@camstack/addon-tailscale-ingress 0.1.3 → 0.1.5

package/dist/tailscale-ingress.addon.js

@@ -4621,7 +4621,7 @@ function _instanceof(cls, params = {}) {
 	return inst;
 }
 //#endregion
-//#region ../types/dist/index-YnRVILXN.mjs
+//#region ../types/dist/index-CWhQOnm9.mjs
 var MODEL_FORMATS = [
 	"onnx",
 	"coreml",
@@ -7288,14 +7288,35 @@ var StatusSchema = object({
 	embeddedRunning: boolean()
 });
 method(_void(), array(BrokerInfoSchema)), method(IdInputSchema, BrokerConnectionDetailsSchema), method(AddBrokerInputSchema, AddBrokerResultSchema, { kind: "mutation" }), method(IdInputSchema, _void(), { kind: "mutation" }), method(IdInputSchema, TestResultSchema, { kind: "mutation" }), method(StartEmbeddedInputSchema, StartEmbeddedResultSchema, { kind: "mutation" }), method(IdInputSchema, _void(), { kind: "mutation" }), method(_void(), StatusSchema);
+var LinkStateSchema = _enum([
+	"unlinked",
+	"linked",
+	"error"
+]);
+var ExportSetupFieldSchema = object({
+	label: string(),
+	value: string(),
+	/** Mask the value by default + render a reveal toggle (client id, secrets). */
+	secret: boolean().optional()
+});
+var ExportSetupSchema = object({
+	/** A string to render as a scannable QR — HAP `X-HM://…` URI, a pairing URL, etc. Omitted when there's nothing to scan. */
+	qr: string().optional(),
+	/** Label/value rows shown with a copy button (HAP setup code, OAuth URLs, client id, linked-account count, …). */
+	fields: array(ExportSetupFieldSchema).readonly().optional(),
+	/** Free-form operator instructions rendered above the fields. */
+	note: string().optional()
+});
 var DeviceExportStatusSchema = object({
-	linkState: _enum([
-		"unlinked",
-		"linked",
-		"error"
-	]),
+	linkState: LinkStateSchema,
 	exposedDeviceCount: number(),
-	error: string().optional()
+	error: string().optional(),
+	/**
+	* Optional pairing/account info the panel renders in a generic
+	* "Setup" section. Addon-agnostic — the addon id identifies the
+	* export target, never an `ecosystem` key here.
+	*/
+	setup: ExportSetupSchema.optional()
 });
 var DeviceKindSchema = string();
 var ExposedDeviceSchema = object({
@@ -8209,42 +8230,6 @@ method(object({
 	username: string(),
 	password: string()
 }), AuthResultSchema.nullable(), { kind: "mutation" }), method(object({ state: string() }), string()), method(record(string(), string()), AuthResultSchema, { kind: "mutation" }), method(object({ token: string() }), AuthResultSchema.nullable());
-var AuthProviderInfoSchema = object({
-	/** Stable id matching the addon id (used for `getLoginUrl({addonId,…})`). */
-	addonId: string(),
-	/**
-	* Per-instance id when one addon registers multiple "logical"
-	* providers (e.g. OIDC with Google + Microsoft + custom). The login
-	* URL becomes `/addon/${addonId}/${instanceId}/start` — handler reads
-	* `:instanceId` from the route. Empty/unset means the addon is a
-	* single-instance provider; the URL is `/addon/${addonId}/start`.
-	*/
-	instanceId: string().optional(),
-	/** Display label shown on the login button + admin row. */
-	displayName: string(),
-	/** Optional iconography hint (lucide-react icon name OR emoji). */
-	icon: string().optional(),
-	/** When true, the provider exposes a redirect-based login flow
-	*  (`getLoginUrl` returns a URL the browser navigates to). */
-	hasRedirectFlow: boolean(),
-	/** When true, the provider exposes a credential-form login flow
-	*  (`validateCredentials` accepts username + password). */
-	hasCredentialFlow: boolean(),
-	/** Provider kind, drives admin-UI hint dispatch (oidc / saml / totp / …). */
-	kind: string().optional(),
-	/** Operator-facing status string (e.g. "Connected to https://login.acme.com"). */
-	status: string().optional(),
-	/** When false, the provider is registered but disabled by config; the
-	*  UI surfaces it as inactive without enumerating it for login. */
-	enabled: boolean()
-});
-method(_void(), array(AuthProviderInfoSchema).readonly()), method(object({
-	addonId: string(),
-	enabled: boolean()
-}), object({ success: literal(true) }), {
-	kind: "mutation",
-	auth: "admin"
-});
 var NetworkEndpointSchema = object({
 	url: string(),
 	hostname: string(),
@@ -8273,7 +8258,6 @@ var networkAccessCapability = {
 	name: "network-access",
 	scope: "system",
 	mode: "collection",
-	internal: true,
 	providerKind: "ingress",
 	methods: {
 		start: method(_void(), NetworkEndpointSchema, { kind: "mutation" }),
@@ -8281,40 +8265,13 @@ var networkAccessCapability = {
 		getEndpoint: method(_void(), NetworkEndpointSchema.nullable()),
 		getStatus: method(_void(), NetworkAccessStatusSchema),
 		/**
-		* Enumerate every active ingress entry. Default implementation (when
-		* the provider omits this method) is derived from `getEndpoint()` —
-		* see the remote-access orchestrator for the fallback path.
+		* Enumerate every active ingress entry. Providers that expose only a
+		* single endpoint may omit this method; callers fall back to
+		* `getEndpoint()` in that case.
 		*/
 		listEndpoints: method(_void(), array(NetworkEndpointEntrySchema).readonly())
 	}
 };
-var RemoteAccessEndpointSchema = object({
-	url: string(),
-	hostname: string(),
-	port: number(),
-	protocol: _enum(["http", "https"])
-});
-var RemoteAccessProviderInfoSchema = object({
-	/** Stable id matching the addon id. */
-	addonId: string(),
-	/** Display label shown on the admin row — sourced from the addon manifest. */
-	displayName: string(),
-	/** When false, the provider is registered but disabled. */
-	enabled: boolean(),
-	/** True when the underlying tunnel/connection is up. */
-	connected: boolean(),
-	/** Public-facing endpoint, when connected. Null otherwise. */
-	endpoint: RemoteAccessEndpointSchema.nullable(),
-	/** Last error message (when connected=false), if available. */
-	error: string().optional()
-});
-method(_void(), array(RemoteAccessProviderInfoSchema).readonly()), method(object({ addonId: string() }), RemoteAccessEndpointSchema, {
-	kind: "mutation",
-	auth: "admin"
-}), method(object({ addonId: string() }), object({ success: literal(true) }), {
-	kind: "mutation",
-	auth: "admin"
-});
 var TurnServerSchema = object({
 	/** Single URL or list of URLs (e.g. "turn:turn.example.com:3478?transport=udp"). */
 	urls: union([string(), array(string())]),
@@ -8322,33 +8279,6 @@ var TurnServerSchema = object({
 	credential: string().optional()
 });
 method(_void(), array(TurnServerSchema).readonly());
-var TurnProviderInfoSchema = object({
-	/** Stable id matching the addon id. */
-	addonId: string(),
-	/** Display label shown on the admin row — sourced from the addon manifest. */
-	displayName: string(),
-	/** When false, the provider is registered but disabled. */
-	enabled: boolean(),
-	/** Number of servers this provider is currently exposing. */
-	serverCount: number(),
-	/**
-	* Flat list of every TURN/STUN URL this provider currently exposes.
-	* One row per URL (multi-URL ICE server entries are flattened). The
-	* admin UI shows this in a compact per-provider list so operators
-	* can verify what's actually being negotiated without having to dig
-	* into the combined `getAllServers` output.
-	*/
-	urls: array(string()).readonly(),
-	/** Last fetch error (when serverCount=0 due to API failure), if any. */
-	error: string().optional()
-});
-method(_void(), array(TurnProviderInfoSchema).readonly()), method(_void(), array(TurnServerSchema).readonly()), method(object({
-	addonId: string(),
-	enabled: boolean()
-}), object({ success: literal(true) }), {
-	kind: "mutation",
-	auth: "admin"
-});
 var SnapshotImageSchema = object({
 	base64: string(),
 	contentType: string()
@@ -9442,7 +9372,7 @@ method(_void(), ListResultSchema), method(_void(), PreferredSchema), method(obje
 	*  tunnel always emits `https://` regardless. */
 	scheme: _enum(["http", "https"]).optional()
 }), GetConnectionEndpointsResultSchema), method(_void(), AllowedAddressesSchema), method(AllowedAddressesSchema, object({ success: literal(true) }), { kind: "mutation" }), method(_void(), AllowedAddressesSchema, { kind: "mutation" });
-var MeshEndpointSchema$1 = object({
+var MeshEndpointSchema = object({
 	/** Stable identifier within the provider (e.g. `mesh-ipv4`, `magicdns`, `funnel`). */
 	id: string(),
 	/** Operator-facing label (e.g. "Mesh IPv4", "MagicDNS"). */
@@ -9519,7 +9449,7 @@ var MeshStatusSchema = object({
 	/** Number of peers visible to this host (excluding self). */
 	peerCount: number(),
 	/** Every endpoint this provider exposes for the current host. */
-	endpoints: array(MeshEndpointSchema$1).readonly(),
+	endpoints: array(MeshEndpointSchema).readonly(),
 	/** Last error from the daemon, when not joined. */
 	error: string().optional(),
 	/**
@@ -9551,7 +9481,24 @@ var MeshStatusSchema = object({
 	* doesn't rotate keys for the bound host. Operator-facing surface
 	* for "your access expires on …" banners.
 	*/
-	keyExpiry: number().nullable()
+	keyExpiry: number().nullable(),
+	/**
+	* When the provider runs its OWN mesh daemon (e.g. the Tailscale
+	* client addon in `onboard` mode spawns a private `tailscaled`),
+	* this carries the local control-socket path. Companion addons that
+	* must drive the SAME daemon — chiefly `tailscale-ingress` for
+	* Serve/Funnel — read it to point their CLI at the right socket
+	* instead of the system default. Empty when the provider uses the
+	* host's system daemon (or doesn't have the concept).
+	*/
+	daemonSocket: string().optional(),
+	/**
+	* Path to the mesh CLI binary the provider downloaded for onboard
+	* mode. Companion addons reuse it so they don't need a system
+	* install when the operator chose a fully self-contained mesh.
+	* Empty in host mode.
+	*/
+	daemonCliPath: string().optional()
 });
 method(_void(), MeshStatusSchema), method(object({
 	/** Provider-specific auth key. For Tailscale this is the
@@ -9577,51 +9524,6 @@ authKey: string().optional() }), object({
 	/** Human-readable error when `ok: false`. */
 	error: string().optional()
 }), { kind: "mutation" });
-var MeshEndpointSchema = object({
-	id: string(),
-	label: string(),
-	scope: _enum(["mesh", "public"]),
-	url: string(),
-	hostname: string(),
-	port: number(),
-	protocol: _enum(["http", "https"])
-});
-var MeshProviderInfoSchema = object({
-	/** Stable id matching the addon id. */
-	addonId: string(),
-	/** Display label shown on the admin row — sourced from the addon manifest. */
-	displayName: string(),
-	/** True when the host is joined to this provider's mesh. */
-	joined: boolean(),
-	/** Local mesh IP (empty when not joined). */
-	meshIp: string(),
-	/** MagicDNS / mesh hostname (empty when not configured). */
-	magicDnsHostname: string(),
-	/** Peer count (excluding self). */
-	peerCount: number(),
-	/** Active endpoints (mesh IP + MagicDNS + optional public Funnel). */
-	endpoints: array(MeshEndpointSchema).readonly(),
-	/** Last error reported by the provider. */
-	error: string().optional(),
-	/** Tenant / tailnet / network display name. Empty pre-join. */
-	tenantName: string(),
-	/** Mesh DNS suffix (e.g. tailXXXX.ts.net). Empty when not configured. */
-	magicDnsSuffix: string(),
-	/** Authenticated user / account login. Null for token-only providers. */
-	userLogin: string().nullable(),
-	/** Provider control-plane URL. */
-	controlPlaneUrl: string(),
-	/** Machine-key expiry (epoch ms). Null when keys don't rotate. */
-	keyExpiry: number().nullable()
-});
-method(_void(), array(MeshProviderInfoSchema).readonly()), method(object({
-	addonId: string(),
-	authKey: string().min(8),
-	hostname: string().optional()
-}), object({ joined: literal(true) }), { kind: "mutation" }), method(object({ addonId: string() }), object({ success: literal(true) }), { kind: "mutation" }), method(object({
-	addonId: string(),
-	hostname: string().optional()
-}), object({ loginUrl: string() }), { kind: "mutation" }), method(object({ addonId: string() }), object({ loggedOut: literal(true) }), { kind: "mutation" }), method(object({ addonId: string() }), object({ peers: array(MeshPeerSchema).readonly() }));
 var MethodAccessSchema = _enum([
 	"view",
 	"create",
@@ -10233,6 +10135,21 @@ var AddonAutoUpdateSchema = ChannelWithInheritSchema;
 var RestartAddonResultSchema = unknown();
 var InstallPackageResultSchema = unknown();
 var ReloadPackagesResultSchema = unknown();
+var UpdateFrameworkPackageResultSchema = object({
+	packageName: string(),
+	fromVersion: string(),
+	toVersion: string(),
+	/** Ms-epoch the server scheduled its self-restart. */
+	restartingAt: number()
+});
+var FrameworkPackageStatusSchema = object({
+	packageName: string(),
+	currentVersion: string(),
+	latestVersion: string().nullable(),
+	hasUpdate: boolean(),
+	/** Optional manifest description for the row tooltip. */
+	description: string().optional()
+});
 var LogStreamEntrySchema = object({
 	timestamp: string(),
 	level: string(),
@@ -10264,21 +10181,50 @@ method(_void(), array(AddonListItemSchema).readonly()), method(object({
 }), method(_void(), ReloadPackagesResultSchema, {
 	kind: "mutation",
 	auth: "admin"
-}), method(object({ query: string().optional() }), array(SearchResultSchema)), method(_void(), array(PackageUpdateSchema).readonly(), { auth: "admin" }), method(object({
+}), method(object({ query: string().optional() }), array(SearchResultSchema)), method(object({ nodeId: string().optional() }), array(PackageUpdateSchema).readonly(), { auth: "admin" }), method(object({
 	name: string().min(1),
-	version: string().optional()
+	version: string().optional(),
+	nodeId: string().optional()
 }), unknown(), {
 	kind: "mutation",
 	auth: "admin"
 }), method(object({ name: string().min(1) }), object({ rolledBackTo: string().nullable() }), {
 	kind: "mutation",
 	auth: "admin"
-}), method(_void(), unknown(), {
+}), method(object({ nodeId: string().optional() }), unknown(), {
 	kind: "mutation",
 	auth: "admin"
 }), method(object({ confirm: literal(true) }), unknown(), {
 	kind: "mutation",
 	auth: "admin"
+}), method(_void(), object({
+	kind: _enum([
+		"framework-update",
+		"manual",
+		"system"
+	]),
+	packageName: string().optional(),
+	fromVersion: string().optional(),
+	toVersion: string().optional(),
+	requestedBy: string().optional(),
+	requestedAt: number()
+}).nullable(), { auth: "admin" }), method(_void(), array(FrameworkPackageStatusSchema).readonly(), { auth: "admin" }), method(object({ capName: string().min(1) }), array(object({
+	addonId: string(),
+	mode: _enum(["singleton", "collection"]),
+	isActive: boolean()
+})).readonly()), method(object({
+	capName: string().min(1),
+	addonId: string().min(1),
+	enabled: boolean()
+}), object({ success: literal(true) }), {
+	kind: "mutation",
+	auth: "admin"
+}), method(object({
+	packageName: string().min(1),
+	version: string().optional()
+}), UpdateFrameworkPackageResultSchema, {
+	kind: "mutation",
+	auth: "admin"
 }), method(object({ name: string() }), array(PackageVersionInfoSchema).readonly()), method(object({ addonId: string() }), RestartAddonResultSchema, {
 	kind: "mutation",
 	auth: "admin"
@@ -10310,6 +10256,7 @@ var EventCategory = /* @__PURE__ */ ((EventCategory2) => {
 	EventCategory2["SystemBoot"] = "system.boot";
 	EventCategory2["SystemAddonsReady"] = "system.addons-ready";
 	EventCategory2["SystemRestarting"] = "system.restarting";
+	EventCategory2["SystemRestartCompleted"] = "system.restart-completed";
 	EventCategory2["SystemReadyState"] = "system.ready-state";
 	EventCategory2["AddonStarted"] = "addon.started";
 	EventCategory2["AddonStopped"] = "addon.stopped";
@@ -10832,6 +10779,12 @@ Object.freeze({
 		addonId: null,
 		access: "view"
 	},
+	"addons.getLastRestart": {
+		capName: "addons",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
 	"addons.getLogs": {
 		capName: "addons",
 		capScope: "system",
@@ -10868,6 +10821,18 @@ Object.freeze({
 		addonId: null,
 		access: "view"
 	},
+	"addons.listCapabilityProviders": {
+		capName: "addons",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
+	"addons.listFrameworkPackages": {
+		capName: "addons",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
 	"addons.listPackages": {
 		capName: "addons",
 		capScope: "system",
@@ -10940,12 +10905,24 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
+	"addons.setCapabilityProviderEnabled": {
+		capName: "addons",
+		capScope: "system",
+		addonId: null,
+		access: "create"
+	},
 	"addons.uninstallPackage": {
 		capName: "addons",
 		capScope: "system",
 		addonId: null,
 		access: "delete"
 	},
+	"addons.updateFrameworkPackage": {
+		capName: "addons",
+		capScope: "system",
+		addonId: null,
+		access: "create"
+	},
 	"addons.updatePackage": {
 		capName: "addons",
 		capScope: "system",
@@ -11186,18 +11163,6 @@ Object.freeze({
 		addonId: null,
 		access: "view"
 	},
-	"authentication.listProviders": {
-		capName: "authentication",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
-	"authentication.setProviderEnabled": {
-		capName: "authentication",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
 	"authProvider.getLoginUrl": {
 		capName: "auth-provider",
 		capScope: "system",
@@ -12044,42 +12009,6 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
-	"meshOrchestrator.joinProvider": {
-		capName: "mesh-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
-	"meshOrchestrator.leaveProvider": {
-		capName: "mesh-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
-	"meshOrchestrator.listProviderPeers": {
-		capName: "mesh-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
-	"meshOrchestrator.listProviders": {
-		capName: "mesh-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
-	"meshOrchestrator.logoutProvider": {
-		capName: "mesh-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
-	"meshOrchestrator.startLoginProvider": {
-		capName: "mesh-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
 	"metricsProvider.collectSnapshot": {
 		capName: "metrics-provider",
 		capScope: "system",
@@ -13106,24 +13035,6 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
-	"remoteAccess.listProviders": {
-		capName: "remote-access",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
-	"remoteAccess.startProvider": {
-		capName: "remote-access",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
-	"remoteAccess.stopProvider": {
-		capName: "remote-access",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
 	"restreamer.getExposedResources": {
 		capName: "restreamer",
 		capScope: "system",
@@ -13682,24 +13593,6 @@ Object.freeze({
 		addonId: null,
 		access: "view"
 	},
-	"turnOrchestrator.getAllServers": {
-		capName: "turn-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
-	"turnOrchestrator.listProviders": {
-		capName: "turn-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
-	"turnOrchestrator.setProviderEnabled": {
-		capName: "turn-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
 	"turnProvider.getTurnServers": {
 		capName: "turn-provider",
 		capScope: "system",
@@ -14053,32 +13946,98 @@ var TailscaleCliError = class extends Error {
 		this.name = "TailscaleCliError";
 	}
 };
+var NOOP_LOGGER = {
+	info: () => void 0,
+	warn: () => void 0,
+	error: () => void 0,
+	debug: () => void 0,
+	child: () => NOOP_LOGGER,
+	withTags: () => NOOP_LOGGER
+};
 var TailscaleCli = class {
 	resolvedBin = null;
+	logger;
+	binPathOverride;
+	socketPath;
+	constructor(opts = {}) {
+		if (typeof opts.info === "function" && !("logger" in opts)) {
+			this.logger = opts;
+			this.binPathOverride = void 0;
+			this.socketPath = void 0;
+		} else {
+			const o = opts;
+			this.logger = o.logger ?? NOOP_LOGGER;
+			this.binPathOverride = o.binPath;
+			this.socketPath = o.socketPath;
+		}
+	}
+	/** Prepend `--socket=<path>` when driving an onboard daemon. */
+	withSocket(args) {
+		return this.socketPath ? [`--socket=${this.socketPath}`, ...args] : [...args];
+	}
 	/** Locate the `tailscale` binary once and cache the result. */
 	async resolveBin() {
 		if (this.resolvedBin) return this.resolvedBin;
+		if (this.binPathOverride) {
+			this.resolvedBin = this.binPathOverride;
+			this.logger.info("CLI binary (onboard override)", { meta: {
+				bin: this.binPathOverride,
+				socketPath: this.socketPath
+			} });
+			return this.binPathOverride;
+		}
+		const tried = [];
 		for (const candidate of TAILSCALE_CANDIDATES) try {
 			await execFileP(candidate, ["version"], { timeout: 3e3 });
 			this.resolvedBin = candidate;
+			this.logger.info("CLI binary resolved", { meta: {
+				bin: candidate,
+				candidatesTried: tried
+			} });
 			return candidate;
-		} catch {}
+		} catch {
+			tried.push(candidate);
+		}
 		throw new TailscaleCliError("tailscale binary not found — install Tailscale from https://tailscale.com/download");
 	}
 	async version() {
-		const { stdout } = await execFileP(await this.resolveBin(), ["version"], { timeout: 5e3 });
+		const { stdout } = await execFileP(await this.resolveBin(), this.withSocket(["version"]), { timeout: 5e3 });
 		return stdout.trim().split("\n")[0] ?? "";
 	}
 	async status() {
 		const bin = await this.resolveBin();
 		try {
-			const { stdout } = await execFileP(bin, ["status", "--json"], { timeout: 1e4 });
+			const { stdout } = await execFileP(bin, this.withSocket(["status", "--json"]), { timeout: 1e4 });
 			return JSON.parse(stdout);
 		} catch (err) {
 			const e = err;
 			throw new TailscaleCliError(`tailscale status failed: ${e.message}`, e.stderr ?? "");
 		}
 	}
+	/**
+	* Whether the tailnet ACL policy grants THIS host the Funnel
+	* attribute. Reads `Self.CapMap` / `Self.Capabilities` from
+	* `tailscale status --json` — a pre-flight check so the addon can
+	* fail fast with an actionable error BEFORE spending 15s on a
+	* `tailscale funnel` call that the daemon would reject anyway.
+	*
+	* The funnel grant surfaces as a bare `funnel` key in the modern
+	* CapMap; the legacy `Capabilities` string array carries either
+	* `funnel` or a `.../cap/funnel` URL form.
+	*/
+	async funnelCapable() {
+		const s = await this.status();
+		const capMap = s.Self?.CapMap ?? {};
+		if (Object.prototype.hasOwnProperty.call(capMap, "funnel")) return true;
+		const legacy = s.Self?.Capabilities ?? [];
+		const capable = legacy.some((c) => c === "funnel" || c.endsWith("/cap/funnel"));
+		this.logger.info("funnelCapable check", { meta: {
+			capable,
+			capMapKeys: Object.keys(capMap),
+			legacyCount: legacy.length
+		} });
+		return capable;
+	}
 	/** Bring the daemon up with an auth key. Idempotent — calling
 	*  while already joined returns immediately. */
 	async up(input) {
@@ -14091,7 +14050,7 @@ var TailscaleCli = class {
 		];
 		if (input.hostname) args.push(`--hostname=${input.hostname}`);
 		try {
-			await execFileP(bin, args, { timeout: 6e4 });
+			await execFileP(bin, this.withSocket(args), { timeout: 6e4 });
 		} catch (err) {
 			const e = err;
 			throw new TailscaleCliError(`tailscale up failed: ${e.message}`, e.stderr ?? "");
@@ -14102,7 +14061,7 @@ var TailscaleCli = class {
 	async down() {
 		const bin = await this.resolveBin();
 		try {
-			await execFileP(bin, ["down"], { timeout: 15e3 });
+			await execFileP(bin, this.withSocket(["down"]), { timeout: 15e3 });
 		} catch (err) {
 			const e = err;
 			throw new TailscaleCliError(`tailscale down failed: ${e.message}`, e.stderr ?? "");
@@ -14118,11 +14077,19 @@ var TailscaleCli = class {
 	async serve(input) {
 		const bin = await this.resolveBin();
 		const args = this.buildIngressArgs("serve", input);
+		this.logger.info("serve: invoking CLI", { meta: {
+			bin,
+			args,
+			...input
+		} });
 		try {
-			await execFileP(bin, args, { timeout: 15e3 });
+			const { stdout, stderr } = await execFileP(bin, this.withSocket(args), { timeout: 15e3 });
+			this.logger.info("serve: CLI returned", { meta: {
+				stdout: trimForLog(stdout),
+				stderr: trimForLog(stderr)
+			} });
 		} catch (err) {
-			const e = err;
-			throw new TailscaleCliError(`tailscale serve failed: ${e.message}`, e.stderr ?? "");
+			throw this.wrapCliError("tailscale serve", err, bin, args);
 		}
 	}
 	/** `tailscale funnel` — exposes a local port to the open internet
@@ -14131,14 +14098,52 @@ var TailscaleCli = class {
 	async funnel(input) {
 		const bin = await this.resolveBin();
 		const args = this.buildIngressArgs("funnel", input);
+		this.logger.info("funnel: invoking CLI", { meta: {
+			bin,
+			args,
+			...input
+		} });
 		try {
-			await execFileP(bin, args, { timeout: 15e3 });
+			const { stdout, stderr } = await execFileP(bin, this.withSocket(args), { timeout: 15e3 });
+			this.logger.info("funnel: CLI returned", { meta: {
+				stdout: trimForLog(stdout),
+				stderr: trimForLog(stderr)
+			} });
 		} catch (err) {
-			const e = err;
-			throw new TailscaleCliError(`tailscale funnel failed: ${e.message}`, e.stderr ?? "");
+			throw this.wrapCliError("tailscale funnel", err, bin, args);
 		}
 	}
 	/**
+	* Build a TailscaleCliError that propagates BOTH stdout and stderr
+	* up to the caller. The tailscale CLI is inconsistent about which
+	* stream it uses for human-readable errors — `funnel` (and at least
+	* some `serve` paths) writes the actionable hint to STDOUT when
+	* the host lacks the ACL grant (e.g. "Funnel is not enabled on
+	* your tailnet. To enable, visit: https://login.tailscale.com/...").
+	* Reading only stderr loses that hint and the operator sees a bare
+	* "Command failed: …" with no recovery path.
+	*
+	* Special-cases the "Funnel is not enabled" outcome: extracts the
+	* enable-URL the CLI prints and surfaces a concise, single-line
+	* actionable error instead of dumping the raw multi-line blob.
+	*/
+	wrapCliError(verb, err, bin, args) {
+		const e = err;
+		const stderr = (e.stderr ?? "").trim();
+		const stdout = (e.stdout ?? "").trim();
+		this.logger.error(`${verb}: CLI failed`, { meta: {
+			bin,
+			args,
+			message: e.message,
+			stderr: trimForLog(stderr),
+			stdout: trimForLog(stdout)
+		} });
+		const combined = `${stdout}\n${stderr}`;
+		if (/funnel is not enabled/i.test(combined)) return new TailscaleCliError(`Funnel is not enabled on your tailnet. Enable it for this host at: ${combined.match(/https:\/\/login\.tailscale\.com\/\S+/)?.[0] ?? "https://login.tailscale.com/admin/settings/funnel"}`, stderr.length > 0 ? stderr : stdout);
+		const detail = stderr.length > 0 ? `--- stderr ---\n${stderr}` : stdout.length > 0 ? `--- stdout ---\n${stdout}` : "";
+		return new TailscaleCliError(`${verb} failed: ${e.message.trim()}${detail ? `\n${detail}` : ""}`, stderr.length > 0 ? stderr : stdout);
+	}
+	/**
 	* Single source of truth for the serve/funnel arg shape. The CLI
 	* accepts the same flag layout for both verbs, so we share the
 	* builder. `--set-path` is only emitted when the operator picks a
@@ -14154,10 +14159,17 @@ var TailscaleCli = class {
 		}
 		const out = [verb, "--bg"];
 		if (path && path !== "/") out.push(`--set-path=${path}`);
-		out.push(`http://127.0.0.1:${input.port}`);
+		const scheme = input.upstreamScheme ?? "https+insecure";
+		out.push(`${scheme}://127.0.0.1:${input.port}`);
 		return out;
 	}
 };
+/** Truncate long stdout/stderr blobs so the log entry stays readable. */
+function trimForLog(s, max = 800) {
+	const trimmed = s.trim();
+	if (trimmed.length <= max) return trimmed;
+	return `${trimmed.slice(0, max)}…[+${trimmed.length - max} bytes]`;
+}
 //#endregion
 //#region src/tailscale-ingress.addon.ts
 /**
@@ -14185,10 +14197,11 @@ var TailscaleCli = class {
 var DEFAULT_CONFIG = {
 	mode: "serve",
 	sourcePort: 4443,
-	targetPath: ""
+	targetPath: "",
+	upstreamScheme: "https+insecure"
 };
 var TailscaleIngressAddon = class extends BaseAddon {
-	cli = new TailscaleCli();
+	cli;
 	/**
 	* Snapshot of the running ingress params so stop()/disposer can issue
 	* the matching `off` call even if `this.config` mutates mid-flight.
@@ -14201,6 +14214,7 @@ var TailscaleIngressAddon = class extends BaseAddon {
 		super({ ...DEFAULT_CONFIG });
 	}
 	async onInitialize() {
+		this.cli = new TailscaleCli(this.ctx.logger.child("tailscale-cli"));
 		try {
 			await this.cli.version();
 		} catch (err) {
@@ -14226,17 +14240,27 @@ var TailscaleIngressAddon = class extends BaseAddon {
 			topic: "tailscale-ingress",
 			phase: "verify-client"
 		} });
-		await this.requireClientJoined();
+		const meshStatus = await this.requireClientJoined();
+		this.syncCliToDaemon(meshStatus);
+		if (this.config.mode === "funnel") {
+			log.info("start: phase=verify-funnel-grant", { tags: {
+				topic: "tailscale-ingress",
+				phase: "verify-funnel-grant"
+			} });
+			if (!await this.cli.funnelCapable()) throw new Error("tailscale-ingress: Funnel is not enabled for this host in the tailnet ACL policy. Enable it at https://login.tailscale.com/admin/settings/funnel (or add a `funnel` nodeAttr for this machine), then retry. Serve mode works without this grant.");
+		}
 		const next = {
 			mode: this.config.mode,
 			sourcePort: this.config.sourcePort,
-			targetPath: this.config.targetPath
+			targetPath: this.config.targetPath,
+			upstreamScheme: this.config.upstreamScheme
 		};
 		log.info("start: phase=apply-rule", {
 			meta: {
 				mode: next.mode,
 				sourcePort: next.sourcePort,
-				targetPath: next.targetPath
+				targetPath: next.targetPath,
+				upstreamScheme: next.upstreamScheme
 			},
 			tags: {
 				topic: "tailscale-ingress",
@@ -14376,10 +14400,27 @@ var TailscaleIngressAddon = class extends BaseAddon {
 		const opts = {
 			port: rule.sourcePort,
 			enabled,
+			upstreamScheme: rule.upstreamScheme,
 			...rule.targetPath && rule.targetPath !== "/" ? { targetPath: rule.targetPath } : {}
 		};
+		this.ctx.logger.info(`applyRule: ${rule.mode}`, {
+			meta: {
+				...opts,
+				mode: rule.mode
+			},
+			tags: {
+				topic: "tailscale-ingress",
+				phase: "apply-rule",
+				verb: rule.mode
+			}
+		});
 		if (rule.mode === "funnel") await this.cli.funnel(opts);
 		else await this.cli.serve(opts);
+		this.ctx.logger.info(`applyRule: ${rule.mode} done`, { tags: {
+			topic: "tailscale-ingress",
+			phase: "apply-rule-done",
+			verb: rule.mode
+		} });
 	}
 	/**
 	* Build the canonical endpoint from the active ingress + the
@@ -14409,15 +14450,65 @@ var TailscaleIngressAddon = class extends BaseAddon {
 	/**
 	* Wait for `mesh-network` (the tailscale-client provider) to be
 	* mounted AND report joined. Throws an actionable error otherwise.
+	*
+	* IMPORTANT: we route the check through the API surface
+	* (`api.meshNetwork.getStatus.query({ addonId: 'tailscale-client' })`),
+	* NOT through `ctx.capabilities.getCollectionEntries`. The latter
+	* only sees providers registered in THIS process's local
+	* CapabilityRegistry — and tailscale-client runs in a separate
+	* `hub/tailscale-client` group runner. The API surface is
+	* cross-process via Moleculer, so it can find the provider wherever
+	* it lives.
+	*
+	* `mesh-network` is a `collection` cap (Tailscale + Headscale +
+	* ZeroTier could all implement it in parallel), so we pin to
+	* `tailscale-client` via the `addonId` filter — without it the API
+	* would route to whichever provider registered first and we'd risk
+	* emitting `tailscale serve` against e.g. a Headscale daemon that
+	* doesn't know that verb.
 	*/
 	async requireClientJoined() {
-		if (!(this.ctx.capabilities?.getCollectionEntries("mesh-network") ?? []).find(([id]) => id === "tailscale-client")) throw new Error(`tailscale-ingress: tailscale-client provider not registered — install + start the @camstack/addon-tailscale-client addon first.`);
-		if (!(await this.fetchMeshStatus()).joined) throw new Error("tailscale-ingress: tailnet not joined — open the Mesh Networks page and click \"Connect to Tailscale\" first.");
+		let status;
+		try {
+			status = await this.fetchMeshStatus({ addonId: "tailscale-client" });
+		} catch (err) {
+			throw new Error("tailscale-ingress: tailscale-client provider not registered — install + start the @camstack/addon-tailscale-client addon first.", { cause: err });
+		}
+		if (!status.joined) throw new Error("tailscale-ingress: tailnet not joined — open the Mesh Networks page and click \"Connect to Tailscale\" first.");
+		return status;
 	}
-	async fetchMeshStatus() {
+	/**
+	* Rebuild `this.cli` to drive the tailscale-client's daemon. When
+	* the client runs in `onboard` mode it spawned a private
+	* `tailscaled`; the mesh status then carries `daemonSocket` +
+	* `daemonCliPath` and we MUST route serve/funnel through that
+	* socket — the system daemon is a different node with a different
+	* mesh identity. Host mode leaves both unset → default CLI.
+	*/
+	syncCliToDaemon(status) {
+		const cliLogger = this.ctx.logger.child("tailscale-cli");
+		if (status.daemonSocket) {
+			this.ctx.logger.info("start: routing CLI to onboard daemon", {
+				meta: {
+					daemonSocket: status.daemonSocket,
+					daemonCliPath: status.daemonCliPath
+				},
+				tags: {
+					topic: "tailscale-ingress",
+					phase: "daemon-route"
+				}
+			});
+			this.cli = new TailscaleCli({
+				logger: cliLogger,
+				socketPath: status.daemonSocket,
+				...status.daemonCliPath ? { binPath: status.daemonCliPath } : {}
+			});
+		} else this.cli = new TailscaleCli({ logger: cliLogger });
+	}
+	async fetchMeshStatus(filter) {
 		const api = this.ctx.api;
 		if (!api.meshNetwork?.getStatus?.query) throw new Error("tailscale-ingress: mesh-network cap not exposed on the api surface");
-		return await api.meshNetwork.getStatus.query();
+		return await api.meshNetwork.getStatus.query(filter);
 	}
 	globalSettingsSchema() {
 		return this.schema({ sections: [{
@@ -14457,6 +14548,27 @@ var TailscaleIngressAddon = class extends BaseAddon {
 					description: "Public-side mount path. Leave empty for root.",
 					default: DEFAULT_CONFIG.targetPath,
 					placeholder: "/"
+				}),
+				this.field({
+					type: "select",
+					key: "upstreamScheme",
+					label: "Upstream scheme",
+					description: "How Tailscale reaches the local hub. The hub listens HTTPS with a self-signed cert by default — keep \"https+insecure\". Use \"http\" ONLY if the hub runs with tls.enabled: false (a plain \"http\" rule against the TLS listener returns 502).",
+					default: DEFAULT_CONFIG.upstreamScheme,
+					options: [
+						{
+							value: "https+insecure",
+							label: "HTTPS, self-signed (default)"
+						},
+						{
+							value: "https",
+							label: "HTTPS, valid cert"
+						},
+						{
+							value: "http",
+							label: "HTTP (only if hub TLS disabled)"
+						}
+					]
 				})
 			]
 		}] });