chore: drop 'Infisical' label from internal references

Strategic naming cleanup. Earlier doc-comments + commit messages framed Rank
4 / Rank 5 / Rank 7 work as 'Rank N of the 2026-05-03 Infisical deep-research
deliverable' — the 'Infisical' qualifier was a holdover from the original
deep-research framing where Infisical (a competing secrets-management
platform) was the comparator. Keeping the comparator's name in our source
adds noise without value; an external reader sees 'Infisical' and assumes a
dependency or shared lineage rather than reading it as the competitive
context it was.

Mechanical sed across 34 files (32 source / docs + 2 follow-up Python passes
to collapse 'deep-research deep-research' duplicates that emerged where the
original phrase wrapped across lines):

  s|Infisical deep-research|deep-research|g
  s|infisical-deep-research-results|deep-research-results-2026-05-03|g
  s|infisical-deep-research-prompt|deep-research-prompt-2026-05-03|g
  s|infisical-deep-research|deep-research|g
  s|Infisical|deep-research|g
  s|deep-research deep-research|deep-research|g  # collapse-pass

Net diff: 63 insertions / 64 deletions across cmd/, docs/, internal/,
migrations/. Pure text substitution; zero behavior change. Code path
unchanged — go vet clean, tests for TestApproval pass on both
internal/service and internal/api/handler packages.

Workspace docs (cowork/) carry the same references and will be swept
separately — they're not under certctl/ git control. The two filename
references (cowork/infisical-deep-research-results.md +
cowork/infisical-deep-research-prompt.md) get renamed alongside that sweep
to deep-research-results-2026-05-03.md /
deep-research-prompt-2026-05-03.md so cross-references in the certctl
repo doc-comments resolve cleanly.
shankar0123
2026-05-04 01:15:01 +00:00
parent 03c61f4c20
commit 19706e56b3
34 changed files with 63 additions and 64 deletions
+1 -1
@@ -18,7 +18,7 @@ import (
// inversion) so the handler stays decoupled from the concrete
// *service.ApprovalService.
//
// Rank 7 of the 2026-05-03 Infisical deep-research deliverable, commit 3
// Rank 7 of the 2026-05-03 deep-research deliverable, commit 3
// of 4 — the API + RBAC layer.
type ApprovalServicer interface {
Approve(ctx context.Context, requestID, decidedBy, note string) error
+5 -5
@@ -89,8 +89,8 @@ type VaultRenewalSnapshotter interface {
// (via NotificationService.SetExpiryAlertMetrics) and exposing
// (here).
//
// Rank 4 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5).
// Rank 4 of the 2026-05-03 deep-research deliverable
// (cowork/deep-research-results-2026-05-03.md Part 5).
type ExpiryAlertSnapshotter interface {
// SnapshotExpiryAlerts returns one entry per non-zero counter,
// pre-sorted by (channel, threshold, result) so the Prometheus
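Review bot: the new path `cowork/deep-research-results-2026-05-03.md` in this hunk does not resolve at the point this commit lands. The commit message says the cowork/ workspace is outside certctl/ git control and will be swept separately, so until that rename happens the doc-comment points at a file that does not exist, while the old `cowork/infisical-deep-research-results.md` name it replaces is the only one on disk. Either land the cowork/ rename first, or keep the old filename in this comment until it does, so a reader following the reference does not hit a dead path.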
@@ -123,7 +123,7 @@ type MetricsHandler struct {
// certctl_vault_token_renewals_total{result=...}.
vaultRenewals VaultRenewalSnapshotter
// Per-policy multi-channel expiry alert counters. Rank 4 of the
// 2026-05-03 Infisical deep-research deliverable. nil disables
// 2026-05-03 deep-research deliverable. nil disables
// emission of certctl_expiry_alerts_total{channel,threshold,result}.
expiryAlerts ExpiryAlertSnapshotter
}
@@ -168,7 +168,7 @@ func (h *MetricsHandler) SetVaultRenewals(c VaultRenewalSnapshotter) {
// SetExpiryAlerts wires the per-policy multi-channel expiry-alert
// counter table for the Prometheus exposition. nil disables the
// block. Closes Rank 4 of the 2026-05-03 Infisical deep-research
// block. Closes Rank 4 of the 2026-05-03 deep-research
// deliverable.
func (h *MetricsHandler) SetExpiryAlerts(c ExpiryAlertSnapshotter) {
h.expiryAlerts = c
@@ -502,7 +502,7 @@ func (h MetricsHandler) GetPrometheusMetrics(w http.ResponseWriter, r *http.Requ
}
// Per-policy multi-channel expiry-alert counters. Rank 4 of the
// 2026-05-03 Infisical deep-research deliverable. Operators alert
// 2026-05-03 deep-research deliverable. Operators alert
// on certctl_expiry_alerts_total{result="failure"} > 0 to catch
// when a notifier connector (PagerDuty / Slack / etc.) is
// rejecting our sends. Cardinality: 6 channels × N thresholds × 3
+1 -2
@@ -158,8 +158,7 @@ type HandlerRegistry struct {
ACME handler.ACMEHandler
// Approvals handles the issuance approval-workflow endpoints under
// /api/v1/approvals/*. Rank 7 of the 2026-05-03 Infisical deep-
// research deliverable — closes the two-person integrity / four-eyes
// /api/v1/approvals/*. Rank 7 of the 2026-05-03 deep-research deliverable — closes the two-person integrity / four-eyes
// principle procurement gap. Routes:
// GET /api/v1/approvals
// GET /api/v1/approvals/{id}
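Review bot: the rewrapped line `// /api/v1/approvals/*. Rank 7 of the 2026-05-03 deep-research deliverable — closes the two-person integrity / four-eyes` now runs far past the wrap width of the rest of this comment block, because the sed joined the old `deep-` / `research` line pair into one line instead of re-flowing it. Break it again at the block's existing width (for example after `deep-research deliverable —`) so the Routes section that follows stays visually aligned with the prose above it.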
+2 -2
@@ -29,7 +29,7 @@ type Config struct {
Verification VerificationConfig
ACME ACMEConfig
// Approval is the issuance approval-workflow primitive's runtime
// config. Rank 7 of the 2026-05-03 Infisical deep-research
// config. Rank 7 of the 2026-05-03 deep-research
// deliverable. The single field — BypassEnabled — short-circuits
// the workflow for dev/CI; production deploys MUST leave it false.
Approval ApprovalConfig
@@ -1431,7 +1431,7 @@ type SchedulerConfig struct {
}
// ApprovalConfig contains issuance approval-workflow runtime configuration.
// Rank 7 of the 2026-05-03 Infisical deep-research deliverable.
// Rank 7 of the 2026-05-03 deep-research deliverable.
type ApprovalConfig struct {
// BypassEnabled short-circuits the approval workflow — every
// RequestApproval call auto-approves with decidedBy="system-bypass"
+2 -2
@@ -15,8 +15,8 @@
// on mismatch (or any post-verify failure) the connector re-imports the
// snapshot bytes to restore the previous cert. Mirrors the Bundle 5+
// pre-deploy-snapshot + on-failure-restore pattern from IIS / WinCertStore /
// JavaKeystore. Rank 5 of the 2026-05-03 Infisical deep-research
// deliverable (cowork/infisical-deep-research-results.md Part 5).
// JavaKeystore. Rank 5 of the 2026-05-03 deep-research
// deliverable (cowork/deep-research-results-2026-05-03.md Part 5).
//
// IAM permissions required:
//
@@ -1,7 +1,7 @@
package awsacm_test
// Rank 5 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). Per-error-class
// Rank 5 of the 2026-05-03 deep-research deliverable
// (cowork/deep-research-results-2026-05-03.md Part 5). Per-error-class
// failure tests for the AWS ACM target connector — mirrors the
// awsacmpca_failure_test.go shape (commit 60dce0b) on the issuer side.
//
@@ -1,7 +1,7 @@
package awsacm_test
// Rank 5 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). Happy-path table-
// Rank 5 of the 2026-05-03 deep-research deliverable
// (cowork/deep-research-results-2026-05-03.md Part 5). Happy-path table-
// driven tests for the AWS ACM target connector. Mirrors the
// k8ssecret_test.go ergonomics + the Bundle 5+ atomic-rollback
// assertions from IIS / WinCertStore / JavaKeystore.
+2 -2
@@ -26,8 +26,8 @@
// is the safe default — recovery requires acm:RecoverDeletedCertificate
// permission which we deliberately keep off the minimum-RBAC surface.
//
// Rank 5 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5).
// Rank 5 of the 2026-05-03 deep-research deliverable
// (cowork/deep-research-results-2026-05-03.md Part 5).
//
// Required Azure RBAC (minimum):
//
@@ -1,7 +1,7 @@
package azurekv_test
// Rank 5 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). Happy-path tests
// Rank 5 of the 2026-05-03 deep-research deliverable
// (cowork/deep-research-results-2026-05-03.md Part 5). Happy-path tests
// for the Azure Key Vault target connector. Mirrors the awsacm_test.go
// shape so cross-cloud regressions are bisectable side-by-side.
+2 -2
@@ -16,8 +16,8 @@ import "time"
// Once terminal, the row is immutable; the audit_events table is the
// durable record of who approved + why.
//
// Rank 7 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). Closes the
// Rank 7 of the 2026-05-03 deep-research deliverable
// (cowork/deep-research-results-2026-05-03.md Part 5). Closes the
// "two-person integrity / four-eyes principle" procurement gap for
// PCI-DSS Level 1, FedRAMP Moderate / High, and SOC 2 Type II
// customers.
+2 -2
@@ -124,8 +124,8 @@ type RenewalPolicy struct {
// the dispatch site (closed-enum discipline; we do NOT dynamically
// grow Prometheus cardinality on a typo).
//
// Rank 4 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5).
// Rank 4 of the 2026-05-03 deep-research deliverable
// (cowork/deep-research-results-2026-05-03.md Part 5).
AlertChannels map[string][]string `json:"alert_channels,omitempty"`
// AlertSeverityMap maps each threshold-day value to its severity
+3 -3
@@ -215,8 +215,8 @@ const (
// TargetTypeAWSACM deploys certificates to AWS Certificate Manager
// (ACM) — the public AWS service that ALB / CloudFront / API
// Gateway / App Runner consume by ARN. Rank 5 of the 2026-05-03
// Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). See
// deep-research deliverable
// (cowork/deep-research-results-2026-05-03.md Part 5). See
// docs/connectors.md "AWS Certificate Manager" section for the
// operator playbook including minimum IAM policy + atomic-rollback
// contract.
@@ -224,7 +224,7 @@ const (
// TargetTypeAzureKeyVault deploys certificates to Azure Key Vault —
// the Azure-managed cert store that Application Gateway / Front
// Door / App Service / Container Apps consume by KID URI. Rank 5
// of the 2026-05-03 Infisical deep-research deliverable. See
// of the 2026-05-03 deep-research deliverable. See
// docs/connectors.md "Azure Key Vault" for the operator playbook
// including minimum RBAC role + atomic-rollback + Azure-version
// semantics.
+1 -1
@@ -87,7 +87,7 @@ type CertificateProfile struct {
//
// Backed by certificate_profiles.requires_approval added in
// migration 000027_approval_workflow. Rank 7 of the 2026-05-03
// Infisical deep-research deliverable.
// deep-research deliverable.
RequiresApproval bool `json:"requires_approval,omitempty"`
Enabled bool `json:"enabled"`
+1 -1
@@ -715,7 +715,7 @@ type HealthCheckFilter struct {
}
// ApprovalRepository defines operations for managing issuance approval requests.
// Rank 7 of the 2026-05-03 Infisical deep-research deliverable — closes the
// Rank 7 of the 2026-05-03 deep-research deliverable — closes the
// two-person integrity / four-eyes principle procurement gap for PCI-DSS
// Level 1, FedRAMP Moderate / High, SOC 2 Type II, HIPAA-regulated PHI.
//
+1 -1
@@ -16,7 +16,7 @@ import (
)
// ApprovalRepository is the postgres implementation of
// repository.ApprovalRepository. Rank 7 of the 2026-05-03 Infisical
// repository.ApprovalRepository. Rank 7 of the 2026-05-03 deep-research
// deep-research deliverable.
type ApprovalRepository struct {
db *sql.DB
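Review bot: the line-spanning duplicate survives in this hunk. The changed line `// repository.ApprovalRepository. Rank 7 of the 2026-05-03 deep-research` is followed by the unchanged context line `// deep-research deliverable.`, so the comment now reads "Rank 7 of the 2026-05-03 deep-research deep-research deliverable". The `s|deep-research deep-research|deep-research|g` collapse pass only matches within a single line, which is why it missed this wrap. Drop the trailing `deep-research` from the changed line (ending it at `2026-05-03`) and grep the other touched files for the same two-line pattern before merging.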
@@ -37,7 +37,7 @@ func NewRenewalPolicyRepository(db *sql.DB) *RenewalPolicyRepository {
//
// alert_channels / alert_severity_map (migration 000026) ARE read here —
// they're the per-policy channel matrix that drives multi-channel expiry
// alert routing (Rank 4 of the 2026-05-03 Infisical deep-research
// alert routing (Rank 4 of the 2026-05-03 deep-research
// deliverable). Both default to '{}' at the DB level; scanRenewalPolicy
// unmarshals an empty map into nil so domain.EffectiveAlertChannels /
// EffectiveAlertSeverityMap fall through to the back-compat defaults.
+1 -1
@@ -11,7 +11,7 @@ import (
)
// ApprovalService manages the issuance approval-workflow primitive.
// Rank 7 of the 2026-05-03 Infisical deep-research deliverable.
// Rank 7 of the 2026-05-03 deep-research deliverable.
//
// Lifecycle: a profile with RequiresApproval=true causes the renewal
// entry points (TriggerRenewal + CheckExpiringCertificates) to call
+1 -1
@@ -8,7 +8,7 @@ import (
)
// ApprovalMetrics is a thread-safe counter table for the issuance
// approval-workflow dispatch path. Rank 7 of the 2026-05-03 Infisical
// approval-workflow dispatch path. Rank 7 of the 2026-05-03 deep-research
// deep-research deliverable. Mirrors the ExpiryAlertMetrics +
// VaultRenewalMetrics shape: cmd/server/main.go constructs ONE instance,
// passes it to ApprovalService (recording side) AND metricsHandler
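Review bot: doubled phrase across a line break in this hunk. `// approval-workflow dispatch path. Rank 7 of the 2026-05-03 deep-research` is immediately followed by the unchanged `// deep-research deliverable. Mirrors the ExpiryAlertMetrics +`, giving "deep-research deep-research deliverable". The single-line collapse sed cannot see this; end the changed line at `2026-05-03` so the next line supplies the only `deep-research`.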
+2 -2
@@ -39,7 +39,7 @@ type CertificateService struct {
// a parallel ApprovalRequest row is created via approvalSvc. The
// scheduler does NOT dispatch until ApprovalService.Approve
// transitions the job to Pending. Rank 7 of the 2026-05-03
// Infisical deep-research deliverable. Both setters are optional —
// deep-research deliverable. Both setters are optional —
// when either is nil, gating is skipped and TriggerRenewal falls
// back to the historical unattended path.
approvalSvc *ApprovalService
@@ -107,7 +107,7 @@ func (s *CertificateService) SetKeygenMode(mode string) {
// SetApprovalService wires the approval-workflow service. When both this
// and SetProfileRepo are wired, TriggerRenewal gates on
// CertificateProfile.RequiresApproval. Rank 7 of the 2026-05-03 Infisical
// CertificateProfile.RequiresApproval. Rank 7 of the 2026-05-03 deep-research
// deep-research deliverable.
func (s *CertificateService) SetApprovalService(svc *ApprovalService) {
s.approvalSvc = svc
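Review bot: same wrap-induced duplicate here. `// CertificateProfile.RequiresApproval. Rank 7 of the 2026-05-03 deep-research` plus the unchanged `// deep-research deliverable.` reads "deep-research deep-research deliverable". Remove the trailing `deep-research` from the changed line; the collapse pass in the commit message only handles the phrase when both copies sit on one line.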
+2 -2
@@ -8,8 +8,8 @@ import (
// ExpiryAlertMetrics is a thread-safe counter table for the per-policy
// multi-channel expiry-alert dispatch path. Rank 4 of the 2026-05-03
// Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). Closes the
// deep-research deliverable
// (cowork/deep-research-results-2026-05-03.md Part 5). Closes the
// procurement-checklist gap where a customer who configured PagerDuty
// for cert-expiry pages got silent nothing — ExpirationWarning shipped
// only to Email pre-fix.
+2 -2
@@ -54,7 +54,7 @@ type NotificationService struct {
// to SendThresholdAlertOnChannel reports its outcome (success / failure)
// to the metric sink so the Prometheus exposer surfaces
// certctl_expiry_alerts_total{channel,threshold,result}. Rank 4 of the
// 2026-05-03 Infisical deep-research deliverable. Nil leaves the
// 2026-05-03 deep-research deliverable. Nil leaves the
// dispatch path unchanged (no metric emission, but alerts still fire).
expiryAlertMetrics ExpiryAlertRecorder
}
@@ -149,7 +149,7 @@ func (s *NotificationService) SendExpirationWarning(ctx context.Context, cert *d
//
// Policy-driven dispatch in RenewalService.sendThresholdAlerts uses
// SendThresholdAlertOnChannel directly with the channel resolved from the
// per-policy AlertChannels matrix. Rank 4 of the 2026-05-03 Infisical
// per-policy AlertChannels matrix. Rank 4 of the 2026-05-03 deep-research
// deep-research deliverable.
func (s *NotificationService) SendThresholdAlert(ctx context.Context, cert *domain.ManagedCertificate, daysUntilExpiry int, threshold int) error {
return s.SendThresholdAlertOnChannel(ctx, cert, daysUntilExpiry, threshold, domain.NotificationChannelEmail)
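Review bot: the changed line `// per-policy AlertChannels matrix. Rank 4 of the 2026-05-03 deep-research` runs into the unchanged `// deep-research deliverable.`, producing the "deep-research deep-research" duplicate the commit message says was collapsed. The collapse sed works per line and did not catch this wrapped case; trim the trailing word from the changed line.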
+3 -3
@@ -204,7 +204,7 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
// policy pointer (nil-safe) drives the per-(threshold) channel
// matrix; nil policy or empty AlertChannels falls through to the
// back-compat Email-only default. Rank 4 of the 2026-05-03
// Infisical deep-research deliverable.
// deep-research deliverable.
var policyPtr *domain.RenewalPolicy
if cert.RenewalPolicyID != "" {
policyPtr = policyCache[cert.RenewalPolicyID]
@@ -323,8 +323,8 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
// AND metadata->>'channel' = 'PagerDuty' to answer "did the on-call
// team get paged?".
//
// Rank 4 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). The policy
// Rank 4 of the 2026-05-03 deep-research deliverable
// (cowork/deep-research-results-2026-05-03.md Part 5). The policy
// argument is nil-safe — a cert with no RenewalPolicy attached gets the
// back-compat Email-only default matrix.
func (s *RenewalService) sendThresholdAlerts(
@@ -1,7 +1,7 @@
package service
// Rank 4 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). Pins every leg of
// Rank 4 of the 2026-05-03 deep-research deliverable
// (cowork/deep-research-results-2026-05-03.md Part 5). Pins every leg of
// the per-policy multi-channel expiry-alert fan-out matrix:
//
// 1. Default matrix → Email-only at every tier (back-compat).
+1 -1
@@ -513,7 +513,7 @@ func (m *mockNotifRepo) List(ctx context.Context, filter *repository.Notificatio
// Apply each non-zero filter field. Mirror the postgres notification
// repo's WHERE-clause shape (CertificateID, Type, Status, Channel,
// MessageLike) so the multi-channel expiry-alert tests
// (renewal_expiry_alerts_test.go, Rank 4 of the 2026-05-03 Infisical
// (renewal_expiry_alerts_test.go, Rank 4 of the 2026-05-03 deep-research
// deep-research deliverable) get the same per-(cert, threshold,
// channel) dedup behaviour they'd see in production. Pre-Rank 4 the
// mock returned all rows regardless of filter; legacy callers
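Review bot: one more wrapped duplicate in this hunk: `// (renewal_expiry_alerts_test.go, Rank 4 of the 2026-05-03 deep-research` followed by the unchanged `// deep-research deliverable) get the same per-(cert, threshold,` yields "deep-research deep-research deliverable". Since the commit claims the duplicates were collapsed, this one (and any other line-spanning instance) should be fixed before merge by ending the changed line at `2026-05-03`; a multi-line-aware check, such as grepping the files with the comment prefix stripped and lines joined, would confirm none remain.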