refactor(scep-gui): rebrand SCEP admin surface to per-profile tabbed interface (Profiles + Intune + Recent Activity)

Phase 9 follow-up to the SCEP RFC 8894 + Intune master bundle. The
Phase 9.4 GUI shipped 'SCEP Intune Monitoring' at /scep/intune, which
made the per-profile observability surface look Intune-only — operators
running EJBCA + Jamf would never click that nav link expecting per-
profile RA cert + mTLS observability. The page is per-profile keyed
under the hood; this commit rebrands + restructures so the surface
matches what operators actually need.

Spec: cowork/scep-gui-restructure-prompt.md.

User-visible change:

  - Nav link renamed: 'SCEP Intune' → 'SCEP Admin'.
  - Route: /scep is the new canonical path; /scep/intune kept as a
    backward-compat alias that lands directly on the Intune tab.
  - Page header: 'SCEP Administration'.
  - Three tabs:
      * Profiles (default) — per-profile lean cards with RA cert
        expiry countdown, mTLS sibling-route status badge, Intune
        enabled/disabled badge, challenge-password-set indicator.
        'View Intune details →' link on Intune-enabled cards
        deep-links into the Intune tab.
      * Intune Monitoring — the existing Phase 9.4 deep-dive
        (per-status counters, trust anchor expiry, recent failures
        table, reload-trust button + confirmation modal).
      * Recent Activity — full SCEP audit log filter merging all
        four action codes (scep_pkcsreq + scep_renewalreq +
        scep_pkcsreq_intune + scep_renewalreq_intune); chip filters
        for All / Initial / Renewal / Intune / Static.

Backend:

  * internal/service/scep.go — new SCEPProfileStatsSnapshot type +
    IntuneSection sub-block + ProfileStats(now) accessor. Adds
    raCertSubject/raCertNotBefore/raCertNotAfter + mtlsEnabled +
    mtlsTrustBundlePath fields with SetRACert + SetMTLSConfig setters.
    Existing IntuneStatsSnapshot + IntuneStats(now) preserved
    UNCHANGED for /admin/scep/intune/stats backward compat (the
    JSON shape stays byte-stable for external consumers — the
    aliasing approach the prompt initially suggested doesn't work
    because the new shape nests Intune while the old one is flat).
    ChallengePasswordSet is derived from challengePassword != ''
    (the secret value itself is never surfaced).

  * internal/api/handler/admin_scep_intune.go — new Profiles handler
    method on AdminSCEPIntuneHandler with the same M-008 admin gate.
    AdminSCEPIntuneServiceImpl extended (in place; same
    map[string]*service.SCEPService) to satisfy the new
    AdminSCEPProfileService interface. Single handler file gets the
    third method so the M-008 pin entry count stays steady (no new
    file, no new triplet of admin-gate test files — just three new
    Profiles tests inside the existing test file).

  * internal/api/router/router.go — one new route
    'GET /api/v1/admin/scep/profiles' registered to
    reg.AdminSCEPIntune.Profiles. HandlerRegistry unchanged.

  * api/openapi.yaml — new operation 'listSCEPProfiles' documenting
    the request body / response shape / error mapping. Existing
    Intune entries unchanged.

  * cmd/server/main.go — per-profile loop now calls
    scepService.SetMTLSConfig(profile.MTLSEnabled,
    profile.MTLSClientCATrustBundlePath) right after SetPathID, and
    scepService.SetRACert(raCert) right after loadSCEPRAPair returns
    the leaf cert. Both setters are nil-safe.

  * internal/api/handler/m008_admin_gate_test.go — extended the
    existing admin_scep_intune.go entry's justification to mention
    the third endpoint. No new map entry needed (file already
    listed).

Backend tests (8 new):

  * TestAdminSCEPProfiles_NonAdmin_Returns403
  * TestAdminSCEPProfiles_AdminExplicitFalse_Returns403
  * TestAdminSCEPProfiles_AdminPermitted_ForwardsActor — also pins
    that Intune-enabled profiles emit an 'intune' sub-block while
    Intune-disabled profiles OMIT it.
  * TestAdminSCEPProfiles_RejectsNonGetMethod
  * TestAdminSCEPProfiles_PropagatesServiceError
  * TestAdminSCEPProfilesServiceImpl_NilMapReturnsEmpty
  * (existing 16 Phase 9 admin tests still pass — backward-compat
    preserved)

Frontend:

  * web/src/api/types.ts — new SCEPProfileStatsSnapshot +
    IntuneSection + SCEPProfilesResponse types. Existing
    IntuneStatsSnapshot et al unchanged.
  * web/src/api/client.ts — new getAdminSCEPProfiles helper.
  * web/src/pages/SCEPAdminPage.tsx — full rewrite as the tabbed
    surface. Reuses the existing ConfirmReloadModal and Intune
    deep-dive card components verbatim; adds ProfileSummaryCard
    (lean card for the Profiles tab) and ActivityTab. URL state
    sync via useSearchParams so deep links survive reloads + browser
    back/forward. The legacy /scep/intune route alias defaults the
    activeTab to 'intune' on mount.
  * web/src/main.tsx — new <Route path='scep' /> + preserved
    <Route path='scep/intune' /> alias. Both render SCEPAdminPage.
  * web/src/components/Layout.tsx — nav link rebranded:
    label 'SCEP Intune' → 'SCEP Admin', to '/scep/intune' → '/scep'.

Frontend tests (20 — full rebuild):

  * Admin gate (non-admin sees gated banner + zero admin API calls)
  * Profiles tab default + Intune tab tabswitch + ?tab=intune deep
    link + legacy /scep/intune alias all land on Intune
  * Profiles tab status badges (Intune + mTLS + challenge-set)
    reflect each profile's flags
  * RA cert expiry tone bands (good ≥30d / warn 7-30d / bad <7d /
    EXPIRED) verified across three fixture profiles
  * 'View Intune details →' only renders for Intune-enabled
    profiles AND switches tabs on click
  * Empty-state banner when no profiles configured
  * Intune tab counters render with the existing Phase 9 deep-dive
    shape; reload modal Open/Confirm/Cancel/Error paths all pinned
  * Recent Activity tab merges all four SCEP audit actions across
    four parallel useQuery calls; filter chips
    (all/initial/renewal/intune/static) narrow correctly
  * Error path surfaces ErrorState on the active tab

Docs:

  * docs/scep-intune.md — Operational monitoring section heading
    expanded to '(SCEP Administration → Intune Monitoring tab)'.
    Page-surface description rewritten for the tabbed shape;
    admin-endpoints list extended with the new /admin/scep/profiles
    entry.
  * docs/architecture.md — Microsoft Intune Connector trust anchor
    subsection updated to reference the Intune Monitoring tab inside
    the SCEP Administration page + lists all three admin endpoints.
  * docs/legacy-est-scep.md — forward-ref expanded with a parallel
    sentence for the per-profile observability surface (independent
    of Intune).
  * README.md — Enrollment Protocols bullet for Intune updated to
    'admin GUI SCEP Administration page at /scep' with the three
    tabs called out.

Verification:
  * gofmt clean on touched files
  * go vet ./... clean
  * staticcheck on intune+service+handler+router+cmd-server clean
  * go test -short across intune+service+handler+router+cmd-server:
    all green (existing Phase 9 tests + new Profiles tests)
  * Frontend tsc --noEmit clean
  * Vitest: 20/20 SCEPAdminPage tests + 3/3 sibling AuditPage tests
    pass
  * G-3 docs-drift CI guard reproduced locally: clean (no new env
    vars; existing CERTCTL_SCEP_ allowlist prefix covers everything)
  * M-009 hard-zero useMutation guard reproduced locally: clean
    (the existing reload mutation already used useTrackedMutation
    from the Phase 9 follow-up commit 28e277a)
  * openapi-parity test green (new GET /api/v1/admin/scep/profiles
    operation documented)
  * M-008 admin-gate scanner green (existing admin_scep_intune.go
    entry covers all three handler methods; the test scanner
    enforces the triplet by file, not by endpoint, and the new
    Profiles triplet was added to the existing test file)

Backward compat preserved:
  * /api/v1/admin/scep/intune/stats unchanged — same JSON shape,
    same error codes, same M-008 gate
  * /api/v1/admin/scep/intune/reload-trust unchanged
  * /scep/intune route still works (alias to /scep with activeTab=intune)
  * IntuneStatsSnapshot Go type unchanged
  * IntuneStats(now) accessor unchanged

Refs: cowork/scep-gui-restructure-prompt.md
      cowork/scep-rfc8894-intune-master-prompt.md::Phase 9
      Phase 11.5 (SCEP probe in scanner — opt-in) and Phase 12
      (release prep + tag) of the master bundle resume after this.

internal/api/handler/admin_scep_intune.go

@@ -16,14 +16,20 @@ import (
 // rather than the concrete *service.SCEPService set so wiring stays
 // service-side and the handler stays test-friendly.
 //
-// SCEP RFC 8894 + Intune master bundle Phase 9.1.
+// SCEP RFC 8894 + Intune master bundle Phase 9.1, extended in the
+// Phase 9 follow-up (cowork/scep-gui-restructure-prompt.md) with
+// Profiles for the per-profile SCEP Administration tab.
 type AdminSCEPIntuneService interface {
 	// Stats returns one snapshot per configured SCEP profile (Intune-
-	// enabled or not). Profiles where Intune is disabled appear with
-	// Enabled=false so the GUI can show "off — opt in via env vars"
-	// rather than 404ing per-profile.
+	// enabled or not) in the Phase 9.1 flat shape. Backward-compat for
+	// the existing /admin/scep/intune/stats endpoint.
 	Stats(ctx context.Context, now time.Time) ([]service.IntuneStatsSnapshot, error)
 
+	// Profiles returns one snapshot per configured SCEP profile in the
+	// new shape (always-present per-profile fields + optional Intune
+	// sub-block). Backs the new /admin/scep/profiles endpoint.
+	Profiles(ctx context.Context, now time.Time) ([]service.SCEPProfileStatsSnapshot, error)
+
 	// ReloadTrust triggers the SIGHUP-equivalent Reload on the named
 	// profile's trust holder. Returns ErrAdminSCEPProfileNotFound if
 	// the PathID isn't known, or ErrSCEPProfileIntuneDisabled if the
@@ -39,18 +45,20 @@ type AdminSCEPIntuneService interface {
 // to any configured profile. The handler maps this to HTTP 404.
 var ErrAdminSCEPProfileNotFound = errors.New("admin scep intune: profile not found for the given path_id")
 
-// AdminSCEPIntuneHandler serves the per-profile Intune observability
-// endpoints for the GUI Intune Monitoring tab.
+// AdminSCEPIntuneHandler serves the per-profile SCEP observability
+// endpoints for the GUI SCEP Administration page.
 //
 // Endpoints:
 //
-//	GET  /api/v1/admin/scep/intune/stats
-//	POST /api/v1/admin/scep/intune/reload-trust   (JSON body: {"path_id": "corp"})
+//	GET  /api/v1/admin/scep/profiles                — Phase 9 follow-up
+//	GET  /api/v1/admin/scep/intune/stats            — Phase 9.2
+//	POST /api/v1/admin/scep/intune/reload-trust     — Phase 9.2 (JSON body: {"path_id": "corp"})
 //
-// Both endpoints are admin-gated (M-008 pattern). Non-admin Bearer
+// All three endpoints are admin-gated (M-008 pattern). Non-admin Bearer
 // callers get 403 — the stats endpoint reveals the operator's profile
-// set + trust anchor expiries (sensitive operational metadata) and the
-// reload endpoint is a privileged action.
+// set + trust anchor expiries (sensitive operational metadata), the
+// profiles endpoint additionally reveals RA cert expiries + mTLS bundle
+// paths, and the reload endpoint is a privileged action.
 type AdminSCEPIntuneHandler struct {
 	svc AdminSCEPIntuneService
 }
@@ -68,6 +76,42 @@ type adminScepIntuneReloadRequest struct {
 	PathID string `json:"path_id"`
 }
 
+// Profiles handles GET /api/v1/admin/scep/profiles.
+//
+// Phase 9 follow-up endpoint backing the SCEP Administration page's
+// Profiles tab. Returns one snapshot per configured SCEP profile in
+// the SCEPProfileStatsSnapshot shape (always-present per-profile
+// fields + optional Intune sub-block).
+//
+// Same M-008 admin gate as Stats. Profiles where Intune is disabled
+// appear with Intune=null in the response.
+func (h AdminSCEPIntuneHandler) Profiles(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+	if !middleware.IsAdmin(r.Context()) {
+		Error(w, http.StatusForbidden, "Admin access required")
+		return
+	}
+
+	now := time.Now()
+	rows, err := h.svc.Profiles(r.Context(), now)
+	if err != nil {
+		Error(w, http.StatusInternalServerError, "Failed to read SCEP profiles")
+		return
+	}
+	if rows == nil {
+		// Avoid serialising as `null` — the GUI expects an array.
+		rows = []service.SCEPProfileStatsSnapshot{}
+	}
+	_ = JSON(w, http.StatusOK, map[string]any{
+		"profiles":      rows,
+		"profile_count": len(rows),
+		"generated_at":  now.UTC(),
+	})
+}
+
 // Stats handles GET /api/v1/admin/scep/intune/stats.
 func (h AdminSCEPIntuneHandler) Stats(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
@@ -177,6 +221,18 @@ func (s *AdminSCEPIntuneServiceImpl) Stats(_ context.Context, now time.Time) ([]
 	return out, nil
 }
 
+// Profiles implements AdminSCEPIntuneService for the new
+// /admin/scep/profiles endpoint. Walks the same per-profile SCEPService
+// map but emits the SCEPProfileStatsSnapshot shape (always-present
+// fields + optional Intune sub-block).
+func (s *AdminSCEPIntuneServiceImpl) Profiles(_ context.Context, now time.Time) ([]service.SCEPProfileStatsSnapshot, error) {
+	out := make([]service.SCEPProfileStatsSnapshot, 0, len(s.services))
+	for _, svc := range s.services {
+		out = append(out, svc.ProfileStats(now))
+	}
+	return out, nil
+}
+
 // ReloadTrust implements AdminSCEPIntuneService.
 func (s *AdminSCEPIntuneServiceImpl) ReloadTrust(_ context.Context, pathID string) error {
 	svc, ok := s.services[pathID]

internal/api/handler/admin_scep_intune_test.go

@@ -18,12 +18,15 @@ import (
 // Records call observations so the M-008 admin-gate triplet can pin
 // "service was never invoked" when the gate rejects the caller.
 type fakeAdminSCEPIntuneService struct {
-	statsCalled  bool
-	reloadCalled bool
-	rows         []service.IntuneStatsSnapshot
-	statsErr     error
-	reloadPathID string
-	reloadErr    error
+	statsCalled    bool
+	profilesCalled bool
+	reloadCalled   bool
+	rows           []service.IntuneStatsSnapshot
+	profileRows    []service.SCEPProfileStatsSnapshot
+	statsErr       error
+	profilesErr    error
+	reloadPathID   string
+	reloadErr      error
 }
 
 func (f *fakeAdminSCEPIntuneService) Stats(_ context.Context, _ time.Time) ([]service.IntuneStatsSnapshot, error) {
@@ -31,6 +34,11 @@ func (f *fakeAdminSCEPIntuneService) Stats(_ context.Context, _ time.Time) ([]se
 	return f.rows, f.statsErr
 }
 
+func (f *fakeAdminSCEPIntuneService) Profiles(_ context.Context, _ time.Time) ([]service.SCEPProfileStatsSnapshot, error) {
+	f.profilesCalled = true
+	return f.profileRows, f.profilesErr
+}
+
 func (f *fakeAdminSCEPIntuneService) ReloadTrust(_ context.Context, pathID string) error {
 	f.reloadCalled = true
 	f.reloadPathID = pathID
@@ -334,3 +342,154 @@ func TestAdminSCEPIntuneServiceImpl_ReloadUnknownPathReturnsNotFound(t *testing.
 		t.Errorf("ReloadTrust unknown = %v, want ErrAdminSCEPProfileNotFound", err)
 	}
 }
+
+// =============================================================================
+// M-008 admin-gate triplet for Profiles (GET) — Phase 9 follow-up endpoint.
+// =============================================================================
+
+func TestAdminSCEPProfiles_NonAdmin_Returns403(t *testing.T) {
+	svc := &fakeAdminSCEPIntuneService{}
+	h := NewAdminSCEPIntuneHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
+	req = req.WithContext(contextWithRequestID()) // request id only, no admin flag
+	w := httptest.NewRecorder()
+
+	h.Profiles(w, req)
+
+	if w.Code != http.StatusForbidden {
+		t.Fatalf("expected 403 for non-admin, got %d (body=%q)", w.Code, w.Body.String())
+	}
+	var resp map[string]any
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	msg, _ := resp["message"].(string)
+	if !strings.Contains(strings.ToLower(msg), "admin") {
+		t.Errorf("expected message to mention admin requirement, got %q", msg)
+	}
+	if svc.profilesCalled {
+		t.Errorf("service was invoked despite non-admin caller — gate failed open")
+	}
+}
+
+func TestAdminSCEPProfiles_AdminExplicitFalse_Returns403(t *testing.T) {
+	svc := &fakeAdminSCEPIntuneService{}
+	h := NewAdminSCEPIntuneHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
+	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
+	ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
+	req = req.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Profiles(w, req)
+
+	if w.Code != http.StatusForbidden {
+		t.Fatalf("expected 403 for admin=false, got %d", w.Code)
+	}
+	if svc.profilesCalled {
+		t.Error("service called despite admin=false gate")
+	}
+}
+
+func TestAdminSCEPProfiles_AdminPermitted_ForwardsActor(t *testing.T) {
+	svc := &fakeAdminSCEPIntuneService{
+		profileRows: []service.SCEPProfileStatsSnapshot{
+			{
+				PathID:               "corp",
+				IssuerID:             "iss-corp",
+				ChallengePasswordSet: true,
+				MTLSEnabled:          true,
+				Intune: &service.IntuneSection{
+					Audience: "https://certctl.example.com/scep/corp",
+				},
+			},
+			{
+				PathID:               "iot",
+				IssuerID:             "iss-iot",
+				ChallengePasswordSet: true,
+				// Intune nil — disabled
+			},
+		},
+	}
+	h := NewAdminSCEPIntuneHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
+	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
+	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
+	req = req.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.Profiles(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200 for admin caller, got %d (body=%q)", w.Code, w.Body.String())
+	}
+	if !svc.profilesCalled {
+		t.Fatal("service was not invoked for admin caller")
+	}
+	var resp map[string]any
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if pc, ok := resp["profile_count"].(float64); !ok || pc != 2 {
+		t.Errorf("profile_count = %v, want 2", resp["profile_count"])
+	}
+	rows, ok := resp["profiles"].([]any)
+	if !ok || len(rows) != 2 {
+		t.Fatalf("profiles missing or wrong shape: %v", resp["profiles"])
+	}
+	// Find the Intune-enabled vs Intune-disabled row by path_id and
+	// assert the Intune sub-block is present/absent accordingly.
+	for _, raw := range rows {
+		row := raw.(map[string]any)
+		switch row["path_id"] {
+		case "corp":
+			if _, has := row["intune"]; !has {
+				t.Errorf("expected corp profile to carry an intune sub-block")
+			}
+		case "iot":
+			if _, has := row["intune"]; has {
+				t.Errorf("expected iot profile to OMIT the intune sub-block (Intune disabled)")
+			}
+		}
+	}
+}
+
+func TestAdminSCEPProfiles_RejectsNonGetMethod(t *testing.T) {
+	h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/profiles", nil)
+	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	req = req.WithContext(ctx)
+	w := httptest.NewRecorder()
+	h.Profiles(w, req)
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected 405 for POST, got %d", w.Code)
+	}
+}
+
+func TestAdminSCEPProfiles_PropagatesServiceError(t *testing.T) {
+	svc := &fakeAdminSCEPIntuneService{profilesErr: errors.New("registry walk failed")}
+	h := NewAdminSCEPIntuneHandler(svc)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
+	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	req = req.WithContext(ctx)
+	w := httptest.NewRecorder()
+	h.Profiles(w, req)
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500 on service error, got %d", w.Code)
+	}
+}
+
+func TestAdminSCEPProfilesServiceImpl_NilMapReturnsEmpty(t *testing.T) {
+	impl := NewAdminSCEPIntuneServiceImpl(nil)
+	rows, err := impl.Profiles(context.Background(), time.Now())
+	if err != nil {
+		t.Fatalf("nil-map Profiles: %v", err)
+	}
+	if len(rows) != 0 {
+		t.Errorf("nil-map Profiles len=%d, want 0", len(rows))
+	}
+}

internal/api/handler/m008_admin_gate_test.go

@@ -35,9 +35,9 @@ import (
 // the gate exists. health.go is an INFORMATIONAL caller of IsAdmin (it
 // surfaces the flag to the GUI but does not gate) — explicitly excluded.
 var AdminGatedHandlers = map[string]string{
-	"bulk_revocation.go":     "M-003: bulk revocation is fleet-scale destructive — admin-only",
-	"admin_crl_cache.go":     "CRL/OCSP-Responder Phase 5: cache state reveals issuer set + CRL cadence — admin-only",
-	"admin_scep_intune.go":   "SCEP RFC 8894 + Intune master bundle Phase 9.2: stats endpoint reveals per-profile trust anchor expiries + reload-trust is a privileged action — admin-only",
+	"bulk_revocation.go":   "M-003: bulk revocation is fleet-scale destructive — admin-only",
+	"admin_crl_cache.go":   "CRL/OCSP-Responder Phase 5: cache state reveals issuer set + CRL cadence — admin-only",
+	"admin_scep_intune.go": "SCEP RFC 8894 + Intune master bundle Phase 9.2 + Phase 9 follow-up: profiles + stats endpoints reveal per-profile RA cert expiries + Intune trust anchor expiries + mTLS bundle paths; reload-trust is a privileged action — admin-only",
 }
 
 // InformationalIsAdminCallers is the documented allowlist of files that