npm - @rhinostone/swig-twig - Versions diffs - 2.0.0-alpha.5 → 2.0.0-alpha.7 - Mend

@rhinostone/swig-twig 2.0.0-alpha.5 → 2.0.0-alpha.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md +53 -0
package/lib/filters.js +0 -4
package/lib/index.js +0 -3
package/lib/parser.js +1 -2
package/lib/tags/block.js +1 -2
package/lib/tags/import.js +2 -4
package/lib/tags/macro.js +2 -3
package/lib/tags/set.js +1 -2
package/lib/tokentypes.js +0 -3
package/package.json +2 -2
package/rhinostone-swig-twig-2.0.0-alpha.7.tgz +0 -0

package/README.md ADDED Viewed

@@ -0,0 +1,53 @@
+@rhinostone/swig-twig
+=====================
+[![NPM version](http://img.shields.io/npm/v/@rhinostone/swig-twig.svg?style=flat)](https://www.npmjs.org/package/@rhinostone/swig-twig) [![Socket Badge](https://socket.dev/api/badge/npm/package/@rhinostone/swig-twig)](https://socket.dev/npm/package/@rhinostone/swig-twig)
+> **Experimental alpha.** The render pipeline is wired end-to-end and the Twig render corpus passes, but the IR ABI is not stable across alpha minors. `2.0.0` stable is the target for production use.
+Twig frontend for the [@rhinostone/swig-core](https://www.npmjs.com/package/@rhinostone/swig-core) template engine. See #T16 in [ROADMAP.md](https://github.com/gina-io/swig/blob/develop/ROADMAP.md) for the multi-flavor roadmap.
+Installation
+------------
+    npm install @rhinostone/swig-twig@alpha
+This pulls in `@rhinostone/swig-core` as a peer dependency, pinned to the matching alpha version. Do not mix alpha minors — lockstep only.
+Basic example
+-------------
+```js
+var swig = require('@rhinostone/swig-twig');
+var out = swig.render('Hello, {{ name|upper }}!', {
+  locals: { name: 'world' }
+});
+// => Hello, WORLD!
+```
+Supported surface (as of 2.0.0-alpha.5)
+---------------------------------------
+* **Tags** — `apply`, `block`, `extends`, `for`, `from`, `if`, `import`, `include`, `macro`, `set`, `verbatim`, `with`.
+* **Operators** — `..` range, `??` null-coalescing, `~` string concat, `is <test>` / `is not <test>`.
+* **Built-in `is` tests** — `defined`, `null`, `empty`, `iterable`, `odd`, `even`, `divisibleby`.
+* **Filters** — the Twig core overlaps (length, lower, upper, first, last, join, reverse, sort, striptags, url_encode, json_encode, raw, escape / e, slice, split, batch, trim, number_format, replace, keys, format, merge, date). See `lib/filters.js` for the full list.
+Explicitly unsupported (parse-time throw)
+-----------------------------------------
+* `{% sandbox %}` — security-sandbox tag, out of scope.
+* Macro kwargs — use positional args.
+* `{% use %}` — not implemented.
+* `{% deprecated %}` — not implemented; use comment pragmas.
+Repository
+----------
+Source: [gina-io/swig/packages/swig-twig](https://github.com/gina-io/swig/tree/develop/packages/swig-twig). File issues and PRs at [gina-io/swig](https://github.com/gina-io/swig).
+License
+-------
+MIT. See [LICENSE](https://github.com/gina-io/swig/blob/develop/LICENSE) in the monorepo root.

package/lib/filters.js CHANGED Viewed

@@ -16,10 +16,6 @@ var utils = require('@rhinostone/swig-core/lib/utils'),
  * prototype chain, so CVE-2023-25345 guards don't apply at this layer.
  * Filter arg expressions inherit the expression parser's existing
  * `_dangerousProps` guards.
- *
- * See .claude/architecture/tags-and-filters.md § Filters and
- * .claude/architecture/multi-flavor-ir.md § Filter catalogs stay
- * per-flavor.
  */
 /**

package/lib/index.js CHANGED Viewed

@@ -5,9 +5,6 @@
  * exposes a Twig constructor + default instance via `engine.install(self,
  * frontend)` from @rhinostone/swig-core, so callers can `render(source,
  * locals)` / `renderFile(path, locals, cb)` directly against Twig syntax.
- *
- * See .claude/architecture/multi-flavor-ir.md § Phase 3 for the per-flavor
- * split decision.
  */
 var utils = require('@rhinostone/swig-core/lib/utils'),

package/lib/parser.js CHANGED Viewed

@@ -32,8 +32,7 @@ var _reserved = ['break', 'case', 'catch', 'continue', 'debugger', 'default', 'd
  * CVE-2023-25345 guards (`_dangerousProps`) fire on VAR path segments,
  * DOTKEY matches, STRING-inside-BRACKETOPEN values, and
  * FUNCTION/FUNCTIONEMPTY callee names — same checkpoints as the native
- * frontend. See .claude/security.md § _dangerousProps is duplicated
- * across layers.
+ * frontend.
  *
  * Binding-power table:
  *

package/lib/tags/block.js CHANGED Viewed

@@ -22,8 +22,7 @@
  * `_dangerousProps`. A `{% block __proto__ %}` in native Swig would
  * key the blocks map by that name; the override path does not currently
  * reach the prototype chain but the cross-layer invariant is to guard
- * anyway. See .claude/architecture/multi-flavor-ir.md § Phase 3 —
- * Session 9 native hardening follow-up.
+ * anyway.
  */
 var ir = require('@rhinostone/swig-core/lib/ir');

package/lib/tags/import.js CHANGED Viewed

@@ -26,10 +26,8 @@
  *
  * The alias is a bare identifier — dotted paths are rejected at parse
  * time, and CVE-2023-25345 prototype-chain names are rejected before
- * the namespace assignment. Lexer-folded-path bail per
- * `.claude/conventions.md § Lexer-folded-path bail`: single-name
- * binding slots reject any `.` in the match before the
- * `_dangerousProps` check.
+ * the namespace assignment. Single-name binding slots reject any `.`
+ * in the match before the `_dangerousProps` check.
  */
 var utils = require('@rhinostone/swig-core/lib/utils');

package/lib/tags/macro.js CHANGED Viewed

@@ -13,9 +13,8 @@
  *
  * Param names and the macro name are bare identifiers — dotted paths
  * (`foo.bar`) and CVE-2023-25345 prototype-chain names (`__proto__`,
- * `constructor`, `prototype`) are rejected at parse time. Lexer-folded
- * dotted-path bail per `.claude/conventions.md § Lexer-folded-path bail`:
- * single-name binding slots reject any `.` in the match before the
+ * `constructor`, `prototype`) are rejected at parse time. Single-name
+ * binding slots reject any `.` in the match before the
  * `_dangerousProps` check.
  *
  * Twig kwargs (`{% macro foo(a=1, b="x") %}`) are deferred — Phase 4 with

package/lib/tags/set.js CHANGED Viewed

@@ -32,8 +32,7 @@
  *
  * CVE-2023-25345 checkpoints apply twice — here on the LHS path
  * segments, and again in the backend `checkDangerousSegment` walk —
- * per the duplication invariant in .claude/security.md § _dangerousProps
- * is duplicated across layers.
+ * intentional defense-in-depth during the migration.
  */
 var ir = require('@rhinostone/swig-core/lib/ir');

package/lib/tokentypes.js CHANGED Viewed

@@ -15,9 +15,6 @@
  * rules without renumbering. Keeping the layout stable up front avoids
  * silent ID collisions across in-flight flavor work.
  *
- * See .claude/architecture/multi-flavor-ir.md § Phase 3 for the
- * per-flavor split decision.
- *
  * @readonly
  * @enum {number}
  */

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rhinostone/swig-twig",
-  "version": "2.0.0-alpha.5",
+  "version": "2.0.0-alpha.7",
   "description": "Twig frontend for the @rhinostone/swig-core template engine. Phase 3 of the multi-flavor architecture (see @rhinostone/swig #T16).",
   "keywords": [
     "template",
@@ -22,7 +22,7 @@
     "node": ">=12"
   },
   "peerDependencies": {
-    "@rhinostone/swig-core": "2.0.0-alpha.5"
+    "@rhinostone/swig-core": "2.0.0-alpha.7"
   },
   "publishConfig": {
     "access": "public"

package/rhinostone-swig-twig-2.0.0-alpha.7.tgz ADDED Viewed

Binary file