Problem:
5c01c7f closed C-001 at the handler boundary by tightening the
ValidateRequired contract on POST /api/v1/certificates to require six
fields: name, common_name, renewal_policy_id, issuer_id, owner_id,
team_id. (Correction re-derived from source: the handler
ValidateRequired calls on owner_id/team_id/renewal_policy_id were
actually installed in 4536147 under M-002/M-003/M-006 auth unification
— 5c01c7f's commit message overstates scope.) Post-audit on
2026-04-18 found three parallel call sites still shipping
three-to-four-field payloads that the newly strict handler would
reject with HTTP 400:
- GUI: OnboardingWizard CertificateStep (common_name + sans +
issuer_id + environment only)
- CLI: certctl-cli import (common_name + issuer_id + status only;
no required-flag gating)
- Tests: deploy/test/qa_test.go Part03 positive paths
Scope:
Bring every POST /api/v1/certificates caller to six-field parity. No
handler changes — the contract is authoritative; the callers must
conform.
Implementation:
GUI — OnboardingWizard CertificateStep expansion:
web/src/pages/OnboardingWizard.tsx adds name/owner_id/team_id/
renewal_policy_id state. React Query hooks for getOwners/
getTeams/getPolicies use per_page: '500' to populate dropdowns
without pagination-driven truncation. Payload ships all six
required fields plus sans/certificate_profile_id/environment.
nextDisabled gate enforces all six before the Continue button
activates.
CLI — ImportCertificates rewrite:
internal/cli/client.go rewrites ImportCertificates with
flag.NewFlagSet("import", flag.ContinueOnError). Required flags:
--owner-id, --team-id, --renewal-policy-id, --issuer-id. Optional:
--name-template (default {cn}, templated via strings.ReplaceAll
against cert.Subject.CommonName), --environment (default
imported). Missing required flags fail pre-HTTP with a clear
error. Request map ships all six required fields plus sans/
environment/status/optional serial_number.
cmd/cli/main.go — usage string updated to document the new
required/optional flags.
Tests — qa_test.go Part03 positive paths:
deploy/test/qa_test.go Part03 Create_Minimal and Create_Full
updated to include all six fields. Uses seed_demo.sql-supplied IDs
(o-alice, t-platform, rp-standard) — docker-compose.demo.yml is
the run context. C-001 explanatory comment added above
Create_Minimal so future readers understand why the minimal
payload is no longer minimal.
MCP parity:
Verified no-op. internal/mcp/types.go:28 CreateCertificateInput
already declares all six fields; internal/mcp/tools.go:102
forwards the typed struct unchanged.
Verification:
Go CLI regression tests (internal/cli/client_test.go):
* TestClient_ImportCertificates_MissingRequiredFlags — 5 subtests,
one per missing required flag, confirms flag.ContinueOnError
rejects with non-nil error before any HTTP call is attempted.
* TestClient_ImportCertificates_MissingPositionalArgs — confirms
the "usage: import <file>" error path when no PEM file is
supplied after the flags.
* TestClient_ImportCertificates_SixFieldPayload — uses httptest
to decode the POST body and assert all six required fields
plus sans/environment are present on the wire.
Frontend regression test (web/src/api/client.test.ts):
'createCertificate accepts and transmits all six required fields'
pins the wire shape for both GUI call sites (OnboardingWizard
CertificateStep + CertificatesPage CreateCertificateModal). If
either UI surface accidentally drops a field, this assertion
fails in CI rather than surfacing as a 400 at runtime.
Grep-based call-site sweep:
Enumerated every POST /api/v1/certificates create caller. Four
total: OnboardingWizard, CertificatesPage, MCP tools, CLI import.
All four now ship six-field payloads. Claim path
(internal/service/discovery.go) updates existing rows and does
not POST. EST/SCEP handlers invoke internal
certService.CreateVersion, not the public API. Negative-path
tests (qa_test.go:1085/1267/1274/1288/1298) remain valid: they
assert 400/non-500 on oversized/malformed/missing-CN/UTF-8/empty
bodies, and these properties still hold under the stricter
handler.
Static gates:
go build ./..., go vet ./..., go test ./internal/cli/..., and
cd web && npm run test deferred to operator pre-push — the Go
toolchain is not available in the session sandbox. Grep-based
verification confirms the syntactic shape of every changed file.
Residual:
None. Every POST /api/v1/certificates call site now conforms to the
six-field contract; the wire shape is pinned by both Go and
TypeScript regression tests.
Commit:
TBD-SHA (audit doc + CLAUDE.md carry TBD-SHA placeholders to be
amended after commit)
The first-run onboarding wizard's Certificate step now surfaces an
Owner dropdown (required) alongside Issuer and Profile, matching the
ownership model introduced in M11b. Prevents newly-created certs from
being unowned and bypassing notification routing.
- web/src/pages/OnboardingWizard.tsx: getOwners query, ownerId state,
Owner <select>, required-field guard (nextDisabled), empty-state link
to /owners page when no owners exist yet.
Frontend-only change; no backend wiring or schema impact. Separated
from the M-6 sentinel-agent idempotency commit per scope-guard.
Closes#7. The issuer create/update handlers swallowed all service errors
as generic 500s. Now differentiates: 409 for UNIQUE constraint violations,
400 for unsupported issuer type, 404 for not-found on update, 500 for
unknown errors. Adds structured error logging via slog.
OnboardingWizard now pre-populates config field defaults when a type is
selected (matching IssuersPage behavior), preventing empty required fields
from causing silent failures.
install-agent.sh hardened for curl|bash usage: --agent-id flag, =value
syntax, /dev/tty stdin reopening, proper stderr routing in download_binary,
non-interactive install examples in help text, and updated wizard commands.
Adds adversarial security tests for EST, path traversal, and query
injection handlers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
4-step wizard (Connect CA → Deploy Agent → Add Certificate → Done) shown
on fresh installs when no user-configured issuers or certificates exist.
Auto-seeded env var issuers (source="env") are excluded from first-run
detection. Wizard state latches to prevent query refetches from dismissing
it mid-flow. Split docker-compose into clean default (wizard-compatible)
and demo override (seed_demo.sql). Added missing migrations 000009/000010
to test compose.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Shankar