@stacksjs/rpx 0.4.1 → 0.5.0

package/dist/cli.js

@@ -20461,11 +20461,11 @@ var quotes = collect([
 ]);
 var export_prompts = import_prompts.default;
 // package.json
-var version = "0.4.1";
+var version = "0.5.0";
 
 // src/config.ts
-import os2 from "os";
-import path from "path";
+import { homedir } from "os";
+import { join as join2 } from "path";
 
 // node_modules/bun-config/dist/index.js
 import { resolve } from "path";
@@ -20517,24 +20517,27 @@ async function loadConfig({ name, cwd, defaultConfig }) {
 }
 
 // src/config.ts
+var defaultConfig = {
+  from: "localhost:5173",
+  to: "stacks.localhost",
+  https: {
+    basePath: "",
+    caCertPath: join2(homedir(), ".stacks", "ssl", `stacks.localhost.ca.crt`),
+    certPath: join2(homedir(), ".stacks", "ssl", `stacks.localhost.crt`),
+    keyPath: join2(homedir(), ".stacks", "ssl", `stacks.localhost.crt.key`)
+  },
+  etcHostsCleanup: true,
+  verbose: true
+};
 var config4 = await loadConfig({
   name: "reverse-proxy",
-  defaultConfig: {
-    from: "localhost:5173",
-    to: "stacks.localhost",
-    https: {
-      caCertPath: path.join(os2.homedir(), ".stacks", "ssl", `stacks.localhost.ca.crt`),
-      certPath: path.join(os2.homedir(), ".stacks", "ssl", `stacks.localhost.crt`),
-      keyPath: path.join(os2.homedir(), ".stacks", "ssl", `stacks.localhost.crt.key`)
-    },
-    etcHostsCleanup: true,
-    verbose: false
-  }
+  defaultConfig
 });
 
 // src/https.ts
-import os5 from "os";
-import path4 from "path";
+import fs3 from "fs/promises";
+import { homedir as homedir2 } from "os";
+import { join as join4 } from "path";
 
 // node_modules/@stacksjs/tlsx/dist/index.js
 import fs2 from "fs";
@@ -20558,7 +20561,7 @@ import {
   dirname as dirname3,
   extname as extname2,
   isAbsolute as isAbsolute2,
-  join as join2,
+  join as join3,
   normalize as normalize2,
   parse as parse2,
   relative as relative2,
@@ -20573,7 +20576,7 @@ import process8 from "process";
 import process102 from "process";
 import process182 from "process";
 import process112 from "process";
-import os3 from "os";
+import os2 from "os";
 import tty32 from "tty";
 import process142 from "process";
 import process132 from "process";
@@ -20582,11 +20585,11 @@ import process162 from "process";
 import process172 from "process";
 import process192 from "process";
 import os22 from "os";
-import path2 from "path";
+import path from "path";
 import { resolve as resolve3 } from "path";
 import process22 from "process";
 import fs from "fs";
-import path22 from "path";
+import path2 from "path";
 var __create3 = Object.create;
 var __getProtoOf3 = Object.getPrototypeOf;
 var __defProp3 = Object.defineProperty;
@@ -48110,29 +48113,29 @@ var log2 = {
   },
   echo: (...args) => console.log(...args)
 };
-function userDatabasePath2(path23) {
-  return projectPath2(`database/${path23 || ""}`);
+function userDatabasePath2(path22) {
+  return projectPath2(`database/${path22 || ""}`);
 }
-function appPath2(path23) {
-  return projectPath2(`app/${path23 || ""}`);
+function appPath2(path22) {
+  return projectPath2(`app/${path22 || ""}`);
 }
-function commandsPath2(path23) {
-  return appPath2(`Commands/${path23 || ""}`);
+function commandsPath2(path22) {
+  return appPath2(`Commands/${path22 || ""}`);
 }
-function logsPath2(path23) {
-  return storagePath2(`logs/${path23 || ""}`);
+function logsPath2(path22) {
+  return storagePath2(`logs/${path22 || ""}`);
 }
 function projectPath2(filePath = "", options2) {
-  let path23 = process52.cwd();
-  while (path23.includes("storage"))
-    path23 = resolve22(path23, "..");
-  const finalPath = resolve22(path23, filePath);
+  let path22 = process52.cwd();
+  while (path22.includes("storage"))
+    path22 = resolve22(path22, "..");
+  const finalPath = resolve22(path22, filePath);
   if (options2?.relative)
     return relative2(process52.cwd(), finalPath);
   return finalPath;
 }
-function storagePath2(path23) {
-  return projectPath2(`storage/${path23 || ""}`);
+function storagePath2(path22) {
+  return projectPath2(`storage/${path22 || ""}`);
 }
 var config6 = {
   ai: {
@@ -54219,7 +54222,7 @@ function _supportsColor2(haveStream, { streamIsTTY, sniffFlags = true } = {}) {
     return min;
   }
   if (process112.platform === "win32") {
-    const osRelease = os3.release().split(".");
+    const osRelease = os2.release().split(".");
     if (Number(osRelease[0]) >= 10 && Number(osRelease[2]) >= 10586) {
       return Number(osRelease[2]) >= 14931 ? 3 : 2;
     }
@@ -56793,35 +56796,37 @@ function deepMerge2(target, source) {
 function isObject32(item) {
   return Boolean(item && typeof item === "object" && !Array.isArray(item));
 }
-async function loadConfig2({ name, cwd, defaultConfig }) {
+async function loadConfig2({ name, cwd, defaultConfig: defaultConfig2 }) {
   const configPath = resolve3(cwd || process22.cwd(), `${name}.config`);
   try {
     const importedConfig = await import(configPath);
     const loadedConfig = importedConfig.default || importedConfig;
-    return deepMerge2(defaultConfig, loadedConfig);
+    return deepMerge2(defaultConfig2, loadedConfig);
   } catch (error) {
-    return defaultConfig;
-  }
-}
+    return defaultConfig2;
+  }
+}
+var defaultConfig2 = {
+  altNameIPs: ["127.0.0.1"],
+  altNameURIs: ["localhost"],
+  organizationName: "Local Development",
+  countryName: "US",
+  stateName: "California",
+  localityName: "Playa Vista",
+  commonName: "stacks.localhost",
+  validityDays: 825,
+  hostCertCN: "stacks.localhost",
+  domain: "stacks.localhost",
+  rootCA: { certificate: "", privateKey: "" },
+  basePath: "",
+  caCertPath: path.join(os22.homedir(), ".stacks", "ssl", `stacks.localhost.ca.crt`),
+  certPath: path.join(os22.homedir(), ".stacks", "ssl", `stacks.localhost.crt`),
+  keyPath: path.join(os22.homedir(), ".stacks", "ssl", `stacks.localhost.crt.key`),
+  verbose: false
+};
 var config42 = await loadConfig2({
   name: "tls",
-  defaultConfig: {
-    altNameIPs: ["127.0.0.1"],
-    altNameURIs: ["localhost"],
-    organizationName: "Local Development",
-    countryName: "US",
-    stateName: "California",
-    localityName: "Playa Vista",
-    commonName: "stacks.localhost",
-    validityDays: 825,
-    hostCertCN: "stacks.localhost",
-    domain: "stacks.localhost",
-    rootCAObject: { certificate: "", privateKey: "" },
-    caCertPath: path2.join(os22.homedir(), ".stacks", "ssl", `stacks.localhost.ca.crt`),
-    certPath: path2.join(os22.homedir(), ".stacks", "ssl", `stacks.localhost.crt`),
-    keyPath: path2.join(os22.homedir(), ".stacks", "ssl", `stacks.localhost.crt.key`),
-    verbose: false
-  }
+  defaultConfig: defaultConfig2
 });
 var import_node_forge = __toESM3(require_lib2(), 1);
 function makeNumberPositive(hexString) {
@@ -56837,7 +56842,7 @@ function findFoldersWithFile(rootDir, fileName) {
     try {
       const files = fs.readdirSync(dir);
       for (const file of files) {
-        const filePath = path22.join(dir, file);
+        const filePath = path2.join(dir, file);
         const stats = fs.lstatSync(filePath);
         if (stats.isDirectory()) {
           search(filePath);
@@ -56955,12 +56960,12 @@ async function createRootCA(options22 = {}) {
 async function generateCertificate(options22) {
   debugLog("cert", "Generating new certificate", options22.verbose);
   debugLog("cert", `Options: ${JSON.stringify(options22)}`, options22.verbose);
-  if (!options22.rootCAObject?.certificate || !options22.rootCAObject?.privateKey) {
+  if (!options22.rootCA?.certificate || !options22.rootCA?.privateKey) {
     throw new Error("Root CA certificate and private key are required");
   }
-  const caCert = import_node_forge2.pki.certificateFromPem(options22.rootCAObject.certificate);
-  const caKey = import_node_forge2.pki.privateKeyFromPem(options22.rootCAObject.privateKey);
-  debugLog("cert", "Generating 2048-bit RSA key pair for host certificate", options22?.verbose);
+  const caCert = import_node_forge2.pki.certificateFromPem(options22.rootCA.certificate);
+  const caKey = import_node_forge2.pki.privateKeyFromPem(options22.rootCA.privateKey);
+  debugLog("cert", "Generating 2048-bit RSA key pair for host certificate", options22.verbose);
   const keySize = 2048;
   const { privateKey, publicKey } = import_node_forge2.pki.rsa.generateKeyPair(keySize);
   const attributes = options22.certificateAttributes || [
@@ -57033,8 +57038,8 @@ async function addCertToSystemTrustStoreAndSaveCert(cert, caCert, options22) {
 }
 function storeCertificate(cert, options22) {
   debugLog("storage", `Storing certificate and private key with options: ${JSON.stringify(options22)}`, options22?.verbose);
-  const certPath = options22?.certPath || config42.certPath;
-  const certKeyPath = options22?.keyPath || config42.keyPath;
+  const certPath = path3.join(options22?.basePath || config42.basePath, options22?.certPath || config42.certPath);
+  const certKeyPath = path3.join(options22?.basePath || config42.basePath, options22?.keyPath || config42.keyPath);
   debugLog("storage", `Certificate path: ${certPath}`, options22?.verbose);
   debugLog("storage", `Private key path: ${certKeyPath}`, options22?.verbose);
   const certDir = path3.dirname(certPath);
@@ -57056,7 +57061,7 @@ function storeCertificate(cert, options22) {
 }
 function storeCACertificate(caCert, options22) {
   debugLog("storage", "Storing CA certificate", options22?.verbose);
-  const caCertPath = options22?.caCertPath || config42.caCertPath;
+  const caCertPath = path3.join(options22?.basePath || config42.basePath, options22?.caCertPath || config42.caCertPath);
   debugLog("storage", `CA certificate path: ${caCertPath}`, options22?.verbose);
   const caCertDir = path3.dirname(caCertPath);
   if (!fs2.existsSync(caCertDir)) {
@@ -57078,114 +57083,172 @@ function debugLog2(category, message, verbose) {
     console.debug(`[rpx:${category}] ${message}`);
   }
 }
-function extractDomains(options3) {
-  if (isMultiProxyConfig(options3)) {
+function extractHostname(options3) {
+  if (isMultiProxyOptions(options3)) {
     return options3.proxies.map((proxy) => {
-      const domain2 = proxy.to || "stacks.localhost";
-      return domain2.startsWith("http") ? new URL(domain2).hostname : domain2;
+      const domain = proxy.to || "stacks.localhost";
+      return domain.startsWith("http") ? new URL(domain).hostname : domain;
     });
   }
-  const domain = options3.to || "stacks.localhost";
-  return [domain.startsWith("http") ? new URL(domain).hostname : domain];
+  if (isSingleProxyOptions(options3)) {
+    const domain = options3.to || "stacks.localhost";
+    return [domain.startsWith("http") ? new URL(domain).hostname : domain];
+  }
+  return ["stacks.localhost"];
+}
+function isValidRootCA(value) {
+  return typeof value === "object" && value !== null && "certificate" in value && "privateKey" in value && typeof value.certificate === "string" && typeof value.privateKey === "string";
 }
 
 // src/https.ts
 var cachedSSLConfig = null;
 function isMultiProxyConfig(options3) {
-  return "proxies" in options3;
+  return "proxies" in options3 && Array.isArray(options3.proxies);
+}
+function isMultiProxyOptions(options3) {
+  return "proxies" in options3 && Array.isArray(options3.proxies);
+}
+function isSingleProxyOptions(options3) {
+  return "to" in options3 && typeof options3.to === "string";
+}
+function resolveSSLPaths(options3, defaultConfig3) {
+  const domain = isMultiProxyConfig(options3) ? options3.proxies[0].to || "stacks.localhost" : options3.to || "stacks.localhost";
+  if (typeof options3.https === "object" && typeof defaultConfig3.https === "object") {
+    const hasAllPaths = options3.https.caCertPath && options3.https.certPath && options3.https.keyPath;
+    if (hasAllPaths) {
+      const baseConfig = httpsConfig({
+        ...options3,
+        to: domain,
+        https: defaultConfig3.https
+      });
+      const altNameIPs = options3.https.altNameIPs?.filter((ip) => ip !== undefined) || baseConfig.altNameIPs;
+      const altNameURIs = options3.https.altNameURIs?.filter((uri) => uri !== undefined) || baseConfig.altNameURIs;
+      return {
+        ...baseConfig,
+        caCertPath: options3.https.caCertPath || baseConfig.caCertPath,
+        certPath: options3.https.certPath || baseConfig.certPath,
+        keyPath: options3.https.keyPath || baseConfig.keyPath,
+        basePath: options3.https.basePath || baseConfig.basePath,
+        commonName: options3.https.commonName || baseConfig.commonName,
+        organizationName: options3.https.organizationName || baseConfig.organizationName,
+        countryName: options3.https.countryName || baseConfig.countryName,
+        stateName: options3.https.stateName || baseConfig.stateName,
+        localityName: options3.https.localityName || baseConfig.localityName,
+        validityDays: options3.https.validityDays || baseConfig.validityDays,
+        altNameIPs,
+        altNameURIs,
+        verbose: options3.verbose || baseConfig.verbose
+      };
+    }
+  }
+  return httpsConfig({
+    ...options3,
+    to: domain
+  });
 }
 function generateWildcardPatterns(domain) {
   const patterns = new Set;
   patterns.add(domain);
   const parts = domain.split(".");
-  if (parts.length >= 2) {
+  if (parts.length >= 2)
     patterns.add(`*.${parts.slice(1).join(".")}`);
-  }
   return Array.from(patterns);
 }
-function generateBaseConfig(options3, verbose) {
-  const domains = extractDomains(options3);
-  const sslBase = path4.join(os5.homedir(), ".stacks", "ssl");
-  const httpsConfig = options3.https === true ? {
-    caCertPath: path4.join(sslBase, "rpx-ca.crt"),
-    certPath: path4.join(sslBase, "rpx.crt"),
-    keyPath: path4.join(sslBase, "rpx.key")
-  } : typeof config4.https === "object" ? {
-    ...options3.https,
-    ...config4.https
-  } : {};
-  debugLog2("ssl", `Extracted domains: ${domains.join(", ")}`, verbose);
-  debugLog2("ssl", `Using SSL base path: ${sslBase}`, verbose);
-  debugLog2("ssl", `Using HTTPS config: ${JSON.stringify(httpsConfig)}`, verbose);
-  const allPatterns = new Set;
-  domains.forEach((domain) => {
-    allPatterns.add(domain);
-    generateWildcardPatterns(domain).forEach((pattern) => allPatterns.add(pattern));
-  });
-  allPatterns.add("localhost");
-  allPatterns.add("*.localhost");
-  const uniqueDomains = Array.from(allPatterns);
-  debugLog2("ssl", `Generated domain patterns: ${uniqueDomains.join(", ")}`, verbose);
+function getPrimaryDomain(options3) {
+  if (!options3)
+    return "stacks.localhost";
+  if (isMultiProxyOptions(options3) && options3.proxies.length > 0)
+    return options3.proxies[0].to || "stacks.localhost";
+  if (isSingleProxyOptions(options3))
+    return options3.to || "stacks.localhost";
+  return "stacks.localhost";
+}
+function generateSSLPaths(options3) {
+  const domain = getPrimaryDomain(options3);
+  let basePath = "";
+  if (typeof options3?.https === "object") {
+    basePath = options3.https.basePath || "";
+    return {
+      caCertPath: options3.https.caCertPath || join4(basePath, `${domain}.ca.crt`),
+      certPath: options3.https.certPath || join4(basePath, `${domain}.crt`),
+      keyPath: options3.https.keyPath || join4(basePath, `${domain}.key`)
+    };
+  }
+  const sslBase = basePath || join4(homedir2(), ".stacks", "ssl");
+  const sanitizedDomain = domain.replace(/\*/g, "wildcard");
   return {
-    domain: domains[0],
-    hostCertCN: domains[0],
-    caCertPath: httpsConfig?.caCertPath ?? path4.join(sslBase, "rpx-ca.crt"),
-    certPath: httpsConfig?.certPath ?? path4.join(sslBase, "rpx.crt"),
-    keyPath: httpsConfig?.keyPath ?? path4.join(sslBase, "rpx.key"),
-    altNameIPs: httpsConfig?.altNameIPs ?? ["127.0.0.1", "::1"],
-    altNameURIs: httpsConfig?.altNameURIs ?? [],
-    commonName: httpsConfig?.commonName ?? domains[0],
-    organizationName: httpsConfig?.organizationName ?? "Local Development",
-    countryName: httpsConfig?.countryName ?? "US",
-    stateName: httpsConfig?.stateName ?? "California",
-    localityName: httpsConfig?.localityName ?? "Playa Vista",
-    validityDays: httpsConfig?.validityDays ?? 825,
-    verbose: verbose ?? false,
-    subjectAltNames: uniqueDomains.map((domain) => ({
-      type: 2,
-      value: domain
-    }))
+    caCertPath: join4(sslBase, `${sanitizedDomain}.ca.crt`),
+    certPath: join4(sslBase, `${sanitizedDomain}.crt`),
+    keyPath: join4(sslBase, `${sanitizedDomain}.key`)
   };
 }
-function generateRootCAConfig(verbose = false) {
-  const sslBase = path4.join(os5.homedir(), ".stacks", "ssl");
-  return {
-    domain: "stacks.localhost",
-    hostCertCN: "stacks.localhost",
-    caCertPath: path4.join(sslBase, "rpx-root-ca.crt"),
-    certPath: path4.join(sslBase, "rpx-certificate.crt"),
-    keyPath: path4.join(sslBase, "rpx-certificate.key"),
-    altNameIPs: ["127.0.0.1", "::1"],
-    altNameURIs: [],
-    organizationName: "Stacks Local Development",
-    countryName: "US",
-    stateName: "California",
-    localityName: "Playa Vista",
-    commonName: "stacks.localhost",
-    validityDays: 3650,
-    verbose
-  };
+function getAllDomains(options3) {
+  const domains = new Set;
+  if (isMultiProxyOptions(options3)) {
+    options3.proxies.forEach((proxy) => {
+      const domain = proxy.to || "stacks.localhost";
+      generateWildcardPatterns(domain).forEach((pattern) => domains.add(pattern));
+    });
+  } else if (isSingleProxyOptions(options3)) {
+    const domain = options3.to || "stacks.localhost";
+    generateWildcardPatterns(domain).forEach((pattern) => domains.add(pattern));
+  } else {
+    domains.add("stacks.localhost");
+  }
+  domains.add("localhost");
+  domains.add("*.localhost");
+  return domains;
 }
-function httpsConfig(options3) {
-  return generateBaseConfig(options3, options3.verbose);
+async function loadSSLConfig(options3) {
+  debugLog2("ssl", `Loading SSL configuration`, options3.verbose);
+  const mergedOptions = {
+    ...config4,
+    ...options3
+  };
+  options3.https = httpsConfig(mergedOptions);
+  if (!options3.https?.keyPath && !options3.https?.certPath) {
+    debugLog2("ssl", "No SSL configuration provided", options3.verbose);
+    return null;
+  }
+  if (options3.https?.keyPath && !options3.https?.certPath || !options3.https?.keyPath && options3.https?.certPath) {
+    const missing = !options3.https?.keyPath ? "keyPath" : "certPath";
+    debugLog2("ssl", `Invalid SSL configuration - missing ${missing}`, options3.verbose);
+    throw new Error(`SSL Configuration requires both keyPath and certPath. Missing: ${missing}`);
+  }
+  try {
+    if (!options3.https?.keyPath || !options3.https?.certPath)
+      return null;
+    try {
+      debugLog2("ssl", "Reading SSL certificate files", options3.verbose);
+      const key = await fs3.readFile(options3.https?.keyPath, "utf8");
+      const cert = await fs3.readFile(options3.https?.certPath, "utf8");
+      debugLog2("ssl", "SSL configuration loaded successfully", options3.verbose);
+      return { key, cert };
+    } catch (error) {
+      debugLog2("ssl", `Failed to read certificates: ${error}`, options3.verbose);
+      return null;
+    }
+  } catch (err3) {
+    debugLog2("ssl", `SSL configuration error: ${err3}`, options3.verbose);
+    throw err3;
+  }
 }
 async function generateCertificate2(options3) {
   if (cachedSSLConfig) {
-    const verbose2 = isMultiProxyConfig(options3) ? options3.verbose : options3.verbose;
-    debugLog2("ssl", "Using cached SSL configuration", verbose2);
+    debugLog2("ssl", "Using cached SSL configuration", options3.verbose);
     return;
   }
-  const domains = isMultiProxyConfig(options3) ? [options3.proxies[0].to, ...options3.proxies.map((proxy) => proxy.to)] : [options3.to];
-  const verbose = isMultiProxyConfig(options3) ? options3.verbose : options3.verbose;
-  debugLog2("ssl", `Generating certificate for domains: ${domains.join(", ")}`, verbose);
-  const rootCAConfig = generateRootCAConfig(verbose);
+  const domains = isMultiProxyOptions(options3) ? options3.proxies.map((proxy) => proxy.to) : [options3.to];
+  debugLog2("ssl", `Generating certificate for domains: ${domains.join(", ")}`, options3.verbose);
+  const rootCAConfig = httpsConfig(options3, options3.verbose);
   log.info("Generating Root CA certificate...");
   const caCert = await createRootCA(rootCAConfig);
-  const hostConfig = generateBaseConfig(options3, verbose);
+  const hostConfig = httpsConfig(options3, options3.verbose);
+  console.log("hostConfig", hostConfig);
   log.info(`Generating host certificate for: ${domains.join(", ")}`);
   const hostCert = await generateCertificate({
     ...hostConfig,
-    rootCAObject: {
+    rootCA: {
       certificate: caCert.certificate,
       privateKey: caCert.privateKey
     }
@@ -57197,14 +57260,88 @@ async function generateCertificate2(options3) {
     ca: caCert.certificate
   };
   log.success(`Certificate generated successfully for ${domains.length} domain${domains.length > 1 ? "s" : ""}`);
-  debugLog2("ssl", `Certificate includes domains: ${domains.join(", ")}`, verbose);
+  debugLog2("ssl", `Certificate includes domains: ${domains.join(", ")}`, options3.verbose);
 }
 function getSSLConfig() {
   return cachedSSLConfig;
 }
+async function checkExistingCertificates(options3) {
+  const name = getPrimaryDomain(options3);
+  const paths = generateSSLPaths(options3);
+  try {
+    debugLog2("ssl", `Checking certificates for ${name} at paths:`, options3?.verbose);
+    debugLog2("ssl", `CA: ${paths.caCertPath}`, options3?.verbose);
+    debugLog2("ssl", `Cert: ${paths.certPath}`, options3?.verbose);
+    debugLog2("ssl", `Key: ${paths.keyPath}`, options3?.verbose);
+    const key = await fs3.readFile(paths.keyPath, "utf8");
+    const cert = await fs3.readFile(paths.certPath, "utf8");
+    let ca;
+    if (paths.caCertPath) {
+      try {
+        ca = await fs3.readFile(paths.caCertPath, "utf8");
+      } catch (err3) {
+        debugLog2("ssl", `Failed to read CA cert: ${err3}`, options3?.verbose);
+      }
+    }
+    return { key, cert, ca };
+  } catch (err3) {
+    debugLog2("ssl", `Failed to read certificates: ${err3}`, options3?.verbose);
+    return null;
+  }
+}
+function httpsConfig(options3, verbose) {
+  const primaryDomain = getPrimaryDomain(options3);
+  debugLog2("ssl", `Primary domain: ${primaryDomain}`, verbose);
+  const defaultPaths = generateSSLPaths(options3);
+  if (typeof options3.https === "object") {
+    const config5 = {
+      domain: primaryDomain,
+      hostCertCN: primaryDomain,
+      basePath: options3.https.basePath || "",
+      caCertPath: options3.https.caCertPath || defaultPaths.caCertPath,
+      certPath: options3.https.certPath || defaultPaths.certPath,
+      keyPath: options3.https.keyPath || defaultPaths.keyPath,
+      altNameIPs: ["127.0.0.1", "::1"],
+      altNameURIs: [],
+      commonName: options3.https.commonName || primaryDomain,
+      organizationName: options3.https.organizationName || "Local Development",
+      countryName: options3.https.countryName || "US",
+      stateName: options3.https.stateName || "California",
+      localityName: options3.https.localityName || "Playa Vista",
+      validityDays: options3.https.validityDays || 825,
+      verbose: verbose || false,
+      subjectAltNames: Array.from(getAllDomains(options3)).map((domain) => ({
+        type: 2,
+        value: domain
+      }))
+    };
+    if (isValidRootCA(options3.https.rootCA)) {
+      config5.rootCA = options3.https.rootCA;
+    }
+    return config5;
+  }
+  return {
+    domain: primaryDomain,
+    hostCertCN: primaryDomain,
+    basePath: "",
+    ...defaultPaths,
+    altNameIPs: ["127.0.0.1", "::1"],
+    altNameURIs: [],
+    commonName: primaryDomain,
+    organizationName: "Local Development",
+    countryName: "US",
+    stateName: "California",
+    localityName: "Playa Vista",
+    validityDays: 825,
+    verbose: verbose || false,
+    subjectAltNames: Array.from(getAllDomains(options3)).map((domain) => ({
+      type: 2,
+      value: domain
+    }))
+  };
+}
 
 // src/start.ts
-import * as fs5 from "fs";
 import * as http from "http";
 import * as https from "https";
 import * as net from "net";
@@ -57212,29 +57349,29 @@ import process9 from "process";
 
 // src/hosts.ts
 import { spawn } from "child_process";
-import fs3 from "fs";
-import os7 from "os";
-import path6 from "path";
+import fs5 from "fs";
+import os3 from "os";
+import path4 from "path";
 import process3 from "process";
-var hostsFilePath = process3.platform === "win32" ? path6.join(process3.env.windir || "C:\\Windows", "System32", "drivers", "etc", "hosts") : "/etc/hosts";
+var hostsFilePath = process3.platform === "win32" ? path4.join(process3.env.windir || "C:\\Windows", "System32", "drivers", "etc", "hosts") : "/etc/hosts";
 async function sudoWrite(operation, content) {
   return new Promise((resolve4, reject) => {
     if (process3.platform === "win32") {
       reject(new Error("Administrator privileges required on Windows"));
       return;
     }
-    const tmpFile = path6.join(os7.tmpdir(), "hosts.tmp");
+    const tmpFile = path4.join(os3.tmpdir(), "hosts.tmp");
     try {
       if (operation === "append") {
-        const currentContent = fs3.readFileSync(hostsFilePath, "utf8");
-        fs3.writeFileSync(tmpFile, currentContent + content, "utf8");
+        const currentContent = fs5.readFileSync(hostsFilePath, "utf8");
+        fs5.writeFileSync(tmpFile, currentContent + content, "utf8");
       } else {
-        fs3.writeFileSync(tmpFile, content, "utf8");
+        fs5.writeFileSync(tmpFile, content, "utf8");
       }
       const sudo = spawn("sudo", ["cp", tmpFile, hostsFilePath]);
       sudo.on("close", (code) => {
         try {
-          fs3.unlinkSync(tmpFile);
+          fs5.unlinkSync(tmpFile);
           if (code === 0)
             resolve4();
           else
@@ -57245,7 +57382,7 @@ async function sudoWrite(operation, content) {
       });
       sudo.on("error", (err3) => {
         try {
-          fs3.unlinkSync(tmpFile);
+          fs5.unlinkSync(tmpFile);
         } catch {
         }
         reject(err3);
@@ -57259,7 +57396,7 @@ async function addHosts(hosts, verbose) {
   debugLog2("hosts", `Adding hosts: ${hosts.join(", ")}`, verbose);
   debugLog2("hosts", `Using hosts file at: ${hostsFilePath}`, verbose);
   try {
-    const existingContent = await fs3.promises.readFile(hostsFilePath, "utf-8");
+    const existingContent = await fs5.promises.readFile(hostsFilePath, "utf-8");
     const newEntries = hosts.filter((host) => {
       const ipv4Entry = `127.0.0.1 ${host}`;
       const ipv6Entry = `::1 ${host}`;
@@ -57276,7 +57413,7 @@ async function addHosts(hosts, verbose) {
 ::1 ${host}`).join(`
 `);
     try {
-      await fs3.promises.appendFile(hostsFilePath, hostEntries, { flag: "a" });
+      await fs5.promises.appendFile(hostsFilePath, hostEntries, { flag: "a" });
       log.success(`Added new hosts: ${newEntries.join(", ")}`);
     } catch (writeErr) {
       if (writeErr.code === "EACCES") {
@@ -57314,7 +57451,7 @@ On Unix systems:`);
 async function removeHosts(hosts, verbose) {
   debugLog2("hosts", `Removing hosts: ${hosts.join(", ")}`, verbose);
   try {
-    const content = await fs3.promises.readFile(hostsFilePath, "utf-8");
+    const content = await fs5.promises.readFile(hostsFilePath, "utf-8");
     const lines = content.split(`
 `);
     const filteredLines = lines.filter((line, index) => {
@@ -57330,7 +57467,7 @@ async function removeHosts(hosts, verbose) {
 `)}
 `;
     try {
-      await fs3.promises.writeFile(hostsFilePath, newContent);
+      await fs5.promises.writeFile(hostsFilePath, newContent);
       log.success("Hosts removed successfully");
     } catch (writeErr) {
       if (writeErr.code === "EACCES") {
@@ -57370,7 +57507,7 @@ On Unix systems:`);
 }
 async function checkHosts(hosts, verbose) {
   debugLog2("hosts", `Checking hosts: ${hosts}`, verbose);
-  const content = await fs3.promises.readFile(hostsFilePath, "utf-8");
+  const content = await fs5.promises.readFile(hostsFilePath, "utf-8");
   return hosts.map((host) => {
     const ipv4Entry = `127.0.0.1 ${host}`;
     const ipv6Entry = `::1 ${host}`;
@@ -57424,39 +57561,6 @@ process9.on("uncaughtException", (err3) => {
   log.error("Uncaught exception:", err3);
   cleanup();
 });
-async function loadSSLConfig(options3) {
-  debugLog2("ssl", `Loading SSL configuration`, options3.verbose);
-  if (options3.https === true)
-    options3.https = httpsConfig(options3);
-  else if (options3.https === false)
-    return null;
-  if (!options3.https?.keyPath && !options3.https?.certPath) {
-    debugLog2("ssl", "No SSL configuration provided", options3.verbose);
-    return null;
-  }
-  if (options3.https?.keyPath && !options3.https?.certPath || !options3.https?.keyPath && options3.https?.certPath) {
-    const missing = !options3.https?.keyPath ? "keyPath" : "certPath";
-    debugLog2("ssl", `Invalid SSL configuration - missing ${missing}`, options3.verbose);
-    throw new Error(`SSL Configuration requires both keyPath and certPath. Missing: ${missing}`);
-  }
-  try {
-    if (!options3.https?.keyPath || !options3.https?.certPath)
-      return null;
-    try {
-      debugLog2("ssl", "Reading SSL certificate files", options3.verbose);
-      const key = await fs5.promises.readFile(options3.https?.keyPath, "utf8");
-      const cert = await fs5.promises.readFile(options3.https?.certPath, "utf8");
-      debugLog2("ssl", "SSL configuration loaded successfully", options3.verbose);
-      return { key, cert };
-    } catch (error) {
-      debugLog2("ssl", `Failed to read certificates: ${error}`, options3.verbose);
-      return null;
-    }
-  } catch (err3) {
-    debugLog2("ssl", `SSL configuration error: ${err3}`, options3.verbose);
-    throw err3;
-  }
-}
 function isPortInUse(port, hostname, verbose) {
   debugLog2("port", `Checking if port ${port} is in use on ${hostname}`, verbose);
   return new Promise((resolve4) => {
@@ -57512,8 +57616,8 @@ async function testConnection(hostname, port, verbose) {
 }
 async function startServer(options3) {
   debugLog2("server", `Starting server with options: ${JSON.stringify(options3)}`, options3.verbose);
-  const fromUrl = new URL(options3.from.startsWith("http") ? options3.from : `http://${options3.from}`);
-  const toUrl = new URL(options3.to.startsWith("http") ? options3.to : `http://${options3.to}`);
+  const fromUrl = new URL((options3.from?.startsWith("http") ? options3.from : `http://${options3.from}`) || "localhost:5173");
+  const toUrl = new URL((options3.to?.startsWith("http") ? options3.to : `http://${options3.to}`) || "stacks.localhost");
   const fromPort = Number.parseInt(fromUrl.port) || (fromUrl.protocol.includes("https:") ? 443 : 80);
   const hostsToCheck = [toUrl.hostname];
   if (!toUrl.hostname.includes("localhost") && !toUrl.hostname.includes("127.0.0.1")) {
@@ -57597,7 +57701,7 @@ async function startServer(options3) {
   debugLog2("server", `Setting up reverse proxy with SSL config for ${toUrl.hostname}`, options3.verbose);
   await setupReverseProxy({
     ...options3,
-    from: options3.from,
+    from: options3.from || "localhost:5173",
     to: toUrl.hostname,
     fromPort,
     sourceUrl: {
@@ -57752,51 +57856,77 @@ function startHttpRedirectServer(verbose) {
   debugLog2("redirect", "HTTP redirect server started", verbose);
 }
 function startProxy(options3) {
-  debugLog2("proxy", `Starting proxy with options: ${JSON.stringify(options3)}`, options3?.verbose);
+  const mergedOptions = {
+    ...config4,
+    ...options3
+  };
+  debugLog2("proxy", `Starting proxy with options: ${JSON.stringify(mergedOptions)}`, mergedOptions?.verbose);
   const serverOptions = {
-    from: options3?.from || "localhost:5173",
-    to: options3?.to || "stacks.localhost",
-    https: httpsConfig(options3),
-    etcHostsCleanup: options3?.etcHostsCleanup || false,
-    verbose: options3?.verbose || false
+    from: mergedOptions.from,
+    to: mergedOptions.to,
+    https: httpsConfig(mergedOptions),
+    etcHostsCleanup: mergedOptions.etcHostsCleanup,
+    verbose: mergedOptions.verbose
   };
   console.log("serverOptions", serverOptions);
   startServer(serverOptions).catch((err3) => {
-    debugLog2("proxy", `Failed to start proxy: ${err3}`, options3.verbose);
+    debugLog2("proxy", `Failed to start proxy: ${err3}`, mergedOptions.verbose);
     log.error(`Failed to start proxy: ${err3.message}`);
     cleanup({
-      domains: [options3.to],
-      etcHostsCleanup: options3.etcHostsCleanup,
-      verbose: options3.verbose
+      domains: [mergedOptions.to],
+      etcHostsCleanup: mergedOptions.etcHostsCleanup,
+      verbose: mergedOptions.verbose
     });
   });
 }
 async function startProxies(options3) {
-  if (!options3)
-    return;
-  debugLog2("proxies", "Starting proxies setup", isMultiProxyConfig2(options3) ? options3.verbose : options3.verbose);
-  if (options3.https) {
-    await generateCertificate2(options3);
+  debugLog2("proxies", "Starting proxy setup", options3?.verbose);
+  const mergedOptions = {
+    ...config4,
+    ...options3
+  };
+  const primaryDomain = isMultiProxyConfig(mergedOptions) ? mergedOptions.proxies[0].to || "stacks.localhost" : mergedOptions.to || "stacks.localhost";
+  if (mergedOptions.https) {
+    const existingSSLConfig = await checkExistingCertificates(mergedOptions);
+    if (existingSSLConfig) {
+      debugLog2("ssl", `Using existing certificates for ${primaryDomain}`, mergedOptions.verbose);
+      mergedOptions._cachedSSLConfig = existingSSLConfig;
+    } else {
+      debugLog2("ssl", `No valid certificates found for ${primaryDomain}, generating new ones`, mergedOptions.verbose);
+      await generateCertificate2(mergedOptions);
+      const sslConfig2 = await checkExistingCertificates(mergedOptions);
+      if (!sslConfig2) {
+        throw new Error(`Failed to load SSL certificates after generation for ${primaryDomain}. Please check file permissions and paths.`);
+      }
+      mergedOptions._cachedSSLConfig = sslConfig2;
+    }
   }
-  const proxyOptions = isMultiProxyConfig2(options3) ? options3.proxies.map((proxy) => ({
+  const proxyOptions = isMultiProxyConfig(mergedOptions) ? mergedOptions.proxies.map((proxy) => ({
     ...proxy,
-    https: options3.https,
-    etcHostsCleanup: options3.etcHostsCleanup,
-    verbose: options3.verbose,
-    _cachedSSLConfig: options3._cachedSSLConfig
-  })) : [options3];
-  const domains = extractDomains(options3);
-  const sslConfig = options3.https ? getSSLConfig() : null;
+    https: mergedOptions.https,
+    etcHostsCleanup: mergedOptions.etcHostsCleanup,
+    verbose: mergedOptions.verbose,
+    _cachedSSLConfig: mergedOptions._cachedSSLConfig
+  })) : [{
+    from: mergedOptions.from || "localhost:5173",
+    to: mergedOptions.to || "stacks.localhost",
+    https: mergedOptions.https,
+    etcHostsCleanup: mergedOptions.etcHostsCleanup,
+    verbose: mergedOptions.verbose,
+    _cachedSSLConfig: mergedOptions._cachedSSLConfig
+  }];
+  const domains = proxyOptions.map((opt) => opt.to || "stacks.localhost");
+  const sslConfig = mergedOptions._cachedSSLConfig;
   const cleanupHandler = () => cleanup({
     domains,
-    etcHostsCleanup: isMultiProxyConfig2(options3) ? options3.etcHostsCleanup : options3.etcHostsCleanup || false,
-    verbose: isMultiProxyConfig2(options3) ? options3.verbose : options3.verbose || false
+    etcHostsCleanup: mergedOptions.etcHostsCleanup || false,
+    verbose: mergedOptions.verbose || false
   });
   process9.on("SIGINT", cleanupHandler);
   process9.on("SIGTERM", cleanupHandler);
   process9.on("uncaughtException", (err3) => {
     debugLog2("process", `Uncaught exception: ${err3}`, true);
-    log.error("Uncaught exception:", err3);
+    console.error("Uncaught exception:", err3);
     cleanupHandler();
   });
   for (const option of proxyOptions) {
@@ -57813,14 +57943,11 @@ async function startProxies(options3) {
       });
     } catch (err3) {
       debugLog2("proxies", `Failed to start proxy for ${option.to}: ${err3}`, option.verbose);
-      log.error(`Failed to start proxy for ${option.to}:`, err3);
+      console.error(`Failed to start proxy for ${option.to}:`, err3);
       cleanupHandler();
     }
   }
 }
-function isMultiProxyConfig2(options3) {
-  return "proxies" in options3;
-}
 
 // bin/cli.ts
 var cli = new CAC("reverse-proxy");