legal: addlicense headers + normalize legacy variants (Phase 0 RED-4)

Phase 0 closure (Path B2, post-rewrite): addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1 SPDX header to every production Go file. Template: // Copyright 2026 certctl LLC. All rights reserved. // SPDX-License-Identifier: BUSL-1.1 Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding *_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%); post-sweep is 338 / 338 (100%). Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl` + `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a `Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1` is non-standard; the official SPDX identifier for Business Source License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the canonical form. Generated via: addlicense -c "certctl LLC" -y 2026 \ -f cowork/legal/copyright-header.tpl \ -ignore '**/testdata/**' -ignore '**/*_test.go' \ cmd/ internal/ Verification: find cmd internal -name '*.go' -not -name '*_test.go' \ -not -path '*/testdata/*' \ -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l Returns: 0 gofmt clean. Header additions are comments only, no compile impact. Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4
2026-06-12 20:59:00 +00:00 · 2026-05-13 21:23:35 +00:00
parent 8c0c8aa69d
commit 21aeed4f4e
338 changed files with 992 additions and 45 deletions
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package apache implements the Apache httpd target connector.
 // As of the deploy-hardening I master bundle Phase 5, Apache
 // follows the canonical pattern established by NGINX (Phase 4):
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package awsacm implements a target.Connector for deploying certificates to
 // AWS Certificate Manager (ACM). ACM is the public AWS service for storing
 // TLS certificates that AWS-managed TLS-termination endpoints (Application
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package azurekv implements a target.Connector for deploying certificates
 // to Azure Key Vault. Key Vault is the Azure-managed secret/certificate
 // store that App Service / Application Gateway / Front Door / Container
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package azurekv

 // sdk_client.go isolates the imports of github.com/Azure/azure-sdk-for-go/
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package caddy

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package caddy

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package certutil provides shared certificate utility functions for target connectors.
 // These functions handle PEM/PFX conversion, key parsing, thumbprint computation,
 // and random password generation. Extracted from the IIS connector (M39) to enable
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package configcheck provides server-side syntactic validation of target
 // connector configurations.
 //
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package envoy

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package envoy

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package f5

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package f5

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package haproxy implements the HAProxy target connector.
 //
 // HAProxy expects all TLS material concatenated in a single PEM
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package iis

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package iis

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package iis

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package target

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package javakeystore implements a target connector for deploying certificates
 // to Java KeyStores (JKS/PKCS#12) via the keytool CLI. This enables TLS cert
 // deployment for Tomcat, Jetty, Kafka, Elasticsearch, and any JVM-based service
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package javakeystore

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package k8ssecret implements a target.Connector for deploying certificates to Kubernetes Secrets.
 // This enables the "proxy agent" pattern — a certctl agent running in a Kubernetes cluster
 // (or outside with kubeconfig access) can deploy certificates as kubernetes.io/tls Secrets.
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package k8ssecret

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package nginx

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package nginx implements the NGINX target connector. As of the
 // deploy-hardening I master bundle Phase 4 (the canonical
 // implementation that Phases 5-9 model on), NGINX is the first
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package postfix implements the Postfix + Dovecot mail-server
 // target connector. As of the deploy-hardening I master bundle
 // Phase 7, both modes follow the canonical NGINX template:
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package ssh implements a target.Connector for agentless certificate deployment
 // via SSH/SFTP. This enables the "proxy agent" pattern — a certctl agent in the
 // same network zone deploys certificates to remote servers without requiring the
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package ssh

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package traefik implements the Traefik file-provider target
 // connector. Bundle 4 of the 2026-05-02 deployment-target audit:
 // upgraded from two separate deploy.AtomicWriteFile calls (cert,
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 package wincertstore

 import (
@@ -1,3 +1,6 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+
 // Package wincertstore implements a target connector for deploying certificates
 // to the Windows Certificate Store via PowerShell. Unlike the IIS connector,
 // this connector only imports certificates into the store — it does not manage