feat: M20 Enhanced Query API — sort, time-range filters, cursor pagination, sparse fields, deployments endpoint

V2 (free) query enhancements for certificates:
- `sort` param with direction (`?sort=-notAfter` for descending)
- Time-range filters: `expires_before`, `expires_after`, `created_after`, `updated_after`
- Cursor-based pagination (`?cursor=token&page_size=100`) alongside page-based
- Sparse field selection (`?fields=id,commonName,status`)
- Additional filters: `agent_id`, `profile_id`
- New endpoint: `GET /api/v1/certificates/{id}/deployments`

25 new tests (12 handler + 13 e2e) covering all M20 features.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/api/handler/certificates.go

@@ -9,11 +9,13 @@ import (
 
 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
 )
 
 // CertificateService defines the service interface for certificate operations.
 type CertificateService interface {
 	ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
+	ListCertificatesWithFilter(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
 	GetCertificate(id string) (*domain.ManagedCertificate, error)
 	CreateCertificate(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
 	UpdateCertificate(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
@@ -25,6 +27,7 @@ type CertificateService interface {
 	GetRevokedCertificates() ([]*domain.CertificateRevocation, error)
 	GenerateDERCRL(issuerID string) ([]byte, error)
 	GetOCSPResponse(issuerID string, serialHex string) ([]byte, error)
+	GetCertificateDeployments(certID string) ([]domain.DeploymentTarget, error)
 }
 
 // CertificateHandler handles HTTP requests for certificate operations.
@@ -38,7 +41,7 @@ func NewCertificateHandler(svc CertificateService) CertificateHandler {
 }
 
 // ListCertificates lists certificates with optional filtering.
-// GET /api/v1/certificates?status=Active&environment=prod&owner_id=...&team_id=...&issuer_id=...&page=1&per_page=50
+// GET /api/v1/certificates?status=Active&environment=prod&owner_id=...&team_id=...&issuer_id=...&agent_id=...&profile_id=...&expires_before=...&expires_after=...&created_after=...&updated_after=...&sort=notAfter&sort_desc=false&cursor=...&page=1&per_page=50&fields=id,commonName,status
 func (h CertificateHandler) ListCertificates(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
@@ -49,12 +52,56 @@ func (h CertificateHandler) ListCertificates(w http.ResponseWriter, r *http.Requ
 
 	// Parse query parameters
 	query := r.URL.Query()
-	status := query.Get("status")
-	environment := query.Get("environment")
-	ownerID := query.Get("owner_id")
-	teamID := query.Get("team_id")
-	issuerID := query.Get("issuer_id")
 
+	// Basic filters
+	filter := &repository.CertificateFilter{
+		Status:      query.Get("status"),
+		Environment: query.Get("environment"),
+		OwnerID:     query.Get("owner_id"),
+		TeamID:      query.Get("team_id"),
+		IssuerID:    query.Get("issuer_id"),
+		AgentID:     query.Get("agent_id"),
+		ProfileID:   query.Get("profile_id"),
+	}
+
+	// Time-range filters
+	if eb := query.Get("expires_before"); eb != "" {
+		if t, err := time.Parse(time.RFC3339, eb); err == nil {
+			filter.ExpiresBefore = &t
+		}
+	}
+	if ea := query.Get("expires_after"); ea != "" {
+		if t, err := time.Parse(time.RFC3339, ea); err == nil {
+			filter.ExpiresAfter = &t
+		}
+	}
+	if ca := query.Get("created_after"); ca != "" {
+		if t, err := time.Parse(time.RFC3339, ca); err == nil {
+			filter.CreatedAfter = &t
+		}
+	}
+	if ua := query.Get("updated_after"); ua != "" {
+		if t, err := time.Parse(time.RFC3339, ua); err == nil {
+			filter.UpdatedAfter = &t
+		}
+	}
+
+	// Sorting
+	if sort := query.Get("sort"); sort != "" {
+		// Handle sort direction prefix
+		if strings.HasPrefix(sort, "-") {
+			filter.Sort = sort[1:]
+			filter.SortDesc = true
+		} else {
+			filter.Sort = sort
+			filter.SortDesc = query.Get("sort_desc") == "true"
+		}
+	}
+
+	// Cursor-based pagination
+	filter.Cursor = query.Get("cursor")
+
+	// Page-based pagination
 	page := 1
 	perPage := 50
 	if p := query.Get("page"); p != "" {
@@ -67,21 +114,59 @@ func (h CertificateHandler) ListCertificates(w http.ResponseWriter, r *http.Requ
 			perPage = parsed
 		}
 	}
+	if ps := query.Get("page_size"); ps != "" {
+		if parsed, err := strconv.Atoi(ps); err == nil && parsed > 0 && parsed <= 500 {
+			filter.PageSize = parsed
+		}
+	}
+	filter.Page = page
+	filter.PerPage = perPage
 
-	certs, total, err := h.svc.ListCertificates(status, environment, ownerID, teamID, issuerID, page, perPage)
+	// Sparse fields
+	if fieldsStr := query.Get("fields"); fieldsStr != "" {
+		filter.Fields = strings.Split(fieldsStr, ",")
+	}
+
+	certs, total, err := h.svc.ListCertificatesWithFilter(filter)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list certificates", requestID)
 		return
 	}
 
-	response := PagedResponse{
-		Data:    certs,
-		Total:   total,
-		Page:    page,
-		PerPage: perPage,
+	// Apply sparse field filtering if requested
+	var responseData interface{} = certs
+	if len(filter.Fields) > 0 {
+		responseData = filterFields(certs, filter.Fields)
 	}
 
-	JSON(w, http.StatusOK, response)
+	// Return cursor-based or page-based response depending on which pagination is used
+	if filter.Cursor != "" {
+		// Compute next cursor from last result
+		nextCursor := ""
+		if len(certs) > 0 {
+			lastCert := certs[len(certs)-1]
+			nextCursor = encodeCursor(lastCert.CreatedAt, lastCert.ID)
+		}
+		pageSize := filter.PageSize
+		if pageSize == 0 {
+			pageSize = filter.PerPage
+		}
+		response := CursorPagedResponse{
+			Data:       responseData,
+			Total:      int64(total),
+			NextCursor: nextCursor,
+			PageSize:   pageSize,
+		}
+		JSON(w, http.StatusOK, response)
+	} else {
+		response := PagedResponse{
+			Data:    responseData,
+			Total:   int64(total),
+			Page:    page,
+			PerPage: perPage,
+		}
+		JSON(w, http.StatusOK, response)
+	}
 }
 
 // GetCertificate retrieves a single certificate by ID.
@@ -525,3 +610,39 @@ func (h CertificateHandler) HandleOCSP(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusOK)
 	w.Write(derBytes)
 }
+
+// GetCertificateDeployments retrieves all deployment targets for a certificate.
+// GET /api/v1/certificates/{id}/deployments
+func (h CertificateHandler) GetCertificateDeployments(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	// Extract certificate ID from path /api/v1/certificates/{id}/deployments
+	path := strings.TrimPrefix(r.URL.Path, "/api/v1/certificates/")
+	parts := strings.Split(path, "/")
+	if len(parts) < 2 || parts[0] == "" {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Certificate ID is required", requestID)
+		return
+	}
+	certID := parts[0]
+
+	deployments, err := h.svc.GetCertificateDeployments(certID)
+	if err != nil {
+		errMsg := err.Error()
+		if strings.Contains(errMsg, "not found") {
+			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
+			return
+		}
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to get deployments", requestID)
+		return
+	}
+
+	JSON(w, http.StatusOK, map[string]interface{}{
+		"data":  deployments,
+		"total": len(deployments),
+	})
+}