chore: mark US-028 complete and update progress log

NathanFlurry · claude · NathanFlurry · commit 0ba712172a4d · 2026-03-19T22:00:35.000-07:00
Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/progress.txt b/progress.txt
@@ -2816,3 +2816,16 @@ PRD: ralph/kernel-hardening (46 stories)
   - Postgres SSL: use custom Dockerfile (postgres-ssl.Dockerfile) that installs openssl and generates self-signed cert; existing pg fixtures still work when server has SSL enabled (SSL is optional)
   - pg_stat_ssl system view verifies the connection is actually encrypted — query WHERE pid = pg_backend_pid()
 ---
+
+## 2026-03-19 - US-028
+- Implemented HTTPS error handling e2e tests for TLS edge cases
+- Three parity tests: expired cert, hostname mismatch, self-signed cert with rejectUnauthorized:true
+- Tests generate certs via openssl, start HTTPS servers on ephemeral ports, compare host vs sandbox error messages
+- Files changed:
+  - packages/secure-exec/tests/runtime-driver/node/https-errors.test.ts (new)
+- **Learnings for future iterations:**
+  - TLS error messages propagate correctly through the httpRequest bridge — the adapter rejects with the same Node.js error, and isolated-vm delivers it to the sandbox's catch block
+  - openssl days=0 generates a cert that expires at issuance — a 2s delay in beforeAll ensures the cert is actually expired when tests run
+  - Self-signed cert (no CA in trust chain) with default rejectUnauthorized=true triggers SELF_SIGNED_CERT_IN_CHAIN
+  - Hostname mismatch cert (SAN=wrong.example.com, connecting to 127.0.0.1) triggers ERR_TLS_CERT_ALTNAME_MISMATCH
+---
diff --git a/scripts/ralph/prd.json b/scripts/ralph/prd.json
@@ -498,8 +498,8 @@
         "Tests pass"
       ],
       "priority": 28,
-      "passes": false,
-      "notes": "The existing https-streams.test.ts tests the happy path (self-signed with rejectUnauthorized:false and valid cert chain). Error cases for TLS validation failures are untested. If the sandbox silently accepts bad certs, this is a security issue."
+      "passes": true,
+      "notes": "Completed. Three TLS error scenarios tested with parity: expired cert (CERT_HAS_EXPIRED), hostname mismatch (ERR_TLS_CERT_ALTNAME_MISMATCH), self-signed cert with rejectUnauthorized:true (SELF_SIGNED_CERT_IN_CHAIN). Each test generates certs via openssl, starts HTTPS servers, and compares host vs sandbox error messages. TLS errors propagate correctly through the httpRequest bridge."
     }
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -498,8 +498,8 @@`
`498`	`498`	`"Tests pass"`
`499`	`499`	`],`
`500`	`500`	`"priority": 28,`
`501`		`- "passes": false,`
`502`		`- "notes": "The existing https-streams.test.ts tests the happy path (self-signed with rejectUnauthorized:false and valid cert chain). Error cases for TLS validation failures are untested. If the sandbox silently accepts bad certs, this is a security issue."`
	`501`	`+ "passes": true,`
	`502`	`+ "notes": "Completed. Three TLS error scenarios tested with parity: expired cert (CERT_HAS_EXPIRED), hostname mismatch (ERR_TLS_CERT_ALTNAME_MISMATCH), self-signed cert with rejectUnauthorized:true (SELF_SIGNED_CERT_IN_CHAIN). Each test generates certs via openssl, starts HTTPS servers, and compares host vs sandbox error messages. TLS errors propagate correctly through the httpRequest bridge."`
`503`	`503`	`}`
`504`	`504`	`]`
`505`	`505`	`}`