gina 0.5.3 → 0.5.4

package/framework/{v0.5.3 → v0.5.4}/core/controller/controller.js

@@ -4023,6 +4023,20 @@ if ( /^local$/i.test(process.env.NODE_SCOPE) ) {
         let httpStatus  = null; // captured from the HTTP/2 HEADERS frame (:status pseudo-header)
         const chunks    = []; // collect Buffer chunks — avoids peak-memory doubling from string concat
 
+        // #B52 — release the settled outbound stream so the cached HTTP/2 session stops
+        // retaining it (and, through the per-request controller it captures, the large
+        // per-request `options.conf` clone made in router.js). Idempotent; invoked at every
+        // NON-retry terminal below (retry paths client.destroy() the session, which tears the
+        // old stream down). Never throws — cleanup must not break the response path.
+        var _finalized = false;
+        var _finalizeStream = function _finalizeStream() {
+            if (_finalized) { return; }
+            _finalized = true;
+            try { req.setTimeout(0); } catch (e) {}
+            try { req.removeAllListeners(); } catch (e) {}
+            try { if (!req.closed && !req.destroyed) { req.close(); } } catch (e) {}
+        };
+
         // Capture the HTTP/2 response status code from the HEADERS frame.
         // Without this, the :status pseudo-header is never read and nginx-level errors
         // (e.g. 502 Bad Gateway) are indistinguishable from JSON parse failures.
@@ -4059,6 +4073,8 @@ if ( /^local$/i.test(process.env.NODE_SCOPE) ) {
             // All retries exhausted — surface the error (H4: typed GinaHttp2Error)
             var _timeoutMsg = '[HTTP2] No response from '+ options[':authority'] +' after '+ (_streamTimeout > 1000 ? (_streamTimeout / 1000) + 's' : _streamTimeout + 'ms') +' (exhausted '+ HTTP2_MAX_RETRIES +' retries)';
             var _timeoutErr = new GinaHttp2Error(_timeoutMsg, { code: 'TIMEOUT', retryable: false, status: 503, retryCount: retryCount });
+            // #B52 — release the settled stream (covers both the swallow-return and the callback below)
+            _finalizeStream();
             // H3: if non-critical, swallow and return
             if (_swallowIfNonCritical(_timeoutErr)) return;
             if (typeof callback === 'function') {
@@ -4143,6 +4159,8 @@ if ( /^local$/i.test(process.env.NODE_SCOPE) ) {
             _ginaErr.cause = error; // preserve original Node error (stack, syscall, etc.)
             if (isConnError && error.accessPoint) { _ginaErr.accessPoint = error.accessPoint; }
 
+            // #B52 — release the settled stream (covers both the swallow-return and the callback below)
+            _finalizeStream();
             // H3: if non-critical, swallow and return
             if (_swallowIfNonCritical(_ginaErr)) return;
             if (typeof callback !== 'undefined') {
@@ -4188,6 +4206,8 @@ if ( /^local$/i.test(process.env.NODE_SCOPE) ) {
                 status     : 503,
                 retryCount : retryCount
             });
+            // #B52 — release the settled stream (covers both the swallow-return and the callback below)
+            _finalizeStream();
             // H3: if non-critical, swallow and return
             if (_swallowIfNonCritical(prematureCloseErr)) return;
             if (typeof callback !== 'undefined') {
@@ -4247,6 +4267,8 @@ if ( /^local$/i.test(process.env.NODE_SCOPE) ) {
                     status     : 502,
                     retryCount : retryCount
                 });
+                // #B52 — release the settled stream (covers both the swallow-return and the callback below)
+                _finalizeStream();
                 // H3: if non-critical, swallow and return
                 if (_swallowIfNonCritical(_badGatewayErr)) return;
                 if (typeof callback !== 'undefined') {
@@ -4257,6 +4279,10 @@ if ( /^local$/i.test(process.env.NODE_SCOPE) ) {
                 return;
             }
 
+            // #B52 — release the settled stream before the remaining onEnd terminals
+            // (ALPN-mismatch, 5xx callback, throwError, success callback, EventEmitter-mode)
+            _finalizeStream();
+
             // 3. Exception filter for ALPN or protocol mismatches
             if (typeof data === 'string' && /^Unknown ALPN Protocol/.test(data)) {
                 const err = { status: 500, error: new Error(data) };

package/framework/{v0.5.3 → v0.5.4}/core/controller/controller.render-swig.js

@@ -12,10 +12,11 @@ var emitInspectorWindowData = require('./inspector-window-emit');
 // Precompiled regex — avoids per-request RegExp allocation (#P3)
 var blacklistRe       = /[<>]/g;
 
-// Inherited from controller
-var self                = null
-    , local             = null
-    , getData           = null
+// Inherited from controller.
+// #INS10 race fix: `self` / `local` are NOT declared module-scoped — they are
+// captured FUNCTION-scoped inside render() (see the deps unpack) so concurrent
+// renders never share them. The refs below stay module-scoped (read pre-await).
+var getData             = null
     , hasViews          = null
     , setResources      = null
     // Default filters
@@ -160,9 +161,16 @@ async function writeCache(bundle, opt, htmlContent, req, res) {
  */
 module.exports = async function render(userData, displayInspector, errOptions, deps) {
 
-    // Inherited from controller
-    self            = deps.self;
-    local           = deps.local;
+    // Inherited from controller.
+    // #INS10 race fix — `self` / `local` are FUNCTION-scoped (`var`), not module-
+    // scoped: render() is async, so a render suspended at an await must not have
+    // its `self` / `local` overwritten by a concurrent render — otherwise the
+    // post-await Inspector emit (prod-window egress + dev `inspector#data`) would
+    // carry the other request's `_queryLog` / `_timeline`. Mirrors render-nunjucks.js.
+    // (getData / hasViews / SwigFilters / headersSent stay module-scoped: read
+    //  before the first await, so they are not the documented race vector.)
+    var self            = deps.self;
+    var local           = deps.local;
     getData         = deps.getData;
     hasViews        = deps.hasViews;
     setResources    = deps.setResources;

package/framework/{v0.5.3 → v0.5.4}/core/plugins/lib/validator/src/form-validator.js

@@ -1504,8 +1504,23 @@ function FormValidatorUtil(data, $fields, xhrOptions, fieldsSet) {
             }
 
             // test if val is strictly a float
-            if ( Number(val) === val && val % 1 !== 0 ) {
-                this.value = local.data[this.name] = Number(val);
+            // #B46 (2026-06-15) — accept STRING floats, not only real JS numbers.
+            // The old gate `Number(val) === val` is true only for a real number,
+            // so a string "1.5" (browser .value and urlencoded bodies are ALWAYS
+            // strings) was rejected server-side. Coerce to Number first, then
+            // require a finite value with a fractional part. Whole numbers ("2", 2)
+            // still fail (no fractional part), preserving isFloat's contract that
+            // an integer is not a float.
+            // was:
+            // if ( Number(val) === val && val % 1 !== 0 ) {
+            //     this.value = local.data[this.name] = Number(val);
+            //     isValid = true
+            // } else {
+            //     isValid = false
+            // }
+            var floatVal = Number(val);
+            if ( Number.isFinite(floatVal) && floatVal % 1 !== 0 ) {
+                this.value = local.data[this.name] = floatVal;
                 isValid = true
             } else {
                 isValid = false
@@ -1686,7 +1701,7 @@ function FormValidatorUtil(data, $fields, xhrOptions, fieldsSet) {
          *
          * @param {string|boolean} [mask] - by default "yyyy-mm-dd"
          *
-         * @returns {date} date - extended by gina::lib::helpers::dateFormat; an adaptation of Steven Levithan's code
+         * @returns {object} field object (chainable). The parsed Date is preserved on the field's `.value` and rendered via the field's own `.format()` method (DateFormatHelper — an adaptation of Steven Levithan's code).
          * */
         self[el]['isDate'] = function(mask) {
             var val         = this.value
@@ -1727,22 +1742,60 @@ function FormValidatorUtil(data, $fields, xhrOptions, fieldsSet) {
                     throw new Error('[FormValidator::isDate] Provided mask not allowed: `'+ mask +'`');
                 }
 
+                // #B47 (2026-06-15) — build the Date from explicit numeric
+                // components identified by the mask tokens (y*/m*/d*), then
+                // range-check via a round-trip. The old path rebuilt the string
+                // FROM THE MASK (keeping its separators) and handed it to
+                // `new Date(str)`, which parses a slash mask (e.g. "15/06/2023")
+                // as US MM/DD -> month 15 -> Invalid Date, so any non-ISO mask
+                // with day>12 (or non-US field order) was wrongly rejected. A
+                // naive `new Date(y, m-1, d)` is not enough either: JS rolls
+                // invalid components over (new Date(2023,12,45) is a valid date),
+                // so the round-trip check (constructed components must equal the
+                // inputs) is what still rejects e.g. 2023-13-45 and 2023-02-30.
+                // was:
+                // try {
+                //     val = val.match(/[^\/\- ]+/g);
+                //     var dic = {}, d, len;
+                //     for (d=0, len=m.length; d<len; ++d) { dic[m[d]] = val[d] }
+                //     var formatedDate = mask;
+                //     for (var v in dic) { formatedDate = formatedDate.replace(new RegExp(v, "g"), dic[v]) }
+                // } catch (err) { throw new Error('...Provided value not allowed...'); }
+                // date = this.value = local.data[this.name] = new Date(formatedDate);
+                var dic = {}, d, len, parts = null,
+                    yNum = NaN, moNum = NaN, dNum = NaN;
                 try {
-                    val = val.match(/[^\/\- ]+/g);
-                    var dic = {}, d, len;
-                    for (d=0, len=m.length; d<len; ++d) {
-                        dic[m[d]] = val[d]
-                    }
-                    var formatedDate = mask;
-                    for (var v in dic) {
-                        formatedDate = formatedDate.replace(new RegExp(v, "g"), dic[v])
+                    parts = val.match(/[^\/\- ]+/g);
+                    for (d = 0, len = m.length; d < len; ++d) {
+                        dic[m[d]] = parts[d];
                     }
                 } catch (err) {
                     throw new Error('[FormValidator::isDate] Provided value not allowed: `'+ val +'`' + err);
                 }
 
+                for (var tok in dic) {
+                    if ( /y/i.test(tok) )      { yNum  = parseInt(dic[tok], 10); }
+                    else if ( /m/i.test(tok) ) { moNum = parseInt(dic[tok], 10); }
+                    else if ( /d/i.test(tok) ) { dNum  = parseInt(dic[tok], 10); }
+                }
 
-                date = this.value = local.data[this.name] = new Date(formatedDate);
+                if (
+                    !Number.isFinite(yNum) || !Number.isFinite(moNum) || !Number.isFinite(dNum)
+                    || moNum < 1 || moNum > 12 || dNum < 1 || dNum > 31
+                ) {
+                    date = this.value = local.data[this.name] = new Date(NaN);
+                } else {
+                    date = new Date(yNum, moNum - 1, dNum);
+                    // reject rolled-over components (e.g. Feb 30 -> Mar 2)
+                    if (
+                        date.getFullYear() !== yNum
+                        || date.getMonth() !== (moNum - 1)
+                        || date.getDate() !== dNum
+                    ) {
+                        date = new Date(NaN);
+                    }
+                    this.value = local.data[this.name] = date;
+                }
 
                 if ( /Invalid Date/i.test(date) || date instanceof Date === false ) {
                     if ( !errors['isRequired'] && this.value == '' ) {
@@ -1762,7 +1815,14 @@ function FormValidatorUtil(data, $fields, xhrOptions, fieldsSet) {
 
             this.valid = isValid;
 
-            return date
+            // #B48 (2026-06-17) — return the field object (chainable), like
+            // every other rule, instead of the raw parsed Date. The Date is
+            // preserved on this.value (set above), so
+            // `field.isDate(mask).format('isoDateTime')` still renders it via
+            // the field's own `format` method; returning the Date here broke
+            // chaining into any validator rule (a Date has no .isX()).
+            // was: return date
+            return self[this.name]
         }
 
         /**

package/framework/{v0.5.3 → v0.5.4}/core/plugins/lib/validator/src/main.js

@@ -886,7 +886,12 @@ function ValidatorPlugin(rules, data, formId) {
 
                         $divs[d].parentElement.removeChild($divs[d]);
                         $err = document.createElement('div');
-                        $err.setAttribute('class', 'form-item-error-message');
+                        // #livecheck — a field being typed in (the active element) surfaces only the
+                        // soft form-item-warning border; its committed error message stays hidden until
+                        // blur. This "refresh" re-create runs AFTER refreshWarning in the live-check
+                        // global pass, so without this focus guard it re-shows the message mid-typing.
+                        // On blur (field no longer active) the message is created shown (focusout commits).
+                        $err.setAttribute('class', ( document.activeElement && document.activeElement.name == name ) ? 'form-item-error-message hidden' : 'form-item-error-message');
 
                         // #A11Y1 (slice 2) — preserve the aria-errormessage wire we own across refresh.
                         if ( _ginaOwnsErrMsg && _ariaErrId ) {

package/framework/{v0.5.3 → v0.5.4}/core/router.js

@@ -533,8 +533,21 @@ function Router(env, scope) {
         options = merge(JSON.clone(options), params);
         // options = merge(options, params);
 
-        // We want to keep original conf untouched
-        options.conf = JSON.clone(conf);
+        // We want to keep original conf untouched.
+        // #B52-residual: deep-cloning the WHOLE bundle conf on every matched request is a
+        // multi-MB per-request allocation (templates / server config / app assets / fonts) that
+        // accumulates under concurrency into a heap high-water-mark. Only conf.content.routing is
+        // mutated through this clone (the [rule].param write below) — every other subtree is
+        // read-only on the per-request path (setOptions reassigns conf.routing/reverseRouting/
+        // forms/locales/locale wholesale, which the shallow top-level copy already isolates; and
+        // plugins/connectors/model read config via their own getConfig clone or the global
+        // singleton, never through this object). So shallow-copy the top level + conf.content and
+        // deep-clone only conf.content.routing; the large immutable remainder is shared by
+        // reference at no per-request heap cost.
+        // options.conf = JSON.clone(conf); // pre-#B52-residual: whole-conf deep clone per request
+        options.conf = Object.assign({}, conf);
+        options.conf.content = Object.assign({}, conf.content);
+        options.conf.content.routing = JSON.clone(conf.content.routing);
         // inheriting from _common
         if (
             options.template

package/framework/{v0.5.3 → v0.5.4}/core/server.isaac.js

@@ -42,42 +42,6 @@ const env               = process.env.NODE_ENV
     , isProductionScope = process.env.NODE_SCOPE_IS_PRODUCTION && process.env.NODE_SCOPE_IS_PRODUCTION.toLowerCase() === 'true'
 ;
 
-/**
- * IP-allowlist check for admin-grade /_gina/* endpoints (/_gina/info,
- * /_gina/cache/stats). #S7.
- *
- * Reads the allowlist from `process.gina._adminAllowList`, which `gna.js`
- * populates at bundle init from `app.json` `admin.allowFrom` (defaults to
- * loopback `['127.0.0.1', '::1']`). Same shape as `lib.metrics.isClientAllowed`
- * but on a separate axis — admin endpoints expose process state (memory,
- * uptime, HTTP/2 session counters, cache contents) and are gated separately
- * from Prometheus scrapes.
- *
- * Reads the client IP from `req.socket.remoteAddress` only — never trusts
- * `X-Forwarded-For` because reverse proxies could spoof it. Normalises
- * `::ffff:IPv4` (IPv6-mapped IPv4) → `IPv4` so listing `127.0.0.1` matches
- * both forms.
- *
- * Empty allowlist (`[]`) denies everyone — explicit lockdown choice.
- * Missing `process.gina._adminAllowList` (init not yet fired) falls back
- * to loopback-only, the safest default.
- *
- * @inner
- * @param {http.IncomingMessage|http2.Http2ServerRequest} req
- * @returns {boolean} true if client IP is allowed, false otherwise
- */
-function isAdminClientAllowed(req) {
-    var list = (typeof process.gina === 'object' && process.gina && Array.isArray(process.gina._adminAllowList))
-        ? process.gina._adminAllowList
-        : ['127.0.0.1', '::1'];
-    if (list.length === 0) return false;
-    var ip = (req.socket && req.socket.remoteAddress)
-          || (req.connection && req.connection.remoteAddress)
-          || '';
-    if (ip.indexOf('::ffff:') === 0) ip = ip.slice(7);
-    return list.indexOf(ip) >= 0;
-}
-
 /**
  * Constant-time API-key check for the /_gina/agent SSE endpoint when it is
  * exposed outside dev mode (#INS9b). The configured key lives on
@@ -1007,7 +971,7 @@ function ServerEngineClass(options) {
 
                 // #S7 — IP allowlist gate. Mirrors the metrics endpoint
                 // gate at L605-621. 403 on deny.
-                if ( !isAdminClientAllowed(request) ) {
+                if ( !lib.admin.isClientAllowed(request) ) {
                     var infoForbiddenBody    = JSON.stringify({ error: 'forbidden', message: '/_gina/info: client IP not in app.json admin.allowFrom' });
                     var infoForbiddenHeaders = _setPoweredByHeader({
                         'cache-control': 'no-cache, no-store, must-revalidate',
@@ -1067,7 +1031,7 @@ function ServerEngineClass(options) {
             if ( request.method.toUpperCase() === 'GET' && /\/_gina\/cache\/stats$/i.test(request.url) ) {
 
                 // #S7 — IP allowlist gate. Same shape as the /_gina/info gate above.
-                if ( !isAdminClientAllowed(request) ) {
+                if ( !lib.admin.isClientAllowed(request) ) {
                     var cacheStatsForbiddenBody    = JSON.stringify({ error: 'forbidden', message: '/_gina/cache/stats: client IP not in app.json admin.allowFrom' });
                     var cacheStatsForbiddenHeaders = _setPoweredByHeader({
                         'cache-control': 'no-cache, no-store, must-revalidate',

package/framework/{v0.5.3 → v0.5.4}/core/server.js

@@ -2910,6 +2910,64 @@ function Server(options) {
                 });
             }
 
+            // ── /_gina/info — process/runtime state (always-on, admin-gated) ─────────
+            // (#S7) Engine-agnostic mirror of the Isaac handler. GET only. The IP
+            // allowlist comes from app.json `admin.allowFrom` (default loopback) via
+            // process.gina._adminAllowList; 403 JSON on deny. The `http2` block is
+            // Isaac-only (the Express engine has no HTTP/2 session metrics —
+            // _h2Metrics is undefined here), so it degrades to omitted under Express.
+            if (
+                request.method.toUpperCase() === 'GET'
+                && /\/_gina\/info$/i.test(request.url)
+            ) {
+                response.setHeader('content-type',  'application/json; charset=utf8');
+                response.setHeader('cache-control', 'no-cache, no-store, must-revalidate');
+                response.setHeader('pragma',  'no-cache');
+                response.setHeader('expires', '0');
+                if ( !lib.admin.isClientAllowed(request) ) {
+                    response.statusCode = 403;
+                    return response.end(JSON.stringify({ error: 'forbidden', message: '/_gina/info: client IP not in app.json admin.allowFrom' }));
+                }
+                var infoPayload = {
+                    "cache-is-enabled": self.instance._cacheIsEnabled,
+                    "memory"  : process.memoryUsage(),
+                    "uptime"  : process.uptime(),
+                    "version" : process.version
+                };
+                if (self.instance._h2Metrics) {
+                    infoPayload["http2"] = {
+                        activeSessions    : self.instance._h2Metrics.activeSessions,
+                        totalStreams      : self.instance._h2Metrics.totalStreams,
+                        goawayCount       : self.instance._h2Metrics.goawayCount,
+                        rstCount          : self.instance._h2Metrics.rstCount,
+                        rapidResetBlocked : self.instance._h2Metrics.rapidResetBlocked,
+                        extendedConnect   : self.instance._h2Metrics.extendedConnect
+                    };
+                }
+                return response.end(JSON.stringify(infoPayload));
+            }
+
+            // ── /_gina/cache/stats — cache statistics (always-on, admin-gated) ───────
+            // (#S7) Engine-agnostic mirror of the Isaac handler. GET only. Same admin
+            // IP allowlist as /_gina/info. Builds a Cache view over the shared
+            // self.instance._cached Map and returns its stats(); 403 JSON on deny.
+            if (
+                request.method.toUpperCase() === 'GET'
+                && /\/_gina\/cache\/stats$/i.test(request.url)
+            ) {
+                response.setHeader('content-type',  'application/json; charset=utf8');
+                response.setHeader('cache-control', 'no-cache, no-store, must-revalidate');
+                response.setHeader('pragma',  'no-cache');
+                response.setHeader('expires', '0');
+                if ( !lib.admin.isClientAllowed(request) ) {
+                    response.statusCode = 403;
+                    return response.end(JSON.stringify({ error: 'forbidden', message: '/_gina/cache/stats: client IP not in app.json admin.allowFrom' }));
+                }
+                var _cacheStatsView = new lib.Cache();
+                _cacheStatsView.from(self.instance._cached);
+                return response.end(JSON.stringify(_cacheStatsView.stats()));
+            }
+
             // ── /_gina/jobs/:id — async-job status (always-on, state-only) ──────────
             // (#AI6 slice 3) Engine-agnostic mirror of the Isaac handler. GET only.
             // Returns lib.job.toStatusView (id + state + timestamps) — never the
@@ -3386,8 +3444,36 @@ function Server(options) {
                     // -> https://github.com/mscdex/busboy
                     var opt = self.conf[self.appName][self.env].content.settings.upload;
                     // checking size
-                    var maxSize     = parseInt(opt.maxFieldsSize);
-                    var fileSize    = request.headers["content-length"]/1024/1024; //MB
+                    // #B51 (2026-06-16) — parse the maxFieldsSize unit suffix into bytes.
+                    // was: var maxSize  = parseInt(opt.maxFieldsSize);
+                    //      var fileSize = request.headers["content-length"]/1024/1024; //MB
+                    // parseInt("512K") => 512, compared against content-length/1024/1024 (MB), so
+                    // "512K" silently meant 512 MB. parseSize reads B/KB/MB/GB (case-insensitive)
+                    // into bytes; a BARE number is treated as MB for back-compat (the shipped "2MB"
+                    // => 2*1024*1024, unchanged). content-length is then compared in bytes directly.
+                    var parseSize = function(value) {
+                        if ( typeof(value) == 'number' ) { return value * 1024 * 1024; } // bare number = MB
+                        if ( typeof(value) != 'string' ) { return NaN; }
+                        var m = value.trim().match(/^([0-9]*\.?[0-9]+)\s*(b|kb|k|mb|m|gb|g)?$/i);
+                        if ( !m ) { return NaN; }
+                        var n = parseFloat(m[1]);
+                        switch ( (m[2] || 'mb').toLowerCase() ) {
+                            case 'b':
+                                return n;
+                            case 'k':
+                            case 'kb':
+                                return n * 1024;
+                            case 'g':
+                            case 'gb':
+                                return n * 1024 * 1024 * 1024;
+                            case 'm':
+                            case 'mb':
+                            default:
+                                return n * 1024 * 1024;
+                        }
+                    };
+                    var maxSize     = parseSize(opt.maxFieldsSize);                     // bytes
+                    var fileSize    = parseInt(request.headers["content-length"], 10);  // bytes
                     var hasAutoTmpCleanupTimeout = (
                         typeof(opt.autoTmpCleanupTimeout) != 'undefined'
                         &&  opt.autoTmpCleanupTimeout != ''
@@ -3396,11 +3482,23 @@ function Server(options) {
                     ) ? true : false;
                     var autoTmpCleanupTimeout = (!hasAutoTmpCleanupTimeout) ? null : parseTimeout(opt.autoTmpCleanupTimeout);
 
-                    if (fileSize > maxSize) {
+                    // #B51 — guard on maxSize so an unset / 0 / invalid maxFieldsSize disables the
+                    // cap (was: `fileSize > maxSize` with maxSize=NaN naturally skipped; maxSize=0
+                    // would have rejected everything — 0 now means "no limit", as for maxFields).
+                    if (maxSize && fileSize > maxSize) {
                         return throwError(response, 431, 'Attachment exceeded maximum file size [ '+ opt.maxFieldsSize +' ]');
                     }
 
-                    var uploadDir = opt.uploadDir || os.tmpdir();
+                    // #B49 (2026-06-16) — honour the configured upload directory.
+                    // was: var uploadDir = opt.uploadDir || os.tmpdir();
+                    // The old line read only `opt.uploadDir`, a key the shipped settings.json
+                    // never sets (it defines `upload.tmpPath`, and nothing maps tmpPath→uploadDir),
+                    // so every upload fell back to os.tmpdir() and the documented `upload.tmpPath`
+                    // / per-group `path` keys were dead. `tmpPath` resolves to an absolute dir at
+                    // config-load (via whisper → <project>/tmp, created at boot), so prefer it;
+                    // `uploadDir` is kept first for back-compat (any operator who set it). A
+                    // per-group `path` overrides this global default at the write site below.
+                    var uploadDir = opt.uploadDir || opt.tmpPath || os.tmpdir();
 
                     /**
                      * str2ab
@@ -3504,43 +3602,108 @@ function Server(options) {
                         file._dataLen = 0;
                         ++fileCount;
 
-                        if (
-                            typeof(group) != 'undefined'
-                            && group != 'untagged'
-                            && typeof(opt.groups[group]) != 'undefined'
-                        ) {
-                            // allowed extensions
-                            if ( typeof(opt.groups[group].allowedExtensions) != 'undefined'
-                                && opt.groups[group].allowedExtensions != '*'
-                            ) {
-                                var ext     = opt.groups[group].allowedExtensions;
-                                var fileExt = filename.substring(filename.lastIndexOf('.')+1)
-                                if ( !Array.isArray(ext) ) {
-                                    ext = [ext]
-                                }
+                        // #B51 (2026-06-16) — enforce the global maxFields file-count cap. It was
+                        // declared in settings.json (default 1000) but read NOWHERE — the only count
+                        // limit was the binary per-group isMultipleAllowed, so an isMultipleAllowed:true
+                        // group (the shipped untagged default) accepted UNBOUNDED files. parseInt reads
+                        // the number or a string; an unset / 0 / NaN value disables the cap. Global only
+                        // (per-group maxFields is not wired, like per-group maxFieldsSize).
+                        var maxFields = parseInt(opt.maxFields, 10);
+                        if ( maxFields && fileCount > maxFields ) {
+                            throwError(response, 400, 'too many upload fields (max '+ maxFields +'). See the `upload.maxFields` definition in settings.json.');
+                            return false;
+                        }
 
-                                if ( ext.indexOf(fileExt) < 0 ) {
-                                    throwError(response, 400, '`'+ fileExt +'` is not an allowed extension. See `'+ group +'` upload group definition.');
-                                    return false;
-                                }
+                        // #B50 (2026-06-16) — every uploaded file must map to a CONFIGURED upload group.
+                        // The old gate (commented below) ran the ext + count checks ONLY for a group that was
+                        // defined, NOT `untagged`, AND present in opt.groups; every other case — no group,
+                        // `untagged`, or an unknown group name — streamed through UNCHECKED, so a client could
+                        // bypass a group's allow-list simply by tagging a file with any unconfigured group.
+                        // Now: a file with no group falls back to the default `untagged`; a group not declared
+                        // in settings.json `upload.groups` is rejected (400); and `untagged` is no longer
+                        // hardcode-exempt — it obeys its own allowedExtensions / isMultipleAllowed like any
+                        // other group (the shipped default is `*` + isMultipleAllowed:true, so single- and
+                        // multi-file untagged uploads are unaffected).
+                        //
+                        // if (
+                        //     typeof(group) != 'undefined'
+                        //     && group != 'untagged'
+                        //     && typeof(opt.groups[group]) != 'undefined'
+                        // ) {
+                        //     // allowed extensions
+                        //     if ( typeof(opt.groups[group].allowedExtensions) != 'undefined'
+                        //         && opt.groups[group].allowedExtensions != '*'
+                        //     ) {
+                        //         var ext     = opt.groups[group].allowedExtensions;
+                        //         var fileExt = filename.substring(filename.lastIndexOf('.')+1)
+                        //         if ( !Array.isArray(ext) ) { ext = [ext] }
+                        //         if ( ext.indexOf(fileExt) < 0 ) {
+                        //             throwError(response, 400, '`'+ fileExt +'` is not an allowed extension. See `'+ group +'` upload group definition.');
+                        //             return false;
+                        //         }
+                        //     }
+                        //     // multiple or single
+                        //     if ( typeof(opt.groups[group].isMultipleAllowed) != 'undefined'
+                        //         && !opt.groups[group].isMultipleAllowed
+                        //         && fileCount > 1
+                        //     ) {
+                        //         throwError(response, 400, 'multiple uploads not allowed. See `'+ group +'` upload group definition.');
+                        //         return false;
+                        //     }
+                        // }
+                        var fileGroup = ( typeof(group) != 'undefined' && group ) ? group : 'untagged';
+
+                        // deny an unconfigured upload group (was: silently streamed through)
+                        if ( typeof(opt.groups) == 'undefined' || typeof(opt.groups[fileGroup]) == 'undefined' ) {
+                            throwError(response, 400, '`'+ fileGroup +'` is not a configured upload group. See the `upload.groups` definition in settings.json.');
+                            return false;
+                        }
+
+                        // allowed extensions
+                        if ( typeof(opt.groups[fileGroup].allowedExtensions) != 'undefined'
+                            && opt.groups[fileGroup].allowedExtensions != '*'
+                        ) {
+                            var ext     = opt.groups[fileGroup].allowedExtensions;
+                            var fileExt = filename.substring(filename.lastIndexOf('.')+1)
+                            if ( !Array.isArray(ext) ) {
+                                ext = [ext]
                             }
 
-                            // multiple or single
-                            if ( typeof(opt.groups[group].isMultipleAllowed) != 'undefined'
-                                && !opt.groups[group].isMultipleAllowed
-                                && fileCount > 1
-                            ) {
-                                throwError(response, 400, 'multiple uploads not allowed. See `'+ group +'` upload group definition.');
+                            if ( ext.indexOf(fileExt) < 0 ) {
+                                throwError(response, 400, '`'+ fileExt +'` is not an allowed extension. See `'+ fileGroup +'` upload group definition.');
                                 return false;
                             }
                         }
 
+                        // multiple or single
+                        if ( typeof(opt.groups[fileGroup].isMultipleAllowed) != 'undefined'
+                            && !opt.groups[fileGroup].isMultipleAllowed
+                            && fileCount > 1
+                        ) {
+                            throwError(response, 400, 'multiple uploads not allowed. See `'+ fileGroup +'` upload group definition.');
+                            return false;
+                        }
+
 
                         // TODO - https://github.com/TooTallNate/node-wav
                         //file._mimetype = mimetype;
 
+                        // #B49 (2026-06-16) — per-group `path` overrides the global uploadDir;
+                        // fall back to the global dir when the group declares no path. The
+                        // configured defaults resolve to dirs that exist (os.tmpdir() always;
+                        // <project>/tmp is created at boot), but a CUSTOM dir may not exist yet —
+                        // and the writeStream 'error' handler is only attached later, in the
+                        // busboy 'finish' loop, so a missing dir would emit an unhandled ENOENT
+                        // here (during streaming) and crash the bundle. mkdir-if-missing guards it.
+                        var fileUploadDir = ( opt.groups[fileGroup] && opt.groups[fileGroup].path )
+                            ? opt.groups[fileGroup].path
+                            : uploadDir;
+                        if ( !fs.existsSync(fileUploadDir) ) {
+                            fs.mkdirSync(fileUploadDir, { recursive: true });
+                        }
+
                         // creating file
-                        writeStreams[index] = fs.createWriteStream( _(uploadDir + '/' + filename) );
+                        writeStreams[index] = fs.createWriteStream( _(fileUploadDir + '/' + filename) );
                         var liner = new require('stream').Transform({objectMode: true});
 
                         liner._transform = function (chunk, encoding, done) {
@@ -3567,7 +3730,9 @@ function Server(options) {
                             //fileObj = Buffer.from(str2ab(this._dataChunk));
                             //delete this._dataChunk;
 
-                            tmpFilename = _(uploadDir + '/' + filename);
+                            // #B49 — mirror the per-group / configured dir chosen at the write site
+                            // above (file.on('end') closes over the same per-file fileUploadDir).
+                            tmpFilename = _(fileUploadDir + '/' + filename);
 
                             request.files.push({
                                 name: fieldname,

package/framework/{v0.5.3 → v0.5.4}/core/template/conf/settings.json

@@ -83,7 +83,7 @@
       "untagged": {
         "path": "${tmpPath}",
         "allowedExtensions": "*", // or [ "jpg", "jpeg", "png", "svg" ]
-        "isMultipleAllowed": false
+        "isMultipleAllowed": true // #B50 — untagged is the permissive default (now enforced); set false to require single-file
         // optional sample
         // ,
         // "filePrefix": "$designId_",

package/framework/v0.5.4/lib/admin/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "gina-lib-admin",
+  "version": "1.0.0",
+  "description": "Admin /_gina/* IP-allowlist gate (isClientAllowed). Single source of truth for the /_gina/info and /_gina/cache/stats access check; previously duplicated byte-identical in server.js and server.isaac.js.",
+  "authors": [
+    {
+      "name": "Martin-Luther ETOUMAN",
+      "email": "contact@gina.io"
+    }
+  ],
+  "copyright": "Copyright (c) 2009-2026 Rhinostone <contact@gina.io>",
+  "engines": {
+    "node": ">=0.10.22"
+  },
+  "main": "src/main",
+  "license": "MIT"
+}