@tinacms/cli 0.0.0-e6ffde4-20251216055147 → 0.0.0-e797ebd-20260331104743

package/dist/index.js

@@ -2,7 +2,7 @@
 import { Cli, Builtins } from "clipanion";
 
 // package.json
-var version = "2.0.3";
+var version = "2.2.1";
 
 // src/next/commands/dev-command/index.ts
 import path8 from "path";
@@ -124,6 +124,15 @@ var S_SUCCESS = s("\u25C6", "*");
 var S_WARN = s("\u25B2", "!");
 var S_ERROR = s("\u25A0", "x");
 
+// src/utils/host.ts
+var LOCALHOST_ADDRESSES = ["localhost", "127.0.0.1", "::1"];
+function isHostExposed(host) {
+  if (host === true) return true;
+  if (typeof host === "string" && !LOCALHOST_ADDRESSES.includes(host))
+    return true;
+  return false;
+}
+
 // src/utils/spinner.ts
 import { Spinner } from "cli-spinner";
 async function localSpin({
@@ -417,6 +426,38 @@ var loadGraphQLDocuments = async (globPath) => {
 import { transform } from "esbuild";
 import { mapUserFields } from "@tinacms/graphql";
 import normalizePath from "normalize-path";
+
+// src/next/codegen/stripSearchTokenFromConfig.ts
+function stripSearchTokenFromConfig(config2) {
+  const cfg = config2;
+  if (!cfg?.search) {
+    return config2;
+  }
+  const search = cfg.search;
+  const tina = search?.tina;
+  if (tina) {
+    const { indexerToken, ...safeSearchConfig } = tina;
+    const newConfig = {};
+    for (const key of Object.keys(cfg)) {
+      if (key === "search") {
+        newConfig.search = { tina: safeSearchConfig };
+      } else {
+        newConfig[key] = cfg[key];
+      }
+    }
+    return newConfig;
+  } else {
+    const newConfig = {};
+    for (const key of Object.keys(cfg)) {
+      if (key !== "search") {
+        newConfig[key] = cfg[key];
+      }
+    }
+    return newConfig;
+  }
+}
+
+// src/next/codegen/index.ts
 var TINA_HOST = "content.tinajs.io";
 var Codegen = class {
   configManager;
@@ -487,8 +528,9 @@ var Codegen = class {
       "_graphql.json",
       JSON.stringify(this.graphqlSchemaDoc)
     );
-    const { search, ...rest } = this.tinaSchema.schema.config;
-    this.tinaSchema.schema.config = rest;
+    this.tinaSchema.schema.config = stripSearchTokenFromConfig(
+      this.tinaSchema.schema.config
+    );
     await this.writeConfigFile(
       "_schema.json",
       JSON.stringify(this.tinaSchema.schema)
@@ -784,6 +826,14 @@ function stripNativeTrailingSlash(p) {
   }
   return str;
 }
+var PathTraversalError = class extends Error {
+  constructor(attemptedPath) {
+    super(
+      `Path traversal detected: the path "${attemptedPath}" escapes the allowed directory`
+    );
+    this.name = "PathTraversalError";
+  }
+};
 
 // src/next/config-manager.ts
 var TINA_FOLDER = "tina";
@@ -998,13 +1048,15 @@ var ConfigManager = class {
       this.contentRootPath = this.rootPath;
     }
     this.generatedFolderPathContentRepo = path3.join(
-      await this.getTinaFolderPath(this.contentRootPath),
+      await this.getTinaFolderPath(this.contentRootPath, {
+        isContentRoot: this.hasSeparateContentRoot()
+      }),
       GENERATED_FOLDER
     );
     this.spaMainPath = require2.resolve("@tinacms/app");
     this.spaRootPath = path3.join(this.spaMainPath, "..", "..");
   }
-  async getTinaFolderPath(rootPath) {
+  async getTinaFolderPath(rootPath, { isContentRoot } = {}) {
     const tinaFolderPath = path3.join(rootPath, TINA_FOLDER);
     const tinaFolderExists = await fs2.pathExists(tinaFolderPath);
     if (tinaFolderExists) {
@@ -1017,6 +1069,11 @@ var ConfigManager = class {
       this.isUsingLegacyFolder = true;
       return legacyFolderPath;
     }
+    if (isContentRoot) {
+      throw new Error(
+        `Unable to find a ${chalk3.cyan("tina/")} folder in your content root at ${chalk3.cyan(rootPath)}. When using localContentPath, the content directory must contain a ${chalk3.cyan("tina/")} folder for generated files. Create one with: mkdir ${path3.join(rootPath, TINA_FOLDER)}`
+      );
+    }
     throw new Error(
       `Unable to find Tina folder, if you're working in folder outside of the Tina config be sure to specify --rootPath`
     );
@@ -1207,15 +1264,15 @@ var loaders = {
 };
 
 // src/next/database.ts
+import { createServer } from "net";
 import {
-  createDatabaseInternal,
   FilesystemBridge,
-  TinaLevelClient
+  TinaLevelClient,
+  createDatabaseInternal
 } from "@tinacms/graphql";
-import { pipeline } from "readable-stream";
-import { createServer } from "net";
 import { ManyLevelHost } from "many-level";
 import { MemoryLevel } from "memory-level";
+import { pipeline } from "readable-stream";
 var createDBServer = (port) => {
   const levelHost = new ManyLevelHost(
     // @ts-ignore
@@ -1234,7 +1291,7 @@ var createDBServer = (port) => {
       );
     }
   });
-  dbServer.listen(port);
+  dbServer.listen(port, "localhost");
 };
 async function createAndInitializeDatabase(configManager, datalayerPort, bridgeOverride) {
   let database;
@@ -1538,6 +1595,66 @@ import {
   splitVendorChunkPlugin
 } from "vite";
 
+// src/next/vite/cors.ts
+var LOCALHOST_RE = /^https?:\/\/(?:localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/;
+var PRIVATE_NETWORK_RE = /^https?:\/\/(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})(:\d+)?$/;
+function expandOrigins(raw) {
+  const hasPrivate = raw.some((o) => o === "private");
+  const filtered = raw.filter((o) => o !== "private");
+  return hasPrivate ? [...filtered, PRIVATE_NETWORK_RE] : filtered;
+}
+function buildCorsOriginCheck(allowedOrigins = []) {
+  const extra = expandOrigins(allowedOrigins);
+  return (origin, callback) => {
+    if (!origin) {
+      callback(null, true);
+      return;
+    }
+    if (LOCALHOST_RE.test(origin)) {
+      callback(null, true);
+      return;
+    }
+    for (const allowed of extra) {
+      if (typeof allowed === "string") {
+        if (allowed === origin) {
+          callback(null, true);
+          return;
+        }
+      } else {
+        allowed.lastIndex = 0;
+        if (allowed.test(origin)) {
+          callback(null, true);
+          return;
+        }
+      }
+    }
+    callback(null, false);
+  };
+}
+
+// src/next/vite/filterPublicEnv.ts
+function filterPublicEnv(env = process.env) {
+  const publicEnv = {};
+  Object.keys(env).forEach((key) => {
+    if (key.startsWith("TINA_PUBLIC_") || key.startsWith("NEXT_PUBLIC_") || key === "NODE_ENV" || key === "HEAD") {
+      try {
+        const value = env[key];
+        if (typeof value === "string") {
+          publicEnv[key] = value;
+        } else {
+          publicEnv[key] = JSON.stringify(value);
+        }
+      } catch (error) {
+        console.warn(
+          `Could not stringify public env process.env.${key} env variable`
+        );
+        console.warn(error);
+      }
+    }
+  });
+  return publicEnv;
+}
+
 // src/next/vite/tailwind.ts
 import path4 from "node:path";
 import aspectRatio from "@tailwindcss/aspect-ratio";
@@ -1870,23 +1987,7 @@ var createConfig = async ({
   noWatch,
   rollupOptions
 }) => {
-  const publicEnv = {};
-  Object.keys(process.env).forEach((key) => {
-    if (key.startsWith("TINA_PUBLIC_") || key.startsWith("NEXT_PUBLIC_") || key === "NODE_ENV" || key === "HEAD") {
-      try {
-        if (typeof process.env[key] === "string") {
-          publicEnv[key] = process.env[key];
-        } else {
-          publicEnv[key] = JSON.stringify(process.env[key]);
-        }
-      } catch (error) {
-        console.warn(
-          `Could not stringify public env process.env.${key} env variable`
-        );
-        console.warn(error);
-      }
-    }
-  });
+  const publicEnv = filterPublicEnv();
   const staticMediaPath = path5.join(
     configManager.generatedFolderPath,
     "static-media.json"
@@ -1967,6 +2068,13 @@ var createConfig = async ({
     },
     server: {
       host: configManager.config?.build?.host ?? false,
+      // Restrict Vite's built-in CORS to the same origins our custom
+      // middleware allows (localhost + user-configured allowedOrigins).
+      cors: {
+        origin: buildCorsOriginCheck(
+          configManager.config?.server?.allowedOrigins
+        )
+      },
       watch: noWatch ? {
         ignored: ["**/*"]
       } : {
@@ -1976,7 +2084,15 @@ var createConfig = async ({
         ]
       },
       fs: {
-        strict: false
+        strict: true,
+        // Allow serving files from the project root and the SPA package.
+        // Without this, Vite would block access to tina config/generated
+        // files since the Vite root is the @tinacms/app package directory.
+        allow: [
+          configManager.spaRootPath,
+          configManager.rootPath,
+          ...configManager.contentRootPath && configManager.contentRootPath !== configManager.rootPath ? [configManager.contentRootPath] : []
+        ]
       }
     },
     build: {
@@ -2006,19 +2122,19 @@ var createConfig = async ({
 };
 
 // src/next/vite/plugins.ts
-import { createFilter } from "@rollup/pluginutils";
 import fs6 from "fs";
-import { transformWithEsbuild } from "vite";
-import { transform as esbuildTransform } from "esbuild";
 import path7 from "path";
+import { createFilter } from "@rollup/pluginutils";
+import { resolve as gqlResolve } from "@tinacms/graphql";
 import bodyParser from "body-parser";
 import cors from "cors";
-import { resolve as gqlResolve } from "@tinacms/graphql";
+import { transform as esbuildTransform } from "esbuild";
+import { transformWithEsbuild } from "vite";
 
 // src/next/commands/dev-command/server/media.ts
-import fs5 from "fs-extra";
 import path6, { join } from "path";
 import busboy from "busboy";
+import fs5 from "fs-extra";
 var createMediaRouter = (config2) => {
   const mediaFolder = path6.join(
     config2.rootPath,
@@ -2027,31 +2143,68 @@ var createMediaRouter = (config2) => {
   );
   const mediaModel = new MediaModel(config2);
   const handleList = async (req, res) => {
-    const requestURL = new URL(req.url, config2.apiURL);
-    const folder = requestURL.pathname.replace("/media/list/", "");
-    const limit = requestURL.searchParams.get("limit");
-    const cursor = requestURL.searchParams.get("cursor");
-    const media = await mediaModel.listMedia({
-      searchPath: folder,
-      cursor,
-      limit
-    });
-    res.end(JSON.stringify(media));
+    try {
+      const requestURL = new URL(req.url, config2.apiURL);
+      const folder = decodeURIComponent(
+        requestURL.pathname.replace("/media/list/", "")
+      );
+      const limit = requestURL.searchParams.get("limit");
+      const cursor = requestURL.searchParams.get("cursor");
+      const media = await mediaModel.listMedia({
+        searchPath: folder,
+        cursor,
+        limit
+      });
+      res.end(JSON.stringify(media));
+    } catch (error) {
+      if (error instanceof PathTraversalError) {
+        res.statusCode = 403;
+        res.end(JSON.stringify({ error: error.message }));
+        return;
+      }
+      throw error;
+    }
   };
   const handleDelete = async (req, res) => {
-    const file = decodeURIComponent(req.url.slice("/media/".length));
-    const didDelete = await mediaModel.deleteMedia({ searchPath: file });
-    res.end(JSON.stringify(didDelete));
+    try {
+      const file = decodeURIComponent(req.url.slice("/media/".length));
+      const didDelete = await mediaModel.deleteMedia({ searchPath: file });
+      res.end(JSON.stringify(didDelete));
+    } catch (error) {
+      if (error instanceof PathTraversalError) {
+        res.statusCode = 403;
+        res.end(JSON.stringify({ error: error.message }));
+        return;
+      }
+      throw error;
+    }
   };
   const handlePost = async function(req, res) {
     const bb = busboy({ headers: req.headers });
+    let responded = false;
     bb.on("file", async (_name, file, _info) => {
-      const fullPath = decodeURI(req.url?.slice("/media/upload/".length));
-      const saveTo = path6.join(mediaFolder, ...fullPath.split("/"));
+      const fullPath = decodeURIComponent(
+        req.url?.slice("/media/upload/".length)
+      );
+      let saveTo;
+      try {
+        saveTo = resolveStrictlyWithinBase(fullPath, mediaFolder);
+      } catch {
+        responded = true;
+        file.resume();
+        res.statusCode = 403;
+        res.end(
+          JSON.stringify({
+            error: `Path traversal detected: ${fullPath}`
+          })
+        );
+        return;
+      }
       await fs5.ensureDir(path6.dirname(saveTo));
       file.pipe(fs5.createWriteStream(saveTo));
     });
     bb.on("error", (error) => {
+      responded = true;
       res.statusCode = 500;
       if (error instanceof Error) {
         res.end(JSON.stringify({ message: error }));
@@ -2060,6 +2213,7 @@ var createMediaRouter = (config2) => {
       }
     });
     bb.on("close", () => {
+      if (responded) return;
       res.statusCode = 200;
       res.end(JSON.stringify({ success: true }));
     });
@@ -2074,6 +2228,55 @@ var parseMediaFolder = (str) => {
     returnString = returnString.substr(0, returnString.length - 1);
   return returnString;
 };
+var ENCODED_TRAVERSAL_RE = /%2e%2e|%2f|%5c/i;
+function resolveRealPath(candidate) {
+  try {
+    return fs5.realpathSync(candidate);
+  } catch {
+    const parent = path6.dirname(candidate);
+    if (parent === candidate) return candidate;
+    return path6.join(resolveRealPath(parent), path6.basename(candidate));
+  }
+}
+function assertSymlinkWithinBase(resolved, resolvedBase, userPath) {
+  try {
+    const realBase = fs5.realpathSync(resolvedBase);
+    const realResolved = resolveRealPath(resolved);
+    if (realResolved !== realBase && !realResolved.startsWith(realBase + path6.sep)) {
+      throw new PathTraversalError(userPath);
+    }
+  } catch (err) {
+    if (err instanceof PathTraversalError) throw err;
+  }
+}
+function resolveWithinBase(userPath, baseDir) {
+  if (ENCODED_TRAVERSAL_RE.test(userPath)) {
+    throw new PathTraversalError(userPath);
+  }
+  const resolvedBase = path6.resolve(baseDir);
+  const resolved = path6.resolve(path6.join(baseDir, userPath));
+  if (resolved === resolvedBase) {
+    assertSymlinkWithinBase(resolved, resolvedBase, userPath);
+    return resolvedBase;
+  }
+  if (resolved.startsWith(resolvedBase + path6.sep)) {
+    assertSymlinkWithinBase(resolved, resolvedBase, userPath);
+    return resolved;
+  }
+  throw new PathTraversalError(userPath);
+}
+function resolveStrictlyWithinBase(userPath, baseDir) {
+  if (ENCODED_TRAVERSAL_RE.test(userPath)) {
+    throw new PathTraversalError(userPath);
+  }
+  const resolvedBase = path6.resolve(baseDir) + path6.sep;
+  const resolved = path6.resolve(path6.join(baseDir, userPath));
+  if (!resolved.startsWith(resolvedBase)) {
+    throw new PathTraversalError(userPath);
+  }
+  assertSymlinkWithinBase(resolved, path6.resolve(baseDir), userPath);
+  return resolved;
+}
 var MediaModel = class {
   rootPath;
   publicFolder;
@@ -2085,22 +2288,18 @@ var MediaModel = class {
   }
   async listMedia(args) {
     try {
-      const folderPath = join(
-        this.rootPath,
-        this.publicFolder,
-        this.mediaRoot,
-        decodeURIComponent(args.searchPath)
-      );
+      const mediaBase = join(this.rootPath, this.publicFolder, this.mediaRoot);
+      const validatedPath = resolveWithinBase(args.searchPath, mediaBase);
       const searchPath = parseMediaFolder(args.searchPath);
-      if (!await fs5.pathExists(folderPath)) {
+      if (!await fs5.pathExists(validatedPath)) {
         return {
           files: [],
           directories: []
         };
       }
-      const filesStr = await fs5.readdir(folderPath);
+      const filesStr = await fs5.readdir(validatedPath);
       const filesProm = filesStr.map(async (file) => {
-        const filePath = join(folderPath, file);
+        const filePath = join(validatedPath, file);
         const stat = await fs5.stat(filePath);
         let src = `/${file}`;
         const isFile = stat.isFile();
@@ -2147,6 +2346,7 @@ var MediaModel = class {
         cursor
       };
     } catch (error) {
+      if (error instanceof PathTraversalError) throw error;
       console.error(error);
       return {
         files: [],
@@ -2157,16 +2357,13 @@ var MediaModel = class {
   }
   async deleteMedia(args) {
     try {
-      const file = join(
-        this.rootPath,
-        this.publicFolder,
-        this.mediaRoot,
-        decodeURIComponent(args.searchPath)
-      );
+      const mediaBase = join(this.rootPath, this.publicFolder, this.mediaRoot);
+      const file = resolveStrictlyWithinBase(args.searchPath, mediaBase);
       await fs5.stat(file);
       await fs5.remove(file);
       return { ok: true };
     } catch (error) {
+      if (error instanceof PathTraversalError) throw error;
       console.error(error);
       return { ok: false, message: error?.toString() };
     }
@@ -2179,34 +2376,83 @@ var createSearchIndexRouter = ({
   searchIndex
 }) => {
   const put = async (req, res) => {
-    const { docs } = req.body;
+    const docs = req.body?.docs ?? [];
     const result = await searchIndex.PUT(docs);
     res.writeHead(200, { "Content-Type": "application/json" });
     res.end(JSON.stringify({ result }));
   };
   const get = async (req, res) => {
-    const requestURL = new URL(req.url, config2.apiURL);
+    const requestURL = new URL(req.url ?? "", config2.apiURL);
+    const isV2 = requestURL.pathname.startsWith("/v2/searchIndex");
+    res.writeHead(200, { "Content-Type": "application/json" });
+    if (isV2) {
+      const queryParam = requestURL.searchParams.get("query");
+      const collectionParam = requestURL.searchParams.get("collection");
+      const limitParam = requestURL.searchParams.get("limit");
+      const cursorParam = requestURL.searchParams.get("cursor");
+      if (!queryParam) {
+        res.end(JSON.stringify({ RESULT: [], RESULT_LENGTH: 0 }));
+        return;
+      }
+      if (!searchIndex.fuzzySearchWrapper) {
+        res.end(JSON.stringify({ RESULT: [], RESULT_LENGTH: 0 }));
+        return;
+      }
+      try {
+        const paginationOptions = {};
+        if (limitParam) {
+          paginationOptions.limit = parseInt(limitParam, 10);
+        }
+        if (cursorParam) {
+          paginationOptions.cursor = cursorParam;
+        }
+        const searchQuery = collectionParam ? `${queryParam} _collection:${collectionParam}` : queryParam;
+        const result2 = await searchIndex.fuzzySearchWrapper.query(searchQuery, {
+          ...paginationOptions
+        });
+        if (collectionParam) {
+          result2.results = result2.results.filter(
+            (r) => r._id && r._id.startsWith(`${collectionParam}:`)
+          );
+        }
+        res.end(
+          JSON.stringify({
+            RESULT: result2.results,
+            RESULT_LENGTH: result2.total,
+            NEXT_CURSOR: result2.nextCursor,
+            PREV_CURSOR: result2.prevCursor,
+            FUZZY_MATCHES: result2.fuzzyMatches || {}
+          })
+        );
+        return;
+      } catch (error) {
+        console.warn(
+          "[search] v2 fuzzy search failed:",
+          error instanceof Error ? error.message : error
+        );
+        res.end(JSON.stringify({ RESULT: [], RESULT_LENGTH: 0 }));
+        return;
+      }
+    }
     const query = requestURL.searchParams.get("q");
     const optionsParam = requestURL.searchParams.get("options");
-    let options = {
-      DOCUMENTS: false
-    };
+    if (!query) {
+      res.end(JSON.stringify({ RESULT: [] }));
+      return;
+    }
+    let searchIndexOptions = { DOCUMENTS: false };
     if (optionsParam) {
-      options = {
-        ...options,
+      searchIndexOptions = {
+        ...searchIndexOptions,
         ...JSON.parse(optionsParam)
       };
     }
-    res.writeHead(200, { "Content-Type": "application/json" });
-    if (query) {
-      const result = await searchIndex.QUERY(JSON.parse(query), options);
-      res.end(JSON.stringify(result));
-    } else {
-      res.end(JSON.stringify({ RESULT: [] }));
-    }
+    const queryObj = JSON.parse(query);
+    const result = await searchIndex.QUERY(queryObj, searchIndexOptions);
+    res.end(JSON.stringify(result));
   };
   const del = async (req, res) => {
-    const requestURL = new URL(req.url, config2.apiURL);
+    const requestURL = new URL(req.url ?? "", config2.apiURL);
     const docId = requestURL.pathname.split("/").filter(Boolean).slice(1).join("/");
     const result = await searchIndex.DELETE(docId);
     res.writeHead(200, { "Content-Type": "application/json" });
@@ -2240,10 +2486,18 @@ var devServerEndPointsPlugin = ({
   searchIndex,
   databaseLock
 }) => {
+  const corsOriginCheck = buildCorsOriginCheck(
+    configManager.config?.server?.allowedOrigins
+  );
   const plug = {
     name: "graphql-endpoints",
     configureServer(server) {
-      server.middlewares.use(cors());
+      server.middlewares.use(
+        cors({
+          origin: corsOriginCheck,
+          methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"]
+        })
+      );
       server.middlewares.use(bodyParser.json({ limit: "5mb" }));
       server.middlewares.use(async (req, res, next) => {
         const mediaPaths = configManager.config.media?.tina;
@@ -2296,7 +2550,7 @@ var devServerEndPointsPlugin = ({
           res.end(JSON.stringify(result));
           return;
         }
-        if (req.url.startsWith("/searchIndex")) {
+        if (req.url.startsWith("/searchIndex") || req.url.startsWith("/v2/searchIndex")) {
           if (req.method === "POST") {
             await searchIndexRouter.put(req, res);
           } else if (req.method === "GET") {
@@ -2487,7 +2741,8 @@ var DevCommand = class extends BaseCommand {
           );
           if (configManager.hasSeparateContentRoot()) {
             const rootPath = await configManager.getTinaFolderPath(
-              configManager.contentRootPath
+              configManager.contentRootPath,
+              { isContentRoot: true }
             );
             const filePath = path8.join(rootPath, tinaLockFilename);
             await fs7.ensureFile(filePath);
@@ -2577,15 +2832,24 @@ ${dangerText(e.message)}
         configManager.config.search && searchIndexer
       );
     }
+    const searchIndexWithFuzzy = searchIndexClient.searchIndex;
+    if (searchIndexWithFuzzy && searchIndexClient.fuzzySearchWrapper) {
+      searchIndexWithFuzzy.fuzzySearchWrapper = searchIndexClient.fuzzySearchWrapper;
+    }
     const server = await createDevServer(
       configManager,
       database,
-      searchIndexClient.searchIndex,
+      searchIndexWithFuzzy,
       apiURL,
       this.noWatch,
       dbLock
     );
     await server.listen(Number(this.port));
+    if (isHostExposed(server.config.server.host)) {
+      logger.warn(
+        "\u26A0\uFE0F  The TinaCMS dev server is listening on a non-localhost address. It has no authentication and is not intended to be exposed to the internet."
+      );
+    }
     if (!this.noWatch) {
       chokidar.watch(configManager.watchList).on("change", async () => {
         await dbLock(async () => {
@@ -2659,6 +2923,13 @@ ${dangerText(e.message)}
         // },
       ]
     });
+    if (configManager?.config?.telemetry === "anonymous") {
+      logger.info(
+        `
+\u{1F4CA} Note: TinaCMS now collects anonymous telemetry regarding usage. More information on TinaCMS Telemetry: https://tina.io/telemetry
+`
+      );
+    }
     await this.startSubCommand();
   }
   watchContentFiles(configManager, database, databaseLock, searchIndexer) {
@@ -2759,23 +3030,6 @@ async function sleepAndCallFunc({
 // src/next/commands/build-command/server.ts
 import { build as build2 } from "vite";
 var buildProductionSpa = async (configManager, database, apiURL) => {
-  const publicEnv = {};
-  Object.keys(process.env).forEach((key) => {
-    if (key.startsWith("TINA_PUBLIC_") || key.startsWith("NEXT_PUBLIC_") || key === "NODE_ENV" || key === "HEAD") {
-      try {
-        if (typeof process.env[key] === "string") {
-          publicEnv[key] = process.env[key];
-        } else {
-          publicEnv[key] = JSON.stringify(process.env[key]);
-        }
-      } catch (error) {
-        console.warn(
-          `Could not stringify public env process.env.${key} env variable`
-        );
-        console.warn(error);
-      }
-    }
-  });
   const config2 = await createConfig({
     plugins: [transformTsxPlugin({ configManager }), viteTransformExtension()],
     configManager,
@@ -5715,6 +5969,12 @@ import { LocalAuthProvider } from "tinacms";`;
       outputFolder: "admin",
       publicFolder: "${args.publicFolder}",
     },
+    // Uncomment to allow cross-origin requests from non-localhost origins
+    // during local development (e.g. GitHub Codespaces, Gitpod, Docker).
+    // Use 'private' to allow all private-network IPs (WSL2, Docker, etc.)
+    // server: {
+    //   allowedOrigins: ['https://your-codespace.github.dev'],
+    // },
     media: {
       tina: {
         mediaRoot: "",

package/dist/next/codegen/stripSearchTokenFromConfig.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Strips `indexerToken` from `search.tina` before serialization to
+ * _schema.json / tina-lock.json.
+ *
+ * @see https://github.com/tinacms/tinacms/security/advisories/GHSA-4qrm-9h4r-v2fx
+ */
+export declare function stripSearchTokenFromConfig<T extends object>(config: T): T;

package/dist/next/commands/dev-command/server/media.d.ts

@@ -1,5 +1,5 @@
-import type { Connect } from 'vite';
 import type { ServerResponse } from 'http';
+import type { Connect } from 'vite';
 export declare const createMediaRouter: (config: PathConfig) => {
     handleList: (req: any, res: any) => Promise<void>;
     handleDelete: (req: Connect.IncomingMessage, res: any) => Promise<void>;
@@ -34,6 +34,23 @@ type SuccessRecord = {
     ok: false;
     message: string;
 };
+/**
+ * Handles media file operations (list, delete) for the Vite-based dev server.
+ *
+ * @security Every method that accepts a user-supplied `searchPath` validates
+ * it against the media root using `resolveWithinBase` (list) or
+ * `resolveStrictlyWithinBase` (delete) before any filesystem access.
+ *
+ * - **list** uses `resolveWithinBase` because listing the media root itself
+ *   (empty path / exact base match) is a valid operation.
+ * - **delete** uses `resolveStrictlyWithinBase` because deleting the media
+ *   root directory itself must never be allowed.
+ *
+ * Both methods catch `PathTraversalError` and re-throw it so that the
+ * route handler can return a 403 response. Other errors are caught and
+ * returned as structured error responses (this avoids leaking stack traces
+ * to the client).
+ */
 export declare class MediaModel {
     readonly rootPath: string;
     readonly publicFolder: string;

package/dist/next/commands/dev-command/server/searchIndex.d.ts

@@ -1,12 +1,47 @@
+import type { IncomingMessage, ServerResponse } from 'node:http';
+import type { SearchQueryResponse, SearchResult } from '@tinacms/search';
 export interface PathConfig {
     apiURL: string;
     searchPath: string;
 }
+interface SearchIndexOptions {
+    DOCUMENTS?: boolean;
+    PAGE?: {
+        NUMBER: number;
+        SIZE: number;
+    };
+}
+interface SearchIndexResult {
+    RESULT: SearchResult[];
+    RESULT_LENGTH: number;
+}
+interface FuzzySearchWrapper {
+    query: (query: string, options: {
+        limit?: number;
+        cursor?: string;
+        fuzzyOptions?: Record<string, unknown>;
+    }) => Promise<SearchQueryResponse>;
+}
+interface SearchIndex {
+    PUT: (docs: Record<string, unknown>[]) => Promise<unknown>;
+    DELETE: (id: string) => Promise<unknown>;
+    QUERY: (query: {
+        AND?: string[];
+        OR?: string[];
+    }, options: SearchIndexOptions) => Promise<SearchIndexResult>;
+    fuzzySearchWrapper?: FuzzySearchWrapper;
+}
+interface RequestWithBody extends IncomingMessage {
+    body?: {
+        docs?: Record<string, unknown>[];
+    };
+}
 export declare const createSearchIndexRouter: ({ config, searchIndex, }: {
     config: PathConfig;
-    searchIndex: any;
+    searchIndex: SearchIndex;
 }) => {
-    del: (req: any, res: any) => Promise<void>;
-    get: (req: any, res: any) => Promise<void>;
-    put: (req: any, res: any) => Promise<void>;
+    del: (req: IncomingMessage, res: ServerResponse) => Promise<void>;
+    get: (req: IncomingMessage, res: ServerResponse) => Promise<void>;
+    put: (req: RequestWithBody, res: ServerResponse) => Promise<void>;
 };
+export {};

package/dist/next/config-manager.d.ts

@@ -54,7 +54,9 @@ export declare class ConfigManager {
     hasSeparateContentRoot(): boolean;
     shouldSkipSDK(): boolean;
     processConfig(): Promise<void>;
-    getTinaFolderPath(rootPath: any): Promise<string>;
+    getTinaFolderPath(rootPath: string, { isContentRoot }?: {
+        isContentRoot?: boolean;
+    }): Promise<string>;
     getTinaGraphQLVersion(): {
         fullVersion: string;
         major: string;

package/dist/next/database.d.ts

@@ -1,4 +1,4 @@
-import { Database, Bridge } from '@tinacms/graphql';
+import { Bridge, Database } from '@tinacms/graphql';
 import { ConfigManager } from './config-manager';
 export declare const createDBServer: (port: number) => void;
 export declare function createAndInitializeDatabase(configManager: ConfigManager, datalayerPort: number, bridgeOverride?: Bridge): Promise<Database>;

package/dist/next/vite/cors.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Shared CORS origin-checking logic for the TinaCMS dev server.
+ *
+ * By default only localhost / 127.0.0.1 / [::1] (any port) are allowed.
+ * Users can extend this via `server.allowedOrigins` in their tina config.
+ * The special keyword `'private'` expands to all RFC 1918 private-network
+ * IP ranges (10.x, 172.16-31.x, 192.168.x) — useful for WSL2, Docker
+ * bridge networks, etc.
+ */
+/**
+ * Build a CORS `origin` callback compatible with the `cors` npm package.
+ */
+export declare function buildCorsOriginCheck(allowedOrigins?: (string | RegExp)[]): (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => void;

package/dist/next/vite/filterPublicEnv.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Filters env vars to only those safe for client-side bundles.
+ *
+ * Allows: TINA_PUBLIC_*, NEXT_PUBLIC_*, NODE_ENV, HEAD.
+ * Everything else is excluded to prevent leaking secrets.
+ *
+ * @see https://github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr
+ */
+export declare function filterPublicEnv(env?: Record<string, string | undefined>): Record<string, string>;

package/dist/next/vite/plugins.d.ts

@@ -1,8 +1,8 @@
-import type { Plugin } from 'vite';
 import { FilterPattern } from '@rollup/pluginutils';
 import type { Config } from '@svgr/core';
-import { transformWithEsbuild } from 'vite';
 import type { Database } from '@tinacms/graphql';
+import type { Plugin } from 'vite';
+import { transformWithEsbuild } from 'vite';
 import type { ConfigManager } from '../config-manager';
 export declare const transformTsxPlugin: ({ configManager: _configManager, }: {
     configManager: ConfigManager;

package/dist/server/models/media.d.ts

@@ -28,6 +28,23 @@ type SuccessRecord = {
     ok: false;
     message: string;
 };
+/**
+ * Handles media file operations (list, delete) for the Express-based server.
+ *
+ * @security Every method that accepts a user-supplied `searchPath` validates
+ * it against the media root using `resolveWithinBase` (list) or
+ * `resolveStrictlyWithinBase` (delete) before any filesystem access.
+ *
+ * - **list** uses `resolveWithinBase` because listing the media root itself
+ *   (empty path / exact base match) is a valid operation.
+ * - **delete** uses `resolveStrictlyWithinBase` because deleting the media
+ *   root directory itself must never be allowed.
+ *
+ * Both methods catch `PathTraversalError` and re-throw it so that the
+ * route handler can return a 403 response. Other errors are caught and
+ * returned as structured error responses (this avoids leaking stack traces
+ * to the client).
+ */
 export declare class MediaModel {
     readonly rootPath: string;
     readonly publicFolder: string;

package/dist/utils/host.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Returns true when the Vite server host config indicates the server is
+ * listening on a non-localhost address (i.e. exposed to the network).
+ */
+export declare function isHostExposed(host: string | boolean | undefined): boolean;

package/dist/utils/path.d.ts

@@ -1,3 +1,29 @@
 /** Removes trailing slash from path. Separator to remove is chosen based on
  *  operating system. */
 export declare function stripNativeTrailingSlash(p: string): string;
+/**
+ * Validates that a user-supplied path does not escape the base directory
+ * via path traversal (CWE-22). Returns the resolved absolute path.
+ *
+ * Allows an exact base match (empty or `.` input) — use this for list/read
+ * operations where referencing the root directory itself is valid. For
+ * delete/write operations where you need to target an actual file, use the
+ * `resolveStrictlyWithinBase` variant (currently inlined in media models).
+ *
+ * As a safety net, also rejects paths that still contain URL-encoded
+ * traversal sequences (`%2e%2e`, `%2f`, `%5c`), catching cases where the
+ * caller forgot to decode.
+ *
+ * @security This is the canonical implementation. Inlined copies exist in
+ * the media model files for CodeQL compatibility — keep them in sync.
+ *
+ * @param userPath - The untrusted path from the request (must already be
+ *   URI-decoded by the caller).
+ * @param baseDir  - The trusted base directory the path must stay within.
+ * @returns The resolved absolute path.
+ * @throws {PathTraversalError} If the path escapes the base directory.
+ */
+export declare function assertPathWithinBase(userPath: string, baseDir: string): string;
+export declare class PathTraversalError extends Error {
+    constructor(attemptedPath: string);
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@tinacms/cli",
   "type": "module",
-  "version": "0.0.0-e6ffde4-20251216055147",
+  "version": "0.0.0-e797ebd-20260331104743",
   "main": "dist/index.js",
   "typings": "dist/index.d.ts",
   "files": [
@@ -41,7 +41,7 @@
     "@types/progress": "^2.0.7",
     "@types/prompts": "^2.4.9",
     "jest": "^29.7.0",
-    "@tinacms/scripts": "1.4.2"
+    "@tinacms/scripts": "1.6.0"
   },
   "dependencies": {
     "@graphql-codegen/core": "^2.6.8",
@@ -88,12 +88,12 @@
     "vite": "^4.5.9",
     "yup": "^1.6.1",
     "zod": "^3.24.2",
-    "@tinacms/app": "0.0.0-e6ffde4-20251216055147",
-    "@tinacms/graphql": "2.0.2",
+    "@tinacms/app": "0.0.0-e797ebd-20260331104743",
+    "@tinacms/graphql": "2.2.2",
     "@tinacms/metrics": "2.0.1",
-    "@tinacms/schema-tools": "2.1.0",
-    "tinacms": "0.0.0-e6ffde4-20251216055147",
-    "@tinacms/search": "1.1.6"
+    "@tinacms/schema-tools": "2.7.0",
+    "@tinacms/search": "1.2.8",
+    "tinacms": "0.0.0-e797ebd-20260331104743"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org"