Add trellis vm trust for self-signed SSL certs (#682)

* Add `trellis vm trust` for self-signed SSL certs

Automates extracting the per-site self-signed cert and key from the Lima
VM and trusting the cert on the host (macOS login keychain + Firefox NSS
on macOS and Linux). Replaces the manual 6-step ritual previously
documented for Lima users.

Adds `vm trust`, `vm untrust`, and `vm trust paths` subcommands. Trust
state is recorded in ~/.local/share/trellis/state/trusted_certs.json
with a process-level flock so concurrent runs serialize. Verify checks
the live trust setting (macOS verify-cert, Linux system bundle, NSS
fingerprint) so drift triggers a re-trust instead of silently passing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Simplify fingerprinting

Compute macOS specific one within macOS specific code and only expose a
single `Fingerprint` field.

* Move per-site trust orchestration into pkg/trust

Lift the read-cert / fingerprint / decide-skip-or-retrust / untrust-old /
trust-new / record-state sequence out of cmd/vm_trust.go into
trust.ApplySite, plus the symmetric trust.RevokeSite for vm_untrust.go.
Path/label helpers (ProjectID, Label, ExportDir) move alongside since
the package owns the on-disk layout.

The cmd files now hold only CLI concerns: flag parsing, site selection,
VM cert fetching, and UI formatting. vm_trust.go Run drops from ~230
to ~100 lines; vm_untrust.go from ~135 to ~75. Trust logic, state
mutation, and path conventions are now testable without spawning
security/certutil from a cmd test.

Drive-by: the private key is now written via a temp-file + rename
helper, closing a brief window where an existing key file at 0o644
would hold the new private bytes before Chmod ran.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Drop the trust-state flock

The lock guarded a vanishingly rare race: two concurrent `trellis vm
trust` runs against the same state file. State.Save already does
temp-write + atomic rename, so concurrent saves can't corrupt the file
— the realistic hazard is a lost update across a load/modify/save
window, which requires the user to run the command twice in parallel
by hand. The Linux user CA bundle rebuild has the same shape.

If lost updates ever show up in practice the right fix is a short-lived
flock inside State.Save, not a multi-second lock around the whole trust
loop (which on Linux can include blocking sudo prompts).

Removing it deletes lock_unix.go, the windows no-op stub, and the
AcquireLock calls in both cmd files.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Add unit tests for trust path helpers and ApplySite/RevokeSite

Covers the deterministic part of the package:

- paths_test: ProjectID stable + distinct, Label format, ExportDir
  separates forks of the same instance name
- format_test: FormatLocation across macOS / Linux / NSS / unknown
- store_test: VerifyResult.AllAccounted (Missing breaks, Unknown counts,
  lengths must match)
- linux_test: safeFilename (dot/dash/underscore preserved, slashes and
  control chars and unicode replaced)
- apply_test: ApplySite via a recordingStore Store fake — fresh trust,
  fingerprint-match skip, drift re-trust, fingerprint-changed re-trust,
  untrust-error state-preservation, trust-error partial state,
  empty-cert early exit, key file mode 0o600, key file removal when
  KeyPEM is empty, CertPath refresh on skip; RevokeSite success + error;
  writeFileAtomic mode invariant on existing 0o644 file

Coverage for pkg/trust goes from ~7% to ~27%, but the relevant number is
that ApplySite is now at 87% and RevokeSite at 100%. Remaining 0% is in
macos/linux/nss.go where exec-binding makes them Tier 4 work.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Add filesystem-only tests for state, linux bundle, NSS, macOS helpers

Covers the platform store layer's pure-FS and pure-string parts. Uses
t.Setenv(\"XDG_DATA_HOME\") and t.Setenv(\"HOME\") to point app_paths
and Firefox profile lookup at tempdirs — no production refactor needed
since both already respect those env vars.

- state_test: Load on missing/empty/corrupt JSON, Save+Load round-trip
  preserves all fields including AddedAt, Save leaves no temp files
  behind from the atomic-rename path
- linux_test: rebuildBundle concatenates user CAs in dir order, injects
  trailing newlines so adjacent PEM blocks parse, removes the bundle
  when the dir is empty; pemFileContainsFingerprint scans all PEM
  blocks; fileFingerprintMatches handles match/mismatch/missing-file
- nss_test: isNSSNicknameNotFound covers the certutil error variants;
  isNSSProfile detects cert9.db (modern) and cert8.db (legacy);
  firefoxProfileDirs walks the platform-appropriate parent
- macos_test: isKeychainNotFound covers the security CLI error
  variants; sha1HexFromCertFile matches crypto/sha1 over DER and
  returns empty on missing/invalid input

Coverage for pkg/trust now 47.6% (was ~27% after Tier 2, ~7% baseline).
The remaining 0% surface is exec-bound: linuxStore.Trust/Untrust/
Verify, macOSStore.Trust/Untrust/Verify, nssTrust/Untrust/Verify,
keychainTrustsCertForSSL, keychainHasFingerprint. Those are Tier 4
work that needs an exec runner shim.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Test platform stores via injectable exec runner

Add a runner interface (Run, RunStdin, Lookup) and a default execRunner
wrapping os/exec. Each platform store and a new nssHelper take a runner
so tests can inject a recording fake instead of spawning real binaries.

The fake (runner_test.go) registers single-shot canned responses keyed
by program name + an args prefix and records every call so tests can
assert on argument shape and call sequence.

Tests cover the previously-zero-coverage branches:
- macOS: Trust calls add-trusted-cert with -p ssl / -r trustRoot;
  Untrust deletes when find-certificate confirms presence; skips
  delete when fingerprint is already gone; treats "could not be
  found" as success; surfaces other delete errors; Verify maps
  verify-cert outcomes to Present / Missing (not-trusted) / Unknown
- Linux: Trust writes user CA + bundle without sudo; --trust-system
  invokes sudo tee + sudo update-ca-certificates; system location is
  recorded even when update-ca-certificates fails so untrust can clean
  up; Untrust removes user CA file; system Untrust runs sudo rm -f and
  update-ca-certificates --fresh; Verify requires both file and bundle
- NSS: disabled is a no-op; reports CertutilMissing without erroring;
  reports FirefoxFound=false when no profiles exist; happy path runs
  -D then -A in order; -A failure surfaces; Untrust treats nickname-
  not-found as success; certutil-missing-but-records-exist returns
  error; Verify classifies present / missing / unknown

Drive-by fix: rebuildBundle would error when called with the user CA
dir absent and no bundle present (os.Remove on missing file). Now
guarded with os.IsNotExist so untrust paths that bypass the user CA
location don't panic on a fresh install.

Coverage for pkg/trust now 81.2%, up from 47.6%. Remaining 0% is
execRunner itself (the prod-only os/exec wrapper) and Default()
(GOOS dispatcher).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Scott Walkinshaw <scott.walkinshaw@gmail.com>

Author: 3 people

cmd/vm_trust.go

@@ -0,0 +1,235 @@
+package cmd
+
+import (
+	"flag"
+	"fmt"
+	"path/filepath"
+	"runtime"
+	"sort"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/roots/trellis-cli/app_paths"
+	"github.com/roots/trellis-cli/pkg/trust"
+	"github.com/roots/trellis-cli/trellis"
+)
+
+type VmTrustCommand struct {
+	UI          cli.Ui
+	Trellis     *trellis.Trellis
+	flags       *flag.FlagSet
+	noExportKey bool
+	trustSystem bool
+	site        string
+}
+
+func NewVmTrustCommand(ui cli.Ui, trellis *trellis.Trellis) *VmTrustCommand {
+	c := &VmTrustCommand{UI: ui, Trellis: trellis}
+	c.init()
+	return c
+}
+
+func (c *VmTrustCommand) init() {
+	c.flags = flag.NewFlagSet("", flag.ContinueOnError)
+	c.flags.Usage = func() { c.UI.Info(c.Help()) }
+	c.flags.BoolVar(&c.noExportKey, "no-export-key", false, "Skip exporting the private key to the host.")
+	c.flags.BoolVar(&c.trustSystem, "trust-system", false, "Linux only: also write to /usr/local/share/ca-certificates and run sudo update-ca-certificates.")
+	c.flags.StringVar(&c.site, "site", "", "Trust only the named site instead of every self-signed site.")
+}
+
+func (c *VmTrustCommand) Run(args []string) int {
+	if err := c.Trellis.LoadProject(); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	c.Trellis.CheckVirtualenv(c.UI)
+
+	if err := c.flags.Parse(args); err != nil {
+		return 1
+	}
+
+	if err := (&CommandArgumentValidator{required: 0, optional: 0}).validate(c.flags.Args()); err != nil {
+		c.UI.Error(err.Error())
+		c.UI.Output(c.Help())
+		return 1
+	}
+
+	if c.trustSystem && runtime.GOOS != "linux" {
+		c.UI.Error("Error: --trust-system is only supported on Linux.")
+		return 1
+	}
+
+	manager, err := newVmManager(c.Trellis, c.UI)
+	if err != nil {
+		c.UI.Error("Error: " + err.Error())
+		return 1
+	}
+
+	sites := c.selectSites()
+	if len(sites) == 0 {
+		if c.site != "" {
+			c.UI.Error(fmt.Sprintf("Error: site %q not found, or it is not configured with ssl.enabled and ssl.provider: self-signed.", c.site))
+			return 1
+		}
+		c.UI.Info("No sites in the development environment have ssl.enabled with provider: self-signed. Nothing to trust.")
+		return 0
+	}
+
+	store, err := trust.Default(trust.Options{TrustSystem: c.trustSystem})
+	if err != nil {
+		c.UI.Error("Error: " + err.Error())
+		return 1
+	}
+
+	state, err := trust.Load()
+	if err != nil {
+		c.UI.Error("Error reading trust state: " + err.Error())
+		return 1
+	}
+
+	instanceName, err := c.Trellis.GetVmInstanceName()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	exitCode := 0
+	firefoxHintShown := false
+
+	for _, name := range sortedSiteNames(sites) {
+		certPEM, err := manager.ReadRootFile("/etc/nginx/ssl/" + name + ".cert")
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("%s: failed to read cert from VM: %s", name, err))
+			c.UI.Error(fmt.Sprintf("       (does the cert exist at /etc/nginx/ssl/%s.cert? run `trellis provision development` if SSL was just enabled)", name))
+			exitCode = 1
+			continue
+		}
+
+		var keyPEM []byte
+		if !c.noExportKey {
+			keyData, keyErr := manager.ReadRootFile("/etc/nginx/ssl/" + name + ".key")
+			if keyErr != nil {
+				c.UI.Warn(fmt.Sprintf("%s: failed to export private key from VM: %s", name, keyErr))
+			} else if len(keyData) == 0 {
+				c.UI.Warn(fmt.Sprintf("%s: VM returned an empty private key; skipping key export.", name))
+			} else {
+				keyPEM = keyData
+			}
+		}
+
+		out := trust.ApplySite(store, state, trust.SiteInput{
+			Project:      c.Trellis.Path,
+			Site:         name,
+			InstanceName: instanceName,
+			BaseDir:      app_paths.DataDir(),
+			CertPEM:      certPEM,
+			KeyPEM:       keyPEM,
+		})
+
+		if out.Err != nil {
+			c.UI.Error(fmt.Sprintf("%s: %s", name, out.Err))
+			if out.ErrHint != "" {
+				c.UI.Error("       (" + out.ErrHint + ")")
+			}
+			exitCode = 1
+			continue
+		}
+
+		c.UI.Info(fmt.Sprintf("%s: %s", name, out.Verb))
+		for _, loc := range out.Locations {
+			c.UI.Info("  - " + trust.FormatLocation(loc))
+		}
+		if out.NSS.FirefoxFound && out.NSS.CertutilMissing {
+			firefoxHintShown = true
+		}
+	}
+
+	if err := state.Save(); err != nil {
+		c.UI.Error("Error saving trust state: " + err.Error())
+		exitCode = 1
+	}
+
+	c.printSummary(trust.ExportDir(app_paths.DataDir(), instanceName, c.Trellis.Path), firefoxHintShown)
+
+	return exitCode
+}
+
+func (c *VmTrustCommand) selectSites() map[string]*trellis.Site {
+	out := map[string]*trellis.Site{}
+	env := c.Trellis.Environments["development"]
+	if env == nil {
+		return out
+	}
+	for name, site := range env.WordPressSites {
+		if c.site != "" && name != c.site {
+			continue
+		}
+		if !site.SslEnabled() || site.SslProvider() != "self-signed" {
+			continue
+		}
+		out[name] = site
+	}
+	return out
+}
+
+func (c *VmTrustCommand) printSummary(exportDir string, firefoxHint bool) {
+	c.UI.Info("")
+	c.UI.Info(fmt.Sprintf("Exported certs and keys live under %s", exportDir))
+	if runtime.GOOS == "linux" {
+		c.UI.Info(fmt.Sprintf("Set NODE_EXTRA_CA_CERTS, SSL_CERT_FILE, REQUESTS_CA_BUNDLE to %s for tools that read a single bundle.", filepath.Join(app_paths.DataDir(), "ca-bundle.pem")))
+		c.UI.Info("Tools with statically-linked roots (some Go binaries, Java) ignore env-var trust roots; use --trust-system if you need system-wide trust.")
+	}
+	if firefoxHint {
+		c.UI.Warn("")
+		c.UI.Warn("Firefox is installed but `certutil` is not on PATH, so Firefox was not auto-trusted.")
+		switch runtime.GOOS {
+		case "darwin":
+			c.UI.Warn("  Install with: brew install nss")
+		case "linux":
+			c.UI.Warn("  Install with: sudo apt install libnss3-tools  (or your distro's equivalent)")
+		}
+		c.UI.Warn("Then re-run `trellis vm trust`.")
+		c.UI.Warn("Alternative: in Firefox set `security.enterprise_roots.enabled = true` in about:config to use the system trust store.")
+	}
+}
+
+func sortedSiteNames(sites map[string]*trellis.Site) []string {
+	names := make([]string, 0, len(sites))
+	for name := range sites {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	return names
+}
+
+func (c *VmTrustCommand) Synopsis() string {
+	return "Trusts the VM's self-signed SSL certificates on the host."
+}
+
+func (c *VmTrustCommand) Help() string {
+	helpText := `
+Usage: trellis vm trust [options]
+
+Extracts each self-signed SSL cert generated by Trellis for the development
+environment, exports the cert and key to ~/.local/share/trellis/ssl/<project>/,
+and trusts the cert in the host's platform trust stores.
+
+On macOS the cert is added to the user's login keychain. On Linux the cert is
+written to a per-user CA dir and a combined bundle.
+
+When the certutil binary is available (from nss / libnss3-tools), the cert is
+also added to every Firefox profile's NSS database.
+
+This command requires the VM to be running.
+
+Options:
+      --site         Trust only this site instead of every self-signed site.
+      --no-export-key  Skip writing the private key to the host.
+      --trust-system Linux only: also install the cert system-wide
+                     (writes to /usr/local/share/ca-certificates and runs
+                     sudo update-ca-certificates).
+  -h, --help         Show this help.
+`
+	return strings.TrimSpace(helpText)
+}

cmd/vm_trust_paths.go

@@ -0,0 +1,107 @@
+package cmd
+
+import (
+	"flag"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/cli"
+	"github.com/roots/trellis-cli/pkg/trust"
+	"github.com/roots/trellis-cli/trellis"
+)
+
+type VmTrustPathsCommand struct {
+	UI      cli.Ui
+	Trellis *trellis.Trellis
+	flags   *flag.FlagSet
+	site    string
+}
+
+func NewVmTrustPathsCommand(ui cli.Ui, trellis *trellis.Trellis) *VmTrustPathsCommand {
+	c := &VmTrustPathsCommand{UI: ui, Trellis: trellis}
+	c.init()
+	return c
+}
+
+func (c *VmTrustPathsCommand) init() {
+	c.flags = flag.NewFlagSet("", flag.ContinueOnError)
+	c.flags.Usage = func() { c.UI.Info(c.Help()) }
+	c.flags.StringVar(&c.site, "site", "", "Show only the named site.")
+}
+
+func (c *VmTrustPathsCommand) Run(args []string) int {
+	if err := c.Trellis.LoadProject(); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	c.Trellis.CheckVirtualenv(c.UI)
+
+	if err := c.flags.Parse(args); err != nil {
+		return 1
+	}
+
+	if err := (&CommandArgumentValidator{required: 0, optional: 0}).validate(c.flags.Args()); err != nil {
+		c.UI.Error(err.Error())
+		c.UI.Output(c.Help())
+		return 1
+	}
+
+	state, err := trust.Load()
+	if err != nil {
+		c.UI.Error("Error reading trust state: " + err.Error())
+		return 1
+	}
+
+	project := c.Trellis.Path
+	entries := state.EntriesForProject(project)
+	if c.site != "" {
+		filtered := entries[:0]
+		for _, e := range entries {
+			if e.Site == c.site {
+				filtered = append(filtered, e)
+			}
+		}
+		entries = filtered
+	}
+
+	if len(entries) == 0 {
+		c.UI.Info(fmt.Sprintf("no trust entries for %s. Run `trellis vm trust` first.", project))
+		return 0
+	}
+
+	for i, entry := range entries {
+		if i > 0 {
+			c.UI.Info("")
+		}
+		key := entry.KeyPath
+		if key == "" {
+			key = "<not exported>"
+		}
+		c.UI.Info(entry.Site)
+		c.UI.Info("  cert: " + entry.CertPath)
+		c.UI.Info("  key:  " + key)
+	}
+
+	return 0
+}
+
+func (c *VmTrustPathsCommand) Synopsis() string {
+	return "Prints the host paths of the exported SSL cert and key for each trusted site."
+}
+
+func (c *VmTrustPathsCommand) Help() string {
+	helpText := `
+Usage: trellis vm trust paths [options]
+
+Prints one line per trusted site for the current project, showing where the
+exported cert and private key live on the host. Use these paths to wire up
+host-side tooling (Vite, Playwright, curl) against the same cert the VM
+serves.
+
+Options:
+      --site  Show only the named site.
+  -h, --help  Show this help.
+`
+	return strings.TrimSpace(helpText)
+}