@stacksjs/rpx 0.11.7 → 0.11.8

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@stacksjs/rpx",
   "type": "module",
-  "version": "0.11.7",
+  "version": "0.11.8",
   "description": "A modern and smart reverse proxy.",
   "author": "Chris Breuer <chris@stacksjs.org>",
   "license": "MIT",

package/src/daemon-runner.ts

@@ -42,6 +42,16 @@ export interface DaemonRunnerOptions {
   detached?: boolean
   /** Override the daemon spawn command (tests). */
   spawnCommand?: string[]
+  /** Passed through to `ensureDaemonRunning` (default 5000ms). */
+  startupTimeoutMs?: number
+  /** Extra env for the daemon child (e.g. `SUDO_PASSWORD`). */
+  spawnEnv?: Record<string, string>
+  /**
+   * When true, registry entries omit `pid` so they persist until
+   * `rpx unregister` — avoids PID-GC dropping routes when the registering
+   * process is short-lived (e.g. a CLI wrapper).
+   */
+  persistent?: boolean
 }
 
 /**
@@ -78,14 +88,15 @@ export async function runViaDaemon(opts: DaemonRunnerOptions): Promise<void> {
     return { ...p, id }
   })
 
+  const createdAt = new Date().toISOString()
   for (const p of resolved) {
     await writeEntry({
       id: p.id,
       from: p.from,
       to: p.to,
-      pid: process.pid,
+      pid: opts.persistent ? undefined : process.pid,
       cwd: process.cwd(),
-      createdAt: new Date().toISOString(),
+      createdAt,
       cleanUrls: p.cleanUrls,
       changeOrigin: p.changeOrigin,
       pathRewrites: p.pathRewrites,
@@ -96,6 +107,8 @@ export async function runViaDaemon(opts: DaemonRunnerOptions): Promise<void> {
     rpxDir: opts.rpxDir,
     verbose,
     spawnCommand: opts.spawnCommand,
+    startupTimeoutMs: opts.startupTimeoutMs,
+    spawnEnv: opts.spawnEnv,
   })
 
   for (const p of resolved)

package/src/daemon.ts

@@ -156,16 +156,38 @@ function entryToRoute(entry: RegistryEntry): ProxyRoute {
  * Bootstrap the daemon's TLS material. Reuses the persisted Root CA and any
  * existing trusted host cert; mints fresh ones if none exist.
  *
- * The host cert is issued with the standard `*.localhost` SAN list (set by
- * `httpsConfig` via `getAllDomains`), so every `<app>.localhost` route is
- * covered without needing to regenerate when apps register.
+ * The host cert SAN list includes every hostname in the registry (e.g.
+ * `postline.localhost`, `api.postline.localhost`). Chrome does not treat
+ * `*.localhost` as matching `<app>.localhost`, so those names must be explicit.
  */
-async function bootstrapTls(opts: DaemonOptions): Promise<SSLConfig> {
+function pickPrimaryRegistryHost(hosts: string[]): string {
+  const appHost = hosts.find(h => !/^api\./.test(h) && !/^docs\./.test(h) && !/^dashboard\./.test(h))
+  return appHost ?? hosts[0] ?? 'rpx.localhost'
+}
+
+async function bootstrapTls(opts: DaemonOptions, registryDir: string): Promise<SSLConfig> {
+  const entries = await readAll(registryDir, opts.verbose)
+  const registryHosts = [...new Set(entries.map(e => e.to))]
+  const primary = pickPrimaryRegistryHost(registryHosts)
+  const hostnames = [...new Set([primary, ...registryHosts, 'rpx.localhost'])]
+
+  const sslDir = path.join(homedir(), '.stacks', 'ssl')
+  const sharedCert = path.join(sslDir, 'rpx.localhost.crt')
+
   const proxyOpts: ProxyOptions = {
-    https: opts.https ?? true,
-    to: 'rpx.localhost',
+    https: typeof opts.https === 'object'
+      ? { ...opts.https, certPath: sharedCert, keyPath: path.join(sslDir, 'rpx.localhost.key'), commonName: primary }
+      : {
+          certPath: sharedCert,
+          keyPath: path.join(sslDir, 'rpx.localhost.key'),
+          caCertPath: path.join(sslDir, 'rpx.localhost.ca.crt'),
+          commonName: primary,
+        },
     verbose: opts.verbose,
     regenerateUntrustedCerts: true,
+    ...(hostnames.length > 1
+      ? { proxies: hostnames.map(to => ({ from: 'localhost:1', to })) }
+      : { to: primary, from: 'localhost:1' }),
   }
 
   let sslConfig = await checkExistingCertificates(proxyOpts)
@@ -216,7 +238,7 @@ export async function runDaemon(opts: DaemonOptions = {}): Promise<DaemonHandle>
   })
   rebuild(await readAll(registryDir, verbose))
 
-  const sslConfig = await bootstrapTls(opts)
+  const sslConfig = await bootstrapTls(opts, registryDir)
 
   const httpsServer = Bun.serve({
     port: httpsPort,

package/src/https.ts

@@ -284,10 +284,19 @@ async function forceTrustCertificateMacOS(certPath: string): Promise<boolean> {
 
     debugLog('ssl', 'Trusting certificate via macOS security command', false)
 
-    // Use execSudoSync which handles SUDO_PASSWORD from env
+    // Login keychain — no sudo; Chrome/Arc often read this store on macOS.
+    const loginKeychain = join(homedir(), 'Library/Keychains/login.keychain-db')
     try {
-      execSudoSync(`security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${certPath}"`)
-      return true
+      execSync(`security add-trusted-cert -d -r trustRoot -p ssl -p basic -k "${loginKeychain}" "${certPath}"`, { stdio: 'ignore' })
+      if (await isCertTrusted(certPath, { verbose: false, regenerateUntrustedCerts: true }))
+        return true
+    }
+    catch { /* fall through to system keychain */ }
+
+    // System keychain — requires sudo / SUDO_PASSWORD.
+    try {
+      execSudoSync(`security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain "${certPath}"`)
+      return await isCertTrusted(certPath, { verbose: false, regenerateUntrustedCerts: true })
     }
     catch {
       return false
@@ -299,10 +308,11 @@ async function forceTrustCertificateMacOS(certPath: string): Promise<boolean> {
 }
 
 export async function generateCertificate(options: ProxyOptions): Promise<void> {
-  if (cachedSSLConfig) {
+  if (cachedSSLConfig && !(options as { forceRegenerate?: boolean }).forceRegenerate) {
     debugLog('ssl', 'Using cached SSL configuration', options.verbose)
     return
   }
+  clearSslConfigCache()
 
   // Get all unique domains from the configuration
   const domains: string[] = isMultiProxyOptions(options)
@@ -403,7 +413,7 @@ export async function generateCertificate(options: ProxyOptions): Promise<void>
   // We install only the Root CA — host certs derive their trust from it.
   if (process.platform === 'darwin') {
     try {
-      execSudoSync(`security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${rootCAPaths.caCertPath}"`)
+      execSudoSync(`security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain "${rootCAPaths.caCertPath}"`)
       if (options.verbose)
         log.success('Successfully added Root CA to system trust store')
 
@@ -413,7 +423,7 @@ export async function generateCertificate(options: ProxyOptions): Promise<void>
       const scriptPath = join(sslDir, 'trust-rpx-cert.sh')
       const scriptContent = `#!/bin/bash
 echo "Trusting RPX Root CA"
-sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${rootCAPaths.caCertPath}"
+sudo security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain "${rootCAPaths.caCertPath}"
 echo "Root CA trusted! Please restart your browser."
 echo "If you still see certificate warnings, type 'thisisunsafe' on the warning page in Chrome/Arc browsers."
 `
@@ -426,7 +436,7 @@ echo "If you still see certificate warnings, type 'thisisunsafe' on the warning
       const scriptPath = join(sslDir, 'trust-rpx-cert.sh')
       const scriptContent = `#!/bin/bash
 echo "Trusting RPX Root CA"
-sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${rootCAPaths.caCertPath}"
+sudo security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain "${rootCAPaths.caCertPath}"
 echo "Root CA trusted! Please restart your browser."
 echo "If you still see certificate warnings, type 'thisisunsafe' on the warning page in Chrome/Arc browsers."
 `
@@ -539,6 +549,11 @@ export function getSSLConfig(): { key: string, cert: string, ca?: string } | nul
   return cachedSSLConfig
 }
 
+/** Clear in-process TLS cache so the next generate/load picks up new files on disk. */
+export function clearSslConfigCache(): void {
+  cachedSSLConfig = null
+}
+
 // needs to accept the options
 export async function checkExistingCertificates(options?: ProxyOptions): Promise<SSLConfig | null> {
   if (!options)
@@ -569,10 +584,15 @@ export async function checkExistingCertificates(options?: ProxyOptions): Promise
     const flagValue = options.regenerateUntrustedCerts
     const shouldCheckTrust = hasFlag ? flagValue !== false : true
     debugLog('ssl', `Trust check: hasFlag=${hasFlag}, flagValue=${flagValue}, shouldCheckTrust=${shouldCheckTrust}`, options.verbose)
-    const certIsTrusted = shouldCheckTrust ? await isCertTrusted(sslConfig.certPath, options) : true
-
-    if (!certIsTrusted) {
-      debugLog('ssl', 'Certificate exists but is not trusted, will regenerate', options.verbose)
+    // Trust anchor is the shared Root CA — host certs are not installed individually.
+    const sslDir = sslConfig.basePath || join(homedir(), '.stacks', 'ssl')
+    const rootCAPaths = getRootCAPaths(sslDir)
+    const caIsTrusted = shouldCheckTrust
+      ? await isCertTrusted(rootCAPaths.caCertPath, options)
+      : true
+
+    if (!caIsTrusted) {
+      debugLog('ssl', 'Root CA exists but is not trusted, will regenerate', options.verbose)
       // Don't attempt to trust here - let generateCertificate handle it in one place
       // This avoids multiple sudo prompts
       return null
@@ -721,23 +741,33 @@ export async function isCertTrusted(certPath: string, options?: { verbose?: bool
       try {
         // Get certificate fingerprint
         const certFingerprint = execSync(`openssl x509 -noout -fingerprint -sha256 -in "${certPath}"`).toString().trim()
-        const fingerprintValue = certFingerprint.split('=')[1]?.trim() || ''
+        const normalize = (raw: string) => raw.split('=').pop()!.replace(/SHA-256\s+hash:\s*/gi, '').replace(/:/g, '').trim().toUpperCase()
+        const fingerprintValue = normalize(certFingerprint)
 
         if (!fingerprintValue) {
           debugLog('ssl', 'Could not extract certificate fingerprint', options?.verbose)
           return false
         }
 
-        // Check if the fingerprint exists in the system keychain and is trusted
-        const keychainOutput = execSync(`security find-certificate -a -Z -p | openssl x509 -noout -fingerprint -sha256`).toString()
+        const keychains = [
+          '/Library/Keychains/System.keychain',
+          join(homedir(), 'Library/Keychains/login.keychain-db'),
+        ]
 
-        // If the fingerprint is found in the trusted certs, consider it trusted
-        if (keychainOutput.includes(fingerprintValue)) {
-          debugLog('ssl', 'Certificate fingerprint found in system keychain', options?.verbose)
-          return true
+        for (const keychain of keychains) {
+          try {
+            const listing = execSync(`security find-certificate -a -Z "${keychain}" 2>/dev/null || true`).toString()
+            for (const line of listing.split('\n')) {
+              if (line.toUpperCase().includes('SHA-256') && normalize(line) === fingerprintValue) {
+                debugLog('ssl', `Certificate fingerprint found in ${keychain}`, options?.verbose)
+                return true
+              }
+            }
+          }
+          catch { /* try next keychain */ }
         }
 
-        debugLog('ssl', 'Certificate fingerprint not found in system keychain', options?.verbose)
+        debugLog('ssl', 'Certificate fingerprint not found in system keychains', options?.verbose)
         return false
       }
       catch (error) {

package/src/index.ts

@@ -13,6 +13,7 @@ export {
 export {
   checkExistingCertificates,
   cleanupCertificates,
+  clearSslConfigCache,
   forceTrustCertificate,
   generateCertificate,
   httpsConfig,