fix(packaging): declare runtime deps and handle openSUSE trust-store path

The Fedora and openSUSE install round-trips failed because:
1. ca-certificates is not in those minimal base images, so postinstall's
   update-ca-trust / update-ca-certificates command was absent and the
   trust-store install silently no-op'd.
2. openSUSE ships update-ca-certificates but reads anchors from
   /etc/pki/trust/anchors (Debian uses /usr/local/share/ca-certificates).
   The original postinstall blindly used the Debian path, so the CA never
   reached the trust store.

Fixes:
- Declare ca-certificates and systemd as package deps so dnf/apt/zypper
  pull them automatically.
- Detect the right anchor directory in postinstall (Debian / openSUSE /
  RHEL) before copying the CA.
- preremove now removes from all three possible anchor paths.
- test-install.sh accepts the openSUSE path as a valid trust-store
  location during verification.

Author: claude

.github/scripts/test-install.sh

@@ -43,9 +43,11 @@ test -f /etc/ai-proxy/ca-key.pem
 # Env file: Debian uses /etc/default, RHEL uses /etc/sysconfig
 test -s /etc/default/ai-proxy || test -s /etc/sysconfig/ai-proxy
 
-# CA should be in the OS trust store
+# CA should be in the OS trust store. The anchor directory varies by distro
+# family (Debian, openSUSE, RHEL); accept any of them.
 trust_found=0
 [ -f /usr/local/share/ca-certificates/ai-proxy.crt ] && trust_found=1
+[ -f /etc/pki/trust/anchors/ai-proxy.crt ] && trust_found=1
 [ -f /etc/pki/ca-trust/source/anchors/ai-proxy.crt ] && trust_found=1
 if [ "$trust_found" != "1" ]; then
   echo "CA not installed into trust store" >&2
@@ -78,6 +80,7 @@ fi
 
 # Trust-store entry and binary must be gone after remove
 test ! -f /usr/local/share/ca-certificates/ai-proxy.crt
+test ! -f /etc/pki/trust/anchors/ai-proxy.crt
 test ! -f /etc/pki/ca-trust/source/anchors/ai-proxy.crt
 test ! -x /usr/bin/ai-proxy
 

packaging/linux/nfpm.yaml

@@ -13,6 +13,14 @@ vendor: laplaque
 homepage: https://github.com/laplaque/ai-anonymizing-proxy
 license: MIT
 
+# Runtime dependencies. ca-certificates supplies the trust-store update tool
+# (update-ca-certificates on Debian/openSUSE, update-ca-trust on RHEL/Fedora);
+# systemd is required for the service unit. Both are typically present on
+# every supported distro but minimal container/cloud images omit them.
+depends:
+  - ca-certificates
+  - systemd
+
 contents:
   - src: ./bin/ai-proxy
     dst: /usr/bin/ai-proxy

packaging/linux/postinstall.sh

@@ -1,14 +1,23 @@
 #!/bin/sh
 set -eu
 
-# Detect distro family for trust-store integration
+# Detect distro family for trust-store integration. Debian and openSUSE both
+# ship `update-ca-certificates` but use different anchor directories; RHEL
+# uses `update-ca-trust` with a third path. Pick by the presence of the
+# distro-specific anchor directory rather than by tool name alone.
 TRUST_DIR=""
 TRUST_NAME=ai-proxy.crt
 TRUST_UPDATE=""
-if command -v update-ca-certificates >/dev/null 2>&1; then
+if [ -d /usr/local/share/ca-certificates ] && command -v update-ca-certificates >/dev/null 2>&1; then
+  # Debian / Ubuntu
   TRUST_DIR=/usr/local/share/ca-certificates
   TRUST_UPDATE=update-ca-certificates
-elif command -v update-ca-trust >/dev/null 2>&1; then
+elif [ -d /etc/pki/trust/anchors ] && command -v update-ca-certificates >/dev/null 2>&1; then
+  # openSUSE / SLES
+  TRUST_DIR=/etc/pki/trust/anchors
+  TRUST_UPDATE=update-ca-certificates
+elif [ -d /etc/pki/ca-trust/source/anchors ] && command -v update-ca-trust >/dev/null 2>&1; then
+  # RHEL / Fedora / Alma / Rocky
   TRUST_DIR=/etc/pki/ca-trust/source/anchors
   TRUST_UPDATE=update-ca-trust
 else

packaging/linux/preremove.sh

@@ -14,9 +14,12 @@ fi
 
 # Remove CA from trust store. The cert+key under /etc/ai-proxy/ stay — they
 # are user data and conffile semantics handle their removal on purge.
+# Cover all three anchor directories since the file may have been placed in
+# any one of them depending on the distro family detected at install time.
 if command -v update-ca-certificates >/dev/null 2>&1; then
   rm -f /usr/local/share/ca-certificates/ai-proxy.crt
-  update-ca-certificates --fresh >/dev/null 2>&1 || true
+  rm -f /etc/pki/trust/anchors/ai-proxy.crt
+  update-ca-certificates --fresh >/dev/null 2>&1 || update-ca-certificates >/dev/null 2>&1 || true
 elif command -v update-ca-trust >/dev/null 2>&1; then
   rm -f /etc/pki/ca-trust/source/anchors/ai-proxy.crt
   update-ca-trust >/dev/null 2>&1 || true