clay-server 2.16.0 → 2.17.0-beta.10

package/README.md

@@ -8,7 +8,7 @@
 
 [![npm version](https://img.shields.io/npm/v/clay-server)](https://www.npmjs.com/package/clay-server) [![npm downloads](https://img.shields.io/npm/dw/clay-server)](https://www.npmjs.com/package/clay-server) [![GitHub stars](https://img.shields.io/github/stars/chadbyte/clay)](https://github.com/chadbyte/clay) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://github.com/chadbyte/clay/blob/main/LICENSE)
 
-Clay gives Claude Code a browser UI that runs on any device. Use it from your phone, run it on macOS, Windows, or Linux. Invite teammates, manage multiple projects from one sidebar, and get push notifications when Claude needs you. Built on the official Claude Agent SDK, not a terminal parser. Your machine is the server. No cloud relay in between, no extra network surface.
+Clay gives Claude Code a browser UI that runs on any device. Use it from your phone, run it on macOS, Windows, or Linux. Invite teammates, manage multiple projects from one sidebar, and get push notifications when Claude needs you. HTTPS and push notifications work out of the box with zero config. Built on the official Claude Agent SDK, not a terminal parser. Your machine is the server. No cloud relay in between, no extra network surface.
 
 ---
 
@@ -98,7 +98,7 @@ Take it further with Ralph Loop, an autonomous coding loop built into Clay. The
 
 Your data flows directly from your machine to the Anthropic API, exactly as it does when you use the CLI. Clay adds a browser layer on top, not a middleman.
 
-PIN authentication, per-project/session permissions, and HTTPS are supported by default. For local network use, this is sufficient. For remote access, we recommend a VPN like Tailscale.
+HTTPS is enabled by default with a builtin certificate. PIN authentication and per-project/session permissions are built in. For local network use, this is sufficient. For remote access, we recommend a VPN like Tailscale.
 
 ---
 
@@ -166,20 +166,32 @@ Yes. Create as many as you need. A code reviewer, a writing partner, a project m
 
 ---
 
-## HTTPS for Push
+## HTTPS
 
-Everything works out of the box. Only push notifications require HTTPS.
+HTTPS is enabled by default using a builtin wildcard certificate for `*.d.clay.studio`. No setup required. Available from `v2.17.0-beta.2`. Your browser connects to a URL like:
 
-Set it up once with [mkcert](https://github.com/FiloSottile/mkcert):
+```
+https://192-168-1-50.d.clay.studio:2633
+```
+
+The domain resolves to your local IP. All traffic stays on your network. See [clay-dns](clay-dns/) for details on how this works.
+
+Push notifications require HTTPS, so they work out of the box with this setup. Install Clay as a PWA on your device to receive them.
+
+<details>
+<summary><strong>Alternative: local certificate with mkcert</strong></summary>
+
+If you prefer to use a locally generated certificate (e.g. air-gapped environments where DNS is unavailable):
 
 ```bash
 brew install mkcert
 mkcert -install
+npx clay-server --local-cert
 ```
 
-Certificates are auto-generated. The setup wizard handles the rest.
+This generates a self-signed certificate trusted by your machine. The setup wizard will guide you through installing the CA on other devices.
 
-If push registration fails: check that your browser trusts the HTTPS certificate and that your phone can reach the server address.
+</details>
 
 ---
 
@@ -192,6 +204,7 @@ npx clay-server --yes        # Skip interactive prompts (use defaults)
 npx clay-server -y --pin 123456
                               # Non-interactive + PIN (for scripts/CI)
 npx clay-server --no-https   # Disable HTTPS
+npx clay-server --local-cert # Use local certificate (mkcert) instead of builtin
 npx clay-server --no-update  # Skip update check
 npx clay-server --debug      # Enable debug panel
 npx clay-server --add .      # Add current directory to running daemon

package/bin/cli.js

@@ -52,6 +52,8 @@ function openUrl(url) {
 var args = process.argv.slice(2);
 var port = _isDev ? 2635 : 2633;
 var useHttps = true;
+var forceMkcert = false;
+var forceBuiltin = false;
 var skipUpdate = false;
 var debugMode = false;
 var autoYes = false;
@@ -81,6 +83,10 @@ for (var i = 0; i < args.length; i++) {
     i++;
   } else if (args[i] === "--no-https") {
     useHttps = false;
+  } else if (args[i] === "--local-cert") {
+    forceMkcert = true;
+  } else if (args[i] === "--builtin-cert") {
+    forceBuiltin = true;
   } else if (args[i] === "--no-update" || args[i] === "--skip-update") {
     skipUpdate = true;
   } else if (args[i] === "--dev") {
@@ -124,7 +130,9 @@ for (var i = 0; i < args.length; i++) {
     console.log("Options:");
     console.log("  -p, --port <port>  Port to listen on (default: 2633)");
     console.log("  --host <address>   Address to bind to (default: 0.0.0.0)");
-    console.log("  --no-https         Disable HTTPS (enabled by default via mkcert)");
+    console.log("  --no-https         Disable HTTPS (enabled by default)");
+    console.log("  --local-cert       Use local certificate (mkcert), suppress migration notice");
+    console.log("  --builtin-cert    Use builtin certificate even if mkcert is installed");
     console.log("  --no-update        Skip auto-update check on startup");
     console.log("  --debug            Enable debug panel in the web UI");
     console.log("  -y, --yes          Skip interactive prompts (accept defaults)");
@@ -564,7 +572,44 @@ function getAllIPs() {
   return ips;
 }
 
+function getBuiltinCert() {
+  try {
+    var certDir = path.join(__dirname, "..", "lib", "certs");
+    var keyPath = path.join(certDir, "privkey.pem");
+    var certPath = path.join(certDir, "fullchain.pem");
+    if (!fs.existsSync(keyPath) || !fs.existsSync(certPath)) return null;
+
+    // Check expiry
+    var certText = execFileSync("openssl", [
+      "x509", "-in", certPath, "-noout", "-enddate"
+    ], { encoding: "utf8" });
+    var m = certText.match(/notAfter=(.+)/);
+    if (m) {
+      var expiry = new Date(m[1]);
+      var now = new Date();
+      // Skip if expiring within 7 days
+      if (expiry.getTime() - now.getTime() < 7 * 24 * 60 * 60 * 1000) return null;
+    }
+
+    return { key: keyPath, cert: certPath, caRoot: null, builtin: true };
+  } catch (e) {
+    return null;
+  }
+}
+
+function toClayStudioUrl(ip, port, protocol) {
+  var dashed = ip.replace(/\./g, "-");
+  return protocol + "://" + dashed + ".d.clay.studio:" + port;
+}
+
 function ensureCerts(ip) {
+  // --builtin-cert: skip mkcert entirely, go straight to builtin
+  if (forceBuiltin) {
+    var builtin = getBuiltinCert();
+    if (builtin) return builtin;
+    return null;
+  }
+
   var homeDir = os.homedir();
   var certDir = path.join(process.env.CLAY_HOME || path.join(homeDir, ".clay"), "certs");
   var keyPath = path.join(certDir, "key.pem");
@@ -579,24 +624,30 @@ function ensureCerts(ip) {
     fs.copyFileSync(legacyCert, certPath);
   }
 
+  var mkcertInstalled = hasMkcert();
+
   var caRoot = null;
-  try {
-    caRoot = path.join(
-      execSync("mkcert -CAROOT", { encoding: "utf8" }).trim(),
-      "rootCA.pem"
-    );
-    if (!fs.existsSync(caRoot)) caRoot = null;
-  } catch (e) {}
+  if (mkcertInstalled) {
+    try {
+      caRoot = path.join(
+        execSync("mkcert -CAROOT", { encoding: "utf8" }).trim(),
+        "rootCA.pem"
+      );
+      if (!fs.existsSync(caRoot)) caRoot = null;
+    } catch (e) {}
+  }
 
   // Collect all IPv4 addresses (Tailscale + LAN)
   var allIPs = getAllIPs();
 
   if (fs.existsSync(keyPath) && fs.existsSync(certPath)) {
     var needRegen = false;
+    var isMkcertCert = false;
     try {
       var certText = execFileSync("openssl", ["x509", "-in", certPath, "-text", "-noout"], { encoding: "utf8" });
       // If cert is from an external CA (e.g. Tailscale/Let's Encrypt), never regenerate
       if (certText.indexOf("mkcert") === -1) return { key: keyPath, cert: certPath, caRoot: caRoot };
+      isMkcertCert = true;
       for (var i = 0; i < allIPs.length; i++) {
         if (certText.indexOf(allIPs[i]) === -1) {
           needRegen = true;
@@ -604,24 +655,41 @@ function ensureCerts(ip) {
         }
       }
     } catch (e) { needRegen = true; }
-    if (!needRegen) return { key: keyPath, cert: certPath, caRoot: caRoot };
+    // mkcert cert but mkcert uninstalled: CA is gone, cert is untrusted. Skip it.
+    if (isMkcertCert && !mkcertInstalled) needRegen = true;
+    if (!needRegen) {
+      return { key: keyPath, cert: certPath, caRoot: caRoot, mkcertDetected: mkcertInstalled && !forceMkcert };
+    }
   }
 
-  fs.mkdirSync(certDir, { recursive: true });
+  // mkcert installed: generate local cert (legacy behavior)
+  if (mkcertInstalled) {
+    fs.mkdirSync(certDir, { recursive: true });
+
+    var domains = ["localhost", "127.0.0.1", "::1"];
+    for (var i = 0; i < allIPs.length; i++) {
+      if (domains.indexOf(allIPs[i]) === -1) domains.push(allIPs[i]);
+    }
+
+    try {
+      var mkcertArgs = ["-key-file", keyPath, "-cert-file", certPath].concat(domains);
+      execFileSync("mkcert", mkcertArgs, { stdio: "pipe" });
+    } catch (err) {
+      // mkcert generation failed, fall through to builtin
+    }
 
-  var domains = ["localhost", "127.0.0.1", "::1"];
-  for (var i = 0; i < allIPs.length; i++) {
-    if (domains.indexOf(allIPs[i]) === -1) domains.push(allIPs[i]);
+    if (fs.existsSync(keyPath) && fs.existsSync(certPath)) {
+      return { key: keyPath, cert: certPath, caRoot: caRoot, mkcertDetected: !forceMkcert };
+    }
   }
 
-  try {
-    var mkcertArgs = ["-key-file", keyPath, "-cert-file", certPath].concat(domains);
-    execFileSync("mkcert", mkcertArgs, { stdio: "pipe" });
-  } catch (err) {
-    return null;
+  // Fallback: builtin cert (unless --local-cert forces mkcert-only)
+  if (!forceMkcert) {
+    var builtin = getBuiltinCert();
+    if (builtin) return builtin;
   }
 
-  return { key: keyPath, cert: certPath, caRoot: caRoot };
+  return null;
 }
 
 // --- Logo ---
@@ -1395,11 +1463,15 @@ function setup(callback) {
 async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
   var ip = getLocalIP();
   var hasTls = false;
+  var hasBuiltinCert = false;
+  var mkcertDetected = false;
 
   if (useHttps) {
     var certPaths = ensureCerts(ip);
     if (certPaths) {
       hasTls = true;
+      if (certPaths.builtin) hasBuiltinCert = true;
+      if (certPaths.mkcertDetected) mkcertDetected = true;
     } else {
       log(sym.warn + "  " + a.yellow + "HTTPS unavailable" + a.reset + a.dim + " · mkcert not installed" + a.reset);
     }
@@ -1473,6 +1545,8 @@ async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
     host: host,
     pinHash: mode === "multi" && cliPin ? generateAuthToken(cliPin) : null,
     tls: hasTls,
+    builtinCert: hasBuiltinCert,
+    mkcertDetected: mkcertDetected,
     debug: debugMode,
     keepAwake: keepAwake,
     dangerouslySkipPermissions: dangerouslySkipPermissions,
@@ -1547,9 +1621,13 @@ async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
   // Headless mode — print status and exit immediately
   if (headlessMode) {
     var protocol = config.tls ? "https" : "http";
-    var url = protocol + "://" + ip + ":" + config.port;
+    var url = config.builtinCert
+      ? toClayStudioUrl(ip, config.port, protocol)
+      : protocol + "://" + ip + ":" + config.port;
     console.log("  " + sym.done + "  Daemon started (PID " + config.pid + ")");
     console.log("  " + sym.done + "  " + url);
+    if (config.builtinCert) console.log("  " + sym.done + "  d.clay.studio provides HTTPS certificates only. Your traffic never leaves your network.");
+    if (config.mkcertDetected) console.log("  " + sym.warn + "  Clay now ships with a builtin HTTPS certificate. To use it, pass --builtin-cert or uninstall mkcert.");
     console.log("  " + sym.done + "  Headless mode — exiting CLI");
     process.exit(0);
     return;
@@ -1565,10 +1643,16 @@ async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
 async function devMode(mode, keepAwake, existingPinHash) {
   var ip = getLocalIP();
   var hasTls = false;
+  var hasBuiltinCert = false;
+  var mkcertDetected = false;
 
   if (useHttps) {
     var certPaths = ensureCerts(ip);
-    if (certPaths) hasTls = true;
+    if (certPaths) {
+      hasTls = true;
+      if (certPaths.builtin) hasBuiltinCert = true;
+      if (certPaths.mkcertDetected) mkcertDetected = true;
+    }
   }
 
   var portFree = await isPortFree(port);
@@ -1630,6 +1714,8 @@ async function devMode(mode, keepAwake, existingPinHash) {
     host: host,
     pinHash: existingPinHash || null,
     tls: hasTls,
+    builtinCert: hasBuiltinCert,
+    mkcertDetected: mkcertDetected,
     debug: true,
     keepAwake: keepAwake || false,
     dangerouslySkipPermissions: dangerouslySkipPermissions,
@@ -1778,6 +1864,8 @@ async function restartDaemonWithTLS(config, callback) {
     callback(config);
     return;
   }
+  var hasBuiltinCert = !!(certPaths && certPaths.builtin);
+  var mkcertDetected = !!(certPaths && certPaths.mkcertDetected);
 
   // Shut down old daemon
   stopDaemonWatcher();
@@ -1801,6 +1889,8 @@ async function restartDaemonWithTLS(config, callback) {
     port: config.port,
     pinHash: config.pinHash || null,
     tls: true,
+    builtinCert: hasBuiltinCert,
+    mkcertDetected: mkcertDetected,
     debug: config.debug || false,
     keepAwake: config.keepAwake || false,
     dangerouslySkipPermissions: config.dangerouslySkipPermissions || false,
@@ -1879,7 +1969,9 @@ function showServerStarted(config, ip) {
 function showMainMenu(config, ip) {
   startDaemonWatcher();
   var protocol = config.tls ? "https" : "http";
-  var url = protocol + "://" + ip + ":" + config.port;
+  var url = config.builtinCert
+    ? toClayStudioUrl(ip, config.port, protocol)
+    : protocol + "://" + ip + ":" + config.port;
 
   sendIPCCommand(socketPath(), { cmd: "get_status" }).then(function (status) {
     var projs = (status && status.projects) || [];
@@ -1897,6 +1989,7 @@ function showMainMenu(config, ip) {
     function afterQr() {
       // Status line
       log("  " + a.dim + "clay" + a.reset + " " + a.dim + "v" + currentVersion + a.reset + a.dim + " — " + url + a.reset);
+      if (config.builtinCert) log("  " + a.dim + "d.clay.studio provides HTTPS certificates only. Your traffic never leaves your network." + a.reset);
       var parts = [];
       parts.push(a.bold + projs.length + a.reset + a.dim + (projs.length === 1 ? " project" : " projects"));
       parts.push(a.reset + a.bold + totalSessions + a.reset + a.dim + (totalSessions === 1 ? " session" : " sessions"));
@@ -1907,6 +2000,13 @@ function showMainMenu(config, ip) {
       log("  Press " + a.bold + "o" + a.reset + " to open in browser");
       log("");
 
+      if (config.mkcertDetected) {
+        log("  " + sym.warn + "  " + a.yellow + "Clay now ships with a builtin HTTPS certificate." + a.reset);
+        log("     " + a.dim + "No more CA setup on each device." + a.reset);
+        log("     " + a.dim + "To use it, pass --builtin-cert or uninstall mkcert." + a.reset);
+        log("");
+      }
+
       showMenuItems();
     }
 
@@ -1925,7 +2025,6 @@ function showMainMenu(config, ip) {
     function showMenuItems() {
       var items = [
         { label: "Setup notifications", value: "notifications" },
-        { label: "Projects", value: "projects" },
         { label: "Settings", value: "settings" },
         { label: "Shut down server", value: "shutdown" },
         { label: "Keep server alive & exit", value: "exit" },
@@ -1940,10 +2039,6 @@ function showMainMenu(config, ip) {
             });
             break;
 
-          case "projects":
-            showProjectsMenu(config, ip);
-            break;
-
           case "settings":
             showSettingsMenu(config, ip);
             break;
@@ -1981,9 +2076,8 @@ function showMainMenu(config, ip) {
         }
       }, {
         hint: [
-          "claude-relay has been renamed to clay-server  ·  npx clay-server",
           "Run npx clay-server in other directories to add more projects.",
-          "★ github.com/chadbyte/claude-relay — Press s to star the repo",
+          "★ github.com/chadbyte/clay — Press s to star the repo",
         ],
         keys: [
           { key: "o", onKey: function () {
@@ -1991,7 +2085,7 @@ function showMainMenu(config, ip) {
             showMainMenu(config, ip);
           }},
           { key: "s", onKey: function () {
-            openUrl("https://github.com/chadbyte/claude-relay");
+            openUrl("https://github.com/chadbyte/clay");
             showMainMenu(config, ip);
           }},
         ],
@@ -2000,203 +2094,6 @@ function showMainMenu(config, ip) {
   });
 }
 
-// ==============================
-// Projects sub-menu
-// ==============================
-function showProjectsMenu(config, ip) {
-  sendIPCCommand(socketPath(), { cmd: "get_status" }).then(function (status) {
-    if (!status.ok) {
-      log(a.red + "Failed to get status" + a.reset);
-      showMainMenu(config, ip);
-      return;
-    }
-
-    console.clear();
-    printLogo();
-    log("");
-    log(sym.pointer + "  " + a.bold + "Projects" + a.reset);
-    log(sym.bar);
-
-    var projs = status.projects || [];
-    for (var i = 0; i < projs.length; i++) {
-      var p = projs[i];
-      var statusIcon = p.isProcessing ? "⚡" : (p.clients > 0 ? "🟢" : "⏸");
-      var sessionLabel = p.sessions === 1 ? "1 session" : p.sessions + " sessions";
-      var projName = p.title || p.project;
-      log(sym.bar + "  " + a.bold + projName + a.reset + "    " + sessionLabel + "    " + statusIcon);
-      log(sym.bar + "  " + a.dim + p.path + a.reset);
-      if (i < projs.length - 1) log(sym.bar);
-    }
-    log(sym.bar);
-
-    // Build menu items
-    var items = [];
-
-    // Check if cwd is already registered
-    var cwdRegistered = false;
-    for (var j = 0; j < projs.length; j++) {
-      if (projs[j].path === cwd) {
-        cwdRegistered = true;
-        break;
-      }
-    }
-    if (!cwdRegistered) {
-      items.push({ label: "+ Add " + a.bold + path.basename(cwd) + a.reset + " " + a.dim + "(" + cwd + ")" + a.reset, value: "add_cwd" });
-    }
-    items.push({ label: "+ Add project...", value: "add_other" });
-
-    for (var k = 0; k < projs.length; k++) {
-      var itemLabel = projs[k].title || projs[k].project;
-      items.push({ label: itemLabel, value: "detail:" + projs[k].slug });
-    }
-    items.push({ label: "Back", value: "back" });
-
-    promptSelect("Select", items, function (choice) {
-      if (choice === "back") {
-        console.clear();
-        printLogo();
-        log("");
-        showMainMenu(config, ip);
-      } else if (choice === "add_cwd") {
-        sendIPCCommand(socketPath(), { cmd: "add_project", path: cwd }).then(function (res) {
-          if (res.ok) {
-            log(sym.done + "  " + a.green + "Added: " + res.slug + a.reset);
-            config = loadConfig() || config;
-          } else {
-            log(sym.warn + "  " + a.yellow + (res.error || "Failed") + a.reset);
-          }
-          log("");
-          showProjectsMenu(config, ip);
-        });
-      } else if (choice === "add_other") {
-        log(sym.bar);
-        promptText("Directory path", cwd, function (dirPath) {
-          if (dirPath === null) {
-            showProjectsMenu(config, ip);
-            return;
-          }
-          var absPath = path.resolve(dirPath);
-          try {
-            var stat = fs.statSync(absPath);
-            if (!stat.isDirectory()) {
-              log(sym.warn + "  " + a.red + "Not a directory: " + absPath + a.reset);
-              setTimeout(function () { showProjectsMenu(config, ip); }, 2000);
-              return;
-            }
-          } catch (e) {
-            log(sym.warn + "  " + a.red + "Directory not found: " + absPath + a.reset);
-            setTimeout(function () { showProjectsMenu(config, ip); }, 2000);
-            return;
-          }
-          var alreadyExists = false;
-          for (var pi = 0; pi < projs.length; pi++) {
-            if (projs[pi].path === absPath) {
-              alreadyExists = true;
-              break;
-            }
-          }
-          if (alreadyExists) {
-            log(sym.done + "  " + a.yellow + "Already added: " + path.basename(absPath) + a.reset + " " + a.dim + "(" + absPath + ")" + a.reset);
-            setTimeout(function () { showProjectsMenu(config, ip); }, 2000);
-            return;
-          }
-          sendIPCCommand(socketPath(), { cmd: "add_project", path: absPath }).then(function (res) {
-            if (res.ok) {
-              log(sym.done + "  " + a.green + "Added: " + res.slug + a.reset + " " + a.dim + "(" + absPath + ")" + a.reset);
-              config = loadConfig() || config;
-            } else {
-              log(sym.warn + "  " + a.yellow + (res.error || "Failed") + a.reset);
-            }
-            setTimeout(function () { showProjectsMenu(config, ip); }, 2000);
-          });
-        });
-      } else if (choice.startsWith("detail:")) {
-        var detailSlug = choice.substring(7);
-        showProjectDetail(config, ip, detailSlug, projs);
-      }
-    });
-  });
-}
-
-// ==============================
-// Project detail
-// ==============================
-function showProjectDetail(config, ip, slug, projects) {
-  var proj = null;
-  for (var i = 0; i < projects.length; i++) {
-    if (projects[i].slug === slug) {
-      proj = projects[i];
-      break;
-    }
-  }
-  if (!proj) {
-    showProjectsMenu(config, ip);
-    return;
-  }
-
-  var displayName = proj.title || proj.project;
-
-  console.clear();
-  printLogo();
-  log("");
-  log(sym.pointer + "  " + a.bold + displayName + a.reset + "  " + a.dim + proj.slug + " · " + proj.path + a.reset);
-  log(sym.bar);
-  var sessionLabel = proj.sessions === 1 ? "1 session" : proj.sessions + " sessions";
-  var clientLabel = proj.clients === 1 ? "1 client" : proj.clients + " clients";
-  log(sym.bar + "  " + sessionLabel + " · " + clientLabel);
-  if (proj.title) {
-    log(sym.bar + "  " + a.dim + "Title: " + a.reset + proj.title);
-  }
-  log(sym.bar);
-
-  var items = [
-    { label: proj.title ? "Change title" : "Set title", value: "title" },
-    { label: "Remove project", value: "remove" },
-    { label: "Back", value: "back" },
-  ];
-
-  promptSelect("What would you like to do?", items, function (choice) {
-    if (choice === "title") {
-      log(sym.bar);
-      promptText("Project title", proj.title || proj.project, function (newTitle) {
-        if (newTitle === null) {
-          showProjectDetail(config, ip, slug, projects);
-          return;
-        }
-        var titleVal = newTitle.trim();
-        // If same as directory name, clear custom title
-        if (titleVal === proj.project || titleVal === "") {
-          titleVal = null;
-        }
-        sendIPCCommand(socketPath(), { cmd: "set_project_title", slug: slug, title: titleVal }).then(function (res) {
-          if (res.ok) {
-            proj.title = titleVal;
-            config = loadConfig() || config;
-            log(sym.done + "  " + a.green + "Title updated" + a.reset);
-          } else {
-            log(sym.warn + "  " + a.yellow + (res.error || "Failed") + a.reset);
-          }
-          log("");
-          showProjectDetail(config, ip, slug, projects);
-        });
-      });
-    } else if (choice === "remove") {
-      sendIPCCommand(socketPath(), { cmd: "remove_project", slug: slug }).then(function (res) {
-        if (res.ok) {
-          log(sym.done + "  " + a.green + "Removed: " + slug + a.reset);
-          config = loadConfig() || config;
-        } else {
-          log(sym.warn + "  " + a.yellow + (res.error || "Failed") + a.reset);
-        }
-        log("");
-        showProjectsMenu(config, ip);
-      });
-    } else {
-      showProjectsMenu(config, ip);
-    }
-  });
-}
-
 // ==============================
 // Setup guide (2x2 toggle flow)
 // ==============================
@@ -2229,7 +2126,7 @@ function showSetupGuide(config, ip, goBack) {
   promptToggle("Access from outside your network?", "Requires Tailscale on both devices", false, function (remote) {
     wantRemote = remote;
     log(sym.bar);
-    promptToggle("Want push notifications?", "Requires HTTPS (mkcert certificate)", false, function (push) {
+    promptToggle("Want push notifications?", "Requires HTTPS", false, function (push) {
       wantPush = push;
       log(sym.bar);
       afterToggles();
@@ -2293,6 +2190,15 @@ function showSetupGuide(config, ip, goBack) {
       return;
     }
 
+    // Builtin cert: HTTPS already active, skip mkcert flow entirely
+    if (config.builtinCert) {
+      log(sym.pointer + "  " + a.bold + "HTTPS" + a.reset + a.dim + " · Enabled (builtin certificate)" + a.reset);
+      log(sym.bar);
+      showSetupQR();
+      return;
+    }
+
+    // mkcert flow (--mkcert or fallback)
     var mcReady = hasMkcert();
     log(sym.pointer + "  " + a.bold + "HTTPS Setup (for push notifications)" + a.reset);
     if (mcReady) {
@@ -2341,10 +2247,16 @@ function showSetupGuide(config, ip, goBack) {
     }
     var setupIP = wantRemote ? (tsIP || ip) : (lanIP || ip);
     var setupQuery = wantRemote ? "" : "?mode=lan";
-    // Always use HTTP onboarding URL for QR/setup when TLS is active
-    var setupUrl = config.tls
-      ? "http://" + setupIP + ":" + (config.port + 1) + "/setup" + setupQuery
-      : "http://" + setupIP + ":" + config.port + "/setup" + setupQuery;
+    // Builtin cert: link directly to the app with push notification guide
+    // mkcert: use HTTP onboarding server for CA install flow
+    var setupUrl;
+    if (config.builtinCert) {
+      setupUrl = toClayStudioUrl(setupIP, config.port, "https") + "/pwa";
+    } else if (config.tls) {
+      setupUrl = "http://" + setupIP + ":" + (config.port + 1) + "/setup" + setupQuery;
+    } else {
+      setupUrl = "http://" + setupIP + ":" + config.port + "/setup" + setupQuery;
+    }
     log(sym.pointer + "  " + a.bold + "Continue on your device" + a.reset);
     log(sym.bar + "  " + a.dim + "Scan the QR code or open:" + a.reset);
     log(sym.bar + "  " + a.bold + setupUrl + a.reset);
@@ -2435,11 +2347,13 @@ function showSettingsMenu(config, ip) {
       { label: "Setup notifications", value: "guide" },
     ];
 
-    if (config.pinHash) {
-      items.push({ label: "Change PIN", value: "pin" });
-      items.push({ label: "Remove PIN", value: "remove_pin" });
-    } else {
-      items.push({ label: "Set PIN", value: "pin" });
+    if (!muEnabled) {
+      if (config.pinHash) {
+        items.push({ label: "Change PIN", value: "pin" });
+        items.push({ label: "Remove PIN", value: "remove_pin" });
+      } else {
+        items.push({ label: "Set PIN", value: "pin" });
+      }
     }
     if (muEnabled) {
       items.push({ label: "Disable multi-user mode", value: "disable_multi_user" });
@@ -2759,7 +2673,9 @@ function showSettingsMenu(config, ip) {
             return;
           }
           var protocol = config.tls ? "https" : "http";
-          var recoveryUrl = protocol + "://" + ip + ":" + config.port + "/recover/" + recoveryUrlPath;
+          var recoveryUrl = config.builtinCert
+            ? toClayStudioUrl(ip, config.port, protocol) + "/recover/" + recoveryUrlPath
+            : protocol + "://" + ip + ":" + config.port + "/recover/" + recoveryUrlPath;
           log(sym.bar);
           log(sym.bar + "  " + a.yellow + sym.warn + " Admin Password Recovery" + a.reset);
           log(sym.bar);
@@ -2849,9 +2765,12 @@ var currentVersion = require("../package.json").version;
     if (headlessMode) {
       var protocol = config.tls ? "https" : "http";
       var ip = getLocalIP();
-      var url = protocol + "://" + ip + ":" + config.port;
+      var url = config.builtinCert
+        ? toClayStudioUrl(ip, config.port, protocol)
+        : protocol + "://" + ip + ":" + config.port;
       console.log("  " + sym.done + "  Daemon already running (PID " + config.pid + ")");
       console.log("  " + sym.done + "  " + url);
+      if (config.builtinCert) console.log("  " + sym.done + "  d.clay.studio provides HTTPS certificates only. Your traffic never leaves your network.");
       process.exit(0);
       return;
     }