nothumanallowed 4.0.2 → 5.0.0

package/src/services/ops-daemon.mjs

@@ -3,16 +3,19 @@
  *
  * Runs as detached child process. Polls every 5 min (mail), 15 min (calendar).
  * Generates daily plan at configured time. Sends notifications.
+ *
+ * WebSocket server on port 3848 broadcasts real-time events to connected
+ * clients (nha ui dashboard, etc.) when new emails arrive or meetings approach.
  */
 
 import fs from 'fs';
 import path from 'path';
+import http from 'http';
+import crypto from 'crypto';
 import { spawn } from 'child_process';
 import { NHA_DIR } from '../constants.mjs';
 import { loadConfig } from '../config.mjs';
-import { loadTokens } from './token-store.mjs';
-import { getUnreadImportant } from './google-gmail.mjs';
-import { getUpcomingEvents } from './google-calendar.mjs';
+import { hasMailProvider, getUnreadImportant, getUpcomingEvents } from './mail-router.mjs';
 import { notify } from './notification.mjs';
 import { callAgent } from './llm.mjs';
 import { runPlanningPipeline } from './ops-pipeline.mjs';
@@ -21,6 +24,7 @@ const DAEMON_DIR = path.join(NHA_DIR, 'ops', 'daemon');
 const PID_FILE = path.join(DAEMON_DIR, 'daemon.pid');
 const STATE_FILE = path.join(DAEMON_DIR, 'state.json');
 const LOG_FILE = path.join(DAEMON_DIR, 'daemon.log');
+const WS_PORT = 3848;
 
 // ── Daemon Control ─────────────────────────────────────────────────────────
 
@@ -103,6 +107,117 @@ export function getDaemonStatus() {
   return { running, pid, ...state };
 }
 
+// ── WebSocket Server (RFC 6455, zero-dependency) ────────────────────────────
+
+const wsClients = new Set();
+
+/**
+ * Minimal WebSocket handshake and frame implementation.
+ * Implements just enough of RFC 6455 for text-frame broadcast.
+ */
+function startWebSocketServer() {
+  const server = http.createServer((req, res) => {
+    if (req.url === '/health') {
+      res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
+      res.end(JSON.stringify({ ok: true, clients: wsClients.size }));
+      return;
+    }
+    res.writeHead(404);
+    res.end();
+  });
+
+  server.on('upgrade', (req, socket, head) => {
+    const key = req.headers['sec-websocket-key'];
+    if (!key) { socket.destroy(); return; }
+
+    const acceptKey = crypto
+      .createHash('sha1')
+      .update(key + '258EAFA5-E914-47DA-95CA-5AB5DC86C11B')
+      .digest('base64');
+
+    socket.write(
+      'HTTP/1.1 101 Switching Protocols\r\n' +
+      'Upgrade: websocket\r\n' +
+      'Connection: Upgrade\r\n' +
+      `Sec-WebSocket-Accept: ${acceptKey}\r\n` +
+      '\r\n'
+    );
+
+    wsClients.add(socket);
+    log(`WebSocket client connected (${wsClients.size} total)`);
+
+    socket.on('data', (buf) => {
+      if (buf.length < 2) return;
+      const opcode = buf[0] & 0x0f;
+      if (opcode === 0x08) { wsClients.delete(socket); socket.end(); return; }
+      if (opcode === 0x09) {
+        const pong = Buffer.alloc(2);
+        pong[0] = 0x8a;
+        pong[1] = 0;
+        socket.write(pong);
+      }
+    });
+
+    socket.on('close', () => {
+      wsClients.delete(socket);
+      log(`WebSocket client disconnected (${wsClients.size} remaining)`);
+    });
+
+    socket.on('error', () => { wsClients.delete(socket); });
+  });
+
+  server.on('error', (err) => {
+    if (err.code === 'EADDRINUSE') {
+      log(`WebSocket port ${WS_PORT} already in use — skipping WS server`);
+      return;
+    }
+    log(`WebSocket server error: ${err.message}`);
+  });
+
+  server.listen(WS_PORT, '127.0.0.1', () => {
+    log(`WebSocket server listening on 127.0.0.1:${WS_PORT}`);
+  });
+
+  return server;
+}
+
+/**
+ * Encode a string into a WebSocket text frame (RFC 6455).
+ */
+function encodeWSFrame(text) {
+  const data = Buffer.from(text, 'utf-8');
+  const len = data.length;
+  let header;
+  if (len < 126) {
+    header = Buffer.alloc(2);
+    header[0] = 0x81;
+    header[1] = len;
+  } else if (len < 65536) {
+    header = Buffer.alloc(4);
+    header[0] = 0x81;
+    header[1] = 126;
+    header.writeUInt16BE(len, 2);
+  } else {
+    header = Buffer.alloc(10);
+    header[0] = 0x81;
+    header[1] = 127;
+    header.writeBigUInt64BE(BigInt(len), 2);
+  }
+  return Buffer.concat([header, data]);
+}
+
+/**
+ * Broadcast a JSON message to all connected WebSocket clients.
+ */
+function wsBroadcast(payload) {
+  const frame = encodeWSFrame(JSON.stringify(payload));
+  for (const socket of wsClients) {
+    try { socket.write(frame); } catch { wsClients.delete(socket); }
+  }
+}
+
+export { wsBroadcast, WS_PORT };
+
 // ── Daemon Loop (runs in background process) ───────────────────────────────
 
 function saveState(state) {
@@ -119,11 +234,15 @@ async function daemonLoop() {
   log('NHA PAO Daemon started');
   const config = loadConfig();
 
+  // Start WebSocket server for real-time push notifications
+  startWebSocketServer();
+
   const state = {
     startedAt: new Date().toISOString(),
     lastMailCheck: null,
     lastCalendarCheck: null,
     lastPlanGenerated: null,
+    wsPort: WS_PORT,
     errors: 0,
   };
   saveState(state);
@@ -141,8 +260,7 @@ async function daemonLoop() {
   // Main loop
   setInterval(async () => {
     const now = Date.now();
-    const tokens = loadTokens();
-    if (!tokens) return; // not authenticated
+    if (!hasMailProvider()) return; // not authenticated
 
     // ── Mail check ─────────────────────────────────────────
     if (now - lastMailCheck > MAIL_INTERVAL) {
@@ -154,6 +272,19 @@ async function daemonLoop() {
         for (const email of newEmails) {
           knownEmailIds.add(email.id);
 
+          // Broadcast new email event to WebSocket clients
+          wsBroadcast({
+            type: 'new_email',
+            timestamp: new Date().toISOString(),
+            data: {
+              id: email.id,
+              from: email.from,
+              subject: email.subject,
+              snippet: (email.snippet || '').slice(0, 120),
+              isImportant: email.isImportant,
+            },
+          });
+
           // SABER quick scan for suspicious emails
           if (email.urls.length > 0 || email.from.includes('paypal') || email.from.includes('bank') || email.subject.toLowerCase().includes('urgent')) {
             try {
@@ -162,6 +293,11 @@ async function daemonLoop() {
               );
               if (scanResult.toUpperCase().includes('FLAGGED')) {
                 await notify('Security Alert', `Suspicious email from ${email.from}: ${email.subject}\n${scanResult}`, config);
+                wsBroadcast({
+                  type: 'security_alert',
+                  timestamp: new Date().toISOString(),
+                  data: { from: email.from, subject: email.subject, reason: scanResult },
+                });
               }
             } catch { /* non-fatal */ }
           }
@@ -192,6 +328,19 @@ async function daemonLoop() {
           const minutesUntil = (eventStart - now) / 60000;
 
           if (minutesUntil > 0 && minutesUntil <= MEETING_ALERT) {
+            // Broadcast meeting alert to WebSocket clients
+            wsBroadcast({
+              type: 'meeting_alert',
+              timestamp: new Date().toISOString(),
+              data: {
+                summary: event.summary,
+                start: event.start,
+                minutesUntil: Math.round(minutesUntil),
+                location: event.location || null,
+                hangoutLink: event.hangoutLink || null,
+              },
+            });
+
             // Generate quick brief with HERALD
             try {
               const brief = await callAgent(config, 'herald',
@@ -226,6 +375,11 @@ async function daemonLoop() {
         state.lastPlanGenerated = new Date().toISOString();
         saveState(state);
         await notify('Daily Plan Ready', `Your plan for ${todayStr} is ready. Run "nha plan --show" to view.`, config);
+        wsBroadcast({
+          type: 'plan_ready',
+          timestamp: new Date().toISOString(),
+          data: { date: todayStr },
+        });
         log('Daily plan generated');
       } catch (err) {
         log(`Plan generation error: ${err.message}`);

package/src/services/ops-pipeline.mjs

@@ -15,10 +15,10 @@
 import fs from 'fs';
 import path from 'path';
 import { callAgent, callLLM } from './llm.mjs';
-import { getUnreadImportant, getTodayEmails } from './google-gmail.mjs';
-import { getTodayEvents, getUpcomingEvents } from './google-calendar.mjs';
+import { getUnreadImportant, getTodayEmails } from './mail-router.mjs';
+import { getTodayEvents, getUpcomingEvents } from './mail-router.mjs';
 import { getTasks, bulkAddTasks } from './task-store.mjs';
-import { loadTokens } from './token-store.mjs';
+import { hasMailProvider } from './mail-router.mjs';
 import { NHA_DIR } from '../constants.mjs';
 import { info, ok, fail, warn, D, C, G, Y, W, BOLD, NC } from '../ui.mjs';
 
@@ -47,8 +47,7 @@ export async function runPlanningPipeline(config, opts = {}) {
   }
 
   const startTime = Date.now();
-  const tokens = loadTokens();
-  const hasGoogle = !!tokens;
+  const hasMail = hasMailProvider();
 
   console.log(`\n  ${BOLD}NHA Daily Plan — ${dateStr}${NC}`);
   console.log(`  ${D}5 specialist agents analyzing your day${NC}\n`);
@@ -60,7 +59,7 @@ export async function runPlanningPipeline(config, opts = {}) {
   let events = [];
   const tasks = getTasks(dateStr);
 
-  if (hasGoogle) {
+  if (hasMail) {
     try {
       [emails, events] = await Promise.all([
         getUnreadImportant(config, 30),
@@ -68,11 +67,11 @@ export async function runPlanningPipeline(config, opts = {}) {
       ]);
       ok(`${emails.length} emails, ${events.length} events, ${tasks.length} tasks`);
     } catch (err) {
-      warn(`Google API error: ${err.message}`);
+      warn(`Mail API error: ${err.message}`);
       info('Continuing with tasks only...');
     }
   } else {
-    warn('Google not connected. Using tasks only. Run "nha google auth" to connect.');
+    warn('No mail provider connected. Using tasks only. Run "nha google auth" or "nha microsoft auth" to connect.');
   }
 
   // Build context for agents

package/src/services/token-store.mjs

@@ -1,6 +1,8 @@
 /**
  * Encrypted token storage — AES-256-GCM with machine-derived key.
- * Stores OAuth tokens at ~/.nha/ops/tokens.enc
+ * Supports multiple providers (google, microsoft) via separate encrypted files.
+ * Stores OAuth tokens at ~/.nha/ops/tokens-<provider>.enc
+ * Legacy single-file (~/.nha/ops/tokens.enc) is treated as 'google' for backward compat.
  * Zero dependencies — uses Node.js native crypto.
  */
 
@@ -11,7 +13,15 @@ import path from 'path';
 import { NHA_DIR } from '../constants.mjs';
 
 const OPS_DIR = path.join(NHA_DIR, 'ops');
-const TOKENS_FILE = path.join(OPS_DIR, 'tokens.enc');
+const LEGACY_TOKENS_FILE = path.join(OPS_DIR, 'tokens.enc');
+
+/** Get tokens file path for a given provider */
+function getTokensFile(provider) {
+  if (!provider || provider === 'google') {
+    return LEGACY_TOKENS_FILE; // backward compatible — Google uses the original file
+  }
+  return path.join(OPS_DIR, `tokens-${provider}.enc`);
+}
 
 /** Derive encryption key from machine-specific fingerprint */
 function deriveKey() {
@@ -49,21 +59,25 @@ function decrypt(envelope) {
 /**
  * Save OAuth tokens (encrypted).
  * @param {object} tokens — { access_token, refresh_token, expires_at, scope, email }
+ * @param {string} provider — 'google' (default) or 'microsoft'
  */
-export function saveTokens(tokens) {
+export function saveTokens(tokens, provider) {
   fs.mkdirSync(OPS_DIR, { recursive: true });
+  const file = getTokensFile(provider);
   const envelope = encrypt(tokens);
-  fs.writeFileSync(TOKENS_FILE, JSON.stringify(envelope, null, 2), { mode: 0o600 });
+  fs.writeFileSync(file, JSON.stringify(envelope, null, 2), { mode: 0o600 });
 }
 
 /**
  * Load OAuth tokens (decrypted).
+ * @param {string} provider — 'google' (default) or 'microsoft'
  * @returns {object|null} tokens or null if not stored
  */
-export function loadTokens() {
-  if (!fs.existsSync(TOKENS_FILE)) return null;
+export function loadTokens(provider) {
+  const file = getTokensFile(provider);
+  if (!fs.existsSync(file)) return null;
   try {
-    const envelope = JSON.parse(fs.readFileSync(TOKENS_FILE, 'utf-8'));
+    const envelope = JSON.parse(fs.readFileSync(file, 'utf-8'));
     return decrypt(envelope);
   } catch {
     return null;
@@ -72,9 +86,11 @@ export function loadTokens() {
 
 /**
  * Delete stored tokens.
+ * @param {string} provider — 'google' (default) or 'microsoft'
  */
-export function deleteTokens() {
-  if (fs.existsSync(TOKENS_FILE)) fs.rmSync(TOKENS_FILE);
+export function deleteTokens(provider) {
+  const file = getTokensFile(provider);
+  if (fs.existsSync(file)) fs.rmSync(file);
 }
 
 /**
@@ -88,7 +104,7 @@ export function isExpired(tokens) {
 }
 
 /**
- * Refresh access token using refresh_token.
+ * Refresh access token using refresh_token (Google-specific).
  * @param {string} clientId
  * @param {string} clientSecret
  * @param {string} refreshToken
@@ -123,12 +139,12 @@ export async function refreshAccessToken(clientId, clientSecret, refreshToken) {
 }
 
 /**
- * Get a valid access token — refreshes automatically if expired.
+ * Get a valid Google access token — refreshes automatically if expired.
  * @param {object} config — NHA config with google.clientId etc.
  * @returns {Promise<string>} access_token
  */
 export async function getAccessToken(config) {
-  let tokens = loadTokens();
+  let tokens = loadTokens('google');
   if (!tokens) throw new Error('Not authenticated. Run: nha google auth');
 
   if (isExpired(tokens)) {
@@ -137,9 +153,20 @@ export async function getAccessToken(config) {
     if (!clientId) throw new Error('Google client ID not configured');
 
     tokens = await refreshAccessToken(clientId, clientSecret, tokens.refresh_token);
-    tokens.email = loadTokens()?.email; // preserve email
-    saveTokens(tokens);
+    tokens.email = loadTokens('google')?.email; // preserve email
+    saveTokens(tokens, 'google');
   }
 
   return tokens.access_token;
 }
+
+/**
+ * Check which providers are currently authenticated.
+ * @returns {{ google: boolean, microsoft: boolean }}
+ */
+export function getAuthenticatedProviders() {
+  return {
+    google: loadTokens('google') !== null,
+    microsoft: loadTokens('microsoft') !== null,
+  };
+}