Ensure SSL_CERT_DIR messages are always shown and check for existing value

[tomerqodo]

Benchmark PR from agentic-review-benchmarks#3

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (1) 📎 Requirement gaps (0)

1. prettyCertDir used for fullpath 📘 Rule violation ✓ Correctness

Description

• The code computes certDirFullPath from prettyCertDir, which may be rewritten to start with
  $HOME for display purposes.
• When prettyCertDir contains $HOME, Path.GetFullPath(prettyCertDir) will not expand $HOME
  and can resolve to an unrelated path, causing isCertDirIncluded to be computed incorrectly.
• This breaks edge-case handling for common home-directory installs and can incorrectly mark trust
  as failed (sawTrustFailure = !hasValidSslCertDir).

Code

src/Shared/CertificateGeneration/UnixCertificateManager.cs[R355-409]

                ? Path.Combine("$HOME", certDir[homeDirectoryWithSlash.Length..])
                : certDir;

-            if (TryGetOpenSslDirectory(out var openSslDir))
+            var hasValidSslCertDir = false;
+
+            // Check if SSL_CERT_DIR is already set and if certDir is already included
+            var existingSslCertDir = Environment.GetEnvironmentVariable(OpenSslCertificateDirectoryVariableName);
+            if (!string.IsNullOrEmpty(existingSslCertDir))
+            {
+                var existingDirs = existingSslCertDir.Split(Path.PathSeparator);
+                var certDirFullPath = Path.GetFullPath(prettyCertDir);
+                var isCertDirIncluded = existingDirs.Any(dir =>
+                {
+                    if (string.IsNullOrWhiteSpace(dir))
+                    {
+                        return false;
+                    }
+
+                    try
+                    {
+                        return string.Equals(Path.GetFullPath(dir), certDirFullPath, StringComparison.OrdinalIgnoreCase);
+                    }
+                    catch
+                    {
+                        // Ignore invalid directory entries in SSL_CERT_DIR
+                        return false;
+                    }
+                });
+
+                if (isCertDirIncluded)
+                {
+                    // The certificate directory is already in SSL_CERT_DIR, no action needed
+                    Log.UnixOpenSslCertificateDirectoryAlreadyConfigured(prettyCertDir, OpenSslCertificateDirectoryVariableName);
+                    hasValidSslCertDir = true;
+                }
+                else
+                {
+                    // SSL_CERT_DIR is set but doesn't include our directory - suggest appending
+                    Log.UnixSuggestAppendingToEnvironmentVariable(prettyCertDir, OpenSslCertificateDirectoryVariableName);
+                    hasValidSslCertDir = false;
+                }
+            }
+            else if (TryGetOpenSslDirectory(out var openSslDir))
            {
                Log.UnixSuggestSettingEnvironmentVariable(prettyCertDir, Path.Combine(openSslDir, "certs"), OpenSslCertificateDirectoryVariableName);
+                hasValidSslCertDir = false;
            }
            else
            {
                Log.UnixSuggestSettingEnvironmentVariableWithoutExample(prettyCertDir, OpenSslCertificateDirectoryVariableName);
+                hasValidSslCertDir = false;
            }
+
+            sawTrustFailure = !hasValidSslCertDir;
        }

Evidence

Compliance requires explicit handling of edge cases; here a display-only path ($HOME/...) is used
for filesystem normalization, which can mis-detect whether the actual cert directory is present in
SSL_CERT_DIR and incorrectly flip the trust result.

Rule 3: Generic: Robust Error Handling and Edge Case Management
src/Shared/CertificateGeneration/UnixCertificateManager.cs[354-409]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`Path.GetFullPath(prettyCertDir)` uses a display-friendly `$HOME`-prefixed string to compute `certDirFullPath`, which can mis-resolve paths and incorrectly decide whether `SSL_CERT_DIR` already includes the certificate directory.

## Issue Context
`prettyCertDir` is intended for messaging, but it is used for filesystem comparison (`certDirFullPath`). On Unix, `$HOME` is not expanded by `GetFullPath`, so the comparison can fail even when `SSL_CERT_DIR` is correctly configured.

## Fix Focus Areas
- src/Shared/CertificateGeneration/UnixCertificateManager.cs[354-409]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. TrustLevel can be wrong 🐞 Bug ✓ Correctness

Description

• TrustCertificateCore accumulates failures across .NET/OpenSSL/NSS trust steps, but the new
  SSL_CERT_DIR block overwrites sawTrustFailure based only on the env-var check.
• If NSS trust (or .NET trust) failed earlier but SSL_CERT_DIR is configured, the final result may
  incorrectly become TrustLevel.Full.
• This can also create inconsistent output (logging “partially succeeded” but returning Full).

Code

src/Shared/CertificateGeneration/UnixCertificateManager.cs[R408-409]

+            sawTrustFailure = !hasValidSslCertDir;
        }

Evidence

Earlier in TrustCertificateCore, failures are recorded in sawTrustFailure for .NET store add
failures and NSS DB failures. Later, inside the OpenSSL env-var messaging block, sawTrustFailure is
reassigned based only on hasValidSslCertDir, discarding any previously-recorded failures; the return
value is then computed solely from the (possibly overwritten) sawTrustFailure flag.

src/Shared/CertificateGeneration/UnixCertificateManager.cs[198-414]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`TrustCertificateCore` overwrites `sawTrustFailure` based only on the SSL_CERT_DIR check, losing prior failures from other trust mechanisms (e.g., NSS trust failures). This can cause incorrect `TrustLevel.Full` results.

### Issue Context
`sawTrustFailure` is used as the final gate for returning `TrustLevel.Partial` vs `TrustLevel.Full`. It must represent *any* failures encountered across all trust targets.

### Fix Focus Areas
- src/Shared/CertificateGeneration/UnixCertificateManager.cs[346-414]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[qodo-code-review]

1. prettycertdir used for fullpath 📘 Rule violation ✓ Correctness

• The code computes certDirFullPath from prettyCertDir, which may be rewritten to start with
  $HOME for display purposes.
• When prettyCertDir contains $HOME, Path.GetFullPath(prettyCertDir) will not expand $HOME
  and can resolve to an unrelated path, causing isCertDirIncluded to be computed incorrectly.
• This breaks edge-case handling for common home-directory installs and can incorrectly mark trust
  as failed (sawTrustFailure = !hasValidSslCertDir).

Agent prompt

## Issue description
`Path.GetFullPath(prettyCertDir)` uses a display-friendly `$HOME`-prefixed string to compute `certDirFullPath`, which can mis-resolve paths and incorrectly decide whether `SSL_CERT_DIR` already includes the certificate directory.

## Issue Context
`prettyCertDir` is intended for messaging, but it is used for filesystem comparison (`certDirFullPath`). On Unix, `$HOME` is not expanded by `GetFullPath`, so the comparison can fail even when `SSL_CERT_DIR` is correctly configured.

## Fix Focus Areas
- src/Shared/CertificateGeneration/UnixCertificateManager.cs[354-409]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[qodo-code-review]

2. Trustlevel can be wrong 🐞 Bug ✓ Correctness

• TrustCertificateCore accumulates failures across .NET/OpenSSL/NSS trust steps, but the new
  SSL_CERT_DIR block overwrites sawTrustFailure based only on the env-var check.
• If NSS trust (or .NET trust) failed earlier but SSL_CERT_DIR is configured, the final result may
  incorrectly become TrustLevel.Full.
• This can also create inconsistent output (logging “partially succeeded” but returning Full).

Agent prompt

### Issue description
`TrustCertificateCore` overwrites `sawTrustFailure` based only on the SSL_CERT_DIR check, losing prior failures from other trust mechanisms (e.g., NSS trust failures). This can cause incorrect `TrustLevel.Full` results.

### Issue Context
`sawTrustFailure` is used as the final gate for returning `TrustLevel.Partial` vs `TrustLevel.Full`. It must represent *any* failures encountered across all trust targets.

### Fix Focus Areas
- src/Shared/CertificateGeneration/UnixCertificateManager.cs[346-414]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools