?(:include?) && collection.include?(val))
       end
 
       # 'in'
-      if expr =~ /\A(.+?)\s+in\s+(.+)\z/
-        val = eval_expr(Regexp.last_match(1).strip, context)
-        collection = eval_expr(Regexp.last_match(2).strip, context)
+      if expr =~ IN_RE
+        val = eval_fn.call(Regexp.last_match(1).strip, context)
+        collection = eval_fn.call(Regexp.last_match(2).strip, context)
         return collection.respond_to?(:include?) ? collection.include?(val) : false
       end
 
@@ -906,8 +1061,8 @@ module Tina4
        ["<",  ->(a, b) { a.to_f < b.to_f }]].each do |op, fn|
         if expr.include?(op)
           left, _, right = expr.partition(op)
-          l = eval_expr(left.strip, context)
-          r = eval_expr(right.strip, context)
+          l = eval_fn.call(left.strip, context)
+          r = eval_fn.call(right.strip, context)
           begin
             return fn.call(l, r)
           rescue
@@ -917,7 +1072,7 @@ module Tina4
       end
 
       # Fall through to simple eval
-      val = eval_expr(expr, context)
+      val = eval_fn.call(expr, context)
       truthy?(val)
     end
 
@@ -925,12 +1080,13 @@ module Tina4
     # Tests ('is' expressions)
     # -----------------------------------------------------------------------
 
-    def eval_test(value_expr, test_name, args_str, context)
-      val = eval_expr(value_expr, context)
+    def eval_test(value_expr, test_name, args_str, context, eval_fn = nil)
+      eval_fn ||= method(:eval_expr)
+      val = eval_fn.call(value_expr, context)
 
       # 'divisible by(n)'
       if test_name == "divisible"
-        if args_str =~ /\s*by\s*\(\s*(\d+)\s*\)/
+        if args_str =~ DIVISIBLE_BY_RE
           n = Regexp.last_match(1).to_i
           return val.is_a?(Integer) && (val % n).zero?
         end
@@ -964,14 +1120,19 @@ module Tina4
     # -----------------------------------------------------------------------
 
     def resolve(expr, context)
-      parts = expr.split(/\.|\[([^\]]+)\]/).reject(&:empty?)
+      parts = @resolve_cache[expr]
+      unless parts
+        parts = expr.split(RESOLVE_SPLIT_RE).reject(&:empty?)
+        @resolve_cache[expr] = parts
+      end
+
       value = context
 
       parts.each do |part|
-        part = part.strip.gsub(/\A["']|["']\z/, "") # strip quotes from bracket access
-        if value.is_a?(Hash)
+        part = part.strip.gsub(RESOLVE_STRIP_RE, "") # strip quotes from bracket access
+        if value.is_a?(Hash) || value.is_a?(LoopContext)
           value = value[part] || value[part.to_sym]
-        elsif value.is_a?(Array) && part =~ /\A\d+\z/
+        elsif value.is_a?(Array) && part =~ DIGIT_RE
           value = value[part.to_i]
         elsif value.respond_to?(part.to_sym)
           value = value.send(part.to_sym)
@@ -1073,7 +1234,7 @@ module Tina4
       end
 
       branches.each do |cond, branch_tokens|
-        if cond.nil? || eval_comparison(cond, context)
+        if cond.nil? || eval_comparison(cond, context, method(:eval_var_raw))
           return [render_tokens(branch_tokens.dup, context), i]
         end
       end
@@ -1084,7 +1245,7 @@ module Tina4
     # {% for item in items %}...{% else %}...{% endfor %}
     def handle_for(tokens, start, context)
       content, _, strip_a_open = strip_tag(tokens[start][1])
-      m = content.match(/\Afor\s+(\w+)(?:\s*,\s*(\w+))?\s+in\s+(.+)\z/)
+      m = content.match(FOR_RE)
       return ["", start + 1] unless m
 
       var1 = m[1]
@@ -1158,7 +1319,7 @@ module Tina4
       total = items.length
 
       items.each_with_index do |item, idx|
-        loop_ctx = context.dup
+        loop_ctx = LoopContext.new(context)
         loop_ctx["loop"] = {
           "index"     => idx + 1,
           "index0"    => idx,
@@ -1196,7 +1357,7 @@ module Tina4
 
     # {% set name = expr %}
     def handle_set(content, context)
-      if content =~ /\Aset\s+(\w+)\s*=\s*(.+)\z/m
+      if content =~ SET_RE
         name = Regexp.last_match(1)
         expr = Regexp.last_match(2).strip
         context[name] = eval_expr(expr, context)
@@ -1208,7 +1369,7 @@ module Tina4
       ignore_missing = content.include?("ignore missing")
       content = content.gsub("ignore missing", "").strip
 
-      m = content.match(/\Ainclude\s+["'](.+?)["'](?:\s+with\s+(.+))?\z/)
+      m = content.match(INCLUDE_RE)
       return "" unless m
 
       filename = m[1]
@@ -1233,7 +1394,7 @@ module Tina4
     # {% macro name(args) %}...{% endmacro %}
     def handle_macro(tokens, start, context)
       content, _, _ = strip_tag(tokens[start][1])
-      m = content.match(/\Amacro\s+(\w+)\s*\(([^)]*)\)/)
+      m = content.match(MACRO_RE)
       unless m
         i = start + 1
         while i < tokens.length
@@ -1276,7 +1437,7 @@ module Tina4
 
     # {% from "file" import macro1, macro2 %}
     def handle_from_import(content, context)
-      m = content.match(/\Afrom\s+["'](.+?)["']\s+import\s+(.+)/)
+      m = content.match(FROM_IMPORT_RE)
       return unless m
 
       filename = m[1]
@@ -1292,7 +1453,7 @@ module Tina4
           tag_content, _, _ = strip_tag(raw)
           tag = (tag_content.split[0] || "")
           if tag == "macro"
-            macro_m = tag_content.match(/\Amacro\s+(\w+)\s*\(([^)]*)\)/)
+            macro_m = tag_content.match(MACRO_RE)
             if macro_m && names.include?(macro_m[1])
               macro_name = macro_m[1]
               param_names = macro_m[2].split(",").map(&:strip).reject(&:empty?)
@@ -1332,7 +1493,7 @@ module Tina4
     # {% cache "key" ttl %}...{% endcache %}
     def handle_cache(tokens, start, context)
       content, _, _ = strip_tag(tokens[start][1])
-      m = content.match(/\Acache\s+["'](.+?)["']\s*(\d+)?/)
+      m = content.match(CACHE_RE)
       cache_key = m ? m[1] : "default"
       ttl = m && m[2] ? m[2].to_i : 60
 
@@ -1420,13 +1581,13 @@ module Tina4
       end
 
       rendered = render_tokens(body_tokens.dup, context)
-      rendered = rendered.gsub(/>\s+</, "><")
+      rendered = rendered.gsub(SPACELESS_RE, "><")
       [rendered, i]
     end
 
     def handle_autoescape(tokens, start, context)
       content, _, _ = strip_tag(tokens[start][1])
-      mode_match = content.match(/\Aautoescape\s+(false|true)/)
+      mode_match = content.match(AUTOESCAPE_RE)
       auto_escape_on = !(mode_match && mode_match[1] == "false")
 
       body_tokens = []
@@ -1497,7 +1658,7 @@ module Tina4
         "ltrim"      => ->(v, *_a) { v.to_s.lstrip },
         "rtrim"      => ->(v, *_a) { v.to_s.rstrip },
         "replace"    => ->(v, *a)  { a.length >= 2 ? v.to_s.gsub(a[0].to_s, a[1].to_s) : v.to_s },
-        "striptags"  => ->(v, *_a) { v.to_s.gsub(/<[^>]+>/, "") },
+        "striptags"  => ->(v, *_a) { v.to_s.gsub(STRIPTAGS_RE, "") },
 
         # -- Encoding --
         "escape"        => ->(v, *_a) { Frond.escape_html(v.to_s) },
@@ -1555,7 +1716,7 @@ module Tina4
           formatted = format("%.#{decimals}f", v.to_f)
           # Add comma thousands separator
           parts = formatted.split(".")
-          parts[0] = parts[0].gsub(/(\d)(?=(\d{3})+(?!\d))/, '\\1,')
+          parts[0] = parts[0].gsub(THOUSANDS_RE, '\\1,')
           parts.join(".")
         },
 
@@ -1660,7 +1821,7 @@ module Tina4
           lines << current unless current.empty?
           lines.join("\n")
         },
-        "slug"   => ->(v, *_a) { v.to_s.downcase.gsub(/[^a-z0-9]+/, "-").gsub(/\A-|-\z/, "") },
+        "slug"   => ->(v, *_a) { v.to_s.downcase.gsub(SLUG_CLEAN_RE, "-").gsub(SLUG_TRIM_RE, "") },
         "nl2br"  => ->(v, *_a) { v.to_s.gsub("\n", "<br>\n") },
         "format" => ->(v, *a) {
           if a.any?
@@ -1679,6 +1840,8 @@ module Tina4
 
     def register_builtin_globals
       @globals["form_token"] = ->(descriptor = "") { Frond.generate_form_token(descriptor.to_s) }
+      @globals["formTokenValue"] = ->(descriptor = "") { Frond.generate_form_token_value(descriptor.to_s) }
+      @globals["form_token_value"] = ->(descriptor = "") { Frond.generate_form_token_value(descriptor.to_s) }
     end
 
     # Generate a JWT form token and return a hidden input element.
@@ -1697,11 +1860,19 @@ module Tina4
       attr_accessor :form_token_session_id
     end
 
-    def self.generate_form_token(descriptor = "")
+    # Generate a raw JWT form token string.
+    #
+    # @param descriptor [String] Optional string to enrich the token payload.
+    #   - Empty: payload is {"type" => "form"}
+    #   - "admin_panel": payload is {"type" => "form", "context" => "admin_panel"}
+    #   - "checkout|order_123": payload is {"type" => "form", "context" => "checkout", "ref" => "order_123"}
+    #
+    # @return [String] The raw JWT token string.
+    def self.generate_form_jwt(descriptor = "")
       require_relative "log"
       require_relative "auth"
 
-      payload = { "type" => "form" }
+      payload = { "type" => "form", "nonce" => SecureRandom.hex(8) }
       if descriptor && !descriptor.empty?
         if descriptor.include?("|")
           parts = descriptor.split("|", 2)
@@ -1718,8 +1889,18 @@ module Tina4
 
       ttl_minutes = (ENV["TINA4_TOKEN_LIMIT"] || "60").to_i
       expires_in = ttl_minutes * 60
-      token = Tina4::Auth.create_token(payload, expires_in: expires_in)
+      Tina4::Auth.create_token(payload, expires_in: expires_in)
+    end
+
+    def self.generate_form_token(descriptor = "")
+      token = generate_form_jwt(descriptor)
       Tina4::SafeString.new(%(<input type="hidden" name="formToken" value="#{CGI.escapeHTML(token)}">))
     end
+
+    # Return just the raw JWT form token string (no <input> wrapper).
+    # Registered as both formTokenValue and form_token_value template globals.
+    def self.generate_form_token_value(descriptor = "")
+      Tina4::SafeString.new(generate_form_jwt(descriptor))
+    end
   end
 end

data/lib/tina4/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Tina4
-  VERSION = "3.10.18"
+  VERSION = "3.10.23"
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: tina4ruby
 version: !ruby/object:Gem::Version
-  version: 3.10.18
+  version: 3.10.23
 platform: ruby
 authors:
 - Tina4 Team
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-03-29 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -400,7 +399,6 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://tina4.com
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -415,8 +413,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
-signing_key:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Simple. Fast. Human. This is not a framework.
 test_files: []