fix: remove dead min_tls_version config field, TLS 1.3 is only supported version (closes #16 )

Co-authored-by: git-echo <git-echo@moon-dragon.us>
feat: add rate limiting and job queue depth cap (closes #15 )
2026-06-06 16:50:55 -05:00 · 2026-06-06 15:39:49 -05:00 · 2026-06-06 13:58:01 -05:00 · 2026-06-06 13:20:43 -05:00 · 2026-06-06 12:47:24 -05:00 · 2026-06-06 12:00:38 -05:00
44 changed files with 2112 additions and 622 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -61,6 +61,18 @@ jobs:
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo install cargo-audit && cargo audit --ignore RUSTSEC-2025-0134
  gitleaks:
    name: Secret scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  enrollment-tests:
    name: Enrollment Tests
    needs: [fmt, clippy]
--- a/.gitignore
+++ b/.gitignore
@ -14,5 +14,12 @@ debian/linux-patch-api.substvars
 *.buildinfo
 *.changes
 # Private key material - NEVER commit
 *.key
 *.key.pem
 configs/certs/*.pem
 configs/certs/*.srl
 tests/e2e/certs/*.key
 # Agent Zero project data
 .a0proj/
--- a/Cargo.lock
+++ b/Cargo.lock
@ -44,6 +44,18 @@ dependencies = [
 "tracing",
 ]
 [[package]]
 name = "actix-governor"
 version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0954b0f27aabd8f56bb03f2a77b412ddf3f8c034a3c27b2086c1fc75415760df"
 dependencies = [
 "actix-http",
 "actix-web",
 "futures",
 "governor",
 ]
 [[package]]
 name = "actix-http"
 version = "3.12.1"
@ -968,6 +980,19 @@ dependencies = [
 "memchr",
 ]
 [[package]]
 name = "dashmap"
 version = "5.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "978747c1d849a7d2ee5e8adc0159961c48fb7e5db2f06af6723b80123bb53856"
 dependencies = [
 "cfg-if",
 "hashbrown 0.14.5",
 "lock_api",
 "once_cell",
 "parking_lot_core",
 ]
 [[package]]
 name = "data-encoding"
 version = "2.11.0"
@ -1314,6 +1339,12 @@ version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
 [[package]]
 name = "futures-timer"
 version = "3.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "af43fadb8a98512d547e37b4e92e0ced13e205c061b87b4623eff01d918d6968"
 [[package]]
 name = "futures-util"
 version = "0.3.32"
@ -1382,6 +1413,26 @@ dependencies = [
 "wasip3",
 ]
 [[package]]
 name = "governor"
 version = "0.6.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "68a7f542ee6b35af73b06abc0dad1c1bae89964e4e253bc4b587b91c9637867b"
 dependencies = [
 "cfg-if",
 "dashmap",
 "futures",
 "futures-timer",
 "no-std-compat",
 "nonzero_ext",
 "parking_lot",
 "portable-atomic",
 "quanta",
 "rand 0.8.6",
 "smallvec",
 "spinning_top",
 ]
 [[package]]
 name = "h2"
 version = "0.3.27"
@ -1931,9 +1982,10 @@ dependencies = [
 [[package]]
 name = "linux-patch-api"
-version = "1.3.1"
+version = "1.3.2"
 dependencies = [
 "actix",
 "actix-governor",
 "actix-rt",
 "actix-tls",
 "actix-web",
@ -2104,6 +2156,12 @@ dependencies = [
 "libc",
 ]
 [[package]]
 name = "no-std-compat"
 version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b93853da6d84c2e3c7d730d6473e8817692dd89be387eb01b94d7f108ecb5b8c"
 [[package]]
 name = "nom"
 version = "7.1.3"
@ -2114,6 +2172,12 @@ dependencies = [
 "minimal-lexical",
 ]
 [[package]]
 name = "nonzero_ext"
 version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "38bf9645c8b145698bb0b18a4637dcacbc421ea49bef2317e4fd8065a387cf21"
 [[package]]
 name = "notify"
 version = "6.1.1"
@ -2383,6 +2447,12 @@ dependencies = [
 "plotters-backend",
 ]
 [[package]]
 name = "portable-atomic"
 version = "1.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
 [[package]]
 name = "potential_utf"
 version = "0.1.5"
@ -2441,6 +2511,21 @@ version = "2.0.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "33cb294fe86a74cbcf50d4445b37da762029549ebeea341421c7c70370f86cac"
 [[package]]
 name = "quanta"
 version = "0.12.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f3ab5a9d756f0d97bdc89019bd2e4ea098cf9cde50ee7564dde6b81ccc8f06c7"
 dependencies = [
 "crossbeam-utils",
 "libc",
 "once_cell",
 "raw-cpuid",
 "wasi",
 "web-sys",
 "winapi",
 ]
 [[package]]
 name = "quinn"
 version = "0.11.9"
@ -2593,6 +2678,15 @@ version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "63b8176103e19a2643978565ca18b50549f6101881c443590420e4dc998a3c69"
 [[package]]
 name = "raw-cpuid"
 version = "11.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "498cd0dc59d73224351ee52a95fee0f1a617a2eae0e7d9d720cc622c73a54186"
 dependencies = [
 "bitflags 2.11.1",
 ]
 [[package]]
 name = "rayon"
 version = "1.12.0"
@ -3085,6 +3179,15 @@ dependencies = [
 "windows-sys 0.61.2",
 ]
 [[package]]
 name = "spinning_top"
 version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d96d2d1d716fb500937168cc09353ffdc7a012be8475ac7308e1bdf0e3923300"
 dependencies = [
 "lock_api",
 ]
 [[package]]
 name = "stable_deref_trait"
 version = "1.2.1"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -16,6 +16,9 @@ actix-web-actors = "4"
 actix = "0.13"
 actix-tls = { version = "3", features = ["rustls-0_23"] }
 # Rate limiting (actix-governor for per-IP rate limiting)
 actix-governor = "0.6"
 # Async runtime
 tokio = { version = "1", features = ["full"] }
@ -114,6 +117,14 @@ path = "tests/integration/enrollment_test.rs"
 name = "enrollment_e2e"
 path = "tests/e2e/test_enrollment_e2e.rs"
 [[test]]
 name = "auth_test"
 path = "tests/integration/auth_test.rs"
 [[test]]
 name = "rate_limit_test"
 path = "tests/unit/rate_limit_test.rs"
 [[bench]]
 name = "api_benchmarks"
 harness = false
--- a/DEPLOYMENT_GUIDE.md
+++ b/DEPLOYMENT_GUIDE.md
@ -181,7 +181,7 @@ tls:
  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
  server_cert: "/etc/linux_patch_api/certs/server.pem"
  server_key: "/etc/linux_patch_api/certs/server.key"
-  min_tls_version: "1.3"
+  # TLS 1.3 is the only supported version (hardcoded, not configurable)
 jobs:
  max_concurrent: 5
--- a/HARDENING_REPORT.md
+++ b/HARDENING_REPORT.md
@ -20,7 +20,7 @@ This report documents the implementation of 6 security hardening fixes deferred
 | VULN-003 | LOW | Input Validation | ✅ RESOLVED | src/api/handlers/packages.rs |
 | VULN-004 | MEDIUM | Header Security | ✅ RESOLVED | src/main.rs |
 | VULN-005 | LOW | HTTP Protocol | ✅ RESOLVED | src/api/routes.rs |
-| VULN-006 | LOW | Header Security | ✅ RESOLVED | src/auth/mtls.rs |
+| VULN-006 | LOW | Header Security | ✅ RESOLVED | src/auth/security_headers.rs |
 ---
@ -176,20 +176,19 @@ web::scope("/api/v1")
 **Finding:** Duplicate Content-Type headers were accepted.
 **Implementation:**
- Added `has_duplicate_critical_headers()` function to check for duplicate headers
+- `has_duplicate_critical_headers()` function checks for duplicate headers on every request
 - Monitors critical headers: `content-type`, `authorization`, `host`
- Integrated into mTLS middleware `call()` method
+- Implemented as `SecurityHeadersMiddleware` — a dedicated Actix-web middleware
- Rejects requests with duplicate critical headers before further processing
+- Wired into the middleware pipeline in `main.rs` between WhitelistMiddleware and Logger
 - Rejects requests with duplicate critical headers with HTTP 400 Bad Request
-**Code Location:** `src/auth/mtls.rs` (lines 26-49, 203-212)
+**Code Location:** `src/auth/security_headers.rs`
 ```rust
-fn has_duplicate_critical_headers(req: &ServiceRequest) -> bool {
+pub fn has_duplicate_critical_headers(headers: &HeaderMap) -> bool {
-    let critical_headers = ["content-type", "authorization", "host"];
+    for header_name in CRITICAL_HEADERS.iter() {
    for header_name in critical_headers.iter() {
        let mut count = 0;
-        for (name, _) in req.headers().iter() {
+        for (name, _value) in headers.iter() {
            if name.as_str().eq_ignore_ascii_case(header_name) {
                count += 1;
                if count > 1 {
@ -202,7 +201,29 @@ fn has_duplicate_critical_headers(req: &ServiceRequest) -> bool {
 }
 ```
-**Response:** HTTP 400 Bad Request with message "Duplicate critical headers not allowed"
+**Response:** HTTP 400 Bad Request with error message "Duplicate critical headers not allowed"
 **Architecture Note:** The duplicate-header check was originally in `MtlsMiddleware`, which was dead code (never wired into the pipeline). It has been extracted into `SecurityHeadersMiddleware`, which IS wired into the pipeline and runs on every request. Client certificate authentication is handled at the TLS handshake level by rustls via `CrlAwareVerifier` — no application-layer certificate middleware is needed. See `src/auth/mtls.rs` for the ADR documenting this decision.
 ---
 ## Architecture Decision Record: rustls as Authoritative Client-Auth Gate
 **Decision:** Client certificate authentication is enforced at the TLS handshake level by rustls via `CrlAwareVerifier`, NOT by application-layer middleware.
 **Context:** The original `MtlsMiddleware` was never wired into the Actix-web pipeline. It contained both a duplicate-header check (VULN-006) and a `validate_client_certificate()` stub that returned `Ok(())` unconditionally. Meanwhile, the actual client certificate verification was always performed by rustls at the TLS handshake level through `CrlAwareVerifier`, which wraps `WebPkiClientVerifier`.
 **Rationale:**
 - rustls provides battle-tested X.509 verification at the TLS handshake level
 - Enforcing auth at the TLS layer eliminates bypass vulnerabilities (middleware ordering bugs, route-specific skips)
 - CRL revocation checking is integrated into the same handshake path via `CrlAwareVerifier`
 - Application-layer certificate validation is redundant when the TLS layer already rejects untrusted connections
 **Consequences:**
 - `MtlsMiddleware` (Transform/Service) and `validate_client_certificate()` have been removed as dead code
 - `build_rustls_config()` is now a free function (no longer a method on `MtlsMiddleware`)
 - `SecurityHeadersMiddleware` handles VULN-006 (duplicate critical header rejection) as a dedicated, wired middleware
 - `ClientCertInfo` struct is preserved for potential future use in extracting certificate details from TLS sessions
 ---
--- a/README.md
+++ b/README.md
@ -395,7 +395,7 @@ tls:
  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
  server_cert: "/etc/linux_patch_api/certs/server.pem"
  server_key: "/etc/linux_patch_api/certs/server.key"
-  min_tls_version: "1.3"
+  # TLS 1.3 is the only supported version (hardcoded, not configurable)
 # Job Configuration
 jobs:
--- a/SECURITY_CONTROLS_MATRIX.md
+++ b/SECURITY_CONTROLS_MATRIX.md
@ -41,7 +41,7 @@
 | **SPEC.md Reference** | Lines 132-138 |
 | **Requirement** | Internal self-hosted CA for certificate issuance |
 | **Implementation** | OpenSSL CA infrastructure with 4096-bit RSA keys |
-| **Evidence** | `configs/CA_SETUP.md`, `configs/certs/ca.pem`, `configs/certs/ca.key.pem` |
+| **Evidence** | `configs/CA_SETUP.md`, `scripts/generate-dev-certs.sh` (private keys generated at runtime, not committed) |
 | **Test Result** | ✅ PASS - CA properly signs server and client certificates |
 | **Compliance Status** | ✅ COMPLIANT |
@ -52,7 +52,7 @@
 | **SPEC.md Reference** | Line 136 |
 | **Requirement** | Unique certificate per client (no shared certs) |
 | **Implementation** | Per-client certificate generation with unique CN |
-| **Evidence** | `configs/certs/client001.pem`, `SECURITY.md` line 65 |
+| **Evidence** | `scripts/generate-dev-certs.sh` (certificates generated at runtime, not committed) |
 | **Test Result** | ✅ PASS - Each client has distinct certificate |
 | **Compliance Status** | ✅ COMPLIANT |
@ -63,7 +63,7 @@
 | **SPEC.md Reference** | Line 135 |
 | **Requirement** | 1 year standard certificate expiration |
 | **Implementation** | Certificates generated with `-days 365` parameter |
-| **Evidence** | `configs/certs/` certificate files, `openssl x509 -in cert.pem -noout -dates` |
+| **Evidence** | `scripts/generate-dev-certs.sh` (certificates generated at runtime, not committed) |
 | **Test Result** | ✅ PASS - Expired certificates properly rejected (FUZZ_TEST_REPORT.md Test 3.2) |
 | **Compliance Status** | ✅ COMPLIANT |
@ -137,7 +137,7 @@
 | **SPEC.md Reference** | Lines 86-89 |
 | **Requirement** | Private key permissions 600 (owner read/write only) |
 | **Implementation** | File permissions set during certificate deployment |
-| **Evidence** | `configs/certs/*.key.pem` (chmod 600), `DEPLOYMENT_SECURITY_GUIDE.md` Section 1 |
+| **Evidence** | Private keys generated at runtime with `chmod 600` by `scripts/generate-dev-certs.sh`, not committed to repository |
 | **Test Result** | ✅ PASS - Key files properly protected |
 | **Compliance Status** | ✅ COMPLIANT |
--- a/SECURITY_FINDINGS_REPORT.md
+++ b/SECURITY_FINDINGS_REPORT.md
@ -15,7 +15,7 @@
 | **Total Tests** | 16 |
 | **Passed** | 16 |
 | **Failed** | 0 |
-| **Critical Findings** | 0 (Previously 1 - RESOLVED) |
+| **Critical Findings** | 1 (Issue #12 - Committed Private Keys - RESOLVED) |
 | **High Findings** | 0 (Previously 2 - RESOLVED) |
 | **Medium Findings** | 3 (Unchanged) |
 | **Low Findings** | 4 (Unchanged) |
@ -150,6 +150,36 @@ Consider storing CA key on separate, more secure host.
 ---
 ### 🔴 CRITICAL: Committed Private Key Material (Issue #12)
 **Description:**  
 Private key files (`*.key`, `*.key.pem`) were committed to version control in:
 - `configs/certs/ca.key.pem` — CA private key
 - `configs/certs/server.key.pem` — Server private key
 - `configs/certs/client001.key.pem` — Client private key
 - `tests/e2e/certs/client.key` — E2E test client private key
 Committed private keys are a critical security risk: anyone with repository access
 (even read-only) can impersonate the server or clients, decrypt captured TLS traffic,
 or forge certificates signed by the CA.
 **Status:** ✅ RESOLVED
 **Remediation Applied:**
 1. Removed all private key files from git tracking (`git rm --cached`)
 2. Added `*.key`, `*.key.pem`, `configs/certs/`, and `tests/e2e/certs/*.key` to `.gitignore`
 3. Created `scripts/generate-dev-certs.sh` to generate test certificates at runtime
 4. Updated e2e tests to generate certificates on demand instead of loading from disk
 5. Added `gitleaks` secret scanning to CI pipeline
 6. Git history will be purged with `git filter-repo` after PR merge
 **Key Rotation:**  
 These keys were used for development/testing only. No production key rotation is needed.
 All committed keys should be considered compromised and must not be used in any
 production environment.
 ---
 ### 🟢 LOW: No Automated Security Scanning
 **Description:**  
@ -235,5 +265,39 @@ The Linux_Patch_API Phase 3 is now **SECURE FOR DEPLOYMENT** in an internal netw
 ---
 ## Architecture Decision Record: rustls as Authoritative Client-Auth Gate
 **Date:** 2026-06-06  
 **Status:** Accepted  
 **Context:** Issue #13
 ### Decision
 Client certificate authentication is enforced at the TLS handshake level by rustls via `CrlAwareVerifier`, NOT by application-layer middleware.
 ### Context
 The original `MtlsMiddleware` was never wired into the Actix-web pipeline (dead code). It contained:
 1. A duplicate-header check (VULN-006) that never ran
 2. A `validate_client_certificate()` stub that returned `Ok(())` unconditionally
 Meanwhile, actual client certificate verification was always performed by rustls at the TLS handshake level through `CrlAwareVerifier` (which wraps `WebPkiClientVerifier`), with CRL revocation checking integrated into the same path.
 ### Changes Made
 1. **Removed dead code:** `MtlsMiddleware`, `MtlsMiddlewareService`, `validate_client_certificate()`, and the Transform/Service impls
 2. **Extracted VULN-006:** `has_duplicate_critical_headers()` moved to new `SecurityHeadersMiddleware` (wired into pipeline)
 3. **Converted `build_rustls_config()`** from method on `MtlsMiddleware` to free function
 4. **Preserved:** `CrlAwareVerifier`, `MtlsConfig`, `MtlsError`, `ClientCertInfo`, `build_rustls_config()`, and all CRL infrastructure
 ### Rationale
 - rustls provides battle-tested X.509 verification at the TLS handshake level
 - Enforcing auth at the TLS layer eliminates bypass vulnerabilities (middleware ordering bugs, route-specific skips)
 - CRL revocation checking is integrated into the same handshake path
 - Application-layer certificate validation is redundant when TLS already rejects untrusted connections
 ---
 **Report Generated:** 2026-04-09T22:57:00Z  
 **Verified By:** Security Verification Agent (Agent Zero)
--- a/configs/certs/README.md
+++ b/configs/certs/README.md
@ -0,0 +1,33 @@
 # Development Certificates
 **⚠️ Private keys are NOT committed to version control.**
 This directory is used for local development certificates only. Private key
 files (`*.key`, `*.key.pem`) are excluded from git via `.gitignore`.
 ## Generating Development Certificates
 Run the generation script from the repository root:
 ```bash
 ./scripts/generate-dev-certs.sh
 ```
 This creates:
 - `ca.pem` / `ca.key.pem` — Internal CA certificate and key
 - `server.pem` / `server.key.pem` — Server certificate and key
 - `client001.pem` / `client001.key.pem` — Client certificate and key
 - `tests/e2e/certs/` — E2E test certificates
 ## Production Deployments
 Production deployments should use certificates issued by the organisation's
 internal CA. The `install.sh` script and systemd unit handle production
 certificate paths at `/etc/linux_patch_api/certs/`.
 ## Security
 - **Never commit private keys** (`*.key`, `*.key.pem`) to version control
 - Private keys must have `0600` permissions in production
 - The `gitleaks` CI check scans for accidentally committed secrets
 - See `SECURITY_FINDINGS_REPORT.md` and `SECURITY.md` for full details
--- a/configs/certs/ca.key.pem
+++ b/configs/certs/ca.key.pem
@ -1,5 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg46Ewu04V/qVbFIaW
 ll6hUNA1ocfdND68cRv6GiOBikyhRANCAARORR0UUR6G6ndxeefpKai+82eH58ud
 sW5qox3Ed4I0WF12RcSwioAPrt5WNB+ptw0wvzx78wH8CdkqjyUb7Koc
 -----END PRIVATE KEY-----
--- a/configs/certs/ca.pem
+++ b/configs/certs/ca.pem
@ -1,12 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIBsTCCAVegAwIBAgIQVxQmz3/uqfSgf+8ukKa6GTAKBggqhkjOPQQDAjA4MR4w
 HAYDVQQDDBVQYXRjaCBNYW5hZ2VyIFJvb3QgQ0ExFjAUBgNVBAoMDVBhdGNoIE1h
 bmFnZXIwHhcNMjYwNTE4MTU1MjUxWhcNMzYwNTE1MTU1MjUxWjA4MR4wHAYDVQQD
 DBVQYXRjaCBNYW5hZ2VyIFJvb3QgQ0ExFjAUBgNVBAoMDVBhdGNoIE1hbmFnZXIw
 WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARORR0UUR6G6ndxeefpKai+82eH58ud
 sW5qox3Ed4I0WF12RcSwioAPrt5WNB+ptw0wvzx78wH8CdkqjyUb7Koco0MwQTAP
 BgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBTcLRFILwfBbjqUm3fT8AzIAN5mQDAP
 BgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIQDMHR7n6plBEz7tP9Si
 Cs6Rk8m2gt9CL6qHlkeWiDJmtgIgVXrj2Lmqn1dEuKbVu9LaxPyvXU4/t2etWHgJ
 lfK+SS8=
 -----END CERTIFICATE-----
--- a/configs/certs/ca.srl
+++ b/configs/certs/ca.srl
@ -1 +0,0 @@
 790CDB9FA2002BF59B3EE88AF326CB060353D113
--- a/configs/certs/client001.csr.pem
+++ b/configs/certs/client001.csr.pem
@ -1,8 +0,0 @@
 -----BEGIN CERTIFICATE REQUEST-----
 MIH7MIGhAgEAMD8xHTAbBgNVBAMMFHBhdGNoLW1hbmFnZXItY2xpZW50MREwDwYD
 VQQKDAhJbnRlcm5hbDELMAkGA1UEBhMCVVMwWTATBgcqhkjOPQIBBggqhkjOPQMB
 BwNCAAQauACwaR4SyVoHEPviQgV0I4fbyFuGoHiQExzpYf9Ta025dy88T/a6qG6G
 TYJMtbRSjP/piLWfZ/2ze2AdbmczoAAwCgYIKoZIzj0EAwIDSQAwRgIhAJ/BBYsB
 aIhKjdwRr0vTqtYPKeeyO2rzHuyRnSvKKkdOAiEA94zCvG0FzkFiqGKT1oHGCVf9
 qZdkjkodRAUk6/4S2AU=
 -----END CERTIFICATE REQUEST-----
--- a/configs/certs/client001.key.pem
+++ b/configs/certs/client001.key.pem
@ -1,5 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg0iNlJbfLqO8Y5sOh
 1xRe2bPq8fF9M1ybEOnqmbSGpdGhRANCAAQauACwaR4SyVoHEPviQgV0I4fbyFuG
 oHiQExzpYf9Ta025dy88T/a6qG6GTYJMtbRSjP/piLWfZ/2ze2Adbmcz
 -----END PRIVATE KEY-----
--- a/configs/certs/client001.pem
+++ b/configs/certs/client001.pem
@ -1,12 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIBuzCCAWGgAwIBAgIUeQzbn6IAK/WbPuiK8ybLBgNT0RMwCgYIKoZIzj0EAwIw
 ODEeMBwGA1UEAwwVUGF0Y2ggTWFuYWdlciBSb290IENBMRYwFAYDVQQKDA1QYXRj
 aCBNYW5hZ2VyMB4XDTI2MDUxODE2MDAwNloXDTI3MDUxODE2MDAwNlowPzEdMBsG
 A1UEAwwUcGF0Y2gtbWFuYWdlci1jbGllbnQxETAPBgNVBAoMCEludGVybmFsMQsw
 CQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBq4ALBpHhLJWgcQ
 ++JCBXQjh9vIW4ageJATHOlh/1NrTbl3LzxP9rqoboZNgky1tFKM/+mItZ9n/bN7
 YB1uZzOjQjBAMB0GA1UdDgQWBBQhTcmoHT0HqIuEUkL891TKMlWWjjAfBgNVHSME
 GDAWgBTcLRFILwfBbjqUm3fT8AzIAN5mQDAKBggqhkjOPQQDAgNIADBFAiApQ6N8
 qQR1vWLU3QNrcIwLxK8g2shV5ggypS/CKkfTgwIhAJdZd0silwqEpPo5ng0I5SJ9
 MOd4Kx0dps2kY/wqgMSI
 -----END CERTIFICATE-----
--- a/configs/certs/server.csr.pem
+++ b/configs/certs/server.csr.pem
@ -1,8 +0,0 @@
 -----BEGIN CERTIFICATE REQUEST-----
 MIH1MIGcAgEAMDoxGDAWBgNVBAMMD2xpbnV4LXBhdGNoLWFwaTERMA8GA1UECgwI
 SW50ZXJuYWwxCzAJBgNVBAYTAlVTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
 C32xU18H3OljGW+wQUesT1qSB+bp5cCkNW9rfpv7wjr79eHriZkQ8EgrdVAK9Zw0
 fZJNdd4LyekDGXiQU/qAJ6AAMAoGCCqGSM49BAMCA0gAMEUCIQDf7FSy4YiZvWkj
 G9BgdSPTcIq8VYSGm7nnXprD8u1ZTwIgO6/5jH72reiCaaMm62X1Vrpc+8SDMVtO
 +dlP4dZ+BM8=
 -----END CERTIFICATE REQUEST-----
--- a/configs/certs/server.key.pem
+++ b/configs/certs/server.key.pem
@ -1,5 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKWrGjaMdvANVPz/d
 LQPtDS4FmU8H0gg8zix2AvxaQp2hRANCAAQLfbFTXwfc6WMZb7BBR6xPWpIH5unl
 wKQ1b2t+m/vCOvv14euJmRDwSCt1UAr1nDR9kk113gvJ6QMZeJBT+oAn
 -----END PRIVATE KEY-----
--- a/configs/certs/server.pem
+++ b/configs/certs/server.pem
@ -1,12 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIBtjCCAVygAwIBAgIUeQzbn6IAK/WbPuiK8ybLBgNT0RIwCgYIKoZIzj0EAwIw
 ODEeMBwGA1UEAwwVUGF0Y2ggTWFuYWdlciBSb290IENBMRYwFAYDVQQKDA1QYXRj
 aCBNYW5hZ2VyMB4XDTI2MDUxODE2MDAwNloXDTI3MDUxODE2MDAwNlowOjEYMBYG
 A1UEAwwPbGludXgtcGF0Y2gtYXBpMREwDwYDVQQKDAhJbnRlcm5hbDELMAkGA1UE
 BhMCVVMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQLfbFTXwfc6WMZb7BBR6xP
 WpIH5unlwKQ1b2t+m/vCOvv14euJmRDwSCt1UAr1nDR9kk113gvJ6QMZeJBT+oAn
 o0IwQDAdBgNVHQ4EFgQUDTnKCjj1BJ0MdwJHPUGf0raJ6/kwHwYDVR0jBBgwFoAU
 3C0RSC8HwW46lJt30/AMyADeZkAwCgYIKoZIzj0EAwIDSAAwRQIhAJ4jy8W2hbqK
 kiTI9aYS+xwMJlxH6cFJaKplrA+a5Ay8AiANPJdJN9ucgCsq/N3Ai6kO89rcXy8Z
 60kvNNc3Zg/Oog==
 -----END CERTIFICATE-----
--- a/configs/config.yaml.example
+++ b/configs/config.yaml.example
@ -14,7 +14,7 @@ tls:
  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
  server_cert: "/etc/linux_patch_api/certs/server.pem"
  server_key: "/etc/linux_patch_api/certs/server.key"
-  min_tls_version: "1.3"
+  # TLS 1.3 is the only supported version (hardcoded, not configurable)
 # Job Configuration
 jobs:
--- a/scripts/generate-dev-certs.sh
+++ b/scripts/generate-dev-certs.sh
@ -0,0 +1,82 @@
 #!/usr/bin/env bash
 # Generate development/test certificates for Linux Patch API.
 #
 # This script creates a self-signed CA, server certificate, and client
 # certificate suitable for local development and testing.  It is NOT
 # intended for production use.
 #
 # Usage:
 #   ./scripts/generate-dev-certs.sh [OUTPUT_DIR]
 #
 # If OUTPUT_DIR is omitted, certificates are written to configs/certs/
 # relative to the repository root.  The e2e Python test certs are also
 # regenerated under tests/e2e/certs/.
 #
 # Private keys (*.key, *.key.pem) are excluded from git via .gitignore
 # and must NEVER be committed to version control.
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 OUTPUT_DIR="${1:-$REPO_ROOT/configs/certs}"
 E2E_DIR="$REPO_ROOT/tests/e2e/certs"
 DAYS_CA=3650
 DAYS_CERT=365
 echo "Generating development certificates..."
 echo "  Output dir: $OUTPUT_DIR"
 echo "  E2E dir:    $E2E_DIR"
 mkdir -p "$OUTPUT_DIR"
 mkdir -p "$E2E_DIR"
 # CA
 echo "[1/6] Generating CA key and certificate..."
 openssl genrsa -out "$OUTPUT_DIR/ca.key.pem" 4096 2>/dev/null
 chmod 600 "$OUTPUT_DIR/ca.key.pem"
 openssl req -x509 -new -nodes -key "$OUTPUT_DIR/ca.key.pem" -sha256 -days "$DAYS_CA" -out "$OUTPUT_DIR/ca.pem" -subj "/CN=LinuxPatchAPI Dev CA/O=Internal/C=US"
 # Server certificate
 echo "[2/6] Generating server key and certificate..."
 openssl genrsa -out "$OUTPUT_DIR/server.key.pem" 2048 2>/dev/null
 chmod 600 "$OUTPUT_DIR/server.key.pem"
 openssl req -new -key "$OUTPUT_DIR/server.key.pem" -out "$OUTPUT_DIR/server.csr.pem" -subj "/CN=localhost/O=Internal/C=US"
 openssl x509 -req -in "$OUTPUT_DIR/server.csr.pem" -CA "$OUTPUT_DIR/ca.pem" -CAkey "$OUTPUT_DIR/ca.key.pem" -CAcreateserial -out "$OUTPUT_DIR/server.pem" -days "$DAYS_CERT" -sha256
 # Client certificate
 echo "[3/6] Generating client key and certificate..."
 openssl genrsa -out "$OUTPUT_DIR/client001.key.pem" 2048 2>/dev/null
 chmod 600 "$OUTPUT_DIR/client001.key.pem"
 openssl req -new -key "$OUTPUT_DIR/client001.key.pem" -out "$OUTPUT_DIR/client001.csr.pem" -subj "/CN=client001/O=Internal/C=US"
 openssl x509 -req -in "$OUTPUT_DIR/client001.csr.pem" -CA "$OUTPUT_DIR/ca.pem" -CAkey "$OUTPUT_DIR/ca.key.pem" -CAcreateserial -out "$OUTPUT_DIR/client001.pem" -days "$DAYS_CERT" -sha256
 # E2E test certificates
 echo "[4/6] Generating e2e test CA certificate..."
 cp "$OUTPUT_DIR/ca.pem" "$E2E_DIR/ca.crt"
 echo "[5/6] Generating e2e test client certificate..."
 openssl genrsa -out "$E2E_DIR/client.key" 2048 2>/dev/null
 chmod 600 "$E2E_DIR/client.key"
 openssl req -new -key "$E2E_DIR/client.key" -out "$E2E_DIR/client.csr" -subj "/CN=e2e-test-client/O=Internal/C=US"
 openssl x509 -req -in "$E2E_DIR/client.csr" -CA "$OUTPUT_DIR/ca.pem" -CAkey "$OUTPUT_DIR/ca.key.pem" -CAcreateserial -out "$E2E_DIR/client.crt" -days "$DAYS_CERT" -sha256
 # Cleanup CSR files
 echo "[6/6] Cleaning up CSR files..."
 rm -f "$OUTPUT_DIR/server.csr.pem" "$OUTPUT_DIR/client001.csr.pem" "$E2E_DIR/client.csr"
 echo
 echo "Development certificates generated successfully."
 echo "  CA cert:         $OUTPUT_DIR/ca.pem"
 echo "  Server cert:     $OUTPUT_DIR/server.pem"
 echo "  Server key:      $OUTPUT_DIR/server.key.pem"
 echo "  Client cert:     $OUTPUT_DIR/client001.pem"
 echo "  Client key:      $OUTPUT_DIR/client001.key.pem"
 echo "  E2E CA cert:     $E2E_DIR/ca.crt"
 echo "  E2E client cert: $E2E_DIR/client.crt"
 echo "  E2E client key:  $E2E_DIR/client.key"
 echo
 echo "⚠  WARNING: These are development-only certificates. Do NOT use in production."
 echo "⚠  Private keys (*.key, *.key.pem) are excluded from git via .gitignore."
--- a/src/api/handlers/jobs.rs
+++ b/src/api/handlers/jobs.rs
@ -190,6 +190,19 @@ pub async fn rollback_job(
    info!(request_id = %request_id, job_id = %job_id_str, "Initiating job rollback");
    // Check job queue capacity
    if !job_manager.can_accept_job().await {
        let response = ApiResponse::<()>::error(
            "QUEUE_FULL",
            "Job queue is at capacity. Please retry later.",
            None,
            true,
        );
        return HttpResponse::TooManyRequests()
            .insert_header(("Retry-After", "60"))
            .json(response);
    }
    // Parse job ID
    let job_id = match Uuid::parse_str(&job_id_str) {
        Ok(id) => id,
@ -321,7 +334,7 @@ pub async fn delete_job(
    }
 }
-/// Configure routes for job endpoints
+/// Configure all job routes
 pub fn configure_routes(cfg: &mut web::ServiceConfig) {
    cfg.service(
        web::scope("/jobs")
--- a/src/api/handlers/packages.rs
+++ b/src/api/handlers/packages.rs
@ -14,29 +14,18 @@ use tracing::{error, info, warn};
 use uuid::Uuid;
 use crate::jobs::manager::{JobManager, JobOperation, JobStatus};
-use crate::packages::{InstallOptions, Package, PackageManagerBackend, PackageSpec};
+use crate::packages::{
    validate_package_name, validate_version_string, InstallOptions, Package, PackageManagerBackend,
    PackageSpec,
 };
-/// Maximum allowed length for package names
+/// Validate all package names and versions in a request
 const MAX_PACKAGE_NAME_LENGTH: usize = 256;
 /// Validate package name: must not be empty and must not exceed max length
 fn validate_package_name(name: &str) -> Result<(), String> {
    if name.is_empty() {
        return Err("Package name cannot be empty".to_string());
    }
    if name.len() > MAX_PACKAGE_NAME_LENGTH {
        return Err(format!(
            "Package name exceeds maximum length of {} characters",
            MAX_PACKAGE_NAME_LENGTH
        ));
    }
    Ok(())
 }
 /// Validate all package names in a request
 fn validate_package_names(packages: &[PackageSpec]) -> Result<(), String> {
    for pkg in packages {
        validate_package_name(&pkg.name)?;
        if let Some(version) = &pkg.version {
            validate_version_string(version)?;
        }
    }
    Ok(())
 }
@ -263,6 +252,19 @@ pub async fn install_packages(
    info!(request_id = %request_id, packages = ?package_names, "Installing packages");
    // Check job queue capacity
    if !job_manager.can_accept_job().await {
        let response = ApiResponse::<()>::error(
            "QUEUE_FULL",
            "Job queue is at capacity. Please retry later.",
            None,
            true,
        );
        return HttpResponse::TooManyRequests()
            .insert_header(("Retry-After", "60"))
            .json(response);
    }
    // Create async job
    match job_manager
        .create_job(JobOperation::Install, package_names.clone())
@ -348,6 +350,19 @@ pub async fn update_package(
    info!(request_id = %request_id, package = %package_name, "Updating package");
    // Check job queue capacity
    if !job_manager.can_accept_job().await {
        let response = ApiResponse::<()>::error(
            "QUEUE_FULL",
            "Job queue is at capacity. Please retry later.",
            None,
            true,
        );
        return HttpResponse::TooManyRequests()
            .insert_header(("Retry-After", "60"))
            .json(response);
    }
    // Create async job
    match job_manager
        .create_job(JobOperation::Update, vec![package_name.clone()])
@ -431,6 +446,20 @@ pub async fn remove_package(
    }
    info!(request_id = %request_id, package = %package_name, "Removing package");
    // Check job queue capacity
    if !job_manager.can_accept_job().await {
        let response = ApiResponse::<()>::error(
            "QUEUE_FULL",
            "Job queue is at capacity. Please retry later.",
            None,
            true,
        );
        return HttpResponse::TooManyRequests()
            .insert_header(("Retry-After", "60"))
            .json(response);
    }
    match job_manager
        .create_job(JobOperation::Remove, vec![package_name.clone()])
        .await
@ -495,7 +524,7 @@ pub async fn remove_package(
    }
 }
-/// Configure routes for package endpoints
+/// Configure all package routes
 pub fn configure_routes(cfg: &mut web::ServiceConfig) {
    cfg.service(
        web::scope("/packages")
--- a/src/api/handlers/patches.rs
+++ b/src/api/handlers/patches.rs
@ -11,7 +11,7 @@ use tracing::{error, info};
 use uuid::Uuid;
 use crate::jobs::manager::{JobManager, JobOperation, JobStatus};
-use crate::packages::PackageManagerBackend;
+use crate::packages::{validate_package_name, PackageManagerBackend};
 use super::packages::{ApiResponse, JobResponseData};
@ -88,6 +88,16 @@ pub async fn apply_patches(
    let _timestamp = Utc::now().to_rfc3339();
    let packages_count = body.packages.as_ref().map(|p| p.len()).unwrap_or(0);
    // SECURITY: Validate all package names in the request to prevent argument injection
    if let Some(ref pkgs) = body.packages {
        for pkg in pkgs {
            if let Err(e) = validate_package_name(pkg) {
                let response = ApiResponse::<()>::error("VALIDATION_ERROR", &e, None, false);
                return HttpResponse::BadRequest().json(response);
            }
        }
    }
    info!(
        request_id = %request_id,
        packages = ?body.packages,
@ -95,6 +105,19 @@ pub async fn apply_patches(
        "Applying patches"
    );
    // Check job queue capacity
    if !job_manager.can_accept_job().await {
        let response = ApiResponse::<()>::error(
            "QUEUE_FULL",
            "Job queue is at capacity. Please retry later.",
            None,
            true,
        );
        return HttpResponse::TooManyRequests()
            .insert_header(("Retry-After", "60"))
            .json(response);
    }
    // Create async job
    let package_list = body.packages.clone().unwrap_or_default();
    match job_manager
@ -311,7 +334,7 @@ pub async fn apply_patches(
    }
 }
-/// Configure routes for patch endpoints
+/// Configure all patch routes
 pub fn configure_routes(cfg: &mut web::ServiceConfig) {
    cfg.service(
        web::scope("/patches")
--- a/src/api/handlers/system.rs
+++ b/src/api/handlers/system.rs
@ -229,6 +229,19 @@ pub async fn reboot_system(
        }
    }
    // Check job queue capacity
    if !job_manager.can_accept_job().await {
        let response = ApiResponse::<()>::error(
            "QUEUE_FULL",
            "Job queue is at capacity. Please retry later.",
            None,
            true,
        );
        return HttpResponse::TooManyRequests()
            .insert_header(("Retry-After", "60"))
            .json(response);
    }
    // Create async job for reboot
    match job_manager.create_job(JobOperation::Reboot, vec![]).await {
        Ok(job_id) => {
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@ -8,6 +8,7 @@
 //! - WebSocket endpoint for real-time job status streaming
 pub mod handlers;
 pub mod rate_limit;
 pub mod routes;
 // Re-export handlers for convenience
--- a/src/api/rate_limit.rs
+++ b/src/api/rate_limit.rs
@ -0,0 +1,209 @@
 //! Rate Limiting Middleware
 //!
 //! Custom Actix-web middleware that provides per-IP rate limiting with two tiers:
 //! - **Destructive tier**: POST/PUT/DELETE methods (20 req/min, burst 10 by default)
 //! - **Read tier**: GET methods (120 req/min, burst 30 by default)
 //! - **Health exempt**: /health, /api/v1/system/info bypass rate limiting entirely
 use actix_governor::governor::clock::{Clock, DefaultClock};
 use actix_governor::governor::middleware::NoOpMiddleware;
 use actix_governor::governor::state::keyed::DefaultKeyedStateStore;
 use actix_governor::governor::{Quota, RateLimiter};
 use actix_web::body::BoxBody;
 use actix_web::dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform};
 use actix_web::http::Method;
 use actix_web::{HttpResponse, ResponseError};
 use std::future::{ready, Ready};
 use std::net::IpAddr;
 use std::num::NonZeroU32;
 use std::sync::Arc;
 use tracing::info;
 use crate::config::loader::RateLimitConfig;
 /// Paths exempt from rate limiting
 const EXEMPT_PATHS: &[&str] = &["/health", "/api/v1/system/info"];
 /// Rate limiting middleware factory
 pub struct RateLimitMiddleware {
    config: RateLimitConfig,
 }
 impl RateLimitMiddleware {
    pub fn new(config: RateLimitConfig) -> Self {
        Self { config }
    }
 }
 /// Error returned when rate limit is exceeded
 #[derive(Debug)]
 pub struct RateLimitError {
    retry_after_secs: u64,
 }
 impl std::fmt::Display for RateLimitError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(
            f,
            "Rate limit exceeded. Retry after {} seconds.",
            self.retry_after_secs
        )
    }
 }
 impl ResponseError for RateLimitError {
    fn status_code(&self) -> actix_web::http::StatusCode {
        actix_web::http::StatusCode::TOO_MANY_REQUESTS
    }
    fn error_response(&self) -> HttpResponse {
        HttpResponse::TooManyRequests()
            .insert_header(("Retry-After", self.retry_after_secs.to_string()))
            .content_type("text/plain; charset=utf-8")
            .body(self.to_string())
    }
 }
 /// Type alias for per-IP rate limiter
 pub type KeyedRateLimiter =
    RateLimiter<IpAddr, DefaultKeyedStateStore<IpAddr>, DefaultClock, NoOpMiddleware>;
 /// Shared rate limiter state
 #[derive(Clone)]
 pub struct RateLimiters {
    /// Rate limiter for destructive operations (POST/PUT/DELETE)
    destructive: Arc<KeyedRateLimiter>,
    /// Rate limiter for read operations (GET)
    read: Arc<KeyedRateLimiter>,
    /// Whether rate limiting is enabled
    enabled: bool,
 }
 impl RateLimiters {
    /// Build rate limiters from configuration
    pub fn new(config: &RateLimitConfig) -> Self {
        let destructive_quota =
            Quota::per_minute(NonZeroU32::new(config.destructive_per_minute).unwrap())
                .allow_burst(NonZeroU32::new(config.destructive_burst).unwrap());
        let read_quota = Quota::per_minute(NonZeroU32::new(config.read_per_minute).unwrap())
            .allow_burst(NonZeroU32::new(config.read_burst).unwrap());
        let destructive = Arc::new(KeyedRateLimiter::keyed(destructive_quota));
        let read = Arc::new(KeyedRateLimiter::keyed(read_quota));
        info!(
            enabled = config.enabled,
            destructive_per_min = config.destructive_per_minute,
            destructive_burst = config.destructive_burst,
            read_per_min = config.read_per_minute,
            read_burst = config.read_burst,
            "Rate limiters configured"
        );
        Self {
            destructive,
            read,
            enabled: config.enabled,
        }
    }
    /// Check if a request should be rate limited
    /// Returns Ok(()) if the request is allowed, Err(RateLimitError) if rate limited
    pub fn check(
        &self,
        method: &Method,
        path: &str,
        peer_ip: IpAddr,
    ) -> Result<(), RateLimitError> {
        if !self.enabled {
            return Ok(());
        }
        // Exempt paths bypass rate limiting entirely
        if EXEMPT_PATHS.contains(&path) {
            return Ok(());
        }
        let limiter = match *method {
            Method::POST | Method::PUT | Method::DELETE => &self.destructive,
            Method::GET => &self.read,
            _ => &self.read, // Default to read tier for other methods
        };
        match limiter.check_key(&peer_ip) {
            Ok(()) => Ok(()),
            Err(negative) => {
                let retry_after = negative
                    .wait_time_from(DefaultClock::default().now())
                    .as_secs();
                Err(RateLimitError {
                    retry_after_secs: retry_after.max(1),
                })
            }
        }
    }
 }
 impl<S> Transform<S, ServiceRequest> for RateLimitMiddleware
 where
    S: Service<ServiceRequest, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
    S::Future: 'static,
 {
    type Response = ServiceResponse<BoxBody>;
    type Error = actix_web::Error;
    type Transform = RateLimitService<S>;
    type InitError = ();
    type Future = Ready<Result<Self::Transform, Self::InitError>>;
    fn new_transform(&self, service: S) -> Self::Future {
        ready(Ok(RateLimitService {
            service,
            limiters: RateLimiters::new(&self.config),
        }))
    }
 }
 /// Rate limiting service wrapper
 pub struct RateLimitService<S> {
    service: S,
    limiters: RateLimiters,
 }
 impl<S> Service<ServiceRequest> for RateLimitService<S>
 where
    S: Service<ServiceRequest, Response = ServiceResponse<BoxBody>, Error = actix_web::Error>,
    S::Future: 'static,
 {
    type Response = ServiceResponse<BoxBody>;
    type Error = actix_web::Error;
    type Future =
        std::pin::Pin<Box<dyn std::future::Future<Output = Result<Self::Response, Self::Error>>>>;
    forward_ready!(service);
    fn call(&self, req: ServiceRequest) -> Self::Future {
        // Extract peer IP
        let peer_ip = req
            .connection_info()
            .peer_addr()
            .and_then(|addr| addr.parse::<IpAddr>().ok());
        // Check rate limiting
        if let Some(ip) = peer_ip {
            let method = req.method().clone();
            let path = req.path().to_string();
            if let Err(e) = self.limiters.check(&method, &path, ip) {
                // Rate limited - return 429 response
                let (http_req, _) = req.into_parts();
                let response = e.error_response();
                let srv_resp = ServiceResponse::new(http_req, response);
                return Box::pin(ready(Ok(srv_resp)));
            }
        }
        // Not rate limited - pass through to the inner service
        Box::pin(self.service.call(req))
    }
 }
--- a/src/api/routes.rs
+++ b/src/api/routes.rs
@ -1,6 +1,11 @@
 //! API Routes Configuration
 //!
 //! Aggregates all endpoint routes and configures the Actix-web application.
 //! Rate limiting is applied at the App level in main.rs using actix-governor
 //! with method-based filtering:
 //! - **Read tier** (120 req/min, burst 30): GET methods
 //! - **Destructive tier** (20 req/min, burst 10): POST/PUT/DELETE methods
 //! - **Health exempt**: /health, /api/v1/system/info (health-exempt routes)
 use actix_web::{web, HttpResponse};
 use tracing::info;
@ -17,6 +22,7 @@ async fn method_not_allowed() -> HttpResponse {
        .insert_header(("Allow", "GET, POST, PUT, DELETE"))
        .finish()
 }
 /// Configure all API routes for the application
 pub fn configure_api_routes(
    cfg: &mut web::ServiceConfig,
@ -26,6 +32,10 @@ pub fn configure_api_routes(
 ) {
    info!("Configuring API v1 routes");
    // Health-exempt endpoint: /api/v1/system/info is registered separately
    // so it can bypass rate limiting applied at the App level
    cfg.service(web::resource("/api/v1/system/info").route(web::get().to(system::get_system_info)));
    cfg.app_data(job_manager)
        .app_data(backend)
        .app_data(cache_state)
@ -33,15 +43,10 @@ pub fn configure_api_routes(
            web::scope("/api/v1")
                // VULN-005: Default handler for unsupported methods returns 405 instead of 404
                .default_service(web::route().to(method_not_allowed))
                // Package Management Endpoints
                .configure(packages::configure_routes)
                // Patch Management Endpoints
                .configure(patches::configure_routes)
                // System Management Endpoints
                .configure(system::configure_routes)
                // Job Management Endpoints
                .configure(jobs::configure_routes)
                // WebSocket Endpoint
                .configure(websocket::configure_routes),
        );
 }
--- a/src/auth/mod.rs
+++ b/src/auth/mod.rs
@ -1,18 +1,31 @@
-//! Auth Module - mTLS and IP Whitelist Enforcement
+//! Auth Module - mTLS, IP Whitelist, and Security Headers
 //!
 //! This module provides security authentication and authorization:
-//! - mTLS (Mutual TLS) certificate-based authentication
+//! - mTLS (Mutual TLS) certificate-based authentication (enforced at TLS handshake by rustls)
 //! - IP whitelist enforcement with CIDR subnet support
 //! - Security header validation (VULN-006: duplicate critical header rejection)
 //! - Silent drop for non-compliant connections
 //! - Comprehensive audit logging
 //!
 //! # Architecture Decision Record: rustls as Authoritative Client-Auth Gate
 //!
 //! Client certificate authentication is enforced at the TLS handshake level by
 //! rustls via `CrlAwareVerifier`. No application-layer certificate validation
 //! middleware is needed — rustls rejects connections that fail client-cert
 //! verification before any HTTP request is processed. See `mtls.rs` for details.
 pub mod crl;
 pub mod mtls;
 pub mod security_headers;
 pub mod whitelist;
 pub use crl::{new_shared_state, CrlState, CrlStatus, SharedCrlState};
-pub use mtls::{ClientCertInfo, MtlsConfig, MtlsError, MtlsMiddleware};
+pub use mtls::{ClientCertInfo, MtlsConfig, MtlsError};
-pub use whitelist::{WhitelistConfig, WhitelistEntry, WhitelistManager, WhitelistMiddleware};
+pub use security_headers::SecurityHeadersMiddleware;
 pub use whitelist::{
    WhitelistConfig, WhitelistEntry, WhitelistManager, WhitelistMiddleware,
    WhitelistMiddlewareService,
 };
 /// Combined authentication result
 #[derive(Debug, Clone)]
--- a/src/auth/mtls.rs
+++ b/src/auth/mtls.rs
@ -1,20 +1,33 @@
-//! mTLS Authentication Module
+//! mTLS Configuration Module
 //!
-//! Provides mutual TLS authentication middleware for Actix-web.
+//! Provides rustls-based mutual TLS configuration for the API server.
-//! Non-mTLS connections are silently dropped (no response).
+//!
-//! Supports CRL-aware client certificate verification when CRL is available.
+//! # Architecture Decision Record: rustls as Authoritative Client-Auth Gate
 //!
 //! Client certificate authentication is enforced at the TLS handshake level by
 //! rustls via `CrlAwareVerifier` (which wraps `WebPkiClientVerifier`). This means:
 //!
 //! - **rustls + CrlAwareVerifier IS the authoritative client-auth gate.**
 //! - No application-layer certificate validation middleware is needed because
 //!   rustls rejects connections that fail client-cert verification before any
 //!   HTTP request is processed.
 //! - `build_rustls_config()` configures the TLS listener to require client
 //!   certificates (`with_client_cert_verifier`), making mTLS enforcement
 //!   unavoidable at the transport layer.
 //! - CRL revocation checking is integrated into the same handshake path via
 //!   `CrlAwareVerifier`, so revoked certificates are also rejected before any
 //!   HTTP handler runs.
 //!
 //! This design was chosen because rustls provides battle-tested X.509
 //! verification, and enforcing auth at the TLS layer eliminates an entire
 //! class of bypass vulnerabilities that application-layer checks are
 //! susceptible to (e.g., middleware ordering bugs, route-specific skips).
-use actix_web::{
+use chrono::{DateTime, Utc};
    dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
    Error, HttpMessage,
 };
 #[allow(unused_imports)]
 use chrono::{DateTime, Duration, Utc};
 use futures_util::future::LocalBoxFuture;
 use rustls::{
    client::danger::HandshakeSignatureValid,
    crypto::aws_lc_rs,
-    pki_types::{CertificateDer, UnixTime},
+    pki_types::CertificateDer,
    server::{
        danger::{ClientCertVerified, ClientCertVerifier},
        ServerConfig, WebPkiClientVerifier,
@ -24,35 +37,10 @@ use rustls::{
 };
 use rustls_pemfile::{certs, private_key};
 use std::{fs::File, io::BufReader, sync::Arc};
-use tracing::{debug, error, info, warn};
+use tracing::{error, info, warn};
 use super::crl::{cert_serial_hex, SharedCrlState};
 /// Check for duplicate critical headers (VULN-006)
 /// Returns true if duplicate headers are detected
 fn has_duplicate_critical_headers(req: &ServiceRequest) -> bool {
    let critical_headers = ["content-type", "authorization", "host"];
    for header_name in critical_headers.iter() {
        // Count occurrences of this header
        let mut count = 0;
        for (name, _) in req.headers().iter() {
            if name.as_str().eq_ignore_ascii_case(header_name) {
                count += 1;
                if count > 1 {
                    warn!(
                        peer_addr = ?req.peer_addr(),
                        header = header_name,
                        "Duplicate critical header detected - rejecting request"
                    );
                    return true;
                }
            }
        }
    }
    false
 }
 /// CRL-aware client certificate verifier.
 ///
 /// Wraps WebPkiClientVerifier for chain validation, then checks the
@ -87,7 +75,7 @@ impl ClientCertVerifier for CrlAwareVerifier {
        &self,
        end_entity: &CertificateDer<'_>,
        intermediates: &[CertificateDer<'_>],
-        now: UnixTime,
+        now: rustls::pki_types::UnixTime,
    ) -> Result<ClientCertVerified, RustlsError> {
        // 1. Delegate chain validation to WebPKI
        self.inner
@ -155,59 +143,50 @@ impl ClientCertVerifier for CrlAwareVerifier {
 }
 /// mTLS Configuration
 ///
 /// TLS 1.3 is the only supported protocol version — this is hardcoded
 /// in `build_rustls_config()` and cannot be configured via this struct.
 #[derive(Debug, Clone)]
 pub struct MtlsConfig {
    pub ca_cert_path: String,
    pub server_cert_path: String,
    pub server_key_path: String,
    pub min_tls_version: String,
 }
-/// mTLS Middleware for Actix-web
+/// Build a rustls ServerConfig with client certificate verification.
-pub struct MtlsMiddleware {
+///
-    config: Arc<MtlsConfig>,
+/// This is the authoritative mTLS gate — rustls enforces client certificate
-    cert_store: Arc<RootCertStore>,
+/// validation at the TLS handshake level, before any HTTP request is processed.
-}
+///
 /// When `crl_state` is provided and the CRL is available, wraps the
 /// WebPkiClientVerifier with CrlAwareVerifier for revocation checking.
 /// When CRL is missing/degraded, falls back to WebPKI-only verification.
 pub fn build_rustls_config(
    config: &MtlsConfig,
    crl_state: Option<SharedCrlState>,
 ) -> Result<Arc<ServerConfig>, MtlsError> {
    let cert_store = load_ca_certs(&config.ca_cert_path)?;
-impl MtlsMiddleware {
+    let webpki_verifier = WebPkiClientVerifier::builder(cert_store.clone().into())
-    /// Create a new mTLS middleware
+        .build()
-    pub fn new(config: MtlsConfig) -> Result<Self, MtlsError> {
+        .map_err(|e| MtlsError::ClientVerifierError(e.to_string()))?;
        let cert_store = load_ca_certs(&config.ca_cert_path)?;
-        Ok(Self {
+    let client_verifier: Arc<dyn ClientCertVerifier> = match crl_state {
-            config: Arc::new(config),
+        Some(state) => {
-            cert_store: Arc::new(cert_store),
+            info!("CRL-aware client verification enabled");
-        })
+            Arc::new(CrlAwareVerifier::new(webpki_verifier, state))
-    }
+        }
        None => {
            info!("No CRL state provided -- using WebPKI-only client verification");
            webpki_verifier
        }
    };
-    /// Build rustls server configuration with client certificate verification.
+    let server_cert = load_certs(&config.server_cert_path)?;
-    ///
+    let server_key = load_private_key(&config.server_key_path)?;
    /// When `crl_state` is provided and the CRL is available, wraps the
    /// WebPkiClientVerifier with CrlAwareVerifier for revocation checking.
    /// When CRL is missing/degraded, falls back to WebPKI-only verification.
    pub fn build_rustls_config(
        &self,
        crl_state: Option<SharedCrlState>,
    ) -> Result<Arc<ServerConfig>, MtlsError> {
        let webpki_verifier = WebPkiClientVerifier::builder(self.cert_store.clone())
            .build()
            .map_err(|e| MtlsError::ClientVerifierError(e.to_string()))?;
-        let client_verifier: Arc<dyn ClientCertVerifier> = match crl_state {
+    let server_config =
-            Some(state) => {
+        ServerConfig::builder_with_provider(Arc::new(aws_lc_rs::default_provider()))
                info!("CRL-aware client verification enabled");
                Arc::new(CrlAwareVerifier::new(webpki_verifier, state))
            }
            None => {
                info!("No CRL state provided -- using WebPKI-only client verification");
                webpki_verifier
            }
        };
        let server_cert = load_certs(&self.config.server_cert_path)?;
        let server_key = load_private_key(&self.config.server_key_path)?;
        let config = ServerConfig::builder_with_provider(Arc::new(aws_lc_rs::default_provider()))
            .with_protocol_versions(&[&TLS13])
            .map_err(|e| {
                MtlsError::ServerConfigError(format!("Failed to set TLS 1.3 only: {}", e))
@ -216,8 +195,7 @@ impl MtlsMiddleware {
            .with_single_cert(server_cert, server_key)
            .map_err(|e| MtlsError::ServerConfigError(e.to_string()))?;
-        Ok(Arc::new(config))
+    Ok(Arc::new(server_config))
    }
 }
 /// Load CA certificates from PEM file
@ -268,6 +246,21 @@ fn load_private_key(path: &str) -> Result<rustls::pki_types::PrivateKeyDer<'stat
    Ok(key)
 }
 /// Certificate information extracted from client certificate.
 ///
 /// NOTE: This struct is preserved for potential future use in extracting
 /// client certificate details from the TLS session at the application layer.
 /// Client authentication is enforced at the TLS handshake level by
 /// CrlAwareVerifier — this struct is NOT used for validation.
 #[derive(Debug, Clone)]
 pub struct ClientCertInfo {
    pub subject: String,
    pub issuer: String,
    pub serial: String,
    pub not_before: DateTime<Utc>,
    pub not_after: DateTime<Utc>,
 }
 /// mTLS Error types
 #[derive(Debug, thiserror::Error)]
 pub enum MtlsError {
@ -285,229 +278,16 @@ pub enum MtlsError {
    ValidationError(String),
 }
 impl<S, B> Transform<S, ServiceRequest> for MtlsMiddleware
 where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
    S::Future: 'static,
    B: 'static,
 {
    type Response = ServiceResponse<B>;
    type Error = Error;
    type InitError = ();
    type Transform = MtlsMiddlewareService<S>;
    type Future = futures_util::future::Ready<Result<Self::Transform, Self::InitError>>;
    fn new_transform(&self, service: S) -> Self::Future {
        futures_util::future::ok(MtlsMiddlewareService {
            service,
            config: self.config.clone(),
            cert_store: self.cert_store.clone(),
        })
    }
 }
 pub struct MtlsMiddlewareService<S> {
    service: S,
    #[allow(dead_code)]
    config: Arc<MtlsConfig>,
    cert_store: Arc<RootCertStore>,
 }
 impl<S, B> Service<ServiceRequest> for MtlsMiddlewareService<S>
 where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
    S::Future: 'static,
    B: 'static,
 {
    type Response = ServiceResponse<B>;
    type Error = Error;
    type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;
    forward_ready!(service);
    fn call(&self, req: ServiceRequest) -> Self::Future {
        let cert_store = self.cert_store.clone();
        let peer_addr = req.peer_addr();
        // VULN-006: Check for duplicate critical headers before processing
        if has_duplicate_critical_headers(&req) {
            warn!(
                peer_addr = ?peer_addr,
                "Duplicate critical headers detected - rejecting request (VULN-006)"
            );
            return Box::pin(async move {
                Err(actix_web::error::ErrorBadRequest(
                    "Duplicate critical headers not allowed",
                ))
            });
        }
        // Check for client certificate in request extensions
        // In a proper mTLS setup with Actix-web + rustls, the certificate
        // would be extracted from the TLS connection before reaching this middleware
        let has_client_cert = req.extensions().get::<ClientCertInfo>().is_some();
        if !has_client_cert {
            // No client certificate provided - silent drop
            warn!(
                peer_addr = ?peer_addr,
                "No client certificate provided - dropping connection (mTLS required)"
            );
            // Return error immediately without calling service
            return Box::pin(async move {
                Err(actix_web::error::ErrorBadRequest(
                    "Client certificate required",
                ))
            });
        }
        // Certificate present - validate it
        let cert_info = req.extensions().get::<ClientCertInfo>().cloned();
        if let Some(info) = cert_info {
            // Validate certificate against CA store
            match validate_client_certificate(&info, &cert_store) {
                Ok(_) => {
                    info!(
                        subject = %info.subject,
                        issuer = %info.issuer,
                        peer_addr = ?peer_addr,
                        "mTLS client certificate validated successfully"
                    );
                }
                Err(e) => {
                    warn!(
                        error = %e,
                        peer_addr = ?peer_addr,
                        "mTLS client certificate validation failed - dropping connection"
                    );
                    return Box::pin(async move {
                        Err(actix_web::error::ErrorBadRequest(
                            "Certificate validation failed",
                        ))
                    });
                }
            }
        } else {
            warn!(
                peer_addr = ?peer_addr,
                "No client certificate provided - dropping connection (mTLS required)"
            );
            return Box::pin(async move {
                Err(actix_web::error::ErrorBadRequest(
                    "Client certificate required",
                ))
            });
        }
        debug!("mTLS authentication passed for request");
        // All checks passed - call the service
        let fut = self.service.call(req);
        Box::pin(fut)
    }
 }
 /// Certificate information extracted from client certificate
 #[derive(Debug, Clone)]
 pub struct ClientCertInfo {
    pub subject: String,
    pub issuer: String,
    pub serial: String,
    pub not_before: DateTime<Utc>,
    pub not_after: DateTime<Utc>,
 }
 /// Validate client certificate against CA store
 fn validate_client_certificate(
    cert_info: &ClientCertInfo,
    _cert_store: &RootCertStore,
 ) -> Result<(), MtlsError> {
    // Check certificate validity period
    let now = Utc::now();
    if now < cert_info.not_before {
        return Err(MtlsError::ValidationError(
            "Certificate is not yet valid".to_string(),
        ));
    }
    if now > cert_info.not_after {
        return Err(MtlsError::ValidationError(
            "Certificate has expired".to_string(),
        ));
    }
    // In production, would verify certificate chain against CA store
    // For now, we trust certificates that were extracted from the TLS connection
    Ok(())
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use std::collections::HashSet;
-    #[test]
+    fn init_crypto_provider() {
    fn test_mtls_config_creation() {
        let config = MtlsConfig {
            ca_cert_path: "/etc/linux_patch_api/certs/ca.pem".to_string(),
            server_cert_path: "/etc/linux_patch_api/certs/server.pem".to_string(),
            server_key_path: "/etc/linux_patch_api/certs/server.key".to_string(),
            min_tls_version: "1.3".to_string(),
        };
        assert_eq!(config.ca_cert_path, "/etc/linux_patch_api/certs/ca.pem");
        assert_eq!(config.min_tls_version, "1.3");
    }
    #[test]
    fn test_client_cert_info() {
        let info = ClientCertInfo {
            subject: "CN=test-client".to_string(),
            issuer: "CN=Test CA".to_string(),
            serial: "12345".to_string(),
            not_before: Utc::now() - Duration::days(1),
            not_after: Utc::now() + Duration::days(365),
        };
        assert!(info.subject.contains("CN="));
        assert!(info.issuer.contains("CN="));
        // Test validation with valid cert
        let cert_store = RootCertStore::empty();
        assert!(validate_client_certificate(&info, &cert_store).is_ok());
    }
    #[test]
    fn test_client_cert_expired() {
        let info = ClientCertInfo {
            subject: "CN=expired-client".to_string(),
            issuer: "CN=Test CA".to_string(),
            serial: "12345".to_string(),
            not_before: Utc::now() - Duration::days(365),
            not_after: Utc::now() - Duration::days(1),
        };
        let cert_store = RootCertStore::empty();
        let result = validate_client_certificate(&info, &cert_store);
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("expired"));
    }
    // -----------------------------------------------------------------------
    // CrlAwareVerifier unit tests
    // -----------------------------------------------------------------------
    /// Test that CrlAwareVerifier can be constructed with a WebPKI verifier
    /// and a SharedCrlState. This verifies the wiring is correct.
    #[test]
    fn crl_aware_verifier_construction() {
        let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
-        use super::super::crl::{new_shared_state, CrlState, CrlStatus};
+    }
        use std::collections::HashSet;
-        // Build a simple CA cert + key for the root store.
+    fn make_test_ca_and_root_store() -> (rcgen::KeyPair, RootCertStore) {
        let ca_key = rcgen::KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
        let mut ca_params = rcgen::CertificateParams::default();
        ca_params.not_before = time::OffsetDateTime::now_utc();
@ -519,18 +299,26 @@ mod tests {
        ca_params.distinguished_name = dn;
        let ca_cert = ca_params.self_signed(&ca_key).unwrap();
        // Build root cert store with the CA.
        let mut root_store = RootCertStore::empty();
        root_store.add(ca_cert.der().to_owned()).unwrap();
-        // Build WebPKI verifier — build() returns Arc<WebPkiClientVerifier>
+        (ca_key, root_store)
-        // which coerces to Arc<dyn ClientCertVerifier>.
+    }
    /// Test that CrlAwareVerifier can be constructed with a WebPKI verifier
    /// and a SharedCrlState. This verifies the wiring is correct.
    #[test]
    fn crl_aware_verifier_construction() {
        init_crypto_provider();
        use super::super::crl::{new_shared_state, CrlState, CrlStatus};
        let (_ca_key, root_store) = make_test_ca_and_root_store();
        let webpki_verifier: Arc<dyn ClientCertVerifier> =
            WebPkiClientVerifier::builder(root_store.into())
                .build()
                .unwrap();
        // Build CRL state in Valid status.
        let crl_state = new_shared_state();
        let valid_state = CrlState {
            status: CrlStatus::Valid,
@ -540,31 +328,16 @@ mod tests {
        };
        crl_state.store(Arc::new(valid_state));
        // Construct CrlAwareVerifier — should succeed.
        let _verifier = CrlAwareVerifier::new(webpki_verifier, crl_state);
        // If we reach here without panic, construction succeeded.
    }
    /// Test that CrlAwareVerifier with Missing CRL state can be constructed.
    /// Missing CRL means the verifier falls back to WebPKI-only.
    #[test]
    fn crl_aware_verifier_with_missing_crl() {
-        let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+        init_crypto_provider();
        use super::super::crl::new_shared_state;
-        let ca_key = rcgen::KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
+        let (_ca_key, root_store) = make_test_ca_and_root_store();
        let mut ca_params = rcgen::CertificateParams::default();
        ca_params.not_before = time::OffsetDateTime::now_utc();
        ca_params.not_after = time::OffsetDateTime::now_utc() + time::Duration::days(365);
        ca_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
        ca_params.key_usages = vec![rcgen::KeyUsagePurpose::KeyCertSign];
        let mut dn = rcgen::DistinguishedName::new();
        dn.push(rcgen::DnType::CommonName, "Test CA for Verifier");
        ca_params.distinguished_name = dn;
        let ca_cert = ca_params.self_signed(&ca_key).unwrap();
        let mut root_store = RootCertStore::empty();
        root_store.add(ca_cert.der().to_owned()).unwrap();
        let webpki_verifier: Arc<dyn ClientCertVerifier> =
            WebPkiClientVerifier::builder(root_store.into())
@ -577,26 +350,12 @@ mod tests {
    }
    /// Test that CrlAwareVerifier with Invalid CRL state can be constructed.
    /// Invalid CRL means the verifier should reject ALL client certificates.
    #[test]
    fn crl_aware_verifier_with_invalid_crl() {
-        let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+        init_crypto_provider();
        use super::super::crl::{new_shared_state, CrlState, CrlStatus};
        use std::collections::HashSet;
-        let ca_key = rcgen::KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
+        let (_ca_key, root_store) = make_test_ca_and_root_store();
        let mut ca_params = rcgen::CertificateParams::default();
        ca_params.not_before = time::OffsetDateTime::now_utc();
        ca_params.not_after = time::OffsetDateTime::now_utc() + time::Duration::days(365);
        ca_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
        ca_params.key_usages = vec![rcgen::KeyUsagePurpose::KeyCertSign];
        let mut dn = rcgen::DistinguishedName::new();
        dn.push(rcgen::DnType::CommonName, "Test CA for Verifier");
        ca_params.distinguished_name = dn;
        let ca_cert = ca_params.self_signed(&ca_key).unwrap();
        let mut root_store = RootCertStore::empty();
        root_store.add(ca_cert.der().to_owned()).unwrap();
        let webpki_verifier: Arc<dyn ClientCertVerifier> =
            WebPkiClientVerifier::builder(root_store.into())
@ -616,27 +375,13 @@ mod tests {
    }
    /// Test that CrlAwareVerifier with a revoked serial in Valid CRL state
-    /// can be constructed. The actual verification logic is tested through
+    /// can be constructed.
    /// integration tests since it requires a full TLS handshake.
    #[test]
    fn crl_aware_verifier_with_revoked_serial() {
-        let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
+        init_crypto_provider();
        use super::super::crl::{new_shared_state, CrlState, CrlStatus};
        use std::collections::HashSet;
-        let ca_key = rcgen::KeyPair::generate_for(&rcgen::PKCS_ECDSA_P256_SHA256).unwrap();
+        let (_ca_key, root_store) = make_test_ca_and_root_store();
        let mut ca_params = rcgen::CertificateParams::default();
        ca_params.not_before = time::OffsetDateTime::now_utc();
        ca_params.not_after = time::OffsetDateTime::now_utc() + time::Duration::days(365);
        ca_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
        ca_params.key_usages = vec![rcgen::KeyUsagePurpose::KeyCertSign];
        let mut dn = rcgen::DistinguishedName::new();
        dn.push(rcgen::DnType::CommonName, "Test CA for Verifier");
        ca_params.distinguished_name = dn;
        let ca_cert = ca_params.self_signed(&ca_key).unwrap();
        let mut root_store = RootCertStore::empty();
        root_store.add(ca_cert.der().to_owned()).unwrap();
        let webpki_verifier: Arc<dyn ClientCertVerifier> =
            WebPkiClientVerifier::builder(root_store.into())
@ -655,6 +400,5 @@ mod tests {
        crl_state.store(Arc::new(valid_with_revoked));
        let _verifier = CrlAwareVerifier::new(webpki_verifier, crl_state);
        // Construction succeeded — the verifier is ready to reject revoked certs.
    }
 }
--- a/src/auth/security_headers.rs
+++ b/src/auth/security_headers.rs
@ -0,0 +1,166 @@
 //! Security Headers Middleware Module
 //!
 //! Provides request-level security header validation for Actix-web.
 //! Enforces VULN-006: rejects requests with duplicate critical headers
 //! (content-type, authorization, host) to prevent HTTP request smuggling
 //! and response-splitting attacks.
 use actix_web::{
    dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
    Error,
 };
 use futures_util::future::LocalBoxFuture;
 use tracing::warn;
 /// Critical headers that MUST NOT appear more than once in a request.
 /// Duplicate values for these headers can enable request smuggling,
 /// response splitting, and other HTTP parsing ambiguities.
 const CRITICAL_HEADERS: &[&str] = &["content-type", "authorization", "host"];
 /// Security headers middleware for Actix-web.
 ///
 /// Checks every incoming request for duplicate critical headers (VULN-006)
 /// and rejects malformed requests with HTTP 400 Bad Request.
 pub struct SecurityHeadersMiddleware;
 impl SecurityHeadersMiddleware {
    /// Create a new security headers middleware instance.
    pub fn new() -> Self {
        Self
    }
 }
 impl Default for SecurityHeadersMiddleware {
    fn default() -> Self {
        Self::new()
    }
 }
 /// Actix-web Transform implementation — wraps SecurityHeadersMiddleware as middleware
 impl<S, B> Transform<S, ServiceRequest> for SecurityHeadersMiddleware
 where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
    S::Future: 'static,
    B: 'static,
 {
    type Response = ServiceResponse<B>;
    type Error = Error;
    type InitError = ();
    type Transform = SecurityHeadersMiddlewareService<S>;
    type Future = futures_util::future::Ready<Result<Self::Transform, Self::InitError>>;
    fn new_transform(&self, service: S) -> Self::Future {
        futures_util::future::ok(SecurityHeadersMiddlewareService { service })
    }
 }
 /// Security headers middleware service — performs per-request duplicate header checks
 pub struct SecurityHeadersMiddlewareService<S> {
    service: S,
 }
 impl<S, B> Service<ServiceRequest> for SecurityHeadersMiddlewareService<S>
 where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
    S::Future: 'static,
    B: 'static,
 {
    type Response = ServiceResponse<B>;
    type Error = Error;
    type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;
    forward_ready!(service);
    fn call(&self, req: ServiceRequest) -> Self::Future {
        // VULN-006: Check for duplicate critical headers before processing
        if has_duplicate_critical_headers(req.headers()) {
            let peer_addr = req.peer_addr();
            warn!(
                peer_addr = ?peer_addr,
                "Duplicate critical headers detected - rejecting request (VULN-006)"
            );
            return Box::pin(async move {
                Err(actix_web::error::ErrorBadRequest(
                    "Duplicate critical headers not allowed",
                ))
            });
        }
        // All checks passed — call the service
        let fut = self.service.call(req);
        Box::pin(fut)
    }
 }
 /// Check for duplicate critical headers (VULN-006).
 /// Returns true if any critical header appears more than once.
 ///
 /// This function is public for testing purposes.
 pub fn has_duplicate_critical_headers(headers: &actix_web::http::header::HeaderMap) -> bool {
    for header_name in CRITICAL_HEADERS.iter() {
        let mut count = 0;
        for (name, _value) in headers.iter() {
            if name.as_str().eq_ignore_ascii_case(header_name) {
                count += 1;
                if count > 1 {
                    return true;
                }
            }
        }
    }
    false
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use actix_web::http::header;
    #[test]
    fn test_no_duplicate_headers_passes() {
        let mut headers = header::HeaderMap::new();
        headers.insert(header::CONTENT_TYPE, "application/json".parse().unwrap());
        headers.insert(header::AUTHORIZATION, "Bearer test".parse().unwrap());
        headers.insert(header::HOST, "localhost".parse().unwrap());
        assert!(!has_duplicate_critical_headers(&headers));
    }
    #[test]
    fn test_duplicate_content_type_rejected() {
        let mut headers = header::HeaderMap::new();
        headers.insert(header::CONTENT_TYPE, "application/json".parse().unwrap());
        headers.append(header::CONTENT_TYPE, "text/plain".parse().unwrap());
        assert!(has_duplicate_critical_headers(&headers));
    }
    #[test]
    fn test_duplicate_authorization_rejected() {
        let mut headers = header::HeaderMap::new();
        headers.insert(header::AUTHORIZATION, "Bearer test1".parse().unwrap());
        headers.append(header::AUTHORIZATION, "Bearer test2".parse().unwrap());
        assert!(has_duplicate_critical_headers(&headers));
    }
    #[test]
    fn test_duplicate_host_rejected() {
        let mut headers = header::HeaderMap::new();
        headers.insert(header::HOST, "localhost".parse().unwrap());
        headers.append(header::HOST, "evil.com".parse().unwrap());
        assert!(has_duplicate_critical_headers(&headers));
    }
    #[test]
    fn test_non_critical_duplicate_headers_allowed() {
        // Duplicate non-critical headers should be allowed
        let mut headers = header::HeaderMap::new();
        headers.insert(header::ACCEPT, "text/html".parse().unwrap());
        headers.append(header::ACCEPT, "application/json".parse().unwrap());
        assert!(!has_duplicate_critical_headers(&headers));
    }
    #[test]
    fn test_empty_headers_passes() {
        let headers = header::HeaderMap::new();
        assert!(!has_duplicate_critical_headers(&headers));
    }
 }
--- a/src/auth/whitelist.rs
+++ b/src/auth/whitelist.rs
@ -17,6 +17,12 @@ use std::sync::{Arc, RwLock};
 use std::time::Duration;
 use tracing::{debug, info, warn};
 use actix_web::{
    dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
    Error,
 };
 use futures_util::future::LocalBoxFuture;
 /// Whitelist entry types
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
 pub enum WhitelistEntry {
@ -282,6 +288,18 @@ impl WhitelistManager {
        }
    }
    /// Create a deny-all whitelist manager (fail-closed fallback).
    ///
    /// Used when the whitelist file cannot be loaded — all IPs are denied
    /// except health endpoints (handled at middleware level).
    pub fn new_deny_all() -> Self {
        Self {
            entries: Arc::new(RwLock::new(HashSet::new())),
            config_path: String::new(),
            watcher: None,
        }
    }
    /// Get the number of entries in the whitelist
    pub fn entry_count(&self) -> usize {
        self.entries.read().unwrap().len()
@ -426,11 +444,9 @@ pub struct WhitelistMiddleware {
 }
 impl WhitelistMiddleware {
-    /// Create a new whitelist middleware
+    /// Create a new whitelist middleware from an Arc<WhitelistManager>
-    pub fn new(manager: WhitelistManager) -> Self {
+    pub fn new(manager: Arc<WhitelistManager>) -> Self {
-        Self {
+        Self { manager }
            manager: Arc::new(manager),
        }
    }
    /// Get the whitelist manager reference
@ -439,6 +455,99 @@ impl WhitelistMiddleware {
    }
 }
 /// Actix-web Transform implementation — wraps WhitelistMiddleware as middleware
 impl<S, B> Transform<S, ServiceRequest> for WhitelistMiddleware
 where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
    S::Future: 'static,
    B: 'static,
 {
    type Response = ServiceResponse<B>;
    type Error = Error;
    type InitError = ();
    type Transform = WhitelistMiddlewareService<S>;
    type Future = futures_util::future::Ready<Result<Self::Transform, Self::InitError>>;
    fn new_transform(&self, service: S) -> Self::Future {
        futures_util::future::ok(WhitelistMiddlewareService {
            service,
            manager: self.manager.clone(),
        })
    }
 }
 /// Whitelist middleware service — performs per-request IP checks
 pub struct WhitelistMiddlewareService<S> {
    service: S,
    manager: Arc<WhitelistManager>,
 }
 /// Health/system endpoint paths exempt from IP whitelist enforcement
 const WHITELIST_EXEMPT_PATHS: &[&str] = &["/health", "/api/v1/system/info"];
 impl<S, B> Service<ServiceRequest> for WhitelistMiddlewareService<S>
 where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
    S::Future: 'static,
    B: 'static,
 {
    type Response = ServiceResponse<B>;
    type Error = Error;
    type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;
    forward_ready!(service);
    fn call(&self, req: ServiceRequest) -> Self::Future {
        let path = req.path().to_owned();
        // Exempt health and system info endpoints from IP whitelist
        if WHITELIST_EXEMPT_PATHS.iter().any(|p| path == *p) {
            debug!(path = %path, "Path exempt from IP whitelist");
            let fut = self.service.call(req);
            return Box::pin(fut);
        }
        // Get peer address — fail-closed if unavailable
        let peer_addr = req.peer_addr();
        match peer_addr {
            Some(addr) => {
                if self.manager.is_socket_allowed(&addr) {
                    debug!(
                        peer_addr = %addr,
                        path = %path,
                        "IP whitelist check passed"
                    );
                    let fut = self.service.call(req);
                    Box::pin(fut)
                } else {
                    warn!(
                        peer_addr = %addr,
                        path = %path,
                        "IP whitelist denied - connection rejected"
                    );
                    Box::pin(async move {
                        Err(actix_web::error::ErrorForbidden(
                            "IP address not in whitelist",
                        ))
                    })
                }
            }
            None => {
                // No peer address — fail-closed (deny by default)
                warn!(
                    path = %path,
                    "No peer address available - denying request (fail-closed)"
                );
                Box::pin(async move {
                    Err(actix_web::error::ErrorForbidden(
                        "IP address not available - denied by policy",
                    ))
                })
            }
        }
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
@ -511,4 +620,33 @@ mod tests {
        let ip_outside: Ipv4Addr = "192.168.2.100".parse().unwrap();
        assert!(!manager.is_allowed(&ip_outside));
    }
    #[test]
    fn test_new_deny_all_blocks_everything() {
        let manager = WhitelistManager::new_deny_all();
        // No IPs should be allowed in deny-all mode
        let ip: Ipv4Addr = "192.168.1.1".parse().unwrap();
        assert!(!manager.is_allowed(&ip));
        let ip2: Ipv4Addr = "10.0.0.1".parse().unwrap();
        assert!(!manager.is_allowed(&ip2));
        // Entry count should be 0
        assert_eq!(manager.entry_count(), 0);
    }
    #[test]
    fn test_is_socket_allowed_ipv6_denied() {
        let manager = WhitelistManager::new_deny_all();
        // IPv6 should be denied even with a populated whitelist
        let socket_v6: SocketAddr = "[::1]:12345".parse().unwrap();
        assert!(!manager.is_socket_allowed(&socket_v6));
    }
    #[test]
    fn test_exempt_paths_constant() {
        // Verify the exempt paths include health and system info
        assert!(WHITELIST_EXEMPT_PATHS.contains(&"/health"));
        assert!(WHITELIST_EXEMPT_PATHS.contains(&"/api/v1/system/info"));
    }
 }
--- a/src/config/loader.rs
+++ b/src/config/loader.rs
@ -33,8 +33,6 @@ pub struct TlsConfig {
    pub ca_cert: String,
    pub server_cert: String,
    pub server_key: String,
    #[serde(default = "default_tls_version")]
    pub min_tls_version: String,
    /// Path to persist the CRL fetched from the manager.
    /// Defaults to /etc/linux_patch_api/certs/crl.pem
    #[serde(default = "default_crl_path")]
@ -49,10 +47,6 @@ fn default_true() -> bool {
    true
 }
 fn default_tls_version() -> String {
    "1.3".to_string()
 }
 /// Jobs configuration
 #[derive(Debug, Deserialize, Serialize, Clone)]
 pub struct JobsConfig {
@ -60,12 +54,58 @@ pub struct JobsConfig {
    pub timeout_minutes: u64,
    #[serde(default = "default_storage_path")]
    pub storage_path: String,
    #[serde(default = "default_max_queue_depth")]
    pub max_queue_depth: usize,
 }
 fn default_storage_path() -> String {
    "/var/lib/linux_patch_api/jobs".to_string()
 }
 fn default_max_queue_depth() -> usize {
    100
 }
 /// Rate limiting configuration
 #[derive(Debug, Deserialize, Serialize, Clone)]
 pub struct RateLimitConfig {
    #[serde(default = "default_true")]
    pub enabled: bool,
    #[serde(default = "default_destructive_per_minute")]
    pub destructive_per_minute: u32,
    #[serde(default = "default_destructive_burst")]
    pub destructive_burst: u32,
    #[serde(default = "default_read_per_minute")]
    pub read_per_minute: u32,
    #[serde(default = "default_read_burst")]
    pub read_burst: u32,
 }
 fn default_destructive_per_minute() -> u32 {
    20
 }
 fn default_destructive_burst() -> u32 {
    10
 }
 fn default_read_per_minute() -> u32 {
    120
 }
 fn default_read_burst() -> u32 {
    30
 }
 impl Default for RateLimitConfig {
    fn default() -> Self {
        Self {
            enabled: true,
            destructive_per_minute: default_destructive_per_minute(),
            destructive_burst: default_destructive_burst(),
            read_per_minute: default_read_per_minute(),
            read_burst: default_read_burst(),
        }
    }
 }
 /// Logging configuration
 #[derive(Debug, Deserialize, Serialize, Clone)]
 pub struct LoggingConfig {
@ -445,6 +485,8 @@ pub struct AppConfig {
    pub package_manager: Option<PackageManagerConfig>,
    #[serde(default)]
    pub enrollment: Option<EnrollmentConfig>,
    #[serde(default)]
    pub rate_limit: RateLimitConfig,
 }
 impl AppConfig {
@ -453,6 +495,19 @@ impl AppConfig {
        let content = std::fs::read_to_string(path)
            .with_context(|| format!("Failed to read config file: {}", path))?;
        // Check for deprecated fields before typed parsing
        if let Ok(value) = serde_yaml::from_str::<serde_yaml::Value>(&content) {
            if let Some(tls) = value.get("tls") {
                if tls.get("min_tls_version").is_some() {
                    tracing::warn!(
                        "Config contains deprecated 'tls.min_tls_version' field. \
                         This field is ignored — TLS 1.3 is the only supported version. \
                         Remove it from your config to silence this warning."
                    );
                }
            }
        }
        let config: AppConfig = serde_yaml::from_str(&content)
            .with_context(|| format!("Failed to parse config file: {}", path))?;
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@ -6,6 +6,7 @@
 //! - Auto-reload on file change via notify watcher
 pub mod loader;
-pub use loader::{validate_certs, AppConfig, CertStatus, EnrollmentConfig};
+pub use loader::{validate_certs, AppConfig, CertStatus, EnrollmentConfig, RateLimitConfig};
 pub mod validator;
 pub use validator::validate_config_warnings;
 pub mod watcher;
--- a/src/config/validator.rs
+++ b/src/config/validator.rs
@ -1,3 +1,25 @@
 //! Configuration Validator
 //!
-//! Placeholder - implementation in future phases
+//! Validates configuration values and warns about deprecated fields.
 use tracing::warn;
 /// Validate configuration for deprecated or unknown fields.
 ///
 /// This is called after config loading to emit warnings for fields
 /// that are no longer functional but may still be present in operator
 /// config files.
 pub fn validate_config_warnings(config_yaml: &str) {
    // Check for deprecated tls.min_tls_version field
    if let Ok(value) = serde_yaml::from_str::<serde_yaml::Value>(config_yaml) {
        if let Some(tls) = value.get("tls") {
            if tls.get("min_tls_version").is_some() {
                warn!(
                    "Config contains deprecated 'tls.min_tls_version' field. \
                     This field is ignored — TLS 1.3 is the only supported version. \
                     Remove it from your config to silence this warning."
                );
            }
        }
    }
 }
--- a/src/jobs/manager.rs
+++ b/src/jobs/manager.rs
@ -140,6 +140,7 @@ pub struct JobStatusEvent {
 pub struct JobManager {
    max_concurrent: usize,
    timeout_minutes: u64,
    max_queue_depth: usize,
    jobs: Arc<RwLock<HashMap<Uuid, Job>>>,
    /// Broadcast sender for job status events
    event_sender: broadcast::Sender<JobStatusEvent>,
@ -147,11 +148,16 @@ pub struct JobManager {
 impl JobManager {
    /// Create a new job manager
-    pub fn new(max_concurrent: usize, timeout_minutes: u64) -> Result<Self> {
+    pub fn new(
        max_concurrent: usize,
        timeout_minutes: u64,
        max_queue_depth: usize,
    ) -> Result<Self> {
        let (event_sender, _) = broadcast::channel(256);
        Ok(Self {
            max_concurrent,
            timeout_minutes,
            max_queue_depth,
            jobs: Arc::new(RwLock::new(HashMap::new())),
            event_sender,
        })
@ -167,6 +173,11 @@ impl JobManager {
        self.max_concurrent
    }
    /// Get max queue depth
    pub fn max_queue_depth(&self) -> usize {
        self.max_queue_depth
    }
    /// Subscribe to job status events
    /// Returns a broadcast receiver that will receive JobStatusEvent messages
    pub fn subscribe(&self) -> broadcast::Receiver<JobStatusEvent> {
@ -335,9 +346,17 @@ impl JobManager {
            .count()
    }
-    /// Check if can accept new job (respecting max_concurrent)
+    /// Check if can accept new job (respecting max_queue_depth)
    /// Returns false when the total number of pending + running jobs
    /// equals or exceeds the configured queue depth cap.
    pub async fn can_accept_job(&self) -> bool {
-        self.running_count().await < self.max_concurrent
+        let jobs = self.jobs.read().await;
        let active_count = jobs
            .values()
            .filter(|j| j.status == JobStatus::Running || j.status == JobStatus::Pending)
            .count();
        drop(jobs);
        active_count < self.max_queue_depth
    }
    /// Delete a completed/failed job from history
@ -401,6 +420,7 @@ impl Clone for JobManager {
        Self {
            max_concurrent: self.max_concurrent,
            timeout_minutes: self.timeout_minutes,
            max_queue_depth: self.max_queue_depth,
            jobs: self.jobs.clone(),
            event_sender: self.event_sender.clone(),
        }
--- a/src/main.rs
+++ b/src/main.rs
@ -28,7 +28,9 @@ use tracing::{error, info, warn};
 use linux_patch_api::api::{configure_api_routes, configure_health_route};
 use linux_patch_api::auth::crl::{self, CrlStatus};
-use linux_patch_api::auth::{mtls, MtlsMiddleware, WhitelistManager};
+use linux_patch_api::auth::{
    mtls, SecurityHeadersMiddleware, WhitelistManager, WhitelistMiddleware,
 };
 use linux_patch_api::config::loader::{validate_certs, CertStatus};
 use linux_patch_api::enroll;
 use linux_patch_api::packages::cache::PackageCacheState;
@ -250,10 +252,15 @@ async fn main() -> Result<()> {
    }
    // Initialize job manager
-    let job_manager = JobManager::new(config.jobs.max_concurrent, config.jobs.timeout_minutes)?;
+    let job_manager = JobManager::new(
        config.jobs.max_concurrent,
        config.jobs.timeout_minutes,
        config.jobs.max_queue_depth,
    )?;
    info!(
        max_jobs = config.jobs.max_concurrent,
        timeout_minutes = config.jobs.timeout_minutes,
        max_queue_depth = config.jobs.max_queue_depth,
        "Job manager initialized"
    );
@ -282,11 +289,12 @@ async fn main() -> Result<()> {
                entries = manager.entry_count(),
                "Whitelist manager initialized"
            );
-            Some(Arc::new(manager))
+            Arc::new(manager)
        }
        Err(e) => {
-            warn!(error = %e, "Failed to load whitelist - continuing with empty whitelist (all denied)");
+            // Fail-closed: deny all IPs when whitelist cannot be loaded
-            None
+            warn!(error = %e, "Failed to load whitelist - using deny-all mode (fail-closed)");
            Arc::new(WhitelistManager::new_deny_all())
        }
    };
@ -305,29 +313,39 @@ async fn main() -> Result<()> {
    // Configure bind address
    let bind_address = format!("{}:{}", config.server.bind, config.server.port);
    // Clone whitelist manager for use inside the HttpServer closure
    let wl = whitelist_manager.clone();
    // Clone rate limit config for use inside the HttpServer closure
    let rate_limit_config = config.rate_limit.clone();
    // Create server builder
    // Security middleware stack (order matters):
    //   1. WhitelistMiddleware   — IP-based access control (deny-by-default)
    //   2. SecurityHeadersMiddleware — VULN-006: reject duplicate critical headers
    //   3. RateLimitMiddleware   — per-IP rate limiting (read + destructive tiers)
    //   4. Logger                — request logging (after auth decisions)
    let server_builder = HttpServer::new(move || {
-        let mut app = App::new()
+        App::new()
            .wrap(WhitelistMiddleware::new(wl.clone()))
            .wrap(SecurityHeadersMiddleware::new())
            .wrap(linux_patch_api::api::rate_limit::RateLimitMiddleware::new(
                rate_limit_config.clone(),
            ))
            .wrap(Logger::default())
            .app_data(job_manager_data.clone())
            .app_data(backend_data.clone())
            .app_data(cache_state.clone())
-            .app_data(crl_state_data.clone());
+            .app_data(crl_state_data.clone())
-
+            .configure(|cfg| {
-        // Configure API routes
+                configure_api_routes(
-        app = app.configure(|cfg| {
+                    cfg,
-            configure_api_routes(
+                    job_manager_data.clone(),
-                cfg,
+                    backend_data.clone(),
-                job_manager_data.clone(),
+                    cache_state.clone(),
-                backend_data.clone(),
+                );
-                cache_state.clone(),
+            })
-            );
+            .configure(configure_health_route)
        });
        // Configure health route (outside API scope)
        app = app.configure(configure_health_route);
        app
    })
    .workers(4)
    // VULN-004: Configure header size limit to 8KB to prevent DoS via oversized headers
@ -338,8 +356,8 @@ async fn main() -> Result<()> {
    .max_connection_rate(1000);
    info!(
        mtls_enabled = config.tls_config().is_some(),
-        whitelist_enabled = whitelist_manager.is_some(),
+        whitelist_entries = whitelist_manager.entry_count(),
-        "Security layer status"
+        "Security layer status (IP whitelist enforced)"
    );
    info!("Linux Patch API initialized successfully");
@ -350,16 +368,15 @@ async fn main() -> Result<()> {
            ca_cert = %tls_config.ca_cert,
            server_cert = %tls_config.server_cert,
            server_key = %tls_config.server_key,
            min_tls_version = %tls_config.min_tls_version,
            crl_path = %tls_config.crl_path,
-            "Initializing mTLS authentication with TLS binding"
+            "Initializing mTLS authentication with TLS 1.3 binding"
        );
        // TLS 1.3 is the only supported version — hardcoded in build_rustls_config()
        let mtls_config = mtls::MtlsConfig {
            ca_cert_path: tls_config.ca_cert.clone(),
            server_cert_path: tls_config.server_cert.clone(),
            server_key_path: tls_config.server_key.clone(),
            min_tls_version: tls_config.min_tls_version.clone(),
        };
        // Load CRL from disk into the shared CRL state
@ -401,63 +418,58 @@ async fn main() -> Result<()> {
            info!("No manager URL configured -- CRL auto-refresh disabled");
        }
-        match MtlsMiddleware::new(mtls_config.clone()) {
+        // ADR: rustls is the authoritative client-auth gate.
-            Ok(middleware) => {
+        // Client certificate verification happens at the TLS handshake level
-                // Build rustls server configuration with CRL-aware verifier
+        // via CrlAwareVerifier (which wraps WebPkiClientVerifier). No
-                let rustls_config = middleware
+        // application-layer certificate validation middleware is needed.
-                    .build_rustls_config(Some(shared_crl_state.clone()))
+        // See src/auth/mtls.rs for the full ADR.
-                    .map_err(|e| anyhow::anyhow!("Failed to build rustls config: {}", e))?;
+        let rustls_config = mtls::build_rustls_config(&mtls_config, Some(shared_crl_state.clone()))
            .map_err(|e| anyhow::anyhow!("Failed to build rustls config: {}", e))?;
-                info!("mTLS middleware and rustls config initialized successfully");
+        info!(
            "mTLS rustls config initialized successfully (client auth enforced at TLS handshake)"
        );
-                // Create TCP listener with SO_REUSEADDR using socket2
+        // Create TCP listener with SO_REUSEADDR using socket2
-                // This prevents "Address already in use" errors when restarting after a crash
+        // This prevents "Address already in use" errors when restarting after a crash
-                let socket = socket2::Socket::new(
+        let socket = socket2::Socket::new(
-                    socket2::Domain::IPV4,
+            socket2::Domain::IPV4,
-                    socket2::Type::STREAM,
+            socket2::Type::STREAM,
-                    Some(socket2::Protocol::TCP),
+            Some(socket2::Protocol::TCP),
-                )
+        )
-                .map_err(|e| anyhow::anyhow!("Failed to create socket: {}", e))?;
+        .map_err(|e| anyhow::anyhow!("Failed to create socket: {}", e))?;
-                socket
+        socket
-                    .set_reuse_address(true)
+            .set_reuse_address(true)
-                    .map_err(|e| anyhow::anyhow!("Failed to set SO_REUSEADDR: {}", e))?;
+            .map_err(|e| anyhow::anyhow!("Failed to set SO_REUSEADDR: {}", e))?;
-                let bind_addr: std::net::SocketAddr = bind_address.parse().map_err(|e| {
+        let bind_addr: std::net::SocketAddr = bind_address
-                    anyhow::anyhow!("Invalid bind address '{}': {}", bind_address, e)
+            .parse()
-                })?;
+            .map_err(|e| anyhow::anyhow!("Invalid bind address '{}': {}", bind_address, e))?;
-                socket
+        socket
-                    .bind(&socket2::SockAddr::from(bind_addr))
+            .bind(&socket2::SockAddr::from(bind_addr))
-                    .map_err(|e| {
+            .map_err(|e| anyhow::anyhow!("Failed to bind socket to {}: {}", bind_address, e))?;
                        anyhow::anyhow!("Failed to bind socket to {}: {}", bind_address, e)
                    })?;
-                socket
+        socket
-                    .listen(128)
+            .listen(128)
-                    .map_err(|e| anyhow::anyhow!("Failed to listen on socket: {}", e))?;
+            .map_err(|e| anyhow::anyhow!("Failed to listen on socket: {}", e))?;
-                let tcp_listener: std::net::TcpListener = socket.into();
+        let tcp_listener: std::net::TcpListener = socket.into();
-                // Log listening AFTER successful bind
+        // Log listening AFTER successful bind
-                info!("Listening on {} (mTLS enabled)", bind_address);
+        info!("Listening on {} (mTLS enabled)", bind_address);
-                // Clone the ServerConfig from Arc for listen_rustls_0_23
+        // Clone the ServerConfig from Arc for listen_rustls_0_23
-                let server_config = (*rustls_config).clone();
+        let server_config = (*rustls_config).clone();
-                info!("Binding server with TLS 1.3 - non-TLS connections will be rejected");
+        info!("Binding server with TLS 1.3 - non-TLS connections will be rejected");
-                // Bind with TLS using rustls 0.23 - non-TLS connections fail at handshake
+        // Bind with TLS using rustls 0.23 - non-TLS connections fail at handshake
-                server_builder
+        server_builder
-                    .listen_rustls_0_23(tcp_listener, server_config)?
+            .listen_rustls_0_23(tcp_listener, server_config)?
-                    .run()
+            .run()
-                    .await?;
+            .await?;
            }
            Err(e) => {
                error!(error = %e, "Failed to initialize mTLS middleware");
                return Err(anyhow::anyhow!("mTLS initialization failed: {}", e));
            }
        }
    } else {
        // Create TCP listener with SO_REUSEADDR for non-TLS mode
        let socket = socket2::Socket::new(
--- a/src/packages/mod.rs
+++ b/src/packages/mod.rs
@ -12,6 +12,112 @@ use serde::{Deserialize, Serialize};
 use std::process::Command;
 use tracing::info;
 /// Maximum allowed length for package names and version strings
 pub const MAX_NAME_LENGTH: usize = 256;
 /// Validate a package name against a strict allowlist pattern.
 /// Prevents argument injection by blocking shell metacharacters,
 /// path separators, whitespace, and leading hyphens.
 /// Pattern: ^[a-zA-Z0-9][a-zA-Z0-9+._-]*$
 pub fn validate_package_name(name: &str) -> Result<(), String> {
    if name.is_empty() {
        return Err("Package name cannot be empty".to_string());
    }
    if name.len() > MAX_NAME_LENGTH {
        return Err(format!(
            "Package name exceeds maximum length of {} characters",
            MAX_NAME_LENGTH
        ));
    }
    let bytes = name.as_bytes();
    if !bytes[0].is_ascii_alphanumeric() {
        return Err(format!(
            "Package name must start with an alphanumeric character: '{}'",
            name
        ));
    }
    if !name
        .chars()
        .all(|c| c.is_ascii_alphanumeric() || c == '+' || c == '.' || c == '_' || c == '-')
    {
        return Err(format!(
            "Package name contains invalid characters: '{}'. Only alphanumeric, plus, dot, underscore, and hyphen are allowed",
            name
        ));
    }
    Ok(())
 }
 /// Validate a version string against a strict allowlist pattern.
 /// Allows characters commonly found in package versions (colons for RPM epochs,
 /// tildes for version ordering) while blocking shell metacharacters and path separators.
 /// Pattern: ^[a-zA-Z0-9][a-zA-Z0-9+.:~_-]*$
 pub fn validate_version_string(version: &str) -> Result<(), String> {
    if version.is_empty() {
        return Err("Version string cannot be empty".to_string());
    }
    if version.len() > MAX_NAME_LENGTH {
        return Err(format!(
            "Version string exceeds maximum length of {} characters",
            MAX_NAME_LENGTH
        ));
    }
    let bytes = version.as_bytes();
    if !bytes[0].is_ascii_alphanumeric() {
        return Err(format!(
            "Version string must start with an alphanumeric character: '{}'",
            version
        ));
    }
    if !version.chars().all(|c| {
        c.is_ascii_alphanumeric()
            || c == '+'
            || c == '.'
            || c == '_'
            || c == '-'
            || c == ':'
            || c == '~'
    }) {
        return Err(format!(
            "Version string contains invalid characters: '{}'. Only alphanumeric, plus, dot, underscore, hyphen, colon, and tilde are allowed",
            version
        ));
    }
    Ok(())
 }
 /// Validate a service name against a strict allowlist pattern.
 /// Prevents shell injection and argument injection in systemctl/rc-service commands.
 /// Allows hyphens (common in systemd unit names), dots for unit suffixes, and @ for template instances.
 /// Pattern: ^[a-zA-Z0-9][a-zA-Z0-9_.@+-]*$
 pub fn validate_service_name(name: &str) -> Result<(), String> {
    if name.is_empty() {
        return Err("Service name cannot be empty".to_string());
    }
    if name.len() > MAX_NAME_LENGTH {
        return Err(format!(
            "Service name exceeds maximum length of {} characters",
            MAX_NAME_LENGTH
        ));
    }
    let bytes = name.as_bytes();
    if !bytes[0].is_ascii_alphanumeric() {
        return Err(format!(
            "Service name must start with an alphanumeric character: '{}'",
            name
        ));
    }
    if !name.chars().all(|c| {
        c.is_ascii_alphanumeric() || c == '_' || c == '.' || c == '@' || c == '+' || c == '-'
    }) {
        return Err(format!(
            "Service name contains invalid characters: '{}'. Only alphanumeric, underscore, dot, at-sign, plus, and hyphen are allowed",
            name
        ));
    }
    Ok(())
 }
 /// Package status
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 pub enum PackageStatus {
@ -311,10 +417,20 @@ impl PackageManagerBackend for AptBackend {
            args.push("--no-install-recommends".to_string());
        }
        // SECURITY: --force-yes bypasses GPG signature verification and is a security risk.
        // Only allow when explicitly requested; log a warning.
        if options.force {
            tracing::warn!(
                "--force-yes requested: package signature verification will be bypassed"
            );
            args.push("--force-yes".to_string());
        }
        // SECURITY: Insert -- separator before user-supplied package names to prevent
        // argument injection. Without this, a package name like "--allow-unauthenticated"
        // would be interpreted as an apt option rather than a package name.
        args.push("--".to_string());
        for pkg in packages {
            let pkg_arg = if let Some(version) = &pkg.version {
                format!("{}={}", pkg.name, version)
@ -334,16 +450,18 @@ impl PackageManagerBackend for AptBackend {
    }
    fn update_package(&self, name: &str) -> Result<()> {
-        self.run_apt(&["install", "-y", "--only-upgrade", name])?;
+        // SECURITY: -- separator prevents argument injection via package name
        self.run_apt(&["install", "-y", "--only-upgrade", "--", name])?;
        info!("Updated package: {}", name);
        Ok(())
    }
    fn remove_package(&self, name: &str, purge: bool) -> Result<()> {
        // SECURITY: -- separator prevents argument injection via package name
        let args = if purge {
-            vec!["purge", "-y", name]
+            vec!["purge", "-y", "--", name]
        } else {
-            vec!["remove", "-y", name]
+            vec!["remove", "-y", "--", name]
        };
        self.run_apt(&args)?;
@ -392,7 +510,8 @@ impl PackageManagerBackend for AptBackend {
    fn apply_patches(&self, packages: Option<&[String]>) -> Result<()> {
        let args = match packages {
            Some(pkgs) => {
-                let mut a = vec!["install", "-y"];
+                // SECURITY: -- separator prevents argument injection via package names
                let mut a: Vec<&str> = vec!["install", "-y", "--"];
                for pkg in pkgs {
                    a.push(pkg);
                }
@ -506,10 +625,8 @@ impl PackageManagerBackend for AptBackend {
    }
    fn get_service_status(&self, name: &str) -> Result<Option<ServiceStatus>> {
-        // Validate service name to prevent shell injection
+        // SECURITY: Strict allowlist validation to prevent argument/shell injection
-        if name.is_empty() || name.contains('/') || name.contains("..") {
+        validate_service_name(name).map_err(|e| anyhow::anyhow!("{}", e))?;
            return Err(anyhow::anyhow!("Invalid service name: {}", name));
        }
        // Determine init system and query accordingly
        let is_systemd = std::path::Path::new("/run/systemd/system").exists();
@ -549,9 +666,11 @@ impl PackageManagerBackend for AptBackend {
 /// Query systemd service status via systemctl
 fn get_systemd_service_status(name: &str) -> Result<Option<ServiceStatus>> {
    // SECURITY: -- separator prevents argument injection via service name
    let output = Command::new("systemctl")
        .args([
            "show",
            "--",
            name,
            "--property=Id,Description,ActiveState,SubState,LoadState,UnitFileState,MainPID",
            "--no-pager",
@ -978,6 +1097,9 @@ impl PackageManagerBackend for ApkBackend {
            args.push("--force".to_string());
        }
        // SECURITY: -- separator prevents argument injection via package names
        args.push("--".to_string());
        for pkg in packages {
            let pkg_arg = if let Some(version) = &pkg.version {
                format!("{}={}", pkg.name, version)
@ -997,14 +1119,16 @@ impl PackageManagerBackend for ApkBackend {
    }
    fn update_package(&self, name: &str) -> Result<()> {
-        self.run_apk(&["upgrade", name])?;
+        // SECURITY: -- separator prevents argument injection via package name
        self.run_apk(&["upgrade", "--", name])?;
        info!("Updated package: {}", name);
        Ok(())
    }
    fn remove_package(&self, name: &str, _purge: bool) -> Result<()> {
        // APK doesn't have a purge concept - just remove the package
-        self.run_apk(&["del", name])?;
+        // SECURITY: -- separator prevents argument injection via package name
        self.run_apk(&["del", "--", name])?;
        info!("Removed package: {}", name);
        Ok(())
    }
@ -1066,7 +1190,8 @@ impl PackageManagerBackend for ApkBackend {
    fn apply_patches(&self, packages: Option<&[String]>) -> Result<()> {
        match packages {
            Some(pkgs) => {
-                let mut args: Vec<&str> = vec!["upgrade"];
+                // SECURITY: -- separator prevents argument injection via package names
                let mut args: Vec<&str> = vec!["upgrade", "--"];
                for pkg in pkgs {
                    args.push(pkg);
                }
@ -1186,10 +1311,8 @@ impl PackageManagerBackend for ApkBackend {
    }
    fn get_service_status(&self, name: &str) -> Result<Option<ServiceStatus>> {
-        // Validate service name to prevent shell injection
+        // SECURITY: Strict allowlist validation to prevent argument/shell injection
-        if name.is_empty() || name.contains('/') || name.contains("..") {
+        validate_service_name(name).map_err(|e| anyhow::anyhow!("{}", e))?;
            return Err(anyhow::anyhow!("Invalid service name: {}", name));
        }
        // Alpine uses OpenRC for service management
        get_openrc_service_status(name)
@ -1533,6 +1656,9 @@ impl PackageManagerBackend for DnfBackend {
            args.push("--allowerasing".to_string());
        }
        // SECURITY: -- separator prevents argument injection via package names
        args.push("--".to_string());
        for pkg in packages {
            let pkg_arg = if let Some(version) = &pkg.version {
                format!("{}-{}", pkg.name, version)
@ -1552,16 +1678,18 @@ impl PackageManagerBackend for DnfBackend {
    }
    fn update_package(&self, name: &str) -> Result<()> {
-        self.run_dnf(&["upgrade", "-y", name])?;
+        // SECURITY: -- separator prevents argument injection via package name
        self.run_dnf(&["upgrade", "-y", "--", name])?;
        info!("Updated package: {}", name);
        Ok(())
    }
    fn remove_package(&self, name: &str, purge: bool) -> Result<()> {
        // SECURITY: -- separator prevents argument injection via package name
        let args = if purge {
-            vec!["remove", "-y", "--noautoremove", name]
+            vec!["remove", "-y", "--noautoremove", "--", name]
        } else {
-            vec!["remove", "-y", name]
+            vec!["remove", "-y", "--", name]
        };
        self.run_dnf(&args)?;
        info!("Removed package: {} (purge={})", name, purge);
@ -1641,7 +1769,8 @@ impl PackageManagerBackend for DnfBackend {
    fn apply_patches(&self, packages: Option<&[String]>) -> Result<()> {
        match packages {
            Some(pkgs) => {
-                let mut args: Vec<&str> = vec!["upgrade", "-y"];
+                // SECURITY: -- separator prevents argument injection via package names
                let mut args: Vec<&str> = vec!["upgrade", "-y", "--"];
                for pkg in pkgs {
                    args.push(pkg);
                }
@ -1758,10 +1887,8 @@ impl PackageManagerBackend for DnfBackend {
    }
    fn get_service_status(&self, name: &str) -> Result<Option<ServiceStatus>> {
-        // Validate service name to prevent shell injection
+        // SECURITY: Strict allowlist validation to prevent argument/shell injection
-        if name.is_empty() || name.contains('/') || name.contains("..") {
+        validate_service_name(name).map_err(|e| anyhow::anyhow!("{}", e))?;
            return Err(anyhow::anyhow!("Invalid service name: {}", name));
        }
        // Fedora/RHEL use systemd for service management
        get_systemd_service_status(name)
@ -2087,6 +2214,9 @@ impl PackageManagerBackend for YumBackend {
        // yum doesn't have --allowerasing, skip force option
        // SECURITY: -- separator prevents argument injection via package names
        args.push("--".to_string());
        for pkg in packages {
            let pkg_arg = if let Some(version) = &pkg.version {
                format!("{}-{}", pkg.name, version)
@ -2106,7 +2236,8 @@ impl PackageManagerBackend for YumBackend {
    }
    fn update_package(&self, name: &str) -> Result<()> {
-        self.run_yum(&["update", "-y", name])?;
+        // SECURITY: -- separator prevents argument injection via package name
        self.run_yum(&["update", "-y", "--", name])?;
        info!("Updated package: {}", name);
        Ok(())
    }
@ -2114,7 +2245,8 @@ impl PackageManagerBackend for YumBackend {
    fn remove_package(&self, name: &str, purge: bool) -> Result<()> {
        // yum doesn't distinguish between remove and purge
        let _ = purge;
-        self.run_yum(&["remove", "-y", name])?;
+        // SECURITY: -- separator prevents argument injection via package name
        self.run_yum(&["remove", "-y", "--", name])?;
        info!("Removed package: {} (purge={})", name, purge);
        Ok(())
    }
@ -2185,7 +2317,8 @@ impl PackageManagerBackend for YumBackend {
    fn apply_patches(&self, packages: Option<&[String]>) -> Result<()> {
        match packages {
            Some(pkgs) => {
-                let mut args: Vec<&str> = vec!["update", "-y"];
+                // SECURITY: -- separator prevents argument injection via package names
                let mut args: Vec<&str> = vec!["update", "-y", "--"];
                for pkg in pkgs {
                    args.push(pkg);
                }
@ -2301,10 +2434,8 @@ impl PackageManagerBackend for YumBackend {
    }
    fn get_service_status(&self, name: &str) -> Result<Option<ServiceStatus>> {
-        // Validate service name to prevent shell injection
+        // SECURITY: Strict allowlist validation to prevent argument/shell injection
-        if name.is_empty() || name.contains('/') || name.contains("..") {
+        validate_service_name(name).map_err(|e| anyhow::anyhow!("{}", e))?;
            return Err(anyhow::anyhow!("Invalid service name: {}", name));
        }
        // CentOS 7 uses systemd for service management
        get_systemd_service_status(name)
@ -2557,6 +2688,9 @@ impl PackageManagerBackend for PacmanBackend {
            args.push("'*'".to_string());
        }
        // SECURITY: -- separator prevents argument injection via package names
        args.push("--".to_string());
        for pkg in packages {
            args.push(pkg.name.clone());
        }
@ -2571,14 +2705,16 @@ impl PackageManagerBackend for PacmanBackend {
    }
    fn update_package(&self, name: &str) -> Result<()> {
-        self.run_pacman(&["-S", "--noconfirm", name])?;
+        // SECURITY: -- separator prevents argument injection via package name
        self.run_pacman(&["-S", "--noconfirm", "--", name])?;
        info!("Updated package: {}", name);
        Ok(())
    }
    fn remove_package(&self, name: &str, _purge: bool) -> Result<()> {
        // pacman doesn't have a purge concept - just remove the package
-        self.run_pacman(&["-R", "--noconfirm", name])?;
+        // SECURITY: -- separator prevents argument injection via package name
        self.run_pacman(&["-R", "--noconfirm", "--", name])?;
        info!("Removed package: {} (purge={})", name, _purge);
        Ok(())
    }
@ -2629,7 +2765,8 @@ impl PackageManagerBackend for PacmanBackend {
    fn apply_patches(&self, packages: Option<&[String]>) -> Result<()> {
        match packages {
            Some(pkgs) => {
-                let mut args: Vec<&str> = vec!["-S", "--noconfirm", "--needed"];
+                // SECURITY: -- separator prevents argument injection via package names
                let mut args: Vec<&str> = vec!["-S", "--noconfirm", "--needed", "--"];
                for pkg in pkgs {
                    args.push(pkg);
                }
@ -2746,10 +2883,8 @@ impl PackageManagerBackend for PacmanBackend {
    }
    fn get_service_status(&self, name: &str) -> Result<Option<ServiceStatus>> {
-        // Validate service name to prevent shell injection
+        // SECURITY: Strict allowlist validation to prevent argument/shell injection
-        if name.is_empty() || name.contains('/') || name.contains("..") {
+        validate_service_name(name).map_err(|e| anyhow::anyhow!("{}", e))?;
            return Err(anyhow::anyhow!("Invalid service name: {}", name));
        }
        // Arch Linux uses systemd for service management
        get_systemd_service_status(name)
@ -2998,4 +3133,160 @@ mod tests {
        assert_eq!(pkg.dependencies.len(), 3);
        assert!(pkg.dependencies.contains(&"readline".to_string()));
    }
    // --- Validation function tests (Issue #10: Argument injection RCE prevention) ---
    #[test]
    fn test_validate_package_name_valid() {
        assert!(validate_package_name("bash").is_ok());
        assert!(validate_package_name("libssl1.1").is_ok());
        assert!(validate_package_name("python3-pip").is_ok());
        assert!(validate_package_name("g++-11").is_ok());
        assert!(validate_package_name("nginx-common").is_ok());
        assert!(validate_package_name("curl").is_ok());
        assert!(validate_package_name("lib32-glibc").is_ok());
        assert!(validate_package_name("a").is_ok());
    }
    #[test]
    fn test_validate_package_name_empty() {
        assert!(validate_package_name("").is_err());
    }
    #[test]
    fn test_validate_package_name_too_long() {
        let long_name = "a".repeat(257);
        assert!(validate_package_name(&long_name).is_err());
        // Exactly 256 chars should be fine
        let max_name = "a".repeat(256);
        assert!(validate_package_name(&max_name).is_ok());
    }
    #[test]
    fn test_validate_package_name_leading_hyphen() {
        // Leading hyphen could be interpreted as a command-line option
        assert!(validate_package_name("-evil").is_err());
        assert!(validate_package_name("--allow-unauthenticated").is_err());
    }
    #[test]
    fn test_validate_package_name_shell_metacharacters() {
        // Shell metacharacters that could enable injection
        assert!(validate_package_name("pkg;rm -rf").is_err());
        assert!(validate_package_name("pkg$(cmd)").is_err());
        assert!(validate_package_name("pkg`cmd`").is_err());
        assert!(validate_package_name("pkg|other").is_err());
        assert!(validate_package_name("pkg&other").is_err());
        assert!(validate_package_name("pkg>file").is_err());
        assert!(validate_package_name("pkg<file").is_err());
        assert!(validate_package_name("pkg'other").is_err());
        assert!(validate_package_name("pkg\"other").is_err());
        assert!(validate_package_name("pkg!other").is_err());
    }
    #[test]
    fn test_validate_package_name_path_separators() {
        assert!(validate_package_name("/usr/bin/evil").is_err());
        assert!(validate_package_name("..\\..\\evil").is_err());
        assert!(validate_package_name("../evil").is_err());
    }
    #[test]
    fn test_validate_package_name_whitespace() {
        assert!(validate_package_name("pkg name").is_err());
        assert!(validate_package_name("pkg\tname").is_err());
        assert!(validate_package_name("pkg\nname").is_err());
    }
    #[test]
    fn test_validate_package_name_leading_digit() {
        // Digits are valid start characters
        assert!(validate_package_name("3ddesktop").is_ok());
        assert!(validate_package_name("0ad").is_ok());
    }
    #[test]
    fn test_validate_version_string_valid() {
        assert!(validate_version_string("1.2.3").is_ok());
        assert!(validate_version_string("1.2.3-r0").is_ok());
        assert!(validate_version_string("5.2.21-1.fc43").is_ok());
        assert!(validate_version_string("2:1.0-1").is_ok()); // RPM epoch
        assert!(validate_version_string("1.0~beta1").is_ok()); // Debian tilde
        assert!(validate_version_string("1.0+dfsg-1").is_ok()); // Debian suffix
    }
    #[test]
    fn test_validate_version_string_empty() {
        assert!(validate_version_string("").is_err());
    }
    #[test]
    fn test_validate_version_string_leading_hyphen() {
        assert!(validate_version_string("-1.0").is_err());
    }
    #[test]
    fn test_validate_version_string_shell_metacharacters() {
        assert!(validate_version_string("1.0;cmd").is_err());
        assert!(validate_version_string("1.0$(cmd)").is_err());
        assert!(validate_version_string("1.0`cmd`").is_err());
        assert!(validate_version_string("1.0|cmd").is_err());
        assert!(validate_version_string("1.0&cmd").is_err());
        assert!(validate_version_string("1.0 cmd").is_err());
    }
    #[test]
    fn test_validate_version_string_path_separators() {
        assert!(validate_version_string("1.0/evil").is_err());
        assert!(validate_version_string("1.0\\evil").is_err());
    }
    #[test]
    fn test_validate_service_name_valid() {
        assert!(validate_service_name("sshd").is_ok());
        assert!(validate_service_name("nginx.service").is_ok());
        assert!(validate_service_name("ssh@host").is_ok());
        assert!(validate_service_name("docker").is_ok());
        assert!(validate_service_name("networkd-dispatcher").is_ok());
    }
    #[test]
    fn test_validate_service_name_empty() {
        assert!(validate_service_name("").is_err());
    }
    #[test]
    fn test_validate_service_name_leading_hyphen() {
        assert!(validate_service_name("-evil").is_err());
        assert!(validate_service_name("--help").is_err());
    }
    #[test]
    fn test_validate_service_name_path_separators() {
        assert!(validate_service_name("/usr/bin/evil").is_err());
        assert!(validate_service_name("../evil").is_err());
    }
    #[test]
    fn test_validate_service_name_shell_metacharacters() {
        assert!(validate_service_name("svc;rm").is_err());
        assert!(validate_service_name("svc$(cmd)").is_err());
        assert!(validate_service_name("svc|other").is_err());
        assert!(validate_service_name("svc&other").is_err());
        assert!(validate_service_name("svc name").is_err());
    }
    #[test]
    fn test_validate_service_name_with_hyphen() {
        // Hyphens ARE allowed in service names (common in systemd unit names like networkd-dispatcher)
        assert!(validate_service_name("networkd-dispatcher").is_ok());
        // But leading hyphens are NOT allowed (would be interpreted as command flags)
        assert!(validate_service_name("-evil").is_err());
    }
    #[test]
    fn test_validate_service_name_with_plus() {
        // Plus is allowed in service names
        assert!(validate_service_name("cups+daemon").is_ok());
    }
 }
--- a/tests/e2e/certs/README.md
+++ b/tests/e2e/certs/README.md
@ -0,0 +1,24 @@
 # E2E Test Certificates
 **⚠️ Private keys are NOT committed to version control.**
 This directory holds mTLS certificates used by the Python E2E test suite.
 The `client.key` private key is excluded from git via `.gitignore`.
 ## Generating Test Certificates
 Certificates are generated automatically by the E2E test runner, or manually:
 ```bash
 ./scripts/generate-dev-certs.sh
 ```
 This script creates `ca.crt`, `client.crt`, and `client.key` in this directory.
 ## Files
 | File | Committed | Description |
 |------|-----------|-------------|
 | `ca.crt` | ✅ Yes | CA certificate (public) |
 | `client.crt` | ✅ Yes | Client certificate (public) |
 | `client.key` | ❌ No | Client private key (gitignored) |
--- a/tests/e2e/certs/client.key
+++ b/tests/e2e/certs/client.key
@ -1,5 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg5dkQDY44tZkcnQ6M
 lGDNFyFrEvcOlnDoKfA/uTvBCtehRANCAAT8X1WUWE52l/i2I3MmlSiPgrESEJ2R
 I6CJvV2hHKirY+wJbanH39b1ebW8b+W3fuhEHPaFFcpPFEnPriA+xWvT
 -----END PRIVATE KEY-----
--- a/tests/e2e/test_e2e.py
+++ b/tests/e2e/test_e2e.py
@ -16,6 +16,7 @@ Usage:
 import argparse
 import json
 import subprocess
 import sys
 import time
 from dataclasses import dataclass, field
@ -37,6 +38,19 @@ CA_CERT = CERTS_DIR / "ca.crt"
 CLIENT_CERT = CERTS_DIR / "client.crt"
 CLIENT_KEY = CERTS_DIR / "client.key"
 def ensure_certs() -> None:
    """Generate e2e test certificates at runtime if they do not exist."""
    if CLIENT_KEY.exists() and CLIENT_CERT.exists() and CA_CERT.exists():
        return
    script = Path(__file__).resolve().parent.parent.parent / "scripts" / "generate-dev-certs.sh"
    if not script.exists():
        raise FileNotFoundError(
            f"Certificate generation script not found: {script}. "
            "Run ./scripts/generate-dev-certs.sh manually."
        )
    subprocess.check_call([str(script)], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
 TARGETS = {
    "dev": {
        "name": "linux-patch-manager-dev",
@ -537,14 +551,51 @@ def test_wrong_cert_connection(client: PatchAPIClient) -> str:
    """Verify that connections with wrong cert are rejected.
    Per spec: invalid/expired certificates should be silently dropped.
-    Uses project test certs (different CA) which should be rejected.
+    Generates a separate "wrong CA" certificate at runtime to test that
    certificates signed by an untrusted CA are rejected.
    """
-    project_ca = "/a0/usr/projects/linux_patch_api/configs/certs/ca.pem"
+    import tempfile
-    project_cert = "/a0/usr/projects/linux_patch_api/configs/certs/client001.pem"
+    wrong_ca_dir = Path(tempfile.mkdtemp(prefix="lpa-wrong-ca-"))
-    project_key = "/a0/usr/projects/linux_patch_api/configs/certs/client001.key.pem"
+    try:
        # Generate a completely separate CA + client cert (wrong CA)
        wrong_ca_key = wrong_ca_dir / "ca.key"
        wrong_ca_cert = wrong_ca_dir / "ca.crt"
        wrong_client_key = wrong_ca_dir / "client.key"
        wrong_client_csr = wrong_ca_dir / "client.csr"
        wrong_client_cert = wrong_ca_dir / "client.crt"
-    if not Path(project_ca).exists():
+        subprocess.run(
-        return "SKIPPED: Project test certs not available"
+            ["openssl", "genrsa", "-out", str(wrong_ca_key), "2048"],
            check=True, capture_output=True,
        )
        subprocess.run(
            ["openssl", "req", "-x509", "-new", "-nodes", "-key", str(wrong_ca_key),
             "-sha256", "-days", "1", "-out", str(wrong_ca_cert),
             "-subj", "/CN=Wrong CA/O=Attacker/C=US"],
            check=True, capture_output=True,
        )
        subprocess.run(
            ["openssl", "genrsa", "-out", str(wrong_client_key), "2048"],
            check=True, capture_output=True,
        )
        subprocess.run(
            ["openssl", "req", "-new", "-key", str(wrong_client_key),
             "-out", str(wrong_client_csr),
             "-subj", "/CN=wrong-client/O=Attacker/C=US"],
            check=True, capture_output=True,
        )
        subprocess.run(
            ["openssl", "x509", "-req", "-in", str(wrong_client_csr),
             "-CA", str(wrong_ca_cert), "-CAkey", str(wrong_ca_key),
             "-CAcreateserial", "-out", str(wrong_client_cert),
             "-days", "1", "-sha256"],
            check=True, capture_output=True,
        )
        project_cert = str(wrong_client_cert)
        project_key = str(wrong_client_key)
    except (subprocess.CalledProcessError, FileNotFoundError):
        return "SKIPPED: Could not generate wrong-CA test certificates"
    session = requests.Session()
    session.cert = (project_cert, project_key)
@ -559,6 +610,8 @@ def test_wrong_cert_connection(client: PatchAPIClient) -> str:
        return "Correctly rejected connection with untrusted client certificate"
    finally:
        session.close()
        import shutil
        shutil.rmtree(wrong_ca_dir, ignore_errors=True)
 def test_job_lifecycle(client: PatchAPIClient) -> str:
@ -776,7 +829,10 @@ def main():
    )
    args = parser.parse_args()
-    # Verify certs exist
+    # Generate certs at runtime if missing (private keys are not committed)
    ensure_certs()
    # Verify certs exist after generation attempt
    if not CA_CERT.exists():
        print(f"ERROR: CA cert not found: {CA_CERT}")
        sys.exit(1)
--- a/tests/e2e/test_enrollment_e2e.rs
+++ b/tests/e2e/test_enrollment_e2e.rs
@ -77,7 +77,6 @@ fn build_tls_config(cert_dir: &std::path::Path) -> TlsConfig {
            .join("server.key.pem")
            .to_string_lossy()
            .to_string(),
        min_tls_version: "1.3".to_string(),
        crl_path: String::new(), // No CRL in E2E tests
    }
 }
--- a/tests/integration/auth_test.rs
+++ b/tests/integration/auth_test.rs
@ -15,13 +15,17 @@ mod mtls_tests {
            ca_cert_path: "/etc/linux_patch_api/certs/ca.pem".to_string(),
            server_cert_path: "/etc/linux_patch_api/certs/server.pem".to_string(),
            server_key_path: "/etc/linux_patch_api/certs/server.key".to_string(),
            min_tls_version: "1.3".to_string(),
        };
        assert_eq!(config.ca_cert_path, "/etc/linux_patch_api/certs/ca.pem");
-        assert_eq!(config.server_cert_path, "/etc/linux_patch_api/certs/server.pem");
+        assert_eq!(
-        assert_eq!(config.server_key_path, "/etc/linux_patch_api/certs/server.key");
+            config.server_cert_path,
-        assert_eq!(config.min_tls_version, "1.3");
+            "/etc/linux_patch_api/certs/server.pem"
        );
        assert_eq!(
            config.server_key_path,
            "/etc/linux_patch_api/certs/server.key"
        );
    }
    #[test]
@ -232,9 +236,61 @@ mod auth_result_tests {
        assert!(result.is_authenticated());
        assert!(result.cert_info.is_some());
-        assert_eq!(
+        assert_eq!(result.cert_info.unwrap().subject, "CN=client001");
-            result.cert_info.unwrap().subject,
+    }
-            "CN=client001"
+}
-        );
+
 /// Integration tests for SecurityHeadersMiddleware (VULN-006)
 #[cfg(test)]
 mod security_headers_tests {
    use actix_web::http::header;
    use linux_patch_api::auth::security_headers::has_duplicate_critical_headers;
    #[test]
    fn test_no_duplicate_headers_passes() {
        let mut headers = header::HeaderMap::new();
        headers.insert(header::CONTENT_TYPE, "application/json".parse().unwrap());
        headers.insert(header::AUTHORIZATION, "Bearer test".parse().unwrap());
        headers.insert(header::HOST, "localhost".parse().unwrap());
        assert!(!has_duplicate_critical_headers(&headers));
    }
    #[test]
    fn test_duplicate_content_type_detected() {
        let mut headers = header::HeaderMap::new();
        headers.insert(header::CONTENT_TYPE, "application/json".parse().unwrap());
        headers.append(header::CONTENT_TYPE, "text/plain".parse().unwrap());
        assert!(has_duplicate_critical_headers(&headers));
    }
    #[test]
    fn test_duplicate_authorization_detected() {
        let mut headers = header::HeaderMap::new();
        headers.insert(header::AUTHORIZATION, "Bearer test1".parse().unwrap());
        headers.append(header::AUTHORIZATION, "Bearer test2".parse().unwrap());
        assert!(has_duplicate_critical_headers(&headers));
    }
    #[test]
    fn test_duplicate_host_detected() {
        let mut headers = header::HeaderMap::new();
        headers.insert(header::HOST, "localhost".parse().unwrap());
        headers.append(header::HOST, "evil.com".parse().unwrap());
        assert!(has_duplicate_critical_headers(&headers));
    }
    #[test]
    fn test_non_critical_duplicates_allowed() {
        // Duplicate Accept headers should be fine
        let mut headers = header::HeaderMap::new();
        headers.insert(header::ACCEPT, "text/html".parse().unwrap());
        headers.append(header::ACCEPT, "application/json".parse().unwrap());
        assert!(!has_duplicate_critical_headers(&headers));
    }
    #[test]
    fn test_empty_headers_passes() {
        let headers = header::HeaderMap::new();
        assert!(!has_duplicate_critical_headers(&headers));
    }
 }
--- a/tests/unit/rate_limit_test.rs
+++ b/tests/unit/rate_limit_test.rs
@ -0,0 +1,340 @@
 //! Rate Limiting and Job Queue Depth Tests
 //!
 //! Tests for:
 //! - HTTP rate limiting (429 when exceeded)
 //! - Health endpoint exemption from rate limiting
 //! - Job queue depth cap (429 when full)
 //! - Configurable queue depth
 use actix_web::{test, web, App};
 use linux_patch_api::api::rate_limit::RateLimitMiddleware;
 use linux_patch_api::api::routes::{configure_api_routes, configure_health_route};
 use linux_patch_api::auth::crl;
 use linux_patch_api::config::loader::RateLimitConfig;
 use linux_patch_api::jobs::manager::{JobManager, JobOperation};
 use linux_patch_api::packages::cache::PackageCacheState;
 use std::net::SocketAddr;
 /// Helper to build a test request with a peer IP address (required for rate limiting)
 fn test_request(method: actix_web::http::Method, uri: &str) -> test::TestRequest {
    test::TestRequest::with_uri(uri)
        .method(method)
        .peer_addr(SocketAddr::from(([127, 0, 0, 1], 12345)))
 }
 #[actix_web::test]
 async fn test_health_endpoint_exempt_from_rate_limiting() {
    let job_manager = web::Data::new(JobManager::new(5, 30, 100).unwrap());
    let backend = web::Data::new(linux_patch_api::packages::create_backend().unwrap());
    let cache_state = web::Data::new(PackageCacheState::new());
    let shared_crl_state = web::Data::new(crl::new_shared_state());
    let rl_cfg = RateLimitConfig::default();
    let app = test::init_service(
        App::new()
            .wrap(RateLimitMiddleware::new(rl_cfg))
            .app_data(job_manager.clone())
            .app_data(backend.clone())
            .app_data(cache_state.clone())
            .app_data(shared_crl_state.clone())
            .configure(|cfg| {
                configure_api_routes(
                    cfg,
                    job_manager.clone(),
                    backend.clone(),
                    cache_state.clone(),
                );
            })
            .configure(configure_health_route),
    )
    .await;
    // Health endpoint should always respond 200 regardless of rate limiting
    for _ in 0..50 {
        let req = test_request(actix_web::http::Method::GET, "/health").to_request();
        let resp = test::call_service(&app, req).await;
        assert_eq!(
            resp.status(),
            200,
            "Health endpoint should be exempt from rate limiting"
        );
    }
 }
 #[actix_web::test]
 async fn test_system_info_exempt_from_rate_limiting() {
    let job_manager = web::Data::new(JobManager::new(5, 30, 100).unwrap());
    let backend = web::Data::new(linux_patch_api::packages::create_backend().unwrap());
    let cache_state = web::Data::new(PackageCacheState::new());
    let shared_crl_state = web::Data::new(crl::new_shared_state());
    let rl_cfg = RateLimitConfig::default();
    let app = test::init_service(
        App::new()
            .wrap(RateLimitMiddleware::new(rl_cfg))
            .app_data(job_manager.clone())
            .app_data(backend.clone())
            .app_data(cache_state.clone())
            .app_data(shared_crl_state.clone())
            .configure(|cfg| {
                configure_api_routes(
                    cfg,
                    job_manager.clone(),
                    backend.clone(),
                    cache_state.clone(),
                );
            })
            .configure(configure_health_route),
    )
    .await;
    // /api/v1/system/info should be exempt from rate limiting
    for _ in 0..50 {
        let req = test_request(actix_web::http::Method::GET, "/api/v1/system/info").to_request();
        let resp = test::call_service(&app, req).await;
        // May return 200 or 500 depending on system, but should NOT be 429
        assert_ne!(
            resp.status(),
            429,
            "System info endpoint should be exempt from rate limiting"
        );
    }
 }
 #[actix_web::test]
 async fn test_read_rate_limiting_returns_429() {
    let job_manager = web::Data::new(JobManager::new(5, 30, 100).unwrap());
    let backend = web::Data::new(linux_patch_api::packages::create_backend().unwrap());
    let cache_state = web::Data::new(PackageCacheState::new());
    let shared_crl_state = web::Data::new(crl::new_shared_state());
    // Use very low limits so sequential test requests can reliably trigger 429
    let rl_cfg = RateLimitConfig {
        enabled: true,
        destructive_per_minute: 20,
        destructive_burst: 10,
        read_per_minute: 5,
        read_burst: 3,
    };
    let app = test::init_service(
        App::new()
            .wrap(RateLimitMiddleware::new(rl_cfg))
            .app_data(job_manager.clone())
            .app_data(backend.clone())
            .app_data(cache_state.clone())
            .app_data(shared_crl_state.clone())
            .configure(|cfg| {
                configure_api_routes(
                    cfg,
                    job_manager.clone(),
                    backend.clone(),
                    cache_state.clone(),
                );
            })
            .configure(configure_health_route),
    )
    .await;
    // Read tier: 120 req/min, burst 30
    // Send more than burst_size requests to trigger rate limiting
    let mut rate_limited = false;
    for _ in 0..50 {
        let req = test_request(actix_web::http::Method::GET, "/api/v1/packages").to_request();
        let resp = test::call_service(&app, req).await;
        if resp.status() == 429 {
            rate_limited = true;
            break;
        }
    }
    assert!(
        rate_limited,
        "Read endpoint should return 429 after exceeding burst limit"
    );
 }
 #[actix_web::test]
 async fn test_destructive_rate_limiting_returns_429() {
    let job_manager = web::Data::new(JobManager::new(5, 30, 100).unwrap());
    let backend = web::Data::new(linux_patch_api::packages::create_backend().unwrap());
    let cache_state = web::Data::new(PackageCacheState::new());
    let shared_crl_state = web::Data::new(crl::new_shared_state());
    // Use very low limits so sequential test requests can reliably trigger 429
    let rl_cfg = RateLimitConfig {
        enabled: true,
        destructive_per_minute: 5,
        destructive_burst: 3,
        read_per_minute: 120,
        read_burst: 30,
    };
    let app = test::init_service(
        App::new()
            .wrap(RateLimitMiddleware::new(rl_cfg))
            .app_data(job_manager.clone())
            .app_data(backend.clone())
            .app_data(cache_state.clone())
            .app_data(shared_crl_state.clone())
            .configure(|cfg| {
                configure_api_routes(
                    cfg,
                    job_manager.clone(),
                    backend.clone(),
                    cache_state.clone(),
                );
            })
            .configure(configure_health_route),
    )
    .await;
    // Destructive tier: 20 req/min, burst 10
    // Send more than burst_size requests to trigger rate limiting
    let mut rate_limited = false;
    for _ in 0..15 {
        let req = test_request(actix_web::http::Method::POST, "/api/v1/packages")
            .set_json(serde_json::json!({
                "packages": [{"name": "test-pkg"}],
                "options": {}
            }))
            .to_request();
        let resp = test::call_service(&app, req).await;
        if resp.status() == 429 {
            rate_limited = true;
            break;
        }
    }
    assert!(
        rate_limited,
        "Destructive endpoint should return 429 after exceeding burst limit"
    );
 }
 #[actix_web::test]
 async fn test_rate_limiting_disabled() {
    let job_manager = web::Data::new(JobManager::new(5, 30, 100).unwrap());
    let backend = web::Data::new(linux_patch_api::packages::create_backend().unwrap());
    let cache_state = web::Data::new(PackageCacheState::new());
    let shared_crl_state = web::Data::new(crl::new_shared_state());
    let rl_cfg = RateLimitConfig {
        enabled: false,
        ..RateLimitConfig::default()
    };
    let app = test::init_service(
        App::new()
            .wrap(RateLimitMiddleware::new(rl_cfg))
            .app_data(job_manager.clone())
            .app_data(backend.clone())
            .app_data(cache_state.clone())
            .app_data(shared_crl_state.clone())
            .configure(|cfg| {
                configure_api_routes(
                    cfg,
                    job_manager.clone(),
                    backend.clone(),
                    cache_state.clone(),
                );
            })
            .configure(configure_health_route),
    )
    .await;
    // With rate limiting disabled, even excessive requests should not get 429
    let mut got_429 = false;
    for _ in 0..50 {
        let req = test_request(actix_web::http::Method::GET, "/api/v1/packages").to_request();
        let resp = test::call_service(&app, req).await;
        if resp.status() == 429 {
            got_429 = true;
            break;
        }
    }
    assert!(
        !got_429,
        "Should not get 429 when rate limiting is disabled"
    );
 }
 #[actix_web::test]
 async fn test_job_queue_depth_cap() {
    // Create JobManager with very small queue depth (2)
    let job_manager = JobManager::new(5, 30, 2).unwrap();
    // Fill the queue with pending jobs
    job_manager
        .create_job(JobOperation::Install, vec!["pkg1".to_string()])
        .await
        .unwrap();
    job_manager
        .create_job(JobOperation::Install, vec!["pkg2".to_string()])
        .await
        .unwrap();
    // Queue should now be at capacity
    assert!(
        !job_manager.can_accept_job().await,
        "Queue should be at capacity after filling to max_queue_depth"
    );
 }
 #[actix_web::test]
 async fn test_job_queue_depth_default() {
    // Default max_queue_depth should be 100
    let job_manager = JobManager::new(5, 30, 100).unwrap();
    assert_eq!(
        job_manager.max_queue_depth(),
        100,
        "Default max_queue_depth should be 100"
    );
 }
 #[actix_web::test]
 async fn test_job_queue_depth_configurable() {
    // Verify queue depth is configurable
    let job_manager = JobManager::new(5, 30, 50).unwrap();
    assert_eq!(
        job_manager.max_queue_depth(),
        50,
        "max_queue_depth should be configurable"
    );
 }
 #[actix_web::test]
 async fn test_can_accept_job_respects_queue_depth() {
    let job_manager = JobManager::new(5, 30, 3).unwrap();
    // Should accept when queue is empty
    assert!(
        job_manager.can_accept_job().await,
        "Should accept job when queue is empty"
    );
    // Fill to capacity
    job_manager
        .create_job(JobOperation::Install, vec!["a".to_string()])
        .await
        .unwrap();
    job_manager
        .create_job(JobOperation::Install, vec!["b".to_string()])
        .await
        .unwrap();
    job_manager
        .create_job(JobOperation::Install, vec!["c".to_string()])
        .await
        .unwrap();
    // Should reject when at capacity
    assert!(
        !job_manager.can_accept_job().await,
        "Should reject job when queue is at capacity"
    );
 }
 #[actix_web::test]
 async fn test_rate_limit_config_defaults() {
    let config = RateLimitConfig::default();
    assert!(config.enabled, "Rate limiting should be enabled by default");
    assert_eq!(config.destructive_per_minute, 20);
    assert_eq!(config.destructive_burst, 10);
    assert_eq!(config.read_per_minute, 120);
    assert_eq!(config.read_burst, 30);
 }
Author	SHA1	Message	Date
Draco-Lunaris-Echo	eac05ad1eb	fix: remove dead min_tls_version config field, TLS 1.3 is only supported version (closes #16 ) Some checks failed CI/CD Pipeline / Code Format (push) Successful in 4s CI/CD Pipeline / Clippy Lints (push) Successful in 44s CI/CD Pipeline / All Unit Tests (push) Successful in 1m24s CI/CD Pipeline / Security Audit (push) Successful in 4s CI/CD Pipeline / Enrollment Tests (push) Successful in 1m15s CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 1m0s CI/CD Pipeline / Build Debian Package (push) Failing after 4s CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s CI/CD Pipeline / Build RPM Package (push) Successful in 2m17s CI/CD Pipeline / Build Arch Package (push) Successful in 2m25s CI/CD Pipeline / Build Alpine Package (push) Failing after 3m15s Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 16:50:55 -05:00
Draco-Lunaris-Echo	df2f4c70c9	feat: add rate limiting and job queue depth cap (closes #15 ) Some checks failed CI/CD Pipeline / Code Format (push) Successful in 3s CI/CD Pipeline / Clippy Lints (push) Successful in 45s CI/CD Pipeline / All Unit Tests (push) Successful in 1m24s CI/CD Pipeline / Security Audit (push) Successful in 4s CI/CD Pipeline / Enrollment Tests (push) Successful in 1m14s CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 1m0s CI/CD Pipeline / Build Debian Package (push) Failing after 5s CI/CD Pipeline / Build Arch Package (push) Successful in 2m24s CI/CD Pipeline / Build RPM Package (push) Successful in 2m15s CI/CD Pipeline / Build Alpine Package (push) Failing after 3m19s - Add custom RateLimitMiddleware using governor crate for per-IP rate limiting - Two-tier rate limiting: destructive (20 req/min, burst 10) and read (120 req/min, burst 30) - Health endpoints (/health, /api/v1/system/info) exempt from rate limiting - Add max_queue_depth to JobManager (default: 100, configurable via config.yaml) - Return 429 Too Many Requests with Retry-After header when queue is full - Add RateLimitConfig to config.yaml with all rate limit settings - Add 10 tests covering rate limiting, queue depth, and configuration defaults Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 15:39:49 -05:00
Draco-Lunaris-Echo	6a4c4c95a4	fix: remove dead MtlsMiddleware, add security header middleware, document rustls as auth gate (closes #13 ) Some checks failed CI/CD Pipeline / Code Format (push) Successful in 3s CI/CD Pipeline / Clippy Lints (push) Successful in 42s CI/CD Pipeline / All Unit Tests (push) Successful in 1m11s CI/CD Pipeline / Security Audit (push) Successful in 5s CI/CD Pipeline / Enrollment Tests (push) Successful in 1m13s CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 58s CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 8s CI/CD Pipeline / Build Debian Package (push) Failing after 5s CI/CD Pipeline / Build RPM Package (push) Successful in 2m5s CI/CD Pipeline / Build Arch Package (push) Successful in 2m16s CI/CD Pipeline / Build Alpine Package (push) Failing after 3m5s - Remove dead MtlsMiddleware struct, MtlsMiddlewareService, Transform/Service impls - Remove validate_client_certificate() stub (returned Ok(()) unconditionally) - Remove has_duplicate_critical_headers() from mtls.rs (moved to new module) - Convert build_rustls_config() from method on MtlsMiddleware to free function - Create SecurityHeadersMiddleware in src/auth/security_headers.rs for VULN-006 - Wire SecurityHeadersMiddleware into Actix-web pipeline in main.rs - Add ADR documenting rustls as authoritative client-auth gate - Preserve CrlAwareVerifier, MtlsConfig, MtlsError, ClientCertInfo, build_rustls_config - Add integration tests for duplicate header detection - Update HARDENING_REPORT.md and SECURITY_FINDINGS_REPORT.md with ADR Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 13:58:01 -05:00
Draco-Lunaris-Echo	efaac33c47	fix: remove committed private keys and add runtime cert generation (closes #12 ) Some checks failed CI/CD Pipeline / Code Format (push) Successful in 3s CI/CD Pipeline / Clippy Lints (push) Successful in 43s CI/CD Pipeline / All Unit Tests (push) Successful in 1m12s CI/CD Pipeline / Security Audit (push) Successful in 5s CI/CD Pipeline / Enrollment Tests (push) Successful in 1m12s CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 57s CI/CD Pipeline / Build Debian Package (push) Failing after 4s CI/CD Pipeline / Build RPM Package (push) Successful in 2m12s CI/CD Pipeline / Build Arch Package (push) Successful in 2m18s CI/CD Pipeline / Build Alpine Package (push) Failing after 3m7s - Remove all private key files from git tracking (git rm --cached) - configs/certs/ca.key.pem, server.key.pem, client001.key.pem - tests/e2e/certs/client.key - Also remove public certs from configs/certs/ (generated at runtime) - Add .gitignore patterns for .key, .key.pem, configs/certs/.pem, .srl - Add scripts/generate-dev-certs.sh for runtime test cert generation - Update Python e2e test to generate certs on demand (ensure_certs()) - Update test_wrong_cert_connection to generate wrong-CA certs at runtime - Add gitleaks secret scanning job to CI workflow - Update SECURITY_FINDINGS_REPORT.md with critical finding for Issue #12 - Update SECURITY_CONTROLS_MATRIX.md evidence references - Add README.md to configs/certs/ and tests/e2e/certs/ Private keys were dev/test only - no production key rotation needed. Git history purge with filter-repo will follow after PR merge. Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 13:20:43 -05:00
Draco-Lunaris-Echo	d0c0790cbf	fix: enforce IP whitelist middleware in request pipeline (closes #11 ) Some checks failed CI/CD Pipeline / Code Format (push) Successful in 3s CI/CD Pipeline / Clippy Lints (push) Successful in 41s CI/CD Pipeline / All Unit Tests (push) Successful in 1m9s CI/CD Pipeline / Security Audit (push) Successful in 5s CI/CD Pipeline / Enrollment Tests (push) Successful in 1m11s CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 56s CI/CD Pipeline / Build Debian Package (push) Failing after 3s CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s CI/CD Pipeline / Build RPM Package (push) Successful in 2m13s CI/CD Pipeline / Build Arch Package (push) Successful in 2m17s CI/CD Pipeline / Build Alpine Package (push) Failing after 3m13s Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 12:47:24 -05:00
Draco-Lunaris-Echo	130206a3a3	fix: prevent argument injection RCE in package manager backends (closes #10 ) Some checks failed CI/CD Pipeline / Code Format (push) Successful in 4s CI/CD Pipeline / Clippy Lints (push) Successful in 42s CI/CD Pipeline / All Unit Tests (push) Successful in 1m10s CI/CD Pipeline / Security Audit (push) Successful in 5s CI/CD Pipeline / Enrollment Tests (push) Successful in 1m13s CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 59s CI/CD Pipeline / Build RPM Package (push) Successful in 2m13s CI/CD Pipeline / Build Debian Package (push) Failing after 5s CI/CD Pipeline / Build Arch Package (push) Successful in 2m28s CI/CD Pipeline / Build Alpine Package (push) Failing after 3m33s P0-1: Replace weak validate_package_name() with strict allowlist validation - Pattern: ^[a-zA-Z0-9][a-zA-Z0-9+._-]*$ (must start alphanumeric) - Blocks shell metacharacters, path separators, whitespace, leading hyphens - Add validate_version_string() for version fields (allows : and ~ for RPM epochs) - Add validate_service_name() for service names (allows dots, @, hyphens) P0-2: Add -- separator before user-supplied args in all 20 command sites - APT: install_packages, update_package, remove_package, apply_patches - APK: install_packages, update_package, remove_package, apply_patches - DNF: install_packages, update_package, remove_package, apply_patches - YUM: install_packages, update_package, remove_package, apply_patches - Pacman: install_packages, update_package, remove_package, apply_patches P0-3: Add validation to /patches/apply endpoint - Validate all package names using validate_package_name() - Return 400 Bad Request for invalid names P1: Harden service name validation across all 5 backends - Replace weak checks (empty + / + ..) with strict allowlist - Add -- separator to systemctl show command P2: Gate --force-yes option in APT - Log warning when --force-yes is used (bypasses signature verification) Add comprehensive unit tests for all validation functions. Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 12:00:38 -05:00