gina 0.3.6-alpha.2 → 0.3.6

package/CHANGELOG.md

@@ -6,6 +6,21 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html),
 and is generated by [Changie](https://github.com/miniscruff/changie).
 
 
+## 0.3.6 - 2026-04-16
+### Changed
+* syncDocs now regenerates the docs-site package-lock.json after bumping devDependencies.gina — prevents CI / Vercel / Worker deploy failures on every stable release.
+### Fixed
+* Prevented spurious Whisper Error on the first CLI command after a fresh install (#B12). `gina --version` and `gina framework:*` commands no longer emit a red error stack trace before their output on a brand-new install.
+* Hardening framework:init against missing or mistyped `def_*` keys in ~/.gina/main.json (#B13 — blast-radius follow-up to #B12). `main['def_prefix']`, `def_global_mode`, `def_arch`, `def_platform`, `def_env`, `def_scope`, `def_log_level` reads now short-circuit to undefined instead of throwing TypeError when the key is entirely absent.
+* Surfacing the real cause when `prepare_version.js` is run against a stale `~/.gina/<release>/settings.json` `dir` field. Publish now fails fast with an actionable message instead of wedging at `pushChangesToGitIfNeeded` with a misleading "No branch selected" error.
+* Preventing CORS preflight failure when a bundle's env.json `access-control-allow-headers` list omits a header the client actually sends. `completeHeaders()` no longer overwrites the echo that `checkPreflightRequest()` sets from the incoming `access-control-request-headers` (#B13).
+### Security
+* Added pre-commit hook (.githooks/pre-commit) that blocks Claude-related paths (CLAUDE.md, .claude*) from entering git history. post_install.js installs core.hooksPath=.githooks for contributor clones only (gated on .git presence in gina repo root). #S5 follow-up to #S3.
+* Added GitHub Actions workflow (.github/workflows/security.yml) that greps the git index on every push/PR to develop and master for Claude-related paths (CLAUDE.md, .claude*). Fails the build if any are tracked. Backs up the local pre-commit hook (#S5) and publish-boundary gate (#S3). #S6 follow-up to #S3.
+* Added private-token leak gate (script/check_no_claude_leak.js) wired into the npm prepack hook and the prepare_version.js self.* chain before any git add --all. Fails the publish if the tarball listing contains Claude-related paths OR if pack contents contain private-token patterns (phone, private email, private address, private domain, co-author legal name). #G1 follow-up to #S3/#S4.
+* Added opt-in pre-commit hook (resources/git-hooks/pre-commit) that blocks commits authored under a private-domain git identity (.local hostnames, internal domains). Contributors install it once via cp resources/git-hooks/pre-commit .git/hooks/pre-commit. Complements the CI-side Claude-path guard (#S5/#S6). #G5.
+* Redacting secret-looking fields from the dev-mode Inspector feed before any sink (window.__ginaData, localStorage.__ginaData, /_gina/agent SSE, engine.io push, ginaToolbar forms/XHR overlays). New lib/inspector-redact deep-clones the Inspector payload and replaces values whose keys match the default regex (password, pwd, secret, token, apikey, cvv, ssn, authorization, credentials, private_key) with [redacted]. Two complementary carve-outs preserve validation metadata: (1) NON_SECRET_SUFFIX — keys ending in rule/rules/policy/policies/validator/config/configuration/settings/requirements/strength/constraint/options/schema/definition/spec pass through untouched (e.g. passwordRule, passwordPolicy describe form rules, not user input); (2) primitive-only redaction — when a matched secret key holds an object or array, the walker recurses into it instead of replacing it, because such values are always metadata (e.g. rules.account[password] = {isRequired: true, isString: 7} — an HTML form field name under a rules: section). Nested primitive secrets inside preserved objects are still caught on recursion. Client-side shim in statusbar.html mirrors both carve-outs and additionally redacts any DOM input whose type matches configured types (default: password). Configurable via settings.json inspector.redact.{patterns,types,replacement}. Dev-mode only — the actual HTTP response body is never touched. #R7.
+
 ## 0.3.5 - 2026-04-13
 ### Security
 * Bumped @rhinostone/swig to 1.5.0 — extends CVE-2023-25345 path-traversal guards to bracket notation, set bracket assignment, for loop variables, macro names, and import aliases.

package/README.md

@@ -37,11 +37,12 @@ gina bundle:start api @myproject
 open https://localhost:3100
 ```
 
-## What's in 0.3.5
+## What's in 0.3.6
 
-- **Security (CVE-2023-25345 extension)** — bumped `@rhinostone/swig` to 1.5.0, extending path-traversal guards to bracket-notation access, set-bracket assignment, for-loop variables, macro names, and import aliases
-- **Client-side parity** — updated vendored browser swig (`core/deps/swig-client/`) to the 1.5.0 build; browser-side templating now matches the server-side `__proto__`/`constructor`/`prototype` blocklist
-- See 0.3.4 for the `require('gina/gna')` stale-path fix, and 0.3.3 for feature additions (live index introspection, `bundle:openapi`, `framework:get`, `port:set`, swig migration, internal `lib/uuid`, popin performance, validator fix, Docker fixes, requireJSON resilience)
+- **Inspector payload redaction** — passwords, tokens, API keys, and secret-like fields are automatically stripped from all four Inspector data sinks (`window.__ginaData`, `localStorage`, `/_gina/agent` SSE, `ginaToolbar.update`). Configurable patterns via `inspector.redact` in bundle settings. Metadata carve-outs preserve validation rules and object-valued config under secret keys
+- **CORS preflight fix** — `completeHeaders()` no longer overwrites the echoed `access-control-allow-headers` on preflight responses, fixing browser CORS errors when the bundle's static ACAH list didn't include all client-sent headers
+- **Whisper silent-pass** — `whisper()` no longer emits a red stack trace on missing dictionary keys (first-install UX fix); `post_install.js` now seeds `def_global_mode` so the key is always present
+- See 0.3.5 for the swig 1.5.0 security extension, and 0.3.4 for the `require('gina/gna')` stale-path fix
 
 See the full [Changelog](./CHANGELOG.md) and [Roadmap](./ROADMAP.md).
 

package/framework/v0.3.6/VERSION

@@ -0,0 +1 @@
+0.3.6

package/framework/{v0.3.6-alpha.2 → v0.3.6}/core/asset/plugin/dist/vendor/gina/html/statusbar.html

@@ -9,6 +9,96 @@
     var envName = env.env     || '?';
     var dot     = data.error  ? '#e74c3c' : '#2ecc71';
 
+    // ── Inspector secret redaction (#R7) ──────────────────────────────────
+    // Matches the server-side rules in lib/inspector-redact. Strips secret-
+    // looking fields from anything passed to ginaToolbar.update() before it
+    // touches window.__ginaData or localStorage. Patterns/types/replacement
+    // come from window.__ginaData.gina.inspectorRedact (server-injected).
+    var _rdc      = (d.gina && d.gina.inspectorRedact) || {};
+    var _rdcRepl  = (typeof _rdc.replacement === 'string') ? _rdc.replacement : '[redacted]';
+    var _rdcTypes = {};
+    if (Array.isArray(_rdc.types)) {
+        for (var _ti = 0; _ti < _rdc.types.length; _ti++) {
+            _rdcTypes[String(_rdc.types[_ti]).toLowerCase()] = true;
+        }
+    } else {
+        _rdcTypes['password'] = true;
+    }
+    var _rdcRe = [];
+    var _rdcSrc = Array.isArray(_rdc.patterns) ? _rdc.patterns
+        : ['password','passwd','pwd','secret','token','apikey','api[_-]?key','cvv','cvc','ccv','pan','ssn','authorization','credentials','private[_-]?key'];
+    for (var _ri = 0; _ri < _rdcSrc.length; _ri++) {
+        try { _rdcRe.push(new RegExp(_rdcSrc[_ri], 'i')); } catch (e) { /* skip */ }
+    }
+    // Keys ending in rule/policy/config/validator suffixes describe validation
+    // metadata, not user input — must not be redacted even when the name
+    // contains a secret keyword (e.g. `passwordRule`). Mirrors the server-side
+    // NON_SECRET_SUFFIX regex in lib/inspector-redact.
+    var _rdcNonSecret = /(rule|rules|policy|policies|validator|config|configuration|settings|setting|meta|metadata|format|requirements|strength|constraint|constraints|options|option|schema|definition|definitions|spec|specs)$/i;
+    function _rdcKeyHit(k) {
+        if (typeof k !== 'string') return false;
+        if (_rdcNonSecret.test(k)) return false;
+        for (var i = 0; i < _rdcRe.length; i++) {
+            if (_rdcRe[i].test(k)) return true;
+        }
+        return false;
+    }
+    // Build a Set of secret field names from the form DOM (input[type=password]
+    // etc.). Lets us redact by actual input type, not just by field-name regex.
+    function _rdcDomSecrets(formId) {
+        var hits = {};
+        try {
+            var doc = (window.opener && window.opener.document) || document;
+            var form = formId ? doc.getElementById(formId) : null;
+            var els  = form ? form.querySelectorAll('input,select,textarea') : doc.querySelectorAll('input');
+            for (var i = 0; i < els.length; i++) {
+                var t = (els[i].type || '').toLowerCase();
+                var n = els[i].name || els[i].id || '';
+                if (n && _rdcTypes[t]) hits[n] = true;
+            }
+        } catch (e) { /* cross-origin or detached opener */ }
+        return hits;
+    }
+    function _rdcWalk(v, depth, seen, domHits) {
+        if (depth > 50) return v;
+        if (v === null || typeof v !== 'object') return v;
+        if (seen.indexOf(v) !== -1) return '[circular]';
+        seen.push(v);
+        if (Array.isArray(v)) {
+            var arr = new Array(v.length);
+            for (var i = 0; i < v.length; i++) arr[i] = _rdcWalk(v[i], depth + 1, seen, domHits);
+            return arr;
+        }
+        var out = {};
+        var ks  = Object.keys(v);
+        for (var k = 0; k < ks.length; k++) {
+            var key = ks[k];
+            var val = v[key];
+            if (_rdcKeyHit(key) || (domHits && domHits[key])) {
+                // Only primitive leaf values are redacted. Object/array values
+                // under a secret-like key are metadata (validation rules, error
+                // maps, validator specs keyed by form field name like
+                // `account[password]`) — walk into them so nested primitive
+                // secrets still get caught, but the rule structure itself
+                // passes through.
+                if (val === null || typeof val === 'undefined') {
+                    out[key] = val;
+                } else if (typeof val === 'object') {
+                    out[key] = _rdcWalk(val, depth + 1, seen, domHits);
+                } else {
+                    out[key] = _rdcRepl;
+                }
+            } else {
+                out[key] = _rdcWalk(val, depth + 1, seen, domHits);
+            }
+        }
+        return out;
+    }
+    function _rdc_redact(value, formId) {
+        var domHits = formId ? _rdcDomSecrets(formId) : null;
+        return _rdcWalk(value, 0, [], domHits);
+    }
+
     // ── ginaToolbar shim ──────────────────────────────────────────────────
     // gina.min.js is a stale build that creates its own window.ginaToolbar
     // with a loadData function that accesses removed DOM elements
@@ -29,23 +119,25 @@
 
             if (section === 'data-xhr' || section === 'view-xhr') {
                 if (sectionData) {
-                    u[section] = sectionData;
-                    g[section] = sectionData;
+                    var _safe = _rdc_redact(sectionData, null);
+                    u[section] = _safe;
+                    g[section] = _safe;
                 } else {
                     delete u[section];
                     delete g[section];
                 }
             } else if (section === 'el-xhr') {
-                u['el-xhr'] = sectionData;
+                u['el-xhr'] = _rdc_redact(sectionData, null);
             } else if (section === 'forms') {
                 if (typeof sectionData === 'object' && sectionData !== null && sectionData.id) {
                     if (!u.forms) u.forms = {};
                     if (!u.forms[sectionData.id]) u.forms[sectionData.id] = {};
                     var fd = u.forms[sectionData.id];
-                    var fk = Object.keys(sectionData);
+                    var _safeForm = _rdc_redact(sectionData, sectionData.id);
+                    var fk = Object.keys(_safeForm);
                     for (var i = 0; i < fk.length; i++) {
                         if (fk[i] === 'id') continue;
-                        fd[fk[i]] = sectionData[fk[i]];
+                        fd[fk[i]] = _safeForm[fk[i]];
                     }
                 }
             }

package/framework/{v0.3.6-alpha.2 → v0.3.6}/core/asset/plugin/dist/vendor/gina/js/gina.js

@@ -21435,16 +21435,21 @@ function getDependencies(gina, cb) {
     }
 
     // Gina madatory dependencies are handled here
+    // Webroot is resolved at runtime from `gina.config` (populated by gina.onload.min.js,
+    // which IS whispered server-side). `core.js` ships in `gina.min.js`, which is served
+    // as a static asset without a swig pass — so `{{ page.environment.webroot }}` tokens
+    // embedded here would reach the browser un-interpolated and break the fetch.
+    var _webroot = (gina && gina.config && gina.config.webroot) || '/';
     var arr = [
         // Get routing to populate `window.gina.config.routing`
         // Now fetching routing from gina
         {
             func: loadRoutingConf,
-            args: [ 'routing', {url:  '{{ page.environment.webroot }}_gina/assets/routing.json'} ]
+            args: [ 'routing', {url:  _webroot + '_gina/assets/routing.json'} ]
         }
         // {
         //     func: loadRoutingConf,
-        //     args: [ 'reverseRouting', {url:  '{{ page.environment.webroot }}_gina/assets/reverse-routing.json'} ]
+        //     args: [ 'reverseRouting', {url:  _webroot + '_gina/assets/reverse-routing.json'} ]
         // }
     ];
     depsEventBus.addEventListener('deps.loaded', (event) => {

package/framework/{v0.3.6-alpha.2 → v0.3.6}/core/asset/plugin/dist/vendor/gina/js/gina.min.js

@@ -530,6 +530,6 @@ function readyStateChange(){'complete'===document.readyState&&gina.ready()}
 if('undefined'==typeof window.gina){var gina={_global:{register:function(r){if('undefined'!=typeof r)for(let I in r)window[I]=r[I]},unregister:function(r){if('undefined'==typeof r||!Array.isArray(r))throw Error('`variables` needs to ba an array');for(let I=0,G=r.length;I<G;I++)delete window[r[I]]},initialized:[]},ready:function(r,I){readyFired?setTimeout(function(){r(I)},1):(readyList.push({name:'anonymous',fn:r,ctx:I}),'complete'===document.readyState||!document.attachEvent&&'interactive'===document.readyState?
 setTimeout(ready,1):readyEventHandlersInstalled||(document.addEventListener?(document.addEventListener('DOMContentLoaded',ready,!1),window.addEventListener('load',ready,!1)):(document.attachEvent('onreadystatechange',readyStateChange),window.attachEvent('onload',ready)),readyEventHandlersInstalled=!0))}};window.gina=gina}define('core',['require','gina'],function(r){r('gina')(window.gina)});require.config({packages:['gina']});require('vendor/engine.io core helpers/prototypes helpers/binding helpers/dateFormat gina/link gina/validator gina/popin gina/storage utils/dom utils/events utils/data utils/effects utils/polyfill lib/inherits lib/form-validator lib/collection lib/domain lib/routing'.split(' '));
 function getDependencies(r,I){var G=new EventTarget,O=[{func:async function(C,D){D=D.url;var U=null,B=null,F=null;try{U=await fetch(D),B=await U.text(),'undefined'==typeof r&&(r={}),'undefined'==typeof window.gina.config&&(r.config={}),r.config[C]=JSON.parse(B),G.dispatchEvent(new CustomEvent('deps.loaded',{detail:{data:B,error:F,timestamp:new Date}}))}catch(f){F=Error('[ROUTING] Could not load routing\n'+(f.stack||f.message||f)),G.dispatchEvent(new CustomEvent('deps.loaded',{detail:{data:null,error:F,
-timestamp:new Date}}))}},args:['routing',{url:'{{ page.environment.webroot }}_gina/assets/routing.json'}]}];G.addEventListener('deps.loaded',C=>{O.splice(0,1);O.length||I()});try{for(let C=0,D=O.length;C<D;C++)O[C].func.apply(null,O[C].args)}catch(C){console.error(C.stack|C.message|C)}}
+timestamp:new Date}}))}},args:['routing',{url:(r&&r.config&&r.config.webroot||'/')+'_gina/assets/routing.json'}]}];G.addEventListener('deps.loaded',C=>{O.splice(0,1);O.length||I()});try{for(let C=0,D=O.length;C<D;C++)O[C].func.apply(null,O[C].args)}catch(C){console.error(C.stack|C.message|C)}}
 for(var tags=document.getElementsByTagName('script'),t=0,len=tags.length;t<len;++t)if(/(gina\.min\.js|gina\.js)/.test(tags[t].getAttribute('src'))){tags[t].onload=function(r){console.debug('Core Gina loaded !');getDependencies(gina,function(){if(window.onGinaLoaded)var I=window.onGinaLoaded;document.addEventListener?document.addEventListener('ginaloaded',function(G){window.gina=G.detail;I(G.detail)}):document.attachEvent&&document.attachEvent('ginaloaded',function(G){window.gina=G.detail;I(G.detail)})})}();
 break};

package/framework/{v0.3.6-alpha.2 → v0.3.6}/core/controller/controller.render-json.js

@@ -4,6 +4,8 @@ const lib               = require('./../../lib') || require.cache[require.resolv
 const Collection        = lib.Collection;
 const cache             = new lib.Cache();
 var statusCodes         = requireJSON( _( getPath('gina').core + '/status.codes') );
+// Inspector secret redaction (dev-mode only — never touches the actual response body)
+var inspectorRedact     = require('lib/inspector-redact');
 
 // Inherited from controller
 var self                = null
@@ -270,7 +272,24 @@ module.exports = function renderJSON(jsonObj, deps) {
                     entries      : local._timeline.entries
                 };
             }
-            var __gdPayload = { gina: { environment: _env }, user: _gdUser };
+            // #R7 — redact secret-looking fields from the Inspector clone before
+            // any sink (engine.io push, /_gina/agent SSE). The actual response
+            // body `jsonObj` is never touched — `redact()` returns a deep clone.
+            // The resolved redact config is exposed under `gina.inspectorRedact`
+            // so the standalone Inspector can mirror the same rules client-side.
+            var _jsonRedactConf = inspectorRedact.getConfig(local.options.conf);
+            var __gdPayload = {
+                gina : { environment: _env, inspectorRedact: {
+                    patterns    : _jsonRedactConf.patterns,
+                    types       : _jsonRedactConf.types,
+                    replacement : _jsonRedactConf.replacement
+                }},
+                user : _gdUser
+            };
+            __gdPayload = inspectorRedact.redact(__gdPayload, {
+                compiledPatterns : _jsonRedactConf.compiledPatterns,
+                replacement      : _jsonRedactConf.replacement
+            });
             self.serverInstance._lastGinaData = __gdPayload;
             process.emit('inspector#data', __gdPayload);
         }

package/framework/{v0.3.6-alpha.2 → v0.3.6}/core/controller/controller.render-swig.js

@@ -5,6 +5,8 @@ const lib             = require('./../../lib') || require.cache[require.resolve(
 const Collection      = lib.Collection;
 const cache           = new lib.Cache();
 var statusCodes       = requireJSON( _( getPath('gina').core + '/status.codes') );
+// Inspector secret redaction (dev-mode only — never touches the actual response body)
+var inspectorRedact   = require('lib/inspector-redact');
 // Precompiled regex — avoids per-request RegExp allocation (#P3)
 var blacklistRe       = /[<>]/g;
 
@@ -1046,7 +1048,24 @@ module.exports = async function render(userData, displayInspector, errOptions, d
             __gdUser.view.stylesheets = 'ignored-by-toolbar';
             __gdUser.view.assets      = assets;
 
+            // Inspector secret redaction (#R7) — strip secret-looking fields from
+            // the Inspector clone before any sink (HTML script tag, engine.io push,
+            // /_gina/agent SSE). The actual template `data` is never touched.
+            // Inject the resolved redact config so the statusbar shim can apply
+            // the same rules to validator `ginaToolbar.update()` calls client-side.
+            var _redactConf = inspectorRedact.getConfig(local.options.conf);
+            __gdGina.inspectorRedact = {
+                patterns    : _redactConf.patterns,
+                types       : _redactConf.types,
+                replacement : _redactConf.replacement
+            };
+
             var __gdPayload = { gina: __gdGina, user: __gdUser };
+            __gdPayload = inspectorRedact.redact(__gdPayload, {
+                compiledPatterns : _redactConf.compiledPatterns,
+                replacement      : _redactConf.replacement
+            });
+
             var __gdScript = '<script>window.__ginaData = '
                 + JSON.stringify(__gdPayload)
                     .replace(/<\/script>/gi, '<\\/script>')

package/framework/{v0.3.6-alpha.2 → v0.3.6}/core/server.js

@@ -1454,6 +1454,19 @@ function Server(options) {
                         }
                         sameOrigin = false;
                     } else {
+                        // #B13 — preserve preflight echo of access-control-allow-headers.
+                        // checkPreflightRequest() echoes back the browser's
+                        // access-control-request-headers list so the preflight passes even
+                        // when the bundle's static ACAH config does not list every header
+                        // the client sends (e.g. Content-Type). Without this guard, the
+                        // static value below would overwrite that echo and break CORS.
+                        if (
+                            /^access\-control\-allow\-headers$/i.test(h)
+                            && request.isPreflightRequest
+                            && response.getHeader('access-control-allow-headers')
+                        ) {
+                            continue;
+                        }
                         headerValue = resHeaders[h];
                         try {
                             response.setHeader(h, headerValue);

package/framework/{v0.3.6-alpha.2 → v0.3.6}/helpers/context.js

@@ -691,6 +691,27 @@ function ContextHelper(contexts) {
     //     );
     // }
 
+    /**
+     * Interpolates `${key}` tokens in `replaceable` using values from `dictionary`.
+     *
+     * Handles three passes:
+     *  1. Quoted boolean/null shapes: `"${key}"` → unquoted literal when the value is a boolean or null.
+     *  2. Bare tokens: `${key}` → string value.
+     *  3. Embedded tokens inside a larger string (e.g. `~/.${projectName}`) via a manual
+     *     replace to avoid infinite recursion on the regex engine.
+     *
+     * Unknown keys are left untouched silently — earlier revisions logged a
+     * "Whisper Error" on every first-run CLI command when a default had not yet
+     * been seeded (see #B12). Callers that need strict-mode behaviour must
+     * validate their dictionaries before the call.
+     *
+     * @global
+     * @function whisper
+     * @param {Object} dictionary - Map of `key → replacement` values.
+     * @param {Object|string} replaceable - Object or JSON-serialisable value containing `${key}` tokens.
+     * @param {RegExp} [rule] - Optional custom replace rule; when provided, short-circuits the three-pass logic.
+     * @returns {Object|string} The interpolated object or string. Unknown tokens are preserved verbatim.
+     */
     global.whisper = function(dictionary, replaceable, rule) {
         // 1. Inline rule
         if (typeof(rule) != 'undefined') {
@@ -736,17 +757,12 @@ function ContextHelper(contexts) {
                 if (dictionary[key] !== undefined) {
                     // Manual replace to avoid infinite recursion.
                     return s.replace(new RegExp('\\$\\{' + key + '\\}'), dictionary[key]);
-                } else {
-                    // Generate stack trace to identify the caller
-                    const stack = new Error().stack;
-
-                    console.error(
-                        `[Whisper Error]: The key \${${key}} was not found in the dictionary.\n` +
-                        `Skipping replacement to prevent infinite loop.\n` +
-                        `Stack Trace:\n${stack}`
-                    );
-                    return s;
                 }
+                // Key not in dictionary — leave the token in place silently.
+                // Earlier branches already handled the common shapes; reaching here
+                // means no seeded default exists yet. Emitting an error on every
+                // first-run CLI command was noisy and misleading (see #B12).
+                return s;
             })
             // OS Environment Variables
             .replace(/\"\~\/\"|\"\$([_A-Z0-9]+)\"/g, function(s, key) {

package/framework/{v0.3.6-alpha.2 → v0.3.6}/lib/cmd/framework/init.js

@@ -536,12 +536,12 @@ function Initialize(opt) {
         var main            = require( _(self.opt.homedir + '/main.json', true) )
             , version       = getEnvVar('GINA_VERSION')
             , defFramework  = getEnvVar('GINA_DEF_FRAMEWORK') || main['def_framework']
-            , prefix        = getEnvVar('GINA_PREFIX') || main['def_prefix'][self.release]
-            , globalMode    = getEnvVar('GINA_GLOBAL_MODE') || main['def_global_mode'][self.release]
-            , arch          = getEnvVar('GINA_ARCH') || main['def_arch'][self.release]
-            , platform      = getEnvVar('GINA_PLATFORM') || main['def_platform'][self.release]
-            , env           = getEnvVar('GINA_ENV') || main['def_env'][self.release]
-            , scope         = getEnvVar('GINA_SCOPE') || main['def_scope'][self.release]
+            , prefix        = getEnvVar('GINA_PREFIX') || (main['def_prefix'] && main['def_prefix'][self.release])
+            , globalMode    = getEnvVar('GINA_GLOBAL_MODE') || (main['def_global_mode'] && main['def_global_mode'][self.release])
+            , arch          = getEnvVar('GINA_ARCH') || (main['def_arch'] && main['def_arch'][self.release])
+            , platform      = getEnvVar('GINA_PLATFORM') || (main['def_platform'] && main['def_platform'][self.release])
+            , env           = getEnvVar('GINA_ENV') || (main['def_env'] && main['def_env'][self.release])
+            , scope         = getEnvVar('GINA_SCOPE') || (main['def_scope'] && main['def_scope'][self.release])
             , settings      = requireJSON( _( getPath('gina').root + '/resources/home/settings.json', true ) )
             , userSettings  = {}
             , target        = _(self.opt.homedir +'/'+ self.release +'/settings.json', true)
@@ -690,7 +690,7 @@ function Initialize(opt) {
                 'run_dir' : _( getRunDir(), true ),
                 'tmp_dir' : _( getTmpDir(), true ),
                 'log_dir' : _( getLogDir(), true ),
-                'log_level' : getEnvVar('GINA_LOG_LEVEL') || main['def_log_level'][self.release] || 'info'
+                'log_level' : getEnvVar('GINA_LOG_LEVEL') || (main['def_log_level'] && main['def_log_level'][self.release]) || 'info'
             };
 
             settings = whisper(dic, settings);
@@ -803,7 +803,7 @@ function Initialize(opt) {
         var main    = require( self.opt.homedir + '/main.json' );
         //has registered env ?
         // dev by default
-        var env     = getEnvVar('GINA_ENV') || main['def_env'][self.release];
+        var env     = getEnvVar('GINA_ENV') || (main['def_env'] && main['def_env'][self.release]);
         var readFromMainConf = true;
         if ( typeof(local.projectData) != 'undefined' && local.env) {
             readFromMainConf = false;
@@ -871,7 +871,7 @@ function Initialize(opt) {
         var main    = require( self.opt.homedir + '/main.json' );
         //has registered scope ?
         // scope by default
-        var scope   = getEnvVar('GINA_SCOPE') || main['def_scope'][self.release];
+        var scope   = getEnvVar('GINA_SCOPE') || (main['def_scope'] && main['def_scope'][self.release]);
         var readFromMainConf = true;
         if ( typeof(local.projectData) != 'undefined' && local.scope) {
             readFromMainConf = false;

package/framework/v0.3.6/lib/inspector-redact/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "gina-lib-inspector-redact",
+  "version": "1.0.0",
+  "description": "Redacts secret-looking fields from Inspector payloads (dev-mode only).",
+  "authors": [
+    {
+      "name": "Martin-Luther ETOUMAN",
+      "email": "contact@gina.io"
+    }
+  ],
+  "copyright": "Copyright (c) 2009-2026 Rhinostone <contact@gina.io>",
+  "engines": {
+    "node": ">=0.10.22"
+  },
+  "main": "src/main",
+  "license": "MIT"
+}

package/framework/v0.3.6/lib/inspector-redact/src/main.js

@@ -0,0 +1,184 @@
+/**
+ * @module inspector-redact
+ *
+ * Redacts secret-looking keys from Inspector payloads before they are shipped
+ * to window.__ginaData, localStorage.__ginaData, or /_gina/agent SSE frames.
+ *
+ * Dev-mode only. Never applied to the actual HTTP response body — the template
+ * still receives the real data object; only the Inspector clone is redacted.
+ *
+ * Configuration is read from settings.json:
+ *
+ *   "inspector": {
+ *       "redact": {
+ *           "patterns": ["password", "pwd", "token", ...],   // optional — extends/replaces defaults
+ *           "types":    ["password"],                         // client-side DOM input types
+ *           "replacement": "[redacted]"                        // optional
+ *       }
+ *   }
+ *
+ * When `patterns` or `types` is omitted, the defaults below are used.
+ */
+
+'use strict';
+
+var DEFAULT_PATTERNS = [
+    'password', 'passwd', 'pwd',
+    'secret',
+    'token', 'apikey', 'api[_-]?key',
+    'cvv', 'cvc', 'ccv',
+    'pan', 'ssn',
+    'authorization', 'credentials',
+    'private[_-]?key'
+];
+
+var DEFAULT_TYPES = ['password'];
+var REPLACEMENT   = '[redacted]';
+
+// Keys ending with these suffixes describe validation rules, policies, or
+// config metadata — they do not hold user input. A key like `passwordRule`
+// or `passwordPolicy` must pass through untouched even though it contains
+// the substring "password". Matched case-insensitively at the very end of
+// the key name.
+var NON_SECRET_SUFFIX = /(rule|rules|policy|policies|validator|config|configuration|settings|setting|meta|metadata|format|requirements|strength|constraint|constraints|options|option|schema|definition|definitions|spec|specs)$/i;
+
+/**
+ * Compile an array of regex source strings into RegExp objects. Invalid
+ * entries are dropped silently so a bad config key cannot crash a render.
+ * @param {string[]} patterns
+ * @returns {RegExp[]}
+ */
+function compile(patterns) {
+    var out = [];
+    if (!Array.isArray(patterns)) return out;
+    for (var i = 0; i < patterns.length; i++) {
+        try { out.push(new RegExp(patterns[i], 'i')); } catch (e) { /* skip */ }
+    }
+    return out;
+}
+
+/**
+ * @param {string} key
+ * @param {RegExp[]} compiled
+ * @returns {boolean}
+ */
+function keyMatches(key, compiled) {
+    if (typeof key !== 'string') return false;
+    // Rule/policy/config keys describe validation, not user input — skip them
+    // even when the name contains a secret keyword (e.g. `passwordRule`).
+    if (NON_SECRET_SUFFIX.test(key)) return false;
+    for (var i = 0; i < compiled.length; i++) {
+        if (compiled[i].test(key)) return true;
+    }
+    return false;
+}
+
+function walk(value, compiled, replacement, maxDepth, depth, seen) {
+    if (depth > maxDepth) return value;
+    if (value === null || typeof value !== 'object') return value;
+    if (seen.has(value)) return '[circular]';
+    seen.add(value);
+
+    if (Array.isArray(value)) {
+        var arr = new Array(value.length);
+        for (var i = 0; i < value.length; i++) {
+            arr[i] = walk(value[i], compiled, replacement, maxDepth, depth + 1, seen);
+        }
+        return arr;
+    }
+
+    var out  = {};
+    var keys = Object.keys(value);
+    for (var k = 0; k < keys.length; k++) {
+        var key = keys[k];
+        var v   = value[key];
+        if (keyMatches(key, compiled)) {
+            // Only primitive leaf values are redacted. Object/array values under
+            // a secret-like key are metadata (validation rules, error maps,
+            // validator specs keyed by form field name like `account[password]`)
+            // — walk into them so any primitive secrets nested deeper still get
+            // caught, but the rule structure itself passes through.
+            if (v === null || typeof v === 'undefined') {
+                out[key] = v;
+            } else if (typeof v === 'object') {
+                out[key] = walk(v, compiled, replacement, maxDepth, depth + 1, seen);
+            } else {
+                out[key] = replacement;
+            }
+        } else {
+            out[key] = walk(v, compiled, replacement, maxDepth, depth + 1, seen);
+        }
+    }
+    return out;
+}
+
+/**
+ * Walk `obj` and replace values whose key matches any redaction pattern with
+ * `replacement` (default `[redacted]`). Returns a deep-cloned copy — the
+ * input object is never mutated. Circular references become `'[circular]'`.
+ *
+ * @param {*} obj
+ * @param {object} [options]
+ * @param {string[]} [options.patterns]            - raw regex source strings (ignored if compiledPatterns is set)
+ * @param {RegExp[]} [options.compiledPatterns]
+ * @param {string}   [options.replacement='[redacted]']
+ * @param {number}   [options.maxDepth=50]
+ * @returns {*}
+ */
+function redact(obj, options) {
+    options = options || {};
+    var compiled = options.compiledPatterns
+        || compile(options.patterns || DEFAULT_PATTERNS);
+    var replacement = (typeof options.replacement === 'string') ? options.replacement : REPLACEMENT;
+    var maxDepth    = (typeof options.maxDepth === 'number') ? options.maxDepth : 50;
+    return walk(obj, compiled, replacement, maxDepth, 0, new WeakSet());
+}
+
+/**
+ * Resolve redaction configuration from a bundle's conf object. Accepts either
+ * `conf.inspector.redact` or `conf.content.inspector.redact` — whichever
+ * exists wins. Unknown/invalid keys fall back to defaults.
+ *
+ * @param {object} conf
+ * @returns {{patterns:string[], types:string[], replacement:string, compiledPatterns:RegExp[]}}
+ */
+function getConfig(conf) {
+    var redactConf = null;
+    if (conf) {
+        if (conf.inspector && conf.inspector.redact) {
+            redactConf = conf.inspector.redact;
+        } else if (conf.content && conf.content.settings && conf.content.settings.inspector && conf.content.settings.inspector.redact) {
+            redactConf = conf.content.settings.inspector.redact;
+        } else if (conf.content && conf.content.inspector && conf.content.inspector.redact) {
+            redactConf = conf.content.inspector.redact;
+        } else if (conf.settings && conf.settings.inspector && conf.settings.inspector.redact) {
+            redactConf = conf.settings.inspector.redact;
+        }
+    }
+    redactConf = redactConf || {};
+
+    var patterns = (Array.isArray(redactConf.patterns) && redactConf.patterns.length > 0)
+        ? redactConf.patterns : DEFAULT_PATTERNS;
+    var types = (Array.isArray(redactConf.types) && redactConf.types.length > 0)
+        ? redactConf.types : DEFAULT_TYPES;
+    var replacement = (typeof redactConf.replacement === 'string' && redactConf.replacement)
+        ? redactConf.replacement : REPLACEMENT;
+
+    return {
+        patterns         : patterns,
+        types            : types,
+        replacement      : replacement,
+        compiledPatterns : compile(patterns)
+    };
+}
+
+module.exports = {
+    DEFAULT_PATTERNS    : DEFAULT_PATTERNS,
+    DEFAULT_TYPES       : DEFAULT_TYPES,
+    REPLACEMENT         : REPLACEMENT,
+    NON_SECRET_SUFFIX   : NON_SECRET_SUFFIX,
+    compile             : compile,
+    keyMatches          : keyMatches,
+    redact              : redact,
+    getConfig           : getConfig
+};

package/gna.js

@@ -15,14 +15,14 @@
 'use strict';
 
 // Framework core — the main gna module (lifecycle hooks, lib, etc.)
-var _gna = require('./framework/v0.3.6-alpha.2/core/gna');
+var _gna = require('./framework/v0.3.6/core/gna');
 
 // SuperController and EntitySuper — loaded from their source modules
-var SuperController = require('./framework/v0.3.6-alpha.2/core/controller');
-var EntitySuper     = require('./framework/v0.3.6-alpha.2/core/model/entity');
+var SuperController = require('./framework/v0.3.6/core/controller');
+var EntitySuper     = require('./framework/v0.3.6/core/model/entity');
 
 // uuid — from the lib registry
-var uuid = require('./framework/v0.3.6-alpha.2/lib/uuid');
+var uuid = require('./framework/v0.3.6/lib/uuid');
 
 module.exports = {