portless 0.10.1 → 0.10.3

package/README.md

@@ -32,7 +32,11 @@ portless myapp next dev
 
 HTTPS with HTTP/2 is enabled by default. On first run, portless generates a local CA, trusts it, and binds port 443 (auto-elevates with sudo on macOS/Linux). Use `--no-tls` for plain HTTP.
 
-The proxy auto-starts when you run an app. A random port (4000--4999) is assigned via the `PORT` environment variable. Most frameworks (Next.js, Express, Nuxt, etc.) respect this automatically. For frameworks that ignore `PORT` (Vite, VitePlus, Astro, React Router, Angular, Expo, React Native), portless auto-injects the right `--port` flag and, when needed, a matching `--host` flag.
+The proxy auto-starts when you run an app. A random port (4000-4999) is assigned via the `PORT` environment variable. Most frameworks (Next.js, Express, Nuxt, etc.) respect this automatically. For frameworks that ignore `PORT` (Vite, VitePlus, Astro, React Router, Angular, Expo, React Native), portless auto-injects the right `--port` flag and, when needed, a matching `--host` flag.
+
+When auto-starting, portless reuses the configuration (port, TLS, TLD) from the most recent proxy run, so a restart or reboot does not silently revert to defaults. Explicit env vars (`PORTLESS_PORT`, `PORTLESS_HTTPS`, etc.) always take priority.
+
+In non-interactive environments (no TTY, or `CI=1`), portless exits with a descriptive error instead of prompting, so task runners like turborepo and CI scripts fail early with a clear message.
 
 ## Use in package.json
 
@@ -139,7 +143,7 @@ portless proxy start --lan --ip 192.168.1.42
 
 `--lan` switches the proxy to mDNS discovery: services are advertised as `<name>.local` and reachable from any device on the same network. Portless auto-detects your LAN IP and follows Wi-Fi/IP changes automatically, but you can pin another address with `--ip <address>` or by exporting `PORTLESS_LAN_IP`. Set `PORTLESS_LAN=1` in your shell (0/1 boolean) to make LAN mode the default whenever the proxy starts.
 
-Portless remembers LAN mode via `proxy.lan`, so if you stop a LAN proxy and start it again, it stays in LAN mode. Other proxy settings still follow the current flags and env vars. Use `PORTLESS_LAN=0` for one start to switch back to `.localhost` mode. If a proxy is already running with different explicit LAN/TLS/TLD settings, portless warns and asks you to stop it first.
+Portless remembers LAN mode via `proxy.lan`, so if you stop a LAN proxy and start it again, it stays in LAN mode. All proxy settings (port, TLS, TLD, LAN) are persisted and reused on auto-start unless overridden by explicit flags or env vars. Use `PORTLESS_LAN=0` for one start to switch back to `.localhost` mode. If a proxy is already running with different explicit LAN/TLS/TLD settings, portless warns and asks you to stop it first.
 
 LAN mode depends on the system mDNS tools that portless already spawns: macOS ships with `dns-sd`, while Linux uses `avahi-publish-address` from `avahi-utils` (install via `sudo apt install avahi-utils` or your distro’s equivalent). If the command is missing or your network isn’t reachable, `portless proxy start --lan` prints the relevant error and exits.
 
@@ -218,6 +222,7 @@ PORTLESS_STATE_DIR=<path>        Override the state directory
 PORT                             Ephemeral port the child should listen on
 HOST                             Usually 127.0.0.1 (omitted for Expo in LAN mode)
 PORTLESS_URL                     Public URL (e.g. https://myapp.localhost)
+NODE_EXTRA_CA_CERTS              Path to the portless CA (when HTTPS is active)
 ```
 
 > **Reserved names:** `run`, `get`, `alias`, `hosts`, `list`, `trust`, `clean`, and `proxy` are subcommands and cannot be used as app names directly. Use `portless run <cmd>` to infer the name from your project, or `portless --name <name> <cmd>` to force any name including reserved ones.
@@ -275,7 +280,7 @@ devServer: {
 }
 ```
 
-If your tooling doesn't trust the portless CA, point Node.js at it: `NODE_EXTRA_CA_CERTS=/tmp/portless/ca.pem` (or `~/.portless/ca.pem` when the proxy runs on a non-privileged port like 1355). Alternatively, use `--no-tls` for plain HTTP.
+Portless automatically sets `NODE_EXTRA_CA_CERTS` in child processes so Node.js trusts the portless CA. If you run a separate Node.js process outside portless, point it at the CA manually: `NODE_EXTRA_CA_CERTS=/tmp/portless/ca.pem` (or `~/.portless/ca.pem` when the proxy runs on a non-privileged port like 1355). Alternatively, use `--no-tls` for plain HTTP.
 
 Portless detects this misconfiguration and responds with `508 Loop Detected` along with a message pointing to this fix.
 

package/dist/{chunk-FM7IA4AF.js → chunk-EZJWUTUA.js}

@@ -392,8 +392,10 @@ function createProxyServer(options) {
         proxyRes.on("error", () => {
           if (!res.headersSent) {
             res.writeHead(502, { "Content-Type": "text/plain" });
+            res.end();
+          } else {
+            res.destroy();
           }
-          res.end();
         });
         proxyRes.pipe(res);
       }
@@ -516,9 +518,19 @@ function createProxyServer(options) {
       cert: tls.ca ? Buffer.concat([tls.cert, tls.ca]) : tls.cert,
       key: tls.key,
       allowHTTP1: true,
+      // Tolerate high rates of RST_STREAM from browsers during HMR and
+      // page navigations. Without this, Node sends GOAWAY INTERNAL_ERROR
+      // after ~1000 cumulative stream resets and kills the session,
+      // surfacing as ERR_HTTP2_PROTOCOL_ERROR in Chrome. Available in
+      // Node 22.11+; silently ignored on older versions.
+      ...{ streamResetBurst: 1e4, streamResetRate: 100 },
       ...tls.SNICallback ? { SNICallback: tls.SNICallback } : {}
     });
+    h2Server.on("sessionError", () => {
+    });
     h2Server.on("request", (req, res) => {
+      req.stream?.on("error", () => {
+      });
       handleRequest(req, res);
     });
     h2Server.on("upgrade", (req, socket, head) => {
@@ -901,6 +913,24 @@ function isLanEnvEnabled() {
   const val = process.env.PORTLESS_LAN;
   return val === "1" || val === "true";
 }
+function readPersistedProxyState() {
+  const dirs = [];
+  if (process.env.PORTLESS_STATE_DIR) {
+    dirs.push(process.env.PORTLESS_STATE_DIR);
+  } else {
+    dirs.push(USER_STATE_DIR, SYSTEM_STATE_DIR);
+  }
+  for (const dir of dirs) {
+    const port = readPortFromDir(dir);
+    if (port !== null) {
+      const tls = readTlsMarker(dir);
+      const tld = readTldFromDir(dir);
+      const lanIp = readLanMarker(dir);
+      return { port, tls, tld, lanMode: lanIp !== null || tld === "local" };
+    }
+  }
+  return null;
+}
 function buildProxyStartConfig(options) {
   const effectiveTld = options.lanMode ? "local" : options.tld;
   const args = [];
@@ -934,6 +964,9 @@ function buildProxyStartConfig(options) {
   if (options.useWildcard) {
     args.push("--wildcard");
   }
+  if (options.skipTrust) {
+    args.push("--skip-trust");
+  }
   return { effectiveTld, args };
 }
 async function discoverState() {
@@ -1002,8 +1035,8 @@ async function discoverState() {
   return {
     dir,
     port: configuredPort,
-    tls: false,
-    tld: getDefaultTld(),
+    tls: readTlsMarker(dir),
+    tld: readTldFromDir(dir),
     lanMode: readLanMarker(dir) !== null,
     lanIp: null
   };
@@ -1272,8 +1305,9 @@ function prompt(question) {
 import * as fs4 from "fs";
 import * as path3 from "path";
 var STALE_LOCK_THRESHOLD_MS = 1e4;
-var LOCK_MAX_RETRIES = 20;
-var LOCK_RETRY_DELAY_MS = 50;
+var LOCK_TIMEOUT_MS = 5e3;
+var LOCK_RETRY_BASE_MS = 10;
+var LOCK_RETRY_CAP_MS = 500;
 var FILE_MODE = 420;
 var DIR_MODE = 493;
 var SYSTEM_DIR_MODE = 1023;
@@ -1337,8 +1371,10 @@ var RouteStore = class _RouteStore {
   syncSleep(ms) {
     Atomics.wait(_RouteStore.sleepBuffer, 0, 0, ms);
   }
-  acquireLock(maxRetries = LOCK_MAX_RETRIES, retryDelayMs = LOCK_RETRY_DELAY_MS) {
-    for (let i = 0; i < maxRetries; i++) {
+  acquireLock() {
+    const deadline = Date.now() + LOCK_TIMEOUT_MS;
+    let delay = LOCK_RETRY_BASE_MS;
+    while (Date.now() < deadline) {
       try {
         fs4.mkdirSync(this.lockPath);
         return true;
@@ -1353,7 +1389,9 @@ var RouteStore = class _RouteStore {
           } catch {
             continue;
           }
-          this.syncSleep(retryDelayMs);
+          const jitter = Math.floor(Math.random() * delay);
+          this.syncSleep(delay + jitter);
+          delay = Math.min(delay * 2, LOCK_RETRY_CAP_MS);
         } else {
           return false;
         }
@@ -1507,6 +1545,7 @@ export {
   isHttpsEnvDisabled,
   isWildcardEnvEnabled,
   isLanEnvEnabled,
+  readPersistedProxyState,
   buildProxyStartConfig,
   discoverState,
   findFreePort,

package/dist/cli.js

@@ -35,6 +35,7 @@ import {
   parseHostname,
   prompt,
   readLanMarker,
+  readPersistedProxyState,
   readTldFromDir,
   readTlsMarker,
   resolveStateDir,
@@ -46,7 +47,7 @@ import {
   writeLanMarker,
   writeTldFile,
   writeTlsMarker
-} from "./chunk-FM7IA4AF.js";
+} from "./chunk-EZJWUTUA.js";
 
 // src/colors.ts
 function supportsColor() {
@@ -90,6 +91,9 @@ var SERVER_VALIDITY_DAYS = 365;
 var EXPIRY_BUFFER_MS = 7 * 24 * 60 * 60 * 1e3;
 var CA_COMMON_NAME = "portless Local CA";
 var OPENSSL_TIMEOUT_MS = 15e3;
+var MACOS_SECURITY_TIMEOUT_MS = 15e3;
+var MACOS_SECURITY_AUTH_TIMEOUT_MS = 12e4;
+var MACOS_SECURITY_ROOT_TIMEOUT_MS = 6e4;
 var CA_KEY_FILE = "ca-key.pem";
 var CA_CERT_FILE = "ca.pem";
 var SERVER_KEY_FILE = "server-key.pem";
@@ -338,13 +342,13 @@ function isCATrustedMacOS(caCertPath) {
         ["-u", sudoUser, "security", "verify-cert", "-c", caCertPath, "-L", "-p", "ssl"],
         {
           stdio: "pipe",
-          timeout: 5e3
+          timeout: MACOS_SECURITY_TIMEOUT_MS
         }
       );
     } else {
       execFileSync("security", ["verify-cert", "-c", caCertPath, "-L", "-p", "ssl"], {
         stdio: "pipe",
-        timeout: 5e3
+        timeout: MACOS_SECURITY_TIMEOUT_MS
       });
     }
     return true;
@@ -356,7 +360,7 @@ function loginKeychainPath() {
   try {
     const result = execFileSync("security", ["default-keychain"], {
       encoding: "utf-8",
-      timeout: 5e3
+      timeout: MACOS_SECURITY_TIMEOUT_MS
     }).trim();
     const match = result.match(/"(.+)"/);
     if (match) return match[1];
@@ -572,14 +576,14 @@ function trustCA(stateDir) {
             "/Library/Keychains/System.keychain",
             caCertPath
           ],
-          { stdio: "pipe", timeout: 3e4 }
+          { stdio: "pipe", timeout: MACOS_SECURITY_ROOT_TIMEOUT_MS }
         );
       } else {
         const keychain = loginKeychainPath();
         execFileSync(
           "security",
           ["add-trusted-cert", "-r", "trustRoot", "-k", keychain, caCertPath],
-          { stdio: "pipe", timeout: 3e4 }
+          { stdio: "pipe", timeout: MACOS_SECURITY_AUTH_TIMEOUT_MS }
         );
       }
       return { trusted: true };
@@ -602,6 +606,10 @@ function trustCA(stateDir) {
     return { trusted: false, error: `Unsupported platform: ${process.platform}` };
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
+    if (message.includes("ETIMEDOUT")) {
+      const hint = process.platform === "darwin" ? "The macOS security command timed out. This can happen when the Keychain Services daemon is unresponsive or a system authorization dialog was not dismissed in time. Try restarting Keychain Access (or run: sudo killall securityd) and then: portless trust" : "The trust command timed out. Try: portless trust";
+      return { trusted: false, error: hint };
+    }
     if (message.includes("authorization") || message.includes("permission") || message.includes("EACCES")) {
       return {
         trusted: false,
@@ -639,7 +647,7 @@ function untrustCAMacOS(caCertPath) {
   const errors = [];
   const tryExec = (args) => {
     try {
-      execFileSync("security", args, { stdio: "pipe", timeout: 3e4 });
+      execFileSync("security", args, { stdio: "pipe", timeout: MACOS_SECURITY_ROOT_TIMEOUT_MS });
       return true;
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -663,12 +671,12 @@ function isCATrustedMacOSAfterAttempt(caCertPath) {
       execFileSync(
         "sudo",
         ["-u", sudoUser, "security", "verify-cert", "-c", caCertPath, "-L", "-p", "ssl"],
-        { stdio: "pipe", timeout: 5e3 }
+        { stdio: "pipe", timeout: MACOS_SECURITY_TIMEOUT_MS }
       );
     } else {
       execFileSync("security", ["verify-cert", "-c", caCertPath, "-L", "-p", "ssl"], {
         stdio: "pipe",
-        timeout: 5e3
+        timeout: MACOS_SECURITY_TIMEOUT_MS
       });
     }
     return true;
@@ -1522,6 +1530,7 @@ function startProxyServer(store, proxyPort, tld, tlsOptions, lanIp, strict) {
     }
     writeTlsMarker(store.dir, false);
     writeTldFile(store.dir, DEFAULT_TLD);
+    writeLanMarker(store.dir, null);
     if (autoSyncHosts) cleanHostsFile();
     server.close(() => process.exit(0));
     setTimeout(() => process.exit(0), EXIT_TIMEOUT_MS).unref();
@@ -1557,6 +1566,9 @@ async function stopProxy(store, proxyPort, _tls) {
             fs4.unlinkSync(store.portFilePath);
           } catch {
           }
+          writeTlsMarker(store.dir, false);
+          writeTldFile(store.dir, DEFAULT_TLD);
+          writeLanMarker(store.dir, null);
           console.log(colors_default.green(`Killed process ${pid}. Proxy stopped.`));
         } catch (err) {
           if (isErrnoException(err) && err.code === "EPERM") {
@@ -1593,6 +1605,9 @@ async function stopProxy(store, proxyPort, _tls) {
     if (isNaN(pid)) {
       console.error(colors_default.red("Corrupted PID file. Removing it."));
       fs4.unlinkSync(pidPath);
+      writeTlsMarker(store.dir, false);
+      writeTldFile(store.dir, DEFAULT_TLD);
+      writeLanMarker(store.dir, null);
       return;
     }
     try {
@@ -1608,6 +1623,9 @@ async function stopProxy(store, proxyPort, _tls) {
         fs4.unlinkSync(store.portFilePath);
       } catch {
       }
+      writeTlsMarker(store.dir, false);
+      writeTldFile(store.dir, DEFAULT_TLD);
+      writeLanMarker(store.dir, null);
       return;
     }
     if (!await isProxyRunning(proxyPort)) {
@@ -1618,6 +1636,9 @@ async function stopProxy(store, proxyPort, _tls) {
       );
       console.log(colors_default.yellow("Removing stale PID file."));
       fs4.unlinkSync(pidPath);
+      writeTlsMarker(store.dir, false);
+      writeTldFile(store.dir, DEFAULT_TLD);
+      writeLanMarker(store.dir, null);
       return;
     }
     process.kill(pid, "SIGTERM");
@@ -1626,6 +1647,9 @@ async function stopProxy(store, proxyPort, _tls) {
       fs4.unlinkSync(store.portFilePath);
     } catch {
     }
+    writeTlsMarker(store.dir, false);
+    writeTldFile(store.dir, DEFAULT_TLD);
+    writeLanMarker(store.dir, null);
     console.log(colors_default.green("Proxy stopped."));
   } catch (err) {
     if (isErrnoException(err) && err.code === "EPERM") {
@@ -1695,11 +1719,30 @@ portless
   const proxyResponsive = await isProxyRunning(proxyPort, tls2);
   const proxyListeningFromStateDir = !!process.env.PORTLESS_STATE_DIR && await isPortListening(proxyPort);
   if (!proxyResponsive && !proxyListeningFromStateDir) {
-    const defaultPort = getDefaultPort(desiredConfig.useHttps);
-    const needsSudo = !isWindows && defaultPort < PRIVILEGED_PORT_THRESHOLD;
-    const manualStartCommand = formatProxyStartCommand(defaultPort, desiredConfig);
-    const fallbackStartCommand = formatProxyStartCommand(FALLBACK_PROXY_PORT, desiredConfig);
-    if (needsSudo && !process.stdin.isTTY) {
+    const persisted = readPersistedProxyState();
+    const startConfig = { ...desiredConfig };
+    let startPort;
+    if (persisted) {
+      if (!explicit.useHttps && persisted.tls !== desiredConfig.useHttps) {
+        startConfig.useHttps = persisted.tls;
+      }
+      if (!explicit.tld && persisted.tld !== desiredConfig.tld) {
+        startConfig.tld = persisted.tld;
+      }
+      if (!explicit.lanMode && persisted.lanMode !== desiredConfig.lanMode) {
+        startConfig.lanMode = persisted.lanMode;
+      }
+      const envPort = getDefaultPort(startConfig.useHttps);
+      if (persisted.port !== envPort) {
+        startPort = persisted.port;
+      }
+    }
+    const effectivePort = startPort ?? getDefaultPort(startConfig.useHttps);
+    const needsSudo = !isWindows && effectivePort < PRIVILEGED_PORT_THRESHOLD;
+    const manualStartCommand = formatProxyStartCommand(effectivePort, startConfig);
+    const fallbackStartCommand = formatProxyStartCommand(FALLBACK_PROXY_PORT, startConfig);
+    const isInteractive = !!process.stdin.isTTY && !process.env.CI;
+    if (needsSudo && !isInteractive) {
       console.error(colors_default.red("Proxy is not running and no TTY is available for sudo."));
       console.error(colors_default.blue("Option 1: start the proxy in a terminal (will prompt for sudo):"));
       console.error(colors_default.cyan(`  ${manualStartCommand}`));
@@ -1711,7 +1754,7 @@ portless
       console.error(colors_default.cyan(`  ${fallbackStartCommand}`));
       process.exit(1);
     }
-    if (needsSudo && process.stdin.isTTY) {
+    if (needsSudo) {
       const answer = await prompt(colors_default.yellow("Proxy not running. Start it? [Y/n/skip] "));
       if (answer === "n" || answer === "no") {
         console.log(colors_default.gray("Cancelled."));
@@ -1723,16 +1766,26 @@ portless
         return;
       }
     }
-    console.log(colors_default.yellow("Starting proxy..."));
+    if (persisted && startPort !== void 0) {
+      console.log(
+        colors_default.yellow(
+          `Starting proxy with previous configuration (port ${startPort}, ${startConfig.useHttps ? "HTTPS" : "HTTP"})...`
+        )
+      );
+    } else {
+      console.log(colors_default.yellow("Starting proxy..."));
+    }
     const proxyStartConfig = buildProxyStartConfig({
-      useHttps: desiredConfig.useHttps,
-      customCertPath: desiredConfig.customCertPath,
-      customKeyPath: desiredConfig.customKeyPath,
-      lanMode: desiredConfig.lanMode,
-      lanIp: desiredConfig.lanIpExplicit ? desiredConfig.lanIp : null,
-      lanIpExplicit: desiredConfig.lanIpExplicit,
-      tld: desiredConfig.tld,
-      useWildcard: desiredConfig.useWildcard
+      useHttps: startConfig.useHttps,
+      customCertPath: startConfig.customCertPath,
+      customKeyPath: startConfig.customKeyPath,
+      lanMode: startConfig.lanMode,
+      lanIp: startConfig.lanIpExplicit ? startConfig.lanIp : null,
+      lanIpExplicit: startConfig.lanIpExplicit,
+      tld: startConfig.tld,
+      useWildcard: startConfig.useWildcard,
+      includePort: startPort !== void 0,
+      proxyPort: startPort
     });
     const startArgs = [getEntryScript(), "proxy", "start", ...proxyStartConfig.args];
     const result = spawnSync2(process.execPath, startArgs, {
@@ -1752,7 +1805,7 @@ portless
     }
     if (!discovered) {
       console.error(colors_default.red("Failed to start proxy."));
-      const fallbackDir = resolveStateDir(getDefaultPort(desiredConfig.useHttps));
+      const fallbackDir = resolveStateDir(effectivePort);
       const logPath = path4.join(fallbackDir, "proxy.log");
       console.error(colors_default.blue("Try starting it manually:"));
       console.error(colors_default.cyan(`  ${manualStartCommand}`));
@@ -1837,9 +1890,17 @@ portless
     process.env.PORTLESS_LAN = "1";
   }
   injectFrameworkFlags(commandArgs, port);
+  const caEnv = {};
+  if (tls2 && !process.env.NODE_EXTRA_CA_CERTS) {
+    const caPath = path4.join(stateDir, "ca.pem");
+    if (fs4.existsSync(caPath)) {
+      caEnv.NODE_EXTRA_CA_CERTS = caPath;
+    }
+  }
+  const caFragment = caEnv.NODE_EXTRA_CA_CERTS ? ` NODE_EXTRA_CA_CERTS="${caEnv.NODE_EXTRA_CA_CERTS}"` : "";
   console.log(
     chalk.gray(
-      `Running: PORT=${port}${hostBind ? ` HOST=${hostBind}` : ""} PORTLESS_URL=${finalUrl} ${commandArgs.join(" ")}
+      `Running: PORT=${port}${hostBind ? ` HOST=${hostBind}` : ""} PORTLESS_URL=${finalUrl}${caFragment} ${commandArgs.join(" ")}
 `
     )
   );
@@ -1853,7 +1914,8 @@ portless
       // Note: EXPO_PACKAGER_PROXY_URL is not used — expo-dev-client removed
       // baked-in pinging, making this env var ineffective. Expo handles its
       // own LAN discovery natively.
-      ...lanMode ? { PORTLESS_LAN: "1" } : {}
+      ...lanMode ? { PORTLESS_LAN: "1" } : {},
+      ...caEnv
     },
     onCleanup: () => {
       try {
@@ -2055,7 +2117,8 @@ ${colors_default.bold("LAN mode:")}
   Expo keeps Metro's default LAN host behavior in this mode.
   Auto-detected LAN IPs follow network changes automatically.
   Stopped LAN proxies keep LAN mode for the next start via proxy.lan.
-  Other proxy settings still follow the current flags and env vars.
+  All proxy settings are persisted and reused on auto-start unless
+  overridden by explicit flags or env vars.
   Use PORTLESS_LAN=0 for one start to switch back to .localhost mode.
   If a proxy is already running with different explicit LAN/TLS/TLD settings,
   stop it first.
@@ -2098,6 +2161,7 @@ ${colors_default.bold("Child process environment:")}
   HOST                          Usually 127.0.0.1 (omitted for Expo in LAN mode)
   PORTLESS_URL                  Public URL of the app (e.g. https://myapp.localhost)
   PORTLESS_LAN                  Set to 1 when proxy is in LAN mode
+  NODE_EXTRA_CA_CERTS           Path to the portless CA (set when HTTPS is active)
 
 ${colors_default.bold("Safari / DNS:")}
   .localhost subdomains auto-resolve in Chrome, Firefox, and Edge.
@@ -2119,7 +2183,7 @@ ${colors_default.bold("Reserved names:")}
   process.exit(0);
 }
 function printVersion() {
-  console.log("0.10.1");
+  console.log("0.10.3");
   process.exit(0);
 }
 async function handleTrust() {
@@ -2517,6 +2581,7 @@ ${colors_default.bold("LAN mode (--lan):")}
     process.exit(isProxyHelp || !args[1] ? 0 : 1);
   }
   const isForeground = args.includes("--foreground");
+  const skipTrust = args.includes("--skip-trust");
   const hasHttpsFlag = args.includes("--https");
   const hasNoTls = args.includes("--no-tls") || isHttpsEnvDisabled();
   const wantHttps = !hasNoTls;
@@ -2816,7 +2881,7 @@ ${colors_default.bold("LAN mode (--lan):")}
       if (certs.caGenerated) {
         console.log(colors_default.green("Generated local CA certificate."));
       }
-      if (!isCATrusted(stateDir)) {
+      if (!skipTrust && !isCATrusted(stateDir)) {
         console.log(colors_default.yellow("Adding CA to system trust store..."));
         const trustResult = trustCA(stateDir);
         if (trustResult.trusted) {
@@ -2874,7 +2939,8 @@ ${colors_default.bold("LAN mode (--lan):")}
         useWildcard: desiredWildcard,
         foreground: true,
         includePort: true,
-        proxyPort
+        proxyPort,
+        skipTrust: true
       }).args
     ];
     const child = spawn2(process.execPath, daemonArgs, {

package/dist/index.js

@@ -21,7 +21,7 @@ import {
   removeBlock,
   shouldAutoSyncHosts,
   syncHostsFile
-} from "./chunk-FM7IA4AF.js";
+} from "./chunk-EZJWUTUA.js";
 export {
   DIR_MODE,
   FILE_MODE,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "portless",
-  "version": "0.10.1",
+  "version": "0.10.3",
   "description": "Replace port numbers with stable, named .localhost URLs. For humans and agents.",
   "type": "module",
   "main": "./dist/index.js",