feat(workflow-executor): optional database TLS via DATABASE_SSL #1685

Merged: PMerlet merged 3 commits into main from feat/workflow-executor-database-ssl on Jun 19, 2026

@PMerlet PMerlet commented Jun 19, 2026

Problem

Managed databases (AWS RDS, etc.) commonly require TLS. The executor CLI only passed the connection URI to Sequelize with no SSL option, so against such a database the connection is rejected at startup:

no pg_hba.conf entry for host "…", user "…", database "…", no encryption

runStore.init() (migration) throws → the process exits → the service never becomes healthy. Hit while deploying the executor as a Beanstalk service against the staging RDS (which enforces SSL).

Fix

Add a DATABASE_SSL env var. When enabled, the database connection uses:

dialectOptions: { ssl: { require: true, rejectUnauthorized: false } }

i.e. encrypt without verifying the server certificate — the same setup the agent's server uses for staging/production RDS, and the standard approach for RDS without bundling the CA. Defaults off, so existing non-TLS deployments are unchanged.

Robust parsing (QA hardening)

DATABASE_SSL is parsed leniently — true / 1 / yes / on (case-insensitive) enable it, false / 0 / no / off / unset disable it — and an unrecognized value throws ConfigurationError rather than silently disabling TLS (the same footgun we just removed for LOG_LEVEL).

Observability

The resolved database TLS state is logged at startup (databaseSsl in the "Workflow executor starting" line), so operators can confirm whether the connection is encrypted.

Tests

cli.test.ts: 83 passing, and cli-core.ts at 100% statements / lines / functions (all changed lines covered):

  • DATABASE_SSL truthy variants (true/TRUE/True/1/yes/on) → enabled.
  • Falsy variants (false/0/no/off/'') → disabled; unset → disabled.
  • Unrecognized value → throws ConfigurationError.
  • runCli with SSL on → buildDatabase receives database.dialectOptions.ssl = { require: true, rejectUnauthorized: false }; with SSL off → database stays { uri }.
  • logStartup reports databaseSsl in database mode.

Documented in the README and --help.

Known limitation (intentional)

rejectUnauthorized: false is the only TLS mode offered — it encrypts but does not verify the server certificate (MITM exposure). This matches the agent's server setup and is the practical choice for RDS, but there is no verify-full / custom-CA option yet. Worth a follow-up for stricter TLS policies. End-to-end TLS is verified at deploy time (no SSL-capable DB in this package's CI; the tests assert wiring).

🤖 Generated with Claude Code

PMerlet and others added 2 commits June 19, 2026 14:22
Managed databases (RDS, etc.) commonly require TLS, but the CLI only passed the
connection URI to Sequelize with no SSL option, so the executor was rejected
with "no pg_hba.conf entry ... no encryption" and crashed at startup.

Add DATABASE_SSL=true to connect over TLS using
`dialectOptions: { ssl: { require: true, rejectUnauthorized: false } }` —
encrypt without verifying the server certificate, mirroring the agent's server
setup. Defaults off, so existing non-TLS setups are unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
qltysh Bot commented Jun 19, 2026

Coverage Impact

This PR will not change total coverage.

Modified Files with Diff Coverage (1)

| Rating | File | % Diff | Uncovered Line #s |
| --- | --- | --- | --- |
| A | packages/workflow-executor/src/cli-core.ts | 100.0% | |
| | Total | 100.0% | |

QA hardening of the DATABASE_SSL flag:
- Parse it leniently (true/1/yes/on, case-insensitive) and throw
  ConfigurationError on an unrecognized value, instead of silently treating
  anything but "true" as disabled — same footgun we just removed for LOG_LEVEL.
- Log the resolved database TLS state at startup so operators can confirm
  whether the connection is encrypted.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
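
The DATABASE_SSL parsing described in the PR description and in the QA-hardening commit above, together with the TLS options it selects, as an added TypeScript example (not the project's cli-core.ts). The `caPem` parameter and `describeTls` are hypothetical: they sketch the certificate-verifying follow-up the description mentions as not yet available.

```typescript
// Added example, not the project's cli-core.ts; names follow the PR text.
class ConfigurationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'ConfigurationError';
  }
}

type Env = Record<string, string | undefined>;
type SslOptions = { require: true; rejectUnauthorized: boolean; ca?: string };
type DatabaseOptions = { uri: string; dialectOptions?: { ssl: SslOptions } };

const SSL_ON = ['true', '1', 'yes', 'on'];
const SSL_OFF = ['false', '0', 'no', 'off', ''];

// Unset or a falsy spelling disables TLS, a truthy spelling enables it, and
// anything else is rejected instead of silently meaning "off".
function parseDatabaseSsl(raw: string | undefined): boolean {
  if (raw === undefined) return false;
  const value = raw.toLowerCase();
  if (SSL_ON.indexOf(value) !== -1) return true;
  if (SSL_OFF.indexOf(value) !== -1) return false;
  throw new ConfigurationError(
    `DATABASE_SSL: unrecognized value "${raw}" (use true/1/yes/on or false/0/no/off)`
  );
}

// caPem is a hypothetical extension (assumption): with a CA bundle the server
// certificate is verified; without it this is the PR's encrypt-only mode.
function buildDatabaseOptions(uri: string, env: Env, caPem?: string): DatabaseOptions {
  if (!parseDatabaseSsl(env['DATABASE_SSL'])) return { uri };
  const ssl: SslOptions = caPem
    ? { require: true, rejectUnauthorized: true, ca: caPem }
    : { require: true, rejectUnauthorized: false };
  return { uri, dialectOptions: { ssl } };
}

// Hypothetical startup label that separates "encrypted" from "verified".
function describeTls(options: DatabaseOptions): string {
  const ssl = options.dialectOptions ? options.dialectOptions.ssl : undefined;
  if (!ssl) return 'off';
  return ssl.rejectUnauthorized
    ? 'encrypted, certificate verified'
    : 'encrypted, certificate NOT verified';
}
```
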
@PMerlet PMerlet merged commit 91870c7 into main Jun 19, 2026
31 checks passed
@PMerlet PMerlet deleted the feat/workflow-executor-database-ssl branch June 19, 2026 12:38
forest-bot added a commit that referenced this pull request Jun 19, 2026
# @forestadmin/workflow-executor [1.6.0](https://github.com/ForestAdmin/agent-nodejs/compare/@forestadmin/workflow-executor@1.5.1...@forestadmin/workflow-executor@1.6.0) (2026-06-19)

### Features

* **workflow-executor:** optional database TLS via DATABASE_SSL ([#1685](#1685)) ([91870c7](91870c7))