commandmate 0.2.13 → 0.3.0

package/dist/cli/commands/start.js

@@ -4,6 +4,7 @@
  * Issue #96: npm install CLI support
  * Issue #125: Use getEnvPath and getPidFilePath for correct path resolution
  * Issue #136: Add --issue and --auto-port flags for worktree support
+ * Issue #331: Add --auth, --auth-expire, --https, --cert, --key, --allow-http flags
  * Start CommandMate server
  */
 Object.defineProperty(exports, "__esModule", { value: true });
@@ -21,11 +22,41 @@ const security_messages_1 = require("../config/security-messages");
 const input_validators_1 = require("../utils/input-validators");
 const port_allocator_1 = require("../utils/port-allocator");
 const resource_resolvers_1 = require("../utils/resource-resolvers");
+const auth_1 = require("../../lib/auth");
 const logger = new logger_1.CLILogger();
+/**
+ * Display the generated authentication token to the user.
+ * Called once after server start; the token is not persisted and cannot be retrieved later.
+ *
+ * @param token - The plaintext authentication token to display
+ */
+function displayAuthToken(token) {
+    logger.info('');
+    logger.info('Authentication token (save this - it will not be shown again):');
+    logger.info(`  ${token}`);
+    logger.info('');
+}
+/** HTTPS certificate warning when --auth is used without --cert/--key */
+const HTTPS_WARNING = `
+\x1b[1m\x1b[33mWARNING: Authentication enabled without HTTPS\x1b[0m
+
+Token will be transmitted in plain text over HTTP.
+For secure authentication, use HTTPS with a TLS certificate.
+
+\x1b[1mQuick setup with mkcert:\x1b[0m
+  brew install mkcert     # macOS
+  mkcert -install
+  mkcert localhost
+
+  commandmate start --auth --cert ./localhost.pem --key ./localhost-key.pem
+
+Use --allow-http to suppress this warning.
+`;
 /**
  * Execute start command
  * Issue #125: Use getEnvPath and getPidFilePath for correct path resolution
  * Issue #136: Support --issue and --auto-port flags for worktree servers
+ * Issue #331: Support --auth, --auth-expire, --https, --cert, --key, --allow-http
  */
 async function startCommand(options) {
     try {
@@ -38,6 +69,17 @@ async function startCommand(options) {
                 return;
             }
         }
+        // Issue #331: Validate auth-expire format before proceeding
+        if (options.authExpire) {
+            try {
+                (0, auth_1.parseDuration)(options.authExpire);
+            }
+            catch (error) {
+                logger.error(`Invalid --auth-expire value: ${(0, types_1.getErrorMessage)(error)}`);
+                process.exit(types_1.ExitCode.CONFIG_ERROR);
+                return;
+            }
+        }
         // Issue #125: Check for .env file at correct location
         // Issue #136: Use issue number for worktree-specific paths
         const envPath = (0, env_setup_1.getEnvPath)(options.issue);
@@ -69,6 +111,58 @@ async function startCommand(options) {
             dbPath = dbResolver.resolve(options.issue);
             logger.info(`Using database: ${dbPath}`);
         }
+        // Issue #331: Generate token and hash if --auth is enabled
+        let authTokenHash;
+        let authToken;
+        if (options.auth) {
+            authToken = (0, auth_1.generateToken)();
+            authTokenHash = (0, auth_1.hashToken)(authToken);
+        }
+        // Issue #331: Validate --cert/--key must be specified together
+        if ((options.cert && !options.key) || (!options.cert && options.key)) {
+            logger.error('--cert and --key must be specified together');
+            process.exit(types_1.ExitCode.CONFIG_ERROR);
+            return;
+        }
+        // Issue #331: Determine protocol (matches server.ts: cert+key → always HTTPS)
+        const hasCert = !!(options.cert && options.key);
+        const protocol = hasCert ? 'https' : 'http';
+        // Issue #331: HTTPS certificate validation
+        if (hasCert) {
+            if (!(0, fs_1.existsSync)(options.cert)) {
+                logger.error(`Certificate file not found: ${options.cert}`);
+                process.exit(types_1.ExitCode.CONFIG_ERROR);
+                return;
+            }
+            if (!(0, fs_1.existsSync)(options.key)) {
+                logger.error(`Key file not found: ${options.key}`);
+                process.exit(types_1.ExitCode.CONFIG_ERROR);
+                return;
+            }
+        }
+        // Issue #331: Warn about --auth without HTTPS
+        if (options.auth && !hasCert && !options.allowHttp) {
+            console.log(HTTPS_WARNING);
+        }
+        // Load .env to check for legacy CM_AUTH_TOKEN
+        const mainEnvResult = (0, dotenv_1.config)({ path: mainEnvPath });
+        let envResult = mainEnvResult;
+        if (options.issue !== undefined && (0, fs_1.existsSync)(envPath) && envPath !== mainEnvPath) {
+            envResult = (0, dotenv_1.config)({ path: envPath, override: true });
+        }
+        // Issue #331: Warn about legacy CM_AUTH_TOKEN
+        const allEnvParsed = {
+            ...(mainEnvResult.parsed || {}),
+            ...(envResult.parsed || {}),
+        };
+        if (allEnvParsed.CM_AUTH_TOKEN) {
+            logger.warn('CM_AUTH_TOKEN found in .env file. This is no longer used.');
+            logger.warn('Use "commandmate start --auth" instead. The token is now generated automatically.');
+        }
+        if (mainEnvResult.error) {
+            logger.warn(`Failed to load .env file at ${mainEnvPath}: ${mainEnvResult.error.message}`);
+            logger.info('Continuing with existing environment variables');
+        }
         // Daemon mode
         if (options.daemon) {
             // Check if already running
@@ -79,23 +173,57 @@ async function startCommand(options) {
                 return;
             }
             logger.info(`Starting ${serverLabel} in background...`);
+            // Issue #331: Set auth environment variables in process.env so daemon.ts can forward them
+            // to the child process. daemon.ts reads process.env[key] to build the child env object.
+            if (authTokenHash) {
+                process.env.CM_AUTH_TOKEN_HASH = authTokenHash;
+            }
+            if (options.authExpire) {
+                process.env.CM_AUTH_EXPIRE = options.authExpire;
+            }
+            if (options.cert) {
+                process.env.CM_HTTPS_CERT = options.cert;
+            }
+            if (options.key) {
+                process.env.CM_HTTPS_KEY = options.key;
+            }
+            if (options.allowHttp) {
+                process.env.CM_ALLOW_HTTP = '1';
+            }
+            // Issue #332: Set IP restriction env vars for daemon mode
+            if (options.allowedIps) {
+                process.env.CM_ALLOWED_IPS = options.allowedIps;
+            }
+            if (options.trustProxy) {
+                process.env.CM_TRUST_PROXY = 'true';
+            }
             try {
                 const pid = await daemonManager.start({
                     dev: options.dev,
                     port: port,
                     // Issue #136: Pass DB path for worktree servers
                     dbPath: dbPath,
+                    // Issue #331: Pass auth and HTTPS options
+                    auth: options.auth,
+                    authExpire: options.authExpire,
+                    cert: options.cert,
+                    key: options.key,
+                    allowHttp: options.allowHttp,
                 });
                 logger.success(`${serverLabel} started in background (PID: ${pid})`);
                 const actualPort = port || parseInt(process.env.CM_PORT || '3000', 10);
                 const bind = process.env.CM_BIND || '127.0.0.1';
-                const url = `http://${bind === '0.0.0.0' ? '127.0.0.1' : bind}:${actualPort}`;
+                const url = `${protocol}://${bind === '0.0.0.0' ? '127.0.0.1' : bind}:${actualPort}`;
                 logger.info(`URL: ${url}`);
+                // Issue #331: Show token to user (shown once, not persisted)
+                if (authToken) {
+                    displayAuthToken(authToken);
+                }
                 (0, security_logger_1.logSecurityEvent)({
                     timestamp: new Date().toISOString(),
                     command: 'start',
                     action: 'success',
-                    details: `Daemon started (PID: ${pid})${options.issue !== undefined ? ` (Issue #${options.issue})` : ''}`,
+                    details: `Daemon started (PID: ${pid})${options.issue !== undefined ? ` (Issue #${options.issue})` : ''}${options.auth ? ' [auth enabled]' : ''}`,
                 });
                 process.exit(types_1.ExitCode.SUCCESS);
             }
@@ -115,17 +243,6 @@ async function startCommand(options) {
         // Foreground mode (default)
         const npmScript = options.dev ? 'dev' : 'start';
         logger.info(`Starting ${serverLabel} in foreground (${options.dev ? 'development' : 'production'} mode)...`);
-        // Issue #125: Load .env file from correct location (same as daemon mode)
-        // Issue #136: Load main .env first, then overlay worktree-specific .env if exists
-        const mainEnvResult = (0, dotenv_1.config)({ path: mainEnvPath });
-        let envResult = mainEnvResult;
-        if (options.issue !== undefined && (0, fs_1.existsSync)(envPath) && envPath !== mainEnvPath) {
-            envResult = (0, dotenv_1.config)({ path: envPath, override: true });
-        }
-        if (mainEnvResult.error) {
-            logger.warn(`Failed to load .env file at ${mainEnvPath}: ${mainEnvResult.error.message}`);
-            logger.info('Continuing with existing environment variables');
-        }
         // Build environment by merging process.env with .env values
         const env = {
             ...process.env,
@@ -140,11 +257,39 @@ async function startCommand(options) {
         if (dbPath) {
             env.CM_DB_PATH = dbPath;
         }
+        // Issue #331: Set auth environment variables
+        if (authTokenHash) {
+            env.CM_AUTH_TOKEN_HASH = authTokenHash;
+        }
+        if (options.authExpire) {
+            env.CM_AUTH_EXPIRE = options.authExpire;
+        }
+        if (options.cert) {
+            env.CM_HTTPS_CERT = options.cert;
+        }
+        if (options.key) {
+            env.CM_HTTPS_KEY = options.key;
+        }
+        if (options.allowHttp) {
+            env.CM_ALLOW_HTTP = '1';
+        }
+        // Issue #332: Set IP restriction env vars for foreground mode
+        if (options.allowedIps) {
+            env.CM_ALLOWED_IPS = options.allowedIps;
+        }
+        if (options.trustProxy) {
+            env.CM_TRUST_PROXY = 'true';
+        }
         // Issue #179: Security warning for external access - recommend reverse proxy
         const bindAddress = env.CM_BIND || '127.0.0.1';
-        if (bindAddress === '0.0.0.0') {
+        // Issue #332: Suppress warning when --allowed-ips is set (IP restriction provides access control)
+        if (bindAddress === '0.0.0.0' && !options.auth && !options.allowedIps) {
             console.log(security_messages_1.REVERSE_PROXY_WARNING);
         }
+        // Issue #331: Show token to user (foreground mode, shown once, not persisted)
+        if (authToken) {
+            displayAuthToken(authToken);
+        }
         // Use package installation directory, not current working directory
         const packageRoot = (0, paths_1.getPackageRoot)();
         const child = (0, child_process_1.spawn)('npm', ['run', npmScript], {

package/dist/cli/commands/status.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/status.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAA6B,aAAa,EAAE,MAAM,UAAU,CAAC;AAqFpE;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,OAAO,GAAE,aAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CA6E9E"}
+{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/status.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAA6B,aAAa,EAAE,MAAM,UAAU,CAAC;AAqFpE;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,OAAO,GAAE,aAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAkF9E"}

package/dist/cli/commands/status.js

@@ -140,6 +140,10 @@ async function statusCommand(options = {}) {
         if (status.url) {
             console.log(`URL:     ${status.url}`);
         }
+        // Issue #332: Show IP restriction status
+        if (process.env.CM_ALLOWED_IPS) {
+            console.log(`IP ACL:  ${process.env.CM_ALLOWED_IPS}`);
+        }
         console.log('');
         process.exit(types_1.ExitCode.SUCCESS);
     }

package/dist/cli/config/security-messages.d.ts

@@ -1,13 +1,15 @@
 /**
  * Security Messages
  * Issue #179: Reverse proxy authentication recommendation
+ * Issue #331: Updated to include --auth option
  * Shared warning constants for CLI commands (DRY principle)
  *
  * [SF-002] GitHub URLs imported from github-links.ts (DRY)
  */
 /**
- * Warning message displayed when CM_BIND=0.0.0.0
+ * Warning message displayed when CM_BIND=0.0.0.0 and --auth is not enabled
  * Used by: init.ts, start.ts, daemon.ts
+ * Issue #331: Added --auth as a recommended option
  */
 export declare const REVERSE_PROXY_WARNING: string;
 //# sourceMappingURL=security-messages.d.ts.map

package/dist/cli/config/security-messages.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security-messages.d.ts","sourceRoot":"","sources":["../../../src/cli/config/security-messages.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH;;;GAGG;AACH,eAAO,MAAM,qBAAqB,QAgBjC,CAAC"}
+{"version":3,"file":"security-messages.d.ts","sourceRoot":"","sources":["../../../src/cli/config/security-messages.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,QAkBjC,CAAC"}

package/dist/cli/config/security-messages.js

@@ -2,6 +2,7 @@
 /**
  * Security Messages
  * Issue #179: Reverse proxy authentication recommendation
+ * Issue #331: Updated to include --auth option
  * Shared warning constants for CLI commands (DRY principle)
  *
  * [SF-002] GitHub URLs imported from github-links.ts (DRY)
@@ -10,20 +11,23 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.REVERSE_PROXY_WARNING = void 0;
 const github_links_1 = require("../../config/github-links");
 /**
- * Warning message displayed when CM_BIND=0.0.0.0
+ * Warning message displayed when CM_BIND=0.0.0.0 and --auth is not enabled
  * Used by: init.ts, start.ts, daemon.ts
+ * Issue #331: Added --auth as a recommended option
  */
 exports.REVERSE_PROXY_WARNING = `
 \x1b[1m\x1b[31mWARNING: Server is exposed to external networks without authentication\x1b[0m
 
 Exposing the server without reverse proxy authentication
-is a serious security risk.
+or built-in token auth is a serious security risk.
 
 \x1b[1mRisks:\x1b[0m
   File read/write/delete and command execution
   become accessible to third parties.
 
 \x1b[1mRecommended authentication methods:\x1b[0m
+  - commandmate start --auth (built-in token auth)
+  - commandmate start --allowed-ips 192.168.1.0/24 (IP restriction)
   - Nginx + Basic Auth
   - Cloudflare Access
   - Tailscale

package/dist/cli/index.js

@@ -33,6 +33,7 @@ program
 });
 // Start command
 // Issue #136: Add --issue and --auto-port flags for worktree support
+// Issue #331: Add --auth, --auth-expire, --https, --cert, --key, --allow-http flags
 program
     .command('start')
     .description('Start the CommandMate server')
@@ -41,6 +42,14 @@ program
     .option('-p, --port <number>', 'Override port number', parseInt)
     .option('-i, --issue <number>', 'Start server for specific issue worktree', parseInt)
     .option('--auto-port', 'Automatically allocate port for worktree server')
+    .option('--auth', 'Enable token authentication')
+    .option('--auth-expire <duration>', 'Token expiration (e.g., 24h, 7d, 90m)')
+    .option('--https', 'Enable HTTPS')
+    .option('--cert <path>', 'Path to TLS certificate file')
+    .option('--key <path>', 'Path to TLS private key file')
+    .option('--allow-http', 'Suppress HTTPS warning when using --auth without certificates')
+    .option('--allowed-ips <cidrs>', 'Allowed IP addresses/CIDR ranges (comma-separated)')
+    .option('--trust-proxy', 'Trust X-Forwarded-For header from reverse proxy')
     .action(async (options) => {
     await (0, start_1.startCommand)({
         dev: options.dev,
@@ -48,6 +57,14 @@ program
         port: options.port,
         issue: options.issue,
         autoPort: options.autoPort,
+        auth: options.auth,
+        authExpire: options.authExpire,
+        https: options.https,
+        cert: options.cert,
+        key: options.key,
+        allowHttp: options.allowHttp,
+        allowedIps: options.allowedIps,
+        trustProxy: options.trustProxy,
     });
 });
 // Stop command

package/dist/cli/types/index.d.ts

@@ -26,6 +26,7 @@ export interface InitOptions {
 /**
  * Options for start command
  * Issue #136: Added issue and autoPort for worktree support
+ * Issue #331: Added auth, authExpire, https, cert, key, allowHttp for token auth and HTTPS
  */
 export interface StartOptions {
     /** Start in development mode */
@@ -40,6 +41,22 @@ export interface StartOptions {
     autoPort?: boolean;
     /** Override database path for worktree server (Issue #136) */
     dbPath?: string;
+    /** Enable token authentication (Issue #331) */
+    auth?: boolean;
+    /** Token expiration duration (e.g., "24h", "7d") (Issue #331) */
+    authExpire?: string;
+    /** Enable HTTPS (Issue #331) */
+    https?: boolean;
+    /** Path to TLS certificate file (Issue #331) */
+    cert?: string;
+    /** Path to TLS private key file (Issue #331) */
+    key?: string;
+    /** Suppress HTTPS warning when using --auth without certificates (Issue #331) */
+    allowHttp?: boolean;
+    /** Issue #332: Allowed IP addresses/CIDR ranges (comma-separated) */
+    allowedIps?: string;
+    /** Issue #332: Trust X-Forwarded-For header from reverse proxy */
+    trustProxy?: boolean;
 }
 /**
  * Options for stop command

package/dist/cli/types/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cli/types/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,oBAAY,QAAQ;IAClB,OAAO,IAAI;IACX,gBAAgB,IAAI;IACpB,YAAY,IAAI;IAChB,YAAY,IAAI;IAChB,WAAW,IAAI;IACf,gBAAgB,KAAK;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,uCAAuC;IACvC,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,gCAAgC;IAChC,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,wBAAwB;IACxB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,8DAA8D;IAC9D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,8BAA8B;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qCAAqC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,QAAQ,EAAE,OAAO,CAAC;IAClB,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,sBAAsB;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,mBAAmB;IACnB,MAAM,EAAE,IAAI,GAAG,SAAS,GAAG,kBAAkB,CAAC;IAC9C,sCAAsC;IACtC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,OAAO,EAAE,OAAO,CAAC;IACjB,oCAAoC;IACpC,OAAO,EAAE,gBAAgB,EAAE,CAAC;CAC7B;AAED;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,oCAAoC;IACpC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mEAAmE;IACnE,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;CAC7C;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,gEAAgE;IAChE,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;;;GAKG;AACH,MAAM,WAAW,kBAAkB;IACjC,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAKtD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cli/types/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,oBAAY,QAAQ;IAClB,OAAO,IAAI;IACX,gBAAgB,IAAI;IACpB,YAAY,IAAI;IAChB,YAAY,IAAI;IAChB,WAAW,IAAI;IACf,gBAAgB,KAAK;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,uCAAuC;IACvC,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,gCAAgC;IAChC,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,wBAAwB;IACxB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,8DAA8D;IAC9D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,+CAA+C;IAC/C,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,iEAAiE;IACjE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gCAAgC;IAChC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,gDAAgD;IAChD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,iFAAiF;IACjF,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,qEAAqE;IACrE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kEAAkE;IAClE,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,8BAA8B;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qCAAqC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,QAAQ,EAAE,OAAO,CAAC;IAClB,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,sBAAsB;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,mBAAmB;IACnB,MAAM,EAAE,IAAI,GAAG,SAAS,GAAG,kBAAkB,CAAC;IAC9C,sCAAsC;IACtC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,OAAO,EAAE,OAAO,CAAC;IACjB,oCAAoC;IACpC,OAAO,EAAE,gBAAgB,EAAE,CAAC;CAC7B;AAED;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,oCAAoC;IACpC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mEAAmE;IACnE,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;CAC7C;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,gEAAgE;IAChE,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;;;GAKG;AACH,MAAM,WAAW,kBAAkB;IACjC,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAKtD"}

package/dist/cli/utils/daemon.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"daemon.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/daemon.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAOtD;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,MAAM,CAAY;gBAEd,WAAW,EAAE,MAAM;IAK/B;;;;;OAKG;IACG,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;IAiFnD;;;;OAIG;IACG,IAAI,CAAC,KAAK,GAAE,OAAe,GAAG,OAAO,CAAC,OAAO,CAAC;IA8BpD;;;OAGG;IACG,SAAS,IAAI,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IA6B/C;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC;IAInC;;OAEG;YACW,WAAW;CAiB1B"}
+{"version":3,"file":"daemon.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/daemon.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAOtD;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,MAAM,CAAY;gBAEd,WAAW,EAAE,MAAM;IAK/B;;;;;OAKG;IACG,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;IA6FnD;;;;OAIG;IACG,IAAI,CAAC,KAAK,GAAE,OAAe,GAAG,OAAO,CAAC,OAAO,CAAC;IA8BpD;;;OAGG;IACG,SAAS,IAAI,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IA+B/C;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC;IAInC;;OAEG;YACW,WAAW;CAiB1B"}

package/dist/cli/utils/daemon.js

@@ -64,14 +64,25 @@ class DaemonManager {
         if (options.dbPath) {
             env.CM_DB_PATH = options.dbPath;
         }
+        // Issue #331: Forward auth and HTTPS environment variables from parent process to daemon.
+        // These are set by startCommand before calling daemon.start().
+        // Issue #332: Added CM_ALLOWED_IPS, CM_TRUST_PROXY for IP restriction in daemon mode
+        const authEnvKeys = ['CM_AUTH_TOKEN_HASH', 'CM_AUTH_EXPIRE', 'CM_HTTPS_CERT', 'CM_HTTPS_KEY', 'CM_ALLOW_HTTP', 'CM_ALLOWED_IPS', 'CM_TRUST_PROXY'];
+        for (const key of authEnvKeys) {
+            if (process.env[key]) {
+                env[key] = process.env[key];
+            }
+        }
         // Issue #179: Security warning for external access - recommend reverse proxy
         const bindAddress = env.CM_BIND || '127.0.0.1';
         const port = env.CM_PORT || '3000';
-        if (bindAddress === '0.0.0.0') {
+        const protocol = env.CM_HTTPS_CERT ? 'https' : 'http';
+        // Issue #332: Suppress warning when CM_ALLOWED_IPS is set (IP restriction provides access control)
+        if (bindAddress === '0.0.0.0' && !env.CM_AUTH_TOKEN_HASH && !env.CM_ALLOWED_IPS) {
             console.log(security_messages_1.REVERSE_PROXY_WARNING);
         }
         // Log startup with accurate settings (Stage 4 review: MF-2)
-        this.logger.info(`Starting server at http://${bindAddress}:${port}`);
+        this.logger.info(`Starting server at ${protocol}://${bindAddress}:${port}`);
         // Spawn detached process
         const child = (0, child_process_1.spawn)('npm', ['run', npmScript], {
             cwd: packageRoot,
@@ -139,7 +150,9 @@ class DaemonManager {
         // Get port from environment or default
         const port = parseInt(process.env.CM_PORT || '3000', 10);
         const bind = process.env.CM_BIND || '127.0.0.1';
-        const url = `http://${bind === '0.0.0.0' ? '127.0.0.1' : bind}:${port}`;
+        // Issue #331: Use HTTPS protocol if certificate is configured
+        const protocol = process.env.CM_HTTPS_CERT ? 'https' : 'http';
+        const url = `${protocol}://${bind === '0.0.0.0' ? '127.0.0.1' : bind}:${port}`;
         // Note: Getting accurate uptime would require storing start time
         // For now, we don't track uptime
         return {

package/dist/config/auth-config.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Authentication Configuration Constants
+ * Issue #331: Shared constants for auth.ts and middleware.ts
+ *
+ * CONSTRAINT: This module must be Edge Runtime compatible.
+ * No Node.js-specific imports (crypto, fs, etc.) are allowed.
+ */
+/** Cookie name for authentication token */
+export declare const AUTH_COOKIE_NAME: "cm_auth_token";
+/**
+ * Validate that a CM_AUTH_TOKEN_HASH value is a well-formed SHA-256 hex string.
+ * Used by both auth.ts and middleware.ts to ensure consistent auth-enabled detection.
+ * Returns a type predicate so callers can narrow the type after checking.
+ *
+ * @param hash - The hash string to validate
+ * @returns true if the hash is a valid 64-character hex string
+ */
+export declare function isValidTokenHash(hash: string | undefined): hash is string;
+/**
+ * Paths excluded from authentication check.
+ * S002: Must use === for matching (no startsWith - bypass attack prevention)
+ */
+export declare const AUTH_EXCLUDED_PATHS: readonly ["/login", "/api/auth/login", "/api/auth/logout", "/api/auth/status"];
+/** Default token expiration duration (24 hours) */
+export declare const DEFAULT_EXPIRE_DURATION_MS: number;
+/**
+ * Parse a duration string into milliseconds.
+ * Supported formats: Nh (hours), Nd (days), Nm (minutes)
+ * Minimum: 1h, Maximum: 30d
+ *
+ * @param s - Duration string (e.g., "24h", "7d", "90m")
+ * @returns Duration in milliseconds
+ * @throws Error if format is invalid or out of range
+ */
+export declare function parseDuration(s: string): number;
+/**
+ * Compute token expiration timestamp from environment variables.
+ * Used by both auth.ts (Node.js) and middleware.ts (Edge Runtime).
+ *
+ * @returns Expiration timestamp (ms since epoch), or null if auth is not enabled
+ */
+export declare function computeExpireAt(): number | null;
+//# sourceMappingURL=auth-config.d.ts.map

package/dist/config/auth-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-config.d.ts","sourceRoot":"","sources":["../../src/config/auth-config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,2CAA2C;AAC3C,eAAO,MAAM,gBAAgB,EAAG,eAAwB,CAAC;AAKzD;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,IAAI,MAAM,CAEzE;AAED;;;GAGG;AACH,eAAO,MAAM,mBAAmB,gFAKtB,CAAC;AAeX,mDAAmD;AACnD,eAAO,MAAM,0BAA0B,QAAmB,CAAC;AAQ3D;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAgC/C;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,IAAI,CAgB/C"}

package/dist/config/auth-config.js

@@ -0,0 +1,112 @@
+"use strict";
+/**
+ * Authentication Configuration Constants
+ * Issue #331: Shared constants for auth.ts and middleware.ts
+ *
+ * CONSTRAINT: This module must be Edge Runtime compatible.
+ * No Node.js-specific imports (crypto, fs, etc.) are allowed.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_EXPIRE_DURATION_MS = exports.AUTH_EXCLUDED_PATHS = exports.AUTH_COOKIE_NAME = void 0;
+exports.isValidTokenHash = isValidTokenHash;
+exports.parseDuration = parseDuration;
+exports.computeExpireAt = computeExpireAt;
+/** Cookie name for authentication token */
+exports.AUTH_COOKIE_NAME = 'cm_auth_token';
+/** Valid SHA-256 hex string pattern: exactly 64 hex characters */
+const VALID_TOKEN_HASH_PATTERN = /^[0-9a-f]{64}$/;
+/**
+ * Validate that a CM_AUTH_TOKEN_HASH value is a well-formed SHA-256 hex string.
+ * Used by both auth.ts and middleware.ts to ensure consistent auth-enabled detection.
+ * Returns a type predicate so callers can narrow the type after checking.
+ *
+ * @param hash - The hash string to validate
+ * @returns true if the hash is a valid 64-character hex string
+ */
+function isValidTokenHash(hash) {
+    return !!hash && VALID_TOKEN_HASH_PATTERN.test(hash);
+}
+/**
+ * Paths excluded from authentication check.
+ * S002: Must use === for matching (no startsWith - bypass attack prevention)
+ */
+exports.AUTH_EXCLUDED_PATHS = [
+    '/login',
+    '/api/auth/login',
+    '/api/auth/logout',
+    '/api/auth/status',
+];
+// ============================================================
+// Duration Parsing (Edge Runtime compatible)
+// ============================================================
+/** Milliseconds in one minute */
+const MS_PER_MINUTE = 60 * 1000;
+/** Milliseconds in one hour */
+const MS_PER_HOUR = 60 * MS_PER_MINUTE;
+/** Milliseconds in one day */
+const MS_PER_DAY = 24 * MS_PER_HOUR;
+/** Default token expiration duration (24 hours) */
+exports.DEFAULT_EXPIRE_DURATION_MS = 24 * MS_PER_HOUR;
+/** Minimum duration: 1 hour */
+const MIN_DURATION_MS = MS_PER_HOUR;
+/** Maximum duration: 30 days */
+const MAX_DURATION_MS = 30 * MS_PER_DAY;
+/**
+ * Parse a duration string into milliseconds.
+ * Supported formats: Nh (hours), Nd (days), Nm (minutes)
+ * Minimum: 1h, Maximum: 30d
+ *
+ * @param s - Duration string (e.g., "24h", "7d", "90m")
+ * @returns Duration in milliseconds
+ * @throws Error if format is invalid or out of range
+ */
+function parseDuration(s) {
+    const match = s.match(/^(\d+)([hdm])$/);
+    if (!match) {
+        throw new Error(`Invalid duration format: "${s}". Use Nh, Nd, or Nm (e.g., "24h", "7d", "90m")`);
+    }
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    /** Map of duration unit characters to their millisecond multipliers */
+    const unitMultipliers = {
+        h: MS_PER_HOUR,
+        d: MS_PER_DAY,
+        m: MS_PER_MINUTE,
+    };
+    const multiplier = unitMultipliers[unit];
+    if (multiplier === undefined) {
+        throw new Error(`Invalid duration unit: "${unit}"`);
+    }
+    const ms = value * multiplier;
+    if (ms < MIN_DURATION_MS) {
+        throw new Error(`Duration too short: minimum is 1h (60m). Got: "${s}"`);
+    }
+    if (ms > MAX_DURATION_MS) {
+        throw new Error(`Duration too long: maximum is 30d (720h). Got: "${s}"`);
+    }
+    return ms;
+}
+/**
+ * Compute token expiration timestamp from environment variables.
+ * Used by both auth.ts (Node.js) and middleware.ts (Edge Runtime).
+ *
+ * @returns Expiration timestamp (ms since epoch), or null if auth is not enabled
+ */
+function computeExpireAt() {
+    const expireStr = process.env.CM_AUTH_EXPIRE;
+    const now = Date.now();
+    if (expireStr) {
+        try {
+            return now + parseDuration(expireStr);
+        }
+        catch {
+            // Invalid duration format - use default
+            return now + exports.DEFAULT_EXPIRE_DURATION_MS;
+        }
+    }
+    // Default 24h if auth is enabled
+    if (process.env.CM_AUTH_TOKEN_HASH) {
+        return now + exports.DEFAULT_EXPIRE_DURATION_MS;
+    }
+    return null;
+}