@co0ontty/wand 1.31.3 → 1.32.0

package/dist/auth.d.ts

@@ -1,4 +1,24 @@
 import { WandStorage } from "./storage.js";
+/**
+ * Cookie 名按 scheme 隔离 —— 解决浏览器 Strict Secure Cookies 在 HTTPS↔HTTP 切换时
+ * "新 Set-Cookie 被同名 Secure 旧 cookie 静默丢弃"导致登录后立刻 401 的问题。
+ *
+ *   - HTTPS 模式：`__Host-wand_session`（强制 Secure + Path=/，安全性更高）
+ *   - HTTP 模式：`wand_session_local`（独立名字，不会被 HTTPS 留下的 Secure cookie 拦截）
+ *   - `wand_session`：legacy 名字。HTTPS 模式下仍写一份用于兼容老 macOS APP（写死了找
+ *     `wand_session`），同时让升级前的老登录态在过渡期不被踢。
+ *
+ * 读取顺序按"当前 scheme 主名字 → legacy"逐项 fallback。
+ */
+export declare const SESSION_COOKIE_HTTPS = "__Host-wand_session";
+export declare const SESSION_COOKIE_HTTP = "wand_session_local";
+export declare const SESSION_COOKIE_LEGACY = "wand_session";
+/** 解析 Cookie 头，按候选名字顺序返回第一个匹配到的 token 值。 */
+export declare function readSessionCookie(req: {
+    headers: {
+        cookie?: string;
+    };
+}, useHttps: boolean): string | undefined;
 export declare function createSession(): string;
 export declare function validateSession(token: string | undefined): boolean;
 export declare function revokeSession(token: string | undefined): void;

package/dist/auth.js

@@ -2,6 +2,37 @@ import crypto from "node:crypto";
 const sessions = new Map();
 const SESSION_TTL_MS = 1000 * 60 * 60 * 12;
 let storage = null;
+/**
+ * Cookie 名按 scheme 隔离 —— 解决浏览器 Strict Secure Cookies 在 HTTPS↔HTTP 切换时
+ * "新 Set-Cookie 被同名 Secure 旧 cookie 静默丢弃"导致登录后立刻 401 的问题。
+ *
+ *   - HTTPS 模式：`__Host-wand_session`（强制 Secure + Path=/，安全性更高）
+ *   - HTTP 模式：`wand_session_local`（独立名字，不会被 HTTPS 留下的 Secure cookie 拦截）
+ *   - `wand_session`：legacy 名字。HTTPS 模式下仍写一份用于兼容老 macOS APP（写死了找
+ *     `wand_session`），同时让升级前的老登录态在过渡期不被踢。
+ *
+ * 读取顺序按"当前 scheme 主名字 → legacy"逐项 fallback。
+ */
+export const SESSION_COOKIE_HTTPS = "__Host-wand_session";
+export const SESSION_COOKIE_HTTP = "wand_session_local";
+export const SESSION_COOKIE_LEGACY = "wand_session";
+/** 解析 Cookie 头，按候选名字顺序返回第一个匹配到的 token 值。 */
+export function readSessionCookie(req, useHttps) {
+    const cookie = req.headers.cookie;
+    if (!cookie)
+        return undefined;
+    const parts = cookie.split(";").map((part) => part.trim());
+    const order = useHttps
+        ? [SESSION_COOKIE_HTTPS, SESSION_COOKIE_LEGACY, SESSION_COOKIE_HTTP]
+        : [SESSION_COOKIE_HTTP, SESSION_COOKIE_LEGACY, SESSION_COOKIE_HTTPS];
+    for (const name of order) {
+        const prefix = `${name}=`;
+        const hit = parts.find((part) => part.startsWith(prefix));
+        if (hit)
+            return hit.slice(prefix.length);
+    }
+    return undefined;
+}
 // Periodic cleanup every 10 minutes
 const sessionCleanupTimer = setInterval(() => {
     cleanupExpiredSessions();

package/dist/cert.d.ts

@@ -1,8 +1,23 @@
 export interface SSLConfig {
     key: Buffer;
     cert: Buffer;
+    /** 实际生效的证书路径，用于 `/cert/server.crt` 下载路由。 */
+    certPath: string;
+    /** SHA-256 指纹（大写 + 冒号分隔），方便用户在浏览器里核对。 */
+    fingerprint: string;
+    /** 是否走的是用户自备证书。true = 自带，false = wand 自签。 */
+    userProvided: boolean;
+}
+export interface EnsureCertificatesOptions {
+    /** 用户自带证书路径（PEM）。配了且存在就直接用。 */
+    userCertPath?: string;
+    userKeyPath?: string;
 }
 /**
- * Ensure certificates exist, generate if not
+ * 主入口：装载 TLS 证书。优先级（高 → 低）：
+ *   1. options.userCertPath / userKeyPath（config.tls）
+ *   2. 配置目录下已存在的 server.crt + server.key
+ *   3. 用 openssl 现场生成自签
+ *   4. node crypto 兜底（产出非法证书，主要避免崩溃）
  */
-export declare function ensureCertificates(configDir: string): SSLConfig;
+export declare function ensureCertificates(configDir: string, options?: EnsureCertificatesOptions): SSLConfig;

package/dist/cert.js

@@ -1,5 +1,7 @@
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { execSync } from "node:child_process";
+import { createHash } from "node:crypto";
+import os from "node:os";
 import path from "node:path";
 function getCertificatePaths(configDir) {
     return {
@@ -10,38 +12,85 @@ function getCertificatePaths(configDir) {
 function certificatesExist(paths) {
     return existsSync(paths.keyPath) && existsSync(paths.certPath);
 }
-function loadCertificates(paths) {
+function readPair(keyPath, certPath) {
     try {
-        if (!certificatesExist(paths)) {
+        if (!existsSync(keyPath) || !existsSync(certPath))
             return null;
-        }
-        return {
-            key: readFileSync(paths.keyPath),
-            cert: readFileSync(paths.certPath)
-        };
+        return { key: readFileSync(keyPath), cert: readFileSync(certPath) };
     }
     catch {
         return null;
     }
 }
 /**
- * Generate self-signed certificate using openssl
+ * 收集本机所有可外部访问的 IPv4 地址 + hostname，作为自签证书的 SAN。
+ * 之前 SAN 只有 `localhost,127.0.0.1`，从手机/局域网用 `https://192.168.x.x` 访问
+ * 时浏览器会直接拒绝（NET::ERR_CERT_COMMON_NAME_INVALID），连页面都打不开。
+ */
+function collectSanEntries() {
+    const dns = new Set(["localhost"]);
+    const ip = new Set(["127.0.0.1", "::1"]);
+    const hostname = os.hostname();
+    if (hostname && hostname !== "localhost") {
+        dns.add(hostname);
+        // 部分 mDNS 环境下 hostname.local 也能解析
+        if (!hostname.endsWith(".local"))
+            dns.add(`${hostname}.local`);
+    }
+    const ifaces = os.networkInterfaces();
+    for (const list of Object.values(ifaces)) {
+        if (!list)
+            continue;
+        for (const entry of list) {
+            if (entry.internal)
+                continue;
+            // Node 18+ entry.family 是 "IPv4" | "IPv6"，旧版本是 4 | 6
+            const fam = entry.family;
+            if (fam === "IPv4" || fam === 4 || fam === "IPv6" || fam === 6) {
+                ip.add(entry.address.split("%")[0]); // 去掉 zone-id
+            }
+        }
+    }
+    return { dns: [...dns], ip: [...ip] };
+}
+function buildSanArg() {
+    const { dns, ip } = collectSanEntries();
+    const parts = [];
+    for (const d of dns)
+        parts.push(`DNS:${d}`);
+    for (const i of ip)
+        parts.push(`IP:${i}`);
+    return parts.join(",");
+}
+function computeFingerprint(certPem) {
+    const text = certPem.toString("utf8");
+    const match = text.match(/-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/);
+    if (!match)
+        return "(unavailable)";
+    const der = Buffer.from(match[1].replace(/\s+/g, ""), "base64");
+    const hex = createHash("sha256").update(der).digest("hex").toUpperCase();
+    return hex.match(/.{2}/g).join(":");
+}
+/**
+ * 生成 self-signed 证书（OpenSSL 路径）。SAN 覆盖本机 hostname / LAN IP，
+ * 这样从手机/局域网设备访问 `https://<LAN IP>:port/` 时不会撞 SAN 不匹配。
  */
 function generateWithOpenSSL(paths) {
     try {
-        // Check if openssl is available
         execSync("openssl version", { stdio: "pipe" });
         const dir = path.dirname(paths.keyPath);
-        if (!existsSync(dir)) {
+        if (!existsSync(dir))
             mkdirSync(dir, { recursive: true });
-        }
-        // Generate private key
         execSync(`openssl genrsa -out "${paths.keyPath}" 2048`, { stdio: "pipe" });
-        // Generate self-signed certificate (valid for 365 days)
-        execSync(`openssl req -new -x509 -key "${paths.keyPath}" -out "${paths.certPath}" -days 365 -subj "/CN=localhost/O=Wand Local Development" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"`, { stdio: "pipe" });
+        const san = buildSanArg();
+        execSync(`openssl req -new -x509 -key "${paths.keyPath}" -out "${paths.certPath}" -days 825 ` +
+            `-subj "/CN=wand-local/O=Wand Local Development" ` +
+            `-addext "subjectAltName=${san}" ` +
+            `-addext "extendedKeyUsage=serverAuth" ` +
+            `-addext "basicConstraints=critical,CA:FALSE"`, { stdio: "pipe" });
         return {
             key: readFileSync(paths.keyPath),
-            cert: readFileSync(paths.certPath)
+            cert: readFileSync(paths.certPath),
         };
     }
     catch {
@@ -49,76 +98,83 @@ function generateWithOpenSSL(paths) {
     }
 }
 /**
- * Generate a simple self-signed certificate without openssl
- * Uses Node.js crypto to create RSA key and a basic certificate
+ * 没有 openssl 时的兜底：用 node 内置 crypto 生成 RSA 密钥，证书部分写一个
+ * 明显的 placeholder PEM。这条路径产出的证书**无法被浏览器接受**，主要是为了
+ * 不让 HTTPS 监听直接崩；启动日志会强烈建议用户装 openssl 或自备证书。
  */
 function generateWithoutOpenSSL(paths) {
     const dir = path.dirname(paths.keyPath);
-    if (!existsSync(dir)) {
+    if (!existsSync(dir))
         mkdirSync(dir, { recursive: true });
-    }
-    // Use Node.js built-in crypto to generate key
-    // For certificate, we'll create a minimal PEM structure
-    // This is a simplified approach - for production, use proper tools
     const { generateKeyPairSync } = require("node:crypto");
-    const { privateKey, publicKey } = generateKeyPairSync("rsa", {
+    const { privateKey } = generateKeyPairSync("rsa", {
         modulusLength: 2048,
         publicKeyEncoding: { type: "spki", format: "pem" },
-        privateKeyEncoding: { type: "pkcs8", format: "pem" }
+        privateKeyEncoding: { type: "pkcs8", format: "pem" },
     });
-    // Create a minimal certificate (browsers will warn, but it works)
-    const cert = createMinimalCert(privateKey);
+    const cert = "-----BEGIN CERTIFICATE-----\n" +
+        "MIIBkTCB+wIJAKHBfPOPlvfoMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBnNh\n" +
+        "bmRib3gwHhcNMjQwMTAxMDAwMDAwWhcNMjUwMTAxMDAwMDAwWjARMQ8wDQYDVQQD\n" +
+        "DAZzYW5kYm94MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALLgGbUPZxEvLPLXZQrz\n" +
+        "KxLhP5EoaUuB7V8FYA5JQZbRE6RkxEKkR8jFQHOcQYevGQYEbXvKZ0WxR2BqMJsC\n" +
+        "AwEAAaMgMB4wDQYJKoZIhvcNAQELBQADQQBpMq0NweMwF7fh0TiMwFCTzC/wK7fR\n" +
+        "e0WxR2BqMJsC\n" +
+        "-----END CERTIFICATE-----\n";
     writeFileSync(paths.keyPath, privateKey, { mode: 0o600 });
     writeFileSync(paths.certPath, cert, { mode: 0o644 });
-    return {
-        key: Buffer.from(privateKey),
-        cert: Buffer.from(cert)
-    };
-}
-/**
- * Create a minimal self-signed certificate
- * Note: This creates a very basic cert structure
- */
-function createMinimalCert(privateKeyPem) {
-    // For a proper cert, we'd need node-forge or similar
-    // Instead, create a placeholder that prompts the user
-    const placeholder = `-----BEGIN CERTIFICATE-----
-MIIBkTCB+wIJAKHBfPOPlvfoMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBnNh
-bmRib3gwHhcNMjQwMTAxMDAwMDAwWhcNMjUwMTAxMDAwMDAwWjARMQ8wDQYDVQQD
-DAZzYW5kYm94MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALLgGbUPZxEvLPLXZQrz
-KxLhP5EoaUuB7V8FYA5JQZbRE6RkxEKkR8jFQHOcQYevGQYEbXvKZ0WxR2BqMJsC
-AwEAAaMgMB4wDQYJKoZIhvcNAQELBQADQQBpMq0NweMwF7fh0TiMwFCTzC/wK7fR
-e0WxR2BqMJsC
------END CERTIFICATE-----`;
-    process.stderr.write("\x1b[33m[wand] Warning: Generated basic certificate. For better compatibility,\n" +
-        "[wand] install openssl or provide your own certificate files.\n" +
-        "[wand] Certificate files should be at:\n" +
-        "[wand]   - server.key (private key)\n" +
-        "[wand]   - server.crt (certificate)\x1b[0m\n");
-    return placeholder;
+    process.stderr.write("\x1b[33m[wand] 警告：未检测到 openssl，写出的是无效占位证书。\n" +
+        "[wand] 请安装 openssl，或在 config.json 里配 tls.certPath / tls.keyPath\n" +
+        "[wand] 指向自备证书（推荐 mkcert：mkcert -install && mkcert localhost <hostname> <LAN-IP>）。\x1b[0m\n");
+    return { key: Buffer.from(privateKey), cert: Buffer.from(cert) };
 }
 /**
- * Ensure certificates exist, generate if not
+ * 主入口：装载 TLS 证书。优先级（高 → 低）：
+ *   1. options.userCertPath / userKeyPath（config.tls）
+ *   2. 配置目录下已存在的 server.crt + server.key
+ *   3. 用 openssl 现场生成自签
+ *   4. node crypto 兜底（产出非法证书，主要避免崩溃）
  */
-export function ensureCertificates(configDir) {
+export function ensureCertificates(configDir, options = {}) {
+    // 1. 用户自备证书
+    if (options.userCertPath && options.userKeyPath) {
+        const pair = readPair(options.userKeyPath, options.userCertPath);
+        if (pair) {
+            const fingerprint = computeFingerprint(pair.cert);
+            process.stdout.write(`[wand] 使用 config.tls 指定的证书：${options.userCertPath}\n` +
+                `[wand] SHA-256 指纹: ${fingerprint}\n`);
+            return { ...pair, certPath: options.userCertPath, fingerprint, userProvided: true };
+        }
+        process.stderr.write(`\x1b[33m[wand] 警告：config.tls 指向的证书文件无法读取（cert=${options.userCertPath}, key=${options.userKeyPath}），回退到默认自签流程。\x1b[0m\n`);
+    }
     const paths = getCertificatePaths(configDir);
-    // Try to load existing certificates
-    const existing = loadCertificates(paths);
+    // 2. 已存在的自签
+    const existing = readPair(paths.keyPath, paths.certPath);
     if (existing) {
-        return existing;
+        return {
+            ...existing,
+            certPath: paths.certPath,
+            fingerprint: computeFingerprint(existing.cert),
+            userProvided: false,
+        };
     }
-    process.stdout.write("[wand] Generating self-signed HTTPS certificate...\n");
-    // Try openssl first
+    process.stdout.write("[wand] 正在生成 self-signed HTTPS 证书…\n");
+    // 3. OpenSSL
     const ssl = generateWithOpenSSL(paths);
     if (ssl) {
-        process.stdout.write(`[wand] Certificate saved to ${paths.certPath}\n`);
-        process.stdout.write("[wand] Note: Browsers will show a security warning for self-signed certificates.\n");
-        process.stdout.write("[wand] You can replace these files with your own certificates if needed.\n");
-        return ssl;
+        const fingerprint = computeFingerprint(ssl.cert);
+        process.stdout.write(`[wand] 证书已写入 ${paths.certPath}\n` +
+            `[wand] SHA-256 指纹: ${fingerprint}\n` +
+            `[wand] 注意：自签证书浏览器会标红；PWA / Service Worker 需要把它导入受信任根证书才能工作。\n` +
+            `[wand] HTTPS 启用后可通过 GET /cert/server.crt 在客户端下载安装。\n`);
+        return { ...ssl, certPath: paths.certPath, fingerprint, userProvided: false };
     }
-    // Fallback to basic generation
-    process.stdout.write("[wand] OpenSSL not found, using basic certificate generation...\n");
-    const basicSsl = generateWithoutOpenSSL(paths);
-    process.stdout.write(`[wand] Certificate saved to ${paths.certPath}\n`);
-    return basicSsl;
+    // 4. 兜底
+    process.stdout.write("[wand] 未检测到 openssl，使用 node crypto 兜底（产出占位证书，仅防崩）。\n");
+    const fallback = generateWithoutOpenSSL(paths);
+    return {
+        ...fallback,
+        certPath: paths.certPath,
+        fingerprint: computeFingerprint(fallback.cert),
+        userProvided: false,
+    };
 }

package/dist/config.js

@@ -424,6 +424,18 @@ function mergeWithDefaults(input) {
         ...input,
         // Ensure https is boolean
         https: typeof input.https === "boolean" ? input.https : defaults.https,
+        tls: (() => {
+            if (!input.tls || typeof input.tls !== "object")
+                return undefined;
+            const certPath = typeof input.tls.certPath === "string" ? input.tls.certPath.trim() : "";
+            const keyPath = typeof input.tls.keyPath === "string" ? input.tls.keyPath.trim() : "";
+            if (!certPath && !keyPath)
+                return undefined;
+            return {
+                ...(certPath ? { certPath } : {}),
+                ...(keyPath ? { keyPath } : {}),
+            };
+        })(),
         defaultCwd: typeof input.defaultCwd === "string" && input.defaultCwd.trim()
             ? input.defaultCwd
             : defaults.defaultCwd,

package/dist/server.js

@@ -11,7 +11,7 @@ import path from "node:path";
 import process from "node:process";
 import { WebSocketServer } from "ws";
 import { ensureAvatarSeed, getAvatarSvg } from "./avatar.js";
-import { createSession, revokeSession, setAuthStorage, validateSession } from "./auth.js";
+import { createSession, readSessionCookie, revokeSession, SESSION_COOKIE_HTTP, SESSION_COOKIE_HTTPS, SESSION_COOKIE_LEGACY, setAuthStorage, validateSession, } from "./auth.js";
 import { ensureCertificates } from "./cert.js";
 import { buildChildEnv } from "./env-utils.js";
 import { isExecutionMode, PREFERENCE_KEYS, resolveConfigDir, saveConfig, writePreferenceToStorage, } from "./config.js";
@@ -367,19 +367,14 @@ async function enrichWithGitStatus(items, dirPath) {
     }
 }
 // ── Auth helpers ──
-function requireAuth(req, res, next) {
-    if (!validateSession(readSessionCookie(req))) {
-        res.status(401).json({ error: "未授权，请先登录。" });
-        return;
-    }
-    next();
-}
-function readSessionCookie(req) {
-    const cookie = req.headers.cookie;
-    if (!cookie)
-        return undefined;
-    const match = cookie.split(";").map((part) => part.trim()).find((part) => part.startsWith("wand_session="));
-    return match?.slice("wand_session=".length);
+function buildRequireAuth(useHttps) {
+    return function requireAuth(req, res, next) {
+        if (!validateSession(readSessionCookie(req, useHttps))) {
+            res.status(401).json({ error: "未授权，请先登录。" });
+            return;
+        }
+        next();
+    };
 }
 // ── App connection token helpers ──
 function generateAppToken(password, secret) {
@@ -738,26 +733,6 @@ function classifyFile(ext, baseName) {
 function mimeForExt(ext) {
     return MIME_BY_EXT[ext.toLowerCase()] || "application/octet-stream";
 }
-/** Hidden files that should still surface even when "show hidden" is off. */
-const HIDDEN_ALLOWLIST = new Set([
-    ".gitignore", ".gitattributes", ".gitmodules",
-    ".env", ".env.local", ".env.example",
-    ".editorconfig", ".prettierrc", ".eslintrc",
-    ".dockerignore", ".npmrc", ".nvmrc",
-    ".browserslistrc", ".babelrc",
-]);
-function isHiddenEntry(name) {
-    if (!name.startsWith("."))
-        return false;
-    if (HIDDEN_ALLOWLIST.has(name))
-        return false;
-    // Common patterns like `.env.production` are also kept visible
-    for (const allowed of HIDDEN_ALLOWLIST) {
-        if (name.startsWith(allowed + "."))
-            return false;
-    }
-    return true;
-}
 export async function startServer(config, configPath) {
     const app = express();
     const storage = new WandStorage(resolveDatabasePath(configPath));
@@ -769,6 +744,7 @@ export async function startServer(config, configPath) {
     const structuredSessions = new StructuredSessionManager(storage, config, structuredLogger);
     const useHttps = config.https === true;
     const protocol = useHttps ? "https" : "http";
+    const requireAuth = buildRequireAuth(useHttps);
     const nodeModulesDir = path.join(RUNTIME_ROOT_DIR, "node_modules");
     app.use(express.json({ limit: "1mb" }));
     app.use(compression({ threshold: 1024 }));
@@ -878,17 +854,34 @@ export async function startServer(config, configPath) {
         }
         resetRateLimit(clientIp);
         const token = createSession();
-        res.cookie("wand_session", token, {
+        const cookieOpts = {
             httpOnly: true,
             sameSite: "strict",
-            secure: useHttps,
+            path: "/",
             maxAge: 1000 * 60 * 60 * 12,
-        });
+        };
+        // 主 cookie：按 scheme 分名字，避免被旧的同名 Secure cookie 阻挡覆盖。
+        // 兼容 cookie `wand_session`：老 macOS APP（WandAuth.swift 写死了找 `wand_session`）需要这份才能登录。
+        //   - HTTPS 模式：legacy 也带 Secure，浏览器与 APP 都能用
+        //   - HTTP 模式：legacy 不带 Secure。浏览器场景下若之前留有同名 Secure cookie 会被 Strict Secure
+        //     Cookies 拦截（无害噪音，主 cookie `wand_session_local` 兜得住）；APP 走 native cookie API
+        //     不受这条策略约束，能正确拿到
+        if (useHttps) {
+            res.cookie(SESSION_COOKIE_HTTPS, token, { ...cookieOpts, secure: true });
+            res.cookie(SESSION_COOKIE_LEGACY, token, { ...cookieOpts, secure: true });
+        }
+        else {
+            res.cookie(SESSION_COOKIE_HTTP, token, { ...cookieOpts, secure: false });
+            res.cookie(SESSION_COOKIE_LEGACY, token, { ...cookieOpts, secure: false });
+        }
         res.json({ ok: true });
     });
     app.post("/api/logout", (req, res) => {
-        revokeSession(readSessionCookie(req));
-        res.clearCookie("wand_session");
+        revokeSession(readSessionCookie(req, useHttps));
+        // 全部名字都清一遍，避免遗留 cookie 在下次同源访问时被回放。
+        for (const name of [SESSION_COOKIE_HTTPS, SESSION_COOKIE_HTTP, SESSION_COOKIE_LEGACY]) {
+            res.clearCookie(name, { path: "/" });
+        }
         res.json({ ok: true });
     });
     app.post("/api/set-password", requireAuth, (req, res) => {
@@ -978,7 +971,7 @@ export async function startServer(config, configPath) {
     });
     // Public probe so the unauthenticated browser does not log a 401 on /api/config
     app.get("/api/session-check", (req, res) => {
-        res.json({ authed: validateSession(readSessionCookie(req)) });
+        res.json({ authed: validateSession(readSessionCookie(req, useHttps)) });
     });
     app.use("/api", requireAuth);
     // ── Config & Session info ──
@@ -1361,16 +1354,10 @@ export async function startServer(config, configPath) {
     app.get("/api/directory", async (req, res) => {
         const q = typeof req.query.q === "string" ? req.query.q : "";
         const includeGitStatus = req.query.gitStatus === "true";
-        const showHidden = req.query.showHidden === "true";
         const targetPath = path.resolve(q || config.defaultCwd);
-        if (isBlockedFolderPath(targetPath)) {
-            res.status(403).json({ error: "访问被拒绝：无法访问系统敏感目录。" });
-            return;
-        }
         try {
             const entries = await readdir(targetPath, { withFileTypes: true });
-            const visible = showHidden ? entries : entries.filter((e) => !isHiddenEntry(e.name));
-            const sorted = visible.sort((a, b) => {
+            const sorted = entries.sort((a, b) => {
                 if (a.isDirectory() && !b.isDirectory())
                     return -1;
                 if (!a.isDirectory() && b.isDirectory())
@@ -1764,8 +1751,6 @@ export async function startServer(config, configPath) {
                 for (const entry of entries) {
                     if (results.length >= maxResults)
                         break;
-                    if (entry.name.startsWith(".") || entry.name === "node_modules")
-                        continue;
                     const entryPath = path.join(dirPath, entry.name);
                     const nameLower = entry.name.toLowerCase();
                     const matchIndex = nameLower.indexOf(queryLower);
@@ -1823,12 +1808,36 @@ export async function startServer(config, configPath) {
         }
     });
     // ── WebSocket broadcast layer ──
+    let activeSslCertPath = null;
     const server = useHttps
         ? (() => {
-            const ssl = ensureCertificates(resolveConfigDir(configPath));
+            const ssl = ensureCertificates(resolveConfigDir(configPath), {
+                userCertPath: config.tls?.certPath,
+                userKeyPath: config.tls?.keyPath,
+            });
+            activeSslCertPath = ssl.certPath;
             return createHttpsServer({ key: ssl.key, cert: ssl.cert }, app);
         })()
         : createHttpServer(app);
+    // 公开下载当前证书 —— 方便从手机/其他终端拉证书并导入信任链。
+    // 不鉴权：证书本身是公开材料（不含私钥），泄露不影响安全。
+    if (useHttps && activeSslCertPath) {
+        const certPath = activeSslCertPath;
+        app.get("/cert/server.crt", (_req, res) => {
+            try {
+                if (!existsSync(certPath)) {
+                    res.status(404).type("text/plain").send("证书文件不存在");
+                    return;
+                }
+                res.setHeader("Content-Type", "application/x-x509-ca-cert");
+                res.setHeader("Content-Disposition", 'attachment; filename="wand-server.crt"');
+                res.send(readFileSync(certPath));
+            }
+            catch (err) {
+                res.status(500).type("text/plain").send(`读取证书失败: ${getErrorMessage(err, "未知错误")}`);
+            }
+        });
+    }
     const wss = new WebSocketServer({
         server,
         path: "/ws",
@@ -1838,7 +1847,7 @@ export async function startServer(config, configPath) {
             concurrencyLimit: 10,
         },
     });
-    const wsManager = new WsBroadcastManager(wss, () => config.cardDefaults ?? {});
+    const wsManager = new WsBroadcastManager(wss, () => config.cardDefaults ?? {}, useHttps);
     wsManager.setup((id) => structuredSessions.get(id) ?? processes.get(id));
     // Wire process events to WebSocket broadcast
     processes.on("process", (event) => {

package/dist/tui/commands.js

@@ -428,6 +428,42 @@ function resolveWandBin(ctx) {
         return which.stdout.trim();
     return "wand";
 }
+/**
+ * 构造写入 service unit 的 PATH，要覆盖以下来源（按优先级、去重）：
+ *   1. nodeBinDir —— 保证 service 用的 node 和 install 时的一致
+ *   2. process.env.PATH —— 调用 install 的终端 PATH，里面包含用户实际能跑通的 claude/codex 等
+ *   3. 常见用户级 bin 兜底（~/.local/bin / ~/.npm-global/bin / ~/bin）—— 防 sudo 把 PATH 收窄
+ *   4. /usr/local/... 等系统标准路径
+ * 用 sudo 装系统级服务时 `process.env.PATH` 会被 secure_path 替换为极简集合，
+ * 所以兜底路径不能省，否则又退化回 "command not found" 现场。
+ */
+function buildServicePath(nodeBinDir, home) {
+    const out = [];
+    const seen = new Set();
+    const push = (raw) => {
+        if (!raw)
+            return;
+        for (const seg of raw.split(":")) {
+            const trimmed = seg.trim();
+            if (!trimmed || seen.has(trimmed))
+                continue;
+            seen.add(trimmed);
+            out.push(trimmed);
+        }
+    };
+    push(nodeBinDir);
+    push(process.env.PATH);
+    push(`${home}/.local/bin`);
+    push(`${home}/.npm-global/bin`);
+    push(`${home}/bin`);
+    push("/usr/local/sbin");
+    push("/usr/local/bin");
+    push("/usr/sbin");
+    push("/usr/bin");
+    push("/sbin");
+    push("/bin");
+    return out.join(":");
+}
 /** 当前 process 的真实用户名（system unit 里要写 User=）。 */
 function currentUserName() {
     try {
@@ -442,6 +478,12 @@ function installSystemdService(ctx, scope) {
     const wandBin = resolveWandBin(ctx);
     const nodeBin = process.execPath;
     const nodeBinDir = path.dirname(nodeBin);
+    const runHome = process.env.HOME || os.homedir();
+    // 关键：把调用 `wand service:install` 时的真实 PATH 写进 unit。
+    // 否则 systemd 默认 PATH 极简（system scope 之前写死 `nodeBin:/usr/local/...`，
+    // user scope 干脆没写），spawn 出的 claude/codex 子进程会撞 "command not found"
+    // ——比如 claude 装在 ~/.local/bin、npm global 装在 ~/.npm-global/bin 都不在默认 PATH 里。
+    const servicePath = buildServicePath(nodeBinDir, runHome);
     // 共同字段
     const commonExec = [
         "[Unit]",
@@ -453,24 +495,21 @@ function installSystemdService(ctx, scope) {
         "Type=simple",
         `ExecStart=${nodeBin} ${wandBin} web -c ${ctx.configPath}`,
         `Environment=WAND_NO_TUI=1`,
+        `Environment=PATH=${servicePath}`,
         "Restart=always",
         "RestartSec=3",
         "StandardOutput=journal",
         "StandardError=journal",
         "SyslogIdentifier=wand",
     ];
-    // system scope 额外要：User= / HOME= / PATH=（systemd 系统级 service 默认 HOME=/root 是不行的，
-    // 而且 PATH 极简，nvm 装的 node spawn 出来的 npm 子进程找不到）
     let unitLines;
     if (scope === "system") {
         const runUser = currentUserName();
-        const runHome = process.env.HOME || os.homedir();
         unitLines = [
             ...commonExec,
             `User=${runUser}`,
             `WorkingDirectory=${runHome}`,
             `Environment=HOME=${runHome}`,
-            `Environment=PATH=${nodeBinDir}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`,
             "OOMScoreAdjust=-500",
             "",
             "[Install]",
@@ -479,7 +518,8 @@ function installSystemdService(ctx, scope) {
         ];
     }
     else {
-        // user scope: 跑在 user@<uid>.service cgroup 内，HOME/PATH 自带
+        // user scope: 跑在 user@<uid>.service cgroup 内，HOME 自带；PATH 也要写，
+        // systemd 用户实例默认 PATH 同样不含 ~/.local/bin、nvm、npm-global 这些。
         unitLines = [
             ...commonExec,
             "",
@@ -547,6 +587,10 @@ function installLaunchdService(ctx, scope) {
     const plistPath = servicePathFor(scope);
     const wandBin = resolveWandBin(ctx);
     const nodeBin = process.execPath;
+    const nodeBinDir = path.dirname(nodeBin);
+    const runHome = process.env.HOME || os.homedir();
+    // 与 systemd 同理：launchd 默认 PATH 极简，spawn 出的 claude 会找不到。
+    const servicePath = buildServicePath(nodeBinDir, runHome);
     // LaunchDaemon (system) 跑在 root，但 wand 数据应该归 ctx.configPath 的 owner；
     // 简化处理：system 模式下不强制改 owner，让用户自己提前 chown。
     const plist = `<?xml version="1.0" encoding="UTF-8"?>
@@ -565,6 +609,8 @@ function installLaunchdService(ctx, scope) {
   <key>EnvironmentVariables</key>
   <dict>
     <key>WAND_NO_TUI</key><string>1</string>
+    <key>PATH</key><string>${servicePath}</string>
+    <key>HOME</key><string>${runHome}</string>
   </dict>
   <key>RunAtLoad</key><true/>
   <key>KeepAlive</key><true/>