fix(security): replace 2 generic catches in Node.Runtime/Program.cs

Added FileNotFoundException, UnauthorizedAccessException, CryptographicException handlers for certificate loading

Refs: CodeQL cs/catch-of-all-exceptions

Author: dylan-mccarthy

src/Node.Runtime/Program.cs

@@ -33,10 +33,10 @@
 // Configure gRPC client for LeaseService with mTLS support
 builder.Services.AddSingleton(sp =>
 {
-    var logger = sp.GetRequiredService<ILogger<Program>>();
-
-    GrpcChannel channel;
-
+    var logger = sp.GetRequiredService<ILogger<Program>>();
+
+    GrpcChannel channel;
+
     if (mtlsConfig.Enabled)
     {
         logger.LogInformation("mTLS is enabled for gRPC client connections");
@@ -61,6 +61,18 @@
             clientCertificate = X509Certificate2.CreateFromPem(certPem, keyPem);
             logger.LogInformation("Loaded client certificate from {CertPath}", mtlsConfig.ClientCertificatePath);
         }
+        catch (FileNotFoundException fnfEx)
+        {
+            throw new InvalidOperationException($"Client certificate file not found: {mtlsConfig.ClientCertificatePath}", fnfEx);
+        }
+        catch (UnauthorizedAccessException uaEx)
+        {
+            throw new InvalidOperationException($"Access denied reading client certificate: {mtlsConfig.ClientCertificatePath}", uaEx);
+        }
+        catch (System.Security.Cryptography.CryptographicException cryptoEx)
+        {
+            throw new InvalidOperationException($"Invalid certificate format in {mtlsConfig.ClientCertificatePath}", cryptoEx);
+        }
         catch (Exception ex)
         {
             throw new InvalidOperationException($"Failed to load client certificate from {mtlsConfig.ClientCertificatePath}", ex);
@@ -76,6 +88,18 @@
                 serverCaCertificate = X509Certificate2.CreateFromPem(caPem);
                 logger.LogInformation("Loaded server CA certificate from {CertPath}", mtlsConfig.ServerCaCertificatePath);
             }
+            catch (FileNotFoundException fnfEx)
+            {
+                throw new InvalidOperationException($"Server CA certificate file not found: {mtlsConfig.ServerCaCertificatePath}", fnfEx);
+            }
+            catch (UnauthorizedAccessException uaEx)
+            {
+                throw new InvalidOperationException($"Access denied reading server CA certificate: {mtlsConfig.ServerCaCertificatePath}", uaEx);
+            }
+            catch (System.Security.Cryptography.CryptographicException cryptoEx)
+            {
+                throw new InvalidOperationException($"Invalid CA certificate format in {mtlsConfig.ServerCaCertificatePath}", cryptoEx);
+            }
             catch (Exception ex)
             {
                 throw new InvalidOperationException($"Failed to load server CA certificate from {mtlsConfig.ServerCaCertificatePath}", ex);
@@ -285,13 +309,13 @@
 {
     var metricsService = host.Services.GetRequiredService<INodeMetricsService>();
 
-    Node.Runtime.Observability.TelemetryConfig.ActiveLeasesGauge =
+    Node.Runtime.Observability.TelemetryConfig.ActiveLeasesGauge =
         Node.Runtime.Observability.TelemetryConfig.Meter.CreateObservableGauge(
             "active_leases",
             () => metricsService.GetActiveLeases(),
             description: "Current number of active leases being processed");
 
-    Node.Runtime.Observability.TelemetryConfig.AvailableSlotsGauge =
+    Node.Runtime.Observability.TelemetryConfig.AvailableSlotsGauge =
         Node.Runtime.Observability.TelemetryConfig.Meter.CreateObservableGauge(
             "available_slots",
             () => metricsService.GetAvailableSlots(),