npm - nothumanallowed - Versions diffs - 16.0.28 → 16.0.29 - Mend

nothumanallowed 16.0.28 → 16.0.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/src/constants.mjs +1 -1
package/src/server/routes/webcraft.mjs +70 -4

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "16.0.28",
+  "version": "16.0.29",
   "description": "Local AI assistant: 80 tools (Gmail, Calendar, Drive, GitHub, Slack, browser, code, files), 38 agents, visual workflows (Studio, AWF, WebCraft). Install with `npm i -g nothumanallowed`, run with `nha ui`. Free tier built-in (Liara), no API key required. Your data stays on your PC — OAuth tokens local, no cloud. Open-source MIT.",
   "type": "module",
   "bin": {

package/src/constants.mjs CHANGED Viewed

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
-export const VERSION = '16.0.28';
+export const VERSION = '16.0.29';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';

package/src/server/routes/webcraft.mjs CHANGED Viewed

@@ -363,10 +363,22 @@ class SandboxManager {
     // The pre-scan in Phase 2 catches most cases. Tier 1 here is the safety
     // net for files generated AFTER pre-scan (e.g. user added a require()
     // during chat) or for transitive crashes that surface only at runtime.
-    const missingModules = [...stderrBuf.matchAll(/Cannot find module ['"]([^'"]+)['"]/g)]
+    const rawMissing = [...stderrBuf.matchAll(/Cannot find module ['"]([^'"]+)['"]/g)]
       .map(m => m[1])
       .filter(m => !m.startsWith('.') && !m.startsWith('/') && !m.startsWith('node:'))
-      .map(m => m.startsWith('@') ? m.split('/').slice(0, 2).join('/') : m.split('/')[0]);
+      .map(m => m.startsWith('@') ? m.split('/').slice(0, 2).join('/') : m.split('/')[0])
+      // Drop Node.js built-ins — they're in the runtime, can't be installed
+      .filter(m => !_NODE_BUILTINS.has(m));
+    // Resolve LLM hallucinated aliases (jwt → jsonwebtoken, bcrypt → bcryptjs)
+    const missingModules = rawMissing.map(m => _PACKAGE_ALIASES.get(m) || m);
+    // Detect aliases — if the shim already covers the resolved name, no install needed
+    const aliasedFromShim = rawMissing.filter(m => {
+      const real = _PACKAGE_ALIASES.get(m);
+      return real && _SHIMMED_MODULES.has(real);
+    });
+    if (aliasedFromShim.length > 0) {
+      emit({ type: 'warn', msg: `LLM hallucinated package names: ${aliasedFromShim.join(', ')} — the runtime shim already aliases these. If you still see this crash, the shim wasn't re-generated. Restart "nha ui".` });
+    }
     const uniqueMissing = [...new Set(missingModules)].filter(m => !_SHIMMED_MODULES.has(m));
     if (uniqueMissing.length > 0 && _attempt < MAX_RETRIES) {
       emit({ type: 'phase', phase: 'autofix', msg: `Missing module${uniqueMissing.length === 1 ? '' : 's'}: ${uniqueMissing.join(', ')} — batch installing...` });
@@ -3658,6 +3670,39 @@ function _installedDeps(projectDir) {
   } catch { return new Set(); }
 }
+// Node.js built-in modules — these are part of the runtime, not npm packages.
+// `require('fs')` always works without installation. The pre-scan MUST exclude
+// these or it tries to `npm install fs` which is meaningless (or worse, picks
+// up a malicious typosquat). Authoritative list from Node 22 LTS docs.
+const _NODE_BUILTINS = new Set([
+  'assert', 'async_hooks', 'buffer', 'child_process', 'cluster', 'console',
+  'constants', 'crypto', 'dgram', 'diagnostics_channel', 'dns', 'domain',
+  'events', 'fs', 'fs/promises', 'http', 'http2', 'https', 'inspector',
+  'inspector/promises', 'module', 'net', 'os', 'path', 'path/posix',
+  'path/win32', 'perf_hooks', 'process', 'punycode', 'querystring', 'readline',
+  'readline/promises', 'repl', 'stream', 'stream/consumers', 'stream/promises',
+  'stream/web', 'string_decoder', 'sys', 'timers', 'timers/promises', 'tls',
+  'trace_events', 'tty', 'url', 'util', 'util/types', 'v8', 'vm', 'wasi',
+  'worker_threads', 'zlib',
+]);
+// Common LLM hallucinations → real package name. The LLM sometimes invents
+// shorter aliases for popular packages. We map them transparently so the
+// generated code "just works" without npm install of fake packages.
+const _PACKAGE_ALIASES = new Map([
+  ['jwt', 'jsonwebtoken'],
+  ['bcrypt', 'bcryptjs'],
+  ['mongo', 'mongoose'],
+  ['postgres', 'pg'],
+  ['postgresql', 'pg'],
+  ['mysql', 'mysql2'],
+  ['env', 'dotenv'],
+  ['util-lodash', 'lodash'],
+  ['express-cors', 'cors'],
+  ['express-helmet', 'helmet'],
+  ['express-body-parser', 'body-parser'],
+]);
 /** Walk project files and extract all bare-import module names. */
 export function _scanProjectImports(projectDir, maxFiles = 500, maxBytes = 200_000) {
   const found = new Set();
@@ -3690,9 +3735,16 @@ export function _scanProjectImports(projectDir, maxFiles = 500, maxBytes = 200_0
         let m;
         while ((m = re.exec(content)) !== null) {
           const spec = m[1];
+          // Filter 1: node:fs, node:path etc.
           if (spec.startsWith('node:')) continue;
+          // Get the bare package name (handle @scope/name and subpaths)
           const pkg = spec.startsWith('@') ? spec.split('/').slice(0, 2).join('/') : spec.split('/')[0];
-          if (pkg) found.add(pkg);
+          if (!pkg) continue;
+          // Filter 2: skip Node built-ins (fs, path, crypto, http, etc.)
+          if (_NODE_BUILTINS.has(pkg)) continue;
+          // Filter 3: resolve LLM-hallucinated aliases to real packages
+          const real = _PACKAGE_ALIASES.get(pkg) || pkg;
+          found.add(real);
         }
       }
     }
@@ -4357,12 +4409,26 @@ module.exports.default = proxy;
   // real implementation, and only falls back to our shim when resolution fails.
   // Also supports NHA_OFFLINE_SHIM=1 to no-op any unresolvable module.
   const shimList = JSON.stringify(Object.keys(shimFiles).filter(f => f !== 'noop.js').map(f => f.replace(/\.js$/, '')));
+  // ALIAS map: bare names the LLM tends to invent → real package name we shim.
+  // Must stay in sync with _PACKAGE_ALIASES in the parent module so pre-scan
+  // and runtime shim agree on what to resolve.
+  const aliasJson = JSON.stringify({
+    'bcrypt': 'bcryptjs',
+    'jwt': 'jsonwebtoken',
+    'mongo': 'mongoose',
+    'postgres': 'pg',
+    'postgresql': 'pg',
+    'env': 'dotenv',
+    'express-cors': 'cors',
+    'express-helmet': 'helmet',
+    'express-body-parser': 'body-parser',
+  });
   const shimIndex = `
 const Module = require('module');
 const path = require('path');
 const __shimDir = ${JSON.stringify(shimDir)};
 const SHIM_NAMES = new Set(${shimList});
-const ALIAS = { 'bcrypt': 'bcryptjs' };
+const ALIAS = ${aliasJson};
 const OFFLINE = process.env.NHA_OFFLINE_SHIM === '1';
 const _original = Module._resolveFilename.bind(Module);