portless 0.7.2 → 0.9.0

package/dist/cli.js

@@ -1,12 +1,16 @@
 #!/usr/bin/env node
 import {
   DEFAULT_TLD,
+  FALLBACK_PROXY_PORT,
   FILE_MODE,
   PRIVILEGED_PORT_THRESHOLD,
   RISKY_TLDS,
   RouteConflictError,
   RouteStore,
+  WAIT_FOR_PROXY_INTERVAL_MS,
+  WAIT_FOR_PROXY_MAX_ATTEMPTS,
   cleanHostsFile,
+  createHttpRedirectServer,
   createProxyServer,
   discoverState,
   findFreePort,
@@ -15,15 +19,15 @@ import {
   formatUrl,
   getDefaultPort,
   getDefaultTld,
+  getProtocolPort,
   injectFrameworkFlags,
   isErrnoException,
-  isHttpsEnvEnabled,
+  isHttpsEnvDisabled,
   isProxyRunning,
+  isWildcardEnvEnabled,
   isWindows,
   parseHostname,
   prompt,
-  readTldFromDir,
-  readTlsMarker,
   resolveStateDir,
   spawnCommand,
   syncHostsFile,
@@ -31,10 +35,34 @@ import {
   waitForProxy,
   writeTldFile,
   writeTlsMarker
-} from "./chunk-ROBZDJST.js";
+} from "./chunk-5BR7NCNI.js";
+
+// src/colors.ts
+function supportsColor() {
+  if ("NO_COLOR" in process.env) return false;
+  if ("FORCE_COLOR" in process.env) return true;
+  return !!(process.stdout.isTTY || process.stderr.isTTY);
+}
+var enabled = supportsColor();
+var wrap = (open, close) => {
+  if (!enabled) return (s) => s;
+  return (s) => `\x1B[${open}m${s}\x1B[${close}m`;
+};
+var bold = wrap("1", "22");
+var red = wrap("31", "39");
+var green = wrap("32", "39");
+var yellow = wrap("33", "39");
+var blue = Object.assign(wrap("34", "39"), {
+  bold: enabled ? (s) => `\x1B[34;1m${s}\x1B[22;39m` : (s) => s
+});
+var cyan = Object.assign(wrap("36", "39"), {
+  bold: enabled ? (s) => `\x1B[36;1m${s}\x1B[22;39m` : (s) => s
+});
+var white = wrap("37", "39");
+var gray = wrap("90", "39");
+var colors_default = { bold, red, green, yellow, blue, cyan, white, gray };
 
 // src/cli.ts
-import chalk from "chalk";
 import * as fs3 from "fs";
 import * as path3 from "path";
 import { spawn, spawnSync } from "child_process";
@@ -164,6 +192,13 @@ function generateServerCert(stateDir) {
       "subjectAltName=DNS:localhost,DNS:*.localhost"
     ].join("\n") + "\n"
   );
+  const srlPath = path.join(stateDir, "ca.srl");
+  if (!fileExists(srlPath)) {
+    fs.writeFileSync(
+      srlPath,
+      crypto.randomUUID().replace(/-/g, "").slice(0, 16).toUpperCase() + "\n"
+    );
+  }
   openssl([
     "x509",
     "-req",
@@ -174,7 +209,8 @@ function generateServerCert(stateDir) {
     caCertPath,
     "-CAkey",
     caKeyPath,
-    "-CAcreateserial",
+    "-CAserial",
+    srlPath,
     "-out",
     serverCertPath,
     "-days",
@@ -364,6 +400,13 @@ async function generateHostCertAsync(stateDir, hostname) {
       `subjectAltName=${sans.join(",")}`
     ].join("\n") + "\n"
   );
+  const srlPath = path.join(stateDir, "ca.srl");
+  if (!fs.existsSync(srlPath)) {
+    await fs.promises.writeFile(
+      srlPath,
+      crypto.randomUUID().replace(/-/g, "").slice(0, 16).toUpperCase() + "\n"
+    );
+  }
   await opensslAsync([
     "x509",
     "-req",
@@ -374,7 +417,8 @@ async function generateHostCertAsync(stateDir, hostname) {
     caCertPath,
     "-CAkey",
     caKeyPath,
-    "-CAcreateserial",
+    "-CAserial",
+    srlPath,
     "-out",
     certPath,
     "-days",
@@ -497,7 +541,7 @@ function trustCA(stateDir) {
     if (message.includes("authorization") || message.includes("permission") || message.includes("EACCES")) {
       return {
         trusted: false,
-        error: "Permission denied. Try: sudo portless trust"
+        error: "Permission denied. Try: portless trust"
       };
     }
     return { trusted: false, error: message };
@@ -680,12 +724,36 @@ function readBranchFromHead(gitdir) {
 
 // src/cli.ts
 var HOSTS_DISPLAY = isWindows ? "hosts file" : "/etc/hosts";
-var SUDO_PREFIX = isWindows ? "" : "sudo ";
 var DEBOUNCE_MS = 100;
 var POLL_INTERVAL_MS = 3e3;
 var EXIT_TIMEOUT_MS = 2e3;
 var SUDO_SPAWN_TIMEOUT_MS = 3e4;
-function startProxyServer(store, proxyPort, tld, tlsOptions) {
+function getEntryScript() {
+  const script = process.argv[1];
+  if (!script) {
+    throw new Error("Cannot determine portless entry script (process.argv[1] is undefined)");
+  }
+  return script;
+}
+function collectPortlessEnvArgs() {
+  const envArgs = [];
+  for (const key of Object.keys(process.env)) {
+    if (key.startsWith("PORTLESS_") && process.env[key]) {
+      envArgs.push(`${key}=${process.env[key]}`);
+    }
+  }
+  return envArgs;
+}
+function sudoStop(port) {
+  const stopArgs = [process.execPath, getEntryScript(), "proxy", "stop", "-p", String(port)];
+  console.log(colors_default.yellow("Proxy is running as root. Elevating with sudo to stop it..."));
+  const result = spawnSync("sudo", ["env", ...collectPortlessEnvArgs(), ...stopArgs], {
+    stdio: "inherit",
+    timeout: SUDO_SPAWN_TIMEOUT_MS
+  });
+  return result.status === 0;
+}
+function startProxyServer(store, proxyPort, tld, tlsOptions, strict) {
   store.ensureDir();
   const isTls = !!tlsOptions;
   const routesPath = store.getRoutesPath();
@@ -718,7 +786,7 @@ function startProxyServer(store, proxyPort, tld, tlsOptions) {
       debounceTimer = setTimeout(reloadRoutes, DEBOUNCE_MS);
     });
   } catch {
-    console.warn(chalk.yellow("fs.watch unavailable; falling back to polling for route changes"));
+    console.warn(colors_default.yellow("fs.watch unavailable; falling back to polling for route changes"));
     pollingInterval = setInterval(reloadRoutes, POLL_INTERVAL_MS);
   }
   if (autoSyncHosts) {
@@ -728,31 +796,39 @@ function startProxyServer(store, proxyPort, tld, tlsOptions) {
     getRoutes: () => cachedRoutes,
     proxyPort,
     tld,
-    onError: (msg) => console.error(chalk.red(msg)),
+    strict,
+    onError: (msg) => console.error(colors_default.red(msg)),
     tls: tlsOptions
   });
   server.on("error", (err) => {
     if (err.code === "EADDRINUSE") {
-      console.error(chalk.red(`Port ${proxyPort} is already in use.`));
-      console.error(chalk.blue("Stop the existing proxy first:"));
-      console.error(chalk.cyan("  portless proxy stop"));
-      console.error(chalk.blue("Or check what is using the port:"));
+      console.error(colors_default.red(`Port ${proxyPort} is already in use.`));
+      console.error(colors_default.blue("Stop the existing proxy first:"));
+      console.error(colors_default.cyan("  portless proxy stop"));
+      console.error(colors_default.blue("Or check what is using the port:"));
       console.error(
-        chalk.cyan(
+        colors_default.cyan(
           isWindows ? `  netstat -ano | findstr :${proxyPort}` : `  lsof -ti tcp:${proxyPort}`
         )
       );
     } else if (err.code === "EACCES") {
-      console.error(chalk.red(`Permission denied for port ${proxyPort}.`));
-      console.error(chalk.blue("Either run with sudo:"));
-      console.error(chalk.cyan("  sudo portless proxy start -p 80"));
-      console.error(chalk.blue("Or use a non-privileged port (no sudo needed):"));
-      console.error(chalk.cyan("  portless proxy start"));
+      console.error(colors_default.red(`Permission denied for port ${proxyPort}.`));
+      console.error(colors_default.blue("Use an unprivileged port (no sudo needed):"));
+      console.error(colors_default.cyan("  portless proxy start -p 1355"));
     } else {
-      console.error(chalk.red(`Proxy error: ${err.message}`));
+      console.error(colors_default.red(`Proxy error: ${err.message}`));
     }
+    if (redirectServer) redirectServer.close();
     process.exit(1);
   });
+  let redirectServer = null;
+  if (isTls && proxyPort !== 80) {
+    redirectServer = createHttpRedirectServer(proxyPort);
+    redirectServer.on("error", () => {
+      redirectServer = null;
+    });
+    redirectServer.listen(80);
+  }
   server.listen(proxyPort, () => {
     fs3.writeFileSync(store.pidPath, process.pid.toString(), { mode: FILE_MODE });
     fs3.writeFileSync(store.portFilePath, proxyPort.toString(), { mode: FILE_MODE });
@@ -761,7 +837,13 @@ function startProxyServer(store, proxyPort, tld, tlsOptions) {
     fixOwnership(store.dir, store.pidPath, store.portFilePath);
     const proto = isTls ? "HTTPS/2" : "HTTP";
     const tldLabel = tld !== DEFAULT_TLD ? ` (TLD: .${tld})` : "";
-    console.log(chalk.green(`${proto} proxy listening on port ${proxyPort}${tldLabel}`));
+    const modeLabel = strict === false ? " (wildcard)" : "";
+    console.log(
+      colors_default.green(`${proto} proxy listening on port ${proxyPort}${tldLabel}${modeLabel}`)
+    );
+    if (redirectServer) {
+      console.log(colors_default.green("HTTP-to-HTTPS redirect listening on port 80"));
+    }
   });
   let exiting = false;
   const cleanup = () => {
@@ -772,6 +854,9 @@ function startProxyServer(store, proxyPort, tld, tlsOptions) {
     if (watcher) {
       watcher.close();
     }
+    if (redirectServer) {
+      redirectServer.close();
+    }
     try {
       fs3.unlinkSync(store.pidPath);
     } catch {
@@ -788,16 +873,27 @@ function startProxyServer(store, proxyPort, tld, tlsOptions) {
   };
   process.on("SIGINT", cleanup);
   process.on("SIGTERM", cleanup);
-  console.log(chalk.cyan("\nProxy is running. Press Ctrl+C to stop.\n"));
-  console.log(chalk.gray(`Routes file: ${store.getRoutesPath()}`));
+  console.log(colors_default.cyan("\nProxy is running. Press Ctrl+C to stop.\n"));
+  console.log(colors_default.gray(`Routes file: ${store.getRoutesPath()}`));
+}
+function sudoStopOrHint(port) {
+  if (!isWindows) {
+    if (!sudoStop(port)) {
+      console.error(colors_default.red("Failed to stop proxy with sudo."));
+      console.error(colors_default.blue("Try manually:"));
+      console.error(colors_default.cyan(`  portless proxy stop -p ${port}`));
+    }
+  } else {
+    console.error(colors_default.red("Permission denied. The proxy was started with elevated privileges."));
+    console.error(colors_default.blue("Stop it with:"));
+    console.error(colors_default.cyan("  Run portless proxy stop as Administrator"));
+  }
 }
 async function stopProxy(store, proxyPort, _tls) {
   const pidPath = store.pidPath;
-  const needsSudo = !isWindows && proxyPort < PRIVILEGED_PORT_THRESHOLD;
-  const sudoHint = needsSudo ? "sudo " : "";
   if (!fs3.existsSync(pidPath)) {
     if (await isProxyRunning(proxyPort)) {
-      console.log(chalk.yellow(`PID file is missing but port ${proxyPort} is still in use.`));
+      console.log(colors_default.yellow(`PID file is missing but port ${proxyPort} is still in use.`));
       const pid = findPidOnPort(proxyPort);
       if (pid !== null) {
         try {
@@ -806,58 +902,52 @@ async function stopProxy(store, proxyPort, _tls) {
             fs3.unlinkSync(store.portFilePath);
           } catch {
           }
-          console.log(chalk.green(`Killed process ${pid}. Proxy stopped.`));
+          console.log(colors_default.green(`Killed process ${pid}. Proxy stopped.`));
         } catch (err) {
           if (isErrnoException(err) && err.code === "EPERM") {
-            console.error(
-              chalk.red("Permission denied. The proxy was started with elevated privileges.")
-            );
-            console.error(chalk.blue("Stop it with:"));
-            console.error(
-              chalk.cyan(
-                isWindows ? "  Run portless proxy stop as Administrator" : "  sudo portless proxy stop"
-              )
-            );
+            sudoStopOrHint(proxyPort);
           } else {
             const message = err instanceof Error ? err.message : String(err);
-            console.error(chalk.red(`Failed to stop proxy: ${message}`));
-            console.error(chalk.blue("Check if the process is still running:"));
+            console.error(colors_default.red(`Failed to stop proxy: ${message}`));
+            console.error(colors_default.blue("Check if the process is still running:"));
             console.error(
-              chalk.cyan(
+              colors_default.cyan(
                 isWindows ? `  netstat -ano | findstr :${proxyPort}` : `  lsof -ti tcp:${proxyPort}`
               )
             );
           }
         }
       } else if (!isWindows && process.getuid?.() !== 0) {
-        console.error(chalk.red("Cannot identify the process. It may be running as root."));
-        console.error(chalk.blue("Try stopping with sudo:"));
-        console.error(chalk.cyan("  sudo portless proxy stop"));
+        sudoStopOrHint(proxyPort);
       } else {
-        console.error(chalk.red(`Could not identify the process on port ${proxyPort}.`));
-        console.error(chalk.blue("Try manually:"));
+        console.error(colors_default.red(`Could not identify the process on port ${proxyPort}.`));
+        console.error(colors_default.blue("Try manually:"));
         console.error(
-          chalk.cyan(
+          colors_default.cyan(
             isWindows ? "  taskkill /F /PID <pid>" : `  sudo kill "$(lsof -ti tcp:${proxyPort})"`
           )
         );
       }
     } else {
-      console.log(chalk.yellow("Proxy is not running."));
+      console.log(colors_default.yellow("Proxy is not running."));
     }
     return;
   }
   try {
     const pid = parseInt(fs3.readFileSync(pidPath, "utf-8"), 10);
     if (isNaN(pid)) {
-      console.error(chalk.red("Corrupted PID file. Removing it."));
+      console.error(colors_default.red("Corrupted PID file. Removing it."));
       fs3.unlinkSync(pidPath);
       return;
     }
     try {
       process.kill(pid, 0);
-    } catch {
-      console.log(chalk.yellow("Proxy process is no longer running. Cleaning up stale files."));
+    } catch (err) {
+      if (isErrnoException(err) && err.code === "EPERM") {
+        sudoStopOrHint(proxyPort);
+        return;
+      }
+      console.log(colors_default.yellow("Proxy process is no longer running. Cleaning up stale files."));
       fs3.unlinkSync(pidPath);
       try {
         fs3.unlinkSync(store.portFilePath);
@@ -867,11 +957,11 @@ async function stopProxy(store, proxyPort, _tls) {
     }
     if (!await isProxyRunning(proxyPort)) {
       console.log(
-        chalk.yellow(
+        colors_default.yellow(
           `PID file exists but port ${proxyPort} is not listening. The PID may have been recycled.`
         )
       );
-      console.log(chalk.yellow("Removing stale PID file."));
+      console.log(colors_default.yellow("Removing stale PID file."));
       fs3.unlinkSync(pidPath);
       return;
     }
@@ -881,20 +971,16 @@ async function stopProxy(store, proxyPort, _tls) {
       fs3.unlinkSync(store.portFilePath);
     } catch {
     }
-    console.log(chalk.green("Proxy stopped."));
+    console.log(colors_default.green("Proxy stopped."));
   } catch (err) {
     if (isErrnoException(err) && err.code === "EPERM") {
-      console.error(
-        chalk.red("Permission denied. The proxy was started with elevated privileges.")
-      );
-      console.error(chalk.blue("Stop it with:"));
-      console.error(chalk.cyan(`  ${sudoHint}portless proxy stop`));
+      sudoStopOrHint(proxyPort);
     } else {
       const message = err instanceof Error ? err.message : String(err);
-      console.error(chalk.red(`Failed to stop proxy: ${message}`));
-      console.error(chalk.blue("Check if the process is still running:"));
+      console.error(colors_default.red(`Failed to stop proxy: ${message}`));
+      console.error(colors_default.blue("Check if the process is still running:"));
       console.error(
-        chalk.cyan(
+        colors_default.cyan(
           isWindows ? `  netstat -ano | findstr :${proxyPort}` : `  lsof -ti tcp:${proxyPort}`
         )
       );
@@ -904,143 +990,140 @@ async function stopProxy(store, proxyPort, _tls) {
 function listRoutes(store, proxyPort, tls2) {
   const routes = store.loadRoutes();
   if (routes.length === 0) {
-    console.log(chalk.yellow("No active routes."));
-    console.log(chalk.gray("Start an app with: portless <name> <command>"));
+    console.log(colors_default.yellow("No active routes."));
+    console.log(colors_default.gray("Start an app with: portless <name> <command>"));
     return;
   }
-  console.log(chalk.blue.bold("\nActive routes:\n"));
+  console.log(colors_default.blue.bold("\nActive routes:\n"));
   for (const route of routes) {
     const url = formatUrl(route.hostname, proxyPort, tls2);
     const label = route.pid === 0 ? "(alias)" : `(pid ${route.pid})`;
     console.log(
-      `  ${chalk.cyan(url)}  ${chalk.gray("->")}  ${chalk.white(`localhost:${route.port}`)}  ${chalk.gray(label)}`
+      `  ${colors_default.cyan(url)}  ${colors_default.gray("->")}  ${colors_default.white(`localhost:${route.port}`)}  ${colors_default.gray(label)}`
     );
   }
   console.log();
 }
-async function runApp(store, proxyPort, stateDir, name, commandArgs, tls2, tld, force, autoInfo, desiredPort) {
-  const hostname = parseHostname(name, tld);
+async function runApp(initialStore, proxyPort, stateDir, name, commandArgs, tls2, tld, force, autoInfo, desiredPort) {
+  let store = initialStore;
   let envTld;
   try {
     envTld = getDefaultTld();
   } catch (err) {
-    console.error(chalk.red(`Error: ${err.message}`));
+    console.error(colors_default.red(`Error: ${err.message}`));
     process.exit(1);
   }
   if (envTld !== DEFAULT_TLD && envTld !== tld) {
     console.warn(
-      chalk.yellow(
+      colors_default.yellow(
         `Warning: PORTLESS_TLD=${envTld} but the running proxy uses .${tld}. Using .${tld}.`
       )
     );
   }
-  console.log(chalk.blue.bold(`
+  console.log(colors_default.blue.bold(`
 portless
 `));
-  console.log(chalk.gray(`-- ${hostname} (auto-resolves to 127.0.0.1)`));
+  console.log(colors_default.gray(`-- ${parseHostname(name, tld)} (auto-resolves to 127.0.0.1)`));
   if (autoInfo) {
     const baseName = autoInfo.prefix ? name.slice(autoInfo.prefix.length + 1) : name;
-    console.log(chalk.gray(`-- Name "${baseName}" (from ${autoInfo.nameSource})`));
+    console.log(colors_default.gray(`-- Name "${baseName}" (from ${autoInfo.nameSource})`));
     if (autoInfo.prefix) {
-      console.log(chalk.gray(`-- Prefix "${autoInfo.prefix}" (from ${autoInfo.prefixSource})`));
+      console.log(colors_default.gray(`-- Prefix "${autoInfo.prefix}" (from ${autoInfo.prefixSource})`));
     }
   }
   if (!await isProxyRunning(proxyPort, tls2)) {
-    const defaultPort = getDefaultPort();
+    const wantTls = !isHttpsEnvDisabled();
+    const defaultPort = getDefaultPort(wantTls);
     const needsSudo = !isWindows && defaultPort < PRIVILEGED_PORT_THRESHOLD;
-    const wantHttps = isHttpsEnvEnabled();
-    if (needsSudo) {
-      if (!process.stdin.isTTY) {
-        console.error(chalk.red("Proxy is not running."));
-        console.error(chalk.blue("Start the proxy first (requires sudo for this port):"));
-        console.error(chalk.cyan("  sudo portless proxy start -p 80"));
-        console.error(chalk.blue("Or use the default port (no sudo needed):"));
-        console.error(chalk.cyan("  portless proxy start"));
-        process.exit(1);
-      }
-      const answer = await prompt(chalk.yellow("Proxy not running. Start it? [Y/n/skip] "));
+    if (needsSudo && !process.stdin.isTTY) {
+      console.error(colors_default.red("Proxy is not running and no TTY is available for sudo."));
+      console.error(colors_default.blue("Option 1: start the proxy in a terminal (will prompt for sudo):"));
+      console.error(colors_default.cyan("  portless proxy start"));
+      console.error(
+        colors_default.blue(
+          `Option 2: use an unprivileged port (no sudo needed, URLs will include :${FALLBACK_PROXY_PORT}):`
+        )
+      );
+      console.error(colors_default.cyan(`  portless proxy start -p ${FALLBACK_PROXY_PORT}`));
+      process.exit(1);
+    }
+    if (needsSudo && process.stdin.isTTY) {
+      const answer = await prompt(colors_default.yellow("Proxy not running. Start it? [Y/n/skip] "));
       if (answer === "n" || answer === "no") {
-        console.log(chalk.gray("Cancelled."));
+        console.log(colors_default.gray("Cancelled."));
         process.exit(0);
       }
       if (answer === "s" || answer === "skip") {
-        console.log(chalk.gray("Skipping proxy, running command directly...\n"));
+        console.log(colors_default.gray("Skipping proxy, running command directly...\n"));
         spawnCommand(commandArgs);
         return;
       }
-      console.log(chalk.yellow("Starting proxy (requires sudo)..."));
-      const startArgs = [process.execPath, process.argv[1], "proxy", "start"];
-      if (wantHttps) startArgs.push("--https");
-      if (tld !== DEFAULT_TLD) startArgs.push("--tld", tld);
-      const result = spawnSync("sudo", startArgs, {
-        stdio: "inherit",
-        timeout: SUDO_SPAWN_TIMEOUT_MS
-      });
-      if (result.status !== 0) {
-        if (!await isProxyRunning(proxyPort)) {
-          console.error(chalk.red("Failed to start proxy."));
-          console.error(chalk.blue("Try starting it manually:"));
-          console.error(chalk.cyan("  sudo portless proxy start"));
-          process.exit(1);
-        }
-      }
-    } else {
-      console.log(chalk.yellow("Starting proxy..."));
-      const startArgs = [process.argv[1], "proxy", "start"];
-      if (wantHttps) startArgs.push("--https");
-      if (tld !== DEFAULT_TLD) startArgs.push("--tld", tld);
-      const result = spawnSync(process.execPath, startArgs, {
-        stdio: "inherit",
-        timeout: SUDO_SPAWN_TIMEOUT_MS
-      });
-      if (result.status !== 0) {
-        if (!await isProxyRunning(proxyPort)) {
-          console.error(chalk.red("Failed to start proxy."));
-          console.error(chalk.blue("Try starting it manually:"));
-          console.error(chalk.cyan("  portless proxy start"));
-          process.exit(1);
+    }
+    console.log(colors_default.yellow("Starting proxy..."));
+    const startArgs = [getEntryScript(), "proxy", "start"];
+    if (!wantTls) startArgs.push("--no-tls");
+    if (tld !== DEFAULT_TLD) startArgs.push("--tld", tld);
+    const result = spawnSync(process.execPath, startArgs, {
+      stdio: "inherit",
+      timeout: SUDO_SPAWN_TIMEOUT_MS
+    });
+    let discovered = null;
+    if (result.status === 0) {
+      for (let i = 0; i < WAIT_FOR_PROXY_MAX_ATTEMPTS; i++) {
+        await new Promise((r) => setTimeout(r, WAIT_FOR_PROXY_INTERVAL_MS));
+        const state = await discoverState();
+        if (await isProxyRunning(state.port)) {
+          discovered = state;
+          break;
         }
       }
     }
-    const autoTls = readTlsMarker(stateDir);
-    tld = readTldFromDir(stateDir);
-    if (!await waitForProxy(defaultPort, void 0, void 0, autoTls)) {
-      console.error(chalk.red("Proxy failed to start (timed out waiting for it to listen)."));
-      const logPath = path3.join(stateDir, "proxy.log");
-      console.error(chalk.blue("Try starting the proxy manually to see the error:"));
-      console.error(chalk.cyan(`  ${needsSudo ? "sudo " : ""}portless proxy start`));
+    if (!discovered) {
+      console.error(colors_default.red("Failed to start proxy."));
+      const fallbackDir = resolveStateDir(getDefaultPort(wantTls));
+      const logPath = path3.join(fallbackDir, "proxy.log");
+      console.error(colors_default.blue("Try starting it manually:"));
+      console.error(colors_default.cyan("  portless proxy start"));
       if (fs3.existsSync(logPath)) {
-        console.error(chalk.gray(`Logs: ${logPath}`));
+        console.error(colors_default.gray(`Logs: ${logPath}`));
       }
       process.exit(1);
+      return;
     }
-    tls2 = autoTls;
-    console.log(chalk.green("Proxy started in background"));
+    proxyPort = discovered.port;
+    stateDir = discovered.dir;
+    tld = discovered.tld;
+    tls2 = discovered.tls;
+    store = new RouteStore(stateDir, {
+      onWarning: (msg) => console.warn(colors_default.yellow(msg))
+    });
+    console.log(colors_default.green("Proxy started in background"));
   } else {
-    console.log(chalk.gray("-- Proxy is running"));
+    console.log(colors_default.gray("-- Proxy is running"));
   }
+  const hostname = parseHostname(name, tld);
   const port = desiredPort ?? await findFreePort();
   if (desiredPort) {
-    console.log(chalk.green(`-- Using port ${port} (fixed)`));
+    console.log(colors_default.green(`-- Using port ${port} (fixed)`));
   } else {
-    console.log(chalk.green(`-- Using port ${port}`));
+    console.log(colors_default.green(`-- Using port ${port}`));
   }
   try {
     store.addRoute(hostname, port, process.pid, force);
   } catch (err) {
     if (err instanceof RouteConflictError) {
-      console.error(chalk.red(`Error: ${err.message}`));
+      console.error(colors_default.red(`Error: ${err.message}`));
       process.exit(1);
     }
     throw err;
   }
   const finalUrl = formatUrl(hostname, proxyPort, tls2);
-  console.log(chalk.cyan.bold(`
+  console.log(colors_default.cyan.bold(`
   -> ${finalUrl}
 `));
   injectFrameworkFlags(commandArgs, port);
   console.log(
-    chalk.gray(
+    colors_default.gray(
       `Running: PORT=${port} HOST=127.0.0.1 PORTLESS_URL=${finalUrl} ${commandArgs.join(" ")}
 `
     )
@@ -1063,12 +1146,12 @@ portless
 }
 function parseAppPort(value) {
   if (!value || value.startsWith("--")) {
-    console.error(chalk.red("Error: --app-port requires a port number."));
+    console.error(colors_default.red("Error: --app-port requires a port number."));
     process.exit(1);
   }
   const port = parseInt(value, 10);
   if (isNaN(port) || port < 1 || port > 65535) {
-    console.error(chalk.red(`Error: Invalid app port "${value}". Must be 1-65535.`));
+    console.error(colors_default.red(`Error: Invalid app port "${value}". Must be 1-65535.`));
     process.exit(1);
   }
   return port;
@@ -1078,7 +1161,7 @@ function appPortFromEnv() {
   if (!envVal) return void 0;
   const port = parseInt(envVal, 10);
   if (isNaN(port) || port < 1 || port > 65535) {
-    console.error(chalk.red(`Error: Invalid PORTLESS_APP_PORT="${envVal}". Must be 1-65535.`));
+    console.error(colors_default.red(`Error: Invalid PORTLESS_APP_PORT="${envVal}". Must be 1-65535.`));
     process.exit(1);
   }
   return port;
@@ -1094,18 +1177,18 @@ function parseRunArgs(args) {
       break;
     } else if (args[i] === "--help" || args[i] === "-h") {
       console.log(`
-${chalk.bold("portless run")} - Infer project name and run through the proxy.
+${colors_default.bold("portless run")} - Infer project name and run through the proxy.
 
-${chalk.bold("Usage:")}
-  ${chalk.cyan("portless run [options] <command...>")}
+${colors_default.bold("Usage:")}
+  ${colors_default.cyan("portless run [options] <command...>")}
 
-${chalk.bold("Options:")}
+${colors_default.bold("Options:")}
   --name <name>          Override the inferred base name (worktree prefix still applies)
   --force                Override an existing route registered by another process
   --app-port <number>    Use a fixed port for the app (skip auto-assignment)
   --help, -h             Show this help
 
-${chalk.bold("Name inference (in order):")}
+${colors_default.bold("Name inference (in order):")}
   1. package.json "name" field (walks up directories)
   2. Git repo root directory name
   3. Current directory basename
@@ -1114,10 +1197,10 @@ ${chalk.bold("Name inference (in order):")}
   In git worktrees, the branch name is prepended as a subdomain prefix
   (e.g. feature-auth.myapp.localhost).
 
-${chalk.bold("Examples:")}
-  portless run next dev               # -> http://<project>.localhost:1355
-  portless run --name myapp next dev  # -> http://myapp.localhost:1355
-  portless run vite dev               # -> http://<project>.localhost:1355
+${colors_default.bold("Examples:")}
+  portless run next dev               # -> https://<project>.localhost
+  portless run --name myapp next dev  # -> https://myapp.localhost
+  portless run vite dev               # -> https://<project>.localhost
   portless run --app-port 3000 pnpm start
 `);
       process.exit(0);
@@ -1129,14 +1212,14 @@ ${chalk.bold("Examples:")}
     } else if (args[i] === "--name") {
       i++;
       if (!args[i] || args[i].startsWith("-")) {
-        console.error(chalk.red("Error: --name requires a name value."));
-        console.error(chalk.cyan("  portless run --name <name> <command...>"));
+        console.error(colors_default.red("Error: --name requires a name value."));
+        console.error(colors_default.cyan("  portless run --name <name> <command...>"));
         process.exit(1);
       }
       name = args[i];
     } else {
-      console.error(chalk.red(`Error: Unknown flag "${args[i]}".`));
-      console.error(chalk.blue("Known flags: --name, --force, --app-port, --help"));
+      console.error(colors_default.red(`Error: Unknown flag "${args[i]}".`));
+      console.error(colors_default.blue("Known flags: --name, --force, --app-port, --help"));
       process.exit(1);
     }
     i++;
@@ -1158,8 +1241,8 @@ function parseAppArgs(args) {
       i++;
       appPort = parseAppPort(args[i]);
     } else {
-      console.error(chalk.red(`Error: Unknown flag "${args[i]}".`));
-      console.error(chalk.blue("Known flags: --force, --app-port"));
+      console.error(colors_default.red(`Error: Unknown flag "${args[i]}".`));
+      console.error(colors_default.blue("Known flags: --force, --app-port"));
       process.exit(1);
     }
     i++;
@@ -1176,8 +1259,8 @@ function parseAppArgs(args) {
       i++;
       appPort = parseAppPort(args[i]);
     } else {
-      console.error(chalk.red(`Error: Unknown flag "${args[i]}".`));
-      console.error(chalk.blue("Known flags: --force, --app-port"));
+      console.error(colors_default.red(`Error: Unknown flag "${args[i]}".`));
+      console.error(colors_default.blue("Known flags: --force, --app-port"));
       process.exit(1);
     }
     i++;
@@ -1187,105 +1270,107 @@ function parseAppArgs(args) {
 }
 function printHelp() {
   console.log(`
-${chalk.bold("portless")} - Replace port numbers with stable, named .localhost URLs. For humans and agents.
+${colors_default.bold("portless")} - Replace port numbers with stable, named .localhost URLs. For humans and agents.
 
 Eliminates port conflicts, memorizing port numbers, and cookie/storage
 clashes by giving each dev server a stable .localhost URL.
 
-${chalk.bold("Install:")}
-  ${chalk.cyan("npm install -g portless")}
+${colors_default.bold("Install:")}
+  ${colors_default.cyan("npm install -g portless")}
   Do NOT add portless as a project dependency.
 
-${chalk.bold("Usage:")}
-  ${chalk.cyan("portless proxy start")}             Start the proxy (background daemon)
-  ${chalk.cyan("portless proxy start --https")}     Start with HTTP/2 + TLS (auto-generates certs)
-  ${chalk.cyan("portless proxy start -p 80")}       Start on port 80 (requires sudo)
-  ${chalk.cyan("portless proxy stop")}              Stop the proxy
-  ${chalk.cyan("portless <name> <cmd>")}            Run your app through the proxy
-  ${chalk.cyan("portless run <cmd>")}               Infer name from project, run through proxy
-  ${chalk.cyan("portless get <name>")}              Print URL for a service (for cross-service refs)
-  ${chalk.cyan("portless alias <name> <port>")}     Register a static route (e.g. for Docker)
-  ${chalk.cyan("portless alias --remove <name>")}   Remove a static route
-  ${chalk.cyan("portless list")}                    Show active routes
-  ${chalk.cyan("portless trust")}                   Add local CA to system trust store
-  ${chalk.cyan("portless hosts sync")}              Add routes to ${HOSTS_DISPLAY} (fixes Safari)
-  ${chalk.cyan("portless hosts clean")}             Remove portless entries from ${HOSTS_DISPLAY}
+${colors_default.bold("Usage:")}
+  ${colors_default.cyan("portless proxy start")}             Start the proxy (HTTPS on port 443, daemon)
+  ${colors_default.cyan("portless proxy start --no-tls")}    Start without HTTPS (port 80)
+  ${colors_default.cyan("portless proxy start -p 1355")}     Start on a custom port (no sudo)
+  ${colors_default.cyan("portless proxy stop")}              Stop the proxy
+  ${colors_default.cyan("portless <name> <cmd>")}            Run your app through the proxy
+  ${colors_default.cyan("portless run <cmd>")}               Infer name from project, run through proxy
+  ${colors_default.cyan("portless get <name>")}              Print URL for a service (for cross-service refs)
+  ${colors_default.cyan("portless alias <name> <port>")}     Register a static route (e.g. for Docker)
+  ${colors_default.cyan("portless alias --remove <name>")}   Remove a static route
+  ${colors_default.cyan("portless list")}                    Show active routes
+  ${colors_default.cyan("portless trust")}                   Add local CA to system trust store
+  ${colors_default.cyan("portless hosts sync")}              Add routes to ${HOSTS_DISPLAY} (fixes Safari)
+  ${colors_default.cyan("portless hosts clean")}             Remove portless entries from ${HOSTS_DISPLAY}
 
-${chalk.bold("Examples:")}
-  portless proxy start                # Start proxy on port 1355
-  portless proxy start --https        # Start with HTTPS/2 (faster page loads)
-  portless myapp next dev             # -> http://myapp.localhost:1355
-  portless myapp vite dev             # -> http://myapp.localhost:1355
-  portless api.myapp pnpm start       # -> http://api.myapp.localhost:1355
-  portless run next dev               # -> http://<project>.localhost:1355
-  portless run next dev               # in worktree -> http://<worktree>.<project>.localhost:1355
-  portless get backend                 # -> http://backend.localhost:1355 (for cross-service refs)
+${colors_default.bold("Examples:")}
+  portless proxy start                # Start HTTPS proxy on port 443
+  portless proxy start --no-tls       # Start HTTP proxy on port 80
+  portless myapp next dev             # -> https://myapp.localhost
+  portless myapp vite dev             # -> https://myapp.localhost
+  portless api.myapp pnpm start       # -> https://api.myapp.localhost
+  portless run next dev               # -> https://<project>.localhost
+  portless run next dev               # in worktree -> https://<worktree>.<project>.localhost
+  portless get backend                 # -> https://backend.localhost (for cross-service refs)
   # Wildcard subdomains: tenant.myapp.localhost also routes to myapp
 
-${chalk.bold("In package.json:")}
+${colors_default.bold("In package.json:")}
   {
     "scripts": {
       "dev": "portless run next dev"
     }
   }
 
-${chalk.bold("How it works:")}
-  1. Start the proxy once (listens on port 1355 by default, no sudo needed)
+${colors_default.bold("How it works:")}
+  1. Start the proxy once (HTTPS on port 443 by default, auto-elevates with sudo)
   2. Run your apps - they auto-start the proxy and register automatically
      (apps get a random port in the 4000-4999 range via PORT)
-  3. Access via http://<name>.localhost:1355
+  3. Access via https://<name>.localhost
   4. .localhost domains auto-resolve to 127.0.0.1
   5. Frameworks that ignore PORT (Vite, Astro, React Router, Angular,
      Expo, React Native) get --port and --host flags injected automatically
 
-${chalk.bold("HTTP/2 + HTTPS:")}
-  Use --https for HTTP/2 multiplexing (faster dev server page loads).
+${colors_default.bold("HTTP/2 + HTTPS (default):")}
+  HTTPS with HTTP/2 multiplexing is enabled by default (faster page loads).
   On first use, portless generates a local CA and adds it to your
-  system trust store. No browser warnings. No sudo required on macOS.
+  system trust store. No browser warnings. Disable with --no-tls.
 
-${chalk.bold("Options:")}
+${colors_default.bold("Options:")}
   run [--name <name>] <cmd>      Infer project name (or override with --name)
                                 Adds worktree prefix in git worktrees
-  -p, --port <number>           Port for the proxy to listen on (default: 1355)
-                                Ports < 1024 require sudo
-  --https                       Enable HTTP/2 + TLS with auto-generated certs
-  --cert <path>                 Use a custom TLS certificate (implies --https)
-  --key <path>                  Use a custom TLS private key (implies --https)
-  --no-tls                      Disable HTTPS (overrides PORTLESS_HTTPS)
+  -p, --port <number>           Port for the proxy (default: 443, or 80 with --no-tls)
+                                Standard ports auto-elevate with sudo on macOS/Linux
+  --no-tls                      Disable HTTPS (use plain HTTP on port 80)
+  --https                       Enable HTTPS (default, accepted for compatibility)
+  --cert <path>                 Use a custom TLS certificate
+  --key <path>                  Use a custom TLS private key
   --foreground                  Run proxy in foreground (for debugging)
   --tld <tld>                   Use a custom TLD instead of .localhost (e.g. test, dev)
+  --wildcard                    Allow unregistered subdomains to fall back to parent route
   --app-port <number>           Use a fixed port for the app (skip auto-assignment)
   --force                       Override an existing route registered by another process
   --name <name>                 Use <name> as the app name (bypasses subcommand dispatch)
   --                            Stop flag parsing; everything after is passed to the child
 
-${chalk.bold("Environment variables:")}
+${colors_default.bold("Environment variables:")}
   PORTLESS_PORT=<number>        Override the default proxy port (e.g. in .bashrc)
   PORTLESS_APP_PORT=<number>    Use a fixed port for the app (same as --app-port)
-  PORTLESS_HTTPS=1              Always enable HTTPS (set in .bashrc / .zshrc)
+  PORTLESS_HTTPS                HTTPS on by default; set to 0 to disable (same as --no-tls)
   PORTLESS_TLD=<tld>            Use a custom TLD (e.g. test, dev; default: localhost)
+  PORTLESS_WILDCARD=1           Allow unregistered subdomains to fall back to parent route
   PORTLESS_SYNC_HOSTS=1         Auto-sync ${HOSTS_DISPLAY} (auto-enabled for custom TLDs)
   PORTLESS_STATE_DIR=<path>     Override the state directory
   PORTLESS=0                    Run command directly without proxy
 
-${chalk.bold("Child process environment:")}
+${colors_default.bold("Child process environment:")}
   PORT                          Ephemeral port the child should listen on
   HOST                          Always 127.0.0.1
-  PORTLESS_URL                  Public URL of the app (e.g. http://myapp.localhost:1355)
+  PORTLESS_URL                  Public URL of the app (e.g. https://myapp.localhost)
 
-${chalk.bold("Safari / DNS:")}
+${colors_default.bold("Safari / DNS:")}
   .localhost subdomains auto-resolve in Chrome, Firefox, and Edge.
   Safari relies on the system DNS resolver, which may not handle them.
   Auto-syncs ${HOSTS_DISPLAY} for custom TLDs (e.g. --tld test). For .localhost,
   set PORTLESS_SYNC_HOSTS=1 to enable. To manually sync:
-    ${chalk.cyan(`${SUDO_PREFIX}portless hosts sync`)}
+    ${colors_default.cyan("portless hosts sync")}
   Clean up later with:
-    ${chalk.cyan(`${SUDO_PREFIX}portless hosts clean`)}
+    ${colors_default.cyan("portless hosts clean")}
 
-${chalk.bold("Skip portless:")}
+${colors_default.bold("Skip portless:")}
   PORTLESS=0 pnpm dev           # Runs command directly without proxy
 
-${chalk.bold("Reserved names:")}
+${colors_default.bold("Reserved names:")}
   run, get, alias, hosts, list, trust, proxy are subcommands and cannot
   be used as app names directly. Use "portless run" to infer the name,
   or "portless --name <name>" to force any name including reserved ones.
@@ -1293,38 +1378,44 @@ ${chalk.bold("Reserved names:")}
   process.exit(0);
 }
 function printVersion() {
-  console.log("0.7.2");
+  console.log("0.9.0");
   process.exit(0);
 }
 async function handleTrust() {
   const { dir } = await discoverState();
   const result = trustCA(dir);
   if (result.trusted) {
-    console.log(chalk.green("Local CA added to system trust store."));
-    console.log(chalk.gray("Browsers will now trust portless HTTPS certificates."));
-  } else {
-    console.error(chalk.red(`Failed to trust CA: ${result.error}`));
-    if (result.error?.includes("sudo")) {
-      console.error(chalk.blue("Run with sudo:"));
-      console.error(chalk.cyan("  sudo portless trust"));
-    }
-    process.exit(1);
+    console.log(colors_default.green("Local CA added to system trust store."));
+    console.log(colors_default.gray("Browsers will now trust portless HTTPS certificates."));
+    return;
+  }
+  const isPermissionError = result.error?.includes("Permission denied") || result.error?.includes("EACCES");
+  if (isPermissionError && !isWindows && process.getuid?.() !== 0) {
+    console.log(colors_default.yellow("Trusting the CA requires elevated privileges. Requesting sudo..."));
+    const sudoResult = spawnSync("sudo", [process.execPath, getEntryScript(), "trust"], {
+      stdio: "inherit",
+      timeout: SUDO_SPAWN_TIMEOUT_MS
+    });
+    if (sudoResult.status === 0) return;
+    console.error(colors_default.red("sudo elevation also failed."));
   }
+  console.error(colors_default.red(`Failed to trust CA: ${result.error}`));
+  process.exit(1);
 }
 async function handleList() {
   const { dir, port, tls: tls2 } = await discoverState();
   const store = new RouteStore(dir, {
-    onWarning: (msg) => console.warn(chalk.yellow(msg))
+    onWarning: (msg) => console.warn(colors_default.yellow(msg))
   });
   listRoutes(store, port, tls2);
 }
 async function handleGet(args) {
   if (args[1] === "--help" || args[1] === "-h") {
     console.log(`
-${chalk.bold("portless get")} - Print the URL for a service.
+${colors_default.bold("portless get")} - Print the URL for a service.
 
-${chalk.bold("Usage:")}
-  ${chalk.cyan("portless get <name>")}
+${colors_default.bold("Usage:")}
+  ${colors_default.cyan("portless get <name>")}
 
 Constructs the URL using the same hostname and worktree logic as
 "portless run", then prints it to stdout. Useful for wiring services
@@ -1332,14 +1423,14 @@ together:
 
   BACKEND_URL=$(portless get backend)
 
-${chalk.bold("Options:")}
+${colors_default.bold("Options:")}
   --no-worktree          Skip worktree prefix detection
   --help, -h             Show this help
 
-${chalk.bold("Examples:")}
-  portless get backend                  # -> http://backend.localhost:1355
-  portless get backend                  # in worktree -> http://auth.backend.localhost:1355
-  portless get backend --no-worktree    # -> http://backend.localhost:1355 (skip worktree)
+${colors_default.bold("Examples:")}
+  portless get backend                  # -> https://backend.localhost
+  portless get backend                  # in worktree -> https://auth.backend.localhost
+  portless get backend --no-worktree    # -> https://backend.localhost (skip worktree)
 `);
     process.exit(0);
   }
@@ -1349,19 +1440,19 @@ ${chalk.bold("Examples:")}
     if (args[i] === "--no-worktree") {
       skipWorktree = true;
     } else if (args[i].startsWith("-")) {
-      console.error(chalk.red(`Error: Unknown flag "${args[i]}".`));
-      console.error(chalk.blue("Known flags: --no-worktree, --help"));
+      console.error(colors_default.red(`Error: Unknown flag "${args[i]}".`));
+      console.error(colors_default.blue("Known flags: --no-worktree, --help"));
       process.exit(1);
     } else {
       positional.push(args[i]);
     }
   }
   if (positional.length === 0) {
-    console.error(chalk.red("Error: Missing service name."));
-    console.error(chalk.blue("Usage:"));
-    console.error(chalk.cyan("  portless get <name>"));
-    console.error(chalk.blue("Example:"));
-    console.error(chalk.cyan("  portless get backend"));
+    console.error(colors_default.red("Error: Missing service name."));
+    console.error(colors_default.blue("Usage:"));
+    console.error(colors_default.cyan("  portless get <name>"));
+    console.error(colors_default.blue("Example:"));
+    console.error(colors_default.cyan("  portless get backend"));
     process.exit(1);
   }
   const name = positional[0];
@@ -1375,76 +1466,76 @@ ${chalk.bold("Examples:")}
 async function handleAlias(args) {
   if (args[1] === "--help" || args[1] === "-h") {
     console.log(`
-${chalk.bold("portless alias")} - Register a static route for services not managed by portless.
+${colors_default.bold("portless alias")} - Register a static route for services not managed by portless.
 
-${chalk.bold("Usage:")}
-  ${chalk.cyan("portless alias <name> <port>")}        Register a route
-  ${chalk.cyan("portless alias --remove <name>")}      Remove a route
-  ${chalk.cyan("portless alias <name> <port> --force")} Override existing route
+${colors_default.bold("Usage:")}
+  ${colors_default.cyan("portless alias <name> <port>")}        Register a route
+  ${colors_default.cyan("portless alias --remove <name>")}      Remove a route
+  ${colors_default.cyan("portless alias <name> <port> --force")} Override existing route
 
-${chalk.bold("Examples:")}
-  portless alias my-postgres 5432     # -> http://my-postgres.localhost:1355
-  portless alias redis 6379           # -> http://redis.localhost:1355
+${colors_default.bold("Examples:")}
+  portless alias my-postgres 5432     # -> https://my-postgres.localhost
+  portless alias redis 6379           # -> https://redis.localhost
   portless alias --remove my-postgres # Remove the alias
 `);
     process.exit(0);
   }
   const { dir, tld } = await discoverState();
   const store = new RouteStore(dir, {
-    onWarning: (msg) => console.warn(chalk.yellow(msg))
+    onWarning: (msg) => console.warn(colors_default.yellow(msg))
   });
   if (args[1] === "--remove") {
     const aliasName2 = args[2];
     if (!aliasName2) {
-      console.error(chalk.red("Error: No alias name provided."));
-      console.error(chalk.cyan("  portless alias --remove <name>"));
+      console.error(colors_default.red("Error: No alias name provided."));
+      console.error(colors_default.cyan("  portless alias --remove <name>"));
       process.exit(1);
     }
     const hostname2 = parseHostname(aliasName2, tld);
     const routes = store.loadRoutes();
     const existing = routes.find((r) => r.hostname === hostname2 && r.pid === 0);
     if (!existing) {
-      console.error(chalk.red(`Error: No alias found for "${hostname2}".`));
+      console.error(colors_default.red(`Error: No alias found for "${hostname2}".`));
       process.exit(1);
     }
     store.removeRoute(hostname2);
-    console.log(chalk.green(`Removed alias: ${hostname2}`));
+    console.log(colors_default.green(`Removed alias: ${hostname2}`));
     return;
   }
   const aliasName = args[1];
   const aliasPort = args[2];
   if (!aliasName || !aliasPort) {
-    console.error(chalk.red("Error: Missing arguments."));
-    console.error(chalk.blue("Usage:"));
-    console.error(chalk.cyan("  portless alias <name> <port>"));
-    console.error(chalk.cyan("  portless alias --remove <name>"));
-    console.error(chalk.blue("Example:"));
-    console.error(chalk.cyan("  portless alias my-postgres 5432"));
+    console.error(colors_default.red("Error: Missing arguments."));
+    console.error(colors_default.blue("Usage:"));
+    console.error(colors_default.cyan("  portless alias <name> <port>"));
+    console.error(colors_default.cyan("  portless alias --remove <name>"));
+    console.error(colors_default.blue("Example:"));
+    console.error(colors_default.cyan("  portless alias my-postgres 5432"));
     process.exit(1);
   }
   const hostname = parseHostname(aliasName, tld);
   const port = parseInt(aliasPort, 10);
   if (isNaN(port) || port < 1 || port > 65535) {
-    console.error(chalk.red(`Error: Invalid port "${aliasPort}". Must be 1-65535.`));
+    console.error(colors_default.red(`Error: Invalid port "${aliasPort}". Must be 1-65535.`));
     process.exit(1);
   }
   const force = args.includes("--force");
   store.addRoute(hostname, port, 0, force);
-  console.log(chalk.green(`Alias registered: ${hostname} -> 127.0.0.1:${port}`));
+  console.log(colors_default.green(`Alias registered: ${hostname} -> 127.0.0.1:${port}`));
 }
 async function handleHosts(args) {
   if (args[1] === "--help" || args[1] === "-h") {
     console.log(`
-${chalk.bold("portless hosts")} - Manage ${HOSTS_DISPLAY} entries for .localhost subdomains.
+${colors_default.bold("portless hosts")} - Manage ${HOSTS_DISPLAY} entries for .localhost subdomains.
 
 Safari relies on the system DNS resolver, which may not handle .localhost
 subdomains. This command adds entries to ${HOSTS_DISPLAY} as a workaround.
 
-${chalk.bold("Usage:")}
-  ${chalk.cyan(`${SUDO_PREFIX}portless hosts sync`)}    Add current routes to ${HOSTS_DISPLAY}
-  ${chalk.cyan(`${SUDO_PREFIX}portless hosts clean`)}   Remove portless entries from ${HOSTS_DISPLAY}
+${colors_default.bold("Usage:")}
+  ${colors_default.cyan("portless hosts sync")}    Add current routes to ${HOSTS_DISPLAY}
+  ${colors_default.cyan("portless hosts clean")}   Remove portless entries from ${HOSTS_DISPLAY}
 
-${chalk.bold("Auto-sync:")}
+${colors_default.bold("Auto-sync:")}
   Auto-enabled for custom TLDs (e.g. --tld test). For .localhost, set
   PORTLESS_SYNC_HOSTS=1 to enable. Disable with PORTLESS_SYNC_HOSTS=0.
 `);
@@ -1452,114 +1543,137 @@ ${chalk.bold("Auto-sync:")}
   }
   if (args[1] === "clean") {
     if (cleanHostsFile()) {
-      console.log(chalk.green(`Removed portless entries from ${HOSTS_DISPLAY}.`));
-    } else {
-      console.error(
-        chalk.red(
-          `Failed to update ${HOSTS_DISPLAY}${isWindows ? " (run as Administrator)." : " (requires sudo)."}`
+      console.log(colors_default.green(`Removed portless entries from ${HOSTS_DISPLAY}.`));
+      return;
+    }
+    if (!isWindows && process.getuid?.() !== 0) {
+      console.log(
+        colors_default.yellow(
+          `Writing to ${HOSTS_DISPLAY} requires elevated privileges. Requesting sudo...`
         )
       );
-      console.error(chalk.cyan(`  ${SUDO_PREFIX}portless hosts clean`));
-      process.exit(1);
+      const result = spawnSync(
+        "sudo",
+        ["env", ...collectPortlessEnvArgs(), process.execPath, getEntryScript(), "hosts", "clean"],
+        {
+          stdio: "inherit",
+          timeout: SUDO_SPAWN_TIMEOUT_MS
+        }
+      );
+      if (result.status === 0) return;
     }
+    console.error(
+      colors_default.red(`Failed to update ${HOSTS_DISPLAY}${isWindows ? " (run as Administrator)." : "."}`)
+    );
+    process.exit(1);
     return;
   }
   if (!args[1]) {
     console.log(`
-${chalk.bold("Usage: portless hosts <command>")}
+${colors_default.bold("Usage: portless hosts <command>")}
 
-  ${chalk.cyan(`${SUDO_PREFIX}portless hosts sync`)}    Add current routes to ${HOSTS_DISPLAY}
-  ${chalk.cyan(`${SUDO_PREFIX}portless hosts clean`)}   Remove portless entries from ${HOSTS_DISPLAY}
+  ${colors_default.cyan("portless hosts sync")}    Add current routes to ${HOSTS_DISPLAY}
+  ${colors_default.cyan("portless hosts clean")}   Remove portless entries from ${HOSTS_DISPLAY}
 `);
     process.exit(0);
   }
   if (args[1] !== "sync") {
-    console.error(chalk.red(`Error: Unknown hosts subcommand "${args[1]}".`));
-    console.error(chalk.blue("Usage:"));
-    console.error(
-      chalk.cyan(`  ${SUDO_PREFIX}portless hosts sync    # Add routes to ${HOSTS_DISPLAY}`)
-    );
-    console.error(chalk.cyan(`  ${SUDO_PREFIX}portless hosts clean   # Remove portless entries`));
+    console.error(colors_default.red(`Error: Unknown hosts subcommand "${args[1]}".`));
+    console.error(colors_default.blue("Usage:"));
+    console.error(colors_default.cyan(`  portless hosts sync    # Add routes to ${HOSTS_DISPLAY}`));
+    console.error(colors_default.cyan("  portless hosts clean   # Remove portless entries"));
     process.exit(1);
   }
   const { dir } = await discoverState();
   const store = new RouteStore(dir, {
-    onWarning: (msg) => console.warn(chalk.yellow(msg))
+    onWarning: (msg) => console.warn(colors_default.yellow(msg))
   });
   const routes = store.loadRoutes();
   if (routes.length === 0) {
-    console.log(chalk.yellow("No active routes to sync."));
+    console.log(colors_default.yellow("No active routes to sync."));
     return;
   }
   const hostnames = routes.map((r) => r.hostname);
   if (syncHostsFile(hostnames)) {
-    console.log(chalk.green(`Synced ${hostnames.length} hostname(s) to ${HOSTS_DISPLAY}:`));
+    console.log(colors_default.green(`Synced ${hostnames.length} hostname(s) to ${HOSTS_DISPLAY}:`));
     for (const h of hostnames) {
-      console.log(chalk.cyan(`  127.0.0.1 ${h}`));
+      console.log(colors_default.cyan(`  127.0.0.1 ${h}`));
     }
-  } else {
-    console.error(
-      chalk.red(
-        `Failed to update ${HOSTS_DISPLAY}${isWindows ? " (run as Administrator)." : " (requires sudo)."}`
-      )
+    return;
+  }
+  if (!isWindows && process.getuid?.() !== 0) {
+    console.log(
+      colors_default.yellow(`Writing to ${HOSTS_DISPLAY} requires elevated privileges. Requesting sudo...`)
     );
-    console.error(chalk.cyan(`  ${SUDO_PREFIX}portless hosts sync`));
-    process.exit(1);
+    const result = spawnSync(
+      "sudo",
+      ["env", ...collectPortlessEnvArgs(), process.execPath, getEntryScript(), "hosts", "sync"],
+      {
+        stdio: "inherit",
+        timeout: SUDO_SPAWN_TIMEOUT_MS
+      }
+    );
+    if (result.status === 0) return;
   }
+  console.error(
+    colors_default.red(`Failed to update ${HOSTS_DISPLAY}${isWindows ? " (run as Administrator)." : "."}`)
+  );
+  process.exit(1);
 }
 async function handleProxy(args) {
   if (args[1] === "stop") {
-    const { dir, port, tls: tls2 } = await discoverState();
-    const store2 = new RouteStore(dir, {
-      onWarning: (msg) => console.warn(chalk.yellow(msg))
-    });
-    await stopProxy(store2, port, tls2);
+    let explicitPort;
+    const portIdx = args.indexOf("--port") !== -1 ? args.indexOf("--port") : args.indexOf("-p");
+    if (portIdx !== -1) {
+      const portValue = args[portIdx + 1];
+      if (portValue && !portValue.startsWith("-")) {
+        const parsed = parseInt(portValue, 10);
+        if (!isNaN(parsed) && parsed >= 1 && parsed <= 65535) {
+          explicitPort = parsed;
+        }
+      }
+    }
+    if (explicitPort !== void 0) {
+      const dir = resolveStateDir(explicitPort);
+      const store2 = new RouteStore(dir, {
+        onWarning: (msg) => console.warn(colors_default.yellow(msg))
+      });
+      await stopProxy(store2, explicitPort, false);
+    } else {
+      const { dir, port, tls: tls2 } = await discoverState();
+      const store2 = new RouteStore(dir, {
+        onWarning: (msg) => console.warn(colors_default.yellow(msg))
+      });
+      await stopProxy(store2, port, tls2);
+    }
     return;
   }
   const isProxyHelp = args[1] === "--help" || args[1] === "-h";
   if (isProxyHelp || args[1] !== "start") {
     console.log(`
-${chalk.bold("portless proxy")} - Manage the portless proxy server.
+${colors_default.bold("portless proxy")} - Manage the portless proxy server.
 
-${chalk.bold("Usage:")}
-  ${chalk.cyan("portless proxy start")}                Start the proxy (daemon)
-  ${chalk.cyan("portless proxy start --https")}        Start with HTTP/2 + TLS
-  ${chalk.cyan("portless proxy start --foreground")}   Start in foreground (for debugging)
-  ${chalk.cyan("portless proxy start -p 80")}          Start on port 80 (requires sudo)
-  ${chalk.cyan("portless proxy start --tld test")}     Use .test instead of .localhost
-  ${chalk.cyan("portless proxy stop")}                 Stop the proxy
+${colors_default.bold("Usage:")}
+  ${colors_default.cyan("portless proxy start")}                Start the HTTPS proxy on port 443 (daemon)
+  ${colors_default.cyan("portless proxy start --no-tls")}       Start without HTTPS (port 80)
+  ${colors_default.cyan("portless proxy start --foreground")}   Start in foreground (for debugging)
+  ${colors_default.cyan("portless proxy start -p 1355")}        Start on a custom port (no sudo)
+  ${colors_default.cyan("portless proxy start --tld test")}     Use .test instead of .localhost
+  ${colors_default.cyan("portless proxy start --wildcard")}     Allow unregistered subdomains to fall back to parent
+  ${colors_default.cyan("portless proxy stop")}                 Stop the proxy
 `);
     process.exit(isProxyHelp || !args[1] ? 0 : 1);
   }
   const isForeground = args.includes("--foreground");
-  let proxyPort = getDefaultPort();
-  let portFlagIndex = args.indexOf("--port");
-  if (portFlagIndex === -1) portFlagIndex = args.indexOf("-p");
-  if (portFlagIndex !== -1) {
-    const portValue = args[portFlagIndex + 1];
-    if (!portValue || portValue.startsWith("-")) {
-      console.error(chalk.red("Error: --port / -p requires a port number."));
-      console.error(chalk.blue("Usage:"));
-      console.error(chalk.cyan("  portless proxy start -p 8080"));
-      process.exit(1);
-    }
-    proxyPort = parseInt(portValue, 10);
-    if (isNaN(proxyPort) || proxyPort < 1 || proxyPort > 65535) {
-      console.error(chalk.red(`Error: Invalid port number: ${portValue}`));
-      console.error(chalk.blue("Port must be between 1 and 65535."));
-      process.exit(1);
-    }
-  }
-  const hasNoTls = args.includes("--no-tls");
-  const hasHttpsFlag = args.includes("--https");
-  const wantHttps = !hasNoTls && (hasHttpsFlag || isHttpsEnvEnabled());
+  const hasNoTls = args.includes("--no-tls") || isHttpsEnvDisabled();
+  const wantHttps = !hasNoTls;
   let customCertPath = null;
   let customKeyPath = null;
   const certIdx = args.indexOf("--cert");
   if (certIdx !== -1) {
     customCertPath = args[certIdx + 1] || null;
     if (!customCertPath || customCertPath.startsWith("-")) {
-      console.error(chalk.red("Error: --cert requires a file path."));
+      console.error(colors_default.red("Error: --cert requires a file path."));
       process.exit(1);
     }
   }
@@ -1567,76 +1681,158 @@ ${chalk.bold("Usage:")}
   if (keyIdx !== -1) {
     customKeyPath = args[keyIdx + 1] || null;
     if (!customKeyPath || customKeyPath.startsWith("-")) {
-      console.error(chalk.red("Error: --key requires a file path."));
+      console.error(colors_default.red("Error: --key requires a file path."));
       process.exit(1);
     }
   }
   if (customCertPath && !customKeyPath || !customCertPath && customKeyPath) {
-    console.error(chalk.red("Error: --cert and --key must be used together."));
+    console.error(colors_default.red("Error: --cert and --key must be used together."));
     process.exit(1);
   }
+  const useHttps = wantHttps || !!(customCertPath && customKeyPath);
+  let hasExplicitPort = false;
+  let proxyPort = getDefaultPort(useHttps);
+  let portFlagIndex = args.indexOf("--port");
+  if (portFlagIndex === -1) portFlagIndex = args.indexOf("-p");
+  if (portFlagIndex !== -1) {
+    const portValue = args[portFlagIndex + 1];
+    if (!portValue || portValue.startsWith("-")) {
+      console.error(colors_default.red("Error: --port / -p requires a port number."));
+      console.error(colors_default.blue("Usage:"));
+      console.error(colors_default.cyan("  portless proxy start -p 8080"));
+      process.exit(1);
+    }
+    proxyPort = parseInt(portValue, 10);
+    if (isNaN(proxyPort) || proxyPort < 1 || proxyPort > 65535) {
+      console.error(colors_default.red(`Error: Invalid port number: ${portValue}`));
+      console.error(colors_default.blue("Port must be between 1 and 65535."));
+      process.exit(1);
+    }
+    hasExplicitPort = true;
+  }
   let tld;
   try {
     tld = getDefaultTld();
   } catch (err) {
-    console.error(chalk.red(`Error: ${err.message}`));
+    console.error(colors_default.red(`Error: ${err.message}`));
     process.exit(1);
   }
   const tldIdx = args.indexOf("--tld");
   if (tldIdx !== -1) {
     const tldValue = args[tldIdx + 1];
     if (!tldValue || tldValue.startsWith("-")) {
-      console.error(chalk.red("Error: --tld requires a TLD value (e.g. test, localhost)."));
+      console.error(colors_default.red("Error: --tld requires a TLD value (e.g. test, localhost)."));
       process.exit(1);
     }
     tld = tldValue.trim().toLowerCase();
     const tldErr = validateTld(tld);
     if (tldErr) {
-      console.error(chalk.red(`Error: ${tldErr}`));
+      console.error(colors_default.red(`Error: ${tldErr}`));
       process.exit(1);
     }
   }
   const riskyReason = RISKY_TLDS.get(tld);
   if (riskyReason) {
-    console.warn(chalk.yellow(`Warning: .${tld} -- ${riskyReason}`));
+    console.warn(colors_default.yellow(`Warning: .${tld}: ${riskyReason}`));
   }
   const syncDisabled = process.env.PORTLESS_SYNC_HOSTS === "0" || process.env.PORTLESS_SYNC_HOSTS === "false";
   if (tld !== DEFAULT_TLD && syncDisabled) {
     console.warn(
-      chalk.yellow(
+      colors_default.yellow(
         `Warning: .${tld} domains require ${HOSTS_DISPLAY} entries to resolve to 127.0.0.1.`
       )
     );
-    console.warn(chalk.yellow("Hosts sync is disabled. To add entries manually, run:"));
-    console.warn(chalk.cyan(`  ${SUDO_PREFIX}portless hosts sync`));
+    console.warn(colors_default.yellow("Hosts sync is disabled. To add entries manually, run:"));
+    console.warn(colors_default.cyan("  portless hosts sync"));
   }
-  const useHttps = wantHttps || !!(customCertPath && customKeyPath);
-  const stateDir = resolveStateDir(proxyPort);
-  const store = new RouteStore(stateDir, {
-    onWarning: (msg) => console.warn(chalk.yellow(msg))
+  const useWildcard = args.includes("--wildcard") || isWildcardEnvEnabled();
+  let stateDir = resolveStateDir(proxyPort);
+  let store = new RouteStore(stateDir, {
+    onWarning: (msg) => console.warn(colors_default.yellow(msg))
   });
   if (await isProxyRunning(proxyPort)) {
     if (isForeground) {
       return;
     }
-    const needsSudo = !isWindows && proxyPort < PRIVILEGED_PORT_THRESHOLD;
-    const sudoPrefix = needsSudo ? "sudo " : "";
-    const portFlag = proxyPort !== getDefaultPort() ? ` -p ${proxyPort}` : "";
-    console.log(chalk.yellow(`Proxy is already running on port ${proxyPort}.`));
+    const portFlag = proxyPort !== getProtocolPort(useHttps) ? ` -p ${proxyPort}` : "";
+    console.log(colors_default.yellow(`Proxy is already running on port ${proxyPort}.`));
     console.log(
-      chalk.blue(
-        `To restart: ${sudoPrefix}portless proxy stop${portFlag} && ${sudoPrefix}portless proxy start${portFlag}`
-      )
+      colors_default.blue(`To restart: portless proxy stop${portFlag} && portless proxy start${portFlag}`)
     );
     return;
   }
   if (!isWindows && proxyPort < PRIVILEGED_PORT_THRESHOLD && (process.getuid?.() ?? -1) !== 0) {
-    console.error(chalk.red(`Error: Port ${proxyPort} requires sudo.`));
-    console.error(chalk.blue("Either run with sudo:"));
-    console.error(chalk.cyan("  sudo portless proxy start -p 80"));
-    console.error(chalk.blue("Or use the default port (no sudo needed):"));
-    console.error(chalk.cyan("  portless proxy start"));
-    process.exit(1);
+    const baseArgs = [
+      process.execPath,
+      getEntryScript(),
+      "proxy",
+      "start",
+      "-p",
+      String(proxyPort)
+    ];
+    const optionalFlags = [];
+    if (hasNoTls) optionalFlags.push("--no-tls");
+    if (tld !== DEFAULT_TLD) optionalFlags.push("--tld", tld);
+    if (useWildcard) optionalFlags.push("--wildcard");
+    if (isForeground) optionalFlags.push("--foreground");
+    if (customCertPath && customKeyPath)
+      optionalFlags.push("--cert", customCertPath, "--key", customKeyPath);
+    const startArgs = [...baseArgs, ...optionalFlags];
+    const extraFlags = optionalFlags.map((a) => ` ${a}`).join("");
+    console.log(
+      colors_default.yellow(`Port ${proxyPort} requires elevated privileges. Requesting sudo...`)
+    );
+    if (!hasExplicitPort) {
+      console.log(
+        colors_default.gray(
+          `(To skip sudo, use an unprivileged port: portless proxy start -p ${FALLBACK_PROXY_PORT}${extraFlags})`
+        )
+      );
+    }
+    const result = spawnSync("sudo", ["env", ...collectPortlessEnvArgs(), ...startArgs], {
+      stdio: "inherit",
+      timeout: SUDO_SPAWN_TIMEOUT_MS
+    });
+    if (result.status === 0) {
+      if (!isForeground) {
+        if (await waitForProxy(proxyPort)) {
+          console.log(colors_default.green(`Proxy started on port ${proxyPort}.`));
+        } else {
+          console.error(colors_default.red("Proxy process started but is not responding."));
+          const logPath2 = path3.join(resolveStateDir(proxyPort), "proxy.log");
+          if (fs3.existsSync(logPath2)) {
+            console.error(colors_default.gray(`Logs: ${logPath2}`));
+          }
+        }
+      }
+      return;
+    }
+    if (result.signal) {
+      process.exit(1);
+    }
+    if (!hasExplicitPort) {
+      proxyPort = FALLBACK_PROXY_PORT;
+      console.log(colors_default.yellow(`Falling back to port ${proxyPort}.`));
+      console.log(
+        colors_default.blue(`For clean URLs without port numbers, re-run and accept the sudo prompt:`)
+      );
+      console.log(colors_default.cyan(`  portless proxy start${extraFlags}`));
+      if (await isProxyRunning(proxyPort)) {
+        console.log(colors_default.yellow(`Proxy is already running on port ${proxyPort}.`));
+        return;
+      }
+      stateDir = resolveStateDir(proxyPort);
+      store = new RouteStore(stateDir, {
+        onWarning: (msg) => console.warn(colors_default.yellow(msg))
+      });
+    } else {
+      console.error(
+        colors_default.red(`Error: Port ${proxyPort} requires elevated privileges and sudo failed.`)
+      );
+      console.error(colors_default.blue("Try again (portless will prompt for sudo):"));
+      console.error(colors_default.cyan(`  portless proxy start -p ${proxyPort}${extraFlags}`));
+      process.exit(1);
+    }
   }
   let tlsOptions;
   if (useHttps) {
@@ -1648,43 +1844,45 @@ ${chalk.bold("Usage:")}
         const certStr = cert.toString("utf-8");
         const keyStr = key.toString("utf-8");
         if (!certStr.includes("-----BEGIN CERTIFICATE-----")) {
-          console.error(chalk.red(`Error: ${customCertPath} is not a valid PEM certificate.`));
-          console.error(chalk.gray("Expected a file starting with -----BEGIN CERTIFICATE-----"));
+          console.error(colors_default.red(`Error: ${customCertPath} is not a valid PEM certificate.`));
+          console.error(colors_default.gray("Expected a file starting with -----BEGIN CERTIFICATE-----"));
           process.exit(1);
         }
         if (!keyStr.match(/-----BEGIN [\w\s]*PRIVATE KEY-----/)) {
-          console.error(chalk.red(`Error: ${customKeyPath} is not a valid PEM private key.`));
-          console.error(chalk.gray("Expected a file starting with -----BEGIN ...PRIVATE KEY-----"));
+          console.error(colors_default.red(`Error: ${customKeyPath} is not a valid PEM private key.`));
+          console.error(
+            colors_default.gray("Expected a file starting with -----BEGIN ...PRIVATE KEY-----")
+          );
           process.exit(1);
         }
         tlsOptions = { cert, key };
       } catch (err) {
         const message = err instanceof Error ? err.message : String(err);
-        console.error(chalk.red(`Error reading certificate files: ${message}`));
+        console.error(colors_default.red(`Error reading certificate files: ${message}`));
         process.exit(1);
       }
     } else {
-      console.log(chalk.gray("Ensuring TLS certificates..."));
+      console.log(colors_default.gray("Ensuring TLS certificates..."));
       const certs = ensureCerts(stateDir);
       if (certs.caGenerated) {
-        console.log(chalk.green("Generated local CA certificate."));
+        console.log(colors_default.green("Generated local CA certificate."));
       }
       if (!isCATrusted(stateDir)) {
-        console.log(chalk.yellow("Adding CA to system trust store..."));
+        console.log(colors_default.yellow("Adding CA to system trust store..."));
         const trustResult = trustCA(stateDir);
         if (trustResult.trusted) {
           console.log(
-            chalk.green("CA added to system trust store. Browsers will trust portless certs.")
+            colors_default.green("CA added to system trust store. Browsers will trust portless certs.")
           );
         } else {
-          console.warn(chalk.yellow("Could not add CA to system trust store."));
+          console.warn(colors_default.yellow("Could not add CA to system trust store."));
           if (trustResult.error) {
-            console.warn(chalk.gray(trustResult.error));
+            console.warn(colors_default.gray(trustResult.error));
           }
           console.warn(
-            chalk.yellow("Browsers will show certificate warnings. To fix this later, run:")
+            colors_default.yellow("Browsers will show certificate warnings. To fix this later, run:")
           );
-          console.warn(chalk.cyan("  portless trust"));
+          console.warn(colors_default.cyan("  portless trust"));
         }
       }
       const cert = fs3.readFileSync(certs.certPath);
@@ -1697,8 +1895,8 @@ ${chalk.bold("Usage:")}
     }
   }
   if (isForeground) {
-    console.log(chalk.blue.bold("\nportless proxy\n"));
-    startProxyServer(store, proxyPort, tld, tlsOptions);
+    console.log(colors_default.blue.bold("\nportless proxy\n"));
+    startProxyServer(store, proxyPort, tld, tlsOptions, useWildcard ? false : void 0);
     return;
   }
   store.ensureDir();
@@ -1710,20 +1908,29 @@ ${chalk.bold("Usage:")}
     } catch {
     }
     fixOwnership(logPath);
-    const daemonArgs = [process.argv[1], "proxy", "start", "--foreground"];
-    if (portFlagIndex !== -1) {
-      daemonArgs.push("--port", proxyPort.toString());
-    }
+    const daemonArgs = [
+      getEntryScript(),
+      "proxy",
+      "start",
+      "--foreground",
+      "--port",
+      proxyPort.toString()
+    ];
     if (useHttps) {
       if (customCertPath && customKeyPath) {
         daemonArgs.push("--cert", customCertPath, "--key", customKeyPath);
       } else {
         daemonArgs.push("--https");
       }
+    } else {
+      daemonArgs.push("--no-tls");
     }
     if (tld !== DEFAULT_TLD) {
       daemonArgs.push("--tld", tld);
     }
+    if (useWildcard) {
+      daemonArgs.push("--wildcard");
+    }
     const child = spawn(process.execPath, daemonArgs, {
       detached: true,
       stdio: ["ignore", logFd, logFd],
@@ -1735,32 +1942,31 @@ ${chalk.bold("Usage:")}
     fs3.closeSync(logFd);
   }
   if (!await waitForProxy(proxyPort, void 0, void 0, useHttps)) {
-    console.error(chalk.red("Proxy failed to start (timed out waiting for it to listen)."));
-    console.error(chalk.blue("Try starting the proxy in the foreground to see the error:"));
-    const needsSudo = !isWindows && proxyPort < PRIVILEGED_PORT_THRESHOLD;
-    console.error(chalk.cyan(`  ${needsSudo ? "sudo " : ""}portless proxy start --foreground`));
+    console.error(colors_default.red("Proxy failed to start (timed out waiting for it to listen)."));
+    console.error(colors_default.blue("Try starting the proxy in the foreground to see the error:"));
+    console.error(colors_default.cyan("  portless proxy start --foreground"));
     if (fs3.existsSync(logPath)) {
-      console.error(chalk.gray(`Logs: ${logPath}`));
+      console.error(colors_default.gray(`Logs: ${logPath}`));
     }
     process.exit(1);
   }
   const proto = useHttps ? "HTTPS/2" : "HTTP";
-  console.log(chalk.green(`${proto} proxy started on port ${proxyPort}`));
+  console.log(colors_default.green(`${proto} proxy started on port ${proxyPort}`));
 }
 async function handleRunMode(args) {
   const parsed = parseRunArgs(args);
   if (parsed.commandArgs.length === 0) {
-    console.error(chalk.red("Error: No command provided."));
-    console.error(chalk.blue("Usage:"));
-    console.error(chalk.cyan("  portless run <command...>"));
-    console.error(chalk.blue("Example:"));
-    console.error(chalk.cyan("  portless run next dev"));
+    console.error(colors_default.red("Error: No command provided."));
+    console.error(colors_default.blue("Usage:"));
+    console.error(colors_default.cyan("  portless run <command...>"));
+    console.error(colors_default.blue("Example:"));
+    console.error(colors_default.cyan("  portless run next dev"));
     process.exit(1);
   }
   let baseName;
   let nameSource;
   if (parsed.name) {
-    baseName = parsed.name;
+    baseName = parsed.name.split(".").map((label) => truncateLabel(label)).join(".");
     nameSource = "--name flag";
   } else {
     const inferred = inferProjectName();
@@ -1771,7 +1977,7 @@ async function handleRunMode(args) {
   const effectiveName = worktree ? `${worktree.prefix}.${baseName}` : baseName;
   const { dir, port, tls: tls2, tld } = await discoverState();
   const store = new RouteStore(dir, {
-    onWarning: (msg) => console.warn(chalk.yellow(msg))
+    onWarning: (msg) => console.warn(colors_default.yellow(msg))
   });
   await runApp(
     store,
@@ -1789,22 +1995,23 @@ async function handleRunMode(args) {
 async function handleNamedMode(args) {
   const parsed = parseAppArgs(args);
   if (parsed.commandArgs.length === 0) {
-    console.error(chalk.red("Error: No command provided."));
-    console.error(chalk.blue("Usage:"));
-    console.error(chalk.cyan("  portless <name> <command...>"));
-    console.error(chalk.blue("Example:"));
-    console.error(chalk.cyan("  portless myapp next dev"));
+    console.error(colors_default.red("Error: No command provided."));
+    console.error(colors_default.blue("Usage:"));
+    console.error(colors_default.cyan("  portless <name> <command...>"));
+    console.error(colors_default.blue("Example:"));
+    console.error(colors_default.cyan("  portless myapp next dev"));
     process.exit(1);
   }
+  const safeName = parsed.name.split(".").map((label) => truncateLabel(label)).join(".");
   const { dir, port, tls: tls2, tld } = await discoverState();
   const store = new RouteStore(dir, {
-    onWarning: (msg) => console.warn(chalk.yellow(msg))
+    onWarning: (msg) => console.warn(colors_default.yellow(msg))
   });
   await runApp(
     store,
     port,
     dir,
-    parsed.name,
+    safeName,
     parsed.commandArgs,
     tls2,
     tld,
@@ -1826,23 +2033,23 @@ async function main() {
   const isNpx = process.env.npm_command === "exec" && !process.env.npm_lifecycle_event;
   const isPnpmDlx = !!process.env.PNPM_SCRIPT_SRC_DIR && !process.env.npm_lifecycle_event;
   if (isNpx || isPnpmDlx) {
-    console.error(chalk.red("Error: portless should not be run via npx or pnpm dlx."));
-    console.error(chalk.blue("Install globally instead:"));
-    console.error(chalk.cyan("  npm install -g portless"));
+    console.error(colors_default.red("Error: portless should not be run via npx or pnpm dlx."));
+    console.error(colors_default.blue("Install globally instead:"));
+    console.error(colors_default.cyan("  npm install -g portless"));
     process.exit(1);
   }
   if (args[0] === "--name") {
     args.shift();
     if (!args[0]) {
-      console.error(chalk.red("Error: --name requires an app name."));
-      console.error(chalk.cyan("  portless --name <name> <command...>"));
+      console.error(colors_default.red("Error: --name requires an app name."));
+      console.error(colors_default.cyan("  portless --name <name> <command...>"));
       process.exit(1);
     }
     const skipPortless2 = process.env.PORTLESS === "0" || process.env.PORTLESS === "false" || process.env.PORTLESS === "skip";
     if (skipPortless2) {
       const { commandArgs } = parseAppArgs(args);
       if (commandArgs.length === 0) {
-        console.error(chalk.red("Error: No command provided."));
+        console.error(colors_default.red("Error: No command provided."));
         process.exit(1);
       }
       spawnCommand(commandArgs);
@@ -1859,7 +2066,7 @@ async function main() {
   if (skipPortless && (isRunCommand || args.length >= 2 && args[0] !== "proxy")) {
     const { commandArgs } = isRunCommand ? parseRunArgs(args) : parseAppArgs(args);
     if (commandArgs.length === 0) {
-      console.error(chalk.red("Error: No command provided."));
+      console.error(colors_default.red("Error: No command provided."));
       process.exit(1);
     }
     spawnCommand(commandArgs);
@@ -1907,6 +2114,6 @@ async function main() {
 }
 main().catch((err) => {
   const message = err instanceof Error ? err.message : String(err);
-  console.error(chalk.red("Error:"), message);
+  console.error(colors_default.red("Error:"), message);
   process.exit(1);
 });