nothumanallowed 12.7.0 → 13.2.13

package/src/config.mjs

@@ -109,16 +109,6 @@ const DEFAULT_CONFIG = {
   slack: {
     token: '',
   },
-  emailAccounts: [
-    // Example:
-    // {
-    //   label: 'Work',
-    //   address: 'you@company.com',
-    //   imap: { host: 'imap.company.com', port: 993, user: 'you@company.com', pass: '', tls: true },
-    //   smtp: { host: 'smtp.company.com', port: 587, user: 'you@company.com', pass: '', tls: false },
-    //   isDefault: false,
-    // }
-  ],
   profile: {
     name: '',
     email: '',
@@ -298,42 +288,6 @@ export function setConfigValue(key, value) {
     'language': 'language',
   };
 
-  // Special handler for email account management
-  if (key.startsWith('email-add')) {
-    // nha config set email-add "label|address|imap-host|imap-port|imap-user|imap-pass|smtp-host|smtp-port|smtp-user|smtp-pass"
-    const parts = value.split('|').map(p => p.trim());
-    if (parts.length < 6) return false;
-    const [label, address, imapHost, imapPort, imapUser, imapPass, smtpHost, smtpPort, smtpUser, smtpPass] = parts;
-    if (!config.emailAccounts) config.emailAccounts = [];
-    config.emailAccounts.push({
-      label: label || 'Email',
-      address: address || imapUser,
-      imap: { host: imapHost, port: parseInt(imapPort) || 993, user: imapUser, pass: imapPass, tls: true },
-      smtp: smtpHost ? { host: smtpHost, port: parseInt(smtpPort) || 587, user: smtpUser || imapUser, pass: smtpPass || imapPass, tls: false } : null,
-      isDefault: config.emailAccounts.length === 0,
-    });
-    saveConfig(config);
-    return true;
-  }
-
-  if (key === 'email-remove') {
-    if (!config.emailAccounts) return false;
-    const idx = parseInt(value);
-    if (isNaN(idx) || idx < 0 || idx >= config.emailAccounts.length) return false;
-    config.emailAccounts.splice(idx, 1);
-    saveConfig(config);
-    return true;
-  }
-
-  if (key === 'email-default') {
-    if (!config.emailAccounts) return false;
-    const idx = parseInt(value);
-    if (isNaN(idx) || idx < 0 || idx >= config.emailAccounts.length) return false;
-    config.emailAccounts.forEach((a, i) => a.isDefault = i === idx);
-    saveConfig(config);
-    return true;
-  }
-
   const resolved = aliases[key] || key;
   const resolvedParts = resolved.split('.');
 

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '12.7.0';
+export const VERSION = '13.2.13';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/services/google-oauth.mjs

@@ -44,14 +44,9 @@ function generatePKCE() {
 function openBrowser(url) {
   const platform = os.platform();
   try {
-    if (platform === 'darwin') {
-      execSync(`open "${url}"`);
-    } else if (platform === 'win32') {
-      // Use rundll32 — more reliable than 'start' in batch/npm contexts
-      execSync(`rundll32 url.dll,FileProtocolHandler "${url}"`);
-    } else {
-      execSync(`xdg-open "${url}"`);
-    }
+    if (platform === 'darwin') execSync(`open "${url}"`);
+    else if (platform === 'win32') execSync(`start "" "${url}"`);
+    else execSync(`xdg-open "${url}"`);
   } catch {
     warn('Could not open browser automatically.');
     info(`Open this URL manually:\n\n  ${url}\n`);

package/src/services/llm.mjs

@@ -252,12 +252,24 @@ export async function callNHA(apiKey, model, systemPrompt, userMessage, stream =
     }
   } catch {}
 
+  // Sanitize content before sending through SENTINEL — strip patterns that trigger WAF
+  // (backticks, template literals, SSTI patterns) without affecting semantics
+  const sanitizeForSentinel = (s) => String(s || '')
+    .replace(/`/g, "'")                         // backtick → single quote
+    .replace(/\$\{([^}]*)\}/g, '[$1]')          // ${expr} → [expr]
+    .replace(/\{\{([^}]*)\}\}/g, '{$1}')        // {{expr}} → {expr}
+    .replace(/\{%([^%]*)%\}/g, '{$1}')          // {% expr %} → { expr }
+    .replace(/<!ENTITY/gi, '&lt;!ENTITY')       // XXE
+    .replace(/SYSTEM\s+["']/gi, 'SYSTEM ')      // XXE SYSTEM
+    .replace(/\|\|\(/g, '||(')                  // LDAP (cosmetic, non-breaking)
+    .replace(/\)\|\|/g, ')||');                 // LDAP
+
   const body = {
     model: model || '/opt/models/qwen3-32b',
     max_tokens: thinkingEnabled ? 8192 : 4096,
     messages: [
-      { role: 'system', content: systemPrompt },
-      { role: 'user', content: userMessage },
+      { role: 'system', content: sanitizeForSentinel(systemPrompt) },
+      { role: 'user', content: sanitizeForSentinel(userMessage) },
     ],
     stream,
     chat_template_kwargs: { enable_thinking: thinkingEnabled },
@@ -318,7 +330,7 @@ export function getApiKey(config, provider) {
  * @returns {Promise<string>} The LLM response text.
  */
 export async function callLLM(config, systemPrompt, userMessage, opts = {}) {
-  const provider = opts.provider || config.llm.provider || 'anthropic';
+  const provider = opts.provider || config.llm.provider || (config.llm.apiKey ? 'anthropic' : 'nha');
   const model = opts.model || config.llm.model || null;
   const apiKey = getApiKey(config, provider);
   if (!apiKey) throw new Error(`No API key for ${provider}`);
@@ -443,7 +455,7 @@ export async function callLLMVision(config, systemPrompt, userMessage, media) {
  * @returns {Promise<string>} The full LLM response text.
  */
 export async function callLLMStream(config, systemPrompt, userMessage, onToken, opts = {}) {
-  const provider = opts.provider || config.llm.provider || 'anthropic';
+  const provider = opts.provider || config.llm.provider || (config.llm.apiKey ? 'anthropic' : 'nha');
   const model = opts.model || config.llm.model || null;
   const apiKey = getApiKey(config, provider);
   if (!apiKey) throw new Error(`No API key for ${provider}`);
@@ -474,6 +486,59 @@ export async function callLLMStream(config, systemPrompt, userMessage, onToken,
     return text;
   }
 
+  // NHA Free tier: delegate entirely to callNHA which handles sanitization,
+  // thinking config, and the proxy correctly — then wrap with callback
+  if (provider === 'nha') {
+    // callNHA with stream=true returns the streamSSE result (async iterable/text)
+    // We need callback-based streaming, so use streamSSEWithCallback directly
+    // after building the sanitized body ourselves
+    const sanitize = (s) => String(s || '')
+      .replace(/`/g, "'")
+      .replace(/\$\{([^}]*)\}/g, '[$1]')
+      .replace(/\{\{([^}]*)\}\}/g, '{$1}')
+      .replace(/\{%([^%]*)%\}/g, '{$1}')
+      .replace(/<!ENTITY/gi, '&lt;!ENTITY')
+      .replace(/SYSTEM\s+["']/gi, 'SYSTEM ')
+      .replace(/\|\|\(/g, '||(')
+      .replace(/\)\|\|/g, ')||');
+
+    let thinkingEnabled = false;
+    try {
+      const fs2 = await import('fs');
+      const path2 = await import('path');
+      const os2 = await import('os');
+      const cfgFile2 = path2.default.join(os2.default.homedir(), '.nha', 'config.json');
+      if (fs2.default.existsSync(cfgFile2)) {
+        const cfg2 = JSON.parse(fs2.default.readFileSync(cfgFile2, 'utf-8'));
+        thinkingEnabled = cfg2.thinking === true || cfg2.thinking === 'on' || cfg2.thinking === 'true';
+      }
+    } catch {}
+
+    const nhaBody = {
+      model: model || '/opt/models/qwen3-32b',
+      max_tokens: thinkingEnabled ? 8192 : 4096,
+      messages: [
+        { role: 'system', content: sanitize(systemPrompt) },
+        { role: 'user', content: sanitize(userMessage) },
+      ],
+      stream: true,
+      chat_template_kwargs: { enable_thinking: thinkingEnabled },
+    };
+    const nhaRes = await fetch('https://nothumanallowed.com/api/v1/liara/chat', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(nhaBody),
+    });
+    if (!nhaRes.ok) {
+      const err = await nhaRes.text();
+      throw new Error(`NHA Free ${nhaRes.status}: ${err}`);
+    }
+    // Node.js native fetch ReadableStream closes after first TCP buffer for SSE.
+    // Use res.text() to get the full response, then parse SSE lines synchronously.
+    const rawText = await nhaRes.text();
+    return parseSSEText(rawText, 'openai', onToken);
+  }
+
   const format = provider === 'anthropic' ? 'anthropic' : 'openai';
   const body = buildRequestBody(provider, model, systemPrompt, userMessage, true);
   const url = getProviderUrl(provider, model, apiKey);
@@ -558,12 +623,62 @@ function getProviderHeaders(provider, apiKey) {
   };
 }
 
+/** Parse a complete SSE text body (already read via res.text()) and call onToken per token. */
+function parseSSEText(text, format, onToken) {
+  let fullText = '';
+  let thinkBuf = '';
+  let inThink = false;
+
+  for (const line of text.split('\n')) {
+    if (!line.startsWith('data: ')) continue;
+    const data = line.slice(6).trim();
+    if (data === '[DONE]') continue;
+
+    try {
+      const json = JSON.parse(data);
+      let chunk = '';
+      if (format === 'anthropic') {
+        if (json.type === 'content_block_delta') chunk = json.delta?.text || '';
+      } else {
+        chunk = json.choices?.[0]?.delta?.content || '';
+      }
+
+      if (chunk) {
+        thinkBuf += chunk;
+        let out = '';
+        while (thinkBuf.length > 0) {
+          if (inThink) {
+            const end = thinkBuf.indexOf('</think>');
+            if (end === -1) { thinkBuf = ''; break; }
+            inThink = false;
+            thinkBuf = thinkBuf.slice(end + 8);
+          } else {
+            const start = thinkBuf.indexOf('<think>');
+            if (start === -1) { out += thinkBuf; thinkBuf = ''; break; }
+            out += thinkBuf.slice(0, start);
+            inThink = true;
+            thinkBuf = thinkBuf.slice(start + 7);
+          }
+        }
+        if (out) {
+          fullText += out;
+          if (onToken) onToken(out);
+        }
+      }
+    } catch {}
+  }
+
+  return fullText;
+}
+
 /** SSE stream parser with onToken callback (does NOT write to stdout directly) */
 async function streamSSEWithCallback(res, format, onToken) {
   const reader = res.body.getReader();
   const decoder = new TextDecoder();
   let buffer = '';
   let fullText = '';
+  let thinkBuf = '';    // accumulates <think>...</think> content to suppress
+  let inThink = false;
 
   while (true) {
     const { done, value } = await reader.read();
@@ -591,8 +706,27 @@ async function streamSSEWithCallback(res, format, onToken) {
         }
 
         if (chunk) {
-          fullText += chunk;
-          if (onToken) onToken(chunk);
+          // Filter out <think>...</think> blocks from Qwen3 thinking mode
+          thinkBuf += chunk;
+          let out = '';
+          while (thinkBuf.length > 0) {
+            if (inThink) {
+              const end = thinkBuf.indexOf('</think>');
+              if (end === -1) { thinkBuf = ''; break; } // still inside think block
+              inThink = false;
+              thinkBuf = thinkBuf.slice(end + 8);
+            } else {
+              const start = thinkBuf.indexOf('<think>');
+              if (start === -1) { out += thinkBuf; thinkBuf = ''; break; }
+              out += thinkBuf.slice(0, start);
+              inThink = true;
+              thinkBuf = thinkBuf.slice(start + 7);
+            }
+          }
+          if (out) {
+            fullText += out;
+            if (onToken) onToken(out);
+          }
         }
       } catch {}
     }

package/src/services/tool-executor.mjs

@@ -55,8 +55,6 @@ export const DESTRUCTIVE_ACTIONS = new Set([
   'gmail_send_attach',
   'gmail_reply',
   'gmail_delete',
-  'email_send',
-  'outreach_campaign',
   'calendar_create',
   'calendar_move',
   'calendar_update',
@@ -94,42 +92,11 @@ CRITICAL: Never output a JSON block as a "suggestion" or "let me try" — every
 
 TOOLS:
 
---- EMAIL (Gmail) ---
+--- EMAIL ---
 
 1. gmail_list(query: string, maxResults?: number)
-   Search Gmail. query uses Gmail search syntax (e.g. "from:boss@co.com", "is:unread subject:invoice").
+   Search emails. query uses Gmail search syntax (e.g. "from:boss@co.com", "is:unread subject:invoice").
    Default maxResults = 10.
-   NOTE: For non-Gmail accounts use email_list instead.
-
---- EMAIL (Multi-Provider IMAP/SMTP) ---
-
-email_accounts()
-  List all configured email accounts (Gmail + IMAP/SMTP).
-
-email_list(account?: string, limit?: number)
-  List recent messages from an IMAP email account. If account not specified, lists all accounts.
-  account can be the label ("Work") or address ("you@company.com") or index (1, 2, 3).
-  Read-only: NEVER deletes or modifies messages on the server.
-
-email_read(messageId: string, account?: string)
-  Read a single message by ID from an IMAP account.
-
-email_send(to: string, subject: string, body: string, from?: string, cc?: string, bcc?: string)
-  Send email via SMTP. If 'from' specified, uses that account's SMTP. Otherwise uses default account.
-  ALWAYS confirm with the user before sending.
-
-find_contact_email(url: string)
-  Scrape a website to find contact email addresses. Checks /contact, /about, /contatti, home page.
-  Returns list of email addresses found.
-
-outreach_campaign(query: string, subject: string, template: string, maxSites?: number)
-  Full market research pipeline: search → find contact emails → prepare campaign.
-  1. Searches the web for businesses matching the query
-  2. Visits each site's contact page to extract emails
-  3. Returns a report with all found emails + template preview
-  Does NOT send automatically — reports findings and waits for user confirmation.
-
---- EMAIL (Gmail) continued ---
 
 2. gmail_read(messageId: string)
    Read the full body of an email by its ID (returned by gmail_list).
@@ -853,149 +820,6 @@ export async function executeTool(action, params, config) {
       return `Email sent to ${params.to} with attachment "${downloaded.name}" (${formatFileSize(downloaded.size)}).`;
     }
 
-    // ── IMAP/SMTP Multi-Provider Email ────────────────────────────────────
-    case 'email_accounts': {
-      const { getEmailAccounts } = await import('./imap-email.mjs');
-      const accounts = getEmailAccounts(config);
-      if (accounts.length === 0) return 'No email accounts configured. Use "nha config set email-add" to add one, or configure in Settings.';
-      return accounts.map((a, i) => `${i + 1}. ${a.label || 'Email'} <${a.address}>${a.isDefault ? ' (default)' : ''}`).join('\n');
-    }
-
-    case 'email_list': {
-      const { listAllInboxes, listImapMessages, getEmailAccounts } = await import('./imap-email.mjs');
-      const accounts = getEmailAccounts(config);
-      if (accounts.length === 0) return 'No email accounts configured.';
-
-      // If account specified, use it; otherwise list all
-      if (params.account) {
-        const acct = accounts.find(a => a.label === params.account || a.address === params.account) || accounts[parseInt(params.account) - 1];
-        if (!acct) return `Account "${params.account}" not found.`;
-        const msgs = await listImapMessages(acct, params.limit || 10);
-        return msgs.length === 0 ? `No messages in ${acct.label || acct.address}.`
-          : `${acct.label || acct.address} (${msgs.length} messages):\n\n` + msgs.map((m, i) =>
-            `${i + 1}. ${m.seen ? '' : '[NEW] '}${m.from}\n   ${m.subject}\n   ${m.date}`).join('\n\n');
-      }
-
-      const all = await listAllInboxes(config, params.limit || 10);
-      return all.map(a => {
-        if (a.error) return `${a.account}: Error — ${a.error}`;
-        if (a.messages.length === 0) return `${a.account}: No messages.`;
-        return `${a.account} (${a.messages.length}):\n` + a.messages.map((m, i) =>
-          `  ${i + 1}. ${m.seen ? '' : '[NEW] '}${m.from} — ${m.subject}`).join('\n');
-      }).join('\n\n');
-    }
-
-    case 'email_read': {
-      const { readImapMessage, getEmailAccounts } = await import('./imap-email.mjs');
-      const accounts = getEmailAccounts(config);
-      if (!params.messageId) return 'messageId required.';
-      const acct = params.account
-        ? accounts.find(a => a.label === params.account || a.address === params.account) || accounts[0]
-        : accounts[0];
-      if (!acct) return 'No email accounts configured.';
-      const body = await readImapMessage(acct, params.messageId);
-      return body || 'Empty message.';
-    }
-
-    case 'email_send': {
-      const { sendSmtpEmail, getEmailAccounts } = await import('./imap-email.mjs');
-      const accounts = getEmailAccounts(config);
-      if (!params.to || !params.subject) return 'to and subject required.';
-
-      // Find the account to send from
-      let acct;
-      if (params.from) {
-        acct = accounts.find(a => a.address === params.from || a.label === params.from);
-      }
-      if (!acct) acct = accounts.find(a => a.isDefault) || accounts[0];
-      if (!acct || !acct.smtp) return 'No SMTP account configured for sending.';
-
-      const result = await sendSmtpEmail(acct, params.to, params.subject, params.body || '', params.cc || '', params.bcc || '');
-      return result.success ? `Email sent from ${acct.address} to ${params.to}.` : 'Send failed.';
-    }
-
-    case 'find_contact_email': {
-      // Scrape a website's contact/about page to find email addresses
-      const url = params.url || params.website;
-      if (!url) return 'url required.';
-
-      const fetchModule = await import('./web-tools.mjs');
-      const contactPaths = ['/contact', '/contacts', '/contatti', '/about', '/about-us', '/chi-siamo', '/impressum', '/kontakt', ''];
-      const emails = new Set();
-
-      for (const contactPath of contactPaths) {
-        try {
-          const fullUrl = url.replace(/\/+$/, '') + contactPath;
-          const result = await fetchModule.fetchUrl(config, fullUrl);
-          if (result.error) continue;
-          const text = result.text || result.content || '';
-          // Extract emails with regex
-          const found = text.match(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g) || [];
-          found.forEach(e => {
-            const lower = e.toLowerCase();
-            // Filter out image/asset emails and common fake ones
-            if (!lower.endsWith('.png') && !lower.endsWith('.jpg') && !lower.endsWith('.gif')
-                && !lower.includes('example.com') && !lower.includes('sentry.io')
-                && !lower.includes('webpack') && !lower.includes('wixpress')) {
-              emails.add(lower);
-            }
-          });
-          if (emails.size > 0) break; // Found emails, stop searching
-        } catch { /* skip failed pages */ }
-      }
-
-      if (emails.size === 0) return `No email addresses found on ${url} (checked contact, about, home pages).`;
-      return `Found ${emails.size} email(s) on ${url}:\n${[...emails].join('\n')}`;
-    }
-
-    case 'outreach_campaign': {
-      // Full pipeline: search → find emails → send template
-      const query = params.query || params.search;
-      const template = params.template || params.body;
-      const subject = params.subject || 'Introduction';
-      if (!query) return 'query required (e.g., "Italian valve manufacturers").';
-      if (!template) return 'template required (email body text).';
-
-      // Step 1: Web search
-      const fetchModule = await import('./web-tools.mjs');
-      const searchResult = await fetchModule.webSearch(config, query, 10);
-      const urls = (searchResult.results || []).map(r => r.url).filter(Boolean).slice(0, params.maxSites || 5);
-
-      if (urls.length === 0) return 'No results found for the search query.';
-
-      // Step 2: Find emails from each site
-      const found = [];
-      for (const siteUrl of urls) {
-        try {
-          const contactPaths = ['/contact', '/contacts', '/contatti', '/about', ''];
-          for (const cp of contactPaths) {
-            const fullUrl = siteUrl.replace(/\/+$/, '') + cp;
-            const result = await fetchModule.fetchUrl(config, fullUrl);
-            const text = result.text || result.content || '';
-            const emails = text.match(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g) || [];
-            const valid = emails.filter(e => !e.endsWith('.png') && !e.includes('example.com')).map(e => e.toLowerCase());
-            if (valid.length > 0) {
-              found.push({ site: siteUrl, emails: [...new Set(valid)] });
-              break;
-            }
-          }
-        } catch { /* skip */ }
-      }
-
-      if (found.length === 0) return `Searched ${urls.length} sites but found no contact emails. Try a different search query.`;
-
-      // Step 3: Report (don't send automatically — user must confirm)
-      let report = `Found ${found.length} sites with contact emails:\n\n`;
-      found.forEach((f, i) => {
-        report += `${i + 1}. ${f.site}\n   ${f.emails.join(', ')}\n`;
-      });
-      report += `\nSubject: "${subject}"\nTemplate preview: ${template.slice(0, 200)}...\n`;
-      report += `\nTo send to all, reply: "send the campaign"`;
-      report += `\nTo send to specific ones, reply: "send to #1 and #3"`;
-
-      return report;
-    }
-
     // ── Calendar ──────────────────────────────────────────────────────────
     case 'calendar_today': {
       const events = await getTodayEvents(config);