gina 0.5.3 → 0.5.4

package/CHANGELOG.md

@@ -6,6 +6,30 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html),
 and is generated by [Changie](https://github.com/miniscruff/changie).
 
 
+## 0.5.4 - 2026-06-19
+### Added
+* Added a `--ignore-ports` flag to `gina bundle:add`: pass a comma-separated list of port numbers (e.g. `--ignore-ports=3000,3001`) to exclude them from the availability scan when creating or importing a bundle, on top of the already-assigned ports and the reserved 4100-4199 range that are skipped automatically. Composable with `--start-port-from`.
+### Changed
+* Widened the supported Node.js version range to include Node 26. The `engine.node` field is now `>= 22 <27`; the full test suite passes on Node 26.3.0 and Node 26 is now part of the CI test matrix.
+### Fixed
+* FormValidator isFloat now accepts string float values (e.g. "1.5") by coercing with Number() before checking finiteness and a fractional part. Previously the strict Number(val) === val gate passed only a real JS number, so server-side validation of form and urlencoded input (always strings) wrongly rejected valid floats. Whole numbers still fail, preserving the rule that an integer is not a float.
+* FormValidator isDate now validates non-ISO date masks (e.g. dd/mm/yyyy). It builds the date from explicit numeric components identified by the mask tokens with a round-trip range check, instead of reformatting a string and handing it to new Date(). Previously a slash mask with a day greater than 12 was parsed as US MM/DD and wrongly rejected; impossible dates such as 2023-02-30 are still rejected.
+* Fixed multipart file uploads ignoring the configured upload directory. The handler read a non-existent `upload.uploadDir` key and always wrote to the OS temp dir, so the documented `upload.tmpPath` and per-group `path` settings had no effect. Uploads now stream to the configured `tmpPath` (or a per-group `path` when the group sets one), falling back to the OS temp dir only when neither is configured; a configured directory that does not exist yet is created automatically.
+* Fixed two multipart upload limits that were declared in settings.json but inert. `upload.maxFields` (default 1000) is now enforced as a global per-request file-count cap — previously it was never read, so a group allowing multiple files accepted an unbounded number. `upload.maxFieldsSize` now honours its unit suffix (B/KB/MB/GB; a bare number is read as MB) instead of dropping it — previously `"512K"` was parsed as 512 and compared as 512 MB. Back-compat note: a `maxFieldsSize` with a non-MB suffix now means what it says (a tighter limit than before); the shipped `"2MB"` default is unchanged.
+* Fixed a dev-mode memory leak: with hot-reload active (NODE_ENV_IS_DEV), the framework evicted and re-required its collection, merge, uuid, cache and archiver libraries on every request, so long-lived code that captured those libraries at startup accumulated dead module references that the per-request prune could not reach — a slow heap climb that ended in an out-of-memory crash under sustained dev traffic (for example a long end-to-end run). These five stable libraries are now loaded once (like the logger, job and state singletons), keeping the dev-mode heap flat. Production was never affected (it does not evict modules per request).
+* Fixed a rare cross-request data mix-up in the dev Inspector and instrumentation-window data feed for Swig-rendered HTML pages: under concurrent requests, one page's captured query log and flow timeline could be attributed to another request. The Swig render path now isolates its per-request state the same way the Nunjucks path already does. This affects Inspector observability only — rendered page output was never affected.
+* Fixed the dev Inspector misrouting its live server-log stream (/_gina/logs) and live database-index lookups (/_gina/indexes) to the wrong bundle in reverse-proxy multi-bundle setups, where several bundles share a host and differ only by a path prefix. Both now resolve the monitored bundle the same way the Data-tab Reveal already did — via the page opener or an explicit ?target= — instead of a bare path strip that hit the proxy default bundle. Single-bundle setups are unaffected. Dev Inspector tooling only.
+* Hardened the dev Inspector SPA against two edge cases: a corrupted or tampered fold-state value in localStorage could throw and break the collapsible tree toggles, and a form-data section label was inserted into the panel without HTML-escaping. Both are now guarded. Dev Inspector tooling only; no impact on application pages.
+* The default (Express) server engine now serves the admin endpoints /_gina/info and /_gina/cache/stats, which previously returned 404 there while the Isaac engine served them. Both engines now expose them with the same always-on, IP-allowlisted behaviour (loopback-only by default; configure via app.json admin.allowFrom), so process/runtime info and cache statistics are available regardless of which server engine a bundle runs.
+* FormValidator's `isDate` rule now returns the field object on its valid path (like every other rule), so it chains — e.g. `field.isDate(mask).isRequired()`; the parsed Date stays available on the field's `value`.
+* Fixed a dev-mode memory retention on the HTTP/2 `self.query()` client path. When an outbound query stream settled at a non-retry outcome — timeout, stream error, premature close, exhausted 502 retries, or normal completion — its event listeners stayed attached, and through them the per-request controller plus the large per-request configuration clone it had captured were retained until the cached HTTP/2 session was eventually torn down. Under sustained bursty inter-service traffic the retained clones accumulated and could push a long-running dev bundle toward its heap limit. The stream is now released at every non-retry terminal (its timeout cancelled, listeners detached, stream closed), which bounds live heap. Production was unaffected — it reuses a single controller class, so retention was already bounded — and the retry paths already destroyed the session.
+* Narrowed the per-request configuration clone in the router so a matched request no longer deep-clones the entire bundle configuration. Only the routing table the request mutates is cloned per request; the large immutable remainder (templates, server configuration, application assets) is shared by reference. Under sustained concurrency this removes a heap high-water-mark proportional to configuration size. No behavior or API change.
+* getRouteByUrl no longer mutates the shared route configuration in place when resolving a parameterised route. It now clones the route param subtree per request and propagates the resolved values onto the returned route, so a :placeholder in a route param field (path, namespace, file or title) no longer leaks the values resolved for one request into later requests for the same route, nor produces stale params across repeat client-side navigations. (#B52-residual)
+* Dev Inspector: the data tabs (Data, View, Forms, Query, Flow) now reliably track the page that opened the Inspector, instead of intermittently showing another browser tab's data. When a bundle's pages set `Cross-Origin-Opener-Policy: same-origin`, the browser severs the Inspector popup's `window.opener`, which previously dropped the Inspector onto bundle-wide channels (the shared `localStorage` snapshot and the worker-wide `/_gina/agent` stream) that any open tab or background XHR could overwrite. The statusbar now opens the Inspector bound to the opener tab via a per-tab BroadcastChannel (`?ch=<tabId>`), so its data follows that one tab's navigation and is immune to other tabs' renders. No change when the Inspector is opened standalone (`?target=`) or directly by URL.
+* Live form validation now shows only the soft warning border while a field is being edited; its error message is revealed once the field is committed (on blur or submit).
+### Security
+* Uploads to an unconfigured upload group are now rejected with HTTP 400 instead of streaming through unchecked, closing a bypass of a group's `allowedExtensions` and `isMultipleAllowed` limits. A file with no group falls back to the default `untagged` group, and `untagged` is no longer exempt from its own configured limits. Back-compat: the shipped `untagged` default now sets `isMultipleAllowed: true`; bundles whose `settings.json` set it to `false`, or that uploaded without configuring `upload.groups`, must add or adjust their upload-group configuration.
+
 ## 0.5.3 - 2026-06-14
 
 _Patch release — no breaking changes. Finishes the released-response crash-family hardening (a late two-/three-argument `throwError()` and the swig / nunjucks render delegates, including their async variants, no longer crash or emit unhandled rejections when invoked on an already-released response) and adds bundle-boot / startup robustness — atomic `~/.gina` state-file writes, framework command-socket hardening, protection of the framework socket port from a bundle's `--port`, and synchronous boot-failure diagnostics under piped output — plus storage `_id` collision hardening, clearer unresolved-`${secret:KEY}` diagnostics, and the new `gina port:set --force`._

package/README.md

@@ -39,15 +39,17 @@ gina bundle:start api @myproject
 open https://localhost:3100
 ```
 
-## What's in 0.5.3
-
-- **Released-response crash family finished (bundle-killing).** The two remaining members are now guarded: a late `self.throwError(statusCode, error)` in its two- and three-argument forms (only the single-argument form was guarded before), and the HTML render delegates (swig and nunjucks, including their async variants) invoked after the response was already released. Both now log-and-ignore or no-op instead of dereferencing the released response — no `uncaughtException`, no SIGTERM, no unhandled promise rejection — matching `renderJSON()` and the streaming delegate.
-- **Atomic `~/.gina` state-file writes.** The five state files (`main.json`, `projects.json`, `settings.json`, `env.json`, `locals.json`) are now written via a temp file plus rename, so a concurrent boot of many bundles or containers against the same home directory can no longer read a partially-written file and crash on startup.
-- **Framework command-socket hardening.** The command socket now accumulates each connection's payload and parses it only once complete; a malformed, partial, or non-JSON payload is ignored instead of throwing an uncaught exception that could drop the command or shut the framework down.
-- **Framework socket port no longer corrupted by bundle flags.** A sub-topic command passed `--port` (e.g. `gina port:set`, `gina bundle:start`) no longer overwrites the framework socket port in `~/.gina/<short>/settings.json` — which previously made later online commands fail with `[ gina ] not started`. The framework-connection flags (`--port`, `--mq-port`, `--host-v4`, `--hostname`, `--debug-port`) now apply as framework settings only for framework-scoped commands.
-- **Boot failures surface their cause.** The `gina-container` launcher and the framework boot path now flush the failure reason synchronously before `process.exit`, so a crash on a piped stdout/stderr (the norm under container log collectors) reports its cause instead of exiting with no message.
-- **`gina port:set --force`.** Reassigns a port already held by another bundle (evicting the prior holder from both port maps); without `--force`, an in-use port is still rejected as before. Enables deterministic per-bundle port pinning for one-bundle-per-container deployments.
-- **Storage `_id` collision hardening** (16 base-62 random suffix, matching the collection ID convention) and **clearer unresolved-`${secret:KEY}` diagnostics** (the failing key name and config path are logged at debug level; the propagated error still omits the key).
+## What's in 0.5.4
+
+- **Node.js 26 support.** The supported range now includes Node 26 — `engine.node` is `>= 22 <27`, the full test suite passes on 26.3.0, and Node 26 is part of the CI matrix.
+- **Form-validation rule fixes (server + client).** `isFloat` now accepts string float values such as `"1.5"`, so server-side validation of form and urlencoded input (always strings) no longer rejects valid floats — whole numbers still fail. `isDate` validates non-ISO masks like `dd/mm/yyyy` (a slash mask with a day past 12 is no longer mis-read as US `MM/DD`) and now returns the field object, so it chains: `field.isDate(mask).isRequired()`.
+- **Quieter live form validation.** While a field is being edited only the soft warning border shows; the error message is revealed once the field is committed (on blur or submit).
+- **File uploads honour their configured directory and limits.** Multipart uploads now write to the configured `upload.tmpPath` (or a per-group `path`), creating the directory if missing, instead of always using the OS temp dir. `upload.maxFields` (a global per-request file-count cap) is now enforced, and `upload.maxFieldsSize` honours its unit suffix (`B`/`KB`/`MB`/`GB`; a bare number is read as MB). **Security:** a file uploaded to an unconfigured group is now rejected with HTTP 400 instead of streaming through unchecked, closing a bypass of a group's `allowedExtensions` / `isMultipleAllowed` limits. **Back-compat:** the `untagged` default now sets `isMultipleAllowed: true`, and a non-MB `maxFieldsSize` suffix now means what it says — see the [migration guide](https://gina.io/docs/migration) if your bundle configures uploads.
+- **Dev-mode heap fixes.** Two retention paths that could push a long-running dev bundle toward an out-of-memory crash under sustained traffic are closed: the hot-reload path no longer accumulates dead module references for five core libraries (now loaded once, like the logger / job / state singletons), and the HTTP/2 `self.query()` client releases a settled stream at every non-retry outcome instead of retaining the per-request controller and its config clone. Production was never affected by either.
+- **Tighter per-request config isolation.** The router now deep-clones only the routing table a matched request mutates, sharing the large immutable remainder by reference — removing a concurrency heap high-water-mark proportional to config size. Relatedly, `getRouteByUrl` no longer mutates the shared route config in place, so a `:placeholder` route can't leak one request's resolved values (path / namespace / file / title) into later requests for the same route.
+- **Dev Inspector reliability.** The data tabs now reliably track the page that opened the Inspector — a per-tab channel survives `Cross-Origin-Opener-Policy: same-origin` severing `window.opener`. The Swig render path isolates per-request query/flow capture (concurrent requests no longer cross data); `/_gina/logs` and `/_gina/indexes` resolve the right bundle in reverse-proxy multi-bundle setups; and the SPA is hardened against a corrupted localStorage fold-state and an unescaped form-data label. Dev tooling only.
+- **Express-engine admin-endpoint parity.** The default (Express) engine now serves `/_gina/info` and `/_gina/cache/stats` with the same always-on, loopback-only, IP-allowlisted behaviour as the Isaac engine (they previously 404'd there).
+- **`gina bundle:add --ignore-ports`.** Exclude specific ports from the availability scan when creating or importing a bundle (e.g. `--ignore-ports=3000,3001`); composable with `--start-port-from`.
 
 See the full [Changelog](./CHANGELOG.md) and [Roadmap](./ROADMAP.md).
 

package/ROADMAP.md

@@ -28,6 +28,7 @@ This roadmap covers planned features, architectural improvements, new connectors
 | **Q2 2026** | `0.5.1` ✅ | Patch: released-response crash family — late `throwError()` and the HTTP/2 inter-bundle query retry / late-response / redirect-intercept paths no longer kill the bundle · dev-mode hot-reload `module.children` heap leak fixed (OOM under sustained load) · inter-bundle proxy JSON bodies keep their `application/json` label · ROADMAP consistency release gate |
 | **Q2 2026** | `0.5.2` ✅ | Patch: released-response crash family completed across the remaining synchronous controller surface — `renderJSON()` / `redirect()` / `store()` / `push()` / `renderStream()` / request-method + form-rule helpers no longer kill the bundle when called on an already-released response · exhausted HTTP/2 502 retries surface a typed `BAD_GATEWAY` error instead of being consumed as success |
 | **Q2 2026** | `0.5.3` ✅ | Patch: released-response crash family finished — late `throwError(status, error)` (2- and 3-argument forms) and the HTML render delegates (swig / nunjucks + async variants) no longer crash or emit unhandled rejections when invoked on an already-released response · atomic `~/.gina` state-file writes (concurrent multi-bundle / multi-container boot can't read a torn file) · framework command-socket hardened against malformed / fragmented payloads · framework socket port no longer corrupted by a bundle's `--port` · synchronous boot-failure diagnostics under piped stdout/stderr · storage `_id` collision hardening · `gina port:set --force` |
+| **Q2 2026** | `0.5.4` ✅ | Node.js 26 support (engine `>= 22 <27`, CI matrix) · FormValidator fixes (`isFloat` accepts string floats · `isDate` non-ISO masks + rule chaining) · quieter live form validation (error message revealed on blur) · file-upload fixes (honour `tmpPath` / per-group `path` · enforce `maxFields` + `maxFieldsSize` unit suffix · **Security**: reject uploads to an unconfigured group, closing an `allowedExtensions` / `isMultipleAllowed` bypass) · two dev-mode heap fixes (hot-reload lib-eviction leak · HTTP/2 `self.query()` settled-stream retention) · tighter per-request config isolation (narrowed router clone · `getRouteByUrl` shared-config mutation) · dev Inspector reliability (per-tab channel under COOP · Swig render-race isolation · multi-bundle proxy log/index routing · SPA hardening) · Express-engine `/_gina/info` + `/_gina/cache/stats` parity · `bundle:add --ignore-ports` |
 | **Q1 2027** | `0.5.x` | HTTP/2 priorities (blocked on Node scheduler hooks) · CLI Tier 3 (project:move, framework:update, backup/restore, man pages) · Beemaster admin + visual translation editor |
 | **Q3 2027** | `1.0.0` | First stable release — Windows alpha compatibility is a hard gate |
 

package/framework/v0.5.4/VERSION

@@ -0,0 +1 @@
+0.5.4

package/framework/{v0.5.3 → v0.5.4}/core/asset/plugin/dist/vendor/gina/html/statusbar.html

@@ -3,6 +3,42 @@
     'use strict';
     var d = window.__ginaData;
     if (!d || !d.user) return;
+
+    // ── Inspector per-tab data channel (#INS) ─────────────────────────────
+    // COOP can sever window.opener for the Inspector popup, dropping the
+    // Inspector onto bundle-global channels (the shared localStorage slot +
+    // the worker-wide /_gina/agent SSE) that ANY tab's render or background
+    // XHR clobbers. A per-tab BroadcastChannel — keyed by a sessionStorage id
+    // that is stable across THIS tab's navigations — lets the Inspector bind
+    // to this tab only. We publish the tab's current __ginaData here (page
+    // load) and on every ginaToolbar.update()/restore() (in-tab XHR/pushState
+    // renders), so the bound Inspector follows this tab and ignores others.
+    var _ginaTabId = null;
+    try {
+        _ginaTabId = sessionStorage.getItem('__gina_tab_id');
+        if (!_ginaTabId) {
+            _ginaTabId = 'gt' + Math.random().toString(36).slice(2) + Date.now().toString(36);
+            sessionStorage.setItem('__gina_tab_id', _ginaTabId);
+        }
+    } catch (e) { _ginaTabId = null; }
+    var _ginaBC = null;
+    try {
+        if (_ginaTabId && typeof BroadcastChannel !== 'undefined') {
+            _ginaBC = new BroadcastChannel('gina-inspector-' + _ginaTabId);
+        }
+    } catch (e) { _ginaBC = null; }
+    function _ginaPublish() {
+        if (!_ginaBC) return;
+        try { _ginaBC.postMessage({ type: 'data', payload: window.__ginaData }); } catch (e) {}
+    }
+    // A freshly-opened Inspector posts {type:'request'} (BroadcastChannel does
+    // not replay past messages) — reply with the current payload.
+    if (_ginaBC) {
+        _ginaBC.onmessage = function (ev) {
+            if (ev && ev.data && ev.data.type === 'request') _ginaPublish();
+        };
+    }
+
     var env     = d.user.environment || {};
     var data    = d.user.data        || {};
     var bundle  = env.bundle  || '?';
@@ -167,6 +203,7 @@
 
             // Sync localStorage for the Inspector's fallback channel
             try { localStorage.setItem('__ginaData', JSON.stringify(window.__ginaData)); } catch (e) {}
+            _ginaPublish();
         },
         restore: function () {
             if (!window.__ginaData) return;
@@ -182,6 +219,7 @@
                 } catch (e) {}
             }
             try { localStorage.setItem('__ginaData', JSON.stringify(window.__ginaData)); } catch (e) {}
+            _ginaPublish();
         },
         hasParsedUrls: false
     };
@@ -213,6 +251,7 @@
 
     // Publish data for Inspector via localStorage (works regardless of opener)
     try { localStorage.setItem('__ginaData', JSON.stringify(d)); } catch (e) {}
+    _ginaPublish();
     var webroot = env.webroot || '/';
     if (webroot.charAt(webroot.length - 1) !== '/') webroot += '/';
     var el      = document.createElement('div');
@@ -264,7 +303,7 @@
                 }
             } catch (e) {}
             window.open(
-                _embeddedUrl,
+                _embeddedUrl + (_ginaTabId ? '?ch=' + encodeURIComponent(_ginaTabId) : ''),
                 'gina-inspector',
                 'width=' + w + ',height=' + h + ',left=' + left + ',top=' + top
                 + ',menubar=no,toolbar=no,location=no,status=no,resizable=yes,scrollbars=yes'

package/framework/{v0.5.3 → v0.5.4}/core/asset/plugin/dist/vendor/gina/inspector/inspector.js

@@ -146,6 +146,22 @@
     // ── State ──────────────────────────────────────────────────────────────
     /** @type {?Window|string} Data source — `Window` (opener), `'localStorage'`, or `null` */
     var source  = null;
+    /**
+     * Bound mode (#INS) — the per-tab BroadcastChannel the Inspector binds to
+     * when the statusbar opened it with `?ch=<tabId>`. Scopes data to the ONE
+     * tab that opened the Inspector (immune to other tabs'/XHR renders that
+     * clobber the bundle-global localStorage + SSE channels COOP forces us onto
+     * when it severs window.opener). `null` outside bound mode.
+     * @type {?BroadcastChannel}
+     */
+    var _boundChannel = null;
+    /**
+     * Latest payload received over {@link _boundChannel}; read by pollData()
+     * (source === 'broadcast'). The channel handler also calls pollData() for an
+     * immediate apply, so the poll timer is only a fallback.
+     * @type {?Object}
+     */
+    var _bcLatest = null;
     /** @type {?Object} Latest parsed `__ginaData` payload */
     var ginaData = null;
     /** @type {LogEntry[]} In-memory log buffer (capped at {@link MAX_LOG_ENTRIES}) */
@@ -329,7 +345,13 @@
     function loadFoldStore() {
         try {
             var raw = localStorage.getItem(FOLD_STORAGE_KEY);
-            return raw ? JSON.parse(raw) : {};
+            var o   = raw ? JSON.parse(raw) : {};
+            // Shape-guard (mirrors getCustomOrder / getHiddenTabs / tryLocalStorage):
+            // a corrupted or tampered key could hold a JSON primitive (42 / true /
+            // "x"); returning it would make the un-try/caught toggle handler run
+            // `store[tab] = {}` on a primitive → strict-mode TypeError, breaking
+            // fold persistence on every <details> toggle.
+            return (o && typeof o === 'object' && !Array.isArray(o)) ? o : {};
         } catch (e) { return {}; }
     }
 
@@ -1399,7 +1421,7 @@
         // Remaining keys (e.g. "validated" — boolean set by gina.js form validator)
         for (var k = 0; k < keys.length; k++) {
             if (sectionOrder.indexOf(keys[k]) >= 0) continue;
-            h += '<h3 class="bm-sub-section-title">' + keys[k] + '</h3>';
+            h += '<h3 class="bm-sub-section-title">' + escHtml(keys[k]) + '</h3>';
             h += renderTree(fd[keys[k]], 0, null, null, ginaFd ? ginaFd[keys[k]] : undefined);
         }
         return h;
@@ -1872,6 +1894,40 @@
         return (bytes / (1024 * 1024)).toFixed(1) + ' MB';
     }
 
+    /**
+     * Resolve the base URL prefix for a per-bundle `/_gina/*` endpoint.
+     *
+     * Three-fallback resolver (the same logic `toggleReveal()` uses): (1) a
+     * `?target=` query param (standalone mode), (2) the opener's pathname
+     * (statusbar-opened mode — routes to the bundle that rendered the current
+     * page), (3) the Inspector's own pathname with `_gina/inspector...` stripped.
+     * Critical in proxy-routed multi-bundle setups where bundles share a host and
+     * differ only by a path prefix: a bare `/_gina/logs` or `/_gina/indexes` would
+     * otherwise hit the proxy's default bundle instead of the monitored one.
+     *
+     * Used by every per-bundle `/_gina/*` consumer: `fetchLiveIndexes()`,
+     * `tryServerLogs()`, `toggleReveal()`, `tryAgentPassive()`, and the
+     * refresh-button re-reveal all resolve their base through this one helper
+     * (pinned by inspector.test.js §54/§55/§56/§79). For `tryAgentPassive()`
+     * the `?target=` branch is inert — it only runs when no `?target=` exists.
+     *
+     * @inner
+     * @returns {string} Base URL prefix (no trailing slash), or '' for host root.
+     */
+    function resolveBundleBase() {
+        try {
+            var params = new URLSearchParams(window.location.search);
+            var target = (params.get('target') || '').replace(/\/+$/, '');
+            if (target) {
+                return target;
+            }
+            if (window.opener && window.opener.location) {
+                return (window.opener.location.pathname || '').replace(/\/+$/, '');
+            }
+        } catch (e) {}
+        return window.location.pathname.replace(/\/_gina\/inspector.*$/, '').replace(/\/+$/, '');
+    }
+
     /**
      * #QI2 — Fetch live index data from the /_gina/indexes endpoint.
      * Called when the Query tab renders queries with N/A index badges.
@@ -1882,7 +1938,10 @@
     function fetchLiveIndexes() {
         if (_liveIndexes !== null || _liveIndexesFetching) return;
         _liveIndexesFetching = true;
-        var base = window.location.pathname.replace(/\/_gina\/inspector.*$/, '');
+        // Route through the shared 3-fallback resolver so /_gina/indexes reaches
+        // the monitored bundle in proxy-routed multi-bundle setups (was a bare
+        // pathname strip that misrouted to the proxy's default bundle).
+        var base = resolveBundleBase();
         var url  = base + '/_gina/indexes';
         try {
             var xhr = new XMLHttpRequest();
@@ -3062,20 +3121,7 @@
         //      one that produced the snapshot.
         //   3. Fallback — strip `_gina/inspector` from the Inspector's own
         //      pathname (same approach as tryServerLogs).
-        var base = '';
-        try {
-            var params = new URLSearchParams(window.location.search);
-            var target = (params.get('target') || '').replace(/\/+$/, '');
-            if (target) {
-                base = target;
-            } else if (window.opener && window.opener.location) {
-                base = (window.opener.location.pathname || '').replace(/\/+$/, '');
-            } else {
-                base = window.location.pathname.replace(/\/_gina\/inspector.*$/, '').replace(/\/+$/, '');
-            }
-        } catch (e) {
-            base = window.location.pathname.replace(/\/_gina\/inspector.*$/, '').replace(/\/+$/, '');
-        }
+        var base = resolveBundleBase();
         var url = base + '/_gina/reveal';
         var xhr  = new XMLHttpRequest();
         try {
@@ -3202,6 +3248,41 @@
         } catch (e) { return false; }
     }
 
+    /**
+     * Bind the Inspector to the opener tab's per-tab BroadcastChannel (#INS).
+     *
+     * Used in "bound mode" — when the statusbar opened the Inspector with a
+     * `?ch=<tabId>` param. The statusbar (running in the opener tab) publishes
+     * that tab's CURRENT `__ginaData` on `gina-inspector-<tabId>` on every page
+     * render and every `ginaToolbar.update()` (in-tab XHR / pushState), so the
+     * data is scoped to exactly that tab and follows its navigation — unaffected
+     * by other tabs' or background-XHR renders that clobber the bundle-global
+     * localStorage / `/_gina/agent` SSE channels COOP forces the Inspector onto
+     * when it severs `window.opener`.
+     *
+     * Sets `source = 'broadcast'` (pollData then reads {@link _bcLatest}). Posts
+     * a `{type:'request'}` on connect so the opener replies with its current
+     * payload (BroadcastChannel does not replay past messages).
+     *
+     * @inner
+     * @param   {string}  ch  The opener tab id from the `?ch=` param.
+     * @returns {boolean} `true` when the channel was established.
+     */
+    function setupBoundChannel(ch) {
+        if (!ch || typeof BroadcastChannel === 'undefined') return false;
+        try {
+            _boundChannel = new BroadcastChannel('gina-inspector-' + ch);
+        } catch (e) { _boundChannel = null; return false; }
+        source = 'broadcast';
+        _boundChannel.onmessage = function (ev) {
+            if (!ev || !ev.data || ev.data.type !== 'data' || !ev.data.payload) return;
+            _bcLatest = ev.data.payload;
+            pollData();   // immediate apply; the poll timer is the fallback
+        };
+        try { _boundChannel.postMessage({ type: 'request' }); } catch (e) {}
+        return true;
+    }
+
     // ── Settings — environment info + memory gauge ────────────────────────
 
     /**
@@ -3335,6 +3416,14 @@
                     if (tab !== 'logs') renderTab(tab);
                 }
                 return;
+            } else if (source === 'broadcast') {
+                // Bound mode (#INS) — data is pushed over the per-tab
+                // BroadcastChannel into _bcLatest (the channel handler calls
+                // pollData() for an immediate apply; this timer re-read is the
+                // fallback). Scoped to the opener tab, so other tabs' renders
+                // never appear here.
+                gd = _bcLatest;
+                if (!gd) return;
             } else if (source === 'localStorage') {
                 var raw = localStorage.getItem('__ginaData');
                 if (!raw) return;
@@ -3400,7 +3489,7 @@
             hideLoader();
         } catch (e) {
             hideLoader();
-            if (source !== 'localStorage') source = null;
+            if (source !== 'localStorage' && source !== 'broadcast') source = null;
             qs('#bm-dot').className = 'bm-dot err';
         }
     }
@@ -3768,9 +3857,10 @@
     function tryServerLogs() {
         if (typeof EventSource === 'undefined') return;
 
-        // Derive the SSE URL from the inspector path:
-        //   /{webroot}/_gina/inspector/  →  /{webroot}/_gina/logs
-        var base = window.location.pathname.replace(/\/_gina\/inspector.*$/, '');
+        // Derive the SSE URL via the shared 3-fallback resolver so /_gina/logs
+        // reaches the monitored bundle in proxy-routed multi-bundle setups (was a
+        // bare pathname strip that misrouted to the proxy's default bundle).
+        var base = resolveBundleBase();
         var url  = base + '/_gina/logs';
 
         try {
@@ -4056,20 +4146,11 @@
         // Agent mode already covers data + logs via the primary tryAgent stream.
         if (source === 'agent') return false;
 
-        // Derive the bundle URL the same way toggleReveal() does: prefer the
-        // opener's pathname so multi-bundle proxy setups route to the bundle
-        // that rendered the current page, falling back to stripping the
-        // inspector path.
-        var base = '';
-        try {
-            if (window.opener && window.opener.location) {
-                base = (window.opener.location.pathname || '').replace(/\/+$/, '');
-            } else {
-                base = window.location.pathname.replace(/\/_gina\/inspector.*$/, '').replace(/\/+$/, '');
-            }
-        } catch (e) {
-            base = window.location.pathname.replace(/\/_gina\/inspector.*$/, '').replace(/\/+$/, '');
-        }
+        // Resolve the bundle base via resolveBundleBase() (the one resolver
+        // every /_gina/* consumer uses). Its ?target= branch is inert here:
+        // tryAgentPassive only runs when source !== 'agent' (i.e. no ?target=),
+        // so this falls through to the opener-pathname fallback as before.
+        var base = resolveBundleBase();
         var url = base + '/_gina/agent';
 
         try {
@@ -5026,20 +5107,7 @@
                 fetchLiveIndexes();
 
                 if (_revealActive) {
-                    var base = '';
-                    try {
-                        var params = new URLSearchParams(window.location.search);
-                        var target = (params.get('target') || '').replace(/\/+$/, '');
-                        if (target) {
-                            base = target;
-                        } else if (window.opener && window.opener.location) {
-                            base = (window.opener.location.pathname || '').replace(/\/+$/, '');
-                        } else {
-                            base = window.location.pathname.replace(/\/_gina\/inspector.*$/, '').replace(/\/+$/, '');
-                        }
-                    } catch (e) {
-                        base = window.location.pathname.replace(/\/_gina\/inspector.*$/, '').replace(/\/+$/, '');
-                    }
+                    var base = resolveBundleBase();
                     try {
                         var xhr = new XMLHttpRequest();
                         xhr.open('GET', base + '/_gina/reveal', true);
@@ -5096,59 +5164,71 @@
         var isAgent = tryAgent();
 
         if (!isAgent) {
-            var ok = tryOpener() || tryLocalStorage();
-            if (!ok) {
-                hideLoader();
-                qs('#bm-no-source').classList.remove('hidden');
-                qs('#bm-dot').className = 'bm-dot err';
-                qs('#bm-label').textContent = 'No source';
-            }
+            // Bound mode (#INS) — the statusbar opened us with ?ch=<tabId>. Bind
+            // to that tab's per-tab BroadcastChannel so the data tabs track THIS
+            // tab only (immune to other tabs'/XHR renders that clobber the
+            // bundle-global localStorage + SSE channels COOP forces us onto when
+            // it severs window.opener). Server logs still arrive via the SSE.
+            var _boundCh = (typeof URLSearchParams !== 'undefined')
+                ? new URLSearchParams(window.location.search).get('ch') : null;
+            if (setupBoundChannel(_boundCh)) {
+                qs('#bm-no-source').classList.add('hidden');
+                tryServerLogs();   // server logs only; data via the bound channel
+            } else {
+                var ok = tryOpener() || tryLocalStorage();
+                if (!ok) {
+                    hideLoader();
+                    qs('#bm-no-source').classList.remove('hidden');
+                    qs('#bm-dot').className = 'bm-dot err';
+                    qs('#bm-label').textContent = 'No source';
+                }
 
-            /**
-             * Manual connect form on the "No source" overlay.
-             *
-             * When the Inspector opens without a `?target=` param and without
-             * `window.opener`, a form is shown allowing the user to type a
-             * bundle URL.  On submit the page reloads with `?target=<url>`,
-             * which activates `tryAgent()` and connects via SSE.
-             *
-             * The handler auto-prefixes `http://` when no scheme is provided
-             * and strips trailing slashes before encoding the target.
-             *
-             * @inner
-             */
-            var connectForm = qs('#bm-connect-form');
-            if (connectForm) {
-                connectForm.addEventListener('submit', function (ev) {
-                    ev.preventDefault();
-                    var urlInput = qs('#bm-connect-url');
-                    var raw = (urlInput.value || '').trim();
-                    if (!raw) return;
-                    // Normalise: add scheme if missing, strip trailing slash
-                    if (!/^https?:\/\//i.test(raw)) raw = 'http://' + raw;
-                    raw = raw.replace(/\/+$/, '');
-                    // Navigate with ?target= to activate agent mode
-                    var loc = window.location.pathname + '?target=' + encodeURIComponent(raw);
-                    // #INS9b — append the optional inspector key (?key=) for an
-                    // auth-gated agent endpoint. Kept in the URL only (ephemeral);
-                    // never persisted to localStorage.
-                    var keyInput = qs('#bm-connect-key');
-                    var keyRaw = keyInput ? (keyInput.value || '').trim() : '';
-                    if (keyRaw) {
-                        loc += '&key=' + encodeURIComponent(keyRaw);
-                    }
-                    window.location.href = loc;
-                });
-            }
+                /**
+                 * Manual connect form on the "No source" overlay.
+                 *
+                 * When the Inspector opens without a `?target=` param and without
+                 * `window.opener`, a form is shown allowing the user to type a
+                 * bundle URL.  On submit the page reloads with `?target=<url>`,
+                 * which activates `tryAgent()` and connects via SSE.
+                 *
+                 * The handler auto-prefixes `http://` when no scheme is provided
+                 * and strips trailing slashes before encoding the target.
+                 *
+                 * @inner
+                 */
+                var connectForm = qs('#bm-connect-form');
+                if (connectForm) {
+                    connectForm.addEventListener('submit', function (ev) {
+                        ev.preventDefault();
+                        var urlInput = qs('#bm-connect-url');
+                        var raw = (urlInput.value || '').trim();
+                        if (!raw) return;
+                        // Normalise: add scheme if missing, strip trailing slash
+                        if (!/^https?:\/\//i.test(raw)) raw = 'http://' + raw;
+                        raw = raw.replace(/\/+$/, '');
+                        // Navigate with ?target= to activate agent mode
+                        var loc = window.location.pathname + '?target=' + encodeURIComponent(raw);
+                        // #INS9b — append the optional inspector key (?key=) for an
+                        // auth-gated agent endpoint. Kept in the URL only (ephemeral);
+                        // never persisted to localStorage.
+                        var keyInput = qs('#bm-connect-key');
+                        var keyRaw = keyInput ? (keyInput.value || '').trim() : '';
+                        if (keyRaw) {
+                            loc += '&key=' + encodeURIComponent(keyRaw);
+                        }
+                        window.location.href = loc;
+                    });
+                }
 
-            tryEngineIO();
-            // Subscribe to /_gina/agent in parallel with opener polling. Opener
-            // polling alone misses SPA (pushState) and XHR renders because
-            // those paths never rewrite window.__ginaData. The passive agent
-            // stream delivers pushed data + log frames from those renders.
-            // It also supersedes tryServerLogs() (same `event: log` frames).
-            var _passiveAgentActive = tryAgentPassive();
-            if (!_passiveAgentActive) tryServerLogs();
+                tryEngineIO();
+                // Subscribe to /_gina/agent in parallel with opener polling. Opener
+                // polling alone misses SPA (pushState) and XHR renders because
+                // those paths never rewrite window.__ginaData. The passive agent
+                // stream delivers pushed data + log frames from those renders.
+                // It also supersedes tryServerLogs() (same `event: log` frames).
+                var _passiveAgentActive = tryAgentPassive();
+                if (!_passiveAgentActive) tryServerLogs();
+            }
         }
 
         // ── Persist window geometry on resize/move ──────────────────────────