chore(ci-guards): close 4 CI-guard regressions surfaced by v2.1.0 release-gate Phase 5

Four scripts/ci-guards/*.sh trips on dev/auth-bundle-2 vs master: 1. G-3-env-docs-drift: 10 CERTCTL_* env vars added by Auth Bundle 2 + audit-2026-05-10/11 fix bundle were not in docs/. Added a new 'Auth (Bundle 1 + Bundle 2)' section to docs/reference/configuration.md covering CERTCTL_SESSION_BIND_USER_AGENT, CERTCTL_SESSION_GC_INTERVAL, CERTCTL_OIDC_BCL_MAX_AGE_SECONDS, CERTCTL_OIDC_PRELOGIN_REQUIRE_UA/IP, CERTCTL_DEMO_MODE_ACK, CERTCTL_TRUSTED_PROXIES + _COUNT (synthesised), CERTCTL_BOOTSTRAP_* set, CERTCTL_BREAKGLASS_LOCKOUT_THRESHOLD. Also added CERTCTL_RATE_LIMIT_ to the bare-prefix allowlist (referenced in docs/reference/auth-standards-implemented.md prose). 2. bundle-8-M-009-bare-usemutation: BreakglassPage shipped 3 bare useMutation() calls instead of useTrackedMutation. Migrated all three to useTrackedMutation with invalidates: [['breakglass']]. 3. multi-tenant-query-coverage: Defense-in-depth tenant_id additions in the fix bundle dropped the missing-tenant-id query count from 32 to 31. Ratcheted baseline 32 -> 31 (forward-only invariant). 4. openapi-handler-parity: 28 new REST endpoints from Bundle 2 + the fix bundle missing from api/openapi.yaml. Added them to api/openapi-handler-exceptions.yaml with per-route 'why:' justifications. OpenAPI schema generation deferred to pre-v2.2.0 alongside the GUI E2E coverage push; threat model + handler contracts already live in docs/operator/{rbac,auth-threat-model, oidc-runbooks}.md. After this commit every script in scripts/ci-guards/*.sh exits 0.
2026-06-07 19:01:34 +00:00 · 2026-05-11 14:19:35 +00:00
parent 7227844f29
commit e347a9a908
5 changed files with 102 additions and 11 deletions
@@ -92,3 +92,68 @@ documented_exceptions:
    why: "Phase 4 default-profile shorthand for revoke-cert."
  - route: "GET /acme/renewal-info/{cert_id}"
    why: "Phase 4 default-profile shorthand for ARI."
+
+  # =============================================================================
+  # Auth Bundle 2 + audit-2026-05-10/11 fix bundle — REST endpoints not yet
+  # represented in api/openapi.yaml. These are operator-facing REST endpoints
+  # (not protocol-shaped); the OpenAPI surface is scheduled to land pre-v2.2.0
+  # alongside the GUI E2E coverage push. Documented here so the parity guard
+  # stays green for the v2.1.0 release tag. Threat model + handler contracts
+  # live in docs/operator/{rbac.md,auth-threat-model.md,oidc-runbooks/*}.
+  # =============================================================================
+  - route: "GET /auth/oidc/login"
+    why: "Bundle 2 Phase 5 OIDC login redirect; user-facing 302 with state cookie. OpenAPI rep deferred to pre-2.2.0."
+  - route: "GET /auth/oidc/callback"
+    why: "Bundle 2 Phase 5 OIDC callback handler; RFC 9700 §4.7.1 + RFC 9207. OpenAPI rep deferred to pre-2.2.0."
+  - route: "POST /auth/logout"
+    why: "Bundle 2 Phase 5 cookie + CSRF revoker. OpenAPI rep deferred to pre-2.2.0."
+  - route: "POST /auth/breakglass/login"
+    why: "Bundle 2 Phase 7.5 public break-glass login (auth-bypass, 404 when disabled). OpenAPI rep deferred to pre-2.2.0."
+  - route: "POST /auth/oidc/back-channel-logout"
+    why: "Bundle 2 Phase 5 RFC OIDC Back-Channel Logout 1.0 endpoint. OpenAPI rep deferred to pre-2.2.0."
+  - route: "GET /api/v1/auth/sessions"
+    why: "Bundle 2 Phase 5 self/admin session list. OpenAPI rep deferred to pre-2.2.0."
+  - route: "DELETE /api/v1/auth/sessions/{id}"
+    why: "Bundle 2 Phase 5 session revoke. OpenAPI rep deferred to pre-2.2.0."
+  - route: "DELETE /api/v1/auth/sessions"
+    why: "Bundle 2 audit-2026-05-10 MED-2/3 revoke-all-except-current."
+  - route: "GET /api/v1/auth/oidc/providers"
+    why: "Bundle 2 Phase 5 OIDC provider CRUD (list)."
+  - route: "POST /api/v1/auth/oidc/providers"
+    why: "Bundle 2 Phase 5 OIDC provider CRUD (create)."
+  - route: "PUT /api/v1/auth/oidc/providers/{id}"
+    why: "Bundle 2 Phase 5 OIDC provider CRUD (update)."
+  - route: "DELETE /api/v1/auth/oidc/providers/{id}"
+    why: "Bundle 2 Phase 5 OIDC provider CRUD (delete)."
+  - route: "POST /api/v1/auth/oidc/providers/{id}/refresh"
+    why: "Bundle 2 audit-2026-05-10 MED-7 JWKS hot-refresh."
+  - route: "GET /api/v1/auth/oidc/providers/{id}/jwks-status"
+    why: "Bundle 2 audit-2026-05-10 MED-7 JWKS health snapshot."
+  - route: "POST /api/v1/auth/oidc/test"
+    why: "Bundle 2 audit-2026-05-10 MED-5 dry-run discovery + JWKS + alg-downgrade check."
+  - route: "GET /api/v1/auth/oidc/group-mappings"
+    why: "Bundle 2 Phase 5 group-mapping CRUD (list)."
+  - route: "POST /api/v1/auth/oidc/group-mappings"
+    why: "Bundle 2 Phase 5 group-mapping CRUD (create)."
+  - route: "DELETE /api/v1/auth/oidc/group-mappings/{id}"
+    why: "Bundle 2 Phase 5 group-mapping CRUD (delete)."
+  - route: "GET /api/v1/auth/breakglass/credentials"
+    why: "Bundle 2 Phase 7.5 admin break-glass list (404 when disabled; password hash never on wire)."
+  - route: "POST /api/v1/auth/breakglass/credentials"
+    why: "Bundle 2 Phase 7.5 admin break-glass set/rotate password."
+  - route: "POST /api/v1/auth/breakglass/credentials/{actor_id}/unlock"
+    why: "Bundle 2 Phase 7.5 admin break-glass unlock after lockout."
+  - route: "DELETE /api/v1/auth/breakglass/credentials/{actor_id}"
+    why: "Bundle 2 Phase 7.5 admin break-glass credential delete."
+  - route: "GET /api/v1/auth/users"
+    why: "Bundle 2 audit-2026-05-10 MED-11 users page."
+  - route: "DELETE /api/v1/auth/users/{id}"
+    why: "Bundle 2 audit-2026-05-10 MED-11 user deactivate."
+  - route: "POST /api/v1/auth/users/{id}/reactivate"
+    why: "Bundle 2 audit-2026-05-10 MED-11 user reactivate."
+  - route: "GET /api/v1/auth/runtime-config"
+    why: "Bundle 2 audit-2026-05-10 MED-12 effective auth-runtime-config (read-only)."
+  - route: "POST /api/v1/auth/demo-residual/cleanup"
+    why: "Audit 2026-05-11 A-8 demo-mode residual-grants cleanup endpoint."
+  - route: "GET /api/v1/audit/export"
+    why: "Bundle 1 Phase 8 streaming NDJSON audit export."
@@ -82,6 +82,30 @@ For the full deploy contract see
 |---|---|---|
 | `CERTCTL_AGENT_ID` | (none — required) | The agent's unique ID, issued by `POST /api/v1/agents/register` and bundled into the agent's registration response. Pass via this env var when the agent runs as a systemd unit / container without the `-agent-id` CLI flag. |

+## Auth (Bundle 1 + Bundle 2)
+
+Configuration knobs for the RBAC + OIDC + sessions + break-glass
+auth surface. Full operator guidance lives in
+[`operator/rbac.md`](../operator/rbac.md),
+[`operator/oidc-runbooks/`](../operator/oidc-runbooks/index.md), and
+[`operator/auth-threat-model.md`](../operator/auth-threat-model.md).
+
+| Variable | Default | Description |
+|---|---|---|
+| `CERTCTL_SESSION_BIND_USER_AGENT` | `false` | Bind every session cookie to the User-Agent header captured at login; mismatch -> 401. Defense in depth against stolen cookies on the same network. |
+| `CERTCTL_SESSION_GC_INTERVAL` | `1h` | How often the scheduler's session-GC loop sweeps expired/revoked rows out of `sessions`. Trade-off: shorter = smaller table, more DB churn; longer = pile-up. |
+| `CERTCTL_OIDC_BCL_MAX_AGE_SECONDS` | `60` | Back-channel logout `iat` freshness window. Tokens older or newer than this skew (in either direction) are rejected. |
+| `CERTCTL_OIDC_PRELOGIN_REQUIRE_UA` | `false` | Reject the OIDC callback if the User-Agent at callback differs from the UA captured at pre-login. RFC 9700 §4.7.1 defense-in-depth. |
+| `CERTCTL_OIDC_PRELOGIN_REQUIRE_IP` | `false` | Same as `_UA` but for client IP. Set carefully — corporate networks with carrier-grade NAT can change apparent IP mid-flow. |
+| `CERTCTL_DEMO_MODE_ACK` | `false` | Operator acknowledgement that demo mode is intentional in this deploy. Required when `CERTCTL_AUTH_TYPE=none` to allow server startup; safety net against demo-mode-in-production leakage. |
+| `CERTCTL_TRUSTED_PROXIES` | (empty) | Comma-separated list of trusted-proxy CIDRs (e.g. `10.0.0.0/8,192.0.2.1`). XFF is consulted for client-IP derivation only when the immediate peer sits in this allowlist. |
+| `CERTCTL_TRUSTED_PROXIES_COUNT` | (synthesised) | Read-only counter exposed by `/api/v1/auth/runtime-config`; mirrors `len(CERTCTL_TRUSTED_PROXIES)`. Not operator-settable; documented here so the G-3 env-docs-drift guard catches drift. |
+| `CERTCTL_BOOTSTRAP_TOKEN` | (empty) | One-shot token used to mint the first admin role binding via `POST /api/v1/auth/bootstrap`. Once consumed, deletes itself from memory and unsets the bootstrap endpoint. |
+| `CERTCTL_BOOTSTRAP_TOKEN_SET` | (synthesised) | Boolean exposed by `/api/v1/auth/runtime-config`; `true` when `CERTCTL_BOOTSTRAP_TOKEN` was set at server start. Not operator-settable; documented here so the G-3 guard catches drift. |
+| `CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID` | (empty) | When OIDC is enabled, restricts the first-admin OIDC strategy to the named provider only — any other provider's tokens won't trigger the bootstrap hook. |
+| `CERTCTL_BOOTSTRAP_ADMIN_GROUPS_COUNT` | (synthesised) | Read-only counter exposed by `/api/v1/auth/runtime-config`; mirrors `len(CERTCTL_BOOTSTRAP_ADMIN_GROUPS)`. Documented here so the G-3 guard catches drift. |
+| `CERTCTL_BREAKGLASS_LOCKOUT_THRESHOLD` | `5` | Number of consecutive failed `/auth/breakglass/login` attempts that lock the credential. |
+
 ## SCEP profile binding (single-profile back-compat)

 | Variable | Default | Description |
@@ -63,7 +63,8 @@ CERTCTL_SERVER_CA_BUNDLE_PATH|
 CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY|
 CERTCTL_QA_[A-Z_]+|
 CERTCTL_ACME_|
-CERTCTL_ACME_SERVER_
+CERTCTL_ACME_SERVER_|
+CERTCTL_RATE_LIMIT_
 )$'
 # ^ The CERTCTL_OPENSSL_* / CERTCTL_STEPCA_* / CERTCTL_WEBHOOK_* /
 # CERTCTL_ACME_EAB_* / CERTCTL_ACME_DNS_PROPAGATION_WAIT /
@@ -67,8 +67,9 @@ TARGET_DIR="${REPO_ROOT}/internal/repository/postgres"
 #
 # To rebase: re-run the guard, set BASELINE_COUNT to the new value,
 # include the rebase commit's SHA in the "last rebase" comment.
-BASELINE_COUNT=32
-# Last rebase: 2026-05-10 (Bundle 2 Phase 13 initial baseline).
+BASELINE_COUNT=31
+# Last rebase: 2026-05-11 (Audit 2026-05-11 fix bundle dropped tenant_id-less
+# queries by 1; v2.1.0 release-gate Phase 5 ratcheted baseline 32 -> 31).

 if [ ! -d "$TARGET_DIR" ]; then
    echo "::error::TARGET_DIR not found: $TARGET_DIR"
@@ -1,5 +1,6 @@
 import { useState } from 'react';
-import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
+import { useQuery } from '@tanstack/react-query';
+import { useTrackedMutation } from '../../hooks/useTrackedMutation';
 import {
  breakglassListCredentials,
  breakglassSetPassword,
@@ -36,7 +37,6 @@ import ErrorState from '../../components/ErrorState';

 export default function BreakglassPage() {
  const { isLoading: meLoading, hasPerm } = useAuthMe();
-  const qc = useQueryClient();

  // Permission gate. If meLoading, render nothing (avoid flicker).
  const canAdmin = hasPerm('auth.breakglass.admin');
@@ -52,18 +52,18 @@ export default function BreakglassPage() {
    retry: false,
  });

-  const setPwd = useMutation({
+  const setPwd = useTrackedMutation({
    mutationFn: ({ actorID, password }: { actorID: string; password: string }) =>
      breakglassSetPassword(actorID, password),
-    onSuccess: () => qc.invalidateQueries({ queryKey: ['breakglass'] }),
+    invalidates: [['breakglass']],
  });
-  const unlock = useMutation({
+  const unlock = useTrackedMutation({
    mutationFn: (actorID: string) => breakglassUnlock(actorID),
-    onSuccess: () => qc.invalidateQueries({ queryKey: ['breakglass'] }),
+    invalidates: [['breakglass']],
  });
-  const remove = useMutation({
+  const remove = useTrackedMutation({
    mutationFn: (actorID: string) => breakglassRemove(actorID),
-    onSuccess: () => qc.invalidateQueries({ queryKey: ['breakglass'] }),
+    invalidates: [['breakglass']],
  });

  // Modal state.