npm - nothumanallowed - Versions diffs - 16.0.38 → 16.0.39 - Mend

nothumanallowed 16.0.38 → 16.0.39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/src/constants.mjs +1 -1
package/src/server/routes/webcraft.mjs +105 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "16.0.38",
+  "version": "16.0.39",
   "description": "Local AI assistant: 80 tools (Gmail, Calendar, Drive, GitHub, Slack, browser, code, files), 38 agents, visual workflows (Studio, AWF, WebCraft). Install with `npm i -g nothumanallowed`, run with `nha ui`. Free tier built-in (Liara), no API key required. Your data stays on your PC — OAuth tokens local, no cloud. Open-source MIT.",
   "type": "module",
   "bin": {

package/src/constants.mjs CHANGED Viewed

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
-export const VERSION = '16.0.38';
+export const VERSION = '16.0.39';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';

package/src/server/routes/webcraft.mjs CHANGED Viewed

@@ -229,6 +229,17 @@ class SandboxManager {
       }
     } catch {}
+    // Pre-flight: repair unsafe err.X / error.X access in route handlers.
+    // LLMs write `res.send(err.stack)` without null-checking err → 500 on
+    // every request when error middleware signature is wrong (3 args not 4).
+    try {
+      const errRepaired = _repairUnsafeErrAccess(projectDir);
+      if (errRepaired.length > 0) {
+        const fileList = errRepaired.slice(0, 5).map(r => `${r.file} (${r.edits} fixes)`).join(', ');
+        emit({ type: 'status', msg: `Pre-flight: null-checked ${errRepaired.reduce((s, r) => s + r.edits, 0)} unsafe err/error accesses in ${errRepaired.length} file${errRepaired.length === 1 ? '' : 's'} → ${fileList}${errRepaired.length > 5 ? '...' : ''}` });
+      }
+    } catch {}
     // ── Phase 2: Dependencies (pre-scan + batch install) ──────────────────
     // Pre-scan the project source files for require()/import statements and
     // diff against package.json + node_modules. Install everything missing in
@@ -3611,6 +3622,93 @@ function _placeholderContent(kind, refPath) {
  * Creates missing directories + empty JSON placeholders so the app can boot
  * instead of crashing with ENOENT on first write.
  */
+/**
+ * Auto-repair unsafe `err.X` and similar null-deref patterns in route handlers.
+ * The most common LLM-generated bug: error middleware that does `res.send(err.stack)`
+ * but `err` is undefined because the middleware signature is wrong (only 3 args
+ * instead of 4). Result: 500 on EVERY request including static files.
+ *
+ * Pattern fixed:
+ *   err.stack       → (err && err.stack)          if not already null-checked
+ *   err.message     → (err && err.message)        same
+ *   error.stack     → (error && error.stack)      same
+ *   error.message   → (error && error.message)    same
+ *
+ * Skips matches already guarded (`err && err.stack`, `err?.stack`, `err?.message`).
+ */
+export function _repairUnsafeErrAccess(projectDir) {
+  const repaired = [];
+  const exts = new Set(['.js', '.mjs', '.cjs']);
+  const skipDirs = new Set(['node_modules', '.git', '.nha-shims', 'dist', 'build', '.next', 'public']);
+  // Match `IDENT.PROP` where PROP is stack|message and IDENT is err|error|e.
+  // Negative lookbehind: skip if preceded by `&&`, `||`, `?.`, `(`, `:`, `,`.
+  // Use a global regex and inspect context manually.
+  const targetIdents = ['err', 'error', 'e'];
+  const targetProps = ['stack', 'message', 'code', 'statusCode', 'name'];
+  const stack = [projectDir];
+  while (stack.length) {
+    const cur = stack.pop();
+    let entries;
+    try { entries = fs.readdirSync(cur, { withFileTypes: true }); } catch { continue; }
+    for (const ent of entries) {
+      if (skipDirs.has(ent.name) || ent.name.startsWith('.')) continue;
+      const abs = path.join(cur, ent.name);
+      if (ent.isDirectory()) { stack.push(abs); continue; }
+      if (!exts.has(path.extname(ent.name))) continue;
+      let content;
+      try { content = fs.readFileSync(abs, 'utf-8'); } catch { continue; }
+      let changed = content;
+      const edits = [];
+      for (const ident of targetIdents) {
+        for (const prop of targetProps) {
+          // Match unsafe access: `ident.prop` not preceded by `&&`, `?`, `||`
+          // Use a simpler regex + manual filter for surrounding context
+          const re = new RegExp(`\\b${ident}\\.${prop}\\b`, 'g');
+          changed = changed.replace(re, (match, offset, str) => {
+            // Check context preceding this match
+            const before = str.slice(Math.max(0, offset - 40), offset);
+            // Already guarded patterns — skip
+            if (/&&\s*$/.test(before)) return match;
+            if (/\?\.$/.test(before.slice(-2))) return match;
+            if (/\?\s*$/.test(before)) return match;
+            if (/\|\|\s*$/.test(before)) return match;
+            // Inside object literal key (e.g., `{ stack: err.stack }`) is harmless
+            // when it's the value. We still wrap because the assignment crashes too.
+            // Inside a string literal — skip
+            const lineStart = str.lastIndexOf('\n', offset) + 1;
+            const lineUpTo = str.slice(lineStart, offset);
+            const singleQuotes = (lineUpTo.match(/(?<!\\)'/g) || []).length;
+            const doubleQuotes = (lineUpTo.match(/(?<!\\)"/g) || []).length;
+            const backticks = (lineUpTo.match(/(?<!\\)`/g) || []).length;
+            if (singleQuotes % 2 !== 0 || doubleQuotes % 2 !== 0 || backticks % 2 !== 0) return match;
+            // Inside a comment — skip
+            if (/\/\/[^\n]*$/.test(lineUpTo)) return match;
+            // Already inside an existing parens guard like `(err && err.stack)` — skip
+            const wider = str.slice(Math.max(0, offset - 60), offset);
+            if (new RegExp(`\\b${ident}\\s*&&\\s*$`).test(wider)) return match;
+            // Wrap in null-check
+            edits.push(`${ident}.${prop} → (${ident} && ${ident}.${prop})`);
+            return `(${ident} && ${ident}.${prop})`;
+          });
+        }
+      }
+      if (changed !== content && edits.length > 0) {
+        try {
+          fs.writeFileSync(abs + '.before-err-repair-' + Date.now(), content, 'utf-8');
+          fs.writeFileSync(abs, changed, 'utf-8');
+          const rel = path.relative(projectDir, abs).replace(/\\/g, '/');
+          repaired.push({ file: rel, edits: edits.length, samples: edits.slice(0, 3) });
+        } catch {}
+      }
+    }
+  }
+  return repaired;
+}
 export function _detectMissingDataFiles(projectDir) {
   const created = [];
   const exts = new Set(['.js', '.mjs', '.cjs', '.ts']);
@@ -3674,6 +3772,13 @@ export function autoRepairProject(projectName) {
     repairs.push({ file: f, kind: 'missing-data-file', source: 'code-reference' });
   }
+  // Phase 0.5: null-check unsafe err.X access in route handlers
+  const errFixed = _repairUnsafeErrAccess(dir);
+  for (const r of errFixed) {
+    filesRepaired.add(r.file);
+    repairs.push({ file: r.file, kind: 'unsafe-err-access', edits: r.edits });
+  }
   // Walk every HTML file in the project
   const stack = [dir];
   const skipDirs = new Set(['node_modules', '.git', '.nha-shims', 'dist', 'build', '.next']);