gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 12:21:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(signer): Hotfix #15 — gofmt comment-indent fix from Hotfix #13

Browse Source 
CI run on commit 03f0e08 failed:

  ::error::gofmt would reformat these files (run 'gofmt -w' locally):
  internal/crypto/signer/file_driver.go

Root cause:
  My Hotfix #13 (38f86bc, "go/path-injection in signer FileDriver")
  added an `assertCleanAbsPath` helper with a doc-comment numbered
  list. I used 3-space indent for the numbers ("   1. ...") and
  6-space indent for continuation lines ("      ...:") — gofmt's
  doc-comment formatter (Go 1.19+) standardized on 2-space indent
  for the bullet and 5-space for continuation, matching the
  position of text after "1. ". So all 5 list items + their
  continuations were off-by-one.

  This was undetectable in the sandbox during Hotfix #13's
  preparation because the Go toolchain wasn't installed —
  CLAUDE.md's pre-commit verification gate explicitly required
  `make verify` on workstation before push for that reason, and
  the commit body disclosed the gap. CI caught it.

Fix:
  Run `gofmt -w internal/crypto/signer/file_driver.go`. Pure
  formatting — no code changes, no behavior change. 22 lines
  reformatted (11 add + 11 remove) — every list-item line's
  leading whitespace adjusted by 1 column. Confirmed
  `gofmt -d` is now clean.

Verification (Go toolchain now wired in sandbox):
  Located the cached go1.25.10 toolchain at
    /sessions/.../.gomodcache/golang.org/toolchain@v0.0.1-go1.25.10.linux-arm64/bin
  Wired GOTOOLCHAIN=local + GOMODCACHE pointing at the cache,
  GOCACHE+GOTMPDIR on the root partition (larger free space).

  • gofmt -l internal/api/middleware/etag.go
                internal/crypto/signer/file_driver.go — clean
  • go vet ./internal/api/middleware/... ./internal/crypto/signer/... — exit 0
  • go test -short -count=1 ./internal/api/middleware/... — ok 0.241s
  • go test -short -count=1 ./internal/crypto/signer/... — ok 1.431s
  • staticcheck ./internal/api/middleware/... ./internal/crypto/signer/... — zero findings
  • All 48 CI guards pass

  Ground-truth: origin/master tip 03f0e08 verified via GitHub
  API BEFORE commit. Local is at 03f0e08 (operator pushed Hotfix
  #14); this commit lands directly on top.

Operator: the Go toolchain wiring is now established in the
sandbox session, so future Go-side hotfixes will run full
`go vet / go test / staticcheck` locally before commit (no
more "manual syntax inspection — Go not available" disclaimers
on Go-only changes).

Falsifiable proof for next CI run: gofmt check should pass —
no more "would reformat" output for file_driver.go.
This commit is contained in:
shankar0123
2026-05-14 19:21:10 +00:00
parent 03f0e08a77
commit b22cdb3405
1 changed files with 11 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/crypto/signer/file_driver.go
+11 -11
View File
@@ -332,17 +332,17 @@ func (d *FileDriver) Generate(ctx context.Context, alg Algorithm) (Signer, strin
// //
// Invariants enforced: // Invariants enforced:
// //
// 1. path is non-empty. // 1. path is non-empty.
// 2. path is absolute (the validateSafePath caller resolves // 2. path is absolute (the validateSafePath caller resolves
// filepath.Abs upstream; if we get a non-absolute path here, // filepath.Abs upstream; if we get a non-absolute path here,
// something downstream broke the contract). // something downstream broke the contract).
// 3. path is filepath.Clean'd (no trailing separators, no double // 3. path is filepath.Clean'd (no trailing separators, no double
// separators, no redundant "./"). // separators, no redundant "./").
// 4. path's slash-normalized segments contain no literal "..". // 4. path's slash-normalized segments contain no literal "..".
// 5. When safeRoot is non-empty: filepath.Rel(safeRoot, path) // 5. When safeRoot is non-empty: filepath.Rel(safeRoot, path)
// returns a non-"../*" result (path is at or below safeRoot in // returns a non-"../*" result (path is at or below safeRoot in
// the resolved-absolute-path tree). filepath.Rel is the // the resolved-absolute-path tree). filepath.Rel is the
// canonical CodeQL-recognized containment-check pattern. // canonical CodeQL-recognized containment-check pattern.
// //
// All of these are guaranteed by a successful validateSafePath // All of these are guaranteed by a successful validateSafePath
// upstream; this function exists purely so CodeQL sees the // upstream; this function exists purely so CodeQL sees the