certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 21:01:31 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	56e2ea1ad7	docs: v2.1.0 release polish — strip internal bundle/phase tags, update status for OIDC ship README: - Rewrite Status block: drop the stale 'federated identity not yet shipped' line; flag v2.1.0 OIDC + sessions + back-channel logout + break-glass as early-access; encourage GitHub issues for IdP rough edges. (A1 framing — keep early-access umbrella, no SAML/WebAuthn/JIT roadmap teaser.) - Add OIDC SSO bullet to 'What it does' covering per-IdP runbooks, group-claim → role mapping, AES-256-GCM client_secret encryption, JWKS auto-refresh, PKCE-S256, RFC 9700 §4.7.1 pre-login binding, RFC 9207 iss check, __Host- cookies, CSRF rotation, idle+absolute expiry, BCL, break-glass admin. - Update Security paragraph: three auth paths (API keys / OIDC / break-glass), HMAC-signed sessions, CSRF rotation, RFC OIDC BCL. - Correct CI coverage thresholds against .github/coverage-thresholds.yml (service 70%, handler 75%, crypto 88%, auth packages 85-95%); 'static analysis' replaces the inflated '11 linters' claim (actual count is 4 active). Docs B3 sweep — strip operator-facing 'Bundle N' / 'Phase N' tags: - docs/operator/auth-threat-model.md — rewrite intro; rename 5 H2 sections (API-key + RBAC defenses / OIDC + sessions + break-glass defenses / OIDC + sessions threat catalogue / Closed federated- identity threats / Future-work threats); clean ~12 H3/prose hits. - docs/operator/rbac.md — strip Bundle 1 framing from intro, scope_id deferral note, MCP tools section, day-0 bootstrap, and 'Where to look next'. - docs/operator/auth-benchmarks.md — drop 'Phase 14' framing from title intro, hardware floor caption, result table caption, methodology, and pre-merge audit section. - docs/operator/security.md — already cleaned earlier this session (RBAC / day-0 / approval-bypass / OIDC federation / sessions / OIDC first-admin / break-glass H3s). - docs/operator/oidc-runbooks/{index,keycloak,authentik,okta, azure-ad}.md — strip Auth Bundle 2 framing + Phase 10/3/4 references; replace with feature-name prose. - docs/operator/legacy-clients-tls-1.2.md — drop Bundle F / M-023 audit-reference framing; keep CWE-326. - docs/operator/database-tls.md — drop Bundle B / M-018 framing from intro + Helm section. - docs/operator/runbooks/disaster-recovery.md — drop 'Production hardening II Phase 10' status callout. - docs/migration/oidc-enable.md — retitle 'Enable OIDC SSO'; strip Bundle 1/2 framing from prereqs, troubleshooting, related docs; update __Host- cookie callout from 'audit MED-14' to v2.1.0-BREAKING. - docs/migration/api-keys-to-rbac.md — strip Bundle 1 framing from intro, migration table, IsAdmin section, and cross-references. - docs/migration/acme-from-cert-manager.md — strip residual 'Phase 5' tags from cert-manager integration test references. - docs/reference/configuration.md — retitle Auth section. - docs/reference/profiles.md — strip Bundle 1 Phase 9 framing from RequiresApproval section + Related list. - docs/reference/auth-standards-implemented.md — rewrite intro (API-key + RBAC + OIDC + sessions + back-channel logout + break-glass); rename 'Bundle 1 (RBAC) standards covered separately' H2; clean per-row Phase references. - docs/README.md — rewrite nav-table entries to drop Bundle 1/2 parentheticals; retitle 'Enable OIDC SSO' migration entry. No code or test changes; pure operator-facing prose polish for the v2.1.0 tag.	2026-05-11 16:54:07 +00:00
shankar0123	3f335af45e	auth-bundle-2 Phase 15: docs/reference/auth-standards-implemented.md (RFC + CWE evidence list, NOT a compliance-mapping doc) Closes Phase 15 of cowork/auth-bundle-2-prompt.md. Ships a single operator-facing doc that lists every RFC the auth bundles implement and every CWE class the implementation closes, with concrete file paths + test anchors per row. Files ===== docs/reference/auth-standards-implemented.md (NEW): * Table 1: 13 RFCs / standards rows (RFC 6749, 7636, 7519, 7517, OIDC Core 1.0, OIDC BCL 1.0, RFC 6265, RFC 9700, RFC 8414, RFC 7633, RFC 8555, RFC 7515 plus the OIDC Core §5.3.2 UserInfo endpoint). Every row has a concrete source file path + a negative-test anchor. * Table 2: 14 CWE rows (CWE-287, 352, 384, 294, 916/329, 307, 345, 200, 770, 330, 311, 326, 1004, 614, 1275). Every row points at where the defense lives + where it is pinned. * Bundle 1 RBAC standards covered separately at the end with CWE-285, 862, 863, 732 pointers into Bundle 1's surface. * Explicit 'What this document is NOT' section preserving the operator's 2026-05-05 retired-compliance-docs decision: the doc is an evidence list, NOT a SOC 2 / PCI-DSS / HIPAA / NIST SP 800-53 / NIST SSDF / FedRAMP framework-mapping doc. Framework name-drops appear ONLY inside the explicit 'this is NOT' disclaimer paragraphs; no marketing-flavored prose claims certctl 'satisfies CC6.1' or similar. docs/README.md (MODIFIED): * Adds the auth-standards-implemented.md doc to the Reference section nav table between intermediate-ca-hierarchy.md and the deployment-model.md entry, with a one-line description flagging it as RFC + CWE evidence (NOT a compliance-mapping doc). Verification ============ * Last-reviewed header: 2026-05-10. * Internal-link sweep: every relative link resolves cleanly. * Framework-name grep: SOC 2 / PCI-DSS / HIPAA / NIST SSDF / FedRAMP appear ONLY inside the 'this is NOT a compliance- mapping doc' disclaimer paragraphs (lines 7 and 66 of the new doc). No marketing-flavored claims. * No Go-side impact; pure docs commit, make verify gate unchanged.	2026-05-10 16:58:06 +00:00

Author

SHA1

Message

Date

shankar0123

56e2ea1ad7

docs: v2.1.0 release polish — strip internal bundle/phase tags, update status for OIDC ship

README:
- Rewrite Status block: drop the stale 'federated identity not yet
  shipped' line; flag v2.1.0 OIDC + sessions + back-channel logout
  + break-glass as early-access; encourage GitHub issues for IdP
  rough edges. (A1 framing — keep early-access umbrella, no
  SAML/WebAuthn/JIT roadmap teaser.)
- Add OIDC SSO bullet to 'What it does' covering per-IdP runbooks,
  group-claim → role mapping, AES-256-GCM client_secret encryption,
  JWKS auto-refresh, PKCE-S256, RFC 9700 §4.7.1 pre-login binding,
  RFC 9207 iss check, __Host- cookies, CSRF rotation, idle+absolute
  expiry, BCL, break-glass admin.
- Update Security paragraph: three auth paths (API keys / OIDC /
  break-glass), HMAC-signed sessions, CSRF rotation, RFC OIDC BCL.
- Correct CI coverage thresholds against
  .github/coverage-thresholds.yml (service 70%, handler 75%,
  crypto 88%, auth packages 85-95%); 'static analysis' replaces
  the inflated '11 linters' claim (actual count is 4 active).

Docs B3 sweep — strip operator-facing 'Bundle N' / 'Phase N' tags:
- docs/operator/auth-threat-model.md — rewrite intro; rename 5 H2
  sections (API-key + RBAC defenses / OIDC + sessions + break-glass
  defenses / OIDC + sessions threat catalogue / Closed federated-
  identity threats / Future-work threats); clean ~12 H3/prose hits.
- docs/operator/rbac.md — strip Bundle 1 framing from intro,
  scope_id deferral note, MCP tools section, day-0 bootstrap, and
  'Where to look next'.
- docs/operator/auth-benchmarks.md — drop 'Phase 14' framing from
  title intro, hardware floor caption, result table caption,
  methodology, and pre-merge audit section.
- docs/operator/security.md — already cleaned earlier this session
  (RBAC / day-0 / approval-bypass / OIDC federation / sessions /
  OIDC first-admin / break-glass H3s).
- docs/operator/oidc-runbooks/{index,keycloak,authentik,okta,
  azure-ad}.md — strip Auth Bundle 2 framing + Phase 10/3/4
  references; replace with feature-name prose.
- docs/operator/legacy-clients-tls-1.2.md — drop Bundle F / M-023
  audit-reference framing; keep CWE-326.
- docs/operator/database-tls.md — drop Bundle B / M-018 framing
  from intro + Helm section.
- docs/operator/runbooks/disaster-recovery.md — drop 'Production
  hardening II Phase 10' status callout.
- docs/migration/oidc-enable.md — retitle 'Enable OIDC SSO';
  strip Bundle 1/2 framing from prereqs, troubleshooting, related
  docs; update __Host- cookie callout from 'audit MED-14' to
  v2.1.0-BREAKING.
- docs/migration/api-keys-to-rbac.md — strip Bundle 1 framing from
  intro, migration table, IsAdmin section, and cross-references.
- docs/migration/acme-from-cert-manager.md — strip residual
  'Phase 5' tags from cert-manager integration test references.
- docs/reference/configuration.md — retitle Auth section.
- docs/reference/profiles.md — strip Bundle 1 Phase 9 framing
  from RequiresApproval section + Related list.
- docs/reference/auth-standards-implemented.md — rewrite intro
  (API-key + RBAC + OIDC + sessions + back-channel logout +
  break-glass); rename 'Bundle 1 (RBAC) standards covered
  separately' H2; clean per-row Phase references.
- docs/README.md — rewrite nav-table entries to drop Bundle 1/2
  parentheticals; retitle 'Enable OIDC SSO' migration entry.

No code or test changes; pure operator-facing prose polish for
the v2.1.0 tag.

2026-05-11 16:54:07 +00:00

shankar0123

3f335af45e

auth-bundle-2 Phase 15: docs/reference/auth-standards-implemented.md (RFC + CWE evidence list, NOT a compliance-mapping doc)

Closes Phase 15 of cowork/auth-bundle-2-prompt.md. Ships a single
operator-facing doc that lists every RFC the auth bundles implement
and every CWE class the implementation closes, with concrete file
paths + test anchors per row.

Files
=====

docs/reference/auth-standards-implemented.md (NEW):
* Table 1: 13 RFCs / standards rows (RFC 6749, 7636, 7519, 7517,
  OIDC Core 1.0, OIDC BCL 1.0, RFC 6265, RFC 9700, RFC 8414,
  RFC 7633, RFC 8555, RFC 7515 plus the OIDC Core §5.3.2 UserInfo
  endpoint). Every row has a concrete source file path + a
  negative-test anchor.
* Table 2: 14 CWE rows (CWE-287, 352, 384, 294, 916/329, 307,
  345, 200, 770, 330, 311, 326, 1004, 614, 1275). Every row
  points at where the defense lives + where it is pinned.
* Bundle 1 RBAC standards covered separately at the end with
  CWE-285, 862, 863, 732 pointers into Bundle 1's surface.
* Explicit 'What this document is NOT' section preserving the
  operator's 2026-05-05 retired-compliance-docs decision: the
  doc is an evidence list, NOT a SOC 2 / PCI-DSS / HIPAA /
  NIST SP 800-53 / NIST SSDF / FedRAMP framework-mapping doc.
  Framework name-drops appear ONLY inside the explicit
  'this is NOT' disclaimer paragraphs; no marketing-flavored
  prose claims certctl 'satisfies CC6.1' or similar.

docs/README.md (MODIFIED):
* Adds the auth-standards-implemented.md doc to the Reference
  section nav table between intermediate-ca-hierarchy.md and
  the deployment-model.md entry, with a one-line description
  flagging it as RFC + CWE evidence (NOT a compliance-mapping
  doc).

Verification
============

* Last-reviewed header: 2026-05-10.
* Internal-link sweep: every relative link resolves cleanly.
* Framework-name grep: SOC 2 / PCI-DSS / HIPAA / NIST SSDF /
  FedRAMP appear ONLY inside the 'this is NOT a compliance-
  mapping doc' disclaimer paragraphs (lines 7 and 66 of the
  new doc). No marketing-flavored claims.
* No Go-side impact; pure docs commit, make verify gate
  unchanged.

2026-05-10 16:58:06 +00:00

2 Commits