coding-tool-x 3.5.5 → 3.5.7

package/src/server/api/dashboard.js

@@ -26,6 +26,30 @@ const { getTodayStatistics: getCodexTodayStatistics } = require('../services/cod
 const { getTodayStatistics: getGeminiTodayStatistics } = require('../services/gemini-statistics-service');
 const { getTodayStatistics: getOpenCodeTodayStatistics } = require('../services/opencode-statistics-service');
 
+function filterEntriesByToolType(entries = {}, toolType) {
+  return Object.fromEntries(
+    Object.entries(entries || {}).filter(([, value]) => !toolType || !value?.toolType || value.toolType === toolType)
+  );
+}
+
+function extractToolScopedStats(stats, toolType) {
+  if (!stats || !toolType || !stats.byToolType) {
+    return stats;
+  }
+
+  const toolScope = stats.byToolType[toolType] || {};
+  return {
+    ...stats,
+    summary: {
+      requests: toolScope.requests || 0,
+      tokens: toolScope.tokens?.total || 0,
+      cost: toolScope.cost || 0
+    },
+    byChannel: filterEntriesByToolType(stats.byChannel, toolType),
+    byModel: filterEntriesByToolType(stats.byModel, toolType)
+  };
+}
+
 /**
  * GET /api/dashboard/init
  * 聚合首页所需的所有数据，一次请求返回
@@ -123,7 +147,7 @@ router.get('/init', async (req, res) => {
           opencode: opencodeCounts || { projectCount: 0, sessionCount: 0 }
         },
         todayStats: {
-          claude: formatStats(claudeTodayStats),
+          claude: formatStats(extractToolScopedStats(claudeTodayStats, 'claude-code')),
           codex: formatStats(codexTodayStats),
           gemini: formatStats(geminiTodayStats),
           opencode: formatStats(opencodeTodayStats)

package/src/server/api/gemini-sessions.js

@@ -13,6 +13,7 @@ const {
 } = require('../services/gemini-sessions');
 const { isGeminiInstalled } = require('../services/gemini-config');
 const { loadAliases } = require('../services/alias');
+const { buildLaunchCommand } = require('../services/session-launch-command');
 
 module.exports = (config) => {
   /**
@@ -407,9 +408,11 @@ module.exports = (config) => {
       const resumeIndex = sessionIndex + 1;
 
       // 构建 Gemini CLI 命令（使用 --resume <index> 恢复特定会话）
-      const command = `gemini --resume ${resumeIndex}`;
-      const quotedCwd = `"${String(projectPath).replace(/"/g, '\\"')}"`;
-      const copyCommand = `cd ${quotedCwd} && ${command}`;
+      const { command, copyCommand } = buildLaunchCommand({
+        cwd: projectPath,
+        executable: 'gemini',
+        args: ['--resume', String(resumeIndex)]
+      });
 
       res.json({
         success: true,

package/src/server/api/hooks.js

@@ -1,7 +1,7 @@
 const express = require('express');
 const router = express.Router();
 const notificationHooks = require('../services/notification-hooks');
-const { createSameOriginGuard } = require('../services/network-access');
+const { createSameOriginGuard, isLoopbackRequest } = require('../services/network-access');
 
 router.use(createSameOriginGuard({
   message: '禁止跨站访问通知配置接口'
@@ -42,4 +42,20 @@ router.post('/test', async (req, res) => {
   }
 });
 
+router.post('/browser-event', (req, res) => {
+  try {
+    if (!isLoopbackRequest(req)) {
+      return res.status(403).json({
+        error: '浏览器提醒事件仅允许本机触发'
+      });
+    }
+
+    notificationHooks.emitBrowserNotificationEvent(req.body || {});
+    res.json({ success: true });
+  } catch (error) {
+    console.error('Error emitting browser notification event:', error);
+    res.status(error.statusCode || 500).json({ error: error.message });
+  }
+});
+
 module.exports = router;

package/src/server/api/opencode-sessions.js

@@ -14,6 +14,7 @@ const {
 } = require('../services/opencode-sessions');
 const { loadAliases } = require('../services/alias');
 const { broadcastLog } = require('../websocket-server');
+const { buildLaunchCommand } = require('../services/session-launch-command');
 const { HOME_DIR } = require('../../config/paths');
 
 function isNotFoundError(error) {
@@ -350,9 +351,11 @@ module.exports = (config) => {
       const projects = getProjects();
       const project = projects.find(p => p.name === projectName);
       const cwd = session.directory || project?.fullPath || HOME_DIR;
-      const command = `opencode -r ${sessionId}`;
-      const quotedCwd = `"${String(cwd).replace(/"/g, '\\"')}"`;
-      const copyCommand = `cd ${quotedCwd} && ${command}`;
+      const { command, copyCommand } = buildLaunchCommand({
+        cwd,
+        executable: 'opencode',
+        args: ['-r', sessionId]
+      });
 
       broadcastLog({
         type: 'action',

package/src/server/api/plugins.js

@@ -45,6 +45,24 @@ function extractRepoPayload(source = {}) {
   };
 }
 
+function extractPluginQueryInfo(name, query = {}) {
+  return {
+    name,
+    repoId: query.repoId || '',
+    repoProvider: query.repoProvider || '',
+    repoHost: query.repoHost || '',
+    repoOwner: query.repoOwner || '',
+    repoName: query.repoName || '',
+    repoBranch: query.repoBranch || '',
+    directory: query.directory || '',
+    source: query.source || '',
+    repoUrl: query.repoUrl || '',
+    repoProjectPath: query.repoProjectPath || '',
+    repoLocalPath: query.repoLocalPath || '',
+    installPath: query.installPath || ''
+  };
+}
+
 function sanitizeRepo(repo = {}) {
   const token = String(repo.token || '').trim();
   const sanitized = {
@@ -431,36 +449,7 @@ router.get('/:name/readme', async (req, res) => {
   try {
     const { platform, service } = getPluginsService(req);
     const { name } = req.params;
-    const {
-      repoId,
-      repoProvider,
-      repoHost,
-      repoOwner,
-      repoName,
-      repoBranch,
-      directory,
-      source,
-      repoUrl,
-      repoProjectPath,
-      repoLocalPath,
-      installPath
-    } = req.query;
-
-    const pluginInfo = {
-      name,
-      repoId,
-      repoProvider,
-      repoHost,
-      repoOwner,
-      repoName,
-      repoBranch,
-      directory,
-      source,
-      repoUrl,
-      repoProjectPath,
-      repoLocalPath,
-      installPath
-    };
+    const pluginInfo = extractPluginQueryInfo(name, req.query);
 
     const readme = await service.getPluginReadme(pluginInfo);
 
@@ -483,12 +472,14 @@ router.get('/:name/readme', async (req, res) => {
  * 获取单个插件详情
  * GET /api/plugins/:name
  */
-router.get('/:name', (req, res) => {
+router.get('/:name', async (req, res) => {
   try {
     const { platform, service } = getPluginsService(req);
     const { name } = req.params;
-
-    const plugin = service.getPlugin(name);
+    const pluginInfo = extractPluginQueryInfo(name, req.query);
+    const plugin = typeof service.getPluginDetail === 'function'
+      ? await service.getPluginDetail(pluginInfo)
+      : service.getPlugin(name);
 
     if (!plugin) {
       return res.status(404).json({

package/src/server/api/sessions.js

@@ -6,6 +6,7 @@ const readline = require('readline');
 const { getSessionsForProject, deleteSession, forkSession, saveSessionOrder, parseRealProjectPath, searchSessions, getRecentSessions, searchSessionsAcrossProjects, hasActualMessages } = require('../services/sessions');
 const { loadAliases } = require('../services/alias');
 const { broadcastLog } = require('../websocket-server');
+const { buildLaunchCommand } = require('../services/session-launch-command');
 const { NATIVE_PATHS } = require('../../config/paths');
 const CLAUDE_PROJECTS_DIR = NATIVE_PATHS.claude.projects;
 
@@ -570,9 +571,11 @@ module.exports = (config) => {
         timestamp: Date.now()
       });
 
-      const command = `claude -r ${sessionId}`;
-      const quotedCwd = `"${String(cwd).replace(/"/g, '\\"')}"`;
-      const copyCommand = `cd ${quotedCwd} && ${command}`;
+      const { command, copyCommand } = buildLaunchCommand({
+        cwd,
+        executable: 'claude',
+        args: ['-r', sessionId]
+      });
 
       res.json({
         success: true,

package/src/server/index.js

@@ -1,4 +1,5 @@
 const express = require('express');
+const https = require('https');
 const path = require('path');
 const chalk = require('chalk');
 const { loadConfig } = require('../config/loader');
@@ -21,8 +22,10 @@ const { startProxyServer } = require('./proxy-server');
 const { startCodexProxyServer } = require('./codex-proxy-server');
 const { startGeminiProxyServer } = require('./gemini-proxy-server');
 const { startOpenCodeProxyServer, collectProxyModelList } = require('./opencode-proxy-server');
-const { createRemoteMutationGuard } = require('./services/network-access');
+const { createRemoteMutationGuard, isRemoteMutationAllowed } = require('./services/network-access');
 const { createApiRequestLogger } = require('./services/request-logger');
+const { getLocalHttpsCredentials } = require('./services/https-cert');
+const { getWebUiProtocol, isHttpsEnabled, getWebUiBaseUrl, getWebSocketBaseUrl } = require('./services/web-ui-runtime');
 
 function getInquirer() {
   return require('inquirer');
@@ -59,6 +62,8 @@ function printPortToolIssue(issue = getPortToolIssue()) {
 async function startServer(port, host = '127.0.0.1', options = {}) {
   ensureStorageDirMigrated();
   const config = loadConfig();
+  const webUiProtocol = getWebUiProtocol({ https: options.https });
+  const httpsEnabled = isHttpsEnabled({ protocol: webUiProtocol });
   // 使用配置的端口，如果没有传入参数
   if (!port) {
     port = config.ports?.webUI || 19999;
@@ -132,7 +137,9 @@ async function startServer(port, host = '127.0.0.1', options = {}) {
 
   const app = express();
   const lanMode = host === '0.0.0.0';
-  const allowRemoteMutation = process.env.CC_TOOL_ALLOW_REMOTE_WRITE === 'true';
+  const allowRemoteMutation = lanMode
+    ? isRemoteMutationAllowed(process.env.CC_TOOL_ALLOW_REMOTE_WRITE)
+    : true;
 
   // Middleware
   app.use(express.json({ limit: '100mb' }));
@@ -156,7 +163,7 @@ async function startServer(port, host = '127.0.0.1', options = {}) {
     app.use('/api', createRemoteMutationGuard({
       enabled: true,
       allowRemoteMutation,
-      message: '出于安全考虑，LAN 模式默认仅允许本机执行写操作。可设置 CC_TOOL_ALLOW_REMOTE_WRITE=true 覆盖。'
+      message: '当前已禁用 LAN 远程写操作，可设置 CC_TOOL_ALLOW_REMOTE_WRITE=true 重新开启。'
     }));
 
   }
@@ -245,7 +252,18 @@ async function startServer(port, host = '127.0.0.1', options = {}) {
   }
 
   // Start server（确保监听成功后才返回，避免命令误报“已启动”）
-  const server = app.listen(port, host);
+  let httpsCertificate = null;
+  const server = httpsEnabled
+    ? (() => {
+      httpsCertificate = getLocalHttpsCredentials();
+      const httpsServer = https.createServer({
+        key: httpsCertificate.key,
+        cert: httpsCertificate.cert
+      }, app);
+      httpsServer.listen(port, host);
+      return httpsServer;
+    })()
+    : app.listen(port, host);
   await new Promise((resolve) => {
     const onListening = () => {
       server.off('error', onError);
@@ -272,18 +290,22 @@ async function startServer(port, host = '127.0.0.1', options = {}) {
   console.log(`\n[START] Coding-Tool Web UI running at:`);
   if (host === '0.0.0.0') {
     console.log(chalk.yellow(`   [WARN]  警告: 服务正在监听所有网络接口 (LAN 可访问)`));
-    console.log(`   http://localhost:${port}`);
-    console.log(chalk.gray(`   http://<your-ip>:${port} (LAN 访问)`));
+    console.log(`   ${getWebUiBaseUrl(port, { protocol: webUiProtocol })}`);
+    console.log(chalk.gray(`   ${webUiProtocol}://<your-ip>:${port} (LAN 访问)`));
   } else {
-    console.log(`   http://localhost:${port}`);
+    console.log(`   ${getWebUiBaseUrl(port, { protocol: webUiProtocol })}`);
   }
 
   // 附加 WebSocket 服务器到同一个端口
   attachWebSocketServer(server, { host });
-  console.log(`   ws://localhost:${port}/ws\n`);
+  console.log(`   ${getWebSocketBaseUrl(port, { protocol: webUiProtocol })}/ws\n`);
+
+  if (httpsEnabled && httpsCertificate?.generated) {
+    console.log(chalk.gray(`   [LOCK] 已生成本地 HTTPS 证书: ${httpsCertificate.certPath}`));
+  }
 
   if (host === '0.0.0.0' && !allowRemoteMutation) {
-    console.log(chalk.yellow('   [LOCK] 已启用 LAN 安全保护：远程写操作默认禁用'));
+    console.log(chalk.yellow('   [LOCK] 已禁用 LAN 远程写操作 (CC_TOOL_ALLOW_REMOTE_WRITE=false)'));
   }
   // 自动恢复代理状态
   autoRestoreProxies();

package/src/server/services/codex-sessions.js

@@ -10,6 +10,7 @@ const ALL_SESSIONS_CACHE_TTL_MS = 20 * 1000;
 const PROJECTS_CACHE_TTL_MS = 300 * 1000;
 const PROJECT_SESSIONS_CACHE_TTL_MS = 120 * 1000;
 const FAST_META_READ_BYTES = 64 * 1024;
+const MAX_SESSION_META_SUMMARY_CACHE_ENTRIES = 5000;
 const EMPTY_COUNTS = Object.freeze({ projectCount: 0, sessionCount: 0 });
 
 let countsCache = {
@@ -32,6 +33,8 @@ let allSessionsCache = {
   value: []
 };
 
+let sessionMetaSummaryCache = new Map();
+
 const CODEX_PROJECTS_CACHE_KEY = `${CacheKeys.PROJECTS}codex`;
 const codexSessionCacheKeys = new Set();
 
@@ -39,6 +42,47 @@ function getCodexSessionsCacheKey(projectName) {
   return `${CacheKeys.SESSIONS}codex:${projectName}`;
 }
 
+function getSessionMetaSummaryCacheKey(filePath, fileMeta = {}) {
+  return `${filePath}:${fileMeta.mtimeMs || 0}:${fileMeta.size || 0}`;
+}
+
+function getCachedSessionMetaSummary(filePath, fileMeta) {
+  if (!fileMeta) {
+    return null;
+  }
+  return sessionMetaSummaryCache.get(getSessionMetaSummaryCacheKey(filePath, fileMeta)) || null;
+}
+
+function setCachedSessionMetaSummary(filePath, fileMeta, summary) {
+  if (!fileMeta || !summary?.payload) {
+    return;
+  }
+
+  const cacheKey = getSessionMetaSummaryCacheKey(filePath, fileMeta);
+  sessionMetaSummaryCache.delete(cacheKey);
+  sessionMetaSummaryCache.set(cacheKey, summary);
+
+  while (sessionMetaSummaryCache.size > MAX_SESSION_META_SUMMARY_CACHE_ENTRIES) {
+    const oldestKey = sessionMetaSummaryCache.keys().next().value;
+    if (!oldestKey) {
+      break;
+    }
+    sessionMetaSummaryCache.delete(oldestKey);
+  }
+}
+
+function pruneSessionMetaSummaryCache(files = []) {
+  const activeKeys = new Set(
+    files.map(file => getSessionMetaSummaryCacheKey(file.filePath, file))
+  );
+
+  for (const cacheKey of sessionMetaSummaryCache.keys()) {
+    if (!activeKeys.has(cacheKey)) {
+      sessionMetaSummaryCache.delete(cacheKey);
+    }
+  }
+}
+
 /**
  * 获取会话目录
  */
@@ -128,6 +172,7 @@ function scanSessionFiles() {
     expiresAt,
     value: new Map(parsed.map(file => [file.sessionId, file]))
   };
+  pruneSessionMetaSummaryCache(parsed);
 
   return parsed;
 }
@@ -145,7 +190,7 @@ function getAllSessions() {
   const files = scanSessionFiles();
 
   const parsed = files.map(file => {
-    const fastSummary = readSessionMetaSummaryFast(file.filePath);
+    const fastSummary = readSessionMetaSummaryFast(file.filePath, file);
     let session = null;
 
     if (fastSummary && fastSummary.payload) {
@@ -216,7 +261,7 @@ function normalizeSession(codexSession) {
     filePath: filePath || '',
     gitBranch: meta.git?.branch || null,
     firstMessage: preview || null,
-    forkedFrom: null, // Codex 不支持 fork
+    forkedFrom: null,
 
     // 额外的 Codex 特有字段（前端可能需要）
     source: 'codex'
@@ -655,9 +700,10 @@ function forkSession(sessionId) {
 
   const newFileName = `rollout-${timestamp}-${newSessionId}.jsonl`;
   const newFilePath = path.join(targetDir, newFileName);
+  const rewrittenContent = rewriteForkedCodexSessionContent(content, newSessionId, now.toISOString());
 
   // 写入新文件
-  fs.writeFileSync(newFilePath, content, 'utf8');
+  fs.writeFileSync(newFilePath, rewrittenContent, 'utf8');
 
   // 保存 fork 关系（复用 Claude Code 的 fork 关系存储）
   const { getForkRelations, saveForkRelations } = require('./sessions');
@@ -674,6 +720,50 @@ function forkSession(sessionId) {
   };
 }
 
+function rewriteForkedCodexSessionContent(content, newSessionId, nowIsoTimestamp) {
+  const lines = String(content || '').split('\n');
+
+  return lines.map((line) => {
+    if (!line.trim()) {
+      return line;
+    }
+
+    let parsed;
+    try {
+      parsed = JSON.parse(line);
+    } catch (err) {
+      return line;
+    }
+
+    if (parsed.type === 'session_meta' && parsed.payload && typeof parsed.payload === 'object') {
+      return JSON.stringify({
+        ...parsed,
+        timestamp: nowIsoTimestamp,
+        payload: {
+          ...parsed.payload,
+          id: newSessionId,
+          timestamp: nowIsoTimestamp
+        }
+      });
+    }
+
+    if (parsed.type === 'event' && parsed.event && typeof parsed.event === 'object' && parsed.event.type === 'session_start') {
+      const nextEvent = { ...parsed.event };
+      if (typeof nextEvent.session_id === 'string' && nextEvent.session_id.trim()) {
+        nextEvent.session_id = newSessionId;
+      }
+
+      return JSON.stringify({
+        ...parsed,
+        timestamp: nowIsoTimestamp,
+        event: nextEvent
+      });
+    }
+
+    return line;
+  }).join('\n');
+}
+
 /**
  * 获取会话排序（按项目）
  * @param {string} projectName - 项目名称
@@ -803,7 +893,12 @@ function extractCodexPreviewFromResponseItem(payload = {}) {
   return text.substring(0, 100);
 }
 
-function readSessionMetaSummaryFast(filePath) {
+function readSessionMetaSummaryFast(filePath, fileMeta = null) {
+  const cached = getCachedSessionMetaSummary(filePath, fileMeta);
+  if (cached) {
+    return cached;
+  }
+
   let fd;
   try {
     fd = fs.openSync(filePath, 'r');
@@ -841,7 +936,9 @@ function readSessionMetaSummaryFast(filePath) {
     }
 
     if (!payload) return null;
-    return { payload, preview };
+    const summary = { payload, preview };
+    setCachedSessionMetaSummary(filePath, fileMeta, summary);
+    return summary;
   } catch (err) {
     return null;
   } finally {
@@ -855,8 +952,8 @@ function readSessionMetaSummaryFast(filePath) {
   }
 }
 
-function readSessionMetaPayloadFast(filePath) {
-  const summary = readSessionMetaSummaryFast(filePath);
+function readSessionMetaPayloadFast(filePath, fileMeta = null) {
+  const summary = readSessionMetaSummaryFast(filePath, fileMeta);
   return summary?.payload || null;
 }
 
@@ -881,7 +978,7 @@ function calculateProjectAndSessionCounts() {
 
   const projectNames = new Set();
   sessions.forEach((session) => {
-    const payload = readSessionMetaPayloadFast(session.filePath);
+    const payload = readSessionMetaPayloadFast(session.filePath, session);
     const projectName = extractCodexProjectNameFromMeta(payload || {});
     if (projectName) {
       projectNames.add(projectName);
@@ -932,5 +1029,6 @@ module.exports = {
   saveSessionOrder,
   getProjectOrder,
   saveProjectOrder,
-  getProjectAndSessionCounts
+  getProjectAndSessionCounts,
+  rewriteForkedCodexSessionContent
 };

package/src/server/services/https-cert.js

@@ -0,0 +1,171 @@
+const fs = require('fs');
+const net = require('net');
+const os = require('os');
+const path = require('path');
+const selfsigned = require('selfsigned');
+const { PATHS } = require('../../config/paths');
+
+function dedupeSorted(values = []) {
+  return [...new Set(values.filter(Boolean).map((value) => String(value).trim()).filter(Boolean))].sort();
+}
+
+function isIpAddress(value) {
+  return net.isIP(String(value || '').trim()) !== 0;
+}
+
+function isValidDnsLabel(value) {
+  return /^[A-Za-z0-9.-]+$/.test(String(value || '').trim());
+}
+
+function collectLocalCertificateHosts() {
+  const hosts = ['localhost', '127.0.0.1', '::1'];
+  const hostname = os.hostname();
+  if (isValidDnsLabel(hostname)) {
+    hosts.push(hostname);
+  }
+
+  const interfaces = os.networkInterfaces();
+  Object.values(interfaces).forEach((entries) => {
+    (entries || []).forEach((entry) => {
+      const address = String(entry?.address || '').trim();
+      if (!address) {
+        return;
+      }
+
+      if (entry?.family === 'IPv4' || entry?.family === 4) {
+        hosts.push(address);
+        return;
+      }
+
+      if ((entry?.family === 'IPv6' || entry?.family === 6) && address !== '::1' && !address.startsWith('fe80::')) {
+        hosts.push(address);
+      }
+    });
+  });
+
+  return dedupeSorted(hosts);
+}
+
+function buildSubjectAltNames(hosts = collectLocalCertificateHosts()) {
+  return dedupeSorted(hosts).map((value) => (
+    isIpAddress(value)
+      ? { type: 7, ip: value }
+      : { type: 2, value }
+  ));
+}
+
+function ensureParentDir(filePath) {
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+}
+
+function readMeta(metaPath) {
+  if (!fs.existsSync(metaPath)) {
+    return null;
+  }
+
+  try {
+    return JSON.parse(fs.readFileSync(metaPath, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function needsRegeneration(hosts, meta) {
+  if (!meta || !Array.isArray(meta.hosts)) {
+    return true;
+  }
+  const currentHosts = dedupeSorted(hosts);
+  const storedHosts = dedupeSorted(meta.hosts);
+  return currentHosts.length !== storedHosts.length || currentHosts.some((value, index) => value !== storedHosts[index]);
+}
+
+function generateSelfSignedCertificate(hosts) {
+  const primaryHost = hosts.find((value) => value === '127.0.0.1')
+    || hosts.find((value) => !isIpAddress(value))
+    || hosts[0]
+    || '127.0.0.1';
+
+  const attrs = [{ name: 'commonName', value: primaryHost }];
+  return selfsigned.generate(attrs, {
+    algorithm: 'sha256',
+    days: 3650,
+    keySize: 2048,
+    extensions: [
+      { name: 'basicConstraints', cA: false },
+      {
+        name: 'keyUsage',
+        digitalSignature: true,
+        keyEncipherment: true
+      },
+      {
+        name: 'extKeyUsage',
+        serverAuth: true
+      },
+      {
+        name: 'subjectAltName',
+        altNames: buildSubjectAltNames(hosts)
+      }
+    ]
+  });
+}
+
+function ensureLocalHttpsCertificate(options = {}) {
+  const keyPath = options.keyPath || PATHS.https.key;
+  const certPath = options.certPath || PATHS.https.cert;
+  const metaPath = options.metaPath || PATHS.https.meta;
+  const hosts = dedupeSorted(options.hosts || collectLocalCertificateHosts());
+  const existingMeta = readMeta(metaPath);
+  const hasFiles = fs.existsSync(keyPath) && fs.existsSync(certPath);
+
+  if (hasFiles && !needsRegeneration(hosts, existingMeta)) {
+    return {
+      keyPath,
+      certPath,
+      metaPath,
+      hosts,
+      generated: false
+    };
+  }
+
+  ensureParentDir(keyPath);
+  ensureParentDir(certPath);
+  ensureParentDir(metaPath);
+
+  const certificate = generateSelfSignedCertificate(hosts);
+  fs.writeFileSync(keyPath, certificate.private, 'utf8');
+  fs.writeFileSync(certPath, certificate.cert, 'utf8');
+  fs.writeFileSync(metaPath, JSON.stringify({
+    hosts,
+    generatedAt: new Date().toISOString()
+  }, null, 2), 'utf8');
+
+  return {
+    keyPath,
+    certPath,
+    metaPath,
+    hosts,
+    generated: true
+  };
+}
+
+function getLocalHttpsCredentials(options = {}) {
+  const certificate = ensureLocalHttpsCertificate(options);
+  return {
+    ...certificate,
+    key: fs.readFileSync(certificate.keyPath),
+    cert: fs.readFileSync(certificate.certPath)
+  };
+}
+
+module.exports = {
+  ensureLocalHttpsCertificate,
+  getLocalHttpsCredentials,
+  _test: {
+    dedupeSorted,
+    isIpAddress,
+    isValidDnsLabel,
+    collectLocalCertificateHosts,
+    buildSubjectAltNames,
+    needsRegeneration
+  }
+};