The 4096-bit limit produced ~500-byte serials that violate RFC 5280
§4.1.2.2's 20-octet cap. Apple's DER parser enforces this strictly,
so URLSession, NWConnection, AVFoundation and every other client on
macOS/iOS/tvOS rejected the cert with "Unknown format in import"
before any trust evaluation ran.
Lower the limit to 128 bits (matching Go stdlib's generate_cert.go
example) and add a one-shot migration that drops any already-baked
oversized CA, plus the leaves it issued, on startup so existing
devices recover without manual SSH cleanup.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* Enhance synctrace logging.
Switched the maps to be indexed by the .Pointer (not a string)
Grouped the lockCount, unlockCount ,and lastLock in an trackingEntry so we can detect unlocks of something that wasn't ever locked and excessive unlocks and also tracks the first time locked and the last unlock time.
Added LogDangledLocks for debugging use.
Added a panic handler to the Main so we can log out panics
* Switch to traceable sync for most everything
* More documentation
* Update internal/sync/log.go
* Update DEVELOPMENT.md
* Resolve merge issue.
* Applied review comments
* Restore --enable-sync-trace option.
* Use WithLevel so we can re-panic as desired
Maurus Cuelenaere
Marc Brooks
Aveline
Ben Kochie
Siyuan Miao