@stacksjs/rpx 0.11.7 → 0.11.10

package/src/https.ts

@@ -9,8 +9,39 @@ import * as process from 'node:process'
 import { addCertToSystemTrustStoreAndSaveCert, createRootCA, generateCertificate as generateCert } from '@stacksjs/tlsx'
 import { log } from './logger'
 import { config } from './config'
+import {
+  MACOS_CA_TRUST_FLAGS,
+  MACOS_SYSTEM_KEYCHAIN,
+  getMacosLoginKeychainPath,
+  isRootCaFingerprintInKeychains,
+  isRootCaTrustedForSsl,
+  pruneStaleRootCas,
+  trustRootCaForBrowsers,
+} from './macos-trust'
 import { debugLog, execSudoSync, getPrimaryDomain, isMultiProxyConfig, isMultiProxyOptions, isSingleProxyOptions, isValidRootCA, safeDeleteFile } from './utils'
 
+export {
+  MACOS_CA_TRUST_FLAGS,
+  MACOS_SYSTEM_KEYCHAIN,
+  RPX_ROOT_CA_COMMON_NAME,
+  getMacosLoginKeychainPath,
+  getMacosTrustKeychains,
+  isRootCaFingerprintInKeychains,
+  isRootCaTrustedForSsl,
+  listCertSha256HashesByCommonName,
+  pruneStaleRootCas,
+  trustRootCaForBrowsers,
+} from './macos-trust'
+
+export {
+  certIncludesSanHostnames,
+  normalizeSha256Fingerprint,
+  parseSha256HashesFromSecurityListing,
+  readCertCommonName,
+  readCertSha256Fingerprint,
+  verifyHttpsChain,
+} from './cert-inspect'
+
 let cachedSSLConfig: { key: string, cert: string, ca?: string } | null = null
 
 // Canonical filenames for the shared Root CA. The CA is a singleton across all
@@ -34,6 +65,21 @@ export function getRootCAPaths(basePath: string): RootCAPaths {
   }
 }
 
+/** Paths for the shared multi-host daemon cert under `~/.stacks/ssl`. */
+export function getSharedDaemonCertPaths(sslDir: string): {
+  certPath: string
+  keyPath: string
+  caCertPath: string
+  rootCA: RootCAPaths
+} {
+  return {
+    certPath: join(sslDir, 'rpx.localhost.crt'),
+    keyPath: join(sslDir, 'rpx.localhost.key'),
+    caCertPath: join(sslDir, 'rpx.localhost.ca.crt'),
+    rootCA: getRootCAPaths(sslDir),
+  }
+}
+
 /**
  * Load a previously-persisted Root CA (cert + private key). Returns `null` if
  * either file is missing or unreadable, signalling that a fresh CA needs to be
@@ -230,9 +276,12 @@ export async function loadSSLConfig(options: ProxyOption): Promise<SSLConfig | n
 /**
  * Force trust a certificate - exposing for direct use
  */
-export async function forceTrustCertificate(certPath: string): Promise<boolean> {
+export async function forceTrustCertificate(
+  certPath: string,
+  options?: { serverName?: string, verbose?: boolean },
+): Promise<boolean> {
   if (process.platform === 'darwin')
-    return forceTrustCertificateMacOS(certPath)
+    return forceTrustCertificateMacOS(certPath, options)
 
   if (process.platform === 'linux') {
     try {
@@ -270,28 +319,24 @@ export async function forceTrustCertificate(certPath: string): Promise<boolean>
  * Force trust a certificate on macOS using direct security command
  * This function first checks if the certificate is already trusted to avoid unnecessary sudo prompts
  */
-async function forceTrustCertificateMacOS(certPath: string): Promise<boolean> {
+async function forceTrustCertificateMacOS(
+  certPath: string,
+  options?: { serverName?: string, verbose?: boolean },
+): Promise<boolean> {
   if (process.platform !== 'darwin')
     return false
 
+  const serverName = options?.serverName ?? 'rpx.localhost'
+  const verbose = options?.verbose ?? false
+
   try {
-    // First check if already trusted to avoid unnecessary sudo prompts
-    const alreadyTrusted = await isCertTrusted(certPath, { verbose: false, regenerateUntrustedCerts: true })
-    if (alreadyTrusted) {
-      debugLog('ssl', 'Certificate is already trusted, skipping trust operation', false)
+    if (isRootCaTrustedForSsl(certPath, serverName, { verbose })) {
+      debugLog('ssl', 'Root CA already trusted for SSL, skipping trust operation', verbose)
       return true
     }
 
-    debugLog('ssl', 'Trusting certificate via macOS security command', false)
-
-    // Use execSudoSync which handles SUDO_PASSWORD from env
-    try {
-      execSudoSync(`security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${certPath}"`)
-      return true
-    }
-    catch {
-      return false
-    }
+    debugLog('ssl', 'Trusting Root CA for browsers (login + system keychains)', verbose)
+    return trustRootCaForBrowsers(certPath, { serverName, verbose })
   }
   catch {
     return false
@@ -299,10 +344,11 @@ async function forceTrustCertificateMacOS(certPath: string): Promise<boolean> {
 }
 
 export async function generateCertificate(options: ProxyOptions): Promise<void> {
-  if (cachedSSLConfig) {
+  if (cachedSSLConfig && !(options as { forceRegenerate?: boolean }).forceRegenerate) {
     debugLog('ssl', 'Using cached SSL configuration', options.verbose)
     return
   }
+  clearSslConfigCache()
 
   // Get all unique domains from the configuration
   const domains: string[] = isMultiProxyOptions(options)
@@ -403,7 +449,13 @@ export async function generateCertificate(options: ProxyOptions): Promise<void>
   // We install only the Root CA — host certs derive their trust from it.
   if (process.platform === 'darwin') {
     try {
-      execSudoSync(`security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${rootCAPaths.caCertPath}"`)
+      pruneStaleRootCas({ caPath: rootCAPaths.caCertPath, verbose: options.verbose })
+      const loginKeychain = getMacosLoginKeychainPath()
+      try {
+        execSync(`security add-trusted-cert ${MACOS_CA_TRUST_FLAGS} -k "${loginKeychain}" "${rootCAPaths.caCertPath}"`, { stdio: 'ignore' })
+      }
+      catch { /* login keychain optional */ }
+      execSudoSync(`security add-trusted-cert ${MACOS_CA_TRUST_FLAGS} -k ${MACOS_SYSTEM_KEYCHAIN} "${rootCAPaths.caCertPath}"`)
       if (options.verbose)
         log.success('Successfully added Root CA to system trust store')
 
@@ -413,7 +465,7 @@ export async function generateCertificate(options: ProxyOptions): Promise<void>
       const scriptPath = join(sslDir, 'trust-rpx-cert.sh')
       const scriptContent = `#!/bin/bash
 echo "Trusting RPX Root CA"
-sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${rootCAPaths.caCertPath}"
+sudo security add-trusted-cert ${MACOS_CA_TRUST_FLAGS} -k ${MACOS_SYSTEM_KEYCHAIN} "${rootCAPaths.caCertPath}"
 echo "Root CA trusted! Please restart your browser."
 echo "If you still see certificate warnings, type 'thisisunsafe' on the warning page in Chrome/Arc browsers."
 `
@@ -426,7 +478,7 @@ echo "If you still see certificate warnings, type 'thisisunsafe' on the warning
       const scriptPath = join(sslDir, 'trust-rpx-cert.sh')
       const scriptContent = `#!/bin/bash
 echo "Trusting RPX Root CA"
-sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${rootCAPaths.caCertPath}"
+sudo security add-trusted-cert ${MACOS_CA_TRUST_FLAGS} -k ${MACOS_SYSTEM_KEYCHAIN} "${rootCAPaths.caCertPath}"
 echo "Root CA trusted! Please restart your browser."
 echo "If you still see certificate warnings, type 'thisisunsafe' on the warning page in Chrome/Arc browsers."
 `
@@ -539,6 +591,11 @@ export function getSSLConfig(): { key: string, cert: string, ca?: string } | nul
   return cachedSSLConfig
 }
 
+/** Clear in-process TLS cache so the next generate/load picks up new files on disk. */
+export function clearSslConfigCache(): void {
+  cachedSSLConfig = null
+}
+
 // needs to accept the options
 export async function checkExistingCertificates(options?: ProxyOptions): Promise<SSLConfig | null> {
   if (!options)
@@ -569,10 +626,15 @@ export async function checkExistingCertificates(options?: ProxyOptions): Promise
     const flagValue = options.regenerateUntrustedCerts
     const shouldCheckTrust = hasFlag ? flagValue !== false : true
     debugLog('ssl', `Trust check: hasFlag=${hasFlag}, flagValue=${flagValue}, shouldCheckTrust=${shouldCheckTrust}`, options.verbose)
-    const certIsTrusted = shouldCheckTrust ? await isCertTrusted(sslConfig.certPath, options) : true
-
-    if (!certIsTrusted) {
-      debugLog('ssl', 'Certificate exists but is not trusted, will regenerate', options.verbose)
+    // Trust anchor is the shared Root CA — host certs are not installed individually.
+    const sslDir = sslConfig.basePath || join(homedir(), '.stacks', 'ssl')
+    const rootCAPaths = getRootCAPaths(sslDir)
+    const caIsTrusted = shouldCheckTrust
+      ? await isCertTrusted(rootCAPaths.caCertPath, options)
+      : true
+
+    if (!caIsTrusted) {
+      debugLog('ssl', 'Root CA exists but is not trusted, will regenerate', options.verbose)
       // Don't attempt to trust here - let generateCertificate handle it in one place
       // This avoids multiple sudo prompts
       return null
@@ -711,39 +773,18 @@ export async function cleanupCertificates(domain: string, verbose?: boolean): Pr
  * Checks if a certificate is trusted by the system (macOS only for now)
  * If options.regenerateUntrustedCerts is false, always returns true (skips trust check)
  */
-export async function isCertTrusted(certPath: string, options?: { verbose?: boolean, regenerateUntrustedCerts?: boolean }): Promise<boolean> {
+export async function isCertTrusted(
+  certPath: string,
+  options?: { verbose?: boolean, regenerateUntrustedCerts?: boolean, serverName?: string },
+): Promise<boolean> {
   try {
     debugLog('ssl', `Checking if certificate is trusted: ${certPath}`, options?.verbose)
 
     // Different check methods per platform
     if (process.platform === 'darwin') {
-      // On macOS, use the security command to check if the cert is trusted
-      try {
-        // Get certificate fingerprint
-        const certFingerprint = execSync(`openssl x509 -noout -fingerprint -sha256 -in "${certPath}"`).toString().trim()
-        const fingerprintValue = certFingerprint.split('=')[1]?.trim() || ''
-
-        if (!fingerprintValue) {
-          debugLog('ssl', 'Could not extract certificate fingerprint', options?.verbose)
-          return false
-        }
-
-        // Check if the fingerprint exists in the system keychain and is trusted
-        const keychainOutput = execSync(`security find-certificate -a -Z -p | openssl x509 -noout -fingerprint -sha256`).toString()
-
-        // If the fingerprint is found in the trusted certs, consider it trusted
-        if (keychainOutput.includes(fingerprintValue)) {
-          debugLog('ssl', 'Certificate fingerprint found in system keychain', options?.verbose)
-          return true
-        }
-
-        debugLog('ssl', 'Certificate fingerprint not found in system keychain', options?.verbose)
-        return false
-      }
-      catch (error) {
-        debugLog('ssl', `Error checking certificate trust: ${error}`, options?.verbose)
-        return false
-      }
+      if (options?.serverName)
+        return isRootCaTrustedForSsl(certPath, options.serverName, { verbose: options.verbose })
+      return isRootCaFingerprintInKeychains(certPath, { verbose: options.verbose })
     }
     else if (process.platform === 'win32') {
       // On Windows, use PowerShell to check the certificate store

package/src/index.ts

@@ -13,13 +13,38 @@ export {
 export {
   checkExistingCertificates,
   cleanupCertificates,
+  clearSslConfigCache,
   forceTrustCertificate,
   generateCertificate,
+  getRootCAPaths,
+  getSharedDaemonCertPaths,
   httpsConfig,
   isCertTrusted,
   loadSSLConfig,
 } from './https'
 
+export {
+  MACOS_CA_TRUST_FLAGS,
+  MACOS_SYSTEM_KEYCHAIN,
+  RPX_ROOT_CA_COMMON_NAME,
+  getMacosLoginKeychainPath,
+  getMacosTrustKeychains,
+  isRootCaFingerprintInKeychains,
+  isRootCaTrustedForSsl,
+  listCertSha256HashesByCommonName,
+  pruneStaleRootCas,
+  trustRootCaForBrowsers,
+} from './macos-trust'
+
+export {
+  certIncludesSanHostnames,
+  normalizeSha256Fingerprint,
+  parseSha256HashesFromSecurityListing,
+  readCertCommonName,
+  readCertSha256Fingerprint,
+  verifyHttpsChain,
+} from './cert-inspect'
+
 export { DefaultPortManager, findAvailablePort, isPortInUse, portManager } from './port-manager'
 
 export {
@@ -36,6 +61,34 @@ export {
 
 export type { RegistryEntry, WatchHandle, WatchOptions } from './registry'
 
+export {
+  DNS_PORT,
+  RPX_RESOLVER_MARKER,
+  contentLooksLikeRpxResolver,
+  isDnsServerRunning,
+  reconcileStaleDevelopmentDns,
+  removeLegacyTldResolvers,
+  removeResolver,
+  resolverFilePath,
+  setupDevelopmentDns,
+  setupResolver,
+  startDnsServer,
+  stopDnsServer,
+  syncDevelopmentDnsFromRegistry,
+  tearDownDevelopmentDns,
+} from './dns'
+
+export type { DevelopmentDnsOptions } from './dns'
+
+export {
+  DNS_STATE_VERSION,
+  LEGACY_TLD_RESOLVER_LABELS,
+  devDomainsFromHosts,
+  normalizeDevDomain,
+  resolverBasenameForDomain,
+  resolverBasenamesForDomains,
+} from './dns-state'
+
 export {
   acquireDaemonLock,
   defaultDaemonSpawnCommand,
@@ -44,6 +97,7 @@ export {
   getDaemonRpxDir,
   isDaemonRunning,
   readDaemonPid,
+  reconcileDevelopmentDnsOnIdle,
   releaseDaemonLock,
   runDaemon,
   stopDaemon,

package/src/macos-trust.ts

@@ -0,0 +1,175 @@
+import { execSync } from 'node:child_process'
+import { homedir } from 'node:os'
+import { join } from 'node:path'
+import { readCertSha256Fingerprint } from './cert-inspect'
+import { debugLog, execSudoSync } from './utils'
+
+/** Chrome/Edge need SSL + basic trust policies — plain trustRoot often leaves "trust settings: 0". */
+export const MACOS_CA_TRUST_FLAGS = '-d -r trustRoot -p ssl -p basic'
+
+export const MACOS_SYSTEM_KEYCHAIN = '/Library/Keychains/System.keychain'
+
+/** Default CN label for the shared rpx Root CA in macOS keychain listings. */
+export const RPX_ROOT_CA_COMMON_NAME = 'rpx.localhost'
+
+export function getMacosLoginKeychainPath(): string {
+  return join(homedir(), 'Library/Keychains/login.keychain-db')
+}
+
+export function getMacosTrustKeychains(): string[] {
+  return [MACOS_SYSTEM_KEYCHAIN, getMacosLoginKeychainPath()]
+}
+
+export interface ListCertsByCommonNameOptions {
+  keychain: string
+  commonName?: string
+}
+
+export function listCertSha256HashesByCommonName(
+  keychain: string,
+  commonName: string = RPX_ROOT_CA_COMMON_NAME,
+): string[] {
+  const listing = execSync(
+    `security find-certificate -a -c "${commonName}" -Z "${keychain}" 2>/dev/null || true`,
+    { encoding: 'utf8' },
+  )
+  const hashes: string[] = []
+  for (const line of listing.split('\n')) {
+    const match = line.match(/SHA-256 hash:\s*([A-F0-9]+)/i)
+    if (match)
+      hashes.push(match[1]!.toUpperCase())
+  }
+  return hashes
+}
+
+export interface PruneStaleRootCasOptions {
+  caPath: string
+  commonName?: string
+  keychains?: string[]
+  verbose?: boolean
+}
+
+/**
+ * Remove older rpx Root CA copies from keychains, keeping only the fingerprint
+ * that matches the on-disk `caPath` file.
+ */
+export function pruneStaleRootCas(options: PruneStaleRootCasOptions): void {
+  if (process.platform !== 'darwin')
+    return
+
+  const keep = readCertSha256Fingerprint(options.caPath)
+  if (!keep)
+    return
+
+  const commonName = options.commonName ?? RPX_ROOT_CA_COMMON_NAME
+  const keychains = options.keychains ?? getMacosTrustKeychains()
+
+  for (const keychain of keychains) {
+    for (const hash of listCertSha256HashesByCommonName(keychain, commonName)) {
+      if (hash === keep)
+        continue
+      try {
+        if (keychain.startsWith('/Library'))
+          execSudoSync(`security delete-certificate -Z ${hash} "${keychain}"`)
+        else
+          execSync(`security delete-certificate -Z ${hash} "${keychain}"`, { stdio: 'ignore' })
+        debugLog('ssl', `Removed stale Root CA ${hash} from ${keychain}`, options.verbose)
+      }
+      catch { /* already removed */ }
+    }
+  }
+}
+
+/**
+ * True when the Root CA is trusted for SSL to `serverName` (macOS verify-cert).
+ * On other platforms, falls back to fingerprint presence in trust stores.
+ */
+export function isRootCaTrustedForSsl(
+  caPath: string,
+  serverName: string,
+  options?: { verbose?: boolean },
+): boolean {
+  if (process.platform !== 'darwin')
+    return isRootCaFingerprintInKeychains(caPath, options)
+
+  try {
+    const out = execSync(
+      `security verify-cert -c "${caPath}" -s "${serverName}" -l -L -R ssl 2>&1`,
+      { encoding: 'utf8' },
+    )
+    const ok = out.includes('successful')
+    debugLog('ssl', `verify-cert ${serverName}: ${ok ? 'trusted' : 'not trusted'}`, options?.verbose)
+    return ok
+  }
+  catch {
+    return false
+  }
+}
+
+export function isRootCaFingerprintInKeychains(
+  caPath: string,
+  options?: { verbose?: boolean },
+): boolean {
+  const fp = readCertSha256Fingerprint(caPath)
+  if (!fp)
+    return false
+
+  for (const keychain of getMacosTrustKeychains()) {
+    try {
+      const listing = execSync(`security find-certificate -a -Z "${keychain}" 2>/dev/null || true`, { encoding: 'utf8' })
+      for (const line of listing.split('\n')) {
+        if (line.toUpperCase().includes('SHA-256')) {
+          const lineFp = line.split('=').pop()!.replace(/SHA-256\s+hash:\s*/gi, '').replace(/:/g, '').trim().toUpperCase()
+          if (lineFp === fp) {
+            debugLog('ssl', `Root CA fingerprint found in ${keychain}`, options?.verbose)
+            return true
+          }
+        }
+      }
+    }
+    catch { /* try next keychain */ }
+  }
+
+  return false
+}
+
+export interface TrustRootCaForBrowsersOptions {
+  serverName: string
+  commonName?: string
+  verbose?: boolean
+}
+
+/**
+ * Install the Root CA into login + system keychains with SSL/basic policies,
+ * pruning stale copies first. Returns true when SSL verification succeeds or
+ * the cert fingerprint is present in a keychain.
+ */
+export function trustRootCaForBrowsers(
+  caPath: string,
+  options: TrustRootCaForBrowsersOptions,
+): boolean {
+  if (process.platform !== 'darwin')
+    return false
+
+  const serverName = options.serverName
+  pruneStaleRootCas({ caPath, commonName: options.commonName, verbose: options.verbose })
+
+  const loginKeychain = getMacosLoginKeychainPath()
+  try {
+    execSync(
+      `security add-trusted-cert ${MACOS_CA_TRUST_FLAGS} -k "${loginKeychain}" "${caPath}"`,
+      { stdio: 'ignore' },
+    )
+  }
+  catch { /* may already exist — re-apply trust below */ }
+
+  try {
+    execSudoSync(`security add-trusted-cert ${MACOS_CA_TRUST_FLAGS} -k ${MACOS_SYSTEM_KEYCHAIN} "${caPath}"`)
+  }
+  catch {
+    return false
+  }
+
+  return isRootCaTrustedForSsl(caPath, serverName, { verbose: options.verbose })
+    || isRootCaFingerprintInKeychains(caPath, { verbose: options.verbose })
+}

package/src/start.ts

@@ -877,10 +877,10 @@ export function startProxy(options: ProxyOption): void {
   }
 
   if (isCustomDomain) {
-    import('./dns').then(({ startDnsServer, setupResolver }) => {
-      startDnsServer([targetDomain], mergedOptions.verbose).then((started) => {
+    import('./dns').then(({ setupDevelopmentDns }) => {
+      setupDevelopmentDns({ domains: [targetDomain], verbose: mergedOptions.verbose }).then((started) => {
         if (started) {
-          setupResolver(mergedOptions.verbose, [targetDomain]).then(() => {
+          Promise.resolve().then(() => {
             if (mergedOptions.verbose) {
               if (reservedTlds.includes(tld)) {
                 log.success(`DNS server started for .${tld} domains`)
@@ -1152,10 +1152,9 @@ export async function startProxies(options?: ProxyOptions): Promise<void> {
   }
 
   if (process.platform === 'darwin' && customDomains.length > 0) {
-    const { startDnsServer, setupResolver } = await import('./dns')
-    const dnsStarted = await startDnsServer(customDomains, verbose)
+    const { setupDevelopmentDns } = await import('./dns')
+    const dnsStarted = await setupDevelopmentDns({ domains: customDomains, verbose })
     if (dnsStarted) {
-      await setupResolver(verbose, customDomains)
       if (verbose) {
         const hasReservedOnly = uniqueTlds.every((t): t is string => !!t && reservedTlds.includes(t as string))
         if (hasReservedOnly) {
@@ -1177,9 +1176,8 @@ export async function startProxies(options?: ProxyOptions): Promise<void> {
 
     try {
       // Stop DNS server
-      const { stopDnsServer, removeResolver } = await import('./dns')
-      stopDnsServer(mergedOptions.verbose)
-      await removeResolver(mergedOptions.verbose)
+      const { tearDownDevelopmentDns } = await import('./dns')
+      await tearDownDevelopmentDns({ verbose: mergedOptions.verbose })
     }
     catch (err) {
       debugLog('cleanup', `Error stopping DNS server: ${err}`, mergedOptions.verbose)

package/dist/chunk-6z1nzq0x.js

@@ -1 +0,0 @@
-import{a as X,d as F}from"./chunk-jpf41gb9.js";import Q from"node:dgram";var $=15353;function _(k){return{id:k.readUInt16BE(0),flags:k.readUInt16BE(2),qdcount:k.readUInt16BE(4),ancount:k.readUInt16BE(6),nscount:k.readUInt16BE(8),arcount:k.readUInt16BE(10)}}function C(k,z){let A=[],j=z;while(!0){let B=k[j];if(B===0){j++;break}if((B&192)===192){let G=k.readUInt16BE(j)&16383,{name:E}=C(k,G);A.push(E),j+=2;break}j++,A.push(k.subarray(j,j+B).toString("ascii")),j+=B}return{name:A.join("."),newOffset:j}}function H(k,z){let{name:A,newOffset:j}=C(k,z),B=k.readUInt16BE(j),G=k.readUInt16BE(j+2);return{question:{name:A,type:B,class:G},newOffset:j+4}}function U(k){let z=k.split("."),A=[];for(let j of z)A.push(Buffer.from([j.length])),A.push(Buffer.from(j,"ascii"));return A.push(Buffer.from([0])),Buffer.concat(A)}function T(k,z,A){let j=[],B=Buffer.alloc(12);B.writeUInt16BE(k,0),B.writeUInt16BE(33152,2),B.writeUInt16BE(1,4),B.writeUInt16BE(1,6),B.writeUInt16BE(0,8),B.writeUInt16BE(0,10),j.push(B),j.push(U(z.name));let G=Buffer.alloc(4);G.writeUInt16BE(z.type,0),G.writeUInt16BE(z.class,2),j.push(G),j.push(U(z.name));let E=Buffer.alloc(10);if(E.writeUInt16BE(z.type,0),E.writeUInt16BE(1,2),E.writeUInt32BE(300,4),z.type===1){E.writeUInt16BE(4,8),j.push(E);let K=A.split(".").map((M)=>Number.parseInt(M,10));j.push(Buffer.from(K))}else if(z.type===28)E.writeUInt16BE(16,8),j.push(E),j.push(Buffer.from([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]));else return B.writeUInt16BE(33155,2),B.writeUInt16BE(0,6),Buffer.concat([B,U(z.name),G]);return Buffer.concat(j)}function I(k,z){let A=[],j=Buffer.alloc(12);j.writeUInt16BE(k,0),j.writeUInt16BE(33155,2),j.writeUInt16BE(1,4),j.writeUInt16BE(0,6),j.writeUInt16BE(0,8),j.writeUInt16BE(0,10),A.push(j),A.push(U(z.name));let B=Buffer.alloc(4);return B.writeUInt16BE(z.type,0),B.writeUInt16BE(z.class,2),A.push(B),Buffer.concat(A)}var J=null,Z=new Set;async function R(k,z){if(J)return F("dns","DNS server already running",z),!0;return Z=new Set(k.map((A)=>A.toLowerCase())),new Promise((A)=>{J=Q.createSocket("udp4"),J.on("error",(j)=>{if(F("dns",`DNS server error: ${j.message}`,z),j.message.includes("EACCES")||j.message.includes("permission"))F("dns","DNS server requires root privileges to bind to port 53",z);J?.close(),J=null,A(!1)}),J.on("message",(j,B)=>{try{let G=_(j),{question:E}=H(j,12);F("dns",`Query for ${E.name} type ${E.type} from ${B.address}`,z);let K=E.name.toLowerCase(),M=!1;for(let Y of Z)if(K===Y||K.endsWith(`.${Y}`)){M=!0;break}let W;if(M&&(E.type===1||E.type===28))W=T(G.id,E,"127.0.0.1"),F("dns",`Responding with localhost for ${E.name}`,z);else W=I(G.id,E),F("dns",`NXDOMAIN for ${E.name}`,z);J?.send(W,B.port,B.address)}catch(G){F("dns",`Error processing DNS query: ${G}`,z)}}),J.on("listening",()=>{let j=J?.address();F("dns",`DNS server listening on ${j?.address}:${j?.port}`,z),A(!0)});try{J.bind($,"127.0.0.1")}catch(j){F("dns",`Failed to bind DNS server: ${j}`,z),A(!1)}})}function O(k){if(J)F("dns","Stopping DNS server",k),J.close(),J=null}function w(){return J!==null}function x(k){let z=new Set;for(let A of k){let j=A.split(".");if(j.length>=2)z.add(j[j.length-1])}return Array.from(z)}var V=new Set;async function D(k){if(process.platform!=="darwin")return;let{execSudoSync:z,getSudoPassword:A}=await import("./chunk-qcdcnadb.js");if(!A()){F("dns","Cannot flush DNS cache without SUDO_PASSWORD",k);return}try{z("dscacheutil -flushcache"),z("killall -HUP mDNSResponder 2>/dev/null || true"),F("dns","DNS cache flushed",k)}catch(B){F("dns",`Could not flush DNS cache: ${B}`,k)}}async function y(k,z){if(process.platform!=="darwin")return F("dns","Resolver setup only needed on macOS",k),!0;let{execSudoSync:A,getSudoPassword:j}=await import("./chunk-qcdcnadb.js");if(!j())return F("dns","SUDO_PASSWORD not set, cannot create resolver files",k),!1;let G=z?x(z):["test"];try{for(let E of G){if(V.has(E))continue;let K=`bash -c 'mkdir -p /etc/resolver && echo -e "nameserver 127.0.0.1\\nport ${$}" > /etc/resolver/${E}'`;A(K),V.add(E),F("dns",`Created /etc/resolver/${E} for .${E} TLD`,k)}return await D(k),!0}catch(E){return F("dns",`Failed to create resolver file: ${E}`,k),!1}}async function L(k){if(process.platform!=="darwin")return;let{execSudoSync:z,getSudoPassword:A}=await import("./chunk-qcdcnadb.js");try{if(A()){for(let B of V)z(`rm -f /etc/resolver/${B}`),F("dns",`Removed /etc/resolver/${B}`,k);V.clear()}}catch(j){F("dns",`Failed to remove resolver files: ${j}`,k)}}export{O as stopDnsServer,R as startDnsServer,y as setupResolver,L as removeResolver,w as isDnsServerRunning};

package/dist/chunk-qcdcnadb.js

@@ -1 +0,0 @@
-import{b as a,c as b,d as c,e as d,f as e,g as f,h as g,i as h,j as i,k as j,l as k,m as l,n as m,o as n}from"./chunk-jpf41gb9.js";export{e as safeStringify,n as safeDeleteFile,m as resolvePathRewrite,d as redactSensitive,g as isValidRootCA,k as isSingleProxyOptions,l as isSingleProxyConfig,j as isMultiProxyOptions,i as isMultiProxyConfig,a as getSudoPassword,h as getPrimaryDomain,f as extractHostname,b as execSudoSync,c as debugLog};