legal: addlicense headers + normalize legacy variants (Phase 0 RED-4)

Phase 0 closure (Path B2, post-rewrite): addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1 SPDX header to every production Go file. Template: // Copyright 2026 certctl LLC. All rights reserved. // SPDX-License-Identifier: BUSL-1.1 Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding *_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%); post-sweep is 338 / 338 (100%). Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl` + `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a `Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1` is non-standard; the official SPDX identifier for Business Source License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the canonical form. Generated via: addlicense -c "certctl LLC" -y 2026 \ -f cowork/legal/copyright-header.tpl \ -ignore '**/testdata/**' -ignore '**/*_test.go' \ cmd/ internal/ Verification: find cmd internal -name '*.go' -not -name '*_test.go' \ -not -path '*/testdata/*' \ -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l Returns: 0 gofmt clean. Header additions are comments only, no compile impact. Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4
2026-06-07 12:21:31 +00:00 · 2026-05-13 21:23:35 +00:00
parent 8c0c8aa69d
commit 21aeed4f4e
338 changed files with 992 additions and 45 deletions
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package main
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package main
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package main
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package main
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package main
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package main
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package main
 import (
@@ -1,4 +1,5 @@
-// Copyright (c) certctl-io contributors.
+// Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 //
 // Audit 2026-05-11 A-8 — demo-mode residual-grants detector. Closes the
 // deferred Phase 2 leg of HIGH-12 (cowork/auth-bundles-fixes-2026-05-10/
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package main
 import (
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
+// Copyright 2026 certctl LLC. All rights reserved.
-// SPDX-License-Identifier: BSL-1.1
+// SPDX-License-Identifier: BUSL-1.1
 package acme
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
+// Copyright 2026 certctl LLC. All rights reserved.
-// SPDX-License-Identifier: BSL-1.1
+// SPDX-License-Identifier: BUSL-1.1
 package acme
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
+// Copyright 2026 certctl LLC. All rights reserved.
-// SPDX-License-Identifier: BSL-1.1
+// SPDX-License-Identifier: BUSL-1.1
 package acme
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
+// Copyright 2026 certctl LLC. All rights reserved.
-// SPDX-License-Identifier: BSL-1.1
+// SPDX-License-Identifier: BUSL-1.1
 // Package acme implements the ACME server-side protocol surface (RFC 8555
 // + RFC 9773 ARI). It is deliberately separate from
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
+// Copyright 2026 certctl LLC. All rights reserved.
-// SPDX-License-Identifier: BSL-1.1
+// SPDX-License-Identifier: BUSL-1.1
 package acme
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
+// Copyright 2026 certctl LLC. All rights reserved.
-// SPDX-License-Identifier: BSL-1.1
+// SPDX-License-Identifier: BUSL-1.1
 package acme
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
+// Copyright 2026 certctl LLC. All rights reserved.
-// SPDX-License-Identifier: BSL-1.1
+// SPDX-License-Identifier: BUSL-1.1
 package acme
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
+// Copyright 2026 certctl LLC. All rights reserved.
-// SPDX-License-Identifier: BSL-1.1
+// SPDX-License-Identifier: BUSL-1.1
 package acme
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
+// Copyright 2026 certctl LLC. All rights reserved.
-// SPDX-License-Identifier: BSL-1.1
+// SPDX-License-Identifier: BUSL-1.1
 package acme
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
+// Copyright 2026 certctl LLC. All rights reserved.
-// SPDX-License-Identifier: BSL-1.1
+// SPDX-License-Identifier: BUSL-1.1
 package acme
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
+// Copyright 2026 certctl LLC. All rights reserved.
-// SPDX-License-Identifier: BSL-1.1
+// SPDX-License-Identifier: BUSL-1.1
 package acme
@@ -1,5 +1,5 @@
-// Copyright (c) certctl
+// Copyright 2026 certctl LLC. All rights reserved.
-// SPDX-License-Identifier: BSL-1.1
+// SPDX-License-Identifier: BUSL-1.1
 package handler
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package handler — Auth Bundle 2 Phase 7.5 / break-glass admin HTTP surface.
 //
 // 4 endpoints across two access levels:
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package handler — Auth Bundle 2 Phase 5 / OIDC + session HTTP surface.
 //
 // 13 endpoints split into three logical groups:
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 // Audit 2026-05-10 MED-11 closure — federated-user admin surface.
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import "time"
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package handler
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package middleware
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package middleware
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package middleware
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package middleware
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package router
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package auth
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package bootstrap ships the day-0 admin-creation primitive for Bundle 1
 // Phase 6. The control plane comes up with no admin-roled actors; the
 // operator hands the env-var token to a single curl call; the server
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package bootstrap
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package domain holds the break-glass-admin persisted-shape type.
 //
 // Auth Bundle 2 Phase 1 / Phase 7.5: types only. Phase 2 ships the
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package breakglass — Auth Bundle 2 Phase 7.5 / break-glass admin service.
 //
 // Decision 4: operator-toggleable local-password admin for the SSO-broken
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package auth holds the certctl auth surface: API-key validation, the
 // authenticated-actor context keys, and the helpers that consumers across
 // the codebase use to read the actor identity (rate limiter, audit
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package auth
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package auth
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package oidc — Auth Bundle 2 Phase 7 / OIDC bootstrap hook.
 //
 // Phase 7 ships the "first OIDC login matching CERTCTL_BOOTSTRAP_ADMIN_GROUPS
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package oidc is the Bundle 2 OpenID Connect integration: server-side
 // validation of ID tokens issued by an enterprise IdP (Okta / Azure AD /
 // Google Workspace / Keycloak / Authentik / Auth0), JWKS rotation,
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package domain holds the OIDC integration's persisted-shape types.
 //
 // Auth Bundle 2 Phase 1: types only, no service or repository wiring.
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package groupclaim resolves the operator-configured `groups_claim_path`
 // against an ID token's parsed claims, returning the user's group
 // membership as a `[]string`.
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package oidc — Bundle 2 Phase 5 / pre-login cookie machinery.
 //
 // This file implements the production-side PreLoginStore that the
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package oidc
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package oidc
 // Audit 2026-05-10 MED-5 closure — dry-run validator for OIDC provider
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 //go:build integration
 // Package testfixtures provides Bundle 2 Phase 10 multi-IdP integration
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package auth
 import "strings"
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package auth
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package domain holds the session-management persisted-shape types.
 //
 // Auth Bundle 2 Phase 1: types only. Phase 2 ships the SQL migration;
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package session — Auth Bundle 2 Phase 6 / session + CSRF middleware.
 //
 // This file ships the HTTP middleware that wires the post-login session
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package session implements the post-login session lifecycle for
 // Auth Bundle 2 Phase 4: cookie minting + signature validation +
 // idle/absolute expiry + revocation + signing-key rotation + GC.
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package auth
 import "context"
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package domain holds the federated-human user persisted-shape type.
 //
 // Auth Bundle 2 Phase 1: types only. Phase 2 ships the SQL migration;
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package ciparity hosts cross-surface contract-parity tests.
 //
 // Per post-v2.1.0 anti-rot item 2 (Auditable Codebase Bundle), this
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package cli
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package cli
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package cli
 import (
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package cli
 // EST RFC 7030 hardening master bundle Phase 9.1 — CLI subcommands.
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 // Package cms implements the small subset of CMS / RFC 7030 / RFC 9266
 // helpers that the EST handler needs at request-time: extracting the
 // RFC 9266 tls-exporter from a *tls.ConnectionState, and pulling the
@@ -1,3 +1,6 @@
 // Copyright 2026 certctl LLC. All rights reserved.
 // SPDX-License-Identifier: BUSL-1.1
 package config
 import (
--- a/Show More
+++ b/Show More