feat: allow loading root cas from global var

[adiwajshing]

Description

Testing (ignore for documentation update)

Type of change

• Bug fix
• New feature
• Breaking change
• Documentation update

Checklist:

• I have read and agree to the Code of Conduct.
• I have signed the Contributor License Agreement (CLA).
• I have considered the Security Policy.
• I have self-reviewed and tested my code.
• I have updated documentation as needed.
• I agree to the project's custom license.

Additional Notes:

Summary by CodeRabbit

• New Features

  • Additional trusted root and intermediate certificate authorities are now globally recognized, improving compatibility with a wider range of secure connections.

• Refactor

  • Root certificate handling has been streamlined to use a Mozilla root CA list by default, with dynamic inclusion of additional CAs.
  • Certificate parsing now loads root CAs on demand for improved efficiency.
  • Updated module exports and file paths for root CA data to enhance maintainability.

• Chores

  • Improved TypeScript configuration to include all relevant TypeScript and JavaScript files in the project.
  • Package version updated to 0.0.6.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

This set of changes refactors the handling of root CA certificates by removing static inclusion and parsing of additional root CAs, simplifying the main CA list to only Mozilla roots, and introducing a dynamic, global mechanism for extending root CAs at runtime. File structure and TypeScript configuration are updated accordingly.

Changes

Files/Paths	Change Summary
package.json	Bumped @reclaimprotocol/tls version from 0.0.5 to 0.0.6.
src/scripts/ca-template.ts	Removed all logic for additional root CAs and certificate parsing; now exports a placeholder Mozilla CA list.
src/scripts/update-ca-certs.ts	Changed output path for generated CA file from root-ca.ts to mozilla-root-cas.ts.
src/types/index.ts	Added global declaration for TLS_ADDITIONAL_ROOT_CA_LIST: string[].
src/utils/additional-root-cas.js	New file: Initializes and populates global TLS_ADDITIONAL_ROOT_CA_LIST with PEM-encoded certificates.
src/utils/index.ts	Changed export from root-ca to mozilla-root-cas.
src/utils/mozilla-root-cas.ts	Removed additional CA logic; now exports only the original Mozilla root CA PEM strings.
src/utils/parse-certificate.ts	Refactored to use lazy loading of root CAs, supporting global runtime extension; imports new CA management files.
tsconfig.json	Broadened file inclusion to all .ts and .js files recursively under src/.

Sequence Diagram(s)

sequenceDiagram
    participant App
    participant additional-root-cas.js
    participant parse-certificate.ts
    participant mozilla-root-cas.ts

    App->>additional-root-cas.js: (On startup) Initialize TLS_ADDITIONAL_ROOT_CA_LIST
    App->>parse-certificate.ts: verifyCertificateChain()
    parse-certificate.ts->>mozilla-root-cas.ts: Import MOZILLA_ROOT_CA_LIST
    parse-certificate.ts->>additional-root-cas.js: Access global TLS_ADDITIONAL_ROOT_CA_LIST
    parse-certificate.ts->>parse-certificate.ts: loadRootCAs() (combine Mozilla + additional CAs)
    parse-certificate.ts->>App: Return verification result

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~18 minutes

Possibly related PRs

• [FIX] cert #4: Directly related as it modifies the same certificate handling code but in the opposite direction, adding and updating additional root CA certificates.
• [FIX] Added GeoTrust TLS RSA CA G1 #3: Related due to changes in the root CA list, specifically adding new CAs and retaining parsing logic that this PR removes.

Suggested reviewers

• LaithAlebrahim
• AbdulRashidReshamwala

Poem

A bunny hops with nimble paws,
Tidying up the root CA laws.
Mozilla roots now stand alone,
While globals let new friends be known.
TypeScript paths are wide and clear—
Secure connections, have no fear!
🐇🔐

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

npm error Exit handler never called!
npm error This is an error with npm itself. Please report this error at:
npm error https://github.com/npm/cli/issues
npm error A complete log of this run can be found in: /.npm/_logs/2025-07-24T05_20_18_880Z-debug-0.log

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c5449d0 and 639c779.

📒 Files selected for processing (1)

• src/utils/additional-root-cas.js (1 hunks)

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch global-root-cas

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (2)

src/types/index.ts (1)

6-8: Global declaration looks correct but consider runtime safety.

The global declaration properly types the TLS_ADDITIONAL_ROOT_CA_LIST variable for TypeScript awareness. However, since this relies on runtime initialization from a JavaScript module, consider adding runtime existence checks in consuming code to prevent potential ReferenceErrors.

Example of safer access pattern:

const additionalCAs = typeof TLS_ADDITIONAL_ROOT_CA_LIST !== 'undefined' 
  ? TLS_ADDITIONAL_ROOT_CA_LIST 
  : []

package.json (1)

3-3: Consider whether this should be a minor version bump.

The version increment from 0.0.5 to 0.0.6 represents a patch-level change, but the PR introduces significant architectural changes in root CA handling. Consider whether this warrants a minor version bump (e.g., 0.1.0) if the changes could affect existing consumers or introduce new features.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4f122e8 and c5449d0.

📒 Files selected for processing (9)

• package.json (1 hunks)
• src/scripts/ca-template.ts (1 hunks)
• src/scripts/update-ca-certs.ts (1 hunks)
• src/types/index.ts (1 hunks)
• src/utils/additional-root-cas.js (1 hunks)
• src/utils/index.ts (1 hunks)
• src/utils/mozilla-root-cas.ts (2 hunks)
• src/utils/parse-certificate.ts (4 hunks)
• tsconfig.json (1 hunks)

👮 Files not reviewed due to content moderation or server errors (1)

• src/utils/mozilla-root-cas.ts

🧰 Additional context used

🧬 Code Graph Analysis (2)

src/utils/parse-certificate.ts (2)

src/scripts/ca-template.ts (1)

• MOZILLA_ROOT_CA_LIST (6-6)

src/utils/x509.ts (1)

• loadX509FromPem (9-56)

src/utils/mozilla-root-cas.ts (1)

src/scripts/ca-template.ts (1)

• MOZILLA_ROOT_CA_LIST (6-6)

🔇 Additional comments (6)

tsconfig.json (1)

20-21: LGTM! Improved file inclusion patterns.

The changes correctly expand the TypeScript compilation scope:

• "src/**/*.ts" now recursively includes all TypeScript files (improvement over previous "src/*/*.ts")
• "src/**/*.js" inclusion is necessary for the new additional-root-cas.js module mentioned in the PR

These changes align well with the existing allowJs: true configuration.

src/scripts/update-ca-certs.ts (1)

36-36: LGTM! Output path correctly updated.

The change from src/utils/root-ca.ts to src/utils/mozilla-root-cas.ts aligns well with the architectural refactor to separate Mozilla root CAs from additional CAs. The script logic remains unchanged, focusing only on Mozilla certificates as intended.

src/utils/index.ts (1)

14-14: LGTM! Export path correctly updated.

The export source update from ./root-ca to ./mozilla-root-cas is necessary and correct following the file rename in the CA certificate generation script. This maintains proper module exports while supporting the new architectural separation.

src/utils/parse-certificate.ts (3)

1-1: LGTM: Import changes support the new dynamic root CA loading architecture.

The imports correctly add the necessary dependencies:

• Side-effect module for global initialization
• Mozilla root CA list for the primary certificate source
• PEM parser for certificate processing

Also applies to: 7-7, 9-9

---

19-19: LGTM: Proper caching implementation for root CAs.

The module-scoped ROOT_CAS variable correctly implements lazy loading with caching to avoid re-parsing certificates on subsequent calls.

---

165-166: LGTM: Correctly implements dynamic root CA loading.

The function now uses loadRootCAs() for lazy initialization while maintaining the same API contract and combining both Mozilla and additional root CAs.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Verify that the build process correctly replaces the placeholder.

The export now uses a placeholder ['<<CERTIFICATES>>'] which suggests this file is processed during the build. Ensure that:

1. The build script properly replaces the placeholder with actual Mozilla root CA certificates
2. The placeholder format is consistently handled across the build pipeline
3. Error handling exists if the placeholder isn't replaced

---

🏁 Script executed:

#!/bin/bash
# Description: Verify build process handles the ca-template correctly
# Expected: Find build scripts that process this template

# Search for build scripts that might process the template
rg -A 5 -B 5 "<<CERTIFICATES>>" --type ts --type js --type json

# Look for references to ca-template in build configurations
rg -A 3 "ca-template" --type ts --type js --type json

Length of output: 1267

---

Build script correctly replaces the placeholder in ca-template.ts

The src/scripts/update-ca-certs.ts script reads src/scripts/ca-template.ts, replaces the '<\<CERTIFICATES>>' placeholder with the generated PEM blocks, and writes the result to src/utils/mozilla-root-cas.ts. No further changes are needed to the template itself.

Action required:

• Enhance src/scripts/update-ca-certs.ts with a sanity check that the placeholder was actually replaced. For example, after doing

  const newData = data.replace('\'<<CERTIFICATES>>\'', certs);

  throw an error if newData === data, to fail fast if the placeholder wasn’t found.

🤖 Prompt for AI Agents

In src/scripts/update-ca-certs.ts, after replacing the placeholder string
"'<<CERTIFICATES>>'" with the generated PEM blocks, add a check to verify that
the replacement actually occurred by comparing the new string with the original.
If they are identical, throw an error to fail fast and indicate the placeholder
was not found. This ensures the build script correctly updates the template.

[coderabbitai]

⚠️ Potential issue

Review the security implications of using global variables for root CAs.

Using a global variable to manage root certificate authorities introduces potential security and reliability concerns:

1. Global state mutation: Multiple modules can modify TLS_ADDITIONAL_ROOT_CA_LIST, potentially leading to race conditions or unintended certificate additions
2. Lack of access control: No validation or authorization mechanism prevents malicious code from adding compromised certificates

Consider implementing a more controlled approach with proper encapsulation and validation.

-/* eslint indent: 0 */
-global.TLS_ADDITIONAL_ROOT_CA_LIST ||= []
+/* eslint indent: 0 */
+// Initialize global CA list with proper validation
+if (!global.TLS_ADDITIONAL_ROOT_CA_LIST) {
+  global.TLS_ADDITIONAL_ROOT_CA_LIST = []
+}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	/* eslint indent: 0 */
	global.TLS_ADDITIONAL_ROOT_CA_LIST ||= []
	/* eslint indent: 0 */
	// Initialize global CA list with proper validation
	if (!global.TLS_ADDITIONAL_ROOT_CA_LIST) {
	global.TLS_ADDITIONAL_ROOT_CA_LIST = []
	}

🤖 Prompt for AI Agents

In src/utils/additional-root-cas.js at lines 1 to 2, avoid using a global
variable for TLS_ADDITIONAL_ROOT_CA_LIST to prevent security risks from
uncontrolled global state mutation and lack of access control. Refactor the code
to encapsulate the root CA list within a module or class, provide controlled
methods to add or retrieve certificates, and implement validation checks to
ensure only trusted certificates are added, thereby improving security and
reliability.

[coderabbitai]

🛠️ Refactor suggestion

Implement certificate validation and consider certificate expiry monitoring.

The hard-coded certificates include several with specific expiry dates (e.g., GlobalSign GCC R6 expires in 2026, connect.dca.ca.gov expires in 2025). This approach has several concerns:

1. No certificate validation: Certificates are added without verification of their validity or integrity
2. Expiry management: No mechanism to track or warn about expiring certificates
3. Bundle size: Large PEM strings increase the bundle size significantly

Consider implementing:

• Certificate validation before addition
• Expiry date monitoring with warnings
• External certificate loading mechanism
• Proper error handling for malformed certificates

+/**
+ * Validates and adds certificates to the global root CA list
+ * @param {string[]} certificates - Array of PEM-encoded certificates
+ */
+function addRootCAs(certificates) {
+  const validCertificates = certificates.filter(cert => {
+    // Add certificate validation logic here
+    return cert.includes('-----BEGIN CERTIFICATE-----') && 
+           cert.includes('-----END CERTIFICATE-----')
+  })
+  
+  global.TLS_ADDITIONAL_ROOT_CA_LIST.push(...validCertificates)
+}

-TLS_ADDITIONAL_ROOT_CA_LIST.push([
+addRootCAs([
   // ... certificates
-])
+])

🤖 Prompt for AI Agents

In src/utils/additional-root-cas.js around lines 4 to 185, the current
implementation hard-codes multiple PEM certificates without validating their
integrity or monitoring their expiry dates, which risks using invalid or expired
certificates and increases bundle size. To fix this, implement a certificate
validation step before adding each certificate to ensure they are well-formed
and trusted, add logic to parse and monitor expiry dates to warn about
soon-to-expire certificates, refactor to load certificates from external sources
or configuration files to reduce bundle size, and include error handling to
gracefully manage malformed or invalid certificates.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Verify global variable type safety and consider error handling.

The lazy loading implementation is well-structured with proper caching. However, consider these aspects:

1. Type Safety: The global TLS_ADDITIONAL_ROOT_CA_LIST lacks type checking beyond existence
2. Error Handling: Certificate parsing errors from loadX509FromPem will propagate uncaught

Verify the global variable declaration and error handling approach:

---

🏁 Script executed:

#!/bin/bash
# Check if TLS_ADDITIONAL_ROOT_CA_LIST is properly typed in the global declarations
ast-grep --pattern 'declare global {
  $$$
  TLS_ADDITIONAL_ROOT_CA_LIST: $TYPE
  $$$
}'

# Check for any error handling patterns around loadX509FromPem usage
rg -A 3 -B 3 'loadX509FromPem'

Length of output: 3684

---

🏁 Script executed:

#!/bin/bash
# Inspect the implementation of loadX509FromPem to confirm its error handling
head -n 50 src/utils/x509.ts

Length of output: 1472

---

Ensure TLS_ADDITIONAL_ROOT_CA_LIST Is Typed & Parsing Errors Are Handled

The lazy‐loader works, but we’ve uncovered two gaps:

• Missing Type Declaration
  No TLS_ADDITIONAL_ROOT_CA_LIST declaration was found in the repo. Without it, TS treats it as any, losing safety.

• Uncaught Parsing Errors
  loadX509FromPem throws on invalid PEM, and ROOT_CAS = …map(loadX509FromPem) will abort the entire load if any entry is bad.

———

Recommended fixes:

1. Declare the global variable (e.g. in src/types/global.d.ts):

   declare global {
     /** Additional root CAs (PEM strings) */
     const TLS_ADDITIONAL_ROOT_CA_LIST?: string[];
   }
   export {};

2. Tighten the runtime check in loadRootCAs() and handle PEM errors:

   function loadRootCAs() {
     if (ROOT_CAS) return ROOT_CAS;
   
     const loaded: X509Certificate[] = [];
     for (const pem of MOZILLA_ROOT_CA_LIST) {
       loaded.push(loadX509FromPem(pem)); // keep fail-fast for Mozilla CAs
     }
   
     if (Array.isArray(TLS_ADDITIONAL_ROOT_CA_LIST)) {
       for (const pem of TLS_ADDITIONAL_ROOT_CA_LIST) {
         try {
           loaded.push(loadX509FromPem(pem));
         } catch (err) {
           console.warn('Skipping invalid additional root CA:', err);
         }
       }
     }
   
     ROOT_CAS = loaded;
     return ROOT_CAS;
   }

• This preserves fast failure on the official list but skips/logs any bad entries in the optional list.
• Adjust as needed if you prefer an all-or-nothing strategy.

🤖 Prompt for AI Agents

In src/utils/parse-certificate.ts around lines 263 to 274, the global variable
TLS_ADDITIONAL_ROOT_CA_LIST is missing a TypeScript declaration, causing it to
be typed as any and losing type safety. Add a declaration for it in
src/types/global.d.ts as an optional string array. Also, modify loadRootCAs() to
check if TLS_ADDITIONAL_ROOT_CA_LIST is an array before processing, and wrap
each loadX509FromPem call for these additional CAs in a try-catch block to
handle and log parsing errors without aborting the entire load, while keeping
fail-fast behavior for the MOZILLA_ROOT_CA_LIST entries.