crewx 0.8.7-rc.17 → 0.8.7-rc.18

package/dist-server/adapters/adapter.module.js

@@ -0,0 +1,35 @@
+"use strict";
+/**
+ * AdapterModule — NestJS module for adapter lifecycle management.
+ *
+ * Implements OnApplicationBootstrap (start adapters from yaml)
+ * and OnApplicationShutdown (stop all adapters with timeout).
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var AdapterModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdapterModule = void 0;
+const common_1 = require("@nestjs/common");
+const adapter_service_js_1 = require("./adapter.service.js");
+const http_router_service_js_1 = require("./http-router.service.js");
+let AdapterModule = AdapterModule_1 = class AdapterModule {
+    logger = new common_1.Logger(AdapterModule_1.name);
+    onApplicationBootstrap() {
+        this.logger.log('AdapterModule bootstrap — adapters will be loaded lazily via AdapterService');
+    }
+    async onApplicationShutdown() {
+        this.logger.log('AdapterModule shutdown — stopping all adapters');
+    }
+};
+exports.AdapterModule = AdapterModule;
+exports.AdapterModule = AdapterModule = AdapterModule_1 = __decorate([
+    (0, common_1.Module)({
+        providers: [adapter_service_js_1.AdapterService, http_router_service_js_1.AdapterHttpRouterService],
+        exports: [adapter_service_js_1.AdapterService, http_router_service_js_1.AdapterHttpRouterService],
+    })
+], AdapterModule);

package/dist-server/adapters/adapter.service.js

@@ -0,0 +1,79 @@
+"use strict";
+/**
+ * AdapterService — loads adapter configs from crewx.yaml and registers them.
+ *
+ * V1: yaml auto-load model. Reads `adapters:` section from crewx config.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var AdapterService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdapterService = void 0;
+const common_1 = require("@nestjs/common");
+let AdapterService = AdapterService_1 = class AdapterService {
+    logger = new common_1.Logger(AdapterService_1.name);
+    async loadFromYaml(crewx, adapters) {
+        for (const adapterConf of adapters) {
+            try {
+                const instanceId = adapterConf.instanceId ?? adapterConf.id;
+                this.logger.log(`Loading adapter: ${adapterConf.id} (instance: ${instanceId})`);
+                const adapterModule = await Promise.resolve(`${adapterConf.module}`).then(s => __importStar(require(s)));
+                const adapter = adapterModule.default ?? adapterModule.adapter;
+                if (!adapter) {
+                    this.logger.error(`Adapter module ${adapterConf.module} has no default export`);
+                    continue;
+                }
+                await crewx.registerChannelAdapter({
+                    adapter,
+                    instanceId,
+                    config: adapterConf.config ?? {},
+                });
+                this.logger.log(`Adapter ${adapterConf.id} started successfully`);
+            }
+            catch (err) {
+                this.logger.error(`Failed to load adapter ${adapterConf.id}: ${err instanceof Error ? err.message : String(err)}`);
+            }
+        }
+    }
+};
+exports.AdapterService = AdapterService;
+exports.AdapterService = AdapterService = AdapterService_1 = __decorate([
+    (0, common_1.Injectable)()
+], AdapterService);

package/dist-server/adapters/http-router.service.js

@@ -0,0 +1,91 @@
+"use strict";
+/**
+ * AdapterHttpRouterService — implements HttpRouter.registerRoute for NestJS.
+ *
+ * M2: raw body handling with bodyParser:false,
+ * requireSignature for webhook signature verification,
+ * rateLimit per route, timeout handling.
+ *
+ * Route prefix: /adapters/:adapterId/* (enforced)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdapterHttpRouterService = void 0;
+class AdapterHttpRouterService {
+    routes = [];
+    rateLimitCounters = new Map();
+    registerRoute(adapterId, path, handler, opts) {
+        const fullPath = `/adapters/${adapterId}${path}`;
+        this.routes.push({ adapterId, path, fullPath, handler, opts });
+    }
+    getRoutes() {
+        return this.routes;
+    }
+    findRoute(_method, url) {
+        for (const route of this.routes) {
+            if (url === route.fullPath || url.startsWith(route.fullPath)) {
+                return route;
+            }
+        }
+        return undefined;
+    }
+    clearRoutes() {
+        this.routes.length = 0;
+        this.rateLimitCounters.clear();
+    }
+    async handleRequest(route, req, res) {
+        if (!req.url.startsWith('/adapters/')) {
+            res.status(403).json({ error: 'route_prefix_violation' });
+            return;
+        }
+        if (route.opts?.requireSignature) {
+            const sig = req.headers[route.opts.requireSignature.headerName];
+            const sigStr = Array.isArray(sig) ? sig[0] : sig;
+            if (!sigStr || !route.opts.requireSignature.verify(req.body, sigStr)) {
+                res.status(401).json({ error: 'invalid_signature' });
+                return;
+            }
+        }
+        if (route.opts?.rateLimit) {
+            const key = `${route.adapterId}:${route.path}`;
+            const now = Date.now();
+            const entry = this.rateLimitCounters.get(key);
+            const windowMs = 60_000;
+            if (!entry || now >= entry.resetAt) {
+                this.rateLimitCounters.set(key, { count: 1, resetAt: now + windowMs });
+            }
+            else if (entry.count >= route.opts.rateLimit.requestsPerMin) {
+                res.status(429).json({ error: 'rate_limit_exceeded' });
+                return;
+            }
+            else {
+                entry.count++;
+            }
+        }
+        const timeoutMs = route.opts?.timeoutMs ?? 30_000;
+        let settled = false;
+        const timeout = setTimeout(() => {
+            if (!settled) {
+                settled = true;
+                res.status(504).json({ error: 'timeout' });
+            }
+        }, timeoutMs);
+        try {
+            await route.handler(req, res);
+            if (!settled) {
+                settled = true;
+                clearTimeout(timeout);
+            }
+        }
+        catch (err) {
+            if (!settled) {
+                settled = true;
+                clearTimeout(timeout);
+                res.status(500).json({
+                    error: 'handler_error',
+                    message: err instanceof Error ? err.message : String(err),
+                });
+            }
+        }
+    }
+}
+exports.AdapterHttpRouterService = AdapterHttpRouterService;

package/dist-server/app.module.js

@@ -0,0 +1,111 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AppModule = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const throttler_1 = require("@nestjs/throttler");
+const repository_exception_filter_js_1 = require("./common/repository.exception-filter.js");
+const workspace_middleware_js_1 = require("./common/middleware/workspace.middleware.js");
+const config_1 = require("@nestjs/config");
+const cli_module_js_1 = require("./domain/cli/cli.module.js");
+const usage_module_js_1 = require("./domain/usage/usage.module.js");
+const task_module_js_1 = require("./domain/task/task.module.js");
+const mcp_module_js_1 = require("./domain/mcp/mcp.module.js");
+const agent_module_js_1 = require("./domain/agent/agent.module.js");
+const git_module_js_1 = require("./domain/git/git.module.js");
+const knowledge_module_js_1 = require("./domain/knowledge/knowledge.module.js");
+const wbs_module_js_1 = require("./domain/wbs/wbs.module.js");
+const thread_module_js_1 = require("./domain/thread/thread.module.js");
+const doc_module_js_1 = require("./domain/doc/doc.module.js");
+const document_module_js_1 = require("./domain/document/document.module.js");
+const project_module_js_1 = require("./domain/project/project.module.js");
+const onboarding_module_js_1 = require("./domain/onboarding/onboarding.module.js");
+const box_module_js_1 = require("./domain/box/box.module.js");
+const message_module_js_1 = require("./domain/message/message.module.js");
+const market_module_js_1 = require("./domain/market/market.module.js");
+const workflow_module_js_1 = require("./domain/workflow/workflow.module.js");
+const planner_module_js_1 = require("./domain/planner/planner.module.js");
+const goal_module_js_1 = require("./domain/goal/goal.module.js");
+const workspace_module_js_1 = require("./domain/workspace/workspace.module.js");
+const health_module_js_1 = require("./domain/health/health.module.js");
+const http_logging_interceptor_js_1 = require("./common/interceptor/http-logging.interceptor.js");
+const api_id_header_interceptor_js_1 = require("./common/interceptor/api-id-header.interceptor.js");
+const repository_module_js_1 = require("./repository/repository.module.js");
+const crewx_module_js_1 = require("./modules/crewx.module.js");
+const analytics_module_js_1 = require("./common/analytics.module.js");
+const limits_module_js_1 = require("./common/limits/limits.module.js");
+const fs_module_js_1 = require("./domain/fs/fs.module.js");
+const auth_module_js_1 = require("./domain/auth/auth.module.js");
+const settings_module_js_1 = require("./domain/settings/settings.module.js");
+let AppModule = class AppModule {
+    configure(consumer) {
+        consumer
+            .apply(workspace_middleware_js_1.WorkspaceMiddleware)
+            .forRoutes({ path: 'ws/:slug/(.*)', method: common_1.RequestMethod.ALL });
+    }
+};
+exports.AppModule = AppModule;
+exports.AppModule = AppModule = __decorate([
+    (0, common_1.Module)({
+        imports: [
+            config_1.ConfigModule.forRoot({ isGlobal: true }),
+            throttler_1.ThrottlerModule.forRoot([{ ttl: 60000, limit: 100 }]),
+            repository_module_js_1.RepositoryModule,
+            analytics_module_js_1.AnalyticsModule,
+            crewx_module_js_1.CrewxModule,
+            // Workspace-scoped modules (controllers use ws/:slug/* prefix directly)
+            thread_module_js_1.ThreadModule,
+            message_module_js_1.MessageModule,
+            task_module_js_1.TaskModule,
+            agent_module_js_1.AgentModule,
+            usage_module_js_1.UsageModule,
+            document_module_js_1.DocumentModule,
+            doc_module_js_1.DocModule,
+            knowledge_module_js_1.KnowledgeModule,
+            onboarding_module_js_1.OnboardingModule,
+            project_module_js_1.ProjectModule,
+            market_module_js_1.MarketModule,
+            wbs_module_js_1.WbsModule,
+            workflow_module_js_1.WorkflowModule,
+            planner_module_js_1.PlannerModule,
+            goal_module_js_1.GoalModule,
+            limits_module_js_1.LimitsModule,
+            // Global modules (no workspace prefix)
+            cli_module_js_1.CliModule,
+            mcp_module_js_1.McpModule,
+            auth_module_js_1.AuthModule,
+            git_module_js_1.GitModule,
+            box_module_js_1.BoxModule,
+            fs_module_js_1.FsModule,
+            workspace_module_js_1.WorkspaceModule,
+            health_module_js_1.HealthModule,
+            settings_module_js_1.SettingsModule,
+        ],
+        controllers: [],
+        providers: [
+            core_1.Reflector,
+            {
+                provide: core_1.APP_FILTER,
+                useClass: repository_exception_filter_js_1.RepositoryExceptionFilter,
+            },
+            {
+                provide: core_1.APP_GUARD,
+                useClass: throttler_1.ThrottlerGuard,
+            },
+            {
+                provide: core_1.APP_INTERCEPTOR,
+                useClass: api_id_header_interceptor_js_1.ApiIdHeaderInterceptor,
+            },
+            {
+                provide: core_1.APP_INTERCEPTOR,
+                useClass: http_logging_interceptor_js_1.HttpLoggingInterceptor,
+            },
+        ],
+    })
+], AppModule);

package/dist-server/bootstrap/crewx-server.js

@@ -0,0 +1,80 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createServerCrewx = createServerCrewx;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+const sdk_1 = require("@crewx/sdk");
+const plugins_1 = require("@crewx/sdk/plugins");
+const repository_1 = require("@crewx/sdk/repository");
+const node_1 = require("@crewx/sdk/tools/node");
+const SERVER_VERSION = (() => {
+    try {
+        const pkg = JSON.parse((0, fs_1.readFileSync)((0, path_1.join)(__dirname, '../../package.json'), 'utf8'));
+        return pkg.version ?? '0.0.0';
+    }
+    catch {
+        return '0.0.0';
+    }
+})();
+/**
+ * Build a Crewx instance for the NestJS server with standard plugins
+ * (FileLogger + SqliteTracing) plus built-in node tools registration.
+ * Passes itself as remoteFactory so that file:// remote agent delegation
+ * inherits the same plugin/tool environment in the target Crewx instance
+ * (identical semantics to CLI's createCliCrewx).
+ *
+ * Behavior mirrors createCliCrewx:
+ *   - If configPath resolves to an existing file → load it (with built-ins merged)
+ *   - If configPath is NOT set via CREWX_CONFIG env AND the file doesn't exist →
+ *     fall back to built-in-only mode so `crewx` can launch from any cwd
+ *   - If CREWX_CONFIG is explicitly set AND the file doesn't exist → throw
+ *
+ * workspaceRoot used by FileLoggerPlugin: directory of the yaml when present,
+ * otherwise process.cwd() so logs land in the launch directory.
+ */
+async function createServerCrewx(configPath) {
+    let yamlPath;
+    let workspaceRoot;
+    if (configPath !== undefined) {
+        // Caller explicitly provided a path — trust it directly without existsSync
+        const absConfigPath = (0, path_1.resolve)(configPath);
+        yamlPath = absConfigPath;
+        workspaceRoot = (0, path_1.dirname)(absConfigPath);
+    }
+    else {
+        // No explicit path — use env/default with existsSync fallback
+        const defaultPath = (0, path_1.resolve)(process.env.CREWX_CONFIG ?? 'crewx.yaml');
+        const isExplicitConfig = Boolean(process.env.CREWX_CONFIG);
+        const fileExists = (0, fs_1.existsSync)(defaultPath);
+        if (fileExists) {
+            yamlPath = defaultPath;
+            workspaceRoot = (0, path_1.dirname)(defaultPath);
+        }
+        else if (isExplicitConfig) {
+            throw new Error(`[crewx] Config file not found: ${defaultPath} (set via CREWX_CONFIG)`);
+        }
+        else {
+            yamlPath = undefined;
+            workspaceRoot = process.cwd();
+        }
+    }
+    const dbDir = (0, path_1.join)((0, os_1.homedir)(), '.crewx');
+    (0, fs_1.mkdirSync)(dbDir, { recursive: true });
+    const dbPath = (0, path_1.join)(dbDir, 'crewx.db');
+    const handle = (0, repository_1.openDrizzleDb)(dbPath);
+    try {
+        (0, repository_1.runMigrations)(handle.db);
+    }
+    finally {
+        handle.close();
+    }
+    const crewx = await sdk_1.Crewx.loadYaml(yamlPath, {
+        remoteFactory: createServerCrewx,
+    });
+    (0, node_1.registerBuiltinTools)(crewx);
+    await crewx.use(new plugins_1.FileLoggerPlugin({ workspaceRoot, version: SERVER_VERSION }));
+    await crewx.use(new plugins_1.SqliteTracingPlugin({ version: SERVER_VERSION }));
+    await crewx.use(new plugins_1.ConversationPlugin());
+    return crewx;
+}

package/dist-server/bootstrap/tls.js

@@ -0,0 +1,138 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CERT_PATH = void 0;
+exports.resolveHttpsOptions = resolveHttpsOptions;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+const child_process_1 = require("child_process");
+const node_forge_1 = __importDefault(require("node-forge"));
+const TLS_DIR = (0, path_1.join)((0, os_1.homedir)(), '.crewx', 'tls');
+const CA_CERT_PATH = (0, path_1.join)(TLS_DIR, 'ca.pem');
+const CA_KEY_PATH = (0, path_1.join)(TLS_DIR, 'ca-key.pem');
+const CERT_PATH = (0, path_1.join)(TLS_DIR, 'cert.pem');
+exports.CERT_PATH = CERT_PATH;
+const KEY_PATH = (0, path_1.join)(TLS_DIR, 'key.pem');
+async function resolveHttpsOptions() {
+    if (process.env.CREWX_HTTPS !== 'true') {
+        return null;
+    }
+    if (process.env.TLS_CERT && process.env.TLS_KEY) {
+        return {
+            cert: (0, fs_1.readFileSync)(process.env.TLS_CERT),
+            key: (0, fs_1.readFileSync)(process.env.TLS_KEY),
+        };
+    }
+    if ((0, fs_1.existsSync)(CA_CERT_PATH) && (0, fs_1.existsSync)(CERT_PATH) && (0, fs_1.existsSync)(KEY_PATH)) {
+        return {
+            cert: (0, fs_1.readFileSync)(CERT_PATH),
+            key: (0, fs_1.readFileSync)(KEY_PATH),
+        };
+    }
+    // Generate CA (or reuse existing) + server cert signed by CA
+    const ca = ensureCACert();
+    const server = generateServerCert(ca.cert, ca.key);
+    (0, fs_1.writeFileSync)(CERT_PATH, server.certPem, { mode: 0o644 });
+    (0, fs_1.writeFileSync)(KEY_PATH, server.keyPem, { mode: 0o600 });
+    if (ca.isNew && process.env.CREWX_TRUST_CA === 'true') {
+        installCA(CA_CERT_PATH);
+    }
+    return {
+        cert: Buffer.from(server.certPem),
+        key: Buffer.from(server.keyPem),
+    };
+}
+function ensureCACert() {
+    if ((0, fs_1.existsSync)(CA_CERT_PATH) && (0, fs_1.existsSync)(CA_KEY_PATH)) {
+        return {
+            cert: node_forge_1.default.pki.certificateFromPem((0, fs_1.readFileSync)(CA_CERT_PATH, 'utf8')),
+            key: node_forge_1.default.pki.privateKeyFromPem((0, fs_1.readFileSync)(CA_KEY_PATH, 'utf8')),
+            isNew: false,
+        };
+    }
+    const keys = node_forge_1.default.pki.rsa.generateKeyPair(2048);
+    const cert = node_forge_1.default.pki.createCertificate();
+    cert.publicKey = keys.publicKey;
+    cert.serialNumber = randomSerialNumber();
+    cert.validity.notBefore = new Date();
+    cert.validity.notAfter = new Date();
+    cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 10);
+    const attrs = [
+        { name: 'commonName', value: 'SowonLabs CrewX Local CA' },
+        { name: 'organizationName', value: 'SowonLabs' },
+    ];
+    cert.setSubject(attrs);
+    cert.setIssuer(attrs);
+    cert.setExtensions([
+        { name: 'basicConstraints', cA: true },
+        { name: 'keyUsage', keyCertSign: true, cRLSign: true },
+    ]);
+    cert.sign(keys.privateKey, node_forge_1.default.md.sha256.create());
+    (0, fs_1.mkdirSync)(TLS_DIR, { recursive: true });
+    (0, fs_1.writeFileSync)(CA_CERT_PATH, node_forge_1.default.pki.certificateToPem(cert), { mode: 0o644 });
+    (0, fs_1.writeFileSync)(CA_KEY_PATH, node_forge_1.default.pki.privateKeyToPem(keys.privateKey), {
+        mode: 0o600,
+    });
+    console.log('🏛️  SowonLabs CrewX Local CA created: ~/.crewx/tls/ca.pem');
+    return { cert, key: keys.privateKey, isNew: true };
+}
+function generateServerCert(caCert, caKey) {
+    const host = (0, os_1.hostname)();
+    const keys = node_forge_1.default.pki.rsa.generateKeyPair(2048);
+    const cert = node_forge_1.default.pki.createCertificate();
+    cert.publicKey = keys.publicKey;
+    cert.serialNumber = randomSerialNumber();
+    cert.validity.notBefore = new Date();
+    cert.validity.notAfter = new Date();
+    cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);
+    cert.setSubject([{ name: 'commonName', value: host }]);
+    cert.setIssuer(caCert.subject.attributes);
+    cert.setExtensions([
+        {
+            name: 'subjectAltName',
+            altNames: [
+                { type: 2, value: 'localhost' },
+                { type: 2, value: host },
+                { type: 7, ip: '127.0.0.1' },
+                { type: 7, ip: '::1' },
+            ],
+        },
+    ]);
+    cert.sign(caKey, node_forge_1.default.md.sha256.create());
+    console.log('🔒 Server certificate issued by SowonLabs CA: ~/.crewx/tls/cert.pem');
+    return {
+        certPem: node_forge_1.default.pki.certificateToPem(cert),
+        keyPem: node_forge_1.default.pki.privateKeyToPem(keys.privateKey),
+    };
+}
+function installCA(caCertPath) {
+    const platform = process.platform;
+    console.log('');
+    console.log('🔐 Installing CA certificate to system trust store...');
+    console.log('');
+    try {
+        if (platform === 'win32') {
+            (0, child_process_1.execSync)(`powershell -Command "Import-Certificate -FilePath '${caCertPath}' -CertStoreLocation Cert:\\CurrentUser\\Root"`, { stdio: 'inherit' });
+        }
+        else if (platform === 'darwin') {
+            (0, child_process_1.execSync)(`security add-trusted-cert -r trustRoot -k ~/Library/Keychains/login.keychain-db "${caCertPath}"`, { stdio: 'inherit' });
+        }
+        else {
+            console.log('   Manual installation required on Linux:');
+            console.log(`   sudo cp ${caCertPath} /usr/local/share/ca-certificates/crewx-ca.crt`);
+            console.log('   sudo update-ca-certificates');
+            return;
+        }
+        console.log('✅ SowonLabs CA installed. HTTPS will work without browser warnings.');
+    }
+    catch {
+        console.log('⚠️  CA installation failed. HTTPS still works, but browser will show a warning.');
+        console.log(`   Manual install: ${caCertPath}`);
+    }
+}
+function randomSerialNumber() {
+    return node_forge_1.default.util.bytesToHex(node_forge_1.default.random.getBytesSync(16));
+}