feat: add TLS for node bridge

2026-01-16 05:28:33 +00:00
parent 1656f491fd
commit 1ab1e312b2
36 changed files with 1161 additions and 180 deletions
--- a/src/config/types.gateway.ts
+++ b/src/config/types.gateway.ts
@@ -11,6 +11,20 @@ export type BridgeConfig = {
   * - custom: User-specified IP, fallback to 0.0.0.0 if unavailable (requires customBindHost on gateway)
   */
  bind?: BridgeBindMode;
+  tls?: BridgeTlsConfig;
+};
+
+export type BridgeTlsConfig = {
+  /** Enable TLS for the node bridge server. */
+  enabled?: boolean;
+  /** Auto-generate a self-signed cert if cert/key are missing (default: true). */
+  autoGenerate?: boolean;
+  /** PEM certificate path for the bridge server. */
+  certPath?: string;
+  /** PEM private key path for the bridge server. */
+  keyPath?: string;
+  /** Optional PEM CA bundle for TLS clients (mTLS or custom roots). */
+  caPath?: string;
 };

 export type WideAreaDiscoveryConfig = {
--- a/src/config/zod-schema.ts
+++ b/src/config/zod-schema.ts
@@ -171,6 +171,15 @@ export const ClawdbotSchema = z
        bind: z
          .union([z.literal("auto"), z.literal("lan"), z.literal("tailnet"), z.literal("loopback")])
          .optional(),
+        tls: z
+          .object({
+            enabled: z.boolean().optional(),
+            autoGenerate: z.boolean().optional(),
+            certPath: z.string().optional(),
+            keyPath: z.string().optional(),
+            caPath: z.string().optional(),
+          })
+          .optional(),
      })
      .optional(),
    discovery: z