certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 18:41:30 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
shankar0123	21aeed4f4e	legal: addlicense headers + normalize legacy variants (Phase 0 RED-4) Phase 0 closure (Path B2, post-rewrite): addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1 SPDX header to every production Go file. Template: // Copyright 2026 certctl LLC. All rights reserved. // SPDX-License-Identifier: BUSL-1.1 Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding _test.go and /testdata/). Pre-sweep coverage was 22 / 338 (6.5%); post-sweep is 338 / 338 (100%). Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl` + `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a `Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1` is non-standard; the official SPDX identifier for Business Source License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the canonical form. Generated via: addlicense -c "certctl LLC" -y 2026 \ -f cowork/legal/copyright-header.tpl \ -ignore '/testdata/' -ignore '/_test.go' \ cmd/ internal/ Verification: find cmd internal -name '.go' -not -name '_test.go' \ -not -path '/testdata/' \ -exec grep -L '^// Copyright 2026 certctl LLC' {} \; \| wc -l Returns: 0 gofmt clean. Header additions are comments only, no compile impact. Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4	2026-05-13 21:23:35 +00:00
shankar0123	7cb453a336	chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4 Mechanical reformat. The new 'gofmt drift' CI step (added in ci-pipeline-cleanup Phase 4, commit `0f205a8`) surfaced 111 files with accumulated gofmt drift across cmd/, internal/, and deploy/test/. Each file's diff is gofmt-standard: whitespace adjustments, intra- group import sorting (alphabetical by import path within blank-line- separated groups), and struct-tag column alignment. No semantic changes — verified via 'git diff --ignore-all-space' which shows only the line-position deltas from import reordering. The gate stays in place after this commit. Going forward it catches gofmt drift at PR time.	2026-04-30 22:33:57 +00:00
shankar0123	1d6c7a0552	fix(bundle-6): Audit Integrity + Privacy — 3 audit findings closed Closes Audit-2026-04-25 H-008 (High), M-017 (Medium), M-022 (Medium). Hardens audit-trail tamper-resistance + minimizes PII leakage in one cohesive change, with both controls applying automatically and no operator action required at install time. What changed - internal/service/audit_redact.go (NEW) — RedactDetailsForAudit: * credentialKeys deny-list (api_key, password, _pem, eab_secret, ...) piiKeys deny-list (email, phone, ssn, name, address, ip_address, ...) * case-insensitive key match; recurses into nested maps + arrays * mutation-free; surfaces redacted_keys array for operator visibility * nil/empty input → nil out (preserves pre-Bundle-6 behaviour) - internal/service/audit.go — RecordEvent now routes details through RedactDetailsForAudit BEFORE marshaling. No call-site changes required. - internal/service/audit_redact_test.go (NEW) — full coverage: * credential keys (~30 entries) * PII keys (~20 entries) * nested maps + arrays * case-insensitivity * mutation-free invariant * JSON round-trip (catches type-assertion regressions) * scalar pass-through (no panic on int/bool/nil) - migrations/000018_audit_events_worm.up.sql (NEW) — DB-level WORM: * BEFORE UPDATE OR DELETE trigger raises check_violation with diagnostic citing the rationale + compliance-superuser hint * REVOKE UPDATE,DELETE ON audit_events FROM certctl (defence-in-depth) * REVOKE wrapped in pg_roles existence check so test fixtures without the certctl role stay idempotent - migrations/000018_audit_events_worm.down.sql (NEW) — clean teardown for dev resets; not for production use. - internal/repository/postgres/audit_worm_test.go (NEW, testcontainers, -short gated) — INSERT succeeds; UPDATE + DELETE fail with check_violation; second INSERT after blocked modification still succeeds (no trigger-state corruption). - docs/compliance.md — new section "Audit-Trail Integrity & Privacy (Bundle 6)" with verification psql snippet, compliance-superuser pattern (NOT auto-created), redactor before/after example, and a maintenance note for adding new credential keys. Compliance mapping - H-008 (CWE-532 Insertion of Sensitive Information into Log File) - M-017 (HIPAA Technical Safeguards §164.312(b) — audit controls) - M-022 (GDPR Art. 32 — data minimization) Threat model: TB-3 (audit log tampering), TB-1 (operator/orchestrator). Verification - go vet ./... → clean - go build ./... → clean - go test -short -count=1 ./... → all packages pass - go test -count=1 -run TestRedactDetailsForAudit ./internal/service/... → all pass - (testcontainers, gated by -short) audit_worm_test.go pins WORM contract - npx tsc --noEmit (web) → clean (no frontend changes) - python3 yaml.safe_load(api/openapi.yaml) → 89 paths Backward compatibility - Trigger applies forward only — existing rows unchanged. - nil/empty details from RecordEvent callers → nil out (preserves prior behaviour for the many existing call sites that pass nil). - Compliance superusers (provisioned out-of-band) bypass the trigger. Bundle 6 of the 2026-04-25 comprehensive audit.	2026-04-26 00:26:44 +00:00

shankar0123

21aeed4f4e

legal: addlicense headers + normalize legacy variants (Phase 0 RED-4)

Phase 0 closure (Path B2, post-rewrite):

addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:

  // Copyright 2026 certctl LLC. All rights reserved.
  // SPDX-License-Identifier: BUSL-1.1

Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).

Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.

Generated via:
  addlicense -c "certctl LLC" -y 2026 \
    -f cowork/legal/copyright-header.tpl \
    -ignore '**/testdata/**' -ignore '**/*_test.go' \
    cmd/ internal/

Verification:
  find cmd internal -name '*.go' -not -name '*_test.go' \
    -not -path '*/testdata/*' \
    -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l

  Returns: 0

gofmt clean. Header additions are comments only, no compile impact.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4

2026-05-13 21:23:35 +00:00

shankar0123

7cb453a336

chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

Mechanical reformat. The new 'gofmt drift' CI step (added in
ci-pipeline-cleanup Phase 4, commit 0f205a8) surfaced 111 files
with accumulated gofmt drift across cmd/, internal/, and deploy/test/.

Each file's diff is gofmt-standard: whitespace adjustments, intra-
group import sorting (alphabetical by import path within blank-line-
separated groups), and struct-tag column alignment. No semantic
changes — verified via 'git diff --ignore-all-space' which shows only
the line-position deltas from import reordering.

The gate stays in place after this commit. Going forward it catches
gofmt drift at PR time.

2026-04-30 22:33:57 +00:00

shankar0123

1d6c7a0552

fix(bundle-6): Audit Integrity + Privacy — 3 audit findings closed

Closes Audit-2026-04-25 H-008 (High), M-017 (Medium), M-022 (Medium).
Hardens audit-trail tamper-resistance + minimizes PII leakage in one
cohesive change, with both controls applying automatically and no
operator action required at install time.

What changed
- internal/service/audit_redact.go (NEW) — RedactDetailsForAudit:
    * credentialKeys deny-list (api_key, password, *_pem, eab_secret, ...)
    * piiKeys deny-list (email, phone, ssn, name, address, ip_address, ...)
    * case-insensitive key match; recurses into nested maps + arrays
    * mutation-free; surfaces redacted_keys array for operator visibility
    * nil/empty input → nil out (preserves pre-Bundle-6 behaviour)
- internal/service/audit.go — RecordEvent now routes details through
  RedactDetailsForAudit BEFORE marshaling. No call-site changes required.
- internal/service/audit_redact_test.go (NEW) — full coverage:
    * credential keys (~30 entries)
    * PII keys (~20 entries)
    * nested maps + arrays
    * case-insensitivity
    * mutation-free invariant
    * JSON round-trip (catches type-assertion regressions)
    * scalar pass-through (no panic on int/bool/nil)
- migrations/000018_audit_events_worm.up.sql (NEW) — DB-level WORM:
    * BEFORE UPDATE OR DELETE trigger raises check_violation with
      diagnostic citing the rationale + compliance-superuser hint
    * REVOKE UPDATE,DELETE ON audit_events FROM certctl (defence-in-depth)
    * REVOKE wrapped in pg_roles existence check so test fixtures
      without the certctl role stay idempotent
- migrations/000018_audit_events_worm.down.sql (NEW) — clean teardown
  for dev resets; not for production use.
- internal/repository/postgres/audit_worm_test.go (NEW, testcontainers,
  -short gated) — INSERT succeeds; UPDATE + DELETE fail with
  check_violation; second INSERT after blocked modification still
  succeeds (no trigger-state corruption).
- docs/compliance.md — new section "Audit-Trail Integrity & Privacy
  (Bundle 6)" with verification psql snippet, compliance-superuser
  pattern (NOT auto-created), redactor before/after example, and a
  maintenance note for adding new credential keys.

Compliance mapping
- H-008 (CWE-532 Insertion of Sensitive Information into Log File)
- M-017 (HIPAA Technical Safeguards §164.312(b) — audit controls)
- M-022 (GDPR Art. 32 — data minimization)

Threat model: TB-3 (audit log tampering), TB-1 (operator/orchestrator).

Verification
- go vet ./...                                → clean
- go build ./...                              → clean
- go test -short -count=1 ./...               → all packages pass
- go test -count=1 -run TestRedactDetailsForAudit ./internal/service/...
                                              → all pass
- (testcontainers, gated by -short) audit_worm_test.go pins WORM contract
- npx tsc --noEmit (web)                      → clean (no frontend changes)
- python3 yaml.safe_load(api/openapi.yaml)    → 89 paths

Backward compatibility
- Trigger applies forward only — existing rows unchanged.
- nil/empty details from RecordEvent callers → nil out (preserves prior
  behaviour for the many existing call sites that pass nil).
- Compliance superusers (provisioned out-of-band) bypass the trigger.

Bundle 6 of the 2026-04-25 comprehensive audit.

2026-04-26 00:26:44 +00:00

3 Commits