feat(gateway-clients): add managed gateway client administration and token-bound route ownership

test/test.certificate-api-token.node.ts

@@ -47,7 +47,11 @@ const makeApiTokenManager = (scopes: TScope[]) => {
   };
 };
 
-const setupHandler = (scopes: TScope[]) => {
+const setupHandler = (scopes: TScope[], options?: {
+  routes?: any[];
+  certProvisionScheduler?: any;
+  certProvisionFunction?: (...args: any[]) => any;
+}) => {
   const typedrouter = new plugins.typedrequest.TypedRouter();
   const opsServerRef: any = {
     typedrouter,
@@ -60,9 +64,13 @@ const setupHandler = (scopes: TScope[]) => {
       apiTokenManager: makeApiTokenManager(scopes),
       certificateStatusMap: new Map(),
       smartProxy: {
-        routeManager: { getRoutes: () => [] },
+        settings: options?.certProvisionFunction ? {
+          certProvisionFunction: options.certProvisionFunction,
+        } : {},
+        routeManager: { getRoutes: () => options?.routes ?? [] },
+        getCertificateStatus: async () => null,
       },
-      certProvisionScheduler: null,
+      certProvisionScheduler: options?.certProvisionScheduler ?? null,
     },
   };
 
@@ -147,6 +155,43 @@ tap.test('CertificateHandler allows API-token import with certificates:write', a
   expect(opsServerRef.dcRouterRef.certificateStatusMap.get('imported.example.com')?.status).toEqual('valid');
 });
 
+tap.test('CertificateHandler reports active certificate backoff as failed with root cause', async () => {
+  await testDbPromise;
+
+  const lastError = 'DNS-01 failed for stack.gallery: DnsManager: no managed domain found for _acme-challenge.stack.gallery.';
+  const retryAfter = new Date(Date.now() + 60 * 60 * 1000).toISOString();
+  const { typedrouter } = setupHandler(['certificates:read'], {
+    certProvisionFunction: async () => 'http01',
+    certProvisionScheduler: {
+      getBackoffInfo: async (domain: string) => domain === 'stack.gallery'
+        ? { failures: 11, retryAfter, lastError }
+        : null,
+    },
+    routes: [
+      {
+        name: 'stack-gallery',
+        match: { domains: ['stack.gallery'] },
+        action: {
+          tls: {
+            mode: 'terminate',
+            certificate: 'auto',
+          },
+        },
+      },
+    ],
+  });
+
+  const result = await fireTypedRequest(typedrouter, 'getCertificateOverview', {
+    apiToken: 'valid-token',
+  });
+
+  expect(result.error).toBeUndefined();
+  expect(result.response.summary.failed).toEqual(1);
+  expect(result.response.certificates[0].status).toEqual('failed');
+  expect(result.response.certificates[0].error).toEqual(lastError);
+  expect(result.response.certificates[0].backoffInfo.failures).toEqual(11);
+});
+
 tap.test('cleanup test db', async () => {
   const testDb = await testDbPromise;
   await testDb.cleanup();