feat: allow mTLS auth for edge agents

[kmendell]

Checklist

• This PR is not opened from my fork’s main branch

What This PR Implements

Fixes:

Changes Made

Testing Done

• Development environment started: ./scripts/development/dev.sh start
• Frontend verified at http://localhost:3000
• Backend verified at http://localhost:3552
• Manual testing completed (describe):
• No linting errors (e.g., just lint all)
• Backend tests pass: just test backend

AI Tool Used (if applicable)

AI Tool:
Assistance Level:
What AI helped with:
I reviewed and edited all AI-generated output:
I ran all required tests and manually verified changes:

Additional Context

Disclaimer Greptiles Reviews use AI, make sure to check over its work.

To better help train Greptile on our codebase, if the comment is useful and valid Like the comment, if its not helpful or invalid Dislike

To have Greptile Re-Review the changes, mention greptileai.

Greptile Summary

[Linus Torvalds Mode]

This PR stitches together mTLS authentication for edge agents — manager-side CA auto-generation, per-environment client certificate issuance, an agent-side auto-enrollment flow, and a frontend certificate-download UX. It's a legitimately large feature and, mercifully, most of the implementation is coherent. Several issues flagged in a prior review round (missing EDGE_MTLS_AUTO_GENERATE=true in snippets, the EdgeMTLSAutoGenerate guard in shouldAutoGenerateManagerCAInternal, plain-HTTP enrollment guard, and cfg.EdgeMTLSCAFile not being populated after enrollment) appear to be addressed in this revision.

Key changes:

• New tls.go in edge package: CA + client cert generation, validation with cert/key pair consistency, TLS config builders for both manager and agent sides.
• server.go: mTLS enforcement gate on WebSocket and gRPC connect paths, new HandleMTLSEnroll endpoint, session metadata (security mode, session ID, capabilities) propagated to registry.
• environments.go: three new download endpoints (CA, bundle ZIP, per-file) plus updated deployment snippet generation that inlines generated PEM contents.
• Frontend: new ActionButtonGroup split-button support for mTLS download menu, DetailsTab certificate status widget, download utility.

What remains broken or questionable is noted in the inline comments. The codebase doesn't deserve a standing ovation, but it probably deserves to be merged after fixing the expiresAt guard.

Confidence Score: 4/5

[Linus Torvalds Mode] Most of the scary issues from the prior review round appear to be addressed — the auto-generate guard, the HTTPS enrollment check, and the CA-path backfill are all present. What's left is an unguarded optional field that will silently render 'Invalid Date' in the UI, which is a real data-display defect on the changed path. Fix that and the rest is noise.

There are two issues remaining: a P1 frontend rendering defect (unguarded expiresAt) and a P2 backend inconsistency (Content-Disposition quoting mismatch). The P1 is a real wrong-data situation on the certificate details UI — not catastrophic, but incorrect enough to drop to 4. The P2 is cosmetic and doesn't affect current filenames. Everything else looks structurally sound.

Pay attention to frontend/src/routes/(app)/environments/[id]/components/DetailsTab.svelte — the optional expiresAt field is rendered without a guard and will display garbage if the backend omits it.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: backend/internal/huma/handlers/environments.go
Line: 1216

Comment:
**Inconsistent `Content-Disposition` filename quoting**

This is broken garbage — two different wrong approaches to the same header field crammed into the same file. Reading this inconsistency makes me want to hurl my keyboard through a window.

`"attachment; filename="+fileName` concatenates without any quoting, while both `DownloadEnvironmentMTLSBundle` and `DownloadEnvironmentMTLSFile` use `fmt.Sprintf("attachment; filename=%q", fileName)`. If the configured CA path ever has a basename with spaces, the header is syntactically malformed and the browser may ignore the filename. The hardcoded `"ca.crt"` fallback keeps it from exploding today, but the code is silently wrong.

```suggestion
			humaCtx.SetHeader("Content-Disposition", fmt.Sprintf("attachment; filename=%q", fileName))
```

Congratulations on inventing two incompatible approaches to the same problem in the same PR.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: frontend/src/routes/(app)/environments/[id]/components/DetailsTab.svelte
Line: 337

Comment:
**`expiresAt` rendered without optional guard**

Oh, this is embarrassing — you typed `expiresAt` as `string | undefined`, then rendered it unconditionally one line later like a first-year intern. Reading it makes me want to apologize to the TypeScript compiler on your behalf.

`EdgeMTLSCertificate.expiresAt` is typed `string | undefined`, but inside the `{#if mtlsCertificateBadge && environment.edgeMTLSCertificate}` block there is no guard for `expiresAt` specifically. If the backend ever returns a certificate object without an expiry timestamp, `formatDateTime(undefined)` silently renders "Invalid Date" rather than hiding the field.

```suggestion
						<div class="mt-1 font-mono text-sm">{environment.edgeMTLSCertificate.expiresAt ? formatDateTime(environment.edgeMTLSCertificate.expiresAt) : '\u2014'}</div>
```

"The Go implementation always sets it" is the exact same excuse every developer has used right before a nil-pointer display bug hit production.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (5): Last reviewed commit: "feat: allow mTLS auth for edge agents" | Re-trigger Greptile}

Context used:

• Rule used - svelte-core-bestpractices

---

name: svelte-core-b... (source)

• Rule used - JavaScript/TypeScript Best Practices

Use const/le... (source)

[kmendell]

• feat: allow mTLS auth for edge agents #2116 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[getarcaneappbot]

Container images for this PR have been built successfully!

• Manager: ghcr.io/getarcaneapp/arcane:pr-2116
• Agent: ghcr.io/getarcaneapp/arcane-headless:pr-2116

Built from commit 090e2b9

[github-actions]

This pull request has merge conflicts. Please resolve the conflicts so the PR can stay up-to-date and reviewed.

[github-actions]

This pull request has merge conflicts. Please resolve the conflicts so the PR can stay up-to-date and reviewed.

[github-actions]

This pull request has merge conflicts. Please resolve the conflicts so the PR can stay up-to-date and reviewed.

[kmendell]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[github-actions]

This pull request has merge conflicts. Please resolve the conflicts so the PR can stay up-to-date and reviewed.