clay-server 2.17.0-beta.2 → 2.17.0-beta.4

package/README.md

@@ -168,7 +168,7 @@ Yes. Create as many as you need. A code reviewer, a writing partner, a project m
 
 ## HTTPS
 
-HTTPS is enabled by default using a builtin wildcard certificate for `*.d.clay.studio`. No setup required. Your browser connects to a URL like:
+HTTPS is enabled by default using a builtin wildcard certificate for `*.d.clay.studio`. No setup required. Available from `v2.17.0-beta.2`. Your browser connects to a URL like:
 
 ```
 https://192-168-1-50.d.clay.studio:2633

package/bin/cli.js

@@ -53,6 +53,7 @@ var args = process.argv.slice(2);
 var port = _isDev ? 2635 : 2633;
 var useHttps = true;
 var forceMkcert = false;
+var forceBuiltin = false;
 var skipUpdate = false;
 var debugMode = false;
 var autoYes = false;
@@ -84,6 +85,8 @@ for (var i = 0; i < args.length; i++) {
     useHttps = false;
   } else if (args[i] === "--local-cert") {
     forceMkcert = true;
+  } else if (args[i] === "--builtin-cert") {
+    forceBuiltin = true;
   } else if (args[i] === "--no-update" || args[i] === "--skip-update") {
     skipUpdate = true;
   } else if (args[i] === "--dev") {
@@ -128,7 +131,8 @@ for (var i = 0; i < args.length; i++) {
     console.log("  -p, --port <port>  Port to listen on (default: 2633)");
     console.log("  --host <address>   Address to bind to (default: 0.0.0.0)");
     console.log("  --no-https         Disable HTTPS (enabled by default)");
-    console.log("  --local-cert       Use local certificate (mkcert) instead of builtin");
+    console.log("  --local-cert       Use local certificate (mkcert), suppress migration notice");
+    console.log("  --builtin-cert    Use builtin certificate even if mkcert is installed");
     console.log("  --no-update        Skip auto-update check on startup");
     console.log("  --debug            Enable debug panel in the web UI");
     console.log("  -y, --yes          Skip interactive prompts (accept defaults)");
@@ -599,10 +603,11 @@ function toClayStudioUrl(ip, port, protocol) {
 }
 
 function ensureCerts(ip) {
-  // Check builtin cert first (unless --local-cert flag is set)
-  if (!forceMkcert) {
+  // --builtin-cert: skip mkcert entirely, go straight to builtin
+  if (forceBuiltin) {
     var builtin = getBuiltinCert();
     if (builtin) return builtin;
+    return null;
   }
 
   var homeDir = os.homedir();
@@ -619,24 +624,30 @@ function ensureCerts(ip) {
     fs.copyFileSync(legacyCert, certPath);
   }
 
+  var mkcertInstalled = hasMkcert();
+
   var caRoot = null;
-  try {
-    caRoot = path.join(
-      execSync("mkcert -CAROOT", { encoding: "utf8" }).trim(),
-      "rootCA.pem"
-    );
-    if (!fs.existsSync(caRoot)) caRoot = null;
-  } catch (e) {}
+  if (mkcertInstalled) {
+    try {
+      caRoot = path.join(
+        execSync("mkcert -CAROOT", { encoding: "utf8" }).trim(),
+        "rootCA.pem"
+      );
+      if (!fs.existsSync(caRoot)) caRoot = null;
+    } catch (e) {}
+  }
 
   // Collect all IPv4 addresses (Tailscale + LAN)
   var allIPs = getAllIPs();
 
   if (fs.existsSync(keyPath) && fs.existsSync(certPath)) {
     var needRegen = false;
+    var isMkcertCert = false;
     try {
       var certText = execFileSync("openssl", ["x509", "-in", certPath, "-text", "-noout"], { encoding: "utf8" });
       // If cert is from an external CA (e.g. Tailscale/Let's Encrypt), never regenerate
       if (certText.indexOf("mkcert") === -1) return { key: keyPath, cert: certPath, caRoot: caRoot };
+      isMkcertCert = true;
       for (var i = 0; i < allIPs.length; i++) {
         if (certText.indexOf(allIPs[i]) === -1) {
           needRegen = true;
@@ -644,24 +655,41 @@ function ensureCerts(ip) {
         }
       }
     } catch (e) { needRegen = true; }
-    if (!needRegen) return { key: keyPath, cert: certPath, caRoot: caRoot };
+    // mkcert cert but mkcert uninstalled: CA is gone, cert is untrusted. Skip it.
+    if (isMkcertCert && !mkcertInstalled) needRegen = true;
+    if (!needRegen) {
+      return { key: keyPath, cert: certPath, caRoot: caRoot, mkcertDetected: mkcertInstalled && !forceMkcert };
+    }
   }
 
-  fs.mkdirSync(certDir, { recursive: true });
+  // mkcert installed: generate local cert (legacy behavior)
+  if (mkcertInstalled) {
+    fs.mkdirSync(certDir, { recursive: true });
+
+    var domains = ["localhost", "127.0.0.1", "::1"];
+    for (var i = 0; i < allIPs.length; i++) {
+      if (domains.indexOf(allIPs[i]) === -1) domains.push(allIPs[i]);
+    }
+
+    try {
+      var mkcertArgs = ["-key-file", keyPath, "-cert-file", certPath].concat(domains);
+      execFileSync("mkcert", mkcertArgs, { stdio: "pipe" });
+    } catch (err) {
+      // mkcert generation failed, fall through to builtin
+    }
 
-  var domains = ["localhost", "127.0.0.1", "::1"];
-  for (var i = 0; i < allIPs.length; i++) {
-    if (domains.indexOf(allIPs[i]) === -1) domains.push(allIPs[i]);
+    if (fs.existsSync(keyPath) && fs.existsSync(certPath)) {
+      return { key: keyPath, cert: certPath, caRoot: caRoot, mkcertDetected: !forceMkcert };
+    }
   }
 
-  try {
-    var mkcertArgs = ["-key-file", keyPath, "-cert-file", certPath].concat(domains);
-    execFileSync("mkcert", mkcertArgs, { stdio: "pipe" });
-  } catch (err) {
-    return null;
+  // Fallback: builtin cert (unless --local-cert forces mkcert-only)
+  if (!forceMkcert) {
+    var builtin = getBuiltinCert();
+    if (builtin) return builtin;
   }
 
-  return { key: keyPath, cert: certPath, caRoot: caRoot };
+  return null;
 }
 
 // --- Logo ---
@@ -1436,12 +1464,14 @@ async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
   var ip = getLocalIP();
   var hasTls = false;
   var hasBuiltinCert = false;
+  var mkcertDetected = false;
 
   if (useHttps) {
     var certPaths = ensureCerts(ip);
     if (certPaths) {
       hasTls = true;
       if (certPaths.builtin) hasBuiltinCert = true;
+      if (certPaths.mkcertDetected) mkcertDetected = true;
     } else {
       log(sym.warn + "  " + a.yellow + "HTTPS unavailable" + a.reset + a.dim + " · mkcert not installed" + a.reset);
     }
@@ -1516,6 +1546,7 @@ async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
     pinHash: mode === "multi" && cliPin ? generateAuthToken(cliPin) : null,
     tls: hasTls,
     builtinCert: hasBuiltinCert,
+    mkcertDetected: mkcertDetected,
     debug: debugMode,
     keepAwake: keepAwake,
     dangerouslySkipPermissions: dangerouslySkipPermissions,
@@ -1595,7 +1626,8 @@ async function forkDaemon(mode, keepAwake, extraProjects, addCwd, wantOsUsers) {
       : protocol + "://" + ip + ":" + config.port;
     console.log("  " + sym.done + "  Daemon started (PID " + config.pid + ")");
     console.log("  " + sym.done + "  " + url);
-    if (config.builtinCert) console.log("  " + sym.done + "  d.clay.studio is only used for HTTPS certificates. All traffic stays on your local network. https://github.com/chadbyte/clay/tree/main/clay-dns");
+    if (config.builtinCert) console.log("  " + sym.done + "  d.clay.studio provides HTTPS certificates only. Your traffic never leaves your network.");
+    if (config.mkcertDetected) console.log("  " + sym.warn + "  Clay now ships with a builtin HTTPS certificate. To use it, pass --builtin-cert or uninstall mkcert.");
     console.log("  " + sym.done + "  Headless mode — exiting CLI");
     process.exit(0);
     return;
@@ -1612,12 +1644,14 @@ async function devMode(mode, keepAwake, existingPinHash) {
   var ip = getLocalIP();
   var hasTls = false;
   var hasBuiltinCert = false;
+  var mkcertDetected = false;
 
   if (useHttps) {
     var certPaths = ensureCerts(ip);
     if (certPaths) {
       hasTls = true;
       if (certPaths.builtin) hasBuiltinCert = true;
+      if (certPaths.mkcertDetected) mkcertDetected = true;
     }
   }
 
@@ -1681,6 +1715,7 @@ async function devMode(mode, keepAwake, existingPinHash) {
     pinHash: existingPinHash || null,
     tls: hasTls,
     builtinCert: hasBuiltinCert,
+    mkcertDetected: mkcertDetected,
     debug: true,
     keepAwake: keepAwake || false,
     dangerouslySkipPermissions: dangerouslySkipPermissions,
@@ -1830,6 +1865,7 @@ async function restartDaemonWithTLS(config, callback) {
     return;
   }
   var hasBuiltinCert = !!(certPaths && certPaths.builtin);
+  var mkcertDetected = !!(certPaths && certPaths.mkcertDetected);
 
   // Shut down old daemon
   stopDaemonWatcher();
@@ -1854,6 +1890,7 @@ async function restartDaemonWithTLS(config, callback) {
     pinHash: config.pinHash || null,
     tls: true,
     builtinCert: hasBuiltinCert,
+    mkcertDetected: mkcertDetected,
     debug: config.debug || false,
     keepAwake: config.keepAwake || false,
     dangerouslySkipPermissions: config.dangerouslySkipPermissions || false,
@@ -1952,7 +1989,7 @@ function showMainMenu(config, ip) {
     function afterQr() {
       // Status line
       log("  " + a.dim + "clay" + a.reset + " " + a.dim + "v" + currentVersion + a.reset + a.dim + " — " + url + a.reset);
-      if (config.builtinCert) log("  " + a.dim + "d.clay.studio is only used for HTTPS certificates. All traffic stays on your local network. https://github.com/chadbyte/clay/tree/main/clay-dns" + a.reset);
+      if (config.builtinCert) log("  " + a.dim + "d.clay.studio provides HTTPS certificates only. Your traffic never leaves your network." + a.reset);
       var parts = [];
       parts.push(a.bold + projs.length + a.reset + a.dim + (projs.length === 1 ? " project" : " projects"));
       parts.push(a.reset + a.bold + totalSessions + a.reset + a.dim + (totalSessions === 1 ? " session" : " sessions"));
@@ -1963,6 +2000,13 @@ function showMainMenu(config, ip) {
       log("  Press " + a.bold + "o" + a.reset + " to open in browser");
       log("");
 
+      if (config.mkcertDetected) {
+        log("  " + sym.warn + "  " + a.yellow + "Clay now ships with a builtin HTTPS certificate." + a.reset);
+        log("     " + a.dim + "No more CA setup on each device." + a.reset);
+        log("     " + a.dim + "To use it, pass --builtin-cert or uninstall mkcert." + a.reset);
+        log("");
+      }
+
       showMenuItems();
     }
 
@@ -2032,9 +2076,8 @@ function showMainMenu(config, ip) {
         }
       }, {
         hint: [
-          "claude-relay has been renamed to clay-server  ·  npx clay-server",
           "Run npx clay-server in other directories to add more projects.",
-          "★ github.com/chadbyte/claude-relay — Press s to star the repo",
+          "★ github.com/chadbyte/clay — Press s to star the repo",
         ],
         keys: [
           { key: "o", onKey: function () {
@@ -2042,7 +2085,7 @@ function showMainMenu(config, ip) {
             showMainMenu(config, ip);
           }},
           { key: "s", onKey: function () {
-            openUrl("https://github.com/chadbyte/claude-relay");
+            openUrl("https://github.com/chadbyte/clay");
             showMainMenu(config, ip);
           }},
         ],
@@ -2727,7 +2770,7 @@ var currentVersion = require("../package.json").version;
         : protocol + "://" + ip + ":" + config.port;
       console.log("  " + sym.done + "  Daemon already running (PID " + config.pid + ")");
       console.log("  " + sym.done + "  " + url);
-      if (config.builtinCert) console.log("  " + sym.done + "  d.clay.studio is only used for HTTPS certificates. All traffic stays on your local network. https://github.com/chadbyte/clay/tree/main/clay-dns");
+      if (config.builtinCert) console.log("  " + sym.done + "  d.clay.studio provides HTTPS certificates only. Your traffic never leaves your network.");
       process.exit(0);
       return;
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clay-server",
-  "version": "2.17.0-beta.2",
+  "version": "2.17.0-beta.4",
   "description": "Web UI for Claude Code. Any device. Push notifications.",
   "bin": {
     "clay-server": "./bin/cli.js",