nothumanallowed 13.5.47 → 13.5.49

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "13.5.47",
+  "version": "13.5.49",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/commands/ui.mjs

@@ -4067,7 +4067,83 @@ async function transaction(cb) {
 module.exports = { pool, query, transaction };
 `;
           fs.writeFileSync(path.join(sandboxDir, 'server', 'db.js'), dbShim, 'utf8');
-          sendLog('🔧 DB shim iniettato (in-memory, no PostgreSQL richiesto)');
+
+          // Sentinel shim — zero external dependencies (no 'ip', 'net', etc.)
+          const sentinelShim = `
+// NHA WebCraft Sandbox — Sentinel WAF shim (zero dependencies)
+const _ipWindows = {};
+function getIP(req) {
+  return (req.headers['x-forwarded-for'] || '').split(',')[0].trim() || req.socket.remoteAddress || '127.0.0.1';
+}
+const SQL_RE = new RegExp('(union[\\\\s\\\\S]+select|drop[\\\\s]+table|insert[\\\\s]+into|delete[\\\\s]+from|update[\\\\s]+set|exec[\\\\s]*\\\\(|xp_cmdshell)', 'i');
+const XSS_RE = new RegExp('(<script|javascript:|onerror=|onload=|eval\\\\()', 'i');
+const PATH_RE = new RegExp('\\\\.\\\\./');
+function sentinelMiddleware(req, res, next) {
+  var ip = getIP(req);
+  var now = Date.now();
+  if (!_ipWindows[ip]) _ipWindows[ip] = [];
+  _ipWindows[ip] = _ipWindows[ip].filter(function(t){ return now - t < 60000; });
+  _ipWindows[ip].push(now);
+  if (_ipWindows[ip].length > 120) {
+    process.stderr.write('[sentinel] rate-limit ' + ip + '\\n');
+    return res.status(429).json({ error: 'Too many requests' });
+  }
+  var check = req.url + JSON.stringify(req.body || '');
+  if (SQL_RE.test(check) || XSS_RE.test(check) || PATH_RE.test(check)) {
+    process.stderr.write('[sentinel] blocked ' + ip + ' ' + req.method + ' ' + req.url + '\\n');
+    return res.status(400).json({ error: 'Request blocked' });
+  }
+  next();
+}
+module.exports = { sentinelMiddleware };
+`;
+          fs.mkdirSync(path.join(sandboxDir, 'server', 'middleware'), { recursive: true });
+          fs.writeFileSync(path.join(sandboxDir, 'server', 'middleware', 'sentinel.js'), sentinelShim, 'utf8');
+
+          // Cache shim — zero dependencies (no ioredis), pure in-memory LRU
+          const cacheShim = `
+// NHA WebCraft Sandbox — Cache shim (in-memory, no Redis required)
+const _store = new Map();
+const _MAX = 1000;
+function evict() { if (_store.size > _MAX) { _store.delete(_store.keys().next().value); } }
+async function get(key) { var e = _store.get(key); if (!e) return null; if (e.exp && Date.now() > e.exp) { _store.delete(key); return null; } return e.val; }
+async function set(key, value, ttlSeconds) { evict(); _store.set(key, { val: value, exp: ttlSeconds ? Date.now() + ttlSeconds * 1000 : null }); }
+async function del(key) { _store.delete(key); }
+async function exists(key) { return (await get(key)) !== null; }
+module.exports = { get, set, del, exists };
+`;
+          fs.mkdirSync(path.join(sandboxDir, 'server', 'services'), { recursive: true });
+          fs.writeFileSync(path.join(sandboxDir, 'server', 'services', 'cache.js'), cacheShim, 'utf8');
+
+          // Patch all generated JS files: fix known wrong require() names
+          // The LLM often uses 'bcrypt' instead of 'bcryptjs', 'pg' instead of nothing, etc.
+          const requireFixes = [
+            [/require\(['"]bcrypt['"]\)/g,           "require('bcryptjs')"],
+            [/require\(['"]node-postgres['"]\)/g,    "require('bcryptjs')"],
+            [/require\(['"]pg['"]\)/g,               "require('./db')"],
+            [/require\(['"]ioredis['"]\)/g,          "require('../services/cache')"],
+            [/require\(['"]redis['"]\)/g,            "require('../services/cache')"],
+            [/require\(['"]ip['"]\)/g,               "({address:()=>'127.0.0.1'})"],
+            [/require\(['"]express-async-errors['"]\)/g, "{}"],
+            [/require\(['"]multer['"]\)/g,           "({single:()=>(r,s,n)=>n(),array:()=>(r,s,n)=>n()})"],
+          ];
+          function patchJsFiles(dir) {
+            if (!fs.existsSync(dir)) return;
+            for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+              const full = path.join(dir, entry.name);
+              if (entry.isDirectory()) { patchJsFiles(full); continue; }
+              if (!entry.name.endsWith('.js')) continue;
+              let src = fs.readFileSync(full, 'utf8');
+              let changed = false;
+              for (const [pat, rep] of requireFixes) {
+                const next = src.replace(pat, rep);
+                if (next !== src) { src = next; changed = true; }
+              }
+              if (changed) fs.writeFileSync(full, src, 'utf8');
+            }
+          }
+          patchJsFiles(path.join(sandboxDir, 'server'));
+          sendLog('🔧 Shim iniettati: DB (in-memory), Sentinel WAF, Cache — require() patchati');
 
           // Patch package.json to remove pg, add only what's needed
           const pkgPath = path.join(sandboxDir, 'package.json');

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '13.5.47';
+export const VERSION = '13.5.49';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/services/web-ui.mjs

@@ -6245,6 +6245,7 @@ var wcState = {
 var wcRightTab = 'files';
 var wcMainTab = 'new';     // 'new' | 'projects'
 var wcProjectsList = [];   // cached list from server
+var wcSandboxExpanded = {};  // { phaseKey: true/false }
 
 function wcEsc(s){return s?String(s).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;'):''}
 
@@ -6375,6 +6376,7 @@ function wcPickExample(i) {
 function wcTabFiles() { wcRightTab = 'files'; renderWebCraft(document.getElementById('content')); }
 function wcTabPreview() { wcRightTab = 'preview'; renderWebCraft(document.getElementById('content')); }
 function wcOpenSandbox() { if (wcState.sandbox.port) window.open('http://127.0.0.1:' + wcState.sandbox.port, '_blank'); }
+function wcTogglePhase(key) { wcSandboxExpanded[key] = !wcSandboxExpanded[key]; renderWebCraft(document.getElementById('content')); }
 
 function wcMainTabNew() { wcMainTab = 'new'; renderWebCraft(document.getElementById('content')); }
 function wcMainTabProjects() {
@@ -6568,38 +6570,127 @@ function wcSandboxPanelHtml() {
   if (!wcState.generatedFiles.length) {
     return '<div style="display:flex;align-items:center;justify-content:center;flex:1;color:var(--dim);font-size:13px">Genera prima il progetto</div>';
   }
-  var logsHtml = sb.logs.length
-    ? '<div id="wcSbLogs" style="flex:1;overflow-y:auto;padding:10px 14px;font-family:var(--mono);font-size:11px;line-height:1.7;color:var(--dim)">' +
-        sb.logs.map(function(l){ return '<div>'+wcEsc(l)+'</div>'; }).join('') +
-      '</div>'
-    : '<div style="flex:1;display:flex;align-items:center;justify-content:center;color:var(--dim);font-size:12px">Premi "Avvia Sandbox" per avviare il server locale</div>';
 
+  // Server ready — show iframe with top bar
   if (sb.port && !sb.running) {
-    // Server ready — show iframe
     return '<div style="display:flex;flex-direction:column;flex:1;min-height:0">' +
-      '<div style="display:flex;align-items:center;gap:8px;padding:8px 12px;border-bottom:1px solid var(--border);flex-shrink:0">' +
-        '<span style="font-size:11px;color:var(--dim);font-family:var(--mono)">http://127.0.0.1:'+sb.port+'</span>' +
-        '<span style="font-size:10px;color:var(--dim)">&#8212; ' + wcEsc(sb.dir || '') + '</span>' +
-        '<button onclick="wcStopSandbox()" style="margin-left:auto;padding:3px 10px;background:var(--bg3);border:1px solid var(--border2);border-radius:5px;color:var(--red);font-size:11px;cursor:pointer">&#9632; Ferma</button>' +
-        '<button onclick="wcOpenSandbox()" style="padding:3px 10px;background:var(--green3);border:none;border-radius:5px;color:var(--bg);font-size:11px;cursor:pointer;font-weight:700">&#8599; Apri</button>' +
+      '<div style="display:flex;align-items:center;gap:8px;padding:8px 12px;border-bottom:1px solid var(--border);flex-shrink:0;background:var(--bg3)">' +
+        '<span style="width:8px;height:8px;border-radius:50%;background:#22c55e;display:inline-block;flex-shrink:0"></span>' +
+        '<span style="font-size:11px;color:var(--text);font-family:var(--mono);font-weight:600">http://127.0.0.1:'+sb.port+'</span>' +
+        '<span style="font-size:10px;color:var(--dim);overflow:hidden;text-overflow:ellipsis;white-space:nowrap;flex:1">'+wcEsc(sb.dir||'')+'</span>' +
+        '<button onclick="wcStopSandbox()" style="padding:3px 10px;background:transparent;border:1px solid var(--border2);border-radius:5px;color:var(--dim);font-size:11px;cursor:pointer;flex-shrink:0">&#9632; Ferma</button>' +
+        '<button onclick="wcOpenSandbox()" style="padding:3px 12px;background:var(--green3);border:none;border-radius:5px;color:var(--bg);font-size:11px;cursor:pointer;font-weight:700;flex-shrink:0">&#8599; Apri nel browser</button>' +
       '</div>' +
       '<iframe src="http://127.0.0.1:'+sb.port+'" style="flex:1;border:none;width:100%;background:#fff" sandbox="allow-scripts allow-forms allow-same-origin allow-popups"></iframe>' +
     '</div>';
   }
 
+  // Pre-launch info panel
+  if (!sb.running && !sb.port && !sb.logs.length) {
+    return '<div style="display:flex;flex-direction:column;flex:1;min-height:0;padding:20px">' +
+      '<div style="background:var(--bg3);border:1px solid var(--border);border-radius:10px;padding:16px;max-width:480px">' +
+        '<div style="font-size:12px;font-weight:700;color:var(--text);margin-bottom:12px">&#9654; Cosa succede quando avvii la sandbox:</div>' +
+        '<div style="display:flex;flex-direction:column;gap:8px;font-size:11px;color:var(--dim)">' +
+          '<div style="display:flex;gap:8px;align-items:flex-start"><span style="color:var(--green);flex-shrink:0">1.</span><span>I file vengono scritti in <span style="font-family:var(--mono);color:var(--green)">~/.nha/webcraft/'+wcEsc(wcState.projectName||'project')+'</span></span></div>' +
+          '<div style="display:flex;gap:8px;align-items:flex-start"><span style="color:var(--green);flex-shrink:0">2.</span><span>npm install delle dipendenze (solo in quella cartella)</span></div>' +
+          '<div style="display:flex;gap:8px;align-items:flex-start"><span style="color:var(--green);flex-shrink:0">3.</span><span>Il server Express parte su una porta locale casuale</span></div>' +
+          '<div style="display:flex;gap:8px;align-items:flex-start"><span style="color:var(--green);flex-shrink:0">4.</span><span>DB in-memory (no PostgreSQL richiesto) — i dati si azzerano al riavvio</span></div>' +
+        '</div>' +
+        '<div style="margin-top:12px;padding:8px 10px;background:var(--amberdim);border:1px solid var(--amber3);border-radius:6px;font-size:10px;color:var(--amber)">&#9888; Solo locale — nessun dato esce dal tuo Mac</div>' +
+      '</div>' +
+    '</div>';
+  }
+
+  // Running — show structured phases log
+  var phases = [
+    { key: 'files',   label: 'Scrittura file',         icon: '&#128196;' },
+    { key: 'shims',   label: 'Shim iniettati',          icon: '&#128295;' },
+    { key: 'pkg',     label: 'package.json',            icon: '&#128230;' },
+    { key: 'env',     label: '.env sandbox',            icon: '&#9881;'   },
+    { key: 'deps',    label: 'Dipendenze',              icon: '&#128230;' },
+    { key: 'install', label: 'npm install',             icon: '&#9203;'   },
+    { key: 'start',   label: 'Avvio server',            icon: '&#9654;'   },
+  ];
+  var logs = sb.logs;
+  // Classify each log line into a phase
+  function phaseOf(l) {
+    if (!l) return 'start';
+    if (l.indexOf('Scrittura') !== -1 || l.indexOf('file...') !== -1 || l[0] === ' ' && l.indexOf('.') !== -1 && l.indexOf('✓') !== -1) return 'files';
+    if (l.indexOf('Shim') !== -1 || l.indexOf('shim') !== -1 || l.indexOf('DB shim') !== -1) return 'shims';
+    if (l.indexOf('package.json') !== -1) return 'pkg';
+    if (l.indexOf('.env') !== -1) return 'env';
+    if (l.indexOf('Dipendenze') !== -1 || l.indexOf('Percorso:') !== -1 || (l.indexOf('•') !== -1 && l.indexOf('@') !== -1)) return 'deps';
+    if (l.indexOf('npm install') !== -1 || l.indexOf('added') !== -1 || l.indexOf('packages') !== -1 || l.indexOf('npm error') !== -1 || l.indexOf('audit') !== -1 || l.indexOf('funding') !== -1 || l.indexOf('vulnerability') !== -1) return 'install';
+    return 'start';
+  }
+  var byPhase = {};
+  logs.forEach(function(l){ var p = phaseOf(l); if (!byPhase[p]) byPhase[p] = []; byPhase[p].push(l); });
+
+  // Check if a phase is done (next phase has lines)
+  var phaseKeys = phases.map(function(p){ return p.key; });
+  function phaseStatus(pk) {
+    var idx = phaseKeys.indexOf(pk);
+    if (!byPhase[pk] || !byPhase[pk].length) return 'pending';
+    // Done if next phase has started or if error
+    for (var i = idx+1; i < phaseKeys.length; i++) {
+      if (byPhase[phaseKeys[i]] && byPhase[phaseKeys[i]].length) return 'done';
+    }
+    if (sb.error) return 'error';
+    return 'active';
+  }
+
+  var statusColor = { done:'var(--green)', active:'var(--amber)', pending:'var(--dim)', error:'var(--red)' };
+  var statusIcon  = { done:'&#10003;', active:'&#9203;', pending:'&#9675;', error:'&#10060;' };
+
+  var phasesHtml = phases.map(function(ph){
+    var st = phaseStatus(ph.key);
+    var lines = byPhase[ph.key] || [];
+    var clean = lines.filter(function(l){ return l.indexOf('npm fund') === -1 && l.indexOf('run ') === -1 && l.indexOf('npm audit') === -1; });
+    var isOpen = !!wcSandboxExpanded[ph.key];
+    var hasContent = clean.length > 0;
+
+    // Summary line (always visible)
+    var summary = '';
+    if (ph.key === 'files') {
+      var cnt = clean.filter(function(l){ return l.indexOf('✓') !== -1; }).length;
+      summary = cnt ? cnt + ' file scritti' : '';
+    } else if (ph.key === 'deps') {
+      var dcnt = clean.filter(function(l){ return l.indexOf('•') !== -1; }).length;
+      summary = dcnt ? dcnt + ' dipendenze' : '';
+    } else if (clean.length > 0) {
+      var last = clean.filter(function(l){ return l.trim(); }).slice(-1)[0] || '';
+      summary = wcEsc(last.trim().slice(0, 60));
+    }
+
+    // Expanded detail — all lines
+    var expandedHtml = '';
+    if (isOpen && hasContent) {
+      expandedHtml = '<div style="margin-top:6px;padding:8px;background:var(--bg);border-radius:6px;max-height:180px;overflow-y:auto">' +
+        clean.map(function(l){
+          var col = l.indexOf('❌') !== -1 || l.indexOf('Error') !== -1 ? 'var(--red)' : l.indexOf('✓') !== -1 || l.indexOf('✅') !== -1 ? 'var(--green)' : 'var(--dim)';
+          return '<div style="font-size:10px;font-family:var(--mono);color:'+col+';line-height:1.6;white-space:pre-wrap;word-break:break-all">'+wcEsc(l)+'</div>';
+        }).join('') +
+      '</div>';
+    }
+
+    var clickable = hasContent && st !== 'pending';
+    return '<div style="border-bottom:1px solid var(--border)">' +
+      '<div onclick="'+( clickable ? 'wcTogglePhase('+JSON.stringify(ph.key)+')' : '' )+'" style="display:flex;gap:10px;align-items:center;padding:9px 12px;cursor:'+(clickable?'pointer':'default')+'">' +
+        '<span style="font-size:13px;flex-shrink:0">'+ph.icon+'</span>' +
+        '<div style="flex:1;min-width:0">' +
+          '<div style="font-size:11px;font-weight:600;color:'+(st==='pending'?'var(--dim)':'var(--text)')+'">'+ph.label+'</div>' +
+          (summary && !isOpen ? '<div style="font-size:10px;color:var(--dim);margin-top:1px;white-space:nowrap;overflow:hidden;text-overflow:ellipsis">'+summary+'</div>' : '') +
+        '</div>' +
+        (clickable ? '<span style="font-size:10px;color:var(--dim);flex-shrink:0">'+(isOpen?'&#9650;':'&#9660;')+'</span>' : '') +
+        '<span style="font-size:13px;color:'+statusColor[st]+';flex-shrink:0;margin-left:4px">'+statusIcon[st]+'</span>' +
+      '</div>' +
+      (isOpen ? '<div style="padding:0 12px 10px">' + expandedHtml + '</div>' : '') +
+    '</div>';
+  }).join('');
+
   return '<div style="display:flex;flex-direction:column;flex:1;min-height:0">' +
-    // Info bar
-    (!sb.running && !sb.port ? '<div style="padding:10px 14px;border-bottom:1px solid var(--border);flex-shrink:0;font-size:11px;color:var(--dim);line-height:1.6">' +
-      '<div style="font-weight:700;color:var(--text);margin-bottom:4px">Sandbox locale — cosa succede quando avvii:</div>' +
-      '<div>&#8226; I file vengono scritti in <span style="font-family:var(--mono);color:var(--green)">~/.nha/webcraft/'+(wcState.projectName||'project')+'</span></div>' +
-      '<div>&#8226; npm install delle dipendenze nella stessa cartella (nessuna installazione globale)</div>' +
-      '<div>&#8226; Il server Express parte su una porta locale casuale (es. 45123)</div>' +
-      '<div>&#8226; Il DB usa un in-memory store (nessun PostgreSQL richiesto)</div>' +
-      '<div>&#8226; I dati sandbox sono temporanei e si azzerano al riavvio</div>' +
-      '<div style="margin-top:6px;color:var(--amber)">&#9888; Sandbox solo locale — nessun dato esce dal tuo Mac</div>' +
-    '</div>' : '') +
-    logsHtml +
-    (sb.error ? '<div style="padding:8px 14px;color:var(--red);font-size:11px;font-family:var(--mono);flex-shrink:0">&#10060; '+wcEsc(sb.error)+'</div>' : '') +
+    phasesHtml +
+    (sb.error ? '<div style="padding:10px 14px;color:var(--red);font-size:11px;font-family:var(--mono);border-top:1px solid var(--border)">&#10060; '+wcEsc(sb.error)+'</div>' : '') +
   '</div>';
 }