feat(ssl): property-scoped assertion grammar#1404
Open
danielpaulus wants to merge 4 commits into
Open
Conversation
Replace the flat per-source SSL assertion builder with a property-scoped model mirroring the API check grammar and the monorepo redesign. Sources are now CERTIFICATE | CONNECTION | RESPONSE_TIME | JSON_RESPONSE | TEXT_RESPONSE. SslAssertionBuilder exposes certificate(property), connection(property), responseTime(), jsonResponse(jsonPath) and textResponse(regex?), reusing GeneralAssertionBuilder / NumericAssertionBuilder. The TlsVersion / SignatureAlgorithm / CipherSuite constant maps are kept as assertion targets, with JSDoc updated to the new API. Validation is rekeyed by (source, property): CERTIFICATE/CONNECTION whitelist comparisons per property and flag unknown properties; RESPONSE_TIME / JSON_RESPONSE / TEXT_RESPONSE whitelist per source. Boolean-target validation is retained for boolean properties. Both GREATER_THAN_OR_EQUAL and the regex (MATCHES) operator are removed for SSL; the now-unused SSL-only boolean/matches codegen helpers are dropped from the shared internal codegen. Codegen emits the five new sources and all specs (ssl-assertion, ssl-assertion-codegen, ssl-monitor, uptime-monitor-codegen) plus the ai-context example are migrated to the new grammar. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013AYwkvoaANQTH5dGStbBj2
resolvedIp allowed EQUALS/NOT_EQUALS/CONTAINS but not NOT_CONTAINS, diverging from the webapp/backend string value type. Use the shared STRING set for parity. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013AYwkvoaANQTH5dGStbBj2
Convert SslAssertionBuilder.certificate/connection to typed overloads so
property names are narrowed to known unions (typos are compile errors +
autocomplete), and the two typed-constant properties narrow the builder
target type: connection('tlsVersion') -> TlsVersionValue,
certificate('signatureAlgorithm') -> SignatureAlgorithmValue. cipherSuite
stays unconstrained by prior decision.
Add type-level @ts-expect-error coverage proving the narrowing, plus
runtime validation coverage for the removed SSL-only operators
(MATCHES, GREATER_THAN_OR_EQUAL) and the per-property comparison
whitelist (sans/serialNumber/ocspStatus rejects; sans/resolvedIp accepts).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013AYwkvoaANQTH5dGStbBj2
Fixes the lint job (@stylistic/member-delimiter-style): single-line type literals use a comma, not a semicolon. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013AYwkvoaANQTH5dGStbBj2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Redesigns the SSL monitor assertion grammar in the CLI constructs to the property-scoped model (matching the go-runner / backend / webapp change in the monorepo, and the go-sdk / terraform PRs).
SslAssertionBuilderis now:certificate(property),connection(property),responseTime(),jsonResponse(jsonPath),textResponse(regex?)— replacing the flat per-source methods (certExpiresInDays(),tlsVersion(),sanContains(), …). Source union isCERTIFICATE | CONNECTION | RESPONSE_TIME | JSON_RESPONSE | TEXT_RESPONSE. TheTlsVersion/SignatureAlgorithm/CipherSuitetyped constant maps are kept (used as targets).ssl-assertion-validation.tsis rekeyed by(source, property)with per-property comparison whitelists (unknown properties flagged; boolean-target validation retained).GREATER_THAN_OR_EQUALandMATCHESoperators (also removed the now-unused SSL-onlyvalueForBooleanAssertion/hasMatchescodegen path — SSL was its sole caller; verified other check types unaffected).Tests
tsc --buildclean;vitest run ssl uptime-monitor-codegen→ 39 passed; broader run across grpc/dns/tcp/api → 107 passed (no regression from the shared codegen change); eslint clean.Out of scope (left untouched per no-drive-by): SSL result-display fixtures/formatters (
handshakeTimeMs,CERT_*in result snapshots) — those model the backend result wire format, not the construct assertion grammar.🤖 Generated with Claude Code