feat(dcv): DNS domain control validation via IDomainValidatorFactory (#5)

* fix: P1-P3 improvements — OAuth auth, sync CompleteAdding, Ping enabled check, renewal window, retry logic, IDisposable, GroupNumber config, nested product response model

* test: add unit tests for P1-P3 fixes; update MockCertificateData to nested product response format

* test: rewrite integration tests — remove stale hardcoded-order tests, add lifecycle test, make empty-account resilient

* docs: add GroupNumber field, per-account product code note, AgreementAcceptance and DCV findings

* chore: refactor Makefile — extract all API targets into scripts/; add generate-order-149-fresh, probe-endpoints, get-field-details targets

* docs: add cross-plugin analysis, certinext improvement plan, and API findings from sandbox exploration

* chore: add V2 API Makefile targets and scripts; ignore analysis/ directory

Adds 21 make targets covering every CERTInext V2 operation (ssl-certificates,
private-pki-certificates, catalog, groups, orgs, domains, reports). Each target
delegates to a corresponding script under scripts/v2/ which sources the new
scripts/lib/certinext-v2-auth.sh for CERTInext-native SHA256 token exchange.
Adds analysis/ to .gitignore so scratch docs and support emails are never committed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(constants): add Dcv constants and Config DCV key names

Add Constants.Dcv subclass with dcvMethod codes (1=DNS TXT, 2=HTTP,
3=Email), dcvStatus values (0=Pending, 1=Validated, 2=Rejected), and
the default TXT record hostname template. Add DcvEnabled,
DcvTxtRecordTemplate, and DcvPropagationDelaySeconds to Constants.Config.

* feat(api): add GetDcv and VerifyDcv request/response DTOs

Add GetDcvRequest, DcvRequestDetails, and VerifyDcvRequest for the
GetDcv/VerifyDcv endpoints. Add GetDcvResponse, DcvResponseDetails,
VerifyDcvResponse, TrackOrderDomainVerification (with JsonExtensionData
for heterogeneous per-domain entries), and DomainVerificationDetail.
Wire DomainVerification onto TrackOrderResponseDetails.

* feat(client): add GetDcvAsync and VerifyDcvAsync

GetDcvAsync posts to GetDcv and returns the token (and file/email
fields) for a domain on an existing order. VerifyDcvAsync posts to
VerifyDcv to ask CERTInext to check the published DNS TXT record.
Both methods follow the existing pattern: BuildMetaAsync, retry,
auth-failure detection, DeserializeOrThrow, meta.status check,
structured logging with OrderNumber and Domain context.

* feat(config): add DcvEnabled, DcvTxtRecordTemplate, DcvPropagationDelaySeconds

Add three DCV-related fields to CERTInextConfig with documented defaults
(false, _emsign-validation.{0}, 30 s) and corresponding UI annotations
in GetCAConnectorAnnotations. Guards the DNS DCV path so operators must
explicitly opt in before any DNS plugin interaction occurs.

* feat(enroll): inject IDomainValidatorFactory; add DNS DCV orchestration

Bump IAnyCAPlugin to 3.3.0-PRERELEASE-78770-979f582005 to gain access
to IDomainValidatorFactory, IDomainValidator, and IDomainValidatorConfigProvider.

Add a primary constructor accepting IDomainValidatorFactory (gateway
injects this at startup) alongside the existing parameterless fallback.
Add DomainValidatorConfigProvider inner class.

Add PerformDcvIfNeededAsync: reads pending-DCV domains from TrackOrder,
skips if the order is already issued, validates domain FQDNs, calls
GetDcvAsync per domain, resolves the DNS plugin via
ResolveDomainValidator(domain, 'dns-01'), stages the TXT record, waits
for propagation, triggers VerifyDcv, then cleans up in a finally block.
EnrollNewAsync calls this when DcvEnabled=true and the factory is present,
then re-fetches the post-DCV certificate status before returning.

* test(client): add WireMock unit tests for GetDcvAsync and VerifyDcvAsync

Add GetDcvSuccessJson, GetDcvFailureJson, VerifyDcvSuccessJson, and
VerifyDcvFailureJson helpers to MockCertificateData. Add seven tests
covering: successful token retrieval, meta-failure response, 401
authentication failure, successful verification, meta-failure on verify,
401 on verify, and 500 on verify.

* chore(scripts): add get-dcv/verify-dcv probe scripts and Makefile targets

Add scripts/get-dcv.sh and scripts/verify-dcv.sh mirroring the
track-order.sh pattern. Both scripts source ~/.env_certinext and
certinext-auth.sh, accept ORDER_NUMBER, DOMAIN_NAME, and optional
DCV_METHOD (default 1=DNS TXT), and use jq --arg for safe JSON
construction to prevent injection via user-supplied values.

Add get-dcv and verify-dcv Makefile targets with DCV_METHOD variable
and register both in .PHONY.

Author: spbsoluble

.gitignore

@@ -33,3 +33,7 @@ terraform/terraform.tfvars
 
 # macOS
 .DS_Store
+
+# Analysis / scratch — never commit
+analysis/
+

CERTInext.Tests/CERTInextClientTests.cs

@@ -744,5 +744,145 @@ public async Task ExecuteWithRetry_MakesThreeAttempts_WhenServerAlwaysReturns500
             pingCallCount.Should().Be(3,
                 "ExecuteWithRetryAsync makes 3 total attempts on persistent 5xx errors");
         }
+
+        // ---------------------------------------------------------------------------
+        // GetDcvAsync — POST /GetDcv
+        // ---------------------------------------------------------------------------
+
+        [Fact]
+        public async Task GetDcvAsync_ReturnsToken_WhenServerRespondsOk()
+        {
+            const string token = "abc123token";
+            _server
+                .Given(Request.Create().WithPath("/GetDcv").UsingPost())
+                .RespondWith(Response.Create()
+                    .WithStatusCode(200)
+                    .WithHeader("Content-Type", "application/json")
+                    .WithBody(MockCertificateData.GetDcvSuccessJson(token)));
+
+            var client = BuildClient();
+
+            var result = await client.GetDcvAsync(
+                MockCertificateData.OrderNumber1, "example.com", Constants.Dcv.MethodDnsTxt);
+
+            result.Should().NotBeNull();
+            result.DcvDetails.Should().NotBeNull();
+            result.DcvDetails.Token.Should().Be(token);
+            _server.LogEntries.Should().Contain(e => e.RequestMessage.Path == "/GetDcv");
+        }
+
+        [Fact]
+        public async Task GetDcvAsync_Throws_WhenMetaStatusIsFailure()
+        {
+            _server
+                .Given(Request.Create().WithPath("/GetDcv").UsingPost())
+                .RespondWith(Response.Create()
+                    .WithStatusCode(200)
+                    .WithHeader("Content-Type", "application/json")
+                    .WithBody(MockCertificateData.GetDcvFailureJson("EMS-DCV-001", "DCV not available")));
+
+            var client = BuildClient();
+
+            Func<Task> act = () => client.GetDcvAsync(
+                MockCertificateData.OrderNumber1, "example.com", Constants.Dcv.MethodDnsTxt);
+
+            await act.Should().ThrowAsync<Exception>()
+                .WithMessage("*GetDcv failed*");
+        }
+
+        [Fact]
+        public async Task GetDcvAsync_Throws_WhenServerReturns401()
+        {
+            _server
+                .Given(Request.Create().WithPath("/GetDcv").UsingPost())
+                .RespondWith(Response.Create()
+                    .WithStatusCode(401)
+                    .WithBody(MockCertificateData.UnauthorizedJson()));
+
+            var client = BuildClient();
+
+            Func<Task> act = () => client.GetDcvAsync(
+                MockCertificateData.OrderNumber1, "example.com", Constants.Dcv.MethodDnsTxt);
+
+            await act.Should().ThrowAsync<Exception>()
+                .WithMessage("*Authentication failure*");
+        }
+
+        // ---------------------------------------------------------------------------
+        // VerifyDcvAsync — POST /VerifyDcv
+        // ---------------------------------------------------------------------------
+
+        [Fact]
+        public async Task VerifyDcvAsync_Succeeds_WhenServerRespondsOk()
+        {
+            _server
+                .Given(Request.Create().WithPath("/VerifyDcv").UsingPost())
+                .RespondWith(Response.Create()
+                    .WithStatusCode(200)
+                    .WithHeader("Content-Type", "application/json")
+                    .WithBody(MockCertificateData.VerifyDcvSuccessJson()));
+
+            var client = BuildClient();
+
+            // Should not throw
+            await client.VerifyDcvAsync(
+                MockCertificateData.OrderNumber1, "example.com", Constants.Dcv.MethodDnsTxt);
+
+            _server.LogEntries.Should().Contain(e => e.RequestMessage.Path == "/VerifyDcv");
+        }
+
+        [Fact]
+        public async Task VerifyDcvAsync_Throws_WhenMetaStatusIsFailure()
+        {
+            _server
+                .Given(Request.Create().WithPath("/VerifyDcv").UsingPost())
+                .RespondWith(Response.Create()
+                    .WithStatusCode(200)
+                    .WithHeader("Content-Type", "application/json")
+                    .WithBody(MockCertificateData.VerifyDcvFailureJson("EMS-DCV-002", "DNS record not found")));
+
+            var client = BuildClient();
+
+            Func<Task> act = () => client.VerifyDcvAsync(
+                MockCertificateData.OrderNumber1, "example.com", Constants.Dcv.MethodDnsTxt);
+
+            await act.Should().ThrowAsync<Exception>()
+                .WithMessage("*DNS record not found*");
+        }
+
+        [Fact]
+        public async Task VerifyDcvAsync_Throws_WhenServerReturns401()
+        {
+            _server
+                .Given(Request.Create().WithPath("/VerifyDcv").UsingPost())
+                .RespondWith(Response.Create()
+                    .WithStatusCode(401)
+                    .WithBody(MockCertificateData.UnauthorizedJson()));
+
+            var client = BuildClient();
+
+            Func<Task> act = () => client.VerifyDcvAsync(
+                MockCertificateData.OrderNumber1, "example.com", Constants.Dcv.MethodDnsTxt);
+
+            await act.Should().ThrowAsync<Exception>()
+                .WithMessage("*Authentication failure*");
+        }
+
+        [Fact]
+        public async Task VerifyDcvAsync_Throws_WhenServerReturns500()
+        {
+            _server
+                .Given(Request.Create().WithPath("/VerifyDcv").UsingPost())
+                .RespondWith(Response.Create()
+                    .WithStatusCode(500)
+                    .WithBody(MockCertificateData.ServerErrorJson()));
+
+            var client = BuildClient();
+
+            Func<Task> act = () => client.VerifyDcvAsync(
+                MockCertificateData.OrderNumber1, "example.com", Constants.Dcv.MethodDnsTxt);
+
+            await act.Should().ThrowAsync<Exception>();
+        }
     }
 }

CERTInext.Tests/MockCertificateData.cs

@@ -334,6 +334,42 @@ public static LegacyGetCertificateResponse RevokedCertRecord(string id = null) =
         public static string OAuth2TokenJson(int expiresIn = 3600) =>
             $@"{{""access_token"":""fake-bearer-token-abc123"",""token_type"":""Bearer"",""expires_in"":{expiresIn}}}";
 
+        // -----------------------------------------------------------------------
+        // DCV (domain control validation)
+        // -----------------------------------------------------------------------
+
+        /// <summary>
+        /// POST /GetDcv — success response containing the TXT record token for DNS DCV.
+        /// </summary>
+        public static string GetDcvSuccessJson(string token = "abc123token") =>
+            $@"{{
+  ""meta"":{SuccessMetaJson()},
+  ""dcvDetails"":{{
+    ""token"":""{token}"",
+    ""fileName"":null,
+    ""fileContent"":null,
+    ""dcvEmails"":null
+  }}
+}}";
+
+        /// <summary>
+        /// POST /GetDcv — failure response (bad order or unsupported dcvMethod).
+        /// </summary>
+        public static string GetDcvFailureJson(string code = "EMS-DCV-001", string msg = "DCV not available for this order") =>
+            $@"{{""meta"":{FailureMetaJson(code, msg)}}}";
+
+        /// <summary>
+        /// POST /VerifyDcv — success response (meta only, no additional payload).
+        /// </summary>
+        public static string VerifyDcvSuccessJson() =>
+            $@"{{""meta"":{SuccessMetaJson()}}}";
+
+        /// <summary>
+        /// POST /VerifyDcv — failure response (TXT record not found).
+        /// </summary>
+        public static string VerifyDcvFailureJson(string code = "EMS-DCV-002", string msg = "DNS record not found") =>
+            $@"{{""meta"":{FailureMetaJson(code, msg)}}}";
+
         // -----------------------------------------------------------------------
         // Error responses
         // -----------------------------------------------------------------------

CERTInext/API/CertificateRequest.cs

@@ -288,6 +288,87 @@ public class TrackOrderDetails
         public string OrderNumber { get; set; }
     }
 
+    // ---------------------------------------------------------------------------
+    // GetDcv  — POST {baseURL}GetDcv
+    // Retrieves Domain Control Validation token / file content / approver emails
+    // for a given (orderNumber, domainName, dcvMethod) tuple.
+    //
+    // The CERTInext V1 spec defines this body as wrapped in a "dcvDetails" block.
+    // Note: the Postman example for GetDcv uses "orderDetails" instead — this is
+    // an example typo; the inline spec, the response body, and the VerifyDcv body
+    // all use "dcvDetails" consistently.
+    // ---------------------------------------------------------------------------
+
+    /// <summary>
+    /// Request body for POST {baseURL}GetDcv.
+    /// Returns DCV instructions (token / file / approver emails) for one domain
+    /// in the given order.
+    /// </summary>
+    public class GetDcvRequest
+    {
+        [JsonPropertyName("meta")]
+        public RequestMeta Meta { get; set; }
+
+        [JsonPropertyName("dcvDetails")]
+        public DcvRequestDetails DcvDetails { get; set; }
+    }
+
+    /// <summary>
+    /// Common request body for both GetDcv and VerifyDcv — both endpoints take the
+    /// same set of identification fields. <see cref="DcvEmail"/> is only set on
+    /// VerifyDcv requests when <see cref="DcvMethod"/> = email (3).
+    /// </summary>
+    public class DcvRequestDetails
+    {
+        /// <summary>Registered requestor email associated with the order.</summary>
+        [JsonPropertyName("requestorEmail")]
+        public string RequestorEmail { get; set; }
+
+        /// <summary>Order number returned by GenerateOrderSSL.</summary>
+        [JsonPropertyName("orderNumber")]
+        public string OrderNumber { get; set; }
+
+        /// <summary>Domain to retrieve / verify DCV for.</summary>
+        [JsonPropertyName("domainName")]
+        public string DomainName { get; set; }
+
+        /// <summary>
+        /// DCV method (numeric string per CERTInext V1 spec):
+        /// "1" = DNS TXT record, "2" = HTTP file, "3" = email approver.
+        /// See <see cref="Constants.Dcv"/>.
+        /// </summary>
+        [JsonPropertyName("dcvMethod")]
+        public string DcvMethod { get; set; }
+
+        /// <summary>
+        /// Approver email address. Required (and only used) on VerifyDcv when
+        /// <see cref="DcvMethod"/> is "3" (email). Must be one of the
+        /// <c>dcvEmails</c> returned by GetDcv.
+        /// </summary>
+        [JsonPropertyName("dcvEmail")]
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
+        public string DcvEmail { get; set; }
+    }
+
+    // ---------------------------------------------------------------------------
+    // VerifyDcv  — POST {baseURL}VerifyDcv
+    // Triggers CERTInext to verify the DCV record placed by the customer.
+    // ---------------------------------------------------------------------------
+
+    /// <summary>
+    /// Request body for POST {baseURL}VerifyDcv.
+    /// Tells CERTInext to attempt domain verification using the previously
+    /// supplied DCV details. Reuses <see cref="DcvRequestDetails"/>.
+    /// </summary>
+    public class VerifyDcvRequest
+    {
+        [JsonPropertyName("meta")]
+        public RequestMeta Meta { get; set; }
+
+        [JsonPropertyName("dcvDetails")]
+        public DcvRequestDetails DcvDetails { get; set; }
+    }
+
     // ---------------------------------------------------------------------------
     // GetCertificate  — POST {baseURL}GetCertificate
     // Downloads the issued certificate for a fulfilled order.