docs: add auth requirement and self-signed cert warning to quick-start

[JDis03]

Summary

Fixes #468 and #470. The quick-start examples crashed on first run without a password, and the browser self-signed certificate warning was not documented anywhere a new user would see it.

Changes

• Add --password to all npx quick-start examples (main README + server README)
• Document the three ways to configure auth: --password, env var, auth.json
• Show auth.json schema so users understand the expected format
• Add browser warning note to self-signed certificates section with step-by-step instructions for Chrome/Brave and Firefox
• Mention --https=false --http=true as an alternative for local-only use

Validation

• Reviewed rendered markdown structure
• Verified auth.json schema matches AuthFile interface in auth-store.ts

[github-actions]

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/26040413596

Artifacts expire in 7 days.
Artifacts:

• pr-481-000e95e130a5263c8903e8c48490684982a5aa23-tauri-macos
• pr-481-000e95e130a5263c8903e8c48490684982a5aa23-tauri-linux
• pr-481-000e95e130a5263c8903e8c48490684982a5aa23-electron-macos
• pr-481-000e95e130a5263c8903e8c48490684982a5aa23-tauri-windows
• pr-481-000e95e130a5263c8903e8c48490684982a5aa23-tauri-macos-arm64
• pr-481-000e95e130a5263c8903e8c48490684982a5aa23-electron-windows
• pr-481-000e95e130a5263c8903e8c48490684982a5aa23-electron-linux

[pascalandr]

@CodeNomadBot

I want you to perform the gatekeeper checks for latest PR state

check for regressions
check for better possible implementations
Be the PR gatekeeper
Be ruthless about code quality

[codenomadbot]

Gatekeeper review for latest PR state.

Request understood: perform a strict PR quality/regression review, not make changes. I reviewed the PR diff, the auth implementation, CLI flags/defaults, and current README coverage.

Findings:

1. Blocking: documented auth.json schema is wrong and produces unusable credentials.

packages/server/README.md:170-180 documents:

"password": {
  "hash": "<bcrypt-hash>",
  "salt": "<salt>"
}

The actual AuthFile uses PasswordHashRecord from packages/server/src/auth/password-hash.ts, which requires:

"password": {
  "algorithm": "scrypt",
  "saltBase64": "...",
  "hashBase64": "...",
  "keyLength": 64,
  "params": {
    "N": 16384,
    "r": 8,
    "p": 1,
    "maxmem": 33554432
  }
}

verifyPassword() rejects anything where record.algorithm !== "scrypt", so the README’s bcrypt-style example would never authenticate. This is a regression in the exact area the PR is trying to clarify.

2. Blocking: the note says CLI/env passwords are stored, but the code intentionally does not persist them.

packages/server/README.md:183 says:

For manual setup, use --password or CODENOMAD_SERVER_PASSWORD instead — the server will hash and store the password for you on first run.

That is not what the code does. AuthStore.ensureInitialized() creates overrideAuth for CLI/env passwords and logs Using runtime auth password override; ignoring auth file; it does not call persist(). Users following this doc will expect --password once to create ~/.config/codenomad/auth.json, then fail on the next run without the flag/env var.

Better implementation:

• Either remove the manual auth.json schema from the quick-start docs and state that auth.json is managed by the app/UI.
• Or document the real scrypt schema and make it explicit that manual creation requires a fully formed PasswordHashRecord.
• Change the persistence note to something like: --password and CODENOMAD_SERVER_PASSWORD are runtime credentials; provide them on each start, or set a password through the UI/bootstrap flow to persist auth.json.`

What looks good:

• Adding --password to the npx @neuralnomads/codenomad and codenomad-dev quick-start commands matches the server’s default behavior for plain --launch.
• The HTTPS/browser warning note is directionally correct for the default local launch path.
• I found no remaining npx ... --launch examples in markdown that were missed.

Verdict: request changes before merge. The PR fixes the first-run crash guidance, but currently replaces it with misleading auth-file guidance that will break users who follow it exactly.

--
Yours,
CodeNomadBot

[pascalandr]

@CodeNomadBot
same review

[codenomadbot]

Gatekeeper review for latest PR state.

Request understood: rerun the same strict review against the updated PR, especially checking whether the previous auth documentation blockers were resolved.

Findings:

1. Blocking: the new CLI/UI persistence guidance describes startup flows that do not work.

packages/server/README.md:191 now says:

To do this from the CLI, start the server without --password once and set the password through the UI, or use the bootstrap flow with --dangerously-skip-auth.

Both paths are wrong for a fresh config:

• Starting without --password and without an existing auth.json fails during AuthStore.ensureInitialized() unless --generate-token is set. The server does not reach the UI in that state.
• --dangerously-skip-auth disables the internal auth store entirely. /api/auth/password can pass the session check because auth is disabled, but AuthManager.setPassword() then throws Internal authentication is disabled, so it cannot persist auth.json.

The supported bootstrap path appears to be --generate-token, not --dangerously-skip-auth. With --generate-token, allowBootstrapWithoutPassword is true, the server can start without an auth file, a local token session can be created, and then /api/auth/password can persist the first password.

Suggested correction:

The `auth.json` file is normally created automatically when you set a password through the UI. For first-time CLI setup without passing a runtime password on every start, launch with `--generate-token`, complete the local bootstrap flow, then set the password in the UI. The `--password` flag and `CODENOMAD_SERVER_PASSWORD` env var are runtime credentials: they must be provided on every server start and are not persisted to disk.

What improved since the previous review:

• The documented auth.json password record now matches the actual PasswordHashRecord shape (algorithm, saltBase64, hashBase64, keyLength, params).
• The README now correctly states that --password and CODENOMAD_SERVER_PASSWORD are runtime credentials and are not persisted.

No new code regressions were introduced because the PR remains docs-only.

Verdict: request changes before merge. The previous blockers are partially fixed, but the remaining first-time setup guidance still tells users to use flows that cannot create a persisted password.

--
Yours,
CodeNomadBot

[github-actions]

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/26466826212

Artifacts expire in 7 days.
Artifacts:

• pr-481-2ee7fdd227952a630930d35cc4cd1ff840843823-tauri-macos
• pr-481-2ee7fdd227952a630930d35cc4cd1ff840843823-electron-macos
• pr-481-2ee7fdd227952a630930d35cc4cd1ff840843823-tauri-windows
• pr-481-2ee7fdd227952a630930d35cc4cd1ff840843823-tauri-linux
• pr-481-2ee7fdd227952a630930d35cc4cd1ff840843823-tauri-macos-arm64
• pr-481-2ee7fdd227952a630930d35cc4cd1ff840843823-electron-windows
• pr-481-2ee7fdd227952a630930d35cc4cd1ff840843823-electron-linux

[github-actions]

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/26469311935

Artifacts expire in 7 days.
Artifacts:

• pr-481-896f5106fae1b771999a2cba5c3cd979151e3c3e-tauri-macos
• pr-481-896f5106fae1b771999a2cba5c3cd979151e3c3e-tauri-windows
• pr-481-896f5106fae1b771999a2cba5c3cd979151e3c3e-tauri-linux
• pr-481-896f5106fae1b771999a2cba5c3cd979151e3c3e-tauri-macos-arm64
• pr-481-896f5106fae1b771999a2cba5c3cd979151e3c3e-electron-macos
• pr-481-896f5106fae1b771999a2cba5c3cd979151e3c3e-electron-windows
• pr-481-896f5106fae1b771999a2cba5c3cd979151e3c3e-electron-linux

[pascalandr]

@CodeNomadBot
review the proposed documentation, its quality and usefullness compared to this :
https://github.com/NeuralNomadsAI/CodeNomad/tree/dev/packages/server#self-signed-certificates
and does it really solve #468 and #470.

[codenomadbot]

Documentation quality review for latest PR state.

Request understood: compare the proposed documentation against the current dev server README self-signed certificate section, assess usefulness/quality, and judge whether it really solves #468 and #470.

Findings:

1. Blocking for [Docs]: Quick-start examples missing required auth setup #468: not all first-run usage examples were fixed.

The PR updates the recommended npx @neuralnomads/codenomad examples, but packages/server/README.md still has two install/run examples that will hit the same first-run auth failure on a fresh config:

• packages/server/README.md:55-57

npm install -g @neuralnomads/codenomad
codenomad --launch

• packages/server/README.md:64-66

npm install @neuralnomads/codenomad
npx codenomad --launch

These are in the same Usage section and are just as copy-pasteable as the recommended npx command. If #468 is “quick-start examples crash on first run without a password,” this PR only partially solves it. Add --password <your-password> to these examples too, or explicitly annotate that they require --password, CODENOMAD_SERVER_PASSWORD, existing auth.json, or the bootstrap flow.

2. Non-blocking quality concern: the auth.json path is technically accurate now, but not very useful as user guidance.

packages/server/README.md:164-191 says there are three ways to configure auth and shows the raw auth.json scrypt record. The schema now matches the code, which is good. But from a user documentation perspective, “create auth.json” is not realistically actionable unless the user already has a helper to generate a valid scrypt PasswordHashRecord.

Better documentation would separate practical setup paths from implementation detail:

• Practical: --password, CODENOMAD_SERVER_PASSWORD, or --generate-token followed by setting a password in the UI.
• Advanced/internal: auth.json is managed by CodeNomad and has this schema if you need to inspect/debug it.

3. [Docs]: No guidance on self-signed certificate warning in server mode #470 is materially improved compared to dev, but the browser-warning guidance is still thin.

The current dev section only says CodeNomad generates cert files and that certs rotate; it does not warn users that browsers will block/warn on first visit. The PR adds that missing warning in both the root README quick-start and packages/server/README.md:153, so it does address the core visibility problem from #470.

Quality/usefulness is acceptable for the common local case, but could be stronger:

• The server opens https://127.0.0.1:..., so “Proceed to localhost” may not match the exact browser button text; “Proceed to 127.0.0.1 / localhost” would be more accurate.
• The warning is a dense one-line blockquote. For new users, a short numbered sequence would be more useful than burying Chrome/Brave, Firefox, and HTTP fallback in one sentence.
• The text says this is “safe for localhost,” which is fine for local-only use, but the surrounding self-signed certificate section also covers custom SANs and remote-ish hosts. It should avoid implying that accepting any self-signed cert is broadly safe.

Verdict:

• [Docs]: Quick-start examples missing required auth setup #468: not fully solved. The recommended npx command is fixed, but two adjacent copy-paste install examples still reproduce the same fresh-start auth failure.
• [Docs]: No guidance on self-signed certificate warning in server mode #470: mostly solved. The PR adds the missing warning compared to dev; I’d still polish the browser wording, but this is no longer a blocker by itself.
• Overall: request changes before merge because [Docs]: Quick-start examples missing required auth setup #468 remains partially unresolved in the server README Usage section.

--
Yours,
CodeNomadBot

[github-actions]

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/26471784003

Artifacts expire in 7 days.
Artifacts:

• pr-481-69cd175cc0e19d9c43354a39f73b19ae45b8cdc9-tauri-windows
• pr-481-69cd175cc0e19d9c43354a39f73b19ae45b8cdc9-tauri-macos
• pr-481-69cd175cc0e19d9c43354a39f73b19ae45b8cdc9-tauri-linux
• pr-481-69cd175cc0e19d9c43354a39f73b19ae45b8cdc9-electron-macos
• pr-481-69cd175cc0e19d9c43354a39f73b19ae45b8cdc9-tauri-macos-arm64
• pr-481-69cd175cc0e19d9c43354a39f73b19ae45b8cdc9-electron-windows
• pr-481-69cd175cc0e19d9c43354a39f73b19ae45b8cdc9-electron-linux

[pascalandr]

@CodeNomadBot
same review

[codenomadbot]

Documentation quality review for latest PR state.

Request understood: rerun the same review against the latest PR state, comparing the proposed documentation to the current dev server README self-signed certificate section and judging whether #468 and #470 are actually resolved.

Findings:

No blocking findings in the latest state.

What changed since the previous review:

• The remaining packages/server/README.md install examples now include --password <your-password>:
  • Global install: codenomad --password <your-password> --launch
  • Local install: npx codenomad --password <your-password> --launch
• The auth section now separates practical setup options from auth.json internals.
• The self-signed certificate warning is now a clearer multi-step note with browser-specific guidance and a remote-host caution.

Assessment against #468:

Resolved. I no longer find copy-pasteable markdown examples of codenomad / @neuralnomads/codenomad launching without a password. The quick-start, dev package, global install, and local install paths now avoid the fresh-config auth failure described in the PR.

Assessment against #470 and current dev docs:

Resolved. The current dev self-signed certificate section only explains that CodeNomad generates cert files and rotates them. The PR adds the missing user-facing browser warning, gives Chrome/Brave/Edge and Firefox actions, documents the --https=false --http=true local-only escape hatch, and adds a reasonable caution not to accept arbitrary self-signed certs for remote hosts.

Documentation quality notes, non-blocking:

• README.md:55 still uses the shorter “Proceed to localhost” wording, while the server README is more accurate with 127.0.0.1 / localhost. Since the root README points to the server docs, this is acceptable, but aligning the wording would reduce ambiguity.
• README.md:53 says users can “create an auth.json file,” while the server README now correctly frames auth.json as managed/internal and manual creation as not recommended. Consider changing the root README phrase to “use the managed auth.json flow” or simply “see Server Documentation for persistent setup” to avoid making manual file creation sound like a primary path.
• The server README’s auth.json schema is now accurate, but it remains implementation detail. Keeping it under “Advanced: auth.json internals” is the right place for it.

Verdict: approve from a documentation gatekeeper perspective. The PR now materially improves the docs compared to dev, solves #468, and solves #470. Remaining items are wording polish, not merge blockers.

--
Yours,
CodeNomadBot

[pascalandr]

@JDis03 Thanks !