@cardelli/ambit 0.1.3 → 0.1.5

package/esm/src/cli/commands/destroy.js

@@ -1,19 +1,47 @@
 // =============================================================================
-// Destroy Command - Tear Down Router and Clean Up
+// Destroy Command - Destroy Networks or Apps
 // =============================================================================
-import { parseArgs } from "../../../deps/jsr.io/@std/cli/1.0.27/mod.js";
+import * as dntShim from "../../../_dnt.shims.js";
+import { parseArgs } from "../../../deps/jsr.io/@std/cli/1.0.28/mod.js";
 import { bold, confirm } from "../../../lib/cli.js";
 import { createOutput } from "../../../lib/output.js";
 import { registerCommand } from "../mod.js";
 import { createFlyProvider } from "../../providers/fly.js";
 import { createTailscaleProvider } from "../../providers/tailscale.js";
 import { checkDependencies } from "../../credentials.js";
-import { findRouterApp } from "../../discovery.js";
+import { findRouterApp, findWorkloadApp, listWorkloadAppsOnNetwork, } from "../../discovery.js";
 import { resolveOrg } from "../../resolve.js";
+import { assertNotRouter } from "../../guard.js";
 // =============================================================================
-// Destroy Command
+// Top-Level Help
 // =============================================================================
-const destroy = async (argv) => {
+const showDestroyHelp = () => {
+    console.log(`
+${bold("ambit destroy")} - Destroy Networks or Apps
+
+${bold("USAGE")}
+  ambit destroy network <name> [options]
+  ambit destroy app <app>.<network> [options]
+
+${bold("SUBCOMMANDS")}
+  network    Tear down a router, clean up DNS and tailnet device
+  app        Destroy a workload app on a network
+
+${bold("OPTIONS")}
+  --help     Show help for a subcommand
+
+${bold("EXAMPLES")}
+  ambit destroy network browsers
+  ambit destroy app my-app.browsers
+  ambit destroy app my-app --network browsers
+
+Run 'ambit destroy network --help' or 'ambit destroy app --help' for details.
+`);
+};
+// =============================================================================
+// Destroy Network
+// =============================================================================
+const destroyNetwork = async (argv) => {
     const args = parseArgs(argv, {
         string: ["network", "org"],
         boolean: ["help", "yes", "json"],
@@ -21,57 +49,78 @@ const destroy = async (argv) => {
     });
     if (args.help) {
         console.log(`
-${bold("ambit destroy")} - Tear Down Router
+${bold("ambit destroy network")} - Tear Down Router
 
 ${bold("USAGE")}
-  ambit destroy --network <name> [--org <org>] [--yes] [--json]
+  ambit destroy network <name> [--org <org>] [--yes] [--json]
 
 ${bold("OPTIONS")}
-  --network <name>   Network of the router to destroy (required)
   --org <org>        Fly.io organization slug
   -y, --yes          Skip confirmation prompts
   --json             Output as JSON
+
+${bold("EXAMPLES")}
+  ambit destroy network browsers
+  ambit destroy network browsers --org my-org --yes
 `);
         return;
     }
     const out = createOutput(args.json);
-    if (!args.network) {
-        return out.die("--network Is Required");
+    // Accept network as positional or --network flag (backward compat)
+    const network = (typeof args._[0] === "string" ? args._[0] : undefined) || args.network;
+    if (!network) {
+        return out.die("Network name required. Usage: ambit destroy network <name>");
     }
-    // =========================================================================
+    // ===========================================================================
     // Prerequisites
-    // =========================================================================
+    // ===========================================================================
     const { tailscaleKey } = await checkDependencies(out);
     const fly = createFlyProvider();
     await fly.ensureAuth({ interactive: !args.json });
     const tailscale = createTailscaleProvider("-", tailscaleKey);
     const org = await resolveOrg(fly, args, out);
-    // =========================================================================
+    // ===========================================================================
     // Discover Router
-    // =========================================================================
+    // ===========================================================================
     const spinner = out.spinner("Discovering Router");
-    const app = await findRouterApp(fly, org, args.network);
+    const app = await findRouterApp(fly, org, network);
     if (!app) {
         spinner.fail("Router Not Found");
-        return out.die(`No Router Found for Network '${args.network}'`);
+        return out.die(`No Router Found for Network '${network}'`);
     }
     spinner.success(`Found Router: ${app.appName}`);
     let tsDevice = null;
     try {
         tsDevice = await tailscale.getDeviceByHostname(app.appName);
     }
-    catch { /* device may not exist */ }
+    catch {
+        /* device may not exist */
+    }
     const tag = tsDevice?.tags?.[0] ?? null;
-    // =========================================================================
+    // ===========================================================================
+    // Check for Workload Apps on This Network
+    // ===========================================================================
+    const workloadApps = await listWorkloadAppsOnNetwork(fly, org, network);
+    // ===========================================================================
     // Confirm
-    // =========================================================================
+    // ===========================================================================
     out.blank()
-        .header("ambit Destroy")
+        .header("ambit Destroy Network")
         .blank()
-        .text(`  Network:    ${app.network}`)
+        .text(`  Network:    ${network}`)
         .text(`  Router App: ${app.appName}`)
         .text(`  Tag:        ${tag ?? "unknown"}`)
         .blank();
+    if (workloadApps.length > 0) {
+        out.warn(`${workloadApps.length} Workload App(s) Still on Network '${network}':`);
+        for (const wa of workloadApps) {
+            out.text(`  - ${wa.appName}`);
+        }
+        out.blank();
+        out.dim("These apps will lose connectivity when the router is destroyed.");
+        out.dim(`Consider destroying them first with: ambit destroy app <name>.${network}`);
+        out.blank();
+    }
     if (!args.yes && !args.json) {
         const confirmed = await confirm("Destroy this router?");
         if (!confirmed) {
@@ -80,12 +129,12 @@ ${bold("OPTIONS")}
         }
         out.blank();
     }
-    // =========================================================================
+    // ===========================================================================
     // Tear Down
-    // =========================================================================
+    // ===========================================================================
     const dnsSpinner = out.spinner("Clearing Split DNS");
     try {
-        await tailscale.clearSplitDns(app.network);
+        await tailscale.clearSplitDns(network);
         dnsSpinner.success("Split DNS Cleared");
     }
     catch {
@@ -113,10 +162,14 @@ ${bold("OPTIONS")}
     catch {
         appSpinner.fail("Could Not Destroy Fly App");
     }
-    // =========================================================================
+    // ===========================================================================
     // Done
-    // =========================================================================
-    out.done({ destroyed: true, appName: app.appName });
+    // ===========================================================================
+    out.done({
+        destroyed: true,
+        appName: app.appName,
+        workloadAppsWarned: workloadApps.length,
+    });
     out.ok("Router Destroyed");
     if (tag) {
         out.blank()
@@ -135,11 +188,153 @@ ${bold("OPTIONS")}
     out.print();
 };
 // =============================================================================
+// Destroy App
+// =============================================================================
+const destroyApp = async (argv) => {
+    const args = parseArgs(argv, {
+        string: ["network", "org"],
+        boolean: ["help", "yes", "json"],
+        alias: { y: "yes" },
+    });
+    if (args.help) {
+        console.log(`
+${bold("ambit destroy app")} - Destroy a Workload App
+
+${bold("USAGE")}
+  ambit destroy app <app>.<network> [--org <org>] [--yes] [--json]
+  ambit destroy app <app> --network <name> [--org <org>] [--yes] [--json]
+
+${bold("OPTIONS")}
+  --network <name>   Target network (if not using dot syntax)
+  --org <org>        Fly.io organization slug
+  -y, --yes          Skip confirmation prompts
+  --json             Output as JSON
+
+${bold("EXAMPLES")}
+  ambit destroy app my-app.browsers
+  ambit destroy app my-app --network browsers --yes
+`);
+        return;
+    }
+    const out = createOutput(args.json);
+    // ===========================================================================
+    // Parse App & Network
+    // ===========================================================================
+    const appArg = args._[0];
+    if (!appArg || typeof appArg !== "string") {
+        return out.die("Missing app name. Usage: ambit destroy app <app>.<network>");
+    }
+    let app;
+    let network;
+    if (appArg.includes(".")) {
+        const parts = appArg.split(".");
+        if (parts.length !== 2 || !parts[0] || !parts[1]) {
+            return out.die(`'${appArg}' should have exactly one dot, like my-app.my-network`);
+        }
+        if (args.network) {
+            return out.die(`Network is already part of the name ('${appArg}'), --network is not needed`);
+        }
+        app = parts[0];
+        network = parts[1];
+    }
+    else {
+        app = appArg;
+        if (!args.network) {
+            return out.die(`Missing network. Use: ambit destroy app ${app}.<network>`);
+        }
+        network = args.network;
+    }
+    try {
+        assertNotRouter(app);
+    }
+    catch (e) {
+        return out.die(e instanceof Error ? e.message : String(e));
+    }
+    // ===========================================================================
+    // Prerequisites
+    // ===========================================================================
+    const { tailscaleKey: _tailscaleKey } = await checkDependencies(out);
+    const fly = createFlyProvider();
+    await fly.ensureAuth({ interactive: !args.json });
+    const org = await resolveOrg(fly, args, out);
+    // ===========================================================================
+    // Discover App
+    // ===========================================================================
+    const spinner = out.spinner("Discovering App");
+    const workloadApp = await findWorkloadApp(fly, org, app, network);
+    if (!workloadApp) {
+        spinner.fail("App Not Found");
+        // Check if app exists on a different network
+        const anyApp = await findWorkloadApp(fly, org, app);
+        if (anyApp) {
+            return out.die(`App '${app}' exists on network '${anyApp.network}', not '${network}'`);
+        }
+        return out.die(`No app '${app}' found on network '${network}'`);
+    }
+    spinner.success(`Found App: ${workloadApp.appName} (network: ${workloadApp.network})`);
+    // ===========================================================================
+    // Confirm
+    // ===========================================================================
+    out.blank()
+        .header("ambit Destroy App")
+        .blank()
+        .text(`  App:      ${workloadApp.appName}`)
+        .text(`  Network:  ${workloadApp.network}`)
+        .blank();
+    if (!args.yes && !args.json) {
+        const confirmed = await confirm(`Destroy app '${app}' on network '${network}'?`);
+        if (!confirmed) {
+            out.text("Cancelled.");
+            return;
+        }
+        out.blank();
+    }
+    // ===========================================================================
+    // Destroy
+    // ===========================================================================
+    const appSpinner = out.spinner("Destroying Fly App");
+    try {
+        await fly.deleteApp(workloadApp.appName);
+        appSpinner.success("Fly App Destroyed");
+    }
+    catch {
+        appSpinner.fail("Could Not Destroy Fly App");
+    }
+    // ===========================================================================
+    // Done
+    // ===========================================================================
+    out.done({ destroyed: true, appName: workloadApp.appName, network });
+    out.ok("App Destroyed");
+    out.blank();
+    out.print();
+};
+// =============================================================================
+// Dispatcher
+// =============================================================================
+const destroy = async (argv) => {
+    const subcommand = typeof argv[0] === "string" ? argv[0] : undefined;
+    if (subcommand === "network") {
+        return destroyNetwork(argv.slice(1));
+    }
+    if (subcommand === "app") {
+        return destroyApp(argv.slice(1));
+    }
+    // Handle --help at the top level
+    const args = parseArgs(argv, { boolean: ["help"] });
+    if (args.help) {
+        showDestroyHelp();
+        return;
+    }
+    // No valid subcommand
+    showDestroyHelp();
+    dntShim.Deno.exit(1);
+};
+// =============================================================================
 // Register Command
 // =============================================================================
 registerCommand({
     name: "destroy",
-    description: "Tear down the router, clean up DNS and tailnet device",
-    usage: "ambit destroy --network <name> [--org <org>] [--yes] [--json]",
+    description: "Destroy a network (router) or a workload app",
+    usage: "ambit destroy network|app <name> [options]",
     run: destroy,
 });

package/esm/src/cli/commands/doctor.js

@@ -1,7 +1,7 @@
 // =============================================================================
 // Doctor Command - Verify Environment and Infrastructure Health
 // =============================================================================
-import { parseArgs } from "../../../deps/jsr.io/@std/cli/1.0.27/mod.js";
+import { parseArgs } from "../../../deps/jsr.io/@std/cli/1.0.28/mod.js";
 import { bold } from "../../../lib/cli.js";
 import { createOutput } from "../../../lib/output.js";
 import { runCommand } from "../../../lib/command.js";
@@ -67,7 +67,7 @@ ${bold("CHECKS")}
     report("Tailscale Installed", await isTailscaleInstalled(), "Install from https://tailscale.com/download");
     const tsStatus = await runCommand(["tailscale", "status", "--json"]);
     let tsConnected = false;
-    if (tsStatus.success) {
+    if (tsStatus.ok) {
         try {
             const parsed = JSON.parse(tsStatus.stdout);
             tsConnected = parsed.BackendState === "Running";

package/esm/src/cli/commands/list.js

@@ -1,7 +1,7 @@
 // =============================================================================
 // List Command - List All Discovered Routers
 // =============================================================================
-import { parseArgs } from "../../../deps/jsr.io/@std/cli/1.0.27/mod.js";
+import { parseArgs } from "../../../deps/jsr.io/@std/cli/1.0.28/mod.js";
 import { Table } from "../../../deps/jsr.io/@cliffy/table/1.0.0/mod.js";
 import { bold } from "../../../lib/cli.js";
 import { createOutput } from "../../../lib/output.js";

package/esm/src/cli/commands/status.js

@@ -1,7 +1,7 @@
 // =============================================================================
 // Status Command - Show Router Status
 // =============================================================================
-import { parseArgs } from "../../../deps/jsr.io/@std/cli/1.0.27/mod.js";
+import { parseArgs } from "../../../deps/jsr.io/@std/cli/1.0.28/mod.js";
 import { Table } from "../../../deps/jsr.io/@cliffy/table/1.0.0/mod.js";
 import { bold } from "../../../lib/cli.js";
 import { createOutput } from "../../../lib/output.js";

package/esm/src/cli/mod.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../../src/src/cli/mod.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACxC;AAQD,eAAO,MAAM,eAAe,GAAI,SAAS,OAAO,KAAG,IAElD,CAAC;AAEF,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,KAAG,OAAO,GAAG,SAEnD,CAAC;AAEF,eAAO,MAAM,cAAc,QAAO,OAAO,EAExC,CAAC;AAQF,eAAO,MAAM,QAAQ,QAAO,IA4B3B,CAAC;AAEF,eAAO,MAAM,WAAW,QAAO,IAE9B,CAAC;AAMF,eAAO,MAAM,MAAM,GAAU,MAAM,MAAM,EAAE,KAAG,OAAO,CAAC,IAAI,CAuCzD,CAAC"}
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../../src/src/cli/mod.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACxC;AAQD,eAAO,MAAM,eAAe,GAAI,SAAS,OAAO,KAAG,IAElD,CAAC;AAEF,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,KAAG,OAAO,GAAG,SAEnD,CAAC;AAEF,eAAO,MAAM,cAAc,QAAO,OAAO,EAExC,CAAC;AAQF,eAAO,MAAM,QAAQ,QAAO,IA6B3B,CAAC;AAEF,eAAO,MAAM,WAAW,QAAO,IAE9B,CAAC;AAMF,eAAO,MAAM,MAAM,GAAU,MAAM,MAAM,EAAE,KAAG,OAAO,CAAC,IAAI,CAuCzD,CAAC"}

package/esm/src/cli/mod.js

@@ -2,7 +2,7 @@
 // CLI Framework - Command Parser and Router
 // =============================================================================
 import * as dntShim from "../../_dnt.shims.js";
-import { parseArgs } from "../../deps/jsr.io/@std/cli/1.0.27/mod.js";
+import { parseArgs } from "../../deps/jsr.io/@std/cli/1.0.28/mod.js";
 import { bold, dim } from "../../lib/cli.js";
 import denoConfig from "../../deno.js";
 // =============================================================================
@@ -34,7 +34,7 @@ ${bold("COMMANDS")}
   deploy     Deploy an app safely on a custom private network
   list       List all discovered routers across networks
   status     Show router status, network, and tailnet info
-  destroy    Tear down the router, clean up DNS and tailnet device
+  destroy    Destroy a network (router) or a workload app
   doctor     Check that Tailscale and the router are working correctly
 
 ${bold("OPTIONS")}
@@ -45,7 +45,8 @@ ${bold("EXAMPLES")}
   ambit create browsers
   ambit list
   ambit status --network browsers
-  ambit destroy --network browsers
+  ambit destroy network browsers
+  ambit destroy app my-app.browsers
   ambit doctor
 
 ${dim("Run 'ambit <command> --help' for command-specific help.")}

package/esm/src/discovery.d.ts

@@ -6,6 +6,7 @@ export interface RouterApp {
     appName: string;
     network: string;
     org: string;
+    routerId: string;
 }
 /** Machine state for a router, from the Fly Machines API. */
 export interface RouterMachineInfo {
@@ -25,6 +26,18 @@ export interface RouterTailscaleInfo {
 export declare const listRouterApps: (fly: FlyProvider, org: string) => Promise<RouterApp[]>;
 /** Find the router app for a specific network. */
 export declare const findRouterApp: (fly: FlyProvider, org: string, network: string) => Promise<RouterApp | null>;
+/** A workload (non-router) app discovered from the Fly REST API. */
+export interface WorkloadApp {
+    appName: string;
+    network: string;
+    org: string;
+}
+/** List all non-router apps on a specific custom network in an org. */
+export declare const listWorkloadAppsOnNetwork: (fly: FlyProvider, org: string, network: string) => Promise<WorkloadApp[]>;
+/** Find a specific workload app by logical name, optionally scoped to a network.
+ *  When a network is provided, resolves the router-suffixed Fly app name
+ *  (e.g. "thing" on network "lab" with routerId "abc123" → "thing-abc123"). */
+export declare const findWorkloadApp: (fly: FlyProvider, org: string, appName: string, network?: string) => Promise<WorkloadApp | null>;
 /** Get machine info for a router app. Returns null if no machines exist. */
 export declare const getRouterMachineInfo: (fly: FlyProvider, appName: string) => Promise<RouterMachineInfo | null>;
 /** Get tailscale device info for a router. Returns null if not found. */

package/esm/src/discovery.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/src/discovery.ts"],"names":[],"mappings":"AAcA,OAAO,sBAAsB,CAAC;AAG9B,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAOlE,qDAAqD;AACrD,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,6DAA6D;AAC7D,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAaD,wDAAwD;AACxD,eAAO,MAAM,cAAc,GACzB,KAAK,WAAW,EAChB,KAAK,MAAM,KACV,OAAO,CAAC,SAAS,EAAE,CAcrB,CAAC;AAEF,kDAAkD;AAClD,eAAO,MAAM,aAAa,GACxB,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,SAAS,GAAG,IAAI,CAG1B,CAAC;AAMF,4EAA4E;AAC5E,eAAO,MAAM,oBAAoB,GAC/B,KAAK,WAAW,EAChB,SAAS,MAAM,KACd,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAclC,CAAC;AAMF,yEAAyE;AACzE,eAAO,MAAM,sBAAsB,GACjC,WAAW,iBAAiB,EAC5B,SAAS,MAAM,KACd,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAcpC,CAAC"}
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/src/discovery.ts"],"names":[],"mappings":"AAcA,OAAO,sBAAsB,CAAC;AAG9B,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAOlE,qDAAqD;AACrD,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,6DAA6D;AAC7D,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAaD,wDAAwD;AACxD,eAAO,MAAM,cAAc,GACzB,KAAK,WAAW,EAChB,KAAK,MAAM,KACV,OAAO,CAAC,SAAS,EAAE,CAerB,CAAC;AAEF,kDAAkD;AAClD,eAAO,MAAM,aAAa,GACxB,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,SAAS,GAAG,IAAI,CAG1B,CAAC;AAMF,oEAAoE;AACpE,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,uEAAuE;AACvE,eAAO,MAAM,yBAAyB,GACpC,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,WAAW,EAAE,CAcvB,CAAC;AAEF;;+EAE+E;AAC/E,eAAO,MAAM,eAAe,GAC1B,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,EACf,UAAU,MAAM,KACf,OAAO,CAAC,WAAW,GAAG,IAAI,CA4B5B,CAAC;AAMF,4EAA4E;AAC5E,eAAO,MAAM,oBAAoB,GAC/B,KAAK,WAAW,EAChB,SAAS,MAAM,KACd,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAclC,CAAC;AAMF,yEAAyE;AACzE,eAAO,MAAM,sBAAsB,GACjC,WAAW,iBAAiB,EAC5B,SAAS,MAAM,KACd,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAcpC,CAAC"}

package/esm/src/discovery.js

@@ -13,6 +13,7 @@
 //
 // =============================================================================
 import "../_dnt.polyfills.js";
+import { getRouterSuffix, getWorkloadAppName } from "./providers/fly.js";
 import { extractSubnet } from "./schemas/config.js";
 // =============================================================================
 // Constants
@@ -32,6 +33,7 @@ export const listRouterApps = async (fly, org) => {
         appName: app.name,
         network: app.network,
         org: app.organization?.slug ?? org,
+        routerId: getRouterSuffix(app.name, app.network),
     }));
 };
 /** Find the router app for a specific network. */
@@ -39,6 +41,46 @@ export const findRouterApp = async (fly, org, network) => {
     const apps = await listRouterApps(fly, org);
     return apps.find((a) => a.network === network) ?? null;
 };
+/** List all non-router apps on a specific custom network in an org. */
+export const listWorkloadAppsOnNetwork = async (fly, org, network) => {
+    const apps = await fly.listAppsWithNetwork(org);
+    return apps
+        .filter((app) => !app.name.startsWith(ROUTER_APP_PREFIX) &&
+        app.network === network)
+        .map((app) => ({
+        appName: app.name,
+        network: app.network,
+        org: app.organization?.slug ?? org,
+    }));
+};
+/** Find a specific workload app by logical name, optionally scoped to a network.
+ *  When a network is provided, resolves the router-suffixed Fly app name
+ *  (e.g. "thing" on network "lab" with routerId "abc123" → "thing-abc123"). */
+export const findWorkloadApp = async (fly, org, appName, network) => {
+    const apps = await fly.listAppsWithNetwork(org);
+    const workloads = apps
+        .filter((app) => !app.name.startsWith(ROUTER_APP_PREFIX) &&
+        app.network !== DEFAULT_NETWORK)
+        .map((app) => ({
+        appName: app.name,
+        network: app.network,
+        org: app.organization?.slug ?? org,
+    }));
+    if (network) {
+        // Resolve the router's suffix so we can match the suffixed Fly app name
+        const router = await findRouterApp(fly, org, network);
+        if (router) {
+            const suffixedName = getWorkloadAppName(appName, router.routerId);
+            const found = workloads.find((a) => a.appName === suffixedName && a.network === network);
+            if (found)
+                return found;
+        }
+        // Fallback: try exact match (for pre-suffix apps or direct Fly name)
+        return workloads.find((a) => a.appName === appName && a.network === network) ?? null;
+    }
+    // Without network, try exact match only
+    return workloads.find((a) => a.appName === appName) ?? null;
+};
 // =============================================================================
 // 2. What's the machine state? (Fly Machines API)
 // =============================================================================

package/esm/src/docker/router/start.sh

@@ -5,8 +5,10 @@ set -e
 # ambit - Self-Configuring Tailscale Subnet Router
 # =============================================================================
 # State is persisted to /var/lib/tailscale via Fly volume.
-# On first run: creates auth key (with tags), authenticates, approves routes.
+# On first run: authenticates with a pre-minted auth key, advertises routes.
 # On restart: reuses existing state, no new device created.
+# The router never receives the user's API token — only a single-use,
+# tag-scoped auth key that expires after 5 minutes.
 # =============================================================================
 
 echo "Router: Enabling IP Forwarding"
@@ -33,42 +35,9 @@ if /usr/local/bin/tailscale status --json 2>/dev/null | jq -e '.BackendState ==
     --hostname="${FLY_APP_NAME:-ambit}" \
     --advertise-routes="${SUBNET}"
 else
-  # First run - need to authenticate
-  if [ -n "${TAILSCALE_API_TOKEN}" ]; then
-    echo "Router: Creating Auth Key (First Run)"
-
-    TAGS_JSON="[]"
-    if [ -n "${TAILSCALE_TAGS}" ]; then
-      TAGS_JSON=$(echo "${TAILSCALE_TAGS}" | jq -R 'split(",")')
-    fi
-
-    AUTH_KEY_RESPONSE=$(curl -s -X POST \
-      -u "${TAILSCALE_API_TOKEN}:" \
-      -H "Content-Type: application/json" \
-      -d "$(jq -n \
-        --argjson tags "${TAGS_JSON}" \
-        '{
-          capabilities: { devices: { create: {
-            reusable: false,
-            ephemeral: false,
-            preauthorized: true,
-            tags: $tags
-          }}},
-          expirySeconds: 300
-        }' | jq 'if .capabilities.devices.create.tags == [] then .capabilities.devices.create |= del(.tags) else . end')" \
-      "https://api.tailscale.com/api/v2/tailnet/-/keys")
-
-    TAILSCALE_AUTHKEY=$(echo "${AUTH_KEY_RESPONSE}" | jq -r '.key')
-
-    if [ -z "${TAILSCALE_AUTHKEY}" ] || [ "${TAILSCALE_AUTHKEY}" = "null" ]; then
-      echo "Router: ERROR - Failed to Create Auth Key"
-      echo "${AUTH_KEY_RESPONSE}"
-      exit 1
-    fi
-
-    echo "Router: Auth Key Created"
-  elif [ -z "${TAILSCALE_AUTHKEY}" ]; then
-    echo "Router: ERROR - No TAILSCALE_API_TOKEN or TAILSCALE_AUTHKEY Provided"
+  # First run - authenticate with pre-minted auth key
+  if [ -z "${TAILSCALE_AUTHKEY}" ]; then
+    echo "Router: ERROR - No TAILSCALE_AUTHKEY Provided"
     exit 1
   fi
 
@@ -79,40 +48,6 @@ else
     --advertise-routes="${SUBNET}"
 fi
 
-echo "Router: Getting Node Key"
-NODE_KEY=$(/usr/local/bin/tailscale status --json | jq -r '.Self.PublicKey')
-echo "Router: Node Key ${NODE_KEY}"
-
-# Self-approve routes if we have API access
-# This is a fallback — if the user has autoApprovers configured in their
-# Tailscale policy file, routes are approved automatically and this block
-# is a no-op (routes are already enabled).
-if [ -n "${TAILSCALE_API_TOKEN}" ]; then
-  echo "Router: Finding Device ID"
-
-  DEVICES_RESPONSE=$(curl -s \
-    -u "${TAILSCALE_API_TOKEN}:" \
-    "https://api.tailscale.com/api/v2/tailnet/-/devices")
-
-  DEVICE_ID=$(echo "${DEVICES_RESPONSE}" | jq -r ".devices[] | select(.nodeKey == \"${NODE_KEY}\") | .id")
-
-  if [ -n "${DEVICE_ID}" ] && [ "${DEVICE_ID}" != "null" ]; then
-    echo "Router: Device ID ${DEVICE_ID}"
-    echo "Router: Approving Subnet Routes"
-
-    curl -s -X POST \
-      -u "${TAILSCALE_API_TOKEN}:" \
-      -H "Content-Type: application/json" \
-      -d "{\"routes\": [\"${SUBNET}\"]}" \
-      "https://api.tailscale.com/api/v2/device/${DEVICE_ID}/routes" > /dev/null
-
-    echo "Router: Routes Approved"
-  else
-    echo "Router: WARNING - Could Not Find Device ID"
-    echo "Router: Routes May Need Manual Approval"
-  fi
-fi
-
 echo "Router: Fully Configured"
 
 # Start SOCKS5 proxy for bidirectional tailnet access
@@ -124,10 +59,21 @@ echo "Router: Starting DNS Proxy"
 
 # Generate Corefile for CoreDNS
 # Rewrites NETWORK_NAME TLD to .flycast before forwarding to Fly DNS.
+# When ROUTER_ID is set, workload app names are suffixed: app.network ->
+# app-ROUTER_ID.flycast. This ties workloads to their router and avoids
+# name collisions across networks.
 # .flycast resolves to the Flycast address (private_v6) which routes through
 # Fly Proxy — enabling autostart/autostop and load balancing. The Flycast IP
 # is within the network's /48 subnet so it's routable through the tailnet.
-if [ -n "${NETWORK_NAME}" ]; then
+if [ -n "${NETWORK_NAME}" ] && [ -n "${ROUTER_ID}" ]; then
+  echo "Router: DNS Rewrite *.${NETWORK_NAME} -> *-${ROUTER_ID}.flycast"
+  cat > /etc/coredns/Corefile <<EOF
+.:53 {
+    rewrite name regex (.+)\.${NETWORK_NAME}\. {1}-${ROUTER_ID}.flycast. answer auto
+    forward . fdaa::3
+}
+EOF
+elif [ -n "${NETWORK_NAME}" ]; then
   echo "Router: DNS Rewrite ${NETWORK_NAME} -> flycast"
   cat > /etc/coredns/Corefile <<EOF
 .:53 {

package/esm/src/providers/fly.d.ts

@@ -32,6 +32,7 @@ export interface SafeDeployOptions {
     image?: string;
     config?: string;
     region?: string;
+    routerId?: string;
 }
 export interface FlyProvider {
     ensureInstalled(): Promise<void>;
@@ -41,6 +42,7 @@ export interface FlyProvider {
     listOrgs(): Promise<Record<string, string>>;
     createApp(name: string, org: string, options?: {
         network?: string;
+        routerId?: string;
     }): Promise<void>;
     deleteApp(name: string): Promise<void>;
     listApps(org?: string): Promise<FlyApp[]>;
@@ -67,4 +69,8 @@ export interface FlyProvider {
 }
 export declare const createFlyProvider: () => FlyProvider;
 export declare const getRouterAppName: (network: string, randomSuffix: string) => string;
+/** Extract the routerId suffix from a router app name. */
+export declare const getRouterSuffix: (routerAppName: string, network: string) => string;
+/** Build the physical Fly app name for a workload. */
+export declare const getWorkloadAppName: (name: string, routerId: string) => string;
 //# sourceMappingURL=fly.d.ts.map