# Expose

`expose` attaches a reachable URL to a running workload.

## Public (default in M1)

```
h4a expose mygame --mode public
# { url: "https://mygame.h4a.site", mode: "public" }
```

What happens:
1. Control plane looks up the workload; it must be in `running` state.
2. Bunny DNS upserts `<name>.h4a.site → <workload-ipv4>`.
3. The workload's Caddy (configured at provision time) completes its
   Let's Encrypt HTTP-01 challenge on the next attempt — typically within
   60 seconds.
4. `https://<name>.h4a.site` serves the workload.

Idempotent: calling `expose` twice returns the same URL and does not
duplicate DNS records. Destroying the workload tears down the DNS record
too.

## Private (arrives in M2)

`mode=private` returns an `ErrInvalidInput` for now, with a pointer to
this page. The target shape:

```
h4a expose mygame --mode private
# { internal_url: "mygame.h4a.internal", enroll_command: "h4a enroll ..." }
```

It adds the workload as a peer in the tenant's Netbird network; the user
enrolls their laptop once and the internal hostname resolves. See the M2
milestone for implementation status.