mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:21:30 +00:00
shankar0123
1caedd5fd3
Bundle: ci-pipeline-cleanup, Phase 1. Pure relocation — no behavior change. Each guard's bash logic is byte-identical to the prior inline version; the only changes are: (a) the guard becomes a sibling script under scripts/ci-guards/<id>.sh, (b) ci.yml's per-guard step is replaced by a single loop step that iterates all scripts. 20 scripts extracted (alphabetized): B-1-orphan-crud.sh, D-1-D-2-statusbadge-phantom.sh, G-1-jwt-auth-literal.sh, G-2-api-key-hash-json.sh, G-3-env-docs-drift.sh, H-001-bare-from.sh, H-009-readme-jwt.sh, L-001-insecure-skip-verify.sh, L-1-bulk-action-loop.sh, M-012-no-root-user.sh, P-1-documented-orphan-fns.sh, S-1-hardcoded-source-counts.sh, S-2-strings-contains-err.sh, T-1-frontend-page-coverage.sh, U-2-plaintext-healthcheck.sh, U-3-migration-mount.sh, bundle-8-L-015-target-blank-rel-noopener.sh, bundle-8-L-019-dangerously-set-inner-html.sh, bundle-8-M-009-bare-usemutation.sh, test-naming-convention.sh Plus scripts/ci-guards/README.md documenting the contract: - Each script must exit 0 on clean repo, non-zero with ::error:: prefix on regression - Runnable from repo root via 'bash scripts/ci-guards/<id>.sh' - Adding a new guard: drop a new <id>.sh; CI auto-picks it up ci.yml dropped 1488 → 557 lines (-931, -63%). Single CI loop step now collects ALL guard failures before failing the build instead of fail-fast — UX win for regressions that hit two guards at once. Two guards (QA-doc Part-count + seed-count, ci.yml lines 868-917) deliberately NOT extracted — they move to 'make verify-docs' in Phase 11 because they protect docs-the-operator-reads, not the product itself. Verification (sandbox): - All 20 scripts pass against HEAD (chmod +x; for g in scripts/ci-guards/*.sh; do bash $g; done) - New ci.yml YAML-parses cleanly - Job boundaries preserved: go-build-and-test, frontend-build, helm-lint, deploy-vendor-e2e, deploy-vendor-e2e-windows - Loop step appears twice (once at end of go-build-and-test, once at end of frontend-build) so both jobs continue running their set of guards
155 lines
6.6 KiB
Bash
Executable File
155 lines
6.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# scripts/ci-guards/D-1-D-2-statusbadge-phantom.sh
|
|
#
|
|
# D-1 master closed cat-d-359e92c20cbf (Agent: 'Stale' dead key,
|
|
# 'Degraded' missing), cat-d-9f4c8e4a91f1 (Notification: 'dead'
|
|
# missing), cat-d-1447e04732e7 (Cert: 'PendingIssuance' dead
|
|
# key), cat-f-cert_detail_page_key_render_fallback (render-site
|
|
# uses cert.X directly), and cat-f-ae0d06b6588f (Certificate
|
|
# TS phantom fields). This script grep-fails the build if either
|
|
# half of the closure is reverted:
|
|
#
|
|
# 1. The dead StatusBadge keys ('Stale' for Agent, 'PendingIssuance'
|
|
# for Cert) reappearing as map literals, OR
|
|
# 2. The five phantom Certificate TS fields (serial_number,
|
|
# fingerprint_sha256, key_algorithm, key_size, issued_at)
|
|
# reappearing on the `Certificate` interface in types.ts
|
|
# (CertificateVersion legitimately carries them and is
|
|
# explicitly excluded by the awk pre-filter below).
|
|
#
|
|
# Comments are exempt so the closure prose in StatusBadge.tsx +
|
|
# types.ts can stay. Test files are exempt so negative tests
|
|
# asserting the dead keys fall through to neutral keep working.
|
|
#
|
|
# See coverage-gap-audit-2026-04-24-v5/unified-audit.md
|
|
# cat-d-* / cat-f-* for the closure rationale, or
|
|
# web/src/components/StatusBadge.test.tsx for the live
|
|
# enum-coverage contract.
|
|
|
|
set -e
|
|
|
|
BAD_BADGE=$(grep -nE "^\s*(Stale|PendingIssuance)\s*:\s*'badge-" \
|
|
web/src/components/StatusBadge.tsx 2>/dev/null \
|
|
| grep -v '\.test\.' \
|
|
| grep -vE '^\s*[^:]+:[0-9]+:\s*//' \
|
|
|| true)
|
|
if [ -n "$BAD_BADGE" ]; then
|
|
echo "::error::D-1 regression: dead StatusBadge key reappeared:"
|
|
echo "$BAD_BADGE"
|
|
echo ""
|
|
echo "Allowed surface: comment lines naming the removed key in"
|
|
echo "the file's preamble. The Go-side AgentStatus values are"
|
|
echo "Online/Offline/Degraded (no Stale); CertificateStatus values"
|
|
echo "are Pending/Active/... (no PendingIssuance). See"
|
|
echo "web/src/components/StatusBadge.test.tsx for the contract."
|
|
exit 1
|
|
fi
|
|
|
|
# Certificate TS phantom-field check. Scoped to the
|
|
# `export interface Certificate {` block in web/src/api/types.ts
|
|
# — CertificateVersion legitimately declares these fields and
|
|
# must NOT trip the guardrail. The awk window opens on the
|
|
# exact `Certificate {` header (not `CertificateVersion {`,
|
|
# not `CertificateProfile {`) and closes at the first `}`,
|
|
# then the grep matches a phantom-field declaration anywhere
|
|
# in that window.
|
|
BAD_TS=$(awk '
|
|
/^export interface Certificate \{/ { flag=1; next }
|
|
flag && /^\}/ { flag=0 }
|
|
flag { print FILENAME":"NR":"$0 }
|
|
' web/src/api/types.ts \
|
|
| grep -E '\b(serial_number|fingerprint_sha256|key_algorithm|key_size|issued_at)\??\s*:' \
|
|
|| true)
|
|
if [ -n "$BAD_TS" ]; then
|
|
echo "::error::D-1 regression: Certificate TS interface re-added a phantom field:"
|
|
echo "$BAD_TS"
|
|
echo ""
|
|
echo "These fields live on CertificateVersion, not ManagedCertificate."
|
|
echo "The Go-side ManagedCertificate has never carried them; the"
|
|
echo "TS optional declarations were silently undefined on every"
|
|
echo "list response. Render-site consumers (e.g. CertificateDetailPage)"
|
|
echo "use latestVersion?.field as the canonical access path."
|
|
echo "See coverage-gap-audit-2026-04-24-v5/unified-audit.md"
|
|
echo "cat-f-ae0d06b6588f for the closure rationale."
|
|
exit 1
|
|
fi
|
|
|
|
# D-2 master closed five diff-05x06-* type-drift findings:
|
|
# Agent (5 phantoms), Issuer (1 phantom), Notification (1 phantom)
|
|
# — TRIM half. The Target (2 missing fields) and DiscoveredCertificate
|
|
# (1 missing field) — ADD half is pinned by the literal-construction
|
|
# blocks in web/src/api/types.test.ts, not a CI grep. The phantom-
|
|
# trim regression vector is an awk-windowed grep per interface
|
|
# mirroring the D-1 Certificate check above.
|
|
#
|
|
# See coverage-gap-audit-2026-04-24-v5/unified-audit.md
|
|
# diff-05x06-7cdf4e78ae24 (Agent), diff-05x06-97fab8783a5c (Issuer),
|
|
# diff-05x06-caba9eb3620e (Notification) for the closure rationale.
|
|
|
|
# D-2 Agent phantom-field check. The grep matches `last_heartbeat`
|
|
# but NOT `last_heartbeat_at` (the legitimate Go-emitted field) —
|
|
# the `\b...\b` boundaries plus the `grep -v 'last_heartbeat_at'`
|
|
# filter handle that.
|
|
BAD_AGENT=$(awk '
|
|
/^export interface Agent \{/ { flag=1; next }
|
|
flag && /^\}/ { flag=0 }
|
|
flag { print FILENAME":"NR":"$0 }
|
|
' web/src/api/types.ts \
|
|
| grep -E '\b(last_heartbeat|capabilities|tags|created_at|updated_at)\??\s*:' \
|
|
| grep -v 'last_heartbeat_at' \
|
|
|| true)
|
|
if [ -n "$BAD_AGENT" ]; then
|
|
echo "::error::D-2 regression: Agent TS interface re-added a phantom field:"
|
|
echo "$BAD_AGENT"
|
|
echo ""
|
|
echo "The Go-side internal/domain/connector.go::Agent emits exactly:"
|
|
echo "id, name, hostname, status, last_heartbeat_at?, registered_at,"
|
|
echo "os, architecture, ip_address, version, retired_at?, retired_reason?."
|
|
echo "The five fields blocked by this guard (last_heartbeat,"
|
|
echo "capabilities, tags, created_at, updated_at) were TS phantoms"
|
|
echo "the Go struct never emitted. See unified-audit.md"
|
|
echo "diff-05x06-7cdf4e78ae24 for closure rationale."
|
|
exit 1
|
|
fi
|
|
|
|
# D-2 Issuer phantom-field check.
|
|
BAD_ISSUER=$(awk '
|
|
/^export interface Issuer \{/ { flag=1; next }
|
|
flag && /^\}/ { flag=0 }
|
|
flag { print FILENAME":"NR":"$0 }
|
|
' web/src/api/types.ts \
|
|
| grep -E '\bstatus\??\s*:' \
|
|
|| true)
|
|
if [ -n "$BAD_ISSUER" ]; then
|
|
echo "::error::D-2 regression: Issuer TS interface re-added a phantom 'status' field:"
|
|
echo "$BAD_ISSUER"
|
|
echo ""
|
|
echo "The Go-side internal/domain/connector.go::Issuer has no 'status'"
|
|
echo "field — only 'enabled' (bool). Render sites derive the displayed"
|
|
echo "status from 'enabled' at the call site (see"
|
|
echo "web/src/pages/IssuersPage.tsx::issuerStatus). See unified-audit.md"
|
|
echo "diff-05x06-97fab8783a5c for closure rationale."
|
|
exit 1
|
|
fi
|
|
|
|
# D-2 Notification phantom-field check.
|
|
BAD_NOTIF=$(awk '
|
|
/^export interface Notification \{/ { flag=1; next }
|
|
flag && /^\}/ { flag=0 }
|
|
flag { print FILENAME":"NR":"$0 }
|
|
' web/src/api/types.ts \
|
|
| grep -E '\bsubject\??\s*:' \
|
|
|| true)
|
|
if [ -n "$BAD_NOTIF" ]; then
|
|
echo "::error::D-2 regression: Notification TS interface re-added a phantom 'subject' field:"
|
|
echo "$BAD_NOTIF"
|
|
echo ""
|
|
echo "The Go-side internal/domain/notification.go::NotificationEvent"
|
|
echo "has no 'subject' field — only 'message'. Pre-D-2 the consumer"
|
|
echo "at NotificationsPage.tsx had a dead '|| n.subject' fallback"
|
|
echo "that always fell through. See unified-audit.md"
|
|
echo "diff-05x06-caba9eb3620e for closure rationale."
|
|
exit 1
|
|
fi
|
|
echo "D-1 + D-2 statusbadge-phantom: clean."
|