chore: release v0.10.0-beta.3

Author: Cod-e-Codes

.github/workflows/release.yml

@@ -6,9 +6,9 @@ on:
   workflow_dispatch:
     inputs:
       version:
-        description: 'Version to build (e.g., v0.10.0-beta.2)'
+        description: 'Version to build (e.g., v0.10.0-beta.3)'
         required: true
-        default: 'v0.10.0-beta.2'
+        default: 'v0.10.0-beta.3'
 
 permissions:
   contents: read

README.md

@@ -7,15 +7,20 @@
 [![Go Version](https://img.shields.io/github/go-mod/go-version/Cod-e-Codes/marchat?logo=go)](https://go.dev/dl/)
 [![GitHub all releases](https://img.shields.io/github/downloads/Cod-e-Codes/marchat/total?logo=github)](https://github.com/Cod-e-Codes/marchat/releases)
 [![Docker Pulls](https://img.shields.io/docker/pulls/codecodesxyz/marchat?logo=docker)](https://hub.docker.com/r/codecodesxyz/marchat)
-[![Version](https://img.shields.io/badge/version-v0.10.0--beta.2-blue)](https://github.com/Cod-e-Codes/marchat/releases/tag/v0.10.0-beta.2)
+[![Version](https://img.shields.io/badge/version-v0.10.0--beta.3-blue)](https://github.com/Cod-e-Codes/marchat/releases/tag/v0.10.0-beta.3)
 
 A lightweight terminal chat with real-time messaging over WebSockets, optional E2E encryption, and a flexible plugin ecosystem. Built for developers who prefer the command line.
 
 **Quick start:** [QUICKSTART.md](QUICKSTART.md) for a single-page walkthrough (install → server → client → next docs).
 
 ## Latest Updates
 
-### v0.10.0-beta.2 (Current)
+### v0.10.0-beta.3 (Current)
+- **Caddy / WSS**: `docker-compose.proxy.yml`, `deploy/caddy/` (`Caddyfile`, `proxy.env.example`), cross-platform `scripts/build-linux.sh` and `scripts/connect-local-wss.sh`, full walkthrough in `deploy/CADDY-REVERSE-PROXY.md`
+- **Client**: WSS/TLS tweaks; sanitize pasted `--server` URLs; connect from flags without profile picker when server+username are set (keystore passphrase prompted for `--e2e` unless `--non-interactive`); `MARCHAT_GLOBAL_E2E_KEY` unchanged
+- **Server config**: Document `godotenv.Overload` for `config/.env` vs process env (see README / env.example)
+
+### v0.10.0-beta.2
 - **CLI diagnostics**: `marchat-client` and `marchat-server` support `-doctor` and `-doctor-json` for environment, paths, and config health
 - **Build**: `build-release.ps1` sets `CGO_ENABLED=0` for consistent cross-compilation
 - **Dependencies**: `modernc.org/sqlite` 1.47.0 → 1.48.0 (via Dependabot)
@@ -36,6 +41,7 @@ A lightweight terminal chat with real-time messaging over WebSockets, optional E
 - **Plugins**: Full plugin system wiring (message forwarding, user list updates, command responses, init handshake, store UI, license enforcement)
 
 ### Recent Releases
+- **v0.10.0-beta.3**: Caddy TLS proxy example, Unix helper scripts, client WSS/direct-connect UX, config `.env` precedence docs
 - **v0.10.0-beta.2**: Doctor CLI, build-release cross-compile fix, sqlite bump, doc metrics refresh, Docker image entrypoint/volume permission fixes
 - **v0.9.0-beta.6**: Rebuilt with Go 1.25.8 to address CVE-2026-25679, CVE-2026-27142, CVE-2026-27139
 - **v0.9.0-beta.5**: Automated release workflow, PBKDF2 keystore key derivation, JWT secret auto-generation, race condition fixes, Docker optimizations
@@ -134,24 +140,24 @@ Key tables for message tracking and moderation:
 **Binary Installation:**
 ```bash
 # Linux (amd64)
-wget https://github.com/Cod-e-Codes/marchat/releases/download/v0.10.0-beta.2/marchat-v0.10.0-beta.2-linux-amd64.zip
-unzip marchat-v0.10.0-beta.2-linux-amd64.zip && chmod +x marchat-*
+wget https://github.com/Cod-e-Codes/marchat/releases/download/v0.10.0-beta.3/marchat-v0.10.0-beta.3-linux-amd64.zip
+unzip marchat-v0.10.0-beta.3-linux-amd64.zip && chmod +x marchat-*
 
 # macOS (amd64)
-wget https://github.com/Cod-e-Codes/marchat/releases/download/v0.10.0-beta.2/marchat-v0.10.0-beta.2-darwin-amd64.zip
-unzip marchat-v0.10.0-beta.2-darwin-amd64.zip && chmod +x marchat-*
+wget https://github.com/Cod-e-Codes/marchat/releases/download/v0.10.0-beta.3/marchat-v0.10.0-beta.3-darwin-amd64.zip
+unzip marchat-v0.10.0-beta.3-darwin-amd64.zip && chmod +x marchat-*
 
 # Windows - PowerShell
 iwr -useb https://raw.githubusercontent.com/Cod-e-Codes/marchat/main/install.ps1 | iex
 ```
 
 **Docker:**
 ```bash
-docker pull codecodesxyz/marchat:v0.10.0-beta.2
+docker pull codecodesxyz/marchat:v0.10.0-beta.3
 docker run -d -p 8080:8080 \
   -e MARCHAT_ADMIN_KEY=$(openssl rand -hex 32) \
   -e MARCHAT_USERS=admin1,admin2 \
-  codecodesxyz/marchat:v0.10.0-beta.2
+  codecodesxyz/marchat:v0.10.0-beta.3
 ```
 
 **Docker Compose (local development):**

SECURITY.md

@@ -2,7 +2,7 @@
 
 ## Supported Versions
 
-`marchat` is currently at **v0.10.0-beta.2**.  
+`marchat` is currently at **v0.10.0-beta.3**.  
 All security updates and fixes are applied to the `main` branch.
 
 | Version            | Supported |

build-release.ps1

@@ -1,9 +1,9 @@
-# Build script for marchat v0.10.0-beta.2
+# Build script for marchat v0.10.0-beta.3
 # This script builds all platform targets and creates release zips
 
 $ErrorActionPreference = "Stop"
 
-$VERSION = "v0.10.0-beta.2"
+$VERSION = "v0.10.0-beta.3"
 $BUILD_DIR = "build"
 $RELEASE_DIR = "release"
 

client/main.go

@@ -34,6 +34,7 @@ import (
 	tea "github.com/charmbracelet/bubbletea"
 	"github.com/charmbracelet/lipgloss"
 	"github.com/gorilla/websocket"
+	"golang.org/x/term"
 )
 
 const maxMessages = 100
@@ -87,7 +88,7 @@ var (
 	skipTLSVerify      = flag.Bool("skip-tls-verify", false, "Skip TLS certificate verification")
 	quickStart         = flag.Bool("quick-start", false, "Use last connection or select from saved profiles")
 	autoConnect        = flag.Bool("auto", false, "Automatically connect using most recent profile")
-	nonInteractive     = flag.Bool("non-interactive", false, "Skip interactive prompts (require all flags)")
+	nonInteractive     = flag.Bool("non-interactive", false, "Skip interactive prompts (with --e2e, require --keystore-passphrase on the command line)")
 	runDoctor          = flag.Bool("doctor", false, "Print environment and configuration diagnostics, then exit")
 	runDoctorJSON      = flag.Bool("doctor-json", false, "Same as -doctor with JSON output (if both are set, JSON is used)")
 )
@@ -2228,24 +2229,37 @@ func main() {
 	var cfg *config.Config
 	var err error
 
-	// Check if all required flags are provided for non-interactive mode
-	if *nonInteractive || (allFlagsProvided(*serverURL, *username, *isAdmin, *adminKey, *useE2E, *keystorePassphrase)) {
+	// Skip profile picker when CLI gives enough to connect: server, username, and admin key if --admin.
+	// If --e2e without --keystore-passphrase, prompt once on the terminal (unless --non-interactive).
+	if *nonInteractive || directConnectFromFlags(*serverURL, *username, *isAdmin, *adminKey) {
 		// Use traditional flag-based configuration
 		cfg, err = loadConfigFromFlags(*configPath, *serverURL, *username, *theme, *isAdmin, *useE2E, *skipTLSVerify)
 		if err != nil {
 			fmt.Printf("Error loading config: %v\n", err)
 			os.Exit(1)
 		}
 
-		// Validate required flags for non-interactive mode
-		if err := validateFlags(*isAdmin, *adminKey, *useE2E, *keystorePassphrase); err != nil {
+		keystorePass := *keystorePassphrase
+		if cfg.UseE2E && keystorePass == "" {
+			if *nonInteractive {
+				fmt.Fprintln(os.Stderr, "Error: --e2e requires --keystore-passphrase when using --non-interactive")
+				os.Exit(1)
+			}
+			var readErr error
+			keystorePass, readErr = readKeystorePassphraseFromTerminal()
+			if readErr != nil {
+				fmt.Fprintf(os.Stderr, "Error reading keystore passphrase: %v\n", readErr)
+				os.Exit(1)
+			}
+		}
+
+		if err := validateFlags(*isAdmin, *adminKey, cfg.UseE2E, keystorePass); err != nil {
 			fmt.Printf("Error: %v\n", err)
 			flag.Usage()
 			os.Exit(1)
 		}
 
-		// Continue with existing client initialization using flag values
-		initializeClient(cfg, *adminKey, *keystorePassphrase)
+		initializeClient(cfg, *adminKey, keystorePass)
 
 	} else {
 		// Check if this is a first-time user (no profiles exist)
@@ -2395,20 +2409,26 @@ func main() {
 	}
 }
 
-func allFlagsProvided(serverURL, username string, isAdmin bool, adminKey string, useE2E bool, keystorePassphrase string) bool {
+// directConnectFromFlags is true when the user supplied enough CLI args to skip the profile menu.
+// Keystore passphrase may still be prompted when --e2e is set (see main).
+func directConnectFromFlags(serverURL, username string, isAdmin bool, adminKey string) bool {
 	if serverURL == "" || username == "" {
 		return false
 	}
-
 	if isAdmin && adminKey == "" {
 		return false
 	}
+	return true
+}
 
-	if useE2E && keystorePassphrase == "" {
-		return false
+func readKeystorePassphraseFromTerminal() (string, error) {
+	fmt.Fprint(os.Stderr, "Keystore passphrase: ")
+	b, err := term.ReadPassword(int(syscall.Stdin))
+	fmt.Fprintln(os.Stderr)
+	if err != nil {
+		return "", err
 	}
-
-	return true
+	return string(b), nil
 }
 
 func loadConfigFromFlags(configPath, serverURL, username, theme string, isAdmin, useE2E, skipTLSVerify bool) (*config.Config, error) {

client/main_test.go

@@ -179,26 +179,20 @@ func TestMainPackageStructure(t *testing.T) {
 
 func TestErrorHandling(t *testing.T) {
 	// Test error handling functions
-	if allFlagsProvided("", "", false, "", false, "") {
-		t.Error("allFlagsProvided should return false for empty required flags")
+	if directConnectFromFlags("", "", false, "") {
+		t.Error("directConnectFromFlags should return false for empty required flags")
 	}
-	if allFlagsProvided("ws://localhost", "", false, "", false, "") {
-		t.Error("allFlagsProvided should return false for missing username")
+	if directConnectFromFlags("ws://localhost", "", false, "") {
+		t.Error("directConnectFromFlags should return false for missing username")
 	}
-	if allFlagsProvided("ws://localhost", "user", true, "", false, "") {
-		t.Error("allFlagsProvided should return false for admin without admin key")
+	if directConnectFromFlags("ws://localhost", "user", true, "") {
+		t.Error("directConnectFromFlags should return false for admin without admin key")
 	}
-	if allFlagsProvided("ws://localhost", "user", false, "", true, "") {
-		t.Error("allFlagsProvided should return false for e2e without passphrase")
+	if !directConnectFromFlags("ws://localhost", "user", false, "") {
+		t.Error("directConnectFromFlags should return true for valid basic flags (e2e passphrase is prompted separately)")
 	}
-	if !allFlagsProvided("ws://localhost", "user", false, "", false, "") {
-		t.Error("allFlagsProvided should return true for valid basic flags")
-	}
-	if !allFlagsProvided("ws://localhost", "user", true, "key", false, "") {
-		t.Error("allFlagsProvided should return true for valid admin flags")
-	}
-	if !allFlagsProvided("ws://localhost", "user", false, "", true, "pass") {
-		t.Error("allFlagsProvided should return true for valid e2e flags")
+	if !directConnectFromFlags("ws://localhost", "user", true, "key") {
+		t.Error("directConnectFromFlags should return true for valid admin flags")
 	}
 }
 
@@ -589,102 +583,59 @@ func TestLogOutputHandling(t *testing.T) {
 	// We can't easily test this without file system manipulation
 }
 
-func TestAllFlagsProvided(t *testing.T) {
-	// Test allFlagsProvided function thoroughly
+func TestDirectConnectFromFlags(t *testing.T) {
 	testCases := []struct {
 		name                string
 		serverURL, username string
 		isAdmin             bool
 		adminKey            string
-		useE2E              bool
-		keystorePassphrase  string
 		expected            bool
 	}{
 		{
-			name:               "all provided",
-			serverURL:          "ws://localhost:8080",
-			username:           "user",
-			isAdmin:            false,
-			adminKey:           "",
-			useE2E:             false,
-			keystorePassphrase: "",
-			expected:           true,
-		},
-		{
-			name:               "missing serverURL",
-			serverURL:          "",
-			username:           "user",
-			isAdmin:            false,
-			adminKey:           "",
-			useE2E:             false,
-			keystorePassphrase: "",
-			expected:           false,
-		},
-		{
-			name:               "missing username",
-			serverURL:          "ws://localhost:8080",
-			username:           "",
-			isAdmin:            false,
-			adminKey:           "",
-			useE2E:             false,
-			keystorePassphrase: "",
-			expected:           false,
-		},
-		{
-			name:               "admin without key",
-			serverURL:          "ws://localhost:8080",
-			username:           "user",
-			isAdmin:            true,
-			adminKey:           "",
-			useE2E:             false,
-			keystorePassphrase: "",
-			expected:           false,
+			name:      "basic",
+			serverURL: "ws://localhost:8080",
+			username:  "user",
+			isAdmin:   false,
+			adminKey:  "",
+			expected:  true,
 		},
 		{
-			name:               "admin with key",
-			serverURL:          "ws://localhost:8080",
-			username:           "user",
-			isAdmin:            true,
-			adminKey:           "secret",
-			useE2E:             false,
-			keystorePassphrase: "",
-			expected:           true,
+			name:      "missing serverURL",
+			serverURL: "",
+			username:  "user",
+			isAdmin:   false,
+			adminKey:  "",
+			expected:  false,
 		},
 		{
-			name:               "e2e without passphrase",
-			serverURL:          "ws://localhost:8080",
-			username:           "user",
-			isAdmin:            false,
-			adminKey:           "",
-			useE2E:             true,
-			keystorePassphrase: "",
-			expected:           false,
+			name:      "missing username",
+			serverURL: "ws://localhost:8080",
+			username:  "",
+			isAdmin:   false,
+			adminKey:  "",
+			expected:  false,
 		},
 		{
-			name:               "e2e with passphrase",
-			serverURL:          "ws://localhost:8080",
-			username:           "user",
-			isAdmin:            false,
-			adminKey:           "",
-			useE2E:             true,
-			keystorePassphrase: "pass",
-			expected:           true,
+			name:      "admin without key",
+			serverURL: "ws://localhost:8080",
+			username:  "user",
+			isAdmin:   true,
+			adminKey:  "",
+			expected:  false,
 		},
 		{
-			name:               "both admin and e2e",
-			serverURL:          "ws://localhost:8080",
-			username:           "user",
-			isAdmin:            true,
-			adminKey:           "secret",
-			useE2E:             true,
-			keystorePassphrase: "pass",
-			expected:           true,
+			name:      "admin with key",
+			serverURL: "ws://localhost:8080",
+			username:  "user",
+			isAdmin:   true,
+			adminKey:  "secret",
+			expected:  true,
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			result := allFlagsProvided(tc.serverURL, tc.username, tc.isAdmin, tc.adminKey, tc.useE2E, tc.keystorePassphrase)
+			result := directConnectFromFlags(tc.serverURL, tc.username, tc.isAdmin, tc.adminKey)
 			if result != tc.expected {
 				t.Errorf("Expected %v for %s, got %v", tc.expected, tc.name, result)
 			}

client/websocket.go

@@ -204,7 +204,26 @@ func (m *model) abortPartialWebSocketConnect() {
 	m.connected = false
 }
 
+// sanitizeServerURL trims whitespace and matching quotes often pasted from docs or PowerShell.
+func sanitizeServerURL(raw string) string {
+	s := strings.TrimSpace(raw)
+	s = strings.Trim(s, `"'`+"`")
+	// Unicode curly quotes (copy-paste from word processors)
+	for {
+		trimmed := strings.TrimPrefix(s, "\u2018")      // ‘
+		trimmed = strings.TrimPrefix(trimmed, "\u201c") // “
+		trimmed = strings.TrimSuffix(trimmed, "\u2019") // ’
+		trimmed = strings.TrimSuffix(trimmed, "\u201d") // ”
+		if trimmed == s {
+			break
+		}
+		s = strings.TrimSpace(trimmed)
+	}
+	return strings.TrimSpace(s)
+}
+
 func (m *model) connectWebSocket(serverURL string) error {
+	serverURL = sanitizeServerURL(serverURL)
 	escapedUsername := url.QueryEscape(m.cfg.Username)
 	fullURL := serverURL + "?username=" + escapedUsername