@fusionkit/cli 0.1.2 → 0.1.4

package/dist/shared/portless.d.ts

@@ -0,0 +1,97 @@
+/**
+ * Programmatic portless integration for the fusion stack.
+ *
+ * Every dev server and CLI-spawned service the launcher starts is registered
+ * with portless as a stable, named `.localhost` route, so humans and external
+ * coding agents get clean HTTPS URLs instead of raw ports, and a service can be
+ * discovered + reused across runs (a singleton) via the shared route table.
+ *
+ * Routes are managed entirely against the `portless` *library* (its exported
+ * `RouteStore` writes the same file-locked `routes.json` the running proxy reads
+ * live) — we never shell out to the `portless` binary. The privileged TLS proxy
+ * daemon + CA trust are a one-time user setup (`portless service install` +
+ * `portless trust`); here we only detect that it is running and register routes.
+ *
+ * `portless` requires Node >= 24 and is declared an optional dependency, so on
+ * older Node (or when the package/proxy is absent) the session degrades to
+ * plain loopback URLs with no discovery — identical code paths, just unproxied.
+ */
+/** Resolve the portless state directory (honoring `PORTLESS_STATE_DIR`). */
+export declare function stateDir(): string;
+/** Path to the portless CA, for `NODE_EXTRA_CA_CERTS` / `SSL_CERT_FILE`. */
+export declare function caCertPath(): string;
+/** The TLD portless serves routes under (default `.localhost`). */
+export declare function tld(): string;
+/** A running portless proxy, as detected from on-disk state + a live probe. */
+export type DetectedProxy = {
+    port: number;
+    tls: boolean;
+};
+/**
+ * Detect a running portless proxy: read `<stateDir>/proxy.port`, confirm the
+ * owning pid is alive, and probe the port for the `X-Portless` header (a plain
+ * HTTP probe works even against a TLS proxy, which 302-redirects to https and
+ * still stamps the header). Returns `undefined` when no proxy is reachable.
+ */
+export declare function detectProxy(): Promise<DetectedProxy | undefined>;
+/** A service the launcher started, addressable through portless. */
+export type SpawnedService = {
+    port: number;
+    /** Owning pid for the route (defaults to this process). */
+    pid?: number;
+    close: () => Promise<void> | void;
+};
+export type DiscoverOrSpawnInput = {
+    /** Short service name; the `.fusion` project suffix + TLD are added here. */
+    name: string;
+    /** Expected identity token of a reusable instance (model set, config hash, ...). */
+    identity: string;
+    /** Probe a candidate instance on its loopback URL; return its identity token. */
+    healthCheck: (loopbackUrl: string) => Promise<string | undefined>;
+    /** Start a fresh instance when none can be reused. */
+    spawn: () => Promise<SpawnedService>;
+};
+export type DiscoverOrSpawnResult = {
+    /** The URL callers should surface/inject (portless name, or loopback). */
+    url: string;
+    /** The loopback URL for in-process CLI fetches (avoids the CA-at-startup hazard). */
+    loopbackUrl: string;
+    port: number;
+    /** True when this run spawned the instance (and therefore owns teardown). */
+    owned: boolean;
+    /** Tear down only an owned instance; reused instances are left running. */
+    close: () => Promise<void> | void;
+};
+/**
+ * A live portless session threaded through the launcher. When `enabled` is
+ * false (portless off, package absent, or no proxy detected) every method
+ * degrades to plain loopback behavior with no proxy registration or discovery.
+ */
+export type PortlessSession = {
+    enabled: boolean;
+    /** Portless CA path when active, else undefined. */
+    caCertPath: string | undefined;
+    /** Register `127.0.0.1:<port>` under `<name>.<project>.localhost`; returns the URL. */
+    register(name: string, appPort: number): string;
+    /** Remove a route this process owns. */
+    unregister(name: string): void;
+    /** Reuse a compatible running instance, or spawn + register a new one. */
+    discoverOrSpawn(input: DiscoverOrSpawnInput): Promise<DiscoverOrSpawnResult>;
+};
+export type CreateSessionInput = {
+    /** Whether portless is requested (CLI flag / config / PORTLESS env). */
+    enabled: boolean;
+    log?: (line: string) => void;
+};
+/**
+ * Create a portless session. Returns a disabled (loopback) session when
+ * portless is off, the library is unavailable (Node < 24 / not installed), or
+ * no proxy is running; otherwise an active session backed by `RouteStore`.
+ */
+export declare function createPortlessSession(input: CreateSessionInput): Promise<PortlessSession>;
+/**
+ * Reap fusion singleton services: terminate the owning pid of every registered
+ * `*.fusion.<tld>` / `scope.<tld>` route and drop the route. Returns the number
+ * of services stopped. A no-op when portless is unavailable.
+ */
+export declare function reapFusionServices(log?: (line: string) => void): Promise<number>;

package/dist/shared/portless.js

@@ -0,0 +1,253 @@
+/**
+ * Programmatic portless integration for the fusion stack.
+ *
+ * Every dev server and CLI-spawned service the launcher starts is registered
+ * with portless as a stable, named `.localhost` route, so humans and external
+ * coding agents get clean HTTPS URLs instead of raw ports, and a service can be
+ * discovered + reused across runs (a singleton) via the shared route table.
+ *
+ * Routes are managed entirely against the `portless` *library* (its exported
+ * `RouteStore` writes the same file-locked `routes.json` the running proxy reads
+ * live) — we never shell out to the `portless` binary. The privileged TLS proxy
+ * daemon + CA trust are a one-time user setup (`portless service install` +
+ * `portless trust`); here we only detect that it is running and register routes.
+ *
+ * `portless` requires Node >= 24 and is declared an optional dependency, so on
+ * older Node (or when the package/proxy is absent) the session degrades to
+ * plain loopback URLs with no discovery — identical code paths, just unproxied.
+ */
+import { existsSync, readFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+/** The npm scope-less project prefix for fusion service hostnames. */
+const PROJECT = "fusion";
+/** Resolve the portless state directory (honoring `PORTLESS_STATE_DIR`). */
+export function stateDir() {
+    return process.env.PORTLESS_STATE_DIR ?? join(homedir(), ".portless");
+}
+/** Path to the portless CA, for `NODE_EXTRA_CA_CERTS` / `SSL_CERT_FILE`. */
+export function caCertPath() {
+    return join(stateDir(), "ca.pem");
+}
+/** The TLD portless serves routes under (default `.localhost`). */
+export function tld() {
+    return process.env.PORTLESS_TLD ?? "localhost";
+}
+/**
+ * Detect a running portless proxy: read `<stateDir>/proxy.port`, confirm the
+ * owning pid is alive, and probe the port for the `X-Portless` header (a plain
+ * HTTP probe works even against a TLS proxy, which 302-redirects to https and
+ * still stamps the header). Returns `undefined` when no proxy is reachable.
+ */
+export async function detectProxy() {
+    const dir = stateDir();
+    const portFile = join(dir, "proxy.port");
+    if (!existsSync(portFile))
+        return undefined;
+    const port = Number.parseInt(readFileSync(portFile, "utf8").trim(), 10);
+    if (!Number.isInteger(port) || port <= 0)
+        return undefined;
+    const pidFile = join(dir, "proxy.pid");
+    if (existsSync(pidFile)) {
+        const pid = Number.parseInt(readFileSync(pidFile, "utf8").trim(), 10);
+        if (Number.isInteger(pid) && pid > 0 && !isAlive(pid))
+            return undefined;
+    }
+    // Prefer the proxy's recorded TLS mode; fall back to inferring it from the
+    // redirect a plain-HTTP probe gets (a TLS proxy 302s to https).
+    const tlsFile = join(dir, "proxy.tls");
+    const tlsFromFile = existsSync(tlsFile)
+        ? ["1", "true"].includes(readFileSync(tlsFile, "utf8").trim().toLowerCase())
+        : undefined;
+    try {
+        const response = await fetch(`http://127.0.0.1:${port}/`, {
+            redirect: "manual",
+            signal: AbortSignal.timeout(1500)
+        });
+        if (response.headers.get("x-portless") === null)
+            return undefined;
+        const location = response.headers.get("location");
+        const tls = tlsFromFile ?? (port === 443 || (location !== null && location.startsWith("https://")));
+        return { port, tls };
+    }
+    catch {
+        return undefined;
+    }
+}
+function isAlive(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch (error) {
+        // EPERM means the process exists but is owned by another user (e.g. the
+        // portless proxy installed as a root LaunchDaemon) — still alive. Only
+        // ESRCH ("no such process") means it is actually gone.
+        return error?.code === "EPERM";
+    }
+}
+async function loadPortless() {
+    // Variable specifier + dynamic import: `portless` is an optional dependency
+    // (Node >= 24 only), so this must not be a static import — it would break the
+    // build/install on Node 22. Documented exception to the no-inline-imports rule.
+    const specifier = "portless";
+    try {
+        return (await import(specifier));
+    }
+    catch {
+        return undefined;
+    }
+}
+/** Names that stay bare (`<name>.localhost`) instead of being namespaced under the project. */
+const BARE_NAMES = new Set(["scope"]);
+/** Map a short service name to its portless hostname. */
+function hostnameFor(portless, name) {
+    // `scope` stays bare (`scope.localhost`); everything else is namespaced under
+    // the project (`gateway.fusion.localhost`). A name already containing a dot or
+    // equal to the project is treated as an explicit subdomain path.
+    const full = name === PROJECT || name.includes(".") || BARE_NAMES.has(name) ? name : `${name}.${PROJECT}`;
+    return portless.parseHostname(full, tld());
+}
+const loopback = (port) => `http://127.0.0.1:${port}`;
+/** Build a disabled session: pure loopback, no proxy, no discovery. */
+function disabledSession() {
+    return {
+        enabled: false,
+        caCertPath: undefined,
+        register: (_name, appPort) => loopback(appPort),
+        unregister: () => { },
+        discoverOrSpawn: async (input) => {
+            const service = await input.spawn();
+            const url = loopback(service.port);
+            return { url, loopbackUrl: url, port: service.port, owned: true, close: service.close };
+        }
+    };
+}
+/**
+ * Create a portless session. Returns a disabled (loopback) session when
+ * portless is off, the library is unavailable (Node < 24 / not installed), or
+ * no proxy is running; otherwise an active session backed by `RouteStore`.
+ */
+export async function createPortlessSession(input) {
+    if (!input.enabled)
+        return disabledSession();
+    const portless = await loadPortless();
+    if (portless === undefined) {
+        input.log?.("fusion: portless not installed (needs Node >= 24); using loopback URLs");
+        return disabledSession();
+    }
+    const proxy = await detectProxy();
+    if (proxy === undefined) {
+        // Portless is installed but its proxy isn't running: degrade to loopback
+        // (never block a run) and point the user at the one-time setup for stable
+        // HTTPS names.
+        input.log?.("fusion: portless proxy not running; using loopback URLs " +
+            "(run `portless service install` + `portless trust` for stable https://*.localhost names)");
+        return disabledSession();
+    }
+    const store = new portless.RouteStore(stateDir(), {
+        onWarning: (message) => input.log?.(`fusion: portless: ${message}`)
+    });
+    const urlFor = (hostname) => portless.formatUrl(hostname, proxy.port, proxy.tls);
+    const register = (name, appPort) => {
+        try {
+            const hostname = hostnameFor(portless, name);
+            store.addRoute(hostname, appPort, process.pid, true);
+            return urlFor(hostname);
+        }
+        catch (error) {
+            // Never let a routing hiccup break a run; fall back to the raw port.
+            input.log?.(`fusion: portless register(${name}) failed: ${errorText(error)}`);
+            return loopback(appPort);
+        }
+    };
+    const unregister = (name) => {
+        try {
+            store.removeRoute(hostnameFor(portless, name), process.pid);
+        }
+        catch {
+            // best-effort
+        }
+    };
+    const discoverOrSpawn = async (req) => {
+        const hostname = hostnameFor(portless, req.name);
+        // Discover: is a compatible instance already registered and alive?
+        try {
+            const existing = store.loadRoutes().find((route) => route.hostname === hostname);
+            if (existing !== undefined) {
+                const candidate = loopback(existing.port);
+                const identity = await req.healthCheck(candidate);
+                if (identity === req.identity) {
+                    return {
+                        url: urlFor(hostname),
+                        loopbackUrl: candidate,
+                        port: existing.port,
+                        owned: false,
+                        close: () => { }
+                    };
+                }
+            }
+        }
+        catch (error) {
+            input.log?.(`fusion: portless discover(${req.name}) failed: ${errorText(error)}`);
+        }
+        // Spawn + register a fresh instance, owned by the service pid so the proxy's
+        // liveness filter keeps the route across runs and only drops it when the
+        // service itself exits.
+        const service = await req.spawn();
+        let url = loopback(service.port);
+        try {
+            store.addRoute(hostname, service.port, service.pid ?? process.pid, true);
+            url = urlFor(hostname);
+        }
+        catch (error) {
+            input.log?.(`fusion: portless register(${req.name}) failed: ${errorText(error)}`);
+        }
+        return {
+            url,
+            loopbackUrl: loopback(service.port),
+            port: service.port,
+            owned: true,
+            close: service.close
+        };
+    };
+    return { enabled: true, caCertPath: caCertPath(), register, unregister, discoverOrSpawn };
+}
+function errorText(error) {
+    return error instanceof Error ? error.message : String(error);
+}
+/**
+ * Reap fusion singleton services: terminate the owning pid of every registered
+ * `*.fusion.<tld>` / `scope.<tld>` route and drop the route. Returns the number
+ * of services stopped. A no-op when portless is unavailable.
+ */
+export async function reapFusionServices(log) {
+    const portless = await loadPortless();
+    if (portless === undefined)
+        return 0;
+    const store = new portless.RouteStore(stateDir(), {
+        onWarning: (message) => log?.(`fusion: portless: ${message}`)
+    });
+    const suffix = `.${PROJECT}.${tld()}`;
+    const scopeHost = portless.parseHostname("scope", tld());
+    let stopped = 0;
+    for (const route of store.loadRoutes()) {
+        if (!route.hostname.endsWith(suffix) && route.hostname !== scopeHost)
+            continue;
+        try {
+            process.kill(route.pid, "SIGTERM");
+            stopped += 1;
+            log?.(`fusion: stopped ${route.hostname} (pid ${route.pid})`);
+        }
+        catch {
+            // process already gone; still drop the stale route below
+        }
+        try {
+            store.removeRoute(route.hostname);
+        }
+        catch {
+            // best-effort
+        }
+    }
+    return stopped;
+}

package/dist/test/portless.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/portless.test.js

@@ -0,0 +1,65 @@
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { after, test } from "node:test";
+import { caCertPath, createPortlessSession, detectProxy, stateDir } from "../shared/portless.js";
+const tmpRoots = [];
+function freshStateDir() {
+    const dir = mkdtempSync(join(tmpdir(), "portless-state-"));
+    tmpRoots.push(dir);
+    process.env.PORTLESS_STATE_DIR = dir;
+    return dir;
+}
+after(() => {
+    delete process.env.PORTLESS_STATE_DIR;
+    for (const dir of tmpRoots)
+        rmSync(dir, { recursive: true, force: true });
+});
+test("stateDir + caCertPath honor PORTLESS_STATE_DIR", () => {
+    const dir = freshStateDir();
+    assert.equal(stateDir(), dir);
+    assert.equal(caCertPath(), join(dir, "ca.pem"));
+});
+test("detectProxy returns undefined when no proxy.port file exists", async () => {
+    freshStateDir();
+    assert.equal(await detectProxy(), undefined);
+});
+test("detectProxy returns undefined for a dead proxy pid", async () => {
+    const dir = freshStateDir();
+    writeFileSync(join(dir, "proxy.port"), "443");
+    // pid 1 is alive but won't answer a portless probe; a clearly-dead pid keeps
+    // this deterministic without binding a port.
+    writeFileSync(join(dir, "proxy.pid"), "999999999");
+    assert.equal(await detectProxy(), undefined);
+});
+test("a disabled session uses loopback URLs and never registers", async () => {
+    const session = await createPortlessSession({ enabled: false });
+    assert.equal(session.enabled, false);
+    assert.equal(session.caCertPath, undefined);
+    assert.equal(session.register("scope", 4317), "http://127.0.0.1:4317");
+    assert.equal(session.register("gateway", 5123), "http://127.0.0.1:5123");
+    session.unregister("scope"); // no throw
+    let spawned = 0;
+    const result = await session.discoverOrSpawn({
+        name: "router",
+        identity: "gpt,sonnet",
+        healthCheck: async () => "gpt,sonnet",
+        spawn: async () => {
+            spawned += 1;
+            return { port: 6001, close: () => { } };
+        }
+    });
+    assert.equal(spawned, 1, "a disabled session always spawns (no discovery)");
+    assert.equal(result.owned, true);
+    assert.equal(result.url, "http://127.0.0.1:6001");
+    assert.equal(result.loopbackUrl, "http://127.0.0.1:6001");
+});
+test("enabled session with no reachable proxy degrades to loopback", async () => {
+    freshStateDir(); // empty: no proxy.port
+    const session = await createPortlessSession({ enabled: true });
+    // Whether or not portless is installed, an unreachable proxy degrades to
+    // loopback (never a hard failure) so a fresh install always runs.
+    assert.equal(session.enabled, false, "no proxy detected -> disabled");
+    assert.equal(session.register("scope", 4317), "http://127.0.0.1:4317");
+});

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@fusionkit/cli",
   "private": false,
-  "version": "0.1.2",
+  "version": "0.1.4",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/velum-labs/handoffkit.git",
@@ -34,14 +34,17 @@
   },
   "dependencies": {
     "commander": "14.0.3",
-    "@fusionkit/ensemble": "0.1.2",
-    "@fusionkit/handoff": "0.1.2",
-    "@fusionkit/model-gateway": "0.1.2",
-    "@fusionkit/protocol": "0.1.2",
-    "@fusionkit/runner": "0.1.2",
-    "@fusionkit/plane": "0.1.2",
-    "@fusionkit/sdk": "0.1.2",
-    "@fusionkit/workspace": "0.1.2"
+    "@fusionkit/ensemble": "0.1.4",
+    "@fusionkit/handoff": "0.1.4",
+    "@fusionkit/model-gateway": "0.1.4",
+    "@fusionkit/plane": "0.1.4",
+    "@fusionkit/protocol": "0.1.4",
+    "@fusionkit/runner": "0.1.4",
+    "@fusionkit/workspace": "0.1.4",
+    "@fusionkit/sdk": "0.1.4"
+  },
+  "optionalDependencies": {
+    "portless": "0.14.0"
   },
   "devDependencies": {
     "@fusionkit/testkit": "0.1.0"

package/scope/.next/BUILD_ID

@@ -1 +1 @@
-hyFZFZhpE5yuTp_t6QAIZ
+5tnFLuvnSbNZNtqRgoot8

package/scope/.next/app-build-manifest.json

@@ -24,6 +24,13 @@
       "static/chunks/main-app-2a6b1f94de31f96f.js",
       "static/chunks/app/api/environments/route-95e822afbebe548b.js"
     ],
+    "/api/models/route": [
+      "static/chunks/webpack-4501ec292abda191.js",
+      "static/chunks/4bd1b696-409494caf8c83275.js",
+      "static/chunks/255-69a4a78fac9becef.js",
+      "static/chunks/main-app-2a6b1f94de31f96f.js",
+      "static/chunks/app/api/models/route-95e822afbebe548b.js"
+    ],
     "/api/ingest/route": [
       "static/chunks/webpack-4501ec292abda191.js",
       "static/chunks/4bd1b696-409494caf8c83275.js",
@@ -31,12 +38,12 @@
       "static/chunks/main-app-2a6b1f94de31f96f.js",
       "static/chunks/app/api/ingest/route-95e822afbebe548b.js"
     ],
-    "/api/models/route": [
+    "/api/replay/route": [
       "static/chunks/webpack-4501ec292abda191.js",
       "static/chunks/4bd1b696-409494caf8c83275.js",
       "static/chunks/255-69a4a78fac9becef.js",
       "static/chunks/main-app-2a6b1f94de31f96f.js",
-      "static/chunks/app/api/models/route-95e822afbebe548b.js"
+      "static/chunks/app/api/replay/route-95e822afbebe548b.js"
     ],
     "/api/sessions/route": [
       "static/chunks/webpack-4501ec292abda191.js",
@@ -52,13 +59,6 @@
       "static/chunks/main-app-2a6b1f94de31f96f.js",
       "static/chunks/app/api/sessions/[traceId]/route-95e822afbebe548b.js"
     ],
-    "/api/replay/route": [
-      "static/chunks/webpack-4501ec292abda191.js",
-      "static/chunks/4bd1b696-409494caf8c83275.js",
-      "static/chunks/255-69a4a78fac9becef.js",
-      "static/chunks/main-app-2a6b1f94de31f96f.js",
-      "static/chunks/app/api/replay/route-95e822afbebe548b.js"
-    ],
     "/api/stream/route": [
       "static/chunks/webpack-4501ec292abda191.js",
       "static/chunks/4bd1b696-409494caf8c83275.js",
@@ -83,26 +83,26 @@
       "static/chunks/873-9351d1edaa9d58ef.js",
       "static/chunks/app/models/page-d9b7d19485e9a640.js"
     ],
-    "/sessions/[traceId]/page": [
+    "/page": [
       "static/chunks/webpack-4501ec292abda191.js",
       "static/chunks/4bd1b696-409494caf8c83275.js",
       "static/chunks/255-69a4a78fac9becef.js",
       "static/chunks/main-app-2a6b1f94de31f96f.js",
       "static/chunks/239-1c69ce437d02745f.js",
       "static/chunks/989-1c7081e9fd5c9b9d.js",
-      "static/chunks/425-9a1b036b5fdd8b06.js",
       "static/chunks/22-1934dc9c2e544aa9.js",
-      "static/chunks/app/sessions/[traceId]/page-209dfd895566db6f.js"
+      "static/chunks/app/page-57dce47ff6c00ddd.js"
     ],
-    "/page": [
+    "/sessions/[traceId]/page": [
       "static/chunks/webpack-4501ec292abda191.js",
       "static/chunks/4bd1b696-409494caf8c83275.js",
       "static/chunks/255-69a4a78fac9becef.js",
       "static/chunks/main-app-2a6b1f94de31f96f.js",
       "static/chunks/239-1c69ce437d02745f.js",
       "static/chunks/989-1c7081e9fd5c9b9d.js",
+      "static/chunks/425-9a1b036b5fdd8b06.js",
       "static/chunks/22-1934dc9c2e544aa9.js",
-      "static/chunks/app/page-57dce47ff6c00ddd.js"
+      "static/chunks/app/sessions/[traceId]/page-209dfd895566db6f.js"
     ]
   }
 }

package/scope/.next/app-path-routes-manifest.json

@@ -1,14 +1,14 @@
 {
   "/_not-found/page": "/_not-found",
   "/api/environments/route": "/api/environments",
-  "/api/ingest/route": "/api/ingest",
   "/api/models/route": "/api/models",
+  "/api/ingest/route": "/api/ingest",
+  "/api/replay/route": "/api/replay",
   "/api/sessions/route": "/api/sessions",
   "/api/sessions/[traceId]/route": "/api/sessions/[traceId]",
-  "/api/replay/route": "/api/replay",
   "/api/stream/route": "/api/stream",
   "/environments/page": "/environments",
   "/models/page": "/models",
-  "/sessions/[traceId]/page": "/sessions/[traceId]",
-  "/page": "/"
+  "/page": "/",
+  "/sessions/[traceId]/page": "/sessions/[traceId]"
 }

package/scope/.next/build-manifest.json

@@ -5,8 +5,8 @@
   "devFiles": [],
   "ampDevFiles": [],
   "lowPriorityFiles": [
-    "static/hyFZFZhpE5yuTp_t6QAIZ/_buildManifest.js",
-    "static/hyFZFZhpE5yuTp_t6QAIZ/_ssgManifest.js"
+    "static/5tnFLuvnSbNZNtqRgoot8/_buildManifest.js",
+    "static/5tnFLuvnSbNZNtqRgoot8/_ssgManifest.js"
   ],
   "rootMainFiles": [
     "static/chunks/webpack-4501ec292abda191.js",

package/scope/.next/prerender-manifest.json

@@ -1,8 +1,7 @@
 {
   "version": 4,
   "routes": {
-    "/_not-found": {
-      "initialStatus": 404,
+    "/environments": {
       "experimentalBypassFor": [
         {
           "type": "header",
@@ -15,8 +14,8 @@
         }
       ],
       "initialRevalidateSeconds": false,
-      "srcRoute": "/_not-found",
-      "dataRoute": "/_not-found.rsc",
+      "srcRoute": "/environments",
+      "dataRoute": "/environments.rsc",
       "allowHeader": [
         "host",
         "x-matched-path",
@@ -50,7 +49,8 @@
         "x-next-revalidate-tag-token"
       ]
     },
-    "/models": {
+    "/_not-found": {
+      "initialStatus": 404,
       "experimentalBypassFor": [
         {
           "type": "header",
@@ -63,8 +63,8 @@
         }
       ],
       "initialRevalidateSeconds": false,
-      "srcRoute": "/models",
-      "dataRoute": "/models.rsc",
+      "srcRoute": "/_not-found",
+      "dataRoute": "/_not-found.rsc",
       "allowHeader": [
         "host",
         "x-matched-path",
@@ -74,7 +74,7 @@
         "x-next-revalidate-tag-token"
       ]
     },
-    "/environments": {
+    "/models": {
       "experimentalBypassFor": [
         {
           "type": "header",
@@ -87,8 +87,8 @@
         }
       ],
       "initialRevalidateSeconds": false,
-      "srcRoute": "/environments",
-      "dataRoute": "/environments.rsc",
+      "srcRoute": "/models",
+      "dataRoute": "/models.rsc",
       "allowHeader": [
         "host",
         "x-matched-path",
@@ -102,8 +102,8 @@
   "dynamicRoutes": {},
   "notFoundRoutes": [],
   "preview": {
-    "previewModeId": "93562feea0145c5a4e94d8b5e54da028",
-    "previewModeSigningKey": "e6d1ae16dbd3134764feaab5c799955e8266e41874e3dc373b656c75a412a806",
-    "previewModeEncryptionKey": "40c9af6cdf5b56b54cd0ba8102ff42aa1a5a20d1e01c89839e56e0580128fd82"
+    "previewModeId": "effae3e9acd85706afc099ae8638302b",
+    "previewModeSigningKey": "c391010c73d6e7db27b3e132573063849eef3972f19ce0282cdbf15ddf64efdd",
+    "previewModeEncryptionKey": "66d3bfe283a3f90c8c2031d2f3ecf302014e63a3a211c0cdaceaedbbecd3c9db"
   }
 }

package/scope/.next/required-server-files.json

@@ -101,6 +101,10 @@
       }
     },
     "outputFileTracingRoot": "/home/runner/work/handoffkit/handoffkit/apps/scope",
+    "allowedDevOrigins": [
+      "scope.localhost",
+      "*.scope.localhost"
+    ],
     "experimental": {
       "useSkewCookie": false,
       "cacheLife": {