Step 23: TLS transport for sgardd and sgard client.

Server: --tls-cert/--tls-key flags enable TLS (min TLS 1.2). Client: --tls enables TLS transport, --tls-ca for custom CA certs. Two integration tests: push/pull over TLS, reject untrusted client. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 11:57:03 -07:00
parent c00d9c65c3
commit 3fabd86150
7 changed files with 329 additions and 19 deletions
--- a/PROGRESS.md
+++ b/PROGRESS.md
@@ -7,7 +7,7 @@ ARCHITECTURE.md for design details.

 ## Current Status

-**Phase:** Phase 4 in progress. Steps 21–22 complete, ready for Step 23.
+**Phase:** Phase 4 in progress. Steps 21–23 complete, ready for Step 24.

 **Last updated:** 2026-03-24

@@ -42,7 +42,7 @@ ARCHITECTURE.md for design details.

 ## Up Next

-Step 23: TLS Transport for sgardd.
+Step 24: DEK Rotation.

 ## Known Issues / Decisions Deferred

@@ -86,3 +86,4 @@ Step 23: TLS Transport for sgardd.
 | 2026-03-24 | — | Phase 4 planned (Steps 21–27): lock/unlock, shell completion, TLS, DEK rotation, real FIDO2, test cleanup. |
 | 2026-03-24 | 21 | Lock/unlock toggle commands. garden/lock.go, cmd/sgard/lock.go, 6 tests. |
 | 2026-03-24 | 22 | Shell completion: cobra built-in, README docs for bash/zsh/fish. |
+| 2026-03-24 | 23 | TLS transport: sgardd --tls-cert/--tls-key, sgard --tls/--tls-ca, 2 integration tests. |