From 0750c5f8cca45785a65c5a7663663b5b1ad22934 Mon Sep 17 00:00:00 2001 
From: Shankar
Date: Thu, 16 Apr 2026 23:46:37 +0000
Subject: [PATCH] docs: redact V3 feature specifics from README (fixes H-7)

Problem
-------

H-7 (CWE-200 / information disclosure, strategic-policy class): the public README's V3 section enumerated the paid-tier feature set -- "Role-based access control with profile-gating", "Event-driven architecture with real-time operational views", "Advanced search", "compliance scoring", "HSM/TPM integration" -- violating the CLAUDE.md directive "Keep V3+ deliberately vague -- one-liner descriptions only. Don't telegraph the paid feature set."

The prior wording also carried factual drift: `compliance scoring` was pulled forward to V2.2 per the V2.2 Roadmap, so pairing it with V3 in the README misrepresented the open-core line.

Fix
---

Replace the two-sentence enumeration at README.md:322-323 with a single deliberately-vague sentence:

    Enterprise capabilities for larger deployments are available in the commercial tier.

No named features. No SKU enumeration. Matches the policy one-liner shape used in neighboring V1 / V2 / V4+ sections. Net -1 line of prose.

Files
-----

README.md 1 -, 1 +

Wire-format invariants preserved
--------------------------------

This is a docs-only change. All protocol surfaces are byte-identical:

- RFC 7030 EST handler (internal/api/handler/est.go) -- untouched
- RFC 8894 SCEP handler (internal/api/handler/scep.go) -- untouched
- Shared internal/pkcs7/ package -- untouched
- H-1 revocation composite key (migration 000012) -- untouched
- H-2 SCEP challenge-password preflight + PKCSReq guard -- untouched
- C-2 AES-256-GCM config encryption contract -- untouched
- CRL DER bytes, OCSP response bytes -- untouched

Verification
------------

git diff 844a05c HEAD -- internal/ cmd/ migrations/ api/ deploy/
-> 0 code changes (only README.md modified after H-1)

Operational note
----------------

No behavioral change. Product positioning only.

The V3 feature set itself remains documented in the gitignored roadmap.md / strategy.md, which are the intended sources of truth for the paid tier.

Audit report: see /Users/shankar/Desktop/cowork/certctl-audit-report.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 07fc371..3afd438 100644
--- a/README.md
+++ b/README.md
@@ -320,7 +320,7 @@ Core lifecycle management — Local CA + ACME v2 issuers, NGINX target connector 30+ milestones shipping enterprise-grade features for free. Sub-CA mode, ACME DNS-01/DNS-PERSIST-01/EAB/ARI (RFC 9773)/profile selection, step-ca, Vault PKI, DigiCert CertCentral, Sectigo SCM, Google CAS, AWS ACM PCA, Entrust, GlobalSign, EJBCA, OpenSSL/Custom CA issuers. NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS (WinRM), F5 BIG-IP, SSH, Windows Certificate Store, Java Keystore, Kubernetes Secrets targets. EST server (RFC 7030) and SCEP server (RFC 8894) enrollment protocols. RFC 5280 revocation with DER CRL + embedded OCSP responder. Certificate profiles, ownership tracking, team assignment, agent groups, interactive approval workflows. Filesystem, network, and cloud secret manager (AWS SM, Azure KV, GCP SM) certificate discovery with triage GUI. Dynamic issuer/target configuration via GUI with AES-256-GCM encrypted storage. First-run onboarding wizard. Post-deployment TLS verification. Certificate export (PEM/PKCS#12). S/MIME support. Prometheus metrics. Scheduled certificate digest emails. Slack, Teams, PagerDuty, OpsGenie, SMTP notifications. MCP server (80 tools), CLI (12 commands), Helm chart. Compliance mapping (SOC 2, PCI-DSS 4.0, NIST SP 800-57). 5 turnkey deployment examples. Agent install script. Migration guides from certbot, acme.sh, and cert-manager. See the [Feature Inventory](docs/features.md) for details. ### V3: certctl Pro -Team access controls and identity provider integration. Role-based access control with profile-gating. Event-driven architecture with real-time operational views. Advanced search, compliance scoring, and HSM/TPM integration. +Enterprise capabilities for larger deployments are available in the commercial tier. ### V4+: Cloud & Scale Kubernetes cert-manager external issuer, cloud infrastructure targets, extended CA support, and platform-scale features.
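Review bot: the trailing context line for "### V4+: Cloud & Scale" still enumerates specifics ("Kubernetes cert-manager external issuer, cloud infrastructure targets, extended CA support, and platform-scale features"), which sits oddly next to the commit message's cited CLAUDE.md directive "Keep V3+ deliberately vague -- one-liner descriptions only"; either give the V4+ line the same shape as the new V3 sentence in this patch, or state in the message why V4+ is out of scope for H-7 so the next reader does not reopen it. A smaller follow-up: the message says `compliance scoring` was pulled forward to V2.2, but the V2 paragraph in the leading context only lists "Compliance mapping (SOC 2, PCI-DSS 4.0, NIST SP 800-57)", so the README still does not reflect where that feature now lives.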