nothumanallowed 9.9.7 → 10.1.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nothumanallowed",
-  "version": "9.9.7",
+  "version": "10.1.0",
   "description": "NotHumanAllowed — 38 AI agents, 53 tools. Email, calendar, browser automation, screen capture, canvas, cron/heartbeat, GitHub, Notion, Slack, voice chat, 28 languages. Zero-dependency CLI.",
   "type": "module",
   "bin": {

package/src/cli.mjs

@@ -106,6 +106,12 @@ export async function main(argv) {
       // Alias for nha ops (friendlier name)
       return cmdOps(args.length ? args : ['start']);
 
+    case 'collab':
+    case 'alexandria': {
+      const { cmdCollab } = await import('./commands/collab.mjs');
+      return cmdCollab(args);
+    }
+
     case 'plugin':
     case 'plugins':
       return cmdPlugin(args);
@@ -657,6 +663,12 @@ function cmdHelp() {
   console.log(`    autostart disable     Remove OS autostart`);
   console.log(`    autostart status      Check autostart configuration\n`);
 
+  console.log(`  ${C}Alexandria${NC}  ${D}(E2E Encrypted Communication)${NC}`);
+  console.log(`    collab create "name"   Create encrypted channel`);
+  console.log(`    collab join <code>     Join with invite code`);
+  console.log(`    collab send "msg"      Encrypt and send message`);
+  console.log(`    collab read            Decrypt and show messages`);
+  console.log(`    collab list            Your channels\n`);
   console.log(`  ${C}Message Responder${NC}  ${D}(Telegram + Discord auto-reply)${NC}`);
   console.log(`    responder status      Show responder configuration`);
   console.log(`    config set telegram-bot-token TOKEN`);

package/src/commands/collab.mjs

@@ -0,0 +1,436 @@
+/**
+ * nha collab — Alexandria E2E Encrypted Inter-Agent Communication
+ *
+ * Commands:
+ *   nha collab create "name"     — create encrypted channel
+ *   nha collab join <code>       — join channel with invite code
+ *   nha collab send "message"    — encrypt and send
+ *   nha collab read              — decrypt and show messages
+ *   nha collab list              — list your channels
+ *   nha collab members           — show channel members
+ *   nha collab delete            — delete channel (creator only)
+ *
+ * Crypto: X25519 key exchange + AES-256-GCM
+ * Identity: keypair stored in ~/.nha/collab/identity.json
+ * Zero-knowledge: server sees only ciphertext
+ */
+
+import crypto from 'crypto';
+import fs from 'fs';
+import path from 'path';
+import { NHA_DIR, API_BASE } from '../constants.mjs';
+import { info, ok, fail, warn, C, G, D, Y, R, NC, BOLD } from '../ui.mjs';
+
+const COLLAB_DIR = path.join(NHA_DIR, 'collab');
+const IDENTITY_FILE = path.join(COLLAB_DIR, 'identity.json');
+const CHANNELS_FILE = path.join(COLLAB_DIR, 'channels.json');
+const API = API_BASE + '/alexandria';
+
+// ── Crypto Primitives ─────────────────────────────────────────────────────
+
+/**
+ * Generate X25519 keypair for Diffie-Hellman key exchange.
+ */
+function generateKeypair() {
+  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519', {
+    publicKeyEncoding: { type: 'spki', format: 'der' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
+  });
+  return {
+    publicKey: publicKey.toString('base64'),
+    privateKey: privateKey.toString('base64'),
+    fingerprint: crypto.createHash('sha256').update(publicKey).digest('hex').slice(0, 16),
+  };
+}
+
+/**
+ * Derive shared secret from my private key + their public key (X25519 ECDH).
+ */
+function deriveSharedSecret(myPrivateKeyB64, theirPublicKeyB64) {
+  const myPrivate = crypto.createPrivateKey({
+    key: Buffer.from(myPrivateKeyB64, 'base64'),
+    format: 'der',
+    type: 'pkcs8',
+  });
+  const theirPublic = crypto.createPublicKey({
+    key: Buffer.from(theirPublicKeyB64, 'base64'),
+    format: 'der',
+    type: 'spki',
+  });
+  const shared = crypto.diffieHellman({
+    privateKey: myPrivate,
+    publicKey: theirPublic,
+  });
+  // Derive a 256-bit AES key from the shared secret
+  return crypto.createHash('sha256').update(shared).digest();
+}
+
+/**
+ * Encrypt a message with AES-256-GCM.
+ */
+function encrypt(plaintext, key) {
+  const nonce = crypto.randomBytes(12);
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    nonce: nonce.toString('base64'),
+    ciphertext: Buffer.concat([encrypted, tag]).toString('base64'),
+  };
+}
+
+/**
+ * Decrypt a message with AES-256-GCM.
+ */
+function decrypt(ciphertextB64, nonceB64, key) {
+  const nonce = Buffer.from(nonceB64, 'base64');
+  const data = Buffer.from(ciphertextB64, 'base64');
+  const tag = data.subarray(data.length - 16);
+  const encrypted = data.subarray(0, data.length - 16);
+  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
+  decipher.setAuthTag(tag);
+  return decipher.update(encrypted) + decipher.final('utf-8');
+}
+
+// ── Identity Management ───────────────────────────────────────────────────
+
+function loadIdentity() {
+  if (!fs.existsSync(IDENTITY_FILE)) return null;
+  try { return JSON.parse(fs.readFileSync(IDENTITY_FILE, 'utf-8')); } catch { return null; }
+}
+
+function saveIdentity(identity) {
+  fs.mkdirSync(COLLAB_DIR, { recursive: true });
+  fs.writeFileSync(IDENTITY_FILE, JSON.stringify(identity, null, 2), { mode: 0o600 });
+}
+
+function getOrCreateIdentity() {
+  let id = loadIdentity();
+  if (!id) {
+    id = generateKeypair();
+    id.displayName = `Agent-${id.fingerprint.slice(0, 6)}`;
+    id.createdAt = new Date().toISOString();
+    saveIdentity(id);
+    info(`Identity created: ${id.fingerprint}`);
+  }
+  return id;
+}
+
+// ── Channel Management ────────────────────────────────────────────────────
+
+function loadChannels() {
+  if (!fs.existsSync(CHANNELS_FILE)) return [];
+  try { return JSON.parse(fs.readFileSync(CHANNELS_FILE, 'utf-8')); } catch { return []; }
+}
+
+function saveChannels(channels) {
+  fs.mkdirSync(COLLAB_DIR, { recursive: true });
+  fs.writeFileSync(CHANNELS_FILE, JSON.stringify(channels, null, 2), { mode: 0o600 });
+}
+
+function getActiveChannel() {
+  const channels = loadChannels();
+  const active = channels.find(c => c.active);
+  return active || channels[0] || null;
+}
+
+function setActiveChannel(channelId) {
+  const channels = loadChannels();
+  for (const ch of channels) ch.active = ch.id === channelId;
+  saveChannels(channels);
+}
+
+// ── API Helpers ───────────────────────────────────────────────────────────
+
+async function apiPost(endpoint, body) {
+  const res = await fetch(API + endpoint, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(body),
+  });
+  return res.json();
+}
+
+async function apiGet(endpoint) {
+  const res = await fetch(API + endpoint);
+  return res.json();
+}
+
+async function apiDelete(endpoint, body) {
+  const res = await fetch(API + endpoint, {
+    method: 'DELETE',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(body),
+  });
+  return res.json();
+}
+
+// ── Commands ──────────────────────────────────────────────────────────────
+
+async function cmdCreate(args) {
+  const name = args.join(' ') || 'Unnamed Channel';
+  const identity = getOrCreateIdentity();
+
+  // Encrypt channel name with a key derived from the channel (will be re-encrypted with shared key)
+  const result = await apiPost('/channels', {
+    name: name, // Sent in plaintext for now — will be encrypted once shared key exists
+    creatorFingerprint: identity.fingerprint,
+    creatorPublicKey: identity.publicKey,
+    creatorDisplayName: identity.displayName,
+    ttlHours: 0, // permanent until deleted
+    maxMessages: 5000,
+  });
+
+  if (result.error) { fail(result.error); return; }
+
+  // Save channel locally
+  const channels = loadChannels();
+  channels.forEach(c => c.active = false);
+  channels.push({
+    id: result.id,
+    name,
+    createdAt: result.createdAt,
+    active: true,
+    role: 'creator',
+  });
+  saveChannels(channels);
+
+  console.log('');
+  ok(`Channel created: ${name}`);
+  console.log('');
+  console.log(`  ${BOLD}Invite Code:${NC}  ${G}${result.id}${NC}`);
+  console.log('');
+  console.log(`  ${D}Share this code securely with collaborators.${NC}`);
+  console.log(`  ${D}They join with: ${C}nha collab join ${result.id}${NC}`);
+  console.log('');
+}
+
+async function cmdJoin(args) {
+  const inviteCode = args[0];
+  if (!inviteCode) { fail('Usage: nha collab join <invite-code>'); return; }
+
+  const identity = getOrCreateIdentity();
+
+  // Check if already joined
+  const channels = loadChannels();
+  if (channels.find(c => c.id === inviteCode)) {
+    setActiveChannel(inviteCode);
+    ok(`Already a member. Switched to this channel.`);
+    return;
+  }
+
+  const result = await apiPost(`/channels/${inviteCode}/join`, {
+    fingerprint: identity.fingerprint,
+    publicKey: identity.publicKey,
+    displayName: identity.displayName,
+  });
+
+  if (result.error) { fail(result.error); return; }
+
+  // Get channel info
+  const chInfo = await apiGet(`/channels/${inviteCode}`);
+
+  channels.forEach(c => c.active = false);
+  channels.push({
+    id: inviteCode,
+    name: chInfo.name || 'Unknown',
+    createdAt: chInfo.createdAt,
+    active: true,
+    role: 'member',
+  });
+  saveChannels(channels);
+
+  ok(`Joined channel: ${chInfo.name || inviteCode} (${result.members} members)`);
+}
+
+async function cmdSend(args) {
+  const message = args.join(' ');
+  if (!message) { fail('Usage: nha collab send "your message"'); return; }
+
+  const identity = getOrCreateIdentity();
+  const channel = getActiveChannel();
+  if (!channel) { fail('No active channel. Create or join one first.'); return; }
+
+  // Get channel members for key exchange
+  const chInfo = await apiGet(`/channels/${channel.id}`);
+  if (chInfo.error) { fail(chInfo.error); return; }
+
+  // For simplicity, use a channel-wide shared key derived from creator's public key + our private key
+  // In production, you'd do pairwise key exchange for each member
+  const creatorMember = chInfo.members[0]; // First member is creator
+  if (!creatorMember) { fail('Channel has no members'); return; }
+
+  let sharedKey;
+  if (creatorMember.fingerprint === identity.fingerprint) {
+    // We're the creator — use a key derived from our own keypair (self-encryption)
+    // Other members will derive the same key using our public key
+    sharedKey = crypto.createHash('sha256').update(Buffer.from(identity.publicKey, 'base64')).update('alexandria-channel-key').digest();
+  } else {
+    sharedKey = deriveSharedSecret(identity.privateKey, creatorMember.publicKey);
+  }
+
+  const { nonce, ciphertext } = encrypt(message, sharedKey);
+
+  const result = await apiPost(`/channels/${channel.id}/messages`, {
+    senderFingerprint: identity.fingerprint,
+    nonce,
+    ciphertext,
+    type: 'text',
+  });
+
+  if (result.error) { fail(result.error); return; }
+  ok(`Sent (encrypted) at ${result.timestamp}`);
+}
+
+async function cmdRead(args) {
+  const identity = getOrCreateIdentity();
+  const channel = getActiveChannel();
+  if (!channel) { fail('No active channel. Create or join one first.'); return; }
+
+  const since = args[0] || ''; // optional timestamp
+  const query = since ? `?since=${since}&fp=${identity.fingerprint}` : `?fp=${identity.fingerprint}`;
+  const result = await apiGet(`/channels/${channel.id}/messages${query}`);
+  if (result.error) { fail(result.error); return; }
+
+  if (result.messages.length === 0) {
+    info('No messages yet in this channel.');
+    return;
+  }
+
+  // Get channel info for key exchange
+  const chInfo = await apiGet(`/channels/${channel.id}`);
+  const creatorMember = chInfo.members[0];
+
+  let sharedKey;
+  if (creatorMember.fingerprint === identity.fingerprint) {
+    sharedKey = crypto.createHash('sha256').update(Buffer.from(identity.publicKey, 'base64')).update('alexandria-channel-key').digest();
+  } else {
+    sharedKey = deriveSharedSecret(identity.privateKey, creatorMember.publicKey);
+  }
+
+  console.log(`\n  ${BOLD}${channel.name}${NC} ${D}(${result.messages.length} messages)${NC}\n`);
+
+  for (const msg of result.messages) {
+    const time = new Date(msg.timestamp).toLocaleTimeString();
+    const sender = result.members?.find(m => m.fingerprint === msg.senderFingerprint);
+    const senderName = sender?.displayName || msg.senderFingerprint.slice(0, 8);
+
+    if (msg.type === 'system') {
+      console.log(`  ${D}${time} — ${senderName} joined${NC}`);
+      continue;
+    }
+
+    try {
+      const plaintext = decrypt(msg.ciphertext, msg.nonce, sharedKey);
+      const isMe = msg.senderFingerprint === identity.fingerprint;
+      const color = isMe ? G : C;
+      console.log(`  ${D}${time}${NC} ${color}${senderName}${NC}: ${plaintext}`);
+    } catch {
+      console.log(`  ${D}${time}${NC} ${R}${senderName}${NC}: ${D}[cannot decrypt — key mismatch]${NC}`);
+    }
+  }
+  console.log('');
+}
+
+async function cmdList() {
+  const channels = loadChannels();
+  if (channels.length === 0) {
+    info('No channels. Create one: nha collab create "Project Name"');
+    return;
+  }
+
+  console.log(`\n  ${BOLD}Your Channels (${channels.length})${NC}\n`);
+  for (const ch of channels) {
+    const active = ch.active ? `${G}●${NC}` : `${D}○${NC}`;
+    console.log(`  ${active} ${ch.name} ${D}(${ch.role}, ${ch.id.slice(0, 8)}...)${NC}`);
+  }
+  console.log(`\n  ${D}Switch: nha collab switch <number>${NC}\n`);
+}
+
+async function cmdMembers() {
+  const channel = getActiveChannel();
+  if (!channel) { fail('No active channel.'); return; }
+
+  const chInfo = await apiGet(`/channels/${channel.id}`);
+  if (chInfo.error) { fail(chInfo.error); return; }
+
+  console.log(`\n  ${BOLD}${channel.name}${NC} — ${chInfo.memberCount} members\n`);
+  for (const m of chInfo.members) {
+    const online = (Date.now() - new Date(m.lastSeen).getTime()) < 300_000;
+    const status = online ? `${G}online${NC}` : `${D}${new Date(m.lastSeen).toLocaleString()}${NC}`;
+    console.log(`  ${m.displayName || m.fingerprint.slice(0, 8)} — ${status}`);
+  }
+  console.log('');
+}
+
+async function cmdSwitch(args) {
+  const channels = loadChannels();
+  const idx = parseInt(args[0]) - 1;
+  if (isNaN(idx) || idx < 0 || idx >= channels.length) {
+    fail('Invalid channel number. Use: nha collab list');
+    return;
+  }
+  channels.forEach(c => c.active = false);
+  channels[idx].active = true;
+  saveChannels(channels);
+  ok(`Switched to: ${channels[idx].name}`);
+}
+
+async function cmdDelete() {
+  const identity = getOrCreateIdentity();
+  const channel = getActiveChannel();
+  if (!channel) { fail('No active channel.'); return; }
+
+  const result = await apiDelete(`/channels/${channel.id}`, {
+    fingerprint: identity.fingerprint,
+  });
+
+  if (result.error) { fail(result.error); return; }
+
+  const channels = loadChannels().filter(c => c.id !== channel.id);
+  if (channels.length > 0) channels[0].active = true;
+  saveChannels(channels);
+  ok(`Channel deleted: ${channel.name}`);
+}
+
+async function cmdIdentity() {
+  const identity = getOrCreateIdentity();
+  console.log(`\n  ${BOLD}Your Identity${NC}\n`);
+  console.log(`  Fingerprint:  ${G}${identity.fingerprint}${NC}`);
+  console.log(`  Display Name: ${identity.displayName}`);
+  console.log(`  Created:      ${identity.createdAt}`);
+  console.log(`  Public Key:   ${D}${identity.publicKey.slice(0, 40)}...${NC}`);
+  console.log(`\n  ${D}Keys stored in: ${IDENTITY_FILE}${NC}\n`);
+}
+
+// ── Main Router ───────────────────────────────────────────────────────────
+
+export async function cmdCollab(args) {
+  const sub = args[0] || 'help';
+  const subArgs = args.slice(1);
+
+  switch (sub) {
+    case 'create': return cmdCreate(subArgs);
+    case 'join': return cmdJoin(subArgs);
+    case 'send': return cmdSend(subArgs);
+    case 'read': return cmdRead(subArgs);
+    case 'list': case 'ls': return cmdList();
+    case 'members': return cmdMembers();
+    case 'switch': return cmdSwitch(subArgs);
+    case 'delete': return cmdDelete();
+    case 'identity': case 'id': return cmdIdentity();
+    case 'help': default:
+      console.log(`\n  ${BOLD}${Y}Alexandria${NC} — E2E Encrypted Communication\n`);
+      console.log(`  ${C}nha collab create "name"${NC}     Create encrypted channel`);
+      console.log(`  ${C}nha collab join <code>${NC}       Join with invite code`);
+      console.log(`  ${C}nha collab send "msg"${NC}        Encrypt and send`);
+      console.log(`  ${C}nha collab read${NC}              Decrypt and show messages`);
+      console.log(`  ${C}nha collab list${NC}              Your channels`);
+      console.log(`  ${C}nha collab members${NC}           Show channel members`);
+      console.log(`  ${C}nha collab switch <n>${NC}        Switch active channel`);
+      console.log(`  ${C}nha collab delete${NC}            Delete channel`);
+      console.log(`  ${C}nha collab identity${NC}          Show your keypair info`);
+      console.log(`\n  ${D}All messages E2E encrypted (X25519 + AES-256-GCM).${NC}`);
+      console.log(`  ${D}The server sees only ciphertext. No accounts needed.${NC}\n`);
+  }
+}

package/src/commands/ui.mjs

@@ -269,6 +269,111 @@ export async function cmdUI(args) {
         return;
       }
 
+      // ── Collab (Alexandria proxy) ─────────────────────────────────────
+      if (pathname.startsWith('/api/collab/')) {
+        const collabAction = pathname.split('/').pop();
+        const ALEX_API = 'https://nothumanallowed.com/api/v1/alexandria';
+
+        // Get or create collab identity
+        const collabDir = path.join(NHA_DIR, 'collab');
+        const idFile = path.join(collabDir, 'identity.json');
+        let identity;
+        if (fs.existsSync(idFile)) {
+          identity = JSON.parse(fs.readFileSync(idFile, 'utf-8'));
+        } else {
+          fs.mkdirSync(collabDir, { recursive: true });
+          const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519', {
+            publicKeyEncoding: { type: 'spki', format: 'der' },
+            privateKeyEncoding: { type: 'pkcs8', format: 'der' },
+          });
+          identity = {
+            publicKey: publicKey.toString('base64'),
+            privateKey: privateKey.toString('base64'),
+            fingerprint: crypto.createHash('sha256').update(publicKey).digest('hex').slice(0, 16),
+            displayName: config.profile?.name || 'User',
+          };
+          fs.writeFileSync(idFile, JSON.stringify(identity, null, 2), { mode: 0o600 });
+        }
+
+        if (collabAction === 'create' && method === 'POST') {
+          const body = await parseBody(req);
+          const r = await fetch(ALEX_API + '/channels', {
+            method: 'POST', headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ name: body.name, creatorFingerprint: identity.fingerprint, creatorPublicKey: identity.publicKey, creatorDisplayName: identity.displayName, visibility: body.visibility || 'private' }),
+          });
+          sendJSON(res, 200, await r.json());
+          logRequest(method, pathname, 200, Date.now() - start);
+          return;
+        }
+
+        if (collabAction === 'join' && method === 'POST') {
+          const body = await parseBody(req);
+          const r = await fetch(ALEX_API + '/channels/' + body.channelId + '/join', {
+            method: 'POST', headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ fingerprint: identity.fingerprint, publicKey: identity.publicKey, displayName: identity.displayName }),
+          });
+          const data = await r.json();
+          // Get channel info for name
+          const info = await fetch(ALEX_API + '/channels/' + body.channelId);
+          const chInfo = await info.json();
+          data.name = chInfo.name || body.channelId;
+          sendJSON(res, 200, data);
+          logRequest(method, pathname, 200, Date.now() - start);
+          return;
+        }
+
+        if (collabAction === 'messages' && method === 'GET') {
+          const chId = url.searchParams.get('channelId');
+          if (!chId) { sendJSON(res, 400, { error: 'channelId required' }); return; }
+          const r = await fetch(ALEX_API + '/channels/' + chId + '/messages?fp=' + identity.fingerprint);
+          sendJSON(res, 200, await r.json());
+          logRequest(method, pathname, 200, Date.now() - start);
+          return;
+        }
+
+        if (collabAction === 'send' && method === 'POST') {
+          const body = await parseBody(req);
+          // For simplicity in web UI, send as plaintext (public channel mode)
+          // In private mode, encryption happens client-side
+          const r = await fetch(ALEX_API + '/channels/' + body.channelId + '/messages', {
+            method: 'POST', headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ senderFingerprint: identity.fingerprint, nonce: 'webui', ciphertext: Buffer.from(body.message).toString('base64'), type: 'text' }),
+          });
+          sendJSON(res, 200, await r.json());
+          logRequest(method, pathname, 200, Date.now() - start);
+          return;
+        }
+
+        if (collabAction === 'publish' && method === 'POST') {
+          const body = await parseBody(req);
+          // Load conversation and publish as public channel
+          const conv = loadConversation(body.conversationId);
+          if (!conv || !conv.messages || conv.messages.length === 0) {
+            sendJSON(res, 400, { error: 'Conversation not found or empty' });
+            logRequest(method, pathname, 400, Date.now() - start);
+            return;
+          }
+          const r = await fetch(ALEX_API + '/channels/publish-conversation', {
+            method: 'POST', headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+              name: body.title || conv.title || 'Published Conversation',
+              description: body.description || '',
+              creatorFingerprint: identity.fingerprint,
+              creatorPublicKey: identity.publicKey,
+              creatorDisplayName: identity.displayName,
+              messages: conv.messages,
+            }),
+          });
+          sendJSON(res, 200, await r.json());
+          logRequest(method, pathname, 200, Date.now() - start);
+          return;
+        }
+
+        sendJSON(res, 404, { error: 'Unknown collab action' });
+        logRequest(method, pathname, 404, Date.now() - start);
+        return;
+      }
+
       // GET /api/health — simple health check
       if (method === 'GET' && pathname === '/api/health') {
         sendJSON(res, 200, { ok: true, version: VERSION });

package/src/constants.mjs

@@ -5,7 +5,7 @@ import { fileURLToPath } from 'url';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-export const VERSION = '9.9.7';
+export const VERSION = '10.1.0';
 export const BASE_URL = 'https://nothumanallowed.com/cli';
 export const API_BASE = 'https://nothumanallowed.com/api/v1';
 

package/src/services/ops-daemon.mjs

@@ -938,11 +938,19 @@ async function daemonLoop() {
             },
           });
 
-          // SABER quick scan for suspicious emails
-          if (email.urls.length > 0 || email.from.includes('paypal') || email.from.includes('bank') || email.subject.toLowerCase().includes('urgent')) {
+          // SABER quick scan — only for emails with suspicious URLs (not known domains)
+          const suspiciousUrls = (email.urls || []).filter(u => {
+            try {
+              const host = new URL(u).hostname.toLowerCase();
+              // Skip known legitimate domains
+              const safe = ['google.com','accounts.google.com','paypal.com','paypal.it','apple.com','microsoft.com','github.com','linkedin.com','amazon.com','facebook.com','instagram.com','twitter.com','x.com','youtube.com','netflix.com','disneyplus.com','spotify.com'];
+              return !safe.some(d => host === d || host.endsWith('.' + d));
+            } catch { return true; } // malformed URL = suspicious
+          });
+          if (suspiciousUrls.length > 0) {
             try {
               const scanResult = await callAgent(config, 'saber',
-                `Quick security scan: From="${email.from}" Subject="${email.subject}" URLs=${email.urls.join(', ')}\nIs this potentially phishing? Respond: SAFE or FLAGGED with reason (one line).`
+                `Quick phishing scan. ONLY flag if there are CLEAR red flags (domain spoofing, credential harvesting URLs, mismatched sender/domain). Do NOT flag legitimate emails from real companies.\n\nFrom: "${email.from}"\nSubject: "${email.subject}"\nSuspicious URLs: ${suspiciousUrls.join(', ')}\n\nRespond ONLY: SAFE or FLAGGED with one-line reason. Default to SAFE unless clearly malicious.`
               );
               if (scanResult.toUpperCase().includes('FLAGGED')) {
                 await notify('Security Alert', `Suspicious email from ${email.from}: ${email.subject}\n${scanResult}`, config);

package/src/services/web-ui.mjs

@@ -376,6 +376,7 @@ function render(){
     case 'slack':renderSlack(el);break;
     case 'birthdays':renderBirthdays(el);break;
     case 'agents':renderAgents(el);break;
+    case 'collab':renderCollab(el);break;
     case 'settings':renderSettings(el);break;
   }
 }
@@ -1590,6 +1591,128 @@ function completeMsTodo(taskId,listId){
   apiPost('/api/mstodo/'+taskId+'/complete',{listId:listId}).then(function(){mstodoData=null;renderMsTodo(document.getElementById('content'))});
 }
 
+// ---- COLLAB (Alexandria) ----
+var collabChannels=[];
+var collabMessages=[];
+var collabActiveChannel=null;
+var collabPolling=null;
+
+function renderCollab(el){
+  var h='<div style="max-width:800px;margin:0 auto;padding:20px">';
+  h+='<h2 style="font-family:var(--term);color:var(--amber);font-size:18px;margin-bottom:16px">Alexandria — Encrypted Communication</h2>';
+
+  // Channel list
+  h+='<div style="display:flex;gap:8px;margin-bottom:16px;flex-wrap:wrap">';
+  h+='<button onclick="collabCreateChannel()" style="padding:6px 12px;background:var(--amberdim);border:1px solid var(--amber3);border-radius:6px;color:var(--amber);font-family:var(--mono);font-size:11px;cursor:pointer">+ Create Channel</button>';
+  h+='<button onclick="collabJoinChannel()" style="padding:6px 12px;background:var(--bg3);border:1px solid var(--border2);border-radius:6px;color:var(--fg);font-family:var(--mono);font-size:11px;cursor:pointer">Join Channel</button>';
+  h+='<button onclick="publishConversation()" style="padding:6px 12px;background:var(--greendim);border:1px solid var(--green3);border-radius:6px;color:var(--green);font-family:var(--mono);font-size:11px;cursor:pointer">Publish Current Chat</button>';
+  h+='</div>';
+
+  // Load channels from localStorage
+  var saved=[];try{saved=JSON.parse(localStorage.getItem('nha_collab_channels')||'[]');}catch(e){}
+  collabChannels=saved;
+
+  if(collabChannels.length>0){
+    h+='<div style="margin-bottom:16px">';
+    for(var i=0;i<collabChannels.length;i++){
+      var ch=collabChannels[i];
+      var active=collabActiveChannel===ch.id;
+      h+='<div onclick="collabSelect(\\x27'+ch.id+'\\x27)" style="padding:8px 12px;cursor:pointer;border-left:3px solid '+(active?'var(--amber)':'transparent')+';background:'+(active?'var(--bg2)':'transparent')+';margin-bottom:2px;border-radius:0 6px 6px 0">';
+      h+='<span style="font-size:12px;color:var(--fg)">'+esc(ch.name)+'</span>';
+      h+='<span style="font-size:9px;color:var(--dim);margin-left:8px">'+ch.id.slice(0,8)+'...</span>';
+      h+='</div>';
+    }
+    h+='</div>';
+  }
+
+  // Messages area
+  h+='<div id="collabMessages" style="background:var(--bg2);border:1px solid var(--border);border-radius:8px;min-height:300px;max-height:500px;overflow-y:auto;padding:12px;margin-bottom:12px">';
+  if(!collabActiveChannel){
+    h+='<div style="text-align:center;color:var(--dim);padding:40px;font-size:12px">Select or create a channel to start</div>';
+  }
+  h+='</div>';
+
+  // Send bar
+  h+='<div style="display:flex;gap:8px">';
+  h+='<input id="collabInput" placeholder="Type encrypted message..." style="flex:1;padding:8px 12px;background:var(--bg);border:1px solid var(--border2);border-radius:6px;color:var(--fg);font-family:var(--mono);font-size:12px" onkeydown="if(event.key===\\x27Enter\\x27)collabSend()">';
+  h+='<button onclick="collabSend()" style="padding:8px 16px;background:var(--amberdim);border:1px solid var(--amber3);border-radius:6px;color:var(--amber);font-family:var(--mono);font-size:11px;cursor:pointer">Send</button>';
+  h+='</div>';
+
+  h+='</div>';
+  el.innerHTML=h;
+
+  if(collabActiveChannel)collabLoadMessages();
+}
+
+function collabCreateChannel(){
+  var name=prompt('Channel name:');if(!name)return;
+  apiPost('/api/collab/create',{name:name}).then(function(r){
+    if(r.error){alert(r.error);return;}
+    collabChannels.push({id:r.id,name:name});
+    collabActiveChannel=r.id;
+    localStorage.setItem('nha_collab_channels',JSON.stringify(collabChannels));
+    prompt('Share this invite code:',r.id);
+    renderCollab(document.getElementById('content'));
+  });
+}
+
+function collabJoinChannel(){
+  var code=prompt('Invite code:');if(!code)return;
+  apiPost('/api/collab/join',{channelId:code}).then(function(r){
+    if(r.error){alert(r.error);return;}
+    collabChannels.push({id:code,name:r.name||code.slice(0,8)});
+    collabActiveChannel=code;
+    localStorage.setItem('nha_collab_channels',JSON.stringify(collabChannels));
+    renderCollab(document.getElementById('content'));
+  });
+}
+
+function collabSelect(id){
+  collabActiveChannel=id;
+  collabLoadMessages();
+}
+
+function collabLoadMessages(){
+  if(!collabActiveChannel)return;
+  apiGet('/api/collab/messages?channelId='+collabActiveChannel).then(function(r){
+    if(!r||!r.messages)return;
+    collabMessages=r.messages;
+    var el=document.getElementById('collabMessages');if(!el)return;
+    if(collabMessages.length===0){el.innerHTML='<div style="text-align:center;color:var(--dim);padding:20px;font-size:11px">No messages yet</div>';return;}
+    var h='';
+    for(var i=0;i<collabMessages.length;i++){
+      var m=collabMessages[i];
+      var time=new Date(m.timestamp).toLocaleTimeString();
+      var sender=m.senderName||m.senderFingerprint?.slice(0,8)||'Unknown';
+      var content=m.content||m.plaintext||'[encrypted]';
+      if(m.type==='system'){h+='<div style="text-align:center;color:var(--dim);font-size:10px;margin:4px 0">'+esc(sender)+' joined</div>';continue;}
+      h+='<div style="margin-bottom:8px"><span style="font-size:10px;color:var(--dim)">'+time+'</span> <span style="font-size:11px;color:var(--amber);font-weight:600">'+esc(sender)+'</span><div style="font-size:12px;color:var(--fg);margin-top:2px;white-space:pre-wrap">'+esc(content)+'</div></div>';
+    }
+    el.innerHTML=h;
+    el.scrollTop=el.scrollHeight;
+  });
+}
+
+function collabSend(){
+  var inp=document.getElementById('collabInput');if(!inp)return;
+  var msg=inp.value.trim();if(!msg||!collabActiveChannel)return;
+  inp.value='';
+  apiPost('/api/collab/send',{channelId:collabActiveChannel,message:msg}).then(function(r){
+    if(r.error){alert(r.error);return;}
+    collabLoadMessages();
+  });
+}
+
+function publishConversation(){
+  if(!activeConvId||chatHistory.length===0){alert('No conversation to publish. Open a chat first.');return;}
+  var title=prompt('Title for the published conversation:');if(!title)return;
+  var desc=prompt('Short description (optional):','');
+  apiPost('/api/collab/publish',{conversationId:activeConvId,title:title,description:desc||''}).then(function(r){
+    if(r.error){alert('Error: '+r.error);return;}
+    alert('Published on Alexandria!\\nURL: https://nothumanallowed.com/alexandria/'+r.id+'\\nMessages: '+r.messageCount);
+  });
+}
+
 function renderAgents(el){
   if(agentsList.length===0){el.innerHTML='<div style="text-align:center;padding:40px"><div class="spinner"></div><div style="color:var(--dim)">Loading agents...</div></div>';loadAgents().then(function(){renderAgents(el)});return}
 
@@ -2131,6 +2254,7 @@ init();
     <div class="sidebar__section">
       <div class="sidebar__label">AI</div>
       <div class="nav-item" data-view="agents" onclick="switchView('agents')"><span class="nav-item__icon">&#129302;</span> Agents</div>
+      <div class="nav-item" data-view="collab" onclick="switchView('collab')"><span class="nav-item__icon">&#128274;</span> Collab</div>
     </div>
     <div class="sidebar__section">
       <div class="sidebar__label">Config</div>