gina 0.3.7-alpha.8 → 0.3.7

package/CHANGELOG.md

@@ -6,12 +6,29 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html),
 and is generated by [Changie](https://github.com/miniscruff/changie).
 
 
+## 0.3.7 - 2026-04-26
+### Added
+* Released `0.3.7` — cumulative stable of the `0.3.7-alpha.1` through `0.3.7-alpha.10` cycle. Headline tracks: **Web Security CSRF trilogy** (`gina.plugins.Session()` cookie hardening + `gina.plugins.Csrf()` signed double-submit token middleware + Origin/Referer pre-filter; OWASP ASVS 4.0 V4.2.1 aligned; opt-in plugin shape; per-route `csrfExempt: true` for webhook receivers). **Nunjucks template engine opt-in** (`render.engine = "nunjucks"` per bundle; filter parity #NJ1, setResources/asset injection #NJ2, render cache #NJ3, Early Hints 103 auto-send #NJ4). **MCP server** (`bundle:mcp` static manifest emit + `bundle:mcp-start` stdio and HTTP transports; #AI8 Phases 1/2a/2b). **Connector CLI** (`connector:list/add/rm/migrate`; #CN10). **Eval-safety hardening** (#SCS1 family — collection safe-evaluator + validator-plugin grammar-locked walker replacements; vendored-dep CVE-visibility invariant locked in via OSV scan workflow). Supply-chain trim (`psl` swap for vendored MPL-2.0 PSL data, `optimist` removal). Release-pipeline hardening (`gna.js` stable-version sync at framework-dir rename, StateStore + gina.db sync across renames, asset-plugin build honours `--gzip-bin`/`--brotli-bin` overrides). Plus `Session.name` drop-in identity restoration in alpha.10. See per-alpha sections for per-feature detail and test counts; full suite 3822/3822 at the stable cut.
+
+## 0.3.7-alpha.10 - 2026-04-26 (npm only — no git tag)
+### Fixed
+* `gina.plugins.Session()` no longer clobbers the wrapper's `Function.name` property. Bundles that introspect the wrapper (`require('gina').plugins.Session(require('express-session')).name`) now see `'session'` (matching upstream) instead of `'ginaSession'`. Achieved via a small refactor: the outer wrapper delegates to an inner `ginaSessionDispatch` named function, with `Object.defineProperty(wrapped, 'name', { value: expressSession.name, configurable: true })` overriding the outer `.name`. The inner `ginaSessionDispatch` frame stays visible in stack traces, so gina remains detectable for debugging while the public-facing identity is the upstream's. Static-surface preservation (`Store`, `MemoryStore`, `Session`, `Cookie`) and the SameSite=None invariant are unchanged. 2 new unit tests in `test/core/session-plugin.test.js` (drop-in identity assertion + stack-trace visibility lock). Full suite 3768/3768 (3766 baseline + 2 new). Surfaced from a freelancer/v3 session: "Gina's wrapper clobbering expressSession.name — is an upstream concern".
+### Security
+* `gina.plugins.Csrf()` now layers an Origin/Referer pre-filter ON TOP of the signed double-submit token verify (`#CSRF3`). On every mutating request (POST/PUT/PATCH/DELETE) the middleware reads `Origin` first, falls back to parsing the host out of `Referer` when `Origin` is absent (or is the literal `"null"` sentinel browsers send for sandboxed iframes), and matches the result against `settings.json > csrf.allowedOrigins`. Both headers missing → 403 `[csrf] forbidden — missing origin/referer`. Mismatch → 403 `[csrf] forbidden — origin not allowed`. The token verify only runs after the Origin check passes, so a forged token + matching cookie still gets rejected when the request didn't come from an allowed origin (token layer ≠ Origin layer). Per-route `csrfExempt: true` bypasses BOTH layers consistently. New `settings.json` key `csrf.allowedOrigins`: empty/unset defaults to `[bundleHostname]` (auto-derived from `conf[bundle][env].hostname` or composed from `server.scheme + host + server.port`); non-empty replaces the default with an explicit allowlist for multi-domain bundles. Entries are matched literally case-insensitive after parsing down to `scheme://host[:port]` — different scheme on the same host doesn't match (`http://example.com` ≠ `https://example.com`); different port doesn't match. Factory throws at startup when `csrf.allowedOrigins` is empty AND no bundle hostname can be resolved — error message points at both fixes. 54 new unit tests (parser helpers, allowlist precedence, behavioural matrix Origin × Referer × allowlist, scheme/port discrimination, `Origin: "null"` sentinel handling, negative-invariant lock that matching token + mismatching Origin still 403s, exempt interaction, source-inspection guards pinning the pre-filter ordering); full suite 3822/3822 (prior 3768 + 54). Closes the three-phase CSRF trilogy started by `#CSRF1` (cookie hardening, alpha.8) and `#CSRF2` (signed double-submit token, alpha.9).
+
+## 0.3.7-alpha.9 - 2026-04-26 (npm only — no git tag)
+### Added
+* Exposed gina.csrfToken and gina.csrfInput in swig template context (#CSRF2 follow-up). When a bundle has registered the Csrf plugin and req.csrfToken is set on the active request, controller.js > setOptions() now publishes two keys to the template data: gina.csrfToken (raw base64url string) and gina.csrfInput (pre-formatted <input type="hidden" name="<fieldName>" value="<token>"> HTML). Templates render the hidden input with either {{ gina.csrfInput | safe }} or the manual <input ... value="{{ gina.csrfToken }}"> form. The field name comes from settings.json > csrf.fieldName (default _csrf, matching the plugin) and is HTML-attribute-escaped defensively (& " < >) before interpolation. The token itself is base64url ([A-Za-z0-9_-]) by construction so it is interpolated verbatim — encoding it would break round-trip when the form is submitted. When req.csrfToken is absent (bundle has not adopted the plugin) neither key is set; templates can guard with {% if gina.csrfToken %}. 25 unit tests in test/core/controller-csrf-context.test.js cover the source-inspection guards, the missing/empty/non-string rejection, the configured-fieldName path, the four HTML-attribute escapes, and the negative invariant (no eval, no template-literal interpolation, no encoding of the token).
+### Security
+* Added gina.plugins.Csrf() — signed double-submit token CSRF middleware (#CSRF2). New core/plugins/lib/csrf/ middleware sits in the Express drain after the Session plugin. Token shape: HMAC-SHA256(sessionId + ':' + nonce_b64url, GINA_CSRF_SECRET); nonce is 16 bytes from crypto.getRandomValues; both halves base64url-encoded; verify uses crypto.timingSafeEqual with a length guard. Mutating methods (POST/PUT/PATCH/DELETE) require a matching value in X-Gina-CSRF-Token header or _csrf form field; safe methods (GET/HEAD/OPTIONS) issue a token cookie and pass through. Per-route opt-out via routing.json > "csrfExempt": true for webhook receivers (Stripe, GitHub, etc.) — positive-assertion key chosen so a misread breaks the webhook (obvious) rather than CSRF-vulnerable (silent). Stateless so it scales with distributed Redis/K8s sessions without server-side storage; signed so sibling subdomains cannot inject cookies. Adoption is two lines in the bundle bootstrap, AFTER the session middleware: var csrf = require('gina').plugins.Csrf(); app.use(csrf). Server secret (GINA_CSRF_SECRET, generate with openssl rand -base64 64) is required at factory-call time — there is no dev fallback. Sessionless or session-after-csrf misorder produces a clear next(err) message that points at the fix ("Csrf plugin requires the Session plugin to be registered before it"). Settings template seeds csrf.{cookieName,headerName,fieldName,rotate,safeMethods}; the secret is never stored in settings. server.js + lib/routing/src/main.js propagate routing[name].csrfExempt to req.routing.csrfExempt next to cache and queryTimeout. 69 unit tests in test/core/csrf-plugin.test.js (source-inspection guards, generateToken/verifyToken primitives, negative-invariant lock against ==/===/Buffer.compare/.includes on the token path, issue + verify middlewares end-to-end through stub req/res, per-route exempt, plugin registration, settings template integrity). Full suite 3714/3714. Followups in commit 2 (validator AJAX header injection) + commit 3 (controller template context) close the user-facing surface; this commit ships the verify gate and the seam.
+* Validator AJAX requests now inject the X-Gina-CSRF-Token header on mutating methods (#CSRF2 follow-up). The browser-side validator plugin reads the gina-csrf-token cookie (set by the Csrf plugin) and adds the matching X-Gina-CSRF-Token request header on POST/PUT/PATCH/DELETE XHR calls; safe methods (GET/HEAD/OPTIONS) bypass injection. Three injection sites covered: form-submit XHR (core/plugins/lib/validator/src/main.js header loop), file-removal DELETE/POST (same file, xhrOptions block), and live-validation queries (core/plugins/lib/validator/src/form-validator.js). Adds two pure helpers — readCsrfCookie() (parses document.cookie via indexOf+slice; no regex on user-controlled segments; URL-decodes the token; returns null when absent) and isMutatingMethod() (returns false for GET/HEAD/OPTIONS, true for everything else). Cookie name (gina-csrf-token) and header name (X-Gina-CSRF-Token) hardcoded to match the plugin defaults — settings.json overrides apply server-side only; if a bundle changes the names, the validator fall-back is to ship no header (safe — server rejects, dev sees 403). Browser bundle (dist/vendor/gina/js/gina.*) rebuilt because both validator src files are aliased into the client-side AMD tree via build.json. Negative invariant locked: no eval, no Function constructor in the new helper region. 27 unit tests in test/core/validator-csrf-injection.test.js (source-inspection guards pinning the three injection sites, readCsrfCookie pure-parser behaviour, isMutatingMethod safe-method bypass, end-to-end XHR stub coverage of cookie-present/cookie-absent x mutating/safe matrix, eval / new Function rejection). Full suite 3766/3766 (3739 baseline + 27 new).
+
 ## 0.3.7-alpha.8 - 2026-04-25 (npm only — no git tag)
 ### Fixed
 * StateStore + gina.db now stay in sync with main.json/settings.json across framework-directory renames during `bumpVersion`. Closes a silent drift that affected every alpha cut for several versions and required manual SQLite patches. Two failure modes addressed: relative `require('../state')` resolution after the rename invalidated the generator's `__dirname`, and `StateStore._homeDir` returning null in build-script context where `GINA_HOMEDIR` isn't injected. Future violators of either invariant now log a visible warning instead of silently falling through to a JSON-sidecar-only write.
 * `framework/v*/core/asset/plugin/build` now honours the `--gzip-bin` and `--brotli-bin` CLI overrides. Six `-exec gzip -9 -n -k` / `-exec brotli --best` calls were hardcoded and silently defeated the flags; they now use the `${gzip_bin}` / `${brotli_bin}` variables resolved via `which` or set by the user.
 
-## 0.3.7-alpha.7 - 2026-04-25
+## 0.3.7-alpha.7 - 2026-04-25 (npm only — no git tag)
 ### Fixed
 * Schema `$schema` identifier updated from `http://json-schema.org/draft-07/schema#` to `https://json-schema.org/draft-07/schema#` across all seven `schema/*.json` files (app, app.crons, connectors, manifest, routing, settings, watchers). The plain-HTTP form redirects to HTTPS and is bot-blocked by json-schema.org; IDEs and JSON validators that dereference the identifier at validation time were hitting the 302/403 chain instead of fetching the canonical schema. Matches the URI shown in the JSON Schema draft-07 spec and aligns with the `$id` field, which already uses `https://`. First batch from the link-health audit (gina-io/gina#18).
 * Refreshed stale URL references in code comments and man pages across the framework (link-health audit gina-io/gina#18): `core/template/boilerplate/bundle/controllers/setup.js` — dropped reference to the deleted `github.com/jmcmanus/pagedown-extra` repo (the commented-out example code uses `marked`, not pagedown-extra; the link was misleading even before the repo died). `core/connectors/couchbase/lib/session-store.v{2,3,4}.js` — updated `github.com/visionmedia/connect-redis` to `github.com/tj/connect-redis` (the maintainer renamed; old URL still 302s but relying on a stale redirect chain is brittle). `core/locales/README.md` — replaced `currency-iso.org/en/home/tables/table-a1.html` (folded into a SIX Swiss Exchange commercial page) with the canonical `iso.org/iso-4217-currency-codes.html`. `lib/cmd/gina.1.md`, `gina-dev.1.md`, `gina-framework.1.md` — modernised the `groups.google.com/forum/#!forum/ginajs` mailing-list link to the supported `groups.google.com/g/ginajs` URL format. The Google Group itself is still active; only the hash-bang URL format is obsolete. `core/server.js` — dropped dead `strongloop.com/strongblog/...` blog-post reference (domain TLS-broken, StrongLoop dissolved into IBM in 2015, the blog post is not reachable via any successor) and dead `jsperf.com/arraybuffer-string-conversion/4` test reference (410 Gone; jsperf relaunched on Cloudflare but the historical test data was not restored). Comment-only changes; no runtime behaviour modified.

package/ROADMAP.md

@@ -28,6 +28,7 @@ This roadmap covers planned features, architectural improvements, new connectors
 | --- | --- | --- | --- |
 | ✅ | **Automatic version migration** — Upgrading or downgrading gina (e.g. `0.1.x → 0.2.0`, `0.5.x → 1.0.0`) automatically migrates `~/.gina/` config to the new version on first startup. Downgrade is free — old version data is never removed. | `0.1.8` | 2026-03-26 |
 | ✅ | **`watchers.json`** — First-class bundle config for file watchers. Declare watchers on config files with event-based notification (no polling). Foundation for the dev-mode hot-reload system. | `0.2.0` | 2026-03-29 |
+| 📋 | **i18n core** — Per-bundle message catalogs under `bundle/locales/<culture>.json` with a fallback chain (specific culture → base language → default). Server-side `t(key, [params], [culture])` global helper with parameter interpolation and CLDR pluralisation. Swig and Nunjucks filters with the same surface (`{{ "key"\|t }}`, `{{ "key"\|t({ name: x }) }}`). Per-request locale negotiation from URL prefix / cookie / `Accept-Language` / settings default. CLI: `gina i18n:scan` for missing-key coverage per culture, `i18n:add <culture>` to seed a new catalog, `i18n:export` / `i18n:import` for `.po` / `.csv` / `.json` round-trip with translators. Headless by design — the visual translation editor lands later as the first content feature in Beemaster (admin Phase 3). | `0.3.8` | Q2 2026 |
 | 📋 | **PWA scaffold** — `gina bundle:add` drops `manifest.json`, a service worker stub (`sw.js`), and the required `<meta>` / `<link>` tags into the bundle boilerplate. Zero runtime dependency. Enables Gina apps to be installed on mobile as PWAs without additional tooling. | `0.4.0` | Q4 2026 |
 | ✅ | **Per-bundle framework version** — Declare `"gina_version": "0.1.8"` on any bundle entry in `manifest.json` to pin that bundle to a specific installed framework version. The socket server continues running its own version; only the spawned bundle process uses the declared version. Validated against the tracked version list in `main.json` before start. `--gina-version=X.Y.Z` flag on `bundle:start` provides the same override without touching config files. | `0.3.0` | 2026-03-31 |
 | ✅ | **PATCH method** — `req.patch` populated with the parsed request body (JSON or form-encoded). `req.body` aliases `req.patch`. URI params merged. `"method": "PATCH"` valid in `routing.json`. Use PATCH for partial updates (only sent fields change) vs PUT which replaces the full resource. | `0.3.0` | 2026-03-31 |
@@ -137,13 +138,13 @@ Complete the removal of `eval` / `new Function` call sites from the published ta
 
 ## Web Security
 
-Cross-site request forgery protection. Three-phase defense-in-depth plan aligned with OWASP ASVS 4.0 V4.2.1; each phase shippable on its own. Cookie hardening shipped as an opt-in plugin in `0.3.7-alpha.8`; token middleware and Origin pre-filter still open.
+Cross-site request forgery protection. Three-phase defense-in-depth plan aligned with OWASP ASVS 4.0 V4.2.1; each phase shippable on its own. All three phases shipped: cookie hardening in `0.3.7-alpha.8`, signed double-submit token middleware in `0.3.7-alpha.9`, Origin/Referer pre-filter in `0.3.7-alpha.10`.
 
 | Status | Feature | Version | Target |
 | --- | --- | --- | --- |
 | ✅ | **Cookie hardening (baseline)** — Opt-in plugin `gina.plugins.Session` wraps `express-session` and injects `SameSite=Lax` + `HttpOnly` + `Secure=auto` defaults from `settings.json > session.cookie.{sameSite,httpOnly,secure}` into the cookie options before the middleware sees them. Bundle-supplied cookie options always win, so intentional configuration is preserved. Adoption is a one-line swap in the bundle bootstrap: `var session = require('gina').plugins.Session(require('express-session'))`. Browser-parity invariant enforced at factory call time: `SameSite=None` without `Secure` throws at bundle startup. Migration guide flags cross-site cookie-send bundles (rare — third-party OAuth embeds, iframe flows) that must set `sameSite: "none"` + `secure: true` explicitly. 41 unit tests (source-inspection guards + mergeCookie + invariant negative-lock + resolveSettingsDefaults + end-to-end through stub express-session + registration + template integrity). | `0.3.7-alpha.8` | 2026-04-24 |
-| 📋 | **Signed double-submit token middleware** — Stateless signed-double-submit-cookie pattern (OWASP ASVS 4.0 V4.2.1). HMAC-SHA256 cookie bound to session ID + matching `X-Gina-CSRF-Token` header (or `_csrf` form field) required on POST/PUT/PATCH/DELETE; `timingSafeEqual` comparison; safe methods (GET/HEAD/OPTIONS) pass through. Per-route opt-out via `routing.json > "csrfExempt": true` for webhook receivers (Stripe, GitHub, etc.). Client integration: the validator plugin auto-reads the cookie and sets the header on AJAX submits — zero user code change. Templates get `{{ gina.csrfToken }}` and `{{ gina.csrfInput \| safe }}` helpers for `<form>` hidden inputs. Stateless so it scales with distributed Redis/K8s sessions without server-side storage; signed so sibling subdomains cannot inject cookies. Performance: ~microseconds per mutating request. | `0.3.8` | Q3 2026 |
-| 📋 | **Origin/Referer pre-filter** — Secondary check on mutating methods, layered on top of the token middleware: `Origin` (or `Referer` fallback) must match the bundle's configured hostname or an explicit allowlist. Configured via `settings.json > csrf.allowedOrigins`. Belt-and-suspenders catching edge cases tokens might miss (referrer-header log leaks, legacy browser bugs, misconfigured reverse proxies). Performance: one string compare per mutating request. | `0.4.0` | Q4 2026 |
+| ✅ | **Signed double-submit token middleware** — Stateless signed-double-submit-cookie pattern (OWASP ASVS 4.0 V4.2.1). Opt-in plugin `gina.plugins.Csrf()`: HMAC-SHA256 cookie bound to session ID + matching `X-Gina-CSRF-Token` header (or `_csrf` form field) required on POST/PUT/PATCH/DELETE; `timingSafeEqual` comparison; safe methods (GET/HEAD/OPTIONS) pass through. Per-route opt-out via `routing.json > "csrfExempt": true` for webhook receivers (Stripe, GitHub, etc.). Server secret read from `process.env.GINA_CSRF_SECRET` at factory-call time — no dev fallback. Sessionless or session-after-csrf misorder produces a clear `next(err)` message pointing at the fix. Stateless so it scales with distributed Redis/K8s sessions without server-side storage; signed so sibling subdomains cannot inject cookies. 69 unit tests (source-inspection guards, generateToken/verifyToken primitives, negative-invariant lock, issue + verify middlewares, per-route exempt, plugin registration, settings template integrity). Validator AJAX header injection + controller template context (`{{ gina.csrfToken }}` / `{{ gina.csrfInput \| safe }}`) ship in follow-up commits. | `0.3.7-alpha.9` | 2026-04-25 |
+| ✅ | **Origin/Referer pre-filter** — Secondary check on mutating methods, layered on top of the token middleware INSIDE `gina.plugins.Csrf()`: parses `Origin` first, falls back to the host portion of `Referer`, and matches against `settings.json > csrf.allowedOrigins`. Both headers missing → 403 `missing origin/referer`. Mismatch → 403 `origin not allowed`. Empty/unset `allowedOrigins` defaults to `[bundleHostname]` (auto-derived from `conf[bundle][env].hostname` or composed from `server.scheme + host + server.port`); non-empty = explicit allowlist for multi-domain bundles. Per-route `csrfExempt: true` bypasses BOTH Origin and token layers consistently. Negative-invariant lock: matching token + mismatching Origin still 403s — token layer ≠ Origin layer. Factory throws at startup when neither a settings allowlist nor a bundle hostname can be resolved. 54 unit tests added (parseRequestOrigin/parseOriginString helpers, resolveBundleHostname, resolveAllowedOrigins precedence, behavioural matrix Origin × Referer × allowlist, scheme/port discrimination, `Origin: "null"` sentinel handling, negative-invariant lock, exempt interaction, source-inspection guards pinning the pre-filter ordering). Full suite 3822/3822 (prior 3768 + 54). | `0.3.7-alpha.10` | 2026-04-26 |
 
 ---
 
@@ -286,7 +287,7 @@ Windows compatibility is a hard requirement for `1.0.0`. The alpha scope covers
 
 ## Inspector
 
-Gina's built-in per-bundle inspector. Phases 1–2 ship as an embedded SPA at `/_gina/inspector/` inside every bundle's own HTTP server (dev mode). Phase 3 evolves it into a standalone web app served by `services/src/inspector/` that can connect to any bundle in any environment — including production. Beemaster (global admin app) is a separate project.
+Gina's built-in per-bundle inspector. Phases 1–2 ship as an embedded SPA at `/_gina/inspector/` inside every bundle's own HTTP server (dev mode). Phase 3 evolves it into a standalone web app served by `services/src/inspector/` that can connect to any bundle in any environment — including production. Beemaster (global admin app) is a separate project — also the planned home for content-management surfaces such as the **i18n translation editor** (the visual layer of i18n core).
 
 **Why a standalone web app:** Electron is heavy and adds distribution burden. A browser extension is browser-specific and can't inspect from a different machine. The standalone web app works locally and remotely, any browser, zero install. A browser extension companion can be layered on top later.
 

package/framework/v0.3.7/VERSION

@@ -0,0 +1 @@
+0.3.7

package/framework/{v0.3.7-alpha.8 → v0.3.7}/core/asset/plugin/dist/vendor/gina/inspector/inspector.css

@@ -70,8 +70,8 @@
 }
 
 :root {
-  --font: "SF Mono", "Fira Code", "Cascadia Code", Menlo, "Lucida Grande", monospace;
-  --sans: "Lucida Grande", Lucida, Arial, Helvetica, sans-serif;
+  --font: 'SF Mono', 'Fira Code', 'Cascadia Code', Menlo, 'Lucida Grande', monospace;
+  --sans: 'Lucida Grande', Lucida, Arial, Helvetica, sans-serif;
   --radius: 4px;
   --hdr: 32px;
 }
@@ -830,8 +830,6 @@ body {
   cursor: pointer;
   padding: 4px;
   transition: border-color 0.15s, background 0.15s;
-  /* Reveal toggle — red tint when active so the unredacted state is visually
-     distinct from the regular amber `.active` state used by RAW / fold-all. */
 }
 .bm-icon-btn svg {
   width: 14px;
@@ -855,6 +853,10 @@ body {
 .bm-icon-btn.bm-hidden {
   display: none;
 }
+.bm-icon-btn {
+  /* Reveal toggle — red tint when active so the unredacted state is visually
+     distinct from the regular amber `.active` state used by RAW / fold-all. */
+}
 .bm-icon-btn#bm-reveal.active {
   border-color: var(--err);
   background: rgba(231, 76, 60, 0.12);
@@ -1724,9 +1726,6 @@ details[open] > summary.bm-summary::before {
   cursor: pointer;
   user-select: none;
   position: relative;
-  /* Extend accent line to bridge the gap between consecutive selected rows */
-  /* Rounded corners on first/last of contiguous selected group */
-  /* Single-click copy feedback — green flash + checkmark */
 }
 .bm-log:hover {
   background: var(--bg3);
@@ -1734,11 +1733,13 @@ details[open] > summary.bm-summary::before {
 .bm-log.bm-log-selected {
   background: rgba(242, 175, 13, 0.13);
   border-bottom-color: transparent;
-  /* Left accent line — straight, unaffected by border-radius */
 }
 .bm-log.bm-log-selected:hover {
   background: rgba(242, 175, 13, 0.19);
 }
+.bm-log.bm-log-selected {
+  /* Left accent line — straight, unaffected by border-radius */
+}
 .bm-log.bm-log-selected::before {
   content: "";
   position: absolute;
@@ -1757,9 +1758,15 @@ details[open] > summary.bm-summary::before {
 [data-theme=light] .bm-log.bm-log-selected:hover {
   background: rgba(200, 133, 10, 0.16);
 }
+.bm-log {
+  /* Extend accent line to bridge the gap between consecutive selected rows */
+}
 .bm-log.bm-log-selected + .bm-log-selected::before {
   top: -1px;
 }
+.bm-log {
+  /* Rounded corners on first/last of contiguous selected group */
+}
 .bm-log.bm-log-selected:not(.bm-log-selected + .bm-log) {
   border-radius: 6px 6px 0 0;
 }
@@ -1778,6 +1785,9 @@ details[open] > summary.bm-summary::before {
 .bm-log.bm-log-selected:not(.bm-log-selected + .bm-log):not(:has(+ .bm-log-selected))::before {
   border-radius: 3px 0 0 3px;
 }
+.bm-log {
+  /* Single-click copy feedback — green flash + checkmark */
+}
 .bm-log.bm-log-row-copied {
   background: rgba(76, 175, 80, 0.15) !important;
 }
@@ -3603,3 +3613,5 @@ details[open] > summary.bm-summary::before {
     text-align: left;
   }
 }
+
+/*# sourceMappingURL=inspector.css.map */

package/framework/{v0.3.7-alpha.8 → v0.3.7}/core/asset/plugin/dist/vendor/gina/js/gina.js

@@ -2866,6 +2866,68 @@ function FormValidatorUtil(data, $fields, xhrOptions, fieldsSet) {
     var dateFormat      = (isGFFCtx) ? require('helpers/dateFormat') : helpers.dateFormat;
     var routing         = (isGFFCtx) ? require('lib/routing') : require('../../../../../lib/routing');
 
+    /**
+     * #CSRF2 follow-up — read the gina-csrf-token cookie set by the Csrf plugin.
+     *
+     * Pure, dependency-free parser for `document.cookie`. Returns the token
+     * value (URL-decoded) or null when the cookie is absent. Browser-only
+     * (isGFFCtx); when running outside a browser document, returns null.
+     *
+     * No eval / Function / regex on user-controlled segments — name and
+     * value are compared as plain strings via indexOf + slice only.
+     *
+     * @returns {string|null}
+     * */
+    var readCsrfCookie = function () {
+        var name = 'gina-csrf-token';
+        if ( typeof(document) === 'undefined' || !document || typeof(document.cookie) !== 'string' ) {
+            return null;
+        }
+        var raw = document.cookie || '';
+        if (!raw) {
+            return null;
+        }
+        var parts = raw.split(';');
+        for (var i = 0, len = parts.length; i < len; ++i) {
+            var part = parts[i];
+            while (part.charAt(0) === ' ' || part.charAt(0) === '\t') {
+                part = part.slice(1);
+            }
+            var eq = part.indexOf('=');
+            if (eq < 0) {
+                continue;
+            }
+            var key = part.slice(0, eq);
+            if (key !== name) {
+                continue;
+            }
+            var val = part.slice(eq + 1);
+            try {
+                return decodeURIComponent(val);
+            } catch (e) {
+                return val;
+            }
+        }
+        return null;
+    };
+
+    /**
+     * #CSRF2 follow-up — true for HTTP methods that mutate state.
+     *
+     * GET, HEAD, OPTIONS are CSRF-safe by spec. All other methods require
+     * the X-Gina-CSRF-Token header.
+     *
+     * @param {string} method
+     * @returns {boolean}
+     * */
+    var isMutatingMethod = function (method) {
+        if ( typeof(method) !== 'string' || !method ) {
+            return false;
+        }
+        var m = method.toUpperCase();
+        return (m !== 'GET' && m !== 'HEAD' && m !== 'OPTIONS');
+    };
+
     var hasUserValidators = function() {
 
         var _hasUserValidators = false, formsContext = null;
@@ -3232,6 +3294,14 @@ function FormValidatorUtil(data, $fields, xhrOptions, fieldsSet) {
             xhr.setRequestHeader('Content-Type', enctype);
         }
 
+        // #CSRF2 follow-up — inject X-Gina-CSRF-Token on mutating methods (live-validation path)
+        if ( isMutatingMethod(queryOptions.method) ) {
+            var csrfToken = readCsrfCookie();
+            if (csrfToken) {
+                xhr.setRequestHeader('X-Gina-CSRF-Token', csrfToken);
+            }
+        }
+
         var onResult = function(result) {
 
             _this.value      = local['data'][_this.name] = (_this.value) ? _this.value.toLowerCase() : _this.value;
@@ -5031,6 +5101,10 @@ function Routing() {
             if ( typeof(routeObject.cache) != 'undefined' ) {
                 params.cache = routeObject.cache;
             }
+            // #CSRF2 — propagate per-route Csrf opt-out to req.routing.csrfExempt
+            if ( typeof(routeObject.csrfExempt) != 'undefined' ) {
+                params.csrfExempt = routeObject.csrfExempt;
+            }
             if ( typeof(routeObject.queryTimeout) != 'undefined' ) {
                 params.queryTimeout = parseTimeout(routeObject.queryTimeout);
             }
@@ -9582,6 +9656,74 @@ function ValidatorPlugin(rules, data, formId) {
         }
     };
 
+    /**
+     * #CSRF2 follow-up — read the gina-csrf-token cookie set by the Csrf plugin.
+     *
+     * Pure, dependency-free parser for `document.cookie`. Returns the token
+     * value (URL-decoded) or null when the cookie is absent. Browser-only
+     * (isGFFCtx); when running outside a browser document, returns null.
+     *
+     * Default cookie name is 'gina-csrf-token' matching the Csrf plugin
+     * settings.json default. The matching X-Gina-CSRF-Token header is
+     * injected on mutating methods (POST/PUT/PATCH/DELETE) before xhr.send().
+     *
+     * No eval / Function / regex on user-controlled segments — name and
+     * value are compared as plain strings via indexOf + slice only.
+     *
+     * @returns {string|null}
+     * */
+    var readCsrfCookie = function () {
+        var name = 'gina-csrf-token';
+        if ( typeof(document) === 'undefined' || !document || typeof(document.cookie) !== 'string' ) {
+            return null;
+        }
+        var raw = document.cookie || '';
+        if (!raw) {
+            return null;
+        }
+        var parts = raw.split(';');
+        for (var i = 0, len = parts.length; i < len; ++i) {
+            var part = parts[i];
+            // strip leading whitespace without regex
+            while (part.charAt(0) === ' ' || part.charAt(0) === '\t') {
+                part = part.slice(1);
+            }
+            var eq = part.indexOf('=');
+            if (eq < 0) {
+                continue;
+            }
+            var key = part.slice(0, eq);
+            if (key !== name) {
+                continue;
+            }
+            var val = part.slice(eq + 1);
+            try {
+                return decodeURIComponent(val);
+            } catch (e) {
+                return val;
+            }
+        }
+        return null;
+    };
+
+    /**
+     * #CSRF2 follow-up — true for HTTP methods that mutate state.
+     *
+     * GET, HEAD, OPTIONS are CSRF-safe by spec (they MUST NOT carry side
+     * effects). All other methods (POST, PUT, PATCH, DELETE, ...) require
+     * the X-Gina-CSRF-Token header.
+     *
+     * @param {string} method
+     * @returns {boolean}
+     * */
+    var isMutatingMethod = function (method) {
+        if ( typeof(method) !== 'string' || !method ) {
+            return false;
+        }
+        var m = method.toUpperCase();
+        return (m !== 'GET' && m !== 'HEAD' && m !== 'OPTIONS');
+    };
+
     /**
      * backend definitions
      * */
@@ -10471,6 +10613,14 @@ function ValidatorPlugin(rules, data, formId) {
             xhr.setRequestHeader(hearder, options.headers[hearder]);
         }
 
+        // #CSRF2 follow-up — inject X-Gina-CSRF-Token on mutating methods
+        if ( isMutatingMethod(options.method) ) {
+            var csrfToken = readCsrfCookie();
+            if (csrfToken) {
+                xhr.setRequestHeader('X-Gina-CSRF-Token', csrfToken);
+            }
+        }
+
         if (xhr) {
             // catching ready state cb
             // Data loading ...
@@ -11544,6 +11694,13 @@ function ValidatorPlugin(rules, data, formId) {
                                 'X-Requested-With': 'XMLHttpRequest' // in case of cross domain origin
                             }
                         };
+                        // #CSRF2 follow-up — inject X-Gina-CSRF-Token on mutating methods (file remove → DELETE/POST)
+                        if ( isMutatingMethod(method) ) {
+                            let csrfToken = readCsrfCookie();
+                            if (csrfToken) {
+                                xhrOptions.headers['X-Gina-CSRF-Token'] = csrfToken;
+                            }
+                        }
                         let xhr = setupXhr(xhrOptions);
                         //handleXhr(xhr);
                         if ( /GET|DELETE/i.test(method) ) {