From 600614fd918096e182e658b6c81b2c59a1a8e19c Mon Sep 17 00:00:00 2001
From: Michael Neale
Date: Fri, 12 Dec 2025 11:07:41 +1100
Subject: [PATCH] avoid accidentally using native tls again
---
 scripts/check-no-native-tls.sh | 28 ++++++++++++++++++++++++++++
 scripts/clippy-lint.sh | 3 +++
 2 files changed, 31 insertions(+)
 create mode 100755 scripts/check-no-native-tls.sh
diff --git a/scripts/check-no-native-tls.sh b/scripts/check-no-native-tls.sh
new file mode 100755
index 000000000000..c0a337fbd27a
--- /dev/null
+++ b/scripts/check-no-native-tls.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# Prevent native-tls/OpenSSL from being added to the dependency tree.
+# These cause Linux compatibility issues with OpenSSL version mismatches.
+# See: https://github.com/block/goose/issues/6034
+
+set -e
+
+BANNED_CRATES=("native-tls" "openssl-sys" "openssl")
+FOUND_BANNED=0
+
+for crate in "${BANNED_CRATES[@]}"; do
+ if cargo tree -i "$crate" 2>/dev/null | grep -q "$crate"; then
+ echo "ERROR: Found banned crate '$crate' in dependency tree"
+ echo "This causes Linux compatibility issues with OpenSSL versions."
+ echo "Use rustls-based alternatives instead (e.g., rustls-tls-native-roots)."
+ echo ""
+ echo "Dependency chain:"
+ cargo tree -i "$crate"
+ echo ""
+ FOUND_BANNED=1
+ fi
+done
+
+if [ $FOUND_BANNED -eq 1 ]; then
+ exit 1
+fi
+
+echo "✓ No banned TLS crates found (native-tls, openssl, openssl-sys)"
diff --git a/scripts/clippy-lint.sh b/scripts/clippy-lint.sh
index 0befc5b5a444..6414c94294c9 100755
--- a/scripts/clippy-lint.sh
+++ b/scripts/clippy-lint.sh
@@ -36,4 +36,7 @@ run_clippy
 echo ""
 check_all_baseline_rules
 echo ""
+echo "🔒 Checking for banned TLS crates..."
+"$SCRIPT_DIR/check-no-native-tls.sh"
+echo ""
 echo "✅ Done"
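Review bot: The detection loop in scripts/check-no-native-tls.sh fails open, because `cargo tree -i "$crate" 2>/dev/null | grep -q "$crate"` cannot tell "crate absent" from "cargo failed". Stderr is discarded and, without `pipefail`, only grep's status is tested, so a missing cargo, an unresolvable lockfile, or (probably) an ambiguous package spec when two versions of a crate are present all end in the "No banned TLS crates found" message. A guard meant to keep OpenSSL out of the tree should exit non-zero when it cannot inspect the tree. Resolving the graph once, failing on error, and matching crate names against that output closes the gap. Adding `--target all` also covers dependencies gated to platforms other than the host running the lint, since `cargo tree` filters to the host target by default.

```shell
# Resolve the graph once; a cargo failure must fail the check, not pass it.
if ! tree_output=$(cargo tree --target all --prefix none); then
  echo "ERROR: cargo tree failed; cannot verify banned TLS crates" >&2
  exit 1
fi

for crate in "${BANNED_CRATES[@]}"; do
  # Each line of --prefix none output starts with "<name> v<version>".
  if grep -q "^${crate} v" <<<"$tree_output"; then
    # … unchanged: error messages and dependency-chain output …
    FOUND_BANNED=1
  fi
done
```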
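Review bot: The new call `"$SCRIPT_DIR/check-no-native-tls.sh"` in scripts/clippy-lint.sh only gates the lint if the script aborts on a non-zero status, and whether `set -e` is active is not visible in this hunk. If it is not, a failed check is followed by `echo "✅ Done"` and the script exits 0, so CI would report success with a banned crate present. Making the dependency explicit removes the doubt: `"$SCRIPT_DIR/check-no-native-tls.sh" || exit 1`. The definition of `SCRIPT_DIR` also lies outside the hunk and should be confirmed to resolve to the scripts directory regardless of the caller's working directory.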