odac 1.3.0 → 1.4.1

package/src/Database.js

@@ -1,5 +1,5 @@
 'use strict'
-const knex = require('knex')
+const {buildConnections} = require('./Database/ConnectionFactory')
 
 class DatabaseManager {
   constructor() {
@@ -9,41 +9,9 @@ class DatabaseManager {
   async init() {
     if (!Odac.Config.database) return
 
-    let multiple = typeof Odac.Config.database[Object.keys(Odac.Config.database)[0]] === 'object'
-    let dbs = multiple ? Odac.Config.database : {default: Odac.Config.database}
-
-    for (let key of Object.keys(dbs)) {
-      let db = dbs[key]
-      let client = 'mysql2'
-      if (db.type === 'postgres' || db.type === 'pg' || db.type === 'postgresql') client = 'pg'
-      if (db.type === 'sqlite' || db.type === 'sqlite3') client = 'sqlite3'
-
-      let connectionConfig
-
-      if (client === 'sqlite3') {
-        connectionConfig = {
-          filename: db.filename || db.database || './dev.sqlite3'
-        }
-      } else {
-        connectionConfig = {
-          host: db.host || '127.0.0.1',
-          user: db.user,
-          password: db.password,
-          database: db.database,
-          port: db.port
-        }
-      }
-
-      this.connections[key] = knex({
-        client: client,
-        connection: connectionConfig,
-        pool: {
-          min: 0,
-          max: db.connectionLimit || 10
-        },
-        useNullAsDefault: true // For sqlite
-      })
+    this.connections = buildConnections(Odac.Config.database)
 
+    for (const key of Object.keys(this.connections)) {
       // Test connection
       try {
         await this.connections[key].raw('SELECT 1')
@@ -52,6 +20,38 @@ class DatabaseManager {
         console.error(e.message)
       }
     }
+
+    // Auto-migrate: sync schema/ files with the database on every startup.
+    // Why: Zero-config philosophy — deploy and forget. The app always starts with the correct DB state.
+    await this._autoMigrate()
+  }
+
+  /**
+   * Runs the schema-first migration engine against all active connections.
+   * CLUSTER SAFETY: Only runs on the primary process to prevent race conditions.
+   * Workers are forked AFTER Server.init(), which happens after Database.init(),
+   * so migrations are guaranteed to complete before any worker touches the DB.
+   * Silently skips if no schema/ directory exists (no-op for projects without migrations).
+   */
+  async _autoMigrate() {
+    const cluster = require('node:cluster')
+    if (!cluster.isPrimary) return
+
+    const fs = require('node:fs')
+    const path = require('node:path')
+    const schemaDir = path.join(global.__dir, 'schema')
+
+    if (!fs.existsSync(schemaDir)) return
+    if (Object.keys(this.connections).length === 0) return
+
+    const Migration = require('./Database/Migration')
+    Migration.init(global.__dir, this.connections)
+
+    try {
+      await Migration.migrate()
+    } catch (e) {
+      throw new Error(`Odac Migration Error: ${e.message}`, {cause: e})
+    }
   }
 
   nanoid(size = 21) {

package/src/Route/Internal.js

@@ -541,23 +541,13 @@ class Internal {
 
     if (Odac.formConfig.action) {
       const actionParts = Odac.formConfig.action.split('.')
-      if (actionParts.length === 2) {
+      if (actionParts.length >= 2) {
         const controllerName = actionParts[0]
-        const methodName = actionParts[1]
-
-        // Dynamically load controller
-        // We need to access Odac.Route.class to find the controller path/module
-        // Or use require directly if we know the path structure.
-        // Since we are in framework/src/Route/Internal.js, controllers are in framework/controller/ OR app/controller/
-        // Ideally Odac.Route.class has the loaded controllers.
 
         let controllerModule = null
 
         if (Odac.Route && Odac.Route.class && Odac.Route.class[controllerName]) {
           controllerModule = Odac.Route.class[controllerName].module
-        } else {
-          // Try to require it if not loaded (though Route.js should have loaded it)
-          // This fallback might be tricky with absolute paths, relying on Route.class is safer.
         }
 
         if (controllerModule) {
@@ -605,16 +595,29 @@ class Internal {
               }
             }
 
-            // Handle Class-based Controller
+            let method = controllerModule
+            let context = null
+            let isClass = false
+
             if (typeof controllerModule === 'function' && controllerModule.prototype) {
-              const instance = new controllerModule(Odac)
-              if (typeof instance[methodName] === 'function') {
-                return await instance[methodName](formHelper)
+              isClass = true
+              context = new controllerModule(Odac)
+              method = context
+            }
+
+            for (let i = 1; i < actionParts.length; i++) {
+              if (method) {
+                context = method
+                method = method[actionParts[i]]
               }
             }
-            // Handle Object-based Controller (Backwards Compatibility)
-            else if (typeof controllerModule[methodName] === 'function') {
-              return await controllerModule[methodName](Odac, formHelper)
+
+            if (typeof method === 'function') {
+              if (isClass) {
+                return await method.call(context, formHelper)
+              } else {
+                return await method.call(context, Odac, formHelper)
+              }
             }
           } catch (e) {
             console.error(e)

package/src/Route/MimeTypes.js

@@ -0,0 +1,56 @@
+module.exports = {
+  html: 'text/html',
+  css: 'text/css',
+  js: 'text/javascript',
+  json: 'application/json',
+  png: 'image/png',
+  jpg: 'image/jpg',
+  jpeg: 'image/jpeg',
+  svg: 'image/svg+xml',
+  ico: 'image/x-icon',
+  mp3: 'audio/mpeg',
+  mp4: 'video/mp4',
+  webm: 'video/webm',
+  woff: 'font/woff',
+  woff2: 'font/woff2',
+  ttf: 'font/ttf',
+  otf: 'font/otf',
+  eot: 'font/eot',
+  pdf: 'application/pdf',
+  zip: 'application/zip',
+  tar: 'application/x-tar',
+  gz: 'application/gzip',
+  rar: 'application/x-rar-compressed',
+  '7z': 'application/x-7z-compressed',
+  txt: 'text/plain',
+  log: 'text/plain',
+  csv: 'text/csv',
+  xml: 'text/xml',
+  rss: 'application/rss+xml',
+  atom: 'application/atom+xml',
+  yaml: 'application/x-yaml',
+  sh: 'application/x-sh',
+  bat: 'application/x-bat',
+  exe: 'application/x-exe',
+  bin: 'application/x-binary',
+  doc: 'application/msword',
+  docx: 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+  xls: 'application/vnd.ms-excel',
+  xlsx: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+  ppt: 'application/vnd.ms-powerpoint',
+  pptx: 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+  avi: 'video/x-msvideo',
+  wmv: 'video/x-ms-wmv',
+  flv: 'video/x-flv',
+  webp: 'image/webp',
+  gif: 'image/gif',
+  bmp: 'image/bmp',
+  tiff: 'image/tiff',
+  tif: 'image/tiff',
+  weba: 'audio/webm',
+  wav: 'audio/wav',
+  ogg: 'audio/ogg',
+  flac: 'audio/flac',
+  aac: 'audio/aac',
+  midi: 'audio/midi'
+}

package/src/Route.js

@@ -7,62 +7,7 @@ const MiddlewareChain = require('./Route/Middleware.js')
 const {WebSocketServer} = require('./WebSocket.js')
 
 var routes2 = {}
-const mime = {
-  html: 'text/html',
-  css: 'text/css',
-  js: 'text/javascript',
-  json: 'application/json',
-  png: 'image/png',
-  jpg: 'image/jpg',
-  jpeg: 'image/jpeg',
-  svg: 'image/svg+xml',
-  ico: 'image/x-icon',
-  mp3: 'audio/mpeg',
-  mp4: 'video/mp4',
-  webm: 'video/webm',
-  woff: 'font/woff',
-  woff2: 'font/woff2',
-  ttf: 'font/ttf',
-  otf: 'font/otf',
-  eot: 'font/eot',
-  pdf: 'application/pdf',
-  zip: 'application/zip',
-  tar: 'application/x-tar',
-  gz: 'application/gzip',
-  rar: 'application/x-rar-compressed',
-  '7z': 'application/x-7z-compressed',
-  txt: 'text/plain',
-  log: 'text/plain',
-  csv: 'text/csv',
-  xml: 'text/xml',
-  rss: 'application/rss+xml',
-  atom: 'application/atom+xml',
-  yaml: 'application/x-yaml',
-  sh: 'application/x-sh',
-  bat: 'application/x-bat',
-  exe: 'application/x-exe',
-  bin: 'application/x-binary',
-  doc: 'application/msword',
-  docx: 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
-  xls: 'application/vnd.ms-excel',
-  xlsx: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
-  ppt: 'application/vnd.ms-powerpoint',
-  pptx: 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
-  avi: 'video/x-msvideo',
-  wmv: 'video/x-ms-wmv',
-  flv: 'video/x-flv',
-  webp: 'image/webp',
-  gif: 'image/gif',
-  bmp: 'image/bmp',
-  tiff: 'image/tiff',
-  tif: 'image/tiff',
-  weba: 'audio/webm',
-  wav: 'audio/wav',
-  ogg: 'audio/ogg',
-  flac: 'audio/flac',
-  aac: 'audio/aac',
-  midi: 'audio/midi'
-}
+const mime = require('./Route/MimeTypes.js')
 
 class Route {
   loading = false
@@ -122,15 +67,37 @@ class Route {
     if (middlewareResult !== undefined) return middlewareResult
 
     if (controller.action) {
-      const ControllerClass = controller.cache
+      const ControllerModule = controller.cache
+      const actionParts = controller.action.split('.')
+
       try {
-        const instance = new ControllerClass(Odac)
-        if (typeof instance[controller.action] === 'function') {
-          return instance[controller.action](Odac)
+        const instance = new ControllerModule(Odac)
+        let method = instance
+        let context = instance
+
+        for (const segment of actionParts) {
+          if (method) {
+            context = method
+            method = method[segment]
+          }
+        }
+
+        if (typeof method === 'function') {
+          return method.call(context, Odac)
         }
       } catch {
-        if (typeof ControllerClass[controller.action] === 'function') {
-          return ControllerClass[controller.action](Odac)
+        let method = ControllerModule
+        let context = ControllerModule
+
+        for (const segment of actionParts) {
+          if (method) {
+            context = method
+            method = method[segment]
+          }
+        }
+
+        if (typeof method === 'function') {
+          return method.call(context, Odac)
         }
       }
       return Odac.Request.abort(500)
@@ -144,6 +111,9 @@ class Route {
   async check(Odac) {
     let url = Odac.Request.url.split('?')[0]
     if (url.endsWith('/')) url = url.slice(0, -1)
+    // Global Auth Check: Load user if valid tokens exist to simplify DX
+    // This allows calling Odac.Auth.user() anywhere without manual await Odac.Auth.check()
+    if (Odac.Auth) await Odac.Auth.check()
 
     if (url.startsWith('/_odac/')) {
       Odac.Request.route = '_odac_internal'
@@ -882,8 +852,15 @@ class Route {
         }
       })
 
+      // Global Auth Check: Load user if valid tokens exist to simplify DX
+      // This allows calling Odac.Auth.user() anywhere without manual await Odac.Auth.check()
+      if (Odac.Auth) await Odac.Auth.check()
+
       if (requireAuth) {
-        const isAuthenticated = await Odac.Auth.check()
+        let isAuthenticated = false
+        if (Odac.Auth) {
+          isAuthenticated = await Odac.Auth.check()
+        }
         if (!isAuthenticated) {
           ws.close(4001, 'Unauthorized')
           return

package/src/View/Form.js

@@ -3,6 +3,18 @@ const nodeCrypto = require('crypto')
 class Form {
   static FORM_TYPES = ['register', 'login', 'magic-login', 'form']
 
+  static escapeHtml(value) {
+    if (value === null || value === undefined) return ''
+    const map = {
+      '&': '&',
+      '<': '&lt;',
+      '>': '&gt;',
+      '"': '&quot;',
+      "'": '&#39;'
+    }
+    return String(value).replace(/[&<>"']/g, ch => map[ch])
+  }
+
   static parse(content, Odac) {
     for (const type of this.FORM_TYPES) {
       content = this.parseFormType(content, Odac, type)
@@ -14,8 +26,14 @@ class Form {
     const regex = new RegExp(`<odac:${type}[\\s\\S]*?<\\/odac:${type}>`, 'g')
     return content.replace(regex, match => {
       const formConfig = this.extractConfig(match, null, type)
-      const configStr = JSON.stringify(formConfig)
-      const matchStr = JSON.stringify(match)
+      let configStr = JSON.stringify(formConfig)
+      let matchStr = JSON.stringify(match)
+
+      // Unquote dynamic variables to make them live JS expressions in the compiled view
+      // We avoid {{ }} here because View engine would turn them into ${ } which is invalid in naked JS
+      configStr = configStr.replace(/"\{\{([\s\S]*?)\}\}"/g, '(await $1)')
+      matchStr = matchStr.replace(/\{\{([\s\S]*?)\}\}/g, '" + (await Odac.Var(await $1).html()) + "')
+
       return `<script:odac>html += await Odac.View.Form.runtime(Odac, '${type}', ${configStr}, ${matchStr});</script:odac>`
     })
   }
@@ -91,7 +109,7 @@ class Form {
     if (redirectMatch) config.redirect = redirectMatch[1]
     if (autologinMatch) config.autologin = autologinMatch[1] !== 'false'
 
-    const submitMatch = html.match(/<odac:submit([^>/]*)(?:\/?>|>(.*?)<\/odac:submit>)/)
+    const submitMatch = html.match(/<odac:submit([^>]*?)(?:\/?>|>(.*?)<\/odac:submit>)/)
     if (submitMatch) {
       const submitTag = submitMatch[1]
       const textMatch = submitTag.match(/text=["']([^"']+)["']/)
@@ -145,22 +163,25 @@ class Form {
       id: null,
       unique: false,
       skip: false,
+      value: null,
       validations: []
     }
 
-    const typeMatch = fieldTag.match(/type=["']([^"']+)["']/)
-    const placeholderMatch = fieldTag.match(/placeholder=["']([^"']+)["']/)
-    const labelMatch = fieldTag.match(/label=["']([^"']+)["']/)
-    const classMatch = fieldTag.match(/class=["']([^"']+)["']/)
-    const idMatch = fieldTag.match(/id=["']([^"']+)["']/)
+    const typeMatch = fieldTag.match(/type=(["'])(.*?)\1/)
+    const placeholderMatch = fieldTag.match(/placeholder=(["'])(.*?)\1/)
+    const labelMatch = fieldTag.match(/label=(["'])(.*?)\1/)
+    const classMatch = fieldTag.match(/class=(["'])(.*?)\1/)
+    const idMatch = fieldTag.match(/id=(["'])(.*?)\1/)
+    const valueMatch = fieldTag.match(/value=(["'])(.*?)\1/)
     const uniqueMatch = fieldTag.match(/unique=["']([^"']+)["']/) || fieldTag.match(/\sunique[\s/>]/)
     const skipMatch = fieldTag.match(/skip=["']([^"']+)["']/) || fieldTag.match(/\sskip[\s/>]/)
 
-    if (typeMatch) field.type = typeMatch[1]
-    if (placeholderMatch) field.placeholder = placeholderMatch[1]
-    if (labelMatch) field.label = labelMatch[1]
-    if (classMatch) field.class = classMatch[1]
-    if (idMatch) field.id = idMatch[1]
+    if (typeMatch) field.type = typeMatch[2]
+    if (placeholderMatch) field.placeholder = placeholderMatch[2]
+    if (labelMatch) field.label = labelMatch[2]
+    if (classMatch) field.class = classMatch[2]
+    if (idMatch) field.id = idMatch[2]
+    if (valueMatch) field.value = valueMatch[2]
     if (uniqueMatch) field.unique = uniqueMatch[1] !== 'false'
     if (skipMatch) field.skip = skipMatch[1] !== 'false'
 
@@ -181,7 +202,7 @@ class Form {
 
     // Capture generic attributes
     const extraAttrs = {}
-    const knownAttrs = ['name', 'type', 'placeholder', 'label', 'class', 'id', 'unique', 'skip']
+    const knownAttrs = ['name', 'type', 'placeholder', 'label', 'class', 'id', 'unique', 'skip', 'value']
     const attrRegex = /(\w+)(?:=(["'])((?:(?!\2).)*)\2|=([^\s>]+))?/g
     let attrMatch
     // Clean tag to just attributes part for safer regex matching if needed,
@@ -203,11 +224,11 @@ class Form {
   }
 
   static parseSet(html) {
-    const nameMatch = html.match(/name=["']([^"']+)["']/)
+    const nameMatch = html.match(/name=(["'])(.*?)\1/)
     if (!nameMatch) return null
 
     const set = {
-      name: nameMatch[1],
+      name: nameMatch[2],
       value: null,
       compute: null,
       callback: null,
@@ -215,14 +236,14 @@ class Form {
     }
 
     const valueMatch = html.match(/value=(["'])(.*?)\1/)
-    const computeMatch = html.match(/compute=["']([^"']+)["']/)
-    const callbackMatch = html.match(/callback=["']([^"']+)["']/)
-    const ifEmptyMatch = html.match(/if-empty=["']([^"']+)["']/) || html.match(/\sif-empty[\s/>]/)
+    const computeMatch = html.match(/compute=(["'])(.*?)\1/)
+    const callbackMatch = html.match(/callback=(["'])(.*?)\1/)
+    const ifEmptyMatch = html.match(/if-empty=(["'])(.*?)\1/) || html.match(/\sif-empty[\s/>]/)
 
     if (valueMatch) set.value = valueMatch[2]
-    if (computeMatch) set.compute = computeMatch[1]
-    if (callbackMatch) set.callback = callbackMatch[1]
-    if (ifEmptyMatch) set.ifEmpty = ifEmptyMatch[1] !== 'false'
+    if (computeMatch) set.compute = computeMatch[2]
+    if (callbackMatch) set.callback = callbackMatch[2]
+    if (ifEmptyMatch) set.ifEmpty = ifEmptyMatch[2] !== 'false'
 
     return set
   }
@@ -253,6 +274,9 @@ class Form {
     innerContent = innerContent.replace(/<odac:input([^>]*?)(?:\/>|>(?:[\s\S]*?)<\/odac:input>)/g, fieldMatch => {
       const field = this.parseInput(fieldMatch)
       if (!field) return fieldMatch
+      // Sync with resolved config value if available
+      const configField = config.fields.find(f => f.name === field.name)
+      if (configField) field.value = configField.value
       return this.generateFieldHtml(field)
     })
 
@@ -279,31 +303,38 @@ class Form {
 
   static generateFieldHtml(field) {
     let html = ''
+    const escapedName = this.escapeHtml(field.name)
+    const escapedType = this.escapeHtml(field.type)
+    const escapedPlaceholder = this.escapeHtml(field.placeholder)
 
     if (field.label && field.type !== 'checkbox') {
-      const fieldId = field.id || `odac-${field.name}`
-      html += `<label for="${fieldId}">${field.label}</label>\n`
+      const fieldId = this.escapeHtml(field.id || `odac-${field.name}`)
+      html += `<label for="${fieldId}">${this.escapeHtml(field.label)}</label>\n`
     }
 
-    const classAttr = field.class ? ` class="${field.class}"` : ''
-    const idAttr = field.id ? ` id="${field.id}"` : ` id="odac-${field.name}"`
+    const classAttr = field.class ? ` class="${this.escapeHtml(field.class)}"` : ''
+    const idAttr = field.id ? ` id="${this.escapeHtml(field.id)}"` : ` id="${this.escapeHtml(`odac-${field.name}`)}"`
+    const valueAttr = field.value !== null ? ` value="${this.escapeHtml(field.value)}"` : ''
 
     if (field.type === 'checkbox') {
       const attrs = this.buildHtml5Attributes(field)
+      const checkedAttr = field.value === '1' || field.value === true || field.value === 'true' ? ' checked' : ''
       if (field.label) {
         html += `<label>\n`
-        html += `  <input type="checkbox"${idAttr} name="${field.name}" value="1"${classAttr}${attrs}>\n`
-        html += `  ${field.label}\n`
+        html += `  <input type="checkbox"${idAttr} name="${escapedName}" value="1"${classAttr}${checkedAttr}${attrs}>\n`
+        html += `  ${this.escapeHtml(field.label)}\n`
         html += `</label>\n`
       } else {
-        html += `<input type="checkbox"${idAttr} name="${field.name}" value="1"${classAttr}${attrs}>\n`
+        html += `<input type="checkbox"${idAttr} name="${escapedName}" value="1"${classAttr}${checkedAttr}${attrs}>\n`
       }
     } else if (field.type === 'textarea') {
       const attrs = this.buildHtml5Attributes(field)
-      html += `<textarea${idAttr} name="${field.name}" placeholder="${field.placeholder}"${classAttr}${attrs}></textarea>\n`
+      html += `<textarea${idAttr} name="${escapedName}" placeholder="${escapedPlaceholder}"${classAttr}${attrs}>${this.escapeHtml(
+        field.value || ''
+      )}</textarea>\n`
     } else {
       const attrs = this.buildHtml5Attributes(field)
-      html += `<input type="${field.type}"${idAttr} name="${field.name}" placeholder="${field.placeholder}"${classAttr}${attrs}>\n`
+      html += `<input type="${escapedType}"${idAttr} name="${escapedName}"${valueAttr} placeholder="${escapedPlaceholder}"${classAttr}${attrs}>\n`
     }
 
     return html
@@ -319,7 +350,7 @@ class Form {
         if (val === '') {
           attrs += ` ${key}`
         } else {
-          attrs += ` ${key}="${val.replace(/"/g, '&quot;')}"`
+          attrs += ` ${key}="${this.escapeHtml(val)}"`
         }
       }
     }
@@ -406,11 +437,11 @@ class Form {
     if (html5Rules.max) attrs += ` max="${html5Rules.max}"`
     if (html5Rules.pattern) attrs += ` pattern="${html5Rules.pattern}"`
 
-    if (errorMessages.required) attrs += ` data-error-required="${errorMessages.required.replace(/"/g, '&quot;')}"`
-    if (errorMessages.minlength) attrs += ` data-error-minlength="${errorMessages.minlength.replace(/"/g, '&quot;')}"`
-    if (errorMessages.maxlength) attrs += ` data-error-maxlength="${errorMessages.maxlength.replace(/"/g, '&quot;')}"`
-    if (errorMessages.pattern) attrs += ` data-error-pattern="${errorMessages.pattern.replace(/"/g, '&quot;')}"`
-    if (errorMessages.email) attrs += ` data-error-email="${errorMessages.email.replace(/"/g, '&quot;')}"`
+    if (errorMessages.required) attrs += ` data-error-required="${this.escapeHtml(errorMessages.required)}"`
+    if (errorMessages.minlength) attrs += ` data-error-minlength="${this.escapeHtml(errorMessages.minlength)}"`
+    if (errorMessages.maxlength) attrs += ` data-error-maxlength="${this.escapeHtml(errorMessages.maxlength)}"`
+    if (errorMessages.pattern) attrs += ` data-error-pattern="${this.escapeHtml(errorMessages.pattern)}"`
+    if (errorMessages.email) attrs += ` data-error-email="${this.escapeHtml(errorMessages.email)}"`
 
     attrs = this.appendExtraAttributes(attrs, field)
 
@@ -434,7 +465,7 @@ class Form {
 
     if (redirectMatch) config.redirect = redirectMatch[1]
 
-    const submitMatch = html.match(/<odac:submit([^>/]*)(?:\/?>|>(.*?)<\/odac:submit>)/)
+    const submitMatch = html.match(/<odac:submit([^>]*?)(?:\/?>|>(.*?)<\/odac:submit>)/)
     if (submitMatch) {
       const submitTag = submitMatch[1]
       const textMatch = submitTag.match(/text=["']([^"']+)["']/)
@@ -489,6 +520,9 @@ class Form {
     innerContent = innerContent.replace(/<odac:input([^>]*?)(?:\/>|>(?:[\s\S]*?)<\/odac:input>)/g, fieldMatch => {
       const field = this.parseInput(fieldMatch)
       if (!field) return fieldMatch
+      // Sync with resolved config value if available
+      const configField = config.fields.find(f => f.name === field.name)
+      if (configField) field.value = configField.value
       return this.generateFieldHtml(field)
     })
 
@@ -551,8 +585,10 @@ class Form {
     if (tableMatch) config.table = tableMatch
     if (redirectMatch) config.redirect = redirectMatch
     if (successMatch) config.successMessage = successMatch
+    const clearMatch = extractAttr('clear')
+    if (clearMatch !== null) config.clear = clearMatch === 'true' || clearMatch === ''
 
-    const submitMatch = html.match(/<odac:submit([^>/]*)(?:\/?>|>(.*?)<\/odac:submit>)/)
+    const submitMatch = html.match(/<odac:submit([^>]*?)(?:\/?>|>(.*?)<\/odac:submit>)/)
     if (submitMatch) {
       const submitTag = submitMatch[1]
       const textMatch = submitTag.match(/text=["']([^"']+)["']/)
@@ -618,29 +654,30 @@ class Form {
     innerContent = innerContent.replace(/<odac:input([^>]*?)(?:\/>|>(?:[\s\S]*?)<\/odac:input>)/g, fieldMatch => {
       const field = this.parseInput(fieldMatch)
       if (!field) return fieldMatch
+      // Sync with resolved config value if available
+      const configField = config.fields.find(f => f.name === field.name)
+      if (configField) field.value = configField.value
       return this.generateFieldHtml(field)
     })
 
-    const escapeHtml = str =>
-      String(str).replace(/[&<>"']/g, m => ({'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'})[m])
-
     const submitMatch = innerContent.match(/<odac:submit[\s\S]*?(?:<\/odac:submit>|\/?>)/)
     if (submitMatch) {
-      let submitAttrs = `type="submit" data-submit-text="${escapeHtml(submitText)}" data-loading-text="${escapeHtml(submitLoading)}"`
-      if (config.submitClass) submitAttrs += ` class="${escapeHtml(config.submitClass)}"`
-      if (config.submitStyle) submitAttrs += ` style="${escapeHtml(config.submitStyle)}"`
-      if (config.submitId) submitAttrs += ` id="${escapeHtml(config.submitId)}"`
-      const submitButton = `<button ${submitAttrs}>${escapeHtml(submitText)}</button>`
+      let submitAttrs = `type="submit" data-submit-text="${this.escapeHtml(submitText)}" data-loading-text="${this.escapeHtml(submitLoading)}"`
+      if (config.submitClass) submitAttrs += ` class="${this.escapeHtml(config.submitClass)}"`
+      if (config.submitStyle) submitAttrs += ` style="${this.escapeHtml(config.submitStyle)}"`
+      if (config.submitId) submitAttrs += ` id="${this.escapeHtml(config.submitId)}"`
+      const submitButton = `<button ${submitAttrs}>${this.escapeHtml(submitText)}</button>`
       innerContent = innerContent.replace(submitMatch[0], submitButton)
     }
 
     innerContent = innerContent.replace(/<odac:set[^>]*\/?>/g, '')
 
-    let formAttrs = `class="odac-custom-form${config.class ? ' ' + escapeHtml(config.class) : ''}" data-odac-form="${escapeHtml(formToken)}" method="${escapeHtml(method)}" action="${escapeHtml(formAction)}" novalidate`
-    if (config.id) formAttrs += ` id="${escapeHtml(config.id)}"`
+    let formAttrs = `class="odac-custom-form${config.class ? ' ' + this.escapeHtml(config.class) : ''}" data-odac-form="${this.escapeHtml(formToken)}" method="${this.escapeHtml(method)}" action="${this.escapeHtml(formAction)}" novalidate`
+    if (config.id) formAttrs += ` id="${this.escapeHtml(config.id)}"`
+    if (config.clear !== undefined) formAttrs += ` clear="${config.clear}"`
 
     let html = `<form ${formAttrs}>\n`
-    html += `  <input type="hidden" name="_odac_form_token" value="${escapeHtml(formToken)}">\n`
+    html += `  <input type="hidden" name="_odac_form_token" value="${this.escapeHtml(formToken)}">\n`
     html += innerContent
     html += `\n  <span class="odac-form-success" style="display:none;"></span>\n`
     html += `</form>`
@@ -693,7 +730,7 @@ class Form {
       })
     }
 
-    const submitMatch = html.match(/<odac:submit([^>/]*)(?:\/?>|>(.*?)<\/odac:submit>)/)
+    const submitMatch = html.match(/<odac:submit([^>]*?)(?:\/?>|>(.*?)<\/odac:submit>)/)
     if (submitMatch) {
       const submitTag = submitMatch[1]
       const textMatch = submitTag.match(/text=["']([^"']+)["']/)
@@ -751,6 +788,9 @@ class Form {
       innerContent = innerContent.replace(/<odac:input([^>]*?)(?:\/>|>(?:[\s\S]*?)<\/odac:input>)/g, fieldMatch => {
         const field = this.parseInput(fieldMatch)
         if (!field) return fieldMatch
+        // Sync with resolved config value if available
+        const configField = config.fields.find(f => f.name === field.name)
+        if (configField) field.value = configField.value
         return this.generateFieldHtml(field)
       })
     }