feat: implement TLS certificate generation

[2witstudios]

Summary

• Add self-signed CA + server certificate generation using hand-coded ASN.1/DER encoding with only Node.js built-in crypto (no external dependencies)
• Server certs include LAN IP SANs so mobile companion apps can connect over the local network
• Smart cert reuse: CA preserved across server cert rotations (preserves pairing), regenerates only when needed (expired, SAN mismatch, missing files)
• Adds getLanIps() (IPv4 non-internal + 127.0.0.1), buildPairingUrl() (ppg:// protocol with CA fingerprint for trust pinning), and ensureTls() entry point
• Path helpers for .ppg/serve/tls/ directory structure and TlsError class

Files changed

• src/server/tls.ts — Certificate generation, reuse logic, pairing URL, LAN IP detection
• src/server/tls.test.ts — 14 integration tests using real crypto + temp directories
• src/lib/paths.ts — 6 new path helpers (serveDir, tlsDir, tlsCaKeyPath, tlsCaCertPath, tlsServerKeyPath, tlsServerCertPath)
• src/lib/paths.test.ts — Tests for new path helpers
• src/lib/errors.ts — TlsError class

Test plan

• All 238 tests pass (22 test files)
• TypeScript compiles cleanly (npm run typecheck)
• CA cert: self-signed, cA:TRUE, ~10yr validity
• Server cert: signed by CA, correct SANs, ~1yr validity
• Cert reuse: valid certs not rewritten; SAN mismatch triggers server-only regen; missing CA triggers full regen
• File permissions: 0o600 on all PEM files
• CA fingerprint: stable, colon-delimited SHA-256

Closes #65

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[coderabbitai]

Warning

Rate limit exceeded

@2witstudios has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 17 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 34deb69 and 2ee6544.

📒 Files selected for processing (5)

• src/commands/spawn.test.ts
• src/lib/paths.test.ts
• src/lib/paths.ts
• src/server/tls.test.ts
• src/server/tls.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ppg/issue-65-tls-certs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}