Update environment mode for HTTPS setup #4903

Open. backspace wants to merge 7 commits into main from https-environment

backspace commented May 20, 2026

Environment mode, which lets you run parallel environments locally, needed reworking with the change to use certificates and HTTPS.

Try it out by running something like this in one terminal:

BOXEL_ENVIRONMENT=enva BOXEL_TURBO=true INDEX_CACHE=true mise run dev-all

and this in another:

BOXEL_ENVIRONMENT=envb BOXEL_TURBO=true INDEX_CACHE=true mise run dev-all

Then you should be able to visit UIs for the parallel environments at host.enva.localhost and host.envb.localhost.

github-actions Bot commented May 20, 2026

Preview deployments

Host Test Results

    1 files      1 suites   1h 46m 46s ⏱️
2 724 tests 2 709 ✅ 15 💤 0 ❌
2 743 runs  2 728 ✅ 15 💤 0 ❌

Results for commit 4498931.

Realm Server Test Results

    1 files  ±0      1 suites  ±0   10m 25s ⏱️ -15s
1 482 tests +2  1 482 ✅ +2  0 💤 ±0  0 ❌ ±0 
1 573 runs  +2  1 573 ✅ +2  0 💤 ±0  0 ❌ ±0 

Results for commit 4498931. ± Comparison against earlier commit df025a0.

backspace marked this pull request as ready for review May 22, 2026 20:27
backspace requested a review from a team May 22, 2026 20:34
habdelra requested a review from Copilot May 22, 2026 21:56

Copilot AI left a comment

Pull request overview

This PR reworks “environment mode” (parallel local dev stacks keyed by BOXEL_ENVIRONMENT) to function correctly with the move to HTTPS + mkcert certificates, primarily by ensuring Traefik is the TLS terminator and by hardening startup/registration flows.

Changes:

  • Make env-mode consistently HTTPS at the browser edge (Traefik websecure + HTTP→HTTPS redirects) and prevent accidental upstream TLS termination by Vite/realm-server when TLS env vars “leak” into env mode.
  • Improve robustness of local boot/infra: host-app smoke test retries, mkcert SAN expansion for *.<slug>.localhost, and macOS Traefik reload workarounds.
  • Fix concurrency/reliability in Matrix login and broaden local URL migration logic to include env-mode .localhost hostnames.

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.

Summary per file:

| File | Description |
| --- | --- |
| scripts/env-slug.sh | Makes env slug resolution safe under set -u by using ${VAR:-} guards. |
| packages/runtime-common/matrix-client.ts | Replaces Deferred login gating with an in-flight cached promise to share concurrent logins and allow retries after failure. |
| packages/realm-server/server.ts | Forces plain HTTP upstream when BOXEL_ENVIRONMENT is set (Traefik terminates TLS in env mode). |
| packages/realm-server/scripts/start-icons.sh | Registers icons with Traefik using TLS router + HTTP→HTTPS redirect, with macOS Traefik restart workaround. |
| packages/realm-server/main.ts | Adds retrying host-app smoke test to avoid crash loops during transient boot-time unreachability. |
| packages/realm-server/lib/is-https-loopback.ts | Expands loopback detection to include *.localhost for env-mode hostnames. |
| packages/realm-server/lib/dev-service-registry.ts | Restarts Traefik on macOS after service registration to work around missing inotify propagation in Docker Desktop mounts. |
| packages/matrix/scripts/migrate-account-data-http-to-https.ts | Generalizes URL rewriting to flip scheme for standard-mode ports and env-mode *.localhost hosts. |
| packages/matrix/scripts/assert-synapse-running.sh | In env mode, re-registers Synapse with Traefik on dev-all restarts when the container persists. |
| packages/matrix/helpers/environment-config.ts | Updates Synapse Traefik config to include TLS router + HTTP→HTTPS redirect and macOS Traefik restart. |
| packages/host/vite.config.mjs | Avoids enabling Vite HTTPS in env mode; updates env-mode HMR to use wss on port 443 behind Traefik. |
| packages/host/scripts/traefik-helpers.js | Adds macOS Traefik restart after config writes (same bind-mount watch issue). |
| packages/host/config/environment.js | Uses HTTPS service URLs in env mode (realm/icons/matrix) and ignores potentially stale MATRIX_URL env var in env mode. |
| mise-tasks/lib/env-vars.sh | Unsets TLS termination vars in env mode; ensures Node trusts mkcert root CA via NODE_EXTRA_CA_CERTS. |
| mise-tasks/lib/dev-common.sh | Makes pidfiles per-session and adjusts cleanup guardian + sweep behavior (but see critical issue in comments). |
| mise-tasks/kill-all | Updates kill-all to iterate over per-session pidfiles and force orphan sweep. |
| mise-tasks/infra/ensure-dev-cert | Persists known env slugs and regenerates cert with SANs for *.<slug>.localhost and *.realm-server.<slug>.localhost. |

Comments suppressed due to low confidence (1)

mise-tasks/lib/dev-common.sh:156

  • PIDFILE is now derived from $$, but the cleanup guardian re-sources lib/dev-common.sh inside its own shell. That reinitializes PIDFILE to the guardian’s PID-based filename, so kill_from_pidfile will read/delete the wrong pidfile and fail to clean up the original dev-all session’s processes. Capture the parent’s pidfile path and pass it into the guardian (e.g., export BOXEL_DEV_ALL_PIDFILE/PIDFILE before sourcing) so the guardian targets the correct file.
  $_scg_session_prefix sh -c "
    trap '' HUP
    exec </dev/null >>'$_scg_log' 2>&1
    echo \"[guardian \$(date +%H:%M:%S)] watching dev-all pid $_scg_parent_pid (pidfile $PIDFILE)\"
    while kill -0 $_scg_parent_pid 2>/dev/null; do
      sleep 1
    done
    echo \"[guardian \$(date +%H:%M:%S)] dev-all pid $_scg_parent_pid is gone; running cleanup\"
    . '$_scg_lib'
    kill_from_pidfile
    sweep_orphaned_services
    echo \"[guardian \$(date +%H:%M:%S)] All dev-stack processes stopped (via guardian).\"
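
Review bot: `$_scg_log` and `$_scg_lib` are expanded by the outer shell into the double-quoted `sh -c` script between literal single quotes (`exec </dev/null >>'$_scg_log' 2>&1` and `. '$_scg_lib'`), so a path containing a single quote ends the quoting early and the remainder is parsed as shell by the guardian. Pass the paths as positional parameters after the script, or through exported variables, and reference them as "$1", "$2" inside it; the same mechanism can carry the parent's pidfile path to the guardian.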


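The pidfile mismatch that the suppressed comment describes, reproduced as an added example (not code from the PR or from Copilot's review): a constructed library derives PIDFILE from `$$`, and a child `sh -c` that re-sources it ends up with a different path unless the parent's path is handed down. `DEMO_PIDFILE`, `write_lib`, `guardian_pidfile` and `demo` are hypothetical names.

```shell
#!/bin/sh
# Added example: constructed stand-in for a sourced library that names its
# pidfile after the current shell's PID. DEMO_PIDFILE is a hypothetical
# override variable, not a name from the PR.
write_lib() {  # $1 = file to write, $2 = "buggy" or "fixed"
  if [ "$2" = fixed ]; then
    printf '%s\n' 'PIDFILE="${DEMO_PIDFILE:-/tmp/demo-dev-all.$$.pids}"' > "$1"
  else
    printf '%s\n' 'PIDFILE="/tmp/demo-dev-all.$$.pids"' > "$1"
  fi
}

# Print the pidfile path a guardian child shell holds after it re-sources the
# library. $1 = library path, $2 = parent's pidfile path ("" = not passed).
guardian_pidfile() {
  if [ -n "$2" ]; then
    DEMO_PIDFILE="$2" sh -c '. "$1"; printf "%s\n" "$PIDFILE"' sh "$1"
  else
    sh -c '. "$1"; printf "%s\n" "$PIDFILE"' sh "$1"
  fi
}

# $1 = "buggy" or "fixed"; prints "match" when the guardian would clean up the
# parent's pidfile and "mismatch" when it would look at a different file.
demo() {
  lib=$(mktemp) || return 1
  write_lib "$lib" "$1"
  . "$lib"                      # parent session derives PIDFILE from its own $$
  parent_pidfile=$PIDFILE
  if [ "$1" = fixed ]; then
    child_pidfile=$(guardian_pidfile "$lib" "$parent_pidfile")
  else
    child_pidfile=$(guardian_pidfile "$lib" "")
  fi
  rm -f "$lib"
  if [ "$parent_pidfile" = "$child_pidfile" ]; then echo match; else echo mismatch; fi
}

echo "buggy: $(demo buggy)"
echo "fixed: $(demo fixed)"
```
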
parsed.hostname === 'localhost' ||
parsed.hostname.endsWith('.localhost') ||
parsed.hostname === '127.0.0.1' ||
parsed.hostname === '[::1]' ||
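
Review bot: the `parsed.hostname.endsWith('.localhost')` clause classifies a host as loopback from its name alone, which holds only where the resolver maps `.localhost` names to 127.0.0.1 or ::1 as RFC 6761 asks; a comment stating that assumption, and what this predicate is allowed to gate, would help. The neighbouring clauses are exact string matches, so other spellings such as a trailing-dot `localhost.` or another 127.0.0.0/8 address fall through to whatever follows the final `||`; please say whether that is intended.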