tina4-nodejs 3.11.32 → 3.12.0

package/package.json

@@ -3,7 +3,7 @@
 
 
 
-  "version": "3.11.32",
+  "version": "3.12.0",
 
   "type": "module",
   "description": "Tina4 for Node.js/TypeScript — 54 built-in features, zero dependencies",

package/packages/cli/src/bin.ts

@@ -138,7 +138,7 @@ async function main(): Promise<void> {
 
       loadEnv();
 
-      const dbUrl = process.env.DATABASE_URL;
+      const dbUrl = process.env.TINA4_DATABASE_URL;
       let db: unknown = null;
       if (dbUrl) {
         try {

package/packages/core/public/js/frond.js

@@ -0,0 +1,600 @@
+var _frondModule = (() => {
+  var __defProp = Object.defineProperty;
+  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+  var __getOwnPropNames = Object.getOwnPropertyNames;
+  var __hasOwnProp = Object.prototype.hasOwnProperty;
+  var __export = (target, all) => {
+    for (var name in all)
+      __defProp(target, name, { get: all[name], enumerable: true });
+  };
+  var __copyProps = (to, from, except, desc) => {
+    if (from && typeof from === "object" || typeof from === "function") {
+      for (let key of __getOwnPropNames(from))
+        if (!__hasOwnProp.call(to, key) && key !== except)
+          __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+    }
+    return to;
+  };
+  var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+  // src/js/frond.ts
+  var frond_exports = {};
+  __export(frond_exports, {
+    frond: () => frond
+  });
+  var _token = null;
+  function request(url, options) {
+    let opts;
+    if (typeof options === "function") {
+      opts = { onSuccess: options };
+    } else {
+      opts = options || {};
+    }
+    const method = (opts.method || "GET").toUpperCase();
+    const xhr = new XMLHttpRequest();
+    xhr.open(method, url, true);
+    if (_token !== null) {
+      xhr.setRequestHeader("Authorization", "Bearer " + _token);
+    }
+    if (opts.headers) {
+      for (const key in opts.headers) {
+        if (Object.prototype.hasOwnProperty.call(opts.headers, key)) {
+          xhr.setRequestHeader(key, opts.headers[key]);
+        }
+      }
+    }
+    let body = null;
+    if (opts.body !== void 0 && opts.body !== null) {
+      if (opts.body instanceof FormData) {
+        body = opts.body;
+      } else if (typeof opts.body === "object") {
+        body = JSON.stringify(opts.body);
+        xhr.setRequestHeader("Content-Type", "application/json; charset=UTF-8");
+      } else if (typeof opts.body === "string") {
+        body = opts.body;
+        xhr.setRequestHeader("Content-Type", "text/plain; charset=UTF-8");
+      }
+    }
+    xhr.onload = function() {
+      const freshToken = xhr.getResponseHeader("FreshToken");
+      if (freshToken && freshToken !== "") {
+        _token = freshToken;
+      }
+      let content = xhr.response;
+      try {
+        content = JSON.parse(content);
+      } catch {
+      }
+      if (xhr.responseURL) {
+        const requested = new URL(url, window.location.href).href;
+        if (xhr.responseURL !== requested) {
+          window.location.href = xhr.responseURL;
+          return;
+        }
+      }
+      if (xhr.status >= 200 && xhr.status < 400) {
+        if (opts.onSuccess) opts.onSuccess(content, xhr.status, xhr);
+      } else {
+        if (opts.onError) opts.onError(xhr.status, xhr);
+      }
+    };
+    xhr.onerror = function() {
+      if (opts.onError) opts.onError(xhr.status, xhr);
+    };
+    xhr.send(body);
+  }
+  function inject(html, target) {
+    if (!html) return "";
+    const parser = new DOMParser();
+    const wrapped = html.includes("<html>") ? html : "<body>" + html + "</body></html>";
+    const doc = parser.parseFromString(wrapped, "text/html");
+    const body = doc.querySelector("body");
+    const scripts = body.querySelectorAll("script");
+    scripts.forEach(function(s) {
+      s.remove();
+    });
+    if (target !== null) {
+      const el = document.getElementById(target);
+      if (!el) return "";
+      if (body.children.length > 0) {
+        el.replaceChildren.apply(el, Array.from(body.children));
+      } else {
+        el.innerHTML = body.innerHTML;
+      }
+      scripts.forEach(function(script) {
+        const ns = document.createElement("script");
+        ns.type = "text/javascript";
+        ns.async = true;
+        if (script.src) {
+          ns.src = script.src;
+        } else {
+          ns.textContent = script.textContent;
+        }
+        el.appendChild(ns);
+      });
+      return "";
+    }
+    scripts.forEach(function(script) {
+      const ns = document.createElement("script");
+      ns.type = "text/javascript";
+      ns.async = true;
+      ns.textContent = script.textContent;
+      document.body.appendChild(ns);
+    });
+    return body.innerHTML;
+  }
+  function load(url, target, callback) {
+    const targetId = target || "content";
+    request(url, {
+      method: "GET",
+      onSuccess: function(data, _status) {
+        if (document.getElementById(targetId)) {
+          const html = inject(data, targetId);
+          if (callback) callback(html, data);
+        } else {
+          if (callback) callback(data);
+        }
+      }
+    });
+  }
+  function post(url, data, target, callback) {
+    const targetId = target || "content";
+    request(url, {
+      method: "POST",
+      body: data,
+      onSuccess: function(responseData) {
+        let html = "";
+        if (responseData && responseData.message !== void 0) {
+          html = inject(responseData.message, targetId);
+        } else if (document.getElementById(targetId)) {
+          html = inject(responseData, targetId);
+        } else {
+          if (callback) callback(responseData);
+          return;
+        }
+        if (callback) callback(html, responseData);
+      }
+    });
+  }
+  var form = {
+    /**
+     * Collect all form field values into a FormData object.
+     *
+     * Handles inputs, selects, textareas, file uploads (including
+     * multi-file), checkboxes, and radio buttons. Updates formToken
+     * hidden fields automatically.
+     *
+     * @param formId - DOM id of the form (without '#').
+     * @returns Populated FormData instance.
+     */
+    collect: function(formId) {
+      const fd = new FormData();
+      const elements = document.querySelectorAll("#" + formId + " select, #" + formId + " input, #" + formId + " textarea");
+      for (let i = 0; i < elements.length; i++) {
+        const el = elements[i];
+        if (el.name === "formToken" && _token !== null) {
+          el.value = _token;
+        }
+        if (!el.name) continue;
+        if (el.type === "file") {
+          const files = el.files;
+          if (files) {
+            for (let f = 0; f < files.length; f++) {
+              const file = files[f];
+              if (file !== void 0) {
+                let name = el.name;
+                if (files.length > 1 && !name.includes("[")) {
+                  name = name + "[]";
+                }
+                fd.append(name, file, file.name);
+              }
+            }
+          }
+        } else if (el.type === "checkbox" || el.type === "radio") {
+          if (el.checked) {
+            fd.append(el.name, el.value);
+          } else if (el.type !== "radio") {
+            fd.append(el.name, "0");
+          }
+        } else {
+          fd.append(el.name, el.value === "" ? "" : el.value);
+        }
+      }
+      return fd;
+    },
+    /**
+     * Collect form data and POST it to a URL. Inject response into target.
+     *
+     * @param formId   - DOM id of the form.
+     * @param url      - URL to POST to.
+     * @param target   - DOM id to inject response into (default: "message").
+     * @param callback - Optional callback.
+     */
+    submit: function(formId, url, target, callback) {
+      const data = form.collect(formId);
+      post(url, data, target || "message", callback);
+    },
+    /**
+     * Load a form via the given action and inject response HTML.
+     *
+     * Accepts friendly names: "create", "edit" map to GET; "delete" maps
+     * to DELETE.
+     *
+     * @param action  - HTTP method or friendly name.
+     * @param url     - URL to fetch.
+     * @param target  - DOM id to inject into (default: "form").
+     * @param callback - Optional callback.
+     */
+    show: function(action, url, target, callback) {
+      let method = action.toUpperCase();
+      if (action === "create" || action === "edit") method = "GET";
+      if (action === "delete") method = "DELETE";
+      const targetId = target || "form";
+      request(url, {
+        method,
+        onSuccess: function(data) {
+          let html = "";
+          if (data && data.message !== void 0) {
+            html = inject(data.message, targetId);
+          } else if (document.getElementById(targetId)) {
+            html = inject(data, targetId);
+          } else {
+            if (callback) callback(data);
+            return;
+          }
+          if (callback) callback(html);
+        }
+      });
+    }
+  };
+  function wsConnect(url, options) {
+    const opts = {
+      reconnect: true,
+      reconnectDelay: 1e3,
+      maxReconnectDelay: 3e4,
+      maxReconnectAttempts: Infinity,
+      protocols: [],
+      onOpen: function() {
+      },
+      onClose: function() {
+      },
+      onError: function() {
+      },
+      ...options || {}
+    };
+    let socket = null;
+    let intentionalClose = false;
+    let currentDelay = opts.reconnectDelay;
+    let attempts = 0;
+    let reconnectTimer = null;
+    const listeners = {
+      message: [],
+      open: [],
+      close: [],
+      error: []
+    };
+    const managed = {
+      status: "connecting",
+      send: function(data) {
+        if (!socket || socket.readyState !== WebSocket.OPEN) {
+          throw new Error("[frond] WebSocket is not connected");
+        }
+        socket.send(typeof data === "string" ? data : JSON.stringify(data));
+      },
+      on: function(event, handler) {
+        if (!listeners[event]) listeners[event] = [];
+        listeners[event].push(handler);
+        return function() {
+          const arr = listeners[event];
+          const idx = arr.indexOf(handler);
+          if (idx >= 0) arr.splice(idx, 1);
+        };
+      },
+      close: function(code, reason) {
+        intentionalClose = true;
+        if (reconnectTimer) {
+          clearTimeout(reconnectTimer);
+          reconnectTimer = null;
+        }
+        if (socket) {
+          socket.close(code || 1e3, reason || "");
+        }
+        managed.status = "closed";
+      }
+    };
+    function parseMessage(data) {
+      if (typeof data !== "string") return data;
+      try {
+        return JSON.parse(data);
+      } catch {
+        return data;
+      }
+    }
+    function scheduleReconnect() {
+      if (!opts.reconnect || attempts >= opts.maxReconnectAttempts) return;
+      attempts++;
+      managed.status = "reconnecting";
+      reconnectTimer = setTimeout(function() {
+        reconnectTimer = null;
+        connect();
+      }, currentDelay);
+      currentDelay = Math.min(currentDelay * 2, opts.maxReconnectDelay);
+    }
+    function connect() {
+      managed.status = attempts > 0 ? "reconnecting" : "connecting";
+      try {
+        socket = new WebSocket(url, opts.protocols);
+      } catch {
+        managed.status = "closed";
+        return;
+      }
+      socket.onopen = function() {
+        managed.status = "open";
+        attempts = 0;
+        currentDelay = opts.reconnectDelay;
+        opts.onOpen();
+        for (const fn of listeners.open) fn();
+      };
+      socket.onmessage = function(event) {
+        const parsed = parseMessage(event.data);
+        for (const fn of listeners.message) fn(parsed);
+      };
+      socket.onclose = function(event) {
+        managed.status = "closed";
+        opts.onClose(event.code, event.reason);
+        for (const fn of listeners.close) fn(event.code, event.reason);
+        if (!intentionalClose) {
+          scheduleReconnect();
+        }
+      };
+      socket.onerror = function(event) {
+        opts.onError(event);
+        for (const fn of listeners.error) fn(event);
+      };
+    }
+    connect();
+    return managed;
+  }
+  function sseConnect(url, options) {
+    const opts = {
+      reconnect: true,
+      reconnectDelay: 1e3,
+      maxReconnectDelay: 3e4,
+      maxReconnectAttempts: Infinity,
+      events: [],
+      json: true,
+      onOpen: function() {
+      },
+      onClose: function() {
+      },
+      onError: function() {
+      },
+      ...options || {}
+    };
+    let source = null;
+    let intentionalClose = false;
+    let currentDelay = opts.reconnectDelay;
+    let attempts = 0;
+    let reconnectTimer = null;
+    const listeners = {
+      message: [],
+      open: [],
+      close: [],
+      error: []
+    };
+    const managed = {
+      status: "connecting",
+      on: function(event, handler) {
+        if (!listeners[event]) listeners[event] = [];
+        listeners[event].push(handler);
+        return function() {
+          const arr = listeners[event];
+          const idx = arr.indexOf(handler);
+          if (idx >= 0) arr.splice(idx, 1);
+        };
+      },
+      close: function() {
+        intentionalClose = true;
+        if (reconnectTimer) {
+          clearTimeout(reconnectTimer);
+          reconnectTimer = null;
+        }
+        if (source) {
+          source.close();
+          source = null;
+        }
+        managed.status = "closed";
+      }
+    };
+    function parseData(raw) {
+      if (!opts.json) return raw;
+      try {
+        return JSON.parse(raw);
+      } catch {
+        return raw;
+      }
+    }
+    function dispatch(data, eventName) {
+      for (const fn of listeners.message) fn(data, eventName || void 0);
+    }
+    function scheduleReconnect() {
+      if (!opts.reconnect || attempts >= opts.maxReconnectAttempts) return;
+      attempts++;
+      managed.status = "reconnecting";
+      reconnectTimer = setTimeout(function() {
+        reconnectTimer = null;
+        connect();
+      }, currentDelay);
+      currentDelay = Math.min(currentDelay * 2, opts.maxReconnectDelay);
+    }
+    function connect() {
+      managed.status = attempts > 0 ? "reconnecting" : "connecting";
+      try {
+        source = new EventSource(url);
+      } catch {
+        managed.status = "closed";
+        return;
+      }
+      source.onopen = function() {
+        managed.status = "open";
+        attempts = 0;
+        currentDelay = opts.reconnectDelay;
+        opts.onOpen();
+        for (const fn of listeners.open) fn(null);
+      };
+      source.onmessage = function(event) {
+        dispatch(parseData(event.data), null);
+      };
+      for (const name of opts.events) {
+        source.addEventListener(name, function(e) {
+          dispatch(parseData(e.data), name);
+        });
+      }
+      source.onerror = function(event) {
+        opts.onError(event);
+        for (const fn of listeners.error) fn(event);
+        if (source && source.readyState === 2) {
+          source = null;
+          managed.status = "closed";
+          opts.onClose();
+          for (const fn of listeners.close) fn(null);
+          if (!intentionalClose) {
+            scheduleReconnect();
+          }
+        }
+      };
+    }
+    connect();
+    return managed;
+  }
+  var cookie = {
+    /**
+     * Set a browser cookie.
+     *
+     * @param name  - Cookie name.
+     * @param value - Cookie value.
+     * @param days  - Optional lifetime in days.
+     */
+    set: function(name, value, days) {
+      let expires = "";
+      if (days) {
+        const d = /* @__PURE__ */ new Date();
+        d.setTime(d.getTime() + days * 24 * 60 * 60 * 1e3);
+        expires = "; expires=" + d.toUTCString();
+      }
+      document.cookie = name + "=" + (value || "") + expires + "; path=/";
+    },
+    /**
+     * Retrieve a cookie value by name.
+     *
+     * @param name - Cookie name.
+     * @returns Cookie value, or null if not found.
+     */
+    get: function(name) {
+      const nameEQ = name + "=";
+      const parts = document.cookie.split(";");
+      for (let i = 0; i < parts.length; i++) {
+        let c = parts[i];
+        while (c.charAt(0) === " ") c = c.substring(1);
+        if (c.indexOf(nameEQ) === 0) return c.substring(nameEQ.length);
+      }
+      return null;
+    },
+    /**
+     * Delete a cookie by name.
+     *
+     * @param name - Cookie name.
+     */
+    remove: function(name) {
+      document.cookie = name + "=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/";
+    }
+  };
+  function message(text, type) {
+    const el = document.getElementById("message");
+    if (!el) return;
+    const alertType = type || "info";
+    el.innerHTML = '<div class="alert alert-' + alertType + ' alert-dismissible">' + text + '<button type="button" class="btn-close" data-t4-dismiss="alert">&times;</button></div>';
+  }
+  function popup(url, title, w, h) {
+    const dualLeft = window.screenLeft !== void 0 ? window.screenLeft : window.screenX;
+    const dualTop = window.screenTop !== void 0 ? window.screenTop : window.screenY;
+    const width = window.innerWidth || document.documentElement.clientWidth || screen.width;
+    const height = window.innerHeight || document.documentElement.clientHeight || screen.height;
+    const zoom = width / window.screen.availWidth;
+    const left = (width - w) / 2 / zoom + dualLeft;
+    const top = (height - h) / 2 / zoom + dualTop;
+    const win = window.open(
+      url,
+      title,
+      "directories=no,toolbar=no,location=no,status=no,menubar=no,scrollbars=yes,resizable=yes,width=" + w / zoom + ",height=" + h / zoom + ",top=" + top + ",left=" + left
+    );
+    if (window.focus && win) win.focus();
+    return win;
+  }
+  function report(url) {
+    if (url.indexOf("No data available") >= 0) {
+      window.alert("No data available for this report.");
+      return;
+    }
+    window.open(
+      url,
+      "_blank",
+      "toolbar=no,scrollbars=yes,resizable=yes,width=800,height=600,top=0,left=0"
+    );
+  }
+  function graphql(url, query, variables, callback) {
+    request(url, {
+      method: "POST",
+      body: { query, variables: variables || {} },
+      onSuccess: function(response) {
+        if (callback) {
+          callback(response.data || null, response.errors || void 0);
+        }
+      },
+      onError: function(status) {
+        if (callback) {
+          callback(null, [{ message: "GraphQL request failed with status " + status }]);
+        }
+      }
+    });
+  }
+  var frond = {
+    /** Core HTTP request. */
+    request,
+    /** GET + inject HTML into target element. */
+    load,
+    /** POST + inject HTML into target element. */
+    post,
+    /** Parse HTML string, inject into element, execute scripts. */
+    inject,
+    /** Form helpers: collect, submit, show. */
+    form,
+    /** WebSocket with auto-reconnect. */
+    ws: wsConnect,
+    /** Server-Sent Events with auto-reconnect. */
+    sse: sseConnect,
+    /** Cookie helpers: get, set, remove. */
+    cookie,
+    /** Display alert message in #message element. */
+    message,
+    /** Open centred popup window. */
+    popup,
+    /** Open PDF report in new window. */
+    report,
+    /** Execute a GraphQL query/mutation. */
+    graphql,
+    /** Current bearer token (read/write). */
+    get token() {
+      return _token;
+    },
+    set token(value) {
+      _token = value;
+    }
+  };
+  if (typeof window !== "undefined") {
+    window.frond = frond;
+  }
+  return __toCommonJS(frond_exports);
+})();
+/* Frond v2.1.3 — tina4.com */
+//# sourceMappingURL=frond.js.map

package/packages/core/public/js/frond.min.js

@@ -1,2 +1,2 @@
 var _frondModule=(()=>{var b=Object.defineProperty;var k=Object.getOwnPropertyDescriptor;var x=Object.getOwnPropertyNames;var C=Object.prototype.hasOwnProperty;var O=(o,s)=>{for(var e in s)b(o,e,{get:s[e],enumerable:!0})},M=(o,s,e,t)=>{if(s&&typeof s=="object"||typeof s=="function")for(let n of x(s))!C.call(o,n)&&n!==e&&b(o,n,{get:()=>s[n],enumerable:!(t=k(s,n))||t.enumerable});return o};var q=o=>M(b({},"__esModule",{value:!0}),o);var j={};O(j,{frond:()=>R});var g=null;function w(o,s){let e;typeof s=="function"?e={onSuccess:s}:e=s||{};let t=(e.method||"GET").toUpperCase(),n=new XMLHttpRequest;if(n.open(t,o,!0),g!==null&&n.setRequestHeader("Authorization","Bearer "+g),e.headers)for(let r in e.headers)Object.prototype.hasOwnProperty.call(e.headers,r)&&n.setRequestHeader(r,e.headers[r]);let i=null;e.body!==void 0&&e.body!==null&&(e.body instanceof FormData?i=e.body:typeof e.body=="object"?(i=JSON.stringify(e.body),n.setRequestHeader("Content-Type","application/json; charset=UTF-8")):typeof e.body=="string"&&(i=e.body,n.setRequestHeader("Content-Type","text/plain; charset=UTF-8"))),n.onload=function(){let r=n.getResponseHeader("FreshToken");r&&r!==""&&(g=r);let u=n.response;try{u=JSON.parse(u)}catch{}if(n.responseURL){let c=new URL(o,window.location.href).href;if(n.responseURL!==c){window.location.href=n.responseURL;return}}n.status>=200&&n.status<400?e.onSuccess&&e.onSuccess(u,n.status,n):e.onError&&e.onError(n.status,n)},n.onerror=function(){e.onError&&e.onError(n.status,n)},n.send(i)}function h(o,s){if(!o)return"";let e=new DOMParser,t=o.includes("<html>")?o:"<body>"+o+"</body></html>",i=e.parseFromString(t,"text/html").querySelector("body"),r=i.querySelectorAll("script");if(r.forEach(function(u){u.remove()}),s!==null){let u=document.getElementById(s);return u&&(i.children.length>0?u.replaceChildren.apply(u,Array.from(i.children)):u.innerHTML=i.innerHTML,r.forEach(function(c){let d=document.createElement("script");d.type="text/javascript",d.async=!0,c.src?d.src=c.src:d.textContent=c.textContent,u.appendChild(d)})),""}return r.forEach(function(u){let c=document.createElement("script");c.type="text/javascript",c.async=!0,c.textContent=u.textContent,document.body.appendChild(c)}),i.innerHTML}function H(o,s,e){let t=s||"content";w(o,{method:"GET",onSuccess:function(n,i){if(document.getElementById(t)){let r=h(n,t);e&&e(r,n)}else e&&e(n)}})}function S(o,s,e,t){let n=e||"content";w(o,{method:"POST",body:s,onSuccess:function(i){let r="";if(i&&i.message!==void 0)r=h(i.message,n);else if(document.getElementById(n))r=h(i,n);else{t&&t(i);return}t&&t(r,i)}})}var T={collect:function(o){let s=new FormData,e=document.querySelectorAll("#"+o+" select, #"+o+" input, #"+o+" textarea");for(let t=0;t<e.length;t++){let n=e[t];if(n.name==="formToken"&&g!==null&&(n.value=g),!!n.name)if(n.type==="file"){let i=n.files;if(i)for(let r=0;r<i.length;r++){let u=i[r];if(u!==void 0){let c=n.name;i.length>1&&!c.includes("[")&&(c=c+"[]"),s.append(c,u,u.name)}}}else n.type==="checkbox"||n.type==="radio"?n.checked?s.append(n.name,n.value):n.type!=="radio"&&s.append(n.name,"0"):s.append(n.name,n.value===""?"":n.value)}return s},submit:function(o,s,e,t){let n=T.collect(o);S(s,n,e||"message",t)},show:function(o,s,e,t){let n=o.toUpperCase();(o==="create"||o==="edit")&&(n="GET"),o==="delete"&&(n="DELETE");let i=e||"form";w(s,{method:n,onSuccess:function(r){let u="";if(r&&r.message!==void 0)u=h(r.message,i);else if(document.getElementById(i))u=h(r,i);else{t&&t(r);return}t&&t(u)}})}};function L(o,s){let e={reconnect:!0,reconnectDelay:1e3,maxReconnectDelay:3e4,maxReconnectAttempts:1/0,protocols:[],onOpen:function(){},onClose:function(){},onError:function(){},...s||{}},t=null,n=!1,i=e.reconnectDelay,r=0,u=null,c={message:[],open:[],close:[],error:[]},d={status:"connecting",send:function(l){if(!t||t.readyState!==WebSocket.OPEN)throw new Error("[frond] WebSocket is not connected");t.send(typeof l=="string"?l:JSON.stringify(l))},on:function(l,a){return c[l]||(c[l]=[]),c[l].push(a),function(){let f=c[l],m=f.indexOf(a);m>=0&&f.splice(m,1)}},close:function(l,a){n=!0,u&&(clearTimeout(u),u=null),t&&t.close(l||1e3,a||""),d.status="closed"}};function y(l){if(typeof l!="string")return l;try{return JSON.parse(l)}catch{return l}}function p(){!e.reconnect||r>=e.maxReconnectAttempts||(r++,d.status="reconnecting",u=setTimeout(function(){u=null,v()},i),i=Math.min(i*2,e.maxReconnectDelay))}function v(){d.status=r>0?"reconnecting":"connecting";try{t=new WebSocket(o,e.protocols)}catch{d.status="closed";return}t.onopen=function(){d.status="open",r=0,i=e.reconnectDelay,e.onOpen();for(let l of c.open)l()},t.onmessage=function(l){let a=y(l.data);for(let f of c.message)f(a)},t.onclose=function(l){d.status="closed",e.onClose(l.code,l.reason);for(let a of c.close)a(l.code,l.reason);n||p()},t.onerror=function(l){e.onError(l);for(let a of c.error)a(l)}}return v(),d}function D(o,s){let e={reconnect:!0,reconnectDelay:1e3,maxReconnectDelay:3e4,maxReconnectAttempts:1/0,events:[],json:!0,onOpen:function(){},onClose:function(){},onError:function(){},...s||{}},t=null,n=!1,i=e.reconnectDelay,r=0,u=null,c={message:[],open:[],close:[],error:[]},d={status:"connecting",on:function(a,f){return c[a]||(c[a]=[]),c[a].push(f),function(){let m=c[a],E=m.indexOf(f);E>=0&&m.splice(E,1)}},close:function(){n=!0,u&&(clearTimeout(u),u=null),t&&(t.close(),t=null),d.status="closed"}};function y(a){if(!e.json)return a;try{return JSON.parse(a)}catch{return a}}function p(a,f){for(let m of c.message)m(a,f||void 0)}function v(){!e.reconnect||r>=e.maxReconnectAttempts||(r++,d.status="reconnecting",u=setTimeout(function(){u=null,l()},i),i=Math.min(i*2,e.maxReconnectDelay))}function l(){d.status=r>0?"reconnecting":"connecting";try{t=new EventSource(o)}catch{d.status="closed";return}t.onopen=function(){d.status="open",r=0,i=e.reconnectDelay,e.onOpen();for(let a of c.open)a(null)},t.onmessage=function(a){p(y(a.data),null)};for(let a of e.events)t.addEventListener(a,function(f){p(y(f.data),a)});t.onerror=function(a){e.onError(a);for(let f of c.error)f(a);if(t&&t.readyState===2){t=null,d.status="closed",e.onClose();for(let f of c.close)f(null);n||v()}}}return l(),d}var W={set:function(o,s,e){let t="";if(e){let n=new Date;n.setTime(n.getTime()+e*24*60*60*1e3),t="; expires="+n.toUTCString()}document.cookie=o+"="+(s||"")+t+"; path=/"},get:function(o){let s=o+"=",e=document.cookie.split(";");for(let t=0;t<e.length;t++){let n=e[t];for(;n.charAt(0)===" ";)n=n.substring(1);if(n.indexOf(s)===0)return n.substring(s.length)}return null},remove:function(o){document.cookie=o+"=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/"}};function A(o,s){let e=document.getElementById("message");if(!e)return;let t=s||"info";e.innerHTML='<div class="alert alert-'+t+' alert-dismissible">'+o+'<button type="button" class="btn-close" data-t4-dismiss="alert">&times;</button></div>'}function I(o,s,e,t){let n=window.screenLeft!==void 0?window.screenLeft:window.screenX,i=window.screenTop!==void 0?window.screenTop:window.screenY,r=window.innerWidth||document.documentElement.clientWidth||screen.width,u=window.innerHeight||document.documentElement.clientHeight||screen.height,c=r/window.screen.availWidth,d=(r-e)/2/c+n,y=(u-t)/2/c+i,p=window.open(o,s,"directories=no,toolbar=no,location=no,status=no,menubar=no,scrollbars=yes,resizable=yes,width="+e/c+",height="+t/c+",top="+y+",left="+d);return window.focus&&p&&p.focus(),p}function N(o){if(o.indexOf("No data available")>=0){window.alert("No data available for this report.");return}window.open(o,"_blank","toolbar=no,scrollbars=yes,resizable=yes,width=800,height=600,top=0,left=0")}function U(o,s,e,t){w(o,{method:"POST",body:{query:s,variables:e||{}},onSuccess:function(n){t&&t(n.data||null,n.errors||void 0)},onError:function(n){t&&t(null,[{message:"GraphQL request failed with status "+n}])}})}var R={request:w,load:H,post:S,inject:h,form:T,ws:L,sse:D,cookie:W,message:A,popup:I,report:N,graphql:U,get token(){return g},set token(o){g=o}};typeof window<"u"&&(window.frond=R);return q(j);})();
-/* Frond v2 — tina4.com */
+/* Frond v2.1.3 — tina4.com */

package/packages/core/src/auth.ts

@@ -32,7 +32,7 @@ function base64urlDecode(str: string): Buffer {
 /**
  * Create a signed JWT token.
  *
- * Secret is always read from `process.env.SECRET`.
+ * Secret is always read from `process.env.TINA4_SECRET`.
  * Algorithm is read from `process.env.TINA4_JWT_ALGORITHM` (default "HS256").
  *
  * @param payload          - Claims to encode (e.g. `{ userId: 1, role: "admin" }`)
@@ -50,15 +50,15 @@ export function getToken(
   let resolvedSecret: string;
   let resolvedExpiresIn: number;
   if (typeof secretOrExpiresIn === "number") {
-    resolvedSecret = process.env.SECRET ?? "";
+    resolvedSecret = process.env.TINA4_SECRET ?? "";
     resolvedExpiresIn = secretOrExpiresIn;
   } else {
-    resolvedSecret = secretOrExpiresIn ?? process.env.SECRET ?? "";
+    resolvedSecret = secretOrExpiresIn ?? process.env.TINA4_SECRET ?? "";
     resolvedExpiresIn = expiresIn;
   }
 
   if (!resolvedSecret) {
-    console.warn("Auth: SECRET not set in .env — using blank secret (insecure)");
+    console.warn("Auth: TINA4_SECRET not set in .env — using blank secret (insecure)");
   }
   const resolvedAlgorithm = algorithm ?? process.env.TINA4_JWT_ALGORITHM ?? "HS256";
 
@@ -81,13 +81,13 @@ export function getToken(
 /**
  * Validate a JWT token and return the decoded payload, or false if invalid/expired.
  *
- * Secret is always read from `process.env.SECRET`.
+ * Secret is always read from `process.env.TINA4_SECRET`.
  * Algorithm is read from `process.env.TINA4_JWT_ALGORITHM` (default "HS256").
  */
 export function validToken(token: string, secret?: string, algorithm?: string): boolean {
-  const resolvedSecret = secret ?? process.env.SECRET ?? "";
+  const resolvedSecret = secret ?? process.env.TINA4_SECRET ?? "";
   if (!resolvedSecret) {
-    console.warn("Auth: SECRET not set in .env — using blank secret (insecure)");
+    console.warn("Auth: TINA4_SECRET not set in .env — using blank secret (insecure)");
   }
   const resolvedAlgorithm = algorithm ?? process.env.TINA4_JWT_ALGORITHM ?? "HS256";
   try {
@@ -240,7 +240,7 @@ export function authMiddleware(secret?: string, algorithm: string = "HS256"): Mi
  * Refresh a JWT token — validate the existing token then re-sign
  * with a fresh expiry.
  *
- * Secret is always read from `process.env.SECRET`.
+ * Secret is always read from `process.env.TINA4_SECRET`.
  *
  * @param token     - Existing JWT to refresh
  * @param expiresIn - New lifetime in seconds (default 3600)

package/packages/core/src/devAdmin.ts

@@ -1206,9 +1206,9 @@ function parseEnvFile(): Record<string, string> {
 const handleConnections: RouteHandler = (_req, res) => {
   const env = parseEnvFile();
   res.json({
-    url: env.DATABASE_URL ?? "",
-    username: env.DATABASE_USERNAME ?? "",
-    password: env.DATABASE_PASSWORD ? "***" : "",
+    url: env.TINA4_DATABASE_URL ?? "",
+    username: env.TINA4_DATABASE_USERNAME ?? "",
+    password: env.TINA4_DATABASE_PASSWORD ? "***" : "",
   });
 };
 
@@ -1274,7 +1274,7 @@ const handleConnectionsSave: RouteHandler = (req, res) => {
   try {
     const envPath = join(process.cwd(), ".env");
     const lines = existsSync(envPath) ? readFileSync(envPath, "utf-8").split("\n") : [];
-    const keysFound: Record<string, boolean> = { DATABASE_URL: false, DATABASE_USERNAME: false, DATABASE_PASSWORD: false };
+    const keysFound: Record<string, boolean> = { TINA4_DATABASE_URL: false, TINA4_DATABASE_USERNAME: false, TINA4_DATABASE_PASSWORD: false };
     const newLines: string[] = [];
     for (const line of lines) {
       const trimmed = line.trim();
@@ -1283,12 +1283,12 @@ const handleConnectionsSave: RouteHandler = (req, res) => {
         continue;
       }
       const key = trimmed.split("=", 1)[0].trim();
-      if (key === "DATABASE_URL") { newLines.push(`DATABASE_URL=${url}`); keysFound.DATABASE_URL = true; }
-      else if (key === "DATABASE_USERNAME") { newLines.push(`DATABASE_USERNAME=${username}`); keysFound.DATABASE_USERNAME = true; }
-      else if (key === "DATABASE_PASSWORD") { newLines.push(`DATABASE_PASSWORD=${password}`); keysFound.DATABASE_PASSWORD = true; }
+      if (key === "TINA4_DATABASE_URL") { newLines.push(`TINA4_DATABASE_URL=${url}`); keysFound.TINA4_DATABASE_URL = true; }
+      else if (key === "TINA4_DATABASE_USERNAME") { newLines.push(`TINA4_DATABASE_USERNAME=${username}`); keysFound.TINA4_DATABASE_USERNAME = true; }
+      else if (key === "TINA4_DATABASE_PASSWORD") { newLines.push(`TINA4_DATABASE_PASSWORD=${password}`); keysFound.TINA4_DATABASE_PASSWORD = true; }
       else { newLines.push(line); }
     }
-    const values: Record<string, string> = { DATABASE_URL: url, DATABASE_USERNAME: username, DATABASE_PASSWORD: password };
+    const values: Record<string, string> = { TINA4_DATABASE_URL: url, TINA4_DATABASE_USERNAME: username, TINA4_DATABASE_PASSWORD: password };
     for (const [key, found] of Object.entries(keysFound)) {
       if (!found) newLines.push(`${key}=${values[key]}`);
     }

package/packages/core/src/devMailbox.ts

@@ -57,7 +57,7 @@ export class DevMailbox {
     const message: EmailMessage = {
       id,
       type: "outbox",
-      from: from ?? process.env.SMTP_FROM ?? "dev@localhost",
+      from: from ?? process.env.TINA4_MAIL_FROM ?? "dev@localhost",
       to: toList,
       cc,
       bcc,
@@ -286,7 +286,7 @@ export class DevMailbox {
  *
  * Returns DevMailbox when:
  *   - TINA4_DEBUG is "true", OR
- *   - No SMTP_HOST is configured
+ *   - No TINA4_MAIL_HOST is configured
  *
  * Returns a real Messenger otherwise (SMTP configured + not debug mode).
  *
@@ -294,7 +294,7 @@ export class DevMailbox {
  */
 export function createMessenger(): Messenger | DevMailbox {
   const debug = process.env.TINA4_DEBUG;
-  const smtpHost = process.env.SMTP_HOST;
+  const smtpHost = process.env.TINA4_MAIL_HOST;
 
   // Force dev mode when TINA4_DEBUG is truthy
   if (isTruthy(debug)) {

package/packages/core/src/index.ts

@@ -12,7 +12,7 @@ export type {
   WebSocketRouteDefinition,
 } from "./types.js";
 
-export { startServer, resolvePortAndHost, handle, start, stop } from "./server.js";
+export { startServer, resolvePortAndHost, handle, start, stop, httpReason, resolveTemplate, resetTemplateCache, templateAutoRoutingEnabled } from "./server.js";
 export { background, stopAllBackgroundTasks, backgroundTaskCount } from "./background.js";
 export { Router, RouteGroup, RouteRef, defaultRouter, runRouteMiddlewares } from "./router.js";
 export { get, post, put, patch, del, any, websocket, del as delete } from "./router.js";

package/packages/core/src/mcp.test.ts

@@ -300,25 +300,25 @@ console.log("\nResource Registration and Read");
 console.log("\nLocalhost Detection");
 
 {
-  const oldHost = process.env.HOST_NAME;
+  const oldHost = process.env.TINA4_HOST_NAME;
 
-  process.env.HOST_NAME = "localhost:7148";
+  process.env.TINA4_HOST_NAME = "localhost:7148";
   assert("isLocalhost — localhost", isLocalhost() === true);
 
-  process.env.HOST_NAME = "127.0.0.1:7148";
+  process.env.TINA4_HOST_NAME = "127.0.0.1:7148";
   assert("isLocalhost — 127.0.0.1", isLocalhost() === true);
 
-  process.env.HOST_NAME = "0.0.0.0:7148";
+  process.env.TINA4_HOST_NAME = "0.0.0.0:7148";
   assert("isLocalhost — 0.0.0.0", isLocalhost() === true);
 
-  process.env.HOST_NAME = "myserver.example.com:7148";
+  process.env.TINA4_HOST_NAME = "myserver.example.com:7148";
   assert("isLocalhost — remote false", isLocalhost() === false);
 
   // Restore
   if (oldHost !== undefined) {
-    process.env.HOST_NAME = oldHost;
+    process.env.TINA4_HOST_NAME = oldHost;
   } else {
-    delete process.env.HOST_NAME;
+    delete process.env.TINA4_HOST_NAME;
   }
 }
 

package/packages/core/src/mcp.ts

@@ -157,7 +157,7 @@ export function schemaFromParams(params: McpToolParam[]): JsonSchema {
 // ── Localhost detection ──────────────────────────────────────
 
 export function isLocalhost(): boolean {
-  const hostEnv = process.env.HOST_NAME || "localhost:7148";
+  const hostEnv = process.env.TINA4_HOST_NAME || "localhost:7148";
   const host = hostEnv.split(":")[0];
   return ["localhost", "127.0.0.1", "0.0.0.0", "::1", ""].includes(host);
 }

package/packages/core/src/messenger.ts

@@ -302,28 +302,24 @@ export class Messenger {
   private imapPass: string;
 
   constructor(options?: MessengerOptions) {
-    // Priority: constructor > TINA4_MAIL_* > SMTP_* > sensible default
+    // Priority: constructor > TINA4_MAIL_* > sensible default.
+    // Legacy SMTP_*/IMAP_* env vars were removed in v3.12 — boot guard rejects them.
     this.host = options?.host
       ?? process.env.TINA4_MAIL_HOST
-      ?? process.env.SMTP_HOST
       ?? "localhost";
     this.port = options?.port
-      ?? parseInt(process.env.TINA4_MAIL_PORT ?? process.env.SMTP_PORT ?? "587", 10);
+      ?? parseInt(process.env.TINA4_MAIL_PORT ?? "587", 10);
     this.username = options?.username
       ?? process.env.TINA4_MAIL_USERNAME
-      ?? process.env.SMTP_USERNAME
       ?? "";
     this.password = options?.password
       ?? process.env.TINA4_MAIL_PASSWORD
-      ?? process.env.SMTP_PASSWORD
       ?? "";
     this.fromAddress = options?.fromAddress
       ?? process.env.TINA4_MAIL_FROM
-      ?? process.env.SMTP_FROM
       ?? (this.username || "noreply@localhost");
     this.fromName = options?.fromName
       ?? process.env.TINA4_MAIL_FROM_NAME
-      ?? process.env.SMTP_FROM_NAME
       ?? "";
 
     // Encryption: constructor > .env > backward-compat useTls > default "tls"
@@ -340,15 +336,14 @@ export class Messenger {
 
     this.imapHost = options?.imapHost
       ?? process.env.TINA4_MAIL_IMAP_HOST
-      ?? process.env.IMAP_HOST
       ?? "";
     this.imapPort = options?.imapPort
-      ?? parseInt(process.env.TINA4_MAIL_IMAP_PORT ?? process.env.IMAP_PORT ?? "993", 10);
+      ?? parseInt(process.env.TINA4_MAIL_IMAP_PORT ?? "993", 10);
     this.imapUser = options?.imapUser
-      ?? process.env.IMAP_USER
+      ?? process.env.TINA4_MAIL_IMAP_USERNAME
       ?? this.username;
     this.imapPass = options?.imapPass
-      ?? process.env.IMAP_PASS
+      ?? process.env.TINA4_MAIL_IMAP_PASSWORD
       ?? this.password;
   }
 

package/packages/core/src/server.ts

@@ -47,6 +47,83 @@ const TINA4_VERSION = readPackageVersion();
 /** Cache Frond instances by template directory to avoid repeated instantiation. */
 const frondCache = new Map<string, InstanceType<any>>();
 
+// ─── Legacy env var guard (v3.12 hard rename) ────────────────────────────
+// All framework env vars now require the TINA4_ prefix. If any of these
+// pre-3.12 names are present in the environment we refuse to boot —
+// silently ignoring them would cause auth/db/mail to fall back to
+// defaults with no warning. Each maps to its new TINA4_-prefixed
+// canonical name.
+const _LEGACY_ENV_VARS: Record<string, string> = {
+  DATABASE_URL:           "TINA4_DATABASE_URL",
+  DATABASE_USERNAME:      "TINA4_DATABASE_USERNAME",
+  DATABASE_PASSWORD:      "TINA4_DATABASE_PASSWORD",
+  DB_URL:                 "TINA4_DATABASE_URL",
+  SECRET:                 "TINA4_SECRET",
+  API_KEY:                "TINA4_API_KEY",
+  JWT_ALGORITHM:          "TINA4_JWT_ALGORITHM",
+  SMTP_HOST:              "TINA4_MAIL_HOST",
+  SMTP_PORT:              "TINA4_MAIL_PORT",
+  SMTP_USERNAME:          "TINA4_MAIL_USERNAME",
+  SMTP_PASSWORD:          "TINA4_MAIL_PASSWORD",
+  SMTP_FROM:              "TINA4_MAIL_FROM",
+  SMTP_FROM_NAME:         "TINA4_MAIL_FROM_NAME",
+  IMAP_HOST:              "TINA4_MAIL_IMAP_HOST",
+  IMAP_PORT:              "TINA4_MAIL_IMAP_PORT",
+  IMAP_USER:              "TINA4_MAIL_IMAP_USERNAME",
+  IMAP_PASS:              "TINA4_MAIL_IMAP_PASSWORD",
+  HOST_NAME:              "TINA4_HOST_NAME",
+  SWAGGER_TITLE:          "TINA4_SWAGGER_TITLE",
+  SWAGGER_DESCRIPTION:    "TINA4_SWAGGER_DESCRIPTION",
+  SWAGGER_VERSION:        "TINA4_SWAGGER_VERSION",
+  ORM_PLURAL_TABLE_NAMES: "TINA4_ORM_PLURAL_TABLE_NAMES",
+};
+
+/**
+ * Refuse to boot if pre-3.12 un-prefixed env vars are still set.
+ *
+ * Tina4 v3.12 hard-renamed every framework-specific env var to use the
+ * `TINA4_` prefix. Booting silently with a legacy `DATABASE_URL` or
+ * `SECRET` would let auth, DB, or mail fall back to insecure defaults
+ * while the user thought their config was being read. Better to die
+ * loudly with a list of names to fix.
+ *
+ * Bypass with `TINA4_ALLOW_LEGACY_ENV=true` in CI / migration scripts
+ * that genuinely need both names set during a transition window.
+ */
+export function _checkLegacyEnvVars(): void {
+  if (isTruthy(process.env.TINA4_ALLOW_LEGACY_ENV)) {
+    return;
+  }
+  const found = Object.keys(_LEGACY_ENV_VARS)
+    .filter((name) => process.env[name] !== undefined)
+    .sort();
+  if (found.length === 0) {
+    return;
+  }
+  const bar = "─".repeat(72);
+  const lines: string[] = [
+    "",
+    bar,
+    "Tina4 v3.12 requires TINA4_ prefix on all framework env vars.",
+    "Your environment still has these legacy names:",
+    "",
+  ];
+  for (const old of found) {
+    const next = _LEGACY_ENV_VARS[old];
+    lines.push(`    ${old.padEnd(28)}  →  ${next}`);
+  }
+  lines.push(
+    "",
+    "Run `tina4 env-migrate` to rewrite your .env automatically,",
+    "or rename manually. See https://tina4.com/release/3.12.0",
+    "Set TINA4_ALLOW_LEGACY_ENV=true to bypass during migration.",
+    bar,
+    "",
+  );
+  process.stderr.write(lines.join("\n") + "\n");
+  process.exit(2);
+}
+
 /**
  * Kill whatever process is listening on *port*.
  * Uses lsof on macOS/Linux and netstat + taskkill on Windows.
@@ -231,23 +308,96 @@ function getGalleryDeployedState(): Record<string, boolean> {
   return state;
 }
 
+/**
+ * Auto-routing scans this single subdirectory of src/templates/. Only files
+ * in src/templates/pages/ become URLs — everything else (partials, layouts,
+ * base.twig, errors, components, macros) is never URL-exposed and remains
+ * renderable only via {% include %} / {% extends %} / res.render().
+ *
+ * Convention adapted from Next.js' pages/ directory and Nuxt's pages/ folder.
+ * Explicit, secure by default, no skip lists to maintain.
+ */
+const TEMPLATE_PAGES_DIR = "pages";
+
+/**
+ * Honour TINA4_TEMPLATE_ROUTING=off|false|0|no|disabled as an explicit kill
+ * switch. Default: enabled. Drop a file in src/templates/pages/ and it serves
+ * at the matching URL — the zero-config Tina4 convention. Operators who want
+ * explicit-only routing can set TINA4_TEMPLATE_ROUTING=off and every URL
+ * must be registered via get() / post() (or be a static file).
+ */
+export function templateAutoRoutingEnabled(): boolean {
+  const val = (process.env.TINA4_TEMPLATE_ROUTING ?? "on").trim().toLowerCase();
+  return !["off", "false", "0", "no", "disabled"].includes(val);
+}
+
+/**
+ * RFC 7231 / RFC 9110 status reason phrases. Used to write a correct HTTP
+ * status line — previously some paths wrote "HTTP/1.1 404 OK" because the
+ * canonical phrase wasn't being looked up per code.
+ */
+const HTTP_REASON_PHRASES: Record<number, string> = {
+  100: "Continue", 101: "Switching Protocols",
+  200: "OK", 201: "Created", 202: "Accepted", 204: "No Content",
+  206: "Partial Content",
+  301: "Moved Permanently", 302: "Found", 303: "See Other",
+  304: "Not Modified", 307: "Temporary Redirect", 308: "Permanent Redirect",
+  400: "Bad Request", 401: "Unauthorized", 403: "Forbidden",
+  404: "Not Found", 405: "Method Not Allowed", 406: "Not Acceptable",
+  409: "Conflict", 410: "Gone", 413: "Content Too Large",
+  415: "Unsupported Media Type", 422: "Unprocessable Content",
+  429: "Too Many Requests",
+  500: "Internal Server Error", 501: "Not Implemented",
+  502: "Bad Gateway", 503: "Service Unavailable", 504: "Gateway Timeout",
+};
+
+/**
+ * Return the canonical HTTP reason phrase for `status`. Falls back to a
+ * sensible label when an exotic status is used. Never returns an empty string.
+ */
+export function httpReason(status: number): string {
+  const phrase = HTTP_REASON_PHRASES[status];
+  if (phrase) return phrase;
+  return status >= 200 && status < 300 ? "OK" : "Error";
+}
+
 /** Template cache: url_path -> template_file. Null until first production lookup. */
 let templateCache: Map<string, string> | null = null;
 
 /**
- * Resolve a URL path to a template file in src/templates/.
+ * Reset the production template cache. Tests use this between scenarios so
+ * a fresh scan picks up fixture files in a tmp project.
+ */
+export function resetTemplateCache(): void {
+  templateCache = null;
+}
+
+/**
+ * Resolve a URL path to a template file in src/templates/pages/.
+ *
+ * Only files inside `src/templates/pages/` auto-route from a URL. Anything
+ * in `src/templates/` outside `pages/` (partials, layouts, base.twig,
+ * errors, components) is never served standalone.
+ *
  * Dev mode: checks filesystem every time for live changes.
  * Production: uses a cached lookup built once at startup.
+ *
+ * The whole feature can be turned off with `TINA4_TEMPLATE_ROUTING=off`.
  */
-function resolveTemplate(pathname: string, templatesDir: string): string | null {
-  const cleanPath = pathname.replace(/^\//, "") || "index";
+export function resolveTemplate(pathname: string, templatesDir: string): string | null {
+  if (!templateAutoRoutingEnabled()) return null;
+
+  const cleanPath = pathname.replace(/^\/+/, "").replace(/\/+$/, "") || "index";
   const isDev = (process.env.TINA4_DEBUG ?? "false").toLowerCase() === "true";
 
   if (isDev) {
+    // Skip underscore-prefixed files even within pages/ — they're private
+    // by Hugo/Jekyll convention (helpers, fragments) and shouldn't auto-serve.
+    if (cleanPath.split("/").some((seg) => seg.startsWith("_"))) return null;
+    const pagesDir = resolve(templatesDir, TEMPLATE_PAGES_DIR);
     for (const ext of [".twig", ".html"]) {
-      const candidate = cleanPath + ext;
-      if (existsSync(resolve(templatesDir, candidate))) {
-        return candidate;
+      if (existsSync(resolve(pagesDir, cleanPath + ext))) {
+        return `${TEMPLATE_PAGES_DIR}/${cleanPath}${ext}`;
       }
     }
     return null;
@@ -256,21 +406,24 @@ function resolveTemplate(pathname: string, templatesDir: string): string | null
   // Production: cached lookup
   if (!templateCache) {
     templateCache = new Map();
-    if (existsSync(templatesDir)) {
+    const pagesDir = resolve(templatesDir, TEMPLATE_PAGES_DIR);
+    if (existsSync(pagesDir)) {
       const scan = (dir: string, prefix: string) => {
         for (const entry of readdirSync(dir, { withFileTypes: true })) {
+          // Skip private files even within pages/ (e.g. pages/_helper.twig)
+          if (entry.name.startsWith("_")) continue;
           const rel = prefix ? `${prefix}/${entry.name}` : entry.name;
           if (entry.isDirectory()) {
             scan(resolve(dir, entry.name), rel);
           } else if (entry.name.endsWith(".twig") || entry.name.endsWith(".html")) {
             const urlPath = rel.replace(/\.(twig|html)$/, "");
             if (!templateCache!.has(urlPath)) {
-              templateCache!.set(urlPath, rel);
+              templateCache!.set(urlPath, `${TEMPLATE_PAGES_DIR}/${rel}`);
             }
           }
         }
       };
-      scan(templatesDir, "");
+      scan(pagesDir, "");
     }
   }
   return templateCache.get(cleanPath) ?? null;
@@ -502,6 +655,9 @@ export async function startServer(config?: Tina4Config): Promise<{
   // Load .env early so TINA4_DEBUG is available for cluster decision
   loadEnv();
 
+  // Refuse to boot with pre-3.12 un-prefixed env vars set.
+  _checkLegacyEnvVars();
+
   const resolved = resolvePortAndHost(config);
   const host = resolved.host;
   let port = resolved.port;
@@ -566,6 +722,9 @@ ${reset}
   const modelsDir = resolve(base, config?.modelsDir ?? "src/models");
   const ormDir = resolve(base, "src/orm");
   const staticDir = resolve(base, config?.staticDir ?? "public");
+  // src/public is the second-tier static dir (Python parity). When the user
+  // ships a Vite/SPA build there, src/public/index.html auto-serves at "/".
+  const srcPublicDir = resolve(base, "src/public");
   const templatesDir = resolve(base, config?.templatesDir ?? "src/templates");
 
   // .env already loaded above for cluster decision
@@ -834,10 +993,14 @@ ${reset}
         res.raw.end = wrappedEnd;
       }
 
-      // Try static files first (project public dir, then framework built-in public dir)
+      // Try static files first (project public dir, src/public dir, then framework built-in)
+      // Index resolution: "/" or "/foo/" picks up index.html so SPA builds Just Work.
       if (existsSync(staticDir) && tryServeStatic(staticDir, req, res)) {
         return;
       }
+      if (existsSync(srcPublicDir) && tryServeStatic(srcPublicDir, req, res)) {
+        return;
+      }
       if (tryServeStatic(BUILTIN_PUBLIC_DIR, req, res)) {
         return;
       }
@@ -944,34 +1107,45 @@ ${reset}
         return;
       }
 
-      // Try serving a template file (e.g. /hello -> src/templates/hello.twig or hello.html)
+      // Try serving a template file (e.g. /hello -> src/templates/pages/hello.twig)
       if ((req.method ?? "GET") === "GET") {
         const tplFile = resolveTemplate(pathname, templatesDir);
         if (tplFile) {
-          const html = readFileSync(resolve(templatesDir, tplFile), "utf-8");
-          res.raw.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-          res.raw.end(html);
+          // Render through Frond so {% include %} / {% extends %} work,
+          // not raw readFileSync.
+          if (frondEngine) {
+            const html = frondEngine.render(tplFile, {});
+            res.raw.writeHead(200, undefined, { "Content-Type": "text/html; charset=utf-8" });
+            res.raw.end(html);
+          } else {
+            const html = readFileSync(resolve(templatesDir, tplFile), "utf-8");
+            res.raw.writeHead(200, undefined, { "Content-Type": "text/html; charset=utf-8" });
+            res.raw.end(html);
+          }
           return;
         }
 
-        // Show landing page for "/" when no template exists
-        if (pathname === "/") {
+        // Landing page renders only at "/" AND only when TINA4_DEBUG=true.
+        // In production "/" with no static index.html and no pages/index.twig
+        // falls through to a clean 404 — the framework's branded welcome,
+        // gallery and version never leak to real users.
+        if (pathname === "/" && isDevMode()) {
           const allRoutes = router.getRoutes().map((r) => ({
             method: r.method,
             pattern: r.pattern,
             flags: [] as string[],
           }));
           const html = renderLandingPage(allRoutes, port);
-          res.raw.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+          res.raw.writeHead(200, undefined, { "Content-Type": "text/html; charset=utf-8" });
           res.raw.end(html);
           return;
         }
       }
 
-      // 404
+      // 404 — pass canonical reason phrase so the status line is well-formed
       const html404 = await renderErrorPage(404, { path: pathname }, templatesDir);
       if (html404) {
-        res.raw.writeHead(404, { "Content-Type": "text/html; charset=utf-8" });
+        res.raw.writeHead(404, httpReason(404), { "Content-Type": "text/html; charset=utf-8" });
         res.raw.end(html404);
       } else {
         res({ error: "Not Found", statusCode: 404, message: `No route found for ${req.method} ${pathname}` }, 404);

package/packages/core/src/sessionHandlers/databaseHandler.ts

@@ -42,10 +42,10 @@ export class DatabaseSessionHandler implements SessionHandler {
   }
 
   /**
-   * Resolve the database file path from DATABASE_URL or use the default.
+   * Resolve the database file path from TINA4_DATABASE_URL or use the default.
    */
   private resolveDbPath(): string {
-    const url = process.env.DATABASE_URL;
+    const url = process.env.TINA4_DATABASE_URL;
     if (url && url.startsWith("sqlite://")) {
       // sqlite:///path/to/db  or  sqlite://./relative/path
       return url.replace(/^sqlite:\/\//, "");

package/packages/frond/src/engine.ts

@@ -1271,7 +1271,7 @@ export function setFormTokenSessionId(sessionId: string): void {
 }
 
 function _buildFormTokenJwt(descriptor: string = ""): string {
-  const secret = process.env.SECRET || "tina4-default-secret";
+  const secret = process.env.TINA4_SECRET || "tina4-default-secret";
   const ttlMinutes = parseInt(process.env.TINA4_TOKEN_LIMIT || "60", 10);
 
   const header = { alg: "HS256", typ: "JWT" };

package/packages/orm/src/baseModel.ts

@@ -21,11 +21,11 @@ export function camelToSnake(name: string): string {
 }
 
 /**
- * Check whether ORM_PLURAL_TABLE_NAMES is enabled in .env.
+ * Check whether TINA4_ORM_PLURAL_TABLE_NAMES is enabled in .env.
  * When true, hasMany relationship keys get an "s" suffix (e.g. "posts" instead of "post").
  */
 function _pluralRelKeys(): boolean {
-  const v = process.env.ORM_PLURAL_TABLE_NAMES ?? "";
+  const v = process.env.TINA4_ORM_PLURAL_TABLE_NAMES ?? "";
   return /^(true|1|yes)$/i.test(v);
 }
 
@@ -217,8 +217,8 @@ export class BaseModel {
     try {
       return getAdapter();
     } catch {
-      // No adapter registered — try DATABASE_URL auto-discovery
-      const url = process.env.DATABASE_URL;
+      // No adapter registered — try TINA4_DATABASE_URL auto-discovery
+      const url = process.env.TINA4_DATABASE_URL;
       if (url) {
         const parsed = parseDatabaseUrl(url);
         if (parsed.type === "sqlite") {

package/packages/orm/src/database.ts

@@ -822,21 +822,21 @@ async function createAdapterFromUrl(url: string, username?: string, password?: s
 }
 
 /**
- * Initialize the database from a config object or DATABASE_URL env var.
+ * Initialize the database from a config object or TINA4_DATABASE_URL env var.
  * Now returns a Database wrapper instance.
  *
  * Priority:
  *   1. config.url (explicit URL)
- *   2. process.env.DATABASE_URL
+ *   2. process.env.TINA4_DATABASE_URL
  *   3. config.type + config.path (legacy)
  */
 export async function initDatabase(config?: DatabaseConfig): Promise<Database> {
-  // Resolve credentials: config.user > config.username > env DATABASE_USERNAME
-  const resolvedUser = config?.user ?? config?.username ?? process.env.DATABASE_USERNAME;
-  const resolvedPassword = config?.password ?? process.env.DATABASE_PASSWORD;
+  // Resolve credentials: config.user > config.username > env TINA4_DATABASE_USERNAME
+  const resolvedUser = config?.user ?? config?.username ?? process.env.TINA4_DATABASE_USERNAME;
+  const resolvedPassword = config?.password ?? process.env.TINA4_DATABASE_PASSWORD;
 
   // Resolve from URL if provided
-  const url = config?.url ?? process.env.DATABASE_URL;
+  const url = config?.url ?? process.env.TINA4_DATABASE_URL;
 
   if (url) {
     const adapter = await createAdapterFromUrl(url, resolvedUser, resolvedPassword);

package/packages/swagger/src/generator.ts

@@ -15,9 +15,9 @@ export function generate(
   const spec: OpenAPISpec = {
     openapi: "3.0.3",
     info: {
-      title: process.env.SWAGGER_TITLE ?? "Tina4 API",
-      version: "0.0.1",
-      description: "Auto-generated API documentation",
+      title: process.env.TINA4_SWAGGER_TITLE ?? "Tina4 API",
+      version: process.env.TINA4_SWAGGER_VERSION ?? "0.0.1",
+      description: process.env.TINA4_SWAGGER_DESCRIPTION ?? "Auto-generated API documentation",
     },
     paths: {},
     components: { schemas: {} },