peakroute 0.5.0

package/dist/cli.js

@@ -0,0 +1,1145 @@
+#!/usr/bin/env node
+import {
+  FILE_MODE,
+  IS_WINDOWS,
+  PRIVILEGED_PORT_THRESHOLD,
+  RouteConflictError,
+  RouteStore,
+  chmodSafe,
+  createProxyServer,
+  discoverState,
+  findFreePort,
+  findPidOnPort,
+  fixOwnership,
+  formatUrl,
+  getDefaultPort,
+  injectFrameworkFlags,
+  isErrnoException,
+  isHttpsEnvEnabled,
+  isProxyRunning,
+  parseHostname,
+  prompt,
+  readTlsMarker,
+  resolveStateDir,
+  spawnCommand,
+  waitForProxy,
+  writeTlsMarker
+} from "./chunk-OWNUHDR5.js";
+
+// src/cli.ts
+import chalk from "chalk";
+import * as fs2 from "fs";
+import * as path2 from "path";
+import { spawn, spawnSync } from "child_process";
+
+// src/certs.ts
+import * as fs from "fs";
+import * as path from "path";
+import * as crypto from "crypto";
+import * as tls from "tls";
+import { execFile as execFileCb, execFileSync } from "child_process";
+import { promisify } from "util";
+var CA_VALIDITY_DAYS = 3650;
+var SERVER_VALIDITY_DAYS = 365;
+var EXPIRY_BUFFER_MS = 7 * 24 * 60 * 60 * 1e3;
+var CA_COMMON_NAME = "peakroute Local CA";
+var OPENSSL_TIMEOUT_MS = 15e3;
+var CA_KEY_FILE = "ca-key.pem";
+var CA_CERT_FILE = "ca.pem";
+var SERVER_KEY_FILE = "server-key.pem";
+var SERVER_CERT_FILE = "server.pem";
+function fileExists(filePath) {
+  try {
+    fs.accessSync(filePath, fs.constants.R_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isCertValid(certPath) {
+  try {
+    const pem = fs.readFileSync(certPath, "utf-8");
+    const cert = new crypto.X509Certificate(pem);
+    const expiry = new Date(cert.validTo).getTime();
+    return Date.now() + EXPIRY_BUFFER_MS < expiry;
+  } catch {
+    return false;
+  }
+}
+function isCertSignatureStrong(certPath) {
+  try {
+    const text = openssl(["x509", "-in", certPath, "-noout", "-text"]);
+    const match = text.match(/Signature Algorithm:\s*(\S+)/i);
+    if (!match) return false;
+    const algo = match[1].toLowerCase();
+    return !algo.includes("sha1");
+  } catch {
+    return false;
+  }
+}
+function openssl(args, options) {
+  try {
+    return execFileSync("openssl", args, {
+      encoding: "utf-8",
+      timeout: OPENSSL_TIMEOUT_MS,
+      input: options?.input,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    throw new Error(
+      `openssl failed: ${message}
+
+Make sure openssl is installed (ships with macOS and most Linux distributions).`
+    );
+  }
+}
+var execFileAsync = promisify(execFileCb);
+async function opensslAsync(args) {
+  try {
+    const { stdout } = await execFileAsync("openssl", args, {
+      encoding: "utf-8",
+      timeout: OPENSSL_TIMEOUT_MS
+    });
+    return stdout;
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    throw new Error(
+      `openssl failed: ${message}
+
+Make sure openssl is installed (ships with macOS and most Linux distributions).`
+    );
+  }
+}
+function generateCA(stateDir) {
+  const keyPath = path.join(stateDir, CA_KEY_FILE);
+  const certPath = path.join(stateDir, CA_CERT_FILE);
+  openssl(["ecparam", "-genkey", "-name", "prime256v1", "-noout", "-out", keyPath]);
+  openssl([
+    "req",
+    "-new",
+    "-x509",
+    "-sha256",
+    "-key",
+    keyPath,
+    "-out",
+    certPath,
+    "-days",
+    CA_VALIDITY_DAYS.toString(),
+    "-subj",
+    `/CN=${CA_COMMON_NAME}`,
+    "-addext",
+    "basicConstraints=critical,CA:TRUE",
+    "-addext",
+    "keyUsage=critical,keyCertSign,cRLSign"
+  ]);
+  fs.chmodSync(keyPath, 384);
+  fs.chmodSync(certPath, 420);
+  fixOwnership(keyPath, certPath);
+  return { certPath, keyPath };
+}
+function generateServerCert(stateDir) {
+  const caKeyPath = path.join(stateDir, CA_KEY_FILE);
+  const caCertPath = path.join(stateDir, CA_CERT_FILE);
+  const serverKeyPath = path.join(stateDir, SERVER_KEY_FILE);
+  const serverCertPath = path.join(stateDir, SERVER_CERT_FILE);
+  const csrPath = path.join(stateDir, "server.csr");
+  const extPath = path.join(stateDir, "server-ext.cnf");
+  openssl(["ecparam", "-genkey", "-name", "prime256v1", "-noout", "-out", serverKeyPath]);
+  openssl(["req", "-new", "-key", serverKeyPath, "-out", csrPath, "-subj", "/CN=localhost"]);
+  fs.writeFileSync(
+    extPath,
+    [
+      "authorityKeyIdentifier=keyid,issuer",
+      "basicConstraints=CA:FALSE",
+      "keyUsage=digitalSignature,keyEncipherment",
+      "extendedKeyUsage=serverAuth",
+      "subjectAltName=DNS:localhost,DNS:*.localhost"
+    ].join("\n") + "\n"
+  );
+  openssl([
+    "x509",
+    "-req",
+    "-sha256",
+    "-in",
+    csrPath,
+    "-CA",
+    caCertPath,
+    "-CAkey",
+    caKeyPath,
+    "-CAcreateserial",
+    "-out",
+    serverCertPath,
+    "-days",
+    SERVER_VALIDITY_DAYS.toString(),
+    "-extfile",
+    extPath
+  ]);
+  for (const tmp of [csrPath, extPath]) {
+    try {
+      fs.unlinkSync(tmp);
+    } catch {
+    }
+  }
+  fs.chmodSync(serverKeyPath, 384);
+  fs.chmodSync(serverCertPath, 420);
+  fixOwnership(serverKeyPath, serverCertPath);
+  return { certPath: serverCertPath, keyPath: serverKeyPath };
+}
+function ensureCerts(stateDir) {
+  const caCertPath = path.join(stateDir, CA_CERT_FILE);
+  const caKeyPath = path.join(stateDir, CA_KEY_FILE);
+  const serverCertPath = path.join(stateDir, SERVER_CERT_FILE);
+  const serverKeyPath = path.join(stateDir, SERVER_KEY_FILE);
+  let caGenerated = false;
+  if (!fileExists(caCertPath) || !fileExists(caKeyPath) || !isCertValid(caCertPath) || !isCertSignatureStrong(caCertPath)) {
+    generateCA(stateDir);
+    caGenerated = true;
+  }
+  if (caGenerated || !fileExists(serverCertPath) || !fileExists(serverKeyPath) || !isCertValid(serverCertPath) || !isCertSignatureStrong(serverCertPath)) {
+    generateServerCert(stateDir);
+  }
+  return {
+    certPath: serverCertPath,
+    keyPath: path.join(stateDir, SERVER_KEY_FILE),
+    caPath: caCertPath,
+    caGenerated
+  };
+}
+function isCATrusted(stateDir) {
+  const caCertPath = path.join(stateDir, CA_CERT_FILE);
+  if (!fileExists(caCertPath)) return false;
+  if (process.platform === "darwin") {
+    return isCATrustedMacOS(caCertPath);
+  } else if (process.platform === "linux") {
+    return isCATrustedLinux(stateDir);
+  } else if (IS_WINDOWS) {
+    return isCATrustedWindows(caCertPath);
+  }
+  return false;
+}
+function isCATrustedMacOS(caCertPath) {
+  try {
+    const fingerprint = openssl(["x509", "-in", caCertPath, "-noout", "-fingerprint", "-sha1"]).trim().replace(/^.*=/, "").replace(/:/g, "").toLowerCase();
+    for (const keychain of [loginKeychainPath(), "/Library/Keychains/System.keychain"]) {
+      try {
+        const result = execFileSync("security", ["find-certificate", "-a", "-Z", keychain], {
+          encoding: "utf-8",
+          timeout: 5e3,
+          stdio: ["pipe", "pipe", "pipe"]
+        });
+        if (result.toLowerCase().includes(fingerprint)) return true;
+      } catch {
+      }
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+function loginKeychainPath() {
+  try {
+    const result = execFileSync("security", ["default-keychain"], {
+      encoding: "utf-8",
+      timeout: 5e3
+    }).trim();
+    const match = result.match(/"(.+)"/);
+    if (match) return match[1];
+  } catch {
+  }
+  const home = process.env.HOME || `/Users/${process.env.USER || "unknown"}`;
+  return path.join(home, "Library", "Keychains", "login.keychain-db");
+}
+function isCATrustedLinux(stateDir) {
+  const systemCertPath = `/usr/local/share/ca-certificates/peakroute-ca.crt`;
+  if (!fileExists(systemCertPath)) return false;
+  try {
+    const ours = fs.readFileSync(path.join(stateDir, CA_CERT_FILE), "utf-8").trim();
+    const installed = fs.readFileSync(systemCertPath, "utf-8").trim();
+    return ours === installed;
+  } catch {
+    return false;
+  }
+}
+function isCATrustedWindows(caCertPath) {
+  try {
+    const fingerprint = openssl(["x509", "-in", caCertPath, "-noout", "-fingerprint", "-sha1"]).trim().replace(/^.*=/, "").replace(/:/g, "").toLowerCase();
+    const result = execFileSync("certutil", ["-store", "-user", "Root"], {
+      encoding: "utf-8",
+      timeout: 5e3,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return result.toLowerCase().includes(fingerprint);
+  } catch {
+    return false;
+  }
+}
+var HOST_CERTS_DIR = "host-certs";
+function sanitizeHostForFilename(hostname) {
+  return hostname.replace(/\./g, "_").replace(/[^a-z0-9_-]/gi, "");
+}
+async function generateHostCertAsync(stateDir, hostname) {
+  const caKeyPath = path.join(stateDir, CA_KEY_FILE);
+  const caCertPath = path.join(stateDir, CA_CERT_FILE);
+  const hostDir = path.join(stateDir, HOST_CERTS_DIR);
+  if (!fs.existsSync(hostDir)) {
+    await fs.promises.mkdir(hostDir, { recursive: true, mode: 493 });
+    fixOwnership(hostDir);
+  }
+  const safeName = sanitizeHostForFilename(hostname);
+  const keyPath = path.join(hostDir, `${safeName}-key.pem`);
+  const certPath = path.join(hostDir, `${safeName}.pem`);
+  const csrPath = path.join(hostDir, `${safeName}.csr`);
+  const extPath = path.join(hostDir, `${safeName}-ext.cnf`);
+  await opensslAsync(["ecparam", "-genkey", "-name", "prime256v1", "-noout", "-out", keyPath]);
+  await opensslAsync(["req", "-new", "-key", keyPath, "-out", csrPath, "-subj", `/CN=${hostname}`]);
+  const sans = [`DNS:${hostname}`];
+  const parts = hostname.split(".");
+  if (parts.length >= 2) {
+    sans.push(`DNS:*.${parts.slice(1).join(".")}`);
+  }
+  await fs.promises.writeFile(
+    extPath,
+    [
+      "authorityKeyIdentifier=keyid,issuer",
+      "basicConstraints=CA:FALSE",
+      "keyUsage=digitalSignature,keyEncipherment",
+      "extendedKeyUsage=serverAuth",
+      `subjectAltName=${sans.join(",")}`
+    ].join("\n") + "\n"
+  );
+  await opensslAsync([
+    "x509",
+    "-req",
+    "-sha256",
+    "-in",
+    csrPath,
+    "-CA",
+    caCertPath,
+    "-CAkey",
+    caKeyPath,
+    "-CAcreateserial",
+    "-out",
+    certPath,
+    "-days",
+    SERVER_VALIDITY_DAYS.toString(),
+    "-extfile",
+    extPath
+  ]);
+  for (const tmp of [csrPath, extPath]) {
+    try {
+      await fs.promises.unlink(tmp);
+    } catch {
+    }
+  }
+  await fs.promises.chmod(keyPath, 384);
+  await fs.promises.chmod(certPath, 420);
+  fixOwnership(keyPath, certPath);
+  return { certPath, keyPath };
+}
+function createSNICallback(stateDir, defaultCert, defaultKey) {
+  const cache = /* @__PURE__ */ new Map();
+  const pending = /* @__PURE__ */ new Map();
+  const defaultCtx = tls.createSecureContext({ cert: defaultCert, key: defaultKey });
+  return (servername, cb) => {
+    if (servername === "localhost") {
+      cb(null, defaultCtx);
+      return;
+    }
+    if (cache.has(servername)) {
+      cb(null, cache.get(servername));
+      return;
+    }
+    const safeName = sanitizeHostForFilename(servername);
+    const hostDir = path.join(stateDir, HOST_CERTS_DIR);
+    const certPath = path.join(hostDir, `${safeName}.pem`);
+    const keyPath = path.join(hostDir, `${safeName}-key.pem`);
+    if (fileExists(certPath) && fileExists(keyPath) && isCertValid(certPath) && isCertSignatureStrong(certPath)) {
+      try {
+        const ctx = tls.createSecureContext({
+          cert: fs.readFileSync(certPath),
+          key: fs.readFileSync(keyPath)
+        });
+        cache.set(servername, ctx);
+        cb(null, ctx);
+        return;
+      } catch {
+      }
+    }
+    if (pending.has(servername)) {
+      pending.get(servername).then((ctx) => cb(null, ctx)).catch((err) => cb(err instanceof Error ? err : new Error(String(err))));
+      return;
+    }
+    const promise = generateHostCertAsync(stateDir, servername).then(async (generated) => {
+      const [cert, key] = await Promise.all([
+        fs.promises.readFile(generated.certPath),
+        fs.promises.readFile(generated.keyPath)
+      ]);
+      return tls.createSecureContext({ cert, key });
+    });
+    pending.set(servername, promise);
+    promise.then((ctx) => {
+      cache.set(servername, ctx);
+      pending.delete(servername);
+      cb(null, ctx);
+    }).catch((err) => {
+      pending.delete(servername);
+      cb(err instanceof Error ? err : new Error(String(err)));
+    });
+  };
+}
+function trustCAWindows(caCertPath) {
+  execFileSync("certutil", ["-addstore", "-user", "Root", caCertPath], {
+    stdio: "pipe",
+    timeout: 3e4
+  });
+}
+function trustCA(stateDir) {
+  const caCertPath = path.join(stateDir, CA_CERT_FILE);
+  if (!fileExists(caCertPath)) {
+    return { trusted: false, error: "CA certificate not found. Run with --https first." };
+  }
+  try {
+    if (process.platform === "darwin") {
+      const keychain = loginKeychainPath();
+      execFileSync(
+        "security",
+        ["add-trusted-cert", "-r", "trustRoot", "-k", keychain, caCertPath],
+        { stdio: "pipe", timeout: 3e4 }
+      );
+      return { trusted: true };
+    } else if (process.platform === "linux") {
+      const dest = "/usr/local/share/ca-certificates/peakroute-ca.crt";
+      fs.copyFileSync(caCertPath, dest);
+      execFileSync("update-ca-certificates", [], { stdio: "pipe", timeout: 3e4 });
+      return { trusted: true };
+    } else if (IS_WINDOWS) {
+      trustCAWindows(caCertPath);
+      return { trusted: true };
+    }
+    return { trusted: false, error: `Unsupported platform: ${process.platform}` };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    if (message.includes("authorization") || message.includes("permission") || message.includes("EACCES") || message.includes("Access is denied")) {
+      return {
+        trusted: false,
+        error: IS_WINDOWS ? "Permission denied. Try running as Administrator." : "Permission denied. Try: sudo peakroute trust"
+      };
+    }
+    return { trusted: false, error: message };
+  }
+}
+
+// src/cli.ts
+var DEBOUNCE_MS = 100;
+var POLL_INTERVAL_MS = 3e3;
+var EXIT_TIMEOUT_MS = 2e3;
+var SUDO_SPAWN_TIMEOUT_MS = 3e4;
+function startProxyServer(store, proxyPort, tlsOptions) {
+  store.ensureDir();
+  const isTls = !!tlsOptions;
+  const routesPath = store.getRoutesPath();
+  if (!fs2.existsSync(routesPath)) {
+    fs2.writeFileSync(routesPath, "[]", { mode: FILE_MODE });
+  }
+  chmodSafe(routesPath, FILE_MODE);
+  fixOwnership(routesPath);
+  let cachedRoutes = store.loadRoutes();
+  let debounceTimer = null;
+  let watcher = null;
+  let pollingInterval = null;
+  const reloadRoutes = () => {
+    try {
+      cachedRoutes = store.loadRoutes();
+    } catch {
+    }
+  };
+  try {
+    watcher = fs2.watch(routesPath, () => {
+      if (debounceTimer) clearTimeout(debounceTimer);
+      debounceTimer = setTimeout(reloadRoutes, DEBOUNCE_MS);
+    });
+  } catch {
+    console.warn(chalk.yellow("fs.watch unavailable; falling back to polling for route changes"));
+    pollingInterval = setInterval(reloadRoutes, POLL_INTERVAL_MS);
+  }
+  const server = createProxyServer({
+    getRoutes: () => cachedRoutes,
+    proxyPort,
+    onError: (msg) => console.error(chalk.red(msg)),
+    tls: tlsOptions
+  });
+  server.on("error", (err) => {
+    if (err.code === "EADDRINUSE") {
+      console.error(chalk.red(`Port ${proxyPort} is already in use.`));
+      console.error(chalk.blue("Stop the existing proxy first:"));
+      console.error(chalk.cyan("  peakroute proxy stop"));
+      console.error(chalk.blue("Or check what is using the port:"));
+      if (IS_WINDOWS) {
+        console.error(chalk.cyan(`  netstat -ano | findstr :${proxyPort}`));
+      } else {
+        console.error(chalk.cyan(`  lsof -ti tcp:${proxyPort}`));
+      }
+    } else if (err.code === "EACCES") {
+      console.error(chalk.red(`Permission denied for port ${proxyPort}.`));
+      if (IS_WINDOWS) {
+        console.error(chalk.blue("Try running as Administrator:"));
+        console.error(chalk.cyan("  peakroute proxy start -p 80"));
+      } else {
+        console.error(chalk.blue("Either run with sudo:"));
+        console.error(chalk.cyan("  sudo peakroute proxy start -p 80"));
+        console.error(chalk.blue("Or use a non-privileged port (no sudo needed):"));
+        console.error(chalk.cyan("  peakroute proxy start"));
+      }
+    } else {
+      console.error(chalk.red(`Proxy error: ${err.message}`));
+    }
+    process.exit(1);
+  });
+  server.listen(proxyPort, () => {
+    fs2.writeFileSync(store.pidPath, process.pid.toString(), { mode: FILE_MODE });
+    fs2.writeFileSync(store.portFilePath, proxyPort.toString(), { mode: FILE_MODE });
+    writeTlsMarker(store.dir, isTls);
+    fixOwnership(store.dir, store.pidPath, store.portFilePath);
+    const proto = isTls ? "HTTPS/2" : "HTTP";
+    console.log(chalk.green(`${proto} proxy listening on port ${proxyPort}`));
+  });
+  let exiting = false;
+  const cleanup = () => {
+    if (exiting) return;
+    exiting = true;
+    if (debounceTimer) clearTimeout(debounceTimer);
+    if (pollingInterval) clearInterval(pollingInterval);
+    if (watcher) {
+      watcher.close();
+    }
+    try {
+      fs2.unlinkSync(store.pidPath);
+    } catch {
+    }
+    try {
+      fs2.unlinkSync(store.portFilePath);
+    } catch {
+    }
+    writeTlsMarker(store.dir, false);
+    server.close(() => process.exit(0));
+    setTimeout(() => process.exit(0), EXIT_TIMEOUT_MS).unref();
+  };
+  process.on("SIGINT", cleanup);
+  process.on("SIGTERM", cleanup);
+  console.log(chalk.cyan("\nProxy is running. Press Ctrl+C to stop.\n"));
+  console.log(chalk.gray(`Routes file: ${store.getRoutesPath()}`));
+}
+async function stopProxy(store, proxyPort, tls2) {
+  const pidPath = store.pidPath;
+  const needsSudo = !IS_WINDOWS && proxyPort < PRIVILEGED_PORT_THRESHOLD;
+  const sudoHint = needsSudo ? "sudo " : "";
+  if (!fs2.existsSync(pidPath)) {
+    if (await isProxyRunning(proxyPort, tls2)) {
+      console.log(chalk.yellow(`PID file is missing but port ${proxyPort} is still in use.`));
+      const pid = findPidOnPort(proxyPort);
+      if (pid !== null) {
+        try {
+          process.kill(pid, "SIGTERM");
+          try {
+            fs2.unlinkSync(store.portFilePath);
+          } catch {
+          }
+          console.log(chalk.green(`Killed process ${pid}. Proxy stopped.`));
+        } catch (err) {
+          if (isErrnoException(err) && err.code === "EPERM") {
+            console.error(
+              chalk.red("Permission denied. The proxy was started with elevated permissions.")
+            );
+            if (IS_WINDOWS) {
+              console.error(chalk.blue("Stop it with Administrator privileges:"));
+              console.error(chalk.cyan("  peakroute proxy stop"));
+            } else {
+              console.error(chalk.blue("Stop it with:"));
+              console.error(chalk.cyan("  sudo peakroute proxy stop"));
+            }
+          } else {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(chalk.red(`Failed to stop proxy: ${message}`));
+            console.error(chalk.blue("Check if the process is still running:"));
+            if (IS_WINDOWS) {
+              console.error(chalk.cyan(`  netstat -ano | findstr :${proxyPort}`));
+            } else {
+              console.error(chalk.cyan(`  lsof -ti tcp:${proxyPort}`));
+            }
+          }
+        }
+      } else if (!IS_WINDOWS && process.getuid?.() !== 0) {
+        console.error(chalk.red("Cannot identify the process. It may be running as root."));
+        console.error(chalk.blue("Try stopping with sudo:"));
+        console.error(chalk.cyan("  sudo peakroute proxy stop"));
+      } else {
+        console.error(chalk.red(`Could not identify the process on port ${proxyPort}.`));
+        console.error(chalk.blue("Try manually:"));
+        if (IS_WINDOWS) {
+          console.error(chalk.cyan(`  taskkill /F /IM peakroute.exe`));
+        } else {
+          console.error(chalk.cyan(`  sudo kill "$(lsof -ti tcp:${proxyPort})"`));
+        }
+      }
+    } else {
+      console.log(chalk.yellow("Proxy is not running."));
+    }
+    return;
+  }
+  try {
+    const pid = parseInt(fs2.readFileSync(pidPath, "utf-8"), 10);
+    if (isNaN(pid)) {
+      console.error(chalk.red("Corrupted PID file. Removing it."));
+      fs2.unlinkSync(pidPath);
+      return;
+    }
+    try {
+      process.kill(pid, 0);
+    } catch {
+      console.log(chalk.yellow("Proxy process is no longer running. Cleaning up stale files."));
+      fs2.unlinkSync(pidPath);
+      try {
+        fs2.unlinkSync(store.portFilePath);
+      } catch {
+      }
+      return;
+    }
+    if (!await isProxyRunning(proxyPort, tls2)) {
+      console.log(
+        chalk.yellow(
+          `PID file exists but port ${proxyPort} is not listening. The PID may have been recycled.`
+        )
+      );
+      console.log(chalk.yellow("Removing stale PID file."));
+      fs2.unlinkSync(pidPath);
+      return;
+    }
+    process.kill(pid, "SIGTERM");
+    fs2.unlinkSync(pidPath);
+    try {
+      fs2.unlinkSync(store.portFilePath);
+    } catch {
+    }
+    console.log(chalk.green("Proxy stopped."));
+  } catch (err) {
+    if (isErrnoException(err) && err.code === "EPERM") {
+      console.error(
+        chalk.red("Permission denied. The proxy was started with elevated permissions.")
+      );
+      if (IS_WINDOWS) {
+        console.error(chalk.blue("Stop it with Administrator privileges:"));
+        console.error(chalk.cyan("  peakroute proxy stop"));
+      } else {
+        console.error(chalk.blue("Stop it with:"));
+        console.error(chalk.cyan(`  ${sudoHint}peakroute proxy stop`));
+      }
+    } else {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error(chalk.red(`Failed to stop proxy: ${message}`));
+      console.error(chalk.blue("Check if the process is still running:"));
+      if (IS_WINDOWS) {
+        console.error(chalk.cyan(`  netstat -ano | findstr :${proxyPort}`));
+      } else {
+        console.error(chalk.cyan(`  lsof -ti tcp:${proxyPort}`));
+      }
+    }
+  }
+}
+function listRoutes(store, proxyPort, tls2) {
+  const routes = store.loadRoutes();
+  if (routes.length === 0) {
+    console.log(chalk.yellow("No active routes."));
+    console.log(chalk.gray("Start an app with: peakroute <name> <command>"));
+    return;
+  }
+  console.log(chalk.blue.bold("\nActive routes:\n"));
+  for (const route of routes) {
+    const url = formatUrl(route.hostname, proxyPort, tls2);
+    console.log(
+      `  ${chalk.cyan(url)}  ${chalk.gray("->")}  ${chalk.white(`localhost:${route.port}`)}  ${chalk.gray(`(pid ${route.pid})`)}`
+    );
+  }
+  console.log();
+}
+async function runApp(store, proxyPort, stateDir, name, commandArgs, tls2, force) {
+  const hostname = parseHostname(name);
+  console.log(chalk.blue.bold(`
+peakroute
+`));
+  console.log(chalk.gray(`-- ${hostname} (auto-resolves to 127.0.0.1)`));
+  if (!await isProxyRunning(proxyPort, tls2)) {
+    const defaultPort = getDefaultPort();
+    const needsSudo = defaultPort < PRIVILEGED_PORT_THRESHOLD;
+    const wantHttps = isHttpsEnvEnabled();
+    const needsElevated = !IS_WINDOWS && defaultPort < PRIVILEGED_PORT_THRESHOLD;
+    if (needsElevated) {
+      if (!process.stdin.isTTY) {
+        console.error(chalk.red("Proxy is not running."));
+        if (IS_WINDOWS) {
+          console.error(chalk.blue("Start the proxy first:"));
+          console.error(chalk.cyan("  peakroute proxy start"));
+        } else {
+          console.error(chalk.blue("Start the proxy first (requires sudo for this port):"));
+          console.error(chalk.cyan("  sudo peakroute proxy start -p 80"));
+          console.error(chalk.blue("Or use the default port (no sudo needed):"));
+          console.error(chalk.cyan("  peakroute proxy start"));
+        }
+        process.exit(1);
+      }
+      const answer = await prompt(chalk.yellow("Proxy not running. Start it? [Y/n/skip] "));
+      if (answer === "n" || answer === "no") {
+        console.log(chalk.gray("Cancelled."));
+        process.exit(0);
+      }
+      if (answer === "s" || answer === "skip") {
+        console.log(chalk.gray("Skipping proxy, running command directly...\n"));
+        spawnCommand(commandArgs);
+        return;
+      }
+      if (IS_WINDOWS) {
+        console.log(chalk.yellow("Starting proxy..."));
+        const startArgs = [process.argv[1], "proxy", "start"];
+        if (wantHttps) startArgs.push("--https");
+        const result = spawnSync(process.execPath, startArgs, {
+          stdio: "inherit",
+          timeout: SUDO_SPAWN_TIMEOUT_MS,
+          windowsHide: true
+        });
+        if (result.status !== 0) {
+          console.error(chalk.red("Failed to start proxy."));
+          console.error(chalk.blue("Try starting it manually:"));
+          console.error(chalk.cyan("  peakroute proxy start"));
+          process.exit(1);
+        }
+      } else {
+        console.log(chalk.yellow("Starting proxy (requires sudo)..."));
+        const startArgs = [process.execPath, process.argv[1], "proxy", "start"];
+        if (wantHttps) startArgs.push("--https");
+        const result = spawnSync("sudo", startArgs, {
+          stdio: "inherit",
+          timeout: SUDO_SPAWN_TIMEOUT_MS
+        });
+        if (result.status !== 0) {
+          console.error(chalk.red("Failed to start proxy."));
+          console.error(chalk.blue("Try starting it manually:"));
+          console.error(chalk.cyan("  sudo peakroute proxy start"));
+          process.exit(1);
+        }
+      }
+    } else {
+      console.log(chalk.yellow("Starting proxy..."));
+      const startArgs = [process.argv[1], "proxy", "start"];
+      if (wantHttps) startArgs.push("--https");
+      const result = spawnSync(process.execPath, startArgs, {
+        stdio: "inherit",
+        timeout: SUDO_SPAWN_TIMEOUT_MS
+      });
+      if (result.status !== 0) {
+        console.error(chalk.red("Failed to start proxy."));
+        console.error(chalk.blue("Try starting it manually:"));
+        console.error(chalk.cyan("  peakroute proxy start"));
+        process.exit(1);
+      }
+    }
+    const autoTls = readTlsMarker(stateDir);
+    if (!await waitForProxy(defaultPort, void 0, void 0, autoTls)) {
+      console.error(chalk.red("Proxy failed to start (timed out waiting for it to listen)."));
+      const logPath = path2.join(stateDir, "proxy.log");
+      console.error(chalk.blue("Try starting the proxy manually to see the error:"));
+      console.error(chalk.cyan(`  ${needsSudo ? "sudo " : ""}peakroute proxy start`));
+      if (fs2.existsSync(logPath)) {
+        console.error(chalk.gray(`Logs: ${logPath}`));
+      }
+      process.exit(1);
+    }
+    tls2 = autoTls;
+    console.log(chalk.green("Proxy started in background"));
+  } else {
+    console.log(chalk.gray("-- Proxy is running"));
+  }
+  const port = await findFreePort();
+  console.log(chalk.green(`-- Using port ${port}`));
+  try {
+    store.addRoute(hostname, port, process.pid, force);
+  } catch (err) {
+    if (err instanceof RouteConflictError) {
+      console.error(chalk.red(`Error: ${err.message}`));
+      process.exit(1);
+    }
+    throw err;
+  }
+  const finalUrl = formatUrl(hostname, proxyPort, tls2);
+  console.log(chalk.cyan.bold(`
+  -> ${finalUrl}
+`));
+  injectFrameworkFlags(commandArgs, port);
+  console.log(chalk.gray(`Running: PORT=${port} HOST=127.0.0.1 ${commandArgs.join(" ")}
+`));
+  spawnCommand(commandArgs, {
+    env: {
+      ...process.env,
+      PORT: port.toString(),
+      HOST: "127.0.0.1",
+      __VITE_ADDITIONAL_SERVER_ALLOWED_HOSTS: ".localhost"
+    },
+    onCleanup: () => {
+      try {
+        store.removeRoute(hostname);
+      } catch {
+      }
+    }
+  });
+}
+async function main() {
+  if (process.stdin.isTTY) {
+    process.on("exit", () => {
+      try {
+        process.stdin.setRawMode(false);
+      } catch {
+      }
+    });
+  }
+  const args = process.argv.slice(2);
+  const isNpx = process.env.npm_command === "exec" && !process.env.npm_lifecycle_event;
+  const isPnpmDlx = !!process.env.PNPM_SCRIPT_SRC_DIR && !process.env.npm_lifecycle_event;
+  if (isNpx || isPnpmDlx) {
+    console.error(chalk.red("Error: peakroute should not be run via npx or pnpm dlx."));
+    console.error(chalk.blue("Install globally instead:"));
+    console.error(chalk.cyan("  npm install -g peakroute"));
+    process.exit(1);
+  }
+  const skipPortless = process.env.PEAKROUTE === "0" || process.env.PEAKROUTE === "skip";
+  if (skipPortless && args.length >= 2 && args[0] !== "proxy") {
+    spawnCommand(args.slice(1));
+    return;
+  }
+  if (args.length === 0 || args[0] === "--help" || args[0] === "-h") {
+    console.log(`
+${chalk.bold("peakroute")} - Replace port numbers with stable, named .localhost URLs. For humans and agents.
+
+Eliminates port conflicts, memorizing port numbers, and cookie/storage
+clashes by giving each dev server a stable .localhost URL.
+
+${chalk.bold("Install:")}
+  ${chalk.cyan("npm install -g peakroute")}
+  Do NOT add peakroute as a project dependency.
+
+${chalk.bold("Usage:")}
+  ${chalk.cyan("peakroute proxy start")}             Start the proxy (background daemon)
+  ${chalk.cyan("peakroute proxy start --https")}     Start with HTTP/2 + TLS (auto-generates certs)
+  ${chalk.cyan("peakroute proxy start -p 80")}       Start on port 80 (requires sudo)
+  ${chalk.cyan("peakroute proxy stop")}              Stop the proxy
+  ${chalk.cyan("peakroute <name> <cmd>")}            Run your app through the proxy
+  ${chalk.cyan("peakroute list")}                    Show active routes
+  ${chalk.cyan("peakroute trust")}                   Add local CA to system trust store
+
+${chalk.bold("Examples:")}
+  peakroute proxy start                # Start proxy on port 1355
+  peakroute proxy start --https        # Start with HTTPS/2 (faster page loads)
+  peakroute myapp next dev             # -> http://myapp.localhost:1355
+  peakroute myapp vite dev             # -> http://myapp.localhost:1355
+  peakroute api.myapp bun start        # -> http://api.myapp.localhost:1355
+
+${chalk.bold("In package.json:")}
+  {
+    "scripts": {
+      "dev": "peakroute myapp next dev"
+    }
+  }
+
+${chalk.bold("How it works:")}
+  1. Start the proxy once (listens on port 1355 by default, no sudo needed)
+  2. Run your apps - they auto-start the proxy and register automatically
+  3. Access via http://<name>.localhost:1355
+  4. .localhost domains auto-resolve to 127.0.0.1
+  5. Frameworks that ignore PORT (Vite, Astro, React Router, Angular) get
+     --port and --host flags injected automatically
+
+${chalk.bold("HTTP/2 + HTTPS:")}
+  Use --https for HTTP/2 multiplexing (faster dev server page loads).
+  On first use, peakroute generates a local CA and adds it to your
+  system trust store. No browser warnings. No sudo required on macOS.
+
+${chalk.bold("Options:")}
+  -p, --port <number>           Port for the proxy to listen on (default: 1355)
+                                Ports < 1024 require sudo
+  --https                       Enable HTTP/2 + TLS with auto-generated certs
+  --cert <path>                 Use a custom TLS certificate (implies --https)
+  --key <path>                  Use a custom TLS private key (implies --https)
+  --no-tls                      Disable HTTPS (overrides PEAKROUTE_HTTPS)
+  --foreground                  Run proxy in foreground (for debugging)
+  --force                       Override an existing route registered by another process
+
+${chalk.bold("Environment variables:")}
+  PEAKROUTE_PORT=<number>        Override the default proxy port (e.g. in .bashrc)
+  PEAKROUTE_HTTPS=1              Always enable HTTPS (set in .bashrc / .zshrc)
+  PEAKROUTE_STATE_DIR=<path>     Override the state directory
+  PEAKROUTE=0 | PEAKROUTE=skip    Run command directly without proxy
+
+${chalk.bold("Skip peakroute:")}
+  PEAKROUTE=0 bun dev              # Runs command directly without proxy
+  PEAKROUTE=skip bun dev           # Same as above
+`);
+    process.exit(0);
+  }
+  if (args[0] === "--version" || args[0] === "-v") {
+    console.log("0.5.0");
+    process.exit(0);
+  }
+  if (args[0] === "trust") {
+    const { dir: dir2 } = await discoverState();
+    const result = trustCA(dir2);
+    if (result.trusted) {
+      console.log(chalk.green("Local CA added to system trust store."));
+      console.log(chalk.gray("Browsers will now trust peakroute HTTPS certificates."));
+    } else {
+      console.error(chalk.red(`Failed to trust CA: ${result.error}`));
+      if (result.error?.includes("sudo")) {
+        console.error(chalk.blue("Run with sudo:"));
+        console.error(chalk.cyan("  sudo peakroute trust"));
+      } else if (result.error?.includes("Administrator")) {
+        console.error(chalk.blue("Run as Administrator:"));
+        console.error(chalk.cyan("  peakroute trust"));
+      }
+      process.exit(1);
+    }
+    return;
+  }
+  if (args[0] === "list") {
+    const { dir: dir2, port: port2, tls: tls3 } = await discoverState();
+    const store2 = new RouteStore(dir2, {
+      onWarning: (msg) => console.warn(chalk.yellow(msg))
+    });
+    listRoutes(store2, port2, tls3);
+    return;
+  }
+  if (args[0] === "proxy") {
+    if (args[1] === "stop") {
+      const { dir: dir2, port: port2, tls: tls3 } = await discoverState();
+      const store3 = new RouteStore(dir2, {
+        onWarning: (msg) => console.warn(chalk.yellow(msg))
+      });
+      await stopProxy(store3, port2, tls3);
+      return;
+    }
+    if (args[1] !== "start") {
+      console.log(`
+${chalk.bold("Usage: peakroute proxy <command>")}
+
+  ${chalk.cyan("peakroute proxy start")}                Start the proxy (daemon)
+  ${chalk.cyan("peakroute proxy start --https")}        Start with HTTP/2 + TLS
+  ${chalk.cyan("peakroute proxy start --foreground")}   Start in foreground (for debugging)
+  ${chalk.cyan("peakroute proxy start -p 80")}          Start on port 80 (requires sudo)
+  ${chalk.cyan("peakroute proxy stop")}                 Stop the proxy
+`);
+      process.exit(args[1] ? 1 : 0);
+    }
+    const isForeground = args.includes("--foreground");
+    let proxyPort = getDefaultPort();
+    let portFlagIndex = args.indexOf("--port");
+    if (portFlagIndex === -1) portFlagIndex = args.indexOf("-p");
+    if (portFlagIndex !== -1) {
+      const portValue = args[portFlagIndex + 1];
+      if (!portValue || portValue.startsWith("-")) {
+        console.error(chalk.red("Error: --port / -p requires a port number."));
+        console.error(chalk.blue("Usage:"));
+        console.error(chalk.cyan("  peakroute proxy start -p 8080"));
+        process.exit(1);
+      }
+      proxyPort = parseInt(portValue, 10);
+      if (isNaN(proxyPort) || proxyPort < 1 || proxyPort > 65535) {
+        console.error(chalk.red(`Error: Invalid port number: ${portValue}`));
+        console.error(chalk.blue("Port must be between 1 and 65535."));
+        process.exit(1);
+      }
+    }
+    const hasNoTls = args.includes("--no-tls");
+    const hasHttpsFlag = args.includes("--https");
+    const wantHttps = !hasNoTls && (hasHttpsFlag || isHttpsEnvEnabled());
+    let customCertPath = null;
+    let customKeyPath = null;
+    const certIdx = args.indexOf("--cert");
+    if (certIdx !== -1) {
+      customCertPath = args[certIdx + 1] || null;
+      if (!customCertPath || customCertPath.startsWith("-")) {
+        console.error(chalk.red("Error: --cert requires a file path."));
+        process.exit(1);
+      }
+    }
+    const keyIdx = args.indexOf("--key");
+    if (keyIdx !== -1) {
+      customKeyPath = args[keyIdx + 1] || null;
+      if (!customKeyPath || customKeyPath.startsWith("-")) {
+        console.error(chalk.red("Error: --key requires a file path."));
+        process.exit(1);
+      }
+    }
+    if (customCertPath && !customKeyPath || !customCertPath && customKeyPath) {
+      console.error(chalk.red("Error: --cert and --key must be used together."));
+      process.exit(1);
+    }
+    const useHttps = wantHttps || !!(customCertPath && customKeyPath);
+    const stateDir = resolveStateDir(proxyPort);
+    const store2 = new RouteStore(stateDir, {
+      onWarning: (msg) => console.warn(chalk.yellow(msg))
+    });
+    if (await isProxyRunning(proxyPort)) {
+      if (isForeground) {
+        return;
+      }
+      const needsSudo = proxyPort < PRIVILEGED_PORT_THRESHOLD;
+      const sudoPrefix = needsSudo ? "sudo " : "";
+      console.log(chalk.yellow(`Proxy is already running on port ${proxyPort}.`));
+      console.log(
+        chalk.blue(`To restart: peakroute proxy stop && ${sudoPrefix}peakroute proxy start`)
+      );
+      return;
+    }
+    const needsRoot = !IS_WINDOWS && proxyPort < PRIVILEGED_PORT_THRESHOLD;
+    if (needsRoot && (process.getuid?.() ?? -1) !== 0) {
+      console.error(
+        chalk.red(`Error: Port ${proxyPort} requires ${IS_WINDOWS ? "Administrator" : "sudo"}.`)
+      );
+      if (!IS_WINDOWS) {
+        console.error(chalk.blue("Either run with sudo:"));
+        console.error(chalk.cyan("  sudo peakroute proxy start -p 80"));
+        console.error(chalk.blue("Or use the default port (no sudo needed):"));
+        console.error(chalk.cyan("  peakroute proxy start"));
+      }
+      process.exit(1);
+    }
+    let tlsOptions;
+    if (useHttps) {
+      store2.ensureDir();
+      if (customCertPath && customKeyPath) {
+        try {
+          const cert = fs2.readFileSync(customCertPath);
+          const key = fs2.readFileSync(customKeyPath);
+          const certStr = cert.toString("utf-8");
+          const keyStr = key.toString("utf-8");
+          if (!certStr.includes("-----BEGIN CERTIFICATE-----")) {
+            console.error(chalk.red(`Error: ${customCertPath} is not a valid PEM certificate.`));
+            console.error(chalk.gray("Expected a file starting with -----BEGIN CERTIFICATE-----"));
+            process.exit(1);
+          }
+          if (!keyStr.match(/-----BEGIN [\w\s]*PRIVATE KEY-----/)) {
+            console.error(chalk.red(`Error: ${customKeyPath} is not a valid PEM private key.`));
+            console.error(
+              chalk.gray("Expected a file starting with -----BEGIN ...PRIVATE KEY-----")
+            );
+            process.exit(1);
+          }
+          tlsOptions = { cert, key };
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          console.error(chalk.red(`Error reading certificate files: ${message}`));
+          process.exit(1);
+        }
+      } else {
+        console.log(chalk.gray("Ensuring TLS certificates..."));
+        const certs = ensureCerts(stateDir);
+        if (certs.caGenerated) {
+          console.log(chalk.green("Generated local CA certificate."));
+        }
+        if (!isCATrusted(stateDir)) {
+          console.log(chalk.yellow("Adding CA to system trust store..."));
+          const trustResult = trustCA(stateDir);
+          if (trustResult.trusted) {
+            console.log(
+              chalk.green("CA added to system trust store. Browsers will trust peakroute certs.")
+            );
+          } else {
+            console.warn(chalk.yellow("Could not add CA to system trust store."));
+            if (trustResult.error) {
+              console.warn(chalk.gray(trustResult.error));
+            }
+            console.warn(
+              chalk.yellow("Browsers will show certificate warnings. To fix this later, run:")
+            );
+            console.warn(chalk.cyan("  peakroute trust"));
+          }
+        }
+        const cert = fs2.readFileSync(certs.certPath);
+        const key = fs2.readFileSync(certs.keyPath);
+        tlsOptions = {
+          cert,
+          key,
+          SNICallback: createSNICallback(stateDir, cert, key)
+        };
+      }
+    }
+    if (isForeground) {
+      console.log(chalk.blue.bold("\npeakroute proxy\n"));
+      startProxyServer(store2, proxyPort, tlsOptions);
+      return;
+    }
+    store2.ensureDir();
+    const logPath = path2.join(stateDir, "proxy.log");
+    const logFd = fs2.openSync(logPath, "a");
+    try {
+      try {
+        fs2.chmodSync(logPath, FILE_MODE);
+      } catch {
+      }
+      fixOwnership(logPath);
+      const daemonArgs = [process.argv[1], "proxy", "start", "--foreground"];
+      if (portFlagIndex !== -1) {
+        daemonArgs.push("--port", proxyPort.toString());
+      }
+      if (useHttps) {
+        if (customCertPath && customKeyPath) {
+          daemonArgs.push("--cert", customCertPath, "--key", customKeyPath);
+        } else {
+          daemonArgs.push("--https");
+        }
+      }
+      const child = spawn(process.execPath, daemonArgs, {
+        detached: true,
+        stdio: ["ignore", logFd, logFd],
+        env: process.env,
+        windowsHide: true
+        // PR #6: Evita popup de console no Windows
+      });
+      child.unref();
+    } finally {
+      fs2.closeSync(logFd);
+    }
+    if (!await waitForProxy(proxyPort, void 0, void 0, useHttps)) {
+      console.error(chalk.red("Proxy failed to start (timed out waiting for it to listen)."));
+      console.error(chalk.blue("Try starting the proxy in the foreground to see the error:"));
+      const needsSudo = proxyPort < PRIVILEGED_PORT_THRESHOLD;
+      console.error(chalk.cyan(`  ${needsSudo ? "sudo " : ""}peakroute proxy start --foreground`));
+      if (fs2.existsSync(logPath)) {
+        console.error(chalk.gray(`Logs: ${logPath}`));
+      }
+      process.exit(1);
+    }
+    const proto = useHttps ? "HTTPS/2" : "HTTP";
+    console.log(chalk.green(`${proto} proxy started on port ${proxyPort}`));
+    return;
+  }
+  const forceIdx = args.indexOf("--force");
+  const force = forceIdx >= 0 && forceIdx <= 1;
+  const appArgs = force ? [...args.slice(0, forceIdx), ...args.slice(forceIdx + 1)] : args;
+  const name = appArgs[0];
+  const commandArgs = appArgs.slice(1);
+  if (commandArgs.length === 0) {
+    console.error(chalk.red("Error: No command provided."));
+    console.error(chalk.blue("Usage:"));
+    console.error(chalk.cyan("  peakroute <name> <command...>"));
+    console.error(chalk.blue("Example:"));
+    console.error(chalk.cyan("  peakroute myapp next dev"));
+    process.exit(1);
+  }
+  const { dir, port, tls: tls2 } = await discoverState();
+  const store = new RouteStore(dir, {
+    onWarning: (msg) => console.warn(chalk.yellow(msg))
+  });
+  await runApp(store, port, dir, name, commandArgs, tls2, force);
+}
+main().catch((err) => {
+  const message = err instanceof Error ? err.message : String(err);
+  console.error(chalk.red("Error:"), message);
+  process.exit(1);
+});