- Introduce a universal ConfigurableProvider/ProviderConfig abstraction
for ServiceLoader-based components and align PKI bootstrapping
utilities with it.
- Document deterministic provider selection, property-based
configuration conventions, and security requirements (never log config
values), including package-level documentation for spi, spi.store and
spi.bootstrap.
fix: harden audit runtime, fix gzip scanning, add bounds and docs
- Fix FileAuditSink concatenated gzip scan by shielding underlying
stream
- Use JUnit @TempDir for filesystem-backed tests
- Bound InMemoryAuditSink with deterministic ring buffer
- Add ServiceLoader smoke test and expand DefaultAuditService coverage
- Improve JavaDoc and logging across audit implementation
feat: add deterministic tests for PkiBootstrap with real SPI providers
- add JUnit 5 test suite for PkiBootstrap
- cover SPI selection for filesystem PkiStore and audit sinks
- use @TempDir for filesystem-backed providers
- register test ServiceLoader providers under src/test/resources
- ensure deterministic bootstrap behavior via system properties
Signed-off-by: Leo Galambos <lg@hq.egothor.org>
Introduce a deterministic filesystem-backed PkiStore implementation
under zeroecho.pki.impl.fs.
Key characteristics:
- write-once semantics for immutable objects with explicit failure on
overwrite
- history tracking for mutable records with full audit trail
- atomic writes using NIO (temp + move) with best-effort durability
- strict snapshot export supporting time-travel reconstruction
- configurable history retention (ON_WRITE policy)
- no secrets logged; JUL-only diagnostics for anomalies
Includes comprehensive JUnit 5 tests validating:
- write-once enforcement
- history creation and overwrite semantics
- strict snapshot export (failure and positive selection cases)
- deterministic on-disk layout and structure
This implementation is intentionally non-public and serves as a
reference and validation baseline for future persistence backends.
Signed-off-by: Leo Galambos <lg@hq.egothor.org>
