ci: fix Rank 7 lint + openapi-handler-parity drift on master

Two CI failures from the Rank 7 chain push (#438): Go Build & Test — staticcheck ST1021: internal/service/approval_metrics.go:97 comment for ApprovalDecisionEntry doesn't start with the type name internal/service/approval_metrics.go:130 comment for ApprovalPendingAgeSnapshot doesn't start with the type name Frontend Build — scripts/ci-guards/openapi-handler-parity.sh: 4 router routes have no OpenAPI operationId: GET /api/v1/approvals GET /api/v1/approvals/{id} POST /api/v1/approvals/{id}/approve POST /api/v1/approvals/{id}/reject The Rank 7 commit-3 spec deferred OpenAPI extension to commit 4 with a 'batched alongside the integration changes' note; commit 4 didn't actually add them. This commit closes that gap. Fixes: approval_metrics.go — split the doc comment that was attached to SnapshotApprovalDecisions (the function) but visually preceded ApprovalDecisionEntry (the type), so the type appeared to staticcheck as having a comment that named the function instead of the type. Same fix on ApprovalPendingAgeSnapshot. Now each exported type has its own type-name-leading comment per Go convention. api/openapi.yaml — added 4 new operationIds (listApprovalRequests, getApprovalRequest, approveApprovalRequest, rejectApprovalRequest) + new ApprovalRequest schema component under components/schemas. Inline 401 response (the Unauthorized component does not exist in this spec; the canonical pattern in the rest of the file is inline 'description: Authentication required'). The two-person integrity contract surface is documented in the description of the approve / reject endpoints so external readers see the RBAC contract from the spec alone. Verified locally: go vet ./internal/service/...: exit 0. scripts/ci-guards/openapi-handler-parity.sh: clean (140 ops vs 174 routes, 36 documented exceptions). Third CI failure (image-and-supply-chain) was a transient apt-fetch 'Connection reset by peer' from deb.debian.org while pulling libasan6_10.2.1-6_amd64.deb. Not a code issue; just re-run the workflow. No code change needed.
2026-06-07 13:51:36 +00:00 · 2026-05-04 01:35:30 +00:00
parent b601928e1c
commit 31e50d987f
2 changed files with 227 additions and 6 deletions
@@ -94,15 +94,19 @@ func (m *ApprovalMetrics) ObservePendingAge(seconds float64) {
 	m.pendingAgeHist.observe(seconds)
 }

-// SnapshotApprovalDecisions returns the current decision counter table
-// as a sorted slice for deterministic Prometheus exposition. Sort key
-// is (outcome, profile_id).
+// ApprovalDecisionEntry is a single row of the SnapshotApprovalDecisions
+// output — the (outcome, profile_id) tuple plus the cumulative count.
+// Used by the Prometheus exposer to emit
+// certctl_approval_decisions_total{outcome,profile_id} samples.
 type ApprovalDecisionEntry struct {
 	Outcome   string
 	ProfileID string
 	Count     uint64
 }

+// SnapshotApprovalDecisions returns the current decision counter table
+// as a sorted slice for deterministic Prometheus exposition. Sort key
+// is (outcome, profile_id).
 func (m *ApprovalMetrics) SnapshotApprovalDecisions() []ApprovalDecisionEntry {
 	if m == nil {
 		return nil
@@ -127,9 +131,10 @@ func (m *ApprovalMetrics) SnapshotApprovalDecisions() []ApprovalDecisionEntry {
 	return out
 }

-// SnapshotApprovalPendingAgeHistogram returns the current bucket counts
-// + sum + total count for the pending-age histogram. Format suits the
-// Prometheus histogram exposition (le buckets + _sum + _count).
+// ApprovalPendingAgeSnapshot is the snapshot output of
+// SnapshotApprovalPendingAgeHistogram — bucket bounds + cumulative
+// counts + sum + total count. Format suits the Prometheus histogram
+// exposition (le buckets + _sum + _count).
 type ApprovalPendingAgeSnapshot struct {
 	BucketBounds []float64 // [60, 300, 1800, 3600, 21600, 86400] — exclusive of +Inf
 	BucketCounts []uint64  // cumulative counts per bucket; len = len(BucketBounds) + 1 (last is +Inf)