pitchfork-cli 2.13.1

Daemons with DX
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458

use crate::Result;

/// Manage the pitchfork reverse proxy
#[derive(Debug, clap::Args)]
#[clap(
    verbatim_doc_comment,
    long_about = "\
Manage the pitchfork reverse proxy

The reverse proxy routes requests from stable slug-based URLs like:
  https://myapp.localhost

to the daemon's actual listening port (e.g. localhost:3000).

Slugs are defined in the global config (~/.config/pitchfork/config.toml)
under [slugs]. Each slug maps to a project directory and daemon name.

Enable the proxy in your pitchfork.toml or settings:
  [settings.proxy]
  enable = true

Subcommands:
  trust     Install the proxy's TLS certificate into the system trust store
  untrust   Remove the proxy's TLS certificate from the system trust store
  add       Add a slug mapping to the global config
  remove    Remove a slug mapping from the global config
  status    Show all registered slugs and their current state"
)]
pub struct Proxy {
    #[clap(subcommand)]
    command: ProxyCommands,
}

#[derive(Debug, clap::Subcommand)]
enum ProxyCommands {
    Trust(Trust),
    Untrust(Untrust),
    Status(ProxyStatus),
    Add(Add),
    Remove(Remove),
}

impl Proxy {
    pub async fn run(&self) -> Result<()> {
        match &self.command {
            ProxyCommands::Trust(trust) => trust.run().await,
            ProxyCommands::Untrust(untrust) => untrust.run().await,
            ProxyCommands::Status(status) => status.run().await,
            ProxyCommands::Add(add) => add.run().await,
            ProxyCommands::Remove(remove) => remove.run().await,
        }
    }
}

// ─── proxy trust ─────────────────────────────────────────────────────────────

/// Install the proxy's self-signed TLS certificate into the system trust store
///
/// This command installs pitchfork's auto-generated TLS certificate into your
/// system's trust store so that browsers and tools trust HTTPS proxy URLs
/// without certificate warnings.
///
/// On macOS, this installs the certificate into the current user's login
/// keychain. No `sudo` required.
///
/// On Linux, the appropriate CA certificate directory and update command are
/// detected automatically based on the running distribution:
///   - Debian/Ubuntu: /usr/local/share/ca-certificates/ + update-ca-certificates
///   - RHEL/Fedora/CentOS: /etc/pki/ca-trust/source/anchors/ + update-ca-trust
///   - Arch Linux: /etc/ca-certificates/trust-source/anchors/ + trust extract-compat
///   - openSUSE: /etc/pki/trust/anchors/ + update-ca-certificates
///
/// This DOES require sudo on Linux.
///
/// Example:
///   pitchfork proxy trust
///   sudo pitchfork proxy trust    # Linux only
#[derive(Debug, clap::Args)]
#[clap(verbatim_doc_comment)]
struct Trust {
    /// Path to the certificate file to trust (defaults to pitchfork's auto-generated cert)
    #[clap(long)]
    cert: Option<std::path::PathBuf>,
}

impl Trust {
    async fn run(&self) -> Result<()> {
        let cert_path = self.cert.clone().unwrap_or_else(|| {
            // Default: pitchfork's auto-generated CA cert in state dir
            crate::env::PITCHFORK_STATE_DIR.join("proxy").join("ca.pem")
        });

        // Check if already trusted to avoid duplicates (especially on macOS keychain)
        if crate::proxy::trust::is_ca_trusted(&cert_path) {
            println!("CA certificate is already trusted.");
            return Ok(());
        }

        crate::proxy::trust::install_cert(&cert_path)?;
        println!(
            "CA certificate installed: {}\n\
             \n\
             Browsers and tools will now trust HTTPS proxy URLs like:\n\
             https://docs.pf.localhost:7777",
            cert_path.display()
        );
        Ok(())
    }
}

// ─── proxy untrust ───────────────────────────────────────────────────────────

/// Remove the proxy's TLS certificate from the system trust store
///
/// Removes the pitchfork CA certificate that was previously installed by
/// `pitchfork proxy trust` or auto-trust.
///
/// On macOS, removes the certificate from the login keychain and system keychain.
/// On Linux, removes the certificate from the distro-specific CA directory
/// and runs the appropriate update command.
///
/// Example:
///   pitchfork proxy untrust
///   sudo pitchfork proxy untrust    # Linux only
#[derive(Debug, clap::Args)]
#[clap(verbatim_doc_comment)]
struct Untrust {
    /// Path to the certificate file (defaults to pitchfork's auto-generated cert)
    #[clap(long)]
    cert: Option<std::path::PathBuf>,
}

impl Untrust {
    async fn run(&self) -> Result<()> {
        let cert_path = self
            .cert
            .clone()
            .unwrap_or_else(|| crate::env::PITCHFORK_STATE_DIR.join("proxy").join("ca.pem"));

        crate::proxy::trust::uninstall_cert(&cert_path)?;
        println!("CA certificate removed from system trust store.");
        Ok(())
    }
}

// ─── proxy status ─────────────────────────────────────────────────────────────

/// Show all registered slugs and their current state
///
/// Displays the proxy configuration and lists all slugs from the global config
/// with their project directory, daemon name, and current status (running/stopped, port).
#[derive(Debug, clap::Args)]
#[clap(verbatim_doc_comment)]
struct ProxyStatus {}

impl ProxyStatus {
    async fn run(&self) -> Result<()> {
        use crate::pitchfork_toml::PitchforkToml;
        use crate::settings::settings;
        let s = settings();

        if !s.proxy.enable {
            println!("Proxy: disabled");
            println!();
            println!("Enable with:");
            println!("  PITCHFORK_PROXY_ENABLE=true pitchfork supervisor start");
            println!("  # or in pitchfork.toml: [settings.proxy] / enable = true");
            return Ok(());
        }

        let Some(effective_port) = u16::try_from(s.proxy.port).ok().filter(|&p| p > 0) else {
            println!("Proxy: enabled");
            println!(
                "  proxy.port {} is out of valid port range (1-65535)",
                s.proxy.port
            );
            return Ok(());
        };
        let scheme = if s.proxy.https { "https" } else { "http" };
        let lan_enabled = s.proxy.lan || !s.proxy.lan_ip.is_empty();
        let tld = if lan_enabled { "local" } else { &s.proxy.tld };

        println!("Proxy: enabled");
        println!("  Scheme:  {scheme}");
        println!("  TLD:     {tld}");
        println!("  Port:    {effective_port}");
        if lan_enabled {
            let lan_ip = if !s.proxy.lan_ip.is_empty() {
                s.proxy.lan_ip.clone()
            } else {
                "auto-detect".to_string()
            };
            println!("  LAN:     enabled (IP: {lan_ip})");
        }
        if s.proxy.https {
            let cert = if s.proxy.tls_cert.is_empty() {
                format!(
                    "{} (auto-generated)",
                    crate::env::PITCHFORK_STATE_DIR
                        .join("proxy")
                        .join("ca.pem")
                        .display()
                )
            } else {
                s.proxy.tls_cert.clone()
            };
            println!("  TLS cert: {cert}");

            // Show trust status
            let cert_path = if s.proxy.tls_cert.is_empty() {
                crate::env::PITCHFORK_STATE_DIR.join("proxy").join("ca.pem")
            } else {
                std::path::PathBuf::from(&s.proxy.tls_cert)
            };
            let trusted = crate::proxy::trust::is_ca_trusted(&cert_path);
            println!(
                "  Trusted: {}",
                if trusted {
                    "yes"
                } else {
                    "no (run: pitchfork proxy trust)"
                }
            );
        }
        println!();

        // Show all registered slugs from global config
        let slugs = PitchforkToml::read_global_slugs();
        if slugs.is_empty() {
            println!("No slugs registered.");
            println!();
            println!("Add a slug with:");
            println!("  pitchfork proxy add <slug>");
            println!("  pitchfork proxy add <slug> --dir /path/to/project --daemon <name>");
        } else {
            println!("Registered slugs:");
            println!();

            // Read state file for daemon status
            let state_file =
                crate::state_file::StateFile::read(&*crate::env::PITCHFORK_STATE_FILE).ok();

            let standard_port = if s.proxy.https { 443u16 } else { 80u16 };

            for (slug, entry) in &slugs {
                let daemon_name = entry.daemon.as_deref().unwrap_or(slug);
                let url = if effective_port == standard_port {
                    format!("{scheme}://{slug}.{tld}")
                } else {
                    format!("{scheme}://{slug}.{tld}:{effective_port}")
                };

                // Try to find the daemon in the state file, scoped to the slug's
                // registered project directory to avoid picking the wrong daemon
                // when multiple projects have daemons with the same short name.
                let expected_ns = entry.resolve_dir().and_then(|dir| {
                    crate::pitchfork_toml::PitchforkToml::namespace_for_dir(&dir).ok()
                });
                let status_str = if let Some(sf) = &state_file {
                    let daemon_entry = sf.daemons.iter().find(|(id, _)| {
                        id.name() == daemon_name
                            && match &expected_ns {
                                Some(ns) => id.namespace() == ns,
                                None => true,
                            }
                    });
                    if let Some((_, daemon)) = daemon_entry {
                        let port_str = daemon
                            .active_port
                            .or_else(|| daemon.resolved_port.first().copied())
                            .map(|p| format!(" (port {p})"))
                            .unwrap_or_default();
                        if daemon.status.is_running() {
                            format!("running{port_str}")
                        } else {
                            format!("{}", daemon.status)
                        }
                    } else {
                        "not started".to_string()
                    }
                } else {
                    "unknown".to_string()
                };

                println!("  {slug}");
                println!("    URL:    {url}");
                println!(
                    "    Dir:    {}",
                    entry
                        .resolve_dir()
                        .map(|d| d.display().to_string())
                        .unwrap_or_else(|| "(unresolved)".to_string())
                );
                println!("    Daemon: {daemon_name}");
                println!("    Status: {status_str}");
                println!();
            }
        }

        Ok(())
    }
}

// ─── proxy add ───────────────────────────────────────────────────────────────

/// Add a slug mapping to the global config
///
/// Registers a slug in ~/.config/pitchfork/config.toml that maps to a project
/// directory and daemon name. The proxy uses this to route requests.
///
/// If --dir is not specified, uses the current directory.
/// If --daemon is not specified, defaults to the slug name.
///
/// Example:
///   pitchfork proxy add api
///   pitchfork proxy add api --daemon server
///   pitchfork proxy add api --dir /home/user/my-api --daemon server
#[derive(Debug, clap::Args)]
#[clap(verbatim_doc_comment)]
struct Add {
    /// The slug name (used in proxy URLs, e.g. api → api.localhost)
    slug: String,
    /// Project directory (defaults to current directory)
    #[clap(long)]
    dir: Option<std::path::PathBuf>,
    /// Daemon name within the project (defaults to slug name)
    #[clap(long)]
    daemon: Option<String>,
    /// Namespace to associate with the slug. If not provided, derived from the project directory.
    #[clap(long)]
    namespace: Option<String>,
}

impl Add {
    async fn run(&self) -> Result<()> {
        use crate::pitchfork_toml::PitchforkToml;

        // Validate slug characters
        let slug = &self.slug;
        if slug.is_empty() {
            miette::bail!("Slug must be non-empty.");
        }
        if slug.contains('.') {
            miette::bail!(
                "Slug '{slug}' contains a dot ('.'). \
                 Slugs must not contain dots because they are used as \
                 DNS subdomain labels in proxy URLs (<slug>.<tld>)."
            );
        }
        if !slug
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
        {
            miette::bail!(
                "Slug '{slug}' contains invalid characters. \
                 Slugs must be alphanumeric with '-' and '_' allowed."
            );
        }

        let dir = self.dir.clone().unwrap_or_else(|| crate::env::CWD.clone());
        let dir = dir.canonicalize().unwrap_or(dir);

        let daemon = self.daemon.as_deref();

        let resolved_ns = self
            .namespace
            .clone()
            .or_else(|| crate::pitchfork_toml::PitchforkToml::namespace_for_dir(&dir).ok());

        let Some(resolved_ns) = resolved_ns else {
            miette::bail!(
                "Cannot derive a namespace for '{}'. \
                 Make sure the directory contains a pitchfork.toml with a valid `namespace`, \
                 or provide an explicit `--namespace`.",
                dir.display()
            );
        };

        // Auto-register namespace if not already registered
        let namespaces = crate::pitchfork_toml::PitchforkToml::read_global_namespaces();
        if !namespaces.contains_key(&resolved_ns) {
            crate::pitchfork_toml::PitchforkToml::register_namespace(
                &resolved_ns,
                &dir.to_string_lossy(),
            )?;
            println!("Registered namespace '{resolved_ns}' at {}", dir.display());
        }

        // Don't store daemon name if it matches the slug (it defaults to slug)
        let stored_daemon = if daemon == Some(slug.as_str()) {
            None
        } else {
            daemon
        };

        PitchforkToml::add_slug_with_namespace(slug, Some(&resolved_ns), stored_daemon)?;

        // Notify the supervisor so it can update mDNS records.
        if let Ok(client) = crate::ipc::client::IpcClient::connect(false).await {
            let _ = client.sync_mdns().await;
        }

        let global_path = &*crate::env::PITCHFORK_GLOBAL_CONFIG_USER;
        let daemon_display = daemon.unwrap_or(slug);
        println!("Added slug '{slug}' → namespace '{resolved_ns}' (daemon: {daemon_display})");
        println!("  Config: {}", global_path.display());

        let s = crate::settings::settings();
        if s.proxy.enable {
            let scheme = if s.proxy.https { "https" } else { "http" };
            let lan_enabled = s.proxy.lan || !s.proxy.lan_ip.is_empty();
            let tld = if lan_enabled { "local" } else { &s.proxy.tld };
            let standard_port = if s.proxy.https { 443u16 } else { 80u16 };
            if let Some(effective_port) = u16::try_from(s.proxy.port).ok().filter(|&p| p > 0) {
                let url = if effective_port == standard_port {
                    format!("{scheme}://{slug}.{tld}")
                } else {
                    format!("{scheme}://{slug}.{tld}:{effective_port}")
                };
                println!("  URL:    {url}");
            }
        }

        Ok(())
    }
}

// ─── proxy remove ────────────────────────────────────────────────────────────

/// Remove a slug mapping from the global config
///
/// Example:
///   pitchfork proxy remove api
#[derive(Debug, clap::Args)]
#[clap(visible_alias = "rm", verbatim_doc_comment)]
struct Remove {
    /// The slug name to remove
    slug: String,
}

impl Remove {
    async fn run(&self) -> Result<()> {
        use crate::pitchfork_toml::PitchforkToml;

        if PitchforkToml::remove_slug(&self.slug)? {
            println!("Removed slug '{}'", self.slug);

            // Notify the supervisor so it can update mDNS records.
            if let Ok(client) = crate::ipc::client::IpcClient::connect(false).await {
                let _ = client.sync_mdns().await;
            }
        } else {
            println!("Slug '{}' was not registered.", self.slug);
        }

        Ok(())
    }
}