@camunda8/orchestration-cluster-api 8.9.0-alpha.26 → 8.9.0-alpha.28

package/CHANGELOG.md

@@ -1,3 +1,27 @@
+# [8.9.0-alpha.28](https://github.com/camunda/orchestration-cluster-api-js/compare/v8.9.0-alpha.27...v8.9.0-alpha.28) (2026-04-08)
+
+
+### Bug Fixes
+
+* shorten discriminant labels for multi-entry operations ([701aed6](https://github.com/camunda/orchestration-cluster-api-js/commit/701aed6a471ef2b138380e34f14c1d0f4d3469c5))
+
+
+### Features
+
+* add imports field to operation-map entries ([a7ecf5f](https://github.com/camunda/orchestration-cluster-api-js/commit/a7ecf5fc68277565afecb2518de583e9f345de9b))
+
+# [8.9.0-alpha.27](https://github.com/camunda/orchestration-cluster-api-js/compare/v8.9.0-alpha.26...v8.9.0-alpha.27) (2026-04-02)
+
+
+### Bug Fixes
+
+* address review comments on mTLS tests and docs ([c7c26df](https://github.com/camunda/orchestration-cluster-api-js/commit/c7c26df1e3ab4bff848a5c4de7eacfc8e62f310a))
+
+
+### Features
+
+* support CA-only TLS (self-signed server certs) ([25f11a7](https://github.com/camunda/orchestration-cluster-api-js/commit/25f11a75a74e4cd32f5ada5ff8d41fc50398b902)), closes [#108](https://github.com/camunda/orchestration-cluster-api-js/issues/108)
+
 # [8.9.0-alpha.26](https://github.com/camunda/orchestration-cluster-api-js/compare/v8.9.0-alpha.25...v8.9.0-alpha.26) (2026-04-02)
 
 

package/README.md

@@ -981,18 +981,49 @@ Browser usage: There is no disk concept—if executed in a browser the SDK (when
 
 If you need a custom persistence strategy (e.g. Redis / encrypted keychain), wrap the client and periodically call `client.forceAuthRefresh()` while storing and re‑injecting the token via a headers hook; first measure whether the built‑in disk cache already meets your needs.
 
-## mTLS (Node only)
+## Self-signed TLS / mTLS (Node only)
 
-Provide inline or path variables (inline wins):
+The SDK supports custom TLS certificates via environment variables. This is useful for:
 
+- **Self-signed server certificates** — trust a CA that signed your server's certificate, without presenting a client identity.
+- **Mutual TLS (mTLS)** — present a client certificate and key to prove the client's identity.
+- **Both** — trust a custom CA _and_ present client credentials.
+
+### Trusting a self-signed server certificate
+
+Set only the CA certificate to trust the server's self-signed certificate:
+
+```bash
+# Path to PEM file:
+CAMUNDA_MTLS_CA_PATH=/path/to/ca.pem
+
+# Or inline PEM (must contain real newlines, not literal '\n'):
+CAMUNDA_MTLS_CA="$(cat /path/to/ca.pem)"
 ```
-CAMUNDA_MTLS_CERT / CAMUNDA_MTLS_CERT_PATH
-CAMUNDA_MTLS_KEY  / CAMUNDA_MTLS_KEY_PATH
-CAMUNDA_MTLS_CA   / CAMUNDA_MTLS_CA_PATH (optional)
-CAMUNDA_MTLS_KEY_PASSPHRASE (optional)
+
+### Mutual TLS (client certificate)
+
+To present a client certificate for mutual TLS, provide both the certificate and private key:
+
+```bash
+CAMUNDA_MTLS_CERT_PATH=/path/to/client.crt
+CAMUNDA_MTLS_KEY_PATH=/path/to/client.key
+
+# Optional — passphrase if the key is encrypted:
+# CAMUNDA_MTLS_KEY_PASSPHRASE=secret
+```
+
+### Full mTLS with custom CA
+
+Combine a custom CA with client credentials:
+
+```bash
+CAMUNDA_MTLS_CA_PATH=/path/to/ca.pem
+CAMUNDA_MTLS_CERT_PATH=/path/to/client.crt
+CAMUNDA_MTLS_KEY_PATH=/path/to/client.key
 ```
 
-If both cert & key are available an https.Agent is attached to all outbound calls (including token fetches).
+Inline PEM values (`CAMUNDA_MTLS_CERT`, `CAMUNDA_MTLS_KEY`, `CAMUNDA_MTLS_CA`) take precedence over their `_PATH` counterparts. An `https.Agent` is attached to all outbound calls (including token fetches).
 
 ## Branded Keys
 

package/dist/{chunk-CCCMH2RY.js → chunk-JQMXVWIG.js}

@@ -3965,11 +3965,16 @@ function hydrateConfig(options = {}) {
   }
   const mtlsCertProvided = !!(rawMap.CAMUNDA_MTLS_CERT || rawMap.CAMUNDA_MTLS_CERT_PATH);
   const mtlsKeyProvided = !!(rawMap.CAMUNDA_MTLS_KEY || rawMap.CAMUNDA_MTLS_KEY_PATH);
-  const mtlsAny = mtlsCertProvided || mtlsKeyProvided || rawMap.CAMUNDA_MTLS_CA || rawMap.CAMUNDA_MTLS_CA_PATH || rawMap.CAMUNDA_MTLS_KEY_PASSPHRASE;
-  if (mtlsAny && (!mtlsCertProvided || !mtlsKeyProvided)) {
+  if (mtlsCertProvided !== mtlsKeyProvided) {
     errors.push({
       code: "CONFIG_MISSING_REQUIRED" /* CONFIG_MISSING_REQUIRED */,
-      message: "Incomplete mTLS configuration; both certificate (CAMUNDA_MTLS_CERT|_PATH) and key (CAMUNDA_MTLS_KEY|_PATH) must be provided."
+      message: "Incomplete mTLS configuration; both certificate (CAMUNDA_MTLS_CERT|_PATH) and key (CAMUNDA_MTLS_KEY|_PATH) must be provided together."
+    });
+  }
+  if (rawMap.CAMUNDA_MTLS_KEY_PASSPHRASE && !mtlsKeyProvided) {
+    errors.push({
+      code: "CONFIG_MISSING_REQUIRED" /* CONFIG_MISSING_REQUIRED */,
+      message: "CAMUNDA_MTLS_KEY_PASSPHRASE is set but no client key was provided."
     });
   }
   const validationRaw = rawMap.CAMUNDA_SDK_VALIDATION || "req:none,res:none";
@@ -4407,7 +4412,7 @@ function installAuthInterceptor(client2, getStrategy, getAuthHeaders) {
 }
 
 // src/runtime/version.ts
-var packageVersion = "8.9.0-alpha.26";
+var packageVersion = "8.9.0-alpha.28";
 
 // src/runtime/supportLogger.ts
 var NoopSupportLogger = class {
@@ -16675,4 +16680,4 @@ export {
   withTimeoutTE,
   eventuallyTE
 };
-//# sourceMappingURL=chunk-CCCMH2RY.js.map
+//# sourceMappingURL=chunk-JQMXVWIG.js.map