Propagate changes from development into feature/beta-release #953

Merged
Wikid82 merged 2 commits into feature/beta-release from development on Apr 16, 2026

@github-actions
Contributor

Automated PR to propagate changes from development into feature/beta-release.

Triggered by push to development.

Wikid82 added 2 commits April 15, 2026 12:54
feat: Custom Certificate Upload & Management
chore(config): migrate config .github/renovate.json
Wikid82 marked this pull request as ready for review April 16, 2026 13:25
Copilot AI review requested due to automatic review settings April 16, 2026 13:25
Wikid82 merged commit 1bd7eab into feature/beta-release Apr 16, 2026
35 checks passed
Contributor

Copilot AI left a comment

Pull request overview

Automated merge-up PR propagating development changes into feature/beta-release, primarily expanding certificate management (UUID-based cert references, upload/validate/export/detail UI), adding encrypted private-key handling in Caddy config generation, and updating dependencies/CI workflow pins.

Changes:

  • Introduce expanded Certificates API surface (detail/update/export/validate) and update frontend models/tests to use uuid + domains (plural) consistently.
  • Add certificate upload UX (file drop zones + validation preview) and certificate chain/detail/export dialogs.
  • Backend wiring for encryption service and a background certificate expiry checker; plus dependency and workflow pin bumps.

Reviewed changes

Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.

| File | Description |
|---|---|
| scripts/security-scan.sh | Bump govulncheck install version used by local security scan script. |
| package.json | Dev dependency bumps and add vitest at repo root. |
| go.work.sum | Workspace checksum update for golang.org/x/term go.mod. |
| frontend/src/pages/tests/UsersPage.test.tsx | Stabilize invite preview tests (timeouts/debounce waits). |
| frontend/src/pages/tests/ProxyHosts-extra.test.tsx | Update mocked certificate shape to include uuid/domains/has_key/in_use. |
| frontend/src/pages/tests/ProxyHosts-coverage.test.tsx | Update certificate mocks to uuid/domains + flags. |
| frontend/src/pages/tests/ProxyHosts-coverage-isolated.test.tsx | Update certificate mock field domain → domains. |
| frontend/src/pages/tests/ProxyHosts-cert-cleanup.test.tsx | Update cert deletion expectations to use UUID. |
| frontend/src/pages/tests/Dashboard.test.tsx | Add coverage for missing domains field handling. |
| frontend/src/pages/tests/Certificates.test.tsx | Simplify page-level tests and mock upload dialog component. |
| frontend/src/pages/ProxyHosts.tsx | Switch cert cleanup/delete flows from numeric id to uuid; guard domains. |
| frontend/src/pages/Dashboard.tsx | Read cert.domains (plural) for domain aggregation. |
| frontend/src/pages/Certificates.tsx | Replace inline upload dialog with CertificateUploadDialog. |
| frontend/src/locales/en/translation.json | Add certificate upload/validate/detail/export translation keys. |
| frontend/src/hooks/useCertificates.ts | Add certificate detail + upload/update/delete/export/validate hooks and bulk delete. |
| frontend/src/components/ui/tests/FileDropZone.test.tsx | Add unit tests for new FileDropZone component. |
| frontend/src/components/ui/FileDropZone.tsx | Add reusable accessible file drop/select UI component. |
| frontend/src/components/dialogs/tests/DeleteCertificateDialog.test.tsx | Update certificate mock shape for uuid/domains/flags. |
| frontend/src/components/dialogs/tests/BulkDeleteCertificateDialog.test.tsx | Update certificate mocks to uuid/domains/flags. |
| frontend/src/components/dialogs/DeleteCertificateDialog.tsx | Display certificate.domains (plural). |
| frontend/src/components/dialogs/CertificateUploadDialog.tsx | New upload dialog with validation flow and drop zones. |
| frontend/src/components/dialogs/CertificateExportDialog.tsx | New export dialog supporting pem/pfx/der and optional key export. |
| frontend/src/components/dialogs/CertificateDetailDialog.tsx | New detail dialog (chain/hosts/metadata) using detail endpoint hook. |
| frontend/src/components/dialogs/CertificateCleanupDialog.tsx | Switch cleanup list keying from cert id to uuid. |
| frontend/src/components/dialogs/BulkDeleteCertificateDialog.tsx | Use cert.uuid keys and display cert.domains. |
| frontend/src/components/tests/CertificateValidationPreview.test.tsx | Add tests for validation preview UI. |
| frontend/src/components/tests/CertificateStatusCard.test.tsx | Update cert mocks for uuid/domains/flags. |
| frontend/src/components/tests/CertificateChainViewer.test.tsx | Add tests for certificate chain viewer component. |
| frontend/src/components/ProxyHostForm.tsx | Allow certificate_id to be UUID or numeric; update select token handling. |
| frontend/src/components/CertificateValidationPreview.tsx | New validation preview component. |
| frontend/src/components/CertificateStatusCard.tsx | Read cert.domains (plural) for domain aggregation. |
| frontend/src/components/CertificateChainViewer.tsx | New certificate chain viewer component. |
| frontend/src/api/proxyHosts.ts | Allow certificate_id to be `number |
| frontend/src/api/certificates.ts | Expand Certificates API (detail/update/export/validate) + updated Certificate shape. |
| frontend/src/api/tests/certificates.test.ts | Expand API unit tests for new endpoints and payloads. |
| frontend/package.json | Frontend dependency bumps (React Query, i18next, router, tooling). |
| docs/reports/qa_report_pr928.md | Add QA audit report artifact for prior CI test fix. |
| docs/development/go_version_upgrades.md | Update patch-version examples in Go upgrade guidance. |
| backend/pkg/dnsprovider/custom/rfc2136_provider_test.go | Add early return after nil-provider fatal check. |
| backend/internal/services/certificate_validator_patch_coverage_test.go | Add patch-coverage tests for validator/format/key parsing and conversions. |
| backend/internal/services/certificate_service_checkexpiry_test.go | Add tests for expiry checks and several error paths in certificate service. |
| backend/internal/services/certificate_helpers_test.go | Add helper for generating self-signed cert PEMs in tests. |
| backend/internal/network/safeclient_test.go | Add early returns after fatal nil-client checks. |
| backend/internal/network/internal_service_client_test.go | Add early return after fatal nil-client check. |
| backend/internal/models/ssl_certificate.go | Expand certificate model fields; store key material encrypted/hidden in JSON. |
| backend/internal/config/config.go | Add configurable CertExpiryWarningDays via env. |
| backend/internal/caddy/manager_ssl_provider_test.go | Update generateConfigFunc signature for optional encryption service. |
| backend/internal/caddy/manager_patch_coverage_test.go | Update generateConfigFunc signature for optional encryption service. |
| backend/internal/caddy/manager_additional_test.go | Update generateConfigFunc signature for optional encryption service. |
| backend/internal/caddy/manager.go | Add encryption service plumbing into config generation. |
| backend/internal/caddy/config_customcert_test.go | Add tests for custom cert loading with encrypted key + chain behaviors. |
| backend/internal/caddy/config.go | Support encrypted private keys and chain concatenation in TLS load config. |
| backend/internal/api/tests/integration_test.go | Update routes registration to pass context. |
| backend/internal/api/routes/routes_save_contract_test.go | Update routes registration to pass context. |
| backend/internal/api/routes/routes_coverage_test.go | Update routes registration to pass context (with cancellable ctx). |
| backend/internal/api/routes/routes.go | Add ctx-based Register functions; wire encryption; expand cert endpoints; start expiry checker. |
| backend/internal/api/routes/endpoint_inventory_test.go | Update routes registration to pass context. |
| backend/internal/api/handlers/proxy_host_handler_patch_coverage_test.go | Add patch-coverage tests incl. invalid certificate/security-header references. |
| backend/internal/api/handlers/proxy_host_handler.go | Accept certificate references by UUID in create/update flows. |
| backend/internal/api/handlers/certificate_handler_security_test.go | Update tests for new cert route params and new service constructor signature. |
| backend/go.sum | Dependency checksum updates (mongo driver, pkcs12). |
| backend/go.mod | Add go-pkcs12 and bump mongo driver patch version. |
| backend/cmd/api/main.go | Introduce lifecycle context for background goroutines; cancel on shutdown. |
| Dockerfile | Bump caddy plugins; add git; expand apk upgrades for security libs; update Go patch mention. |
| .gitignore | Ignore new local test output artifacts. |
| .github/workflows/supply-chain-pr.yml | Bump pinned upload-sarif action SHA. |
| .github/workflows/security-weekly-rebuild.yml | Bump pinned upload-sarif action SHA. |
| .github/workflows/renovate.yml | Bump Renovate GitHub Action pin. |
| .github/workflows/nightly-build.yml | Bump pinned upload-sarif action SHA. |
| .github/workflows/e2e-tests-split.yml | Bump pinned actions/cache SHA. |
| .github/workflows/docs.yml | Bump pinned upload-pages-artifact SHA. |
| .github/workflows/docker-build.yml | Bump pinned upload-sarif action SHA (multiple steps). |
| .github/workflows/codeql.yml | Bump pinned CodeQL action SHAs (init/autobuild/analyze). |
| .github/workflows/auto-versioning.yml | Bump action-gh-release pin (v2→v3). |
| .github/skills/examples/gorm-scanner-ci-workflow.yml | Update example workflow action pins/versions. |
| .github/instructions/subagent.instructions.md | Update guidance from multi-PR slicing to multi-commit slicing. |
| .github/agents/Planning.agent.md | Update guidance from multi-PR slicing to multi-commit slicing. |
| .github/agents/Management.agent.md | Update guidance from multi-PR slicing to multi-commit slicing. |

Comment on lines 562 to 567

Copilot AI Apr 16, 2026

certificate_id is normalized via normalizeAccessListReference(...), which works structurally but is misleading (it encodes an access-list-specific name into certificate handling). Consider extracting a generic helper (e.g., normalizeNullableReference) or a dedicated normalizeCertificateReference wrapper to avoid confusion and accidental divergence later.

Comment on lines 71 to 81

Copilot AI Apr 16, 2026

URL.revokeObjectURL(url) is called immediately after a.click(). In some browsers this can revoke the blob URL before the download actually starts, leading to intermittent download failures. Consider revoking after a microtask/timeout, and optionally sanitize certificate.name when building filename (to avoid path separators or control chars).
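
The pattern suggested in the review comment above, as an added example that is not the project's code and not part of the review: the object URL is revoked on a later task instead of right after `click()`, and the filename is stripped of path separators and control characters. `sanitizeFilename`, `downloadBlob` and the injected `env` object are hypothetical names; `env` defaults to the browser globals, and `ext` is assumed to come from a fixed set such as pem/pfx/der.

```javascript
// Added example; sanitizeFilename, downloadBlob and env are hypothetical names.

// Reduce a user-controlled certificate name to a safe download filename.
function sanitizeFilename(name, fallback = 'certificate') {
  const cleaned = String(name ?? '')
    .normalize('NFKC')                       // fold look-alikes (e.g. fullwidth '/') first
    .replace(/[\u0000-\u001f\u007f]/g, '')   // drop control characters (CR, LF, NUL, ...)
    .replace(/[\\\/:*?"<>|]/g, '_')          // path separators and reserved characters
    .replace(/^[.\s]+|[.\s]+$/g, '')         // leading/trailing dots and whitespace
    .slice(0, 100);                          // keep the name a reasonable length
  return cleaned || fallback;
}

// Trigger a download, then revoke the object URL on a later task so the
// browser has had a chance to start reading the blob.
// ext is assumed to be chosen by the application, not by the user.
function downloadBlob(blob, name, ext, env = globalThis, delayMs = 0) {
  const url = env.URL.createObjectURL(blob);
  const a = env.document.createElement('a');
  a.href = url;
  a.download = `${sanitizeFilename(name)}.${ext}`;
  env.document.body.appendChild(a);
  a.click();
  a.remove();
  return new Promise((resolve) => {
    env.setTimeout(() => {
      env.URL.revokeObjectURL(url);          // release the blob only after the click task
      resolve(a.download);
    }, delayMs);
  });
}
```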

Comment on lines 156 to 161

Copilot AI Apr 16, 2026

If crypto.NewEncryptionService(cfg.EncryptionKey) fails here, the error is silently ignored. That can lead to certificates failing to load/decrypt later without any visible explanation. Please log (or return) the initialization error so operators can diagnose misconfiguration.

Comment on lines 444 to 460

Copilot AI Apr 16, 2026

The warning logs for skipped custom certificates only include cert.Name in the structured field. Since name can be empty/non-unique, it will be hard to identify the affected certificate in production. Consider logging cert.UUID (and/or cert.Domains) in the structured fields for these warnings.
