5 Commits

Author	SHA1	Message	Date
Shankar	90f0cab204	fix(bundle-6): Audit Integrity + Privacy — 3 audit findings closed ... Closes Audit-2026-04-25 H-008 (High), M-017 (Medium), M-022 (Medium). Hardens audit-trail tamper-resistance + minimizes PII leakage in one cohesive change, with both controls applying automatically and no operator action required at install time. What changed - internal/service/audit_redact.go (NEW) — RedactDetailsForAudit: * credentialKeys deny-list (api_key, password, *_pem, eab_secret, ...) * piiKeys deny-list (email, phone, ssn, name, address, ip_address, ...) * case-insensitive key match; recurses into nested maps + arrays * mutation-free; surfaces redacted_keys array for operator visibility * nil/empty input → nil out (preserves pre-Bundle-6 behaviour) - internal/service/audit.go — RecordEvent now routes details through RedactDetailsForAudit BEFORE marshaling. No call-site changes required. - internal/service/audit_redact_test.go (NEW) — full coverage: * credential keys (~30 entries) * PII keys (~20 entries) * nested maps + arrays * case-insensitivity * mutation-free invariant * JSON round-trip (catches type-assertion regressions) * scalar pass-through (no panic on int/bool/nil) - migrations/000018_audit_events_worm.up.sql (NEW) — DB-level WORM: * BEFORE UPDATE OR DELETE trigger raises check_violation with diagnostic citing the rationale + compliance-superuser hint * REVOKE UPDATE,DELETE ON audit_events FROM certctl (defence-in-depth) * REVOKE wrapped in pg_roles existence check so test fixtures without the certctl role stay idempotent - migrations/000018_audit_events_worm.down.sql (NEW) — clean teardown for dev resets; not for production use. - internal/repository/postgres/audit_worm_test.go (NEW, testcontainers, -short gated) — INSERT succeeds; UPDATE + DELETE fail with check_violation; second INSERT after blocked modification still succeeds (no trigger-state corruption). - docs/compliance.md — new section "Audit-Trail Integrity & Privacy (Bundle 6)" with verification psql snippet, compliance-superuser pattern (NOT auto-created), redactor before/after example, and a maintenance note for adding new credential keys. Compliance mapping - H-008 (CWE-532 Insertion of Sensitive Information into Log File) - M-017 (HIPAA Technical Safeguards §164.312(b) — audit controls) - M-022 (GDPR Art. 32 — data minimization) Threat model: TB-3 (audit log tampering), TB-1 (operator/orchestrator). Verification - go vet ./... → clean - go build ./... → clean - go test -short -count=1 ./... → all packages pass - go test -count=1 -run TestRedactDetailsForAudit ./internal/service/... → all pass - (testcontainers, gated by -short) audit_worm_test.go pins WORM contract - npx tsc --noEmit (web) → clean (no frontend changes) - python3 yaml.safe_load(api/openapi.yaml) → 89 paths Backward compatibility - Trigger applies forward only — existing rows unchanged. - nil/empty details from RecordEvent callers → nil out (preserves prior behaviour for the many existing call sites that pass nil). - Compliance superusers (provisioned out-of-band) bypass the trigger. Bundle 6 of the 2026-04-25 comprehensive audit.	2026-04-26 00:26:44 +00:00
Shankar	c2e9ebf62f	fix(m2-pr-d): thread ctx through Job/Notification/Audit services ... Collapse CancelJobWithContext into CancelJob; eliminate 10 context.Background() hits across the Job+Notification+Audit service cluster by threading ctx through their handler-facing service interfaces. Services (ctx-first): - service/job.go: ListJobs, GetJob, CancelJob, ApproveJob, RejectJob now accept ctx; the CancelJobWithContext wrapper is removed (handler callers continue to invoke CancelJob, now ctx-aware). - service/notification.go: ListNotifications, GetNotification, MarkAsRead accept ctx. - service/audit.go: ListAuditEvents, GetAuditEvent accept ctx. Handlers (interface + callsites): - handler/jobs.go, handler/notifications.go, handler/audit.go: local service interfaces updated, r.Context() threaded at every callsite. Tests: - Mock services updated to match the new interfaces (ctx accepted and ignored via '_ context.Context' first parameter; Fn closure fields unchanged). - job_test.go / notification_test.go callsites thread context.Background() to match production shape. Verification: go build ./... ok go vet ./... ok go test -short ./... ok go test -race -short ./... ok golangci-lint run ./... 0 issues Locked decisions from the M-2 plan: D-1 ctx-only signatures (no dual forms) D-4 preserve handler method names facing the router D-5 domain types stay ctx-free Audit complete. Commit: 855124a9d9. Sections: 12. Findings: 2/7/10/4/6.	2026-04-18 01:20:46 +00:00
Shankar	9918f2f5cb	Fix runtime bugs, implement service layer, and overhaul documentation ... Runtime fixes: - Fix env var mismatch (CERTCTL_DB_URL → CERTCTL_DATABASE_URL) - Fix table name mismatches (certificates → managed_certificates, notifications → notification_events) - Add renewal_policy_id to certificate queries - Remove non-existent created_at from notification queries - Add env var fallback for agent CLI flags - Graceful degradation for missing notifiers/issuers in demo mode - Copy web/ directory in Dockerfile for dashboard serving Service layer: - Implement handler-service interface pattern across all services - Wire up certificate, agent, job, policy, team, owner, audit, notification services Documentation: - Add concepts.md: beginner-friendly guide to TLS, CAs, private keys - Rewrite quickstart.md with accurate API examples matching actual handlers - Add demo-advanced.md: interactive demo with cert issuance and automated script - Update architecture.md with correct table names and connector interfaces - Update connectors.md to match actual Go interface signatures - Update demo-guide.md with cross-references to new docs Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-14 21:38:11 -04:00
shankar0123	3a9fe8ba37	Complete V1 scaffold	2026-03-14 20:01:53 -04:00
shankar0123	d395776a95	Initial scaffold: certificate control plane v0.1.0	2026-03-14 08:22:17 -04:00