[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-78852":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":14,"stars30d":16,"stars90d":15,"forks30d":15,"starsTrendScore":15,"compositeScore":17,"rankGlobal":10,"rankLanguage":10,"license":18,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":19,"hasPages":19,"topics":21,"createdAt":10,"pushedAt":10,"updatedAt":31,"readmeContent":32,"aiSummary":33,"trendingCount":15,"starSnapshotCount":15,"syncStatus":34,"lastSyncTime":35,"discoverSource":36},78852,"mkdev","venkatkrishna07\u002Fmkdev","venkatkrishna07","Trusted localhost HTTPS — local CA, \u002Fetc\u002Fhosts, mDNS LAN sharing, reverse proxy. Maps https:\u002F\u002Fname.local →    localhost:port","",null,"Go",136,14,1,0,42,48.23,"MIT License",false,"main",[22,23,24,25,26,27,28,29,30],"cli","developer-tools","golang","homebrew","local-development","localhost","mdns","mkcert","tui","2026-06-12 04:01:24","# mkdev\n\n**Real HTTPS for local dev — with a TUI and LAN sharing.**\n\n[![ci](https:\u002F\u002Fgithub.com\u002Fvenkatkrishna07\u002Fmkdev\u002Factions\u002Fworkflows\u002Fci.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fvenkatkrishna07\u002Fmkdev\u002Factions\u002Fworkflows\u002Fci.yml) [![release](https:\u002F\u002Fgithub.com\u002Fvenkatkrishna07\u002Fmkdev\u002Factions\u002Fworkflows\u002Frelease.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fvenkatkrishna07\u002Fmkdev\u002Factions\u002Fworkflows\u002Frelease.yml) [![license](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-MIT-blue)](.\u002FLICENSE)\n\n---\n\nmkdev runs trusted HTTPS on `*.local`.  
A single Go binary: cert authority + reverse proxy + `\u002Fetc\u002Fhosts` + mDNS broadcast + a full TUI.\n\nWhat makes it different:\n\n- **LAN sharing.** Mark a route shared, hit `https:\u002F\u002Fapp.local` from your phone or any device on the same Wi-Fi.\n- **TUI, not just a CLI.** Live route table, request logs, cert inspection, health doctor. `mkdev` with no args drops you in.\n- **Hardened privilege boundary.** Owner, writability, and symlink checks on the sudo helper binary before any elevated call ([`internal\u002Fsafeexec`](.\u002Finternal\u002Fsafeexec\u002Fsafeexec.go)). No PATH-based shadowing, no group-writable shortcuts.\n- **Per-SNI cert minting.** Leaves are issued on demand and gated by an explicit `knownHost` allow-list. Not wildcard, not pre-baked.\n\n## What it does\n\n```\nmkdev install                    # generates CA, trusts in system store\nmkdev add myapp localhost:3000   # routes https:\u002F\u002Fmyapp.local → localhost:3000\nmkdev serve                      # foreground TLS proxy\ncurl https:\u002F\u002Fmyapp.local         # 200 from your local app\n```\n\n![mkdev demo](assets\u002Fdemo-add.gif)\n\n## LAN sharing\n\nmkdev's headline feature. Share a route to any device on the same Wi-Fi with real TLS — no warnings, no tunnel service.\n\n1. In the TUI Domains tab, select a route and press `s` to flip the **SHARE** column to `LAN`.\n2. The route is advertised via mDNS as `\u003Cname>.local` → this machine's LAN IP.\n3. On the phone \u002F second laptop, browse to `https:\u002F\u002F\u003Cname>.local`. Once the device trusts the mkdev CA (one-time), no warnings.\n\n### Caveats\n\n- Only `.local` routes broadcast over mDNS. Other TLDs still proxy but aren't LAN-reachable by name.\n- Corporate \u002F cloud Wi-Fi often blocks multicast. Home and office Wi-Fi work.\n- Toggling `s` is live — mDNS advertising and the LAN-side ACL update on the next request. 
No restart.\n- Non-shared routes 403 non-loopback requests as defense-in-depth.\n- Anyone on the LAN can hit your shared routes. Don't enable on untrusted Wi-Fi.\n\n## Install\n\n### Homebrew (macOS, Linux)\n\n```sh\nbrew install venkatkrishna07\u002Ftap\u002Fmkdev\n```\n\nUpgrade later:\n\n```sh\nbrew update\nbrew upgrade mkdev\n```\n\n### Go\n\n```sh\ngo install github.com\u002Fvenkatkrishna07\u002Fmkdev\u002Fcmd\u002Fmkdev@latest\n```\n\nUpgrade to a specific version:\n\n```sh\ngo install github.com\u002Fvenkatkrishna07\u002Fmkdev\u002Fcmd\u002Fmkdev@v0.2.0\n```\n\n### Direct download\n\nPre-built binaries for macOS (Intel + Apple Silicon), Linux (amd64 + arm64), and Windows (amd64) are published on the [Releases page](https:\u002F\u002Fgithub.com\u002Fvenkatkrishna07\u002Fmkdev\u002Freleases). Each release includes `checksums.txt` plus a cosign keyless signature (`checksums.txt.sig` + `.pem`) — see [SECURITY.md#verifying-releases](.\u002FSECURITY.md) for the verify command.\n\nOn macOS, if Gatekeeper blocks a direct-download binary:\n\n```sh\nxattr -d com.apple.quarantine .\u002Fmkdev\n```\n\n### From source\n\n```sh\ngit clone https:\u002F\u002Fgithub.com\u002Fvenkatkrishna07\u002Fmkdev.git\ncd mkdev\ntask build\ncp bin\u002Fmkdev ~\u002Fbin\u002F        # or \u002Fusr\u002Flocal\u002Fbin\n```\n\nRequires **Go 1.25+**.\n\n## First run\n\n```sh\nmkdev install   # one-time root CA trust\nmkdev           # launch TUI\n```\n\n## Platform support\n\n| Platform | Trust store                                                       | Elevation       |\n|----------|-------------------------------------------------------------------|-----------------|\n| macOS    | System Keychain (`security add-trusted-cert`)                     | `sudo` \u002F `osascript` |\n| Linux    | `update-ca-trust` \u002F `update-ca-certificates` \u002F `trust extract-compat` | `sudo` \u002F `pkexec` |\n| Windows  | `ROOT` system store via `crypt32.dll`                             | UAC 
(PowerShell `RunAs`) |\n\nLinux distros detected: Debian\u002FUbuntu (`\u002Fusr\u002Flocal\u002Fshare\u002Fca-certificates`), RHEL\u002FFedora (`\u002Fetc\u002Fpki\u002Fca-trust\u002Fsource\u002Fanchors`), Arch (`\u002Fetc\u002Fca-certificates\u002Ftrust-source\u002Fanchors`), openSUSE (`\u002Fusr\u002Fshare\u002Fpki\u002Ftrust\u002Fanchors`).\n\nFirefox uses its own NSS store and is **not yet covered** — system Chrome\u002FSafari\u002FEdge\u002Fcurl\u002Fwget all work.\n\n## Commands\n\n| Command                              | Purpose                                                       |\n|--------------------------------------|---------------------------------------------------------------|\n| `install`                            | Generate the root CA, write defaults, trust in system store.  |\n| `add \u003Cname> \u003Ctarget>`                | Add route. Appends a `127.0.0.1` entry to `\u002Fetc\u002Fhosts`.       |\n| `remove \u003Cname>`                      | Remove route and its `\u002Fetc\u002Fhosts` entry.                      |\n| `list`                               | List routes in the store.                                     |\n| `serve`                              | Run the TLS reverse proxy in the foreground.                  |\n| `tui`                                | Launch the TUI (also the default when run with no args).      |\n| `uninstall`                          | Untrust the CA. `--purge` also wipes `~\u002F.mkdev\u002F`.             |\n| `version`                            | Print version, commit, build date.                            |\n| `completion \u003Cbash\\|zsh\\|fish\\|powershell>` | Emit shell completion script.                                 |\n| `hosts-helper`                       | Hidden. Invoked via `sudo` to mutate `\u002Fetc\u002Fhosts` atomically. 
|\n\n### Flags and environment\n\n| Flag \u002F env                    | Effect                                                       |\n|-------------------------------|--------------------------------------------------------------|\n| `--home \u003Cpath>`               | Override `~\u002F.mkdev` state directory.                         |\n| `--verbose`, `-v`             | Debug-level logging to stderr.                               |\n| `--version`                   | Print version and exit.                                      |\n| `MKDEV_HOME=\u003Cpath>`           | Equivalent to `--home`.                                      |\n\n### Target formats\n\n`\u003Ctarget>` accepts any of:\n\n```\nhost:port                  e.g. localhost:3000\nhttp:\u002F\u002Fhost[:port]\u002Fpath    e.g. http:\u002F\u002Flocalhost:3000\u002Fapi\nhttps:\u002F\u002Fhost[:port]\u002Fpath   e.g. https:\u002F\u002Fgitlab.example.com\n```\n\nFor HTTPS upstreams (e.g., a private GitLab on a corporate VPN) the upstream's TLS cert must verify against the system trust store. Private CAs need their root added to the OS keychain.\n\n`hosts-helper` is not meant to be called directly. `add` \u002F `remove` re-invoke the same binary under `sudo` to perform the privileged `\u002Fetc\u002Fhosts` write.\n\n## Configuration\n\n> **TLD note.** `.local` routes need an mDNS responder (always-on on macOS, available on Linux when `nss-mdns` is installed). `.test` \u002F `.dev` \u002F `.localhost` work everywhere via `\u002Fetc\u002Fhosts` alone. Set `tld` in config to match.\n\nConfig lives at `~\u002F.mkdev\u002Fconfig.toml`. 
Defaults:\n\n```toml\ntld           = \".local\"   # appended to bare names in `add`\nproxy_port    = 443        # binding :443 requires sudo on serve\ntheme         = \"auto\"     # reserved for future TUI\nlog_retention = \"7d\"       # reserved\nlog_max_size  = \"100MB\"    # reserved\n```\n\n| Field           | Default     | Notes                                                       |\n|-----------------|-------------|-------------------------------------------------------------|\n| `tld`           | `.local`    | Auto-appended when `add \u003Cname>` has no dot.                 |\n| `proxy_port`    | `443`       | Set to `8443` to run `serve` without sudo for dev testing.  |\n| `theme`         | `auto`      | Reserved for the upcoming TUI.                              |\n| `log_retention` | `7d`        | Reserved.                                                   |\n| `log_max_size`  | `100MB`     | Reserved.                                                   |\n\nOverride the config directory with `--home \u003Cpath>` or `MKDEV_HOME=...`.\n\n## How it works\n\n- Generates an **ECDSA P-256** root CA at `~\u002F.mkdev\u002Fca\u002F`. The private key is mode `0o400`.\n- Installs the CA in the OS-native trust store: macOS Keychain (`security`), Linux CA-bundle directory + `update-ca-*`, Windows `ROOT` store via `crypt32.dll`. 
Trust-store integration is adapted from [mkcert](https:\u002F\u002Fgithub.com\u002FFiloSottile\u002Fmkcert) (BSD-3) — see [`LICENSE-MKCERT`](.\u002FLICENSE-MKCERT).\n- On `add`, writes a route to a **bbolt** KV at `~\u002F.mkdev\u002Fstate.db` and appends a `127.0.0.1 \u003Cname>.\u003Ctld>` line to `\u002Fetc\u002Fhosts` via a `sudo`-invoked helper subcommand.\n- `serve` listens TLS on `0.0.0.0:\u003Cproxy_port>`, **mints leaf certs per SNI** on demand using the root CA, and reverse-proxies to the configured upstream.\n- The route table is re-read every 2 seconds, so `add` \u002F `remove` take effect without restarting `serve`.\n- The proxy binds `0.0.0.0`, but non-loopback requests are 403'd unless the matching route is marked **shared** — see [LAN sharing](#lan-sharing--your-dev-server-on-your-phone).\n\n## Security\n\nThis tool installs a **private CA into your system trust store**. Anyone with read access to `~\u002F.mkdev\u002Fca\u002FrootCA-key.pem` can mint TLS certs that your machine will trust. The key is created `0o400` (owner read only).\n\n- The proxy binds `0.0.0.0`, but a connection-source ACL 403s LAN requests to any route not explicitly marked **shared**. Loopback always passes.\n- No telemetry. No remote calls. No update checks.\n- `add` \u002F `remove` invoke `sudo` to mutate `\u002Fetc\u002Fhosts`. See [SECURITY.md](.\u002FSECURITY.md) for the threat model and a known limit around `os.Executable()`-resolved helper paths.\n\n## Uninstall\n\n```sh\nmkdev uninstall           # untrust CA, remove \u002Fetc\u002Fhosts entries\nmkdev uninstall --purge   # also delete ~\u002F.mkdev\u002F\n```\n\nIf something gets stuck, open **Keychain Access.app**, search for `mkdev`, and delete by hand. 
Then `grep mkdev \u002Fetc\u002Fhosts` and clean any leftovers.\n\n\n## Roadmap\n\nNext:\n\n- Background daemon (`mkdev up` \u002F `mkdev down`); UDS IPC; launchd \u002F systemd \u002F Task Scheduler.\n- Project config file (`.mkdev.yaml` checked into the repo).\n- Firefox \u002F NSS trust store integration.\n- Per-path routing (`\u002Fapi` → 8080, `\u002Fws` → 9000 on a single domain).\n\n## Troubleshooting\n\n- **Firefox shows a red bar.** Firefox uses its own NSS store; system trust doesn't reach it. NSS integration is on the roadmap. For now, import `~\u002F.mkdev\u002Fca\u002FrootCA.pem` manually under Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import.\n- **`serve` fails with \"permission denied\" on :443.** Either run as root, or set `proxy_port = 8443` in `~\u002F.mkdev\u002Fconfig.toml` and use `https:\u002F\u002Fname.local:8443`.\n- **`mkdev add` keeps asking for sudo.** Sudo's per-session cache expires (default 5 min). Use the TUI Domains tab instead — it elevates via `osascript` (macOS GUI prompt) or `pkexec` (Linux Polkit).\n- **`\u002Fetc\u002Fhosts` already has an entry for that name.** `mkdev add` is idempotent and only appends when no `mkdev`-managed entry exists. Remove the prior entry by hand or pick a different name.\n\n## Contributing\n\nSee [CONTRIBUTING.md](.\u002FCONTRIBUTING.md).\n\n## Acknowledgements\n\nmkdev's trust-store integration — Keychain\u002F`security` on macOS, CA-bundle + `update-ca-*` on Linux, `crypt32.dll` `ROOT` store on Windows, and the NSS adjacent paths — is adapted from [**mkcert**](https:\u002F\u002Fgithub.com\u002FFiloSottile\u002Fmkcert) by Filippo Valsorda, BSD-3. Without that prior art, this project would be substantially harder. See [`LICENSE-MKCERT`](.\u002FLICENSE-MKCERT) for the upstream license.\n\nThe TUI is built with [Charmbracelet's](https:\u002F\u002Fcharm.sh) Bubble Tea \u002F Bubbles \u002F Lipgloss. 
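mDNS via [`hashicorp\u002Fmdns`](https:\u002F\u002Fgithub.com\u002Fhashicorp\u002Fmdns). Local KV via [`bbolt`](https:\u002F\u002Fgithub.com\u002Fetcd-io\u002Fbbolt).\n\n## License\n\nMIT. See [LICENSE](.\u002FLICENSE).\n","mkdev is a tool for local development environments that provides a terminal user interface (TUI) and LAN sharing, and generates trusted HTTPS certificates for localhost. The project is written in Go; its main features include automatically generating and installing a local CA certificate, advertising services on the LAN via mDNS, and acting as a reverse proxy that maps `https:\u002F\u002Fname.local` to `localhost:port`. Its distinguishing feature is letting other devices on the same Wi-Fi reach development services without extra configuration or warning prompts, along with an intuitive, easy-to-use TUI for managing the route table, request logs, and more. It suits developers who need to test web applications or APIs securely and conveniently, and is especially useful in environments where multiple devices work together.",2,"2026-06-11 03:57:15","CREATED_QUERY"]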