git-daemon 0.1.3 → 0.1.4

package/README.md

@@ -41,6 +41,37 @@ npm run daemon
 
 The daemon listens on `http://127.0.0.1:8790` by default.
 
+## HTTPS support
+
+The daemon can also listen on HTTPS (with a locally-trusted certificate).
+
+Generate a local cert/key (requires `mkcert`):
+
+```bash
+npm run cert:local
+```
+
+This writes certs under your daemon config directory (e.g. `~/Library/Preferences/Git Daemon/certs` on macOS).
+Then update your config (example):
+
+```json
+{
+  "server": {
+    "host": "127.0.0.1",
+    "port": 8790,
+    "https": {
+      "enabled": true,
+      "port": 8791,
+      "keyPath": "/absolute/path/to/certs/localhost-key.pem",
+      "certPath": "/absolute/path/to/certs/localhost.pem"
+    }
+  }
+}
+```
+
+For HTTPS test clones, `npm run test:clone` auto-detects mkcert and sets
+`NODE_EXTRA_CA_CERTS` unless you disable it with `MKCERT_AUTO_TRUST=0`.
+
 ## Setup workspace root
 
 ```bash

package/config.schema.json

@@ -36,6 +36,28 @@
           "minimum": 1,
           "maximum": 65535,
           "default": 8790
+        },
+        "https": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "enabled": {
+              "type": "boolean",
+              "default": false
+            },
+            "port": {
+              "type": "integer",
+              "minimum": 1,
+              "maximum": 65535,
+              "default": 8791
+            },
+            "keyPath": {
+              "type": "string"
+            },
+            "certPath": {
+              "type": "string"
+            }
+          }
         }
       }
     },

package/dist/cli-test-clone.js

@@ -4,79 +4,108 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const http_1 = __importDefault(require("http"));
+const https_1 = __importDefault(require("https"));
 const getEnv = (key, fallback) => process.env[key] || fallback;
 const ORIGIN = getEnv("ORIGIN", "https://app.example.com");
-const PORT = Number(getEnv("PORT", "8790"));
-const BASE = `http://127.0.0.1:${PORT}`;
-const REPO = getEnv("REPO_URL", "git@github.com:bunnybones1/git-daemon.git");
-const DEST = getEnv("DEST_RELATIVE", "bunnybones1/git-daemon");
-const requestJson = (path, body) => new Promise((resolve, reject) => {
+const HTTP_PORT = Number(getEnv("PORT", "8790"));
+const HTTPS_PORT = Number(getEnv("HTTPS_PORT", "8791"));
+const HTTP_BASE = `http://127.0.0.1:${HTTP_PORT}`;
+const HTTPS_BASE = `https://127.0.0.1:${HTTPS_PORT}`;
+const HTTP_REPO = getEnv("HTTP_REPO_URL", "git@github.com:bunnybones1/git-daemon.git");
+const HTTP_DEST = getEnv("HTTP_DEST_RELATIVE", "bunnybones1/git-daemon");
+const HTTPS_REPO = getEnv("HTTPS_REPO_URL", "git@github.com:bunnybones1/github-thing.git");
+const HTTPS_DEST = getEnv("HTTPS_DEST_RELATIVE", "bunnybones1/github-thing");
+const HTTPS_INSECURE = getEnv("HTTPS_INSECURE", "0") === "1";
+const asRecord = (value) => value && typeof value === "object"
+    ? value
+    : null;
+const getString = (value) => typeof value === "string" ? value : null;
+const readJson = (res) => new Promise((resolve, reject) => {
+    let raw = "";
+    res.setEncoding("utf8");
+    res.on("data", (chunk) => {
+        raw += chunk;
+    });
+    res.on("end", () => {
+        try {
+            const data = raw ? JSON.parse(raw) : {};
+            resolve({ status: res.statusCode || 0, data });
+        }
+        catch (err) {
+            reject(err);
+        }
+    });
+});
+const requestJson = (client, baseUrl, path, body, token) => new Promise((resolve, reject) => {
     const payload = JSON.stringify(body);
-    const req = http_1.default.request(`${BASE}${path}`, {
+    const headers = {
+        Origin: ORIGIN,
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(payload),
+    };
+    if (token) {
+        headers.Authorization = `Bearer ${token}`;
+    }
+    const req = client.request(`${baseUrl}${path}`, {
         method: "POST",
-        headers: {
-            Origin: ORIGIN,
-            "Content-Type": "application/json",
-            "Content-Length": Buffer.byteLength(payload),
-        },
+        headers,
     }, (res) => {
-        let raw = "";
-        res.setEncoding("utf8");
-        res.on("data", (chunk) => {
-            raw += chunk;
-        });
-        res.on("end", () => {
-            try {
-                const data = raw ? JSON.parse(raw) : {};
-                resolve({ status: res.statusCode || 0, data });
-            }
-            catch (err) {
-                reject(err);
-            }
-        });
+        readJson(res).then(resolve).catch(reject);
     });
     req.on("error", reject);
     req.write(payload);
     req.end();
 });
-const requestJsonAuth = (path, token, body) => new Promise((resolve, reject) => {
+const requestJsonHttps = (path, body, token) => new Promise((resolve, reject) => {
     const payload = JSON.stringify(body);
-    const req = http_1.default.request(`${BASE}${path}`, {
+    const headers = {
+        Origin: ORIGIN,
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(payload),
+    };
+    if (token) {
+        headers.Authorization = `Bearer ${token}`;
+    }
+    const req = https_1.default.request(`${HTTPS_BASE}${path}`, {
         method: "POST",
+        headers,
+        rejectUnauthorized: !HTTPS_INSECURE,
+    }, (res) => {
+        readJson(res).then(resolve).catch(reject);
+    });
+    req.on("error", reject);
+    req.write(payload);
+    req.end();
+});
+const streamEvents = (client, baseUrl, jobId, token) => new Promise((resolve, reject) => {
+    const req = client.request(`${baseUrl}/v1/jobs/${jobId}/stream`, {
+        method: "GET",
         headers: {
             Origin: ORIGIN,
             Authorization: `Bearer ${token}`,
-            "Content-Type": "application/json",
-            "Content-Length": Buffer.byteLength(payload),
+            Accept: "text/event-stream",
         },
     }, (res) => {
-        let raw = "";
         res.setEncoding("utf8");
         res.on("data", (chunk) => {
-            raw += chunk;
+            process.stdout.write(chunk);
         });
         res.on("end", () => {
-            try {
-                const data = raw ? JSON.parse(raw) : {};
-                resolve({ status: res.statusCode || 0, data });
-            }
-            catch (err) {
-                reject(err);
-            }
+            resolve();
         });
     });
     req.on("error", reject);
-    req.write(payload);
     req.end();
 });
-const streamEvents = (jobId, token) => new Promise((resolve, reject) => {
-    const req = http_1.default.request(`${BASE}/v1/jobs/${jobId}/stream`, {
+const streamEventsHttps = (jobId, token) => new Promise((resolve, reject) => {
+    const req = https_1.default.request(`${HTTPS_BASE}/v1/jobs/${jobId}/stream`, {
         method: "GET",
         headers: {
             Origin: ORIGIN,
             Authorization: `Bearer ${token}`,
             Accept: "text/event-stream",
         },
+        rejectUnauthorized: !HTTPS_INSECURE,
     }, (res) => {
         res.setEncoding("utf8");
         res.on("data", (chunk) => {
@@ -90,31 +119,57 @@ const streamEvents = (jobId, token) => new Promise((resolve, reject) => {
     req.end();
 });
 const main = async () => {
-    const start = await requestJson("/v1/pair", { step: "start" });
-    if (start.status !== 200 || !start.data.code) {
+    const start = await requestJson(http_1.default, HTTP_BASE, "/v1/pair", {
+        step: "start",
+    });
+    const startData = asRecord(start.data);
+    const code = startData ? getString(startData.code) : null;
+    if (start.status !== 200 || !code) {
         console.error("Pairing start failed", start.data);
         process.exit(1);
     }
-    const confirm = await requestJson("/v1/pair", {
+    const confirm = await requestJson(http_1.default, HTTP_BASE, "/v1/pair", {
         step: "confirm",
-        code: start.data.code,
+        code,
     });
-    if (confirm.status !== 200 || !confirm.data.accessToken) {
+    const confirmData = asRecord(confirm.data);
+    const token = confirmData ? getString(confirmData.accessToken) : null;
+    if (confirm.status !== 200 || !token) {
         console.error("Pairing confirm failed", confirm.data);
         process.exit(1);
     }
-    const token = confirm.data.accessToken;
-    const clone = await requestJsonAuth("/v1/git/clone", token, {
-        repoUrl: REPO,
-        destRelative: DEST,
-    });
-    if (clone.status !== 202 || !clone.data.jobId) {
-        console.error("Clone request failed", clone.data);
+    let hadError = false;
+    const httpClone = await requestJson(http_1.default, HTTP_BASE, "/v1/git/clone", {
+        repoUrl: HTTP_REPO,
+        destRelative: HTTP_DEST,
+    }, token);
+    const httpCloneData = asRecord(httpClone.data);
+    const httpJobId = httpCloneData ? getString(httpCloneData.jobId) : null;
+    if (httpClone.status !== 202 || !httpJobId) {
+        console.error("HTTP clone request failed", httpClone.data);
+        hadError = true;
+    }
+    else {
+        console.log(`http jobId=${httpJobId}`);
+        await streamEvents(http_1.default, HTTP_BASE, httpJobId, token);
+    }
+    const httpsClone = await requestJsonHttps("/v1/git/clone", {
+        repoUrl: HTTPS_REPO,
+        destRelative: HTTPS_DEST,
+    }, token);
+    const httpsCloneData = asRecord(httpsClone.data);
+    const httpsJobId = httpsCloneData ? getString(httpsCloneData.jobId) : null;
+    if (httpsClone.status !== 202 || !httpsJobId) {
+        console.error("HTTPS clone request failed", httpsClone.data);
+        hadError = true;
+    }
+    else {
+        console.log(`https jobId=${httpsJobId}`);
+        await streamEventsHttps(httpsJobId, token);
+    }
+    if (hadError) {
         process.exit(1);
     }
-    const jobId = clone.data.jobId;
-    console.log(`jobId=${jobId}`);
-    await streamEvents(jobId, token);
 };
 main().catch((err) => {
     console.error("Test clone failed", err);

package/dist/config.js

@@ -28,6 +28,10 @@ const defaultConfig = () => ({
     server: {
         host: "127.0.0.1",
         port: 8790,
+        https: {
+            enabled: false,
+            port: 8791,
+        },
     },
     originAllowlist: ["https://app.example.com"],
     workspaceRoot: null,
@@ -67,6 +71,10 @@ const loadConfig = async (configDir) => {
             server: {
                 ...(0, exports.defaultConfig)().server,
                 ...data.server,
+                https: {
+                    ...(0, exports.defaultConfig)().server.https,
+                    ...data.server?.https,
+                },
             },
             pairing: {
                 ...(0, exports.defaultConfig)().pairing,

package/dist/daemon.js

@@ -1,7 +1,14 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 const context_1 = require("./context");
 const app_1 = require("./app");
+const http_1 = __importDefault(require("http"));
+const https_1 = __importDefault(require("https"));
+const fs_1 = require("fs");
+const path_1 = __importDefault(require("path"));
 const start = async () => {
     const ctx = await (0, context_1.createContext)();
     const app = (0, app_1.createApp)(ctx);
@@ -20,13 +27,55 @@ const start = async () => {
         console.log(`  port: ${startupSummary.port}`);
         console.log(`  workspace: ${startupSummary.workspaceRoot}`);
         console.log(`  allowlist: ${startupSummary.originAllowlist.join(", ") || "none"}`);
+        const httpsConfig = ctx.config.server.https;
+        if (httpsConfig?.enabled) {
+            console.log(`  https: enabled (port ${httpsConfig.port ?? ctx.config.server.port + 1})`);
+            console.log(`  https.key: ${httpsConfig.keyPath ?? "missing"}`);
+            console.log(`  https.cert: ${httpsConfig.certPath ?? "missing"}`);
+        }
+        else {
+            console.log("  https: disabled");
+        }
     }
-    app.listen(ctx.config.server.port, ctx.config.server.host, () => {
+    const httpServer = http_1.default.createServer(app);
+    httpServer.on("error", (err) => {
+        ctx.logger.error({ err }, "HTTP server error");
+    });
+    httpServer.listen(ctx.config.server.port, ctx.config.server.host, () => {
         ctx.logger.info({
             host: ctx.config.server.host,
             port: ctx.config.server.port,
+            protocol: "http",
         }, "Git Daemon listening");
     });
+    const httpsConfig = ctx.config.server.https;
+    if (httpsConfig?.enabled) {
+        if (!httpsConfig.keyPath || !httpsConfig.certPath) {
+            throw new Error("HTTPS enabled but keyPath/certPath not configured in server.https.");
+        }
+        const keyPath = path_1.default.isAbsolute(httpsConfig.keyPath)
+            ? httpsConfig.keyPath
+            : path_1.default.join(ctx.configDir, httpsConfig.keyPath);
+        const certPath = path_1.default.isAbsolute(httpsConfig.certPath)
+            ? httpsConfig.certPath
+            : path_1.default.join(ctx.configDir, httpsConfig.certPath);
+        const [key, cert] = await Promise.all([
+            fs_1.promises.readFile(keyPath),
+            fs_1.promises.readFile(certPath),
+        ]);
+        const httpsServer = https_1.default.createServer({ key, cert }, app);
+        httpsServer.on("error", (err) => {
+            ctx.logger.error({ err }, "HTTPS server error");
+        });
+        const httpsPort = httpsConfig.port ?? ctx.config.server.port + 1;
+        httpsServer.listen(httpsPort, ctx.config.server.host, () => {
+            ctx.logger.info({
+                host: ctx.config.server.host,
+                port: httpsPort,
+                protocol: "https",
+            }, "Git Daemon listening (TLS)");
+        });
+    }
 };
 start().catch((err) => {
     console.error("Failed to start Git Daemon", err);

package/dist/logger.js

@@ -39,7 +39,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.createHttpLogger = exports.createLogger = void 0;
 const path_1 = __importDefault(require("path"));
 const fs_1 = require("fs");
-const pino_1 = __importDefault(require("pino"));
+const pino_1 = __importStar(require("pino"));
 const pino_http_1 = __importDefault(require("pino-http"));
 const rotating_file_stream_1 = require("rotating-file-stream");
 const createLogger = async (configDir, logging, enabled = true) => {
@@ -70,8 +70,8 @@ const createLogger = async (configDir, logging, enabled = true) => {
     else {
         streams.push({ stream: process.stdout });
     }
-    return (0, pino_1.default)({ enabled, level }, pino_1.default.multistream(streams));
+    return (0, pino_1.default)({ enabled, level }, (0, pino_1.multistream)(streams));
 };
 exports.createLogger = createLogger;
-const createHttpLogger = (logger) => (0, pino_http_1.default)({ logger: logger });
+const createHttpLogger = (logger) => (0, pino_http_1.default)({ logger });
 exports.createHttpLogger = createHttpLogger;

package/dist/setup.js

@@ -81,7 +81,8 @@ const askQuestion = (rl, question) => new Promise((resolve) => {
     rl.question(question, (answer) => resolve(answer));
 });
 const promptForWorkspace = async (rl, initialValue) => {
-    while (true) {
+    let result = null;
+    while (result === null) {
         const answer = await askQuestion(rl, `Workspace root directory (absolute path) [${initialValue}]: `);
         const trimmed = answer.trim();
         const value = trimmed.length > 0 ? trimmed : initialValue;
@@ -93,8 +94,9 @@ const promptForWorkspace = async (rl, initialValue) => {
             console.log("Workspace root must be an absolute path.");
             continue;
         }
-        return value;
+        result = value;
     }
+    return result;
 };
 const promptYesNo = async (rl, message, defaultValue) => {
     const suffix = defaultValue ? "[Y/n]" : "[y/N]";

package/openapi.yaml

@@ -7,6 +7,7 @@ info:
     that matches the allowlist. Non-public endpoints require a Bearer token.
 servers:
   - url: http://127.0.0.1:8790
+  - url: https://127.0.0.1:8791
 security:
   - bearerAuth: []
 paths:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "git-daemon",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "private": false,
   "type": "commonjs",
   "main": "dist/daemon.js",
@@ -10,7 +10,8 @@
     "daemon:setup": "tsx src/setup.ts",
     "test": "vitest run",
     "test:watch": "vitest",
-    "test:clone": "tsx src/cli-test-clone.ts",
+    "test:clone": "bash scripts/test-clone.sh",
+    "cert:local": "bash scripts/generate-local-cert.sh",
     "lint": "eslint . --ext .ts",
     "lint:fix": "eslint . --ext .ts --fix"
   },

package/scripts/generate-local-cert.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if ! command -v mkcert >/dev/null 2>&1; then
+  echo "mkcert is required to generate a locally-trusted certificate."
+  echo "Install it from https://github.com/FiloSottile/mkcert and retry."
+  exit 1
+fi
+
+CONFIG_DIR=$(node -e "const mod=require('env-paths'); const envPaths=mod.default||mod; console.log(envPaths('Git Daemon',{suffix:''}).config)")
+CERT_DIR="${CONFIG_DIR}/certs"
+
+mkdir -p "${CERT_DIR}"
+
+mkcert -install
+mkcert \
+  -key-file "${CERT_DIR}/localhost-key.pem" \
+  -cert-file "${CERT_DIR}/localhost.pem" \
+  127.0.0.1 localhost ::1
+
+echo "Generated certs in ${CERT_DIR}"

package/scripts/test-clone.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "${MKCERT_AUTO_TRUST:-1}" != "0" ]] && command -v mkcert >/dev/null 2>&1; then
+  CAROOT=$(mkcert -CAROOT)
+  export NODE_EXTRA_CA_CERTS="${CAROOT}/rootCA.pem"
+fi
+
+mkdir -p .tmp
+TMPDIR="$PWD/.tmp" exec tsx src/cli-test-clone.ts

package/src/cli-test-clone.ts

@@ -1,12 +1,25 @@
 import http from "http";
+import https from "https";
+import type { IncomingMessage } from "http";
 
 const getEnv = (key: string, fallback: string) => process.env[key] || fallback;
 
 const ORIGIN = getEnv("ORIGIN", "https://app.example.com");
-const PORT = Number(getEnv("PORT", "8790"));
-const BASE = `http://127.0.0.1:${PORT}`;
-const REPO = getEnv("REPO_URL", "git@github.com:bunnybones1/git-daemon.git");
-const DEST = getEnv("DEST_RELATIVE", "bunnybones1/git-daemon");
+const HTTP_PORT = Number(getEnv("PORT", "8790"));
+const HTTPS_PORT = Number(getEnv("HTTPS_PORT", "8791"));
+const HTTP_BASE = `http://127.0.0.1:${HTTP_PORT}`;
+const HTTPS_BASE = `https://127.0.0.1:${HTTPS_PORT}`;
+const HTTP_REPO = getEnv(
+  "HTTP_REPO_URL",
+  "git@github.com:bunnybones1/git-daemon.git",
+);
+const HTTP_DEST = getEnv("HTTP_DEST_RELATIVE", "bunnybones1/git-daemon");
+const HTTPS_REPO = getEnv(
+  "HTTPS_REPO_URL",
+  "git@github.com:bunnybones1/github-thing.git",
+);
+const HTTPS_DEST = getEnv("HTTPS_DEST_RELATIVE", "bunnybones1/github-thing");
+const HTTPS_INSECURE = getEnv("HTTPS_INSECURE", "0") === "1";
 
 const asRecord = (value: unknown): Record<string, unknown> | null =>
   value && typeof value === "object"
@@ -16,33 +29,48 @@ const asRecord = (value: unknown): Record<string, unknown> | null =>
 const getString = (value: unknown): string | null =>
   typeof value === "string" ? value : null;
 
-const requestJson = (path: string, body: unknown) =>
+const readJson = (res: IncomingMessage) =>
+  new Promise<{ status: number; data: unknown }>((resolve, reject) => {
+    let raw = "";
+    res.setEncoding("utf8");
+    res.on("data", (chunk) => {
+      raw += chunk;
+    });
+    res.on("end", () => {
+      try {
+        const data = raw ? JSON.parse(raw) : {};
+        resolve({ status: res.statusCode || 0, data });
+      } catch (err) {
+        reject(err);
+      }
+    });
+  });
+
+const requestJson = (
+  client: typeof http,
+  baseUrl: string,
+  path: string,
+  body: unknown,
+  token?: string,
+) =>
   new Promise<{ status: number; data: unknown }>((resolve, reject) => {
     const payload = JSON.stringify(body);
-    const req = http.request(
-      `${BASE}${path}`,
+    const headers: Record<string, string | number> = {
+      Origin: ORIGIN,
+      "Content-Type": "application/json",
+      "Content-Length": Buffer.byteLength(payload),
+    };
+    if (token) {
+      headers.Authorization = `Bearer ${token}`;
+    }
+    const req = client.request(
+      `${baseUrl}${path}`,
       {
         method: "POST",
-        headers: {
-          Origin: ORIGIN,
-          "Content-Type": "application/json",
-          "Content-Length": Buffer.byteLength(payload),
-        },
+        headers,
       },
       (res) => {
-        let raw = "";
-        res.setEncoding("utf8");
-        res.on("data", (chunk) => {
-          raw += chunk;
-        });
-        res.on("end", () => {
-          try {
-            const data = raw ? JSON.parse(raw) : {};
-            resolve({ status: res.statusCode || 0, data });
-          } catch (err) {
-            reject(err);
-          }
-        });
+        readJson(res).then(resolve).catch(reject);
       },
     );
 
@@ -51,46 +79,69 @@ const requestJson = (path: string, body: unknown) =>
     req.end();
   });
 
-const requestJsonAuth = (path: string, token: string, body: unknown) =>
+const requestJsonHttps = (path: string, body: unknown, token?: string) =>
   new Promise<{ status: number; data: unknown }>((resolve, reject) => {
     const payload = JSON.stringify(body);
-    const req = http.request(
-      `${BASE}${path}`,
+    const headers: Record<string, string | number> = {
+      Origin: ORIGIN,
+      "Content-Type": "application/json",
+      "Content-Length": Buffer.byteLength(payload),
+    };
+    if (token) {
+      headers.Authorization = `Bearer ${token}`;
+    }
+    const req = https.request(
+      `${HTTPS_BASE}${path}`,
       {
         method: "POST",
+        headers,
+        rejectUnauthorized: !HTTPS_INSECURE,
+      },
+      (res) => {
+        readJson(res).then(resolve).catch(reject);
+      },
+    );
+
+    req.on("error", reject);
+    req.write(payload);
+    req.end();
+  });
+
+const streamEvents = (
+  client: typeof http,
+  baseUrl: string,
+  jobId: string,
+  token: string,
+) =>
+  new Promise<void>((resolve, reject) => {
+    const req = client.request(
+      `${baseUrl}/v1/jobs/${jobId}/stream`,
+      {
+        method: "GET",
         headers: {
           Origin: ORIGIN,
           Authorization: `Bearer ${token}`,
-          "Content-Type": "application/json",
-          "Content-Length": Buffer.byteLength(payload),
+          Accept: "text/event-stream",
         },
       },
       (res) => {
-        let raw = "";
         res.setEncoding("utf8");
         res.on("data", (chunk) => {
-          raw += chunk;
+          process.stdout.write(chunk);
         });
         res.on("end", () => {
-          try {
-            const data = raw ? JSON.parse(raw) : {};
-            resolve({ status: res.statusCode || 0, data });
-          } catch (err) {
-            reject(err);
-          }
+          resolve();
         });
       },
     );
-
     req.on("error", reject);
-    req.write(payload);
     req.end();
   });
 
-const streamEvents = (jobId: string, token: string) =>
+const streamEventsHttps = (jobId: string, token: string) =>
   new Promise<void>((resolve, reject) => {
-    const req = http.request(
-      `${BASE}/v1/jobs/${jobId}/stream`,
+    const req = https.request(
+      `${HTTPS_BASE}/v1/jobs/${jobId}/stream`,
       {
         method: "GET",
         headers: {
@@ -98,6 +149,7 @@ const streamEvents = (jobId: string, token: string) =>
           Authorization: `Bearer ${token}`,
           Accept: "text/event-stream",
         },
+        rejectUnauthorized: !HTTPS_INSECURE,
       },
       (res) => {
         res.setEncoding("utf8");
@@ -114,7 +166,9 @@ const streamEvents = (jobId: string, token: string) =>
   });
 
 const main = async () => {
-  const start = await requestJson("/v1/pair", { step: "start" });
+  const start = await requestJson(http, HTTP_BASE, "/v1/pair", {
+    step: "start",
+  });
   const startData = asRecord(start.data);
   const code = startData ? getString(startData.code) : null;
   if (start.status !== 200 || !code) {
@@ -122,7 +176,7 @@ const main = async () => {
     process.exit(1);
   }
 
-  const confirm = await requestJson("/v1/pair", {
+  const confirm = await requestJson(http, HTTP_BASE, "/v1/pair", {
     step: "confirm",
     code,
   });
@@ -133,19 +187,49 @@ const main = async () => {
     process.exit(1);
   }
 
-  const clone = await requestJsonAuth("/v1/git/clone", token, {
-    repoUrl: REPO,
-    destRelative: DEST,
-  });
-  const cloneData = asRecord(clone.data);
-  const jobId = cloneData ? getString(cloneData.jobId) : null;
-  if (clone.status !== 202 || !jobId) {
-    console.error("Clone request failed", clone.data);
-    process.exit(1);
+  let hadError = false;
+
+  const httpClone = await requestJson(
+    http,
+    HTTP_BASE,
+    "/v1/git/clone",
+    {
+      repoUrl: HTTP_REPO,
+      destRelative: HTTP_DEST,
+    },
+    token,
+  );
+  const httpCloneData = asRecord(httpClone.data);
+  const httpJobId = httpCloneData ? getString(httpCloneData.jobId) : null;
+  if (httpClone.status !== 202 || !httpJobId) {
+    console.error("HTTP clone request failed", httpClone.data);
+    hadError = true;
+  } else {
+    console.log(`http jobId=${httpJobId}`);
+    await streamEvents(http, HTTP_BASE, httpJobId, token);
   }
 
-  console.log(`jobId=${jobId}`);
-  await streamEvents(jobId, token);
+  const httpsClone = await requestJsonHttps(
+    "/v1/git/clone",
+    {
+      repoUrl: HTTPS_REPO,
+      destRelative: HTTPS_DEST,
+    },
+    token,
+  );
+  const httpsCloneData = asRecord(httpsClone.data);
+  const httpsJobId = httpsCloneData ? getString(httpsCloneData.jobId) : null;
+  if (httpsClone.status !== 202 || !httpsJobId) {
+    console.error("HTTPS clone request failed", httpsClone.data);
+    hadError = true;
+  } else {
+    console.log(`https jobId=${httpsJobId}`);
+    await streamEventsHttps(httpsJobId, token);
+  }
+
+  if (hadError) {
+    process.exit(1);
+  }
 };
 
 main().catch((err) => {

package/src/config.ts

@@ -27,6 +27,10 @@ export const defaultConfig = (): AppConfig => ({
   server: {
     host: "127.0.0.1",
     port: 8790,
+    https: {
+      enabled: false,
+      port: 8791,
+    },
   },
   originAllowlist: ["https://app.example.com"],
   workspaceRoot: null,
@@ -66,6 +70,10 @@ export const loadConfig = async (configDir: string): Promise<AppConfig> => {
       server: {
         ...defaultConfig().server,
         ...data.server,
+        https: {
+          ...defaultConfig().server.https,
+          ...data.server?.https,
+        },
       },
       pairing: {
         ...defaultConfig().pairing,

package/src/daemon.ts

@@ -1,5 +1,9 @@
 import { createContext } from "./context";
 import { createApp } from "./app";
+import http from "http";
+import https from "https";
+import { promises as fs } from "fs";
+import path from "path";
 
 const start = async () => {
   const ctx = await createContext();
@@ -22,17 +26,67 @@ const start = async () => {
     console.log(
       `  allowlist: ${startupSummary.originAllowlist.join(", ") || "none"}`,
     );
+    const httpsConfig = ctx.config.server.https;
+    if (httpsConfig?.enabled) {
+      console.log(
+        `  https: enabled (port ${httpsConfig.port ?? ctx.config.server.port + 1})`,
+      );
+      console.log(`  https.key: ${httpsConfig.keyPath ?? "missing"}`);
+      console.log(`  https.cert: ${httpsConfig.certPath ?? "missing"}`);
+    } else {
+      console.log("  https: disabled");
+    }
   }
 
-  app.listen(ctx.config.server.port, ctx.config.server.host, () => {
+  const httpServer = http.createServer(app);
+  httpServer.on("error", (err) => {
+    ctx.logger.error({ err }, "HTTP server error");
+  });
+  httpServer.listen(ctx.config.server.port, ctx.config.server.host, () => {
     ctx.logger.info(
       {
         host: ctx.config.server.host,
         port: ctx.config.server.port,
+        protocol: "http",
       },
       "Git Daemon listening",
     );
   });
+
+  const httpsConfig = ctx.config.server.https;
+  if (httpsConfig?.enabled) {
+    if (!httpsConfig.keyPath || !httpsConfig.certPath) {
+      throw new Error(
+        "HTTPS enabled but keyPath/certPath not configured in server.https.",
+      );
+    }
+    const keyPath = path.isAbsolute(httpsConfig.keyPath)
+      ? httpsConfig.keyPath
+      : path.join(ctx.configDir, httpsConfig.keyPath);
+    const certPath = path.isAbsolute(httpsConfig.certPath)
+      ? httpsConfig.certPath
+      : path.join(ctx.configDir, httpsConfig.certPath);
+
+    const [key, cert] = await Promise.all([
+      fs.readFile(keyPath),
+      fs.readFile(certPath),
+    ]);
+    const httpsServer = https.createServer({ key, cert }, app);
+    httpsServer.on("error", (err) => {
+      ctx.logger.error({ err }, "HTTPS server error");
+    });
+    const httpsPort = httpsConfig.port ?? ctx.config.server.port + 1;
+    httpsServer.listen(httpsPort, ctx.config.server.host, () => {
+      ctx.logger.info(
+        {
+          host: ctx.config.server.host,
+          port: httpsPort,
+          protocol: "https",
+        },
+        "Git Daemon listening (TLS)",
+      );
+    });
+  }
 };
 
 start().catch((err) => {

package/src/logger.ts

@@ -44,5 +44,7 @@ export const createLogger = async (
   return pino({ enabled, level }, multistream(streams));
 };
 
+type PinoHttpOptions = Parameters<typeof pinoHttp>[0];
+
 export const createHttpLogger = (logger: Logger) =>
-  pinoHttp({ logger: logger as unknown as Logger });
+  pinoHttp({ logger } as unknown as PinoHttpOptions);

package/src/types.ts

@@ -12,6 +12,12 @@ export type AppConfig = {
   server: {
     host: string;
     port: number;
+    https?: {
+      enabled?: boolean;
+      port?: number;
+      keyPath?: string;
+      certPath?: string;
+    };
   };
   originAllowlist: string[];
   workspaceRoot: string | null;