nothumanallowed 3.7.0 → 4.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "3.7.0",
+  "version": "4.0.0",
   "description": "NotHumanAllowed — 38 AI agents for security, code, DevOps, data & daily ops. Ask agents directly, plan your day with 5 specialist agents, manage tasks, connect Gmail + Calendar.",
   "type": "module",
   "bin": {

package/src/cli.mjs

@@ -15,6 +15,7 @@ import { cmdOps } from './commands/ops.mjs';
 import { cmdChat } from './commands/chat.mjs';
 import { cmdUI } from './commands/ui.mjs';
 import { cmdGoogle } from './commands/google-auth.mjs';
+import { cmdScan } from './commands/scan.mjs';
 import { banner, info, ok, warn, fail, C, G, Y, D, W, BOLD, NC, M, B, R } from './ui.mjs';
 
 export async function main(argv) {
@@ -65,6 +66,9 @@ export async function main(argv) {
     case 'google':
       return cmdGoogle(args);
 
+    case 'scan':
+      return cmdScan(args);
+
     case 'pif':
       return cmdPif(args);
 
@@ -355,6 +359,8 @@ function cmdHelp() {
   console.log(`    ask oracle "prompt" ${D}--provider openai${NC}`);
   console.log(`    agents                List all 38 specialized agents`);
   console.log(`    agents info <name>    Show agent capabilities & domain`);
+  console.log(`    scan <path>           Security scan a project with SABER + ZERO`);
+  console.log(`    scan . ${D}--output report.md${NC}   Save report to file`);
   console.log(`    run "prompt"          Multi-agent collaboration (server-routed)`);
   console.log(`    run "prompt" ${D}--agents saber,zero${NC}   Collaborate with specific agents\n`);
 

package/src/commands/scan.mjs

@@ -0,0 +1,187 @@
+/**
+ * nha scan <path> — Scan a project with SABER + ZERO agents.
+ * Reads files, builds context, runs security + vulnerability analysis.
+ * Zero server. Direct LLM calls with your API key.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { loadConfig } from '../config.mjs';
+import { callAgent } from '../services/llm.mjs';
+import { fail, info, ok, warn, C, G, Y, D, W, BOLD, NC, R } from '../ui.mjs';
+
+const SCAN_EXTENSIONS = new Set([
+  '.js', '.mjs', '.cjs', '.ts', '.tsx', '.jsx',
+  '.py', '.rb', '.go', '.rs', '.java', '.kt',
+  '.php', '.c', '.cpp', '.h', '.cs', '.swift',
+  '.sh', '.bash', '.zsh',
+  '.json', '.yaml', '.yml', '.toml', '.ini', '.cfg',
+  '.env', '.env.example', '.env.local',
+  '.sql', '.prisma', '.graphql',
+  '.dockerfile', '.docker-compose.yml',
+  '.tf', '.hcl',
+  '.md', '.txt',
+]);
+
+const IGNORE_DIRS = new Set([
+  'node_modules', '.git', '.next', 'dist', 'build', 'out',
+  '__pycache__', '.venv', 'venv', 'vendor', 'target',
+  '.cache', '.turbo', 'coverage', '.nyc_output',
+]);
+
+const MAX_FILE_SIZE = 100_000; // 100KB per file
+const MAX_TOTAL_CHARS = 200_000; // 200KB total context
+
+function scanDirectory(dirPath, files = [], depth = 0) {
+  if (depth > 8) return files;
+  try {
+    const entries = fs.readdirSync(dirPath, { withFileTypes: true });
+    for (const entry of entries) {
+      if (entry.name.startsWith('.') && entry.name !== '.env' && entry.name !== '.env.example') continue;
+      if (IGNORE_DIRS.has(entry.name)) continue;
+
+      const fullPath = path.join(dirPath, entry.name);
+      if (entry.isDirectory()) {
+        scanDirectory(fullPath, files, depth + 1);
+      } else if (entry.isFile()) {
+        const ext = path.extname(entry.name).toLowerCase();
+        if (SCAN_EXTENSIONS.has(ext) || entry.name === 'Dockerfile' || entry.name === 'Makefile') {
+          try {
+            const stat = fs.statSync(fullPath);
+            if (stat.size <= MAX_FILE_SIZE && stat.size > 0) {
+              files.push({ path: fullPath, size: stat.size, ext });
+            }
+          } catch {}
+        }
+      }
+    }
+  } catch {}
+  return files;
+}
+
+function buildProjectContext(projectPath, files) {
+  let context = `Project: ${projectPath}\nFiles scanned: ${files.length}\n\n`;
+  let totalChars = context.length;
+
+  // Prioritize security-relevant files first
+  const prioritized = files.sort((a, b) => {
+    const securityFiles = ['.env', 'auth', 'login', 'password', 'secret', 'token', 'key', 'security', 'middleware'];
+    const aScore = securityFiles.some(s => a.path.toLowerCase().includes(s)) ? 0 : 1;
+    const bScore = securityFiles.some(s => b.path.toLowerCase().includes(s)) ? 0 : 1;
+    return aScore - bScore;
+  });
+
+  for (const file of prioritized) {
+    if (totalChars >= MAX_TOTAL_CHARS) break;
+    try {
+      const content = fs.readFileSync(file.path, 'utf-8');
+      const relative = path.relative(projectPath, file.path);
+      const entry = `\n--- ${relative} (${file.size} bytes) ---\n${content.slice(0, MAX_FILE_SIZE)}\n`;
+      if (totalChars + entry.length > MAX_TOTAL_CHARS) {
+        const remaining = MAX_TOTAL_CHARS - totalChars;
+        context += entry.slice(0, remaining) + '\n[... truncated ...]\n';
+        break;
+      }
+      context += entry;
+      totalChars += entry.length;
+    } catch {}
+  }
+
+  return context;
+}
+
+export async function cmdScan(args) {
+  const projectPath = args[0] ? path.resolve(args[0]) : process.cwd();
+
+  if (!fs.existsSync(projectPath) || !fs.statSync(projectPath).isDirectory()) {
+    fail(`Not a directory: ${projectPath}`);
+    process.exit(1);
+  }
+
+  const config = loadConfig();
+  if (!config.llm.apiKey) {
+    fail('No API key configured. Run: nha config set key YOUR_KEY');
+    process.exit(1);
+  }
+
+  // Parse flags
+  let agents = ['saber', 'zero'];
+  let outputFile = null;
+  for (let i = 1; i < args.length; i++) {
+    if (args[i] === '--agents' && args[i + 1]) { agents = args[++i].split(','); continue; }
+    if (args[i] === '--output' && args[i + 1]) { outputFile = args[++i]; continue; }
+    if (args[i] === '-o' && args[i + 1]) { outputFile = args[++i]; continue; }
+  }
+
+  console.log(`\n  ${BOLD}NHA Project Scanner${NC}`);
+  console.log(`  ${D}Path: ${projectPath}${NC}\n`);
+
+  // Scan files
+  info('Scanning project files...');
+  const files = scanDirectory(projectPath);
+  ok(`Found ${files.length} scannable files`);
+
+  if (files.length === 0) {
+    warn('No source files found.');
+    return;
+  }
+
+  // Show file breakdown
+  const extCounts = {};
+  for (const f of files) {
+    extCounts[f.ext] = (extCounts[f.ext] || 0) + 1;
+  }
+  const breakdown = Object.entries(extCounts).sort((a, b) => b[1] - a[1]).slice(0, 8);
+  console.log(`  ${D}${breakdown.map(([e, c]) => `${e}: ${c}`).join(' | ')}${NC}\n`);
+
+  // Build context
+  info('Building project context...');
+  const context = buildProjectContext(projectPath, files);
+  ok(`Context: ${(context.length / 1024).toFixed(0)} KB from ${files.length} files`);
+
+  // Run agents
+  const results = {};
+  for (const agentName of agents) {
+    info(`Running ${agentName.toUpperCase()}...`);
+    const startTime = Date.now();
+    try {
+      const result = await callAgent(config, agentName,
+        `Perform a thorough analysis of this project. Focus on:\n` +
+        `- Security vulnerabilities (OWASP Top 10, CWE references)\n` +
+        `- Hardcoded secrets, API keys, passwords\n` +
+        `- Dependency risks, outdated patterns\n` +
+        `- Authentication/authorization issues\n` +
+        `- Input validation, injection vectors\n` +
+        `- Configuration security\n` +
+        `- Code quality issues that impact security\n\n` +
+        `PROJECT FILES:\n${context}`
+      );
+      const elapsed = ((Date.now() - startTime) / 1000).toFixed(1);
+      results[agentName] = result;
+      ok(`${agentName.toUpperCase()} complete (${elapsed}s)`);
+    } catch (e) {
+      warn(`${agentName.toUpperCase()} failed: ${e.message}`);
+      results[agentName] = `Error: ${e.message}`;
+    }
+  }
+
+  // Display results
+  console.log(`\n${'='.repeat(60)}`);
+  for (const [agent, result] of Object.entries(results)) {
+    console.log(`\n  ${BOLD}${C}${agent.toUpperCase()} REPORT${NC}\n`);
+    console.log(result);
+    console.log(`\n${'─'.repeat(60)}`);
+  }
+
+  // Save to file if requested
+  if (outputFile) {
+    const report = Object.entries(results)
+      .map(([agent, result]) => `# ${agent.toUpperCase()} REPORT\n\n${result}`)
+      .join('\n\n---\n\n');
+    const header = `# NHA Security Scan Report\n\nProject: ${projectPath}\nDate: ${new Date().toISOString()}\nAgents: ${agents.join(', ')}\nFiles scanned: ${files.length}\n\n---\n\n`;
+    fs.writeFileSync(outputFile, header + report, 'utf-8');
+    ok(`Report saved to ${outputFile}`);
+  }
+
+  console.log('');
+}

package/src/commands/ui.mjs

@@ -597,7 +597,7 @@ export async function cmdUI(args) {
         return;
       }
 
-      // POST /api/ask
+      // POST /api/ask — agent call with personal context (email, calendar, tasks)
       if (method === 'POST' && pathname === '/api/ask') {
         const body = await parseBody(req);
         if (!body.agent || !body.prompt) {
@@ -619,7 +619,55 @@ export async function cmdUI(args) {
         }
 
         try {
-          const response = await callAgent(config, body.agent, body.prompt);
+          // Build personal context from Gmail + Calendar + Tasks
+          let context = '';
+          try {
+            const [emails, events] = await Promise.all([
+              getUnreadImportant(config, 15).catch(() => []),
+              getTodayEvents(config).catch(() => []),
+            ]);
+            const tasks = getTasks();
+
+            if (emails.length > 0) {
+              context += '\n\n[USER EMAIL CONTEXT — real data from their Gmail]\n';
+              emails.slice(0, 10).forEach((e, i) => {
+                context += `${i + 1}. From: ${e.from} | Subject: ${e.subject} | Date: ${e.date}\n   ${e.snippet.slice(0, 150)}\n   URLs: ${e.urls.join(', ') || 'none'}\n`;
+              });
+            }
+
+            if (events.length > 0) {
+              context += '\n\n[USER CALENDAR — today]\n';
+              events.forEach(e => {
+                const time = e.isAllDay ? 'All day' : `${e.start} - ${e.end}`;
+                context += `${time}: ${e.summary}${e.location ? ' @ ' + e.location : ''}${e.attendees?.length ? ' with ' + e.attendees.map(a => a.name || a.email).join(', ') : ''}\n`;
+              });
+            }
+
+            if (tasks.length > 0) {
+              context += '\n\n[USER TASKS — today]\n';
+              tasks.forEach(t => {
+                context += `#${t.id} [${t.priority}] ${t.status === 'done' ? '[DONE] ' : ''}${t.description}\n`;
+              });
+            }
+          } catch { /* context loading failed, proceed without it */ }
+
+          // Attach file content if provided
+          let fileContext = '';
+          if (body.fileContent && body.fileName) {
+            const maxChars = 100000;
+            const content = String(body.fileContent).slice(0, maxChars);
+            fileContext = '\n\n--- Attached file: ' + body.fileName + ' ---\n' + content;
+            if (body.fileContent.length > maxChars) fileContext += '\n[... truncated at 100KB ...]';
+          }
+
+          const enrichedPrompt = body.prompt + fileContext + (context
+            ? '\n\nIMPORTANT CONTEXT: The data below is from the user\'s OWN accounts (their Gmail, their Google Calendar, their tasks). The user is the OWNER of these accounts. ' +
+              'Recent activity (npm publishes, Google login alerts, GitHub notifications) was done BY THE USER THEMSELVES as part of their normal work. ' +
+              'Do NOT flag the user\'s own legitimate activity as suspicious or compromised. ' +
+              'Only flag ACTUAL external threats: phishing emails from unknown senders, suspicious links, unauthorized access from unknown locations.\n' + context
+            : '');
+
+          const response = await callAgent(config, body.agent, enrichedPrompt);
           sendJSON(res, 200, { response, agent: body.agent });
         } catch (e) {
           sendJSON(res, 200, { response: null, error: e.message });

package/src/services/web-ui.mjs

@@ -475,10 +475,11 @@ function openDayDetail(dateStr){
   // Use the agent modal for day detail
   document.getElementById('modalName').textContent=dayLabel;
   document.getElementById('modalPrompt').style.display='none';
+  document.getElementById('fileDropZone').style.display='none';
+  document.getElementById('fileInfo').style.display='none';
   document.getElementById('modalResponse').style.display='block';
   document.getElementById('modalResponse').innerHTML=h;
   document.getElementById('agentModal').classList.add('modal-overlay--open');
-  // Hide ask button
   var sendBtn=document.getElementById('agentModal').querySelector('.btn--primary');
   if(sendBtn)sendBtn.style.display='none';
 }
@@ -495,12 +496,17 @@ function renderAgents(el){
 }
 function openAgent(name,display){
   selectedAgent=name;
+  attachedFileContent=null;attachedFileName=null;
   document.getElementById('modalName').textContent=display||name;
   document.getElementById('modalPrompt').value='';
   document.getElementById('modalPrompt').style.display='';
   document.getElementById('modalResponse').style.display='none';
   document.getElementById('modalResponse').textContent='';
   document.getElementById('modalResponse').innerHTML='';
+  document.getElementById('fileInfo').style.display='none';
+  document.getElementById('fileDropZone').style.display='';
+  document.getElementById('fileDropZone').style.borderColor='var(--border2)';
+  document.getElementById('fileInput').value='';
   var sendBtn=document.getElementById('agentModal').querySelector('.btn--primary');
   if(sendBtn)sendBtn.style.display='';
   document.getElementById('agentModal').classList.add('modal-overlay--open');
@@ -508,12 +514,56 @@ function openAgent(name,display){
 function closeModal(){
   document.getElementById('agentModal').classList.remove('modal-overlay--open');
 }
+var attachedFileContent = null;
+var attachedFileName = null;
+
+function handleFileDrop(e) {
+  var file = e.dataTransfer.files[0];
+  if (file) readFile(file);
+}
+function handleFileSelect(input) {
+  var file = input.files[0];
+  if (file) readFile(file);
+}
+function readFile(file) {
+  if (file.size > 500000) {
+    document.getElementById('fileInfo').style.display = 'block';
+    document.getElementById('fileInfo').textContent = 'File too large (max 500KB)';
+    document.getElementById('fileInfo').style.color = 'var(--red)';
+    return;
+  }
+  var reader = new FileReader();
+  reader.onload = function(e) {
+    attachedFileContent = e.target.result;
+    attachedFileName = file.name;
+    var info = document.getElementById('fileInfo');
+    info.style.display = 'block';
+    info.style.color = 'var(--cyan)';
+    info.textContent = 'Attached: ' + file.name + ' (' + (file.size / 1024).toFixed(1) + ' KB)';
+    document.getElementById('fileDropZone').style.borderColor = 'var(--green)';
+  };
+  reader.readAsText(file);
+}
+
 function askAgent(){
   var p=document.getElementById('modalPrompt').value.trim();if(!p||!selectedAgent)return;
   var resp=document.getElementById('modalResponse');
   resp.style.display='block';resp.textContent='Thinking...';
-  apiPost('/api/ask',{agent:selectedAgent,prompt:p}).then(function(r){
+
+  var payload = {agent:selectedAgent, prompt:p};
+  if (attachedFileContent) {
+    payload.fileContent = attachedFileContent;
+    payload.fileName = attachedFileName;
+  }
+
+  apiPost('/api/ask', payload).then(function(r){
     resp.textContent=(r&&r.response)||'Error: no response';
+    // Reset file after ask
+    attachedFileContent = null;
+    attachedFileName = null;
+    document.getElementById('fileInfo').style.display = 'none';
+    document.getElementById('fileDropZone').style.borderColor = 'var(--border2)';
+    document.getElementById('fileInput').value = '';
   });
 }
 
@@ -587,6 +637,11 @@ init();
     </div>
     <div class="modal__body">
       <textarea id="modalPrompt" placeholder="Ask this agent something..."></textarea>
+      <div id="fileDropZone" style="border:2px dashed var(--border2);border-radius:6px;padding:12px;text-align:center;color:var(--dim);font-size:11px;cursor:pointer;margin-bottom:10px;transition:border-color .2s" onclick="document.getElementById('fileInput').click()" ondragover="event.preventDefault();this.style.borderColor='var(--green)'" ondragleave="this.style.borderColor='var(--border2)'" ondrop="event.preventDefault();this.style.borderColor='var(--border2)';handleFileDrop(event)">
+        Drop a file here or click to attach
+        <input type="file" id="fileInput" style="display:none" onchange="handleFileSelect(this)">
+      </div>
+      <div id="fileInfo" style="display:none;font-size:10px;color:var(--cyan);margin-bottom:8px"></div>
       <div class="modal__response" id="modalResponse" style="display:none"></div>
     </div>
     <div class="modal__footer">