Generate api/openapi.yaml from handler and domain source code. Covers
all 76 endpoints under /api/v1/ plus /health and /ready (78 total).
Includes full request/response schemas, domain model definitions,
enum types (CertificateStatus, JobType, RevocationReason, etc.),
reusable pagination envelope, error responses, and common parameters.
This spec serves as the contract for the upcoming MCP server (M18a)
and enables Swagger/Redocly interactive documentation immediately.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Bulk certificate operations: multi-select checkboxes on certificates list with
bulk action bar for triggering renewal, revocation (with RFC 5280 reason modal
and progress bar), and owner reassignment across selected certificates.
Deployment status timeline: visual 4-step lifecycle pipeline (Requested → Issued
→ Deploying → Active) on certificate detail page, powered by per-cert job queries
with animated status indicators for active steps and failure states.
Inline policy editor: edit/save/cancel interface on certificate detail page for
changing renewal policy and certificate profile assignments via dropdown selectors
with lazy-loaded policy and profile lists.
Target connector configuration wizard: 3-step modal (Select Type → Configure →
Review) with type-specific configuration fields for NGINX, Apache, HAProxy, F5
BIG-IP, and IIS targets including required field validation.
Audit trail export: CSV and JSON download buttons on audit page with applied
filters preserved in export. Added action filter input for narrower searches.
Short-lived credentials dashboard: new page at /short-lived showing ephemeral
certificates (profile TTL < 1 hour) with live TTL countdown, auto-refresh every
10 seconds, profile lookup, and stats bar (active/expired/profiles).
DataTable enhanced with optional selectable/selectedKeys/onSelectionChange props
for checkbox multi-select with select-all toggle and row highlighting.
Frontend tests expanded from 53 to 79: full API client endpoint coverage for
profiles, owners, teams, agent groups, revocation, approval/rejection, policy
violations, and issuer creation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Backend:
- Embedded OCSP responder: GET /api/v1/ocsp/{issuer_id}/{serial} returns
signed OCSP responses (good/revoked/unknown) using CA key
- DER-encoded X.509 CRL: GET /api/v1/crl/{issuer_id} returns proper DER CRL
signed by issuing CA with 24h validity window
- Short-lived cert exemption: certs with profile TTL < 1 hour skip CRL/OCSP
(expiry is sufficient revocation for ephemeral workloads)
- Extended issuer connector interface with GenerateCRL and SignOCSPResponse
- Local CA implements full CRL/OCSP signing; ACME and step-ca return
appropriate "use native endpoint" errors
- IssuerConnectorAdapter bridges new methods between layers
Frontend:
- Revoke button on certificate detail page with RFC 5280 reason modal
- Revocation banner with reason display and timestamp
- Revocation status indicators in lifecycle section
- "Revoked" filter option in certificates list
- API client: revokeCertificate() function and Certificate type extensions
Tests: ~31 new tests across connector, service, handler, and adapter layers
Docs: milestones renumbered (M13-M14, M16-M18), M15b marked complete
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Strip explicit V2/V3 version labels from planned features in README,
architecture, connectors, and demo docs. F5/IIS now say "interface only"
and "implementation planned" without version targets. DigiCert and other
future issuers say "planned" without version numbers. Keeps completed
milestones detailed (social proof) while keeping future work abstract.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Trim V2 roadmap to free-tier features only (GUI operations, CLI, notifiers,
Prometheus metrics, OCSP, MCP server, filesystem discovery). Move enterprise
features to V3 with deliberately vague descriptions. Remove specific version
references for F5/IIS implementations and SSE/WebSocket from docs. Add
roadmap.md to gitignore for private strategy tracking.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update test counts (525+ → 600+), table counts (17 → 18), endpoint
counts (68 → 70), add revocation/CRL endpoints to API overview, add
certificate_revocations table to schema docs, update M15 roadmap to
show M15a complete and M15b remaining.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
README: lead with CA/Browser Forum Ballot SC-081v3 (47-day certs by 2029)
and certctl's end-to-end automation positioning. Update architecture
diagram and target lists to include Apache/HAProxy. Update roadmap
with new M15 (Revocation Infrastructure), renumbered M16-M18, and
V3.1 cert-manager/IAM Roles Anywhere additions.
concepts.md: rewrite "Why Do Certificates Expire?" with shrinking
lifespan timeline and automation imperative.
quickstart.md: add 47-day framing in intro.
architecture.md: add Apache/HAProxy to system diagram, target connector
diagram, deployment section, and ER diagram (agent metadata columns).
Update planned targets list for V3.1. Fix test count (230+).
connectors.md: fix notifier planned version reference (V2 not V2.1).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Agents now report OS, architecture, IP address, hostname, and version
via heartbeat using runtime.GOOS, runtime.GOARCH, and net.Dial. New
migration adds columns to agents table. Heartbeat handler, service,
and repository updated to accept and persist metadata. GUI shows
OS/Arch in agent list and full system info in agent detail page.
Apache httpd connector: separate cert/chain/key files, apachectl
configtest validation, graceful reload. HAProxy connector: combined
PEM file (cert+chain+key), optional config validation, reload.
Both wired into agent binary's target connector switch.
14 tests for new connectors. All existing tests updated for new
Heartbeat/UpdateHeartbeat signatures. Docs updated across README,
architecture, concepts, and connectors guides.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix demo certificate count: 14 → 15 across README, quickstart,
demo-guide (wildcard cert was added but count never updated)
- Fix negative_test subtest count: 12 → 14 in architecture.md
- Update README roadmap: v1.0.0 released (no longer "tag pending")
- Update status badge: "active development" → "v1.0.0"
- Remove stale POSTGRES_IMPLEMENTATION.md and POSTGRES_PATTERNS.md
(scaffold-era dev notes, not referenced anywhere)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Community feedback requested fleet inventory and policy-based targeting.
Agents will report OS, platform, IP, hostname via heartbeat; dynamic
grouping enables policy scoping by agent criteria instead of manual assignment.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Active Directory Certificate Services (ADCS) added as a planned
issuer connector across README, architecture, connectors, and
demo-advanced docs. Requested by community feedback.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Added step-ca and OpenSSL/Custom CA as planned V2 issuer connectors
across README, architecture, connectors, and demo-advanced docs
- Fixed F5 BIG-IP and IIS target status from "Implemented" to
"Interface only" — both are stubs with mapped-out flows but no
actual API calls yet
- Updated all diagrams and tables to be consistent across docs
- DNS-01, step-ca, OpenSSL, F5, IIS all listed under V2.0 roadmap
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
DNS-01 enables wildcard certificates and validation for hosts that
can't serve HTTP on port 80. Planned with provider adapters
(Cloudflare, Route53) and custom script hooks.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
BSL 1.1 is not OSI-approved open source. Changed headline to
"Self-Hosted Certificate Lifecycle Platform" to be accurate.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Added 9 screenshots showing all dashboard views: dashboard overview,
certificates list, agents fleet, jobs queue, notifications inbox,
policies, issuers, targets, and audit trail. Screenshots are displayed
in a 2-column grid in the README.
Note: actual .png files need to be added to docs/screenshots/ — this
commit includes the README markup and directory placeholder.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Without --build, Docker reuses cached images that don't include the
built frontend, resulting in a blank page. Every doc that tells users
to run docker compose up now includes --build.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- CLAUDE.md: check off frontend tests (53 Vitest tests done), update test count to 220+, update endpoint count to 55, update CI description
- README.md: add missing API endpoints (PUT/DELETE for issuers, targets, teams, owners, policies; POST notifications/{id}/read; auth endpoints), update endpoint count from 40+ to 55, update test count to 220+
- architecture.md: add frontend test layer description, update CI section with Vitest step, update dashboard description with action buttons (create cert modal, deploy, archive, test issuer, enable/disable policy, delete)
- demo-guide.md: fix incorrect /api/v1/policies/violations endpoint to /api/v1/policies/{id}/violations, update "Demo Without Docker" section from stale web/index.html to Vite dev server
- quickstart.md: fix auto-generated ID format from UUID to name-timestamp format
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Private keys never leave agent infrastructure. Agents generate ECDSA P-256
key pairs locally, store them with 0600 permissions, and submit only the CSR
(public key) to the control plane. New AwaitingCSR job state pauses
renewal/issuance jobs until the agent submits its CSR. Server-side keygen
retained behind CERTCTL_KEYGEN_MODE=server for demo/development.
Key changes:
- Dual keygen mode via CERTCTL_KEYGEN_MODE (agent default, server for demo)
- AwaitingCSR job state with CommonName/SANs in work response
- Agent ECDSA P-256 keygen, local key storage, CSR-only submission
- CompleteAgentCSRRenewal server-side flow for agent-submitted CSRs
- DeploymentRequest.KeyPEM for agent-provided keys during deployment
- Dockerfile.agent creates /var/lib/certctl/keys with correct ownership
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Split the monolithic M7 (Security Baseline) into three focused
milestones: M7 (Auth + Rate Limiting), M8 (Agent-Side Key Generation),
and M9 (End-to-End Test Hardening). M9 adds handler tests for all 7
files, negative-path integration tests, scheduler/connector tests,
and CI coverage gates (service 70%+, handler 60%+). Updated v1.0
gate criteria, replaced all stale V2+ references with M8, and added
Testing Strategy section to architecture docs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replaces the old M5 "Polish & Release" catch-all with three focused
milestones: M5 (Hardening + GUI Foundation), M6 (Functional GUI + CI),
M7 (Security Baseline). Agent-side keygen and API auth now gate v1.0
instead of being deferred to V2. V2 resequenced into Operational
Workflows (GUI-first), Team Adoption, and Observability.
Adds explicit v1.0.0 gate criteria, "GUI parallel-tracked" architecture
principle, and Vite + React + TypeScript + TanStack Query tech decisions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Service layer (63 tests): certificate, agent, audit, job, notification,
policy, and renewal services with mock repositories covering threshold
alerting, deduplication, status transitions, and job processing.
Handler layer (46 tests): certificate and agent HTTP handlers using
httptest with mock service interfaces, covering success/error paths,
pagination, JSON marshaling, and path parameter extraction.
Integration (11 subtests): end-to-end certificate lifecycle test
exercising real services and Local CA issuer through HTTP API —
create cert, trigger renewal, process jobs, register agent, heartbeat,
verify audit trail.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Wire issuer connector end-to-end with IssuerConnectorAdapter (dependency inversion)
- Renewal/issuance job processor: RSA key + CSR generation, Local CA signing, cert version storage
- Agent work API (GET /agents/{id}/work) and job status API (POST /agents/{id}/jobs/{job_id}/status)
- Agent-side deployment: WorkItem enrichment with target type/config, NGINX/F5/IIS connector invocation
- Full ACME v2 implementation: HTTP-01 challenge solving, account registration, order lifecycle
- Update all docs (README, architecture, connectors, demo-advanced, quickstart) for M1-M2
- Fix go vet warning in deployment.go (non-constant format string)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Business Source License 1.1 with 7-year conversion period
- Change Date: March 14, 2033 (converts to Apache 2.0)
- Additional Use Grant: all uses permitted except offering certctl
as a hosted/managed certificate management service
- Update README badge and license section
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
README.md:
- Replace ASCII architecture diagram with Mermaid
- Fix all database table names (managed_certificates, audit_events, etc.)
- Fix env var names to use CERTCTL_ prefix matching config.go
- Fix API endpoint paths ({id} not :id, /audit not /audit/logs)
- Add all missing endpoints (renew, deploy, CSR, heartbeat, policies, notifications)
- Add dashboard as primary feature (was completely missing)
- Link to all new docs (concepts, advanced demo, architecture, connectors)
- Fix integration status (Local CA implemented, ACME in progress)
- Fix security section (API key auth, not mTLS)
- Remove broken links to non-existent docs (api.md, k8s-deployment.md, scaling.md)
- Remove placeholder Support & Community section
.env.example:
- Change all var names to CERTCTL_ prefix (CERTCTL_DATABASE_URL, etc.)
- Remove vars that don't exist in config.go (ACME_*, SMTP_*, feature flags)
- Add scheduler tuning vars as commented examples
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add how/why technical breakdowns to every step in demo-advanced.md:
handler→service→repository code paths, SQL details, security reasoning,
field-by-field explanations, and architectural design decisions
- Convert all ASCII box diagrams to Mermaid across docs:
architecture.md (9 diagrams), demo-advanced.md (6), concepts.md (1)
- Diagram types: flowcharts, sequence diagrams, ER diagram, state machine
- Remove placeholder Support & Community section from README
- Zero ASCII box-drawing characters remaining in docs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
shankar0123