docs: add TLS chain-validation how-to#589
Conversation
Task-first user-facing how-to for the `uselesskey bundle --profile tls` contract pack. Walks readers through generating the bundle, the six certificate fixtures (valid leaf, valid chain, four negatives), the expected verifier outcomes per fixture, the documented hostname constants, and the release-grade evidence command. Mirrors the OIDC how-to pattern: terse, task-first prose, explicit "what this proves / does not prove" claim boundaries, and a scanner-safety note that points back to publish-recovery and the design doc for out-of-scope coverage. Completes the v0.8.0 TLS contract-pack lane: design (#585) + CLI profile (#587) + xtask bundle-proof (#588) + this user-facing piece. Pure docs PR; no source changes.
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d4348aa3bd
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| adapter crates. `uselesskey-rustls` exposes helpers that turn the | ||
| bundle into rustls trust-store and per-leaf material plus accessors for | ||
| each negative fixture. `uselesskey-tonic` re-exports the same negative | ||
| accessors so a tonic-using test crate does not need to depend on |
There was a problem hiding this comment.
Correct the nonexistent adapter helper claim
In this repo, I only found uselesskey-rustls exports for Rustls*Ext on generated X509Cert/X509Chain values in crates/uselesskey-rustls/src/lib.rs and config.rs, plus tonic's own Tonic*Ext traits in crates/uselesskey-tonic/src/lib.rs; neither adapter parses a generated bundle nor exposes/re-exports per-negative accessors. Users following this section after creating target/tls-fixtures will look for APIs that do not exist, so the how-to should instead direct them to re-parse the PEM files or generate an X509Chain and call negative(ChainNegative::...) directly.
Useful? React with 👍 / 👎.
Pure docs PR. Closes the v0.8.0 TLS contract-pack lane with a task-first how-to page.
Summary
docs/how-to/test-tls-chain-validation.md— a task-first user-facing how-to for theuselesskey bundle --profile tlscontract pack.v0.8.0 TLS contract-pack lane
docs: define TLS contract-pack profile— the design doc.feat(cli): add tls bundle profile— the CLI surface.xtask: add tls contract-pack proof— the release-evidence runner.Notes
TLS_EXPECTED_HOSTNAME(valid.tls.uselesskey.test) andTLS_WRONG_HOSTNAME(wrong.tls.uselesskey.test) constants that landed in feat(cli): add tls bundle profile #587 — not the prose values used in the design doc.cargo xtask bundle-proof --profile tlsevidence command are taken verbatim from feat(cli): add tls bundle profile #587'stls_profile.rsintegration tests and xtask: add tls contract-pack proof #588's xtask surface.Test plan
cargo xtask docs-sync --checkcargo xtask typosgit diff --checkcrates/uselesskey-cli/src/main.rs(TLS_EXPECTED_HOSTNAME/TLS_WRONG_HOSTNAME).crates/uselesskey-cli/tests/tls_profile.rs.docs/how-to/test-oidc-jwks-validation.mdanddocs/how-to/test-jwt-negative-validation.md.