EST RFC 7030 hardening master bundle Phases 8-9: GUI ESTAdminPage

(Profiles + Recent Activity + Trust Bundle tabs) + CLI subcommand
family `certctl-cli est {cacerts,csrattrs,enroll,reenroll,
serverkeygen,test}` + 6 MCP tools.

Phase 8 — ESTAdminPage tabbed GUI:
- web/src/pages/ESTAdminPage.tsx mirrors SCEPAdminPage's three-tab
  surface. Profiles tab renders per-profile cards with auth-mode
  badges (mTLS / Basic / ServerKeygen), mTLS trust-anchor expiry
  countdown (good ≥30d / warn 7-30d / bad <7d / EXPIRED), 12-cell
  counter grid (success_simpleenroll/.../internal_error), and the
  admin-gated "Reload trust anchor" action. Recent Activity tab
  merges the four EST audit actions (est_simple_enroll +
  est_simple_reenroll + est_server_keygen + est_auth_failed) across
  four parallel useQuery calls with chip filters for All/Enrollment/
  Re-enrollment/ServerKeygen/AuthFailure. Trust Bundle tab renders
  per-mTLS-profile cert subjects + expiries.
- M-009 useTrackedMutation guard: every mutation routes through
  the tracked hook so audit/progress hooks fire.
- Page-level admin gate renders "Admin access required" banner for
  non-admin callers + skips underlying API requests so the server
  never sees a 403-prone request. Server-side enforcement is the
  M-008 admin gate; this is a UX hint.
- Wired into web/src/main.tsx at /est; nav link added to Layout.tsx.
- New web/src/api/types.ts types ESTStatsSnapshot +
  ESTTrustAnchorInfo + ESTProfilesResponse + ESTReloadTrustResponse
  mirror service.ESTStatsSnapshot 1:1.
- New web/src/api/client.ts helpers getAdminESTProfiles +
  reloadAdminESTTrust.
- 14 Vitest cases (admin gate non-admin / non-auth-required deploy /
  default tab / tab switch / deep-link tab / per-profile card render
  + counter cells / reload-button mTLS-only / trust-expiry badge
  band / reload modal Confirm-Cancel-Error paths / Trust Bundle
  empty-state / Activity filter chip toggle).

Phase 9.1 — CLI subcommands:
- internal/cli/est.go adds 6 subcommands: cacerts / csrattrs /
  enroll / reenroll / serverkeygen / test. CSR input via --csr
  with file-path or '-' for stdin; multipart serverkeygen response
  is parsed by stdlib mime/multipart and split into <prefix>.cert.pem
  + <prefix>.key.enveloped so the operator can decrypt the key with
  openssl smime. EST `test` smoke-tests cacerts + csrattrs + emits
  one-line OK/FAIL diagnostics.
- cmd/cli/main.go grows the `est` dispatch + Usage entries.

Phase 9.2 — MCP tools:
- internal/mcp/tools_est.go adds 6 tools mapped to the EST endpoints
  + admin observability: est_list_profiles + est_admin_stats (alias)
  + est_get_cacerts + est_get_csrattrs + est_enroll + est_reenroll.
  Tool count grew from 87 → 93 (verified via the registered-vs-
  covered guard in tools_per_tool_test.go); the per-tool happy/error-
  path table grew with 6 matching entries so the future-tool-no-test
  CI guard stays green.
- internal/mcp/client.go grows PostRaw — non-JSON POST helper that
  the EST enroll/reenroll tools use to ship raw application/pkcs10
  CSR bytes through the MCP fence-wrapped response.
- estRawResultJSON wraps the raw response body in a JSON envelope
  the MCP consumer can structurally consume (content_type +
  body_base64 + body_size_bytes). Mirrors the CRL/OCSP MCP tools'
  binary-DER envelope.

Phase 9.3 — Tests:
- internal/cli/est_test.go: 8 cases pinning the wire-shape contract
  on the CLI side without dragging the full ESTHandler into the
  test build.
- internal/mcp/tools_est_test.go: path-builder + JSON-envelope unit
  tests + end-to-end tool exercise that pins all 5 captured request
  paths through a fake API.

Pre-commit verification (sandbox): gofmt clean, go vet clean
(excluding repository/postgres which the sandbox can't build —
pre-existing testcontainers limit), staticcheck clean across
cli/mcp/cmd/cli, go test -short -count=1 green for every non-
postgres Go package, Vitest green for ESTAdminPage (14) +
SCEPAdminPage (20) — 34 page tests total. G-3 docs-drift guard
reproduced locally clean (Phases 8-9 added zero new env vars).

Spec preserved at cowork/est-rfc7030-hardening-prompt.md. Phases
10-13 (libest sidecar e2e / bulk revocation + audit codes /
docs/est.md / release prep + tag) remain — post-2.1.0 work.

web/src/api/client.ts

@@ -1,4 +1,4 @@
-import type { Certificate, CertificateVersion, Agent, Job, Notification, AuditEvent, PolicyRule, PolicyViolation, RenewalPolicy, Issuer, Target, CertificateProfile, Owner, Team, AgentGroup, PaginatedResponse, DashboardSummary, CertificateStatusCount, ExpirationBucket, JobTrendDataPoint, IssuanceRateDataPoint, MetricsResponse, DiscoveredCertificate, DiscoveryScan, DiscoverySummary, NetworkScanTarget, EndpointHealthCheck, HealthHistoryEntry, HealthCheckSummary, AgentDependencyCounts, RetireAgentResponse, BlockedByDependenciesResponse, CRLCacheResponse, IntuneStatsResponse, IntuneReloadTrustResponse, SCEPProfilesResponse, SCEPProbeResult, SCEPProbesResponse } from './types';
+import type { Certificate, CertificateVersion, Agent, Job, Notification, AuditEvent, PolicyRule, PolicyViolation, RenewalPolicy, Issuer, Target, CertificateProfile, Owner, Team, AgentGroup, PaginatedResponse, DashboardSummary, CertificateStatusCount, ExpirationBucket, JobTrendDataPoint, IssuanceRateDataPoint, MetricsResponse, DiscoveredCertificate, DiscoveryScan, DiscoverySummary, NetworkScanTarget, EndpointHealthCheck, HealthHistoryEntry, HealthCheckSummary, AgentDependencyCounts, RetireAgentResponse, BlockedByDependenciesResponse, CRLCacheResponse, IntuneStatsResponse, IntuneReloadTrustResponse, SCEPProfilesResponse, SCEPProbeResult, SCEPProbesResponse, ESTProfilesResponse, ESTReloadTrustResponse } from './types';
 
 const BASE = '/api/v1';
 
@@ -320,6 +320,22 @@ export const reloadAdminSCEPIntuneTrust = (pathID: string) =>
 export const getAdminSCEPProfiles = () =>
   fetchJSON<SCEPProfilesResponse>(`${BASE}/admin/scep/profiles`);
 
+// EST RFC 7030 hardening master bundle Phase 7.2 admin endpoints.
+//
+// Backend handler: internal/api/handler/admin_est.go.
+// Both endpoints are M-008 admin-gated; the ESTAdminPage component
+// gates the React-Query `enabled` flag on useAuth().admin so non-admin
+// callers never see the page (the route itself is also conditional on
+// the admin flag in main.tsx).
+export const getAdminESTProfiles = () =>
+  fetchJSON<ESTProfilesResponse>(`${BASE}/admin/est/profiles`);
+
+export const reloadAdminESTTrust = (pathID: string) =>
+  fetchJSON<ESTReloadTrustResponse>(`${BASE}/admin/est/reload-trust`, {
+    method: 'POST',
+    body: JSON.stringify({ path_id: pathID }),
+  });
+
 // SCEP RFC 8894 + Intune master bundle Phase 11.5: SCEP probe
 // (capability + posture). Synchronous — the caller blocks until the
 // probe completes (cap: 30s server-side). Persists to the history

web/src/api/types.ts

@@ -727,6 +727,43 @@ export interface SCEPProfilesResponse {
   generated_at: string;
 }
 
+// EST RFC 7030 hardening master bundle Phase 7.1 / 8 GUI:
+// per-profile snapshot returned by GET /api/v1/admin/est/profiles. Mirrors
+// the Go-side service.ESTStatsSnapshot 1:1.
+export interface ESTTrustAnchorInfo {
+  subject: string;
+  not_before: string;
+  not_after: string;
+  days_to_expiry: number;
+  expired: boolean;
+}
+
+export interface ESTStatsSnapshot {
+  path_id: string;
+  issuer_id: string;
+  profile_id?: string;
+  // 12 named labels — see service/est_counters.go.
+  counters: Record<string, number>;
+  mtls_enabled: boolean;
+  basic_auth_configured: boolean;
+  server_keygen_enabled: boolean;
+  trust_anchors?: ESTTrustAnchorInfo[];
+  trust_anchor_path?: string;
+  now: string;
+}
+
+export interface ESTProfilesResponse {
+  profiles: ESTStatsSnapshot[];
+  profile_count: number;
+  generated_at: string;
+}
+
+export interface ESTReloadTrustResponse {
+  reloaded: boolean;
+  path_id: string;
+  reloaded_at: string;
+}
+
 // SCEP RFC 8894 + Intune master bundle Phase 11.5 — SCEP probe.
 //
 // Backs the SCEP Probe section on the Network Scan page. The probe