feat(searchengine): env-gated TLS skip verify for ES connections

Adds an opt-in tlsSkipVerify bool to searchengine.New, plumbed from
each service's config:

- search-service:     SEARCH_TLS_SKIP_VERIFY (default false)
- search-sync-worker: SEARCH_TLS_SKIP_VERIFY (default false)

Default-off keeps prod safe; ops opts in per environment for
self-signed/internal ES clusters. When false, the factory uses the
standard ES client transport — same behavior as before this PR.
When true, clones http.DefaultTransport (preserving ProxyFromEnvironment,
dial/TLS-handshake timeouts, HTTP/2, idle-conn tuning) and overrides
only TLSClientConfig with InsecureSkipVerify=true and MinVersion=TLS 1.2,
guarding the type assertion on http.DefaultTransport so we error out
cleanly if a middleware (e.g. OTel) has replaced it.

Also enables gosec G402 narrowly in .golangci.yml so the //nolint:gosec
annotation in pkg/oidc and pkg/searchengine actually suppresses a real
rule, and any future unannotated InsecureSkipVerify is rejected at
lint time.

Includes a goimports-only struct alignment tweak in
room-worker/integration_test.go picked up while running make fmt — no
behavior change.

https://claude.ai/code/session_01UkLD7hpaypxjeh5zbEWTjp

Author: claude

.golangci.yml

@@ -9,13 +9,21 @@ linters:
     - nilerr
     - bodyclose
     - exhaustive
+    - gosec
   settings:
     exhaustive:
       default-signifies-exhaustive: true
     gocritic:
       enabled-tags:
         - diagnostic
         - performance
+    gosec:
+      # Narrowly scoped to G402 (TLS InsecureSkipVerify) so the existing
+      # //nolint:gosec annotations in pkg/oidc and pkg/searchengine are
+      # actually suppressing a real rule, and any new unannotated
+      # InsecureSkipVerify is rejected at lint time.
+      includes:
+        - G402
   exclusions:
     presets:
       - std-error-handling

pkg/searchengine/factory.go

@@ -2,19 +2,36 @@ package searchengine
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
+	"net/http"
 	"time"
 
 	"github.com/elastic/go-elasticsearch/v8"
 )
 
 // New creates a SearchEngine for the given backend ("elasticsearch" or "opensearch").
-// It verifies connectivity via Ping before returning.
-func New(ctx context.Context, backend, url string) (SearchEngine, error) {
+// It verifies connectivity via Ping before returning. When tlsSkipVerify is
+// true, server certificate verification is disabled — intended for
+// self-signed/internal ES clusters; MUST stay false in production.
+func New(ctx context.Context, backend, url string, tlsSkipVerify bool) (SearchEngine, error) {
 	var transport Transporter
 	switch backend {
 	case "elasticsearch":
-		client, err := elasticsearch.NewClient(elasticsearch.Config{Addresses: []string{url}})
+		esCfg := elasticsearch.Config{Addresses: []string{url}}
+		if tlsSkipVerify {
+			dt, ok := http.DefaultTransport.(*http.Transport)
+			if !ok {
+				return nil, fmt.Errorf("create elasticsearch client: http.DefaultTransport is not *http.Transport")
+			}
+			httpTransport := dt.Clone()
+			httpTransport.TLSClientConfig = &tls.Config{
+				InsecureSkipVerify: true, //nolint:gosec // intentional: opt-in via config for self-signed ES certs
+				MinVersion:         tls.VersionTLS12,
+			}
+			esCfg.Transport = httpTransport
+		}
+		client, err := elasticsearch.NewClient(esCfg)
 		if err != nil {
 			return nil, fmt.Errorf("create elasticsearch client: %w", err)
 		}

room-worker/integration_test.go

@@ -752,9 +752,9 @@ func TestProcessAddMembers_OutboxPerRemoteSite(t *testing.T) {
 	})
 	// Owner sub.
 	mustInsertSub(t, db, &model.Subscription{
-		ID:       idgen.GenerateUUIDv7(),
-		User:     model.SubscriptionUser{ID: "u_alice", Account: "alice"},
-		RoomID:   roomID, SiteID: "site-A", Name: roomName, RoomType: model.RoomTypeChannel,
+		ID:     idgen.GenerateUUIDv7(),
+		User:   model.SubscriptionUser{ID: "u_alice", Account: "alice"},
+		RoomID: roomID, SiteID: "site-A", Name: roomName, RoomType: model.RoomTypeChannel,
 		Roles:    []model.Role{model.RoleOwner},
 		JoinedAt: time.Now().UTC(),
 	})
@@ -872,9 +872,9 @@ func TestProcessAddMembers_PublishesLocalInbox_Integration(t *testing.T) {
 		CreatedAt: time.Now().UTC(), UpdatedAt: time.Now().UTC(),
 	})
 	mustInsertSub(t, db, &model.Subscription{
-		ID:       idgen.GenerateUUIDv7(),
-		User:     model.SubscriptionUser{ID: "u_alice", Account: "alice"},
-		RoomID:   roomID, SiteID: "site-A", Name: roomName, RoomType: model.RoomTypeChannel,
+		ID:     idgen.GenerateUUIDv7(),
+		User:   model.SubscriptionUser{ID: "u_alice", Account: "alice"},
+		RoomID: roomID, SiteID: "site-A", Name: roomName, RoomType: model.RoomTypeChannel,
 		Roles:    []model.Role{model.RoleOwner},
 		JoinedAt: time.Now().UTC(),
 	})
@@ -933,7 +933,7 @@ func TestProcessRemoveIndividual_PublishesLocalInbox_Integration(t *testing.T) {
 	mustInsertSub(t, db, &model.Subscription{
 		ID: idgen.GenerateUUIDv7(), User: model.SubscriptionUser{ID: "u_bob", Account: "bob"},
 		RoomID: roomID, SiteID: "site-A", Name: "fed-room", RoomType: model.RoomTypeChannel,
-		Roles:  []model.Role{model.RoleMember}, JoinedAt: time.Now().UTC(),
+		Roles: []model.Role{model.RoleMember}, JoinedAt: time.Now().UTC(),
 	})
 	_, err := db.Collection("room_members").InsertOne(ctx, model.RoomMember{
 		ID: idgen.GenerateUUIDv7(), RoomID: roomID, Ts: time.Now().UTC(),

search-service/main.go

@@ -22,8 +22,9 @@ import (
 // ESConfig bundles the search backend knobs. BACKEND is the key
 // `pkg/searchengine.New` reads to choose between elasticsearch/opensearch.
 type ESConfig struct {
-	URL     string `env:"URL,required"`
-	Backend string `env:"BACKEND" envDefault:"elasticsearch"`
+	URL           string `env:"URL,required"`
+	Backend       string `env:"BACKEND"          envDefault:"elasticsearch"`
+	TLSSkipVerify bool   `env:"TLS_SKIP_VERIFY"  envDefault:"false"`
 }
 
 type ValkeyConfig struct {
@@ -80,7 +81,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	engine, err := searchengine.New(ctx, cfg.ES.Backend, cfg.ES.URL)
+	engine, err := searchengine.New(ctx, cfg.ES.Backend, cfg.ES.URL, cfg.ES.TLSSkipVerify)
 	if err != nil {
 		slog.Error("search engine connect failed", "error", err)
 		os.Exit(1)

search-sync-worker/main.go

@@ -40,14 +40,15 @@ type bootstrapConfig struct {
 }
 
 type config struct {
-	NatsURL        string `env:"NATS_URL,required"`
-	NatsCredsFile  string `env:"NATS_CREDS_FILE" envDefault:""`
-	SiteID         string `env:"SITE_ID,required"`
-	SearchURL      string `env:"SEARCH_URL,required"`
-	SearchBackend  string `env:"SEARCH_BACKEND"  envDefault:"elasticsearch"`
-	MsgIndexPrefix string `env:"MSG_INDEX_PREFIX,required"`
-	SpotlightIndex string `env:"SPOTLIGHT_INDEX" envDefault:""`
-	UserRoomIndex  string `env:"USER_ROOM_INDEX" envDefault:""`
+	NatsURL             string `env:"NATS_URL,required"`
+	NatsCredsFile       string `env:"NATS_CREDS_FILE" envDefault:""`
+	SiteID              string `env:"SITE_ID,required"`
+	SearchURL           string `env:"SEARCH_URL,required"`
+	SearchBackend       string `env:"SEARCH_BACKEND"         envDefault:"elasticsearch"`
+	SearchTLSSkipVerify bool   `env:"SEARCH_TLS_SKIP_VERIFY" envDefault:"false"`
+	MsgIndexPrefix      string `env:"MSG_INDEX_PREFIX,required"`
+	SpotlightIndex      string `env:"SPOTLIGHT_INDEX" envDefault:""`
+	UserRoomIndex       string `env:"USER_ROOM_INDEX" envDefault:""`
 
 	// FetchBatchSize is the maximum number of JetStream messages to pull
 	// per Fetch() round-trip. Smaller values give lower latency per message
@@ -118,7 +119,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	engine, err := searchengine.New(ctx, cfg.SearchBackend, cfg.SearchURL)
+	engine, err := searchengine.New(ctx, cfg.SearchBackend, cfg.SearchURL, cfg.SearchTLSSkipVerify)
 	if err != nil {
 		slog.Error("search engine connect failed", "error", err)
 		os.Exit(1)