Skip to content

Add TLS flag propagation to ServerSession.url() with shim FFI and config support#88

Draft
Copilot wants to merge 2 commits into
mainfrom
copilot/enhance-tls-support-server-session
Draft

Add TLS flag propagation to ServerSession.url() with shim FFI and config support#88
Copilot wants to merge 2 commits into
mainfrom
copilot/enhance-tls-support-server-session

Conversation

Copilot AI commented Apr 15, 2026
edited
Loading

Copy link
Copy Markdown

ServerSession.url() (Java) and Server.URL() (Go) hardcoded http://. This adds the plumbing to detect a TLS-configured server and return https:// instead, with config builder support for cert/key paths.

Rust shim

  • Added tls_enabled: bool to ServerHandle, set by parsing tls_cert_path from the startup YAML via a lightweight ShimTlsConfig struct (independent of FrontendServerConfig, which has no TLS fields)
  • New chroma_server_tls_enabled FFI export — returns 1 (enabled), 0 (disabled), -1 (error)

Go

  • WithTLSCertPath(string) / WithTLSKeyPath(string) server options; serialised as tls_cert_path / tls_key_path in config YAML
  • Server.tls bool populated at startup via chroma_server_tls_enabled; URL() selects http/https accordingly; TLS() bool accessor added
srv, _ := chroma.NewServer(
    chroma.WithPort(8443),
    chroma.WithTLSCertPath("/etc/tls/server.crt"),
    chroma.WithTLSKeyPath("/etc/tls/server.key"),
)
fmt.Println(srv.URL()) // https://0.0.0.0:8443

Java

  • ServerSession constructor gains BooleanSupplier tlsEnabledAccessor (param 7, after persistPathAccessor); url() uses it to choose scheme; new tlsEnabled() accessor
  • ServerConfigBuilder gains .tlsCertPath() / .tlsKeyPath() fluent setters emitting the YAML keys
  • Both JNA and Panama backends bind chroma_server_tls_enabled and pass () -> serverTlsEnabled(handle) into ServerSession
String yaml = new ServerConfigBuilder()
    .port(8443)
    .tlsCertPath("/etc/tls/server.crt")
    .tlsKeyPath("/etc/tls/server.key")
    .build();
try (ServerSession s = runtime.startServer(yaml)) {
    System.out.println(s.url()); // https://127.0.0.1:8443
}

Note: The Chroma frontend does not terminate TLS itself. The tls_cert_path YAML key is a shim-level convention; actual HTTPS requires an external TLS proxy or a future shim-level terminator. The tls_key_path field is parsed and reserved for that future use.

Known issue

MaintenanceExecutorTest.java was missed in the ServerSession constructor update and needs () -> false added as parameter 7 — will cause a Java compile failure and must be fixed before merge.

Copilot AI linked an issue Apr 15, 2026 that may be closed by this pull request
[ENH] Support TLS with self-signed certificates in ServerSession.url() #78
Open
Copilot AI changed the title [WIP] Add TLS support for self-signed certificates in ServerSession.url() Add TLS flag propagation to ServerSession.url() with shim FFI and config support Apr 15, 2026
Copilot AI requested a review from tazarov April 15, 2026 08:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tazarov tazarov Awaiting requested review from tazarov tazarov is a code owner

At least 0 approving reviews are required to merge this pull request.

Assignees

@tazarov tazarov

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[ENH] Support TLS with self-signed certificates in ServerSession.url()

2 participants

@tazarov