gina 0.3.9 → 0.3.10

package/.github/scripts/scan-vendored-cves.js

@@ -14,7 +14,7 @@
  * `(name, version)` pairs, queries `api.osv.dev`, and exits non-zero if
  * any vulnerability is matched.
  *
- * Pinning convention (see .claude/architecture/vendored-deps.md): the
+ * Pinning convention (see internal architecture docs): the
  * vendored `package.json` stays byte-identical to upstream until
  * patched; on patch, `version` is bumped to `<upstream>-rhinostone.N`
  * (e.g. `1.6.0-rhinostone.1`). This script strips the

package/.github/workflows/bundle-freshness.yml

@@ -34,15 +34,15 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '22'
 
       - name: Set up Java (for Closure Compiler)
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
           java-version: '21'

package/.github/workflows/security.yml

@@ -30,3 +30,55 @@ jobs:
             exit 1
           fi
           echo "OK: no local-tool paths in git index."
+
+  ai-attribution-content-scan:
+    name: AI-attribution content scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+
+      # #S7 — CI mirror of the pre-commit hook's content-scan section.
+      # While #S6 catches LOCAL-TOOL PATHS (file names), #S7 catches
+      # AI-ATTRIBUTION SUBSTRINGS in tracked file CONTENT. Pattern must
+      # stay in sync with .githooks/pre-commit. Documented exceptions:
+      #   - Protocol identifiers used by the AI connector (anthropic://,
+      #     openai://, deepseek://, qwen://, groq://, mistral://, gemini://,
+      #     xai://, perplexity://, ollama://)
+      #   - Vendor SDK package names (@anthropic-ai/sdk, openai npm package)
+      #   - Canonical env-var names (ANTHROPIC_API_KEY, OPENAI_API_KEY)
+      # Files where these patterns appear by design (this workflow, the
+      # local hook, the prepack scanner) and auto-generated dist artefacts
+      # (browser bundles, minified output, source maps) are excluded — the
+      # source-side scan catches the leak before it reaches dist.
+      - name: Scan tracked content for AI-attribution leaks
+        run: |
+          LEAK_RE='\.claude/|\.claudeignore|claude\.ai|claude\.com/claude-code|Co-Authored-By:?[^\n]{0,30}(Claude|Anthropic)|Generated (by|with)[^\n]{0,30}Claude|🤖[^\n]{0,30}Claude'
+          EXCEPTION_RE='anthropic://|openai://|deepseek://|qwen://|groq://|mistral://|gemini://|xai://|perplexity://|ollama://|@anthropic-ai/sdk|ANTHROPIC_API_KEY|OPENAI_API_KEY'
+          EXCLUDED='^(\.githooks/pre-commit|\.github/workflows/security\.yml|script/check_no_local_leak\.js|script/prepare_version\.js|\.gitignore|\.npmignore|framework/v[^/]+/core/asset/plugin/dist/.*|.*\.(min\.(js|css)(\.br|\.gz)?|map))$'
+
+          found=0
+          while IFS= read -r f; do
+              if echo "$f" | grep -qE "$EXCLUDED"; then continue; fi
+              case "$f" in
+                  *.png|*.jpg|*.jpeg|*.gif|*.svg|*.woff|*.woff2|*.ttf|*.ico|*.jar|*.zip|*.tar|*.gz|*.br|*.afdesign|*.pdf|*.mp3|*.mp4|*.heic|*.webp) continue ;;
+              esac
+              size=$(stat -c%s "$f" 2>/dev/null || stat -f%z "$f" 2>/dev/null || echo 0)
+              if [ "$size" -gt 2097152 ]; then continue; fi
+              stripped=$(sed -E "s#$EXCEPTION_RE##gI" "$f" 2>/dev/null || true)
+              if printf '%s' "$stripped" | grep -qiE "$LEAK_RE"; then
+                  echo "::error file=$f::AI-attribution leak in tracked content"
+                  printf '%s' "$stripped" | grep -niE "$LEAK_RE" | head -3 | sed 's/^/    /'
+                  found=1
+              fi
+          done < <(git ls-files)
+
+          if [ "$found" = "1" ]; then
+              echo ""
+              echo "These mentions must not reach a public surface."
+              echo "Allowed exceptions (already filtered): protocol identifiers (anthropic://"
+              echo "and siblings), vendor SDK package names (@anthropic-ai/sdk, openai),"
+              echo "canonical env-var names (ANTHROPIC_API_KEY, OPENAI_API_KEY)."
+              exit 1
+          fi
+          echo "OK: no AI-attribution leaks in tracked content."

package/.github/workflows/vendored-cve.yml

@@ -25,10 +25,10 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '22'
 

package/CHANGELOG.md

@@ -6,6 +6,14 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html),
 and is generated by [Changie](https://github.com/miniscruff/changie).
 
 
+## 0.3.10 - 2026-05-06
+### Added
+* Reverse-proxy path-prefix awareness via the standard `X-Forwarded-Prefix` request header. When a reverse proxy (nginx, Traefik, etc.) mounts the bundle on a sub-path and forwards `proxy_set_header X-Forwarded-Prefix /sub;`, the framework composes a public webroot (proxy prefix + bundle internal `server.webroot`) and templates that into `gina.config.webroot`. Client-side URL construction (`/_gina/assets/routing.json` fetch, the `gina.min.css` link injection, etc.) now targets the correct upstream through the proxy instead of root-relative URLs that would route to whichever bundle answered `/`. Header value is normalised (leading slash, trailing slashes stripped, empty / "/" dropped); back-compat preserved when the header is absent.
+### Fixed
+* FormValidator binding for HTML5 form-reassociated controls (`form="X"` attribute) — `bindForm` now uses `HTMLFormControlsCollection` (`form.elements`) for owner-aware control collection, attaches per-control listeners on reassociated controls (out-of-tree controls whose events don't bubble to the form), and `unbindForm` symmetrically drains the side-table on cleanup. Parent forms no longer accidentally collect descendants reassociated to other forms.
+* FormValidator radio mutual-exclusion grouping for HTML5 form-reassociated controls (`form="X"` attribute). `updateRadio` now scopes the peer set by form-owner — same-name radios in different form-owners are no longer cross-fired into each other's mutual-exclusion loop — and reconciles the IDL `.checked` property with the `checked` HTML attribute on init when they disagree, recovering author intent for radios that surface the parse-time IDL/attribute desync browsers produce in mixed DOM-tree + form-owner layouts.
+* FormValidator restoring the wrong radio option on form-reset for HTML5 form-reassociated controls — sister fix to the `updateRadio` parse-time IDL/attribute reconciliation. `bindForm`'s `fieldsSet[id].defaultChecked` cache now reads the IDL `defaultChecked` property (which mirrors the HTML `checked` content attribute) instead of the live `.checked`. For form-reassociated radios hit by Chromium's parse-time IDL desync, `.checked` reads FALSE at bind time despite the attribute being present, so the cache would hold the wrong default and a `type="reset"` action on the form would clear the originally-checked option. No-op for the normal single-form-owner shape.
+
 ## 0.3.9 - 2026-05-04
 ### Added
 * Add a `process.gina._bundleFilterWraps[bundleName]` hook so bundles can wrap nunjucks filters at render time. Bundle-level monkey-patches on `lib.nunjucksFilters` do not survive `refreshCore()` (which creates a fresh lib singleton ~per-request in dev mode); the framework now applies registered wraps inside `registerGinaFilters` after the per-request filter factory runs.
@@ -32,7 +40,7 @@ and is generated by [Changie](https://github.com/miniscruff/changie).
 
 ## 0.3.7-alpha.10 - 2026-04-26 (npm only — no git tag)
 ### Fixed
-* `gina.plugins.Session()` no longer clobbers the wrapper's `Function.name` property. Bundles that introspect the wrapper (`require('gina').plugins.Session(require('express-session')).name`) now see `'session'` (matching upstream) instead of `'ginaSession'`. Achieved via a small refactor: the outer wrapper delegates to an inner `ginaSessionDispatch` named function, with `Object.defineProperty(wrapped, 'name', { value: expressSession.name, configurable: true })` overriding the outer `.name`. The inner `ginaSessionDispatch` frame stays visible in stack traces, so gina remains detectable for debugging while the public-facing identity is the upstream's. Static-surface preservation (`Store`, `MemoryStore`, `Session`, `Cookie`) and the SameSite=None invariant are unchanged. 2 new unit tests in `test/core/session-plugin.test.js` (drop-in identity assertion + stack-trace visibility lock). Full suite 3768/3768 (3766 baseline + 2 new). Surfaced from a freelancer/v3 session: "Gina's wrapper clobbering expressSession.name — is an upstream concern".
+* `gina.plugins.Session()` no longer clobbers the wrapper's `Function.name` property. Bundles that introspect the wrapper (`require('gina').plugins.Session(require('express-session')).name`) now see `'session'` (matching upstream) instead of `'ginaSession'`. Achieved via a small refactor: the outer wrapper delegates to an inner `ginaSessionDispatch` named function, with `Object.defineProperty(wrapped, 'name', { value: expressSession.name, configurable: true })` overriding the outer `.name`. The inner `ginaSessionDispatch` frame stays visible in stack traces, so gina remains detectable for debugging while the public-facing identity is the upstream's. Static-surface preservation (`Store`, `MemoryStore`, `Session`, `Cookie`) and the SameSite=None invariant are unchanged. 2 new unit tests in `test/core/session-plugin.test.js` (drop-in identity assertion + stack-trace visibility lock). Full suite 3768/3768 (3766 baseline + 2 new). Surfaced from a consumer-app session: "Gina's wrapper clobbering expressSession.name — is an upstream concern".
 ### Security
 * `gina.plugins.Csrf()` now layers an Origin/Referer pre-filter ON TOP of the signed double-submit token verify (`#CSRF3`). On every mutating request (POST/PUT/PATCH/DELETE) the middleware reads `Origin` first, falls back to parsing the host out of `Referer` when `Origin` is absent (or is the literal `"null"` sentinel browsers send for sandboxed iframes), and matches the result against `settings.json > csrf.allowedOrigins`. Both headers missing → 403 `[csrf] forbidden — missing origin/referer`. Mismatch → 403 `[csrf] forbidden — origin not allowed`. The token verify only runs after the Origin check passes, so a forged token + matching cookie still gets rejected when the request didn't come from an allowed origin (token layer ≠ Origin layer). Per-route `csrfExempt: true` bypasses BOTH layers consistently. New `settings.json` key `csrf.allowedOrigins`: empty/unset defaults to `[bundleHostname]` (auto-derived from `conf[bundle][env].hostname` or composed from `server.scheme + host + server.port`); non-empty replaces the default with an explicit allowlist for multi-domain bundles. Entries are matched literally case-insensitive after parsing down to `scheme://host[:port]` — different scheme on the same host doesn't match (`http://example.com` ≠ `https://example.com`); different port doesn't match. Factory throws at startup when `csrf.allowedOrigins` is empty AND no bundle hostname can be resolved — error message points at both fixes. 54 new unit tests (parser helpers, allowlist precedence, behavioural matrix Origin × Referer × allowlist, scheme/port discrimination, `Origin: "null"` sentinel handling, negative-invariant lock that matching token + mismatching Origin still 403s, exempt interaction, source-inspection guards pinning the pre-filter ordering); full suite 3822/3822 (prior 3768 + 54). Closes the three-phase CSRF trilogy started by `#CSRF1` (cookie hardening, alpha.8) and `#CSRF2` (signed double-submit token, alpha.9).
 
@@ -60,7 +68,7 @@ and is generated by [Changie](https://github.com/miniscruff/changie).
 ## 0.3.7-alpha.6 - 2026-04-24 (npm only — no git tag)
 ### Security
 * Restored CVE visibility on vendored deps. `gina@0.3.7-alpha.5` stripped `dependencies`/`devDependencies`/`scripts` from `core/deps/busboy-1.6.0/package.json` and `core/deps/streamsearch-1.1.0/package.json` to reduce Socket's dep-count display — but the strip also removed the dep-graph edge that Socket, Dependabot, and `npm audit` follow to associate the vendored copies with their CVE records. Vendored copies of upstream packages are supply-chain surface exactly like npm-installed ones; stripping the metadata hid them from the tools meant to alert on them. Both files are now byte-identical to their upstream npm tarballs again. Pinning discipline going forward: the vendored `package.json` stays byte-identical to upstream until a local patch is applied; on patch, bump `version` to `<upstream>-rhinostone.N` (e.g. `1.6.0-rhinostone.1`) so CVE scanners still match the base version and readers see at a glance that the copy has diverged. Also adds an OSV-based CI scan (`.github/workflows/vendored-cve.yml`) that walks every `core/deps/*/package.json` and every `framework/v*/package.json`, queries `api.osv.dev` for each `(name, version)` pair, and fails the build on any matched vulnerability — belt-and-suspenders, independent of whichever third-party scanner happens to be in use. Runs on push to `develop`/`master`, weekly Sunday cron, and manual dispatch.
-* Replaced four `eval(...)` call sites in the validator plugin with safe, grammar-locked equivalents (#SCS1e, bucket (c) partial progress). `core/plugins/lib/validator/src/main.js:2603` — `eval('gina.forms.rules.' + customRule)` replaced with a dot-path walker. `customRule` is read from the user-controlled `data-gina-form-rule` HTML attribute; the old eval executed anything that parsed as JS, so a crafted attribute like `constructor.constructor("return process.exit()")()` would fire on lookup. The walker rejects any character outside `[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*` and returns undefined on missing path (falling through to the existing "no rule found" error). `core/plugins/lib/validator/src/form-validator.js:161` — `eval('data.' + localValue)` in `compileError()` replaced with a dot+bracket path walker. `localValue` is derived from `{{...}}` placeholders in error messages; the transforms at lines 152-158 produce `ident (. ident | ["quoted"])*`, and the walker rejects anything outside that shape. `core/plugins/lib/validator/src/form-validator.js:893` — the regex-literal branch of `is()` replaced with `new RegExp(body, flags).test(value)`. Parses `/<body>/<flags>` only; `/<body>/` without flags or any non-regex input throws. `core/plugins/lib/validator/src/form-validator.js:895` — the binary-compare branch of `is()` replaced with a regex-based evaluator over the closed grammar `<operand><op><operand>` where operand is in `{number, "string", true, false, null, undefined}` and op is in `{===, !==, ==, !=, <, >, <=, >=}`. After `$var` substitution (lines 910-920) and paren/return strip (line 925), real Freelancer v3 conditions (15 regex literals + 11 binary comparisons) all match the two grammars. Any input outside the grammars (arithmetic, function calls, semicolon injection, throw injection) is rejected. Seven validator-plugin sites remain deferred pending a separate design pass (`form-validator.js:919`, `:1722`, `main.js:2320`, `:2329`, `:2931`, `:2947`, `:2959`). Verified by +69 tests in `test/lib/validator-scs1e.test.js` (source inspection, behavioural parity against corpus, injection rejection).
+* Replaced four `eval(...)` call sites in the validator plugin with safe, grammar-locked equivalents (#SCS1e, bucket (c) partial progress). `core/plugins/lib/validator/src/main.js:2603` — `eval('gina.forms.rules.' + customRule)` replaced with a dot-path walker. `customRule` is read from the user-controlled `data-gina-form-rule` HTML attribute; the old eval executed anything that parsed as JS, so a crafted attribute like `constructor.constructor("return process.exit()")()` would fire on lookup. The walker rejects any character outside `[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*` and returns undefined on missing path (falling through to the existing "no rule found" error). `core/plugins/lib/validator/src/form-validator.js:161` — `eval('data.' + localValue)` in `compileError()` replaced with a dot+bracket path walker. `localValue` is derived from `{{...}}` placeholders in error messages; the transforms at lines 152-158 produce `ident (. ident | ["quoted"])*`, and the walker rejects anything outside that shape. `core/plugins/lib/validator/src/form-validator.js:893` — the regex-literal branch of `is()` replaced with `new RegExp(body, flags).test(value)`. Parses `/<body>/<flags>` only; `/<body>/` without flags or any non-regex input throws. `core/plugins/lib/validator/src/form-validator.js:895` — the binary-compare branch of `is()` replaced with a regex-based evaluator over the closed grammar `<operand><op><operand>` where operand is in `{number, "string", true, false, null, undefined}` and op is in `{===, !==, ==, !=, <, >, <=, >=}`. After `$var` substitution (lines 910-920) and paren/return strip (line 925), real consumer-app conditions (15 regex literals + 11 binary comparisons) all match the two grammars. Any input outside the grammars (arithmetic, function calls, semicolon injection, throw injection) is rejected. Seven validator-plugin sites remain deferred pending a separate design pass (`form-validator.js:919`, `:1722`, `main.js:2320`, `:2329`, `:2931`, `:2947`, `:2959`). Verified by +69 tests in `test/lib/validator-scs1e.test.js` (source inspection, behavioural parity against corpus, injection rejection).
 
 ## 0.3.7-alpha.5 - 2026-04-23 (npm only — no git tag)
 ### Changed
@@ -98,8 +106,8 @@ and is generated by [Changie](https://github.com/miniscruff/changie).
 * `gina bundle:mcp-start --timeout-ms=<n>` — overrides the HTTP dispatch timeout for a single MCP server process. Also reads `mcp.json > server > timeoutMs` when the CLI flag is absent. Precedence: `--timeout-ms` > manifest > 30 000 ms default. Non-numeric / non-positive values at any layer fall through to the next layer with a stderr warning, so a malformed override cannot silently disable the timeout. The resolved value is surfaced in the startup info line (`Dispatch target: <url> (timeout: <n> ms)`) for operator visibility. The previous hardcoded 30 s default still applies when neither override is set.
 * Dual-mode Inspector statusbar link — the dev-mode statusbar now prefers the standalone Inspector SPA when `config/settings.json > inspector.url` is set on a bundle (e.g. `"inspector": {"url": "http://localhost:4200/inspector/"}`), opening it in a new tab with `?target=<this-origin+webroot>` pre-filled. When unset, the link falls back to the legacy embedded popup at `{webroot}/_gina/inspector/` with its persisted geometry — existing behaviour is unchanged. The resolved URL is exposed to the client shim via `window.__ginaData.gina.inspectorUrl`, injected by both `controller.render-swig.js` and `controller.render-json.js` so HTML and XHR-driven pages agree on the target. Cross-origin support for the standalone SPA is rounded out by adding `access-control-allow-origin: *` to the two remaining `/_gina/*` handlers that still lacked it — the Inspector SPA asset route (`/_gina/inspector/*`) and the log stream (`/_gina/logs`) — in both `server.isaac.js` and `server.js` so the SPA can pull CSS/JS/fonts and subscribe to the SSE logs from a different origin than the target bundle.
 * Dual-mode resolution for `gina inspector:open` — the command now picks the Inspector URL the same way the dev-mode statusbar does since `0.3.7-alpha.2`. Resolution order: (1) `--url=<url>` CLI override, (2) the bundle's `config/settings.json > inspector.url` (e.g. `"inspector": {"url": "http://localhost:4200/inspector/"}`), (3) the embedded popup at `<target>/_gina/inspector/` (legacy fallback, unchanged). In every case the target bundle origin is passed as `?target=<origin>` so the standalone SPA knows which bundle to drive. The `--url` flag is the escape hatch when the Inspector is reachable at an address not declared in the bundle config. When `--port` is used alone (no project/bundle context) and `--url` is not passed, the embedded path is kept — there is no config to read.
-* `gina inspector:open` now accepts a full `http(s)://` URL as the positional target — useful when bundles run on Docker or a remote environment while the Inspector SPA runs on the host (e.g. `gina inspector:open https://v3-local.example.com/api/`). The URL is used as the target origin directly; project and bundle resolution are skipped, mirroring the `--port` short-circuit. A new per-user fallback was also added to the Inspector URL resolution chain: `~/.gina/<shortVersion>/settings.json > inspector.url`. Set it once and every invocation without `--url=` uses the same standalone SPA origin. Full resolution order: (1) `--url=<url>`, (2) bundle `config/settings.json > inspector.url`, (3) global `~/.gina/<shortVersion>/settings.json > inspector.url`, (4) embedded popup at `<target>/_gina/inspector/`.
-* `gina service:list` — lists framework-internal services (bundles registered under `@gina`) with their name, preferred dev port, src-existence status, and current running state. Running state is probed from `~/.gina/run/<service>@gina.pid` combined with `process.kill(pid, 0)`; stale pidfiles report the service as stopped without being auto-deleted (clean-up stays with `bundle:stop`). Ports are read from `~/.gina/ports.reverse.json` and the preferred one picked by the `http/2.0 https` → `http/1.1 https` → `http/1.1 http` precedence (dev env first, then the first env present). Supports `--format=json` for scripting, and tolerates a missing or malformed `ports.reverse.json` without erroring. `@gina` is the only project accepted for now — `gina service:list @freelancer` is rejected with a clear message; user-defined services are not a surface yet. Ships with a new cmd group at `framework/v*/lib/cmd/service/` (`list.js`, `help.js`, `help.txt`) registered in the `bin/cli` offline allowlist, and 37 source-inspection unit tests in `test/lib/service-list.test.js`.
+* `gina inspector:open` now accepts a full `http(s)://` URL as the positional target — useful when bundles run on Docker or a remote environment while the Inspector SPA runs on the host (e.g. `gina inspector:open https://local.example.com/api/`). The URL is used as the target origin directly; project and bundle resolution are skipped, mirroring the `--port` short-circuit. A new per-user fallback was also added to the Inspector URL resolution chain: `~/.gina/<shortVersion>/settings.json > inspector.url`. Set it once and every invocation without `--url=` uses the same standalone SPA origin. Full resolution order: (1) `--url=<url>`, (2) bundle `config/settings.json > inspector.url`, (3) global `~/.gina/<shortVersion>/settings.json > inspector.url`, (4) embedded popup at `<target>/_gina/inspector/`.
+* `gina service:list` — lists framework-internal services (bundles registered under `@gina`) with their name, preferred dev port, src-existence status, and current running state. Running state is probed from `~/.gina/run/<service>@gina.pid` combined with `process.kill(pid, 0)`; stale pidfiles report the service as stopped without being auto-deleted (clean-up stays with `bundle:stop`). Ports are read from `~/.gina/ports.reverse.json` and the preferred one picked by the `http/2.0 https` → `http/1.1 https` → `http/1.1 http` precedence (dev env first, then the first env present). Supports `--format=json` for scripting, and tolerates a missing or malformed `ports.reverse.json` without erroring. `@gina` is the only project accepted for now — `gina service:list @otherproject` is rejected with a clear message; user-defined services are not a surface yet. Ships with a new cmd group at `framework/v*/lib/cmd/service/` (`list.js`, `help.js`, `help.txt`) registered in the `bin/cli` offline allowlist, and 37 source-inspection unit tests in `test/lib/service-list.test.js`.
 * `gina connector:list` — lists connectors declared across a project's `shared/config/connectors.json` and every bundle's `config/connectors.json`, with driver install status, range and version-pin info. Three invocation modes: `gina connector:list` (every registered project), `gina connector:list @<project>` (one project, shared + all bundles), `gina connector:list <bundle> @<project>` (merged shared+bundle view that the bundle sees at runtime). Each row shows a status flag (`[ ok ]` installed or Node-builtin, `[ ?! ]` driver declared but not found in `<project>/node_modules/<driver>`, `[ ?? ]` unknown connector type or unrecognised `ai` protocol), the logical name, the resolved connector type, a source label (`[shared]`, `[<bundle>]`, `[<bundle> override]`), and driver details (`<npm>@<range>` + pin + installed version, or `run npm install <npm>` when missing, or `(built-in)` for `node:sqlite`). Driver resolution follows the framework's `peerDependencies`: `couchbase` → `couchbase`, `redis` → `ioredis`, `mysql` → `mysql2`, `postgresql` → `pg`, `mongodb` → `mongodb`, `scylladb` → `@scylladb/scylla-driver`, `sqlite` → built-in `node:sqlite`, `ai` → `@anthropic-ai/sdk` (for `anthropic://`) or `openai` (for `openai://`, `deepseek://`, `qwen://`, `groq://`, `mistral://`, `together://`, `ollama://`, `gemini://`, `xai://`, `perplexity://`). Shared and bundle-level overlay is key-level with bundle winning on conflicting keys, mirroring the runtime merge in `core/config.js`. When two bundles pin the same driver at different `version` values the command emits a trailing `[ !! ] driver \`<name>\` has conflicting \`version\` pins` line — npm resolves `node_modules/<driver>/` to a single version per project, so the first install wins. Supports `--format=json` for scripting with a stable `{project, bundle?, status, connectors: [{project, bundle, name, connector, source, driver, builtin, range, version, installed, installedVersion, note, unresolved}]}` shape. `connectors.json` and `manifest.json` files are parsed with `//` and `/* */` comment tolerance via `requireJSON`. Registered as an offline command — no framework socket required. Ships with a new cmd group at `framework/v*/lib/cmd/connector/` (`list.js`, `help.js`, `help.txt`, `arguments.json`) and 89 source-inspection unit tests in `test/lib/connector-list.test.js`. First of the #CN10 multi-session plan — subsequent sessions add `connector:add`, `connector:rm`, and `connector:migrate`.
 * `gina connector:add` — writes a connector entry to a project's `shared/config/connectors.json` or a bundle's `<bundle-src>/config/connectors.json`. Two invocation modes: `gina connector:add <name> @<project>` (writes to shared) and `gina connector:add <name> <bundle> @<project>` (writes to the bundle, resolved via `manifest.bundles[bundle].src`). Connector type is inferred from `<name>` when it matches one of the six allowed types (`couchbase`, `mysql`, `postgresql`, `sqlite`, `redis`, `ai`), or set explicitly via `--connector=<type>` (or the `--driver=<type>` synonym). Flags cover the common keys: `--host=`, `--connector-port=`, `--database=`, `--username=`, `--password=`, `--scope=` (one of `local`, `beta`, `production`, `testing`), and the AI-specific `--protocol=`, `--model=`, `--api-key=`, `--base-url=`. Driver version pinning via `--driver-version=<range>` writes a `version` field on the entry (new in the `schema/connectors.json`); when set, the printed install hint uses the pin (`npm install ioredis@"^5.0.0"`) instead of the framework's `peerDependencies` range. Preserves any `//` or `/* */` comment header above the first `{`; serialises the body with 4-space indentation; pins `$schema` at the top of the output with the canonical `https://gina.io/schema/connectors.json` URL; preserves existing key order and replaces an overwrite in place (not moved to the bottom). After writing, prints a one-line install hint — `Next: run `npm install <pkg>@"<range>"` inside your project root.` — using `@anthropic-ai/sdk` for `anthropic://` or `openai` for any other OpenAI-compatible AI protocol (`openai://`, `deepseek://`, `qwen://`, `groq://`, `mistral://`, `together://`, `ollama://`, `gemini://`, `xai://`, `perplexity://`). `sqlite` short-circuits to a `No install needed (Node >= 22.5.0 built-in node:sqlite)` note. Refuses to overwrite an existing entry without `--force`. Note on reserved flag names: the CLI uses `--connector-port=` (not `--port=`) because the framework reserves `--port=` for its own socket port, and `--driver-version=` (not `--version=`) because `--version=<value>` would be auto-mapped to `GINA_VERSION` and trigger a framework migration; the written JSON shape still uses `port` and `version` property names. Registered as an offline command — no framework socket required. Ships with 94 source-inspection unit tests in `test/lib/connector-add.test.js`. Second of the #CN10 multi-session plan — follow-ups are `connector:rm` and `connector:migrate` + framework-side auto-migrate hook.
 * `gina connector:rm` — removes a connector entry from a project's `shared/config/connectors.json` or a bundle's `<bundle-src>/config/connectors.json`. Two invocation modes mirror `connector:add`: `gina connector:rm <name> @<project>` (removes from shared) and `gina connector:rm <name> <bundle> @<project>` (removes from the bundle, resolved via `manifest.bundles[bundle].src`). `connector:remove` is accepted as an alias. Flags: `--dry-run` prints what would be removed without touching any file (always exits `0` — includes the sibling-usage warning and driver-retention hint); `--force` skips the project-level usage guard that otherwise refuses to remove a shared connector while any bundle still references it. Bundle-level removals always proceed and leave shared untouched. After removal, prints a driver-retention hint listing any sibling bundles (or shared) that still reference the same driver and a reminder that `gina does not uninstall npm packages`; sqlite is exempt (built-in `node:sqlite`). Attempting to remove from a bundle when the entry lives only in shared prints an "inherited from shared" hint pointing at the right scope. Preserves any `//` or `/* */` comment header above the first `{`; mid-body comments are lost on rewrite (same as `connector:add`). Registered as an offline command — no framework socket required. Ships with 81 source-inspection unit tests in `test/lib/connector-rm.test.js`. Third of the #CN10 multi-session plan — follow-up is `connector:migrate` + framework-side auto-migrate hook.

package/README.md

@@ -22,7 +22,7 @@ Node.js MVC framework with built-in HTTP/2, multi-bundle architecture, and scope
 | ORM / entities | EventEmitter-based entity system; SQL files auto-wired to entity methods |
 | Connectors | Couchbase, MySQL, PostgreSQL, Redis, SQLite, AI (LLM) — loaded from project `node_modules` |
 | AI connector | Any LLM provider via named protocol (`anthropic://`, `openai://`, `ollama://`, …) |
-| Template engine | [`@rhinostone/swig`](https://github.com/gina-io/swig) 1.5.0 — maintained fork with CVE-2023-25345 patched; streaming SSE/chunked via `renderStream()` |
+| Template engine | [`@rhinostone/swig`](https://github.com/gina-io/swig) 1.6.0 — maintained fork with CVE-2023-25345 patched; streaming SSE/chunked via `renderStream()` |
 | Hot reload | WatcherService evicts `require.cache` only on file change — zero per-request overhead in dev |
 | K8s ready | `gina-container`, `gina-init`, SIGTERM drain, JSON stdout logging |
 | Dependency injection | Mockable connectors and config for unit testing |
@@ -37,14 +37,11 @@ gina bundle:start api @myproject
 open https://localhost:3100
 ```
 
-## What's in 0.3.7
+## What's in 0.3.10
 
-- **Model Context Protocol (MCP) support** — `gina bundle:mcp` generates an MCP tool manifest (`mcp.json`) from `routing.json`. `gina bundle:mcp-start` runs a live MCP server over stdio (JSON-RPC 2.0) that dispatches `tools/call` as real HTTP requests against the running bundle. Any Gina app is now consumable by MCP-compatible IDE and agent tooling out of the box. MCP spec revision 2025-06-18
-- **Standalone Inspector SPA + dual-mode resolution** — Inspector can now run as a separate single-page app served from its own origin, with the target bundle passed as `?target=<origin>`. The dev-mode statusbar and `gina inspector:open` both resolve the URL via a 4-level fallback (`--url=` → bundle `config/settings.json > inspector.url` → `~/.gina/<shortVersion>/settings.json > inspector.url` → embedded `<target>/_gina/inspector/`), covering host-SPA + Docker-bundle splits
-- **Inspector Reveal toggle** — dev-mode red-tinted toggle that swaps the redacted `__ginaData` for the unredacted snapshot via `/_gina/reveal`; only bundles running in `local` scope serve it, beta/production/testing return 403. Redactor now tokenizes camelCase so identifiers like `companyName` / `passportRequired` are no longer false-positive-redacted
-- **`service:list` + `bundle:list` port and running-state columns** — both commands now show each bundle's preferred dev port and whether the process is alive, read from `~/.gina/ports.reverse.json` and `~/.gina/run/<bundle>@<project>.pid`
-- **Explicit exports from `require('gina')`** — every framework-injected global (`getContext`, `_`, `requireJSON`, `merge`, …) is now also reachable as a named property on `require('gina')` / `require('gina/gna')`, with JSDoc and auto-generated `types/gna.d.ts`. Runtime globals unchanged
-- See 0.3.6 for Inspector payload redaction + CORS preflight fix, and 0.3.5 for the swig 1.5.0 security extension
+- **FormValidator HTML5 form-reassociation hardening** — trilogy of fixes for `<input form="X">` controls. `bindForm` now uses `HTMLFormControlsCollection` (`form.elements`) for owner-aware control collection and attaches per-control listeners on out-of-tree reassociated controls; `unbindForm` symmetrically drains the side-table on cleanup. `updateRadio` scopes the mutual-exclusion peer set by form-owner — same-name radios in different form-owners are no longer cross-fired into each other's loop — and reconciles the IDL `.checked` with the HTML `checked` attribute on init when they disagree. `bindForm`'s `fieldsSet[id].defaultChecked` cache reads the IDL `defaultChecked` property (which mirrors the HTML attribute regardless of the live IDL state) instead of the live `.checked`, so a `type="reset"` action correctly restores the originally-checked option. No-op for the normal single-form-owner shape — only changes behaviour in the form-reassociation layouts that were broken.
+- **`X-Forwarded-Prefix` reverse-proxy support** — when a reverse proxy (nginx, Traefik) mounts the bundle on a sub-path and forwards `proxy_set_header X-Forwarded-Prefix /sub;`, the framework composes a public webroot (proxy prefix + bundle internal `server.webroot`) and templates it into `gina.config.webroot`. Client-side URL construction (`/_gina/assets/routing.json` fetch, `gina.min.css` link injection, etc.) now targets the correct upstream through the proxy instead of root-relative URLs that route to whichever bundle answered `/`. Header value is normalised (leading slash, trailing slashes stripped, empty / `"/"` dropped); back-compat preserved when the header is absent.
+- See 0.3.9 for the consumer-feedback 11-patch batch (per-request middleware dispatch isolation · Couchbase 4.x JsonTranscoder · `length` filter null safety · `process.env` mirroring · 6 nunjucks render-pipeline patches), and 0.3.8 for the install-script regression hotfix.
 
 See the full [Changelog](./CHANGELOG.md) and [Roadmap](./ROADMAP.md).
 

package/ROADMAP.md

@@ -22,6 +22,7 @@ This roadmap covers planned features, architectural improvements, new connectors
 | **Q4 2026** | `0.3.7` ✅ | Web Security CSRF trilogy (#CSRF1/2/3) · Nunjucks template engine opt-in (#NJ1–#NJ4) · Eval-safety hardening (#SCS1) · MCP server (#AI8 stdio + HTTP transports) · `connector:*` CLI (#CN10) · vendored-dep CVE-visibility lock · psl/optimist removal · Session.name drop-in identity |
 | **Q4 2026** | `0.3.8` ✅ | Patch: `npm install -g gina@latest` regression fix — `psl` + `@rhinostone/swig` promoted to top-level deps · install scripts decoupled from framework `lib` registry · helpers preload guarding `lib/logger` ↔ `framework/v*/helpers` circular dep |
 | **Q2 2026** | `0.3.9` ✅ | Consumer-feedback batch (11 framework patches): per-request middleware dispatch isolation · Couchbase 4.x JsonTranscoder · `length` filter null safety · `process.env` mirroring · 6 nunjucks render-pipeline patches (libRef fallback · namespace prefix drop · bundle filter wraps · top-level userData · `data.data` alias · ginaLoader placeholders) · `getAssets` mid-URL `{{ }}` strip-guard anchor |
+| **Q2 2026** | `0.3.10` ✅ | FormValidator HTML5 form-reassociation hardening trilogy (`HTMLFormControlsCollection`-based `bindForm` + `unbindForm` symmetry · radio mutual-exclusion + IDL/attribute reconciliation · `defaultChecked` cache for reset) · `X-Forwarded-Prefix` reverse-proxy path-prefix awareness |
 | **Q4 2026** | `0.4.0` | AI agents (MCP) · ScyllaDB connector · PWA scaffold · Prometheus metrics · Advanced tutorial · Website redesign · Docs offline ZIP · Bun investigation · Couchbase v2 removal · HTTP/2 hardening · Trailer support · CLI Tier 2 (bundle/project status, rename, copy, protocol:remove, minions) |
 | **Q1 2027** | `0.5.0` | ESM support · Template engine migration · Structured logging · Alt-Svc · HTTP/2 priorities · WebSocket over HTTP/2 · Inspector Production · CLI Tier 3 (project:move, framework:update, backup/restore, man pages) |
 | **Q3 2027** | `1.0.0` | First stable release — Windows alpha compatibility is a hard gate |

package/framework/v0.3.10/VERSION

@@ -0,0 +1 @@
+0.3.10