refactor(tls): address PR review feedback and consolidate code

- Consolidate TLSSocket with llrt_net by sharing common types
  (ReadyState, LOCALHOST, get_hostname, rw_join) from llrt_net
- Merge SecureContextOptions into BuildClientConfigOptions to
  reduce duplication between tls and http modules
- Replace custom hex_encode with llrt_encoding::bytes_to_hex_string
- Use [].concat() pattern for string formatting in keylog.rs
- Capture actual cipher/protocol info from TLS connection after
  handshake instead of returning hardcoded values
- Add clarifying comment for servername SNI requirement

Author: chessbyte

Cargo.lock

@@ -45,9 +45,7 @@ impl Agent {
         let config = llrt_tls::build_client_config(llrt_tls::BuildClientConfigOptions {
             reject_unauthorized,
             ca,
-            cert: None,
-            key: None,
-            key_log: None,
+            ..Default::default()
         })
         .or_throw_msg(&ctx, "Failed to build TLS config")?;
         let client =

modules/llrt_http/src/agent.rs

@@ -28,10 +28,12 @@ mod socket;
 
 use self::{server::Server, socket::Socket};
 
-const LOCALHOST: &str = "localhost";
+/// Localhost constant shared across socket implementations
+pub const LOCALHOST: &str = "localhost";
 
-#[allow(dead_code)]
-enum ReadyState {
+/// Socket ready state, shared between net::Socket and tls::TLSSocket
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub enum ReadyState {
     Opening,
     Open,
     Closed,
@@ -103,11 +105,13 @@ impl Listener {
     }
 }
 
-fn get_hostname(host: &str, port: u16) -> String {
+/// Build a hostname:port string from host and port
+pub fn get_hostname(host: &str, port: u16) -> String {
     [host, itoa::Buffer::new().format(port)].join(":")
 }
 
-fn get_address_parts(
+/// Extract address parts (ip, port, family) from a socket address result
+pub fn get_address_parts(
     ctx: &Ctx,
     addr: StdResult<SocketAddr, std::io::Error>,
 ) -> Result<(String, u16, String)> {
@@ -119,7 +123,8 @@ fn get_address_parts(
     ))
 }
 
-async fn rw_join(
+/// Wait for both readable and writable streams to complete
+pub async fn rw_join(
     ctx: &Ctx<'_>,
     readable_done: Receiver<bool>,
     writable_done: Receiver<bool>,

modules/llrt_net/src/lib.rs

@@ -22,7 +22,9 @@ base64-simd = { version = "0.8", features = ["alloc"], default-features = false
 itoa = { version = "1", default-features = false }
 llrt_buffer = { version = "0.7.0-beta", path = "../llrt_buffer" }
 llrt_context = { version = "0.7.0-beta", path = "../../libs/llrt_context" }
+llrt_encoding = { version = "0.7.0-beta", path = "../../libs/llrt_encoding" }
 llrt_events = { version = "0.7.0-beta", path = "../llrt_events" }
+llrt_net = { version = "0.7.0-beta", path = "../llrt_net" }
 llrt_stream = { version = "0.7.0-beta", path = "../llrt_stream" }
 llrt_utils = { version = "0.7.0-beta", path = "../../libs/llrt_utils", default-features = false }
 once_cell = { version = "1", features = ["std"], default-features = false }

modules/llrt_tls/Cargo.toml

@@ -44,24 +44,42 @@ pub fn get_tls_versions() -> Option<Vec<&'static SupportedProtocolVersion>> {
 }
 
 pub static TLS_CONFIG: Lazy<Result<ClientConfig, Box<dyn std::error::Error + Send + Sync>>> =
-    Lazy::new(|| {
-        build_client_config(BuildClientConfigOptions {
-            reject_unauthorized: true,
-            ca: None,
-            cert: None,
-            key: None,
-            key_log: None,
-        })
-    });
+    Lazy::new(|| build_client_config(BuildClientConfigOptions::default()));
 
+/// Unified TLS client configuration options.
+/// Used by SecureContext, tls.connect(), and HTTP agent.
 pub struct BuildClientConfigOptions {
+    /// Whether to reject unauthorized certificates (default: true)
     pub reject_unauthorized: bool,
+    /// Custom CA certificates in PEM format
     pub ca: Option<Vec<Vec<u8>>>,
     /// Client certificate in PEM format for mTLS
     pub cert: Option<Vec<u8>>,
     /// Client private key in PEM format for mTLS
     pub key: Option<Vec<u8>>,
+    /// Key log callback for debugging TLS connections
     pub key_log: Option<Arc<dyn rustls::KeyLog>>,
+    /// Cipher suites (OpenSSL format) - currently unused, reserved for future
+    pub ciphers: Option<String>,
+    /// Minimum TLS version (e.g., "TLSv1.2") - currently unused, reserved for future
+    pub min_version: Option<String>,
+    /// Maximum TLS version (e.g., "TLSv1.3") - currently unused, reserved for future
+    pub max_version: Option<String>,
+}
+
+impl Default for BuildClientConfigOptions {
+    fn default() -> Self {
+        Self {
+            reject_unauthorized: true, // Secure by default
+            ca: None,
+            cert: None,
+            key: None,
+            key_log: None,
+            ciphers: None,
+            min_version: None,
+            max_version: None,
+        }
+    }
 }
 
 pub fn build_client_config(

modules/llrt_tls/src/config.rs

@@ -12,6 +12,7 @@
 use std::fmt::Debug;
 use std::sync::Arc;
 
+use llrt_encoding::bytes_to_hex_string;
 use rustls::KeyLog;
 use tokio::sync::mpsc;
 
@@ -24,10 +25,10 @@ pub struct KeyLogLine {
 impl KeyLogLine {
     /// Format a key log line in NSS format
     pub fn new(label: &str, client_random: &[u8], secret: &[u8]) -> Self {
-        let client_random_hex = hex_encode(client_random);
-        let secret_hex = hex_encode(secret);
+        let client_random_hex = bytes_to_hex_string(client_random);
+        let secret_hex = bytes_to_hex_string(secret);
         Self {
-            line: format!("{} {} {}\n", label, client_random_hex, secret_hex),
+            line: [label, " ", &client_random_hex, " ", &secret_hex, "\n"].concat(),
         }
     }
 
@@ -37,11 +38,6 @@ impl KeyLogLine {
     }
 }
 
-/// Encode bytes as hexadecimal string
-fn hex_encode(bytes: &[u8]) -> String {
-    bytes.iter().map(|b| format!("{:02x}", b)).collect()
-}
-
 /// A KeyLog implementation that sends key log lines through a channel
 pub struct ChannelKeyLog {
     sender: mpsc::UnboundedSender<KeyLogLine>,
@@ -84,12 +80,6 @@ mod tests {
         assert_eq!(line.line, "CLIENT_RANDOM 010203 aabbcc\n");
     }
 
-    #[test]
-    fn test_hex_encode() {
-        assert_eq!(hex_encode(&[0x00, 0xff, 0x10]), "00ff10");
-        assert_eq!(hex_encode(&[]), "");
-    }
-
     #[tokio::test]
     async fn test_channel_keylog() {
         let (keylog, mut receiver) = ChannelKeyLog::new();

modules/llrt_tls/src/keylog.rs

@@ -130,7 +130,7 @@ fn get_ciphers(ctx: Ctx<'_>) -> Result<Array<'_>> {
 }
 
 /// Convert rustls CipherSuite to OpenSSL-style name
-fn cipher_suite_to_openssl_name(suite: rustls::CipherSuite) -> &'static str {
+pub fn cipher_suite_to_openssl_name(suite: rustls::CipherSuite) -> &'static str {
     use rustls::CipherSuite::*;
     match suite {
         // TLS 1.3 cipher suites

modules/llrt_tls/src/lib.rs

@@ -14,75 +14,73 @@ use rustls::pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer};
 use rustls::{ClientConfig, RootCertStore, ServerConfig};
 use webpki_roots::TLS_SERVER_ROOTS;
 
-/// Options for creating a secure context
-#[derive(Default)]
-pub struct SecureContextOptions {
-    pub cert: Option<Vec<u8>>,
-    pub key: Option<Vec<u8>>,
-    pub ca: Option<Vec<Vec<u8>>>,
-    pub ciphers: Option<String>,
-    pub min_version: Option<String>,
-    pub max_version: Option<String>,
-}
-
-impl SecureContextOptions {
-    pub fn from_js_options<'js>(ctx: &Ctx<'js>, opts: &Object<'js>) -> Result<Self> {
-        let mut options = Self::default();
-
-        // Handle certificate
-        if let Some(cert_value) = opts.get_optional::<_, Value>("cert")? {
-            if let Some(s) = cert_value.as_string() {
-                options.cert = Some(s.to_string()?.into_bytes());
-            } else if let Some(bytes) = get_bytes_from_value(ctx, &cert_value)? {
-                options.cert = Some(bytes);
-            }
+use crate::BuildClientConfigOptions;
+
+/// Parse BuildClientConfigOptions from a JavaScript options object
+pub fn options_from_js<'js>(
+    ctx: &Ctx<'js>,
+    opts: &Object<'js>,
+) -> Result<BuildClientConfigOptions> {
+    let mut options = BuildClientConfigOptions::default();
+
+    // Handle certificate
+    if let Some(cert_value) = opts.get_optional::<_, Value>("cert")? {
+        if let Some(s) = cert_value.as_string() {
+            options.cert = Some(s.to_string()?.into_bytes());
+        } else if let Some(bytes) = get_bytes_from_value(ctx, &cert_value)? {
+            options.cert = Some(bytes);
         }
+    }
 
-        // Handle private key
-        if let Some(key_value) = opts.get_optional::<_, Value>("key")? {
-            if let Some(s) = key_value.as_string() {
-                options.key = Some(s.to_string()?.into_bytes());
-            } else if let Some(bytes) = get_bytes_from_value(ctx, &key_value)? {
-                options.key = Some(bytes);
-            }
+    // Handle private key
+    if let Some(key_value) = opts.get_optional::<_, Value>("key")? {
+        if let Some(s) = key_value.as_string() {
+            options.key = Some(s.to_string()?.into_bytes());
+        } else if let Some(bytes) = get_bytes_from_value(ctx, &key_value)? {
+            options.key = Some(bytes);
         }
+    }
 
-        // Handle CA certificates
-        if let Some(ca_value) = opts.get_optional::<_, Value>("ca")? {
-            let mut ca_certs = Vec::new();
-            if let Some(ca_array) = ca_value.as_array() {
-                for item in ca_array.iter::<Value>() {
-                    let item = item?;
-                    if let Some(s) = item.as_string() {
-                        ca_certs.push(s.to_string()?.into_bytes());
-                    } else if let Some(bytes) = get_bytes_from_value(ctx, &item)? {
-                        ca_certs.push(bytes);
-                    }
+    // Handle CA certificates
+    if let Some(ca_value) = opts.get_optional::<_, Value>("ca")? {
+        let mut ca_certs = Vec::new();
+        if let Some(ca_array) = ca_value.as_array() {
+            for item in ca_array.iter::<Value>() {
+                let item = item?;
+                if let Some(s) = item.as_string() {
+                    ca_certs.push(s.to_string()?.into_bytes());
+                } else if let Some(bytes) = get_bytes_from_value(ctx, &item)? {
+                    ca_certs.push(bytes);
                 }
-            } else if let Some(s) = ca_value.as_string() {
-                ca_certs.push(s.to_string()?.into_bytes());
-            } else if let Some(bytes) = get_bytes_from_value(ctx, &ca_value)? {
-                ca_certs.push(bytes);
-            }
-            if !ca_certs.is_empty() {
-                options.ca = Some(ca_certs);
             }
+        } else if let Some(s) = ca_value.as_string() {
+            ca_certs.push(s.to_string()?.into_bytes());
+        } else if let Some(bytes) = get_bytes_from_value(ctx, &ca_value)? {
+            ca_certs.push(bytes);
         }
-
-        if let Some(ciphers) = opts.get_optional::<_, String>("ciphers")? {
-            options.ciphers = Some(ciphers);
+        if !ca_certs.is_empty() {
+            options.ca = Some(ca_certs);
         }
+    }
 
-        if let Some(min_version) = opts.get_optional::<_, String>("minVersion")? {
-            options.min_version = Some(min_version);
-        }
+    // Handle rejectUnauthorized
+    if let Some(reject_unauthorized) = opts.get_optional::<_, bool>("rejectUnauthorized")? {
+        options.reject_unauthorized = reject_unauthorized;
+    }
 
-        if let Some(max_version) = opts.get_optional::<_, String>("maxVersion")? {
-            options.max_version = Some(max_version);
-        }
+    if let Some(ciphers) = opts.get_optional::<_, String>("ciphers")? {
+        options.ciphers = Some(ciphers);
+    }
 
-        Ok(options)
+    if let Some(min_version) = opts.get_optional::<_, String>("minVersion")? {
+        options.min_version = Some(min_version);
     }
+
+    if let Some(max_version) = opts.get_optional::<_, String>("maxVersion")? {
+        options.max_version = Some(max_version);
+    }
+
+    Ok(options)
 }
 
 fn get_bytes_from_value<'js>(ctx: &Ctx<'js>, value: &Value<'js>) -> Result<Option<Vec<u8>>> {
@@ -132,7 +130,7 @@ impl SecureContext {
 
 impl SecureContext {
     /// Create a new SecureContext from options
-    pub fn from_options(ctx: &Ctx<'_>, options: SecureContextOptions) -> Result<Self> {
+    pub fn from_options(ctx: &Ctx<'_>, options: BuildClientConfigOptions) -> Result<Self> {
         let mut secure_context = Self::new();
 
         // Build client config if we have CA certs or need default trust
@@ -165,26 +163,32 @@ impl SecureContext {
             })?
             .with_root_certificates(root_store);
 
-        let client_config = if let (Some(cert_pem), Some(key_pem)) = (&options.cert, &options.key) {
-            // Client certificate authentication
-            let certs: Vec<CertificateDer<'static>> = CertificateDer::pem_slice_iter(cert_pem)
-                .collect::<std::result::Result<Vec<_>, _>>()
-                .map_err(|e| {
-                    Exception::throw_message(ctx, &format!("Invalid certificate: {}", e))
+        let mut client_config =
+            if let (Some(cert_pem), Some(key_pem)) = (&options.cert, &options.key) {
+                // Client certificate authentication
+                let certs: Vec<CertificateDer<'static>> = CertificateDer::pem_slice_iter(cert_pem)
+                    .collect::<std::result::Result<Vec<_>, _>>()
+                    .map_err(|e| {
+                        Exception::throw_message(ctx, &format!("Invalid certificate: {}", e))
+                    })?;
+
+                let key = PrivateKeyDer::from_pem_slice(key_pem).map_err(|e| {
+                    Exception::throw_message(ctx, &format!("Invalid private key: {}", e))
                 })?;
 
-            let key = PrivateKeyDer::from_pem_slice(key_pem).map_err(|e| {
-                Exception::throw_message(ctx, &format!("Invalid private key: {}", e))
-            })?;
-
-            client_builder
-                .with_client_auth_cert(certs, key)
-                .map_err(|e| {
-                    Exception::throw_message(ctx, &format!("Failed to set client auth: {}", e))
-                })?
-        } else {
-            client_builder.with_no_client_auth()
-        };
+                client_builder
+                    .with_client_auth_cert(certs, key)
+                    .map_err(|e| {
+                        Exception::throw_message(ctx, &format!("Failed to set client auth: {}", e))
+                    })?
+            } else {
+                client_builder.with_no_client_auth()
+            };
+
+        // Set key log if provided
+        if let Some(key_log) = options.key_log {
+            client_config.key_log = key_log;
+        }
 
         secure_context.client_config = Some(Arc::new(client_config));
 
@@ -220,9 +224,9 @@ pub fn create_secure_context<'js>(
     options: Option<Object<'js>>,
 ) -> Result<Class<'js, SecureContext>> {
     let opts = if let Some(opts) = options {
-        SecureContextOptions::from_js_options(&ctx, &opts)?
+        options_from_js(&ctx, &opts)?
     } else {
-        SecureContextOptions::default()
+        BuildClientConfigOptions::default()
     };
 
     let secure_context = SecureContext::from_options(&ctx, opts)?;