Step 23: TLS transport for sgardd and sgard client.

Server: --tls-cert/--tls-key flags enable TLS (min TLS 1.2).
Client: --tls enables TLS transport, --tls-ca for custom CA certs.
Two integration tests: push/pull over TLS, reject untrusted client.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cmd/sgard/main.go

@@ -2,6 +2,8 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -10,6 +12,7 @@ import (
 	"github.com/kisom/sgard/client"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 )
 
@@ -17,6 +20,8 @@ var (
 	repoFlag   string
 	remoteFlag string
 	sshKeyFlag string
+	tlsFlag    bool
+	tlsCAFlag  string
 )
 
 var rootCmd = &cobra.Command{
@@ -66,8 +71,27 @@ func dialRemote(ctx context.Context) (*client.Client, func(), error) {
 	cachedToken := client.LoadCachedToken()
 	creds := client.NewTokenCredentials(cachedToken)
 
+	var transportCreds grpc.DialOption
+	if tlsFlag {
+		tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
+		if tlsCAFlag != "" {
+			caPEM, err := os.ReadFile(tlsCAFlag)
+			if err != nil {
+				return nil, nil, fmt.Errorf("reading CA cert: %w", err)
+			}
+			pool := x509.NewCertPool()
+			if !pool.AppendCertsFromPEM(caPEM) {
+				return nil, nil, fmt.Errorf("failed to parse CA cert %s", tlsCAFlag)
+			}
+			tlsCfg.RootCAs = pool
+		}
+		transportCreds = grpc.WithTransportCredentials(credentials.NewTLS(tlsCfg))
+	} else {
+		transportCreds = grpc.WithTransportCredentials(insecure.NewCredentials())
+	}
+
 	conn, err := grpc.NewClient(addr,
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		transportCreds,
 		grpc.WithPerRPCCredentials(creds),
 	)
 	if err != nil {
@@ -90,6 +114,8 @@ func main() {
 	rootCmd.PersistentFlags().StringVar(&repoFlag, "repo", defaultRepo(), "path to sgard repository")
 	rootCmd.PersistentFlags().StringVar(&remoteFlag, "remote", "", "gRPC server address (host:port)")
 	rootCmd.PersistentFlags().StringVar(&sshKeyFlag, "ssh-key", "", "path to SSH private key")
+	rootCmd.PersistentFlags().BoolVar(&tlsFlag, "tls", false, "use TLS for remote connection")
+	rootCmd.PersistentFlags().StringVar(&tlsCAFlag, "tls-ca", "", "path to CA certificate for TLS verification")
 
 	if err := rootCmd.Execute(); err != nil {
 		fmt.Fprintln(os.Stderr, err)

cmd/sgardd/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"fmt"
 	"net"
 	"os"
@@ -10,12 +11,15 @@ import (
 	"github.com/kisom/sgard/sgardpb"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 )
 
 var (
-	listenAddr     string
-	repoPath       string
-	authKeysPath   string
+	listenAddr   string
+	repoPath     string
+	authKeysPath string
+	tlsCertPath  string
+	tlsKeyPath   string
 )
 
 var rootCmd = &cobra.Command{
@@ -28,6 +32,21 @@ var rootCmd = &cobra.Command{
 		}
 
 		var opts []grpc.ServerOption
+
+		if tlsCertPath != "" && tlsKeyPath != "" {
+			cert, err := tls.LoadX509KeyPair(tlsCertPath, tlsKeyPath)
+			if err != nil {
+				return fmt.Errorf("loading TLS cert/key: %w", err)
+			}
+			opts = append(opts, grpc.Creds(credentials.NewTLS(&tls.Config{
+				Certificates: []tls.Certificate{cert},
+				MinVersion:   tls.VersionTLS12,
+			})))
+			fmt.Println("TLS enabled")
+		} else if tlsCertPath != "" || tlsKeyPath != "" {
+			return fmt.Errorf("both --tls-cert and --tls-key must be specified together")
+		}
+
 		var srvInstance *server.Server
 
 		if authKeysPath != "" {
@@ -63,6 +82,8 @@ func main() {
 	rootCmd.Flags().StringVar(&listenAddr, "listen", ":9473", "gRPC listen address")
 	rootCmd.Flags().StringVar(&repoPath, "repo", "/srv/sgard", "path to sgard repository")
 	rootCmd.Flags().StringVar(&authKeysPath, "authorized-keys", "", "path to authorized SSH public keys file")
+	rootCmd.Flags().StringVar(&tlsCertPath, "tls-cert", "", "path to TLS certificate file")
+	rootCmd.Flags().StringVar(&tlsKeyPath, "tls-key", "", "path to TLS private key file")
 
 	if err := rootCmd.Execute(); err != nil {
 		fmt.Fprintln(os.Stderr, err)