nothumanallowed 16.0.28 → 16.0.30

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "16.0.28",
+  "version": "16.0.30",
   "description": "Local AI assistant: 80 tools (Gmail, Calendar, Drive, GitHub, Slack, browser, code, files), 38 agents, visual workflows (Studio, AWF, WebCraft). Install with `npm i -g nothumanallowed`, run with `nha ui`. Free tier built-in (Liara), no API key required. Your data stays on your PC — OAuth tokens local, no cloud. Open-source MIT.",
   "type": "module",
   "bin": {

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '16.0.28';
+export const VERSION = '16.0.30';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/server/routes/webcraft.mjs

@@ -183,21 +183,39 @@ class SandboxManager {
     }
     emit({ type: 'status', msg: `Entry point: ${entryFile}` });
 
-    // Pre-flight: validate entry file with acorn. If the file content was
-    // corrupted by a partial LLM stream (HTTP error leaked as code), quarantine
-    // it with a minimal stub so the sandbox can still boot. The user sees a
-    // clear "re-generate from chat" message instead of a SyntaxError crash.
-    const entryAbs = path.join(projectDir, entryFile);
-    if (fs.existsSync(entryAbs)) {
-      try {
-        const entryContent = fs.readFileSync(entryAbs, 'utf-8');
-        const sanitized = _sanitizeGeneratedFile(entryFile, entryContent, path.basename(projectDir));
-        if (sanitized !== entryContent) {
-          emit({ type: 'warn', msg: `Entry file ${entryFile} was corrupted (likely partial stream / HTTP error leaked into content). Auto-quarantined — re-generate from chat.` });
-          fs.writeFileSync(entryAbs + '.corrupt-' + Date.now(), entryContent, 'utf-8');
-          fs.writeFileSync(entryAbs, sanitized, 'utf-8');
-        }
-      } catch {}
+    // Pre-flight: validate ALL .js/.mjs/.cjs/.jsx files in the project with
+    // acorn. If any are corrupted (partial stream / HTTP error leaked as code),
+    // quarantine them with a minimal stub. This catches LLM stream interruptions
+    // in route handlers (routes/auth.js, routes/billing.js, etc.) — not just
+    // the entry file.
+    const repaired = [];
+    const codeExts = new Set(['.js', '.mjs', '.cjs', '.jsx']);
+    const scanSkip = new Set(['node_modules', '.git', '.nha-shims', 'dist', 'build', '.next', 'coverage']);
+    const projectBase = path.basename(projectDir);
+    const stack = [projectDir];
+    while (stack.length) {
+      const cur = stack.pop();
+      let entries;
+      try { entries = fs.readdirSync(cur, { withFileTypes: true }); } catch { continue; }
+      for (const ent of entries) {
+        if (scanSkip.has(ent.name) || ent.name.startsWith('.')) continue;
+        const abs = path.join(cur, ent.name);
+        if (ent.isDirectory()) { stack.push(abs); continue; }
+        if (!codeExts.has(path.extname(ent.name))) continue;
+        try {
+          const content = fs.readFileSync(abs, 'utf-8');
+          const relName = path.relative(projectDir, abs);
+          const sanitized = _sanitizeGeneratedFile(relName, content, projectBase);
+          if (sanitized !== content) {
+            fs.writeFileSync(abs + '.corrupt-' + Date.now(), content, 'utf-8');
+            fs.writeFileSync(abs, sanitized, 'utf-8');
+            repaired.push(relName);
+          }
+        } catch {}
+      }
+    }
+    if (repaired.length > 0) {
+      emit({ type: 'warn', msg: `Pre-flight repair: ${repaired.length} file${repaired.length === 1 ? '' : 's'} quarantined (corrupted content) → ${repaired.join(', ')}. Re-generate from chat to restore them.` });
     }
 
     // ── Phase 2: Dependencies (pre-scan + batch install) ──────────────────
@@ -330,6 +348,43 @@ class SandboxManager {
         emit({ type: 'phase', phase: 'ready', msg: `Server running on port ${port}` });
         emit({ type: 'ready', port });
       }
+      // ── HTTP probe: actually fetch GET / and report what came back ─────
+      // Tells the user IMMEDIATELY if the sandbox bound the port but serves
+      // a 404 / empty body / wrong content-type. Otherwise they see "ready"
+      // but the iframe is black/blank and can't tell why.
+      try {
+        const probeRes = await fetch(`http://127.0.0.1:${port}/`, {
+          signal: AbortSignal.timeout(5000),
+          redirect: 'manual',
+        }).catch(e => ({ _err: e.message }));
+        if (probeRes._err) {
+          emit({ type: 'warn', msg: `Probe GET /: ${probeRes._err}. The port is bound but the app doesn't respond on / — check your route handlers.` });
+        } else {
+          const ct = probeRes.headers.get('content-type') || '(none)';
+          const status = probeRes.status;
+          const body = await probeRes.text().catch(() => '');
+          const len = body.length;
+          const isHtml = /text\/html/i.test(ct);
+          const isJson = /application\/json/i.test(ct);
+          const preview = body.slice(0, 200).replace(/\s+/g, ' ').trim();
+          emit({ type: 'log', msg: `[probe] GET / → ${status} (${ct}, ${len} bytes)` });
+          if (status >= 400) {
+            emit({ type: 'warn', msg: `Probe: GET / returned ${status}. The sandbox is running but has no route for "/". Add app.get('/', ...) in your code or generate an index.html.` });
+          } else if (len === 0) {
+            emit({ type: 'warn', msg: `Probe: GET / returned empty body (${status}). The route exists but sends no response — check that you call res.send() / res.json() / res.end().` });
+          } else if (isHtml && !/<\w+/.test(body)) {
+            emit({ type: 'warn', msg: `Probe: GET / claims text/html but has no HTML tags. Preview: "${preview}". Likely a plain text leaked into the response.` });
+          } else if (isJson) {
+            emit({ type: 'status', msg: `Probe: GET / returns JSON. Browser preview will show raw JSON, not a rendered page. Consider serving an index.html with app.use(express.static('public')) or add a / route returning HTML.` });
+          } else if (isHtml) {
+            emit({ type: 'status', msg: `Probe: GET / returns HTML (${len} bytes). Iframe preview should render fine.` });
+          } else {
+            emit({ type: 'log', msg: `[probe] body preview: ${preview}` });
+          }
+        }
+      } catch (e) {
+        emit({ type: 'log', msg: `[probe] failed: ${e.message}` });
+      }
       return;
     }
 
@@ -363,10 +418,22 @@ class SandboxManager {
     // The pre-scan in Phase 2 catches most cases. Tier 1 here is the safety
     // net for files generated AFTER pre-scan (e.g. user added a require()
     // during chat) or for transitive crashes that surface only at runtime.
-    const missingModules = [...stderrBuf.matchAll(/Cannot find module ['"]([^'"]+)['"]/g)]
+    const rawMissing = [...stderrBuf.matchAll(/Cannot find module ['"]([^'"]+)['"]/g)]
       .map(m => m[1])
       .filter(m => !m.startsWith('.') && !m.startsWith('/') && !m.startsWith('node:'))
-      .map(m => m.startsWith('@') ? m.split('/').slice(0, 2).join('/') : m.split('/')[0]);
+      .map(m => m.startsWith('@') ? m.split('/').slice(0, 2).join('/') : m.split('/')[0])
+      // Drop Node.js built-ins — they're in the runtime, can't be installed
+      .filter(m => !_NODE_BUILTINS.has(m));
+    // Resolve LLM hallucinated aliases (jwt → jsonwebtoken, bcrypt → bcryptjs)
+    const missingModules = rawMissing.map(m => _PACKAGE_ALIASES.get(m) || m);
+    // Detect aliases — if the shim already covers the resolved name, no install needed
+    const aliasedFromShim = rawMissing.filter(m => {
+      const real = _PACKAGE_ALIASES.get(m);
+      return real && _SHIMMED_MODULES.has(real);
+    });
+    if (aliasedFromShim.length > 0) {
+      emit({ type: 'warn', msg: `LLM hallucinated package names: ${aliasedFromShim.join(', ')} — the runtime shim already aliases these. If you still see this crash, the shim wasn't re-generated. Restart "nha ui".` });
+    }
     const uniqueMissing = [...new Set(missingModules)].filter(m => !_SHIMMED_MODULES.has(m));
     if (uniqueMissing.length > 0 && _attempt < MAX_RETRIES) {
       emit({ type: 'phase', phase: 'autofix', msg: `Missing module${uniqueMissing.length === 1 ? '' : 's'}: ${uniqueMissing.join(', ')} — batch installing...` });
@@ -3658,6 +3725,39 @@ function _installedDeps(projectDir) {
   } catch { return new Set(); }
 }
 
+// Node.js built-in modules — these are part of the runtime, not npm packages.
+// `require('fs')` always works without installation. The pre-scan MUST exclude
+// these or it tries to `npm install fs` which is meaningless (or worse, picks
+// up a malicious typosquat). Authoritative list from Node 22 LTS docs.
+export const _NODE_BUILTINS = new Set([
+  'assert', 'async_hooks', 'buffer', 'child_process', 'cluster', 'console',
+  'constants', 'crypto', 'dgram', 'diagnostics_channel', 'dns', 'domain',
+  'events', 'fs', 'fs/promises', 'http', 'http2', 'https', 'inspector',
+  'inspector/promises', 'module', 'net', 'os', 'path', 'path/posix',
+  'path/win32', 'perf_hooks', 'process', 'punycode', 'querystring', 'readline',
+  'readline/promises', 'repl', 'stream', 'stream/consumers', 'stream/promises',
+  'stream/web', 'string_decoder', 'sys', 'timers', 'timers/promises', 'tls',
+  'trace_events', 'tty', 'url', 'util', 'util/types', 'v8', 'vm', 'wasi',
+  'worker_threads', 'zlib',
+]);
+
+// Common LLM hallucinations → real package name. The LLM sometimes invents
+// shorter aliases for popular packages. We map them transparently so the
+// generated code "just works" without npm install of fake packages.
+export const _PACKAGE_ALIASES = new Map([
+  ['jwt', 'jsonwebtoken'],
+  ['bcrypt', 'bcryptjs'],
+  ['mongo', 'mongoose'],
+  ['postgres', 'pg'],
+  ['postgresql', 'pg'],
+  ['mysql', 'mysql2'],
+  ['env', 'dotenv'],
+  ['util-lodash', 'lodash'],
+  ['express-cors', 'cors'],
+  ['express-helmet', 'helmet'],
+  ['express-body-parser', 'body-parser'],
+]);
+
 /** Walk project files and extract all bare-import module names. */
 export function _scanProjectImports(projectDir, maxFiles = 500, maxBytes = 200_000) {
   const found = new Set();
@@ -3690,9 +3790,16 @@ export function _scanProjectImports(projectDir, maxFiles = 500, maxBytes = 200_0
         let m;
         while ((m = re.exec(content)) !== null) {
           const spec = m[1];
+          // Filter 1: node:fs, node:path etc.
           if (spec.startsWith('node:')) continue;
+          // Get the bare package name (handle @scope/name and subpaths)
           const pkg = spec.startsWith('@') ? spec.split('/').slice(0, 2).join('/') : spec.split('/')[0];
-          if (pkg) found.add(pkg);
+          if (!pkg) continue;
+          // Filter 2: skip Node built-ins (fs, path, crypto, http, etc.)
+          if (_NODE_BUILTINS.has(pkg)) continue;
+          // Filter 3: resolve LLM-hallucinated aliases to real packages
+          const real = _PACKAGE_ALIASES.get(pkg) || pkg;
+          found.add(real);
         }
       }
     }
@@ -4357,12 +4464,26 @@ module.exports.default = proxy;
   // real implementation, and only falls back to our shim when resolution fails.
   // Also supports NHA_OFFLINE_SHIM=1 to no-op any unresolvable module.
   const shimList = JSON.stringify(Object.keys(shimFiles).filter(f => f !== 'noop.js').map(f => f.replace(/\.js$/, '')));
+  // ALIAS map: bare names the LLM tends to invent → real package name we shim.
+  // Must stay in sync with _PACKAGE_ALIASES in the parent module so pre-scan
+  // and runtime shim agree on what to resolve.
+  const aliasJson = JSON.stringify({
+    'bcrypt': 'bcryptjs',
+    'jwt': 'jsonwebtoken',
+    'mongo': 'mongoose',
+    'postgres': 'pg',
+    'postgresql': 'pg',
+    'env': 'dotenv',
+    'express-cors': 'cors',
+    'express-helmet': 'helmet',
+    'express-body-parser': 'body-parser',
+  });
   const shimIndex = `
 const Module = require('module');
 const path = require('path');
 const __shimDir = ${JSON.stringify(shimDir)};
 const SHIM_NAMES = new Set(${shimList});
-const ALIAS = { 'bcrypt': 'bcryptjs' };
+const ALIAS = ${aliasJson};
 const OFFLINE = process.env.NHA_OFFLINE_SHIM === '1';
 const _original = Module._resolveFilename.bind(Module);