v0.0.1 (#8)

Co-authored-by: Tasnim Kabir Sadik <tksadik92@gmail.com> Reviewed-on: wrenn/sandbox#8
2026-04-09 19:24:49 +00:00
parent 32e5a5a715
commit d3e4812e46
199 changed files with 24552 additions and 2776 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -1,24 +1,32 @@
 package config

 import (
+	"encoding/hex"
 	"os"
-	"strings"

 	"github.com/joho/godotenv"
 )

 // Config holds the control plane configuration.
 type Config struct {
-	DatabaseURL   string
-	RedisURL      string
-	ListenAddr    string
-	HostAgentAddr string
-	JWTSecret     string
+	DatabaseURL string
+	RedisURL    string
+	ListenAddr  string
+	JWTSecret   string
+
+	// mTLS — CP→Agent channel. Both must be set to enable mTLS; omitting either
+	// disables cert issuance and leaves agent connections on plain HTTP (dev mode).
+	CACert string // WRENN_CA_CERT — PEM-encoded internal CA certificate
+	CAKey  string // WRENN_CA_KEY  — PEM-encoded internal CA private key

 	OAuthGitHubClientID     string
 	OAuthGitHubClientSecret string
 	OAuthRedirectURL        string
 	CPPublicURL             string
+
+	// Channels — encryption for channel secrets (AES-256-GCM).
+	EncryptionKeyHex string   // WRENN_ENCRYPTION_KEY raw hex string (for validation)
+	EncryptionKey    [32]byte // parsed 32-byte key
 }

 // Load reads configuration from a .env file (if present) and environment variables.
@ -28,21 +36,27 @@ func Load() Config {
 	_ = godotenv.Load()

 	cfg := Config{
-		DatabaseURL:   envOrDefault("DATABASE_URL", "postgres://wrenn:wrenn@localhost:5432/wrenn?sslmode=disable"),
-		RedisURL:      envOrDefault("REDIS_URL", "redis://localhost:6379/0"),
-		ListenAddr:    envOrDefault("CP_LISTEN_ADDR", ":8080"),
-		HostAgentAddr: envOrDefault("CP_HOST_AGENT_ADDR", "http://localhost:50051"),
-		JWTSecret:     os.Getenv("JWT_SECRET"),
+		DatabaseURL: envOrDefault("DATABASE_URL", "postgres://wrenn:wrenn@localhost:5432/wrenn?sslmode=disable"),
+		RedisURL:    envOrDefault("REDIS_URL", "redis://localhost:6379/0"),
+		ListenAddr:  envOrDefault("WRENN_CP_LISTEN_ADDR", ":8080"),
+		JWTSecret:   os.Getenv("JWT_SECRET"),
+
+		CACert: os.Getenv("WRENN_CA_CERT"),
+		CAKey:  os.Getenv("WRENN_CA_KEY"),

 		OAuthGitHubClientID:     os.Getenv("OAUTH_GITHUB_CLIENT_ID"),
 		OAuthGitHubClientSecret: os.Getenv("OAUTH_GITHUB_CLIENT_SECRET"),
 		OAuthRedirectURL:        envOrDefault("OAUTH_REDIRECT_URL", "https://app.wrenn.dev"),
 		CPPublicURL:             os.Getenv("CP_PUBLIC_URL"),
+
+		EncryptionKeyHex: os.Getenv("WRENN_ENCRYPTION_KEY"),
 	}

-	// Ensure the host agent address has a scheme.
-	if !strings.HasPrefix(cfg.HostAgentAddr, "http://") && !strings.HasPrefix(cfg.HostAgentAddr, "https://") {
-		cfg.HostAgentAddr = "http://" + cfg.HostAgentAddr
+	if cfg.EncryptionKeyHex != "" {
+		b, err := hex.DecodeString(cfg.EncryptionKeyHex)
+		if err == nil && len(b) == 32 {
+			copy(cfg.EncryptionKey[:], b)
+		}
 	}

 	return cfg