mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 21:01:31 +00:00
Bundle 9 follow-up: ST1018 ESC sweep + make verify pre-commit gate
CI on the bundle-9 merge (run #24962543332) failed golangci-lint with 16 staticcheck ST1018 'string literal contains the Unicode format character U+202X, consider using the \u202X escape sequence' hits — across the two test files we added (internal/validation/unicode_test.go + internal/connector/issuer/local/bundle9_coverage_test.go). Mechanical sweep, byte-identical at runtime: internal/validation/unicode_test.go (13 + 1 hits cleared) RTL/LTR overrides U+202A..U+202E + U+2066..U+2069 (lines 39-47) zero-width U+200B..U+200D + U+2060 (lines 67-70) additional U+202E in TestValidateUnicodeSafe_ErrorMentionsByteOffset internal/connector/issuer/local/bundle9_coverage_test.go (3 hits) U+202E in TestValidateCSRUnicode_RejectsDNSNameRTL U+200B in TestValidateCSRUnicode_RejectsEmailZeroWidth U+202E in TestValidateCSRUnicode_RejectsAdditionalSAN The strings now use Go \uXXXX escape sequences. Identical UTF-8 bytes hit ValidateUnicodeSafe at runtime — every test passes unchanged locally. The file-header comment in unicode_test.go that promised this convention is now actually honored. Verification: staticcheck -checks=ST1018 returns clean across the two packages. go test -count=1 -short still green. Pre-commit gate added to prevent recurrence: Makefile: new 'verify' aggregate target runs gofmt + go vet + golangci-lint run + go test -short — same set CI enforces. Run 'make verify' before every commit going forward. cowork/CLAUDE.md: new 'Pre-commit verification gate' paragraph in Operating Rules. Documents make verify as the canonical gate; explains WHY (Bundle-9 shipped green-on-vet / red-on-CI because ST1018 only fires under golangci-lint's staticcheck, not vet); documents the staticcheck-only fallback for disk-constrained sandboxes. This commit changes only: - 2 test source files (\uXXXX escapes, no behavior change) - Makefile (1 new target, 1 .PHONY entry, 1 help line) - cowork/CLAUDE.md (1 new operating-rule paragraph)
This commit is contained in:
Shankar
@@ -1,4 +1,4 @@
|
||||
.PHONY: help build run test lint clean docker-up docker-down migrate-up migrate-down generate test-cover frontend-build
|
||||
.PHONY: help build run test lint verify clean docker-up docker-down migrate-up migrate-down generate test-cover frontend-build
|
||||
|
||||
# Default target - show help
|
||||
help:
|
||||
@@ -15,6 +15,7 @@ help:
|
||||
@echo " make test-verbose Run tests with verbose output"
|
||||
@echo " make lint Run linter (golangci-lint)"
|
||||
@echo " make fmt Format code with gofmt"
|
||||
@echo " make verify Pre-commit gate: fmt + vet + lint + test (CI-parity)"
|
||||
@echo ""
|
||||
@echo "Database:"
|
||||
@echo " make migrate-up Run migrations (requires DB_URL)"
|
||||
@@ -97,6 +98,24 @@ vet:
|
||||
@echo "Running go vet..."
|
||||
go vet ./...
|
||||
|
||||
# verify: aggregate pre-commit gate. Mirrors what CI enforces, so
|
||||
# running `make verify` locally before committing prevents the
|
||||
# class of breakages that ship green-locally / red-on-CI (e.g.
|
||||
# Bundle-9's ST1018 invisible-Unicode-literal hits, which `go vet`
|
||||
# alone cannot catch — staticcheck under golangci-lint does).
|
||||
verify:
|
||||
@echo "==> fmt"
|
||||
@go fmt ./... | { ! grep -q '.'; } || (echo "gofmt produced changes — commit them" && exit 1)
|
||||
@echo "==> go vet ./..."
|
||||
@go vet ./...
|
||||
@echo "==> golangci-lint run ./... (incl. staticcheck ST*)"
|
||||
@which golangci-lint > /dev/null || (echo "Installing golangci-lint..." && go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest)
|
||||
@golangci-lint run ./... --timeout 5m
|
||||
@echo "==> go test -short ./..."
|
||||
@go test -short -count=1 ./...
|
||||
@echo ""
|
||||
@echo "verify: PASS — safe to commit"
|
||||
|
||||
# Database targets (requires migrate tool)
|
||||
migrate-up:
|
||||
@echo "Running migrations..."
|
||||
|
||||
@@ -395,7 +395,7 @@ func TestValidateCSRUnicode_RejectsCNHomograph(t *testing.T) {
|
||||
func TestValidateCSRUnicode_RejectsDNSNameRTL(t *testing.T) {
|
||||
csr := &x509.CertificateRequest{
|
||||
Subject: pkix.Name{CommonName: "ok.com"},
|
||||
DNSNames: []string{"goodevil.com"},
|
||||
DNSNames: []string{"good\u202Eevil.com"},
|
||||
}
|
||||
err := validateCSRUnicode(csr, nil)
|
||||
if err == nil {
|
||||
@@ -409,7 +409,7 @@ func TestValidateCSRUnicode_RejectsDNSNameRTL(t *testing.T) {
|
||||
func TestValidateCSRUnicode_RejectsEmailZeroWidth(t *testing.T) {
|
||||
csr := &x509.CertificateRequest{
|
||||
Subject: pkix.Name{CommonName: "ok.com"},
|
||||
EmailAddresses: []string{"goodbad@example.com"},
|
||||
EmailAddresses: []string{"good\u200Bbad@example.com"},
|
||||
}
|
||||
err := validateCSRUnicode(csr, nil)
|
||||
if err == nil {
|
||||
@@ -424,7 +424,7 @@ func TestValidateCSRUnicode_RejectsAdditionalSAN(t *testing.T) {
|
||||
csr := &x509.CertificateRequest{
|
||||
Subject: pkix.Name{CommonName: "ok.com"},
|
||||
}
|
||||
err := validateCSRUnicode(csr, []string{"goodevil.com"})
|
||||
err := validateCSRUnicode(csr, []string{"good\u202Eevil.com"})
|
||||
if err == nil {
|
||||
t.Fatal("expected rejection for additional SAN RTL")
|
||||
}
|
||||
|
||||
@@ -36,15 +36,15 @@ func TestValidateUnicodeSafe_RejectsRTLOverride(t *testing.T) {
|
||||
name string
|
||||
in string
|
||||
}{
|
||||
{"LRE", "goodcom"},
|
||||
{"RLE", "goodcom"},
|
||||
{"PDF", "goodcom"},
|
||||
{"LRO", "goodcom"},
|
||||
{"RLO", "goodcom"},
|
||||
{"LRI", "goodcom"},
|
||||
{"RLI", "goodcom"},
|
||||
{"FSI", "goodcom"},
|
||||
{"PDI", "goodcom"},
|
||||
{"LRE", "good\u202Acom"},
|
||||
{"RLE", "good\u202Bcom"},
|
||||
{"PDF", "good\u202Ccom"},
|
||||
{"LRO", "good\u202Dcom"},
|
||||
{"RLO", "good\u202Ecom"},
|
||||
{"LRI", "good\u2066com"},
|
||||
{"RLI", "good\u2067com"},
|
||||
{"FSI", "good\u2068com"},
|
||||
{"PDI", "good\u2069com"},
|
||||
}
|
||||
for _, c := range cases {
|
||||
t.Run(c.name, func(t *testing.T) {
|
||||
@@ -64,10 +64,10 @@ func TestValidateUnicodeSafe_RejectsZeroWidth(t *testing.T) {
|
||||
name string
|
||||
in string
|
||||
}{
|
||||
{"ZWSP", "goodcom"},
|
||||
{"ZWNJ", "goodcom"},
|
||||
{"ZWJ", "goodcom"},
|
||||
{"WJ", "goodcom"},
|
||||
{"ZWSP", "good\u200Bcom"},
|
||||
{"ZWNJ", "good\u200Ccom"},
|
||||
{"ZWJ", "good\u200Dcom"},
|
||||
{"WJ", "good\u2060com"},
|
||||
{"BOM", "good\uFEFFcom"},
|
||||
}
|
||||
for _, c := range cases {
|
||||
@@ -141,7 +141,7 @@ func TestValidateUnicodeSafe_AcceptsPureNonASCII(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestValidateUnicodeSafe_ErrorMentionsByteOffset(t *testing.T) {
|
||||
in := "goodevil.com"
|
||||
in := "good\u202Eevil.com"
|
||||
err := ValidateUnicodeSafe(in)
|
||||
if err == nil {
|
||||
t.Fatal("expected rejection")
|
||||
|
||||
Reference in New Issue
Block a user