Checkpoint: grpc auth fix, issuer list/detail, v2 protos, architecture docs

Co-authored-by: Junie <junie@jetbrains.com>

internal/webserver/client.go

@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"log/slog"
 	"os"
 
 	"google.golang.org/grpc"
@@ -24,9 +25,12 @@ type VaultClient struct {
 }
 
 // NewVaultClient dials the vault gRPC server and returns a client.
-func NewVaultClient(addr, caCertPath string) (*VaultClient, error) {
+func NewVaultClient(addr, caCertPath string, logger *slog.Logger) (*VaultClient, error) {
+	logger.Debug("connecting to vault", "addr", addr, "ca_cert", caCertPath)
+
 	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
 	if caCertPath != "" {
+		logger.Debug("loading vault CA certificate", "path", caCertPath)
 		pemData, err := os.ReadFile(caCertPath) //nolint:gosec
 		if err != nil {
 			return nil, fmt.Errorf("webserver: read CA cert: %w", err)
@@ -36,12 +40,17 @@ func NewVaultClient(addr, caCertPath string) (*VaultClient, error) {
 			return nil, fmt.Errorf("webserver: parse CA cert")
 		}
 		tlsCfg.RootCAs = pool
+		logger.Debug("vault CA certificate loaded successfully")
+	} else {
+		logger.Debug("no CA cert configured, using system roots")
 	}
 
+	logger.Debug("dialing vault gRPC", "addr", addr)
 	conn, err := grpc.NewClient(addr, grpc.WithTransportCredentials(credentials.NewTLS(tlsCfg)))
 	if err != nil {
 		return nil, fmt.Errorf("webserver: dial vault: %w", err)
 	}
+	logger.Debug("vault gRPC connection established", "addr", addr)
 
 	return &VaultClient{
 		conn:   conn,