@iann29/synapse 1.8.7 → 1.8.9

package/lib/commands/https-status.js

@@ -0,0 +1,154 @@
+// `synapse https status [domain]` — diagnose what's already
+// configured. With a domain: deep dive on that one. Without: list
+// every domain under ~/.config/dev-certs/.
+
+const fs = require("node:fs");
+const path = require("node:path");
+const colors = require("../colors");
+const { extractFlags } = require("./_resource");
+const detectMod = require("../https/detect");
+
+function renderDomainStatus(detection, { stdout }) {
+  const sym = (b) => (b ? colors.green("✓") : colors.dim("·"));
+  stdout.write(`${colors.bold(detection.domain)}\n`);
+  stdout.write(
+    `  ${sym(detection.mkcert.present)} mkcert ${
+      detection.mkcert.present ? colors.dim(detection.mkcert.version) : colors.red("missing")
+    }\n`,
+  );
+  stdout.write(
+    `  ${sym(detection.caTrusted)} CA trusted${
+      detection.caTrusted ? "" : colors.red(" (run `mkcert -install`)")
+    }\n`,
+  );
+  const certPresent = detection.existingCerts && detection.existingCerts.present;
+  stdout.write(
+    `  ${sym(certPresent)} cert pair ${
+      certPresent ? colors.dim(detection.existingCerts.certPath) : colors.dim("(not generated yet)")
+    }\n`,
+  );
+  if (certPresent && detection.existingCerts.expiry) {
+    stdout.write(colors.dim(`     expires ${detection.existingCerts.expiry}\n`));
+  }
+  const resolves = detection.resolution.resolvesToLoopback;
+  const src = detection.resolution.source;
+  stdout.write(
+    `  ${sym(resolves)} resolves to 127.0.0.1 ${
+      resolves ? colors.dim(`(via ${src})`) : colors.red("(no — add to hosts or DNS A record)")
+    }\n`,
+  );
+  const scriptOk = !!detection.pkg.existingDevHttps;
+  stdout.write(
+    `  ${sym(scriptOk)} package.json dev:https ${
+      scriptOk
+        ? colors.dim("set")
+        : detection.pkg.present
+          ? colors.dim("(missing in cwd's package.json)")
+          : colors.dim("(no package.json in cwd)")
+    }\n`,
+  );
+}
+
+module.exports = {
+  name: "https status",
+  summary: "Show local-HTTPS state for one domain or every configured domain.",
+  usage: "synapse https status [domain] [--json]",
+  description: `Without a domain: lists every cert directory in ~/.config/dev-certs/.
+With a domain: prints a deep diagnostic (mkcert, CA trust, cert presence + expiry, DNS resolution, package.json script).`,
+
+  async run(args, ctx) {
+    const { flags, rest } = extractFlags(args, {
+      string: [],
+      boolean: ["json"],
+    });
+    const domain = rest[0];
+    if (rest.length > 1) {
+      throw new Error(`Unexpected positional: ${rest[1]}.`);
+    }
+
+    if (!domain) {
+      // List mode. We accept TWO layouts in the cert store:
+      //   1. Canonical (v1.8.8+): `<root>/<domain>/<domain>.pem` + `-key.pem`
+      //   2. Flat (operator's pre-existing intermediate layout):
+      //      `<root>/<domain>.pem` + `<domain>{-,.}key.pem`
+      // Flat-format certs aren't moved automatically — they show up
+      // here with a `flat: true` hint so `https migrate --root` can
+      // reorganise them.
+      const root = detectMod.certsRoot();
+      let entries = [];
+      try {
+        entries = fs.readdirSync(root, { withFileTypes: true });
+      } catch {
+        entries = [];
+      }
+      const domains = new Set();
+      const flatDomains = new Set();
+      // (1) Subdirectories (canonical).
+      for (const e of entries) {
+        if (e.isDirectory()) domains.add(e.name);
+      }
+      // (2) Flat pairs in the root.
+      const flat = detectMod.detectFlatCertsInStore();
+      for (const p of flat) {
+        domains.add(p.domain);
+        flatDomains.add(p.domain);
+      }
+      const rows = await Promise.all(
+        [...domains].sort().map(async (d) => {
+          const det = await detectMod.scan({ domain: d, cwd: ctx.cwd });
+          return {
+            domain: d,
+            cert: det.existingCerts?.present ?? false,
+            expiry: det.existingCerts?.expiry ?? null,
+            resolves: det.resolution.resolvesToLoopback,
+            resolutionSource: det.resolution.source,
+            flat: flatDomains.has(d),
+          };
+        }),
+      );
+      ctx.out.result(
+        { root, count: rows.length, domains: rows },
+        (_d, { stdout }) => {
+          stdout.write(colors.dim(`Cert store: ${root}\n`));
+          if (rows.length === 0) {
+            stdout.write(
+              colors.dim("(no certs configured — run `synapse https setup <domain>`)\n"),
+            );
+            return;
+          }
+          ctx.out.table(
+            rows.map((r) => ({
+              domain: colors.bold(r.domain) + (r.flat ? colors.dim(" (flat)") : ""),
+              cert: r.cert ? colors.green("yes") : colors.dim("no"),
+              expiry: r.expiry ? colors.dim(r.expiry.slice(0, 10)) : colors.dim("?"),
+              resolves: r.resolves
+                ? colors.green(r.resolutionSource)
+                : colors.red("no"),
+            })),
+            [
+              { key: "domain", header: "DOMAIN" },
+              { key: "cert", header: "CERT" },
+              { key: "expiry", header: "EXPIRES" },
+              { key: "resolves", header: "LOOPBACK" },
+            ],
+          );
+          if (rows.some((r) => r.flat)) {
+            stdout.write(
+              colors.dim(
+                "\n(flat) = cert lives directly in ~/.config/dev-certs/ instead of a subdirectory. Run `synapse https migrate --root=~/.config/dev-certs` to reorganise.\n",
+              ),
+            );
+          }
+        },
+      );
+      return;
+    }
+
+    // Single-domain detail mode.
+    const det = await detectMod.scan({ domain, cwd: ctx.cwd });
+    ctx.out.result(det, (d, { stdout }) => renderDomainStatus(d, { stdout }));
+  },
+
+  // Exports for tests.
+  renderDomainStatus,
+};

package/lib/doctor/checks.js

@@ -634,6 +634,238 @@ function makeDeploymentCheck(target) {
   };
 }
 
+// ============================================================
+// v1.8.9: Local HTTPS dev category. Checks the `synapse https setup`
+// surface — mkcert presence, CA trust, cert file presence + expiry,
+// hostname resolution.
+//
+// These checks are CONTEXT-GATED: they only emit a meaningful result
+// when the operator is in a project that uses dev:https OR has
+// generated certs under ~/.config/dev-certs/. When neither is true,
+// every check returns `silentlySkip: true` in its data, and the
+// renderer hides the whole category — operators in a "no HTTPS
+// here" project don't see a section of dim "skipped" lines.
+//
+// We require the https detect helpers; importing them here is a
+// pure dependency (no side effects at require time).
+// ============================================================
+
+const httpsDetect = require("../https/detect");
+
+// Read the cwd's package.json dev:https script (if any) and extract
+// the --hostname / --experimental-https-cert / --experimental-https-key
+// values. Returns null when there's no script, malformed JSON, or
+// the script isn't recognisable.
+function parseDevHttpsScript(cwd) {
+  const info = httpsDetect.detectPackageJson(cwd);
+  if (!info.present || !info.existingDevHttps) return null;
+  const cmd = info.existingDevHttps;
+  const hostMatch = cmd.match(/--hostname[\s=]+(\S+)/);
+  const certMatch = cmd.match(/--experimental-https-cert[\s=]+(\S+)/);
+  const keyMatch = cmd.match(/--experimental-https-key[\s=]+(\S+)/);
+  if (!hostMatch || !certMatch || !keyMatch) return null;
+  return {
+    domain: hostMatch[1],
+    cert: certMatch[1],
+    key: keyMatch[1],
+    raw: cmd,
+  };
+}
+
+// "Does this operator's machine HAVE any local-HTTPS context?"
+// True when either:
+//   - cwd has a dev:https script, OR
+//   - ~/.config/dev-certs/ has at least one cert pair (any shape)
+//
+// Used as the gate for every check in this category — when it's
+// false, the checks silently skip and the category is hidden.
+function hasLocalHttpsContext(cwd) {
+  const dev = parseDevHttpsScript(cwd);
+  if (dev) return true;
+  // Check the cert store.
+  try {
+    const fs = require("node:fs");
+    const root = httpsDetect.certsRoot();
+    if (!fs.existsSync(root)) return false;
+    const entries = fs.readdirSync(root, { withFileTypes: true });
+    // Either a subdir (canonical) or a .pem pair (flat) means context.
+    if (entries.some((e) => e.isDirectory())) return true;
+    const flat = httpsDetect.detectFlatCertsInStore();
+    return flat.length > 0;
+  } catch {
+    return false;
+  }
+}
+
+const checkHttpsMkcert = {
+  id: "https-mkcert",
+  category: "local-https-dev",
+  title: "mkcert installed",
+  autoFix: "never",
+  dependsOn: [],
+  run: safeRun(async (ctx) => {
+    if (!hasLocalHttpsContext(ctx.cwd)) {
+      return { status: "skipped", summary: "no local HTTPS context", data: { silentlySkip: true } };
+    }
+    const m = httpsDetect.detectMkcert();
+    if (m.present) {
+      return { status: "ok", summary: m.version || "(version unknown)", data: { version: m.version, caroot: m.caroot } };
+    }
+    return {
+      status: "issue",
+      summary: "mkcert not found in PATH",
+      remediation: "Install mkcert (apt/pacman/dnf/brew/choco/scoop/winget), then run `synapse https setup <domain>`.",
+      data: { present: false },
+    };
+  }),
+};
+
+const checkHttpsCaTrusted = {
+  id: "https-ca-trusted",
+  category: "local-https-dev",
+  title: "local CA trusted (rootCA.pem present)",
+  autoFix: "never",
+  dependsOn: ["https-mkcert"],
+  run: safeRun(async (ctx) => {
+    if (!hasLocalHttpsContext(ctx.cwd)) {
+      return { status: "skipped", summary: "no local HTTPS context", data: { silentlySkip: true } };
+    }
+    const m = httpsDetect.detectMkcert();
+    if (!m.present) {
+      return { status: "skipped", summary: "mkcert missing", data: {} };
+    }
+    if (httpsDetect.detectCaTrusted(m)) {
+      return { status: "ok", summary: `rootCA in ${m.caroot}`, data: { caroot: m.caroot } };
+    }
+    return {
+      status: "issue",
+      summary: "rootCA.pem not found in mkcert's CAROOT",
+      remediation: "Run `mkcert -install` once (or just `synapse https setup <domain>`).",
+      data: { caroot: m.caroot },
+    };
+  }),
+};
+
+const checkHttpsCertFiles = {
+  id: "https-cert-files",
+  category: "local-https-dev",
+  title: "dev:https cert + key files exist",
+  autoFix: "never",
+  dependsOn: ["https-mkcert"],
+  run: safeRun(async (ctx) => {
+    const dev = parseDevHttpsScript(ctx.cwd);
+    if (!dev) {
+      return { status: "skipped", summary: "no dev:https script in cwd", data: { silentlySkip: true } };
+    }
+    const fs = require("node:fs");
+    const certExists = fs.existsSync(dev.cert);
+    const keyExists = fs.existsSync(dev.key);
+    if (certExists && keyExists) {
+      return {
+        status: "ok",
+        summary: `${dev.domain} ✓ both files present`,
+        data: { domain: dev.domain, cert: dev.cert, key: dev.key },
+      };
+    }
+    const missing = [];
+    if (!certExists) missing.push("cert");
+    if (!keyExists) missing.push("key");
+    return {
+      status: "issue",
+      summary: `${dev.domain}: missing ${missing.join(" + ")}`,
+      remediation: `Run \`synapse https setup ${dev.domain}\` to regenerate.`,
+      data: { domain: dev.domain, cert: dev.cert, key: dev.key, certExists, keyExists },
+    };
+  }),
+};
+
+const checkHttpsDomainResolves = {
+  id: "https-domain-resolves",
+  category: "local-https-dev",
+  title: "dev:https domain resolves to 127.0.0.1",
+  autoFix: "never",
+  dependsOn: [],
+  run: safeRun(async (ctx) => {
+    const dev = parseDevHttpsScript(ctx.cwd);
+    if (!dev) {
+      return { status: "skipped", summary: "no dev:https script in cwd", data: { silentlySkip: true } };
+    }
+    const resolution = await httpsDetect.detectDomainResolution(dev.domain);
+    if (resolution.resolvesToLoopback) {
+      return {
+        status: "ok",
+        summary: `${dev.domain} → 127.0.0.1 (via ${resolution.source})`,
+        data: { domain: dev.domain, source: resolution.source },
+      };
+    }
+    return {
+      status: "issue",
+      summary: `${dev.domain} doesn't resolve to 127.0.0.1 (got: ${resolution.got.join(", ") || "nothing"})`,
+      remediation: `Run \`synapse https setup ${dev.domain}\` to add the hosts entry, OR add a DNS A record pointing the domain at 127.0.0.1.`,
+      data: { domain: dev.domain, got: resolution.got },
+    };
+  }),
+};
+
+const checkHttpsCertExpiry = {
+  id: "https-cert-expiry",
+  category: "local-https-dev",
+  title: "cert not expiring soon (>30 days)",
+  autoFix: "never",
+  dependsOn: ["https-cert-files"],
+  run: safeRun(async (ctx) => {
+    const dev = parseDevHttpsScript(ctx.cwd);
+    if (!dev) {
+      return { status: "skipped", summary: "no dev:https script in cwd", data: { silentlySkip: true } };
+    }
+    const fs = require("node:fs");
+    if (!fs.existsSync(dev.cert)) {
+      return { status: "skipped", summary: "cert file missing", data: {} };
+    }
+    if (!httpsDetect.commandExists("openssl")) {
+      return { status: "skipped", summary: "openssl not available — can't check expiry", data: {} };
+    }
+    const { execFileSync } = require("node:child_process");
+    let expiry;
+    try {
+      const out = execFileSync(
+        "openssl",
+        ["x509", "-in", dev.cert, "-noout", "-enddate"],
+        { encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] },
+      );
+      const m = out.match(/notAfter=(.+)/);
+      if (m) expiry = new Date(m[1]);
+    } catch (err) {
+      return { status: "skipped", summary: `openssl read failed: ${err.message}`, data: {} };
+    }
+    if (!expiry || Number.isNaN(expiry.getTime())) {
+      return { status: "skipped", summary: "could not parse cert expiry", data: {} };
+    }
+    const daysLeft = Math.floor((expiry.getTime() - Date.now()) / (1000 * 60 * 60 * 24));
+    if (daysLeft < 0) {
+      return {
+        status: "issue",
+        summary: `${dev.domain}: cert EXPIRED ${-daysLeft} days ago (${expiry.toISOString().slice(0, 10)})`,
+        remediation: `Regenerate: \`synapse https setup ${dev.domain} --force\`.`,
+        data: { domain: dev.domain, expiry: expiry.toISOString(), daysLeft },
+      };
+    }
+    if (daysLeft < 30) {
+      return {
+        status: "warn",
+        summary: `${dev.domain}: cert expires in ${daysLeft} days (${expiry.toISOString().slice(0, 10)})`,
+        remediation: `Regenerate soon: \`synapse https setup ${dev.domain} --force\`.`,
+        data: { domain: dev.domain, expiry: expiry.toISOString(), daysLeft },
+      };
+    }
+    return {
+      status: "ok",
+      summary: `${dev.domain}: ${daysLeft} days left (expires ${expiry.toISOString().slice(0, 10)})`,
+      data: { domain: dev.domain, expiry: expiry.toISOString(), daysLeft },
+    };
+  }),
+};
+
 const ALL_CHECKS = [
   // Tier A
   checkNodeVersion,
@@ -653,6 +885,22 @@ const ALL_CHECKS = [
   // Tier C (per deployment)
   makeDeploymentCheck("dev"),
   makeDeploymentCheck("prod"),
+
+  // Tier D — local HTTPS dev (v1.8.9). Context-gated: if the cwd
+  // doesn't have a dev:https script AND no certs are configured, the
+  // whole category is hidden from the report.
+  checkHttpsMkcert,
+  checkHttpsCaTrusted,
+  checkHttpsCertFiles,
+  checkHttpsDomainResolves,
+  checkHttpsCertExpiry,
 ];
 
-module.exports = { ALL_CHECKS, isBrowserReachable, cmpVer };
+module.exports = {
+  ALL_CHECKS,
+  isBrowserReachable,
+  cmpVer,
+  // exports for tests
+  parseDevHttpsScript,
+  hasLocalHttpsContext,
+};

package/lib/doctor/renderer.js

@@ -21,10 +21,19 @@ const CATEGORY_TITLE = {
   project: "Project",
   backend: "Backend",
   deployments: "Deployments",
+  "local-https-dev": "Local HTTPS dev",
   upstream: "Upstream",
   workspace: "Workspace",
 };
-const CATEGORY_ORDER = ["local-env", "project", "backend", "deployments", "upstream", "workspace"];
+const CATEGORY_ORDER = [
+  "local-env",
+  "project",
+  "backend",
+  "deployments",
+  "local-https-dev",
+  "upstream",
+  "workspace",
+];
 
 function renderHeader(report, write) {
   const parts = ["Synapse doctor"];
@@ -74,8 +83,16 @@ function renderReport(report, { stdout, verbose = false } = {}) {
   for (const cat of CATEGORY_ORDER) {
     const rows = byCategory.get(cat);
     if (!rows || rows.length === 0) continue;
+    // v1.8.9: filter out individual results marked `silentlySkip`
+    // (checks that decided their context is missing — e.g. `dev:https`
+    // checks in a project without that script). Then hide the
+    // category if NOTHING is left.
+    const visibleRows = rows.filter(
+      (r) => !(r.status === "skipped" && r.data && r.data.silentlySkip),
+    );
+    if (visibleRows.length === 0) continue;
     write(`  ${colors.bold(CATEGORY_TITLE[cat] ?? cat)}\n`);
-    for (const r of rows) renderCheck(r, { verbose }, write);
+    for (const r of visibleRows) renderCheck(r, { verbose }, write);
     write("\n");
   }
 

package/lib/doctor/runner.js

@@ -39,13 +39,22 @@ async function runChecks(checks, ctx) {
         return r.status === "issue" || r.status === "skipped";
       });
       if (failedDeps.length > 0) {
+        // v1.8.9: propagate `silentlySkip` from any silent-skipped
+        // prereq so the cascade-skipped child stays hidden too.
+        // Without this, https-cert-expiry would re-surface as a
+        // visible "·" every time its parent (https-cert-files) was
+        // silently skipped for "no dev:https script in cwd".
+        const silentParent = failedDeps.some((d) => {
+          const parent = resultsById.get(d);
+          return parent && parent.data && parent.data.silentlySkip;
+        });
         resultsById.set(id, {
           id,
           category: check.category,
           title: check.title,
           status: "skipped",
           summary: `skipped (prereq failed: ${failedDeps.join(", ")})`,
-          data: { skippedBecause: failedDeps },
+          data: { skippedBecause: failedDeps, silentlySkip: silentParent },
           durationMs: 0,
         });
         pending.delete(id);