gina 0.4.7-alpha.1 → 0.4.8-alpha.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +10 -0
- package/README.md +6 -8
- package/ROADMAP.md +2 -2
- package/framework/v0.4.8-alpha.1/VERSION +1 -0
- package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/csp/README.md +57 -2
- package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/csp/src/main.js +192 -27
- package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/server.isaac.js +153 -5
- package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/server.js +14 -0
- package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle/config/settings.server.json +3 -1
- package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/conf/settings.json +15 -2
- package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/index.js +14 -0
- package/framework/v0.4.8-alpha.1/lib/ws-framing/package.json +10 -0
- package/framework/v0.4.8-alpha.1/lib/ws-framing/src/main.js +664 -0
- package/framework/v0.4.8-alpha.1/lib/ws-session/package.json +10 -0
- package/framework/v0.4.8-alpha.1/lib/ws-session/src/main.js +422 -0
- package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/package.json +1 -1
- package/gna.js +4 -4
- package/llms.txt +9 -3
- package/package.json +2 -2
- package/playwright.config.js +4 -2
- package/framework/v0.4.7-alpha.1/VERSION +0 -1
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/AUTHORS +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/LICENSE +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/html/nolayout.html +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/html/static.html +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/img/android-chrome-192x192.png +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/img/android-chrome-512x512.png +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/img/apple-touch-icon.png +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/img/favicon-16x16.png +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/img/favicon-32x32.png +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/img/favicon.ico +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/beemaster/beemaster.css +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/beemaster/beemaster.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/beemaster/index.html +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/css/gina.min.css +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/css/gina.min.css.br +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/css/gina.min.css.gz +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/html/statusbar.html +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/html/statusbar.html.br +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/html/statusbar.html.gz +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/inspector/have_heart_one-webfont.woff2 +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/inspector/index.html +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/inspector/inspector.css +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/inspector/inspector.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/inspector/logo.svg +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/js/gina.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/js/gina.min.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/js/gina.min.js.br +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/js/gina.min.js.gz +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/js/gina.onload.min.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/js/gina.onload.min.js.br +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/asset/plugin/dist/vendor/gina/js/gina.onload.min.js.gz +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/config.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/ai/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/ai/lib/connector.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/couchbase/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/couchbase/lib/connector.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/couchbase/lib/connector.v3.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/couchbase/lib/connector.v4.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/couchbase/lib/n1ql.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/couchbase/lib/session-store.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/couchbase/lib/session-store.v3.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/couchbase/lib/session-store.v4.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/mongodb/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/mongodb/lib/connector.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/mongodb/lib/pipeline-loader.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/mongodb/lib/session-store.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/mysql/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/mysql/lib/connector.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/postgresql/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/postgresql/lib/connector.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/redis/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/redis/lib/session-store.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/scylladb/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/scylladb/lib/connector.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/scylladb/lib/session-store.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/sql-parser.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/sqlite/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/sqlite/lib/connector.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/connectors/sqlite/lib/session-store.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/content.encoding +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/controller/controller.framework.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/controller/controller.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/controller/controller.render-json.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/controller/controller.render-nunjucks-async.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/controller/controller.render-nunjucks.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/controller/controller.render-stream.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/controller/controller.render-swig-async.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/controller/controller.render-swig.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/controller/controller.render-v1.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/controller/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/controller/inspector-window-emit.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/deps/busboy-1.6.0/LICENSE +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/deps/busboy-1.6.0/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/deps/busboy-1.6.0/lib/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/deps/busboy-1.6.0/lib/types/multipart.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/deps/busboy-1.6.0/lib/types/urlencoded.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/deps/busboy-1.6.0/lib/utils.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/deps/busboy-1.6.0/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/deps/streamsearch-1.1.0/LICENSE +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/deps/streamsearch-1.1.0/lib/sbmh.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/deps/streamsearch-1.1.0/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/dev/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/dev/lib/class.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/dev/lib/factory.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/dev/lib/tools.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/gna.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/locales/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/locales/currency.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/locales/dist/language/en.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/locales/dist/language/fr.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/locales/dist/region/en.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/locales/dist/region/fr.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/locales/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/mime.types +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/model/entity.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/model/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/model/template/entityFactory.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/model/template/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/csrf/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/csrf/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/csrf/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/coep/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/coep/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/coep/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/coop/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/coop/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/coop/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/corp/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/corp/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/corp/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/csp/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/hide-powered-by/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/hide-powered-by/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/hide-powered-by/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/hsts/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/hsts/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/hsts/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/origin-agent-cluster/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/origin-agent-cluster/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/origin-agent-cluster/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/referrer-policy/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/referrer-policy/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/referrer-policy/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-content-type-options/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-content-type-options/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-content-type-options/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-dns-prefetch-control/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-dns-prefetch-control/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-dns-prefetch-control/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-download-options/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-download-options/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-download-options/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-frame-options/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-frame-options/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-frame-options/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-permitted-cross-domain-policies/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-permitted-cross-domain-policies/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-permitted-cross-domain-policies/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-xss-protection/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-xss-protection/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/x-xss-protection/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/session/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/session/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/session/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/storage/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/storage/build.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/storage/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/storage/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/validator/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/validator/build.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/validator/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/validator/src/form-validator.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/validator/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/router.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/server.express.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/status.codes +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/_gitignore +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle/config/app.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle/config/connectors.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle/config/routing.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle/config/settings.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle/config/templates.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle/config/watchers.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle/controllers/controller.content.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle/controllers/controller.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle/controllers/setup.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle/locales/en.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_namespace/controllers/controller.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_public/css/default.css +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_public/css/home.css +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_public/css/vendor/readme.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_public/favicon.ico +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_public/js/vendor/readme.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_public/manifest.webmanifest +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_public/readme.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_public/sw.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_templates/handlers/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_templates/html/content/homepage.html +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_templates/html/includes/error-msg-noscript.html +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_templates/html/includes/error-msg-outdated-browser.html +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/boilerplate/bundle_templates/html/layouts/main.html +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/command/gina.bat.tpl +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/command/gina.tpl +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/conf/env.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/conf/manifest.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/conf/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/conf/statics.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/conf/templates.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/error/client/json/401.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/error/client/json/403.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/error/client/json/404.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/error/server/html/50x.html +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/error/server/json/500.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/error/server/json/503.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/template/extensions/logger/config.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/console.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/context.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/data/LICENSE +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/data/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/data/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/data/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/dateFormat.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/json/LICENSE +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/json/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/json/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/json/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/path.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/plugins/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/plugins/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/plugins/src/api-error.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/plugins/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/prototypes.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/task.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/helpers/text.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/archiver/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/archiver/build.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/archiver/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/archiver/src/dep/jszip.min.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/archiver/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/async/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/async/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cache/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cache/build.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cache/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cache/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/aliases.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/add.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/arguments.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/build.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/copy.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/cp.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/inc/name-rewrite.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/list.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/mcp-start.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/mcp.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/oas.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/openapi.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/remove.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/rename.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/restart.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/rm.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/start.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/status.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/bundle/stop.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/cache/stats.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/connector/add.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/connector/arguments.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/connector/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/connector/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/connector/list.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/connector/migrate.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/connector/remove.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/connector/rm.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/env/add.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/env/get.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/env/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/env/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/env/link-dev.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/env/list.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/env/remove.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/env/rm.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/env/set.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/env/unset.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/env/use.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/arguments.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/build.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/dot.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/get.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/init.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/link-node-modules.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/link.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/msg.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/open.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/restart.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/set.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/start.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/status.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/stop.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/tail.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/update.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/framework/version.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/gina-dev.1.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/gina-framework.1.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/gina.1.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/helper.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/i18n/add.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/i18n/arguments.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/i18n/export.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/i18n/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/i18n/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/i18n/import.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/i18n/scan.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/inspector/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/inspector/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/inspector/open.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/minion/arguments.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/minion/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/minion/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/minion/kill.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/minion/list.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/msg.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/port/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/port/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/port/inc/scan.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/port/list.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/port/reset.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/port/set.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/add.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/arguments.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/build.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/import.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/list.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/move.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/remove.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/rename.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/restart.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/rm.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/start.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/status.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/project/stop.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/protocol/arguments.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/protocol/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/protocol/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/protocol/list.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/protocol/remove.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/protocol/set.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/scope/add.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/scope/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/scope/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/scope/link-local.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/scope/link-production.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/scope/list.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/scope/remove.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/scope/rm.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/scope/use.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/secrets/arguments.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/secrets/check.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/secrets/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/secrets/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/secrets/scan.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/service/help.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/service/help.txt +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/service/list.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/service/start.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd/view/add.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd-status-format/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cmd-status-format/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/collection/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/collection/build.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/collection/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/collection/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/config.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/connector-registry/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/connector-registry/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cron/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cron/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/cron/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/domain/LICENSE +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/domain/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/domain/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/domain/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/generator/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/i18n/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/i18n/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/inherits/LICENSE +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/inherits/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/inherits/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/inherits/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/inspector-redact/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/inspector-redact/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/instrument/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/instrument/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/job/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/job/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/logger/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/logger/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/logger/src/containers/default/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/logger/src/containers/file/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/logger/src/containers/file/lib/logrotator/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/logger/src/containers/file/lib/logrotator/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/logger/src/containers/mq/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/logger/src/containers/mq/listener.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/logger/src/containers/mq/speaker.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/logger/src/helper.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/logger/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/math/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/mcp-dispatch/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/mcp-dispatch/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/mcp-http/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/mcp-http/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/mcp-server/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/mcp-server/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/merge/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/merge/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/merge/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/metrics/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/metrics/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/model.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/nunjucks-filters/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/nunjucks-filters/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/nunjucks-filters/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/nunjucks-resolver/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/nunjucks-resolver/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/proc.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/routing/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/routing/build.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/routing/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/routing/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/routing/src/radix.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/routing-introspect/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/routing-introspect/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/secrets/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/secrets/src/backends/env.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/secrets/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/session-store.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/shell.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/state.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/swig-filters/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/swig-filters/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/swig-filters/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/swig-resolver/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/swig-resolver/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/template-loaders/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/template-loaders/src/loaders/http.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/template-loaders/src/loaders/memory.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/template-loaders/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/url/README.md +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/url/index.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/url/routing.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/uuid/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/uuid/src/main.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/validator.js +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/watcher/package.json +0 -0
- /package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/lib/watcher/src/main.js +0 -0
package/CHANGELOG.md
CHANGED
|
@@ -6,6 +6,16 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html),
|
|
|
6
6
|
and is generated by [Changie](https://github.com/miniscruff/changie).
|
|
7
7
|
|
|
8
8
|
|
|
9
|
+
## 0.4.7 - 2026-06-11
|
|
10
|
+
### Added
|
|
11
|
+
* Csp plugin: new opt-in reportOnlyOmit option — an array of directive names to omit from a Content-Security-Policy-Report-Only header and emit again automatically when reportOnly flips to false, so one directive set covers both modes. Built for engine-divergent directives such as frame-ancestors (reported in report-only by Chrome and Firefox, ignored with a console warning by Safari/WebKit): a bundle can trade the Gecko/Blink report signal for a clean WebKit console as an explicit, lifecycle-managed choice. Entries are validated against the CSP Level 3 whitelist, a factory-time warning names what was dropped, and the default output is unchanged.
|
|
12
|
+
* HTTP/2 server (Isaac engine): opt-in RFC 8441 extended CONNECT enablement via the new settings.json http2Options.enableConnectProtocol flag (strict boolean, default false). When enabled on an http/2 bundle (https or cleartext h2c), the server advertises SETTINGS_ENABLE_CONNECT_PROTOCOL and handles extended CONNECT streams — the WebSocket-over-HTTP/2 handshake transport — with clean HTTP-status refusals as groundwork for the upcoming WebSocket session bridge: plain CONNECT keeps its 405, non-websocket :protocol values and not-yet-consumed websocket streams get 501, and an HTTP/1.1 CONNECT arriving over the allowHTTP1 fallback is refused with a raw 405 instead of an unanswered connection drop. A new extendedConnect counter joins the http2 metrics block in /_gina/info. Deployments that leave the flag off are byte-identical to previous releases.
|
|
13
|
+
* New lib/ws-framing framework library: a dependency-free RFC 6455 WebSocket framing codec — frame encoder (minimal length encoding across the 7/16/64-bit forms, control-frame constraints, optional masking) and incremental per-connection parser (fragmentation reassembly, client-masking enforcement, UTF-8 validation of text payloads and close reasons, close-status-code validation, and DoS caps maxPayload/maxFragments enforced from declared frame lengths before any payload is buffered). Registered on the lib registry as wsFraming; transport-agnostic groundwork for WebSocket over HTTP/2 (RFC 8441 extended CONNECT).
|
|
14
|
+
* WebSocket over HTTP/2 (RFC 8441): bundles can now serve WebSocket endpoints over the extended-CONNECT transport. From onInitialize, app.onWebSocket(path, handler) registers a handler per exact pathname; matched streams are answered with :status 200 and handed to the handler as a lib/ws-session session — send/ping/close API with automatic pong replies, a timed close handshake, backpressure passthrough, full teardown on stream close/error, contained consumer-handler exceptions (a throwing handler closes the session with 1011 instead of crashing the bundle), and graceful SIGTERM drain (live sessions are closed with 1001 going away instead of blocking shutdown). Requires an http/2 bundle (https or cleartext h2c) with http2Options.enableConnectProtocol set to true; unknown pathnames are refused with 404, registrations on a non-HTTP/2 bundle warn instead of crashing, and no express middleware runs on the CONNECT path — authentication is the handler's responsibility from the request it receives.
|
|
15
|
+
### Fixed
|
|
16
|
+
* HTTP/2 server (Isaac engine): cleartext h2c bundles now receive the same hardening options as https bundles — the SETTINGS advert (maxConcurrentStreams, initialWindowSize, maxHeaderListSize, enablePush off) and the session flood caps (maxSessionRejectedStreams, maxSessionInvalidFrames) are passed to http2.createServer instead of a bare allowHTTP1 literal. Previously an h2c bundle (e.g. behind a TLS-terminating reverse proxy) advertised protocol defaults — effectively unlimited concurrent streams with server push enabled — and silently ignored its settings.json http2Options overrides. The RFC 8441 enableConnectProtocol opt-in (WebSocket over HTTP/2) now applies to h2c bundles as well; it remains a strict opt-in defaulting to false.
|
|
17
|
+
* Graceful shutdown: bundles with live WebSocket or engine.io connections no longer block SIGTERM shutdown until the hard timeout — every accepted engine.io socket and every /_gina/agent Inspector WebSocket now registers a per-socket closer in the framework shutdown drain (the same registry the Inspector SSE endpoints and WebSocket-over-HTTP/2 sessions already use), so shutdown closes them before the HTTP server close: engine.io sockets get a graceful transport close, agent WebSockets a clean 1001 going-away close handshake.
|
|
18
|
+
|
|
9
19
|
## 0.4.6 - 2026-06-10
|
|
10
20
|
### Added
|
|
11
21
|
* Added an opt-in async template-loader extension point for the swig engine (settings.template.swig.loader): render templates from a custom backend instead of the local filesystem through an isolated per-bundle engine, with a built-in in-memory loader and a CVE-2023-25345 path-traversal guard. Remote/object-storage loaders and full asset-injection parity land in follow-ups.
|
package/README.md
CHANGED
|
@@ -39,14 +39,12 @@ gina bundle:start api @myproject
|
|
|
39
39
|
open https://localhost:3100
|
|
40
40
|
```
|
|
41
41
|
|
|
42
|
-
## What's in 0.4.
|
|
43
|
-
|
|
44
|
-
- **
|
|
45
|
-
- **
|
|
46
|
-
-
|
|
47
|
-
- **
|
|
48
|
-
- **Hardening.** A single request carrying a malformed percent-escape (a bare `%`, `%zz`) can no longer crash a bundle; the default Swig render path keeps the swig-core CVE-2023-25345 path-traversal confinement active; the `@rhinostone/swig` floor moved to `^2.7.2`; and the dead third-party CORS proxy was removed from the popin and link loaders.
|
|
49
|
-
- **CLI & DX.** `gina version` reports the bundled template engine; offline project commands skip a stale registered project instead of aborting; `project:add` and the framework's self-invocations no longer depend on a PATH-resolved gina binary.
|
|
42
|
+
## What's in 0.4.7
|
|
43
|
+
|
|
44
|
+
- **WebSocket over HTTP/2 (opt-in).** HTTP/2 bundles can serve WebSocket endpoints over the RFC 8441 extended-CONNECT transport, with a built-in dependency-free RFC 6455 framing codec — no external WebSocket library. Enable with `http2Options.enableConnectProtocol: true`, then register handlers from `onInitialize` with `app.onWebSocket(path, handler)`: each accepted stream arrives as a session with a `send`/`ping`/`close` API, automatic pong replies, payload and fragment caps, and a graceful close handshake.
|
|
45
|
+
- **HTTP/2 hardening parity for h2c.** Cleartext HTTP/2 bundles (for example, backends behind a TLS-terminating reverse proxy) now receive the same hardening as `https` bundles — the stream caps, session flood defenses, and `settings.json` `http2Options` overrides all apply, where previously such bundles ran protocol defaults (effectively unlimited concurrent streams with server push enabled) and silently ignored their overrides.
|
|
46
|
+
- **Graceful shutdown for live sockets.** Bundles with open WebSocket or engine.io connections no longer block SIGTERM shutdown until the hard timeout — every live socket is closed cleanly before the HTTP server closes, WebSockets with a `1001 going away` close handshake.
|
|
47
|
+
- **CSP `reportOnlyOmit` (opt-in).** Omit engine-divergent directives such as `frame-ancestors` from `Content-Security-Policy-Report-Only` headers and have them restored automatically when `reportOnly` flips to `false` — one directive set across both modes, validated against the CSP Level 3 whitelist.
|
|
50
48
|
|
|
51
49
|
See the full [Changelog](./CHANGELOG.md) and [Roadmap](./ROADMAP.md).
|
|
52
50
|
|
package/ROADMAP.md
CHANGED
|
@@ -285,9 +285,9 @@ A cold audit of the Couchbase connector identified two critical security vulnera
|
|
|
285
285
|
| ✅ | **Configurable `maxConcurrentStreams` and `initialWindowSize`** — move from hardcoded to `settings.json` `http2Options` | `0.3.0-alpha.1` | 2026-04-05 | All four HTTP/2 server settings configurable: `maxConcurrentStreams` (256), `initialWindowSize` (655350), `maxSessionRejectedStreams` (100), `maxSessionInvalidFrames` (1000). Security guards (`maxHeaderListSize`, `enablePush`) remain hardcoded. |
|
|
286
286
|
| ✅ | **Application-level rapid reset rate limiter** (CVE-2023-44487) — per-session stream creation counter | `0.3.13` | 2026-05-14 | The Isaac HTTP/2 session handler counts new streams in a rolling 1s window per session; over `maxStreamsPerSecond` (default 200) it sends a GOAWAY and closes the session. More targeted than `maxSessionRejectedStreams` (which counts refused streams, not created ones). Configurable via `settings.json` `http2Options.maxStreamsPerSecond`; `/_gina/info` exposes a `rapidResetBlocked` counter. |
|
|
287
287
|
| ✅ | **Trailer support** — `stream.sendTrailers()` + `waitForTrailers: true` | `0.4.0` | 2026-05-22 | Opt-in HTTP/2 response trailers via `self.sendTrailers(fields)`. The render pipeline sets `waitForTrailers` and emits the trailing headers after the body (in the `wantTrailers` event), across all render delegates. Activated only when a controller calls `self.sendTrailers(fields)`; HTTP/1.1 and the no-trailers path are unchanged. For gRPC-style streaming (`grpc-status`) and content-integrity (`Digest`) use cases. |
|
|
288
|
-
| ✅ | **Alt-Svc header** — advertise HTTP/3 availability | `0.
|
|
288
|
+
| ✅ | **Alt-Svc header** — advertise HTTP/3 availability | `0.4.2` | 2026-06-02 | Set `Alt-Svc: h3=":443"; ma=86400` response header to advertise HTTP/3 (QUIC) availability via a QUIC-capable reverse proxy (nginx, Caddy, Cloudflare). Gina does not need to implement QUIC — just announce it. Opt-in via `settings.server.json`. Native HTTP/3 is out of scope: Node.js has no stable QUIC API, and the standard deployment topology (Gina → proxy → client) already delivers HTTP/3 at the edge. |
|
|
289
289
|
| 📋 | **RFC 9218 Extensible Priorities** — read `Priority: u=N, i` request header | `0.5.0` | Q1 2027 | Use the RFC 9218 priority header to order response writes for multiplexed API clients. Low value for typical HTML page loads; high value for parallel API requests with declared urgency. |
|
|
290
|
-
|
|
|
290
|
+
| ✅ | **WebSocket over HTTP/2** (RFC 8441 extended CONNECT) — opt-in via `http2Options.enableConnectProtocol` (default off; https and cleartext h2c HTTP/2 bundles). From `onInitialize`, `app.onWebSocket(path, handler)` registers per-path WebSocket handlers; accepted streams arrive as full sessions backed by a built-in dependency-free RFC 6455 codec (auto-pong, timed close handshake, UTF-8 + close-code validation, payload/fragment DoS caps, backpressure passthrough, graceful shutdown drain). Unknown paths are refused with 404, plain CONNECT keeps its 405, and default-off deployments are byte-identical. | `0.4.7` | 2026-06-11 |
|
|
291
291
|
|
|
292
292
|
---
|
|
293
293
|
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
0.4.8-alpha.1
|
package/framework/{v0.4.7-alpha.1 → v0.4.8-alpha.1}/core/plugins/lib/security-headers/csp/README.md
RENAMED
|
@@ -68,6 +68,8 @@ Settings.json shape — caller-supplied options always win over settings:
|
|
|
68
68
|
|--------------|---------|---------|----------------------------------------------------------------------|
|
|
69
69
|
| `directives` | object | — | **Required.** Throws if missing or empty. See "Directives" below. |
|
|
70
70
|
| `reportOnly` | boolean | `false` | When `true`, emits `Content-Security-Policy-Report-Only` instead. |
|
|
71
|
+
| `reportOnlyOmit` | string[] | `[]` | Directives to *also* omit while `reportOnly` is `true`; emitted again automatically in enforce mode. See "reportOnlyOmit" below. |
|
|
72
|
+
| `useNonce` | boolean | `false` | When `true`, generates a per-response nonce, stamps it on `req._ginaCspNonce`, and appends `'nonce-XXXX'` to `script-src` (fallback `default-src`). See "Per-response CSP nonce" below. |
|
|
71
73
|
|
|
72
74
|
There is no sensible cross-bundle default for `directives`. Every bundle
|
|
73
75
|
has its own resource graph; a default policy would either be too restrictive
|
|
@@ -177,8 +179,9 @@ CSP Level 2 rule — *"The frame-ancestors directive MUST be ignored when
|
|
|
177
179
|
monitoring a policy"* — which CSP Level 3 dropped; CSP3 only restricts `<meta>`
|
|
178
180
|
delivery, which a report-only policy never uses). The plugin keeps it so the
|
|
179
181
|
observation phase still reports on Chrome and Firefox. If you serve a
|
|
180
|
-
WebKit-heavy audience and want a clean Safari console,
|
|
181
|
-
|
|
182
|
+
WebKit-heavy audience and want a clean Safari console, opt it out with
|
|
183
|
+
`reportOnlyOmit: ['frame-ancestors']` (next section) — clickjacking protection
|
|
184
|
+
stays enforced
|
|
182
185
|
by `X-Frame-Options` and/or an enforcing-mode `frame-ancestors`. (Chrome caveat:
|
|
183
186
|
frame-ancestors violation reports are delivered via `report-uri`; known Chromium
|
|
184
187
|
bugs leave them undelivered via `report-to`.) A report-only policy whose every
|
|
@@ -188,6 +191,54 @@ time**, since it would report nothing.
|
|
|
188
191
|
The omitted set is intentionally conservative — `sandbox` is the only directive
|
|
189
192
|
confirmed ignored in report-only across all engines.
|
|
190
193
|
|
|
194
|
+
### `reportOnlyOmit` — opt out engine-divergent directives in report-only
|
|
195
|
+
|
|
196
|
+
For the engine-divergent case above, `reportOnlyOmit` packages the
|
|
197
|
+
hand-managed omission: every directive named in it is omitted from the
|
|
198
|
+
report-only header and emitted again **automatically** when `reportOnly`
|
|
199
|
+
flips to `false` — one directive set across both modes, no
|
|
200
|
+
remove-then-re-add churn.
|
|
201
|
+
|
|
202
|
+
```js
|
|
203
|
+
require('gina').plugins.Csp({
|
|
204
|
+
reportOnly: true,
|
|
205
|
+
directives: {
|
|
206
|
+
'script-src': ["'self'"],
|
|
207
|
+
'frame-ancestors': ["'self'"],
|
|
208
|
+
'report-uri': ['/csp/report']
|
|
209
|
+
},
|
|
210
|
+
reportOnlyOmit: ['frame-ancestors']
|
|
211
|
+
});
|
|
212
|
+
// report-only header: script-src 'self'; report-uri /csp/report
|
|
213
|
+
// after the enforce flip (reportOnly: false): frame-ancestors 'self' returns
|
|
214
|
+
```
|
|
215
|
+
|
|
216
|
+
**The honest trade — the option packages the engine divergence, it does not
|
|
217
|
+
eliminate it.** Listing `frame-ancestors` in `reportOnlyOmit` forgoes its
|
|
218
|
+
Chrome + Firefox (Gecko + Blink) report-only monitoring signal in exchange
|
|
219
|
+
for a clean WebKit console. The header is engine-blind, so gina cannot do
|
|
220
|
+
better — the option just turns the hand-managed comment into an explicit,
|
|
221
|
+
per-bundle, lifecycle-managed choice. Clickjacking stays enforced by
|
|
222
|
+
`X-Frame-Options` and/or an enforcing-mode `frame-ancestors` regardless.
|
|
223
|
+
|
|
224
|
+
Mechanics:
|
|
225
|
+
|
|
226
|
+
- Entries are validated against the same CSP Level 3 whitelist as
|
|
227
|
+
`directives` keys — unknown names throw at factory call time.
|
|
228
|
+
- A factory-time warning names what was dropped, with wording distinct from
|
|
229
|
+
the browser-inert `sandbox` omission — these directives are *not* ignored
|
|
230
|
+
by browsers; you are choosing to forgo their report signal.
|
|
231
|
+
- An entry not present in `directives` warns in report-only mode (likely a
|
|
232
|
+
config mistake) and no-ops.
|
|
233
|
+
- With `reportOnly: false` the option is inert **and silent** — keeping it
|
|
234
|
+
in an enforce-mode config is the expected lifecycle state, not a mistake.
|
|
235
|
+
- If the omissions empty the report-only directive set, the factory throws
|
|
236
|
+
(same as the all-inert case).
|
|
237
|
+
- `useNonce: true` with the nonce-target directive (`script-src` /
|
|
238
|
+
`default-src`) in `reportOnlyOmit` throws at factory call time — the
|
|
239
|
+
nonce would be stamped on the request and the tags but never referenced
|
|
240
|
+
by the emitted policy.
|
|
241
|
+
|
|
191
242
|
## Per-response CSP nonce (`useNonce`)
|
|
192
243
|
|
|
193
244
|
Set `useNonce: true` to drop `'unsafe-inline'` from `script-src` without
|
|
@@ -252,6 +303,10 @@ console at runtime. Gina favours fail-fast.
|
|
|
252
303
|
| All directives resolve to `false` (omitted) | Factory throws — empty CSP is invalid |
|
|
253
304
|
| `reportOnly` is non-boolean | Factory throws |
|
|
254
305
|
| `reportOnly:true` with only report-only-inert directives | Factory throws — a report-only policy would report nothing |
|
|
306
|
+
| `reportOnlyOmit` is non-array / has non-string entries | Factory throws |
|
|
307
|
+
| `reportOnlyOmit` contains an unknown directive name | Factory throws with full whitelist in message |
|
|
308
|
+
| `reportOnlyOmit` empties the report-only directive set | Factory throws — the policy would report nothing |
|
|
309
|
+
| `reportOnlyOmit` omits the nonce target while `useNonce:true` | Factory throws — the header would never reference the nonce |
|
|
255
310
|
| Plugin not registered | Header not emitted; browser applies no CSP |
|
|
256
311
|
| Header already set by an earlier middleware | Existing value preserved (idempotent) |
|
|
257
312
|
| Response already sent (`res.headersSent === true`) | Node's `setHeader` no-ops; request resumes |
|
|
@@ -92,9 +92,30 @@
|
|
|
92
92
|
* a console warning and no report (it retains CSP2's rule that the directive
|
|
93
93
|
* MUST be ignored when monitoring, which CSP3 dropped). Keeping it preserves
|
|
94
94
|
* the observation-phase signal on Chrome + Firefox; WebKit-heavy consumers
|
|
95
|
-
* can
|
|
96
|
-
*
|
|
97
|
-
*
|
|
95
|
+
* can opt it out via `reportOnlyOmit` (below). A report-only policy whose
|
|
96
|
+
* every directive is inert (e.g. only `sandbox`) throws at factory call
|
|
97
|
+
* time.
|
|
98
|
+
*
|
|
99
|
+
* **`reportOnlyOmit: ['frame-ancestors']`** (opt-in, default `[]`) extends
|
|
100
|
+
* the report-only omission to consumer-chosen directives: every directive
|
|
101
|
+
* named is omitted from the report-only header and emitted again
|
|
102
|
+
* automatically when `reportOnly` flips to `false` — one directive set
|
|
103
|
+
* across both modes, no remove-then-re-add churn. Built for the
|
|
104
|
+
* engine-divergent case above: a consumer serving WebKit-heavy audiences can
|
|
105
|
+
* drop `frame-ancestors` for a clean Safari console, explicitly trading away
|
|
106
|
+
* the Chrome + Firefox report-only signal (the header is engine-blind; the
|
|
107
|
+
* option just makes that trade an explicit, lifecycle-managed choice). The
|
|
108
|
+
* factory-time `console.warn` for these uses wording distinct from the
|
|
109
|
+
* browser-inert omission above — they are NOT ignored by browsers. Entries
|
|
110
|
+
* are validated against the same CSP Level 3 whitelist as `directives` keys
|
|
111
|
+
* (unknown names throw); an entry not present in `directives` warns in
|
|
112
|
+
* report-only mode (likely a config mistake) and no-ops; with
|
|
113
|
+
* `reportOnly: false` the option is inert and silent — an enforce-mode
|
|
114
|
+
* config is EXPECTED to keep carrying it.
|
|
115
|
+
* `useNonce: true` with the nonce-target directive (script-src /
|
|
116
|
+
* default-src) in `reportOnlyOmit` throws at factory call time — the nonce
|
|
117
|
+
* would be stamped on the request and the tags but never referenced by the
|
|
118
|
+
* emitted policy.
|
|
98
119
|
*
|
|
99
120
|
* Opens Phase 2 of the gina security-headers track (Phase 1 = HDR1-4 +
|
|
100
121
|
* HDR7 shipped in 0.3.15-alpha). Single-header plugin shape — composes
|
|
@@ -208,9 +229,10 @@ var HYBRID_DIRECTIVES = [
|
|
|
208
229
|
* delivery, which a report-only policy cannot use anyway). Omitting it
|
|
209
230
|
* would discard the observation-phase signal on Chrome + Firefox;
|
|
210
231
|
* consumers serving WebKit-heavy audiences that want a clean Safari
|
|
211
|
-
* console can
|
|
212
|
-
*
|
|
213
|
-
*
|
|
232
|
+
* console can opt it out per-config via `reportOnlyOmit:
|
|
233
|
+
* ['frame-ancestors']` — omitted in report-only, auto-restored in
|
|
234
|
+
* enforce mode (clickjacking stays enforced by X-Frame-Options and/or an
|
|
235
|
+
* enforcing frame-ancestors regardless).
|
|
214
236
|
* - `upgrade-insecure-requests` / `block-all-mixed-content` — not confirmed
|
|
215
237
|
* inert across engines: Chromium ignores-and-warns
|
|
216
238
|
* `upgrade-insecure-requests` in report-only but supports
|
|
@@ -442,6 +464,59 @@ function resolveReportOnly(value) {
|
|
|
442
464
|
}
|
|
443
465
|
|
|
444
466
|
|
|
467
|
+
/**
|
|
468
|
+
* Validate and normalise the `reportOnlyOmit` option — consumer-chosen
|
|
469
|
+
* directives to ALSO omit from a report-only header, on top of the
|
|
470
|
+
* universally-inert `REPORT_ONLY_IGNORED_DIRECTIVES`. Defaults to `[]`.
|
|
471
|
+
*
|
|
472
|
+
* Entries are lowercased and validated against the same CSP Level 3
|
|
473
|
+
* whitelist as `directives` keys; duplicates are dropped. Only consulted
|
|
474
|
+
* when `reportOnly` is true (inert and silent otherwise — keeping it in an
|
|
475
|
+
* enforce-mode config is the expected lifecycle state, not a mistake), but
|
|
476
|
+
* validated unconditionally so a malformed entry fails at boot rather than
|
|
477
|
+
* surfacing on the next `reportOnly` flip.
|
|
478
|
+
*
|
|
479
|
+
* @param {*} value
|
|
480
|
+
* @returns {string[]} normalised, deduplicated directive names.
|
|
481
|
+
* @throws {Error} on non-array shapes, non-string entries, unknown names.
|
|
482
|
+
* @inner
|
|
483
|
+
* @private
|
|
484
|
+
*/
|
|
485
|
+
function resolveReportOnlyOmit(value) {
|
|
486
|
+
if (typeof value === 'undefined' || value === null) {
|
|
487
|
+
return [];
|
|
488
|
+
}
|
|
489
|
+
if (!Array.isArray(value)) {
|
|
490
|
+
throw new Error(
|
|
491
|
+
'[gina.plugins.Csp] reportOnlyOmit must be an array of CSP directive '
|
|
492
|
+
+ 'names to omit from a report-only header (e.g. ["frame-ancestors"]); '
|
|
493
|
+
+ 'received ' + typeof value + '.'
|
|
494
|
+
);
|
|
495
|
+
}
|
|
496
|
+
var out = [];
|
|
497
|
+
for (var i = 0; i < value.length; i++) {
|
|
498
|
+
if (typeof value[i] !== 'string') {
|
|
499
|
+
throw new Error(
|
|
500
|
+
'[gina.plugins.Csp] reportOnlyOmit entries must be strings; '
|
|
501
|
+
+ 'received ' + typeof value[i] + ' at index ' + i + '.'
|
|
502
|
+
);
|
|
503
|
+
}
|
|
504
|
+
var name = String(value[i]).toLowerCase();
|
|
505
|
+
if (VALID_DIRECTIVES.indexOf(name) === -1) {
|
|
506
|
+
throw new Error(
|
|
507
|
+
'[gina.plugins.Csp] unknown directive name "' + value[i] + '" in '
|
|
508
|
+
+ 'reportOnlyOmit. Expected one of: ' + VALID_DIRECTIVES.join(', ')
|
|
509
|
+
+ '. (Per CSP Level 3 — https://www.w3.org/TR/CSP3/#csp-directives.)'
|
|
510
|
+
);
|
|
511
|
+
}
|
|
512
|
+
if (out.indexOf(name) === -1) {
|
|
513
|
+
out.push(name);
|
|
514
|
+
}
|
|
515
|
+
}
|
|
516
|
+
return out;
|
|
517
|
+
}
|
|
518
|
+
|
|
519
|
+
|
|
445
520
|
/**
|
|
446
521
|
* Build the header value string from a normalised directive dict.
|
|
447
522
|
*
|
|
@@ -482,22 +557,26 @@ function buildHeaderValue(normalised, nonce, nonceTarget) {
|
|
|
482
557
|
|
|
483
558
|
/**
|
|
484
559
|
* Return a shallow copy of the normalised directive dict with the
|
|
485
|
-
* report-only-inert directives (`REPORT_ONLY_IGNORED_DIRECTIVES`) removed
|
|
486
|
-
*
|
|
487
|
-
*
|
|
488
|
-
*
|
|
489
|
-
*
|
|
490
|
-
*
|
|
491
|
-
*
|
|
560
|
+
* report-only-inert directives (`REPORT_ONLY_IGNORED_DIRECTIVES`) removed,
|
|
561
|
+
* plus any consumer-chosen `extraOmit` names (the validated `reportOnlyOmit`
|
|
562
|
+
* option). Used only when `reportOnly` is true. Pure — never mutates the
|
|
563
|
+
* input, so the full configured set survives for an enforcing factory built
|
|
564
|
+
* from the same directives. Called with one argument, behaviour is identical
|
|
565
|
+
* to the pre-`reportOnlyOmit` shape (inert set only).
|
|
566
|
+
*
|
|
567
|
+
* @param {object} normalised — validated directive dict from resolveDirectives.
|
|
568
|
+
* @param {string[]} [extraOmit] — validated `reportOnlyOmit` names (default none).
|
|
569
|
+
* @returns {object} a new dict without the omitted directives.
|
|
492
570
|
* @inner
|
|
493
571
|
* @private
|
|
494
572
|
*/
|
|
495
|
-
function stripReportOnlyIgnored(normalised) {
|
|
573
|
+
function stripReportOnlyIgnored(normalised, extraOmit) {
|
|
574
|
+
var omit = extraOmit || [];
|
|
496
575
|
var out = {};
|
|
497
576
|
var keys = Object.keys(normalised);
|
|
498
577
|
for (var i = 0; i < keys.length; i++) {
|
|
499
578
|
var name = keys[i];
|
|
500
|
-
if (REPORT_ONLY_IGNORED_DIRECTIVES.indexOf(name) !== -1) {
|
|
579
|
+
if (REPORT_ONLY_IGNORED_DIRECTIVES.indexOf(name) !== -1 || omit.indexOf(name) !== -1) {
|
|
501
580
|
continue;
|
|
502
581
|
}
|
|
503
582
|
out[name] = normalised[name];
|
|
@@ -604,6 +683,15 @@ function resolveNonceTarget(normalised) {
|
|
|
604
683
|
* Content-Security-Policy-
|
|
605
684
|
* Report-Only instead of
|
|
606
685
|
* Content-Security-Policy.
|
|
686
|
+
* @param {string[]} [opts.reportOnlyOmit=[]] — directive names to ALSO
|
|
687
|
+
* omit when reportOnly is
|
|
688
|
+
* true (validated against
|
|
689
|
+
* the CSP Level 3
|
|
690
|
+
* whitelist); emitted again
|
|
691
|
+
* automatically when
|
|
692
|
+
* reportOnly is false. Inert
|
|
693
|
+
* and silent in enforce
|
|
694
|
+
* mode.
|
|
607
695
|
* @param {boolean} [opts.useNonce=false] — generate a per-response
|
|
608
696
|
* nonce, stamp it on
|
|
609
697
|
* `req._ginaCspNonce`, and
|
|
@@ -616,9 +704,28 @@ function resolveNonceTarget(normalised) {
|
|
|
616
704
|
* @throws {Error} — when `directives` is
|
|
617
705
|
* missing/empty, contains an
|
|
618
706
|
* unknown directive name, has
|
|
619
|
-
* invalid value shapes,
|
|
707
|
+
* invalid value shapes,
|
|
620
708
|
* `useNonce:true` with no
|
|
621
|
-
* script-src/default-src
|
|
709
|
+
* script-src/default-src,
|
|
710
|
+
* `reportOnlyOmit` is
|
|
711
|
+
* malformed or names an
|
|
712
|
+
* unknown directive, the
|
|
713
|
+
* report-only set is empty
|
|
714
|
+
* after omissions, or
|
|
715
|
+
* `reportOnlyOmit` omits the
|
|
716
|
+
* nonce target in report-only
|
|
717
|
+
* mode.
|
|
718
|
+
*
|
|
719
|
+
* @example
|
|
720
|
+
* // Engine-divergent directive opt-out: omit frame-ancestors from the
|
|
721
|
+
* // report-only header (clean WebKit console; forgoes the Gecko + Blink
|
|
722
|
+
* // report signal) — restored automatically at the enforce flip.
|
|
723
|
+
* var csp = require('gina').plugins.Csp({
|
|
724
|
+
* reportOnly: true,
|
|
725
|
+
* directives: { 'script-src': ["'self'"], 'frame-ancestors': ["'self'"] },
|
|
726
|
+
* reportOnlyOmit: ['frame-ancestors']
|
|
727
|
+
* });
|
|
728
|
+
* app.use(csp);
|
|
622
729
|
*/
|
|
623
730
|
function Csp(opts) {
|
|
624
731
|
var defaults = resolveSettingsDefaults();
|
|
@@ -627,20 +734,44 @@ function Csp(opts) {
|
|
|
627
734
|
var directives = resolveDirectives(merged.directives);
|
|
628
735
|
var reportOnly = resolveReportOnly(merged.reportOnly);
|
|
629
736
|
var useNonce = resolveUseNonce(merged.useNonce);
|
|
737
|
+
var reportOnlyOmit = resolveReportOnlyOmit(merged.reportOnlyOmit);
|
|
630
738
|
|
|
631
739
|
// Report-only mode: drop directives browsers ignore in a report-only
|
|
632
|
-
// header (REPORT_ONLY_IGNORED_DIRECTIVES — currently `sandbox`)
|
|
633
|
-
//
|
|
634
|
-
//
|
|
635
|
-
//
|
|
636
|
-
// config still emits them.
|
|
740
|
+
// header (REPORT_ONLY_IGNORED_DIRECTIVES — currently `sandbox`), plus any
|
|
741
|
+
// consumer-chosen `reportOnlyOmit` names (typically engine-divergent
|
|
742
|
+
// directives like frame-ancestors). Both survive in `directives`, so an
|
|
743
|
+
// enforcing factory built from the same config still emits them.
|
|
637
744
|
var emitDirectives = directives;
|
|
638
745
|
if (reportOnly) {
|
|
639
|
-
emitDirectives = stripReportOnlyIgnored(directives);
|
|
746
|
+
emitDirectives = stripReportOnlyIgnored(directives, reportOnlyOmit);
|
|
640
747
|
var dropped = Object.keys(directives).filter(function (d) {
|
|
641
748
|
return !Object.prototype.hasOwnProperty.call(emitDirectives, d);
|
|
642
749
|
});
|
|
750
|
+
// Split by cause — the warn/throw wording must not claim "ignored by
|
|
751
|
+
// browsers" for a directive the consumer chose to drop: an opted-out
|
|
752
|
+
// directive like frame-ancestors IS evaluated + reported by some
|
|
753
|
+
// engines (Gecko, Blink) in report-only mode.
|
|
754
|
+
var droppedInert = dropped.filter(function (d) {
|
|
755
|
+
return REPORT_ONLY_IGNORED_DIRECTIVES.indexOf(d) !== -1;
|
|
756
|
+
});
|
|
757
|
+
var droppedOpted = dropped.filter(function (d) {
|
|
758
|
+
return REPORT_ONLY_IGNORED_DIRECTIVES.indexOf(d) === -1;
|
|
759
|
+
});
|
|
760
|
+
var absentOmit = reportOnlyOmit.filter(function (d) {
|
|
761
|
+
return !Object.prototype.hasOwnProperty.call(directives, d);
|
|
762
|
+
});
|
|
643
763
|
if (Object.keys(emitDirectives).length === 0) {
|
|
764
|
+
if (droppedOpted.length > 0) {
|
|
765
|
+
throw new Error(
|
|
766
|
+
'[gina.plugins.Csp] reportOnly:true but the emitted directive set is '
|
|
767
|
+
+ 'empty after omissions ('
|
|
768
|
+
+ (droppedInert.length > 0 ? 'ignored by browsers: ' + droppedInert.join(', ') + '; ' : '')
|
|
769
|
+
+ 'per reportOnlyOmit: ' + droppedOpted.join(', ') + '). '
|
|
770
|
+
+ 'A report-only policy needs at least one emitted directive that '
|
|
771
|
+
+ 'produces violation reports (e.g. script-src / default-src). '
|
|
772
|
+
+ 'Remove entries from reportOnlyOmit or add directives.'
|
|
773
|
+
);
|
|
774
|
+
}
|
|
644
775
|
// Mirrors the all-omitted throw in resolveDirectives: an empty CSP
|
|
645
776
|
// is invalid, and a report-only policy made entirely of inert
|
|
646
777
|
// directives reports nothing — surface it at factory (boot) time.
|
|
@@ -653,18 +784,39 @@ function Csp(opts) {
|
|
|
653
784
|
+ 'in report-only mode.'
|
|
654
785
|
);
|
|
655
786
|
}
|
|
656
|
-
if (
|
|
787
|
+
if (droppedInert.length > 0) {
|
|
657
788
|
// Transparency: the emitted header diverges from the configured
|
|
658
789
|
// directives. One line at factory (boot) time — per call, no
|
|
659
790
|
// module-level latch — so the operator knows why a configured
|
|
660
791
|
// directive is absent from the wire.
|
|
661
792
|
console.warn(
|
|
662
793
|
'[gina.plugins.Csp] reportOnly:true — omitting directive(s) ignored by '
|
|
663
|
-
+ 'browsers in report-only mode: ' +
|
|
794
|
+
+ 'browsers in report-only mode: ' + droppedInert.join(', ') + '. They apply no '
|
|
664
795
|
+ 'restriction and emit a browser console warning in report-only mode; they '
|
|
665
796
|
+ 'are included automatically when reportOnly is false.'
|
|
666
797
|
);
|
|
667
798
|
}
|
|
799
|
+
if (droppedOpted.length > 0) {
|
|
800
|
+
// Distinct wording — these are NOT browser-inert: some engines
|
|
801
|
+
// (Gecko + Blink for frame-ancestors) evaluate and report them in
|
|
802
|
+
// report-only mode; the consumer is forgoing that signal.
|
|
803
|
+
console.warn(
|
|
804
|
+
'[gina.plugins.Csp] reportOnly:true — omitting directive(s) per '
|
|
805
|
+
+ 'reportOnlyOmit: ' + droppedOpted.join(', ') + '. These are evaluated and '
|
|
806
|
+
+ 'reported by some engines in report-only mode; you are forgoing that '
|
|
807
|
+
+ 'monitoring signal. They are emitted automatically when reportOnly is '
|
|
808
|
+
+ 'false.'
|
|
809
|
+
);
|
|
810
|
+
}
|
|
811
|
+
if (absentOmit.length > 0) {
|
|
812
|
+
// Omitting something you don't emit signals a config mistake.
|
|
813
|
+
// Emitted AFTER the empty-set throws above so a fatally-broken
|
|
814
|
+
// config surfaces only its throw, not a warn-then-throw sequence.
|
|
815
|
+
console.warn(
|
|
816
|
+
'[gina.plugins.Csp] reportOnlyOmit names directive(s) not present in '
|
|
817
|
+
+ 'directives (no-op): ' + absentOmit.join(', ') + '.'
|
|
818
|
+
);
|
|
819
|
+
}
|
|
668
820
|
}
|
|
669
821
|
|
|
670
822
|
var headerName = reportOnly ? HEADER_NAME_REPORT_ONLY : HEADER_NAME;
|
|
@@ -672,9 +824,21 @@ function Csp(opts) {
|
|
|
672
824
|
var headerValue = buildHeaderValue(emitDirectives);
|
|
673
825
|
// Fail-fast at factory time: a nonce needs a script-governing directive.
|
|
674
826
|
// Resolved from `directives` (not emitDirectives) — the nonce target is
|
|
675
|
-
// always script-src/default-src, which
|
|
676
|
-
// the
|
|
827
|
+
// always script-src/default-src, which REPORT_ONLY_IGNORED_DIRECTIVES
|
|
828
|
+
// never contains and the guard below keeps out of reportOnlyOmit, so the
|
|
829
|
+
// two sets agree; the middleware still serialises emitDirectives.
|
|
677
830
|
var nonceTarget = useNonce ? resolveNonceTarget(directives) : null;
|
|
831
|
+
if (nonceTarget && reportOnly && reportOnlyOmit.indexOf(nonceTarget) !== -1) {
|
|
832
|
+
// The nonce would be stamped on req._ginaCspNonce and mirrored onto
|
|
833
|
+
// the framework inline <script> tags, but the emitted report-only
|
|
834
|
+
// policy would never reference it — incoherent header/tag state.
|
|
835
|
+
throw new Error(
|
|
836
|
+
'[gina.plugins.Csp] useNonce:true with reportOnly:true requires the '
|
|
837
|
+
+ 'nonce target directive ("' + nonceTarget + '") to be emitted in the '
|
|
838
|
+
+ 'report-only header, but reportOnlyOmit omits it. Remove "'
|
|
839
|
+
+ nonceTarget + '" from reportOnlyOmit.'
|
|
840
|
+
);
|
|
841
|
+
}
|
|
678
842
|
|
|
679
843
|
return function ginaCsp(req, res, next) {
|
|
680
844
|
if (typeof res.getHeader === 'function' && res.getHeader(headerName)) {
|
|
@@ -707,6 +871,7 @@ Csp._resolveSettingsDefaults = resolveSettingsDefaults;
|
|
|
707
871
|
Csp._mergeOptions = mergeOptions;
|
|
708
872
|
Csp._resolveDirectives = resolveDirectives;
|
|
709
873
|
Csp._resolveReportOnly = resolveReportOnly;
|
|
874
|
+
Csp._resolveReportOnlyOmit = resolveReportOnlyOmit;
|
|
710
875
|
Csp._resolveUseNonce = resolveUseNonce;
|
|
711
876
|
Csp._resolveNonceTarget = resolveNonceTarget;
|
|
712
877
|
Csp._buildHeaderValue = buildHeaderValue;
|