certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:11:29 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
shankar0123	910097eb30	fix(migrations): 000043 idempotency — wrap CHECK + UNIQUE adds in DO blocks Cold-DB compose smoke ran the migration ladder twice (first cold-boot, then smoke step 4 force-recreate certctl-server with the bootstrap token env var). On the second run, 000043 fails with: pq: constraint "actor_roles_scope_type_enum" for relation "actor_roles" already exists Server then crashloops trying the same migration every ~10s until the healthcheck times out and the smoke gives up (5 min wall clock). Root cause: internal/repository/postgres/db.go::RunMigrations has no schema_migrations tracker — every .up.sql runs on every boot. That makes idempotency mandatory; the CLAUDE.md architecture decision 'Idempotent migrations. IF NOT EXISTS + ON CONFLICT for safe repeated execution' is the contract every migration must honor. Most do; 000043 didn't. PostgreSQL CHECK constraints don't support IF NOT EXISTS directly, so each non-idempotent statement gets wrapped in a DO block that guards against duplication via pg_constraint lookup. The canonical pattern lives in migrations/000033_approval_kinds.up.sql — mirrored here exactly. ADD COLUMN already used IF NOT EXISTS; DROP CONSTRAINT already used IF EXISTS; CREATE INDEX already used IF NOT EXISTS. Only the two ADD CONSTRAINT CHECK and one ADD CONSTRAINT UNIQUE needed the DO-block wrap. Wrapped in BEGIN/COMMIT to match 000033 — keeps all schema changes inside a single transaction. Behavior: - Fresh DB: every DO block runs the ADD CONSTRAINT (no row in pg_constraint yet). Schema lands identically to the non-idempotent original. - Warm DB (constraints already present): every DO block short-circuits via the NOT EXISTS guard. Migration is a no-op. Same bug class as 2026-05-09 migration 000045 broken INSERT (commit `def4be9`) and the 2026-05-09 migration 000029 PRIMARY KEY fix. THIRD time the non-idempotent migration pattern slipped past code review — strongly suggests a CI guard that scans every .up.sql for un-guarded ADD CONSTRAINT is the next follow-up. Audit-Closes: post-v2.1.0-anti-rot/item-6 Audit-Closes: audit-2026-05-10/HIGH-10-followon	2026-05-12 15:31:55 +00:00
shankar0123	72b54ce850	feat(auth/rbac): scope_type+scope_id+expires_at on role grants (HIGH-10) Audit 2026-05-10 — close HIGH-10 from the HANDOFF.md backend batch (item 1). Per-actor scoped + time-bound role grants are now expressible via the API. Migration 000043: adds scope_type TEXT NOT NULL DEFAULT 'global' + scope_id TEXT to actor_roles. Constraints: - actor_roles_scope_type_enum: scope_type ∈ {global, profile, issuer} - actor_roles_scope_id_required_when_not_global: scope_id is NULL iff scope_type='global' - Uniqueness extended: (actor_id, actor_type, role_id, scope_type, scope_id, tenant_id) — so an operator can grant the same role to the same actor scoped to multiple profiles/issuers (e.g. r-operator on p-finance AND on p-engineering). Index idx_actor_roles_scope for non-global lookup hot paths. Domain: ActorRole.ScopeType (ScopeType enum) + ScopeID (*string). Authorizer.CheckPermission already understands the tuple via the parallel role_permissions columns; this addition gives operators a per-actor knob without forking roles. Postgres repo: Grant writes scope_type+scope_id with ON CONFLICT keyed on the new uniqueness tuple. Defaults to (global, NULL) when caller omits. Handler: assignRoleRequest extended with scope_type / scope_id / expires_at. Validation: - role_id required (unchanged) - scope_type defaults to 'global'; allowed values global/profile/ issuer; anything else → 400 - scope_id required when scope_type ∈ {profile, issuer}; rejected (must be empty) when scope_type='global' - expires_at must be in the future when present; nil = standing Regression matrix in internal/api/handler/auth_test.go (6 cases): - TestAssignRoleToKey_HIGH10_ProfileScopeBoundGrantPersists - TestAssignRoleToKey_HIGH10_TimeBoundGrantPersists - TestAssignRoleToKey_HIGH10_RejectsScopeIDWithGlobalScope - TestAssignRoleToKey_HIGH10_RejectsMissingScopeIDOnProfile - TestAssignRoleToKey_HIGH10_RejectsPastExpiry - TestAssignRoleToKey_HIGH10_RejectsInvalidScopeType HIGH-10 marked CLOSED in audit-doc — the v3 deferral from the prior session is reversed; everything lands in v2. Refs: cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 1 cowork/auth-bundles-audit-2026-05-10.md HIGH-10	2026-05-10 22:47:45 +00:00

shankar0123

910097eb30

fix(migrations): 000043 idempotency — wrap CHECK + UNIQUE adds in DO blocks

Cold-DB compose smoke ran the migration ladder twice (first cold-boot,
then smoke step 4 force-recreate certctl-server with the bootstrap
token env var). On the second run, 000043 fails with:

  pq: constraint "actor_roles_scope_type_enum" for relation
  "actor_roles" already exists

Server then crashloops trying the same migration every ~10s until the
healthcheck times out and the smoke gives up (5 min wall clock).

Root cause: internal/repository/postgres/db.go::RunMigrations has
no schema_migrations tracker — every *.up.sql runs on every boot.
That makes idempotency mandatory; the CLAUDE.md architecture
decision 'Idempotent migrations. IF NOT EXISTS + ON CONFLICT for
safe repeated execution' is the contract every migration must
honor. Most do; 000043 didn't.

PostgreSQL CHECK constraints don't support IF NOT EXISTS directly,
so each non-idempotent statement gets wrapped in a DO block that
guards against duplication via pg_constraint lookup. The canonical
pattern lives in migrations/000033_approval_kinds.up.sql — mirrored
here exactly. ADD COLUMN already used IF NOT EXISTS; DROP
CONSTRAINT already used IF EXISTS; CREATE INDEX already used IF
NOT EXISTS. Only the two ADD CONSTRAINT CHECK and one ADD
CONSTRAINT UNIQUE needed the DO-block wrap.

Wrapped in BEGIN/COMMIT to match 000033 — keeps all schema
changes inside a single transaction.

Behavior:
  - Fresh DB: every DO block runs the ADD CONSTRAINT (no row in
    pg_constraint yet). Schema lands identically to the
    non-idempotent original.
  - Warm DB (constraints already present): every DO block
    short-circuits via the NOT EXISTS guard. Migration is a no-op.

Same bug class as 2026-05-09 migration 000045 broken INSERT
(commit def4be9) and the 2026-05-09 migration 000029 PRIMARY KEY
fix. THIRD time the non-idempotent migration pattern slipped past
code review — strongly suggests a CI guard that scans every
*.up.sql for un-guarded ADD CONSTRAINT is the next follow-up.

Audit-Closes: post-v2.1.0-anti-rot/item-6
Audit-Closes: audit-2026-05-10/HIGH-10-followon

2026-05-12 15:31:55 +00:00

shankar0123

72b54ce850

feat(auth/rbac): scope_type+scope_id+expires_at on role grants (HIGH-10)

Audit 2026-05-10 — close HIGH-10 from the HANDOFF.md backend batch
(item 1). Per-actor scoped + time-bound role grants are now
expressible via the API.

Migration 000043: adds scope_type TEXT NOT NULL DEFAULT 'global' +
scope_id TEXT to actor_roles. Constraints:
  - actor_roles_scope_type_enum: scope_type ∈ {global, profile, issuer}
  - actor_roles_scope_id_required_when_not_global: scope_id is NULL
    iff scope_type='global'
  - Uniqueness extended: (actor_id, actor_type, role_id, scope_type,
    scope_id, tenant_id) — so an operator can grant the same role to
    the same actor scoped to multiple profiles/issuers (e.g.
    r-operator on p-finance AND on p-engineering).
Index idx_actor_roles_scope for non-global lookup hot paths.

Domain: ActorRole.ScopeType (ScopeType enum) + ScopeID (*string).
Authorizer.CheckPermission already understands the tuple via the
parallel role_permissions columns; this addition gives operators a
per-actor knob without forking roles.

Postgres repo: Grant writes scope_type+scope_id with ON CONFLICT keyed
on the new uniqueness tuple. Defaults to (global, NULL) when caller
omits.

Handler: assignRoleRequest extended with scope_type / scope_id /
expires_at. Validation:
  - role_id required (unchanged)
  - scope_type defaults to 'global'; allowed values global/profile/
    issuer; anything else → 400
  - scope_id required when scope_type ∈ {profile, issuer}; rejected
    (must be empty) when scope_type='global'
  - expires_at must be in the future when present; nil = standing

Regression matrix in internal/api/handler/auth_test.go (6 cases):
  - TestAssignRoleToKey_HIGH10_ProfileScopeBoundGrantPersists
  - TestAssignRoleToKey_HIGH10_TimeBoundGrantPersists
  - TestAssignRoleToKey_HIGH10_RejectsScopeIDWithGlobalScope
  - TestAssignRoleToKey_HIGH10_RejectsMissingScopeIDOnProfile
  - TestAssignRoleToKey_HIGH10_RejectsPastExpiry
  - TestAssignRoleToKey_HIGH10_RejectsInvalidScopeType

HIGH-10 marked CLOSED in audit-doc — the v3 deferral from the prior
session is reversed; everything lands in v2.

Refs: cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 1
      cowork/auth-bundles-audit-2026-05-10.md HIGH-10

2026-05-10 22:47:45 +00:00

2 Commits