CI on the Bundle J merge (0eacde5) failed at golangci-lint:
internal/connector/issuer/acme/acme_failure_test.go:244:3:
QF1002: could use tagged switch on r.URL.Path (staticcheck)
TestGetRenewalInfo_ARI5xx had a switch{} with case r.URL.Path == ...
which staticcheck QF1002 flags as a quick-fix candidate (use tagged
switch instead). The function also accumulated dead ts/ts2/ts3 setup
from earlier iteration — only ts3 was actually used by the assertion.
This commit:
- Collapses the 3-server scaffold into a single ts using if/return
instead of switch (sidesteps QF1002 entirely + removes ~25 LoC of
dead code)
- Verifies via 'staticcheck -checks all' (which includes QF*) that
the package is clean except for pre-existing ST1000 hits in
acme.go/ari.go/dns.go/profile.go (out of scope for this fix)
Verification:
staticcheck -checks all internal/connector/issuer/acme/... clean
(excluding 4 pre-existing ST1000 'missing package comment')
go vet ./internal/connector/issuer/acme/... clean
go test -short ./internal/connector/issuer/acme/... PASS
Coverage unchanged at 55.6% (the test logic was already correct;
this commit only removes lint friction).
CI run #295 surfaced an L-019 guard regression: my Pass 3 XSS-hardening
test docstrings cite 'dangerouslySetInnerHTML' by name to explain what the
test is guarding against (e.g., 'a careless refactor to
dangerouslySetInnerHTML would let an attacker-controlled CSR deliver an
XSS payload'). The grep guard caught the literal string in the comments.
The guards exist to prevent PRODUCTION code from regressing. Tests
describing the threat by name aren't using it. Fix all three text-pattern
guards to exclude *.test.{ts,tsx} files via grep -vE pattern; the test
code itself can't sneak past, only docstrings + fixture data.
Guards updated:
- L-015 target=_blank rel=noopener (defensive — currently no test
references but symmetric with L-019)
- L-019 dangerouslySetInnerHTML — fixes the active CI break
- M-009 hard-zero useMutation — symmetric defensive update
Verification:
python3 yaml.safe_load YAML OK
L-019 grep -vE simulation PASS (test docstrings excluded)
L-015 grep -vE simulation PASS (no offenders)
M-009 grep -vE simulation PASS (still 0 bare useMutation)
Second CI run surfaced 8 real failures across 7 detail/list pages and 1
mock-shape error. Root causes:
1. Multi-match disambiguation. screen.getByText(...) matched both the
PageHeader <h2> AND duplicated text in InfoRow / detail-row spans
within the same page (e.g., issuer name appears as page title AND
in the Issuer Details panel; cert.common_name appears as page title
AND in the Common Name InfoRow). The regex variants (getByText(/X/i))
were even worse — matched any element containing the substring.
2. NetworkScanPage mock-shape. xssScanTarget.ports was '443,8443'
(string), but NetworkScanPage.tsx:180 calls t.ports?.join() which
requires a number[] per src/api/types.ts:506. Page errored before
rendering the DataTable, so the XSS test's body.textContent
assertion saw an empty string.
Fixes:
- Every page-title assertion in the 14 Pass 3 test files now uses
screen.getByRole('heading', { level: 2, name: ... }), which matches
ONLY the PageHeader <h2> (PageHeader.tsx:11 renders an actual <h2>).
Detail-row spans / InfoRow text / column-header text in lower-level
headings (h3) is excluded by the level filter.
- NetworkScanPage xssScanTarget.ports changed from '443,8443' (string)
to [443, 8443] (number[]) per the NetworkScanTarget TS type.
Pages with assertion fixes (8 tests across 7 files):
- AgentFleetPage /Agent/i -> 'Agent Fleet Overview' (h2)
- AuditPage /Audit/ -> 'Audit Trail' (h2)
- CertificateDetailPage 'plain.example.com' (text) -> heading h2
- HealthMonitorPage /Health/i -> 'Health Monitor' (h2)
- IssuerDetailPage 'Plain Name' (text) -> heading h2
- JobDetailPage /j-xss-001/ (text) -> heading h2
- JobsPage /Jobs/i -> 'Jobs' (h2)
- ProfilesPage /Profile/i -> 'Certificate Profiles' (h2)
- TargetDetailPage 'Plain Name' (text) -> heading h2
Plus 4 already-correct pages updated for consistency:
- DigestPage text 'Certificate Digest' -> heading h2
- ObservabilityPage text 'Observability' -> heading h2
- NetworkScanPage /Network/i -> 'Network Scanning' (h2)
- ShortLivedPage text 'Short-Lived...' -> heading h2
Mock-shape fix:
- NetworkScanPage.test.tsx ports: '443,8443' -> [443, 8443]
End-to-end audit:
Every Pass 3 test now anchors on the unambiguous PageHeader <h2>;
no remaining getByText() with regex or substring that could spuriously
multi-match. Mock data shapes verified against src/api/types.ts
interfaces (NetworkScanTarget, MetricsResponse, ManagedCertificate).
CI surfaced two real failures in the Pass 3 tests:
1. ObservabilityPage.test.tsx — tests 2 + 3 mocked getMetrics with only
the uptime field, but ObservabilityPage.tsx:85 reads metrics.gauge
.certificate_total. Test 2 silently 'passed' because the page error
bailed out before any rendering took place — its assertions (no live
<script>, __xss_pwned__ undefined) became vacuous; test 3 surfaced
the actual TypeError. Fix: every getMetrics mock now returns the full
MetricsResponse shape (gauge / counter / uptime) per src/api/types.ts
:517 — sanity-checked against the actual TS interface.
2. CertificateDetailPage.test.tsx — the xssCert mock was missing
updated_at, which CertificateDetailPage.tsx:605 reads through
formatDateTime. formatDateTime tolerates undefined per utils.ts:6,
so the page didn't throw, but the cert mock should mirror the real
ManagedCertificate shape — added updated_at.
Both fixes are mock-shape corrections; no production code changes.
Closes M-029 Pass 3 fully. Every src/pages/*.tsx now has a *.test.tsx peer.
Audit recon: 'comm -23 <pages> <test-peers>' returns zero (all 14 T-1-deferred
pages now covered).
Test files added (each ships render-coverage + an XSS-hardening contract):
- HealthMonitorPage.test.tsx endpoint URL + last_error payloads
- JobsPage.test.tsx type / certificate_id / agent_id /
error_message payloads
- NetworkScanPage.test.tsx network_range / agent_id / last_scan_message
payloads
- ProfilesPage.test.tsx profile name / description / EKUs payloads
- AgentFleetPage.test.tsx agent name / hostname / OS / arch / IP
payloads (mirrors the M-003 MCP fence shape)
Pass 3 totals across batches A + B + C: 14 new test files, 14/14 T-1-deferred
pages closed. Each test pins three invariants:
1. The page renders against mock data without crashing.
2. No live <script data-xss='...'> attaches to the DOM.
3. The literal payload appears as escaped text content (proving the page
surfaces the data without rendering it as HTML).
M-029 status after Pass 3:
Pass 1 — useMutation -> useTrackedMutation COMPLETE (6 batches, 56 -> 0)
Pass 2 — useState pagination -> useListParams COMPLETE (CertificatesPage)
Pass 3 — XSS-hardening test suites COMPLETE (14/14 pages)
M-029 IS NOW READY TO CLOSE.
Continues Pass 3. Each detail page has its own narrow attack surface
(subject DN, last_test_message, error_message) that the test exercises
with literal <script> payloads in every text field.
Test files added:
- CertificateDetailPage.test.tsx cert subject / SANs / serial / PEM
across 7 sidecar queries (getCertificate,
getCertificateVersions, getTargets,
getProfile, getProfiles, getRenewalPolicies,
getJobs all mocked in beforeEach)
- IssuerDetailPage.test.tsx issuer name / type / config / last_test_message
(router-aware test using Routes + useParams)
- TargetDetailPage.test.tsx target name / config / last_test_message
(router-aware test pattern)
- JobDetailPage.test.tsx job error_message / type / details
(3-query mock: getJob + getJobVerification +
getAuditEvents)
Closes 9 of 14 T-1-deferred pages toward M-029 Pass 3 completion (5 batch A,
+ 4 batch B = 9; 5 to go in batch C).
Pass 3 of M-029 ships per-page render + XSS-hardening test suites for the
14 T-1-deferred pages. Each test:
- Renders the page with mock data containing <script> payloads in every
text-rendering field.
- Asserts no live <script data-xss='...'> element attached to the DOM.
- Asserts no global side-effect from the script body executed (window
__xss_pwned__ stays undefined).
- Asserts the literal payload text appears as escaped content (proving
the page surfaces the data without rendering it as HTML).
Batch A: 5 simpler pages (display-only / single-mutation / login).
Test files added:
- DigestPage.test.tsx preview HTML payload + render coverage
- LoginPage.test.tsx useAuth.error payload + form invariants
(mocked AuthProvider via Layout.test pattern)
- ShortLivedPage.test.tsx cert subject DN / SAN / id / environment
payloads through the DataTable rendering
- AuditPage.test.tsx audit-event action / actor / resource_*
payloads through the DataTable rendering
- ObservabilityPage.test.tsx health.status + Prometheus text payloads
through the <pre> rendering surface
Closes 5 of 14 T-1-deferred pages toward M-029 Pass 3 completion.
M-029 Pass 2 surface turned out to be much smaller than the audit estimated:
the only page with real UI-driven pagination + filter state stored in
useState was CertificatesPage. Most other pages either fetch filter-dropdown
data with hardcoded per_page (sidecars, not pagination) or use
useSearchParams directly already. So Pass 2 is a single-page migration.
What changed:
- 9 useState hooks (statusFilter, envFilter, issuerFilter, ownerFilter,
profileFilter, teamFilter, expiresBefore, sortBy, page, perPage) collapse
into a single useListParams({ pageSize: 50 }) call.
- All filter onChange handlers now call setFilter('<key>', value).
- setFilter automatically resets page to 1 on every filter / sort change,
so the manual setPage(1) calls at three sites (team / expires_before /
sort) are no longer needed — the F-1 contract is now enforced by the
hook, not by hand-rolled setPage calls scattered through onChange.
- Pagination handler simplified: onPerPageChange: setPageSize (the hook
drops the page param from the URL when pageSize changes).
Behavior preserved:
- The 8 filter keys (status / environment / issuer_id / owner_id /
profile_id / team_id / expires_before / sort) still flow through
getCertificates with the same param names — pinned by the existing
CertificatesPage.test.tsx F-1 contract tests.
- Default pageSize stays at 50 (matches the F-1 baseline; the hook's
global default is 25 but the per-page override takes precedence).
- Page reset on filter / per_page change preserved (now hook-enforced).
Side benefit: filter / sort / pagination state is now URL-resident (browser
deep-link + back-button correct). Sharing a filtered list view is now a
URL copy, not a 'recreate this filter combo by hand' message.
Verification:
legacy useMutation count still 0 (Pass 1 invariant intact)
CertificatesPage useListParams 0 -> 1 site
CertificatesPage local pagination removed
Pass 1 finished — every src/ useMutation now goes through useTrackedMutation.
Promote the M-009 guard to a hard-zero invariant: any bare useMutation() call
outside web/src/hooks/useTrackedMutation.ts fails CI immediately.
Pre-Bundle-8 the codebase had 56 bare useMutation sites. Bundle 8 shipped the
wrapper. M-029 Pass 1 migrated all 56 sites to the wrapper across 6 batches
(commits 08ffbad / 73c6883 / 64c6cd0 / d5541fe / 1c960ff / 1baefd4). With the
soft-budget gate now obsolete, the hard-zero gate prevents drift back into
the discretionary-invalidation pattern that motivated M-009 in the first place.
Rationale: per-site enforcement (the wrapper's discriminated-union invalidates
contract) is strictly stronger than the +5 budget guard. The guard's failure
mode also improves: instead of a count delta the operator has to interpret,
they get the exact file:line(s) of the offending bare useMutation call.
Verification:
python3 yaml.safe_load YAML OK
manual guard simulation PASS: bare useMutation = 0 outside wrapper
Drains the last 10 useMutation sites (10 -> 0). Pass 1 is now COMPLETE:
every legacy useMutation site in src/pages and src/components has been
migrated to useTrackedMutation with explicit invalidates contract. The only
remaining useMutation reference in the codebase is inside useTrackedMutation.ts
itself (the wrapper).
Pages migrated:
- CertificateDetailPage.tsx 5 mutations across 2 components:
InlinePolicyEditor.saveMutation invalidates
[['certificate', certId]];
main page renew/deploy/archive/revoke invalidate
various combinations of [['certificate', id]]
and [['certificates']].
(queryClient + useQueryClient dropped from both)
- OnboardingWizard.tsx 5 mutations across 4 components:
Issuer step create/test invalidates [['issuers']]
(test refreshes last_tested_at server-side);
CreateTeamModalInline.create invalidates [['teams']];
CreateOwnerModalInline.create invalidates [['owners']];
CertificateStep.create invalidates
[['certificates'], ['dashboard-summary']].
(queryClient + useQueryClient dropped from all 4)
Verification:
legacy useMutation calls 10 -> 0 (-10) — Pass 1 COMPLETE
useTrackedMutation count 46 -> 61 (+15; some 5-mutation pages collapse
two invalidate-pairs into one array literal,
hence net is greater than the +10 removal)
Pass 1 totals: 56 useMutation sites -> 0; 0 useTrackedMutation -> 61.
Total work in Pass 1: 6 batches across 21 page files merged --no-ff to master.
Closes the 2026-04-25 audit's final-closure cluster. Score 51/55 -> 54/55
(98% closed); deferred 4/7 -> 7/7 (100%). All severity-graded findings now
closed except M-029 (frontend per-PR migration backlog, by design incremental).
L-004 (CWE-924) — dual-key API rotation overlap window:
internal/config/config.go::ParseNamedAPIKeys rewritten to allow same-name
duplicate entries iff admin flag matches. Mismatched-admin entries rejected
at startup (privilege escalation guard); exact (name,key) duplicates rejected
(typo guard — rotation requires DIFFERENT keys under the same name). Startup
INFO log per name with multiple entries surfaces the active rotation window.
NewAuthWithNamedKeys was already shaped correctly (constant-time hash compare
across all entries, same UserKey + AdminKey for either bearer); Bundle B's
M-025 per-user rate-limit bucket and audit-trail actor inherit consistency
across the rollover automatically. 8 new tests pin the contract end-to-end.
docs/security.md::API key rotation walks the 6-step zero-downtime rollover.
D-003 — Mutation testing wired:
security-deep-scan.yml gets a go-mutesting step covering ./internal/crypto/...,
./internal/pkcs7/..., ./internal/connector/issuer/local/... with per-package
summary lines extracted into go-mutesting.txt artefact.
D-007 — Frontend semgrep wired (recon found Bundle 7's wiring claim was false):
security-deep-scan.yml gets a 'semgrep p/react-security' step running
returntocorp/semgrep:latest --config=p/react-security against /src/web/src;
results uploaded as semgrep-react.json.
D-004 + D-005 — Operator runbook published:
docs/testing-strategy.md (NEW) consolidates per-tool local-run procedures,
acceptance thresholds, and triage paths for go-mutesting, ZAP baseline DAST,
testssl.sh, and semgrep p/react-security. Closes the 'wired CI-only, no
local-run validation' framing for D-004/D-005 by giving operators the same
commands the CI workflow runs.
Verification:
gofmt -l no diff
go vet ./internal/config/... ./internal/api/middleware/... clean
go test -short -count=1 ./internal/config/... ./internal/api/middleware/... PASS
python3 -c 'yaml.safe_load(...)' YAML OK
G-3 env-var docs guard no phantom env-vars
Audit deliverables:
audit-report.md: L-004 + D-003/4/5/7 boxes flipped [x]; score 51/55 -> 54/55
findings.yaml: 5 status flips; new bundle-G-final-closure closure_log entry
CHANGELOG.md: Bundle G entry under [unreleased]; supersedes Bundle E + F
L-004-deferred framing
CI on the bundle-F merge (run #24972730564) failed the G-3 env-var
docs guardrail because docs/legacy-est-scep.md mentioned
CERTCTL_EST_PROXY_TRUSTED_SOURCES
CERTCTL_EST_TRUST_PROXY_CLIENT_CERT_HEADER
which are documented as future-feature env vars but don't exist in
config.go. The G-3 guard treats any env-var name in docs that's not
either defined in source OR on the documented integration-surface
allowlist as drift.
The runbook's 'certctl-side configuration' section was over-promising
features that haven't shipped yet. Rewritten to be honest:
- Current implementation is header-agnostic (X-SSL-Client-Cert is
ignored). EST/SCEP authentication still works correctly because
both protocols carry their own auth (CSR signature for EST,
challengePassword for SCEP) inside the request body.
- The reverse proxy is purely a TLS-version bridge.
- Future-feature description retained in prose form (without
literal env-var names) so an operator who needs proxy-supplied
client identity knows to open an issue.
The nginx config block's comment was also rewritten to reflect the
header-agnostic default. The proxy still SETS the headers (cheap,
no-op when ignored); a future commit can flip certctl to read them
behind a fail-closed CIDR allowlist + opt-in toggle.
Verification:
grep -rnE 'CERTCTL_EST_PROXY|CERTCTL_EST_TRUST' README.md docs/ deploy/helm/
— empty (G-3 guard now passes for these names)
Closes H-001 + M-012 + M-014 from comprehensive-audit-2026-04-25.
H-001 (CWE-829) — Container base images SHA-pinned
Pre-bundle: 5 FROM lines pulled by tag only — registry-side tag
swap could silently change the build.
Post-bundle: every FROM pinned to immutable digest fetched live
from Docker Hub at audit time:
node:20-alpine@sha256:fb4cd12c85ee03686f6af5362a0b0d56d50c58a04632e6c0fb8363f609372293
golang:1.25-alpine@sha256:5caaf1cca9dc351e13deafbc3879fd4754801acba8653fa9540cea125d01a71f (x2)
alpine:3.19@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1 (x2)
Dockerfile header comment documents the operator bump procedure
(quarterly cadence; docker manifest inspect or Hub Registry API).
CI step Forbidden bare FROM regression guard (H-001) fails build
if any new FROM lacks @sha256.
M-012 (CWE-250) — Verified-already-clean + USER guard
Recon found both Dockerfile:75 and Dockerfile.agent:59 already
carry USER certctl directives; pre-USER RUN calls are build-setup
steps that legitimately need root, each happening before the
USER drop.
CI step Forbidden missing USER regression guard (M-012) greps
every Dockerfile* for the LAST USER directive; fails build if
missing OR equals root/0. Future Dockerfile additions must
preserve the privilege drop.
M-014 — npm ci explicit retry helper
Pre-bundle Dockerfile:25:
RUN npm ci --include=dev || npm ci --include=dev && \
tsc --version && npm run build
Broken bash precedence: A || (B && C && D) means tsc+build only
ran on success path of the second npm ci. A transient registry
blip silently skipped the production step — build would succeed
with no node_modules + no tsc verification.
Post-bundle: deterministic 3-attempt retry loop with 5s backoff
plus explicit [ -d node_modules ] post-check that fails loudly
if directory wasn't created. Silent failure is now impossible.
Audit deliverables:
audit-report.md: H-001/M-012/M-014 flipped [x] with closure
notes; score 49/55 closed (High 9/9 = 100%; Medium 24/27;
Low 19/19 with L-004 deferred). All High audit findings now
closed for the first time.
findings.yaml: 3 status flips
CHANGELOG.md: Bundle A section
Verification:
Self-test of both new CI guards locally — PASS for current state
(every FROM has @sha256; every Dockerfile drops to non-root).
Closes L-009 + L-010 + L-011 + L-013 + L-020 + L-021 from
comprehensive-audit-2026-04-25. L-004 deferred — recon found NO
rotation infrastructure exists at all; building it from scratch is
a feature project, not a Bundle-E mechanical sweep.
L-009 — ZeroSSL EAB URL configurable
Audit's 'no timeout' claim was wrong: ari.go:329 has 15s timeout.
internal/connector/issuer/acme/acme.go: zeroSSLEABEndpoint now
lazily reads CERTCTL_ZEROSSL_EAB_URL from env at package init;
defaults to ZeroSSL public endpoint. Pre-existing test override
path preserved.
L-010 — Verified-already-clean
grep -rn 'mock\.Anything' --include='*_test.go' . returned 0.
certctl uses hand-rolled struct mocks (mockJobRepo, mockAuditRepo,
etc.) with explicit method bodies; no testify-style mocks anywhere.
L-011 — IPv6 bracket-aware dialing pinned
Every production net.Dial / DialTimeout site audited:
cmd/agent/main.go:293 — intentional IPv4 literal '8.8.8.8:80'
verify.go / tlsprobe / network_scan — net.Dialer (no string addr)
email.go — net.JoinHostPort (bracket-aware)
ssh.go — addr derives from JoinHostPort upstream
ssrf.go — net.Dialer
internal/connector/notifier/email/email_ipv6_test.go (NEW):
TestJoinHostPort_IPv6BracketsRoundTrip pins IPv4/IPv6/zone variants;
TestSMTPDialerUsesJoinHostPort source-greps email.go and fails CI
if a future refactor swaps in 'host:port' concatenation.
L-013 — Verified-already-clean (monotonic-safe)
Only one site uses now.Sub: middleware.go:393 in tokenBucket.allow().
Both 'now' and tb.lastRefill come from time.Now() which carries
monotonic-clock readings per Go's time package contract;
intra-process now.Sub is monotonic-safe by construction. Doc
comment block added above the call to make the invariant explicit.
L-020 (CWE-563) — ineffassign sweep, 8 unique sites
certificate.go:135 — sortDir initial value dropped (set
unconditionally below by SortDesc branch).
certificate.go:169,175 — argCount post-increments dropped (var
not read past the LIMIT/OFFSET formatting).
agent_group.go, profile.go — page/perPage truly vestigial,
replaced with _ = page; _ = perPage.
issuer.go:633, owner.go:131, target.go:267, team.go:131 — same
treatment for the audit-flagged second-function ListXxx clamps.
First-function List() in issuer/owner/target/team KEEPS its
clamp because page/perPage is used for in-memory slice
pagination — ineffassign correctly didn't flag those.
Build + tests green post-sweep.
L-021 — Transitive CVE bump
go get golang.org/x/crypto@v0.45.0 golang.org/x/net@v0.47.0
(crypto required net@0.47.0). go-text@v0.31.0 transitively
bumped.
Per tool-output govulncheck-verbose: x/net@v0.45.0 fixes
GO-2026-4441 + GO-2026-4440; x/crypto@v0.45.0 fixes
GO-2025-4134 + GO-2025-4135 + GO-2025-4116 — all 5 advisories
cleared. Bundle B's ISV grep guard + Bundle D's release-time
govulncheck step are the going-forward monitor + bump pass.
L-004 — Deferred to dedicated bundle
Recon: zero hits for RotateAPIKey / rotated_at / key_status
anywhere in source. API keys configured via
CERTCTL_API_KEYS_NAMED env var; rotation is operator-managed
(edit env + restart). Building rotation infrastructure from
scratch is a feature project, not a mechanical sweep.
Documented in audit-report.md with scope-pivot note.
Audit deliverables:
audit-report.md: score 46/55 -> 52/55 closed
(Low 14/19 -> 19/19 — 100% Low closed except L-004 deferred)
findings.yaml: 6 status flips
certctl/CHANGELOG.md: Bundle E section
Verification:
go test -count=1 -short ./internal/service ./internal/connector/issuer/acme
./internal/connector/notifier/email green
go vet on changed packages clean
Closes H-009 + L-001 + L-007 + L-008 + L-016 + L-017 + L-018 + M-027
from comprehensive-audit-2026-04-25.
H-009 — README JWT verified-already-clean
README has zero JWT mentions at audit time. docs/architecture.md
correctly documents JWT/OIDC integration via authenticating-gateway
pattern (line 905-912).
.github/workflows/ci.yml: new step
'Forbidden README JWT advertising regression guard (H-009)'
greps README for JWT-as-supported phrasing; passes verbatim
(gateway / pre-G-1) but fails build on net-new advertising.
L-001 (CWE-295) — InsecureSkipVerify per-site justification
Audit count was 8; recon found 13 production sites.
docs/tls.md: new 'InsecureSkipVerify justifications' table
enumerates each site by file:line with per-site rationale.
cmd/agent/verify.go:78, internal/tlsprobe/probe.go:54,
internal/service/network_scan.go:460: each previously-bare
InsecureSkipVerify: true now carries //nolint:gosec.
.github/workflows/ci.yml: new step
'Forbidden bare InsecureSkipVerify regression guard (L-001)'
fails build if any net-new ISV lands in non-test .go without
nolint:gosec on the same or preceding line.
L-007 — README dependency-audit commands
README.md: new Dependencies section with go list -m all | wc -l,
go mod why, govulncheck ./.... Honors operating-rules invariant.
L-008 — Release-time govulncheck gate
.github/workflows/release.yml: new 'Install govulncheck' +
'Run govulncheck (release gate)' steps in the matrix job.
Pinned to same install path as ci.yml. Default exit code
semantics (fail on called-vuln only, deferred-call advisories
tracked on master via L-021) keeps the gate appropriate.
L-016 — architecture.md drift fixes
docs/architecture.md: system-components diagram's '21 tables'
annotation removed (current 23; replaced with TEXT-keys
descriptor); connector-architecture '9 connectors' prose
replaced with grep ref + current 12-issuer list (added
Entrust/GlobalSign/EJBCA which were missing); API-design
'97 operations / 107 total' replaced with grep commands.
Connector subgraphs verified-current at 12/13/6.
L-017 — workspace CLAUDE.md verified-already-clean
Bundle B's pre-commit-gate refactor already converted current-
state numeric claims to grep commands. Phase 0 recon confirmed
zero remaining hardcoded counts.
L-018 — Defect age table
cowork/comprehensive-audit-2026-04-25/defect-age.md (NEW):
Tabulates all 9 High findings with first-mentioned commit,
closing bundle, days-open. Methodology snippet for re-running.
Key finding: 8 of 9 closed within 24h of audit publication.
M-027 — OpenAPI parity verified-already-clean
Audit's 'router 121 vs OpenAPI 125 — 4-op gap' was wrong
methodology. The 4-op 'gap' was exactly the 4 routes registered
via r.mux.Handle (auth-exempt allowlist) instead of r.Register.
When you count both dispatch shapes the totals match exactly.
internal/api/router/openapi_parity_test.go (NEW):
TestRouter_OpenAPIParity AST-walks router.go for both
Register and mux.Handle calls + walks api/openapi.yaml's
path/method nesting + asserts the sets match. Adding a route
without updating the spec fails CI permanently.
Audit deliverables:
audit-report.md: score 38/55 -> 46/55 closed
(High 7/9 -> 8/9; Medium 20/27 -> 21/27; Low 8/19 -> 14/19)
findings.yaml: 8 status flips open -> closed
defect-age.md: new file
certctl/CHANGELOG.md: Bundle D section
Verification:
TestRouter_OpenAPIParity PASS
L-001 grep guard self-test (after //nolint:gosec adds) PASS
H-009 grep guard self-test PASS
go test -count=1 -short on changed packages green
cowork