npm - @rip-lang/server - Versions diffs - 1.3.10 → 1.3.12 - Mend

@rip-lang/server 1.3.10 → 1.3.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -16,7 +16,7 @@ dependencies.
 - **Multi-worker architecture** — Automatic worker spawning based on CPU cores
 - **Hot module reloading** — Watches `*.rip` files by default, rolling restarts on change
 - **Rolling restarts** — Zero-downtime deployments
-- **Automatic HTTPS** — TLS with mkcert or self-signed certificates
+- **Automatic HTTPS** — Shipped `*.ripdev.io` wildcard cert (green lock, zero setup)
 - **mDNS discovery** — `.local` hostname advertisement
 - **Request queue** — Built-in request buffering and load balancing
 - **Built-in dashboard** — Server status UI at `rip.local`
@@ -846,9 +846,8 @@ rip serve [flags] [app-path]@<alias1>,<alias2>,...
 | `https:<port>` | Set HTTPS port | 443, fallback 3443 |
 | `w:<n>` | Worker count (`auto`, `half`, `2x`, `3x`, or number) | `half` of cores |
 | `r:<reqs>,<secs>s` | Restart policy: requests, seconds (e.g., `5000,3600s`) | `10000,3600s` |
-| `--cert=<path>` | TLS certificate path | Auto-generated |
-| `--key=<path>` | TLS private key path | Auto-generated |
-| `--auto-tls` | Try mkcert first, then self-signed | Self-signed only |
+| `--cert=<path>` | TLS certificate path | Shipped `*.ripdev.io` cert |
+| `--key=<path>` | TLS private key path | Shipped `*.ripdev.io` key |
 | `--hsts` | Enable HSTS headers | Disabled |
 | `--no-redirect-http` | Don't redirect HTTP to HTTPS | Redirects enabled |
 | `--json-logging` | Output JSON access logs | Human-readable |
@@ -870,9 +869,6 @@ rip serve
 # HTTP only
 rip serve http
-# HTTPS with mkcert
-rip serve --auto-tls
 # Production: 8 workers, no hot reload
 rip serve --static w:8
@@ -966,17 +962,22 @@ The server provides these endpoints automatically:
 ## TLS Certificates
-### Automatic Certificate Generation
+### Shipped Wildcard Cert (`*.ripdev.io`)
-When HTTPS is enabled without explicit certificates, the server will:
+The server ships with a GlobalSign wildcard certificate for `*.ripdev.io`. Combined with DNS (`*.ripdev.io → 127.0.0.1`), every app gets trusted HTTPS automatically:
-1. Try **mkcert** (if installed and `--auto-tls` flag used)
-2. Fall back to **self-signed** certificate via OpenSSL
+```bash
+rip serve streamline    # → https://streamline.ripdev.io (green lock)
+rip serve analytics     # → https://analytics.ripdev.io (green lock)
+rip serve myapp         # → https://myapp.ripdev.io (green lock)
+```
-Certificates are stored in `~/.rip/certs/`.
+No setup, no flags, no certificate generation. The app name becomes the subdomain.
 ### Custom Certificates
+For production domains or custom setups, provide your own cert/key:
 ```bash
 rip serve --cert=/path/to/cert.pem --key=/path/to/key.pem
 ```

package/certs/ripdev.io.crt ADDED Viewed

@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIGWzCCBUOgAwIBAgIMFMf54+s6EwpqpLa+MA0GCSqGSIb3DQEBCwUAMFUxCzAJ
+BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSswKQYDVQQDEyJH
+bG9iYWxTaWduIEdDQyBSNiBBbHBoYVNTTCBDQSAyMDI1MB4XDTI2MDIyNTEwMjQz
+MloXDTI3MDMyOTEwMjQzMVowFjEUMBIGA1UEAwwLKi5yaXBkZXYuaW8wggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBzo9MgygbFQH4mw5nj3wdt5HllRdk
+mfbzxi02tJOMSZLgmeYiJ0VUZ9bcIbcif0gFv4na7+oYaKf0vLYsBArTzq6WYa7i
+8Bzr/UYXlynzlZ3GS9qn5AGo1Y+jfHi239XE5xE4qCoybJU/NaFd0n5y/inMjUWx
+G9yRC8foX0zW5tn3dYE8BR3o409sfvaf7gylvPDJGc8p86rCqEInsCbLQguiE5DV
+L2eYia8q0yemuXUEKvdZ0KngyshuWdQkg9F6I68G7QXD/Pvm8sP6MiAx87aykQQb
+1Fm9MQHhxOXyiSVKCR+lKJwcdBJF0hIBIwTeBA/9yQ8HfQl9FD6mXz8dAgMBAAGj
+ggNoMIIDZDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADCBmQYIKwYBBQUH
+AQEEgYwwgYkwSQYIKwYBBQUHMAKGPWh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5j
+b20vY2FjZXJ0L2dzZ2NjcjZhbHBoYXNzbGNhMjAyNS5jcnQwPAYIKwYBBQUHMAGG
+MGh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL2dzZ2NjcjZhbHBoYXNzbGNhMjAy
+NTBXBgNVHSAEUDBOMAgGBmeBDAECATBCBgorBgEEAaAyCgEDMDQwMgYIKwYBBQUH
+AgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMEQGA1Ud
+HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NnY2NyNmFs
+cGhhc3NsY2EyMDI1LmNybDAhBgNVHREEGjAYggsqLnJpcGRldi5pb4IJcmlwZGV2
+LmlvMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBTF
+tJOPbyvcHki/txAwhc7RsrtILTAdBgNVHQ4EFgQUOitYLYlCmzpOvCSqT8lWnyEk
+CvMwggGFBgorBgEEAdZ5AgQCBIIBdQSCAXEBbwB9AI7KRwus3mrzogawpHqEt0b+
+H8a/lT4l5ptO5AJI88boAAABnJRUaM0ACAAABQAC9hXVBAMARjBEAiBnEvFsYS+k
+HcN7jHzpg6LHsrSb7aFHnrmsliLKxky4ygIgOJzdjwD9GcO79nbeajca4pxhrLyG
+tjbuhmkQ3gD9COEAdwAcn2gs6frwRWlQ+BuWiofd2zIQ2EzmyLLjglJKxM9ZnwAA
+AZyUVGgbAAAEAwBIMEYCIQC2o2qGrBvv5lPQl+CHYTFdjkiaobqUIC4nvmO9Hj0z
+dgIhAP+96D5I8ryQ3HVslgWXAp1v8JAO8pdVQ+pX1e/j+dEfAHUATGPcmOWcHauI
+9h6KPd6uj6tEozd7X5uUw/uhnPzBviYAAAGclFRm7gAABAMARjBEAiB0vpn6eh9X
+fLVscIMPf+/iigYxxDO/9NkwG497CxM/bwIgWye6IgzH0RPlccR6C2idFtow2nUr
+b7lWSNtHl04+9zAwDQYJKoZIhvcNAQELBQADggEBACSzZXZI5+1PH40ih224gjT3
+8yElNS5rYREiAeJIgmZ8fQnxq0111AS+UWVAwQUFnnaM18E4Vz476J3vPpb+c4NB
+91jHoM+axcvkd9bAlZswu1l1sZTqIbA3q9yCy2VD+tOtDHxZ1+b25ScLRn+IXpRl
+h2h+NUPMllg5jyIhj7hYNd/SoyqyplA7NQ3/gWx1VFD90TfxzWO5/gbMh9QcC8aj
+6ODQvfJovl6EOu6dnycRlm/MnChuM5+Iy+xXnaLiUTBGjnBOqAkuJ/ycOEGGNVyq
+m3DYlp+Pky/a9COQA9Ig/TWFhWDfaOz+vFkvmVflQg9eFv1KsX0w47BbJhb0oos=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFjTCCA3WgAwIBAgIRAIN9TriekS/nLK07x2kt3CAwDQYJKoZIhvcNAQELBQAwTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjYxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMjUwNTIxMDIzNjUyWhcNMjcwNTIxMDAwMDAwWjBVMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTErMCkGA1UEAxMiR2xvYmFsU2lnbiBHQ0MgUjYgQWxwaGFTU0wgQ0EgMjAyNTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ/oiu0Bviq52UUEADbFWmgu3rC7KDSMoorLN1Wd03McG3Z1aP71DlPCE33838r72Dfuj5M9LXfiQLJpAu6MwNExmKOzothw4x0zGf5oBYyrCMGm3fBpLPafwYQ3MchBOWMTbf83rKUPLH48KCJ0MnU8GUl8oA/J81wIvbbKPuNrFf6hvJDccjzc4NyxLz3A89zjV2g5whCg5O0u9YX4Zxk9JHuc/LvllOJO4waAYLjbWBJkz3rV3ts1SmSYnJqmyRTIjXwQgRvhEYqtDbRskt0W7M6cPwCze3GTBN2UHNpHkMs3YmVxku68I0aOQn5+uz//fDROP3z1Z/7I
+APteRtECAwEAAaOCAV8wggFbMA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUxbSTj28r3B5Iv7cQMIXO0bK7SC0wHwYDVR0jBBgwFoAUrmwFo5MT4qLn4tcc1sfwf8hnU6AwewYIKwYBBQUHAQEEbzBtMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20vcm9vdHI2MDsGCCsGAQUFBzAChi9odHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9yb290LXI2LmNydDA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLmdsb2JhbHNpZ24uY29tL3Jvb3QtcjYuY3JsMCEGA1UdIAQaMBgwCAYGZ4EMAQIBMAwGCisGAQQBoDIKAQMwDQYJKoZIhvcNAQELBQADggIBAB/uvBuZf4CiuSahwiXn4geF52roAH+6jxsEPTXTfb7bbeMDXsYgRRsOTNA70ruZ
+Tnz5DfFMuBhNoFhIFb0qR1izdy6VkdKOqFPNF2dOFI1EcnY9l2ory9mrzHqVbrL4vzUd17FLUVyjTVU7PAv4nxyhnO1GTeT83YlrdRF31NyR6bvZVTEERHmpbWSgeveJLRtaMzlGWiLZ8IwkH7o6GH3jp/KPtDW4Npu8w64HrRZdN2pqQhi7+YKwfHM7H+2U
+dM1BGN0sjOWMVbMSB9MtCsleS2Mb7TRZEbOHxECJLLIluQypZr7Pol3+hAqrhyKIk+6y+Da0NeDuWxW59Ku4NvClqW1UFX1SpfNGhzVfp/CH+vPM1tySomx2jE0EnYZuGwVucXPBsp5nUWqUV9+143glVuS7GTg9hFPjNBInn17HbCoIIQIOzj5Vd9bK3A9U
+GxXNpwenDHEalCsD/4eQYDHPhFE7sNe0D/OXu+FAM02VZkARx37Jp4bDdujvgL9PvZPR3wThvDN1CTU8Bc3xea3yKFAraKcPZLkhReQUAm2VpR+HSJRPlUpYizlF9WkLh3KcAVCBJWvnOkVwxyU5QJMcnwW95JlOtx+9100GL99jHE5rs3gXp7F4bg8H01QT9jVOhBBmQ7nQoXuwI0tqal2QUqZz3eeu62CU7xBwtfYR
+-----END CERTIFICATE-----

package/certs/ripdev.io.key ADDED Viewed

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBzo9MgygbFQH4
+mw5nj3wdt5HllRdkmfbzxi02tJOMSZLgmeYiJ0VUZ9bcIbcif0gFv4na7+oYaKf0
+vLYsBArTzq6WYa7i8Bzr/UYXlynzlZ3GS9qn5AGo1Y+jfHi239XE5xE4qCoybJU/
+NaFd0n5y/inMjUWxG9yRC8foX0zW5tn3dYE8BR3o409sfvaf7gylvPDJGc8p86rC
+qEInsCbLQguiE5DVL2eYia8q0yemuXUEKvdZ0KngyshuWdQkg9F6I68G7QXD/Pvm
+8sP6MiAx87aykQQb1Fm9MQHhxOXyiSVKCR+lKJwcdBJF0hIBIwTeBA/9yQ8HfQl9
+FD6mXz8dAgMBAAECggEAGv6CmqFdDXKeYOp19eo4GyqFrYDX7oj8auVkSE2cDIr1
+5IdDFOg74Z8KAATJLYqldTmBwccvZ8Fx/WZoiFZyzKAp1KPb+FuB58PSBrilHPqu
+rF9F4CMjsQi39klAxhYEwCWAElBn+jiCDDkT1g3a03j/yPA3cA0FqoVFzaGyge8M
+7vITBEyA0ZwJeFs0tQe+7t1r6hbf9+3w2Z3v+hQfAglIStjS5hXqXY+qlHKVg/cH
+qt2dnQFjwUCs2JpPkT7aZJdAaOfDv2A6B1tXlEjvIXbjRHNy+gnuUAxN8KB8XxGF
+iBgTkowuLSo5VzmV8E24UC916rI/2ZsS3ShztLmuGQKBgQDsDqS5yqm/zbioWX1O
+kx95CNi9x9YOCLrV/fui8NIsKWueVEHXlgcaDO6HNyNEVHvuIrqtUWYh62C7Eyad
+YtBRyITZvtyS1T4JPCd0eblu2XDFTccKyLccPW8VaeNMzV8GNYHx0MmPH1wLw7nu
+FCQ47FUAA9Qr6bWLZaImmzl+5QKBgQDSLiRf60DKtqar6js815YTCdCCzl6HUFqV
+DIDFcF7Hher5fxAKD3OQAVLBIu5S4dJLOajew94W5FukMcfN9Wk332ZH4AxWCuHv
+vbws14d3vNAvlKCYiQ3R2052rM3KqCE4rMJc6AQ/2GEE1XzS2CWEKLbOkk4qoKxs
+U2HxpS4D2QKBgA9pmVnEILc0QGVFiofx1TE64aPqg1BhQ4mrTp3B6YcWoT8yMyZX
+VlleFMjhUb0pYvoWbGfak7eNPcCZLIFELWPZmsr4ykAQCj/iHJVfSTsymUlYnbFX
+j5UZccJNKpkeI6EtJzHZtv9QRdtCyUYBLKhGzfn1Rgoj9UWHukGZCvT9AoGAVsx5
+dydXbZ/6uvqTli/OKXSfKLYDMcyMbAtqzp72dV2nyXug6xaweeMiAuLjG1VpHGnm
+hIDNIhUSh3+LbVIRLuLSgZJUZeA+qFxp7vbfWiKes1ek7vmCvIzeHYKFxlCiz54A
+8o9a2ecJQg7MauKas7aAsFSZdV8/dckFpN67XxkCgYEApSsiCH3/FSKpmriCEBcI
+aqz132RvkQ9622kkMnLo3TOIbjGmW3tnTGpCeCP5iCsknkJMoyA6CF/8lJcvBBVp
+S/sFuOblz6i1+11yfir3znkWfotA0c4ClHtp0ebcjjbf2Y2f+T9XVHsVYoIevirk
+5IxlgMVXTb4IG5lOEdl8TRA=
+-----END PRIVATE KEY-----

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rip-lang/server",
-  "version": "1.3.10",
+  "version": "1.3.12",
   "description": "Pure Rip web framework and application server",
   "type": "module",
   "main": "api.rip",
@@ -45,13 +45,14 @@
   "author": "Steve Shreeve <steve.shreeve@gmail.com>",
   "license": "MIT",
   "dependencies": {
-    "rip-lang": ">=3.13.18"
+    "rip-lang": ">=3.13.27"
   },
   "files": [
     "api.rip",
     "middleware.rip",
     "server.rip",
     "server.html",
+    "certs/",
     "bin/",
     "tests/",
     "docs/",

package/server.rip CHANGED Viewed

@@ -12,9 +12,9 @@
 #   bun server.rip list                    # List registered hosts
 # ==============================================================================
-import { existsSync, statSync, readFileSync, writeFileSync, unlinkSync, mkdirSync, watch, utimesSync } from 'node:fs'
+import { existsSync, statSync, readFileSync, writeFileSync, unlinkSync, watch, utimesSync } from 'node:fs'
 import { basename, dirname, isAbsolute, join, resolve } from 'node:path'
-import { homedir, cpus, networkInterfaces } from 'node:os'
+import { cpus, networkInterfaces } from 'node:os'
 import { X509Certificate } from 'node:crypto'
 # Match capture holder for Rip's =~
@@ -33,6 +33,7 @@ SHUTDOWN_TIMEOUT_MS = 30000   # Max time to wait for in-flight requests on shutd
 # ==============================================================================
 nowMs = -> Date.now()
+formatPort = (protocol, port) -> if (protocol is 'https' and port is 443) or (protocol is 'http' and port is 80) then '' else ":#{port}"
 getWorkerSocketPath = (prefix, id) -> "/tmp/#{prefix}.#{id}.sock"
 getControlSocketPath = (prefix) -> "/tmp/#{prefix}.ctl.sock"
@@ -107,19 +108,24 @@ logAccessJson = (app, req, res, totalSeconds, workerSeconds) ->
     type: type
     length: if len then Number(len) else undefined
+typeAbbrev =
+  html: 'html', css: 'css', javascript: 'js', json: 'json', plain: 'text'
+  png: 'png', jpeg: 'jpg', gif: 'gif', webp: 'webp', svg: 'svg'
+  'svg+xml': 'svg', 'x-icon': 'ico', 'octet-stream': 'bin'
 logAccessHuman = (app, req, res, totalSeconds, workerSeconds) ->
   { timestamp, timezone } = formatTimestamp()
-  d1 = scale(totalSeconds, 's')
-  d2 = scale(workerSeconds, 's')
+  dur = scale(totalSeconds, 's')
   method = req.method or 'GET'
   url = new URL(req.url)
   path = url.pathname
   status = res.status
-  lenHeader = res.headers.get('content-length') or ''
-  len = if lenHeader then "#{lenHeader}B" else ''
+  bytes = Number(res.headers.get('content-length') or 0)
+  size = scale(bytes, 'B')
   contentType = (res.headers.get('content-type') or '').split(';')[0] or ''
-  type = if contentType.includes('/') then contentType.split('/')[1] else contentType
-  console.log "[#{timestamp} #{timezone} #{d1} #{d2}] #{method} #{path} → #{status} #{type} #{len}"
+  sub = if contentType.includes('/') then contentType.split('/')[1] else contentType
+  type = (typeAbbrev[sub] or sub or '-').padEnd(4)
+  console.log "[#{timestamp} #{timezone} #{dur}] #{status} #{type} #{size} - #{method} #{path}"
 INTERNAL_HEADERS = new Set(['rip-worker-busy', 'rip-worker-id', 'rip-no-log'])
@@ -330,7 +336,6 @@ parseFlags = (argv) ->
     httpsPort
     certPath: getKV('--cert=')
     keyPath: getKV('--key=')
-    autoTls: has('--auto-tls')
     hsts: has('--hsts')
     redirectHttp: not has('--no-redirect-http')
     reload
@@ -739,6 +744,7 @@ class Server
     for alias in @flags.appAliases
       host = if alias.includes('.') then alias else "#{alias}.local"
       @hostRegistry.add(host)
+    @hostRegistry.add("#{@flags.appName}.ripdev.io")
   start: ->
     httpOnly = @flags.httpsPort is null
@@ -1009,6 +1015,10 @@ class Server
       host = if alias.includes('.') then alias else "#{alias}.local"
       @startMdnsAdvertisement(host)
+    port = @flags.httpsPort or @flags.httpPort or 80
+    protocol = if @flags.httpsPort then 'https' else 'http'
+    console.log "rip-server: #{protocol}://#{@flags.appName}.ripdev.io#{formatPort(protocol, port)}"
   controlFetch: (req) ->
     url = new URL(req.url)
@@ -1065,42 +1075,18 @@ class Server
         console.error 'Failed to read TLS cert/key from provided paths. Use http or fix paths.'
         process.exit(2)
-    # Ensure certs directory exists
-    certsDir = join(homedir(), '.rip', 'certs')
-    try mkdirSync(certsDir, { recursive: true }) catch then null
-    # Try mkcert first (trusted local CA)
-    if @flags.autoTls
-      certPath = join(certsDir, 'localhost.pem')
-      keyPath = join(certsDir, 'localhost-key.pem')
-      unless existsSync(certPath) and existsSync(keyPath)
-        try
-          Bun.spawnSync(['mkcert', '-install'])
-          Bun.spawnSync(['mkcert', '-key-file', keyPath, '-cert-file', certPath, 'localhost', '127.0.0.1', '::1'])
-        catch
-          null  # fall through to self-signed
-      if existsSync(certPath) and existsSync(keyPath)
-        cert = readFileSync(certPath, 'utf8')
-        key = readFileSync(keyPath, 'utf8')
-        @printCertSummary(cert)
-        return { cert, key }
-    # Self-signed via openssl
-    certPath = join(certsDir, 'selfsigned-localhost.pem')
-    keyPath = join(certsDir, 'selfsigned-localhost-key.pem')
-    unless existsSync(certPath) and existsSync(keyPath)
-      try
-        Bun.spawnSync(['openssl', 'req', '-x509', '-nodes', '-newkey', 'rsa:2048', '-keyout', keyPath, '-out', certPath, '-subj', '/CN=localhost', '-days', '3650'])
-      catch
-        console.error 'TLS required but could not provision a certificate (mkcert/openssl missing). Use http or provide --cert/--key.'
-        process.exit(2)
+    # Shipped wildcard cert for *.ripdev.io (GlobalSign, valid for all subdomains)
+    certsDir = join(import.meta.dir, 'certs')
+    certPath = join(certsDir, 'ripdev.io.crt')
+    keyPath = join(certsDir, 'ripdev.io.key')
     try
       cert = readFileSync(certPath, 'utf8')
       key = readFileSync(keyPath, 'utf8')
       @printCertSummary(cert)
       return { cert, key }
-    catch
-      console.error 'Failed to read generated self-signed cert/key from ~/.rip/certs'
+    catch e
+      console.error "rip-server: failed to load TLS certs from #{certsDir}: #{e.message}"
+      console.error 'Use --cert/--key to provide your own, or use http to disable TLS.'
       process.exit(2)
   printCertSummary: (certPem) ->
@@ -1153,7 +1139,7 @@ class Server
         stderr: 'ignore'
       @mdnsProcesses.set(host, proc)
-      console.log "rip-server: #{protocol}://#{host}:#{port}"
+      console.log "rip-server: #{protocol}://#{host}#{formatPort(protocol, port)}"
     catch e
       console.error "rip-server: failed to advertise #{host} via mDNS:", e.message
@@ -1191,11 +1177,10 @@ main = ->
       Network:
         http                    HTTP only (no TLS)
-        https                   HTTPS with auto TLS (default)
+        https                   HTTPS with trusted *.ripdev.io cert (default)
         <port>                  Listen on specific port
-        --cert=<path>           TLS certificate file
-        --key=<path>            TLS key file
-        --auto-tls              Generate TLS cert via mkcert
+        --cert=<path>           TLS certificate file (overrides shipped cert)
+        --key=<path>            TLS key file (overrides shipped cert)
         --hsts                  Enable HSTS header
         --no-redirect-http      Don't redirect HTTP to HTTPS
@@ -1301,8 +1286,9 @@ main = ->
   mgr.start!
   httpOnly = flags.httpsPort is null
-  url = if httpOnly then "http://localhost:#{flags.httpPort}/server" else "https://localhost:#{flags.httpsPort}/server"
-  console.log "rip-server: app=#{flags.appName} workers=#{flags.workers} url=#{url}"
+  protocol = if httpOnly then 'http' else 'https'
+  port = flags.httpsPort or flags.httpPort or 80
+  console.log "rip-server: app=#{flags.appName} workers=#{flags.workers} url=#{protocol}://#{flags.appName}.ripdev.io#{formatPort(protocol, port)}/server"
 # ==============================================================================
 # Entry Point