@cardelli/ambit 0.1.4 → 0.1.5

package/esm/src/cli/commands/create.js

@@ -11,13 +11,14 @@ import { createFlyProvider, FlyDeployError, getRouterAppName, } from "../../prov
 import { createTailscaleProvider, enableAcceptRoutes, isAcceptRoutesEnabled, isTailscaleInstalled, waitForDevice, } from "../../providers/tailscale.js";
 import { getCredentialStore } from "../../credentials.js";
 import { resolveOrg } from "../../resolve.js";
+import { findRouterApp } from "../../discovery.js";
 // =============================================================================
 // Create Command
 // =============================================================================
 const create = async (argv) => {
     const args = parseArgs(argv, {
         string: ["org", "region", "api-key", "tag"],
-        boolean: ["help", "yes", "json", "self-approve"],
+        boolean: ["help", "yes", "json", "no-auto-approve"],
         alias: { y: "yes" },
     });
     if (args.help) {
@@ -32,9 +33,9 @@ ${bold("OPTIONS")}
   --region <region>   Fly.io region (default: iad)
   --api-key <key>     Tailscale API access token (tskey-api-...)
   --tag <tag>         Tailscale ACL tag for the router (default: tag:ambit-<network>)
-  --self-approve      Approve subnet routes via API (when autoApprovers not configured)
+  --no-auto-approve        Skip waiting for router and approving routes
   -y, --yes           Skip confirmation prompts
-  --json              Output as JSON
+  --json              Output as JSON (implies --no-auto-approve)
 
 ${bold("DESCRIPTION")}
   Deploys a Tailscale subnet router onto a Fly.io custom private network.
@@ -45,7 +46,6 @@ ${bold("DESCRIPTION")}
 ${bold("EXAMPLES")}
   ambit create browsers
   ambit create browsers --org my-org --region sea
-  ambit create browsers --self-approve
 `);
         return;
     }
@@ -59,7 +59,7 @@ ${bold("EXAMPLES")}
         return out.die(`"${network}" Is a Public TLD and Cannot Be Used as a Network Name`);
     }
     const tag = args.tag || getRouterTag(network);
-    const selfApprove = args["self-approve"] ?? false;
+    const shouldApprove = !(args["no-auto-approve"] || args.json);
     out.blank()
         .header("=".repeat(50))
         .header(`  ambit Create: ${network}`)
@@ -75,7 +75,13 @@ ${bold("EXAMPLES")}
     out.ok(`Authenticated as ${email}`);
     const org = await resolveOrg(fly, args, out);
     const region = args.region || "iad";
-    out.ok(`Using Region: ${region}`).blank();
+    out.ok(`Using Region: ${region}`);
+    const existingRouter = await findRouterApp(fly, org, network);
+    if (existingRouter) {
+        return out.die(`A Router Already Exists for Network "${network}": ${existingRouter.appName}. ` +
+            `Use "ambit destroy ${network}" First, or Choose a Different Network Name.`);
+    }
+    out.blank();
     // ==========================================================================
     // Step 2: Tailscale Configuration
     // ==========================================================================
@@ -86,8 +92,8 @@ ${bold("EXAMPLES")}
         if (args.json) {
             return out.die("--api-key Is Required in JSON Mode");
         }
-        out.dim("ambit needs an API access token (not an auth key) to manage your tailnet.")
-            .dim("Create one at: https://login.tailscale.com/admin/settings/keys")
+        out.dim("Ambit Needs an API Access Token (Not an Auth Key) to Manage Your Tailnet.")
+            .dim("Create One at: https://login.tailscale.com/admin/settings/keys")
             .blank();
         apiKey = await readSecret("API access token (tskey-api-...): ");
         if (!apiKey) {
@@ -114,10 +120,10 @@ ${bold("EXAMPLES")}
     if (!hasTagOwner) {
         tagOwnerSpinner.fail(`Tag ${tag} Not Configured in tagOwners`);
         out.blank()
-            .text(`  The tag ${tag} does not exist in your Tailscale ACL tagOwners.`)
-            .text("  Tailscale will reject auth keys for undefined tags.")
+            .text(`  The Tag ${tag} Does Not Exist in Your Tailscale ACL tagOwners.`)
+            .text("  Tailscale Will Reject Auth Keys for Undefined Tags.")
             .blank()
-            .text("  Add this tag in your Tailscale ACL settings:")
+            .text("  Add This Tag in Your Tailscale ACL Settings:")
             .dim("  https://login.tailscale.com/admin/acls/visual/tags")
             .blank()
             .dim(`    "tagOwners": { "${tag}": ["autogroup:admin"] }`)
@@ -125,46 +131,31 @@ ${bold("EXAMPLES")}
         return out.die(`Add ${tag} to tagOwners Before Creating Router`);
     }
     tagOwnerSpinner.success(`Tag ${tag} Configured in tagOwners`);
-    // ==========================================================================
-    // Step 2.6: Check autoApprovers
-    // ==========================================================================
-    if (!selfApprove) {
-        const autoApproverSpinner = out.spinner("Checking autoApprovers Configuration");
-        const hasAutoApprover = await tailscale.isAutoApproverConfigured(tag);
-        if (!hasAutoApprover) {
-            autoApproverSpinner.fail("autoApprovers Not Configured");
-            out.blank()
-                .text(`  The tag ${tag} is not listed in your Tailscale ACL autoApprovers.`)
-                .text("  Routes advertised by the router will not be auto-approved.")
-                .blank()
-                .text("  Either configure autoApprovers in your Tailscale ACL policy:")
-                .dim(`    "autoApprovers": { "routes": { "fdaa:X:XXXX::/48": ["${tag}"] } }`)
-                .blank()
-                .text("  Or re-run with --self-approve to approve routes via API:")
-                .dim(`    ambit create ${network} --self-approve`)
-                .blank();
-            return out.die("Configure autoApprovers or Use --self-approve");
-        }
-        autoApproverSpinner.success("autoApprovers Configured");
-    }
-    else {
-        out.info("Self-Approve Mode: Routes Will Be Approved via API");
-    }
     out.blank();
     // ==========================================================================
     // Step 3: Deploy Router on Custom 6PN
     // ==========================================================================
+    let hasAutoApprover = false;
     out.header("Step 3: Deploy Subnet Router").blank();
-    const routerAppName = getRouterAppName(network, randomId(6));
+    const suffix = randomId(8);
+    const routerAppName = getRouterAppName(network, suffix);
     out.info(`Creating Router App: ${routerAppName}`)
         .info(`Custom Network: ${network}`)
         .info(`Router Tag: ${tag}`);
     await fly.createApp(routerAppName, org, { network });
     out.ok(`Created App: ${routerAppName}`);
+    const authKeySpinner = out.spinner("Creating Tag-Scoped Auth Key");
+    const authKey = await tailscale.createAuthKey({
+        reusable: false,
+        ephemeral: false,
+        preauthorized: true,
+        tags: [tag],
+    });
+    authKeySpinner.success("Auth Key Created (Single-Use, 5min Expiry)");
     await fly.setSecrets(routerAppName, {
-        TAILSCALE_API_TOKEN: apiKey,
+        TAILSCALE_AUTHKEY: authKey,
         NETWORK_NAME: network,
-        TAILSCALE_TAGS: tag,
+        ROUTER_ID: suffix,
     }, { stage: true });
     out.ok("Set Router Secrets");
     const dockerDir = new URL("../../docker/router", globalThis[Symbol.for("import-meta-ponyfill-esmodule")](import.meta).url).pathname;
@@ -180,61 +171,79 @@ ${bold("EXAMPLES")}
         throw e;
     }
     out.ok("Router Deployed");
-    out.blank();
-    const joinSpinner = out.spinner("Waiting for Router to Join Tailnet");
-    const device = await waitForDevice(tailscale, routerAppName, 180000);
-    joinSpinner.success(`Router Joined Tailnet: ${device.addresses[0]}`);
-    const machines = await fly.listMachines(routerAppName);
-    const routerMachine = machines.find((m) => m.private_ip);
-    const subnet = routerMachine?.private_ip
-        ? extractSubnet(routerMachine.private_ip)
-        : null;
-    if (subnet) {
-        out.ok(`Subnet: ${subnet}`);
-    }
-    if (selfApprove && subnet) {
-        const approveSpinner = out.spinner("Approving Subnet Routes via API");
-        await tailscale.approveSubnetRoutes(device.id, [subnet]);
-        approveSpinner.success("Subnet Routes Approved via API");
-    }
-    if (device.advertisedRoutes && device.advertisedRoutes.length > 0) {
-        out.ok(`Routes: ${device.advertisedRoutes.join(", ")}`);
-    }
-    const dnsSpinner = out.spinner("Configuring Split DNS");
-    await tailscale.setSplitDns(network, [device.addresses[0]]);
-    dnsSpinner.success(`Split DNS Configured: *.${network} -> Router`);
     // ==========================================================================
-    // Step 4: Local Client Configuration
+    // Step 4: Wait for Router, Approve Routes, Configure DNS
     // ==========================================================================
-    out.blank().header("Step 4: Local Client Configuration").blank();
-    if (await isTailscaleInstalled()) {
-        if (await isAcceptRoutesEnabled()) {
-            out.ok("Accept Routes Already Enabled");
+    let device = null;
+    let routerMachine;
+    let subnet = null;
+    if (shouldApprove) {
+        out.blank();
+        const joinSpinner = out.spinner("Waiting for Router to Join Tailnet");
+        device = await waitForDevice(tailscale, routerAppName, 180000);
+        joinSpinner.success(`Router Joined Tailnet: ${device.addresses[0]}`);
+        const machines = await fly.listMachines(routerAppName);
+        routerMachine = machines.find((m) => m.private_ip);
+        subnet = routerMachine?.private_ip
+            ? extractSubnet(routerMachine.private_ip)
+            : null;
+        if (subnet) {
+            out.ok(`Subnet: ${subnet}`);
+            hasAutoApprover = await tailscale.isAutoApproverConfigured(tag);
+            if (!hasAutoApprover) {
+                const approveSpinner = out.spinner("Approving Subnet Routes");
+                await tailscale.approveSubnetRoutes(device.id, [subnet]);
+                approveSpinner.success("Subnet Routes Approved");
+            }
+            else {
+                out.ok("Routes Auto-Approved via ACL Policy");
+            }
         }
-        else {
-            const routeSpinner = out.spinner("Enabling Accept Routes");
-            if (await enableAcceptRoutes()) {
-                routeSpinner.success("Accept Routes Enabled");
+        if (device.advertisedRoutes && device.advertisedRoutes.length > 0) {
+            out.ok(`Routes: ${device.advertisedRoutes.join(", ")}`);
+        }
+        const dnsSpinner = out.spinner("Configuring Split DNS");
+        await tailscale.setSplitDns(network, [device.addresses[0]]);
+        dnsSpinner.success(`Split DNS Configured: *.${network} -> Router`);
+        // ========================================================================
+        // Step 5: Local Client Configuration
+        // ========================================================================
+        out.blank().header("Step 5: Local Client Configuration").blank();
+        if (await isTailscaleInstalled()) {
+            if (await isAcceptRoutesEnabled()) {
+                out.ok("Accept Routes Already Enabled");
             }
             else {
-                routeSpinner.fail("Could Not Enable Accept Routes");
-                out.blank()
-                    .dim("Run Manually with Elevated Permissions:")
-                    .dim("  sudo tailscale set --accept-routes");
+                const routeSpinner = out.spinner("Enabling Accept Routes");
+                if (await enableAcceptRoutes()) {
+                    routeSpinner.success("Accept Routes Enabled");
+                }
+                else {
+                    routeSpinner.fail("Could Not Enable Accept Routes");
+                    out.blank()
+                        .dim("Run Manually With Elevated Permissions:")
+                        .dim("  sudo tailscale set --accept-routes");
+                }
             }
         }
+        else {
+            out.warn("Tailscale CLI Not Found")
+                .dim("  Ensure Accept-Routes is Enabled on This Device");
+        }
     }
     else {
-        out.warn("Tailscale CLI Not Found")
-            .dim("  Ensure Accept-Routes Is Enabled on This Device");
+        out.blank().info("Skipping Route Approval and DNS Configuration (Use ambit doctor to Verify Later)");
     }
     // ==========================================================================
     // Done
     // ==========================================================================
     out.done({
         network,
-        router: { appName: routerAppName, tailscaleIp: device.addresses[0] },
-        subnet: subnet || "unknown",
+        router: {
+            appName: routerAppName,
+            tailscaleIp: device?.addresses[0] ?? "pending",
+        },
+        subnet: subnet || "pending",
         tag,
     });
     out.blank()
@@ -244,43 +253,48 @@ ${bold("EXAMPLES")}
         .blank()
         .text(`Any Flycast app on the "${network}" network is reachable as:`)
         .text(`  <app-name>.${network}`)
-        .blank()
-        .text(`SOCKS5 proxy available at:`)
-        .text(`  socks5://[${routerMachine?.private_ip ?? "ROUTER_IP"}]:1080`)
-        .dim("Containers on this network can use it to reach your tailnet.")
-        .blank()
-        .dim("Deploy an app to this network:")
+        .blank();
+    if (routerMachine?.private_ip) {
+        out.text("SOCKS5 Proxy Available at:")
+            .text(`  socks5://[${routerMachine.private_ip}]:1080`)
+            .dim("Containers on This Network Can Use It to Reach Your Tailnet.")
+            .blank();
+    }
+    out.dim("Deploy an App to This Network:")
         .dim(`  ambit deploy my-app --network ${network}`)
         .blank()
-        .dim("Invite people to your tailnet:")
+        .dim("Invite People to Your Tailnet:")
         .dim("  https://login.tailscale.com/admin/users")
-        .dim("Control their access:")
+        .dim("Control Their Access:")
         .dim("  https://login.tailscale.com/admin/acls/visual/general-access-rules")
         .blank();
-    if (subnet && selfApprove) {
-        out.header("Recommended Tailscale ACL Policy:")
+    if (subnet && !hasAutoApprover) {
+        out.header("Recommended: Configure autoApprovers")
             .blank()
-            .dim("  Add these to your tailnet policy file at:")
+            .dim("  Add to Your Tailnet Policy File at:")
             .dim("  https://login.tailscale.com/admin/acls/file")
             .blank()
-            .text(`  "tagOwners": { "${tag}": ["autogroup:admin"] }`)
             .text(`  "autoApprovers": { "routes": { "${subnet}": ["${tag}"] } }`)
             .blank()
-            .dim("  To restrict access, add ACL rules:")
-            .dim(`    {"action": "accept", "src": ["group:YOUR_GROUP"], "dst": ["${tag}:53"]}`)
-            .dim(`    {"action": "accept", "src": ["group:YOUR_GROUP"], "dst": ["${subnet}:*"]}`)
+            .dim("  Routes Were Approved via API for This Session.")
+            .dim("  autoApprovers Will Auto-Approve on Future Restarts.")
             .blank();
     }
-    else if (subnet) {
+    if (subnet) {
         out.header("Recommended ACL Rules:")
             .blank()
-            .dim("  To restrict access, add ACL rules to your policy file:")
+            .dim("  To Restrict Access, Add ACL Rules to Your Policy File:")
             .dim("  https://login.tailscale.com/admin/acls/file")
             .blank()
             .dim(`    {"action": "accept", "src": ["group:YOUR_GROUP"], "dst": ["${tag}:53"]}`)
             .dim(`    {"action": "accept", "src": ["group:YOUR_GROUP"], "dst": ["${subnet}:*"]}`)
             .blank();
     }
+    if (!shouldApprove) {
+        out.dim("Route Approval Was Skipped. To Complete Setup:")
+            .dim(`  ambit doctor --network ${network}`)
+            .blank();
+    }
     out.print();
 };
 // =============================================================================

package/esm/src/cli/commands/deploy.js

@@ -7,7 +7,7 @@ import { join } from "../../../deps/jsr.io/@std/path/1.1.4/mod.js";
 import { bold, confirm, fileExists } from "../../../lib/cli.js";
 import { createOutput } from "../../../lib/output.js";
 import { registerCommand } from "../mod.js";
-import { createFlyProvider, FlyDeployError } from "../../providers/fly.js";
+import { createFlyProvider, FlyDeployError, getWorkloadAppName, } from "../../providers/fly.js";
 import { findRouterApp } from "../../discovery.js";
 import { resolveOrg } from "../../resolve.js";
 import { assertNotRouter, auditDeploy, scanFlyToml } from "../../guard.js";
@@ -111,19 +111,20 @@ const resolveTemplateMode = async (templateRaw, out) => {
     const result = await fetchTemplate(ref);
     if (!result.ok) {
         fetchSpinner.fail("Template Fetch Failed");
-        out.die(result.message);
+        out.die(result.error);
         return null;
     }
+    const { tempDir, templateDir } = result.value;
     fetchSpinner.success("Template Fetched");
     // Find and scan the template's fly.toml
-    const configPath = join(result.templateDir, "fly.toml");
+    const configPath = join(templateDir, "fly.toml");
     let tomlContent;
     try {
         tomlContent = await dntShim.Deno.readTextFile(configPath);
     }
     catch {
         try {
-            dntShim.Deno.removeSync(result.tempDir, { recursive: true });
+            dntShim.Deno.removeSync(tempDir, { recursive: true });
         }
         catch { /* ignore */ }
         out.die(`Template '${ref.path === "." ? ref.repo : ref.path}' Has No fly.toml`);
@@ -132,7 +133,7 @@ const resolveTemplateMode = async (templateRaw, out) => {
     const scan = scanFlyToml(tomlContent);
     if (scan.errors.length > 0) {
         try {
-            dntShim.Deno.removeSync(result.tempDir, { recursive: true });
+            dntShim.Deno.removeSync(tempDir, { recursive: true });
         }
         catch { /* ignore */ }
         for (const err of scan.errors) {
@@ -148,7 +149,7 @@ const resolveTemplateMode = async (templateRaw, out) => {
     return {
         configPath,
         preflight: { scanned: scan.scanned, warnings: scan.warnings },
-        tempDir: result.tempDir,
+        tempDir,
     };
 };
 // =============================================================================
@@ -294,27 +295,29 @@ ${bold("EXAMPLES")}
             `Run 'ambit create ${network}' first.`);
     }
     routerSpinner.success(`Router Found: ${router.appName}`);
+    const routerId = router.routerId;
+    const flyAppName = getWorkloadAppName(app, routerId);
     out.blank();
     // ==========================================================================
     // Phase 3: App Creation (if needed)
     // ==========================================================================
     out.header("Step 3: App Setup").blank();
     let created = false;
-    const exists = await fly.appExists(app);
+    const exists = await fly.appExists(flyAppName);
     if (exists) {
-        out.ok(`App '${app}' Exists`);
+        out.ok(`App '${flyAppName}' Exists`);
     }
     else {
-        out.info(`App '${app}' Does Not Exist — Will Create on Network '${network}'`);
+        out.info(`App '${flyAppName}' Does Not Exist — Will Create on Network '${network}'`);
         if (!args.yes && !args.json) {
-            const confirmed = await confirm(`Create app '${app}' on network '${network}'?`);
+            const confirmed = await confirm(`Create app '${flyAppName}' on network '${network}'?`);
             if (!confirmed) {
                 out.text("Cancelled.");
                 return;
             }
         }
-        await fly.createApp(app, org, { network });
-        out.ok(`Created App '${app}' on Network '${network}'`);
+        await fly.createApp(app, org, { network, routerId });
+        out.ok(`Created App '${flyAppName}' on Network '${network}'`);
         created = true;
     }
     out.blank();
@@ -342,6 +345,7 @@ ${bold("EXAMPLES")}
     out.dim("Deploying with --no-public-ips --flycast ...");
     try {
         await fly.deploySafe(app, {
+            routerId,
             image: deployConfig.image,
             config: deployConfig.configPath,
             region: args.region,
@@ -369,7 +373,7 @@ ${bold("EXAMPLES")}
     // ==========================================================================
     out.header("Step 6: Post-flight Audit").blank();
     const auditSpinner = out.spinner("Auditing Deployment");
-    const audit = await auditDeploy(fly, app, network);
+    const audit = await auditDeploy(fly, flyAppName, network);
     auditSpinner.success("Audit Complete");
     if (audit.public_ips_released > 0) {
         out.warn(`Released ${audit.public_ips_released} Public IP(s)`);

package/esm/src/cli/commands/destroy.js

@@ -112,7 +112,7 @@ ${bold("EXAMPLES")}
         .text(`  Tag:        ${tag ?? "unknown"}`)
         .blank();
     if (workloadApps.length > 0) {
-        out.warn(`${workloadApps.length} workload app(s) still on network '${network}':`);
+        out.warn(`${workloadApps.length} Workload App(s) Still on Network '${network}':`);
         for (const wa of workloadApps) {
             out.text(`  - ${wa.appName}`);
         }
@@ -294,7 +294,7 @@ ${bold("EXAMPLES")}
     // ===========================================================================
     const appSpinner = out.spinner("Destroying Fly App");
     try {
-        await fly.deleteApp(app);
+        await fly.deleteApp(workloadApp.appName);
         appSpinner.success("Fly App Destroyed");
     }
     catch {
@@ -303,7 +303,7 @@ ${bold("EXAMPLES")}
     // ===========================================================================
     // Done
     // ===========================================================================
-    out.done({ destroyed: true, appName: app, network });
+    out.done({ destroyed: true, appName: workloadApp.appName, network });
     out.ok("App Destroyed");
     out.blank();
     out.print();

package/esm/src/cli/commands/doctor.js

@@ -67,7 +67,7 @@ ${bold("CHECKS")}
     report("Tailscale Installed", await isTailscaleInstalled(), "Install from https://tailscale.com/download");
     const tsStatus = await runCommand(["tailscale", "status", "--json"]);
     let tsConnected = false;
-    if (tsStatus.success) {
+    if (tsStatus.ok) {
         try {
             const parsed = JSON.parse(tsStatus.stdout);
             tsConnected = parsed.BackendState === "Running";

package/esm/src/discovery.d.ts

@@ -6,6 +6,7 @@ export interface RouterApp {
     appName: string;
     network: string;
     org: string;
+    routerId: string;
 }
 /** Machine state for a router, from the Fly Machines API. */
 export interface RouterMachineInfo {
@@ -33,7 +34,9 @@ export interface WorkloadApp {
 }
 /** List all non-router apps on a specific custom network in an org. */
 export declare const listWorkloadAppsOnNetwork: (fly: FlyProvider, org: string, network: string) => Promise<WorkloadApp[]>;
-/** Find a specific workload app by name, optionally verifying network. */
+/** Find a specific workload app by logical name, optionally scoped to a network.
+ *  When a network is provided, resolves the router-suffixed Fly app name
+ *  (e.g. "thing" on network "lab" with routerId "abc123" → "thing-abc123"). */
 export declare const findWorkloadApp: (fly: FlyProvider, org: string, appName: string, network?: string) => Promise<WorkloadApp | null>;
 /** Get machine info for a router app. Returns null if no machines exist. */
 export declare const getRouterMachineInfo: (fly: FlyProvider, appName: string) => Promise<RouterMachineInfo | null>;

package/esm/src/discovery.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/src/discovery.ts"],"names":[],"mappings":"AAcA,OAAO,sBAAsB,CAAC;AAG9B,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAOlE,qDAAqD;AACrD,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,6DAA6D;AAC7D,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAaD,wDAAwD;AACxD,eAAO,MAAM,cAAc,GACzB,KAAK,WAAW,EAChB,KAAK,MAAM,KACV,OAAO,CAAC,SAAS,EAAE,CAcrB,CAAC;AAEF,kDAAkD;AAClD,eAAO,MAAM,aAAa,GACxB,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,SAAS,GAAG,IAAI,CAG1B,CAAC;AAMF,oEAAoE;AACpE,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,uEAAuE;AACvE,eAAO,MAAM,yBAAyB,GACpC,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,WAAW,EAAE,CAcvB,CAAC;AAEF,0EAA0E;AAC1E,eAAO,MAAM,eAAe,GAC1B,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,EACf,UAAU,MAAM,KACf,OAAO,CAAC,WAAW,GAAG,IAAI,CAmB5B,CAAC;AAMF,4EAA4E;AAC5E,eAAO,MAAM,oBAAoB,GAC/B,KAAK,WAAW,EAChB,SAAS,MAAM,KACd,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAclC,CAAC;AAMF,yEAAyE;AACzE,eAAO,MAAM,sBAAsB,GACjC,WAAW,iBAAiB,EAC5B,SAAS,MAAM,KACd,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAcpC,CAAC"}
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/src/discovery.ts"],"names":[],"mappings":"AAcA,OAAO,sBAAsB,CAAC;AAG9B,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAOlE,qDAAqD;AACrD,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,6DAA6D;AAC7D,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAaD,wDAAwD;AACxD,eAAO,MAAM,cAAc,GACzB,KAAK,WAAW,EAChB,KAAK,MAAM,KACV,OAAO,CAAC,SAAS,EAAE,CAerB,CAAC;AAEF,kDAAkD;AAClD,eAAO,MAAM,aAAa,GACxB,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,SAAS,GAAG,IAAI,CAG1B,CAAC;AAMF,oEAAoE;AACpE,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,uEAAuE;AACvE,eAAO,MAAM,yBAAyB,GACpC,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,WAAW,EAAE,CAcvB,CAAC;AAEF;;+EAE+E;AAC/E,eAAO,MAAM,eAAe,GAC1B,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,EACf,UAAU,MAAM,KACf,OAAO,CAAC,WAAW,GAAG,IAAI,CA4B5B,CAAC;AAMF,4EAA4E;AAC5E,eAAO,MAAM,oBAAoB,GAC/B,KAAK,WAAW,EAChB,SAAS,MAAM,KACd,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAclC,CAAC;AAMF,yEAAyE;AACzE,eAAO,MAAM,sBAAsB,GACjC,WAAW,iBAAiB,EAC5B,SAAS,MAAM,KACd,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAcpC,CAAC"}

package/esm/src/discovery.js

@@ -13,6 +13,7 @@
 //
 // =============================================================================
 import "../_dnt.polyfills.js";
+import { getRouterSuffix, getWorkloadAppName } from "./providers/fly.js";
 import { extractSubnet } from "./schemas/config.js";
 // =============================================================================
 // Constants
@@ -32,6 +33,7 @@ export const listRouterApps = async (fly, org) => {
         appName: app.name,
         network: app.network,
         org: app.organization?.slug ?? org,
+        routerId: getRouterSuffix(app.name, app.network),
     }));
 };
 /** Find the router app for a specific network. */
@@ -51,7 +53,9 @@ export const listWorkloadAppsOnNetwork = async (fly, org, network) => {
         org: app.organization?.slug ?? org,
     }));
 };
-/** Find a specific workload app by name, optionally verifying network. */
+/** Find a specific workload app by logical name, optionally scoped to a network.
+ *  When a network is provided, resolves the router-suffixed Fly app name
+ *  (e.g. "thing" on network "lab" with routerId "abc123" → "thing-abc123"). */
 export const findWorkloadApp = async (fly, org, appName, network) => {
     const apps = await fly.listAppsWithNetwork(org);
     const workloads = apps
@@ -63,8 +67,18 @@ export const findWorkloadApp = async (fly, org, appName, network) => {
         org: app.organization?.slug ?? org,
     }));
     if (network) {
+        // Resolve the router's suffix so we can match the suffixed Fly app name
+        const router = await findRouterApp(fly, org, network);
+        if (router) {
+            const suffixedName = getWorkloadAppName(appName, router.routerId);
+            const found = workloads.find((a) => a.appName === suffixedName && a.network === network);
+            if (found)
+                return found;
+        }
+        // Fallback: try exact match (for pre-suffix apps or direct Fly name)
         return workloads.find((a) => a.appName === appName && a.network === network) ?? null;
     }
+    // Without network, try exact match only
     return workloads.find((a) => a.appName === appName) ?? null;
 };
 // =============================================================================