Agents now report OS, architecture, IP address, hostname, and version
via heartbeat using runtime.GOOS, runtime.GOARCH, and net.Dial. New
migration adds columns to agents table. Heartbeat handler, service,
and repository updated to accept and persist metadata. GUI shows
OS/Arch in agent list and full system info in agent detail page.
Apache httpd connector: separate cert/chain/key files, apachectl
configtest validation, graceful reload. HAProxy connector: combined
PEM file (cert+chain+key), optional config validation, reload.
Both wired into agent binary's target connector switch.
14 tests for new connectors. All existing tests updated for new
Heartbeat/UpdateHeartbeat signatures. Docs updated across README,
architecture, concepts, and connectors guides.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix demo certificate count: 14 → 15 across README, quickstart,
demo-guide (wildcard cert was added but count never updated)
- Fix negative_test subtest count: 12 → 14 in architecture.md
- Update README roadmap: v1.0.0 released (no longer "tag pending")
- Update status badge: "active development" → "v1.0.0"
- Remove stale POSTGRES_IMPLEMENTATION.md and POSTGRES_PATTERNS.md
(scaffold-era dev notes, not referenced anywhere)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Community feedback requested fleet inventory and policy-based targeting.
Agents will report OS, platform, IP, hostname via heartbeat; dynamic
grouping enables policy scoping by agent criteria instead of manual assignment.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Active Directory Certificate Services (ADCS) added as a planned
issuer connector across README, architecture, connectors, and
demo-advanced docs. Requested by community feedback.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Added step-ca and OpenSSL/Custom CA as planned V2 issuer connectors
across README, architecture, connectors, and demo-advanced docs
- Fixed F5 BIG-IP and IIS target status from "Implemented" to
"Interface only" — both are stubs with mapped-out flows but no
actual API calls yet
- Updated all diagrams and tables to be consistent across docs
- DNS-01, step-ca, OpenSSL, F5, IIS all listed under V2.0 roadmap
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
DNS-01 enables wildcard certificates and validation for hosts that
can't serve HTTP on port 80. Planned with provider adapters
(Cloudflare, Route53) and custom script hooks.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
BSL 1.1 is not OSI-approved open source. Changed headline to
"Self-Hosted Certificate Lifecycle Platform" to be accurate.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Added 9 screenshots showing all dashboard views: dashboard overview,
certificates list, agents fleet, jobs queue, notifications inbox,
policies, issuers, targets, and audit trail. Screenshots are displayed
in a 2-column grid in the README.
Note: actual .png files need to be added to docs/screenshots/ — this
commit includes the README markup and directory placeholder.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Without --build, Docker reuses cached images that don't include the
built frontend, resulting in a blank page. Every doc that tells users
to run docker compose up now includes --build.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- CLAUDE.md: check off frontend tests (53 Vitest tests done), update test count to 220+, update endpoint count to 55, update CI description
- README.md: add missing API endpoints (PUT/DELETE for issuers, targets, teams, owners, policies; POST notifications/{id}/read; auth endpoints), update endpoint count from 40+ to 55, update test count to 220+
- architecture.md: add frontend test layer description, update CI section with Vitest step, update dashboard description with action buttons (create cert modal, deploy, archive, test issuer, enable/disable policy, delete)
- demo-guide.md: fix incorrect /api/v1/policies/violations endpoint to /api/v1/policies/{id}/violations, update "Demo Without Docker" section from stale web/index.html to Vite dev server
- quickstart.md: fix auto-generated ID format from UUID to name-timestamp format
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Private keys never leave agent infrastructure. Agents generate ECDSA P-256
key pairs locally, store them with 0600 permissions, and submit only the CSR
(public key) to the control plane. New AwaitingCSR job state pauses
renewal/issuance jobs until the agent submits its CSR. Server-side keygen
retained behind CERTCTL_KEYGEN_MODE=server for demo/development.
Key changes:
- Dual keygen mode via CERTCTL_KEYGEN_MODE (agent default, server for demo)
- AwaitingCSR job state with CommonName/SANs in work response
- Agent ECDSA P-256 keygen, local key storage, CSR-only submission
- CompleteAgentCSRRenewal server-side flow for agent-submitted CSRs
- DeploymentRequest.KeyPEM for agent-provided keys during deployment
- Dockerfile.agent creates /var/lib/certctl/keys with correct ownership
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Split the monolithic M7 (Security Baseline) into three focused
milestones: M7 (Auth + Rate Limiting), M8 (Agent-Side Key Generation),
and M9 (End-to-End Test Hardening). M9 adds handler tests for all 7
files, negative-path integration tests, scheduler/connector tests,
and CI coverage gates (service 70%+, handler 60%+). Updated v1.0
gate criteria, replaced all stale V2+ references with M8, and added
Testing Strategy section to architecture docs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replaces the old M5 "Polish & Release" catch-all with three focused
milestones: M5 (Hardening + GUI Foundation), M6 (Functional GUI + CI),
M7 (Security Baseline). Agent-side keygen and API auth now gate v1.0
instead of being deferred to V2. V2 resequenced into Operational
Workflows (GUI-first), Team Adoption, and Observability.
Adds explicit v1.0.0 gate criteria, "GUI parallel-tracked" architecture
principle, and Vite + React + TypeScript + TanStack Query tech decisions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Service layer (63 tests): certificate, agent, audit, job, notification,
policy, and renewal services with mock repositories covering threshold
alerting, deduplication, status transitions, and job processing.
Handler layer (46 tests): certificate and agent HTTP handlers using
httptest with mock service interfaces, covering success/error paths,
pagination, JSON marshaling, and path parameter extraction.
Integration (11 subtests): end-to-end certificate lifecycle test
exercising real services and Local CA issuer through HTTP API —
create cert, trigger renewal, process jobs, register agent, heartbeat,
verify audit trail.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Wire issuer connector end-to-end with IssuerConnectorAdapter (dependency inversion)
- Renewal/issuance job processor: RSA key + CSR generation, Local CA signing, cert version storage
- Agent work API (GET /agents/{id}/work) and job status API (POST /agents/{id}/jobs/{job_id}/status)
- Agent-side deployment: WorkItem enrichment with target type/config, NGINX/F5/IIS connector invocation
- Full ACME v2 implementation: HTTP-01 challenge solving, account registration, order lifecycle
- Update all docs (README, architecture, connectors, demo-advanced, quickstart) for M1-M2
- Fix go vet warning in deployment.go (non-constant format string)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Business Source License 1.1 with 7-year conversion period
- Change Date: March 14, 2033 (converts to Apache 2.0)
- Additional Use Grant: all uses permitted except offering certctl
as a hosted/managed certificate management service
- Update README badge and license section
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
README.md:
- Replace ASCII architecture diagram with Mermaid
- Fix all database table names (managed_certificates, audit_events, etc.)
- Fix env var names to use CERTCTL_ prefix matching config.go
- Fix API endpoint paths ({id} not :id, /audit not /audit/logs)
- Add all missing endpoints (renew, deploy, CSR, heartbeat, policies, notifications)
- Add dashboard as primary feature (was completely missing)
- Link to all new docs (concepts, advanced demo, architecture, connectors)
- Fix integration status (Local CA implemented, ACME in progress)
- Fix security section (API key auth, not mTLS)
- Remove broken links to non-existent docs (api.md, k8s-deployment.md, scaling.md)
- Remove placeholder Support & Community section
.env.example:
- Change all var names to CERTCTL_ prefix (CERTCTL_DATABASE_URL, etc.)
- Remove vars that don't exist in config.go (ACME_*, SMTP_*, feature flags)
- Add scheduler tuning vars as commented examples
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add how/why technical breakdowns to every step in demo-advanced.md:
handler→service→repository code paths, SQL details, security reasoning,
field-by-field explanations, and architectural design decisions
- Convert all ASCII box diagrams to Mermaid across docs:
architecture.md (9 diagrams), demo-advanced.md (6), concepts.md (1)
- Diagram types: flowcharts, sequence diagrams, ER diagram, state machine
- Remove placeholder Support & Community section from README
- Zero ASCII box-drawing characters remaining in docs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
shankar0123