legal: addlicense headers + normalize legacy variants (Phase 0 RED-4)

Phase 0 closure (Path B2, post-rewrite): addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1 SPDX header to every production Go file. Template: // Copyright 2026 certctl LLC. All rights reserved. // SPDX-License-Identifier: BUSL-1.1 Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding *_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%); post-sweep is 338 / 338 (100%). Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl` + `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a `Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1` is non-standard; the official SPDX identifier for Business Source License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the canonical form. Generated via: addlicense -c "certctl LLC" -y 2026 \ -f cowork/legal/copyright-header.tpl \ -ignore '**/testdata/**' -ignore '**/*_test.go' \ cmd/ internal/ Verification: find cmd internal -name '*.go' -not -name '*_test.go' \ -not -path '*/testdata/*' \ -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l Returns: 0 gofmt clean. Header additions are comments only, no compile impact. Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4
2026-06-07 15:01:32 +00:00 · 2026-05-13 21:23:35 +00:00
parent 8c0c8aa69d
commit 21aeed4f4e
338 changed files with 992 additions and 45 deletions
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package awssm implements the domain.DiscoverySource interface for AWS Secrets Manager.
 //
 // AWS Secrets Manager is a managed service for storing and managing secrets including
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package azurekv implements the domain.DiscoverySource interface for
 // Azure Key Vault certificate discovery.
 //
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package gcpsm implements the domain.DiscoverySource interface for GCP Secret Manager.
 //
 // GCP Secret Manager is a Google Cloud service for securely storing and managing secrets,
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package acme

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package acme

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package acme

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package acme

 import (
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
-// SPDX-License-Identifier: BSL-1.1
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1

 // Package asyncpoll provides bounded polling for async-CA issuer
 // connectors (DigiCert, Sectigo, Entrust, GlobalSign).
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package awsacmpca implements the issuer.Connector interface for AWS Certificate Manager Private CA (ACM PCA).
 //
 // AWS ACM Private CA provides a fully managed private certificate authority
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package digicert implements the issuer.Connector interface for DigiCert CertCentral.
 //
 // DigiCert CertCentral is an enterprise certificate authority offering DV, OV, and EV
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package ejbca implements the issuer.Connector interface for EJBCA (Keyfactor).
 //
 // EJBCA is an open-source and enterprise certificate authority platform.
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package entrust implements the issuer.Connector interface for Entrust Certificate Services.
 //
 // Entrust Certificate Services provides enterprise certificate authority offerings via
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package issuer

 // Factory has been moved to internal/connector/issuerfactory to avoid import cycles.
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package globalsign implements the issuer.Connector interface for GlobalSign Atlas HVCA.
 //
 // GlobalSign Atlas HVCA (Hosted Validation CA) is an enterprise certificate authority
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package googlecas implements the issuer.Connector interface for
 // Google Cloud Certificate Authority Service (CAS).
 //
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package issuer

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package issuer

 import "context"
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package local

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package local

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Bundle-9 / Audit L-014 (Document the CA-key-in-process threat model):
 //
 // The local CA holds its private key in this process's heap (c.caSigner
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package local

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package mtlscache caches a parsed mTLS keypair plus a precomputed
 // *http.Transport across API calls in connectors that authenticate via
 // client certificates. RefreshIfStale stats the cert file on the
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package openssl implements the issuer.Connector interface for custom CA integrations.
 //
 // This connector delegates certificate signing to user-provided scripts/commands.
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package sectigo implements the issuer.Connector interface for Sectigo Certificate Manager (SCM).
 //
 // Sectigo Certificate Manager is an enterprise certificate authority offering DV, OV, and EV
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package stepca — JWE decryption for step-ca provisioner keys.
 //
 // step-ca stores provisioner private keys as JWE-encrypted JSON files using:
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package stepca implements the issuer.Connector interface for Smallstep step-ca
 // private certificate authority.
 //
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package vault implements the issuer.Connector interface for HashiCorp Vault PKI
 // secrets engine.
 //
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package vault

 // Top-10 fix #5 of the 2026-05-03 issuer-coverage audit. Pre-fix,
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package issuerfactory

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package email

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package email

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package notifier

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package opsgenie

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package pagerduty

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package slack

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package teams

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package webhook

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package apache implements the Apache httpd target connector.
 // As of the deploy-hardening I master bundle Phase 5, Apache
 // follows the canonical pattern established by NGINX (Phase 4):
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package awsacm implements a target.Connector for deploying certificates to
 // AWS Certificate Manager (ACM). ACM is the public AWS service for storing
 // TLS certificates that AWS-managed TLS-termination endpoints (Application
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package azurekv implements a target.Connector for deploying certificates
 // to Azure Key Vault. Key Vault is the Azure-managed secret/certificate
 // store that App Service / Application Gateway / Front Door / Container
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package azurekv

 // sdk_client.go isolates the imports of github.com/Azure/azure-sdk-for-go/
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package caddy

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package caddy

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package certutil provides shared certificate utility functions for target connectors.
 // These functions handle PEM/PFX conversion, key parsing, thumbprint computation,
 // and random password generation. Extracted from the IIS connector (M39) to enable
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package configcheck provides server-side syntactic validation of target
 // connector configurations.
 //
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package envoy

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package envoy

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package f5

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package f5

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package haproxy implements the HAProxy target connector.
 //
 // HAProxy expects all TLS material concatenated in a single PEM
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package iis

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package iis

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package iis

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package target

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package javakeystore implements a target connector for deploying certificates
 // to Java KeyStores (JKS/PKCS#12) via the keytool CLI. This enables TLS cert
 // deployment for Tomcat, Jetty, Kafka, Elasticsearch, and any JVM-based service
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package javakeystore

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package k8ssecret implements a target.Connector for deploying certificates to Kubernetes Secrets.
 // This enables the "proxy agent" pattern — a certctl agent running in a Kubernetes cluster
 // (or outside with kubeconfig access) can deploy certificates as kubernetes.io/tls Secrets.
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package k8ssecret

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package nginx

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package nginx implements the NGINX target connector. As of the
 // deploy-hardening I master bundle Phase 4 (the canonical
 // implementation that Phases 5-9 model on), NGINX is the first
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package postfix implements the Postfix + Dovecot mail-server
 // target connector. As of the deploy-hardening I master bundle
 // Phase 7, both modes follow the canonical NGINX template:
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package ssh implements a target.Connector for agentless certificate deployment
 // via SSH/SFTP. This enables the "proxy agent" pattern — a certctl agent in the
 // same network zone deploys certificates to remote servers without requiring the
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package ssh

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package traefik implements the Traefik file-provider target
 // connector. Bundle 4 of the 2026-05-02 deployment-target audit:
 // upgraded from two separate deploy.AtomicWriteFile calls (cert,
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package wincertstore

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package wincertstore implements a target connector for deploying certificates
 // to the Windows Certificate Store via PowerShell. Unlike the IIS connector,
 // this connector only imports certificates into the store — it does not manage