@rhinostone/swig-core 2.2.0 → 2.4.0

package/lib/ir.js

@@ -1,14 +1,14 @@
 /**
  * Swig IR — intermediate representation for the shared backend.
  *
- * Phase 1: typedef stubs only. No runtime code here — Phase 1 keeps the
- * native frontend emitting JS source directly. Phase 2 ports the native
- * frontend to emit IR, at which point `@rhinostone/swig-core/lib/backend.js`
- * walks an IRTemplate and produces the compiled `new Function(...)` body.
+ * Two halves: the `@typedef` schema for every IR node shape, and the
+ * runtime factories (further down) that build them. Every frontend
+ * (native Swig, Twig, and future flavors) lowers its parse tree into
+ * these shapes; `@rhinostone/swig-core/lib/backend.js` then walks an
+ * IRTemplate and produces the compiled `new Function(...)` body.
  *
- * Every frontend (native Swig, Twig, Jinja2, Django) must lower its
- * parse tree into these shapes. Constructs that cannot lower cleanly
- * must throw at parse time — no silent partial behavior.
+ * Constructs that cannot lower cleanly must throw at parse time — no
+ * silent partial behavior.
  */
 
 /**
@@ -103,11 +103,17 @@
 /**
  * For-loop. `emptyBody` supports Twig/Django `{% for … %}{% else %}`.
  *
+ * `iterable` is typed `IRExpr | string` for Phase 2 — the native
+ * frontend still hands in a raw JS-source string (its `for` tag has
+ * not migrated to expression-level IR), while the Twig frontend lowers
+ * to a real {@link IRExpr}. Backends MUST tolerate both shapes — same
+ * transitional widening as {@link IRSet}'s `target`.
+ *
  * @typedef {Object} IRFor
  * @property {'For'} type
  * @property {string} [key]                   Loop key var (second binding).
  * @property {string} value                   Loop value var (first binding).
- * @property {IRExpr} iterable
+ * @property {IRExpr|string} iterable         Transitional — see note above.
  * @property {IRStatement[]} body
  * @property {IRStatement[]} [emptyBody]
  * @property {IRLoc} [loc]
@@ -279,12 +285,13 @@
  * In sync codegen mode the parser pre-resolves `extends` / `include` /
  * `import` / Twig `from` paths via `swig.parseFile(...)` and inlines
  * the resolved tokens at parse-finalization time. That model can't run
- * against an async-only loader (S3 / Redis / fetch-backed), and it
+ * against an async-only loader (S3 / Redis / network-backed), and it
  * can't handle dynamic paths (`{% extends parent_var %}`) since the
  * value isn't known until render.
  *
  * The deferred shapes carry the unresolved path expression to render
- * time. The async backend (`compileAsync`) emits cb-shaped or
+ * time. In async codegen mode (`backend.compile` with
+ * `options.codegenMode === 'async'`) the backend emits cb-shaped or
  * AsyncFunction-shaped JS that hits a runtime `_swig.getTemplate(...)`
  * call to resolve and apply the parent / included / imported template.
  *
@@ -511,7 +518,7 @@
  */
 
 /* ------------------------------------------------------------------ *
- * Runtime node factories — Phase 2 scaffold (Session 7, 2026-04-14).
+ * Runtime node factories.
  *
  * Each factory returns a plain JSON-serialisable object matching one
  * of the typedefs above. `loc` is always optional; when omitted it is
@@ -519,9 +526,8 @@
  * `'loc' in node`). All other parameters are required unless documented
  * otherwise on the corresponding typedef.
  *
- * No consumers yet — this commit introduces the schema surface only.
- * Subsequent sessions will migrate the native frontend's token-tree
- * production over to these shapes.
+ * Consumed by every frontend's tag handlers and `tokenparser.js` (which
+ * build the IR) and by `backend.js` (which walks it).
  * ------------------------------------------------------------------ */
 
 /*!

package/lib/tokenparser.js

@@ -310,12 +310,39 @@ TokenParser.prototype = {
       self.filterApplyIdx.push(self.out.length - 1);
       break;
 
+    case _t.QMARK:
+      // Ternary `?` — emit a flat operator and mark the state stack so
+      // the matching `:` is recognised as the alternative-branch
+      // separator (not an object-literal colon). The lowerExpr ->
+      // parseExpr IR path does the real ternary codegen for built-in
+      // tags; emitting `?`/`:` flat here just keeps the legacy tag-arg
+      // walk from aborting so `args` is built for every tag.
+      self.out.push(' ? ');
+      self.state.push(token.type);
+      self.filterApplyIdx.pop();
+      break;
+
     case _t.COLON:
-      if (lastState !== _t.CURLYOPEN) {
+      if (lastState === _t.CURLYOPEN) {
+        self.state.push(token.type);
+        self.out.push(':');
+      } else if (lastState === _t.QMARK) {
+        // Ternary alternative branch. Pop the QMARK marker the QMARK
+        // case pushed. A full ternary (`a ? b : c`) has a non-empty
+        // then-branch, so the colon emits as a flat operator. The Elvis
+        // shorthand (`a ?: b`) has an empty then-branch — the `?` we
+        // emitted is still the last fragment — so rewrite it to `||`,
+        // the single-evaluation equivalent of `a ? a : b`. A bare
+        // `a ?  : b` would be invalid JS.
+        self.state.pop();
+        if (self.out[self.out.length - 1] === ' ? ') {
+          self.out[self.out.length - 1] = ' || ';
+        } else {
+          self.out.push(' : ');
+        }
+      } else {
         utils.throwError('Unexpected colon', self.line, self.filename);
       }
-      self.state.push(token.type);
-      self.out.push(':');
       self.filterApplyIdx.pop();
       break;
 
@@ -647,6 +674,37 @@ TokenParser.prototype = {
         var right = parseExpression(info.prec + 1);
         left = ir.binaryOp(info.op, left, right);
       }
+      // Ternary + Elvis — binds looser than every binary op, so it is only
+      // handled at the top-level minPrec === 0 entry. Recursive calls for a
+      // binary op's RHS run at prec + 1 >= 1 and skip this branch, which is
+      // what lets `a + b ? c : d` parse as `(a + b) ? c : d`. Recursive
+      // parseExpression(0) calls (arg-list elements, object-literal values,
+      // grouped sub-expressions) still get ternary via their own entry.
+      //
+      // Elvis shorthand `a ?: b` lowers to Conditional(a, a, b). The `a`
+      // subexpression is evaluated twice by downstream emitters — a
+      // documented consequence of the transliteration.
+      if (minPrec === 0) {
+        var qtok = peek();
+        if (qtok && qtok.type === _t.QMARK) {
+          consume();
+          var afterQ = peek();
+          var elseBranch;
+          if (afterQ && afterQ.type === _t.COLON) {
+            consume();
+            elseBranch = parseExpression(0);
+            left = ir.conditional(left, left, elseBranch);
+          } else {
+            var thenBranch = parseExpression(0);
+            var colon = consume();
+            if (!colon || colon.type !== _t.COLON) {
+              bail('Expected colon in ternary expression');
+            }
+            elseBranch = parseExpression(0);
+            left = ir.conditional(left, thenBranch, elseBranch);
+          }
+        }
+      }
       return left;
     }
 
@@ -706,6 +764,7 @@ TokenParser.prototype = {
     var depth = 0,
       hasTopOp = false,
       hasTopFilter = false,
+      hasTopTernary = false,
       firstTopFilterIdx = -1;
     for (i = 0; i < tokens.length; i += 1) {
       t = tokens[i];
@@ -718,6 +777,9 @@ TokenParser.prototype = {
           hasTopFilter = true;
           if (firstTopFilterIdx < 0) { firstTopFilterIdx = i; }
         }
+        if (t.type === _t.QMARK) {
+          hasTopTernary = true;
+        }
       }
       if (t.type === _t.PARENOPEN || t.type === _t.FUNCTION ||
           t.type === _t.BRACKETOPEN || t.type === _t.CURLYOPEN ||
@@ -779,7 +841,13 @@ TokenParser.prototype = {
       // trailing FILTER / FILTEREMPTY and wraps the atom in an
       // IRFilterCallExpr at the right tree depth. Autoescape remains
       // a top-level wrap (single `e` filterCall appended).
-      if (hasTopOp && hasTopFilter) {
+      //
+      // A top-level ternary (`{{ a ? b : c }}`) takes the same route:
+      // the prefix/filter-drain path below would slice the stream at
+      // the first top-level filter (e.g. a filter inside a branch,
+      // `{{ x ? a|upper : b }}`) and mis-parse it. Full-stream
+      // parseExpr consumes the whole ternary, branch filters included.
+      if (hasTopTernary || (hasTopOp && hasTopFilter)) {
         var exprPO = self.parseExpr(tokens);
         var fcallsPO = escape ? [ir.filterCall('e')] : [];
         return ir.output(exprPO, fcallsPO.length > 0 ? fcallsPO : undefined);
@@ -874,6 +942,12 @@ TokenParser.prototype = {
 
       return ir.output(expr, filterCalls.length > 0 ? filterCalls : undefined);
     } catch (e) {
+      // A top-level ternary cannot be expressed by the legacy parseToken
+      // path (no QMARK handling), so legacyFallback would only throw a
+      // worse error ("Unexpected colon") or emit garbage. Re-throw
+      // parseExpr's own error — including the CVE-2023-25345 guard
+      // message — instead of masking it.
+      if (hasTopTernary) { throw e; }
       return legacyFallback();
     }
   },

package/lib/tokentypes.js

@@ -73,6 +73,8 @@ module.exports = {
   /** End of a method
    * Currently unused
   METHODEND: 26, */
+  /** Ternary question mark (?) */
+  QMARK: 27,
   /** Unknown type */
   UNKNOWN: 100
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rhinostone/swig-core",
-  "version": "2.2.0",
+  "version": "2.4.0",
   "description": "Shared IR, backend, and runtime for the @rhinostone/swig family of template engines.",
   "keywords": [
     "template",