zester

Code-to-Docs Coverage Map

This map treats code as source of truth and lists documentation coverage for key runtime packages.

Scope

  • pkg/auth
  • pkg/enroll
  • pkg/update

pkg/auth

Code SurfacePrimary DocsCoverage
keys.go (GenerateKeyBundle, LoadKeyBundle*, ValidatePublicKey, PublicKeyFromSeed)docs/authentication/nkeys.mdFull
jwt.go (Create*JWT, Decode*JWT, ValidateJWTChain, PeelUserJWTOptions, MasterUserJWTOptions, AdminUserJWTOptions)docs/authentication/jwt.md, docs/architecture/security.mdFull
creds.go (GenerateCredsFile, WriteCredsFile, LoadCredsFile, NATS options, bootstrap)docs/authentication/credentials.mdFull
accept.go (KeyStore, accept policies, key lifecycle)docs/authentication/key-management.mdFull
encrypt.go (NaCl box settings encryption helpers)docs/settings/encryption.md, docs/architecture/security.mdFull

pkg/enroll

Code SurfacePrimary DocsCoverage
enrollment.go (state machine and transitions)docs/enrollment-architecture.md, docs/enrollment-design.mdFull
verify.go (signature verification, input validation)docs/enrollment-api.md, docs/enrollment-security.mdFull
challenge.go (challenge issuance/consume, TTL)docs/enrollment-api.md, docs/enrollment-security.mdFull
store.go (KV schema, CAS transitions, list/filter)docs/enrollment-architecture.md, docs/enrollment-design.md, docs/enrollment-security.mdFull
handler.go (HTTP endpoints, SSE, rate limit/security headers)docs/enrollment-api.md, docs/enrollment-operations.md, docs/enrollment-security.mdFull
server.go (TLS-only server, min TLS version)docs/enrollment-operations.md, docs/enrollment-security.mdFull
credential.go (JWT issuance and transport encoding)docs/enrollment-api.md, docs/enrollment-security.mdFull
client.go + persist.go (auto-enroll flow, credential/seed persistence)docs/enrollment-operations.md, docs/enrollment-architecture.mdFull

pkg/update

Code SurfacePrimary DocsCoverage
CLI command surface (cmd/zester/cmd/update*.go)docs/cli/update.mdFull (CLI only)
KV buckets/object store names and retention (BucketUpdate*, ObjectBucketUpdateBinaries)docs/update/storage.md, docs/architecture/nats.mdFull
manifest.go (manifest schema/keying, binary object keys, upload/download verification)docs/update/storage.md, docs/update/architecture.mdFull
rollout.go (rollout state model, batching, abort semantics, persisted rollout state)docs/update/architecture.md, docs/cli/update.mdFull
status.go (watchdog reporter, update-status heartbeat schema)docs/update/watchdog.md, docs/update/storage.md, docs/cli/update.mdFull
handler.go (watchdog update state machine + command protocol)docs/update/watchdog.mdFull
slots.go (atomic slot swap/rollback/recovery: .staging/.prev)docs/update/watchdog.mdFull
supervisor.go (child lifecycle + health check policy + degraded mode)docs/update/watchdog.mdFull
NATS update subjects (zester.update.cmd.*, rollout start/abort subjects)docs/update/architecture.md, docs/architecture/nats.mdFull

Remaining Undocumented Areas (highest impact)

No high-impact gaps found for pkg/update at the package-surface level.

Notes

  • This map is intentionally package-surface oriented; it does not duplicate detailed module docs.
  • When this file says Partial, there is at least one user-visible behavior in code that is not described in docs.

On this page