git-daemon 0.1.2 → 0.1.4

package/.eslintrc.cjs

@@ -14,5 +14,5 @@ module.exports = {
   rules: {
     "@typescript-eslint/no-unused-vars": ["error", { argsIgnorePattern: "^_" }]
   },
-  ignorePatterns: ["dist/", "node_modules/"]
+  ignorePatterns: ["dist/", "node_modules/", "workspace/"]
 };

package/README.md

@@ -41,6 +41,58 @@ npm run daemon
 
 The daemon listens on `http://127.0.0.1:8790` by default.
 
+## HTTPS support
+
+The daemon can also listen on HTTPS (with a locally-trusted certificate).
+
+Generate a local cert/key (requires `mkcert`):
+
+```bash
+npm run cert:local
+```
+
+This writes certs under your daemon config directory (e.g. `~/Library/Preferences/Git Daemon/certs` on macOS).
+Then update your config (example):
+
+```json
+{
+  "server": {
+    "host": "127.0.0.1",
+    "port": 8790,
+    "https": {
+      "enabled": true,
+      "port": 8791,
+      "keyPath": "/absolute/path/to/certs/localhost-key.pem",
+      "certPath": "/absolute/path/to/certs/localhost.pem"
+    }
+  }
+}
+```
+
+For HTTPS test clones, `npm run test:clone` auto-detects mkcert and sets
+`NODE_EXTRA_CA_CERTS` unless you disable it with `MKCERT_AUTO_TRUST=0`.
+
+## Setup workspace root
+
+```bash
+npm run setup
+```
+
+This prompts for an absolute workspace root path and saves it to your config. The prompt reads from the terminal directly (via `/dev/tty` on macOS/Linux) so it still works in many IDE run configurations.
+For development, you can also run `npm run setup:dev`.
+
+Non-interactive setup (no TTY):
+
+```bash
+GIT_DAEMON_WORKSPACE_ROOT=/absolute/path npm run setup
+```
+
+Or:
+
+```bash
+npm run setup -- --workspace=/absolute/path
+```
+
 Verbose logging options:
 
 - `GIT_DAEMON_LOG_STDOUT=1` to mirror logs to stdout

package/config.schema.json

@@ -36,6 +36,28 @@
           "minimum": 1,
           "maximum": 65535,
           "default": 8790
+        },
+        "https": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "enabled": {
+              "type": "boolean",
+              "default": false
+            },
+            "port": {
+              "type": "integer",
+              "minimum": 1,
+              "maximum": 65535,
+              "default": 8791
+            },
+            "keyPath": {
+              "type": "string"
+            },
+            "certPath": {
+              "type": "string"
+            }
+          }
         }
       }
     },

package/dist/app.js

@@ -116,10 +116,30 @@ const createApp = (ctx) => {
         const sendEvent = (event) => {
             res.write(`data: ${JSON.stringify(event)}\n\n`);
         };
+        const isTerminalState = (event) => {
+            if (!event || typeof event !== "object") {
+                return false;
+            }
+            const record = event;
+            return (record.type === "state" &&
+                (record.state === "done" ||
+                    record.state === "error" ||
+                    record.state === "cancelled"));
+        };
         for (const event of job.events) {
             sendEvent(event);
+            if (isTerminalState(event)) {
+                res.end();
+                return;
+            }
         }
-        const listener = (event) => sendEvent(event);
+        const listener = (event) => {
+            sendEvent(event);
+            if (isTerminalState(event)) {
+                job.emitter.off("event", listener);
+                res.end();
+            }
+        };
         job.emitter.on("event", listener);
         req.on("close", () => {
             job.emitter.off("event", listener);

package/dist/cli-test-clone.js

@@ -0,0 +1,177 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const http_1 = __importDefault(require("http"));
+const https_1 = __importDefault(require("https"));
+const getEnv = (key, fallback) => process.env[key] || fallback;
+const ORIGIN = getEnv("ORIGIN", "https://app.example.com");
+const HTTP_PORT = Number(getEnv("PORT", "8790"));
+const HTTPS_PORT = Number(getEnv("HTTPS_PORT", "8791"));
+const HTTP_BASE = `http://127.0.0.1:${HTTP_PORT}`;
+const HTTPS_BASE = `https://127.0.0.1:${HTTPS_PORT}`;
+const HTTP_REPO = getEnv("HTTP_REPO_URL", "git@github.com:bunnybones1/git-daemon.git");
+const HTTP_DEST = getEnv("HTTP_DEST_RELATIVE", "bunnybones1/git-daemon");
+const HTTPS_REPO = getEnv("HTTPS_REPO_URL", "git@github.com:bunnybones1/github-thing.git");
+const HTTPS_DEST = getEnv("HTTPS_DEST_RELATIVE", "bunnybones1/github-thing");
+const HTTPS_INSECURE = getEnv("HTTPS_INSECURE", "0") === "1";
+const asRecord = (value) => value && typeof value === "object"
+    ? value
+    : null;
+const getString = (value) => typeof value === "string" ? value : null;
+const readJson = (res) => new Promise((resolve, reject) => {
+    let raw = "";
+    res.setEncoding("utf8");
+    res.on("data", (chunk) => {
+        raw += chunk;
+    });
+    res.on("end", () => {
+        try {
+            const data = raw ? JSON.parse(raw) : {};
+            resolve({ status: res.statusCode || 0, data });
+        }
+        catch (err) {
+            reject(err);
+        }
+    });
+});
+const requestJson = (client, baseUrl, path, body, token) => new Promise((resolve, reject) => {
+    const payload = JSON.stringify(body);
+    const headers = {
+        Origin: ORIGIN,
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(payload),
+    };
+    if (token) {
+        headers.Authorization = `Bearer ${token}`;
+    }
+    const req = client.request(`${baseUrl}${path}`, {
+        method: "POST",
+        headers,
+    }, (res) => {
+        readJson(res).then(resolve).catch(reject);
+    });
+    req.on("error", reject);
+    req.write(payload);
+    req.end();
+});
+const requestJsonHttps = (path, body, token) => new Promise((resolve, reject) => {
+    const payload = JSON.stringify(body);
+    const headers = {
+        Origin: ORIGIN,
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(payload),
+    };
+    if (token) {
+        headers.Authorization = `Bearer ${token}`;
+    }
+    const req = https_1.default.request(`${HTTPS_BASE}${path}`, {
+        method: "POST",
+        headers,
+        rejectUnauthorized: !HTTPS_INSECURE,
+    }, (res) => {
+        readJson(res).then(resolve).catch(reject);
+    });
+    req.on("error", reject);
+    req.write(payload);
+    req.end();
+});
+const streamEvents = (client, baseUrl, jobId, token) => new Promise((resolve, reject) => {
+    const req = client.request(`${baseUrl}/v1/jobs/${jobId}/stream`, {
+        method: "GET",
+        headers: {
+            Origin: ORIGIN,
+            Authorization: `Bearer ${token}`,
+            Accept: "text/event-stream",
+        },
+    }, (res) => {
+        res.setEncoding("utf8");
+        res.on("data", (chunk) => {
+            process.stdout.write(chunk);
+        });
+        res.on("end", () => {
+            resolve();
+        });
+    });
+    req.on("error", reject);
+    req.end();
+});
+const streamEventsHttps = (jobId, token) => new Promise((resolve, reject) => {
+    const req = https_1.default.request(`${HTTPS_BASE}/v1/jobs/${jobId}/stream`, {
+        method: "GET",
+        headers: {
+            Origin: ORIGIN,
+            Authorization: `Bearer ${token}`,
+            Accept: "text/event-stream",
+        },
+        rejectUnauthorized: !HTTPS_INSECURE,
+    }, (res) => {
+        res.setEncoding("utf8");
+        res.on("data", (chunk) => {
+            process.stdout.write(chunk);
+        });
+        res.on("end", () => {
+            resolve();
+        });
+    });
+    req.on("error", reject);
+    req.end();
+});
+const main = async () => {
+    const start = await requestJson(http_1.default, HTTP_BASE, "/v1/pair", {
+        step: "start",
+    });
+    const startData = asRecord(start.data);
+    const code = startData ? getString(startData.code) : null;
+    if (start.status !== 200 || !code) {
+        console.error("Pairing start failed", start.data);
+        process.exit(1);
+    }
+    const confirm = await requestJson(http_1.default, HTTP_BASE, "/v1/pair", {
+        step: "confirm",
+        code,
+    });
+    const confirmData = asRecord(confirm.data);
+    const token = confirmData ? getString(confirmData.accessToken) : null;
+    if (confirm.status !== 200 || !token) {
+        console.error("Pairing confirm failed", confirm.data);
+        process.exit(1);
+    }
+    let hadError = false;
+    const httpClone = await requestJson(http_1.default, HTTP_BASE, "/v1/git/clone", {
+        repoUrl: HTTP_REPO,
+        destRelative: HTTP_DEST,
+    }, token);
+    const httpCloneData = asRecord(httpClone.data);
+    const httpJobId = httpCloneData ? getString(httpCloneData.jobId) : null;
+    if (httpClone.status !== 202 || !httpJobId) {
+        console.error("HTTP clone request failed", httpClone.data);
+        hadError = true;
+    }
+    else {
+        console.log(`http jobId=${httpJobId}`);
+        await streamEvents(http_1.default, HTTP_BASE, httpJobId, token);
+    }
+    const httpsClone = await requestJsonHttps("/v1/git/clone", {
+        repoUrl: HTTPS_REPO,
+        destRelative: HTTPS_DEST,
+    }, token);
+    const httpsCloneData = asRecord(httpsClone.data);
+    const httpsJobId = httpsCloneData ? getString(httpsCloneData.jobId) : null;
+    if (httpsClone.status !== 202 || !httpsJobId) {
+        console.error("HTTPS clone request failed", httpsClone.data);
+        hadError = true;
+    }
+    else {
+        console.log(`https jobId=${httpsJobId}`);
+        await streamEventsHttps(httpsJobId, token);
+    }
+    if (hadError) {
+        process.exit(1);
+    }
+};
+main().catch((err) => {
+    console.error("Test clone failed", err);
+    process.exit(1);
+});

package/dist/config.js

@@ -28,6 +28,10 @@ const defaultConfig = () => ({
     server: {
         host: "127.0.0.1",
         port: 8790,
+        https: {
+            enabled: false,
+            port: 8791,
+        },
     },
     originAllowlist: ["https://app.example.com"],
     workspaceRoot: null,
@@ -67,6 +71,10 @@ const loadConfig = async (configDir) => {
             server: {
                 ...(0, exports.defaultConfig)().server,
                 ...data.server,
+                https: {
+                    ...(0, exports.defaultConfig)().server.https,
+                    ...data.server?.https,
+                },
             },
             pairing: {
                 ...(0, exports.defaultConfig)().pairing,

package/dist/daemon.js

@@ -1,7 +1,14 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 const context_1 = require("./context");
 const app_1 = require("./app");
+const http_1 = __importDefault(require("http"));
+const https_1 = __importDefault(require("https"));
+const fs_1 = require("fs");
+const path_1 = __importDefault(require("path"));
 const start = async () => {
     const ctx = await (0, context_1.createContext)();
     const app = (0, app_1.createApp)(ctx);
@@ -14,14 +21,61 @@ const start = async () => {
     };
     ctx.logger.info(startupSummary, "Git Daemon starting");
     if (process.env.GIT_DAEMON_LOG_STDOUT !== "1") {
-        console.log(`[Git Daemon] config=${startupSummary.configDir} host=${startupSummary.host} port=${startupSummary.port}`);
+        console.log("[Git Daemon] Startup");
+        console.log(`  config: ${startupSummary.configDir}`);
+        console.log(`  host: ${startupSummary.host}`);
+        console.log(`  port: ${startupSummary.port}`);
+        console.log(`  workspace: ${startupSummary.workspaceRoot}`);
+        console.log(`  allowlist: ${startupSummary.originAllowlist.join(", ") || "none"}`);
+        const httpsConfig = ctx.config.server.https;
+        if (httpsConfig?.enabled) {
+            console.log(`  https: enabled (port ${httpsConfig.port ?? ctx.config.server.port + 1})`);
+            console.log(`  https.key: ${httpsConfig.keyPath ?? "missing"}`);
+            console.log(`  https.cert: ${httpsConfig.certPath ?? "missing"}`);
+        }
+        else {
+            console.log("  https: disabled");
+        }
     }
-    app.listen(ctx.config.server.port, ctx.config.server.host, () => {
+    const httpServer = http_1.default.createServer(app);
+    httpServer.on("error", (err) => {
+        ctx.logger.error({ err }, "HTTP server error");
+    });
+    httpServer.listen(ctx.config.server.port, ctx.config.server.host, () => {
         ctx.logger.info({
             host: ctx.config.server.host,
             port: ctx.config.server.port,
+            protocol: "http",
         }, "Git Daemon listening");
     });
+    const httpsConfig = ctx.config.server.https;
+    if (httpsConfig?.enabled) {
+        if (!httpsConfig.keyPath || !httpsConfig.certPath) {
+            throw new Error("HTTPS enabled but keyPath/certPath not configured in server.https.");
+        }
+        const keyPath = path_1.default.isAbsolute(httpsConfig.keyPath)
+            ? httpsConfig.keyPath
+            : path_1.default.join(ctx.configDir, httpsConfig.keyPath);
+        const certPath = path_1.default.isAbsolute(httpsConfig.certPath)
+            ? httpsConfig.certPath
+            : path_1.default.join(ctx.configDir, httpsConfig.certPath);
+        const [key, cert] = await Promise.all([
+            fs_1.promises.readFile(keyPath),
+            fs_1.promises.readFile(certPath),
+        ]);
+        const httpsServer = https_1.default.createServer({ key, cert }, app);
+        httpsServer.on("error", (err) => {
+            ctx.logger.error({ err }, "HTTPS server error");
+        });
+        const httpsPort = httpsConfig.port ?? ctx.config.server.port + 1;
+        httpsServer.listen(httpsPort, ctx.config.server.host, () => {
+            ctx.logger.info({
+                host: ctx.config.server.host,
+                port: httpsPort,
+                protocol: "https",
+            }, "Git Daemon listening (TLS)");
+        });
+    }
 };
 start().catch((err) => {
     console.error("Failed to start Git Daemon", err);

package/dist/logger.js

@@ -39,7 +39,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.createHttpLogger = exports.createLogger = void 0;
 const path_1 = __importDefault(require("path"));
 const fs_1 = require("fs");
-const pino_1 = __importDefault(require("pino"));
+const pino_1 = __importStar(require("pino"));
 const pino_http_1 = __importDefault(require("pino-http"));
 const rotating_file_stream_1 = require("rotating-file-stream");
 const createLogger = async (configDir, logging, enabled = true) => {
@@ -70,8 +70,8 @@ const createLogger = async (configDir, logging, enabled = true) => {
     else {
         streams.push({ stream: process.stdout });
     }
-    return (0, pino_1.default)({ enabled, level }, pino_1.default.multistream(streams));
+    return (0, pino_1.default)({ enabled, level }, (0, pino_1.multistream)(streams));
 };
 exports.createLogger = createLogger;
-const createHttpLogger = (logger) => (0, pino_http_1.default)({ logger: logger });
+const createHttpLogger = (logger) => (0, pino_http_1.default)({ logger });
 exports.createHttpLogger = createHttpLogger;

package/dist/setup.js

@@ -0,0 +1,167 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const path_1 = __importDefault(require("path"));
+const os_1 = __importDefault(require("os"));
+const fs_1 = require("fs");
+const fsSync = __importStar(require("fs"));
+const readline_1 = __importDefault(require("readline"));
+const config_1 = require("./config");
+const expandHome = (input) => {
+    if (input === "~") {
+        return os_1.default.homedir();
+    }
+    if (input.startsWith("~/")) {
+        return path_1.default.join(os_1.default.homedir(), input.slice(2));
+    }
+    return input;
+};
+const pathExists = async (target) => {
+    try {
+        const stats = await fs_1.promises.stat(target);
+        return stats.isDirectory();
+    }
+    catch {
+        return false;
+    }
+};
+const createPromptInterface = () => {
+    if (process.stdin.isTTY && process.stdout.isTTY) {
+        return readline_1.default.createInterface({
+            input: process.stdin,
+            output: process.stdout,
+        });
+    }
+    const ttyPath = process.platform === "win32" ? "CON" : "/dev/tty";
+    try {
+        const input = fsSync.createReadStream(ttyPath, { encoding: "utf8" });
+        const output = fsSync.createWriteStream(ttyPath);
+        return readline_1.default.createInterface({ input, output });
+    }
+    catch {
+        return null;
+    }
+};
+const askQuestion = (rl, question) => new Promise((resolve) => {
+    rl.question(question, (answer) => resolve(answer));
+});
+const promptForWorkspace = async (rl, initialValue) => {
+    let result = null;
+    while (result === null) {
+        const answer = await askQuestion(rl, `Workspace root directory (absolute path) [${initialValue}]: `);
+        const trimmed = answer.trim();
+        const value = trimmed.length > 0 ? trimmed : initialValue;
+        if (!value) {
+            return null;
+        }
+        const expanded = expandHome(value);
+        if (!path_1.default.isAbsolute(expanded)) {
+            console.log("Workspace root must be an absolute path.");
+            continue;
+        }
+        result = value;
+    }
+    return result;
+};
+const promptYesNo = async (rl, message, defaultValue) => {
+    const suffix = defaultValue ? "[Y/n]" : "[y/N]";
+    const answer = await askQuestion(rl, `${message} ${suffix} `);
+    const normalized = answer.trim().toLowerCase();
+    if (!normalized) {
+        return defaultValue;
+    }
+    return normalized === "y" || normalized === "yes";
+};
+const readWorkspaceArg = () => {
+    const args = process.argv.slice(2);
+    const flagIndex = args.findIndex((arg) => arg === "--workspace");
+    if (flagIndex >= 0 && args[flagIndex + 1]) {
+        return args[flagIndex + 1];
+    }
+    const inline = args.find((arg) => arg.startsWith("--workspace="));
+    if (inline) {
+        return inline.split("=").slice(1).join("=");
+    }
+    return null;
+};
+const setup = async () => {
+    const configDir = (0, config_1.getConfigDir)();
+    const config = await (0, config_1.loadConfig)(configDir);
+    console.log(`[Git Daemon setup] config=${configDir}`);
+    const provided = process.env.GIT_DAEMON_WORKSPACE_ROOT || readWorkspaceArg();
+    let workspaceInput = provided?.trim();
+    let rl = null;
+    if (!workspaceInput) {
+        rl = createPromptInterface();
+        if (!rl) {
+            console.error("No interactive prompt available. Use GIT_DAEMON_WORKSPACE_ROOT=/path or --workspace=/path.");
+            process.exit(1);
+        }
+        workspaceInput = await promptForWorkspace(rl, config.workspaceRoot ?? process.cwd());
+    }
+    if (!workspaceInput) {
+        console.error("Workspace root was not provided.");
+        process.exit(1);
+    }
+    const expanded = expandHome(workspaceInput);
+    const resolved = path_1.default.resolve(expanded);
+    if (!(await pathExists(resolved))) {
+        if (!rl) {
+            rl = createPromptInterface();
+        }
+        if (!rl) {
+            console.error(`Directory does not exist: ${resolved}`);
+            console.error("Create it manually, then rerun setup.");
+            process.exit(1);
+        }
+        const create = await promptYesNo(rl, `Directory does not exist. Create ${resolved}?`, true);
+        if (!create) {
+            console.log("Setup aborted. Workspace root not saved.");
+            process.exit(1);
+        }
+        await fs_1.promises.mkdir(resolved, { recursive: true });
+    }
+    config.workspaceRoot = resolved;
+    await (0, config_1.saveConfig)(configDir, config);
+    console.log(`Workspace root set to ${resolved}`);
+    rl?.close();
+};
+setup().catch((err) => {
+    console.error("Setup failed", err);
+    process.exit(1);
+});

package/openapi.yaml

@@ -7,6 +7,7 @@ info:
     that matches the allowlist. Non-public endpoints require a Bearer token.
 servers:
   - url: http://127.0.0.1:8790
+  - url: https://127.0.0.1:8791
 security:
   - bearerAuth: []
 paths:

package/package.json

@@ -1,14 +1,17 @@
 {
   "name": "git-daemon",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "private": false,
   "type": "commonjs",
   "main": "dist/daemon.js",
   "scripts": {
     "build": "tsc",
     "daemon": "tsx src/daemon.ts",
+    "daemon:setup": "tsx src/setup.ts",
     "test": "vitest run",
     "test:watch": "vitest",
+    "test:clone": "bash scripts/test-clone.sh",
+    "cert:local": "bash scripts/generate-local-cert.sh",
     "lint": "eslint . --ext .ts",
     "lint:fix": "eslint . --ext .ts --fix"
   },

package/scripts/generate-local-cert.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if ! command -v mkcert >/dev/null 2>&1; then
+  echo "mkcert is required to generate a locally-trusted certificate."
+  echo "Install it from https://github.com/FiloSottile/mkcert and retry."
+  exit 1
+fi
+
+CONFIG_DIR=$(node -e "const mod=require('env-paths'); const envPaths=mod.default||mod; console.log(envPaths('Git Daemon',{suffix:''}).config)")
+CERT_DIR="${CONFIG_DIR}/certs"
+
+mkdir -p "${CERT_DIR}"
+
+mkcert -install
+mkcert \
+  -key-file "${CERT_DIR}/localhost-key.pem" \
+  -cert-file "${CERT_DIR}/localhost.pem" \
+  127.0.0.1 localhost ::1
+
+echo "Generated certs in ${CERT_DIR}"

package/scripts/test-clone.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "${MKCERT_AUTO_TRUST:-1}" != "0" ]] && command -v mkcert >/dev/null 2>&1; then
+  CAROOT=$(mkcert -CAROOT)
+  export NODE_EXTRA_CA_CERTS="${CAROOT}/rootCA.pem"
+fi
+
+mkdir -p .tmp
+TMPDIR="$PWD/.tmp" exec tsx src/cli-test-clone.ts

package/src/app.ts

@@ -198,11 +198,34 @@ export const createApp = (ctx: DaemonContext) => {
         res.write(`data: ${JSON.stringify(event)}\n\n`);
       };
 
+      const isTerminalState = (event: unknown) => {
+        if (!event || typeof event !== "object") {
+          return false;
+        }
+        const record = event as { type?: string; state?: string };
+        return (
+          record.type === "state" &&
+          (record.state === "done" ||
+            record.state === "error" ||
+            record.state === "cancelled")
+        );
+      };
+
       for (const event of job.events) {
         sendEvent(event);
+        if (isTerminalState(event)) {
+          res.end();
+          return;
+        }
       }
 
-      const listener = (event: unknown) => sendEvent(event);
+      const listener = (event: unknown) => {
+        sendEvent(event);
+        if (isTerminalState(event)) {
+          job.emitter.off("event", listener);
+          res.end();
+        }
+      };
       job.emitter.on("event", listener);
 
       req.on("close", () => {

package/src/cli-test-clone.ts

@@ -0,0 +1,238 @@
+import http from "http";
+import https from "https";
+import type { IncomingMessage } from "http";
+
+const getEnv = (key: string, fallback: string) => process.env[key] || fallback;
+
+const ORIGIN = getEnv("ORIGIN", "https://app.example.com");
+const HTTP_PORT = Number(getEnv("PORT", "8790"));
+const HTTPS_PORT = Number(getEnv("HTTPS_PORT", "8791"));
+const HTTP_BASE = `http://127.0.0.1:${HTTP_PORT}`;
+const HTTPS_BASE = `https://127.0.0.1:${HTTPS_PORT}`;
+const HTTP_REPO = getEnv(
+  "HTTP_REPO_URL",
+  "git@github.com:bunnybones1/git-daemon.git",
+);
+const HTTP_DEST = getEnv("HTTP_DEST_RELATIVE", "bunnybones1/git-daemon");
+const HTTPS_REPO = getEnv(
+  "HTTPS_REPO_URL",
+  "git@github.com:bunnybones1/github-thing.git",
+);
+const HTTPS_DEST = getEnv("HTTPS_DEST_RELATIVE", "bunnybones1/github-thing");
+const HTTPS_INSECURE = getEnv("HTTPS_INSECURE", "0") === "1";
+
+const asRecord = (value: unknown): Record<string, unknown> | null =>
+  value && typeof value === "object"
+    ? (value as Record<string, unknown>)
+    : null;
+
+const getString = (value: unknown): string | null =>
+  typeof value === "string" ? value : null;
+
+const readJson = (res: IncomingMessage) =>
+  new Promise<{ status: number; data: unknown }>((resolve, reject) => {
+    let raw = "";
+    res.setEncoding("utf8");
+    res.on("data", (chunk) => {
+      raw += chunk;
+    });
+    res.on("end", () => {
+      try {
+        const data = raw ? JSON.parse(raw) : {};
+        resolve({ status: res.statusCode || 0, data });
+      } catch (err) {
+        reject(err);
+      }
+    });
+  });
+
+const requestJson = (
+  client: typeof http,
+  baseUrl: string,
+  path: string,
+  body: unknown,
+  token?: string,
+) =>
+  new Promise<{ status: number; data: unknown }>((resolve, reject) => {
+    const payload = JSON.stringify(body);
+    const headers: Record<string, string | number> = {
+      Origin: ORIGIN,
+      "Content-Type": "application/json",
+      "Content-Length": Buffer.byteLength(payload),
+    };
+    if (token) {
+      headers.Authorization = `Bearer ${token}`;
+    }
+    const req = client.request(
+      `${baseUrl}${path}`,
+      {
+        method: "POST",
+        headers,
+      },
+      (res) => {
+        readJson(res).then(resolve).catch(reject);
+      },
+    );
+
+    req.on("error", reject);
+    req.write(payload);
+    req.end();
+  });
+
+const requestJsonHttps = (path: string, body: unknown, token?: string) =>
+  new Promise<{ status: number; data: unknown }>((resolve, reject) => {
+    const payload = JSON.stringify(body);
+    const headers: Record<string, string | number> = {
+      Origin: ORIGIN,
+      "Content-Type": "application/json",
+      "Content-Length": Buffer.byteLength(payload),
+    };
+    if (token) {
+      headers.Authorization = `Bearer ${token}`;
+    }
+    const req = https.request(
+      `${HTTPS_BASE}${path}`,
+      {
+        method: "POST",
+        headers,
+        rejectUnauthorized: !HTTPS_INSECURE,
+      },
+      (res) => {
+        readJson(res).then(resolve).catch(reject);
+      },
+    );
+
+    req.on("error", reject);
+    req.write(payload);
+    req.end();
+  });
+
+const streamEvents = (
+  client: typeof http,
+  baseUrl: string,
+  jobId: string,
+  token: string,
+) =>
+  new Promise<void>((resolve, reject) => {
+    const req = client.request(
+      `${baseUrl}/v1/jobs/${jobId}/stream`,
+      {
+        method: "GET",
+        headers: {
+          Origin: ORIGIN,
+          Authorization: `Bearer ${token}`,
+          Accept: "text/event-stream",
+        },
+      },
+      (res) => {
+        res.setEncoding("utf8");
+        res.on("data", (chunk) => {
+          process.stdout.write(chunk);
+        });
+        res.on("end", () => {
+          resolve();
+        });
+      },
+    );
+    req.on("error", reject);
+    req.end();
+  });
+
+const streamEventsHttps = (jobId: string, token: string) =>
+  new Promise<void>((resolve, reject) => {
+    const req = https.request(
+      `${HTTPS_BASE}/v1/jobs/${jobId}/stream`,
+      {
+        method: "GET",
+        headers: {
+          Origin: ORIGIN,
+          Authorization: `Bearer ${token}`,
+          Accept: "text/event-stream",
+        },
+        rejectUnauthorized: !HTTPS_INSECURE,
+      },
+      (res) => {
+        res.setEncoding("utf8");
+        res.on("data", (chunk) => {
+          process.stdout.write(chunk);
+        });
+        res.on("end", () => {
+          resolve();
+        });
+      },
+    );
+    req.on("error", reject);
+    req.end();
+  });
+
+const main = async () => {
+  const start = await requestJson(http, HTTP_BASE, "/v1/pair", {
+    step: "start",
+  });
+  const startData = asRecord(start.data);
+  const code = startData ? getString(startData.code) : null;
+  if (start.status !== 200 || !code) {
+    console.error("Pairing start failed", start.data);
+    process.exit(1);
+  }
+
+  const confirm = await requestJson(http, HTTP_BASE, "/v1/pair", {
+    step: "confirm",
+    code,
+  });
+  const confirmData = asRecord(confirm.data);
+  const token = confirmData ? getString(confirmData.accessToken) : null;
+  if (confirm.status !== 200 || !token) {
+    console.error("Pairing confirm failed", confirm.data);
+    process.exit(1);
+  }
+
+  let hadError = false;
+
+  const httpClone = await requestJson(
+    http,
+    HTTP_BASE,
+    "/v1/git/clone",
+    {
+      repoUrl: HTTP_REPO,
+      destRelative: HTTP_DEST,
+    },
+    token,
+  );
+  const httpCloneData = asRecord(httpClone.data);
+  const httpJobId = httpCloneData ? getString(httpCloneData.jobId) : null;
+  if (httpClone.status !== 202 || !httpJobId) {
+    console.error("HTTP clone request failed", httpClone.data);
+    hadError = true;
+  } else {
+    console.log(`http jobId=${httpJobId}`);
+    await streamEvents(http, HTTP_BASE, httpJobId, token);
+  }
+
+  const httpsClone = await requestJsonHttps(
+    "/v1/git/clone",
+    {
+      repoUrl: HTTPS_REPO,
+      destRelative: HTTPS_DEST,
+    },
+    token,
+  );
+  const httpsCloneData = asRecord(httpsClone.data);
+  const httpsJobId = httpsCloneData ? getString(httpsCloneData.jobId) : null;
+  if (httpsClone.status !== 202 || !httpsJobId) {
+    console.error("HTTPS clone request failed", httpsClone.data);
+    hadError = true;
+  } else {
+    console.log(`https jobId=${httpsJobId}`);
+    await streamEventsHttps(httpsJobId, token);
+  }
+
+  if (hadError) {
+    process.exit(1);
+  }
+};
+
+main().catch((err) => {
+  console.error("Test clone failed", err);
+  process.exit(1);
+});

package/src/config.ts

@@ -27,6 +27,10 @@ export const defaultConfig = (): AppConfig => ({
   server: {
     host: "127.0.0.1",
     port: 8790,
+    https: {
+      enabled: false,
+      port: 8791,
+    },
   },
   originAllowlist: ["https://app.example.com"],
   workspaceRoot: null,
@@ -66,6 +70,10 @@ export const loadConfig = async (configDir: string): Promise<AppConfig> => {
       server: {
         ...defaultConfig().server,
         ...data.server,
+        https: {
+          ...defaultConfig().server.https,
+          ...data.server?.https,
+        },
       },
       pairing: {
         ...defaultConfig().pairing,

package/src/daemon.ts

@@ -1,5 +1,9 @@
 import { createContext } from "./context";
 import { createApp } from "./app";
+import http from "http";
+import https from "https";
+import { promises as fs } from "fs";
+import path from "path";
 
 const start = async () => {
   const ctx = await createContext();
@@ -14,20 +18,75 @@ const start = async () => {
   };
   ctx.logger.info(startupSummary, "Git Daemon starting");
   if (process.env.GIT_DAEMON_LOG_STDOUT !== "1") {
+    console.log("[Git Daemon] Startup");
+    console.log(`  config: ${startupSummary.configDir}`);
+    console.log(`  host: ${startupSummary.host}`);
+    console.log(`  port: ${startupSummary.port}`);
+    console.log(`  workspace: ${startupSummary.workspaceRoot}`);
     console.log(
-      `[Git Daemon] config=${startupSummary.configDir} host=${startupSummary.host} port=${startupSummary.port}`,
+      `  allowlist: ${startupSummary.originAllowlist.join(", ") || "none"}`,
     );
+    const httpsConfig = ctx.config.server.https;
+    if (httpsConfig?.enabled) {
+      console.log(
+        `  https: enabled (port ${httpsConfig.port ?? ctx.config.server.port + 1})`,
+      );
+      console.log(`  https.key: ${httpsConfig.keyPath ?? "missing"}`);
+      console.log(`  https.cert: ${httpsConfig.certPath ?? "missing"}`);
+    } else {
+      console.log("  https: disabled");
+    }
   }
 
-  app.listen(ctx.config.server.port, ctx.config.server.host, () => {
+  const httpServer = http.createServer(app);
+  httpServer.on("error", (err) => {
+    ctx.logger.error({ err }, "HTTP server error");
+  });
+  httpServer.listen(ctx.config.server.port, ctx.config.server.host, () => {
     ctx.logger.info(
       {
         host: ctx.config.server.host,
         port: ctx.config.server.port,
+        protocol: "http",
       },
       "Git Daemon listening",
     );
   });
+
+  const httpsConfig = ctx.config.server.https;
+  if (httpsConfig?.enabled) {
+    if (!httpsConfig.keyPath || !httpsConfig.certPath) {
+      throw new Error(
+        "HTTPS enabled but keyPath/certPath not configured in server.https.",
+      );
+    }
+    const keyPath = path.isAbsolute(httpsConfig.keyPath)
+      ? httpsConfig.keyPath
+      : path.join(ctx.configDir, httpsConfig.keyPath);
+    const certPath = path.isAbsolute(httpsConfig.certPath)
+      ? httpsConfig.certPath
+      : path.join(ctx.configDir, httpsConfig.certPath);
+
+    const [key, cert] = await Promise.all([
+      fs.readFile(keyPath),
+      fs.readFile(certPath),
+    ]);
+    const httpsServer = https.createServer({ key, cert }, app);
+    httpsServer.on("error", (err) => {
+      ctx.logger.error({ err }, "HTTPS server error");
+    });
+    const httpsPort = httpsConfig.port ?? ctx.config.server.port + 1;
+    httpsServer.listen(httpsPort, ctx.config.server.host, () => {
+      ctx.logger.info(
+        {
+          host: ctx.config.server.host,
+          port: httpsPort,
+          protocol: "https",
+        },
+        "Git Daemon listening (TLS)",
+      );
+    });
+  }
 };
 
 start().catch((err) => {

package/src/jobs.ts

@@ -1,6 +1,12 @@
 import { EventEmitter } from "events";
 import crypto from "crypto";
-import type { ApiErrorBody, JobEvent, JobProgressEvent, JobState, JobStatus } from "./types";
+import type {
+  ApiErrorBody,
+  JobEvent,
+  JobProgressEvent,
+  JobState,
+  JobStatus,
+} from "./types";
 import { timeoutError } from "./errors";
 
 const MAX_EVENTS = 2000;

package/src/logger.ts

@@ -1,6 +1,6 @@
 import path from "path";
 import { promises as fs } from "fs";
-import pino from "pino";
+import pino, { multistream } from "pino";
 import pinoHttp from "pino-http";
 import type { Logger } from "pino";
 import { createStream } from "rotating-file-stream";
@@ -41,8 +41,10 @@ export const createLogger = async (
     streams.push({ stream: process.stdout });
   }
 
-  return pino({ enabled, level }, (pino as any).multistream(streams));
+  return pino({ enabled, level }, multistream(streams));
 };
 
+type PinoHttpOptions = Parameters<typeof pinoHttp>[0];
+
 export const createHttpLogger = (logger: Logger) =>
-  pinoHttp({ logger: logger as any });
+  pinoHttp({ logger } as unknown as PinoHttpOptions);

package/src/setup.ts

@@ -0,0 +1,165 @@
+import path from "path";
+import os from "os";
+import { promises as fs } from "fs";
+import * as fsSync from "fs";
+import readline from "readline";
+import { getConfigDir, loadConfig, saveConfig } from "./config";
+
+const expandHome = (input: string) => {
+  if (input === "~") {
+    return os.homedir();
+  }
+  if (input.startsWith("~/")) {
+    return path.join(os.homedir(), input.slice(2));
+  }
+  return input;
+};
+
+const pathExists = async (target: string) => {
+  try {
+    const stats = await fs.stat(target);
+    return stats.isDirectory();
+  } catch {
+    return false;
+  }
+};
+
+const createPromptInterface = () => {
+  if (process.stdin.isTTY && process.stdout.isTTY) {
+    return readline.createInterface({
+      input: process.stdin,
+      output: process.stdout,
+    });
+  }
+  const ttyPath = process.platform === "win32" ? "CON" : "/dev/tty";
+  try {
+    const input = fsSync.createReadStream(ttyPath, { encoding: "utf8" });
+    const output = fsSync.createWriteStream(ttyPath);
+    return readline.createInterface({ input, output });
+  } catch {
+    return null;
+  }
+};
+
+const askQuestion = (rl: readline.Interface, question: string) =>
+  new Promise<string>((resolve) => {
+    rl.question(question, (answer) => resolve(answer));
+  });
+
+const promptForWorkspace = async (
+  rl: readline.Interface,
+  initialValue: string,
+) => {
+  let result: string | null = null;
+  while (result === null) {
+    const answer = await askQuestion(
+      rl,
+      `Workspace root directory (absolute path) [${initialValue}]: `,
+    );
+    const trimmed = answer.trim();
+    const value = trimmed.length > 0 ? trimmed : initialValue;
+    if (!value) {
+      return null;
+    }
+    const expanded = expandHome(value);
+    if (!path.isAbsolute(expanded)) {
+      console.log("Workspace root must be an absolute path.");
+      continue;
+    }
+    result = value;
+  }
+  return result;
+};
+
+const promptYesNo = async (
+  rl: readline.Interface,
+  message: string,
+  defaultValue: boolean,
+) => {
+  const suffix = defaultValue ? "[Y/n]" : "[y/N]";
+  const answer = await askQuestion(rl, `${message} ${suffix} `);
+  const normalized = answer.trim().toLowerCase();
+  if (!normalized) {
+    return defaultValue;
+  }
+  return normalized === "y" || normalized === "yes";
+};
+
+const readWorkspaceArg = () => {
+  const args = process.argv.slice(2);
+  const flagIndex = args.findIndex((arg) => arg === "--workspace");
+  if (flagIndex >= 0 && args[flagIndex + 1]) {
+    return args[flagIndex + 1];
+  }
+  const inline = args.find((arg) => arg.startsWith("--workspace="));
+  if (inline) {
+    return inline.split("=").slice(1).join("=");
+  }
+  return null;
+};
+
+const setup = async () => {
+  const configDir = getConfigDir();
+  const config = await loadConfig(configDir);
+
+  console.log(`[Git Daemon setup] config=${configDir}`);
+
+  const provided = process.env.GIT_DAEMON_WORKSPACE_ROOT || readWorkspaceArg();
+
+  let workspaceInput: string | null | undefined = provided?.trim();
+  let rl: readline.Interface | null = null;
+
+  if (!workspaceInput) {
+    rl = createPromptInterface();
+    if (!rl) {
+      console.error(
+        "No interactive prompt available. Use GIT_DAEMON_WORKSPACE_ROOT=/path or --workspace=/path.",
+      );
+      process.exit(1);
+    }
+    workspaceInput = await promptForWorkspace(
+      rl,
+      config.workspaceRoot ?? process.cwd(),
+    );
+  }
+
+  if (!workspaceInput) {
+    console.error("Workspace root was not provided.");
+    process.exit(1);
+  }
+
+  const expanded = expandHome(workspaceInput);
+  const resolved = path.resolve(expanded);
+
+  if (!(await pathExists(resolved))) {
+    if (!rl) {
+      rl = createPromptInterface();
+    }
+    if (!rl) {
+      console.error(`Directory does not exist: ${resolved}`);
+      console.error("Create it manually, then rerun setup.");
+      process.exit(1);
+    }
+    const create = await promptYesNo(
+      rl,
+      `Directory does not exist. Create ${resolved}?`,
+      true,
+    );
+    if (!create) {
+      console.log("Setup aborted. Workspace root not saved.");
+      process.exit(1);
+    }
+    await fs.mkdir(resolved, { recursive: true });
+  }
+
+  config.workspaceRoot = resolved;
+  await saveConfig(configDir, config);
+
+  console.log(`Workspace root set to ${resolved}`);
+  rl?.close();
+};
+
+setup().catch((err) => {
+  console.error("Setup failed", err);
+  process.exit(1);
+});

package/src/types.ts

@@ -12,6 +12,12 @@ export type AppConfig = {
   server: {
     host: string;
     port: number;
+    https?: {
+      enabled?: boolean;
+      port?: number;
+      keyPath?: string;
+      certPath?: string;
+    };
   };
   originAllowlist: string[];
   workspaceRoot: string | null;