nothumanallowed 13.5.200 → 14.0.1

package/src/server/routes/chat.mjs

@@ -0,0 +1,354 @@
+/**
+ * Chat routes — conversations CRUD + streaming chat with tool execution
+ */
+
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+import { sendJSON, sendError, parseBody, sendSSE } from '../index.mjs';
+import { loadConfig } from '../../config.mjs';
+import { NHA_DIR, AGENTS_DIR } from '../../constants.mjs';
+import {
+  createConversation, loadConversation, saveConversation, deleteConversation,
+  listConversations, setActiveId, getHistory, addMessages, retryMessage,
+  addRetryResponse, editMessage, navigateFork, getForkInfo,
+  exportAsMarkdown, exportAsJson, migrateOldHistory,
+} from '../../services/conversations.mjs';
+import { callLLMStream, callLLM, callLLMVision, parseAgentFile } from '../../services/llm.mjs';
+import { buildMemoryContext } from '../../services/memory.mjs';
+import { parseActions, executeTool, buildSystemPrompt } from '../../services/tool-executor.mjs';
+
+// Migrate on import (once)
+migrateOldHistory();
+
+const UI_PERSONA = `You are NHA Chat, a personal operations assistant inside the NotHumanAllowed web UI. \
+You help the user manage their emails, calendar, tasks, GitHub issues, Notion pages, and Slack channels through natural conversation. \
+Be concise, helpful, and proactive. When presenting data, format it clearly. \
+Never output raw JSON to the user.`;
+
+let _chatSystemPrompt = null;
+async function getChatSystemPrompt() {
+  if (!_chatSystemPrompt) {
+    const config = loadConfig();
+    _chatSystemPrompt = await buildSystemPrompt('NHA UI', UI_PERSONA, config);
+  }
+  return _chatSystemPrompt;
+}
+
+async function getImapAccountsContext() {
+  try {
+    const { listAccounts } = await import('../../services/email-db.mjs');
+    const accs = listAccounts();
+    if (!accs.length) return '';
+    let ctx = '\n\n--- IMAP EMAIL ACCOUNTS (custom, already configured) ---\n';
+    ctx += 'Use these accountIds directly in imap_* tools — do NOT call imap_accounts() first.\n';
+    for (const a of accs) {
+      ctx += `accountId: "${a.id}" | email: ${a.email_address} | name: "${a.display_name}" | status: ${a.sync_status}\n`;
+    }
+    return ctx;
+  } catch { return ''; }
+}
+
+const CONV_RE = /^\/api\/conversations\/([a-z0-9-]+)$/;
+const CONV_ACTION_RE = /^\/api\/conversations\/([a-z0-9-]+)\/(export|retry|retry-response|navigate|forks|edit)$/;
+
+export function register(router) {
+
+  // ── Conversations CRUD ──────────────────────────────────────────────────
+
+  router.get('/api/conversations', (_req, res) => {
+    sendJSON(res, 200, { conversations: listConversations() });
+  });
+
+  router.post('/api/conversations', (_req, res) => {
+    const conv = createConversation();
+    setActiveId(conv.id);
+    sendJSON(res, 201, { conversation: conv });
+  });
+
+  // Dynamic: GET/DELETE/PATCH /api/conversations/:id
+  router.get(CONV_RE, (req, res) => {
+    const id = req.url.match(CONV_RE)?.[1];
+    const conv = loadConversation(id);
+    if (!conv) return sendError(res, 404, 'Conversation not found');
+    sendJSON(res, 200, { conversation: conv });
+  });
+
+  router.delete(CONV_RE, (req, res) => {
+    const id = req.url.match(CONV_RE)?.[1];
+    const ok = deleteConversation(id);
+    sendJSON(res, ok ? 200 : 404, { ok });
+  });
+
+  router.patch(CONV_RE, async (req, res) => {
+    const id = req.url.match(CONV_RE)?.[1];
+    const body = await parseBody(req);
+    const conv = loadConversation(id);
+    if (!conv) return sendError(res, 404, 'Not found');
+    if (body.title) conv.title = body.title;
+    saveConversation(conv);
+    sendJSON(res, 200, { conversation: conv });
+  });
+
+  // Dynamic: /api/conversations/:id/export|retry|navigate|forks|edit
+  router.get(CONV_ACTION_RE, async (req, res) => {
+    const m = req.url.match(CONV_ACTION_RE);
+    const [, id, action] = m;
+    if (action === 'export') {
+      const conv = loadConversation(id);
+      if (!conv) return sendError(res, 404, 'Not found');
+      const url = new URL(req.url, 'http://localhost');
+      const fmt = url.searchParams.get('format') || 'md';
+      if (fmt === 'json') {
+        res.writeHead(200, { 'Content-Type': 'application/json', 'Content-Disposition': `attachment; filename="nha-chat-${id}.json"` });
+        res.end(exportAsJson(conv));
+      } else {
+        res.writeHead(200, { 'Content-Type': 'text/markdown', 'Content-Disposition': `attachment; filename="nha-chat-${id}.md"` });
+        res.end(exportAsMarkdown(conv));
+      }
+      return;
+    }
+    if (action === 'forks') {
+      const conv = loadConversation(id);
+      if (!conv) return sendError(res, 404, 'Not found');
+      const messages = getHistory(conv);
+      const forks = {};
+      for (const msg of messages) {
+        const info = getForkInfo(conv, msg.id);
+        if (info) forks[msg.id] = info;
+      }
+      return sendJSON(res, 200, { forks });
+    }
+    sendError(res, 404, 'Not found');
+  });
+
+  router.post(CONV_ACTION_RE, async (req, res) => {
+    const m = req.url.match(CONV_ACTION_RE);
+    const [, id, action] = m;
+    const conv = loadConversation(id);
+    if (!conv) return sendError(res, 404, 'Not found');
+    const body = await parseBody(req);
+
+    if (action === 'retry') {
+      const userNodeId = retryMessage(conv, body.assistantNodeId);
+      if (!userNodeId) return sendError(res, 400, 'Invalid message');
+      return sendJSON(res, 200, { userNodeId, userContent: conv.tree?.[userNodeId]?.content });
+    }
+    if (action === 'retry-response') {
+      const newId = addRetryResponse(conv, body.userNodeId, body.content);
+      return sendJSON(res, 200, { nodeId: newId, messages: getHistory(conv) });
+    }
+    if (action === 'navigate') {
+      const ok = navigateFork(conv, body.nodeId, body.direction);
+      return sendJSON(res, 200, { ok, messages: getHistory(conv) });
+    }
+    if (action === 'edit') {
+      const ok = editMessage(conv, body.nodeId, body.content);
+      return sendJSON(res, 200, { ok, messages: getHistory(conv) });
+    }
+    sendError(res, 404, 'Not found');
+  });
+
+  // ── Streaming Chat ──────────────────────────────────────────────────────
+
+  router.post('/api/chat/stream', async (req, res) => {
+    const body = await parseBody(req);
+    if (!body.message) return sendError(res, 400, 'message required');
+
+    const config = loadConfig();
+    if (!config.llm.provider || (!config.llm.apiKey && config.llm.provider !== 'nha')) {
+      config.llm.provider = 'nha';
+    }
+
+    const msg = body.message.trim();
+    const chatSystemPrompt = await getChatSystemPrompt();
+
+    // @agent inline routing OR body.agent param (from Agents panel)
+    let effectiveSystemPrompt = config._chatAgent?.systemPrompt || null;
+    let effectiveMsg = msg;
+
+    // body.agent takes priority (Agents view sends { agent: 'saber', message: '...' })
+    if (body.agent) {
+      const agentFile = path.join(AGENTS_DIR, `${body.agent.toLowerCase()}.mjs`);
+      if (fs.existsSync(agentFile)) {
+        const parsed = parseAgentFile(fs.readFileSync(agentFile, 'utf-8'), body.agent);
+        if (parsed.systemPrompt) effectiveSystemPrompt = parsed.systemPrompt;
+      }
+      // Fallback: use system prompt sent directly by client (from agent card)
+      if (!effectiveSystemPrompt && body._agentSystemPrompt) {
+        effectiveSystemPrompt = body._agentSystemPrompt;
+      }
+    } else {
+      // @agent inline routing
+      const atMatch = msg.match(/^@(\w+)\s+([\s\S]*)/);
+      if (atMatch) {
+        const agentFile = path.join(AGENTS_DIR, `${atMatch[1].toLowerCase()}.mjs`);
+        if (fs.existsSync(agentFile)) {
+          const parsed = parseAgentFile(fs.readFileSync(agentFile, 'utf-8'), atMatch[1]);
+          if (parsed.systemPrompt) effectiveSystemPrompt = parsed.systemPrompt;
+        }
+        effectiveMsg = atMatch[2];
+      }
+    }
+
+    let enrichedPrompt = effectiveSystemPrompt || chatSystemPrompt;
+    try { const m = buildMemoryContext('chat', effectiveMsg); if (m) enrichedPrompt = enrichedPrompt + m; } catch {}
+    try { const ic = await getImapAccountsContext(); if (ic) enrichedPrompt += ic; } catch {}
+
+    // Rolling context window
+    const rawHistory = (body.history || []).map(h => ({
+      role: h.role,
+      content: (h.content || '').replace(/!\[Screenshot\]\(data:image\/[^)]+\)/g, '[Screenshot taken]'),
+    }));
+    const RECENT = 6;
+    const parts = [];
+    if (rawHistory.length > RECENT) {
+      const older = rawHistory.slice(0, -RECENT);
+      const lines = [];
+      for (let i = 0; i < older.length; i += 2) {
+        const u = older[i]?.content?.slice(0, 150)?.replace(/\n/g, ' ') || '';
+        const a = older[i+1]?.content?.slice(0, 200)?.replace(/\n/g, ' ') || '';
+        if (u) lines.push(`- User: "${u.trim()}${u.length >= 150 ? '...' : ''}" → ${a.trim()}${a.length >= 200 ? '...' : ''}`);
+      }
+      if (lines.length) parts.push(`[CONVERSATION CONTEXT]\n${lines.join('\n')}\n[END CONTEXT]`);
+    }
+    for (const t of rawHistory.slice(-RECENT)) {
+      parts.push(`${t.role === 'user' ? '[User]' : '[Assistant]'} ${t.content.slice(0, 2000)}`);
+    }
+    parts.push(`[User] ${effectiveMsg}`);
+    const userMessage = parts.join('\n\n');
+
+    // Attachments — handle non-streaming
+    if (body.imageBase64 || body.pdfBase64 || body.fileContent) {
+      return sendJSON(res, 200, { error: 'attachments_use_regular', redirect: '/api/chat' });
+    }
+
+    // SSE
+    res.writeHead(200, {
+      'Content-Type': 'text/event-stream',
+      'Cache-Control': 'no-cache',
+      'Connection': 'keep-alive',
+      'Access-Control-Allow-Origin': '*',
+    });
+    const sse = (event, data) => res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
+
+    sse('processing', {});
+
+    let heartbeatInterval = setInterval(() => {
+      try { sse('processing', { ts: Date.now() }); } catch {}
+    }, 3000);
+
+    try {
+      let fullResponse = '';
+      fullResponse = await callLLMStream(config, enrichedPrompt, userMessage, (chunk) => {
+        clearInterval(heartbeatInterval);
+        heartbeatInterval = null;
+        sse('token', { content: chunk });
+      });
+
+      const { textParts, actions } = parseActions(fullResponse);
+      const toolResults = [];
+
+      // Auto-detect intent
+      const wantsScreenshot = /screenshot|screen\s*shot|schermo|cattura|foto|immagine/i.test(msg);
+      const wantsSearch = /\b(cerca|search|find|look\s*up|ricerca|cercare)\b/i.test(msg);
+      if (wantsSearch && !actions.some(a => a.action === 'web_search')) {
+        const q = msg.replace(/\b(cerca|search|find|look\s*up|ricerca|cercare|screenshot|screen\s*shot)\b/gi, '').trim();
+        if (q.length > 2) actions.push({ action: 'web_search', params: { query: q, screenshot: wantsScreenshot } });
+      }
+      // domain → browser_open
+      for (const a of actions) {
+        if (a.action === 'web_search' && /^[a-zA-Z0-9][a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(a.params.query?.trim())) {
+          a.action = 'browser_open';
+          a.params = { url: 'https://' + a.params.query.trim() };
+        }
+      }
+
+      for (const { action, params } of actions) {
+        if (action === 'web_search' && wantsScreenshot) params.screenshot = true;
+        sse('tool', { action, status: 'executing' });
+        try {
+          const result = await executeTool(action, params, config);
+          let resultStr = typeof result === 'object' ? JSON.stringify(result) : String(result);
+          if ((action === 'web_search' || action === 'fetch_url') && resultStr.includes('<')) {
+            resultStr = resultStr
+              .replace(/<style[\s\S]*?<\/style>/gi, '').replace(/<script[\s\S]*?<\/script>/gi, '')
+              .replace(/<[^>]+>/g, ' ').replace(/\s{3,}/g, '\n').trim().slice(0, 6000);
+          }
+          toolResults.push({ action, result: resultStr });
+          sse('tool', { action, status: 'done', result: resultStr.slice(0, 500) });
+        } catch (e) {
+          toolResults.push({ action, result: `Error: ${e.message}` });
+          sse('tool', { action, status: 'error', error: e.message });
+        }
+      }
+
+      // Synthesis round if tools ran
+      if (toolResults.length > 0) {
+        // Strip raw JSON from tool results — present as clean prose summaries
+        const cleanResult = (_action, raw) => {
+          const s = typeof raw === 'string' ? raw : JSON.stringify(raw);
+          // If it's already plain text (web_search returns plain text), return as-is
+          if (!s.startsWith('{') && !s.startsWith('[')) return s.slice(0, 4000);
+          try {
+            const obj = JSON.parse(s);
+            if (Array.isArray(obj)) {
+              // Array of search results — format as numbered list
+              return obj.slice(0, 5).map((r, i) => `${i+1}. ${r.title || r.name || ''}\n   ${r.snippet || r.description || r.url || ''}`).join('\n');
+            }
+            if (obj.results && Array.isArray(obj.results)) {
+              return obj.results.slice(0, 5).map((r, i) => `${i+1}. ${r.title || ''}\n   ${r.snippet || r.url || ''}`).join('\n');
+            }
+            if (obj.content) return String(obj.content).slice(0, 4000);
+            if (obj.text)    return String(obj.text).slice(0, 4000);
+            if (obj.snippet) return String(obj.snippet).slice(0, 2000);
+            if (obj.error)   return `Error: ${obj.error}`;
+            // Generic: format key-value pairs as readable text
+            return Object.entries(obj).slice(0, 20).map(([k, v]) => `${k}: ${typeof v === 'object' ? JSON.stringify(v).slice(0, 200) : v}`).join('\n');
+          } catch {
+            return s.slice(0, 4000);
+          }
+        };
+        const toolContext = toolResults.map(t => `[${t.action} result]:\n${cleanResult(t.action, t.result)}`).join('\n\n---\n\n');
+        const synthesisPrompt = `${enrichedPrompt}\n\n## DATA FROM TOOLS:\n${toolContext}\n\n## STRICT OUTPUT RULES:\n- Write ONLY plain prose or markdown (headers, bullets, bold)\n- NEVER use \`\`\`json, \`\`\`data, or any fenced code block containing data\n- NEVER output raw JSON, arrays, or objects\n- Format numbers/prices as plain text (e.g. "Bitcoin: $103,000")\n- Be concise and human-readable`;
+        const synthesisMsg = `${effectiveMsg}\n\nAnswer using ONLY the data above. Plain text/markdown only — zero JSON, zero code blocks.`;
+        sse('tool_synthesis', {});
+        fullResponse = '';
+        fullResponse = await callLLMStream(config, synthesisPrompt, synthesisMsg, (chunk) => {
+          sse('token', { content: chunk });
+        });
+      }
+
+      // Persist to conversation
+      if (body.conversationId) {
+        try {
+          const conv = loadConversation(body.conversationId);
+          if (conv) {
+            addMessages(conv, msg, fullResponse);
+          }
+        } catch {}
+      }
+
+      if (heartbeatInterval) { clearInterval(heartbeatInterval); heartbeatInterval = null; }
+      sse('done', { content: fullResponse });
+      res.write('data: [DONE]\n\n');
+      res.end();
+    } catch (e) {
+      if (heartbeatInterval) { clearInterval(heartbeatInterval); heartbeatInterval = null; }
+      sse('error', { message: e.message });
+      res.end();
+    }
+  });
+
+  // POST /api/ask — single-turn non-streaming chat
+  router.post('/api/ask', async (req, res) => {
+    try {
+      const body = await parseBody(req);
+      if (!body.message) return sendError(res, 400, 'message required');
+      const config = loadConfig();
+      const chatSystemPrompt = await getChatSystemPrompt();
+      const response = await callLLM(config, chatSystemPrompt, body.message);
+      sendJSON(res, 200, { response });
+    } catch (e) { sendError(res, 500, e.message); }
+  });
+}

package/src/server/routes/collab.mjs

@@ -0,0 +1,97 @@
+/**
+ * Alexandria Collab routes — E2E encrypted messaging
+ */
+
+import crypto from 'crypto';
+import fs from 'fs';
+import path from 'path';
+import { sendJSON, sendError, parseBody } from '../index.mjs';
+import { loadConfig } from '../../config.mjs';
+import { NHA_DIR } from '../../constants.mjs';
+
+const ALEX_API = 'https://nothumanallowed.com/api/v1/alexandria';
+const collabDir = path.join(NHA_DIR, 'collab');
+const idFile = path.join(collabDir, 'identity.json');
+const chFile = path.join(collabDir, 'channels.json');
+
+function getIdentity() {
+  if (fs.existsSync(idFile)) return JSON.parse(fs.readFileSync(idFile, 'utf-8'));
+  fs.mkdirSync(collabDir, { recursive: true });
+  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519', {
+    publicKeyEncoding: { type: 'spki', format: 'der' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
+  });
+  const config = (() => { try { return JSON.parse(fs.readFileSync(path.join(NHA_DIR, 'config.json'), 'utf-8')); } catch { return {}; } })();
+  const identity = {
+    publicKey: publicKey.toString('base64'),
+    privateKey: privateKey.toString('base64'),
+    fingerprint: crypto.createHash('sha256').update(publicKey).digest('hex').slice(0, 16),
+    displayName: config.profile?.name || 'User',
+  };
+  fs.writeFileSync(idFile, JSON.stringify(identity, null, 2), { mode: 0o600 });
+  return identity;
+}
+
+export function register(router) {
+  router.get('/api/collab/channels', (_req, res) => {
+    try {
+      const identity = getIdentity();
+      let channels = [];
+      if (fs.existsSync(chFile)) try { channels = JSON.parse(fs.readFileSync(chFile, 'utf-8')); } catch {}
+      sendJSON(res, 200, { channels, identity: { fingerprint: identity.fingerprint, displayName: identity.displayName } });
+    } catch (e) { sendError(res, 500, e.message); }
+  });
+
+  router.post('/api/collab/channels', async (req, res) => {
+    try {
+      const body = await parseBody(req);
+      let channels = [];
+      if (fs.existsSync(chFile)) try { channels = JSON.parse(fs.readFileSync(chFile, 'utf-8')); } catch {}
+      if (!channels.find(c => c.id === body.id)) {
+        channels.push({ id: body.id, name: body.name, active: true, role: body.role || 'member', createdAt: new Date().toISOString() });
+        channels.forEach(c => { if (c.id !== body.id) c.active = false; });
+        fs.mkdirSync(collabDir, { recursive: true });
+        fs.writeFileSync(chFile, JSON.stringify(channels, null, 2), { mode: 0o600 });
+      }
+      sendJSON(res, 200, { ok: true });
+    } catch (e) { sendError(res, 500, e.message); }
+  });
+
+  router.post('/api/collab/send', async (req, res) => {
+    try {
+      const body = await parseBody(req);
+      const identity = getIdentity();
+      const r = await fetch(`${ALEX_API}/send`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ ...body, senderPublicKey: identity.publicKey, senderFingerprint: identity.fingerprint }),
+      });
+      const data = await r.json();
+      sendJSON(res, r.ok ? 200 : 500, data);
+    } catch (e) { sendError(res, 500, e.message); }
+  });
+
+  router.get('/api/collab/messages', async (req, res) => {
+    try {
+      const url = new URL(req.url, 'http://localhost');
+      const channelId = url.searchParams.get('channelId');
+      const since = url.searchParams.get('since') || '0';
+      const r = await fetch(`${ALEX_API}/messages?channelId=${channelId}&since=${since}`);
+      const data = await r.json();
+      sendJSON(res, r.ok ? 200 : 500, data);
+    } catch (e) { sendError(res, 500, e.message); }
+  });
+
+  router.post('/api/collab/create-channel', async (req, res) => {
+    try {
+      const body = await parseBody(req);
+      const r = await fetch(`${ALEX_API}/create-channel`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(body),
+      });
+      const data = await r.json();
+      sendJSON(res, r.ok ? 200 : 500, data);
+    } catch (e) { sendError(res, 500, e.message); }
+  });
+}

package/src/server/routes/config.mjs

@@ -0,0 +1,179 @@
+/**
+ * Config routes — read/write ~/.nha/config.json + version check + weather + health
+ */
+
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { fileURLToPath } from 'url';
+import { sendJSON, sendError, parseBody } from '../index.mjs';
+import { loadConfig, saveConfig, setConfigValue } from '../../config.mjs';
+import { VERSION } from '../../constants.mjs';
+import { getAuthenticatedProviders, loadTokens } from '../../services/token-store.mjs';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+function _weatherIcon(code) {
+  const c = parseInt(code);
+  if ([113].includes(c)) return '☀️';
+  if ([116].includes(c)) return '⛅';
+  if ([119, 122].includes(c)) return '☁️';
+  if ([143, 248, 260].includes(c)) return '🌫️';
+  if ([176, 263, 266, 293, 296, 299, 302, 305, 308, 353].includes(c)) return '🌧️';
+  if ([179, 182, 185, 227, 230, 320, 323, 326, 329, 332, 335, 338, 350, 362, 365, 368, 371, 374, 377].includes(c)) return '❄️';
+  if ([200, 386, 389, 392, 395].includes(c)) return '⚡';
+  return '🌡️';
+}
+
+export function register(router) {
+
+  // GET /api/health
+  router.get('/api/health', (_req, res) => {
+    sendJSON(res, 200, { ok: true, version: VERSION, ts: Date.now() });
+  });
+
+  // GET /api/version/check
+  router.get('/api/version/check', async (_req, res) => {
+    try {
+      const r = await fetch('https://registry.npmjs.org/nothumanallowed/latest');
+      const data = await r.json();
+      sendJSON(res, 200, { current: VERSION, latest: data.version, hasUpdate: data.version !== VERSION });
+    } catch {
+      sendJSON(res, 200, { current: VERSION, latest: VERSION, hasUpdate: false });
+    }
+  });
+
+  // GET /api/config
+  router.get('/api/config', (_req, res) => {
+    try {
+      const config = loadConfig();
+      // Return a flat view that the UI can consume directly
+      sendJSON(res, 200, {
+        // raw nested (for anything that needs it)
+        ...config,
+        // flat aliases used by Settings.tsx
+        provider:     config.llm?.provider     || 'nha',
+        model:        config.llm?.model        || '',
+        thinking:     config.thinking          || 'off',
+        lang:         config.language          || config.voice?.language || 'en',
+        planTime:     config.ops?.planTime     || '07:00',
+        summaryTime:  config.ops?.summaryTime  || '18:00',
+        meetingAlert: config.ops?.meetingAlertMinutes ?? 30,
+        hasTelegram:  !!(config.responder?.telegram?.token),
+        hasDiscord:   !!(config.responder?.discord?.token),
+        // Key presence flags (never expose the actual key)
+        hasApiKey:    !!(config.llm?.apiKey),
+        hasOpenaiKey: !!(config.llm?.openaiKey),
+        hasGeminiKey: !!(config.llm?.geminiKey),
+        hasDeepseekKey: !!(config.llm?.deepseekKey),
+        hasGrokKey:   !!(config.llm?.grokKey),
+        hasMistralKey: !!(config.llm?.mistralKey),
+        hasCohereKey: !!(config.llm?.cohereKey),
+        // Google / Microsoft — use token-store (encrypted) as source of truth
+        hasGoogle:    !!((() => { try { return getAuthenticatedProviders().google; } catch { return config.google?.accessToken || config.google?.refreshToken; } })()),
+        hasMicrosoft: !!((() => { try { return getAuthenticatedProviders().microsoft; } catch { return config.microsoft?.accessToken || config.microsoft?.refreshToken; } })()),
+        googleEmail:  (() => { try { return loadTokens('google')?.email || null; } catch { return null; } })(),
+        microsoftEmail: (() => { try { return loadTokens('microsoft')?.email || null; } catch { return null; } })(),
+        // Profile (safe)
+        profile: config.profile || {},
+        // Redact sensitive nested fields
+        llm: undefined,
+        agent: undefined,
+        responder: undefined,
+      });
+    } catch (e) { sendError(res, 500, e.message); }
+  });
+
+  // POST /api/config — set one or more config values
+  router.post('/api/config', async (req, res) => {
+    try {
+      const body = await parseBody(req);
+      if (body.key && body.value !== undefined) {
+        const ok = setConfigValue(body.key, body.value);
+        if (!ok) return sendError(res, 400, `Unknown config key: ${body.key}`);
+        return sendJSON(res, 200, { ok: true });
+      }
+      // Bulk update: { updates: [{key, value}] }
+      if (body.updates && Array.isArray(body.updates)) {
+        for (const { key, value } of body.updates) setConfigValue(key, value);
+        return sendJSON(res, 200, { ok: true });
+      }
+      sendError(res, 400, 'Expected { key, value } or { updates: [{key,value}] }');
+    } catch (e) { sendError(res, 500, e.message); }
+  });
+
+  // GET /api/status — system status (provider, version, platform)
+  router.get('/api/status', (_req, res) => {
+    try {
+      const config = loadConfig();
+      sendJSON(res, 200, {
+        version: VERSION,
+        provider: config.llm?.provider || 'nha',
+        platform: process.platform,
+        node: process.version,
+        uptime: process.uptime(),
+        memory: process.memoryUsage(),
+      });
+    } catch (e) { sendError(res, 500, e.message); }
+  });
+
+  // GET /api/weather?location=<city name OR lat,lon>
+  // Uses wttr.in — accepts both "Milan" and "45.46,9.19"
+  router.get('/api/weather', async (req, res) => {
+    try {
+      const url = new URL(req.url, 'http://localhost');
+      const loc = url.searchParams.get('location') || '';
+      if (!loc) return sendError(res, 400, 'Missing location');
+      const encodedLoc = encodeURIComponent(loc);
+      const r = await fetch(
+        `https://wttr.in/${encodedLoc}?format=j1`,
+        { headers: { 'User-Agent': 'nha-ui/1.0' }, signal: AbortSignal.timeout(8000) }
+      );
+      if (!r.ok) return sendError(res, 502, `Weather service error: ${r.status}`);
+      const w = await r.json();
+      const cur = w.current_condition?.[0];
+      const area = w.nearest_area?.[0];
+      if (!cur) return sendError(res, 404, 'No weather data');
+      sendJSON(res, 200, {
+        tempC:    parseFloat(cur.temp_C),
+        feelsC:   parseFloat(cur.FeelsLikeC),
+        humidity: cur.humidity,
+        desc:     cur.weatherDesc?.[0]?.value || '',
+        icon:     _weatherIcon(cur.weatherCode),
+        city:     area?.areaName?.[0]?.value || loc,
+        country:  area?.country?.[0]?.value || '',
+        windKmph: cur.windspeedKmph,
+      });
+    } catch (e) { sendError(res, 500, e.message); }
+  });
+
+  // POST /api/update-npm — run npm install -g nothumanallowed@latest
+  router.post('/api/update-npm', async (_req, res) => {
+    const { exec } = await import('child_process');
+    exec('npm install -g nothumanallowed@latest', { timeout: 60000 }, (err, stdout, stderr) => {
+      if (err) return sendError(res, 500, stderr || err.message);
+      sendJSON(res, 200, { ok: true, output: stdout });
+    });
+  });
+
+  // GET /api/screenshots/:filename — serve screenshot files from ~/.nha/screenshots/
+  router.get(/^\/api\/screenshots\/(?<filename>[^/?]+)/, (req, res) => {
+    const filename = req.params.filename ?? '';
+    if (!filename || filename.includes('..') || filename.includes('/')) {
+      return sendError(res, 400, 'Invalid filename');
+    }
+    const screenshotsDir = path.join(os.homedir(), '.nha', 'screenshots');
+    const abs = path.join(screenshotsDir, filename);
+    if (!abs.startsWith(screenshotsDir)) return sendError(res, 400, 'Path traversal rejected');
+    if (!fs.existsSync(abs)) return sendError(res, 404, 'Screenshot not found');
+    const ext = path.extname(filename).toLowerCase();
+    const mime = ext === '.png' ? 'image/png' : ext === '.jpg' || ext === '.jpeg' ? 'image/jpeg' : ext === '.webp' ? 'image/webp' : 'application/octet-stream';
+    const data = fs.readFileSync(abs);
+    res.writeHead(200, {
+      'Content-Type': mime,
+      'Cache-Control': 'public, max-age=3600',
+      'Access-Control-Allow-Origin': '*',
+    });
+    res.end(data);
+  });
+}