Skip to main content
Route mode is the path where Archal reroutes supported service traffic from a local app to hosted twins. Use this guide when you want to understand the trust boundary before attaching a real app.

What Archal changes

In local route mode, Archal starts a local proxy and injects proxy and CA env vars into the target process. That includes:
  • HTTP_PROXY and HTTPS_PROXY
  • NODE_EXTRA_CA_CERTS
  • SSL_CERT_FILE
  • REQUESTS_CA_BUNDLE
  • CURL_CA_BUNDLE
In Docker sandbox mode, the same short-lived CA is installed inside the sandbox container only. That container is the thing that is torn down after the run.

What gets rerouted

Only service domains registered for the selected twins are rerouted. Non-twinned traffic keeps using the normal network path. Examples:
  • GitHub twins reroute GitHub API and web domains
  • Google Workspace twins reroute the supported Google API domains for that twin
  • unsupported services and transports are not intercepted
In local mode, some runtimes also need host entries for full interception. Archal prints the required /etc/hosts lines when that is necessary.

What Archal can see

If a request is routed to a twin, Archal can see the request metadata needed to forward it to the hosted twin. Depending on the flow and trace settings, that can include headers and request bodies for supported twin traffic. That is why route mode should be treated as explicit test infrastructure, not a hidden background transport change.

Cleanup behavior

Local route mode generates a fresh CA in a temp directory for the run and removes it on teardown. That means:
  • no host keychain cleanup step is required in the default local path
  • the temp CA files do not persist after normal teardown
  • stopping the run or proxy is the normal way to clean up
Hosted twin sessions are separate from local cleanup. Stop them with archal twin stop when you are done.