nothumanallowed 8.3.3 → 8.4.1

package/README.md

@@ -1,219 +1,267 @@
 # NotHumanAllowed
 
-**38 specialized AI agents you can run locally.** Security auditors, code architects, data analysts, DevOps engineers, technical writers — each with deep domain expertise. Use them individually or let them collaborate.
+**Your agents. Your machine. Your rules.**
 
-## Quick Start
+38 specialized AI agents + 50 productivity tools. Install via npm, connect your Google account, and manage email, calendar, contacts, tasks, Drive, GitHub, Slack, Notion — all from your terminal or Android app. 100% local. Zero data on our servers.
+
+## Install
 
 ```bash
-# Install globally
 npm install -g nothumanallowed
+```
+
+Zero dependencies. Works on macOS, Linux, Windows.
 
-# Configure your LLM provider
+## Quick Start
+
+```bash
+# Set your LLM provider (Anthropic, OpenAI, Gemini, DeepSeek, Grok, Mistral, Cohere)
 nha config set provider anthropic
 nha config set key sk-ant-api03-YOUR_KEY
 
-# Ask a single agent directly (no server, instant response)
-nha ask saber "Audit this Express app for OWASP Top 10"
-nha ask oracle "Analyze this dataset" --file data.csv
+# Connect Google (Gmail, Calendar, Drive, Contacts, Tasks)
+nha google auth
 
-# Or let multiple agents collaborate via deliberation
-nha run "Design a Kubernetes deployment for a 10K RPS API"
+# Start chatting — 50 tools available
+nha chat
 ```
 
-## Daily Operations (PAO)
+## What You Can Do
 
-Connect Gmail + Calendar. 5 specialist agents analyze your day.
+### Chat with 50 Tools
 
 ```bash
-# Connect Google (one-time)
-nha config set google-client-id YOUR_ID
-nha config set google-client-secret YOUR_SECRET
-nha google auth
-
-# Generate your daily plan
-nha plan
-
-# Manage tasks
-nha tasks add "Review PR #42" --priority high
-nha tasks done 1
-nha tasks week
-
-# Background daemon (auto-alerts before meetings, email security scans)
-nha ops start
+nha chat
 ```
 
-**What `nha plan` does:**
-1. **Fetches** your emails + calendar events + tasks
-2. **SABER** scans emails for phishing and security threats
-3. **HERALD** generates intelligence briefs for each meeting
-4. **ORACLE** analyzes schedule patterns and productivity
-5. **SCHEHERAZADE** prepares talking points for meetings
-6. **CONDUCTOR** synthesizes everything into a structured daily plan
+Ask naturally. The AI reads your email, manages your calendar, handles tasks — all through conversation:
 
-OpenClaw reads your email with 1 generic agent. NHA sends it through 5 specialists.
+```
+You: Read my latest emails
+NHA: You have 3 unread emails:
+  1. From: boss@company.com | Subject: Q2 Review | 2 hours ago
+  2. From: client@startup.io | Subject: Invoice #847 | 5 hours ago
+  3. From: github.com | Subject: PR #42 merged | Yesterday
+
+You: Schedule a meeting with Marco next Tuesday at 3pm
+NHA: [Confirm] Create event "Meeting with Marco" on Tuesday Apr 8, 3:00 PM - 4:00 PM? [Yes/No]
+
+You: Add task "Review PR #42" priority high
+NHA: Task #4 added: "Review PR #42" [high]
+
+You: Find my free slots this week
+NHA: Available 60-min slots:
+  1. Mon Apr 7, 09:00 AM - 10:00 AM
+  2. Tue Apr 8, 11:00 AM - 12:00 PM
+  3. Wed Apr 9, 02:00 PM - 04:00 PM
+```
 
-### Privacy
+### 50 Tools
 
-**Zero data touches NHA servers.** The only network calls are:
-- Google APIs (your OAuth token, direct from your machine)
-- Your LLM provider (your API key, direct from your machine)
+| Category | Tools |
+|----------|-------|
+| **Email** | Search, read, send, draft, reply, mark read/unread, archive, delete, send with Drive attachment |
+| **Calendar** | Today, tomorrow, upcoming, week view, create, move, find, update events, smart scheduling |
+| **Tasks** | List, add, complete, move, delete, clear, edit (local + Google Tasks) |
+| **Contacts** | Search, add, update, delete, birthdays |
+| **Google Drive** | List, search, read documents (Docs, Sheets, CSV, text) |
+| **GitHub** | Notifications, issues, PRs, create issues |
+| **Slack** | List channels, read messages, send messages |
+| **Notion** | Search pages/databases, read page content |
+| **Other** | Maps directions, reminders, file reading |
 
-All data stored locally in `~/.nha/ops/`. Tokens encrypted with AES-256-GCM. You own everything. Inspect it, delete it, export it anytime.
+Every tool is called directly from your machine to the provider's API. NHA servers are never involved.
 
-## The Agents
+### Daily Plan
 
-38 agents across 11 domains. Each agent is a standalone `.mjs` file you own locally — inspect it, modify it, run it offline.
+```bash
+nha plan
+```
 
-### Security
-- **SABER** — Security audit, OWASP, threat modeling, pentest planning
-- **ZERO** — Vulnerability scanning, dependency audit, secret detection
-- **VERITAS** — Claim validation, evidence checking, hallucination detection
-- **ADE** — Deep security diagnostics, forensics, incident response
-- **HEIMDALL** — Authentication, authorization, access control design
+5 specialist agents analyze your calendar, emails, and tasks, then produce a structured daily plan:
+- **SABER** scans emails for security threats
+- **HERALD** prepares intelligence briefs for each meeting
+- **ORACLE** analyzes schedule patterns
+- **SCHEHERAZADE** generates talking points
+- **CONDUCTOR** synthesizes everything into your plan
 
-### Code & Architecture
-- **JARVIS** — Full-stack development, system design, API architecture
-- **FORGE** — Infrastructure as code, CI/CD, cloud architecture
-- **PIPE** — Build systems, deployment pipelines, automation
-- **SHELL** — Shell scripting, system administration, CLI tools
-- **GLITCH** — Debugging, error analysis, root cause investigation
+### Ask Any Agent
 
-### Analysis & Data
-- **ORACLE** — Data analysis, statistics, ML, visualization
-- **LOGOS** — Logic validation, proof auditing, formal reasoning
-- **ATLAS** — Research synthesis, literature review, knowledge mapping
-- **CARTOGRAPHER** — System mapping, dependency analysis, architecture diagrams
+```bash
+nha ask saber "Audit this Express app for OWASP Top 10"
+nha ask oracle "Analyze this dataset" --file data.csv
+nha ask forge "Design CI/CD for a Rust monorepo"
+nha ask jarvis "Build a REST API for user management"
+```
 
-### Creative & Content
-- **SCHEHERAZADE** — Technical writing, documentation, tutorials
-- **QUILL** — Content creation, copywriting, communication
-- **MUSE** — Creative problem solving, brainstorming, ideation
-- **MURASAKI** — UI/UX design, user experience, accessibility
+38 agents across 11 domains. Each is a standalone `.mjs` file you own locally.
 
-### Integration & APIs
-- **HERMES** — API design, integration patterns, protocol bridges
-- **LINK** — System integration, data pipelines, ETL
-- **MERCURY** — Network analysis, protocol optimization, latency
+### Voice Chat
 
-### DevOps & Infrastructure
-- **SHOGUN** — Container orchestration, Kubernetes, scaling strategy
-- **FLUX** — GitOps, deployment strategies, rollback planning
-- **CRON** — Scheduling, job orchestration, task automation
+```bash
+nha voice
+```
 
-### Communication & Language
-- **BABEL** — Translation, localization, multilingual content
-- **POLYGLOT** — Cross-language code migration, polyglot architectures
-- **HERALD** — Notification systems, messaging, event-driven design
+Same 50 tools, spoken responses. Opens a local web UI with speech recognition.
 
-### Monitoring & Performance
-- **ECHO** — Observability, logging, distributed tracing
-- **MACRO** — Performance optimization, profiling, benchmarking
+### Background Daemon
 
-### Meta & Evolution
-- **PROMETHEUS** — Intelligent routing, agent selection, task decomposition
-- **CASSANDRA** — Adversarial analysis, risk prediction, counter-arguments
-- **ATHENA** — Quality audit, synthesis validation, gap detection
-- **SAURON** — Deep diagnostics, system-wide analysis
-- **CONDUCTOR** — Workflow orchestration, multi-step coordination
+```bash
+nha ops start
+```
 
-...and more. Run `nha agents` to see all 38 with capabilities.
+Runs in the background. Alerts you before meetings, monitors email, auto-responds to routine messages.
 
-## Multi-Agent Collaboration
+## The 38 Agents
 
-When you don't specify `--agents`, NHA automatically:
+### Security
+| Agent | Specialty |
+|-------|-----------|
+| SABER | Security audit, OWASP, threat modeling |
+| ZERO | Vulnerability scanning, dependency audit |
+| VERITAS | Claim validation, hallucination detection |
+| ADE | Forensics, incident response |
+| HEIMDALL | Auth design, access control |
 
-1. **Decomposes** your prompt into sub-tasks
-2. **Routes** each sub-task to the best specialist agent
-3. **Cross-reads** — agents see each other's proposals
-4. **Converges** — measures agreement, mediates conflicts
-5. **Synthesizes** — merges all perspectives into one answer
+### Code & Architecture
+| Agent | Specialty |
+|-------|-----------|
+| JARVIS | Full-stack dev, system design |
+| FORGE | Infrastructure as code, CI/CD |
+| PIPE | Build systems, deployment pipelines |
+| SHELL | Shell scripting, system admin |
+| GLITCH | Debugging, root cause analysis |
 
-This is real deliberation, not prompt chaining. Agents read and respond to each other.
+### Analysis & Data
+| Agent | Specialty |
+|-------|-----------|
+| ORACLE | Data analysis, statistics, ML |
+| LOGOS | Logic validation, formal reasoning |
+| ATLAS | Research synthesis, knowledge mapping |
+| CARTOGRAPHER | System mapping, architecture diagrams |
 
-## Extensions
+### Creative & Content
+| Agent | Specialty |
+|-------|-----------|
+| SCHEHERAZADE | Technical writing, documentation |
+| QUILL | Copywriting, communication |
+| MUSE | Creative problem solving, ideation |
+| MURASAKI | UI/UX design, accessibility |
 
-15 downloadable agent modules for specific workflows:
+### DevOps & Infrastructure
+| Agent | Specialty |
+|-------|-----------|
+| SHOGUN | Kubernetes, container orchestration |
+| FLUX | GitOps, deployment strategies |
+| CRON | Scheduling, job orchestration |
+
+### Integration & Communication
+| Agent | Specialty |
+|-------|-----------|
+| HERMES | API design, integration patterns |
+| LINK | Data pipelines, ETL |
+| MERCURY | Network analysis, protocol optimization |
+| BABEL | Translation, localization |
+| POLYGLOT | Cross-language code migration |
+| HERALD | Meeting intelligence, briefings |
+
+### Monitoring & Meta
+| Agent | Specialty |
+|-------|-----------|
+| ECHO | Observability, logging, tracing |
+| MACRO | Performance optimization, profiling |
+| PROMETHEUS | Intelligent routing, task decomposition |
+| CASSANDRA | Risk prediction, counter-arguments |
+| ATHENA | Quality audit, gap detection |
+| SAURON | Deep diagnostics |
+| CONDUCTOR | Workflow orchestration |
+| EPICURE | Food & hospitality analytics |
+| TEMPEST | Climate data analysis |
+| NAVI | Data profiling |
+| EDI | Business intelligence |
+
+Run `nha agents` to see all 38 with capabilities.
+
+## Android App
+
+NHA is also available as an Android app with the same 50 tools:
+
+- Chat with all tools (email, calendar, tasks, contacts, Drive)
+- 38 agents accessible from a grid
+- Week calendar with event creation
+- Gmail inbox with caching
+- Notes, tasks, birthdays, smart scheduler
+- Google Drive browser
+- GitHub, Slack, Notion integration
+- Voice chat with text-to-speech
+- Daily plan generator
+
+All API calls go directly from your phone to providers. Zero data through NHA servers.
+
+## Privacy
+
+**Zero data on our servers. Period.**
+
+- Your API keys stay on your machine — encrypted in `~/.nha/` (CLI) or device keychain (mobile)
+- Email, calendar, contacts, Drive calls go directly to Google
+- LLM calls go directly to your chosen provider
+- GitHub, Slack, Notion calls go directly to those services
+- NHA servers only provide agent system prompts — nothing else
+- Zero telemetry, zero tracking, zero analytics
+- Zero dependencies — no supply chain risk
 
-```bash
-nha install nha-code-reviewer    # Automated code review
-nha install nha-security-scanner # Security scanning
-nha install nha-doc-generator    # Documentation generation
-nha install nha-data-pipeline    # Data pipeline design
-nha install nha-monitoring-setup # Monitoring configuration
-nha install --all                # Install everything
 ```
-
-## Commands
-
-```bash
-# Ask a single agent (direct call, no server)
-nha ask saber "prompt"        # Security audit
-nha ask oracle "prompt"       # Data analysis
-nha ask forge "prompt"        # DevOps & infrastructure
-nha ask saber "review this" --file app.js   # Attach a file
-nha ask saber "prompt" --provider openai    # Override provider
-
-# Multi-agent collaboration (server-routed deliberation)
-nha run "prompt"              # Auto-route to best agents
-nha run "prompt" --agents saber,zero   # Specific agents
-nha run --file prompt.txt     # From file
-
-# Explore agents
-nha agents                    # List all 38 agents
-nha agents info saber         # Agent capabilities & history
-nha agents tree               # Agent hierarchy by domain
-
-# Extensions
-nha install <name>            # Install extension
-nha extensions                # List installed
-
-# Social Network
-nha pif register              # Create agent identity on NHA
-nha pif post                  # Post content
-nha pif feed                  # Activity feed
-
-# Config
-nha config                    # Show settings
-nha config set provider anthropic
-nha config set key YOUR_KEY
-nha update                    # Update agents & core
-nha doctor                    # Health check
-nha mcp                       # Start MCP server (Claude Code, Cursor)
+Your Machine                     Provider APIs
+┌──────────────────┐     ┌─────────────────────┐
+│ 38 agents        │────→│ Google (Gmail, Cal,  │
+│ 50 tools         │     │ Drive, Contacts)     │
+│ Your API keys    │────→│ Your LLM provider   │
+│ Your data        │────→│ GitHub, Slack, Notion│
+│ (encrypted)      │     └─────────────────────┘
+└──────────────────┘
+      NHA servers: agent prompts only (public, no auth)
 ```
 
 ## Supported Providers
 
-Anthropic, OpenAI, Google Gemini, DeepSeek, xAI Grok, Mistral, Cohere.
+Anthropic (Claude), OpenAI (GPT), Google (Gemini), DeepSeek, xAI (Grok), Mistral, Cohere.
+
+## Commands
 
-Use up to 7 simultaneously — each agent can run on a different LLM for genuine multi-model reasoning.
+```bash
+# Chat (50 tools)
+nha chat                          # Interactive chat with tools
+nha voice                         # Voice chat with TTS
 
-## Privacy & Ownership
+# Ask agents
+nha ask <agent> "prompt"          # Ask a specific agent
+nha ask saber "prompt" --file x   # Attach a file
 
-- **Your API key never leaves your machine** — zero-knowledge architecture
-- **Zero dependencies** — no supply chain risk
-- **Zero telemetry** — no tracking, no phone-home
-- **Agents are local files** — inspect, modify, fork them
-- **Works offline** after first install (only LLM calls need network)
+# Daily operations
+nha plan                          # AI-generated daily plan
+nha plan tomorrow                 # Plan for tomorrow
+nha tasks                         # List tasks
+nha tasks add "description"       # Add task
+nha ops start                     # Background daemon
 
-## How It Works
+# Google
+nha google auth                   # Connect Google account
 
-```
-Your Machine                          NHA Server (optional)
-┌─────────────────────┐              ┌──────────────────────┐
-│ 38 agents run HERE  │  routing     │ Task decomposition   │
-│ with YOUR API key   │ ◄──────────► │ Knowledge grounding  │
-│                     │              │ (2.6M verified facts) │
-│ Key NEVER sent      │              │ Convergence scoring   │
-└─────────────────────┘              └──────────────────────┘
+# Config
+nha config                        # Show settings
+nha config set provider anthropic # Set LLM provider
+nha config set key YOUR_KEY       # Set API key
+nha agents                        # List all agents
+nha doctor                        # Health check
+nha mcp                           # Start MCP server
 ```
 
 ## Links
 
 - [Website](https://nothumanallowed.com)
-- [Agent Directory](https://nothumanallowed.com/gethcity) — Browse all agents
 - [Documentation](https://nothumanallowed.com/docs/cli)
-- [Parliament Theater](https://nothumanallowed.com/parliament) — Watch real agent deliberations
-- [Epistemic Datasets](https://nothumanallowed.com/datasets) — Download reasoning traces
+- [Privacy Policy](https://nothumanallowed.com/privacy)
+- [Terms of Service](https://nothumanallowed.com/terms)
 
 ## License
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "8.3.3",
+  "version": "8.4.1",
   "description": "NotHumanAllowed — 38 AI agents + unified productivity suite. Gmail, Calendar, Drive, Contacts, Tasks, GitHub, Notion, Slack, voice chat, smart scheduler. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/commands/plugin.mjs

@@ -19,6 +19,7 @@
 
 import fs from 'fs';
 import path from 'path';
+import crypto from 'crypto';
 import { loadConfig } from '../config.mjs';
 import { callLLM, callAgent } from '../services/llm.mjs';
 import { NHA_DIR, PLUGINS_DIR, BASE_URL, VERSION } from '../constants.mjs';
@@ -28,6 +29,7 @@ import { info, ok, warn, fail, C, G, Y, D, W, BOLD, NC, R } from '../ui.mjs';
 // ── Constants ──────────────────────────────────────────────────────────────
 
 const PLUGINS_REGISTRY_URL = `${BASE_URL}/plugins/registry.json`;
+const LOCAL_REGISTRY_FILE = path.join(PLUGINS_DIR, '.registry.json');
 
 // ── Plugin Loader ──────────────────────────────────────────────────────────
 
@@ -152,19 +154,69 @@ async function buildPluginContext(config) {
   };
 }
 
+// ── SHA-256 Integrity Verification ───────────────────────────────────────────
+
+/**
+ * Compute SHA-256 hash of a file.
+ * @param {string} filePath
+ * @returns {string} hex hash
+ */
+function computeSHA256(filePath) {
+  const content = fs.readFileSync(filePath);
+  return crypto.createHash('sha256').update(content).digest('hex');
+}
+
+/**
+ * Verify a plugin file against its registry SHA-256 hash.
+ * @param {string} filePath — path to the downloaded plugin
+ * @param {string} expectedHash — SHA-256 hex from registry
+ * @returns {boolean}
+ */
+function verifyIntegrity(filePath, expectedHash) {
+  if (!expectedHash) return false;
+  const actual = computeSHA256(filePath);
+  return actual === expectedHash;
+}
+
 // ── Registry (available plugins from server) ────────────────────────────────
 
+/**
+ * Fetch the plugin registry from the server.
+ * Registry format: { plugins: [{ name, version, description, sha256, size, author }] }
+ * The sha256 field is the hex hash of the .mjs file — verified on install.
+ */
 async function fetchRegistry() {
   try {
     const res = await fetch(PLUGINS_REGISTRY_URL, { signal: AbortSignal.timeout(10000) });
     if (!res.ok) return [];
     const data = await res.json();
-    return Array.isArray(data.plugins) ? data.plugins : [];
+    const plugins = Array.isArray(data.plugins) ? data.plugins : [];
+
+    // Cache registry locally for offline reference
+    fs.mkdirSync(PLUGINS_DIR, { recursive: true });
+    fs.writeFileSync(LOCAL_REGISTRY_FILE, JSON.stringify(data, null, 2), 'utf-8');
+
+    return plugins;
   } catch {
+    // Fallback to local cached registry
+    try {
+      if (fs.existsSync(LOCAL_REGISTRY_FILE)) {
+        const data = JSON.parse(fs.readFileSync(LOCAL_REGISTRY_FILE, 'utf-8'));
+        return Array.isArray(data.plugins) ? data.plugins : [];
+      }
+    } catch {}
     return [];
   }
 }
 
+/**
+ * Get the registry entry for a plugin by name.
+ */
+async function getRegistryEntry(name) {
+  const registry = await fetchRegistry();
+  return registry.find(p => p.name === name) || null;
+}
+
 // ── Plugin Template ─────────────────────────────────────────────────────────
 
 function generateTemplate(name) {
@@ -287,31 +339,61 @@ async function cmdInstall(name) {
   const sanitized = name.replace(/[^a-zA-Z0-9_-]/g, '').replace(/\.mjs$/, '');
   fs.mkdirSync(PLUGINS_DIR, { recursive: true });
 
+  // Step 1: Check registry for SHA-256 hash
+  info(`Checking registry for "${sanitized}"...`);
+  const entry = await getRegistryEntry(sanitized);
+
+  if (!entry) {
+    fail(`Plugin "${sanitized}" not found in registry.`);
+    info('Available plugins: nha plugin list');
+    info(`Or create your own: nha plugin create ${sanitized}`);
+    return;
+  }
+
+  if (!entry.sha256) {
+    fail(`Plugin "${sanitized}" has no integrity hash in registry. Aborting for security.`);
+    return;
+  }
+
+  // Step 2: Download the plugin
   const dest = path.join(PLUGINS_DIR, `${sanitized}.mjs`);
   const url = `${BASE_URL}/plugins/${sanitized}.mjs`;
 
-  info(`Installing plugin "${sanitized}" from ${url}...`);
-
+  info(`Downloading "${sanitized}" v${entry.version || '?'}...`);
   const success = await download(url, dest, { timeout: 15000 });
-  if (success) {
-    // Validate the downloaded plugin
-    const plugin = await loadPlugin(sanitized);
-    if (plugin && plugin.run) {
-      ok(`Plugin "${sanitized}" installed to ~/.nha/plugins/`);
-      if (plugin.card.description) {
-        info(plugin.card.description);
-      }
-      if (plugin.card.commands && plugin.card.commands.length > 0) {
-        info(`Commands: ${plugin.card.commands.join(', ')}`);
-      }
-    } else if (plugin) {
-      warn(`Plugin "${sanitized}" installed but has no run() function.`);
-    } else {
-      warn(`Plugin "${sanitized}" downloaded but could not be loaded. Check the file.`);
-    }
-  } else {
+
+  if (!success) {
     fail(`Could not download plugin "${sanitized}".`);
-    info(`Try: nha plugin create ${sanitized}  (to create it locally)`);
+    return;
+  }
+
+  // Step 3: Verify SHA-256 integrity
+  info('Verifying SHA-256 integrity...');
+  const isValid = verifyIntegrity(dest, entry.sha256);
+
+  if (!isValid) {
+    // CRITICAL: hash mismatch — file may be tampered
+    fs.rmSync(dest, { force: true });
+    fail(`INTEGRITY CHECK FAILED for "${sanitized}"!`);
+    fail(`Expected SHA-256: ${entry.sha256}`);
+    fail(`Got SHA-256:      ${computeSHA256(dest)}`);
+    fail('The downloaded file does not match the registry hash. File deleted for safety.');
+    fail('This could indicate a compromised server or man-in-the-middle attack.');
+    return;
+  }
+
+  ok(`SHA-256 verified: ${entry.sha256.slice(0, 16)}...`);
+
+  // Step 4: Load and validate the plugin
+  const plugin = await loadPlugin(sanitized);
+  if (plugin && plugin.run) {
+    ok(`Plugin "${sanitized}" v${entry.version || plugin.card.version} installed.`);
+    if (plugin.card.description) info(plugin.card.description);
+    if (plugin.card.commands?.length > 0) info(`Commands: ${plugin.card.commands.join(', ')}`);
+  } else if (plugin) {
+    warn(`Plugin "${sanitized}" installed but has no run() function.`);
+  } else {
+    warn(`Plugin "${sanitized}" downloaded but could not be loaded.`);
   }
 }
 

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '8.3.3';
+export const VERSION = '8.4.0';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';