From f7a368cc221f95cda95b285bf606b5c5267b4205 Mon Sep 17 00:00:00 2001
From: matthew-pilot <matthew@vulturelabs.io>
Date: Sat, 30 May 2026 10:52:28 +0000
Subject: [PATCH] fix(compat): skip dev-*.pem roots in production builds
 (PILOT-284)

The daemon's WSS compat layer uses //go:embed roots/*.pem to embed
trusted root CAs. This glob picks up dev-2026.pem unconditionally,
shipping a development root cert in every production binary.

This commit adds a skipDevPems flag (default true) that excludes
files starting with "dev-" from the trust pool. In dev builds
(-tags dev), roots_dev.go sets skipDevPems via init() so the
development root is still available for local testing.

The existing TestPinnedRoots_LoadsEmbeddedRoots is adjusted to skip
gracefully when no production roots are embedded (transitional state
until a prod root is minted via pilot-ca init-root).

Closes PILOT-284
---
 internal/transport/compat/roots.go         | 10 ++++++++++
 internal/transport/compat/roots_dev.go     |  9 +++++++++
 internal/transport/compat/zz_roots_test.go |  7 +++++++
 3 files changed, 26 insertions(+)
 create mode 100644 internal/transport/compat/roots_dev.go

diff --git a/internal/transport/compat/roots.go b/internal/transport/compat/roots.go
index 2b972d73..4a524859 100644
--- a/internal/transport/compat/roots.go
+++ b/internal/transport/compat/roots.go
@@ -33,6 +33,11 @@ import (
 //go:embed roots/*.pem
 var rootsFS embed.FS
 
+// skipDevPems controls whether development root certs (files starting
+// with "dev-") are excluded from the trust pool. Default true;
+// roots_dev.go (compiled with -tags dev) sets it to false via init().
+var skipDevPems = true
+
 // PinnedRoots returns a CertPool containing every root cert embedded
 // in the daemon binary. Used when -tls-trust=pinned (the default).
 //
@@ -50,6 +55,11 @@ func PinnedRoots() (*x509.CertPool, error) {
 		if e.IsDir() || !strings.HasSuffix(e.Name(), ".pem") {
 			continue
 		}
+		// Skip development root certs in production builds;
+		// roots_dev.go (//go:build dev) disables this guard.
+		if skipDevPems && strings.HasPrefix(e.Name(), "dev-") {
+			continue
+		}
 		body, err := rootsFS.ReadFile("roots/" + e.Name())
 		if err != nil {
 			return nil, fmt.Errorf("read embedded root %s: %w", e.Name(), err)
diff --git a/internal/transport/compat/roots_dev.go b/internal/transport/compat/roots_dev.go
new file mode 100644
index 00000000..23d995e7
--- /dev/null
+++ b/internal/transport/compat/roots_dev.go
@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+//go:build dev
+
+package compat
+
+// In dev builds, development root certs (dev-*.pem) are trusted
+// alongside production roots. Production builds skip them.
+func init() { skipDevPems = false }
diff --git a/internal/transport/compat/zz_roots_test.go b/internal/transport/compat/zz_roots_test.go
index 85570bc7..695aa825 100644
--- a/internal/transport/compat/zz_roots_test.go
+++ b/internal/transport/compat/zz_roots_test.go
@@ -22,6 +22,13 @@ import (
 func TestPinnedRoots_LoadsEmbeddedRoots(t *testing.T) {
 	pool, err := PinnedRoots()
 	if err != nil {
+		// In production builds, dev-* roots are excluded. If no
+		// production root has been minted yet, PinnedRoots returns
+		// "no embedded Pilot Protocol roots found". Skip the test
+		// until a prod root is added.
+		if strings.Contains(err.Error(), "no embedded") && skipDevPems {
+			t.Skipf("no production roots embedded yet: %v", err)
+		}
 		t.Fatalf("PinnedRoots() error: %v", err)
 	}
 	if pool == nil {