npm - @camstack/server - Versions diffs - 0.1.3 - Mend

@camstack/server 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (133) hide show

package/.env.example +17 -0
package/package.json +55 -0
package/src/__tests__/addon-install-e2e.test.ts +75 -0
package/src/__tests__/addon-pages-e2e.test.ts +178 -0
package/src/__tests__/addon-route-session.test.ts +17 -0
package/src/__tests__/addon-settings-router.spec.ts +62 -0
package/src/__tests__/addon-upload.spec.ts +355 -0
package/src/__tests__/agent-registry.spec.ts +162 -0
package/src/__tests__/agent-status-page.spec.ts +84 -0
package/src/__tests__/auth-session-cookie.test.ts +21 -0
package/src/__tests__/cap-providers/cap-usage-graph.spec.ts +23 -0
package/src/__tests__/cap-providers/compute-topology-categories.spec.ts +64 -0
package/src/__tests__/cap-routers/_meta.spec.ts +200 -0
package/src/__tests__/cap-routers/addon-settings.router.spec.ts +106 -0
package/src/__tests__/cap-routers/device-manager-aggregate.router.spec.ts +142 -0
package/src/__tests__/cap-routers/harness.ts +159 -0
package/src/__tests__/cap-routers/metrics-provider.router.spec.ts +119 -0
package/src/__tests__/cap-routers/null-provider-guard.spec.ts +66 -0
package/src/__tests__/cap-routers/pipeline-executor.router.spec.ts +135 -0
package/src/__tests__/cap-routers/settings-store.router.spec.ts +247 -0
package/src/__tests__/capability-e2e.test.ts +386 -0
package/src/__tests__/cli-e2e.test.ts +129 -0
package/src/__tests__/core-cap-bridge.spec.ts +89 -0
package/src/__tests__/embedded-deps-e2e.test.ts +109 -0
package/src/__tests__/event-bus-proxy-router.spec.ts +72 -0
package/src/__tests__/fixtures/mock-analysis-addon-a.ts +37 -0
package/src/__tests__/fixtures/mock-analysis-addon-b.ts +37 -0
package/src/__tests__/fixtures/mock-log-addon.ts +37 -0
package/src/__tests__/fixtures/mock-storage-addon.ts +40 -0
package/src/__tests__/framework-allowlist.spec.ts +95 -0
package/src/__tests__/https-e2e.test.ts +118 -0
package/src/__tests__/lifecycle-e2e.test.ts +140 -0
package/src/__tests__/live-events-subscription.spec.ts +150 -0
package/src/__tests__/moleculer-register-node-idempotency.spec.ts +229 -0
package/src/__tests__/oauth2-account-linking.spec.ts +736 -0
package/src/__tests__/post-boot-restart.spec.ts +161 -0
package/src/__tests__/singleton-contention.test.ts +487 -0
package/src/__tests__/streaming-diagnostic.test.ts +512 -0
package/src/__tests__/streaming-scale.test.ts +280 -0
package/src/agent-status-page.ts +121 -0
package/src/api/__tests__/addons-custom.spec.ts +134 -0
package/src/api/__tests__/capabilities.router.test.ts +47 -0
package/src/api/addon-upload.ts +472 -0
package/src/api/addons-custom.router.ts +100 -0
package/src/api/auth-whoami.ts +99 -0
package/src/api/bridge-addons.router.ts +120 -0
package/src/api/capabilities.router.ts +226 -0
package/src/api/core/__tests__/auth-router-totp.spec.ts +256 -0
package/src/api/core/addon-settings.router.ts +124 -0
package/src/api/core/agents.router.ts +87 -0
package/src/api/core/auth.router.ts +303 -0
package/src/api/core/cap-providers.ts +993 -0
package/src/api/core/capabilities.router.ts +119 -0
package/src/api/core/collection-preference.ts +40 -0
package/src/api/core/event-bus-proxy.router.ts +45 -0
package/src/api/core/hwaccel.router.ts +81 -0
package/src/api/core/live-events.router.ts +60 -0
package/src/api/core/logs.router.ts +162 -0
package/src/api/core/notifications.router.ts +65 -0
package/src/api/core/repl.router.ts +41 -0
package/src/api/core/settings-backend.router.ts +142 -0
package/src/api/core/stream-probe.router.ts +57 -0
package/src/api/core/system-events.router.ts +116 -0
package/src/api/health/health.routes.ts +123 -0
package/src/api/oauth2/__tests__/oauth2-routes.spec.ts +52 -0
package/src/api/oauth2/consent-page.ts +42 -0
package/src/api/oauth2/oauth2-routes.ts +248 -0
package/src/api/trpc/__tests__/scope-access-device.spec.ts +223 -0
package/src/api/trpc/__tests__/scope-access.spec.ts +107 -0
package/src/api/trpc/cap-mount-helpers.ts +225 -0
package/src/api/trpc/core-cap-bridge.ts +152 -0
package/src/api/trpc/generated-cap-mounts.ts +707 -0
package/src/api/trpc/generated-cap-routers.ts +6340 -0
package/src/api/trpc/scope-access.ts +110 -0
package/src/api/trpc/trpc.context.ts +255 -0
package/src/api/trpc/trpc.middleware.ts +140 -0
package/src/api/trpc/trpc.router.ts +275 -0
package/src/auth/session-cookie.ts +44 -0
package/src/boot/boot-config.ts +278 -0
package/src/boot/post-boot.service.ts +103 -0
package/src/core/addon/__tests__/addon-registry-capability.test.ts +53 -0
package/src/core/addon/addon-package.service.ts +1684 -0
package/src/core/addon/addon-registry.service.ts +2926 -0
package/src/core/addon/addon-search.service.ts +90 -0
package/src/core/addon/addon-settings-provider.ts +276 -0
package/src/core/addon/addon.tokens.ts +2 -0
package/src/core/addon-bridge/addon-bridge.service.ts +125 -0
package/src/core/addon-pages/addon-pages.service.spec.ts +117 -0
package/src/core/addon-pages/addon-pages.service.ts +80 -0
package/src/core/addon-widgets/addon-widgets.service.ts +92 -0
package/src/core/agent/agent-registry.service.ts +507 -0
package/src/core/auth/auth.service.spec.ts +88 -0
package/src/core/auth/auth.service.ts +8 -0
package/src/core/capability/capability.service.ts +57 -0
package/src/core/config/config.schema.ts +3 -0
package/src/core/config/config.service.spec.ts +175 -0
package/src/core/config/config.service.ts +7 -0
package/src/core/events/event-bus.service.spec.ts +212 -0
package/src/core/events/event-bus.service.ts +85 -0
package/src/core/feature/feature.service.spec.ts +96 -0
package/src/core/feature/feature.service.ts +8 -0
package/src/core/lifecycle/lifecycle-state-machine.spec.ts +168 -0
package/src/core/lifecycle/lifecycle-state-machine.ts +3 -0
package/src/core/logging/log-ring-buffer.ts +3 -0
package/src/core/logging/logging.service.spec.ts +247 -0
package/src/core/logging/logging.service.ts +129 -0
package/src/core/logging/scoped-logger.ts +3 -0
package/src/core/moleculer/moleculer.service.ts +612 -0
package/src/core/network/network-quality.service.spec.ts +47 -0
package/src/core/network/network-quality.service.ts +5 -0
package/src/core/notification/notification-wrapper.service.ts +36 -0
package/src/core/notification/toast-wrapper.service.ts +31 -0
package/src/core/provider/provider.tokens.ts +1 -0
package/src/core/repl/repl-engine.service.spec.ts +417 -0
package/src/core/repl/repl-engine.service.ts +156 -0
package/src/core/storage/fs-storage-backend.spec.ts +70 -0
package/src/core/storage/fs-storage-backend.ts +3 -0
package/src/core/storage/settings-store.spec.ts +213 -0
package/src/core/storage/settings-store.ts +2 -0
package/src/core/storage/sql-schema.spec.ts +140 -0
package/src/core/storage/sql-schema.ts +3 -0
package/src/core/storage/storage-location-manager.spec.ts +121 -0
package/src/core/storage/storage-location-manager.ts +3 -0
package/src/core/storage/storage.service.spec.ts +73 -0
package/src/core/storage/storage.service.ts +3 -0
package/src/core/streaming/stream-probe.service.ts +212 -0
package/src/core/topology/topology-emitter.service.ts +101 -0
package/src/launcher.ts +309 -0
package/src/main.ts +1049 -0
package/src/manual-boot.ts +322 -0
package/tsconfig.build.json +8 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +26 -0

package/src/__tests__/embedded-deps-e2e.test.ts ADDED Viewed

@@ -0,0 +1,109 @@
+/**
+ * Embedded dependencies E2E — verify ffmpeg/python resolution and download.
+ *
+ * These tests check the resolution logic (PATH detection, embedded binary check)
+ * without actually downloading large binaries (unless CAMSTACK_TEST_DOWNLOAD=true).
+ */
+import { describe, it, expect, beforeAll, afterAll } from 'vitest'
+import * as fs from 'node:fs'
+import * as path from 'node:path'
+import * as os from 'node:os'
+// Import directly from source submodules because vitest+swc doesn't resolve
+// `export * from './deps/index.js'` barrel re-exports in the @camstack/core index.
+import { findInPath, getPlatformInfo, buildBinaryPath } from '../../../../packages/core/src/deps/binary-downloader'
+import { getFfmpegDownloadUrl, ensureFfmpeg } from '../../../../packages/core/src/deps/ffmpeg-downloader'
+import { getPythonDownloadUrl, ensurePython } from '../../../../packages/core/src/deps/python-downloader'
+import type { IScopedLogger } from '@camstack/types'
+function createMockLogger(): IScopedLogger {
+  const logger: IScopedLogger = {
+    info: () => {},
+    warn: () => {},
+    error: () => {},
+    debug: () => {},
+    child: () => createMockLogger(),
+  }
+  return logger
+}
+const mockLogger = createMockLogger()
+describe('Embedded Dependencies E2E', () => {
+  let tmpDir: string
+  beforeAll(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'camstack-deps-e2e-'))
+  })
+  afterAll(() => {
+    fs.rmSync(tmpDir, { recursive: true, force: true })
+  })
+  describe('Platform detection', () => {
+    it('returns valid platform and arch', () => {
+      const info = getPlatformInfo()
+      expect(['darwin', 'linux', 'win32']).toContain(info.platform)
+      expect(['x64', 'arm64', 'arm', 'ia32']).toContain(info.arch)
+    })
+  })
+  describe('Binary path resolution', () => {
+    it('builds correct path for deps directory', () => {
+      const p = buildBinaryPath('/data', 'ffmpeg')
+      expect(p).toBe('/data/deps/ffmpeg')
+    })
+  })
+  describe('FFmpeg', () => {
+    it('generates valid download URL for current platform', () => {
+      const url = getFfmpegDownloadUrl(process.platform, process.arch)
+      expect(url).toMatch(/^https:\/\//)
+      expect(url.length).toBeGreaterThan(20)
+    })
+    it('finds ffmpeg in PATH or reports not found', () => {
+      const result = findInPath('ffmpeg')
+      // Either found (returns the name) or null — both valid
+      expect(result === null || typeof result === 'string').toBe(true)
+    })
+    // Only run download test if explicitly enabled (downloads ~80MB)
+    const downloadTest = process.env.CAMSTACK_TEST_DOWNLOAD === 'true' ? it : it.skip
+    downloadTest('downloads ffmpeg binary', async () => {
+      const ffmpegPath = await ensureFfmpeg(tmpDir, mockLogger)
+      expect(ffmpegPath).toBeTruthy()
+      expect(fs.existsSync(ffmpegPath)).toBe(true)
+    }, 120000)
+  })
+  describe('Python', () => {
+    it('generates valid download URL for current platform', () => {
+      const url = getPythonDownloadUrl(process.platform, process.arch)
+      expect(url).toContain('python-headless')
+      if (process.platform === 'darwin') {
+        expect(url).toContain('universal2')
+      }
+    })
+    it('finds python in PATH or reports not found', () => {
+      const result = findInPath('python3') ?? findInPath('python')
+      // Either found or null — both valid
+      expect(result === null || typeof result === 'string').toBe(true)
+    })
+    // Only run download test if explicitly enabled (downloads ~25MB)
+    const downloadTest = process.env.CAMSTACK_TEST_DOWNLOAD === 'true' ? it : it.skip
+    downloadTest('downloads portable Python', async () => {
+      const pythonPath = await ensurePython(tmpDir, mockLogger)
+      expect(pythonPath).toBeTruthy()
+      expect(fs.existsSync(pythonPath!)).toBe(true)
+      // Verify it actually runs
+      const { execFileSync } = await import('node:child_process')
+      const version = execFileSync(pythonPath!, ['--version'], { encoding: 'utf8' }).trim()
+      expect(version).toMatch(/Python 3\.12/)
+    }, 120000)
+  })
+})

package/src/__tests__/event-bus-proxy-router.spec.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/* eslint-disable @typescript-eslint/no-unsafe-assignment -- test mock typing */
+import { describe, it, expect, vi } from 'vitest'
+import { createEventBusProxyRouter } from '../api/core/event-bus-proxy.router.js'
+import { makeCtx } from './cap-routers/harness.js'
+import type { IEventBus } from '@camstack/types'
+function createMockEventBus() {
+  return {
+    emit: vi.fn(),
+  } as unknown as IEventBus & { emit: ReturnType<typeof vi.fn> }
+}
+describe('event-bus-proxy router', () => {
+  it('emit calls eventBus.emit with the correct shape', async () => {
+    const bus = createMockEventBus()
+    const router = createEventBusProxyRouter(bus)
+    const caller = router.createCaller(makeCtx('admin'))
+    await caller.emit({
+      id: 'evt-1',
+      timestamp: '2026-01-15T10:00:00.000Z',
+      source: { type: 'addon', id: 'my-addon' },
+      category: 'motion',
+      data: { zone: 'front' },
+    })
+    expect(bus.emit).toHaveBeenCalledOnce()
+    expect(bus.emit).toHaveBeenCalledWith({
+      id: 'evt-1',
+      timestamp: expect.any(Date),
+      source: { type: 'addon', id: 'my-addon' },
+      category: 'motion',
+      data: { zone: 'front' },
+    })
+  })
+  it('emit returns { ok: true }', async () => {
+    const bus = createMockEventBus()
+    const router = createEventBusProxyRouter(bus)
+    const caller = router.createCaller(makeCtx('admin'))
+    const result = await caller.emit({
+      id: 'evt-2',
+      timestamp: '2026-01-15T10:00:00.000Z',
+      source: { type: 'device', id: 'cam-1' },
+      category: 'alert',
+      data: {},
+    })
+    expect(result).toEqual({ ok: true })
+  })
+  it('timestamp string is converted to a Date object', async () => {
+    const bus = createMockEventBus()
+    const router = createEventBusProxyRouter(bus)
+    const caller = router.createCaller(makeCtx('admin'))
+    const isoString = '2026-06-20T14:30:00.000Z'
+    await caller.emit({
+      id: 'evt-3',
+      timestamp: isoString,
+      source: { type: 'addon', id: 'test' },
+      category: 'info',
+      data: {},
+    })
+    const emittedEvent = bus.emit.mock.calls[0][0] as { timestamp: unknown }
+    expect(emittedEvent.timestamp).toBeInstanceOf(Date)
+    expect((emittedEvent.timestamp as Date).toISOString()).toBe(isoString)
+  })
+})

package/src/__tests__/fixtures/mock-analysis-addon-a.ts ADDED Viewed

@@ -0,0 +1,37 @@
+// server/backend/src/__tests__/fixtures/mock-analysis-addon-a.ts
+import type { ICamstackAddon, AddonDeclaration, AddonContext } from '@camstack/types'
+export class MockAnalysisAddonA implements ICamstackAddon {
+  readonly manifest: AddonDeclaration = {
+    id: 'mock-analysis-a',
+    name: 'Mock Analysis A',
+    version: '1.0.0',
+    capabilities: ['object-detector'],
+  }
+  private initialized = false
+  readonly provider = { id: 'analysis-a', processFrame: async () => [] }
+  async initialize(_context: AddonContext) {
+    this.initialized = true
+    return [{ capability: 'object-detector', provider: this.provider }]
+  }
+  async shutdown(): Promise<void> {
+    this.initialized = false
+  }
+  isInitialized(): boolean {
+    return this.initialized
+  }
+  getConfigSchema() {
+    return { sections: [] }
+  }
+  getConfig() {
+    return {}
+  }
+  async onConfigChange() {}
+}

package/src/__tests__/fixtures/mock-analysis-addon-b.ts ADDED Viewed

@@ -0,0 +1,37 @@
+// server/backend/src/__tests__/fixtures/mock-analysis-addon-b.ts
+import type { ICamstackAddon, AddonDeclaration, AddonContext } from '@camstack/types'
+export class MockAnalysisAddonB implements ICamstackAddon {
+  readonly manifest: AddonDeclaration = {
+    id: 'mock-analysis-b',
+    name: 'Mock Analysis B',
+    version: '1.0.0',
+    capabilities: ['object-detector'],
+  }
+  private initialized = false
+  readonly provider = { id: 'analysis-b', processFrame: async () => [] }
+  async initialize(_context: AddonContext) {
+    this.initialized = true
+    return [{ capability: 'object-detector', provider: this.provider }]
+  }
+  async shutdown(): Promise<void> {
+    this.initialized = false
+  }
+  isInitialized(): boolean {
+    return this.initialized
+  }
+  getConfigSchema() {
+    return { sections: [] }
+  }
+  getConfig() {
+    return {}
+  }
+  async onConfigChange() {}
+}

package/src/__tests__/fixtures/mock-log-addon.ts ADDED Viewed

@@ -0,0 +1,37 @@
+// server/backend/src/__tests__/fixtures/mock-log-addon.ts
+import type { ICamstackAddon, AddonDeclaration, AddonContext } from '@camstack/types'
+export class MockLogAddon implements ICamstackAddon {
+  readonly manifest: AddonDeclaration = {
+    id: 'mock-log-addon',
+    name: 'Mock Log Destination',
+    version: '1.0.0',
+    capabilities: ['log-destination'],
+  }
+  private initialized = false
+  readonly provider = { id: 'mock-log', write: async () => {} }
+  async initialize(_context: AddonContext) {
+    this.initialized = true
+    return [{ capability: 'log-destination', provider: this.provider }]
+  }
+  async shutdown(): Promise<void> {
+    this.initialized = false
+  }
+  isInitialized(): boolean {
+    return this.initialized
+  }
+  getConfigSchema() {
+    return { sections: [] }
+  }
+  getConfig() {
+    return {}
+  }
+  async onConfigChange() {}
+}

package/src/__tests__/fixtures/mock-storage-addon.ts ADDED Viewed

@@ -0,0 +1,40 @@
+// server/backend/src/__tests__/fixtures/mock-storage-addon.ts
+import type { ICamstackAddon, AddonDeclaration, AddonContext } from '@camstack/types'
+export class MockStorageAddon implements ICamstackAddon {
+  readonly manifest: AddonDeclaration = {
+    id: 'mock-storage',
+    name: 'Mock Storage',
+    version: '1.0.0',
+    capabilities: ['storage', 'settings-store'],
+  }
+  private initialized = false
+  readonly provider = { id: 'mock-storage', type: 'mock' }
+  async initialize(_context: AddonContext) {
+    this.initialized = true
+    return [
+      { capability: 'storage', provider: this.provider },
+      { capability: 'settings-store', provider: this.provider },
+    ]
+  }
+  async shutdown(): Promise<void> {
+    this.initialized = false
+  }
+  isInitialized(): boolean {
+    return this.initialized
+  }
+  getConfigSchema() {
+    return { sections: [] }
+  }
+  getConfig() {
+    return {}
+  }
+  async onConfigChange() {}
+}

package/src/__tests__/framework-allowlist.spec.ts ADDED Viewed

@@ -0,0 +1,95 @@
+/**
+ * Framework package allow-list coherence.
+ *
+ * Spec: docs/superpowers/specs/2026-05-14-framework-live-update-design.md
+ *
+ * Invariants:
+ *   - Every entry in `FRAMEWORK_PACKAGE_ALLOWLIST` resolves to a workspace
+ *     package whose `package.json` declares `camstack.system: true`.
+ *   - Every workspace package with `camstack.system: true` appears in the
+ *     allow-list — drift in either direction breaks live-update.
+ *   - `isFrameworkPackage` accepts framework names and rejects everything
+ *     else (sanity check on the gate the cap method uses).
+ */
+import { describe, it, expect } from 'vitest'
+import * as fs from 'node:fs'
+import * as path from 'node:path'
+import {
+  FRAMEWORK_PACKAGE_ALLOWLIST,
+  isFrameworkPackage,
+} from '../core/addon/addon-package.service.js'
+function repoRoot(): string {
+  return path.resolve(__dirname, '..', '..', '..', '..')
+}
+interface PackageJsonView {
+  readonly name: string
+  readonly system: boolean
+  readonly path: string
+}
+function readPackageJson(pkgJsonPath: string): PackageJsonView | null {
+  try {
+    const raw: unknown = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf-8'))
+    if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) return null
+    const obj = raw as Record<string, unknown>
+    const name = obj['name']
+    if (typeof name !== 'string') return null
+    const camstack = obj['camstack']
+    const isSystem = camstack !== null
+      && typeof camstack === 'object'
+      && !Array.isArray(camstack)
+      && (camstack as Record<string, unknown>)['system'] === true
+    return { name, system: isSystem, path: pkgJsonPath }
+  } catch {
+    return null
+  }
+}
+function discoverWorkspacePackages(): readonly PackageJsonView[] {
+  const packagesDir = path.join(repoRoot(), 'packages')
+  if (!fs.existsSync(packagesDir)) return []
+  const results: PackageJsonView[] = []
+  for (const entry of fs.readdirSync(packagesDir, { withFileTypes: true })) {
+    if (!entry.isDirectory()) continue
+    const pkgJson = path.join(packagesDir, entry.name, 'package.json')
+    if (!fs.existsSync(pkgJson)) continue
+    const view = readPackageJson(pkgJson)
+    if (view !== null) results.push(view)
+  }
+  return results
+}
+describe('framework package allow-list — manifest parity', () => {
+  it('every allow-listed package exists in `packages/` with camstack.system: true', () => {
+    const pkgs = discoverWorkspacePackages()
+    for (const name of FRAMEWORK_PACKAGE_ALLOWLIST) {
+      const match = pkgs.find((p) => p.name === name)
+      expect(match, `expected ${name} in packages/`).toBeDefined()
+      expect(match?.system, `${name} must declare camstack.system: true`).toBe(true)
+    }
+  })
+  it('every workspace package with camstack.system: true is in the allow-list', () => {
+    const systemPkgs = discoverWorkspacePackages().filter((p) => p.system)
+    const allowSet = new Set(FRAMEWORK_PACKAGE_ALLOWLIST)
+    const orphans = systemPkgs.filter((p) => !allowSet.has(p.name))
+    expect(orphans.map((p) => p.name)).toEqual([])
+  })
+})
+describe('isFrameworkPackage', () => {
+  it('returns true for every allow-listed package', () => {
+    for (const name of FRAMEWORK_PACKAGE_ALLOWLIST) {
+      expect(isFrameworkPackage(name)).toBe(true)
+    }
+  })
+  it('returns false for addons and unknown packages', () => {
+    expect(isFrameworkPackage('@camstack/addon-stream-broker')).toBe(false)
+    expect(isFrameworkPackage('left-pad')).toBe(false)
+    expect(isFrameworkPackage('')).toBe(false)
+    expect(isFrameworkPackage('@camstack')).toBe(false)
+  })
+})

package/src/__tests__/https-e2e.test.ts ADDED Viewed

@@ -0,0 +1,118 @@
+/**
+ * HTTPS E2E tests — verify self-signed cert generation, HTTPS serving, and WSS agent connection.
+ */
+import { describe, it, expect, beforeAll, afterAll } from 'vitest'
+import * as fs from 'node:fs'
+import * as path from 'node:path'
+import * as os from 'node:os'
+import * as https from 'node:https'
+import { X509Certificate } from 'node:crypto'
+// Import directly from source submodule because vitest+swc doesn't resolve
+// `export * from './tls/index.js'` barrel re-exports in the @camstack/core index.
+import { ensureTlsCert, loadTlsCert } from '../../../../packages/core/src/tls/cert-manager'
+describe('HTTPS E2E', () => {
+  let tmpDir: string
+  beforeAll(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'camstack-https-e2e-'))
+  })
+  afterAll(() => {
+    fs.rmSync(tmpDir, { recursive: true, force: true })
+  })
+  it('generates a valid self-signed cert on first call', async () => {
+    const result = await ensureTlsCert(tmpDir)
+    expect(result.generated).toBe(true)
+    // Verify cert file is valid PEM
+    const certPem = fs.readFileSync(result.certPath, 'utf-8')
+    expect(certPem).toContain('-----BEGIN CERTIFICATE-----')
+    // Parse and validate
+    const x509 = new X509Certificate(certPem)
+    expect(x509.subject).toContain('CN=camstack.local')
+    // Check SAN includes localhost
+    const san = x509.subjectAltName ?? ''
+    expect(san).toContain('DNS:localhost')
+    expect(san).toContain('IP Address:127.0.0.1')
+    // Check validity (at least 1 year)
+    const validTo = new Date(x509.validTo)
+    const oneYear = new Date()
+    oneYear.setFullYear(oneYear.getFullYear() + 1)
+    expect(validTo.getTime()).toBeGreaterThan(oneYear.getTime() - 86400000)
+  })
+  it('reuses existing cert on subsequent calls', async () => {
+    const first = await ensureTlsCert(tmpDir)
+    const second = await ensureTlsCert(tmpDir)
+    expect(second.generated).toBe(false)
+    const cert1 = fs.readFileSync(first.certPath, 'utf-8')
+    const cert2 = fs.readFileSync(second.certPath, 'utf-8')
+    expect(cert1).toBe(cert2)
+  })
+  it('serves HTTPS with the generated cert', async () => {
+    const { certPath, keyPath } = await ensureTlsCert(tmpDir)
+    const { cert, key } = loadTlsCert(certPath, keyPath)
+    const server = https.createServer({ cert, key }, (_req, res) => {
+      res.writeHead(200, { 'Content-Type': 'text/plain' })
+      res.end('camstack-ok')
+    })
+    const port = 10000 + Math.floor(Math.random() * 50000)
+    await new Promise<void>((resolve) => server.listen(port, '127.0.0.1', resolve))
+    try {
+      const body = await new Promise<string>((resolve, reject) => {
+        const req = https.request(
+          { hostname: '127.0.0.1', port, path: '/', method: 'GET', rejectUnauthorized: false },
+          (res) => {
+            let data = ''
+            res.on('data', (c) => { data += c })
+            res.on('end', () => resolve(data))
+          },
+        )
+        req.on('error', reject)
+        req.end()
+      })
+      expect(body).toBe('camstack-ok')
+    } finally {
+      server.close()
+    }
+  })
+  it('TLS disabled falls back to HTTP', async () => {
+    // When tls.enabled = false, server should work over plain HTTP
+    // This is a config-level test, verified by checking that FastifyAdapter
+    // receives no https options when tls is disabled
+    const http = await import('node:http')
+    const server = http.createServer((_req, res) => {
+      res.writeHead(200)
+      res.end('http-ok')
+    })
+    const port = 10000 + Math.floor(Math.random() * 50000)
+    await new Promise<void>((resolve) => server.listen(port, '127.0.0.1', resolve))
+    try {
+      const body = await new Promise<string>((resolve, reject) => {
+        http.get(`http://127.0.0.1:${port}/`, (res) => {
+          let data = ''
+          res.on('data', (c) => { data += c })
+          res.on('end', () => resolve(data))
+        }).on('error', reject)
+      })
+      expect(body).toBe('http-ok')
+    } finally {
+      server.close()
+    }
+  })
+})