From bf9f6ff261205b4f5759d9995c986c5bbb5abd47 Mon Sep 17 00:00:00 2001
From: shitikyan <shitikyan@gmail.com>
Date: Tue, 12 May 2026 16:55:14 +0400
Subject: [PATCH] fix(tlsnotary): hostname-based scheme, default /tlsn path for
 public bases
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

EXPOSED_URL doubles as the public RPC endpoint advertised to peers for
omniprotocol port discovery, so it must stay as http://host:53550 — peers
fail otherwise. The previous protocol-based scheme switch forced
ws://host:7047 for that base, which can't be reached through the reverse
proxy.

Switch buildWsUrl to a hostname-based rule:
- localhost / 127.0.0.1  → ws://<host>:<port>      (dev, raw port)
- anything else          → wss://<host><path>/<port>/, path defaulting
                          to /tlsn when not supplied

Behaviour:
  http://localhost:53550        → ws://localhost:7047
  http://127.0.0.1:53550        → ws://127.0.0.1:7047
  http://node2.demos.sh:53550   → wss://node2.demos.sh/tlsn/7047/
  https://node2.demos.sh/tlsn   → wss://node2.demos.sh/tlsn/7047/

Public bases now always route through TLS — assumes the reverse proxy
terminates HTTPS at hostname:443 (standard for the production deploy).
---
 src/features/tlsnotary/proxyManager.ts | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/src/features/tlsnotary/proxyManager.ts b/src/features/tlsnotary/proxyManager.ts
index 29bc580b..8cbbb80d 100644
--- a/src/features/tlsnotary/proxyManager.ts
+++ b/src/features/tlsnotary/proxyManager.ts
@@ -170,19 +170,21 @@ export function extractDomainAndPort(targetUrl: string): {
 
 /**
  * Build a public WebSocket URL from a base HTTP(S)/WS(S) URL and a local port.
- * Path mode: when the base URL has a path, route through a reverse proxy at
- * `url.host` (port preserved) that maps `<path>/<port>` to the local port
- * (single nginx rule). No-path mode: connect directly to `url.hostname` on
- * the target port.
+ * Local bases keep direct ws://localhost:<port> URLs for development. Public
+ * bases always route through a TLS reverse proxy path, defaulting to
+ * /tlsn/<port>/ when no explicit path is provided.
  */
 export function buildWsUrl(base: string, port: number | string): string {
     const url = new URL(base)
-    const secure = url.protocol === "https:" || url.protocol === "wss:"
-    const wsScheme = secure ? "wss" : "ws"
-    const path = url.pathname.replace(/\/+$/, "")
-    return path
-        ? `${wsScheme}://${url.host}${path}/${port}/`
-        : `${wsScheme}://${url.hostname}:${port}`
+    const isLocal =
+        url.hostname === "localhost" || url.hostname === "127.0.0.1"
+
+    if (isLocal) {
+        return `ws://${url.hostname}:${port}`
+    }
+
+    const path = url.pathname.replace(/\/+$/, "") || "/tlsn"
+    return `wss://${url.hostname}${path}/${port}/`
 }
 
 /**