docs: add documentations for v1.19.0 #380

Merged May 11, 2026: kmendell merged 1 commit into main from docs/v1.19.0


kmendell (Member) commented Apr 29, 2026

Disclaimer: Greptile's reviews use AI, make sure to check over its work.

To better help train Greptile on our codebase, if the comment is useful and valid, Like the comment; if it's not helpful or invalid, Dislike.

To have Greptile Re-Review the changes, mention greptileai.

Greptile Summary

This PR adds v1.19.0 documentation: new APT and YUM/DNF installation sections for the CLI, a full mTLS edge-agent guide (security/edge-mtls.md), and the corresponding nav entry in docs.ts.

  • The mTLS doc is thorough, covering quick-start, modes, custom PKI, UI certificate downloads, local dev, troubleshooting, and rotation/revocation.
  • The YUM/DNF repo snippet ships with gpgcheck=0, which disables GPG package signature verification; the APT section correctly wires up a keyring and Signed-By, so parity is expected here.
  • src/lib/config/docs.ts correctly adds the new page to the Security navigation group.

Confidence Score: 3/5

The mTLS documentation and nav change are safe; the YUM/DNF install snippet actively instructs users to disable package signature verification, which needs to be corrected before the page goes live.

The new mTLS guide and nav entry are well-written and pose no correctness concerns. However, the YUM/DNF repo snippet ships gpgcheck=0 — unlike the APT section, which properly configures a signing key — meaning every RPM-based user who follows this guide will install the CLI without any package integrity check. Fixing this before publication is important given this is a security product's documentation.

content/cli/install.md — the YUM/DNF repo block needs GPG verification enabled before the page is published.

Security Review

  • Package integrity bypass (content/cli/install.md): The YUM/DNF repository configuration disables GPG signature verification for installed packages. The APT section correctly uses a keyring and Signed-By; the RPM section should match it by enabling signature checking and pointing to the signing key already hosted on pkgs.getarcane.app.


Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
content/cli/install.md:69-75
The YUM/DNF repo config disables GPG package verification with `gpgcheck=0`, while the APT section correctly sets up signature checking with a keyring. Any user who follows these instructions on RHEL/Fedora/CentOS will install packages without verifying their authenticity, leaving them open to tampered packages from a MITM or a compromised mirror. The signing key URL is already served from `pkgs.getarcane.app`, so it can simply be referenced here.

```suggestion
sudo tee /etc/yum.repos.d/arcane.repo << 'EOF'
[arcane]
name=Arcane Repository
baseurl=https://pkgs.getarcane.app/repository/yum/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://pkgs.getarcane.app/repository/raw/arcane-repo-signing.asc
EOF
```

Reviews (1): Last reviewed commit: "docs: add documentations for v1.19.0"

Greptile also left 1 inline comment on this PR.
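
As an added example (not part of this PR or of the Arcane docs), a shell check for the issue the review describes: it scans a yum/dnf `.repo` file and reports stanzas where `gpgcheck` is off, unset, or enabled without a `gpgkey`. The function names and temp files are constructed for illustration; the two sample stanzas are the ones shown in this PR.

```shell
#!/bin/sh
# Added example: report yum/dnf repo stanzas that skip RPM signature checks.
# Prints one "file:[repo-id]: finding" line per problem stanza.
audit_repo_file() {
    awk -v file="$1" '
        function report() {
            if (id == "" || id == "main") return
            if (check == "")
                print file ":[" id "]: gpgcheck unset (falls back to [main])"
            else if (check ~ /^(0|no|false|off)$/)
                print file ":[" id "]: gpgcheck disabled"
            else if (key == "")
                print file ":[" id "]: gpgcheck enabled but no gpgkey"
        }
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                  # new stanza: flush the last one
            report()
            id = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", id)
            check = ""; key = ""
            next
        }
        /=/ {                                     # key=value, spaces tolerated
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "gpgcheck") check = tolower(v)
            if (k == "gpgkey")   key = v
        }
        END { report() }
    ' "$1"
}

# Constructed sample files holding the two stanzas shown in this PR.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '[arcane]' 'name=Arcane Repository' \
        'baseurl=https://pkgs.getarcane.app/repository/yum/$basearch/' \
        'enabled=1' 'gpgcheck=0' > "$dir/before.repo"
    sed -e 's/^gpgcheck=0$/gpgcheck=1/' "$dir/before.repo" > "$dir/after.repo"
    echo 'gpgkey=https://pkgs.getarcane.app/repository/raw/arcane-repo-signing.asc' \
        >> "$dir/after.repo"
    echo "$dir"
}

samples=$(make_samples)
for f in "$samples"/*.repo; do audit_repo_file "$f"; done
```

On a real host, point the loop at `/etc/yum.repos.d/*.repo`; a stanza reported as unset takes its value from `[main]` in the dnf or yum configuration.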



getarcaneappbot commented Apr 29, 2026

Preview deployed successfully!

Built from commit 60f1e44

kmendell force-pushed the docs/v1.19.0 branch 2 times, most recently from e97b379 to 8b430e5 on May 5, 2026 00:01
kmendell marked this pull request as ready for review May 11, 2026 18:19
kmendell merged commit 205edc7 into main May 11, 2026
7 checks passed
kmendell deleted the docs/v1.19.0 branch May 11, 2026 18:19
Comment thread content/cli/install.md
Comment on lines +69 to +75
sudo tee /etc/yum.repos.d/arcane.repo << 'EOF'
[arcane]
name=Arcane Repository
baseurl=https://pkgs.getarcane.app/repository/yum/$basearch/
enabled=1
gpgcheck=0
EOF
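Review bot: `gpgcheck=0` on the last line of the `[arcane]` stanza turns off RPM signature verification, and the stanza has no `gpgkey=` line, so the HTTPS `baseurl` is the only protection and it covers the transport, not the contents of the repository. Set `gpgcheck=1` and add a `gpgkey=` entry for the repository signing key before this snippet is published.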
P1 security The YUM/DNF repo config disables GPG package verification with gpgcheck=0, while the APT section correctly sets up signature checking with a keyring. Any user who follows these instructions on RHEL/Fedora/CentOS will install packages without verifying their authenticity, leaving them open to tampered packages from a MITM or a compromised mirror. The signing key URL is already served from pkgs.getarcane.app, so it can simply be referenced here.

Suggested change
sudo tee /etc/yum.repos.d/arcane.repo << 'EOF'
[arcane]
name=Arcane Repository
baseurl=https://pkgs.getarcane.app/repository/yum/$basearch/
enabled=1
gpgcheck=0
EOF
sudo tee /etc/yum.repos.d/arcane.repo << 'EOF'
[arcane]
name=Arcane Repository
baseurl=https://pkgs.getarcane.app/repository/yum/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://pkgs.getarcane.app/repository/raw/arcane-repo-signing.asc
EOF
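Review bot: the `gpgkey` URL in the replacement stanza is on pkgs.getarcane.app, the same host as `baseurl`, so the signing key and the packages share a single point of trust. Publish the key's fingerprint next to this snippet so readers can compare it when dnf or yum asks to import the key. `repo_gpgcheck` is also left unset here; if the repository metadata is signed, add `repo_gpgcheck=1`.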