BSL 1.1 is not OSI-approved open source. Changed headline to
"Self-Hosted Certificate Lifecycle Platform" to be accurate.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Added 9 screenshots showing all dashboard views: dashboard overview,
certificates list, agents fleet, jobs queue, notifications inbox,
policies, issuers, targets, and audit trail. Screenshots are displayed
in a 2-column grid in the README.
Note: actual .png files need to be added to docs/screenshots/ — this
commit includes the README markup and directory placeholder.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Without --build, Docker reuses cached images that don't include the
built frontend, resulting in a blank page. Every doc that tells users
to run docker compose up now includes --build.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- CLAUDE.md: check off frontend tests (53 Vitest tests done), update test count to 220+, update endpoint count to 55, update CI description
- README.md: add missing API endpoints (PUT/DELETE for issuers, targets, teams, owners, policies; POST notifications/{id}/read; auth endpoints), update endpoint count from 40+ to 55, update test count to 220+
- architecture.md: add frontend test layer description, update CI section with Vitest step, update dashboard description with action buttons (create cert modal, deploy, archive, test issuer, enable/disable policy, delete)
- demo-guide.md: fix incorrect /api/v1/policies/violations endpoint to /api/v1/policies/{id}/violations, update "Demo Without Docker" section from stale web/index.html to Vite dev server
- quickstart.md: fix auto-generated ID format from UUID to name-timestamp format
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Private keys never leave agent infrastructure. Agents generate ECDSA P-256
key pairs locally, store them with 0600 permissions, and submit only the CSR
(public key) to the control plane. New AwaitingCSR job state pauses
renewal/issuance jobs until the agent submits its CSR. Server-side keygen
retained behind CERTCTL_KEYGEN_MODE=server for demo/development.
Key changes:
- Dual keygen mode via CERTCTL_KEYGEN_MODE (agent default, server for demo)
- AwaitingCSR job state with CommonName/SANs in work response
- Agent ECDSA P-256 keygen, local key storage, CSR-only submission
- CompleteAgentCSRRenewal server-side flow for agent-submitted CSRs
- DeploymentRequest.KeyPEM for agent-provided keys during deployment
- Dockerfile.agent creates /var/lib/certctl/keys with correct ownership
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Split the monolithic M7 (Security Baseline) into three focused
milestones: M7 (Auth + Rate Limiting), M8 (Agent-Side Key Generation),
and M9 (End-to-End Test Hardening). M9 adds handler tests for all 7
files, negative-path integration tests, scheduler/connector tests,
and CI coverage gates (service 70%+, handler 60%+). Updated v1.0
gate criteria, replaced all stale V2+ references with M8, and added
Testing Strategy section to architecture docs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replaces the old M5 "Polish & Release" catch-all with three focused
milestones: M5 (Hardening + GUI Foundation), M6 (Functional GUI + CI),
M7 (Security Baseline). Agent-side keygen and API auth now gate v1.0
instead of being deferred to V2. V2 resequenced into Operational
Workflows (GUI-first), Team Adoption, and Observability.
Adds explicit v1.0.0 gate criteria, "GUI parallel-tracked" architecture
principle, and Vite + React + TypeScript + TanStack Query tech decisions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Service layer (63 tests): certificate, agent, audit, job, notification,
policy, and renewal services with mock repositories covering threshold
alerting, deduplication, status transitions, and job processing.
Handler layer (46 tests): certificate and agent HTTP handlers using
httptest with mock service interfaces, covering success/error paths,
pagination, JSON marshaling, and path parameter extraction.
Integration (11 subtests): end-to-end certificate lifecycle test
exercising real services and Local CA issuer through HTTP API —
create cert, trigger renewal, process jobs, register agent, heartbeat,
verify audit trail.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Wire issuer connector end-to-end with IssuerConnectorAdapter (dependency inversion)
- Renewal/issuance job processor: RSA key + CSR generation, Local CA signing, cert version storage
- Agent work API (GET /agents/{id}/work) and job status API (POST /agents/{id}/jobs/{job_id}/status)
- Agent-side deployment: WorkItem enrichment with target type/config, NGINX/F5/IIS connector invocation
- Full ACME v2 implementation: HTTP-01 challenge solving, account registration, order lifecycle
- Update all docs (README, architecture, connectors, demo-advanced, quickstart) for M1-M2
- Fix go vet warning in deployment.go (non-constant format string)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Business Source License 1.1 with 7-year conversion period
- Change Date: March 14, 2033 (converts to Apache 2.0)
- Additional Use Grant: all uses permitted except offering certctl
as a hosted/managed certificate management service
- Update README badge and license section
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
README.md:
- Replace ASCII architecture diagram with Mermaid
- Fix all database table names (managed_certificates, audit_events, etc.)
- Fix env var names to use CERTCTL_ prefix matching config.go
- Fix API endpoint paths ({id} not :id, /audit not /audit/logs)
- Add all missing endpoints (renew, deploy, CSR, heartbeat, policies, notifications)
- Add dashboard as primary feature (was completely missing)
- Link to all new docs (concepts, advanced demo, architecture, connectors)
- Fix integration status (Local CA implemented, ACME in progress)
- Fix security section (API key auth, not mTLS)
- Remove broken links to non-existent docs (api.md, k8s-deployment.md, scaling.md)
- Remove placeholder Support & Community section
.env.example:
- Change all var names to CERTCTL_ prefix (CERTCTL_DATABASE_URL, etc.)
- Remove vars that don't exist in config.go (ACME_*, SMTP_*, feature flags)
- Add scheduler tuning vars as commented examples
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add how/why technical breakdowns to every step in demo-advanced.md:
handler→service→repository code paths, SQL details, security reasoning,
field-by-field explanations, and architectural design decisions
- Convert all ASCII box diagrams to Mermaid across docs:
architecture.md (9 diagrams), demo-advanced.md (6), concepts.md (1)
- Diagram types: flowcharts, sequence diagrams, ER diagram, state machine
- Remove placeholder Support & Community section from README
- Zero ASCII box-drawing characters remaining in docs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
shankar0123