ai-or-die 0.1.53 → 0.1.59

package/bin/ai-or-die.js

@@ -23,7 +23,7 @@ program
   .option('--no-open', 'do not automatically open browser')
   .option('--auth <token>', 'authentication token for secure access')
   .option('--disable-auth', 'disable authentication (not recommended for production)')
-  .option('--https', 'enable HTTPS (requires cert files)')
+  .option('--https', 'enable HTTPS (auto-generates self-signed cert if --cert/--key not provided)')
   .option('--cert <path>', 'path to SSL certificate file')
   .option('--key <path>', 'path to SSL private key file')
   .option('--dev', 'development mode with additional logging')
@@ -125,6 +125,12 @@ async function main() {
       console.log(`   Auth token: \x1b[1m\x1b[33m${authToken}\x1b[0m`);
     }
 
+    // Warn if STT is enabled without HTTPS or tunnel
+    if ((serverOptions.stt || serverOptions.sttEndpoint) && !options.https && !options.tunnel) {
+      console.log('\n\x1b[33m⚠  STT enabled over plain HTTP \u2014 microphone only works on localhost.\x1b[0m');
+      console.log('   For LAN access, restart with \x1b[1m--https\x1b[0m or \x1b[1m--tunnel\x1b[0m.');
+    }
+
     // Dev tunnel or browser open
     let tunnel = null;
     if (options.tunnel) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-or-die",
-  "version": "0.1.53",
+  "version": "0.1.59",
   "description": "Universal AI coding terminal — Claude, Copilot, Gemini & more in your browser",
   "main": "src/server.js",
   "bin": {
@@ -39,6 +39,7 @@
     "cors": "^2.8.5",
     "express": "^4.19.2",
     "open": "^10.1.0",
+    "selfsigned": "^2.4.1",
     "sherpa-onnx-node": "^1.12.24",
     "uuid": "^10.0.0",
     "ws": "^8.18.0"

package/src/public/app.js

@@ -1061,6 +1061,15 @@ class ClaudeCodeWebInterface {
         const btn = document.getElementById('voiceInputBtn');
         if (!btn) return;
 
+        // Microphone APIs require a secure context (HTTPS or localhost)
+        if (typeof window !== 'undefined' && !window.isSecureContext) {
+            btn.style.display = '';
+            btn.disabled = true;
+            btn.title = 'Microphone unavailable \u2014 this page must be served over HTTPS';
+            btn.setAttribute('aria-disabled', 'true');
+            return;
+        }
+
         // Determine mode: prefer local if ready, fall back to cloud
         const localReady = voiceCfg.localStatus === 'ready';
         const cloudAvailable = typeof window !== 'undefined' &&
@@ -1180,7 +1189,9 @@ class ClaudeCodeWebInterface {
                 }
                 // Show error toast (reuse existing toast pattern)
                 var toastMsg = errorMessage;
-                if (errorMessage.indexOf('not-allowed') !== -1 || errorMessage.indexOf('Permission') !== -1 || errorMessage.indexOf('permission') !== -1) {
+                if (errorMessage.indexOf('HTTPS') !== -1 || errorMessage.indexOf('secure connection') !== -1 || errorMessage.indexOf('Secure context') !== -1) {
+                    toastMsg = 'Microphone requires HTTPS. Restart server with --https or --tunnel.';
+                } else if (errorMessage.indexOf('not-allowed') !== -1 || errorMessage.indexOf('Permission') !== -1 || errorMessage.indexOf('permission') !== -1) {
                     toastMsg = errorMessage + '. Check browser permissions';
                 }
                 if (window.feedback) {
@@ -1371,6 +1382,15 @@ class ClaudeCodeWebInterface {
                 if (message.voiceInput) {
                     this.voiceInputConfig = message.voiceInput;
                 }
+                // On insecure context, keep button disabled regardless of backend status
+                if (typeof window !== 'undefined' && !window.isSecureContext) {
+                    if (btn) {
+                        btn.style.display = '';
+                        btn.disabled = true;
+                        btn.title = 'Microphone unavailable \u2014 this page must be served over HTTPS';
+                    }
+                    break;
+                }
                 var localReady = this.voiceInputConfig && this.voiceInputConfig.localStatus === 'ready';
                 var cloudAvailable = typeof window !== 'undefined' &&
                     !!(window.SpeechRecognition || window.webkitSpeechRecognition);

package/src/public/voice-handler.js

@@ -22,6 +22,16 @@ var MAX_RECORDING_SECONDS = 120;
 var MIN_RECORDING_SECONDS = 0.5;
 var PUSH_TO_TALK_THRESHOLD_MS = 300;
 var TARGET_SAMPLE_RATE = 16000;
+
+/**
+ * Whether the page is in a secure context (HTTPS, localhost, file://).
+ * Required for getUserMedia, AudioWorklet, and SpeechRecognition.
+ * @returns {boolean}
+ */
+function isSecureContext() {
+  if (typeof window === 'undefined') return false;
+  return !!window.isSecureContext;
+}
 // ---------------------------------------------------------------------------
 // Utility: Float32 → Int16 conversion
 // ---------------------------------------------------------------------------
@@ -97,11 +107,13 @@ function SpeechRecognitionRecorder() {
 
 /**
  * Whether the SpeechRecognition API is available in this browser.
+ * Requires a secure context (HTTPS or localhost) for microphone access.
  * @returns {boolean}
  */
 SpeechRecognitionRecorder.isSupported = function () {
-  return !!(typeof window !== 'undefined' &&
-    (window.SpeechRecognition || window.webkitSpeechRecognition));
+  if (typeof window === 'undefined') return false;
+  if (!window.isSecureContext) return false;
+  return !!(window.SpeechRecognition || window.webkitSpeechRecognition);
 };
 
 /**
@@ -287,6 +299,20 @@ LocalVoiceRecorder.prototype.start = function () {
     return Promise.reject(new Error('Already recording'));
   }
 
+  // Secure context required for getUserMedia (HTTPS or localhost)
+  if (typeof window !== 'undefined' && !window.isSecureContext) {
+    return Promise.reject(new Error(
+      'Microphone requires a secure connection (HTTPS). ' +
+      'Restart the server with --https or --tunnel for LAN access.'
+    ));
+  }
+  if (!navigator.mediaDevices || !navigator.mediaDevices.getUserMedia) {
+    return Promise.reject(new Error(
+      'Microphone access is not available. ' +
+      'This page must be served over HTTPS or accessed via localhost.'
+    ));
+  }
+
   return navigator.mediaDevices.getUserMedia({
     audio: {
       echoCancellation: true,
@@ -842,6 +868,7 @@ var voiceHandlerExports = {
   // Utilities
   float32ToInt16: float32ToInt16,
   resample: resample,
+  isSecureContext: isSecureContext,
 
   // Recorders
   SpeechRecognitionRecorder: SpeechRecognitionRecorder,

package/src/server.js

@@ -1339,12 +1339,25 @@ class ClaudeCodeWebServer {
     let server;
 
     if (this.useHttps) {
-      if (!this.certFile || !this.keyFile) {
-        throw new Error('HTTPS requires both --cert and --key options');
+      let cert, key;
+      if (this.certFile && this.keyFile) {
+        // User-provided certs
+        cert = fs.readFileSync(this.certFile);
+        key = fs.readFileSync(this.keyFile);
+      } else {
+        // Auto-generate self-signed cert for LAN use
+        const { ensureCert } = require('./utils/self-signed-cert');
+        const certInfo = ensureCert();
+        cert = certInfo.cert;
+        key = certInfo.key;
+        const action = certInfo.generated ? 'Generated' : 'Using cached';
+        console.log(`\n[HTTPS] ${action} self-signed certificate`);
+        if (certInfo.ips.length > 0) {
+          console.log(`        Covers: localhost, ${certInfo.ips.join(', ')}`);
+        }
+        console.log(`        Cached at: ${certInfo.certPath}`);
+        console.log('        Browsers will show a security warning on first visit.');
       }
-      
-      const cert = fs.readFileSync(this.certFile);
-      const key = fs.readFileSync(this.keyFile);
       server = https.createServer({ cert, key }, this.app);
     } else {
       server = http.createServer(this.app);
@@ -1400,7 +1413,8 @@ class ClaudeCodeWebServer {
       id: wsId,
       ws,
       claudeSessionId: null,
-      created: new Date()
+      created: new Date(),
+      secure: !!req.connection.encrypted
     };
     this.webSocketConnections.set(wsId, wsInfo);
 
@@ -1995,6 +2009,16 @@ class ClaudeCodeWebServer {
     }
   }
 
+  _isLocalhostConnection(ws) {
+    try {
+      const addr = ws._socket && ws._socket.remoteAddress;
+      if (!addr) return false;
+      return addr === '127.0.0.1' || addr === '::1' || addr === '::ffff:127.0.0.1';
+    } catch (_) {
+      return false;
+    }
+  }
+
   broadcastToSession(claudeSessionId, data) {
     const session = this.claudeSessions.get(claudeSessionId);
     if (!session) return;
@@ -2472,6 +2496,15 @@ class ClaudeCodeWebServer {
     const wsInfo = this.webSocketConnections.get(wsId);
     if (!wsInfo) return;
 
+    // Reject voice uploads over HTTP from non-localhost origins (defense-in-depth)
+    if (!wsInfo.secure && !this._isLocalhostConnection(wsInfo.ws)) {
+      this.sendToWebSocket(wsInfo.ws, {
+        type: 'voice_transcription_error',
+        message: 'Voice input requires a secure connection (HTTPS). Restart with --https or --tunnel.'
+      });
+      return;
+    }
+
     if (!wsInfo.claudeSessionId) {
       this.sendToWebSocket(wsInfo.ws, {
         type: 'voice_transcription_error',

package/src/utils/self-signed-cert.js

@@ -0,0 +1,126 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const CERT_DIR = path.join(os.homedir(), '.ai-or-die', 'certs');
+const CERT_PATH = path.join(CERT_DIR, 'server.cert');
+const KEY_PATH = path.join(CERT_DIR, 'server.key');
+const META_PATH = path.join(CERT_DIR, 'cert-meta.json');
+const CERT_DAYS = 365;
+
+/**
+ * Get all non-internal IPv4 addresses from network interfaces.
+ * @returns {string[]}
+ */
+function getLocalIPs() {
+  const interfaces = os.networkInterfaces();
+  const ips = [];
+  for (const name of Object.keys(interfaces)) {
+    for (const iface of interfaces[name]) {
+      if (!iface.internal && iface.family === 'IPv4') {
+        ips.push(iface.address);
+      }
+    }
+  }
+  return ips;
+}
+
+/**
+ * Check if the cached certificate covers the current LAN IPs and is not expired.
+ * @returns {{ valid: boolean, reason?: string }}
+ */
+function validateCachedCert() {
+  if (!fs.existsSync(CERT_PATH) || !fs.existsSync(KEY_PATH) || !fs.existsSync(META_PATH)) {
+    return { valid: false, reason: 'missing' };
+  }
+
+  try {
+    const meta = JSON.parse(fs.readFileSync(META_PATH, 'utf8'));
+
+    // Check expiry
+    const expiresAt = new Date(meta.expiresAt);
+    if (expiresAt <= new Date()) {
+      return { valid: false, reason: 'expired' };
+    }
+
+    // Check if current LAN IPs match what was in the cert
+    const currentIPs = getLocalIPs().sort();
+    const certIPs = (meta.lanIPs || []).sort();
+    if (JSON.stringify(currentIPs) !== JSON.stringify(certIPs)) {
+      return { valid: false, reason: 'ip-changed' };
+    }
+
+    return { valid: true };
+  } catch (_) {
+    return { valid: false, reason: 'corrupt' };
+  }
+}
+
+/**
+ * Generate a self-signed certificate with SANs for localhost and LAN IPs.
+ * Caches the result at ~/.ai-or-die/certs/ for reuse.
+ *
+ * @returns {{ cert: string, key: string, ips: string[] }}
+ */
+function generateCert() {
+  const selfsigned = require('selfsigned');
+  const ips = getLocalIPs();
+
+  const altNames = [
+    { type: 2, value: 'localhost' },
+    { type: 7, ip: '127.0.0.1' },
+    { type: 7, ip: '::1' },
+    ...ips.map(ip => ({ type: 7, ip })),
+  ];
+
+  const attrs = [{ name: 'commonName', value: 'ai-or-die' }];
+  const pems = selfsigned.generate(attrs, {
+    keySize: 2048,
+    days: CERT_DAYS,
+    algorithm: 'sha256',
+    extensions: [
+      { name: 'subjectAltName', altNames },
+    ],
+  });
+
+  // Ensure cert directory with restricted permissions
+  fs.mkdirSync(CERT_DIR, { recursive: true, mode: 0o700 });
+
+  // Write cert and key with restricted permissions
+  fs.writeFileSync(CERT_PATH, pems.cert, { mode: 0o644 });
+  fs.writeFileSync(KEY_PATH, pems.private, { mode: 0o600 });
+
+  // Write metadata for cache validation
+  const meta = {
+    createdAt: new Date().toISOString(),
+    expiresAt: new Date(Date.now() + CERT_DAYS * 24 * 60 * 60 * 1000).toISOString(),
+    lanIPs: ips,
+  };
+  fs.writeFileSync(META_PATH, JSON.stringify(meta, null, 2), { mode: 0o644 });
+
+  return { cert: pems.cert, key: pems.private, ips };
+}
+
+/**
+ * Ensure a valid self-signed certificate exists, generating one if needed.
+ * Returns the cert and key as strings.
+ *
+ * @returns {{ cert: string, key: string, certPath: string, ips: string[], generated: boolean }}
+ */
+function ensureCert() {
+  const validation = validateCachedCert();
+
+  if (validation.valid) {
+    const cert = fs.readFileSync(CERT_PATH, 'utf8');
+    const key = fs.readFileSync(KEY_PATH, 'utf8');
+    const meta = JSON.parse(fs.readFileSync(META_PATH, 'utf8'));
+    return { cert, key, certPath: CERT_PATH, ips: meta.lanIPs || [], generated: false };
+  }
+
+  const { cert, key, ips } = generateCert();
+  return { cert, key, certPath: CERT_PATH, ips, generated: true };
+}
+
+module.exports = { ensureCert, getLocalIPs, CERT_DIR };