Skip to content

feat(ssl): property-scoped assertion grammar#1404

Open
danielpaulus wants to merge 4 commits into
mainfrom
ssl-assertion-grammar-redesign
Open

feat(ssl): property-scoped assertion grammar#1404
danielpaulus wants to merge 4 commits into
mainfrom
ssl-assertion-grammar-redesign

Conversation

@danielpaulus

@danielpaulus danielpaulus commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

What

Redesigns the SSL monitor assertion grammar in the CLI constructs to the property-scoped model (matching the go-runner / backend / webapp change in the monorepo, and the go-sdk / terraform PRs).

  • SslAssertionBuilder is now: certificate(property), connection(property), responseTime(), jsonResponse(jsonPath), textResponse(regex?) — replacing the flat per-source methods (certExpiresInDays(), tlsVersion(), sanContains(), …). Source union is CERTIFICATE | CONNECTION | RESPONSE_TIME | JSON_RESPONSE | TEXT_RESPONSE. The TlsVersion / SignatureAlgorithm / CipherSuite typed constant maps are kept (used as targets).
  • ssl-assertion-validation.ts is rekeyed by (source, property) with per-property comparison whitelists (unknown properties flagged; boolean-target validation retained).
  • Drops the SSL-only GREATER_THAN_OR_EQUAL and MATCHES operators (also removed the now-unused SSL-only valueForBooleanAssertion / hasMatches codegen path — SSL was its sole caller; verified other check types unaffected).
  • Codegen switches on the 5 new sources; tests + AI-context example updated.

Tests

tsc --build clean; vitest run ssl uptime-monitor-codegen → 39 passed; broader run across grpc/dns/tcp/api → 107 passed (no regression from the shared codegen change); eslint clean.

Out of scope (left untouched per no-drive-by): SSL result-display fixtures/formatters (handshakeTimeMs, CERT_* in result snapshots) — those model the backend result wire format, not the construct assertion grammar.

🤖 Generated with Claude Code

danielpaulus and others added 4 commits July 14, 2026 22:36
Replace the flat per-source SSL assertion builder with a property-scoped
model mirroring the API check grammar and the monorepo redesign.

Sources are now CERTIFICATE | CONNECTION | RESPONSE_TIME | JSON_RESPONSE |
TEXT_RESPONSE. SslAssertionBuilder exposes certificate(property),
connection(property), responseTime(), jsonResponse(jsonPath) and
textResponse(regex?), reusing GeneralAssertionBuilder / NumericAssertionBuilder.
The TlsVersion / SignatureAlgorithm / CipherSuite constant maps are kept as
assertion targets, with JSDoc updated to the new API.

Validation is rekeyed by (source, property): CERTIFICATE/CONNECTION whitelist
comparisons per property and flag unknown properties; RESPONSE_TIME /
JSON_RESPONSE / TEXT_RESPONSE whitelist per source. Boolean-target validation
is retained for boolean properties. Both GREATER_THAN_OR_EQUAL and the regex
(MATCHES) operator are removed for SSL; the now-unused SSL-only boolean/matches
codegen helpers are dropped from the shared internal codegen.

Codegen emits the five new sources and all specs (ssl-assertion,
ssl-assertion-codegen, ssl-monitor, uptime-monitor-codegen) plus the
ai-context example are migrated to the new grammar.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013AYwkvoaANQTH5dGStbBj2
resolvedIp allowed EQUALS/NOT_EQUALS/CONTAINS but not NOT_CONTAINS, diverging
from the webapp/backend string value type. Use the shared STRING set for parity.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013AYwkvoaANQTH5dGStbBj2
Convert SslAssertionBuilder.certificate/connection to typed overloads so
property names are narrowed to known unions (typos are compile errors +
autocomplete), and the two typed-constant properties narrow the builder
target type: connection('tlsVersion') -> TlsVersionValue,
certificate('signatureAlgorithm') -> SignatureAlgorithmValue. cipherSuite
stays unconstrained by prior decision.

Add type-level @ts-expect-error coverage proving the narrowing, plus
runtime validation coverage for the removed SSL-only operators
(MATCHES, GREATER_THAN_OR_EQUAL) and the per-property comparison
whitelist (sans/serialNumber/ocspStatus rejects; sans/resolvedIp accepts).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013AYwkvoaANQTH5dGStbBj2
Fixes the lint job (@stylistic/member-delimiter-style): single-line type
literals use a comma, not a semicolon.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013AYwkvoaANQTH5dGStbBj2
@danielpaulus danielpaulus requested a review from sorccu July 15, 2026 06:11
@danielpaulus danielpaulus enabled auto-merge (squash) July 15, 2026 06:20
@danielpaulus danielpaulus disabled auto-merge July 15, 2026 06:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant