nothumanallowed 16.0.23 → 16.0.24

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "16.0.23",
+  "version": "16.0.24",
   "description": "NotHumanAllowed — 38 AI agents, 80 tools, Studio (visual agentic workflows). Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, Alexandria E2E messaging, GitHub, Notion, Slack, voice chat, free AI (Liara), 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '16.0.23';
+export const VERSION = '16.0.24';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/server/routes/webcraft.mjs

@@ -155,19 +155,40 @@ class SandboxManager {
     }
     emit({ type: 'status', msg: `Entry point: ${entryFile}` });
 
-    // ── Phase 2: Dependencies ─────────────────────────────────────────────
+    // ── Phase 2: Dependencies (pre-scan + batch install) ──────────────────
+    // Pre-scan the project source files for require()/import statements and
+    // diff against package.json + node_modules. Install everything missing in
+    // ONE batch BEFORE spawning the sandbox, so the Tier 1 retry-on-crash
+    // becomes a fallback, not the main code path.
     if (fs.existsSync(path.join(projectDir, 'package.json'))) {
+      const scanned = _scanProjectImports(projectDir);
+      const declared = _declaredDeps(projectDir);
+      const installed = _installedDeps(projectDir);
+      const missing = [...scanned].filter(m => !declared.has(m) && !installed.has(m) && !_SHIMMED_MODULES.has(m));
+
+      if (missing.length > 0) {
+        emit({ type: 'phase', phase: 'deps-prescan', msg: `Pre-scan: ${missing.length} missing module${missing.length === 1 ? '' : 's'} → ${missing.slice(0, 8).join(', ')}${missing.length > 8 ? '...' : ''}` });
+      }
+
       emit({ type: 'phase', phase: 'deps', msg: 'Installing dependencies...' });
+      const installCmd = missing.length > 0
+        ? `npm install --save --prefer-offline --no-audit --no-fund ${missing.map(m => JSON.stringify(m)).join(' ')} 2>&1`
+        : 'npm install --prefer-offline --no-audit --no-fund 2>&1';
       try {
-        const { stdout } = await execAsync('npm install --prefer-offline --no-audit --no-fund 2>&1', {
+        const { stdout } = await execAsync(installCmd, {
           cwd: projectDir,
-          timeout: 120_000,
+          timeout: 180_000,
           env: { ...process.env, NODE_ENV: 'development' },
         });
         const added = stdout.match(/added (\d+) package/)?.[1] || '0';
-        emit({ type: 'status', msg: `Dependencies installed (${added} packages)` });
+        emit({ type: 'status', msg: `Dependencies installed (${added} packages${missing.length ? `, batch: ${missing.join(', ')}` : ''})` });
       } catch (e) {
-        emit({ type: 'warn', msg: `npm install warning: ${e.message.slice(0, 300)}` });
+        const diag = _classifyInstallError(e);
+        emit({ type: 'warn', msg: `npm install failed — reason: ${diag.reason}. ${diag.hint}` });
+        if (diag.offlineFallback) {
+          emit({ type: 'status', msg: 'Activating NHA_OFFLINE_SHIM=1 fallback for missing modules.' });
+          this._offlineShim = true;
+        }
       }
     }
 
@@ -201,14 +222,16 @@ class SandboxManager {
 
     // Capture stderr for missing module detection
     let stderrBuf = '';
+    const childEnv = {
+      ...process.env,
+      PORT: String(port),
+      NODE_ENV: 'development',
+      NHA_SANDBOX: '1',
+    };
+    if (this._offlineShim) childEnv.NHA_OFFLINE_SHIM = '1';
     const proc = spawn('node', [patchedEntry], {
       cwd: projectDir,
-      env: {
-        ...process.env,
-        PORT: String(port),
-        NODE_ENV: 'development',
-        NHA_SANDBOX: '1',
-      },
+      env: childEnv,
       detached: true,
       stdio: ['ignore', 'pipe', 'pipe'],
     });
@@ -291,25 +314,38 @@ class SandboxManager {
       emit({ type: 'warn', msg: 'Process exited but stderr is EMPTY — could be: process killed by OS, spawn failed before any output, or stdio mis-routed. Run "node .nha-launcher.js" manually in the project dir to reproduce.' });
     }
 
-    // ── Tier 1: missing module → npm install + retry ─────────────────────
-    const missingMatch = stderrBuf.match(/Cannot find module ['"]([^'"]+)['"]/);
-    if (missingMatch && _attempt < MAX_RETRIES) {
-      const missingMod = missingMatch[1];
-      if (!missingMod.startsWith('.') && !missingMod.startsWith('/') && !missingMod.startsWith('node:')) {
-        const pkgName = missingMod.startsWith('@') ? missingMod.split('/').slice(0, 2).join('/') : missingMod.split('/')[0];
-        emit({ type: 'phase', phase: 'autofix', msg: `Missing module "${pkgName}" — installing...` });
-        try {
-          await execAsync(`npm install --save ${pkgName} --no-audit --no-fund`, {
-            cwd: projectDir,
-            timeout: 60_000,
-            env: { ...process.env, NODE_ENV: 'development' },
-          });
-          emit({ type: 'status', msg: `Installed ${pkgName} — retrying (attempt ${_attempt + 1}/${MAX_RETRIES})...` });
+    // ── Tier 1: missing module → batch install all missing + retry ───────
+    // The pre-scan in Phase 2 catches most cases. Tier 1 here is the safety
+    // net for files generated AFTER pre-scan (e.g. user added a require()
+    // during chat) or for transitive crashes that surface only at runtime.
+    const missingModules = [...stderrBuf.matchAll(/Cannot find module ['"]([^'"]+)['"]/g)]
+      .map(m => m[1])
+      .filter(m => !m.startsWith('.') && !m.startsWith('/') && !m.startsWith('node:'))
+      .map(m => m.startsWith('@') ? m.split('/').slice(0, 2).join('/') : m.split('/')[0]);
+    const uniqueMissing = [...new Set(missingModules)].filter(m => !_SHIMMED_MODULES.has(m));
+    if (uniqueMissing.length > 0 && _attempt < MAX_RETRIES) {
+      emit({ type: 'phase', phase: 'autofix', msg: `Missing module${uniqueMissing.length === 1 ? '' : 's'}: ${uniqueMissing.join(', ')} — batch installing...` });
+      try {
+        await execAsync(`npm install --save --no-audit --no-fund ${uniqueMissing.map(m => JSON.stringify(m)).join(' ')}`, {
+          cwd: projectDir,
+          timeout: 120_000,
+          env: { ...process.env, NODE_ENV: 'development' },
+        });
+        emit({ type: 'status', msg: `Installed ${uniqueMissing.join(', ')} — retrying (attempt ${_attempt + 1}/${MAX_RETRIES})...` });
+        return this.start(projectName, projectDir, emit, _attempt + 1);
+      } catch (installErr) {
+        const diag = _classifyInstallError(installErr);
+        emit({ type: 'warn', msg: `Batch install failed — reason: ${diag.reason}. ${diag.hint}` });
+        if (diag.offlineFallback) {
+          emit({ type: 'status', msg: `Activating NHA_OFFLINE_SHIM=1 fallback — retrying with offline shim...` });
+          this._offlineShim = true;
           return this.start(projectName, projectDir, emit, _attempt + 1);
-        } catch (installErr) {
-          emit({ type: 'warn', msg: `Failed to install ${pkgName}: ${installErr.message.slice(0, 200)}` });
         }
       }
+    } else if (missingModules.length > 0 && uniqueMissing.length === 0) {
+      // All missing modules are shimmable — should never reach here because
+      // the shim handles them transparently. If it does, log the surprise.
+      emit({ type: 'warn', msg: `Crash mentions modules that ARE shimmed (${missingModules.join(', ')}). The shim index.js may not have been preloaded — check .nha-launcher.js wiring.` });
     }
 
     // ── Tier 2: runtime errors that need code fix (require/import mismatch,
@@ -3399,7 +3435,137 @@ function _patchEntry(projectDir, entryFile, shimDir, port) {
   return '.nha-launcher.js';
 }
 
-function _writeShims(shimDir) {
+// Authoritative list of modules covered by our offline-safe shims.
+// Used by both the pre-scan (to skip them from npm install) and the Tier 1
+// retry (to detect "missing module" stderr that's already covered by a shim).
+export const _SHIMMED_MODULES = new Set([
+  'pg', 'redis', 'ioredis', 'helmet', 'mongoose', 'sequelize',
+  'dotenv', 'cors', 'morgan', 'body-parser', 'cookie-parser',
+  'compression', 'express-rate-limit', 'jsonwebtoken', 'bcryptjs', 'bcrypt',
+  'uuid', 'lodash', 'debug', 'chalk', 'multer', 'axios',
+]);
+
+/** Read declared dependencies from package.json (deps + devDeps + peer). */
+function _declaredDeps(projectDir) {
+  const pkgPath = path.join(projectDir, 'package.json');
+  if (!fs.existsSync(pkgPath)) return new Set();
+  try {
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+    return new Set([
+      ...Object.keys(pkg.dependencies || {}),
+      ...Object.keys(pkg.devDependencies || {}),
+      ...Object.keys(pkg.peerDependencies || {}),
+      ...Object.keys(pkg.optionalDependencies || {}),
+    ]);
+  } catch { return new Set(); }
+}
+
+/** List top-level node_modules entries already on disk. */
+function _installedDeps(projectDir) {
+  const nm = path.join(projectDir, 'node_modules');
+  if (!fs.existsSync(nm)) return new Set();
+  try {
+    const out = new Set();
+    for (const entry of fs.readdirSync(nm)) {
+      if (entry.startsWith('.')) continue;
+      if (entry.startsWith('@')) {
+        const scopedDir = path.join(nm, entry);
+        try {
+          for (const sub of fs.readdirSync(scopedDir)) out.add(`${entry}/${sub}`);
+        } catch {}
+      } else {
+        out.add(entry);
+      }
+    }
+    return out;
+  } catch { return new Set(); }
+}
+
+/** Walk project files and extract all bare-import module names. */
+export function _scanProjectImports(projectDir, maxFiles = 500, maxBytes = 200_000) {
+  const found = new Set();
+  const exts = new Set(['.js', '.mjs', '.cjs', '.ts', '.tsx', '.jsx']);
+  const skipDirs = new Set(['node_modules', '.git', '.nha-shims', 'dist', 'build', '.next', 'coverage']);
+  const reRequire = /\brequire\s*\(\s*['"]([^'".][^'"]*)['"]\s*\)/g;
+  const reImport = /\bimport\s+(?:[^'"]*\s+from\s+)?['"]([^'".][^'"]*)['"]/g;
+  const reImportSide = /\bimport\s*\(\s*['"]([^'".][^'"]*)['"]\s*\)/g;
+  const stack = [projectDir];
+  let scanned = 0;
+
+  while (stack.length && scanned < maxFiles) {
+    const dir = stack.pop();
+    let entries;
+    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { continue; }
+    for (const entry of entries) {
+      if (skipDirs.has(entry.name) || entry.name.startsWith('.')) continue;
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) { stack.push(full); continue; }
+      if (!exts.has(path.extname(entry.name))) continue;
+      let content;
+      try {
+        const stat = fs.statSync(full);
+        if (stat.size > maxBytes) continue;
+        content = fs.readFileSync(full, 'utf-8');
+      } catch { continue; }
+      scanned++;
+      for (const re of [reRequire, reImport, reImportSide]) {
+        re.lastIndex = 0;
+        let m;
+        while ((m = re.exec(content)) !== null) {
+          const spec = m[1];
+          if (spec.startsWith('node:')) continue;
+          const pkg = spec.startsWith('@') ? spec.split('/').slice(0, 2).join('/') : spec.split('/')[0];
+          if (pkg) found.add(pkg);
+        }
+      }
+    }
+  }
+  return found;
+}
+
+/** Classify npm install errors into actionable categories. */
+export function _classifyInstallError(err) {
+  const msg = String(err?.message || err?.stderr || err?.stdout || err || '').toLowerCase();
+  if (/enotfound|etimedout|econnrefused|econnreset|network/.test(msg)) {
+    return { reason: 'offline (npm registry unreachable)', offlineFallback: true,
+      hint: 'Check VM network bridge/NAT, DNS, or corporate proxy (HTTP_PROXY/HTTPS_PROXY). Activating shim fallback.' };
+  }
+  if (/e404|notarget|not found in the npm registry/.test(msg)) {
+    return { reason: 'package does not exist on npm', offlineFallback: false,
+      hint: 'The package name from the LLM-generated code is likely a hallucination. Tier 2 LLM-rewrite will rename it.' };
+  }
+  if (/eacces|eperm|permission denied/.test(msg)) {
+    return { reason: 'permissions denied', offlineFallback: false,
+      hint: 'Run `sudo chown -R $USER ~/.nha` or move the project out of a root-owned directory.' };
+  }
+  if (/engine|unsupported.*node|requires node/.test(msg)) {
+    return { reason: 'Node version mismatch', offlineFallback: false,
+      hint: 'The package requires a different Node version. Check `node --version` and consider using nvm.' };
+  }
+  if (/eintegrity|sha-?(?:1|512) integrity|tarball/.test(msg)) {
+    return { reason: 'package integrity failure', offlineFallback: false,
+      hint: 'Try `rm -rf node_modules package-lock.json && npm install` to clear the cache.' };
+  }
+  return { reason: 'unknown', offlineFallback: false,
+    hint: (err?.message || '').slice(0, 200) };
+}
+
+export function _writeShims(shimDir) {
+  // ── Functional offline-safe shims for the 14 most common npm dependencies.
+  // These are NOT no-ops: they implement enough of the real API to keep code
+  // generated by the LLM running even when npm install is unavailable (VMs
+  // without network, corporate proxies, CI cache misses, etc.).
+  //
+  // Categories:
+  //   • Storage stubs:    pg, redis, ioredis, mongoose, sequelize
+  //   • Security stubs:   helmet, jsonwebtoken, bcryptjs
+  //   • Express middlew:  cors, morgan, body-parser, cookie-parser,
+  //                       compression, express-rate-limit, multer
+  //   • Utility stubs:    dotenv, uuid, lodash, debug, chalk, axios
+  //
+  // Every shim exports both CJS `module.exports` AND `.default` so it works
+  // under both `require('x')` and `import x from 'x'` interop.
+
   // In-memory pg replacement
   const pgShim = `
 const EventEmitter = require('events');
@@ -3476,35 +3642,471 @@ handler.xssFilter = handler;
 module.exports = handler;
 `;
 
-  // Generic no-op shim for unknown enterprise deps
-  const noopShim = `module.exports = new Proxy({}, { get: () => new Proxy(() => {}, { get: (_, p) => p === 'then' ? undefined : new Proxy(() => {}, { get: (__, q) => q === 'then' ? undefined : () => {} }) }) });`;
+  // dotenv — actually parses .env files and sets process.env
+  const dotenvShim = `
+const fs = require('fs');
+const path = require('path');
+function parse(src) {
+  const out = {};
+  const s = src.toString();
+  const re = /^\\s*([A-Za-z_][A-Za-z0-9_]*)\\s*=\\s*(.*?)\\s*$/;
+  for (const raw of s.split(/\\r?\\n/)) {
+    if (!raw || raw.trim().startsWith('#')) continue;
+    const m = raw.match(re);
+    if (!m) continue;
+    let v = m[2];
+    if ((v.startsWith('"') && v.endsWith('"')) || (v.startsWith("'") && v.endsWith("'"))) {
+      v = v.slice(1, -1);
+    }
+    out[m[1]] = v;
+  }
+  return out;
+}
+function config(opts) {
+  opts = opts || {};
+  try {
+    const p = opts.path || path.join(process.cwd(), '.env');
+    if (!fs.existsSync(p)) return { parsed: {} };
+    const parsed = parse(fs.readFileSync(p, 'utf-8'));
+    for (const k of Object.keys(parsed)) {
+      if (opts.override || !(k in process.env)) process.env[k] = parsed[k];
+    }
+    return { parsed };
+  } catch (e) { return { error: e }; }
+}
+module.exports = { config, parse };
+module.exports.default = module.exports;
+`;
+
+  // cors — full Express middleware factory
+  const corsShim = `
+function cors(opts) {
+  opts = opts || {};
+  const origin = opts.origin === undefined ? '*' : opts.origin;
+  const methods = opts.methods || 'GET,HEAD,PUT,PATCH,POST,DELETE';
+  const credentials = opts.credentials === true;
+  const allowedHeaders = opts.allowedHeaders || 'Content-Type,Authorization';
+  return function (req, res, next) {
+    const o = typeof origin === 'function' ? origin(req) : origin;
+    res.setHeader('Access-Control-Allow-Origin', Array.isArray(o) ? o.join(',') : o);
+    res.setHeader('Access-Control-Allow-Methods', methods);
+    res.setHeader('Access-Control-Allow-Headers', allowedHeaders);
+    if (credentials) res.setHeader('Access-Control-Allow-Credentials', 'true');
+    if (req.method === 'OPTIONS') { res.statusCode = 204; return res.end(); }
+    next();
+  };
+}
+module.exports = cors;
+module.exports.default = cors;
+`;
+
+  // morgan — minimal request logger
+  const morganShim = `
+function morgan(format) {
+  return function (req, res, next) {
+    const start = Date.now();
+    res.on('finish', () => {
+      const ms = Date.now() - start;
+      console.log(\`[\${new Date().toISOString()}] \${req.method} \${req.url} \${res.statusCode} \${ms}ms\`);
+    });
+    next();
+  };
+}
+morgan.token = () => morgan;
+morgan.format = () => morgan;
+module.exports = morgan;
+module.exports.default = morgan;
+`;
+
+  // body-parser — JSON + urlencoded
+  const bodyParserShim = `
+function readBody(req, limit) {
+  return new Promise((resolve, reject) => {
+    let data = '';
+    let size = 0;
+    req.on('data', (chunk) => {
+      size += chunk.length;
+      if (size > limit) { req.destroy(); return reject(new Error('Payload too large')); }
+      data += chunk;
+    });
+    req.on('end', () => resolve(data));
+    req.on('error', reject);
+  });
+}
+function jsonMw(opts) {
+  const limit = (opts && opts.limit) ? 1024 * 1024 * 10 : 1024 * 1024;
+  return async function (req, res, next) {
+    if (!/json/i.test(req.headers['content-type'] || '')) return next();
+    try { const raw = await readBody(req, limit); req.body = raw ? JSON.parse(raw) : {}; next(); }
+    catch (e) { res.statusCode = 400; res.end('Invalid JSON'); }
+  };
+}
+function urlencodedMw(opts) {
+  return async function (req, res, next) {
+    if (!/x-www-form-urlencoded/i.test(req.headers['content-type'] || '')) return next();
+    try {
+      const raw = await readBody(req, 1024 * 1024);
+      const body = {};
+      for (const pair of raw.split('&')) {
+        const [k, v] = pair.split('=').map(decodeURIComponent);
+        if (k) body[k] = v || '';
+      }
+      req.body = body;
+      next();
+    } catch (e) { res.statusCode = 400; res.end('Invalid form data'); }
+  };
+}
+const bp = { json: jsonMw, urlencoded: urlencodedMw, raw: () => (req, res, next) => next(), text: () => (req, res, next) => next() };
+module.exports = bp;
+module.exports.default = bp;
+`;
+
+  // cookie-parser
+  const cookieParserShim = `
+function parse(str) {
+  const out = {};
+  if (!str) return out;
+  for (const pair of str.split(';')) {
+    const idx = pair.indexOf('=');
+    if (idx < 0) continue;
+    const k = pair.slice(0, idx).trim();
+    const v = pair.slice(idx + 1).trim();
+    out[k] = decodeURIComponent(v);
+  }
+  return out;
+}
+function cookieParser() {
+  return function (req, res, next) { req.cookies = parse(req.headers.cookie || ''); next(); };
+}
+module.exports = cookieParser;
+module.exports.default = cookieParser;
+`;
+
+  // compression — pass-through (no-op middleware, real compression needs zlib)
+  const compressionShim = `
+function compression() { return function (req, res, next) { next(); }; }
+module.exports = compression;
+module.exports.default = compression;
+`;
+
+  // express-rate-limit — in-memory bucket
+  const rateLimitShim = `
+function rateLimit(opts) {
+  opts = opts || {};
+  const max = opts.max || 100;
+  const windowMs = opts.windowMs || 60_000;
+  const store = new Map();
+  return function (req, res, next) {
+    const key = (req.ip || req.headers['x-forwarded-for'] || req.socket.remoteAddress || 'anon') + ':' + (req.path || req.url || '/');
+    const now = Date.now();
+    const rec = store.get(key) || { count: 0, reset: now + windowMs };
+    if (now > rec.reset) { rec.count = 0; rec.reset = now + windowMs; }
+    rec.count++;
+    store.set(key, rec);
+    res.setHeader('X-RateLimit-Limit', String(max));
+    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, max - rec.count)));
+    if (rec.count > max) { res.statusCode = 429; return res.end('Too many requests'); }
+    next();
+  };
+}
+module.exports = rateLimit;
+module.exports.default = rateLimit;
+`;
+
+  // jsonwebtoken — HS256 sign/verify (sandbox-grade, NOT for production secrets)
+  const jwtShim = `
+const crypto = require('crypto');
+function b64url(buf) { return Buffer.from(buf).toString('base64').replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, ''); }
+function b64urlDecode(s) { s = s.replace(/-/g, '+').replace(/_/g, '/'); while (s.length % 4) s += '='; return Buffer.from(s, 'base64'); }
+function sign(payload, secret, opts) {
+  opts = opts || {};
+  const header = { alg: 'HS256', typ: 'JWT' };
+  const p = Object.assign({}, payload);
+  if (opts.expiresIn) {
+    const sec = typeof opts.expiresIn === 'string' ? parseInt(opts.expiresIn) * (opts.expiresIn.endsWith('h') ? 3600 : opts.expiresIn.endsWith('d') ? 86400 : opts.expiresIn.endsWith('m') ? 60 : 1) : opts.expiresIn;
+    p.exp = Math.floor(Date.now() / 1000) + sec;
+  }
+  const h = b64url(JSON.stringify(header));
+  const b = b64url(JSON.stringify(p));
+  const sig = b64url(crypto.createHmac('sha256', String(secret)).update(h + '.' + b).digest());
+  return h + '.' + b + '.' + sig;
+}
+function verify(token, secret) {
+  const parts = String(token).split('.');
+  if (parts.length !== 3) throw new Error('jwt malformed');
+  const [h, b, s] = parts;
+  const expected = b64url(crypto.createHmac('sha256', String(secret)).update(h + '.' + b).digest());
+  if (expected !== s) throw new Error('invalid signature');
+  const payload = JSON.parse(b64urlDecode(b).toString('utf-8'));
+  if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) throw new Error('jwt expired');
+  return payload;
+}
+function decode(token) { try { return JSON.parse(b64urlDecode(String(token).split('.')[1]).toString('utf-8')); } catch { return null; } }
+module.exports = { sign, verify, decode };
+module.exports.default = module.exports;
+`;
+
+  // bcryptjs — pbkdf2-based, NOT real bcrypt (sandbox-grade)
+  const bcryptShim = `
+const crypto = require('crypto');
+function hashSync(pwd, rounds) {
+  const salt = crypto.randomBytes(16);
+  const iter = Math.pow(2, Math.min(rounds || 10, 14));
+  const hash = crypto.pbkdf2Sync(String(pwd), salt, iter, 32, 'sha256');
+  return '$nha$' + iter + '$' + salt.toString('base64') + '$' + hash.toString('base64');
+}
+function compareSync(pwd, stored) {
+  const m = String(stored).match(/^\\$nha\\$(\\d+)\\$([^$]+)\\$(.+)$/);
+  if (!m) return false;
+  const iter = parseInt(m[1]);
+  const salt = Buffer.from(m[2], 'base64');
+  const expected = Buffer.from(m[3], 'base64');
+  const actual = crypto.pbkdf2Sync(String(pwd), salt, iter, 32, 'sha256');
+  return crypto.timingSafeEqual(expected, actual);
+}
+async function hash(pwd, rounds) { return hashSync(pwd, rounds); }
+async function compare(pwd, stored) { return compareSync(pwd, stored); }
+function genSaltSync() { return 10; }
+async function genSalt() { return 10; }
+module.exports = { hash, hashSync, compare, compareSync, genSalt, genSaltSync };
+module.exports.default = module.exports;
+`;
+
+  // uuid — v4 only
+  const uuidShim = `
+const crypto = require('crypto');
+function v4() {
+  const b = crypto.randomBytes(16);
+  b[6] = (b[6] & 0x0f) | 0x40;
+  b[8] = (b[8] & 0x3f) | 0x80;
+  const h = b.toString('hex');
+  return h.slice(0, 8) + '-' + h.slice(8, 12) + '-' + h.slice(12, 16) + '-' + h.slice(16, 20) + '-' + h.slice(20);
+}
+function v1() { return v4(); }
+function validate(s) { return /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(String(s)); }
+module.exports = { v1, v4, validate };
+module.exports.default = module.exports;
+`;
 
-  fs.writeFileSync(path.join(shimDir, 'pg.js'), pgShim, 'utf-8');
-  fs.writeFileSync(path.join(shimDir, 'redis.js'), redisShim, 'utf-8');
-  fs.writeFileSync(path.join(shimDir, 'helmet.js'), helmetShim, 'utf-8');
-  fs.writeFileSync(path.join(shimDir, 'ioredis.js'), redisShim, 'utf-8');
-  fs.writeFileSync(path.join(shimDir, 'mongoose.js'), noopShim, 'utf-8');
-  fs.writeFileSync(path.join(shimDir, 'sequelize.js'), noopShim, 'utf-8');
+  // lodash — minimal subset (the 95th-percentile-used functions)
+  const lodashShim = `
+const _ = {};
+_.isArray = Array.isArray;
+_.isObject = (x) => x !== null && typeof x === 'object';
+_.isString = (x) => typeof x === 'string';
+_.isNumber = (x) => typeof x === 'number' && !isNaN(x);
+_.isFunction = (x) => typeof x === 'function';
+_.isEmpty = (x) => x == null || (Array.isArray(x) && x.length === 0) || (typeof x === 'object' && Object.keys(x).length === 0) || (typeof x === 'string' && x.length === 0);
+_.get = (obj, path, def) => {
+  const keys = Array.isArray(path) ? path : String(path).split('.');
+  let cur = obj;
+  for (const k of keys) { if (cur == null) return def; cur = cur[k]; }
+  return cur === undefined ? def : cur;
+};
+_.set = (obj, path, val) => {
+  const keys = Array.isArray(path) ? path : String(path).split('.');
+  let cur = obj;
+  for (let i = 0; i < keys.length - 1; i++) { if (cur[keys[i]] == null) cur[keys[i]] = {}; cur = cur[keys[i]]; }
+  cur[keys[keys.length - 1]] = val;
+  return obj;
+};
+_.cloneDeep = (x) => JSON.parse(JSON.stringify(x));
+_.merge = (target, ...sources) => Object.assign(target, ...sources);
+_.pick = (obj, keys) => keys.reduce((o, k) => (k in obj ? (o[k] = obj[k], o) : o), {});
+_.omit = (obj, keys) => Object.keys(obj).reduce((o, k) => (!keys.includes(k) ? (o[k] = obj[k], o) : o), {});
+_.uniq = (arr) => [...new Set(arr)];
+_.uniqBy = (arr, fn) => { const seen = new Set(); return arr.filter(x => { const k = typeof fn === 'function' ? fn(x) : x[fn]; if (seen.has(k)) return false; seen.add(k); return true; }); };
+_.chunk = (arr, n) => { const out = []; for (let i = 0; i < arr.length; i += n) out.push(arr.slice(i, i + n)); return out; };
+_.flatten = (arr) => arr.flat();
+_.flattenDeep = (arr) => arr.flat(Infinity);
+_.groupBy = (arr, fn) => arr.reduce((o, x) => { const k = typeof fn === 'function' ? fn(x) : x[fn]; (o[k] = o[k] || []).push(x); return o; }, {});
+_.sortBy = (arr, fn) => [...arr].sort((a, b) => { const av = typeof fn === 'function' ? fn(a) : a[fn]; const bv = typeof fn === 'function' ? fn(b) : b[fn]; return av < bv ? -1 : av > bv ? 1 : 0; });
+_.keyBy = (arr, fn) => arr.reduce((o, x) => { o[typeof fn === 'function' ? fn(x) : x[fn]] = x; return o; }, {});
+_.debounce = (fn, wait) => { let t; return function (...args) { clearTimeout(t); t = setTimeout(() => fn.apply(this, args), wait); }; };
+_.throttle = (fn, wait) => { let last = 0; return function (...args) { const now = Date.now(); if (now - last >= wait) { last = now; fn.apply(this, args); } }; };
+_.range = (start, end, step) => { if (end === undefined) { end = start; start = 0; } step = step || 1; const out = []; for (let i = start; step > 0 ? i < end : i > end; i += step) out.push(i); return out; };
+_.sum = (arr) => arr.reduce((a, b) => a + b, 0);
+_.mean = (arr) => arr.length ? _.sum(arr) / arr.length : 0;
+_.max = (arr) => arr.length ? Math.max(...arr) : undefined;
+_.min = (arr) => arr.length ? Math.min(...arr) : undefined;
+_.capitalize = (s) => String(s).charAt(0).toUpperCase() + String(s).slice(1).toLowerCase();
+_.camelCase = (s) => String(s).replace(/[-_\\s]+(.)?/g, (_m, c) => c ? c.toUpperCase() : '');
+_.kebabCase = (s) => String(s).replace(/([a-z])([A-Z])/g, '$1-$2').replace(/[\\s_]+/g, '-').toLowerCase();
+_.snakeCase = (s) => String(s).replace(/([a-z])([A-Z])/g, '$1_$2').replace(/[\\s-]+/g, '_').toLowerCase();
+module.exports = _;
+module.exports.default = _;
+`;
 
-  // Shim index — overrides require() for known modules via Module._resolveFilename
+  // debug — namespace-aware logger
+  const debugShim = `
+const enabled = (process.env.DEBUG || '').split(',').filter(Boolean);
+function isEnabled(ns) { return enabled.some(p => p === '*' || ns === p || (p.endsWith('*') && ns.startsWith(p.slice(0, -1)))); }
+function debug(namespace) {
+  const fn = function (...args) { if (isEnabled(namespace)) console.error('[' + namespace + ']', ...args); };
+  fn.namespace = namespace;
+  fn.enabled = isEnabled(namespace);
+  fn.extend = (ns) => debug(namespace + ':' + ns);
+  return fn;
+}
+debug.enable = (ns) => { enabled.push(...ns.split(',')); };
+debug.disable = () => { enabled.length = 0; };
+module.exports = debug;
+module.exports.default = debug;
+`;
+
+  // chalk — ANSI color codes
+  const chalkShim = `
+const codes = { reset: [0, 0], bold: [1, 22], dim: [2, 22], italic: [3, 23], underline: [4, 24],
+  black: [30, 39], red: [31, 39], green: [32, 39], yellow: [33, 39], blue: [34, 39], magenta: [35, 39], cyan: [36, 39], white: [37, 39], gray: [90, 39],
+  bgBlack: [40, 49], bgRed: [41, 49], bgGreen: [42, 49], bgYellow: [43, 49], bgBlue: [44, 49] };
+function wrap(open, close, text) { return '\\x1b[' + open + 'm' + text + '\\x1b[' + close + 'm'; }
+function build(styles) {
+  const fn = function (...args) {
+    let s = args.join(' ');
+    for (let i = styles.length - 1; i >= 0; i--) { const [o, c] = codes[styles[i]]; s = wrap(o, c, s); }
+    return s;
+  };
+  for (const k of Object.keys(codes)) Object.defineProperty(fn, k, { get: () => build([...styles, k]) });
+  return fn;
+}
+const chalk = build([]);
+chalk.level = 1;
+chalk.supportsColor = { level: 1, hasBasic: true };
+module.exports = chalk;
+module.exports.default = chalk;
+`;
+
+  // multer — file upload middleware (no-op, no actual disk write)
+  const multerShim = `
+function multer(opts) {
+  return {
+    single: () => (req, res, next) => { req.file = null; next(); },
+    array: () => (req, res, next) => { req.files = []; next(); },
+    fields: () => (req, res, next) => { req.files = {}; next(); },
+    any: () => (req, res, next) => { req.files = []; next(); },
+    none: () => (req, res, next) => next(),
+  };
+}
+multer.diskStorage = (opts) => ({ _kind: 'disk', opts });
+multer.memoryStorage = () => ({ _kind: 'memory' });
+module.exports = multer;
+module.exports.default = multer;
+`;
+
+  // axios — minimal fetch-based replacement
+  const axiosShim = `
+async function request(config) {
+  const url = typeof config === 'string' ? config : config.url;
+  const method = (typeof config === 'object' && config.method) || 'GET';
+  const headers = (typeof config === 'object' && config.headers) || {};
+  const body = typeof config === 'object' ? config.data : undefined;
+  const init = { method, headers: { ...headers }, };
+  if (body !== undefined) {
+    if (typeof body === 'object' && !(body instanceof URLSearchParams)) {
+      init.body = JSON.stringify(body);
+      if (!init.headers['Content-Type']) init.headers['Content-Type'] = 'application/json';
+    } else { init.body = body; }
+  }
+  const res = await fetch(url, init);
+  const ct = res.headers.get('content-type') || '';
+  const data = ct.includes('json') ? await res.json().catch(() => null) : await res.text();
+  if (res.status >= 400) { const err = new Error('Request failed with status code ' + res.status); err.response = { status: res.status, data, headers: Object.fromEntries(res.headers) }; throw err; }
+  return { data, status: res.status, statusText: res.statusText, headers: Object.fromEntries(res.headers) };
+}
+const axios = function (config) { return request(config); };
+axios.request = request;
+axios.get = (url, config) => request({ ...config, url, method: 'GET' });
+axios.post = (url, data, config) => request({ ...config, url, method: 'POST', data });
+axios.put = (url, data, config) => request({ ...config, url, method: 'PUT', data });
+axios.patch = (url, data, config) => request({ ...config, url, method: 'PATCH', data });
+axios.delete = (url, config) => request({ ...config, url, method: 'DELETE' });
+axios.create = (defaults) => axios;
+module.exports = axios;
+module.exports.default = axios;
+`;
+
+  // Generic no-op shim — deeply chainable proxy. Survives any .a().b.c().d
+  // access chain because every get/apply returns another proxy of the same shape.
+  const noopShim = `
+const noop = function () {};
+const handler = {
+  get(target, prop) {
+    if (prop === 'then' || prop === Symbol.toPrimitive || prop === Symbol.iterator) return undefined;
+    if (prop === 'default') return proxy;
+    if (prop === 'toString') return () => '[nha-noop]';
+    return proxy;
+  },
+  apply() { return proxy; },
+  construct() { return proxy; },
+};
+const proxy = new Proxy(noop, handler);
+module.exports = proxy;
+module.exports.default = proxy;
+`;
+
+  const shimFiles = {
+    'pg.js': pgShim,
+    'redis.js': redisShim,
+    'ioredis.js': redisShim,
+    'helmet.js': helmetShim,
+    'mongoose.js': noopShim,
+    'sequelize.js': noopShim,
+    'dotenv.js': dotenvShim,
+    'cors.js': corsShim,
+    'morgan.js': morganShim,
+    'body-parser.js': bodyParserShim,
+    'cookie-parser.js': cookieParserShim,
+    'compression.js': compressionShim,
+    'express-rate-limit.js': rateLimitShim,
+    'jsonwebtoken.js': jwtShim,
+    'bcryptjs.js': bcryptShim,
+    'bcrypt.js': bcryptShim,
+    'uuid.js': uuidShim,
+    'lodash.js': lodashShim,
+    'debug.js': debugShim,
+    'chalk.js': chalkShim,
+    'multer.js': multerShim,
+    'axios.js': axiosShim,
+    'noop.js': noopShim,
+  };
+  for (const [name, content] of Object.entries(shimFiles)) {
+    fs.writeFileSync(path.join(shimDir, name), content, 'utf-8');
+  }
+
+  // Shim index — only activates a shim if the REAL package is missing.
+  // This lets a project that has its own dotenv/cors/etc. installed use the
+  // real implementation, and only falls back to our shim when resolution fails.
+  // Also supports NHA_OFFLINE_SHIM=1 to no-op any unresolvable module.
+  const shimList = JSON.stringify(Object.keys(shimFiles).filter(f => f !== 'noop.js').map(f => f.replace(/\.js$/, '')));
   const shimIndex = `
 const Module = require('module');
 const path = require('path');
 const __shimDir = ${JSON.stringify(shimDir)};
+const SHIM_NAMES = new Set(${shimList});
+const ALIAS = { 'bcrypt': 'bcryptjs' };
+const OFFLINE = process.env.NHA_OFFLINE_SHIM === '1';
+const _original = Module._resolveFilename.bind(Module);
 
-const SHIMS = {
-  'pg': path.join(__shimDir, 'pg.js'),
-  'redis': path.join(__shimDir, 'redis.js'),
-  'ioredis': path.join(__shimDir, 'redis.js'),
-  'helmet': path.join(__shimDir, 'helmet.js'),
-  'mongoose': path.join(__shimDir, 'mongoose.js'),
-  'sequelize': path.join(__shimDir, 'sequelize.js'),
-};
+function shimPath(name) {
+  const f = (ALIAS[name] || name) + '.js';
+  return path.join(__shimDir, f);
+}
 
-const _original = Module._resolveFilename.bind(Module);
 Module._resolveFilename = function(request, parent, isMain, options) {
-  if (SHIMS[request]) return SHIMS[request];
-  return _original(request, parent, isMain, options);
+  try {
+    return _original(request, parent, isMain, options);
+  } catch (err) {
+    if (err && err.code === 'MODULE_NOT_FOUND') {
+      if (SHIM_NAMES.has(request) || ALIAS[request]) {
+        return shimPath(request);
+      }
+      if (OFFLINE && !request.startsWith('.') && !request.startsWith('/') && !request.startsWith('node:')) {
+        try { console.error('[nha-shim] offline-noop for missing module: ' + request); } catch {}
+        return path.join(__shimDir, 'noop.js');
+      }
+    }
+    throw err;
+  }
 };
 `;
   fs.writeFileSync(path.join(shimDir, 'index.js'), shimIndex, 'utf-8');