feat(httpclient): trust additional CA certs from a directory

[reinkrul]

Closes #4285

Summary

The outbound HTTP client trusted only the OS CA bundle, so trusting an extra CA (e.g. the AORTA-GtK issuer) required rebuilding the Docker image with the cert baked in. This adds a config option to load additional CA certificates from a directory at startup.

Changes

• Config: new httpclient.tls.extracertsdir. When set, all *.pem and *.crt files in the directory are parsed and added to the HTTP client trust bundle, on top of the OS CA bundle. Each cert is logged with its subject, SHA-256 fingerprint and type (root CA / intermediate CA / certificate) for audit.
• Wiring: loaded in http.Engine.configureClient, mutating the shared client.SafeHttpTransport root pool. Affects the general clients (client.New / NewWithCache).
• Docker: image creates /etc/nuts/http-trust.d (owned by the nuts user) and sets NUTS_HTTPCLIENT_TLS_EXTRACERTSDIR by default → drop PEM/CRT files in via a volume mount, no rebuild.
• Docs: new server_options.rst row, documented the trust dir / env var in the Docker deployment guide, and regenerated config docs (make cli-docs).
• Tests: loader unit tests (valid .pem+.crt, non-existent dir, non-cert extension ignored, malformed cert), cert classification, flag parsing, and an end-to-end test that stands up an HTTPS server with a custom-CA cert and verifies the client only connects after the CA is loaded.

Behavior

• Empty config → feature off.
• Configured-but-missing directory, or a malformed cert file → hard error at startup (fail fast rather than silently dropping an intended trust anchor).
• In Docker the dir always exists; an empty dir is a no-op.

Scope notes

• Separate from the gRPC trust bundle (tls.truststorefile) — out of scope per the issue.
• A TLS client has a single trust-anchor pool (RootCAs); intermediates presented by the server are used for chain building during the handshake. All loaded certs go into that one pool (same as the gRPC truststore); the root/intermediate split is informational in the logs.
• The mTLS path (NewWithTLSConfig, OpenID4VCI) replaces the whole TLS config and is intentionally unaffected.
• No hot reload (out of scope).

🤖 Assisted by AI

[qltysh]

Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.01%.

Modified Files with Diff Coverage (3)

Rating	File	% Diff	Uncovered Line #s
	http/engine.go	55.6%	70-71, 107-108
	core/server_config.go	100.0%
	http/client/trustbundle.go	85.7%	45-48, 57, 68-69
	Total	81.4%

🤖 Increase coverage with AI coding...

In the `feature/4285-httpclient-trust-bundle` branch, add test coverage for this new code:

- `http/client/trustbundle.go` -- Lines 45-48, 57, and 68-69
- `http/engine.go` -- Lines 70-71 and 107-108

🚦 See full report on Qlty Cloud »

🛟 Help

• Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

• Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

• File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

  • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

[qltysh]

0 new issues

Tool	Category	Rule	Count