mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 18:31:37 +00:00
shankar0123
8043e2bbac
Rank 7 of the 2026-05-03 Infisical deep-research deliverable, commit 2 of 4
(cowork/rank-7-approval-workflow-primitive-prompt.md). Builds on the
foundation in commit 2025275 — wires the service layer that drives the
approval workflow. Still no handler / integration wiring; commits 3-4
land that.
Files added:
internal/service/approval.go - ApprovalService struct + 6
methods: RequestApproval,
Approve, Reject, ListPending,
List, Get, ExpireStale.
Same-actor RBAC check
(ErrApproveBySameActor) at
both Approve and Reject; the
load-bearing two-person
integrity gate. Bypass mode
short-circuits via
approveInternal(outcome=
"bypassed", actorType=System).
Audit + metric emission per
decision via shared
recordAudit helper. Tolerates
nil AuditService for tests.
Service depends on a narrow
JobStatusUpdater interface
(single-method) rather than
the full repository.JobRepository
— production wiring satisfies
it implicitly via postgres'
existing UpdateStatus.
internal/service/approval_metrics.go - ApprovalMetrics: thread-safe
counter table (decisions
counter dimensioned by
outcome × profile_id) + a
custom durationHistogram for
pending-age (le buckets:
60, 300, 1800, 3600, 21600,
86400, +Inf — 1m, 5m, 30m,
1h, 6h, 24h, beyond).
Snapshot* methods return the
Prometheus exposer's input
shapes. Mirrors the
ExpiryAlertMetrics +
VaultRenewalMetrics pattern
from prior ranks.
internal/service/approval_test.go - 8 table-driven tests with
tight in-package fakes
(fakeApprovalRepo +
fakeJobStateRepo):
TestApproval_RequestCreatesPendingRow_BypassDisabled
TestApproval_BypassMode_AutoApprovesWithSystemBypassActor
TestApproval_Approve_TransitionsJobFromAwaitingApprovalToPending
TestApproval_Reject_TransitionsJobFromAwaitingApprovalToCancelled
TestApproval_Approve_RejectsSameActor
↑ THE LOAD-BEARING TWO-PERSON
INTEGRITY TEST. PCI-DSS 6.4.5
/ NIST 800-53 SA-15 / SOC 2
CC6.1 compliance auditors
pattern-match against this.
Pins same-actor rejection on
both Approve and Reject paths;
pins success when a different
actor approves.
TestApproval_Approve_RejectsAlreadyDecided
TestApproval_ExpireStale_TransitionsPendingToExpired_AndCancelsJob
TestApproval_MetricCounterIncrements
Verified:
gofmt: clean.
go vet ./internal/service/...: exit 0.
go test -short -count=1 -run TestApproval ./internal/service/...:
ok 0.005s — all 8 tests green.
Out of scope for this commit (lands in commits 3-4):
- api/handler/approval.go (5 endpoints + handler-side RBAC).
- api/openapi.yaml extensions.
- Integration into CertificateService.TriggerRenewal +
RenewalService.CheckExpiringCertificates + Scheduler.ReapTimedOutJobs.
- cmd/server/main.go wiring of ApprovalService + ApprovalMetrics.
- Config.Approval.BypassEnabled + CERTCTL_APPROVAL_BYPASS env var.
- docs/connectors.md row + docs/approval-workflow.md runbook.
Reference: cowork/rank-7-approval-workflow-primitive-prompt.md.