gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 23:31:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d14411faf5d7b9db25f1be8f3310d840fd67ab68
certctl/cmd
T
History
cowork 90b8ba6f4e Bundle 0.7 (Coverage Audit Closure): cmd/agent key-handling regression coverage — C-008 closed 
Phase 0 of the 2026-04-27 coverage-audit closure plan surfaced cmd/agent/keymem.go

with two security-critical functions at 0.0% / 11.1% line coverage:

  - marshalAgentKeyAndZeroize: zeros the DER backing buffer after PEM encode

  - ensureAgentKeyDirSecure: locks the agent key directory to 0o700

Both ship as defense-in-depth for agent private-key memory hygiene per

Bundle 9 / Audit L-002 + L-003 (agent edition), but had ZERO regression tests.

This commit adds cmd/agent/keymem_test.go (~510 LoC, 17 top-level test funcs):

marshalAgentKeyAndZeroize coverage:

  - happy path (DER decodes, callback invoked once)

  - nil key (asserts onDER NEVER invoked)

  - onDER returns error (errors.Is propagation)

  - DER backing buffer zeroized after return INVARIANT (the critical assertion)

  - DER buffer zeroized even on onDER-error path

  - contract-violator defense (caller retains slice -> reads zeros)

ensureAgentKeyDirSecure coverage (13-row table-driven):

  - empty/dot/root refused with documented error wrap

  - creates with 0700 (incl. nested ancestors)

  - existing 0700 noop short-circuit

  - tighten 0750/0755/0777 -> 0700

  - accept existing 0500/0400 (mode&0o077==0 branch, no chmod)

  - filepath.Clean normalization (trailing slash + dot prefix)

  - PathIsAFile (documents current behavior; not a bug per call sites)

  - Idempotent

  - Concurrent (-race clean across 8 goroutines)

  - Stat error propagated (root-skips cleanly on non-root CI)

  - Mkdir error propagated (root-skips cleanly on non-root CI)

  - Chmod error propagated (linux-only via /sys read-only fs)

  - Format-includes-cleaned-path debuggability assertion

Plus end-to-end smoke replaying cmd/agent/main.go's composition flow.

Coverage delta:

  cmd/agent/keymem.go::marshalAgentKeyAndZeroize  0.0%  -> 85.7% (>=85% gate met)

  cmd/agent/keymem.go::ensureAgentKeyDirSecure   11.1% -> 94.4% (>=85% gate met)

  cmd/agent overall                              54.3% -> 57.7% (+3.4pp)

The cmd/agent overall >=75% stretch target is unachievable from a keymem-only

test file because the package's bulk (Run, main, executeCSRJob,

executeDeploymentJob, verifyAndReportDeployment) is unrelated to key-handling

and dominates the denominator. Tracked as a follow-on cmd/agent flow-test bundle.

Verification:

  go test -short ./cmd/agent/...                  PASS

  go test -race -count=3 ./cmd/agent/...          PASS, 0 races

  gofmt -l cmd/agent/keymem_test.go               clean

  go vet ./cmd/agent/...                          clean

  staticcheck ./cmd/agent/...                     clean

Audit deliverables:

  coverage-audit-2026-04-27/findings.yaml: C-008 status open -> closed

  coverage-audit-2026-04-27/gap-backlog.md: closure log entry + H-006 partial

  coverage-audit-2026-04-27/coverage-report.md: Bundle 0.7 closure block appended

  coverage-audit-2026-04-27/coverage-matrix.md: cmd/agent row 'NOT MEASURED' -> 57.7%

  coverage-audit-closure-plan.md: Bundle 0.7 checklist ticked

  CHANGELOG.md: [unreleased] Bundle 0.7 entry

Bundle J (ACME failure-mode coverage) unblocked.
2026-04-27 14:26:00 +00:00
..
agent
Bundle 0.7 (Coverage Audit Closure): cmd/agent key-handling regression coverage — C-008 closed
2026-04-27 14:26:00 +00:00
cli
v2.0.47: HTTPS Everywhere — TLS-only control plane, agents/CLI/MCP
2026-04-20 03:43:10 +00:00
mcp-server
v2.0.47: HTTPS Everywhere — TLS-only control plane, agents/CLI/MCP
2026-04-20 03:43:10 +00:00
server
Bundle C: Renewal/reliability cluster — 7 findings closed
2026-04-27 00:08:25 +00:00