certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:21:30 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	92afe359e9	Bundle O (Coverage Audit Closure): test hygiene + FSM coverage tables — M-004 + M-005 + M-006 closed Three deliverables shipped: O.1 (M-004): t.Skip rationale audit — 65 sites, 0 orphans O.2 (M-005): fuzz targets 9 -> 11 (+ParseNamedAPIKeys, +SanitizeForShell) O.3 (M-006): FSM coverage tables (5 FSMs catalogued) O.1 — t.Skip rationale audit: Inventoried all 65 t.Skip sites in the repo (audit-time estimate was 41; count grew via Bundle 0.7 keymem tests + Bundle M.Cloud httptest skips). Every site carries a valid rationale — none are orphan. Categories: OS-specific (~30), root-only (~5), external-dep (Docker/PostgreSQL/browser/Vault/DigiCert ~15), manual-test markers (Parts 23/24/55/56 — 4 from Bundle I), -short mode (~6), state-dependent (~5). All class (a) per Bundle O's classification. No edits required; the existing M-009 CI guard catches new orphan skips going forward. O.2 — Fuzz target additions: internal/config/config_fuzz_test.go::FuzzParseNamedAPIKeys Pins the CERTCTL_API_KEYS_NAMED env-var parser (dual-key rotation, Bundle G / L-004). 16 seed inputs covering happy-path, rotation pair, degenerate, whitespace-padded, wrong-case admin, 4-segment, adversarial chars in name, long inputs. internal/validation/command_fuzz_test.go::FuzzSanitizeForShell Appended to existing fuzz file. Asserts no panic + output begins+ ends with single-quote. 17 seed inputs covering plain, whitespace, embedded quotes/backticks/dollars, newlines, NULs, shell-metachar injection, unicode, 100x apostrophe stress, 10000x length stress. Total fuzz-target count: 9 -> 11 (per grep verification) O.3 — FSM coverage tables (NEW: tables/fsm-coverage.md): Job: legal 92%, illegal 100% ✓ Existential gate Certificate: legal 93%, illegal 100% ✓ Existential gate Agent: legal 75%, illegal 100% △ slight Degraded gap Notification: legal 86%, illegal 100% ✓ Health-check: legal 100% (recompute-on-tick model) ✓ 4/5 FSMs meet the ≥80% legal + 100% illegal gate. Agent's Degraded transitions are the lone gap; tracked as M-006-extended. Verification: go vet ./internal/config/... ./internal/validation/... clean go test -short -count=1 PASS grep -rE 'func Fuzz[A-Z]' --include='*_test.go' internal/ \| wc -l == 11 Audit deliverables: gap-backlog.md: M-004 + M-005 + M-006 strikethroughs + Bundle O closure-log entry covering all 3 sub-deliverables closure-plan.md: Bundle O [x] closed tables/fsm-coverage.md: NEW (5 FSMs catalogued) CHANGELOG.md: [unreleased] Bundle O entry	2026-04-27 18:06:06 +00:00

Author

SHA1

Message

Date

shankar0123

92afe359e9

Bundle O (Coverage Audit Closure): test hygiene + FSM coverage tables — M-004 + M-005 + M-006 closed

Three deliverables shipped:

  O.1 (M-004): t.Skip rationale audit — 65 sites, 0 orphans

  O.2 (M-005): fuzz targets 9 -> 11 (+ParseNamedAPIKeys, +SanitizeForShell)

  O.3 (M-006): FSM coverage tables (5 FSMs catalogued)

O.1 — t.Skip rationale audit:

  Inventoried all 65 t.Skip sites in the repo (audit-time estimate

  was 41; count grew via Bundle 0.7 keymem tests + Bundle M.Cloud

  httptest skips). Every site carries a valid rationale —

  none are orphan. Categories: OS-specific (~30), root-only (~5),

  external-dep (Docker/PostgreSQL/browser/Vault/DigiCert ~15),

  manual-test markers (Parts 23/24/55/56 — 4 from Bundle I),

  -short mode (~6), state-dependent (~5). All class (a) per Bundle

  O's classification. No edits required; the existing M-009 CI guard

  catches new orphan skips going forward.

O.2 — Fuzz target additions:

  internal/config/config_fuzz_test.go::FuzzParseNamedAPIKeys

    Pins the CERTCTL_API_KEYS_NAMED env-var parser (dual-key

    rotation, Bundle G / L-004). 16 seed inputs covering happy-path,

    rotation pair, degenerate, whitespace-padded, wrong-case admin,

    4-segment, adversarial chars in name, long inputs.

  internal/validation/command_fuzz_test.go::FuzzSanitizeForShell

    Appended to existing fuzz file. Asserts no panic + output begins+

    ends with single-quote. 17 seed inputs covering plain, whitespace,

    embedded quotes/backticks/dollars, newlines, NULs, shell-metachar

    injection, unicode, 100x apostrophe stress, 10000x length stress.

  Total fuzz-target count: 9 -> 11 (per grep verification)

O.3 — FSM coverage tables (NEW: tables/fsm-coverage.md):

  Job:           legal 92%, illegal 100%   ✓ Existential gate

  Certificate:   legal 93%, illegal 100%   ✓ Existential gate

  Agent:         legal 75%, illegal 100%   △ slight Degraded gap

  Notification:  legal 86%, illegal 100%   ✓

  Health-check:  legal 100% (recompute-on-tick model)   ✓

  4/5 FSMs meet the ≥80% legal + 100% illegal gate.

  Agent's Degraded transitions are the lone gap; tracked as

  M-006-extended.

Verification:

  go vet ./internal/config/... ./internal/validation/...   clean

  go test -short -count=1                                  PASS

  grep -rE 'func Fuzz[A-Z]' --include='*_test.go' internal/ | wc -l == 11

Audit deliverables:

  gap-backlog.md: M-004 + M-005 + M-006 strikethroughs + Bundle O

    closure-log entry covering all 3 sub-deliverables

  closure-plan.md: Bundle O [x] closed

  tables/fsm-coverage.md: NEW (5 FSMs catalogued)

  CHANGELOG.md: [unreleased] Bundle O entry

2026-04-27 18:06:06 +00:00

1 Commits