gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 23:11:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
952682ebecdb02a0dd56819cb61b0426b75abea6
certctl/docs/testing/skip-inventory.md
T
shankar0123 558d350933 fix(ci): teach 3 CI guards about Phase 9 sibling-file splits 
Two CI guards on origin/master failed against the Sprint-12 commit
(30940108) because they didn't know about new files introduced by
earlier Phase 9 sprints. Both are pure mechanical relocation
fall-out — no actual regression in functionality.

1. scripts/ci-guards/no-new-synthetic-admin.sh — A-8 guard
====================================================================
Sprint 5 (commit 51f9cf13) extracted the Auth-family from
internal/config/config.go to internal/config/auth.go. The 4
'actor-demo-anon' references moved with the Auth-family code:

  - Line 255: 'actor-demo-anon is wired with AdminKey=true'
    documentation comment alongside the AdminKey wiring narrative.
  - Lines 283/289/293: residual-grants detector + cleanup SQL
    examples explaining why 'ar-demo-anon-admin' is reserved.

These are the SAME comments that were previously in config.go (which
IS in the allowlist), just relocated to the new sibling file. The
references were always present in the codebase; the A-8 guard was
just unaware of the new file location.

Fix: add './internal/config/auth.go' to the ALLOWLIST with a rationale
comment pointing at commit 51f9cf13.

Local verification: A-8 guard PASS — actor-demo-anon references
confined to the declared 19-entry allowlist (was 18, now 19).

2. internal/ciparity/surface_parity_test.go — mcpToolFiles list
====================================================================
Sprint 10 (commit fbe053aa) split internal/mcp/tools.go (1867 LOC,
121 mcp.AddTool registrations) into six tool-domain sibling files:

  tools_certificates.go (22 tools — cert + CRL/OCSP + renewal + verify)
  tools_agents.go       (16 tools — agents + agent groups)
  tools_resources.go    (40 tools — issuers + targets + policies +
                                    profiles + teams + owners +
                                    notifications + intermediate-CAs)
  tools_jobs.go         (9  tools — jobs + approvals)
  tools_discovery.go    (10 tools — network-scan + discovery)
  tools_admin.go        (24 tools — audit + stats + digest + metrics
                                    + health + health-check)

The TestSurfaceParity_MCPToolCatalogue hard-gate counts mcp.AddTool
registrations across mcpToolFiles() — a hard-coded 5-file list. After
the split, only 34 tools sat in the 5 known files (tools.go itself
went to 0 tools post-split; only the 4 pre-existing tools_*.go
siblings carried any). The actual cross-file count is 155 (above
the 150 floor).

Fix: expand mcpToolFiles() to include the 6 new Sprint-10 sibling
files. Doc-comment explains the Sprint-10 split + the union-of-files
intent.

Local verification:
  PASS: TestSurfaceParity_MCPToolCatalogue
    MCP tool catalogue: 155 tools (baseline floor 150)

3. docs/testing/skip-inventory.md — line-number drift
====================================================================
Adding the 8-line doc-comment to mcpToolFiles() (item 2) shifted the
location of readFileOrSkip from line 97 to line 113 in
surface_parity_test.go. The skip-inventory.md is auto-generated and
records every t.Skip() site with its file:line; the
skip-inventory-drift CI guard re-runs the generator and diffs.

Fix: bump the inventory entry from :97 to :113. One-line tracking
update; same skip site, new line number. (No t.Skip() was added or
removed.)

Behavior preservation contract
==============================
- Zero runtime change. All three diffs touch only CI-guard
  metadata (allowlist string, file-list slice, doc line-number).
- A-8 guard re-runs clean post-fix.
- TestSurfaceParity_MCPToolCatalogue runs and reports 155 tools.
- skip-inventory drift detection re-pins to the live line number.
- gofmt + go vet + staticcheck remain clean on the touched files
  (verified pre-commit; the sandbox /sessions partition is full so
  the broader 'all guards' loop was interrupted on a tmpfile write,
  not on a real regression — the deterministic fix above matches
  the CI failure output byte-for-byte).

Closes: CI failures on commit 30940108 across Frontend Build (A-8
guard) + Go Build & Test (TestSurfaceParity_MCPToolCatalogue).
2026-05-14 11:04:32 +00:00

18 KiB
Raw Blame History

Test Skip Inventory

Last reviewed: 2026-05-13

Summary

  • Total t.Skip sites: 142
  • testing.Short() guards: 76 (these gate behind go test -short)

Re-run inventory with: ./scripts/skip-inventory.sh.

Sites (grouped by package)

cmd/agent

  • cmd/agent/keymem_test.go:209 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:425 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:451 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:491 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:523 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:526 — t.Skip("running as root; cannot revoke parent dir write permission")
  • cmd/agent/keymem_test.go:553 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:556 — t.Skip("running as root; cannot revoke parent dir read+exec permission")
  • cmd/agent/keymem_test.go:623 — t.Skip("chmod-error branch is only reliably triggerable on linux via /sys (read-only fs)")
  • cmd/agent/keymem_test.go:631 — t.Skipf("/sys/kernel not stat-able as a dir on this host; skipping (%v)", err)
  • cmd/agent/keymem_test.go:637 — t.Skipf("/sys/kernel mode %#o already satisfies no-chmod branch", mode)
  • cmd/agent/keymem_test.go:652 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:655 — t.Skip("running as root; cannot revoke parent dir write permission")
  • cmd/agent/keymem_test.go:686 — t.Skip("permission semantics differ on windows")
  • cmd/agent/verify_test.go:402 — t.Skip("no TLS certificates configured on test server")

cmd/server

  • cmd/server/preflight_demo_residual_test.go:41 — t.Skip("preflight A-8 test requires Postgres (testcontainers); skipping under -short")
  • cmd/server/preflight_demo_residual_test.go:97 — t.Skip("A-8 testcontainers unavailable; skipping")

deploy/test/acme-integration

  • deploy/test/acme-integration/certmanager_test.go:54 — t.Skip("KIND_AVAILABLE unset — kind-driven cert-manager integration test skipped")

deploy/test

  • deploy/test/crl_ocsp_e2e_test.go:134 — t.Skip("integration only")
  • deploy/test/crl_ocsp_e2e_test.go:65 — t.Skip("integration only")
  • deploy/test/est_e2e_test.go:124 — t.Skip("integration tests require INTEGRATION=1; skipping libest e2e suite")
  • deploy/test/est_e2e_test.go:129 — t.Skipf("libest sidecar (container %q) not running (status=%q). Run cd deploy && docker compose -f docker-compose.test.yml --profile est-e2e up -d libest-client to bring it up.", libestContainer, status)
  • deploy/test/est_e2e_test.go:213 — t.Skip("/config/certs/bootstrap.pem not present in libest sidecar — skipping mTLS path. To enable: mint a bootstrap cert against the per-profile mTLS trust anchor and copy into deploy/test/certs/.")
  • deploy/test/est_e2e_test.go:252 — t.Skip("server-keygen disabled on the e2e EST profile (HTTP 404). Enable via CERTCTL_EST_PROFILE_E2E_SERVER_KEYGEN_ENABLED=true in docker-compose.test.yml.")
  • deploy/test/est_e2e_test.go:333 — t.Skipf("libest build lacks --tls-exporter support: %v", err)
  • deploy/test/healthcheck_test.go:102 — t.Skip("docker not available — skipping image-level HEALTHCHECK test")
  • deploy/test/healthcheck_test.go:163 — t.Skip("docker not available — skipping image-level HEALTHCHECK test")
  • deploy/test/healthcheck_test.go:224 — t.Skip("docker not available — skipping runtime HEALTHCHECK test")
  • deploy/test/healthcheck_test.go:227 — t.Skip("runtime HEALTHCHECK test takes ~45s; skipping under -short")
  • deploy/test/healthcheck_test.go:229 — t.Skip("runtime probe contract not yet wired to a sidecar postgres; " +
  • deploy/test/healthcheck_test.go:28 — // The tests skip cleanly with t.Skip when docker is not available
  • deploy/test/healthcheck_test.go:32 — // Q-1 closure (cat-s3-58ce7e9840be): this file's 5 t.Skip sites are
  • deploy/test/healthcheck_test.go:41 — // - Line 212: hard t.Skip for the runtime probe contract — image-spec
  • deploy/test/integration_test.go:1129 — t.Skip("no PEM data in certificate version")
  • deploy/test/integration_test.go:513 — t.Skip("agent not yet online (may be slow to heartbeat)")
  • deploy/test/integration_test.go:805 — t.Skip("depends on Phase04 (Local CA cert not created)")
  • deploy/test/integration_test.go:901 — t.Skip("no discovered certificates yet (agent scan may not have run)")
  • deploy/test/integration_test.go:942 — t.Skip("no certificate in Active state for renewal test")
  • deploy/test/integration_test.go:954 — t.Skipf("renewal trigger returned: %s", body)
  • deploy/test/nginx_vendor_e2e_test.go:108 — t.Skip()
  • deploy/test/qa_test.go:1055 — t.Skip("Part 23 (S/MIME & EKU) is documented in docs/testing-guide.md::Part 23 " +
  • deploy/test/qa_test.go:1065 — t.Skip("Part 24 (OCSP/CRL) is documented in docs/testing-guide.md::Part 24 " +
  • deploy/test/qa_test.go:1175 — t.Skip("Requires compiled certctl-cli binary — manual test")
  • deploy/test/qa_test.go:1179 — t.Skip("Requires compiled mcp-server binary + stdio — manual test")
  • deploy/test/qa_test.go:1313 — t.Skip("Scheduler tests are timing-dependent — verify via Docker logs manually")
  • deploy/test/qa_test.go:1320 — t.Skip("Requires Docker log inspection — manual test")
  • deploy/test/qa_test.go:1327 — t.Skip("Requires browser — manual test")
  • deploy/test/qa_test.go:1334 — t.Skip("Requires browser — manual test")
  • deploy/test/qa_test.go:1338 — t.Skip("Requires browser — manual test")
  • deploy/test/qa_test.go:1914 — t.Skip("Part 55 (Agent Soft-Retirement) is documented in docs/testing-guide.md::Part 55 " +
  • deploy/test/qa_test.go:1924 — t.Skip("Part 56 (Notification Retry/Dead-Letter) is documented in docs/testing-guide.md::Part 56 " +
  • deploy/test/qa_test.go:38 — // Q-1 closure (cat-s3-58ce7e9840be): this file contains 11 `t.Skip("Requires
  • deploy/test/qa_test.go:46 — // the runtime t.Skip is the second-line guard for operators who run
  • deploy/test/qa_test.go:50 — // is correct, and the t.Skip messages already name the missing
  • deploy/test/qa_test.go:870 — t.Skip("Requires CA cert+key setup — manual test")
  • deploy/test/qa_test.go:874 — t.Skip("Requires ACME CA with ARI support — manual test")
  • deploy/test/qa_test.go:881 — t.Skip("Requires live Vault server — manual test")
  • deploy/test/qa_test.go:885 — t.Skip("Requires DigiCert sandbox — manual test")
  • deploy/test/scep_intune_e2e_test.go:159 — t.Skipf("integration stack not reachable at %s: %v — start docker-compose.test.yml first", serverURL, err)
  • deploy/test/scep_intune_e2e_test.go:163 — t.Skipf("/scep/%s not configured — see deploy/docker-compose.test.yml for the e2eintune profile env vars", e2eintunePathID)
  • deploy/test/scep_intune_e2e_test.go:166 — t.Skipf("/scep/%s GetCACaps returned %d — Intune profile may not be enabled in compose env", e2eintunePathID, resp.StatusCode)
  • deploy/test/scep_intune_e2e_test.go:170 — t.Skipf("/scep/%s GetCACaps body=%q does NOT advertise SCEPStandard — Intune profile may be misconfigured", e2eintunePathID, string(body))
  • deploy/test/vendor_e2e_helpers_smoke_test.go:31 — t.Skip("requires network egress to api.github.com (or similar known TLS endpoint); run manually")
  • deploy/test/vendor_e2e_helpers_smoke_test.go:36 — t.Skip("requires network egress; run manually")
  • deploy/test/vendor_e2e_helpers_smoke_test.go:41 — // When hostPath is empty the helper t.Skip's. Re-run-from-

internal/api/handler

  • internal/api/handler/health_test.go:481 — t.Skip("integration-style test; covered by deploy/test/integration_test.go (//go:build integration). " +
  • internal/api/handler/health_test.go:499 — t.Skipf("postgres driver unavailable in this build: %v", err)

internal/auth/breakglass

  • internal/auth/breakglass/service_test.go:417 — t.Skip("timing test skipped in -short mode (Argon2id is expensive)")

internal/auth/oidc/domain

  • internal/auth/oidc/domain/types_test.go:186 — t.Skip()

internal/auth/oidc

  • internal/auth/oidc/bench_keycloak_test.go:103 — // signature matters because it calls t.Skip / t.Fatal / t.Cleanup.
  • internal/auth/oidc/integration_keycloak_test.go:53 — // initialized in keycloakFor() so individual tests can t.Skip under
  • internal/auth/oidc/integration_okta_smoke_test.go:64 — // If any required env var is missing, the test t.Skip's with a clear
  • internal/auth/oidc/integration_okta_smoke_test.go:84 — t.Skipf("Okta smoke test requires env vars: %s — skipping", strings.Join(missing, ", "))

internal/ciparity

  • internal/ciparity/surface_parity_test.go:113 — // readFileOrSkip reads a file; on ENOENT, calls t.Skipf rather than

internal/connector/issuer/acme

  • internal/connector/issuer/acme/acme_failure_test.go:687 — t.Skipf("could not bind challenge server (env may not allow): %v", err)

internal/connector/issuer/local

  • internal/connector/issuer/local/bundle9_coverage_test.go:467 — t.Skip("unexpectedly short DER")
  • internal/connector/issuer/local/bundle9_coverage_test.go:592 — t.Skip("permission semantics differ on windows")
  • internal/connector/issuer/local/bundle9_coverage_test.go:609 — t.Skip("permission semantics differ on windows")
  • internal/connector/issuer/local/bundle9_coverage_test.go:621 — t.Skip("permission semantics differ on windows")
  • internal/connector/issuer/local/bundle9_coverage_test.go:653 — t.Skip("permission semantics differ on windows")

internal/connector/issuer/openssl

  • internal/connector/issuer/openssl/openssl_failure_test.go:124 — t.Skip("running as root; chmod 0o600 doesn't gate execution for uid 0")
  • internal/connector/issuer/openssl/openssl_failure_test.go:71 — t.Skip("openssl adapter shell-out tests assume POSIX bash; skipping on Windows")

internal/connector/notifier/email

  • internal/connector/notifier/email/email_test.go:425 — t.Skip("test requires no service on smtp.example.com:587")
  • internal/connector/notifier/email/email_test.go:503 — t.Skip("test assumes no service on 127.0.0.1:54321")

internal/connector/target/iis

  • internal/connector/target/iis/iis_test.go:225 — t.Skip("Skipping: powershell.exe not available (non-Windows)")
  • internal/connector/target/iis/iis_test.go:92 — t.Skip("Skipping: powershell.exe not available (non-Windows)")

internal/crypto

  • internal/crypto/encryption_property_test.go:35 — t.Skip("skipping property-based test in -short mode (PBKDF2 600k rounds × 50 iters > short budget)")
  • internal/crypto/encryption_property_test.go:75 — t.Skip("skipping property-based test in -short mode (PBKDF2 cost)")

internal/deploy

  • internal/deploy/coverage_test.go:403 — t.Skip("read-only chmod doesn't restrict root")
  • internal/deploy/coverage_test.go:467 — t.Skip("non-unix")
  • internal/deploy/deploy_test.go:611 — t.Skip("non-unix platform")

internal/ratelimit

  • internal/ratelimit/sliding_window_test.go:146 — t.Skip("race-style test under -short")

internal/repository/postgres

  • internal/repository/postgres/audit_worm_test.go:29 — t.Skip("skipping integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:118 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:149 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:179 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:208 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:56 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:87 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:123 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:153 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:181 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:207 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:229 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:252 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:281 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:95 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_encryption_invariant_test.go:160 — t.Skip("Phase 13 encryption invariant: integration test in short mode")
  • internal/repository/postgres/oidc_encryption_invariant_test.go:225 — t.Skip("Phase 13 encryption invariant: integration test in short mode")
  • internal/repository/postgres/oidc_encryption_invariant_test.go:62 — t.Skip("Phase 13 encryption invariant: integration test in short mode")
  • internal/repository/postgres/oidc_prelogin_encryption_test.go:163 — t.Skip("HIGH-5 legacy fallback: integration test in short mode")
  • internal/repository/postgres/oidc_prelogin_encryption_test.go:42 — t.Skip("HIGH-5 encryption invariant: integration test in short mode")
  • internal/repository/postgres/oidc_test.go:117 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:140 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:171 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:185 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:209 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:239 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:301 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:331 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:45 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:82 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:96 — t.Skip("integration test in short mode")
  • internal/repository/postgres/repo_test.go:1944 — t.Skip("integration test requires PostgreSQL")
  • internal/repository/postgres/repo_test.go:2003 — t.Skip("integration test requires PostgreSQL")
  • internal/repository/postgres/repo_test.go:2114 — t.Skip("integration test requires PostgreSQL")
  • internal/repository/postgres/seed_test.go:91 — t.Skip("skipping integration test in short mode")
  • internal/repository/postgres/session_test.go:100 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:120 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:167 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:197 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:211 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:246 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:259 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:29 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:307 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:340 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:407 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:54 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:86 — t.Skip("integration test in short mode")
  • internal/repository/postgres/testutil_test.go:39 — t.Skip("skipping integration test in short mode")
  • internal/repository/postgres/user_test.go:106 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:131 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:170 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:210 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:29 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:302 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:339 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:374 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:59 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:73 — t.Skip("integration test in short mode")

internal/scep/intune

  • internal/scep/intune/challenge_golden_test.go:47 — t.Skip("regenerate fixtures only when -update-golden is passed")
  • internal/scep/intune/challenge_test.go:213 — t.Skip("encoder didn't produce padding for this fixture; skipping")
  • internal/scep/intune/rate_limit_test.go:139 — t.Skip("race-style test under -short")
  • internal/scep/intune/replay_test.go:131 — t.Skip("race-style test under -short; run full suite for coverage")

internal/service

  • internal/service/coverage_extras_test.go:374 — t.Skipf("RSA keygen unavailable: %v", err)
  • internal/service/coverage_extras_test.go:394 — t.Skipf("ECDSA keygen unavailable: %v", err)
Reference in New Issue View Git Blame Copy Permalink