@camstack/addon-tailscale-ingress 0.1.3 → 0.1.4

package/dist/tailscale-ingress.addon.js

@@ -4621,7 +4621,7 @@ function _instanceof(cls, params = {}) {
 	return inst;
 }
 //#endregion
-//#region ../types/dist/index-YnRVILXN.mjs
+//#region ../types/dist/index-Ce7RZWP4.mjs
 var MODEL_FORMATS = [
 	"onnx",
 	"coreml",
@@ -7288,14 +7288,35 @@ var StatusSchema = object({
 	embeddedRunning: boolean()
 });
 method(_void(), array(BrokerInfoSchema)), method(IdInputSchema, BrokerConnectionDetailsSchema), method(AddBrokerInputSchema, AddBrokerResultSchema, { kind: "mutation" }), method(IdInputSchema, _void(), { kind: "mutation" }), method(IdInputSchema, TestResultSchema, { kind: "mutation" }), method(StartEmbeddedInputSchema, StartEmbeddedResultSchema, { kind: "mutation" }), method(IdInputSchema, _void(), { kind: "mutation" }), method(_void(), StatusSchema);
+var LinkStateSchema = _enum([
+	"unlinked",
+	"linked",
+	"error"
+]);
+var ExportSetupFieldSchema = object({
+	label: string(),
+	value: string(),
+	/** Mask the value by default + render a reveal toggle (client id, secrets). */
+	secret: boolean().optional()
+});
+var ExportSetupSchema = object({
+	/** A string to render as a scannable QR — HAP `X-HM://…` URI, a pairing URL, etc. Omitted when there's nothing to scan. */
+	qr: string().optional(),
+	/** Label/value rows shown with a copy button (HAP setup code, OAuth URLs, client id, linked-account count, …). */
+	fields: array(ExportSetupFieldSchema).readonly().optional(),
+	/** Free-form operator instructions rendered above the fields. */
+	note: string().optional()
+});
 var DeviceExportStatusSchema = object({
-	linkState: _enum([
-		"unlinked",
-		"linked",
-		"error"
-	]),
+	linkState: LinkStateSchema,
 	exposedDeviceCount: number(),
-	error: string().optional()
+	error: string().optional(),
+	/**
+	* Optional pairing/account info the panel renders in a generic
+	* "Setup" section. Addon-agnostic — the addon id identifies the
+	* export target, never an `ecosystem` key here.
+	*/
+	setup: ExportSetupSchema.optional()
 });
 var DeviceKindSchema = string();
 var ExposedDeviceSchema = object({
@@ -9551,7 +9572,24 @@ var MeshStatusSchema = object({
 	* doesn't rotate keys for the bound host. Operator-facing surface
 	* for "your access expires on …" banners.
 	*/
-	keyExpiry: number().nullable()
+	keyExpiry: number().nullable(),
+	/**
+	* When the provider runs its OWN mesh daemon (e.g. the Tailscale
+	* client addon in `onboard` mode spawns a private `tailscaled`),
+	* this carries the local control-socket path. Companion addons that
+	* must drive the SAME daemon — chiefly `tailscale-ingress` for
+	* Serve/Funnel — read it to point their CLI at the right socket
+	* instead of the system default. Empty when the provider uses the
+	* host's system daemon (or doesn't have the concept).
+	*/
+	daemonSocket: string().optional(),
+	/**
+	* Path to the mesh CLI binary the provider downloaded for onboard
+	* mode. Companion addons reuse it so they don't need a system
+	* install when the operator chose a fully self-contained mesh.
+	* Empty in host mode.
+	*/
+	daemonCliPath: string().optional()
 });
 method(_void(), MeshStatusSchema), method(object({
 	/** Provider-specific auth key. For Tailscale this is the
@@ -10233,6 +10271,21 @@ var AddonAutoUpdateSchema = ChannelWithInheritSchema;
 var RestartAddonResultSchema = unknown();
 var InstallPackageResultSchema = unknown();
 var ReloadPackagesResultSchema = unknown();
+var UpdateFrameworkPackageResultSchema = object({
+	packageName: string(),
+	fromVersion: string(),
+	toVersion: string(),
+	/** Ms-epoch the server scheduled its self-restart. */
+	restartingAt: number()
+});
+var FrameworkPackageStatusSchema = object({
+	packageName: string(),
+	currentVersion: string(),
+	latestVersion: string().nullable(),
+	hasUpdate: boolean(),
+	/** Optional manifest description for the row tooltip. */
+	description: string().optional()
+});
 var LogStreamEntrySchema = object({
 	timestamp: string(),
 	level: string(),
@@ -10264,21 +10317,43 @@ method(_void(), array(AddonListItemSchema).readonly()), method(object({
 }), method(_void(), ReloadPackagesResultSchema, {
 	kind: "mutation",
 	auth: "admin"
-}), method(object({ query: string().optional() }), array(SearchResultSchema)), method(_void(), array(PackageUpdateSchema).readonly(), { auth: "admin" }), method(object({
+}), method(object({ query: string().optional() }), array(SearchResultSchema)), method(object({ nodeId: string().optional() }), array(PackageUpdateSchema).readonly(), { auth: "admin" }), method(object({
 	name: string().min(1),
-	version: string().optional()
+	version: string().optional(),
+	nodeId: string().optional()
 }), unknown(), {
 	kind: "mutation",
 	auth: "admin"
 }), method(object({ name: string().min(1) }), object({ rolledBackTo: string().nullable() }), {
 	kind: "mutation",
 	auth: "admin"
-}), method(_void(), unknown(), {
+}), method(object({ nodeId: string().optional() }), unknown(), {
 	kind: "mutation",
 	auth: "admin"
 }), method(object({ confirm: literal(true) }), unknown(), {
 	kind: "mutation",
 	auth: "admin"
+}), method(_void(), object({
+	kind: _enum([
+		"framework-update",
+		"manual",
+		"system"
+	]),
+	packageName: string().optional(),
+	fromVersion: string().optional(),
+	toVersion: string().optional(),
+	requestedBy: string().optional(),
+	requestedAt: number()
+}).nullable(), { auth: "admin" }), method(_void(), array(FrameworkPackageStatusSchema).readonly(), { auth: "admin" }), method(object({ capName: string().min(1) }), array(object({
+	addonId: string(),
+	mode: _enum(["singleton", "collection"]),
+	isActive: boolean()
+})).readonly()), method(object({
+	packageName: string().min(1),
+	version: string().optional()
+}), UpdateFrameworkPackageResultSchema, {
+	kind: "mutation",
+	auth: "admin"
 }), method(object({ name: string() }), array(PackageVersionInfoSchema).readonly()), method(object({ addonId: string() }), RestartAddonResultSchema, {
 	kind: "mutation",
 	auth: "admin"
@@ -10310,6 +10385,7 @@ var EventCategory = /* @__PURE__ */ ((EventCategory2) => {
 	EventCategory2["SystemBoot"] = "system.boot";
 	EventCategory2["SystemAddonsReady"] = "system.addons-ready";
 	EventCategory2["SystemRestarting"] = "system.restarting";
+	EventCategory2["SystemRestartCompleted"] = "system.restart-completed";
 	EventCategory2["SystemReadyState"] = "system.ready-state";
 	EventCategory2["AddonStarted"] = "addon.started";
 	EventCategory2["AddonStopped"] = "addon.stopped";
@@ -10832,6 +10908,12 @@ Object.freeze({
 		addonId: null,
 		access: "view"
 	},
+	"addons.getLastRestart": {
+		capName: "addons",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
 	"addons.getLogs": {
 		capName: "addons",
 		capScope: "system",
@@ -10868,6 +10950,18 @@ Object.freeze({
 		addonId: null,
 		access: "view"
 	},
+	"addons.listCapabilityProviders": {
+		capName: "addons",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
+	"addons.listFrameworkPackages": {
+		capName: "addons",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
 	"addons.listPackages": {
 		capName: "addons",
 		capScope: "system",
@@ -10946,6 +11040,12 @@ Object.freeze({
 		addonId: null,
 		access: "delete"
 	},
+	"addons.updateFrameworkPackage": {
+		capName: "addons",
+		capScope: "system",
+		addonId: null,
+		access: "create"
+	},
 	"addons.updatePackage": {
 		capName: "addons",
 		capScope: "system",
@@ -14053,32 +14153,98 @@ var TailscaleCliError = class extends Error {
 		this.name = "TailscaleCliError";
 	}
 };
+var NOOP_LOGGER = {
+	info: () => void 0,
+	warn: () => void 0,
+	error: () => void 0,
+	debug: () => void 0,
+	child: () => NOOP_LOGGER,
+	withTags: () => NOOP_LOGGER
+};
 var TailscaleCli = class {
 	resolvedBin = null;
+	logger;
+	binPathOverride;
+	socketPath;
+	constructor(opts = {}) {
+		if (typeof opts.info === "function" && !("logger" in opts)) {
+			this.logger = opts;
+			this.binPathOverride = void 0;
+			this.socketPath = void 0;
+		} else {
+			const o = opts;
+			this.logger = o.logger ?? NOOP_LOGGER;
+			this.binPathOverride = o.binPath;
+			this.socketPath = o.socketPath;
+		}
+	}
+	/** Prepend `--socket=<path>` when driving an onboard daemon. */
+	withSocket(args) {
+		return this.socketPath ? [`--socket=${this.socketPath}`, ...args] : [...args];
+	}
 	/** Locate the `tailscale` binary once and cache the result. */
 	async resolveBin() {
 		if (this.resolvedBin) return this.resolvedBin;
+		if (this.binPathOverride) {
+			this.resolvedBin = this.binPathOverride;
+			this.logger.info("CLI binary (onboard override)", { meta: {
+				bin: this.binPathOverride,
+				socketPath: this.socketPath
+			} });
+			return this.binPathOverride;
+		}
+		const tried = [];
 		for (const candidate of TAILSCALE_CANDIDATES) try {
 			await execFileP(candidate, ["version"], { timeout: 3e3 });
 			this.resolvedBin = candidate;
+			this.logger.info("CLI binary resolved", { meta: {
+				bin: candidate,
+				candidatesTried: tried
+			} });
 			return candidate;
-		} catch {}
+		} catch {
+			tried.push(candidate);
+		}
 		throw new TailscaleCliError("tailscale binary not found — install Tailscale from https://tailscale.com/download");
 	}
 	async version() {
-		const { stdout } = await execFileP(await this.resolveBin(), ["version"], { timeout: 5e3 });
+		const { stdout } = await execFileP(await this.resolveBin(), this.withSocket(["version"]), { timeout: 5e3 });
 		return stdout.trim().split("\n")[0] ?? "";
 	}
 	async status() {
 		const bin = await this.resolveBin();
 		try {
-			const { stdout } = await execFileP(bin, ["status", "--json"], { timeout: 1e4 });
+			const { stdout } = await execFileP(bin, this.withSocket(["status", "--json"]), { timeout: 1e4 });
 			return JSON.parse(stdout);
 		} catch (err) {
 			const e = err;
 			throw new TailscaleCliError(`tailscale status failed: ${e.message}`, e.stderr ?? "");
 		}
 	}
+	/**
+	* Whether the tailnet ACL policy grants THIS host the Funnel
+	* attribute. Reads `Self.CapMap` / `Self.Capabilities` from
+	* `tailscale status --json` — a pre-flight check so the addon can
+	* fail fast with an actionable error BEFORE spending 15s on a
+	* `tailscale funnel` call that the daemon would reject anyway.
+	*
+	* The funnel grant surfaces as a bare `funnel` key in the modern
+	* CapMap; the legacy `Capabilities` string array carries either
+	* `funnel` or a `.../cap/funnel` URL form.
+	*/
+	async funnelCapable() {
+		const s = await this.status();
+		const capMap = s.Self?.CapMap ?? {};
+		if (Object.prototype.hasOwnProperty.call(capMap, "funnel")) return true;
+		const legacy = s.Self?.Capabilities ?? [];
+		const capable = legacy.some((c) => c === "funnel" || c.endsWith("/cap/funnel"));
+		this.logger.info("funnelCapable check", { meta: {
+			capable,
+			capMapKeys: Object.keys(capMap),
+			legacyCount: legacy.length
+		} });
+		return capable;
+	}
 	/** Bring the daemon up with an auth key. Idempotent — calling
 	*  while already joined returns immediately. */
 	async up(input) {
@@ -14091,7 +14257,7 @@ var TailscaleCli = class {
 		];
 		if (input.hostname) args.push(`--hostname=${input.hostname}`);
 		try {
-			await execFileP(bin, args, { timeout: 6e4 });
+			await execFileP(bin, this.withSocket(args), { timeout: 6e4 });
 		} catch (err) {
 			const e = err;
 			throw new TailscaleCliError(`tailscale up failed: ${e.message}`, e.stderr ?? "");
@@ -14102,7 +14268,7 @@ var TailscaleCli = class {
 	async down() {
 		const bin = await this.resolveBin();
 		try {
-			await execFileP(bin, ["down"], { timeout: 15e3 });
+			await execFileP(bin, this.withSocket(["down"]), { timeout: 15e3 });
 		} catch (err) {
 			const e = err;
 			throw new TailscaleCliError(`tailscale down failed: ${e.message}`, e.stderr ?? "");
@@ -14118,11 +14284,19 @@ var TailscaleCli = class {
 	async serve(input) {
 		const bin = await this.resolveBin();
 		const args = this.buildIngressArgs("serve", input);
+		this.logger.info("serve: invoking CLI", { meta: {
+			bin,
+			args,
+			...input
+		} });
 		try {
-			await execFileP(bin, args, { timeout: 15e3 });
+			const { stdout, stderr } = await execFileP(bin, this.withSocket(args), { timeout: 15e3 });
+			this.logger.info("serve: CLI returned", { meta: {
+				stdout: trimForLog(stdout),
+				stderr: trimForLog(stderr)
+			} });
 		} catch (err) {
-			const e = err;
-			throw new TailscaleCliError(`tailscale serve failed: ${e.message}`, e.stderr ?? "");
+			throw this.wrapCliError("tailscale serve", err, bin, args);
 		}
 	}
 	/** `tailscale funnel` — exposes a local port to the open internet
@@ -14131,14 +14305,52 @@ var TailscaleCli = class {
 	async funnel(input) {
 		const bin = await this.resolveBin();
 		const args = this.buildIngressArgs("funnel", input);
+		this.logger.info("funnel: invoking CLI", { meta: {
+			bin,
+			args,
+			...input
+		} });
 		try {
-			await execFileP(bin, args, { timeout: 15e3 });
+			const { stdout, stderr } = await execFileP(bin, this.withSocket(args), { timeout: 15e3 });
+			this.logger.info("funnel: CLI returned", { meta: {
+				stdout: trimForLog(stdout),
+				stderr: trimForLog(stderr)
+			} });
 		} catch (err) {
-			const e = err;
-			throw new TailscaleCliError(`tailscale funnel failed: ${e.message}`, e.stderr ?? "");
+			throw this.wrapCliError("tailscale funnel", err, bin, args);
 		}
 	}
 	/**
+	* Build a TailscaleCliError that propagates BOTH stdout and stderr
+	* up to the caller. The tailscale CLI is inconsistent about which
+	* stream it uses for human-readable errors — `funnel` (and at least
+	* some `serve` paths) writes the actionable hint to STDOUT when
+	* the host lacks the ACL grant (e.g. "Funnel is not enabled on
+	* your tailnet. To enable, visit: https://login.tailscale.com/...").
+	* Reading only stderr loses that hint and the operator sees a bare
+	* "Command failed: …" with no recovery path.
+	*
+	* Special-cases the "Funnel is not enabled" outcome: extracts the
+	* enable-URL the CLI prints and surfaces a concise, single-line
+	* actionable error instead of dumping the raw multi-line blob.
+	*/
+	wrapCliError(verb, err, bin, args) {
+		const e = err;
+		const stderr = (e.stderr ?? "").trim();
+		const stdout = (e.stdout ?? "").trim();
+		this.logger.error(`${verb}: CLI failed`, { meta: {
+			bin,
+			args,
+			message: e.message,
+			stderr: trimForLog(stderr),
+			stdout: trimForLog(stdout)
+		} });
+		const combined = `${stdout}\n${stderr}`;
+		if (/funnel is not enabled/i.test(combined)) return new TailscaleCliError(`Funnel is not enabled on your tailnet. Enable it for this host at: ${combined.match(/https:\/\/login\.tailscale\.com\/\S+/)?.[0] ?? "https://login.tailscale.com/admin/settings/funnel"}`, stderr.length > 0 ? stderr : stdout);
+		const detail = stderr.length > 0 ? `--- stderr ---\n${stderr}` : stdout.length > 0 ? `--- stdout ---\n${stdout}` : "";
+		return new TailscaleCliError(`${verb} failed: ${e.message.trim()}${detail ? `\n${detail}` : ""}`, stderr.length > 0 ? stderr : stdout);
+	}
+	/**
 	* Single source of truth for the serve/funnel arg shape. The CLI
 	* accepts the same flag layout for both verbs, so we share the
 	* builder. `--set-path` is only emitted when the operator picks a
@@ -14154,10 +14366,17 @@ var TailscaleCli = class {
 		}
 		const out = [verb, "--bg"];
 		if (path && path !== "/") out.push(`--set-path=${path}`);
-		out.push(`http://127.0.0.1:${input.port}`);
+		const scheme = input.upstreamScheme ?? "https+insecure";
+		out.push(`${scheme}://127.0.0.1:${input.port}`);
 		return out;
 	}
 };
+/** Truncate long stdout/stderr blobs so the log entry stays readable. */
+function trimForLog(s, max = 800) {
+	const trimmed = s.trim();
+	if (trimmed.length <= max) return trimmed;
+	return `${trimmed.slice(0, max)}…[+${trimmed.length - max} bytes]`;
+}
 //#endregion
 //#region src/tailscale-ingress.addon.ts
 /**
@@ -14185,10 +14404,11 @@ var TailscaleCli = class {
 var DEFAULT_CONFIG = {
 	mode: "serve",
 	sourcePort: 4443,
-	targetPath: ""
+	targetPath: "",
+	upstreamScheme: "https+insecure"
 };
 var TailscaleIngressAddon = class extends BaseAddon {
-	cli = new TailscaleCli();
+	cli;
 	/**
 	* Snapshot of the running ingress params so stop()/disposer can issue
 	* the matching `off` call even if `this.config` mutates mid-flight.
@@ -14201,6 +14421,7 @@ var TailscaleIngressAddon = class extends BaseAddon {
 		super({ ...DEFAULT_CONFIG });
 	}
 	async onInitialize() {
+		this.cli = new TailscaleCli(this.ctx.logger.child("tailscale-cli"));
 		try {
 			await this.cli.version();
 		} catch (err) {
@@ -14226,17 +14447,27 @@ var TailscaleIngressAddon = class extends BaseAddon {
 			topic: "tailscale-ingress",
 			phase: "verify-client"
 		} });
-		await this.requireClientJoined();
+		const meshStatus = await this.requireClientJoined();
+		this.syncCliToDaemon(meshStatus);
+		if (this.config.mode === "funnel") {
+			log.info("start: phase=verify-funnel-grant", { tags: {
+				topic: "tailscale-ingress",
+				phase: "verify-funnel-grant"
+			} });
+			if (!await this.cli.funnelCapable()) throw new Error("tailscale-ingress: Funnel is not enabled for this host in the tailnet ACL policy. Enable it at https://login.tailscale.com/admin/settings/funnel (or add a `funnel` nodeAttr for this machine), then retry. Serve mode works without this grant.");
+		}
 		const next = {
 			mode: this.config.mode,
 			sourcePort: this.config.sourcePort,
-			targetPath: this.config.targetPath
+			targetPath: this.config.targetPath,
+			upstreamScheme: this.config.upstreamScheme
 		};
 		log.info("start: phase=apply-rule", {
 			meta: {
 				mode: next.mode,
 				sourcePort: next.sourcePort,
-				targetPath: next.targetPath
+				targetPath: next.targetPath,
+				upstreamScheme: next.upstreamScheme
 			},
 			tags: {
 				topic: "tailscale-ingress",
@@ -14376,10 +14607,27 @@ var TailscaleIngressAddon = class extends BaseAddon {
 		const opts = {
 			port: rule.sourcePort,
 			enabled,
+			upstreamScheme: rule.upstreamScheme,
 			...rule.targetPath && rule.targetPath !== "/" ? { targetPath: rule.targetPath } : {}
 		};
+		this.ctx.logger.info(`applyRule: ${rule.mode}`, {
+			meta: {
+				...opts,
+				mode: rule.mode
+			},
+			tags: {
+				topic: "tailscale-ingress",
+				phase: "apply-rule",
+				verb: rule.mode
+			}
+		});
 		if (rule.mode === "funnel") await this.cli.funnel(opts);
 		else await this.cli.serve(opts);
+		this.ctx.logger.info(`applyRule: ${rule.mode} done`, { tags: {
+			topic: "tailscale-ingress",
+			phase: "apply-rule-done",
+			verb: rule.mode
+		} });
 	}
 	/**
 	* Build the canonical endpoint from the active ingress + the
@@ -14409,15 +14657,65 @@ var TailscaleIngressAddon = class extends BaseAddon {
 	/**
 	* Wait for `mesh-network` (the tailscale-client provider) to be
 	* mounted AND report joined. Throws an actionable error otherwise.
+	*
+	* IMPORTANT: we route the check through the API surface
+	* (`api.meshNetwork.getStatus.query({ addonId: 'tailscale-client' })`),
+	* NOT through `ctx.capabilities.getCollectionEntries`. The latter
+	* only sees providers registered in THIS process's local
+	* CapabilityRegistry — and tailscale-client runs in a separate
+	* `hub/tailscale-client` group runner. The API surface is
+	* cross-process via Moleculer, so it can find the provider wherever
+	* it lives.
+	*
+	* `mesh-network` is a `collection` cap (Tailscale + Headscale +
+	* ZeroTier could all implement it in parallel), so we pin to
+	* `tailscale-client` via the `addonId` filter — without it the API
+	* would route to whichever provider registered first and we'd risk
+	* emitting `tailscale serve` against e.g. a Headscale daemon that
+	* doesn't know that verb.
 	*/
 	async requireClientJoined() {
-		if (!(this.ctx.capabilities?.getCollectionEntries("mesh-network") ?? []).find(([id]) => id === "tailscale-client")) throw new Error(`tailscale-ingress: tailscale-client provider not registered — install + start the @camstack/addon-tailscale-client addon first.`);
-		if (!(await this.fetchMeshStatus()).joined) throw new Error("tailscale-ingress: tailnet not joined — open the Mesh Networks page and click \"Connect to Tailscale\" first.");
+		let status;
+		try {
+			status = await this.fetchMeshStatus({ addonId: "tailscale-client" });
+		} catch (err) {
+			throw new Error("tailscale-ingress: tailscale-client provider not registered — install + start the @camstack/addon-tailscale-client addon first.", { cause: err });
+		}
+		if (!status.joined) throw new Error("tailscale-ingress: tailnet not joined — open the Mesh Networks page and click \"Connect to Tailscale\" first.");
+		return status;
 	}
-	async fetchMeshStatus() {
+	/**
+	* Rebuild `this.cli` to drive the tailscale-client's daemon. When
+	* the client runs in `onboard` mode it spawned a private
+	* `tailscaled`; the mesh status then carries `daemonSocket` +
+	* `daemonCliPath` and we MUST route serve/funnel through that
+	* socket — the system daemon is a different node with a different
+	* mesh identity. Host mode leaves both unset → default CLI.
+	*/
+	syncCliToDaemon(status) {
+		const cliLogger = this.ctx.logger.child("tailscale-cli");
+		if (status.daemonSocket) {
+			this.ctx.logger.info("start: routing CLI to onboard daemon", {
+				meta: {
+					daemonSocket: status.daemonSocket,
+					daemonCliPath: status.daemonCliPath
+				},
+				tags: {
+					topic: "tailscale-ingress",
+					phase: "daemon-route"
+				}
+			});
+			this.cli = new TailscaleCli({
+				logger: cliLogger,
+				socketPath: status.daemonSocket,
+				...status.daemonCliPath ? { binPath: status.daemonCliPath } : {}
+			});
+		} else this.cli = new TailscaleCli({ logger: cliLogger });
+	}
+	async fetchMeshStatus(filter) {
 		const api = this.ctx.api;
 		if (!api.meshNetwork?.getStatus?.query) throw new Error("tailscale-ingress: mesh-network cap not exposed on the api surface");
-		return await api.meshNetwork.getStatus.query();
+		return await api.meshNetwork.getStatus.query(filter);
 	}
 	globalSettingsSchema() {
 		return this.schema({ sections: [{
@@ -14457,6 +14755,27 @@ var TailscaleIngressAddon = class extends BaseAddon {
 					description: "Public-side mount path. Leave empty for root.",
 					default: DEFAULT_CONFIG.targetPath,
 					placeholder: "/"
+				}),
+				this.field({
+					type: "select",
+					key: "upstreamScheme",
+					label: "Upstream scheme",
+					description: "How Tailscale reaches the local hub. The hub listens HTTPS with a self-signed cert by default — keep \"https+insecure\". Use \"http\" ONLY if the hub runs with tls.enabled: false (a plain \"http\" rule against the TLS listener returns 502).",
+					default: DEFAULT_CONFIG.upstreamScheme,
+					options: [
+						{
+							value: "https+insecure",
+							label: "HTTPS, self-signed (default)"
+						},
+						{
+							value: "https",
+							label: "HTTPS, valid cert"
+						},
+						{
+							value: "http",
+							label: "HTTP (only if hub TLS disabled)"
+						}
+					]
 				})
 			]
 		}] });