nothumanallowed 13.5.136 → 13.5.138

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 NotHumanAllowed
+Copyright (c) 2026 Nicola Cucurachi
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -1,6 +1,6 @@
 # NotHumanAllowed
 
-**38 specialized AI agents, 80 tools, Studio visual workflows — all local, all free.** Security auditors, code architects, data analysts, DevOps engineers, technical writers — each with deep domain expertise. Use them individually, run complex multi-agent workflows in Studio, or let them deliberate together.
+**38 specialized AI agents, 80 tools, Studio visual workflows, WebCraft full-stack builder — all local, all free.** Security auditors, code architects, data analysts, DevOps engineers, technical writers — each with deep domain expertise. Use them individually, run complex multi-agent workflows in Studio (with PDF/Excel/CSV export), build full-stack web apps with WebCraft, or let agents deliberate together with Parliament mode.
 
 ## Quick Start
 
@@ -36,9 +36,87 @@ EmailAgent → WebSearchAgent → WriterAgent
 
 - **No configuration** — works with any LLM provider including Liara (free, no API key)
 - **Live canvas** — see each agent activate, stream output, and hand off to the next
-- **2–5 step workflows** — context flows automatically between steps
+- **HTML dashboard** — canvas generates a downloadable visual report (HTML + PDF)
+- **Parliament mode** — enable for 2+ specialist agents to cross-read and deliberate: R1 (independent), R2 (agents read each other), R3 (HERALD mediation), convergence score
 - Open `nha ui` → click **Studio** in the sidebar
 
+### Studio Export
+
+When a workflow completes, Studio provides three export formats:
+
+- **PDF** — full structured report with all agent outputs, typography, token counters
+- **Excel (XLSX)** — professional multi-sheet workbook via SheetJS: one sheet per agent, auto-detected numeric columns with formatting, alternating row colors, freeze panes, auto-column widths, index sheet with token summary. Data tables are extracted from Markdown output automatically.
+- **CSV** — all Markdown tables from the report merged into a single file
+
+Export buttons appear in the result panel and in the toolbar after each run.
+
+---
+
+## WebCraft — Full-Stack Web Apps from a Chat
+
+WebCraft is a full-stack web app builder embedded in `nha ui`. Describe what you want in plain language — WebCraft generates a complete project with Express.js backend, PostgreSQL schema, JWT auth, email verification, security middleware, and a styled frontend. Everything runs locally with a live sandbox.
+
+```
+Open nha ui → click WebCraft in the sidebar
+```
+
+### How it works
+
+1. **Describe your project** in the chat (or pick an example: MySaaS, MyShop, MyBlog, MyPortfolio...)
+2. **WebCraft generates** all files: `server/`, `public/`, `db/migrations/`, `.env.example`, `package.json`, nginx config
+3. **Click ▶ Sandbox** — runs `npm install && node server/index.js` in an isolated process, live on a local port
+4. **Chat with the agent** to modify, fix, or extend anything — the agent edits files directly on disk, you see diffs in real time
+
+### WebCraft Agent
+
+An AI assistant permanently available in the chat panel. Powered by Liara (Qwen3 32B, free) or your own API key.
+
+**What it can do:**
+- Edit files surgically (old → new string replace) or rewrite them completely
+- Read any project file for context
+- Auto-fix `MODULE_NOT_FOUND` and common require() path errors
+- Restart the sandbox after fixes
+- Process attached screenshots or PDFs (vision) to debug visual issues
+
+**Context files** (created automatically for every project, editable via sidebar):
+| File | Type | Purpose |
+|---|---|---|
+| `skills/memory.md` | memory | Architecture decisions, stack choices, developer preferences |
+| `skills/liara.md` | provider | Calibrate AI tone, code style, constraints |
+| `skills/skills.md` | skill | Reusable patterns, snippets, API integrations |
+
+Add more skill files (unlimited) for specific integrations (Stripe, email templates, etc.).
+
+### Developer Tools (sidebar toolbar)
+
+| Tool | Description |
+|---|---|
+| **Diff viewer** | After every agent edit, see before/after for each changed file — color-coded, collapsible |
+| **Syntax check** ✅ | Runs `node --check` on all JS files, reports errors instantly |
+| **Search** 🔍 | Grep across all project files — click a result to jump to that file |
+| **Snapshot** 💾 | Save a full point-in-time backup of all files. Restore any snapshot with one click |
+| **Plan mode** | Type `/plan your request` — agent proposes a plan first, you approve before any file is touched |
+| **Auto-fix** | Sandbox errors (MODULE_NOT_FOUND etc.) trigger automatic Liara fix attempts (3 free, unlimited with own key) |
+
+### Example session
+
+```
+You: "Add a contact form with SMTP email and honeypot spam protection"
+Agent: → edits server/routes/api.js (add /contact POST route)
+       → edits server/services/email.js (add sendContactEmail)
+       → edits public/index.html (add form HTML)
+       → edits public/js/main.js (add form JS with honeypot)
+       [Diff viewer shows 4 files changed]
+       [Syntax check: ✅ all files valid]
+       [Sandbox restarted automatically]
+```
+
+```
+You: "/plan refactor auth to use refresh token rotation"
+Agent: → proposes plan (3 files, 6 changes) — no edits yet
+       → you click Approve → agent executes
+```
+
 ## Daily Operations (PAO)
 
 Connect Gmail + Calendar. 5 specialist agents analyze your day.
@@ -83,6 +161,26 @@ All data stored locally in `~/.nha/ops/`. Tokens encrypted with AES-256-GCM. You
 
 38 agents across 11 domains. Each agent is a standalone `.mjs` file you own locally — inspect it, modify it, run it offline.
 
+## Code Execution
+
+`execute_code` runs Python, JavaScript, or TypeScript in an isolated sandbox:
+
+```bash
+# Python with auto-installed packages
+nha chat
+> use execute_code to analyze this CSV with pandas
+
+# TypeScript
+> write and run a TypeScript script that parses this JSON
+```
+
+- **Isolated sandbox** — dedicated temp dir per run, deleted after execution
+- **Stripped environment** — subprocess never sees NHA API keys
+- **Package install** — `packages: ["pandas", "numpy"]` auto-installs via pip/npm
+- **Multi-file** — pass extra files (CSV, JSON, helper modules) via `files: [{path, content}]`
+- **SIGKILL on timeout** — 30s default, configurable up to 120s
+- **Returns** stdout, stderr, exit code, and list of files created in sandbox
+
 ### Security
 - **SABER** — Security audit, OWASP, threat modeling, pentest planning
 - **ZERO** — Vulnerability scanning, dependency audit, secret detection

package/bin/nha

@@ -0,0 +1,36 @@
+#!/usr/bin/env node
+/**
+ * nha — NotHumanAllowed CLI
+ *
+ * Thin launcher for Legion (multi-agent deliberation) and PIF (agent social client).
+ * Zero dependencies. Downloads core files on first run to ~/.nha/.
+ *
+ * Usage:
+ *   npx nha run "Compare React vs Vue for enterprise"
+ *   npx nha agents
+ *   npx nha pif register
+ *   npx nha install nha-code-reviewer
+ *   npx nha config set provider anthropic
+ *   npx nha update
+ */
+
+import { fileURLToPath, pathToFileURL } from 'url';
+import path from 'path';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+// ── Node.js version gate ────────────────────────────────────────────────────
+const major = parseInt(process.version.slice(1), 10);
+if (major < 20) {
+  console.error(`\x1b[31mError: nha requires Node.js 20 or later (found ${process.version}).\x1b[0m`);
+  console.error('Install from https://nodejs.org');
+  process.exit(1);
+}
+
+// ── Launch CLI ──────────────────────────────────────────────────────────────
+// On Windows, dynamic import() requires file:// URLs, not raw paths like C:\...
+const cliPath = path.join(__dirname, '..', 'src', 'cli.mjs');
+const cliUrl = pathToFileURL(cliPath).href;
+const { main } = await import(cliUrl);
+await main(process.argv.slice(2));

package/bin/nha.mjs

@@ -1,2 +1,36 @@
 #!/usr/bin/env node
-import('../src/cli.mjs').then(m => m.main(process.argv.slice(2)));
+/**
+ * nha — NotHumanAllowed CLI
+ *
+ * Thin launcher for Legion (multi-agent deliberation) and PIF (agent social client).
+ * Zero dependencies. Downloads core files on first run to ~/.nha/.
+ *
+ * Usage:
+ *   npx nha run "Compare React vs Vue for enterprise"
+ *   npx nha agents
+ *   npx nha pif register
+ *   npx nha install nha-code-reviewer
+ *   npx nha config set provider anthropic
+ *   npx nha update
+ */
+
+import { fileURLToPath, pathToFileURL } from 'url';
+import path from 'path';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+// ── Node.js version gate ────────────────────────────────────────────────────
+const major = parseInt(process.version.slice(1), 10);
+if (major < 20) {
+  console.error(`\x1b[31mError: nha requires Node.js 20 or later (found ${process.version}).\x1b[0m`);
+  console.error('Install from https://nodejs.org');
+  process.exit(1);
+}
+
+// ── Launch CLI ──────────────────────────────────────────────────────────────
+// On Windows, dynamic import() requires file:// URLs, not raw paths like C:\...
+const cliPath = path.join(__dirname, '..', 'src', 'cli.mjs');
+const cliUrl = pathToFileURL(cliPath).href;
+const { main } = await import(cliUrl);
+await main(process.argv.slice(2));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "13.5.136",
+  "version": "13.5.138",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/commands/ui.mjs

@@ -5643,9 +5643,20 @@ module.exports = { validateEmail, sanitizeText, validatePassword, validateUserna
           // Also include: any file whose name appears in the user message, plus error-related files.
           const msgLower = (message || '').toLowerCase();
           const alwaysInclude = ['package.json', 'server/index.js', '.env.example'];
+
+          // For autofix: extract file paths directly from stack trace (e.g. "at Object.<anonymous> (/path/server/routes/auth.js:11:8)")
+          const stackFileMatches = autofix ? [...(message.matchAll(/\(([^)]+\.(?:js|mjs|cjs|ts)):\d+:\d+\)/g))] : [];
+          const stackFiles = new Set(stackFileMatches.map(m => {
+            const abs = m[1];
+            // Make relative to sandboxDir
+            return abs.startsWith(sandboxDir) ? abs.slice(sandboxDir.length + 1) : abs.split('/').slice(-3).join('/');
+          }));
+
           const relevantFiles = allFiles.filter(f => {
             const nameLower = f.name.toLowerCase();
             if (alwaysInclude.some(a => nameLower.endsWith(a))) return true;
+            // Always include files mentioned in stack trace (autofix)
+            if (stackFiles.size > 0 && [...stackFiles].some(sf => f.name.includes(sf) || sf.includes(f.name))) return true;
             // Include if file name or path fragment mentioned in message
             const parts = f.name.split('/');
             if (parts.some(p => msgLower.includes(p.replace(/\.[^.]+$/, '').toLowerCase()))) return true;
@@ -5691,7 +5702,7 @@ Per leggere un file (se hai bisogno di piu contesto):
 
 REGOLE CRITICHE:
 - Spiega SEMPRE in linguaggio naturale cosa stai facendo PRIMA dei blocchi tool
-- Usa "edit" (old/new) quando possibile, "write" solo per file nuovi o riscritture complete
+- ${autofix ? 'MODALITA AUTO-FIX: usa "write" per riscrivere i file problematici nella loro interezza — è più affidabile di "edit" quando il file ha già subito modifiche. Includi il contenuto COMPLETO del file nel campo "content".' : 'Usa "edit" (old/new) quando possibile, "write" solo per file nuovi o riscritture complete'}
 - old_string deve essere ESATTO come appare nel file (copy-paste)
 - Non inventare moduli npm: usa solo quelli in package.json o standard Node.js
 - Dopo ogni fix spiega brevemente cosa hai cambiato e perche
@@ -5845,7 +5856,24 @@ REGOLE CRITICHE:
                   oldSnippet: (toolCall.old || '').slice(0, 300),
                   newSnippet: (toolCall.new || '').slice(0, 300) });
               } else {
-                sendEv({ type: 'tool', op: 'edit', path: toolCall.path, result: 'old_string non trovato — patch fallita' });
+                // edit fallback: old_string not found → do a second LLM call with the full file
+                // and ask it to rewrite the file correctly. No client loop needed.
+                sendEv({ type: 'tool', op: 'edit', path: toolCall.path, result: 'patch chirurgica fallita — riscrittura automatica in corso...' });
+                try {
+                  const fallbackSys = `Sei un esperto di Node.js. Riscrivi il seguente file correggendo questo problema: ${message.slice(0, 500)}
+Rispondi SOLO con il contenuto completo del file corretto, senza markdown fence, senza spiegazioni.`;
+                  const fallbackUser = `FILE: ${toolCall.path}\n\`\`\`\n${content}\n\`\`\``;
+                  const newContent = await callLLM(config, fallbackSys, fallbackUser, { max_tokens: 4096 });
+                  const cleaned = newContent.replace(/^```[\w]*\n?/m, '').replace(/\n?```\s*$/m, '').trim();
+                  if (cleaned && cleaned.length > 20) {
+                    fs.writeFileSync(fp, cleaned, 'utf8');
+                    toolResults.push({ op: 'write', path: toolCall.path, ok: true });
+                    sendEv({ type: 'tool', op: 'write', path: toolCall.path, result: 'ok (fallback rewrite)',
+                      oldSnippet: content.slice(0, 300), newSnippet: cleaned.slice(0, 300) });
+                  }
+                } catch(fallbackErr) {
+                  sendEv({ type: 'tool', op: 'edit', path: toolCall.path, result: 'fallback rewrite fallito: ' + fallbackErr.message.slice(0, 80) });
+                }
               }
             } else if (toolCall.op === 'write') {
               const fp = path.join(sandboxDir, toolCall.path.replace(/^\/+/, ''));

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '13.5.136';
+export const VERSION = '13.5.138';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/services/web-ui.mjs

@@ -7968,16 +7968,16 @@ function wcChatPanelHtml() {
         var color = isOk ? 'var(--green)' : 'var(--red)';
         var label = isParseErr ? ('JSON err: ' + wcEsc(tool.result)) : wcEsc(tool.path);
         var title = isOk ? tool.op + ': ' + tool.path : (tool.result || '');
-        // Build inline diff block for successful edits
-        if (isOk && tool.op === 'edit' && tool.oldSnippet) {
-          var oldLines = tool.oldSnippet.split(String.fromCharCode(10)).map(function(l){ return '<div style="background:#3f0f0f;color:#fca5a5;font-family:var(--mono);font-size:9px;padding:0 8px;white-space:pre-wrap;word-break:break-all">- '+wcEsc(l)+'</div>'; }).join('');
-          var newLines = tool.newSnippet.split(String.fromCharCode(10)).map(function(l){ return '<div style="background:#0f2f0f;color:#86efac;font-family:var(--mono);font-size:9px;padding:0 8px;white-space:pre-wrap;word-break:break-all">+ '+wcEsc(l)+'</div>'; }).join('');
-          diffBlocks += '<details style="margin:2px 0;border:1px solid rgba(255,255,255,0.08);border-radius:5px;overflow:hidden">' +
-            '<summary style="padding:3px 8px;font-size:9px;font-family:var(--mono);color:var(--dim);cursor:pointer;list-style:none;display:flex;align-items:center;gap:4px">' +
-              '<span style="color:var(--green)">&#9998;</span> '+wcEsc(tool.path)+' <span style="margin-left:auto;opacity:.5">&#9660;</span>' +
-            '</summary>' +
+        // Build inline diff block for successful edits/writes — always visible, no collapse
+        if (isOk && (tool.op === 'edit' || tool.op === 'write') && (tool.oldSnippet || tool.newSnippet)) {
+          var oldLines = tool.oldSnippet ? tool.oldSnippet.split(String.fromCharCode(10)).map(function(l){ return '<div style="background:#3f0f0f;color:#fca5a5;font-family:var(--mono);font-size:9px;padding:1px 8px;white-space:pre-wrap;word-break:break-all">- '+wcEsc(l)+'</div>'; }).join('') : '';
+          var newLines = tool.newSnippet ? tool.newSnippet.split(String.fromCharCode(10)).map(function(l){ return '<div style="background:#0f2f0f;color:#86efac;font-family:var(--mono);font-size:9px;padding:1px 8px;white-space:pre-wrap;word-break:break-all">+ '+wcEsc(l)+'</div>'; }).join('') : '';
+          diffBlocks += '<div style="margin:4px 0;border:1px solid rgba(255,255,255,0.1);border-radius:5px;overflow:hidden">' +
+            '<div style="padding:3px 8px;font-size:9px;font-family:var(--mono);color:var(--dim);background:rgba(255,255,255,0.04);display:flex;align-items:center;gap:4px">' +
+              '<span style="color:var(--green)">&#9998;</span> '+wcEsc(tool.path) +
+            '</div>' +
             oldLines + newLines +
-          '</details>';
+          '</div>';
         }
         return '<span title="'+wcEsc(title)+'" style="display:inline-flex;align-items:center;gap:3px;background:var(--bg3);border:1px solid '+(isOk?'var(--green3)':'var(--red)')+';border-radius:4px;padding:2px 6px;font-size:9px;font-family:var(--mono);color:'+color+'">' +
           icon + ' ' + label + '</span>';
@@ -8371,7 +8371,8 @@ async function wcTriggerCrashFix(errorMsg) {
     });
     if (wcChatRunning) return;
   }
-  var fixMsg = 'CRASH FIX RICHIESTO.' + String.fromCharCode(10) + 'ERRORE:' + String.fromCharCode(10) + errorMsg + String.fromCharCode(10) + String.fromCharCode(10) + 'ISTRUZIONI OBBLIGATORIE:' + String.fromCharCode(10) + '1. Leggi i file coinvolti nello stack trace' + String.fromCharCode(10) + '2. Individua la riga esatta del problema' + String.fromCharCode(10) + '3. Usa OBBLIGATORIAMENTE il tool edit_file o write_file per correggere il codice' + String.fromCharCode(10) + '4. NON limitarti a spiegare il problema - DEVI modificare i file' + String.fromCharCode(10) + '5. Dopo aver modificato, il sandbox verrà riavviato automaticamente';
+  var attemptNum = _wcAutoFixAttempts;
+  var fixMsg = 'CRASH FIX RICHIESTO (tentativo ' + attemptNum + '/3).' + String.fromCharCode(10) + 'ERRORE:' + String.fromCharCode(10) + errorMsg + String.fromCharCode(10) + String.fromCharCode(10) + 'REGOLE OBBLIGATORIE:' + String.fromCharCode(10) + '1. Leggi i file coinvolti nello stack trace con view_file' + String.fromCharCode(10) + '2. Individua la riga esatta del problema' + String.fromCharCode(10) + '3. Usa edit_file per patch chirurgiche. SE edit_file fallisce con "old_string non trovato", usa SUBITO write_file per riscrivere il file intero correttamente' + String.fromCharCode(10) + '4. NON spiegare - MODIFICA i file. Se non usi edit_file o write_file il problema non viene risolto' + String.fromCharCode(10) + (attemptNum > 1 ? '5. ATTENZIONE: tentativi precedenti sono falliti. Usa write_file per riscrivere completamente i file problematici invece di patch parziali.' : '5. Dopo la modifica il sandbox si riavvia automaticamente');
   wcChat.push({ role: 'user', text: '\uD83E\uDD16 Auto-fix crash: ' + errorMsg });
   wcChatRunning = true;
   renderWebCraft(document.getElementById('content'));
@@ -9310,7 +9311,9 @@ async function wcStartSandbox() {
             wcState.sandbox.running = false;
             wcState.sandbox.port = evt.port;
             wcState.sandbox.dir = evt.dir;
-            _wcAutoFixAttempts = 0;
+            // Reset counter only after stable uptime (5s), not immediately on first ready
+            // This prevents infinite loop: crash → fix → restart → crash → reset → crash → ...
+            setTimeout(function() { _wcAutoFixAttempts = 0; }, 5000);
             wcStartAutoFixPoller();
             // Reload skills so newly written log file appears in the panel
             _wcSkillsLoaded = false;