commandmate 0.2.13 → 0.3.0

package/dist/lib/auth.d.ts

@@ -0,0 +1,104 @@
+/**
+ * Token Authentication Core Module
+ * Issue #331: Token authentication and HTTPS support
+ *
+ * CONSTRAINTS:
+ * - C001: No Next.js module dependencies (next/headers, next/server, etc.)
+ *   This module must be compatible with CLI build (tsconfig.cli.json)
+ * - S001: Token verification uses crypto.timingSafeEqual() (timing-safe comparison)
+ * - S002: AUTH_EXCLUDED_PATHS matching uses === (exact match, no startsWith)
+ */
+import { AUTH_COOKIE_NAME, AUTH_EXCLUDED_PATHS, parseDuration, computeExpireAt, DEFAULT_EXPIRE_DURATION_MS, isValidTokenHash } from '../config/auth-config';
+export { AUTH_COOKIE_NAME, AUTH_EXCLUDED_PATHS, parseDuration, computeExpireAt, DEFAULT_EXPIRE_DURATION_MS, isValidTokenHash };
+/** Rate limiting configuration for brute-force protection */
+export declare const RATE_LIMIT_CONFIG: {
+    /** Maximum failed attempts before lockout */
+    readonly maxAttempts: 5;
+    /** Lockout duration in ms (15 minutes) */
+    readonly lockoutDuration: number;
+    /** Cleanup interval in ms (1 hour) */
+    readonly cleanupInterval: number;
+};
+/** Fallback cookie maxAge in seconds when no explicit expiry is set (24 hours) */
+export declare const DEFAULT_COOKIE_MAX_AGE_SECONDS: number;
+/**
+ * Generate a cryptographically secure random token
+ * @returns 64-character hex string (32 bytes of entropy)
+ */
+export declare function generateToken(): string;
+/**
+ * Hash a token using SHA-256
+ * @param token - The plain text token to hash
+ * @returns 64-character hex string (SHA-256 hash)
+ */
+export declare function hashToken(token: string): string;
+/**
+ * Verify a token against the stored hash
+ * S001: Uses crypto.timingSafeEqual() for timing-safe comparison
+ *
+ * @param token - The plain text token to verify
+ * @returns true if the token is valid and not expired
+ */
+export declare function verifyToken(token: string): boolean;
+/**
+ * Parse a Cookie header string into key-value pairs
+ * Used by WebSocket upgrade handler where next/headers is not available
+ *
+ * @param cookieHeader - Raw Cookie header string
+ * @returns Parsed cookies as Record<string, string>
+ */
+export declare function parseCookies(cookieHeader: string): Record<string, string>;
+/**
+ * Check if authentication is enabled.
+ * Returns true only when CM_AUTH_TOKEN_HASH is set AND passes format validation.
+ * This prevents the state where auth appears enabled but login is impossible
+ * (e.g., when the hash value is malformed).
+ */
+export declare function isAuthEnabled(): boolean;
+/**
+ * Calculate the Cookie maxAge in seconds (remaining token lifetime)
+ * @returns maxAge in seconds, or 0 if expired/no expiry
+ */
+export declare function getTokenMaxAge(): number;
+/**
+ * Check if HTTPS is enabled based on certificate environment variable
+ * @returns true if CM_HTTPS_CERT is set (indicating TLS certificates are configured)
+ */
+export declare function isHttpsEnabled(): boolean;
+/**
+ * Cookie options for authentication cookies.
+ * C001: Uses only standard types (no Next.js CookieOptions dependency).
+ */
+export interface AuthCookieOptions {
+    httpOnly: boolean;
+    sameSite: 'strict';
+    secure: boolean;
+    maxAge: number;
+    path: string;
+}
+/**
+ * Build authentication cookie options with consistent security settings.
+ * Centralizes cookie configuration to enforce HttpOnly, SameSite, and Secure flags.
+ *
+ * @param maxAge - Cookie max age in seconds. Use 0 to clear the cookie.
+ * @returns Cookie options object compatible with Next.js response.cookies.set()
+ */
+export declare function buildAuthCookieOptions(maxAge: number): AuthCookieOptions;
+export interface RateLimitResult {
+    allowed: boolean;
+    retryAfter?: number;
+}
+export interface RateLimiter {
+    checkLimit(ip: string): RateLimitResult;
+    recordFailure(ip: string): void;
+    recordSuccess(ip: string): void;
+    destroy(): void;
+}
+/**
+ * Create a rate limiter for brute-force protection
+ * Uses in-memory Map with periodic cleanup
+ *
+ * @returns RateLimiter instance with checkLimit, recordFailure, recordSuccess, destroy
+ */
+export declare function createRateLimiter(): RateLimiter;
+//# sourceMappingURL=auth.d.ts.map

package/dist/lib/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/lib/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,aAAa,EAAE,eAAe,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC5J,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,aAAa,EAAE,eAAe,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,CAAC;AAE/H,6DAA6D;AAC7D,eAAO,MAAM,iBAAiB;IAC5B,6CAA6C;;IAE7C,0CAA0C;;IAE1C,sCAAsC;;CAE9B,CAAC;AAEX,kFAAkF;AAClF,eAAO,MAAM,8BAA8B,QAAe,CAAC;AA0B3D;;;GAGG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CA0BlD;AAMD;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAoBzE;AAMD;;;;;GAKG;AACH,wBAAgB,aAAa,IAAI,OAAO,CAEvC;AAED;;;GAGG;AACH,wBAAgB,cAAc,IAAI,MAAM,CAWvC;AAED;;;GAGG;AACH,wBAAgB,cAAc,IAAI,OAAO,CAExC;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,QAAQ,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,iBAAiB,CAQxE;AAYD,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,eAAe,CAAC;IACxC,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,OAAO,IAAI,IAAI,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,IAAI,WAAW,CAmE/C"}

package/dist/lib/auth.js

@@ -0,0 +1,250 @@
+"use strict";
+/**
+ * Token Authentication Core Module
+ * Issue #331: Token authentication and HTTPS support
+ *
+ * CONSTRAINTS:
+ * - C001: No Next.js module dependencies (next/headers, next/server, etc.)
+ *   This module must be compatible with CLI build (tsconfig.cli.json)
+ * - S001: Token verification uses crypto.timingSafeEqual() (timing-safe comparison)
+ * - S002: AUTH_EXCLUDED_PATHS matching uses === (exact match, no startsWith)
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_COOKIE_MAX_AGE_SECONDS = exports.RATE_LIMIT_CONFIG = exports.isValidTokenHash = exports.DEFAULT_EXPIRE_DURATION_MS = exports.computeExpireAt = exports.parseDuration = exports.AUTH_EXCLUDED_PATHS = exports.AUTH_COOKIE_NAME = void 0;
+exports.generateToken = generateToken;
+exports.hashToken = hashToken;
+exports.verifyToken = verifyToken;
+exports.parseCookies = parseCookies;
+exports.isAuthEnabled = isAuthEnabled;
+exports.getTokenMaxAge = getTokenMaxAge;
+exports.isHttpsEnabled = isHttpsEnabled;
+exports.buildAuthCookieOptions = buildAuthCookieOptions;
+exports.createRateLimiter = createRateLimiter;
+const crypto_1 = __importDefault(require("crypto"));
+// Import and re-export shared constants and functions from Edge Runtime-compatible config
+const auth_config_1 = require("../config/auth-config");
+Object.defineProperty(exports, "AUTH_COOKIE_NAME", { enumerable: true, get: function () { return auth_config_1.AUTH_COOKIE_NAME; } });
+Object.defineProperty(exports, "AUTH_EXCLUDED_PATHS", { enumerable: true, get: function () { return auth_config_1.AUTH_EXCLUDED_PATHS; } });
+Object.defineProperty(exports, "parseDuration", { enumerable: true, get: function () { return auth_config_1.parseDuration; } });
+Object.defineProperty(exports, "computeExpireAt", { enumerable: true, get: function () { return auth_config_1.computeExpireAt; } });
+Object.defineProperty(exports, "DEFAULT_EXPIRE_DURATION_MS", { enumerable: true, get: function () { return auth_config_1.DEFAULT_EXPIRE_DURATION_MS; } });
+Object.defineProperty(exports, "isValidTokenHash", { enumerable: true, get: function () { return auth_config_1.isValidTokenHash; } });
+/** Rate limiting configuration for brute-force protection */
+exports.RATE_LIMIT_CONFIG = {
+    /** Maximum failed attempts before lockout */
+    maxAttempts: 5,
+    /** Lockout duration in ms (15 minutes) */
+    lockoutDuration: 15 * 60 * 1000,
+    /** Cleanup interval in ms (1 hour) */
+    cleanupInterval: 60 * 60 * 1000,
+};
+/** Fallback cookie maxAge in seconds when no explicit expiry is set (24 hours) */
+exports.DEFAULT_COOKIE_MAX_AGE_SECONDS = 24 * 60 * 60;
+// ============================================================
+// Module-level state (initialized from env at import time)
+// ============================================================
+/** The stored hash of the authentication token */
+const storedTokenHash = (() => {
+    const hash = process.env.CM_AUTH_TOKEN_HASH || undefined;
+    if (!hash)
+        return undefined;
+    // Store validation result to avoid type predicate narrowing to 'never' in else branch
+    const valid = (0, auth_config_1.isValidTokenHash)(hash);
+    if (!valid) {
+        console.error(`[Security] CM_AUTH_TOKEN_HASH is not a valid 64-character hex string (got ${hash.length} chars). Authentication will be disabled.`);
+        return undefined;
+    }
+    return hash;
+})();
+/** Token expiration timestamp (ms since epoch) */
+const expireAt = (0, auth_config_1.computeExpireAt)();
+// ============================================================
+// Token Functions
+// ============================================================
+/**
+ * Generate a cryptographically secure random token
+ * @returns 64-character hex string (32 bytes of entropy)
+ */
+function generateToken() {
+    return crypto_1.default.randomBytes(32).toString('hex');
+}
+/**
+ * Hash a token using SHA-256
+ * @param token - The plain text token to hash
+ * @returns 64-character hex string (SHA-256 hash)
+ */
+function hashToken(token) {
+    return crypto_1.default.createHash('sha256').update(token).digest('hex');
+}
+/**
+ * Verify a token against the stored hash
+ * S001: Uses crypto.timingSafeEqual() for timing-safe comparison
+ *
+ * @param token - The plain text token to verify
+ * @returns true if the token is valid and not expired
+ */
+function verifyToken(token) {
+    if (!storedTokenHash) {
+        return false;
+    }
+    // Guard against undefined/null/empty token
+    if (!token || typeof token !== 'string') {
+        return false;
+    }
+    // Check expiration
+    if (expireAt !== null && Date.now() > expireAt) {
+        return false;
+    }
+    const tokenHash = hashToken(token);
+    // S001: timing-safe comparison to prevent timing attacks
+    const hashBuffer = Buffer.from(tokenHash, 'hex');
+    const storedBuffer = Buffer.from(storedTokenHash, 'hex');
+    if (hashBuffer.length !== storedBuffer.length) {
+        return false;
+    }
+    return crypto_1.default.timingSafeEqual(hashBuffer, storedBuffer);
+}
+// ============================================================
+// Cookie Parsing (for WebSocket authentication)
+// ============================================================
+/**
+ * Parse a Cookie header string into key-value pairs
+ * Used by WebSocket upgrade handler where next/headers is not available
+ *
+ * @param cookieHeader - Raw Cookie header string
+ * @returns Parsed cookies as Record<string, string>
+ */
+function parseCookies(cookieHeader) {
+    const cookies = {};
+    if (!cookieHeader) {
+        return cookies;
+    }
+    const pairs = cookieHeader.split(';');
+    for (const pair of pairs) {
+        const eqIndex = pair.indexOf('=');
+        if (eqIndex === -1) {
+            continue;
+        }
+        const name = pair.substring(0, eqIndex).trim();
+        const value = pair.substring(eqIndex + 1).trim();
+        if (name) {
+            cookies[name] = value;
+        }
+    }
+    return cookies;
+}
+// ============================================================
+// Auth State Functions
+// ============================================================
+/**
+ * Check if authentication is enabled.
+ * Returns true only when CM_AUTH_TOKEN_HASH is set AND passes format validation.
+ * This prevents the state where auth appears enabled but login is impossible
+ * (e.g., when the hash value is malformed).
+ */
+function isAuthEnabled() {
+    return !!storedTokenHash;
+}
+/**
+ * Calculate the Cookie maxAge in seconds (remaining token lifetime)
+ * @returns maxAge in seconds, or 0 if expired/no expiry
+ */
+function getTokenMaxAge() {
+    if (expireAt === null) {
+        return 0;
+    }
+    const remaining = expireAt - Date.now();
+    if (remaining <= 0) {
+        return 0;
+    }
+    return Math.floor(remaining / 1000);
+}
+/**
+ * Check if HTTPS is enabled based on certificate environment variable
+ * @returns true if CM_HTTPS_CERT is set (indicating TLS certificates are configured)
+ */
+function isHttpsEnabled() {
+    return !!process.env.CM_HTTPS_CERT;
+}
+/**
+ * Build authentication cookie options with consistent security settings.
+ * Centralizes cookie configuration to enforce HttpOnly, SameSite, and Secure flags.
+ *
+ * @param maxAge - Cookie max age in seconds. Use 0 to clear the cookie.
+ * @returns Cookie options object compatible with Next.js response.cookies.set()
+ */
+function buildAuthCookieOptions(maxAge) {
+    return {
+        httpOnly: true,
+        sameSite: 'strict',
+        secure: isHttpsEnabled(),
+        maxAge,
+        path: '/',
+    };
+}
+/**
+ * Create a rate limiter for brute-force protection
+ * Uses in-memory Map with periodic cleanup
+ *
+ * @returns RateLimiter instance with checkLimit, recordFailure, recordSuccess, destroy
+ */
+function createRateLimiter() {
+    const entries = new Map();
+    // Periodic cleanup of expired entries
+    const cleanupTimer = setInterval(() => {
+        const now = Date.now();
+        for (const [ip, entry] of entries) {
+            // Remove entries whose lockout has expired (or was never set)
+            // and whose last attempt is older than the lockout duration
+            const isLockoutExpired = entry.lockedUntil === null || now > entry.lockedUntil;
+            const isStale = now - entry.lastAttempt > exports.RATE_LIMIT_CONFIG.lockoutDuration;
+            if (isLockoutExpired && isStale) {
+                entries.delete(ip);
+            }
+        }
+    }, exports.RATE_LIMIT_CONFIG.cleanupInterval);
+    // Ensure timer doesn't prevent process exit
+    if (cleanupTimer.unref) {
+        cleanupTimer.unref();
+    }
+    return {
+        checkLimit(ip) {
+            const entry = entries.get(ip);
+            if (!entry) {
+                return { allowed: true };
+            }
+            // Check if lockout has expired
+            if (entry.lockedUntil !== null) {
+                const now = Date.now();
+                if (now < entry.lockedUntil) {
+                    const retryAfter = Math.ceil((entry.lockedUntil - now) / 1000);
+                    return { allowed: false, retryAfter };
+                }
+                // Lockout expired - reset entry
+                entry.attempts = 0;
+                entry.lockedUntil = null;
+            }
+            return { allowed: true };
+        },
+        recordFailure(ip) {
+            const now = Date.now();
+            const entry = entries.get(ip) || { attempts: 0, lockedUntil: null, lastAttempt: now };
+            entry.attempts++;
+            entry.lastAttempt = now;
+            if (entry.attempts >= exports.RATE_LIMIT_CONFIG.maxAttempts) {
+                entry.lockedUntil = now + exports.RATE_LIMIT_CONFIG.lockoutDuration;
+            }
+            entries.set(ip, entry);
+        },
+        recordSuccess(ip) {
+            entries.delete(ip);
+        },
+        destroy() {
+            clearInterval(cleanupTimer);
+            entries.clear();
+        },
+    };
+}

package/dist/server/server.js

@@ -2,6 +2,7 @@
 /**
  * Custom Next.js Server with WebSocket Support
  * Integrates WebSocket server for real-time communication
+ * Issue #331: HTTPS support and auth cleanup on shutdown
  */
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
@@ -28,6 +29,9 @@ process.on('uncaughtException', (error) => {
     process.exit(1);
 });
 const http_1 = require("http");
+const https_1 = require("https");
+const fs_1 = require("fs");
+const fs_2 = require("fs");
 const url_1 = require("url");
 const next_1 = __importDefault(require("next"));
 const ws_server_1 = require("./src/lib/ws-server");
@@ -42,22 +46,116 @@ const db_1 = require("./src/lib/db");
 const dev = process.env.NODE_ENV !== 'production';
 const hostname = (0, env_1.getEnvByKey)('CM_BIND') || '127.0.0.1';
 const port = parseInt((0, env_1.getEnvByKey)('CM_PORT') || '3000', 10);
+// Issue #331: HTTPS configuration
+const certPath = process.env.CM_HTTPS_CERT;
+const keyPath = process.env.CM_HTTPS_KEY;
+/** Maximum certificate file size: 1MB */
+const MAX_CERT_FILE_SIZE = 1024 * 1024;
+/**
+ * Validate certificate file path for security
+ * Issue #331: Certificate path validation
+ */
+function validateCertPath(filePath, label) {
+    if (!(0, fs_1.existsSync)(filePath)) {
+        console.error(`[Security] ${label} file not found: ${filePath}`);
+        // ExitCode.CONFIG_ERROR = 2 (direct number, not imported from CLI types)
+        process.exit(2);
+    }
+    try {
+        (0, fs_1.accessSync)(filePath, fs_2.constants.R_OK);
+    }
+    catch {
+        console.error(`[Security] ${label} file not readable: ${filePath}`);
+        process.exit(2);
+    }
+    const realPath = (0, fs_1.realpathSync)(filePath);
+    const stats = (0, fs_1.statSync)(realPath);
+    if (stats.size > MAX_CERT_FILE_SIZE) {
+        console.error(`[Security] ${label} file too large (${stats.size} bytes, max ${MAX_CERT_FILE_SIZE}): ${filePath}`);
+        process.exit(2);
+    }
+    return realPath;
+}
 // Create Next.js app
 const app = (0, next_1.default)({ dev, hostname, port });
 const handle = app.getRequestHandler();
+// Issue #331: Prevent Next.js (NextCustomServer) from registering its own upgrade
+// event listener on the HTTP server.
+//
+// When next() is called without customServer:false, it creates a NextCustomServer
+// instance. NextCustomServer.getRequestHandler() lazily calls setupWebSocketHandler()
+// on the first HTTP request, which registers an upgrade listener that calls
+// router-server's upgradeHandler → resolveRoutes({ res: socket }) → middleware match
+// → serverResult.requestHandler(req, socket, parsedUrl). This passes the raw TCP
+// socket as the HTTP response object, causing:
+//   TypeError: Cannot read properties of undefined (reading 'bind')
+// in handleRequestImpl when it tries to call _res.setHeader.bind(_res).
+//
+// Making setupWebSocketHandler a no-op prevents this listener from being added.
+// All WebSocket upgrades are handled by ws-server.ts (our own upgrade listener).
+app.setupWebSocketHandler = () => { };
 app.prepare().then(() => {
-    // Create HTTP server
-    const server = (0, http_1.createServer)(async (req, res) => {
+    // Request handler for both HTTP and HTTPS
+    const requestHandler = async (req, res) => {
+        // Guard: res must be a proper HTTP ServerResponse (not a raw net.Socket).
+        // Defense-in-depth: normally not needed after the setupWebSocketHandler fix above,
+        // but kept for safety in case any other path passes a non-ServerResponse object.
+        if (typeof res?.setHeader !== 'function') {
+            return;
+        }
+        // Issue #332: Inject X-Real-IP header for IP restriction
+        // [S3-005] This applies to HTTP requests only. WebSocket upgrade requests
+        // are skipped below and handled by ws-server.ts (which uses socket.remoteAddress directly).
+        const clientIp = req.socket.remoteAddress || '';
+        if (process.env.CM_TRUST_PROXY !== 'true') {
+            // CM_TRUST_PROXY=false: always overwrite to prevent forged headers
+            req.headers['x-real-ip'] = clientIp;
+        }
+        else {
+            // CM_TRUST_PROXY=true: only set if X-Forwarded-For is absent
+            if (!req.headers['x-forwarded-for']) {
+                req.headers['x-real-ip'] = clientIp;
+            }
+        }
+        // Skip WebSocket upgrade requests - they are handled by the server 'upgrade' event.
+        if (req.headers['upgrade']) {
+            return;
+        }
+        const method = req.method ?? 'UNKNOWN';
+        const url = req.url ?? '/';
         try {
-            const parsedUrl = (0, url_1.parse)(req.url, true);
+            const parsedUrl = (0, url_1.parse)(url, true);
             await handle(req, res, parsedUrl);
         }
         catch (err) {
-            console.error('Error handling request', err);
-            res.statusCode = 500;
-            res.end('Internal Server Error');
+            console.error(`handleRequestImpl failed: ${method} ${url}`, err);
+            if (!res.headersSent) {
+                res.statusCode = 500;
+                res.end('Internal Server Error');
+            }
         }
-    });
+    };
+    // Issue #331: Create HTTP or HTTPS server
+    let server;
+    let protocol = 'http';
+    if (certPath && keyPath) {
+        const validatedCertPath = validateCertPath(certPath, 'Certificate');
+        const validatedKeyPath = validateCertPath(keyPath, 'Key');
+        try {
+            const cert = (0, fs_1.readFileSync)(validatedCertPath);
+            const key = (0, fs_1.readFileSync)(validatedKeyPath);
+            server = (0, https_1.createServer)({ cert, key }, requestHandler);
+            protocol = 'https';
+            console.log('HTTPS server created with TLS certificates');
+        }
+        catch (error) {
+            console.error('Failed to read TLS certificates:', error);
+            process.exit(2);
+        }
+    }
+    else {
+        server = (0, http_1.createServer)(requestHandler);
+    }
     // Setup WebSocket server
     (0, ws_server_1.setupWebSocket)(server);
     // Scan and sync worktrees on startup
@@ -103,16 +201,29 @@ app.prepare().then(() => {
             const worktrees = await (0, worktrees_1.scanMultipleRepositories)(filteredPaths);
             // Sync to database
             (0, worktrees_1.syncWorktreesToDB)(db, worktrees);
-            console.log(`✓ Total: ${worktrees.length} worktree(s) synced to database`);
+            console.log(`Total: ${worktrees.length} worktree(s) synced to database`);
         }
         catch (error) {
             console.error('Error initializing worktrees:', error);
         }
     }
-    server.listen(port, async (err) => {
-        if (err)
-            throw err;
-        console.log(`> Ready on http://${hostname}:${port}`);
+    // H3 fix: Pass hostname to listen() so CM_BIND is respected.
+    // Note: http.Server.listen(port, hostname, callback) does not pass err to callback;
+    // listen errors emit an 'error' event instead.
+    server.on('error', (err) => {
+        if (err.code === 'EADDRINUSE') {
+            console.error(`Port ${port} is already in use`);
+        }
+        else if (err.code === 'EADDRNOTAVAIL') {
+            console.error(`Address ${hostname}:${port} is not available`);
+        }
+        else {
+            console.error('Server error:', err);
+        }
+        process.exit(1);
+    });
+    server.listen(port, hostname, async () => {
+        console.log(`> Ready on ${protocol}://${hostname}:${port}`);
         console.log(`> WebSocket server ready`);
         // Initialize worktrees after server starts
         await initializeWorktrees();

package/dist/server/src/config/auth-config.js

@@ -0,0 +1,112 @@
+"use strict";
+/**
+ * Authentication Configuration Constants
+ * Issue #331: Shared constants for auth.ts and middleware.ts
+ *
+ * CONSTRAINT: This module must be Edge Runtime compatible.
+ * No Node.js-specific imports (crypto, fs, etc.) are allowed.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_EXPIRE_DURATION_MS = exports.AUTH_EXCLUDED_PATHS = exports.AUTH_COOKIE_NAME = void 0;
+exports.isValidTokenHash = isValidTokenHash;
+exports.parseDuration = parseDuration;
+exports.computeExpireAt = computeExpireAt;
+/** Cookie name for authentication token */
+exports.AUTH_COOKIE_NAME = 'cm_auth_token';
+/** Valid SHA-256 hex string pattern: exactly 64 hex characters */
+const VALID_TOKEN_HASH_PATTERN = /^[0-9a-f]{64}$/;
+/**
+ * Validate that a CM_AUTH_TOKEN_HASH value is a well-formed SHA-256 hex string.
+ * Used by both auth.ts and middleware.ts to ensure consistent auth-enabled detection.
+ * Returns a type predicate so callers can narrow the type after checking.
+ *
+ * @param hash - The hash string to validate
+ * @returns true if the hash is a valid 64-character hex string
+ */
+function isValidTokenHash(hash) {
+    return !!hash && VALID_TOKEN_HASH_PATTERN.test(hash);
+}
+/**
+ * Paths excluded from authentication check.
+ * S002: Must use === for matching (no startsWith - bypass attack prevention)
+ */
+exports.AUTH_EXCLUDED_PATHS = [
+    '/login',
+    '/api/auth/login',
+    '/api/auth/logout',
+    '/api/auth/status',
+];
+// ============================================================
+// Duration Parsing (Edge Runtime compatible)
+// ============================================================
+/** Milliseconds in one minute */
+const MS_PER_MINUTE = 60 * 1000;
+/** Milliseconds in one hour */
+const MS_PER_HOUR = 60 * MS_PER_MINUTE;
+/** Milliseconds in one day */
+const MS_PER_DAY = 24 * MS_PER_HOUR;
+/** Default token expiration duration (24 hours) */
+exports.DEFAULT_EXPIRE_DURATION_MS = 24 * MS_PER_HOUR;
+/** Minimum duration: 1 hour */
+const MIN_DURATION_MS = MS_PER_HOUR;
+/** Maximum duration: 30 days */
+const MAX_DURATION_MS = 30 * MS_PER_DAY;
+/**
+ * Parse a duration string into milliseconds.
+ * Supported formats: Nh (hours), Nd (days), Nm (minutes)
+ * Minimum: 1h, Maximum: 30d
+ *
+ * @param s - Duration string (e.g., "24h", "7d", "90m")
+ * @returns Duration in milliseconds
+ * @throws Error if format is invalid or out of range
+ */
+function parseDuration(s) {
+    const match = s.match(/^(\d+)([hdm])$/);
+    if (!match) {
+        throw new Error(`Invalid duration format: "${s}". Use Nh, Nd, or Nm (e.g., "24h", "7d", "90m")`);
+    }
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    /** Map of duration unit characters to their millisecond multipliers */
+    const unitMultipliers = {
+        h: MS_PER_HOUR,
+        d: MS_PER_DAY,
+        m: MS_PER_MINUTE,
+    };
+    const multiplier = unitMultipliers[unit];
+    if (multiplier === undefined) {
+        throw new Error(`Invalid duration unit: "${unit}"`);
+    }
+    const ms = value * multiplier;
+    if (ms < MIN_DURATION_MS) {
+        throw new Error(`Duration too short: minimum is 1h (60m). Got: "${s}"`);
+    }
+    if (ms > MAX_DURATION_MS) {
+        throw new Error(`Duration too long: maximum is 30d (720h). Got: "${s}"`);
+    }
+    return ms;
+}
+/**
+ * Compute token expiration timestamp from environment variables.
+ * Used by both auth.ts (Node.js) and middleware.ts (Edge Runtime).
+ *
+ * @returns Expiration timestamp (ms since epoch), or null if auth is not enabled
+ */
+function computeExpireAt() {
+    const expireStr = process.env.CM_AUTH_EXPIRE;
+    const now = Date.now();
+    if (expireStr) {
+        try {
+            return now + parseDuration(expireStr);
+        }
+        catch {
+            // Invalid duration format - use default
+            return now + exports.DEFAULT_EXPIRE_DURATION_MS;
+        }
+    }
+    // Default 24h if auth is enabled
+    if (process.env.CM_AUTH_TOKEN_HASH) {
+        return now + exports.DEFAULT_EXPIRE_DURATION_MS;
+    }
+    return null;
+}