nothumanallowed 16.0.29 → 16.0.30

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "16.0.29",
+  "version": "16.0.30",
   "description": "Local AI assistant: 80 tools (Gmail, Calendar, Drive, GitHub, Slack, browser, code, files), 38 agents, visual workflows (Studio, AWF, WebCraft). Install with `npm i -g nothumanallowed`, run with `nha ui`. Free tier built-in (Liara), no API key required. Your data stays on your PC — OAuth tokens local, no cloud. Open-source MIT.",
   "type": "module",
   "bin": {

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '16.0.29';
+export const VERSION = '16.0.30';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/server/routes/webcraft.mjs

@@ -183,21 +183,39 @@ class SandboxManager {
     }
     emit({ type: 'status', msg: `Entry point: ${entryFile}` });
 
-    // Pre-flight: validate entry file with acorn. If the file content was
-    // corrupted by a partial LLM stream (HTTP error leaked as code), quarantine
-    // it with a minimal stub so the sandbox can still boot. The user sees a
-    // clear "re-generate from chat" message instead of a SyntaxError crash.
-    const entryAbs = path.join(projectDir, entryFile);
-    if (fs.existsSync(entryAbs)) {
-      try {
-        const entryContent = fs.readFileSync(entryAbs, 'utf-8');
-        const sanitized = _sanitizeGeneratedFile(entryFile, entryContent, path.basename(projectDir));
-        if (sanitized !== entryContent) {
-          emit({ type: 'warn', msg: `Entry file ${entryFile} was corrupted (likely partial stream / HTTP error leaked into content). Auto-quarantined — re-generate from chat.` });
-          fs.writeFileSync(entryAbs + '.corrupt-' + Date.now(), entryContent, 'utf-8');
-          fs.writeFileSync(entryAbs, sanitized, 'utf-8');
-        }
-      } catch {}
+    // Pre-flight: validate ALL .js/.mjs/.cjs/.jsx files in the project with
+    // acorn. If any are corrupted (partial stream / HTTP error leaked as code),
+    // quarantine them with a minimal stub. This catches LLM stream interruptions
+    // in route handlers (routes/auth.js, routes/billing.js, etc.) — not just
+    // the entry file.
+    const repaired = [];
+    const codeExts = new Set(['.js', '.mjs', '.cjs', '.jsx']);
+    const scanSkip = new Set(['node_modules', '.git', '.nha-shims', 'dist', 'build', '.next', 'coverage']);
+    const projectBase = path.basename(projectDir);
+    const stack = [projectDir];
+    while (stack.length) {
+      const cur = stack.pop();
+      let entries;
+      try { entries = fs.readdirSync(cur, { withFileTypes: true }); } catch { continue; }
+      for (const ent of entries) {
+        if (scanSkip.has(ent.name) || ent.name.startsWith('.')) continue;
+        const abs = path.join(cur, ent.name);
+        if (ent.isDirectory()) { stack.push(abs); continue; }
+        if (!codeExts.has(path.extname(ent.name))) continue;
+        try {
+          const content = fs.readFileSync(abs, 'utf-8');
+          const relName = path.relative(projectDir, abs);
+          const sanitized = _sanitizeGeneratedFile(relName, content, projectBase);
+          if (sanitized !== content) {
+            fs.writeFileSync(abs + '.corrupt-' + Date.now(), content, 'utf-8');
+            fs.writeFileSync(abs, sanitized, 'utf-8');
+            repaired.push(relName);
+          }
+        } catch {}
+      }
+    }
+    if (repaired.length > 0) {
+      emit({ type: 'warn', msg: `Pre-flight repair: ${repaired.length} file${repaired.length === 1 ? '' : 's'} quarantined (corrupted content) → ${repaired.join(', ')}. Re-generate from chat to restore them.` });
     }
 
     // ── Phase 2: Dependencies (pre-scan + batch install) ──────────────────
@@ -330,6 +348,43 @@ class SandboxManager {
         emit({ type: 'phase', phase: 'ready', msg: `Server running on port ${port}` });
         emit({ type: 'ready', port });
       }
+      // ── HTTP probe: actually fetch GET / and report what came back ─────
+      // Tells the user IMMEDIATELY if the sandbox bound the port but serves
+      // a 404 / empty body / wrong content-type. Otherwise they see "ready"
+      // but the iframe is black/blank and can't tell why.
+      try {
+        const probeRes = await fetch(`http://127.0.0.1:${port}/`, {
+          signal: AbortSignal.timeout(5000),
+          redirect: 'manual',
+        }).catch(e => ({ _err: e.message }));
+        if (probeRes._err) {
+          emit({ type: 'warn', msg: `Probe GET /: ${probeRes._err}. The port is bound but the app doesn't respond on / — check your route handlers.` });
+        } else {
+          const ct = probeRes.headers.get('content-type') || '(none)';
+          const status = probeRes.status;
+          const body = await probeRes.text().catch(() => '');
+          const len = body.length;
+          const isHtml = /text\/html/i.test(ct);
+          const isJson = /application\/json/i.test(ct);
+          const preview = body.slice(0, 200).replace(/\s+/g, ' ').trim();
+          emit({ type: 'log', msg: `[probe] GET / → ${status} (${ct}, ${len} bytes)` });
+          if (status >= 400) {
+            emit({ type: 'warn', msg: `Probe: GET / returned ${status}. The sandbox is running but has no route for "/". Add app.get('/', ...) in your code or generate an index.html.` });
+          } else if (len === 0) {
+            emit({ type: 'warn', msg: `Probe: GET / returned empty body (${status}). The route exists but sends no response — check that you call res.send() / res.json() / res.end().` });
+          } else if (isHtml && !/<\w+/.test(body)) {
+            emit({ type: 'warn', msg: `Probe: GET / claims text/html but has no HTML tags. Preview: "${preview}". Likely a plain text leaked into the response.` });
+          } else if (isJson) {
+            emit({ type: 'status', msg: `Probe: GET / returns JSON. Browser preview will show raw JSON, not a rendered page. Consider serving an index.html with app.use(express.static('public')) or add a / route returning HTML.` });
+          } else if (isHtml) {
+            emit({ type: 'status', msg: `Probe: GET / returns HTML (${len} bytes). Iframe preview should render fine.` });
+          } else {
+            emit({ type: 'log', msg: `[probe] body preview: ${preview}` });
+          }
+        }
+      } catch (e) {
+        emit({ type: 'log', msg: `[probe] failed: ${e.message}` });
+      }
       return;
     }
 
@@ -3674,7 +3729,7 @@ function _installedDeps(projectDir) {
 // `require('fs')` always works without installation. The pre-scan MUST exclude
 // these or it tries to `npm install fs` which is meaningless (or worse, picks
 // up a malicious typosquat). Authoritative list from Node 22 LTS docs.
-const _NODE_BUILTINS = new Set([
+export const _NODE_BUILTINS = new Set([
   'assert', 'async_hooks', 'buffer', 'child_process', 'cluster', 'console',
   'constants', 'crypto', 'dgram', 'diagnostics_channel', 'dns', 'domain',
   'events', 'fs', 'fs/promises', 'http', 'http2', 'https', 'inspector',
@@ -3689,7 +3744,7 @@ const _NODE_BUILTINS = new Set([
 // Common LLM hallucinations → real package name. The LLM sometimes invents
 // shorter aliases for popular packages. We map them transparently so the
 // generated code "just works" without npm install of fake packages.
-const _PACKAGE_ALIASES = new Map([
+export const _PACKAGE_ALIASES = new Map([
   ['jwt', 'jsonwebtoken'],
   ['bcrypt', 'bcryptjs'],
   ['mongo', 'mongoose'],