npm - tina4-nodejs - Versions diffs - 3.13.3 → 3.13.5 - Mend

tina4-nodejs 3.13.3 → 3.13.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CLAUDE.md +3 -3
package/package.json +1 -1
package/packages/core/src/index.ts +1 -1
package/packages/core/src/request.ts +35 -1
package/packages/core/src/router.ts +5 -4
package/packages/frond/src/engine.ts +75 -0

package/CLAUDE.md CHANGED Viewed

@@ -1,10 +1,10 @@
-# CLAUDE.md — AI Developer Guide for tina4-nodejs (v3.13.3)
+# CLAUDE.md — AI Developer Guide for tina4-nodejs (v3.13.5)
 > This file helps AI assistants (Claude, Copilot, Cursor, etc.) understand and work on this codebase effectively.
 ## What This Project Is
-Tina4 for Node.js/TypeScript v3.13.3 — The Intelligent Native Application 4ramework. A convention-over-configuration structural paradigm. The developer writes TypeScript; Tina4 is invisible infrastructure.
+Tina4 for Node.js/TypeScript v3.13.5 — The Intelligent Native Application 4ramework. A convention-over-configuration structural paradigm. The developer writes TypeScript; Tina4 is invisible infrastructure.
 The philosophy: zero ceremony, batteries included, file system as source of truth.
@@ -571,7 +571,7 @@ db.delete(table, filter?, params?): DatabaseWriteResult
 db.getLastId(): string | number | null
 db.getError(): string | null
-// Transactions — autoCommit defaults to ON unless TINA4_DB_AUTOCOMMIT=false
+// Transactions — autoCommit defaults to OFF; set TINA4_AUTOCOMMIT=true to enable
 db.startTransaction(): void
 db.commit(): void
 db.rollback(): void

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
-  "version": "3.13.3",
+  "version": "3.13.5",
   "type": "module",
   "description": "Tina4 for Node.js/TypeScript \u2014 54 built-in features, zero dependencies",

package/packages/core/src/index.ts CHANGED Viewed

@@ -20,7 +20,7 @@ export type { RouteInfo } from "./router.js";
 export { discoverRoutes } from "./routeDiscovery.js";
 export { MiddlewareChain, MiddlewareRunner, cors, requestLogger, CorsMiddleware, RateLimiterMiddleware, RequestLogger, SecurityHeadersMiddleware, CsrfMiddleware } from "./middleware.js";
 export type { CorsConfig } from "./middleware.js";
-export { createRequest } from "./request.js";
+export { createRequest, makeCaseInsensitiveHeaders } from "./request.js";
 export { createResponse, errorResponse, setDefaultTemplatesDir, getFrond, setFrond, getFrameworkFrond } from "./response.js";
 export { tryServeStatic } from "./static.js";
 export { loadEnv, getEnv, requireEnv, hasEnv, allEnv, resetEnv, isTruthy } from "./dotenv.js";

package/packages/core/src/request.ts CHANGED Viewed

@@ -1,8 +1,42 @@
-import type { IncomingMessage } from "node:http";
+import type { IncomingMessage, IncomingHttpHeaders } from "node:http";
 import type { Tina4Request, UploadedFile } from "./types.js";
+/**
+ * Wrap Node's `IncomingHttpHeaders` in a Proxy so mixed-case lookups
+ * (`req.headers["Content-Type"]`) work alongside the canonical lowercase
+ * form Node already provides. Parity with PY-10-03 (Python ships a
+ * `CaseInsensitiveDict` for the same reason).
+ *
+ * The raw object is returned as-is by `Object.keys` / iteration — only
+ * string property reads/`in` checks are normalised.
+ */
+export function makeCaseInsensitiveHeaders(
+  raw: IncomingHttpHeaders,
+): IncomingHttpHeaders {
+  return new Proxy(raw, {
+    get(target, prop, receiver) {
+      if (typeof prop === "string") {
+        const lower = prop.toLowerCase();
+        if (lower in target) return (target as Record<string, unknown>)[lower];
+        return Reflect.get(target, prop, receiver);
+      }
+      return Reflect.get(target, prop, receiver);
+    },
+    has(target, prop) {
+      if (typeof prop === "string") {
+        return prop.toLowerCase() in target || Reflect.has(target, prop);
+      }
+      return Reflect.has(target, prop);
+    },
+  }) as IncomingHttpHeaders;
+}
 export function createRequest(req: IncomingMessage): Tina4Request {
   const tReq = req as Tina4Request;
+  // Wrap `req.headers` so mixed-case lookups work — Node's underlying object
+  // is already lower-cased, this just lets readers use any casing they like.
+  (tReq as unknown as { headers: IncomingHttpHeaders }).headers =
+    makeCaseInsensitiveHeaders(req.headers);
   // Resolve scheme + host honouring proxy headers — parity with PHP/Python/Ruby.
   const xfProto = req.headers["x-forwarded-proto"];

package/packages/core/src/router.ts CHANGED Viewed

@@ -131,12 +131,13 @@ export class Router {
       routes.splice(existingIndex, 1);
     }
-    // Write methods (POST/PUT/PATCH/DELETE) are secure by default,
-    // unless custom middleware is registered (developer handles auth themselves)
+    // Write methods (POST/PUT/PATCH/DELETE) are secure by default. Middleware is
+    // purely additive — registering custom middleware must NOT silently disable the
+    // built-in Bearer-token gate (parity with PY-10-02). Use `noAuth()` to open a
+    // write route explicitly.
     const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
     const isWrite = WRITE_METHODS.has(method);
-    const hasMiddleware = definition.middlewares && definition.middlewares.length > 0;
-    const secureDefault = isWrite && !hasMiddleware ? (definition.secure ?? true) : definition.secure;
+    const secureDefault = isWrite ? (definition.secure ?? true) : definition.secure;
     const compiled: CompiledRoute = {
       pattern: definition.pattern,

package/packages/frond/src/engine.ts CHANGED Viewed

@@ -1317,6 +1317,56 @@ function _generateFormTokenValue(descriptor: string = ""): SafeString {
 // ── Frond Engine ───────────────────────────────────────────────
 export class Frond {
+  // ── Class-level registries ──────────────────────────────────
+  // Persist globals, filters, and tests across hot-reloads and at
+  // app-startup before any instance exists. When app.ts calls
+  // ``Frond.addFilter("money", fn)`` once, the class remembers it
+  // and every future ``new Frond()`` inherits it automatically.
+  // Mirrors Python's _class_globals / _class_filters / _class_tests.
+  private static classFilters: Map<string, FilterFn> = new Map();
+  private static classGlobals: Map<string, unknown> = new Map();
+  private static classTests: Map<string, TestFn> = new Map();
+  /**
+   * Register a custom filter at the class level — available to every
+   * future ``new Frond()`` instance. Callable as ``Frond.addFilter()``
+   * (static) or ``frond.addFilter()`` (instance). See instance method
+   * below for the dual-call semantics.
+   */
+  static addFilter(name: string, fn: FilterFn): void {
+    Frond.classFilters.set(name, fn);
+  }
+  /**
+   * Register a global variable available in all templates of every
+   * future instance. Callable as ``Frond.addGlobal()`` (static) or
+   * ``frond.addGlobal()`` (instance).
+   */
+  static addGlobal(name: string, value: unknown): void {
+    Frond.classGlobals.set(name, value);
+  }
+  /**
+   * Register a custom test (``{% if x is positive %}``) at the class
+   * level. Callable as ``Frond.addTest()`` (static) or
+   * ``frond.addTest()`` (instance).
+   */
+  static addTest(name: string, fn: TestFn): void {
+    Frond.classTests.set(name, fn);
+  }
+  /**
+   * Clear the class-level globals/filters/tests registries.
+   * Useful in test fixtures to prevent leaking state between tests.
+   * Does NOT affect built-in filters or globals — only user-registered
+   * ones via Frond.addFilter / addGlobal / addTest.
+   */
+  static clearRegistry(): void {
+    Frond.classFilters.clear();
+    Frond.classGlobals.clear();
+    Frond.classTests.clear();
+  }
   private templateDir: string;
   private filters: Record<string, FilterFn>;
   private globals: Record<string, unknown>;
@@ -1362,6 +1412,14 @@ export class Frond {
     // Available alongside the |dump filter so both styles work:
     //   {{ user|dump }}   and   {{ dump(user) }}
     this.globals.dump = (value: unknown) => renderDump(value);
+    // Drain the class-level registry. This is the key to surviving
+    // hot-reloads AND the static-facade pattern: app.ts calls
+    // Frond.addFilter("money", fn) once, the class remembers it,
+    // and every future Frond() instance picks it up automatically.
+    for (const [k, v] of Frond.classFilters) this.filters[k] = v;
+    for (const [k, v] of Frond.classGlobals) this.globals[k] = v;
+    for (const [k, v] of Frond.classTests) this.tests[k] = v;
   }
   sandbox(filters?: string[], tags?: string[], vars?: string[]): Frond {
@@ -1380,15 +1438,32 @@ export class Frond {
     return this;
   }
+  /**
+   * Register a custom filter. The filter is persisted at class level
+   * so new instances created by hot-reload inherit it automatically;
+   * the live instance's local filter map also receives the addition
+   * immediately. Mirrors Python's _ClassOrInstanceMethod dual-call.
+   */
   addFilter(name: string, fn: FilterFn): void {
+    Frond.classFilters.set(name, fn);
     this.filters[name] = fn;
   }
+  /**
+   * Register a global variable available in all templates. Persisted
+   * at class level — see ``addFilter`` for the dual-call semantics.
+   */
   addGlobal(name: string, value: unknown): void {
+    Frond.classGlobals.set(name, value);
     this.globals[name] = value;
   }
+  /**
+   * Register a custom test. Persisted at class level — see
+   * ``addFilter`` for the dual-call semantics.
+   */
   addTest(name: string, fn: TestFn): void {
+    Frond.classTests.set(name, fn);
     this.tests[name] = fn;
   }