nothumanallowed 13.5.66 → 13.5.68

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "13.5.66",
+  "version": "13.5.68",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/commands/ui.mjs

@@ -4313,6 +4313,13 @@ module.exports = { get, set, del, exists };
             [/require\(['"]\.\.\/\.\.\/config['"]\)/g,                 "{env:process.env}"],
             [/require\(['"]\.\.\/config['"]\)/g,                       "{env:process.env}"],
             [/require\(['"]\.\/config['"]\)/g,                         "{env:process.env}"],
+            // rateLimiter: LLM sometimes creates a separate file instead of importing from security.js
+            [/require\(['"]\.\.\/middleware\/rateLimiter['"]\)/g,      "require('../middleware/security')"],
+            [/require\(['"]\.\/middleware\/rateLimiter['"]\)/g,        "require('./middleware/security')"],
+            [/require\(['"]\.\.\/middleware\/rateLimit['"]\)/g,        "require('../middleware/security')"],
+            [/require\(['"]\.\/middleware\/rateLimit['"]\)/g,          "require('./middleware/security')"],
+            [/require\(['"]\.\.\/middleware\/limiter['"]\)/g,          "require('../middleware/security')"],
+            [/require\(['"]\.\/middleware\/limiter['"]\)/g,            "require('./middleware/security')"],
           ];
           function patchJsFiles(dir) {
             if (!fs.existsSync(dir)) return;

package/src/services/web-ui.mjs

@@ -7118,7 +7118,6 @@ function wcChatKeydown(e) {
 }
 
 function wcStopAll() {
-  // Abort ongoing generation
   if (_wcGenAbortCtrl) { _wcGenAbortCtrl.abort(); _wcGenAbortCtrl = null; }
   wcState.running = false;
   wcChatRunning = false;
@@ -7128,6 +7127,21 @@ function wcStopAll() {
   renderWebCraft(document.getElementById('content'));
 }
 
+function wcOverlayMinimize() {
+  _wcOverlayMinimized = true;
+  renderWebCraft(document.getElementById('content'));
+  if (_wcOverlayTimer) clearTimeout(_wcOverlayTimer);
+  _wcOverlayTimer = setTimeout(function() {
+    if (wcState.running) { _wcOverlayMinimized = false; renderWebCraft(document.getElementById('content')); }
+  }, 10000);
+}
+
+function wcOverlayRestore() {
+  if (_wcOverlayTimer) { clearTimeout(_wcOverlayTimer); _wcOverlayTimer = null; }
+  _wcOverlayMinimized = false;
+  renderWebCraft(document.getElementById('content'));
+}
+
 function wcRemoveAttachment(ai) {
   wcChatAttachments.splice(ai, 1);
   renderWebCraft(document.getElementById('content'));
@@ -7732,7 +7746,7 @@ async function wcGenerate() {
     { name: 'server/middleware/security.js', lang: 'javascript', prompt: 'Generate server/middleware/security.js: detect sandbox via isSandbox = !process.env.NODE_ENV || process.env.NODE_ENV === "development". Use helmet CSP: defaultSrc self, scriptSrc self unsafe-inline, styleSrc self unsafe-inline, imgSrc self data:, connectSrc self, objectSrc none. frameAncestors: if isSandbox use ["self", "http://127.0.0.1:*", "http://localhost:*"] else ["none"]. NO X-Frame-Options DENY (conflicts with frameAncestors). NO HSTS in sandbox (HTTP only). Referrer-Policy strict-origin-when-cross-origin. Add express-rate-limit for general routes (100/15min) and strict limiter for auth (5/15min). Export { applySecurityMiddleware, authLimiter }.' },
     { name: 'server/middleware/validate.js', lang: 'javascript', prompt: 'Generate server/middleware/validate.js using express-validator. Export handleValidationErrors middleware. Export auth field validators: registerValidator (fields: '+authFieldsDef+'), loginValidator (email + password).' },
     { name: 'server/services/email.js', lang: 'javascript', prompt: 'Generate server/services/email.js: Nodemailer transporter using SMTP from env. Function sendVerificationEmail(to, token, baseUrl): sends HTML email with verification link. Function sendPasswordResetEmail(to, token, baseUrl). Add SendGrid fallback (commented out, predisposed with transporter swap). Never expose credentials.' },
-    { name: 'server/routes/auth.js',  lang: 'javascript', prompt: 'Generate server/routes/auth.js: POST /register (validate fields: '+authFieldsDef+', check duplicate email, bcrypt hash password cost 12, insert user, send verification email, return 201), POST /login (validate, check email verified, compare bcrypt, issue JWT access 15min + refresh 7d httpOnly cookie), POST /logout (clear refresh cookie), POST /refresh-token (validate refresh from httpOnly cookie, rotate token), GET /verify-email/:token (mark email verified). Use parameterized queries only. Apply authLimiter to register and login.' },
+    { name: 'server/routes/auth.js',  lang: 'javascript', prompt: 'Generate server/routes/auth.js: POST /register (validate fields: '+authFieldsDef+', check duplicate email, bcrypt hash password cost 12, insert user, send verification email, return 201), POST /login (validate, check email verified, compare bcrypt, issue JWT access 15min + refresh 7d httpOnly cookie), POST /logout (clear refresh cookie), POST /refresh-token (validate refresh from httpOnly cookie, rotate token), GET /verify-email/:token (mark email verified). Use parameterized queries only. Import authLimiter EXACTLY like this: const { authLimiter } = require("../middleware/security"); — do NOT create or import from ../middleware/rateLimiter (that file does not exist). Apply authLimiter to register and login.' },
     { name: 'server/routes/api.js',   lang: 'javascript', prompt: 'Generate server/routes/api.js: Express router with a verifyToken middleware (validates JWT Bearer). GET /api/me returns authenticated user profile (no password hash). GET /api/health returns {status: ok, timestamp}. Structure ready for adding more routes.' },
     { name: 'server/index.js',        lang: 'javascript', prompt: 'Generate server/index.js: Express app entry point. Apply applySecurityMiddleware first. Then apply sentinelMiddleware (import from ./middleware/sentinel.js). Use CORS with env CORS_ORIGIN. Parse JSON body (limit 10kb). Mount /api/auth → auth.js, /api → api.js. Serve public/ as static. 404 handler and global error handler (never leak stack traces in production). Start on PORT from env.' },
     { name: 'db/migrations/001_init.sql', lang: 'sql',   prompt: 'Generate PostgreSQL migration 001_init.sql: CREATE TABLE users with id UUID default gen_random_uuid(), fields for '+authFieldsDef+', email_verified BOOLEAN default false, verification_token VARCHAR, reset_token VARCHAR, reset_token_expires TIMESTAMPTZ, refresh_token_hash VARCHAR, created_at TIMESTAMPTZ default now(), updated_at TIMESTAMPTZ default now(). CREATE INDEX on email. CREATE TABLE refresh_tokens (id, user_id FK, token_hash, expires_at, created_at). Add updated_at trigger function.' },
@@ -7781,22 +7795,6 @@ async function wcGenerate() {
       '<div style="display:flex;gap:4px;margin-top:10px">'+[0,1,2,3,4].map(function(_,idx){ return '<div style="width:6px;height:6px;border-radius:50%;background:var(--green);animation:wcDot 1.1s ease-in-out infinite '+(idx*0.14)+'s"></div>'; }).join('')+'</div>';
   }
 
-  function wcOverlayMinimize() {
-    _wcOverlayMinimized = true;
-    renderWebCraft(document.getElementById('content'));
-    // Restore after 10s of inactivity
-    if (_wcOverlayTimer) clearTimeout(_wcOverlayTimer);
-    _wcOverlayTimer = setTimeout(function() {
-      if (wcState.running) { _wcOverlayMinimized = false; renderWebCraft(document.getElementById('content')); }
-    }, 10000);
-  }
-
-  function wcOverlayRestore() {
-    if (_wcOverlayTimer) { clearTimeout(_wcOverlayTimer); _wcOverlayTimer = null; }
-    _wcOverlayMinimized = false;
-    renderWebCraft(document.getElementById('content'));
-  }
-
   for (var fi = 0; fi < filePlan.length; fi++) {
     var fp = filePlan[fi];
     wcUpdateGenOverlay(fi, filePlan.length, fp.name);