diff --git a/cmd/agent/agent_test.go b/cmd/agent/agent_test.go
index a11bd98..365618b 100644
--- a/cmd/agent/agent_test.go
+++ b/cmd/agent/agent_test.go
@@ -947,7 +947,7 @@ func TestCreateTargetConnector_AllSupportedTypes(t *testing.T) {
 },
 },
 {
- // Rank 5 of the 2026-05-03 deep-research deliverable.
+ // Rank 5 of the 2026-05-03 Infisical deep-research deliverable.
 // Region must be a valid AWS region; the connector lazy-loads
 // the SDK client during ValidateConfig but New() with a populated
 // region should succeed against the SDK credential chain
diff --git a/cmd/agent/main.go b/cmd/agent/main.go
index 8e0bf08..a5b588c 100644
--- a/cmd/agent/main.go
+++ b/cmd/agent/main.go
@@ -907,7 +907,7 @@ func (a *Agent) createTargetConnector(ctx context.Context, targetType string, co
 return k8s.New(&cfg, a.logger)
 case "AWSACM":
- // Rank 5 of the 2026-05-03 deep-research deliverable.
+ // Rank 5 of the 2026-05-03 Infisical deep-research deliverable.
 // AWS Certificate Manager target — SDK-driven (no file I/O).
 // LoadDefaultConfig handles the standard AWS credential chain
 // (IRSA / EC2 instance profile / SSO / env vars) without any
@@ -921,7 +921,7 @@ func (a *Agent) createTargetConnector(ctx context.Context, targetType string, co
 return awsacm.New(ctx, &cfg, a.logger)
 case "AzureKeyVault":
- // Rank 5 of the 2026-05-03 deep-research deliverable.
+ // Rank 5 of the 2026-05-03 Infisical deep-research deliverable.
 // Azure Key Vault target — SDK-driven (no file I/O).
 // DefaultAzureCredential handles the standard Azure credential
 // chain (managed identity / workload identity / env vars / az
diff --git a/cmd/server/main.go b/cmd/server/main.go
index 20aec1b..ed4ae19 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -268,7 +268,7 @@ func main() {
 transactor := postgres.NewTransactor(db)
 certificateService.SetTransactor(transactor)
- // Rank 7 of the 2026-05-03 deep-research deliverable —
+ // Rank 7 of the 2026-05-03 Infisical deep-research deliverable —
 // issuance approval-workflow primitive. ApprovalRepository +
 // ApprovalMetrics + ApprovalService construct here; the gate is
 // activated on CertificateService via SetApprovalService +
@@ -344,8 +344,8 @@ func main() {
 notificationService := service.NewNotificationService(notificationRepo, notifierRegistry)
 notificationService.SetOwnerRepo(ownerRepo)
- // Rank 4 of the 2026-05-03 deep-research deliverable
- // (cowork/deep-research-results-2026-05-03.md Part 5). Per-policy
+ // Rank 4 of the 2026-05-03 Infisical deep-research deliverable
+ // (cowork/infisical-deep-research-results.md Part 5). Per-policy
 // multi-channel expiry-alert metrics. Same instance is wired into
 // the notification service (recording side, every
 // SendThresholdAlertOnChannel call reports its outcome) AND into
@@ -626,7 +626,7 @@ func main() {
 // Top-10 fix #5 (2026-05-03 audit): Vault PKI token-renewal counter.
 // Same instance the registry uses to record per-tick results.
 metricsHandler.SetVaultRenewals(vaultRenewalMetrics)
- // Rank 4 of the 2026-05-03 deep-research deliverable:
+ // Rank 4 of the 2026-05-03 Infisical deep-research deliverable:
 // per-policy multi-channel expiry-alert counter. Same instance the
 // notification service uses to record per-(channel, threshold,
 // result) outcomes.
@@ -927,7 +927,7 @@ func main() {
 // docs/acme-server.md for the operator-facing reference.
 ACME: acmeHandler,
 // Approvals — issuance approval-workflow primitive. Rank 7 of
- // the 2026-05-03 deep-research deliverable. See
+ // the 2026-05-03 Infisical deep-research deliverable. See
 // docs/approval-workflow.md.
 Approvals: approvalHandler,
 })
diff --git a/docs/approval-workflow.md b/docs/approval-workflow.md
index 8d57c7b..7bef42f 100644
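Review bot: The doc comments now cite `cowork/infisical-deep-research-results.md` in place of `cowork/deep-research-results-2026-05-03.md` (second hunk of this file, and likewise in internal/api/handler/metrics.go, the awsacm and azurekv connector packages and their tests, internal/domain, internal/service, the expiry-alert test, and migrations 000026/000027), but nothing in this diff renames or adds that file. If the rename happened in a separate commit or the cowork/ directory is not tracked, this is fine; otherwise every one of these references now points at a path that does not exist in the tree. A `git ls-files cowork/` or a grep for the old name alongside this change would settle it. The surrounding main() body starts and ends outside the hunk.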
--- a/docs/approval-workflow.md
+++ b/docs/approval-workflow.md
@@ -2,7 +2,7 @@ certctl can gate certificate issuance + renewal on a per-profile, two-person-integrity check. Compliance customers (PCI-DSS Level 1, FedRAMP Moderate / High, SOC 2 Type II, HIPAA) configure this on production-tier `CertificateProfile` rows so every renewal-loop tick or manual `POST /api/v1/certificates/{id}/renew` blocks at `JobStatusAwaitingApproval` until a different actor approves.
-Rank 7 of the 2026-05-03 deep-research deliverable. Closes the procurement-checklist question "How do you enforce two-person integrity on cert issuance?" — pre-Rank-7 the answer was "we don't"; post-Rank-7 the answer is "set `requires_approval=true` on the profile + here's the audit query that proves bypass mode is off in production."
+Rank 7 of the 2026-05-03 Infisical deep-research deliverable. Closes the procurement-checklist question "How do you enforce two-person integrity on cert issuance?" — pre-Rank-7 the answer was "we don't"; post-Rank-7 the answer is "set `requires_approval=true` on the profile + here's the audit query that proves bypass mode is off in production."
 ## End-to-end flow
diff --git a/docs/connectors.md b/docs/connectors.md
index 492dac9..5951c59 100644
--- a/docs/connectors.md
+++ b/docs/connectors.md
@@ -1411,7 +1411,7 @@ Location: `internal/connector/target/k8ssecret/k8ssecret.go`
 ### AWS Certificate Manager (ACM)
-The AWS ACM target connector deploys certificates into AWS Certificate Manager — the public AWS service that ALB / CloudFront / API Gateway / App Runner consume by ARN. Closes the "we terminate TLS at AWS, how do we get certctl-issued certs to ALB?" question for cloud-first deployments. Rank 5 of the 2026-05-03 deep-research deliverable.
+The AWS ACM target connector deploys certificates into AWS Certificate Manager — the public AWS service that ALB / CloudFront / API Gateway / App Runner consume by ARN. Closes the "we terminate TLS at AWS, how do we get certctl-issued certs to ALB?" question for cloud-first deployments. Rank 5 of the 2026-05-03 Infisical deep-research deliverable.
 ```json
 {
@@ -1506,7 +1506,7 @@ Location: `internal/connector/target/awsacm/awsacm.go` + `internal/connector/tar
 ### Azure Key Vault
-The Azure Key Vault target connector deploys certificates into Azure Key Vault — the Azure-managed cert/secret store that Application Gateway / Front Door / App Service / Container Apps consume by KID URI. Rank 5 (Azure half) of the 2026-05-03 deep-research deliverable.
+The Azure Key Vault target connector deploys certificates into Azure Key Vault — the Azure-managed cert/secret store that Application Gateway / Front Door / App Service / Container Apps consume by KID URI. Rank 5 (Azure half) of the 2026-05-03 Infisical deep-research deliverable.
 ```json
 {
@@ -1619,7 +1619,7 @@ Built-in notifiers: **Email** (SMTP), **Webhook** (HTTP POST), **Slack** (incomi
 ### Routing expiry alerts across channels
-certctl-server runs a daily renewal-check loop that scans for managed certificates approaching expiry. For each cert that has crossed a configured threshold (default `[30, 14, 7, 0]` days), an `ExpirationWarning` notification is dispatched. **Pre-2026-05-03**, dispatch went exclusively via the `Email` channel — operators with PagerDuty / Slack / Teams / OpsGenie wired up received nothing at any threshold unless SMTP was also configured. Rank 4 of the 2026-05-03 deep-research deliverable closed that gap with a per-policy channel-matrix.
+certctl-server runs a daily renewal-check loop that scans for managed certificates approaching expiry. For each cert that has crossed a configured threshold (default `[30, 14, 7, 0]` days), an `ExpirationWarning` notification is dispatched. **Pre-2026-05-03**, dispatch went exclusively via the `Email` channel — operators with PagerDuty / Slack / Teams / OpsGenie wired up received nothing at any threshold unless SMTP was also configured. Rank 4 of the 2026-05-03 Infisical deep-research deliverable closed that gap with a per-policy channel-matrix.
 **The matrix lives on `RenewalPolicy`:**
diff --git a/docs/runbook-cloud-targets.md b/docs/runbook-cloud-targets.md
index bc59818..47a9f6f 100644
--- a/docs/runbook-cloud-targets.md
+++ b/docs/runbook-cloud-targets.md
@@ -1,7 +1,7 @@
 # Runbook: cloud-target deployment connectors (AWS ACM + Azure Key Vault)
 This runbook covers the SDK-driven cloud target connectors that ship in
-certctl post-2026-05-03 (Rank 5 of the deep-research
+certctl post-2026-05-03 (Rank 5 of the Infisical deep-research
 deliverable). It complements the operator-facing [AWS Certificate Manager](connectors.md#aws-certificate-manager-acm) and [Azure Key Vault](connectors.md#azure-key-vault) sections in
diff --git a/docs/runbook-expiry-alerts.md b/docs/runbook-expiry-alerts.md
index 69fa4b5..f5e7db7 100644
--- a/docs/runbook-expiry-alerts.md
+++ b/docs/runbook-expiry-alerts.md
@@ -1,7 +1,7 @@
 # Runbook: certificate-expiry alerts (multi-channel)
 This runbook covers the per-policy multi-channel expiry-alert dispatch
-path that ships in certctl post-2026-05-03 (Rank 4 of the deep-research
+path that ships in certctl post-2026-05-03 (Rank 4 of the Infisical deep-research
 deliverable). It complements the operator-facing [Routing expiry alerts across channels](connectors.md#routing-expiry-alerts-across-channels) section in `docs/connectors.md`.
diff --git a/internal/api/handler/approval.go b/internal/api/handler/approval.go
index 8ea3cf7..9974b8c 100644
--- a/internal/api/handler/approval.go
+++ b/internal/api/handler/approval.go
@@ -18,7 +18,7 @@ import (
 // inversion) so the handler stays decoupled from the concrete
 // *service.ApprovalService.
 //
-// Rank 7 of the 2026-05-03 deep-research deliverable, commit 3
+// Rank 7 of the 2026-05-03 Infisical deep-research deliverable, commit 3
 // of 4 — the API + RBAC layer.
 type ApprovalServicer interface {
 Approve(ctx context.Context, requestID, decidedBy, note string) error
diff --git a/internal/api/handler/metrics.go b/internal/api/handler/metrics.go
index 942c3eb..a256537 100644
--- a/internal/api/handler/metrics.go
+++ b/internal/api/handler/metrics.go
@@ -89,8 +89,8 @@ type VaultRenewalSnapshotter interface {
 // (via NotificationService.SetExpiryAlertMetrics) and exposing
 // (here).
 //
-// Rank 4 of the 2026-05-03 deep-research deliverable
-// (cowork/deep-research-results-2026-05-03.md Part 5).
+// Rank 4 of the 2026-05-03 Infisical deep-research deliverable
+// (cowork/infisical-deep-research-results.md Part 5).
 type ExpiryAlertSnapshotter interface {
 // SnapshotExpiryAlerts returns one entry per non-zero counter,
 // pre-sorted by (channel, threshold, result) so the Prometheus
@@ -123,7 +123,7 @@ type MetricsHandler struct {
 // certctl_vault_token_renewals_total{result=...}.
 vaultRenewals VaultRenewalSnapshotter
 // Per-policy multi-channel expiry alert counters. Rank 4 of the
- // 2026-05-03 deep-research deliverable. nil disables
+ // 2026-05-03 Infisical deep-research deliverable. nil disables
 // emission of certctl_expiry_alerts_total{channel,threshold,result}.
 expiryAlerts ExpiryAlertSnapshotter
 }
@@ -168,7 +168,7 @@ func (h *MetricsHandler) SetVaultRenewals(c VaultRenewalSnapshotter) {
 // SetExpiryAlerts wires the per-policy multi-channel expiry-alert
 // counter table for the Prometheus exposition. nil disables the
-// block. Closes Rank 4 of the 2026-05-03 deep-research
+// block. Closes Rank 4 of the 2026-05-03 Infisical deep-research
 // deliverable.
 func (h *MetricsHandler) SetExpiryAlerts(c ExpiryAlertSnapshotter) {
 h.expiryAlerts = c
@@ -502,7 +502,7 @@ func (h MetricsHandler) GetPrometheusMetrics(w http.ResponseWriter, r *http.Requ
 }
 // Per-policy multi-channel expiry-alert counters. Rank 4 of the
- // 2026-05-03 deep-research deliverable. Operators alert
+ // 2026-05-03 Infisical deep-research deliverable. Operators alert
 // on certctl_expiry_alerts_total{result="failure"} > 0 to catch
 // when a notifier connector (PagerDuty / Slack / etc.) is
 // rejecting our sends. Cardinality: 6 channels × N thresholds × 3
diff --git a/internal/api/router/router.go b/internal/api/router/router.go
index aba5a53..39a86d5 100644
--- a/internal/api/router/router.go
+++ b/internal/api/router/router.go
@@ -158,7 +158,8 @@ type HandlerRegistry struct {
 ACME handler.ACMEHandler
 // Approvals handles the issuance approval-workflow endpoints under
- // /api/v1/approvals/*. Rank 7 of the 2026-05-03 deep-research deliverable — closes the two-person integrity / four-eyes
+ // /api/v1/approvals/*. Rank 7 of the 2026-05-03 Infisical deep-
+ // research deliverable — closes the two-person integrity / four-eyes
 // principle procurement gap. Routes:
 // GET /api/v1/approvals
 // GET /api/v1/approvals/{id}
diff --git a/internal/config/config.go b/internal/config/config.go
index 6667ebf..168131e 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -29,7 +29,7 @@ type Config struct {
 Verification VerificationConfig
 ACME ACMEConfig
 // Approval is the issuance approval-workflow primitive's runtime
- // config. Rank 7 of the 2026-05-03 deep-research
+ // config. Rank 7 of the 2026-05-03 Infisical deep-research
 // deliverable. The single field — BypassEnabled — short-circuits
 // the workflow for dev/CI; production deploys MUST leave it false.
 Approval ApprovalConfig
@@ -1431,7 +1431,7 @@ type SchedulerConfig struct {
 }
 // ApprovalConfig contains issuance approval-workflow runtime configuration.
-// Rank 7 of the 2026-05-03 deep-research deliverable.
+// Rank 7 of the 2026-05-03 Infisical deep-research deliverable.
 type ApprovalConfig struct {
 // BypassEnabled short-circuits the approval workflow — every
 // RequestApproval call auto-approves with decidedBy="system-bypass"
diff --git a/internal/connector/target/awsacm/awsacm.go b/internal/connector/target/awsacm/awsacm.go
index 6ccc687..b2756bc 100644
--- a/internal/connector/target/awsacm/awsacm.go
+++ b/internal/connector/target/awsacm/awsacm.go
@@ -15,8 +15,8 @@
 // on mismatch (or any post-verify failure) the connector re-imports the
 // snapshot bytes to restore the previous cert. Mirrors the Bundle 5+
 // pre-deploy-snapshot + on-failure-restore pattern from IIS / WinCertStore /
-// JavaKeystore. Rank 5 of the 2026-05-03 deep-research
-// deliverable (cowork/deep-research-results-2026-05-03.md Part 5).
+// JavaKeystore. Rank 5 of the 2026-05-03 Infisical deep-research
+// deliverable (cowork/infisical-deep-research-results.md Part 5).
 //
 // IAM permissions required:
 //
diff --git a/internal/connector/target/awsacm/awsacm_failure_test.go b/internal/connector/target/awsacm/awsacm_failure_test.go
index 9335e63..cfd1bd1 100644
--- a/internal/connector/target/awsacm/awsacm_failure_test.go
+++ b/internal/connector/target/awsacm/awsacm_failure_test.go
@@ -1,7 +1,7 @@
 package awsacm_test
-// Rank 5 of the 2026-05-03 deep-research deliverable
-// (cowork/deep-research-results-2026-05-03.md Part 5). Per-error-class
+// Rank 5 of the 2026-05-03 Infisical deep-research deliverable
+// (cowork/infisical-deep-research-results.md Part 5). Per-error-class
 // failure tests for the AWS ACM target connector — mirrors the
 // awsacmpca_failure_test.go shape (commit 60dce0b) on the issuer side.
 //
diff --git a/internal/connector/target/awsacm/awsacm_test.go b/internal/connector/target/awsacm/awsacm_test.go
index 7da8585..492ca9f 100644
--- a/internal/connector/target/awsacm/awsacm_test.go
+++ b/internal/connector/target/awsacm/awsacm_test.go
@@ -1,7 +1,7 @@
 package awsacm_test
-// Rank 5 of the 2026-05-03 deep-research deliverable
-// (cowork/deep-research-results-2026-05-03.md Part 5). Happy-path table-
+// Rank 5 of the 2026-05-03 Infisical deep-research deliverable
+// (cowork/infisical-deep-research-results.md Part 5). Happy-path table-
 // driven tests for the AWS ACM target connector. Mirrors the
 // k8ssecret_test.go ergonomics + the Bundle 5+ atomic-rollback
 // assertions from IIS / WinCertStore / JavaKeystore.
diff --git a/internal/connector/target/azurekv/azurekv.go b/internal/connector/target/azurekv/azurekv.go
index c8c0147..7e1cb24 100644
--- a/internal/connector/target/azurekv/azurekv.go
+++ b/internal/connector/target/azurekv/azurekv.go
@@ -26,8 +26,8 @@
 // is the safe default — recovery requires acm:RecoverDeletedCertificate
 // permission which we deliberately keep off the minimum-RBAC surface.
 //
-// Rank 5 of the 2026-05-03 deep-research deliverable
-// (cowork/deep-research-results-2026-05-03.md Part 5).
+// Rank 5 of the 2026-05-03 Infisical deep-research deliverable
+// (cowork/infisical-deep-research-results.md Part 5).
 //
 // Required Azure RBAC (minimum):
 //
diff --git a/internal/connector/target/azurekv/azurekv_test.go b/internal/connector/target/azurekv/azurekv_test.go
index df8ec2f..8763ed7 100644
--- a/internal/connector/target/azurekv/azurekv_test.go
+++ b/internal/connector/target/azurekv/azurekv_test.go
@@ -1,7 +1,7 @@
 package azurekv_test
-// Rank 5 of the 2026-05-03 deep-research deliverable
-// (cowork/deep-research-results-2026-05-03.md Part 5). Happy-path tests
+// Rank 5 of the 2026-05-03 Infisical deep-research deliverable
+// (cowork/infisical-deep-research-results.md Part 5). Happy-path tests
 // for the Azure Key Vault target connector. Mirrors the awsacm_test.go
 // shape so cross-cloud regressions are bisectable side-by-side.
diff --git a/internal/domain/approval.go b/internal/domain/approval.go
index 314c712..6f7e742 100644
--- a/internal/domain/approval.go
+++ b/internal/domain/approval.go
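Review bot: The unchanged context line two above the edited comment in the azurekv.go hunk says recovery `requires acm:RecoverDeletedCertificate permission`, but `acm:` is an AWS IAM action namespace and this is the Azure Key Vault connector, so it reads like a carry-over from the awsacm package doc. Since the commit is already rewording this doc block, the same hunk is the place to replace that token with the Azure Key Vault certificate-recover permission the connector deliberately omits, so this sentence and the `Required Azure RBAC (minimum)` list below it agree. I cannot confirm the exact Azure permission name from this diff, so check it against the role assignment documented for the connector before editing. The package doc comment continues outside the hunk.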
@@ -16,8 +16,8 @@ import "time"
 // Once terminal, the row is immutable; the audit_events table is the
 // durable record of who approved + why.
 //
-// Rank 7 of the 2026-05-03 deep-research deliverable
-// (cowork/deep-research-results-2026-05-03.md Part 5). Closes the
+// Rank 7 of the 2026-05-03 Infisical deep-research deliverable
+// (cowork/infisical-deep-research-results.md Part 5). Closes the
 // "two-person integrity / four-eyes principle" procurement gap for
 // PCI-DSS Level 1, FedRAMP Moderate / High, and SOC 2 Type II
 // customers.
diff --git a/internal/domain/certificate.go b/internal/domain/certificate.go
index a64801d..feec558 100644
--- a/internal/domain/certificate.go
+++ b/internal/domain/certificate.go
@@ -124,8 +124,8 @@ type RenewalPolicy struct {
 // the dispatch site (closed-enum discipline; we do NOT dynamically
 // grow Prometheus cardinality on a typo).
 //
- // Rank 4 of the 2026-05-03 deep-research deliverable
- // (cowork/deep-research-results-2026-05-03.md Part 5).
+ // Rank 4 of the 2026-05-03 Infisical deep-research deliverable
+ // (cowork/infisical-deep-research-results.md Part 5).
 AlertChannels map[string][]string `json:"alert_channels,omitempty"`
 // AlertSeverityMap maps each threshold-day value to its severity
diff --git a/internal/domain/connector.go b/internal/domain/connector.go
index f66c87f..f2fd232 100644
--- a/internal/domain/connector.go
+++ b/internal/domain/connector.go
@@ -215,8 +215,8 @@ const (
 // TargetTypeAWSACM deploys certificates to AWS Certificate Manager
 // (ACM) — the public AWS service that ALB / CloudFront / API
 // Gateway / App Runner consume by ARN. Rank 5 of the 2026-05-03
- // deep-research deliverable
- // (cowork/deep-research-results-2026-05-03.md Part 5). See
+ // Infisical deep-research deliverable
+ // (cowork/infisical-deep-research-results.md Part 5). See
 // docs/connectors.md "AWS Certificate Manager" section for the
 // operator playbook including minimum IAM policy + atomic-rollback
 // contract.
@@ -224,7 +224,7 @@ const (
 // TargetTypeAzureKeyVault deploys certificates to Azure Key Vault —
 // the Azure-managed cert store that Application Gateway / Front
 // Door / App Service / Container Apps consume by KID URI. Rank 5
- // of the 2026-05-03 deep-research deliverable. See
+ // of the 2026-05-03 Infisical deep-research deliverable. See
 // docs/connectors.md "Azure Key Vault" for the operator playbook
 // including minimum RBAC role + atomic-rollback + Azure-version
 // semantics.
diff --git a/internal/domain/profile.go b/internal/domain/profile.go
index 813d1a7..53b657e 100644
--- a/internal/domain/profile.go
+++ b/internal/domain/profile.go
@@ -87,7 +87,7 @@ type CertificateProfile struct {
 //
 // Backed by certificate_profiles.requires_approval added in
 // migration 000027_approval_workflow. Rank 7 of the 2026-05-03
- // deep-research deliverable.
+ // Infisical deep-research deliverable.
 RequiresApproval bool `json:"requires_approval,omitempty"`
 Enabled bool `json:"enabled"`
diff --git a/internal/repository/interfaces.go b/internal/repository/interfaces.go
index 5a7e12a..7e926c5 100644
--- a/internal/repository/interfaces.go
+++ b/internal/repository/interfaces.go
@@ -715,7 +715,7 @@ type HealthCheckFilter struct {
 }
 // ApprovalRepository defines operations for managing issuance approval requests.
-// Rank 7 of the 2026-05-03 deep-research deliverable — closes the
+// Rank 7 of the 2026-05-03 Infisical deep-research deliverable — closes the
 // two-person integrity / four-eyes principle procurement gap for PCI-DSS
 // Level 1, FedRAMP Moderate / High, SOC 2 Type II, HIPAA-regulated PHI.
 //
diff --git a/internal/repository/postgres/approval.go b/internal/repository/postgres/approval.go
index d06698d..775b9cd 100644
--- a/internal/repository/postgres/approval.go
+++ b/internal/repository/postgres/approval.go
@@ -16,7 +16,7 @@ import (
 )
 // ApprovalRepository is the postgres implementation of
-// repository.ApprovalRepository. Rank 7 of the 2026-05-03 deep-research
+// repository.ApprovalRepository. Rank 7 of the 2026-05-03 Infisical
 // deep-research deliverable.
 type ApprovalRepository struct {
 db *sql.DB
diff --git a/internal/repository/postgres/renewal_policy.go b/internal/repository/postgres/renewal_policy.go
index e435c2e..add2d14 100644
--- a/internal/repository/postgres/renewal_policy.go
+++ b/internal/repository/postgres/renewal_policy.go
@@ -37,7 +37,7 @@ func NewRenewalPolicyRepository(db *sql.DB) *RenewalPolicyRepository {
 //
 // alert_channels / alert_severity_map (migration 000026) ARE read here —
 // they're the per-policy channel matrix that drives multi-channel expiry
-// alert routing (Rank 4 of the 2026-05-03 deep-research
+// alert routing (Rank 4 of the 2026-05-03 Infisical deep-research
 // deliverable). Both default to '{}' at the DB level; scanRenewalPolicy
 // unmarshals an empty map into nil so domain.EffectiveAlertChannels /
 // EffectiveAlertSeverityMap fall through to the back-compat defaults.
diff --git a/internal/service/approval.go b/internal/service/approval.go
index b82aa7d..d12a994 100644
--- a/internal/service/approval.go
+++ b/internal/service/approval.go
@@ -11,7 +11,7 @@ import (
 )
 // ApprovalService manages the issuance approval-workflow primitive.
-// Rank 7 of the 2026-05-03 deep-research deliverable.
+// Rank 7 of the 2026-05-03 Infisical deep-research deliverable.
 //
 // Lifecycle: a profile with RequiresApproval=true causes the renewal
 // entry points (TriggerRenewal + CheckExpiringCertificates) to call
diff --git a/internal/service/approval_metrics.go b/internal/service/approval_metrics.go
index d432eea..996766f 100644
--- a/internal/service/approval_metrics.go
+++ b/internal/service/approval_metrics.go
@@ -8,7 +8,7 @@ import (
 )
 // ApprovalMetrics is a thread-safe counter table for the issuance
-// approval-workflow dispatch path. Rank 7 of the 2026-05-03 deep-research
+// approval-workflow dispatch path. Rank 7 of the 2026-05-03 Infisical
 // deep-research deliverable. Mirrors the ExpiryAlertMetrics +
 // VaultRenewalMetrics shape: cmd/server/main.go constructs ONE instance,
 // passes it to ApprovalService (recording side) AND metricsHandler
diff --git a/internal/service/certificate.go b/internal/service/certificate.go
index 8d4a114..f494680 100644
--- a/internal/service/certificate.go
+++ b/internal/service/certificate.go
@@ -39,7 +39,7 @@ type CertificateService struct {
 // a parallel ApprovalRequest row is created via approvalSvc. The
 // scheduler does NOT dispatch until ApprovalService.Approve
 // transitions the job to Pending. Rank 7 of the 2026-05-03
- // deep-research deliverable. Both setters are optional —
+ // Infisical deep-research deliverable. Both setters are optional —
 // when either is nil, gating is skipped and TriggerRenewal falls
 // back to the historical unattended path.
 approvalSvc *ApprovalService
@@ -107,7 +107,7 @@ func (s *CertificateService) SetKeygenMode(mode string) {
 // SetApprovalService wires the approval-workflow service. When both this
 // and SetProfileRepo are wired, TriggerRenewal gates on
-// CertificateProfile.RequiresApproval. Rank 7 of the 2026-05-03 deep-research
+// CertificateProfile.RequiresApproval. Rank 7 of the 2026-05-03 Infisical
 // deep-research deliverable.
 func (s *CertificateService) SetApprovalService(svc *ApprovalService) {
 s.approvalSvc = svc
diff --git a/internal/service/expiry_alert_metrics.go b/internal/service/expiry_alert_metrics.go
index a1d2997..d4356a0 100644
--- a/internal/service/expiry_alert_metrics.go
+++ b/internal/service/expiry_alert_metrics.go
@@ -8,8 +8,8 @@ import (
 // ExpiryAlertMetrics is a thread-safe counter table for the per-policy
 // multi-channel expiry-alert dispatch path. Rank 4 of the 2026-05-03
-// deep-research deliverable
-// (cowork/deep-research-results-2026-05-03.md Part 5). Closes the
+// Infisical deep-research deliverable
+// (cowork/infisical-deep-research-results.md Part 5). Closes the
 // procurement-checklist gap where a customer who configured PagerDuty
 // for cert-expiry pages got silent nothing — ExpirationWarning shipped
 // only to Email pre-fix.
diff --git a/internal/service/notification.go b/internal/service/notification.go
index a77f4a6..54b6d0a 100644
--- a/internal/service/notification.go
+++ b/internal/service/notification.go
@@ -54,7 +54,7 @@ type NotificationService struct {
 // to SendThresholdAlertOnChannel reports its outcome (success / failure)
 // to the metric sink so the Prometheus exposer surfaces
 // certctl_expiry_alerts_total{channel,threshold,result}. Rank 4 of the
- // 2026-05-03 deep-research deliverable. Nil leaves the
+ // 2026-05-03 Infisical deep-research deliverable. Nil leaves the
 // dispatch path unchanged (no metric emission, but alerts still fire).
 expiryAlertMetrics ExpiryAlertRecorder
 }
@@ -149,7 +149,7 @@ func (s *NotificationService) SendExpirationWarning(ctx context.Context, cert *d
 //
 // Policy-driven dispatch in RenewalService.sendThresholdAlerts uses
 // SendThresholdAlertOnChannel directly with the channel resolved from the
-// per-policy AlertChannels matrix. Rank 4 of the 2026-05-03 deep-research
+// per-policy AlertChannels matrix. Rank 4 of the 2026-05-03 Infisical
 // deep-research deliverable.
 func (s *NotificationService) SendThresholdAlert(ctx context.Context, cert *domain.ManagedCertificate, daysUntilExpiry int, threshold int) error {
 return s.SendThresholdAlertOnChannel(ctx, cert, daysUntilExpiry, threshold, domain.NotificationChannelEmail)
diff --git a/internal/service/renewal.go b/internal/service/renewal.go
index 13d71d4..8a09f83 100644
--- a/internal/service/renewal.go
+++ b/internal/service/renewal.go
@@ -204,7 +204,7 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
 // policy pointer (nil-safe) drives the per-(threshold) channel
 // matrix; nil policy or empty AlertChannels falls through to the
 // back-compat Email-only default. Rank 4 of the 2026-05-03
- // deep-research deliverable.
+ // Infisical deep-research deliverable.
 var policyPtr *domain.RenewalPolicy
 if cert.RenewalPolicyID != "" {
 policyPtr = policyCache[cert.RenewalPolicyID]
@@ -323,8 +323,8 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
 // AND metadata->>'channel' = 'PagerDuty' to answer "did the on-call
 // team get paged?".
 //
-// Rank 4 of the 2026-05-03 deep-research deliverable
-// (cowork/deep-research-results-2026-05-03.md Part 5). The policy
+// Rank 4 of the 2026-05-03 Infisical deep-research deliverable
+// (cowork/infisical-deep-research-results.md Part 5). The policy
 // argument is nil-safe — a cert with no RenewalPolicy attached gets the
 // back-compat Email-only default matrix.
 func (s *RenewalService) sendThresholdAlerts(
diff --git a/internal/service/renewal_expiry_alerts_test.go b/internal/service/renewal_expiry_alerts_test.go
index 46fcdeb..16783b2 100644
--- a/internal/service/renewal_expiry_alerts_test.go
+++ b/internal/service/renewal_expiry_alerts_test.go
@@ -1,7 +1,7 @@
 package service
-// Rank 4 of the 2026-05-03 deep-research deliverable
-// (cowork/deep-research-results-2026-05-03.md Part 5). Pins every leg of
+// Rank 4 of the 2026-05-03 Infisical deep-research deliverable
+// (cowork/infisical-deep-research-results.md Part 5). Pins every leg of
 // the per-policy multi-channel expiry-alert fan-out matrix:
 //
 // 1. Default matrix → Email-only at every tier (back-compat).
diff --git a/internal/service/testutil_test.go b/internal/service/testutil_test.go
index 61d9bca..5085e93 100644
--- a/internal/service/testutil_test.go
+++ b/internal/service/testutil_test.go
@@ -513,7 +513,7 @@ func (m *mockNotifRepo) List(ctx context.Context, filter *repository.Notificatio
 // Apply each non-zero filter field. Mirror the postgres notification
 // repo's WHERE-clause shape (CertificateID, Type, Status, Channel,
 // MessageLike) so the multi-channel expiry-alert tests
- // (renewal_expiry_alerts_test.go, Rank 4 of the 2026-05-03 deep-research
+ // (renewal_expiry_alerts_test.go, Rank 4 of the 2026-05-03 Infisical
 // deep-research deliverable) get the same per-(cert, threshold,
 // channel) dedup behaviour they'd see in production. Pre-Rank 4 the
 // mock returned all rows regardless of filter; legacy callers
diff --git a/migrations/000026_renewal_policy_channel_matrix.up.sql b/migrations/000026_renewal_policy_channel_matrix.up.sql
index f709aba..085cc4b 100644
--- a/migrations/000026_renewal_policy_channel_matrix.up.sql
+++ b/migrations/000026_renewal_policy_channel_matrix.up.sql
@@ -1,5 +1,5 @@
--- Rank 4 of the 2026-05-03 deep-research deliverable
--- (cowork/deep-research-results-2026-05-03.md Part 5). Adds the
+-- Rank 4 of the 2026-05-03 Infisical deep-research deliverable
+-- (cowork/infisical-deep-research-results.md Part 5). Adds the
 -- per-policy channel matrix that the multi-channel expiry-alert
 -- routing reads from. Two JSONB columns:
 --
diff --git a/migrations/000027_approval_workflow.up.sql b/migrations/000027_approval_workflow.up.sql
index ff858df..df202ae 100644
--- a/migrations/000027_approval_workflow.up.sql
+++ b/migrations/000027_approval_workflow.up.sql
@@ -1,6 +1,6 @@
 -- 000027_approval_workflow.up.sql
--- Rank 7 of the 2026-05-03 deep-research deliverable
--- (cowork/deep-research-results-2026-05-03.md Part 5). Two-person
+-- Rank 7 of the 2026-05-03 Infisical deep-research deliverable
+-- (cowork/infisical-deep-research-results.md Part 5). Two-person
 -- integrity / four-eyes principle for compliance-tier certificate
 -- issuance. CertificateProfile.RequiresApproval gates the renewal-
 -- loop entry; issuance_approval_requests captures the per-job
diff --git a/migrations/seed_demo.sql b/migrations/seed_demo.sql
index bd8beb4..6e8e91d 100644
--- a/migrations/seed_demo.sql
+++ b/migrations/seed_demo.sql
@@ -92,7 +92,7 @@ INSERT INTO deployment_targets (id, name, type, agent_id, config, enabled, creat
 ('tgt-traefik-prod', 'Traefik Production', 'Traefik', 'ag-k8s-prod', '{"watch_dir": "/etc/traefik/dynamic/certs"}', true, NOW() - INTERVAL '30 days', NOW()),
 ('tgt-caddy-prod', 'Caddy Production', 'Caddy', 'ag-edge-01', '{"mode": "api", "admin_url": "http://localhost:2019"}', true, NOW() - INTERVAL '45 days', NOW()),
 ('tgt-nginx-data', 'NGINX Data Services', 'NGINX', 'ag-data-prod', '{"cert_path": "/etc/nginx/ssl/cert.pem", "key_path": "/etc/nginx/ssl/key.pem", "reload_command": "nginx -s reload"}', true, NOW() - INTERVAL '90 days', NOW()),
- -- Rank 5 cloud target seed rows (2026-05-03 deep-research deliverable).
+ -- Rank 5 cloud target seed rows (2026-05-03 Infisical deep-research deliverable).
 -- AWS ACM and Azure Key Vault demo targets so QA can exercise the wiring
 -- end-to-end without standing up a real cloud account.
 ('tgt-aws-acm-prod', 'AWS ACM Production', 'AWSACM', 'ag-server', '{"region": "us-east-1", "tags": {"env": "production", "app": "api-gateway"}}', true, NOW() - INTERVAL '7 days', NOW()),