odac 1.4.5 → 1.4.7

package/.agent/rules/memory.md

@@ -32,6 +32,7 @@ trigger: always_on
 
 ## Dependency Management
 - **Prefer Native Fetch:** Use the native `fetch` API for network requests in both Node.js (18+) and browser environments to reduce dependencies and bundle size.
+- **Hybrid Overrides:** When using `overrides` in `package.json` for security hardening, always verify tool compatibility (especially Jest/Coverage). If a global override (e.g., `minimatch: 10.x`) breaks a critical utility (e.g., `test-exclude`), use a nested override to provide a compatible version (e.g., `3.x`) for that specific tool while keeping the rest of the project secure.
 
 ## Naming & Text Conventions
 - **ODAC Casing:** Always write "ODAC" in uppercase letters when referring to the framework name in strings, comments, log messages, or user-facing text. **EXCEPTION:** The class name itself (`class Odac`) and variable references to it should remain `Odac` (PascalCase) as per code conventions.
@@ -55,6 +56,10 @@ trigger: always_on
 
 ## Security Logic & Authentication
 - **Enterprise Token Rotation:** The `Auth.js` system utilizes a non-blocking refresh token rotation mechanism for cookies (`odac_x`/`odac_y`). To prevent race conditions during concurrent requests in high-throughput SPAs, rotated tokens are **not** immediately deleted. Instead, their `active` timestamp is set to naturally expire in 60 seconds (Grace Period), and their `date` timestamp is set to the Unix Epoch (`new Date(0)`) as an identifier mark. Never delete rotated tokens immediately.
+- **Template String Escaping:** When escaping template strings for inline JavaScript execution or translation payloads, always escape backslashes first before escaping single quotes (e.g., `.replace(/\\/g, '\\\\').replace(/'/g, "\\'")`) to prevent an injected backslash from disabling the quote escape and causing a Template Injection / XSS vulnerability.
 
 ## View Engine & SSR
-- **Auto-Navigation Injection:** The ODAC View engine (`src/View.js`) automatically parses skeleton HTML files and dynamically injects `data-odac-navigate="content"` into the element immediately wrapping `{{ CONTENT }}`. Do NOT manually add this attribute to HTML templates or assume it is missing based on static analysis, as it is handled seamlessly at runtime via SSR.
+- **Auto-Navigation Injection:** The ODAC View engine (`src/View.js`) automatically parses skeleton HTML files and dynamically injects `data-odac-navigate` attributes into ALL elements wrapping `{{ PART_NAME }}` placeholders (e.g. `{{ CONTENT }}`, `{{ SIDEBAR }}`, `{{ FOOTER }}`). Do NOT manually add these attributes to HTML templates.
+- **Smart Part Diffing (AJAX Navigation):** The AJAX navigation system uses a server-driven part diffing mechanism. The client sends its current part values via `X-Odac-Parts` header (e.g. `content=docs/intro,sidebar=docs/nav`). The server compares these with the new page's parts and only renders/returns parts whose view path has changed. Parts that are identical between pages are skipped (no re-render, no DOM update). Parts that exist on the old page but not the new page are cleared. The `parts` manifest is included in every AJAX response for the client to track state. **Exception:** The `content` part is always re-rendered regardless of view path match, since its output is URL-dependent.
+- **Part Refresh Override:** `View.set('partName', 'viewPath', { refresh: true })` forces a part to re-render on every AJAX navigation even if its view path hasn't changed. Useful for parts with request-dependent dynamic content (e.g. active menu state). The `#refresh` Set tracks which parts bypass the diffing comparison.
+- **Initial Parts State:** On first page load, the `<html>` tag receives a `data-odac-parts` JSON attribute containing the current part-to-view mapping. The client reads this to initialize its parts tracking state for subsequent AJAX navigations.

package/.releaserc.js

@@ -135,7 +135,7 @@ Powered by [⚡ ODAC](https://odac.run)
     [
       '@semantic-release/git',
       {
-        assets: ['package.json', 'CHANGELOG.md'],
+        assets: ['package.json', 'package-lock.json', 'CHANGELOG.md'],
         message: '⚡ ODAC.JS v${nextRelease.version} Released'
       }
     ],

package/CHANGELOG.md

@@ -1,3 +1,45 @@
+### ⚙️ Engine Tuning
+
+- **test:** remove unused fsPromises and standardize async I/O in View tests
+
+### 📚 Documentation
+
+- add quick start guide and register in documentation index
+
+### 🛠️ Fixes & Improvements
+
+- add raw attribute support to `<odac get>` tag for unescaped HTML output
+- improve title extraction logic and optimize data-odac-navigate attribute injection in View rendering
+- prevent data-odac-navigate injection into closing HTML tags
+
+
+
+---
+
+Powered by [⚡ ODAC](https://odac.run)
+
+### ⚙️ Engine Tuning
+
+- replace global Odac reference with private instance and update dependency overrides for security hardening
+- **test/view:** remove unused CACHE_DIR variable in parseOdacTag tests
+
+### ✨ What's New
+
+- **client:** log malformed data-odac-parts JSON to ease debugging
+- **view:** smart AJAX part diffing with selective re-render
+
+### 🛠️ Fixes & Improvements
+
+- **route:** encode X-Odac-Parts header values to prevent splitting errors
+- **View:** escape single quotes in template expressions to prevent syntax errors
+- **view:** prevent template injection by escaping backslashes in dynamic parser
+
+
+
+---
+
+Powered by [⚡ ODAC](https://odac.run)
+
 ### security
 
 - **template:** add noopener to external footer links to mitigate reverse tabnabbing

package/client/odac.js

@@ -119,7 +119,7 @@ if (typeof window !== 'undefined') {
     #page = null
     #token = {hash: [], data: false}
     #formSubmitHandlers = new Map()
-    #loader = {elements: {}, callback: null}
+    #loader = {elements: {}, callback: null, parts: {}}
     #isNavigating = false
 
     constructor() {
@@ -772,20 +772,34 @@ if (typeof window !== 'undefined') {
       this.#isNavigating = true
 
       const currentSkeleton = document.documentElement.dataset.odacSkeleton
-      const elements = Object.entries(this.#loader.elements)
+
+      // Merge loader-registered elements with auto-discovered navigate elements
+      const elements = {...this.#loader.elements}
+      document.querySelectorAll('[data-odac-navigate]').forEach(el => {
+        const partName = el.getAttribute('data-odac-navigate')
+        if (!elements[partName]) elements[partName] = `[data-odac-navigate="${partName}"]`
+      })
 
       const elementsToUpdate = []
-      elements.forEach(([key, selector]) => {
+      for (const [key, selector] of Object.entries(elements)) {
         const element = document.querySelector(selector)
-        if (element) elementsToUpdate.push({key, element})
-      })
+        if (element) elementsToUpdate.push({key, element, selector})
+      }
+
+      // Build X-Odac-Parts header from current known parts
+      const partsHeader = Object.entries(this.#loader.parts)
+        .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
+        .join(',')
+
+      // Collect part keys to request from server
+      const loadKeys = Object.keys(elements)
 
       const useViewTransition = document.startViewTransition && document.querySelectorAll('[odac-transition]').length > 0
 
       if (useViewTransition) {
-        this.#loadWithViewTransition(url, callback, push, currentUrl, currentSkeleton, elementsToUpdate)
+        this.#loadWithViewTransition(url, callback, push, currentUrl, currentSkeleton, elementsToUpdate, partsHeader, loadKeys)
       } else {
-        this.#loadWithFade(url, callback, push, currentUrl, currentSkeleton, elementsToUpdate)
+        this.#loadWithFade(url, callback, push, currentUrl, currentSkeleton, elementsToUpdate, partsHeader, loadKeys)
       }
     }
 
@@ -795,17 +809,20 @@ if (typeof window !== 'undefined') {
      * names, enabling per-element morphing animations orchestrated by the browser.
      * Non-transition elements still update their content within the transition frame.
      */
-    #loadWithViewTransition(url, callback, push, currentUrl, currentSkeleton, elementsToUpdate) {
+    #loadWithViewTransition(url, callback, push, currentUrl, currentSkeleton, elementsToUpdate, partsHeader, loadKeys) {
       const oldTransitionElements = this.#applyTransitionNames()
 
+      const headers = {
+        'X-Odac': 'ajaxload',
+        'X-Odac-Load': loadKeys.join(','),
+        'X-Odac-Skeleton': currentSkeleton || ''
+      }
+      if (partsHeader) headers['X-Odac-Parts'] = partsHeader
+
       this.#ajax({
         url,
         type: 'GET',
-        headers: {
-          'X-Odac': 'ajaxload',
-          'X-Odac-Load': Object.keys(this.#loader.elements).join(','),
-          'X-Odac-Skeleton': currentSkeleton || ''
-        },
+        headers,
         dataType: 'json',
         success: (data, status, xhr) => {
           const finalUrl = xhr.responseURL || url
@@ -815,6 +832,15 @@ if (typeof window !== 'undefined') {
             return
           }
 
+          // Update tracked parts from server manifest
+          if (data.parts) this.#loader.parts = data.parts
+
+          // Determine which parts were removed by the new page
+          const removedParts = []
+          for (const {key, element} of elementsToUpdate) {
+            if (data.parts && !(key in data.parts)) removedParts.push({key, element})
+          }
+
           const transition = document.startViewTransition(() => {
             if (finalUrl !== currentUrl && push) window.history.pushState(null, document.title, finalUrl)
 
@@ -827,10 +853,16 @@ if (typeof window !== 'undefined') {
             if (data.data) this.#data = data.data
             if (data.title) document.title = this.#decodeHtmlEntities(data.title)
 
+            // Update only parts that have new content from server
             elementsToUpdate.forEach(({key, element}) => {
               if (data.output && data.output[key] !== undefined) element.innerHTML = data.output[key]
             })
 
+            // Clear removed parts
+            for (const {element} of removedParts) {
+              element.innerHTML = ''
+            }
+
             this.#applyTransitionNames()
           })
 
@@ -854,78 +886,74 @@ if (typeof window !== 'undefined') {
 
     /**
      * Performs page navigation using the legacy fade-in/fade-out animation.
-     * This is the fallback path when the View Transition API is unavailable
-     * or no `odac-transition` elements exist in the DOM.
+     * Only fades elements whose content actually changed, leaving unchanged
+     * parts (like a shared sidebar) completely untouched and visible.
      */
-    #loadWithFade(url, callback, push, currentUrl, currentSkeleton, elementsToUpdate) {
-      let ajaxData = null,
-        ajaxXhr = null,
-        fadeOutComplete = false,
-        ajaxComplete = false
-
-      const applyUpdate = () => {
-        if (!fadeOutComplete || !ajaxComplete || !ajaxData) return
-
-        const finalUrl = ajaxXhr.responseURL || url
-        if (ajaxData.skeletonChanged) {
-          window.location.href = finalUrl
-          return
-        }
-        if (finalUrl !== currentUrl && push) window.history.pushState(null, document.title, finalUrl)
-
-        const newPage = ajaxXhr.getResponseHeader('X-Odac-Page')
-        if (newPage !== null) {
-          this.#page = newPage
-          document.documentElement.dataset.odacPage = newPage
-        }
-
-        if (ajaxData.data) this.#data = ajaxData.data
-        if (ajaxData.title) document.title = this.#decodeHtmlEntities(ajaxData.title)
-
-        if (elementsToUpdate.length === 0) {
-          this.#handleLoadComplete(ajaxData, callback)
-          return
-        }
-
-        let completed = 0
-        elementsToUpdate.forEach(({key, element}) => {
-          if (ajaxData.output && ajaxData.output[key] !== undefined) element.innerHTML = ajaxData.output[key]
-          this.#fadeIn(element, 200, () => {
-            completed++
-            if (completed === elementsToUpdate.length) this.#handleLoadComplete(ajaxData, callback)
-          })
-        })
-      }
-
-      if (elementsToUpdate.length > 0) {
-        let fadeOutCount = 0
-        elementsToUpdate.forEach(({element}) => {
-          this.#fadeOut(element, 200, () => {
-            fadeOutCount++
-            if (fadeOutCount === elementsToUpdate.length) {
-              fadeOutComplete = true
-              applyUpdate()
-            }
-          })
-        })
-      } else {
-        fadeOutComplete = true
+    #loadWithFade(url, callback, push, currentUrl, currentSkeleton, elementsToUpdate, partsHeader, loadKeys) {
+      const headers = {
+        'X-Odac': 'ajaxload',
+        'X-Odac-Load': loadKeys.join(','),
+        'X-Odac-Skeleton': currentSkeleton || ''
       }
+      if (partsHeader) headers['X-Odac-Parts'] = partsHeader
 
       this.#ajax({
         url,
         type: 'GET',
-        headers: {
-          'X-Odac': 'ajaxload',
-          'X-Odac-Load': Object.keys(this.#loader.elements).join(','),
-          'X-Odac-Skeleton': currentSkeleton || ''
-        },
+        headers,
         dataType: 'json',
         success: (data, status, xhr) => {
-          ajaxData = data
-          ajaxXhr = xhr
-          ajaxComplete = true
-          applyUpdate()
+          const finalUrl = xhr.responseURL || url
+          if (data.skeletonChanged) {
+            window.location.href = finalUrl
+            return
+          }
+          if (finalUrl !== currentUrl && push) window.history.pushState(null, document.title, finalUrl)
+
+          const newPage = xhr.getResponseHeader('X-Odac-Page')
+          if (newPage !== null) {
+            this.#page = newPage
+            document.documentElement.dataset.odacPage = newPage
+          }
+
+          if (data.data) this.#data = data.data
+          if (data.title) document.title = this.#decodeHtmlEntities(data.title)
+          if (data.parts) this.#loader.parts = data.parts
+
+          // Classify elements: changed, removed, or unchanged
+          const changedParts = []
+          const removedParts = []
+
+          for (const {key, element} of elementsToUpdate) {
+            if (data.output && data.output[key] !== undefined) {
+              changedParts.push({key, element})
+            } else if (data.parts && !(key in data.parts)) {
+              removedParts.push({key, element})
+            }
+          }
+
+          // Clear removed parts immediately
+          for (const {element} of removedParts) {
+            element.innerHTML = ''
+          }
+
+          // No changed parts — complete immediately
+          if (changedParts.length === 0) {
+            this.#handleLoadComplete(data, callback)
+            return
+          }
+
+          // Fade out only changed parts, then swap content and fade in
+          let fadeOutCount = 0
+          changedParts.forEach(({key, element}) => {
+            this.#fadeOut(element, 200, () => {
+              element.innerHTML = data.output[key]
+              this.#fadeIn(element, 200, () => {
+                fadeOutCount++
+                if (fadeOutCount === changedParts.length) this.#handleLoadComplete(data, callback)
+              })
+            })
+          })
         },
         error: () => {
           this.#isNavigating = false
@@ -974,9 +1002,10 @@ if (typeof window !== 'undefined') {
       }
     }
 
-    loader(selector, elements, callback) {
+    loader(selector, elements, callback, initialParts) {
       this.#loader.elements = elements
       this.#loader.callback = callback
+      if (initialParts) this.#loader.parts = initialParts
       const odacInstance = this
 
       this.#on(document, 'click', selector, function (e) {
@@ -1152,10 +1181,28 @@ if (typeof window !== 'undefined') {
   window.Odac = new _odac()
   ;(function initAutoNavigate() {
     const init = () => {
-      const contentEl = document.querySelector('[data-odac-navigate="content"]')
-      if (contentEl) {
-        window.Odac.loader('a[href^="/"]:not([data-navigate="false"]):not(.no-navigate)', {content: '[data-odac-navigate="content"]'}, null)
+      const navigateElements = document.querySelectorAll('[data-odac-navigate]')
+      if (navigateElements.length === 0) return
+
+      const elements = {}
+      navigateElements.forEach(el => {
+        const partName = el.getAttribute('data-odac-navigate')
+        elements[partName] = `[data-odac-navigate="${partName}"]`
+      })
+
+      // Initialize parts state from server-rendered data attribute
+      const partsAttr = document.documentElement.dataset.odacParts
+      let initialParts = {}
+      if (partsAttr) {
+        try {
+          initialParts = JSON.parse(partsAttr)
+        } catch (e) {
+          console.error('Odac: Failed to parse data-odac-parts attribute.', e)
+          // Graceful fallback if attribute is malformed
+        }
       }
+
+      window.Odac.loader('a[href^="/"]:not([data-navigate="false"]):not(.no-navigate)', elements, null, initialParts)
     }
     document.readyState === 'loading' ? document.addEventListener('DOMContentLoaded', init) : init()
   })()

package/docs/ai/skills/backend/views.md

@@ -1,45 +1,107 @@
 ---
 name: backend-views-templates-skill
-description: ODAC server-side rendering guidelines for template performance, skeleton layouts, and safe output rendering.
+description: ODAC server-side rendering guidelines for skeleton layouts, smart part diffing, template syntax, and safe output rendering.
 metadata:
-  tags: backend, views, templates, ssr, xss-protection, skeleton, rendering
+  tags: backend, views, templates, ssr, xss-protection, skeleton, rendering, part-diffing, ajax-navigation
 ---
 
 # Backend Views & Templates Skill
 
-High-performance server-side rendering using ODAC's optimized template engine.
+High-performance server-side rendering using ODAC's optimized template engine with smart AJAX part diffing.
 
 ## Architectural Approach
-Views in ODAC are logic-light but powerful. They support automatic XSS protection, high-performance looping, and server-side JavaScript execution via `<script:odac>`.
+Views in ODAC are logic-light but powerful. They support automatic XSS protection, high-performance looping, server-side JavaScript execution via `<script:odac>`, and a smart AJAX navigation system that only updates parts of the page that actually changed.
 
 ## Core Rules
 1.  **Skeleton Architecture**: Use `Odac.View.skeleton('name')` to wrap content in a layout.
-2.  **Data Binding — Two Equivalent Syntaxes**:
+2.  **Part Setting**: Use `Odac.View.set(partName, viewPath)` to fill skeleton placeholders.
+3.  **Data Binding — Two Equivalent Syntaxes**:
     -   `<odac var="key" />`: Tag-based output (HTML-escaped, XSS-safe).
     -   `{{ key }}`: Inline/interpolation output (HTML-escaped, XSS-safe). Identical behavior to `<odac var>`.
-    -   `<odac var="key" raw />` or `{!! key !!}`: Raw output (Use with extreme caution).
-3.  **Choosing the Right Syntax**:
-    -   **Inside HTML attributes** (`src`, `alt`, `href`, `class`, `value`, etc.) → Always prefer `{{ }}`. It reads naturally and keeps markup clean.
+    -   `<odac get="key" />`: Query Parameter output (HTML-escaped, XSS-safe).
+    -   `<odac var="key" raw />`, `<odac get="key" raw />` or `{!! key !!}`: Raw output (use with extreme caution).
+4.  **Choosing the Right Syntax**:
+    -   **Inside HTML attributes** (`src`, `alt`, `href`, `class`, `value`, etc.) → Always prefer `{{ }}`.
     -   **Inline within text or mixed HTML** → Prefer `{{ }}` for short interpolations.
-    -   **Standalone block output** (the variable is the only content of an element) → Prefer `<odac var="" />` for structural clarity and IDE support.
-    -   Both syntaxes compile to the same engine output. The choice is about readability, not functionality.
-4.  **Conditionals**: Use `<odac:if condition="VAR"> ... </odac:if>`.
-5.  **Looping**: Use `<odac:for in="ARRAY" value="ITEM"> ... </odac:for>` or the performance-optimized `[[odac_for ...]]`.
-6.  **Server-Side JS**: Use `<script:odac>` for complex calculations during rendering.
+    -   **Standalone block output** → Prefer `<odac var="" />` for structural clarity.
+5.  **Conditionals**: Use `<odac:if condition="VAR"> ... </odac:if>`.
+6.  **Looping**: Use `<odac:for in="ARRAY" value="ITEM"> ... </odac:for>`.
+7.  **Server-Side JS**: Use `<script:odac>` for complex calculations during rendering.
+
+## Smart Part Diffing (AJAX Navigation)
+
+ODAC uses a **server-driven part diffing** system during AJAX navigation. Understanding this is critical for building multi-section layouts correctly.
+
+### How it works
+- The client tracks which view file each part is currently showing.
+- On every AJAX navigation, it sends this state to the server via `X-Odac-Parts`.
+- The server compares the new page's parts against the client's current state and **only renders parts that changed**.
+- The client only updates DOM elements that received new content.
+
+### Rules
+| Scenario | Behavior |
+|----------|----------|
+| Part view path unchanged | Skipped — not re-rendered, DOM untouched |
+| Part view path changed | Re-rendered and DOM updated |
+| Part removed on new page | DOM element content cleared |
+| Skeleton changed | Full page reload |
+| `content` part | **Always** re-rendered (URL-dependent by nature) |
+
+### Force-refresh a part
+If a part's view path stays the same but its rendered output changes per request (e.g. a sidebar with an active menu state):
+
+```javascript
+// Always re-renders on AJAX navigation even if view path is unchanged
+Odac.View.set('sidebar', 'docs.nav', { refresh: true })
+```
+
+### Skeleton placeholder rules
+- Each `{{ PLACEHOLDER }}` must be wrapped in its own HTML element.
+- The engine auto-injects `data-odac-navigate` on wrapper elements — do not add manually.
+- Unset placeholders are silently removed from the final HTML output.
+
+```html
+<!-- skeleton/main.html -->
+<aside>{{ SIDEBAR }}</aside>   <!-- auto-gets data-odac-navigate="sidebar" -->
+<main>{{ CONTENT }}</main>     <!-- auto-gets data-odac-navigate="content" -->
+```
 
 ## Reference Patterns
 
-### 1. The Controller to View Flow
+### 1. Standard Page with Shared Layout
+```javascript
+// controller/docs/page.js
+module.exports = function (Odac) {
+  Odac.View
+    .skeleton('main')
+    .set('sidebar', 'docs.nav')   // shared — skipped if unchanged on next navigate
+    .set('content', 'docs.intro') // always re-rendered
+}
+```
+
+### 2. Sidebar with Active State (force refresh)
+```javascript
+// controller/docs/page.js
+module.exports = function (Odac) {
+  Odac.View
+    .skeleton('main')
+    .set('sidebar', 'docs.nav', { refresh: true }) // re-renders every navigate
+    .set('content', 'docs.intro')
+}
+```
+
+### 3. Page Without Sidebar
 ```javascript
-// Controller
-Odac.View.skeleton('main');
-Odac.View.set({
-  title: 'Dashboard',
-  stats: { users: 150, orders: 45 }
-});
+// controller/home.js — navigating here clears the sidebar DOM element
+module.exports = function (Odac) {
+  Odac.View
+    .skeleton('main')
+    .set('content', 'home')
+  // sidebar not set → its DOM element is emptied on AJAX navigation
+}
 ```
 
-### 2. Template Syntax Reference
+### 4. Template Syntax Reference
 ```html
 <!-- Standalone block output — prefer <odac var> -->
 <h1><odac var="title" /></h1>
@@ -47,47 +109,37 @@ Odac.View.set({
 <!-- Inside attributes — prefer {{ }} -->
 <img src="{{ product.image }}" alt="{{ product.name }}">
 <a href="/user/{{ user.id }}" class="btn {{ isActive ? 'active' : '' }}">Profile</a>
-<input type="text" value="{{ query }}">
 
-<!-- Inline text interpolation — prefer {{ }} -->
+<!-- Inline text interpolation -->
 <p>Welcome, {{ user.name }}. You have {{ notifications }} new messages.</p>
-<span>${{ product.price }}</span>
+
+<!-- Query parameter from URL (/page?q=search) -->
+<p>Search Results for: <odac get="q" /></p>
+<div class="raw-content"><odac get="htmlContent" raw /></div>
 
 <!-- Conditional -->
 <odac:if condition="stats.users > 100">
   <span class="badge">Popular!</span>
 </odac:if>
 
-<!-- Performance Loop -->
-[[odac_for user in users]]
+<!-- Loop -->
+<odac:for in="users" value="user">
   <li>{{ user.name }}</li>
-[[odac_endfor]]
+</odac:for>
 ```
 
-### 3. Backend JavaScript (`<script:odac>`)
-Perfect for calculations that shouldn't clutter the controller but are too complex for simple tags.
+### 5. Backend JavaScript (`<script:odac>`)
 ```html
 <script:odac>
-  // Runs on the SERVER during rendering
-  const total = items.reduce((sum, i) => sum + i.price, 0);
-  const tax = total * 0.18;
+  const total = items.reduce((sum, i) => sum + i.price, 0)
+  const tax = total * 0.18
 </script:odac>
 
 <p>Subtotal: ${{ total }}</p>
 <p>Tax: ${{ tax }}</p>
 ```
 
-## Syntax Selection Guide
-
-| Context | Preferred Syntax | Example |
-|---------|-----------------|---------|
-| HTML attributes (`src`, `href`, `alt`, `class`, `value`) | `{{ }}` | `<img src="{{ photo.url }}" alt="{{ photo.caption }}">` |
-| Inline text within elements | `{{ }}` | `<p>Hello, {{ user.name }}</p>` |
-| Standalone element content | `<odac var />` | `<h1><odac var="title" /></h1>` |
-| Raw HTML output (trusted only) | `<odac var raw />` or `{!! !!}` | `<div><odac var="content" raw /></div>` |
-
 ## Security Best Practices
--   **Both `{{ }}` and `<odac var>` are XSS-safe**: Both apply HTML escaping by default. Use either with confidence.
+-   **Both `{{ }}` and `<odac var>` are XSS-safe**: Both apply HTML escaping by default.
 -   **Raw output requires trust**: Only use `raw` / `{!! !!}` with content you fully control. Never with user input.
 -   **Limit `<script:odac>`**: Do not perform database queries or API calls inside views; keep them in the controller.
--   **Partial Awareness**: Use `<odac:include view="path.to.view" />` for reusable components.

package/docs/ai/skills/frontend/core.md

@@ -60,11 +60,25 @@ Odac.action({
 ### 3. Data Utilities
 ```javascript
 // Accessing data shared from backend (Odac.share)
-const user = odac.data('user');
+const user = odac.data('user')
 
 // Using Storage wrapper
-odac.storage('theme', 'dark');
-const theme = odac.storage('theme');
+odac.storage('theme', 'dark')
+const theme = odac.storage('theme')
+```
+
+### 4. Programmatic Navigation
+```javascript
+// Navigate to a URL (AJAX, pushes to history)
+Odac.load('/dashboard')
+
+// Navigate without history entry
+Odac.load('/dashboard', null, false)
+
+// Navigate with a post-load callback
+Odac.load('/dashboard', function(page, vars) {
+  console.log('Loaded page:', page)
+})
 ```
 
 ## Best Practices