Skip to content

feat(graph): add TLS support for PgGraph connections#49

Merged
epicsagas merged 3 commits into
mainfrom
orbit-pg-tls-connect
Jul 1, 2026
Merged

feat(graph): add TLS support for PgGraph connections#49
epicsagas merged 3 commits into
mainfrom
orbit-pg-tls-connect

Conversation

@epicsagas

Copy link
Copy Markdown
Owner

Closes #48

Summary

PgGraph::connect() / PgGraph::connect_config() hardcoded postgres::NoTls, so any Postgres server requiring TLS (sslmode=require+, e.g. RDS with rds.force_ssl) failed immediately with Error { kind: Tls, cause: Some(NoTlsError(())) }. This blocked defense-in-depth encryption on internal DB traffic for the graph-pg feature.

Changes

  • New optional Cargo feature graph-pg-tls (deps: postgres-native-tls, native-tls), included in full. Does not affect existing graph-pg consumers — no new mandatory deps.
  • PgGraph::connect_native_tls(url) — one-call convenience constructor using native-tls with the system trust store (full cert-chain + hostname verification, not weakened). Covers the common RDS/sslmode=require case directly.
  • PgGraph::connect_tls<T> / connect_config_tls<T> — generic over any postgres::tls::MakeTlsConnect implementor, for custom CAs, client certs, or a caller-vendored rustls adapter.
  • Refactored shared post-connect setup (schema init + migration) into a private from_client helper, reused by all constructors — connect/connect_config (NoTls) behavior is unchanged.
  • New test connect_native_tls_returns_result_not_panic, gated on graph-pg-tls, self-skips without LLMKERNEL_PG_URL (matches existing live-DB test convention).
  • Updated module doc comment and AGENTS.md optional-backend-features table.

Spec

Full requirements/AC in SPEC-20260701T050115Z.md (orbit pipeline PIPELINE-20260701T050115Z).

Audit

  • Code quality: PASS — trait bounds correct (mirrors postgres::Config::connect's own bounds), from_client refactor behavior-preserving, API consistent with existing connect/connect_config pair.
  • Security: PASS — native_tls::TlsConnector::new() verifies certs and hostnames by default (no danger_accept_invalid_* used); no NoTls-path regression; no credential-logging issue introduced.

Verification

  • cargo build --features graph-pg-tls — compiles
  • cargo build --features graph-pg — compiles unchanged, no new deps pulled in
  • cargo test --all-features — 540 passed, 0 failed, 6 ignored
  • cargo clippy --all-features -- -D warnings — clean
  • cargo fmt --all -- --check — clean

epicsagas added 3 commits July 1, 2026 14:21
- new graph-pg-tls feature (postgres-native-tls + native-tls deps)
- PgGraph::connect_native_tls for system-trust-store TLS in one call
- PgGraph::connect_tls / connect_config_tls generic over MakeTlsConnect
- closes #48
NoTls is a private-scope import, not resolvable as an intra-doc
link target; docs CI failed with rustdoc::broken_intra_doc_links.
- extract parse_config() shared by connect and connect_tls
- connect_tls/connect_config_tls no longer require T: Clone
  (postgres::Config::connect never clones the connector)
@epicsagas epicsagas merged commit 576b357 into main Jul 1, 2026
22 checks passed
@epicsagas epicsagas deleted the orbit-pg-tls-connect branch July 1, 2026 08:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

PgGraph::connect hardcodes NoTls — no way to enable TLS for graph store connections

1 participant