mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 14:51:30 +00:00
shankar0123
1b95709d4b
Acquisition-audit DOC-002 + COMP-005 closure (Sprint 7 ACQ,
2026-05-16). Both findings were UNKNOWN because the auditor
couldn't independently verify the auditor-role permission set is
locked-down. The set IS locked down in three places (schema,
code, tests) — DOC-002 + COMP-005 close by surfacing that pin in
docs/operator/rbac.md so a future SOC 2 / FedRAMP / PCI auditor
can re-derive the proof without rebuilding the trail.
New "Auditor role invariants" subsection in docs/operator/rbac.md
under the existing two-person integrity section. Documents:
Layer 1 (schema) — migrations/000029_rbac.up.sql:261-262 +
migrations/000039_audit_crit1_perms.up.sql:111 (the inline
"r-auditor: NOTHING new" comment).
Layer 2 (code) — internal/domain/auth/DefaultRoles[RoleIDAuditor].
Layer 3 (the load-bearing one — tests):
- TestAuditorRoleHoldsExactlyAuditReadAndExport
set-equality on {audit.read, audit.export}
- TestAuditorRoleDoesNotHoldMutatingOrReadingNonAuditPerms
catches subtle widening even if set-equality is bypassed
- TestAuditorRoleSeparateFromViewer
pins auditor and viewer permission sets are disjoint
except audit.read (which viewer shares by design)
Explicitly notes the audit prompt's recommendation against a bash
CI guard — the property is already enforced at the Go test layer
with stronger semantics (struct-aware set equality) than `grep`
could provide.
No code changes; documentation-only closure (existing tests + schema
already pin the invariant). Verified locally: gofmt clean, go vet
clean across internal/domain/auth + internal/service.