npm - nothumanallowed - Versions diffs - 13.5.62 → 13.5.63 - Mend

nothumanallowed 13.5.62 → 13.5.63

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "13.5.62",
+  "version": "13.5.63",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/commands/ui.mjs CHANGED Viewed

@@ -4110,6 +4110,32 @@ ${completedHeadings ? `## SECTIONS ALREADY WRITTEN (headings only):\n${completed
             sendLog(`   ✓ ${f.name}`);
           }
+          // Post-process HTML files: remove meta tags that break HTTP iframe sandbox
+          // (Strict-Transport-Security, X-Frame-Options, frame-ancestors CSP meta)
+          // This is system-level sanitization — the generated project code is NOT modified
+          // by hand; the sandbox shim layer strips incompatible production-only headers.
+          const htmlFiles = files.filter(function(f) { return f.name.endsWith('.html'); });
+          if (htmlFiles.length > 0) {
+            sendLog('🔧 Sanitizzazione meta tag sandbox...');
+            for (const f of htmlFiles) {
+              const fp = path.join(sandboxDir, f.name);
+              let html = fs.readFileSync(fp, 'utf8');
+              const before = html.length;
+              // Remove Strict-Transport-Security meta (forces HTTPS, breaks HTTP sandbox)
+              html = html.replace(/<meta[^>]+Strict-Transport-Security[^>]*>/gi, '');
+              // Remove X-Frame-Options meta (blocks iframe embedding)
+              html = html.replace(/<meta[^>]+X-Frame-Options[^>]*>/gi, '');
+              // Remove Content-Security-Policy meta http-equiv (server sets it via helmet with sandbox-safe values)
+              html = html.replace(/<meta[^>]+http-equiv=["']Content-Security-Policy["'][^>]*>/gi, '');
+              // Remove frame-ancestors none/self directives from any remaining CSP meta
+              html = html.replace(/<meta[^>]+content=["'][^"']*frame-ancestors[^"']*["'][^>]*>/gi, '');
+              if (html.length !== before) {
+                fs.writeFileSync(fp, html, 'utf8');
+                sendLog('   ✓ ' + f.name + ' (meta tag produzione rimossi)');
+              }
+            }
+          }
           // Inject sandbox db shim — replaces pg with in-memory SQLite-like store
           const dbShim = `
 // NHA WebCraft Sandbox DB Shim

package/src/services/web-ui.mjs CHANGED Viewed

@@ -7650,7 +7650,7 @@ async function wcGenerate() {
   // Security rules always injected
   var SECURITY_RULES = [
-    'ALWAYS use security headers: X-Content-Type-Options, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy: geolocation=(), microphone=(), camera=(). NEVER set X-Frame-Options: DENY or frame-ancestors: none — the app runs in a sandbox iframe and must be embeddable. HSTS only in production (check NODE_ENV).',
+    'ALWAYS use security headers via Express/helmet server-side only. NEVER add X-Frame-Options, Strict-Transport-Security, frame-ancestors, or Content-Security-Policy as HTML meta http-equiv tags — the app runs inside an HTTP iframe sandbox and these meta tags will break resource loading. Only allowed HTML security meta: viewport, charset, X-UA-Compatible, Permissions-Policy.',
     'NEVER put secrets, API keys, or DB credentials in frontend code. Only in .env server-side.',
     'ALWAYS use prepared statements / parameterized queries. NEVER string-concatenate SQL.',
     'ALWAYS hash passwords with bcrypt (cost factor 12+). NEVER store plain passwords.',
@@ -7681,9 +7681,9 @@ async function wcGenerate() {
     { name: 'public/css/components.css', lang: 'css',    prompt: 'Generate public/css/components.css following STRICT BEM (block__element--modifier). Components: .btn (--primary, --secondary, --danger, --ghost), .form (form__field, form__label, form__input, form__error, form__hint), .card (card__header, card__body, card__footer), .nav (nav__brand, nav__links, nav__link--active), .alert (--success, --error, --warning, --info), .spinner, .badge, .modal (modal__overlay, modal__content, modal__header, modal__body, modal__footer). Fully accessible (focus states, aria).' },
     { name: 'public/css/pages.css',   lang: 'css',       prompt: 'Generate public/css/pages.css: page-level layout classes using BEM. .page-auth (centered card layout for login/register), .page-dashboard (sidebar + content grid), .page-landing (hero section, features grid, pricing cards). Responsive at 768px and 480px breakpoints.' },
     { name: 'public/js/main.js',      lang: 'javascript', prompt: 'Generate public/js/main.js: vanilla JS, no dependencies. authAPI object with methods register(data), login(data), logout(), refreshToken(), getMe(). Cookie banner controller: reads localStorage consent, shows banner if not set, sets consent by category (necessary/analytics/marketing). Form handlers for register and login pages. Global error display utility. Export nothing (IIFE).' },
-    { name: 'public/index.html',      lang: 'html',       prompt: 'Generate public/index.html for "'+projName+'": '+desc+'. Full HTML5. Security meta tags (CSP via meta as fallback, X-UA-Compatible). Include base.css, components.css, pages.css. GDPR cookie banner HTML (class .cookie-banner, .cookie-banner__text, .cookie-banner__actions, .cookie-banner__btn--accept, .cookie-banner__btn--reject). Navigation. Hero section. Include main.js at end of body. Semantic HTML, ARIA roles, lang attribute.' },
-    { name: 'public/login.html',      lang: 'html',       prompt: 'Generate public/login.html: login page for "'+projName+'". Form with email + password fields using .form BEM classes. Link to register.html. Error display area. Include same CSS files. ARIA labels, autocomplete attributes.' },
-    { name: 'public/register.html',   lang: 'html',       prompt: 'Generate public/register.html: registration page for "'+projName+'". Form fields: '+authFieldsDef+'. Use .form BEM classes. Client-side validation hints. Link to login.html. Error/success display. Include same CSS files. ARIA labels, autocomplete attributes.' },
+    { name: 'public/index.html',      lang: 'html',       prompt: 'Generate public/index.html for "'+projName+'": '+desc+'. Full HTML5. IMPORTANT: do NOT add X-Frame-Options, Strict-Transport-Security, or frame-ancestors meta tags — the app runs in an iframe sandbox on HTTP localhost and these will break it. Only add: X-UA-Compatible IE=edge, viewport, charset, Permissions-Policy (geolocation=(), microphone=(), camera=()). Include base.css, components.css, pages.css. GDPR cookie banner HTML (class .cookie-banner, .cookie-banner__text, .cookie-banner__actions, .cookie-banner__btn--accept, .cookie-banner__btn--reject). Navigation. Hero section. Include main.js at end of body. Semantic HTML, ARIA roles, lang attribute.' },
+    { name: 'public/login.html',      lang: 'html',       prompt: 'Generate public/login.html: login page for "'+projName+'". Form with email + password fields using .form BEM classes. Link to register.html. Error display area. Include same CSS files. ARIA labels, autocomplete attributes. Do NOT add X-Frame-Options or Strict-Transport-Security meta tags.' },
+    { name: 'public/register.html',   lang: 'html',       prompt: 'Generate public/register.html: registration page for "'+projName+'". Form fields: '+authFieldsDef+'. Use .form BEM classes. Client-side validation hints. Link to login.html. Error/success display. Include same CSS files. ARIA labels, autocomplete attributes. Do NOT add X-Frame-Options or Strict-Transport-Security meta tags.' },
     { name: 'server/middleware/sentinel.js', lang: 'javascript', prompt: 'Generate server/middleware/sentinel.js: a lightweight WAF middleware for Express. Check request for: SQL injection patterns (UNION SELECT, DROP TABLE, etc.), XSS patterns (<script, javascript:, onerror=), path traversal (../), oversized payloads (>100KB body). Rate limit by IP using an in-memory sliding window (fallback when Redis unavailable). Log blocked requests with IP, method, path, reason to stderr. Export sentinelMiddleware(req, res, next).' },
     { name: 'server/services/cache.js',     lang: 'javascript', prompt: 'Generate server/services/cache.js: Redis/Dragonfly client using ioredis. Connect to REDIS_URL from env. Export: get(key), set(key, value, ttlSeconds), del(key), exists(key). Add circuit breaker pattern: if Redis fails 3+ times in 30s, switch to in-memory LRU fallback (Map with max 1000 entries, LRU eviction). Reconnect Redis in background every 60s. Log circuit state changes. This makes the app resilient when Redis is down.' },
     { name: 'README.md',              lang: 'markdown',   prompt: 'Generate README.md for "'+projName+'": project description, tech stack (Express, PostgreSQL with circuit breaker, Redis/Dragonfly with LRU fallback, JWT auth, Nodemailer SMTP + SendGrid fallback, Sentinel WAF, BEM CSS), folder structure, setup instructions (clone, npm install, copy .env.example to .env, run migrations with psql, optional: start Redis/Dragonfly, npm run dev), environment variables table (including REDIS_URL), API endpoints table, security notes, email configuration guide.' },