@rubytech/taskmaster 1.6.0 → 1.7.0

package/dist/control-ui/index.html

@@ -6,8 +6,8 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-C12OTik-.js"></script>
-    <link rel="stylesheet" crossorigin href="./assets/index-D6WTmXJM.css">
+    <script type="module" crossorigin src="./assets/index-DeyIviHA.js"></script>
+    <link rel="stylesheet" crossorigin href="./assets/index-DSF8vENW.css">
   </head>
   <body>
     <taskmaster-app></taskmaster-app>

package/dist/gateway/net.js

@@ -1,5 +1,5 @@
 import net from "node:net";
-import { pickPrimaryTailnetIPv4, pickPrimaryTailnetIPv6 } from "../infra/tailnet.js";
+import { listTailnetAddresses, pickPrimaryTailnetIPv4, pickPrimaryTailnetIPv6, } from "../infra/tailnet.js";
 /**
  * Check if an IPv4 address belongs to a private (RFC 1918) or link-local range.
  * These addresses are non-routable on the public internet, so any request
@@ -25,6 +25,26 @@ function isPrivateIPv4(ip) {
         return true; // 169.254.0.0/16 (link-local)
     return false;
 }
+/**
+ * Check if an IPv4 address is in the Tailscale CGNAT range (100.64.0.0/10)
+ * AND this device has a Tailscale interface. This identifies tailnet peers —
+ * other devices on the user's private Tailscale network.
+ */
+function isTailnetPeerAddress(ip) {
+    const parts = ip.split(".");
+    if (parts.length !== 4)
+        return false;
+    const a = parseInt(parts[0], 10);
+    const b = parseInt(parts[1], 10);
+    if (Number.isNaN(a) || Number.isNaN(b))
+        return false;
+    // Tailscale CGNAT range: 100.64.0.0/10 (100.64.x.x – 100.127.x.x)
+    if (!(a === 100 && b >= 64 && b <= 127))
+        return false;
+    // Only treat as local if this device is itself on a tailnet
+    const addrs = listTailnetAddresses();
+    return addrs.ipv4.length > 0 || addrs.ipv6.length > 0;
+}
 export function isLoopbackAddress(ip) {
     if (!ip)
         return false;
@@ -107,6 +127,14 @@ export function isLocalGatewayAddress(ip) {
     // These are non-routable on the public internet, so they're safe.
     if (isPrivateIPv4(normalized))
         return true;
+    // Tailscale CGNAT addresses (100.64.0.0/10) are tailnet peers — devices on
+    // the user's private Tailscale network. Treat them as local when this device
+    // is itself on a tailnet (has a Tailscale interface), so tailnet peers can
+    // access the control panel via Tailscale Serve. Public internet requests via
+    // Funnel carry real public IPs, not 100.x.x.x, so this doesn't weaken the
+    // Funnel restriction.
+    if (isTailnetPeerAddress(normalized))
+        return true;
     return false;
 }
 /**

package/dist/gateway/server-http.js

@@ -146,12 +146,23 @@ export function createGatewayHttpServer(opts) {
     // on the port, peeks at the first byte of each connection to detect TLS vs
     // plain HTTP, and dispatches accordingly. Plain HTTP gets a 301 redirect to
     // HTTPS so bookmarks and muscle-memory URLs keep working.
+    //
+    // Exception: when a reverse proxy (e.g. Tailscale Serve) terminates TLS and
+    // forwards as plain HTTP with X-Forwarded-Proto: https, the request is
+    // handled normally — redirecting would create an infinite loop.
     let httpServer;
     if (opts.tlsOptions) {
         const httpsServer = createHttpsServer(opts.tlsOptions, (req, res) => {
             void handleRequest(req, res);
         });
         const redirectServer = createHttpServer((req, res) => {
+            // If a TLS-terminating reverse proxy (Tailscale Serve, nginx, etc.)
+            // forwarded this request, handle it normally instead of redirecting.
+            const forwardedProto = req.headers["x-forwarded-proto"];
+            if (forwardedProto === "https") {
+                void handleRequest(req, res);
+                return;
+            }
             const host = req.headers.host ?? "localhost";
             res.writeHead(301, { Location: `https://${host}${req.url ?? "/"}`, Connection: "close" });
             res.end();
@@ -171,6 +182,11 @@ export function createGatewayHttpServer(opts) {
         httpsServer.on("upgrade", (req, socket, head) => {
             tcpServer.emit("upgrade", req, socket, head);
         });
+        // Forward upgrade events from the redirect server too — reverse proxies
+        // (Tailscale Serve) send WebSocket upgrades as plain HTTP.
+        redirectServer.on("upgrade", (req, socket, head) => {
+            tcpServer.emit("upgrade", req, socket, head);
+        });
         httpServer = tcpServer;
     }
     else {

package/dist/gateway/server-methods/tailscale.js

@@ -50,29 +50,47 @@ export const tailscaleHandlers = {
             }
             const cfg = loadConfig();
             const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
-            // Check actual funnel state — config may say "funnel" but the command
-            // may have failed (e.g. tailnet ACL doesn't allow funnel).
+            // Check actual serve/funnel state — config may say "serve" or "funnel"
+            // but the command may have failed (e.g. tailnet ACL doesn't allow funnel).
+            let serveActive = false;
             let funnelActive = false;
-            if (tailscaleMode === "funnel" && loggedIn) {
+            if ((tailscaleMode === "serve" || tailscaleMode === "funnel") && loggedIn) {
                 try {
-                    const { stdout } = await runExec(binary, ["funnel", "status"], {
+                    const { stdout } = await runExec(binary, ["serve", "status"], {
                         timeoutMs: 5_000,
                         maxBuffer: 200_000,
                     });
-                    // "No serve config" means funnel isn't actually proxying anything
-                    funnelActive = !!stdout.trim() && !stdout.includes("No serve config");
+                    // "No serve config" means nothing is proxying
+                    serveActive = !!stdout.trim() && !stdout.includes("No serve config");
                 }
                 catch {
-                    // Command failed — funnel not active
+                    // Command failed — serve not active
+                }
+                if (tailscaleMode === "funnel" && serveActive) {
+                    try {
+                        const { stdout } = await runExec(binary, ["funnel", "status"], {
+                            timeoutMs: 5_000,
+                            maxBuffer: 200_000,
+                        });
+                        funnelActive = !!stdout.trim() && !stdout.includes("No serve config");
+                    }
+                    catch {
+                        // Command failed — funnel not active
+                    }
                 }
             }
+            const serveEnabled = tailscaleMode === "serve" || tailscaleMode === "funnel";
             const funnelEnabled = tailscaleMode === "funnel";
+            const tailnetUrl = serveActive && hostname ? `https://${hostname}` : null;
             const publicUrl = funnelActive && hostname ? `https://${hostname}` : null;
             respond(true, {
                 installed: true,
                 running,
                 loggedIn,
                 hostname,
+                serveEnabled,
+                serveActive,
+                tailnetUrl,
                 funnelEnabled,
                 funnelActive,
                 publicUrl,
@@ -138,6 +156,82 @@ export const tailscaleHandlers = {
             respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "failed to start Tailscale login"));
         }
     },
+    /**
+     * Enable Tailscale Serve — makes the gateway reachable to all devices on
+     * the user's Tailscale network via a trusted HTTPS URL (Let's Encrypt cert
+     * provisioned by Tailscale for the *.ts.net domain).
+     */
+    "tailscale.serve.enable": async ({ respond, context }) => {
+        try {
+            const binary = await findTailscaleBinary();
+            if (!binary) {
+                respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "Tailscale is not installed"));
+                return;
+            }
+            // Verify Tailscale is logged in
+            try {
+                const status = await readTailscaleStatusJson();
+                if (status.BackendState !== "Running") {
+                    respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "Tailscale is not logged in — complete login first"));
+                    return;
+                }
+            }
+            catch {
+                respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "Cannot reach Tailscale — is it running?"));
+                return;
+            }
+            // Pre-flight: attempt `tailscale serve` to verify it works
+            const cfg = loadConfig();
+            const port = cfg.gateway?.port ?? 18789;
+            try {
+                await runExec(binary, ["serve", "--bg", "--yes", `${port}`], {
+                    timeoutMs: 15_000,
+                    maxBuffer: 200_000,
+                });
+            }
+            catch (serveErr) {
+                const errObj = serveErr;
+                const combined = `${typeof errObj.stdout === "string" ? errObj.stdout : ""}\n${typeof errObj.stderr === "string" ? errObj.stderr : ""}`;
+                context.logGateway.warn(`tailscale.serve.enable pre-flight failed: ${combined.slice(0, 500)}`);
+                respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, `Serve command failed — ${combined.trim().split("\n")[0] || "unknown error"}`));
+                return;
+            }
+            // Serve is active. Patch config so it persists across restarts.
+            // No restart needed — loadConfig() re-reads from disk per request
+            // (200ms cache), so getEffectiveTrustedProxies picks up the new mode.
+            await patchTailscaleMode("serve", respond, context.logGateway, { skipRestart: true });
+        }
+        catch (err) {
+            context.logGateway.warn(`tailscale.serve.enable failed: ${err instanceof Error ? err.message : String(err)}`);
+            respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "failed to enable Serve"));
+        }
+    },
+    /**
+     * Disable Tailscale Serve by resetting the serve config and patching
+     * config to mode=off. If funnel was active, it is also disabled.
+     */
+    "tailscale.serve.disable": async ({ respond, context }) => {
+        try {
+            // Reset the actual tailscale serve config to stop proxying
+            const binary = await findTailscaleBinary();
+            if (binary) {
+                try {
+                    await runExec(binary, ["serve", "reset"], {
+                        timeoutMs: 15_000,
+                        maxBuffer: 200_000,
+                    });
+                }
+                catch {
+                    // Best effort — continue with config patch
+                }
+            }
+            await patchTailscaleMode("off", respond, context.logGateway, { skipRestart: true });
+        }
+        catch (err) {
+            context.logGateway.warn(`tailscale.serve.disable failed: ${err instanceof Error ? err.message : String(err)}`);
+            respond(false, undefined, errorShape(ErrorCodes.UNAVAILABLE, "failed to disable Serve"));
+        }
+    },
     /**
      * Enable Tailscale Funnel by pre-flighting the `tailscale funnel` command,
      * then patching the config if it succeeds.  The pre-flight catches the
@@ -192,7 +286,8 @@ export const tailscaleHandlers = {
                 return;
             }
             // Funnel is active. Patch config so it persists across restarts.
-            await patchTailscaleMode("funnel", respond, context.logGateway);
+            // No restart needed — loadConfig() re-reads from disk per request.
+            await patchTailscaleMode("funnel", respond, context.logGateway, { skipRestart: true });
         }
         catch (err) {
             context.logGateway.warn(`tailscale.funnel.enable failed: ${err instanceof Error ? err.message : String(err)}`);
@@ -200,12 +295,25 @@ export const tailscaleHandlers = {
         }
     },
     /**
-     * Disable Tailscale Funnel by patching config to mode=off.
-     * Triggers gateway restart.
+     * Disable Tailscale Funnel by resetting the serve config (which also
+     * stops funnel) and patching config to mode=off.  No restart needed —
+     * `tailscale serve reset` already stops the proxy.
      */
     "tailscale.funnel.disable": async ({ respond, context }) => {
         try {
-            await patchTailscaleMode("off", respond, context.logGateway);
+            const binary = await findTailscaleBinary();
+            if (binary) {
+                try {
+                    await runExec(binary, ["serve", "reset"], {
+                        timeoutMs: 15_000,
+                        maxBuffer: 200_000,
+                    });
+                }
+                catch {
+                    // Best effort — continue with config patch
+                }
+            }
+            await patchTailscaleMode("off", respond, context.logGateway, { skipRestart: true });
         }
         catch (err) {
             context.logGateway.warn(`tailscale.funnel.disable failed: ${err instanceof Error ? err.message : String(err)}`);
@@ -214,9 +322,13 @@ export const tailscaleHandlers = {
     },
 };
 /**
- * Patch `gateway.tailscale.mode` in the config file and schedule a restart.
+ * Patch `gateway.tailscale.mode` in the config file and optionally restart.
+ *
+ * Disabling serve/funnel doesn't need a restart because `tailscale serve reset`
+ * already stops the reverse proxy — no traffic arrives via Tailscale afterward,
+ * so the stale trusted-proxy list is harmless until the next natural restart.
  */
-async function patchTailscaleMode(mode, respond, log) {
+async function patchTailscaleMode(mode, respond, log, opts) {
     const snapshot = await readConfigFileSnapshot();
     if (!snapshot.valid) {
         respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "config file is invalid — fix before changing Tailscale settings"));
@@ -246,13 +358,16 @@ async function patchTailscaleMode(mode, respond, log) {
     catch {
         log.warn("tailscale: failed to write restart sentinel");
     }
-    const restart = scheduleGatewaySigusr1Restart({
-        reason: `tailscale.${mode === "off" ? "disable" : "enable"}`,
-    });
+    let restart;
+    if (!opts?.skipRestart) {
+        restart = scheduleGatewaySigusr1Restart({
+            reason: `tailscale.${mode === "off" ? "disable" : "enable"}`,
+        });
+    }
     respond(true, {
         ok: true,
         mode,
-        restart,
+        restart: restart ?? false,
         path: CONFIG_PATH_TASKMASTER,
     });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.6.0",
+  "version": "1.7.0",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"

package/taskmaster-docs/USER-GUIDE.md

@@ -226,6 +226,41 @@ You only need to do this once per browser. After accepting, the warning won't ap
 > ```
 > Enter your Mac password when prompted. After this, all browsers on that Mac will trust Taskmaster's certificate.
 
+> **Recommended:** To avoid certificate warnings entirely, enable **Remote Access** (see below). Remote Access uses Tailscale to provide a trusted HTTPS certificate — no browser warnings on any device.
+
+---
+
+## Remote Access
+
+Remote Access lets you reach the control panel from anywhere — your phone, another computer, or while away from home. It uses **Tailscale** to create a private, encrypted connection with a trusted HTTPS certificate (no browser warnings).
+
+### What You Need
+
+- **Tailscale installed on the Taskmaster device** (the Raspberry Pi or Mac running Taskmaster)
+- **Tailscale installed on every device** you want to access the control panel from (your phone, laptop, etc.)
+- **All devices logged into the same Tailscale account**
+
+Tailscale is free for personal use (up to 100 devices). Apps are available for iOS, Android, Mac, Windows, and Linux.
+
+### Enabling Remote Access
+
+1. Open the control panel setup page
+2. Find the **Remote Access** row in the status dashboard
+3. If Tailscale is not connected, click **Connect** — scan the QR code with your phone and sign in with your Google or Microsoft account
+4. Once connected, click **Enable**
+5. The control panel restarts. After reconnecting, you'll see a URL like `https://taskmaster.tail0e0afb.ts.net`
+6. **Bookmark this URL** on your other devices — it's your personal, trusted HTTPS address for the control panel
+
+### Accessing from Other Devices
+
+1. Install Tailscale on the device (phone, laptop, etc.)
+2. Log in with the same account you used on the Taskmaster device
+3. Open the bookmarked URL — no certificate warnings, just a normal secure connection
+
+### Disabling Remote Access
+
+Click **Disable** on the Remote Access row. You'll be asked to confirm — click **Confirm** to proceed. The tailnet URL stops working immediately (no gateway restart needed).
+
 ---
 
 ## Two Assistants, One WhatsApp
@@ -1437,15 +1472,16 @@ By default, Taskmaster is only reachable on your local network. If you want peop
 
 This uses **Tailscale Funnel**, a free service that gives your device a public HTTPS address. Only the public chat is exposed; the control panel stays local-network-only.
 
+> **Note:** Internet Access exposes your public chat to the internet. If you only need to access the control panel from your own devices (phone, laptop), use **Remote Access** instead — it's private to your Tailscale network and doesn't expose anything publicly.
+
 ### Enabling Internet Access
 
 1. Go to the **Setup** page (you must be logged in as admin)
-2. Find the **Internet Access** row in the status dashboard
-3. Click **Connect** — a QR code appears
-4. Scan the QR code with your phone and sign in with your Google or Microsoft account (this creates a free Tailscale account)
-5. Wait a few seconds — the status changes to "Connected (LAN only)"
-6. Click **Enable** — if this is your first time, you'll see a message asking you to enable Funnel on your Tailscale account. Click the link, toggle Funnel on, then come back and click Enable again
-7. Your public URL appears (e.g. `https://taskmaster.tail0e0afb.ts.net`)
+2. Find the **Remote Access** row in the status dashboard
+3. If Remote Access is not already enabled, enable it first (see above)
+4. Once remote access is active, click **Enable internet access** on the same row
+5. If this is your first time, you may see a message asking you to enable Funnel on your Tailscale account — click the link, toggle Funnel on, then come back and try again
+6. Your public URL appears (e.g. `https://taskmaster.tail0e0afb.ts.net`)
 
 ### What gets exposed
 
@@ -1455,11 +1491,11 @@ This uses **Tailscale Funnel**, a free service that gives your device a public H
 
 ### Disabling
 
-Click **Disable** on the Internet Access row. The public URL stops working immediately. Your device stays connected to Tailscale but nothing is exposed.
+Click **Disable internet access** on the Remote Access row. The public URL stops working immediately. Remote access to the control panel remains active.
 
-### Copy your public URL
+### Copy your URL
 
-When Internet Access is active, click the copy icon next to the URL to copy it to your clipboard. You can share this URL or embed it on your website.
+When Remote Access is active, click the copy icon next to the URL to copy it. If Internet Access is also enabled, the same URL serves as your public URL — share it or embed it on your website.
 
 ### Embedding the chat widget on your website
 
@@ -1475,7 +1511,7 @@ Once Internet Access is enabled, you can add a floating chat button to any websi
 </script>
 ```
 
-Replace `YOUR-PUBLIC-URL` with the URL shown on the Internet Access row (e.g. `https://taskmaster.tail0e0afb.ts.net`) and `your-account-id` with your account name (e.g. `taskmaster`).
+Replace `YOUR-PUBLIC-URL` with the URL shown on the Remote Access row (e.g. `https://taskmaster.tail0e0afb.ts.net`) and `your-account-id` with your account name (e.g. `taskmaster`).
 
 A chat button appears in the bottom-right corner of the page. Clicking it opens a chat window where visitors can talk to your assistant — no WhatsApp required.