certctl

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 21:11:30 +00:00

Files

T

shankar0123 5d79e53ad0 auth-bundle-1 follow-on: close coverage gaps to clear Phase 12 floors

CI run #486 (post-Bundle-1 merge + Go 1.25.10 bump) failed three
coverage-threshold gates:

  internal/api/handler   74.7% < floor 75 (-0.3pp)
  internal/auth          66.3% < floor 85 (-18.7pp)
  internal/service/auth  51.1% < floor 85 (-33.9pp)

The Phase 12 gate file's "85% with negative-test coverage" claim
turned out to be aspirational — the read-side and Update-path
methods on RoleService / PermissionService / ActorRoleService had
zero unit-test coverage, and internal/auth's keystore +
HasPermission helper had zero tests. This commit closes the gap
without lowering the gate.

Per-package CI-style averages after this commit (per
scripts/check-coverage-thresholds.sh's per-function-mean):

  internal/api/handler   76.1% (+1.4pp,  margin +1.1pp)
  internal/auth          90.5% (+24.2pp, margin +5.5pp)
  internal/service/auth  93.7% (+42.6pp, margin +8.7pp)

Tests added:

  internal/service/auth/service_test.go (+18 tests, +518 LOC):
    PermissionService.List, PermissionService.GetByName,
    RoleService.Get (4 paths), RoleService.List (system caller),
    RoleService.Update (4 paths), RoleService.ListPermissions
    (3 paths), RoleService.AddPermission/RemovePermission round-trip
    + gate paths, RoleService.Delete (success + nil-caller +
    no-perm + audit), RoleService.Create (nil-caller),
    ActorRoleService.ListForActor (self-bypass + cross-actor +
    nil-caller + system + with-perm), ActorRoleService.Effective-
    Permissions (same shape), ActorRoleService.ListKeys (3 paths +
    system bypass), ActorRoleService.Revoke (4 paths), Authorizer
    edge cases (empty actorID short-circuit, empty tenantID
    default, scoped-grant-without-scope-id no-match invariant,
    repo-error wrap-and-return, HoldsAnyOf early-exit), recordAudit
    nil-arm short-circuits.

  internal/auth/keystore_test.go (NEW, +175 LOC):
    StaticKeyStore.Len, StaticKeyStore.LookupByHash hit + miss,
    MutableKeyStore seeded lookup + Len, Add registers new key,
    AddHashed registers from precomputed hash, AddHashed replaces
    on duplicate hash (idempotent boot-loader contract),
    HasPermission no-actor / default-actor-type / checker-error /
    scoped-check threading.

  internal/auth/bootstrap/service_test.go (+36 LOC):
    Service.Available nil-receiver/nil-strategy short-circuit,
    Service.Available delegates to Strategy when configured.

  internal/api/handler/auth_test.go (+208 LOC):
    GetRole returns role + permissions, GetRole 404 + 401, UpdateRole
    200 + invalid-JSON-400 + 401, ListKeys returns actor list + 401,
    RemoveRolePermission 204 (global + scoped) + 401,
    rolePermToResponse scope encoding pin via GetRole.

Verified:
  gofmt -l . clean (touched files only).
  go vet ./internal/auth/... ./internal/service/auth/...
       ./internal/api/handler/ rc=0.
  go test -count=1 -short on the four packages green.
  CI-style per-function averages computed via the live
       scripts/check-coverage-thresholds.sh arithmetic — all three
       gated packages clear their floors with margin.

Per CLAUDE.md "complete path" + "do not lower the gate to make CI
green": gate file unchanged. The 85/85/75 floors stand.

2026-05-10 02:04:36 +00:00

auth

auth-bundle-1 follow-on: close coverage gaps to clear Phase 12 floors

2026-05-10 02:04:36 +00:00

acme_phase4_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

acme_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

acme.go

2026-05-05 18:18:29 +00:00

agent_group_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

agent_group.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

agent_retire_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

agent_retire.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

agent_round_out_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

agent_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

agent.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

approval_metrics.go

ci: fix Rank 7 lint + openapi-handler-parity drift on master

2026-05-04 01:35:30 +00:00

approval_test.go

auth-bundle-1 Phase 9 + 10: approval-bypass closure + RBAC GUI

2026-05-09 21:03:59 +00:00

approval.go

auth-bundle-1 Phase 9 + 10: approval-bypass closure + RBAC GUI

2026-05-09 21:03:59 +00:00

atomic_audit_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

audit_redact_test.go

chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

2026-04-30 22:33:57 +00:00

audit_redact.go

chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

2026-04-30 22:33:57 +00:00

audit_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

audit.go

auth-bundle-1 Phase 6-7-8: bootstrap path + scope-down CLI + auditor-role split

2026-05-09 20:15:43 +00:00

bulk_reassignment_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

bulk_reassignment.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

bulk_renewal_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

bulk_renewal.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

bulk_revocation_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

bulk_revocation.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

ca_operations_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

ca_operations.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

certificate_nil_safety_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

certificate_round_out_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

certificate_test.go

cli: promote --force on renew + require --reason on revoke (closes P3-1, P3-2)

2026-05-05 19:49:34 +00:00

certificate.go

cli: promote --force on renew + require --reason on revoke (closes P3-1, P3-2)

2026-05-05 19:49:34 +00:00

cloud_discovery_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

cloud_discovery.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

concurrent_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

config_helpers_test.go

test: comprehensive test gap closure across 24 packages

2026-04-09 23:09:40 -04:00

config_helpers.go

feat(M35): dynamic target configuration with encrypted config, test connection, and GUI updates

2026-04-04 01:09:53 -04:00

context_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

coverage_extras_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

crl_cache_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

crl_cache.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

crypto_validation_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

crypto_validation.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

csr_renewal_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

deploy_counters_test.go

feat(metrics): per-target-type deploy counters wired into /metrics/prometheus

2026-04-30 15:25:38 +00:00

deploy_counters.go

chore: gofmt fixes across deploy-hardening I new files

2026-04-30 15:33:33 +00:00

deployment_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

deployment.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

digest_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

digest.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

discovery_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

discovery.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

est_audit_actions_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

est_audit_actions.go

EST RFC 7030 hardening master bundle Phases 10-11: libest sidecar e2e

2026-04-30 00:52:43 +00:00

est_counters.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

est_profile_counter_isolation_test.go

EST RFC 7030 hardening master bundle Phases 5-7: end-to-end serverkeygen

2026-04-29 23:57:45 +00:00

est_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

est.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

expiry_alert_metrics.go

2026-05-05 18:18:29 +00:00

export_audit_actions.go

fix(cert-export): satisfy staticcheck ST1022 on PKCS12CipherModernAES256

2026-04-30 05:22:10 +00:00

export_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

export.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

health_check_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

health_check.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

intermediate_ca_metrics.go

service: IntermediateCAService + IntermediateCAMetrics + RFC 5280 enforcement

2026-05-04 01:58:26 +00:00

intermediate_ca_test.go

service: 10 IntermediateCAService tests + in-memory fake repo (Rank 8 commit 2.5)

2026-05-04 02:14:24 +00:00

intermediate_ca.go

service: IntermediateCAService + IntermediateCAMetrics + RFC 5280 enforcement

2026-05-04 01:58:26 +00:00

issuance_metrics_test.go

metrics: gofmt issuance_metrics_test.go — fix CI

2026-05-02 01:27:33 +00:00

issuance_metrics.go

metrics: add per-issuer-type issuance counters, histogram, and failure classifier

2026-05-02 00:39:25 +00:00

issuer_adapter_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

issuer_adapter.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

issuer_bootstrap_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

issuer_registry_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

issuer_registry.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

issuer_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

issuer.go

auth-bundle-1 Phase 8 follow-up: classify issuer/target audit rows + auditor end-to-end tests + gofmt drift

2026-05-09 20:23:41 +00:00

job_concurrency_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

job_offline_agent_reaper_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

job_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

job.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

m11c_crypto_enforcement_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

network_scan_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

network_scan.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

notification_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

notification.go

Revert "chore: drop 'Infisical' label from internal references"

2026-05-04 01:18:15 +00:00

ocsp_counters_test.go

test(service): coverage uplift for production hardening II + adjacent helpers (R-CI-extended floor)

2026-04-30 06:22:06 +00:00

ocsp_counters.go

chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

2026-04-30 22:33:57 +00:00

ocsp_nonce_test.go

feat(ocsp): RFC 6960 §4.4.1 nonce extension support — echo client nonce in response, reject malformed

2026-04-30 04:55:06 +00:00

ocsp_nonce.go

feat(ocsp): RFC 6960 §4.4.1 nonce extension support — echo client nonce in response, reject malformed

2026-04-30 04:55:06 +00:00

ocsp_response_cache_real_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

ocsp_response_cache_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

ocsp_response_cache.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

owner_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

owner.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

policy_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

policy.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

profile_approval_test.go

auth-bundle-1 Phase 9 + 10: approval-bypass closure + RBAC GUI

2026-05-09 21:03:59 +00:00

profile_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

profile.go

auth-bundle-1 Phase 9 + 10: approval-bypass closure + RBAC GUI

2026-05-09 21:03:59 +00:00

renewal_expiry_alerts_test.go

2026-05-05 18:18:29 +00:00

renewal_policy_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

renewal_policy.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

renewal_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

renewal.go

2026-05-05 18:18:29 +00:00

revocation_svc_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

revocation_svc.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

revocation_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

scep_intune_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

scep_must_staple_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

scep_probe_persist_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

scep_probe_test.go

feat(scep): SCEP probe in network scanner for fleet-readiness assessment

2026-04-29 18:51:57 +00:00

scep_probe.go

security: close CodeQL #17 (log injection) + #23 (SSRF false-positive reopen)

2026-05-04 05:29:35 +00:00

scep_test.go

feat(scep): RenewalReq + GetCertInitial + ChromeOS E2E + caps + must-staple

2026-04-29 13:16:09 +00:00

scep.go

2026-05-05 18:18:29 +00:00

shortlived_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

stats_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

stats.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

target_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

target.go

auth-bundle-1 Phase 8 follow-up: classify issuer/target audit rows + auditor end-to-end tests + gofmt drift

2026-05-09 20:23:41 +00:00

team_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

team.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

testutil_test.go

Revert "chore: drop 'Infisical' label from internal references"

2026-05-04 01:18:15 +00:00

vault_renewal_metrics.go

vault: add automatic token renewal at TTL/2 + Prometheus metric

2026-05-03 21:24:27 +00:00

verification_test.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00

verification.go

chore: rename Go module path to github.com/certctl-io/certctl

2026-05-04 00:30:29 +00:00