@iletai/nzb 1.7.0 → 1.7.4

package/dist/api/server.js

@@ -6,7 +6,7 @@ import { cancelCurrentMessage, getWorkers, sendToOrchestrator } from "../copilot
 import { listSkills, removeSkill } from "../copilot/skills.js";
 import { restartDaemon } from "../daemon.js";
 import { API_TOKEN_PATH, ensureNZBHome } from "../paths.js";
-import { searchMemories } from "../store/db.js";
+import { searchMemories } from "../store/memory.js";
 import { sendPhoto } from "../telegram/bot.js";
 // Ensure token file exists (generate on first run)
 let apiToken = null;
@@ -26,9 +26,9 @@ catch (err) {
 }
 const app = express();
 app.use(express.json());
-// Bearer token authentication middleware (skip /status health check)
+// Bearer token authentication middleware (skip /ping health check only)
 app.use((req, res, next) => {
-    if (!apiToken || req.path === "/status")
+    if (!apiToken || req.path === "/ping")
         return next();
     const auth = req.headers.authorization;
     if (!auth || auth !== `Bearer ${apiToken}`) {
@@ -40,7 +40,11 @@ app.use((req, res, next) => {
 // Active SSE connections
 const sseClients = new Map();
 let connectionCounter = 0;
-// Health check
+// Minimal unauthenticated health check — no internal details
+app.get("/ping", (_req, res) => {
+    res.json({ status: "ok" });
+});
+// Authenticated status with worker details
 app.get("/status", (_req, res) => {
     res.json({
         status: "ok",
@@ -73,8 +77,23 @@ app.get("/stream", (req, res) => {
     sseClients.set(connectionId, res);
     // Heartbeat to keep connection alive
     const heartbeat = setInterval(() => {
-        res.write(`:ping\n\n`);
+        if (res.writableEnded || res.closed) {
+            clearInterval(heartbeat);
+            sseClients.delete(connectionId);
+            return;
+        }
+        try {
+            res.write(`:ping\n\n`);
+        }
+        catch {
+            clearInterval(heartbeat);
+            sseClients.delete(connectionId);
+        }
     }, 20_000);
+    res.on("error", () => {
+        clearInterval(heartbeat);
+        sseClients.delete(connectionId);
+    });
     req.on("close", () => {
         clearInterval(heartbeat);
         sseClients.delete(connectionId);
@@ -175,7 +194,12 @@ app.post("/restart", (_req, res) => {
 app.post("/send-photo", async (req, res) => {
     const { photo, caption } = req.body;
     if (!photo || typeof photo !== "string") {
-        res.status(400).json({ error: "Missing 'photo' (file path or URL) in request body" });
+        res.status(400).json({ error: "Missing 'photo' (file path or HTTPS URL) in request body" });
+        return;
+    }
+    // Basic input validation before passing to sendPhoto
+    if (photo.startsWith("http://")) {
+        res.status(400).json({ error: "Only HTTPS URLs are allowed for photos" });
         return;
     }
     try {
@@ -187,6 +211,13 @@ app.post("/send-photo", async (req, res) => {
         res.status(500).json({ error: msg });
     }
 });
+// Global error handler — catch unhandled Express errors
+app.use((err, _req, res, _next) => {
+    console.error("[nzb] Express error:", err.message);
+    if (!res.headersSent) {
+        res.status(500).json({ error: "Internal server error" });
+    }
+});
 export function startApiServer() {
     return new Promise((resolve, reject) => {
         const server = app.listen(config.apiPort, "127.0.0.1", () => {

package/dist/cli.js

@@ -28,6 +28,7 @@ function getVersion() {
         return pkg.version || "0.0.0";
     }
     catch {
+        // Expected: package.json may not be found in dev/bundled environments
         return "0.0.0";
     }
 }

package/dist/config.js

@@ -38,6 +38,14 @@ if (!Number.isInteger(parsedWorkerTimeout) || parsedWorkerTimeout <= 0) {
 }
 const parsedLogChannelId = raw.LOG_CHANNEL_ID ? raw.LOG_CHANNEL_ID.trim() : undefined;
 export const DEFAULT_MODEL = "claude-sonnet-4.6";
+function validateEnum(value, validValues, defaultValue, name) {
+    if (!value)
+        return defaultValue;
+    if (validValues.includes(value))
+        return value;
+    console.log(`[nzb] Invalid ${name} value "${value}", using default "${defaultValue}"`);
+    return defaultValue;
+}
 let _copilotModel = raw.COPILOT_MODEL || DEFAULT_MODEL;
 export const config = {
     telegramBotToken: raw.TELEGRAM_BOT_TOKEN,
@@ -65,15 +73,15 @@ export const config = {
         process.env.SHOW_REASONING = value ? "true" : "false";
     },
     /** Usage display mode: off | tokens | full */
-    usageMode: (process.env.USAGE_MODE || "off"),
+    usageMode: validateEnum(process.env.USAGE_MODE, ["off", "tokens", "full"], "off", "USAGE_MODE"),
     /** Verbose mode: when on, instructs the AI to be more detailed */
     verboseMode: process.env.VERBOSE_MODE === "true",
     /** Thinking level: off | low | medium | high */
-    thinkingLevel: (process.env.THINKING_LEVEL || "off"),
+    thinkingLevel: validateEnum(process.env.THINKING_LEVEL, ["off", "low", "medium", "high"], "off", "THINKING_LEVEL"),
     /** Group chat: when true, bot only responds when mentioned in groups */
     groupMentionOnly: process.env.GROUP_MENTION_ONLY !== "false",
     /** Reasoning effort: low | medium | high */
-    reasoningEffort: (process.env.REASONING_EFFORT || "medium"),
+    reasoningEffort: validateEnum(process.env.REASONING_EFFORT, ["low", "medium", "high"], "medium", "REASONING_EFFORT"),
 };
 /** Persist an env variable to ~/.nzb/.env */
 export function persistEnvVar(key, value) {
@@ -94,6 +102,7 @@ export function persistEnvVar(key, value) {
         writeFileSync(ENV_PATH, updated.join("\n"));
     }
     catch {
+        // Expected: .env file may not exist yet on first run
         writeFileSync(ENV_PATH, `${key}=${value}\n`);
     }
 }

package/dist/copilot/client.js

@@ -1,4 +1,5 @@
 import { CopilotClient } from "@github/copilot-sdk";
+import { withTimeout } from "../utils.js";
 let client;
 /** Coalesces concurrent resetClient() calls into a single reset operation. */
 let pendingResetPromise;
@@ -7,7 +8,7 @@ export async function getClient() {
         client = new CopilotClient({
             autoStart: true,
         });
-        await client.start();
+        await withTimeout(client.start(), 30_000, "client.start()");
     }
     return client;
 }
@@ -16,27 +17,27 @@ export async function resetClient() {
     if (pendingResetPromise)
         return pendingResetPromise;
     pendingResetPromise = (async () => {
-        if (client) {
-            try {
-                await client.stop();
+        try {
+            if (client) {
+                try {
+                    await withTimeout(client.stop(), 10_000, "client.stop()");
+                }
+                catch (err) {
+                    console.error("[nzb] Error stopping client during reset:", err);
+                }
+                client = undefined;
             }
-            catch {
-                /* best-effort */
-            }
-            client = undefined;
+            return await getClient();
+        }
+        finally {
+            pendingResetPromise = undefined;
         }
-        return getClient();
     })();
-    try {
-        return await pendingResetPromise;
-    }
-    finally {
-        pendingResetPromise = undefined;
-    }
+    return pendingResetPromise;
 }
 export async function stopClient() {
     if (client) {
-        await client.stop();
+        await withTimeout(client.stop(), 10_000, "client.stop()");
         client = undefined;
     }
 }

package/dist/copilot/mcp-config.js

@@ -10,6 +10,7 @@ const isWSL = (() => {
         return readFileSync("/proc/version", "utf-8").toLowerCase().includes("microsoft");
     }
     catch {
+        // Expected: /proc/version may not exist on non-Linux systems
         return false;
     }
 })();
@@ -86,6 +87,7 @@ export function loadMcpConfig() {
         return cachedConfig;
     }
     catch {
+        // Expected: config file may not exist or be malformed
         cachedConfig = {};
         return cachedConfig;
     }