feat(cli): add HTTPS proxy support for development apps

[justAkshitAgrawal]

Description of Changes

Added support for proxying HTTPS development applications with self-signed certificates through a new --app-https CLI flag and appHttps configuration option.

Changes include:

• New --app-https CLI flag to enable HTTPS proxying
• New appHttps boolean option in stagewise.json config file
• Updated proxy middleware to use HTTPS protocol when configured
• Added secure: false to accept self-signed certificates
• Defaults to false (HTTP) for backward compatibility

Motivation and Context

Fixes #689

Some development setups require HTTPS, particularly:

• Host applications running on HTTPS (e.g., enterprise apps with Module Federation)
• Apps with self-signed certificates for local development
• Micro-frontend architectures where the host app must use HTTPS

Previously, the CLI could only proxy HTTP applications. When users tried to proxy HTTPS apps (like a host app on port 8181), the connection would fail with "socket hang up" errors because the proxy was hardcoded to use HTTP.

This change enables the CLI to work with HTTPS development apps, making it compatible with more complex development setups like Module Federation micro-frontends.

Usage:

# Via CLI flag
stagewise --app-port 8181 --app-https

# Via config file
{
  "appPort": 8181,
  "appHttps": true
}

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

* **New Features**
  * Added HTTPS proxy support for local development, enabling apps with self-signed certificates to run through the dev proxy.
  * Introduced a new CLI option --app-https and a corresponding config setting (appHttps) to opt into HTTPS proxying. Disabled by default.
  * Proxy now accepts self-signed certificates without extra setup.

* **Chores**
  * Added changeset entry for a minor release.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

[cla-bot]

We require contributors to sign our Contributor License Agreement, and we don"t have @justAkshitAgrawal on file. In order for us to review and merge your code, please follow our CLA guidelines.

[vercel]

@justAkshitAgrawal is attempting to deploy a commit to the stagewise Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Walkthrough

Adds HTTPS proxy support for development apps with self-signed certificates. Introduces a new CLI flag (--app-https), config schema/type updates, resolves the flag into the runtime Config, and updates the dev proxy to pick https or http accordingly and disable TLS verification via secure: false.

Changes

Cohort / File(s)	Summary of changes
Changeset metadata .changeset/funky-nails-rush.md	Adds a changeset entry describing minor change: HTTPS proxy support for dev apps with self-signed certs.
CLI config surface (flag, schema, types, resolution) apps/cli/src/config/argparse.ts, apps/cli/src/config/config-file.ts, apps/cli/src/config/types.ts, apps/cli/src/config/index.ts	Introduces --app-https flag; parses and exports appHttps; adds optional appHttps to config file schema/types; includes required appHttps in resolved Config; computes value from CLI or config and propagates through resolution paths.
Dev server proxy behavior apps/cli/src/server/proxy.ts	Sets secure: false in proxy options; dynamically selects protocol in router based on config.appHttps (https when true, otherwise http).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant U as User
  participant CLI as CLI (argparse)
  participant RC as Config Resolver
  participant PS as Proxy Server
  participant DA as Dev App (http/https)

  U->>CLI: Run stagewise ... [--app-https]
  CLI->>RC: Provide parsed options (appHttps?)
  RC->>RC: Merge CLI + config file -> Config.appHttps
  RC-->>PS: Start proxy with Config (appHttps)
  alt Config.appHttps = true
    note over PS,DA: HTTPS route (self-signed allowed)
    PS->>DA: HTTPS request (TLS verify disabled: secure=false)
  else Config.appHttps = false
    PS->>DA: HTTP request
  end
  DA-->>PS: Response
  PS-->>U: Proxied response

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix(cli): rewrite response headers to be compatible with iframe-restrictive apps #502 — Also modifies apps/cli/src/server/proxy.ts to handle response header rewrites; related to proxy behavior changes.

Suggested reviewers

• glenntws

Poem

A whisker twitch, a proxy hop,
I toggle flags—no need to stop.
If certs are shy, I’m fearless, see—
I bound through HTTPS with glee.
secure:false, the burrow’s bright,
The dev app loads—both day and night.
Thump-thump: it works just right! 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title follows the conventional commit format and precisely summarizes the main change of adding HTTPS proxy support for development apps, matching the new CLI flag and proxy middleware updates introduced in the PR.
Linked Issues Check	✅ Passed	The PR fulfills the core coding requirement from issue #689 by adding a CLI flag, configuration option, and proxy logic updates that enable HTTPS proxying with self-signed certificates, thereby addressing the failure when proxying micro-frontend host apps.
Out of Scope Changes Check	✅ Passed	All modifications are confined to the implementation of HTTPS proxy support and related type and config updates, with no unrelated changes detected.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 589104e and bf25d2f.

📒 Files selected for processing (6)

• .changeset/funky-nails-rush.md (1 hunks)
• apps/cli/src/config/argparse.ts (7 hunks)
• apps/cli/src/config/config-file.ts (1 hunks)
• apps/cli/src/config/index.ts (3 hunks)
• apps/cli/src/config/types.ts (2 hunks)
• apps/cli/src/server/proxy.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

apps/!(toolbar)/**

📄 CodeRabbit inference engine (.cursor/rules/precommit.mdc)

For changes in apps/*, use the package name as the scope (e.g., changes in apps/example use scope "example").

Files:

• apps/cli/src/config/config-file.ts
• apps/cli/src/config/types.ts
• apps/cli/src/server/proxy.ts
• apps/cli/src/config/argparse.ts
• apps/cli/src/config/index.ts

apps/cli/**/*.{ts,js,tsx}

📄 CodeRabbit inference engine (apps/cli/CLAUDE.md)

Prefer writing async code where applicable

Files:

• apps/cli/src/config/config-file.ts
• apps/cli/src/config/types.ts
• apps/cli/src/server/proxy.ts
• apps/cli/src/config/argparse.ts
• apps/cli/src/config/index.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

NEVER use any. NEVER use unknown unless absolutely necessary.

Files:

• apps/cli/src/config/config-file.ts
• apps/cli/src/config/types.ts
• apps/cli/src/server/proxy.ts
• apps/cli/src/config/argparse.ts
• apps/cli/src/config/index.ts

🧬 Code graph analysis (1)

apps/cli/src/config/index.ts (1)

apps/cli/src/config/argparse.ts (1)

• appHttps (214-214)

🔇 Additional comments (15)

apps/cli/src/config/config-file.ts (1)

36-39: LGTM!

The schema addition for appHttps is well-structured with appropriate validation and a clear description. The optional boolean type aligns with the backward compatibility requirement mentioned in the PR objectives.

apps/cli/src/config/types.ts (2)

14-14: LGTM!

The appHttps field correctly follows the established pattern where ConfigFile has optional fields.

---

23-23: LGTM!

The appHttps field correctly follows the established pattern where Config has required fields with defaults applied during resolution.

apps/cli/src/server/proxy.ts (2)

10-10: LGTM!

Setting secure: false is appropriate for a development tool that needs to support self-signed certificates. Since http-proxy-middleware's secure option is static and cannot be dynamically evaluated per-request, it must be set to false at proxy creation time to support HTTPS with self-signed certificates.

---

30-35: LGTM!

The dynamic protocol selection correctly uses config.appHttps to choose between https and http, enabling the proxy to adapt based on the development app's configuration.

apps/cli/src/config/index.ts (3)

85-85: LGTM!

The appHttps field is correctly resolved using the same fallback pattern as other config fields (CLI args → config file → default).

---

124-124: LGTM!

The appHttps field is correctly resolved in non-bridge mode using the same fallback pattern.

---

237-237: LGTM!

The appHttps field is correctly included in the final resolved Config object.

apps/cli/src/config/argparse.ts (7)

49-52: LGTM!

The CLI option is well-defined with a clear description that explains the purpose and use case for self-signed certificates.

---

153-153: LGTM!

Variable declaration follows the established pattern for other CLI options.

---

168-168: LGTM!

Default value of false is appropriate for auth/telemetry commands and maintains backward compatibility.

---

178-178: LGTM!

Destructuring correctly extracts appHttps from the parsed options.

---

187-187: LGTM!

Type definition correctly marks appHttps as optional, consistent with the boolean flag behavior.

---

202-202: LGTM!

Assignment correctly applies the default value of false when the flag is not provided, ensuring backward compatibility.

---

214-214: LGTM!

Export makes the appHttps value available to other modules for config resolution.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[juliangoetze]

Hi @justAkshitAgrawal, thanks for the PR! I will have a look at the implementation and test it, please sign the cla in the meanwhile, so you're an official contributor 😁