feat: [#272] Handle localhost-bound services in show command and validation (Task 7.4)

- Add LocalhostWithTls error to reject localhost + TLS combinations in domain layer
- Add is_localhost helper function for detecting 127.0.0.1 and ::1
- Add is_localhost_only fields to ServiceInfo for API, health check, HTTP trackers
- Update show command to display "Internal only" for localhost services
- Add SSH tunnel hint for localhost-only services
- Validation logic in TrackerConfig::validate() to avoid duplication

Author: josecelano

docs/issues/272-add-https-support-with-caddy.md

@@ -1081,7 +1081,7 @@ Internal ports (1212, 7070, 7071, 3000) are not directly accessible when TLS is
 
 > **Note**: JSON schema regeneration deferred to Phase 8.
 
-#### 7.4: Handle Localhost-Bound Services in Show Command and Validation
+#### 7.4: Handle Localhost-Bound Services in Show Command and Validation ✅ COMPLETE
 
 **Current State**:
 
@@ -1145,11 +1145,11 @@ Health Check:
 
 **Implementation Scope**:
 
-- [ ] Add validation in domain layer to reject localhost + TLS combinations (during DTO-to-domain conversion)
-- [ ] Update show command to detect localhost-bound services
-- [ ] Add `is_localhost_only` field to `ServiceInfo` for health check, API, and HTTP trackers
-- [ ] Display "Internal only" message for internal-only services
-- [ ] Apply to: health check API, HTTP API, HTTP trackers (Grafana excluded - hardcoded port)
+- [x] Add validation in domain layer to reject localhost + TLS combinations (during DTO-to-domain conversion)
+- [x] Update show command to detect localhost-bound services
+- [x] Add `is_localhost_only` field to `ServiceInfo` for health check, API, and HTTP trackers
+- [x] Display "Internal only" message for internal-only services
+- [x] Apply to: health check API, HTTP API, HTTP trackers (Grafana excluded - hardcoded port)
 
 ### Phase 8: Schema Generation (30 minutes)
 

src/application/command_handlers/create/config/errors.rs

@@ -675,7 +675,7 @@ mod tests {
             let help = error.help();
             assert!(!help.is_empty(), "Help text should not be empty");
             assert!(
-                help.contains("Fix:") || help.contains("Common"),
+                help.contains("Fix") || help.contains("Common"),
                 "Help should contain actionable guidance"
             );
         }

src/application/command_handlers/create/config/tracker/health_check_api_section.rs

@@ -30,6 +30,9 @@ impl HealthCheckApiSection {
     /// Returns `CreateConfigError::InvalidBindAddress` if the bind address cannot be parsed as a valid IP:PORT combination.
     /// Returns `CreateConfigError::DynamicPortNotSupported` if port 0 (dynamic port assignment) is specified.
     /// Returns `CreateConfigError::InvalidDomain` if the TLS domain is invalid.
+    ///
+    /// Note: Localhost + TLS validation is performed at the domain layer
+    /// (see `TrackerConfig::validate()`) to avoid duplicating business rules.
     pub fn to_health_check_api_config(&self) -> Result<HealthCheckApiConfig, CreateConfigError> {
         // Validate that the bind address can be parsed as SocketAddr
         let bind_address = self.bind_address.parse::<SocketAddr>().map_err(|e| {

src/application/command_handlers/create/config/tracker/http_api_section.rs

@@ -31,6 +31,9 @@ impl HttpApiSection {
     /// Returns `CreateConfigError::InvalidBindAddress` if the bind address cannot be parsed as a valid IP:PORT combination.
     /// Returns `CreateConfigError::DynamicPortNotSupported` if port 0 (dynamic port assignment) is specified.
     /// Returns `CreateConfigError::InvalidDomain` if the TLS domain is invalid.
+    ///
+    /// Note: Localhost + TLS validation is performed at the domain layer
+    /// (see `TrackerConfig::validate()`) to avoid duplicating business rules.
     pub fn to_http_api_config(&self) -> Result<HttpApiConfig, CreateConfigError> {
         // Validate that the bind address can be parsed as SocketAddr
         let bind_address = self.bind_address.parse::<SocketAddr>().map_err(|e| {
@@ -151,4 +154,21 @@ mod tests {
         assert_eq!(section.bind_address, "0.0.0.0:1212");
         assert_eq!(section.admin_token, "MyAccessToken");
     }
+
+    #[test]
+    fn it_should_allow_non_localhost_with_tls() {
+        let section = HttpApiSection {
+            bind_address: "0.0.0.0:1212".to_string(),
+            admin_token: "token".to_string(),
+            tls: Some(TlsSection {
+                domain: "api.tracker.local".to_string(),
+            }),
+        };
+
+        let result = section.to_http_api_config();
+
+        assert!(result.is_ok());
+        let config = result.unwrap();
+        assert!(config.tls.is_some());
+    }
 }

src/application/command_handlers/create/config/tracker/http_tracker_section.rs

@@ -29,6 +29,9 @@ impl HttpTrackerSection {
     /// Returns `CreateConfigError::InvalidBindAddress` if the bind address cannot be parsed as a valid IP:PORT combination.
     /// Returns `CreateConfigError::DynamicPortNotSupported` if port 0 (dynamic port assignment) is specified.
     /// Returns `CreateConfigError::InvalidDomain` if the TLS domain is invalid.
+    ///
+    /// Note: Localhost + TLS validation is performed at the domain layer
+    /// (see `TrackerConfig::validate()`) to avoid duplicating business rules.
     pub fn to_http_tracker_config(&self) -> Result<HttpTrackerConfig, CreateConfigError> {
         // Validate that the bind address can be parsed as SocketAddr
         let bind_address = self.bind_address.parse::<SocketAddr>().map_err(|e| {
@@ -137,4 +140,20 @@ mod tests {
         let section: HttpTrackerSection = serde_json::from_str(json).unwrap();
         assert_eq!(section.bind_address, "0.0.0.0:7070");
     }
+
+    #[test]
+    fn it_should_allow_non_localhost_with_tls() {
+        let section = HttpTrackerSection {
+            bind_address: "0.0.0.0:7070".to_string(),
+            tls: Some(TlsSection {
+                domain: "tracker.local".to_string(),
+            }),
+        };
+
+        let result = section.to_http_tracker_config();
+
+        assert!(result.is_ok());
+        let config = result.unwrap();
+        assert!(config.tls.is_some());
+    }
 }

src/application/command_handlers/show/info/mod.rs

@@ -21,7 +21,7 @@ use chrono::{DateTime, Utc};
 
 pub use self::grafana::GrafanaInfo;
 pub use self::prometheus::PrometheusInfo;
-pub use self::tracker::{ServiceInfo, TlsDomainInfo};
+pub use self::tracker::{LocalhostServiceInfo, ServiceInfo, TlsDomainInfo};
 
 /// Environment information for display purposes
 ///