gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 13:41:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Commit Graph

  • 0152bdf567 fix(auth/rbac): scope-aware ActorRole revoke (A-4) shankar0123 2026-05-11 10:50:34 +00:00
  • cc8024932b feat(gui/oidc): expose AllowedEmailDomains on create + edit forms (A-3) shankar0123 2026-05-11 10:30:37 +00:00
  • 78485f7429 fix(auth/users): close MED-11 lying field — DeactivatedAt loaded + enforced on login (A-2) shankar0123 2026-05-11 02:21:05 +00:00
  • a123263498 fix(auth/rbac): close HIGH-10 lying field — EffectivePermissions reads actor-role scope (A-1) shankar0123 2026-05-11 02:02:39 +00:00
  • 191384c1d2 feat(gui): auth GUI batch — MED-4/7/8/10/11/12 + LOW-1/11/12 + HIGH-10 GUI half shankar0123 2026-05-11 00:17:59 +00:00
  • 172b30b8f1 feat(auth): backend endpoints for MED-7 + MED-11 + MED-12 shankar0123 2026-05-11 00:11:07 +00:00
  • e1e43c8924 feat(auth): foundation for MED-11 — users.deactivated_at + 2 catalogue perms shankar0123 2026-05-11 00:02:57 +00:00
  • ca31232ad2 feat(mcp): 11 audit-fix MCP tools — approvals, break-glass, bootstrap, audit-category (MED-13) shankar0123 2026-05-10 23:37:06 +00:00
  • 532cae249d test(oidc): Keycloak integration test for MED-6 auto-refresh (Nit-5) shankar0123 2026-05-10 23:31:10 +00:00
  • e005c004e1 harden(oidc): JWKS auto-refresh on kid-not-in-cache (MED-6) shankar0123 2026-05-10 23:28:57 +00:00
  • b4b98799d5 feat(oidc): POST /api/v1/auth/oidc/test dry-run endpoint (MED-5) shankar0123 2026-05-10 23:25:54 +00:00
  • 2a1a0b347c harden(oidc): pre-login UA/IP binding (MED-16) — RFC 9700 §4.7.1 shankar0123 2026-05-10 23:18:23 +00:00
  • 2cd2a5c52f harden(oidc): RFC 9207 iss URL parameter check on callback (MED-17) shankar0123 2026-05-10 23:05:52 +00:00
  • 874419989d harden(auth/cookies): __Host- prefix on all three auth cookies (MED-14, BREAKING) shankar0123 2026-05-10 22:52:53 +00:00
  • 72b54ce850 feat(auth/rbac): scope_type+scope_id+expires_at on role grants (HIGH-10) shankar0123 2026-05-10 22:47:45 +00:00
  • e7c4654b16 harden(auth/session+oidc): 503/401 split + go-oidc string pin (LOW-6 + Nit-2) shankar0123 2026-05-10 22:41:19 +00:00
  • 9cce2ab043 harden(auth): LOW + Nit batch — bootstrap audit, crypto/rand, XFF trust, CSRF check, protocol-prefix unify (Batch 1) shankar0123 2026-05-10 22:26:12 +00:00
  • 630831aeac harden(audit+session): full SHA-256 audit hash + cookie segment length cap (MED-15 + Nit-4) shankar0123 2026-05-10 22:02:26 +00:00
  • 925523e06e feat(oidc): Enabled toggle on OIDCProvider (MED-9) shankar0123 2026-05-10 21:59:17 +00:00
  • ba0959ddc7 feat(auth/sessions): list-all gate + revoke-all-except-current (MED-1/2/3) shankar0123 2026-05-10 21:49:35 +00:00
  • 912ec3f547 fix(audit): ship streaming NDJSON audit export endpoint (HIGH-9 / HIGH-11) shankar0123 2026-05-10 21:36:01 +00:00
  • 2e97cc10b8 fix(config): refuse to start when CERTCTL_AUTH_TYPE=none binds non-loopback (HIGH-12) shankar0123 2026-05-10 21:29:06 +00:00
  • f5ba17114d fix(audit): close silence-leg of HIGH-6; emit WARN on audit-write failure shankar0123 2026-05-10 21:24:29 +00:00
  • 90210c9334 fix(oidc/prelogin): encrypt state/nonce/PKCE-verifier at rest (HIGH-5) shankar0123 2026-05-10 21:17:55 +00:00
  • 0f340beb14 fix(auth/ux): cause-aware OIDC + session error surfacing (HIGH-7 + HIGH-8 closure) shankar0123 2026-05-10 21:12:11 +00:00
  • 15435ca02b fix(oidc/bcl): jti replay-cache + iat freshness check (HIGH-3 closure) shankar0123 2026-05-10 20:53:29 +00:00
  • 1697845493 fix(auth): wire RevokeAllForActor + RotateCSRFToken to mutation paths shankar0123 2026-05-10 20:43:45 +00:00
  • 739745e9fe fix(oidc): enforce AllowedEmailDomains allowlist in HandleCallback shankar0123 2026-05-10 20:30:32 +00:00
  • f1d97710e1 feat(gui+auth): break-glass admin GUI surface (CRIT-4 closure) shankar0123 2026-05-10 20:24:52 +00:00
  • 00eace8068 fix(api/cors): narrow Bundle-2 routes from wildcard to NewCORS(corsCfg) shankar0123 2026-05-10 20:12:19 +00:00
  • ca1e135aa3 fix(oidc/bcl): resolve sub→actor_id via users.GetByOIDCSubject (CRIT-2 closure) shankar0123 2026-05-10 20:07:29 +00:00
  • 68ca42fef1 fix(auth): apply rbacGate to every state-changing + read handler (CRIT-1 closure) shankar0123 2026-05-10 19:56:15 +00:00
  • c03d18bb1c auth-bundle-2 Phase 16: docs updates (security.md OIDC + sessions + break-glass + auditor split sections; new migration/oidc-enable.md; CHANGELOG.md v2.1.0 Bundle 2 release notes) shankar0123 2026-05-10 17:07:27 +00:00
  • 3f335af45e auth-bundle-2 Phase 15: docs/reference/auth-standards-implemented.md (RFC + CWE evidence list, NOT a compliance-mapping doc) shankar0123 2026-05-10 16:58:06 +00:00
  • 9b6294e83d auth-bundle-2 Phase 14: session + OIDC validation benchmarks (steady-state + cold paths) + auth-benchmarks.md operator doc + Makefile targets shankar0123 2026-05-10 16:51:28 +00:00
  • 130a65f3b6 auth-bundle-2 Phase 13: negative-test backfill (OIDC PreLoginAdapter) + OIDC client_secret encryption invariant + multi-tenant query CI guard + coverage floors held at 90 across 4 Bundle-2 packages + E2E coverage map shankar0123 2026-05-10 16:31:22 +00:00
  • 5e2accbf5f auth-bundle-2 Phase 12: extend auth-threat-model.md with Bundle 2 sections (OIDC + sessions + back-channel logout + OIDC first-admin + break-glass + 8 Bundle 2 threat sub-sections) shankar0123 2026-05-10 16:11:08 +00:00
  • f203a5372d auth-bundle-2 Phase 11 follow-on: drop external-tester reference from oidc-runbooks/index.md shankar0123 2026-05-10 15:58:03 +00:00
  • 2893f9b48e auth-bundle-2 Phase 11: 6 per-IdP OIDC runbooks + index + docs/README wiring shankar0123 2026-05-10 15:49:56 +00:00
  • 8de28a74ba auth-bundle-2 Phase 10: Keycloak testcontainers harness + 5-test e2e OIDC matrix + optional Okta smoke (integration build tag) shankar0123 2026-05-10 07:54:36 +00:00
  • b09bd0984a auth-bundle-2 Phase 9: 11 OIDC + session MCP tools (Phase-5 surface parity) shankar0123 2026-05-10 07:40:34 +00:00
  • 9143003e95 auth-bundle-2 Phase 8: GUI auth surface (OIDC providers + group mappings + sessions + LoginPage IdP buttons + AuthState refactor + logout wiring) shankar0123 2026-05-10 07:23:41 +00:00
  • 1d01c87663 auth-bundle-2 Phase 7 + Phase 7.5: OIDC first-admin bootstrap + break-glass admin (Argon2id, lockout, default-OFF, surface-invisibility) shankar0123 2026-05-10 06:51:41 +00:00
  • 3189f3cd71 auth-bundle-2 Phase 6: session middleware + CSRF token plumbing + chained-auth combinator + AuthInfo OIDC providers extension + 2 CI guards (Bundle-1-compat + Bundle-1-to-2-upgrade) shankar0123 2026-05-10 06:22:25 +00:00
  • 9c679a5960 auth-bundle-2 Phase 5: OIDC + session HTTP surface (13 endpoints), pre-login store, OpenID Connect Back-Channel Logout 1.0, cookieAuth scheme, 7 new auth permissions, CI guard, handler tests shankar0123 2026-05-10 06:08:27 +00:00
  • 17b30c1f7f auth-bundle-2 Phase 4: session service (cookie minting + signature validation, idle/absolute expiry, signing-key rotation, CSRF, GC), 15-case negative-test matrix, fail-fatal initial-key bootstrap shankar0123 2026-05-10 05:31:24 +00:00
  • 854135dfb7 auth-bundle-2 Phase 3: OIDC service (HandleAuthRequest, HandleCallback, RefreshKeys), hand-rolled group-claim resolver, 21+ negative-test matrix, token-leak hygiene, IdP downgrade-attack defense shankar0123 2026-05-10 04:56:03 +00:00
  • 95f1d6cf63 auth-bundle-2 Phase 2b: repository interfaces + Postgres impls + integration tests shankar0123 2026-05-10 04:18:27 +00:00
  • 315e132981 auth-bundle-2 Phase 2a: SQL migrations (oidc_providers, sessions, users) shankar0123 2026-05-10 04:08:06 +00:00
  • b0ac24fbf8 auth-bundle-2 Phase 1: OIDC + Session + User + Breakglass domain types shankar0123 2026-05-10 03:41:46 +00:00
  • 2d9110b0c4 auth-bundle-2 Phase 0: dependency-add + oidc auth-type literal + runtime guard shankar0123 2026-05-10 03:31:51 +00:00
  • 977cdbdf44 docs(README): surface Bundle 1 RBAC + signal Bundle 2 federation as roadmap v2.0.72 shankar0123 2026-05-10 02:18:42 +00:00
  • 5d79e53ad0 auth-bundle-1 follow-on: close coverage gaps to clear Phase 12 floors shankar0123 2026-05-10 02:04:36 +00:00
  • 3e91c7a1f0 chore(security): bump Go toolchain 1.25.9 -> 1.25.10 + golang.org/x/net 0.49 -> 0.53 shankar0123 2026-05-10 01:18:49 +00:00
  • 51f55c5fc9 auth-bundle-1 fix: S-1 ci-guard false positive on "Bundle 1 migrations" shankar0123 2026-05-10 01:18:16 +00:00
  • 22c4971012 Merge branch 'dev/auth-bundle-1' into master shankar0123 2026-05-10 00:56:06 +00:00
  • efea4d0e03 auth-bundle-1 fix: bundled certctl-agent restart loop (latent since 2026-03-14) shankar0123 2026-05-10 00:51:25 +00:00
  • 45122d7edb auth-bundle-1 fix: migration 000029 role_permissions NULL scope_id shankar0123 2026-05-10 00:25:28 +00:00
  • 5313cd8492 auth-bundle-1 Phase 13 follow-up: em-dash sweep + broken-link fix shankar0123 2026-05-10 00:15:30 +00:00
  • e7a94b6080 auth-bundle-1 Phase 13: docs (rbac.md + threat model + migration guide + security.md update) shankar0123 2026-05-10 00:10:15 +00:00
  • 06cea1ce0f auth-bundle-1 Phase 12 follow-up: in-tree TODO for path-12 deferral shankar0123 2026-05-09 23:51:16 +00:00
  • cbb47aaf5d auth-bundle-1 Phase 11 + 12: RBAC MCP tools + negative-test coverage gate shankar0123 2026-05-09 23:46:01 +00:00
  • cfe76ad381 auth-bundle-1 Phase 10 follow-up: approvals queue GUI + transparent E2E deferral shankar0123 2026-05-09 21:12:06 +00:00
  • 69a508dfcf auth-bundle-1 Phase 9 + 10: approval-bypass closure + RBAC GUI shankar0123 2026-05-09 21:03:59 +00:00
  • af4fa12724 auth-bundle-1 Phase 8 follow-up: classify issuer/target audit rows + auditor end-to-end tests + gofmt drift shankar0123 2026-05-09 20:23:41 +00:00
  • 3ef45e2ad4 auth-bundle-1 Phase 6-7-8: bootstrap path + scope-down CLI + auditor-role split shankar0123 2026-05-09 20:15:43 +00:00
  • 60a589ab96 auth-bundle-1 Phase 0-5 closure: demo-mode wire, named-key backfill, AuthCheck enrichment, OpenAPI schema, intermediate-ca comment refresh shankar0123 2026-05-09 19:33:07 +00:00
  • 7ff2e2de08 auth-bundle-1 Phase 3.5: handler IsAdmin -> router-wrapped RequirePermission shankar0123 2026-05-09 17:00:30 +00:00
  • b169f258de auth-bundle-1 Phase 4 + 5: RBAC HTTP API + CLI surface shankar0123 2026-05-09 16:43:48 +00:00
  • d473398aba auth-bundle-1 Phase 3 (primitive): RequirePermission middleware + demo-mode + protocol allowlist shankar0123 2026-05-09 16:20:04 +00:00
  • bd54d5f7fa auth-bundle-1 Phase 2: RBAC service layer + Authorizer primitive shankar0123 2026-05-09 16:20:04 +00:00
  • 19497eef87 auth-bundle-1 Phase 1: RBAC schema + domain types + repository layer shankar0123 2026-05-09 16:00:08 +00:00
  • 99a012e3be auth-bundle-1 Phase 0: extract internal/auth/ from middleware package shankar0123 2026-05-09 15:51:31 +00:00
  • 71ebccb8ba docs: fix broken ../examples/ links across docs/ (closes #11) shankar0123 2026-05-06 20:30:32 +00:00
  • ff6bf8f203 docs(README): add Status: Early-access disclosure block shankar0123 2026-05-06 07:45:55 +00:00
  • 7a9ae3157f fix(seed): repair deployment_targets FK violation crashing fresh demo boot v2.0.71 shankar0123 2026-05-05 21:03:18 +00:00
  • 1720e11109 docs: fix broken single-file demo invocation in README + qa-prerequisites + ENVIRONMENTS shankar0123 2026-05-05 20:55:26 +00:00
  • f40e975439 gui(certificates): surface profile contract in create-cert form (closes P3-3, P3-4, P3-5) shankar0123 2026-05-05 19:49:59 +00:00
  • 0e06f6c4fc cli: promote --force on renew + require --reason on revoke (closes P3-1, P3-2) shankar0123 2026-05-05 19:49:34 +00:00
  • ff75361553 mcp(coverage): add 34 tools across 7 domains to close 2026-05-05 parity audit P1 findings shankar0123 2026-05-05 19:29:57 +00:00
  • e0aaa967c9 docs(README): add MCP server bullet to capabilities list shankar0123 2026-05-05 19:10:27 +00:00
  • 17455d2ea2 deps(web): pin picomatch to >=4.0.4 via npm override; clears 4 dependabot alerts shankar0123 2026-05-05 18:40:10 +00:00
  • f2c77ba3fb deps: bump testcontainers-go v0.35.0 → v0.42.0; drops docker/docker dep entirely (clears CVE-2026-34040) shankar0123 2026-05-05 18:32:57 +00:00
  • d2b62880ce shankar0123 2026-05-05 18:18:38 +00:00
  • 75097909e9 shankar0123 2026-05-05 18:18:29 +00:00
  • 7c5cc57d75 shankar0123 2026-05-05 15:39:08 +00:00
  • 9acf609ac9 docs: convert ASCII flow diagram to Mermaid in test-environment.md shankar0123 2026-05-05 06:18:24 +00:00
  • 622cd29f20 docs: factuality sweep — fix 3 broken links + 12 count claims (audit findings 2026-05-05) shankar0123 2026-05-05 06:15:35 +00:00
  • d809874fa1 docs: retire compliance subtree + sweep framework name-drops from prose shankar0123 2026-05-05 05:26:44 +00:00
  • 5ea8fb48eb ci: restore +x bit on scripts/ci-guards/*.sh (sandbox stripped exec bit) shankar0123 2026-05-05 04:56:43 +00:00
  • 3275f9f1e0 ci: post-Phase-2-docs-overhaul cleanup of stale guards + missing config doc shankar0123 2026-05-05 04:56:26 +00:00
  • ecb8896b1c docs: cleanup pre-existing broken links in connector pages shankar0123 2026-05-05 04:10:09 +00:00
  • f179eab071 docs: expand docs/README.md connectors section to enumerate all 28 deep-dive pages shankar0123 2026-05-05 04:08:08 +00:00
  • 969853ee53 docs: Phase 4 follow-on batch 4 — 5 final target per-pages shankar0123 2026-05-05 04:07:21 +00:00
  • 082b8cf660 docs: Phase 4 follow-on batch 3 — 5 file-based target per-pages shankar0123 2026-05-05 04:02:25 +00:00
  • de06141ce5 docs: Phase 4 follow-on batch 2 — 8 remaining issuer per-pages shankar0123 2026-05-05 03:59:35 +00:00
  • fd94205cfa docs: Phase 4 follow-on batch 1 — 5 issuer per-pages shankar0123 2026-05-05 03:53:52 +00:00
  • b452013dd9 docs: Phase 5 — testing-guide.md prune (8268 → 0 lines, content dispersed) shankar0123 2026-05-05 03:38:54 +00:00
  • fd4eb3b165 docs: Phase 11 follow-on — fix remaining anchor + cross-dir links shankar0123 2026-05-05 03:32:09 +00:00
  • a364cd6990 docs: Phase 11 follow-on — fix anchor-bearing + remaining inter-doc links shankar0123 2026-05-05 03:31:47 +00:00