feat(tls): implement TLS certificate management and rotation

protobufs/arbiter.proto

@@ -7,23 +7,27 @@ import "auth.proto";
 message ClientRequest {
   oneof payload {
     arbiter.auth.ClientMessage auth_message = 1;
+    CertRotationAck cert_rotation_ack = 2;
   }
 }
 
 message ClientResponse {
   oneof payload {
     arbiter.auth.ServerMessage auth_message = 1;
+    CertRotationNotification cert_rotation_notification = 2;
   }
 }
 
 message UserAgentRequest {
   oneof payload {
     arbiter.auth.ClientMessage auth_message = 1;
+    CertRotationAck cert_rotation_ack = 2;
   }
 }
 message UserAgentResponse {
   oneof payload {
     arbiter.auth.ServerMessage auth_message = 1;
+    CertRotationNotification cert_rotation_notification = 2;
   }
 }
 
@@ -32,6 +36,32 @@ message ServerInfo {
   bytes cert_public_key = 2;
 }
 
+// TLS Certificate Rotation Protocol
+message CertRotationNotification {
+  // New public certificate (DER-encoded)
+  bytes new_cert = 1;
+
+  // Unix timestamp when rotation will be executed (if all ACKs received)
+  int64 rotation_scheduled_at = 2;
+
+  // Unix timestamp deadline for ACK (7 days from now)
+  int64 ack_deadline = 3;
+
+  // Rotation ID for tracking
+  int32 rotation_id = 4;
+}
+
+message CertRotationAck {
+  // Rotation ID (from CertRotationNotification)
+  int32 rotation_id = 1;
+
+  // Client public key for identification
+  bytes client_public_key = 2;
+
+  // Confirmation that client saved the new certificate
+  bool cert_saved = 3;
+}
+
 service ArbiterService {
   rpc Client(stream ClientRequest) returns (stream ClientResponse);
   rpc UserAgent(stream UserAgentRequest) returns (stream UserAgentResponse);

protobufs/google/protobuf/timestamp.proto

@@ -0,0 +1,46 @@
+// Protocol Buffers - Google's data interchange format
+// Copyright 2008 Google Inc.  All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+
+syntax = "proto3";
+
+package google.protobuf;
+
+option csharp_namespace = "Google.Protobuf.WellKnownTypes";
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/protobuf/types/known/timestamppb";
+option java_package = "com.google.protobuf";
+option java_outer_classname = "TimestampProto";
+option java_multiple_files = true;
+option objc_class_prefix = "GPB";
+
+// A Timestamp represents a point in time independent of any time zone or local
+// calendar, encoded as a count of seconds and fractions of seconds at
+// nanosecond resolution. The count is relative to an epoch at UTC midnight on
+// January 1, 1970, in the proleptic Gregorian calendar which extends the
+// Gregorian calendar backwards to year one.
+message Timestamp {
+  // Represents seconds of UTC time since Unix epoch
+  // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+  // 9999-12-31T23:59:59Z inclusive.
+  int64 seconds = 1;
+
+  // Non-negative fractions of a second at nanosecond resolution. Negative
+  // second values with fractions must still have non-negative nanos values
+  // that count forward in time. Must be from 0 to 999,999,999
+  // inclusive.
+  int32 nanos = 2;
+}