docs: TLS auto-cert and lenient client trust
This commit is contained in:
Joseph Doherty
@@ -51,6 +51,19 @@ The shared inputs are:
|
||||
The commands in the matrix use `MXGATEWAY_API_KEY` through each CLI's
|
||||
`api-key-env` flag. They must not embed bearer tokens or raw API keys.
|
||||
|
||||
### TLS variant
|
||||
|
||||
The matrix runs over plaintext (`h2c`) by default. A TLS variant exists but stays
|
||||
a manual/opt-in run, consistent with the gate above, because it needs the gateway
|
||||
started with an HTTPS endpoint (an `https://` `MXGATEWAY_ENDPOINT`) and each CLI
|
||||
switched to its TLS flag (`--tls` / `-tls` / `--plaintext=false` /
|
||||
`plaintext=False`). The clients are lenient by default and accept the gateway's
|
||||
auto-generated self-signed certificate without extra trust setup, except the Rust
|
||||
CLI, which is pin-only and needs `--ca-file` or `--require-certificate-validation`
|
||||
(and Python uses trust-on-first-use). See
|
||||
[Gateway Configuration — Automatic self-signed certificate](./GatewayConfiguration.md#automatic-self-signed-certificate)
|
||||
and each client README for the per-client TLS flags.
|
||||
|
||||
## JSON Comparison
|
||||
|
||||
Every command in the matrix requests JSON output. A runner can compare the
|
||||
|
||||
Reference in New Issue
Block a user