This commit is contained in:
shankar0123
2026-05-05 18:18:29 +00:00
parent 7c5cc57d75
commit 75097909e9
71 changed files with 95 additions and 771 deletions
+1 -1
@@ -167,7 +167,7 @@ func (h ACMEHandler) NewNonce(w http.ResponseWriter, r *http.Request) {
func (h ACMEHandler) directoryBaseURL(r *http.Request, profileID string) string {
scheme := "https"
if r.TLS == nil {
// HTTPS-only architecture decision (CLAUDE.md): the listener
// HTTPS-only architecture decision: the listener
// is TLS 1.3 pinned. r.TLS == nil only happens in tests with
// httptest.NewServer (non-TLS); honor http: for those.
scheme = "http"
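Review bot: The rewritten comment still asserts that r.TLS == nil only happens in tests, but nothing in the hunk enforces that, and the branch quietly emits an http: scheme for every directory URL whenever the request did not arrive over TLS; if the service were ever placed behind a TLS-terminating reverse proxy, the ACME directory would advertise plaintext endpoints. Since this is a doc-only commit, the least intrusive fix is to make the dependency explicit in the comment, e.g. `// NOTE: relies on the production listener terminating TLS itself; revisit if a TLS-terminating proxy is ever put in front of this handler.` directoryBaseURL's body continues outside the hunk, so whether a stricter guard exists there cannot be seen here.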
+1 -1
@@ -17,7 +17,7 @@ import (
// service-side and the handler stays test-friendly.
//
// SCEP RFC 8894 + Intune master bundle Phase 9.1, extended in the
// Phase 9 follow-up (cowork/scep-gui-restructure-prompt.md) with
// Phase 9 follow-up (the project's SCEP GUI restructure spec) with
// Profiles for the per-profile SCEP Administration tab.
type AdminSCEPIntuneService interface {
// Stats returns one snapshot per configured SCEP profile (Intune-
+1 -1
@@ -90,7 +90,7 @@ type VaultRenewalSnapshotter interface {
// (here).
//
// Rank 4 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5).
// (the project's deep-research deliverable, Part 5).
type ExpiryAlertSnapshotter interface {
// SnapshotExpiryAlerts returns one entry per non-zero counter,
// pre-sorted by (channel, threshold, result) so the Prometheus
+1 -1
@@ -286,7 +286,7 @@ func TestSCEPHandler_ChromeOSPKIMessage_AESVariants(t *testing.T) {
}
// TestSCEPHandler_ChromeOSPKIMessage_RAKeyMismatch — closure-bundle
// gap M-1 / acceptance D.1 (cowork/scep-bundle-gap-closure-prompt.md).
// gap M-1 / acceptance D.1 (the project's SCEP gap-closure spec).
// Build a PKIMessage encrypted to a freshly-generated RA cert whose
// matching private key the server does NOT have. The handler MUST
// reject (RFC 8894 path can't decrypt → falls through; MVP path can't
+1 -1
@@ -614,7 +614,7 @@ func TestSCEPIntuneEnrollment_RateLimited_E2E(t *testing.T) {
// race with t.Parallel(), and signal.Notify is global). The SIGHUP
// goroutine's only job is to call Reload, so calling Reload directly is
// the equivalent contract — and stable in tests. Phase B frozen
// decision #3 in cowork/scep-bundle-gap-closure-prompt.md.
// decision #3 in the project's SCEP gap-closure spec.
func TestSCEPIntuneEnrollment_TrustAnchorSIGHUPReload_E2E(t *testing.T) {
fix := newIntuneE2EFixture(t)
now := time.Now()
+1 -1
@@ -357,7 +357,7 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) {
// the handler (M-003 pattern); non-admin callers get 403.
r.Register("GET /api/v1/admin/crl/cache", http.HandlerFunc(reg.AdminCRLCache.ListCache))
// SCEP RFC 8894 + Intune master bundle Phase 9.2 + Phase 9 follow-up
// (cowork/scep-gui-restructure-prompt.md). All three endpoints are
// (the project's SCEP GUI restructure spec). All three endpoints are
// admin-gated at the handler layer; the M-008 regression scanner pins
// the gate set and TestM008_AdminGatedHandlers_HaveTripletTests
// enforces the per-handler test triplet.
@@ -309,7 +309,7 @@ func TestGoogleCAS_Issue_RegionalAPIUnavailable_RetryableSurface(t *testing.T) {
// (We deliberately do NOT exercise the service-layer audit-row
// rollback here — that's an integration test owned by
// internal/service/revocation_svc_test.go. Mixing concerns would
// re-introduce the exact "lying field" footgun CLAUDE.md warns
// re-introduce the exact "lying field" footgun the project guidelines warn
// against. The adapter contract is the single thing under test.)
func TestGoogleCAS_Revoke_PermissionDenied_DoesNotSilentlySwallow(t *testing.T) {
ctx := context.Background()
+1 -1
@@ -16,7 +16,7 @@
// snapshot bytes to restore the previous cert. Mirrors the Bundle 5+
// pre-deploy-snapshot + on-failure-restore pattern from IIS / WinCertStore /
// JavaKeystore. Rank 5 of the 2026-05-03 Infisical deep-research
// deliverable (cowork/infisical-deep-research-results.md Part 5).
// deliverable (the project's deep-research deliverable, Part 5).
//
// IAM permissions required:
//
@@ -1,7 +1,7 @@
package awsacm_test
// Rank 5 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). Per-error-class
// (the project's deep-research deliverable, Part 5). Per-error-class
// failure tests for the AWS ACM target connector — mirrors the
// awsacmpca_failure_test.go shape (commit 60dce0b) on the issuer side.
//
@@ -1,7 +1,7 @@
package awsacm_test
// Rank 5 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). Happy-path table-
// (the project's deep-research deliverable, Part 5). Happy-path table-
// driven tests for the AWS ACM target connector. Mirrors the
// k8ssecret_test.go ergonomics + the Bundle 5+ atomic-rollback
// assertions from IIS / WinCertStore / JavaKeystore.
+1 -1
@@ -27,7 +27,7 @@
// permission which we deliberately keep off the minimum-RBAC surface.
//
// Rank 5 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5).
// (the project's deep-research deliverable, Part 5).
//
// Required Azure RBAC (minimum):
//
@@ -1,7 +1,7 @@
package azurekv_test
// Rank 5 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). Happy-path tests
// (the project's deep-research deliverable, Part 5). Happy-path tests
// for the Azure Key Vault target connector. Mirrors the awsacm_test.go
// shape so cross-cloud regressions are bisectable side-by-side.
+1 -1
@@ -24,7 +24,7 @@ import (
// rename-race correctness.
//
// All 12 are required by the prompt at
// cowork/deploy-hardening-i-prompt.md::"Test plan (Phase 1
// the project's deploy-hardening I spec::"Test plan (Phase 1
// ships ≥95% coverage on the new package)".
//
// The tests run in non-root environments — they do NOT exercise
+1 -1
@@ -17,7 +17,7 @@ import "time"
// durable record of who approved + why.
//
// Rank 7 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). Closes the
// (the project's deep-research deliverable, Part 5). Closes the
// "two-person integrity / four-eyes principle" procurement gap for
// PCI-DSS Level 1, FedRAMP Moderate / High, and SOC 2 Type II
// customers.
+1 -1
@@ -125,7 +125,7 @@ type RenewalPolicy struct {
// grow Prometheus cardinality on a typo).
//
// Rank 4 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5).
// (the project's deep-research deliverable, Part 5).
AlertChannels map[string][]string `json:"alert_channels,omitempty"`
// AlertSeverityMap maps each threshold-day value to its severity
+1 -1
@@ -228,7 +228,7 @@ const (
// (ACM) — the public AWS service that ALB / CloudFront / API
// Gateway / App Runner consume by ARN. Rank 5 of the 2026-05-03
// Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). See
// (the project's deep-research deliverable, Part 5). See
// docs/connectors.md "AWS Certificate Manager" section for the
// operator playbook including minimum IAM policy + atomic-rollback
// contract.
+1 -1
@@ -20,7 +20,7 @@ import (
// of the system control these — M-005).
//
// An attacker who plants "ignore previous instructions" inside any of
// those fields can steer LLM consumers (Claude, Cursor, custom agents)
// those fields can steer LLM consumers (any MCP-compatible AI client)
// of the certctl MCP server. certctl's own MCP server cannot prevent
// the LLM consumer from honoring such injection on its own — but it
// CAN make the trust boundary explicit so consumers that fence
+1 -1
@@ -1260,7 +1260,7 @@ func registerHealthTools(s *gomcp.Server, c *Client) {
// I-2 closure (cat-i-b0924b6675f8): pre-I-2 the README claimed "all
// API endpoints are exposed via MCP" but the discovered-certificate
// lifecycle (claim + dismiss) was never wrapped — operators using
// MCP clients (Claude, Cursor, etc.) had no path to bring an
// MCP clients had no path to bring an
// out-of-band cert under management or to mark a benign discovery
// as not-of-interest without dropping to the REST API directly.
// These two tools wrap the existing HTTP handlers
+1 -1
@@ -6,7 +6,7 @@ import "testing"
//
// SCEP RFC 8894 + Intune master bundle Phase 2.5: every parser certctl
// adds gets a Fuzz target in the same package (the fuzz-target-ownership
// rule from cowork/CLAUDE.md::Operating Rules). The point isn't to find
// per the project's operating rules). The point isn't to find
// vulnerabilities (the parser uses stdlib encoding/asn1 which is itself
// fuzzed upstream) — it's to prove that arbitrary attacker-controlled
// bytes cannot panic the SCEP server. Any panic = an availability bug.
+1 -1
@@ -1112,7 +1112,7 @@ func (s *Scheduler) runCRLGeneration(ctx context.Context) {
var ErrSchedulerShutdownTimeout = errors.New("scheduler graceful shutdown timeout")
// acmeGCLoop runs every acmeGCInterval and invokes ACMEGarbageCollector.
// Per CLAUDE.md "Scheduler idempotency" architecture decision: an
// Per the project's scheduler-idempotency architecture decision: an
// atomic.Bool guard prevents concurrent tick execution; the
// sync.WaitGroup tracks the in-flight goroutine for graceful shutdown.
// Phase 5.
+2 -2
@@ -1039,7 +1039,7 @@ type FinalizeOrderResult struct {
//
// The window between Step B and Step C can leave a managed_certificates
// row whose order is still in `processing`. Phase 5's GC scheduler
// reconciles. Documented in cowork/acme-server-prompts/03-... + the
// reconciles. Documented in the project's ACME-server design notes + the
// service file's design notes.
func (s *ACMEService) FinalizeOrder(
ctx context.Context,
@@ -1293,7 +1293,7 @@ func randIDSuffix() string {
// base32encode emits the lowercase Crockford-style base32 alphabet
// without padding. Used by randIDSuffix; alphabet matches the
// per-id-prefix human-readable convention (acme-acc-, acme-ord-,
// etc.) — see CLAUDE.md "TEXT primary keys with human-readable
// etc.) — see the project's "TEXT primary keys with human-readable
// prefixes" architecture decision.
func base32encode(b []byte) string {
const alpha = "0123456789abcdefghjkmnpqrstvwxyz"
+1 -1
@@ -9,7 +9,7 @@ import (
// ExpiryAlertMetrics is a thread-safe counter table for the per-policy
// multi-channel expiry-alert dispatch path. Rank 4 of the 2026-05-03
// Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). Closes the
// (the project's deep-research deliverable, Part 5). Closes the
// procurement-checklist gap where a customer who configured PagerDuty
// for cert-expiry pages got silent nothing — ExpirationWarning shipped
// only to Email pre-fix.
+1 -1
@@ -324,7 +324,7 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
// team get paged?".
//
// Rank 4 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). The policy
// (the project's deep-research deliverable, Part 5). The policy
// argument is nil-safe — a cert with no RenewalPolicy attached gets the
// back-compat Email-only default matrix.
func (s *RenewalService) sendThresholdAlerts(
@@ -1,7 +1,7 @@
package service
// Rank 4 of the 2026-05-03 Infisical deep-research deliverable
// (cowork/infisical-deep-research-results.md Part 5). Pins every leg of
// (the project's deep-research deliverable, Part 5). Pins every leg of
// the per-policy multi-channel expiry-alert fan-out matrix:
//
// 1. Default matrix → Email-only at every tier (back-compat).
+2 -2
@@ -57,7 +57,7 @@ type SCEPService struct {
// Per-profile metadata surfaced by the new /admin/scep/profiles
// endpoint. SCEP RFC 8894 + Intune master bundle Phase 9 follow-up
// (cowork/scep-gui-restructure-prompt.md). All fields are nil/zero
// (the project's SCEP GUI restructure spec). All fields are nil/zero
// when the operator runs without Intune AND without mTLS — we still
// surface the always-present challenge-password-set + RA cert
// expiry on the Profiles tab for those.
@@ -292,7 +292,7 @@ func (s *SCEPService) SetMTLSConfig(enabled bool, bundlePath string) {
// compatibility for the Phase 9 admin contract.
//
// SCEP RFC 8894 + Intune master bundle Phase 9 follow-up
// (cowork/scep-gui-restructure-prompt.md).
// (the project's SCEP GUI restructure spec).
type SCEPProfileStatsSnapshot struct {
// Always-present per-profile fields.
PathID string `json:"path_id"`
+1 -1
@@ -16,7 +16,7 @@ import (
// ErrAgentNotFound is returned by [TargetService.CreateTarget] when the caller
// references an agent_id that is empty or does not correspond to a registered
// agent. The handler layer maps this to HTTP 400 via [errors.Is]. See C-002 in
// cowork/certctl-coverage-gap-audit.md — this sentinel replaces a silent
// the project's coverage-gap audit — this sentinel replaces a silent
// Postgres FK violation (23503 → HTTP 500) with a deterministic 400.
var ErrAgentNotFound = errors.New("referenced agent does not exist")