fix: resolve NULL csr_pem scan errors and QA smoke test failures

Root cause: certificate_versions.csr_pem is nullable in the schema but Go code scanned it into a plain string. Used sql.NullString in ListVersions and GetLatestVersion to handle NULL values correctly. Also includes: partial update fetch-merge-update pattern to prevent FK violations, nil directory guard in discovery service, diagnostic slog logging in handlers, export handler 422 for unparseable PEM, OpenAPI spec corrections, MCP tool description improvements, and test fixes. Rewrites the Release Sign-Off section in testing-guide.md to individual test-level granularity (320 rows) with smoke test results audited and checked off (121 pass, 5 skip, 194 manual remaining). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-12 06:58:52 +00:00 · 2026-03-30 00:51:18 -04:00
parent 20378ea7bb
commit a8fc177118
12 changed files with 683 additions and 74 deletions
@@ -311,12 +311,56 @@ func (s *CertificateService) CreateCertificate(cert domain.ManagedCertificate) (
 }

 // UpdateCertificate modifies a certificate (handler interface method).
-func (s *CertificateService) UpdateCertificate(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
-	cert.ID = id
-	if err := s.certRepo.Update(context.Background(), &cert); err != nil {
+func (s *CertificateService) UpdateCertificate(id string, patch domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+	ctx := context.Background()
+
+	// Fetch existing certificate so partial updates don't zero out fields
+	existing, err := s.certRepo.Get(ctx, id)
+	if err != nil {
+		return nil, fmt.Errorf("certificate not found: %w", err)
+	}
+
+	// Merge non-zero fields from patch into existing
+	if patch.Name != "" {
+		existing.Name = patch.Name
+	}
+	if patch.CommonName != "" {
+		existing.CommonName = patch.CommonName
+	}
+	if len(patch.SANs) > 0 {
+		existing.SANs = patch.SANs
+	}
+	if patch.Environment != "" {
+		existing.Environment = patch.Environment
+	}
+	if patch.OwnerID != "" {
+		existing.OwnerID = patch.OwnerID
+	}
+	if patch.TeamID != "" {
+		existing.TeamID = patch.TeamID
+	}
+	if patch.IssuerID != "" {
+		existing.IssuerID = patch.IssuerID
+	}
+	if patch.RenewalPolicyID != "" {
+		existing.RenewalPolicyID = patch.RenewalPolicyID
+	}
+	if patch.CertificateProfileID != "" {
+		existing.CertificateProfileID = patch.CertificateProfileID
+	}
+	if patch.Status != "" {
+		existing.Status = patch.Status
+	}
+	if patch.Tags != nil {
+		existing.Tags = patch.Tags
+	}
+
+	existing.UpdatedAt = time.Now()
+
+	if err := s.certRepo.Update(ctx, existing); err != nil {
 		return nil, fmt.Errorf("failed to update certificate: %w", err)
 	}
-	return &cert, nil
+	return existing, nil
 }

 // ArchiveCertificate marks a certificate as archived (handler interface method).
@@ -40,6 +40,11 @@ func (s *DiscoveryService) ProcessDiscoveryReport(ctx context.Context, report *d
 		return nil, fmt.Errorf("report must contain at least one certificate or error")
 	}

+	// Ensure directories is never nil (PostgreSQL TEXT[] NOT NULL)
+	if report.Directories == nil {
+		report.Directories = []string{}
+	}
+
 	now := time.Now()
 	scan := &domain.DiscoveryScan{
 		ID:                generateID("dscan"),
@@ -52,6 +57,11 @@ func (s *DiscoveryService) ProcessDiscoveryReport(ctx context.Context, report *d
 		CompletedAt:       &now,
 	}

+	// Store the scan record first (discovered certs reference scan via FK)
+	if err := s.discoveryRepo.CreateScan(ctx, scan); err != nil {
+		return nil, fmt.Errorf("failed to create scan record: %w", err)
+	}
+
 	// Upsert each discovered certificate
 	newCount := 0
 	for _, entry := range report.Certificates {
@@ -105,11 +115,6 @@ func (s *DiscoveryService) ProcessDiscoveryReport(ctx context.Context, report *d

 	scan.CertificatesNew = newCount

-	// Store the scan record
-	if err := s.discoveryRepo.CreateScan(ctx, scan); err != nil {
-		return nil, fmt.Errorf("failed to create scan record: %w", err)
-	}
-
 	// Audit trail
 	if err := s.auditService.RecordEvent(ctx, report.AgentID, domain.ActorTypeSystem,
 		"discovery_scan_completed", "discovery_scan", scan.ID,
@@ -88,7 +88,7 @@ func (s *ExportService) ExportPKCS12(ctx context.Context, certID string, passwor
 	// Parse PEM chain into x509.Certificate objects
 	certs, err := parsePEMCertificates(version.PEMChain)
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse certificate chain: %w", err)
+		return nil, fmt.Errorf("certificate data cannot be parsed as X.509: %w", err)
 	}

 	if len(certs) == 0 {
@@ -321,8 +321,8 @@ func TestTeamService_Create_EmptyName(t *testing.T) {
 		t.Fatalf("expected validation error for empty name, got nil")
 	}

-	if !errors.Is(err, errors.New("team name is required")) {
-		t.Logf("error: %v", err)
+	if !strings.Contains(err.Error(), "team name is required") {
+		t.Errorf("expected error containing 'team name is required', got: %v", err)
 	}
 }