@willjackson/claude-code-bridge 0.6.2 → 0.7.0

package/dist/{chunk-XOAR3DQB.js → chunk-2O352EPO.js}

@@ -148,9 +148,137 @@ var ConnectionState = /* @__PURE__ */ ((ConnectionState2) => {
   return ConnectionState2;
 })(ConnectionState || {});
 
+// src/utils/tls.ts
+import * as fs from "fs";
+var logger = createLogger("tls");
+function readCertFile(filePath) {
+  try {
+    return fs.readFileSync(filePath, "utf-8");
+  } catch (error) {
+    const err = error;
+    if (err.code === "ENOENT") {
+      throw new Error(`Certificate file not found: ${filePath}`);
+    }
+    if (err.code === "EACCES") {
+      throw new Error(`Permission denied reading certificate file: ${filePath}`);
+    }
+    throw new Error(`Failed to read certificate file ${filePath}: ${err.message}`);
+  }
+}
+async function loadCertificates(config) {
+  const options = {};
+  if (config.cert) {
+    logger.debug({ path: config.cert }, "Loading certificate");
+    options.cert = readCertFile(config.cert);
+  }
+  if (config.key) {
+    logger.debug({ path: config.key }, "Loading private key");
+    options.key = readCertFile(config.key);
+  }
+  if (config.ca) {
+    logger.debug({ path: config.ca }, "Loading CA certificate");
+    options.ca = readCertFile(config.ca);
+  }
+  options.rejectUnauthorized = config.rejectUnauthorized ?? true;
+  if (config.passphrase) {
+    options.passphrase = config.passphrase;
+  }
+  logger.info(
+    {
+      hasCert: !!options.cert,
+      hasKey: !!options.key,
+      hasCa: !!options.ca,
+      rejectUnauthorized: options.rejectUnauthorized
+    },
+    "TLS certificates loaded"
+  );
+  return options;
+}
+function loadCertificatesSync(config) {
+  const options = {};
+  if (config.cert) {
+    options.cert = readCertFile(config.cert);
+  }
+  if (config.key) {
+    options.key = readCertFile(config.key);
+  }
+  if (config.ca) {
+    options.ca = readCertFile(config.ca);
+  }
+  options.rejectUnauthorized = config.rejectUnauthorized ?? true;
+  if (config.passphrase) {
+    options.passphrase = config.passphrase;
+  }
+  return options;
+}
+function isFileReadable(filePath) {
+  try {
+    fs.accessSync(filePath, fs.constants.R_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function validateTLSConfig(config) {
+  const errors = [];
+  const warnings = [];
+  if (config.cert && !config.key) {
+    errors.push("Certificate provided without private key");
+  }
+  if (config.key && !config.cert) {
+    errors.push("Private key provided without certificate");
+  }
+  if (config.cert) {
+    if (!isFileReadable(config.cert)) {
+      errors.push(`Certificate file not readable: ${config.cert}`);
+    }
+  }
+  if (config.key) {
+    if (!isFileReadable(config.key)) {
+      errors.push(`Private key file not readable: ${config.key}`);
+    }
+  }
+  if (config.ca) {
+    if (!isFileReadable(config.ca)) {
+      errors.push(`CA certificate file not readable: ${config.ca}`);
+    }
+  }
+  if (config.rejectUnauthorized === false) {
+    warnings.push("TLS certificate verification is disabled - this is insecure for production use");
+  }
+  return {
+    valid: errors.length === 0,
+    errors,
+    warnings
+  };
+}
+function isTLSEnabled(config) {
+  if (!config) {
+    return false;
+  }
+  return !!(config.cert && config.key);
+}
+function createSecureContextOptions(loaded) {
+  const options = {};
+  if (loaded.cert) {
+    options.cert = loaded.cert;
+  }
+  if (loaded.key) {
+    options.key = loaded.key;
+  }
+  if (loaded.ca) {
+    options.ca = loaded.ca;
+  }
+  if (loaded.passphrase) {
+    options.passphrase = loaded.passphrase;
+  }
+  return options;
+}
+
 // src/transport/websocket.ts
 import WebSocket from "ws";
-var logger = createLogger("websocket-transport");
+import * as https from "https";
+var logger2 = createLogger("websocket-transport");
 var DEFAULT_RECONNECT_INTERVAL = 1e3;
 var DEFAULT_MAX_RECONNECT_ATTEMPTS = 10;
 var DEFAULT_HEARTBEAT_INTERVAL = 3e4;
@@ -176,6 +304,7 @@ var WebSocketTransport = class {
   reconnectingHandlers = [];
   /**
    * Build the WebSocket URL from the connection configuration
+   * Uses wss:// if TLS is configured, ws:// otherwise
    */
   buildUrl(config) {
     if (config.url) {
@@ -183,7 +312,79 @@ var WebSocketTransport = class {
     }
     const host = config.host ?? "localhost";
     const port = config.port ?? 8765;
-    return `ws://${host}:${port}`;
+    const useTls = config.tls?.ca || config.tls?.rejectUnauthorized !== void 0;
+    const protocol = useTls ? "wss" : "ws";
+    return `${protocol}://${host}:${port}`;
+  }
+  /**
+   * Build WebSocket options including TLS and auth configuration
+   */
+  buildWsOptions(config) {
+    const options = {};
+    if (config.tls) {
+      try {
+        const tlsOptions = loadCertificatesSync(config.tls);
+        const agentOptions = {
+          rejectUnauthorized: tlsOptions.rejectUnauthorized ?? true
+        };
+        if (tlsOptions.ca) {
+          agentOptions.ca = tlsOptions.ca;
+        }
+        if (tlsOptions.cert) {
+          agentOptions.cert = tlsOptions.cert;
+        }
+        if (tlsOptions.key) {
+          agentOptions.key = tlsOptions.key;
+        }
+        if (tlsOptions.passphrase) {
+          agentOptions.passphrase = tlsOptions.passphrase;
+        }
+        options.agent = new https.Agent(agentOptions);
+        if (tlsOptions.rejectUnauthorized !== void 0) {
+          options.rejectUnauthorized = tlsOptions.rejectUnauthorized;
+        }
+        if (tlsOptions.ca) {
+          options.ca = tlsOptions.ca;
+        }
+        logger2.debug(
+          { hasCa: !!tlsOptions.ca, rejectUnauthorized: tlsOptions.rejectUnauthorized },
+          "TLS options configured for client"
+        );
+      } catch (error) {
+        logger2.error({ error: error.message }, "Failed to load TLS certificates");
+        throw error;
+      }
+    }
+    if (config.auth && config.auth.type !== "none") {
+      options.headers = options.headers || {};
+      if (config.auth.token) {
+        options.headers["Authorization"] = `Bearer ${config.auth.token}`;
+      }
+      if (config.auth.password) {
+        options.headers["X-Auth-Password"] = config.auth.password;
+      }
+      logger2.debug(
+        { hasToken: !!config.auth.token, hasPassword: !!config.auth.password },
+        "Auth headers configured"
+      );
+    }
+    return options;
+  }
+  /**
+   * Build URL with auth query parameters (fallback for servers that don't support headers)
+   */
+  buildUrlWithAuth(baseUrl, config) {
+    if (!config.auth || config.auth.type === "none") {
+      return baseUrl;
+    }
+    const url = new URL(baseUrl);
+    if (config.auth.token) {
+      url.searchParams.set("token", config.auth.token);
+    }
+    if (config.auth.password) {
+      url.searchParams.set("password", config.auth.password);
+    }
+    return url.toString();
   }
   /**
    * Establish connection to a remote peer
@@ -206,15 +407,20 @@ var WebSocketTransport = class {
       throw new Error("No configuration set");
     }
     this.state = "CONNECTING" /* CONNECTING */;
-    const url = this.buildUrl(this.config);
-    logger.debug({ url, attempt: this.reconnectAttempts }, "Connecting to WebSocket server");
+    const baseUrl = this.buildUrl(this.config);
+    const wsOptions = this.buildWsOptions(this.config);
+    const url = this.buildUrlWithAuth(baseUrl, this.config);
+    logger2.debug(
+      { url: baseUrl, attempt: this.reconnectAttempts, hasOptions: Object.keys(wsOptions).length > 0 },
+      "Connecting to WebSocket server"
+    );
     return new Promise((resolve, reject) => {
       try {
-        this.ws = new WebSocket(url);
+        this.ws = Object.keys(wsOptions).length > 0 ? new WebSocket(url, wsOptions) : new WebSocket(url);
         this.ws.on("open", () => {
           this.state = "CONNECTED" /* CONNECTED */;
           this.reconnectAttempts = 0;
-          logger.info({ url }, "WebSocket connection established");
+          logger2.info({ url }, "WebSocket connection established");
           this.startHeartbeat();
           this.flushMessageQueue();
           resolve();
@@ -229,7 +435,7 @@ var WebSocketTransport = class {
           const wasConnected = this.state === "CONNECTED" /* CONNECTED */;
           const wasReconnecting = this.state === "RECONNECTING" /* RECONNECTING */;
           this.stopHeartbeat();
-          logger.info({ code, reason: reason.toString() }, "WebSocket connection closed");
+          logger2.info({ code, reason: reason.toString() }, "WebSocket connection closed");
           if (wasConnected) {
             this.notifyDisconnect();
           }
@@ -240,7 +446,7 @@ var WebSocketTransport = class {
           }
         });
         this.ws.on("error", (error) => {
-          logger.error({ error: error.message }, "WebSocket error");
+          logger2.error({ error: error.message }, "WebSocket error");
           if (this.state === "CONNECTING" /* CONNECTING */ && this.reconnectAttempts === 0) {
             this.state = "DISCONNECTED" /* DISCONNECTED */;
             reject(error);
@@ -266,7 +472,7 @@ var WebSocketTransport = class {
       this.state = "DISCONNECTED" /* DISCONNECTED */;
       return;
     }
-    logger.debug("Disconnecting WebSocket");
+    logger2.debug("Disconnecting WebSocket");
     return new Promise((resolve) => {
       if (!this.ws) {
         this.state = "DISCONNECTED" /* DISCONNECTED */;
@@ -316,11 +522,11 @@ var WebSocketTransport = class {
       throw new Error("Not connected");
     }
     const serialized = serializeMessage(message);
-    logger.debug({ messageId: message.id, type: message.type }, "Sending message");
+    logger2.debug({ messageId: message.id, type: message.type }, "Sending message");
     return new Promise((resolve, reject) => {
       this.ws.send(serialized, (error) => {
         if (error) {
-          logger.error({ error: error.message, messageId: message.id }, "Failed to send message");
+          logger2.error({ error: error.message, messageId: message.id }, "Failed to send message");
           reject(error);
         } else {
           resolve();
@@ -333,7 +539,7 @@ var WebSocketTransport = class {
    */
   queueMessage(message) {
     this.messageQueue.push(message);
-    logger.debug({ messageId: message.id, queueLength: this.messageQueue.length }, "Message queued for delivery");
+    logger2.debug({ messageId: message.id, queueLength: this.messageQueue.length }, "Message queued for delivery");
   }
   /**
    * Flush all queued messages after reconnection
@@ -342,14 +548,14 @@ var WebSocketTransport = class {
     if (this.messageQueue.length === 0) {
       return;
     }
-    logger.info({ queueLength: this.messageQueue.length }, "Flushing message queue");
+    logger2.info({ queueLength: this.messageQueue.length }, "Flushing message queue");
     const messages = [...this.messageQueue];
     this.messageQueue = [];
     for (const message of messages) {
       try {
         await this.sendImmediate(message);
       } catch (error) {
-        logger.error({ error: error.message, messageId: message.id }, "Failed to send queued message");
+        logger2.error({ error: error.message, messageId: message.id }, "Failed to send queued message");
         this.messageQueue.unshift(message);
         break;
       }
@@ -396,20 +602,20 @@ var WebSocketTransport = class {
    */
   handleIncomingMessage(data) {
     const messageString = data.toString();
-    logger.debug({ dataLength: messageString.length }, "Received message");
+    logger2.debug({ dataLength: messageString.length }, "Received message");
     const result = safeDeserializeMessage(messageString);
     if (!result.success) {
-      logger.warn({ error: result.error.message }, "Failed to parse incoming message");
+      logger2.warn({ error: result.error.message }, "Failed to parse incoming message");
       this.notifyError(new Error(`Invalid message format: ${result.error.message}`));
       return;
     }
     const message = result.data;
-    logger.debug({ messageId: message.id, type: message.type }, "Parsed message");
+    logger2.debug({ messageId: message.id, type: message.type }, "Parsed message");
     for (const handler of this.messageHandlers) {
       try {
         handler(message);
       } catch (error) {
-        logger.error({ error: error.message }, "Message handler threw error");
+        logger2.error({ error: error.message }, "Message handler threw error");
       }
     }
   }
@@ -421,7 +627,7 @@ var WebSocketTransport = class {
       try {
         handler();
       } catch (error) {
-        logger.error({ error: error.message }, "Disconnect handler threw error");
+        logger2.error({ error: error.message }, "Disconnect handler threw error");
       }
     }
   }
@@ -433,7 +639,7 @@ var WebSocketTransport = class {
       try {
         handler(error);
       } catch (handlerError) {
-        logger.error({ error: handlerError.message }, "Error handler threw error");
+        logger2.error({ error: handlerError.message }, "Error handler threw error");
       }
     }
   }
@@ -445,7 +651,7 @@ var WebSocketTransport = class {
       try {
         handler(attempt, maxAttempts);
       } catch (error) {
-        logger.error({ error: error.message }, "Reconnecting handler threw error");
+        logger2.error({ error: error.message }, "Reconnecting handler threw error");
       }
     }
   }
@@ -473,7 +679,7 @@ var WebSocketTransport = class {
     this.reconnectAttempts++;
     const maxAttempts = this.config?.maxReconnectAttempts ?? DEFAULT_MAX_RECONNECT_ATTEMPTS;
     const interval = this.config?.reconnectInterval ?? DEFAULT_RECONNECT_INTERVAL;
-    logger.info(
+    logger2.info(
       { attempt: this.reconnectAttempts, maxAttempts, interval },
       "Scheduling reconnection attempt"
     );
@@ -482,13 +688,13 @@ var WebSocketTransport = class {
       this.reconnectTimer = null;
       try {
         await this.establishConnection();
-        logger.info({ attempts: this.reconnectAttempts }, "Reconnection successful");
+        logger2.info({ attempts: this.reconnectAttempts }, "Reconnection successful");
       } catch (error) {
-        logger.warn({ error: error.message }, "Reconnection attempt failed");
+        logger2.warn({ error: error.message }, "Reconnection attempt failed");
         if (this.shouldReconnect()) {
           this.scheduleReconnect();
         } else {
-          logger.error({ maxAttempts }, "Max reconnection attempts reached, giving up");
+          logger2.error({ maxAttempts }, "Max reconnection attempts reached, giving up");
           this.state = "DISCONNECTED" /* DISCONNECTED */;
           this.notifyError(new Error(`Failed to reconnect after ${maxAttempts} attempts`));
         }
@@ -515,7 +721,7 @@ var WebSocketTransport = class {
     this.heartbeatInterval = setInterval(() => {
       this.sendPing();
     }, DEFAULT_HEARTBEAT_INTERVAL);
-    logger.debug({ interval: DEFAULT_HEARTBEAT_INTERVAL }, "Heartbeat monitoring started");
+    logger2.debug({ interval: DEFAULT_HEARTBEAT_INTERVAL }, "Heartbeat monitoring started");
   }
   /**
    * Stop the heartbeat monitoring
@@ -539,7 +745,7 @@ var WebSocketTransport = class {
       return;
     }
     if (this.awaitingPong) {
-      logger.warn("No pong received, connection may be dead");
+      logger2.warn("No pong received, connection may be dead");
       this.handleHeartbeatTimeout();
       return;
     }
@@ -550,7 +756,7 @@ var WebSocketTransport = class {
         this.handleHeartbeatTimeout();
       }
     }, HEARTBEAT_TIMEOUT);
-    logger.debug("Ping sent");
+    logger2.debug("Ping sent");
   }
   /**
    * Handle pong response from peer
@@ -561,13 +767,13 @@ var WebSocketTransport = class {
       clearTimeout(this.heartbeatTimeout);
       this.heartbeatTimeout = null;
     }
-    logger.debug("Pong received");
+    logger2.debug("Pong received");
   }
   /**
    * Handle heartbeat timeout (no pong received)
    */
   handleHeartbeatTimeout() {
-    logger.warn("Heartbeat timeout - closing connection");
+    logger2.warn("Heartbeat timeout - closing connection");
     this.awaitingPong = false;
     if (this.heartbeatTimeout) {
       clearTimeout(this.heartbeatTimeout);
@@ -594,6 +800,290 @@ var WebSocketTransport = class {
   }
 };
 
+// src/utils/auth.ts
+import * as crypto from "crypto";
+var logger3 = createLogger("auth");
+function ipv4ToInt(ip) {
+  const parts = ip.split(".").map(Number);
+  if (parts.length !== 4 || parts.some((p) => isNaN(p) || p < 0 || p > 255)) {
+    return -1;
+  }
+  return parts[0] << 24 | parts[1] << 16 | parts[2] << 8 | parts[3];
+}
+function matchesCidr(clientIp, cidr) {
+  let normalizedIp = clientIp;
+  if (normalizedIp.startsWith("::ffff:")) {
+    normalizedIp = normalizedIp.substring(7);
+  }
+  const [network, prefixStr] = cidr.split("/");
+  const prefix = prefixStr ? parseInt(prefixStr, 10) : 32;
+  if (prefix < 0 || prefix > 32) {
+    return false;
+  }
+  const clientInt = ipv4ToInt(normalizedIp);
+  const networkInt = ipv4ToInt(network);
+  if (clientInt === -1 || networkInt === -1) {
+    return normalizedIp === network || clientIp === cidr;
+  }
+  const mask = prefix === 0 ? 0 : -1 << 32 - prefix >>> 0;
+  return (clientInt & mask) >>> 0 === (networkInt & mask) >>> 0;
+}
+function validateIp(clientIp, allowedCidrs) {
+  if (!allowedCidrs || allowedCidrs.length === 0) {
+    return false;
+  }
+  for (const cidr of allowedCidrs) {
+    if (matchesCidr(clientIp, cidr)) {
+      logger3.debug({ clientIp, matchedCidr: cidr }, "IP matched allowed range");
+      return true;
+    }
+  }
+  logger3.debug({ clientIp, allowedCidrs }, "IP did not match any allowed range");
+  return false;
+}
+function timingSafeCompare(provided, expected) {
+  const providedBuffer = Buffer.from(provided, "utf-8");
+  const expectedBuffer = Buffer.from(expected, "utf-8");
+  if (providedBuffer.length !== expectedBuffer.length) {
+    crypto.timingSafeEqual(expectedBuffer, expectedBuffer);
+    return false;
+  }
+  return crypto.timingSafeEqual(providedBuffer, expectedBuffer);
+}
+function validateToken(provided, expected) {
+  if (!provided) {
+    return false;
+  }
+  return timingSafeCompare(provided, expected);
+}
+function validatePassword(provided, expected) {
+  if (!provided) {
+    return false;
+  }
+  return timingSafeCompare(provided, expected);
+}
+function getClientIp(request) {
+  const forwarded = request.headers["x-forwarded-for"];
+  if (forwarded) {
+    const ips = Array.isArray(forwarded) ? forwarded[0] : forwarded;
+    const clientIp = ips.split(",")[0].trim();
+    if (clientIp) {
+      return clientIp;
+    }
+  }
+  return request.socket.remoteAddress || "unknown";
+}
+function extractCredentials(request) {
+  const credentials = {
+    clientIp: getClientIp(request)
+  };
+  const url = new URL(request.url || "/", `http://${request.headers.host || "localhost"}`);
+  const queryToken = url.searchParams.get("token");
+  if (queryToken) {
+    credentials.token = queryToken;
+  }
+  const queryPassword = url.searchParams.get("password");
+  if (queryPassword) {
+    credentials.password = queryPassword;
+  }
+  const authHeader = request.headers.authorization;
+  if (authHeader) {
+    if (authHeader.startsWith("Bearer ")) {
+      credentials.token = authHeader.substring(7);
+    } else if (authHeader.startsWith("Basic ")) {
+      try {
+        const decoded = Buffer.from(authHeader.substring(6), "base64").toString("utf-8");
+        const [, password] = decoded.split(":");
+        if (password) {
+          credentials.password = password;
+        }
+      } catch {
+      }
+    }
+  }
+  const tokenHeader = request.headers["x-auth-token"];
+  if (tokenHeader && !credentials.token) {
+    credentials.token = Array.isArray(tokenHeader) ? tokenHeader[0] : tokenHeader;
+  }
+  const passwordHeader = request.headers["x-auth-password"];
+  if (passwordHeader && !credentials.password) {
+    credentials.password = Array.isArray(passwordHeader) ? passwordHeader[0] : passwordHeader;
+  }
+  return credentials;
+}
+var Authenticator = class {
+  config;
+  /**
+   * Create a new Authenticator
+   * @param config - Authentication configuration
+   */
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Authenticate a request
+   * @param request - The incoming HTTP request (WebSocket upgrade request)
+   * @returns Authentication result
+   */
+  authenticate(request) {
+    if (this.config.type === "none") {
+      return { success: true };
+    }
+    const credentials = extractCredentials(request);
+    return this.authenticateWithCredentials(credentials);
+  }
+  /**
+   * Authenticate with extracted credentials
+   * @param credentials - The extracted credentials
+   * @returns Authentication result
+   */
+  authenticateWithCredentials(credentials) {
+    const { clientIp } = credentials;
+    if (this.config.type === "none") {
+      return { success: true, clientIp };
+    }
+    const results = [];
+    if (this.config.token) {
+      const tokenValid = validateToken(credentials.token, this.config.token);
+      results.push({ method: "token", success: tokenValid });
+      if (tokenValid) {
+        logger3.debug({ clientIp }, "Token authentication succeeded");
+      } else {
+        logger3.debug({ clientIp }, "Token authentication failed");
+      }
+    }
+    if (this.config.password) {
+      const passwordValid = validatePassword(credentials.password, this.config.password);
+      results.push({ method: "password", success: passwordValid });
+      if (passwordValid) {
+        logger3.debug({ clientIp }, "Password authentication succeeded");
+      } else {
+        logger3.debug({ clientIp }, "Password authentication failed");
+      }
+    }
+    if (this.config.allowedIps && this.config.allowedIps.length > 0) {
+      const ipValid = validateIp(clientIp, this.config.allowedIps);
+      results.push({ method: "ip", success: ipValid });
+      if (ipValid) {
+        logger3.debug({ clientIp }, "IP authentication succeeded");
+      } else {
+        logger3.debug({ clientIp }, "IP authentication failed");
+      }
+    }
+    if (results.length === 0) {
+      logger3.warn("Authentication configured but no methods available");
+      return {
+        success: false,
+        error: "Authentication required but not configured",
+        clientIp
+      };
+    }
+    if (this.config.requireAll) {
+      const allPassed = results.every((r) => r.success);
+      if (allPassed) {
+        logger3.info({ clientIp, methods: results.map((r) => r.method) }, "All authentication methods passed");
+        return { success: true, clientIp };
+      } else {
+        const failed = results.filter((r) => !r.success).map((r) => r.method);
+        logger3.warn({ clientIp, failedMethods: failed }, "Authentication failed (requireAll mode)");
+        return {
+          success: false,
+          error: `Authentication failed for methods: ${failed.join(", ")}`,
+          clientIp
+        };
+      }
+    } else {
+      const passed = results.find((r) => r.success);
+      if (passed) {
+        logger3.info({ clientIp, method: passed.method }, "Authentication succeeded");
+        return { success: true, method: passed.method, clientIp };
+      } else {
+        logger3.warn({ clientIp }, "All authentication methods failed");
+        return {
+          success: false,
+          error: "Authentication failed",
+          clientIp
+        };
+      }
+    }
+  }
+  /**
+   * Get the configured authentication type
+   */
+  getType() {
+    return this.config.type;
+  }
+  /**
+   * Check if authentication is required
+   */
+  isRequired() {
+    return this.config.type !== "none";
+  }
+};
+function createAuthConfigFromOptions(options) {
+  const hasToken = !!options.authToken;
+  const hasPassword = !!options.authPassword;
+  const hasIp = options.authIp && options.authIp.length > 0;
+  let type = "none";
+  if (hasToken || hasPassword || hasIp) {
+    const count = [hasToken, hasPassword, hasIp].filter(Boolean).length;
+    if (count > 1) {
+      type = "combined";
+    } else if (hasToken) {
+      type = "token";
+    } else if (hasPassword) {
+      type = "password";
+    } else if (hasIp) {
+      type = "ip";
+    }
+  }
+  return {
+    type,
+    token: options.authToken,
+    password: options.authPassword,
+    allowedIps: options.authIp,
+    requireAll: options.authRequireAll ?? false
+  };
+}
+function validateAuthConfig(config) {
+  const errors = [];
+  const warnings = [];
+  if (config.type === "token" && !config.token) {
+    errors.push("Token authentication requires a token");
+  }
+  if (config.type === "password" && !config.password) {
+    errors.push("Password authentication requires a password");
+  }
+  if (config.type === "ip" && (!config.allowedIps || config.allowedIps.length === 0)) {
+    errors.push("IP authentication requires at least one allowed IP/CIDR");
+  }
+  if (config.allowedIps) {
+    for (const cidr of config.allowedIps) {
+      const [ip, prefix] = cidr.split("/");
+      if (ipv4ToInt(ip) === -1) {
+        warnings.push(`IP address may not be valid IPv4: ${ip}`);
+      }
+      if (prefix !== void 0) {
+        const prefixNum = parseInt(prefix, 10);
+        if (isNaN(prefixNum) || prefixNum < 0 || prefixNum > 32) {
+          errors.push(`Invalid CIDR prefix: ${cidr}`);
+        }
+      }
+    }
+  }
+  if (config.token && config.token.length < 16) {
+    warnings.push("Token is shorter than 16 characters - consider using a longer token");
+  }
+  if (config.password && config.password.length < 8) {
+    warnings.push("Password is shorter than 8 characters - consider using a longer password");
+  }
+  return {
+    valid: errors.length === 0,
+    errors,
+    warnings
+  };
+}
+
 // src/bridge/messages.ts
 function createContextSyncMessage(source, context) {
   const message = createMessage("context_sync", source);
@@ -644,17 +1134,20 @@ function createNotificationMessage(source, notification) {
 
 // src/bridge/core.ts
 import { WebSocketServer } from "ws";
+import * as https2 from "https";
 import { v4 as uuidv42 } from "uuid";
-import * as fs from "fs";
+import * as fs2 from "fs";
 import * as path from "path";
 import * as os from "os";
-var logger2 = createLogger("bridge");
+var logger4 = createLogger("bridge");
 var Bridge = class {
   config;
   server = null;
+  httpsServer = null;
   clientTransport = null;
   peers = /* @__PURE__ */ new Map();
   started = false;
+  authenticator = null;
   // Event handlers
   peerConnectedHandlers = [];
   peerDisconnectedHandlers = [];
@@ -675,7 +1168,7 @@ var Bridge = class {
   constructor(config) {
     this.config = config;
     this.validateConfig();
-    logger2.info({ instanceName: config.instanceName, mode: config.mode }, "Bridge instance created");
+    logger4.info({ instanceName: config.instanceName, mode: config.mode }, "Bridge instance created");
   }
   /**
    * Validate the configuration based on mode requirements
@@ -688,28 +1181,32 @@ var Bridge = class {
     if (mode === "client" && !connect) {
       throw new Error("'client' mode requires 'connect' configuration");
     }
+    if (mode === "peer" && !listen && !connect) {
+      throw new Error("'peer' mode requires either 'listen' or 'connect' configuration");
+    }
   }
   /**
    * Start the bridge based on configured mode
    * - 'host': Starts WebSocket server, sends commands via MCP
    * - 'client': Connects to host, receives and executes commands
+   * - 'peer': Starts server (if listen configured) and connects to remote (if connect configured)
    */
   async start() {
     if (this.started) {
       throw new Error("Bridge is already started");
     }
     const { mode } = this.config;
-    logger2.info({ mode }, "Starting bridge");
+    logger4.info({ mode }, "Starting bridge");
     try {
-      if (mode === "host" && this.config.listen) {
+      if ((mode === "host" || mode === "peer") && this.config.listen) {
         await this.startServer();
       }
-      if (mode === "client" && this.config.connect) {
+      if ((mode === "client" || mode === "peer") && this.config.connect) {
         await this.connectToRemote();
       }
       this.started = true;
       this.writeStatusFile();
-      logger2.info({ mode, instanceName: this.config.instanceName }, "Bridge started successfully");
+      logger4.info({ mode, instanceName: this.config.instanceName }, "Bridge started successfully");
     } catch (error) {
       await this.cleanup();
       throw error;
@@ -722,10 +1219,10 @@ var Bridge = class {
     if (!this.started) {
       return;
     }
-    logger2.info("Stopping bridge");
+    logger4.info("Stopping bridge");
     await this.cleanup();
     this.started = false;
-    logger2.info("Bridge stopped");
+    logger4.info("Bridge stopped");
   }
   /**
    * Get list of connected peers
@@ -766,9 +1263,9 @@ var Bridge = class {
       });
       transport._peerId = peerId;
       this.notifyPeerConnected(peerInfo);
-      logger2.info({ peerId, url }, "Connected to remote peer");
+      logger4.info({ peerId, url }, "Connected to remote peer");
     } catch (error) {
-      logger2.error({ error: error.message, url }, "Failed to connect to remote peer");
+      logger4.error({ error: error.message, url }, "Failed to connect to remote peer");
       throw error;
     }
   }
@@ -789,7 +1286,7 @@ var Bridge = class {
     }
     this.peers.delete(peerId);
     this.notifyPeerDisconnected(peer.info);
-    logger2.info({ peerId }, "Disconnected from peer");
+    logger4.info({ peerId }, "Disconnected from peer");
   }
   /**
    * Send a message to a specific peer
@@ -817,7 +1314,7 @@ var Bridge = class {
     } else {
       throw new Error("No transport available for peer");
     }
-    logger2.debug({ peerId, messageId: message.id, type: message.type }, "Sent message to peer");
+    logger4.debug({ peerId, messageId: message.id, type: message.type }, "Sent message to peer");
   }
   /**
    * Broadcast a message to all connected peers
@@ -826,11 +1323,11 @@ var Bridge = class {
   async broadcast(message) {
     const sendPromises = Array.from(this.peers.keys()).map(
       (peerId) => this.sendToPeer(peerId, message).catch((error) => {
-        logger2.error({ error: error.message, peerId }, "Failed to send to peer");
+        logger4.error({ error: error.message, peerId }, "Failed to send to peer");
       })
     );
     await Promise.all(sendPromises);
-    logger2.debug({ messageId: message.id, peerCount: this.peers.size }, "Broadcast message sent");
+    logger4.debug({ messageId: message.id, peerCount: this.peers.size }, "Broadcast message sent");
   }
   // ============================================================================
   // Event Registration
@@ -920,7 +1417,7 @@ var Bridge = class {
         this.pendingTasks.delete(task.id);
         reject(error);
       });
-      logger2.debug({ taskId: task.id, peerId, timeout }, "Task delegated");
+      logger4.debug({ taskId: task.id, peerId, timeout }, "Task delegated");
     });
   }
   // ============================================================================
@@ -936,10 +1433,10 @@ var Bridge = class {
     const message = createContextSyncMessage(this.config.instanceName, contextToSync);
     if (peerId) {
       await this.sendToPeer(peerId, message);
-      logger2.debug({ peerId, messageId: message.id }, "Context synced to peer");
+      logger4.debug({ peerId, messageId: message.id }, "Context synced to peer");
     } else {
       await this.broadcast(message);
-      logger2.debug({ peerCount: this.peers.size, messageId: message.id }, "Context synced to all peers");
+      logger4.debug({ peerCount: this.peers.size, messageId: message.id }, "Context synced to all peers");
     }
   }
   /**
@@ -982,7 +1479,7 @@ var Bridge = class {
         this.pendingContextRequests.delete(message.id);
         reject(error);
       });
-      logger2.debug({ requestId: message.id, peerId, query }, "Context requested");
+      logger4.debug({ requestId: message.id, peerId, query }, "Context requested");
     });
   }
   /**
@@ -998,10 +1495,10 @@ var Bridge = class {
         const context = contextProvider ? await contextProvider() : void 0;
         await this.syncContext(context);
       } catch (error) {
-        logger2.error({ error: error.message }, "Auto-sync error");
+        logger4.error({ error: error.message }, "Auto-sync error");
       }
     }, interval);
-    logger2.info({ interval }, "Auto-sync started");
+    logger4.info({ interval }, "Auto-sync started");
   }
   /**
    * Stop automatic context synchronization
@@ -1010,7 +1507,7 @@ var Bridge = class {
     if (this.autoSyncIntervalId) {
       clearInterval(this.autoSyncIntervalId);
       this.autoSyncIntervalId = null;
-      logger2.info("Auto-sync stopped");
+      logger4.info("Auto-sync stopped");
     }
   }
   // ============================================================================
@@ -1018,30 +1515,97 @@ var Bridge = class {
   // ============================================================================
   /**
    * Start the WebSocket server
+   * If TLS is configured, starts an HTTPS server with WebSocket upgrade
+   * If auth is configured, validates connections before accepting
    */
   async startServer() {
     const { listen } = this.config;
     if (!listen) {
       throw new Error("Listen configuration is required");
     }
+    const host = listen.host ?? "0.0.0.0";
+    const port = listen.port;
+    const useTls = isTLSEnabled(listen.tls);
+    if (listen.auth && listen.auth.type !== "none") {
+      this.authenticator = new Authenticator(listen.auth);
+      logger4.info({ authType: listen.auth.type }, "Authentication enabled");
+    }
     return new Promise((resolve, reject) => {
-      const host = listen.host ?? "0.0.0.0";
-      const port = listen.port;
-      logger2.debug({ host, port }, "Starting WebSocket server");
-      this.server = new WebSocketServer({ host, port });
-      this.server.on("listening", () => {
-        logger2.info({ host, port }, "WebSocket server listening");
-        resolve();
-      });
-      this.server.on("error", (error) => {
-        logger2.error({ error: error.message }, "WebSocket server error");
+      logger4.debug({ host, port, tls: useTls, auth: !!this.authenticator }, "Starting WebSocket server");
+      try {
+        if (useTls && listen.tls) {
+          const tlsOptions = loadCertificatesSync(listen.tls);
+          logger4.info({ host, port }, "Starting secure WebSocket server (wss://)");
+          this.httpsServer = https2.createServer({
+            cert: tlsOptions.cert,
+            key: tlsOptions.key,
+            ca: tlsOptions.ca,
+            passphrase: tlsOptions.passphrase
+          });
+          const wsOptions = {
+            server: this.httpsServer
+          };
+          if (this.authenticator) {
+            wsOptions.verifyClient = (info, callback) => {
+              this.verifyClient(info, callback);
+            };
+          }
+          this.server = new WebSocketServer(wsOptions);
+          this.httpsServer.listen(port, host, () => {
+            logger4.info({ host, port, protocol: "wss" }, "Secure WebSocket server listening");
+            resolve();
+          });
+          this.httpsServer.on("error", (error) => {
+            logger4.error({ error: error.message }, "HTTPS server error");
+            reject(error);
+          });
+        } else {
+          const wsOptions = {
+            host,
+            port
+          };
+          if (this.authenticator) {
+            wsOptions.verifyClient = (info, callback) => {
+              this.verifyClient(info, callback);
+            };
+          }
+          this.server = new WebSocketServer(wsOptions);
+          this.server.on("listening", () => {
+            logger4.info({ host, port, protocol: "ws" }, "WebSocket server listening");
+            resolve();
+          });
+          this.server.on("error", (error) => {
+            logger4.error({ error: error.message }, "WebSocket server error");
+            reject(error);
+          });
+        }
+        this.server.on("connection", (ws, request) => {
+          this.handleNewConnection(ws, request);
+        });
+      } catch (error) {
+        logger4.error({ error: error.message }, "Failed to start server");
         reject(error);
-      });
-      this.server.on("connection", (ws, request) => {
-        this.handleNewConnection(ws, request);
-      });
+      }
     });
   }
+  /**
+   * Verify client connection for authentication
+   * Used as WebSocketServer verifyClient callback
+   */
+  verifyClient(info, callback) {
+    if (!this.authenticator) {
+      callback(true);
+      return;
+    }
+    const result = this.authenticator.authenticate(info.req);
+    if (result.success) {
+      logger4.info({ clientIp: result.clientIp, method: result.method }, "Client authenticated");
+      callback(true);
+    } else {
+      logger4.warn({ clientIp: result.clientIp, error: result.error }, "Client authentication failed");
+      callback(false, 4001, result.error || "Authentication failed");
+    }
+  }
   /**
    * Handle a new incoming connection
    */
@@ -1058,7 +1622,7 @@ var Bridge = class {
       info: peerInfo,
       ws
     });
-    logger2.info({ peerId, url: request.url }, "New peer connected");
+    logger4.info({ peerId, url: request.url }, "New peer connected");
     ws.on("message", (data) => {
       const messageString = data.toString();
       const result = safeDeserializeMessage(messageString);
@@ -1066,16 +1630,16 @@ var Bridge = class {
         peerInfo.lastActivity = Date.now();
         this.handleMessage(result.data, ws, peerId);
       } else {
-        logger2.warn({ peerId, error: result.error.message }, "Invalid message received");
+        logger4.warn({ peerId, error: result.error.message }, "Invalid message received");
       }
     });
     ws.on("close", (code, reason) => {
-      logger2.info({ peerId, code, reason: reason.toString() }, "Peer disconnected");
+      logger4.info({ peerId, code, reason: reason.toString() }, "Peer disconnected");
       this.peers.delete(peerId);
       this.notifyPeerDisconnected(peerInfo);
     });
     ws.on("error", (error) => {
-      logger2.error({ peerId, error: error.message }, "Peer connection error");
+      logger4.error({ peerId, error: error.message }, "Peer connection error");
     });
     this.notifyPeerConnected(peerInfo);
   }
@@ -1094,7 +1658,8 @@ var Bridge = class {
     if (!url) {
       const host = connect.hostGateway ? "host.docker.internal" : "localhost";
       const port = connect.port ?? 8765;
-      url = `ws://${host}:${port}`;
+      const protocol = isTLSEnabled(connect.tls) || connect.tls?.ca ? "wss" : "ws";
+      url = `${protocol}://${host}:${port}`;
     }
     this.clientTransport = new WebSocketTransport();
     this.clientTransport.onMessage((message) => {
@@ -1108,7 +1673,9 @@ var Bridge = class {
         url,
         reconnect: true,
         reconnectInterval: 1e3,
-        maxReconnectAttempts: 10
+        maxReconnectAttempts: 10,
+        tls: connect.tls,
+        auth: connect.auth
       });
       const peerId = uuidv42();
       const peerInfo = {
@@ -1123,9 +1690,9 @@ var Bridge = class {
       });
       this.clientTransport._peerId = peerId;
       this.notifyPeerConnected(peerInfo);
-      logger2.info({ peerId, url }, "Connected to remote bridge");
+      logger4.info({ peerId, url }, "Connected to remote bridge");
     } catch (error) {
-      logger2.error({ error: error.message }, "Failed to connect to remote bridge");
+      logger4.error({ error: error.message }, "Failed to connect to remote bridge");
       this.clientTransport = null;
       throw error;
     }
@@ -1141,7 +1708,7 @@ var Bridge = class {
       if (peer) {
         this.peers.delete(peerId);
         this.notifyPeerDisconnected(peer.info);
-        logger2.info({ peerId }, "Client transport disconnected");
+        logger4.info({ peerId }, "Client transport disconnected");
       }
     }
   }
@@ -1165,14 +1732,14 @@ var Bridge = class {
       }
     }
     if (!peerId) {
-      logger2.warn({ messageId: message.id }, "Received message from unknown peer");
+      logger4.warn({ messageId: message.id }, "Received message from unknown peer");
       return;
     }
     const peer = this.peers.get(peerId);
     if (peer) {
       peer.info.lastActivity = Date.now();
     }
-    logger2.debug({ peerId, messageId: message.id, type: message.type }, "Received message");
+    logger4.debug({ peerId, messageId: message.id, type: message.type }, "Received message");
     if (message.type === "task_delegate" && message.task) {
       this.handleTaskDelegate(message, peerId);
       return;
@@ -1200,22 +1767,22 @@ var Bridge = class {
    */
   async handleTaskDelegate(message, peerId) {
     const task = message.task;
-    logger2.debug({ taskId: task.id, peerId }, "Received task delegation");
+    logger4.debug({ taskId: task.id, peerId }, "Received task delegation");
     if (!this.taskReceivedHandler) {
       const otherPeers = Array.from(this.peers.keys()).filter((id) => id !== peerId);
       if (otherPeers.length > 0) {
         const targetPeerId = otherPeers[0];
-        logger2.info({ taskId: task.id, targetPeerId }, "Forwarding task to another peer");
+        logger4.info({ taskId: task.id, targetPeerId }, "Forwarding task to another peer");
         try {
           await this.sendToPeer(targetPeerId, message);
           const forwardKey = `forward:${task.id}`;
           this[forwardKey] = peerId;
           return;
         } catch (err) {
-          logger2.error({ error: err.message, taskId: task.id }, "Failed to forward task");
+          logger4.error({ error: err.message, taskId: task.id }, "Failed to forward task");
         }
       }
-      logger2.warn({ taskId: task.id }, "No task handler registered and no peers to forward to");
+      logger4.warn({ taskId: task.id }, "No task handler registered and no peers to forward to");
       const response = createTaskResponseMessage(
         this.config.instanceName,
         task.id,
@@ -1226,7 +1793,7 @@ var Bridge = class {
         }
       );
       await this.sendToPeer(peerId, response).catch((err) => {
-        logger2.error({ error: err.message, taskId: task.id }, "Failed to send error response");
+        logger4.error({ error: err.message, taskId: task.id }, "Failed to send error response");
       });
       return;
     }
@@ -1238,7 +1805,7 @@ var Bridge = class {
         result
       );
       await this.sendToPeer(peerId, response);
-      logger2.debug({ taskId: task.id, success: result.success }, "Task response sent");
+      logger4.debug({ taskId: task.id, success: result.success }, "Task response sent");
     } catch (error) {
       const response = createTaskResponseMessage(
         this.config.instanceName,
@@ -1250,9 +1817,9 @@ var Bridge = class {
         }
       );
       await this.sendToPeer(peerId, response).catch((err) => {
-        logger2.error({ error: err.message, taskId: task.id }, "Failed to send error response");
+        logger4.error({ error: err.message, taskId: task.id }, "Failed to send error response");
       });
-      logger2.error({ taskId: task.id, error: error.message }, "Task handler error");
+      logger4.error({ taskId: task.id, error: error.message }, "Task handler error");
     }
   }
   /**
@@ -1264,15 +1831,15 @@ var Bridge = class {
     const originalSender = this[forwardKey];
     if (originalSender) {
       delete this[forwardKey];
-      logger2.info({ taskId, originalSender }, "Forwarding task response to original sender");
+      logger4.info({ taskId, originalSender }, "Forwarding task response to original sender");
       await this.sendToPeer(originalSender, message).catch((err) => {
-        logger2.error({ error: err.message, taskId }, "Failed to forward response");
+        logger4.error({ error: err.message, taskId }, "Failed to forward response");
       });
       return;
     }
     const pending = this.pendingTasks.get(taskId);
     if (!pending) {
-      logger2.warn({ taskId }, "Received response for unknown task");
+      logger4.warn({ taskId }, "Received response for unknown task");
       return;
     }
     clearTimeout(pending.timeoutId);
@@ -1285,7 +1852,7 @@ var Bridge = class {
       followUp: message.result.followUp,
       error: message.result.error
     };
-    logger2.debug({ taskId, success: result.success }, "Task result received");
+    logger4.debug({ taskId, success: result.success }, "Task result received");
     pending.resolve(result);
   }
   /**
@@ -1293,7 +1860,7 @@ var Bridge = class {
    */
   handleContextSync(message, peerId) {
     const context = message.context;
-    logger2.debug({ peerId, messageId: message.id }, "Received context sync");
+    logger4.debug({ peerId, messageId: message.id }, "Received context sync");
     this.notifyContextReceived(context, peerId);
   }
   /**
@@ -1301,22 +1868,22 @@ var Bridge = class {
    */
   async handleContextRequest(message, peerId) {
     const query = message.context.summary;
-    logger2.debug({ peerId, messageId: message.id, query }, "Received context request");
+    logger4.debug({ peerId, messageId: message.id, query }, "Received context request");
     if (!this.contextRequestedHandler) {
       const otherPeers = Array.from(this.peers.keys()).filter((id) => id !== peerId);
       if (otherPeers.length > 0) {
         const targetPeerId = otherPeers[0];
-        logger2.info({ messageId: message.id, targetPeerId }, "Forwarding context request to another peer");
+        logger4.info({ messageId: message.id, targetPeerId }, "Forwarding context request to another peer");
         try {
           await this.sendToPeer(targetPeerId, message);
           const forwardKey = `ctxfwd:${message.id}`;
           this[forwardKey] = peerId;
           return;
         } catch (err) {
-          logger2.error({ error: err.message, messageId: message.id }, "Failed to forward context request");
+          logger4.error({ error: err.message, messageId: message.id }, "Failed to forward context request");
         }
       }
-      logger2.warn({ messageId: message.id }, "No context request handler registered and no peers to forward to");
+      logger4.warn({ messageId: message.id }, "No context request handler registered and no peers to forward to");
       const response = createContextSyncMessage(this.config.instanceName, { files: [] });
       const responseMessage = {
         ...response,
@@ -1327,7 +1894,7 @@ var Bridge = class {
         }
       };
       await this.sendToPeer(peerId, responseMessage).catch((err) => {
-        logger2.error({ error: err.message, messageId: message.id }, "Failed to send empty context response");
+        logger4.error({ error: err.message, messageId: message.id }, "Failed to send empty context response");
       });
       return;
     }
@@ -1343,7 +1910,7 @@ var Bridge = class {
         }
       };
       await this.sendToPeer(peerId, responseMessage);
-      logger2.debug({ messageId: message.id, fileCount: files.length }, "Context response sent");
+      logger4.debug({ messageId: message.id, fileCount: files.length }, "Context response sent");
     } catch (error) {
       const response = createContextSyncMessage(this.config.instanceName, {
         files: [],
@@ -1358,9 +1925,9 @@ var Bridge = class {
         }
       };
       await this.sendToPeer(peerId, responseMessage).catch((err) => {
-        logger2.error({ error: err.message, messageId: message.id }, "Failed to send error context response");
+        logger4.error({ error: err.message, messageId: message.id }, "Failed to send error context response");
       });
-      logger2.error({ messageId: message.id, error: error.message }, "Context request handler error");
+      logger4.error({ messageId: message.id, error: error.message }, "Context request handler error");
     }
   }
   /**
@@ -1369,22 +1936,22 @@ var Bridge = class {
   async handleContextResponse(message) {
     const requestId = message.context?.variables?.requestId;
     if (!requestId) {
-      logger2.warn({ messageId: message.id }, "Context response without requestId");
+      logger4.warn({ messageId: message.id }, "Context response without requestId");
       return;
     }
     const forwardKey = `ctxfwd:${requestId}`;
     const originalSender = this[forwardKey];
     if (originalSender) {
       delete this[forwardKey];
-      logger2.info({ requestId, originalSender }, "Forwarding context response to original sender");
+      logger4.info({ requestId, originalSender }, "Forwarding context response to original sender");
       await this.sendToPeer(originalSender, message).catch((err) => {
-        logger2.error({ error: err.message, requestId }, "Failed to forward context response");
+        logger4.error({ error: err.message, requestId }, "Failed to forward context response");
       });
       return;
     }
     const pending = this.pendingContextRequests.get(requestId);
     if (!pending) {
-      logger2.warn({ requestId }, "Received response for unknown context request");
+      logger4.warn({ requestId }, "Received response for unknown context request");
       return;
     }
     clearTimeout(pending.timeoutId);
@@ -1395,7 +1962,7 @@ var Bridge = class {
       return;
     }
     const files = message.context?.files ?? [];
-    logger2.debug({ requestId, fileCount: files.length }, "Context response received");
+    logger4.debug({ requestId, fileCount: files.length }, "Context response received");
     pending.resolve(files);
   }
   // ============================================================================
@@ -1407,7 +1974,7 @@ var Bridge = class {
       try {
         handler(peer);
       } catch (error) {
-        logger2.error({ error: error.message }, "Peer connected handler error");
+        logger4.error({ error: error.message }, "Peer connected handler error");
       }
     }
   }
@@ -1430,7 +1997,7 @@ var Bridge = class {
       try {
         handler(peer);
       } catch (error) {
-        logger2.error({ error: error.message }, "Peer disconnected handler error");
+        logger4.error({ error: error.message }, "Peer disconnected handler error");
       }
     }
     this.writeStatusFile();
@@ -1440,7 +2007,7 @@ var Bridge = class {
       try {
         handler(message, peerId);
       } catch (error) {
-        logger2.error({ error: error.message }, "Message received handler error");
+        logger4.error({ error: error.message }, "Message received handler error");
       }
     }
   }
@@ -1449,7 +2016,7 @@ var Bridge = class {
       try {
         handler(context, peerId);
       } catch (error) {
-        logger2.error({ error: error.message }, "Context received handler error");
+        logger4.error({ error: error.message }, "Context received handler error");
       }
     }
   }
@@ -1460,9 +2027,9 @@ var Bridge = class {
    * Clean up all resources
    */
   async cleanup() {
-    logger2.debug("Starting cleanup");
+    logger4.debug("Starting cleanup");
     this.stopAutoSync();
-    logger2.debug("Auto-sync stopped");
+    logger4.debug("Auto-sync stopped");
     const pendingTaskCount = this.pendingTasks.size;
     for (const [taskId, pending] of this.pendingTasks) {
       clearTimeout(pending.timeoutId);
@@ -1470,7 +2037,7 @@ var Bridge = class {
     }
     this.pendingTasks.clear();
     if (pendingTaskCount > 0) {
-      logger2.debug({ count: pendingTaskCount }, "Pending tasks cancelled");
+      logger4.debug({ count: pendingTaskCount }, "Pending tasks cancelled");
     }
     const pendingContextCount = this.pendingContextRequests.size;
     for (const [requestId, pending] of this.pendingContextRequests) {
@@ -1479,20 +2046,20 @@ var Bridge = class {
     }
     this.pendingContextRequests.clear();
     if (pendingContextCount > 0) {
-      logger2.debug({ count: pendingContextCount }, "Pending context requests cancelled");
+      logger4.debug({ count: pendingContextCount }, "Pending context requests cancelled");
     }
     if (this.clientTransport) {
-      logger2.debug("Disconnecting client transport");
+      logger4.debug("Disconnecting client transport");
       try {
         await this.clientTransport.disconnect();
-        logger2.debug("Client transport disconnected");
+        logger4.debug("Client transport disconnected");
       } catch {
       }
       this.clientTransport = null;
     }
     const peerCount = this.peers.size;
     if (peerCount > 0) {
-      logger2.debug({ count: peerCount }, "Closing peer connections");
+      logger4.debug({ count: peerCount }, "Closing peer connections");
     }
     for (const [peerId, peer] of this.peers) {
       if (peer.ws) {
@@ -1507,21 +2074,31 @@ var Bridge = class {
         } catch {
         }
       }
-      logger2.debug({ peerId }, "Peer disconnected");
+      logger4.debug({ peerId }, "Peer disconnected");
     }
     this.peers.clear();
     if (this.server) {
-      logger2.debug("Closing WebSocket server");
+      logger4.debug("Closing WebSocket server");
       await new Promise((resolve) => {
         this.server.close(() => {
           resolve();
         });
       });
       this.server = null;
-      logger2.debug("WebSocket server closed");
+      logger4.debug("WebSocket server closed");
+    }
+    if (this.httpsServer) {
+      logger4.debug("Closing HTTPS server");
+      await new Promise((resolve) => {
+        this.httpsServer.close(() => {
+          resolve();
+        });
+      });
+      this.httpsServer = null;
+      logger4.debug("HTTPS server closed");
     }
     this.removeStatusFile();
-    logger2.debug("Cleanup complete");
+    logger4.debug("Cleanup complete");
   }
   // ============================================================================
   // Status File Management
@@ -1538,8 +2115,8 @@ var Bridge = class {
    */
   ensureBridgeDir() {
     const bridgeDir = path.join(os.homedir(), ".claude-bridge");
-    if (!fs.existsSync(bridgeDir)) {
-      fs.mkdirSync(bridgeDir, { recursive: true });
+    if (!fs2.existsSync(bridgeDir)) {
+      fs2.mkdirSync(bridgeDir, { recursive: true });
     }
   }
   /**
@@ -1560,10 +2137,10 @@ var Bridge = class {
           lastActivity: new Date(p.lastActivity).toISOString()
         }))
       };
-      fs.writeFileSync(statusFile, JSON.stringify(status, null, 2), "utf-8");
-      logger2.debug({ statusFile }, "Status file updated");
+      fs2.writeFileSync(statusFile, JSON.stringify(status, null, 2), "utf-8");
+      logger4.debug({ statusFile }, "Status file updated");
     } catch (error) {
-      logger2.error({ error: error.message }, "Failed to write status file");
+      logger4.error({ error: error.message }, "Failed to write status file");
     }
   }
   /**
@@ -1572,12 +2149,12 @@ var Bridge = class {
   removeStatusFile() {
     try {
       const statusFile = this.getStatusFilePath();
-      if (fs.existsSync(statusFile)) {
-        fs.unlinkSync(statusFile);
-        logger2.debug({ statusFile }, "Status file removed");
+      if (fs2.existsSync(statusFile)) {
+        fs2.unlinkSync(statusFile);
+        logger4.debug({ statusFile }, "Status file removed");
       }
     } catch (error) {
-      logger2.error({ error: error.message }, "Failed to remove status file");
+      logger4.error({ error: error.message }, "Failed to remove status file");
     }
   }
   // ============================================================================
@@ -1610,7 +2187,7 @@ var Bridge = class {
 };
 
 // src/utils/config.ts
-import * as fs2 from "fs";
+import * as fs3 from "fs";
 import * as path2 from "path";
 import * as os2 from "os";
 import { parse as parseYaml } from "yaml";
@@ -1656,10 +2233,10 @@ function mergeConfig(partial) {
 }
 function readConfigFile(filePath) {
   try {
-    if (!fs2.existsSync(filePath)) {
+    if (!fs3.existsSync(filePath)) {
       return null;
     }
-    const content = fs2.readFileSync(filePath, "utf-8");
+    const content = fs3.readFileSync(filePath, "utf-8");
     const parsed = parseYaml(content);
     return parsed;
   } catch {
@@ -1715,7 +2292,7 @@ function loadConfigSync(configPath) {
 
 // src/mcp/tools.ts
 import { z as z2 } from "zod";
-var logger3 = createLogger("mcp:tools");
+var logger5 = createLogger("mcp:tools");
 var ReadFileInputSchema = z2.object({
   path: z2.string().describe("Path to the file to read")
 });
@@ -1798,7 +2375,7 @@ function createToolHandlers(bridge) {
   }
   handlers["bridge_read_file"] = async (args) => {
     const input = ReadFileInputSchema.parse(args);
-    logger3.debug({ path: input.path }, "Reading file");
+    logger5.debug({ path: input.path }, "Reading file");
     try {
       const result = await delegateFileTask(
         "read_file",
@@ -1810,13 +2387,13 @@ function createToolHandlers(bridge) {
       }
       return successResponse(result.data.content);
     } catch (err) {
-      logger3.error({ error: err.message, path: input.path }, "Failed to read file");
+      logger5.error({ error: err.message, path: input.path }, "Failed to read file");
       return errorResponse(err.message);
     }
   };
   handlers["bridge_write_file"] = async (args) => {
     const input = WriteFileInputSchema.parse(args);
-    logger3.debug({ path: input.path, contentLength: input.content.length }, "Writing file");
+    logger5.debug({ path: input.path, contentLength: input.content.length }, "Writing file");
     try {
       const result = await delegateFileTask(
         "write_file",
@@ -1828,13 +2405,13 @@ function createToolHandlers(bridge) {
       }
       return successResponse(`File written successfully: ${input.path} (${result.data.bytesWritten} bytes)`);
     } catch (err) {
-      logger3.error({ error: err.message, path: input.path }, "Failed to write file");
+      logger5.error({ error: err.message, path: input.path }, "Failed to write file");
       return errorResponse(err.message);
     }
   };
   handlers["bridge_delete_file"] = async (args) => {
     const input = DeleteFileInputSchema.parse(args);
-    logger3.debug({ path: input.path }, "Deleting file");
+    logger5.debug({ path: input.path }, "Deleting file");
     try {
       const result = await delegateFileTask(
         "delete_file",
@@ -1846,13 +2423,13 @@ function createToolHandlers(bridge) {
       }
       return successResponse(`File deleted successfully: ${input.path}`);
     } catch (err) {
-      logger3.error({ error: err.message, path: input.path }, "Failed to delete file");
+      logger5.error({ error: err.message, path: input.path }, "Failed to delete file");
       return errorResponse(err.message);
     }
   };
   handlers["bridge_list_directory"] = async (args) => {
     const input = ListDirectoryInputSchema.parse(args);
-    logger3.debug({ path: input.path }, "Listing directory");
+    logger5.debug({ path: input.path }, "Listing directory");
     try {
       const result = await delegateFileTask(
         "list_directory",
@@ -1870,13 +2447,13 @@ function createToolHandlers(bridge) {
       return successResponse(`Contents of ${input.path}:
 ${listing}`);
     } catch (err) {
-      logger3.error({ error: err.message, path: input.path }, "Failed to list directory");
+      logger5.error({ error: err.message, path: input.path }, "Failed to list directory");
       return errorResponse(err.message);
     }
   };
   handlers["bridge_delegate_task"] = async (args) => {
     const input = DelegateTaskInputSchema.parse(args);
-    logger3.debug({ description: input.description, scope: input.scope }, "Delegating task");
+    logger5.debug({ description: input.description, scope: input.scope }, "Delegating task");
     try {
       const taskId = `mcp-${Date.now()}-${Math.random().toString(36).substring(2, 9)}`;
       const result = await bridge.delegateTask({
@@ -1890,13 +2467,13 @@ ${listing}`);
       }
       return successResponse(JSON.stringify(result.data, null, 2));
     } catch (err) {
-      logger3.error({ error: err.message }, "Failed to delegate task");
+      logger5.error({ error: err.message }, "Failed to delegate task");
       return errorResponse(err.message);
     }
   };
   handlers["bridge_request_context"] = async (args) => {
     const input = RequestContextInputSchema.parse(args);
-    logger3.debug({ query: input.query }, "Requesting context");
+    logger5.debug({ query: input.query }, "Requesting context");
     try {
       const files = await bridge.requestContext(input.query);
       if (files.length === 0) {
@@ -1912,12 +2489,12 @@ ${content}`;
 
 ${fileResults}`);
     } catch (err) {
-      logger3.error({ error: err.message }, "Failed to request context");
+      logger5.error({ error: err.message }, "Failed to request context");
       return errorResponse(err.message);
     }
   };
   handlers["bridge_status"] = async () => {
-    logger3.debug("Getting bridge status");
+    logger5.debug("Getting bridge status");
     const peers = bridge.getPeers();
     const peerCount = bridge.getPeerCount();
     const isStarted = bridge.isStarted();
@@ -1992,7 +2569,7 @@ import {
   CallToolRequestSchema,
   ListToolsRequestSchema
 } from "@modelcontextprotocol/sdk/types.js";
-var logger4 = createLogger("mcp:server");
+var logger6 = createLogger("mcp:server");
 var BridgeMcpServer = class {
   server;
   bridge;
@@ -2015,7 +2592,9 @@ var BridgeMcpServer = class {
       mode: "client",
       instanceName: config.instanceName ?? `mcp-server-${process.pid}`,
       connect: {
-        url: config.bridgeUrl
+        url: config.bridgeUrl,
+        tls: config.tls,
+        auth: config.auth
       },
       taskTimeout: config.taskTimeout ?? 6e4
     };
@@ -2027,7 +2606,7 @@ var BridgeMcpServer = class {
    */
   registerHandlers() {
     this.server.setRequestHandler(ListToolsRequestSchema, async () => {
-      logger4.debug("Listing tools");
+      logger6.debug("Listing tools");
       return {
         tools: TOOL_DEFINITIONS.map((tool) => ({
           name: tool.name,
@@ -2038,13 +2617,13 @@ var BridgeMcpServer = class {
     });
     this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
       const { name, arguments: args } = request.params;
-      logger4.debug({ tool: name }, "Tool call received");
+      logger6.debug({ tool: name }, "Tool call received");
       if (!this.toolHandlers) {
         this.toolHandlers = createToolHandlers(this.bridge);
       }
       const handler = this.toolHandlers[name];
       if (!handler) {
-        logger4.warn({ tool: name }, "Unknown tool requested");
+        logger6.warn({ tool: name }, "Unknown tool requested");
         return {
           content: [{ type: "text", text: `Unknown tool: ${name}` }],
           isError: true
@@ -2052,13 +2631,13 @@ var BridgeMcpServer = class {
       }
       try {
         const result = await handler(args ?? {});
-        logger4.debug({ tool: name, isError: result.isError }, "Tool call completed");
+        logger6.debug({ tool: name, isError: result.isError }, "Tool call completed");
         return {
           content: result.content,
           isError: result.isError
         };
       } catch (err) {
-        logger4.error({ tool: name, error: err.message }, "Tool call failed");
+        logger6.error({ tool: name, error: err.message }, "Tool call failed");
         return {
           content: [{ type: "text", text: `Error: ${err.message}` }],
           isError: true
@@ -2080,7 +2659,7 @@ var BridgeMcpServer = class {
       const transport = new StdioServerTransport();
       await this.server.connect(transport);
       console.error("[MCP] MCP server started and listening on stdio");
-      logger4.info("MCP server started");
+      logger6.info("MCP server started");
     } catch (err) {
       console.error(`[MCP] Failed to start: ${err.message}`);
       throw err;
@@ -2095,7 +2674,7 @@ var BridgeMcpServer = class {
       await this.bridge.stop();
       await this.server.close();
       console.error("[MCP] MCP server stopped");
-      logger4.info("MCP server stopped");
+      logger6.info("MCP server stopped");
     } catch (err) {
       console.error(`[MCP] Error during shutdown: ${err.message}`);
     }
@@ -2131,7 +2710,19 @@ export {
   deserializeMessage,
   safeDeserializeMessage,
   ConnectionState,
+  loadCertificates,
+  loadCertificatesSync,
+  validateTLSConfig,
+  isTLSEnabled,
+  createSecureContextOptions,
   WebSocketTransport,
+  validateIp,
+  validateToken,
+  validatePassword,
+  extractCredentials,
+  Authenticator,
+  createAuthConfigFromOptions,
+  validateAuthConfig,
   createContextSyncMessage,
   createTaskDelegateMessage,
   createTaskResponseMessage,
@@ -2147,4 +2738,4 @@ export {
   BridgeMcpServer,
   startMcpServer
 };
-//# sourceMappingURL=chunk-XOAR3DQB.js.map
+//# sourceMappingURL=chunk-2O352EPO.js.map