Two CI guards on origin/master failed against the Sprint-12 commit
(30940108) because they didn't know about new files introduced by
earlier Phase 9 sprints. Both are pure mechanical relocation
fall-out — no actual regression in functionality.
1. scripts/ci-guards/no-new-synthetic-admin.sh — A-8 guard
====================================================================
Sprint 5 (commit 51f9cf13) extracted the Auth-family from
internal/config/config.go to internal/config/auth.go. The 4
'actor-demo-anon' references moved with the Auth-family code:
- Line 255: 'actor-demo-anon is wired with AdminKey=true'
documentation comment alongside the AdminKey wiring narrative.
- Lines 283/289/293: residual-grants detector + cleanup SQL
examples explaining why 'ar-demo-anon-admin' is reserved.
These are the SAME comments that were previously in config.go (which
IS in the allowlist), just relocated to the new sibling file. The
references were always present in the codebase; the A-8 guard was
just unaware of the new file location.
Fix: add './internal/config/auth.go' to the ALLOWLIST with a rationale
comment pointing at commit 51f9cf13.
Local verification: A-8 guard PASS — actor-demo-anon references
confined to the declared 19-entry allowlist (was 18, now 19).
2. internal/ciparity/surface_parity_test.go — mcpToolFiles list
====================================================================
Sprint 10 (commit fbe053aa) split internal/mcp/tools.go (1867 LOC,
121 mcp.AddTool registrations) into six tool-domain sibling files:
tools_certificates.go (22 tools — cert + CRL/OCSP + renewal + verify)
tools_agents.go (16 tools — agents + agent groups)
tools_resources.go (40 tools — issuers + targets + policies +
profiles + teams + owners +
notifications + intermediate-CAs)
tools_jobs.go (9 tools — jobs + approvals)
tools_discovery.go (10 tools — network-scan + discovery)
tools_admin.go (24 tools — audit + stats + digest + metrics
+ health + health-check)
The TestSurfaceParity_MCPToolCatalogue hard-gate counts mcp.AddTool
registrations across mcpToolFiles() — a hard-coded 5-file list. After
the split, only 34 tools sat in the 5 known files (tools.go itself
went to 0 tools post-split; only the 4 pre-existing tools_*.go
siblings carried any). The actual cross-file count is 155 (above
the 150 floor).
Fix: expand mcpToolFiles() to include the 6 new Sprint-10 sibling
files. Doc-comment explains the Sprint-10 split + the union-of-files
intent.
Local verification:
PASS: TestSurfaceParity_MCPToolCatalogue
MCP tool catalogue: 155 tools (baseline floor 150)
3. docs/testing/skip-inventory.md — line-number drift
====================================================================
Adding the 8-line doc-comment to mcpToolFiles() (item 2) shifted the
location of readFileOrSkip from line 97 to line 113 in
surface_parity_test.go. The skip-inventory.md is auto-generated and
records every t.Skip() site with its file:line; the
skip-inventory-drift CI guard re-runs the generator and diffs.
Fix: bump the inventory entry from :97 to :113. One-line tracking
update; same skip site, new line number. (No t.Skip() was added or
removed.)
Behavior preservation contract
==============================
- Zero runtime change. All three diffs touch only CI-guard
metadata (allowlist string, file-list slice, doc line-number).
- A-8 guard re-runs clean post-fix.
- TestSurfaceParity_MCPToolCatalogue runs and reports 155 tools.
- skip-inventory drift detection re-pins to the live line number.
- gofmt + go vet + staticcheck remain clean on the touched files
(verified pre-commit; the sandbox /sessions partition is full so
the broader 'all guards' loop was interrupted on a tmpfile write,
not on a real regression — the deterministic fix above matches
the CI failure output byte-for-byte).
Closes: CI failures on commit 30940108 across Frontend Build (A-8
guard) + Go Build & Test (TestSurfaceParity_MCPToolCatalogue).
Audit 2026-05-11 A-8 closure. Closes the deferred Phase 2 leg of the
2026-05-10 HIGH-12 closure (2e97cc1) — production-startup observability
for actor-demo-anon residual grants + CI guard banning new synthetic-
admin code paths.
What this changes:
* cmd/server/preflight_demo_residual.go (new) runs after the DB pool +
audit service are constructed and before the HTTPS listener starts.
Under any non-'none' auth type it queries actor_roles for the
synthetic actor-demo-anon and emits a WARN log + a categorized audit
row (auth.demo_residual_grants_detected) listing every grant
present. Migration 000029 unconditionally seeds the ar-demo-anon-admin
row at install time, so EVERY production deploy will see this WARN
on first boot; the intended cutover workflow is cleanup-once at
production handover.
* CERTCTL_DEMO_MODE_RESIDUAL_STRICT (new env var on AuthConfig,
default false) pivots the WARN to fail-closed startup refusal for
operators who want a paranoid posture against re-seeding.
* POST /api/v1/auth/demo-residual/cleanup (new handler at
internal/api/handler/demo_residual.go) is an admin-class
(auth.role.assign) endpoint that removes every actor-demo-anon row
from actor_roles and returns {removed: int64}. Idempotent; refuses
503 under Auth.Type=none (deleting the row would break the demo
path); audit-logs every invocation including no-op zero-removed
calls so the admin's action is always recorded.
* scripts/ci-guards/no-new-synthetic-admin.sh pins the 17-entry
allowlist of source files that legitimately reference the
actor-demo-anon literal. New runtime code paths that resolve to the
synthetic actor (the same pattern that produced the original CRIT
class) are rejected at PR time. CI workflow auto-picks the script
via the existing scripts/ci-guards/*.sh loop in .github/workflows/
ci.yml; no workflow edit needed.
Regression matrix:
* cmd/server/preflight_demo_residual_test.go — 7 tests covering the
4 main behaviour branches (testcontainers-backed, testing.Short()-
skipped: DemoModeActive_Skips, NoResidue_Passes, HasResidue_LogsAnd
Audits, StrictMode_RefusesStartup, DeleteDemoAnonResidue_Idempotent)
plus 3 pure-Go stdlib unit tests for the row-string formatter +
nil-safety contracts on both helpers.
* internal/api/handler/demo_residual_test.go — 7 stdlib+httptest
cases: HappyPath, Idempotent_ReturnsZero, RejectsInDemoMode (503),
CleanupError_Surfaces500, NilCleanupFn (defensive 500),
NilAuditWriter_DoesNotPanic, MissingActorContext (falls back to
'unknown' actor in the audit row).
* internal/api/router/openapi_parity_test.go — new
POST /api/v1/auth/demo-residual/cleanup entry plus 6 pre-existing
pre-A-8 entries (oidc/test, jwks-status, users CRUD, runtime-config)
that had drifted out of SpecParityExceptions; the parity test was
red on dev/auth-bundle-2 before my work; this commit returns it to
green with full per-entry justifications + parity-debt notes.
Docs:
* docs/operator/security.md — new 'Demo-to-production cutover (Audit
2026-05-11 A-8)' section explaining the WARN message, the cleanup
curl one-liner, the equivalent SQL, the strict-mode env var, and
the CI guard.
* docs/operator/rbac.md — Last-reviewed bump + pointer to the new
env var + the security.md section.
* cowork/auth-bundles-audit-2026-05-10.md — HIGH-12 row gains an
'A-8 follow-on CLOSED 2026-05-11' annotation describing the
deferred Phase 2 leg now landed.
* CHANGELOG.md — Unreleased ### Security entry summarizing the four
legs (detector + cleanup + strict-mode flag + CI guard) and the
acquisition-readiness narrative this closes.
Operator-facing impact: this closes a credibility gap, not an
exploitable vulnerability. The residue requires a regression
elsewhere in the middleware chain to be exploitable. After this
fix, the canonical narrative ('RBAC primitive with no synthetic-
admin fallback') is fully true.
Refs cowork/auth-bundles-fixes-2026-05-11/08-high-demo-mode-residual-
cleanup.md.
shankar0123