v2.0.47: HTTPS Everywhere — TLS-only control plane, agents/CLI/MCP

Breaking change release. Plaintext HTTP listener removed. The certctl control plane now terminates TLS 1.3 on :8443 via http.Server.ListenAndServeTLS. No CERTCTL_TLS_ENABLED=false escape hatch. No dual-listener mode. One-step cutover per docs/upgrade-to-tls.md. Server - cmd/server/tls.go: certHolder with SIGHUP hot-reload + atomic cert swap, buildServerTLSConfig (TLS 1.3 min, GetCertificate callback), preflightServerTLS validation - cmd/server/main.go: ListenAndServeTLS in place of ListenAndServe, watchSIGHUP wiring, cert/key path config threading - tls_test.go: 418-line regression coverage of reload, preflight, callback behavior, SAN validation Config - CERTCTL_TLS_CERT_PATH / CERTCTL_TLS_KEY_PATH (required) - Plaintext rejection: agents/CLI/MCP pre-flight-fail on http:// URLs with a pointer to docs/upgrade-to-tls.md Agents, CLI, MCP - All three pre-flight-reject http:// URLs with fail-loud diagnostic - CERTCTL_SERVER_CA_BUNDLE_PATH for private-CA trust - CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY for dev-only bypass (loud warning on startup) - install-agent.sh emits both vars as commented template lines docker-compose - certctl-tls-init sidecar generates SAN-valid self-signed cert into deploy/test/certs/ on first boot - All demo-stack curls pin against ca.crt with --cacert Helm chart - Three TLS provisioning modes, exactly one required: - server.tls.existingSecret (operator-supplied) - server.tls.certManager.enabled (cert-manager integration) - server.tls.selfSigned.enabled (eval only — not for production) - server-certificate.yaml template for cert-manager mode - helm install without a TLS source fails at template render with a pointer to docs/tls.md CI - .github/workflows/ci.yml Helm Chart Validation step renders the chart in both existingSecret and cert-manager modes, plus an inverse guard-regression test that asserts helm template MUST refuse to render when no TLS source is configured. Previously the single `helm template` invocation hit the certctl.tls.required fail-loud guard and exit-1'd CI. Four invocations now: lint (existingSecret), template (existingSecret), template (cert-manager), template (no args — must fail). Integration tests - deploy/test/integration_test.go stands up the Compose stack over HTTPS, extracts the CA bundle, and exercises every certctl API over https://localhost:8443 - All 34 integration subtests green (per Phase 8 local CI-parity) Documentation - New: docs/tls.md (provisioning patterns, rotation, SIGHUP reload) - New: docs/upgrade-to-tls.md (one-step cutover, no-downgrade warnings, fleet-roll sequencing) - CHANGELOG.md: v2.2.0 "HTTPS Everywhere — The Irony" entry (file heading unchanged; release tag is v2.0.47) - All curls in docs/, examples/, deploy/helm/ guides use https://localhost:8443 --cacert Verification - grep -rn "ListenAndServe[^T]" cmd/ internal/ → 0 hits - grep -rn "\"http://" cmd/ internal/ → 2 benign hits (Caddy admin API default, SSRF doc comment) — zero certctl endpoints - Tasks #197–#206 (Phases 0–8) all closed in the tracker Files: 65 changed, 3489 insertions, 372 deletions (pre-CI-fix).
2026-06-07 13:51:36 +00:00 · 2026-04-20 03:31:05 +00:00
parent 04c7eca615
commit 52248be717
66 changed files with 3518 additions and 375 deletions
@@ -2,11 +2,14 @@ package mcp

 import (
 	"bytes"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
+	"os"
 	"time"
 )

@@ -18,15 +21,45 @@ type Client struct {
 	httpClient *http.Client
 }

-// NewClient creates a new certctl API client.
-func NewClient(baseURL, apiKey string) *Client {
+// NewClient creates a new certctl API client. The control plane is HTTPS-only
+// as of v2.2, so the transport is pinned to TLS 1.3 and optionally loads a
+// PEM-encoded CA bundle from caBundlePath (empty means "trust the system
+// roots"). The insecure flag disables certificate verification and is a
+// dev-only opt-in documented in docs/tls.md — it must never be set in
+// production. Returns an error if the CA bundle path is non-empty but the
+// file is missing or contains no valid PEM-encoded certificates, so the
+// caller can fail loud before any network call.
+func NewClient(baseURL, apiKey, caBundlePath string, insecure bool) (*Client, error) {
+	tlsConfig := &tls.Config{
+		MinVersion:         tls.VersionTLS13,
+		InsecureSkipVerify: insecure, //nolint:gosec // opt-in dev toggle, documented in docs/tls.md
+	}
+	if caBundlePath != "" {
+		pemBytes, err := os.ReadFile(caBundlePath)
+		if err != nil {
+			return nil, fmt.Errorf("reading CA bundle at %q: %w", caBundlePath, err)
+		}
+		pool := x509.NewCertPool()
+		if !pool.AppendCertsFromPEM(pemBytes) {
+			return nil, fmt.Errorf("CA bundle at %q contains no valid PEM-encoded certificates", caBundlePath)
+		}
+		tlsConfig.RootCAs = pool
+	}
 	return &Client{
 		baseURL: baseURL,
 		apiKey:  apiKey,
 		httpClient: &http.Client{
 			Timeout: 30 * time.Second,
+			Transport: &http.Transport{
+				TLSClientConfig:       tlsConfig,
+				ForceAttemptHTTP2:     true,
+				MaxIdleConns:          10,
+				IdleConnTimeout:       90 * time.Second,
+				TLSHandshakeTimeout:   10 * time.Second,
+				ExpectContinueTimeout: 1 * time.Second,
+			},
 		},
-	}
+	}, nil
 }

 // Get performs an HTTP GET and returns the raw JSON response body.
@@ -1,17 +1,30 @@
 package mcp

 import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/json"
+	"encoding/pem"
 	"io"
+	"math/big"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"path/filepath"
 	"testing"
+	"time"
 )

 func TestNewClient(t *testing.T) {
-	c := NewClient("http://localhost:8443", "test-key")
-	if c.baseURL != "http://localhost:8443" {
-		t.Errorf("expected baseURL http://localhost:8443, got %s", c.baseURL)
+	c, err := NewClient("https://localhost:8443", "test-key", "", false)
+	if err != nil {
+		t.Fatalf("NewClient err=%v want nil", err)
+	}
+	if c.baseURL != "https://localhost:8443" {
+		t.Errorf("expected baseURL https://localhost:8443, got %s", c.baseURL)
 	}
 	if c.apiKey != "test-key" {
 		t.Errorf("expected apiKey test-key, got %s", c.apiKey)
@@ -44,7 +57,7 @@ func TestClient_Get(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "test-key")
+	c, _ := NewClient(server.URL, "test-key", "", false)
 	data, err := c.Get("/api/v1/certificates", map[string][]string{"status": {"Active"}})
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -64,7 +77,7 @@ func TestClient_Get_NoAuth(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "")
+	c, _ := NewClient(server.URL, "", "", false)
 	_, err := c.Get("/api/v1/certificates", nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -95,7 +108,7 @@ func TestClient_Post(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "test-key")
+	c, _ := NewClient(server.URL, "test-key", "", false)
 	data, err := c.Post("/api/v1/certificates", map[string]string{"name": "test-cert"})
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -120,7 +133,7 @@ func TestClient_Put(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "test-key")
+	c, _ := NewClient(server.URL, "test-key", "", false)
 	data, err := c.Put("/api/v1/certificates/mc-test", map[string]string{"name": "updated"})
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -139,7 +152,7 @@ func TestClient_Delete_204(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "test-key")
+	c, _ := NewClient(server.URL, "test-key", "", false)
 	data, err := c.Delete("/api/v1/certificates/mc-test")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -161,7 +174,7 @@ func TestClient_ErrorResponse(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "test-key")
+	c, _ := NewClient(server.URL, "test-key", "", false)
 	_, err := c.Get("/api/v1/certificates/nonexistent", nil)
 	if err == nil {
 		t.Fatal("expected error for 404 response")
@@ -179,7 +192,7 @@ func TestClient_ServerError(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "test-key")
+	c, _ := NewClient(server.URL, "test-key", "", false)
 	_, err := c.Post("/api/v1/certificates", map[string]string{"name": "test"})
 	if err == nil {
 		t.Fatal("expected error for 500 response")
@@ -202,7 +215,7 @@ func TestClient_GetRaw(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "test-key")
+	c, _ := NewClient(server.URL, "test-key", "", false)
 	data, contentType, err := c.GetRaw("/.well-known/pki/crl/iss-local")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -222,7 +235,7 @@ func TestClient_GetRaw_Error(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "test-key")
+	c, _ := NewClient(server.URL, "test-key", "", false)
 	_, _, err := c.GetRaw("/.well-known/pki/crl/nonexistent")
 	if err == nil {
 		t.Fatal("expected error for 404 response")
@@ -230,7 +243,7 @@ func TestClient_GetRaw_Error(t *testing.T) {
 }

 func TestClient_ConnectionRefused(t *testing.T) {
-	c := NewClient("http://localhost:1", "test-key")
+	c, _ := NewClient("https://localhost:1", "test-key", "", false)
 	_, err := c.Get("/api/v1/certificates", nil)
 	if err == nil {
 		t.Fatal("expected error for connection refused")
@@ -247,7 +260,7 @@ func TestClient_PostNilBody(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "test-key")
+	c, _ := NewClient(server.URL, "test-key", "", false)
 	data, err := c.Post("/api/v1/certificates/mc-test/renew", nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -270,7 +283,7 @@ func TestClient_QueryParams(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "test-key")
+	c, _ := NewClient(server.URL, "test-key", "", false)
 	q := paginationQuery(2, 10)
 	_, err := c.Get("/api/v1/certificates", q)
 	if err != nil {
@@ -287,3 +300,223 @@ func containsStr(s, substr string) bool {
 	}
 	return false
 }
+
+// generateTestCert produces a short-lived self-signed RSA-2048 certificate for
+// tests that need a PEM-encodable cert. Mirrors the helper used in
+// internal/cli/client_test.go so the two packages pin the same HTTPS-Everywhere
+// TLS-wiring contract against matching test fixtures.
+func generateTestCert() *x509.Certificate {
+	now := time.Now()
+	template := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: "test.certctl.local",
+		},
+		NotBefore:             now,
+		NotAfter:              now.Add(365 * 24 * time.Hour),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		DNSNames:              []string{"test.certctl.local"},
+	}
+
+	privateKey, _ := rsa.GenerateKey(rand.Reader, 2048)
+	certBytes, _ := x509.CreateCertificate(rand.Reader, template, template, &privateKey.PublicKey, privateKey)
+	cert, _ := x509.ParseCertificate(certBytes)
+	return cert
+}
+
+// -----------------------------------------------------------------------------
+// HTTPS-Everywhere milestone (v2.2, §3.2 + §7 Phase 5):
+// The MCP server binary talks HTTPS-only to the certctl control plane. These
+// tests pin the three contracts every client binary (agent, CLI, MCP) must
+// satisfy in lock-step:
+//   (a) CA bundle load success — PEM loads, RootCAs + MinVersion=TLS1.3 wired
+//       through the injected *http.Transport so the httpClient actually uses
+//       them on the wire, not just in the struct.
+//   (b) CA bundle load failure — missing file and malformed/empty PEM each fail
+//       loud with a pinned substring so operators get a useful diagnostic.
+//   (c) End-to-end TLS round-trip — an httptest.NewTLSServer whose own cert is
+//       written out as the CA bundle validates that every TLS-config knob
+//       actually flows into the dialer.
+// The substrings below must stay in sync with internal/mcp/client.go:NewClient;
+// drifting them in isolation is exactly what this suite is here to catch.
+// -----------------------------------------------------------------------------
+
+// writeCABundle PEM-encodes a DER cert and writes it to a temp file under the
+// test's own TempDir. Returns the absolute path for piping into NewClient.
+func writeCABundle(t *testing.T, dir string, certDER []byte, filename string) string {
+	t.Helper()
+	path := filepath.Join(dir, filename)
+	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+	if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
+		t.Fatalf("writing CA bundle to %q: %v", path, err)
+	}
+	return path
+}
+
+// TestNewClient_CABundle_Success pins the happy path: a valid PEM CA bundle
+// loads, populates RootCAs on the client's TLS config, and leaves
+// MinVersion=TLS1.3 intact. Regression guard for any future edit that
+// accidentally swaps the transport or detaches *tls.Config from *http.Transport.
+func TestNewClient_CABundle_Success(t *testing.T) {
+	cert := generateTestCert()
+	tmp := t.TempDir()
+	bundlePath := writeCABundle(t, tmp, cert.Raw, "ca.pem")
+
+	client, err := NewClient("https://certctl-server:8443", "test-key", bundlePath, false)
+	if err != nil {
+		t.Fatalf("NewClient with valid CA bundle err=%v want nil", err)
+	}
+	if client == nil {
+		t.Fatal("NewClient returned nil client on happy path")
+	}
+
+	transport, ok := client.httpClient.Transport.(*http.Transport)
+	if !ok {
+		t.Fatalf("httpClient.Transport type=%T want *http.Transport (TLS config injection broke)", client.httpClient.Transport)
+	}
+	if transport.TLSClientConfig == nil {
+		t.Fatal("transport.TLSClientConfig is nil; TLS config must be set on every client")
+	}
+	if transport.TLSClientConfig.RootCAs == nil {
+		t.Fatal("transport.TLSClientConfig.RootCAs is nil; CA bundle path was ignored")
+	}
+	if transport.TLSClientConfig.MinVersion != tls.VersionTLS13 {
+		t.Errorf("MinVersion=%d want tls.VersionTLS13 (%d); HTTPS-Everywhere requires TLS1.3 floor",
+			transport.TLSClientConfig.MinVersion, tls.VersionTLS13)
+	}
+	if transport.TLSClientConfig.InsecureSkipVerify {
+		t.Error("InsecureSkipVerify=true with insecure=false arg; flag wiring crossed")
+	}
+}
+
+// TestNewClient_CABundle_MissingFile pins the fail-loud path for a nonexistent
+// bundle path. The error surface must include "reading CA bundle" so operators
+// see the right diagnostic instead of a downstream TLS-handshake-error.
+func TestNewClient_CABundle_MissingFile(t *testing.T) {
+	_, err := NewClient("https://certctl-server:8443", "test-key", "/nonexistent/path/ca.pem", false)
+	if err == nil {
+		t.Fatal("NewClient with missing CA bundle err=nil; must fail loud so operators see the right diagnostic")
+	}
+	if !containsStr(err.Error(), "reading CA bundle") {
+		t.Errorf("err=%q must contain %q so operators can locate the misconfigured path", err.Error(), "reading CA bundle")
+	}
+}
+
+// TestNewClient_CABundle_EmptyPEM pins the fail-loud path for a file whose
+// contents are not valid PEM. AppendCertsFromPEM returning false is the signal
+// we need to surface — otherwise the client would silently ship with an empty
+// cert pool and every TLS handshake would fail downstream.
+func TestNewClient_CABundle_EmptyPEM(t *testing.T) {
+	tmp := t.TempDir()
+	garbagePath := filepath.Join(tmp, "garbage.pem")
+	if err := os.WriteFile(garbagePath, []byte("not a pem certificate, just bytes"), 0o600); err != nil {
+		t.Fatalf("writing garbage file: %v", err)
+	}
+
+	_, err := NewClient("https://certctl-server:8443", "test-key", garbagePath, false)
+	if err == nil {
+		t.Fatal("NewClient with malformed PEM err=nil; must fail loud, not silently skip")
+	}
+	if !containsStr(err.Error(), "no valid PEM-encoded certificates") {
+		t.Errorf("err=%q must contain %q so operators know the file parsed but held no certs",
+			err.Error(), "no valid PEM-encoded certificates")
+	}
+}
+
+// TestNewClient_TLSRoundTrip validates that the TLS config knobs we set on
+// NewClient actually reach the wire. An httptest.NewTLSServer signs its own
+// self-signed leaf; we PEM-encode that server cert, write it as the CA bundle,
+// and issue a real HTTPS GET via c.Get. A successful round-trip proves RootCAs
+// + MinVersion are flowing through *http.Transport into the dialer, not just
+// surviving into the client struct.
+func TestNewClient_TLSRoundTrip(t *testing.T) {
+	var handlerHit int
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method == http.MethodGet && r.URL.Path == "/api/v1/certificates" {
+			handlerHit++
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(map[string]interface{}{
+				"data":  []interface{}{},
+				"total": 0,
+			})
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	defer server.Close()
+
+	serverCert := server.Certificate()
+	if serverCert == nil {
+		t.Fatal("httptest.NewTLSServer.Certificate() returned nil; cannot build CA bundle")
+	}
+
+	tmp := t.TempDir()
+	bundlePath := writeCABundle(t, tmp, serverCert.Raw, "server-ca.pem")
+
+	client, err := NewClient(server.URL, "test-key", bundlePath, false)
+	if err != nil {
+		t.Fatalf("NewClient(TLS server) err=%v want nil", err)
+	}
+	data, err := client.Get("/api/v1/certificates", nil)
+	if err != nil {
+		t.Fatalf("Get over HTTPS err=%v; TLS config must reach the wire", err)
+	}
+	if data == nil {
+		t.Fatal("Get over HTTPS returned nil data; want non-empty JSON body")
+	}
+	if handlerHit != 1 {
+		t.Errorf("handlerHit=%d want 1; request did not reach the TLS server", handlerHit)
+	}
+}
+
+// TestNewClient_InsecureSkipVerify pins the dev-only escape hatch: an untrusted
+// TLS server (cert NOT in the client's root pool) must be reachable when
+// insecure=true. This is the only path in the control plane that disables
+// certificate verification; it's documented in docs/tls.md and gated by the
+// CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY env var so it never slips into
+// production silently.
+func TestNewClient_InsecureSkipVerify(t *testing.T) {
+	var handlerHit int
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		handlerHit++
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(map[string]interface{}{
+			"data":  []interface{}{},
+			"total": 0,
+		})
+	}))
+	defer server.Close()
+
+	// No CA bundle → system roots, which will NOT trust the self-signed
+	// httptest cert. insecure=true is the only thing keeping this call from
+	// failing with an x509-unknown-authority error.
+	client, err := NewClient(server.URL, "test-key", "", true)
+	if err != nil {
+		t.Fatalf("NewClient(insecure=true) err=%v want nil", err)
+	}
+
+	transport, ok := client.httpClient.Transport.(*http.Transport)
+	if !ok {
+		t.Fatalf("httpClient.Transport type=%T want *http.Transport", client.httpClient.Transport)
+	}
+	if !transport.TLSClientConfig.InsecureSkipVerify {
+		t.Fatal("insecure=true arg did not set TLSClientConfig.InsecureSkipVerify; flag wiring broken")
+	}
+	if transport.TLSClientConfig.MinVersion != tls.VersionTLS13 {
+		t.Errorf("MinVersion=%d want tls.VersionTLS13 even with insecure=true (TLS1.3 floor is not optional)",
+			transport.TLSClientConfig.MinVersion)
+	}
+
+	data, err := client.Get("/api/v1/certificates", nil)
+	if err != nil {
+		t.Fatalf("Get(insecure=true) err=%v; escape hatch must still complete the round-trip", err)
+	}
+	if data == nil {
+		t.Fatal("Get(insecure=true) returned nil data; want non-empty JSON body")
+	}
+	if handlerHit != 1 {
+		t.Errorf("handlerHit=%d want 1; insecure round-trip did not reach the server", handlerHit)
+	}
+}
@@ -44,7 +44,7 @@ func TestClient_DeleteWithQuery_ForceRetire(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "test-key")
+	c, _ := NewClient(server.URL, "test-key", "", false)
 	// Compile-fail until Phase 2b grows Client.DeleteWithQuery. Passing the
 	// query as a url.Values is the established pattern (matches Get's shape).
 	query := url.Values{}
@@ -87,7 +87,7 @@ func TestClient_DeleteWithQuery_NoQuery(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "")
+	c, _ := NewClient(server.URL, "", "", false)
 	if _, err := c.DeleteWithQuery("/api/v1/agents/ag-1", nil); err != nil {
 		t.Fatalf("DeleteWithQuery(nil query) err=%v want nil", err)
 	}
@@ -108,7 +108,7 @@ func TestClient_DeleteWithQuery_204ReturnsMinimalBody(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "")
+	c, _ := NewClient(server.URL, "", "", false)
 	data, err := c.DeleteWithQuery("/api/v1/agents/ag-1", nil)
 	if err != nil {
 		t.Fatalf("DeleteWithQuery(204) err=%v want nil (idempotent)", err)
@@ -141,7 +141,7 @@ func TestClient_DeleteWithQuery_409PropagatesError(t *testing.T) {
 	}))
 	defer server.Close()

-	c := NewClient(server.URL, "")
+	c, _ := NewClient(server.URL, "", "", false)
 	_, err := c.DeleteWithQuery("/api/v1/agents/ag-1", nil)
 	if err == nil {
 		t.Fatalf("DeleteWithQuery(409) err=nil; 409 must propagate as Go error")
@@ -88,7 +88,7 @@ func TestRegisterTools_ToolCount(t *testing.T) {
 	api := mockCertctlAPI(log)
 	defer api.Close()

-	client := NewClient(api.URL, "test-key")
+	client, _ := NewClient(api.URL, "test-key", "", false)
 	RegisterTools(server, client)

 	// The server should have tools registered — we can verify by listing them
@@ -166,7 +166,7 @@ func TestToolEndToEnd_ListCertificates(t *testing.T) {
 	api := mockCertctlAPI(log)
 	defer api.Close()

-	client := NewClient(api.URL, "test-key")
+	client, _ := NewClient(api.URL, "test-key", "", false)

 	// Manually call the handler logic that would be registered as a tool
 	q := paginationQuery(1, 50)
@@ -204,7 +204,7 @@ func TestToolEndToEnd_CreateCertificate(t *testing.T) {
 	api := mockCertctlAPI(log)
 	defer api.Close()

-	client := NewClient(api.URL, "test-key")
+	client, _ := NewClient(api.URL, "test-key", "", false)

 	input := CreateCertificateInput{
 		Name:       "API Production",
@@ -244,7 +244,7 @@ func TestToolEndToEnd_TriggerRenewal(t *testing.T) {
 	api := mockCertctlAPI(log)
 	defer api.Close()

-	client := NewClient(api.URL, "test-key")
+	client, _ := NewClient(api.URL, "test-key", "", false)
 	data, err := client.Post("/api/v1/certificates/mc-api-prod/renew", nil)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -272,7 +272,7 @@ func TestToolEndToEnd_DeleteTarget(t *testing.T) {
 	api := mockCertctlAPI(log)
 	defer api.Close()

-	client := NewClient(api.URL, "test-key")
+	client, _ := NewClient(api.URL, "test-key", "", false)
 	data, err := client.Delete("/api/v1/targets/t-platform")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -300,7 +300,7 @@ func TestToolEndToEnd_RevokeCertificate(t *testing.T) {
 	api := mockCertctlAPI(log)
 	defer api.Close()

-	client := NewClient(api.URL, "test-key")
+	client, _ := NewClient(api.URL, "test-key", "", false)
 	input := RevokeCertificateInput{
 		ID:     "mc-api-prod",
 		Reason: "keyCompromise",
@@ -327,7 +327,7 @@ func TestToolEndToEnd_AgentHeartbeat(t *testing.T) {
 	api := mockCertctlAPI(log)
 	defer api.Close()

-	client := NewClient(api.URL, "test-key")
+	client, _ := NewClient(api.URL, "test-key", "", false)
 	_, err := client.Post("/api/v1/agents/agent-001/heartbeat", map[string]string{
 		"os":           "linux",
 		"architecture": "amd64",
@@ -347,7 +347,7 @@ func TestToolEndToEnd_ListWithFilters(t *testing.T) {
 	api := mockCertctlAPI(log)
 	defer api.Close()

-	client := NewClient(api.URL, "test-key")
+	client, _ := NewClient(api.URL, "test-key", "", false)
 	q := paginationQuery(1, 25)
 	q.Set("status", "Pending")
 	q.Set("type", "Renewal")
@@ -377,7 +377,7 @@ func TestToolEndToEnd_GetRawBinary(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "test-key")
+	client, _ := NewClient(server.URL, "test-key", "", false)
 	data, ct, err := client.GetRaw("/.well-known/pki/crl/iss-local")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -397,7 +397,7 @@ func TestToolEndToEnd_ErrorPropagation(t *testing.T) {
 	}))
 	defer server.Close()

-	client := NewClient(server.URL, "test-key")
+	client, _ := NewClient(server.URL, "test-key", "", false)
 	_, err := client.Get("/api/v1/certificates", nil)
 	if err == nil {
 		t.Fatal("expected error for 403 response")