nothumanallowed 16.0.49 → 16.0.51

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "16.0.49",
+  "version": "16.0.51",
   "description": "Local AI assistant: 80 tools (Gmail, Calendar, Drive, GitHub, Slack, browser, code, files), 38 agents, visual workflows (Studio, AWF, WebCraft). Install with `npm i -g nothumanallowed`, run with `nha ui`. Free tier built-in (Liara), no API key required. Your data stays on your PC — OAuth tokens local, no cloud. Open-source MIT.",
   "type": "module",
   "bin": {

package/src/commands/ask.mjs

@@ -182,11 +182,11 @@ export async function cmdAsk(args) {
     const callFn = getProviderCall(provider);
     if (!callFn) {
       fail(`Unknown provider: ${provider}`);
-      info('Supported: anthropic, openai, gemini, deepseek, grok, mistral, cohere');
+      info('Supported: anthropic, openai, gemini, deepseek, grok, mistral, cohere, openrouter');
       process.exit(1);
     }
 
-    const useStream = stream && (provider === 'anthropic' || provider === 'openai' || provider === 'deepseek' || provider === 'grok' || provider === 'mistral');
+    const useStream = stream && (provider === 'anthropic' || provider === 'openai' || provider === 'deepseek' || provider === 'grok' || provider === 'mistral' || provider === 'openrouter');
     const result = await callFn(apiKey, model, systemPrompt, userMessage, useStream);
 
     if (!useStream && result) {

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '16.0.49';
+export const VERSION = '16.0.51';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/server/routes/webcraft.mjs

@@ -1373,9 +1373,11 @@ RULES:
     return `Error: unknown tool ${toolName}`;
   }
 
-  // Try native tool calling first (Anthropic, OpenAI)
+  // Try native tool calling first. Providers that support OpenAI-style native
+  // tool_use: Anthropic, OpenAI, and OpenRouter (which proxies to Claude/GPT/etc.
+  // with the same OpenAI-compatible schema).
   const provider = config.llm?.provider || 'anthropic';
-  const useNativeTools = provider === 'anthropic' || provider === 'openai';
+  const useNativeTools = provider === 'anthropic' || provider === 'openai' || provider === 'openrouter';
 
   if (useNativeTools) {
     const systemPrompt = buildSystemPrompt();
@@ -4330,19 +4332,30 @@ OUTPUT: ONLY the complete extended CSS file content. No markdown fences, no expl
     `- Hover/focus/transition states for buttons, links, cards\n` +
     `- Color contrast must pass WCAG AA: text-on-bg >= 4.5:1`;
 
-  if (emit) emit({ type: 'status', msg: `CSS coverage ${(analysis.coverage * 100).toFixed(0)}% (${analysis.missing.length} selectors missing). Auto-extending ${targetRel} via LLM (timeout 60s)...` });
+  const provider = config?.llm?.provider || 'unknown';
+  const model = config?.llm?.model || config?.llm?.[provider]?.model || 'default';
+  if (emit) emit({ type: 'status', msg: `CSS coverage ${(analysis.coverage * 100).toFixed(0)}% (${analysis.missing.length} selectors missing). Auto-extending ${targetRel} via ${provider}:${model} (timeout 60s)...` });
 
-  // Call LLM with timeout + progress heartbeat. Otherwise a slow/stuck Liara
-  // leaves the user staring at "Auto-extending..." forever with no feedback.
+  // Call LLM with timeout + progress heartbeat + early warning when no bytes arrive.
+  // Different providers have different latencies: Claude is fast (~5-15s),
+  // OpenAI similar, Liara/Qwen3 can be 20-40s under load, Gemini sometimes
+  // stuck on long prompts. Adapt max_tokens to 4096 (down from 8192) to keep
+  // Liara responsive.
   let body = '';
   let lastChunkAt = Date.now();
   const startedAt = Date.now();
   const timeoutMs = 60_000;
+  let earlyWarningEmitted = false;
   const heartbeatInterval = setInterval(() => {
     if (!emit) return;
     const elapsed = ((Date.now() - startedAt) / 1000).toFixed(0);
     const sinceLast = ((Date.now() - lastChunkAt) / 1000).toFixed(0);
     emit({ type: 'status', msg: `LLM extend: ${elapsed}s elapsed, ${body.length} bytes received (${sinceLast}s since last chunk)` });
+    // Early warning if no bytes at all after 15s — provider is likely stuck or rate-limited
+    if (!earlyWarningEmitted && body.length === 0 && Date.now() - startedAt > 15_000) {
+      earlyWarningEmitted = true;
+      emit({ type: 'warn', msg: `Provider ${provider} hasn't sent any data in 15s. If this is Liara, the free tier may be under load — try switching to Anthropic/OpenAI in Settings, or check your API key.` });
+    }
   }, 5_000);
 
   try {
@@ -4350,13 +4363,19 @@ OUTPUT: ONLY the complete extended CSS file content. No markdown fences, no expl
       callLLMStream(config, sys, user, (chunk) => {
         body += chunk;
         lastChunkAt = Date.now();
-      }, { max_tokens: 8192 }),
-      new Promise((_, reject) => setTimeout(() => reject(new Error('LLM timeout after ' + (timeoutMs / 1000) + 's')), timeoutMs)),
+      }, { max_tokens: 4096 }),
+      new Promise((_, reject) => setTimeout(() => reject(new Error('LLM timeout after ' + (timeoutMs / 1000) + 's — provider ' + provider + ' did not respond')), timeoutMs)),
     ]);
   } catch (e) {
     clearInterval(heartbeatInterval);
-    if (emit) emit({ type: 'warn', msg: `CSS extend failed: ${(e.message || e).slice(0, 200)}. Sandbox continues with current CSS — open chat to extend manually.` });
-    return { extended: false, reason: 'llm_failed', error: e.message, partialBytes: body.length };
+    const errMsg = (e.message || String(e)).slice(0, 200);
+    if (emit) {
+      emit({ type: 'warn', msg: `CSS extend failed: ${errMsg}` });
+      if (errMsg.includes('timeout') || body.length === 0) {
+        emit({ type: 'warn', msg: `Provider ${provider} unresponsive. Open NHA Settings and switch to a different provider (Anthropic Claude is fastest), or check that your API key is valid. Sandbox continues with current CSS.` });
+      }
+    }
+    return { extended: false, reason: 'llm_failed', error: errMsg, partialBytes: body.length };
   }
   clearInterval(heartbeatInterval);
 
@@ -5038,6 +5057,7 @@ export const _SHIMMED_MODULES = new Set([
   'dotenv', 'cors', 'morgan', 'body-parser', 'cookie-parser',
   'compression', 'express-rate-limit', 'jsonwebtoken', 'bcryptjs', 'bcrypt',
   'uuid', 'lodash', 'debug', 'chalk', 'multer', 'axios', 'express',
+  'marked', 'markdown-it',
 ]);
 
 /** Read declared dependencies from package.json (deps + devDeps + peer). */
@@ -5165,9 +5185,16 @@ export function _classifyInstallError(err) {
     return { reason: 'offline (npm registry unreachable)', offlineFallback: true,
       hint: 'Check VM network bridge/NAT, DNS, or corporate proxy (HTTP_PROXY/HTTPS_PROXY). Activating shim fallback.' };
   }
-  if (/e404|notarget|not found in the npm registry/.test(msg)) {
+  // Distinguish "true E404" (package doesn't exist) from "offline cache miss"
+  // (--prefer-offline can produce 404-looking errors when registry is unreachable).
+  // True E404 also mentions "not in registry"; cache miss mentions "not in cache" or "ENETUNREACH".
+  if (/not in.*(cache|local)|ENETUNREACH|prefer.?offline.*not.*found/i.test(msg)) {
+    return { reason: 'offline cache miss (registry not reached, package not cached)', offlineFallback: true,
+      hint: 'npm --prefer-offline could not find the package in local cache and registry is unreachable. Activating shim fallback.' };
+  }
+  if (/e404|"npm error code e404"|notarget|404 not found|not found in the npm registry|package.*does not exist/i.test(msg)) {
     return { reason: 'package does not exist on npm', offlineFallback: false,
-      hint: 'The package name from the LLM-generated code is likely a hallucination. Tier 2 LLM-rewrite will rename it.' };
+      hint: 'The package name from the LLM-generated code is likely a hallucination, or you are offline. Tier 2 LLM-rewrite will rename it, or shim layer will take over if available.' };
   }
   if (/eacces|eperm|permission denied/.test(msg)) {
     return { reason: 'permissions denied', offlineFallback: false,
@@ -5843,6 +5870,74 @@ express.static = function (root, opts) {
 express.Router = function () { const r = createApp(); return r; };
 module.exports = express;
 module.exports.default = express;
+`;
+
+  // marked — minimal Markdown → HTML parser. Real `marked` is 200KB+ but we
+  // only need basic parsing. Covers: headings, bold/italic, links, code blocks,
+  // lists, paragraphs, line breaks. Good enough for blog-style content.
+  const markedShim = `
+function escapeHtml(s) {
+  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+}
+function parseMarkdown(md) {
+  if (!md) return '';
+  let html = String(md);
+  // Code blocks (must come first)
+  html = html.replace(/\\\`\\\`\\\`(\\\\w+)?\\n([\\s\\S]*?)\\n\\\`\\\`\\\`/g, (_, lang, code) => '<pre><code' + (lang ? ' class="language-' + lang + '"' : '') + '>' + escapeHtml(code) + '</code></pre>');
+  // Inline code
+  html = html.replace(/\\\`([^\\\`\\n]+)\\\`/g, '<code>$1</code>');
+  // Headings
+  html = html.replace(/^######\\s+(.+)$/gm, '<h6>$1</h6>');
+  html = html.replace(/^#####\\s+(.+)$/gm, '<h5>$1</h5>');
+  html = html.replace(/^####\\s+(.+)$/gm, '<h4>$1</h4>');
+  html = html.replace(/^###\\s+(.+)$/gm, '<h3>$1</h3>');
+  html = html.replace(/^##\\s+(.+)$/gm, '<h2>$1</h2>');
+  html = html.replace(/^#\\s+(.+)$/gm, '<h1>$1</h1>');
+  // Bold + italic
+  html = html.replace(/\\*\\*\\*([^*]+)\\*\\*\\*/g, '<strong><em>$1</em></strong>');
+  html = html.replace(/\\*\\*([^*]+)\\*\\*/g, '<strong>$1</strong>');
+  html = html.replace(/\\*([^*]+)\\*/g, '<em>$1</em>');
+  html = html.replace(/__([^_]+)__/g, '<strong>$1</strong>');
+  html = html.replace(/_([^_]+)_/g, '<em>$1</em>');
+  // Links + images
+  html = html.replace(/!\\[([^\\]]*)\\]\\(([^)]+)\\)/g, '<img src="$2" alt="$1">');
+  html = html.replace(/\\[([^\\]]+)\\]\\(([^)]+)\\)/g, '<a href="$2">$1</a>');
+  // Blockquotes
+  html = html.replace(/^>\\s+(.+)$/gm, '<blockquote>$1</blockquote>');
+  // Horizontal rules
+  html = html.replace(/^---+$/gm, '<hr>');
+  // Lists (simple)
+  html = html.replace(/^[\\*\\-]\\s+(.+)$/gm, '<li>$1</li>');
+  html = html.replace(/(<li>[\\s\\S]*?<\\/li>\\n?)+/g, (m) => '<ul>' + m.replace(/\\n/g, '') + '</ul>');
+  html = html.replace(/^\\d+\\.\\s+(.+)$/gm, '<li>$1</li>');
+  // Paragraphs (lines not in other elements)
+  const lines = html.split(/\\n\\n+/);
+  html = lines.map(line => {
+    line = line.trim();
+    if (!line) return '';
+    if (/^<(h[1-6]|ul|ol|pre|blockquote|hr|p|div)/.test(line)) return line;
+    return '<p>' + line + '</p>';
+  }).join('\\n');
+  return html;
+}
+function marked(md, opts) {
+  return parseMarkdown(md);
+}
+marked.parse = parseMarkdown;
+marked.setOptions = function () { return marked; };
+marked.use = function () { return marked; };
+marked.Renderer = function () {};
+marked.parseInline = function (md) {
+  let html = String(md || '');
+  html = html.replace(/\\*\\*([^*]+)\\*\\*/g, '<strong>$1</strong>');
+  html = html.replace(/\\*([^*]+)\\*/g, '<em>$1</em>');
+  html = html.replace(/\\\`([^\\\`]+)\\\`/g, '<code>$1</code>');
+  html = html.replace(/\\[([^\\]]+)\\]\\(([^)]+)\\)/g, '<a href="$2">$1</a>');
+  return html;
+};
+module.exports = marked;
+module.exports.marked = marked;
+module.exports.default = marked;
 `;
 
   // axios — minimal fetch-based replacement
@@ -5920,6 +6015,8 @@ module.exports.default = proxy;
     'multer.js': multerShim,
     'axios.js': axiosShim,
     'express.js': expressShim,
+    'marked.js': markedShim,
+    'markdown-it.js': markedShim,
     'noop.js': noopShim,
   };
   for (const [name, content] of Object.entries(shimFiles)) {

package/src/services/llm.mjs

@@ -563,6 +563,44 @@ export async function callGrok(apiKey, model, systemPrompt, userMessage, stream
   return data.choices?.[0]?.message?.content || '';
 }
 
+/**
+ * OpenRouter — aggregator that exposes 100+ models (Claude, GPT, Gemini,
+ * Mistral, Llama, Qwen, DeepSeek, etc.) via a single OpenAI-compatible API.
+ * Endpoint: https://openrouter.ai/api/v1/chat/completions
+ * Model names: "anthropic/claude-sonnet-4.5", "openai/gpt-4o", "google/gemini-2.5-pro"...
+ */
+export async function callOpenRouter(apiKey, model, systemPrompt, userMessage, stream = false, opts = {}) {
+  const body = {
+    model: model || 'anthropic/claude-sonnet-4.5',
+    max_tokens: opts.max_tokens || 8192,
+    messages: [
+      { role: 'system', content: systemPrompt },
+      ..._openaiHistory(opts),
+      { role: 'user', content: userMessage },
+    ],
+    stream,
+  };
+  if (opts.temperature !== undefined) body.temperature = opts.temperature;
+  const res = await fetch('https://openrouter.ai/api/v1/chat/completions', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Authorization': `Bearer ${apiKey}`,
+      // OpenRouter recommends these for proper attribution + ranking
+      'HTTP-Referer': 'https://nothumanallowed.com',
+      'X-Title': 'NotHumanAllowed CLI',
+    },
+    body: JSON.stringify(body),
+  });
+  if (!res.ok) {
+    const err = await res.text();
+    throw new Error(`OpenRouter ${res.status}: ${err}`);
+  }
+  if (stream) return streamSSE(res, 'openai');
+  const data = await res.json();
+  return data.choices?.[0]?.message?.content || '';
+}
+
 export async function callMistral(apiKey, model, systemPrompt, userMessage, stream = false, opts = {}) {
   const body = {
     model: model || 'mistral-large-latest',
@@ -753,6 +791,7 @@ const PROVIDERS = {
   grok: callGrok,
   mistral: callMistral,
   cohere: callCohere,
+  openrouter: callOpenRouter,
 };
 
 export function getProviderCall(provider) {
@@ -788,6 +827,12 @@ export async function callLLMWithTools(config, systemPrompt, messages, tools, on
     return _callOpenAIWithTools(apiKey, model, systemPrompt, messages, tools, onText, onToolCall, opts);
   }
 
+  // OpenRouter — uses OpenAI-compatible function calling schema. We reuse the
+  // OpenAI tool-call implementation but point to OpenRouter's endpoint.
+  if (provider === 'openrouter') {
+    return _callOpenAIWithTools(apiKey, model || 'anthropic/claude-sonnet-4.5', systemPrompt, messages, tools, onText, onToolCall, { ...opts, baseUrl: 'https://openrouter.ai/api/v1', referer: 'https://nothumanallowed.com', xTitle: 'NotHumanAllowed CLI' });
+  }
+
   // Other providers: fallback to text-based tool calling (old system)
   // The caller should handle this by checking the return value
   return null;
@@ -972,12 +1017,17 @@ async function _callOpenAIWithTools(apiKey, model, systemPrompt, messages, tools
       stream: true,
     };
 
-    const res = await fetch('https://api.openai.com/v1/chat/completions', {
+    // Support baseUrl override so OpenRouter (OpenAI-compatible) can reuse this loop.
+    const endpoint = (opts.baseUrl || 'https://api.openai.com/v1') + '/chat/completions';
+    const headers = { 'Content-Type': 'application/json', 'Authorization': `Bearer ${apiKey}` };
+    if (opts.referer) headers['HTTP-Referer'] = opts.referer;
+    if (opts.xTitle) headers['X-Title'] = opts.xTitle;
+    const res = await fetch(endpoint, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${apiKey}` },
+      headers,
       body: JSON.stringify(body),
     });
-    if (!res.ok) { const err = await res.text(); throw new Error(`OpenAI ${res.status}: ${err}`); }
+    if (!res.ok) { const err = await res.text(); throw new Error(`${opts.baseUrl ? 'OpenRouter' : 'OpenAI'} ${res.status}: ${err}`); }
 
     const reader = res.body.getReader();
     const dec = new TextDecoder();
@@ -1053,6 +1103,7 @@ export function getApiKey(config, provider) {
     grok: config.llm.grokKey || config.llm.apiKey,
     mistral: config.llm.mistralKey || config.llm.apiKey,
     cohere: config.llm.cohereKey || config.llm.apiKey,
+    openrouter: config.llm.openrouterKey || config.llm.openrouter_key || config.llm.apiKey,
   };
   return keyMap[provider] || config.llm.apiKey;
 }