fix(plugin-cassandra): apply client certificate and key passphrase to SSL connections #1520
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2e7938df12
| case clientKeyPassphraseRequired(serverMessage: String) | ||
| case clientKeyPassphraseIncorrect(serverMessage: String) | ||
| case clientKeyInvalid(serverMessage: String) |
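Review bot: clientKeyInvalid, the third case in this hunk, is not accounted for in the PR description, which names only clientKeyPassphraseRequired and clientKeyPassphraseIncorrect as new and says SSLHandshakeErrorTests covers "the two new error cases". If clientKeyInvalid is also added by this change, list it in the description and cover it in SSLHandshakeErrorTests; if it already existed, say so, because where the new cases sit relative to it decides whether existing discriminators shift.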
Bump the PluginKit version for new enum cases
Because these cases are inserted into SSLHandshakeError while PluginManager.currentPluginKitVersion still accepts kit version 16 plugins, an older plugin compiled with the previous enum layout can throw .cipherMismatch/.unknown and the host will decode that payload as one of the new passphrase/key errors. The app rejects only plugins whose declared TableProPluginKitVersion is different from the current version, so this ABI change needs a version bump (and matching plugin plist updates) before released plugins built against the old layout are loaded.
Fixes #1487.
Problem
The Cassandra SSL pane let you set a client certificate and key path, but the driver never applied them to the SSL context, and there was no field for an encrypted key's passphrase. An encrypted private key failed inside the handshake with a generic error that gave no hint about the passphrase.
Fix
Driver (the actual cause)
- CassandraConnectionActor now applies the client cert and key to the SSL context with cass_ssl_set_cert and cass_ssl_set_private_key(ssl, key, password) before cass_cluster_set_ssl.
- clientKeyPassphraseRequired (encrypted key, no passphrase) or clientKeyPassphraseIncorrect (wrong passphrase). These two SSLHandshakeError cases are appended at the end of the enum so existing discriminators don't shift for plugins built against the older PluginKit.
UI
- SecureField, but only when a client key path is set and the engine advertises the new supportsClientKeyPassphrase capability (true for Cassandra/ScyllaDB, false elsewhere), so it never appears as a dead control for engines that ignore it.
Secret handling
- com.TablePro.sslkeypassphrase.<id>), wired into delete and duplicate, and never written to the Codable/iCloud-synced SSLConfiguration. It reaches the driver through additionalFields["sslClientKeyPassphrase"].
Tests
- SSLHandshakeErrorTests: the two new error cases.
- SSLConfigurationTests: the encoded JSON carries no passphrase or password.
PluginKit / registry
- currentPluginKitVersion bump: no protocol or signature change, and the new enum cases are appended for layout compatibility.
- plugin-cassandra-v* rebuild and release for the cert/key application and new error cases to reach registry users.
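As an added example (not code from this pull request): a C preflight that classifies a PEM client key before it is passed to cass_ssl_set_private_key, so an encrypted key with no passphrase is reported up front instead of as a generic handshake failure. The function name, result codes and sample PEM skeletons are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes, loosely named after the error cases on this page. */
typedef enum {
    KEY_UNENCRYPTED,          /* plain key: no passphrase needed */
    KEY_ENCRYPTED_WITH_PASS,  /* encrypted key, passphrase supplied (not yet verified) */
    KEY_PASSPHRASE_REQUIRED,  /* encrypted key, passphrase missing or empty */
    KEY_INVALID               /* no complete PEM private key block */
} key_check;

/* Constructed PEM skeletons; the bodies are placeholders, not key material. */
static const char PLAIN_KEY[] =
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n";
static const char PKCS8_ENCRYPTED[] =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n";
static const char LEGACY_ENCRYPTED[] =
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\nAAAA\n"
    "-----END RSA PRIVATE KEY-----\n";
static const char CERT_ONLY[] =
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";

/* PKCS#8 marks encryption in the PEM label; the traditional OpenSSL form keeps
 * the plain label and adds a "Proc-Type: 4,ENCRYPTED" header instead. */
key_check check_client_key(const char *pem, const char *passphrase)
{
    int has_pass = passphrase != NULL && passphrase[0] != '\0';
    const char *label = pem ? strstr(pem, "PRIVATE KEY-----") : NULL;
    if (label == NULL || strstr(label + 1, "-----END ") == NULL)
        return KEY_INVALID;               /* certificate only, or truncated */
    int encrypted =
        strstr(pem, "-----BEGIN ENCRYPTED PRIVATE KEY-----") != NULL ||
        strstr(pem, "Proc-Type: 4,ENCRYPTED") != NULL;
    if (!encrypted)
        return KEY_UNENCRYPTED;
    /* A supplied passphrase is only proven correct when the key is loaded. */
    return has_pass ? KEY_ENCRYPTED_WITH_PASS : KEY_PASSPHRASE_REQUIRED;
}

int main(void)
{
    printf("plain, no passphrase:   %d\n", check_client_key(PLAIN_KEY, NULL));
    printf("PKCS#8 enc, no pass:    %d\n", check_client_key(PKCS8_ENCRYPTED, NULL));
    printf("legacy enc, with pass:  %d\n", check_client_key(LEGACY_ENCRYPTED, "pw"));
    printf("certificate only:       %d\n", check_client_key(CERT_ONLY, "pw"));
    return 0;
}
```

A wrong passphrase cannot be told apart from a right one by inspecting the file; that case still has to come from the result of loading the key.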