From 7c0e4ff92094af938ae0666e33caa997f9756f71 Mon Sep 17 00:00:00 2001
From: wagesj45
Date: Sun, 24 Aug 2025 04:14:05 -0500
Subject: [PATCH] =?UTF-8?q?feat(release):=20FTPS=20robustness=20=E2=80=94?=
 =?UTF-8?q?=20passive=20mode,=20TLS=20min,=20cert=20pinning,=20CA=20overri?=
 =?UTF-8?q?de,=20and=20optional=20insecure?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .env.example | 13 +++++++++++++
 scripts/release-push.js | 15 +++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/.env.example b/.env.example
index 378d72f..e409c43 100644
--- a/.env.example
+++ b/.env.example
@@ -20,6 +20,19 @@ FTP_REMOTE_DIR=/path/on/server
 # If unset, the script auto-detects explicit when FTP_PROTOCOL=ftps and FTP_PORT=21.
 # FTPS_MODE=explicit
+# Optional connection flags
+# Use passive mode (some providers require this)
+# FTP_PASSIVE=true
+# Enforce TLS minimum (1.2 or 1.3)
+# TLS_MIN=1.2
+# Pin server certificate public key (recommended if provider's cert CN/SAN mismatch)
+# Accepts a base64 sha256 hash (sha256//...) or a PEM/DER file path
+# TLS_PINNED_PUBKEY=sha256//BASE64HASH
+# Provide a custom CA bundle file (PEM) if needed
+# TLS_CACERT=/path/to/ca-bundle.pem
+# As a last resort only, disable certificate verification (not recommended)
+# TLS_INSECURE=false
+
 # SFTP host verification (SFTP only; choose one)
 # SFTP_KNOWN_HOSTS=/home/you/.ssh/known_hosts
 # SFTP_HOST_PUBKEY_SHA256=base64sha256fingerprint
diff --git a/scripts/release-push.js b/scripts/release-push.js
index 388d81e..167fefb 100644
--- a/scripts/release-push.js
+++ b/scripts/release-push.js
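Review bot: The comment on the new `TLS_PINNED_PUBKEY` line, `recommended if provider's cert CN/SAN mismatch`, reads as if pinning alone handles a hostname mismatch; as I read curl, `--pinnedpubkey` is an extra check performed on top of chain and hostname verification, not a replacement for it, so such a connection still fails unless `TLS_INSECURE=true` is set as well (the pin remains enforced under `--insecure`, which is what makes that combination defensible). I would reword it to `# Pin the server certificate's public key (checked in addition to normal verification)` and add `# If the provider's cert CN/SAN does not match the host, combine TLS_PINNED_PUBKEY with TLS_INSECURE=true; the pin still gates the connection`. The `sha256//` value should also be documented as the base64 SHA-256 of the DER-encoded SubjectPublicKeyInfo, e.g. `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | base64`, since a fingerprint of the whole certificate will never match.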
@@ -132,10 +132,25 @@ const baseUrl = `${scheme}://${host}${port ? `:${port}` : ''}${remoteDir}`;
 // Prepare common curl flags
 const curlBase = ['curl', '--fail', '--ftp-create-dirs'];
+// Optional passive mode
+if (String(process.env.FTP_PASSIVE || '').toLowerCase() === 'true') {
+  curlBase.push('--ftp-pasv');
+}
+// Optional TLS min version
+const tlsMin = String(process.env.TLS_MIN || '').trim();
+if (tlsMin === '1.2') curlBase.push('--tlsv1.2');
+else if (tlsMin === '1.3') curlBase.push('--tlsv1.3');
 if (protocol === 'ftps' && useExplicitFtps) {
   // Explicit FTPS (FTPES): connect plain on port 21 and then upgrade to TLS
   // Modern curl prefers --ssl-reqd; keep compatibility with older --ftp-ssl-reqd if available
   curlBase.push('--ssl-reqd');
+  // Security knobs: either pin the server cert public key, supply a custom CA bundle, or allow insecure as last resort
+  const pinned = process.env.TLS_PINNED_PUBKEY;
+  const cacert = process.env.TLS_CACERT;
+  const insecure = String(process.env.TLS_INSECURE || '').toLowerCase() === 'true';
+  if (pinned) curlBase.push('--pinnedpubkey', JSON.stringify(pinned));
+  if (cacert) curlBase.push('--cacert', JSON.stringify(cacert));
+  if (insecure) curlBase.push('--insecure');
 }
 // Detect curl option support dynamically to stay compatible with older curl versions
 function curlSupports(opt) {
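Review bot: `JSON.stringify(pinned)` and `JSON.stringify(cacert)` on the two new `curlBase.push` lines wrap the values in literal double quotes; `curlBase` is built as an argv array, so if it reaches `execFile`/`spawn` as one (the call site is outside the hunk) curl receives `"sha256//…"` and `"/path/…"` verbatim, the pin never matches and the CA file is not found — the options fail closed but are unusable, and if the array is instead joined into a shell string, JSON quoting is not shell quoting and none of the other pushed flags are quoted at all. Pass the values as plain entries: `if (pinned) curlBase.push('--pinnedpubkey', pinned);` and `if (cacert) curlBase.push('--cacert', cacert);`. The three knobs are also read only inside the `protocol === 'ftps' && useExplicitFtps` branch, so with implicit FTPS `TLS_PINNED_PUBKEY`, `TLS_CACERT` and `TLS_INSECURE` are silently ignored, and `--insecure` is added without any log line to show verification was turned off. I would hoist the knobs next to the TLS_MIN handling, gated on `protocol === 'ftps'`, and warn when verification is disabled, as below.
```javascript
// Optional TLS min version
const tlsMin = String(process.env.TLS_MIN || '').trim();
if (tlsMin === '1.2') curlBase.push('--tlsv1.2');
else if (tlsMin === '1.3') curlBase.push('--tlsv1.3');
// TLS trust knobs apply to explicit and implicit FTPS alike, so read them outside the FTPES branch.
// Values are pushed as separate argv entries; do not re-quote them here.
if (protocol === 'ftps') {
  const pinned = process.env.TLS_PINNED_PUBKEY;
  const cacert = process.env.TLS_CACERT;
  const insecure = String(process.env.TLS_INSECURE || '').toLowerCase() === 'true';
  if (pinned) curlBase.push('--pinnedpubkey', pinned);
  if (cacert) curlBase.push('--cacert', cacert);
  if (insecure) {
    console.warn('TLS_INSECURE=true: certificate verification disabled; a TLS_PINNED_PUBKEY pin, if set, is still enforced');
    curlBase.push('--insecure');
  }
}
if (protocol === 'ftps' && useExplicitFtps) {
  // … unchanged: --ssl-reqd for explicit FTPS …
}
```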