certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:01:32 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	21aeed4f4e	legal: addlicense headers + normalize legacy variants (Phase 0 RED-4) Phase 0 closure (Path B2, post-rewrite): addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1 SPDX header to every production Go file. Template: // Copyright 2026 certctl LLC. All rights reserved. // SPDX-License-Identifier: BUSL-1.1 Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding _test.go and /testdata/). Pre-sweep coverage was 22 / 338 (6.5%); post-sweep is 338 / 338 (100%). Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl` + `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a `Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1` is non-standard; the official SPDX identifier for Business Source License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the canonical form. Generated via: addlicense -c "certctl LLC" -y 2026 \ -f cowork/legal/copyright-header.tpl \ -ignore '/testdata/' -ignore '/_test.go' \ cmd/ internal/ Verification: find cmd internal -name '.go' -not -name '_test.go' \ -not -path '/testdata/' \ -exec grep -L '^// Copyright 2026 certctl LLC' {} \; \| wc -l Returns: 0 gofmt clean. Header additions are comments only, no compile impact. Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4	2026-05-13 21:23:35 +00:00
shankar0123	13b29ca1bd	fix(cert-export): satisfy staticcheck ST1022 on PKCS12CipherModernAES256 Production hardening II Phase 11 verification — golangci-lint v2.11.4 flagged the const PKCS12CipherModernAES256 doc comment with ST1022 (comments on exported identifiers should start with the identifier name). Reformatted to lead with the const name; same content. Reproduced clean: 0 issues across handler/, service/, connector/issuer/local/, api/router/, ratelimit/.	2026-04-30 05:22:10 +00:00
shankar0123	8cba794723	feat(cert-export): typed audit-action constants + has_private_key + cipher detail (Phase 7) Production hardening II Phase 7 — typify the cert-export audit emission. The pre-Phase-7 audit log carried inline strings ("export_pem" / "export_pkcs12"); this commit adds typed constants alongside via the split-emit pattern so operators get both back-compat with existing log analysers AND a stable typed grep target. NEW internal/service/export_audit_actions.go: - AuditActionCertExportPEM = "cert_export_pem" - AuditActionCertExportPEMWithKey = "cert_export_pem_with_key" (reserved for future bundle that adds key-bearing export; not emitted in V2) - AuditActionCertExportPKCS12 = "cert_export_pkcs12" - AuditActionCertExportFailed = "cert_export_failed" - PKCS12CipherModernAES256 = "AES-256-CBC-PBE2-SHA256" pinned string for the cipher detail (drift catches a future go-pkcs12 default change) Detail enrichment on both emission sites: - has_private_key (bool, V2 always false — cert-only export is the only V2 path; key-bearing export deferred to future bundle) - actor_kind ("user") - cipher (PKCS12 only — pinned to PKCS12CipherModernAES256) Split-emit pattern: each export emits BOTH the legacy bare action code AND the typed constant. Mirrors est.go::processEnrollment which emits both "est_simple_enroll" + "est_simple_enroll_success". Existing audit-log analysers that match by exact string "export_pem" keep working; new operator alerts can target the typed constant. Pre-commit verification: go build ./... clean; go test -short -count=1 green for service/.	2026-04-30 05:13:15 +00:00

Author

SHA1

Message

Date

shankar0123

21aeed4f4e

legal: addlicense headers + normalize legacy variants (Phase 0 RED-4)

Phase 0 closure (Path B2, post-rewrite):

addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:

  // Copyright 2026 certctl LLC. All rights reserved.
  // SPDX-License-Identifier: BUSL-1.1

Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).

Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.

Generated via:
  addlicense -c "certctl LLC" -y 2026 \
    -f cowork/legal/copyright-header.tpl \
    -ignore '**/testdata/**' -ignore '**/*_test.go' \
    cmd/ internal/

Verification:
  find cmd internal -name '*.go' -not -name '*_test.go' \
    -not -path '*/testdata/*' \
    -exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l

  Returns: 0

gofmt clean. Header additions are comments only, no compile impact.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4

2026-05-13 21:23:35 +00:00

shankar0123

13b29ca1bd

fix(cert-export): satisfy staticcheck ST1022 on PKCS12CipherModernAES256

Production hardening II Phase 11 verification — golangci-lint v2.11.4
flagged the const PKCS12CipherModernAES256 doc comment with ST1022
(comments on exported identifiers should start with the identifier
name). Reformatted to lead with the const name; same content.

Reproduced clean: 0 issues across handler/, service/,
connector/issuer/local/, api/router/, ratelimit/.

2026-04-30 05:22:10 +00:00

shankar0123

8cba794723

feat(cert-export): typed audit-action constants + has_private_key + cipher detail (Phase 7)

Production hardening II Phase 7 — typify the cert-export audit
emission. The pre-Phase-7 audit log carried inline strings
("export_pem" / "export_pkcs12"); this commit adds typed
constants alongside via the split-emit pattern so operators get
both back-compat with existing log analysers AND a stable typed
grep target.

NEW internal/service/export_audit_actions.go:
  - AuditActionCertExportPEM = "cert_export_pem"
  - AuditActionCertExportPEMWithKey = "cert_export_pem_with_key"
    (reserved for future bundle that adds key-bearing export; not
    emitted in V2)
  - AuditActionCertExportPKCS12 = "cert_export_pkcs12"
  - AuditActionCertExportFailed = "cert_export_failed"
  - PKCS12CipherModernAES256 = "AES-256-CBC-PBE2-SHA256" pinned
    string for the cipher detail (drift catches a future go-pkcs12
    default change)

Detail enrichment on both emission sites:
  - has_private_key (bool, V2 always false — cert-only export is
    the only V2 path; key-bearing export deferred to future bundle)
  - actor_kind ("user")
  - cipher (PKCS12 only — pinned to PKCS12CipherModernAES256)

Split-emit pattern: each export emits BOTH the legacy bare action
code AND the typed constant. Mirrors est.go::processEnrollment which
emits both "est_simple_enroll" + "est_simple_enroll_success".
Existing audit-log analysers that match by exact string "export_pem"
keep working; new operator alerts can target the typed constant.

Pre-commit verification: go build ./... clean; go test -short
-count=1 green for service/.

2026-04-30 05:13:15 +00:00

3 Commits