nothumanallowed 13.5.138 → 13.5.140

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "13.5.138",
+  "version": "13.5.140",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/commands/ui.mjs

@@ -5145,6 +5145,7 @@ module.exports.notFoundHandler = notFoundHandler;
           // Always overwrite — older shim versions may be missing exports like notFoundHandler
           fs.writeFileSync(path.join(sandboxDir, 'server', 'middleware', 'errors.js'), errorsShim, 'utf8');
 
+
           // Models shim — LLM often generates require('../models/User') etc. that don't exist
           // Create a generic User model shim backed by the in-memory DB shim
           const userModelShim = `
@@ -5304,6 +5305,59 @@ module.exports = { validateEmail, sanitizeText, validatePassword, validateUserna
           patchJsFiles(path.join(sandboxDir, 'server'), path.join(sandboxDir, 'server'));
           sendLog('🔧 Shim iniettati: DB (in-memory), Sentinel WAF, Cache — require() patchati');
 
+          // Post-process server/index.js: fix static path + ensure SPA fallback
+          // The LLM sometimes generates a relative path ('public') instead of the absolute
+          // path.join(__dirname, '..', 'public') — causing "Not found: /" when the cwd
+          // differs from the project root.
+          const serverIndexPath = path.join(sandboxDir, 'server', 'index.js');
+          if (fs.existsSync(serverIndexPath)) {
+            let srvSrc = fs.readFileSync(serverIndexPath, 'utf8');
+            let srvChanged = false;
+
+            // Fix: express.static('public') / express.static("public") → absolute path
+            const staticRelRe = /express\.static\s*\(\s*['"]\.?\/?public['"]\s*\)/g;
+            const staticAbsolute = "express.static(path.join(__dirname, '..', 'public'))";
+            if (staticRelRe.test(srvSrc)) {
+              srvSrc = srvSrc.replace(staticRelRe, staticAbsolute);
+              srvChanged = true;
+            }
+
+            // Fix: express.static(path.join(__dirname, 'public')) → go up one level
+            const staticWrongDepth = /express\.static\s*\(\s*path\.join\s*\(\s*__dirname\s*,\s*['"]public['"]\s*\)\s*\)/g;
+            if (staticWrongDepth.test(srvSrc)) {
+              srvSrc = srvSrc.replace(staticWrongDepth, staticAbsolute);
+              srvChanged = true;
+            }
+
+            // Ensure 'path' is required if we injected path.join
+            if (srvChanged && !/require\(['"]path['"]\)/.test(srvSrc)) {
+              srvSrc = "const path = require('path');\n" + srvSrc;
+            }
+
+            // Inject SPA fallback before the 404 / error handler if missing
+            // Detects: app.use((req,res,next)... or app.use(function(err... or app.use(errorHandler)
+            // and inserts the wildcard GET before it
+            const hasSpaFallback = /app\s*\.\s*get\s*\(\s*['"]\*['"]/.test(srvSrc);
+            if (!hasSpaFallback) {
+              const spaFallback = "\n// SPA fallback — serve index.html for all unmatched GET routes\napp.get('*', (req, res) => res.sendFile(path.join(__dirname, '..', 'public', 'index.html')));\n";
+              // Insert before the 404 handler (app.use with 4-arg function) or before app.listen
+              const listenIdx = srvSrc.lastIndexOf('app.listen');
+              const notFoundIdx = srvSrc.search(/app\.use\s*\(\s*(notFoundHandler|\(req,\s*res\)|function\s*\(req,\s*res)/);
+              const insertAt = notFoundIdx !== -1 ? notFoundIdx : listenIdx;
+              if (insertAt !== -1) {
+                srvSrc = srvSrc.slice(0, insertAt) + spaFallback + srvSrc.slice(insertAt);
+              } else {
+                srvSrc += spaFallback;
+              }
+              srvChanged = true;
+            }
+
+            if (srvChanged) {
+              fs.writeFileSync(serverIndexPath, srvSrc, 'utf8');
+              sendLog('🔧 server/index.js: static path corretto + SPA fallback iniettato');
+            }
+          }
+
           // Patch package.json to remove pg, add only what's needed
           const pkgPath = path.join(sandboxDir, 'package.json');
           let pkg = {};

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '13.5.138';
+export const VERSION = '13.5.140';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/services/web-ui.mjs

@@ -8545,7 +8545,7 @@ function wcDiffPanelHtml() {
   var items = _wcDiffQueue.map(function(d, di) {
     var addedLines = (d.after||'').split(String.fromCharCode(10)).length - (d.before||'').split(String.fromCharCode(10)).length;
     var sign = addedLines >= 0 ? '+' : '';
-    return '<details style="border:1px solid var(--border);border-radius:6px;margin-bottom:6px;background:var(--bg3)">' +
+    return '<details open style="border:1px solid var(--border);border-radius:6px;margin-bottom:6px;background:var(--bg3)">' +
       '<summary style="padding:7px 10px;cursor:pointer;font-size:11px;font-family:var(--mono);color:var(--text);list-style:none;display:flex;align-items:center;gap:8px">' +
         '<span style="color:var(--green);font-size:10px">&#9650;</span>' +
         '<span style="flex:1">' + wcEsc(d.file) + '</span>' +
@@ -8764,7 +8764,7 @@ async function wcGenerate() {
     { name: 'server/services/email.js', lang: 'javascript', prompt: 'Generate server/services/email.js: Nodemailer transporter using SMTP from env. Function sendVerificationEmail(to, token, baseUrl): sends HTML email with verification link. Function sendPasswordResetEmail(to, token, baseUrl). Add SendGrid fallback (commented out, predisposed with transporter swap). Never expose credentials.' },
     { name: 'server/routes/auth.js',  lang: 'javascript', prompt: 'Generate server/routes/auth.js: POST /register (validate fields: '+authFieldsDef+', check duplicate email, bcrypt hash password cost 12, insert user, send verification email, return 201), POST /login (validate, check email verified, compare bcrypt, issue JWT access 15min + refresh 7d httpOnly cookie), POST /logout (clear refresh cookie), POST /refresh-token (validate refresh from httpOnly cookie, rotate token), GET /verify-email/:token (mark email verified). Use parameterized queries only. Import authLimiter EXACTLY like this: const { authLimiter } = require("../middleware/security"); — do NOT create or import from ../middleware/rateLimiter (that file does not exist). Apply authLimiter to register and login.' },
     { name: 'server/routes/api.js',   lang: 'javascript', prompt: 'Generate server/routes/api.js: Express router with a verifyToken middleware (validates JWT Bearer). GET /api/me returns authenticated user profile (no password hash). GET /api/health returns {status: ok, timestamp}. Structure ready for adding more routes.' },
-    { name: 'server/index.js',        lang: 'javascript', prompt: 'Generate server/index.js: Express app entry point. Apply applySecurityMiddleware first. Then apply sentinelMiddleware (import from ./middleware/sentinel.js). Use CORS with env CORS_ORIGIN. Parse JSON body (limit 10kb). Mount /api/auth → auth.js, /api → api.js. Serve public/ as static. 404 handler and global error handler (never leak stack traces in production). Start on PORT from env.' },
+    { name: 'server/index.js',        lang: 'javascript', prompt: 'Generate server/index.js: Express app entry point. Apply applySecurityMiddleware first. Then apply sentinelMiddleware (import from ./middleware/sentinel.js). Use CORS with env CORS_ORIGIN. Parse JSON body (limit 10kb). Mount /api/auth to auth.js, /api to api.js. CRITICAL: serve static files using the ABSOLUTE path computed with path.join and __dirname — specifically path.join(__dirname, double-dot, public) so it resolves correctly regardless of cwd. After mounting all API routes and before the 404 handler, add a SPA catch-all: app.get with wildcard star that calls res.sendFile with path.join(__dirname, double-dot, public, index.html). This ensures GET / and any unmatched frontend route returns index.html instead of a 404 JSON error. 404 handler and global error handler (never leak stack traces in production). Start on PORT from env.' },
     { name: 'db/migrations/001_init.sql', lang: 'sql',   prompt: 'Generate PostgreSQL migration 001_init.sql: CREATE TABLE users with id UUID default gen_random_uuid(), fields for '+authFieldsDef+', email_verified BOOLEAN default false, verification_token VARCHAR, reset_token VARCHAR, reset_token_expires TIMESTAMPTZ, refresh_token_hash VARCHAR, created_at TIMESTAMPTZ default now(), updated_at TIMESTAMPTZ default now(). CREATE INDEX on email. CREATE TABLE refresh_tokens (id, user_id FK, token_hash, expires_at, created_at). Add updated_at trigger function.' },
     { name: 'public/css/base.css',    lang: 'css',       prompt: 'Generate public/css/base.css: CSS custom properties (color palette, spacing scale, font scale, border-radius, shadows, transitions). CSS reset (*, box-sizing). Base typography (Inter or system-ui). Utility classes using BEM where applicable. Dark/light mode via prefers-color-scheme.' },
     { name: 'public/css/components.css', lang: 'css',    prompt: 'Generate public/css/components.css following STRICT BEM (block__element--modifier). Components: .btn (--primary, --secondary, --danger, --ghost), .form (form__field, form__label, form__input, form__error, form__hint), .card (card__header, card__body, card__footer), .nav (nav__brand, nav__links, nav__link--active), .alert (--success, --error, --warning, --info), .spinner, .badge, .modal (modal__overlay, modal__content, modal__header, modal__body, modal__footer). Fully accessible (focus states, aria).' },