refactor: optimize startup, improve security, and simplify n8n configuration for v2 compatibility

.env.example

@@ -1,33 +1,10 @@
-# =============================================================================
-# Hugging8n — Environment Variables Reference
-# Copy to .env and fill in your values before running locally.
-# On HuggingFace Spaces, add Secrets and Variables in Settings → Variables and secrets.
-# =============================================================================
-
-# -----------------------------------------------------------------------------
-# REQUIRED — Basic Auth (set these as Secrets on HF Spaces)
-# -----------------------------------------------------------------------------
-
-# Username for n8n basic auth login
-N8N_BASIC_AUTH_USER=admin
-
-# Password for n8n basic auth login. REQUIRED to protect your instance.
-# Generate a strong password: openssl rand -base64 24
-N8N_BASIC_AUTH_PASSWORD=
-
-# -----------------------------------------------------------------------------
-# RECOMMENDED — Persistent Backup (set these as Secrets on HF Spaces)
-# -----------------------------------------------------------------------------
-
-# Your Hugging Face write token (to create/update the backup dataset)
-# Get one at: https://huggingface.co/settings/tokens
+# Your Hugging Face write token
 HF_TOKEN=
 
-# Your Hugging Face username (owner of the backup dataset)
-# If not set, inferred from SPACE_AUTHOR_NAME automatically on HF Spaces
+# Your Hugging Face username (inferred automatically on HF Spaces)
 HF_USERNAME=
 
-# Name of the private dataset repo used for backup (auto-created on first run)
+# Name of the private dataset repo used for backup
 BACKUP_DATASET_NAME=hugging8n-backup
 
 # How often to sync the backup, in seconds
@@ -37,59 +14,30 @@ SYNC_INTERVAL=180
 # OPTIONAL — n8n Configuration
 # -----------------------------------------------------------------------------
 
-# Timezone for n8n schedule triggers (e.g. Asia/Dhaka, Europe/London, US/Eastern)
+# Timezone for n8n triggers (e.g. Asia/Dhaka)
 GENERIC_TIMEZONE=UTC
 
 # n8n encryption key — protects stored credentials. Persisted in backup.
 # Generate with: openssl rand -hex 32
-# WARNING: if you lose this key and your backup, all credentials are lost.
 N8N_ENCRYPTION_KEY=
 
-# Override the auto-detected Space hostname (leave blank on HF Spaces)
-SPACE_HOST_OVERRIDE=
-
 # -----------------------------------------------------------------------------
-# OPTIONAL — Keep-Alive
+# ADVANCED — n8n Internals
 # -----------------------------------------------------------------------------
 
-# UptimeRobot Main API key for creating an external keep-alive monitor
-# Get one at: https://uptimerobot.com → My Settings → API Settings → Main API Key
-# This is NOT needed as a HF Space Secret — it's only used by setup-uptimerobot.sh
-UPTIMEROBOT_API_KEY=
-
-# Custom monitor name (defaults to "Hugging8n <space-host>")
-UPTIMEROBOT_MONITOR_NAME=
-
-# UptimeRobot ping interval in minutes (default: 5)
-UPTIMEROBOT_INTERVAL=5
-
-# Comma-separated UptimeRobot alert contact IDs (optional)
-UPTIMEROBOT_ALERT_CONTACTS=
-
-# -----------------------------------------------------------------------------
-# ADVANCED — n8n Internals (usually leave as defaults)
-# -----------------------------------------------------------------------------
-
-# Disable n8n basic auth (not recommended — leaves your instance unprotected)
-# N8N_BASIC_AUTH_ACTIVE=false
-
 # Internal n8n port (default: 5678)
 N8N_PORT=5678
 
 # Public proxy port exposed by HF Spaces (default: 7861)
 PUBLIC_PORT=7861
 
-# Disable n8n telemetry (default: false)
-N8N_DIAGNOSTICS_ENABLED=false
-
-# Disable n8n personalization prompts (default: false)
-N8N_PERSONALIZATION_ENABLED=false
+# Disable unnecessary services
+N8N_RUNNERS_ENABLED=false
+N8N_LICENSE_AUTO_RENEW_ENABLED=false
 
 # -----------------------------------------------------------------------------
 # BUILD-TIME VARIABLE (HF Spaces: add as Variable, not Secret)
 # -----------------------------------------------------------------------------
 
-# Pin a specific n8n version for reproducibility (default: latest)
-# Example: 1.90.0
-# On HF Spaces, add this as a Variable (not Secret) so it's passed as a build arg.
+# Pin a specific n8n version for reproducibility
 N8N_VERSION=latest

Dockerfile

@@ -37,5 +37,8 @@ USER node
 
 EXPOSE 7861
 
+HEALTHCHECK --interval=30s --timeout=5s --start-period=60s \
+  CMD curl -f http://localhost:7861/health || exit 1
+
 ENTRYPOINT ["/usr/bin/tini", "--"]
 CMD ["/home/node/app/start.sh"]

README.md

@@ -8,43 +8,22 @@ app_port: 7861
 pinned: true
 license: mit
 secrets:
-  - name: N8N_BASIC_AUTH_PASSWORD
-    description: Password to log in to your n8n instance. Required to protect your workflows.
   - name: HF_TOKEN
-    description: HuggingFace token with write access. Used for automatic backup of your workflows and credentials to a private dataset.
+    description: HuggingFace token with write access. Used for automatic backup.
 ---
 
-<!-- Badges -->
-[![GitHub Stars](https://img.shields.io/github/stars/somratpro/hugging8n?style=flat-square)](https://github.com/somratpro/Hugging8N)
-[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=flat-square)](https://opensource.org/licenses/MIT)
-[![HF Space](https://img.shields.io/badge/🤗%20HuggingFace-Space-blue?style=flat-square)](https://huggingface.co/spaces/somratpro/Hugging8n)
-[![n8n](https://img.shields.io/badge/n8n-workflow%20automation-orange?style=flat-square)](https://n8n.io)
+# ♾️ Hugging8n
 
-**Self-hosted n8n workflow automation — free, no server needed.** Hugging8n runs [n8n](https://n8n.io) on HuggingFace Spaces Docker, giving you a full-featured workflow automation platform with 400+ integrations. Your workflows, credentials, and settings are automatically backed up to a private HuggingFace Dataset so nothing is lost on restart.
-
-## Table of Contents
-
-- [✨ Features](#-features)
-- [🚀 Quick Start](#-quick-start)
-- [🔐 Authentication](#-authentication)
-- [💾 Persistent Backup](#-persistent-backup)
-- [💓 Staying Alive](#-staying-alive)
-- [🏗️ Architecture](#-architecture)
-- [💻 Local Development](#-local-development)
-- [🐛 Troubleshooting](#-troubleshooting)
-- [🤝 Contributing](#-contributing)
-- [📄 License](#-license)
+**Self-hosted n8n workflow automation — free, no server needed.** Hugging8n runs [n8n](https://n8n.io) on HuggingFace Spaces Docker, serving a premium dashboard at `/` and the n8n editor at `/app/`.
 
 ## ✨ Features
 
-- ⚡ **Zero Config:** Duplicate this Space, set your credentials, and n8n is running in minutes.
-- 🔌 **400+ Integrations:** Connect any service — HTTP, webhooks, databases, Slack, Gmail, GitHub, and more.
-- 💾 **Persistent Backup:** Workflows, credentials, and the SQLite database back up automatically to a private HF Dataset. Restored on every startup so nothing is lost.
-- 🔐 **Basic Auth:** n8n is protected by basic auth out of the box — just set your username and password.
-- 🐳 **Docker Native:** Runs on the free HF Spaces tier (2 vCPU, 16GB RAM) with SQLite — no external database needed.
-- ⏰ **External Keep-Alive:** Optional UptimeRobot integration to prevent free Space sleep.
-- 🌐 **Health Endpoint:** `/health` returns service and sync status for monitoring.
-- 🏠 **100% HF-Native:** Runs entirely on HuggingFace's free infrastructure.
+- ⚡ **Zero Config:** Duplicate this Space, set `HF_TOKEN`, and you're ready.
+- 💾 **Persistent Backup:** Workflows and credentials back up automatically to a private HF Dataset.
+- 🔐 **Secure by Default:** Uses n8n v2's built-in user management. No more insecure environment variables.
+- 🐳 **Docker Native:** Optimized for the free HF Spaces tier.
+- 🌐 **Dashboard UI:** Beautiful management interface at the root URL.
+- ⏰ **Built-in Keep-Alive:** Easily setup UptimeRobot from the dashboard.
 
 ## 🚀 Quick Start
 
@@ -52,173 +31,28 @@ secrets:
 
 [![Duplicate this Space](https://huggingface.co/datasets/huggingface/badges/resolve/main/duplicate-this-space-xl.svg)](https://huggingface.co/spaces/somratpro/Hugging8n?duplicate=true)
 
-Click the button above to duplicate the template into your own account.
-
-### Step 2: Add Your Secrets
-
-Navigate to your new Space's **Settings**, scroll to the **Variables and secrets** section, and add the following under **Secrets**:
-
-#### Required — Authentication
-
-| Secret | Description |
-| :--- | :--- |
-| `N8N_BASIC_AUTH_PASSWORD` | Password to log in to your n8n instance. Set this to protect your workflows. |
-
-#### Required — Persistent Backup *(Highly Recommended)*
-
-| Secret | Description |
-| :--- | :--- |
-| `HF_TOKEN` | HuggingFace token with write access. Get one at [hf.co/settings/tokens](https://huggingface.co/settings/tokens). |
-
-> [!TIP]
-> Without `HF_TOKEN`, n8n will still run, but workflows and credentials will be **lost every time the Space restarts**. It is strongly recommended to set this.
-
-#### Optional — Configuration
+### Step 2: Add Your HF_TOKEN
 
-| Variable / Secret | Default | Description |
-| :--- | :--- | :--- |
-| `N8N_BASIC_AUTH_USER` | `admin` | Username for n8n login |
-| `HF_USERNAME` | *(auto-detected)* | Your HF username, for naming the backup dataset |
-| `BACKUP_DATASET_NAME` | `hugging8n-backup` | Name of the private dataset repo for backup |
-| `SYNC_INTERVAL` | `180` | How often to back up, in seconds |
-| `GENERIC_TIMEZONE` | `UTC` | Timezone for schedule triggers (e.g. `Asia/Dhaka`) |
-| `N8N_ENCRYPTION_KEY` | *(auto-generated)* | Encryption key for stored credentials. Set explicitly so it survives Space rebuilds. |
+Add your HuggingFace token with **write** access to the Space Secrets. This enables automatic backup so your workflows aren't lost on restart.
 
-#### Build-Time Variable (add as Variable, not Secret)
+### Step 3: Set Up Auth
 
-| Variable | Default | Description |
-| :--- | :--- | :--- |
-| `N8N_VERSION` | `latest` | Pin a specific n8n version (e.g. `1.90.0`) for reproducibility |
-
-> [!IMPORTANT]
-> On HuggingFace Spaces, `N8N_VERSION` must be added as a **Variable** (not a Secret) so it is passed as a Docker build arg during image build.
-
-### Step 3: Deploy & Run
-
-That's it! The Space will build and start automatically. Watch progress in the **Logs** tab. First build takes a few minutes as n8n installs.
-
-### Step 4: Log In
-
-Once the Space is running, open it and log in with:
-- **Username:** the value of `N8N_BASIC_AUTH_USER` (default: `admin`)
-- **Password:** the value of `N8N_BASIC_AUTH_PASSWORD`
-
-> [!WARNING]
-> If you did not set `N8N_BASIC_AUTH_PASSWORD`, your n8n instance is **unprotected**. Anyone with the Space URL can access your workflows and credentials. Set this secret immediately.
+When the Space starts, visit the URL and click **Open n8n Editor**. On the first run, n8n will ask you to create an owner account. **This is your primary login.**
 
 ## 🔐 Authentication
 
-Hugging8n uses n8n's built-in basic auth to protect your instance. It is enabled by default.
-
-| Variable | Default | Description |
-| :--- | :--- | :--- |
-| `N8N_BASIC_AUTH_ACTIVE` | `true` | Set to `false` to disable basic auth (not recommended) |
-| `N8N_BASIC_AUTH_USER` | `admin` | Login username |
-| `N8N_BASIC_AUTH_PASSWORD` | *(none)* | Login password — **must be set** |
+Hugging8n uses n8n's native user management.
+1. The first person to visit `/app/` on a fresh install becomes the owner.
+2. If you are restoring from a backup, your existing user accounts will be active.
 
 ## 💾 Persistent Backup
 
-Hugging8n automatically backs up your entire n8n data directory (`/home/node/.n8n`) to a **private** HuggingFace Dataset.
-
-**What is backed up:**
-- All workflows
-- All credentials (encrypted)
-- SQLite database (hot-copy via `sqlite3 .backup`)
-- n8n encryption key
-- User data
-
-**How it works:**
-1. On startup: restore from dataset (if it exists)
-2. Every `SYNC_INTERVAL` seconds: detect changes and upload
-3. On shutdown (`SIGTERM`): run a final backup before exiting
-
-| Variable | Default | Description |
-| :--- | :--- | :--- |
-| `HF_TOKEN` | — | HF write token |
-| `HF_USERNAME` | *(auto)* | Dataset owner username |
-| `BACKUP_DATASET_NAME` | `hugging8n-backup` | Dataset repo name |
-| `SYNC_INTERVAL` | `180` | Backup interval in seconds |
-
-> [!TIP]
-> Set `N8N_ENCRYPTION_KEY` explicitly. If n8n auto-generates it and the Space is rebuilt (not just restarted), the key will be different and your backed-up credentials will be unreadable.
-
-## 💓 Staying Alive *(Recommended on Free HF Spaces)*
-
-Free HF Spaces sleep after periods of inactivity. Set up an external UptimeRobot monitor to keep yours awake.
-
-1. Create a free account at [uptimerobot.com](https://uptimerobot.com)
-2. Get your **Main API Key** from My Settings → API Settings
-3. Run the helper script:
-   ```bash
-   UPTIMEROBOT_API_KEY=your-key ./setup-uptimerobot.sh your-space.hf.space
-   ```
-4. UptimeRobot will ping `/health` every 5 minutes from outside HF, keeping the Space awake.
-
-> [!NOTE]
-> This works for **public** Spaces only. Private Spaces cannot be pinged by external monitors.
+Your data is synced to a private dataset named `hugging8n-backup` in your HF account.
 
 ## 🏗️ Architecture
 
-```
-Hugging8n/
-├── Dockerfile           # Builds on node:22-slim, installs n8n + Python sync
-├── start.sh             # Startup orchestrator: restore → sync loop → proxy → n8n
-├── n8n-sync.py          # Backup/restore via huggingface_hub
-├── health-server.js     # HTTP + WebSocket reverse proxy (port 7861 → 5678)
-├── setup-uptimerobot.sh # One-shot UptimeRobot monitor creation
-├── .env.example         # All environment variable documentation
-└── README.md            # This file
-```
-
-**Startup sequence:**
-1. Read environment variables and set n8n config
-2. Warn if `N8N_BASIC_AUTH_PASSWORD` is not set
-3. Restore backup from HF Dataset (if `HF_TOKEN` is set)
-4. Start backup sync loop in background
-5. Start health/proxy server on port 7861
-6. Start n8n on port 5678
-7. On `SIGTERM` / `SIGINT`: final backup + clean exit
-
-## 💻 Local Development
-
-```bash
-git clone https://github.com/somratpro/Hugging8N.git
-cd Hugging8N
-cp .env.example .env
-# Fill in N8N_BASIC_AUTH_PASSWORD and optionally HF_TOKEN
-```
-
-**With Docker:**
-
-```bash
-docker build -t hugging8n .
-docker run -p 7861:7861 --env-file .env hugging8n
-```
-
-Then open `http://localhost:7861`.
-
-**Pin an n8n version:**
-
-```bash
-docker build --build-arg N8N_VERSION=1.90.0 -t hugging8n .
-```
-
-## 🐛 Troubleshooting
-
-- **Can't log in:** Make sure `N8N_BASIC_AUTH_PASSWORD` is set in Secrets. Default username is `admin`.
-- **Workflows lost after restart:** Set `HF_TOKEN` and `HF_USERNAME` so the backup dataset is created and restored.
-- **n8n editor shows "disconnected":** The WebSocket proxy may not have connected yet — wait a few seconds and refresh. Check Space logs for errors.
-- **Space keeps sleeping:** Use `setup-uptimerobot.sh` to set up an external keep-alive monitor.
-- **Credentials unreadable after rebuild:** Make sure `N8N_ENCRYPTION_KEY` is set explicitly as a Secret. If it was auto-generated, it changes on rebuild.
-- **Build fails:** If you pinned `N8N_VERSION`, verify the version exists at [npmjs.com/package/n8n](https://www.npmjs.com/package/n8n?activeTab=versions).
-- **Backup failing:** Check Space logs for `Sync failed`. Verify `HF_TOKEN` has write access and `HF_USERNAME` is correct.
-
-## 🤝 Contributing
-
-Contributions are welcome! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
-
-## 📄 License
-
-MIT — see [LICENSE](LICENSE) for details.
+- `/` : Premium Dashboard (Status, Uptime, Keep-Alive setup)
+- `/app/` : n8n Workflow Editor
+- `/health` : Health check endpoint
 
 *Made with ❤️ by [@somratpro](https://github.com/somratpro)*

health-server.js

@@ -1,109 +1,266 @@
 const http = require("http");
-const net = require("net");
+const https = require("https");
 const fs = require("fs");
+const net = require("net");
 
-const PUBLIC_PORT = Number(process.env.PUBLIC_PORT || 7861);
+const PORT = Number(process.env.PUBLIC_PORT || 7861);
 const TARGET_PORT = Number(process.env.N8N_PORT || 5678);
 const TARGET_HOST = "127.0.0.1";
-const STATUS_FILE = "/tmp/hugging8n-sync-status.json";
+const SYNC_STATUS_FILE = "/tmp/hugging8n-sync-status.json";
+const APP_BASE = "/app";
+const startTime = Date.now();
 
-function getStatus() {
+function parseRequestUrl(url) {
   try {
-    return JSON.parse(fs.readFileSync(STATUS_FILE, "utf8"));
+    return new URL(url, "http://localhost");
   } catch {
-    return {
-      status: "unknown",
-      message: "No sync status yet",
-      timestamp: new Date().toISOString(),
-    };
+    return new URL("http://localhost/");
   }
 }
 
-function writeJson(res, statusCode, payload) {
-  res.writeHead(statusCode, { "content-type": "application/json; charset=utf-8" });
-  res.end(JSON.stringify(payload));
+function getStatus() {
+  try {
+    if (fs.existsSync(SYNC_STATUS_FILE)) {
+      return JSON.parse(fs.readFileSync(SYNC_STATUS_FILE, "utf8"));
+    }
+  } catch {}
+  return { status: "unknown", message: "Initial startup...", timestamp: new Date().toISOString() };
 }
 
-function buildHeaders(req) {
-  return {
-    ...req.headers,
-    host: req.headers.host || "",
-    "x-forwarded-for": req.socket.remoteAddress || "",
-    "x-forwarded-host": req.headers.host || "",
-    "x-forwarded-proto": req.headers["x-forwarded-proto"] || "https",
+function renderDashboard(data) {
+  const syncBadge = (status) => {
+    let cls = "status-offline";
+    if (status === "success" || status === "configured" || status === "restored") cls = "status-online";
+    if (status === "syncing" || status === "restoring") cls = "status-syncing";
+    return `<div class="status-badge ${cls}">${cls === 'status-online' ? '<div class="pulse"></div>' : ''}${String(status).toUpperCase()}</div>`;
   };
+
+  const keepAwakeHtml = data.isPrivate 
+    ? `<div class="helper-summary"><strong>Private Space detected.</strong> External monitors cannot access private health URLs.</div>`
+    : `
+        <div id="uptimerobot-flow">
+            <div class="helper-summary" id="uptimerobot-summary">Setup a free monitor to prevent this Space from sleeping.</div>
+            <button id="uptimerobot-toggle" class="helper-toggle">Set Up Monitor</button>
+            <div id="uptimerobot-shell" class="hidden" style="margin-top:12px">
+                <input id="uptimerobot-key" class="helper-input" type="password" placeholder="UptimeRobot Main API Key">
+                <button id="uptimerobot-btn" class="helper-button">Create Monitor</button>
+            </div>
+        </div>
+    `;
+
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Hugging8n Dashboard</title>
+    <link href="https://fonts.googleapis.com/css2?family=Outfit:wght@300;400;600&display=swap" rel="stylesheet">
+    <style>
+        :root { --bg: #0f172a; --card: rgba(30, 41, 59, 0.7); --accent: linear-gradient(135deg, #3b82f6, #8b5cf6); --text: #f8fafc; --text-dim: #94a3b8; --success: #10b981; --error: #ef4444; }
+        * { box-sizing: border-box; margin: 0; padding: 0; }
+        body { font-family: 'Outfit', sans-serif; background: var(--bg); color: var(--text); display: flex; justify-content: center; min-height: 100vh; padding: 40px 20px; background-image: radial-gradient(at 0% 0%, rgba(59, 130, 246, 0.15) 0px, transparent 50%), radial-gradient(at 100% 0%, rgba(139, 92, 246, 0.15) 0px, transparent 50%); }
+        .dashboard { width: 100%; max-width: 600px; background: var(--card); backdrop-filter: blur(12px); border: 1px solid rgba(255, 255, 255, 0.1); border-radius: 24px; padding: 40px; box-shadow: 0 25px 50px -12px rgba(0,0,0,0.5); }
+        h1 { font-size: 2.2rem; margin-bottom: 8px; background: var(--accent); -webkit-background-clip: text; -webkit-text-fill-color: transparent; text-align: center; }
+        .subtitle { color: var(--text-dim); text-align: center; font-size: 0.9rem; margin-bottom: 40px; text-transform: uppercase; letter-spacing: 1px; }
+        .stats { display: grid; grid-template-columns: 1fr 1fr; gap: 16px; margin-bottom: 24px; }
+        .card { background: rgba(255,255,255,0.03); border: 1px solid rgba(255,255,255,0.05); padding: 20px; border-radius: 16px; }
+        .label { color: var(--text-dim); font-size: 0.75rem; text-transform: uppercase; margin-bottom: 8px; display: block; }
+        .value { font-size: 1.1rem; font-weight: 600; }
+        .btn { display: block; background: var(--accent); color: #fff; padding: 16px; border-radius: 16px; text-align: center; text-decoration: none; font-weight: 600; margin-top: 8px; transition: transform 0.2s; box-shadow: 0 10px 20px -5px rgba(59, 130, 246, 0.4); }
+        .btn:hover { transform: scale(1.02); }
+        .status-badge { display: inline-flex; align-items: center; gap: 6px; padding: 4px 12px; border-radius: 20px; font-size: 0.8rem; font-weight: 600; }
+        .status-online { background: rgba(16, 185, 129, 0.1); color: var(--success); }
+        .status-syncing { background: rgba(59, 130, 246, 0.1); color: #3b82f6; }
+        .status-offline { background: rgba(239, 68, 68, 0.1); color: var(--error); }
+        .pulse { width: 8px; height: 8px; border-radius: 50%; background: currentColor; animation: pulse 2s infinite; }
+        @keyframes pulse { 0% { box-shadow: 0 0 0 0 rgba(16, 185, 129, 0.7); } 70% { box-shadow: 0 0 0 10px rgba(16, 185, 129, 0); } 100% { box-shadow: 0 0 0 0 rgba(16, 185, 129, 0); } }
+        .helper-input { width: 100%; background: rgba(255,255,255,0.05); border: 1px solid rgba(255,255,255,0.1); color: #fff; padding: 12px; border-radius: 12px; margin-bottom: 12px; }
+        .helper-button { background: var(--accent); color: #fff; border: 0; padding: 12px; border-radius: 12px; cursor: pointer; width: 100%; font-weight: 600; }
+        .helper-toggle { background: rgba(255,255,255,0.05); color: #fff; border: 1px solid rgba(255,255,255,0.1); padding: 8px 16px; border-radius: 12px; cursor: pointer; font-size: 0.85rem; }
+        .hidden { display: none; }
+        .helper-summary { background: rgba(255,255,255,0.03); padding: 12px; border-radius: 12px; font-size: 0.85rem; color: var(--text-dim); margin-bottom: 12px; }
+        .helper-result { margin-top: 12px; font-size: 0.85rem; padding: 10px; border-radius: 8px; display: none; }
+        .helper-result.ok { display: block; background: rgba(16, 185, 129, 0.1); color: var(--success); }
+        .helper-result.error { display: block; background: rgba(239, 68, 68, 0.1); color: var(--error); }
+    </style>
+</head>
+<body>
+    <div class="dashboard">
+        <h1>♾️ Hugging8n</h1>
+        <p class="subtitle">Workflow Automation Space</p>
+        
+        <div class="stats">
+            <div class="card"><span class="label">Uptime</span><span class="value" id="uptime">${data.uptimeHuman}</span></div>
+            <div class="card"><span class="label">n8n Port</span><span class="value">${TARGET_PORT}</span></div>
+        </div>
+
+        <div class="card" style="margin-bottom:16px">
+            <div style="display:flex; justify-content:space-between; align-items:center; margin-bottom:12px">
+                <span class="label" style="margin-bottom:0">Sync Status</span>
+                <div id="sync-badge">${syncBadge(data.sync.status)}</div>
+            </div>
+            <div style="font-size:0.85rem; color:var(--text-dim)">
+                Last Activity: <span id="sync-time" style="color:var(--text)">${data.sync.timestamp}</span>
+                <div id="sync-msg" style="margin-top:4px">${data.sync.message}</div>
+            </div>
+        </div>
+
+        <a href="/app/" class="btn">Open n8n Editor</a>
+
+        <div class="card" style="margin-top:24px">
+            <span class="label">Keep Alive</span>
+            ${keepAwakeHtml}
+            <div id="uptimerobot-result" class="helper-result"></div>
+        </div>
+    </div>
+
+    <script>
+        async function refresh() {
+            try {
+                const res = await fetch('/status' + window.location.search);
+                const d = await res.json();
+                document.getElementById('uptime').textContent = d.uptime;
+                document.getElementById('sync-time').textContent = d.sync.timestamp;
+                document.getElementById('sync-msg').textContent = d.sync.message;
+                
+                const s = d.sync.status;
+                let cls = "status-offline";
+                if (s === "success" || s === "configured" || s === "restored") cls = "status-online";
+                if (s === "syncing" || s === "restoring") cls = "status-syncing";
+                document.getElementById('sync-badge').innerHTML = '<div class="status-badge ' + cls + '">' + (cls === 'status-online' ? '<div class="pulse"></div>' : '') + s.toUpperCase() + '</div>';
+            } catch (e) {}
+        }
+        setInterval(refresh, 5000);
+
+        const toggle = document.getElementById('uptimerobot-toggle');
+        if (toggle) {
+            toggle.onclick = () => document.getElementById('uptimerobot-shell').classList.toggle('hidden');
+            document.getElementById('uptimerobot-btn').onclick = async () => {
+                const key = document.getElementById('uptimerobot-key').value;
+                const res = document.getElementById('uptimerobot-result');
+                if (!key) return;
+                res.className = 'helper-result'; res.textContent = 'Creating...'; res.style.display = 'block';
+                try {
+                    const r = await fetch('/uptimerobot/setup' + window.location.search, {
+                        method: 'POST',
+                        headers: { 'Content-Type': 'application/json' },
+                        body: JSON.stringify({ apiKey: key })
+                    });
+                    const data = await r.json();
+                    res.className = 'helper-result ' + (r.ok ? 'ok' : 'error');
+                    res.textContent = data.message;
+                } catch (e) { res.className = 'helper-result error'; res.textContent = 'Connection failed'; }
+            };
+        }
+    </script>
+</body>
+</html>`;
 }
 
-const server = http.createServer((req, res) => {
-  if (req.url === "/health") {
-    return writeJson(res, 200, {
-      ok: true,
-      service: "hugging8n",
-      n8nPort: TARGET_PORT,
-      ...getStatus(),
+async function resolveSpaceIsPrivate(req) {
+  const params = new URLSearchParams(parseRequestUrl(req.url).search);
+  const token = params.get("__sign");
+  if (!token) return false;
+  try {
+    const payload = JSON.parse(Buffer.from(token.split(".")[1], "base64").toString());
+    const sub = payload.sub || "";
+    const match = sub.match(/^\/spaces\/([^/]+)\/([^/]+)$/);
+    if (!match) return false;
+    return new Promise((resolve) => {
+      https.get(`https://huggingface.co/api/spaces/${match[1]}/${match[2]}`, { headers: { "User-Agent": "Hugging8n" } }, (res) => {
+        resolve(res.statusCode === 401 || res.statusCode === 403 || res.statusCode === 404);
+      }).on("error", () => resolve(false));
     });
+  } catch { return false; }
+}
+
+const server = http.createServer(async (req, res) => {
+  const url = parseRequestUrl(req.url);
+  const pathname = url.pathname;
+
+  if (pathname === "/health") {
+    res.writeHead(200, { "Content-Type": "application/json" });
+    return res.end(JSON.stringify({ status: "ok", ...getStatus() }));
   }
 
-  if (req.url === "/status") {
-    return writeJson(res, 200, getStatus());
+  if (pathname === "/status") {
+    const uptime = Math.floor((Date.now() - startTime) / 1000);
+    return res.end(JSON.stringify({
+      uptime: `${Math.floor(uptime/3600)}h ${Math.floor((uptime%3600)/60)}m`,
+      sync: getStatus()
+    }));
   }
 
-  const upstream = http.request(
-    {
-      hostname: TARGET_HOST,
-      port: TARGET_PORT,
-      path: req.url,
-      method: req.method,
-      headers: buildHeaders(req),
-    },
-    (upstreamRes) => {
-      res.writeHead(upstreamRes.statusCode || 502, upstreamRes.headers);
-      upstreamRes.pipe(res);
-    },
-  );
-
-  upstream.on("error", (error) => {
-    writeJson(res, 502, {
-      ok: false,
-      error: "upstream_unavailable",
-      detail: error.message,
+  if (pathname === "/uptimerobot/setup" && req.method === "POST") {
+    let body = "";
+    req.on("data", c => body += c);
+    req.on("end", async () => {
+      try {
+        const { apiKey } = JSON.parse(body);
+        const host = req.headers.host;
+        const monitorUrl = `https://${host}/health`;
+        const post = (p, d) => new Promise((res, rej) => {
+          const r = https.request({ hostname: "api.uptimerobot.com", port: 443, path: p, method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } }, r => {
+            let b = ""; r.on("data", c => b += c); r.on("end", () => res(JSON.parse(b)));
+          }); r.on("error", rej); r.write(new URLSearchParams(d).toString()); r.end();
+        });
+        
+        const existing = await post("/v2/getMonitors", { api_key: apiKey, format: "json" });
+        if (existing.monitors?.some(m => m.url === monitorUrl)) {
+          res.writeHead(200); return res.end(JSON.stringify({ message: "Monitor already exists." }));
+        }
+        const created = await post("/v2/newMonitor", { api_key: apiKey, format: "json", type: "1", friendly_name: `Hugging8n ${host}`, url: monitorUrl, interval: "300" });
+        if (created.stat === "ok") {
+          res.writeHead(200); return res.end(JSON.stringify({ message: "Monitor created successfully!" }));
+        }
+        res.writeHead(400); res.end(JSON.stringify({ message: created.error?.message || "Failed to create monitor." }));
+      } catch (e) { res.writeHead(400); res.end(JSON.stringify({ message: "Invalid request." })); }
     });
+    return;
+  }
+
+  if (pathname === "/" || pathname === "/dashboard") {
+    const uptime = Math.floor((Date.now() - startTime) / 1000);
+    const isPrivate = await resolveSpaceIsPrivate(req);
+    res.writeHead(200, { "Content-Type": "text/html" });
+    return res.end(renderDashboard({
+      uptimeHuman: `${Math.floor(uptime/3600)}h ${Math.floor((uptime%3600)/60)}m`,
+      sync: getStatus(),
+      isPrivate
+    }));
+  }
+
+  // Proxy to n8n
+  const proxyPath = pathname.startsWith(APP_BASE) ? pathname.slice(APP_BASE.length) || "/" : pathname;
+  const proxyHeaders = { ...req.headers, host: `127.0.0.1:${TARGET_PORT}`, "x-forwarded-for": req.socket.remoteAddress, "x-forwarded-proto": "https" };
+  
+  const proxyReq = http.request({ hostname: TARGET_HOST, port: TARGET_PORT, path: proxyPath + url.search, method: req.method, headers: proxyHeaders }, (proxyRes) => {
+    res.writeHead(proxyRes.statusCode, proxyRes.headers);
+    proxyRes.pipe(res);
+  });
+
+  proxyReq.on("error", () => {
+    res.writeHead(503, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ status: "starting", message: "n8n is initializing, please wait..." }));
   });
 
-  req.pipe(upstream);
+  req.pipe(proxyReq);
 });
 
 server.on("upgrade", (req, socket, head) => {
-  const upstream = net.connect(TARGET_PORT, TARGET_HOST, () => {
-    const headers = {
-      ...req.headers,
-      host: `${TARGET_HOST}:${TARGET_PORT}`,
-      "x-forwarded-for": req.socket.remoteAddress || "",
-      "x-forwarded-host": req.headers.host || "",
-      "x-forwarded-proto": req.headers["x-forwarded-proto"] || "https",
-      upgrade: req.headers.upgrade || "websocket",
-      connection: "Upgrade",
-    };
-
-    const headerLines = Object.entries(headers)
-      .map(([key, value]) => `${key}: ${value}`)
-      .join("\r\n");
-
-    upstream.write(
-      `${req.method} ${req.url} HTTP/${req.httpVersion}\r\n` +
-        headerLines +
-        "\r\n\r\n",
-    );
-
-    if (head && head.length) upstream.write(head);
-    upstream.pipe(socket);
-    socket.pipe(upstream);
+  const url = parseRequestUrl(req.url);
+  const proxyPath = url.pathname.startsWith(APP_BASE) ? url.pathname.slice(APP_BASE.length) || "/" : url.pathname;
+  const proxySocket = net.connect(TARGET_PORT, TARGET_HOST, () => {
+    proxySocket.write(`${req.method} ${proxyPath}${url.search} HTTP/${req.httpVersion}\r\n`);
+    for (let i = 0; i < req.rawHeaders.length; i += 2) {
+      proxySocket.write(`${req.rawHeaders[i]}: ${req.rawHeaders[i+1]}\r\n`);
+    }
+    proxySocket.write("\r\n");
+    if (head && head.length) proxySocket.write(head);
+    proxySocket.pipe(socket).pipe(proxySocket);
   });
-
-  upstream.on("error", () => socket.destroy());
-  socket.on("error", () => upstream.destroy());
+  proxySocket.on("error", () => socket.destroy());
 });
 
-server.listen(PUBLIC_PORT, "0.0.0.0", () => {
-  console.log(`Hugging8n proxy listening on ${PUBLIC_PORT}, forwarding to ${TARGET_PORT}`);
-});
+server.listen(PORT, "0.0.0.0", () => console.log(`Dashboard/Proxy on ${PORT} -> n8n on ${TARGET_PORT}`));

n8n-sync.py

@@ -9,6 +9,7 @@ import subprocess
 import sys
 import tempfile
 import time
+import threading
 from pathlib import Path
 
 os.environ.setdefault("HF_HUB_DISABLE_PROGRESS_BARS", "1")
@@ -26,7 +27,7 @@ HF_USERNAME = (
 )
 BACKUP_DATASET_NAME = os.environ.get("BACKUP_DATASET_NAME", "hugging8n-backup").strip()
 HF_API = HfApi(token=HF_TOKEN) if HF_TOKEN else None
-RUNNING = True
+STOP_EVENT = threading.Event()
 
 
 def write_status(status: str, message: str) -> None:
@@ -187,8 +188,7 @@ def sync_once(last_fingerprint: str | None = None) -> str:
 
 
 def handle_signal(_sig, _frame) -> None:
-    global RUNNING
-    RUNNING = False
+    STOP_EVENT.set()
 
 
 def loop() -> int:
@@ -198,16 +198,15 @@ def loop() -> int:
     last_fingerprint = fingerprint_dir(N8N_HOME)
     write_status("configured", f"Backup loop active with {INTERVAL}s interval.")
 
-    while RUNNING:
+    while not STOP_EVENT.is_set():
         try:
             last_fingerprint = sync_once(last_fingerprint)
         except Exception as exc:
             write_status("error", f"Sync failed: {exc}")
             print(f"Sync failed: {exc}", file=sys.stderr)
-        for _ in range(INTERVAL):
-            if not RUNNING:
-                break
-            time.sleep(1)
+        
+        if STOP_EVENT.wait(INTERVAL):
+            break
 
     try:
         sync_once(None)

start.sh

@@ -1,6 +1,9 @@
 #!/bin/bash
 set -euo pipefail
 
+# Tighten default file permissions for any files created by this process
+umask 0077
+
 APP_DIR="/home/node/app"
 N8N_HOME="/home/node/.n8n"
 N8N_PORT="${N8N_PORT:-5678}"
@@ -12,16 +15,15 @@ mkdir -p "$N8N_HOME"
 SPACE_HOST_DETECTED="${SPACE_HOST_OVERRIDE:-${SPACE_HOST:-}}"
 if [ -n "$SPACE_HOST_DETECTED" ]; then
   export N8N_HOST="${N8N_HOST:-$SPACE_HOST_DETECTED}"
-  export WEBHOOK_URL="${WEBHOOK_URL:-https://${SPACE_HOST_DETECTED}/}"
-  export N8N_EDITOR_BASE_URL="${N8N_EDITOR_BASE_URL:-https://${SPACE_HOST_DETECTED}/}"
+  # Updated for /app base path
+  export WEBHOOK_URL="${WEBHOOK_URL:-https://${SPACE_HOST_DETECTED}/app/}"
+  export N8N_EDITOR_BASE_URL="${N8N_EDITOR_BASE_URL:-https://${SPACE_HOST_DETECTED}/app/}"
 fi
 
 export N8N_PORT
 export N8N_PROTOCOL="${N8N_PROTOCOL:-https}"
 export N8N_PROXY_HOPS="${N8N_PROXY_HOPS:-1}"
 export N8N_LISTEN_ADDRESS="${N8N_LISTEN_ADDRESS:-0.0.0.0}"
-# Must be false: HF Spaces terminates TLS at its edge; n8n sees plain HTTP internally.
-# Secure cookies require HTTPS end-to-end and will break login on HF Spaces.
 export N8N_SECURE_COOKIE="${N8N_SECURE_COOKIE:-false}"
 export N8N_DIAGNOSTICS_ENABLED="${N8N_DIAGNOSTICS_ENABLED:-false}"
 export N8N_PERSONALIZATION_ENABLED="${N8N_PERSONALIZATION_ENABLED:-false}"
@@ -30,16 +32,11 @@ export N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS="${N8N_ENFORCE_SETTINGS_FILE_PERMIS
 export GENERIC_TIMEZONE="${GENERIC_TIMEZONE:-${TZ:-UTC}}"
 export TZ="${TZ:-$GENERIC_TIMEZONE}"
 
-# Basic auth — enabled by default to protect your n8n instance
-export N8N_BASIC_AUTH_ACTIVE="${N8N_BASIC_AUTH_ACTIVE:-true}"
-if [ "${N8N_BASIC_AUTH_ACTIVE}" = "true" ]; then
-  export N8N_BASIC_AUTH_USER="${N8N_BASIC_AUTH_USER:-admin}"
-  export N8N_BASIC_AUTH_PASSWORD="${N8N_BASIC_AUTH_PASSWORD:-}"
-  if [ -z "${N8N_BASIC_AUTH_PASSWORD:-}" ]; then
-    echo "⚠️  WARNING: N8N_BASIC_AUTH_ACTIVE=true but N8N_BASIC_AUTH_PASSWORD is not set."
-    echo "   Your n8n instance is NOT protected. Set N8N_BASIC_AUTH_PASSWORD in Secrets."
-  fi
-fi
+# Disable noisy or unnecessary services
+export N8N_RUNNERS_ENABLED="${N8N_RUNNERS_ENABLED:-false}"
+export N8N_LICENSE_AUTO_RENEW_ENABLED="${N8N_LICENSE_AUTO_RENEW_ENABLED:-false}"
+
+# n8n v2 uses built-in user management.
 
 echo ""
 echo "  ╔════════════════════════════════════╗"
@@ -61,15 +58,9 @@ fi
 
 cleanup() {
   echo "Stopping Hugging8n..."
-  if [ -n "${SYNC_PID:-}" ] && kill -0 "$SYNC_PID" 2>/dev/null; then
-    kill "$SYNC_PID" 2>/dev/null || true
-  fi
-  if [ -n "${N8N_PID:-}" ] && kill -0 "$N8N_PID" 2>/dev/null; then
-    kill "$N8N_PID" 2>/dev/null || true
-  fi
-  if [ -n "${PROXY_PID:-}" ] && kill -0 "$PROXY_PID" 2>/dev/null; then
-    kill "$PROXY_PID" 2>/dev/null || true
-  fi
+  [ -n "${SYNC_PID:-}" ] && kill "$SYNC_PID" 2>/dev/null || true
+  [ -n "${N8N_PID:-}" ] && kill "$N8N_PID" 2>/dev/null || true
+  [ -n "${PROXY_PID:-}" ] && kill "$PROXY_PID" 2>/dev/null || true
   if [ -n "${HF_TOKEN:-}" ]; then
     echo "Running final backup pass..."
     python3 "$APP_DIR/n8n-sync.py" sync-once || true
@@ -89,4 +80,11 @@ PROXY_PID=$!
 n8n start &
 N8N_PID=$!
 
+# Readiness probe
+echo "Waiting for n8n to be ready on port ${N8N_PORT}..."
+until curl -sf "http://127.0.0.1:${N8N_PORT}/healthz" > /dev/null 2>&1; do
+  sleep 1
+done
+echo "n8n is ready!"
+
 wait "$N8N_PID"