crewx 0.8.5 → 0.8.6-rc.1

package/bin/crewx-lib.js

@@ -164,7 +164,9 @@ export function ensureCrewxDirs() {
   const crewxHome = join(homedir(), '.crewx');         // config/DB
   const crewxWorkspaces = join(homedir(), 'crewx');    // workspaces collection
 
-  for (const dir of [crewxHome, crewxWorkspaces]) {
+  const crewxTls = join(crewxHome, 'tls');
+
+  for (const dir of [crewxHome, crewxWorkspaces, crewxTls]) {
     try {
       mkdirSync(dir, { recursive: true });
     } catch (err) {

package/bin/crewx.js

@@ -14,7 +14,7 @@
  *   crewx q|x|agent|... <args>         → CLI subcommand (forwarded to packages/cli)
  */
 import { spawn } from 'child_process';
-import { readFileSync } from 'fs';
+import { existsSync, readFileSync } from 'fs';
 import { fileURLToPath } from 'url';
 import { dirname, join } from 'path';
 import { homedir } from 'os';
@@ -139,6 +139,11 @@ function launchWeb(serveArgs = [], { openBrowser = false } = {}) {
     env.MCP_BEARER_TOKEN = content;
   }
 
+  const certPath = join(homedir(), '.crewx', 'tls', 'cert.pem');
+  if (existsSync(certPath)) {
+    env.NODE_EXTRA_CA_CERTS = certPath;
+  }
+
   if (openBrowser && !noOpen) {
     env.CREWX_OPEN_BROWSER = '1';
   }

package/dist-server/bootstrap/tls.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CERT_PATH = void 0;
+exports.resolveHttpsOptions = resolveHttpsOptions;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+const selfsigned_1 = require("selfsigned");
+const TLS_DIR = (0, path_1.join)((0, os_1.homedir)(), '.crewx', 'tls');
+const CERT_PATH = (0, path_1.join)(TLS_DIR, 'cert.pem');
+exports.CERT_PATH = CERT_PATH;
+const KEY_PATH = (0, path_1.join)(TLS_DIR, 'key.pem');
+async function resolveHttpsOptions() {
+    if (process.env.NODE_ENV !== 'production') {
+        return null;
+    }
+    if (process.env.TLS_CERT && process.env.TLS_KEY) {
+        return {
+            cert: (0, fs_1.readFileSync)(process.env.TLS_CERT),
+            key: (0, fs_1.readFileSync)(process.env.TLS_KEY),
+        };
+    }
+    if ((0, fs_1.existsSync)(CERT_PATH) && (0, fs_1.existsSync)(KEY_PATH)) {
+        return {
+            cert: (0, fs_1.readFileSync)(CERT_PATH),
+            key: (0, fs_1.readFileSync)(KEY_PATH),
+        };
+    }
+    return generateSelfSignedCert();
+}
+async function generateSelfSignedCert() {
+    const host = (0, os_1.hostname)();
+    const attrs = [{ name: 'commonName', value: 'CrewX Local Server' }];
+    const sanExt = {
+        name: 'subjectAltName',
+        altNames: [
+            { type: 2, value: 'localhost' },
+            { type: 2, value: host },
+            { type: 7, ip: '127.0.0.1' },
+            { type: 7, ip: '::1' },
+        ],
+    };
+    const pems = await (0, selfsigned_1.generate)(attrs, {
+        keySize: 2048,
+        extensions: [sanExt],
+    });
+    (0, fs_1.mkdirSync)(TLS_DIR, { recursive: true });
+    (0, fs_1.writeFileSync)(CERT_PATH, pems.cert, { mode: 0o644 });
+    (0, fs_1.writeFileSync)(KEY_PATH, pems.private, { mode: 0o600 });
+    console.log(`🔒 Self-signed TLS certificate generated: ~/.crewx/tls/`);
+    console.log(`⚠️  Browser will show a security warning on first access.`);
+    console.log(`💡 Install mkcert for warning-free local HTTPS.`);
+    return {
+        cert: Buffer.from(pems.cert),
+        key: Buffer.from(pems.private),
+    };
+}

package/dist-server/domain/auth/auth.controller.js

@@ -56,7 +56,7 @@ let AuthController = AuthController_1 = class AuthController {
         return { success: true, data: { authenticated: true, method } };
     }
     // AUTH.LOGIN: brute-force protected, @Public() skips BaseAuthGuard
-    login(body, res) {
+    login(body, req, res) {
         const usernameOk = (0, ip_utils_js_1.safeCompare)(body.username, this.credentials.username);
         const passwordOk = (0, ip_utils_js_1.safeCompare)(body.password, this.credentials.password);
         if (!usernameOk || !passwordOk) {
@@ -69,7 +69,7 @@ let AuthController = AuthController_1 = class AuthController {
         res.cookie(COOKIE_NAME, this.mcpToken.token, {
             httpOnly: true,
             sameSite: 'strict',
-            secure: process.env.NODE_ENV === 'production',
+            secure: req.secure,
             maxAge: 7 * 24 * 60 * 60 * 1000,
             path: '/',
         });
@@ -97,9 +97,10 @@ __decorate([
     (0, common_1.HttpCode)(200),
     (0, throttler_1.Throttle)({ default: { limit: 5, ttl: 60000 } }),
     __param(0, (0, common_1.Body)()),
-    __param(1, (0, common_1.Res)({ passthrough: true })),
+    __param(1, (0, common_1.Req)()),
+    __param(2, (0, common_1.Res)({ passthrough: true })),
     __metadata("design:type", Function),
-    __metadata("design:paramtypes", [LoginDto, Object]),
+    __metadata("design:paramtypes", [LoginDto, Object, Object]),
     __metadata("design:returntype", Object)
 ], AuthController.prototype, "login", null);
 __decorate([

package/dist-server/domain/mcp/mcp.service.js

@@ -429,24 +429,26 @@ let McpService = McpService_1 = class McpService {
                 }
             }
         }
-        const duration = Date.now() - startTime;
-        const taskId = response.result?._meta?.taskId ??
-            (sessionId ? this.activeTaskMap.get(sessionId) : undefined) ??
-            null;
-        try {
-            this.toolCallRepo.insertToolCall({
-                id: (0, sdk_1.generateId)('tcl'),
-                task_id: taskId,
-                session_id: sessionId ?? null,
-                tool_name: `mcp_${params.name}`,
-                input: JSON.stringify(params.arguments ?? {}),
-                output: JSON.stringify(response.result?.content ?? response.error ?? null),
-                duration_ms: duration,
-                timestamp: new Date().toISOString(),
-            });
-        }
-        catch (err) {
-            this.logger.warn(`tool_calls insert failed: ${err?.message}`);
+        // Record only browser tool calls (agent calling a tool during execution).
+        // Server tools (queryAgent, executeAgent, etc.) are task triggers, not tool calls.
+        if (this.toolRouter.isBrowserTool(params.name, sessionId)) {
+            const duration = Date.now() - startTime;
+            const taskId = (sessionId ? this.activeTaskMap.get(sessionId) : undefined) ?? null;
+            try {
+                this.toolCallRepo.insertToolCall({
+                    id: (0, sdk_1.generateId)('tcl'),
+                    task_id: taskId,
+                    session_id: sessionId ?? null,
+                    tool_name: `mcp_${params.name}`,
+                    input: JSON.stringify(params.arguments ?? {}),
+                    output: JSON.stringify(response.result?.content ?? response.error ?? null),
+                    duration_ms: duration,
+                    timestamp: new Date().toISOString(),
+                });
+            }
+            catch (err) {
+                this.logger.warn(`tool_calls insert failed: ${err?.message}`);
+            }
         }
         return response;
     }

package/dist-server/main.js

@@ -45,15 +45,20 @@ const cookie_parser_1 = __importDefault(require("cookie-parser"));
 const fs_1 = __importDefault(require("fs"));
 const path_1 = require("path");
 const app_module_js_1 = require("./app.module.js");
+const tls_js_1 = require("./bootstrap/tls.js");
 const cors_js_1 = require("./common/cors.js");
 const mcp_constants_js_1 = require("./domain/mcp/mcp.constants.js");
 const auth_constants_js_1 = require("./domain/auth/auth.constants.js");
 const ip_utils_js_1 = require("./domain/auth/utils/ip.utils.js");
 const project_repository_js_1 = require("./repository/project.repository.js");
 async function bootstrap() {
+    const httpsOptions = await (0, tls_js_1.resolveHttpsOptions)();
     // RT-6: bodyParser disabled to preserve raw body for adapter webhook signature verification.
     // Adapter routes (/adapters/*) need raw Buffer body for signature verification.
-    const app = await core_1.NestFactory.create(app_module_js_1.AppModule, { bodyParser: false });
+    const app = await core_1.NestFactory.create(app_module_js_1.AppModule, {
+        bodyParser: false,
+        ...(httpsOptions ? { httpsOptions } : {}),
+    });
     // trust proxy — set before other middleware so req.ip is correct behind nginx/Caddy
     if (process.env.TRUST_PROXY) {
         app.set('trust proxy', process.env.TRUST_PROXY);
@@ -142,8 +147,9 @@ async function bootstrap() {
     const server = app.getHttpServer();
     const address = server.address();
     const actualPort = typeof address === 'object' ? address?.port : port;
-    console.log(`🚀 CrewX UI Server running on http://localhost:${actualPort}`);
-    console.log(`📖 Swagger UI: http://localhost:${actualPort}/api/docs`);
+    const protocol = httpsOptions ? 'https' : 'http';
+    console.log(`🚀 CrewX UI Server running on ${protocol}://localhost:${actualPort}`);
+    console.log(`📖 Swagger UI: ${protocol}://localhost:${actualPort}/api/docs`);
     // Print MCP token info and clickable URLs
     const tokenInfo = app.get(mcp_constants_js_1.MCP_TOKEN);
     const tokenSource = tokenInfo.source === 'env' ? 'MCP_BEARER_TOKEN env' : 'auto-generated';
@@ -158,14 +164,14 @@ async function bootstrap() {
         console.log(`🔐 Web UI auth: ${authCreds.username} / ${masked} (source: ${authCreds.source})`);
         console.log(`   Set AUTH_USERNAME / AUTH_PASSWORD in .env to customize.`);
     }
-    console.log(`🏥 MCP Health: http://localhost:${actualPort}/mcp/health?token=${tokenInfo.token}`);
-    console.log(`📡 MCP Endpoint: POST http://localhost:${actualPort}/mcp`);
+    console.log(`🏥 MCP Health: ${protocol}://localhost:${actualPort}/mcp/health?token=${tokenInfo.token}`);
+    console.log(`📡 MCP Endpoint: POST ${protocol}://localhost:${actualPort}/mcp`);
     // Auto-open browser when CREWX_OPEN_BROWSER=1 (set by bin/crewx.js for web-default route)
     if (process.env.CREWX_OPEN_BROWSER === '1') {
         try {
             const open = (await Promise.resolve().then(() => __importStar(require('open')))).default;
-            await open(`http://localhost:${actualPort}`);
-            console.log(`🌐 Browser opened: http://localhost:${actualPort}`);
+            await open(`${protocol}://localhost:${actualPort}`);
+            console.log(`🌐 Browser opened: ${protocol}://localhost:${actualPort}`);
         }
         catch {
             console.warn('⚠️  Could not open browser automatically. Please open manually.');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "crewx",
-  "version": "0.8.5",
+  "version": "0.8.6-rc.1",
   "description": "CrewX — AI agent team dashboard with Electron UI and CLI (Web + Electron + Global CLI)",
   "main": "server.js",
   "bin": {
@@ -60,6 +60,7 @@
     "remark-parse": "^11.0.0",
     "remark-stringify": "^11.0.0",
     "rxjs": "^7.8.1",
+    "selfsigned": "^5.5.0",
     "swagger-ui-express": "^5.0.1",
     "unified": "^11.0.5",
     "unist-util-visit": "^5.0.0",
@@ -67,12 +68,12 @@
     "wink-nlp-utils": "^2.1.0",
     "yargs": "^17.7.0",
     "zod": "^3.22.0",
-    "@crewx/cli": "0.8.5",
-    "@crewx/cron": "0.1.8",
+    "@crewx/cli": "0.8.6-rc.1",
     "@crewx/doc": "0.1.8",
-    "@crewx/knowledge-core": "0.1.6",
+    "@crewx/cron": "0.1.8",
     "@crewx/memory": "0.1.10",
-    "@crewx/sdk": "0.8.5",
+    "@crewx/knowledge-core": "0.1.6",
+    "@crewx/sdk": "0.8.6-rc.2",
     "@crewx/shared": "0.0.5",
     "@crewx/wbs": "0.1.9",
     "@crewx/search": "0.1.9",

package/packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@crewx/cli",
-  "version": "0.8.5",
+  "version": "0.8.6-rc.1",
   "license": "UNLICENSED",
   "engines": {
     "node": ">=20.19.0"

package/dist-server/package.json

@@ -1,3 +0,0 @@
-{
-  "type": "commonjs"
-}