@rubytech/taskmaster 1.0.74 → 1.0.75

package/dist/control-ui/index.html

@@ -6,8 +6,8 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-DiwtIkvl.js"></script>
-    <link rel="stylesheet" crossorigin href="./assets/index-BCh3mx9Z.css">
+    <script type="module" crossorigin src="./assets/index-Xczjd9U0.js"></script>
+    <link rel="stylesheet" crossorigin href="./assets/index-B7exVNNa.css">
   </head>
   <body>
     <taskmaster-app></taskmaster-app>

package/dist/gateway/net.js

@@ -219,3 +219,18 @@ export function isExternalRequest(req, trustedProxies) {
     });
     return !isLocalGatewayAddress(clientIp);
 }
+/**
+ * Return the effective trusted proxies list, auto-including 127.0.0.1 when
+ * Tailscale Serve/Funnel is active. Tailscale proxies internet traffic from
+ * 127.0.0.1 with x-forwarded-for headers — without trusting that address,
+ * `isExternalRequest()` would classify internet traffic as local and bypass
+ * the funnel restriction.
+ */
+export function getEffectiveTrustedProxies(cfg) {
+    const configured = cfg.gateway?.trustedProxies ?? [];
+    const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
+    if (tailscaleMode !== "off" && !configured.includes("127.0.0.1")) {
+        return [...configured, "127.0.0.1"];
+    }
+    return configured;
+}

package/dist/gateway/server/ws-connection/message-handler.js

@@ -10,7 +10,7 @@ import { isGatewayCliClient, isWebchatClient } from "../../../utils/message-chan
 import { authorizeGatewayConnect } from "../../auth.js";
 import { loadConfig } from "../../../config/config.js";
 import { buildDeviceAuthPayload } from "../../device-auth.js";
-import { isLocalGatewayAddress, isTrustedProxyAddress, resolveGatewayClientIp } from "../../net.js";
+import { getEffectiveTrustedProxies, isLocalGatewayAddress, isTrustedProxyAddress, resolveGatewayClientIp, } from "../../net.js";
 import { resolveNodeCommandAllowlist } from "../../node-command-policy.js";
 import { ErrorCodes, errorShape, formatValidationErrors, PROTOCOL_VERSION, validateConnectParams, validateRequestFrame, } from "../../protocol/index.js";
 import { GATEWAY_CLIENT_IDS } from "../../protocol/client-info.js";
@@ -68,7 +68,7 @@ function formatGatewayAuthFailureMessage(params) {
 export function attachGatewayWsMessageHandler(params) {
     const { socket, upgradeReq, connId, remoteAddr, forwardedFor, realIp, requestHost, requestOrigin, requestUserAgent, canvasHostUrl, connectNonce, resolvedAuth, gatewayMethods, events, extraHandlers, buildRequestContext, send, close, isClosed, clearHandshakeTimer, getClient, setClient, setHandshakeState, setCloseCause, setLastFrameMeta, logGateway, logHealth, logWsControl, } = params;
     const configSnapshot = loadConfig();
-    const trustedProxies = configSnapshot.gateway?.trustedProxies ?? [];
+    const trustedProxies = getEffectiveTrustedProxies(configSnapshot);
     const clientIp = resolveGatewayClientIp({ remoteAddr, forwardedFor, realIp, trustedProxies });
     // If proxy headers are present but the remote address isn't trusted, don't treat
     // the connection as local. This prevents auth bypass when running behind a reverse

package/dist/gateway/server-http.js

@@ -7,7 +7,7 @@ import { createCloudApiWebhookHandler } from "../web/providers/cloud/webhook-htt
 import { resolveAgentAvatar } from "../agents/identity-avatar.js";
 import { handleBrandIconRequest, handleControlUiAvatarRequest, handleControlUiHttpRequest, handlePublicChatHttpRequest, handlePublicWidgetRequest, } from "./control-ui.js";
 import { isLicensed } from "../license/state.js";
-import { isExternalRequest } from "./net.js";
+import { getEffectiveTrustedProxies, isExternalRequest } from "./net.js";
 import { extractHookToken, getHookChannelError, normalizeAgentPayload, normalizeHookHeaders, normalizeWakePayload, readJsonBody, resolveHookChannel, resolveHookDeliver, } from "./hooks.js";
 import { applyHookMappings } from "./hooks-mapping.js";
 import { handleOpenAiHttpRequest } from "./openai-http.js";
@@ -160,7 +160,7 @@ export function createGatewayHttpServer(opts) {
                 return;
             // Funnel restriction: block non-local requests from accessing non-public paths.
             // /public/* is already handled above, so any request reaching here is non-public.
-            const trustedProxies = configSnapshot.gateway?.trustedProxies ?? [];
+            const trustedProxies = getEffectiveTrustedProxies(configSnapshot);
             if (isExternalRequest(req, trustedProxies)) {
                 const pathname = new URL(req.url ?? "/", "http://localhost").pathname;
                 if (!pathname.startsWith("/public/")) {

package/dist/gateway/server-methods/tailscale.js

@@ -0,0 +1,258 @@
+/**
+ * RPC handlers for Tailscale internet access management.
+ * All methods require operator.admin scope (enforced by the catch-all in server-methods.ts).
+ */
+import { CONFIG_PATH_TASKMASTER, loadConfig, readConfigFileSnapshot, validateConfigObjectWithPlugins, writeConfigFile, } from "../../config/config.js";
+import { applyMergePatch } from "../../config/merge-patch.js";
+import { findTailscaleBinary, getTailnetHostname, readTailscaleStatusJson, } from "../../infra/tailscale.js";
+import { runExec } from "../../process/exec.js";
+import { scheduleGatewaySigusr1Restart } from "../../infra/restart.js";
+import { formatDoctorNonInteractiveHint, writeRestartSentinel, } from "../../infra/restart-sentinel.js";
+import { ErrorCodes, errorShape } from "../protocol/index.js";
+export const tailscaleHandlers = {
+    /**
+     * Return the current Tailscale state on this device.
+     */
+    "tailscale.status": async ({ respond, context }) => {
+        try {
+            const binary = await findTailscaleBinary();
+            if (!binary) {
+                respond(true, {
+                    installed: false,
+                    running: false,
+                    loggedIn: false,
+                    hostname: null,
+                    funnelEnabled: false,
+                    publicUrl: null,
+                });
+                return;
+            }
+            // Check if the daemon is running and whether we're logged in
+            let running = false;
+            let loggedIn = false;
+            try {
+                const status = await readTailscaleStatusJson();
+                running = true;
+                // BackendState "Running" means logged in and connected to the tailnet
+                loggedIn = status.BackendState === "Running";
+            }
+            catch {
+                // Daemon not running or not logged in
+            }
+            let hostname = null;
+            if (loggedIn) {
+                try {
+                    hostname = await getTailnetHostname(runExec, binary);
+                }
+                catch {
+                    // Failed to resolve hostname
+                }
+            }
+            const cfg = loadConfig();
+            const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
+            // Check actual funnel state — config may say "funnel" but the command
+            // may have failed (e.g. tailnet ACL doesn't allow funnel).
+            let funnelActive = false;
+            if (tailscaleMode === "funnel" && loggedIn) {
+                try {
+                    const { stdout } = await runExec(binary, ["funnel", "status"], {
+                        timeoutMs: 5_000,
+                        maxBuffer: 200_000,
+                    });
+                    // "No serve config" means funnel isn't actually proxying anything
+                    funnelActive = !!stdout.trim() && !stdout.includes("No serve config");
+                }
+                catch {
+                    // Command failed — funnel not active
+                }
+            }
+            const funnelEnabled = tailscaleMode === "funnel";
+            const publicUrl = funnelActive && hostname ? `https://${hostname}` : null;
+            respond(true, {
+                installed: true,
+                running,
+                loggedIn,
+                hostname,
+                funnelEnabled,
+                funnelActive,
+                publicUrl,
+            });
+        }
+        catch (err) {
+            context.logGateway.warn(`tailscale.status failed: ${err instanceof Error ? err.message : String(err)}`);
+            respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "failed to check Tailscale status"));
+        }
+    },
+    /**
+     * Start the Tailscale login flow. Runs `tailscale up` and captures the
+     * auth URL printed to stdout. The UI displays this as a QR code + link.
+     * After the user authenticates, the UI polls `tailscale.status` until
+     * `loggedIn` becomes true.
+     */
+    "tailscale.enable": async ({ respond, context }) => {
+        try {
+            const binary = await findTailscaleBinary();
+            if (!binary) {
+                respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "Tailscale is not installed on this device"));
+                return;
+            }
+            // Run `tailscale up` — on a headless device this prints:
+            // "To authenticate, visit:\n\n\thttps://login.tailscale.com/a/..."
+            // The command blocks until auth completes, so we run it with a
+            // timeout and parse the auth URL from the output. The URL appears
+            // within seconds; the timeout just kills the blocking wait.
+            const child = await runExec(binary, ["up"], {
+                timeoutMs: 60_000,
+                maxBuffer: 100_000,
+            }).catch((err) => {
+                // `tailscale up` exits non-zero while waiting for auth but still
+                // prints the URL to stdout/stderr before the timeout kills it.
+                const errObj = err;
+                return {
+                    stdout: typeof errObj.stdout === "string" ? errObj.stdout : "",
+                    stderr: typeof errObj.stderr === "string" ? errObj.stderr : "",
+                };
+            });
+            const combined = `${child.stdout}\n${child.stderr}`;
+            const urlMatch = combined.match(/https:\/\/login\.tailscale\.com\/a\/[A-Za-z0-9]+/);
+            if (urlMatch) {
+                respond(true, { authUrl: urlMatch[0] });
+                return;
+            }
+            // No auth URL found — maybe already logged in
+            try {
+                const status = await readTailscaleStatusJson();
+                if (status.BackendState === "Running") {
+                    respond(true, { authUrl: null, alreadyLoggedIn: true });
+                    return;
+                }
+            }
+            catch {
+                // ignore
+            }
+            context.logGateway.warn(`tailscale.enable: no auth URL found in output: ${combined.slice(0, 500)}`);
+            respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "Could not start Tailscale login — no authentication URL received"));
+        }
+        catch (err) {
+            context.logGateway.warn(`tailscale.enable failed: ${err instanceof Error ? err.message : String(err)}`);
+            respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "failed to start Tailscale login"));
+        }
+    },
+    /**
+     * Enable Tailscale Funnel by pre-flighting the `tailscale funnel` command,
+     * then patching the config if it succeeds.  The pre-flight catches the
+     * "Funnel is not enabled on your tailnet" case and surfaces the enable URL.
+     */
+    "tailscale.funnel.enable": async ({ respond, context }) => {
+        try {
+            const binary = await findTailscaleBinary();
+            if (!binary) {
+                respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "Tailscale is not installed"));
+                return;
+            }
+            // Verify Tailscale is logged in before enabling Funnel
+            try {
+                const status = await readTailscaleStatusJson();
+                if (status.BackendState !== "Running") {
+                    respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "Tailscale is not logged in — complete login first"));
+                    return;
+                }
+            }
+            catch {
+                respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "Cannot reach Tailscale — is it running?"));
+                return;
+            }
+            // Pre-flight: attempt `tailscale funnel` to verify the tailnet allows it.
+            // If the tailnet ACL policy doesn't permit funnel, the command prints a
+            // helpful message with an enable URL — capture it for the UI.
+            const cfg = loadConfig();
+            const port = cfg.gateway?.port ?? 18789;
+            try {
+                await runExec(binary, ["funnel", "--bg", "--yes", `${port}`], {
+                    timeoutMs: 15_000,
+                    maxBuffer: 200_000,
+                });
+            }
+            catch (funnelErr) {
+                const errObj = funnelErr;
+                const combined = `${typeof errObj.stdout === "string" ? errObj.stdout : ""}\n${typeof errObj.stderr === "string" ? errObj.stderr : ""}`;
+                // Check for "Funnel is not enabled" — extract the enable URL
+                if (combined.includes("Funnel is not enabled") ||
+                    combined.includes("not enabled on your tailnet")) {
+                    const enableUrlMatch = combined.match(/https:\/\/login\.tailscale\.com\/f\/funnel\S*/);
+                    const enableUrl = enableUrlMatch?.[0] ?? "https://login.tailscale.com/admin/machines";
+                    context.logGateway.warn(`tailscale.funnel.enable: Funnel not enabled on tailnet`);
+                    respond(false, { enableUrl }, errorShape(ErrorCodes.INVALID_REQUEST, "Funnel is not enabled on your Tailscale account. Open the link in the browser to enable it, then try again."));
+                    return;
+                }
+                // Some other error — try sudo fallback isn't relevant here (gateway
+                // process may not have sudo). Just report the error.
+                context.logGateway.warn(`tailscale.funnel.enable pre-flight failed: ${combined.slice(0, 500)}`);
+                respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, `Funnel command failed — ${combined.trim().split("\n")[0] || "unknown error"}`));
+                return;
+            }
+            // Funnel is active. Patch config so it persists across restarts.
+            await patchTailscaleMode("funnel", respond, context.logGateway);
+        }
+        catch (err) {
+            context.logGateway.warn(`tailscale.funnel.enable failed: ${err instanceof Error ? err.message : String(err)}`);
+            respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "failed to enable Funnel"));
+        }
+    },
+    /**
+     * Disable Tailscale Funnel by patching config to mode=off.
+     * Triggers gateway restart.
+     */
+    "tailscale.funnel.disable": async ({ respond, context }) => {
+        try {
+            await patchTailscaleMode("off", respond, context.logGateway);
+        }
+        catch (err) {
+            context.logGateway.warn(`tailscale.funnel.disable failed: ${err instanceof Error ? err.message : String(err)}`);
+            respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "failed to disable Funnel"));
+        }
+    },
+};
+/**
+ * Patch `gateway.tailscale.mode` in the config file and schedule a restart.
+ */
+async function patchTailscaleMode(mode, respond, log) {
+    const snapshot = await readConfigFileSnapshot();
+    if (!snapshot.valid) {
+        respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "config file is invalid — fix before changing Tailscale settings"));
+        return;
+    }
+    const patch = { gateway: { tailscale: { mode } } };
+    const merged = applyMergePatch(snapshot.config, patch);
+    const validated = validateConfigObjectWithPlugins(merged);
+    if (!validated.ok) {
+        respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "invalid config after patch", {
+            details: { issues: validated.issues },
+        }));
+        return;
+    }
+    await writeConfigFile(validated.config);
+    const sentinelPayload = {
+        kind: "config-apply",
+        status: "ok",
+        ts: Date.now(),
+        message: `Tailscale ${mode === "off" ? "disabled" : mode + " enabled"}`,
+        doctorHint: formatDoctorNonInteractiveHint(),
+        stats: { mode: "tailscale", root: CONFIG_PATH_TASKMASTER },
+    };
+    try {
+        await writeRestartSentinel(sentinelPayload);
+    }
+    catch {
+        log.warn("tailscale: failed to write restart sentinel");
+    }
+    const restart = scheduleGatewaySigusr1Restart({
+        reason: `tailscale.${mode === "off" ? "disable" : "enable"}`,
+    });
+    respond(true, {
+        ok: true,
+        mode,
+        restart,
+        path: CONFIG_PATH_TASKMASTER,
+    });
+}

package/dist/gateway/server-methods.js

@@ -33,6 +33,7 @@ import { voicewakeHandlers } from "./server-methods/voicewake.js";
 import { webHandlers } from "./server-methods/web.js";
 import { wizardHandlers } from "./server-methods/wizard.js";
 import { publicChatHandlers } from "./server-methods/public-chat.js";
+import { tailscaleHandlers } from "./server-methods/tailscale.js";
 import { workspacesHandlers } from "./server-methods/workspaces.js";
 const ADMIN_SCOPE = "operator.admin";
 const READ_SCOPE = "operator.read";
@@ -235,6 +236,7 @@ export const coreGatewayHandlers = {
     ...recordsHandlers,
     ...workspacesHandlers,
     ...publicChatHandlers,
+    ...tailscaleHandlers,
 };
 export async function handleGatewayRequest(opts) {
     const { req, respond, client, isWebchatConnect, context } = opts;

package/dist/gateway/server-runtime-config.js

@@ -35,12 +35,6 @@ export async function resolveGatewayRuntimeConfig(params) {
     const hooksConfig = resolveHooksConfig(params.cfg);
     const canvasHostEnabled = process.env.TASKMASTER_SKIP_CANVAS_HOST !== "1" && params.cfg.canvasHost?.enabled !== false;
     assertGatewayAuthConfigured(resolvedAuth);
-    if (tailscaleMode === "funnel" && authMode !== "password") {
-        throw new Error("tailscale funnel requires gateway auth mode=password (set gateway.auth.password or TASKMASTER_GATEWAY_PASSWORD)");
-    }
-    if (tailscaleMode !== "off" && !isLoopbackHost(bindHost)) {
-        throw new Error("tailscale serve/funnel requires gateway bind=loopback (127.0.0.1)");
-    }
     if (!isLoopbackHost(bindHost) && authMode === "none") {
         throw new Error(`refusing to bind gateway to ${bindHost}:${params.port} without auth (set gateway.auth.token or TASKMASTER_GATEWAY_TOKEN, or pass --token)`);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.0.74",
+  "version": "1.0.75",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"

package/scripts/install.sh

@@ -168,6 +168,15 @@ if [ "$(id -u)" = "0" ] && [ "$REAL_USER" != "root" ]; then
     systemctl restart avahi-daemon 2>/dev/null || true
     echo "  mDNS: ${TM_HOSTNAME}.local ready"
 
+    # Tailscale (for optional internet access via Funnel)
+    if ! command -v tailscale >/dev/null 2>&1; then
+      curl -fsSL https://tailscale.com/install.sh | sh >/dev/null 2>&1 \
+        && echo "  tailscale installed" \
+        || echo "  tailscale install failed (continuing)"
+    else
+      echo "  tailscale already installed"
+    fi
+
     # Enable user services so systemctl --user works after logout
     REAL_UID=$(id -u "$REAL_USER")
     loginctl enable-linger "$REAL_USER" 2>/dev/null || true