Final PR in the six-commit M-2 sequence (PR-A: CertificateService cluster
cdc9d03, PR-B: IssuerService+TargetService eb14236, PR-C: Policy/Profile/
Owner/Team 2497be4, PR-D: Job/Notification/Audit ccd89c3, PR-E: AgentService
283ec27, PR-F: this commit). PR-A through PR-E collapsed the service-layer
shim methods and deleted every in-production context.Background() /
context.TODO() call from internal/service/; this PR completes the sweep
across the non-service tiers (HTTP middleware + ACME connector) and wires
the contextcheck linter so regressions fail CI.
Three narrow edits land the D-3 pattern (context.WithoutCancel for
subsidiary async writes and deferred shutdown contexts):
- internal/api/middleware/audit.go -- async audit goroutine now runs
on auditCtx := context.WithoutCancel(r.Context()) instead of
context.Background(). Preserves request-scoped values (trace ID, auth)
while detaching from the request's cancellation so the audit write
does not get killed when the response completes. Goroutine is still
tracked via a.wg (M-1 shutdown drain) so Flush(ctx) behaviour is
unchanged. CWE-770 Missing Release (goroutine leak potential) +
CWE-400 Resource Exhaustion (missed cancellation propagation).
- internal/api/middleware/middleware.go -- Recovery panic path now
logs via slog.ErrorContext(ctx, ...) instead of log.Printf. Request-
scoped trace/auth metadata now carries through the panic log, matching
every other request log. D-3 non-bypass: the context is r.Context()
captured before the defer, so even a panic mid-handler propagates
the ctx's trace ID into the ERROR log line.
- internal/connector/issuer/acme/acme.go (HTTP-01 challenge server
shutdown) -- defer shutdown context derived from
context.WithTimeout(context.WithoutCancel(ctx), 5s) instead of
context.Background(). Preserves parent ctx values, detaches from
parent cancellation so Shutdown always gets its full 5-second
budget even when the parent was cancelled. Matches the same pattern
applied in ACME's solveAuthorizationsDNS01 and solveAuthorizationsDNSPersist01.
Linter wiring: .golangci.yml adds `contextcheck` to the enabled set.
golangci-lint v2.11.4 now fails CI on any function that takes a
context.Context parameter but calls into context.Background() or
context.TODO() instead of propagating -- regression guard for all five
prior PRs.
Verification (CI parity, GOCACHE=/tmp/gocache GOMODCACHE=/tmp/gomodcache
GOLANGCI_LINT_CACHE=/tmp/lintcache):
- go build ./... -> 0
- go vet ./... -> 0
- golangci-lint run (contextcheck enabled) -> 0 issues
- go test -race -short ./internal/api/middleware/... -> PASS
- go test -race -short ./internal/scheduler/... -> PASS
- go test -race -short ./internal/connector/issuer/acme/... -> PASS
- go test -race -short ./internal/service/... -> PASS
- rg "context\.(Background|TODO)\(\)" internal/service/ internal/scheduler/
internal/connector/ internal/api/middleware/ -> 0 non-test hits
(one pedagogical godoc reference in audit.go documenting why
context.Background() would be wrong remains intentional)
Wire-format invariants preserved: 0 API routes, 0 SQL migrations, 0
frontend bytes, 0 OpenAPI bytes, 0 connector interface signature changes,
0 new env vars, 0 new external dependencies (pure context stdlib). The
AuditRecorder interface signature, the body-hash algorithm (SHA-256 16
hex chars), the excluded-path short-circuit, the actor-extraction path,
the responseWriter status-capture wrapper, the AuditServiceAdapter, and
all 116 API routes under /api/v1/, /.well-known/est/, /scep, /health,
/auth are byte-identical.
M-2 aggregate across PR-A through PR-F: 57 files, +635 / -613 (PR-A 12f
+227/-237, PR-B 9f +150/-146, PR-C 17f +156/-148, PR-D 11f +67/-63,
PR-E 4f +9/-15, PR-F 4f +26/-4). With M-2 closed, 8 of 10 Medium
findings resolved; M-9, M-10, L-1..L-4, I-1..I-8 remain post-v2.1.0
hardening batch.
Audit complete. Commit: 1f6cf0eafa. Sections: 12. Findings: 2/7/10/4/6.
Audit events spawned from the HTTP middleware ran in detached goroutines
using context.Background(). On SIGTERM the DB pool was closed before
those goroutines finished writing, silently dropping audit events
(CWE-662 Improper Synchronization / CWE-400 Uncontrolled Resource
Consumption).
NewAuditLog now returns an *AuditMiddleware struct that tracks every
spawned goroutine with sync.WaitGroup. Callers wire the middleware via
its Middleware method value (preserves the existing
func(http.Handler) http.Handler shape) and drain the WaitGroup with
Flush(ctx), which blocks until in-flight recordings complete or the
provided context is cancelled — mirroring scheduler.WaitForCompletion.
Flush is invoked in cmd/server/main.go between http.Server.Shutdown
(no new requests accepted) and db.Close (pool torn down), with a
timeout returning ErrAuditFlushTimeout wrapping ctx.Err().
Request-derived inputs (method, path, status) are snapshotted before
the goroutine spawn so the worker does not race with http.Server
reusing r after the handler returns.
Tests:
TestAuditLog_FlushDrainsInFlightGoroutines
TestAuditLog_FlushTimeoutReturnsErrAuditFlushTimeout
Verification:
go build ./... : 0
go vet ./... : 0
go test -race -short ./... : 0 (all packages)
go test -cover ./internal/api/middleware : 81.4%
golangci-lint run : 0 issues
govulncheck ./... : 0 vulns in called code
M19: HTTP middleware records every API call to the immutable audit trail
with method, path, actor, SHA-256 body hash, status, and latency. Best-effort
async recording via goroutine. Health/ready probes excluded.
M16a: Four pluggable notifier connectors — Slack (incoming webhook), Teams
(MessageCard), PagerDuty (Events API v2), OpsGenie (Alert API v2). Each
enabled by config env var. 30 new tests across middleware and connectors.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
shankar0123