nothumanallowed 13.5.151 → 13.5.153

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "13.5.151",
+  "version": "13.5.153",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/commands/google-auth.mjs

@@ -7,12 +7,13 @@ import { fail, info } from '../ui.mjs';
 export async function cmdGoogle(args) {
   const sub = args[0] || 'auth';
   const config = loadConfig();
+  const manual = args.includes('--manual') || args.includes('--headless') || args.includes('--no-browser');
 
   switch (sub) {
     case 'auth':
     case 'login':
     case 'connect':
-      return runAuthFlow(config);
+      return runAuthFlow(config, manual);
 
     case 'status':
       return showStatus();

package/src/commands/ui.mjs

@@ -4652,6 +4652,39 @@ ${completedHeadings ? `## SECTIONS ALREADY WRITTEN (headings only):\n${completed
         return;
       }
 
+      // POST /api/studio/webcraft/stream  { system, user, max_tokens }  → SSE token stream
+      // Used by WebCraft generation for live typewriter effect per file
+      if (pathname === '/api/studio/webcraft/stream' && method === 'POST') {
+        const body = await parseBody(req, 131072);
+        if (!body.system || !body.user) {
+          sendJSON(res, 400, { error: 'system and user required' });
+          logRequest(method, pathname, 400, Date.now() - start);
+          return;
+        }
+        res.writeHead(200, {
+          'Content-Type': 'text/event-stream',
+          'Cache-Control': 'no-cache',
+          'Connection': 'keep-alive',
+          'Access-Control-Allow-Origin': '*',
+        });
+        let fullText = '';
+        let tokIn = 0, tokOut = 0;
+        try {
+          await callLLMStream(config, body.system, body.user, (token) => {
+            fullText += token;
+            tokOut++;
+            res.write('data: ' + JSON.stringify({ type: 'token', token }) + '\n\n');
+          }, { max_tokens: body.max_tokens || 16384, temperature: 0.3 });
+          tokIn = Math.round((body.system.length + body.user.length) / 4);
+          res.write('data: ' + JSON.stringify({ type: 'done', text: fullText, usage: { prompt_tokens: tokIn, completion_tokens: tokOut } }) + '\n\n');
+        } catch (e) {
+          res.write('data: ' + JSON.stringify({ type: 'error', message: e.message }) + '\n\n');
+        }
+        res.end();
+        logRequest(method, pathname, 200, Date.now() - start);
+        return;
+      }
+
       // ── WebCraft Projects — list and delete saved projects ──────────────────
       // GET  /api/studio/webcraft/projects         → { projects: [{name, description, fileCount, createdAt, dir}] }
       // DELETE /api/studio/webcraft/projects/:name → { ok }

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '13.5.151';
+export const VERSION = '13.5.153';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/services/google-oauth.mjs

@@ -1,11 +1,12 @@
 /**
  * Google OAuth 2.0 with PKCE — browser-based consent flow.
- * Runs ephemeral local HTTP server for callback.
- * Zero dependencies — uses Node.js native http + crypto.
+ * Runs ephemeral local HTTP server for callback, or manual code-paste for headless/VM.
+ * Zero dependencies — uses Node.js native http + crypto + readline.
  */
 
 import http from 'http';
 import crypto from 'crypto';
+import readline from 'readline';
 import { execSync } from 'child_process';
 import os from 'os';
 import { saveTokens, loadTokens, deleteTokens } from './token-store.mjs';
@@ -40,19 +41,71 @@ function generatePKCE() {
 
 /**
  * Open URL in user's default browser.
+ * Returns true if browser opened successfully, false otherwise.
  */
 function openBrowser(url) {
   const platform = os.platform();
   try {
-    if (platform === 'darwin') execSync(`open "${url}"`);
-    else if (platform === 'win32') execSync(`start "" "${url}"`);
-    else execSync(`xdg-open "${url}"`);
+    if (platform === 'darwin') execSync(`open "${url}"`, { stdio: 'ignore' });
+    else if (platform === 'win32') execSync(`start "" "${url}"`, { stdio: 'ignore' });
+    else execSync(`xdg-open "${url}"`, { stdio: 'ignore' });
+    return true;
   } catch {
-    warn('Could not open browser automatically.');
-    info(`Open this URL manually:\n\n  ${url}\n`);
+    return false;
   }
 }
 
+/**
+ * Manual mode: print the auth URL and ask the user to paste back
+ * the full redirect URL (http://127.0.0.1:PORT/callback?code=...&state=...)
+ * that appears in their browser's address bar after Google login.
+ * Works on any headless/VM/SSH setup — no local server needed.
+ */
+function waitForManualCode(authUrl, state) {
+  return new Promise((resolve, reject) => {
+    console.log('\n\x1b[1;33m  MANUAL AUTH MODE\x1b[0m');
+    console.log('\x1b[0;90m  ─────────────────────────────────────────────────────\x1b[0m');
+    console.log('  1. Open this URL on any device with a browser (phone, PC...):');
+    console.log('\n\x1b[0;36m  ' + authUrl + '\x1b[0m\n');
+    console.log('  2. Log in with Google and grant permissions.');
+    console.log('  3. The browser will try to open a page that fails to load.');
+    console.log('     That is expected. Copy the full URL from the address bar.');
+    console.log('     It looks like: \x1b[0;32mhttp://127.0.0.1:19847/callback?code=4/0A...&state=...\x1b[0m');
+    console.log('\x1b[0;90m  ─────────────────────────────────────────────────────\x1b[0m\n');
+
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    rl.question('  Paste the full redirect URL here: ', (answer) => {
+      rl.close();
+      const trimmed = answer.trim();
+      try {
+        // Accept both the full URL and just the code= value
+        let code, returnedState;
+        if (trimmed.startsWith('http')) {
+          const parsed = new URL(trimmed);
+          code = parsed.searchParams.get('code');
+          returnedState = parsed.searchParams.get('state');
+        } else {
+          // Maybe they pasted just the code directly
+          code = trimmed;
+          returnedState = state; // trust them
+        }
+
+        if (!code) {
+          reject(new Error('No authorization code found in the URL you pasted.'));
+          return;
+        }
+        if (returnedState && returnedState !== state) {
+          reject(new Error('State mismatch — the URL does not match this auth session. Try again.'));
+          return;
+        }
+        resolve(code);
+      } catch {
+        reject(new Error('Could not parse the URL. Make sure you copied the full address bar URL.'));
+      }
+    });
+  });
+}
+
 /**
  * Start ephemeral HTTP server and wait for OAuth callback.
  * @returns {Promise<{code: string, port: number}>}
@@ -156,8 +209,9 @@ async function getUserEmail(accessToken) {
 /**
  * Run the full OAuth consent flow.
  * @param {object} config — NHA config
+ * @param {boolean} manual — force manual code-paste mode (for VMs/headless)
  */
-export async function runAuthFlow(config) {
+export async function runAuthFlow(config, manual = false) {
   const clientId = config.google?.clientId || DEFAULT_CLIENT_ID;
   const clientSecret = config.google?.clientSecret || '';
 
@@ -174,8 +228,8 @@ export async function runAuthFlow(config) {
     return false;
   }
 
-  // Find available port
-  let port = 0;
+  // Find available port (used for redirect_uri even in manual mode)
+  let port = CALLBACK_PORTS[0];
   for (const p of CALLBACK_PORTS) {
     try {
       const srv = http.createServer();
@@ -187,10 +241,6 @@ export async function runAuthFlow(config) {
       break;
     } catch { continue; }
   }
-  if (!port) {
-    fail('No available port for OAuth callback (tried 19847-19851)');
-    return false;
-  }
 
   const redirectUri = `http://127.0.0.1:${port}/callback`;
   const { verifier, challenge } = generatePKCE();
@@ -207,14 +257,32 @@ export async function runAuthFlow(config) {
   authUrl.searchParams.set('access_type', 'offline');
   authUrl.searchParams.set('prompt', 'consent');
 
-  info('Opening browser for Google authorization...');
-  openBrowser(authUrl.toString());
-  info('Waiting for authorization (5 min timeout)...\n');
+  const authUrlStr = authUrl.toString();
 
   try {
-    const { code } = await waitForCallback(state, port);
-    info('Authorization code received. Exchanging for tokens...');
+    let code;
+
+    if (manual) {
+      // Explicit manual mode
+      code = await waitForManualCode(authUrlStr, state);
+    } else {
+      // Try to open browser — if it fails, auto-switch to manual mode
+      info('Opening browser for Google authorization...');
+      const browserOpened = openBrowser(authUrlStr);
+
+      if (!browserOpened) {
+        // Headless/VM detected — auto-switch to manual mode
+        warn('No browser found. Switching to manual mode...');
+        code = await waitForManualCode(authUrlStr, state);
+      } else {
+        // Browser opened — wait for local callback
+        info('Waiting for authorization (5 min timeout)...\n');
+        const result = await waitForCallback(state, port);
+        code = result.code;
+      }
+    }
 
+    info('Authorization code received. Exchanging for tokens...');
     const tokenData = await exchangeCode(code, verifier, clientId, clientSecret, redirectUri);
     const email = await getUserEmail(tokenData.access_token);
 
@@ -228,7 +296,7 @@ export async function runAuthFlow(config) {
 
     saveTokens(tokens);
     ok(`Google account connected: ${email || 'unknown'}`);
-    ok('Gmail + Calendar access granted.');
+    ok('Gmail + Calendar + Drive access granted.');
     info('Run "nha plan" to generate your first daily plan.');
     return true;
   } catch (err) {

package/src/services/web-ui.mjs

@@ -8864,19 +8864,20 @@ async function wcGenerate() {
   }
 
   // Helper: generate one file (with two-pass split for large CSS files)
-  async function wcGenOneFile(fp, signal) {
+  // onLiveUpdate(partialContent) is called on each token for live display
+  async function wcGenOneFile(fp, signal, onLiveUpdate) {
     var _nl2 = String.fromCharCode(10);
     var splitPrompts = WC_CSS_SPLIT[fp.name];
     if (splitPrompts) {
-      // Two-pass generation: call LLM twice and concatenate
-      var part1 = await wcCallLLM(sysPreamble, splitPrompts[0] + _nl2 + _nl2 + 'File: ' + fp.name, signal, fp.lang, 8192);
+      // Two-pass generation: streaming on first pass only
+      var part1 = await wcCallLLM(sysPreamble, splitPrompts[0] + _nl2 + _nl2 + 'File: ' + fp.name, signal, fp.lang, 8192, onLiveUpdate);
       part1 = wcStripFences(part1);
       if (signal && signal.aborted) return part1;
-      var part2 = await wcCallLLM(sysPreamble, splitPrompts[1] + _nl2 + _nl2 + 'File: ' + fp.name, signal, fp.lang, 8192);
+      var part2 = await wcCallLLM(sysPreamble, splitPrompts[1] + _nl2 + _nl2 + 'File: ' + fp.name, signal, fp.lang, 8192, function(p2) { if (onLiveUpdate) onLiveUpdate(part1 + _nl2 + _nl2 + p2); });
       part2 = wcStripFences(part2);
       return part1 + _nl2 + _nl2 + part2;
     }
-    var content = await wcCallLLM(sysPreamble, fp.prompt + _nl2 + _nl2 + 'File to generate: ' + fp.name, signal, fp.lang);
+    var content = await wcCallLLM(sysPreamble, fp.prompt + _nl2 + _nl2 + 'File to generate: ' + fp.name, signal, fp.lang, undefined, onLiveUpdate);
     return wcStripFences(content);
   }
 
@@ -8889,6 +8890,23 @@ async function wcGenerate() {
   wcState.activeFile = 0;
   renderWebCraft(document.getElementById('content'));
 
+  // Live render throttle — update UI at most every 120ms per file during streaming
+  var _wcLiveRenderTimers = {};
+  function wcLiveUpdateFile(fpName, fpLang, partialContent) {
+    for (var li = 0; li < wcState.generatedFiles.length; li++) {
+      if (wcState.generatedFiles[li].name === fpName) {
+        wcState.generatedFiles[li].content = partialContent;
+        wcState.generatedFiles[li]._pending = false;
+        break;
+      }
+    }
+    if (_wcLiveRenderTimers[fpName]) return; // throttle
+    _wcLiveRenderTimers[fpName] = setTimeout(function() {
+      delete _wcLiveRenderTimers[fpName];
+      renderWebCraft(document.getElementById('content'));
+    }, 120);
+  }
+
   // Generate in parallel batches of 4 — each call is independent/fresh to Liara
   var BATCH = 4;
   var doneCount = 0;
@@ -8897,7 +8915,8 @@ async function wcGenerate() {
     var batch = filePlan.slice(bi, bi + BATCH);
     wcUpdateGenOverlay(doneCount, filePlan.length, batch.map(function(f){ return f.name; }).join(', '));
     var results = await Promise.allSettled(batch.map(function(fp) {
-      return wcGenOneFile(fp, _wcGenAbortCtrl ? _wcGenAbortCtrl.signal : null).then(function(c){ return { fp: fp, content: c }; });
+      var liveCallback = function(partial) { wcLiveUpdateFile(fp.name, fp.lang, partial); };
+      return wcGenOneFile(fp, _wcGenAbortCtrl ? _wcGenAbortCtrl.signal : null, liveCallback).then(function(c){ return { fp: fp, content: c }; });
     }));
     results.forEach(function(r) {
       if (r.status === 'fulfilled') {
@@ -9120,7 +9139,57 @@ function wcIsTruncated(content, lang) {
   return false;
 }
 
-async function wcCallLLMRaw(sys, user, signal, maxTok) {
+async function wcCallLLMRaw(sys, user, signal, maxTok, onToken) {
+  // Streaming path: use SSE endpoint so tokens appear live in the file editor
+  if (onToken) {
+    var streamOpts = {
+      method: 'POST',
+      headers: {'Content-Type':'application/json'},
+      body: JSON.stringify({system: sys, user: user, max_tokens: maxTok || 16384})
+    };
+    if (signal) streamOpts.signal = signal;
+    for (var sa = 0; sa < 3; sa++) {
+      if (signal && signal.aborted) throw new DOMException('Aborted', 'AbortError');
+      var sr = await fetch(API + '/api/studio/webcraft/stream', streamOpts);
+      if (!sr.ok) {
+        if (sr.status < 500 || sa === 2) throw new Error('LLM stream error ' + sr.status);
+        await new Promise(function(resolve) { setTimeout(resolve, 2000); });
+        continue;
+      }
+      var sreader = sr.body.getReader();
+      var sdec = new TextDecoder();
+      var sbuf = '';
+      var fullText = '';
+      while (true) {
+        var sres = await sreader.read();
+        if (sres.done) break;
+        sbuf += sdec.decode(sres.value, {stream: true});
+        var sparts = sbuf.split(String.fromCharCode(10) + String.fromCharCode(10));
+        sbuf = sparts.pop();
+        for (var si = 0; si < sparts.length; si++) {
+          var sline = sparts[si].replace(/^data: /, '').trim();
+          if (!sline) continue;
+          try {
+            var sev = JSON.parse(sline);
+            if (sev.type === 'token') {
+              fullText += sev.token;
+              onToken(fullText);
+            } else if (sev.type === 'done') {
+              if (sev.usage) {
+                _wcTokIn  += (sev.usage.prompt_tokens || 0);
+                _wcTokOut += (sev.usage.completion_tokens || 0);
+              }
+            } else if (sev.type === 'error') {
+              throw new Error(sev.message || 'Stream error');
+            }
+          } catch(_) {}
+        }
+      }
+      return fullText;
+    }
+  }
+
+  // Non-streaming fallback (used by repair and continuation passes)
   var fetchOpts = {
     method: 'POST',
     headers: {'Content-Type':'application/json'},
@@ -9132,12 +9201,10 @@ async function wcCallLLMRaw(sys, user, signal, maxTok) {
     var r = await fetch(API + '/api/studio/webcraft', fetchOpts);
     if (r.ok) {
       var d = await r.json();
-      // Accumulate token counts if the server returns usage data
       if (d && d.usage) {
         _wcTokIn  += (d.usage.prompt_tokens || d.usage.input_tokens || 0);
         _wcTokOut += (d.usage.completion_tokens || d.usage.output_tokens || 0);
       } else if (d && d.text) {
-        // Estimate from char count (4 chars ≈ 1 token)
         _wcTokIn  += Math.round((sys.length + user.length) / 4);
         _wcTokOut += Math.round((d.text || '').length / 4);
       }
@@ -9153,9 +9220,9 @@ async function wcCallLLMRaw(sys, user, signal, maxTok) {
   }
 }
 
-async function wcCallLLM(sys, user, signal, lang, maxTok) {
-  var content = await wcCallLLMRaw(sys, user, signal, maxTok);
-  // Continuation loop: if response is truncated, ask model to continue
+async function wcCallLLM(sys, user, signal, lang, maxTok, onToken) {
+  var content = await wcCallLLMRaw(sys, user, signal, maxTok, onToken);
+  // Continuation loop: if response is truncated, ask model to continue (no streaming for continuations)
   var maxContinuations = 2;
   for (var ci = 0; ci < maxContinuations; ci++) {
     if (!wcIsTruncated(content, lang || 'text')) break;
@@ -9166,6 +9233,7 @@ async function wcCallLLM(sys, user, signal, lang, maxTok) {
     var continuation = await wcCallLLMRaw(sys, continuePrompt, signal, maxTok);
     if (!continuation || continuation.trim().length < 5) break;
     content = content + String.fromCharCode(10) + continuation;
+    if (onToken) onToken(content);
   }
   return content;
 }