tina4ruby 3.11.36 → 3.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9615f251d5bed0d97024c8e061bdf34d26afb2677e5c6ec989005d45d3edc6c9
-  data.tar.gz: 7ef7b684a87906e932f3c929cfe57596f67bf81bf63cf35e79b8d343f2ab297a
+  metadata.gz: 271f281382fed50cadd4ca76a86ecdd5273f5b9f8e80ed721d147e75aa197704
+  data.tar.gz: 10b1b39f0dda79f7fe5af9b42a4903a2d2c4d93e3331b7f7b246a0e890b85ca6
 SHA512:
-  metadata.gz: ecf726e25d06e8ecbed12874fa4f36edf20286ea10c2c9b6c973a2d9d430dd38933a95240b8d50dd4237b82e076b634527e0c28016aa6e94f6f71a7747d126f8
-  data.tar.gz: bc0603a6370d2dc27f26ad5cee86c00f233213d57dc904075f70c5befdf28ff81b78d0c25ffa25a42f34ae9cf48d0a33a322e1147d12bc05db1f125db245538f
+  metadata.gz: ca638ffaba48b33c56a138509991bc3beed2b32cbeb63d4705cefac22b90a63563c6dc24835c71d82eed52b330e46c47953d738d28f1daf9ae5b214ce86ce8ef
+  data.tar.gz: 86a81881255a911e474e662c1b069c50bbf7fc58b1d336d6c36c08c1f5f870a46ee50681879e1248c869317dcf3a80bbccd8694821c8a39e17d19874f413c09c

data/lib/tina4/auth.rb

@@ -19,7 +19,7 @@ module Tina4
 
       # Returns true when SECRET env var is set and no RSA keys exist in .keys/
       def use_hmac?
-        secret = ENV["SECRET"]
+        secret = ENV["TINA4_SECRET"]
         return false if secret.nil? || secret.empty?
 
         # If RSA keys already exist on disk, prefer RS256 for backward compat
@@ -29,7 +29,7 @@ module Tina4
       end
 
       def hmac_secret
-        ENV["SECRET"]
+        ENV["TINA4_SECRET"]
       end
 
       # Base64url-encode without padding (JWT spec)
@@ -191,7 +191,7 @@ module Tina4
         token = Regexp.last_match(1)
 
         # API_KEY bypass — matches tina4_python behavior
-        api_key = ENV["TINA4_API_KEY"] || ENV["API_KEY"]
+        api_key = ENV["TINA4_API_KEY"]
         if api_key && !api_key.empty? && token == api_key
           return { "api_key" => true }
         end
@@ -206,7 +206,7 @@ module Tina4
       end
 
       def validate_api_key(provided, expected: nil)
-        expected ||= ENV["TINA4_API_KEY"] || ENV["API_KEY"]
+        expected ||= ENV["TINA4_API_KEY"]
         return false if expected.nil? || expected.empty?
         return false if provided.nil? || provided.empty?
         return false if provided.length != expected.length
@@ -230,7 +230,7 @@ module Tina4
           token = Regexp.last_match(1)
 
           # API_KEY bypass — matches tina4_python behavior
-          api_key = ENV["TINA4_API_KEY"] || ENV["API_KEY"]
+          api_key = ENV["TINA4_API_KEY"]
           if api_key && !api_key.empty? && token == api_key
             env["tina4.auth"] = { "api_key" => true }
             return true

data/lib/tina4/constants.rb

@@ -43,4 +43,44 @@ module Tina4
   TEXT_PLAIN = "text/plain; charset=utf-8"
   TEXT_CSV = "text/csv"
   TEXT_XML = "text/xml"
+
+  # ── HTTP Reason Phrases (RFC 7231 / RFC 9110) ──
+  #
+  # Used to write a correct HTTP/1.1 status line wherever the framework
+  # emits one manually. Previously code paths that built the status line
+  # by hand wrote "HTTP/1.1 404 OK" regardless of code, which is
+  # malformed. ``Tina4.http_reason(status)`` always returns a non-empty
+  # phrase that matches the status family.
+  HTTP_REASON_PHRASES = {
+    100 => "Continue", 101 => "Switching Protocols",
+    200 => "OK", 201 => "Created", 202 => "Accepted", 204 => "No Content",
+    206 => "Partial Content",
+    301 => "Moved Permanently", 302 => "Found", 303 => "See Other",
+    304 => "Not Modified", 307 => "Temporary Redirect", 308 => "Permanent Redirect",
+    400 => "Bad Request", 401 => "Unauthorized", 403 => "Forbidden",
+    404 => "Not Found", 405 => "Method Not Allowed", 406 => "Not Acceptable",
+    409 => "Conflict", 410 => "Gone", 413 => "Content Too Large",
+    415 => "Unsupported Media Type", 422 => "Unprocessable Content",
+    429 => "Too Many Requests",
+    500 => "Internal Server Error", 501 => "Not Implemented",
+    502 => "Bad Gateway", 503 => "Service Unavailable", 504 => "Gateway Timeout"
+  }.freeze
+
+  # Return the canonical HTTP reason phrase for ``status``.
+  #
+  # Falls back to a sensible label when an exotic status is used. Never
+  # returns an empty string — the HTTP/1.1 status line requires a phrase.
+  # Prefers Rack::Utils::HTTP_STATUS_CODES when Rack is available so the
+  # phrase tracks Rack's mapping, otherwise uses the local table above.
+  def self.http_reason(status)
+    code = status.to_i
+    if defined?(Rack::Utils::HTTP_STATUS_CODES)
+      phrase = Rack::Utils::HTTP_STATUS_CODES[code]
+      return phrase if phrase && !phrase.empty?
+    end
+    phrase = HTTP_REASON_PHRASES[code]
+    return phrase if phrase && !phrase.empty?
+    return "OK" if code >= 200 && code < 300
+    "Error"
+  end
 end

data/lib/tina4/container.rb

@@ -4,7 +4,7 @@ module Tina4
   # Lightweight dependency injection container.
   #
   #   Tina4::Container.register(:mailer) { MailService.new } # transient — new instance each get
-  #   Tina4::Container.singleton(:db) { Database.new(ENV["DB_URL"]) } # singleton — memoised
+  #   Tina4::Container.singleton(:db) { Database.new(ENV["TINA4_DATABASE_URL"]) } # singleton — memoised
   #   Tina4::Container.register(:cache, RedisCacheInstance)  # concrete instance (always same)
   #   Tina4::Container.get(:db)                              # => Database instance
   #

data/lib/tina4/database.rb

@@ -91,20 +91,20 @@ module Tina4
 
     # Construct a Database from environment variables.
     # Returns nil if the named env var is not set.
-    def self.from_env(env_key: "DATABASE_URL", pool: 0)
+    def self.from_env(env_key: "TINA4_DATABASE_URL", pool: 0)
       url = ENV[env_key]
       return nil if url.nil? || url.strip.empty?
 
       new(url,
-          username: ENV["DATABASE_USERNAME"],
-          password: ENV["DATABASE_PASSWORD"],
+          username: ENV["TINA4_DATABASE_USERNAME"],
+          password: ENV["TINA4_DATABASE_PASSWORD"],
           pool: pool)
     end
 
     def initialize(connection_string = nil, username: nil, password: nil, driver_name: nil, pool: 0)
-      @connection_string = connection_string || ENV["DATABASE_URL"]
-      @username = username || ENV["DATABASE_USERNAME"]
-      @password = password || ENV["DATABASE_PASSWORD"]
+      @connection_string = connection_string || ENV["TINA4_DATABASE_URL"]
+      @username = username || ENV["TINA4_DATABASE_USERNAME"]
+      @password = password || ENV["TINA4_DATABASE_PASSWORD"]
       @driver_name = driver_name || detect_driver(@connection_string)
       @pool_size = pool  # 0 = single connection, N>0 = N pooled connections
       @connected = false

data/lib/tina4/dev_admin.rb

@@ -694,7 +694,7 @@ module Tina4
           platform: RUBY_PLATFORM,
           debug: ENV["TINA4_DEBUG"] || "false",
           log_level: ENV["TINA4_LOG_LEVEL"] || "ERROR",
-          database: ENV["DATABASE_URL"] || "not configured",
+          database: ENV["TINA4_DATABASE_URL"] || "not configured",
           db_tables: db_table_count,
           uptime: (Time.now - (defined?(@boot_time) && @boot_time ? @boot_time : (@boot_time = Time.now))).round(1),
           route_count: Tina4::Router.routes.size,

data/lib/tina4/drivers/postgres_driver.rb

@@ -41,10 +41,44 @@ module Tina4
       end
 
       def last_insert_id
-        result = @connection.exec("SELECT lastval()")
-        result.first["lastval"].to_i
-      rescue PG::Error
-        nil
+        # Issue #38: ``SELECT lastval()`` raises on tables with no sequence
+        # (UUID, ULID, hash PKs etc.). The exception itself isn't fatal,
+        # but the pg gem marks the whole transaction as aborted, so every
+        # subsequent statement on this connection fails with
+        # ``PG::InFailedSqlTransaction`` — far away from the real cause.
+        #
+        # Fix: wrap the probe in a SAVEPOINT. If ``lastval()`` raises, we
+        # ROLLBACK TO SAVEPOINT and the outer transaction stays usable;
+        # ``last_insert_id`` just returns ``nil`` (same as before for
+        # tables without a sequence). On success we RELEASE SAVEPOINT.
+        begin
+          @connection.exec("SAVEPOINT _t4_lastval_probe")
+        rescue PG::Error
+          # No active transaction (autocommit/idle) — fall back to a plain
+          # probe; psycopg2-style transaction abort can't happen here.
+          begin
+            result = @connection.exec("SELECT lastval()")
+            return result.first["lastval"].to_i
+          rescue PG::Error
+            return nil
+          end
+        end
+
+        begin
+          result = @connection.exec("SELECT lastval()")
+          @connection.exec("RELEASE SAVEPOINT _t4_lastval_probe")
+          result.first["lastval"].to_i
+        rescue PG::Error
+          begin
+            @connection.exec("ROLLBACK TO SAVEPOINT _t4_lastval_probe")
+            @connection.exec("RELEASE SAVEPOINT _t4_lastval_probe")
+          rescue PG::Error
+            # If even the rollback fails, there's nothing we can do — the
+            # connection is in a state we can't recover. Surface nil so
+            # callers don't get a half-set last_id.
+          end
+          nil
+        end
       end
 
       def placeholder

data/lib/tina4/env.rb

@@ -2,14 +2,85 @@
 require "digest"
 
 module Tina4
+  # Legacy env var names that v3.12 has retired. If any of these are set in
+  # the environment we refuse to boot — silently ignoring them would cause
+  # auth/db/mail to fall back to defaults with no warning. Each maps to its
+  # new TINA4_-prefixed canonical name.
+  LEGACY_ENV_VARS = {
+    "DATABASE_URL"           => "TINA4_DATABASE_URL",
+    "DATABASE_USERNAME"      => "TINA4_DATABASE_USERNAME",
+    "DATABASE_PASSWORD"      => "TINA4_DATABASE_PASSWORD",
+    "DB_URL"                 => "TINA4_DATABASE_URL",
+    "SECRET"                 => "TINA4_SECRET",
+    "API_KEY"                => "TINA4_API_KEY",
+    "JWT_ALGORITHM"          => "TINA4_JWT_ALGORITHM",
+    "SMTP_HOST"              => "TINA4_MAIL_HOST",
+    "SMTP_PORT"              => "TINA4_MAIL_PORT",
+    "SMTP_USERNAME"          => "TINA4_MAIL_USERNAME",
+    "SMTP_PASSWORD"          => "TINA4_MAIL_PASSWORD",
+    "SMTP_FROM"              => "TINA4_MAIL_FROM",
+    "SMTP_FROM_NAME"         => "TINA4_MAIL_FROM_NAME",
+    "IMAP_HOST"              => "TINA4_MAIL_IMAP_HOST",
+    "IMAP_PORT"              => "TINA4_MAIL_IMAP_PORT",
+    "IMAP_USER"              => "TINA4_MAIL_IMAP_USERNAME",
+    "IMAP_PASS"              => "TINA4_MAIL_IMAP_PASSWORD",
+    "HOST_NAME"              => "TINA4_HOST_NAME",
+    "SWAGGER_TITLE"          => "TINA4_SWAGGER_TITLE",
+    "SWAGGER_DESCRIPTION"    => "TINA4_SWAGGER_DESCRIPTION",
+    "SWAGGER_VERSION"        => "TINA4_SWAGGER_VERSION",
+    "ORM_PLURAL_TABLE_NAMES" => "TINA4_ORM_PLURAL_TABLE_NAMES"
+  }.freeze
+
+  # Raised by check_legacy_env_vars! when the caller opts out of process exit.
+  class LegacyEnvError < StandardError; end
+
+  # Refuse to boot if pre-3.12 un-prefixed env vars are still set.
+  #
+  # Tina4 v3.12 hard-renamed every framework-specific env var to use the
+  # TINA4_ prefix. Booting silently with a legacy DATABASE_URL or SECRET
+  # would let auth, DB, or mail fall back to insecure defaults while the
+  # user thought their config was being read. Better to die loudly with a
+  # list of names to fix.
+  #
+  # Bypass with TINA4_ALLOW_LEGACY_ENV=true in CI / migration scripts that
+  # genuinely need both names set during a transition window.
+  def self.check_legacy_env_vars!(io: $stderr, exit_on_error: true)
+    bypass = ENV["TINA4_ALLOW_LEGACY_ENV"].to_s.downcase
+    return if %w[true 1 yes].include?(bypass)
+
+    found = LEGACY_ENV_VARS.keys.select { |name| ENV.key?(name) }.sort
+    return if found.empty?
+
+    sep = "─" * 72
+    lines = ["", sep,
+             "Tina4 v3.12 requires TINA4_ prefix on all framework env vars.",
+             "Your environment still has these legacy names:",
+             ""]
+    found.each do |old|
+      new_name = LEGACY_ENV_VARS[old]
+      lines << format("    %-28s  →  %s", old, new_name)
+    end
+    lines.concat([
+                   "",
+                   "Run `tina4 env-migrate` to rewrite your .env automatically,",
+                   "or rename manually. See https://tina4.com/release/3.12.0",
+                   "Set TINA4_ALLOW_LEGACY_ENV=true to bypass during migration.",
+                   sep, ""
+                 ])
+    io.puts lines.join("\n")
+    raise LegacyEnvError, "Legacy env vars present: #{found.join(', ')}" unless exit_on_error
+
+    exit(2)
+  end
+
   module Env
     DEFAULT_ENV = {
       "PROJECT_NAME" => "Tina4 Ruby Project",
-      "VERSION" => "1.0.0",
+      "TINA4_SWAGGER_VERSION" => "1.0.0",
       "TINA4_LOCALE" => "en",
       "TINA4_DEBUG" => "true",
       "TINA4_LOG_LEVEL" => "[TINA4_LOG_ALL]",
-      "SECRET" => "tina4-secret-change-me"
+      "TINA4_SECRET" => "tina4-secret-change-me"
     }.freeze
 
     # Check if a value is truthy for env boolean checks.
@@ -72,7 +143,7 @@ module Tina4
       def create_default_env(path)
         api_key = Digest::MD5.hexdigest(Time.now.to_s)
         content = DEFAULT_ENV.map { |k, v| "#{k}=\"#{v}\"" }.join("\n")
-        content += "\nAPI_KEY=\"#{api_key}\"\n"
+        content += "\nTINA4_API_KEY=\"#{api_key}\"\n"
         File.write(path, content)
       end
 

data/lib/tina4/field_types.rb

@@ -21,7 +21,7 @@ module Tina4
         else
           base = self.name.split("::").last.downcase
           # Pluralize by default (add "s") unless ORM_PLURAL_TABLE_NAMES is explicitly disabled
-          unless ENV.fetch("ORM_PLURAL_TABLE_NAMES", "").match?(/\A(false|0|no)\z/i)
+          unless ENV.fetch("TINA4_ORM_PLURAL_TABLE_NAMES", "").match?(/\A(false|0|no)\z/i)
             base += "s" unless base.end_with?("s")
           end
           @table_name || base

data/lib/tina4/mcp.rb

@@ -132,7 +132,7 @@ module Tina4
 
   # Check if the server is running on localhost.
   def self.is_localhost?
-    host = ENV.fetch("HOST_NAME", "localhost:7145").split(":").first
+    host = ENV.fetch("TINA4_HOST_NAME", "localhost:7145").split(":").first
     ["localhost", "127.0.0.1", "0.0.0.0", "::1", ""].include?(host)
   end
 

data/lib/tina4/messenger.rb

@@ -18,7 +18,7 @@ module Tina4
   # Tina4 Messenger — Email sending (SMTP) and reading (IMAP).
   #
   # Unified .env-driven configuration with constructor override.
-  # Priority: constructor params > .env (TINA4_MAIL_* with SMTP_* fallback) > sensible defaults
+  # Priority: constructor params > .env (TINA4_MAIL_*) > sensible defaults
   #
   #   # .env
   #   TINA4_MAIL_HOST=smtp.gmail.com
@@ -39,19 +39,19 @@ module Tina4
                 :imap_host, :imap_port, :use_tls, :encryption
 
     # Initialize with SMTP config.
-    # Priority: constructor params > ENV (TINA4_MAIL_* with SMTP_* fallback) > sensible defaults
+    # Priority: constructor params > ENV (TINA4_MAIL_*) > sensible defaults
     def initialize(host: nil, port: nil, username: nil, password: nil,
                    from_address: nil, from_name: nil, encryption: nil, use_tls: nil,
                    imap_host: nil, imap_port: nil)
-      @host         = host         || ENV["TINA4_MAIL_HOST"]     || ENV["SMTP_HOST"]     || "localhost"
-      @port         = (port        || ENV["TINA4_MAIL_PORT"]     || ENV["SMTP_PORT"]     || 587).to_i
-      @username     = username     || ENV["TINA4_MAIL_USERNAME"] || ENV["SMTP_USERNAME"]
-      @password     = password     || ENV["TINA4_MAIL_PASSWORD"] || ENV["SMTP_PASSWORD"]
+      @host         = host         || ENV["TINA4_MAIL_HOST"]     || "localhost"
+      @port         = (port        || ENV["TINA4_MAIL_PORT"]     || 587).to_i
+      @username     = username     || ENV["TINA4_MAIL_USERNAME"]
+      @password     = password     || ENV["TINA4_MAIL_PASSWORD"]
 
-      resolved_from = from_address || ENV["TINA4_MAIL_FROM"]     || ENV["SMTP_FROM"]
+      resolved_from = from_address || ENV["TINA4_MAIL_FROM"]
       @from_address = resolved_from || @username || "noreply@localhost"
 
-      @from_name    = from_name    || ENV["TINA4_MAIL_FROM_NAME"] || ENV["SMTP_FROM_NAME"] || ""
+      @from_name    = from_name    || ENV["TINA4_MAIL_FROM_NAME"] || ""
 
       # Encryption: constructor > .env > backward-compat use_tls > default "tls"
       env_encryption = encryption  || ENV["TINA4_MAIL_ENCRYPTION"]
@@ -64,8 +64,8 @@ module Tina4
       end
       @use_tls = %w[tls starttls].include?(@encryption)
 
-      @imap_host    = imap_host    || ENV["TINA4_MAIL_IMAP_HOST"] || ENV["IMAP_HOST"] || @host
-      @imap_port    = (imap_port   || ENV["TINA4_MAIL_IMAP_PORT"] || ENV["IMAP_PORT"] || 993).to_i
+      @imap_host    = imap_host    || ENV["TINA4_MAIL_IMAP_HOST"] || @host
+      @imap_port    = (imap_port   || ENV["TINA4_MAIL_IMAP_PORT"] || 993).to_i
     end
 
     # Send email using Ruby's Net::SMTP
@@ -542,8 +542,7 @@ module Tina4
   def self.create_messenger(**options)
     dev_mode = Tina4::Env.is_truthy(ENV["TINA4_DEBUG"])
 
-    smtp_configured = (ENV["TINA4_MAIL_HOST"] && !ENV["TINA4_MAIL_HOST"].empty?) ||
-                      (ENV["SMTP_HOST"] && !ENV["SMTP_HOST"].empty?)
+    smtp_configured = ENV["TINA4_MAIL_HOST"] && !ENV["TINA4_MAIL_HOST"].empty?
 
     if dev_mode && !smtp_configured
       mailbox_dir = options.delete(:mailbox_dir) || ENV["TINA4_MAILBOX_DIR"]
@@ -560,8 +559,8 @@ module Tina4
 
     def initialize(mailbox, **options)
       @mailbox = mailbox
-      @from_address = options[:from_address] || ENV["TINA4_MAIL_FROM"] || ENV["SMTP_FROM"] || "dev@localhost"
-      @from_name    = options[:from_name]    || ENV["TINA4_MAIL_FROM_NAME"] || ENV["SMTP_FROM_NAME"] || "Dev Mailer"
+      @from_address = options[:from_address] || ENV["TINA4_MAIL_FROM"] || "dev@localhost"
+      @from_name    = options[:from_name]    || ENV["TINA4_MAIL_FROM_NAME"] || "Dev Mailer"
     end
 
     def send(to:, subject:, body:, html: false, cc: [], bcc: [],

data/lib/tina4/orm.rb

@@ -372,6 +372,34 @@ module Tina4
         select_one(sql, [id])
       end
 
+      # Clear the relationship cache on all loaded instances (class-level helper).
+      # Useful after bulk operations when you want to force relationship re-loads.
+      def clear_rel_cache # -> nil
+        @_rel_cache = {}
+        nil
+      end
+
+      # Return the database connection used by this model.
+      def get_db # -> Database
+        db
+      end
+
+      # Map a Ruby property name to its database column name using field_mapping.
+      # Returns the column name as a symbol.
+      def get_db_column(property) # -> Symbol
+        col = field_mapping[property.to_s] || property
+        col.to_sym
+      end
+
+      private
+
+      def auto_discover_db
+        url = ENV["TINA4_DATABASE_URL"]
+        return nil unless url
+        Tina4.database = Tina4::Database.new(url, username: ENV.fetch("TINA4_DATABASE_USERNAME", ""), password: ENV.fetch("TINA4_DATABASE_PASSWORD", ""))
+        Tina4.database
+      end
+
       def find_by_filter(filter)
         where_parts = filter.keys.map { |k| "#{k} = ?" }
         sql = "SELECT * FROM #{table_name} WHERE #{where_parts.join(' AND ')}"

data/lib/tina4/public/js/frond.js

@@ -0,0 +1,600 @@
+var _frondModule = (() => {
+  var __defProp = Object.defineProperty;
+  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+  var __getOwnPropNames = Object.getOwnPropertyNames;
+  var __hasOwnProp = Object.prototype.hasOwnProperty;
+  var __export = (target, all) => {
+    for (var name in all)
+      __defProp(target, name, { get: all[name], enumerable: true });
+  };
+  var __copyProps = (to, from, except, desc) => {
+    if (from && typeof from === "object" || typeof from === "function") {
+      for (let key of __getOwnPropNames(from))
+        if (!__hasOwnProp.call(to, key) && key !== except)
+          __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+    }
+    return to;
+  };
+  var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+  // src/js/frond.ts
+  var frond_exports = {};
+  __export(frond_exports, {
+    frond: () => frond
+  });
+  var _token = null;
+  function request(url, options) {
+    let opts;
+    if (typeof options === "function") {
+      opts = { onSuccess: options };
+    } else {
+      opts = options || {};
+    }
+    const method = (opts.method || "GET").toUpperCase();
+    const xhr = new XMLHttpRequest();
+    xhr.open(method, url, true);
+    if (_token !== null) {
+      xhr.setRequestHeader("Authorization", "Bearer " + _token);
+    }
+    if (opts.headers) {
+      for (const key in opts.headers) {
+        if (Object.prototype.hasOwnProperty.call(opts.headers, key)) {
+          xhr.setRequestHeader(key, opts.headers[key]);
+        }
+      }
+    }
+    let body = null;
+    if (opts.body !== void 0 && opts.body !== null) {
+      if (opts.body instanceof FormData) {
+        body = opts.body;
+      } else if (typeof opts.body === "object") {
+        body = JSON.stringify(opts.body);
+        xhr.setRequestHeader("Content-Type", "application/json; charset=UTF-8");
+      } else if (typeof opts.body === "string") {
+        body = opts.body;
+        xhr.setRequestHeader("Content-Type", "text/plain; charset=UTF-8");
+      }
+    }
+    xhr.onload = function() {
+      const freshToken = xhr.getResponseHeader("FreshToken");
+      if (freshToken && freshToken !== "") {
+        _token = freshToken;
+      }
+      let content = xhr.response;
+      try {
+        content = JSON.parse(content);
+      } catch {
+      }
+      if (xhr.responseURL) {
+        const requested = new URL(url, window.location.href).href;
+        if (xhr.responseURL !== requested) {
+          window.location.href = xhr.responseURL;
+          return;
+        }
+      }
+      if (xhr.status >= 200 && xhr.status < 400) {
+        if (opts.onSuccess) opts.onSuccess(content, xhr.status, xhr);
+      } else {
+        if (opts.onError) opts.onError(xhr.status, xhr);
+      }
+    };
+    xhr.onerror = function() {
+      if (opts.onError) opts.onError(xhr.status, xhr);
+    };
+    xhr.send(body);
+  }
+  function inject(html, target) {
+    if (!html) return "";
+    const parser = new DOMParser();
+    const wrapped = html.includes("<html>") ? html : "<body>" + html + "</body></html>";
+    const doc = parser.parseFromString(wrapped, "text/html");
+    const body = doc.querySelector("body");
+    const scripts = body.querySelectorAll("script");
+    scripts.forEach(function(s) {
+      s.remove();
+    });
+    if (target !== null) {
+      const el = document.getElementById(target);
+      if (!el) return "";
+      if (body.children.length > 0) {
+        el.replaceChildren.apply(el, Array.from(body.children));
+      } else {
+        el.innerHTML = body.innerHTML;
+      }
+      scripts.forEach(function(script) {
+        const ns = document.createElement("script");
+        ns.type = "text/javascript";
+        ns.async = true;
+        if (script.src) {
+          ns.src = script.src;
+        } else {
+          ns.textContent = script.textContent;
+        }
+        el.appendChild(ns);
+      });
+      return "";
+    }
+    scripts.forEach(function(script) {
+      const ns = document.createElement("script");
+      ns.type = "text/javascript";
+      ns.async = true;
+      ns.textContent = script.textContent;
+      document.body.appendChild(ns);
+    });
+    return body.innerHTML;
+  }
+  function load(url, target, callback) {
+    const targetId = target || "content";
+    request(url, {
+      method: "GET",
+      onSuccess: function(data, _status) {
+        if (document.getElementById(targetId)) {
+          const html = inject(data, targetId);
+          if (callback) callback(html, data);
+        } else {
+          if (callback) callback(data);
+        }
+      }
+    });
+  }
+  function post(url, data, target, callback) {
+    const targetId = target || "content";
+    request(url, {
+      method: "POST",
+      body: data,
+      onSuccess: function(responseData) {
+        let html = "";
+        if (responseData && responseData.message !== void 0) {
+          html = inject(responseData.message, targetId);
+        } else if (document.getElementById(targetId)) {
+          html = inject(responseData, targetId);
+        } else {
+          if (callback) callback(responseData);
+          return;
+        }
+        if (callback) callback(html, responseData);
+      }
+    });
+  }
+  var form = {
+    /**
+     * Collect all form field values into a FormData object.
+     *
+     * Handles inputs, selects, textareas, file uploads (including
+     * multi-file), checkboxes, and radio buttons. Updates formToken
+     * hidden fields automatically.
+     *
+     * @param formId - DOM id of the form (without '#').
+     * @returns Populated FormData instance.
+     */
+    collect: function(formId) {
+      const fd = new FormData();
+      const elements = document.querySelectorAll("#" + formId + " select, #" + formId + " input, #" + formId + " textarea");
+      for (let i = 0; i < elements.length; i++) {
+        const el = elements[i];
+        if (el.name === "formToken" && _token !== null) {
+          el.value = _token;
+        }
+        if (!el.name) continue;
+        if (el.type === "file") {
+          const files = el.files;
+          if (files) {
+            for (let f = 0; f < files.length; f++) {
+              const file = files[f];
+              if (file !== void 0) {
+                let name = el.name;
+                if (files.length > 1 && !name.includes("[")) {
+                  name = name + "[]";
+                }
+                fd.append(name, file, file.name);
+              }
+            }
+          }
+        } else if (el.type === "checkbox" || el.type === "radio") {
+          if (el.checked) {
+            fd.append(el.name, el.value);
+          } else if (el.type !== "radio") {
+            fd.append(el.name, "0");
+          }
+        } else {
+          fd.append(el.name, el.value === "" ? "" : el.value);
+        }
+      }
+      return fd;
+    },
+    /**
+     * Collect form data and POST it to a URL. Inject response into target.
+     *
+     * @param formId   - DOM id of the form.
+     * @param url      - URL to POST to.
+     * @param target   - DOM id to inject response into (default: "message").
+     * @param callback - Optional callback.
+     */
+    submit: function(formId, url, target, callback) {
+      const data = form.collect(formId);
+      post(url, data, target || "message", callback);
+    },
+    /**
+     * Load a form via the given action and inject response HTML.
+     *
+     * Accepts friendly names: "create", "edit" map to GET; "delete" maps
+     * to DELETE.
+     *
+     * @param action  - HTTP method or friendly name.
+     * @param url     - URL to fetch.
+     * @param target  - DOM id to inject into (default: "form").
+     * @param callback - Optional callback.
+     */
+    show: function(action, url, target, callback) {
+      let method = action.toUpperCase();
+      if (action === "create" || action === "edit") method = "GET";
+      if (action === "delete") method = "DELETE";
+      const targetId = target || "form";
+      request(url, {
+        method,
+        onSuccess: function(data) {
+          let html = "";
+          if (data && data.message !== void 0) {
+            html = inject(data.message, targetId);
+          } else if (document.getElementById(targetId)) {
+            html = inject(data, targetId);
+          } else {
+            if (callback) callback(data);
+            return;
+          }
+          if (callback) callback(html);
+        }
+      });
+    }
+  };
+  function wsConnect(url, options) {
+    const opts = {
+      reconnect: true,
+      reconnectDelay: 1e3,
+      maxReconnectDelay: 3e4,
+      maxReconnectAttempts: Infinity,
+      protocols: [],
+      onOpen: function() {
+      },
+      onClose: function() {
+      },
+      onError: function() {
+      },
+      ...options || {}
+    };
+    let socket = null;
+    let intentionalClose = false;
+    let currentDelay = opts.reconnectDelay;
+    let attempts = 0;
+    let reconnectTimer = null;
+    const listeners = {
+      message: [],
+      open: [],
+      close: [],
+      error: []
+    };
+    const managed = {
+      status: "connecting",
+      send: function(data) {
+        if (!socket || socket.readyState !== WebSocket.OPEN) {
+          throw new Error("[frond] WebSocket is not connected");
+        }
+        socket.send(typeof data === "string" ? data : JSON.stringify(data));
+      },
+      on: function(event, handler) {
+        if (!listeners[event]) listeners[event] = [];
+        listeners[event].push(handler);
+        return function() {
+          const arr = listeners[event];
+          const idx = arr.indexOf(handler);
+          if (idx >= 0) arr.splice(idx, 1);
+        };
+      },
+      close: function(code, reason) {
+        intentionalClose = true;
+        if (reconnectTimer) {
+          clearTimeout(reconnectTimer);
+          reconnectTimer = null;
+        }
+        if (socket) {
+          socket.close(code || 1e3, reason || "");
+        }
+        managed.status = "closed";
+      }
+    };
+    function parseMessage(data) {
+      if (typeof data !== "string") return data;
+      try {
+        return JSON.parse(data);
+      } catch {
+        return data;
+      }
+    }
+    function scheduleReconnect() {
+      if (!opts.reconnect || attempts >= opts.maxReconnectAttempts) return;
+      attempts++;
+      managed.status = "reconnecting";
+      reconnectTimer = setTimeout(function() {
+        reconnectTimer = null;
+        connect();
+      }, currentDelay);
+      currentDelay = Math.min(currentDelay * 2, opts.maxReconnectDelay);
+    }
+    function connect() {
+      managed.status = attempts > 0 ? "reconnecting" : "connecting";
+      try {
+        socket = new WebSocket(url, opts.protocols);
+      } catch {
+        managed.status = "closed";
+        return;
+      }
+      socket.onopen = function() {
+        managed.status = "open";
+        attempts = 0;
+        currentDelay = opts.reconnectDelay;
+        opts.onOpen();
+        for (const fn of listeners.open) fn();
+      };
+      socket.onmessage = function(event) {
+        const parsed = parseMessage(event.data);
+        for (const fn of listeners.message) fn(parsed);
+      };
+      socket.onclose = function(event) {
+        managed.status = "closed";
+        opts.onClose(event.code, event.reason);
+        for (const fn of listeners.close) fn(event.code, event.reason);
+        if (!intentionalClose) {
+          scheduleReconnect();
+        }
+      };
+      socket.onerror = function(event) {
+        opts.onError(event);
+        for (const fn of listeners.error) fn(event);
+      };
+    }
+    connect();
+    return managed;
+  }
+  function sseConnect(url, options) {
+    const opts = {
+      reconnect: true,
+      reconnectDelay: 1e3,
+      maxReconnectDelay: 3e4,
+      maxReconnectAttempts: Infinity,
+      events: [],
+      json: true,
+      onOpen: function() {
+      },
+      onClose: function() {
+      },
+      onError: function() {
+      },
+      ...options || {}
+    };
+    let source = null;
+    let intentionalClose = false;
+    let currentDelay = opts.reconnectDelay;
+    let attempts = 0;
+    let reconnectTimer = null;
+    const listeners = {
+      message: [],
+      open: [],
+      close: [],
+      error: []
+    };
+    const managed = {
+      status: "connecting",
+      on: function(event, handler) {
+        if (!listeners[event]) listeners[event] = [];
+        listeners[event].push(handler);
+        return function() {
+          const arr = listeners[event];
+          const idx = arr.indexOf(handler);
+          if (idx >= 0) arr.splice(idx, 1);
+        };
+      },
+      close: function() {
+        intentionalClose = true;
+        if (reconnectTimer) {
+          clearTimeout(reconnectTimer);
+          reconnectTimer = null;
+        }
+        if (source) {
+          source.close();
+          source = null;
+        }
+        managed.status = "closed";
+      }
+    };
+    function parseData(raw) {
+      if (!opts.json) return raw;
+      try {
+        return JSON.parse(raw);
+      } catch {
+        return raw;
+      }
+    }
+    function dispatch(data, eventName) {
+      for (const fn of listeners.message) fn(data, eventName || void 0);
+    }
+    function scheduleReconnect() {
+      if (!opts.reconnect || attempts >= opts.maxReconnectAttempts) return;
+      attempts++;
+      managed.status = "reconnecting";
+      reconnectTimer = setTimeout(function() {
+        reconnectTimer = null;
+        connect();
+      }, currentDelay);
+      currentDelay = Math.min(currentDelay * 2, opts.maxReconnectDelay);
+    }
+    function connect() {
+      managed.status = attempts > 0 ? "reconnecting" : "connecting";
+      try {
+        source = new EventSource(url);
+      } catch {
+        managed.status = "closed";
+        return;
+      }
+      source.onopen = function() {
+        managed.status = "open";
+        attempts = 0;
+        currentDelay = opts.reconnectDelay;
+        opts.onOpen();
+        for (const fn of listeners.open) fn(null);
+      };
+      source.onmessage = function(event) {
+        dispatch(parseData(event.data), null);
+      };
+      for (const name of opts.events) {
+        source.addEventListener(name, function(e) {
+          dispatch(parseData(e.data), name);
+        });
+      }
+      source.onerror = function(event) {
+        opts.onError(event);
+        for (const fn of listeners.error) fn(event);
+        if (source && source.readyState === 2) {
+          source = null;
+          managed.status = "closed";
+          opts.onClose();
+          for (const fn of listeners.close) fn(null);
+          if (!intentionalClose) {
+            scheduleReconnect();
+          }
+        }
+      };
+    }
+    connect();
+    return managed;
+  }
+  var cookie = {
+    /**
+     * Set a browser cookie.
+     *
+     * @param name  - Cookie name.
+     * @param value - Cookie value.
+     * @param days  - Optional lifetime in days.
+     */
+    set: function(name, value, days) {
+      let expires = "";
+      if (days) {
+        const d = /* @__PURE__ */ new Date();
+        d.setTime(d.getTime() + days * 24 * 60 * 60 * 1e3);
+        expires = "; expires=" + d.toUTCString();
+      }
+      document.cookie = name + "=" + (value || "") + expires + "; path=/";
+    },
+    /**
+     * Retrieve a cookie value by name.
+     *
+     * @param name - Cookie name.
+     * @returns Cookie value, or null if not found.
+     */
+    get: function(name) {
+      const nameEQ = name + "=";
+      const parts = document.cookie.split(";");
+      for (let i = 0; i < parts.length; i++) {
+        let c = parts[i];
+        while (c.charAt(0) === " ") c = c.substring(1);
+        if (c.indexOf(nameEQ) === 0) return c.substring(nameEQ.length);
+      }
+      return null;
+    },
+    /**
+     * Delete a cookie by name.
+     *
+     * @param name - Cookie name.
+     */
+    remove: function(name) {
+      document.cookie = name + "=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/";
+    }
+  };
+  function message(text, type) {
+    const el = document.getElementById("message");
+    if (!el) return;
+    const alertType = type || "info";
+    el.innerHTML = '<div class="alert alert-' + alertType + ' alert-dismissible">' + text + '<button type="button" class="btn-close" data-t4-dismiss="alert">&times;</button></div>';
+  }
+  function popup(url, title, w, h) {
+    const dualLeft = window.screenLeft !== void 0 ? window.screenLeft : window.screenX;
+    const dualTop = window.screenTop !== void 0 ? window.screenTop : window.screenY;
+    const width = window.innerWidth || document.documentElement.clientWidth || screen.width;
+    const height = window.innerHeight || document.documentElement.clientHeight || screen.height;
+    const zoom = width / window.screen.availWidth;
+    const left = (width - w) / 2 / zoom + dualLeft;
+    const top = (height - h) / 2 / zoom + dualTop;
+    const win = window.open(
+      url,
+      title,
+      "directories=no,toolbar=no,location=no,status=no,menubar=no,scrollbars=yes,resizable=yes,width=" + w / zoom + ",height=" + h / zoom + ",top=" + top + ",left=" + left
+    );
+    if (window.focus && win) win.focus();
+    return win;
+  }
+  function report(url) {
+    if (url.indexOf("No data available") >= 0) {
+      window.alert("No data available for this report.");
+      return;
+    }
+    window.open(
+      url,
+      "_blank",
+      "toolbar=no,scrollbars=yes,resizable=yes,width=800,height=600,top=0,left=0"
+    );
+  }
+  function graphql(url, query, variables, callback) {
+    request(url, {
+      method: "POST",
+      body: { query, variables: variables || {} },
+      onSuccess: function(response) {
+        if (callback) {
+          callback(response.data || null, response.errors || void 0);
+        }
+      },
+      onError: function(status) {
+        if (callback) {
+          callback(null, [{ message: "GraphQL request failed with status " + status }]);
+        }
+      }
+    });
+  }
+  var frond = {
+    /** Core HTTP request. */
+    request,
+    /** GET + inject HTML into target element. */
+    load,
+    /** POST + inject HTML into target element. */
+    post,
+    /** Parse HTML string, inject into element, execute scripts. */
+    inject,
+    /** Form helpers: collect, submit, show. */
+    form,
+    /** WebSocket with auto-reconnect. */
+    ws: wsConnect,
+    /** Server-Sent Events with auto-reconnect. */
+    sse: sseConnect,
+    /** Cookie helpers: get, set, remove. */
+    cookie,
+    /** Display alert message in #message element. */
+    message,
+    /** Open centred popup window. */
+    popup,
+    /** Open PDF report in new window. */
+    report,
+    /** Execute a GraphQL query/mutation. */
+    graphql,
+    /** Current bearer token (read/write). */
+    get token() {
+      return _token;
+    },
+    set token(value) {
+      _token = value;
+    }
+  };
+  if (typeof window !== "undefined") {
+    window.frond = frond;
+  }
+  return __toCommonJS(frond_exports);
+})();
+/* Frond v2.1.3 — tina4.com */
+//# sourceMappingURL=frond.js.map

data/lib/tina4/public/js/frond.min.js

@@ -1,2 +1,2 @@
 var _frondModule=(()=>{var b=Object.defineProperty;var k=Object.getOwnPropertyDescriptor;var x=Object.getOwnPropertyNames;var C=Object.prototype.hasOwnProperty;var O=(o,s)=>{for(var e in s)b(o,e,{get:s[e],enumerable:!0})},M=(o,s,e,t)=>{if(s&&typeof s=="object"||typeof s=="function")for(let n of x(s))!C.call(o,n)&&n!==e&&b(o,n,{get:()=>s[n],enumerable:!(t=k(s,n))||t.enumerable});return o};var q=o=>M(b({},"__esModule",{value:!0}),o);var j={};O(j,{frond:()=>R});var g=null;function w(o,s){let e;typeof s=="function"?e={onSuccess:s}:e=s||{};let t=(e.method||"GET").toUpperCase(),n=new XMLHttpRequest;if(n.open(t,o,!0),g!==null&&n.setRequestHeader("Authorization","Bearer "+g),e.headers)for(let r in e.headers)Object.prototype.hasOwnProperty.call(e.headers,r)&&n.setRequestHeader(r,e.headers[r]);let i=null;e.body!==void 0&&e.body!==null&&(e.body instanceof FormData?i=e.body:typeof e.body=="object"?(i=JSON.stringify(e.body),n.setRequestHeader("Content-Type","application/json; charset=UTF-8")):typeof e.body=="string"&&(i=e.body,n.setRequestHeader("Content-Type","text/plain; charset=UTF-8"))),n.onload=function(){let r=n.getResponseHeader("FreshToken");r&&r!==""&&(g=r);let u=n.response;try{u=JSON.parse(u)}catch{}if(n.responseURL){let c=new URL(o,window.location.href).href;if(n.responseURL!==c){window.location.href=n.responseURL;return}}n.status>=200&&n.status<400?e.onSuccess&&e.onSuccess(u,n.status,n):e.onError&&e.onError(n.status,n)},n.onerror=function(){e.onError&&e.onError(n.status,n)},n.send(i)}function h(o,s){if(!o)return"";let e=new DOMParser,t=o.includes("<html>")?o:"<body>"+o+"</body></html>",i=e.parseFromString(t,"text/html").querySelector("body"),r=i.querySelectorAll("script");if(r.forEach(function(u){u.remove()}),s!==null){let u=document.getElementById(s);return u&&(i.children.length>0?u.replaceChildren.apply(u,Array.from(i.children)):u.innerHTML=i.innerHTML,r.forEach(function(c){let d=document.createElement("script");d.type="text/javascript",d.async=!0,c.src?d.src=c.src:d.textContent=c.textContent,u.appendChild(d)})),""}return r.forEach(function(u){let c=document.createElement("script");c.type="text/javascript",c.async=!0,c.textContent=u.textContent,document.body.appendChild(c)}),i.innerHTML}function H(o,s,e){let t=s||"content";w(o,{method:"GET",onSuccess:function(n,i){if(document.getElementById(t)){let r=h(n,t);e&&e(r,n)}else e&&e(n)}})}function S(o,s,e,t){let n=e||"content";w(o,{method:"POST",body:s,onSuccess:function(i){let r="";if(i&&i.message!==void 0)r=h(i.message,n);else if(document.getElementById(n))r=h(i,n);else{t&&t(i);return}t&&t(r,i)}})}var T={collect:function(o){let s=new FormData,e=document.querySelectorAll("#"+o+" select, #"+o+" input, #"+o+" textarea");for(let t=0;t<e.length;t++){let n=e[t];if(n.name==="formToken"&&g!==null&&(n.value=g),!!n.name)if(n.type==="file"){let i=n.files;if(i)for(let r=0;r<i.length;r++){let u=i[r];if(u!==void 0){let c=n.name;i.length>1&&!c.includes("[")&&(c=c+"[]"),s.append(c,u,u.name)}}}else n.type==="checkbox"||n.type==="radio"?n.checked?s.append(n.name,n.value):n.type!=="radio"&&s.append(n.name,"0"):s.append(n.name,n.value===""?"":n.value)}return s},submit:function(o,s,e,t){let n=T.collect(o);S(s,n,e||"message",t)},show:function(o,s,e,t){let n=o.toUpperCase();(o==="create"||o==="edit")&&(n="GET"),o==="delete"&&(n="DELETE");let i=e||"form";w(s,{method:n,onSuccess:function(r){let u="";if(r&&r.message!==void 0)u=h(r.message,i);else if(document.getElementById(i))u=h(r,i);else{t&&t(r);return}t&&t(u)}})}};function L(o,s){let e={reconnect:!0,reconnectDelay:1e3,maxReconnectDelay:3e4,maxReconnectAttempts:1/0,protocols:[],onOpen:function(){},onClose:function(){},onError:function(){},...s||{}},t=null,n=!1,i=e.reconnectDelay,r=0,u=null,c={message:[],open:[],close:[],error:[]},d={status:"connecting",send:function(l){if(!t||t.readyState!==WebSocket.OPEN)throw new Error("[frond] WebSocket is not connected");t.send(typeof l=="string"?l:JSON.stringify(l))},on:function(l,a){return c[l]||(c[l]=[]),c[l].push(a),function(){let f=c[l],m=f.indexOf(a);m>=0&&f.splice(m,1)}},close:function(l,a){n=!0,u&&(clearTimeout(u),u=null),t&&t.close(l||1e3,a||""),d.status="closed"}};function y(l){if(typeof l!="string")return l;try{return JSON.parse(l)}catch{return l}}function p(){!e.reconnect||r>=e.maxReconnectAttempts||(r++,d.status="reconnecting",u=setTimeout(function(){u=null,v()},i),i=Math.min(i*2,e.maxReconnectDelay))}function v(){d.status=r>0?"reconnecting":"connecting";try{t=new WebSocket(o,e.protocols)}catch{d.status="closed";return}t.onopen=function(){d.status="open",r=0,i=e.reconnectDelay,e.onOpen();for(let l of c.open)l()},t.onmessage=function(l){let a=y(l.data);for(let f of c.message)f(a)},t.onclose=function(l){d.status="closed",e.onClose(l.code,l.reason);for(let a of c.close)a(l.code,l.reason);n||p()},t.onerror=function(l){e.onError(l);for(let a of c.error)a(l)}}return v(),d}function D(o,s){let e={reconnect:!0,reconnectDelay:1e3,maxReconnectDelay:3e4,maxReconnectAttempts:1/0,events:[],json:!0,onOpen:function(){},onClose:function(){},onError:function(){},...s||{}},t=null,n=!1,i=e.reconnectDelay,r=0,u=null,c={message:[],open:[],close:[],error:[]},d={status:"connecting",on:function(a,f){return c[a]||(c[a]=[]),c[a].push(f),function(){let m=c[a],E=m.indexOf(f);E>=0&&m.splice(E,1)}},close:function(){n=!0,u&&(clearTimeout(u),u=null),t&&(t.close(),t=null),d.status="closed"}};function y(a){if(!e.json)return a;try{return JSON.parse(a)}catch{return a}}function p(a,f){for(let m of c.message)m(a,f||void 0)}function v(){!e.reconnect||r>=e.maxReconnectAttempts||(r++,d.status="reconnecting",u=setTimeout(function(){u=null,l()},i),i=Math.min(i*2,e.maxReconnectDelay))}function l(){d.status=r>0?"reconnecting":"connecting";try{t=new EventSource(o)}catch{d.status="closed";return}t.onopen=function(){d.status="open",r=0,i=e.reconnectDelay,e.onOpen();for(let a of c.open)a(null)},t.onmessage=function(a){p(y(a.data),null)};for(let a of e.events)t.addEventListener(a,function(f){p(y(f.data),a)});t.onerror=function(a){e.onError(a);for(let f of c.error)f(a);if(t&&t.readyState===2){t=null,d.status="closed",e.onClose();for(let f of c.close)f(null);n||v()}}}return l(),d}var W={set:function(o,s,e){let t="";if(e){let n=new Date;n.setTime(n.getTime()+e*24*60*60*1e3),t="; expires="+n.toUTCString()}document.cookie=o+"="+(s||"")+t+"; path=/"},get:function(o){let s=o+"=",e=document.cookie.split(";");for(let t=0;t<e.length;t++){let n=e[t];for(;n.charAt(0)===" ";)n=n.substring(1);if(n.indexOf(s)===0)return n.substring(s.length)}return null},remove:function(o){document.cookie=o+"=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/"}};function A(o,s){let e=document.getElementById("message");if(!e)return;let t=s||"info";e.innerHTML='<div class="alert alert-'+t+' alert-dismissible">'+o+'<button type="button" class="btn-close" data-t4-dismiss="alert">&times;</button></div>'}function I(o,s,e,t){let n=window.screenLeft!==void 0?window.screenLeft:window.screenX,i=window.screenTop!==void 0?window.screenTop:window.screenY,r=window.innerWidth||document.documentElement.clientWidth||screen.width,u=window.innerHeight||document.documentElement.clientHeight||screen.height,c=r/window.screen.availWidth,d=(r-e)/2/c+n,y=(u-t)/2/c+i,p=window.open(o,s,"directories=no,toolbar=no,location=no,status=no,menubar=no,scrollbars=yes,resizable=yes,width="+e/c+",height="+t/c+",top="+y+",left="+d);return window.focus&&p&&p.focus(),p}function N(o){if(o.indexOf("No data available")>=0){window.alert("No data available for this report.");return}window.open(o,"_blank","toolbar=no,scrollbars=yes,resizable=yes,width=800,height=600,top=0,left=0")}function U(o,s,e,t){w(o,{method:"POST",body:{query:s,variables:e||{}},onSuccess:function(n){t&&t(n.data||null,n.errors||void 0)},onError:function(n){t&&t(null,[{message:"GraphQL request failed with status "+n}])}})}var R={request:w,load:H,post:S,inject:h,form:T,ws:L,sse:D,cookie:W,message:A,popup:I,report:N,graphql:U,get token(){return g},set token(o){g=o}};typeof window<"u"&&(window.frond=R);return q(j);})();
-/* Frond v2 — tina4.com */
+/* Frond v2.1.3 — tina4.com */

data/lib/tina4/rack_app.rb

@@ -200,7 +200,7 @@ module Tina4
         end
 
         # API_KEY bypass — matches tina4_python behavior
-        api_key = ENV["TINA4_API_KEY"] || ENV["API_KEY"]
+        api_key = ENV["TINA4_API_KEY"]
         if api_key && !api_key.empty? && token == api_key
           env["tina4.auth_payload"] = { "api_key" => true }
         elsif token
@@ -330,18 +330,28 @@ module Tina4
     end
 
     def handle_404(path)
-      # Try serving a template file (e.g. /hello -> src/templates/hello.twig or hello.html)
+      # Try serving a template file (e.g. /hello -> src/templates/pages/hello.twig)
       template_response = try_serve_template(path)
       return template_response if template_response
 
-      # Show landing page for GET "/"
-      return render_landing_page if path == "/"
+      # Show landing page for GET "/" — but ONLY in dev mode.
+      # Production never shows it, so the framework version, dev-admin link,
+      # and gallery never leak to real users. Symmetric with /__dev/* gating.
+      return render_landing_page if path == "/" && dev_mode?
 
       Tina4::Log.warning("404 Not Found: #{path}")
       body = Tina4::Template.render_error(404, { "path" => path }) rescue "404 Not Found"
       [404, { "content-type" => "text/html" }, [body]]
     end
 
+    # Honour TINA4_TEMPLATE_ROUTING=off|false|0|no|disabled as an explicit
+    # kill switch. Default: enabled. Drop a file in src/templates/pages/ and
+    # it serves at the matching URL — the zero-config Tina4 convention.
+    def template_auto_routing_enabled?
+      val = ENV.fetch("TINA4_TEMPLATE_ROUTING", "on").to_s.strip.downcase
+      !%w[off false 0 no disabled].include?(val)
+    end
+
     def should_show_landing_page?
       # Check if any index template exists in src/templates/
       templates_dir = File.join(@root_dir, "src", "templates")
@@ -357,19 +367,39 @@ module Tina4
       [200, { "content-type" => "text/html" }, [body]]
     end
 
-    # Resolve a URL path to a template file.
+    # Resolve a URL path to a template file in src/templates/pages/.
+    #
+    # Only files inside ``src/templates/pages/`` auto-route from a URL.
+    # Anything in ``src/templates/`` outside ``pages/`` (partials, layouts,
+    # base.twig, errors, components) is never served standalone — those
+    # remain renderable via {% include %} / {% extends %} / explicit render
+    # calls but never auto-serve from a URL.
+    #
+    # Files starting with ``_`` (e.g. pages/_helper.twig) are always skipped
+    # even within pages/ — Hugo/Jekyll convention for private partials.
+    #
     # Dev mode: checks filesystem every time for live changes.
     # Production: uses a cached lookup built once at startup.
+    #
+    # The whole feature can be turned off with ``TINA4_TEMPLATE_ROUTING=off``.
     def resolve_template(path)
+      return nil unless template_auto_routing_enabled?
+
       clean_path = path.sub(%r{^/}, "")
       clean_path = "index" if clean_path.empty?
+
+      # Skip underscore-prefixed segments — private files even within pages/.
+      return nil if clean_path.split("/").any? { |seg| seg.start_with?("_") }
+
       is_dev = %w[true 1 yes].include?(ENV.fetch("TINA4_DEBUG", "false").downcase)
 
       if is_dev
-        templates_dir = File.join(@root_dir, "src", "templates")
+        pages_dir = File.join(@root_dir, "src", "templates", "pages")
         %w[.twig .html].each do |ext|
-          candidate = clean_path + ext
-          return candidate if File.file?(File.join(templates_dir, candidate))
+          candidate_inside_pages = clean_path + ext
+          if File.file?(File.join(pages_dir, candidate_inside_pages))
+            return File.join("pages", candidate_inside_pages)
+          end
         end
         return nil
       end
@@ -379,15 +409,22 @@ module Tina4
       @template_cache[clean_path]
     end
 
+    # Scan src/templates/pages/ once and build url_path -> template_file lookup.
+    # Only files under pages/ are eligible — partials, layouts, base.twig,
+    # errors etc. remain renderable via explicit render calls but never
+    # auto-serve from a URL.
     def build_template_cache
       cache = {}
-      templates_dir = File.join(@root_dir, "src", "templates")
-      return cache unless File.directory?(templates_dir)
-
-      Dir.glob(File.join(templates_dir, "**", "*.{twig,html}")).each do |f|
-        rel = f.sub(templates_dir + File::SEPARATOR, "").tr("\\", "/")
-        url_path = rel.sub(/\.(twig|html)$/, "")
-        cache[url_path] ||= rel
+      pages_dir = File.join(@root_dir, "src", "templates", "pages")
+      return cache unless File.directory?(pages_dir)
+
+      Dir.glob(File.join(pages_dir, "**", "*.{twig,html}")).each do |f|
+        rel_inside_pages = f.sub(pages_dir + File::SEPARATOR, "").tr("\\", "/")
+        # Skip private files even within pages/ (e.g. pages/_helper.twig)
+        next if rel_inside_pages.split("/").any? { |seg| seg.start_with?("_") }
+        url_path = rel_inside_pages.sub(/\.(twig|html)$/, "")
+        rel_from_templates = "pages/#{rel_inside_pages}"
+        cache[url_path] ||= rel_from_templates
       end
       cache
     end

data/lib/tina4/session.rb

@@ -16,7 +16,7 @@ module Tina4
 
     def initialize(env, options = {})
       @options = DEFAULT_OPTIONS.merge(options)
-      @options[:secret] ||= ENV["SECRET"] || "tina4-default-secret"
+      @options[:secret] ||= ENV["TINA4_SECRET"] || "tina4-default-secret"
       @handler = create_handler
       @id = extract_session_id(env) || SecureRandom.hex(32)
       @data = load_session

data/lib/tina4/session_handlers/database_handler.rb

@@ -17,7 +17,7 @@ module Tina4
 
       def initialize(options = {})
         @ttl = options[:ttl] || 86400
-        @db = options[:db] || Tina4::Database.new(ENV["DATABASE_URL"])
+        @db = options[:db] || Tina4::Database.new(ENV["TINA4_DATABASE_URL"])
         ensure_table
       end
 

data/lib/tina4/swagger.rb

@@ -19,9 +19,9 @@ module Tina4
         {
           "openapi" => "3.0.3",
           "info" => {
-            "title" => ENV["SWAGGER_TITLE"] || ENV["PROJECT_NAME"] || "Tina4 API",
-            "version" => ENV["VERSION"] || Tina4::VERSION,
-            "description" => "Auto-generated API documentation"
+            "title" => ENV["TINA4_SWAGGER_TITLE"] || ENV["PROJECT_NAME"] || "Tina4 API",
+            "version" => ENV["TINA4_SWAGGER_VERSION"] || Tina4::VERSION,
+            "description" => ENV["TINA4_SWAGGER_DESCRIPTION"] || "Auto-generated API documentation"
           },
           "servers" => [
             { "url" => "/" }

data/lib/tina4/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Tina4
-  VERSION = "3.11.36"
+  VERSION = "3.12.0"
 end

data/lib/tina4/webserver.rb

@@ -54,6 +54,9 @@ module Tina4
     end
 
     def start
+      # Refuse to boot with v3.11 / v2 era un-prefixed env vars set.
+      Tina4.check_legacy_env_vars!
+
       is_managed = ARGV.include?('--managed')
       unless is_managed || ENV['TINA4_OVERRIDE_CLIENT'] == 'true'
         puts

data/lib/tina4.rb

@@ -440,7 +440,7 @@ module Tina4
     end
 
     def setup_database
-      db_url = ENV["DATABASE_URL"] || ENV["DB_URL"]
+      db_url = ENV["TINA4_DATABASE_URL"]
       if db_url && !db_url.empty?
         begin
           @database = Tina4::Database.new(db_url)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: tina4ruby
 version: !ruby/object:Gem::Version
-  version: 3.11.36
+  version: 3.12.0
 platform: ruby
 authors:
 - Tina4 Team
@@ -342,6 +342,7 @@ files:
 - lib/tina4/public/favicon.ico
 - lib/tina4/public/images/logo.svg
 - lib/tina4/public/images/tina4-logo-icon.webp
+- lib/tina4/public/js/frond.js
 - lib/tina4/public/js/frond.min.js
 - lib/tina4/public/js/tina4-dev-admin.js
 - lib/tina4/public/js/tina4-dev-admin.min.js