9 Commits

Author	SHA1	Message	Date
shankar0123	67f346cd87	docs(arch-h1): Phase 13 Sprint 13.1 — categorize OpenAPI exceptions + bucket guards ... Phase 13 Sprint 13.1 closure (architecture diligence audit ARCH-H1): splits api/openapi-handler-exceptions.yaml's 64 entries into two buckets via a required `category:` field, extends the parity script with bucket reporting + a `--bucket=` subcommand, and adds a sibling monotonic-decrease guard pinned to a checked-in baseline file. Pure YAML + bash + doc; zero runtime change. Strategy ======== The audit originally framed ARCH-H1 as "burn down the 64-entry exception list to ≤20." Sprint 13.1 reframes against the structural reality: 36 of the 64 entries are legitimate IETF-RFC wire-protocol contracts (SCEP RFC 8894, ACME RFC 8555, ACME ARI RFC 9773, EST RFC 7030) that MUST stay; the remaining 28 are REST-shaped routes whose OpenAPI op was deferred. Categorize the two buckets, monotone- gate the rest-deferred bucket against a baseline, and Sprints 13.4-13.6 drive rest-deferred to zero. Categorization rule applied per-entry ===================================== An entry is `category: wire-protocol` if ANY of: 1. `why:` cites an RFC anchor (RFC 8894 / 8555 / 9773 / 7030). 2. `why:` contains the strings "wire-protocol", "wire protocol", "sibling", or "shorthand". 3. Route path starts with `/scep`, `/scep-mtls`, `/acme/`, or `/acme` (wire-protocol prefix). Otherwise: `category: rest-deferred`. This rule produced the 36 / 28 split that the Sprint 13.1 audit prompt expected — verified by python assertion + manual eyeball review of every entry's `why:` field before categorizing. Per-entry decisions (read off the post-categorization YAML) =========================================================== WIRE-PROTOCOL (36) — RFC contracts; never burn down: SCEP family (8) — RFC 8894 + RFC 7030 SCEP-mTLS sibling: GET /scep RFC 8894 §3.1 GetCACert / GetCACaps POST /scep RFC 8894 §3.1 PKCSReq / RenewalReq GET /scep/ trailing-slash variant (ChromeOS) POST /scep/ trailing-slash variant (ChromeOS) GET /scep-mtls EST RFC 7030 Phase 6.5 sibling POST /scep-mtls SCEP-mTLS POST variant GET /scep-mtls/ SCEP-mTLS trailing-slash variant POST /scep-mtls/ SCEP-mTLS trailing-slash POST ACME per-profile (12) — RFC 8555 §7.x + RFC 9773 ARI: GET /acme/profile/{id}/directory RFC 8555 §7.1.1 HEAD /acme/profile/{id}/new-nonce RFC 8555 §7.2 GET /acme/profile/{id}/new-nonce RFC 8555 §7.2 POST /acme/profile/{id}/new-account RFC 8555 §7.3 POST /acme/profile/{id}/account/{acc_id} RFC 8555 §7.3.2/.6 POST /acme/profile/{id}/new-order RFC 8555 §7.4 POST /acme/profile/{id}/order/{ord_id} RFC 8555 §7.4 PoG POST /acme/profile/{id}/order/{ord_id}/finalize RFC 8555 §7.4 POST /acme/profile/{id}/authz/{authz_id} RFC 8555 §7.5 POST /acme/profile/{id}/challenge/{chall_id} RFC 8555 §7.5.1 POST /acme/profile/{id}/cert/{cert_id} RFC 8555 §7.4.2 POST /acme/profile/{id}/key-change RFC 8555 §7.3.5 POST /acme/profile/{id}/revoke-cert RFC 8555 §7.6 GET /acme/profile/{id}/renewal-info/{cert_id} RFC 9773 ARI ACME default-profile shorthand (14) — sibling routes; same wire semantics, dispatched when CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID is set: GET /acme/directory HEAD /acme/new-nonce GET /acme/new-nonce POST /acme/new-account POST /acme/account/{acc_id} POST /acme/new-order POST /acme/order/{ord_id} POST /acme/order/{ord_id}/finalize POST /acme/authz/{authz_id} POST /acme/challenge/{chall_id} POST /acme/cert/{cert_id} POST /acme/key-change POST /acme/revoke-cert GET /acme/renewal-info/{cert_id} REST-DEFERRED (28) — gaps; Sprints 13.4-13.6 author into openapi.yaml: auth/sessions cluster (3): GET /api/v1/auth/sessions DELETE /api/v1/auth/sessions DELETE /api/v1/auth/sessions/{id} auth/oidc CRUD + JWKS + test + refresh cluster (10): GET /api/v1/auth/oidc/providers POST /api/v1/auth/oidc/providers PUT /api/v1/auth/oidc/providers/{id} DELETE /api/v1/auth/oidc/providers/{id} GET /api/v1/auth/oidc/providers/{id}/jwks-status POST /api/v1/auth/oidc/providers/{id}/refresh POST /api/v1/auth/oidc/test GET /api/v1/auth/oidc/group-mappings POST /api/v1/auth/oidc/group-mappings DELETE /api/v1/auth/oidc/group-mappings/{id} auth/breakglass admin cluster (4): GET /api/v1/auth/breakglass/credentials POST /api/v1/auth/breakglass/credentials DELETE /api/v1/auth/breakglass/credentials/{actor_id} POST /api/v1/auth/breakglass/credentials/{actor_id}/unlock auth/users cluster (3): GET /api/v1/auth/users DELETE /api/v1/auth/users/{id} POST /api/v1/auth/users/{id}/reactivate Misc REST one-offs (3): GET /api/v1/auth/runtime-config POST /api/v1/auth/demo-residual/cleanup GET /api/v1/audit/export OIDC + breakglass browser flows (5): GET /auth/oidc/login GET /auth/oidc/callback POST /auth/oidc/back-channel-logout POST /auth/logout POST /auth/breakglass/login Files changed ============= api/openapi-handler-exceptions.yaml (+1 line per entry): - Header rewritten to document the two-bucket contract + the Phase 13 burn-down plan + the baseline-file convention. - Every existing `route:` + `why:` pair preserved verbatim. - ` category: <bucket>` line inserted after each `why:` line. - Pyyaml round-trip parses to 64 entries cleanly. api/openapi-handler-exceptions-baseline.txt (NEW, 1 line): - Contains single integer `28` matching the current rest-deferred count. Sprints 13.4-13.6 decrement this in lockstep with each batch of OpenAPI ops authored. scripts/ci-guards/openapi-handler-parity.sh (rewritten): - Reports `wire-protocol: N` + `rest-deferred: N` lines alongside the existing total. - New `--bucket=wire-protocol|rest-deferred` subcommand prints just the bucket count + exits 0. Used by the new monotonic guard + by Sprint 13.7's hard-floor pin. - New fail condition: any entry missing the required `category:` field, or carrying an unknown category value, fails the build with a clear ::error:: annotation. - Existing exit-code semantics preserved (drift / orphan / stale detection paths unchanged). scripts/ci-guards/openapi-rest-deferred-monotonic.sh (NEW): - Reads the rest-deferred count via the parity script's --bucket subcommand. - Reads the baseline file at api/openapi-handler-exceptions-baseline.txt. - Fails with ::error:: if current count exceeds OR falls below the baseline. The fall-below path forces operators to update the baseline in the same commit as the corresponding YAML deletion — keeps the monotonic-decrease contract honest. - CI workflow auto-discovers any scripts/ci-guards/*.sh; no .github/workflows/ci.yml change required (verified — the loop at .github/workflows/ci.yml::Regression\ guards uses a glob). scripts/ci-guards/README.md (+33 lines): - Two new entries in the per-finding regression-guards table for `openapi-handler-parity` (existing; bucket subcommand documented) and `openapi-rest-deferred-monotonic` (new). - New "ARCH-H1 OpenAPI exception two-bucket contract" section documenting the wire-protocol vs rest-deferred decision rule + the canonical close path for a rest-deferred entry (author op + delete exception + decrement baseline in same PR) + the bucket-count inspection commands. Verification (all local, sandbox /sessions partition full so disk-tmpfile-dependent guards skipped — see Hotfix #4 commit msg for sandbox-disk context) ========================================================= $ bash scripts/ci-guards/openapi-handler-parity.sh Router routes: 220 OpenAPI operations: 158 Documented exceptions: 64 wire-protocol: 36 rest-deferred: 28 openapi-handler-parity: clean. $ bash scripts/ci-guards/openapi-handler-parity.sh --bucket=wire-protocol 36 $ bash scripts/ci-guards/openapi-handler-parity.sh --bucket=rest-deferred 28 $ bash scripts/ci-guards/openapi-rest-deferred-monotonic.sh openapi-rest-deferred-monotonic: clean — rest-deferred = 28, baseline = 28. $ cat api/openapi-handler-exceptions-baseline.txt 28 $ python3 -c "import yaml; d=yaml.safe_load(open('api/openapi-handler-exceptions.yaml')); print(len(d['documented_exceptions']))" 64 Negative test (corrupted baseline → guard fails): $ echo "abc" > api/openapi-handler-exceptions-baseline.txt $ bash scripts/ci-guards/openapi-rest-deferred-monotonic.sh ::error::api/openapi-handler-exceptions-baseline.txt must contain a single non-negative integer; got: 'abc' Negative test (rest-deferred over baseline → guard fails): $ echo "27" > api/openapi-handler-exceptions-baseline.txt $ bash scripts/ci-guards/openapi-rest-deferred-monotonic.sh ::error::rest-deferred bucket grew: 28 > baseline 27. Negative test (missing category → parity script fails): $ # delete first 'category: wire-protocol' line $ bash scripts/ci-guards/openapi-handler-parity.sh ::error::api/openapi-handler-exceptions.yaml: 1 entries missing required `category:` field: GET /scep Ambiguous entries surfaced for operator review ============================================== None. Every entry's category derived deterministically from the 3-rule decision tree (RFC anchor → wire-protocol; wire/sibling/ shorthand keyword in `why:` → wire-protocol; route prefix matches wire-protocol family → wire-protocol; otherwise rest-deferred). Closes: Phase 13 Sprint 13.1 of the certctl architecture diligence remediation (ARCH-H1 structural categorization). Unblocks Sprints 13.4-13.6 (OpenAPI authoring batches against the rest-deferred bucket).	2026-05-14 11:18:12 +00:00
shankar0123	0161bb201c	docs: remove internal engineering docs; docs must be tool- or story-relevant ... Operator policy: docs in the public repo must help (a) a user deploying certctl or (b) the product story. Internal engineering process documentation belongs in cowork/ scratchpads or in git commit history, not docs/. Removed (docs/contributor/, 8 files, 2,323 lines): - release-sign-off.md — internal release-day checklist - ci-pipeline.md — what runs in CI (internal) - ci-guards.md — what the guards are (internal) - testing-strategy.md — internal testing strategy - qa-test-suite.md — internal QA reference (445 lines) - qa-prerequisites.md — internal QA setup - gui-qa-checklist.md — manual GUI QA checklist - test-environment.md — 1,103-line redundant with docs/getting-started/quickstart.md + docs/getting-started/advanced-demo.md Removed supporting script: - scripts/qa-doc-seed-count.sh — CI guard for the deleted qa-test-suite.md seed-data table Cross-reference cleanup: - README.md: dropped the Contributor audience row + footer pointer to docs/contributor/. - Makefile: dropped `verify-docs` target + qa-stats comment refs. - .github/workflows/ci.yml: dropped the QA-doc seed-count drift CI step + dead comment refs. - docs/reference/cli.md: repointed qa-prerequisites.md → quickstart.md. - docs/operator/performance-baselines.md: dropped ci-pipeline.md cross-ref. - scripts/ci-guards/README.md: dropped the 'Guards explicitly NOT here' section that referenced the deleted QA-doc guards. G-3 env-docs-drift guard improvements (a real consequence: deleting the contributor docs surfaced that some env vars only had a home there). Refit the guard to the new doc topology: - Defined-scan widened from `config.go + cmd/*` to all of `cmd/ + internal/` (production code), excluding `*_test.go` — catches service-layer env vars like CERTCTL_STEPCA_ROOT_CERT and CERTCTL_ZEROSSL_EAB_URL that were previously invisible to the guard. - Docs-scan widened to include deploy/ENVIRONMENTS.md (the canonical env-var inventory table — should have been in scope from day one). Kept narrow to README + docs/ + deploy/helm/ + ENVIRONMENTS.md to avoid pulling in compose/test fixtures. - ALLOWED filter now applies to both DOCS_ONLY and CONFIG_ONLY directions, so dynamic per-profile dispatch surfaces (CERTCTL_SCEP_PROFILE_<NAME>_*, CERTCTL_EST_PROFILE_<NAME>_*, CERTCTL_QA_*) don't need static doc entries. - Added CERTCTL_SCEP_PROFILE_[A-Z_]+ and CERTCTL_EST_PROFILE_[A-Z_]+ to ALLOWED for the same reason. deploy/ENVIRONMENTS.md: added CERTCTL_ZEROSSL_EAB_URL row — real operator override (overrides the ZeroSSL EAB-credentials endpoint; read at internal/connector/issuer/acme/acme.go:372) that was defined in Go source but never documented. G-3 caught it after the defined-scan widened. scripts/ci-guards/S-1-hardcoded-source-counts.sh: removed dead WORKSPACE-CHANGELOG.md allowlist entry (the file was deleted in the prior workspace cleanup). Verified: All 35 scripts/ci-guards/*.sh green (FAIL=0). No remaining references to docs/contributor/ or qa-doc-seed-count in tracked files.	2026-05-13 02:44:27 +00:00
shankar0123	aedf19d128	ci(cold-db-smoke): inline into workflow; remove the script (operator: not a per-commit gate) ... Operator pushback: 'I don't want a smoke test I have to manually run every time I commit.' Correct read — the script existed for local debugging but its presence in scripts/ci-guards/ implied 'operator runs this regularly,' which is the opposite of the design intent. Changes: - Removed scripts/ci-guards/cold-db-compose-smoke.sh. - Inlined the smoke logic directly into the cold-db-compose-smoke job in .github/workflows/ci.yml. Same semantics: docker compose down -v -> up -d -> wait-healthy -> bootstrap admin -> issue/renew/revoke -> assert audit rows -> teardown. 15-min wall-clock cap. Logs dump on failure. - Removed the cold-db-compose-smoke.sh skip case from the generic regression-guards loop (no longer needed). - Updated scripts/ci-guards/README.md and docs/contributor/ci-guards.md to reflect the new shape: 'lives in the workflow, not as a script.' Workspace docs updated (cowork/WORKSPACE-CHANGELOG.md, cowork/CLAUDE.md, cowork/auditable-codebase-bundle/RESULTS.md). The gate is unchanged: CI runs the smoke on every push, master branch-protection enforces it as a required check. Operator's manual action is once — adding the check to branch-protection. Audit-Closes: post-v2.1.0-anti-rot/item-6	2026-05-12 14:22:19 +00:00
shankar0123	9f7b5d89a5	docs(contributor): document the Auditable Codebase Bundle guards ... Three doc changes for the bundle's discoverability: 1. New docs/contributor/ci-guards.md (185 lines) Entry-point doc for new contributors. Explains the four categories of guards (code-shape, contract-parity, build/dep, operational), the discipline that keeps them honest (allowlist + expiration), and how to add a new one. Cross-references scripts/ci-guards/README.md for the exhaustive list. 2. scripts/ci-guards/README.md — added a 'Forward-looking guards' subsection naming complete-path-config-coverage, doc-rot-detector, and cold-db-compose-smoke with their item references + a one-sentence description of what each catches. Replaced the stale '22 guards' header with 'Count: re-derive via ls' per the no-version-stamped-numbers convention from CLAUDE.md. 3. docs/README.md — wired ci-guards.md into the Contributor section navigation table. Bumped 'Last reviewed:' to 2026-05-12 on the two docs touched (docs/README.md, docs/contributor/ci-pipeline.md). Verified: doc-rot-detector.sh green at 91 docs scanned, 89 dated, 0 warns, 0 fails. Audit-Closes: post-v2.1.0-anti-rot/item-1 Audit-Closes: post-v2.1.0-anti-rot/item-2 Audit-Closes: post-v2.1.0-anti-rot/item-5 Audit-Closes: post-v2.1.0-anti-rot/item-6	2026-05-12 14:15:13 +00:00
shankar0123	75097909e9		2026-05-05 18:18:29 +00:00
shankar0123	a1c7741e1b	fix(deploy/test) + ci(guard): drop dead SCEP profile from test compose ... The deploy-vendor-e2e job has been failing with the certctl-test-server container restarting endlessly. Diagnostic dump (added in 3b96b35) finally surfaced the actual cause: Failed to load configuration: SCEP profile 0 (PathID="e2eintune") has empty CHALLENGE_PASSWORD — refuse to start (CWE-306: per-profile shared secret is the sole application-layer auth boundary; an empty password would allow any client reaching /scep/e2eintune to enroll a CSR against issuer "iss-local") Same shape as the encryption-key fix that landed in c4157fd: a config validation gate added in code that the test compose never got updated to satisfy, hidden pre-Phase-5 because the matrix-collapse hadn't yet forced the certctl-server to actually boot in CI. Root cause is more interesting than just "missing env var." The 2026-04-29 SCEP RFC 8894 + Intune master bundle Phase I added an `e2eintune` SCEP profile to docker-compose.test.yml expecting deploy/test/scep_intune_e2e_test.go to exercise it. That integration test does exist (//go:build integration) but **NO CI job ever selects it** — ci.yml's deploy-vendor-e2e job runs only `-run 'VendorEdge_'` (line 379), and no other job invokes `go test -tags integration` with a SCEP selector. Confirmed via `grep -rnE "scep_intune|SCEPIntune" .github/workflows/` returning empty. Worse: the supporting fixtures (ra.crt + ra.key + intune_trust_anchor.pem) were documented in deploy/test/fixtures/README.md with the regeneration recipe but never actually committed. Pre-Phase-5 the test stack didn't fully boot the server in CI, so the entire stack of debt — dead config + missing fixtures + no consumer test — sat silent until the matrix collapse forced the boot path. Fixing this with a fake CHALLENGE_PASSWORD value would silence the immediate validator but leave the real problem in place: maintenance cost on test config that no test exercises. Same critique applies to "let me commit fake fixtures" — the fixtures alone don't add test coverage when no CI job runs the SCEP test. The complete-path fix is to make the test compose match what CI actually exercises: - deploy/docker-compose.test.yml: drop CERTCTL_SCEP_ENABLED + the full e2eintune profile env var family (10 lines) + the ./test/fixtures volume mount (1 line). Replace with an in-line comment explaining why SCEP is intentionally disabled and what needs to come back together when SCEP is added to CI for real. - scripts/ci-guards/test-compose-scep-coherence.sh (new, 22nd guard): refuses any future state where CERTCTL_SCEP_ENABLED=true in test compose without ALL of: 1. A CI job that runs the SCEP integration test (matched by scep_intune | SCEPIntune | -run [Ss]cep in ci.yml) 2. The fixture files actually committed (ra.crt, ra.key, intune_trust_anchor.pem) 3. The ./test/fixtures:/etc/certctl/scep:ro volume mount Verified manually with the same pattern as the H-1 guard: clean tree → exit 0; deliberate SCEP_ENABLED=true regression → exit 1 with 5 ::error:: annotations covering each gap; restore → exit 0 again. - scripts/ci-guards/README.md: 21 → 22 guards, new row. The fixtures README at deploy/test/fixtures/README.md keeps the regeneration recipe so the eventual SCEP CI job lands cleanly: the operator who adds the SCEP job restores the env vars, regenerates + commits the fixtures, and the guard auto-passes. Pattern (now firm across this CI-stabilization sequence): - Pre-existing latent bug - Old CI structurally hid it (per-vendor matrix, missing boot path) - Phase-5 matrix collapse + new diagnostic infra exposed it - Direct fix unblocks today - Regression guard prevents the same shape of drift forever Encryption-key (c4157fd) was the same shape; this is its sibling.	2026-05-01 01:39:18 +00:00
shankar0123	c4157fd196	fix(deploy/test) + ci(guard): unblock deploy-vendor-e2e — encryption-key length ... Two-part complete-path fix for the deploy-vendor-e2e failure that has been firing since the ci-pipeline-cleanup Phase 5 matrix collapse started actually booting the certctl-test-server: Failed to load configuration: CERTCTL_CONFIG_ENCRYPTION_KEY too short (29 bytes; minimum 32). Surfaced via the diagnostic-dump step landed in commit 3b96b35 — the server panicked on startup, Docker restarted it endlessly, compose reported the dependency-chain symptom ("container certctl-test-server is unhealthy"), but the actual cause was invisible in the previous CI output. With the dump in place, the next failing run named the problem in one line. Root cause. The H-1 audit-closure master commit 3e78ecb ("feat(security): bodyLimit on noAuth + security headers + encryption- key validation (H-1 master)") added internal/config/config.go's minEncryptionKeyLength = 32 byte floor + 5 unit tests that pin it. The closure was incomplete: it never enforced the rule against the literal CERTCTL_CONFIG_ENCRYPTION_KEY values certctl's own deploy/docker-compose*.yml files pass. Pre-Phase-5 the test stack didn't fully exercise the validator (the per-vendor matrix didn't boot certctl-test-server in every job), so the gap was silent. deploy/docker-compose.test.yml's literal value `test-encryption-key-32chars!!` was 29 bytes — the name claimed 32 but the author miscounted (4+1+10+1+3+1+2+5+2 = 29). Pattern matches every fix in this CI-stabilization sequence: pre-existing latent bug that the old CI structurally hid. Part 1 — direct fix (deploy/docker-compose.test.yml): Replace the 29-byte literal with a clearly test-only, self-documenting 49-byte value (`test-encryption-key-deterministic- 32-byte-fixture`). 17 bytes of safety margin so a future tightening of the floor (32 → 33+) doesn't break this fixture again. Inline comment block explains the byte-budget contract + points at the H-1 closure commit. Production deploy/docker-compose.yml's default (`change-me-32-char-encryption-key`) is exactly 32 bytes — passes by 1 byte but on the edge; not touched here because operators are already told to override it via env (`${VAR:-default}`). Part 2 — structural fix (scripts/ci-guards/H-1-encryption-key-min- length.sh): New regression guard. Scans every deploy/docker-compose*.yml for literal CERTCTL_CONFIG_ENCRYPTION_KEY values + values inside ${VAR:-default} expansions, checks each against the 32-byte floor, fails CI with `::error::` annotation pointing at the offending file:line if any literal regresses. Bare ${VAR} env references with no default are skipped — those are operator-supplied at runtime and the validator handles them at boot. Verified manually: - Clean repo: `H-1-encryption-key-min-length: clean.` (exit 0) - 5-byte regression: emits proper ::error:: annotation, exit 1 - Restore: clean again (exit 0) CI auto-picks up the new guard via the `for g in scripts/ci-guards/*.sh; do bash "$g"; done` loop in ci.yml's Regression guards step (no ci.yml change required). scripts/ci-guards/README.md updated: 20 → 21 guards, new row explaining the closure rationale. The structural piece is the more important half of this fix. The direct fix unblocks today's CI; the guard prevents the same class of drift from ever recurring silently. Future audit closures that add new validation rules to internal/config/config.go now have a working template for the matching CI guard — drop a sibling .sh in the ci-guards directory. Bonus — what the diagnostic-dump step (3b96b35) bought us. Before that step landed, the same failure looked like an opaque "container unhealthy" with no actionable signal. With it, the actual error message + the offending env var + the exact byte count came out in one CI run. The diagnostic infrastructure paid for itself within one push.	2026-05-01 00:57:43 +00:00
shankar0123	7b8cadcd02	refactor(scripts): move CI helpers out of scripts/ci-guards/ ... The 'Regression guards' loop step in ci.yml runs: for g in scripts/ci-guards/*.sh; do bash "$g"; done Per the directory's own contract (scripts/ci-guards/README.md), every script there MUST be runnable bare with no args / no env. Three files violated that contract — they're helpers consumed by specific CI job steps with arguments, not regression guards. They were misplaced. Moved (git mv): scripts/ci-guards/vendor-e2e-skip-check.sh → scripts/ scripts/ci-guards/vendor-e2e-skip-allowlist.txt → scripts/ scripts/ci-guards/coverage-pr-comment.sh → scripts/ Updated ci.yml call sites: - deploy-vendor-e2e job: bash scripts/vendor-e2e-skip-check.sh $LOG - go-build-and-test job: bash scripts/coverage-pr-comment.sh Tightened scripts/vendor-e2e-skip-check.sh arg parse from a silent default ('LOG=${1:-test-output.log}') to a mandatory-arg form ('LOG=${1:?usage: ...}') so misuse fails loud at parse time rather than at the missing-file check. Updated scripts/ci-guards/README.md contract to spell out the guard-vs-helper distinction explicitly; lists current helpers under scripts/ for future-author guidance. Verified locally: 'for g in scripts/ci-guards/*.sh; do bash $g; done' returns clean (22 guards pass) on HEAD post-move. Closes the regression-guards-loop failure that surfaced in CI run 25192163943 (job 73864471346 'Frontend Build').	2026-04-30 22:37:12 +00:00
shankar0123	1caedd5fd3	ci-pipeline-cleanup Phase 1: extract 20 regression guards to scripts/ci-guards/ ... Bundle: ci-pipeline-cleanup, Phase 1. Pure relocation — no behavior change. Each guard's bash logic is byte-identical to the prior inline version; the only changes are: (a) the guard becomes a sibling script under scripts/ci-guards/<id>.sh, (b) ci.yml's per-guard step is replaced by a single loop step that iterates all scripts. 20 scripts extracted (alphabetized): B-1-orphan-crud.sh, D-1-D-2-statusbadge-phantom.sh, G-1-jwt-auth-literal.sh, G-2-api-key-hash-json.sh, G-3-env-docs-drift.sh, H-001-bare-from.sh, H-009-readme-jwt.sh, L-001-insecure-skip-verify.sh, L-1-bulk-action-loop.sh, M-012-no-root-user.sh, P-1-documented-orphan-fns.sh, S-1-hardcoded-source-counts.sh, S-2-strings-contains-err.sh, T-1-frontend-page-coverage.sh, U-2-plaintext-healthcheck.sh, U-3-migration-mount.sh, bundle-8-L-015-target-blank-rel-noopener.sh, bundle-8-L-019-dangerously-set-inner-html.sh, bundle-8-M-009-bare-usemutation.sh, test-naming-convention.sh Plus scripts/ci-guards/README.md documenting the contract: - Each script must exit 0 on clean repo, non-zero with ::error:: prefix on regression - Runnable from repo root via 'bash scripts/ci-guards/<id>.sh' - Adding a new guard: drop a new <id>.sh; CI auto-picks it up ci.yml dropped 1488 → 557 lines (-931, -63%). Single CI loop step now collects ALL guard failures before failing the build instead of fail-fast — UX win for regressions that hit two guards at once. Two guards (QA-doc Part-count + seed-count, ci.yml lines 868-917) deliberately NOT extracted — they move to 'make verify-docs' in Phase 11 because they protect docs-the-operator-reads, not the product itself. Verification (sandbox): - All 20 scripts pass against HEAD (chmod +x; for g in scripts/ci-guards/*.sh; do bash $g; done) - New ci.yml YAML-parses cleanly - Job boundaries preserved: go-build-and-test, frontend-build, helm-lint, deploy-vendor-e2e, deploy-vendor-e2e-windows - Loop step appears twice (once at end of go-build-and-test, once at end of frontend-build) so both jobs continue running their set of guards	2026-04-30 20:36:26 +00:00