feat(m28+m29+m30): ACME ARI, email digest, and Helm chart

M28: ACME Renewal Information (RFC 9702) — CA-directed renewal timing with cert ID computation, directory endpoint discovery, graceful degradation for non-ARI CAs. 19 tests. M29: Email notifier wiring + scheduled certificate digest — SMTP connector bridged to service layer via NotifierAdapter, DigestService with HTML email template, 7th scheduler loop (24h), digest preview/send API endpoints and GUI card. 21 tests. M30: Production-ready Helm chart — server Deployment, PostgreSQL StatefulSet, agent DaemonSet, ConfigMaps, Secrets, Ingress, security contexts, health probes, example values for dev/prod/ACME scenarios. Also: OpenAPI spec updates, MCP tool additions, CI helm-lint job, documentation updates across 5 doc files and README. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-14 16:58:58 +00:00 · 2026-03-28 21:18:35 -04:00
parent cb2ef9d0e7
commit ec21c9bb29
61 changed files with 6106 additions and 27 deletions
@@ -13,16 +13,19 @@ import (

 // mockConnectorLayerIssuer is a test implementation of issuer.Connector
 type mockConnectorLayerIssuer struct {
-	issueResult   *issuer.IssuanceResult
-	issueErr      error
-	renewResult   *issuer.IssuanceResult
-	renewErr      error
-	lastIssueReq  *issuer.IssuanceRequest
-	lastRenewReq  *issuer.RenewalRequest
-	validateErr   error
-	revokeErr     error
-	orderStatusErr error
-	orderStatus   *issuer.OrderStatus
+	issueResult        *issuer.IssuanceResult
+	issueErr           error
+	renewResult        *issuer.IssuanceResult
+	renewErr           error
+	lastIssueReq       *issuer.IssuanceRequest
+	lastRenewReq       *issuer.RenewalRequest
+	validateErr        error
+	revokeErr          error
+	orderStatusErr     error
+	orderStatus        *issuer.OrderStatus
+	renewalInfoResult  *issuer.RenewalInfoResult
+	renewalInfoErr     error
+	renewalInfoNil     bool // flag to force nil result
 }

 func (m *mockConnectorLayerIssuer) ValidateConfig(ctx context.Context, config json.RawMessage) error {
@@ -100,6 +103,23 @@ func (m *mockConnectorLayerIssuer) GetCACertPEM(ctx context.Context) (string, er
 	return "-----BEGIN CERTIFICATE-----\nmock-ca-cert\n-----END CERTIFICATE-----", nil
 }

+func (m *mockConnectorLayerIssuer) GetRenewalInfo(ctx context.Context, certPEM string) (*issuer.RenewalInfoResult, error) {
+	if m.renewalInfoErr != nil {
+		return nil, m.renewalInfoErr
+	}
+	if m.renewalInfoNil {
+		return nil, nil
+	}
+	if m.renewalInfoResult != nil {
+		return m.renewalInfoResult, nil
+	}
+	now := time.Now()
+	return &issuer.RenewalInfoResult{
+		SuggestedWindowStart: now,
+		SuggestedWindowEnd:   now.Add(7 * 24 * time.Hour),
+	}, nil
+}
+
 // Tests for IssueCertificate

 func TestIssuerConnectorAdapter_IssueCertificate_Success(t *testing.T) {
@@ -527,3 +547,102 @@ func TestIssuerConnectorAdapter_SignOCSPResponse_Unknown(t *testing.T) {

 	t.Log("OCSP response for unknown cert signed via adapter")
 }
+
+// Tests for GetRenewalInfo
+
+func TestIssuerConnectorAdapter_GetRenewalInfo_Success(t *testing.T) {
+	ctx := context.Background()
+
+	mock := &mockConnectorLayerIssuer{}
+	adapter := NewIssuerConnectorAdapter(mock)
+
+	testCertPEM := "-----BEGIN CERTIFICATE-----\ntest-cert\n-----END CERTIFICATE-----"
+
+	result, err := adapter.GetRenewalInfo(ctx, testCertPEM)
+
+	if err != nil {
+		t.Fatalf("GetRenewalInfo failed: %v", err)
+	}
+
+	if result == nil {
+		t.Fatal("expected non-nil result")
+	}
+
+	if result.SuggestedWindowStart.IsZero() {
+		t.Error("SuggestedWindowStart should not be zero")
+	}
+
+	if result.SuggestedWindowEnd.IsZero() {
+		t.Error("SuggestedWindowEnd should not be zero")
+	}
+
+	if result.SuggestedWindowEnd.Before(result.SuggestedWindowStart) {
+		t.Error("SuggestedWindowEnd should be after SuggestedWindowStart")
+	}
+}
+
+func TestIssuerConnectorAdapter_GetRenewalInfo_Nil(t *testing.T) {
+	ctx := context.Background()
+
+	mock := &mockConnectorLayerIssuer{
+		renewalInfoNil: true,
+	}
+
+	adapter := NewIssuerConnectorAdapter(mock)
+
+	result, err := adapter.GetRenewalInfo(ctx, "test-cert-pem")
+
+	if err != nil {
+		t.Fatalf("GetRenewalInfo failed: %v", err)
+	}
+
+	if result != nil {
+		t.Error("expected nil result when underlying connector returns nil")
+	}
+}
+
+func TestIssuerConnectorAdapter_GetRenewalInfo_ResultTranslation(t *testing.T) {
+	ctx := context.Background()
+	now := time.Now()
+	windowStart := now
+	windowEnd := now.Add(24 * time.Hour)
+	retryAfter := now.Add(1 * time.Hour)
+	explanationURL := "https://example.com/renewal-info"
+
+	mock := &mockConnectorLayerIssuer{
+		renewalInfoResult: &issuer.RenewalInfoResult{
+			SuggestedWindowStart: windowStart,
+			SuggestedWindowEnd:   windowEnd,
+			RetryAfter:           retryAfter,
+			ExplanationURL:       explanationURL,
+		},
+	}
+
+	adapter := NewIssuerConnectorAdapter(mock)
+
+	result, err := adapter.GetRenewalInfo(ctx, "test-cert-pem")
+
+	if err != nil {
+		t.Fatalf("GetRenewalInfo failed: %v", err)
+	}
+
+	if result == nil {
+		t.Fatal("expected non-nil result")
+	}
+
+	if !result.SuggestedWindowStart.Equal(windowStart) {
+		t.Errorf("expected SuggestedWindowStart %v, got %v", windowStart, result.SuggestedWindowStart)
+	}
+
+	if !result.SuggestedWindowEnd.Equal(windowEnd) {
+		t.Errorf("expected SuggestedWindowEnd %v, got %v", windowEnd, result.SuggestedWindowEnd)
+	}
+
+	if !result.RetryAfter.Equal(retryAfter) {
+		t.Errorf("expected RetryAfter %v, got %v", retryAfter, result.RetryAfter)
+	}
+
+	if result.ExplanationURL != explanationURL {
+		t.Errorf("expected ExplanationURL %s, got %s", explanationURL, result.ExplanationURL)
+	}
+}