sequentech · BelSequent · Apr 23, 2026 · Apr 24, 2026 · Apr 28, 2026 · Apr 28, 2026
diff --git a/.devcontainer/.env.remote-deployment.example b/.devcontainer/.env.remote-deployment.example
@@ -98,6 +98,33 @@ SUPER_ADMIN_TENANT_ID=90505c8a-23a9-4cdf-a26b-4e19f6a097d5
 KC_OTP_RESEND_INTERVAL=60
 KEYCLOAK_VOTER_GROUP_NAME=voter
 
+# mTLS client certificate configuration.
+#
+# KC_SPI_TRUSTSTORE_PROVIDER — which truststore SPI to use:
+#   "url"  load CA certs from a URL (our plugin, activated below)
+#   "file" load CA certs from a local file (Keycloak built-in default)
+# Replace the URL with an HTTPS endpoint or S3 pre-signed URL pointing to your
+# CA certificate PEM.
+#
+# when --spi-truststore-provider is not passed, Keycloak defaults to file.
+# But the file provider requires --spi-truststore-file-file to be explicitly set
+# to a path. If that's not configured either, the file provider is effectively
+# disabled and Keycloak falls back to the JVM's default TLS trust (cacerts) for
+# outbound connections.
+KC_SPI_TRUSTSTORE_PROVIDER=url
+# URL of the global CA cert (optional). When it is not set, the JVM default.
+# KC_SPI_TRUSTSTORE_URL_URL=
+
+KC_SPI_TRUSTSTORE_URL_REFRESH_INTERVAL_SECONDS=60
+
+# KC_SPI_X509CERT_LOOKUP_PROVIDER — how Keycloak extracts the client cert:
+#   "default" reads cert directly from the TLS connection (no proxy needed).
+#   "nginx"   reads cert from the ssl-client-cert HTTP header (nginx mTLS proxy).
+#   "rfc9440" reads cert from the Client-Cert HTTP header (Cloudflare mTLS).
+# Use "nginx" when keycloak-nginx terminates mTLS and forwards the cert header.
+# Use "rfc9440" if Cloudflare terminates mTLS directly without a local nginx proxy.
+KC_SPI_X509CERT_LOOKUP_PROVIDER=nginx
+
 # SimpleSAMLphp
 SSP_ADMIN_PASSWORD=password
 SSP_LOG_LEVEL=info

diff --git a/.devcontainer/docker-compose-remote.yml b/.devcontainer/docker-compose-remote.yml
@@ -87,14 +87,14 @@ services:
     depends_on:
       postgres-keycloak:
         condition: service_healthy
-      configure-minio:
-        condition: service_completed_successfully
+      harvest:
+        condition: service_healthy
     healthcheck:
       test: ["CMD-SHELL", "exec 3<>/dev/tcp/127.0.0.1/8090"]
       interval: 5s
       timeout: 10s
       retries: 25
-      start_period: 5s
+      start_period: 120s
 
   keycloak-nginx:
     profiles: ["full", "base"]

diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
@@ -80,10 +80,8 @@ services:
     depends_on:
       postgres-keycloak:
         condition: service_healthy
-      minio:
+      harvest:
         condition: service_healthy
-      configure-minio:
-        condition: service_completed_successfully
     healthcheck:
       test: ["CMD-SHELL", "exec 3<>/dev/tcp/127.0.0.1/8090"]
       interval: 5s

diff --git a/packages/Cargo.lock b/packages/Cargo.lock
diff --git a/packages/admin-portal/src/resources/ElectionEvent/EditElectionEventCAs.tsx b/packages/admin-portal/src/resources/ElectionEvent/EditElectionEventCAs.tsx
@@ -51,6 +51,7 @@ import {ETasksExecution} from "@/types/tasksExecution"
 
 const RESOURCE = "sequent_backend_certificate_authority"
 const FINGERPRINT_TRUNCATE_LENGTH = 24
+const AUTO_HIDE_DURATION = 10000
 
 const getExpiryStatus = (notAfter: string): "expired" | "expiringSoon" | "valid" => {
     const expiry = new Date(notAfter)
@@ -260,19 +261,35 @@ export const EditElectionEventCAs: React.FC = () => {
         onCompleted: (result) => {
             const {inserted_count, skipped_count, errors} =
                 result.import_certificate_authority ?? {}
-            if (errors?.length > 0) {
-                notify(t("certificateAuthorities.notify.importError", {error: errors.join("; ")}), {
-                    type: "error",
-                })
-            } else {
+            const hasInserted = (inserted_count ?? 0) > 0
+            const hasSkipped = (skipped_count ?? 0) > 0
+            const hasErrors = (errors?.length ?? 0) > 0
+
+            if (hasInserted) {
+                notify(
+                    t("certificateAuthorities.notify.importSuccess", {inserted: inserted_count}),
+                    {type: "success", autoHideDuration: AUTO_HIDE_DURATION}
+                )
+            }
+
+            if (hasSkipped || hasErrors) {
+                const redParts: string[] = []
+                if (hasSkipped) {
+                    redParts.push(
+                        t("certificateAuthorities.notify.importSkipped", {count: skipped_count})
+                    )
+                }
+                if (hasErrors) {
+                    redParts.push(...(errors as string[]))
+                }
                 notify(
-                    t("certificateAuthorities.notify.importSuccess", {
-                        inserted: inserted_count,
-                        skipped: skipped_count,
+                    t("certificateAuthorities.notify.importErrors", {
+                        errors: redParts.join("; "),
                     }),
-                    {type: "success"}
+                    {type: "error", autoHideDuration: AUTO_HIDE_DURATION}
                 )
             }
+
             setImportDrawerOpen(false)
             setPemContent("")
             setFileError(null)
@@ -281,6 +298,7 @@ export const EditElectionEventCAs: React.FC = () => {
         onError: (err) => {
             notify(t("certificateAuthorities.notify.importError", {error: err.message}), {
                 type: "error",
+                autoHideDuration: AUTO_HIDE_DURATION,
             })
         },
     })

diff --git a/packages/admin-portal/src/translations/cat.ts b/packages/admin-portal/src/translations/cat.ts
@@ -2220,8 +2220,9 @@ const catalanTranslation: TranslationType = {
                 importButton: "Importar",
             },
             notify: {
-                importSuccess:
-                    "S'han importat {{inserted}} certificat(s). {{skipped}} omès(os) (ja presents).",
+                importSuccess: "S'han importat {{inserted}} certificat(s).",
+                importSkipped: "{{count}} omès(os) (ja presents).",
+                importErrors: "Problemes en la importació: {{errors}}",
                 importError: "Error en la importació: {{error}}",
                 deleteSuccess: "Certificat eliminat.",
                 deleteError: "Error en eliminar el certificat.",

diff --git a/packages/admin-portal/src/translations/en.ts b/packages/admin-portal/src/translations/en.ts
@@ -2194,8 +2194,9 @@ const englishTranslation = {
                 importButton: "Import",
             },
             notify: {
-                importSuccess:
-                    "Imported {{inserted}} certificate(s). {{skipped}} skipped (already present).",
+                importSuccess: "Imported {{inserted}} certificate(s).",
+                importSkipped: "{{count}} certificate(s) skipped (already present).",
+                importErrors: "Import issues: {{errors}}",
                 importError: "Import failed: {{error}}",
                 deleteSuccess: "Certificate deleted.",
                 deleteError: "Error deleting certificate.",

diff --git a/packages/admin-portal/src/translations/es.ts b/packages/admin-portal/src/translations/es.ts
@@ -2213,8 +2213,9 @@ const spanishTranslation: TranslationType = {
                 importButton: "Importar",
             },
             notify: {
-                importSuccess:
-                    "Se importaron {{inserted}} certificado(s). {{skipped}} omitido(s) (ya presentes).",
+                importSuccess: "Se importaron {{inserted}} certificado(s).",
+                importSkipped: "{{count}} certificado(s) omitido(s) (ya presentes).",
+                importErrors: "Problemas en la importación: {{errors}}",
                 importError: "Error al importar: {{error}}",
                 deleteSuccess: "Certificado eliminado.",
                 deleteError: "Error al eliminar el certificado.",

diff --git a/packages/admin-portal/src/translations/eu.ts b/packages/admin-portal/src/translations/eu.ts
@@ -2203,8 +2203,9 @@ const basqueTranslation: TranslationType = {
                 importButton: "Inportatu",
             },
             notify: {
-                importSuccess:
-                    "{{inserted}} ziurtagiri inportatuta. {{skipped}} saltatu (dagoeneko badaude).",
+                importSuccess: "{{inserted}} ziurtagiri inportatuta.",
+                importSkipped: "{{count}} saltatu (dagoeneko badaude).",
+                importErrors: "Inportazio arazoak: {{errors}}",
                 importError: "Inportazioa huts egin du: {{error}}",
                 deleteSuccess: "Ziurtagiria ezabatuta.",
                 deleteError: "Errorea ziurtagiria ezabatzean.",

diff --git a/packages/admin-portal/src/translations/fr.ts b/packages/admin-portal/src/translations/fr.ts
@@ -2224,8 +2224,9 @@ const frenchTranslation: TranslationType = {
                 importButton: "Importer",
             },
             notify: {
-                importSuccess:
-                    "{{inserted}} certificat(s) importé(s). {{skipped}} ignoré(s) (déjà présent(s)).",
+                importSuccess: "{{inserted}} certificat(s) importé(s).",
+                importSkipped: "{{count}} ignoré(s) (déjà présent(s)).",
+                importErrors: "Problèmes d'importation : {{errors}}",
                 importError: "Échec de l'importation : {{error}}",
                 deleteSuccess: "Certificat supprimé.",
                 deleteError: "Erreur lors de la suppression du certificat.",

diff --git a/packages/admin-portal/src/translations/gl.ts b/packages/admin-portal/src/translations/gl.ts
@@ -2210,8 +2210,9 @@ const galegoTranslation: TranslationType = {
                 importButton: "Importar",
             },
             notify: {
-                importSuccess:
-                    "Importáronse {{inserted}} certificado(s). {{skipped}} omitido(s) (xa presentes).",
+                importSuccess: "Importáronse {{inserted}} certificado(s).",
+                importSkipped: "{{count}} omitido(s) (xa presentes).",
+                importErrors: "Problemas na importación: {{errors}}",
                 importError: "Erro ao importar: {{error}}",
                 deleteSuccess: "Certificado eliminado.",
                 deleteError: "Erro ao eliminar o certificado.",

diff --git a/packages/admin-portal/src/translations/nl.ts b/packages/admin-portal/src/translations/nl.ts
@@ -2206,8 +2206,9 @@ const dutchTranslation: TranslationType = {
                 importButton: "Importeren",
             },
             notify: {
-                importSuccess:
-                    "{{inserted}} certificaat(-en) geïmporteerd. {{skipped}} overgeslagen (al aanwezig).",
+                importSuccess: "{{inserted}} certificaat(-en) geïmporteerd.",
+                importSkipped: "{{count}} overgeslagen (al aanwezig).",
+                importErrors: "Importproblemen: {{errors}}",
                 importError: "Importeren mislukt: {{error}}",
                 deleteSuccess: "Certificaat verwijderd.",
                 deleteError: "Fout bij verwijderen van certificaat.",

diff --git a/packages/admin-portal/src/translations/tl.ts b/packages/admin-portal/src/translations/tl.ts
@@ -2216,8 +2216,9 @@ const tagalogTranslation: TranslationType = {
                 importButton: "I-import",
             },
             notify: {
-                importSuccess:
-                    "Na-import ang {{inserted}} sertipiko. {{skipped}} nilaktawan (mayroon na).",
+                importSuccess: "Na-import ang {{inserted}} sertipiko.",
+                importSkipped: "{{count}} nilaktawan (mayroon na).",
+                importErrors: "Mga isyu sa pag-import: {{errors}}",
                 importError: "Nabigo ang pag-import: {{error}}",
                 deleteSuccess: "Nabura ang sertipiko.",
                 deleteError: "Error sa pagbura ng sertipiko.",

diff --git a/packages/harvest/src/routes/delete_certificate_authority.rs b/packages/harvest/src/routes/delete_certificate_authority.rs
@@ -4,20 +4,17 @@
 
 use crate::services::authorization::authorize;
 use deadpool_postgres::Client as DbClient;
-use electoral_log::messages::newtypes::CertificateAuthEventAction;
 use rocket::http::Status;
 use rocket::serde::json::Json;
 use sequent_core::ballot::VoterCertificatePolicy;
 use sequent_core::services::jwt::JwtClaims;
 use sequent_core::types::permissions::Permissions;
 use serde::{Deserialize, Serialize};
-use tracing::{error, instrument};
+use tracing::instrument;
 use uuid::Uuid;
-use windmill::postgres::certificate_authority::delete_certificate_authorities;
 use windmill::postgres::election_event::get_election_event_by_id;
+use windmill::services::certificate_authority::delete_certificate_authority as delete_certs;
 use windmill::services::database::get_hasura_pool;
-use windmill::services::election_event_board::get_election_event_board;
-use windmill::services::electoral_log::ElectoralLog;
 
 #[derive(Serialize, Deserialize, Debug)]
 pub struct DeleteCertificateAuthorityInput {
@@ -79,73 +76,22 @@ pub async fn delete_certificate_authority_route(
     if voter_certificate_policy != VoterCertificatePolicy::ENABLED {
         return Err((
             Status::Forbidden,
-            "Digital certificate authentication is not allowed for this election event".to_string(),
+            "Digital certificate authentication is not enabled for this election event".to_string(),
         ));
     }
 
-    let deleted_subjects = delete_certificate_authorities(
-        &hasura_transaction,
+    let deleted_count = delete_certs(
+        hasura_transaction,
         &body.ids,
         body.election_event_id,
         tenant_uuid,
+        election_event.bulletin_board_reference,
+        &tenant_id_str,
+        &claims.hasura_claims.user_id,
+        claims.preferred_username,
     )
     .await
     .map_err(|e| (Status::InternalServerError, format!("{e:?}")))?;
 
-    let electoral_log = if !deleted_subjects.is_empty() {
-        let board_name =
-            get_election_event_board(election_event.bulletin_board_reference)
-                .ok_or_else(|| {
-                (
-                    Status::InternalServerError,
-                    "Missing bulletin board".to_string(),
-                )
-            })?;
-        match ElectoralLog::for_admin_user(
-            &hasura_transaction,
-            &board_name,
-            &tenant_id_str,
-            &body.election_event_id.to_string(),
-            &claims.hasura_claims.user_id,
-            claims.preferred_username.clone(),
-            None,
-            None,
-        )
-        .await
-        {
-            Ok(log) => Some(log),
-            Err(e) => {
-                error!("Error initializing electoral log for CA delete: {e:?}");
-                None
-            }
-        }
-    } else {
-        None
-    };
-
-    let deleted_count = deleted_subjects.len();
-
-    hasura_transaction
-        .commit()
-        .await
-        .map_err(|e| (Status::InternalServerError, format!("{e:?}")))?;
-
-    if let Some(log) = electoral_log {
-        if let Err(e) = log
-            .post_certificate_auth_event(
-                body.election_event_id.to_string(),
-                CertificateAuthEventAction::Delete,
-                deleted_subjects,
-                Some(claims.hasura_claims.user_id.clone()),
-                claims.preferred_username.clone(),
-            )
-            .await
-        {
-            error!("Error posting CA delete event to electoral log: {e:?}");
-        }
-    }
-
-    Ok(Json(DeleteCertificateAuthorityOutput {
-        deleted_count: deleted_count as i32,
-    }))
+    Ok(Json(DeleteCertificateAuthorityOutput { deleted_count }))
 }