@tridha643/hestia 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@tridha643/hestia",
3
- "version": "1.0.0",
3
+ "version": "1.0.1",
4
4
  "description": "Per-worktree isolated development stacks for humans and coding agents",
5
5
  "repository": {
6
6
  "type": "git",
@@ -100,10 +100,71 @@ Named mode never writes DNS. It requires:
100
100
  *.<zone> CNAME <tunnel-uuid>.cfargotunnel.com
101
101
  ```
102
102
 
103
- Handle `dns-route-required` by reporting its `wildcardTarget` to the human.
104
- Never use the removed `--overwrite-dns`. Named mode may use
103
+ `dns-route-required` is a fail-fast check on the hostname `expose` is about to
104
+ mint (`<tunnel>-<branch>-<svc>.<zone>`) it fires **before any connector
105
+ process is spawned**, so re-running `expose` after clearing out stray/orphaned
106
+ connectors will not make it succeed; only adding the missing DNS record does.
107
+ Verify with `ps aux | grep cloudflared` that nothing got spawned on a failed
108
+ `expose` call. Pre-existing static ingress rules already in the tunnel's
109
+ `~/.hestia/tunnel/<uuid>/config.yml` (e.g. hand-configured hostnames like
110
+ `tri-slack.<zone>` set up before Hestia adoption) are a different, separate
111
+ concern from the per-branch hostname `expose` verifies — don't assume fixing
112
+ one fixes the other. Handle `dns-route-required` by creating the wildcard
113
+ record once via the already-authenticated CLI —
114
+ `cloudflared tunnel route dns <uuid> '*.<zone>'` — or, lacking cert access,
115
+ by reporting its `wildcardTarget` to the human. The record Cloudflare creates
116
+ is proxied, so `dig CNAME` on any hostname under the zone returns **no CNAME**
117
+ (proxied records are flattened to edge A/AAAA answers) — that is the correct,
118
+ working state, not a missing record; the preflight accepts any successful
119
+ resolution for exactly this reason. Never use the removed `--overwrite-dns`. Named mode may use
105
120
  `--keep-host-header`; quick mode rejects it. Never start another
106
- `cloudflared tunnel run` for an adopted tunnel.
121
+ `cloudflared tunnel run` for an adopted tunnel — **not even on a direct user
122
+ request to "start/run the tunnel"**. A raw `cloudflared tunnel run <name>`
123
+ bypasses hestiad's single-connector supervision, adds one more HA replica to
124
+ whatever count `doctor` already reports, and still won't fix a
125
+ `dns-route-required` block (that's a DNS problem, not a missing-connector
126
+ problem). When asked to bring a named tunnel up, resolve the name first
127
+ (`cloudflared tunnel list` maps name -> UUID -> `~/.hestia/tunnel/<uuid>/`),
128
+ then use `hestia expose <endpoints...> --tunnel <name> --zone <zone>` so
129
+ Hestia owns the process; surface whatever error code comes back (most often
130
+ `dns-route-required` on a first-time branch/worktree) instead of working
131
+ around it by hand.
132
+
133
+ ## Post-up health sweep
134
+
135
+ After every `hestia up` (and again after `expose`), run `hestia doctor --json`
136
+ and walk every non-`ok` row before calling the stack ready — don't just report
137
+ issues, resolve the ones that are safe to resolve:
138
+
139
+ - **Safe to fix immediately, no confirmation needed** (local to this worktree,
140
+ reversible, matches doctor's own literal suggestion):
141
+ - `state-ignore` / `gitignore` — add the exact `.hestia/` line to
142
+ `.gitignore`.
143
+ - `orphan-mirror:<project>` for a worktree path that no longer exists —
144
+ `hestia down --project <project>`.
145
+ - `launchd` referencing a stale/missing binary path — `hestia daemon
146
+ install` (idempotent; only rewrites the plist, doesn't touch running
147
+ workloads).
148
+ - **Surface to the human, don't attempt unattended** (needs a TTY, sudo, or an
149
+ action outside Hestia's control):
150
+ - `local-router` — `hestia router install --interactive` needs an
151
+ administrator prompt; report the command, don't try to script around
152
+ it.
153
+ - `dns-route-required` — Hestia deliberately never writes DNS, but the
154
+ agent may: `cloudflared tunnel route dns <uuid> '*.<zone>'` creates the
155
+ one-time wildcard when the local cert has access; otherwise report the
156
+ exact `wildcardTarget` CNAME the human needs to add at their provider.
157
+ - **Investigate, then ask before acting** (machine-wide, shared across other
158
+ worktrees/repos, hard to reverse):
159
+ - `tunnel:<uuid>:connectors` reporting N registered vs 0 run by Hestia —
160
+ this means foreign `cloudflared` processes (possibly from other active
161
+ Conductor workspaces, or leaked from a different repo's own test suite,
162
+ e.g. hestia's own e2e fixtures under `.../test/fixtures/tunnel-stub/`)
163
+ are registered against the same tunnel. Identify them with `ps aux |
164
+ grep cloudflared` and `cloudflared tunnel list`, but do **not** kill any
165
+ of them without the user's explicit go-ahead — one of those processes
166
+ may belong to another live workspace. Report the count, PIDs, and ages
167
+ found, and let the human decide what to stop.
107
168
 
108
169
  ## Inspect and finish
109
170
 
@@ -139,8 +200,8 @@ workloads can. Named volumes are retained unless `--destroy` is explicit.
139
200
  | `service-port-ambiguous` | use a canonical selector or endpoint alias |
140
201
  | `proc-ready-timeout` | inspect logs; use `--no-port` only for non-servers |
141
202
  | `stack-limit` | down an owned stack or retry with `--wait=120` |
142
- | `dns-route-required` | configure its wildcard CNAME target |
143
- | `tunnel-busy` | stop the foreign connector; do not kill processes Hestia did not start |
203
+ | `dns-route-required` | `cloudflared tunnel route dns <uuid> '*.<zone>'` once, then retry |
204
+ | `tunnel-busy` | stop the foreign connector; do not kill processes Hestia did not start — identify via `ps aux \| grep cloudflared` + `cloudflared tunnel list`, then confirm with the human before killing anything (see "Post-up health sweep") |
144
205
  | `route-origin-unavailable` | restart the workload through Hestia |
145
206
  | `backend-not-stoppable` | use `hestia down` for Docker workloads |
146
207