Skip to content

docs: add TLS chain-validation how-to#589

Merged
EffortlessSteven merged 1 commit into
mainfrom
docs/tls-chain-validation-howto
May 12, 2026
Merged

docs: add TLS chain-validation how-to#589
EffortlessSteven merged 1 commit into
mainfrom
docs/tls-chain-validation-howto

Conversation

@EffortlessSteven

Copy link
Copy Markdown
Member

Pure docs PR. Closes the v0.8.0 TLS contract-pack lane with a task-first how-to page.

Summary

  • Adds docs/how-to/test-tls-chain-validation.md — a task-first user-facing how-to for the uselesskey bundle --profile tls contract pack.
  • Walks the reader through generating the bundle, listing the six certificate fixtures (valid leaf, valid chain, four negatives), the documented hostname constants, the expected verifier outcomes per fixture, and the release-grade evidence command.
  • Mirrors the OIDC and JWT-negative how-to pattern: terse, task-first prose with explicit "what this proves / does not prove" claim boundaries.
  • Pure docs change. No source files touched.

v0.8.0 TLS contract-pack lane

Notes

Test plan

  • cargo xtask docs-sync --check
  • cargo xtask typos
  • git diff --check
  • Hostname constants cross-checked against crates/uselesskey-cli/src/main.rs (TLS_EXPECTED_HOSTNAME / TLS_WRONG_HOSTNAME).
  • Bundle file layout cross-checked against crates/uselesskey-cli/tests/tls_profile.rs.
  • No emojis; matches the dry style of docs/how-to/test-oidc-jwks-validation.md and docs/how-to/test-jwt-negative-validation.md.

Task-first user-facing how-to for the `uselesskey bundle --profile tls`
contract pack. Walks readers through generating the bundle, the six
certificate fixtures (valid leaf, valid chain, four negatives), the
expected verifier outcomes per fixture, the documented hostname
constants, and the release-grade evidence command.

Mirrors the OIDC how-to pattern: terse, task-first prose, explicit
"what this proves / does not prove" claim boundaries, and a
scanner-safety note that points back to publish-recovery and the
design doc for out-of-scope coverage.

Completes the v0.8.0 TLS contract-pack lane: design (#585) + CLI
profile (#587) + xtask bundle-proof (#588) + this user-facing piece.
Pure docs PR; no source changes.
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai Bot commented May 12, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 39 minutes before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9a80a388-b2ce-4167-bdcf-f1e23383d4b5

📥 Commits

Reviewing files that changed from the base of the PR and between 16744e0 and d4348aa.

📒 Files selected for processing (1)
  • docs/how-to/test-tls-chain-validation.md
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/tls-chain-validation-howto

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d4348aa3bd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +143 to +146
adapter crates. `uselesskey-rustls` exposes helpers that turn the
bundle into rustls trust-store and per-leaf material plus accessors for
each negative fixture. `uselesskey-tonic` re-exports the same negative
accessors so a tonic-using test crate does not need to depend on

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Correct the nonexistent adapter helper claim

In this repo, I only found uselesskey-rustls exports for Rustls*Ext on generated X509Cert/X509Chain values in crates/uselesskey-rustls/src/lib.rs and config.rs, plus tonic's own Tonic*Ext traits in crates/uselesskey-tonic/src/lib.rs; neither adapter parses a generated bundle nor exposes/re-exports per-negative accessors. Users following this section after creating target/tls-fixtures will look for APIs that do not exist, so the how-to should instead direct them to re-parse the PEM files or generate an X509Chain and call negative(ChainNegative::...) directly.

Useful? React with 👍 / 👎.

@EffortlessSteven EffortlessSteven merged commit e1f2f0a into main May 12, 2026
5 checks passed
@EffortlessSteven EffortlessSteven mentioned this pull request May 12, 2026
4 tasks
EffortlessSteven added a commit that referenced this pull request May 12, 2026
TLS contract-pack and public crate-surface cleanup release. Bumps
workspace to 0.8.0. CHANGELOG entry curated from merged PRs:
#485-#605 (TLS lane #585/#587/#588/#589, task-first how-tos
#590-#594, SRP collapse #595/#598/#599/#602, migration guide #603,
Clippy ratchets #505, dep bumps #484-#491).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant