nothumanallowed 16.0.37 → 16.0.39

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "16.0.37",
+  "version": "16.0.39",
   "description": "Local AI assistant: 80 tools (Gmail, Calendar, Drive, GitHub, Slack, browser, code, files), 38 agents, visual workflows (Studio, AWF, WebCraft). Install with `npm i -g nothumanallowed`, run with `nha ui`. Free tier built-in (Liara), no API key required. Your data stays on your PC — OAuth tokens local, no cloud. Open-source MIT.",
   "type": "module",
   "bin": {

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '16.0.37';
+export const VERSION = '16.0.39';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/server/routes/webcraft.mjs

@@ -229,6 +229,17 @@ class SandboxManager {
       }
     } catch {}
 
+    // Pre-flight: repair unsafe err.X / error.X access in route handlers.
+    // LLMs write `res.send(err.stack)` without null-checking err → 500 on
+    // every request when error middleware signature is wrong (3 args not 4).
+    try {
+      const errRepaired = _repairUnsafeErrAccess(projectDir);
+      if (errRepaired.length > 0) {
+        const fileList = errRepaired.slice(0, 5).map(r => `${r.file} (${r.edits} fixes)`).join(', ');
+        emit({ type: 'status', msg: `Pre-flight: null-checked ${errRepaired.reduce((s, r) => s + r.edits, 0)} unsafe err/error accesses in ${errRepaired.length} file${errRepaired.length === 1 ? '' : 's'} → ${fileList}${errRepaired.length > 5 ? '...' : ''}` });
+      }
+    } catch {}
+
     // ── Phase 2: Dependencies (pre-scan + batch install) ──────────────────
     // Pre-scan the project source files for require()/import statements and
     // diff against package.json + node_modules. Install everything missing in
@@ -380,7 +391,16 @@ class SandboxManager {
           const preview = body.slice(0, 200).replace(/\s+/g, ' ').trim();
           emit({ type: 'log', msg: `[probe] GET / → ${status} (${ct}, ${len} bytes)` });
           if (status >= 400) {
-            emit({ type: 'warn', msg: `Probe: GET / returned ${status}. The sandbox is running but has no route for "/". Add app.get('/', ...) in your code or generate an index.html.` });
+            // Show the actual error body so the user knows WHAT went wrong,
+            // not just the status code. 500s from Express handlers often
+            // include the stack trace or error message in the body.
+            const bodyPreview = body.slice(0, 800).trim();
+            emit({ type: 'error', msg: `Probe: GET / returned ${status}. Response body:\n${bodyPreview}` });
+            if (status === 500) {
+              emit({ type: 'warn', msg: `500 Internal Server Error usually means the route handler threw. Common causes: missing await on async function, JSON.parse on empty file, undefined variable, DB connection failure. Check stderr logs above for the actual stack trace.` });
+            } else if (status === 404) {
+              emit({ type: 'warn', msg: `404 means no route matches "/". Add app.get('/', ...) returning HTML, or app.use(express.static('public')) if you have an index.html in public/.` });
+            }
           } else if (len === 0) {
             emit({ type: 'warn', msg: `Probe: GET / returned empty body (${status}). The route exists but sends no response — check that you call res.send() / res.json() / res.end().` });
           } else if (isHtml && !/<\w+/.test(body)) {
@@ -3602,6 +3622,93 @@ function _placeholderContent(kind, refPath) {
  * Creates missing directories + empty JSON placeholders so the app can boot
  * instead of crashing with ENOENT on first write.
  */
+/**
+ * Auto-repair unsafe `err.X` and similar null-deref patterns in route handlers.
+ * The most common LLM-generated bug: error middleware that does `res.send(err.stack)`
+ * but `err` is undefined because the middleware signature is wrong (only 3 args
+ * instead of 4). Result: 500 on EVERY request including static files.
+ *
+ * Pattern fixed:
+ *   err.stack       → (err && err.stack)          if not already null-checked
+ *   err.message     → (err && err.message)        same
+ *   error.stack     → (error && error.stack)      same
+ *   error.message   → (error && error.message)    same
+ *
+ * Skips matches already guarded (`err && err.stack`, `err?.stack`, `err?.message`).
+ */
+export function _repairUnsafeErrAccess(projectDir) {
+  const repaired = [];
+  const exts = new Set(['.js', '.mjs', '.cjs']);
+  const skipDirs = new Set(['node_modules', '.git', '.nha-shims', 'dist', 'build', '.next', 'public']);
+  // Match `IDENT.PROP` where PROP is stack|message and IDENT is err|error|e.
+  // Negative lookbehind: skip if preceded by `&&`, `||`, `?.`, `(`, `:`, `,`.
+  // Use a global regex and inspect context manually.
+  const targetIdents = ['err', 'error', 'e'];
+  const targetProps = ['stack', 'message', 'code', 'statusCode', 'name'];
+
+  const stack = [projectDir];
+  while (stack.length) {
+    const cur = stack.pop();
+    let entries;
+    try { entries = fs.readdirSync(cur, { withFileTypes: true }); } catch { continue; }
+    for (const ent of entries) {
+      if (skipDirs.has(ent.name) || ent.name.startsWith('.')) continue;
+      const abs = path.join(cur, ent.name);
+      if (ent.isDirectory()) { stack.push(abs); continue; }
+      if (!exts.has(path.extname(ent.name))) continue;
+      let content;
+      try { content = fs.readFileSync(abs, 'utf-8'); } catch { continue; }
+
+      let changed = content;
+      const edits = [];
+
+      for (const ident of targetIdents) {
+        for (const prop of targetProps) {
+          // Match unsafe access: `ident.prop` not preceded by `&&`, `?`, `||`
+          // Use a simpler regex + manual filter for surrounding context
+          const re = new RegExp(`\\b${ident}\\.${prop}\\b`, 'g');
+          changed = changed.replace(re, (match, offset, str) => {
+            // Check context preceding this match
+            const before = str.slice(Math.max(0, offset - 40), offset);
+            // Already guarded patterns — skip
+            if (/&&\s*$/.test(before)) return match;
+            if (/\?\.$/.test(before.slice(-2))) return match;
+            if (/\?\s*$/.test(before)) return match;
+            if (/\|\|\s*$/.test(before)) return match;
+            // Inside object literal key (e.g., `{ stack: err.stack }`) is harmless
+            // when it's the value. We still wrap because the assignment crashes too.
+            // Inside a string literal — skip
+            const lineStart = str.lastIndexOf('\n', offset) + 1;
+            const lineUpTo = str.slice(lineStart, offset);
+            const singleQuotes = (lineUpTo.match(/(?<!\\)'/g) || []).length;
+            const doubleQuotes = (lineUpTo.match(/(?<!\\)"/g) || []).length;
+            const backticks = (lineUpTo.match(/(?<!\\)`/g) || []).length;
+            if (singleQuotes % 2 !== 0 || doubleQuotes % 2 !== 0 || backticks % 2 !== 0) return match;
+            // Inside a comment — skip
+            if (/\/\/[^\n]*$/.test(lineUpTo)) return match;
+            // Already inside an existing parens guard like `(err && err.stack)` — skip
+            const wider = str.slice(Math.max(0, offset - 60), offset);
+            if (new RegExp(`\\b${ident}\\s*&&\\s*$`).test(wider)) return match;
+            // Wrap in null-check
+            edits.push(`${ident}.${prop} → (${ident} && ${ident}.${prop})`);
+            return `(${ident} && ${ident}.${prop})`;
+          });
+        }
+      }
+
+      if (changed !== content && edits.length > 0) {
+        try {
+          fs.writeFileSync(abs + '.before-err-repair-' + Date.now(), content, 'utf-8');
+          fs.writeFileSync(abs, changed, 'utf-8');
+          const rel = path.relative(projectDir, abs).replace(/\\/g, '/');
+          repaired.push({ file: rel, edits: edits.length, samples: edits.slice(0, 3) });
+        } catch {}
+      }
+    }
+  }
+  return repaired;
+}
+
 export function _detectMissingDataFiles(projectDir) {
   const created = [];
   const exts = new Set(['.js', '.mjs', '.cjs', '.ts']);
@@ -3665,6 +3772,13 @@ export function autoRepairProject(projectName) {
     repairs.push({ file: f, kind: 'missing-data-file', source: 'code-reference' });
   }
 
+  // Phase 0.5: null-check unsafe err.X access in route handlers
+  const errFixed = _repairUnsafeErrAccess(dir);
+  for (const r of errFixed) {
+    filesRepaired.add(r.file);
+    repairs.push({ file: r.file, kind: 'unsafe-err-access', edits: r.edits });
+  }
+
   // Walk every HTML file in the project
   const stack = [dir];
   const skipDirs = new Set(['node_modules', '.git', '.nha-shims', 'dist', 'build', '.next']);