fix: auto-generate CA cert in portless trust instead of erroring

[elliotllliu]

Summary

Fixes #124 — portless trust no longer fails with "CA certificate not found. Run with --https first." on Windows (or any platform).

Problem

portless trust checks if the CA cert exists and errors with "Run with --https first" if it doesn't. But --https is only a valid flag for portless proxy start, not portless trust. Users hit a dead-end loop:

$ portless trust
Failed to trust CA: CA certificate not found. Run with --https first.

$ portless trust --https
Failed to trust CA: CA certificate not found. Run with --https first.

Fix

When the CA cert doesn't exist, trustCA() now auto-generates it via generateCA() before proceeding to trust it. This makes portless trust self-contained — no need to run portless proxy start --https first.

Changes

• packages/portless/src/certs.ts: trustCA() calls generateCA() when the CA cert is missing

[vercel]

@elliotllliu is attempting to deploy a commit to the Vercel Labs Team on Vercel.

A member of the Team first needs to authorize it.

[vercel]

Additional Suggestion:

Test asserts "CA certificate not found" error but trustCA was changed to auto-generate the CA cert, so the test always fails.

[ctate]

Thanks for the fix! The approach of auto-generating the CA via generateCA() is clean and matches how ensureCerts() already handles this.

One thing needed before merging: the test at certs.test.ts:319 ("returns error when CA cert is missing") fails since it still expects the old error message. Please update it to reflect the new auto-generation behavior. Once CI is green, this is good to go!

[elliotllliu]

Updated in 40540bf — test now verifies the auto-generation behavior instead of expecting the old error message. Thanks for the review!

[ctate]

@elliotllliu Thanks for the update! The concept is correct and the production code is good, but the test has a filename typo ("ca.crt" vs "ca.pem") that causes CI to fail. Once that's fixed this is good to merge.