specrails-desktop 2.0.0

package/server/dist/mobile/mobile-router.js

@@ -0,0 +1,411 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MOBILE_ALLOWLIST = void 0;
+exports.createMobileRouter = createMobileRouter;
+const express_1 = require("express");
+const auth_1 = require("../auth");
+const mobile_redact_1 = require("./mobile-redact");
+const mobile_auth_1 = require("./mobile-auth");
+// The LAN-facing REST surface. Two parts:
+//   /pair/*  — unauthenticated, locked-down pairing handshake.
+//   /v1/*    — authenticated allow-list. Each route forwards, in-process, via a
+//              REAL loopback HTTP request to http://127.0.0.1:<desktopPort> with
+//              the master token injected server-side as `x-desktop-token` (it
+//              never leaves the box).
+//
+// Forwarding is PARAMETERISED: the internal path is rebuilt from Express route
+// params (each a single URL segment — `..`/`/` can't appear), never from the raw
+// request URL, so there is no path-traversal or SPA-catch-all bypass. Responses
+// are deep-redacted before reaching the phone.
+const PID_RE = /^[A-Za-z0-9_-]{1,64}$/;
+const NUM_RE = /^\d{1,9}$/;
+const JOBID_RE = /^[A-Za-z0-9_-]{1,64}$/;
+const CONV_ID_RE = /^[A-Za-z0-9-]{1,64}$/;
+function createMobileRouter(deps) {
+    const router = (0, express_1.Router)();
+    const internalBase = `http://127.0.0.1:${deps.desktopPort}`;
+    // Express 5 types a route param as `string | string[]`; coerce to a single
+    // segment (an array — which path-to-regexp never produces here — collapses to
+    // '' and fails the validators below).
+    const seg = (v) => (typeof v === 'string' ? v : '');
+    // ─── Pairing (unauthenticated, rate-limited inside PairingManager) ──────────
+    const pairRouter = (0, express_1.Router)();
+    pairRouter.post('/claim', (req, res) => {
+        const body = (req.body ?? {});
+        const secret = typeof body.secret === 'string' ? body.secret : '';
+        const deviceName = typeof body.deviceName === 'string' ? body.deviceName : 'Device';
+        const platform = body.platform === 'android' ? 'android' : 'ios';
+        const ip = req.socket?.remoteAddress ?? 'unknown';
+        if (!secret) {
+            res.status(400).json({ error: 'secret required' });
+            return;
+        }
+        const result = deps.pairing.claim(secret, { name: deviceName, platform }, ip);
+        if (result.ok) {
+            res.json({ ok: true });
+            return;
+        }
+        const code = result.reason === 'locked' ? 429 : result.reason === 'no-session' || result.reason === 'expired' ? 410 : 403;
+        res.status(code).json({ ok: false, reason: result.reason });
+    });
+    pairRouter.get('/status', (req, res) => {
+        const claimId = typeof req.query.claimId === 'string' ? req.query.claimId : '';
+        if (!claimId) {
+            res.status(400).json({ error: 'claimId required' });
+            return;
+        }
+        res.json(deps.pairing.pollStatus(claimId));
+    });
+    router.use('/pair', pairRouter);
+    // ─── Authenticated allow-list (/v1) ─────────────────────────────────────────
+    const v1 = (0, express_1.Router)();
+    v1.use((0, mobile_auth_1.createMobileAuthMiddleware)({ db: deps.db, currentFingerprint: deps.currentFingerprint }));
+    /** Forward to the internal desktop API with the master token injected; redact
+     *  the JSON response. `internalPath` is built from validated params only. */
+    async function forward(res, method, internalPath, query, body) {
+        const url = internalBase + internalPath + (query ? `?${query}` : '');
+        try {
+            const init = {
+                method,
+                headers: {
+                    'x-desktop-token': (0, auth_1.loadOrGenerateToken)(),
+                    ...(body !== undefined ? { 'Content-Type': 'application/json' } : {}),
+                },
+                ...(body !== undefined ? { body: JSON.stringify(body) } : {}),
+            };
+            const upstream = await fetch(url, init);
+            const text = await upstream.text();
+            let json;
+            try {
+                json = text ? JSON.parse(text) : {};
+            }
+            catch {
+                // Non-JSON upstream (should not happen on the allow-listed API) — never
+                // forward raw bytes; collapse to a status echo.
+                res.status(502).json({ error: 'Bad upstream response' });
+                return;
+            }
+            res.status(upstream.status).json((0, mobile_redact_1.redact)(json));
+        }
+        catch {
+            res.status(502).json({ error: 'Server unreachable' });
+        }
+    }
+    function rawQuery(req) {
+        const i = req.originalUrl.indexOf('?');
+        return i >= 0 ? req.originalUrl.slice(i + 1) : '';
+    }
+    /** 400 unless every (value, regex) pair matches. Guards param injection. */
+    function validate(res, ...pairs) {
+        for (const [value, re] of pairs) {
+            if (!re.test(value)) {
+                res.status(400).json({ error: 'Invalid parameter' });
+                return false;
+            }
+        }
+        return true;
+    }
+    // —— Reads ——
+    v1.get('/projects', (req, res) => {
+        // Exact GET /api/projects is served by the desktop router (mounted at /api).
+        void forward(res, 'GET', '/api/projects', '');
+    });
+    const projectReads = [
+        ['/projects/:pid/tickets', '/tickets'],
+        ['/projects/:pid/jobs', '/jobs'],
+        ['/projects/:pid/queue', '/queue'],
+        ['/projects/:pid/rails', '/rails'],
+        ['/projects/:pid/activity', '/activity'],
+        ['/projects/:pid/stats', '/stats'],
+        ['/projects/:pid/state', '/state'],
+        ['/projects/:pid/spending', '/spending'],
+    ];
+    for (const [gw, internal] of projectReads) {
+        v1.get(gw, (req, res) => {
+            const pid = seg(req.params.pid);
+            if (!validate(res, [pid, PID_RE]))
+                return;
+            void forward(res, 'GET', `/api/projects/${encodeURIComponent(pid)}${internal}`, rawQuery(req));
+        });
+    }
+    v1.get('/projects/:pid/tickets/:tid', (req, res) => {
+        const pid = seg(req.params.pid), tid = seg(req.params.tid);
+        if (!validate(res, [pid, PID_RE], [tid, NUM_RE]))
+            return;
+        void forward(res, 'GET', `/api/projects/${encodeURIComponent(pid)}/tickets/${encodeURIComponent(tid)}`, '');
+    });
+    v1.get('/projects/:pid/jobs/:jid', (req, res) => {
+        const pid = seg(req.params.pid), jid = seg(req.params.jid);
+        if (!validate(res, [pid, PID_RE], [jid, JOBID_RE]))
+            return;
+        void forward(res, 'GET', `/api/projects/${encodeURIComponent(pid)}/jobs/${encodeURIComponent(jid)}`, '');
+    });
+    v1.get('/projects/:pid/tickets/:tid/spending-summary', (req, res) => {
+        const pid = seg(req.params.pid), tid = seg(req.params.tid);
+        if (!validate(res, [pid, PID_RE], [tid, NUM_RE]))
+            return;
+        void forward(res, 'GET', `/api/projects/${encodeURIComponent(pid)}/tickets/${encodeURIComponent(tid)}/spending-summary`, '');
+    });
+    // —— Actions (bodies narrowed) ——
+    v1.patch('/projects/:pid/tickets/:tid', (req, res) => {
+        const pid = seg(req.params.pid), tid = seg(req.params.tid);
+        if (!validate(res, [pid, PID_RE], [tid, NUM_RE]))
+            return;
+        const b = (req.body ?? {});
+        const narrowed = {};
+        if (typeof b.status === 'string')
+            narrowed.status = b.status;
+        if (typeof b.priority === 'string')
+            narrowed.priority = b.priority;
+        if (typeof b.title === 'string')
+            narrowed.title = b.title;
+        void forward(res, 'PATCH', `/api/projects/${encodeURIComponent(pid)}/tickets/${encodeURIComponent(tid)}`, '', narrowed);
+    });
+    v1.delete('/projects/:pid/tickets/:tid', (req, res) => {
+        const pid = seg(req.params.pid), tid = seg(req.params.tid);
+        if (!validate(res, [pid, PID_RE], [tid, NUM_RE]))
+            return;
+        void forward(res, 'DELETE', `/api/projects/${encodeURIComponent(pid)}/tickets/${encodeURIComponent(tid)}`, '');
+    });
+    v1.put('/projects/:pid/rails/:i/tickets', (req, res) => {
+        const pid = seg(req.params.pid), i = seg(req.params.i);
+        if (!validate(res, [pid, PID_RE], [i, NUM_RE]))
+            return;
+        const b = (req.body ?? {});
+        const ticketIds = Array.isArray(b.ticketIds) ? b.ticketIds.filter((n) => typeof n === 'number') : [];
+        void forward(res, 'PUT', `/api/projects/${encodeURIComponent(pid)}/rails/${encodeURIComponent(i)}/tickets`, '', { ticketIds });
+    });
+    v1.post('/projects/:pid/rails/:i/launch', (req, res) => {
+        const pid = seg(req.params.pid), i = seg(req.params.i);
+        if (!validate(res, [pid, PID_RE], [i, NUM_RE]))
+            return;
+        const b = (req.body ?? {});
+        const narrowed = {};
+        if (typeof b.mode === 'string')
+            narrowed.mode = b.mode;
+        if (typeof b.profileName === 'string')
+            narrowed.profileName = b.profileName;
+        if (typeof b.aiEngine === 'string')
+            narrowed.aiEngine = b.aiEngine;
+        if (typeof b.model === 'string')
+            narrowed.model = b.model; // ultracode model
+        void forward(res, 'POST', `/api/projects/${encodeURIComponent(pid)}/rails/${encodeURIComponent(i)}/launch`, '', narrowed);
+    });
+    v1.put('/projects/:pid/rails/:i/engine', (req, res) => {
+        const pid = seg(req.params.pid), i = seg(req.params.i);
+        if (!validate(res, [pid, PID_RE], [i, NUM_RE]))
+            return;
+        const b = (req.body ?? {});
+        // aiEngine: a provider string, or null to clear the override.
+        const aiEngine = typeof b.aiEngine === 'string' ? b.aiEngine : null;
+        void forward(res, 'PUT', `/api/projects/${encodeURIComponent(pid)}/rails/${encodeURIComponent(i)}/engine`, '', { aiEngine });
+    });
+    v1.put('/projects/:pid/rails/:i/name', (req, res) => {
+        const pid = seg(req.params.pid), i = seg(req.params.i);
+        if (!validate(res, [pid, PID_RE], [i, NUM_RE]))
+            return;
+        const b = (req.body ?? {});
+        // name: the display label, or null to clear back to the default "Rail N".
+        const name = typeof b.name === 'string' ? b.name : null;
+        void forward(res, 'PUT', `/api/projects/${encodeURIComponent(pid)}/rails/${encodeURIComponent(i)}/name`, '', { name });
+    });
+    v1.post('/projects/:pid/rails/:i/stop', (req, res) => {
+        const pid = seg(req.params.pid), i = seg(req.params.i);
+        if (!validate(res, [pid, PID_RE], [i, NUM_RE]))
+            return;
+        void forward(res, 'POST', `/api/projects/${encodeURIComponent(pid)}/rails/${encodeURIComponent(i)}/stop`, '', {});
+    });
+    v1.delete('/projects/:pid/jobs/:jid', (req, res) => {
+        const pid = seg(req.params.pid), jid = seg(req.params.jid);
+        if (!validate(res, [pid, PID_RE], [jid, JOBID_RE]))
+            return;
+        void forward(res, 'DELETE', `/api/projects/${encodeURIComponent(pid)}/jobs/${encodeURIComponent(jid)}`, '');
+    });
+    v1.post('/projects/:pid/queue/pause', (req, res) => {
+        const pid = seg(req.params.pid);
+        if (!validate(res, [pid, PID_RE]))
+            return;
+        void forward(res, 'POST', `/api/projects/${encodeURIComponent(pid)}/queue/pause`, '', {});
+    });
+    v1.post('/projects/:pid/queue/resume', (req, res) => {
+        const pid = seg(req.params.pid);
+        if (!validate(res, [pid, PID_RE]))
+            return;
+        void forward(res, 'POST', `/api/projects/${encodeURIComponent(pid)}/queue/resume`, '', {});
+    });
+    // —— Spec capture on the go ——
+    v1.post('/projects/:pid/tickets/generate-spec', (req, res) => {
+        const pid = seg(req.params.pid);
+        if (!validate(res, [pid, PID_RE]))
+            return;
+        const b = (req.body ?? {});
+        const narrowed = {};
+        // The server's generate-spec expects `idea` — the app sends `prompt`.
+        if (typeof b.prompt === 'string')
+            narrowed.idea = b.prompt;
+        if (typeof b.model === 'string')
+            narrowed.model = b.model;
+        if (typeof b.aiEngine === 'string')
+            narrowed.aiEngine = b.aiEngine;
+        if (typeof b.contractRefine === 'boolean')
+            narrowed.contractRefine = b.contractRefine;
+        // Forward the context scope so the server injects .specrails/local-tickets.json
+        // (specrails:true) and dedups against existing specs — without this the AI has
+        // no context and re-creates specs that already exist.
+        const scope = narrowScope(b.contextScope);
+        if (scope)
+            narrowed.contextScope = scope;
+        void forward(res, 'POST', `/api/projects/${encodeURIComponent(pid)}/tickets/generate-spec`, '', narrowed);
+    });
+    v1.post('/projects/:pid/tickets/from-prompt', (req, res) => {
+        const pid = seg(req.params.pid);
+        if (!validate(res, [pid, PID_RE]))
+            return;
+        const b = (req.body ?? {});
+        const narrowed = {};
+        // The server's from-prompt expects `description` — the app sends `prompt`.
+        if (typeof b.prompt === 'string')
+            narrowed.description = b.prompt;
+        if (typeof b.title === 'string')
+            narrowed.title = b.title;
+        void forward(res, 'POST', `/api/projects/${encodeURIComponent(pid)}/tickets/from-prompt`, '', narrowed);
+    });
+    // —— Model catalog (for the Quick/Explore model picker) ——
+    v1.get('/projects/:pid/default-spec-model', (req, res) => {
+        const pid = seg(req.params.pid);
+        if (!validate(res, [pid, PID_RE]))
+            return;
+        void forward(res, 'GET', `/api/projects/${encodeURIComponent(pid)}/default-spec-model`, rawQuery(req));
+    });
+    // —— Explore conversations (Add Spec → Explore: a conversational agent) ——
+    function narrowScope(raw) {
+        if (!raw || typeof raw !== 'object')
+            return undefined;
+        const r = raw;
+        const out = {};
+        for (const k of ['specrails', 'openspec', 'full', 'mcp', 'contractRefine', 'userMcp']) {
+            if (typeof r[k] === 'boolean')
+                out[k] = r[k];
+        }
+        return out;
+    }
+    v1.post('/projects/:pid/chat/conversations', (req, res) => {
+        const pid = seg(req.params.pid);
+        if (!validate(res, [pid, PID_RE]))
+            return;
+        const b = (req.body ?? {});
+        const narrowed = {};
+        narrowed.kind = b.kind === 'explore' ? 'explore' : 'sidebar';
+        if (typeof b.model === 'string')
+            narrowed.model = b.model;
+        if (typeof b.aiEngine === 'string')
+            narrowed.aiEngine = b.aiEngine;
+        const scope = narrowScope(b.contextScope);
+        if (scope)
+            narrowed.contextScope = scope;
+        void forward(res, 'POST', `/api/projects/${encodeURIComponent(pid)}/chat/conversations`, '', narrowed);
+    });
+    v1.get('/projects/:pid/chat/conversations/:cid', (req, res) => {
+        const pid = seg(req.params.pid), cid = seg(req.params.cid);
+        if (!validate(res, [pid, PID_RE], [cid, CONV_ID_RE]))
+            return;
+        void forward(res, 'GET', `/api/projects/${encodeURIComponent(pid)}/chat/conversations/${encodeURIComponent(cid)}`, '');
+    });
+    v1.get('/projects/:pid/chat/conversations/:cid/spec-draft', (req, res) => {
+        const pid = seg(req.params.pid), cid = seg(req.params.cid);
+        if (!validate(res, [pid, PID_RE], [cid, CONV_ID_RE]))
+            return;
+        void forward(res, 'GET', `/api/projects/${encodeURIComponent(pid)}/chat/conversations/${encodeURIComponent(cid)}/spec-draft`, '');
+    });
+    v1.post('/projects/:pid/chat/conversations/:cid/messages', (req, res) => {
+        const pid = seg(req.params.pid), cid = seg(req.params.cid);
+        if (!validate(res, [pid, PID_RE], [cid, CONV_ID_RE]))
+            return;
+        const b = (req.body ?? {});
+        const narrowed = {};
+        if (typeof b.text === 'string')
+            narrowed.text = b.text;
+        narrowed.lightweight = b.lightweight === false ? false : true;
+        if (typeof b.maxTurns === 'number')
+            narrowed.maxTurns = b.maxTurns;
+        void forward(res, 'POST', `/api/projects/${encodeURIComponent(pid)}/chat/conversations/${encodeURIComponent(cid)}/messages`, '', narrowed);
+    });
+    v1.delete('/projects/:pid/chat/conversations/:cid/messages/stream', (req, res) => {
+        const pid = seg(req.params.pid), cid = seg(req.params.cid);
+        if (!validate(res, [pid, PID_RE], [cid, CONV_ID_RE]))
+            return;
+        void forward(res, 'DELETE', `/api/projects/${encodeURIComponent(pid)}/chat/conversations/${encodeURIComponent(cid)}/messages/stream`, '');
+    });
+    for (const action of ['minimize', 'restore']) {
+        v1.post(`/projects/:pid/chat/conversations/:cid/${action}`, (req, res) => {
+            const pid = seg(req.params.pid), cid = seg(req.params.cid);
+            if (!validate(res, [pid, PID_RE], [cid, CONV_ID_RE]))
+                return;
+            void forward(res, 'POST', `/api/projects/${encodeURIComponent(pid)}/chat/conversations/${encodeURIComponent(cid)}/${action}`, '', {});
+        });
+    }
+    // —— Commit an Explore conversation to a ticket ——
+    v1.post('/projects/:pid/tickets/from-draft', (req, res) => {
+        const pid = seg(req.params.pid);
+        if (!validate(res, [pid, PID_RE]))
+            return;
+        const b = (req.body ?? {});
+        const narrowed = {};
+        if (typeof b.title === 'string')
+            narrowed.title = b.title;
+        if (typeof b.conversationId === 'string')
+            narrowed.conversationId = b.conversationId;
+        if (typeof b.description === 'string')
+            narrowed.description = b.description;
+        if (typeof b.priority === 'string')
+            narrowed.priority = b.priority;
+        if (Array.isArray(b.labels))
+            narrowed.labels = b.labels.filter((x) => typeof x === 'string');
+        if (Array.isArray(b.acceptanceCriteria))
+            narrowed.acceptanceCriteria = b.acceptanceCriteria.filter((x) => typeof x === 'string');
+        void forward(res, 'POST', `/api/projects/${encodeURIComponent(pid)}/tickets/from-draft`, '', narrowed);
+    });
+    router.use('/v1', v1);
+    // Any unmatched gateway path → 404 JSON (NEVER falls through to a SPA handler;
+    // the gateway serves JSON/WS only, no static client).
+    router.use((_req, res) => {
+        res.status(404).json({ error: 'Not found' });
+    });
+    return router;
+}
+/** The allow-list, exported for the CI drift test (asserts each entry resolves
+ *  against a real internal route, and that no traversal param is accepted). */
+exports.MOBILE_ALLOWLIST = [
+    { method: 'GET', path: '/v1/projects' },
+    { method: 'GET', path: '/v1/projects/:pid/tickets' },
+    { method: 'GET', path: '/v1/projects/:pid/tickets/:tid' },
+    { method: 'GET', path: '/v1/projects/:pid/jobs' },
+    { method: 'GET', path: '/v1/projects/:pid/jobs/:jid' },
+    { method: 'GET', path: '/v1/projects/:pid/queue' },
+    { method: 'GET', path: '/v1/projects/:pid/rails' },
+    { method: 'GET', path: '/v1/projects/:pid/activity' },
+    { method: 'GET', path: '/v1/projects/:pid/stats' },
+    { method: 'GET', path: '/v1/projects/:pid/state' },
+    { method: 'GET', path: '/v1/projects/:pid/spending' },
+    { method: 'GET', path: '/v1/projects/:pid/tickets/:tid/spending-summary' },
+    { method: 'PATCH', path: '/v1/projects/:pid/tickets/:tid' },
+    { method: 'DELETE', path: '/v1/projects/:pid/tickets/:tid' },
+    { method: 'PUT', path: '/v1/projects/:pid/rails/:i/tickets' },
+    { method: 'POST', path: '/v1/projects/:pid/rails/:i/launch' },
+    { method: 'PUT', path: '/v1/projects/:pid/rails/:i/engine' },
+    { method: 'POST', path: '/v1/projects/:pid/rails/:i/stop' },
+    { method: 'DELETE', path: '/v1/projects/:pid/jobs/:jid' },
+    { method: 'POST', path: '/v1/projects/:pid/queue/pause' },
+    { method: 'POST', path: '/v1/projects/:pid/queue/resume' },
+    { method: 'POST', path: '/v1/projects/:pid/tickets/generate-spec' },
+    { method: 'POST', path: '/v1/projects/:pid/tickets/from-prompt' },
+    { method: 'GET', path: '/v1/projects/:pid/default-spec-model' },
+    { method: 'POST', path: '/v1/projects/:pid/chat/conversations' },
+    { method: 'GET', path: '/v1/projects/:pid/chat/conversations/:cid' },
+    { method: 'GET', path: '/v1/projects/:pid/chat/conversations/:cid/spec-draft' },
+    { method: 'POST', path: '/v1/projects/:pid/chat/conversations/:cid/messages' },
+    { method: 'DELETE', path: '/v1/projects/:pid/chat/conversations/:cid/messages/stream' },
+    { method: 'POST', path: '/v1/projects/:pid/chat/conversations/:cid/minimize' },
+    { method: 'POST', path: '/v1/projects/:pid/chat/conversations/:cid/restore' },
+    { method: 'POST', path: '/v1/projects/:pid/tickets/from-draft' },
+];

package/server/dist/mobile/mobile-tls.js

@@ -0,0 +1,86 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.mobileDir = mobileDir;
+exports.fingerprintOf = fingerprintOf;
+exports.loadOrCreateCert = loadOrCreateCert;
+exports.rotateCert = rotateCert;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const os_1 = __importDefault(require("os"));
+const crypto_1 = require("crypto");
+const selfsigned_1 = require("selfsigned");
+function mobileDir() {
+    return path_1.default.join(os_1.default.homedir(), '.specrails', 'mobile');
+}
+function certPath(dir) {
+    return path_1.default.join(dir, 'tls-cert.pem');
+}
+function keyPath(dir) {
+    return path_1.default.join(dir, 'tls-key.pem');
+}
+/** sha256(DER) of a PEM cert, hex lowercase — the value put in the QR and pinned
+ *  by the phone (Dart: `sha256.convert(x509.der)`). */
+function fingerprintOf(certPem) {
+    const der = new crypto_1.X509Certificate(certPem).raw;
+    return (0, crypto_1.createHash)('sha256').update(der).digest('hex');
+}
+async function generatePair() {
+    // The phone pins sha256(cert DER), never the CN, so renaming the CN only
+    // affects freshly generated certs (which always require a fresh QR pairing).
+    const attrs = [{ name: 'commonName', value: 'specrails-desktop-mobile' }];
+    const notAfter = new Date();
+    notAfter.setFullYear(notAfter.getFullYear() + 10);
+    const pems = await (0, selfsigned_1.generate)(attrs, {
+        keyType: 'ec',
+        curve: 'P-256',
+        algorithm: 'sha256',
+        notAfterDate: notAfter,
+        extensions: [
+            { name: 'basicConstraints', cA: true },
+            {
+                name: 'subjectAltName',
+                altNames: [
+                    { type: 2, value: 'localhost' },
+                    { type: 7, ip: '127.0.0.1' },
+                ],
+            },
+        ],
+    });
+    return { certPem: pems.cert, keyPem: pems.private };
+}
+function writePair(dir, certPem, keyPem) {
+    fs_1.default.mkdirSync(dir, { recursive: true });
+    try {
+        fs_1.default.chmodSync(dir, 0o700);
+    }
+    catch { /* best-effort on platforms without chmod */ }
+    fs_1.default.writeFileSync(certPath(dir), certPem, { encoding: 'utf-8', mode: 0o600 });
+    fs_1.default.writeFileSync(keyPath(dir), keyPem, { encoding: 'utf-8', mode: 0o600 });
+}
+/** Load the existing gateway cert, generating + persisting one on first use. */
+async function loadOrCreateCert(dir = mobileDir()) {
+    try {
+        const certPem = fs_1.default.readFileSync(certPath(dir), 'utf-8');
+        const keyPem = fs_1.default.readFileSync(keyPath(dir), 'utf-8');
+        if (certPem.includes('BEGIN CERTIFICATE') && keyPem.includes('PRIVATE KEY')) {
+            return { certPem, keyPem, fingerprint: fingerprintOf(certPem) };
+        }
+    }
+    catch {
+        // Fall through to generate.
+    }
+    const { certPem, keyPem } = await generatePair();
+    writePair(dir, certPem, keyPem);
+    return { certPem, keyPem, fingerprint: fingerprintOf(certPem) };
+}
+/** Generate a brand-new cert (rotation). Caller is responsible for revoking all
+ *  devices afterwards — a rotated cert no longer matches any stored fingerprint,
+ *  which is the point: "Reset mobile identity" invalidates every paired device. */
+async function rotateCert(dir = mobileDir()) {
+    const { certPem, keyPem } = await generatePair();
+    writePair(dir, certPem, keyPem);
+    return { certPem, keyPem, fingerprint: fingerprintOf(certPem) };
+}

package/server/dist/mobile/mobile-types.js

@@ -0,0 +1,9 @@
+"use strict";
+// Shared types for the Mobile Gateway (server/mobile/*).
+//
+// The gateway is a second HTTPS+WSS listener in the SAME Node process as the
+// main server, default port 4202, OFF by default. It pairs phones/tablets by QR +
+// desktop-approval and exposes a deny-by-default allow-list of the existing API,
+// redacted, over a per-device token. The main server at 127.0.0.1:4200 is never
+// itself exposed. See docs/mobile.md.
+Object.defineProperty(exports, "__esModule", { value: true });