nothumanallowed 13.5.150 → 13.5.152

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "13.5.150",
+  "version": "13.5.152",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/commands/google-auth.mjs

@@ -7,12 +7,13 @@ import { fail, info } from '../ui.mjs';
 export async function cmdGoogle(args) {
   const sub = args[0] || 'auth';
   const config = loadConfig();
+  const manual = args.includes('--manual') || args.includes('--headless') || args.includes('--no-browser');
 
   switch (sub) {
     case 'auth':
     case 'login':
     case 'connect':
-      return runAuthFlow(config);
+      return runAuthFlow(config, manual);
 
     case 'status':
       return showStatus();

package/src/commands/ui.mjs

@@ -236,7 +236,7 @@ export async function cmdUI(args) {
       port = parseInt(arg.split('=')[1], 10) || DEFAULT_PORT;
     } else if (arg === '--no-browser') {
       noBrowser = true;
-    } else if (arg === '--lan') {
+    } else if (arg === '--lan' || arg === '--host' || arg === '--host=0.0.0.0') {
       lanMode = true;
     }
   }
@@ -6551,16 +6551,20 @@ CRITICAL WRITING RULES — ENFORCE STRICTLY:
     console.log('');
     console.log(`  ${G}Local:${NC}              ${localUrl}`);
     if (lanUrl) {
-      console.log(`  ${G}Network:${NC}            ${lanUrl}  ${D}(mobile/tablet)${NC}`);
+      console.log(`  ${G}Network:${NC}            ${lanUrl}  ${D}(VM host, phone, tablet)${NC}`);
+    }
+    const providerLabel = config.llm.provider || 'nha';
+    const providerDisplay = providerLabel === 'nha' ? `${G}nha (Liara — free, no key needed)${NC}` : providerLabel;
+    console.log(`  ${D}Provider:${NC}           ${providerDisplay}`);
+    if (providerLabel !== 'nha') {
+      console.log(`  ${D}API Key:${NC}            ${config.llm.apiKey ? config.llm.apiKey.slice(0, 12) + '...' : '\x1b[0;31mnot set — run: nha config set provider nha\x1b[0m'}`);
     }
-    console.log(`  ${D}Provider:${NC}           ${config.llm.provider || 'not set'}`);
-    console.log(`  ${D}API Key:${NC}            ${config.llm.apiKey ? config.llm.apiKey.slice(0, 12) + '...' : '\x1b[0;31mnot set\x1b[0m'}`);
     console.log(`  ${D}Agents loaded:${NC}      ${agentCards.length}`);
     console.log('');
     if (lanUrl) {
-      console.log(`  ${D}Open ${lanUrl} on your phone to use NHA from mobile.${NC}`);
+      console.log(`  ${D}Open ${lanUrl} on your host machine / phone / tablet.${NC}`);
     } else {
-      console.log(`  ${D}Tip: use --lan to access from phone/tablet on same WiFi.${NC}`);
+      console.log(`  ${D}Tip: use --lan to access from VM host, phone or tablet on same network.${NC}`);
     }
     console.log(`  ${D}Press Ctrl+C to stop${NC}`);
     console.log('');

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '13.5.150';
+export const VERSION = '13.5.152';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/services/google-oauth.mjs

@@ -1,11 +1,12 @@
 /**
  * Google OAuth 2.0 with PKCE — browser-based consent flow.
- * Runs ephemeral local HTTP server for callback.
- * Zero dependencies — uses Node.js native http + crypto.
+ * Runs ephemeral local HTTP server for callback, or manual code-paste for headless/VM.
+ * Zero dependencies — uses Node.js native http + crypto + readline.
  */
 
 import http from 'http';
 import crypto from 'crypto';
+import readline from 'readline';
 import { execSync } from 'child_process';
 import os from 'os';
 import { saveTokens, loadTokens, deleteTokens } from './token-store.mjs';
@@ -40,19 +41,71 @@ function generatePKCE() {
 
 /**
  * Open URL in user's default browser.
+ * Returns true if browser opened successfully, false otherwise.
  */
 function openBrowser(url) {
   const platform = os.platform();
   try {
-    if (platform === 'darwin') execSync(`open "${url}"`);
-    else if (platform === 'win32') execSync(`start "" "${url}"`);
-    else execSync(`xdg-open "${url}"`);
+    if (platform === 'darwin') execSync(`open "${url}"`, { stdio: 'ignore' });
+    else if (platform === 'win32') execSync(`start "" "${url}"`, { stdio: 'ignore' });
+    else execSync(`xdg-open "${url}"`, { stdio: 'ignore' });
+    return true;
   } catch {
-    warn('Could not open browser automatically.');
-    info(`Open this URL manually:\n\n  ${url}\n`);
+    return false;
   }
 }
 
+/**
+ * Manual mode: print the auth URL and ask the user to paste back
+ * the full redirect URL (http://127.0.0.1:PORT/callback?code=...&state=...)
+ * that appears in their browser's address bar after Google login.
+ * Works on any headless/VM/SSH setup — no local server needed.
+ */
+function waitForManualCode(authUrl, state) {
+  return new Promise((resolve, reject) => {
+    console.log('\n\x1b[1;33m  MANUAL AUTH MODE\x1b[0m');
+    console.log('\x1b[0;90m  ─────────────────────────────────────────────────────\x1b[0m');
+    console.log('  1. Open this URL on any device with a browser (phone, PC...):');
+    console.log('\n\x1b[0;36m  ' + authUrl + '\x1b[0m\n');
+    console.log('  2. Log in with Google and grant permissions.');
+    console.log('  3. The browser will try to open a page that fails to load.');
+    console.log('     That is expected. Copy the full URL from the address bar.');
+    console.log('     It looks like: \x1b[0;32mhttp://127.0.0.1:19847/callback?code=4/0A...&state=...\x1b[0m');
+    console.log('\x1b[0;90m  ─────────────────────────────────────────────────────\x1b[0m\n');
+
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    rl.question('  Paste the full redirect URL here: ', (answer) => {
+      rl.close();
+      const trimmed = answer.trim();
+      try {
+        // Accept both the full URL and just the code= value
+        let code, returnedState;
+        if (trimmed.startsWith('http')) {
+          const parsed = new URL(trimmed);
+          code = parsed.searchParams.get('code');
+          returnedState = parsed.searchParams.get('state');
+        } else {
+          // Maybe they pasted just the code directly
+          code = trimmed;
+          returnedState = state; // trust them
+        }
+
+        if (!code) {
+          reject(new Error('No authorization code found in the URL you pasted.'));
+          return;
+        }
+        if (returnedState && returnedState !== state) {
+          reject(new Error('State mismatch — the URL does not match this auth session. Try again.'));
+          return;
+        }
+        resolve(code);
+      } catch {
+        reject(new Error('Could not parse the URL. Make sure you copied the full address bar URL.'));
+      }
+    });
+  });
+}
+
 /**
  * Start ephemeral HTTP server and wait for OAuth callback.
  * @returns {Promise<{code: string, port: number}>}
@@ -156,8 +209,9 @@ async function getUserEmail(accessToken) {
 /**
  * Run the full OAuth consent flow.
  * @param {object} config — NHA config
+ * @param {boolean} manual — force manual code-paste mode (for VMs/headless)
  */
-export async function runAuthFlow(config) {
+export async function runAuthFlow(config, manual = false) {
   const clientId = config.google?.clientId || DEFAULT_CLIENT_ID;
   const clientSecret = config.google?.clientSecret || '';
 
@@ -174,8 +228,8 @@ export async function runAuthFlow(config) {
     return false;
   }
 
-  // Find available port
-  let port = 0;
+  // Find available port (used for redirect_uri even in manual mode)
+  let port = CALLBACK_PORTS[0];
   for (const p of CALLBACK_PORTS) {
     try {
       const srv = http.createServer();
@@ -187,10 +241,6 @@ export async function runAuthFlow(config) {
       break;
     } catch { continue; }
   }
-  if (!port) {
-    fail('No available port for OAuth callback (tried 19847-19851)');
-    return false;
-  }
 
   const redirectUri = `http://127.0.0.1:${port}/callback`;
   const { verifier, challenge } = generatePKCE();
@@ -207,14 +257,32 @@ export async function runAuthFlow(config) {
   authUrl.searchParams.set('access_type', 'offline');
   authUrl.searchParams.set('prompt', 'consent');
 
-  info('Opening browser for Google authorization...');
-  openBrowser(authUrl.toString());
-  info('Waiting for authorization (5 min timeout)...\n');
+  const authUrlStr = authUrl.toString();
 
   try {
-    const { code } = await waitForCallback(state, port);
-    info('Authorization code received. Exchanging for tokens...');
+    let code;
+
+    if (manual) {
+      // Explicit manual mode
+      code = await waitForManualCode(authUrlStr, state);
+    } else {
+      // Try to open browser — if it fails, auto-switch to manual mode
+      info('Opening browser for Google authorization...');
+      const browserOpened = openBrowser(authUrlStr);
+
+      if (!browserOpened) {
+        // Headless/VM detected — auto-switch to manual mode
+        warn('No browser found. Switching to manual mode...');
+        code = await waitForManualCode(authUrlStr, state);
+      } else {
+        // Browser opened — wait for local callback
+        info('Waiting for authorization (5 min timeout)...\n');
+        const result = await waitForCallback(state, port);
+        code = result.code;
+      }
+    }
 
+    info('Authorization code received. Exchanging for tokens...');
     const tokenData = await exchangeCode(code, verifier, clientId, clientSecret, redirectUri);
     const email = await getUserEmail(tokenData.access_token);
 
@@ -228,7 +296,7 @@ export async function runAuthFlow(config) {
 
     saveTokens(tokens);
     ok(`Google account connected: ${email || 'unknown'}`);
-    ok('Gmail + Calendar access granted.');
+    ok('Gmail + Calendar + Drive access granted.');
     info('Run "nha plan" to generate your first daily plan.');
     return true;
   } catch (err) {