
fix(nix): give moq-relay's check phase a CA bundle via cacert#1919

Merged
kixelated merged 1 commit into main from claude/heuristic-mcnulty-fb756e on Jun 26, 2026

Conversation

@kixelated

Collaborator

Summary

nix build .#moq-relay fails during its check phase (doCheck = true) in the relay auth tests. The root cause:

  • Auth::new always builds a rustls client config up front (auth.rs:688).
  • That TLS builder defaults to loading native system roots and now hard-errors when none are found (tls.rs:323).
  • The Nix build sandbox has no system trust store, so rustls-native-certs returns no roots and the tests blow up, including plain-http:// wiremock helpers (e.g. key_dir: Some(format!("{}/keys/", server.uri()))) that never make a TLS connection.

This wires a CA bundle into the moq-relay crane build so the check phase passes:

nativeBuildInputs = [ final.cacert ];
SSL_CERT_FILE = "${final.cacert}/etc/ssl/certs/ca-bundle.crt";

Notes for reviewers

  • Scoped to moq-relay since it's the only crane package that constructs a TLS client during tests. moq-cli/moq-token-cli also run doCheck = true but don't hit this path.
  • The cross x86_64-apple-darwin relay output inherits these args but sets doCheck = false, so the extra env is inert there.
  • The nativeBuildInputs entry is redundant given the explicit SSL_CERT_FILE, but keeps the cacert dependency visible/idiomatic.

Test plan

  • nixfmt clean, flake still evaluates (nix eval .#moq-relay.drvPath).
  • Verified the derivation env now carries SSL_CERT_FILE=…/nss-cacert-3.123/etc/ssl/certs/ca-bundle.crt, nss-cacert in nativeBuildInputs, and doCheck=1 with cargo test -p moq-relay in the check phase.
  • Full nix build .#moq-relay (not run locally; long source build).

🤖 Generated with Claude Code

(Written by Claude)

Auth::new builds a rustls client config up front, and tls.rs now hard-errors
when rustls-native-certs finds no roots. The Nix build sandbox has no system
trust store, so `nix build .#moq-relay` (which runs doCheck=true) failed in
the relay auth tests, including the plain-http wiremock helpers that never
actually make a TLS connection.

Point SSL_CERT_FILE at cacert's bundle (and add cacert to nativeBuildInputs)
for the moq-relay build so rustls-native-certs has a root to load. Scoped to
moq-relay since it's the only crane package that constructs a TLS client
during tests; the cross x86_64-darwin output sets doCheck=false so the extra
env is inert there.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
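To make the failure mode in the description concrete, here is an added, std-only Rust example (not moq-relay, rustls or rustls-native-certs code) that stands in for the root-loading step: it reads the bundle named by SSL_CERT_FILE, counts PEM certificate blocks, and hard-errors when none are found, then shows why an eagerly constructed client fails even for a caller that only ever uses plain http://. The names `load_roots`, `auth_new`, `RootsError` and the sample bundle are assumptions made for this example; the real loader DER-decodes each certificate, which this stand-in does not.

```rust
// Added example, not project code. A std-only stand-in for the root-loading
// step described in the PR: rustls-native-certs honours SSL_CERT_FILE, and the
// relay's tls.rs now treats "zero roots" as a hard error. Names below are
// assumptions for this example.
use std::fs;
use std::path::Path;

#[derive(Debug, PartialEq)]
pub enum RootsError {
    /// The bundle path was set but could not be read.
    Io(String),
    /// No certificate was found: what an empty Nix sandbox trust store yields.
    NoRoots,
}

/// Extract the base64 body of every "CERTIFICATE" PEM block in `pem`.
/// Only the PEM framing is parsed; a real loader would DER-decode each body.
pub fn pem_cert_bodies(pem: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut body: Option<String> = None;
    for line in pem.lines() {
        let line = line.trim();
        if line == "-----BEGIN CERTIFICATE-----" {
            body = Some(String::new());
        } else if line == "-----END CERTIFICATE-----" {
            if let Some(b) = body.take() {
                if !b.is_empty() {
                    out.push(b);
                }
            }
        } else if let Some(b) = body.as_mut() {
            b.push_str(line);
        }
    }
    out
}

/// Mimic the SSL_CERT_FILE path of the native root loader. `bundle` is the
/// variable's value; `None` stands for the sandbox case where it is unset and
/// the system store is empty. Zero roots is an error, not an empty store.
pub fn load_roots(bundle: Option<&Path>) -> Result<usize, RootsError> {
    let path = match bundle {
        Some(p) => p,
        None => return Err(RootsError::NoRoots),
    };
    let pem = fs::read_to_string(path).map_err(|e| RootsError::Io(e.to_string()))?;
    let n = pem_cert_bodies(&pem).len();
    if n == 0 {
        Err(RootsError::NoRoots)
    } else {
        Ok(n)
    }
}

/// Stand-in for an Auth::new that builds its TLS client up front: the root
/// store is loaded before anyone looks at the URL scheme, so a plain
/// http:// key_dir still fails when the store is empty.
pub fn auth_new(key_dir_url: &str, bundle: Option<&Path>) -> Result<String, RootsError> {
    let roots = load_roots(bundle)?;
    Ok(format!("client for {key_dir_url} with {roots} root(s)"))
}

/// Constructed PEM bundle for the example; the body is not a real certificate.
pub const SAMPLE_BUNDLE: &str =
    "-----BEGIN CERTIFICATE-----\nMIIBexampleexample\nexample==\n-----END CERTIFICATE-----\n";

fn main() {
    // Sandbox case: SSL_CERT_FILE unset, no system roots -> NoRoots even for http://.
    println!("{:?}", auth_new("http://127.0.0.1:8080/keys/", None));

    // Fixed case: SSL_CERT_FILE points at a bundle with at least one root.
    let bundle = std::env::temp_dir().join("example-ca-bundle.crt");
    fs::write(&bundle, SAMPLE_BUNDLE).expect("write sample bundle");
    println!("{:?}", auth_new("http://127.0.0.1:8080/keys/", Some(bundle.as_path())));
}
```

Run with `cargo run` (or `rustc` on the single file); the first line prints `Err(NoRoots)` and the second an `Ok(..)` client, which is the before/after the overlay change produces for the check phase.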
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 65dff99b-e2c6-444b-bcc5-ef420a85f454

📥 Commits

Reviewing files that changed from the base of the PR and between 2af9777 and c95e67f.

📒 Files selected for processing (1)
  • nix/overlay.nix

Walkthrough

The Nix overlay for moq-relay now adds cacert to the build inputs and sets SSL_CERT_FILE to the bundled CA certificate file during the build/check phase. This changes the build environment used by rustls-based initialization.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the Nix fix for moq-relay's check phase using cacert.
Description check ✅ Passed The description directly explains the moq-relay CA bundle fix and its test failure context.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

@kixelated kixelated merged commit 86ff316 into main Jun 26, 2026
1 check passed
@kixelated kixelated deleted the claude/heuristic-mcnulty-fb756e branch June 26, 2026 17:06
