## Summary Add TLS support for both apex's outbound connections (to celestia-node) and its inbound RPC server. ## Motivation - Production deployments often require encrypted transport - celestia-node is also tracking TLS support ([celestiaorg/celestia-node#4346](https://github.com/celestiaorg/celestia-node/issues/4346)) - Without TLS, auth tokens transit in plaintext ## Requirements ### Upstream fetcher (outbound) - Support `wss://` endpoints for celestia-node WebSocket connections - Support TLS for gRPC connections to upstream nodes - Configurable CA certificate for self-signed certs - Skip-verify option for development (with warning log) ### RPC server (inbound) - Optional TLS termination on the JSON-RPC server - Optional TLS on the gRPC server - Certificate and key file paths in config ### Configuration ```yaml data_source: endpoint: wss://celestia-node.example.com:26658 tls: ca_cert: "" # custom CA for self-signed skip_verify: false # dev only rpc: address: 0.0.0.0:26659 tls: cert_file: "" key_file: "" grpc: address: 0.0.0.0:26660 tls: cert_file: "" key_file: "" ``` ## Non-goals - mTLS (mutual TLS) — add later if needed - Automatic cert provisioning (Let's Encrypt) — use a reverse proxy for that ## Related - #2 — JSON-RPC server - #3 — gRPC server - #12 — CelestiaNodeFetcher (upstream client) - #13 — Configuration system