From 4fdf171912537144c80c1610c6e5e7502281841e Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Fri, 10 Apr 2026 22:21:26 +0200
Subject: [PATCH] fix: don't show stale CA banner when no CA bundle exists

The self-signed bootstrap cert has no CA bundle, so newly created tenants
with ca_applied_at=NULL are not actually stale. Skip the count when the
active cert has hasCa=false.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../siegeln/cameleer/saas/certificate/CertificateService.java    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/main/java/net/siegeln/cameleer/saas/certificate/CertificateService.java b/src/main/java/net/siegeln/cameleer/saas/certificate/CertificateService.java
index 19d07eb..8bc0f79 100644
--- a/src/main/java/net/siegeln/cameleer/saas/certificate/CertificateService.java
+++ b/src/main/java/net/siegeln/cameleer/saas/certificate/CertificateService.java
@@ -132,6 +132,7 @@ public class CertificateService {
     public long countStaleTenants() {
         var active = certRepository.findByStatus(CertificateEntity.Status.ACTIVE).orElse(null);
         if (active == null || active.getActivatedAt() == null) return 0;
+        if (!active.isHasCa()) return 0; // no CA bundle to propagate
         return tenantRepository.countByCaAppliedAtBeforeOrCaAppliedAtIsNull(active.getActivatedAt());
     }