npm - clay-server - Versions diffs - 2.16.0 → 2.17.0-beta.2 - Mend

clay-server 2.16.0 → 2.17.0-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -8,7 +8,7 @@
 [![npm version](https://img.shields.io/npm/v/clay-server)](https://www.npmjs.com/package/clay-server) [![npm downloads](https://img.shields.io/npm/dw/clay-server)](https://www.npmjs.com/package/clay-server) [![GitHub stars](https://img.shields.io/github/stars/chadbyte/clay)](https://github.com/chadbyte/clay) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://github.com/chadbyte/clay/blob/main/LICENSE)
-Clay gives Claude Code a browser UI that runs on any device. Use it from your phone, run it on macOS, Windows, or Linux. Invite teammates, manage multiple projects from one sidebar, and get push notifications when Claude needs you. Built on the official Claude Agent SDK, not a terminal parser. Your machine is the server. No cloud relay in between, no extra network surface.
+Clay gives Claude Code a browser UI that runs on any device. Use it from your phone, run it on macOS, Windows, or Linux. Invite teammates, manage multiple projects from one sidebar, and get push notifications when Claude needs you. HTTPS and push notifications work out of the box with zero config. Built on the official Claude Agent SDK, not a terminal parser. Your machine is the server. No cloud relay in between, no extra network surface.
 ---
@@ -98,7 +98,7 @@ Take it further with Ralph Loop, an autonomous coding loop built into Clay. The
 Your data flows directly from your machine to the Anthropic API, exactly as it does when you use the CLI. Clay adds a browser layer on top, not a middleman.
-PIN authentication, per-project/session permissions, and HTTPS are supported by default. For local network use, this is sufficient. For remote access, we recommend a VPN like Tailscale.
+HTTPS is enabled by default with a builtin certificate. PIN authentication and per-project/session permissions are built in. For local network use, this is sufficient. For remote access, we recommend a VPN like Tailscale.
 ---
@@ -166,20 +166,32 @@ Yes. Create as many as you need. A code reviewer, a writing partner, a project m
 ---
-## HTTPS for Push
+## HTTPS
-Everything works out of the box. Only push notifications require HTTPS.
+HTTPS is enabled by default using a builtin wildcard certificate for `*.d.clay.studio`. No setup required. Your browser connects to a URL like:
-Set it up once with [mkcert](https://github.com/FiloSottile/mkcert):
+```
+https://192-168-1-50.d.clay.studio:2633
+```
+The domain resolves to your local IP. All traffic stays on your network. See [clay-dns](clay-dns/) for details on how this works.
+Push notifications require HTTPS, so they work out of the box with this setup. Install Clay as a PWA on your device to receive them.
+<details>
+<summary><strong>Alternative: local certificate with mkcert</strong></summary>
+If you prefer to use a locally generated certificate (e.g. air-gapped environments where DNS is unavailable):
 ```bash
 brew install mkcert
 mkcert -install
+npx clay-server --local-cert
 ```
-Certificates are auto-generated. The setup wizard handles the rest.
+This generates a self-signed certificate trusted by your machine. The setup wizard will guide you through installing the CA on other devices.
-If push registration fails: check that your browser trusts the HTTPS certificate and that your phone can reach the server address.
+</details>
 ---
@@ -192,6 +204,7 @@ npx clay-server --yes        # Skip interactive prompts (use defaults)
 npx clay-server -y --pin 123456
                               # Non-interactive + PIN (for scripts/CI)
 npx clay-server --no-https   # Disable HTTPS
+npx clay-server --local-cert # Use local certificate (mkcert) instead of builtin
 npx clay-server --no-update  # Skip update check
 npx clay-server --debug      # Enable debug panel
 npx clay-server --add .      # Add current directory to running daemon

package/bin/cli.js CHANGED Viewed

@@ -52,6 +52,7 @@ function openUrl(url) {
 var args = process.argv.slice(2);
 var port = _isDev ? 2635 : 2633;
 var useHttps = true;
+var forceMkcert = false;
 var skipUpdate = false;
 var debugMode = false;
 var autoYes = false;
@@ -81,6 +82,8 @@ for (var i = 0; i < args.length; i++) {
     i++;
   } else if (args[i] === "--no-https") {
     useHttps = false;
+  } else if (args[i] === "--local-cert") {
+    forceMkcert = true;
   } else if (args[i] === "--no-update" || args[i] === "--skip-update") {
     skipUpdate = true;
   } else if (args[i] === "--dev") {
@@ -124,7 +127,8 @@ for (var i = 0; i < args.length; i++) {
     console.log("Options:");
     console.log("  -p, --port <port>  Port to listen on (default: 2633)");
     console.log("  --host <address>   Address to bind to (default: 0.0.0.0)");
-    console.log("  --no-https         Disable HTTPS (enabled by default via mkcert)");
+    console.log("  --no-https         Disable HTTPS (enabled by default)");
+    console.log("  --local-cert       Use local certificate (mkcert) instead of builtin");
     console.log("  --no-update        Skip auto-update check on startup");
     console.log("  --debug            Enable debug panel in the web UI");
     console.log("  -y, --yes          Skip interactive prompts (accept defaults)");
@@ -564,7 +568,43 @@ function getAllIPs() {
   return ips;
 }
+function getBuiltinCert() {
+  try {
+    var certDir = path.join(__dirname, "..", "lib", "certs");
+    var keyPath = path.join(certDir, "privkey.pem");
+    var certPath = path.join(certDir, "fullchain.pem");
+    if (!fs.existsSync(keyPath) || !fs.existsSync(certPath)) return null;
+    // Check expiry
+    var certText = execFileSync("openssl", [
+      "x509", "-in", certPath, "-noout", "-enddate"
+    ], { encoding: "utf8" });
+    var m = certText.match(/notAfter=(.+)/);
+    if (m) {
+      var expiry = new Date(m[1]);
+      var now = new Date();
+      // Skip if expiring within 7 days
+      if (expiry.getTime() - now.getTime() < 7 * 24 * 60 * 60 * 1000) return null;
+    }
+    return { key: keyPath, cert: certPath, caRoot: null, builtin: true };
+  } catch (e) {
+    return null;
+  }
+}
+function toClayStudioUrl(ip, port, protocol) {
+  var dashed = ip.replace(/\./g, "-");
+  return protocol + "://" + dashed + ".d.clay.studio:" + port;
+}
 function ensureCerts(ip) {
+  // Check builtin cert first (unless --local-cert flag is set)
+  if (!forceMkcert) {
+    var builtin = getBuiltinCert();
+    if (builtin) return builtin;
+  }
   var homeDir = os.homedir();
   var certDir = path.join(process.env.CLAY_HOME || path.join(homeDir, ".clay"), "certs");
   var keyPath = path.join(certDir, "key.pem");
@@ -1395,11 +1435,13 @@ function setup(callback) {
 async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
   var ip = getLocalIP();
   var hasTls = false;
+  var hasBuiltinCert = false;
   if (useHttps) {
     var certPaths = ensureCerts(ip);
     if (certPaths) {
       hasTls = true;
+      if (certPaths.builtin) hasBuiltinCert = true;
     } else {
       log(sym.warn + "  " + a.yellow + "HTTPS unavailable" + a.reset + a.dim + " · mkcert not installed" + a.reset);
     }
@@ -1473,6 +1515,7 @@ async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
     host: host,
     pinHash: mode === "multi" && cliPin ? generateAuthToken(cliPin) : null,
     tls: hasTls,
+    builtinCert: hasBuiltinCert,
     debug: debugMode,
     keepAwake: keepAwake,
     dangerouslySkipPermissions: dangerouslySkipPermissions,
@@ -1547,9 +1590,12 @@ async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
   // Headless mode — print status and exit immediately
   if (headlessMode) {
     var protocol = config.tls ? "https" : "http";
-    var url = protocol + "://" + ip + ":" + config.port;
+    var url = config.builtinCert
+      ? toClayStudioUrl(ip, config.port, protocol)
+      : protocol + "://" + ip + ":" + config.port;
     console.log("  " + sym.done + "  Daemon started (PID " + config.pid + ")");
     console.log("  " + sym.done + "  " + url);
+    if (config.builtinCert) console.log("  " + sym.done + "  d.clay.studio is only used for HTTPS certificates. All traffic stays on your local network. https://github.com/chadbyte/clay/tree/main/clay-dns");
     console.log("  " + sym.done + "  Headless mode — exiting CLI");
     process.exit(0);
     return;
@@ -1565,10 +1611,14 @@ async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
 async function devMode(mode, keepAwake, existingPinHash) {
   var ip = getLocalIP();
   var hasTls = false;
+  var hasBuiltinCert = false;
   if (useHttps) {
     var certPaths = ensureCerts(ip);
-    if (certPaths) hasTls = true;
+    if (certPaths) {
+      hasTls = true;
+      if (certPaths.builtin) hasBuiltinCert = true;
+    }
   }
   var portFree = await isPortFree(port);
@@ -1630,6 +1680,7 @@ async function devMode(mode, keepAwake, existingPinHash) {
     host: host,
     pinHash: existingPinHash || null,
     tls: hasTls,
+    builtinCert: hasBuiltinCert,
     debug: true,
     keepAwake: keepAwake || false,
     dangerouslySkipPermissions: dangerouslySkipPermissions,
@@ -1778,6 +1829,7 @@ async function restartDaemonWithTLS(config, callback) {
     callback(config);
     return;
   }
+  var hasBuiltinCert = !!(certPaths && certPaths.builtin);
   // Shut down old daemon
   stopDaemonWatcher();
@@ -1801,6 +1853,7 @@ async function restartDaemonWithTLS(config, callback) {
     port: config.port,
     pinHash: config.pinHash || null,
     tls: true,
+    builtinCert: hasBuiltinCert,
     debug: config.debug || false,
     keepAwake: config.keepAwake || false,
     dangerouslySkipPermissions: config.dangerouslySkipPermissions || false,
@@ -1879,7 +1932,9 @@ function showServerStarted(config, ip) {
 function showMainMenu(config, ip) {
   startDaemonWatcher();
   var protocol = config.tls ? "https" : "http";
-  var url = protocol + "://" + ip + ":" + config.port;
+  var url = config.builtinCert
+    ? toClayStudioUrl(ip, config.port, protocol)
+    : protocol + "://" + ip + ":" + config.port;
   sendIPCCommand(socketPath(), { cmd: "get_status" }).then(function (status) {
     var projs = (status && status.projects) || [];
@@ -1897,6 +1952,7 @@ function showMainMenu(config, ip) {
     function afterQr() {
       // Status line
       log("  " + a.dim + "clay" + a.reset + " " + a.dim + "v" + currentVersion + a.reset + a.dim + " — " + url + a.reset);
+      if (config.builtinCert) log("  " + a.dim + "d.clay.studio is only used for HTTPS certificates. All traffic stays on your local network. https://github.com/chadbyte/clay/tree/main/clay-dns" + a.reset);
       var parts = [];
       parts.push(a.bold + projs.length + a.reset + a.dim + (projs.length === 1 ? " project" : " projects"));
       parts.push(a.reset + a.bold + totalSessions + a.reset + a.dim + (totalSessions === 1 ? " session" : " sessions"));
@@ -1925,7 +1981,6 @@ function showMainMenu(config, ip) {
     function showMenuItems() {
       var items = [
         { label: "Setup notifications", value: "notifications" },
-        { label: "Projects", value: "projects" },
         { label: "Settings", value: "settings" },
         { label: "Shut down server", value: "shutdown" },
         { label: "Keep server alive & exit", value: "exit" },
@@ -1940,10 +1995,6 @@ function showMainMenu(config, ip) {
             });
             break;
-          case "projects":
-            showProjectsMenu(config, ip);
-            break;
           case "settings":
             showSettingsMenu(config, ip);
             break;
@@ -2000,203 +2051,6 @@ function showMainMenu(config, ip) {
   });
 }
-// ==============================
-// Projects sub-menu
-// ==============================
-function showProjectsMenu(config, ip) {
-  sendIPCCommand(socketPath(), { cmd: "get_status" }).then(function (status) {
-    if (!status.ok) {
-      log(a.red + "Failed to get status" + a.reset);
-      showMainMenu(config, ip);
-      return;
-    }
-    console.clear();
-    printLogo();
-    log("");
-    log(sym.pointer + "  " + a.bold + "Projects" + a.reset);
-    log(sym.bar);
-    var projs = status.projects || [];
-    for (var i = 0; i < projs.length; i++) {
-      var p = projs[i];
-      var statusIcon = p.isProcessing ? "⚡" : (p.clients > 0 ? "🟢" : "⏸");
-      var sessionLabel = p.sessions === 1 ? "1 session" : p.sessions + " sessions";
-      var projName = p.title || p.project;
-      log(sym.bar + "  " + a.bold + projName + a.reset + "    " + sessionLabel + "    " + statusIcon);
-      log(sym.bar + "  " + a.dim + p.path + a.reset);
-      if (i < projs.length - 1) log(sym.bar);
-    }
-    log(sym.bar);
-    // Build menu items
-    var items = [];
-    // Check if cwd is already registered
-    var cwdRegistered = false;
-    for (var j = 0; j < projs.length; j++) {
-      if (projs[j].path === cwd) {
-        cwdRegistered = true;
-        break;
-      }
-    }
-    if (!cwdRegistered) {
-      items.push({ label: "+ Add " + a.bold + path.basename(cwd) + a.reset + " " + a.dim + "(" + cwd + ")" + a.reset, value: "add_cwd" });
-    }
-    items.push({ label: "+ Add project...", value: "add_other" });
-    for (var k = 0; k < projs.length; k++) {
-      var itemLabel = projs[k].title || projs[k].project;
-      items.push({ label: itemLabel, value: "detail:" + projs[k].slug });
-    }
-    items.push({ label: "Back", value: "back" });
-    promptSelect("Select", items, function (choice) {
-      if (choice === "back") {
-        console.clear();
-        printLogo();
-        log("");
-        showMainMenu(config, ip);
-      } else if (choice === "add_cwd") {
-        sendIPCCommand(socketPath(), { cmd: "add_project", path: cwd }).then(function (res) {
-          if (res.ok) {
-            log(sym.done + "  " + a.green + "Added: " + res.slug + a.reset);
-            config = loadConfig() || config;
-          } else {
-            log(sym.warn + "  " + a.yellow + (res.error || "Failed") + a.reset);
-          }
-          log("");
-          showProjectsMenu(config, ip);
-        });
-      } else if (choice === "add_other") {
-        log(sym.bar);
-        promptText("Directory path", cwd, function (dirPath) {
-          if (dirPath === null) {
-            showProjectsMenu(config, ip);
-            return;
-          }
-          var absPath = path.resolve(dirPath);
-          try {
-            var stat = fs.statSync(absPath);
-            if (!stat.isDirectory()) {
-              log(sym.warn + "  " + a.red + "Not a directory: " + absPath + a.reset);
-              setTimeout(function () { showProjectsMenu(config, ip); }, 2000);
-              return;
-            }
-          } catch (e) {
-            log(sym.warn + "  " + a.red + "Directory not found: " + absPath + a.reset);
-            setTimeout(function () { showProjectsMenu(config, ip); }, 2000);
-            return;
-          }
-          var alreadyExists = false;
-          for (var pi = 0; pi < projs.length; pi++) {
-            if (projs[pi].path === absPath) {
-              alreadyExists = true;
-              break;
-            }
-          }
-          if (alreadyExists) {
-            log(sym.done + "  " + a.yellow + "Already added: " + path.basename(absPath) + a.reset + " " + a.dim + "(" + absPath + ")" + a.reset);
-            setTimeout(function () { showProjectsMenu(config, ip); }, 2000);
-            return;
-          }
-          sendIPCCommand(socketPath(), { cmd: "add_project", path: absPath }).then(function (res) {
-            if (res.ok) {
-              log(sym.done + "  " + a.green + "Added: " + res.slug + a.reset + " " + a.dim + "(" + absPath + ")" + a.reset);
-              config = loadConfig() || config;
-            } else {
-              log(sym.warn + "  " + a.yellow + (res.error || "Failed") + a.reset);
-            }
-            setTimeout(function () { showProjectsMenu(config, ip); }, 2000);
-          });
-        });
-      } else if (choice.startsWith("detail:")) {
-        var detailSlug = choice.substring(7);
-        showProjectDetail(config, ip, detailSlug, projs);
-      }
-    });
-  });
-}
-// ==============================
-// Project detail
-// ==============================
-function showProjectDetail(config, ip, slug, projects) {
-  var proj = null;
-  for (var i = 0; i < projects.length; i++) {
-    if (projects[i].slug === slug) {
-      proj = projects[i];
-      break;
-    }
-  }
-  if (!proj) {
-    showProjectsMenu(config, ip);
-    return;
-  }
-  var displayName = proj.title || proj.project;
-  console.clear();
-  printLogo();
-  log("");
-  log(sym.pointer + "  " + a.bold + displayName + a.reset + "  " + a.dim + proj.slug + " · " + proj.path + a.reset);
-  log(sym.bar);
-  var sessionLabel = proj.sessions === 1 ? "1 session" : proj.sessions + " sessions";
-  var clientLabel = proj.clients === 1 ? "1 client" : proj.clients + " clients";
-  log(sym.bar + "  " + sessionLabel + " · " + clientLabel);
-  if (proj.title) {
-    log(sym.bar + "  " + a.dim + "Title: " + a.reset + proj.title);
-  }
-  log(sym.bar);
-  var items = [
-    { label: proj.title ? "Change title" : "Set title", value: "title" },
-    { label: "Remove project", value: "remove" },
-    { label: "Back", value: "back" },
-  ];
-  promptSelect("What would you like to do?", items, function (choice) {
-    if (choice === "title") {
-      log(sym.bar);
-      promptText("Project title", proj.title || proj.project, function (newTitle) {
-        if (newTitle === null) {
-          showProjectDetail(config, ip, slug, projects);
-          return;
-        }
-        var titleVal = newTitle.trim();
-        // If same as directory name, clear custom title
-        if (titleVal === proj.project || titleVal === "") {
-          titleVal = null;
-        }
-        sendIPCCommand(socketPath(), { cmd: "set_project_title", slug: slug, title: titleVal }).then(function (res) {
-          if (res.ok) {
-            proj.title = titleVal;
-            config = loadConfig() || config;
-            log(sym.done + "  " + a.green + "Title updated" + a.reset);
-          } else {
-            log(sym.warn + "  " + a.yellow + (res.error || "Failed") + a.reset);
-          }
-          log("");
-          showProjectDetail(config, ip, slug, projects);
-        });
-      });
-    } else if (choice === "remove") {
-      sendIPCCommand(socketPath(), { cmd: "remove_project", slug: slug }).then(function (res) {
-        if (res.ok) {
-          log(sym.done + "  " + a.green + "Removed: " + slug + a.reset);
-          config = loadConfig() || config;
-        } else {
-          log(sym.warn + "  " + a.yellow + (res.error || "Failed") + a.reset);
-        }
-        log("");
-        showProjectsMenu(config, ip);
-      });
-    } else {
-      showProjectsMenu(config, ip);
-    }
-  });
-}
 // ==============================
 // Setup guide (2x2 toggle flow)
 // ==============================
@@ -2229,7 +2083,7 @@ function showSetupGuide(config, ip, goBack) {
   promptToggle("Access from outside your network?", "Requires Tailscale on both devices", false, function (remote) {
     wantRemote = remote;
     log(sym.bar);
-    promptToggle("Want push notifications?", "Requires HTTPS (mkcert certificate)", false, function (push) {
+    promptToggle("Want push notifications?", "Requires HTTPS", false, function (push) {
       wantPush = push;
       log(sym.bar);
       afterToggles();
@@ -2293,6 +2147,15 @@ function showSetupGuide(config, ip, goBack) {
       return;
     }
+    // Builtin cert: HTTPS already active, skip mkcert flow entirely
+    if (config.builtinCert) {
+      log(sym.pointer + "  " + a.bold + "HTTPS" + a.reset + a.dim + " · Enabled (builtin certificate)" + a.reset);
+      log(sym.bar);
+      showSetupQR();
+      return;
+    }
+    // mkcert flow (--mkcert or fallback)
     var mcReady = hasMkcert();
     log(sym.pointer + "  " + a.bold + "HTTPS Setup (for push notifications)" + a.reset);
     if (mcReady) {
@@ -2341,10 +2204,16 @@ function showSetupGuide(config, ip, goBack) {
     }
     var setupIP = wantRemote ? (tsIP || ip) : (lanIP || ip);
     var setupQuery = wantRemote ? "" : "?mode=lan";
-    // Always use HTTP onboarding URL for QR/setup when TLS is active
-    var setupUrl = config.tls
-      ? "http://" + setupIP + ":" + (config.port + 1) + "/setup" + setupQuery
-      : "http://" + setupIP + ":" + config.port + "/setup" + setupQuery;
+    // Builtin cert: link directly to the app with push notification guide
+    // mkcert: use HTTP onboarding server for CA install flow
+    var setupUrl;
+    if (config.builtinCert) {
+      setupUrl = toClayStudioUrl(setupIP, config.port, "https") + "?playbook=push-notifications";
+    } else if (config.tls) {
+      setupUrl = "http://" + setupIP + ":" + (config.port + 1) + "/setup" + setupQuery;
+    } else {
+      setupUrl = "http://" + setupIP + ":" + config.port + "/setup" + setupQuery;
+    }
     log(sym.pointer + "  " + a.bold + "Continue on your device" + a.reset);
     log(sym.bar + "  " + a.dim + "Scan the QR code or open:" + a.reset);
     log(sym.bar + "  " + a.bold + setupUrl + a.reset);
@@ -2435,11 +2304,13 @@ function showSettingsMenu(config, ip) {
       { label: "Setup notifications", value: "guide" },
     ];
-    if (config.pinHash) {
-      items.push({ label: "Change PIN", value: "pin" });
-      items.push({ label: "Remove PIN", value: "remove_pin" });
-    } else {
-      items.push({ label: "Set PIN", value: "pin" });
+    if (!muEnabled) {
+      if (config.pinHash) {
+        items.push({ label: "Change PIN", value: "pin" });
+        items.push({ label: "Remove PIN", value: "remove_pin" });
+      } else {
+        items.push({ label: "Set PIN", value: "pin" });
+      }
     }
     if (muEnabled) {
       items.push({ label: "Disable multi-user mode", value: "disable_multi_user" });
@@ -2759,7 +2630,9 @@ function showSettingsMenu(config, ip) {
             return;
           }
           var protocol = config.tls ? "https" : "http";
-          var recoveryUrl = protocol + "://" + ip + ":" + config.port + "/recover/" + recoveryUrlPath;
+          var recoveryUrl = config.builtinCert
+            ? toClayStudioUrl(ip, config.port, protocol) + "/recover/" + recoveryUrlPath
+            : protocol + "://" + ip + ":" + config.port + "/recover/" + recoveryUrlPath;
           log(sym.bar);
           log(sym.bar + "  " + a.yellow + sym.warn + " Admin Password Recovery" + a.reset);
           log(sym.bar);
@@ -2849,9 +2722,12 @@ var currentVersion = require("../package.json").version;
     if (headlessMode) {
       var protocol = config.tls ? "https" : "http";
       var ip = getLocalIP();
-      var url = protocol + "://" + ip + ":" + config.port;
+      var url = config.builtinCert
+        ? toClayStudioUrl(ip, config.port, protocol)
+        : protocol + "://" + ip + ":" + config.port;
       console.log("  " + sym.done + "  Daemon already running (PID " + config.pid + ")");
       console.log("  " + sym.done + "  " + url);
+      if (config.builtinCert) console.log("  " + sym.done + "  d.clay.studio is only used for HTTPS certificates. All traffic stays on your local network. https://github.com/chadbyte/clay/tree/main/clay-dns");
       process.exit(0);
       return;
     }

package/lib/certs/fullchain.pem ADDED Viewed

@@ -0,0 +1,47 @@
+-----BEGIN CERTIFICATE-----
+MIIDgjCCAwigAwIBAgISBmtBLGUclrEfhwU9evzgyDCQMAoGCCqGSM49BAMDMDIx
+CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
+ODAeFw0yNjAzMjMwOTQ0MDJaFw0yNjA2MjEwOTQ0MDFaMBoxGDAWBgNVBAMMDyou
+ZC5jbGF5LnN0dWRpbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEhAD1htqRg8
+n7evflBZ1X7UaCeqBGcvG/MNtlAKd1VVfVGFuanyUjksV9++R1EuKLhEPM3loL/3
+Gz8+XEewGw6jggIUMIICEDAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU8Anzwuqwtujb+h3o/CnbJu5Z
++W8wHwYDVR0jBBgwFoAUjw0TovYuftFQbDMYOF1ZjiNykcowMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzAChhZodHRwOi8vZTguaS5sZW5jci5vcmcvMBoGA1UdEQQT
+MBGCDyouZC5jbGF5LnN0dWRpbzATBgNVHSAEDDAKMAgGBmeBDAECATAtBgNVHR8E
+JjAkMCKgIKAehhxodHRwOi8vZTguYy5sZW5jci5vcmcvMTcuY3JsMIIBBQYKKwYB
+BAHWeQIEAgSB9gSB8wDxAHcAFoMtq/CpJQ8P8DqlRf/Iv8gj0IdL9gQpJ/jnHzMT
+9foAAAGdGkoIlgAABAMASDBGAiEAhJFJwEIag1Bzt0WtYgMzLdJn/k+Is2RukdDo
+G5sXpyMCIQCQOX9nOoaVIXxF1KXiavbAY5QIyJRuvK7Fn6WeL58YQQB2AMs49xWJ
+fIShRF9bwd37yW7ymlnNRwppBYWwyxTDFFjnAAABnRpKCJgAAAQDAEcwRQIhAI98
+cmflulGQJMfD10jbstVwodGpzl5licg6FTxcYachAiBZV1cZnPfasTzcteXyjCuz
+c1wayYAtch+0soAWvBKZRzAKBggqhkjOPQQDAwNoADBlAjAwJO4ti4AJJTtMxYsr
+Jf5052oDrD2POtoiPksruQVVacsq0T/9VYVX+X2vElCrxFwCMQDcSToBRWGpv/G3
+JBpbEAB1qhk1Z9lYPQKH6gRvtp35XJWY0PucGRWgQUrXuZcxGlA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEVjCCAj6gAwIBAgIQY5WTY8JOcIJxWRi/w9ftVjANBgkqhkiG9w0BAQsFADBP
+MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
+Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa
+Fw0yNzAzMTIyMzU5NTlaMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF
+bmNyeXB0MQswCQYDVQQDEwJFODB2MBAGByqGSM49AgEGBSuBBAAiA2IABNFl8l7c
+S7QMApzSsvru6WyrOq44ofTUOTIzxULUzDMMNMchIJBwXOhiLxxxs0LXeb5GDcHb
+R6EToMffgSZjO9SNHfY9gjMy9vQr5/WWOrQTZxh7az6NSNnq3u2ubT6HTKOB+DCB
+9TAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFI8NE6L2Ln7RUGwzGDhdWY4j
+cpHKMB8GA1UdIwQYMBaAFHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEB
+BCYwJDAiBggrBgEFBQcwAoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzATBgNVHSAE
+DDAKMAgGBmeBDAECATAnBgNVHR8EIDAeMBygGqAYhhZodHRwOi8veDEuYy5sZW5j
+ci5vcmcvMA0GCSqGSIb3DQEBCwUAA4ICAQBnE0hGINKsCYWi0Xx1ygxD5qihEjZ0
+RI3tTZz1wuATH3ZwYPIp97kWEayanD1j0cDhIYzy4CkDo2jB8D5t0a6zZWzlr98d
+AQFNh8uKJkIHdLShy+nUyeZxc5bNeMp1Lu0gSzE4McqfmNMvIpeiwWSYO9w82Ob8
+otvXcO2JUYi3svHIWRm3+707DUbL51XMcY2iZdlCq4Wa9nbuk3WTU4gr6LY8MzVA
+aDQG2+4U3eJ6qUF10bBnR1uuVyDYs9RhrwucRVnfuDj29CMLTsplM5f5wSV5hUpm
+Uwp/vV7M4w4aGunt74koX71n4EdagCsL/Yk5+mAQU0+tue0JOfAV/R6t1k+Xk9s2
+HMQFeoxppfzAVC04FdG9M+AC2JWxmFSt6BCuh3CEey3fE52Qrj9YM75rtvIjsm/1
+Hl+u//Wqxnu1ZQ4jpa+VpuZiGOlWrqSP9eogdOhCGisnyewWJwRQOqK16wiGyZeR
+xs/Bekw65vwSIaVkBruPiTfMOo0Zh4gVa8/qJgMbJbyrwwG97z/PRgmLKCDl8z3d
+tA0Z7qq7fta0Gl24uyuB05dqI5J1LvAzKuWdIjT1tP8qCoxSE/xpix8hX2dt3h+/
+jujUgFPFZ0EVZ0xSyBNRF3MboGZnYXFUxpNjTWPKpagDHJQmqrAcDmWJnMsFY3jS
+u1igv3OefnWjSQ==
+-----END CERTIFICATE-----

package/lib/certs/privkey.pem ADDED Viewed

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtwBpQgcr1N5kEPEv
+Rz5JCBMpDQHD8U44HlzB9bLvQAihRANCAARIQA9YbakYPJ+3r35QWdV+1GgnqgRn
+LxvzDbZQCndVVX1Rhbmp8lI5LFffvkdRLii4RDzN5aC/9xs/PlxHsBsO
+-----END PRIVATE KEY-----

package/lib/daemon.js CHANGED Viewed

@@ -60,10 +60,26 @@ if (config.osUsers) {
 // --- TLS ---
 var tlsOptions = null;
 if (config.tls) {
+  // 1. Check builtin cert (shipped with package)
+  var builtinKeyPath = path.join(__dirname, "certs", "privkey.pem");
+  var builtinCertPath = path.join(__dirname, "certs", "fullchain.pem");
+  // 2. User cert (mkcert, etc.)
   var os = require("os");
   var certDir = path.join(process.env.CLAY_HOME || process.env.CLAUDE_RELAY_HOME || path.join(os.homedir(), ".clay"), "certs");
-  var keyPath = path.join(certDir, "key.pem");
-  var certPath = path.join(certDir, "cert.pem");
+  var userKeyPath = path.join(certDir, "key.pem");
+  var userCertPath = path.join(certDir, "cert.pem");
+  var keyPath, certPath;
+  if (config.builtinCert !== false && fs.existsSync(builtinKeyPath) && fs.existsSync(builtinCertPath)) {
+    keyPath = builtinKeyPath;
+    certPath = builtinCertPath;
+    config.builtinCert = true;
+  } else {
+    keyPath = userKeyPath;
+    certPath = userCertPath;
+  }
   try {
     tlsOptions = {
       key: fs.readFileSync(keyPath),
@@ -119,6 +135,7 @@ var listenHost = config.host || "0.0.0.0";
 var relay = createServer({
   tlsOptions: tlsOptions,
   caPath: caRoot,
+  builtinCert: config.builtinCert || false,
   pinHash: config.pinHash || null,
   port: config.port,
   debug: config.debug || false,

package/lib/public/app.js CHANGED Viewed

@@ -5192,6 +5192,21 @@ import { initLongPress } from './modules/longpress.js';
   // --- Playbook Engine ---
   initPlaybook();
+  // Auto-open playbook from URL param (e.g. ?playbook=push-notifications)
+  (function () {
+    var params = new URLSearchParams(window.location.search);
+    var pbId = params.get("playbook");
+    if (pbId) {
+      // Small delay to ensure DOM and playbook registry are ready
+      setTimeout(function () { openPlaybook(pbId); }, 300);
+      // Clean up URL
+      params.delete("playbook");
+      var clean = params.toString();
+      var newUrl = window.location.pathname + (clean ? "?" + clean : "") + window.location.hash;
+      window.history.replaceState(null, "", newUrl);
+    }
+  })();
   // --- In-session search (Cmd+F / Ctrl+F) ---
   initSessionSearch({
     messagesEl: messagesEl,
@@ -6751,7 +6766,13 @@ import { initLongPress } from './modules/longpress.js';
     modal.querySelector(".pwa-modal-backdrop").addEventListener("click", closeModal);
     confirmBtn.addEventListener("click", function () {
-      // Redirect to setup page
+      // Builtin cert (*.d.clay.studio): open push notification guide directly
+      if (location.hostname.endsWith(".d.clay.studio")) {
+        closeModal();
+        openPlaybook("push-notifications");
+        return;
+      }
+      // mkcert / other: redirect to onboarding setup page
       var port = parseInt(location.port, 10);
       var setupUrl;
       if (!port) {

package/lib/public/sw.js CHANGED Viewed

@@ -38,8 +38,11 @@ self.addEventListener("fetch", function (event) {
   // Only handle GET requests
   if (request.method !== "GET") return;
-  // Skip WebSocket upgrade requests and API/data endpoints
+  // Skip cross-origin requests (external images, fonts, etc.)
   var url = new URL(request.url);
+  if (url.origin !== self.location.origin) return;
+  // Skip WebSocket upgrade requests and API/data endpoints
   if (url.pathname.indexOf("/ws") !== -1) return;
   if (url.pathname.indexOf("/api/") !== -1) return;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "clay-server",
-  "version": "2.16.0",
+  "version": "2.17.0-beta.2",
   "description": "Web UI for Claude Code. Any device. Push notifications.",
   "bin": {
     "clay-server": "./bin/cli.js",