Upgrade nats.c to latest stable release

[pmarkowsky]

This PR updates the nats.c library to the latest stable release v3.12.0.

There were some interface changes between v3.12.0 and v3.8.2. Most notably around the TLS validation and callbacks.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dbb2b239-5300-42d4-8f3b-8189073ae545

📥 Commits

Reviewing files that changed from the base of the PR and between 5fc3143 and d17339e.

📒 Files selected for processing (2)

• Source/santasyncservice/SNTPushClientNATS.mm
• Source/santasyncservice/SNTPushClientNATSTest.mm

🚧 Files skipped from review as they are similar to previous changes (1)

• Source/santasyncservice/SNTPushClientNATSTest.mm

---

📝 Walkthrough

Walkthrough

Adds leaf-certificate SAN validation and verification-callback wiring into NATS TLS connections; switches NATS error retrieval to a fixed-size buffer API; expands NATS build inputs and BoringSSL compatibility defines; adds unit tests for SAN logic; silences a Clang unused-function warning around a utility include.

Changes

Cohort / File(s)	Summary
NATS build & dependency deps/non_module_deps.bzl, deps/BUILD.nats	Bumped nats_c pin from v3.8.2 → v3.12.0; include src/glib/*.c/*.h in the nats cc_library and add src/glib to includes; add local_defines mapping some OpenSSL symbols to BoringSSL-compatible forms.
NATS TLS verification & error handling Source/santasyncservice/SNTPushClientNATS.mm	Added extern "C" bool NATSLeafCertHasPushDomain(X509* cert) to inspect DNS SANs for *.push.northpole.security; added NATSSSLVerifyCallback wired into NATS SSL options during connect; replaced natsConnection_GetLastError usage with natsConnection_ReadLastError into a local buffer.
Tests & test BUILD Source/santasyncservice/SNTPushClientNATSTest.mm, Source/santasyncservice/BUILD	Added unit tests constructing minimal X509s with DNS SANs and validating SAN handling (including embedded-NUL rejection); added @boringssl//:crypto to the test deps.
Compiler diagnostic suppression Source/common/NKeyTokenValidator.mm	Wrapped #include "src/util.h" with Clang diagnostic push/ignore/pop to silence -Wunused-function.
Makefile change Makefile	Removed -DSANTA_NATS_DISABLE_TLS=1 from the debugrelease target flags.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant SNTPush as SNTPushClientNATS
    participant NATSlib as NATS lib
    participant SSL as OpenSSL/BoringSSL
    participant X509 as X509 parser

    Client->>SNTPush: Initiate NATS connect (TLS)
    SNTPush->>NATSlib: set SSL options + NATSSSLVerifyCallback
    NATSlib->>SSL: perform TLS handshake
    SSL->>SNTPush: invoke NATSSSLVerifyCallback(depth, preverifyOk, cert)
    SNTPush->>X509: NATSLeafCertHasPushDomain(cert)
    X509-->>SNTPush: return hasPushDomain (true/false)
    SNTPush-->>SSL: return verification result
    SSL-->>NATSlib: handshake outcome
    NATSlib-->>Client: connection established or error

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• deps: Update NATS dep to use local_defines #796: Modifies deps/BUILD.nats and cc_library preprocessor/local_defines for the NATS dependency (closely related build changes).
• sync v2: add token enforcement #786: Changes in Source/common/NKeyTokenValidator.mm touching the same file where this PR adds a Clang diagnostic suppression.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the primary change: upgrading the nats.c dependency to its latest stable release.
Description check	✅ Passed	The description is related to the changeset, explaining the upgrade from v3.8.2 to v3.12.0 and mentioning interface changes around TLS validation and callbacks.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deps/BUILD.nats`:
- Around line 41-46: The macro aliases in BUILD.nats change TLS semantics: do
not remap SSL_CTX_set_ciphersuites to SSL_CTX_set_cipher_list or
SSL_use_certificate_chain_file to SSL_use_certificate_file(...,
SSL_FILETYPE_PEM) because this breaks nats.c usage (e.g., TLS 1.3 cipher names
like TLS_AES_256_GCM_SHA384 and full chain loading). Remove these two mappings
(the "SSL_CTX_set_ciphersuites=SSL_CTX_set_cipher_list" and
"SSL_use_certificate_chain_file(s,f)=SSL_use_certificate_file(s,f,SSL_FILETYPE_PEM"
entries) or replace them with platform-aware shims that preserve TLS1.3 cipher
handling and full chain loading semantics for callers in nats.c (ensure
SSL_CTX_set_ciphersuites and SSL_use_certificate_chain_file behaviors are
preserved or explicitly implemented).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c6e409ea-106c-41a5-b454-ca9fcc0797b7

📥 Commits

Reviewing files that changed from the base of the PR and between 09c57fb and cbd3c5a.

📒 Files selected for processing (4)

• Source/common/NKeyTokenValidator.mm
• Source/santasyncservice/SNTPushClientNATS.mm
• deps/BUILD.nats
• deps/non_module_deps.bzl