tina4ruby 3.13.38 → 3.13.39

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6ed3d68931d97c88f7d7ea9128420ce4b531da04f47536c3f64abac71f3edbb3
-  data.tar.gz: 4124c02d8ddefcb645eee1d5a52ddef31a4e2ebeecfd11fe81b7999a3784802a
+  metadata.gz: 62dc42240a6abd35572f17207f42c631ebf2c36cc73b94adad4b163b3a2924a5
+  data.tar.gz: e9ea35e0aad4bee25bc42f7ee7a37973144265ed538b5e6127e5a546278a62cf
 SHA512:
-  metadata.gz: 6a5f5f009385d5e4ce97d0289db83d2d60d1bb2410019c88892fe5f6c22fc2c358654021965ebe4a8b2d159ac7958dd6b57ba41c8b879cf385cc6632428666c5
-  data.tar.gz: 4a7d3a41ce8ca5e8283318d487745b90c726e03c648c4480807c8e2fd40910d7472e5371e0c910ef6e68e914d057d65faaa4955efaf585bc93d84919ac567de6
+  metadata.gz: 58cf9b41857e5905b5eeda37a6881f812aad230a12533051d4510724222453f344ae1a0e05120e915a69450a05788dad7468eb1b99925e44a5bd8a625dca4c59
+  data.tar.gz: 8ff5447f091aafe2ff0a06c7e23a8f7838190545ec96f99bc2329753ee0a9ed0714cc1a7293d127805efe504552293fbb6f08e3fa7651e8423998cc8939869f5

data/README.md

@@ -2,7 +2,7 @@
   <img src="https://tina4.com/logo.svg" alt="Tina4" width="200">
 </p>
 <h1 align="center">Tina4 Ruby</h1>
-<h3 align="center">TINA4 — The Intelligent Native Application 4ramework</h3>
+<h3 align="center">TINA4: The Intelligent Native Application 4ramework</h3>
 <p align="center"><em>Simple. Fast. Human. &nbsp;|&nbsp; Built for AI. Built for you.</em></p>
 <p align="center">55 built-in features. Zero runtime dependencies. One require, everything works.</p>
 <p align="center">
@@ -18,7 +18,7 @@
 ## Quick Start
 
 ```bash
-# With the Tina4 CLI (recommended — enables SCSS + live reload)
+# With the Tina4 CLI (recommended, enables SCSS + live reload)
 cargo install tina4    # or grab a binary from https://github.com/tina4stack/tina4/releases
 tina4 init ruby ./my-app
 cd my-app && tina4 serve
@@ -56,12 +56,12 @@ db = Tina4::Database.new("sqlite://app.db")
 | Category | Features |
 |----------|----------|
 | **Core HTTP** (7) | Router with path params (`{id:int}`, `{p:path}`), Server, Request/Response, Middleware pipeline, Static file serving, CORS |
-| **Database** (6) | SQLite, PostgreSQL, MySQL, MSSQL, Firebird — unified adapter, connection pooling, query cache, transactions, race-safe ID generation, SQL dialect translation |
+| **Database** (6) | SQLite, PostgreSQL, MySQL, MSSQL, Firebird: unified adapter, connection pooling, query cache, transactions, race-safe ID generation, SQL dialect translation |
 | **ORM** (7) | Active Record with typed fields, relationships (`has_one`/`has_many`/`belongs_to`), soft delete, QueryBuilder + MongoDB support, Auto-CRUD generator, migrations with rollback |
 | **Auth & Security** (5) | JWT (HS256/RS256), password hashing (PBKDF2-SHA256), API key validation, rate limiting, CSRF form tokens |
 | **Templating** (3) | Frond engine (Twig/Jinja2-compatible, pre-compiled 2.8× faster), SCSS auto-compilation, built-in CSS (~24 KB) |
 | **API & Integration** (5) | HTTP client (zero-dep), GraphQL with ORM auto-schema + GraphiQL IDE, WSDL/SOAP with auto WSDL, WebSocket (RFC 6455) + Redis backplane, MCP server (24 dev tools) |
-| **Background** (3) | Job queue (File/RabbitMQ/Kafka/MongoDB) with priority, delay, retry, dead letters — service runner — event system (on/emit/once/off) |
+| **Background** (3) | Job queue (File/RabbitMQ/Kafka/MongoDB) with priority, delay, retry, dead letters; service runner; event system (on/emit/once/off) |
 | **Data & Storage** (4) | Session (File/Redis/Valkey/MongoDB/DB), response cache (LRU, TTL), seeder + 50+ fake data generators, messenger (SMTP/IMAP) |
 | **Developer Tools** (7) | Dev dashboard (11 tabs), dev toolbar, error overlay (Catppuccin Mocha), dev mailbox, hot reload + CSS hot-reload, code metrics (complexity, coupling, maintainability), AI context installer (7 tools) |
 | **Utilities** (7) | DI container (transient + singleton), HtmlElement builder, inline testing (`@tests` decorator), i18n (6 languages), Swagger/OpenAPI auto-generation, CLI scaffolding (`generate model/route/migration/middleware`), structured logging |
@@ -84,14 +84,14 @@ tina4ruby generate model <name>
 
 ## Performance
 
-Benchmarked with `wrk` — 5,000 requests, 50 concurrent, median of 3 runs:
+Benchmarked with `wrk`: 5,000 requests, 50 concurrent, median of 3 runs:
 
 | Framework | JSON req/s | Deps | Features |
 |-----------|-----------|------|----------|
 | **Tina4 Ruby** | **10,243** | 0 | 55 |
 | Sinatra | 9,548 | 5+ | ~4 |
 
-Tina4 Ruby outperforms Sinatra while delivering **55 features vs ~4** — with zero runtime dependencies.
+Tina4 Ruby outperforms Sinatra while delivering **55 features vs ~4**, with zero runtime dependencies.
 
 **Across all 4 Tina4 implementations:**
 
@@ -105,7 +105,7 @@ Tina4 Ruby outperforms Sinatra while delivering **55 features vs ~4** — with z
 
 ## Cross-Framework Parity
 
-Tina4 ships identical features across four languages — same architecture, same conventions, same 55 features:
+Tina4 ships identical features across four languages: same architecture, same conventions, same 55 features:
 
 | | Python | PHP | Ruby | Node.js |
 |---|--------|-----|------|---------|

data/lib/tina4/api.rb

@@ -1,10 +1,17 @@
 # frozen_string_literal: true
 require "net/http"
+require "openssl"
 require "uri"
 require "json"
 require "base64"
 
 module Tina4
+  # Statuses that warrant an automatic retry when max_retries > 0: rate-limit
+  # (429) plus the transient server-side 5xx family. 4xx client errors (401,
+  # 404, …) are NOT retried — a repeat won't succeed. Parity with the Python
+  # master's _RETRY_STATUSES.
+  API_RETRY_STATUSES = [429, 500, 502, 503, 504].freeze
+
   class API
     attr_reader :base_url, :headers
 
@@ -18,9 +25,16 @@ module Tina4
     #     api = Tina4::API.new("https://self-signed.local", verify_ssl: false)
     #
     # Bearer wins over basic-auth when both are passed.
+    #
+    # 3.13.39: +max_retries / +retry_backoff enable opt-in automatic retry with
+    # exponential backoff (default max_retries: 0 = off, non-breaking) on a
+    # transport error (APIResponse#status == 0) or a retryable status
+    # (429/5xx). A retried non-idempotent request (POST/PUT/PATCH/DELETE) may be
+    # re-sent — retries are opt-in for exactly that reason. Parity with the
+    # Python master.
     def initialize(base_url, headers: {}, timeout: 30,
                    bearer_token: nil, username: nil, password: nil,
-                   verify_ssl: nil)
+                   verify_ssl: nil, max_retries: 0, retry_backoff: 0.5)
       @base_url = base_url.chomp("/")
       @headers = {
         "Content-Type" => "application/json",
@@ -28,6 +42,8 @@ module Tina4
       }.merge(headers)
       @timeout = timeout
       @verify_ssl = verify_ssl
+      @max_retries = [0, max_retries.to_i].max
+      @retry_backoff = retry_backoff.to_f
 
       # Bearer wins over basic-auth when both passed
       if bearer_token
@@ -142,9 +158,35 @@ module Tina4
       end
     end
 
+    # Execute the request with opt-in retry/backoff. Returns an APIResponse.
+    #
+    # With @max_retries > 0, a transport error (APIResponse#status == 0, the
+    # existing error sentinel) or a retryable status (429/5xx) is retried up to
+    # @max_retries times with exponential backoff (@retry_backoff seconds base,
+    # doubling each attempt); any other outcome (2xx, 3xx, other 4xx) returns at
+    # once. Parity with the Python master's _request.
     def execute(uri, request)
+      attempts = @max_retries + 1
+      response = nil
+      (0...attempts).each do |attempt|
+        response = attempt_request(uri, request)
+        code = response.status
+        retryable = code.zero? || API_RETRY_STATUSES.include?(code)
+        return response if !retryable || attempt == attempts - 1
+
+        sleep(@retry_backoff * (2**attempt))
+      end
+      response
+    end
+
+    # A single HTTP attempt. Returns the standardized APIResponse.
+    def attempt_request(uri, request)
       http = Net::HTTP.new(uri.host, uri.port)
       http.use_ssl = uri.scheme == "https"
+      # 3.13.39: honour verify_ssl: false (the dead-since-3.13.1 kwarg). Only
+      # disable verification when EXPLICITLY false — nil/true keep the secure
+      # default (OpenSSL::SSL::VERIFY_PEER).
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @verify_ssl == false
       http.open_timeout = @timeout
       http.read_timeout = @timeout
 

data/lib/tina4/cli.rb

@@ -287,6 +287,10 @@ module Tina4
             status_icon = r[:status] == "success" ? "OK" : "FAIL"
             puts "  [#{status_icon}] #{r[:name]}"
           end
+          # FAIL-FAST: a failed migration must give CI a non-zero exit (parity
+          # with the Python master). Only the startup auto-migration hook
+          # swallows failures; the explicit CLI does not.
+          exit 1 if results.any? { |r| r[:status] == "failed" }
         end
       end
     end

data/lib/tina4/database.rb

@@ -255,6 +255,17 @@ module Tina4
         end
       end
 
+      # Autocommit is ON by default — parity with Python/PHP/Node. A standalone
+      # write (execute/insert/update/delete made OUTSIDE an explicit
+      # start_transaction()/commit() block) commits on its own connection before
+      # returning, so a write actually persists. An UNSET TINA4_AUTOCOMMIT is
+      # treated as TRUE; set TINA4_AUTOCOMMIT=false for strict manual mode (every
+      # write needs an explicit commit). Inside an explicit transaction the
+      # framework-issued commit is suppressed (gated on the thread tx-pin), so
+      # explicit transactions stay atomic. Mirrors Python's
+      # DatabaseAdapter._autocommit ("true"/"1"/"yes", default "true").
+      @autocommit = truthy?(ENV.fetch("TINA4_AUTOCOMMIT", "true"))
+
       # Register this connection so Tina4::Database.reset_request_caches can
       # clear its request-scoped entries at the start of every HTTP request.
       Tina4::Database.register_instance(self)
@@ -282,10 +293,11 @@ module Tina4
       @driver.connect(@connection_string, username: @username, password: @password)
       @connected = true
 
-      # Enable autocommit if TINA4_AUTOCOMMIT env var is set
-      if truthy?(ENV["TINA4_AUTOCOMMIT"]) && @driver.respond_to?(:autocommit=)
-        @driver.autocommit = true
-      end
+      # Push the resolved autocommit setting down to the driver when it exposes a
+      # native toggle (default ON — see @autocommit in #initialize). The
+      # framework-level commit in #autocommit_standalone_write covers drivers
+      # that have no native setter.
+      @driver.autocommit = @autocommit if @driver.respond_to?(:autocommit=)
 
       Tina4::Log.info("Database connected: #{@driver_name}")
     rescue => e
@@ -488,7 +500,9 @@ module Tina4
       placeholders = drv.placeholders(columns.length)
       sql = "INSERT INTO #{table} (#{columns.join(', ')}) VALUES (#{placeholders})"
       drv.execute(sql, data.values)
-      { success: true, last_id: drv.last_insert_id }
+      last_id = drv.last_insert_id
+      autocommit_standalone_write(drv)
+      { success: true, last_id: last_id }
     end
 
     def update(table, data, filter = {}, params = nil)
@@ -501,6 +515,7 @@ module Tina4
         sql = "UPDATE #{table} SET #{set_parts.join(', ')}"
         sql += " WHERE #{filter}" unless filter.empty?
         drv.execute(sql, data.values + Array(params))
+        autocommit_standalone_write(drv)
         return { success: true }
       end
 
@@ -510,6 +525,7 @@ module Tina4
       sql += " WHERE #{where_parts.join(' AND ')}" unless filter.empty?
       values = data.values + filter.values
       drv.execute(sql, values)
+      autocommit_standalone_write(drv)
       { success: true }
     end
 
@@ -528,6 +544,7 @@ module Tina4
         sql = "DELETE FROM #{table}"
         sql += " WHERE #{filter}" unless filter.empty?
         drv.execute(sql, Array(params))
+        autocommit_standalone_write(drv)
         return { success: true }
       end
 
@@ -536,6 +553,7 @@ module Tina4
       sql = "DELETE FROM #{table}"
       sql += " WHERE #{where_parts.join(' AND ')}" unless filter.empty?
       drv.execute(sql, filter.values)
+      autocommit_standalone_write(drv)
       { success: true }
     end
 
@@ -582,8 +600,10 @@ module Tina4
     # or a clean { error: } payload respectively.
     def execute(sql, params = [])
       cache_invalidate if @cache_enabled
-      result = current_driver.execute(sql, params)
+      drv = current_driver
+      result = drv.execute(sql, params)
       @last_error = nil
+      autocommit_standalone_write(drv)
       sql_upper = sql.strip.upcase
       if sql_upper.include?("RETURNING") || sql_upper.start_with?("CALL ") ||
          sql_upper.start_with?("EXEC ") || sql_upper.start_with?("SELECT ")
@@ -1104,6 +1124,31 @@ module Tina4
       %w[true 1 yes on].include?((val || "").to_s.strip.downcase)
     end
 
+    # Durability: commit a standalone write so it actually persists.
+    #
+    # Called after a write (execute/insert/update/delete) issued OUTSIDE an
+    # explicit transaction. The commit is suppressed when autocommit is off
+    # (TINA4_AUTOCOMMIT=false, strict manual mode) OR when a transaction is open
+    # on this thread (the thread tx-pin is set) — so an explicit
+    # start_transaction()/commit() block stays atomic and is never broken up by
+    # a per-statement commit. A commit with no transaction in progress is a
+    # harmless no-op on every engine (SQLite swallows the specific
+    # "no transaction is active" error in its driver; PostgreSQL/MySQL/MSSQL emit
+    # at most a benign warning), so this never raises in the common case. Mirrors
+    # the `not self._in_transaction and self.autocommit` gate in the Python
+    # master and PHP's `autoCommit && transaction === null`.
+    def autocommit_standalone_write(drv)
+      return unless @autocommit
+      return unless Thread.current[@tx_pin_key].nil?
+
+      drv.commit
+    rescue StandardError => e
+      # A standalone write already succeeded; a follow-up commit failure here
+      # must not mask that. Capture for #get_error and log, but don't raise.
+      @last_error = e.message
+      Tina4::Log.warning("autocommit commit after standalone write failed: #{e.message}")
+    end
+
     # "persistent" / "request" / "off" — mirrors Python connection.py.
     def cache_mode
       if @cache_persistent

data/lib/tina4/dev_admin.rb

@@ -312,6 +312,19 @@ module Tina4
         @error_tracker ||= ErrorTracker.new
       end
 
+      # Drop the lazily-memoized dev singletons so the next access rebuilds
+      # them from the CURRENT environment. The mailbox in particular resolves
+      # its directory from `TINA4_MAILBOX_DIR`/`data/mailbox` at construction
+      # time, so a singleton built under one env must not leak into a later
+      # caller (or test) running under a different env. Safe to call anytime —
+      # it only nils the caches.
+      def reset_singletons!
+        @message_log = nil
+        @request_inspector = nil
+        @mailbox = nil
+        @error_tracker = nil
+      end
+
       def enabled?
         Tina4::Env.is_truthy(ENV["TINA4_DEBUG"])
       end
@@ -637,13 +650,16 @@ module Tina4
           body = read_json_body(env) || {}
           json_response(mcp_tool_call(body))
         # JSON-RPC + SSE endpoints that real MCP clients (Claude Code/Desktop)
-        # speak. Mounted on the same dispatch as the REST shim above and gated
-        # on the same enabled? (TINA4_DEBUG) check, so disabled → 404. They
+        # speak. The dev tools expose powerful ops (DB query, file read/WRITE,
+        # route listing), so beyond the dev-toolbar's TINA4_DEBUG check they are
+        # gated on Tina4.mcp_enabled? — explicit TINA4_MCP wins on any host, else
+        # dev auto-enable is LOCALHOST-ONLY unless TINA4_MCP_REMOTE=true. Not
+        # enabled → falls through to the `else` (nil), so RackApp 404s it. They
         # share the default MCP server's tool registry with the REST shim.
         when ["POST", "/__dev/mcp"], ["POST", "/__dev/mcp/message"]
-          mcp_jsonrpc(env)
+          Tina4.mcp_enabled? ? mcp_jsonrpc(env) : nil
         when ["GET", "/__dev/mcp/sse"]
-          mcp_sse_handshake
+          Tina4.mcp_enabled? ? mcp_sse_handshake : nil
         when ["GET", "/__dev/api/scaffold"]
           json_response(scaffold_templates)
         when ["POST", "/__dev/api/scaffold/run"]

data/lib/tina4/field_types.rb

@@ -20,8 +20,11 @@ module Tina4
           @table_name = name
         else
           base = self.name.split("::").last.downcase
-          # Pluralize by default (add "s") unless ORM_PLURAL_TABLE_NAMES is explicitly disabled
-          unless ENV.fetch("TINA4_ORM_PLURAL_TABLE_NAMES", "").match?(/\A(false|0|no)\z/i)
+          # Pluralization is OFF by default (canonical, matching the Python
+          # master): the table name is the bare class name lowercased. Opt in by
+          # setting TINA4_ORM_PLURAL_TABLE_NAMES to a truthy value (true/1/yes/on)
+          # to append "s".
+          if ENV.fetch("TINA4_ORM_PLURAL_TABLE_NAMES", "").match?(/\A(true|1|yes|on)\z/i)
             base += "s" unless base.end_with?("s")
           end
           @table_name || base

data/lib/tina4/log.rb

@@ -12,11 +12,12 @@ module Tina4
       "[TINA4_LOG_INFO]" => 1,
       "[TINA4_LOG_WARNING]" => 2,
       "[TINA4_LOG_ERROR]" => 3,
-      "[TINA4_LOG_NONE]" => 4
+      "[TINA4_LOG_CRITICAL]" => 4,
+      "[TINA4_LOG_NONE]" => 5
     }.freeze
 
     SEVERITY_MAP = {
-      debug: 0, info: 1, warn: 2, error: 3
+      debug: 0, info: 1, warn: 2, error: 3, critical: 4
     }.freeze
 
     COLORS = {
@@ -65,15 +66,36 @@ module Tina4
         @format = format_env && !format_env.empty? ? format_env.downcase : (production? ? "json" : "text")
         @json_mode = @format == "json"
 
-        # TINA4_LOG_OUTPUT — "stdout", "file", or "both". Defaults to "both".
+        # TINA4_LOG_OUTPUT — "stdout", "file", or "both".
+        #
+        # Default (UNSET): stdout is ALWAYS on. The log FILE (tina4.log + any
+        # error log) is written ONLY in development — i.e. when TINA4_DEBUG is
+        # truthy. In production / containers (TINA4_DEBUG falsy) the logger is
+        # stdout-only: writing a log file inside a container just bloats the
+        # writable layer + disk, and 12-factor wants logs on stdout for the
+        # platform to capture. An explicit TINA4_LOG_OUTPUT=file/both (or an
+        # explicit TINA4_LOG_FILE path) overrides this and STILL writes a file.
+        # Mirrors the Python master (debug/__init__.py configure()).
+        # An explicit TINA4_LOG_FILE always wins: a path the operator named must
+        # be written even in production (parity with the Python master, where an
+        # explicit log_file builds a writer unconditionally), so the dev-gated
+        # default below resolves to "both" (stdout + file) rather than "stdout".
+        explicit_file = !(log_file_env.nil? || log_file_env.empty?)
+        default_output = if explicit_file || truthy?(ENV["TINA4_DEBUG"])
+                           "both"
+                         else
+                           "stdout"
+                         end
         output_env = ENV["TINA4_LOG_OUTPUT"]
-        @output = output_env && !output_env.empty? ? output_env.downcase : "both"
-        unless %w[stdout file both].include?(@output)
-          @output = "both"
-        end
+        @output = if output_env && !output_env.empty?
+                    output_env.downcase
+                  else
+                    default_output
+                  end
+        @output = default_output unless %w[stdout file both].include?(@output)
 
-        # TINA4_LOG_CRITICAL — when true, raise on log write failures instead of swallowing.
-        @critical = truthy?(ENV["TINA4_LOG_CRITICAL"])
+        # TINA4_LOG_STRICT — when true, raise on log write failures instead of swallowing.
+        @strict = truthy?(ENV["TINA4_LOG_STRICT"])
 
         @console_level = resolve_level
         @request_id = nil
@@ -122,6 +144,28 @@ module Tina4
         @json_mode
       end
 
+      # Would a message at `level` pass the configured MINIMUM CONSOLE LEVEL
+      # (TINA4_LOG_LEVEL)? Returns true iff `log` would print it to stdout —
+      # it reflects CONSOLE visibility only. The log FILE records every level
+      # regardless of this threshold, so this never gates file output.
+      #
+      # `level` accepts a String or Symbol and is case-insensitive
+      # ("INFO", :info, "Warning", :warning all work). Mirrors Python's
+      # Log.is_enabled. It REUSES the exact severity >= @console_level
+      # comparison the console branch in `log` uses (line ~167) via
+      # SEVERITY_MAP / resolve_level — it never re-implements level
+      # comparison, so it can never disagree with what the logger prints.
+      #
+      # "critical" is a FIRST-CLASS top-level severity (4 — above error 3),
+      # not a parity alias for error. It is evaluated with ordinary threshold
+      # logic (critical 4 >= @console_level), so it passes at every level
+      # except none (5) — matching the Python master.
+      def enabled?(level)
+        sym = normalize_level(level)
+        severity = SEVERITY_MAP[sym] || 0
+        severity >= console_level
+      end
+
       def info(message, context = {})
         log(:info, message, context)
       end
@@ -138,6 +182,14 @@ module Tina4
         log(:error, message, context)
       end
 
+      # critical is the HIGHEST severity (4, above error). Like every other
+      # level it ALWAYS emits, subject only to the TINA4_LOG_LEVEL threshold
+      # (which critical passes at every level except none). A critical log is
+      # never a silent no-op. Mirrors the Python master.
+      def critical(message, context = {})
+        log(:critical, message, context)
+      end
+
       # Test/teardown helper — closes the underlying Logger so the file
       # handle is released (Windows / tmpdir cleanup).
       def close_file_logger
@@ -181,6 +233,28 @@ module Tina4
         @current_context = {}
       end
 
+      # The current minimum console level as an integer (the same value
+      # the console branch in `log` compares against). Ensures the logger
+      # is configured so `enabled?` works before any log call has run.
+      def console_level
+        configure unless @initialized
+        @console_level
+      end
+
+      # Map a level (String or Symbol, case-insensitive) onto the symbol
+      # space used by SEVERITY_MAP. Accepts the public method names
+      # (debug/info/warning/error/critical) and the internal :warn symbol.
+      # critical is a FIRST-CLASS level (severity 4), not an alias for error.
+      # Unknown levels fall through to their own symbol and resolve to
+      # severity 0 in `enabled?`.
+      def normalize_level(level)
+        sym = level.to_s.strip.downcase.to_sym
+        case sym
+        when :warning then :warn
+        else sym
+        end
+      end
+
       def resolve_level
         # v3.13.14: default is INFO (was ALL) so a deployed app surfaces
         # request/startup/warn/error without debug noise, matching
@@ -199,6 +273,7 @@ module Tina4
         when :info  then "INFO"
         when :warn  then "WARNING"
         when :error then "ERROR"
+        when :critical then "CRITICAL"
         else level.to_s.upcase
         end
       end
@@ -278,6 +353,7 @@ module Tina4
                 when :info    then COLORS[:green]
                 when :warn    then COLORS[:yellow]
                 when :error   then COLORS[:red]
+                when :critical then COLORS[:magenta]
                 else COLORS[:reset]
                 end
         "#{color}#{line}#{COLORS[:reset]}"
@@ -288,7 +364,7 @@ module Tina4
         # Use << to bypass Logger's severity filtering — we already filtered above.
         @file_logger << "#{line}\n"
       rescue IOError, SystemCallError => e
-        raise if @critical
+        raise if @strict
         # Don't crash on log write failure
       end
     end

data/lib/tina4/mcp.rb

@@ -139,15 +139,35 @@ module Tina4
 
   # Resolve whether the built-in MCP dev server should be active.
   #
-  # Precedence:
-  #   * TINA4_MCP set explicitly → use that (truthy/falsey).
-  #   * Otherwise: enabled only when TINA4_DEBUG=true.
+  # Resolution order (highest priority first):
+  #   1. TINA4_MCP set explicitly → use that (truthy/falsey). Honoured on ANY
+  #      host. An explicit `true` is how a sysadmin opts a remote /
+  #      debug-disabled deployment in (e.g. for a remote AI assistant); an
+  #      explicit `false` force-disables it everywhere.
+  #   2. TINA4_DEBUG=true → implicit on for dev, but LOCALHOST-ONLY unless
+  #      TINA4_MCP_REMOTE=true. The MCP dev tools expose powerful operations
+  #      (DB query, file read/WRITE, route listing), so they never auto-expose
+  #      on a non-localhost host without an explicit opt-in.
+  #   3. Otherwise off.
+  #
+  # Mirrors the Python master (tina4_python/mcp/__init__.py is_enabled). Before
+  # v3.13.39 is_localhost? was dead code and TINA4_MCP_REMOTE was never read, so
+  # the documented localhost guard was not actually enforced — a non-localhost
+  # TINA4_DEBUG=true deployment auto-exposed the dev tools. This wires it.
   def self.mcp_enabled?
     explicit = ENV["TINA4_MCP"]
     if explicit && !explicit.empty?
-      return %w[true 1 yes on].include?(explicit.to_s.strip.downcase)
+      return truthy?(explicit)
     end
-    %w[true 1 yes on].include?(ENV.fetch("TINA4_DEBUG", "").to_s.strip.downcase)
+    return false unless truthy?(ENV["TINA4_DEBUG"])
+
+    # Dev auto-enable: localhost only, unless explicitly opted into remote.
+    is_localhost? || truthy?(ENV["TINA4_MCP_REMOTE"])
+  end
+
+  # Case-insensitive truthiness for env values: true/1/yes/on.
+  def self.truthy?(val)
+    %w[true 1 yes on].include?(val.to_s.strip.downcase)
   end
 
   # Resolve the dedicated MCP port. Defaults to (server port + 2000) — keeps