nothumanallowed 13.3.1 → 13.3.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "13.3.1",
+  "version": "13.3.2",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/commands/ui.mjs

@@ -2769,42 +2769,135 @@ export async function cmdUI(args) {
           return steps;
         };
 
-        // Use keyword plan directly — only fall back to LLM for genuinely ambiguous tasks
+        // ── Hybrid planning: keyword baseline + LLM refinement ──────────────────
+        //
+        // Strategy (3 tiers):
+        //
+        //   TIER 1 — Keyword baseline (always runs, <1ms, zero LLM):
+        //     Builds a solid plan from regex matches on the task. Reliable for all
+        //     known patterns. Already contains `reason` for each step.
+        //
+        //   TIER 2 — LLM refinement (runs when baseline ≥ 1 step OR task is non-trivial):
+        //     Receives the task + the keyword plan as context. Can ADD missing steps,
+        //     REMOVE wrong ones, REORDER, and ADJUST prompts. Does NOT build from scratch.
+        //     Falls back to keyword plan on any parse/timeout error.
+        //
+        //   TIER 3 — LLM-only fallback (runs when keyword baseline is empty):
+        //     Task had zero keyword matches → pure LLM planning with full task text.
+        //     Same fallback: on error, returns a single WebSearchAgent step.
+        //
+        // Why this is safe now: SENTINEL's /api/studio/ is an intent-aware route.
+        // Prompt injection detection is disabled for this path — the body IS the task.
+        // Encoding attacks, rate limits, and toxicity checks remain fully active.
+
         const keywordSteps = buildKeywordPlan();
-        const taskIsComplex = !hasPdf && !hasEmail && !hasCalendar && !hasSearch && !hasGitHub && !hasSlack && !hasBriefing && !hasStrategy && !hasReputation && !hasCode && !hasWriting && !hasData && keywordSteps.length <= 1;
+        const hasKeywordPlan = keywordSteps.length > 0;
+
+        // Sanitize task for LLM: strip HTML tags and control chars (defensive, not SENTINEL).
+        const sanitizedTask = task.replace(/<[^>]*>/g, ' ').replace(/[\x00-\x08\x0b\x0c\x0e-\x1f]/g, '').trim();
+
+        // Build a compact JSON representation of the keyword plan for the LLM to refine.
+        const keywordPlanJson = hasKeywordPlan
+          ? JSON.stringify(keywordSteps.map(s => ({ agent: s.agent, label: s.label, reason: s.reason || '' })))
+          : '[]';
+
+        const planConfig = Object.assign({}, config, { thinking: 'off' });
 
         try {
-          let steps;
-          if (!taskIsComplex) {
-            // Use keyword plan directly — no LLM, no SENTINEL risk
-            process.stderr.write('[STUDIO PLAN KEYWORD] steps=' + keywordSteps.length + '\n');
-            steps = keywordSteps;
-          } else {
-            // Task is ambiguous — use LLM planner with sanitized short description
-            const shortTask = task.slice(0, 200).replace(/[`'"]/g, ' ');
-            const plannerLangStr = plannerLang;
-            const planPrompt = `Workflow planner. Goal: ${shortTask}\nLanguage: ${plannerLangStr}.\nOutput ONLY JSON:\n{"steps":[{"icon":"EMOJI","agent":"AGENT_NAME","label":"LABEL","prompt":"INSTRUCTION"}]}\nAgents: WebSearchAgent, EmailAgent, CalendarAgent, HERALD, ORACLE, ATHENA, CASSANDRA, MERCURY, QUILL, CanvasAgent (last, only if visual needed). 2-5 steps.`;
-            const planConfig = Object.assign({}, config, { thinking: 'off' });
-            const planRaw = await callLLM(planConfig, 'Output ONLY valid JSON. No explanation.', planPrompt, { max_tokens: 800 });
-            process.stderr.write('[STUDIO PLAN LLM RAW] ' + planRaw.slice(0, 400) + '\n');
+          let steps = keywordSteps;
+
+          // TIER 2 / 3: always attempt LLM if we have a working LLM config
+          if (config && (config.provider || config.apiKey || config.baseUrl)) {
             try {
+              let planPrompt;
+              let planSys;
+
+              if (hasKeywordPlan) {
+                // TIER 2: refine the keyword plan
+                planSys = `You are a workflow planner for NHA Studio. Output ONLY valid JSON — no explanation, no markdown.`;
+                planPrompt = `Task: ${sanitizedTask}
+
+Keyword-detected plan (JSON):
+${keywordPlanJson}
+
+Language for labels: ${plannerLang}.
+
+Review the plan above. You may:
+- ADD steps that are clearly needed but missing
+- REMOVE steps that are wrong for this task
+- REORDER steps to fix logical sequence (e.g. Notion before email)
+- ADJUST the "prompt" field of any step to better match the task
+- KEEP steps that are correct as-is
+
+Available agents: WebSearchAgent, DocumentReaderAgent, EmailAgent, CalendarAgent, GitHubAgent, SlackAgent, NotionAgent, HERALD, ORACLE, ATHENA, CASSANDRA, MERCURY, QUILL, DataAnalystAgent, polyglot, CanvasAgent (last, only if visual output needed).
+
+Output ONLY:
+{"steps":[{"icon":"EMOJI","agent":"AGENT_NAME","label":"LABEL","reason":"WHY THIS AGENT","prompt":"INSTRUCTION"}]}
+
+Rules:
+- 2 to 6 steps maximum
+- CanvasAgent only as the final step and only for complex multi-agent analyses
+- Keep existing reasons where step is unchanged, write a new reason when you add/change a step`;
+              } else {
+                // TIER 3: pure LLM planning — zero keyword matches
+                planSys = `You are a workflow planner for NHA Studio. Output ONLY valid JSON — no explanation, no markdown.`;
+                planPrompt = `Task: ${sanitizedTask}
+
+Language for labels: ${plannerLang}.
+
+Build a workflow plan for this task.
+
+Available agents: WebSearchAgent, DocumentReaderAgent, EmailAgent, CalendarAgent, GitHubAgent, SlackAgent, NotionAgent, HERALD, ORACLE, ATHENA, CASSANDRA, MERCURY, QUILL, DataAnalystAgent, polyglot, CanvasAgent.
+
+Output ONLY:
+{"steps":[{"icon":"EMOJI","agent":"AGENT_NAME","label":"LABEL","reason":"WHY THIS AGENT","prompt":"INSTRUCTION"}]}
+
+Rules:
+- 2 to 5 steps
+- HERALD = executive synthesis when no other specialist fits
+- CanvasAgent only as the final step for complex multi-agent workflows
+- reason = one sentence explaining why this agent was chosen`;
+              }
+
+              const planRaw = await callLLM(planConfig, planSys, planPrompt, { max_tokens: 900 });
+              process.stderr.write('[STUDIO PLAN LLM RAW] mode=' + (hasKeywordPlan ? 'refine' : 'pure') + ' len=' + planRaw.length + '\n');
+
+              // Parse LLM output — strip <think> blocks (Qwen3), markdown fences, extract JSON
               let clean = planRaw;
               let prev = '';
               while (prev !== clean) { prev = clean; clean = clean.replace(/<think>[\s\S]*?<\/think>/g, ''); }
-              clean = clean.trim().replace(/^```[\w]*\r?\n?/,'').replace(/\r?\n?```$/,'').trim();
+              clean = clean.trim().replace(/^```[\w]*\r?\n?/, '').replace(/\r?\n?```$/, '').trim();
               const jsonMatch = clean.match(/\{[\s\S]*\}/);
               const parsed = JSON.parse(jsonMatch ? jsonMatch[0] : clean);
-              steps = parsed.steps;
-            } catch (parseErr) {
-              process.stderr.write('[STUDIO PLAN PARSE ERR] ' + parseErr.message + '\n');
-              steps = keywordSteps;
+
+              if (Array.isArray(parsed.steps) && parsed.steps.length > 0) {
+                // Merge: LLM steps override keyword steps. Preserve `reason` from keyword where LLM kept same agent.
+                const keywordReasonMap = {};
+                keywordSteps.forEach(s => { keywordReasonMap[s.agent] = s.reason || ''; });
+                steps = parsed.steps.map(s => ({
+                  icon: s.icon || '\u{1F916}',
+                  agent: s.agent,
+                  label: s.label,
+                  reason: s.reason || keywordReasonMap[s.agent] || '',
+                  prompt: s.prompt,
+                }));
+                process.stderr.write('[STUDIO PLAN LLM OK] steps=' + steps.length + '\n');
+              } else {
+                process.stderr.write('[STUDIO PLAN LLM EMPTY] falling back to keyword plan\n');
+              }
+            } catch (llmErr) {
+              process.stderr.write('[STUDIO PLAN LLM ERR] ' + llmErr.message + ' — using keyword plan\n');
+              // steps already = keywordSteps, no action needed
             }
+          } else {
+            process.stderr.write('[STUDIO PLAN KEYWORD ONLY] no LLM config, steps=' + keywordSteps.length + '\n');
           }
+
+          // Final safety net: if everything failed and we have nothing, single web search step
           if (!Array.isArray(steps) || !steps.length) {
-            sendJSON(res, 500, { error: 'Empty workflow plan' });
-            logRequest(method, pathname, 500, Date.now() - start);
-            return;
+            steps = [{ icon: '\u{1F50D}', agent: 'WebSearchAgent', label: plannerLang === 'Italian' ? 'Ricerca web' : 'Web search', reason: plannerLang === 'Italian' ? 'Fallback: nessun piano costruito' : 'Fallback: no plan built', prompt: sanitizedTask }];
           }
+
           sendJSON(res, 200, { steps });
           logRequest(method, pathname, 200, Date.now() - start);
         } catch (e) {

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '13.3.1';
+export const VERSION = '13.3.2';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';