feat(V2.2): bulk revocation — filter-based fleet-wide certificate revocation

Add POST /api/v1/certificates/bulk-revoke with filter criteria (profile_id,
owner_id, agent_id, issuer_id, team_id, certificate_ids), partial-failure
tolerance, and audit trail. Includes MCP tool, CLI command (certs bulk-revoke),
server-side bulk modal in GUI replacing client-side sequential loop, OpenAPI
spec, compliance mapping updates, and 21 new tests (12 service, 7 handler,
1 CLI, 1 frontend).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cmd/cli/main.go

@@ -130,6 +130,8 @@ func handleCerts(client *cli.Client, args []string) error {
 			reason = subArgs[2]
 		}
 		return client.RevokeCertificate(id, reason)
+	case "bulk-revoke":
+		return client.BulkRevokeCertificates(subArgs)
 	default:
 		fmt.Fprintf(os.Stderr, "unknown subcommand: certs %s\n", subcommand)
 		return nil

cmd/server/main.go

@@ -274,6 +274,9 @@ func main() {
 
 	logger.Info("initialized all services")
 
+	// Initialize bulk revocation service
+	bulkRevocationService := service.NewBulkRevocationService(revocationSvc, certificateRepo, auditService, logger)
+
 	// Initialize stats and metrics services
 	statsService := service.NewStatsService(certificateRepo, jobRepo, agentRepo)
 	logger.Info("initialized stats service")
@@ -301,6 +304,8 @@ func main() {
 	exportService := service.NewExportService(certificateRepo, auditService)
 	exportHandler := handler.NewExportHandler(exportService)
 
+	bulkRevocationHandler := handler.NewBulkRevocationHandler(bulkRevocationService)
+
 	// Initialize digest service (requires email notifier)
 	var digestService *service.DigestService
 	var digestHandler *handler.DigestHandler
@@ -415,7 +420,8 @@ func main() {
 		Verification:  verificationHandler,
 		Export:        exportHandler,
 		Digest:        *digestHandler,
-		HealthChecks:  healthCheckHandler,
+		HealthChecks:     healthCheckHandler,
+		BulkRevocation:   bulkRevocationHandler,
 	})
 	// Register EST (RFC 7030) handlers if enabled
 	if cfg.EST.Enabled {