From 6d73d583795f1c4ebddc5c4560c47241302f20f4 Mon Sep 17 00:00:00 2001
From: vanelsas <58037137+avanelsas@users.noreply.github.com>
Date: Tue, 26 May 2026 16:26:06 +0200
Subject: [PATCH] review pass: load-boundary hardening + codegen dedup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Route IDB autosave restore through `project-file/classify-payload` +
`sanitize-doc` so a corrupted or tampered autosave can't bypass the
checks the file-open path uses. Strict-reject unknown `:version` so a
future schema bump fails loud instead of partially installing the
wrong shape. Cancel the watcher-armed 750ms timer on file load so a
stale `save-now!` can't fire after `clear-autosave!`. Surface autosave
write failures as `[:ui :autosave-failed?]` with a hidden ⚠ indicator
in the toolbar.

Extend `unsafe-findings` with an identifier-shape scanner so attr
keys, binding prop names, binding `:field`, trigger `:action-ref`,
payload `:field`, field-def `:name`, and action `:name` that carry
characters unsafe for codegen are refused at the load boundary —
closes the JS / CLJS string-injection vectors in both export plugins.

Extract `action-ref-canonical-ns` + `action-ref-alias` to
`export.model` (single source of truth shared by both plugins). Route
`cljs_project/emit-sub-group-child` through `em/resolve-template-source`
so the legacy fallback that re-derived `stateful-host-for-template` is
gone. Replace the `volatile!` in `dnd/drag/marquee-hits` with an
`into` + `keep` pipeline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 public/index.html                            |  12 ++
 src/bareforge/dnd/drag.cljs                  |  32 ++---
 src/bareforge/doc/sanitize.cljs              | 118 ++++++++++++++++++-
 src/bareforge/export/cljs_project.cljs       |  65 +++++-----
 src/bareforge/export/model.cljs              |  33 ++++++
 src/bareforge/export/vanilla_js/codegen.cljs |  15 +--
 src/bareforge/main.cljs                      |  29 +++--
 src/bareforge/storage/indexeddb.cljs         |  64 +++++++---
 src/bareforge/storage/project_file.cljs      |  34 +++++-
 src/bareforge/ui/toolbar.cljs                |  41 +++++--
 test/bareforge/doc/sanitize_test.cljs        |  59 ++++++++++
 test/bareforge/export/model_test.cljs        |  16 +++
 test/bareforge/storage/indexeddb_test.cljs   |  13 +-
 test/bareforge/ui/toolbar_test.cljs          |   7 ++
 14 files changed, 429 insertions(+), 109 deletions(-)

diff --git a/public/index.html b/public/index.html
index 6fe25ac..f373b0d 100644
--- a/public/index.html
+++ b/public/index.html
@@ -93,6 +93,18 @@
       background: var(--x-color-border, rgba(127, 127, 127, 0.35));
     }
     .toolbar-icon-button span { font-size: 16px; line-height: 1; }
+    .toolbar-autosave-warn {
+      display: inline-flex;
+      align-items: center;
+      justify-content: center;
+      width: 22px;
+      height: 22px;
+      margin-left: 6px;
+      color: var(--x-color-warning, #c97a00);
+      font-size: 16px;
+      cursor: help;
+    }
+    .toolbar-autosave-warn[hidden] { display: none; }
     .panel {
       border-right: 1px solid var(--x-color-border, rgba(127, 127, 127, 0.2));
       padding: 12px;
diff --git a/src/bareforge/dnd/drag.cljs b/src/bareforge/dnd/drag.cljs
index 2248101..a3cae29 100644
--- a/src/bareforge/dnd/drag.cljs
+++ b/src/bareforge/dnd/drag.cljs
@@ -229,22 +229,22 @@
   (let [^js br    (.getBoundingClientRect host)
         sl        (.-scrollLeft host)
         st        (.-scrollTop  host)
-        ^js nodes (.querySelectorAll host "[data-bareforge-id]")
-        out       (volatile! [])]
-    (dotimes [i (.-length nodes)]
-      (let [^js el (.item nodes i)
-            id     (.getAttribute el "data-bareforge-id")]
-        (when (and id (not= id "root"))
-          (let [^js eb (.getBoundingClientRect el)
-                left   (+ (- (.-left   eb) (.-left br)) sl)
-                top    (+ (- (.-top    eb) (.-top  br)) st)
-                rect   {:left   left
-                        :top    top
-                        :right  (+ left (.-width  eb))
-                        :bottom (+ top  (.-height eb))}]
-            (when (rects-overlap? marquee-rect rect)
-              (vswap! out conj id))))))
-    @out))
+        ^js nodes (.querySelectorAll host "[data-bareforge-id]")]
+    (into []
+          (keep (fn [i]
+                  (let [^js el (.item nodes i)
+                        id     (.getAttribute el "data-bareforge-id")]
+                    (when (and id (not= id "root"))
+                      (let [^js eb (.getBoundingClientRect el)
+                            left   (+ (- (.-left eb) (.-left br)) sl)
+                            top    (+ (- (.-top  eb) (.-top  br)) st)
+                            rect   {:left   left
+                                    :top    top
+                                    :right  (+ left (.-width  eb))
+                                    :bottom (+ top  (.-height eb))}]
+                        (when (rects-overlap? marquee-rect rect)
+                          id))))))
+          (range (.-length nodes)))))
 
 (defn- commit-marquee! [^js e]
   (let [^js host (canvas-el)
diff --git a/src/bareforge/doc/sanitize.cljs b/src/bareforge/doc/sanitize.cljs
index 0131781..6f0d1f4 100644
--- a/src/bareforge/doc/sanitize.cljs
+++ b/src/bareforge/doc/sanitize.cljs
@@ -2,14 +2,20 @@
   "Pure sanitisation helpers for the two doc fields that ship raw
    user-supplied strings into the DOM: `:inner-html` (raw SVG/HTML on
    `:raw-html-slot?` components like x-icon) and `:attrs` URL values
-   (`href`, `src`, …).
+   (`href`, `src`, …). Plus an identifier-shape scanner that guards
+   the export pipeline against doc fields that the codegen later
+   interpolates verbatim into emitted JS / CLJS source.
 
-   Two layers of protection:
+   Three layers of protection:
 
    - **Block-list scanners** (`unsafe-findings`): given a doc, return a
      vector of `[path reason]` entries naming each suspect site. Used at
      the load boundary by `storage/project-file/validate-project` to
      refuse a malicious payload outright with an explanatory message.
+     Covers XSS payloads in `:inner-html` / URL attrs **and** unsafe
+     identifier shapes in attr keys, binding keys, field / action
+     names, and trigger action-refs (everything codegen splices into
+     a JS or CLJS string literal).
 
    - **Best-effort sanitisers** (`sanitize-svg-fragment`,
      `sanitize-doc`): strip the obvious payloads — `<script>` /
@@ -117,6 +123,99 @@
         ;; with javascript-like schemes.
         (str/replace dangerous-url-attr-re ""))))
 
+;; --- identifier safety ---------------------------------------------------
+
+(def ^:private safe-attr-key-re
+  ;; HTML / SVG / ARIA attribute name. Letters or `_` to start; letters,
+  ;; digits, `-`, `_`, `.`, `:` after (covers `xlink:href`, `aria-*`,
+  ;; CSS-variable-shaped attrs). Refuses anything codegen would have to
+  ;; escape — whitespace, quotes, backslash, parens, brackets, `;`, `#`,
+  ;; comment markers, etc.
+  #"^[A-Za-z_][A-Za-z0-9_\-.:]*$")
+
+(def ^:private safe-identifier-name-re
+  ;; Local-name component of a keyword (field / action / action-ref
+  ;; local) emitted into CLJS or JS source. Tighter than attr keys:
+  ;; no colons (colons inside a local keyword name would re-namespace
+  ;; it at the keyword reader; in JS strings they're a syntax hazard
+  ;; on object literals).
+  #"^[A-Za-z][A-Za-z0-9_\-.]*$")
+
+(defn- safe-attr-key? [s]
+  (and (string? s) (boolean (re-matches safe-attr-key-re s))))
+
+(defn- safe-identifier-name? [s]
+  (and (string? s) (boolean (re-matches safe-identifier-name-re s))))
+
+(defn- keyword-name-safe? [kw]
+  (and (keyword? kw) (safe-identifier-name? (cljs.core/name kw))))
+
+(defn- action-ref-safe?
+  "True when a qualified keyword's namespace segments and local name
+   all parse as safe identifiers. Codegen splices each piece into a
+   JS string literal (`dispatch([\"<alias>/<name>\"])`); anything
+   outside `safe-identifier-name-re` can break out of that string."
+  [kw]
+  (and (qualified-keyword? kw)
+       (every? safe-identifier-name? (str/split (namespace kw) #"\."))
+       (safe-identifier-name? (cljs.core/name kw))))
+
+(defn- node-identifier-findings
+  "Collect identifier-shape findings for one node. The codegen splices
+   each of these values into emitted source code; an unsafe character
+   in any of them produces malformed (or malicious) output."
+  [path node]
+  (concat
+   ;; Attribute keys — both static `:attrs` and `:bindings`.
+   (for [[k _] (:attrs node)
+         :when (not (safe-attr-key? k))]
+     {:path    (conj path :attrs k)
+      :reason  (str "attr key " (pr-str k)
+                    " contains characters unsafe for codegen")
+      :preview (pr-str k)})
+   (for [[k _] (:bindings node)
+         :when (not (safe-attr-key? k))]
+     {:path    (conj path :bindings k)
+      :reason  (str "binding prop name " (pr-str k)
+                    " contains characters unsafe for codegen")
+      :preview (pr-str k)})
+   ;; Binding `:field` keywords — emitted as the dispatched setter name.
+   (for [[_ b] (:bindings node)
+         :when (and (:field b) (not (keyword-name-safe? (:field b))))]
+     {:path    (conj path :bindings)
+      :reason  (str "binding :field " (pr-str (:field b))
+                    " contains characters unsafe for codegen")
+      :preview (pr-str (:field b))})
+   ;; Trigger `:action-ref` qualified keywords.
+   (for [t (:events node)
+         :when (and (:action-ref t) (not (action-ref-safe? (:action-ref t))))]
+     {:path    (conj path :events)
+      :reason  (str "trigger :action-ref " (pr-str (:action-ref t))
+                    " contains characters unsafe for codegen")
+      :preview (pr-str (:action-ref t))})
+   ;; Payload entries that reference fields by name.
+   (for [t  (:events node)
+         pe (:payload t)
+         :when (and (:field pe) (not (keyword-name-safe? (:field pe))))]
+     {:path    (conj path :events)
+      :reason  (str "trigger payload :field " (pr-str (:field pe))
+                    " contains characters unsafe for codegen")
+      :preview (pr-str (:field pe))})
+   ;; Field-def names + action names (referenced verbatim by setter
+   ;; / sub / handler emission).
+   (for [fd (:fields node)
+         :when (and (:name fd) (not (keyword-name-safe? (:name fd))))]
+     {:path    (conj path :fields)
+      :reason  (str "field-def :name " (pr-str (:name fd))
+                    " contains characters unsafe for codegen")
+      :preview (pr-str (:name fd))})
+   (for [a (:actions node)
+         :when (and (:name a) (not (keyword-name-safe? (:name a))))]
+     {:path    (conj path :actions)
+      :reason  (str "action :name " (pr-str (:name a))
+                    " contains characters unsafe for codegen")
+      :preview (pr-str (:name a))})))
+
 ;; --- doc walker -----------------------------------------------------------
 
 (defn- walk-nodes-with-path
@@ -137,8 +236,16 @@
 
 (defn unsafe-findings
   "Walk `doc` and return a vector of `{:path :reason :preview}` maps,
-   one per unsafe `:inner-html` or URL-typed attr value. Empty
-   vector means the doc is clean. The load-boundary check uses
+   one per unsafe site. Three families:
+
+   - `:inner-html` carrying a script / event / javascript-url payload.
+   - URL-typed attrs (`href`, `src`, …) with a dangerous scheme.
+   - Identifier-shaped fields the exporter splices into emitted source
+     (attr keys, binding prop names, binding `:field`, trigger
+     `:action-ref`, payload `:field`, field-def `:name`, action
+     `:name`) that contain characters unsafe for codegen.
+
+   Empty vector means the doc is clean. The load-boundary check uses
    this directly: any non-empty result refuses the load."
   [doc]
   (vec
@@ -154,7 +261,8 @@
              :when (and (url-attr? k) (string? v) (not (safe-url? v)))]
          {:path   (conj path :attrs k)
           :reason (str "attr " (pr-str k) " carries unsafe URL scheme")
-          :preview v})))
+          :preview v})
+       (node-identifier-findings path node)))
     (walk-nodes-with-path doc))))
 
 (defn- sanitize-node-attrs
diff --git a/src/bareforge/export/cljs_project.cljs b/src/bareforge/export/cljs_project.cljs
index affe2bb..bbe1d7f 100644
--- a/src/bareforge/export/cljs_project.cljs
+++ b/src/bareforge/export/cljs_project.cljs
@@ -176,24 +176,11 @@
 (def ^:private collect-trigger-payload-fields  em/collect-trigger-payload-fields)
 (def ^:private collect-trigger-action-refs     em/collect-trigger-action-refs)
 
-(defn- action-ref->alias
-  "Turn an action-ref qualified keyword like :app.cart.events/add-to-cart
-   into the require alias string: \"cart.events\". Matches the
-   dot-notation alias convention used elsewhere in the generator.
-
-   The group segment is passed through `actions/name->ns-segment`
-   so an action-ref that was committed before the
-   `bareforge.doc.actions/action-ref` canonicalisation fix (e.g.
-   `:app.Dashboard.events/tick` in an older doc) still emits a
-   lowercase require — `[app.dashboard.events :as dashboard.events]`
-   matching the file at `src/app/dashboard/events.cljs`."
-  [ref]
-  (let [ns         (namespace ref)
-        first-dot  (.indexOf ns ".")
-        last-dot   (.lastIndexOf ns ".")
-        group-seg  (subs ns (inc first-dot) last-dot)
-        suffix     (subs ns last-dot)]   ;; ".events" or ".subs"
-    (str (actions/name->ns-segment group-seg) suffix)))
+(def ^:private action-ref->alias
+  "Shared action-ref → require-alias helper. Lives in the export
+   model so the cljs and vanilla-js plugins agree byte-for-byte on
+   the canonical form (see `em/action-ref-canonical-ns` for why)."
+  em/action-ref-alias)
 
 ;; --- :write / :read-write binding → DOM event handler ---------------------
 ;;
@@ -390,7 +377,12 @@
    template sub-group emits its iteration form; later encounters
    return nil so a parent with N seed-backed clones still emits
    one iteration. Singleton sub-groups return the plain
-   `(<ns>.views/<ns>)` call as a `:raw` value."
+   `(<ns>.views/<ns>)` call as a `:raw` value.
+
+   Template-source resolution routes through
+   `em/resolve-template-source` — single source of truth shared with
+   the vanilla-js plugin, so both targets pick the same source for
+   every instance."
   [ctx child gname tpl? rendered-tpls]
   (let [{:keys [doc all-groups field-owner-ns-map]} ctx]
     (cond
@@ -398,24 +390,23 @@
       [nil rendered-tpls]
 
       tpl?
-      (let [;; Fall back to the (single) collection field that
-            ;; points at this template when the instance has no
-            ;; explicit :source-field / :source-sub set. Lets the
-            ;; user declare a collection + name the template
-            ;; without also having to manually wire the
-            ;; 'Rendered from' source in the inspector.
-            fallback  (when (and (nil? (:source-sub child))
-                                 (nil? (:source-field child)))
-                        (stateful-host-for-template
-                         doc all-groups gname))
-            src-field (or (:source-field child)
-                          (when fallback (keyword (:field-name fallback))))
-            field-ns  (or (get field-owner-ns-map (:source-field child))
-                          (when fallback (:ns-name fallback)))]
-        [(collection-iteration-form gname
-                                    (:source-sub child)
-                                    src-field
-                                    field-ns)
+      (let [src       (em/resolve-template-source
+                       (assoc child :ns-name gname)
+                       doc all-groups field-owner-ns-map)
+            ;; Map the resolver's :kind back onto the three values
+            ;; `collection-iteration-form` already accepts. :source-sub
+            ;; carries the explicit sub keyword; :source-field carries
+            ;; an explicit field + owner; :auto-host is the implicit
+            ;; fallback where the field-name is a string we re-key.
+            [source-sub source-field field-owner-ns]
+            (case (and src (:kind src))
+              :source-sub   [(:sub src) nil nil]
+              :source-field [nil (:field src) (:owner-ns src)]
+              :auto-host    [nil
+                             (keyword (:field-name src))
+                             (:owner-ns src)]
+              [nil nil nil])]
+        [(collection-iteration-form gname source-sub source-field field-owner-ns)
          (conj rendered-tpls gname)])
 
       :else
diff --git a/src/bareforge/export/model.cljs b/src/bareforge/export/model.cljs
index 9d45229..caaf94c 100644
--- a/src/bareforge/export/model.cljs
+++ b/src/bareforge/export/model.cljs
@@ -64,6 +64,39 @@
                ns-name)]
     [pick (conj seen pick)]))
 
+;; --- action-ref canonicalisation -----------------------------------------
+
+(defn action-ref-canonical-ns
+  "Canonicalise an action-ref qualified keyword's namespace so the
+   group segment matches the rest of the generator. An action-ref
+   committed before the canonicalisation fix can carry the raw
+   user-typed name (`:app.Dashboard.events/tick`); every other
+   generator path (file paths, ns forms, db aliases) uses
+   `name->ns-segment` to lowercase / dash-collapse it. Without this
+   pass, dispatch fires on a key the registry doesn't know.
+
+   Single source of truth for both plugins (`cljs_project` and
+   `vanilla_js`). Returns the full canonical namespace string —
+   e.g. `\"app.dashboard.events\"`."
+  [ref]
+  (let [ns        (namespace ref)
+        first-dot (.indexOf ns ".")
+        last-dot  (.lastIndexOf ns ".")
+        app-pref  (subs ns 0 (inc first-dot))
+        grp-seg   (subs ns (inc first-dot) last-dot)
+        suffix    (subs ns last-dot)]
+    (str app-pref (name->ns-segment grp-seg) suffix)))
+
+(defn action-ref-alias
+  "The require-alias string for an action-ref qualified keyword:
+   `action-ref-canonical-ns` with the leading `app.` prefix stripped.
+   Used by the CLJS plugin as the `[<canonical> :as <alias>]` form.
+
+   `:app.Dashboard.events/tick` → `\"dashboard.events\"`."
+  [ref]
+  (let [ns (action-ref-canonical-ns ref)]
+    (subs ns (inc (.indexOf ns ".")))))
+
 ;; --- group detection -----------------------------------------------------
 
 (defn- named-node?
diff --git a/src/bareforge/export/vanilla_js/codegen.cljs b/src/bareforge/export/vanilla_js/codegen.cljs
index df48721..2ba0dc3 100644
--- a/src/bareforge/export/vanilla_js/codegen.cljs
+++ b/src/bareforge/export/vanilla_js/codegen.cljs
@@ -562,18 +562,9 @@
   [trigger {:keys [template-record-sym template-field-syms]
             :as   ctx}]
   (let [aref    (:action-ref trigger)
-        ;; Canonicalise the action-ref's group segment: an older doc
-        ;; can carry `:app.Dashboard.events/tick` (raw user-typed
-        ;; name) while the registry id was built from the lowercased
-        ;; `:ns-name` — without this, `dispatch` fires on a key the
-        ;; registry doesn't know.
-        alias   (let [ns        (namespace aref)
-                      first-dot (.indexOf ns ".")
-                      last-dot  (.lastIndexOf ns ".")
-                      app-pref  (subs ns 0 (inc first-dot))
-                      grp       (subs ns (inc first-dot) last-dot)
-                      suffix    (subs ns last-dot)]
-                  (str app-pref (actions/name->ns-segment grp) suffix))
+        ;; Shared with the CLJS plugin via em/action-ref-canonical-ns,
+        ;; so the two emitters dispatch on identical alias strings.
+        alias   (em/action-ref-canonical-ns aref)
         ename   (cljs.core/name aref)
         payload (:payload trigger)
         args    (cond
diff --git a/src/bareforge/main.cljs b/src/bareforge/main.cljs
index f92c7ad..87ef366 100644
--- a/src/bareforge/main.cljs
+++ b/src/bareforge/main.cljs
@@ -3,6 +3,7 @@
             [bareforge.doc.ops :as ops]
             [bareforge.state :as state]
             [bareforge.storage.indexeddb :as idb]
+            [bareforge.storage.project-file :as pf]
             [bareforge.ui.app :as app]
             [bareforge.ui.inspector.tokens :as inspector-tokens]
             [bareforge.ui.welcome-tour :as welcome-tour]
@@ -23,16 +24,30 @@
                                       :attrs {"variant" "body1"}})]
     (state/commit! doc-2)))
 
+(defn- finish-init! [restored?]
+  (when-not restored? (seed-document!))
+  (idb/install-autosave!)
+  ;; First-run only: opens the tour when the seen flag is missing.
+  ;; Re-launch lives on the File menu.
+  (welcome-tour/maybe-auto-open!))
+
 (defn ^:export init
   []
   (baredom/register!)
   (inspector-tokens/install-token-datalists!)
   (app/mount! (u/by-id "app"))
   (-> (idb/restore!)
-      (.then (fn [restored?]
-               (when-not restored?
-                 (seed-document!))
-               (idb/install-autosave!)
-               ;; First-run only: opens the tour when the seen flag
-               ;; is missing. Re-launch lives on the File menu.
-               (welcome-tour/maybe-auto-open!)))))
+      (.then (fn [parsed]
+               ;; `parsed` is the raw IDB payload (or nil). The
+               ;; load-boundary policy lives in project-file/apply-
+               ;; autosave!, which runs spec + sanitiser before
+               ;; touching state.
+               (let [restored? (boolean (and parsed (pf/apply-autosave! parsed)))]
+                 (finish-init! restored?))))
+      (.catch (fn [^js err]
+                ;; A rejection in the chain (deserialize, validation,
+                ;; or install) shouldn't strand the user on a blank
+                ;; page. Seed the document, install the watcher, and
+                ;; log enough detail for a dev to follow up.
+                (js/console.error "init failed; falling back to empty doc" err)
+                (finish-init! false)))))
diff --git a/src/bareforge/storage/indexeddb.cljs b/src/bareforge/storage/indexeddb.cljs
index a9de375..2126cc3 100644
--- a/src/bareforge/storage/indexeddb.cljs
+++ b/src/bareforge/storage/indexeddb.cljs
@@ -12,24 +12,35 @@
 
 ;; --- pure ----------------------------------------------------------------
 
+(def ^:const supported-version
+  "Schema version this build writes and accepts. Bump in lockstep with
+   any breaking change to `serialize` output. A reader that sees an
+   unknown version refuses to load rather than partially installing the
+   wrong shape — load failure is recoverable (the user falls back to
+   the file-open path), silent corruption is not."
+  1)
+
 (defn serialize
   "Project the persistable slice of app-state. Only :document and
    :theme survive a reload — history, selection, mode, and ui are
    all reset when the page loads."
   [app-state]
   {:format   "bareforge-project"
-   :version  1
+   :version  supported-version
    :document (:document app-state)
    :theme    (:theme app-state)})
 
 (defn deserialize
   "Parse an EDN string previously written by `serialize`. Returns nil
-   for anything that fails to parse or fails the format check."
+   for anything that fails to parse, fails the format check, or
+   carries an unsupported `:version`. Strict version match (no
+   silent fallback) so a future bump fails loud."
   [raw]
   (try
     (let [v (edn/read-string raw)]
       (when (and (map? v)
                  (= "bareforge-project" (:format v))
+                 (= supported-version (:version v))
                  (contains? v :document))
         v))
     (catch :default _ nil)))
@@ -111,13 +122,35 @@
         (fn [^js db]
           (let [payload (pr-str (serialize @state/app-state))]
             (write-value db autosave-key payload))))
-      (.catch (fn [^js err] (js/console.warn "autosave failed" err)))))
+      (.then (fn [_]
+               ;; Clear a previously-set failure flag so the UI's
+               ;; warning indicator disappears as soon as autosave
+               ;; recovers (e.g. user freed quota by deleting old
+               ;; projects in another tab).
+               (when (get-in @state/app-state [:ui :autosave-failed?])
+                 (state/assoc-ui! :autosave-failed? false))))
+      (.catch (fn [^js err]
+                (js/console.warn "autosave failed" err)
+                ;; Surface the failure as a UI flag so a toolbar /
+                ;; status component can warn the user — a silent
+                ;; console.warn lets them believe their work is safe
+                ;; when it isn't.
+                (state/assoc-ui! :autosave-failed? true)))))
 
 (defn- schedule-save! []
   (cancel-timer!)
   (unchecked-set autosave-timer "id"
                  (js/setTimeout save-now! autosave-delay-ms)))
 
+(defn cancel-autosave-timer!
+  "Cancel any pending autosave write. Callers on the load path
+   (`project-file/apply-loaded-project!`) use this to drop the timer
+   the watcher just armed when swapping in a freshly opened file —
+   otherwise the pending `save-now!` fires after `clear-autosave!`
+   completes and re-populates the autosave slot."
+  []
+  (cancel-timer!))
+
 (defn install-autosave!
   "Install the autosave watcher on `state/app-state`. Writes trigger
    on `:document` or `:theme` changes, debounced by 750 ms."
@@ -131,28 +164,25 @@
 ;; --- restore --------------------------------------------------------------
 
 (defn restore!
-  "Attempt to restore the last autosave into `state/app-state`. Returns
-   a JS Promise resolving to true when content was restored, false
-   otherwise (no autosave present or parse/read failure)."
+  "Read the persisted autosave from IDB and resolve to the parsed
+   project payload (already deserialised + version-checked) or nil
+   when nothing is stored, parse fails, or the IDB read errors.
+
+   Does NOT install the result. The caller (see
+   `storage/project-file/apply-autosave!`) is responsible for
+   validating the payload through the same load-boundary checks the
+   file-open path uses, so a corrupted or tampered autosave can't
+   bypass spec + sanitiser."
   []
   (-> (open-db)
       (.then (fn [db]
                (unchecked-set db-ref "db" db)
                (read-value db autosave-key)))
       (.then (fn [raw]
-               (if-let [parsed (and raw (deserialize raw))]
-                 (do
-                   (swap! state/app-state
-                          (fn [s]
-                            (-> s
-                                (assoc :document (:document parsed))
-                                (assoc :theme    (or (:theme parsed) (:theme s)))
-                                (assoc :dirty?   false))))
-                   true)
-                 false)))
+               (when raw (deserialize raw))))
       (.catch (fn [^js err]
                 (js/console.warn "autosave restore failed" err)
-                false))))
+                nil))))
 
 (defn clear-autosave!
   "Remove the autosave key. Called when a fresh project is opened from
diff --git a/src/bareforge/storage/project_file.cljs b/src/bareforge/storage/project_file.cljs
index 791757e..618c849 100644
--- a/src/bareforge/storage/project_file.cljs
+++ b/src/bareforge/storage/project_file.cljs
@@ -71,7 +71,11 @@
                (assoc-in [:history :future] [])
                (assoc    :dirty?    false)
                (assoc-in [:project-file :name]
-                         (or filename "untitled.json"))))))
+                         (or filename "untitled.json")))))
+  ;; The swap above fires the autosave watcher synchronously, arming
+  ;; a 750ms timer. Cancel it so the immediately-following
+  ;; `clear-autosave!` isn't re-clobbered by a stale `save-now!`.
+  (idb/cancel-autosave-timer!))
 
 (defn validate-project
   "Pure: check a deserialized project payload against
@@ -200,3 +204,31 @@
             (-> (state/initial-state)
                 (assoc :theme theme))))
   (idb/clear-autosave!))
+
+(defn apply-autosave!
+  "Install a parsed autosave `parsed` payload into `state/app-state`
+   after the same load-boundary checks the file-open path runs.
+   Returns true on success; false (with a console error naming the
+   findings) when the payload fails spec or sanitiser checks. Unlike
+   `apply-loaded-project!`, this leaves `:selection`, `:history`,
+   `:dirty?`, and `:project-file` alone — the autosave restore runs
+   on a fresh page-load, so there is no other state to clear."
+  [parsed]
+  (let [classification (classify-payload parsed)]
+    (case (:status classification)
+      :ok
+      (let [safe (update parsed :document sanitize/sanitize-doc)]
+        (swap! state/app-state
+               (fn [s]
+                 (-> s
+                     (assoc :document (:document safe))
+                     (assoc :theme    (or (:theme safe) (:theme s)))
+                     (assoc :dirty?   false))))
+        true)
+
+      ;; :unparseable / :invalid / :unsafe all collapse to "refuse and
+      ;; warn" — the page-load path has no UI surface to nag the user
+      ;; with, but a console error names the offending paths so a dev
+      ;; can recover by clearing IDB or opening the original .json.
+      (do (js/console.error "Autosave restore refused" (clj->js classification))
+          false))))
diff --git a/src/bareforge/ui/toolbar.cljs b/src/bareforge/ui/toolbar.cljs
index 0d369eb..50c7475 100644
--- a/src/bareforge/ui/toolbar.cljs
+++ b/src/bareforge/ui/toolbar.cljs
@@ -19,9 +19,10 @@
 (defn toolbar-state
   "Project app-state into the subset of values the toolbar cares about."
   [app-state]
-  {:undo-disabled? (empty? (get-in app-state [:history :past]))
-   :redo-disabled? (empty? (get-in app-state [:history :future]))
-   :preview?       (= :preview (:mode app-state))})
+  {:undo-disabled?   (empty? (get-in app-state [:history :past]))
+   :redo-disabled?   (empty? (get-in app-state [:history :future]))
+   :preview?         (= :preview (:mode app-state))
+   :autosave-failed? (boolean (get-in app-state [:ui :autosave-failed?]))})
 
 ;; --- effectful ------------------------------------------------------------
 
@@ -65,14 +66,17 @@
 
 (defn- apply-toolbar-state!
   "Push derived state onto the toolbar buttons."
-  [{:keys [^js undo-btn ^js redo-btn ^js preview-btn ^js preview-text]}
-   {:keys [undo-disabled? redo-disabled? preview?]}]
+  [{:keys [^js undo-btn ^js redo-btn ^js preview-btn ^js preview-text
+           ^js autosave-warn]}
+   {:keys [undo-disabled? redo-disabled? preview? autosave-failed?]}]
   (u/set-attr! undo-btn :disabled (when undo-disabled? ""))
   (u/set-attr! redo-btn :disabled (when redo-disabled? ""))
   (u/set-attr! preview-btn :pressed (when preview? ""))
   (let [label (if preview? "Edit" "Preview")]
     (u/set-attr! preview-btn :label label)
-    (when preview-text (u/set-text! preview-text label))))
+    (when preview-text (u/set-text! preview-text label)))
+  (when autosave-warn
+    (u/set-attr! autosave-warn :hidden (when-not autosave-failed? ""))))
 
 (defn- toggle-preview! [_]
   (state/set-mode! (if (= :preview (:mode @state/app-state))
@@ -185,6 +189,15 @@
         {preview-btn :el preview-text :text-el}
         (button+text "Preview" toggle-preview!)
         theme-btn     (button "Theme" (fn [_] (when on-theme-toggle (on-theme-toggle))))
+        ;; Hidden by default; the watcher flips `hidden` when
+        ;; `:ui :autosave-failed?` is set so the user sees a quiet
+        ;; warning instead of silent data-loss risk.
+        autosave-warn (u/el :span
+                            {:class      "toolbar-autosave-warn"
+                             :title      "Autosave failed — your work may not be saved."
+                             :aria-label "Autosave failed"
+                             :hidden     ""}
+                            [(u/set-text! (u/el :span) "⚠")])
         ;; data-tour selectors so the welcome tour can target each
         ;; control individually. Avoids polluting the id namespace
         ;; for what are otherwise unique-but-anonymous buttons.
@@ -208,14 +221,15 @@
                              (u/el :img
                                    {:src "assets/bareforge_lightmode.png"
                                     :alt "Bareforge"})])
-        ;; The six top-level controls go into the navbar's "actions"
-        ;; slot. Row order: File, Templates, ↶, ↷, │, Preview, Theme.
+        ;; The seven top-level controls go into the navbar's "actions"
+        ;; slot. Row order: File, Templates, ↶, ↷, │, Preview, Theme,
+        ;; trailed by a hidden-by-default autosave-failed indicator.
         actions       (u/el :div
                             {:class "toolbar-actions"
                              :slot  "actions"}
                             [file-btn templates-btn
                              undo-btn redo-btn divider
-                             preview-btn theme-btn])
+                             preview-btn theme-btn autosave-warn])
         ;; Document title between brand and actions — goes into the
         ;; navbar's default slot. Reflects the loaded project filename
         ;; (without .json), or "untitled" when nothing is loaded.
@@ -227,10 +241,11 @@
                            :variant   "default"
                            :alignment "space-between"}
                           [brand title actions])
-        buttons     {:undo-btn      undo-btn
-                     :redo-btn      redo-btn
-                     :preview-btn   preview-btn
-                     :preview-text  preview-text}]
+        buttons     {:undo-btn       undo-btn
+                     :redo-btn       redo-btn
+                     :preview-btn    preview-btn
+                     :preview-text   preview-text
+                     :autosave-warn  autosave-warn}]
     (apply-toolbar-state! buttons (toolbar-state @state/app-state))
     (add-watch state/app-state ::toolbar
                (fn [_ _ old-state new-state]
diff --git a/test/bareforge/doc/sanitize_test.cljs b/test/bareforge/doc/sanitize_test.cljs
index 9d74fde..8bf8107 100644
--- a/test/bareforge/doc/sanitize_test.cljs
+++ b/test/bareforge/doc/sanitize_test.cljs
@@ -178,3 +178,62 @@
 (deftest sanitize-doc-leaves-clean-doc-unchanged
   (let [doc (doc-with-attr "href" "/page")]
     (is (= doc (sn/sanitize-doc doc)))))
+
+;; --- identifier-shape scanner --------------------------------------------
+;;
+;; Every doc field below is interpolated verbatim into emitted CLJS / JS
+;; source by `bareforge.export.*`. A character outside the identifier
+;; regex can break out of a string literal in the generated artifact —
+;; the load-boundary scanner refuses the file so the export pipeline
+;; never sees the smuggled value.
+
+(defn- doc-with-node [extra-keys]
+  (let [node (merge {:id "n-1" :tag "x-button" :attrs {} :props {} :slots {}
+                     :layout {:placement :flow}}
+                    extra-keys)]
+    (assoc-in (m/empty-document) [:root :slots "default"] [node])))
+
+(deftest unsafe-findings-flags-attr-key-with-quote
+  (let [f (sn/unsafe-findings
+           (doc-with-node {:attrs {"foo\")]; alert('x" "1"}}))]
+    (is (= 1 (count f)))
+    (is (str/includes? (:reason (first f)) "attr key"))))
+
+(deftest unsafe-findings-flags-binding-key-with-paren
+  (let [f (sn/unsafe-findings
+           (doc-with-node {:bindings {"open)bad" {:field :x :direction :read}}}))]
+    (is (= 1 (count f)))
+    (is (str/includes? (:reason (first f)) "binding prop name"))))
+
+(deftest unsafe-findings-flags-action-ref-with-quote
+  (let [aref (keyword "app.cart.events" "foo\"-bar")
+        f    (sn/unsafe-findings
+              (doc-with-node
+               {:events [{:trigger    "click"
+                          :action-ref aref}]}))]
+    (is (seq f))
+    (is (some #(str/includes? (:reason %) "action-ref") f))))
+
+(deftest unsafe-findings-flags-field-name-with-bracket
+  (let [bad-name (keyword "bad-name]; (do-evil)")
+        f        (sn/unsafe-findings
+                  (doc-with-node
+                   {:name   "thing"
+                    :fields [{:name bad-name :type :string}]}))]
+    (is (some #(str/includes? (:reason %) "field-def :name") f))))
+
+(deftest unsafe-findings-accepts-normal-identifiers
+  (is (empty?
+       (sn/unsafe-findings
+        (doc-with-node
+         {:name     "cart"
+          :attrs    {"variant" "primary" "data-foo" "bar"}
+          :bindings {"open" {:field :open :direction :read}
+                     "xlink:href" {:field :the-href :direction :read}}
+          :events   [{:trigger "click"
+                      :action-ref :app.cart.events/add-to-cart
+                      :payload [{:field :item-id}]}]
+          :fields   [{:name :is-open :type :boolean}]
+          :actions  [{:name      :toggle-open
+                      :operation :toggle
+                      :target-field :is-open}]})))))
diff --git a/test/bareforge/export/model_test.cljs b/test/bareforge/export/model_test.cljs
index 4c8d316..17fcd84 100644
--- a/test/bareforge/export/model_test.cljs
+++ b/test/bareforge/export/model_test.cljs
@@ -39,6 +39,22 @@
   (is (= "cart"         (em/name->ns-segment "  Cart  ")))
   (is (= "my-group"     (em/name->ns-segment "My Group!"))))
 
+(deftest action-ref-canonical-ns-lowercases-group-segment
+  (testing "canonical form already lowercase passes through unchanged"
+    (is (= "app.cart.events"
+           (em/action-ref-canonical-ns :app.cart.events/add-to-cart))))
+  (testing "raw user-typed group is normalised via name->ns-segment"
+    (is (= "app.dashboard.events"
+           (em/action-ref-canonical-ns :app.Dashboard.events/tick)))
+    (is (= "app.product-feed.events"
+           (em/action-ref-canonical-ns
+            (keyword "app.Product Feed.events" "load"))))))
+
+(deftest action-ref-alias-strips-app-prefix
+  (is (= "cart.events"      (em/action-ref-alias :app.cart.events/add-to-cart)))
+  (is (= "dashboard.events" (em/action-ref-alias :app.Dashboard.events/tick))
+      "the alias agrees with the canonical ns minus the app. prefix"))
+
 (deftest unique-ns-name-suffix-on-collision
   (let [[n1 seen1] (em/unique-ns-name "cart" #{})
         [n2 seen2] (em/unique-ns-name "cart" seen1)
diff --git a/test/bareforge/storage/indexeddb_test.cljs b/test/bareforge/storage/indexeddb_test.cljs
index 25fd835..697cc4c 100644
--- a/test/bareforge/storage/indexeddb_test.cljs
+++ b/test/bareforge/storage/indexeddb_test.cljs
@@ -50,8 +50,19 @@
   (is (nil? (idb/deserialize "{:format \"other\" :document {}}")))
   (is (nil? (idb/deserialize nil))))
 
+(deftest deserialize-rejects-unsupported-version
+  (is (nil? (idb/deserialize (pr-str {:format "bareforge-project"
+                                      :version 999
+                                      :document (m/empty-document)})))
+      "future version is refused so a build older than the writer fails
+       loud instead of partially installing an unknown shape")
+  (is (nil? (idb/deserialize (pr-str {:format "bareforge-project"
+                                      :document (m/empty-document)})))
+      "missing version is treated as unsupported — version is part of
+       the wire contract, not optional"))
+
 (deftest deserialize-accepts-minimal-valid
   (is (some? (idb/deserialize (pr-str {:format "bareforge-project"
-                                       :version 1
+                                       :version idb/supported-version
                                        :document (m/empty-document)
                                        :theme {}})))))
diff --git a/test/bareforge/ui/toolbar_test.cljs b/test/bareforge/ui/toolbar_test.cljs
index 57ef4a7..88ca988 100644
--- a/test/bareforge/ui/toolbar_test.cljs
+++ b/test/bareforge/ui/toolbar_test.cljs
@@ -23,3 +23,10 @@
 
 (deftest preview-flag-flips
   (is (true? (:preview? (toolbar/toolbar-state (assoc (state/initial-state) :mode :preview))))))
+
+(deftest autosave-failed-flag-tracks-ui-flag
+  (is (false? (:autosave-failed? (toolbar/toolbar-state (state/initial-state))))
+      "fresh state has no autosave failure")
+  (let [s (assoc-in (state/initial-state) [:ui :autosave-failed?] true)]
+    (is (true? (:autosave-failed? (toolbar/toolbar-state s)))
+        "flag bubbles up so the toolbar can show a warning indicator")))