Merge branch 'fix/p1-master-orphan-client-fn-sweep' (P-1 master, 2 audit findings)

.github/workflows/ci.yml

@@ -656,6 +656,38 @@ jobs:
           fi
           echo "S-1 stale-counts guardrail: clean."
 
+      - name: Documented orphan client fns sync guard (P-1)
+        # P-1 master closed diff-04x03-d24864996ad4 + cat-b-dc46aadab98e
+        # by documenting 17 detail-page-candidate orphan client.ts
+        # functions in a docblock at the top of web/src/api/client.ts.
+        # This step verifies the docblock list ↔ export list relationship:
+        # every name listed in the docblock must still be declared as
+        # an export below it (catches drift where someone deletes the
+        # export but forgets the docblock, or vice versa).
+        #
+        # See coverage-gap-audit-2026-04-24-v5/unified-audit.md
+        # diff-04x03-d24864996ad4 + cat-b-dc46aadab98e for closure rationale.
+        run: |
+          set -e
+          DOCUMENTED='getAgentGroup getAgentGroupMembers getAuditEvent getCertificateDeployments getDiscoveredCertificate getHealthCheck getHealthCheckHistory getNetworkScanTarget getNotification getOCSPStatus getOwner getPolicy getPolicyViolations getRenewalPolicy getTeam registerAgent updateHealthCheck'
+          MISSING=""
+          for fn in $DOCUMENTED; do
+            if ! grep -qE "^export const ${fn}\b" web/src/api/client.ts; then
+              MISSING="${MISSING}${fn} "
+            fi
+          done
+          if [ -n "$MISSING" ]; then
+            echo "P-1 regression: documented orphan(s) missing from client.ts exports:"
+            echo "  $MISSING"
+            echo ""
+            echo "Either restore the export, or delete the corresponding line"
+            echo "in the documented-orphans docblock at the top of client.ts."
+            echo "See coverage-gap-audit-2026-04-24-v5/unified-audit.md"
+            echo "diff-04x03-d24864996ad4 for closure rationale."
+            exit 1
+          fi
+          echo "P-1 documented-orphans sync guard: clean ($(echo $DOCUMENTED | wc -w) fns verified)."
+
       - name: Forbidden env-var docs drift regression guard (G-3)
         # G-3 master closed cat-g-163dae19bc59 (docs-only env vars
         # phantom in features.md), cat-g-b8f8f8796159 (6 config-only

web/src/api/client.ts

@@ -2,6 +2,35 @@ import type { Certificate, CertificateVersion, Agent, Job, Notification, AuditEv
 
 const BASE = '/api/v1';
 
+// P-1 closure (diff-04x03-d24864996ad4 P2 + cat-b-dc46aadab98e P3):
+// the audit flagged 26+16 orphan client functions. Recon at HEAD
+// found 17 actual orphans (the 26+16 audit numbers conflated; many
+// were eliminated by the B-1 / S-1 / I-2 / D-2 closures since the
+// audit was written). The remaining 17 are all detail-page
+// candidates — singleton-getter `getX(id)` fns that detail pages
+// will need when the corresponding `XPage` grows a `XDetailPage`
+// route. Preserved here (rather than deleted) so the future
+// detail-page work doesn't have to relitigate the client.ts surface.
+//
+// Intentionally-orphan client functions:
+//   getAgentGroup, getAgentGroupMembers, getAuditEvent,
+//   getCertificateDeployments, getDiscoveredCertificate,
+//   getHealthCheck, getHealthCheckHistory, getNetworkScanTarget,
+//   getNotification, getOCSPStatus, getOwner, getPolicy,
+//   getPolicyViolations, getRenewalPolicy, getTeam, registerAgent
+//   (by-design pull-only; see C-1 closure docblock above its export),
+//   updateHealthCheck.
+//
+// CI guardrail at .github/workflows/ci.yml::"Documented orphan
+// client fns sync guard (P-1)" enforces the docblock list ↔
+// export list relationship: every name above must still be
+// declared somewhere in this file, and conversely if a name is
+// removed from the list its export must also be removed (orphans
+// must never silently accumulate).
+//
+// See coverage-gap-audit-2026-04-24-v5/unified-audit.md
+// diff-04x03-d24864996ad4 + cat-b-dc46aadab98e for closure rationale.
+
 // API key stored in memory (not localStorage for security)
 let apiKey: string | null = null;