@Scratch-net Scratch-net commented Oct 14, 2025

Summary by CodeRabbit

  • Bug Fixes

    • Expanded trusted root certificates to improve TLS verification and compatibility.
  • Chores

    • Initialized a WebCrypto-based crypto backend for TLS operations.
    • Promoted a native TLS-related dependency from optional to required.
    • Exposed TLS utility into the public exports.
  • Tests

    • Temporarily skipped two GCP attestation test cases to stabilize the suite.

coderabbitai bot commented Oct 14, 2025

Walkthrough

Sets the TLS crypto implementation to a WebCrypto provider at process start, adds a PEM root CA to the additional root list, moves koffi to required dependencies, exports the tls util, and marks two GCP attestation tests as skipped.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| TLS initialization in root CA verifier: src/scripts/verify-root-ca.ts | Import and invoke setCryptoImplementation(webcryptoCrypto) at the start of main to configure WebCrypto before existing verification logic. |
| TLS root CA data update: src/utils/tls.ts | Replace placeholder with a full PEM certificate in TLS_ADDITIONAL_ROOT_CA_LIST (adds data only). |
| Exports updated: src/utils/index.ts | Add export for tls.ts (new public export); no behavioral changes. |
| GCP attestation tests adjustments: src/tests/gcp-attestation.test.ts | Two tests changed to it.skip(...), making them skipped during test runs. |
| Dependencies modified: package.json | Move koffi from optionalDependencies to dependencies (now required). |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant User as CLI/User
  participant Script as verify-root-ca.ts
  participant Crypto as WebCrypto Impl
  participant TLS as TLS client
  participant Cert as Root CA store

  Note over Script,Crypto: Initialization (new)
  User->>Script: run verification
  Script->>Crypto: setCryptoImplementation(webcryptoCrypto)
  Script->>TLS: create TLS client
  TLS->>Cert: load default roots + additional PEM
  TLS->>Crypto: perform crypto ops
  TLS-->>Script: verification result
  Script-->>User: print status
Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • Sajjad21990

Poem

I hopped in the burrow with a cryptic cheer,
Plugged WebCrypto in so the checks are clear.
A fresh PEM root tucked safe in my lair,
Two sleepy tests snooze without a care.
Hop, verify, munch—secure and near. 🐇🔐

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title Check | ❓ Inconclusive | The title mentions several true changes—adding an intermediate certificate, updating the verification script, and touching tests—but it reads as a list rather than a concise summary and uses the generic term “tests” without clarity on what was done, making it vague and not focused on the primary change. | Please simplify the title to highlight the core update in a single clear phrase (for example, “Add intermediate root certificate and update verification script”) and move detailed notes about test modifications into the PR description. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (3)
src/tests/gcp-attestation.test.ts (2)

84-84: Consider updating test fixtures instead of skipping tests.

Skipping this test reduces coverage for GCP attestation validation. Since the test already handles expired tokens gracefully (lines 119-127), consider one of these alternatives:

  1. Generate fresh test data with non-expired tokens
  2. Mock the time-sensitive validation logic
  3. Use a test fixture that won't expire (if applicable to your testing strategy)

137-137: Consider updating test fixtures instead of skipping tests.

This test already handles expiration gracefully (lines 153-158). As with the previous skipped test, consider generating fresh test data or mocking time-sensitive components to maintain test coverage.

src/utils/tls.ts (1)

29-58: Rename TLS_ADDITIONAL_ROOT_CA_LIST to reflect intermediate CAs
• The added certificate is an intermediate CA (DigiCert Global Root G2 → RapidSSL TLS RSA CA G1), valid until 2027-11-02.
• Rename the list (e.g. TLS_ADDITIONAL_TRUSTED_CA_LIST) to avoid implying it holds only root CAs.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1d9283e and 3f1d8ac.

📒 Files selected for processing (3)
  • src/scripts/verify-root-ca.ts (2 hunks)
  • src/tests/gcp-attestation.test.ts (2 hunks)
  • src/utils/tls.ts (1 hunks)
🔇 Additional comments (2)
src/scripts/verify-root-ca.ts (2)

1-2: LGTM! Proper imports for crypto initialization.

The imports correctly bring in the crypto implementation setup needed for the TLS client.


11-11: LGTM! Crypto initialization properly placed.

Initializing the crypto implementation at the start of main() before any TLS operations is the correct approach. This ensures the WebCrypto implementation is available when the TLS client is created and certificates are verified.
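The review above suggests mocking the time-sensitive validation instead of skipping the GCP attestation tests. The following is an added example, not code from this PR or the project: it shows a validity-window check with an injectable clock, so a recorded fixture stays testable after its `exp` has passed. All names (`decodeClaims`, `checkValidityWindow`, `clockAt`) and the token are hypothetical and constructed, and signature and certificate-chain verification are deliberately out of scope.

```javascript
// Added example: hypothetical names, not the project's API.
// Constructed fixture: header.payload.signature with a fixed one-hour window.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

const FIXTURE_IAT = 1760400000; // constructed timestamp, seconds since epoch
const FIXTURE_TOKEN = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({
    iss: 'https://issuer.example', // placeholder issuer
    iat: FIXTURE_IAT,
    nbf: FIXTURE_IAT,
    exp: FIXTURE_IAT + 3600,
  }),
  'constructed-signature-not-verified-here',
].join('.');

// Decode the claims segment without verifying the signature.
function decodeClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Check only nbf/exp. The clock is a parameter that defaults to the real
// one, so production callers pass nothing and tests pin it explicitly.
function checkValidityWindow(token, { now = () => Date.now(), skewSec = 60 } = {}) {
  const { nbf, exp } = decodeClaims(token);
  if (!Number.isInteger(exp)) return { ok: false, reason: 'missing exp' };
  const nowSec = Math.floor(now() / 1000);
  if (nowSec >= exp + skewSec) return { ok: false, reason: 'expired' };
  if (Number.isInteger(nbf) && nowSec < nbf - skewSec) {
    return { ok: false, reason: 'not yet valid' };
  }
  return { ok: true, reason: 'within validity window' };
}

// Test helper: a clock frozen at the given epoch second.
const clockAt = (sec) => () => sec * 1000;

// Pinned inside the fixture's window, the token validates on any run date;
// the expiry branch is still exercised by pinning the clock past exp.
console.log(checkValidityWindow(FIXTURE_TOKEN, { now: clockAt(FIXTURE_IAT + 600) }));
console.log(checkValidityWindow(FIXTURE_TOKEN, { now: clockAt(FIXTURE_IAT + 7200) }));
```

Keeping the pinned clock confined to test code matters: a production path that accepts a caller-supplied time would let expired attestations validate.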

@LaithAlebrahim LaithAlebrahim self-requested a review October 14, 2025 19:44
@LaithAlebrahim LaithAlebrahim left a comment

lgt xD

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3f1d8ac and b67ad38.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • package.json (1 hunks)
  • src/utils/index.ts (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: test
🔇 Additional comments (1)
package.json (1)

96-96: Ensure koffi builds on all target platforms and update docs accordingly

“koffi” was moved into dependencies and is only stubbed in browser/JSC builds (see src/scripts/build-browser.ts and build-jsc.ts). On Node it must compile native bindings. Confirm that:

  • koffi installs successfully on Linux, macOS, Windows and all supported architectures
  • README/docs include required toolchain prerequisites and fallback guidance if the native build fails

@Scratch-net Scratch-net merged commit e57e83a into main Oct 15, 2025
2 of 3 checks passed
@Scratch-net Scratch-net deleted the RapidSSL branch October 15, 2025 04:30