certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 17:02:43 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
shankar0123	8908c8ff5c	web, docs: IssuerHierarchyPage + sysadmin runbook + connectors row (Rank 8 commit 5) Final commit of the 5-commit Rank 8 chain. Operator-facing surface on top of the service + handler layers shipped in commits 1-4. Frontend (web/src): - api/client.ts: 3 new functions + IntermediateCA interface (listIntermediateCAs, getIntermediateCA, retireIntermediateCA). - pages/IssuerHierarchyPage.tsx: recursive nested <ul> render of the hierarchy tree at /issuers/:id/hierarchy. buildHierarchyTree is a pure helper that walks the flat list and groups children on parent_ca_id; the dendrogram view is parking-lot work tracked in WORKSPACE-ROADMAP. Two-phase retire UX surfaces 'Retire…' then 'Confirm retire (terminal)' when the row is in retiring state. Admin gate is enforced at the API; the page renders the backend's 403 as ErrorState for non-admin callers. - main.tsx: register the new /issuers/:id/hierarchy route. CI guard update: - scripts/ci-guards/T-1-frontend-page-coverage.sh: add IssuerHierarchyPage to the deferred-test allowlist with the standard 'why deferred' comment. Admin-gate + recursive build semantics are already pinned at the backend layer (intermediate_ca_test.go service tests + intermediate_ca_test.go handler triplet). Vitest test deferred until next feature change touches the page. Docs: - docs/intermediate-ca-hierarchy.md: new operator runbook covering: Concepts (HierarchyMode 'single' vs 'tree', defense-in-depth on key bytes never persisting on rows). Lifecycle states + drain-first semantics (active → retiring → retired with active-children gate). Three deployment patterns: 4-level FedRAMP boundary CA, 3-level financial-services policy CA, 2-level internal PKI. RFC 5280 enforcement (§3.2 self-signed, §4.2.1.9 path-length tightening, §4.2.1.10 NameConstraints subset). Migration from single → tree using the load-bearing TestLocal_HierarchyMode_SingleVsTree_ByteIdentical pin as the canary. API reference + observability (IntermediateCAMetrics Prometheus exposure). Known limitations + Rank-8 follow-on roadmap. - docs/connectors.md: extend the Built-in Local CA section with a 'Tree mode (Rank 8)' paragraph describing the new chain assembly path + cross-link to docs/intermediate-ca-hierarchy.md. Roadmap: - WORKSPACE-ROADMAP.md: 5 follow-on items under a new 'Intermediate CA hierarchy extensions (Rank 8 V2 follow-ons)' bullet block: HSM-backed roots (PKCS#11 / cloud KMS drivers via existing signer.Driver interface — no service-layer change needed). Automated CA rotation (parallel-validity windows ahead of expiry). Intra-hierarchy CRL chaining (per-CA CRL endpoints stitched at issue time). NameConstraints policy templates (FedRAMP / financial / internal PKI declarative templates instead of hand-rolled JSON). D3 dendrogram visualization (separate page so the existing list view stays the default + the dep stays opt-in). Verified locally: gofmt: clean. go vet ./...: exit 0. tsc --noEmit (web/): exit 0 (no TypeScript errors). go test -short -count=1 ./internal/api/handler/... + service + local: ok across all three packages, 4-5s each. All 24 CI guards: clean (T-1 frontend-page-coverage with the new IssuerHierarchyPage allowlist entry; openapi-handler-parity, M-008 admin-gate, every other guard untouched). Rank 8 chain complete: `66d2af3` domain, migrations: IntermediateCA type + intermediate_cas + Issuer.HierarchyMode (commit 1) `fb54ebc` service: IntermediateCAService + IntermediateCAMetrics + RFC 5280 enforcement (commit 2) `62523fb` service: 10 IntermediateCAService tests + in-memory fake repo (commit 2.5) `ae597f7` local: tree-mode chain assembly + byte-equivalence pin (commit 3 — load-bearing backwards-compat refuse-to-ship pin in TestLocal_HierarchyMode_SingleVsTree_ByteIdentical) `34adcfb` api, handler: 4 admin-gated CA hierarchy endpoints + OpenAPI (commit 4) HEAD web, docs: IssuerHierarchyPage + sysadmin runbook + connectors row (this commit) Reference: cowork/rank-8-intermediate-ca-hierarchy-prompt.md, commit 5.	2026-05-04 02:33:48 +00:00
shankar0123	1caedd5fd3	ci-pipeline-cleanup Phase 1: extract 20 regression guards to scripts/ci-guards/ Bundle: ci-pipeline-cleanup, Phase 1. Pure relocation — no behavior change. Each guard's bash logic is byte-identical to the prior inline version; the only changes are: (a) the guard becomes a sibling script under scripts/ci-guards/<id>.sh, (b) ci.yml's per-guard step is replaced by a single loop step that iterates all scripts. 20 scripts extracted (alphabetized): B-1-orphan-crud.sh, D-1-D-2-statusbadge-phantom.sh, G-1-jwt-auth-literal.sh, G-2-api-key-hash-json.sh, G-3-env-docs-drift.sh, H-001-bare-from.sh, H-009-readme-jwt.sh, L-001-insecure-skip-verify.sh, L-1-bulk-action-loop.sh, M-012-no-root-user.sh, P-1-documented-orphan-fns.sh, S-1-hardcoded-source-counts.sh, S-2-strings-contains-err.sh, T-1-frontend-page-coverage.sh, U-2-plaintext-healthcheck.sh, U-3-migration-mount.sh, bundle-8-L-015-target-blank-rel-noopener.sh, bundle-8-L-019-dangerously-set-inner-html.sh, bundle-8-M-009-bare-usemutation.sh, test-naming-convention.sh Plus scripts/ci-guards/README.md documenting the contract: - Each script must exit 0 on clean repo, non-zero with ::error:: prefix on regression - Runnable from repo root via 'bash scripts/ci-guards/<id>.sh' - Adding a new guard: drop a new <id>.sh; CI auto-picks it up ci.yml dropped 1488 → 557 lines (-931, -63%). Single CI loop step now collects ALL guard failures before failing the build instead of fail-fast — UX win for regressions that hit two guards at once. Two guards (QA-doc Part-count + seed-count, ci.yml lines 868-917) deliberately NOT extracted — they move to 'make verify-docs' in Phase 11 because they protect docs-the-operator-reads, not the product itself. Verification (sandbox): - All 20 scripts pass against HEAD (chmod +x; for g in scripts/ci-guards/*.sh; do bash $g; done) - New ci.yml YAML-parses cleanly - Job boundaries preserved: go-build-and-test, frontend-build, helm-lint, deploy-vendor-e2e, deploy-vendor-e2e-windows - Loop step appears twice (once at end of go-build-and-test, once at end of frontend-build) so both jobs continue running their set of guards	2026-04-30 20:36:26 +00:00

shankar0123

8908c8ff5c

web, docs: IssuerHierarchyPage + sysadmin runbook + connectors row (Rank 8 commit 5)

Final commit of the 5-commit Rank 8 chain. Operator-facing surface
on top of the service + handler layers shipped in commits 1-4.

Frontend (web/src):
  - api/client.ts: 3 new functions + IntermediateCA interface
    (listIntermediateCAs, getIntermediateCA, retireIntermediateCA).
  - pages/IssuerHierarchyPage.tsx: recursive nested <ul> render of
    the hierarchy tree at /issuers/:id/hierarchy. buildHierarchyTree
    is a pure helper that walks the flat list and groups children
    on parent_ca_id; the dendrogram view is parking-lot work tracked
    in WORKSPACE-ROADMAP. Two-phase retire UX surfaces 'Retire…'
    then 'Confirm retire (terminal)' when the row is in retiring
    state. Admin gate is enforced at the API; the page renders the
    backend's 403 as ErrorState for non-admin callers.
  - main.tsx: register the new /issuers/:id/hierarchy route.

CI guard update:
  - scripts/ci-guards/T-1-frontend-page-coverage.sh: add
    IssuerHierarchyPage to the deferred-test allowlist with the
    standard 'why deferred' comment. Admin-gate + recursive build
    semantics are already pinned at the backend layer
    (intermediate_ca_test.go service tests + intermediate_ca_test.go
    handler triplet). Vitest test deferred until next feature
    change touches the page.

Docs:
  - docs/intermediate-ca-hierarchy.md: new operator runbook
    covering:
      Concepts (HierarchyMode 'single' vs 'tree', defense-in-depth
        on key bytes never persisting on rows).
      Lifecycle states + drain-first semantics
        (active → retiring → retired with active-children gate).
      Three deployment patterns: 4-level FedRAMP boundary CA,
        3-level financial-services policy CA, 2-level internal
        PKI.
      RFC 5280 enforcement (§3.2 self-signed, §4.2.1.9 path-length
        tightening, §4.2.1.10 NameConstraints subset).
      Migration from single → tree using the load-bearing
        TestLocal_HierarchyMode_SingleVsTree_ByteIdentical pin as
        the canary.
      API reference + observability (IntermediateCAMetrics
        Prometheus exposure).
      Known limitations + Rank-8 follow-on roadmap.

  - docs/connectors.md: extend the Built-in Local CA section with
    a 'Tree mode (Rank 8)' paragraph describing the new chain
    assembly path + cross-link to docs/intermediate-ca-hierarchy.md.

Roadmap:
  - WORKSPACE-ROADMAP.md: 5 follow-on items under a new
    'Intermediate CA hierarchy extensions (Rank 8 V2 follow-ons)'
    bullet block:
      HSM-backed roots (PKCS#11 / cloud KMS drivers via existing
        signer.Driver interface — no service-layer change needed).
      Automated CA rotation (parallel-validity windows ahead of
        expiry).
      Intra-hierarchy CRL chaining (per-CA CRL endpoints stitched
        at issue time).
      NameConstraints policy templates (FedRAMP / financial /
        internal PKI declarative templates instead of hand-rolled
        JSON).
      D3 dendrogram visualization (separate page so the existing
        list view stays the default + the dep stays opt-in).

Verified locally:
  gofmt: clean.
  go vet ./...: exit 0.
  tsc --noEmit (web/): exit 0 (no TypeScript errors).
  go test -short -count=1 ./internal/api/handler/... + service +
    local: ok across all three packages, 4-5s each.
  All 24 CI guards: clean
    (T-1 frontend-page-coverage with the new
     IssuerHierarchyPage allowlist entry; openapi-handler-parity,
     M-008 admin-gate, every other guard untouched).

Rank 8 chain complete:
  66d2af3  domain, migrations: IntermediateCA type + intermediate_cas
           + Issuer.HierarchyMode (commit 1)
  fb54ebc  service: IntermediateCAService + IntermediateCAMetrics
           + RFC 5280 enforcement (commit 2)
  62523fb  service: 10 IntermediateCAService tests + in-memory fake
           repo (commit 2.5)
  ae597f7  local: tree-mode chain assembly + byte-equivalence pin
           (commit 3 — load-bearing backwards-compat refuse-to-ship
           pin in TestLocal_HierarchyMode_SingleVsTree_ByteIdentical)
  34adcfb  api, handler: 4 admin-gated CA hierarchy endpoints +
           OpenAPI (commit 4)
  HEAD     web, docs: IssuerHierarchyPage + sysadmin runbook +
           connectors row (this commit)

Reference: cowork/rank-8-intermediate-ca-hierarchy-prompt.md, commit 5.

2026-05-04 02:33:48 +00:00

shankar0123

1caedd5fd3

ci-pipeline-cleanup Phase 1: extract 20 regression guards to scripts/ci-guards/

Bundle: ci-pipeline-cleanup, Phase 1.

Pure relocation — no behavior change. Each guard's bash logic is
byte-identical to the prior inline version; the only changes are:
(a) the guard becomes a sibling script under scripts/ci-guards/<id>.sh,
(b) ci.yml's per-guard step is replaced by a single loop step that
iterates all scripts.

20 scripts extracted (alphabetized):
  B-1-orphan-crud.sh, D-1-D-2-statusbadge-phantom.sh,
  G-1-jwt-auth-literal.sh, G-2-api-key-hash-json.sh,
  G-3-env-docs-drift.sh, H-001-bare-from.sh, H-009-readme-jwt.sh,
  L-001-insecure-skip-verify.sh, L-1-bulk-action-loop.sh,
  M-012-no-root-user.sh, P-1-documented-orphan-fns.sh,
  S-1-hardcoded-source-counts.sh, S-2-strings-contains-err.sh,
  T-1-frontend-page-coverage.sh, U-2-plaintext-healthcheck.sh,
  U-3-migration-mount.sh, bundle-8-L-015-target-blank-rel-noopener.sh,
  bundle-8-L-019-dangerously-set-inner-html.sh,
  bundle-8-M-009-bare-usemutation.sh, test-naming-convention.sh

Plus scripts/ci-guards/README.md documenting the contract:
- Each script must exit 0 on clean repo, non-zero with ::error::
  prefix on regression
- Runnable from repo root via 'bash scripts/ci-guards/<id>.sh'
- Adding a new guard: drop a new <id>.sh; CI auto-picks it up

ci.yml dropped 1488 → 557 lines (-931, -63%).

Single CI loop step now collects ALL guard failures before failing
the build instead of fail-fast — UX win for regressions that hit
two guards at once.

Two guards (QA-doc Part-count + seed-count, ci.yml lines 868-917)
deliberately NOT extracted — they move to 'make verify-docs' in
Phase 11 because they protect docs-the-operator-reads, not the
product itself.

Verification (sandbox):
- All 20 scripts pass against HEAD (chmod +x; for g in scripts/ci-guards/*.sh; do bash $g; done)
- New ci.yml YAML-parses cleanly
- Job boundaries preserved: go-build-and-test, frontend-build,
  helm-lint, deploy-vendor-e2e, deploy-vendor-e2e-windows
- Loop step appears twice (once at end of go-build-and-test, once
  at end of frontend-build) so both jobs continue running their
  set of guards

2026-04-30 20:36:26 +00:00

2 Commits