Documentation: gina.io/docs · Issues: GitHub · Changelog: CHANGELOG.md
Node.js MVC framework with built-in HTTP/2, multi-bundle architecture, and scope-based data isolation — no Express dependency.
- HTTP/2 first. Built-in
isaacserver with TLS, h2c, ALPN, HTTP/1.1 fallback, and full CVE hardening (Rapid Reset, CONTINUATION flood, RST flood, HPACK bomb) — all on by default. - Multi-bundle. One project hosts multiple independent bundles (API, web, admin, …). Each bundle has its own routing, controllers, models, and config. Share code via the project layer.
- Scope isolation. Run
local,beta, andproductionfrom the same codebase. Scopes propagate through routing, config interpolation, and data (every DB record is stamped with_scope).
| Feature | Detail |
|---|---|
| HTTP/2 server | Built-in isaac engine — TLS, h2c, ALPN, HTTP/1.1 fallback, 103 Early Hints, CVE-hardened |
| Multi-bundle | One project, N independent bundles with shared config and project layer |
| Scope isolation | local / beta / production — per-request and per-record |
| MVC routing | routing.json — declare routes in config, not code; O(m) radix trie lookup |
| Async/await | Controller actions can be async; rejections routed to throwError automatically |
| ORM / entities | EventEmitter-based entity system; SQL files auto-wired to entity methods |
| Connectors | Couchbase, MongoDB, ScyllaDB / Cassandra, MySQL, PostgreSQL, Redis, SQLite, AI (LLM) — loaded from project node_modules |
| AI connector | Any LLM provider via named protocol (anthropic://, openai://, ollama://, …) |
| Template engine | @rhinostone/swig 2.7.2 — maintained fork with CVE-2023-25345 patched; streaming SSE/chunked via renderStream(). Nunjucks supported as opt-in via render.engine = "nunjucks" |
| Internationalisation | Per-bundle JSON catalogs, t() helper, swig + nunjucks t filter, CLDR plurals, ICU MessageFormat opt-in via t.icu() |
| Observability | Built-in /_gina/metrics Prometheus endpoint (opt-in, IP-allowlisted) — Node.js process metrics + HTTP counter / duration histogram with cardinality-safe route labels |
| Hot reload | WatcherService evicts require.cache only on file change — zero per-request overhead in dev |
| K8s ready | gina-container, gina-init, SIGTERM drain, JSON stdout logging |
| Dependency injection | Mockable connectors and config for unit testing |
npm install -g gina@latest --prefix=~/.npm-global
gina project:add @myproject --path=$(pwd)/myproject
gina bundle:add api @myproject
gina bundle:start api @myproject
open https://localhost:3100- Async template loaders (opt-in).
settings.template.swig.loader/settings.template.nunjucks.loaderrender templates from a custom backend instead of the local filesystem — built-inmemoryandhttploaders (for templates served from a CDN, object storage or a template service), per-bundle isolated engines, full client-runtime injection on the async path, and an opt-in compiled-template cache (loader.cache) for production. - Native dialog API.
data-gina-dialog="ID"opens an in-page<dialog>,data-gina-dialog-src="URL"loads its content over AJAX; non-modal by default, with per-trigger (data-gina-dialog-modal) or project-wide modal opt-in. Dialog popins now render as native modals in development too (dev/prod parity), and the popin plugin gains an opt-inpreOpenloading skeleton. request.rawBody. The exact unparsed request body is preserved before parsing, so controllers and middlewares can verify inbound webhook signatures (an HMAC computed over the raw bytes).- JSON bodies parsed verbatim.
application/jsonPOST / PUT / PATCH bodies are no longer URL-decoded and form-coerced — string values such as"true"or"50%20off"survive exactly as sent. Urlencoded handling is unchanged, and the browser form-validator now sends its JSON bodies with the matchingapplication/jsonContent-Type. - Hardening. A single request carrying a malformed percent-escape (a bare
%,%zz) can no longer crash a bundle; the default Swig render path keeps the swig-core CVE-2023-25345 path-traversal confinement active; the@rhinostone/swigfloor moved to^2.7.2; and the dead third-party CORS proxy was removed from the popin and link loaders. - CLI & DX.
gina versionreports the bundled template engine; offline project commands skip a stale registered project instead of aborting;project:addand the framework's self-invocations no longer depend on a PATH-resolved gina binary.
See the full Changelog and Roadmap.
Full installation guide, tutorials, configuration reference, and API docs at gina.io/docs.
| Package | Description |
|---|---|
| @rhinostone/swig | Maintained fork of the Swig template engine (upstream abandoned since 2015). CVE-2023-25345 patched. |
| gina-starter | Minimal starter project — one bundle, one route, Docker Compose included |
Gina is co-authored by Martin Luther ETOUMAN NDAMBWE (Rhinostone) and Fabrice DELANEAU (fdelaneau.com). Final decisions on direction, API design, and releases rest with Martin Luther. Community contributions and RFCs are welcome and taken seriously. See GOVERNANCE.md for details.
Copyright © 2009-2026 Rhinostone
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.