Transport Hardening: mTLS Identity + Domain Boundaries

What you’re proving

  • Certificate identity extraction rules are tested and passing.

  • Wire framing/typing checks are tested and passing.

  • Domain mismatch rejection is a coded transport boundary (environment-dependent runtime socket test).
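
The "wire framing/typing check" that the tests above exercise is easy to get subtly wrong, so here is an added illustration in Go. It is not code from the project's edge/transport package: the header layout (1-byte type, 4-byte big-endian length, payload), the Offer/Segment type values, the 1 MiB cap and the function names WriteFrame/ReadFrame/RoundTrip are all assumptions made for this example. The points it demonstrates are that the reader validates the length field before allocating and rejects a frame whose type is not the one the caller expects, so a peer cannot smuggle a Segment where an Offer is required.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// FrameType tags each frame on the wire. Values are constructed for this example.
type FrameType uint8

const (
	FrameOffer   FrameType = 1
	FrameSegment FrameType = 2
)

// maxPayload bounds the allocation driven by the untrusted length field (assumed limit).
const maxPayload = 1 << 20

var (
	ErrTypeMismatch    = errors.New("wire: frame type mismatch")
	ErrPayloadTooLarge = errors.New("wire: payload length exceeds limit")
	ErrUnknownType     = errors.New("wire: unknown frame type")
)

// WriteFrame emits [type:1][len:4 big-endian][payload]; layout is assumed for this example.
func WriteFrame(w io.Writer, t FrameType, payload []byte) error {
	if len(payload) > maxPayload {
		return ErrPayloadTooLarge
	}
	var hdr [5]byte
	hdr[0] = byte(t)
	binary.BigEndian.PutUint32(hdr[1:], uint32(len(payload)))
	if _, err := w.Write(hdr[:]); err != nil {
		return err
	}
	_, err := w.Write(payload)
	return err
}

// ReadFrame reads exactly one frame and returns its payload only if the frame
// type equals want. Length is checked against maxPayload before any allocation,
// so a forged header cannot force a multi-gigabyte buffer. On a mismatch the
// caller is expected to tear the connection down rather than keep parsing.
func ReadFrame(r io.Reader, want FrameType) ([]byte, error) {
	var hdr [5]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	got := FrameType(hdr[0])
	n := binary.BigEndian.Uint32(hdr[1:])
	if got != FrameOffer && got != FrameSegment {
		return nil, fmt.Errorf("%w: %d", ErrUnknownType, got)
	}
	if n > maxPayload {
		return nil, fmt.Errorf("%w: %d bytes", ErrPayloadTooLarge, n)
	}
	if got != want {
		return nil, fmt.Errorf("%w: got %d, want %d", ErrTypeMismatch, got, want)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// RoundTrip encodes payload as type t and decodes it expecting type want,
// which is the shape of the round-trip and mismatch tests named on this page.
func RoundTrip(t, want FrameType, payload []byte) ([]byte, error) {
	var buf bytes.Buffer
	if err := WriteFrame(&buf, t, payload); err != nil {
		return nil, err
	}
	return ReadFrame(&buf, want)
}

func main() {
	out, err := RoundTrip(FrameOffer, FrameOffer, []byte("offer-v1")) // constructed payload
	fmt.Printf("offer round trip: %q err=%v\n", out, err)
	_, err = RoundTrip(FrameSegment, FrameOffer, []byte("segment-bytes"))
	fmt.Printf("segment where offer expected: err=%v\n", err)
}
```

A forged header is the case worth testing explicitly: a 5-byte frame claiming a 4 GiB payload must be rejected by the length check, not by an out-of-memory failure after the allocation.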

Prereqs

  • Repo root: <repo-root>

  • Go toolchain available

Steps

  1. Run deterministic transport identity/wire tests.

GOCACHE=/tmp/go-build go test ./edge/transport \
  -run 'TestCertIdentityFromCert_URIRules|TestCertIdentityFromCert_CNFallback|TestWireOfferRoundTrip|TestWireSegmentRoundTrip|TestWireRejectsTypeMismatch' -v

  2. Inspect captured output.

sed -n '1,180p' docs/_generated/test-outputs/transport-hardening-output.txt

Expected outputs (from real run)

--- PASS: TestCertIdentityFromCert_URIRules
--- PASS: TestCertIdentityFromCert_CNFallback
--- PASS: TestWireOfferRoundTrip
--- PASS: TestWireSegmentRoundTrip
--- PASS: TestWireRejectsTypeMismatch
PASS

Verification

  • All listed identity/wire tests pass.

  • Output matches transport-hardening-output.txt.

  • Domain mismatch behavior remains specified in transport tests (TestTCPTLS_WrongDomain_Rejected) even when socket tests are unavailable in this environment.
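
Because the socket-based domain test may not run in a restricted environment, the identity extraction and domain boundary are shown here as an added, self-contained Go example that does not depend on a listener. This is not the project's tcptls.go: the CertIdentity shape (domain plus node name), the URI SAN scheme "edge", the "name.domain" Common Name fallback, the function names AdmitPeer/checkDomain/newTestCert and the certificates it mints are all assumptions constructed for this example; only the names certIdentityFromCert and ErrDomainMismatch follow the page's description. The example exercises the same three behaviours the page's tests name: URI rules, CN fallback, and rejection of a peer from the wrong domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// ErrDomainMismatch follows the name the page attributes to tcptls.go; the
// message and ErrNoIdentity are this example's own.
var (
	ErrDomainMismatch = errors.New("transport: peer identity domain mismatch")
	ErrNoIdentity     = errors.New("transport: certificate carries no usable identity")
)

// CertIdentity is the identity extracted from a peer certificate (assumed shape).
type CertIdentity struct {
	Domain string
	Name   string
	FromCN bool // true when the CN fallback was used instead of a URI SAN
}

// certIdentityFromCert applies the extraction rules assumed for this example:
//  1. the first URI SAN with scheme "edge" wins: host is the domain, the single
//     path element is the node name;
//  2. otherwise the Common Name "name.domain" is used as a fallback;
//  3. otherwise the certificate carries no identity and is rejected.
func certIdentityFromCert(cert *x509.Certificate) (CertIdentity, error) {
	for _, u := range cert.URIs {
		if u.Scheme != "edge" {
			continue
		}
		name := strings.Trim(u.Path, "/")
		if u.Host == "" || name == "" || strings.Contains(name, "/") {
			return CertIdentity{}, fmt.Errorf("transport: malformed identity URI %q", u.String())
		}
		return CertIdentity{Domain: u.Host, Name: name}, nil
	}
	cn := cert.Subject.CommonName
	if i := strings.IndexByte(cn, '.'); i > 0 && i < len(cn)-1 {
		return CertIdentity{Domain: cn[i+1:], Name: cn[:i], FromCN: true}, nil
	}
	return CertIdentity{}, ErrNoIdentity
}

// checkDomain is the transport boundary: a peer whose identity belongs to a
// different trust domain is rejected before any application frame is read.
func checkDomain(id CertIdentity, expectedDomain string) error {
	if !strings.EqualFold(id.Domain, expectedDomain) {
		return fmt.Errorf("%w: got %q, want %q", ErrDomainMismatch, id.Domain, expectedDomain)
	}
	return nil
}

// AdmitPeer chains extraction and the domain check, the way a
// VerifyPeerCertificate hook on a tls.Config would at handshake time.
func AdmitPeer(cert *x509.Certificate, expectedDomain string) (CertIdentity, error) {
	id, err := certIdentityFromCert(cert)
	if err != nil {
		return CertIdentity{}, err
	}
	if err := checkDomain(id, expectedDomain); err != nil {
		return CertIdentity{}, err
	}
	return id, nil
}

// newTestCert mints a throwaway self-signed certificate with the given CN and
// URI SANs; constructed test data for this example only.
func newTestCert(cn string, uris ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	for _, s := range uris {
		u, err := url.Parse(s)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, u)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newTestCert("node-1.edge.example.test", "edge://edge.example.test/node-1")
	if err != nil {
		panic(err)
	}
	for _, domain := range []string{"edge.example.test", "other.example.test"} {
		id, err := AdmitPeer(cert, domain)
		fmt.Printf("expected domain %q -> %+v err=%v\n", domain, id, err)
	}
}
```

The check that matters for the boundary is the order: identity is derived from the certificate the TLS layer already authenticated, then the domain is compared, and nothing from the connection is consumed until both succeed. Using errors.Is against ErrDomainMismatch lets a caller distinguish a cross-domain peer from a malformed certificate when deciding what to log.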

Failure modes

  • Socket-based transport tests can fail in restricted environments (socket: operation not permitted).

  • Go cache permission errors: use GOCACHE=/tmp/go-build.

Non-goals

  • This tutorial does not claim orchestration or cross-node convergence.

  • This tutorial does not grant control-plane authority over edge execution.

Evidence

  • edge/transport/tcptls.go (certIdentityFromCert, domain check and ErrDomainMismatch path)

  • edge/transport/identity_test.go

  • edge/transport/wire.go

  • edge/transport/wire_test.go

  • edge/transport/transport_test.go (TestTCPTLS_WrongDomain_Rejected)

  • docs/_generated/test-outputs/transport-hardening-output.txt