@tridha643/hestia 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +26 -15
- package/dist/cli.js.map +6 -6
- package/dist/daemon.js +11 -3
- package/dist/daemon.js.map +4 -4
- package/package.json +1 -1
- package/skills/hestia/SKILL.md +66 -5
package/package.json
CHANGED
package/skills/hestia/SKILL.md
CHANGED
|
@@ -100,10 +100,71 @@ Named mode never writes DNS. It requires:
|
|
|
100
100
|
*.<zone> CNAME <tunnel-uuid>.cfargotunnel.com
|
|
101
101
|
```
|
|
102
102
|
|
|
103
|
-
|
|
104
|
-
|
|
103
|
+
`dns-route-required` is a fail-fast check on the hostname `expose` is about to
|
|
104
|
+
mint (`<tunnel>-<branch>-<svc>.<zone>`) — it fires **before any connector
|
|
105
|
+
process is spawned**, so re-running `expose` after clearing out stray/orphaned
|
|
106
|
+
connectors will not make it succeed; only adding the missing DNS record does.
|
|
107
|
+
Verify with `ps aux | grep cloudflared` that nothing got spawned on a failed
|
|
108
|
+
`expose` call. Pre-existing static ingress rules already in the tunnel's
|
|
109
|
+
`~/.hestia/tunnel/<uuid>/config.yml` (e.g. hand-configured hostnames like
|
|
110
|
+
`tri-slack.<zone>` set up before Hestia adoption) are a different, separate
|
|
111
|
+
concern from the per-branch hostname `expose` verifies — don't assume fixing
|
|
112
|
+
one fixes the other. Handle `dns-route-required` by creating the wildcard
|
|
113
|
+
record once via the already-authenticated CLI —
|
|
114
|
+
`cloudflared tunnel route dns <uuid> '*.<zone>'` — or, lacking cert access,
|
|
115
|
+
by reporting its `wildcardTarget` to the human. The record Cloudflare creates
|
|
116
|
+
is proxied, so `dig CNAME` on any hostname under the zone returns **no CNAME**
|
|
117
|
+
(proxied records are flattened to edge A/AAAA answers) — that is the correct,
|
|
118
|
+
working state, not a missing record; the preflight accepts any successful
|
|
119
|
+
resolution for exactly this reason. Never use the removed `--overwrite-dns`. Named mode may use
|
|
105
120
|
`--keep-host-header`; quick mode rejects it. Never start another
|
|
106
|
-
`cloudflared tunnel run` for an adopted tunnel
|
|
121
|
+
`cloudflared tunnel run` for an adopted tunnel — **not even on a direct user
|
|
122
|
+
request to "start/run the tunnel"**. A raw `cloudflared tunnel run <name>`
|
|
123
|
+
bypasses hestiad's single-connector supervision, adds one more HA replica to
|
|
124
|
+
whatever count `doctor` already reports, and still won't fix a
|
|
125
|
+
`dns-route-required` block (that's a DNS problem, not a missing-connector
|
|
126
|
+
problem). When asked to bring a named tunnel up, resolve the name first
|
|
127
|
+
(`cloudflared tunnel list` maps name -> UUID -> `~/.hestia/tunnel/<uuid>/`),
|
|
128
|
+
then use `hestia expose <endpoints...> --tunnel <name> --zone <zone>` so
|
|
129
|
+
Hestia owns the process; surface whatever error code comes back (most often
|
|
130
|
+
`dns-route-required` on a first-time branch/worktree) instead of working
|
|
131
|
+
around it by hand.
|
|
132
|
+
|
|
133
|
+
## Post-up health sweep
|
|
134
|
+
|
|
135
|
+
After every `hestia up` (and again after `expose`), run `hestia doctor --json`
|
|
136
|
+
and walk every non-`ok` row before calling the stack ready — don't just report
|
|
137
|
+
issues, resolve the ones that are safe to resolve:
|
|
138
|
+
|
|
139
|
+
- **Safe to fix immediately, no confirmation needed** (local to this worktree,
|
|
140
|
+
reversible, matches doctor's own literal suggestion):
|
|
141
|
+
- `state-ignore` / `gitignore` — add the exact `.hestia/` line to
|
|
142
|
+
`.gitignore`.
|
|
143
|
+
- `orphan-mirror:<project>` for a worktree path that no longer exists —
|
|
144
|
+
`hestia down --project <project>`.
|
|
145
|
+
- `launchd` referencing a stale/missing binary path — `hestia daemon
|
|
146
|
+
install` (idempotent; only rewrites the plist, doesn't touch running
|
|
147
|
+
workloads).
|
|
148
|
+
- **Surface to the human, don't attempt unattended** (needs a TTY, sudo, or an
|
|
149
|
+
action outside Hestia's control):
|
|
150
|
+
- `local-router` — `hestia router install --interactive` needs an
|
|
151
|
+
administrator prompt; report the command, don't try to script around
|
|
152
|
+
it.
|
|
153
|
+
- `dns-route-required` — Hestia deliberately never writes DNS, but the
|
|
154
|
+
agent may: `cloudflared tunnel route dns <uuid> '*.<zone>'` creates the
|
|
155
|
+
one-time wildcard when the local cert has access; otherwise report the
|
|
156
|
+
exact `wildcardTarget` CNAME the human needs to add at their provider.
|
|
157
|
+
- **Investigate, then ask before acting** (machine-wide, shared across other
|
|
158
|
+
worktrees/repos, hard to reverse):
|
|
159
|
+
- `tunnel:<uuid>:connectors` reporting N registered vs 0 run by Hestia —
|
|
160
|
+
this means foreign `cloudflared` processes (possibly from other active
|
|
161
|
+
Conductor workspaces, or leaked from a different repo's own test suite,
|
|
162
|
+
e.g. hestia's own e2e fixtures under `.../test/fixtures/tunnel-stub/`)
|
|
163
|
+
are registered against the same tunnel. Identify them with `ps aux |
|
|
164
|
+
grep cloudflared` and `cloudflared tunnel list`, but do **not** kill any
|
|
165
|
+
of them without the user's explicit go-ahead — one of those processes
|
|
166
|
+
may belong to another live workspace. Report the count, PIDs, and ages
|
|
167
|
+
found, and let the human decide what to stop.
|
|
107
168
|
|
|
108
169
|
## Inspect and finish
|
|
109
170
|
|
|
@@ -139,8 +200,8 @@ workloads can. Named volumes are retained unless `--destroy` is explicit.
|
|
|
139
200
|
| `service-port-ambiguous` | use a canonical selector or endpoint alias |
|
|
140
201
|
| `proc-ready-timeout` | inspect logs; use `--no-port` only for non-servers |
|
|
141
202
|
| `stack-limit` | down an owned stack or retry with `--wait=120` |
|
|
142
|
-
| `dns-route-required` |
|
|
143
|
-
| `tunnel-busy` | stop the foreign connector; do not kill processes Hestia did not start |
|
|
203
|
+
| `dns-route-required` | `cloudflared tunnel route dns <uuid> '*.<zone>'` once, then retry |
|
|
204
|
+
| `tunnel-busy` | stop the foreign connector; do not kill processes Hestia did not start — identify via `ps aux \| grep cloudflared` + `cloudflared tunnel list`, then confirm with the human before killing anything (see "Post-up health sweep") |
|
|
144
205
|
| `route-origin-unavailable` | restart the workload through Hestia |
|
|
145
206
|
| `backend-not-stoppable` | use `hestia down` for Docker workloads |
|
|
146
207
|
|