gina 0.3.7-alpha.5 → 0.3.7-alpha.7

package/.github/scripts/scan-vendored-cves.js

@@ -0,0 +1,188 @@
+#!/usr/bin/env node
+/*
+ * This file is part of the gina package.
+ * Copyright (c) 2009-2026 Rhinostone <contact@gina.io>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+/**
+ * OSV-based CVE scan for vendored deps.
+ *
+ * Walks every `package.json` under `framework/v*\/core/deps/`, extracts
+ * `(name, version)` pairs, queries `api.osv.dev`, and exits non-zero if
+ * any vulnerability is matched.
+ *
+ * Pinning convention (see .claude/architecture/vendored-deps.md): the
+ * vendored `package.json` stays byte-identical to upstream until
+ * patched; on patch, `version` is bumped to `<upstream>-rhinostone.N`
+ * (e.g. `1.6.0-rhinostone.1`). This script strips the
+ * `-rhinostone.N` suffix before querying so OSV still matches the base
+ * upstream version.
+ *
+ * Exit codes:
+ *   0 — clean, no CVEs matched
+ *   1 — at least one vulnerability matched (build fails)
+ *   2 — scan error (malformed package.json, network failure)
+ *
+ * @module .github/scripts/scan-vendored-cves
+ */
+
+'use strict';
+
+var fs    = require('fs');
+var path  = require('path');
+var https = require('https');
+
+var ROOT = path.resolve(__dirname, '..', '..');
+
+/**
+ * Walk every `framework/v*\/core/deps/<dep>/package.json` and return the
+ * list of absolute paths.
+ *
+ * @returns {string[]}
+ */
+function walkDepsPackageJsons() {
+    var frameworkDir = path.join(ROOT, 'framework');
+    if (!fs.existsSync(frameworkDir)) return [];
+    var results = [];
+    var fws = fs.readdirSync(frameworkDir);
+    for (var i = 0; i < fws.length; i++) {
+        var depsDir = path.join(frameworkDir, fws[i], 'core', 'deps');
+        if (!fs.existsSync(depsDir)) continue;
+        if (!fs.statSync(depsDir).isDirectory()) continue;
+        var deps = fs.readdirSync(depsDir);
+        for (var j = 0; j < deps.length; j++) {
+            var pkgPath = path.join(depsDir, deps[j], 'package.json');
+            if (fs.existsSync(pkgPath)) results.push(pkgPath);
+        }
+    }
+    return results;
+}
+
+/**
+ * Strip the local-patch suffix (`-rhinostone.N`) so OSV sees the base
+ * upstream version. If the version has no such suffix, returned as-is.
+ *
+ * @param {string} v
+ * @returns {string}
+ */
+function normalizeVersion(v) {
+    return String(v).replace(/-rhinostone\.\d+$/, '');
+}
+
+/**
+ * POST a single `(name, version)` query to api.osv.dev/v1/query.
+ * Resolves with the parsed JSON response (which may carry `{vulns: [...]}`
+ * or be empty `{}` on a clean match).
+ *
+ * @param {string} name
+ * @param {string} version
+ * @returns {Promise<object>}
+ */
+function queryOSV(name, version) {
+    return new Promise(function (resolve, reject) {
+        var body = JSON.stringify({
+            package: { name: name, ecosystem: 'npm' },
+            version: version
+        });
+        var req = https.request({
+            method:   'POST',
+            hostname: 'api.osv.dev',
+            path:     '/v1/query',
+            headers: {
+                'Content-Type':   'application/json',
+                'Content-Length': Buffer.byteLength(body)
+            }
+        }, function (res) {
+            var data = '';
+            res.on('data', function (chunk) { data += chunk; });
+            res.on('end', function () {
+                if (res.statusCode !== 200) {
+                    return reject(new Error('OSV HTTP ' + res.statusCode + ': ' + data));
+                }
+                try {
+                    resolve(JSON.parse(data));
+                } catch (e) {
+                    reject(e);
+                }
+            });
+        });
+        req.on('error', reject);
+        req.write(body);
+        req.end();
+    });
+}
+
+/**
+ * Scan driver. Walks the target package.jsons, queries OSV for each,
+ * prints a one-line status per dep, exits with the appropriate code.
+ *
+ * @returns {Promise<number>} exit code
+ */
+async function main() {
+    var pkgs = walkDepsPackageJsons();
+    if (pkgs.length === 0) {
+        console.log('[osv] no vendored package.json files found under framework/v*/core/deps/');
+        return 0;
+    }
+
+    var failures = 0;
+    var scanned  = 0;
+    for (var i = 0; i < pkgs.length; i++) {
+        var pkgPath = pkgs[i];
+        var rel     = path.relative(ROOT, pkgPath);
+        var pkg;
+        try {
+            pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+        } catch (e) {
+            console.error('[osv] ' + rel + ': cannot parse (' + e.message + ')');
+            return 2;
+        }
+        if (!pkg.name || !pkg.version) {
+            console.log('[osv] SKIP ' + rel + ': missing name or version');
+            continue;
+        }
+
+        var baseVersion = normalizeVersion(pkg.version);
+        var suffix      = (pkg.version !== baseVersion) ? ' (patched: ' + pkg.version + ')' : '';
+        var result;
+        try {
+            result = await queryOSV(pkg.name, baseVersion);
+        } catch (e) {
+            console.error('[osv] ' + rel + ': query failed — ' + e.message);
+            return 2;
+        }
+
+        scanned++;
+        var vulns = result.vulns || [];
+        if (vulns.length > 0) {
+            failures++;
+            console.error('[osv] VULNERABLE ' + pkg.name + '@' + baseVersion + suffix + ' (' + rel + ')');
+            for (var v = 0; v < vulns.length; v++) {
+                var entry   = vulns[v];
+                var aliases = (entry.aliases || []).join(', ');
+                var summary = (entry.summary || entry.details || '').replace(/\s+/g, ' ').slice(0, 140);
+                console.error('       ' + entry.id + (aliases ? ' (' + aliases + ')' : '') + ' — ' + summary);
+            }
+        } else {
+            console.log('[osv] OK ' + pkg.name + '@' + baseVersion + suffix + ' (' + rel + ')');
+        }
+    }
+
+    console.log('');
+    if (failures > 0) {
+        console.error('[osv] ' + failures + ' vendored dep(s) with matching CVEs — failing the build.');
+        return 1;
+    }
+    console.log('[osv] clean — no CVEs matched across ' + scanned + ' vendored dep(s).');
+    return 0;
+}
+
+main().then(function (code) {
+    process.exit(code);
+}).catch(function (err) {
+    console.error('[osv] uncaught:', err);
+    process.exit(2);
+});

package/.github/workflows/bundle-freshness.yml

@@ -0,0 +1,116 @@
+name: Bundle Freshness
+
+# Verifies that the committed dist/vendor/gina/ bundle matches what would
+# be produced by rebuilding from the current source.  Catches the
+# source-committed-without-rebuild gap that .githooks/pre-commit (cheap,
+# "did you stage dist?") cannot detect — i.e. a stale dist was staged
+# alongside a fresh source change.
+#
+# Precedent: #SCS1e (commit 48b8fd26) shipped four validator walker
+# replacements as source-only.  The bundle was not rebuilt until commit
+# 69fb32fc picked it up as a side effect of toolbar removal.  Any browser
+# loading gina.min.js between those two commits still ran the original
+# eval('data.' + localValue).  See llms.txt §72.
+
+on:
+  push:
+    branches: [develop, master]
+  pull_request:
+    branches: [develop, master]
+  workflow_dispatch:
+
+# Cancel any in-flight check for the same ref when a newer one kicks off.
+concurrency:
+  group: bundle-freshness-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  freshness:
+    name: Verify dist matches source
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Set up Java (for Closure Compiler)
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+
+      - name: Install build prerequisites
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y brotli
+
+      - name: Install dev dependencies
+        run: |
+          # `npm ci` (not `npm install`) — strictly respects package-lock.json
+          # so devDeps like engine.io-client (which gets baked into the bundle
+          # via build.json) don't drift between local rebuilds and CI rebuilds.
+          # See llms.txt §72 / 2026-04-24 incident.
+          npm ci --ignore-scripts
+          ln -sf $(pwd) node_modules/gina
+
+      - name: Prepare framework dependencies
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          FW_DIR="framework/v${VERSION}"
+          if [ ! -f "${FW_DIR}/package.json" ]; then
+            cat > "${FW_DIR}/package.json" <<EOF
+          {
+            "name": "gina-framework",
+            "version": "${VERSION}",
+            "dependencies": {
+              "@rhinostone/swig": "^1.6.0"
+            }
+          }
+          EOF
+          fi
+          (cd "${FW_DIR}" && npm install --ignore-scripts)
+
+      - name: Install Closure Compiler JARs
+        run: bash framework/v*/core/asset/plugin/lib/js/install-closure-compiler.sh
+
+      - name: Rebuild bundle
+        run: |
+          bash framework/v*/core/asset/plugin/build --env=prod \
+            --sass-bin="$PWD/node_modules/.bin/sass" \
+            --csso-bin="$PWD/node_modules/.bin/csso" \
+            --rjs-bin="$PWD/node_modules/.bin/r.js"
+
+      - name: Verify dist is in sync with source
+        run: |
+          # *.gz files are excluded: gzip output is platform-specific (Apple
+          # gzip on the maintainer's Mac vs GNU gzip on Linux runners produce
+          # different deflate bytes for the same input — even Node's zlib
+          # disagrees Mac↔Linux because it links the system zlib). Brotli IS
+          # cross-platform deterministic (single canonical reference impl),
+          # so the .br files remain checked. If a .css/.js/.html source
+          # changes without a rebuild, the .br diff catches it; the .gz
+          # divergence would have been a false positive.
+          if ! git diff --exit-code -- \
+                  'framework/v*/core/asset/plugin/dist/vendor/gina/' \
+                  ':(exclude)framework/v*/core/asset/plugin/dist/vendor/gina/**/*.gz'; then
+            echo ""
+            echo "::error::Bundle is out of sync with source."
+            echo "::error::A source file under one of the AMD-aliased paths in build.json"
+            echo "::error::was modified without a corresponding rebuilt dist staged."
+            echo "::error::"
+            echo "::error::Locally:"
+            echo "::error::  bash framework/v*/core/asset/plugin/build --env=prod"
+            echo "::error::  git add framework/v*/core/asset/plugin/dist/vendor/gina/"
+            echo "::error::"
+            echo "::error::See llms.txt §72 for the rebuild-gate discipline."
+            exit 1
+          fi
+          echo "Bundle is fresh — dist matches source (excluding *.gz, which is platform-divergent)."

package/.github/workflows/vendored-cve.yml

@@ -0,0 +1,36 @@
+name: Vendored CVE Scan
+
+on:
+  push:
+    branches: [develop, master]
+  pull_request:
+    branches: [develop, master]
+  schedule:
+    # Weekly, Sunday 00:00 UTC — catches CVEs disclosed after the last push.
+    - cron: '0 0 * * 0'
+  workflow_dispatch:
+
+# Cancel any in-flight scan for the same ref when a newer one kicks off.
+concurrency:
+  group: vendored-cve-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  scan:
+    name: OSV scan on vendored deps
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Scan vendored package.jsons via api.osv.dev
+        run: node .github/scripts/scan-vendored-cves.js

package/CHANGELOG.md

@@ -6,6 +6,20 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html),
 and is generated by [Changie](https://github.com/miniscruff/changie).
 
 
+## 0.3.7-alpha.7 - 2026-04-25
+### Fixed
+* Schema `$schema` identifier updated from `http://json-schema.org/draft-07/schema#` to `https://json-schema.org/draft-07/schema#` across all seven `schema/*.json` files (app, app.crons, connectors, manifest, routing, settings, watchers). The plain-HTTP form redirects to HTTPS and is bot-blocked by json-schema.org; IDEs and JSON validators that dereference the identifier at validation time were hitting the 302/403 chain instead of fetching the canonical schema. Matches the URI shown in the JSON Schema draft-07 spec and aligns with the `$id` field, which already uses `https://`. First batch from the link-health audit (gina-io/gina#18).
+* Refreshed stale URL references in code comments and man pages across the framework (link-health audit gina-io/gina#18): `core/template/boilerplate/bundle/controllers/setup.js` — dropped reference to the deleted `github.com/jmcmanus/pagedown-extra` repo (the commented-out example code uses `marked`, not pagedown-extra; the link was misleading even before the repo died). `core/connectors/couchbase/lib/session-store.v{2,3,4}.js` — updated `github.com/visionmedia/connect-redis` to `github.com/tj/connect-redis` (the maintainer renamed; old URL still 302s but relying on a stale redirect chain is brittle). `core/locales/README.md` — replaced `currency-iso.org/en/home/tables/table-a1.html` (folded into a SIX Swiss Exchange commercial page) with the canonical `iso.org/iso-4217-currency-codes.html`. `lib/cmd/gina.1.md`, `gina-dev.1.md`, `gina-framework.1.md` — modernised the `groups.google.com/forum/#!forum/ginajs` mailing-list link to the supported `groups.google.com/g/ginajs` URL format. The Google Group itself is still active; only the hash-bang URL format is obsolete. `core/server.js` — dropped dead `strongloop.com/strongblog/...` blog-post reference (domain TLS-broken, StrongLoop dissolved into IBM in 2015, the blog post is not reachable via any successor) and dead `jsperf.com/arraybuffer-string-conversion/4` test reference (410 Gone; jsperf relaunched on Cloudflare but the historical test data was not restored). Comment-only changes; no runtime behaviour modified.
+* `core/asset/plugin/src/vendor/gina/utils/dom.js` — updated the `@source https://gist.github.com/1129031` comment to the current canonical form `https://gist.github.com/eligrey/1129031`. GitHub now requires the username prefix on gist URLs; the old form 302-redirects. Rebuilt dist artefacts in the same commit per the source-dist alignment rule (llms.txt §72) — `dist/vendor/gina/js/gina.js`, `gina.min.js`, and the sibling `gina.min.js.br`/`gina.min.js.gz` compressed copies regenerate identically except for the updated license header URL. No runtime behaviour change. Link-health audit (gina-io/gina#18).
+### Security
+* Removed the `polyfill.io` example from the popin plugin's HTML documentation (`core/asset/plugin/src/vendor/gina/popin/doc/html.md`). The domain NXDOMAINs as of April 2026 and was famously hijacked mid-2024 after its Chinese owners were reported injecting malicious code into the served polyfills. The surrounding guidance on how to include polyfills yourself (via `js/plugins.js` or `js/vendor/polyfills.js`) is preserved. Documentation-only change; no runtime code path loads the domain. Link-health audit (gina-io/gina#18).
+* Added `gina.plugins.Session` — an opt-in hardened wrapper around `express-session` that injects SameSite/HttpOnly/Secure defaults from `settings.json > session.cookie.*` into the cookie options before the middleware sees them (#CSRF1). Caller-supplied `options.cookie` values always override the defaults, so bundles that rely on `httpOnly: false` (for client-side JS reading `document.cookie`) or other intentional choices are preserved. Adoption is a one-line swap in the bundle bootstrap: `var session = require('gina').plugins.Session(require('express-session'))`. The new `session.cookie.{sameSite, httpOnly, secure}` keys land in `core/template/conf/settings.json` with safe defaults ("lax" / true / "auto"). Browser-parity invariant enforced at session factory call time — `SameSite=None` without `Secure` throws. Baseline for the #CSRF2 / #CSRF3 track.
+
+## 0.3.7-alpha.6 - 2026-04-24 (npm only — no git tag)
+### Security
+* Restored CVE visibility on vendored deps. `gina@0.3.7-alpha.5` stripped `dependencies`/`devDependencies`/`scripts` from `core/deps/busboy-1.6.0/package.json` and `core/deps/streamsearch-1.1.0/package.json` to reduce Socket's dep-count display — but the strip also removed the dep-graph edge that Socket, Dependabot, and `npm audit` follow to associate the vendored copies with their CVE records. Vendored copies of upstream packages are supply-chain surface exactly like npm-installed ones; stripping the metadata hid them from the tools meant to alert on them. Both files are now byte-identical to their upstream npm tarballs again. Pinning discipline going forward: the vendored `package.json` stays byte-identical to upstream until a local patch is applied; on patch, bump `version` to `<upstream>-rhinostone.N` (e.g. `1.6.0-rhinostone.1`) so CVE scanners still match the base version and readers see at a glance that the copy has diverged. Also adds an OSV-based CI scan (`.github/workflows/vendored-cve.yml`) that walks every `core/deps/*/package.json` and every `framework/v*/package.json`, queries `api.osv.dev` for each `(name, version)` pair, and fails the build on any matched vulnerability — belt-and-suspenders, independent of whichever third-party scanner happens to be in use. Runs on push to `develop`/`master`, weekly Sunday cron, and manual dispatch.
+* Replaced four `eval(...)` call sites in the validator plugin with safe, grammar-locked equivalents (#SCS1e, bucket (c) partial progress). `core/plugins/lib/validator/src/main.js:2603` — `eval('gina.forms.rules.' + customRule)` replaced with a dot-path walker. `customRule` is read from the user-controlled `data-gina-form-rule` HTML attribute; the old eval executed anything that parsed as JS, so a crafted attribute like `constructor.constructor("return process.exit()")()` would fire on lookup. The walker rejects any character outside `[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*` and returns undefined on missing path (falling through to the existing "no rule found" error). `core/plugins/lib/validator/src/form-validator.js:161` — `eval('data.' + localValue)` in `compileError()` replaced with a dot+bracket path walker. `localValue` is derived from `{{...}}` placeholders in error messages; the transforms at lines 152-158 produce `ident (. ident | ["quoted"])*`, and the walker rejects anything outside that shape. `core/plugins/lib/validator/src/form-validator.js:893` — the regex-literal branch of `is()` replaced with `new RegExp(body, flags).test(value)`. Parses `/<body>/<flags>` only; `/<body>/` without flags or any non-regex input throws. `core/plugins/lib/validator/src/form-validator.js:895` — the binary-compare branch of `is()` replaced with a regex-based evaluator over the closed grammar `<operand><op><operand>` where operand is in `{number, "string", true, false, null, undefined}` and op is in `{===, !==, ==, !=, <, >, <=, >=}`. After `$var` substitution (lines 910-920) and paren/return strip (line 925), real Freelancer v3 conditions (15 regex literals + 11 binary comparisons) all match the two grammars. Any input outside the grammars (arithmetic, function calls, semicolon injection, throw injection) is rejected. Seven validator-plugin sites remain deferred pending a separate design pass (`form-validator.js:919`, `:1722`, `main.js:2320`, `:2329`, `:2931`, `:2947`, `:2959`). Verified by +69 tests in `test/lib/validator-scs1e.test.js` (source inspection, behavioural parity against corpus, injection rejection).
+
 ## 0.3.7-alpha.5 - 2026-04-23 (npm only — no git tag)
 ### Changed
 * Extracted `DRIVER_MAP` + `AI_DRIVER_MAP` into a new `lib/connector-registry/` module — single source of truth for the connector driver → npm package + semver range mapping. Previously duplicated inline in `lib/cmd/connector/add.js` and `lib/cmd/connector/list.js` and kept in sync by hand; the two copies had already drifted (list.js knew about `mongodb` and `scylladb`, add.js did not). Both cmd handlers now read from `lib.connectorRegistry.getDriver(type)` / `.getAIDriver(scheme)` / `.getDriverTypes()` / `.getAISchemes()`, so adding a new connector upstream means editing one table instead of three (root `package.json` `peerDependencies` was the third, removed in the previous commit). Public CLI behaviour is unchanged — the registry exposes the same tables, the install hint and `--install` resolution use the same ranges. 28 new source-inspection + behavioural tests in `test/lib/connector-registry.test.js`; the inline-map tests in `test/lib/connector-add.test.js` and `test/lib/connector-list.test.js` now assert registry consumption instead.

package/ROADMAP.md

@@ -123,6 +123,28 @@ Four focused follow-up sessions to close the deferred gap left by the `0.3.7-alp
 | 📋 | **Static HTML cache parity** — Port the swig disk-write/serve cache path so `cache:` keys in `routing.json` actually produce cached HTML for nunjucks routes. | `0.3.7` | Q4 2026 |
 | 📋 | **Early Hints 103 auto-send for CSS/JS preloads** — Move the 103 path in `controller.js this.render()` to be engine-agnostic. Pure perf optimisation; manual `self.setEarlyHints(linkHeader)` already works. | `0.3.7` | Q4 2026 |
 
+### Eval safety
+
+Complete the removal of `eval` / `new Function` call sites from the published tarball. Four tranches shipped across `0.3.7-alpha.4` / `0.3.7-alpha.5` cleared 13 of 24 catalogued sites; 2 more were removed by deleting orphaned source during the toolbar cleanup (15 of 24 addressed). Three clusters remain, each needing a focused session.
+
+| Status | Feature | Version | Target |
+| --- | --- | --- | --- |
+| 📋 | **Validator structural refactor** — Refactor `makeObjectFromArgs` in the validator plugin to replace the string-accumulator path-build-then-`eval('root=value')` pattern with a segments-array threaded through recursion and a safe setter. Clears 3 eval sites. Test coverage for the validator plugin was bootstrapped in the prior tranche, so the refactor has a safety net. | `0.3.8` | Q1 2027 |
+| 📋 | **Feature-intrinsic eval design pass** — 6 sites eval user-supplied JS by design (user-defined form validators, HTML event callbacks on form data attributes). Decision pass: safe-eval sandbox via `vm.Script`, pre-parse to a restricted AST, or formalise "accept and document" with an explicit trust assumption. Outcome may include dropping unused placeholder features. | `0.3.8` | Q1 2027 |
+| 📋 | **Logger circular-require refactor** — 3 load-bearing `eval(fs.readFileSync(...))` fallbacks in the logger work around a circular `merge → helpers → logger` require chain. Restructure the chain so the fallback is no longer needed. Clears the final 3 sites of the campaign. Regression risk touches every logger-consuming test. | `0.3.8` | Q1 2027 |
+
+---
+
+## Web Security
+
+Cross-site request forgery protection. Three-phase defense-in-depth plan aligned with OWASP ASVS 4.0 V4.2.1; each phase shippable on its own. Cookie hardening shipped as an opt-in plugin in `0.3.7-alpha.8`; token middleware and Origin pre-filter still open.
+
+| Status | Feature | Version | Target |
+| --- | --- | --- | --- |
+| ✅ | **Cookie hardening (baseline)** — Opt-in plugin `gina.plugins.Session` wraps `express-session` and injects `SameSite=Lax` + `HttpOnly` + `Secure=auto` defaults from `settings.json > session.cookie.{sameSite,httpOnly,secure}` into the cookie options before the middleware sees them. Bundle-supplied cookie options always win, so intentional configuration is preserved. Adoption is a one-line swap in the bundle bootstrap: `var session = require('gina').plugins.Session(require('express-session'))`. Browser-parity invariant enforced at factory call time: `SameSite=None` without `Secure` throws at bundle startup. Migration guide flags cross-site cookie-send bundles (rare — third-party OAuth embeds, iframe flows) that must set `sameSite: "none"` + `secure: true` explicitly. 41 unit tests (source-inspection guards + mergeCookie + invariant negative-lock + resolveSettingsDefaults + end-to-end through stub express-session + registration + template integrity). | `0.3.7-alpha.8` | 2026-04-24 |
+| 📋 | **Signed double-submit token middleware** — Stateless signed-double-submit-cookie pattern (OWASP ASVS 4.0 V4.2.1). HMAC-SHA256 cookie bound to session ID + matching `X-Gina-CSRF-Token` header (or `_csrf` form field) required on POST/PUT/PATCH/DELETE; `timingSafeEqual` comparison; safe methods (GET/HEAD/OPTIONS) pass through. Per-route opt-out via `routing.json > "csrfExempt": true` for webhook receivers (Stripe, GitHub, etc.). Client integration: the validator plugin auto-reads the cookie and sets the header on AJAX submits — zero user code change. Templates get `{{ gina.csrfToken }}` and `{{ gina.csrfInput \| safe }}` helpers for `<form>` hidden inputs. Stateless so it scales with distributed Redis/K8s sessions without server-side storage; signed so sibling subdomains cannot inject cookies. Performance: ~microseconds per mutating request. | `0.3.8` | Q3 2026 |
+| 📋 | **Origin/Referer pre-filter** — Secondary check on mutating methods, layered on top of the token middleware: `Origin` (or `Referer` fallback) must match the bundle's configured hostname or an explicit allowlist. Configured via `settings.json > csrf.allowedOrigins`. Belt-and-suspenders catching edge cases tokens might miss (referrer-header log leaks, legacy browser bugs, misconfigured reverse proxies). Performance: one string compare per mutating request. | `0.4.0` | Q4 2026 |
+
 ---
 
 ## Connectors

package/framework/v0.3.7-alpha.7/VERSION

@@ -0,0 +1 @@
+0.3.7-alpha.7

package/framework/v0.3.7-alpha.7/core/asset/plugin/dist/vendor/gina/css/gina.min.css

@@ -0,0 +1 @@
+@font-face{font-family:"have_heart_oneregular";src:url(fonts/have_heart_one-webfont.woff2)format("woff2"),url(fonts/have_heart_one-webfont.woff)format("woff");font-weight:400;font-style:normal}.gina-popin-container{background:#fff}.gina-popins-overlay,div.gina-popin-container{visibility:hidden;opacity:0;z-index:1;transition:opacity .3s,visibility 0 .3s}.gina-popins-overlay.gina-popin-is-active,div.gina-popin-container.gina-popin-is-active{opacity:1;visibility:visible;transition-delay:0}dialog.gina-popin-container{padding:0;border:0;z-index:1}.gina-popins-overlay{position:fixed;left:0;top:0;display:grid;place-items:center;width:100%;height:100%;transition:opacity .3s,visibility .3s;overflow:auto;background:rgba(0,0,0,.75)}.gina-popins-overlay.gina-popin-is-active{backdrop-filter:blur(6px)}dialog::backdrop{background-color:rgba(0,0,0,.75);backdrop-filter:blur(6px)}

package/framework/{v0.3.7-alpha.5 → v0.3.7-alpha.7}/core/asset/plugin/dist/vendor/gina/js/gina.js

@@ -3000,7 +3000,41 @@ function FormValidatorUtil(data, $fields, xhrOptions, fieldsSet) {
                                 .trim();
 
             try {
-                localValue = eval('data.'+ localValue).replace(/^\"|\"$/g, '');
+                // #SCS1e (2026-04-24) — replaced `eval('data.' + localValue)` with a safe
+                // dot+bracket path walker. `localValue` is derived from `{{...}}` placeholders
+                // in error messages; the transforms at lines 152-158 produce
+                // `ident (. ident | ["quoted"])*`. The old eval executed anything that parsed
+                // as JS; a crafted placeholder like `{{constructor.constructor('return
+                // process.exit()')()}}` would reach eval unsanitised (the `[` → `["` / `]` →
+                // `"]` transforms don't neutralise dotted method access). The walker rejects
+                // any segment that isn't a bare identifier or a double-quoted bracket key.
+                // localValue = eval('data.'+ localValue).replace(/^\"|\"$/g, '');
+                let _scsRest = localValue;
+                let _scsSegments = [];
+                let _scsM = _scsRest.match(/^([A-Za-z_$][\w$]*)/);
+                if (!_scsM) { throw new Error('Invalid property path: `' + localValue + '`'); }
+                _scsSegments.push(_scsM[1]);
+                _scsRest = _scsRest.slice(_scsM[0].length);
+                while (_scsRest.length > 0) {
+                    _scsM = _scsRest.match(/^\.([A-Za-z_$][\w$]*)/);
+                    if (_scsM) {
+                        _scsSegments.push(_scsM[1]);
+                        _scsRest = _scsRest.slice(_scsM[0].length);
+                        continue;
+                    }
+                    _scsM = _scsRest.match(/^\["([^"\]]*)"\]/);
+                    if (_scsM) {
+                        _scsSegments.push(_scsM[1]);
+                        _scsRest = _scsRest.slice(_scsM[0].length);
+                        continue;
+                    }
+                    throw new Error('Invalid property path: `' + localValue + '`');
+                }
+                let _scsCur = data;
+                for (let _scsI = 0; _scsCur != null && _scsI < _scsSegments.length; _scsI++) {
+                    _scsCur = _scsCur[_scsSegments[_scsI]];
+                }
+                localValue = _scsCur.replace(/^\"|\"$/g, '');
                 error = error.replace( new RegExp( varArr[v].replace(/\{|\[|\]|\}/g, '\\$&') , 'g'), localValue);
             } catch(e) {}
         }
@@ -3731,10 +3765,59 @@ function FormValidatorUtil(data, $fields, xhrOptions, fieldsSet) {
                         try {
                             // security checks
                             compiledCondition = compiledCondition.replace(/(\(|\)|return)/g, '');
+                            // #SCS1e (2026-04-24) — replaced the two `eval(...)` calls below with
+                            // auditable equivalents. After `$var` substitution (lines 910-920) and
+                            // paren/return strip above, `compiledCondition` is either:
+                            //   (a) a regex literal `/<body>/<flags>` (when `/^\//` matches), or
+                            //   (b) a binary comparison `<operand><op><operand>` where operand ∈
+                            //       {number, "string", true, false, null, undefined} and op ∈
+                            //       {===, !==, ==, !=, <, >, <=, >=}.
+                            // Old eval executed arbitrary JS; any value reaching `$var` substitution
+                            // that contained a quote (e.g. user input `bar"; process.exit();//`)
+                            // could escape the `"..."` wrapper at line 916 and reach eval as
+                            // arbitrary code. Grammar-locked replacements reject any input that
+                            // doesn't fit the two documented shapes.
+                            // if ( /^\//.test(compiledCondition) ) {
+                            //     isValid = eval(compiledCondition + '.test("' + this.value + '")')
+                            // } else {
+                            //     isValid = eval(compiledCondition)
+                            // }
                             if ( /^\//.test(compiledCondition) ) {
-                                isValid = eval(compiledCondition + '.test("' + this.value + '")')
+                                var _scsRegexMatch = compiledCondition.match(/^\/(.+)\/([a-z]*)$/);
+                                if (!_scsRegexMatch) {
+                                    throw new Error('Invalid regex literal: `' + compiledCondition + '`');
+                                }
+                                isValid = new RegExp(_scsRegexMatch[1], _scsRegexMatch[2]).test(this.value);
                             } else {
-                                isValid = eval(compiledCondition)
+                                var _SCS_BINARY_RE = /^\s*(null|undefined|true|false|"[^"]*"|-?\d+(?:\.\d+)?)\s*(===|!==|<=|>=|==|!=|<|>)\s*(null|undefined|true|false|"[^"]*"|-?\d+(?:\.\d+)?)\s*$/;
+                                var _scsBinMatch = (typeof(compiledCondition) == 'string') ? compiledCondition.match(_SCS_BINARY_RE) : null;
+                                if (!_scsBinMatch) {
+                                    throw new Error('Could not evaluate condition `' + compiledCondition + '`.\n(grammar: <operand><op><operand>; operand ∈ number | "string" | true | false | null | undefined; op ∈ === !== == != < > <= >=)');
+                                }
+                                var _scsParseOperand = function(s) {
+                                    var _t = s.replace(/^\s+|\s+$/g, '');
+                                    if (_t === 'null')      return null;
+                                    if (_t === 'undefined') return undefined;
+                                    if (_t === 'true')      return true;
+                                    if (_t === 'false')     return false;
+                                    if (/^"[^"]*"$/.test(_t)) return _t.slice(1, -1);
+                                    var _n = Number(_t);
+                                    if (!isNaN(_n) && _t !== '') return _n;
+                                    throw new Error('Invalid operand: `' + s + '`');
+                                };
+                                var _scsLeft  = _scsParseOperand(_scsBinMatch[1]);
+                                var _scsOp    = _scsBinMatch[2];
+                                var _scsRight = _scsParseOperand(_scsBinMatch[3]);
+                                switch (_scsOp) {
+                                    case '===': isValid = _scsLeft === _scsRight; break;
+                                    case '!==': isValid = _scsLeft !== _scsRight; break;
+                                    case '==':  isValid = _scsLeft ==  _scsRight; break;
+                                    case '!=':  isValid = _scsLeft !=  _scsRight; break;
+                                    case '<':   isValid = _scsLeft <   _scsRight; break;
+                                    case '>':   isValid = _scsLeft >   _scsRight; break;
+                                    case '<=':  isValid = _scsLeft <=  _scsRight; break;
+                                    case '>=':  isValid = _scsLeft >=  _scsRight; break;
+                                }
                             }
 
                         } catch (err) {
@@ -8967,7 +9050,7 @@ function getElementsByAttribute(attribute) {
  * 
  */
 
-/*! @source https://gist.github.com/1129031 */
+/*! @source https://gist.github.com/eligrey/1129031 */
 /*global document, DOMParser*/
 (function(DOMParser) {
 	"use strict";
@@ -11931,8 +12014,27 @@ function ValidatorPlugin(rules, data, formId) {
                         if (customRule) {
                             customRule = customRule.replace(/\-|\//g, '.');
                             if ( typeof(rules) != 'undefined' ) {
-                                instance.$forms[id].rules[customRule] = instance.rules[customRule] = local.rules[customRule] = merge(JSON.clone( eval('gina.forms.rules.'+ customRule)), instance.rules[customRule]);
+                                // #SCS1e (2026-04-24) — replaced `eval('gina.forms.rules.' + customRule)`
+                                // with a safe dot-path walker. `customRule` is user-controlled (read
+                                // from the `data-gina-form-rule` HTML attribute); after the replace at
+                                // line 2601 it is a pure dot-path like `account.signin_scope`. The old
+                                // eval executed anything that parsed as JS — a crafted rule name such
+                                // as `constructor.constructor("return process.exit()")()` would fire on
+                                // lookup. The walker rejects any non-identifier character and returns
+                                // undefined on missing path (the `typeof(local.rules[customRule]) ==
+                                // 'undefined'` check at line 2606 then produces the usual user-facing
+                                // "no rule found" error).
+                                // instance.$forms[id].rules[customRule] = instance.rules[customRule] = local.rules[customRule] = merge(JSON.clone( eval('gina.forms.rules.'+ customRule)), instance.rules[customRule]);
                                 // instance.$forms[id].rules[customRule] = instance.rules[customRule] = local.rules[customRule] = merge(eval('gina.forms.rules.'+ customRule), instance.rules[customRule]);
+                                if (!/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(customRule)) {
+                                    throw new Error('Invalid form rule path: `' + customRule + '`');
+                                }
+                                var _scsSegments = customRule.split('.');
+                                var _scsCur      = gina.forms.rules;
+                                for (var _scsI = 0; _scsCur != null && _scsI < _scsSegments.length; _scsI++) {
+                                    _scsCur = _scsCur[_scsSegments[_scsI]];
+                                }
+                                instance.$forms[id].rules[customRule] = instance.rules[customRule] = local.rules[customRule] = merge(JSON.clone(_scsCur), instance.rules[customRule]);
                             }
                             if ( typeof(local.rules[customRule]) == 'undefined' ) {
                                 throw new Error('['+id+'] no rule found with key: `'+customRule+'`. Please check if json is not malformed @ /forms/rules/' + customRule.replace(/\./g, '/') +'.json');