feat: add HTTPS/TLS server support via rustls

Add optional TLS support for the server using axum-server with the tls-rustls feature. When --server-cert and --server-key are provided (and tls feature is enabled), the server binds with TLS instead of plain HTTP. Changes: - Add axum-server dependency with optional tls-rustls feature - New 'tls' feature flag (independent of 'server') - --server-cert/--server-key CLI args gated behind tls feature - ServerConfig extended with cert_file/key_file fields - Conditional TLS/HTTP binding in server mod.rs - Fix PathBuf::to_str().unwrap() panic risk -> to_string_lossy() - Update README.md and DESIGN.md with TLS documentation
2026-03-12 22:18:42 -03:00
parent 237a581429
commit bee980605f
8 changed files with 569 additions and 124 deletions
--- a/DESIGN.md
+++ b/DESIGN.md
@@ -31,7 +31,8 @@
 - `modes/info.rs` - Show detailed item information
 - `modes/diff.rs` - Compare two items
 - `modes/status.rs` - Show system status and capabilities
- `modes/server.rs` - REST HTTP server mode with OpenAPI documentation
+- `modes/server.rs` - REST HTTP/HTTPS server mode with OpenAPI documentation
+- `modes/client.rs` - Client mode for remote server (streaming save, local decompression)
 - `modes/common.rs` - Shared utilities for all modes

 ### Database Module
@@ -57,6 +58,16 @@
 - `common/is_binary.rs` - Binary file detection utilities
 - `common/status.rs` - Status information generation

+### Client Module
+- `client.rs` - HTTP client wrapper (ureq-based, supports streaming POST)
+- `modes/client/save.rs` - 3-thread streaming save (stdin → tee → compress → pipe → HTTP POST)
+- `modes/client/get.rs` - Get with server-side raw fetch + local decompression
+- `modes/client/list.rs` - List delegation to server
+- `modes/client/info.rs` - Info delegation to server
+- `modes/client/delete.rs` - Delete delegation to server
+- `modes/client/diff.rs` - Diff delegation to server
+- `modes/client/status.rs` - Status delegation to server
+
 ### Utility Modules
 - `plugins.rs` - Shared plugin utilities
 - `args.rs` - CLI argument definitions
@@ -88,8 +99,14 @@
 - `--quiet` - Do not show any messages
 - `--output-format <table|json|yaml>` - Output format for info, status, and list modes
 - `--server-password <PASSWORD>` - Password for server authentication
+- `--server-cert <PATH>` - TLS certificate file (PEM) for HTTPS server
+- `--server-key <PATH>` - TLS private key file (PEM) for HTTPS server
 - `--force` - Force output even when binary data would be sent to a TTY

+### Client Options (requires `client` feature)
+- `--client-url <URL>` - Remote keep server URL
+- `--client-password <PASSWORD>` - Remote server password
+
 ## Data Storage

 ### Database Schema
@@ -107,17 +124,31 @@

 ### Status Operations
 - `GET /api/status` - Get system status information
+- `GET /api/plugins/status` - Get plugin status information

 ### Item Operations
- `GET /api/item/` - Get a list of items as JSON. Optional params: `order=newest|oldest`, `start=0`, `count=100`, `tags[]=tag1&tags[]=tag2`
- `POST /api/item/` - Add a new item
+- `GET /api/item/` - Get a list of items as JSON. Optional params: `order=newest|oldest`, `start=0`, `count=100`, `tags=tag1,tag2`
+- `POST /api/item/` - Add a new item (body: raw content). Query params: `tags`, `metadata` (JSON), `compress=true|false`, `meta=true|false`
+- `POST /api/item/<#>/meta` - Add metadata to an existing item (body: JSON object)
 - `DELETE /api/item/<#>` - Delete an item
- `GET /api/item/latest` - Return the latest item as JSON. Optional params: `tags[]=tag1&tags[]=tag2`, `allow_binary=true|false`
- `GET /api/item/latest/meta` - Return the latest item metadata as JSON. Optional params: `tags[]=tag1&tags[]=tag2`
- `GET /api/item/latest/content` - Return the raw content of the latest item. Optional params: `tags[]=tag1&tags[]=tag2`
+- `GET /api/item/latest` - Return the latest item as JSON. Optional params: `tags=tag1,tag2`, `allow_binary=true|false`
+- `GET /api/item/latest/meta` - Return the latest item metadata as JSON. Optional params: `tags=tag1,tag2`
+- `GET /api/item/latest/content` - Return the raw content of the latest item. Optional params: `tags=tag1,tag2`, `decompress=true|false`
 - `GET /api/item/<#>` - Return the item as JSON. Optional params: `allow_binary=true|false`
 - `GET /api/item/<#>/meta` - Return the item metadata as JSON
- `GET /api/item/<#>/content` - Return the raw content of the item
+- `GET /api/item/<#>/content` - Return the raw content of the item. Optional params: `decompress=true|false`
+- `GET /api/diff` - Diff two items. Params: `id_a`, `id_b`
+
+### Server Modes
+- **Plain HTTP** (default): `tokio::net::TcpListener` + `axum::serve()`
+- **HTTPS** (with `tls` feature): `axum_server::bind_rustls()` with rustls when `--server-cert` and `--server-key` are provided
+- Conditional selection at startup: cert+key present → HTTPS, otherwise → HTTP
+
+### Client/Server Protocol
+- Smart clients (keep CLI) set `compress=false` and `meta=false` on POST, handling compression/metadata locally
+- Dumb clients (curl) use defaults (`compress=true`, `meta=true`), server handles everything
+- GET responses include `X-Keep-Compression` header when `decompress=false`
+- Streaming save uses chunked transfer encoding for constant memory usage

 ### Authentication
 - Bearer token authentication: `Authorization: Bearer <password>`
@@ -173,5 +204,19 @@
 - File permissions are restricted to user only (umask 077)
 - Input validation for item IDs to prevent path traversal
 - Authentication for server mode with bearer or basic auth
+- TLS/HTTPS support via rustls when certificate and key are provided
 - Proper resource cleanup using RAII patterns
 - Safe handling of external processes with proper stdin/stdout management
+
+## Feature Flags
+- `server` - HTTP REST API server (axum-based)
+- `tls` - HTTPS/TLS support for server (axum-server + rustls)
+- `client` - HTTP client for remote server (ureq-based, includes streaming save)
+- `mcp` - Model Context Protocol for AI assistant integration
+- `swagger` - OpenAPI/Swagger UI documentation
+- `magic` - File type detection via libmagic
+- `lz4` - LZ4 compression (internal)
+- `gzip` - GZip compression (internal)
+- `bzip2` - BZip2 compression (external)
+- `xz` - XZ compression (external)
+- `zstd` - ZStd compression (external)