tina4ruby 3.12.9 → 3.12.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f93732baf6d41660ae5294101c0fc9c619ab642d0b7be03306d462e095ce827
-  data.tar.gz: 93bc70862b49e7d01fe3a8c25233696e25eaf882281fa2964ce60191e0128d48
+  metadata.gz: 65d79f819e3ac62c1e8d3447409b8c75530c239db2bb6a7df9066de4104495ed
+  data.tar.gz: d0b0af5dd0e914b880cc64a7b9aca29e6f46de65dcec3104b18e01ad174509b8
 SHA512:
-  metadata.gz: 5a31af9bbe283e68dc35011e043dc2523d51746bef925125dcd18194c4e5fe97ee131333fc3f786d72ed22ed3640bde67abb9d053505f3a6669315044b00ba52
-  data.tar.gz: 6ea8a2e4fd0392292b33b0842f91e25d4b92a5c35028f07e9e42839729ec679e1a419827312e7287fdd3f1fd281103f147e9bda39129d39166c41699a09b49a7
+  metadata.gz: 2e59eac2e37d78d1f7752cd26680338ff404794f6ff23dbe9ab2a1570ce3f458200fd5f488fefb8ef6f5f0b1764aa355def94dbed13a50149df30b4ea798059a
+  data.tar.gz: 7021e0596f5275b4daf0969f0690400e99222fe10f30547b31fc8ee747f266c88086fb577927953813ac53b52dad9d8ce95a7ecb7ae48bfd2c1aa50fa8ff5e47

data/lib/tina4/cli.rb

@@ -265,7 +265,7 @@ module Tina4
 
       db = Tina4.database
       unless db
-        puts "No database configured. Set DATABASE_URL in your .env file."
+        puts "No database configured. Set TINA4_DATABASE_URL in your .env file."
         return
       end
 
@@ -298,7 +298,7 @@ module Tina4
 
       db = Tina4.database
       unless db
-        puts "No database configured. Set DATABASE_URL in your .env file."
+        puts "No database configured. Set TINA4_DATABASE_URL in your .env file."
         return
       end
 
@@ -341,7 +341,7 @@ module Tina4
 
       db = Tina4.database
       unless db
-        puts "No database configured. Set DATABASE_URL in your .env file."
+        puts "No database configured. Set TINA4_DATABASE_URL in your .env file."
         return
       end
 

data/lib/tina4/dev_admin.rb

@@ -369,6 +369,15 @@ module Tina4
         path = env["PATH_INFO"] || "/"
         method = env["REQUEST_METHOD"]
 
+        # Dynamic-path routes can't live in the case-tuple below — match
+        # them up front. /__dev/api/threads/{id}[/messages] is forwarded
+        # verbatim to the Rust agent's /threads/{id}[/messages] surface
+        # (mirrors Python's `_api_threads_sub`).
+        if path.start_with?("/__dev/api/threads/")
+          suffix = path[("/__dev/api".length)..]  # leaves "/threads/{id}[/messages]"
+          return threads_sub_proxy(env, method, suffix)
+        end
+
         case [method, path]
         when ["GET", "/__dev"], ["GET", "/__dev/"]
           serve_dashboard
@@ -382,6 +391,13 @@ module Tina4
           @reload_file = body["file"] || ""
           reload_type = body["type"] || "reload"
           Tina4::Log.info("External reload trigger: #{reload_type}#{@reload_file.empty? ? '' : " (#{@reload_file})"}")
+          # Re-discover so files dropped into src/routes/ register without
+          # a server restart. Idempotent — already-loaded files are skipped.
+          begin
+            Tina4::Router.rescan_routes!
+          rescue StandardError => e
+            Tina4::Log.error("Re-discover on reload failed: #{e.message}")
+          end
           json_response({ ok: true, type: reload_type })
         when ["GET", "/__dev/api/status"]
           json_response(status_payload)
@@ -509,12 +525,21 @@ module Tina4
           tool = (body && body["tool"]) || ""
           json_response(run_tool(tool))
         when ["POST", "/__dev/api/chat"]
-          body = read_json_body(env)
-          message = (body && body["message"]) || ""
-          json_response({
-            reply: "Chat is not yet connected to an AI backend. You said: \"#{message}\"",
-            timestamp: Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
-          })
+          # Proxy dev-admin chat to the Rust agent's /chat endpoint.
+          # The SPA POSTs {message, thread_id?, active_file?, settings?}
+          # and expects an SSE stream of `event: status/message/done`
+          # chunks. We forward the JSON body verbatim (active_file rides
+          # along) and pipe upstream bytes back as they arrive. Mirrors
+          # Python's `_api_chat` / `_proxy_to_supervisor` SSE path.
+          body = read_json_body(env) || {}
+          chat_proxy(body)
+        when ["GET", "/__dev/api/threads"]
+          # Parity with Python `_api_threads` (GET → list threads).
+          json_response(proxy_supervisor("/threads", method: "GET", query: env["QUERY_STRING"]))
+        when ["POST", "/__dev/api/threads"]
+          # Parity with Python `_api_threads` (POST → create thread).
+          body = read_json_body(env) || {}
+          json_response(proxy_supervisor("/threads", method: "POST", body: body))
         when ["GET", "/__dev/api/connections"]
           handle_connections_get
         when ["POST", "/__dev/api/connections/test"]
@@ -893,10 +918,13 @@ module Tina4
             key, val = line.split("=", 2)
             key = key.strip
             val = (val || "").strip.gsub(/\A["']|["']\z/, "")
+            # v3.12+ env vars are TINA4_-prefixed; the boot guard refuses to
+            # start with bare DATABASE_URL set, so the dashboard must read
+            # and write the prefixed names.
             case key
-            when "DATABASE_URL" then url = val
-            when "DATABASE_USERNAME" then username = val
-            when "DATABASE_PASSWORD" then password = val.empty? ? "" : "***"
+            when "TINA4_DATABASE_URL" then url = val
+            when "TINA4_DATABASE_USERNAME" then username = val
+            when "TINA4_DATABASE_PASSWORD" then password = val.empty? ? "" : "***"
             end
           end
         end
@@ -954,7 +982,13 @@ module Tina4
         begin
           env_path = File.join(Dir.pwd, ".env")
           lines = File.file?(env_path) ? File.readlines(env_path, chomp: true) : []
-          keys_found = { "DATABASE_URL" => false, "DATABASE_USERNAME" => false, "DATABASE_PASSWORD" => false }
+          # v3.12+ env vars are TINA4_-prefixed; saving bare DATABASE_URL
+          # would trip the framework's legacy-env boot guard on next start.
+          keys_found = {
+            "TINA4_DATABASE_URL" => false,
+            "TINA4_DATABASE_USERNAME" => false,
+            "TINA4_DATABASE_PASSWORD" => false,
+          }
           new_lines = []
           lines.each do |line|
             stripped = line.strip
@@ -964,20 +998,24 @@ module Tina4
             end
             key = stripped.split("=", 2).first.strip
             case key
-            when "DATABASE_URL"
-              new_lines << "DATABASE_URL=#{url}"
-              keys_found["DATABASE_URL"] = true
-            when "DATABASE_USERNAME"
-              new_lines << "DATABASE_USERNAME=#{username}"
-              keys_found["DATABASE_USERNAME"] = true
-            when "DATABASE_PASSWORD"
-              new_lines << "DATABASE_PASSWORD=#{password}"
-              keys_found["DATABASE_PASSWORD"] = true
+            when "TINA4_DATABASE_URL"
+              new_lines << "TINA4_DATABASE_URL=#{url}"
+              keys_found["TINA4_DATABASE_URL"] = true
+            when "TINA4_DATABASE_USERNAME"
+              new_lines << "TINA4_DATABASE_USERNAME=#{username}"
+              keys_found["TINA4_DATABASE_USERNAME"] = true
+            when "TINA4_DATABASE_PASSWORD"
+              new_lines << "TINA4_DATABASE_PASSWORD=#{password}"
+              keys_found["TINA4_DATABASE_PASSWORD"] = true
             else
               new_lines << line
             end
           end
-          values = { "DATABASE_URL" => url, "DATABASE_USERNAME" => username, "DATABASE_PASSWORD" => password }
+          values = {
+            "TINA4_DATABASE_URL" => url,
+            "TINA4_DATABASE_USERNAME" => username,
+            "TINA4_DATABASE_PASSWORD" => password,
+          }
           keys_found.each do |key, found|
             new_lines << "#{key}=#{values[key]}" unless found
           end
@@ -1075,6 +1113,21 @@ module Tina4
                   r["Content-Type"] = "application/json"
                   r.body = JSON.generate(body || {})
                   r
+                when "PATCH"
+                  r = Net::HTTP::Patch.new(uri)
+                  r["Content-Type"] = "application/json"
+                  r.body = JSON.generate(body || {})
+                  r
+                when "PUT"
+                  r = Net::HTTP::Put.new(uri)
+                  r["Content-Type"] = "application/json"
+                  r.body = JSON.generate(body || {})
+                  r
+                when "DELETE"
+                  r = Net::HTTP::Delete.new(uri)
+                  r["Content-Type"] = "application/json"
+                  r.body = JSON.generate(body) if body
+                  r
                 else
                   Net::HTTP::Get.new(uri)
                 end
@@ -1089,6 +1142,85 @@ module Tina4
         end
       end
 
+      # Proxy /__dev/api/threads/{id}[/messages] through to the Rust
+      # agent. Mirrors Python's `_api_threads_sub`: we already stripped
+      # the dev-admin prefix in handle_request, so `suffix` is the path
+      # the agent expects (e.g. `/threads/abc` or `/threads/abc/messages`).
+      # PATCH /threads/{id} (archive/rename) and GET /threads/{id}/messages
+      # are the two shapes the SPA actually fires.
+      def threads_sub_proxy(env, method, suffix)
+        case method.upcase
+        when "GET"
+          json_response(proxy_supervisor(suffix, method: "GET", query: env["QUERY_STRING"]))
+        when "POST"
+          body = read_json_body(env) || {}
+          json_response(proxy_supervisor(suffix, method: "POST", body: body))
+        when "PATCH"
+          body = read_json_body(env) || {}
+          json_response(proxy_supervisor(suffix, method: "PATCH", body: body))
+        when "PUT"
+          body = read_json_body(env) || {}
+          json_response(proxy_supervisor(suffix, method: "PUT", body: body))
+        when "DELETE"
+          body = read_json_body(env)
+          json_response(proxy_supervisor(suffix, method: "DELETE", body: body))
+        else
+          [405, { "content-type" => "application/json; charset=utf-8" },
+           [JSON.generate({ error: "method not allowed" })]]
+        end
+      end
+
+      # POST /chat — proxy the SPA's chat payload to the Rust agent and
+      # pipe the upstream SSE response back to the browser. Active-file
+      # content (when present in the body) rides along verbatim.
+      #
+      # NOTE on streaming: Tina4 Ruby's Rack app does not currently
+      # expose a chunk-by-chunk streaming API to handlers (see
+      # response.rb — `response.stream(&block)` is not yet wired through
+      # the case-tuple dispatcher used here). We do the next best thing:
+      # use Net::HTTP#request_get with a block so we receive upstream
+      # SSE chunks as they arrive, buffer them, and return the assembled
+      # body with the upstream content-type intact. The SPA's
+      # EventSource reader works either way (it parses `data:` lines
+      # regardless of arrival cadence) — the TODO below tracks
+      # converting this to a true streamed Rack body once dev_admin
+      # routes are migrated off the case-tuple dispatcher.
+      def chat_proxy(body)
+        base = supervisor_base
+        begin
+          uri = URI.parse("#{base}/chat")
+          req = Net::HTTP::Post.new(uri)
+          req["Content-Type"] = "application/json"
+          req["Accept"] = "text/event-stream"
+          req.body = JSON.generate(body || {})
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.open_timeout = 2
+          # /chat runs the supervisor → planner → coder loop with one or
+          # more LLM round-trips. Matches Python's 600s budget.
+          http.read_timeout = 600
+          chunks = []
+          upstream_status = 200
+          upstream_ct = "text/event-stream"
+          http.request(req) do |resp|
+            upstream_status = resp.code.to_i
+            upstream_ct = resp["content-type"] || upstream_ct
+            # TODO: stream chunks straight into the Rack response once
+            # dev_admin migrates to response.stream(). For now we
+            # buffer — the SPA's SSE reader still parses correctly.
+            resp.read_body { |chunk| chunks << chunk }
+          end
+          [upstream_status, { "content-type" => upstream_ct }, [chunks.join]]
+        rescue StandardError => e
+          body_str = JSON.generate({
+            error: "supervisor unavailable",
+            detail: e.message,
+            hint: "Run `tina4 serve` (starts the agent server) or set TINA4_SUPERVISOR_URL",
+            supervisor: base
+          })
+          [503, { "content-type" => "application/json; charset=utf-8" }, [body_str]]
+        end
+      end
+
       def execute_proxy(body)
         # Proxy POST /execute to the supervisor at framework_port + 2000.
         # Pass through the response stream as-is (SSE or JSON).

data/lib/tina4/error_overlay.rb

@@ -42,12 +42,20 @@ module Tina4
         exc_type = exception.class.name
         exc_msg  = exception.message
 
+        # Stamp captured_at once when the overlay is generated. Each frame
+        # compares its source file's mtime to this single timestamp and
+        # flags itself stale if the file changed afterwards — protects
+        # against the "browser cached an old overlay, then the AI rewrote
+        # the file" confusion where the displayed source no longer matches
+        # what actually raised the error.
+        captured_at = Time.now.to_f
+
         # ── Stack trace ──
         frames_html = +""
         backtrace = exception.backtrace || []
         backtrace.each do |line|
           file, lineno, method = parse_backtrace_line(line)
-          frames_html << format_frame(file, lineno, method)
+          frames_html << format_frame(file, lineno, method, captured_at: captured_at)
         end
 
         # ── Request info ──
@@ -213,8 +221,9 @@ module Tina4
           "#{rows}</div>"
       end
 
-      def format_frame(filename, lineno, func_name)
+      def format_frame(filename, lineno, func_name, captured_at: 0.0)
         source = (filename && lineno.positive?) ? format_source_block(filename, lineno) : ""
+        stale_badge = stale_file_badge(filename, captured_at)
         "<div style=\"margin-bottom:16px;\">" \
           "<div style=\"margin-bottom:4px;\">" \
           "<span style=\"color:#{BLUE};\">#{esc(filename.to_s)}</span>" \
@@ -222,11 +231,32 @@ module Tina4
           "<span style=\"color:#{YELLOW};\">#{lineno}</span>" \
           "<span style=\"color:#{SUBTEXT};\"> in </span>" \
           "<span style=\"color:#{GREEN};\">#{esc(func_name.to_s)}</span>" \
+          "#{stale_badge}" \
           "</div>" \
           "#{source}" \
           "</div>"
       end
 
+      # When the file on disk was modified AFTER the overlay was generated,
+      # emit a peach pill warning that the visible source may not match what
+      # actually failed. 0.5s margin to avoid filesystem-noise false positives.
+      def stale_file_badge(filename, captured_at)
+        return "" if captured_at.nil? || captured_at <= 0
+        return "" if filename.nil? || filename.to_s.empty?
+        return "" unless File.file?(filename)
+
+        mtime = File.mtime(filename).to_f
+        return "" if mtime <= captured_at + 0.5
+
+        mtime_str = Time.at(mtime).utc.strftime("%H:%M:%S")
+        "<span style=\"background:#{PEACH};color:#{BG};padding:1px 8px;" \
+          "border-radius:3px;font-size:11px;font-weight:700;margin-left:6px;\">" \
+          "FILE MODIFIED @ #{mtime_str} UTC &mdash; source may not match what failed" \
+          "</span>"
+      rescue StandardError
+        ""
+      end
+
       def collapsible(title, content, open_by_default: false)
         open_attr = open_by_default ? " open" : ""
         "<details style=\"margin-top:16px;\"#{open_attr}>" \

data/lib/tina4/feedback.rb

@@ -0,0 +1,307 @@
+# frozen_string_literal: true
+
+require "json"
+require "net/http"
+require "uri"
+
+module Tina4
+  # ── Customer feedback widget — server-side plumbing ─────────────────
+  #
+  # Mirrors tina4_python/dev_admin/__init__.py lines 1436-1645. The
+  # widget is for END USERS of a shipped Tina4 app (not developers).
+  # Whitelisted users get a floating bubble that proxies one
+  # conversational turn at a time to the Rust agent's intake endpoint
+  # at <supervisor>/feedback/intake.
+  #
+  # Flow:
+  #   1. Framework middleware injects <script src="/__feedback/widget.js">
+  #      into HTML responses for whitelisted users.
+  #   2. Widget POSTs to /__feedback/api/turn for each conversational turn.
+  #   3. The Ruby handler verifies whitelist + rate-limit, stamps the
+  #      user identity server-side (client cannot fake `sender`), then
+  #      forwards to the Rust agent's /feedback/intake.
+  #   4. Finalised tickets land in .tina4/chat/threads.json with
+  #      kind:"feedback". Developer sees them in the dev admin sidebar.
+  module Feedback
+    RATE_WINDOW = 3600   # 1 hour
+    RATE_MAX = 5         # submissions/turns per user per hour
+
+    # Class-level mutex-guarded hash {user => [timestamps]}. Mirrors the
+    # Python `_FEEDBACK_RATE_LIMIT` dict — process-local, no persistence.
+    @rate_limit = {}
+    @rate_mutex = Mutex.new
+
+    class << self
+      attr_reader :rate_mutex
+
+      # Test/reset helper — clears the in-memory rate-limit table.
+      def reset_rate_limit!
+        @rate_mutex.synchronize { @rate_limit = {} }
+      end
+
+      # Hard master switch.
+      #
+      # Both gates required for the widget to render or the API to
+      # accept submissions:
+      #   - TINA4_ENABLE_FEEDBACK=true (explicit opt-in — off by default)
+      #   - TINA4_FEEDBACK_WHITELIST=... (non-empty list of users)
+      #
+      # Splitting the toggle from the whitelist lets the developer leave
+      # the whitelist intact while pausing the feature in production for
+      # a release (set TINA4_ENABLE_FEEDBACK=false → widget vanishes
+      # everywhere; whitelist comes back online with one env flip).
+      def feedback_enabled?
+        raw = ENV["TINA4_ENABLE_FEEDBACK"].to_s.strip.downcase
+        %w[1 true yes on].include?(raw)
+      end
+
+      # Comma-separated emails / user IDs in env. Empty = no one allowed.
+      def feedback_whitelist
+        return [] unless feedback_enabled?
+        raw = ENV["TINA4_FEEDBACK_WHITELIST"].to_s.strip
+        return [] if raw.empty?
+        raw.split(",").map { |e| e.strip.downcase }.reject(&:empty?)
+      end
+
+      # Best-effort user identity from auth headers.
+      #
+      # Priority:
+      #   1. JWT/Bearer token via Tina4::Auth.authenticate_request —
+      #      pulls email/sub/user_id claim.
+      #   2. TINA4_FEEDBACK_DEV_USER env var override (LOCAL DEV ONLY —
+      #      lets the framework owner test the widget without a full
+      #      auth setup in the test project).
+      def feedback_identify_user(request)
+        begin
+          headers = request_headers(request)
+          payload = Tina4::Auth.authenticate_request(headers)
+          if payload.is_a?(Hash)
+            %w[email sub user_id].each do |key|
+              v = payload[key] || payload[key.to_sym]
+              return v.to_s.strip.downcase if v && !v.to_s.strip.empty?
+            end
+          end
+        rescue StandardError
+          # fall through to dev-user override
+        end
+        dev_user = ENV["TINA4_FEEDBACK_DEV_USER"].to_s.strip
+        return dev_user.downcase unless dev_user.empty?
+        nil
+      end
+
+      # Returns [allowed, identity]. Both halves must be truthy to act.
+      def feedback_is_whitelisted(request)
+        wl = feedback_whitelist
+        return [false, nil] if wl.empty?
+        user = feedback_identify_user(request)
+        return [false, nil] unless user
+        [wl.include?(user), user]
+      end
+
+      # 5 turns/hour per user. Prunes old timestamps lazily.
+      def feedback_rate_limit_ok(user)
+        now = Time.now.to_f
+        @rate_mutex.synchronize do
+          hits = (@rate_limit[user] || []).select { |t| now - t < RATE_WINDOW }
+          if hits.size >= RATE_MAX
+            @rate_limit[user] = hits
+            return false
+          end
+          hits << now
+          @rate_limit[user] = hits
+          true
+        end
+      end
+
+      # Insert the widget <script> into HTML responses for whitelisted users.
+      #
+      # Called from the Rack middleware right before the body is sent.
+      # No-op if:
+      #   - The request is for a /__dev or /__feedback path (developer
+      #     dashboard / widget assets — never inject the customer widget
+      #     on developer pages; the dev admin has its OWN chat trigger).
+      #   - TINA4_ENABLE_FEEDBACK + TINA4_FEEDBACK_WHITELIST not both set
+      #   - Requesting user isn't in the whitelist
+      #   - Response doesn't have a closing </body> tag (fragment, JSON, etc.)
+      # Idempotent: a second call won't double-inject (looks for marker).
+      def inject_feedback_widget(request, html)
+        return html if html.nil? || html.empty?
+        # The customer feedback widget is for END USERS of the shipped
+        # app — injecting on developer-only paths creates a confusing
+        # "two bubbles" UX where the dev chat trigger + customer
+        # feedback bubble sit on top of each other. Hard exclusion at
+        # the framework layer.
+        path = request_path(request)
+        return html if path.start_with?("/__dev") || path.start_with?("/__feedback")
+        allowed, _user = feedback_is_whitelisted(request)
+        return html unless allowed
+        return html if html.include?("data-tina4-feedback")
+        snippet = '<script src="/__feedback/widget.js" data-tina4-feedback></script>'
+        idx = html.rindex("</body>")
+        return html unless idx
+        html[0...idx] + snippet + html[idx..]
+      end
+
+      # POST /__feedback/api/turn — whitelist check + rate-limit + stamp
+      # `sender` server-side, forward to Rust agent
+      # <supervisor>/feedback/intake. Returns a Rack response triple.
+      def handle_turn(env)
+        request = build_request_wrapper(env)
+        allowed, user = feedback_is_whitelisted(request)
+        return json_response({ error: "not authorised for feedback" }, 403) unless allowed
+        unless feedback_rate_limit_ok(user)
+          return json_response({
+            error: "rate limit exceeded",
+            hint: "max #{RATE_MAX} turns per hour"
+          }, 429)
+        end
+
+        body = read_json_body(env)
+        return json_response({ error: "expected JSON body" }, 400) unless body.is_a?(Hash)
+
+        forward_body = body.dup
+        forward_body["sender"] = user  # server-stamped identity
+
+        base = supervisor_base
+        uri = URI.parse("#{base}/feedback/intake")
+        begin
+          req = Net::HTTP::Post.new(uri)
+          req["Content-Type"] = "application/json"
+          req.body = JSON.generate(forward_body)
+          resp = Net::HTTP.start(uri.host, uri.port, open_timeout: 5, read_timeout: 60) { |h| h.request(req) }
+          parsed = begin
+            JSON.parse(resp.body.to_s)
+          rescue JSON::ParserError
+            nil
+          end
+          status_code = resp.code.to_i
+          status_code = 200 if status_code.zero?
+          if parsed
+            json_response(parsed, status_code)
+          else
+            [status_code, { "content-type" => "text/plain; charset=utf-8" }, [resp.body.to_s]]
+          end
+        rescue StandardError => e
+          json_response({
+            error: "agent unreachable",
+            detail: e.message
+          }, 502)
+        end
+      end
+
+      # GET /__feedback/widget.js — serve the bundle at
+      # lib/tina4/public/__feedback/widget.js. Cache-Control: no-cache,
+      # must-revalidate so browsers re-check the bundle on every load.
+      # Without this an old cached bundle (e.g. one that pre-dates the
+      # path-block guard against rendering on /__dev/) can persist for
+      # days and keep painting the bubble on the dev admin even after
+      # the server-side script-tag injection is fixed.
+      def handle_widget_js(_env)
+        js_path = File.expand_path("public/__feedback/widget.js", __dir__)
+        body = if File.file?(js_path)
+                 File.binread(js_path)
+               else
+                 "console.warn('tina4-feedback-widget bundle not built yet');"
+               end
+        headers = {
+          "content-type" => "application/javascript",
+          "cache-control" => "no-cache, must-revalidate",
+          "pragma" => "no-cache"
+        }
+        [200, headers, [body]]
+      end
+
+      # Dispatcher used by RackApp — returns a Rack triple if the path
+      # matches a /__feedback route, else nil.
+      def handle_request(env)
+        path = env["PATH_INFO"] || "/"
+        method = env["REQUEST_METHOD"]
+        case [method, path]
+        when ["GET", "/__feedback/widget.js"]
+          handle_widget_js(env)
+        when ["POST", "/__feedback/api/turn"]
+          handle_turn(env)
+        end
+      end
+
+      private
+
+      # Locate the supervisor (Rust agent) base URL. Mirrors the
+      # Tier 3 helper in dev_admin.rb so both modules agree on the
+      # endpoint resolution rule.
+      def supervisor_base
+        if defined?(Tina4::DevAdmin) && Tina4::DevAdmin.respond_to?(:supervisor_base, true)
+          return Tina4::DevAdmin.send(:supervisor_base)
+        end
+        base = ENV["TINA4_SUPERVISOR_URL"].to_s.strip
+        return base unless base.empty?
+        port = (ENV["TINA4_PORT"] || ENV["PORT"] || "7147").to_i + 2000
+        "http://127.0.0.1:#{port}"
+      end
+
+      def request_path(request)
+        if request.is_a?(Hash)
+          (request["PATH_INFO"] || request[:path] || "").to_s
+        elsif request.respond_to?(:path)
+          request.path.to_s
+        else
+          ""
+        end
+      end
+
+      # Extract Rack-style headers ({"HTTP_AUTHORIZATION" => "..."}) so
+      # Tina4::Auth.authenticate_request can consume them. Accepts a
+      # Rack env hash, a Tina4::Request, or a plain hash of headers.
+      def request_headers(request)
+        if request.is_a?(Hash) && request.keys.any? { |k| k.to_s.start_with?("HTTP_") }
+          return request
+        end
+        if request.respond_to?(:env)
+          return request.env
+        end
+        if request.respond_to?(:headers)
+          h = request.headers || {}
+          # Auth.authenticate_request looks for HTTP_AUTHORIZATION or Authorization
+          rack_like = {}
+          h.each do |k, v|
+            key = k.to_s
+            if key.downcase == "authorization"
+              rack_like["HTTP_AUTHORIZATION"] = v
+            else
+              rack_like[key] = v
+            end
+          end
+          return rack_like
+        end
+        {}
+      end
+
+      # Lightweight request wrapper used by handle_turn so the same
+      # whitelist/identity helpers work whether the caller passes a Rack
+      # env or a Tina4::Request.
+      def build_request_wrapper(env)
+        Struct.new(:path, :env, :headers).new(
+          env["PATH_INFO"] || "/",
+          env,
+          env  # Rack env IS the headers source for Tina4::Auth
+        )
+      end
+
+      def read_json_body(env)
+        input = env["rack.input"]
+        return nil unless input
+        input.rewind if input.respond_to?(:rewind)
+        raw = input.read
+        return nil if raw.nil? || raw.empty?
+        JSON.parse(raw)
+      rescue JSON::ParserError
+        nil
+      end
+
+      def json_response(data, status = 200)
+        [status, { "content-type" => "application/json; charset=utf-8" },
+         [JSON.generate(data)]]
+      end
+    end
+  end
+end

data/lib/tina4/mcp.rb

@@ -21,6 +21,7 @@
 require "json"
 require "socket"
 require "fileutils"
+require "open3"
 
 module Tina4
   # ── JSON-RPC 2.0 codec ────────────────────────────────────────────
@@ -457,7 +458,111 @@ module Tina4
       project_root = File.expand_path(Dir.pwd)
 
       # ── Helpers ────────────────────────────────────────
+      # Append a structured line to `.tina4/agent.log` AND echo to STDERR.
+      # Mirrors the Python `_agent_log` helper so a single log file
+      # captures every agent action regardless of which side of the
+      # stack performed it. Cheap — never blocks the caller on I/O
+      # failure.
+      agent_log = lambda do |category, message|
+        begin
+          log_dir = File.join(project_root, ".tina4")
+          FileUtils.mkdir_p(log_dir)
+          log_path = File.join(log_dir, "agent.log")
+          ts = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+          File.open(log_path, "a") { |f| f.write("#{ts} [#{category}] #{message}\n") }
+        rescue
+          # logging must never fail the actual call
+        end
+        warn "  [agent #{category}] #{message}"
+      end
+
+      # Paths that look like prose rather than filesystem paths. AI
+      # agents occasionally pass natural language ("The plan requires
+      # implementing...") as `path` to file_write and produce folders
+      # with prose for names. Returns an error string on rejection,
+      # nil on acceptance.
+      sane_path_segment = /\A[A-Za-z0-9._\-]+\z/
+      looks_like_prose = lambda do |rel_path|
+        if rel_path.nil? || rel_path.strip.empty?
+          break "path is empty"
+        end
+        if rel_path.length > 300
+          break "path too long (#{rel_path.length} chars); use a real filename"
+        end
+        bad_sequences = ["`", "\n", "\t", "  ", " — ", " (", " [", "?", "*", "<", ">", "|"]
+        bad_hit = bad_sequences.find { |bad| rel_path.include?(bad) }
+        if bad_hit
+          break "path contains illegal character sequence #{bad_hit.inspect} — looks like prose, not a filename"
+        end
+        segment_error = nil
+        rel_path.split("/").each do |seg|
+          next if seg.empty? || seg == "." || seg == ".."
+          if seg.length > 80
+            segment_error = "path segment too long: #{seg[0, 60].inspect}… — use a short filename"
+            break
+          end
+          unless sane_path_segment.match?(seg)
+            segment_error = "path segment #{seg.inspect} contains disallowed characters — stick to [A-Za-z0-9._-]"
+            break
+          end
+        end
+        segment_error
+      end
+
+      # Rewrite bare top-level Tina4-conventional directories into
+      # their `src/<dir>/` canonical form. The framework's
+      # auto-discovery only scans `src/`, so a file at
+      # `templates/foo.twig` is dead weight — the framework never
+      # loads it. Mirrors normalize_coder_path() in the Python agent.
+      normalize_coder_path = lambda do |rel_path|
+        passthrough_prefixes = ["src/", "migrations/", "plan/", "tests/",
+                                "test/", ".tina4/"]
+        passthrough_files = %w[app.py app.ts app.rb index.php composer.json
+                               package.json Gemfile pyproject.toml
+                               requirements.txt .env .env.example]
+        if passthrough_prefixes.any? { |p| rel_path.start_with?(p) }
+          next rel_path
+        end
+        if passthrough_files.include?(rel_path)
+          next rel_path
+        end
+        %w[routes orm templates seeds controllers models middleware].each do |d|
+          if rel_path.start_with?("#{d}/")
+            rewritten = "src/#{rel_path}"
+            agent_log.call("write.path_normalized", "#{rel_path} → #{rewritten}")
+            return rewritten
+          end
+        end
+        rel_path
+      end
+
+      # Copy `target` into `.tina4/backups/` with a timestamped name.
+      # Returns the relative backup path on success, nil on failure.
+      agent_backup = lambda do |target|
+        begin
+          next nil unless File.file?(target)
+          backup_dir = File.join(project_root, ".tina4", "backups")
+          FileUtils.mkdir_p(backup_dir)
+          rel = if target.start_with?("#{project_root}/")
+                  target.sub("#{project_root}/", "")
+                else
+                  File.basename(target)
+                end
+          safe = rel.gsub("/", "__").gsub("\\", "__")
+          ts = Time.now.utc.strftime("%Y-%m-%dT%H-%M-%SZ")
+          backup_name = "#{safe}.#{ts}.bak"
+          backup_path = File.join(backup_dir, backup_name)
+          File.binwrite(backup_path, File.binread(target))
+          ".tina4/backups/#{backup_name}"
+        rescue => e
+          agent_log.call("write.backup_failed", "#{target}: #{e.message}")
+          nil
+        end
+      end
+
       safe_path = lambda do |rel_path|
+        err = looks_like_prose.call(rel_path)
+        raise ArgumentError, "Invalid path #{rel_path.inspect}: #{err}" if err
         resolved = File.expand_path(rel_path, project_root)
         unless resolved.start_with?(project_root)
           raise ArgumentError, "Path escapes project directory: #{rel_path}"
@@ -465,6 +570,52 @@ module Tina4
         resolved
       end
 
+      # Try `ruby -c` on a freshly-written Ruby file to catch syntax
+      # errors BEFORE the next request hits the broken handler.
+      # Mirrors _verify_python_import() in tina4_python/mcp/tools.py.
+      #
+      # Returns nil on success (or when verification is skipped), or
+      # the captured error string on failure. Only checks files under
+      # src/ that end in .rb — skips spec_helper.rb, *_spec.rb, and
+      # test_*.rb because those have their own loading patterns
+      # (mirrors Python's skip of __init__.py / conftest.py / test_*.py).
+      #
+      # Why this matters: the AI coder repeatedly produces Ruby with
+      # unclosed blocks, missing `end`, dangling parens. Running
+      # `ruby -c` right after write catches it inline and surfaces
+      # the real Ruby error in the file_write response — the LLM
+      # sees the error on its next turn and can retry with context.
+      verify_ruby_syntax = lambda do |rel_path|
+        next nil unless rel_path.end_with?(".rb")
+        next nil unless rel_path.start_with?("src/")
+        base = File.basename(rel_path)
+        next nil if base == "spec_helper.rb"
+        next nil if base.end_with?("_spec.rb")
+        next nil if base.start_with?("test_")
+
+        abs_path = File.expand_path(rel_path, project_root)
+        begin
+          stdout, stderr, status = Open3.capture3("ruby", "-c", abs_path)
+        rescue StandardError => e
+          next "verification subprocess failed: #{e.message}"
+        end
+
+        next nil if status.success?
+
+        # Pull the first meaningful stderr line — ruby -c emits
+        # "<file>:<line>: syntax error, ...". Strip the absolute
+        # path prefix for readability.
+        err_lines = (stderr || "").strip.split("\n")
+        if err_lines.empty?
+          next "syntax check failed (exit #{status.exitstatus}, no stderr)"
+        end
+        line = err_lines.first.strip
+        # Strip the absolute project_root prefix so the error reads
+        # as "src/routes/foo.rb:3: syntax error, ..." instead of the
+        # full /Users/... path.
+        line.sub("#{project_root}/", "")
+      end
+
       redact_env = lambda do |key, value|
         sensitive = %w[secret password token key credential api_key]
         if sensitive.any? { |s| key.downcase.include?(s) }
@@ -549,12 +700,55 @@ module Tina4
       }, "Read a project file")
 
       server.register_tool("file_write", lambda { |path:, content:|
+        # 1. Coder-path normalization — rewrite bare top-level Tina4
+        #    directories (templates/, routes/, orm/, ...) into their
+        #    src/ canonical form before resolving.
+        path = normalize_coder_path.call(path)
+        # 2. safe_path runs looks_like_prose then sandbox check.
         p = safe_path.call(path)
+
+        old_bytes = File.file?(p) ? File.binread(p) : ""
+        old_size = old_bytes.bytesize
+        old_lines = old_bytes.count("\n")
+        new_bytes = content.to_s
+        new_size = new_bytes.bytesize
+        new_lines = new_bytes.count("\n")
+        rel = p.start_with?("#{project_root}/") ? p.sub("#{project_root}/", "") : path
+
+        # 3. Truncation guard — refuse suspicious shrinkage on
+        #    non-trivial files (>200B → <30% of size).
+        if old_size > 200 && (new_size * 100) < (old_size * 30)
+          msg = "REFUSED #{rel} (would shrink #{old_size} → #{new_size} bytes / " \
+                "#{old_lines} → #{new_lines} lines, looks truncated)"
+          agent_log.call("write.refused", msg)
+          next { "error" => msg, "refused" => true, "old_bytes" => old_size, "new_bytes" => new_size }
+        end
+
+        # 4. Backup before overwrite.
+        backup_rel = old_size > 0 ? agent_backup.call(p) : nil
+
         FileUtils.mkdir_p(File.dirname(p))
-        File.write(p, content, encoding: "utf-8")
-        rel = p.sub("#{project_root}/", "")
-        { "written" => rel, "bytes" => content.bytesize }
-      }, "Write or update a project file")
+        File.write(p, new_bytes, encoding: "utf-8")
+
+        # 5. Audit log.
+        agent_log.call("write.ok",
+                       "#{rel} (#{old_size}B/#{old_lines}L → #{new_size}B/#{new_lines}L, " \
+                       "backup: #{backup_rel || '(no prior file)'})")
+
+        result = { "written" => rel, "bytes" => new_size }
+        result["backup"] = backup_rel if backup_rel
+
+        # 6. Post-write syntax check — catch hallucinated Ruby
+        #    (missing `end`, unclosed parens, etc.) before the next
+        #    request hits the broken handler.
+        err = verify_ruby_syntax.call(rel)
+        if err
+          result["import_error"] = err
+          agent_log.call("write.import_failed", "#{rel}: #{err}")
+        end
+
+        result
+      }, "Write or update a project file (with backup, truncation guard, audit log)")
 
       server.register_tool("file_list", lambda { |path: "."|
         p = safe_path.call(path)
@@ -706,25 +900,58 @@ module Tina4
 
       # ── File patch ────────────────────────────────────
       server.register_tool("file_patch", lambda { |path:, old_string:, new_string:, count: 1|
+        # 1. Normalize, 2. safe_path (which runs the prose check).
+        path = normalize_coder_path.call(path)
         p = safe_path.call(path)
-        return { "error" => "File not found: #{path}" } unless File.file?(p)
+
+        # 3. Existence check.
+        next { "error" => "File not found: #{path}" } unless File.file?(p)
+
         original = File.read(p, encoding: "utf-8")
         occurrences = original.scan(old_string).size
-        return { "error" => "old_string not found in #{path}" } if occurrences.zero?
+
+        # 4. Match-count guard (already-existing behaviour).
+        next { "error" => "old_string not found in #{path}" } if occurrences.zero?
         if occurrences != count.to_i
-          return { "error" => "old_string appears #{occurrences} times, expected #{count}. Expand old_string to make it unique, or set count explicitly." }
+          next({ "error" => "old_string appears #{occurrences} times, expected #{count}. Expand old_string to make it unique, or set count explicitly." })
         end
+
         updated = original.sub(old_string, new_string)
         # Ruby String#sub replaces first; if count > 1, do N replacements
         if count.to_i > 1
           updated = original.dup
           count.to_i.times { updated.sub!(old_string, new_string) }
         end
+
+        rel = p.start_with?("#{project_root}/") ? p.sub("#{project_root}/", "") : path
+
+        # 5. Backup before overwrite — same path layout as file_write
+        #    so recovery is uniform regardless of which tool touched
+        #    the file.
+        backup_rel = agent_backup.call(p)
+
         File.write(p, updated, encoding: "utf-8")
-        rel = p.sub("#{project_root}/", "")
+
         Tina4::Plan.record_action("patched", rel) if defined?(Tina4::Plan)
-        { "patched" => rel, "replacements" => count.to_i, "bytes" => updated.bytesize }
-      }, "Targeted edit: replace old_string with new_string in a file")
+
+        old_size = original.bytesize
+        new_size = updated.bytesize
+        agent_log.call("patch.ok",
+                       "#{rel} (replaced #{count.to_i}× old_string, " \
+                       "#{old_size}B → #{new_size}B, backup: #{backup_rel || '(none)'})")
+
+        result = { "patched" => rel, "replacements" => count.to_i, "bytes" => new_size }
+        result["backup"] = backup_rel if backup_rel
+
+        # Post-patch syntax check — same rationale as file_write.
+        err = verify_ruby_syntax.call(rel)
+        if err
+          result["import_error"] = err
+          agent_log.call("patch.import_failed", "#{rel}: #{err}")
+        end
+
+        result
+      }, "Targeted edit: replace old_string with new_string in a file (with backup + audit log)")
 
       # ── Docs tools ────────────────────────────────────
       framework_doc_paths = lambda do

data/lib/tina4/plan.rb

@@ -125,23 +125,51 @@ module Tina4
 
       # ── Public API ─────────────────────────────────────────────
 
+      # All plan files — merged from `plan/` (user-curated) and
+      # `.tina4/plans/` (where the Rust supervisor's planner writes).
+      #
+      # Two directories exist because of a historic split: the framework
+      # treats `plan/` as the canonical project location, but the Rust
+      # agent's planner writes to `.tina4/plans/` (alongside other
+      # AI-state artefacts like chat history). Until those are unified we
+      # read both so plans created either way are discoverable. Dedup by
+      # filename — plan/ wins on collision. Sorted newest-first by
+      # filename (filenames start with unix timestamps).
       def list_plans
-        d = plan_dir
         cur = current_name || ""
+        # Order matters for dedup: user-curated plan/ first, then .tina4/plans/.
+        dirs = []
+        primary = File.join(project_root, PLAN_DIR)
+        dirs << primary if Dir.exist?(primary)
+        rust_plans = File.join(project_root, ".tina4", "plans")
+        dirs << rust_plans if Dir.exist?(rust_plans)
+
+        seen = {}
         out = []
-        Dir.glob(File.join(d, "*.md")).sort.each do |path|
-          name = File.basename(path)
-          parsed = parse(File.read(path, encoding: "utf-8"))
-          total = parsed["steps"].size
-          done  = parsed["steps"].count { |s| s["done"] }
-          out << {
-            "name"        => name,
-            "title"       => parsed["title"].to_s.empty? ? File.basename(name, ".md") : parsed["title"],
-            "steps_total" => total,
-            "steps_done"  => done,
-            "is_current"  => name == cur
-          }
+        dirs.each do |dir|
+          Dir.glob(File.join(dir, "*.md")).sort.each do |path|
+            name = File.basename(path)
+            next if seen.key?(name) # plan/ wins over .tina4/plans/ on name clash
+            seen[name] = true
+            parsed = parse(File.read(path, encoding: "utf-8"))
+            total = parsed["steps"].size
+            done  = parsed["steps"].count { |s| s["done"] }
+            out << {
+              "name"        => name,
+              "title"       => parsed["title"].to_s.empty? ? File.basename(name, ".md") : parsed["title"],
+              "steps_total" => total,
+              "steps_done"  => done,
+              "is_current"  => name == cur,
+              # Relative path from project root — lets the SPA open the
+              # right file in the editor regardless of which dir the
+              # plan came from.
+              "path"        => path.sub("#{project_root}/", "")
+            }
+          end
         end
+        # Newest first by name (filenames start with unix timestamps).
+        out.sort_by! { |x| x["name"] }
+        out.reverse!
         out
       end
 

data/lib/tina4/public/__feedback/widget.js

@@ -0,0 +1,96 @@
+(function(){"use strict";(()=>{try{const t=window.location.pathname||"";return t.startsWith("/__dev")||t.startsWith("/__feedback")}catch{return!1}})()?console.info("tina4-feedback-widget: skipping on developer path"):window.__tina4FeedbackLoaded?console.warn("tina4-feedback-widget already loaded; skipping"):(window.__tina4FeedbackLoaded=!0,b());function b(){const c=(getComputedStyle(document.documentElement).getPropertyValue("--primary")||"").trim()||"#3b82f6";h(c);const l=m();document.body.appendChild(l);let e=null,u;const r=[];l.addEventListener("click",()=>{if(e){e.remove(),e=null,l.style.display="";return}e=g(),document.body.appendChild(e),l.style.display="none",setTimeout(()=>e?.querySelector("textarea")?.focus(),0)});function g(){const o=document.createElement("div");o.className="tina4-fb-modal",o.innerHTML=`
+      <div class="tina4-fb-head">
+        <span class="tina4-fb-title">Tell us what's not working</span>
+        <button type="button" class="tina4-fb-close" aria-label="Close">×</button>
+      </div>
+      <div class="tina4-fb-context">
+        <span>📍 ${p(location.pathname+location.search)}</span>
+        <span>📐 ${window.innerWidth}×${window.innerHeight}</span>
+      </div>
+      <div class="tina4-fb-chat" role="log"></div>
+      <form class="tina4-fb-form">
+        <textarea
+          rows="3"
+          placeholder="What's hard to use here? Be specific — which field, which button, what you expected."
+          aria-label="Feedback message"
+        ></textarea>
+        <button type="submit" class="tina4-fb-send">Send</button>
+      </form>
+    `,o.querySelector(".tina4-fb-close")?.addEventListener("click",()=>{o.remove(),e=null,l.style.display=""});const a=o.querySelector("form");return a.addEventListener("submit",n=>{n.preventDefault();const i=a.querySelector("textarea"),f=i.value.trim();f&&(i.value="",x(f))}),s(o),o}function s(o){const a=o.querySelector(".tina4-fb-chat");if(a){if(!r.length){a.innerHTML=`<div class="tina4-fb-hint">Your feedback lands directly with the team — no email loop. We'll ask a quick follow-up if we need to.</div>`;return}a.innerHTML=r.map(n=>`<div class="tina4-fb-msg ${n.role==="user"?"tina4-fb-user":"tina4-fb-ai"}">${p(n.text)}</div>`).join(""),a.scrollTop=a.scrollHeight}}async function x(o){if(!e)return;r.push({role:"user",text:o}),s(e),d(e,!0);const a={message:o,context:{url:location.pathname+location.search,viewport:`${window.innerWidth}x${window.innerHeight}`,ua:navigator.userAgent},conversation_id:u};let n;try{const i=await fetch("/__feedback/api/turn",{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(a)});if(n=await i.json(),!i.ok){const f=n?.error||`HTTP ${i.status}`;r.push({role:"ai",text:`Couldn't send: ${f}`}),s(e),d(e,!1);return}}catch(i){r.push({role:"ai",text:`Network issue: ${i?.message||i}`}),s(e),d(e,!1);return}if("ask"in n)u=n.conversation_id,r.push({role:"ai",text:n.ask}),s(e),d(e,!1),e?.querySelector("textarea")?.focus();else if("final"in n)r.push({role:"ai",text:`Thanks — filed as: "${n.final.title}". The team will take it from here.`}),s(e),d(e,!1),u=void 0,r.length=0,setTimeout(()=>{e?.remove(),e=null,l.style.display=""},4500);else{const i=n?.error||"unexpected response";r.push({role:"ai",text:`Issue: ${i}`}),s(e),d(e,!1)}}function d(o,a){const n=o.querySelector(".tina4-fb-send"),i=o.querySelector("textarea");n&&(n.disabled=a,n.textContent=a?"Sending…":"Send"),i&&(i.disabled=a)}}function m(){const t=document.createElement("button");return t.type="button",t.className="tina4-fb-btn",t.setAttribute("aria-label","Send feedback"),t.innerHTML="💬",t.title="Tell us what's not working",t}function h(t){const c=document.createElement("style");c.id="tina4-fb-styles",c.textContent=`
+    .tina4-fb-btn {
+      position: fixed; bottom: 1.25rem; right: 1.25rem;
+      width: 48px; height: 48px; border-radius: 50%; border: none;
+      background: ${t}; color: white; font-size: 1.4rem;
+      box-shadow: 0 4px 12px rgba(0,0,0,0.18); cursor: pointer;
+      z-index: 2147483646; transition: transform 0.15s, box-shadow 0.15s;
+      display: flex; align-items: center; justify-content: center;
+      line-height: 1; padding: 0;
+    }
+    .tina4-fb-btn:hover { transform: scale(1.06); box-shadow: 0 6px 16px rgba(0,0,0,0.22); }
+    .tina4-fb-btn:active { transform: scale(0.96); }
+    .tina4-fb-modal {
+      position: fixed; bottom: 5rem; right: 1.25rem;
+      width: 340px; max-height: 480px; display: flex; flex-direction: column;
+      background: #1e1e2e; color: #cdd6f4;
+      border: 1px solid #313244; border-radius: 8px;
+      box-shadow: 0 8px 32px rgba(0,0,0,0.35);
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif;
+      font-size: 0.85rem; z-index: 2147483647;
+      animation: tina4-fb-in 0.18s ease-out;
+    }
+    @keyframes tina4-fb-in {
+      from { opacity: 0; transform: translateY(8px); }
+      to   { opacity: 1; transform: translateY(0); }
+    }
+    .tina4-fb-head {
+      display: flex; align-items: center; justify-content: space-between;
+      padding: 0.6rem 0.8rem; border-bottom: 1px solid #313244;
+    }
+    .tina4-fb-title { font-weight: 600; font-size: 0.9rem; }
+    .tina4-fb-close {
+      background: transparent; border: none; color: #9399b2;
+      font-size: 1.4rem; line-height: 1; cursor: pointer; padding: 0 0.2rem;
+    }
+    .tina4-fb-close:hover { color: #cdd6f4; }
+    .tina4-fb-context {
+      display: flex; gap: 0.6rem; padding: 0.4rem 0.8rem;
+      font-size: 0.7rem; color: #9399b2;
+      border-bottom: 1px solid #313244;
+      font-family: ui-monospace, "SF Mono", Menlo, monospace;
+    }
+    .tina4-fb-chat {
+      flex: 1; overflow-y: auto; padding: 0.5rem 0.8rem;
+      display: flex; flex-direction: column; gap: 0.4rem;
+      min-height: 80px; max-height: 280px;
+    }
+    .tina4-fb-hint {
+      font-size: 0.75rem; color: #9399b2; line-height: 1.4; padding: 0.3rem 0;
+    }
+    .tina4-fb-msg {
+      padding: 0.4rem 0.6rem; border-radius: 6px;
+      max-width: 85%; word-wrap: break-word; line-height: 1.35;
+    }
+    .tina4-fb-user { align-self: flex-end; background: ${t}; color: white; }
+    .tina4-fb-ai   { align-self: flex-start; background: #313244; }
+    .tina4-fb-form {
+      display: flex; flex-direction: column; gap: 0.4rem;
+      padding: 0.5rem 0.8rem 0.8rem; border-top: 1px solid #313244;
+    }
+    .tina4-fb-form textarea {
+      width: 100%; box-sizing: border-box; resize: vertical;
+      min-height: 60px; font-family: inherit; font-size: 0.82rem;
+      padding: 0.4rem 0.5rem; border: 1px solid #313244;
+      background: #11111b; color: #cdd6f4; border-radius: 4px;
+      line-height: 1.3;
+    }
+    .tina4-fb-form textarea:focus {
+      outline: none; border-color: ${t};
+    }
+    .tina4-fb-send {
+      align-self: flex-end; padding: 0.35rem 0.9rem;
+      background: ${t}; color: white; border: none; border-radius: 4px;
+      font-size: 0.8rem; font-weight: 500; cursor: pointer;
+    }
+    .tina4-fb-send:disabled { opacity: 0.55; cursor: wait; }
+    .tina4-fb-send:hover:not(:disabled) { filter: brightness(1.1); }
+  `,document.head.appendChild(c)}function p(t){return t.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;").replace(/'/g,"&#39;")}})();

data/lib/tina4/rack_app.rb

@@ -75,6 +75,15 @@ module Tina4
         return dev_response if dev_response
       end
 
+      # Customer feedback widget routes (parity with Python's /__feedback/*
+      # surface — see tina4/feedback.rb). Always available — the master
+      # switch (TINA4_ENABLE_FEEDBACK) is enforced INSIDE handle_request
+      # so route shape stays stable across environments.
+      if path.start_with?("/__feedback")
+        fb_response = Tina4::Feedback.handle_request(env)
+        return fb_response if fb_response
+      end
+
       # Fast-path: API routes skip static file + swagger checks entirely
       unless path.start_with?("/api/")
         # Swagger
@@ -163,6 +172,33 @@ module Tina4
         end
       end
 
+      # Customer feedback widget injection — runs LAST so its <script>
+      # tag survives any earlier post-processing. No-op if disabled
+      # (TINA4_ENABLE_FEEDBACK off), the user isn't whitelisted, the
+      # path is /__dev or /__feedback, or the body isn't text/html with
+      # a closing </body> tag. Mirrors Python's server.py call site —
+      # see tina4_python/core/server.py around line 1543.
+      begin
+        status, headers, body_parts = rack_response
+        content_type = headers["content-type"] || ""
+        if content_type.include?("text/html") && body_parts.respond_to?(:join)
+          joined = body_parts.join
+          if joined.include?("</body>")
+            injected = Tina4::Feedback.inject_feedback_widget(
+              Struct.new(:path, :env).new(path, env),
+              joined
+            )
+            if injected != joined
+              new_headers = headers.dup
+              new_headers["content-length"] = injected.bytesize.to_s if new_headers["content-length"]
+              rack_response = [status, new_headers, [injected]]
+            end
+          end
+        end
+      rescue StandardError
+        # Injection is best-effort — never break the response.
+      end
+
       # Save session and set cookie if session was used
       if result && defined?(rack_response)
         status, headers, body_parts = rack_response

data/lib/tina4/request.rb

@@ -75,13 +75,17 @@ module Tina4
       @body_parsed = nil
     end
 
-    # Full URL reconstruction
+    # Full absolute URL — scheme://host[:port]/path[?query].
+    # Honours X-Forwarded-Proto / X-Forwarded-Host so apps behind a proxy
+    # still see the URL the client used. Matches Python/PHP/Node parity.
     def url
-      scheme = env["rack.url_scheme"] || "http"
-      host = env["HTTP_HOST"] || env["SERVER_NAME"] || "localhost"
+      scheme = env["HTTP_X_FORWARDED_PROTO"] || env["rack.url_scheme"] || "http"
+      host = env["HTTP_X_FORWARDED_HOST"] || env["HTTP_HOST"] || env["SERVER_NAME"] || "localhost"
       port = env["SERVER_PORT"]
       url_str = "#{scheme}://#{host}"
-      url_str += ":#{port}" if port && port != "80" && port != "443"
+      # Only append :port when the host doesn't already include one
+      # (HTTP_HOST often does) and it's not the default for the scheme.
+      url_str += ":#{port}" if port && !host.include?(":") && port.to_s != "80" && port.to_s != "443"
       url_str += @path
       url_str += "?#{@query_string}" unless @query_string.empty?
       url_str

data/lib/tina4/router.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "fileutils"
+require "json"
+
 module Tina4
   class Route
     attr_reader :method, :path, :handler, :auth_handler, :swagger_meta,
@@ -438,17 +441,79 @@ module Tina4
         GroupContext.new(prefix, auth_handler, middleware).instance_eval(&block)
       end
 
-      # Load route files from a directory (file-based route discovery)
+      # Load route files from a directory (file-based route discovery).
+      #
+      # Idempotent: files already loaded by a previous call are skipped, so
+      # calling load_routes repeatedly (e.g. on /__dev/api/reload) only
+      # picks up NEW files. Records the directory so #rescan_routes! can
+      # re-run without re-passing it.
       def load_routes(directory)
         return unless Dir.exist?(directory)
-        Dir.glob(File.join(directory, "**/*.rb")).sort.each do |file|
+
+        @loaded_route_files ||= {}
+        @last_routes_dir = directory
+
+        files = Dir.glob(File.join(directory, "**/*.rb")).sort
+        total = files.length
+        files.each do |file|
+          next if @loaded_route_files[file]
           begin
             load file
+            @loaded_route_files[file] = true
             Tina4::Log.debug("Route loaded: #{file}")
-          rescue => e
+          rescue ScriptError, StandardError => e
+            # ScriptError catches SyntaxError, which is NOT a StandardError —
+            # a bare `rescue => e` would let a syntax-broken route file crash
+            # the whole discovery pass.
             Tina4::Log.error("Failed to load route #{file}: #{e.message}")
+            record_broken_route_import(file, e)
           end
         end
+
+        # Zero-routes warning — src/routes/ has .rb files but the router
+        # is still empty. Almost certainly the user forgot Tina4::Router.get.
+        if total > 0 && routes.empty?
+          Tina4::Log.warning(
+            "Auto-discover found #{total} .rb file(s) in #{directory} but no routes registered. " \
+            "Each route file must call Tina4::Router.get / .post / etc."
+          )
+        end
+      end
+
+      # Re-run the most recent load_routes — called by /__dev/api/reload so
+      # files dropped into src/routes/ after server boot get picked up
+      # without a restart. No-op if load_routes has never been called.
+      def rescan_routes!
+        return [] if @last_routes_dir.nil? || @last_routes_dir.empty?
+        before = routes.length
+        load_routes(@last_routes_dir)
+        added = routes.length - before
+        Tina4::Log.info("Re-discovered #{added} new route(s) on reload") if added.positive?
+        added
+      end
+
+      # Test-only helper — reset the loaded-files state so tests can scan
+      # the same directory multiple times with different file contents.
+      def reset_route_discovery!
+        @loaded_route_files = {}
+        @last_routes_dir = nil
+      end
+
+      # Write a .broken sentinel so /health and the dev dashboard surface
+      # auto-discover failures instead of swallowing them into a log line.
+      def record_broken_route_import(file, error)
+        broken_dir = File.join(Dir.pwd, "data", ".broken")
+        FileUtils.mkdir_p(broken_dir) unless Dir.exist?(broken_dir)
+        slug = file.gsub(%r{[/\\]}, "_")
+        payload = JSON.generate(
+          type: "auto_discover_failure",
+          file: file,
+          error: "#{error.class}: #{error.message}"
+        )
+        File.write(File.join(broken_dir, "discover_#{slug}.broken"), payload)
+      rescue StandardError
+        # If the .broken write itself fails, the original error is already
+        # in the log — nothing more to do.
       end
     end
 

data/lib/tina4/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Tina4
-  VERSION = "3.12.9"
+  VERSION = "3.12.13"
 end

data/lib/tina4.rb

@@ -44,6 +44,7 @@ require_relative "tina4/events"
 require_relative "tina4/plan"
 require_relative "tina4/project_index"
 require_relative "tina4/dev_admin"
+require_relative "tina4/feedback"
 require_relative "tina4/messenger"
 require_relative "tina4/dev_mailbox"
 require_relative "tina4/ai"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tina4ruby
 version: !ruby/object:Gem::Version
-  version: 3.12.9
+  version: 3.12.13
 platform: ruby
 authors:
 - Tina4 Team
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-05-13 00:00:00.000000000 Z
+date: 2026-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -306,6 +306,7 @@ files:
 - lib/tina4/env.rb
 - lib/tina4/error_overlay.rb
 - lib/tina4/events.rb
+- lib/tina4/feedback.rb
 - lib/tina4/field_types.rb
 - lib/tina4/frond.rb
 - lib/tina4/gallery/auth/meta.json
@@ -337,6 +338,7 @@ files:
 - lib/tina4/orm.rb
 - lib/tina4/plan.rb
 - lib/tina4/project_index.rb
+- lib/tina4/public/__feedback/widget.js
 - lib/tina4/public/css/tina4.css
 - lib/tina4/public/css/tina4.min.css
 - lib/tina4/public/favicon.ico