gina 0.4.6 → 0.4.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (470) hide show
  1. package/CHANGELOG.md +10 -0
  2. package/README.md +6 -8
  3. package/ROADMAP.md +2 -2
  4. package/framework/v0.4.7/VERSION +1 -0
  5. package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/csp/README.md +57 -2
  6. package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/csp/src/main.js +192 -27
  7. package/framework/{v0.4.6 → v0.4.7}/core/server.isaac.js +153 -5
  8. package/framework/{v0.4.6 → v0.4.7}/core/server.js +14 -0
  9. package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle/config/settings.server.json +3 -1
  10. package/framework/{v0.4.6 → v0.4.7}/core/template/conf/settings.json +15 -2
  11. package/framework/{v0.4.6 → v0.4.7}/lib/index.js +14 -0
  12. package/framework/v0.4.7/lib/ws-framing/package.json +10 -0
  13. package/framework/v0.4.7/lib/ws-framing/src/main.js +664 -0
  14. package/framework/v0.4.7/lib/ws-session/package.json +10 -0
  15. package/framework/v0.4.7/lib/ws-session/src/main.js +422 -0
  16. package/framework/{v0.4.6 → v0.4.7}/package.json +1 -1
  17. package/gna.js +4 -4
  18. package/llms.txt +9 -3
  19. package/package.json +2 -2
  20. package/playwright.config.js +4 -2
  21. package/framework/v0.4.6/VERSION +0 -1
  22. /package/framework/{v0.4.6 → v0.4.7}/AUTHORS +0 -0
  23. /package/framework/{v0.4.6 → v0.4.7}/LICENSE +0 -0
  24. /package/framework/{v0.4.6 → v0.4.7}/core/asset/html/nolayout.html +0 -0
  25. /package/framework/{v0.4.6 → v0.4.7}/core/asset/html/static.html +0 -0
  26. /package/framework/{v0.4.6 → v0.4.7}/core/asset/img/android-chrome-192x192.png +0 -0
  27. /package/framework/{v0.4.6 → v0.4.7}/core/asset/img/android-chrome-512x512.png +0 -0
  28. /package/framework/{v0.4.6 → v0.4.7}/core/asset/img/apple-touch-icon.png +0 -0
  29. /package/framework/{v0.4.6 → v0.4.7}/core/asset/img/favicon-16x16.png +0 -0
  30. /package/framework/{v0.4.6 → v0.4.7}/core/asset/img/favicon-32x32.png +0 -0
  31. /package/framework/{v0.4.6 → v0.4.7}/core/asset/img/favicon.ico +0 -0
  32. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/README.md +0 -0
  33. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/beemaster/beemaster.css +0 -0
  34. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/beemaster/beemaster.js +0 -0
  35. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/beemaster/index.html +0 -0
  36. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/css/gina.min.css +0 -0
  37. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/css/gina.min.css.br +0 -0
  38. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/css/gina.min.css.gz +0 -0
  39. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/html/statusbar.html +0 -0
  40. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/html/statusbar.html.br +0 -0
  41. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/html/statusbar.html.gz +0 -0
  42. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/inspector/have_heart_one-webfont.woff2 +0 -0
  43. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/inspector/index.html +0 -0
  44. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/inspector/inspector.css +0 -0
  45. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/inspector/inspector.js +0 -0
  46. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/inspector/logo.svg +0 -0
  47. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/js/gina.js +0 -0
  48. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/js/gina.min.js +0 -0
  49. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/js/gina.min.js.br +0 -0
  50. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/js/gina.min.js.gz +0 -0
  51. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/js/gina.onload.min.js +0 -0
  52. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/js/gina.onload.min.js.br +0 -0
  53. /package/framework/{v0.4.6 → v0.4.7}/core/asset/plugin/dist/vendor/gina/js/gina.onload.min.js.gz +0 -0
  54. /package/framework/{v0.4.6 → v0.4.7}/core/config.js +0 -0
  55. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/ai/index.js +0 -0
  56. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/ai/lib/connector.js +0 -0
  57. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/couchbase/index.js +0 -0
  58. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/couchbase/lib/connector.js +0 -0
  59. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/couchbase/lib/connector.v3.js +0 -0
  60. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/couchbase/lib/connector.v4.js +0 -0
  61. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/couchbase/lib/n1ql.js +0 -0
  62. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/couchbase/lib/session-store.js +0 -0
  63. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/couchbase/lib/session-store.v3.js +0 -0
  64. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/couchbase/lib/session-store.v4.js +0 -0
  65. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/mongodb/index.js +0 -0
  66. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/mongodb/lib/connector.js +0 -0
  67. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/mongodb/lib/pipeline-loader.js +0 -0
  68. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/mongodb/lib/session-store.js +0 -0
  69. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/mysql/index.js +0 -0
  70. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/mysql/lib/connector.js +0 -0
  71. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/postgresql/index.js +0 -0
  72. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/postgresql/lib/connector.js +0 -0
  73. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/redis/index.js +0 -0
  74. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/redis/lib/session-store.js +0 -0
  75. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/scylladb/index.js +0 -0
  76. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/scylladb/lib/connector.js +0 -0
  77. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/scylladb/lib/session-store.js +0 -0
  78. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/sql-parser.js +0 -0
  79. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/sqlite/index.js +0 -0
  80. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/sqlite/lib/connector.js +0 -0
  81. /package/framework/{v0.4.6 → v0.4.7}/core/connectors/sqlite/lib/session-store.js +0 -0
  82. /package/framework/{v0.4.6 → v0.4.7}/core/content.encoding +0 -0
  83. /package/framework/{v0.4.6 → v0.4.7}/core/controller/controller.framework.js +0 -0
  84. /package/framework/{v0.4.6 → v0.4.7}/core/controller/controller.js +0 -0
  85. /package/framework/{v0.4.6 → v0.4.7}/core/controller/controller.render-json.js +0 -0
  86. /package/framework/{v0.4.6 → v0.4.7}/core/controller/controller.render-nunjucks-async.js +0 -0
  87. /package/framework/{v0.4.6 → v0.4.7}/core/controller/controller.render-nunjucks.js +0 -0
  88. /package/framework/{v0.4.6 → v0.4.7}/core/controller/controller.render-stream.js +0 -0
  89. /package/framework/{v0.4.6 → v0.4.7}/core/controller/controller.render-swig-async.js +0 -0
  90. /package/framework/{v0.4.6 → v0.4.7}/core/controller/controller.render-swig.js +0 -0
  91. /package/framework/{v0.4.6 → v0.4.7}/core/controller/controller.render-v1.js +0 -0
  92. /package/framework/{v0.4.6 → v0.4.7}/core/controller/index.js +0 -0
  93. /package/framework/{v0.4.6 → v0.4.7}/core/controller/inspector-window-emit.js +0 -0
  94. /package/framework/{v0.4.6 → v0.4.7}/core/deps/busboy-1.6.0/LICENSE +0 -0
  95. /package/framework/{v0.4.6 → v0.4.7}/core/deps/busboy-1.6.0/README.md +0 -0
  96. /package/framework/{v0.4.6 → v0.4.7}/core/deps/busboy-1.6.0/lib/index.js +0 -0
  97. /package/framework/{v0.4.6 → v0.4.7}/core/deps/busboy-1.6.0/lib/types/multipart.js +0 -0
  98. /package/framework/{v0.4.6 → v0.4.7}/core/deps/busboy-1.6.0/lib/types/urlencoded.js +0 -0
  99. /package/framework/{v0.4.6 → v0.4.7}/core/deps/busboy-1.6.0/lib/utils.js +0 -0
  100. /package/framework/{v0.4.6 → v0.4.7}/core/deps/busboy-1.6.0/package.json +0 -0
  101. /package/framework/{v0.4.6 → v0.4.7}/core/deps/streamsearch-1.1.0/LICENSE +0 -0
  102. /package/framework/{v0.4.6 → v0.4.7}/core/deps/streamsearch-1.1.0/lib/sbmh.js +0 -0
  103. /package/framework/{v0.4.6 → v0.4.7}/core/deps/streamsearch-1.1.0/package.json +0 -0
  104. /package/framework/{v0.4.6 → v0.4.7}/core/dev/index.js +0 -0
  105. /package/framework/{v0.4.6 → v0.4.7}/core/dev/lib/class.js +0 -0
  106. /package/framework/{v0.4.6 → v0.4.7}/core/dev/lib/factory.js +0 -0
  107. /package/framework/{v0.4.6 → v0.4.7}/core/dev/lib/tools.js +0 -0
  108. /package/framework/{v0.4.6 → v0.4.7}/core/gna.js +0 -0
  109. /package/framework/{v0.4.6 → v0.4.7}/core/locales/README.md +0 -0
  110. /package/framework/{v0.4.6 → v0.4.7}/core/locales/currency.json +0 -0
  111. /package/framework/{v0.4.6 → v0.4.7}/core/locales/dist/language/en.json +0 -0
  112. /package/framework/{v0.4.6 → v0.4.7}/core/locales/dist/language/fr.json +0 -0
  113. /package/framework/{v0.4.6 → v0.4.7}/core/locales/dist/region/en.json +0 -0
  114. /package/framework/{v0.4.6 → v0.4.7}/core/locales/dist/region/fr.json +0 -0
  115. /package/framework/{v0.4.6 → v0.4.7}/core/locales/index.js +0 -0
  116. /package/framework/{v0.4.6 → v0.4.7}/core/mime.types +0 -0
  117. /package/framework/{v0.4.6 → v0.4.7}/core/model/entity.js +0 -0
  118. /package/framework/{v0.4.6 → v0.4.7}/core/model/index.js +0 -0
  119. /package/framework/{v0.4.6 → v0.4.7}/core/model/template/entityFactory.js +0 -0
  120. /package/framework/{v0.4.6 → v0.4.7}/core/model/template/index.js +0 -0
  121. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/README.md +0 -0
  122. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/index.js +0 -0
  123. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/csrf/README.md +0 -0
  124. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/csrf/package.json +0 -0
  125. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/csrf/src/main.js +0 -0
  126. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/README.md +0 -0
  127. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/coep/README.md +0 -0
  128. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/coep/package.json +0 -0
  129. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/coep/src/main.js +0 -0
  130. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/coop/README.md +0 -0
  131. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/coop/package.json +0 -0
  132. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/coop/src/main.js +0 -0
  133. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/corp/README.md +0 -0
  134. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/corp/package.json +0 -0
  135. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/corp/src/main.js +0 -0
  136. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/csp/package.json +0 -0
  137. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/hide-powered-by/README.md +0 -0
  138. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/hide-powered-by/package.json +0 -0
  139. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/hide-powered-by/src/main.js +0 -0
  140. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/hsts/README.md +0 -0
  141. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/hsts/package.json +0 -0
  142. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/hsts/src/main.js +0 -0
  143. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/origin-agent-cluster/README.md +0 -0
  144. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/origin-agent-cluster/package.json +0 -0
  145. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/origin-agent-cluster/src/main.js +0 -0
  146. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/package.json +0 -0
  147. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/referrer-policy/README.md +0 -0
  148. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/referrer-policy/package.json +0 -0
  149. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/referrer-policy/src/main.js +0 -0
  150. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/src/main.js +0 -0
  151. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-content-type-options/README.md +0 -0
  152. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-content-type-options/package.json +0 -0
  153. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-content-type-options/src/main.js +0 -0
  154. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-dns-prefetch-control/README.md +0 -0
  155. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-dns-prefetch-control/package.json +0 -0
  156. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-dns-prefetch-control/src/main.js +0 -0
  157. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-download-options/README.md +0 -0
  158. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-download-options/package.json +0 -0
  159. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-download-options/src/main.js +0 -0
  160. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-frame-options/README.md +0 -0
  161. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-frame-options/package.json +0 -0
  162. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-frame-options/src/main.js +0 -0
  163. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-permitted-cross-domain-policies/README.md +0 -0
  164. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-permitted-cross-domain-policies/package.json +0 -0
  165. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-permitted-cross-domain-policies/src/main.js +0 -0
  166. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-xss-protection/README.md +0 -0
  167. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-xss-protection/package.json +0 -0
  168. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/security-headers/x-xss-protection/src/main.js +0 -0
  169. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/session/README.md +0 -0
  170. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/session/package.json +0 -0
  171. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/session/src/main.js +0 -0
  172. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/storage/README.md +0 -0
  173. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/storage/build.json +0 -0
  174. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/storage/package.json +0 -0
  175. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/storage/src/main.js +0 -0
  176. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/validator/README.md +0 -0
  177. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/validator/build.json +0 -0
  178. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/validator/package.json +0 -0
  179. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/validator/src/form-validator.js +0 -0
  180. /package/framework/{v0.4.6 → v0.4.7}/core/plugins/lib/validator/src/main.js +0 -0
  181. /package/framework/{v0.4.6 → v0.4.7}/core/router.js +0 -0
  182. /package/framework/{v0.4.6 → v0.4.7}/core/server.express.js +0 -0
  183. /package/framework/{v0.4.6 → v0.4.7}/core/status.codes +0 -0
  184. /package/framework/{v0.4.6 → v0.4.7}/core/template/_gitignore +0 -0
  185. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle/config/app.json +0 -0
  186. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle/config/connectors.json +0 -0
  187. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle/config/routing.json +0 -0
  188. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle/config/settings.json +0 -0
  189. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle/config/templates.json +0 -0
  190. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle/config/watchers.json +0 -0
  191. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle/controllers/controller.content.js +0 -0
  192. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle/controllers/controller.js +0 -0
  193. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle/controllers/setup.js +0 -0
  194. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle/index.js +0 -0
  195. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle/locales/en.json +0 -0
  196. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_namespace/controllers/controller.js +0 -0
  197. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_public/css/default.css +0 -0
  198. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_public/css/home.css +0 -0
  199. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_public/css/vendor/readme.md +0 -0
  200. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_public/favicon.ico +0 -0
  201. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_public/js/vendor/readme.md +0 -0
  202. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_public/manifest.webmanifest +0 -0
  203. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_public/readme.md +0 -0
  204. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_public/sw.js +0 -0
  205. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_templates/handlers/main.js +0 -0
  206. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_templates/html/content/homepage.html +0 -0
  207. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_templates/html/includes/error-msg-noscript.html +0 -0
  208. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_templates/html/includes/error-msg-outdated-browser.html +0 -0
  209. /package/framework/{v0.4.6 → v0.4.7}/core/template/boilerplate/bundle_templates/html/layouts/main.html +0 -0
  210. /package/framework/{v0.4.6 → v0.4.7}/core/template/command/gina.bat.tpl +0 -0
  211. /package/framework/{v0.4.6 → v0.4.7}/core/template/command/gina.tpl +0 -0
  212. /package/framework/{v0.4.6 → v0.4.7}/core/template/conf/env.json +0 -0
  213. /package/framework/{v0.4.6 → v0.4.7}/core/template/conf/manifest.json +0 -0
  214. /package/framework/{v0.4.6 → v0.4.7}/core/template/conf/package.json +0 -0
  215. /package/framework/{v0.4.6 → v0.4.7}/core/template/conf/statics.json +0 -0
  216. /package/framework/{v0.4.6 → v0.4.7}/core/template/conf/templates.json +0 -0
  217. /package/framework/{v0.4.6 → v0.4.7}/core/template/error/client/json/401.json +0 -0
  218. /package/framework/{v0.4.6 → v0.4.7}/core/template/error/client/json/403.json +0 -0
  219. /package/framework/{v0.4.6 → v0.4.7}/core/template/error/client/json/404.json +0 -0
  220. /package/framework/{v0.4.6 → v0.4.7}/core/template/error/server/html/50x.html +0 -0
  221. /package/framework/{v0.4.6 → v0.4.7}/core/template/error/server/json/500.json +0 -0
  222. /package/framework/{v0.4.6 → v0.4.7}/core/template/error/server/json/503.json +0 -0
  223. /package/framework/{v0.4.6 → v0.4.7}/core/template/extensions/logger/config.json +0 -0
  224. /package/framework/{v0.4.6 → v0.4.7}/helpers/console.js +0 -0
  225. /package/framework/{v0.4.6 → v0.4.7}/helpers/context.js +0 -0
  226. /package/framework/{v0.4.6 → v0.4.7}/helpers/data/LICENSE +0 -0
  227. /package/framework/{v0.4.6 → v0.4.7}/helpers/data/README.md +0 -0
  228. /package/framework/{v0.4.6 → v0.4.7}/helpers/data/package.json +0 -0
  229. /package/framework/{v0.4.6 → v0.4.7}/helpers/data/src/main.js +0 -0
  230. /package/framework/{v0.4.6 → v0.4.7}/helpers/dateFormat.js +0 -0
  231. /package/framework/{v0.4.6 → v0.4.7}/helpers/index.js +0 -0
  232. /package/framework/{v0.4.6 → v0.4.7}/helpers/json/LICENSE +0 -0
  233. /package/framework/{v0.4.6 → v0.4.7}/helpers/json/README.md +0 -0
  234. /package/framework/{v0.4.6 → v0.4.7}/helpers/json/package.json +0 -0
  235. /package/framework/{v0.4.6 → v0.4.7}/helpers/json/src/main.js +0 -0
  236. /package/framework/{v0.4.6 → v0.4.7}/helpers/path.js +0 -0
  237. /package/framework/{v0.4.6 → v0.4.7}/helpers/plugins/README.md +0 -0
  238. /package/framework/{v0.4.6 → v0.4.7}/helpers/plugins/package.json +0 -0
  239. /package/framework/{v0.4.6 → v0.4.7}/helpers/plugins/src/api-error.js +0 -0
  240. /package/framework/{v0.4.6 → v0.4.7}/helpers/plugins/src/main.js +0 -0
  241. /package/framework/{v0.4.6 → v0.4.7}/helpers/prototypes.js +0 -0
  242. /package/framework/{v0.4.6 → v0.4.7}/helpers/task.js +0 -0
  243. /package/framework/{v0.4.6 → v0.4.7}/helpers/text.js +0 -0
  244. /package/framework/{v0.4.6 → v0.4.7}/lib/archiver/README.md +0 -0
  245. /package/framework/{v0.4.6 → v0.4.7}/lib/archiver/build.json +0 -0
  246. /package/framework/{v0.4.6 → v0.4.7}/lib/archiver/package.json +0 -0
  247. /package/framework/{v0.4.6 → v0.4.7}/lib/archiver/src/dep/jszip.min.js +0 -0
  248. /package/framework/{v0.4.6 → v0.4.7}/lib/archiver/src/main.js +0 -0
  249. /package/framework/{v0.4.6 → v0.4.7}/lib/async/package.json +0 -0
  250. /package/framework/{v0.4.6 → v0.4.7}/lib/async/src/main.js +0 -0
  251. /package/framework/{v0.4.6 → v0.4.7}/lib/cache/README.md +0 -0
  252. /package/framework/{v0.4.6 → v0.4.7}/lib/cache/build.json +0 -0
  253. /package/framework/{v0.4.6 → v0.4.7}/lib/cache/package.json +0 -0
  254. /package/framework/{v0.4.6 → v0.4.7}/lib/cache/src/main.js +0 -0
  255. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/aliases.json +0 -0
  256. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/add.js +0 -0
  257. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/arguments.json +0 -0
  258. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/build.js +0 -0
  259. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/copy.js +0 -0
  260. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/cp.js +0 -0
  261. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/help.js +0 -0
  262. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/help.txt +0 -0
  263. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/inc/name-rewrite.js +0 -0
  264. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/list.js +0 -0
  265. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/mcp-start.js +0 -0
  266. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/mcp.js +0 -0
  267. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/oas.js +0 -0
  268. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/openapi.js +0 -0
  269. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/remove.js +0 -0
  270. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/rename.js +0 -0
  271. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/restart.js +0 -0
  272. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/rm.js +0 -0
  273. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/start.js +0 -0
  274. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/status.js +0 -0
  275. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/bundle/stop.js +0 -0
  276. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/cache/stats.js +0 -0
  277. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/connector/add.js +0 -0
  278. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/connector/arguments.json +0 -0
  279. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/connector/help.js +0 -0
  280. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/connector/help.txt +0 -0
  281. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/connector/list.js +0 -0
  282. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/connector/migrate.js +0 -0
  283. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/connector/remove.js +0 -0
  284. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/connector/rm.js +0 -0
  285. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/env/add.js +0 -0
  286. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/env/get.js +0 -0
  287. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/env/help.js +0 -0
  288. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/env/help.txt +0 -0
  289. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/env/link-dev.js +0 -0
  290. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/env/list.js +0 -0
  291. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/env/remove.js +0 -0
  292. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/env/rm.js +0 -0
  293. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/env/set.js +0 -0
  294. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/env/unset.js +0 -0
  295. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/env/use.js +0 -0
  296. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/arguments.json +0 -0
  297. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/build.js +0 -0
  298. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/dot.js +0 -0
  299. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/get.js +0 -0
  300. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/help.js +0 -0
  301. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/help.txt +0 -0
  302. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/init.js +0 -0
  303. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/link-node-modules.js +0 -0
  304. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/link.js +0 -0
  305. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/msg.json +0 -0
  306. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/open.js +0 -0
  307. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/restart.js +0 -0
  308. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/set.js +0 -0
  309. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/start.js +0 -0
  310. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/status.js +0 -0
  311. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/stop.js +0 -0
  312. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/tail.js +0 -0
  313. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/update.js +0 -0
  314. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/framework/version.js +0 -0
  315. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/gina-dev.1.md +0 -0
  316. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/gina-framework.1.md +0 -0
  317. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/gina.1.md +0 -0
  318. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/helper.js +0 -0
  319. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/i18n/add.js +0 -0
  320. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/i18n/arguments.json +0 -0
  321. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/i18n/export.js +0 -0
  322. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/i18n/help.js +0 -0
  323. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/i18n/help.txt +0 -0
  324. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/i18n/import.js +0 -0
  325. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/i18n/scan.js +0 -0
  326. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/index.js +0 -0
  327. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/inspector/help.js +0 -0
  328. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/inspector/help.txt +0 -0
  329. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/inspector/open.js +0 -0
  330. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/minion/arguments.json +0 -0
  331. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/minion/help.js +0 -0
  332. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/minion/help.txt +0 -0
  333. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/minion/kill.js +0 -0
  334. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/minion/list.js +0 -0
  335. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/msg.json +0 -0
  336. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/port/help.js +0 -0
  337. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/port/help.txt +0 -0
  338. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/port/inc/scan.js +0 -0
  339. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/port/list.js +0 -0
  340. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/port/reset.js +0 -0
  341. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/port/set.js +0 -0
  342. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/add.js +0 -0
  343. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/arguments.json +0 -0
  344. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/build.js +0 -0
  345. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/help.js +0 -0
  346. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/help.txt +0 -0
  347. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/import.js +0 -0
  348. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/list.js +0 -0
  349. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/move.js +0 -0
  350. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/remove.js +0 -0
  351. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/rename.js +0 -0
  352. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/restart.js +0 -0
  353. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/rm.js +0 -0
  354. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/start.js +0 -0
  355. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/status.js +0 -0
  356. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/project/stop.js +0 -0
  357. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/protocol/arguments.json +0 -0
  358. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/protocol/help.js +0 -0
  359. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/protocol/help.txt +0 -0
  360. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/protocol/list.js +0 -0
  361. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/protocol/remove.js +0 -0
  362. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/protocol/set.js +0 -0
  363. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/scope/add.js +0 -0
  364. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/scope/help.js +0 -0
  365. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/scope/help.txt +0 -0
  366. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/scope/link-local.js +0 -0
  367. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/scope/link-production.js +0 -0
  368. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/scope/list.js +0 -0
  369. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/scope/remove.js +0 -0
  370. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/scope/rm.js +0 -0
  371. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/scope/use.js +0 -0
  372. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/secrets/arguments.json +0 -0
  373. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/secrets/check.js +0 -0
  374. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/secrets/help.js +0 -0
  375. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/secrets/help.txt +0 -0
  376. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/secrets/scan.js +0 -0
  377. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/service/help.js +0 -0
  378. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/service/help.txt +0 -0
  379. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/service/list.js +0 -0
  380. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/service/start.js +0 -0
  381. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd/view/add.js +0 -0
  382. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd-status-format/package.json +0 -0
  383. /package/framework/{v0.4.6 → v0.4.7}/lib/cmd-status-format/src/main.js +0 -0
  384. /package/framework/{v0.4.6 → v0.4.7}/lib/collection/README.md +0 -0
  385. /package/framework/{v0.4.6 → v0.4.7}/lib/collection/build.json +0 -0
  386. /package/framework/{v0.4.6 → v0.4.7}/lib/collection/package.json +0 -0
  387. /package/framework/{v0.4.6 → v0.4.7}/lib/collection/src/main.js +0 -0
  388. /package/framework/{v0.4.6 → v0.4.7}/lib/config.js +0 -0
  389. /package/framework/{v0.4.6 → v0.4.7}/lib/connector-registry/package.json +0 -0
  390. /package/framework/{v0.4.6 → v0.4.7}/lib/connector-registry/src/main.js +0 -0
  391. /package/framework/{v0.4.6 → v0.4.7}/lib/cron/README.md +0 -0
  392. /package/framework/{v0.4.6 → v0.4.7}/lib/cron/package.json +0 -0
  393. /package/framework/{v0.4.6 → v0.4.7}/lib/cron/src/main.js +0 -0
  394. /package/framework/{v0.4.6 → v0.4.7}/lib/domain/LICENSE +0 -0
  395. /package/framework/{v0.4.6 → v0.4.7}/lib/domain/README.md +0 -0
  396. /package/framework/{v0.4.6 → v0.4.7}/lib/domain/package.json +0 -0
  397. /package/framework/{v0.4.6 → v0.4.7}/lib/domain/src/main.js +0 -0
  398. /package/framework/{v0.4.6 → v0.4.7}/lib/generator/index.js +0 -0
  399. /package/framework/{v0.4.6 → v0.4.7}/lib/i18n/package.json +0 -0
  400. /package/framework/{v0.4.6 → v0.4.7}/lib/i18n/src/main.js +0 -0
  401. /package/framework/{v0.4.6 → v0.4.7}/lib/inherits/LICENSE +0 -0
  402. /package/framework/{v0.4.6 → v0.4.7}/lib/inherits/README.md +0 -0
  403. /package/framework/{v0.4.6 → v0.4.7}/lib/inherits/package.json +0 -0
  404. /package/framework/{v0.4.6 → v0.4.7}/lib/inherits/src/main.js +0 -0
  405. /package/framework/{v0.4.6 → v0.4.7}/lib/inspector-redact/package.json +0 -0
  406. /package/framework/{v0.4.6 → v0.4.7}/lib/inspector-redact/src/main.js +0 -0
  407. /package/framework/{v0.4.6 → v0.4.7}/lib/instrument/package.json +0 -0
  408. /package/framework/{v0.4.6 → v0.4.7}/lib/instrument/src/main.js +0 -0
  409. /package/framework/{v0.4.6 → v0.4.7}/lib/job/package.json +0 -0
  410. /package/framework/{v0.4.6 → v0.4.7}/lib/job/src/main.js +0 -0
  411. /package/framework/{v0.4.6 → v0.4.7}/lib/logger/README.md +0 -0
  412. /package/framework/{v0.4.6 → v0.4.7}/lib/logger/package.json +0 -0
  413. /package/framework/{v0.4.6 → v0.4.7}/lib/logger/src/containers/default/index.js +0 -0
  414. /package/framework/{v0.4.6 → v0.4.7}/lib/logger/src/containers/file/index.js +0 -0
  415. /package/framework/{v0.4.6 → v0.4.7}/lib/logger/src/containers/file/lib/logrotator/README.md +0 -0
  416. /package/framework/{v0.4.6 → v0.4.7}/lib/logger/src/containers/file/lib/logrotator/index.js +0 -0
  417. /package/framework/{v0.4.6 → v0.4.7}/lib/logger/src/containers/mq/index.js +0 -0
  418. /package/framework/{v0.4.6 → v0.4.7}/lib/logger/src/containers/mq/listener.js +0 -0
  419. /package/framework/{v0.4.6 → v0.4.7}/lib/logger/src/containers/mq/speaker.js +0 -0
  420. /package/framework/{v0.4.6 → v0.4.7}/lib/logger/src/helper.js +0 -0
  421. /package/framework/{v0.4.6 → v0.4.7}/lib/logger/src/main.js +0 -0
  422. /package/framework/{v0.4.6 → v0.4.7}/lib/math/index.js +0 -0
  423. /package/framework/{v0.4.6 → v0.4.7}/lib/mcp-dispatch/package.json +0 -0
  424. /package/framework/{v0.4.6 → v0.4.7}/lib/mcp-dispatch/src/main.js +0 -0
  425. /package/framework/{v0.4.6 → v0.4.7}/lib/mcp-http/package.json +0 -0
  426. /package/framework/{v0.4.6 → v0.4.7}/lib/mcp-http/src/main.js +0 -0
  427. /package/framework/{v0.4.6 → v0.4.7}/lib/mcp-server/package.json +0 -0
  428. /package/framework/{v0.4.6 → v0.4.7}/lib/mcp-server/src/main.js +0 -0
  429. /package/framework/{v0.4.6 → v0.4.7}/lib/merge/README.md +0 -0
  430. /package/framework/{v0.4.6 → v0.4.7}/lib/merge/package.json +0 -0
  431. /package/framework/{v0.4.6 → v0.4.7}/lib/merge/src/main.js +0 -0
  432. /package/framework/{v0.4.6 → v0.4.7}/lib/metrics/package.json +0 -0
  433. /package/framework/{v0.4.6 → v0.4.7}/lib/metrics/src/main.js +0 -0
  434. /package/framework/{v0.4.6 → v0.4.7}/lib/model.js +0 -0
  435. /package/framework/{v0.4.6 → v0.4.7}/lib/nunjucks-filters/README.md +0 -0
  436. /package/framework/{v0.4.6 → v0.4.7}/lib/nunjucks-filters/package.json +0 -0
  437. /package/framework/{v0.4.6 → v0.4.7}/lib/nunjucks-filters/src/main.js +0 -0
  438. /package/framework/{v0.4.6 → v0.4.7}/lib/nunjucks-resolver/package.json +0 -0
  439. /package/framework/{v0.4.6 → v0.4.7}/lib/nunjucks-resolver/src/main.js +0 -0
  440. /package/framework/{v0.4.6 → v0.4.7}/lib/proc.js +0 -0
  441. /package/framework/{v0.4.6 → v0.4.7}/lib/routing/README.md +0 -0
  442. /package/framework/{v0.4.6 → v0.4.7}/lib/routing/build.json +0 -0
  443. /package/framework/{v0.4.6 → v0.4.7}/lib/routing/package.json +0 -0
  444. /package/framework/{v0.4.6 → v0.4.7}/lib/routing/src/main.js +0 -0
  445. /package/framework/{v0.4.6 → v0.4.7}/lib/routing/src/radix.js +0 -0
  446. /package/framework/{v0.4.6 → v0.4.7}/lib/routing-introspect/package.json +0 -0
  447. /package/framework/{v0.4.6 → v0.4.7}/lib/routing-introspect/src/main.js +0 -0
  448. /package/framework/{v0.4.6 → v0.4.7}/lib/secrets/package.json +0 -0
  449. /package/framework/{v0.4.6 → v0.4.7}/lib/secrets/src/backends/env.js +0 -0
  450. /package/framework/{v0.4.6 → v0.4.7}/lib/secrets/src/main.js +0 -0
  451. /package/framework/{v0.4.6 → v0.4.7}/lib/session-store.js +0 -0
  452. /package/framework/{v0.4.6 → v0.4.7}/lib/shell.js +0 -0
  453. /package/framework/{v0.4.6 → v0.4.7}/lib/state.js +0 -0
  454. /package/framework/{v0.4.6 → v0.4.7}/lib/swig-filters/README.md +0 -0
  455. /package/framework/{v0.4.6 → v0.4.7}/lib/swig-filters/package.json +0 -0
  456. /package/framework/{v0.4.6 → v0.4.7}/lib/swig-filters/src/main.js +0 -0
  457. /package/framework/{v0.4.6 → v0.4.7}/lib/swig-resolver/package.json +0 -0
  458. /package/framework/{v0.4.6 → v0.4.7}/lib/swig-resolver/src/main.js +0 -0
  459. /package/framework/{v0.4.6 → v0.4.7}/lib/template-loaders/package.json +0 -0
  460. /package/framework/{v0.4.6 → v0.4.7}/lib/template-loaders/src/loaders/http.js +0 -0
  461. /package/framework/{v0.4.6 → v0.4.7}/lib/template-loaders/src/loaders/memory.js +0 -0
  462. /package/framework/{v0.4.6 → v0.4.7}/lib/template-loaders/src/main.js +0 -0
  463. /package/framework/{v0.4.6 → v0.4.7}/lib/url/README.md +0 -0
  464. /package/framework/{v0.4.6 → v0.4.7}/lib/url/index.js +0 -0
  465. /package/framework/{v0.4.6 → v0.4.7}/lib/url/routing.json +0 -0
  466. /package/framework/{v0.4.6 → v0.4.7}/lib/uuid/package.json +0 -0
  467. /package/framework/{v0.4.6 → v0.4.7}/lib/uuid/src/main.js +0 -0
  468. /package/framework/{v0.4.6 → v0.4.7}/lib/validator.js +0 -0
  469. /package/framework/{v0.4.6 → v0.4.7}/lib/watcher/package.json +0 -0
  470. /package/framework/{v0.4.6 → v0.4.7}/lib/watcher/src/main.js +0 -0
package/CHANGELOG.md CHANGED
@@ -6,6 +6,16 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html),
6
6
  and is generated by [Changie](https://github.com/miniscruff/changie).
7
7
 
8
8
 
9
+ ## 0.4.7 - 2026-06-11
10
+ ### Added
11
+ * Csp plugin: new opt-in reportOnlyOmit option — an array of directive names to omit from a Content-Security-Policy-Report-Only header and emit again automatically when reportOnly flips to false, so one directive set covers both modes. Built for engine-divergent directives such as frame-ancestors (reported in report-only by Chrome and Firefox, ignored with a console warning by Safari/WebKit): a bundle can trade the Gecko/Blink report signal for a clean WebKit console as an explicit, lifecycle-managed choice. Entries are validated against the CSP Level 3 whitelist, a factory-time warning names what was dropped, and the default output is unchanged.
12
+ * HTTP/2 server (Isaac engine): opt-in RFC 8441 extended CONNECT enablement via the new settings.json http2Options.enableConnectProtocol flag (strict boolean, default false). When enabled on an http/2 bundle (https or cleartext h2c), the server advertises SETTINGS_ENABLE_CONNECT_PROTOCOL and handles extended CONNECT streams — the WebSocket-over-HTTP/2 handshake transport — with clean HTTP-status refusals as groundwork for the upcoming WebSocket session bridge: plain CONNECT keeps its 405, non-websocket :protocol values and not-yet-consumed websocket streams get 501, and an HTTP/1.1 CONNECT arriving over the allowHTTP1 fallback is refused with a raw 405 instead of an unanswered connection drop. A new extendedConnect counter joins the http2 metrics block in /_gina/info. Deployments that leave the flag off are byte-identical to previous releases.
13
+ * New lib/ws-framing framework library: a dependency-free RFC 6455 WebSocket framing codec — frame encoder (minimal length encoding across the 7/16/64-bit forms, control-frame constraints, optional masking) and incremental per-connection parser (fragmentation reassembly, client-masking enforcement, UTF-8 validation of text payloads and close reasons, close-status-code validation, and DoS caps maxPayload/maxFragments enforced from declared frame lengths before any payload is buffered). Registered on the lib registry as wsFraming; transport-agnostic groundwork for WebSocket over HTTP/2 (RFC 8441 extended CONNECT).
14
+ * WebSocket over HTTP/2 (RFC 8441): bundles can now serve WebSocket endpoints over the extended-CONNECT transport. From onInitialize, app.onWebSocket(path, handler) registers a handler per exact pathname; matched streams are answered with :status 200 and handed to the handler as a lib/ws-session session — send/ping/close API with automatic pong replies, a timed close handshake, backpressure passthrough, full teardown on stream close/error, contained consumer-handler exceptions (a throwing handler closes the session with 1011 instead of crashing the bundle), and graceful SIGTERM drain (live sessions are closed with 1001 going away instead of blocking shutdown). Requires an http/2 bundle (https or cleartext h2c) with http2Options.enableConnectProtocol set to true; unknown pathnames are refused with 404, registrations on a non-HTTP/2 bundle warn instead of crashing, and no express middleware runs on the CONNECT path — authentication is the handler's responsibility from the request it receives.
15
+ ### Fixed
16
+ * HTTP/2 server (Isaac engine): cleartext h2c bundles now receive the same hardening options as https bundles — the SETTINGS advert (maxConcurrentStreams, initialWindowSize, maxHeaderListSize, enablePush off) and the session flood caps (maxSessionRejectedStreams, maxSessionInvalidFrames) are passed to http2.createServer instead of a bare allowHTTP1 literal. Previously an h2c bundle (e.g. behind a TLS-terminating reverse proxy) advertised protocol defaults — effectively unlimited concurrent streams with server push enabled — and silently ignored its settings.json http2Options overrides. The RFC 8441 enableConnectProtocol opt-in (WebSocket over HTTP/2) now applies to h2c bundles as well; it remains a strict opt-in defaulting to false.
17
+ * Graceful shutdown: bundles with live WebSocket or engine.io connections no longer block SIGTERM shutdown until the hard timeout — every accepted engine.io socket and every /_gina/agent Inspector WebSocket now registers a per-socket closer in the framework shutdown drain (the same registry the Inspector SSE endpoints and WebSocket-over-HTTP/2 sessions already use), so shutdown closes them before the HTTP server close: engine.io sockets get a graceful transport close, agent WebSockets a clean 1001 going-away close handshake.
18
+
9
19
  ## 0.4.6 - 2026-06-10
10
20
  ### Added
11
21
  * Added an opt-in async template-loader extension point for the swig engine (settings.template.swig.loader): render templates from a custom backend instead of the local filesystem through an isolated per-bundle engine, with a built-in in-memory loader and a CVE-2023-25345 path-traversal guard. Remote/object-storage loaders and full asset-injection parity land in follow-ups.
package/README.md CHANGED
@@ -39,14 +39,12 @@ gina bundle:start api @myproject
39
39
  open https://localhost:3100
40
40
  ```
41
41
 
42
- ## What's in 0.4.6
43
-
44
- - **Async template loaders (opt-in).** `settings.template.swig.loader` / `settings.template.nunjucks.loader` render templates from a custom backend instead of the local filesystem built-in `memory` and `http` loaders (for templates served from a CDN, object storage or a template service), per-bundle isolated engines, full client-runtime injection on the async path, and an opt-in compiled-template cache (`loader.cache`) for production.
45
- - **Native dialog API.** `data-gina-dialog="ID"` opens an in-page `<dialog>`, `data-gina-dialog-src="URL"` loads its content over AJAX; non-modal by default, with per-trigger (`data-gina-dialog-modal`) or project-wide modal opt-in. Dialog popins now render as native modals in development too (dev/prod parity), and the popin plugin gains an opt-in `preOpen` loading skeleton.
46
- - **`request.rawBody`.** The exact unparsed request body is preserved before parsing, so controllers and middlewares can verify inbound webhook signatures (an HMAC computed over the raw bytes).
47
- - **JSON bodies parsed verbatim.** `application/json` POST / PUT / PATCH bodies are no longer URL-decoded and form-coerced string values such as `"true"` or `"50%20off"` survive exactly as sent. Urlencoded handling is unchanged, and the browser form-validator now sends its JSON bodies with the matching `application/json` Content-Type.
48
- - **Hardening.** A single request carrying a malformed percent-escape (a bare `%`, `%zz`) can no longer crash a bundle; the default Swig render path keeps the swig-core CVE-2023-25345 path-traversal confinement active; the `@rhinostone/swig` floor moved to `^2.7.2`; and the dead third-party CORS proxy was removed from the popin and link loaders.
49
- - **CLI & DX.** `gina version` reports the bundled template engine; offline project commands skip a stale registered project instead of aborting; `project:add` and the framework's self-invocations no longer depend on a PATH-resolved gina binary.
42
+ ## What's in 0.4.7
43
+
44
+ - **WebSocket over HTTP/2 (opt-in).** HTTP/2 bundles can serve WebSocket endpoints over the RFC 8441 extended-CONNECT transport, with a built-in dependency-free RFC 6455 framing codec — no external WebSocket library. Enable with `http2Options.enableConnectProtocol: true`, then register handlers from `onInitialize` with `app.onWebSocket(path, handler)`: each accepted stream arrives as a session with a `send`/`ping`/`close` API, automatic pong replies, payload and fragment caps, and a graceful close handshake.
45
+ - **HTTP/2 hardening parity for h2c.** Cleartext HTTP/2 bundles (for example, backends behind a TLS-terminating reverse proxy) now receive the same hardening as `https` bundles the stream caps, session flood defenses, and `settings.json` `http2Options` overrides all apply, where previously such bundles ran protocol defaults (effectively unlimited concurrent streams with server push enabled) and silently ignored their overrides.
46
+ - **Graceful shutdown for live sockets.** Bundles with open WebSocket or engine.io connections no longer block SIGTERM shutdown until the hard timeout every live socket is closed cleanly before the HTTP server closes, WebSockets with a `1001 going away` close handshake.
47
+ - **CSP `reportOnlyOmit` (opt-in).** Omit engine-divergent directives such as `frame-ancestors` from `Content-Security-Policy-Report-Only` headers and have them restored automatically when `reportOnly` flips to `false` one directive set across both modes, validated against the CSP Level 3 whitelist.
50
48
 
51
49
  See the full [Changelog](./CHANGELOG.md) and [Roadmap](./ROADMAP.md).
52
50
 
package/ROADMAP.md CHANGED
@@ -285,9 +285,9 @@ A cold audit of the Couchbase connector identified two critical security vulnera
285
285
  | ✅ | **Configurable `maxConcurrentStreams` and `initialWindowSize`** — move from hardcoded to `settings.json` `http2Options` | `0.3.0-alpha.1` | 2026-04-05 | All four HTTP/2 server settings configurable: `maxConcurrentStreams` (256), `initialWindowSize` (655350), `maxSessionRejectedStreams` (100), `maxSessionInvalidFrames` (1000). Security guards (`maxHeaderListSize`, `enablePush`) remain hardcoded. |
286
286
  | ✅ | **Application-level rapid reset rate limiter** (CVE-2023-44487) — per-session stream creation counter | `0.3.13` | 2026-05-14 | The Isaac HTTP/2 session handler counts new streams in a rolling 1s window per session; over `maxStreamsPerSecond` (default 200) it sends a GOAWAY and closes the session. More targeted than `maxSessionRejectedStreams` (which counts refused streams, not created ones). Configurable via `settings.json` `http2Options.maxStreamsPerSecond`; `/_gina/info` exposes a `rapidResetBlocked` counter. |
287
287
  | ✅ | **Trailer support** — `stream.sendTrailers()` + `waitForTrailers: true` | `0.4.0` | 2026-05-22 | Opt-in HTTP/2 response trailers via `self.sendTrailers(fields)`. The render pipeline sets `waitForTrailers` and emits the trailing headers after the body (in the `wantTrailers` event), across all render delegates. Activated only when a controller calls `self.sendTrailers(fields)`; HTTP/1.1 and the no-trailers path are unchanged. For gRPC-style streaming (`grpc-status`) and content-integrity (`Digest`) use cases. |
288
- | ✅ | **Alt-Svc header** — advertise HTTP/3 availability | `0.5.0` | Q1 2027 | Set `Alt-Svc: h3=":443"; ma=86400` response header to advertise HTTP/3 (QUIC) availability via a QUIC-capable reverse proxy (nginx, Caddy, Cloudflare). Gina does not need to implement QUIC — just announce it. Opt-in via `settings.server.json`. Native HTTP/3 is out of scope: Node.js has no stable QUIC API, and the standard deployment topology (Gina → proxy → client) already delivers HTTP/3 at the edge. |
288
+ | ✅ | **Alt-Svc header** — advertise HTTP/3 availability | `0.4.2` | 2026-06-02 | Set `Alt-Svc: h3=":443"; ma=86400` response header to advertise HTTP/3 (QUIC) availability via a QUIC-capable reverse proxy (nginx, Caddy, Cloudflare). Gina does not need to implement QUIC — just announce it. Opt-in via `settings.server.json`. Native HTTP/3 is out of scope: Node.js has no stable QUIC API, and the standard deployment topology (Gina → proxy → client) already delivers HTTP/3 at the edge. |
289
289
  | 📋 | **RFC 9218 Extensible Priorities** — read `Priority: u=N, i` request header | `0.5.0` | Q1 2027 | Use the RFC 9218 priority header to order response writes for multiplexed API clients. Low value for typical HTML page loads; high value for parallel API requests with declared urgency. |
290
- | 📋 | **WebSocket over HTTP/2** (RFC 8441 CONNECT method extension) | `0.5.0` | Q1 2027 | Tunnel WebSocket over an HTTP/2 stream without a separate HTTP/1.1 connection. Node.js supports this since v10.19. Enables WebSocket in HTTP/2-only deployments. |
290
+ | | **WebSocket over HTTP/2** (RFC 8441 extended CONNECT) opt-in via `http2Options.enableConnectProtocol` (default off; https and cleartext h2c HTTP/2 bundles). From `onInitialize`, `app.onWebSocket(path, handler)` registers per-path WebSocket handlers; accepted streams arrive as full sessions backed by a built-in dependency-free RFC 6455 codec (auto-pong, timed close handshake, UTF-8 + close-code validation, payload/fragment DoS caps, backpressure passthrough, graceful shutdown drain). Unknown paths are refused with 404, plain CONNECT keeps its 405, and default-off deployments are byte-identical. | `0.4.7` | 2026-06-11 |
291
291
 
292
292
  ---
293
293
 
@@ -0,0 +1 @@
1
+ 0.4.7
@@ -68,6 +68,8 @@ Settings.json shape — caller-supplied options always win over settings:
68
68
  |--------------|---------|---------|----------------------------------------------------------------------|
69
69
  | `directives` | object | — | **Required.** Throws if missing or empty. See "Directives" below. |
70
70
  | `reportOnly` | boolean | `false` | When `true`, emits `Content-Security-Policy-Report-Only` instead. |
71
+ | `reportOnlyOmit` | string[] | `[]` | Directives to *also* omit while `reportOnly` is `true`; emitted again automatically in enforce mode. See "reportOnlyOmit" below. |
72
+ | `useNonce` | boolean | `false` | When `true`, generates a per-response nonce, stamps it on `req._ginaCspNonce`, and appends `'nonce-XXXX'` to `script-src` (fallback `default-src`). See "Per-response CSP nonce" below. |
71
73
 
72
74
  There is no sensible cross-bundle default for `directives`. Every bundle
73
75
  has its own resource graph; a default policy would either be too restrictive
@@ -177,8 +179,9 @@ CSP Level 2 rule — *"The frame-ancestors directive MUST be ignored when
177
179
  monitoring a policy"* — which CSP Level 3 dropped; CSP3 only restricts `<meta>`
178
180
  delivery, which a report-only policy never uses). The plugin keeps it so the
179
181
  observation phase still reports on Chrome and Firefox. If you serve a
180
- WebKit-heavy audience and want a clean Safari console, leave `frame-ancestors`
181
- out of your report-only directive set — clickjacking protection stays enforced
182
+ WebKit-heavy audience and want a clean Safari console, opt it out with
183
+ `reportOnlyOmit: ['frame-ancestors']` (next section) — clickjacking protection
184
+ stays enforced
182
185
  by `X-Frame-Options` and/or an enforcing-mode `frame-ancestors`. (Chrome caveat:
183
186
  frame-ancestors violation reports are delivered via `report-uri`; known Chromium
184
187
  bugs leave them undelivered via `report-to`.) A report-only policy whose every
@@ -188,6 +191,54 @@ time**, since it would report nothing.
188
191
  The omitted set is intentionally conservative — `sandbox` is the only directive
189
192
  confirmed ignored in report-only across all engines.
190
193
 
194
+ ### `reportOnlyOmit` — opt out engine-divergent directives in report-only
195
+
196
+ For the engine-divergent case above, `reportOnlyOmit` packages the
197
+ hand-managed omission: every directive named in it is omitted from the
198
+ report-only header and emitted again **automatically** when `reportOnly`
199
+ flips to `false` — one directive set across both modes, no
200
+ remove-then-re-add churn.
201
+
202
+ ```js
203
+ require('gina').plugins.Csp({
204
+ reportOnly: true,
205
+ directives: {
206
+ 'script-src': ["'self'"],
207
+ 'frame-ancestors': ["'self'"],
208
+ 'report-uri': ['/csp/report']
209
+ },
210
+ reportOnlyOmit: ['frame-ancestors']
211
+ });
212
+ // report-only header: script-src 'self'; report-uri /csp/report
213
+ // after the enforce flip (reportOnly: false): frame-ancestors 'self' returns
214
+ ```
215
+
216
+ **The honest trade — the option packages the engine divergence, it does not
217
+ eliminate it.** Listing `frame-ancestors` in `reportOnlyOmit` forgoes its
218
+ Chrome + Firefox (Gecko + Blink) report-only monitoring signal in exchange
219
+ for a clean WebKit console. The header is engine-blind, so gina cannot do
220
+ better — the option just turns the hand-managed comment into an explicit,
221
+ per-bundle, lifecycle-managed choice. Clickjacking stays enforced by
222
+ `X-Frame-Options` and/or an enforcing-mode `frame-ancestors` regardless.
223
+
224
+ Mechanics:
225
+
226
+ - Entries are validated against the same CSP Level 3 whitelist as
227
+ `directives` keys — unknown names throw at factory call time.
228
+ - A factory-time warning names what was dropped, with wording distinct from
229
+ the browser-inert `sandbox` omission — these directives are *not* ignored
230
+ by browsers; you are choosing to forgo their report signal.
231
+ - An entry not present in `directives` warns in report-only mode (likely a
232
+ config mistake) and no-ops.
233
+ - With `reportOnly: false` the option is inert **and silent** — keeping it
234
+ in an enforce-mode config is the expected lifecycle state, not a mistake.
235
+ - If the omissions empty the report-only directive set, the factory throws
236
+ (same as the all-inert case).
237
+ - `useNonce: true` with the nonce-target directive (`script-src` /
238
+ `default-src`) in `reportOnlyOmit` throws at factory call time — the
239
+ nonce would be stamped on the request and the tags but never referenced
240
+ by the emitted policy.
241
+
191
242
  ## Per-response CSP nonce (`useNonce`)
192
243
 
193
244
  Set `useNonce: true` to drop `'unsafe-inline'` from `script-src` without
@@ -252,6 +303,10 @@ console at runtime. Gina favours fail-fast.
252
303
  | All directives resolve to `false` (omitted) | Factory throws — empty CSP is invalid |
253
304
  | `reportOnly` is non-boolean | Factory throws |
254
305
  | `reportOnly:true` with only report-only-inert directives | Factory throws — a report-only policy would report nothing |
306
+ | `reportOnlyOmit` is non-array / has non-string entries | Factory throws |
307
+ | `reportOnlyOmit` contains an unknown directive name | Factory throws with full whitelist in message |
308
+ | `reportOnlyOmit` empties the report-only directive set | Factory throws — the policy would report nothing |
309
+ | `reportOnlyOmit` omits the nonce target while `useNonce:true` | Factory throws — the header would never reference the nonce |
255
310
  | Plugin not registered | Header not emitted; browser applies no CSP |
256
311
  | Header already set by an earlier middleware | Existing value preserved (idempotent) |
257
312
  | Response already sent (`res.headersSent === true`) | Node's `setHeader` no-ops; request resumes |
@@ -92,9 +92,30 @@
92
92
  * a console warning and no report (it retains CSP2's rule that the directive
93
93
  * MUST be ignored when monitoring, which CSP3 dropped). Keeping it preserves
94
94
  * the observation-phase signal on Chrome + Firefox; WebKit-heavy consumers
95
- * can leave it out of their own report-only directive set. A report-only
96
- * policy whose every directive is inert (e.g. only `sandbox`) throws at
97
- * factory call time.
95
+ * can opt it out via `reportOnlyOmit` (below). A report-only policy whose
96
+ * every directive is inert (e.g. only `sandbox`) throws at factory call
97
+ * time.
98
+ *
99
+ * **`reportOnlyOmit: ['frame-ancestors']`** (opt-in, default `[]`) extends
100
+ * the report-only omission to consumer-chosen directives: every directive
101
+ * named is omitted from the report-only header and emitted again
102
+ * automatically when `reportOnly` flips to `false` — one directive set
103
+ * across both modes, no remove-then-re-add churn. Built for the
104
+ * engine-divergent case above: a consumer serving WebKit-heavy audiences can
105
+ * drop `frame-ancestors` for a clean Safari console, explicitly trading away
106
+ * the Chrome + Firefox report-only signal (the header is engine-blind; the
107
+ * option just makes that trade an explicit, lifecycle-managed choice). The
108
+ * factory-time `console.warn` for these uses wording distinct from the
109
+ * browser-inert omission above — they are NOT ignored by browsers. Entries
110
+ * are validated against the same CSP Level 3 whitelist as `directives` keys
111
+ * (unknown names throw); an entry not present in `directives` warns in
112
+ * report-only mode (likely a config mistake) and no-ops; with
113
+ * `reportOnly: false` the option is inert and silent — an enforce-mode
114
+ * config is EXPECTED to keep carrying it.
115
+ * `useNonce: true` with the nonce-target directive (script-src /
116
+ * default-src) in `reportOnlyOmit` throws at factory call time — the nonce
117
+ * would be stamped on the request and the tags but never referenced by the
118
+ * emitted policy.
98
119
  *
99
120
  * Opens Phase 2 of the gina security-headers track (Phase 1 = HDR1-4 +
100
121
  * HDR7 shipped in 0.3.15-alpha). Single-header plugin shape — composes
@@ -208,9 +229,10 @@ var HYBRID_DIRECTIVES = [
208
229
  * delivery, which a report-only policy cannot use anyway). Omitting it
209
230
  * would discard the observation-phase signal on Chrome + Firefox;
210
231
  * consumers serving WebKit-heavy audiences that want a clean Safari
211
- * console can omit it from their own report-only directive set
212
- * (clickjacking stays enforced by X-Frame-Options and/or an enforcing
213
- * frame-ancestors regardless).
232
+ * console can opt it out per-config via `reportOnlyOmit:
233
+ * ['frame-ancestors']` omitted in report-only, auto-restored in
234
+ * enforce mode (clickjacking stays enforced by X-Frame-Options and/or an
235
+ * enforcing frame-ancestors regardless).
214
236
  * - `upgrade-insecure-requests` / `block-all-mixed-content` — not confirmed
215
237
  * inert across engines: Chromium ignores-and-warns
216
238
  * `upgrade-insecure-requests` in report-only but supports
@@ -442,6 +464,59 @@ function resolveReportOnly(value) {
442
464
  }
443
465
 
444
466
 
467
+ /**
468
+ * Validate and normalise the `reportOnlyOmit` option — consumer-chosen
469
+ * directives to ALSO omit from a report-only header, on top of the
470
+ * universally-inert `REPORT_ONLY_IGNORED_DIRECTIVES`. Defaults to `[]`.
471
+ *
472
+ * Entries are lowercased and validated against the same CSP Level 3
473
+ * whitelist as `directives` keys; duplicates are dropped. Only consulted
474
+ * when `reportOnly` is true (inert and silent otherwise — keeping it in an
475
+ * enforce-mode config is the expected lifecycle state, not a mistake), but
476
+ * validated unconditionally so a malformed entry fails at boot rather than
477
+ * surfacing on the next `reportOnly` flip.
478
+ *
479
+ * @param {*} value
480
+ * @returns {string[]} normalised, deduplicated directive names.
481
+ * @throws {Error} on non-array shapes, non-string entries, unknown names.
482
+ * @inner
483
+ * @private
484
+ */
485
+ function resolveReportOnlyOmit(value) {
486
+ if (typeof value === 'undefined' || value === null) {
487
+ return [];
488
+ }
489
+ if (!Array.isArray(value)) {
490
+ throw new Error(
491
+ '[gina.plugins.Csp] reportOnlyOmit must be an array of CSP directive '
492
+ + 'names to omit from a report-only header (e.g. ["frame-ancestors"]); '
493
+ + 'received ' + typeof value + '.'
494
+ );
495
+ }
496
+ var out = [];
497
+ for (var i = 0; i < value.length; i++) {
498
+ if (typeof value[i] !== 'string') {
499
+ throw new Error(
500
+ '[gina.plugins.Csp] reportOnlyOmit entries must be strings; '
501
+ + 'received ' + typeof value[i] + ' at index ' + i + '.'
502
+ );
503
+ }
504
+ var name = String(value[i]).toLowerCase();
505
+ if (VALID_DIRECTIVES.indexOf(name) === -1) {
506
+ throw new Error(
507
+ '[gina.plugins.Csp] unknown directive name "' + value[i] + '" in '
508
+ + 'reportOnlyOmit. Expected one of: ' + VALID_DIRECTIVES.join(', ')
509
+ + '. (Per CSP Level 3 — https://www.w3.org/TR/CSP3/#csp-directives.)'
510
+ );
511
+ }
512
+ if (out.indexOf(name) === -1) {
513
+ out.push(name);
514
+ }
515
+ }
516
+ return out;
517
+ }
518
+
519
+
445
520
  /**
446
521
  * Build the header value string from a normalised directive dict.
447
522
  *
@@ -482,22 +557,26 @@ function buildHeaderValue(normalised, nonce, nonceTarget) {
482
557
 
483
558
  /**
484
559
  * Return a shallow copy of the normalised directive dict with the
485
- * report-only-inert directives (`REPORT_ONLY_IGNORED_DIRECTIVES`) removed.
486
- * Used only when `reportOnly` is true. Pure — never mutates the input, so the
487
- * full configured set survives for an enforcing factory built from the same
488
- * directives.
489
- *
490
- * @param {object} normalised validated directive dict from resolveDirectives.
491
- * @returns {object} a new dict without the report-only-ignored directives.
560
+ * report-only-inert directives (`REPORT_ONLY_IGNORED_DIRECTIVES`) removed,
561
+ * plus any consumer-chosen `extraOmit` names (the validated `reportOnlyOmit`
562
+ * option). Used only when `reportOnly` is true. Pure never mutates the
563
+ * input, so the full configured set survives for an enforcing factory built
564
+ * from the same directives. Called with one argument, behaviour is identical
565
+ * to the pre-`reportOnlyOmit` shape (inert set only).
566
+ *
567
+ * @param {object} normalised — validated directive dict from resolveDirectives.
568
+ * @param {string[]} [extraOmit] — validated `reportOnlyOmit` names (default none).
569
+ * @returns {object} a new dict without the omitted directives.
492
570
  * @inner
493
571
  * @private
494
572
  */
495
- function stripReportOnlyIgnored(normalised) {
573
+ function stripReportOnlyIgnored(normalised, extraOmit) {
574
+ var omit = extraOmit || [];
496
575
  var out = {};
497
576
  var keys = Object.keys(normalised);
498
577
  for (var i = 0; i < keys.length; i++) {
499
578
  var name = keys[i];
500
- if (REPORT_ONLY_IGNORED_DIRECTIVES.indexOf(name) !== -1) {
579
+ if (REPORT_ONLY_IGNORED_DIRECTIVES.indexOf(name) !== -1 || omit.indexOf(name) !== -1) {
501
580
  continue;
502
581
  }
503
582
  out[name] = normalised[name];
@@ -604,6 +683,15 @@ function resolveNonceTarget(normalised) {
604
683
  * Content-Security-Policy-
605
684
  * Report-Only instead of
606
685
  * Content-Security-Policy.
686
+ * @param {string[]} [opts.reportOnlyOmit=[]] — directive names to ALSO
687
+ * omit when reportOnly is
688
+ * true (validated against
689
+ * the CSP Level 3
690
+ * whitelist); emitted again
691
+ * automatically when
692
+ * reportOnly is false. Inert
693
+ * and silent in enforce
694
+ * mode.
607
695
  * @param {boolean} [opts.useNonce=false] — generate a per-response
608
696
  * nonce, stamp it on
609
697
  * `req._ginaCspNonce`, and
@@ -616,9 +704,28 @@ function resolveNonceTarget(normalised) {
616
704
  * @throws {Error} — when `directives` is
617
705
  * missing/empty, contains an
618
706
  * unknown directive name, has
619
- * invalid value shapes, or
707
+ * invalid value shapes,
620
708
  * `useNonce:true` with no
621
- * script-src/default-src.
709
+ * script-src/default-src,
710
+ * `reportOnlyOmit` is
711
+ * malformed or names an
712
+ * unknown directive, the
713
+ * report-only set is empty
714
+ * after omissions, or
715
+ * `reportOnlyOmit` omits the
716
+ * nonce target in report-only
717
+ * mode.
718
+ *
719
+ * @example
720
+ * // Engine-divergent directive opt-out: omit frame-ancestors from the
721
+ * // report-only header (clean WebKit console; forgoes the Gecko + Blink
722
+ * // report signal) — restored automatically at the enforce flip.
723
+ * var csp = require('gina').plugins.Csp({
724
+ * reportOnly: true,
725
+ * directives: { 'script-src': ["'self'"], 'frame-ancestors': ["'self'"] },
726
+ * reportOnlyOmit: ['frame-ancestors']
727
+ * });
728
+ * app.use(csp);
622
729
  */
623
730
  function Csp(opts) {
624
731
  var defaults = resolveSettingsDefaults();
@@ -627,20 +734,44 @@ function Csp(opts) {
627
734
  var directives = resolveDirectives(merged.directives);
628
735
  var reportOnly = resolveReportOnly(merged.reportOnly);
629
736
  var useNonce = resolveUseNonce(merged.useNonce);
737
+ var reportOnlyOmit = resolveReportOnlyOmit(merged.reportOnlyOmit);
630
738
 
631
739
  // Report-only mode: drop directives browsers ignore in a report-only
632
- // header (REPORT_ONLY_IGNORED_DIRECTIVES — currently `sandbox`). They apply
633
- // no restriction and emit no violation report there, so omitting them is
634
- // functionally identical while silencing the browser console warning. They
635
- // survive in `directives`, so an enforcing factory built from the same
636
- // config still emits them.
740
+ // header (REPORT_ONLY_IGNORED_DIRECTIVES — currently `sandbox`), plus any
741
+ // consumer-chosen `reportOnlyOmit` names (typically engine-divergent
742
+ // directives like frame-ancestors). Both survive in `directives`, so an
743
+ // enforcing factory built from the same config still emits them.
637
744
  var emitDirectives = directives;
638
745
  if (reportOnly) {
639
- emitDirectives = stripReportOnlyIgnored(directives);
746
+ emitDirectives = stripReportOnlyIgnored(directives, reportOnlyOmit);
640
747
  var dropped = Object.keys(directives).filter(function (d) {
641
748
  return !Object.prototype.hasOwnProperty.call(emitDirectives, d);
642
749
  });
750
+ // Split by cause — the warn/throw wording must not claim "ignored by
751
+ // browsers" for a directive the consumer chose to drop: an opted-out
752
+ // directive like frame-ancestors IS evaluated + reported by some
753
+ // engines (Gecko, Blink) in report-only mode.
754
+ var droppedInert = dropped.filter(function (d) {
755
+ return REPORT_ONLY_IGNORED_DIRECTIVES.indexOf(d) !== -1;
756
+ });
757
+ var droppedOpted = dropped.filter(function (d) {
758
+ return REPORT_ONLY_IGNORED_DIRECTIVES.indexOf(d) === -1;
759
+ });
760
+ var absentOmit = reportOnlyOmit.filter(function (d) {
761
+ return !Object.prototype.hasOwnProperty.call(directives, d);
762
+ });
643
763
  if (Object.keys(emitDirectives).length === 0) {
764
+ if (droppedOpted.length > 0) {
765
+ throw new Error(
766
+ '[gina.plugins.Csp] reportOnly:true but the emitted directive set is '
767
+ + 'empty after omissions ('
768
+ + (droppedInert.length > 0 ? 'ignored by browsers: ' + droppedInert.join(', ') + '; ' : '')
769
+ + 'per reportOnlyOmit: ' + droppedOpted.join(', ') + '). '
770
+ + 'A report-only policy needs at least one emitted directive that '
771
+ + 'produces violation reports (e.g. script-src / default-src). '
772
+ + 'Remove entries from reportOnlyOmit or add directives.'
773
+ );
774
+ }
644
775
  // Mirrors the all-omitted throw in resolveDirectives: an empty CSP
645
776
  // is invalid, and a report-only policy made entirely of inert
646
777
  // directives reports nothing — surface it at factory (boot) time.
@@ -653,18 +784,39 @@ function Csp(opts) {
653
784
  + 'in report-only mode.'
654
785
  );
655
786
  }
656
- if (dropped.length > 0) {
787
+ if (droppedInert.length > 0) {
657
788
  // Transparency: the emitted header diverges from the configured
658
789
  // directives. One line at factory (boot) time — per call, no
659
790
  // module-level latch — so the operator knows why a configured
660
791
  // directive is absent from the wire.
661
792
  console.warn(
662
793
  '[gina.plugins.Csp] reportOnly:true — omitting directive(s) ignored by '
663
- + 'browsers in report-only mode: ' + dropped.join(', ') + '. They apply no '
794
+ + 'browsers in report-only mode: ' + droppedInert.join(', ') + '. They apply no '
664
795
  + 'restriction and emit a browser console warning in report-only mode; they '
665
796
  + 'are included automatically when reportOnly is false.'
666
797
  );
667
798
  }
799
+ if (droppedOpted.length > 0) {
800
+ // Distinct wording — these are NOT browser-inert: some engines
801
+ // (Gecko + Blink for frame-ancestors) evaluate and report them in
802
+ // report-only mode; the consumer is forgoing that signal.
803
+ console.warn(
804
+ '[gina.plugins.Csp] reportOnly:true — omitting directive(s) per '
805
+ + 'reportOnlyOmit: ' + droppedOpted.join(', ') + '. These are evaluated and '
806
+ + 'reported by some engines in report-only mode; you are forgoing that '
807
+ + 'monitoring signal. They are emitted automatically when reportOnly is '
808
+ + 'false.'
809
+ );
810
+ }
811
+ if (absentOmit.length > 0) {
812
+ // Omitting something you don't emit signals a config mistake.
813
+ // Emitted AFTER the empty-set throws above so a fatally-broken
814
+ // config surfaces only its throw, not a warn-then-throw sequence.
815
+ console.warn(
816
+ '[gina.plugins.Csp] reportOnlyOmit names directive(s) not present in '
817
+ + 'directives (no-op): ' + absentOmit.join(', ') + '.'
818
+ );
819
+ }
668
820
  }
669
821
 
670
822
  var headerName = reportOnly ? HEADER_NAME_REPORT_ONLY : HEADER_NAME;
@@ -672,9 +824,21 @@ function Csp(opts) {
672
824
  var headerValue = buildHeaderValue(emitDirectives);
673
825
  // Fail-fast at factory time: a nonce needs a script-governing directive.
674
826
  // Resolved from `directives` (not emitDirectives) — the nonce target is
675
- // always script-src/default-src, which are never report-only-stripped, so
676
- // the two sets agree; the middleware still serialises emitDirectives.
827
+ // always script-src/default-src, which REPORT_ONLY_IGNORED_DIRECTIVES
828
+ // never contains and the guard below keeps out of reportOnlyOmit, so the
829
+ // two sets agree; the middleware still serialises emitDirectives.
677
830
  var nonceTarget = useNonce ? resolveNonceTarget(directives) : null;
831
+ if (nonceTarget && reportOnly && reportOnlyOmit.indexOf(nonceTarget) !== -1) {
832
+ // The nonce would be stamped on req._ginaCspNonce and mirrored onto
833
+ // the framework inline <script> tags, but the emitted report-only
834
+ // policy would never reference it — incoherent header/tag state.
835
+ throw new Error(
836
+ '[gina.plugins.Csp] useNonce:true with reportOnly:true requires the '
837
+ + 'nonce target directive ("' + nonceTarget + '") to be emitted in the '
838
+ + 'report-only header, but reportOnlyOmit omits it. Remove "'
839
+ + nonceTarget + '" from reportOnlyOmit.'
840
+ );
841
+ }
678
842
 
679
843
  return function ginaCsp(req, res, next) {
680
844
  if (typeof res.getHeader === 'function' && res.getHeader(headerName)) {
@@ -707,6 +871,7 @@ Csp._resolveSettingsDefaults = resolveSettingsDefaults;
707
871
  Csp._mergeOptions = mergeOptions;
708
872
  Csp._resolveDirectives = resolveDirectives;
709
873
  Csp._resolveReportOnly = resolveReportOnly;
874
+ Csp._resolveReportOnlyOmit = resolveReportOnlyOmit;
710
875
  Csp._resolveUseNonce = resolveUseNonce;
711
876
  Csp._resolveNonceTarget = resolveNonceTarget;
712
877
  Csp._buildHeaderValue = buildHeaderValue;