feat: add macOS Keychain integration for CA certificate (#51)

Author: ammario

.claude/commands/ci.md

@@ -1,9 +1,9 @@
 Commit working changes and push them to CI
 
-Run `cargo clippy -- -D warning` before pushing changes.
+Run `cargo clippy -- -D warnings` before pushing changes.
 
 Also fetch the latest version of the base branch and merge it into the current branch.
 
-Enter loop where you wait for CI to complete, resolve issues,
-and return to user once CI is green or a major decision is needed
-to resolve it.
+Enter loop where you wait for CI to complete using `./scripts/wait-pr-checks.sh` 
+(auto-detects PR from current branch), resolve issues, and return to user once 
+CI is green or a major decision is needed to resolve it.

.config/nextest.toml

@@ -22,5 +22,8 @@ failure-output = "final"
 success-output = "never"
 status-level = "retry"
 
+# Test timeout - terminate tests that run longer than 30 seconds
+slow-timeout = { period = "30s", terminate-after = 1 }
+
 # Allow more retries in CI for flaky tests
 retries = { backoff = "exponential", count = 2, delay = "1s", max-delay = "10s" }

.github/workflows/tests.yml

@@ -54,6 +54,11 @@ jobs:
           fi
       - uses: actions/checkout@v4
 
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: stable
+
       - name: Fix permissions on current directory
         run: |
           # Clean up any files left from previous sudo runs

CLAUDE.md

@@ -49,6 +49,16 @@ Run the full suite:
 cargo test
 ```
 
+### Test Performance Requirements
+
+**All tests must complete within seconds, not minutes.** The CI timeout is set to 30 seconds per test. Tests that require longer operations (like timeouts) should use minimal durations:
+
+- Use `HttpjailCommand::timeout(2)` for timeout tests with `sleep 3`
+- Network tests should use `--connect-timeout 5 --max-time 8` for curl commands
+- Any test taking longer than a few seconds should be optimized or redesigned
+
+This ensures fast feedback during development and prevents CI timeouts.
+
 ## Cargo Cache
 
 Occasionally you will encounter permissions issues due to running the tests under sudo. In these cases,
@@ -62,6 +72,15 @@ DO NOT `cargo clean`. Instead, `chown -R <user> target`.
   cargo test --test weak_integration
   ```
 
+### Certificate Trust on macOS
+
+- **curl and most CLI tools**: Respect the `SSL_CERT_FILE`/`SSL_CERT_DIR` environment variables that httpjail sets, so they work even without the CA in the system keychain
+- **Go programs (gh, go, etc.)**: Use the macOS Security.framework and ignore environment variables, requiring the CA to be installed in the keychain via `httpjail trust --install`
+- When the CA is not trusted in the keychain, httpjail will:
+  - Still attempt TLS interception (not pass-through)
+  - Warn that applications may fail with certificate errors
+  - Go programs will fail to connect until `httpjail trust --install` is run
+
 ## Documentation
 
 User-facing documentation should be in the README.md file.
@@ -107,8 +126,9 @@ The CI workspace is located at `/home/ci/actions-runner/_work/httpjail/httpjail`
 ./scripts/ci-scp.sh root@ci-1:/path/to/file ./         # Download
 
 # Wait for PR checks to pass or fail
-./scripts/wait-pr-checks.sh 47               # Monitor PR #47
-./scripts/wait-pr-checks.sh 47 coder/httpjail # Specify repo explicitly
+./scripts/wait-pr-checks.sh                  # Auto-detect PR from current branch
+./scripts/wait-pr-checks.sh 47               # Monitor specific PR #47
+./scripts/wait-pr-checks.sh 47 coder/httpjail # Specify PR and repo explicitly
 ```
 
 ### Manual Testing on CI

Cargo.lock

@@ -40,8 +40,8 @@ url = "2.5"
 v8 = "129"
 
 [target.'cfg(target_os = "macos")'.dependencies]
-nix = { version = "0.27", features = ["user"] }
 libc = "0.2"
+atty = "0.2"
 
 [target.'cfg(target_os = "linux")'.dependencies]
 libc = "0.2"
@@ -53,6 +53,9 @@ assert_cmd = "2.0"
 predicates = "3.0"
 serial_test = "3.0"
 
+[package.metadata.cargo-udeps.ignore]
+dev = ["serial_test"]
+
 [profile.fast]
 inherits = "release"
 opt-level = 1

Cargo.toml

@@ -126,6 +126,15 @@ httpjail creates an isolated network environment for the target process, interce
 ### macOS
 
 - No special permissions required (runs in weak mode)
+- **Automatic keychain trust:** On first run, httpjail will attempt to automatically install its CA certificate to your user keychain (with macOS password prompt). This enables HTTPS interception for most applications.
+- **Manual keychain management:**
+  - `httpjail trust` - Check if the CA certificate is trusted
+  - `httpjail trust --install` - Manually install CA to user keychain (with prompt)
+  - `httpjail trust --remove` - Remove CA from keychain
+- **Application compatibility:**
+  - ✅ Most CLI tools (curl, npm, etc.) work with environment variables or keychain trust
+  - ❌ Go programs (gh, go) require keychain trust and may fail until `httpjail trust --install` is run
+  - ❌ Some applications may bypass proxy settings entirely
 
 ## Configuration File
 

README.md

@@ -1,30 +1,52 @@
 #!/bin/bash
 # wait-pr-checks.sh - Poll GitHub Actions status for a PR and exit on first failure or when all pass
 #
-# Usage: ./scripts/wait-pr-checks.sh <pr-number> [repo]
-#   pr-number: The PR number to check
+# Usage: ./scripts/wait-pr-checks.sh [pr-number] [repo]
+#   pr-number: Optional PR number (auto-detects from current branch if not provided)
 #   repo: Optional repository in format owner/repo (defaults to coder/httpjail)
 #
 # Exit codes:
 #   0 - All checks passed
 #   1 - A check failed
-#   2 - Invalid arguments
+#   2 - Invalid arguments or no PR found
 #
 # Requires: gh, jq
 
 set -euo pipefail
 
-# Parse arguments
-if [ $# -lt 1 ]; then
-    echo "Usage: $0 <pr-number> [repo]" >&2
-    echo "Example: $0 47" >&2
-    echo "Example: $0 47 coder/httpjail" >&2
-    exit 2
+# Parse arguments and auto-detect PR if needed
+if [ $# -eq 0 ]; then
+    # Auto-detect PR from current branch
+    echo "Auto-detecting PR from current branch..." >&2
+    CURRENT_BRANCH=$(git branch --show-current)
+    
+    # Try to find PR for current branch
+    PR_INFO=$(gh pr list --head "${CURRENT_BRANCH}" --json number,headRefName --limit 1 2>/dev/null || echo "[]")
+    PR_NUMBER=$(echo "$PR_INFO" | jq -r '.[0].number // empty')
+    
+    if [ -z "$PR_NUMBER" ]; then
+        echo "Error: No PR found for branch '${CURRENT_BRANCH}'" >&2
+        echo "" >&2
+        echo "Usage: $0 [pr-number] [repo]" >&2
+        echo "  When called without arguments, auto-detects PR from current branch" >&2
+        echo "  Examples:" >&2
+        echo "    $0                    # Auto-detect PR from current branch" >&2
+        echo "    $0 47                 # Monitor PR #47" >&2
+        echo "    $0 47 coder/httpjail  # Monitor PR #47 in specific repo" >&2
+        exit 2
+    fi
+    
+    # Auto-detect repo from git remote
+    REPO=$(gh repo view --json nameWithOwner -q .nameWithOwner 2>/dev/null || echo "coder/httpjail")
+    echo "Found PR #${PR_NUMBER} for branch '${CURRENT_BRANCH}' in ${REPO}" >&2
+elif [ $# -eq 1 ]; then
+    PR_NUMBER="$1"
+    REPO="coder/httpjail"
+else
+    PR_NUMBER="$1"
+    REPO="$2"
 fi
 
-PR_NUMBER="$1"
-REPO="${2:-coder/httpjail}"
-
 # Check for required tools
 if ! command -v jq &> /dev/null; then
     echo "Error: jq is required but not installed" >&2
@@ -71,7 +93,43 @@ while true; do
     if [ $failed_count -gt 0 ]; then
         echo -e "\n\n${RED}❌ The following check(s) failed:${NC}"
         echo "$json_output" | jq -r '.[] | select(.state == "FAILURE" or .state == "ERROR") | "  - \(.name)"'
-        echo -e "\nView details at: https://github.com/${REPO}/pull/${PR_NUMBER}/checks"
+        
+        # Try to fetch logs for the first failed check
+        echo -e "\n${YELLOW}Fetching logs for first failed check...${NC}\n"
+        
+        # Get the first failed check details
+        first_failed=$(echo "$json_output" | jq -r '.[] | select(.state == "FAILURE" or .state == "ERROR") | "\(.name)|\(.link)"' | head -1)
+        
+        if [ -n "$first_failed" ]; then
+            IFS='|' read -r check_name check_link <<< "$first_failed"
+            echo -e "${YELLOW}=== Logs for: ${check_name} ===${NC}"
+            
+            # Extract run ID and job ID from the link
+            if [[ "$check_link" =~ /runs/([0-9]+)/job/([0-9]+) ]]; then
+                run_id="${BASH_REMATCH[1]}"
+                job_id="${BASH_REMATCH[2]}"
+                
+                # Use direct API call to get job logs (more reliable than gh run view)
+                if job_logs=$(gh api "repos/${REPO}/actions/jobs/${job_id}/logs" --paginate 2>&1); then
+                    # Look for error patterns in the logs
+                    error_logs=$(echo "$job_logs" | grep -E "(error:|Error:|ERROR:|warning:|clippy::|failed|Failed|##\[error\])" | head -30)
+                    if [ -n "$error_logs" ]; then
+                        echo "$error_logs"
+                    else
+                        # If no error patterns found, show last 100 lines which often contain the failure
+                        echo "$job_logs" | tail -100
+                    fi
+                else
+                    # If logs aren't ready, try to at least show the conclusion
+                    echo "Full logs not available yet. Check: ${check_link}"
+                fi
+            else
+                echo "Could not parse check link: ${check_link}"
+            fi
+            echo ""
+        fi
+        
+        echo -e "\nView full details at: https://github.com/${REPO}/pull/${PR_NUMBER}/checks"
         exit 1
     fi
 

scripts/wait-pr-checks.sh

@@ -1,5 +1,6 @@
 pub mod dangerous_verifier;
 pub mod jail;
+pub mod macos_keychain;
 pub mod proxy;
 pub mod proxy_tls;
 pub mod rules;