mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 19:11:30 +00:00
5a9e994f62
Drop steps 5-7 (issue/renew/revoke + audit row assertion). They covered functional API behavior (cert lifecycle) which the warm-DB integration test suite under 'Go Test with Coverage' already covers thoroughly.

The cold-DB smoke's unique value is catching the bug class only a true cold boot can surface — config validation gaps, non-idempotent migrations, env-var-wiring gaps in the demo compose. Today's run found three real master bugs of that class (4737fff DEMO_MODE_ACK, f1aecc6 migration 000043 idempotency, ec72c69 bootstrap-token interpolation); cert lifecycle is not in that bug class.

Steps that remain (proven to fire on real bugs today):

1. docker compose down -v --remove-orphans
2. docker compose up -d (cold boot)
3. wait for postgres + certctl-server + certctl-agent healthy
4. force-recreate certctl-server with CERTCTL_BOOTSTRAP_TOKEN + POST /api/v1/auth/bootstrap — proves the full migration ladder ran cleanly on a warm DB second-boot AND that the day-0 admin path works.

Steps dropped:

5. issuing test cert via POST /api/v1/certificates — required team_id + renewal_policy_id + issuer_id from the seeded demo data; the original payload was speculative and would have needed maintenance whenever the seed shape changes. Functional cert-issue coverage already in the integration suite.
6. renewing via POST /api/v1/certificates/{id}/renew — same: functional renewal coverage in the integration suite.
7. revoking + asserting audit row presence — same: handler tests cover audit emission.

Wall-clock cap tightened from 15min to 10min (the dropped steps were the slowest; 4 steps fit comfortably in ~7-8min cold).

Audit-Closes: post-v2.1.0-anti-rot/item-6