Skip to content

refactor: unify env + JSON helpers; secure key perms; CA verify; inspect timeout; RunE #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
trahma merged 2 commits into from
Sep 2, 2025
Merged

refactor: unify env + JSON helpers; secure key perms; CA verify; inspect timeout; RunE #2

trahma merged 2 commits into from
Sep 2, 2025

Conversation

@trahma
Copy link
Owner

@trahma trahma commented Sep 2, 2025

refactor: unify env + JSON helpers; secure key perms; CA verify; inspect timeout; RunE

Summary

  • Improves security, reliability, and maintainability with minimal behavior change.
  • Centralizes env and JSON logic, adds inspect timeouts, completes CA verification, and normalizes Cobra error flow.

Changes

  • Env helpers: new internal/environ (IsCI, SupportsUnicode); used by UI and cmd.
  • JSON helpers: printJSON, printJSONError standardized across commands.
  • Key perms: generated private keys now 0600 on Unix (Generate).
  • CA verification: Verify validates chain when --ca is provided (PEM or DER) via x509.VerifyOptions.
  • Inspect timeouts: default 5s dial timeout; new --timeout flag on inspect.
  • Cobra: commands use RunE and return errors (consistent non-zero exit on failure).
  • SAN parsing: DRY via pkg/cert/san.go (supports DNS, IP, email, URI).
  • Root help: rely on Cobra defaults; --version still prints version.
  • Docs: updated docs/commands.md, docs/usage.md, docs/faq.md; added AGENTS.md.

Why

  • Security: consistent least-privilege for private keys.
  • Consistency: single source for CI/unicode and JSON output.
  • UX: avoid hangs with timeouts; complete verification with CA chains.
  • Maintainability: reduce duplication; clearer error flow and tests.

Validation

  • Build: make build succeeds.
  • Tests: make test passes (all packages).

Backward Compatibility

  • No flag/command renames. verify still exits non-zero on failure (now via returned error).

Follow-ups (optional)

  • Add CERT_TIMEOUT env default for inspect.
  • Tests for CA verification with a fixture chain.
  • Consider shared output abstraction if more formats are added.

@trahma
refactor: unify env + JSON helpers; secure key perms; CA verify; insp…
ba3246e 
…ect timeout; RunE

- Add internal/environ with IsCI/SupportsUnicode; use in UI and cmd
- Centralize JSON output helpers (, ) in cmd
- Set 0600 permissions for generated private keys (Unix)
- Implement CA chain verification in Verify when --ca provided
- Add TLS dial timeout (default 5s) and  flag for inspect
- Normalize Cobra commands to RunE and error-return flow
- DRY SAN parsing via pkg/cert/san.go; support IP/email/URI SANs
- Simplify root help to use Cobra defaults; keep --version
- Update docs: commands/usage/faq; add JSON docs and timeout
- Add AGENTS.md contributor guidelines tailored to repo
@trahma
test: regenerate test certificates with updated timestamps
d6dabac
@trahma trahma merged commit 71fabca into main Sep 2, 2025
10 checks passed
@trahma trahma deleted the refactor/env-json-keyperms branch September 2, 2025 17:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@trahma