@stacksjs/rpx 0.11.7 → 0.11.10

package/dist/daemon-runner.d.ts

@@ -26,4 +26,7 @@ export declare interface DaemonRunnerOptions {
   rpxDir?: string
   detached?: boolean
   spawnCommand?: string[]
+  startupTimeoutMs?: number
+  spawnEnv?: Record<string, string>
+  persistent?: boolean
 }

package/dist/daemon.d.ts

@@ -55,6 +55,10 @@ export declare function ensureDaemonRunning(opts?: EnsureDaemonOptions): Promise
  * if we had to SIGKILL.
  */
 export declare function stopDaemon(opts?: StopDaemonOptions): Promise<StopDaemonResult>;
+/**
+ * When the daemon is not running, ensure no stale macOS resolver overrides remain.
+ */
+export declare function reconcileDevelopmentDnsOnIdle(opts?: { rpxDir?: string, verbose?: boolean }): Promise<void>;
 export declare interface DaemonOptions {
   verbose?: boolean
   rpxDir?: string

package/dist/dns-state.d.ts

@@ -0,0 +1,27 @@
+export declare function defaultRpxDir(): string;
+export declare function getDnsStatePath(rpxDir?: string): string;
+export declare function loadDnsState(rpxDir?: string): Promise<DnsState | null>;
+export declare function saveDnsState(rpxDir: string, state: DnsState): Promise<void>;
+export declare function clearDnsState(rpxDir: string): Promise<void>;
+/**
+ * Normalize a dev hostname. Returns null for localhost / IPs — those use /etc/hosts only.
+ */
+export declare function normalizeDevDomain(raw: string): string | null;
+/**
+ * macOS resolver basename for a dev domain. Uses the registrable base (last two labels)
+ * so `api.postline.test` and `postline.test` share one `/etc/resolver/postline.test` file.
+ */
+export declare function resolverBasenameForDomain(raw: string): string | null;
+export declare function resolverBasenamesForDomains(domains: string[]): string[];
+export declare function devDomainsFromHosts(hosts: string[]): string[];
+export declare const DNS_STATE_VERSION: 1;
+export declare const RPX_DNS_STATE_FILE: 'dns-state.json';
+/** Single-label /etc/resolver files created by older rpx versions (whole-TLD hijack). */
+export declare const LEGACY_TLD_RESOLVER_LABELS: readonly ['com', 'test', 'dev', 'app', 'page', 'local', 'localhost', 'example', 'invalid'];
+export declare interface DnsState {
+  version: typeof DNS_STATE_VERSION
+  resolvers: string[]
+  domains: string[]
+  ownerPid: number | null
+  updatedAt: string
+}

package/dist/dns.d.ts

@@ -0,0 +1,43 @@
+import type { RegistryEntry } from './registry';
+export declare function startDnsServer(domains: string[], verbose?: boolean): Promise<boolean>;
+export declare function stopDnsServer(verbose?: boolean): void;
+export declare function isDnsServerRunning(): boolean;
+export declare function resolverFilePath(basename: string): string;
+/** True when a resolver file points at the rpx local DNS port. */
+export declare function contentLooksLikeRpxResolver(content: string): boolean;
+/**
+ * @deprecated Use {@link setupDevelopmentDns}. Domain-scoped resolver files only.
+ */
+export declare function setupResolver(verbose?: boolean, domains?: string[]): Promise<boolean>;
+/** Remove legacy whole-TLD resolver files (e.g. `/etc/resolver/com`). */
+export declare function removeLegacyTldResolvers(verbose?: boolean): Promise<string[]>;
+/**
+ * Start the local DNS server and install domain-scoped macOS resolver files.
+ */
+export declare function setupDevelopmentDns(opts: DevelopmentDnsOptions): Promise<boolean>;
+/**
+ * Sync resolver + DNS state to the current set of registry hosts (daemon mode).
+ */
+export declare function syncDevelopmentDnsFromRegistry(entries: RegistryEntry[], opts?: { rpxDir?: string, verbose?: boolean, ownerPid?: number }): Promise<void>;
+/**
+ * Stop DNS and remove all resolver files recorded in state (plus legacy TLD files).
+ */
+export declare function tearDownDevelopmentDns(opts?: { rpxDir?: string, verbose?: boolean }): Promise<void>;
+/**
+ * @deprecated Use {@link tearDownDevelopmentDns}.
+ */
+export declare function removeResolver(verbose?: boolean): Promise<void>;
+/**
+ * Remove stale DNS overrides left after a crashed dev session or legacy TLD hijacks.
+ * Safe to call before starting the daemon or `./buddy dev`.
+ */
+export declare function reconcileStaleDevelopmentDns(opts?: { rpxDir?: string, verbose?: boolean }): Promise<void>;
+/** High port — does not require root. */
+export declare const DNS_PORT: 15353;
+export declare const RPX_RESOLVER_MARKER: '# managed-by: rpx';
+export declare interface DevelopmentDnsOptions {
+  domains: string[]
+  rpxDir?: string
+  verbose?: boolean
+  ownerPid?: number
+}

package/dist/https.d.ts

@@ -1,9 +1,17 @@
 import { config } from './config';
+import { MACOS_CA_TRUST_FLAGS, MACOS_SYSTEM_KEYCHAIN, getMacosLoginKeychainPath, isRootCaFingerprintInKeychains, isRootCaTrustedForSsl, pruneStaleRootCas, trustRootCaForBrowsers } from './macos-trust';
 import type { ProxyConfigs, ProxyOption, ProxyOptions, SSLConfig, TlsConfig } from './types';
 /**
  * Returns the canonical Root CA cert + key paths inside `basePath`.
  */
 export declare function getRootCAPaths(basePath: string): RootCAPaths;
+/** Paths for the shared multi-host daemon cert under `~/.stacks/ssl`. */
+export declare function getSharedDaemonCertPaths(sslDir: string): {
+  certPath: string
+  keyPath: string
+  caCertPath: string
+  rootCA: RootCAPaths
+};
 /**
  * Resolves SSL paths based on configuration
  */
@@ -26,9 +34,11 @@ export declare function loadSSLConfig(options: ProxyOption): Promise<SSLConfig |
 /**
  * Force trust a certificate - exposing for direct use
  */
-export declare function forceTrustCertificate(certPath: string): Promise<boolean>;
+export declare function forceTrustCertificate(certPath: string, options?: { serverName?: string, verbose?: boolean }): Promise<boolean>;
 export declare function generateCertificate(options: ProxyOptions): Promise<void>;
 export declare function getSSLConfig(): { key: string, cert: string, ca?: string } | null;
+/** Clear in-process TLS cache so the next generate/load picks up new files on disk. */
+export declare function clearSslConfigCache(): void;
 // needs to accept the options
 export declare function checkExistingCertificates(options?: ProxyOptions): Promise<SSLConfig | null>;
 export declare function httpsConfig(options: ProxyOption | ProxyOptions, verbose?: boolean): TlsConfig;
@@ -40,8 +50,28 @@ export declare function cleanupCertificates(domain: string, verbose?: boolean):
  * Checks if a certificate is trusted by the system (macOS only for now)
  * If options.regenerateUntrustedCerts is false, always returns true (skips trust check)
  */
-export declare function isCertTrusted(certPath: string, options?: { verbose?: boolean, regenerateUntrustedCerts?: boolean }): Promise<boolean>;
+export declare function isCertTrusted(certPath: string, options?: { verbose?: boolean, regenerateUntrustedCerts?: boolean, serverName?: string }): Promise<boolean>;
 export declare interface RootCAPaths {
   caCertPath: string
   caKeyPath: string
 }
+export {
+  MACOS_CA_TRUST_FLAGS,
+  MACOS_SYSTEM_KEYCHAIN,
+  RPX_ROOT_CA_COMMON_NAME,
+  getMacosLoginKeychainPath,
+  getMacosTrustKeychains,
+  isRootCaFingerprintInKeychains,
+  isRootCaTrustedForSsl,
+  listCertSha256HashesByCommonName,
+  pruneStaleRootCas,
+  trustRootCaForBrowsers,
+} from './macos-trust';
+export {
+  certIncludesSanHostnames,
+  normalizeSha256Fingerprint,
+  parseSha256HashesFromSecurityListing,
+  readCertCommonName,
+  readCertSha256Fingerprint,
+  verifyHttpsChain,
+} from './cert-inspect';

package/dist/index.d.ts

@@ -1,5 +1,6 @@
 import { startProxies as startProxiesFunc } from './start';
 export type { RegistryEntry, WatchHandle, WatchOptions } from './registry';
+export type { DevelopmentDnsOptions } from './dns';
 export type {
   DaemonHandle,
   DaemonOptions,
@@ -20,12 +21,35 @@ export {
 export {
   checkExistingCertificates,
   cleanupCertificates,
+  clearSslConfigCache,
   forceTrustCertificate,
   generateCertificate,
+  getRootCAPaths,
+  getSharedDaemonCertPaths,
   httpsConfig,
   isCertTrusted,
   loadSSLConfig,
 } from './https';
+export {
+  MACOS_CA_TRUST_FLAGS,
+  MACOS_SYSTEM_KEYCHAIN,
+  RPX_ROOT_CA_COMMON_NAME,
+  getMacosLoginKeychainPath,
+  getMacosTrustKeychains,
+  isRootCaFingerprintInKeychains,
+  isRootCaTrustedForSsl,
+  listCertSha256HashesByCommonName,
+  pruneStaleRootCas,
+  trustRootCaForBrowsers,
+} from './macos-trust';
+export {
+  certIncludesSanHostnames,
+  normalizeSha256Fingerprint,
+  parseSha256HashesFromSecurityListing,
+  readCertCommonName,
+  readCertSha256Fingerprint,
+  verifyHttpsChain,
+} from './cert-inspect';
 export { DefaultPortManager, findAvailablePort, isPortInUse, portManager } from './port-manager';
 export {
   gcStaleEntries,
@@ -38,6 +62,30 @@ export {
   watchRegistry,
   writeEntry,
 } from './registry';
+export {
+  DNS_PORT,
+  RPX_RESOLVER_MARKER,
+  contentLooksLikeRpxResolver,
+  isDnsServerRunning,
+  reconcileStaleDevelopmentDns,
+  removeLegacyTldResolvers,
+  removeResolver,
+  resolverFilePath,
+  setupDevelopmentDns,
+  setupResolver,
+  startDnsServer,
+  stopDnsServer,
+  syncDevelopmentDnsFromRegistry,
+  tearDownDevelopmentDns,
+} from './dns';
+export {
+  DNS_STATE_VERSION,
+  LEGACY_TLD_RESOLVER_LABELS,
+  devDomainsFromHosts,
+  normalizeDevDomain,
+  resolverBasenameForDomain,
+  resolverBasenamesForDomains,
+} from './dns-state';
 export {
   acquireDaemonLock,
   defaultDaemonSpawnCommand,
@@ -46,6 +94,7 @@ export {
   getDaemonRpxDir,
   isDaemonRunning,
   readDaemonPid,
+  reconcileDevelopmentDnsOnIdle,
   releaseDaemonLock,
   runDaemon,
   stopDaemon,