npm - clay-server - Versions diffs - 2.17.0-beta.2 → 2.17.0-beta.3 - Mend

clay-server 2.17.0-beta.2 → 2.17.0-beta.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -168,7 +168,7 @@ Yes. Create as many as you need. A code reviewer, a writing partner, a project m
 ## HTTPS
-HTTPS is enabled by default using a builtin wildcard certificate for `*.d.clay.studio`. No setup required. Your browser connects to a URL like:
+HTTPS is enabled by default using a builtin wildcard certificate for `*.d.clay.studio`. No setup required. Available from `v2.17.0-beta.2`. Your browser connects to a URL like:
 ```
 https://192-168-1-50.d.clay.studio:2633

package/bin/cli.js CHANGED Viewed

@@ -599,12 +599,6 @@ function toClayStudioUrl(ip, port, protocol) {
 }
 function ensureCerts(ip) {
-  // Check builtin cert first (unless --local-cert flag is set)
-  if (!forceMkcert) {
-    var builtin = getBuiltinCert();
-    if (builtin) return builtin;
-  }
   var homeDir = os.homedir();
   var certDir = path.join(process.env.CLAY_HOME || path.join(homeDir, ".clay"), "certs");
   var keyPath = path.join(certDir, "key.pem");
@@ -619,14 +613,18 @@ function ensureCerts(ip) {
     fs.copyFileSync(legacyCert, certPath);
   }
+  var mkcertInstalled = hasMkcert();
   var caRoot = null;
-  try {
-    caRoot = path.join(
-      execSync("mkcert -CAROOT", { encoding: "utf8" }).trim(),
-      "rootCA.pem"
-    );
-    if (!fs.existsSync(caRoot)) caRoot = null;
-  } catch (e) {}
+  if (mkcertInstalled) {
+    try {
+      caRoot = path.join(
+        execSync("mkcert -CAROOT", { encoding: "utf8" }).trim(),
+        "rootCA.pem"
+      );
+      if (!fs.existsSync(caRoot)) caRoot = null;
+    } catch (e) {}
+  }
   // Collect all IPv4 addresses (Tailscale + LAN)
   var allIPs = getAllIPs();
@@ -644,24 +642,39 @@ function ensureCerts(ip) {
         }
       }
     } catch (e) { needRegen = true; }
-    if (!needRegen) return { key: keyPath, cert: certPath, caRoot: caRoot };
+    if (!needRegen) {
+      return { key: keyPath, cert: certPath, caRoot: caRoot, mkcertDetected: mkcertInstalled && !forceMkcert };
+    }
   }
-  fs.mkdirSync(certDir, { recursive: true });
+  // mkcert installed: generate local cert (legacy behavior)
+  if (mkcertInstalled) {
+    fs.mkdirSync(certDir, { recursive: true });
+    var domains = ["localhost", "127.0.0.1", "::1"];
+    for (var i = 0; i < allIPs.length; i++) {
+      if (domains.indexOf(allIPs[i]) === -1) domains.push(allIPs[i]);
+    }
-  var domains = ["localhost", "127.0.0.1", "::1"];
-  for (var i = 0; i < allIPs.length; i++) {
-    if (domains.indexOf(allIPs[i]) === -1) domains.push(allIPs[i]);
+    try {
+      var mkcertArgs = ["-key-file", keyPath, "-cert-file", certPath].concat(domains);
+      execFileSync("mkcert", mkcertArgs, { stdio: "pipe" });
+    } catch (err) {
+      // mkcert generation failed, fall through to builtin
+    }
+    if (fs.existsSync(keyPath) && fs.existsSync(certPath)) {
+      return { key: keyPath, cert: certPath, caRoot: caRoot, mkcertDetected: !forceMkcert };
+    }
   }
-  try {
-    var mkcertArgs = ["-key-file", keyPath, "-cert-file", certPath].concat(domains);
-    execFileSync("mkcert", mkcertArgs, { stdio: "pipe" });
-  } catch (err) {
-    return null;
+  // Fallback: builtin cert (unless --local-cert forces mkcert-only)
+  if (!forceMkcert) {
+    var builtin = getBuiltinCert();
+    if (builtin) return builtin;
   }
-  return { key: keyPath, cert: certPath, caRoot: caRoot };
+  return null;
 }
 // --- Logo ---
@@ -1436,12 +1449,14 @@ async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
   var ip = getLocalIP();
   var hasTls = false;
   var hasBuiltinCert = false;
+  var mkcertDetected = false;
   if (useHttps) {
     var certPaths = ensureCerts(ip);
     if (certPaths) {
       hasTls = true;
       if (certPaths.builtin) hasBuiltinCert = true;
+      if (certPaths.mkcertDetected) mkcertDetected = true;
     } else {
       log(sym.warn + "  " + a.yellow + "HTTPS unavailable" + a.reset + a.dim + " · mkcert not installed" + a.reset);
     }
@@ -1516,6 +1531,7 @@ async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
     pinHash: mode === "multi" && cliPin ? generateAuthToken(cliPin) : null,
     tls: hasTls,
     builtinCert: hasBuiltinCert,
+    mkcertDetected: mkcertDetected,
     debug: debugMode,
     keepAwake: keepAwake,
     dangerouslySkipPermissions: dangerouslySkipPermissions,
@@ -1596,6 +1612,7 @@ async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
     console.log("  " + sym.done + "  Daemon started (PID " + config.pid + ")");
     console.log("  " + sym.done + "  " + url);
     if (config.builtinCert) console.log("  " + sym.done + "  d.clay.studio is only used for HTTPS certificates. All traffic stays on your local network. https://github.com/chadbyte/clay/tree/main/clay-dns");
+    if (config.mkcertDetected) console.log("  " + sym.warn + "  mkcert detected. Uninstall mkcert to use builtin cert, or pass --local-cert to suppress this warning.");
     console.log("  " + sym.done + "  Headless mode — exiting CLI");
     process.exit(0);
     return;
@@ -1612,12 +1629,14 @@ async function devMode(mode, keepAwake, existingPinHash) {
   var ip = getLocalIP();
   var hasTls = false;
   var hasBuiltinCert = false;
+  var mkcertDetected = false;
   if (useHttps) {
     var certPaths = ensureCerts(ip);
     if (certPaths) {
       hasTls = true;
       if (certPaths.builtin) hasBuiltinCert = true;
+      if (certPaths.mkcertDetected) mkcertDetected = true;
     }
   }
@@ -1681,6 +1700,7 @@ async function devMode(mode, keepAwake, existingPinHash) {
     pinHash: existingPinHash || null,
     tls: hasTls,
     builtinCert: hasBuiltinCert,
+    mkcertDetected: mkcertDetected,
     debug: true,
     keepAwake: keepAwake || false,
     dangerouslySkipPermissions: dangerouslySkipPermissions,
@@ -1830,6 +1850,7 @@ async function restartDaemonWithTLS(config, callback) {
     return;
   }
   var hasBuiltinCert = !!(certPaths && certPaths.builtin);
+  var mkcertDetected = !!(certPaths && certPaths.mkcertDetected);
   // Shut down old daemon
   stopDaemonWatcher();
@@ -1854,6 +1875,7 @@ async function restartDaemonWithTLS(config, callback) {
     pinHash: config.pinHash || null,
     tls: true,
     builtinCert: hasBuiltinCert,
+    mkcertDetected: mkcertDetected,
     debug: config.debug || false,
     keepAwake: config.keepAwake || false,
     dangerouslySkipPermissions: config.dangerouslySkipPermissions || false,
@@ -1963,6 +1985,15 @@ function showMainMenu(config, ip) {
       log("  Press " + a.bold + "o" + a.reset + " to open in browser");
       log("");
+      if (config.mkcertDetected) {
+        log("  " + sym.warn + "  " + a.yellow + "mkcert detected." + a.reset + " Clay now ships with a builtin HTTPS certificate.");
+        log("     " + a.dim + "Uninstall mkcert to use it. No more CA setup on each device." + a.reset);
+        log("     " + a.dim + "  brew uninstall mkcert  (macOS)" + a.reset);
+        log("     " + a.dim + "  sudo apt remove mkcert  (Linux)" + a.reset);
+        log("     " + a.dim + "Or pass --local-cert to keep using mkcert without this warning." + a.reset);
+        log("");
+      }
       showMenuItems();
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "clay-server",
-  "version": "2.17.0-beta.2",
+  "version": "2.17.0-beta.3",
   "description": "Web UI for Claude Code. Any device. Push notifications.",
   "bin": {
     "clay-server": "./bin/cli.js",