gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:11:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5411c12841310010d6c1117de00b55ce642e96c9
certctl/scripts/ci-guards/complete-path-config-coverage-exceptions.yaml
T
shankar0123 0ab6bc4a73 feat(ci): item-1 complete-path config-coverage guard (PARTIAL — sandbox could not verify Go test) 
Shell guard verified working in sandbox:
  - Green on clean repo: 'OK — every CERTCTL_* env var (194) has at least
    one non-config-package consumer.'
  - Red on injected orphan: '::error::Orphan env vars — defined in
    config.go but no consumer found outside internal/config/' with three
    remediation paths listed.

Go test internal/config/coverage_test.go written but NOT verified —
sandbox Go 1.25.9 < go.mod's 1.25.10 requirement; toolchain
auto-download fails (disk full). Operator must run `make verify` from
workstation before merge.

Allowlist scaffold at scripts/ci-guards/complete-path-config-coverage-exceptions.yaml.
Every entry requires name + justification + expires fields; expired
entries fail the guard.

Catches the lying-field bug class — env var defined in config.go that no
business-logic code reads. The 2026-04-29 SCEP MustStaple Phase 5.6 gap
(domain field shipped, service layer never read profile.MustStaple) is
the canonical case this guard would have caught at commit time.

Audit-Closes: post-v2.1.0-anti-rot/item-1
2026-05-12 14:02:04 +00:00

25 lines
1.0 KiB
YAML
Raw Blame History

# scripts/ci-guards/complete-path-config-coverage-exceptions.yaml
#
# Allowlist for the complete-path config-coverage guard
# (scripts/ci-guards/complete-path-config-coverage.sh).
#
# Each entry exempts a CERTCTL_* env var from the "must have a consumer
# outside internal/config/" rule. Every row MUST carry:
#
# - name: "CERTCTL_NAME"
# justification: "one-line reason this is documented but not consumed"
# expires: "YYYY-MM-DD" # required; the guard rejects exceptions
# # whose expiration date has passed
#
# Discipline: when an exception is added, it gets a hard expiration date
# (usually 90 days out). When it expires, the guard fails until either
# (a) the env var is wired to a real consumer, (b) the env var is
# removed, or (c) the row is re-justified with a new expiration. Keeps
# the allowlist from becoming a dumping ground.
#
# DO NOT add entries here to silence the guard on a real defect. If the
# env var should be wired and isn't, that's the bug — fix it instead of
# allowlisting.
exceptions: []
Reference in New Issue View Git Blame Copy Permalink