nothumanallowed 16.0.56 → 16.0.58

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "16.0.56",
+  "version": "16.0.58",
   "description": "Local AI assistant: 80 tools (Gmail, Calendar, Drive, GitHub, Slack, browser, code, files), 38 agents, visual workflows (Studio, AWF, WebCraft). Install with `npm i -g nothumanallowed`, run with `nha ui`. Free tier built-in (Liara), no API key required. Your data stays on your PC — OAuth tokens local, no cloud. Open-source MIT.",
   "type": "module",
   "bin": {

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '16.0.56';
+export const VERSION = '16.0.58';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/server/routes/webcraft.mjs

@@ -4334,27 +4334,36 @@ export async function _autoExtendStylesIfNeeded(projectName, config, emit, opts)
     } catch {}
   }
 
-  const sys = `You are an expert frontend designer producing PRODUCTION-QUALITY CSS.
+  // APPEND mode (16.0.57): output ONLY the new rules — server appends to
+  // existing file. Prevents monotonic regression (LLM truncating + losing
+  // existing rules) and dramatically reduces output token cost.
+  const sys = `You are an expert frontend designer. Generate ONLY new CSS rules to ADD to an existing stylesheet.
 
-DESIGN REQUIREMENTS (NON-NEGOTIABLE):
-- WCAG AA contrast: text-on-background ratio >= 4.5:1. NO washed-out pastels for text. Body text must be near-black on light bg, or near-white on dark bg.
-- Use VIBRANT accent colors with sufficient saturation (HSL S >= 60%, L between 35-65% for accents).
-- Cover EVERY selector listed — including footer, header, nav, hero, sections, cards, buttons, forms, modals, tooltips.
-- Use modern CSS: flex/grid layouts, custom properties for colors, smooth transitions (200-300ms), subtle shadows.
-
-OUTPUT: ONLY the complete extended CSS file content. No markdown fences, no explanations, no preamble. The output will be written directly to disk.`;
+CRITICAL RULES:
+- Output ONLY the new CSS rules — do NOT repeat any existing rules.
+- Do NOT output markdown fences, explanations, or comments about what you're doing.
+- The output will be APPENDED to an existing CSS file. Do not include @import, @charset, or any preamble.
+- Generate at least one rule for EVERY listed missing selector.
+
+DESIGN REQUIREMENTS:
+- WCAG AA contrast: text-on-bg ratio >= 4.5:1. NO washed-out pastels for text.
+- Vibrant accent colors (HSL S >= 60%, L 35-65%).
+- Match the existing CSS's design language (look at the colors/spacing in the existing rules).
+- Include responsive breakpoints (768px, 480px) where layout matters.
+- Hover/focus/transition states for interactive elements.`;
+  // Pick a sample of missing selectors that fits in token budget. We cap at
+  // 200 to keep one pass reasonable; remaining are picked up by next pass.
+  const passSelectors = analysis.missing.slice(0, 200);
   const user =
-    `Extend this CSS file: \`${targetRel}\`\n\n` +
-    `Current CSS (${target.size} bytes, ${analysis.cssRuleCount} rules):\n\`\`\`css\n${target.content.slice(0, 6000)}\n\`\`\`\n\n` +
-    `ALL missing selectors (${analysis.missing.length} — cover every single one):\n${analysis.missing.join(', ')}\n\n` +
-    `HTML files for context:\n${htmlSample}\n\n` +
-    `Output the COMPLETE extended CSS file. Required additions:\n` +
+    `Existing CSS file: \`${targetRel}\` (${target.size} bytes, ${analysis.cssRuleCount} rules).\n\n` +
+    `Sample of existing rules (for design-language reference — DO NOT repeat in output):\n\`\`\`css\n${target.content.slice(0, 3000)}\n\`\`\`\n\n` +
+    `HTML context (snippet, for layout reference):\n${htmlSample.slice(0, 2500)}\n\n` +
+    `Generate NEW CSS rules that cover these ${passSelectors.length} currently-uncovered selectors (out of ${analysis.missing.length} total):\n${passSelectors.join(', ')}\n\n` +
+    `Output ONLY the new rules. Required additions if not already in existing CSS:\n` +
     `- img { max-width: 100%; height: auto; object-fit: cover; display: block; }\n` +
-    `- Footer, header, nav with proper layout and visible styling (NOT transparent backgrounds with low-contrast text)\n` +
-    `- Rules for EVERY one of the ${analysis.missing.length} missing selectors above\n` +
-    `- Responsive breakpoints at 1024px, 768px, 480px (mobile-first)\n` +
-    `- Hover/focus/transition states for buttons, links, cards\n` +
-    `- Color contrast must pass WCAG AA: text-on-bg >= 4.5:1`;
+    `- footer { padding: 32px 16px; background: ...; color: ...; } (or similar — with visible contrast)\n` +
+    `- Responsive @media queries at 768px and 480px for grid/flex sections.\n` +
+    `Begin your output directly with the first CSS rule. No preamble.`;
 
   const provider = config?.llm?.provider || 'unknown';
   const model = config?.llm?.model || config?.llm?.[provider]?.model || 'default';
@@ -4374,23 +4383,30 @@ OUTPUT: ONLY the complete extended CSS file content. No markdown fences, no expl
   let aborted = false;
   const abortController = new AbortController();
 
+  // Track byte velocity for an informative heartbeat: show b/s instead of
+  // misleading "0s since last chunk" (which is almost always 0 when streaming).
+  let prevBytes = 0;
+  let prevHeartbeatAt = startedAt;
   const heartbeatInterval = setInterval(() => {
     if (!emit) return;
-    const elapsed = ((Date.now() - startedAt) / 1000).toFixed(0);
-    const sinceLast = ((Date.now() - lastChunkAt) / 1000).toFixed(0);
-    emit({ type: 'status', msg: `LLM extend: ${elapsed}s elapsed, ${body.length} bytes received (${sinceLast}s since last chunk)` });
-    if (!earlyWarningEmitted && body.length === 0 && Date.now() - startedAt > 15_000) {
+    const now = Date.now();
+    const elapsed = ((now - startedAt) / 1000).toFixed(0);
+    const bytesPerSec = Math.round((body.length - prevBytes) / Math.max(1, (now - prevHeartbeatAt) / 1000));
+    prevBytes = body.length;
+    prevHeartbeatAt = now;
+    emit({ type: 'status', msg: `LLM extend: ${elapsed}s elapsed, ${body.length} bytes received (${bytesPerSec} b/s)` });
+    if (!earlyWarningEmitted && body.length === 0 && now - startedAt > 15_000) {
       earlyWarningEmitted = true;
       emit({ type: 'warn', msg: `Provider ${provider} hasn't sent any data in 15s. If this is Liara, the free tier may be under load — try switching to Anthropic/OpenAI in Settings.` });
     }
     // No-progress timeout: only if STUCK (zero chunks for 30s)
-    if (Date.now() - lastChunkAt > noProgressTimeoutMs && body.length > 0) {
+    if (now - lastChunkAt > noProgressTimeoutMs && body.length > 0) {
       timedOut = true;
       aborted = true;
       abortController.abort();
     }
     // Absolute timeout
-    if (Date.now() - startedAt > absoluteTimeoutMs) {
+    if (now - startedAt > absoluteTimeoutMs) {
       timedOut = true;
       aborted = true;
       abortController.abort();
@@ -4418,30 +4434,47 @@ OUTPUT: ONLY the complete extended CSS file content. No markdown fences, no expl
   }
   clearInterval(heartbeatInterval);
 
-  // Strip markdown fences
+  // Strip markdown fences from the appended rules (LLM sometimes adds them)
   body = body.replace(/^```[a-zA-Z]*\n?/m, '').replace(/\n?```\s*$/m, '').trim();
-  if (_looksLikeLLMError(body) || body.length < target.size * 0.5) {
-    if (emit) emit({ type: 'warn', msg: `CSS extend produced suspicious output (${body.length} bytes vs ${target.size} original) — keeping original.` });
+  if (_looksLikeLLMError(body) || body.length < 200) {
+    if (emit) emit({ type: 'warn', msg: `CSS extend produced suspicious output (${body.length} bytes of new rules) — keeping original.` });
     return { extended: false, reason: 'output_too_short_or_error' };
   }
 
-  // Backup + write
+  // APPEND mode (16.0.57): keep ALL existing rules intact, add new ones at end.
+  // Prevents monotonic regression where pass N replaces pass N-1's work with
+  // a smaller file. Combined content = original + delimiter comment + new rules.
+  const combined = target.content
+    + '\n\n/* === nha-webcraft: auto-extended rules (' + new Date().toISOString() + ') === */\n'
+    + body
+    + '\n';
+
   try {
     fs.writeFileSync(target.abs + '.before-extend-' + Date.now(), target.content, 'utf-8');
-    fs.writeFileSync(target.abs, body, 'utf-8');
+    fs.writeFileSync(target.abs, combined, 'utf-8');
   } catch (e) {
     return { extended: false, reason: 'write_failed', error: e.message };
   }
 
-  // Re-analyze to confirm improvement
+  // Re-analyze to confirm improvement. APPEND mode guarantees coverage
+  // monotonically increases (or stays equal), never decreases.
   const after = _analyzeCssCoverage(dir);
-  if (emit) emit({ type: 'status', msg: `CSS extended: ${targetRel} ${target.size} → ${body.length} bytes. Coverage ${(analysis.coverage * 100).toFixed(0)}% → ${(after.coverage * 100).toFixed(0)}%.` });
+  if (after.missing.length >= analysis.missing.length) {
+    // No progress despite append — LLM produced rules that don't match selectors.
+    // Roll back so the file doesn't bloat with useless rules.
+    try { fs.writeFileSync(target.abs, target.content, 'utf-8'); } catch {}
+    if (emit) emit({ type: 'warn', msg: `CSS extend rolled back: ${body.length} bytes of new rules added but no selectors covered (model output didn't match needed selectors).` });
+    return { extended: false, reason: 'no_coverage_gain', missingBefore: analysis.missing.length, missingAfter: after.missing.length };
+  }
+
+  if (emit) emit({ type: 'status', msg: `CSS extended: ${targetRel} ${target.size} → ${combined.length} bytes (appended ${body.length} bytes). Coverage ${(analysis.coverage * 100).toFixed(0)}% → ${(after.coverage * 100).toFixed(0)}%, ${analysis.missing.length} → ${after.missing.length} selectors missing.` });
 
   return {
     extended: true,
     file: targetRel,
     sizeBefore: target.size,
-    sizeAfter: body.length,
+    sizeAfter: combined.length,
+    appendedBytes: body.length,
     coverageBefore: analysis.coverage,
     coverageAfter: after.coverage,
     missingBefore: analysis.missing.length,

package/src/services/browser-engine.mjs

@@ -125,6 +125,10 @@ function findChromePath() {
       '/snap/bin/chromium',
       '/usr/bin/brave-browser',
       '/usr/bin/microsoft-edge',
+      // Termux on Android — chromium installed via "pkg install chromium"
+      '/data/data/com.termux/files/usr/bin/chromium',
+      '/data/data/com.termux/files/usr/bin/chromium-browser',
+      '/data/data/com.termux/files/usr/bin/google-chrome',
     ],
     win32: [
       'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
@@ -657,6 +661,104 @@ async function getBrowser() {
  * @param {boolean} [options.waitForLoad] - Wait for page load event (default true)
  * @returns {Promise<{ title: string, url: string, status: number }>}
  */
+/**
+ * Lightweight HTTP fallback when Chrome/Chromium is not available.
+ * Uses fetch() + regex-based HTML→text extraction. No JS rendering, no clicks.
+ * Good enough for: news sites, blog posts, static pages, API responses,
+ * documentation pages. NOT good for: SPAs, login flows, dynamic dashboards.
+ */
+async function browserOpenViaFetch(url, options = {}) {
+  const timeout = options.timeout || 15000;
+  try {
+    const ac = new AbortController();
+    const timer = setTimeout(() => ac.abort(), timeout);
+    const res = await fetch(url, {
+      redirect: 'follow',
+      signal: ac.signal,
+      headers: {
+        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36',
+        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+        'Accept-Language': 'en-US,en;q=0.9,it;q=0.8',
+      },
+    });
+    clearTimeout(timer);
+
+    const status = res.status;
+    const finalUrl = res.url || url;
+    const ct = res.headers.get('content-type') || '';
+    const isHtml = /html/i.test(ct);
+    const raw = await res.text();
+
+    if (!isHtml) {
+      return {
+        title: finalUrl,
+        url: finalUrl,
+        status,
+        mode: 'fetch-fallback',
+        warning: 'Chrome not installed — used HTTP fetch. No JS rendering. Limited interactivity.',
+        content: raw.slice(0, 50_000),
+      };
+    }
+
+    // Extract title
+    const titleMatch = raw.match(/<title[^>]*>([\s\S]*?)<\/title>/i);
+    const title = titleMatch ? titleMatch[1].replace(/\s+/g, ' ').trim() : finalUrl;
+
+    // Extract main text content: strip script/style/svg/comments, then strip tags
+    let textContent = raw
+      .replace(/<!--[\s\S]*?-->/g, '')
+      .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, ' ')
+      .replace(/<style\b[^>]*>[\s\S]*?<\/style>/gi, ' ')
+      .replace(/<svg\b[^>]*>[\s\S]*?<\/svg>/gi, ' ')
+      .replace(/<noscript\b[^>]*>[\s\S]*?<\/noscript>/gi, ' ')
+      .replace(/<header\b[^>]*>[\s\S]*?<\/header>/gi, ' ')   // strip nav/header noise
+      .replace(/<nav\b[^>]*>[\s\S]*?<\/nav>/gi, ' ')
+      .replace(/<footer\b[^>]*>[\s\S]*?<\/footer>/gi, ' ')
+      .replace(/<aside\b[^>]*>[\s\S]*?<\/aside>/gi, ' ');
+
+    // Extract headlines + links separately for news sites
+    const headlines = [];
+    const linkRe = /<a\b[^>]*href=["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
+    let lm;
+    while ((lm = linkRe.exec(raw)) !== null && headlines.length < 50) {
+      const linkText = lm[2].replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim();
+      const href = lm[1];
+      if (linkText.length > 20 && linkText.length < 200 && !href.startsWith('#') && !href.startsWith('javascript:')) {
+        const absHref = href.startsWith('http') ? href : new URL(href, finalUrl).toString();
+        headlines.push({ text: linkText, url: absHref });
+      }
+    }
+
+    // Strip remaining tags to get plain text
+    textContent = textContent
+      .replace(/<[^>]+>/g, ' ')
+      .replace(/&nbsp;/g, ' ')
+      .replace(/&amp;/g, '&')
+      .replace(/&lt;/g, '<')
+      .replace(/&gt;/g, '>')
+      .replace(/&quot;/g, '"')
+      .replace(/&#39;/g, "'")
+      .replace(/&#x?[0-9a-f]+;/gi, '')
+      .replace(/\s+/g, ' ')
+      .trim();
+
+    return {
+      title,
+      url: finalUrl,
+      status,
+      mode: 'fetch-fallback',
+      warning: 'Chrome/Chromium not installed — used HTTP fetch fallback. No JS rendering, no interactive clicks/forms. To install: macOS use brew, Linux apt-get, Termux "pkg install chromium".',
+      headlines: headlines.slice(0, 30),
+      content: textContent.slice(0, 30_000),
+    };
+  } catch (e) {
+    if (e.name === 'AbortError') {
+      return { error: true, message: `HTTP fetch timeout after ${timeout / 1000}s. The site may be slow or blocking the request.` };
+    }
+    return { error: true, message: `HTTP fetch failed: ${e.message}. ${/ENOTFOUND|ECONNREFUSED/.test(e.message) ? 'Network or DNS issue.' : ''}` };
+  }
+}
+
 export async function browserOpen(url, options = {}) {
   // SSRF check
   const check = await isSafeUrl(url);
@@ -664,7 +766,23 @@ export async function browserOpen(url, options = {}) {
     return { error: true, message: `SSRF blocked: ${check.reason}` };
   }
 
-  const browser = await getBrowser();
+  // Fast fallback: if Chrome/Chromium is not installed (e.g. Termux on Android),
+  // do a plain HTTP fetch and extract text content. Limited (no JS rendering,
+  // no clicks), but works for news sites / blog posts / static pages.
+  if (!findChromePath()) {
+    return browserOpenViaFetch(url, options);
+  }
+
+  let browser;
+  try {
+    browser = await getBrowser();
+  } catch (e) {
+    // Chrome detection failed at launch — same fallback
+    if (/Chrome\/Chromium not found/i.test(e.message || '')) {
+      return browserOpenViaFetch(url, options);
+    }
+    throw e;
+  }
   const timeout = options.timeout || NAV_TIMEOUT_MS;
   const waitForLoad = options.waitForLoad !== false;
 

package/src/services/google-oauth.mjs

@@ -12,8 +12,13 @@ import os from 'os';
 import { saveTokens, loadTokens, deleteTokens } from './token-store.mjs';
 import { info, ok, fail, warn } from '../ui.mjs';
 
-// NHA published OAuth client (Desktop app type — client_id is not a secret)
-const DEFAULT_CLIENT_ID = '516893094132-8u2jf6h6h3j6h8j9k0l1m2n3o4p5q6r7.apps.googleusercontent.com'; // NHA Official OAuth Client
+// IMPORTANT: NHA does NOT ship a default Google OAuth client ID.
+// The previous placeholder (516893094132-8u2jf...) was a fake-looking value
+// that always returned `invalid_client` from Google. Each user must register
+// their own OAuth client in Google Cloud Console — this is by design for
+// privacy (no shared client app), and it's a one-time 3-minute setup.
+// See https://nothumanallowed.com/docs/google for the full guide.
+const DEFAULT_CLIENT_ID = '';
 const SCOPES = [
   'https://www.googleapis.com/auth/gmail.modify',
   'https://www.googleapis.com/auth/gmail.send',
@@ -221,14 +226,27 @@ export async function runAuthFlow(config, manual = false) {
 
   if (!clientId) {
     fail('Google OAuth client ID not configured.');
-    info('Get credentials from Google Cloud Console:');
-    info('  1. Go to https://console.cloud.google.com/apis/credentials');
-    info('  2. Create an OAuth 2.0 Client ID (Desktop app type)');
-    info('  3. Enable Gmail API and Calendar API');
-    info('  4. Run:');
+    info('');
+    info('NHA does not ship a shared OAuth client (your data never goes through');
+    info('our servers — Gmail/Calendar API calls go from your PC directly to');
+    info('Google). You need a 3-minute one-time setup of your own OAuth client.');
+    info('');
+    info('STEPS:');
+    info('  1. Open https://console.cloud.google.com/apis/credentials');
+    info('  2. Click + CREATE CREDENTIALS → OAuth client ID');
+    info('  3. Application type: "Desktop app", give it a name (e.g. "NHA local")');
+    info('  4. Click CREATE. Google shows you Client ID + Client Secret.');
+    info('  5. Enable the APIs you need:');
+    info('     - Gmail API:   https://console.cloud.google.com/apis/library/gmail.googleapis.com');
+    info('     - Calendar:    https://console.cloud.google.com/apis/library/calendar-json.googleapis.com');
+    info('     - Drive:       https://console.cloud.google.com/apis/library/drive.googleapis.com');
+    info('     - People API:  https://console.cloud.google.com/apis/library/people.googleapis.com');
+    info('  6. Save the credentials in NHA:');
     info('     nha config set google-client-id YOUR_CLIENT_ID');
     info('     nha config set google-client-secret YOUR_CLIENT_SECRET');
-    info('  5. Run: nha google auth');
+    info('  7. Re-run: nha google auth');
+    info('');
+    info('Full guide with screenshots: https://nothumanallowed.com/docs/google');
     return false;
   }