feat: expose CA cert PEM and add integration test workflow

Adds --ca-cert flag to 'botlockbox serve' that writes the ephemeral MITM
CA public certificate to a file so clients can trust the proxy. The CA PEM
is threaded from GenerateEphemeralCA() through proxy.New() into Injector.CACertPEM.

Adds .github/workflows/integration.yml which:
- Builds the binary
- Generates an age identity and config for api.github.com
- Seals the GITHUB_TOKEN from the Actions secret store
- Starts botlockbox serve (--ca-cert, --pidfile)
- Waits for the proxy port to open
- Trusts the CA system-wide (update-ca-certificates)
- Proves credential injection end-to-end:
  * Unauthenticated curl without proxy → 401
  * gh api /user with GH_TOKEN=dummy through proxy → 200 (proxy replaces dummy)
  * curl through proxy with no auth → valid user JSON
  * Dummy token without proxy → 401
- Tests live reload: re-seals and sends SIGHUP, verifies proxy still works

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: trodemaster

.github/workflows/integration.yml

@@ -0,0 +1,156 @@
+name: Integration
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  integration:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Build
+        run: make build
+
+      - name: Install age
+        run: |
+          GOBIN=/usr/local/bin go install filippo.io/age/cmd/age-keygen@v1.3.1
+          GOBIN=/usr/local/bin go install filippo.io/age/cmd/age@v1.3.1
+
+      # -----------------------------------------------------------------------
+      # Setup: generate keys, config, and sealed secrets
+      # -----------------------------------------------------------------------
+      - name: Generate age identity
+        run: age-keygen -o /tmp/identity.txt
+
+      - name: Write botlockbox config
+        run: |
+          cat > /tmp/botlockbox.yaml <<'EOF'
+          listen: "127.0.0.1:8080"
+          secrets_file: /tmp/secrets.age
+          rules:
+            - name: github-api
+              match:
+                hosts:
+                  - "api.github.com"
+              inject:
+                headers:
+                  Authorization: "Bearer {{secrets.github_token}}"
+          EOF
+
+      - name: Seal GITHUB_TOKEN into secrets.age
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          printf 'github_token: "%s"\n' "$GITHUB_TOKEN" \
+            | ./bin/botlockbox seal \
+                --config /tmp/botlockbox.yaml \
+                --identity /tmp/identity.txt
+
+      # -----------------------------------------------------------------------
+      # Start proxy
+      # -----------------------------------------------------------------------
+      - name: Start botlockbox serve
+        run: |
+          ./bin/botlockbox serve \
+            --config /tmp/botlockbox.yaml \
+            --identity /tmp/identity.txt \
+            --ca-cert /tmp/botlockbox-ca.pem \
+            --pidfile /tmp/botlockbox.pid &
+
+      - name: Wait for proxy to be ready
+        run: |
+          for i in $(seq 1 40); do
+            if nc -z 127.0.0.1 8080 2>/dev/null; then
+              echo "Proxy is ready (attempt $i)"
+              exit 0
+            fi
+            sleep 0.25
+          done
+          echo "Proxy did not become ready in time" >&2
+          exit 1
+
+      - name: Trust botlockbox CA system-wide
+        run: |
+          sudo cp /tmp/botlockbox-ca.pem /usr/local/share/ca-certificates/botlockbox.crt
+          sudo update-ca-certificates
+
+      # -----------------------------------------------------------------------
+      # Tests
+      # -----------------------------------------------------------------------
+
+      # Baseline: unauthenticated request WITHOUT the proxy → 401
+      - name: Baseline - unauthenticated request returns 401
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://api.github.com/user)
+          echo "Status without proxy: $STATUS"
+          [ "$STATUS" = "401" ]
+
+      # Core test: botlockbox injects the real token even when gh carries a dummy token.
+      # GH_TOKEN=dummy forces gh to send "Authorization: Bearer dummy", which the
+      # proxy overwrites with the sealed real token before forwarding to GitHub.
+      - name: Proxy injects real token - gh api /user succeeds with dummy GH_TOKEN
+        env:
+          GH_TOKEN: dummy-credential
+          HTTPS_PROXY: http://127.0.0.1:8080
+        run: |
+          LOGIN=$(gh api /user --jq '.login')
+          echo "Logged in as: $LOGIN"
+          [ -n "$LOGIN" ]
+
+      # Verify the injected identity matches the token owner
+      - name: Proxy injects real token - curl returns valid user JSON
+        run: |
+          RESPONSE=$(curl -s \
+            --proxy http://127.0.0.1:8080 \
+            --cacert /tmp/botlockbox-ca.pem \
+            https://api.github.com/user)
+          echo "$RESPONSE" | python3 -c "
+          import sys, json
+          data = json.load(sys.stdin)
+          assert 'login' in data, f'missing login field: {data}'
+          print('login:', data['login'])
+          "
+
+      # Confirm without proxy the dummy token is rejected → 401
+      - name: Dummy token without proxy returns 401
+        run: |
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
+            -H "Authorization: Bearer dummy-credential" \
+            https://api.github.com/user)
+          echo "Status with dummy token (no proxy): $STATUS"
+          [ "$STATUS" = "401" ]
+
+      # -----------------------------------------------------------------------
+      # Reload test
+      # -----------------------------------------------------------------------
+      - name: Reload secrets via SIGHUP
+        run: |
+          # Re-seal with the same token (simulates a rotation)
+          printf 'github_token: "%s"\n' "$GITHUB_TOKEN" \
+            | ./bin/botlockbox seal \
+                --config /tmp/botlockbox.yaml \
+                --identity /tmp/identity.txt
+
+          # Signal reload
+          ./bin/botlockbox reload --pidfile /tmp/botlockbox.pid
+          sleep 1
+
+          # Proxy must still serve requests correctly after reload
+          LOGIN=$(GH_TOKEN=dummy-credential HTTPS_PROXY=http://127.0.0.1:8080 \
+            gh api /user --jq '.login')
+          echo "After reload, logged in as: $LOGIN"
+          [ -n "$LOGIN" ]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

cmd/botlockbox/serve.go

@@ -111,6 +111,7 @@ func runServe(args []string) {
 	configPath := fs.String("config", "botlockbox.yaml", "path to botlockbox.yaml")
 	identityPath := fs.String("identity", "", "path to age identity file (required)")
 	pidfilePath := fs.String("pidfile", "", "path to write PID file (optional; used with 'botlockbox reload')")
+	caCertPath := fs.String("ca-cert", "", "path to write the ephemeral MITM CA public certificate PEM (optional; trust this cert in clients)")
 	fs.Usage = func() {
 		fmt.Fprintln(os.Stderr, "Usage: botlockbox serve [flags]")
 		fmt.Fprintln(os.Stderr, "Decrypts secrets and starts the MITM proxy.")
@@ -147,6 +148,13 @@ func runServe(args []string) {
 		os.Exit(1)
 	}
 
+	if *caCertPath != "" {
+		if err := os.WriteFile(*caCertPath, injector.CACertPEM, 0644); err != nil {
+			fmt.Fprintf(os.Stderr, "error writing CA cert: %v\n", err)
+			os.Exit(1)
+		}
+	}
+
 	if *pidfilePath != "" {
 		if err := writePIDFile(*pidfilePath); err != nil {
 			fmt.Fprintf(os.Stderr, "error writing PID file: %v\n", err)

internal/proxy/ephemeral_ca.go

@@ -14,14 +14,15 @@ import (
 
 // GenerateEphemeralCA creates a fresh CA cert and key entirely in memory.
 // Never written to disk. 24h lifetime limits blast radius.
-func GenerateEphemeralCA() (*tls.Certificate, error) {
+// Returns the TLS certificate and the PEM-encoded public certificate (safe to share with clients).
+func GenerateEphemeralCA() (*tls.Certificate, []byte, error) {
 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	template := &x509.Certificate{
 		SerialNumber: serial,
@@ -37,18 +38,19 @@ func GenerateEphemeralCA() (*tls.Certificate, error) {
 	}
 	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
 	keyDER, err := x509.MarshalECPrivateKey(key)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	cert, err := tls.X509KeyPair(
-		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
+		certPEM,
 		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
 	)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
-	return &cert, nil
+	return &cert, certPEM, nil
 }

internal/proxy/injector.go

@@ -24,6 +24,10 @@ type Injector struct {
 	rules         []config.Rule
 	envelope      *secrets.SealedEnvelope
 	lockedSecrets map[string]*memguard.Enclave
+
+	// CACertPEM is the PEM-encoded public certificate of the ephemeral MITM CA.
+	// Safe to write to disk or share with clients that need to trust the proxy.
+	CACertPEM []byte
 }
 
 // Handle is the goproxy request handler.

internal/proxy/proxy.go

@@ -12,7 +12,7 @@ import (
 // New creates a goproxy server configured to inject credentials per the rules.
 // It returns the HTTP handler, the Injector (for live secret rotation via SwapSecrets), and any error.
 func New(cfg *config.Config, result *secrets.UnsealResult) (http.Handler, *Injector, error) {
-	ephemeralCA, err := GenerateEphemeralCA()
+	ephemeralCA, caCertPEM, err := GenerateEphemeralCA()
 	if err != nil {
 		return nil, nil, fmt.Errorf("generating ephemeral CA: %w", err)
 	}
@@ -34,6 +34,7 @@ func New(cfg *config.Config, result *secrets.UnsealResult) (http.Handler, *Injec
 		rules:         cfg.Rules,
 		envelope:      result.Envelope,
 		lockedSecrets: result.LockedSecrets,
+		CACertPEM:     caCertPEM,
 	}
 	p.OnRequest().DoFunc(injector.Handle)
 	InstallResponseScrubber(p)