feat(scep-intune): per-profile dispatcher + SIGHUP reload + per-device rate limit + compliance hook seam

Phase 8 of the SCEP RFC 8894 + Intune master bundle. Wires the
internal/scep/intune validator from Phase 7 into the SCEPService
dispatch path, with a SIGHUP-reloadable trust anchor holder, a
per-(Subject, Issuer) sliding-window rate limiter, and a nil-default
ComplianceCheck seam for V3-Pro.

Operator-visible surface (per-profile, all default to off):

  CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_ENABLED=true
  CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CONNECTOR_CERT_PATH=/etc/certctl/intune.pem
  CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_AUDIENCE=https://certctl.example.com/scep/corp
  CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CHALLENGE_VALIDITY=60m
  CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_PER_DEVICE_RATE_LIMIT_24H=3

Per-profile dispatch (Phase 8.8): an operator running corp-laptops
through Intune AND IoT devices through static challenge configures
INTUNE_ENABLED=true on the corp profile only — the IoT profile's
PKCSReq path skips the dispatcher entirely. Mirrors the per-profile
shape established by Phase 1.5.

Wire-in surfaces:

  * config.go (Phase 8.1): SCEPProfileConfig.Intune sub-config of
    type SCEPIntuneProfileConfig (Enabled/ConnectorCertPath/Audience/
    ChallengeValidity/PerDeviceRateLimit24h). Loaded from the indexed
    CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_* env-var family. Per-profile
    Validate gate refuses INTUNE_ENABLED=true with empty ConnectorCertPath
    OR negative PerDeviceRateLimit24h.

  * cmd/server/main.go (Phase 8.2 + wire-in): preflightSCEPIntuneTrustAnchor
    helper mirrors preflightSCEPRACertKey/preflightSCEPMTLSTrustBundle
    shape — fail-loud at boot when the trust anchor file is missing /
    unreadable / empty / contains an expired cert. The per-profile loop
    builds the holder + replay cache + rate limiter, calls
    SetIntuneIntegration on the SCEPService, and starts the SIGHUP
    watcher. A deferred sweep stops every watcher at shutdown.

  * internal/scep/intune/trust_anchor_holder.go (Phase 8.5):
    TrustAnchorHolder mirrors cmd/server/tls.go::certHolder. RWMutex-
    guarded pool + Reload that swaps a fresh slice on success +
    WatchSIGHUP goroutine that responds to the same SIGHUP the existing
    TLS-cert watcher uses. A bad reload (parse error, expired cert)
    keeps the OLD pool in place so a half-rotation doesn't take Intune
    enrollment down — same fail-safe pattern. Operators rotate via the
    on-disk file then 'kill -HUP <certctl-pid>'.

  * internal/scep/intune/rate_limit.go (Phase 8.6): hand-rolled
    sliding-window-log limiter keyed by (Subject, Issuer). 100k-entry
    map cap (matches replay cache); at-cap drops the bucket whose
    newest timestamp is the oldest. Default 3 enrollments per 24h
    covers legitimate first-cert + recovery + post-wipe re-enrollment
    but blocks bulk enumeration from a compromised Connector signing
    key. maxN <= 0 disables the limiter for tests + the rare operator
    who wants no per-device cap. Empty subject short-circuits to allow
    (defense-in-depth: caller's claim validation rejects empty-subject
    upstream; no shared bucket on '').

    Why hand-rolled instead of golang.org/x/time/rate: the rate
    package is in go.sum as an indirect transitive but not a direct
    dep. ~30 LoC of stdlib avoids creating a new direct dep.

  * internal/service/scep.go (Phase 8.3 + 8.4 + 8.7):
    - SCEPService gains intuneEnabled / intuneTrust / intuneAudience /
      intuneValidity / intuneReplayCache / intuneRateLimiter /
      complianceCheck fields.
    - SetIntuneIntegration() constructor-time injection wires the
      per-profile state. Profiles with INTUNE_ENABLED=false never
      call this method, so they pay zero overhead.
    - SetComplianceCheck() installs the V3-Pro plug-in (see Phase 8.7).
    - looksIntuneShaped(): JWT-shape pre-check (length > 200 + exactly
      two dots). Allowed to false-positive (validator catches malformed
      → ErrChallengeMalformed); MUST NOT false-negative on real Intune
      challenges.
    - dispatchIntuneChallenge(): the load-bearing core. Runs
      ValidateChallenge → CSR-binding via DeviceMatchesCSR → replay
      cache CheckAndInsert → per-device Allow → optional ComplianceCheck.
      Each failure leg increments a typed metric label and emits an
      audit-friendly Warn log line.
    - PKCSReq + PKCSReqWithEnvelope + RenewalReqWithEnvelope all call
      dispatchIntuneChallenge first; on outcome.decided=true they
      either short-circuit (with a typed-error → SCEPFailInfo mapping)
      or call processEnrollment with action='scep_pkcsreq_intune'
      (so audit greps can count Intune-vs-static enrollments).
    - mapIntuneErrorToFailInfo(): typed-error → SCEPFailInfo per
      RFC 8894 §3.2.1.4.5 (signature/replay/expired → BadMessageCheck;
      claim-mismatch → BadRequest; default → BadRequest).
    - intuneFailReason(): typed-error → metric label
      ('signature_invalid' / 'expired' / 'rate_limited' / etc.). Default
      'malformed' so a previously-unseen error category still surfaces
      in the metric for follow-up.
    - ComplianceCheck (Phase 8.7): nil-default no-op gate. V3-Pro plugs
      in via SetComplianceCheck to call Microsoft Graph's compliance
      API. Returns (compliant, reason, err). nil-err + compliant=false
      → CertRep FAILURE + 'compliance' reason in audit. err != nil →
      fail-safe deny (V3-Pro module is responsible for any 'permit on
      API failure' policy).

  * internal/service/scep.go also gains parseCSRForIntune() — small
    private wrapper around encoding/pem + x509 used by the dispatcher
    for the claim ↔ CSR binding check (separated from the broader
    processEnrollment because we want to bind BEFORE consuming the
    replay-cache slot).

Tests (gates: ≥85% coverage on intune package, ≥70% on service):

  * scep_intune_test.go (in internal/service): 14 dispatcher tests
    covering happy-path Intune enrollment + static-challenge fallback
    + tampered-challenge reject + claim-mismatch reject + replay
    detected + rate-limited + compliance-hook nil-default + compliance-
    hook denies non-compliant + compliance-hook error fails closed +
    IntuneEnabled accessor + 'no IntuneEnabled = static path
    unchanged' regression pin + intuneFailReason mapping for every
    typed error + looksIntuneShaped boundary cases.

  * trust_anchor_holder_test.go (in internal/scep/intune): NewLoadsBundle,
    NewRequiresLogger, NewSurfacesLoadError, ReloadHappyPath,
    ReloadKeepsOldOnFailure, ReloadKeepsOldOnExpired (the fail-safe
    semantics that make the SIGHUP path operator-friendly),
    WatchSIGHUPReloadsPool (real SIGHUP to self with poll-for-swap
    pattern mirroring cmd/server/tls_test.go), WatchSIGHUPStopIsClean
    (does NOT fire SIGHUP after stop — same caveat as the TLS test:
    the Go runtime would otherwise terminate the test runner on the
    next SIGHUP since signal.Stop has removed the handler).

  * rate_limit_test.go (in internal/scep/intune): AllowsUpToCap,
    DistinctKeysIndependent, WindowExpiry, DisabledBypass (maxN=0),
    NegativeCapDisabled, EmptySubjectShortCircuits (defense-in-depth
    against an empty-subject DoS chokepoint), DefaultCapsHonored,
    MapCapEvictsOldest (at-cap eviction branch), ConcurrentRaceFree
    (50 goroutines × 200 inserts), pruneOlderThan + the no-op case.

Verification:

  * gofmt -l on all touched files: clean
  * go vet ./... : clean
  * staticcheck on intune/service/config/cmd-server: clean
  * go test -count=1 -cover ./internal/scep/intune/...: 94.8%
    (target ≥85%)
  * go test -short across intune+service+config+handler+cmd-server:
    all green
  * G-3 docs-drift CI guard reproduced locally: docs-only filtered=
    empty, config-only=empty. The new env vars match the existing
    CERTCTL_SCEP_ allowlist prefix.

Refs: cowork/scep-rfc8894-intune-master-prompt.md::Phase 8
      cowork/scep-rfc8894-intune/progress.md
      Constitutional rule: 'Always take the complete path, not the
      easy path' (cowork/CLAUDE.md::Operating Rules) — operator can
      flip CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_ENABLED=true and observe
      the dispatcher pick up Intune-shaped challenges end-to-end with
      no further code changes. Foundation + plumbing ship together.

cmd/server/main.go

@@ -32,6 +32,7 @@ import (
 	"github.com/shankar0123/certctl/internal/crypto/signer"
 	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/repository/postgres"
+	"github.com/shankar0123/certctl/internal/scep/intune"
 	"github.com/shankar0123/certctl/internal/scheduler"
 	"github.com/shankar0123/certctl/internal/service"
 )
@@ -762,6 +763,12 @@ func main() {
 		scepMTLSHandlers := make(map[string]handler.SCEPHandler)
 		scepMTLSUnionPool := x509.NewCertPool()
 		scepMTLSAnyEnabled := false
+		// SCEP RFC 8894 + Intune master bundle Phase 8: per-profile Intune
+		// trust anchor holders. We track them here so a single SIGHUP
+		// reload-watcher set spans every profile, AND so the deferred
+		// stop-watcher cleanup runs once at server shutdown.
+		intuneTrustHolders := []*intune.TrustAnchorHolder{}
+		intuneStopWatchers := []func(){}
 		for i, profile := range cfg.SCEP.Profiles {
 			profile := profile // shadow for closure-safety even though no closures escape
 			profileLog := logger.With(
@@ -826,6 +833,61 @@ func main() {
 				os.Exit(1)
 			}
 			scepHandler.SetRAPair(raCert, raKey)
+
+			// SCEP RFC 8894 + Intune master bundle Phase 8: per-profile Intune
+			// dispatcher wire-in. Builds the trust-anchor holder, replay cache,
+			// and per-device rate limiter; injects them into the SCEPService;
+			// starts the SIGHUP reload watcher (one per holder, all responding
+			// to the same signal as the existing TLS-cert watcher). Profiles
+			// with INTUNE_ENABLED=false skip the entire block, so the cost on
+			// non-Intune deploys is exactly one bool check per profile.
+			if profile.Intune.Enabled {
+				intuneHolder, err := preflightSCEPIntuneTrustAnchor(true, profile.Intune.ConnectorCertPath, profileLog)
+				if err != nil {
+					profileLog.Error(
+						"startup refused: SCEP profile INTUNE trust anchor preflight failed "+
+							"(Phase 8.2: required when INTUNE_ENABLED=true). "+
+							"Verify the bundle file exists at INTUNE_CONNECTOR_CERT_PATH, "+
+							"is readable, parses as PEM, contains ≥1 CERTIFICATE block, "+
+							"and none of the bundled certs are past NotAfter (operator-rotated).",
+						"error", err,
+					)
+					os.Exit(1)
+				}
+				intuneTrustHolders = append(intuneTrustHolders, intuneHolder)
+				intuneStopWatchers = append(intuneStopWatchers, intuneHolder.WatchSIGHUP())
+
+				// Replay cache TTL = ChallengeValidity (defaults to 60m via
+				// config.go's getEnvDuration default). The cache is sized
+				// for the documented 100k-entry production default; smaller
+				// is fine, larger tightens the operator's escape hatch.
+				replayCache := intune.NewReplayCache(profile.Intune.ChallengeValidity, 0)
+
+				// Per-device rate limiter: honor the per-profile cap
+				// (INTUNE_PER_DEVICE_RATE_LIMIT_24H, default 3). The cap can
+				// be 0 to disable (limiter then short-circuits all Allow calls
+				// to nil). Map cap stays at the 100k default.
+				rateLimiter := intune.NewPerDeviceRateLimiter(
+					profile.Intune.PerDeviceRateLimit24h,
+					24*time.Hour,
+					0,
+				)
+
+				scepService.SetIntuneIntegration(
+					intuneHolder,
+					profile.Intune.Audience,
+					profile.Intune.ChallengeValidity,
+					replayCache,
+					rateLimiter,
+				)
+				profileLog.Info("SCEP profile Intune dispatcher enabled",
+					"trust_anchor_path", profile.Intune.ConnectorCertPath,
+					"audience", profile.Intune.Audience,
+					"challenge_validity", profile.Intune.ChallengeValidity,
+					"per_device_rate_limit_24h", profile.Intune.PerDeviceRateLimit24h,
+				)
+			}
+
 			scepHandlers[profile.PathID] = scepHandler
 			endpoint := "/scep"
 			if profile.PathID != "" {
@@ -835,6 +897,7 @@ func main() {
 				"endpoint", endpoint+"?operation={GetCACaps,GetCACert,PKIOperation}",
 				"challenge_password_set", profile.ChallengePassword != "",
 				"ra_cert_path", profile.RACertPath,
+				"intune_enabled", profile.Intune.Enabled,
 			)
 
 			// SCEP RFC 8894 Phase 6.5: register the mTLS sibling route
@@ -913,7 +976,20 @@ func main() {
 		logger.Info("SCEP server enabled",
 			"profile_count", len(scepHandlers),
 			"mtls_profile_count", len(scepMTLSHandlers),
+			"intune_profile_count", len(intuneTrustHolders),
 		)
+
+		// SCEP RFC 8894 + Intune master bundle Phase 8.5: clean up the
+		// SIGHUP watcher goroutines when the server shuts down. We register
+		// the stop functions on a deferred sweep so the cleanup runs in
+		// LIFO order even if a downstream init step os.Exit(1)s.
+		if len(intuneStopWatchers) > 0 {
+			defer func() {
+				for _, stop := range intuneStopWatchers {
+					stop()
+				}
+			}()
+		}
 	}
 
 	// Register RFC 5280 CRL and RFC 6960 OCSP handlers under /.well-known/pki/.
@@ -1319,6 +1395,46 @@ func preflightSCEPMTLSTrustBundle(enabled bool, bundlePath string) (*x509.CertPo
 	return pool, nil
 }
 
+// preflightSCEPIntuneTrustAnchor validates a per-profile Microsoft Intune
+// Certificate Connector signing-cert trust bundle.
+//
+// SCEP RFC 8894 + Intune master bundle Phase 8.2.
+//
+// No-op when this profile has Intune disabled (the common case for
+// non-Intune SCEP deploys). When enabled:
+//
+//  1. Path is non-empty (Validate() refuse covers this too; we re-check
+//     here so the caller can os.Exit(1) with the specific PathID in the
+//     log line).
+//  2. File exists + readable.
+//  3. PEM-decodes to ≥1 CERTIFICATE block (intune.LoadTrustAnchor enforces
+//     this and skips non-CERTIFICATE blocks like accidentally-pasted
+//     priv-key blocks).
+//  4. None of the bundled certs is past NotAfter — an expired Intune
+//     trust anchor would silently reject every Connector challenge at
+//     runtime, which is a much worse failure mode than failing fast at
+//     boot. intune.LoadTrustAnchor enforces this and surfaces the subject
+//     CN in the error message so the operator knows which cert to rotate.
+//
+// On success returns the freshly-built *intune.TrustAnchorHolder ready to
+// inject into the per-profile SCEPService via SetIntuneIntegration. The
+// holder also installs the SIGHUP watcher (started by the caller).
+func preflightSCEPIntuneTrustAnchor(enabled bool, path string, logger *slog.Logger) (*intune.TrustAnchorHolder, error) {
+	if !enabled {
+		return nil, nil
+	}
+	if path == "" {
+		return nil, fmt.Errorf("INTUNE enabled but trust anchor path empty: " +
+			"set CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CONNECTOR_CERT_PATH to a PEM bundle " +
+			"of the Microsoft Intune Certificate Connector's signing certs")
+	}
+	holder, err := intune.NewTrustAnchorHolder(path, logger)
+	if err != nil {
+		return nil, fmt.Errorf("INTUNE trust anchor load failed: %w (path=%s)", err, path)
+	}
+	return holder, nil
+}
+
 // loadSCEPRAPair reads the RA cert PEM + key PEM and returns the parsed
 // x509.Certificate + crypto.PrivateKey ready for the SCEP handler's RFC
 // 8894 path. Called AFTER preflightSCEPRACertKey passed; failures here