portless 0.4.1 → 0.4.2

package/dist/cli.js

@@ -1,19 +1,34 @@
 #!/usr/bin/env node
 import {
   FILE_MODE,
-  PORTLESS_HEADER,
+  PRIVILEGED_PORT_THRESHOLD,
+  RouteConflictError,
   RouteStore,
   createProxyServer,
+  discoverState,
+  findFreePort,
+  findPidOnPort,
+  fixOwnership,
   formatUrl,
+  getDefaultPort,
+  injectFrameworkFlags,
   isErrnoException,
-  parseHostname
-} from "./chunk-VRBD6YAY.js";
+  isHttpsEnvEnabled,
+  isProxyRunning,
+  parseHostname,
+  prompt,
+  readTlsMarker,
+  resolveStateDir,
+  spawnCommand,
+  waitForProxy,
+  writeTlsMarker
+} from "./chunk-JMRTQAVX.js";
 
 // src/cli.ts
 import chalk from "chalk";
-import * as fs3 from "fs";
-import * as path3 from "path";
-import { spawn as spawn2, spawnSync } from "child_process";
+import * as fs2 from "fs";
+import * as path2 from "path";
+import { spawn, spawnSync } from "child_process";
 
 // src/certs.ts
 import * as fs from "fs";
@@ -23,17 +38,6 @@ import * as tls from "tls";
 import { execFile as execFileCb, execFileSync } from "child_process";
 import { promisify } from "util";
 var CA_VALIDITY_DAYS = 3650;
-function fixOwnership(...paths) {
-  const uid = process.env.SUDO_UID;
-  const gid = process.env.SUDO_GID;
-  if (!uid || process.getuid?.() !== 0) return;
-  for (const p of paths) {
-    try {
-      fs.chownSync(p, parseInt(uid, 10), parseInt(gid || uid, 10));
-    } catch {
-    }
-  }
-}
 var SERVER_VALIDITY_DAYS = 365;
 var EXPIRY_BUFFER_MS = 7 * 24 * 60 * 60 * 1e3;
 var CA_COMMON_NAME = "portless Local CA";
@@ -60,6 +64,17 @@ function isCertValid(certPath) {
     return false;
   }
 }
+function isCertSignatureStrong(certPath) {
+  try {
+    const text = openssl(["x509", "-in", certPath, "-noout", "-text"]);
+    const match = text.match(/Signature Algorithm:\s*(\S+)/i);
+    if (!match) return false;
+    const algo = match[1].toLowerCase();
+    return !algo.includes("sha1");
+  } catch {
+    return false;
+  }
+}
 function openssl(args, options) {
   try {
     return execFileSync("openssl", args, {
@@ -102,6 +117,7 @@ function generateCA(stateDir) {
     "req",
     "-new",
     "-x509",
+    "-sha256",
     "-key",
     keyPath,
     "-out",
@@ -142,6 +158,7 @@ function generateServerCert(stateDir) {
   openssl([
     "x509",
     "-req",
+    "-sha256",
     "-in",
     csrPath,
     "-CA",
@@ -171,12 +188,13 @@ function ensureCerts(stateDir) {
   const caCertPath = path.join(stateDir, CA_CERT_FILE);
   const caKeyPath = path.join(stateDir, CA_KEY_FILE);
   const serverCertPath = path.join(stateDir, SERVER_CERT_FILE);
+  const serverKeyPath = path.join(stateDir, SERVER_KEY_FILE);
   let caGenerated = false;
-  if (!fileExists(caCertPath) || !fileExists(caKeyPath) || !isCertValid(caCertPath)) {
+  if (!fileExists(caCertPath) || !fileExists(caKeyPath) || !isCertValid(caCertPath) || !isCertSignatureStrong(caCertPath)) {
     generateCA(stateDir);
     caGenerated = true;
   }
-  if (caGenerated || !fileExists(serverCertPath) || !isCertValid(serverCertPath)) {
+  if (caGenerated || !fileExists(serverCertPath) || !fileExists(serverKeyPath) || !isCertValid(serverCertPath) || !isCertSignatureStrong(serverCertPath)) {
     generateServerCert(stateDir);
   }
   return {
@@ -276,6 +294,7 @@ async function generateHostCertAsync(stateDir, hostname) {
   await opensslAsync([
     "x509",
     "-req",
+    "-sha256",
     "-in",
     csrPath,
     "-CA",
@@ -301,16 +320,12 @@ async function generateHostCertAsync(stateDir, hostname) {
   fixOwnership(keyPath, certPath);
   return { certPath, keyPath };
 }
-function isSimpleLocalhostSubdomain(hostname) {
-  const parts = hostname.split(".");
-  return parts.length === 2 && parts[1] === "localhost";
-}
 function createSNICallback(stateDir, defaultCert, defaultKey) {
   const cache = /* @__PURE__ */ new Map();
   const pending = /* @__PURE__ */ new Map();
   const defaultCtx = tls.createSecureContext({ cert: defaultCert, key: defaultKey });
   return (servername, cb) => {
-    if (servername === "localhost" || isSimpleLocalhostSubdomain(servername)) {
+    if (servername === "localhost") {
       cb(null, defaultCtx);
       return;
     }
@@ -322,7 +337,7 @@ function createSNICallback(stateDir, defaultCert, defaultKey) {
     const hostDir = path.join(stateDir, HOST_CERTS_DIR);
     const certPath = path.join(hostDir, `${safeName}.pem`);
     const keyPath = path.join(hostDir, `${safeName}-key.pem`);
-    if (fileExists(certPath) && fileExists(keyPath) && isCertValid(certPath)) {
+    if (fileExists(certPath) && fileExists(keyPath) && isCertValid(certPath) && isCertSignatureStrong(certPath)) {
       try {
         const ctx = tls.createSecureContext({
           cert: fs.readFileSync(certPath),
@@ -389,252 +404,6 @@ function trustCA(stateDir) {
   }
 }
 
-// src/cli-utils.ts
-import * as fs2 from "fs";
-import * as http from "http";
-import * as https from "https";
-import * as net from "net";
-import * as os from "os";
-import * as path2 from "path";
-import * as readline from "readline";
-import { execSync, spawn } from "child_process";
-var DEFAULT_PROXY_PORT = 1355;
-var PRIVILEGED_PORT_THRESHOLD = 1024;
-var SYSTEM_STATE_DIR = "/tmp/portless";
-var USER_STATE_DIR = path2.join(os.homedir(), ".portless");
-var MIN_APP_PORT = 4e3;
-var MAX_APP_PORT = 4999;
-var RANDOM_PORT_ATTEMPTS = 50;
-var SOCKET_TIMEOUT_MS = 500;
-var LSOF_TIMEOUT_MS = 5e3;
-var WAIT_FOR_PROXY_MAX_ATTEMPTS = 20;
-var WAIT_FOR_PROXY_INTERVAL_MS = 250;
-var SIGNAL_CODES = {
-  SIGHUP: 1,
-  SIGINT: 2,
-  SIGQUIT: 3,
-  SIGABRT: 6,
-  SIGKILL: 9,
-  SIGTERM: 15
-};
-function getDefaultPort() {
-  const envPort = process.env.PORTLESS_PORT;
-  if (envPort) {
-    const port = parseInt(envPort, 10);
-    if (!isNaN(port) && port >= 1 && port <= 65535) return port;
-  }
-  return DEFAULT_PROXY_PORT;
-}
-function resolveStateDir(port) {
-  if (process.env.PORTLESS_STATE_DIR) return process.env.PORTLESS_STATE_DIR;
-  return port < PRIVILEGED_PORT_THRESHOLD ? SYSTEM_STATE_DIR : USER_STATE_DIR;
-}
-function readPortFromDir(dir) {
-  try {
-    const raw = fs2.readFileSync(path2.join(dir, "proxy.port"), "utf-8").trim();
-    const port = parseInt(raw, 10);
-    return isNaN(port) ? null : port;
-  } catch {
-    return null;
-  }
-}
-var TLS_MARKER_FILE = "proxy.tls";
-function readTlsMarker(dir) {
-  try {
-    return fs2.existsSync(path2.join(dir, TLS_MARKER_FILE));
-  } catch {
-    return false;
-  }
-}
-function writeTlsMarker(dir, enabled) {
-  const markerPath = path2.join(dir, TLS_MARKER_FILE);
-  if (enabled) {
-    fs2.writeFileSync(markerPath, "1", { mode: 420 });
-  } else {
-    try {
-      fs2.unlinkSync(markerPath);
-    } catch {
-    }
-  }
-}
-function isHttpsEnvEnabled() {
-  const val = process.env.PORTLESS_HTTPS;
-  return val === "1" || val === "true";
-}
-async function discoverState() {
-  if (process.env.PORTLESS_STATE_DIR) {
-    const dir = process.env.PORTLESS_STATE_DIR;
-    const port = readPortFromDir(dir) ?? getDefaultPort();
-    const tls2 = readTlsMarker(dir);
-    return { dir, port, tls: tls2 };
-  }
-  const userPort = readPortFromDir(USER_STATE_DIR);
-  if (userPort !== null) {
-    const tls2 = readTlsMarker(USER_STATE_DIR);
-    if (await isProxyRunning(userPort, tls2)) {
-      return { dir: USER_STATE_DIR, port: userPort, tls: tls2 };
-    }
-  }
-  const systemPort = readPortFromDir(SYSTEM_STATE_DIR);
-  if (systemPort !== null) {
-    const tls2 = readTlsMarker(SYSTEM_STATE_DIR);
-    if (await isProxyRunning(systemPort, tls2)) {
-      return { dir: SYSTEM_STATE_DIR, port: systemPort, tls: tls2 };
-    }
-  }
-  const defaultPort = getDefaultPort();
-  return { dir: resolveStateDir(defaultPort), port: defaultPort, tls: false };
-}
-async function findFreePort(minPort = MIN_APP_PORT, maxPort = MAX_APP_PORT) {
-  if (minPort > maxPort) {
-    throw new Error(`minPort (${minPort}) must be <= maxPort (${maxPort})`);
-  }
-  const tryPort = (port) => {
-    return new Promise((resolve) => {
-      const server = net.createServer();
-      server.listen(port, () => {
-        server.close(() => resolve(true));
-      });
-      server.on("error", () => resolve(false));
-    });
-  };
-  for (let i = 0; i < RANDOM_PORT_ATTEMPTS; i++) {
-    const port = minPort + Math.floor(Math.random() * (maxPort - minPort + 1));
-    if (await tryPort(port)) {
-      return port;
-    }
-  }
-  for (let port = minPort; port <= maxPort; port++) {
-    if (await tryPort(port)) {
-      return port;
-    }
-  }
-  throw new Error(`No free port found in range ${minPort}-${maxPort}`);
-}
-function isProxyRunning(port, tls2 = false) {
-  return new Promise((resolve) => {
-    const requestFn = tls2 ? https.request : http.request;
-    const req = requestFn(
-      {
-        hostname: "127.0.0.1",
-        port,
-        path: "/",
-        method: "HEAD",
-        timeout: SOCKET_TIMEOUT_MS,
-        ...tls2 ? { rejectUnauthorized: false } : {}
-      },
-      (res) => {
-        res.resume();
-        resolve(res.headers[PORTLESS_HEADER.toLowerCase()] === "1");
-      }
-    );
-    req.on("error", () => resolve(false));
-    req.on("timeout", () => {
-      req.destroy();
-      resolve(false);
-    });
-    req.end();
-  });
-}
-function findPidOnPort(port) {
-  try {
-    const output = execSync(`lsof -ti tcp:${port} -sTCP:LISTEN`, {
-      encoding: "utf-8",
-      timeout: LSOF_TIMEOUT_MS
-    });
-    const pid = parseInt(output.trim().split("\n")[0], 10);
-    return isNaN(pid) ? null : pid;
-  } catch {
-    return null;
-  }
-}
-async function waitForProxy(port, maxAttempts = WAIT_FOR_PROXY_MAX_ATTEMPTS, intervalMs = WAIT_FOR_PROXY_INTERVAL_MS, tls2 = false) {
-  for (let i = 0; i < maxAttempts; i++) {
-    await new Promise((resolve) => setTimeout(resolve, intervalMs));
-    if (await isProxyRunning(port, tls2)) {
-      return true;
-    }
-  }
-  return false;
-}
-function spawnCommand(commandArgs, options) {
-  const child = spawn(commandArgs[0], commandArgs.slice(1), {
-    stdio: "inherit",
-    env: options?.env
-  });
-  let exiting = false;
-  const cleanup = () => {
-    process.removeListener("SIGINT", onSigInt);
-    process.removeListener("SIGTERM", onSigTerm);
-    options?.onCleanup?.();
-  };
-  const handleSignal = (signal) => {
-    if (exiting) return;
-    exiting = true;
-    child.kill(signal);
-    cleanup();
-    process.exit(128 + (SIGNAL_CODES[signal] || 15));
-  };
-  const onSigInt = () => handleSignal("SIGINT");
-  const onSigTerm = () => handleSignal("SIGTERM");
-  process.on("SIGINT", onSigInt);
-  process.on("SIGTERM", onSigTerm);
-  child.on("error", (err) => {
-    if (exiting) return;
-    exiting = true;
-    console.error(`Failed to run command: ${err.message}`);
-    if (err.code === "ENOENT") {
-      console.error(`Is "${commandArgs[0]}" installed and in your PATH?`);
-    }
-    cleanup();
-    process.exit(1);
-  });
-  child.on("exit", (code, signal) => {
-    if (exiting) return;
-    exiting = true;
-    cleanup();
-    if (signal) {
-      process.exit(128 + (SIGNAL_CODES[signal] || 15));
-    }
-    process.exit(code ?? 1);
-  });
-}
-var FRAMEWORKS_NEEDING_PORT = {
-  vite: { strictPort: true },
-  "react-router": { strictPort: true },
-  astro: { strictPort: false },
-  ng: { strictPort: false }
-};
-function injectFrameworkFlags(commandArgs, port) {
-  const cmd = commandArgs[0];
-  if (!cmd) return;
-  const basename2 = path2.basename(cmd);
-  const framework = FRAMEWORKS_NEEDING_PORT[basename2];
-  if (!framework) return;
-  if (!commandArgs.includes("--port")) {
-    commandArgs.push("--port", port.toString());
-    if (framework.strictPort) {
-      commandArgs.push("--strictPort");
-    }
-  }
-  if (!commandArgs.includes("--host")) {
-    commandArgs.push("--host", "127.0.0.1");
-  }
-}
-function prompt(question) {
-  const rl = readline.createInterface({
-    input: process.stdin,
-    output: process.stdout
-  });
-  return new Promise((resolve) => {
-    rl.on("close", () => resolve(""));
-    rl.question(question, (answer) => {
-      rl.close();
-      resolve(answer.trim().toLowerCase());
-    });
-  });
-}
-
 // src/cli.ts
 var DEBOUNCE_MS = 100;
 var POLL_INTERVAL_MS = 3e3;
@@ -644,13 +413,14 @@ function startProxyServer(store, proxyPort, tlsOptions) {
   store.ensureDir();
   const isTls = !!tlsOptions;
   const routesPath = store.getRoutesPath();
-  if (!fs3.existsSync(routesPath)) {
-    fs3.writeFileSync(routesPath, "[]", { mode: FILE_MODE });
+  if (!fs2.existsSync(routesPath)) {
+    fs2.writeFileSync(routesPath, "[]", { mode: FILE_MODE });
   }
   try {
-    fs3.chmodSync(routesPath, FILE_MODE);
+    fs2.chmodSync(routesPath, FILE_MODE);
   } catch {
   }
+  fixOwnership(routesPath);
   let cachedRoutes = store.loadRoutes();
   let debounceTimer = null;
   let watcher = null;
@@ -662,7 +432,7 @@ function startProxyServer(store, proxyPort, tlsOptions) {
     }
   };
   try {
-    watcher = fs3.watch(routesPath, () => {
+    watcher = fs2.watch(routesPath, () => {
       if (debounceTimer) clearTimeout(debounceTimer);
       debounceTimer = setTimeout(reloadRoutes, DEBOUNCE_MS);
     });
@@ -695,9 +465,10 @@ function startProxyServer(store, proxyPort, tlsOptions) {
     process.exit(1);
   });
   server.listen(proxyPort, () => {
-    fs3.writeFileSync(store.pidPath, process.pid.toString(), { mode: FILE_MODE });
-    fs3.writeFileSync(store.portFilePath, proxyPort.toString(), { mode: FILE_MODE });
+    fs2.writeFileSync(store.pidPath, process.pid.toString(), { mode: FILE_MODE });
+    fs2.writeFileSync(store.portFilePath, proxyPort.toString(), { mode: FILE_MODE });
     writeTlsMarker(store.dir, isTls);
+    fixOwnership(store.dir, store.pidPath, store.portFilePath);
     const proto = isTls ? "HTTPS/2" : "HTTP";
     console.log(chalk.green(`${proto} proxy listening on port ${proxyPort}`));
   });
@@ -711,11 +482,11 @@ function startProxyServer(store, proxyPort, tlsOptions) {
       watcher.close();
     }
     try {
-      fs3.unlinkSync(store.pidPath);
+      fs2.unlinkSync(store.pidPath);
     } catch {
     }
     try {
-      fs3.unlinkSync(store.portFilePath);
+      fs2.unlinkSync(store.portFilePath);
     } catch {
     }
     writeTlsMarker(store.dir, false);
@@ -731,7 +502,7 @@ async function stopProxy(store, proxyPort, tls2) {
   const pidPath = store.pidPath;
   const needsSudo = proxyPort < PRIVILEGED_PORT_THRESHOLD;
   const sudoHint = needsSudo ? "sudo " : "";
-  if (!fs3.existsSync(pidPath)) {
+  if (!fs2.existsSync(pidPath)) {
     if (await isProxyRunning(proxyPort, tls2)) {
       console.log(chalk.yellow(`PID file is missing but port ${proxyPort} is still in use.`));
       const pid = findPidOnPort(proxyPort);
@@ -739,7 +510,7 @@ async function stopProxy(store, proxyPort, tls2) {
         try {
           process.kill(pid, "SIGTERM");
           try {
-            fs3.unlinkSync(store.portFilePath);
+            fs2.unlinkSync(store.portFilePath);
           } catch {
           }
           console.log(chalk.green(`Killed process ${pid}. Proxy stopped.`));
@@ -770,19 +541,19 @@ async function stopProxy(store, proxyPort, tls2) {
     return;
   }
   try {
-    const pid = parseInt(fs3.readFileSync(pidPath, "utf-8"), 10);
+    const pid = parseInt(fs2.readFileSync(pidPath, "utf-8"), 10);
     if (isNaN(pid)) {
       console.error(chalk.red("Corrupted PID file. Removing it."));
-      fs3.unlinkSync(pidPath);
+      fs2.unlinkSync(pidPath);
       return;
     }
     try {
       process.kill(pid, 0);
     } catch {
       console.log(chalk.yellow("Proxy process is no longer running. Cleaning up stale files."));
-      fs3.unlinkSync(pidPath);
+      fs2.unlinkSync(pidPath);
       try {
-        fs3.unlinkSync(store.portFilePath);
+        fs2.unlinkSync(store.portFilePath);
       } catch {
       }
       return;
@@ -794,13 +565,13 @@ async function stopProxy(store, proxyPort, tls2) {
         )
       );
       console.log(chalk.yellow("Removing stale PID file."));
-      fs3.unlinkSync(pidPath);
+      fs2.unlinkSync(pidPath);
       return;
     }
     process.kill(pid, "SIGTERM");
-    fs3.unlinkSync(pidPath);
+    fs2.unlinkSync(pidPath);
     try {
-      fs3.unlinkSync(store.portFilePath);
+      fs2.unlinkSync(store.portFilePath);
     } catch {
     }
     console.log(chalk.green("Proxy stopped."));
@@ -833,7 +604,7 @@ function listRoutes(store, proxyPort, tls2) {
   }
   console.log();
 }
-async function runApp(store, proxyPort, stateDir, name, commandArgs, tls2) {
+async function runApp(store, proxyPort, stateDir, name, commandArgs, tls2, force) {
   const hostname = parseHostname(name);
   console.log(chalk.blue.bold(`
 portless
@@ -893,10 +664,10 @@ portless
     const autoTls = readTlsMarker(stateDir);
     if (!await waitForProxy(defaultPort, void 0, void 0, autoTls)) {
       console.error(chalk.red("Proxy failed to start (timed out waiting for it to listen)."));
-      const logPath = path3.join(stateDir, "proxy.log");
+      const logPath = path2.join(stateDir, "proxy.log");
       console.error(chalk.blue("Try starting the proxy manually to see the error:"));
       console.error(chalk.cyan(`  ${needsSudo ? "sudo " : ""}portless proxy start`));
-      if (fs3.existsSync(logPath)) {
+      if (fs2.existsSync(logPath)) {
         console.error(chalk.gray(`Logs: ${logPath}`));
       }
       process.exit(1);
@@ -908,7 +679,15 @@ portless
   }
   const port = await findFreePort();
   console.log(chalk.green(`-- Using port ${port}`));
-  store.addRoute(hostname, port, process.pid);
+  try {
+    store.addRoute(hostname, port, process.pid, force);
+  } catch (err) {
+    if (err instanceof RouteConflictError) {
+      console.error(chalk.red(`Error: ${err.message}`));
+      process.exit(1);
+    }
+    throw err;
+  }
   const finalUrl = formatUrl(hostname, proxyPort, tls2);
   console.log(chalk.cyan.bold(`
   -> ${finalUrl}
@@ -932,6 +711,14 @@ portless
   });
 }
 async function main() {
+  if (process.stdin.isTTY) {
+    process.on("exit", () => {
+      try {
+        process.stdin.setRawMode(false);
+      } catch {
+      }
+    });
+  }
   const args = process.argv.slice(2);
   const isNpx = process.env.npm_command === "exec" && !process.env.npm_lifecycle_event;
   const isPnpmDlx = !!process.env.PNPM_SCRIPT_SRC_DIR && !process.env.npm_lifecycle_event;
@@ -1001,6 +788,7 @@ ${chalk.bold("Options:")}
   --key <path>                  Use a custom TLS private key (implies --https)
   --no-tls                      Disable HTTPS (overrides PORTLESS_HTTPS)
   --foreground                  Run proxy in foreground (for debugging)
+  --force                       Override an existing route registered by another process
 
 ${chalk.bold("Environment variables:")}
   PORTLESS_PORT=<number>        Override the default proxy port (e.g. in .bashrc)
@@ -1015,7 +803,7 @@ ${chalk.bold("Skip portless:")}
     process.exit(0);
   }
   if (args[0] === "--version" || args[0] === "-v") {
-    console.log("0.4.1");
+    console.log("0.4.2");
     process.exit(0);
   }
   if (args[0] === "trust") {
@@ -1137,8 +925,8 @@ ${chalk.bold("Usage: portless proxy <command>")}
       store2.ensureDir();
       if (customCertPath && customKeyPath) {
         try {
-          const cert = fs3.readFileSync(customCertPath);
-          const key = fs3.readFileSync(customKeyPath);
+          const cert = fs2.readFileSync(customCertPath);
+          const key = fs2.readFileSync(customKeyPath);
           const certStr = cert.toString("utf-8");
           const keyStr = key.toString("utf-8");
           if (!certStr.includes("-----BEGIN CERTIFICATE-----")) {
@@ -1183,8 +971,8 @@ ${chalk.bold("Usage: portless proxy <command>")}
             console.warn(chalk.cyan("  portless trust"));
           }
         }
-        const cert = fs3.readFileSync(certs.certPath);
-        const key = fs3.readFileSync(certs.keyPath);
+        const cert = fs2.readFileSync(certs.certPath);
+        const key = fs2.readFileSync(certs.keyPath);
         tlsOptions = {
           cert,
           key,
@@ -1198,13 +986,14 @@ ${chalk.bold("Usage: portless proxy <command>")}
       return;
     }
     store2.ensureDir();
-    const logPath = path3.join(stateDir, "proxy.log");
-    const logFd = fs3.openSync(logPath, "a");
+    const logPath = path2.join(stateDir, "proxy.log");
+    const logFd = fs2.openSync(logPath, "a");
     try {
       try {
-        fs3.chmodSync(logPath, FILE_MODE);
+        fs2.chmodSync(logPath, FILE_MODE);
       } catch {
       }
+      fixOwnership(logPath);
       const daemonArgs = [process.argv[1], "proxy", "start", "--foreground"];
       if (portFlagIndex !== -1) {
         daemonArgs.push("--port", proxyPort.toString());
@@ -1216,21 +1005,21 @@ ${chalk.bold("Usage: portless proxy <command>")}
           daemonArgs.push("--https");
         }
       }
-      const child = spawn2(process.execPath, daemonArgs, {
+      const child = spawn(process.execPath, daemonArgs, {
         detached: true,
         stdio: ["ignore", logFd, logFd],
         env: process.env
       });
       child.unref();
     } finally {
-      fs3.closeSync(logFd);
+      fs2.closeSync(logFd);
     }
     if (!await waitForProxy(proxyPort, void 0, void 0, useHttps)) {
       console.error(chalk.red("Proxy failed to start (timed out waiting for it to listen)."));
       console.error(chalk.blue("Try starting the proxy in the foreground to see the error:"));
       const needsSudo = proxyPort < PRIVILEGED_PORT_THRESHOLD;
       console.error(chalk.cyan(`  ${needsSudo ? "sudo " : ""}portless proxy start --foreground`));
-      if (fs3.existsSync(logPath)) {
+      if (fs2.existsSync(logPath)) {
         console.error(chalk.gray(`Logs: ${logPath}`));
       }
       process.exit(1);
@@ -1239,8 +1028,11 @@ ${chalk.bold("Usage: portless proxy <command>")}
     console.log(chalk.green(`${proto} proxy started on port ${proxyPort}`));
     return;
   }
-  const name = args[0];
-  const commandArgs = args.slice(1);
+  const forceIdx = args.indexOf("--force");
+  const force = forceIdx >= 0 && forceIdx <= 1;
+  const appArgs = force ? [...args.slice(0, forceIdx), ...args.slice(forceIdx + 1)] : args;
+  const name = appArgs[0];
+  const commandArgs = appArgs.slice(1);
   if (commandArgs.length === 0) {
     console.error(chalk.red("Error: No command provided."));
     console.error(chalk.blue("Usage:"));
@@ -1253,7 +1045,7 @@ ${chalk.bold("Usage: portless proxy <command>")}
   const store = new RouteStore(dir, {
     onWarning: (msg) => console.warn(chalk.yellow(msg))
   });
-  await runApp(store, port, dir, name, commandArgs, tls2);
+  await runApp(store, port, dir, name, commandArgs, tls2, force);
 }
 main().catch((err) => {
   const message = err instanceof Error ? err.message : String(err);