nothumanallowed 16.0.20 → 16.0.22

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "16.0.20",
+  "version": "16.0.22",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '16.0.20';
+export const VERSION = '16.0.22';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/services/message-responder.mjs

@@ -321,12 +321,47 @@ function isContinuationMessage(text, lastCtx) {
 function isCompletedAction(text) {
   if (!text) return false;
   const lower = text.toLowerCase();
+  // Specific high-confidence signals
   const DONE_SIGNALS = ['cancellato con successo','eliminato con successo','evento eliminato',
     'evento cancellato','deleted successfully','removed successfully','email inviata','email sent',
     'draft created','bozza creata','aggiornato con successo','updated successfully',
     'task completato','task done','creato con successo','created successfully',
     'spostato con successo','moved successfully'];
-  return DONE_SIGNALS.some(s => lower.includes(s));
+  if (DONE_SIGNALS.some(s => lower.includes(s))) return true;
+  // Broader patterns (v16.0.21 guardrail): "è stato X", "l'ho fatto", "ho cancellato".
+  // These catch HERALD-style narrations like "L'appuntamento è stato spostato al 19 maggio".
+  const BROAD = /\b(è\s+(stat[ao]|stat[ei])\s+(cancellat[ao]i?|eliminat[ao]i?|rimoss[ao]i?|spostat[ao]i?|modificat[ao]i?|aggiornat[ao]i?|creat[ao]i?|inviat[ao]i?|inoltrat[ao]i?|archiviat[ao]i?|completat[ao]i?|rinominat[ao]i?|condivis[ao]i?|segnat[ao]i?))/i;
+  if (BROAD.test(text)) return true;
+  const HO = /\b(ho\s+(cancellato|eliminato|rimosso|spostato|modificato|aggiornato|creato|inviato|inoltrato|archiviato|completato|rinominato|condiviso|segnato|fissato|prenotato|programmato|cambiato|risolto))/i;
+  if (HO.test(text)) return true;
+  const EN = /\b(i\s+(have|just)\s+(deleted|removed|moved|created|updated|sent|forwarded|archived|completed|renamed|shared|marked))/i;
+  if (EN.test(text)) return true;
+  return false;
+}
+
+// Tool whitelist for "actually mutated state". If the agent claims a
+// completed mutation but NONE of these were called, we treat it as fake.
+const _MUTATION_TOOLS = new Set([
+  'calendar_create', 'calendar_update', 'calendar_delete', 'calendar_move',
+  'gmail_send', 'gmail_reply', 'gmail_forward', 'gmail_delete', 'gmail_archive',
+  'gmail_label', 'gmail_mark_read', 'gmail_mark_unread', 'gmail_draft',
+  'task_add', 'task_done', 'task_delete', 'task_edit',
+  'note_add', 'note_delete',
+  'reminder_create', 'reminder_cancel',
+  'contact_create', 'contact_update', 'contact_delete',
+  'drive_upload', 'drive_update', 'drive_delete', 'drive_rename', 'drive_move', 'drive_share',
+  'gtask_complete', 'gtask_update', 'gtask_delete',
+  'slack_send', 'notion_update', 'github_create_issue', 'github_close_issue',
+  'imap_send', 'imap_reply', 'imap_delete',
+]);
+function _toolResultLineIsMutation(line) {
+  if (typeof line !== 'string') return false;
+  const m = line.match(/^\[([\w_]+)\]\s+(.*)$/);
+  if (!m) return false;
+  const [, name, rest] = m;
+  if (!_MUTATION_TOOLS.has(name)) return false;
+  if (/Error:|^Error\b/i.test(rest)) return false; // failed → didn't actually mutate
+  return true;
 }
 
 async function callAgentWithTools(config, agentName, userMessage, languageOverride, preHistory, chatId) {
@@ -354,6 +389,9 @@ async function callAgentWithTools(config, agentName, userMessage, languageOverri
   // preHistory: full conversation history from previous turn (for sticky confirmations)
   const history = preHistory ? [...preHistory] : [];
   let finalText = '';
+  // Track EVERY tool call across ALL rounds. The final post-response
+  // guardrail uses this to detect "claimed action without actual tool call".
+  const _allToolResults = [];
 
   for (let round = 0; round < 5; round++) {
     const parts = history.map(h => (h.role === 'user' ? '[User]' : '[Assistant]') + ' ' + h.content);
@@ -409,7 +447,9 @@ async function callAgentWithTools(config, agentName, userMessage, languageOverri
       try {
         const result = await _exec(action, params, config, chatId);
         const resultStr = typeof result === 'string' ? result : JSON.stringify(result);
-        toolResults.push(`[${action}] ${resultStr}`);
+        const line = `[${action}] ${resultStr}`;
+        toolResults.push(line);
+        _allToolResults.push(line);
       } catch (err) {
         // Detect Google/Microsoft OAuth token expiry — give user a clear fix instruction
         const msg = err.message || '';
@@ -418,7 +458,9 @@ async function callAgentWithTools(config, agentName, userMessage, languageOverri
           authError = action.startsWith('gmail') || action.startsWith('imap') || action.startsWith('calendar') || action.startsWith('contact') || action.startsWith('drive') || action.startsWith('gtask')
             ? 'google' : 'microsoft';
         }
-        toolResults.push(`[${action}] Error: ${err.message}`);
+        const errLine = `[${action}] Error: ${err.message}`;
+        toolResults.push(errLine);
+        _allToolResults.push(errLine);
       }
     }
 
@@ -451,6 +493,24 @@ async function callAgentWithTools(config, agentName, userMessage, languageOverri
       `If an action was completed, say so clearly. REMEMBER: reply ONLY in ${language}.`;
   }
 
+  // ── POST-RESPONSE ANTI-HALLUCINATION GUARDRAIL (v16.0.21) ─────────────
+  // If the agent claims a completed mutation ("ho cancellato", "è stato
+  // spostato", "I have deleted") BUT no mutation tool was actually called
+  // across any of the 5 rounds — REPLACE the lie with an honest error.
+  // The user sees the truth: "Non sono riuscito a eseguire l'azione".
+  if (finalText) {
+    const claimsAction = isCompletedAction(finalText);
+    if (claimsAction) {
+      const didMutate = _allToolResults.some(_toolResultLineIsMutation);
+      if (!didMutate) {
+        try { console.warn(`[GUARDRAIL] Mutation claim without tool call. Tools used: [${_allToolResults.map(l => l.match(/^\[([\w_]+)\]/)?.[1]).filter(Boolean).join(', ')}]. Replacing fake response: "${finalText.slice(0, 160)}"`); } catch {}
+        finalText = language === 'Italian'
+          ? `⚠️ Attenzione: avevo dichiarato di aver eseguito un'azione, ma in realtà non ho chiamato nessun tool di modifica. NON è stato fatto nulla.\n\nPer favore ripeti la richiesta in modo specifico — es. "sposta l'appuntamento Tagliando macchina al 19 maggio alle 17:30" — così che io possa eseguire il comando esatto.`
+          : `⚠️ Warning: I claimed an action was completed but did not actually call any modification tool. NOTHING was changed.\n\nPlease restate your request precisely — e.g. "move the Car Service appointment to May 19 at 17:30" — so I can run the exact tool call.`;
+      }
+    }
+  }
+
   // Defensive language post-check: small models sometimes drop back to English
   // even when instructed otherwise (especially after tool execution, where the
   // English tool-result text biases the continuation). If the final reply is
@@ -692,7 +752,9 @@ class TelegramResponder {
   async start() {
     if (!this.enabled) return;
     this.running = true;
-    this.log('[Telegram] Responder started — polling for messages');
+    // Explicit version log at boot so the user can verify what's running.
+    // Critical when chasing "bot still mentes" — answers "are you on v16.0.21?".
+    this.log(`[Telegram] Responder started — VERSION ${VERSION} — polling for messages`);
     this._pollLoop();
     // Check for npm updates after 60s, then every 24h
     this._updateCheckTimer = setTimeout(() => this._scheduleUpdateCheck(), 60 * 1000);
@@ -714,8 +776,41 @@ class TelegramResponder {
 
   async _scheduleUpdateCheck() {
     await this._checkAndNotifyUpdate();
-    // Then every 24h
+    await this._checkLocalUpdateAndRestart();
+    // Then every 24h for the npm registry check + every 5 min for local install check
     this._updateCheckTimer = setInterval(() => this._checkAndNotifyUpdate(), 24 * 60 * 60 * 1000);
+    setInterval(() => this._checkLocalUpdateAndRestart(), 5 * 60 * 1000);
+  }
+
+  /**
+   * Detect that a NEW version of nha-cli has been installed on disk while
+   * this process is still running the OLD code in memory. When detected,
+   * exit cleanly so PM2 / launchd / the dispatcher respawns us on the
+   * latest code. Without this, the user runs `npm i -g nothumanallowed@latest`
+   * but the Telegram bot keeps mentes-ing with the old logic forever.
+   */
+  async _checkLocalUpdateAndRestart() {
+    try {
+      const fileURL = await import('url');
+      const here = fileURL.fileURLToPath(import.meta.url);
+      // ../../package.json relative to this file (services/message-responder.mjs)
+      const pkgPath = path.join(path.dirname(here), '..', '..', 'package.json');
+      if (!fs.existsSync(pkgPath)) return;
+      const onDisk = JSON.parse(fs.readFileSync(pkgPath, 'utf-8')).version;
+      if (!onDisk || onDisk === VERSION) return;
+      this.log(`[Telegram] Detected new install: running v${VERSION}, on-disk v${onDisk}. Restarting to pick up new code…`);
+      // Notify any active chat that we're restarting (best-effort, fire and forget)
+      try {
+        const chatIds = getAllTelegramChatIds();
+        for (const chatId of chatIds.slice(0, 3)) {
+          this._telegramCall('sendMessage', { chat_id: parseInt(chatId, 10), text: `🔄 Aggiornamento NHA v${VERSION} → v${onDisk} in corso. Torno tra 2 secondi.` }).catch(() => {});
+        }
+      } catch {}
+      // Give the message a moment to flush, then exit. PM2 / dispatcher restarts us.
+      setTimeout(() => process.exit(0), 800);
+    } catch (e) {
+      this.log(`[Telegram] Local update check failed: ${e.message}`);
+    }
   }
 
   async _checkAndNotifyUpdate() {

package/src/services/tool-executor.mjs

@@ -2018,11 +2018,45 @@ export async function executeTool(action, params, config) {
 
     case 'calendar_move': {
       const tz = Intl.DateTimeFormat().resolvedOptions().timeZone;
-      await updateEvent(config, 'primary', params.eventId, {
-        start: { dateTime: new Date(params.newStart).toISOString(), timeZone: tz },
-        end: { dateTime: new Date(params.newEnd).toISOString(), timeZone: tz },
+      // ── Resolve eventId from optional query/oldDate (v16.0.22) ──
+      // Agent models often pass {query: 'BMW', newStart} without an eventId.
+      // Instead of failing, resolve it here via listEvents so the move
+      // actually happens. Returns honest error if multiple/no matches.
+      let eventId = params.eventId;
+      if (!eventId && (params.query || params.title || params.oldDate)) {
+        const range = (() => {
+          if (params.oldDate && /^\d{4}-\d{2}-\d{2}$/.test(params.oldDate)) {
+            const [yy, mm, dd] = params.oldDate.split('-').map(n => parseInt(n, 10));
+            const from = new Date(yy, mm - 1, dd);
+            return { from, to: new Date(from.getTime() + 86400000) };
+          }
+          const from = new Date();
+          return { from, to: new Date(from.getTime() + 90 * 86400000) };
+        })();
+        const candidates = await listEvents(config, 'primary', range.from, range.to);
+        const q = String(params.query || params.title || '').toLowerCase();
+        const matching = q
+          ? candidates.filter(e => String(e.summary || '').toLowerCase().includes(q))
+          : candidates;
+        if (matching.length === 0) {
+          return `Error: no event found matching "${q || params.oldDate}" — calendar_move did NOT execute.`;
+        }
+        if (matching.length > 1) {
+          const list = matching.slice(0, 5).map((e, i) =>
+            `${i + 1}. ${(e.start || '').slice(0, 10)} ${e.summary}`).join('\n');
+          return `Error: multiple events match "${q}" — be more specific. Candidates:\n${list}`;
+        }
+        eventId = matching[0].id;
+      }
+      if (!eventId) return 'Error: eventId or query/title required.';
+      if (!params.newStart) return 'Error: newStart required.';
+      const newStartISO = new Date(params.newStart).toISOString();
+      const newEndISO = new Date(params.newEnd || (new Date(params.newStart).getTime() + 3600000)).toISOString();
+      await updateEvent(config, 'primary', eventId, {
+        start: { dateTime: newStartISO, timeZone: tz },
+        end:   { dateTime: newEndISO,   timeZone: tz },
       });
-      return `Event rescheduled to ${formatTime(params.newStart)} - ${formatTime(params.newEnd)}.`;
+      return `Event rescheduled to ${formatTime(newStartISO)} - ${formatTime(newEndISO)}.`;
     }
 
     case 'calendar_week': {