feat(hub): load main listener TLS from a certificate directory (--tls-dir) #77
Merged
…-dir) Add `--tls-dir` to `hub start`/`service install hub`: load the main wss listener certificate from a directory holding fullchain.pem + privkey.pem (Let's Encrypt layout) as a mutually-exclusive alternative to --cert/--key.

On renewal the Hub rebinds the listener (shared port) with the fresh context so the new cert is served without a restart, draining existing connections on the old listener.

When --tls-dir is set, --tunnel-tls-dir defaults to the same directory and --tunnel-public-host defaults to the certificate's DNS name (SAN, falling back to the subject CN).

- Generalize TunnelTlsSource -> reusable PemTlsSource (adds a log label), used for both the main listener and tunnel ports.
- Add CertificateNames.primaryDnsName to derive the public host from the leaf certificate's SAN/CN.
- HubConfig: nullable securityContext + tlsDirectory/tlsReloadInterval (exactly one TLS source); OmnyShellHub rebinds on reload.
- WsServerEndpoint.bind gains a `shared` flag for gap-free rebind.
- Tests: certificate_names, renamed pem_tls_source, CLI dry-run/validation, and an integration test covering serve + renewal->rebind->reconnect.
- README + CLI help updated for --tls-dir and the derived tunnel defaults.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary

Adds `--tls-dir` to `hub start`/`service install hub`: the main `wss` listener can load its certificate from a directory holding `fullchain.pem` + `privkey.pem` (the Let's Encrypt layout), as a mutually-exclusive alternative to `--cert`/`--key`.

On renewal the Hub rebinds the listener on the same port (`shared: true`) with the freshly-loaded context, so the new certificate is served without a restart — established connections drain on the old listener while new ones land on the renewed cert.

When `--tls-dir` is set it also drives sensible tunnel defaults:

- `--tunnel-tls-dir` defaults to the same directory (secure tunnels reuse the cert, hot-reloaded the same way).
- `--tunnel-public-host` defaults to the certificate's DNS name (its SAN, falling back to the subject CN). This derivation applies in `--cert`/`--key` mode too.

Changes

- `TunnelTlsSource` → reusable `PemTlsSource` (adds a log `label`), used for both the main listener and tunnel ports.
- `CertificateNames.primaryDnsName` — derives the public host from the leaf cert's SAN/CN (hand-rolled DER walk, in the existing `spki.dart` style).
- `HubConfig`: nullable `securityContext` + `tlsDirectory`/`tlsReloadInterval` (asserts exactly one TLS source); `OmnyShellHub` rebinds on reload.
- `WsServerEndpoint.bind` gains a `shared` flag for gap-free rebind.
- `--tls-dir` and the derived tunnel defaults.

Tests

- `certificate_names` unit test; renamed `pem_tls_source` reload tests.
- `dart analyze` clean; `dart format` applied.

🤖 Generated with Claude Code
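The renewal → rebind flow described above, as an added example in plain `dart:io` that is not the PR's or the project's own code (`PemTlsSource`, `OmnyShellHub` and `WsServerEndpoint` are the project's classes; `ReloadingListener`, `loadContext` and `pemModified` are assumed names): it loads the Let's Encrypt layout from a directory, polls the PEM files' mtimes, and binds the fresh context on the same port with `shared: true` before closing the old listener.

```dart
import 'dart:async';
import 'dart:io';

/// Builds a SecurityContext from the Let's Encrypt layout (fullchain.pem +
/// privkey.pem) under [dir]. Assumed helper, not the PR's PemTlsSource.
SecurityContext loadContext(String dir) => SecurityContext()
  ..useCertificateChain('$dir/fullchain.pem')
  ..usePrivateKey('$dir/privkey.pem');

/// Newest mtime of the two PEM files; a later value means a renewal landed.
Future<DateTime> pemModified(String dir) async {
  final chain = (await File('$dir/fullchain.pem').stat()).modified;
  final key = (await File('$dir/privkey.pem').stat()).modified;
  return chain.isAfter(key) ? chain : key;
}

/// A TLS listener that rebinds itself on the shared port when the
/// certificate directory changes (assumed name, not the project's class).
class ReloadingListener {
  ReloadingListener(this.dir, this.port, this.onRequest);
  final String dir;
  final int port;
  final void Function(HttpRequest) onRequest;
  HttpServer? _server;
  DateTime? _loaded;
  Timer? _poll;

  Future<void> _bind() async {
    // Stamp the files before reading them: any write after this point
    // is picked up by the next poll instead of being missed.
    final stamp = await pemModified(dir);
    // shared: true lets the new listener bind while the old one still holds
    // the port, so there is never a moment with nothing accepting.
    final next = await HttpServer.bindSecure(
        InternetAddress.anyIPv4, port, loadContext(dir),
        shared: true);
    next.listen(onRequest);
    final old = _server;
    _server = next;
    _loaded = stamp;
    // force: false stops the old listener accepting new connections while
    // its established ones keep running until they close on their own.
    if (old != null) await old.close(force: false);
  }

  Future<void> start({Duration interval = const Duration(minutes: 5)}) async {
    await _bind();
    _poll = Timer.periodic(interval, (_) async {
      final loaded = _loaded;
      final now = await pemModified(dir);
      if (loaded != null && now.isAfter(loaded)) await _bind();
    });
  }
}
```

While both listeners are bound, `dart:io` distributes incoming connections across them, so a handful of new connections may still see the old certificate until the old server's `close` completes; that short overlap is the cost of a gap-free rebind.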