feat(auth): トークン認証・HTTPS対応 #331

.env.example

@@ -19,12 +19,31 @@ CM_PORT=3000
 CM_BIND=127.0.0.1
 
 # ===================================
-# Security
+# Security / Authentication (Issue #331)
 # ===================================
 
-# When CM_BIND=0.0.0.0, use a reverse proxy (e.g., Nginx) with authentication.
+# Token authentication is enabled via CLI: commandmate start --auth
+# The following variables are set automatically and should NOT be manually edited:
+# CM_AUTH_TOKEN_HASH=<sha256-hash>  # Set automatically by --auth
+# CM_AUTH_EXPIRE=24h                 # Token expiration (default: 24h, max: 30d)
+
+# When CM_BIND=0.0.0.0, use a reverse proxy (e.g., Nginx) with authentication,
+# or enable token auth with: commandmate start --auth
 # See: docs/security-guide.md
 
+# ===================================
+# HTTPS / TLS (Issue #331)
+# ===================================
+
+# Enable HTTPS with TLS certificates:
+#   commandmate start --auth --cert ./localhost.pem --key ./localhost-key.pem
+#
+# Quick setup with mkcert:
+#   brew install mkcert && mkcert -install && mkcert localhost
+#
+# CM_HTTPS_CERT=./localhost.pem
+# CM_HTTPS_KEY=./localhost-key.pem
+
 # ===================================
 # Database
 # ===================================

CLAUDE.md

@@ -129,6 +129,8 @@ tests/
 
 | モジュール | 説明 |
 |-----------|------|
+| `src/lib/auth.ts` | トークン認証コアモジュール（Issue #331: generateToken/hashToken/verifyToken/parseDuration/parseCookies/isAuthEnabled/buildAuthCookieOptions/createRateLimiter、CLIビルド互換性制約: Next.js固有モジュール依存禁止） |
+| `src/middleware.ts` | 認証ミドルウェア（Issue #331: HTTPリクエスト認証、CM_AUTH_TOKEN_HASH未設定時は即NextResponse.next()、AUTH_EXCLUDED_PATHSの完全一致マッチング） |
 | `src/lib/env.ts` | 環境変数取得・フォールバック処理、getDatabasePathWithDeprecationWarning() |
 | `src/lib/db-path-resolver.ts` | DBパス解決（getDefaultDbPath()、validateDbPath()） |
 | `src/lib/db-migration-path.ts` | DBマイグレーション（migrateDbIfNeeded()、getLegacyDbPaths()） |