diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cba0aab..133661c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -424,6 +424,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          # ARCH-001-A closure (Sprint 5, 2026-05-16). The
+          # openapi-version-tag-parity guard needs the v* tags to
+          # be present locally so it can confirm openapi.yaml's
+          # info.version matches the latest release. Without
+          # fetch-tags, the guard falls back to the GitHub API —
+          # works but adds a network round-trip per CI run.
+          fetch-tags: true
+          fetch-depth: 0
 
       - name: Set up Node.js
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4
diff --git a/api/openapi.yaml b/api/openapi.yaml
index b8ca345..29ab810 100644
--- a/api/openapi.yaml
+++ b/api/openapi.yaml
@@ -11,7 +11,11 @@ info:
 
     Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
     query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
-  version: 2.0.0
+  # ARCH-001-A closure (Sprint 5, 2026-05-16): info.version MUST track
+  # the latest `v*` git tag. The openapi-version-tag-parity.sh CI guard
+  # asserts this on every CI run. Bump in lockstep with the
+  # `git tag -a v* ...` command at release time.
+  version: 2.1.7
   license:
     name: BSL 1.1
     url: https://github.com/certctl-io/certctl/blob/master/LICENSE
@@ -75,6 +79,7 @@ tags:
   - name: EST
     description: Enrollment over Secure Transport (RFC 7030)
   - name: SCEP
+    description: Simple Certificate Enrollment Protocol (RFC 8894)
   - name: Sessions
     description: |
       Server-side session management. Phase 13 Sprint 13.4 (ARCH-H1
@@ -86,7 +91,6 @@ tags:
       Phase 13 Sprint 13.4 — authored against the Phase 9 Sprint 11
       sibling-file handlers at internal/api/handler/auth_session_oidc_crud.go +
       the JWKS-status surface at internal/api/handler/auth_users.go.
-    description: Simple Certificate Enrollment Protocol (RFC 8894)
 
 paths:
   # ─── Health & Auth ───────────────────────────────────────────────────
@@ -5931,6 +5935,16 @@ components:
         request_id:
           type: string
 
+    # ARCH-001-A closure (Sprint 5, 2026-05-16). Three operation
+    # responses (search `#/components/schemas/Error` in this file)
+    # reference a schema named "Error" — but only "ErrorResponse" was
+    # defined, so the orval codegen failed with
+    # MissingPointerError. Alias Error → ErrorResponse so the spec
+    # parses cleanly and the three offenders keep their stable
+    # response shape.
+    Error:
+      $ref: "#/components/schemas/ErrorResponse"
+
     StatusResponse:
       type: object
       properties:
diff --git a/scripts/ci-guards/openapi-codegen-drift.sh b/scripts/ci-guards/openapi-codegen-drift.sh
index 00ac7e5..d101728 100755
--- a/scripts/ci-guards/openapi-codegen-drift.sh
+++ b/scripts/ci-guards/openapi-codegen-drift.sh
@@ -31,11 +31,18 @@ set -e
 GENERATED_DIR="web/src/api/generated"
 
 if [ ! -d "$GENERATED_DIR" ]; then
-  echo "openapi-codegen-drift: skipped — $GENERATED_DIR does not exist yet."
-  echo "  This is expected during Phase 5 scaffolding. Once the operator"
-  echo "  runs 'cd web && npm install && npm run generate' for the first"
-  echo "  time, the directory lands and this guard activates."
-  exit 0
+  # ARCH-001-A closure (Sprint 5, 2026-05-16). Pre-fix the guard
+  # tolerated a missing generated/ tree as "Phase 5 scaffolding."
+  # Phase 5 scaffolded; ARCH-001-A landed the first generation and
+  # committed the tree. From this point on, a missing generated/
+  # directory means a contributor deleted it (intentionally or not)
+  # — the guard fails closed so CI catches the deletion.
+  echo "::error::openapi-codegen-drift: $GENERATED_DIR does not exist. ARCH-001-A committed the initial generated tree; a deletion has happened since."
+  echo "  Restore via:"
+  echo "      cd web && npm ci && npm run generate"
+  echo "  Then commit the result. Do NOT delete generated/ — the codegen-drift"
+  echo "  guard depends on its presence."
+  exit 1
 fi
 
 # Tolerate the case where orval isn't installed in the local
diff --git a/scripts/ci-guards/openapi-version-tag-parity.sh b/scripts/ci-guards/openapi-version-tag-parity.sh
new file mode 100755
index 0000000..d91601b
--- /dev/null
+++ b/scripts/ci-guards/openapi-version-tag-parity.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# scripts/ci-guards/openapi-version-tag-parity.sh
+#
+# ARCH-001-A closure (Sprint 5, 2026-05-16). The hand-written
+# api/openapi.yaml carries an info.version that historically drifted
+# from the actual git-tag-shipping cadence (was "2.0.0" against a
+# v2.1.7 latest tag). External consumers reading the spec for their
+# generated clients have no signal which release shipped it.
+#
+# Fix: the guard reads info.version from openapi.yaml and the latest
+# `v*` git tag from the repo. If they don't match, fail. Bump
+# info.version in the same commit that runs `git tag -a v* ...`
+# at release time.
+#
+# Edge cases handled:
+#   - Shallow CI clones: actions/checkout fetches no tags by default.
+#     The guard falls back to the GitHub API when local tags are
+#     unavailable, mirroring CLAUDE.md's ground-truth-against-the-API
+#     pattern. CI sets fetch-tags: true on the checkout step (per the
+#     workflow update that lands alongside this guard) so local-tag
+#     reads work reliably.
+#   - Pre-first-tag: skip with a notice if no v* tag exists yet.
+
+set -e
+
+YAML="api/openapi.yaml"
+if [ ! -f "$YAML" ]; then
+  echo "::error::openapi-version-tag-parity: $YAML not found"
+  exit 1
+fi
+
+# Extract info.version from openapi.yaml. The version is at top level
+# under `info:`. Use a minimal awk state machine instead of pulling
+# yq into the CI dep graph.
+spec_version=$(awk '
+  /^info:/        { in_info = 1; next }
+  /^[a-zA-Z]/     { in_info = 0 }
+  in_info && /^[[:space:]]+version:/ {
+    sub(/.*version:[[:space:]]*/, "")
+    sub(/[[:space:]]*#.*$/, "")
+    gsub(/^[[:space:]]+|[[:space:]]+$/, "")
+    print
+    exit
+  }' "$YAML")
+
+if [ -z "$spec_version" ]; then
+  echo "::error file=${YAML}::openapi-version-tag-parity: could not parse info.version. Expected a `version: x.y.z` line under `info:`."
+  exit 1
+fi
+
+# Resolve the latest tag locally. Fall back to the GitHub API if the
+# checkout is shallow + tag-less (CLAUDE.md ground-truth pattern).
+latest_tag=$(git tag --sort=-v:refname 2>/dev/null | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -1 || true)
+if [ -z "$latest_tag" ]; then
+  echo "openapi-version-tag-parity: no local v* tag found; falling back to api.github.com/.../tags"
+  latest_tag=$(curl -sS https://api.github.com/repos/certctl-io/certctl/tags 2>/dev/null \
+    | grep -oE '"name": *"v[0-9]+\.[0-9]+\.[0-9]+"' \
+    | head -1 \
+    | sed -E 's/.*"v/v/; s/".*//')
+fi
+if [ -z "$latest_tag" ]; then
+  echo "openapi-version-tag-parity: no v* tag anywhere yet — skipping (pre-first-release)."
+  exit 0
+fi
+
+# Strip the leading 'v' from the tag for comparison.
+tag_version="${latest_tag#v}"
+
+if [ "$spec_version" != "$tag_version" ]; then
+  echo "::error file=${YAML}::openapi-version-tag-parity: info.version=${spec_version} does NOT match latest tag ${latest_tag}."
+  echo "  Bump $YAML info.version to ${tag_version} in the same commit that ships the release,"
+  echo "  OR if a release commit is in flight, tag it first then re-run CI."
+  exit 1
+fi
+
+echo "openapi-version-tag-parity: clean (info.version=${spec_version} matches latest tag ${latest_tag})."
diff --git a/web/src/api/client.ts b/web/src/api/client.ts
index cca32c3..d594397 100644
--- a/web/src/api/client.ts
+++ b/web/src/api/client.ts
@@ -117,7 +117,12 @@ function isStateChangingMethod(method?: string): boolean {
   }
 }
 
-async function fetchJSON<T>(url: string, init?: RequestInit): Promise<T> {
+// fetchJSON is exported (ARCH-001-A closure, Sprint 5, 2026-05-16)
+// so the orval-generated mutator at src/api/mutator.ts can delegate to
+// the same auth/CSRF/401-event semantics without duplicating them. The
+// hand-written client.ts entry points (getCertificates, etc.) continue
+// to call this internally during the per-consumer migration window.
+export async function fetchJSON<T>(url: string, init?: RequestInit): Promise<T> {
   // Bundle 2 Phase 8 — credentials:'include' lets the certctl_session
   // cookie ride along on every request. Bearer-mode deployments work
   // unchanged (the cookie just isn't there). Auto-attach X-CSRF-Token
diff --git a/web/src/api/generated/agent-groups/agent-groups.ts b/web/src/api/generated/agent-groups/agent-groups.ts
new file mode 100644
index 0000000..a1af050
--- /dev/null
+++ b/web/src/api/generated/agent-groups/agent-groups.ts
@@ -0,0 +1,517 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  AgentGroup,
+  BadRequestResponse,
+  InternalErrorResponse,
+  ListAgentGroupMembers200,
+  ListAgentGroups200,
+  ListAgentGroupsParams,
+  NotFoundResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List agent groups
+ */
+export const listAgentGroups = (
+    params?: ListAgentGroupsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAgentGroups200>(
+      {url: `/api/v1/agent-groups`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAgentGroupsQueryKey = (params?: ListAgentGroupsParams,) => {
+    return [
+    `/api/v1/agent-groups`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListAgentGroupsQueryOptions = <TData = Awaited<ReturnType<typeof listAgentGroups>>, TError = InternalErrorResponse>(params?: ListAgentGroupsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroups>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAgentGroupsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAgentGroups>>> = ({ signal }) => listAgentGroups(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAgentGroups>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAgentGroupsQueryResult = NonNullable<Awaited<ReturnType<typeof listAgentGroups>>>
+export type ListAgentGroupsQueryError = InternalErrorResponse
+
+
+export function useListAgentGroups<TData = Awaited<ReturnType<typeof listAgentGroups>>, TError = InternalErrorResponse>(
+ params: undefined |  ListAgentGroupsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroups>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAgentGroups>>,
+          TError,
+          Awaited<ReturnType<typeof listAgentGroups>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAgentGroups<TData = Awaited<ReturnType<typeof listAgentGroups>>, TError = InternalErrorResponse>(
+ params?: ListAgentGroupsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroups>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAgentGroups>>,
+          TError,
+          Awaited<ReturnType<typeof listAgentGroups>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAgentGroups<TData = Awaited<ReturnType<typeof listAgentGroups>>, TError = InternalErrorResponse>(
+ params?: ListAgentGroupsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroups>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List agent groups
+ */
+
+export function useListAgentGroups<TData = Awaited<ReturnType<typeof listAgentGroups>>, TError = InternalErrorResponse>(
+ params?: ListAgentGroupsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroups>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAgentGroupsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Create agent group
+ */
+export const createAgentGroup = (
+    agentGroup: AgentGroup,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<AgentGroup>(
+      {url: `/api/v1/agent-groups`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: agentGroup, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateAgentGroupMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createAgentGroup>>, TError,{data: AgentGroup}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createAgentGroup>>, TError,{data: AgentGroup}, TContext> => {
+
+const mutationKey = ['createAgentGroup'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createAgentGroup>>, {data: AgentGroup}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createAgentGroup(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateAgentGroupMutationResult = NonNullable<Awaited<ReturnType<typeof createAgentGroup>>>
+    export type CreateAgentGroupMutationBody = AgentGroup
+    export type CreateAgentGroupMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create agent group
+ */
+export const useCreateAgentGroup = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createAgentGroup>>, TError,{data: AgentGroup}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createAgentGroup>>,
+        TError,
+        {data: AgentGroup},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateAgentGroupMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Get agent group
+ */
+export const getAgentGroup = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<AgentGroup>(
+      {url: `/api/v1/agent-groups/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetAgentGroupQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/agent-groups/${id}`
+    ] as const;
+    }
+
+    
+export const getGetAgentGroupQueryOptions = <TData = Awaited<ReturnType<typeof getAgentGroup>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgentGroup>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetAgentGroupQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getAgentGroup>>> = ({ signal }) => getAgentGroup(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getAgentGroup>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetAgentGroupQueryResult = NonNullable<Awaited<ReturnType<typeof getAgentGroup>>>
+export type GetAgentGroupQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetAgentGroup<TData = Awaited<ReturnType<typeof getAgentGroup>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgentGroup>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAgentGroup>>,
+          TError,
+          Awaited<ReturnType<typeof getAgentGroup>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAgentGroup<TData = Awaited<ReturnType<typeof getAgentGroup>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgentGroup>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAgentGroup>>,
+          TError,
+          Awaited<ReturnType<typeof getAgentGroup>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAgentGroup<TData = Awaited<ReturnType<typeof getAgentGroup>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgentGroup>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get agent group
+ */
+
+export function useGetAgentGroup<TData = Awaited<ReturnType<typeof getAgentGroup>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgentGroup>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetAgentGroupQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Update agent group
+ */
+export const updateAgentGroup = (
+    id: string,
+    agentGroup: AgentGroup,
+ ) => {
+      
+      
+      return certctlFetch<AgentGroup>(
+      {url: `/api/v1/agent-groups/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: agentGroup
+    },
+      );
+    }
+  
+
+
+export const getUpdateAgentGroupMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateAgentGroup>>, TError,{id: string;data: AgentGroup}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateAgentGroup>>, TError,{id: string;data: AgentGroup}, TContext> => {
+
+const mutationKey = ['updateAgentGroup'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateAgentGroup>>, {id: string;data: AgentGroup}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateAgentGroup(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateAgentGroupMutationResult = NonNullable<Awaited<ReturnType<typeof updateAgentGroup>>>
+    export type UpdateAgentGroupMutationBody = AgentGroup
+    export type UpdateAgentGroupMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Update agent group
+ */
+export const useUpdateAgentGroup = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateAgentGroup>>, TError,{id: string;data: AgentGroup}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateAgentGroup>>,
+        TError,
+        {id: string;data: AgentGroup},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateAgentGroupMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Delete agent group
+ */
+export const deleteAgentGroup = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/agent-groups/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteAgentGroupMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteAgentGroup>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteAgentGroup>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteAgentGroup'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteAgentGroup>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteAgentGroup(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteAgentGroupMutationResult = NonNullable<Awaited<ReturnType<typeof deleteAgentGroup>>>
+    
+    export type DeleteAgentGroupMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete agent group
+ */
+export const useDeleteAgentGroup = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteAgentGroup>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteAgentGroup>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteAgentGroupMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns agents matching the group's dynamic criteria plus manually included members.
+ * @summary List agent group members
+ */
+export const listAgentGroupMembers = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAgentGroupMembers200>(
+      {url: `/api/v1/agent-groups/${id}/members`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAgentGroupMembersQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/agent-groups/${id}/members`
+    ] as const;
+    }
+
+    
+export const getListAgentGroupMembersQueryOptions = <TData = Awaited<ReturnType<typeof listAgentGroupMembers>>, TError = BadRequestResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroupMembers>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAgentGroupMembersQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAgentGroupMembers>>> = ({ signal }) => listAgentGroupMembers(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAgentGroupMembers>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAgentGroupMembersQueryResult = NonNullable<Awaited<ReturnType<typeof listAgentGroupMembers>>>
+export type ListAgentGroupMembersQueryError = BadRequestResponse | InternalErrorResponse
+
+
+export function useListAgentGroupMembers<TData = Awaited<ReturnType<typeof listAgentGroupMembers>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroupMembers>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAgentGroupMembers>>,
+          TError,
+          Awaited<ReturnType<typeof listAgentGroupMembers>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAgentGroupMembers<TData = Awaited<ReturnType<typeof listAgentGroupMembers>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroupMembers>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAgentGroupMembers>>,
+          TError,
+          Awaited<ReturnType<typeof listAgentGroupMembers>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAgentGroupMembers<TData = Awaited<ReturnType<typeof listAgentGroupMembers>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroupMembers>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List agent group members
+ */
+
+export function useListAgentGroupMembers<TData = Awaited<ReturnType<typeof listAgentGroupMembers>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroupMembers>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAgentGroupMembersQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
diff --git a/web/src/api/generated/agents/agents.ts b/web/src/api/generated/agents/agents.ts
new file mode 100644
index 0000000..44b78eb
--- /dev/null
+++ b/web/src/api/generated/agents/agents.ts
@@ -0,0 +1,899 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  Agent,
+  AgentGetWork200,
+  AgentHeartbeatBody,
+  AgentPickupCertificate200,
+  AgentReportJobStatusBody,
+  AgentSubmitCSRBody,
+  BadRequestResponse,
+  BlockedByDependenciesResponse,
+  ConflictResponse,
+  ErrorResponse,
+  InternalErrorResponse,
+  ListAgents200,
+  ListAgentsParams,
+  ListRetiredAgents200,
+  ListRetiredAgentsParams,
+  NotFoundResponse,
+  RetireAgentParams,
+  RetireAgentResponse,
+  StatusResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List agents
+ */
+export const listAgents = (
+    params?: ListAgentsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAgents200>(
+      {url: `/api/v1/agents`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAgentsQueryKey = (params?: ListAgentsParams,) => {
+    return [
+    `/api/v1/agents`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListAgentsQueryOptions = <TData = Awaited<ReturnType<typeof listAgents>>, TError = InternalErrorResponse>(params?: ListAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgents>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAgentsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAgents>>> = ({ signal }) => listAgents(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAgents>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAgentsQueryResult = NonNullable<Awaited<ReturnType<typeof listAgents>>>
+export type ListAgentsQueryError = InternalErrorResponse
+
+
+export function useListAgents<TData = Awaited<ReturnType<typeof listAgents>>, TError = InternalErrorResponse>(
+ params: undefined |  ListAgentsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgents>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAgents>>,
+          TError,
+          Awaited<ReturnType<typeof listAgents>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAgents<TData = Awaited<ReturnType<typeof listAgents>>, TError = InternalErrorResponse>(
+ params?: ListAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgents>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAgents>>,
+          TError,
+          Awaited<ReturnType<typeof listAgents>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAgents<TData = Awaited<ReturnType<typeof listAgents>>, TError = InternalErrorResponse>(
+ params?: ListAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgents>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List agents
+ */
+
+export function useListAgents<TData = Awaited<ReturnType<typeof listAgents>>, TError = InternalErrorResponse>(
+ params?: ListAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgents>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAgentsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Register agent
+ */
+export const registerAgent = (
+    agent: Agent,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Agent>(
+      {url: `/api/v1/agents`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: agent, signal
+    },
+      );
+    }
+  
+
+
+export const getRegisterAgentMutationOptions = <TError = BadRequestResponse | ConflictResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof registerAgent>>, TError,{data: Agent}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof registerAgent>>, TError,{data: Agent}, TContext> => {
+
+const mutationKey = ['registerAgent'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof registerAgent>>, {data: Agent}> = (props) => {
+          const {data} = props ?? {};
+
+          return  registerAgent(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RegisterAgentMutationResult = NonNullable<Awaited<ReturnType<typeof registerAgent>>>
+    export type RegisterAgentMutationBody = Agent
+    export type RegisterAgentMutationError = BadRequestResponse | ConflictResponse | InternalErrorResponse
+
+    /**
+ * @summary Register agent
+ */
+export const useRegisterAgent = <TError = BadRequestResponse | ConflictResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof registerAgent>>, TError,{data: Agent}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof registerAgent>>,
+        TError,
+        {data: Agent},
+        TContext
+      > => {
+
+      const mutationOptions = getRegisterAgentMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * I-004: opt-in listing of soft-retired agents. The default
+`GET /api/v1/agents` endpoint filters retired rows out; this is the
+dedicated surface for reading them back (e.g., the operator UI's
+"Retired" tab, audit and forensics workflows). Pagination defaults
+match the default agent listing (page=1, per_page=50, max 500). Go
+1.22's enhanced ServeMux routes `/agents/retired` to this handler
+via the literal-beats-pattern-var precedence rule, so the sibling
+`/agents/{id}` route does not shadow it.
+
+ * @summary List retired agents
+ */
+export const listRetiredAgents = (
+    params?: ListRetiredAgentsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListRetiredAgents200>(
+      {url: `/api/v1/agents/retired`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListRetiredAgentsQueryKey = (params?: ListRetiredAgentsParams,) => {
+    return [
+    `/api/v1/agents/retired`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListRetiredAgentsQueryOptions = <TData = Awaited<ReturnType<typeof listRetiredAgents>>, TError = InternalErrorResponse>(params?: ListRetiredAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRetiredAgents>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListRetiredAgentsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listRetiredAgents>>> = ({ signal }) => listRetiredAgents(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listRetiredAgents>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListRetiredAgentsQueryResult = NonNullable<Awaited<ReturnType<typeof listRetiredAgents>>>
+export type ListRetiredAgentsQueryError = InternalErrorResponse
+
+
+export function useListRetiredAgents<TData = Awaited<ReturnType<typeof listRetiredAgents>>, TError = InternalErrorResponse>(
+ params: undefined |  ListRetiredAgentsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRetiredAgents>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listRetiredAgents>>,
+          TError,
+          Awaited<ReturnType<typeof listRetiredAgents>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListRetiredAgents<TData = Awaited<ReturnType<typeof listRetiredAgents>>, TError = InternalErrorResponse>(
+ params?: ListRetiredAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRetiredAgents>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listRetiredAgents>>,
+          TError,
+          Awaited<ReturnType<typeof listRetiredAgents>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListRetiredAgents<TData = Awaited<ReturnType<typeof listRetiredAgents>>, TError = InternalErrorResponse>(
+ params?: ListRetiredAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRetiredAgents>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List retired agents
+ */
+
+export function useListRetiredAgents<TData = Awaited<ReturnType<typeof listRetiredAgents>>, TError = InternalErrorResponse>(
+ params?: ListRetiredAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRetiredAgents>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListRetiredAgentsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Get agent
+ */
+export const getAgent = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Agent>(
+      {url: `/api/v1/agents/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetAgentQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/agents/${id}`
+    ] as const;
+    }
+
+    
+export const getGetAgentQueryOptions = <TData = Awaited<ReturnType<typeof getAgent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgent>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetAgentQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getAgent>>> = ({ signal }) => getAgent(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getAgent>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetAgentQueryResult = NonNullable<Awaited<ReturnType<typeof getAgent>>>
+export type GetAgentQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetAgent<TData = Awaited<ReturnType<typeof getAgent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgent>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAgent>>,
+          TError,
+          Awaited<ReturnType<typeof getAgent>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAgent<TData = Awaited<ReturnType<typeof getAgent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgent>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAgent>>,
+          TError,
+          Awaited<ReturnType<typeof getAgent>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAgent<TData = Awaited<ReturnType<typeof getAgent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgent>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get agent
+ */
+
+export function useGetAgent<TData = Awaited<ReturnType<typeof getAgent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgent>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetAgentQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * I-004: soft-retirement. The agent row is preserved (so its audit
+trail and historical job links remain intact) and `retired_at` is
+stamped. A retired agent receives `410 Gone` on subsequent
+heartbeats so it can shut down cleanly.
+
+Behavior matrix:
+
+| Scenario | Query | Status | Body |
+| --- | --- | --- | --- |
+| Clean retire (no active dependencies) | none | `200` | `RetireAgentResponse` with `cascade=false`, zero counts |
+| Blocked by active targets/certs/jobs | none | `409` | `BlockedByDependenciesResponse` with per-bucket counts |
+| Force-cascade retire | `force=true&reason=...` | `200` | `RetireAgentResponse` with `cascade=true`, pre-cascade counts |
+| Idempotent re-retire | either | `204` | (empty — downstream consumers break on stray bodies) |
+| `force=true` without reason | `force=true` | `400` | ErrorResponse (ErrForceReasonRequired) |
+| Reserved sentinel agent | any | `403` | ErrorResponse (ErrAgentIsSentinel) |
+| Unknown agent id | any | `404` | ErrorResponse |
+
+Sentinel agents are the four reserved identities backing non-agent
+discovery subsystems (`server-scanner`, `cloud-aws-sm`,
+`cloud-azure-kv`, `cloud-gcp-sm`). Retiring them would orphan the
+scanner or a cloud secret-manager source, so the handler refuses
+unconditionally — even with `force=true`.
+
+ * @summary Soft-retire agent
+ */
+export const retireAgent = (
+    id: string,
+    params?: RetireAgentParams,
+ ) => {
+      
+      
+      return certctlFetch<RetireAgentResponse | void>(
+      {url: `/api/v1/agents/${id}`, method: 'DELETE',
+        params
+    },
+      );
+    }
+  
+
+
+export const getRetireAgentMutationOptions = <TError = ErrorResponse | NotFoundResponse | void | BlockedByDependenciesResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof retireAgent>>, TError,{id: string;params?: RetireAgentParams}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof retireAgent>>, TError,{id: string;params?: RetireAgentParams}, TContext> => {
+
+const mutationKey = ['retireAgent'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof retireAgent>>, {id: string;params?: RetireAgentParams}> = (props) => {
+          const {id,params} = props ?? {};
+
+          return  retireAgent(id,params,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RetireAgentMutationResult = NonNullable<Awaited<ReturnType<typeof retireAgent>>>
+    
+    export type RetireAgentMutationError = ErrorResponse | NotFoundResponse | void | BlockedByDependenciesResponse | InternalErrorResponse
+
+    /**
+ * @summary Soft-retire agent
+ */
+export const useRetireAgent = <TError = ErrorResponse | NotFoundResponse | void | BlockedByDependenciesResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof retireAgent>>, TError,{id: string;params?: RetireAgentParams}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof retireAgent>>,
+        TError,
+        {id: string;params?: RetireAgentParams},
+        TContext
+      > => {
+
+      const mutationOptions = getRetireAgentMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Reports agent liveness and metadata (OS, architecture, IP, version).
+
+I-004: a retired agent still polling the heartbeat endpoint receives
+`410 Gone` so `cmd/agent` detects the terminal signal and shuts down
+cleanly instead of looping forever against a decommissioned identity.
+The retired-agent check runs before any "not found" string match so
+it can never be masked by a sibling error branch.
+
+ * @summary Agent heartbeat
+ */
+export const agentHeartbeat = (
+    id: string,
+    agentHeartbeatBody: AgentHeartbeatBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/agents/${id}/heartbeat`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: agentHeartbeatBody, signal
+    },
+      );
+    }
+  
+
+
+export const getAgentHeartbeatMutationOptions = <TError = BadRequestResponse | NotFoundResponse | ErrorResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof agentHeartbeat>>, TError,{id: string;data: AgentHeartbeatBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof agentHeartbeat>>, TError,{id: string;data: AgentHeartbeatBody}, TContext> => {
+
+const mutationKey = ['agentHeartbeat'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof agentHeartbeat>>, {id: string;data: AgentHeartbeatBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  agentHeartbeat(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type AgentHeartbeatMutationResult = NonNullable<Awaited<ReturnType<typeof agentHeartbeat>>>
+    export type AgentHeartbeatMutationBody = AgentHeartbeatBody
+    export type AgentHeartbeatMutationError = BadRequestResponse | NotFoundResponse | ErrorResponse | InternalErrorResponse
+
+    /**
+ * @summary Agent heartbeat
+ */
+export const useAgentHeartbeat = <TError = BadRequestResponse | NotFoundResponse | ErrorResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof agentHeartbeat>>, TError,{id: string;data: AgentHeartbeatBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof agentHeartbeat>>,
+        TError,
+        {id: string;data: AgentHeartbeatBody},
+        TContext
+      > => {
+
+      const mutationOptions = getAgentHeartbeatMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Agent submits a PEM-encoded CSR for signing. Used in agent keygen mode.
+ * @summary Submit CSR
+ */
+export const agentSubmitCSR = (
+    id: string,
+    agentSubmitCSRBody: AgentSubmitCSRBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/agents/${id}/csr`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: agentSubmitCSRBody, signal
+    },
+      );
+    }
+  
+
+
+export const getAgentSubmitCSRMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof agentSubmitCSR>>, TError,{id: string;data: AgentSubmitCSRBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof agentSubmitCSR>>, TError,{id: string;data: AgentSubmitCSRBody}, TContext> => {
+
+const mutationKey = ['agentSubmitCSR'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof agentSubmitCSR>>, {id: string;data: AgentSubmitCSRBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  agentSubmitCSR(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type AgentSubmitCSRMutationResult = NonNullable<Awaited<ReturnType<typeof agentSubmitCSR>>>
+    export type AgentSubmitCSRMutationBody = AgentSubmitCSRBody
+    export type AgentSubmitCSRMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Submit CSR
+ */
+export const useAgentSubmitCSR = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof agentSubmitCSR>>, TError,{id: string;data: AgentSubmitCSRBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof agentSubmitCSR>>,
+        TError,
+        {id: string;data: AgentSubmitCSRBody},
+        TContext
+      > => {
+
+      const mutationOptions = getAgentSubmitCSRMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Agent retrieves the signed certificate PEM after CSR signing completes.
+ * @summary Pick up signed certificate
+ */
+export const agentPickupCertificate = (
+    id: string,
+    certId: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<AgentPickupCertificate200>(
+      {url: `/api/v1/agents/${id}/certificates/${certId}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getAgentPickupCertificateQueryKey = (id?: string,
+    certId?: string,) => {
+    return [
+    `/api/v1/agents/${id}/certificates/${certId}`
+    ] as const;
+    }
+
+    
+export const getAgentPickupCertificateQueryOptions = <TData = Awaited<ReturnType<typeof agentPickupCertificate>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string,
+    certId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentPickupCertificate>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getAgentPickupCertificateQueryKey(id,certId);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof agentPickupCertificate>>> = ({ signal }) => agentPickupCertificate(id,certId, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id && certId), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof agentPickupCertificate>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type AgentPickupCertificateQueryResult = NonNullable<Awaited<ReturnType<typeof agentPickupCertificate>>>
+export type AgentPickupCertificateQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useAgentPickupCertificate<TData = Awaited<ReturnType<typeof agentPickupCertificate>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    certId: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentPickupCertificate>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof agentPickupCertificate>>,
+          TError,
+          Awaited<ReturnType<typeof agentPickupCertificate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useAgentPickupCertificate<TData = Awaited<ReturnType<typeof agentPickupCertificate>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    certId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentPickupCertificate>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof agentPickupCertificate>>,
+          TError,
+          Awaited<ReturnType<typeof agentPickupCertificate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useAgentPickupCertificate<TData = Awaited<ReturnType<typeof agentPickupCertificate>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    certId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentPickupCertificate>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Pick up signed certificate
+ */
+
+export function useAgentPickupCertificate<TData = Awaited<ReturnType<typeof agentPickupCertificate>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    certId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentPickupCertificate>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getAgentPickupCertificateQueryOptions(id,certId,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns pending deployment and AwaitingCSR jobs for the agent.
+ * @summary Get pending work
+ */
+export const agentGetWork = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<AgentGetWork200>(
+      {url: `/api/v1/agents/${id}/work`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getAgentGetWorkQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/agents/${id}/work`
+    ] as const;
+    }
+
+    
+export const getAgentGetWorkQueryOptions = <TData = Awaited<ReturnType<typeof agentGetWork>>, TError = BadRequestResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentGetWork>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getAgentGetWorkQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof agentGetWork>>> = ({ signal }) => agentGetWork(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof agentGetWork>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type AgentGetWorkQueryResult = NonNullable<Awaited<ReturnType<typeof agentGetWork>>>
+export type AgentGetWorkQueryError = BadRequestResponse | InternalErrorResponse
+
+
+export function useAgentGetWork<TData = Awaited<ReturnType<typeof agentGetWork>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentGetWork>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof agentGetWork>>,
+          TError,
+          Awaited<ReturnType<typeof agentGetWork>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useAgentGetWork<TData = Awaited<ReturnType<typeof agentGetWork>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentGetWork>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof agentGetWork>>,
+          TError,
+          Awaited<ReturnType<typeof agentGetWork>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useAgentGetWork<TData = Awaited<ReturnType<typeof agentGetWork>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentGetWork>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get pending work
+ */
+
+export function useAgentGetWork<TData = Awaited<ReturnType<typeof agentGetWork>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentGetWork>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getAgentGetWorkQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Agent reports completion or failure of an assigned job.
+ * @summary Report job status
+ */
+export const agentReportJobStatus = (
+    id: string,
+    jobId: string,
+    agentReportJobStatusBody: AgentReportJobStatusBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/agents/${id}/jobs/${jobId}/status`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: agentReportJobStatusBody, signal
+    },
+      );
+    }
+  
+
+
+export const getAgentReportJobStatusMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof agentReportJobStatus>>, TError,{id: string;jobId: string;data: AgentReportJobStatusBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof agentReportJobStatus>>, TError,{id: string;jobId: string;data: AgentReportJobStatusBody}, TContext> => {
+
+const mutationKey = ['agentReportJobStatus'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof agentReportJobStatus>>, {id: string;jobId: string;data: AgentReportJobStatusBody}> = (props) => {
+          const {id,jobId,data} = props ?? {};
+
+          return  agentReportJobStatus(id,jobId,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type AgentReportJobStatusMutationResult = NonNullable<Awaited<ReturnType<typeof agentReportJobStatus>>>
+    export type AgentReportJobStatusMutationBody = AgentReportJobStatusBody
+    export type AgentReportJobStatusMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Report job status
+ */
+export const useAgentReportJobStatus = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof agentReportJobStatus>>, TError,{id: string;jobId: string;data: AgentReportJobStatusBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof agentReportJobStatus>>,
+        TError,
+        {id: string;jobId: string;data: AgentReportJobStatusBody},
+        TContext
+      > => {
+
+      const mutationOptions = getAgentReportJobStatusMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/approvals/approvals.ts b/web/src/api/generated/approvals/approvals.ts
new file mode 100644
index 0000000..f02f627
--- /dev/null
+++ b/web/src/api/generated/approvals/approvals.ts
@@ -0,0 +1,387 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  ApprovalRequest,
+  ApproveApprovalRequest200,
+  ApproveApprovalRequestBody,
+  InternalErrorResponse,
+  ListApprovalRequests200,
+  ListApprovalRequestsParams,
+  NotFoundResponse,
+  RejectApprovalRequest200,
+  RejectApprovalRequestBody
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Rank 7 issuance approval-workflow primitive. Returns paginated approval
+requests, optionally filtered by ?state= (pending/approved/rejected/expired),
+?certificate_id=, or ?requested_by=. Empty filters return the unfiltered
+list (default page=1, per_page=50).
+
+ * @summary List approval requests
+ */
+export const listApprovalRequests = (
+    params?: ListApprovalRequestsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListApprovalRequests200>(
+      {url: `/api/v1/approvals`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListApprovalRequestsQueryKey = (params?: ListApprovalRequestsParams,) => {
+    return [
+    `/api/v1/approvals`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListApprovalRequestsQueryOptions = <TData = Awaited<ReturnType<typeof listApprovalRequests>>, TError = InternalErrorResponse>(params?: ListApprovalRequestsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listApprovalRequests>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListApprovalRequestsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listApprovalRequests>>> = ({ signal }) => listApprovalRequests(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listApprovalRequests>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListApprovalRequestsQueryResult = NonNullable<Awaited<ReturnType<typeof listApprovalRequests>>>
+export type ListApprovalRequestsQueryError = InternalErrorResponse
+
+
+export function useListApprovalRequests<TData = Awaited<ReturnType<typeof listApprovalRequests>>, TError = InternalErrorResponse>(
+ params: undefined |  ListApprovalRequestsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listApprovalRequests>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listApprovalRequests>>,
+          TError,
+          Awaited<ReturnType<typeof listApprovalRequests>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListApprovalRequests<TData = Awaited<ReturnType<typeof listApprovalRequests>>, TError = InternalErrorResponse>(
+ params?: ListApprovalRequestsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listApprovalRequests>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listApprovalRequests>>,
+          TError,
+          Awaited<ReturnType<typeof listApprovalRequests>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListApprovalRequests<TData = Awaited<ReturnType<typeof listApprovalRequests>>, TError = InternalErrorResponse>(
+ params?: ListApprovalRequestsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listApprovalRequests>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List approval requests
+ */
+
+export function useListApprovalRequests<TData = Awaited<ReturnType<typeof listApprovalRequests>>, TError = InternalErrorResponse>(
+ params?: ListApprovalRequestsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listApprovalRequests>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListApprovalRequestsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns a single approval request by ID.
+ * @summary Get approval request
+ */
+export const getApprovalRequest = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ApprovalRequest>(
+      {url: `/api/v1/approvals/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetApprovalRequestQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/approvals/${id}`
+    ] as const;
+    }
+
+    
+export const getGetApprovalRequestQueryOptions = <TData = Awaited<ReturnType<typeof getApprovalRequest>>, TError = NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getApprovalRequest>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetApprovalRequestQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getApprovalRequest>>> = ({ signal }) => getApprovalRequest(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getApprovalRequest>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetApprovalRequestQueryResult = NonNullable<Awaited<ReturnType<typeof getApprovalRequest>>>
+export type GetApprovalRequestQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useGetApprovalRequest<TData = Awaited<ReturnType<typeof getApprovalRequest>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getApprovalRequest>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getApprovalRequest>>,
+          TError,
+          Awaited<ReturnType<typeof getApprovalRequest>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetApprovalRequest<TData = Awaited<ReturnType<typeof getApprovalRequest>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getApprovalRequest>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getApprovalRequest>>,
+          TError,
+          Awaited<ReturnType<typeof getApprovalRequest>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetApprovalRequest<TData = Awaited<ReturnType<typeof getApprovalRequest>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getApprovalRequest>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get approval request
+ */
+
+export function useGetApprovalRequest<TData = Awaited<ReturnType<typeof getApprovalRequest>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getApprovalRequest>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetApprovalRequestQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Transitions a pending request to approved AND transitions the linked
+Job from AwaitingApproval to Pending so the scheduler picks it up.
+RBAC: the authenticated actor extracted via the auth middleware MUST
+differ from the request's requested_by — a same-actor self-approval
+returns HTTP 403 with the substring `two-person integrity` in the
+body. This is the load-bearing two-person integrity contract;
+compliance auditors (PCI-DSS 6.4.5, NIST 800-53 SA-15, SOC 2 CC6.1)
+pattern-match against this code path.
+
+ * @summary Approve a pending approval request
+ */
+export const approveApprovalRequest = (
+    id: string,
+    approveApprovalRequestBody?: ApproveApprovalRequestBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ApproveApprovalRequest200>(
+      {url: `/api/v1/approvals/${id}/approve`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: approveApprovalRequestBody, signal
+    },
+      );
+    }
+  
+
+
+export const getApproveApprovalRequestMutationOptions = <TError = void | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof approveApprovalRequest>>, TError,{id: string;data: ApproveApprovalRequestBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof approveApprovalRequest>>, TError,{id: string;data: ApproveApprovalRequestBody}, TContext> => {
+
+const mutationKey = ['approveApprovalRequest'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof approveApprovalRequest>>, {id: string;data: ApproveApprovalRequestBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  approveApprovalRequest(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ApproveApprovalRequestMutationResult = NonNullable<Awaited<ReturnType<typeof approveApprovalRequest>>>
+    export type ApproveApprovalRequestMutationBody = ApproveApprovalRequestBody
+    export type ApproveApprovalRequestMutationError = void | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Approve a pending approval request
+ */
+export const useApproveApprovalRequest = <TError = void | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof approveApprovalRequest>>, TError,{id: string;data: ApproveApprovalRequestBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof approveApprovalRequest>>,
+        TError,
+        {id: string;data: ApproveApprovalRequestBody},
+        TContext
+      > => {
+
+      const mutationOptions = getApproveApprovalRequestMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Transitions a pending request to rejected AND cancels the linked
+Job. Same-actor RBAC contract as approve. The job's error_message
+is populated with the supplied note for audit continuity.
+
+ * @summary Reject a pending approval request
+ */
+export const rejectApprovalRequest = (
+    id: string,
+    rejectApprovalRequestBody?: RejectApprovalRequestBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<RejectApprovalRequest200>(
+      {url: `/api/v1/approvals/${id}/reject`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: rejectApprovalRequestBody, signal
+    },
+      );
+    }
+  
+
+
+export const getRejectApprovalRequestMutationOptions = <TError = void | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof rejectApprovalRequest>>, TError,{id: string;data: RejectApprovalRequestBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof rejectApprovalRequest>>, TError,{id: string;data: RejectApprovalRequestBody}, TContext> => {
+
+const mutationKey = ['rejectApprovalRequest'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof rejectApprovalRequest>>, {id: string;data: RejectApprovalRequestBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  rejectApprovalRequest(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RejectApprovalRequestMutationResult = NonNullable<Awaited<ReturnType<typeof rejectApprovalRequest>>>
+    export type RejectApprovalRequestMutationBody = RejectApprovalRequestBody
+    export type RejectApprovalRequestMutationError = void | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Reject a pending approval request
+ */
+export const useRejectApprovalRequest = <TError = void | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof rejectApprovalRequest>>, TError,{id: string;data: RejectApprovalRequestBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof rejectApprovalRequest>>,
+        TError,
+        {id: string;data: RejectApprovalRequestBody},
+        TContext
+      > => {
+
+      const mutationOptions = getRejectApprovalRequestMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/audit/audit.ts b/web/src/api/generated/audit/audit.ts
new file mode 100644
index 0000000..440861c
--- /dev/null
+++ b/web/src/api/generated/audit/audit.ts
@@ -0,0 +1,363 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  AuditEvent,
+  BadRequestResponse,
+  ExportAuditParams,
+  InternalErrorResponse,
+  ListAuditEvents200,
+  ListAuditEventsParams,
+  NotFoundResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Permission `audit.export`. Streams every audit row inside the
+requested `[from, to]` window as `application/x-ndjson`. Used
+by compliance pipelines (Splunk Universal Forwarder, Elastic
+Filebeat, Vector, etc.) that prefer line-by-line ingestion
+over a single JSON document.
+
+Range cap: 90 days. Requests with `to - from > 90d` return
+400; paginate by narrower windows.
+
+Per-record cap: `limit` query parameter (default 50000;
+accepted range 1..100000). Values outside the range silently
+clamp to default.
+
+The export itself is recursively audited: every successful
+export emits an `audit.export` event capturing actor, range,
+category, and row count so the audit log records who pulled
+which compliance evidence and when.
+
+ * @summary Export audit events as newline-delimited JSON (NDJSON) for a date range
+ */
+export const exportAudit = (
+    params: ExportAuditParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/api/v1/audit/export`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getExportAuditQueryKey = (params?: ExportAuditParams,) => {
+    return [
+    `/api/v1/audit/export`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getExportAuditQueryOptions = <TData = Awaited<ReturnType<typeof exportAudit>>, TError = void>(params: ExportAuditParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportAudit>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getExportAuditQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof exportAudit>>> = ({ signal }) => exportAudit(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof exportAudit>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ExportAuditQueryResult = NonNullable<Awaited<ReturnType<typeof exportAudit>>>
+export type ExportAuditQueryError = void
+
+
+export function useExportAudit<TData = Awaited<ReturnType<typeof exportAudit>>, TError = void>(
+ params: ExportAuditParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportAudit>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof exportAudit>>,
+          TError,
+          Awaited<ReturnType<typeof exportAudit>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useExportAudit<TData = Awaited<ReturnType<typeof exportAudit>>, TError = void>(
+ params: ExportAuditParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportAudit>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof exportAudit>>,
+          TError,
+          Awaited<ReturnType<typeof exportAudit>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useExportAudit<TData = Awaited<ReturnType<typeof exportAudit>>, TError = void>(
+ params: ExportAuditParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportAudit>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Export audit events as newline-delimited JSON (NDJSON) for a date range
+ */
+
+export function useExportAudit<TData = Awaited<ReturnType<typeof exportAudit>>, TError = void>(
+ params: ExportAuditParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportAudit>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getExportAuditQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Bundle 1 Phase 8 adds the optional `category` query parameter
+for auditor-role filtering. Allowed values: `cert_lifecycle`
+(cert/agent/deployment events), `auth` (role/key/bootstrap
+mutations), `config` (issuer/target/settings edits). Omitting
+the parameter returns every category.
+
+P-H2 closure (frontend-design-audit 2026-05-14) adds the
+optional `since` / `until` time-range query parameters. Both
+accept RFC3339 timestamps (e.g. `2026-04-01T00:00:00Z`).
+Either bound can be omitted to leave that side open-ended.
+Combined with `category`, they let auditor-role clients query
+"auth events from yesterday" without a separate endpoint.
+
+Note on naming: this endpoint uses `since` / `until` to match
+the existing MCP `certctl_audit_list_with_category` tool's
+published contract. The sibling `/api/v1/audit/export`
+endpoint uses `from` / `to` for compliance-window semantics
+(required, ≤ 90-day range, NDJSON streaming); the two
+endpoints share data but the names reflect the different
+param semantics.
+
+ * @summary List audit events
+ */
+export const listAuditEvents = (
+    params?: ListAuditEventsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAuditEvents200>(
+      {url: `/api/v1/audit`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAuditEventsQueryKey = (params?: ListAuditEventsParams,) => {
+    return [
+    `/api/v1/audit`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListAuditEventsQueryOptions = <TData = Awaited<ReturnType<typeof listAuditEvents>>, TError = void | InternalErrorResponse>(params?: ListAuditEventsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuditEvents>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAuditEventsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAuditEvents>>> = ({ signal }) => listAuditEvents(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAuditEvents>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAuditEventsQueryResult = NonNullable<Awaited<ReturnType<typeof listAuditEvents>>>
+export type ListAuditEventsQueryError = void | InternalErrorResponse
+
+
+export function useListAuditEvents<TData = Awaited<ReturnType<typeof listAuditEvents>>, TError = void | InternalErrorResponse>(
+ params: undefined |  ListAuditEventsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuditEvents>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuditEvents>>,
+          TError,
+          Awaited<ReturnType<typeof listAuditEvents>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuditEvents<TData = Awaited<ReturnType<typeof listAuditEvents>>, TError = void | InternalErrorResponse>(
+ params?: ListAuditEventsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuditEvents>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuditEvents>>,
+          TError,
+          Awaited<ReturnType<typeof listAuditEvents>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuditEvents<TData = Awaited<ReturnType<typeof listAuditEvents>>, TError = void | InternalErrorResponse>(
+ params?: ListAuditEventsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuditEvents>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List audit events
+ */
+
+export function useListAuditEvents<TData = Awaited<ReturnType<typeof listAuditEvents>>, TError = void | InternalErrorResponse>(
+ params?: ListAuditEventsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuditEvents>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAuditEventsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Get audit event
+ */
+export const getAuditEvent = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<AuditEvent>(
+      {url: `/api/v1/audit/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetAuditEventQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/audit/${id}`
+    ] as const;
+    }
+
+    
+export const getGetAuditEventQueryOptions = <TData = Awaited<ReturnType<typeof getAuditEvent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuditEvent>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetAuditEventQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getAuditEvent>>> = ({ signal }) => getAuditEvent(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getAuditEvent>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetAuditEventQueryResult = NonNullable<Awaited<ReturnType<typeof getAuditEvent>>>
+export type GetAuditEventQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetAuditEvent<TData = Awaited<ReturnType<typeof getAuditEvent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuditEvent>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuditEvent>>,
+          TError,
+          Awaited<ReturnType<typeof getAuditEvent>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuditEvent<TData = Awaited<ReturnType<typeof getAuditEvent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuditEvent>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuditEvent>>,
+          TError,
+          Awaited<ReturnType<typeof getAuditEvent>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuditEvent<TData = Awaited<ReturnType<typeof getAuditEvent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuditEvent>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get audit event
+ */
+
+export function useGetAuditEvent<TData = Awaited<ReturnType<typeof getAuditEvent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuditEvent>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetAuditEventQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
diff --git a/web/src/api/generated/auth/auth.ts b/web/src/api/generated/auth/auth.ts
new file mode 100644
index 0000000..dc71bac
--- /dev/null
+++ b/web/src/api/generated/auth/auth.ts
@@ -0,0 +1,2338 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  AssignAuthKeyRoleBody,
+  AuthRole,
+  BreakglassCredentialListResponse,
+  BreakglassLoginRequest,
+  BreakglassSetPasswordRequest,
+  BreakglassSetPasswordResponse,
+  CreateAuthRoleBody,
+  DemoResidualCleanupResponse,
+  GetAuthBootstrap200,
+  GetAuthMe200,
+  GetAuthRole200,
+  GetAuthRuntimeConfig200,
+  GrantAuthRolePermissionBody,
+  ListAuthKeys200,
+  ListAuthPermissions200,
+  ListAuthRoles200,
+  ListAuthUsers200,
+  ListAuthUsersParams,
+  OidcBackChannelLogoutBody,
+  OidcLoginCallbackParams,
+  OidcLoginInitiateParams,
+  PostAuthBootstrap201,
+  PostAuthBootstrapBody,
+  RevokeAuthRolePermissionParams,
+  UpdateAuthRoleBody
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Returns `{available: true}` when CERTCTL_BOOTSTRAP_TOKEN is set
+AND no admin-roled actor exists yet; otherwise `{available: false}`.
+Auth-exempt because it serves the GUI / install one-liner before
+the first admin key has been minted. Bundle 1 Phase 6.
+
+ * @summary Probe whether the day-0 bootstrap endpoint is callable
+ */
+export const getAuthBootstrap = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetAuthBootstrap200>(
+      {url: `/api/v1/auth/bootstrap`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetAuthBootstrapQueryKey = () => {
+    return [
+    `/api/v1/auth/bootstrap`
+    ] as const;
+    }
+
+    
+export const getGetAuthBootstrapQueryOptions = <TData = Awaited<ReturnType<typeof getAuthBootstrap>>, TError = unknown>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthBootstrap>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetAuthBootstrapQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getAuthBootstrap>>> = ({ signal }) => getAuthBootstrap(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getAuthBootstrap>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetAuthBootstrapQueryResult = NonNullable<Awaited<ReturnType<typeof getAuthBootstrap>>>
+export type GetAuthBootstrapQueryError = unknown
+
+
+export function useGetAuthBootstrap<TData = Awaited<ReturnType<typeof getAuthBootstrap>>, TError = unknown>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthBootstrap>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuthBootstrap>>,
+          TError,
+          Awaited<ReturnType<typeof getAuthBootstrap>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuthBootstrap<TData = Awaited<ReturnType<typeof getAuthBootstrap>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthBootstrap>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuthBootstrap>>,
+          TError,
+          Awaited<ReturnType<typeof getAuthBootstrap>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuthBootstrap<TData = Awaited<ReturnType<typeof getAuthBootstrap>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthBootstrap>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Probe whether the day-0 bootstrap endpoint is callable
+ */
+
+export function useGetAuthBootstrap<TData = Awaited<ReturnType<typeof getAuthBootstrap>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthBootstrap>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetAuthBootstrapQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Operator POSTs the CERTCTL_BOOTSTRAP_TOKEN value plus the desired
+admin-key name. Returns the freshly minted plaintext key value
+once; the server stores only the SHA-256 hash. Subsequent calls
+return 410 Gone (the strategy is one-shot AND the admin-existence
+probe re-closes the door once the new admin lands). Auth-exempt
+because the endpoint authenticates via the bootstrap token
+itself. Bundle 1 Phase 6.
+
+ * @summary Mint the first admin API key from a one-shot bootstrap token
+ */
+export const postAuthBootstrap = (
+    postAuthBootstrapBody: PostAuthBootstrapBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<PostAuthBootstrap201>(
+      {url: `/api/v1/auth/bootstrap`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: postAuthBootstrapBody, signal
+    },
+      );
+    }
+  
+
+
+export const getPostAuthBootstrapMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof postAuthBootstrap>>, TError,{data: PostAuthBootstrapBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof postAuthBootstrap>>, TError,{data: PostAuthBootstrapBody}, TContext> => {
+
+const mutationKey = ['postAuthBootstrap'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof postAuthBootstrap>>, {data: PostAuthBootstrapBody}> = (props) => {
+          const {data} = props ?? {};
+
+          return  postAuthBootstrap(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type PostAuthBootstrapMutationResult = NonNullable<Awaited<ReturnType<typeof postAuthBootstrap>>>
+    export type PostAuthBootstrapMutationBody = PostAuthBootstrapBody
+    export type PostAuthBootstrapMutationError = void
+
+    /**
+ * @summary Mint the first admin API key from a one-shot bootstrap token
+ */
+export const usePostAuthBootstrap = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof postAuthBootstrap>>, TError,{data: PostAuthBootstrapBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof postAuthBootstrap>>,
+        TError,
+        {data: PostAuthBootstrapBody},
+        TContext
+      > => {
+
+      const mutationOptions = getPostAuthBootstrapMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns the standing roles + effective permission set for the
+authenticated caller. This is the query the GUI uses to gate
+affordance rendering; /api/v1/auth/check returns the same shape
+on the boot path.
+
+ * @summary Current actor's roles + effective permissions
+ */
+export const getAuthMe = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetAuthMe200>(
+      {url: `/api/v1/auth/me`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetAuthMeQueryKey = () => {
+    return [
+    `/api/v1/auth/me`
+    ] as const;
+    }
+
+    
+export const getGetAuthMeQueryOptions = <TData = Awaited<ReturnType<typeof getAuthMe>>, TError = void>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthMe>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetAuthMeQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getAuthMe>>> = ({ signal }) => getAuthMe(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getAuthMe>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetAuthMeQueryResult = NonNullable<Awaited<ReturnType<typeof getAuthMe>>>
+export type GetAuthMeQueryError = void
+
+
+export function useGetAuthMe<TData = Awaited<ReturnType<typeof getAuthMe>>, TError = void>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthMe>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuthMe>>,
+          TError,
+          Awaited<ReturnType<typeof getAuthMe>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuthMe<TData = Awaited<ReturnType<typeof getAuthMe>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthMe>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuthMe>>,
+          TError,
+          Awaited<ReturnType<typeof getAuthMe>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuthMe<TData = Awaited<ReturnType<typeof getAuthMe>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthMe>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Current actor's roles + effective permissions
+ */
+
+export function useGetAuthMe<TData = Awaited<ReturnType<typeof getAuthMe>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthMe>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetAuthMeQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns every permission name registered in the canonical
+catalogue. Used by the GUI's role editor to populate the
+"grant permission" picker. Permission: `auth.role.list`.
+
+ * @summary List canonical permission catalogue
+ */
+export const listAuthPermissions = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAuthPermissions200>(
+      {url: `/api/v1/auth/permissions`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAuthPermissionsQueryKey = () => {
+    return [
+    `/api/v1/auth/permissions`
+    ] as const;
+    }
+
+    
+export const getListAuthPermissionsQueryOptions = <TData = Awaited<ReturnType<typeof listAuthPermissions>>, TError = void>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthPermissions>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAuthPermissionsQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAuthPermissions>>> = ({ signal }) => listAuthPermissions(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAuthPermissions>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAuthPermissionsQueryResult = NonNullable<Awaited<ReturnType<typeof listAuthPermissions>>>
+export type ListAuthPermissionsQueryError = void
+
+
+export function useListAuthPermissions<TData = Awaited<ReturnType<typeof listAuthPermissions>>, TError = void>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthPermissions>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuthPermissions>>,
+          TError,
+          Awaited<ReturnType<typeof listAuthPermissions>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuthPermissions<TData = Awaited<ReturnType<typeof listAuthPermissions>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthPermissions>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuthPermissions>>,
+          TError,
+          Awaited<ReturnType<typeof listAuthPermissions>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuthPermissions<TData = Awaited<ReturnType<typeof listAuthPermissions>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthPermissions>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List canonical permission catalogue
+ */
+
+export function useListAuthPermissions<TData = Awaited<ReturnType<typeof listAuthPermissions>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthPermissions>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAuthPermissionsQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Permission `auth.role.list`. Returns every role registered for `t-default` (Bundle 1 single-tenant).
+ * @summary List roles for the active tenant
+ */
+export const listAuthRoles = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAuthRoles200>(
+      {url: `/api/v1/auth/roles`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAuthRolesQueryKey = () => {
+    return [
+    `/api/v1/auth/roles`
+    ] as const;
+    }
+
+    
+export const getListAuthRolesQueryOptions = <TData = Awaited<ReturnType<typeof listAuthRoles>>, TError = void>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthRoles>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAuthRolesQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAuthRoles>>> = ({ signal }) => listAuthRoles(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAuthRoles>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAuthRolesQueryResult = NonNullable<Awaited<ReturnType<typeof listAuthRoles>>>
+export type ListAuthRolesQueryError = void
+
+
+export function useListAuthRoles<TData = Awaited<ReturnType<typeof listAuthRoles>>, TError = void>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthRoles>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuthRoles>>,
+          TError,
+          Awaited<ReturnType<typeof listAuthRoles>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuthRoles<TData = Awaited<ReturnType<typeof listAuthRoles>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthRoles>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuthRoles>>,
+          TError,
+          Awaited<ReturnType<typeof listAuthRoles>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuthRoles<TData = Awaited<ReturnType<typeof listAuthRoles>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthRoles>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List roles for the active tenant
+ */
+
+export function useListAuthRoles<TData = Awaited<ReturnType<typeof listAuthRoles>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthRoles>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAuthRolesQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Permission `auth.role.create`. Default roles (`r-admin` / `r-operator` / `r-viewer` / `r-agent` / `r-mcp` / `r-cli` / `r-auditor`) are seeded by migration and immutable.
+ * @summary Create a custom role
+ */
+export const createAuthRole = (
+    createAuthRoleBody: CreateAuthRoleBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<AuthRole>(
+      {url: `/api/v1/auth/roles`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: createAuthRoleBody, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateAuthRoleMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createAuthRole>>, TError,{data: CreateAuthRoleBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createAuthRole>>, TError,{data: CreateAuthRoleBody}, TContext> => {
+
+const mutationKey = ['createAuthRole'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createAuthRole>>, {data: CreateAuthRoleBody}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createAuthRole(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateAuthRoleMutationResult = NonNullable<Awaited<ReturnType<typeof createAuthRole>>>
+    export type CreateAuthRoleMutationBody = CreateAuthRoleBody
+    export type CreateAuthRoleMutationError = void
+
+    /**
+ * @summary Create a custom role
+ */
+export const useCreateAuthRole = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createAuthRole>>, TError,{data: CreateAuthRoleBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createAuthRole>>,
+        TError,
+        {data: CreateAuthRoleBody},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateAuthRoleMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.role.list`.
+ * @summary Get a role and its permissions
+ */
+export const getAuthRole = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetAuthRole200>(
+      {url: `/api/v1/auth/roles/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetAuthRoleQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/auth/roles/${id}`
+    ] as const;
+    }
+
+    
+export const getGetAuthRoleQueryOptions = <TData = Awaited<ReturnType<typeof getAuthRole>>, TError = void>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthRole>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetAuthRoleQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getAuthRole>>> = ({ signal }) => getAuthRole(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getAuthRole>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetAuthRoleQueryResult = NonNullable<Awaited<ReturnType<typeof getAuthRole>>>
+export type GetAuthRoleQueryError = void
+
+
+export function useGetAuthRole<TData = Awaited<ReturnType<typeof getAuthRole>>, TError = void>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthRole>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuthRole>>,
+          TError,
+          Awaited<ReturnType<typeof getAuthRole>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuthRole<TData = Awaited<ReturnType<typeof getAuthRole>>, TError = void>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthRole>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuthRole>>,
+          TError,
+          Awaited<ReturnType<typeof getAuthRole>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuthRole<TData = Awaited<ReturnType<typeof getAuthRole>>, TError = void>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthRole>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get a role and its permissions
+ */
+
+export function useGetAuthRole<TData = Awaited<ReturnType<typeof getAuthRole>>, TError = void>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthRole>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetAuthRoleQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Permission `auth.role.edit`. Default roles cannot be renamed.
+ * @summary Update a custom role's name or description
+ */
+export const updateAuthRole = (
+    id: string,
+    updateAuthRoleBody: UpdateAuthRoleBody,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/roles/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: updateAuthRoleBody
+    },
+      );
+    }
+  
+
+
+export const getUpdateAuthRoleMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateAuthRole>>, TError,{id: string;data: UpdateAuthRoleBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateAuthRole>>, TError,{id: string;data: UpdateAuthRoleBody}, TContext> => {
+
+const mutationKey = ['updateAuthRole'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateAuthRole>>, {id: string;data: UpdateAuthRoleBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateAuthRole(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateAuthRoleMutationResult = NonNullable<Awaited<ReturnType<typeof updateAuthRole>>>
+    export type UpdateAuthRoleMutationBody = UpdateAuthRoleBody
+    export type UpdateAuthRoleMutationError = void
+
+    /**
+ * @summary Update a custom role's name or description
+ */
+export const useUpdateAuthRole = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateAuthRole>>, TError,{id: string;data: UpdateAuthRoleBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateAuthRole>>,
+        TError,
+        {id: string;data: UpdateAuthRoleBody},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateAuthRoleMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.role.delete`. Fails with 409 when actors still hold the role (FK ON DELETE RESTRICT).
+ * @summary Delete a custom role
+ */
+export const deleteAuthRole = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/roles/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteAuthRoleMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteAuthRole>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteAuthRole>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteAuthRole'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteAuthRole>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteAuthRole(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteAuthRoleMutationResult = NonNullable<Awaited<ReturnType<typeof deleteAuthRole>>>
+    
+    export type DeleteAuthRoleMutationError = void
+
+    /**
+ * @summary Delete a custom role
+ */
+export const useDeleteAuthRole = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteAuthRole>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteAuthRole>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteAuthRoleMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.role.edit`. ScopeType defaults to `global`; per-profile / per-issuer scopes require ScopeID.
+ * @summary Grant a permission to a role at a scope
+ */
+export const grantAuthRolePermission = (
+    id: string,
+    grantAuthRolePermissionBody: GrantAuthRolePermissionBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/roles/${id}/permissions`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: grantAuthRolePermissionBody, signal
+    },
+      );
+    }
+  
+
+
+export const getGrantAuthRolePermissionMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof grantAuthRolePermission>>, TError,{id: string;data: GrantAuthRolePermissionBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof grantAuthRolePermission>>, TError,{id: string;data: GrantAuthRolePermissionBody}, TContext> => {
+
+const mutationKey = ['grantAuthRolePermission'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof grantAuthRolePermission>>, {id: string;data: GrantAuthRolePermissionBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  grantAuthRolePermission(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type GrantAuthRolePermissionMutationResult = NonNullable<Awaited<ReturnType<typeof grantAuthRolePermission>>>
+    export type GrantAuthRolePermissionMutationBody = GrantAuthRolePermissionBody
+    export type GrantAuthRolePermissionMutationError = void
+
+    /**
+ * @summary Grant a permission to a role at a scope
+ */
+export const useGrantAuthRolePermission = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof grantAuthRolePermission>>, TError,{id: string;data: GrantAuthRolePermissionBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof grantAuthRolePermission>>,
+        TError,
+        {id: string;data: GrantAuthRolePermissionBody},
+        TContext
+      > => {
+
+      const mutationOptions = getGrantAuthRolePermissionMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.role.edit`.
+ * @summary Revoke a permission from a role
+ */
+export const revokeAuthRolePermission = (
+    id: string,
+    perm: string,
+    params?: RevokeAuthRolePermissionParams,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/roles/${id}/permissions/${perm}`, method: 'DELETE',
+        params
+    },
+      );
+    }
+  
+
+
+export const getRevokeAuthRolePermissionMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof revokeAuthRolePermission>>, TError,{id: string;perm: string;params?: RevokeAuthRolePermissionParams}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof revokeAuthRolePermission>>, TError,{id: string;perm: string;params?: RevokeAuthRolePermissionParams}, TContext> => {
+
+const mutationKey = ['revokeAuthRolePermission'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof revokeAuthRolePermission>>, {id: string;perm: string;params?: RevokeAuthRolePermissionParams}> = (props) => {
+          const {id,perm,params} = props ?? {};
+
+          return  revokeAuthRolePermission(id,perm,params,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RevokeAuthRolePermissionMutationResult = NonNullable<Awaited<ReturnType<typeof revokeAuthRolePermission>>>
+    
+    export type RevokeAuthRolePermissionMutationError = void
+
+    /**
+ * @summary Revoke a permission from a role
+ */
+export const useRevokeAuthRolePermission = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof revokeAuthRolePermission>>, TError,{id: string;perm: string;params?: RevokeAuthRolePermissionParams}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof revokeAuthRolePermission>>,
+        TError,
+        {id: string;perm: string;params?: RevokeAuthRolePermissionParams},
+        TContext
+      > => {
+
+      const mutationOptions = getRevokeAuthRolePermissionMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns every distinct (actor_id, actor_type) pair in the
+tenant that holds at least one role grant. Bundle 1 Phase 7
+ships this so the CLI's `auth keys list` and scope-down helper
+can enumerate the operator-key population without joining
+against the env-var-loaded namedKeys directly. Permission
+`auth.role.list`.
+
+ * @summary List actors with role grants in the active tenant
+ */
+export const listAuthKeys = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAuthKeys200>(
+      {url: `/api/v1/auth/keys`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAuthKeysQueryKey = () => {
+    return [
+    `/api/v1/auth/keys`
+    ] as const;
+    }
+
+    
+export const getListAuthKeysQueryOptions = <TData = Awaited<ReturnType<typeof listAuthKeys>>, TError = void>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthKeys>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAuthKeysQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAuthKeys>>> = ({ signal }) => listAuthKeys(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAuthKeys>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAuthKeysQueryResult = NonNullable<Awaited<ReturnType<typeof listAuthKeys>>>
+export type ListAuthKeysQueryError = void
+
+
+export function useListAuthKeys<TData = Awaited<ReturnType<typeof listAuthKeys>>, TError = void>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthKeys>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuthKeys>>,
+          TError,
+          Awaited<ReturnType<typeof listAuthKeys>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuthKeys<TData = Awaited<ReturnType<typeof listAuthKeys>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthKeys>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuthKeys>>,
+          TError,
+          Awaited<ReturnType<typeof listAuthKeys>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuthKeys<TData = Awaited<ReturnType<typeof listAuthKeys>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthKeys>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List actors with role grants in the active tenant
+ */
+
+export function useListAuthKeys<TData = Awaited<ReturnType<typeof listAuthKeys>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthKeys>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAuthKeysQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Permission `auth.role.assign`. The reserved `actor-demo-anon` actor cannot be re-assigned.
+ * @summary Assign a role to an API key
+ */
+export const assignAuthKeyRole = (
+    id: string,
+    assignAuthKeyRoleBody: AssignAuthKeyRoleBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/keys/${id}/roles`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: assignAuthKeyRoleBody, signal
+    },
+      );
+    }
+  
+
+
+export const getAssignAuthKeyRoleMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof assignAuthKeyRole>>, TError,{id: string;data: AssignAuthKeyRoleBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof assignAuthKeyRole>>, TError,{id: string;data: AssignAuthKeyRoleBody}, TContext> => {
+
+const mutationKey = ['assignAuthKeyRole'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof assignAuthKeyRole>>, {id: string;data: AssignAuthKeyRoleBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  assignAuthKeyRole(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type AssignAuthKeyRoleMutationResult = NonNullable<Awaited<ReturnType<typeof assignAuthKeyRole>>>
+    export type AssignAuthKeyRoleMutationBody = AssignAuthKeyRoleBody
+    export type AssignAuthKeyRoleMutationError = void
+
+    /**
+ * @summary Assign a role to an API key
+ */
+export const useAssignAuthKeyRole = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof assignAuthKeyRole>>, TError,{id: string;data: AssignAuthKeyRoleBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof assignAuthKeyRole>>,
+        TError,
+        {id: string;data: AssignAuthKeyRoleBody},
+        TContext
+      > => {
+
+      const mutationOptions = getAssignAuthKeyRoleMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.role.assign`. Revoking the synthetic `actor-demo-anon` admin grant is rejected.
+ * @summary Revoke a role from an API key
+ */
+export const revokeAuthKeyRole = (
+    id: string,
+    roleId: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/keys/${id}/roles/${roleId}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getRevokeAuthKeyRoleMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof revokeAuthKeyRole>>, TError,{id: string;roleId: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof revokeAuthKeyRole>>, TError,{id: string;roleId: string}, TContext> => {
+
+const mutationKey = ['revokeAuthKeyRole'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof revokeAuthKeyRole>>, {id: string;roleId: string}> = (props) => {
+          const {id,roleId} = props ?? {};
+
+          return  revokeAuthKeyRole(id,roleId,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RevokeAuthKeyRoleMutationResult = NonNullable<Awaited<ReturnType<typeof revokeAuthKeyRole>>>
+    
+    export type RevokeAuthKeyRoleMutationError = void
+
+    /**
+ * @summary Revoke a role from an API key
+ */
+export const useRevokeAuthKeyRole = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof revokeAuthKeyRole>>, TError,{id: string;roleId: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof revokeAuthKeyRole>>,
+        TError,
+        {id: string;roleId: string},
+        TContext
+      > => {
+
+      const mutationOptions = getRevokeAuthKeyRoleMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.breakglass.admin`. Audit 2026-05-10 CRIT-4
+closure — backs the GUI Break-glass admin page. The password
+hash is NEVER serialized to the wire; only the credential
+metadata.
+
+Returns 404 when `CERTCTL_BREAKGLASS_ENABLED=false` (surface-
+invisibility: an attacker probing the admin surface gets the
+same signal as probing the login endpoint).
+
+ * @summary List break-glass credentials (metadata only — never the password hash)
+ */
+export const listBreakglassCredentials = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<BreakglassCredentialListResponse>(
+      {url: `/api/v1/auth/breakglass/credentials`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListBreakglassCredentialsQueryKey = () => {
+    return [
+    `/api/v1/auth/breakglass/credentials`
+    ] as const;
+    }
+
+    
+export const getListBreakglassCredentialsQueryOptions = <TData = Awaited<ReturnType<typeof listBreakglassCredentials>>, TError = void>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listBreakglassCredentials>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListBreakglassCredentialsQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listBreakglassCredentials>>> = ({ signal }) => listBreakglassCredentials(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listBreakglassCredentials>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListBreakglassCredentialsQueryResult = NonNullable<Awaited<ReturnType<typeof listBreakglassCredentials>>>
+export type ListBreakglassCredentialsQueryError = void
+
+
+export function useListBreakglassCredentials<TData = Awaited<ReturnType<typeof listBreakglassCredentials>>, TError = void>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listBreakglassCredentials>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listBreakglassCredentials>>,
+          TError,
+          Awaited<ReturnType<typeof listBreakglassCredentials>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListBreakglassCredentials<TData = Awaited<ReturnType<typeof listBreakglassCredentials>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listBreakglassCredentials>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listBreakglassCredentials>>,
+          TError,
+          Awaited<ReturnType<typeof listBreakglassCredentials>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListBreakglassCredentials<TData = Awaited<ReturnType<typeof listBreakglassCredentials>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listBreakglassCredentials>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List break-glass credentials (metadata only — never the password hash)
+ */
+
+export function useListBreakglassCredentials<TData = Awaited<ReturnType<typeof listBreakglassCredentials>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listBreakglassCredentials>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListBreakglassCredentialsQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Permission `auth.breakglass.admin`. Creates or rotates a
+break-glass credential for the named `actor_id`. Password
+strength is validated by the service (min 12 bytes, max 256
+bytes); weak passwords return 400.
+
+Returns 404 when `CERTCTL_BREAKGLASS_ENABLED=false`.
+
+ * @summary Set a break-glass password for an actor
+ */
+export const setBreakglassPassword = (
+    breakglassSetPasswordRequest: BreakglassSetPasswordRequest,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<BreakglassSetPasswordResponse>(
+      {url: `/api/v1/auth/breakglass/credentials`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: breakglassSetPasswordRequest, signal
+    },
+      );
+    }
+  
+
+
+export const getSetBreakglassPasswordMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof setBreakglassPassword>>, TError,{data: BreakglassSetPasswordRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof setBreakglassPassword>>, TError,{data: BreakglassSetPasswordRequest}, TContext> => {
+
+const mutationKey = ['setBreakglassPassword'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof setBreakglassPassword>>, {data: BreakglassSetPasswordRequest}> = (props) => {
+          const {data} = props ?? {};
+
+          return  setBreakglassPassword(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type SetBreakglassPasswordMutationResult = NonNullable<Awaited<ReturnType<typeof setBreakglassPassword>>>
+    export type SetBreakglassPasswordMutationBody = BreakglassSetPasswordRequest
+    export type SetBreakglassPasswordMutationError = void
+
+    /**
+ * @summary Set a break-glass password for an actor
+ */
+export const useSetBreakglassPassword = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof setBreakglassPassword>>, TError,{data: BreakglassSetPasswordRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof setBreakglassPassword>>,
+        TError,
+        {data: BreakglassSetPasswordRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getSetBreakglassPasswordMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.breakglass.admin`. Returns 404 when
+`CERTCTL_BREAKGLASS_ENABLED=false` OR when the credential
+doesn't exist.
+
+ * @summary Remove a break-glass credential
+ */
+export const removeBreakglassCredential = (
+    actorId: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/breakglass/credentials/${actorId}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getRemoveBreakglassCredentialMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof removeBreakglassCredential>>, TError,{actorId: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof removeBreakglassCredential>>, TError,{actorId: string}, TContext> => {
+
+const mutationKey = ['removeBreakglassCredential'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof removeBreakglassCredential>>, {actorId: string}> = (props) => {
+          const {actorId} = props ?? {};
+
+          return  removeBreakglassCredential(actorId,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RemoveBreakglassCredentialMutationResult = NonNullable<Awaited<ReturnType<typeof removeBreakglassCredential>>>
+    
+    export type RemoveBreakglassCredentialMutationError = void
+
+    /**
+ * @summary Remove a break-glass credential
+ */
+export const useRemoveBreakglassCredential = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof removeBreakglassCredential>>, TError,{actorId: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof removeBreakglassCredential>>,
+        TError,
+        {actorId: string},
+        TContext
+      > => {
+
+      const mutationOptions = getRemoveBreakglassCredentialMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.breakglass.admin`. Resets the failure counter
+and clears any active lockout on the named credential so the
+actor can attempt to log in again after the configured
+lockout window has elapsed organically OR an admin unblocks
+them early.
+
+Returns 404 when `CERTCTL_BREAKGLASS_ENABLED=false` OR when
+the credential doesn't exist.
+
+ * @summary Clear the lockout on a break-glass credential
+ */
+export const unlockBreakglassCredential = (
+    actorId: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/breakglass/credentials/${actorId}/unlock`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getUnlockBreakglassCredentialMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof unlockBreakglassCredential>>, TError,{actorId: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof unlockBreakglassCredential>>, TError,{actorId: string}, TContext> => {
+
+const mutationKey = ['unlockBreakglassCredential'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof unlockBreakglassCredential>>, {actorId: string}> = (props) => {
+          const {actorId} = props ?? {};
+
+          return  unlockBreakglassCredential(actorId,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UnlockBreakglassCredentialMutationResult = NonNullable<Awaited<ReturnType<typeof unlockBreakglassCredential>>>
+    
+    export type UnlockBreakglassCredentialMutationError = void
+
+    /**
+ * @summary Clear the lockout on a break-glass credential
+ */
+export const useUnlockBreakglassCredential = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof unlockBreakglassCredential>>, TError,{actorId: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof unlockBreakglassCredential>>,
+        TError,
+        {actorId: string},
+        TContext
+      > => {
+
+      const mutationOptions = getUnlockBreakglassCredentialMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.user.read`. Audit 2026-05-10 MED-11 +
+2026-05-11 A-2 — backs the admin GUI Users page. Pagination is
+not server-side; the repository's `ListAll` returns every row
+and the handler filters client-side. Optional
+`oidc_provider_id` query parameter scopes the list to users
+federated from one provider.
+
+ * @summary List federated users for the active tenant
+ */
+export const listAuthUsers = (
+    params?: ListAuthUsersParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAuthUsers200>(
+      {url: `/api/v1/auth/users`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAuthUsersQueryKey = (params?: ListAuthUsersParams,) => {
+    return [
+    `/api/v1/auth/users`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListAuthUsersQueryOptions = <TData = Awaited<ReturnType<typeof listAuthUsers>>, TError = void>(params?: ListAuthUsersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthUsers>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAuthUsersQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAuthUsers>>> = ({ signal }) => listAuthUsers(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAuthUsers>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAuthUsersQueryResult = NonNullable<Awaited<ReturnType<typeof listAuthUsers>>>
+export type ListAuthUsersQueryError = void
+
+
+export function useListAuthUsers<TData = Awaited<ReturnType<typeof listAuthUsers>>, TError = void>(
+ params: undefined |  ListAuthUsersParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthUsers>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuthUsers>>,
+          TError,
+          Awaited<ReturnType<typeof listAuthUsers>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuthUsers<TData = Awaited<ReturnType<typeof listAuthUsers>>, TError = void>(
+ params?: ListAuthUsersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthUsers>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuthUsers>>,
+          TError,
+          Awaited<ReturnType<typeof listAuthUsers>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuthUsers<TData = Awaited<ReturnType<typeof listAuthUsers>>, TError = void>(
+ params?: ListAuthUsersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthUsers>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List federated users for the active tenant
+ */
+
+export function useListAuthUsers<TData = Awaited<ReturnType<typeof listAuthUsers>>, TError = void>(
+ params?: ListAuthUsersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthUsers>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAuthUsersQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Permission `auth.user.deactivate`. Audit 2026-05-11 A-2 — the
+handler rejects self-deactivation with 409 to prevent the
+"admin deactivates self, can't reactivate themselves" foot-gun
+(break-glass remains the recovery path).
+
+ * @summary Deactivate a user (sets deactivated_at + cascade-revokes active sessions)
+ */
+export const deactivateAuthUser = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/users/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeactivateAuthUserMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deactivateAuthUser>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deactivateAuthUser>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deactivateAuthUser'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deactivateAuthUser>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deactivateAuthUser(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeactivateAuthUserMutationResult = NonNullable<Awaited<ReturnType<typeof deactivateAuthUser>>>
+    
+    export type DeactivateAuthUserMutationError = void
+
+    /**
+ * @summary Deactivate a user (sets deactivated_at + cascade-revokes active sessions)
+ */
+export const useDeactivateAuthUser = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deactivateAuthUser>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deactivateAuthUser>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeactivateAuthUserMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.user.deactivate` (same gate as the inverse
+op — reactivation is not a separate privilege). Idempotent:
+reactivating an already-active user is a no-op (204).
+
+ * @summary Reactivate a previously-deactivated user
+ */
+export const reactivateAuthUser = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/users/${id}/reactivate`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getReactivateAuthUserMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof reactivateAuthUser>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof reactivateAuthUser>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['reactivateAuthUser'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof reactivateAuthUser>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  reactivateAuthUser(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ReactivateAuthUserMutationResult = NonNullable<Awaited<ReturnType<typeof reactivateAuthUser>>>
+    
+    export type ReactivateAuthUserMutationError = void
+
+    /**
+ * @summary Reactivate a previously-deactivated user
+ */
+export const useReactivateAuthUser = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof reactivateAuthUser>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof reactivateAuthUser>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getReactivateAuthUserMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.role.assign` (admin-class). Removes the
+leftover `actor_roles` rows for the synthetic `actor-demo-anon`
+actor after the operator has flipped `CERTCTL_AUTH_TYPE` away
+from `none` (demo mode). Idempotent: subsequent invocations
+return `removed: 0`.
+
+Refuses (503) when the server is currently in demo mode —
+the `actor-demo-anon` grants ARE the active runtime state at
+`auth_type=none`, so "cleaning them up" would lock the operator
+out of the live admin surface. The GUI hides the action button
+when `/api/v1/auth/info` reports `auth_type=none`; this guard
+is defense-in-depth.
+
+ * @summary Remove residual `actor-demo-anon` role grants after exiting demo mode
+ */
+export const cleanupDemoResidualGrants = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<DemoResidualCleanupResponse>(
+      {url: `/api/v1/auth/demo-residual/cleanup`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getCleanupDemoResidualGrantsMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof cleanupDemoResidualGrants>>, TError,void, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof cleanupDemoResidualGrants>>, TError,void, TContext> => {
+
+const mutationKey = ['cleanupDemoResidualGrants'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof cleanupDemoResidualGrants>>, void> = () => {
+          
+
+          return  cleanupDemoResidualGrants()
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CleanupDemoResidualGrantsMutationResult = NonNullable<Awaited<ReturnType<typeof cleanupDemoResidualGrants>>>
+    
+    export type CleanupDemoResidualGrantsMutationError = void
+
+    /**
+ * @summary Remove residual `actor-demo-anon` role grants after exiting demo mode
+ */
+export const useCleanupDemoResidualGrants = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof cleanupDemoResidualGrants>>, TError,void, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof cleanupDemoResidualGrants>>,
+        TError,
+        void,
+        TContext
+      > => {
+
+      const mutationOptions = getCleanupDemoResidualGrantsMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Auth-exempt at the router (the session cookie is validated
+inside the handler). Reads `certctl_session` cookie, validates
++ revokes the underlying session row, rotates the CSRF token
+on the actor's other sessions (Audit 2026-05-11 Fix 13 / HIGH-2
+fourth call site), clears the session + CSRF cookies, returns
+204.
+
+Idempotent: when no valid session cookie is presented the
+handler clears any stale cookies and returns 204 without
+side-effects.
+
+ * @summary Revoke the caller's current session
+ */
+export const logoutCurrentSession = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/auth/logout`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getLogoutCurrentSessionMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof logoutCurrentSession>>, TError,void, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof logoutCurrentSession>>, TError,void, TContext> => {
+
+const mutationKey = ['logoutCurrentSession'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof logoutCurrentSession>>, void> = () => {
+          
+
+          return  logoutCurrentSession()
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type LogoutCurrentSessionMutationResult = NonNullable<Awaited<ReturnType<typeof logoutCurrentSession>>>
+    
+    export type LogoutCurrentSessionMutationError = void
+
+    /**
+ * @summary Revoke the caller's current session
+ */
+export const useLogoutCurrentSession = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof logoutCurrentSession>>, TError,void, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof logoutCurrentSession>>,
+        TError,
+        void,
+        TContext
+      > => {
+
+      const mutationOptions = getLogoutCurrentSessionMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Auth-bypass — the whole point is to log in WITHOUT existing
+certctl credentials. On success, sets the post-login session
+cookie + CSRF cookie and returns 204. On any failure (wrong
+password, locked account, no credential, unknown actor):
+uniform 401 + identical timing (no scanner-friendly
+distinction).
+
+Returns 404 when `CERTCTL_BREAKGLASS_ENABLED=false` (surface
+invisibility — Phase 7.5 spec).
+
+Rate-limited per source IP (default 5 attempts/min/IP;
+configurable via `CERTCTL_RATE_LIMIT_BACKEND` + the
+constructor in cmd/server/main.go). Exceeded budget returns
+429 with no body.
+
+ * @summary Local password login for emergency admin recovery
+ */
+export const breakglassLogin = (
+    breakglassLoginRequest: BreakglassLoginRequest,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/auth/breakglass/login`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: breakglassLoginRequest, signal
+    },
+      );
+    }
+  
+
+
+export const getBreakglassLoginMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof breakglassLogin>>, TError,{data: BreakglassLoginRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof breakglassLogin>>, TError,{data: BreakglassLoginRequest}, TContext> => {
+
+const mutationKey = ['breakglassLogin'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof breakglassLogin>>, {data: BreakglassLoginRequest}> = (props) => {
+          const {data} = props ?? {};
+
+          return  breakglassLogin(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type BreakglassLoginMutationResult = NonNullable<Awaited<ReturnType<typeof breakglassLogin>>>
+    export type BreakglassLoginMutationBody = BreakglassLoginRequest
+    export type BreakglassLoginMutationError = void
+
+    /**
+ * @summary Local password login for emergency admin recovery
+ */
+export const useBreakglassLogin = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof breakglassLogin>>, TError,{data: BreakglassLoginRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof breakglassLogin>>,
+        TError,
+        {data: BreakglassLoginRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getBreakglassLoginMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Auth-exempt — pre-auth by definition. Browser-flow endpoint:
+the response is a 302 with `Location:` pointing at the
+configured provider's authorization URL, NOT a JSON response.
+Consumers MUST follow the redirect for the flow to complete.
+
+On success: persists a pre-login row capturing the state +
+nonce + PKCE-S256 verifier, sets the `certctl_oidc_pending`
+cookie (HttpOnly, SameSite=Lax, 10-minute lifetime, `__Host-`
+prefix), and 302-redirects to the IdP. The cookie is consumed
++ cleared by `/auth/oidc/callback`.
+
+Audit 2026-05-10 MED-16 — the pre-login row captures the
+client IP + User-Agent at this step so the callback handler
+can reject a stolen cookie replayed from a different browser
+or source.
+
+ * @summary Browser-flow — start an OIDC login; 302 to IdP authorization URL
+ */
+export const oidcLoginInitiate = (
+    params: OidcLoginInitiateParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<unknown>(
+      {url: `/auth/oidc/login`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getOidcLoginInitiateQueryKey = (params?: OidcLoginInitiateParams,) => {
+    return [
+    `/auth/oidc/login`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getOidcLoginInitiateQueryOptions = <TData = Awaited<ReturnType<typeof oidcLoginInitiate>>, TError = void>(params: OidcLoginInitiateParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof oidcLoginInitiate>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getOidcLoginInitiateQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof oidcLoginInitiate>>> = ({ signal }) => oidcLoginInitiate(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof oidcLoginInitiate>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type OidcLoginInitiateQueryResult = NonNullable<Awaited<ReturnType<typeof oidcLoginInitiate>>>
+export type OidcLoginInitiateQueryError = void
+
+
+export function useOidcLoginInitiate<TData = Awaited<ReturnType<typeof oidcLoginInitiate>>, TError = void>(
+ params: OidcLoginInitiateParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof oidcLoginInitiate>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof oidcLoginInitiate>>,
+          TError,
+          Awaited<ReturnType<typeof oidcLoginInitiate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useOidcLoginInitiate<TData = Awaited<ReturnType<typeof oidcLoginInitiate>>, TError = void>(
+ params: OidcLoginInitiateParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof oidcLoginInitiate>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof oidcLoginInitiate>>,
+          TError,
+          Awaited<ReturnType<typeof oidcLoginInitiate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useOidcLoginInitiate<TData = Awaited<ReturnType<typeof oidcLoginInitiate>>, TError = void>(
+ params: OidcLoginInitiateParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof oidcLoginInitiate>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Browser-flow — start an OIDC login; 302 to IdP authorization URL
+ */
+
+export function useOidcLoginInitiate<TData = Awaited<ReturnType<typeof oidcLoginInitiate>>, TError = void>(
+ params: OidcLoginInitiateParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof oidcLoginInitiate>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getOidcLoginInitiateQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Auth-exempt — pre-auth by definition (the cookie + state are
+validated inside the handler). Browser-flow endpoint: the
+success response is a 302 with `Location:` pointing at the
+configured `postLoginURL` (default `/`), NOT a JSON response.
+
+Reads the `certctl_oidc_pending` pre-login cookie, drives the
+OIDC service's 11-step token validation (sig + iss + aud +
+nonce + at_hash + iat + jti + sub + group-claim resolution +
+role-mapping + user-upsert), mints a post-login session,
+deletes the pre-login cookie, sets the post-login session +
+CSRF cookies, and 302's to the dashboard.
+
+Failure responses are ALSO 302 — to `/login?error=oidc_failed&reason=<category>`
+— so the SPA can render an operator-friendly alert without
+the browser seeing a raw 400. The audit row carries the
+specific failure category server-side.
+
+ * @summary Browser-flow — consume IdP authorization response; 302 to post-login URL
+ */
+export const oidcLoginCallback = (
+    params: OidcLoginCallbackParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<unknown>(
+      {url: `/auth/oidc/callback`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getOidcLoginCallbackQueryKey = (params?: OidcLoginCallbackParams,) => {
+    return [
+    `/auth/oidc/callback`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getOidcLoginCallbackQueryOptions = <TData = Awaited<ReturnType<typeof oidcLoginCallback>>, TError = void>(params: OidcLoginCallbackParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof oidcLoginCallback>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getOidcLoginCallbackQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof oidcLoginCallback>>> = ({ signal }) => oidcLoginCallback(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof oidcLoginCallback>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type OidcLoginCallbackQueryResult = NonNullable<Awaited<ReturnType<typeof oidcLoginCallback>>>
+export type OidcLoginCallbackQueryError = void
+
+
+export function useOidcLoginCallback<TData = Awaited<ReturnType<typeof oidcLoginCallback>>, TError = void>(
+ params: OidcLoginCallbackParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof oidcLoginCallback>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof oidcLoginCallback>>,
+          TError,
+          Awaited<ReturnType<typeof oidcLoginCallback>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useOidcLoginCallback<TData = Awaited<ReturnType<typeof oidcLoginCallback>>, TError = void>(
+ params: OidcLoginCallbackParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof oidcLoginCallback>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof oidcLoginCallback>>,
+          TError,
+          Awaited<ReturnType<typeof oidcLoginCallback>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useOidcLoginCallback<TData = Awaited<ReturnType<typeof oidcLoginCallback>>, TError = void>(
+ params: OidcLoginCallbackParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof oidcLoginCallback>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Browser-flow — consume IdP authorization response; 302 to post-login URL
+ */
+
+export function useOidcLoginCallback<TData = Awaited<ReturnType<typeof oidcLoginCallback>>, TError = void>(
+ params: OidcLoginCallbackParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof oidcLoginCallback>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getOidcLoginCallbackQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Auth via the IdP-signed `logout_token` JWT in the form body —
+NOT certctl-issued credentials, so `security: []`. Spec
+reference: OpenID Connect Back-Channel Logout 1.0 §2.6.
+
+Validates the logout token against the matched provider's
+JWKS (signature + alg-allowlist + iat-skew window + jti
+consumed-set + required claims: iss, aud, iat, jti, events;
+exactly one of sub or sid; nonce MUST be absent), revokes
+every matching session, returns 200 with `Cache-Control:
+no-store`.
+
+Any validation failure returns 400 — uniform wire shape per
+spec §2.6. The audit row carries the specific reason.
+Replayed jti (RFC 9700 §2.7) returns 200 with audit
+outcome=jti_replayed (idempotent re-receive of a logout
+is harmless).
+
+ * @summary IdP-initiated session revocation via OIDC Back-Channel Logout 1.0
+ */
+export const oidcBackChannelLogout = (
+    oidcBackChannelLogoutBody: OidcBackChannelLogoutBody,
+ signal?: AbortSignal
+) => {
+      
+      const formUrlEncoded = new URLSearchParams();
+formUrlEncoded.append(`logout_token`, oidcBackChannelLogoutBody.logout_token)
+
+      return certctlFetch<void>(
+      {url: `/auth/oidc/back-channel-logout`, method: 'POST',
+      headers: {'Content-Type': 'application/x-www-form-urlencoded', },
+       data: formUrlEncoded, signal
+    },
+      );
+    }
+  
+
+
+export const getOidcBackChannelLogoutMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof oidcBackChannelLogout>>, TError,{data: OidcBackChannelLogoutBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof oidcBackChannelLogout>>, TError,{data: OidcBackChannelLogoutBody}, TContext> => {
+
+const mutationKey = ['oidcBackChannelLogout'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof oidcBackChannelLogout>>, {data: OidcBackChannelLogoutBody}> = (props) => {
+          const {data} = props ?? {};
+
+          return  oidcBackChannelLogout(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type OidcBackChannelLogoutMutationResult = NonNullable<Awaited<ReturnType<typeof oidcBackChannelLogout>>>
+    export type OidcBackChannelLogoutMutationBody = OidcBackChannelLogoutBody
+    export type OidcBackChannelLogoutMutationError = void
+
+    /**
+ * @summary IdP-initiated session revocation via OIDC Back-Channel Logout 1.0
+ */
+export const useOidcBackChannelLogout = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof oidcBackChannelLogout>>, TError,{data: OidcBackChannelLogoutBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof oidcBackChannelLogout>>,
+        TError,
+        {data: OidcBackChannelLogoutBody},
+        TContext
+      > => {
+
+      const mutationOptions = getOidcBackChannelLogoutMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.role.assign` (admin-class — gated tighter
+than `auth.user.read` so non-admins can't enumerate the
+deployment's auth knobs). Audit 2026-05-10 MED-12 — backs the
+GUI AuthSettings page so operators can verify the deployed
+configuration matches their intent from the browser without
+SSH access to the host.
+
+Read-only — no mutation surface. Config changes require a
+restart + env-var edit by design.
+
+ * @summary Read the deployed auth-related runtime configuration
+ */
+export const getAuthRuntimeConfig = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetAuthRuntimeConfig200>(
+      {url: `/api/v1/auth/runtime-config`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetAuthRuntimeConfigQueryKey = () => {
+    return [
+    `/api/v1/auth/runtime-config`
+    ] as const;
+    }
+
+    
+export const getGetAuthRuntimeConfigQueryOptions = <TData = Awaited<ReturnType<typeof getAuthRuntimeConfig>>, TError = void>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthRuntimeConfig>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetAuthRuntimeConfigQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getAuthRuntimeConfig>>> = ({ signal }) => getAuthRuntimeConfig(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getAuthRuntimeConfig>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetAuthRuntimeConfigQueryResult = NonNullable<Awaited<ReturnType<typeof getAuthRuntimeConfig>>>
+export type GetAuthRuntimeConfigQueryError = void
+
+
+export function useGetAuthRuntimeConfig<TData = Awaited<ReturnType<typeof getAuthRuntimeConfig>>, TError = void>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthRuntimeConfig>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuthRuntimeConfig>>,
+          TError,
+          Awaited<ReturnType<typeof getAuthRuntimeConfig>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuthRuntimeConfig<TData = Awaited<ReturnType<typeof getAuthRuntimeConfig>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthRuntimeConfig>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuthRuntimeConfig>>,
+          TError,
+          Awaited<ReturnType<typeof getAuthRuntimeConfig>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuthRuntimeConfig<TData = Awaited<ReturnType<typeof getAuthRuntimeConfig>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthRuntimeConfig>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Read the deployed auth-related runtime configuration
+ */
+
+export function useGetAuthRuntimeConfig<TData = Awaited<ReturnType<typeof getAuthRuntimeConfig>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthRuntimeConfig>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetAuthRuntimeConfigQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
diff --git a/web/src/api/generated/certificates/certificates.ts b/web/src/api/generated/certificates/certificates.ts
new file mode 100644
index 0000000..e13d341
--- /dev/null
+++ b/web/src/api/generated/certificates/certificates.ts
@@ -0,0 +1,1214 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  BulkReassignRequest,
+  BulkReassignResult,
+  BulkRenewRequest,
+  BulkRenewResult,
+  BulkRevokeRequest,
+  BulkRevokeResult,
+  ConflictResponse,
+  ExportCertificatePEM200One,
+  ExportCertificatePEMParams,
+  ExportCertificatePKCS12Body,
+  GetCertificateDeployments200,
+  InternalErrorResponse,
+  ListCertificateVersions200,
+  ListCertificateVersionsParams,
+  ListCertificates200,
+  ListCertificatesParams,
+  ManagedCertificate,
+  NotFoundResponse,
+  RevokeCertificateBody,
+  StatusResponse,
+  TriggerDeploymentBody
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List certificates
+ */
+export const listCertificates = (
+    params?: ListCertificatesParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListCertificates200>(
+      {url: `/api/v1/certificates`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListCertificatesQueryKey = (params?: ListCertificatesParams,) => {
+    return [
+    `/api/v1/certificates`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListCertificatesQueryOptions = <TData = Awaited<ReturnType<typeof listCertificates>>, TError = InternalErrorResponse>(params?: ListCertificatesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCertificates>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListCertificatesQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listCertificates>>> = ({ signal }) => listCertificates(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listCertificates>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListCertificatesQueryResult = NonNullable<Awaited<ReturnType<typeof listCertificates>>>
+export type ListCertificatesQueryError = InternalErrorResponse
+
+
+export function useListCertificates<TData = Awaited<ReturnType<typeof listCertificates>>, TError = InternalErrorResponse>(
+ params: undefined |  ListCertificatesParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCertificates>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listCertificates>>,
+          TError,
+          Awaited<ReturnType<typeof listCertificates>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListCertificates<TData = Awaited<ReturnType<typeof listCertificates>>, TError = InternalErrorResponse>(
+ params?: ListCertificatesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCertificates>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listCertificates>>,
+          TError,
+          Awaited<ReturnType<typeof listCertificates>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListCertificates<TData = Awaited<ReturnType<typeof listCertificates>>, TError = InternalErrorResponse>(
+ params?: ListCertificatesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCertificates>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List certificates
+ */
+
+export function useListCertificates<TData = Awaited<ReturnType<typeof listCertificates>>, TError = InternalErrorResponse>(
+ params?: ListCertificatesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCertificates>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListCertificatesQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Create certificate
+ */
+export const createCertificate = (
+    managedCertificate: ManagedCertificate,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ManagedCertificate>(
+      {url: `/api/v1/certificates`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: managedCertificate, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateCertificateMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createCertificate>>, TError,{data: ManagedCertificate}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createCertificate>>, TError,{data: ManagedCertificate}, TContext> => {
+
+const mutationKey = ['createCertificate'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createCertificate>>, {data: ManagedCertificate}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createCertificate(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateCertificateMutationResult = NonNullable<Awaited<ReturnType<typeof createCertificate>>>
+    export type CreateCertificateMutationBody = ManagedCertificate
+    export type CreateCertificateMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create certificate
+ */
+export const useCreateCertificate = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createCertificate>>, TError,{data: ManagedCertificate}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createCertificate>>,
+        TError,
+        {data: ManagedCertificate},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateCertificateMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Get certificate
+ */
+export const getCertificate = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ManagedCertificate>(
+      {url: `/api/v1/certificates/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetCertificateQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/certificates/${id}`
+    ] as const;
+    }
+
+    
+export const getGetCertificateQueryOptions = <TData = Awaited<ReturnType<typeof getCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificate>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetCertificateQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getCertificate>>> = ({ signal }) => getCertificate(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getCertificate>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetCertificateQueryResult = NonNullable<Awaited<ReturnType<typeof getCertificate>>>
+export type GetCertificateQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useGetCertificate<TData = Awaited<ReturnType<typeof getCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificate>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getCertificate>>,
+          TError,
+          Awaited<ReturnType<typeof getCertificate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetCertificate<TData = Awaited<ReturnType<typeof getCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificate>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getCertificate>>,
+          TError,
+          Awaited<ReturnType<typeof getCertificate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetCertificate<TData = Awaited<ReturnType<typeof getCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificate>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get certificate
+ */
+
+export function useGetCertificate<TData = Awaited<ReturnType<typeof getCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificate>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetCertificateQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Update certificate
+ */
+export const updateCertificate = (
+    id: string,
+    managedCertificate: ManagedCertificate,
+ ) => {
+      
+      
+      return certctlFetch<ManagedCertificate>(
+      {url: `/api/v1/certificates/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: managedCertificate
+    },
+      );
+    }
+  
+
+
+export const getUpdateCertificateMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateCertificate>>, TError,{id: string;data: ManagedCertificate}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateCertificate>>, TError,{id: string;data: ManagedCertificate}, TContext> => {
+
+const mutationKey = ['updateCertificate'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateCertificate>>, {id: string;data: ManagedCertificate}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateCertificate(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateCertificateMutationResult = NonNullable<Awaited<ReturnType<typeof updateCertificate>>>
+    export type UpdateCertificateMutationBody = ManagedCertificate
+    export type UpdateCertificateMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Update certificate
+ */
+export const useUpdateCertificate = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateCertificate>>, TError,{id: string;data: ManagedCertificate}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateCertificate>>,
+        TError,
+        {id: string;data: ManagedCertificate},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateCertificateMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Archive certificate
+ */
+export const archiveCertificate = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/certificates/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getArchiveCertificateMutationOptions = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof archiveCertificate>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof archiveCertificate>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['archiveCertificate'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof archiveCertificate>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  archiveCertificate(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ArchiveCertificateMutationResult = NonNullable<Awaited<ReturnType<typeof archiveCertificate>>>
+    
+    export type ArchiveCertificateMutationError = NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Archive certificate
+ */
+export const useArchiveCertificate = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof archiveCertificate>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof archiveCertificate>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getArchiveCertificateMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary List certificate versions
+ */
+export const listCertificateVersions = (
+    id: string,
+    params?: ListCertificateVersionsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListCertificateVersions200>(
+      {url: `/api/v1/certificates/${id}/versions`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListCertificateVersionsQueryKey = (id?: string,
+    params?: ListCertificateVersionsParams,) => {
+    return [
+    `/api/v1/certificates/${id}/versions`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListCertificateVersionsQueryOptions = <TData = Awaited<ReturnType<typeof listCertificateVersions>>, TError = NotFoundResponse | InternalErrorResponse>(id: string,
+    params?: ListCertificateVersionsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCertificateVersions>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListCertificateVersionsQueryKey(id,params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listCertificateVersions>>> = ({ signal }) => listCertificateVersions(id,params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listCertificateVersions>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListCertificateVersionsQueryResult = NonNullable<Awaited<ReturnType<typeof listCertificateVersions>>>
+export type ListCertificateVersionsQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useListCertificateVersions<TData = Awaited<ReturnType<typeof listCertificateVersions>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params: undefined |  ListCertificateVersionsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCertificateVersions>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listCertificateVersions>>,
+          TError,
+          Awaited<ReturnType<typeof listCertificateVersions>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListCertificateVersions<TData = Awaited<ReturnType<typeof listCertificateVersions>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params?: ListCertificateVersionsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCertificateVersions>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listCertificateVersions>>,
+          TError,
+          Awaited<ReturnType<typeof listCertificateVersions>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListCertificateVersions<TData = Awaited<ReturnType<typeof listCertificateVersions>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params?: ListCertificateVersionsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCertificateVersions>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List certificate versions
+ */
+
+export function useListCertificateVersions<TData = Awaited<ReturnType<typeof listCertificateVersions>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params?: ListCertificateVersionsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCertificateVersions>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListCertificateVersionsQueryOptions(id,params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Trigger certificate renewal
+ */
+export const triggerRenewal = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/certificates/${id}/renew`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getTriggerRenewalMutationOptions = <TError = BadRequestResponse | NotFoundResponse | ConflictResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof triggerRenewal>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof triggerRenewal>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['triggerRenewal'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof triggerRenewal>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  triggerRenewal(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type TriggerRenewalMutationResult = NonNullable<Awaited<ReturnType<typeof triggerRenewal>>>
+    
+    export type TriggerRenewalMutationError = BadRequestResponse | NotFoundResponse | ConflictResponse | InternalErrorResponse
+
+    /**
+ * @summary Trigger certificate renewal
+ */
+export const useTriggerRenewal = <TError = BadRequestResponse | NotFoundResponse | ConflictResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof triggerRenewal>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof triggerRenewal>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getTriggerRenewalMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Trigger certificate deployment
+ */
+export const triggerDeployment = (
+    id: string,
+    triggerDeploymentBody: TriggerDeploymentBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/certificates/${id}/deploy`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: triggerDeploymentBody, signal
+    },
+      );
+    }
+  
+
+
+export const getTriggerDeploymentMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof triggerDeployment>>, TError,{id: string;data: TriggerDeploymentBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof triggerDeployment>>, TError,{id: string;data: TriggerDeploymentBody}, TContext> => {
+
+const mutationKey = ['triggerDeployment'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof triggerDeployment>>, {id: string;data: TriggerDeploymentBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  triggerDeployment(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type TriggerDeploymentMutationResult = NonNullable<Awaited<ReturnType<typeof triggerDeployment>>>
+    export type TriggerDeploymentMutationBody = TriggerDeploymentBody
+    export type TriggerDeploymentMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Trigger certificate deployment
+ */
+export const useTriggerDeployment = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof triggerDeployment>>, TError,{id: string;data: TriggerDeploymentBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof triggerDeployment>>,
+        TError,
+        {id: string;data: TriggerDeploymentBody},
+        TContext
+      > => {
+
+      const mutationOptions = getTriggerDeploymentMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Revokes a certificate with an optional RFC 5280 reason code. Records revocation in
+cert inventory, audit log, and certificate_revocations table. Best-effort issuer notification.
+
+ * @summary Revoke certificate
+ */
+export const revokeCertificate = (
+    id: string,
+    revokeCertificateBody: RevokeCertificateBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/certificates/${id}/revoke`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: revokeCertificateBody, signal
+    },
+      );
+    }
+  
+
+
+export const getRevokeCertificateMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof revokeCertificate>>, TError,{id: string;data: RevokeCertificateBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof revokeCertificate>>, TError,{id: string;data: RevokeCertificateBody}, TContext> => {
+
+const mutationKey = ['revokeCertificate'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof revokeCertificate>>, {id: string;data: RevokeCertificateBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  revokeCertificate(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RevokeCertificateMutationResult = NonNullable<Awaited<ReturnType<typeof revokeCertificate>>>
+    export type RevokeCertificateMutationBody = RevokeCertificateBody
+    export type RevokeCertificateMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Revoke certificate
+ */
+export const useRevokeCertificate = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof revokeCertificate>>, TError,{id: string;data: RevokeCertificateBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof revokeCertificate>>,
+        TError,
+        {id: string;data: RevokeCertificateBody},
+        TContext
+      > => {
+
+      const mutationOptions = getRevokeCertificateMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Revokes all certificates matching the given filter criteria. At least one criterion
+is required (safety guard against accidental mass revocation). Reuses the single-cert
+revocation flow per certificate with partial-failure tolerance.
+
+ * @summary Bulk revoke certificates
+ */
+export const bulkRevokeCertificates = (
+    bulkRevokeRequest: BulkRevokeRequest,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<BulkRevokeResult>(
+      {url: `/api/v1/certificates/bulk-revoke`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: bulkRevokeRequest, signal
+    },
+      );
+    }
+  
+
+
+export const getBulkRevokeCertificatesMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof bulkRevokeCertificates>>, TError,{data: BulkRevokeRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof bulkRevokeCertificates>>, TError,{data: BulkRevokeRequest}, TContext> => {
+
+const mutationKey = ['bulkRevokeCertificates'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof bulkRevokeCertificates>>, {data: BulkRevokeRequest}> = (props) => {
+          const {data} = props ?? {};
+
+          return  bulkRevokeCertificates(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type BulkRevokeCertificatesMutationResult = NonNullable<Awaited<ReturnType<typeof bulkRevokeCertificates>>>
+    export type BulkRevokeCertificatesMutationBody = BulkRevokeRequest
+    export type BulkRevokeCertificatesMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Bulk revoke certificates
+ */
+export const useBulkRevokeCertificates = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof bulkRevokeCertificates>>, TError,{data: BulkRevokeRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof bulkRevokeCertificates>>,
+        TError,
+        {data: BulkRevokeRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getBulkRevokeCertificatesMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Enqueues a renewal job for every matching managed certificate. Mirrors POST
+/api/v1/certificates/bulk-revoke shape exactly so operators who already know
+that contract have zero new surface to learn. L-1 closure
+(cat-l-fa0c1ac07ab5): pre-L-1 the GUI looped per-cert HTTP calls;
+post-L-1 it's a single POST. Status filter: certs in
+Archived/Revoked/Expired/RenewalInProgress are silent-skipped (TotalSkipped++)
+rather than returned as errors. Asynchronous: the action ENQUEUES jobs the
+scheduler picks up; per-cert {certificate_id, job_id} pairs are returned in
+enqueued_jobs. NOT admin-gated — bulk renewal is non-destructive.
+
+ * @summary Bulk renew certificates by criteria or explicit IDs
+ */
+export const bulkRenewCertificates = (
+    bulkRenewRequest: BulkRenewRequest,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<BulkRenewResult>(
+      {url: `/api/v1/certificates/bulk-renew`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: bulkRenewRequest, signal
+    },
+      );
+    }
+  
+
+
+export const getBulkRenewCertificatesMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof bulkRenewCertificates>>, TError,{data: BulkRenewRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof bulkRenewCertificates>>, TError,{data: BulkRenewRequest}, TContext> => {
+
+const mutationKey = ['bulkRenewCertificates'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof bulkRenewCertificates>>, {data: BulkRenewRequest}> = (props) => {
+          const {data} = props ?? {};
+
+          return  bulkRenewCertificates(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type BulkRenewCertificatesMutationResult = NonNullable<Awaited<ReturnType<typeof bulkRenewCertificates>>>
+    export type BulkRenewCertificatesMutationBody = BulkRenewRequest
+    export type BulkRenewCertificatesMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Bulk renew certificates by criteria or explicit IDs
+ */
+export const useBulkRenewCertificates = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof bulkRenewCertificates>>, TError,{data: BulkRenewRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof bulkRenewCertificates>>,
+        TError,
+        {data: BulkRenewRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getBulkRenewCertificatesMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Updates owner_id (required) and team_id (optional) on every certificate in
+certificate_ids. Skips certs already owned by the target (silent no-op,
+TotalSkipped++). L-2 closure (cat-l-8a1fb258a38a). Narrower than bulk-renew:
+explicit IDs only, no criteria-mode. The OwnerID is validated upfront — a
+non-existent owner returns 400 before any cert is touched. Verb chosen as
+POST (not PATCH) for codebase consistency with bulk-revoke and bulk-renew.
+
+ * @summary Bulk reassign owner (and optionally team) for a set of certificates
+ */
+export const bulkReassignCertificates = (
+    bulkReassignRequest: BulkReassignRequest,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<BulkReassignResult>(
+      {url: `/api/v1/certificates/bulk-reassign`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: bulkReassignRequest, signal
+    },
+      );
+    }
+  
+
+
+export const getBulkReassignCertificatesMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof bulkReassignCertificates>>, TError,{data: BulkReassignRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof bulkReassignCertificates>>, TError,{data: BulkReassignRequest}, TContext> => {
+
+const mutationKey = ['bulkReassignCertificates'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof bulkReassignCertificates>>, {data: BulkReassignRequest}> = (props) => {
+          const {data} = props ?? {};
+
+          return  bulkReassignCertificates(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type BulkReassignCertificatesMutationResult = NonNullable<Awaited<ReturnType<typeof bulkReassignCertificates>>>
+    export type BulkReassignCertificatesMutationBody = BulkReassignRequest
+    export type BulkReassignCertificatesMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Bulk reassign owner (and optionally team) for a set of certificates
+ */
+export const useBulkReassignCertificates = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof bulkReassignCertificates>>, TError,{data: BulkReassignRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof bulkReassignCertificates>>,
+        TError,
+        {data: BulkReassignRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getBulkReassignCertificatesMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns the certificate and its chain in PEM format. By default returns JSON
+with cert_pem, chain_pem, and full_pem fields. Add ?download=true to get the
+full PEM chain as a file download with Content-Disposition headers.
+
+ * @summary Export certificate as PEM
+ */
+export const exportCertificatePEM = (
+    id: string,
+    params?: ExportCertificatePEMParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ExportCertificatePEM200One | Blob>(
+      {url: `/api/v1/certificates/${id}/export/pem`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getExportCertificatePEMQueryKey = (id?: string,
+    params?: ExportCertificatePEMParams,) => {
+    return [
+    `/api/v1/certificates/${id}/export/pem`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getExportCertificatePEMQueryOptions = <TData = Awaited<ReturnType<typeof exportCertificatePEM>>, TError = NotFoundResponse | InternalErrorResponse>(id: string,
+    params?: ExportCertificatePEMParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportCertificatePEM>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getExportCertificatePEMQueryKey(id,params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof exportCertificatePEM>>> = ({ signal }) => exportCertificatePEM(id,params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof exportCertificatePEM>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ExportCertificatePEMQueryResult = NonNullable<Awaited<ReturnType<typeof exportCertificatePEM>>>
+export type ExportCertificatePEMQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useExportCertificatePEM<TData = Awaited<ReturnType<typeof exportCertificatePEM>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params: undefined |  ExportCertificatePEMParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportCertificatePEM>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof exportCertificatePEM>>,
+          TError,
+          Awaited<ReturnType<typeof exportCertificatePEM>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useExportCertificatePEM<TData = Awaited<ReturnType<typeof exportCertificatePEM>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params?: ExportCertificatePEMParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportCertificatePEM>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof exportCertificatePEM>>,
+          TError,
+          Awaited<ReturnType<typeof exportCertificatePEM>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useExportCertificatePEM<TData = Awaited<ReturnType<typeof exportCertificatePEM>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params?: ExportCertificatePEMParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportCertificatePEM>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Export certificate as PEM
+ */
+
+export function useExportCertificatePEM<TData = Awaited<ReturnType<typeof exportCertificatePEM>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params?: ExportCertificatePEMParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportCertificatePEM>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getExportCertificatePEMQueryOptions(id,params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns a PKCS#12 (.p12) bundle containing the certificate and chain.
+Private keys are NOT included — they live on agents and never touch the control plane.
+The bundle is encrypted with the provided password (or empty password if omitted).
+
+ * @summary Export certificate as PKCS#12
+ */
+export const exportCertificatePKCS12 = (
+    id: string,
+    exportCertificatePKCS12Body: ExportCertificatePKCS12Body,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Blob>(
+      {url: `/api/v1/certificates/${id}/export/pkcs12`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: exportCertificatePKCS12Body,
+        responseType: 'blob', signal
+    },
+      );
+    }
+  
+
+
+export const getExportCertificatePKCS12MutationOptions = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof exportCertificatePKCS12>>, TError,{id: string;data: ExportCertificatePKCS12Body}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof exportCertificatePKCS12>>, TError,{id: string;data: ExportCertificatePKCS12Body}, TContext> => {
+
+const mutationKey = ['exportCertificatePKCS12'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof exportCertificatePKCS12>>, {id: string;data: ExportCertificatePKCS12Body}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  exportCertificatePKCS12(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ExportCertificatePKCS12MutationResult = NonNullable<Awaited<ReturnType<typeof exportCertificatePKCS12>>>
+    export type ExportCertificatePKCS12MutationBody = ExportCertificatePKCS12Body
+    export type ExportCertificatePKCS12MutationError = NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Export certificate as PKCS#12
+ */
+export const useExportCertificatePKCS12 = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof exportCertificatePKCS12>>, TError,{id: string;data: ExportCertificatePKCS12Body}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof exportCertificatePKCS12>>,
+        TError,
+        {id: string;data: ExportCertificatePKCS12Body},
+        TContext
+      > => {
+
+      const mutationOptions = getExportCertificatePKCS12MutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns deployment targets associated with this certificate.
+ * @summary List certificate deployments
+ */
+export const getCertificateDeployments = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetCertificateDeployments200>(
+      {url: `/api/v1/certificates/${id}/deployments`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetCertificateDeploymentsQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/certificates/${id}/deployments`
+    ] as const;
+    }
+
+    
+export const getGetCertificateDeploymentsQueryOptions = <TData = Awaited<ReturnType<typeof getCertificateDeployments>>, TError = NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificateDeployments>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetCertificateDeploymentsQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getCertificateDeployments>>> = ({ signal }) => getCertificateDeployments(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getCertificateDeployments>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetCertificateDeploymentsQueryResult = NonNullable<Awaited<ReturnType<typeof getCertificateDeployments>>>
+export type GetCertificateDeploymentsQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useGetCertificateDeployments<TData = Awaited<ReturnType<typeof getCertificateDeployments>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificateDeployments>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getCertificateDeployments>>,
+          TError,
+          Awaited<ReturnType<typeof getCertificateDeployments>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetCertificateDeployments<TData = Awaited<ReturnType<typeof getCertificateDeployments>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificateDeployments>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getCertificateDeployments>>,
+          TError,
+          Awaited<ReturnType<typeof getCertificateDeployments>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetCertificateDeployments<TData = Awaited<ReturnType<typeof getCertificateDeployments>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificateDeployments>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List certificate deployments
+ */
+
+export function useGetCertificateDeployments<TData = Awaited<ReturnType<typeof getCertificateDeployments>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificateDeployments>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetCertificateDeploymentsQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
diff --git a/web/src/api/generated/crl-ocsp/crl-ocsp.ts b/web/src/api/generated/crl-ocsp/crl-ocsp.ts
new file mode 100644
index 0000000..fffffc0
--- /dev/null
+++ b/web/src/api/generated/crl-ocsp/crl-ocsp.ts
@@ -0,0 +1,434 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  InternalErrorResponse,
+  ListCRLCache200,
+  NotFoundResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Returns a DER-encoded CRL signed by the issuing CA (RFC 5280 §5),
+served unauthenticated per RFC 8615 `.well-known` semantics so
+relying parties can retrieve it without a certctl API key.
+Validity is 24 hours.
+
+ * @summary Get DER-encoded X.509 CRL (RFC 5280)
+ */
+export const getDERCRL = (
+    issuerId: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Blob>(
+      {url: `/.well-known/pki/crl/${issuerId}`, method: 'GET',
+        responseType: 'blob', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetDERCRLQueryKey = (issuerId?: string,) => {
+    return [
+    `/.well-known/pki/crl/${issuerId}`
+    ] as const;
+    }
+
+    
+export const getGetDERCRLQueryOptions = <TData = Awaited<ReturnType<typeof getDERCRL>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(issuerId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDERCRL>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetDERCRLQueryKey(issuerId);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getDERCRL>>> = ({ signal }) => getDERCRL(issuerId, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(issuerId), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getDERCRL>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetDERCRLQueryResult = NonNullable<Awaited<ReturnType<typeof getDERCRL>>>
+export type GetDERCRLQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void
+
+
+export function useGetDERCRL<TData = Awaited<ReturnType<typeof getDERCRL>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDERCRL>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDERCRL>>,
+          TError,
+          Awaited<ReturnType<typeof getDERCRL>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDERCRL<TData = Awaited<ReturnType<typeof getDERCRL>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDERCRL>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDERCRL>>,
+          TError,
+          Awaited<ReturnType<typeof getDERCRL>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDERCRL<TData = Awaited<ReturnType<typeof getDERCRL>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDERCRL>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get DER-encoded X.509 CRL (RFC 5280)
+ */
+
+export function useGetDERCRL<TData = Awaited<ReturnType<typeof getDERCRL>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDERCRL>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetDERCRLQueryOptions(issuerId,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns a signed OCSP response (good/revoked/unknown) for the
+given serial number per RFC 6960 §2.1, served unauthenticated
+per RFC 8615 so relying parties and OCSP stapling sidecars can
+query revocation status without a certctl API key.
+
+ * @summary OCSP responder (RFC 6960)
+ */
+export const handleOCSP = (
+    issuerId: string,
+    serial: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Blob>(
+      {url: `/.well-known/pki/ocsp/${issuerId}/${serial}`, method: 'GET',
+        responseType: 'blob', signal
+    },
+      );
+    }
+  
+
+
+
+export const getHandleOCSPQueryKey = (issuerId?: string,
+    serial?: string,) => {
+    return [
+    `/.well-known/pki/ocsp/${issuerId}/${serial}`
+    ] as const;
+    }
+
+    
+export const getHandleOCSPQueryOptions = <TData = Awaited<ReturnType<typeof handleOCSP>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(issuerId: string,
+    serial: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof handleOCSP>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getHandleOCSPQueryKey(issuerId,serial);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof handleOCSP>>> = ({ signal }) => handleOCSP(issuerId,serial, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(issuerId && serial), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof handleOCSP>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type HandleOCSPQueryResult = NonNullable<Awaited<ReturnType<typeof handleOCSP>>>
+export type HandleOCSPQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void
+
+
+export function useHandleOCSP<TData = Awaited<ReturnType<typeof handleOCSP>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string,
+    serial: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof handleOCSP>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof handleOCSP>>,
+          TError,
+          Awaited<ReturnType<typeof handleOCSP>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useHandleOCSP<TData = Awaited<ReturnType<typeof handleOCSP>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string,
+    serial: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof handleOCSP>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof handleOCSP>>,
+          TError,
+          Awaited<ReturnType<typeof handleOCSP>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useHandleOCSP<TData = Awaited<ReturnType<typeof handleOCSP>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string,
+    serial: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof handleOCSP>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary OCSP responder (RFC 6960)
+ */
+
+export function useHandleOCSP<TData = Awaited<ReturnType<typeof handleOCSP>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string,
+    serial: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof handleOCSP>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getHandleOCSPQueryOptions(issuerId,serial,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns the per-issuer CRL cache state populated by the
+scheduler's crlGenerationLoop. One row per registered issuer
+with `cache_present` indicating whether a CRL has ever been
+generated, plus `is_stale` derived from `next_update` vs.
+wall clock, plus the most recent generation events for
+ops grep.
+
+Admin-gated (M-003 pattern). Bundle CRL/OCSP-Responder Phase 5.
+
+ * @summary Inspect CRL pre-generation cache (admin)
+ */
+export const listCRLCache = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListCRLCache200>(
+      {url: `/api/v1/admin/crl/cache`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListCRLCacheQueryKey = () => {
+    return [
+    `/api/v1/admin/crl/cache`
+    ] as const;
+    }
+
+    
+export const getListCRLCacheQueryOptions = <TData = Awaited<ReturnType<typeof listCRLCache>>, TError = void | InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCRLCache>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListCRLCacheQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listCRLCache>>> = ({ signal }) => listCRLCache(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listCRLCache>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListCRLCacheQueryResult = NonNullable<Awaited<ReturnType<typeof listCRLCache>>>
+export type ListCRLCacheQueryError = void | InternalErrorResponse
+
+
+export function useListCRLCache<TData = Awaited<ReturnType<typeof listCRLCache>>, TError = void | InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCRLCache>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listCRLCache>>,
+          TError,
+          Awaited<ReturnType<typeof listCRLCache>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListCRLCache<TData = Awaited<ReturnType<typeof listCRLCache>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCRLCache>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listCRLCache>>,
+          TError,
+          Awaited<ReturnType<typeof listCRLCache>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListCRLCache<TData = Awaited<ReturnType<typeof listCRLCache>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCRLCache>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Inspect CRL pre-generation cache (admin)
+ */
+
+export function useListCRLCache<TData = Awaited<ReturnType<typeof listCRLCache>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCRLCache>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListCRLCacheQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Standard RFC 6960 §A.1.1 POST form of the OCSP responder. The
+request body is the binary DER-encoded OCSPRequest with
+Content-Type `application/ocsp-request`; the serial number is
+carried inside that body, not in the URL path. Most production
+OCSP clients (Firefox, OpenSSL `s_client -status`, cert-manager,
+Microsoft Intune device validators) use POST exclusively.
+
+The pre-existing GET form
+(`/.well-known/pki/ocsp/{issuer_id}/{serial}`) is preserved for
+ad-hoc curl inspection and human-readable URL paths; behaviour
+and response are otherwise identical.
+
+Auth-exempt under `/.well-known/pki/*` per RFC 8615 so relying
+parties can poll without a certctl API key. CRL/OCSP-Responder
+bundle Phase 4.
+
+ * @summary OCSP responder (RFC 6960 §A.1.1, POST form)
+ */
+export const handleOCSPPost = (
+    issuerId: string,
+    handleOCSPPostBody: Blob,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Blob>(
+      {url: `/.well-known/pki/ocsp/${issuerId}`, method: 'POST',
+      headers: {'Content-Type': 'application/ocsp-request', },
+      data: handleOCSPPostBody,
+        responseType: 'blob', signal
+    },
+      );
+    }
+  
+
+
+export const getHandleOCSPPostMutationOptions = <TError = BadRequestResponse | NotFoundResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof handleOCSPPost>>, TError,{issuerId: string;data: Blob}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof handleOCSPPost>>, TError,{issuerId: string;data: Blob}, TContext> => {
+
+const mutationKey = ['handleOCSPPost'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof handleOCSPPost>>, {issuerId: string;data: Blob}> = (props) => {
+          const {issuerId,data} = props ?? {};
+
+          return  handleOCSPPost(issuerId,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type HandleOCSPPostMutationResult = NonNullable<Awaited<ReturnType<typeof handleOCSPPost>>>
+    export type HandleOCSPPostMutationBody = Blob
+    export type HandleOCSPPostMutationError = BadRequestResponse | NotFoundResponse | void | InternalErrorResponse
+
+    /**
+ * @summary OCSP responder (RFC 6960 §A.1.1, POST form)
+ */
+export const useHandleOCSPPost = <TError = BadRequestResponse | NotFoundResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof handleOCSPPost>>, TError,{issuerId: string;data: Blob}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof handleOCSPPost>>,
+        TError,
+        {issuerId: string;data: Blob},
+        TContext
+      > => {
+
+      const mutationOptions = getHandleOCSPPostMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/digest/digest.ts b/web/src/api/generated/digest/digest.ts
new file mode 100644
index 0000000..17f71dd
--- /dev/null
+++ b/web/src/api/generated/digest/digest.ts
@@ -0,0 +1,206 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  InternalErrorResponse,
+  StatusMessageResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Returns an HTML preview of the scheduled certificate digest email.
+This includes a summary of certificate status, pending jobs, and expiring certificates.
+
+ * @summary Preview digest email
+ */
+export const previewDigest = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/api/v1/digest/preview`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getPreviewDigestQueryKey = () => {
+    return [
+    `/api/v1/digest/preview`
+    ] as const;
+    }
+
+    
+export const getPreviewDigestQueryOptions = <TData = Awaited<ReturnType<typeof previewDigest>>, TError = InternalErrorResponse | StatusMessageResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof previewDigest>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getPreviewDigestQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof previewDigest>>> = ({ signal }) => previewDigest(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof previewDigest>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type PreviewDigestQueryResult = NonNullable<Awaited<ReturnType<typeof previewDigest>>>
+export type PreviewDigestQueryError = InternalErrorResponse | StatusMessageResponse
+
+
+export function usePreviewDigest<TData = Awaited<ReturnType<typeof previewDigest>>, TError = InternalErrorResponse | StatusMessageResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof previewDigest>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof previewDigest>>,
+          TError,
+          Awaited<ReturnType<typeof previewDigest>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function usePreviewDigest<TData = Awaited<ReturnType<typeof previewDigest>>, TError = InternalErrorResponse | StatusMessageResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof previewDigest>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof previewDigest>>,
+          TError,
+          Awaited<ReturnType<typeof previewDigest>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function usePreviewDigest<TData = Awaited<ReturnType<typeof previewDigest>>, TError = InternalErrorResponse | StatusMessageResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof previewDigest>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Preview digest email
+ */
+
+export function usePreviewDigest<TData = Awaited<ReturnType<typeof previewDigest>>, TError = InternalErrorResponse | StatusMessageResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof previewDigest>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getPreviewDigestQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Triggers immediate sending of the certificate digest email to configured recipients.
+If no explicit recipients are configured, sends to certificate owners.
+
+ * @summary Send digest email
+ */
+export const sendDigest = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusMessageResponse>(
+      {url: `/api/v1/digest/send`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getSendDigestMutationOptions = <TError = InternalErrorResponse | StatusMessageResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof sendDigest>>, TError,void, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof sendDigest>>, TError,void, TContext> => {
+
+const mutationKey = ['sendDigest'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof sendDigest>>, void> = () => {
+          
+
+          return  sendDigest()
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type SendDigestMutationResult = NonNullable<Awaited<ReturnType<typeof sendDigest>>>
+    
+    export type SendDigestMutationError = InternalErrorResponse | StatusMessageResponse
+
+    /**
+ * @summary Send digest email
+ */
+export const useSendDigest = <TError = InternalErrorResponse | StatusMessageResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof sendDigest>>, TError,void, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof sendDigest>>,
+        TError,
+        void,
+        TContext
+      > => {
+
+      const mutationOptions = getSendDigestMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/discovery/discovery.ts b/web/src/api/generated/discovery/discovery.ts
new file mode 100644
index 0000000..a4b6a2a
--- /dev/null
+++ b/web/src/api/generated/discovery/discovery.ts
@@ -0,0 +1,627 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  ClaimDiscoveredCertificateBody,
+  DiscoveredCertificate,
+  DiscoveryReport,
+  DiscoveryScan,
+  GetDiscoverySummary200,
+  InternalErrorResponse,
+  ListDiscoveredCertificates200,
+  ListDiscoveredCertificatesParams,
+  ListDiscoveryScans200,
+  ListDiscoveryScansParams,
+  NotFoundResponse,
+  StatusMessageResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Agent submits a batch of discovered certificates from filesystem scanning.
+Server deduplicates by (fingerprint, agent_id, source_path) and records scan metadata.
+
+ * @summary Submit discovery report
+ */
+export const submitDiscoveryReport = (
+    id: string,
+    discoveryReport: DiscoveryReport,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<DiscoveryScan>(
+      {url: `/api/v1/agents/${id}/discoveries`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: discoveryReport, signal
+    },
+      );
+    }
+  
+
+
+export const getSubmitDiscoveryReportMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof submitDiscoveryReport>>, TError,{id: string;data: DiscoveryReport}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof submitDiscoveryReport>>, TError,{id: string;data: DiscoveryReport}, TContext> => {
+
+const mutationKey = ['submitDiscoveryReport'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof submitDiscoveryReport>>, {id: string;data: DiscoveryReport}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  submitDiscoveryReport(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type SubmitDiscoveryReportMutationResult = NonNullable<Awaited<ReturnType<typeof submitDiscoveryReport>>>
+    export type SubmitDiscoveryReportMutationBody = DiscoveryReport
+    export type SubmitDiscoveryReportMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Submit discovery report
+ */
+export const useSubmitDiscoveryReport = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof submitDiscoveryReport>>, TError,{id: string;data: DiscoveryReport}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof submitDiscoveryReport>>,
+        TError,
+        {id: string;data: DiscoveryReport},
+        TContext
+      > => {
+
+      const mutationOptions = getSubmitDiscoveryReportMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns discovered certificates with optional filters by agent and triage status.
+ * @summary List discovered certificates
+ */
+export const listDiscoveredCertificates = (
+    params?: ListDiscoveredCertificatesParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListDiscoveredCertificates200>(
+      {url: `/api/v1/discovered-certificates`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListDiscoveredCertificatesQueryKey = (params?: ListDiscoveredCertificatesParams,) => {
+    return [
+    `/api/v1/discovered-certificates`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListDiscoveredCertificatesQueryOptions = <TData = Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError = InternalErrorResponse>(params?: ListDiscoveredCertificatesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListDiscoveredCertificatesQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listDiscoveredCertificates>>> = ({ signal }) => listDiscoveredCertificates(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListDiscoveredCertificatesQueryResult = NonNullable<Awaited<ReturnType<typeof listDiscoveredCertificates>>>
+export type ListDiscoveredCertificatesQueryError = InternalErrorResponse
+
+
+export function useListDiscoveredCertificates<TData = Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError = InternalErrorResponse>(
+ params: undefined |  ListDiscoveredCertificatesParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listDiscoveredCertificates>>,
+          TError,
+          Awaited<ReturnType<typeof listDiscoveredCertificates>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListDiscoveredCertificates<TData = Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError = InternalErrorResponse>(
+ params?: ListDiscoveredCertificatesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listDiscoveredCertificates>>,
+          TError,
+          Awaited<ReturnType<typeof listDiscoveredCertificates>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListDiscoveredCertificates<TData = Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError = InternalErrorResponse>(
+ params?: ListDiscoveredCertificatesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List discovered certificates
+ */
+
+export function useListDiscoveredCertificates<TData = Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError = InternalErrorResponse>(
+ params?: ListDiscoveredCertificatesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListDiscoveredCertificatesQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns a single discovered certificate by ID.
+ * @summary Get discovered certificate
+ */
+export const getDiscoveredCertificate = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<DiscoveredCertificate>(
+      {url: `/api/v1/discovered-certificates/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetDiscoveredCertificateQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/discovered-certificates/${id}`
+    ] as const;
+    }
+
+    
+export const getGetDiscoveredCertificateQueryOptions = <TData = Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetDiscoveredCertificateQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getDiscoveredCertificate>>> = ({ signal }) => getDiscoveredCertificate(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetDiscoveredCertificateQueryResult = NonNullable<Awaited<ReturnType<typeof getDiscoveredCertificate>>>
+export type GetDiscoveredCertificateQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useGetDiscoveredCertificate<TData = Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDiscoveredCertificate>>,
+          TError,
+          Awaited<ReturnType<typeof getDiscoveredCertificate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDiscoveredCertificate<TData = Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDiscoveredCertificate>>,
+          TError,
+          Awaited<ReturnType<typeof getDiscoveredCertificate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDiscoveredCertificate<TData = Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get discovered certificate
+ */
+
+export function useGetDiscoveredCertificate<TData = Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetDiscoveredCertificateQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Links a discovered certificate to an existing managed certificate. Changes status to Managed.
+ * @summary Claim discovered certificate
+ */
+export const claimDiscoveredCertificate = (
+    id: string,
+    claimDiscoveredCertificateBody: ClaimDiscoveredCertificateBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusMessageResponse>(
+      {url: `/api/v1/discovered-certificates/${id}/claim`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: claimDiscoveredCertificateBody, signal
+    },
+      );
+    }
+  
+
+
+export const getClaimDiscoveredCertificateMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof claimDiscoveredCertificate>>, TError,{id: string;data: ClaimDiscoveredCertificateBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof claimDiscoveredCertificate>>, TError,{id: string;data: ClaimDiscoveredCertificateBody}, TContext> => {
+
+const mutationKey = ['claimDiscoveredCertificate'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof claimDiscoveredCertificate>>, {id: string;data: ClaimDiscoveredCertificateBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  claimDiscoveredCertificate(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ClaimDiscoveredCertificateMutationResult = NonNullable<Awaited<ReturnType<typeof claimDiscoveredCertificate>>>
+    export type ClaimDiscoveredCertificateMutationBody = ClaimDiscoveredCertificateBody
+    export type ClaimDiscoveredCertificateMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Claim discovered certificate
+ */
+export const useClaimDiscoveredCertificate = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof claimDiscoveredCertificate>>, TError,{id: string;data: ClaimDiscoveredCertificateBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof claimDiscoveredCertificate>>,
+        TError,
+        {id: string;data: ClaimDiscoveredCertificateBody},
+        TContext
+      > => {
+
+      const mutationOptions = getClaimDiscoveredCertificateMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Marks a discovered certificate as dismissed (excluded from triage queue).
+ * @summary Dismiss discovered certificate
+ */
+export const dismissDiscoveredCertificate = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusMessageResponse>(
+      {url: `/api/v1/discovered-certificates/${id}/dismiss`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getDismissDiscoveredCertificateMutationOptions = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof dismissDiscoveredCertificate>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof dismissDiscoveredCertificate>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['dismissDiscoveredCertificate'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof dismissDiscoveredCertificate>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  dismissDiscoveredCertificate(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DismissDiscoveredCertificateMutationResult = NonNullable<Awaited<ReturnType<typeof dismissDiscoveredCertificate>>>
+    
+    export type DismissDiscoveredCertificateMutationError = NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Dismiss discovered certificate
+ */
+export const useDismissDiscoveredCertificate = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof dismissDiscoveredCertificate>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof dismissDiscoveredCertificate>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDismissDiscoveredCertificateMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns history of discovery scan executions with optional agent filter.
+ * @summary List discovery scans
+ */
+export const listDiscoveryScans = (
+    params?: ListDiscoveryScansParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListDiscoveryScans200>(
+      {url: `/api/v1/discovery-scans`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListDiscoveryScansQueryKey = (params?: ListDiscoveryScansParams,) => {
+    return [
+    `/api/v1/discovery-scans`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListDiscoveryScansQueryOptions = <TData = Awaited<ReturnType<typeof listDiscoveryScans>>, TError = InternalErrorResponse>(params?: ListDiscoveryScansParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveryScans>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListDiscoveryScansQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listDiscoveryScans>>> = ({ signal }) => listDiscoveryScans(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listDiscoveryScans>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListDiscoveryScansQueryResult = NonNullable<Awaited<ReturnType<typeof listDiscoveryScans>>>
+export type ListDiscoveryScansQueryError = InternalErrorResponse
+
+
+export function useListDiscoveryScans<TData = Awaited<ReturnType<typeof listDiscoveryScans>>, TError = InternalErrorResponse>(
+ params: undefined |  ListDiscoveryScansParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveryScans>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listDiscoveryScans>>,
+          TError,
+          Awaited<ReturnType<typeof listDiscoveryScans>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListDiscoveryScans<TData = Awaited<ReturnType<typeof listDiscoveryScans>>, TError = InternalErrorResponse>(
+ params?: ListDiscoveryScansParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveryScans>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listDiscoveryScans>>,
+          TError,
+          Awaited<ReturnType<typeof listDiscoveryScans>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListDiscoveryScans<TData = Awaited<ReturnType<typeof listDiscoveryScans>>, TError = InternalErrorResponse>(
+ params?: ListDiscoveryScansParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveryScans>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List discovery scans
+ */
+
+export function useListDiscoveryScans<TData = Awaited<ReturnType<typeof listDiscoveryScans>>, TError = InternalErrorResponse>(
+ params?: ListDiscoveryScansParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveryScans>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListDiscoveryScansQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns aggregate counts of discovered certificates by triage status.
+ * @summary Discovery status summary
+ */
+export const getDiscoverySummary = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetDiscoverySummary200>(
+      {url: `/api/v1/discovery-summary`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetDiscoverySummaryQueryKey = () => {
+    return [
+    `/api/v1/discovery-summary`
+    ] as const;
+    }
+
+    
+export const getGetDiscoverySummaryQueryOptions = <TData = Awaited<ReturnType<typeof getDiscoverySummary>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoverySummary>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetDiscoverySummaryQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getDiscoverySummary>>> = ({ signal }) => getDiscoverySummary(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getDiscoverySummary>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetDiscoverySummaryQueryResult = NonNullable<Awaited<ReturnType<typeof getDiscoverySummary>>>
+export type GetDiscoverySummaryQueryError = InternalErrorResponse
+
+
+export function useGetDiscoverySummary<TData = Awaited<ReturnType<typeof getDiscoverySummary>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoverySummary>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDiscoverySummary>>,
+          TError,
+          Awaited<ReturnType<typeof getDiscoverySummary>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDiscoverySummary<TData = Awaited<ReturnType<typeof getDiscoverySummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoverySummary>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDiscoverySummary>>,
+          TError,
+          Awaited<ReturnType<typeof getDiscoverySummary>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDiscoverySummary<TData = Awaited<ReturnType<typeof getDiscoverySummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoverySummary>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Discovery status summary
+ */
+
+export function useGetDiscoverySummary<TData = Awaited<ReturnType<typeof getDiscoverySummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoverySummary>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetDiscoverySummaryQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
diff --git a/web/src/api/generated/est/est.ts b/web/src/api/generated/est/est.ts
new file mode 100644
index 0000000..643009c
--- /dev/null
+++ b/web/src/api/generated/est/est.ts
@@ -0,0 +1,735 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  BulkRevokeRequest,
+  BulkRevokeResult,
+  InternalErrorResponse,
+  ListESTProfiles200,
+  ReloadESTTrust200,
+  ReloadESTTrustBody
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * EST-source-scoped bulk revocation. Identical wire shape to
+/api/v1/certificates/bulk-revoke; the handler pins
+`Source=EST` so the operation only affects certs the EST
+service stamped at issuance time. SCEP-issued / API-issued /
+Agent-provisioned certs are never touched by this endpoint.
+
+At least one narrower criterion (profile_id, owner_id,
+agent_id, issuer_id, team_id, or certificate_ids) is
+required — Source-only requests are rejected as too broad
+to prevent accidental fleet-wide revocation. Admin-gated
+(M-008 / M-003 pattern). Audit action emitted: `est_bulk_revoke`.
+
+EST RFC 7030 hardening master bundle Phase 11.2.
+
+ * @summary Bulk revoke EST-issued certificates (admin)
+ */
+export const bulkRevokeESTCertificates = (
+    bulkRevokeRequest: BulkRevokeRequest,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<BulkRevokeResult>(
+      {url: `/api/v1/est/certificates/bulk-revoke`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: bulkRevokeRequest, signal
+    },
+      );
+    }
+  
+
+
+export const getBulkRevokeESTCertificatesMutationOptions = <TError = BadRequestResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof bulkRevokeESTCertificates>>, TError,{data: BulkRevokeRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof bulkRevokeESTCertificates>>, TError,{data: BulkRevokeRequest}, TContext> => {
+
+const mutationKey = ['bulkRevokeESTCertificates'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof bulkRevokeESTCertificates>>, {data: BulkRevokeRequest}> = (props) => {
+          const {data} = props ?? {};
+
+          return  bulkRevokeESTCertificates(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type BulkRevokeESTCertificatesMutationResult = NonNullable<Awaited<ReturnType<typeof bulkRevokeESTCertificates>>>
+    export type BulkRevokeESTCertificatesMutationBody = BulkRevokeRequest
+    export type BulkRevokeESTCertificatesMutationError = BadRequestResponse | void | InternalErrorResponse
+
+    /**
+ * @summary Bulk revoke EST-issued certificates (admin)
+ */
+export const useBulkRevokeESTCertificates = <TError = BadRequestResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof bulkRevokeESTCertificates>>, TError,{data: BulkRevokeRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof bulkRevokeESTCertificates>>,
+        TError,
+        {data: BulkRevokeRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getBulkRevokeESTCertificatesMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns one snapshot per configured EST profile with always-present
+per-profile fields (path_id, issuer_id, profile_id, mtls_enabled,
+basic_auth_configured, server_keygen_enabled, counters) plus an
+optional trust-anchor sub-block when the profile has MTLS_ENABLED=true.
+
+Counter labels: success_simpleenroll, success_simplereenroll,
+success_serverkeygen, auth_failed_basic, auth_failed_mtls,
+auth_failed_channel_binding, csr_invalid, csr_policy_violation,
+csr_signature_mismatch, rate_limited, issuer_error, internal_error.
+
+Admin-gated (M-008 pattern). Non-admin Bearer callers get HTTP 403 —
+the snapshot reveals operator profile set, mTLS trust-anchor expiries,
+and auth-mode posture (sensitive operational metadata). EST RFC 7030
+hardening master bundle Phase 7.2.
+
+ * @summary Per-profile EST administration overview (admin)
+ */
+export const listESTProfiles = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListESTProfiles200>(
+      {url: `/api/v1/admin/est/profiles`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListESTProfilesQueryKey = () => {
+    return [
+    `/api/v1/admin/est/profiles`
+    ] as const;
+    }
+
+    
+export const getListESTProfilesQueryOptions = <TData = Awaited<ReturnType<typeof listESTProfiles>>, TError = void | InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listESTProfiles>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListESTProfilesQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listESTProfiles>>> = ({ signal }) => listESTProfiles(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listESTProfiles>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListESTProfilesQueryResult = NonNullable<Awaited<ReturnType<typeof listESTProfiles>>>
+export type ListESTProfilesQueryError = void | InternalErrorResponse
+
+
+export function useListESTProfiles<TData = Awaited<ReturnType<typeof listESTProfiles>>, TError = void | InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listESTProfiles>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listESTProfiles>>,
+          TError,
+          Awaited<ReturnType<typeof listESTProfiles>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListESTProfiles<TData = Awaited<ReturnType<typeof listESTProfiles>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listESTProfiles>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listESTProfiles>>,
+          TError,
+          Awaited<ReturnType<typeof listESTProfiles>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListESTProfiles<TData = Awaited<ReturnType<typeof listESTProfiles>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listESTProfiles>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Per-profile EST administration overview (admin)
+ */
+
+export function useListESTProfiles<TData = Awaited<ReturnType<typeof listESTProfiles>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listESTProfiles>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListESTProfilesQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Triggers the same Reload that the SIGHUP watcher would run for
+the named EST profile. The body MUST be `{"path_id": "<pathID>"}`;
+an empty body targets the legacy `/.well-known/est` root profile
+(PathID="").
+
+Returns 200 + `{"reloaded": true, ...}` on success; 404 when the
+path_id doesn't match any configured EST profile; 409 when the
+profile exists but mTLS is disabled on it (no trust anchor to
+reload); 500 when the underlying file fails to parse — in which
+case the holder retains the OLD pool so enrollment keeps working
+off the previous trust anchor while the operator fixes the file.
+
+Admin-gated (M-008 pattern). EST RFC 7030 hardening master
+bundle Phase 7.2.
+
+ * @summary Reload an EST profile's mTLS trust anchor (admin)
+ */
+export const reloadESTTrust = (
+    reloadESTTrustBody?: ReloadESTTrustBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ReloadESTTrust200>(
+      {url: `/api/v1/admin/est/reload-trust`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: reloadESTTrustBody, signal
+    },
+      );
+    }
+  
+
+
+export const getReloadESTTrustMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof reloadESTTrust>>, TError,{data: ReloadESTTrustBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof reloadESTTrust>>, TError,{data: ReloadESTTrustBody}, TContext> => {
+
+const mutationKey = ['reloadESTTrust'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof reloadESTTrust>>, {data: ReloadESTTrustBody}> = (props) => {
+          const {data} = props ?? {};
+
+          return  reloadESTTrust(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ReloadESTTrustMutationResult = NonNullable<Awaited<ReturnType<typeof reloadESTTrust>>>
+    export type ReloadESTTrustMutationBody = ReloadESTTrustBody
+    export type ReloadESTTrustMutationError = void
+
+    /**
+ * @summary Reload an EST profile's mTLS trust anchor (admin)
+ */
+export const useReloadESTTrust = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof reloadESTTrust>>, TError,{data: ReloadESTTrustBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof reloadESTTrust>>,
+        TError,
+        {data: ReloadESTTrustBody},
+        TContext
+      > => {
+
+      const mutationOptions = getReloadESTTrustMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns the CA certificate chain used to verify certctl-issued certificates.
+Response is a base64-encoded degenerate PKCS#7 SignedData (certs-only) per
+RFC 7030 §4.1.3.
+
+ * @summary EST CA certificates distribution
+ */
+export const estCACerts = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/.well-known/est/cacerts`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getEstCACertsQueryKey = () => {
+    return [
+    `/.well-known/est/cacerts`
+    ] as const;
+    }
+
+    
+export const getEstCACertsQueryOptions = <TData = Awaited<ReturnType<typeof estCACerts>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCACerts>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getEstCACertsQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof estCACerts>>> = ({ signal }) => estCACerts(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof estCACerts>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type EstCACertsQueryResult = NonNullable<Awaited<ReturnType<typeof estCACerts>>>
+export type EstCACertsQueryError = InternalErrorResponse
+
+
+export function useEstCACerts<TData = Awaited<ReturnType<typeof estCACerts>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCACerts>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof estCACerts>>,
+          TError,
+          Awaited<ReturnType<typeof estCACerts>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useEstCACerts<TData = Awaited<ReturnType<typeof estCACerts>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCACerts>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof estCACerts>>,
+          TError,
+          Awaited<ReturnType<typeof estCACerts>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useEstCACerts<TData = Awaited<ReturnType<typeof estCACerts>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCACerts>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary EST CA certificates distribution
+ */
+
+export function useEstCACerts<TData = Awaited<ReturnType<typeof estCACerts>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCACerts>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getEstCACertsQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Enrolls a new certificate from a PKCS#10 CSR per RFC 7030 §4.2.1.
+The CSR MAY be supplied as base64-encoded DER (EST standard wire format)
+or as PEM for convenience. Returns a base64-encoded PKCS#7 certs-only
+structure containing the issued certificate.
+
+ * @summary EST simple enrollment
+ */
+export const estSimpleEnroll = (
+    estSimpleEnrollBody: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/.well-known/est/simpleenroll`, method: 'POST',
+      headers: {'Content-Type': 'application/pkcs10', },
+      data: estSimpleEnrollBody, signal
+    },
+      );
+    }
+  
+
+
+export const getEstSimpleEnrollMutationOptions = <TError = BadRequestResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof estSimpleEnroll>>, TError,{data: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof estSimpleEnroll>>, TError,{data: string}, TContext> => {
+
+const mutationKey = ['estSimpleEnroll'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof estSimpleEnroll>>, {data: string}> = (props) => {
+          const {data} = props ?? {};
+
+          return  estSimpleEnroll(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type EstSimpleEnrollMutationResult = NonNullable<Awaited<ReturnType<typeof estSimpleEnroll>>>
+    export type EstSimpleEnrollMutationBody = string
+    export type EstSimpleEnrollMutationError = BadRequestResponse | void | InternalErrorResponse
+
+    /**
+ * @summary EST simple enrollment
+ */
+export const useEstSimpleEnroll = <TError = BadRequestResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof estSimpleEnroll>>, TError,{data: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof estSimpleEnroll>>,
+        TError,
+        {data: string},
+        TContext
+      > => {
+
+      const mutationOptions = getEstSimpleEnrollMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Re-enrolls an existing certificate (same as simpleenroll in certctl's
+implementation — re-enrollment is treated as a fresh issuance) per
+RFC 7030 §4.2.2.
+
+ * @summary EST simple re-enrollment
+ */
+export const estSimpleReEnroll = (
+    estSimpleReEnrollBody: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/.well-known/est/simplereenroll`, method: 'POST',
+      headers: {'Content-Type': 'application/pkcs10', },
+      data: estSimpleReEnrollBody, signal
+    },
+      );
+    }
+  
+
+
+export const getEstSimpleReEnrollMutationOptions = <TError = BadRequestResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof estSimpleReEnroll>>, TError,{data: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof estSimpleReEnroll>>, TError,{data: string}, TContext> => {
+
+const mutationKey = ['estSimpleReEnroll'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof estSimpleReEnroll>>, {data: string}> = (props) => {
+          const {data} = props ?? {};
+
+          return  estSimpleReEnroll(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type EstSimpleReEnrollMutationResult = NonNullable<Awaited<ReturnType<typeof estSimpleReEnroll>>>
+    export type EstSimpleReEnrollMutationBody = string
+    export type EstSimpleReEnrollMutationError = BadRequestResponse | void | InternalErrorResponse
+
+    /**
+ * @summary EST simple re-enrollment
+ */
+export const useEstSimpleReEnroll = <TError = BadRequestResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof estSimpleReEnroll>>, TError,{data: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof estSimpleReEnroll>>,
+        TError,
+        {data: string},
+        TContext
+      > => {
+
+      const mutationOptions = getEstSimpleReEnrollMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns attributes the EST client should include in its CSR per
+RFC 7030 §4.5. certctl currently returns an empty attribute set
+(HTTP 204) — profile-based constraints are enforced server-side
+during enrollment rather than advertised here.
+
+ * @summary EST CSR attributes
+ */
+export const estCSRAttrs = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string | void>(
+      {url: `/.well-known/est/csrattrs`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getEstCSRAttrsQueryKey = () => {
+    return [
+    `/.well-known/est/csrattrs`
+    ] as const;
+    }
+
+    
+export const getEstCSRAttrsQueryOptions = <TData = Awaited<ReturnType<typeof estCSRAttrs>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCSRAttrs>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getEstCSRAttrsQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof estCSRAttrs>>> = ({ signal }) => estCSRAttrs(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof estCSRAttrs>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type EstCSRAttrsQueryResult = NonNullable<Awaited<ReturnType<typeof estCSRAttrs>>>
+export type EstCSRAttrsQueryError = InternalErrorResponse
+
+
+export function useEstCSRAttrs<TData = Awaited<ReturnType<typeof estCSRAttrs>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCSRAttrs>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof estCSRAttrs>>,
+          TError,
+          Awaited<ReturnType<typeof estCSRAttrs>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useEstCSRAttrs<TData = Awaited<ReturnType<typeof estCSRAttrs>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCSRAttrs>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof estCSRAttrs>>,
+          TError,
+          Awaited<ReturnType<typeof estCSRAttrs>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useEstCSRAttrs<TData = Awaited<ReturnType<typeof estCSRAttrs>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCSRAttrs>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary EST CSR attributes
+ */
+
+export function useEstCSRAttrs<TData = Awaited<ReturnType<typeof estCSRAttrs>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCSRAttrs>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getEstCSRAttrsQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * EST RFC 7030 §4.4 server-keygen endpoint. Server generates the
+keypair, issues the certificate with the new pubkey, and returns
+BOTH the cert (as `application/pkcs7-mime; smime-type=certs-only`)
+AND the corresponding private key (as `application/pkcs7-mime;
+smime-type=enveloped-data` — the private key is wrapped in CMS
+EnvelopedData encrypted to the client's CSR-supplied
+key-encipherment public key per RFC 7030 §4.4.2).
+
+The two parts are returned as a `multipart/mixed` response body
+with a per-response random boundary. Standard EST clients
+(libest, openssl + smime) parse this multipart body natively.
+
+Per-profile gate: this endpoint is registered for every EST
+profile but returns 404 unless the operator opted in via
+`CERTCTL_EST_PROFILE_<NAME>_SERVER_KEYGEN_ENABLED=true`. The
+per-profile gate constrains the attack surface — server-driven
+keygen requires the server to hold plaintext private keys
+briefly, a meaningful trust delta from device-driven keygen.
+
+Auth modes match the simpleenroll endpoint: HTTP Basic when the
+per-profile enrollment-password is set, anonymous otherwise.
+The mTLS sibling route at /.well-known/est-mtls/<PathID>/serverkeygen
+is registered when the profile has MTLS_ENABLED=true.
+
+EST RFC 7030 hardening master bundle Phase 5.
+
+ * @summary EST server-driven key generation (RFC 7030 §4.4)
+ */
+export const estServerKeygen = (
+    estServerKeygenBody: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/.well-known/est/serverkeygen`, method: 'POST',
+      headers: {'Content-Type': 'application/pkcs10', },
+      data: estServerKeygenBody, signal
+    },
+      );
+    }
+  
+
+
+export const getEstServerKeygenMutationOptions = <TError = void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof estServerKeygen>>, TError,{data: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof estServerKeygen>>, TError,{data: string}, TContext> => {
+
+const mutationKey = ['estServerKeygen'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof estServerKeygen>>, {data: string}> = (props) => {
+          const {data} = props ?? {};
+
+          return  estServerKeygen(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type EstServerKeygenMutationResult = NonNullable<Awaited<ReturnType<typeof estServerKeygen>>>
+    export type EstServerKeygenMutationBody = string
+    export type EstServerKeygenMutationError = void | InternalErrorResponse
+
+    /**
+ * @summary EST server-driven key generation (RFC 7030 §4.4)
+ */
+export const useEstServerKeygen = <TError = void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof estServerKeygen>>, TError,{data: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof estServerKeygen>>,
+        TError,
+        {data: string},
+        TContext
+      > => {
+
+      const mutationOptions = getEstServerKeygenMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/health-monitoring/health-monitoring.ts b/web/src/api/generated/health-monitoring/health-monitoring.ts
new file mode 100644
index 0000000..ed09150
--- /dev/null
+++ b/web/src/api/generated/health-monitoring/health-monitoring.ts
@@ -0,0 +1,695 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  AcknowledgeHealthCheckIncidentBody,
+  BadRequestResponse,
+  CreateHealthCheckBody,
+  EndpointHealthCheck,
+  GetHealthCheckHistory200,
+  GetHealthCheckHistoryParams,
+  GetHealthCheckSummary200,
+  InternalErrorResponse,
+  ListHealthChecks200,
+  ListHealthChecksParams,
+  NotFoundResponse,
+  UpdateHealthCheckBody
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Lists all TLS endpoint health checks with optional filtering by status, certificate, or network scan target.
+Includes current status, last probe results, and probe history summary.
+
+ * @summary List endpoint health checks
+ */
+export const listHealthChecks = (
+    params?: ListHealthChecksParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListHealthChecks200>(
+      {url: `/api/v1/health-checks`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListHealthChecksQueryKey = (params?: ListHealthChecksParams,) => {
+    return [
+    `/api/v1/health-checks`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListHealthChecksQueryOptions = <TData = Awaited<ReturnType<typeof listHealthChecks>>, TError = InternalErrorResponse>(params?: ListHealthChecksParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listHealthChecks>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListHealthChecksQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listHealthChecks>>> = ({ signal }) => listHealthChecks(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listHealthChecks>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListHealthChecksQueryResult = NonNullable<Awaited<ReturnType<typeof listHealthChecks>>>
+export type ListHealthChecksQueryError = InternalErrorResponse
+
+
+export function useListHealthChecks<TData = Awaited<ReturnType<typeof listHealthChecks>>, TError = InternalErrorResponse>(
+ params: undefined |  ListHealthChecksParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listHealthChecks>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listHealthChecks>>,
+          TError,
+          Awaited<ReturnType<typeof listHealthChecks>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListHealthChecks<TData = Awaited<ReturnType<typeof listHealthChecks>>, TError = InternalErrorResponse>(
+ params?: ListHealthChecksParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listHealthChecks>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listHealthChecks>>,
+          TError,
+          Awaited<ReturnType<typeof listHealthChecks>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListHealthChecks<TData = Awaited<ReturnType<typeof listHealthChecks>>, TError = InternalErrorResponse>(
+ params?: ListHealthChecksParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listHealthChecks>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List endpoint health checks
+ */
+
+export function useListHealthChecks<TData = Awaited<ReturnType<typeof listHealthChecks>>, TError = InternalErrorResponse>(
+ params?: ListHealthChecksParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listHealthChecks>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListHealthChecksQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Creates a new manual health check for an endpoint.
+ * @summary Create health check
+ */
+export const createHealthCheck = (
+    createHealthCheckBody: CreateHealthCheckBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<EndpointHealthCheck>(
+      {url: `/api/v1/health-checks`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: createHealthCheckBody, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateHealthCheckMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createHealthCheck>>, TError,{data: CreateHealthCheckBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createHealthCheck>>, TError,{data: CreateHealthCheckBody}, TContext> => {
+
+const mutationKey = ['createHealthCheck'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createHealthCheck>>, {data: CreateHealthCheckBody}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createHealthCheck(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateHealthCheckMutationResult = NonNullable<Awaited<ReturnType<typeof createHealthCheck>>>
+    export type CreateHealthCheckMutationBody = CreateHealthCheckBody
+    export type CreateHealthCheckMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create health check
+ */
+export const useCreateHealthCheck = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createHealthCheck>>, TError,{data: CreateHealthCheckBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createHealthCheck>>,
+        TError,
+        {data: CreateHealthCheckBody},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateHealthCheckMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns aggregate status counts for all health checks.
+ * @summary Health check summary
+ */
+export const getHealthCheckSummary = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetHealthCheckSummary200>(
+      {url: `/api/v1/health-checks/summary`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetHealthCheckSummaryQueryKey = () => {
+    return [
+    `/api/v1/health-checks/summary`
+    ] as const;
+    }
+
+    
+export const getGetHealthCheckSummaryQueryOptions = <TData = Awaited<ReturnType<typeof getHealthCheckSummary>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckSummary>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetHealthCheckSummaryQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getHealthCheckSummary>>> = ({ signal }) => getHealthCheckSummary(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckSummary>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetHealthCheckSummaryQueryResult = NonNullable<Awaited<ReturnType<typeof getHealthCheckSummary>>>
+export type GetHealthCheckSummaryQueryError = InternalErrorResponse
+
+
+export function useGetHealthCheckSummary<TData = Awaited<ReturnType<typeof getHealthCheckSummary>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckSummary>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealthCheckSummary>>,
+          TError,
+          Awaited<ReturnType<typeof getHealthCheckSummary>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealthCheckSummary<TData = Awaited<ReturnType<typeof getHealthCheckSummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckSummary>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealthCheckSummary>>,
+          TError,
+          Awaited<ReturnType<typeof getHealthCheckSummary>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealthCheckSummary<TData = Awaited<ReturnType<typeof getHealthCheckSummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckSummary>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Health check summary
+ */
+
+export function useGetHealthCheckSummary<TData = Awaited<ReturnType<typeof getHealthCheckSummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckSummary>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetHealthCheckSummaryQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Get health check
+ */
+export const getHealthCheck = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<EndpointHealthCheck>(
+      {url: `/api/v1/health-checks/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetHealthCheckQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/health-checks/${id}`
+    ] as const;
+    }
+
+    
+export const getGetHealthCheckQueryOptions = <TData = Awaited<ReturnType<typeof getHealthCheck>>, TError = NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheck>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetHealthCheckQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getHealthCheck>>> = ({ signal }) => getHealthCheck(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getHealthCheck>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetHealthCheckQueryResult = NonNullable<Awaited<ReturnType<typeof getHealthCheck>>>
+export type GetHealthCheckQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useGetHealthCheck<TData = Awaited<ReturnType<typeof getHealthCheck>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheck>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealthCheck>>,
+          TError,
+          Awaited<ReturnType<typeof getHealthCheck>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealthCheck<TData = Awaited<ReturnType<typeof getHealthCheck>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheck>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealthCheck>>,
+          TError,
+          Awaited<ReturnType<typeof getHealthCheck>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealthCheck<TData = Awaited<ReturnType<typeof getHealthCheck>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheck>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get health check
+ */
+
+export function useGetHealthCheck<TData = Awaited<ReturnType<typeof getHealthCheck>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheck>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetHealthCheckQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Update thresholds, interval, or expected fingerprint.
+ * @summary Update health check
+ */
+export const updateHealthCheck = (
+    id: string,
+    updateHealthCheckBody: UpdateHealthCheckBody,
+ ) => {
+      
+      
+      return certctlFetch<EndpointHealthCheck>(
+      {url: `/api/v1/health-checks/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: updateHealthCheckBody
+    },
+      );
+    }
+  
+
+
+export const getUpdateHealthCheckMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateHealthCheck>>, TError,{id: string;data: UpdateHealthCheckBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateHealthCheck>>, TError,{id: string;data: UpdateHealthCheckBody}, TContext> => {
+
+const mutationKey = ['updateHealthCheck'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateHealthCheck>>, {id: string;data: UpdateHealthCheckBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateHealthCheck(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateHealthCheckMutationResult = NonNullable<Awaited<ReturnType<typeof updateHealthCheck>>>
+    export type UpdateHealthCheckMutationBody = UpdateHealthCheckBody
+    export type UpdateHealthCheckMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Update health check
+ */
+export const useUpdateHealthCheck = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateHealthCheck>>, TError,{id: string;data: UpdateHealthCheckBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateHealthCheck>>,
+        TError,
+        {id: string;data: UpdateHealthCheckBody},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateHealthCheckMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Delete health check
+ */
+export const deleteHealthCheck = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/health-checks/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteHealthCheckMutationOptions = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteHealthCheck>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteHealthCheck>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteHealthCheck'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteHealthCheck>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteHealthCheck(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteHealthCheckMutationResult = NonNullable<Awaited<ReturnType<typeof deleteHealthCheck>>>
+    
+    export type DeleteHealthCheckMutationError = NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete health check
+ */
+export const useDeleteHealthCheck = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteHealthCheck>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteHealthCheck>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteHealthCheckMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns historical probe records with status, response times, and errors.
+ * @summary Get probe history
+ */
+export const getHealthCheckHistory = (
+    id: string,
+    params?: GetHealthCheckHistoryParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetHealthCheckHistory200>(
+      {url: `/api/v1/health-checks/${id}/history`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetHealthCheckHistoryQueryKey = (id?: string,
+    params?: GetHealthCheckHistoryParams,) => {
+    return [
+    `/api/v1/health-checks/${id}/history`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getGetHealthCheckHistoryQueryOptions = <TData = Awaited<ReturnType<typeof getHealthCheckHistory>>, TError = NotFoundResponse | InternalErrorResponse>(id: string,
+    params?: GetHealthCheckHistoryParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckHistory>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetHealthCheckHistoryQueryKey(id,params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getHealthCheckHistory>>> = ({ signal }) => getHealthCheckHistory(id,params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckHistory>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetHealthCheckHistoryQueryResult = NonNullable<Awaited<ReturnType<typeof getHealthCheckHistory>>>
+export type GetHealthCheckHistoryQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useGetHealthCheckHistory<TData = Awaited<ReturnType<typeof getHealthCheckHistory>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params: undefined |  GetHealthCheckHistoryParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckHistory>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealthCheckHistory>>,
+          TError,
+          Awaited<ReturnType<typeof getHealthCheckHistory>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealthCheckHistory<TData = Awaited<ReturnType<typeof getHealthCheckHistory>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params?: GetHealthCheckHistoryParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckHistory>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealthCheckHistory>>,
+          TError,
+          Awaited<ReturnType<typeof getHealthCheckHistory>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealthCheckHistory<TData = Awaited<ReturnType<typeof getHealthCheckHistory>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params?: GetHealthCheckHistoryParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckHistory>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get probe history
+ */
+
+export function useGetHealthCheckHistory<TData = Awaited<ReturnType<typeof getHealthCheckHistory>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params?: GetHealthCheckHistoryParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckHistory>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetHealthCheckHistoryQueryOptions(id,params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Mark a health check incident as acknowledged by the operator.
+ * @summary Acknowledge incident
+ */
+export const acknowledgeHealthCheckIncident = (
+    id: string,
+    acknowledgeHealthCheckIncidentBody: AcknowledgeHealthCheckIncidentBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<EndpointHealthCheck>(
+      {url: `/api/v1/health-checks/${id}/acknowledge`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: acknowledgeHealthCheckIncidentBody, signal
+    },
+      );
+    }
+  
+
+
+export const getAcknowledgeHealthCheckIncidentMutationOptions = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof acknowledgeHealthCheckIncident>>, TError,{id: string;data: AcknowledgeHealthCheckIncidentBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof acknowledgeHealthCheckIncident>>, TError,{id: string;data: AcknowledgeHealthCheckIncidentBody}, TContext> => {
+
+const mutationKey = ['acknowledgeHealthCheckIncident'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof acknowledgeHealthCheckIncident>>, {id: string;data: AcknowledgeHealthCheckIncidentBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  acknowledgeHealthCheckIncident(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type AcknowledgeHealthCheckIncidentMutationResult = NonNullable<Awaited<ReturnType<typeof acknowledgeHealthCheckIncident>>>
+    export type AcknowledgeHealthCheckIncidentMutationBody = AcknowledgeHealthCheckIncidentBody
+    export type AcknowledgeHealthCheckIncidentMutationError = NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Acknowledge incident
+ */
+export const useAcknowledgeHealthCheckIncident = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof acknowledgeHealthCheckIncident>>, TError,{id: string;data: AcknowledgeHealthCheckIncidentBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof acknowledgeHealthCheckIncident>>,
+        TError,
+        {id: string;data: AcknowledgeHealthCheckIncidentBody},
+        TContext
+      > => {
+
+      const mutationOptions = getAcknowledgeHealthCheckIncidentMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/health/health.ts b/web/src/api/generated/health/health.ts
new file mode 100644
index 0000000..b38cc2f
--- /dev/null
+++ b/web/src/api/generated/health/health.ts
@@ -0,0 +1,526 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  CheckAuth200,
+  GetAuthInfo200,
+  GetHealth200,
+  GetReady200,
+  GetVersion200
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary Health check
+ */
+export const getHealth = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetHealth200>(
+      {url: `/health`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetHealthQueryKey = () => {
+    return [
+    `/health`
+    ] as const;
+    }
+
+    
+export const getGetHealthQueryOptions = <TData = Awaited<ReturnType<typeof getHealth>>, TError = unknown>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealth>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetHealthQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getHealth>>> = ({ signal }) => getHealth(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getHealth>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetHealthQueryResult = NonNullable<Awaited<ReturnType<typeof getHealth>>>
+export type GetHealthQueryError = unknown
+
+
+export function useGetHealth<TData = Awaited<ReturnType<typeof getHealth>>, TError = unknown>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealth>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealth>>,
+          TError,
+          Awaited<ReturnType<typeof getHealth>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealth<TData = Awaited<ReturnType<typeof getHealth>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealth>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealth>>,
+          TError,
+          Awaited<ReturnType<typeof getHealth>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealth<TData = Awaited<ReturnType<typeof getHealth>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealth>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Health check
+ */
+
+export function useGetHealth<TData = Awaited<ReturnType<typeof getHealth>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealth>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetHealthQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Readiness check
+ */
+export const getReady = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetReady200>(
+      {url: `/ready`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetReadyQueryKey = () => {
+    return [
+    `/ready`
+    ] as const;
+    }
+
+    
+export const getGetReadyQueryOptions = <TData = Awaited<ReturnType<typeof getReady>>, TError = unknown>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getReady>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetReadyQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getReady>>> = ({ signal }) => getReady(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getReady>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetReadyQueryResult = NonNullable<Awaited<ReturnType<typeof getReady>>>
+export type GetReadyQueryError = unknown
+
+
+export function useGetReady<TData = Awaited<ReturnType<typeof getReady>>, TError = unknown>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getReady>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getReady>>,
+          TError,
+          Awaited<ReturnType<typeof getReady>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetReady<TData = Awaited<ReturnType<typeof getReady>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getReady>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getReady>>,
+          TError,
+          Awaited<ReturnType<typeof getReady>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetReady<TData = Awaited<ReturnType<typeof getReady>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getReady>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Readiness check
+ */
+
+export function useGetReady<TData = Awaited<ReturnType<typeof getReady>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getReady>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetReadyQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns auth mode. Served without auth so GUI can detect auth requirements before login.
+ * @summary Auth configuration info
+ */
+export const getAuthInfo = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetAuthInfo200>(
+      {url: `/api/v1/auth/info`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetAuthInfoQueryKey = () => {
+    return [
+    `/api/v1/auth/info`
+    ] as const;
+    }
+
+    
+export const getGetAuthInfoQueryOptions = <TData = Awaited<ReturnType<typeof getAuthInfo>>, TError = unknown>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthInfo>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetAuthInfoQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getAuthInfo>>> = ({ signal }) => getAuthInfo(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getAuthInfo>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetAuthInfoQueryResult = NonNullable<Awaited<ReturnType<typeof getAuthInfo>>>
+export type GetAuthInfoQueryError = unknown
+
+
+export function useGetAuthInfo<TData = Awaited<ReturnType<typeof getAuthInfo>>, TError = unknown>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthInfo>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuthInfo>>,
+          TError,
+          Awaited<ReturnType<typeof getAuthInfo>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuthInfo<TData = Awaited<ReturnType<typeof getAuthInfo>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthInfo>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuthInfo>>,
+          TError,
+          Awaited<ReturnType<typeof getAuthInfo>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuthInfo<TData = Awaited<ReturnType<typeof getAuthInfo>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthInfo>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Auth configuration info
+ */
+
+export function useGetAuthInfo<TData = Awaited<ReturnType<typeof getAuthInfo>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthInfo>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetAuthInfoQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns 200 if auth credentials are valid, 401 otherwise.
+
+Bundle 1 Phase 3 closure (M1): when the server has the RBAC
+primitive wired (Bundle 1 default), the response also includes
+the caller's `actor_id`, `actor_type`, `tenant_id`, the
+`roles` they hold, and `effective_permissions` they resolve
+to. The legacy `admin` boolean is preserved for back-compat
+with pre-Bundle-1 GUIs; new GUIs should switch to
+`effective_permissions` for affordance gating.
+
+ * @summary Validate credentials
+ */
+export const checkAuth = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<CheckAuth200>(
+      {url: `/api/v1/auth/check`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getCheckAuthQueryKey = () => {
+    return [
+    `/api/v1/auth/check`
+    ] as const;
+    }
+
+    
+export const getCheckAuthQueryOptions = <TData = Awaited<ReturnType<typeof checkAuth>>, TError = void>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof checkAuth>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getCheckAuthQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof checkAuth>>> = ({ signal }) => checkAuth(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof checkAuth>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type CheckAuthQueryResult = NonNullable<Awaited<ReturnType<typeof checkAuth>>>
+export type CheckAuthQueryError = void
+
+
+export function useCheckAuth<TData = Awaited<ReturnType<typeof checkAuth>>, TError = void>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof checkAuth>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof checkAuth>>,
+          TError,
+          Awaited<ReturnType<typeof checkAuth>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useCheckAuth<TData = Awaited<ReturnType<typeof checkAuth>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof checkAuth>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof checkAuth>>,
+          TError,
+          Awaited<ReturnType<typeof checkAuth>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useCheckAuth<TData = Awaited<ReturnType<typeof checkAuth>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof checkAuth>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Validate credentials
+ */
+
+export function useCheckAuth<TData = Awaited<ReturnType<typeof checkAuth>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof checkAuth>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getCheckAuthQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns the running server's build identity. Served without
+auth so rollout systems and blackbox probes can read it without
+Bearer credentials. U-3 ride-along (cat-u-no_version_endpoint).
+Excluded from audit logging because rollout polling would
+otherwise dominate the audit trail.
+
+The Version field follows a fallback ladder: ldflags-supplied
+value > VCS commit SHA > "dev". Commit / Modified / BuildTime
+come from runtime/debug.BuildInfo (Go 1.18+ stamps these on
+every module-tracked build). GoVersion is runtime.Version().
+
+ * @summary Build identity (version, commit, Go runtime)
+ */
+export const getVersion = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetVersion200>(
+      {url: `/api/v1/version`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetVersionQueryKey = () => {
+    return [
+    `/api/v1/version`
+    ] as const;
+    }
+
+    
+export const getGetVersionQueryOptions = <TData = Awaited<ReturnType<typeof getVersion>>, TError = unknown>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getVersion>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetVersionQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getVersion>>> = ({ signal }) => getVersion(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getVersion>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetVersionQueryResult = NonNullable<Awaited<ReturnType<typeof getVersion>>>
+export type GetVersionQueryError = unknown
+
+
+export function useGetVersion<TData = Awaited<ReturnType<typeof getVersion>>, TError = unknown>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getVersion>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getVersion>>,
+          TError,
+          Awaited<ReturnType<typeof getVersion>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetVersion<TData = Awaited<ReturnType<typeof getVersion>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getVersion>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getVersion>>,
+          TError,
+          Awaited<ReturnType<typeof getVersion>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetVersion<TData = Awaited<ReturnType<typeof getVersion>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getVersion>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Build identity (version, commit, Go runtime)
+ */
+
+export function useGetVersion<TData = Awaited<ReturnType<typeof getVersion>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getVersion>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetVersionQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
diff --git a/web/src/api/generated/intermediate-c-as/intermediate-c-as.ts b/web/src/api/generated/intermediate-c-as/intermediate-c-as.ts
new file mode 100644
index 0000000..4cc4857
--- /dev/null
+++ b/web/src/api/generated/intermediate-c-as/intermediate-c-as.ts
@@ -0,0 +1,381 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  CreateIntermediateCABody,
+  InternalErrorResponse,
+  ListIntermediateCAs200,
+  NotFoundResponse,
+  RetireIntermediateCABody
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Admin-gated. Discriminator on body shape: when parent_ca_id is
+empty AND root_cert_pem + key_driver_id are present, the
+endpoint registers an operator-supplied root CA. Otherwise it
+signs a child sub-CA cert under the named parent (RFC 5280
+§4.2.1.9 path-length tightening + §4.2.1.10 NameConstraints
+subset semantics enforced at the service layer).
+
+ * @summary Create a root or child intermediate CA under the issuer
+ */
+export const createIntermediateCA = (
+    id: string,
+    createIntermediateCABody: CreateIntermediateCABody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/issuers/${id}/intermediates`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: createIntermediateCABody, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateIntermediateCAMutationOptions = <TError = void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createIntermediateCA>>, TError,{id: string;data: CreateIntermediateCABody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createIntermediateCA>>, TError,{id: string;data: CreateIntermediateCABody}, TContext> => {
+
+const mutationKey = ['createIntermediateCA'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createIntermediateCA>>, {id: string;data: CreateIntermediateCABody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  createIntermediateCA(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateIntermediateCAMutationResult = NonNullable<Awaited<ReturnType<typeof createIntermediateCA>>>
+    export type CreateIntermediateCAMutationBody = CreateIntermediateCABody
+    export type CreateIntermediateCAMutationError = void | InternalErrorResponse
+
+    /**
+ * @summary Create a root or child intermediate CA under the issuer
+ */
+export const useCreateIntermediateCA = <TError = void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createIntermediateCA>>, TError,{id: string;data: CreateIntermediateCABody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createIntermediateCA>>,
+        TError,
+        {id: string;data: CreateIntermediateCABody},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateIntermediateCAMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Admin-gated. Returns the flat list of every IntermediateCA row
+for the issuer, ordered by created_at. The caller renders the
+tree from each row's parent_ca_id (nil = root).
+
+ * @summary List the CA hierarchy for an issuer
+ */
+export const listIntermediateCAs = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListIntermediateCAs200>(
+      {url: `/api/v1/issuers/${id}/intermediates`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListIntermediateCAsQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/issuers/${id}/intermediates`
+    ] as const;
+    }
+
+    
+export const getListIntermediateCAsQueryOptions = <TData = Awaited<ReturnType<typeof listIntermediateCAs>>, TError = void>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIntermediateCAs>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListIntermediateCAsQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listIntermediateCAs>>> = ({ signal }) => listIntermediateCAs(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listIntermediateCAs>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListIntermediateCAsQueryResult = NonNullable<Awaited<ReturnType<typeof listIntermediateCAs>>>
+export type ListIntermediateCAsQueryError = void
+
+
+export function useListIntermediateCAs<TData = Awaited<ReturnType<typeof listIntermediateCAs>>, TError = void>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIntermediateCAs>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listIntermediateCAs>>,
+          TError,
+          Awaited<ReturnType<typeof listIntermediateCAs>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListIntermediateCAs<TData = Awaited<ReturnType<typeof listIntermediateCAs>>, TError = void>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIntermediateCAs>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listIntermediateCAs>>,
+          TError,
+          Awaited<ReturnType<typeof listIntermediateCAs>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListIntermediateCAs<TData = Awaited<ReturnType<typeof listIntermediateCAs>>, TError = void>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIntermediateCAs>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List the CA hierarchy for an issuer
+ */
+
+export function useListIntermediateCAs<TData = Awaited<ReturnType<typeof listIntermediateCAs>>, TError = void>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIntermediateCAs>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListIntermediateCAsQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Get a single intermediate CA by ID
+ */
+export const getIntermediateCA = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/intermediates/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetIntermediateCAQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/intermediates/${id}`
+    ] as const;
+    }
+
+    
+export const getGetIntermediateCAQueryOptions = <TData = Awaited<ReturnType<typeof getIntermediateCA>>, TError = void | NotFoundResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIntermediateCA>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetIntermediateCAQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getIntermediateCA>>> = ({ signal }) => getIntermediateCA(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getIntermediateCA>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetIntermediateCAQueryResult = NonNullable<Awaited<ReturnType<typeof getIntermediateCA>>>
+export type GetIntermediateCAQueryError = void | NotFoundResponse
+
+
+export function useGetIntermediateCA<TData = Awaited<ReturnType<typeof getIntermediateCA>>, TError = void | NotFoundResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIntermediateCA>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getIntermediateCA>>,
+          TError,
+          Awaited<ReturnType<typeof getIntermediateCA>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetIntermediateCA<TData = Awaited<ReturnType<typeof getIntermediateCA>>, TError = void | NotFoundResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIntermediateCA>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getIntermediateCA>>,
+          TError,
+          Awaited<ReturnType<typeof getIntermediateCA>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetIntermediateCA<TData = Awaited<ReturnType<typeof getIntermediateCA>>, TError = void | NotFoundResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIntermediateCA>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get a single intermediate CA by ID
+ */
+
+export function useGetIntermediateCA<TData = Awaited<ReturnType<typeof getIntermediateCA>>, TError = void | NotFoundResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIntermediateCA>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetIntermediateCAQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Admin-gated. Two-phase: first call (confirm=false) transitions
+active to retiring (the CA stops issuing new children but
+existing children continue). Second call (confirm=true)
+transitions retiring to retired (terminal). Refuses the
+terminal transition if the CA still has active children —
+drain-first semantics.
+
+ * @summary Retire an intermediate CA (two-phase drain)
+ */
+export const retireIntermediateCA = (
+    id: string,
+    retireIntermediateCABody?: RetireIntermediateCABody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/intermediates/${id}/retire`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: retireIntermediateCABody, signal
+    },
+      );
+    }
+  
+
+
+export const getRetireIntermediateCAMutationOptions = <TError = void | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof retireIntermediateCA>>, TError,{id: string;data: RetireIntermediateCABody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof retireIntermediateCA>>, TError,{id: string;data: RetireIntermediateCABody}, TContext> => {
+
+const mutationKey = ['retireIntermediateCA'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof retireIntermediateCA>>, {id: string;data: RetireIntermediateCABody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  retireIntermediateCA(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RetireIntermediateCAMutationResult = NonNullable<Awaited<ReturnType<typeof retireIntermediateCA>>>
+    export type RetireIntermediateCAMutationBody = RetireIntermediateCABody
+    export type RetireIntermediateCAMutationError = void | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Retire an intermediate CA (two-phase drain)
+ */
+export const useRetireIntermediateCA = <TError = void | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof retireIntermediateCA>>, TError,{id: string;data: RetireIntermediateCABody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof retireIntermediateCA>>,
+        TError,
+        {id: string;data: RetireIntermediateCABody},
+        TContext
+      > => {
+
+      const mutationOptions = getRetireIntermediateCAMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/issuers/issuers.ts b/web/src/api/generated/issuers/issuers.ts
new file mode 100644
index 0000000..ce6abae
--- /dev/null
+++ b/web/src/api/generated/issuers/issuers.ts
@@ -0,0 +1,487 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  InternalErrorResponse,
+  Issuer,
+  ListIssuers200,
+  ListIssuersParams,
+  NotFoundResponse,
+  StatusResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List issuers
+ */
+export const listIssuers = (
+    params?: ListIssuersParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListIssuers200>(
+      {url: `/api/v1/issuers`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListIssuersQueryKey = (params?: ListIssuersParams,) => {
+    return [
+    `/api/v1/issuers`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListIssuersQueryOptions = <TData = Awaited<ReturnType<typeof listIssuers>>, TError = InternalErrorResponse>(params?: ListIssuersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIssuers>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListIssuersQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listIssuers>>> = ({ signal }) => listIssuers(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listIssuers>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListIssuersQueryResult = NonNullable<Awaited<ReturnType<typeof listIssuers>>>
+export type ListIssuersQueryError = InternalErrorResponse
+
+
+export function useListIssuers<TData = Awaited<ReturnType<typeof listIssuers>>, TError = InternalErrorResponse>(
+ params: undefined |  ListIssuersParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIssuers>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listIssuers>>,
+          TError,
+          Awaited<ReturnType<typeof listIssuers>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListIssuers<TData = Awaited<ReturnType<typeof listIssuers>>, TError = InternalErrorResponse>(
+ params?: ListIssuersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIssuers>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listIssuers>>,
+          TError,
+          Awaited<ReturnType<typeof listIssuers>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListIssuers<TData = Awaited<ReturnType<typeof listIssuers>>, TError = InternalErrorResponse>(
+ params?: ListIssuersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIssuers>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List issuers
+ */
+
+export function useListIssuers<TData = Awaited<ReturnType<typeof listIssuers>>, TError = InternalErrorResponse>(
+ params?: ListIssuersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIssuers>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListIssuersQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Create issuer
+ */
+export const createIssuer = (
+    issuer: Issuer,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Issuer>(
+      {url: `/api/v1/issuers`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: issuer, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateIssuerMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createIssuer>>, TError,{data: Issuer}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createIssuer>>, TError,{data: Issuer}, TContext> => {
+
+const mutationKey = ['createIssuer'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createIssuer>>, {data: Issuer}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createIssuer(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateIssuerMutationResult = NonNullable<Awaited<ReturnType<typeof createIssuer>>>
+    export type CreateIssuerMutationBody = Issuer
+    export type CreateIssuerMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create issuer
+ */
+export const useCreateIssuer = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createIssuer>>, TError,{data: Issuer}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createIssuer>>,
+        TError,
+        {data: Issuer},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateIssuerMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Get issuer
+ */
+export const getIssuer = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Issuer>(
+      {url: `/api/v1/issuers/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetIssuerQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/issuers/${id}`
+    ] as const;
+    }
+
+    
+export const getGetIssuerQueryOptions = <TData = Awaited<ReturnType<typeof getIssuer>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuer>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetIssuerQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getIssuer>>> = ({ signal }) => getIssuer(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getIssuer>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetIssuerQueryResult = NonNullable<Awaited<ReturnType<typeof getIssuer>>>
+export type GetIssuerQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetIssuer<TData = Awaited<ReturnType<typeof getIssuer>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuer>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getIssuer>>,
+          TError,
+          Awaited<ReturnType<typeof getIssuer>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetIssuer<TData = Awaited<ReturnType<typeof getIssuer>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuer>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getIssuer>>,
+          TError,
+          Awaited<ReturnType<typeof getIssuer>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetIssuer<TData = Awaited<ReturnType<typeof getIssuer>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuer>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get issuer
+ */
+
+export function useGetIssuer<TData = Awaited<ReturnType<typeof getIssuer>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuer>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetIssuerQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Update issuer
+ */
+export const updateIssuer = (
+    id: string,
+    issuer: Issuer,
+ ) => {
+      
+      
+      return certctlFetch<Issuer>(
+      {url: `/api/v1/issuers/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: issuer
+    },
+      );
+    }
+  
+
+
+export const getUpdateIssuerMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateIssuer>>, TError,{id: string;data: Issuer}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateIssuer>>, TError,{id: string;data: Issuer}, TContext> => {
+
+const mutationKey = ['updateIssuer'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateIssuer>>, {id: string;data: Issuer}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateIssuer(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateIssuerMutationResult = NonNullable<Awaited<ReturnType<typeof updateIssuer>>>
+    export type UpdateIssuerMutationBody = Issuer
+    export type UpdateIssuerMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Update issuer
+ */
+export const useUpdateIssuer = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateIssuer>>, TError,{id: string;data: Issuer}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateIssuer>>,
+        TError,
+        {id: string;data: Issuer},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateIssuerMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Delete issuer
+ */
+export const deleteIssuer = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/issuers/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteIssuerMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteIssuer>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteIssuer>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteIssuer'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteIssuer>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteIssuer(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteIssuerMutationResult = NonNullable<Awaited<ReturnType<typeof deleteIssuer>>>
+    
+    export type DeleteIssuerMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete issuer
+ */
+export const useDeleteIssuer = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteIssuer>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteIssuer>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteIssuerMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Test issuer connection
+ */
+export const testIssuerConnection = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/issuers/${id}/test`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getTestIssuerConnectionMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof testIssuerConnection>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof testIssuerConnection>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['testIssuerConnection'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof testIssuerConnection>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  testIssuerConnection(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type TestIssuerConnectionMutationResult = NonNullable<Awaited<ReturnType<typeof testIssuerConnection>>>
+    
+    export type TestIssuerConnectionMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Test issuer connection
+ */
+export const useTestIssuerConnection = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof testIssuerConnection>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof testIssuerConnection>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getTestIssuerConnectionMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/jobs/jobs.ts b/web/src/api/generated/jobs/jobs.ts
new file mode 100644
index 0000000..a2b0b85
--- /dev/null
+++ b/web/src/api/generated/jobs/jobs.ts
@@ -0,0 +1,428 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  InternalErrorResponse,
+  Job,
+  ListJobs200,
+  ListJobsParams,
+  NotFoundResponse,
+  RejectJobBody,
+  StatusResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List jobs
+ */
+export const listJobs = (
+    params?: ListJobsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListJobs200>(
+      {url: `/api/v1/jobs`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListJobsQueryKey = (params?: ListJobsParams,) => {
+    return [
+    `/api/v1/jobs`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListJobsQueryOptions = <TData = Awaited<ReturnType<typeof listJobs>>, TError = InternalErrorResponse>(params?: ListJobsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listJobs>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListJobsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listJobs>>> = ({ signal }) => listJobs(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listJobs>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListJobsQueryResult = NonNullable<Awaited<ReturnType<typeof listJobs>>>
+export type ListJobsQueryError = InternalErrorResponse
+
+
+export function useListJobs<TData = Awaited<ReturnType<typeof listJobs>>, TError = InternalErrorResponse>(
+ params: undefined |  ListJobsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listJobs>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listJobs>>,
+          TError,
+          Awaited<ReturnType<typeof listJobs>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListJobs<TData = Awaited<ReturnType<typeof listJobs>>, TError = InternalErrorResponse>(
+ params?: ListJobsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listJobs>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listJobs>>,
+          TError,
+          Awaited<ReturnType<typeof listJobs>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListJobs<TData = Awaited<ReturnType<typeof listJobs>>, TError = InternalErrorResponse>(
+ params?: ListJobsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listJobs>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List jobs
+ */
+
+export function useListJobs<TData = Awaited<ReturnType<typeof listJobs>>, TError = InternalErrorResponse>(
+ params?: ListJobsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listJobs>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListJobsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Get job
+ */
+export const getJob = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Job>(
+      {url: `/api/v1/jobs/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetJobQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/jobs/${id}`
+    ] as const;
+    }
+
+    
+export const getGetJobQueryOptions = <TData = Awaited<ReturnType<typeof getJob>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJob>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetJobQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getJob>>> = ({ signal }) => getJob(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getJob>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetJobQueryResult = NonNullable<Awaited<ReturnType<typeof getJob>>>
+export type GetJobQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetJob<TData = Awaited<ReturnType<typeof getJob>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJob>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getJob>>,
+          TError,
+          Awaited<ReturnType<typeof getJob>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetJob<TData = Awaited<ReturnType<typeof getJob>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJob>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getJob>>,
+          TError,
+          Awaited<ReturnType<typeof getJob>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetJob<TData = Awaited<ReturnType<typeof getJob>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJob>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get job
+ */
+
+export function useGetJob<TData = Awaited<ReturnType<typeof getJob>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJob>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetJobQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Cancel job
+ */
+export const cancelJob = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/jobs/${id}/cancel`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getCancelJobMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof cancelJob>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof cancelJob>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['cancelJob'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof cancelJob>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  cancelJob(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CancelJobMutationResult = NonNullable<Awaited<ReturnType<typeof cancelJob>>>
+    
+    export type CancelJobMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Cancel job
+ */
+export const useCancelJob = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof cancelJob>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof cancelJob>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getCancelJobMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Approves a job in AwaitingApproval state.
+ * @summary Approve job
+ */
+export const approveJob = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/jobs/${id}/approve`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getApproveJobMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof approveJob>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof approveJob>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['approveJob'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof approveJob>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  approveJob(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ApproveJobMutationResult = NonNullable<Awaited<ReturnType<typeof approveJob>>>
+    
+    export type ApproveJobMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Approve job
+ */
+export const useApproveJob = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof approveJob>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof approveJob>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getApproveJobMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Rejects a job in AwaitingApproval state with an optional reason.
+ * @summary Reject job
+ */
+export const rejectJob = (
+    id: string,
+    rejectJobBody: RejectJobBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/jobs/${id}/reject`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: rejectJobBody, signal
+    },
+      );
+    }
+  
+
+
+export const getRejectJobMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof rejectJob>>, TError,{id: string;data: RejectJobBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof rejectJob>>, TError,{id: string;data: RejectJobBody}, TContext> => {
+
+const mutationKey = ['rejectJob'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof rejectJob>>, {id: string;data: RejectJobBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  rejectJob(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RejectJobMutationResult = NonNullable<Awaited<ReturnType<typeof rejectJob>>>
+    export type RejectJobMutationBody = RejectJobBody
+    export type RejectJobMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Reject job
+ */
+export const useRejectJob = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof rejectJob>>, TError,{id: string;data: RejectJobBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof rejectJob>>,
+        TError,
+        {id: string;data: RejectJobBody},
+        TContext
+      > => {
+
+      const mutationOptions = getRejectJobMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/metrics/metrics.ts b/web/src/api/generated/metrics/metrics.ts
new file mode 100644
index 0000000..2734746
--- /dev/null
+++ b/web/src/api/generated/metrics/metrics.ts
@@ -0,0 +1,230 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  InternalErrorResponse,
+  MetricsResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * JSON metrics snapshot with gauges, counters, and uptime. See also /api/v1/metrics/prometheus for Prometheus exposition format.
+ * @summary System metrics
+ */
+export const getMetrics = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<MetricsResponse>(
+      {url: `/api/v1/metrics`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetMetricsQueryKey = () => {
+    return [
+    `/api/v1/metrics`
+    ] as const;
+    }
+
+    
+export const getGetMetricsQueryOptions = <TData = Awaited<ReturnType<typeof getMetrics>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getMetrics>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetMetricsQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getMetrics>>> = ({ signal }) => getMetrics(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getMetrics>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetMetricsQueryResult = NonNullable<Awaited<ReturnType<typeof getMetrics>>>
+export type GetMetricsQueryError = InternalErrorResponse
+
+
+export function useGetMetrics<TData = Awaited<ReturnType<typeof getMetrics>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getMetrics>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getMetrics>>,
+          TError,
+          Awaited<ReturnType<typeof getMetrics>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetMetrics<TData = Awaited<ReturnType<typeof getMetrics>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getMetrics>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getMetrics>>,
+          TError,
+          Awaited<ReturnType<typeof getMetrics>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetMetrics<TData = Awaited<ReturnType<typeof getMetrics>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getMetrics>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary System metrics
+ */
+
+export function useGetMetrics<TData = Awaited<ReturnType<typeof getMetrics>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getMetrics>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetMetricsQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Prometheus exposition format metrics. Compatible with Prometheus, Grafana Agent,
+Datadog Agent, Victoria Metrics, and any OpenMetrics scraper.
+Returns 11 metrics with certctl_ prefix (8 gauges, 2 counters, 1 info).
+
+ * @summary Prometheus metrics
+ */
+export const getPrometheusMetrics = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/api/v1/metrics/prometheus`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetPrometheusMetricsQueryKey = () => {
+    return [
+    `/api/v1/metrics/prometheus`
+    ] as const;
+    }
+
+    
+export const getGetPrometheusMetricsQueryOptions = <TData = Awaited<ReturnType<typeof getPrometheusMetrics>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPrometheusMetrics>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetPrometheusMetricsQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getPrometheusMetrics>>> = ({ signal }) => getPrometheusMetrics(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getPrometheusMetrics>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetPrometheusMetricsQueryResult = NonNullable<Awaited<ReturnType<typeof getPrometheusMetrics>>>
+export type GetPrometheusMetricsQueryError = InternalErrorResponse
+
+
+export function useGetPrometheusMetrics<TData = Awaited<ReturnType<typeof getPrometheusMetrics>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPrometheusMetrics>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getPrometheusMetrics>>,
+          TError,
+          Awaited<ReturnType<typeof getPrometheusMetrics>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetPrometheusMetrics<TData = Awaited<ReturnType<typeof getPrometheusMetrics>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPrometheusMetrics>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getPrometheusMetrics>>,
+          TError,
+          Awaited<ReturnType<typeof getPrometheusMetrics>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetPrometheusMetrics<TData = Awaited<ReturnType<typeof getPrometheusMetrics>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPrometheusMetrics>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Prometheus metrics
+ */
+
+export function useGetPrometheusMetrics<TData = Awaited<ReturnType<typeof getPrometheusMetrics>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPrometheusMetrics>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetPrometheusMetricsQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
diff --git a/web/src/api/generated/model/acknowledgeHealthCheckIncidentBody.ts b/web/src/api/generated/model/acknowledgeHealthCheckIncidentBody.ts
new file mode 100644
index 0000000..3b3931b
--- /dev/null
+++ b/web/src/api/generated/model/acknowledgeHealthCheckIncidentBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AcknowledgeHealthCheckIncidentBody = {
+  /** Operator name or ID */
+  acknowledged_by?: string;
+};
diff --git a/web/src/api/generated/model/actorType.ts b/web/src/api/generated/model/actorType.ts
new file mode 100644
index 0000000..01d0067
--- /dev/null
+++ b/web/src/api/generated/model/actorType.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ActorType = typeof ActorType[keyof typeof ActorType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ActorType = {
+  User: 'User',
+  System: 'System',
+  Agent: 'Agent',
+} as const;
diff --git a/web/src/api/generated/model/agent.ts b/web/src/api/generated/model/agent.ts
new file mode 100644
index 0000000..dd66a9c
--- /dev/null
+++ b/web/src/api/generated/model/agent.ts
@@ -0,0 +1,48 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AgentStatus } from './agentStatus';
+
+export interface Agent {
+  id?: string;
+  name?: string;
+  hostname?: string;
+  status?: AgentStatus;
+  last_heartbeat_at?: string;
+  registered_at?: string;
+  os?: string;
+  architecture?: string;
+  ip_address?: string;
+  version?: string;
+  /**
+   * I-004: soft-retirement timestamp. `null` (or field absent) means the
+agent is active. A non-null value is the canonical "retired" state —
+the operational `status` column is preserved at retirement time as
+the last-seen value, but `retired_at` is the source of truth for
+filtering agents out of active listings.
+
+   * @nullable
+   */
+  retired_at?: string | null;
+  /**
+   * I-004: human-readable reason captured at retirement time. Only set
+when the agent was retired via `?force=true&reason=...` cascade; a
+default soft-retire leaves this field null.
+
+   * @nullable
+   */
+  retired_reason?: string | null;
+}
diff --git a/web/src/api/generated/model/agentDependencyCounts.ts b/web/src/api/generated/model/agentDependencyCounts.ts
new file mode 100644
index 0000000..63e8962
--- /dev/null
+++ b/web/src/api/generated/model/agentDependencyCounts.ts
@@ -0,0 +1,34 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * I-004: preflight counts of active downstream rows that would be
+orphaned by retiring an agent. Returned in the 409
+`blocked_by_dependencies` body so the operator UI can tell the user
+which bucket is blocking the retire, and also in the 200 response
+body on a successful `?force=true` cascade as a snapshot of what
+was cascaded.
+
+ */
+export interface AgentDependencyCounts {
+  /** Deployment targets with this agent assigned and retired_at IS NULL */
+  active_targets?: number;
+  /** Certificates currently deployed via one of this agent's active targets */
+  active_certificates?: number;
+  /** Jobs with agent_id=this in status Pending, AwaitingCSR, AwaitingApproval, or Running */
+  pending_jobs?: number;
+}
diff --git a/web/src/api/generated/model/agentGetWork200.ts b/web/src/api/generated/model/agentGetWork200.ts
new file mode 100644
index 0000000..86e4d3a
--- /dev/null
+++ b/web/src/api/generated/model/agentGetWork200.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { WorkItem } from './workItem';
+
+export type AgentGetWork200 = {
+  jobs?: WorkItem[];
+  count?: number;
+};
diff --git a/web/src/api/generated/model/agentGroup.ts b/web/src/api/generated/model/agentGroup.ts
new file mode 100644
index 0000000..abfe111
--- /dev/null
+++ b/web/src/api/generated/model/agentGroup.ts
@@ -0,0 +1,29 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface AgentGroup {
+  id?: string;
+  name?: string;
+  description?: string;
+  match_os?: string;
+  match_architecture?: string;
+  match_ip_cidr?: string;
+  match_version?: string;
+  enabled?: boolean;
+  created_at?: string;
+  updated_at?: string;
+}
diff --git a/web/src/api/generated/model/agentHeartbeatBody.ts b/web/src/api/generated/model/agentHeartbeatBody.ts
new file mode 100644
index 0000000..a8929e3
--- /dev/null
+++ b/web/src/api/generated/model/agentHeartbeatBody.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AgentHeartbeatBody = {
+  version?: string;
+  hostname?: string;
+  os?: string;
+  architecture?: string;
+  ip_address?: string;
+};
diff --git a/web/src/api/generated/model/agentPickupCertificate200.ts b/web/src/api/generated/model/agentPickupCertificate200.ts
new file mode 100644
index 0000000..3cc8e17
--- /dev/null
+++ b/web/src/api/generated/model/agentPickupCertificate200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AgentPickupCertificate200 = {
+  certificate_pem?: string;
+};
diff --git a/web/src/api/generated/model/agentReportJobStatusBody.ts b/web/src/api/generated/model/agentReportJobStatusBody.ts
new file mode 100644
index 0000000..df7ddf4
--- /dev/null
+++ b/web/src/api/generated/model/agentReportJobStatusBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AgentReportJobStatusBody = {
+  status: string;
+  error?: string;
+};
diff --git a/web/src/api/generated/model/agentStatus.ts b/web/src/api/generated/model/agentStatus.ts
new file mode 100644
index 0000000..15c15f2
--- /dev/null
+++ b/web/src/api/generated/model/agentStatus.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AgentStatus = typeof AgentStatus[keyof typeof AgentStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const AgentStatus = {
+  Online: 'Online',
+  Offline: 'Offline',
+  Degraded: 'Degraded',
+} as const;
diff --git a/web/src/api/generated/model/agentSubmitCSRBody.ts b/web/src/api/generated/model/agentSubmitCSRBody.ts
new file mode 100644
index 0000000..e6ca9dd
--- /dev/null
+++ b/web/src/api/generated/model/agentSubmitCSRBody.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AgentSubmitCSRBody = {
+  /** PEM-encoded certificate signing request */
+  csr_pem: string;
+  certificate_id?: string;
+};
diff --git a/web/src/api/generated/model/approvalRequest.ts b/web/src/api/generated/model/approvalRequest.ts
new file mode 100644
index 0000000..bff9ac0
--- /dev/null
+++ b/web/src/api/generated/model/approvalRequest.ts
@@ -0,0 +1,50 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ApprovalRequestState } from './approvalRequestState';
+import type { ApprovalRequestMetadata } from './approvalRequestMetadata';
+
+/**
+ * Rank 7 issuance approval-workflow primitive. One row per (CertificateID,
+JobID) pair; the JobID points at the blocked Job whose Status is
+AwaitingApproval. Lifecycle: pending → approved | rejected | expired.
+Once terminal, the row is immutable; the audit_events table is the
+durable record of who decided + why.
+
+ */
+export interface ApprovalRequest {
+  /** Approval request ID (ar-<slug>). */
+  id: string;
+  certificate_id: string;
+  job_id: string;
+  profile_id: string;
+  /** Actor that triggered the renewal. */
+  requested_by: string;
+  state: ApprovalRequestState;
+  /**
+   * Approver identity; null while state=pending.
+   * @nullable
+   */
+  decided_by?: string | null;
+  /** @nullable */
+  decided_at?: string | null;
+  /** @nullable */
+  decision_note?: string | null;
+  /** Free-form key/value (common_name, sans, issuer_id, severity_tier). */
+  metadata?: ApprovalRequestMetadata;
+  created_at: string;
+  updated_at: string;
+}
diff --git a/web/src/api/generated/model/approvalRequestMetadata.ts b/web/src/api/generated/model/approvalRequestMetadata.ts
new file mode 100644
index 0000000..a582b8c
--- /dev/null
+++ b/web/src/api/generated/model/approvalRequestMetadata.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Free-form key/value (common_name, sans, issuer_id, severity_tier).
+ */
+export type ApprovalRequestMetadata = {[key: string]: string};
diff --git a/web/src/api/generated/model/approvalRequestState.ts b/web/src/api/generated/model/approvalRequestState.ts
new file mode 100644
index 0000000..c5ce626
--- /dev/null
+++ b/web/src/api/generated/model/approvalRequestState.ts
@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ApprovalRequestState = typeof ApprovalRequestState[keyof typeof ApprovalRequestState];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ApprovalRequestState = {
+  pending: 'pending',
+  approved: 'approved',
+  rejected: 'rejected',
+  expired: 'expired',
+} as const;
diff --git a/web/src/api/generated/model/approveApprovalRequest200.ts b/web/src/api/generated/model/approveApprovalRequest200.ts
new file mode 100644
index 0000000..f807712
--- /dev/null
+++ b/web/src/api/generated/model/approveApprovalRequest200.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ApproveApprovalRequest200Action } from './approveApprovalRequest200Action';
+
+export type ApproveApprovalRequest200 = {
+  id?: string;
+  decided_by?: string;
+  action?: ApproveApprovalRequest200Action;
+};
diff --git a/web/src/api/generated/model/approveApprovalRequest200Action.ts b/web/src/api/generated/model/approveApprovalRequest200Action.ts
new file mode 100644
index 0000000..7b07076
--- /dev/null
+++ b/web/src/api/generated/model/approveApprovalRequest200Action.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ApproveApprovalRequest200Action = typeof ApproveApprovalRequest200Action[keyof typeof ApproveApprovalRequest200Action];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ApproveApprovalRequest200Action = {
+  approved: 'approved',
+} as const;
diff --git a/web/src/api/generated/model/approveApprovalRequestBody.ts b/web/src/api/generated/model/approveApprovalRequestBody.ts
new file mode 100644
index 0000000..fb43651
--- /dev/null
+++ b/web/src/api/generated/model/approveApprovalRequestBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ApproveApprovalRequestBody = {
+  /** Optional reason text for the audit trail. */
+  note?: string;
+};
diff --git a/web/src/api/generated/model/assignAuthKeyRoleBody.ts b/web/src/api/generated/model/assignAuthKeyRoleBody.ts
new file mode 100644
index 0000000..6da1da5
--- /dev/null
+++ b/web/src/api/generated/model/assignAuthKeyRoleBody.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AssignAuthKeyRoleBody = {
+  role_id: string;
+};
diff --git a/web/src/api/generated/model/auditEvent.ts b/web/src/api/generated/model/auditEvent.ts
new file mode 100644
index 0000000..0300b60
--- /dev/null
+++ b/web/src/api/generated/model/auditEvent.ts
@@ -0,0 +1,35 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ActorType } from './actorType';
+import type { AuditEventDetails } from './auditEventDetails';
+import type { AuditEventEventCategory } from './auditEventEventCategory';
+
+export interface AuditEvent {
+  id?: string;
+  actor?: string;
+  actor_type?: ActorType;
+  action?: string;
+  resource_type?: string;
+  resource_id?: string;
+  details?: AuditEventDetails;
+  timestamp?: string;
+  /** Bundle 1 Phase 8: classifies the event for auditor-role
+filtering. Empty / absent on rows from pre-Phase-8
+deployments (the migration backfills "cert_lifecycle").
+ */
+  event_category?: AuditEventEventCategory;
+}
diff --git a/web/src/api/generated/model/auditEventDetails.ts b/web/src/api/generated/model/auditEventDetails.ts
new file mode 100644
index 0000000..1b55baf
--- /dev/null
+++ b/web/src/api/generated/model/auditEventDetails.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AuditEventDetails = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/auditEventEventCategory.ts b/web/src/api/generated/model/auditEventEventCategory.ts
new file mode 100644
index 0000000..7e3e310
--- /dev/null
+++ b/web/src/api/generated/model/auditEventEventCategory.ts
@@ -0,0 +1,32 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Bundle 1 Phase 8: classifies the event for auditor-role
+filtering. Empty / absent on rows from pre-Phase-8
+deployments (the migration backfills "cert_lifecycle").
+
+ */
+export type AuditEventEventCategory = typeof AuditEventEventCategory[keyof typeof AuditEventEventCategory];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const AuditEventEventCategory = {
+  cert_lifecycle: 'cert_lifecycle',
+  auth: 'auth',
+  config: 'config',
+} as const;
diff --git a/web/src/api/generated/model/authRole.ts b/web/src/api/generated/model/authRole.ts
new file mode 100644
index 0000000..300a695
--- /dev/null
+++ b/web/src/api/generated/model/authRole.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface AuthRole {
+  /** Role ID (`r-` prefix). */
+  id: string;
+  tenant_id: string;
+  name: string;
+  description?: string;
+  created_at?: string;
+  updated_at?: string;
+}
diff --git a/web/src/api/generated/model/authRolePermission.ts b/web/src/api/generated/model/authRolePermission.ts
new file mode 100644
index 0000000..9ca389b
--- /dev/null
+++ b/web/src/api/generated/model/authRolePermission.ts
@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AuthRolePermissionScopeType } from './authRolePermissionScopeType';
+
+export interface AuthRolePermission {
+  role_id: string;
+  permission_id: string;
+  scope_type: AuthRolePermissionScopeType;
+  /** NULL/absent for global scope; profile/issuer ID otherwise. */
+  scope_id?: string;
+}
diff --git a/web/src/api/generated/model/authRolePermissionScopeType.ts b/web/src/api/generated/model/authRolePermissionScopeType.ts
new file mode 100644
index 0000000..73abb30
--- /dev/null
+++ b/web/src/api/generated/model/authRolePermissionScopeType.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AuthRolePermissionScopeType = typeof AuthRolePermissionScopeType[keyof typeof AuthRolePermissionScopeType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const AuthRolePermissionScopeType = {
+  global: 'global',
+  profile: 'profile',
+  issuer: 'issuer',
+} as const;
diff --git a/web/src/api/generated/model/authSession.ts b/web/src/api/generated/model/authSession.ts
new file mode 100644
index 0000000..2197a94
--- /dev/null
+++ b/web/src/api/generated/model/authSession.ts
@@ -0,0 +1,42 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_session_oidc_sessions.go::sessionResponse.
+ */
+export interface AuthSession {
+  /** Session identifier (UUID-shaped). */
+  id: string;
+  /** Owning actor (user, API key, etc.). */
+  actor_id: string;
+  /** Actor type — `user`, `api_key`, or `actor-demo-anon` in demo mode. */
+  actor_type: string;
+  /** Source IP at session create-time. Omitted when not recorded. */
+  ip_address?: string;
+  /** User-Agent header at session create-time. Omitted when not recorded. */
+  user_agent?: string;
+  /** RFC 3339 UTC timestamp the session was minted. */
+  created_at: string;
+  /** RFC 3339 UTC timestamp the session most-recently validated a request. */
+  last_seen_at: string;
+  /** RFC 3339 UTC timestamp past which the session is idle-expired (CERTCTL_SESSION_IDLE_TIMEOUT from last_seen_at). */
+  idle_expires_at: string;
+  /** RFC 3339 UTC timestamp past which the session is absolute-expired regardless of activity (CERTCTL_SESSION_ABSOLUTE_TIMEOUT from created_at). */
+  absolute_expires_at: string;
+  /** True when the session has been revoked (via this API or via back-channel-logout). */
+  revoked: boolean;
+}
diff --git a/web/src/api/generated/model/authUser.ts b/web/src/api/generated/model/authUser.ts
new file mode 100644
index 0000000..4f69498
--- /dev/null
+++ b/web/src/api/generated/model/authUser.ts
@@ -0,0 +1,45 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_users.go::userResponse. Federated
+user shape (OIDC subject + provider). `deactivated_at` is the soft-
+delete marker; nil/absent means the user is active.
+
+ */
+export interface AuthUser {
+  /** User identifier (UUID-shaped). */
+  id: string;
+  tenant_id: string;
+  /** Federated email claim from the IdP. */
+  email: string;
+  /** Federated display name (preferred_username or name claim from the IdP). */
+  display_name: string;
+  /** The IdP's `sub` claim for this user (stable identifier across email changes). */
+  oidc_subject: string;
+  /** ID of the OIDC provider that minted this user record. */
+  oidc_provider_id: string;
+  /** RFC 3339 UTC timestamp of the user's most-recent successful login. */
+  last_login_at: string;
+  /** RFC 3339 UTC timestamp the user row was first created (upserted from an OIDC callback). */
+  created_at: string;
+  /**
+   * RFC 3339 UTC timestamp the user was deactivated. Omitted when the user is active.
+   * @nullable
+   */
+  deactivated_at?: string | null;
+}
diff --git a/web/src/api/generated/model/badRequestResponse.ts b/web/src/api/generated/model/badRequestResponse.ts
new file mode 100644
index 0000000..e7edb74
--- /dev/null
+++ b/web/src/api/generated/model/badRequestResponse.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ErrorResponse } from './errorResponse';
+
+/**
+ * Validation error
+ */
+export type BadRequestResponse = ErrorResponse;
diff --git a/web/src/api/generated/model/blockedByDependenciesResponse.ts b/web/src/api/generated/model/blockedByDependenciesResponse.ts
new file mode 100644
index 0000000..13d97fa
--- /dev/null
+++ b/web/src/api/generated/model/blockedByDependenciesResponse.ts
@@ -0,0 +1,31 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AgentDependencyCounts } from './agentDependencyCounts';
+
+/**
+ * I-004: 409 response body for a retire request blocked by active
+downstream dependencies. Returned when `force=true` is not set and
+any of the three counts is non-zero. The operator UI renders these
+counts so the human can retire or reassign the blocking rows
+before re-running the retire, or tick the force checkbox to cascade.
+
+ */
+export interface BlockedByDependenciesResponse {
+  error?: string;
+  message?: string;
+  counts?: AgentDependencyCounts;
+}
diff --git a/web/src/api/generated/model/breakglassCredentialListResponse.ts b/web/src/api/generated/model/breakglassCredentialListResponse.ts
new file mode 100644
index 0000000..e29da44
--- /dev/null
+++ b/web/src/api/generated/model/breakglassCredentialListResponse.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { BreakglassCredentialResponse } from './breakglassCredentialResponse';
+
+/**
+ * Mirrors internal/api/handler/auth_breakglass.go::
+listBreakglassCredentialsResponse.
+
+ */
+export interface BreakglassCredentialListResponse {
+  credentials: BreakglassCredentialResponse[];
+}
diff --git a/web/src/api/generated/model/breakglassCredentialResponse.ts b/web/src/api/generated/model/breakglassCredentialResponse.ts
new file mode 100644
index 0000000..f766883
--- /dev/null
+++ b/web/src/api/generated/model/breakglassCredentialResponse.ts
@@ -0,0 +1,43 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_breakglass.go::
+breakglassCredentialResponse. Password hash is NEVER serialized
+to the wire — only metadata.
+
+ */
+export interface BreakglassCredentialResponse {
+  /** Actor the credential belongs to. */
+  actor_id: string;
+  /** RFC 3339 UTC timestamp the credential was first set. */
+  created_at: string;
+  /** RFC 3339 UTC timestamp the password was most-recently rotated. */
+  last_password_change_at: string;
+  /** Current consecutive-failure counter (Argon2id lockout state-machine input). */
+  failure_count: number;
+  /**
+   * RFC 3339 UTC timestamp past which the lockout clears organically. Omitted when no active lockout.
+   * @nullable
+   */
+  locked_until?: string | null;
+  /**
+   * RFC 3339 UTC timestamp of the most recent failed-attempt. Omitted when failure_count == 0.
+   * @nullable
+   */
+  last_failure_at?: string | null;
+}
diff --git a/web/src/api/generated/model/breakglassLoginRequest.ts b/web/src/api/generated/model/breakglassLoginRequest.ts
new file mode 100644
index 0000000..b27a5b5
--- /dev/null
+++ b/web/src/api/generated/model/breakglassLoginRequest.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_breakglass.go::
+breakglassLoginRequest. Plaintext password on the wire ONLY at
+login-time; the service hashes via Argon2id for the
+constant-time compare.
+
+ */
+export interface BreakglassLoginRequest {
+  /** Actor attempting recovery login. */
+  actor_id: string;
+  /** Plaintext password (Argon2id-hashed at rest by the service). */
+  password: string;
+}
diff --git a/web/src/api/generated/model/breakglassSetPasswordRequest.ts b/web/src/api/generated/model/breakglassSetPasswordRequest.ts
new file mode 100644
index 0000000..509f5bb
--- /dev/null
+++ b/web/src/api/generated/model/breakglassSetPasswordRequest.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_breakglass.go::
+breakglassSetPasswordRequest. Password is plaintext on the wire
+ONLY at set-time; stored at rest as an Argon2id hash with
+per-record salt.
+
+ */
+export interface BreakglassSetPasswordRequest {
+  /** Actor the password is being set for. */
+  actor_id: string;
+  /** New break-glass password. Validated server-side against the strength policy (min 12 bytes, max 256 bytes). */
+  password: string;
+}
diff --git a/web/src/api/generated/model/breakglassSetPasswordResponse.ts b/web/src/api/generated/model/breakglassSetPasswordResponse.ts
new file mode 100644
index 0000000..ad2ef55
--- /dev/null
+++ b/web/src/api/generated/model/breakglassSetPasswordResponse.ts
@@ -0,0 +1,28 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors the inline response body returned by
+AuthBreakglassHandler.SetPassword: actor_id + the credential's
+created_at timestamp (RFC 3339, UTC).
+
+ */
+export interface BreakglassSetPasswordResponse {
+  actor_id: string;
+  /** RFC 3339 UTC timestamp the credential row was created (or re-created on rotation). */
+  created_at: string;
+}
diff --git a/web/src/api/generated/model/bulkEnqueuedJob.ts b/web/src/api/generated/model/bulkEnqueuedJob.ts
new file mode 100644
index 0000000..8bb7ee5
--- /dev/null
+++ b/web/src/api/generated/model/bulkEnqueuedJob.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface BulkEnqueuedJob {
+  certificate_id?: string;
+  /** ID of the renewal job created for this certificate */
+  job_id?: string;
+}
diff --git a/web/src/api/generated/model/bulkReassignRequest.ts b/web/src/api/generated/model/bulkReassignRequest.ts
new file mode 100644
index 0000000..2612c8e
--- /dev/null
+++ b/web/src/api/generated/model/bulkReassignRequest.ts
@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface BulkReassignRequest {
+  /** Explicit list of certificate IDs to reassign */
+  certificate_ids: string[];
+  /** Required. New owner_id for every cert in certificate_ids. */
+  owner_id: string;
+  /** Optional. When non-empty, also updates team_id on every cert. */
+  team_id?: string;
+}
diff --git a/web/src/api/generated/model/bulkReassignResult.ts b/web/src/api/generated/model/bulkReassignResult.ts
new file mode 100644
index 0000000..8e8cdbf
--- /dev/null
+++ b/web/src/api/generated/model/bulkReassignResult.ts
@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { BulkReassignResultErrorsItem } from './bulkReassignResultErrorsItem';
+
+export interface BulkReassignResult {
+  total_matched?: number;
+  /** Number of certs whose owner_id (and optionally team_id) was actually mutated */
+  total_reassigned?: number;
+  /** Certs already owned by the target (silent no-op) */
+  total_skipped?: number;
+  total_failed?: number;
+  errors?: BulkReassignResultErrorsItem[];
+}
diff --git a/web/src/api/generated/model/bulkReassignResultErrorsItem.ts b/web/src/api/generated/model/bulkReassignResultErrorsItem.ts
new file mode 100644
index 0000000..1e22265
--- /dev/null
+++ b/web/src/api/generated/model/bulkReassignResultErrorsItem.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type BulkReassignResultErrorsItem = {
+  certificate_id?: string;
+  error?: string;
+};
diff --git a/web/src/api/generated/model/bulkRenewRequest.ts b/web/src/api/generated/model/bulkRenewRequest.ts
new file mode 100644
index 0000000..6ecbe71
--- /dev/null
+++ b/web/src/api/generated/model/bulkRenewRequest.ts
@@ -0,0 +1,34 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Criteria for bulk renewal. At least one selector required.
+ */
+export interface BulkRenewRequest {
+  /** Renew all certificates matching this profile */
+  profile_id?: string;
+  /** Renew all certificates owned by this owner */
+  owner_id?: string;
+  /** Renew all certificates deployed via this agent */
+  agent_id?: string;
+  /** Renew all certificates issued by this issuer */
+  issuer_id?: string;
+  /** Renew all certificates owned by members of this team */
+  team_id?: string;
+  /** Explicit list of certificate IDs to renew */
+  certificate_ids?: string[];
+}
diff --git a/web/src/api/generated/model/bulkRenewResult.ts b/web/src/api/generated/model/bulkRenewResult.ts
new file mode 100644
index 0000000..1670bd6
--- /dev/null
+++ b/web/src/api/generated/model/bulkRenewResult.ts
@@ -0,0 +1,33 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { BulkEnqueuedJob } from './bulkEnqueuedJob';
+import type { BulkRenewResultErrorsItem } from './bulkRenewResultErrorsItem';
+
+export interface BulkRenewResult {
+  /** Number of certificates matching the criteria */
+  total_matched?: number;
+  /** Number of renewal jobs successfully created */
+  total_enqueued?: number;
+  /** Certs already RenewalInProgress / Revoked / Archived / Expired (silent no-op) */
+  total_skipped?: number;
+  /** Number of certificates whose enqueue path returned an error */
+  total_failed?: number;
+  /** Per-certificate {certificate_id, job_id} pairs for the successful enqueue path */
+  enqueued_jobs?: BulkEnqueuedJob[];
+  /** Per-certificate error details for the failure path */
+  errors?: BulkRenewResultErrorsItem[];
+}
diff --git a/web/src/api/generated/model/bulkRenewResultErrorsItem.ts b/web/src/api/generated/model/bulkRenewResultErrorsItem.ts
new file mode 100644
index 0000000..7589621
--- /dev/null
+++ b/web/src/api/generated/model/bulkRenewResultErrorsItem.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type BulkRenewResultErrorsItem = {
+  certificate_id?: string;
+  error?: string;
+};
diff --git a/web/src/api/generated/model/bulkRevokeRequest.ts b/web/src/api/generated/model/bulkRevokeRequest.ts
new file mode 100644
index 0000000..212a304
--- /dev/null
+++ b/web/src/api/generated/model/bulkRevokeRequest.ts
@@ -0,0 +1,33 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { RevocationReason } from './revocationReason';
+
+export interface BulkRevokeRequest {
+  reason: RevocationReason;
+  /** Revoke all certificates matching this profile */
+  profile_id?: string;
+  /** Revoke all certificates owned by this owner */
+  owner_id?: string;
+  /** Revoke all certificates deployed via this agent */
+  agent_id?: string;
+  /** Revoke all certificates issued by this issuer */
+  issuer_id?: string;
+  /** Revoke all certificates owned by members of this team */
+  team_id?: string;
+  /** Explicit list of certificate IDs to revoke */
+  certificate_ids?: string[];
+}
diff --git a/web/src/api/generated/model/bulkRevokeResult.ts b/web/src/api/generated/model/bulkRevokeResult.ts
new file mode 100644
index 0000000..56f2845
--- /dev/null
+++ b/web/src/api/generated/model/bulkRevokeResult.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { BulkRevokeResultErrorsItem } from './bulkRevokeResultErrorsItem';
+
+export interface BulkRevokeResult {
+  /** Number of certificates matching the criteria */
+  total_matched?: number;
+  /** Number of certificates successfully revoked */
+  total_revoked?: number;
+  /** Number of certificates skipped (already revoked or archived) */
+  total_skipped?: number;
+  /** Number of certificates that failed to revoke */
+  total_failed?: number;
+  /** Per-certificate error details for failed revocations */
+  errors?: BulkRevokeResultErrorsItem[];
+}
diff --git a/web/src/api/generated/model/bulkRevokeResultErrorsItem.ts b/web/src/api/generated/model/bulkRevokeResultErrorsItem.ts
new file mode 100644
index 0000000..ffa0755
--- /dev/null
+++ b/web/src/api/generated/model/bulkRevokeResultErrorsItem.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type BulkRevokeResultErrorsItem = {
+  certificate_id?: string;
+  error?: string;
+};
diff --git a/web/src/api/generated/model/certificateProfile.ts b/web/src/api/generated/model/certificateProfile.ts
new file mode 100644
index 0000000..1ec357f
--- /dev/null
+++ b/web/src/api/generated/model/certificateProfile.ts
@@ -0,0 +1,34 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { KeyAlgorithmRule } from './keyAlgorithmRule';
+import type { CertificateProfileAllowedEkusItem } from './certificateProfileAllowedEkusItem';
+
+export interface CertificateProfile {
+  id?: string;
+  name?: string;
+  description?: string;
+  allowed_key_algorithms?: KeyAlgorithmRule[];
+  max_ttl_seconds?: number;
+  /** Extended Key Usages to include in issued certificates */
+  allowed_ekus?: CertificateProfileAllowedEkusItem[];
+  required_san_patterns?: string[];
+  spiffe_uri_pattern?: string;
+  allow_short_lived?: boolean;
+  enabled?: boolean;
+  created_at?: string;
+  updated_at?: string;
+}
diff --git a/web/src/api/generated/model/certificateProfileAllowedEkusItem.ts b/web/src/api/generated/model/certificateProfileAllowedEkusItem.ts
new file mode 100644
index 0000000..786c655
--- /dev/null
+++ b/web/src/api/generated/model/certificateProfileAllowedEkusItem.ts
@@ -0,0 +1,28 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CertificateProfileAllowedEkusItem = typeof CertificateProfileAllowedEkusItem[keyof typeof CertificateProfileAllowedEkusItem];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const CertificateProfileAllowedEkusItem = {
+  serverAuth: 'serverAuth',
+  clientAuth: 'clientAuth',
+  codeSigning: 'codeSigning',
+  emailProtection: 'emailProtection',
+  timeStamping: 'timeStamping',
+} as const;
diff --git a/web/src/api/generated/model/certificateStatus.ts b/web/src/api/generated/model/certificateStatus.ts
new file mode 100644
index 0000000..b9186e9
--- /dev/null
+++ b/web/src/api/generated/model/certificateStatus.ts
@@ -0,0 +1,31 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CertificateStatus = typeof CertificateStatus[keyof typeof CertificateStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const CertificateStatus = {
+  Pending: 'Pending',
+  Active: 'Active',
+  Expiring: 'Expiring',
+  Expired: 'Expired',
+  RenewalInProgress: 'RenewalInProgress',
+  Failed: 'Failed',
+  Revoked: 'Revoked',
+  Archived: 'Archived',
+} as const;
diff --git a/web/src/api/generated/model/certificateVersion.ts b/web/src/api/generated/model/certificateVersion.ts
new file mode 100644
index 0000000..02e68f7
--- /dev/null
+++ b/web/src/api/generated/model/certificateVersion.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface CertificateVersion {
+  id?: string;
+  certificate_id?: string;
+  serial_number?: string;
+  not_before?: string;
+  not_after?: string;
+  fingerprint_sha256?: string;
+  pem_chain?: string;
+  csr_pem?: string;
+  key_algorithm?: string;
+  key_size?: number;
+  created_at?: string;
+}
diff --git a/web/src/api/generated/model/checkAuth200.ts b/web/src/api/generated/model/checkAuth200.ts
new file mode 100644
index 0000000..2966a10
--- /dev/null
+++ b/web/src/api/generated/model/checkAuth200.ts
@@ -0,0 +1,37 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { CheckAuth200ActorType } from './checkAuth200ActorType';
+import type { CheckAuth200EffectivePermissionsItem } from './checkAuth200EffectivePermissionsItem';
+
+export type CheckAuth200 = {
+  status: string;
+  /** Named-key identity (empty when CERTCTL_AUTH_TYPE=none) */
+  user?: string;
+  /** Legacy admin flag (back-compat with pre-Bundle-1 GUIs). */
+  admin?: boolean;
+  /** Actor identifier for the authenticated request (Bundle 1+). */
+  actor_id?: string;
+  /** Actor-type discriminator (Bundle 1+). */
+  actor_type?: CheckAuth200ActorType;
+  /** Tenant the actor belongs to (Bundle 1 ships single-tenant `t-default`). */
+  tenant_id?: string;
+  /** True when the actor holds `r-admin`. Authoritative admin signal under Bundle 1+. */
+  admin_via_role?: boolean;
+  /** Role IDs (e.g. `r-admin`, `r-viewer`) the actor holds. */
+  roles?: string[];
+  effective_permissions?: CheckAuth200EffectivePermissionsItem[];
+};
diff --git a/web/src/api/generated/model/checkAuth200ActorType.ts b/web/src/api/generated/model/checkAuth200ActorType.ts
new file mode 100644
index 0000000..1f76f39
--- /dev/null
+++ b/web/src/api/generated/model/checkAuth200ActorType.ts
@@ -0,0 +1,31 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Actor-type discriminator (Bundle 1+).
+ */
+export type CheckAuth200ActorType = typeof CheckAuth200ActorType[keyof typeof CheckAuth200ActorType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const CheckAuth200ActorType = {
+  User: 'User',
+  System: 'System',
+  Agent: 'Agent',
+  APIKey: 'APIKey',
+  Anonymous: 'Anonymous',
+} as const;
diff --git a/web/src/api/generated/model/checkAuth200EffectivePermissionsItem.ts b/web/src/api/generated/model/checkAuth200EffectivePermissionsItem.ts
new file mode 100644
index 0000000..9f3359e
--- /dev/null
+++ b/web/src/api/generated/model/checkAuth200EffectivePermissionsItem.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { CheckAuth200EffectivePermissionsItemScopeType } from './checkAuth200EffectivePermissionsItemScopeType';
+
+export type CheckAuth200EffectivePermissionsItem = {
+  permission: string;
+  scope_type: CheckAuth200EffectivePermissionsItemScopeType;
+  scope_id?: string;
+};
diff --git a/web/src/api/generated/model/checkAuth200EffectivePermissionsItemScopeType.ts b/web/src/api/generated/model/checkAuth200EffectivePermissionsItemScopeType.ts
new file mode 100644
index 0000000..3cc6601
--- /dev/null
+++ b/web/src/api/generated/model/checkAuth200EffectivePermissionsItemScopeType.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CheckAuth200EffectivePermissionsItemScopeType = typeof CheckAuth200EffectivePermissionsItemScopeType[keyof typeof CheckAuth200EffectivePermissionsItemScopeType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const CheckAuth200EffectivePermissionsItemScopeType = {
+  global: 'global',
+  profile: 'profile',
+  issuer: 'issuer',
+} as const;
diff --git a/web/src/api/generated/model/claimDiscoveredCertificateBody.ts b/web/src/api/generated/model/claimDiscoveredCertificateBody.ts
new file mode 100644
index 0000000..980a099
--- /dev/null
+++ b/web/src/api/generated/model/claimDiscoveredCertificateBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ClaimDiscoveredCertificateBody = {
+  /** ID of the managed certificate to link to */
+  managed_certificate_id: string;
+};
diff --git a/web/src/api/generated/model/conflictResponse.ts b/web/src/api/generated/model/conflictResponse.ts
new file mode 100644
index 0000000..27c0796
--- /dev/null
+++ b/web/src/api/generated/model/conflictResponse.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ErrorResponse } from './errorResponse';
+
+/**
+ * Resource conflict
+ */
+export type ConflictResponse = ErrorResponse;
diff --git a/web/src/api/generated/model/createAuthRoleBody.ts b/web/src/api/generated/model/createAuthRoleBody.ts
new file mode 100644
index 0000000..1bd47a7
--- /dev/null
+++ b/web/src/api/generated/model/createAuthRoleBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CreateAuthRoleBody = {
+  name: string;
+  description?: string;
+};
diff --git a/web/src/api/generated/model/createHealthCheckBody.ts b/web/src/api/generated/model/createHealthCheckBody.ts
new file mode 100644
index 0000000..146ae90
--- /dev/null
+++ b/web/src/api/generated/model/createHealthCheckBody.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CreateHealthCheckBody = {
+  /** host:port to monitor */
+  endpoint: string;
+  /** Expected certificate SHA-256 fingerprint (optional) */
+  expected_fingerprint?: string;
+  /**
+   * Probe frequency in seconds (default 300)
+   * @minimum 30
+   */
+  check_interval_seconds: number;
+  /** TLS connection timeout in milliseconds */
+  timeout_ms?: number;
+};
diff --git a/web/src/api/generated/model/createIntermediateCABody.ts b/web/src/api/generated/model/createIntermediateCABody.ts
new file mode 100644
index 0000000..f066e7e
--- /dev/null
+++ b/web/src/api/generated/model/createIntermediateCABody.ts
@@ -0,0 +1,39 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { CreateIntermediateCABodySubject } from './createIntermediateCABodySubject';
+import type { CreateIntermediateCABodyNameConstraintsItem } from './createIntermediateCABodyNameConstraintsItem';
+import type { CreateIntermediateCABodyMetadata } from './createIntermediateCABodyMetadata';
+
+export type CreateIntermediateCABody = {
+  name: string;
+  /** Empty for root registration; non-empty for child signing */
+  parent_ca_id?: string;
+  /** Operator-supplied root cert PEM (root path only) */
+  root_cert_pem?: string;
+  /** signer.Driver reference for the root key (root path only) */
+  key_driver_id?: string;
+  /** Distinguished name for child CA (child path only) */
+  subject?: CreateIntermediateCABodySubject;
+  /** Signing algorithm for child key (default ECDSA-P256) */
+  algorithm?: string;
+  ttl_days?: number;
+  /** @nullable */
+  path_len_constraint?: number | null;
+  name_constraints?: CreateIntermediateCABodyNameConstraintsItem[];
+  ocsp_responder_url?: string;
+  metadata?: CreateIntermediateCABodyMetadata;
+};
diff --git a/web/src/api/generated/model/createIntermediateCABodyMetadata.ts b/web/src/api/generated/model/createIntermediateCABodyMetadata.ts
new file mode 100644
index 0000000..ae4476c
--- /dev/null
+++ b/web/src/api/generated/model/createIntermediateCABodyMetadata.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CreateIntermediateCABodyMetadata = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/createIntermediateCABodyNameConstraintsItem.ts b/web/src/api/generated/model/createIntermediateCABodyNameConstraintsItem.ts
new file mode 100644
index 0000000..a0a7be4
--- /dev/null
+++ b/web/src/api/generated/model/createIntermediateCABodyNameConstraintsItem.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CreateIntermediateCABodyNameConstraintsItem = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/createIntermediateCABodySubject.ts b/web/src/api/generated/model/createIntermediateCABodySubject.ts
new file mode 100644
index 0000000..1bde7b2
--- /dev/null
+++ b/web/src/api/generated/model/createIntermediateCABodySubject.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Distinguished name for child CA (child path only)
+ */
+export type CreateIntermediateCABodySubject = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/dashboardSummary.ts b/web/src/api/generated/model/dashboardSummary.ts
new file mode 100644
index 0000000..0114087
--- /dev/null
+++ b/web/src/api/generated/model/dashboardSummary.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface DashboardSummary {
+  total_certificates?: number;
+  expiring_certificates?: number;
+  expired_certificates?: number;
+  revoked_certificates?: number;
+  active_agents?: number;
+  offline_agents?: number;
+  total_agents?: number;
+  pending_jobs?: number;
+  failed_jobs?: number;
+  complete_jobs?: number;
+  completed_at?: string;
+}
diff --git a/web/src/api/generated/model/demoResidualCleanupResponse.ts b/web/src/api/generated/model/demoResidualCleanupResponse.ts
new file mode 100644
index 0000000..e354fcd
--- /dev/null
+++ b/web/src/api/generated/model/demoResidualCleanupResponse.ts
@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/demo_residual.go::
+demoResidualCleanupResponse. Always present; idempotent re-runs
+return `removed: 0`.
+
+ */
+export interface DemoResidualCleanupResponse {
+  /** Number of `actor_roles` rows removed in this cleanup call. */
+  removed: number;
+}
diff --git a/web/src/api/generated/model/deploymentTarget.ts b/web/src/api/generated/model/deploymentTarget.ts
new file mode 100644
index 0000000..e468b3f
--- /dev/null
+++ b/web/src/api/generated/model/deploymentTarget.ts
@@ -0,0 +1,36 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { TargetType } from './targetType';
+import type { DeploymentTargetConfig } from './deploymentTargetConfig';
+
+export interface DeploymentTarget {
+  id?: string;
+  name: string;
+  type: TargetType;
+  /** ID of the agent that manages this target. Required because
+deployment_targets.agent_id is a NOT NULL foreign key to agents(id)
+(migration 000001). Empty or nonexistent agent IDs are rejected
+with HTTP 400 by the service layer (see C-002 in the coverage-gap
+audit).
+ */
+  agent_id: string;
+  /** Target-specific configuration (varies by type) */
+  config?: DeploymentTargetConfig;
+  enabled?: boolean;
+  created_at?: string;
+  updated_at?: string;
+}
diff --git a/web/src/api/generated/model/deploymentTargetConfig.ts b/web/src/api/generated/model/deploymentTargetConfig.ts
new file mode 100644
index 0000000..684565f
--- /dev/null
+++ b/web/src/api/generated/model/deploymentTargetConfig.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Target-specific configuration (varies by type)
+ */
+export type DeploymentTargetConfig = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/discoveredCertificate.ts b/web/src/api/generated/model/discoveredCertificate.ts
new file mode 100644
index 0000000..6f772ab
--- /dev/null
+++ b/web/src/api/generated/model/discoveredCertificate.ts
@@ -0,0 +1,46 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { DiscoveredCertificateStatus } from './discoveredCertificateStatus';
+
+export interface DiscoveredCertificate {
+  id?: string;
+  fingerprint_sha256?: string;
+  common_name?: string;
+  sans?: string[];
+  serial_number?: string;
+  issuer_dn?: string;
+  subject_dn?: string;
+  /** @nullable */
+  not_before?: string | null;
+  /** @nullable */
+  not_after?: string | null;
+  key_algorithm?: string;
+  key_size?: number;
+  is_ca?: boolean;
+  source_path?: string;
+  source_format?: string;
+  agent_id?: string;
+  /** @nullable */
+  discovery_scan_id?: string | null;
+  /** @nullable */
+  managed_certificate_id?: string | null;
+  status?: DiscoveredCertificateStatus;
+  first_seen_at?: string;
+  last_seen_at?: string;
+  created_at?: string;
+  updated_at?: string;
+}
diff --git a/web/src/api/generated/model/discoveredCertificateStatus.ts b/web/src/api/generated/model/discoveredCertificateStatus.ts
new file mode 100644
index 0000000..ab186ca
--- /dev/null
+++ b/web/src/api/generated/model/discoveredCertificateStatus.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type DiscoveredCertificateStatus = typeof DiscoveredCertificateStatus[keyof typeof DiscoveredCertificateStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const DiscoveredCertificateStatus = {
+  Unmanaged: 'Unmanaged',
+  Managed: 'Managed',
+  Dismissed: 'Dismissed',
+} as const;
diff --git a/web/src/api/generated/model/discoveryReport.ts b/web/src/api/generated/model/discoveryReport.ts
new file mode 100644
index 0000000..00c455c
--- /dev/null
+++ b/web/src/api/generated/model/discoveryReport.ts
@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { DiscoveryReportCertificatesItem } from './discoveryReportCertificatesItem';
+
+export interface DiscoveryReport {
+  agent_id: string;
+  directories: string[];
+  certificates: DiscoveryReportCertificatesItem[];
+  errors?: string[];
+  scan_duration_ms?: number;
+}
diff --git a/web/src/api/generated/model/discoveryReportCertificatesItem.ts b/web/src/api/generated/model/discoveryReportCertificatesItem.ts
new file mode 100644
index 0000000..e6447c2
--- /dev/null
+++ b/web/src/api/generated/model/discoveryReportCertificatesItem.ts
@@ -0,0 +1,33 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type DiscoveryReportCertificatesItem = {
+  fingerprint_sha256?: string;
+  common_name?: string;
+  sans?: string[];
+  serial_number?: string;
+  issuer_dn?: string;
+  subject_dn?: string;
+  not_before?: string;
+  not_after?: string;
+  key_algorithm?: string;
+  key_size?: number;
+  is_ca?: boolean;
+  pem_data?: string;
+  source_path?: string;
+  source_format?: string;
+};
diff --git a/web/src/api/generated/model/discoveryScan.ts b/web/src/api/generated/model/discoveryScan.ts
new file mode 100644
index 0000000..cfc6f04
--- /dev/null
+++ b/web/src/api/generated/model/discoveryScan.ts
@@ -0,0 +1,29 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface DiscoveryScan {
+  id?: string;
+  agent_id?: string;
+  directories?: string[];
+  certificates_found?: number;
+  certificates_new?: number;
+  errors_count?: number;
+  scan_duration_ms?: number;
+  started_at?: string;
+  /** @nullable */
+  completed_at?: string | null;
+}
diff --git a/web/src/api/generated/model/endpointHealthCheck.ts b/web/src/api/generated/model/endpointHealthCheck.ts
new file mode 100644
index 0000000..b224e88
--- /dev/null
+++ b/web/src/api/generated/model/endpointHealthCheck.ts
@@ -0,0 +1,84 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { EndpointHealthCheckStatus } from './endpointHealthCheckStatus';
+
+export interface EndpointHealthCheck {
+  /** Health check ID */
+  id?: string;
+  /** Target endpoint (host:port) */
+  endpoint?: string;
+  /**
+   * Associated managed certificate ID (if from deployment)
+   * @nullable
+   */
+  certificate_id?: string | null;
+  /**
+   * Associated network scan target ID (if auto-created)
+   * @nullable
+   */
+  network_scan_target_id?: string | null;
+  /**
+   * Expected certificate SHA-256 fingerprint
+   * @nullable
+   */
+  expected_fingerprint?: string | null;
+  /** Current health status */
+  status?: EndpointHealthCheckStatus;
+  enabled?: boolean;
+  /** Frequency of TLS probes (seconds) */
+  check_interval_seconds?: number;
+  /** TLS connection timeout (milliseconds) */
+  timeout_ms?: number;
+  /** Number of consecutive probe failures */
+  consecutive_failures?: number;
+  /**
+   * Timestamp of last probe
+   * @nullable
+   */
+  last_checked_at?: string | null;
+  /**
+   * Timestamp of last successful probe
+   * @nullable
+   */
+  last_success_at?: string | null;
+  /**
+   * Timestamp of last failed probe
+   * @nullable
+   */
+  last_failure_at?: string | null;
+  /**
+   * Timestamp of last status transition
+   * @nullable
+   */
+  last_transition_at?: string | null;
+  /**
+   * Reason for last failure
+   * @nullable
+   */
+  failure_reason?: string | null;
+  /** Whether the current status has been acknowledged */
+  acknowledged?: boolean;
+  /**
+   * Operator name who acknowledged (if applicable)
+   * @nullable
+   */
+  acknowledged_by?: string | null;
+  /** @nullable */
+  acknowledged_at?: string | null;
+  created_at?: string;
+  updated_at?: string;
+}
diff --git a/web/src/api/generated/model/endpointHealthCheckStatus.ts b/web/src/api/generated/model/endpointHealthCheckStatus.ts
new file mode 100644
index 0000000..c40cdd5
--- /dev/null
+++ b/web/src/api/generated/model/endpointHealthCheckStatus.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Current health status
+ */
+export type EndpointHealthCheckStatus = typeof EndpointHealthCheckStatus[keyof typeof EndpointHealthCheckStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const EndpointHealthCheckStatus = {
+  Healthy: 'Healthy',
+  Degraded: 'Degraded',
+  Down: 'Down',
+  CertMismatch: 'CertMismatch',
+} as const;
diff --git a/web/src/api/generated/model/error.ts b/web/src/api/generated/model/error.ts
new file mode 100644
index 0000000..a68fbbc
--- /dev/null
+++ b/web/src/api/generated/model/error.ts
@@ -0,0 +1,19 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ErrorResponse } from './errorResponse';
+
+export type Error = ErrorResponse;
diff --git a/web/src/api/generated/model/errorResponse.ts b/web/src/api/generated/model/errorResponse.ts
new file mode 100644
index 0000000..8ebc947
--- /dev/null
+++ b/web/src/api/generated/model/errorResponse.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface ErrorResponse {
+  error?: string;
+  request_id?: string;
+}
diff --git a/web/src/api/generated/model/exportAuditCategory.ts b/web/src/api/generated/model/exportAuditCategory.ts
new file mode 100644
index 0000000..b9a989a
--- /dev/null
+++ b/web/src/api/generated/model/exportAuditCategory.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ExportAuditCategory = typeof ExportAuditCategory[keyof typeof ExportAuditCategory];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ExportAuditCategory = {
+  cert_lifecycle: 'cert_lifecycle',
+  auth: 'auth',
+  config: 'config',
+} as const;
diff --git a/web/src/api/generated/model/exportAuditParams.ts b/web/src/api/generated/model/exportAuditParams.ts
new file mode 100644
index 0000000..41065ef
--- /dev/null
+++ b/web/src/api/generated/model/exportAuditParams.ts
@@ -0,0 +1,38 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ExportAuditCategory } from './exportAuditCategory';
+
+export type ExportAuditParams = {
+/**
+ * RFC 3339 start of the export window (inclusive).
+ */
+from: string;
+/**
+ * RFC 3339 end of the export window (exclusive). Must be strictly after `from`.
+ */
+to: string;
+/**
+ * Optional category filter. Omit to return every event in the window.
+ */
+category?: ExportAuditCategory;
+/**
+ * Maximum rows to stream (default 50000; out-of-range values clamp to default).
+ * @minimum 1
+ * @maximum 100000
+ */
+limit?: number;
+};
diff --git a/web/src/api/generated/model/exportCertificatePEM200One.ts b/web/src/api/generated/model/exportCertificatePEM200One.ts
new file mode 100644
index 0000000..19a8fe5
--- /dev/null
+++ b/web/src/api/generated/model/exportCertificatePEM200One.ts
@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ExportCertificatePEM200One = {
+  /** Leaf certificate PEM */
+  cert_pem?: string;
+  /** Intermediate/root chain PEM */
+  chain_pem?: string;
+  /** Full PEM chain (cert + intermediates) */
+  full_pem?: string;
+};
diff --git a/web/src/api/generated/model/exportCertificatePEMDownload.ts b/web/src/api/generated/model/exportCertificatePEMDownload.ts
new file mode 100644
index 0000000..38d8de8
--- /dev/null
+++ b/web/src/api/generated/model/exportCertificatePEMDownload.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ExportCertificatePEMDownload = typeof ExportCertificatePEMDownload[keyof typeof ExportCertificatePEMDownload];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ExportCertificatePEMDownload = {
+  true: 'true',
+} as const;
diff --git a/web/src/api/generated/model/exportCertificatePEMParams.ts b/web/src/api/generated/model/exportCertificatePEMParams.ts
new file mode 100644
index 0000000..5516998
--- /dev/null
+++ b/web/src/api/generated/model/exportCertificatePEMParams.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ExportCertificatePEMDownload } from './exportCertificatePEMDownload';
+
+export type ExportCertificatePEMParams = {
+/**
+ * Set to "true" to get a file download instead of JSON.
+ */
+download?: ExportCertificatePEMDownload;
+};
diff --git a/web/src/api/generated/model/exportCertificatePKCS12Body.ts b/web/src/api/generated/model/exportCertificatePKCS12Body.ts
new file mode 100644
index 0000000..48d2dcd
--- /dev/null
+++ b/web/src/api/generated/model/exportCertificatePKCS12Body.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ExportCertificatePKCS12Body = {
+  /** Password to encrypt the PKCS#12 bundle (can be empty) */
+  password?: string;
+};
diff --git a/web/src/api/generated/model/getAuthBootstrap200.ts b/web/src/api/generated/model/getAuthBootstrap200.ts
new file mode 100644
index 0000000..63024e9
--- /dev/null
+++ b/web/src/api/generated/model/getAuthBootstrap200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetAuthBootstrap200 = {
+  available: boolean;
+};
diff --git a/web/src/api/generated/model/getAuthInfo200.ts b/web/src/api/generated/model/getAuthInfo200.ts
new file mode 100644
index 0000000..e2b7362
--- /dev/null
+++ b/web/src/api/generated/model/getAuthInfo200.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { GetAuthInfo200AuthType } from './getAuthInfo200AuthType';
+
+export type GetAuthInfo200 = {
+  auth_type?: GetAuthInfo200AuthType;
+  required?: boolean;
+};
diff --git a/web/src/api/generated/model/getAuthInfo200AuthType.ts b/web/src/api/generated/model/getAuthInfo200AuthType.ts
new file mode 100644
index 0000000..030d2c9
--- /dev/null
+++ b/web/src/api/generated/model/getAuthInfo200AuthType.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetAuthInfo200AuthType = typeof GetAuthInfo200AuthType[keyof typeof GetAuthInfo200AuthType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const GetAuthInfo200AuthType = {
+  'api-key': 'api-key',
+  none: 'none',
+  oidc: 'oidc',
+} as const;
diff --git a/web/src/api/generated/model/getAuthMe200.ts b/web/src/api/generated/model/getAuthMe200.ts
new file mode 100644
index 0000000..978bc83
--- /dev/null
+++ b/web/src/api/generated/model/getAuthMe200.ts
@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { GetAuthMe200ActorType } from './getAuthMe200ActorType';
+import type { GetAuthMe200EffectivePermissionsItem } from './getAuthMe200EffectivePermissionsItem';
+
+export type GetAuthMe200 = {
+  actor_id: string;
+  actor_type: GetAuthMe200ActorType;
+  tenant_id: string;
+  admin: boolean;
+  roles: string[];
+  effective_permissions: GetAuthMe200EffectivePermissionsItem[];
+};
diff --git a/web/src/api/generated/model/getAuthMe200ActorType.ts b/web/src/api/generated/model/getAuthMe200ActorType.ts
new file mode 100644
index 0000000..c3b59f9
--- /dev/null
+++ b/web/src/api/generated/model/getAuthMe200ActorType.ts
@@ -0,0 +1,28 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetAuthMe200ActorType = typeof GetAuthMe200ActorType[keyof typeof GetAuthMe200ActorType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const GetAuthMe200ActorType = {
+  User: 'User',
+  System: 'System',
+  Agent: 'Agent',
+  APIKey: 'APIKey',
+  Anonymous: 'Anonymous',
+} as const;
diff --git a/web/src/api/generated/model/getAuthMe200EffectivePermissionsItem.ts b/web/src/api/generated/model/getAuthMe200EffectivePermissionsItem.ts
new file mode 100644
index 0000000..347d474
--- /dev/null
+++ b/web/src/api/generated/model/getAuthMe200EffectivePermissionsItem.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { GetAuthMe200EffectivePermissionsItemScopeType } from './getAuthMe200EffectivePermissionsItemScopeType';
+
+export type GetAuthMe200EffectivePermissionsItem = {
+  permission: string;
+  scope_type: GetAuthMe200EffectivePermissionsItemScopeType;
+  scope_id?: string;
+};
diff --git a/web/src/api/generated/model/getAuthMe200EffectivePermissionsItemScopeType.ts b/web/src/api/generated/model/getAuthMe200EffectivePermissionsItemScopeType.ts
new file mode 100644
index 0000000..a856008
--- /dev/null
+++ b/web/src/api/generated/model/getAuthMe200EffectivePermissionsItemScopeType.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetAuthMe200EffectivePermissionsItemScopeType = typeof GetAuthMe200EffectivePermissionsItemScopeType[keyof typeof GetAuthMe200EffectivePermissionsItemScopeType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const GetAuthMe200EffectivePermissionsItemScopeType = {
+  global: 'global',
+  profile: 'profile',
+  issuer: 'issuer',
+} as const;
diff --git a/web/src/api/generated/model/getAuthRole200.ts b/web/src/api/generated/model/getAuthRole200.ts
new file mode 100644
index 0000000..4e4a042
--- /dev/null
+++ b/web/src/api/generated/model/getAuthRole200.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AuthRole } from './authRole';
+import type { AuthRolePermission } from './authRolePermission';
+
+export type GetAuthRole200 = {
+  role?: AuthRole;
+  permissions?: AuthRolePermission[];
+};
diff --git a/web/src/api/generated/model/getAuthRuntimeConfig200.ts b/web/src/api/generated/model/getAuthRuntimeConfig200.ts
new file mode 100644
index 0000000..068b57e
--- /dev/null
+++ b/web/src/api/generated/model/getAuthRuntimeConfig200.ts
@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { GetAuthRuntimeConfig200RuntimeConfig } from './getAuthRuntimeConfig200RuntimeConfig';
+
+export type GetAuthRuntimeConfig200 = {
+  /** Map of CERTCTL_* env var name → resolved value.
+The exact key set depends on the deployment's
+configured auth surface (OIDC, break-glass, etc.).
+ */
+  runtime_config: GetAuthRuntimeConfig200RuntimeConfig;
+};
diff --git a/web/src/api/generated/model/getAuthRuntimeConfig200RuntimeConfig.ts b/web/src/api/generated/model/getAuthRuntimeConfig200RuntimeConfig.ts
new file mode 100644
index 0000000..6296d4c
--- /dev/null
+++ b/web/src/api/generated/model/getAuthRuntimeConfig200RuntimeConfig.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Map of CERTCTL_* env var name → resolved value.
+The exact key set depends on the deployment's
+configured auth surface (OIDC, break-glass, etc.).
+
+ */
+export type GetAuthRuntimeConfig200RuntimeConfig = {[key: string]: string};
diff --git a/web/src/api/generated/model/getCertificateDeployments200.ts b/web/src/api/generated/model/getCertificateDeployments200.ts
new file mode 100644
index 0000000..1fc81ee
--- /dev/null
+++ b/web/src/api/generated/model/getCertificateDeployments200.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { DeploymentTarget } from './deploymentTarget';
+
+export type GetCertificateDeployments200 = {
+  data?: DeploymentTarget[];
+  total?: number;
+};
diff --git a/web/src/api/generated/model/getCertificatesByStatus200.ts b/web/src/api/generated/model/getCertificatesByStatus200.ts
new file mode 100644
index 0000000..fdc189b
--- /dev/null
+++ b/web/src/api/generated/model/getCertificatesByStatus200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { GetCertificatesByStatus200StatusCountsItem } from './getCertificatesByStatus200StatusCountsItem';
+
+export type GetCertificatesByStatus200 = {
+  status_counts?: GetCertificatesByStatus200StatusCountsItem[];
+};
diff --git a/web/src/api/generated/model/getCertificatesByStatus200StatusCountsItem.ts b/web/src/api/generated/model/getCertificatesByStatus200StatusCountsItem.ts
new file mode 100644
index 0000000..4ec66ea
--- /dev/null
+++ b/web/src/api/generated/model/getCertificatesByStatus200StatusCountsItem.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetCertificatesByStatus200StatusCountsItem = {
+  status?: string;
+  count?: number;
+};
diff --git a/web/src/api/generated/model/getDiscoverySummary200.ts b/web/src/api/generated/model/getDiscoverySummary200.ts
new file mode 100644
index 0000000..f3e4291
--- /dev/null
+++ b/web/src/api/generated/model/getDiscoverySummary200.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetDiscoverySummary200 = {
+  Unmanaged?: number;
+  Managed?: number;
+  Dismissed?: number;
+};
diff --git a/web/src/api/generated/model/getExpirationTimeline200.ts b/web/src/api/generated/model/getExpirationTimeline200.ts
new file mode 100644
index 0000000..8c5946f
--- /dev/null
+++ b/web/src/api/generated/model/getExpirationTimeline200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { GetExpirationTimeline200BucketsItem } from './getExpirationTimeline200BucketsItem';
+
+export type GetExpirationTimeline200 = {
+  buckets?: GetExpirationTimeline200BucketsItem[];
+};
diff --git a/web/src/api/generated/model/getExpirationTimeline200BucketsItem.ts b/web/src/api/generated/model/getExpirationTimeline200BucketsItem.ts
new file mode 100644
index 0000000..87650da
--- /dev/null
+++ b/web/src/api/generated/model/getExpirationTimeline200BucketsItem.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetExpirationTimeline200BucketsItem = {
+  date?: string;
+  count?: number;
+};
diff --git a/web/src/api/generated/model/getExpirationTimelineParams.ts b/web/src/api/generated/model/getExpirationTimelineParams.ts
new file mode 100644
index 0000000..4769307
--- /dev/null
+++ b/web/src/api/generated/model/getExpirationTimelineParams.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetExpirationTimelineParams = {
+/**
+ * @minimum 1
+ * @maximum 365
+ */
+days?: number;
+};
diff --git a/web/src/api/generated/model/getHealth200.ts b/web/src/api/generated/model/getHealth200.ts
new file mode 100644
index 0000000..848a47b
--- /dev/null
+++ b/web/src/api/generated/model/getHealth200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetHealth200 = {
+  status?: string;
+};
diff --git a/web/src/api/generated/model/getHealthCheckHistory200.ts b/web/src/api/generated/model/getHealthCheckHistory200.ts
new file mode 100644
index 0000000..afcee01
--- /dev/null
+++ b/web/src/api/generated/model/getHealthCheckHistory200.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { HealthHistoryEntry } from './healthHistoryEntry';
+
+export type GetHealthCheckHistory200 = {
+  data?: HealthHistoryEntry[];
+  total?: number;
+};
diff --git a/web/src/api/generated/model/getHealthCheckHistoryParams.ts b/web/src/api/generated/model/getHealthCheckHistoryParams.ts
new file mode 100644
index 0000000..51dbc99
--- /dev/null
+++ b/web/src/api/generated/model/getHealthCheckHistoryParams.ts
@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetHealthCheckHistoryParams = {
+/**
+ * Max number of records to return
+ * @minimum 1
+ * @maximum 1000
+ */
+limit?: number;
+};
diff --git a/web/src/api/generated/model/getHealthCheckSummary200.ts b/web/src/api/generated/model/getHealthCheckSummary200.ts
new file mode 100644
index 0000000..3868ee1
--- /dev/null
+++ b/web/src/api/generated/model/getHealthCheckSummary200.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetHealthCheckSummary200 = {
+  healthy?: number;
+  degraded?: number;
+  down?: number;
+  cert_mismatch?: number;
+};
diff --git a/web/src/api/generated/model/getIssuanceRate200.ts b/web/src/api/generated/model/getIssuanceRate200.ts
new file mode 100644
index 0000000..07adadf
--- /dev/null
+++ b/web/src/api/generated/model/getIssuanceRate200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { GetIssuanceRate200RateItem } from './getIssuanceRate200RateItem';
+
+export type GetIssuanceRate200 = {
+  rate?: GetIssuanceRate200RateItem[];
+};
diff --git a/web/src/api/generated/model/getIssuanceRate200RateItem.ts b/web/src/api/generated/model/getIssuanceRate200RateItem.ts
new file mode 100644
index 0000000..4ea3806
--- /dev/null
+++ b/web/src/api/generated/model/getIssuanceRate200RateItem.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetIssuanceRate200RateItem = {
+  date?: string;
+  count?: number;
+};
diff --git a/web/src/api/generated/model/getIssuanceRateParams.ts b/web/src/api/generated/model/getIssuanceRateParams.ts
new file mode 100644
index 0000000..38e6083
--- /dev/null
+++ b/web/src/api/generated/model/getIssuanceRateParams.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetIssuanceRateParams = {
+/**
+ * @minimum 1
+ * @maximum 365
+ */
+days?: number;
+};
diff --git a/web/src/api/generated/model/getJobTrends200.ts b/web/src/api/generated/model/getJobTrends200.ts
new file mode 100644
index 0000000..7749067
--- /dev/null
+++ b/web/src/api/generated/model/getJobTrends200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { GetJobTrends200TrendsItem } from './getJobTrends200TrendsItem';
+
+export type GetJobTrends200 = {
+  trends?: GetJobTrends200TrendsItem[];
+};
diff --git a/web/src/api/generated/model/getJobTrends200TrendsItem.ts b/web/src/api/generated/model/getJobTrends200TrendsItem.ts
new file mode 100644
index 0000000..7f4d9b8
--- /dev/null
+++ b/web/src/api/generated/model/getJobTrends200TrendsItem.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetJobTrends200TrendsItem = {
+  date?: string;
+  completed?: number;
+  failed?: number;
+};
diff --git a/web/src/api/generated/model/getJobTrendsParams.ts b/web/src/api/generated/model/getJobTrendsParams.ts
new file mode 100644
index 0000000..d03fd76
--- /dev/null
+++ b/web/src/api/generated/model/getJobTrendsParams.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetJobTrendsParams = {
+/**
+ * @minimum 1
+ * @maximum 365
+ */
+days?: number;
+};
diff --git a/web/src/api/generated/model/getReady200.ts b/web/src/api/generated/model/getReady200.ts
new file mode 100644
index 0000000..90e8537
--- /dev/null
+++ b/web/src/api/generated/model/getReady200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetReady200 = {
+  status?: string;
+};
diff --git a/web/src/api/generated/model/getVersion200.ts b/web/src/api/generated/model/getVersion200.ts
new file mode 100644
index 0000000..4c5c274
--- /dev/null
+++ b/web/src/api/generated/model/getVersion200.ts
@@ -0,0 +1,29 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetVersion200 = {
+  /** Release tag (ldflags-supplied) or VCS SHA fallback or "dev" */
+  version: string;
+  /** Git SHA from runtime/debug.BuildInfo (vcs.revision); empty when not VCS-tracked */
+  commit: string;
+  /** True when build had uncommitted changes (vcs.modified) */
+  modified: boolean;
+  /** RFC 3339 build timestamp (vcs.time); empty when not VCS-tracked */
+  build_time: string;
+  /** Go toolchain version that compiled the binary (runtime.Version()) */
+  go_version: string;
+};
diff --git a/web/src/api/generated/model/grantAuthRolePermissionBody.ts b/web/src/api/generated/model/grantAuthRolePermissionBody.ts
new file mode 100644
index 0000000..dc4dd3a
--- /dev/null
+++ b/web/src/api/generated/model/grantAuthRolePermissionBody.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { GrantAuthRolePermissionBodyScopeType } from './grantAuthRolePermissionBodyScopeType';
+
+export type GrantAuthRolePermissionBody = {
+  permission: string;
+  scope_type?: GrantAuthRolePermissionBodyScopeType;
+  scope_id?: string;
+};
diff --git a/web/src/api/generated/model/grantAuthRolePermissionBodyScopeType.ts b/web/src/api/generated/model/grantAuthRolePermissionBodyScopeType.ts
new file mode 100644
index 0000000..ceac6a0
--- /dev/null
+++ b/web/src/api/generated/model/grantAuthRolePermissionBodyScopeType.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GrantAuthRolePermissionBodyScopeType = typeof GrantAuthRolePermissionBodyScopeType[keyof typeof GrantAuthRolePermissionBodyScopeType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const GrantAuthRolePermissionBodyScopeType = {
+  global: 'global',
+  profile: 'profile',
+  issuer: 'issuer',
+} as const;
diff --git a/web/src/api/generated/model/healthHistoryEntry.ts b/web/src/api/generated/model/healthHistoryEntry.ts
new file mode 100644
index 0000000..04139be
--- /dev/null
+++ b/web/src/api/generated/model/healthHistoryEntry.ts
@@ -0,0 +1,64 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { HealthHistoryEntryStatus } from './healthHistoryEntryStatus';
+
+export interface HealthHistoryEntry {
+  id?: string;
+  health_check_id?: string;
+  status?: HealthHistoryEntryStatus;
+  /**
+   * Time to connect and complete TLS handshake (milliseconds)
+   * @nullable
+   */
+  response_time_ms?: number | null;
+  /**
+   * SHA-256 fingerprint of certificate observed on endpoint
+   * @nullable
+   */
+  observed_fingerprint?: string | null;
+  /**
+   * TLS version (e.g., TLSv1.3)
+   * @nullable
+   */
+  tls_version?: string | null;
+  /**
+   * Cipher suite used in TLS handshake
+   * @nullable
+   */
+  cipher_suite?: string | null;
+  /**
+   * Subject DN of observed certificate
+   * @nullable
+   */
+  cert_subject?: string | null;
+  /**
+   * Issuer DN of observed certificate
+   * @nullable
+   */
+  cert_issuer?: string | null;
+  /** @nullable */
+  cert_not_before?: string | null;
+  /** @nullable */
+  cert_not_after?: string | null;
+  /**
+   * Error message if probe failed
+   * @nullable
+   */
+  failure_reason?: string | null;
+  /** Timestamp of this probe */
+  checked_at?: string;
+}
diff --git a/web/src/api/generated/model/healthHistoryEntryStatus.ts b/web/src/api/generated/model/healthHistoryEntryStatus.ts
new file mode 100644
index 0000000..a8d5f71
--- /dev/null
+++ b/web/src/api/generated/model/healthHistoryEntryStatus.ts
@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type HealthHistoryEntryStatus = typeof HealthHistoryEntryStatus[keyof typeof HealthHistoryEntryStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const HealthHistoryEntryStatus = {
+  Healthy: 'Healthy',
+  Degraded: 'Degraded',
+  Down: 'Down',
+  CertMismatch: 'CertMismatch',
+} as const;
diff --git a/web/src/api/generated/model/index.ts b/web/src/api/generated/model/index.ts
new file mode 100644
index 0000000..6afd501
--- /dev/null
+++ b/web/src/api/generated/model/index.ts
@@ -0,0 +1,303 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export * from './acknowledgeHealthCheckIncidentBody';
+export * from './actorType';
+export * from './agent';
+export * from './agentDependencyCounts';
+export * from './agentGetWork200';
+export * from './agentGroup';
+export * from './agentHeartbeatBody';
+export * from './agentPickupCertificate200';
+export * from './agentReportJobStatusBody';
+export * from './agentStatus';
+export * from './agentSubmitCSRBody';
+export * from './approvalRequest';
+export * from './approvalRequestMetadata';
+export * from './approvalRequestState';
+export * from './approveApprovalRequest200';
+export * from './approveApprovalRequest200Action';
+export * from './approveApprovalRequestBody';
+export * from './assignAuthKeyRoleBody';
+export * from './auditEvent';
+export * from './auditEventDetails';
+export * from './auditEventEventCategory';
+export * from './authRole';
+export * from './authRolePermission';
+export * from './authRolePermissionScopeType';
+export * from './authSession';
+export * from './authUser';
+export * from './badRequestResponse';
+export * from './blockedByDependenciesResponse';
+export * from './breakglassCredentialListResponse';
+export * from './breakglassCredentialResponse';
+export * from './breakglassLoginRequest';
+export * from './breakglassSetPasswordRequest';
+export * from './breakglassSetPasswordResponse';
+export * from './bulkEnqueuedJob';
+export * from './bulkReassignRequest';
+export * from './bulkReassignResult';
+export * from './bulkReassignResultErrorsItem';
+export * from './bulkRenewRequest';
+export * from './bulkRenewResult';
+export * from './bulkRenewResultErrorsItem';
+export * from './bulkRevokeRequest';
+export * from './bulkRevokeResult';
+export * from './bulkRevokeResultErrorsItem';
+export * from './certificateProfile';
+export * from './certificateProfileAllowedEkusItem';
+export * from './certificateStatus';
+export * from './certificateVersion';
+export * from './checkAuth200';
+export * from './checkAuth200ActorType';
+export * from './checkAuth200EffectivePermissionsItem';
+export * from './checkAuth200EffectivePermissionsItemScopeType';
+export * from './claimDiscoveredCertificateBody';
+export * from './conflictResponse';
+export * from './createAuthRoleBody';
+export * from './createHealthCheckBody';
+export * from './createIntermediateCABody';
+export * from './createIntermediateCABodyMetadata';
+export * from './createIntermediateCABodyNameConstraintsItem';
+export * from './createIntermediateCABodySubject';
+export * from './dashboardSummary';
+export * from './demoResidualCleanupResponse';
+export * from './deploymentTarget';
+export * from './deploymentTargetConfig';
+export * from './discoveredCertificate';
+export * from './discoveredCertificateStatus';
+export * from './discoveryReport';
+export * from './discoveryReportCertificatesItem';
+export * from './discoveryScan';
+export * from './endpointHealthCheck';
+export * from './endpointHealthCheckStatus';
+export * from './error';
+export * from './errorResponse';
+export * from './exportAuditCategory';
+export * from './exportAuditParams';
+export * from './exportCertificatePEM200One';
+export * from './exportCertificatePEMDownload';
+export * from './exportCertificatePEMParams';
+export * from './exportCertificatePKCS12Body';
+export * from './getAuthBootstrap200';
+export * from './getAuthInfo200';
+export * from './getAuthInfo200AuthType';
+export * from './getAuthMe200';
+export * from './getAuthMe200ActorType';
+export * from './getAuthMe200EffectivePermissionsItem';
+export * from './getAuthMe200EffectivePermissionsItemScopeType';
+export * from './getAuthRole200';
+export * from './getAuthRuntimeConfig200';
+export * from './getAuthRuntimeConfig200RuntimeConfig';
+export * from './getCertificateDeployments200';
+export * from './getCertificatesByStatus200';
+export * from './getCertificatesByStatus200StatusCountsItem';
+export * from './getDiscoverySummary200';
+export * from './getExpirationTimeline200';
+export * from './getExpirationTimeline200BucketsItem';
+export * from './getExpirationTimelineParams';
+export * from './getHealth200';
+export * from './getHealthCheckHistory200';
+export * from './getHealthCheckHistoryParams';
+export * from './getHealthCheckSummary200';
+export * from './getIssuanceRate200';
+export * from './getIssuanceRate200RateItem';
+export * from './getIssuanceRateParams';
+export * from './getJobTrends200';
+export * from './getJobTrends200TrendsItem';
+export * from './getJobTrendsParams';
+export * from './getReady200';
+export * from './getVersion200';
+export * from './grantAuthRolePermissionBody';
+export * from './grantAuthRolePermissionBodyScopeType';
+export * from './healthHistoryEntry';
+export * from './healthHistoryEntryStatus';
+export * from './internalErrorResponse';
+export * from './issuer';
+export * from './issuerConfig';
+export * from './issuerType';
+export * from './job';
+export * from './jobStatus';
+export * from './jobType';
+export * from './keyAlgorithmRule';
+export * from './keyAlgorithmRuleAlgorithm';
+export * from './listAgentGroupMembers200';
+export * from './listAgentGroupMembers200AllOf';
+export * from './listAgentGroups200';
+export * from './listAgentGroups200AllOf';
+export * from './listAgentGroupsParams';
+export * from './listAgents200';
+export * from './listAgents200AllOf';
+export * from './listAgentsParams';
+export * from './listApprovalRequests200';
+export * from './listApprovalRequestsParams';
+export * from './listApprovalRequestsState';
+export * from './listAuditEvents200';
+export * from './listAuditEvents200AllOf';
+export * from './listAuditEventsCategory';
+export * from './listAuditEventsParams';
+export * from './listAuthKeys200';
+export * from './listAuthKeys200KeysItem';
+export * from './listAuthKeys200KeysItemActorType';
+export * from './listAuthPermissions200';
+export * from './listAuthPermissions200PermissionsItem';
+export * from './listAuthRoles200';
+export * from './listAuthSessions200';
+export * from './listAuthSessionsParams';
+export * from './listAuthUsers200';
+export * from './listAuthUsersParams';
+export * from './listCRLCache200';
+export * from './listCRLCache200CacheRowsItem';
+export * from './listCertificateVersions200';
+export * from './listCertificateVersions200AllOf';
+export * from './listCertificateVersionsParams';
+export * from './listCertificates200';
+export * from './listCertificates200AllOf';
+export * from './listCertificatesParams';
+export * from './listDiscoveredCertificates200';
+export * from './listDiscoveredCertificates200AllOf';
+export * from './listDiscoveredCertificatesParams';
+export * from './listDiscoveredCertificatesStatus';
+export * from './listDiscoveryScans200';
+export * from './listDiscoveryScans200AllOf';
+export * from './listDiscoveryScansParams';
+export * from './listESTProfiles200';
+export * from './listESTProfiles200ProfilesItem';
+export * from './listHealthChecks200';
+export * from './listHealthChecksParams';
+export * from './listHealthChecksStatus';
+export * from './listIntermediateCAs200';
+export * from './listIntermediateCAs200DataItem';
+export * from './listIssuers200';
+export * from './listIssuers200AllOf';
+export * from './listIssuersParams';
+export * from './listJobs200';
+export * from './listJobs200AllOf';
+export * from './listJobsParams';
+export * from './listNetworkScanTargets200';
+export * from './listNetworkScanTargets200AllOf';
+export * from './listNotifications200';
+export * from './listNotifications200AllOf';
+export * from './listNotificationsParams';
+export * from './listNotificationsStatus';
+export * from './listOIDCGroupMappings200';
+export * from './listOIDCGroupMappingsParams';
+export * from './listOIDCProviders200';
+export * from './listOwners200';
+export * from './listOwners200AllOf';
+export * from './listOwnersParams';
+export * from './listPolicies200';
+export * from './listPolicies200AllOf';
+export * from './listPoliciesParams';
+export * from './listPolicyViolations200';
+export * from './listPolicyViolations200AllOf';
+export * from './listPolicyViolationsParams';
+export * from './listProfiles200';
+export * from './listProfiles200AllOf';
+export * from './listProfilesParams';
+export * from './listRenewalPolicies200';
+export * from './listRenewalPolicies200AllOf';
+export * from './listRenewalPoliciesParams';
+export * from './listRetiredAgents200';
+export * from './listRetiredAgents200AllOf';
+export * from './listRetiredAgentsParams';
+export * from './listSCEPIntuneStats200';
+export * from './listSCEPIntuneStats200ProfilesItem';
+export * from './listSCEPProbes200';
+export * from './listSCEPProbes200ProbesItem';
+export * from './listSCEPProfiles200';
+export * from './listSCEPProfiles200ProfilesItem';
+export * from './listTargets200';
+export * from './listTargets200AllOf';
+export * from './listTargetsParams';
+export * from './listTeams200';
+export * from './listTeams200AllOf';
+export * from './listTeamsParams';
+export * from './managedCertificate';
+export * from './managedCertificateTags';
+export * from './metricsResponse';
+export * from './metricsResponseCounter';
+export * from './metricsResponseGauge';
+export * from './metricsResponseUptime';
+export * from './networkScanTarget';
+export * from './networkScanTargetCreate';
+export * from './notFoundResponse';
+export * from './notificationChannel';
+export * from './notificationEvent';
+export * from './notificationEventStatus';
+export * from './notificationType';
+export * from './oIDCGroupMappingRequest';
+export * from './oIDCGroupMappingResponse';
+export * from './oIDCJWKSStatusSnapshot';
+export * from './oIDCProviderRequest';
+export * from './oIDCProviderResponse';
+export * from './oIDCTestDiscoveryResult';
+export * from './oIDCTestRequest';
+export * from './oidcBackChannelLogoutBody';
+export * from './oidcLoginCallbackParams';
+export * from './oidcLoginInitiateParams';
+export * from './owner';
+export * from './pageParameter';
+export * from './paginationEnvelope';
+export * from './perPageParameter';
+export * from './policyRule';
+export * from './policyRuleConfig';
+export * from './policySeverity';
+export * from './policyType';
+export * from './policyViolation';
+export * from './postAuthBootstrap201';
+export * from './postAuthBootstrapBody';
+export * from './probeSCEP200';
+export * from './probeSCEPBody';
+export * from './refreshOIDCProvider200';
+export * from './rejectApprovalRequest200';
+export * from './rejectApprovalRequest200Action';
+export * from './rejectApprovalRequestBody';
+export * from './rejectJobBody';
+export * from './reloadESTTrust200';
+export * from './reloadESTTrustBody';
+export * from './reloadSCEPIntuneTrust200';
+export * from './reloadSCEPIntuneTrustBody';
+export * from './renewalPolicy';
+export * from './renewalPolicyCreateRequest';
+export * from './renewalPolicyUpdateRequest';
+export * from './retireAgentParams';
+export * from './retireAgentResponse';
+export * from './retireIntermediateCABody';
+export * from './revocationReason';
+export * from './revokeAuthRolePermissionParams';
+export * from './revokeAuthRolePermissionScopeType';
+export * from './revokeAuthSessionsExceptCurrent200';
+export * from './revokeAuthSessionsExceptCurrentExcept';
+export * from './revokeAuthSessionsExceptCurrentParams';
+export * from './revokeCertificateBody';
+export * from './scepGetOperation';
+export * from './scepGetParams';
+export * from './scepPostOperation';
+export * from './scepPostParams';
+export * from './statusMessageResponse';
+export * from './statusResponse';
+export * from './targetType';
+export * from './team';
+export * from './triggerDeploymentBody';
+export * from './updateAuthRoleBody';
+export * from './updateHealthCheckBody';
+export * from './verificationResult';
+export * from './verifyDeployment200';
+export * from './verifyDeploymentRequest';
+export * from './workItem';
+export * from './workItemTargetConfig';
\ No newline at end of file
diff --git a/web/src/api/generated/model/internalErrorResponse.ts b/web/src/api/generated/model/internalErrorResponse.ts
new file mode 100644
index 0000000..674cbdd
--- /dev/null
+++ b/web/src/api/generated/model/internalErrorResponse.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ErrorResponse } from './errorResponse';
+
+/**
+ * Internal server error
+ */
+export type InternalErrorResponse = ErrorResponse;
diff --git a/web/src/api/generated/model/issuer.ts b/web/src/api/generated/model/issuer.ts
new file mode 100644
index 0000000..5e8266b
--- /dev/null
+++ b/web/src/api/generated/model/issuer.ts
@@ -0,0 +1,29 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { IssuerType } from './issuerType';
+import type { IssuerConfig } from './issuerConfig';
+
+export interface Issuer {
+  id?: string;
+  name?: string;
+  type?: IssuerType;
+  /** Issuer-specific configuration (varies by type) */
+  config?: IssuerConfig;
+  enabled?: boolean;
+  created_at?: string;
+  updated_at?: string;
+}
diff --git a/web/src/api/generated/model/issuerConfig.ts b/web/src/api/generated/model/issuerConfig.ts
new file mode 100644
index 0000000..4f1d2e8
--- /dev/null
+++ b/web/src/api/generated/model/issuerConfig.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Issuer-specific configuration (varies by type)
+ */
+export type IssuerConfig = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/issuerType.ts b/web/src/api/generated/model/issuerType.ts
new file mode 100644
index 0000000..9ddcc6c
--- /dev/null
+++ b/web/src/api/generated/model/issuerType.ts
@@ -0,0 +1,34 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type IssuerType = typeof IssuerType[keyof typeof IssuerType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const IssuerType = {
+  ACME: 'ACME',
+  GenericCA: 'GenericCA',
+  StepCA: 'StepCA',
+  VaultPKI: 'VaultPKI',
+  DigiCert: 'DigiCert',
+  Sectigo: 'Sectigo',
+  GoogleCAS: 'GoogleCAS',
+  AWSACMPCA: 'AWSACMPCA',
+  Entrust: 'Entrust',
+  GlobalSign: 'GlobalSign',
+  EJBCA: 'EJBCA',
+} as const;
diff --git a/web/src/api/generated/model/job.ts b/web/src/api/generated/model/job.ts
new file mode 100644
index 0000000..22f99ff
--- /dev/null
+++ b/web/src/api/generated/model/job.ts
@@ -0,0 +1,33 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { JobType } from './jobType';
+import type { JobStatus } from './jobStatus';
+
+export interface Job {
+  id?: string;
+  type?: JobType;
+  certificate_id?: string;
+  target_id?: string;
+  status?: JobStatus;
+  attempts?: number;
+  max_attempts?: number;
+  last_error?: string;
+  scheduled_at?: string;
+  started_at?: string;
+  completed_at?: string;
+  created_at?: string;
+}
diff --git a/web/src/api/generated/model/jobStatus.ts b/web/src/api/generated/model/jobStatus.ts
new file mode 100644
index 0000000..60c72e4
--- /dev/null
+++ b/web/src/api/generated/model/jobStatus.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type JobStatus = typeof JobStatus[keyof typeof JobStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const JobStatus = {
+  Pending: 'Pending',
+  AwaitingCSR: 'AwaitingCSR',
+  AwaitingApproval: 'AwaitingApproval',
+  Running: 'Running',
+  Completed: 'Completed',
+  Failed: 'Failed',
+  Cancelled: 'Cancelled',
+} as const;
diff --git a/web/src/api/generated/model/jobType.ts b/web/src/api/generated/model/jobType.ts
new file mode 100644
index 0000000..394b953
--- /dev/null
+++ b/web/src/api/generated/model/jobType.ts
@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type JobType = typeof JobType[keyof typeof JobType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const JobType = {
+  Issuance: 'Issuance',
+  Renewal: 'Renewal',
+  Deployment: 'Deployment',
+  Validation: 'Validation',
+} as const;
diff --git a/web/src/api/generated/model/keyAlgorithmRule.ts b/web/src/api/generated/model/keyAlgorithmRule.ts
new file mode 100644
index 0000000..dd8a196
--- /dev/null
+++ b/web/src/api/generated/model/keyAlgorithmRule.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { KeyAlgorithmRuleAlgorithm } from './keyAlgorithmRuleAlgorithm';
+
+export interface KeyAlgorithmRule {
+  algorithm?: KeyAlgorithmRuleAlgorithm;
+  min_size?: number;
+}
diff --git a/web/src/api/generated/model/keyAlgorithmRuleAlgorithm.ts b/web/src/api/generated/model/keyAlgorithmRuleAlgorithm.ts
new file mode 100644
index 0000000..5022bfd
--- /dev/null
+++ b/web/src/api/generated/model/keyAlgorithmRuleAlgorithm.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type KeyAlgorithmRuleAlgorithm = typeof KeyAlgorithmRuleAlgorithm[keyof typeof KeyAlgorithmRuleAlgorithm];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const KeyAlgorithmRuleAlgorithm = {
+  RSA: 'RSA',
+  ECDSA: 'ECDSA',
+  Ed25519: 'Ed25519',
+} as const;
diff --git a/web/src/api/generated/model/listAgentGroupMembers200.ts b/web/src/api/generated/model/listAgentGroupMembers200.ts
new file mode 100644
index 0000000..d14711e
--- /dev/null
+++ b/web/src/api/generated/model/listAgentGroupMembers200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListAgentGroupMembers200AllOf } from './listAgentGroupMembers200AllOf';
+
+export type ListAgentGroupMembers200 = PaginationEnvelope & ListAgentGroupMembers200AllOf;
diff --git a/web/src/api/generated/model/listAgentGroupMembers200AllOf.ts b/web/src/api/generated/model/listAgentGroupMembers200AllOf.ts
new file mode 100644
index 0000000..c6a5d49
--- /dev/null
+++ b/web/src/api/generated/model/listAgentGroupMembers200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { Agent } from './agent';
+
+export type ListAgentGroupMembers200AllOf = {
+  data?: Agent[];
+};
diff --git a/web/src/api/generated/model/listAgentGroups200.ts b/web/src/api/generated/model/listAgentGroups200.ts
new file mode 100644
index 0000000..b4d9eaf
--- /dev/null
+++ b/web/src/api/generated/model/listAgentGroups200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListAgentGroups200AllOf } from './listAgentGroups200AllOf';
+
+export type ListAgentGroups200 = PaginationEnvelope & ListAgentGroups200AllOf;
diff --git a/web/src/api/generated/model/listAgentGroups200AllOf.ts b/web/src/api/generated/model/listAgentGroups200AllOf.ts
new file mode 100644
index 0000000..1d1312e
--- /dev/null
+++ b/web/src/api/generated/model/listAgentGroups200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AgentGroup } from './agentGroup';
+
+export type ListAgentGroups200AllOf = {
+  data?: AgentGroup[];
+};
diff --git a/web/src/api/generated/model/listAgentGroupsParams.ts b/web/src/api/generated/model/listAgentGroupsParams.ts
new file mode 100644
index 0000000..76e845d
--- /dev/null
+++ b/web/src/api/generated/model/listAgentGroupsParams.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListAgentGroupsParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/listAgents200.ts b/web/src/api/generated/model/listAgents200.ts
new file mode 100644
index 0000000..ddaf71a
--- /dev/null
+++ b/web/src/api/generated/model/listAgents200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListAgents200AllOf } from './listAgents200AllOf';
+
+export type ListAgents200 = PaginationEnvelope & ListAgents200AllOf;
diff --git a/web/src/api/generated/model/listAgents200AllOf.ts b/web/src/api/generated/model/listAgents200AllOf.ts
new file mode 100644
index 0000000..4fa2ed6
--- /dev/null
+++ b/web/src/api/generated/model/listAgents200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { Agent } from './agent';
+
+export type ListAgents200AllOf = {
+  data?: Agent[];
+};
diff --git a/web/src/api/generated/model/listAgentsParams.ts b/web/src/api/generated/model/listAgentsParams.ts
new file mode 100644
index 0000000..85576ba
--- /dev/null
+++ b/web/src/api/generated/model/listAgentsParams.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListAgentsParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/listApprovalRequests200.ts b/web/src/api/generated/model/listApprovalRequests200.ts
new file mode 100644
index 0000000..ba8f0d6
--- /dev/null
+++ b/web/src/api/generated/model/listApprovalRequests200.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ApprovalRequest } from './approvalRequest';
+
+export type ListApprovalRequests200 = {
+  data?: ApprovalRequest[];
+  page?: number;
+  per_page?: number;
+};
diff --git a/web/src/api/generated/model/listApprovalRequestsParams.ts b/web/src/api/generated/model/listApprovalRequestsParams.ts
new file mode 100644
index 0000000..b1e1142
--- /dev/null
+++ b/web/src/api/generated/model/listApprovalRequestsParams.ts
@@ -0,0 +1,34 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+import type { ListApprovalRequestsState } from './listApprovalRequestsState';
+
+export type ListApprovalRequestsParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+state?: ListApprovalRequestsState;
+certificate_id?: string;
+requested_by?: string;
+};
diff --git a/web/src/api/generated/model/listApprovalRequestsState.ts b/web/src/api/generated/model/listApprovalRequestsState.ts
new file mode 100644
index 0000000..906262f
--- /dev/null
+++ b/web/src/api/generated/model/listApprovalRequestsState.ts
@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListApprovalRequestsState = typeof ListApprovalRequestsState[keyof typeof ListApprovalRequestsState];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ListApprovalRequestsState = {
+  pending: 'pending',
+  approved: 'approved',
+  rejected: 'rejected',
+  expired: 'expired',
+} as const;
diff --git a/web/src/api/generated/model/listAuditEvents200.ts b/web/src/api/generated/model/listAuditEvents200.ts
new file mode 100644
index 0000000..a54869b
--- /dev/null
+++ b/web/src/api/generated/model/listAuditEvents200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListAuditEvents200AllOf } from './listAuditEvents200AllOf';
+
+export type ListAuditEvents200 = PaginationEnvelope & ListAuditEvents200AllOf;
diff --git a/web/src/api/generated/model/listAuditEvents200AllOf.ts b/web/src/api/generated/model/listAuditEvents200AllOf.ts
new file mode 100644
index 0000000..b4f40bb
--- /dev/null
+++ b/web/src/api/generated/model/listAuditEvents200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AuditEvent } from './auditEvent';
+
+export type ListAuditEvents200AllOf = {
+  data?: AuditEvent[];
+};
diff --git a/web/src/api/generated/model/listAuditEventsCategory.ts b/web/src/api/generated/model/listAuditEventsCategory.ts
new file mode 100644
index 0000000..1a27a13
--- /dev/null
+++ b/web/src/api/generated/model/listAuditEventsCategory.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListAuditEventsCategory = typeof ListAuditEventsCategory[keyof typeof ListAuditEventsCategory];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ListAuditEventsCategory = {
+  cert_lifecycle: 'cert_lifecycle',
+  auth: 'auth',
+  config: 'config',
+} as const;
diff --git a/web/src/api/generated/model/listAuditEventsParams.ts b/web/src/api/generated/model/listAuditEventsParams.ts
new file mode 100644
index 0000000..93cb2c5
--- /dev/null
+++ b/web/src/api/generated/model/listAuditEventsParams.ts
@@ -0,0 +1,48 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+import type { ListAuditEventsCategory } from './listAuditEventsCategory';
+
+export type ListAuditEventsParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+/**
+ * Filter to events of this event_category. (Bundle 1 Phase 8)
+ */
+category?: ListAuditEventsCategory;
+/**
+ * Lower bound on `timestamp` (RFC3339). Inclusive.
+Open-ended when omitted. (P-H2 2026-05-14)
+
+ */
+since?: string;
+/**
+ * Upper bound on `timestamp` (RFC3339). Inclusive.
+Open-ended when omitted. Must be after `since` if both
+are set. (P-H2 2026-05-14)
+
+ */
+until?: string;
+};
diff --git a/web/src/api/generated/model/listAuthKeys200.ts b/web/src/api/generated/model/listAuthKeys200.ts
new file mode 100644
index 0000000..c143045
--- /dev/null
+++ b/web/src/api/generated/model/listAuthKeys200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ListAuthKeys200KeysItem } from './listAuthKeys200KeysItem';
+
+export type ListAuthKeys200 = {
+  keys?: ListAuthKeys200KeysItem[];
+};
diff --git a/web/src/api/generated/model/listAuthKeys200KeysItem.ts b/web/src/api/generated/model/listAuthKeys200KeysItem.ts
new file mode 100644
index 0000000..4ba067d
--- /dev/null
+++ b/web/src/api/generated/model/listAuthKeys200KeysItem.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ListAuthKeys200KeysItemActorType } from './listAuthKeys200KeysItemActorType';
+
+export type ListAuthKeys200KeysItem = {
+  actor_id: string;
+  actor_type: ListAuthKeys200KeysItemActorType;
+  tenant_id: string;
+  role_ids: string[];
+};
diff --git a/web/src/api/generated/model/listAuthKeys200KeysItemActorType.ts b/web/src/api/generated/model/listAuthKeys200KeysItemActorType.ts
new file mode 100644
index 0000000..b701029
--- /dev/null
+++ b/web/src/api/generated/model/listAuthKeys200KeysItemActorType.ts
@@ -0,0 +1,28 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListAuthKeys200KeysItemActorType = typeof ListAuthKeys200KeysItemActorType[keyof typeof ListAuthKeys200KeysItemActorType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ListAuthKeys200KeysItemActorType = {
+  User: 'User',
+  System: 'System',
+  Agent: 'Agent',
+  APIKey: 'APIKey',
+  Anonymous: 'Anonymous',
+} as const;
diff --git a/web/src/api/generated/model/listAuthPermissions200.ts b/web/src/api/generated/model/listAuthPermissions200.ts
new file mode 100644
index 0000000..c303085
--- /dev/null
+++ b/web/src/api/generated/model/listAuthPermissions200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ListAuthPermissions200PermissionsItem } from './listAuthPermissions200PermissionsItem';
+
+export type ListAuthPermissions200 = {
+  permissions?: ListAuthPermissions200PermissionsItem[];
+};
diff --git a/web/src/api/generated/model/listAuthPermissions200PermissionsItem.ts b/web/src/api/generated/model/listAuthPermissions200PermissionsItem.ts
new file mode 100644
index 0000000..a46017d
--- /dev/null
+++ b/web/src/api/generated/model/listAuthPermissions200PermissionsItem.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListAuthPermissions200PermissionsItem = {
+  id: string;
+  name: string;
+  namespace: string;
+};
diff --git a/web/src/api/generated/model/listAuthRoles200.ts b/web/src/api/generated/model/listAuthRoles200.ts
new file mode 100644
index 0000000..8fb0894
--- /dev/null
+++ b/web/src/api/generated/model/listAuthRoles200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AuthRole } from './authRole';
+
+export type ListAuthRoles200 = {
+  roles?: AuthRole[];
+};
diff --git a/web/src/api/generated/model/listAuthSessions200.ts b/web/src/api/generated/model/listAuthSessions200.ts
new file mode 100644
index 0000000..793adfc
--- /dev/null
+++ b/web/src/api/generated/model/listAuthSessions200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AuthSession } from './authSession';
+
+export type ListAuthSessions200 = {
+  sessions: AuthSession[];
+};
diff --git a/web/src/api/generated/model/listAuthSessionsParams.ts b/web/src/api/generated/model/listAuthSessionsParams.ts
new file mode 100644
index 0000000..ea45a90
--- /dev/null
+++ b/web/src/api/generated/model/listAuthSessionsParams.ts
@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListAuthSessionsParams = {
+/**
+ * Target actor whose sessions to list. Defaults to the calling actor.
+ */
+actor_id?: string;
+/**
+ * Required when `actor_id` is set and differs from the caller's type. Ignored otherwise.
+ */
+actor_type?: string;
+};
diff --git a/web/src/api/generated/model/listAuthUsers200.ts b/web/src/api/generated/model/listAuthUsers200.ts
new file mode 100644
index 0000000..75eb61d
--- /dev/null
+++ b/web/src/api/generated/model/listAuthUsers200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AuthUser } from './authUser';
+
+export type ListAuthUsers200 = {
+  users: AuthUser[];
+};
diff --git a/web/src/api/generated/model/listAuthUsersParams.ts b/web/src/api/generated/model/listAuthUsersParams.ts
new file mode 100644
index 0000000..5ef377e
--- /dev/null
+++ b/web/src/api/generated/model/listAuthUsersParams.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListAuthUsersParams = {
+/**
+ * When set, only return users whose `oidc_provider_id` matches exactly.
+ */
+oidc_provider_id?: string;
+};
diff --git a/web/src/api/generated/model/listCRLCache200.ts b/web/src/api/generated/model/listCRLCache200.ts
new file mode 100644
index 0000000..f86cca0
--- /dev/null
+++ b/web/src/api/generated/model/listCRLCache200.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ListCRLCache200CacheRowsItem } from './listCRLCache200CacheRowsItem';
+
+export type ListCRLCache200 = {
+  cache_rows?: ListCRLCache200CacheRowsItem[];
+  row_count?: number;
+  generated_at?: string;
+};
diff --git a/web/src/api/generated/model/listCRLCache200CacheRowsItem.ts b/web/src/api/generated/model/listCRLCache200CacheRowsItem.ts
new file mode 100644
index 0000000..7d6f477
--- /dev/null
+++ b/web/src/api/generated/model/listCRLCache200CacheRowsItem.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListCRLCache200CacheRowsItem = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/listCertificateVersions200.ts b/web/src/api/generated/model/listCertificateVersions200.ts
new file mode 100644
index 0000000..1474f04
--- /dev/null
+++ b/web/src/api/generated/model/listCertificateVersions200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListCertificateVersions200AllOf } from './listCertificateVersions200AllOf';
+
+export type ListCertificateVersions200 = PaginationEnvelope & ListCertificateVersions200AllOf;
diff --git a/web/src/api/generated/model/listCertificateVersions200AllOf.ts b/web/src/api/generated/model/listCertificateVersions200AllOf.ts
new file mode 100644
index 0000000..62cfa38
--- /dev/null
+++ b/web/src/api/generated/model/listCertificateVersions200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { CertificateVersion } from './certificateVersion';
+
+export type ListCertificateVersions200AllOf = {
+  data?: CertificateVersion[];
+};
diff --git a/web/src/api/generated/model/listCertificateVersionsParams.ts b/web/src/api/generated/model/listCertificateVersionsParams.ts
new file mode 100644
index 0000000..c618203
--- /dev/null
+++ b/web/src/api/generated/model/listCertificateVersionsParams.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListCertificateVersionsParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/listCertificates200.ts b/web/src/api/generated/model/listCertificates200.ts
new file mode 100644
index 0000000..52ada58
--- /dev/null
+++ b/web/src/api/generated/model/listCertificates200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListCertificates200AllOf } from './listCertificates200AllOf';
+
+export type ListCertificates200 = PaginationEnvelope & ListCertificates200AllOf;
diff --git a/web/src/api/generated/model/listCertificates200AllOf.ts b/web/src/api/generated/model/listCertificates200AllOf.ts
new file mode 100644
index 0000000..6e41d05
--- /dev/null
+++ b/web/src/api/generated/model/listCertificates200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ManagedCertificate } from './managedCertificate';
+
+export type ListCertificates200AllOf = {
+  data?: ManagedCertificate[];
+};
diff --git a/web/src/api/generated/model/listCertificatesParams.ts b/web/src/api/generated/model/listCertificatesParams.ts
new file mode 100644
index 0000000..c79a739
--- /dev/null
+++ b/web/src/api/generated/model/listCertificatesParams.ts
@@ -0,0 +1,36 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+import type { CertificateStatus } from './certificateStatus';
+
+export type ListCertificatesParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+status?: CertificateStatus;
+environment?: string;
+owner_id?: string;
+team_id?: string;
+issuer_id?: string;
+};
diff --git a/web/src/api/generated/model/listDiscoveredCertificates200.ts b/web/src/api/generated/model/listDiscoveredCertificates200.ts
new file mode 100644
index 0000000..0e58619
--- /dev/null
+++ b/web/src/api/generated/model/listDiscoveredCertificates200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListDiscoveredCertificates200AllOf } from './listDiscoveredCertificates200AllOf';
+
+export type ListDiscoveredCertificates200 = PaginationEnvelope & ListDiscoveredCertificates200AllOf;
diff --git a/web/src/api/generated/model/listDiscoveredCertificates200AllOf.ts b/web/src/api/generated/model/listDiscoveredCertificates200AllOf.ts
new file mode 100644
index 0000000..cf172a3
--- /dev/null
+++ b/web/src/api/generated/model/listDiscoveredCertificates200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { DiscoveredCertificate } from './discoveredCertificate';
+
+export type ListDiscoveredCertificates200AllOf = {
+  data?: DiscoveredCertificate[];
+};
diff --git a/web/src/api/generated/model/listDiscoveredCertificatesParams.ts b/web/src/api/generated/model/listDiscoveredCertificatesParams.ts
new file mode 100644
index 0000000..cfc9e9d
--- /dev/null
+++ b/web/src/api/generated/model/listDiscoveredCertificatesParams.ts
@@ -0,0 +1,39 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+import type { ListDiscoveredCertificatesStatus } from './listDiscoveredCertificatesStatus';
+
+export type ListDiscoveredCertificatesParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+/**
+ * Filter by discovering agent
+ */
+agent_id?: string;
+/**
+ * Filter by triage status
+ */
+status?: ListDiscoveredCertificatesStatus;
+};
diff --git a/web/src/api/generated/model/listDiscoveredCertificatesStatus.ts b/web/src/api/generated/model/listDiscoveredCertificatesStatus.ts
new file mode 100644
index 0000000..ced54b3
--- /dev/null
+++ b/web/src/api/generated/model/listDiscoveredCertificatesStatus.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListDiscoveredCertificatesStatus = typeof ListDiscoveredCertificatesStatus[keyof typeof ListDiscoveredCertificatesStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ListDiscoveredCertificatesStatus = {
+  Unmanaged: 'Unmanaged',
+  Managed: 'Managed',
+  Dismissed: 'Dismissed',
+} as const;
diff --git a/web/src/api/generated/model/listDiscoveryScans200.ts b/web/src/api/generated/model/listDiscoveryScans200.ts
new file mode 100644
index 0000000..dbb4856
--- /dev/null
+++ b/web/src/api/generated/model/listDiscoveryScans200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListDiscoveryScans200AllOf } from './listDiscoveryScans200AllOf';
+
+export type ListDiscoveryScans200 = PaginationEnvelope & ListDiscoveryScans200AllOf;
diff --git a/web/src/api/generated/model/listDiscoveryScans200AllOf.ts b/web/src/api/generated/model/listDiscoveryScans200AllOf.ts
new file mode 100644
index 0000000..5bf494a
--- /dev/null
+++ b/web/src/api/generated/model/listDiscoveryScans200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { DiscoveryScan } from './discoveryScan';
+
+export type ListDiscoveryScans200AllOf = {
+  data?: DiscoveryScan[];
+};
diff --git a/web/src/api/generated/model/listDiscoveryScansParams.ts b/web/src/api/generated/model/listDiscoveryScansParams.ts
new file mode 100644
index 0000000..0e723e6
--- /dev/null
+++ b/web/src/api/generated/model/listDiscoveryScansParams.ts
@@ -0,0 +1,34 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListDiscoveryScansParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+/**
+ * Filter by agent ID
+ */
+agent_id?: string;
+};
diff --git a/web/src/api/generated/model/listESTProfiles200.ts b/web/src/api/generated/model/listESTProfiles200.ts
new file mode 100644
index 0000000..8de2fac
--- /dev/null
+++ b/web/src/api/generated/model/listESTProfiles200.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ListESTProfiles200ProfilesItem } from './listESTProfiles200ProfilesItem';
+
+export type ListESTProfiles200 = {
+  profiles?: ListESTProfiles200ProfilesItem[];
+  profile_count?: number;
+  generated_at?: string;
+};
diff --git a/web/src/api/generated/model/listESTProfiles200ProfilesItem.ts b/web/src/api/generated/model/listESTProfiles200ProfilesItem.ts
new file mode 100644
index 0000000..edf09ec
--- /dev/null
+++ b/web/src/api/generated/model/listESTProfiles200ProfilesItem.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListESTProfiles200ProfilesItem = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/listHealthChecks200.ts b/web/src/api/generated/model/listHealthChecks200.ts
new file mode 100644
index 0000000..bec3dc3
--- /dev/null
+++ b/web/src/api/generated/model/listHealthChecks200.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { EndpointHealthCheck } from './endpointHealthCheck';
+
+export type ListHealthChecks200 = {
+  data?: EndpointHealthCheck[];
+  total?: number;
+  page?: number;
+  per_page?: number;
+};
diff --git a/web/src/api/generated/model/listHealthChecksParams.ts b/web/src/api/generated/model/listHealthChecksParams.ts
new file mode 100644
index 0000000..454897f
--- /dev/null
+++ b/web/src/api/generated/model/listHealthChecksParams.ts
@@ -0,0 +1,47 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ListHealthChecksStatus } from './listHealthChecksStatus';
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListHealthChecksParams = {
+/**
+ * Filter by health status
+ */
+status?: ListHealthChecksStatus;
+/**
+ * Filter by certificate ID
+ */
+certificate_id?: string;
+/**
+ * Filter by network scan target ID
+ */
+network_scan_target_id?: string;
+/**
+ * Filter by enabled/disabled state
+ */
+enabled?: boolean;
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/listHealthChecksStatus.ts b/web/src/api/generated/model/listHealthChecksStatus.ts
new file mode 100644
index 0000000..b5f34cb
--- /dev/null
+++ b/web/src/api/generated/model/listHealthChecksStatus.ts
@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListHealthChecksStatus = typeof ListHealthChecksStatus[keyof typeof ListHealthChecksStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ListHealthChecksStatus = {
+  Healthy: 'Healthy',
+  Degraded: 'Degraded',
+  Down: 'Down',
+  CertMismatch: 'CertMismatch',
+} as const;
diff --git a/web/src/api/generated/model/listIntermediateCAs200.ts b/web/src/api/generated/model/listIntermediateCAs200.ts
new file mode 100644
index 0000000..76e9129
--- /dev/null
+++ b/web/src/api/generated/model/listIntermediateCAs200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ListIntermediateCAs200DataItem } from './listIntermediateCAs200DataItem';
+
+export type ListIntermediateCAs200 = {
+  data?: ListIntermediateCAs200DataItem[];
+};
diff --git a/web/src/api/generated/model/listIntermediateCAs200DataItem.ts b/web/src/api/generated/model/listIntermediateCAs200DataItem.ts
new file mode 100644
index 0000000..9c583ac
--- /dev/null
+++ b/web/src/api/generated/model/listIntermediateCAs200DataItem.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListIntermediateCAs200DataItem = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/listIssuers200.ts b/web/src/api/generated/model/listIssuers200.ts
new file mode 100644
index 0000000..8848f96
--- /dev/null
+++ b/web/src/api/generated/model/listIssuers200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListIssuers200AllOf } from './listIssuers200AllOf';
+
+export type ListIssuers200 = PaginationEnvelope & ListIssuers200AllOf;
diff --git a/web/src/api/generated/model/listIssuers200AllOf.ts b/web/src/api/generated/model/listIssuers200AllOf.ts
new file mode 100644
index 0000000..ce12c81
--- /dev/null
+++ b/web/src/api/generated/model/listIssuers200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { Issuer } from './issuer';
+
+export type ListIssuers200AllOf = {
+  data?: Issuer[];
+};
diff --git a/web/src/api/generated/model/listIssuersParams.ts b/web/src/api/generated/model/listIssuersParams.ts
new file mode 100644
index 0000000..e03fd44
--- /dev/null
+++ b/web/src/api/generated/model/listIssuersParams.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListIssuersParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/listJobs200.ts b/web/src/api/generated/model/listJobs200.ts
new file mode 100644
index 0000000..4457643
--- /dev/null
+++ b/web/src/api/generated/model/listJobs200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListJobs200AllOf } from './listJobs200AllOf';
+
+export type ListJobs200 = PaginationEnvelope & ListJobs200AllOf;
diff --git a/web/src/api/generated/model/listJobs200AllOf.ts b/web/src/api/generated/model/listJobs200AllOf.ts
new file mode 100644
index 0000000..406ee9b
--- /dev/null
+++ b/web/src/api/generated/model/listJobs200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { Job } from './job';
+
+export type ListJobs200AllOf = {
+  data?: Job[];
+};
diff --git a/web/src/api/generated/model/listJobsParams.ts b/web/src/api/generated/model/listJobsParams.ts
new file mode 100644
index 0000000..a6ff6cb
--- /dev/null
+++ b/web/src/api/generated/model/listJobsParams.ts
@@ -0,0 +1,34 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+import type { JobStatus } from './jobStatus';
+import type { JobType } from './jobType';
+
+export type ListJobsParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+status?: JobStatus;
+type?: JobType;
+};
diff --git a/web/src/api/generated/model/listNetworkScanTargets200.ts b/web/src/api/generated/model/listNetworkScanTargets200.ts
new file mode 100644
index 0000000..5e48842
--- /dev/null
+++ b/web/src/api/generated/model/listNetworkScanTargets200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListNetworkScanTargets200AllOf } from './listNetworkScanTargets200AllOf';
+
+export type ListNetworkScanTargets200 = PaginationEnvelope & ListNetworkScanTargets200AllOf;
diff --git a/web/src/api/generated/model/listNetworkScanTargets200AllOf.ts b/web/src/api/generated/model/listNetworkScanTargets200AllOf.ts
new file mode 100644
index 0000000..f141e8a
--- /dev/null
+++ b/web/src/api/generated/model/listNetworkScanTargets200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { NetworkScanTarget } from './networkScanTarget';
+
+export type ListNetworkScanTargets200AllOf = {
+  data?: NetworkScanTarget[];
+};
diff --git a/web/src/api/generated/model/listNotifications200.ts b/web/src/api/generated/model/listNotifications200.ts
new file mode 100644
index 0000000..5b2c7c3
--- /dev/null
+++ b/web/src/api/generated/model/listNotifications200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListNotifications200AllOf } from './listNotifications200AllOf';
+
+export type ListNotifications200 = PaginationEnvelope & ListNotifications200AllOf;
diff --git a/web/src/api/generated/model/listNotifications200AllOf.ts b/web/src/api/generated/model/listNotifications200AllOf.ts
new file mode 100644
index 0000000..eadfe51
--- /dev/null
+++ b/web/src/api/generated/model/listNotifications200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { NotificationEvent } from './notificationEvent';
+
+export type ListNotifications200AllOf = {
+  data?: NotificationEvent[];
+};
diff --git a/web/src/api/generated/model/listNotificationsParams.ts b/web/src/api/generated/model/listNotificationsParams.ts
new file mode 100644
index 0000000..eac7b56
--- /dev/null
+++ b/web/src/api/generated/model/listNotificationsParams.ts
@@ -0,0 +1,38 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+import type { ListNotificationsStatus } from './listNotificationsStatus';
+
+export type ListNotificationsParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+/**
+ * Filter by lifecycle status. I-005: `dead` powers the Dead letter
+tab on the GUI; empty/omitted returns the default all-statuses
+listing to preserve pre-I-005 behavior.
+
+ */
+status?: ListNotificationsStatus;
+};
diff --git a/web/src/api/generated/model/listNotificationsStatus.ts b/web/src/api/generated/model/listNotificationsStatus.ts
new file mode 100644
index 0000000..7a0c839
--- /dev/null
+++ b/web/src/api/generated/model/listNotificationsStatus.ts
@@ -0,0 +1,28 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListNotificationsStatus = typeof ListNotificationsStatus[keyof typeof ListNotificationsStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ListNotificationsStatus = {
+  pending: 'pending',
+  sent: 'sent',
+  failed: 'failed',
+  dead: 'dead',
+  read: 'read',
+} as const;
diff --git a/web/src/api/generated/model/listOIDCGroupMappings200.ts b/web/src/api/generated/model/listOIDCGroupMappings200.ts
new file mode 100644
index 0000000..af795ed
--- /dev/null
+++ b/web/src/api/generated/model/listOIDCGroupMappings200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { OIDCGroupMappingResponse } from './oIDCGroupMappingResponse';
+
+export type ListOIDCGroupMappings200 = {
+  mappings: OIDCGroupMappingResponse[];
+};
diff --git a/web/src/api/generated/model/listOIDCGroupMappingsParams.ts b/web/src/api/generated/model/listOIDCGroupMappingsParams.ts
new file mode 100644
index 0000000..8a6dd70
--- /dev/null
+++ b/web/src/api/generated/model/listOIDCGroupMappingsParams.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListOIDCGroupMappingsParams = {
+provider_id: string;
+};
diff --git a/web/src/api/generated/model/listOIDCProviders200.ts b/web/src/api/generated/model/listOIDCProviders200.ts
new file mode 100644
index 0000000..d2f7929
--- /dev/null
+++ b/web/src/api/generated/model/listOIDCProviders200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { OIDCProviderResponse } from './oIDCProviderResponse';
+
+export type ListOIDCProviders200 = {
+  providers: OIDCProviderResponse[];
+};
diff --git a/web/src/api/generated/model/listOwners200.ts b/web/src/api/generated/model/listOwners200.ts
new file mode 100644
index 0000000..5f992b6
--- /dev/null
+++ b/web/src/api/generated/model/listOwners200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListOwners200AllOf } from './listOwners200AllOf';
+
+export type ListOwners200 = PaginationEnvelope & ListOwners200AllOf;
diff --git a/web/src/api/generated/model/listOwners200AllOf.ts b/web/src/api/generated/model/listOwners200AllOf.ts
new file mode 100644
index 0000000..365754b
--- /dev/null
+++ b/web/src/api/generated/model/listOwners200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { Owner } from './owner';
+
+export type ListOwners200AllOf = {
+  data?: Owner[];
+};
diff --git a/web/src/api/generated/model/listOwnersParams.ts b/web/src/api/generated/model/listOwnersParams.ts
new file mode 100644
index 0000000..cc329fc
--- /dev/null
+++ b/web/src/api/generated/model/listOwnersParams.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListOwnersParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/listPolicies200.ts b/web/src/api/generated/model/listPolicies200.ts
new file mode 100644
index 0000000..0b22ccf
--- /dev/null
+++ b/web/src/api/generated/model/listPolicies200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListPolicies200AllOf } from './listPolicies200AllOf';
+
+export type ListPolicies200 = PaginationEnvelope & ListPolicies200AllOf;
diff --git a/web/src/api/generated/model/listPolicies200AllOf.ts b/web/src/api/generated/model/listPolicies200AllOf.ts
new file mode 100644
index 0000000..52332e6
--- /dev/null
+++ b/web/src/api/generated/model/listPolicies200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PolicyRule } from './policyRule';
+
+export type ListPolicies200AllOf = {
+  data?: PolicyRule[];
+};
diff --git a/web/src/api/generated/model/listPoliciesParams.ts b/web/src/api/generated/model/listPoliciesParams.ts
new file mode 100644
index 0000000..32cd3f9
--- /dev/null
+++ b/web/src/api/generated/model/listPoliciesParams.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListPoliciesParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/listPolicyViolations200.ts b/web/src/api/generated/model/listPolicyViolations200.ts
new file mode 100644
index 0000000..dc5af4e
--- /dev/null
+++ b/web/src/api/generated/model/listPolicyViolations200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListPolicyViolations200AllOf } from './listPolicyViolations200AllOf';
+
+export type ListPolicyViolations200 = PaginationEnvelope & ListPolicyViolations200AllOf;
diff --git a/web/src/api/generated/model/listPolicyViolations200AllOf.ts b/web/src/api/generated/model/listPolicyViolations200AllOf.ts
new file mode 100644
index 0000000..499a8f4
--- /dev/null
+++ b/web/src/api/generated/model/listPolicyViolations200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PolicyViolation } from './policyViolation';
+
+export type ListPolicyViolations200AllOf = {
+  data?: PolicyViolation[];
+};
diff --git a/web/src/api/generated/model/listPolicyViolationsParams.ts b/web/src/api/generated/model/listPolicyViolationsParams.ts
new file mode 100644
index 0000000..56b4d42
--- /dev/null
+++ b/web/src/api/generated/model/listPolicyViolationsParams.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListPolicyViolationsParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/listProfiles200.ts b/web/src/api/generated/model/listProfiles200.ts
new file mode 100644
index 0000000..b386ae5
--- /dev/null
+++ b/web/src/api/generated/model/listProfiles200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListProfiles200AllOf } from './listProfiles200AllOf';
+
+export type ListProfiles200 = PaginationEnvelope & ListProfiles200AllOf;
diff --git a/web/src/api/generated/model/listProfiles200AllOf.ts b/web/src/api/generated/model/listProfiles200AllOf.ts
new file mode 100644
index 0000000..70ec2e9
--- /dev/null
+++ b/web/src/api/generated/model/listProfiles200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { CertificateProfile } from './certificateProfile';
+
+export type ListProfiles200AllOf = {
+  data?: CertificateProfile[];
+};
diff --git a/web/src/api/generated/model/listProfilesParams.ts b/web/src/api/generated/model/listProfilesParams.ts
new file mode 100644
index 0000000..d319746
--- /dev/null
+++ b/web/src/api/generated/model/listProfilesParams.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListProfilesParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/listRenewalPolicies200.ts b/web/src/api/generated/model/listRenewalPolicies200.ts
new file mode 100644
index 0000000..86d204c
--- /dev/null
+++ b/web/src/api/generated/model/listRenewalPolicies200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListRenewalPolicies200AllOf } from './listRenewalPolicies200AllOf';
+
+export type ListRenewalPolicies200 = PaginationEnvelope & ListRenewalPolicies200AllOf;
diff --git a/web/src/api/generated/model/listRenewalPolicies200AllOf.ts b/web/src/api/generated/model/listRenewalPolicies200AllOf.ts
new file mode 100644
index 0000000..fef9668
--- /dev/null
+++ b/web/src/api/generated/model/listRenewalPolicies200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { RenewalPolicy } from './renewalPolicy';
+
+export type ListRenewalPolicies200AllOf = {
+  data?: RenewalPolicy[];
+};
diff --git a/web/src/api/generated/model/listRenewalPoliciesParams.ts b/web/src/api/generated/model/listRenewalPoliciesParams.ts
new file mode 100644
index 0000000..9234ab3
--- /dev/null
+++ b/web/src/api/generated/model/listRenewalPoliciesParams.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListRenewalPoliciesParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/listRetiredAgents200.ts b/web/src/api/generated/model/listRetiredAgents200.ts
new file mode 100644
index 0000000..458d72b
--- /dev/null
+++ b/web/src/api/generated/model/listRetiredAgents200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListRetiredAgents200AllOf } from './listRetiredAgents200AllOf';
+
+export type ListRetiredAgents200 = PaginationEnvelope & ListRetiredAgents200AllOf;
diff --git a/web/src/api/generated/model/listRetiredAgents200AllOf.ts b/web/src/api/generated/model/listRetiredAgents200AllOf.ts
new file mode 100644
index 0000000..da109a4
--- /dev/null
+++ b/web/src/api/generated/model/listRetiredAgents200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { Agent } from './agent';
+
+export type ListRetiredAgents200AllOf = {
+  data?: Agent[];
+};
diff --git a/web/src/api/generated/model/listRetiredAgentsParams.ts b/web/src/api/generated/model/listRetiredAgentsParams.ts
new file mode 100644
index 0000000..4573743
--- /dev/null
+++ b/web/src/api/generated/model/listRetiredAgentsParams.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListRetiredAgentsParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/listSCEPIntuneStats200.ts b/web/src/api/generated/model/listSCEPIntuneStats200.ts
new file mode 100644
index 0000000..0c85935
--- /dev/null
+++ b/web/src/api/generated/model/listSCEPIntuneStats200.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ListSCEPIntuneStats200ProfilesItem } from './listSCEPIntuneStats200ProfilesItem';
+
+export type ListSCEPIntuneStats200 = {
+  profiles?: ListSCEPIntuneStats200ProfilesItem[];
+  profile_count?: number;
+  generated_at?: string;
+};
diff --git a/web/src/api/generated/model/listSCEPIntuneStats200ProfilesItem.ts b/web/src/api/generated/model/listSCEPIntuneStats200ProfilesItem.ts
new file mode 100644
index 0000000..965121f
--- /dev/null
+++ b/web/src/api/generated/model/listSCEPIntuneStats200ProfilesItem.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListSCEPIntuneStats200ProfilesItem = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/listSCEPProbes200.ts b/web/src/api/generated/model/listSCEPProbes200.ts
new file mode 100644
index 0000000..a6faade
--- /dev/null
+++ b/web/src/api/generated/model/listSCEPProbes200.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ListSCEPProbes200ProbesItem } from './listSCEPProbes200ProbesItem';
+
+export type ListSCEPProbes200 = {
+  probes?: ListSCEPProbes200ProbesItem[];
+  probe_count?: number;
+};
diff --git a/web/src/api/generated/model/listSCEPProbes200ProbesItem.ts b/web/src/api/generated/model/listSCEPProbes200ProbesItem.ts
new file mode 100644
index 0000000..ac20b0e
--- /dev/null
+++ b/web/src/api/generated/model/listSCEPProbes200ProbesItem.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListSCEPProbes200ProbesItem = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/listSCEPProfiles200.ts b/web/src/api/generated/model/listSCEPProfiles200.ts
new file mode 100644
index 0000000..aaf5356
--- /dev/null
+++ b/web/src/api/generated/model/listSCEPProfiles200.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ListSCEPProfiles200ProfilesItem } from './listSCEPProfiles200ProfilesItem';
+
+export type ListSCEPProfiles200 = {
+  profiles?: ListSCEPProfiles200ProfilesItem[];
+  profile_count?: number;
+  generated_at?: string;
+};
diff --git a/web/src/api/generated/model/listSCEPProfiles200ProfilesItem.ts b/web/src/api/generated/model/listSCEPProfiles200ProfilesItem.ts
new file mode 100644
index 0000000..8e0578d
--- /dev/null
+++ b/web/src/api/generated/model/listSCEPProfiles200ProfilesItem.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ListSCEPProfiles200ProfilesItem = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/listTargets200.ts b/web/src/api/generated/model/listTargets200.ts
new file mode 100644
index 0000000..25c5a99
--- /dev/null
+++ b/web/src/api/generated/model/listTargets200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListTargets200AllOf } from './listTargets200AllOf';
+
+export type ListTargets200 = PaginationEnvelope & ListTargets200AllOf;
diff --git a/web/src/api/generated/model/listTargets200AllOf.ts b/web/src/api/generated/model/listTargets200AllOf.ts
new file mode 100644
index 0000000..0b90eb2
--- /dev/null
+++ b/web/src/api/generated/model/listTargets200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { DeploymentTarget } from './deploymentTarget';
+
+export type ListTargets200AllOf = {
+  data?: DeploymentTarget[];
+};
diff --git a/web/src/api/generated/model/listTargetsParams.ts b/web/src/api/generated/model/listTargetsParams.ts
new file mode 100644
index 0000000..44de993
--- /dev/null
+++ b/web/src/api/generated/model/listTargetsParams.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListTargetsParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/listTeams200.ts b/web/src/api/generated/model/listTeams200.ts
new file mode 100644
index 0000000..dd16234
--- /dev/null
+++ b/web/src/api/generated/model/listTeams200.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PaginationEnvelope } from './paginationEnvelope';
+import type { ListTeams200AllOf } from './listTeams200AllOf';
+
+export type ListTeams200 = PaginationEnvelope & ListTeams200AllOf;
diff --git a/web/src/api/generated/model/listTeams200AllOf.ts b/web/src/api/generated/model/listTeams200AllOf.ts
new file mode 100644
index 0000000..71b102a
--- /dev/null
+++ b/web/src/api/generated/model/listTeams200AllOf.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { Team } from './team';
+
+export type ListTeams200AllOf = {
+  data?: Team[];
+};
diff --git a/web/src/api/generated/model/listTeamsParams.ts b/web/src/api/generated/model/listTeamsParams.ts
new file mode 100644
index 0000000..3980c49
--- /dev/null
+++ b/web/src/api/generated/model/listTeamsParams.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PageParameter } from './pageParameter';
+import type { PerPageParameter } from './perPageParameter';
+
+export type ListTeamsParams = {
+/**
+ * @minimum 1
+ */
+page?: PageParameter;
+/**
+ * @minimum 1
+ * @maximum 500
+ */
+per_page?: PerPageParameter;
+};
diff --git a/web/src/api/generated/model/managedCertificate.ts b/web/src/api/generated/model/managedCertificate.ts
new file mode 100644
index 0000000..8003908
--- /dev/null
+++ b/web/src/api/generated/model/managedCertificate.ts
@@ -0,0 +1,41 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { CertificateStatus } from './certificateStatus';
+import type { ManagedCertificateTags } from './managedCertificateTags';
+
+export interface ManagedCertificate {
+  id?: string;
+  name: string;
+  common_name: string;
+  sans?: string[];
+  environment?: string;
+  owner_id: string;
+  team_id: string;
+  issuer_id: string;
+  target_ids?: string[];
+  renewal_policy_id: string;
+  certificate_profile_id?: string;
+  status?: CertificateStatus;
+  expires_at?: string;
+  tags?: ManagedCertificateTags;
+  last_renewal_at?: string;
+  last_deployment_at?: string;
+  revoked_at?: string;
+  revocation_reason?: string;
+  created_at?: string;
+  updated_at?: string;
+}
diff --git a/web/src/api/generated/model/managedCertificateTags.ts b/web/src/api/generated/model/managedCertificateTags.ts
new file mode 100644
index 0000000..3ddb554
--- /dev/null
+++ b/web/src/api/generated/model/managedCertificateTags.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ManagedCertificateTags = {[key: string]: string};
diff --git a/web/src/api/generated/model/metricsResponse.ts b/web/src/api/generated/model/metricsResponse.ts
new file mode 100644
index 0000000..b92269e
--- /dev/null
+++ b/web/src/api/generated/model/metricsResponse.ts
@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { MetricsResponseGauge } from './metricsResponseGauge';
+import type { MetricsResponseCounter } from './metricsResponseCounter';
+import type { MetricsResponseUptime } from './metricsResponseUptime';
+
+export interface MetricsResponse {
+  gauge?: MetricsResponseGauge;
+  counter?: MetricsResponseCounter;
+  uptime?: MetricsResponseUptime;
+}
diff --git a/web/src/api/generated/model/metricsResponseCounter.ts b/web/src/api/generated/model/metricsResponseCounter.ts
new file mode 100644
index 0000000..0de51f3
--- /dev/null
+++ b/web/src/api/generated/model/metricsResponseCounter.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type MetricsResponseCounter = {
+  job_completed_total?: number;
+  job_failed_total?: number;
+};
diff --git a/web/src/api/generated/model/metricsResponseGauge.ts b/web/src/api/generated/model/metricsResponseGauge.ts
new file mode 100644
index 0000000..b3b6aa8
--- /dev/null
+++ b/web/src/api/generated/model/metricsResponseGauge.ts
@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type MetricsResponseGauge = {
+  certificate_total?: number;
+  certificate_active?: number;
+  certificate_expiring_soon?: number;
+  certificate_expired?: number;
+  certificate_revoked?: number;
+  agent_total?: number;
+  agent_online?: number;
+  job_pending?: number;
+};
diff --git a/web/src/api/generated/model/metricsResponseUptime.ts b/web/src/api/generated/model/metricsResponseUptime.ts
new file mode 100644
index 0000000..408fbff
--- /dev/null
+++ b/web/src/api/generated/model/metricsResponseUptime.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type MetricsResponseUptime = {
+  uptime_seconds?: number;
+  server_started?: string;
+  measured_at?: string;
+};
diff --git a/web/src/api/generated/model/networkScanTarget.ts b/web/src/api/generated/model/networkScanTarget.ts
new file mode 100644
index 0000000..a912fd1
--- /dev/null
+++ b/web/src/api/generated/model/networkScanTarget.ts
@@ -0,0 +1,38 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface NetworkScanTarget {
+  id?: string;
+  name?: string;
+  /** CIDR ranges to scan (max /20 per CIDR) */
+  cidrs?: string[];
+  /** TCP ports to probe for TLS */
+  ports?: number[];
+  enabled?: boolean;
+  /** Hours between scheduled scans */
+  scan_interval_hours?: number;
+  /** Per-connection timeout in milliseconds */
+  timeout_ms?: number;
+  /** @nullable */
+  last_scan_at?: string | null;
+  /** @nullable */
+  last_scan_duration_ms?: number | null;
+  /** @nullable */
+  last_scan_certs_found?: number | null;
+  created_at?: string;
+  updated_at?: string;
+}
diff --git a/web/src/api/generated/model/networkScanTargetCreate.ts b/web/src/api/generated/model/networkScanTargetCreate.ts
new file mode 100644
index 0000000..8752aa4
--- /dev/null
+++ b/web/src/api/generated/model/networkScanTargetCreate.ts
@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface NetworkScanTargetCreate {
+  name: string;
+  /** CIDR ranges (max /20 per CIDR, max 4096 IPs) */
+  cidrs: string[];
+  /** TCP ports to probe (default [443]) */
+  ports?: number[];
+  enabled?: boolean;
+  scan_interval_hours?: number;
+  timeout_ms?: number;
+}
diff --git a/web/src/api/generated/model/notFoundResponse.ts b/web/src/api/generated/model/notFoundResponse.ts
new file mode 100644
index 0000000..a595485
--- /dev/null
+++ b/web/src/api/generated/model/notFoundResponse.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ErrorResponse } from './errorResponse';
+
+/**
+ * Resource not found
+ */
+export type NotFoundResponse = ErrorResponse;
diff --git a/web/src/api/generated/model/notificationChannel.ts b/web/src/api/generated/model/notificationChannel.ts
new file mode 100644
index 0000000..fda90dd
--- /dev/null
+++ b/web/src/api/generated/model/notificationChannel.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type NotificationChannel = typeof NotificationChannel[keyof typeof NotificationChannel];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const NotificationChannel = {
+  Email: 'Email',
+  Webhook: 'Webhook',
+  Slack: 'Slack',
+} as const;
diff --git a/web/src/api/generated/model/notificationEvent.ts b/web/src/api/generated/model/notificationEvent.ts
new file mode 100644
index 0000000..17422a8
--- /dev/null
+++ b/web/src/api/generated/model/notificationEvent.ts
@@ -0,0 +1,51 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { NotificationType } from './notificationType';
+import type { NotificationChannel } from './notificationChannel';
+import type { NotificationEventStatus } from './notificationEventStatus';
+
+export interface NotificationEvent {
+  id?: string;
+  type?: NotificationType;
+  certificate_id?: string;
+  channel?: NotificationChannel;
+  recipient?: string;
+  message?: string;
+  sent_at?: string;
+  /** Notification lifecycle status. I-005 adds `dead` for notifications
+that exhausted their 5-attempt retry budget and were moved to the
+dead-letter queue; operators triage these in the GUI's Dead letter
+tab and use POST /notifications/{id}/requeue to resurrect them.
+ */
+  status?: NotificationEventStatus;
+  error?: string;
+  /** Number of delivery attempts made. I-005 retry-sweep field; caps
+at max_attempts=5 before the notification transitions to `dead`.
+ */
+  retry_count?: number;
+  /** When the next retry attempt is scheduled. I-005 retry-sweep field;
+null for `sent`, `dead`, and `read` statuses. Backoff follows
+`min(2^retry_count * 1m, 1h)`.
+ */
+  next_retry_at?: string;
+  /** Most recent transient delivery error (SMTP failure, webhook 5xx,
+etc.). I-005 retry-sweep field; surfaced on the Dead letter tab
+so operators can triage without chasing server logs.
+ */
+  last_error?: string;
+  created_at?: string;
+}
diff --git a/web/src/api/generated/model/notificationEventStatus.ts b/web/src/api/generated/model/notificationEventStatus.ts
new file mode 100644
index 0000000..7b49fa5
--- /dev/null
+++ b/web/src/api/generated/model/notificationEventStatus.ts
@@ -0,0 +1,35 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Notification lifecycle status. I-005 adds `dead` for notifications
+that exhausted their 5-attempt retry budget and were moved to the
+dead-letter queue; operators triage these in the GUI's Dead letter
+tab and use POST /notifications/{id}/requeue to resurrect them.
+
+ */
+export type NotificationEventStatus = typeof NotificationEventStatus[keyof typeof NotificationEventStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const NotificationEventStatus = {
+  pending: 'pending',
+  sent: 'sent',
+  failed: 'failed',
+  dead: 'dead',
+  read: 'read',
+} as const;
diff --git a/web/src/api/generated/model/notificationType.ts b/web/src/api/generated/model/notificationType.ts
new file mode 100644
index 0000000..9298bbb
--- /dev/null
+++ b/web/src/api/generated/model/notificationType.ts
@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type NotificationType = typeof NotificationType[keyof typeof NotificationType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const NotificationType = {
+  ExpirationWarning: 'ExpirationWarning',
+  RenewalSuccess: 'RenewalSuccess',
+  RenewalFailure: 'RenewalFailure',
+  DeploymentSuccess: 'DeploymentSuccess',
+  DeploymentFailure: 'DeploymentFailure',
+  PolicyViolation: 'PolicyViolation',
+  Revocation: 'Revocation',
+} as const;
diff --git a/web/src/api/generated/model/oIDCGroupMappingRequest.ts b/web/src/api/generated/model/oIDCGroupMappingRequest.ts
new file mode 100644
index 0000000..13cac36
--- /dev/null
+++ b/web/src/api/generated/model/oIDCGroupMappingRequest.ts
@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_session_oidc_crud.go::groupMappingRequest. Tenant is derived from the calling actor; not accepted from the request body.
+ */
+export interface OIDCGroupMappingRequest {
+  provider_id: string;
+  group_name: string;
+  role_id: string;
+}
diff --git a/web/src/api/generated/model/oIDCGroupMappingResponse.ts b/web/src/api/generated/model/oIDCGroupMappingResponse.ts
new file mode 100644
index 0000000..3d17320
--- /dev/null
+++ b/web/src/api/generated/model/oIDCGroupMappingResponse.ts
@@ -0,0 +1,32 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_session_oidc_crud.go::groupMappingResponse.
+ */
+export interface OIDCGroupMappingResponse {
+  /** Mapping identifier (`grm-` + base64-URL random suffix). */
+  id: string;
+  /** Owning OIDC provider. */
+  provider_id: string;
+  /** Group name as advertised by the IdP's groups claim. */
+  group_name: string;
+  /** Role granted to members of `group_name` for this provider/tenant. */
+  role_id: string;
+  tenant_id: string;
+  created_at: string;
+}
diff --git a/web/src/api/generated/model/oIDCJWKSStatusSnapshot.ts b/web/src/api/generated/model/oIDCJWKSStatusSnapshot.ts
new file mode 100644
index 0000000..b53e3f4
--- /dev/null
+++ b/web/src/api/generated/model/oIDCJWKSStatusSnapshot.ts
@@ -0,0 +1,34 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/auth/oidc/service.go::JWKSStatusSnapshot. Per-provider JWKS verifier counters surfaced for operator diagnostics.
+ */
+export interface OIDCJWKSStatusSnapshot {
+  /** RFC 3339 UTC timestamp the JWKS was most-recently refreshed. Omitted before the first refresh. */
+  last_refresh_at?: string;
+  /** Currently-cached JWKS key IDs. */
+  current_kids: string[];
+  /** Lifetime count of JWKS refresh fetches for this provider. */
+  refresh_count: number;
+  /** Last refresh-error message; omitted when no refresh has failed. */
+  last_error?: string;
+  /** Lifetime count of JWS verifications rejected against this provider's JWKS (debugging hint for IdP key-rotation issues). */
+  rejected_jws_count: number;
+  /** Whether the provider's discovery doc advertised RFC 9207 `iss` parameter support at the most recent refresh. */
+  iss_param_supported: boolean;
+}
diff --git a/web/src/api/generated/model/oIDCProviderRequest.ts b/web/src/api/generated/model/oIDCProviderRequest.ts
new file mode 100644
index 0000000..31b95ab
--- /dev/null
+++ b/web/src/api/generated/model/oIDCProviderRequest.ts
@@ -0,0 +1,39 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_session_oidc_crud.go::oidcProviderRequest. `client_secret` is plaintext on the wire only at create/update time; encrypted at rest via `CERTCTL_CONFIG_ENCRYPTION_KEY`.
+ */
+export interface OIDCProviderRequest {
+  name: string;
+  issuer_url: string;
+  client_id: string;
+  /** IdP client secret. Encrypted at rest after submission; never echoed back on read endpoints. */
+  client_secret: string;
+  redirect_uri: string;
+  /** Optional; defaults to `groups` when blank. */
+  groups_claim_path?: string;
+  /** Optional; defaults to `string_array` when blank. */
+  groups_claim_format?: string;
+  fetch_userinfo?: boolean;
+  scopes?: string[];
+  allowed_email_domains?: string[];
+  /** Optional; defaults to 300 when zero. */
+  iat_window_seconds?: number;
+  /** Optional; defaults to 3600 when zero. */
+  jwks_cache_ttl_seconds?: number;
+}
diff --git a/web/src/api/generated/model/oIDCProviderResponse.ts b/web/src/api/generated/model/oIDCProviderResponse.ts
new file mode 100644
index 0000000..085370b
--- /dev/null
+++ b/web/src/api/generated/model/oIDCProviderResponse.ts
@@ -0,0 +1,50 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_session_oidc_crud.go::oidcProviderResponse.
+ */
+export interface OIDCProviderResponse {
+  /** Provider identifier (`op-` + base64-URL random suffix). */
+  id: string;
+  /** Owning tenant. */
+  tenant_id: string;
+  /** Operator-facing provider name (unique per tenant). */
+  name: string;
+  /** Canonical OIDC issuer URL. Must match the `iss` claim on returned ID tokens. */
+  issuer_url: string;
+  /** Client identifier registered with the IdP. */
+  client_id: string;
+  /** Absolute URL the IdP redirects to after authorization. */
+  redirect_uri: string;
+  /** JSONPath-style claim path that the group→role mapper reads (default `groups`). */
+  groups_claim_path: string;
+  /** How the claim is shaped (default `string_array`). */
+  groups_claim_format: string;
+  /** Whether to call the IdP's userinfo endpoint after token exchange (extends the available claims surface). */
+  fetch_userinfo: boolean;
+  /** OAuth scopes requested at authorization (typically `openid`, `email`, `profile`, and optionally `groups`). */
+  scopes?: string[];
+  /** Whitelisted email-domain suffixes; empty means accept any email-domain. */
+  allowed_email_domains?: string[];
+  /** Maximum allowed iat-skew for received ID tokens (default 300). */
+  iat_window_seconds: number;
+  /** JWKS cache TTL before refetch (default 3600). */
+  jwks_cache_ttl_seconds: number;
+  created_at: string;
+  updated_at: string;
+}
diff --git a/web/src/api/generated/model/oIDCTestDiscoveryResult.ts b/web/src/api/generated/model/oIDCTestDiscoveryResult.ts
new file mode 100644
index 0000000..aae3c24
--- /dev/null
+++ b/web/src/api/generated/model/oIDCTestDiscoveryResult.ts
@@ -0,0 +1,40 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/auth/oidc/test_discovery.go::TestDiscoveryResult. Each field is independently observable so the GUI can render a per-check status row. `errors` is non-empty for both total failures (200 with all checks false) and partial-success cases (200 with some checks true).
+ */
+export interface OIDCTestDiscoveryResult {
+  /** True when `<issuer>/.well-known/openid-configuration` fetched + parsed cleanly. */
+  discovery_succeeded: boolean;
+  /** True when the JWKS URI advertised by the discovery doc returned a JWKS document. */
+  jwks_reachable: boolean;
+  /** ID-token signing algorithms the IdP advertises support for. */
+  supported_alg_values: string[];
+  /** True when the discovery doc advertises support for RFC 9207 `iss` parameter (cross-IdP mix-up defense). */
+  iss_param_supported: boolean;
+  /** The `iss` value the IdP's discovery doc advertises; surfaces IdP misconfigurations where this differs from the issuer URL the operator submitted. */
+  issuer_echo?: string;
+  authorization_url?: string;
+  token_url?: string;
+  jwks_uri?: string;
+  userinfo_endpoint?: string;
+  /** Current key-IDs reachable in the JWKS document at probe time. Always present in the response payload (empty array when no keys are reachable). */
+  current_kids: string[];
+  /** Per-leg failure messages; empty on full success, non-empty on partial-success and full-failure cases. */
+  errors?: string[];
+}
diff --git a/web/src/api/generated/model/oIDCTestRequest.ts b/web/src/api/generated/model/oIDCTestRequest.ts
new file mode 100644
index 0000000..8a94b37
--- /dev/null
+++ b/web/src/api/generated/model/oIDCTestRequest.ts
@@ -0,0 +1,29 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors the anonymous struct inside auth_session_oidc_crud.go::TestProvider. Discovery-only dry-run; the IdP's discovery + JWKS are fetched and validated WITHOUT persisting anything.
+ */
+export interface OIDCTestRequest {
+  /** Candidate OIDC issuer URL to dry-run. */
+  issuer_url: string;
+  /** Optional — only used to confirm the discovery doc advertises matching audience. */
+  client_id?: string;
+  /** Optional — discovery + JWKS don't require it, but the GUI passes it through so the dry-run shape matches CreateProvider's surface. */
+  client_secret?: string;
+  scopes?: string[];
+}
diff --git a/web/src/api/generated/model/oidcBackChannelLogoutBody.ts b/web/src/api/generated/model/oidcBackChannelLogoutBody.ts
new file mode 100644
index 0000000..ea421df
--- /dev/null
+++ b/web/src/api/generated/model/oidcBackChannelLogoutBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type OidcBackChannelLogoutBody = {
+  /** IdP-signed logout_token JWT per OpenID Connect Back-Channel Logout 1.0 §2.4. */
+  logout_token: string;
+};
diff --git a/web/src/api/generated/model/oidcLoginCallbackParams.ts b/web/src/api/generated/model/oidcLoginCallbackParams.ts
new file mode 100644
index 0000000..7779f8f
--- /dev/null
+++ b/web/src/api/generated/model/oidcLoginCallbackParams.ts
@@ -0,0 +1,31 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type OidcLoginCallbackParams = {
+/**
+ * OAuth2 authorization code returned by the IdP.
+ */
+code: string;
+/**
+ * Opaque state value the certctl `/auth/oidc/login` step embedded into the IdP URL.
+ */
+state: string;
+/**
+ * RFC 9207 `iss` URL parameter. Preserved byte-strict for the service-layer compare against the matched provider's `IssuerURL`. The IdP emits this only when advertised in its discovery doc; the service-layer check is a no-op otherwise.
+ */
+iss?: string;
+};
diff --git a/web/src/api/generated/model/oidcLoginInitiateParams.ts b/web/src/api/generated/model/oidcLoginInitiateParams.ts
new file mode 100644
index 0000000..1248967
--- /dev/null
+++ b/web/src/api/generated/model/oidcLoginInitiateParams.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type OidcLoginInitiateParams = {
+/**
+ * OIDC provider ID (one of the rows under `/api/v1/auth/oidc/providers`).
+ */
+provider: string;
+};
diff --git a/web/src/api/generated/model/owner.ts b/web/src/api/generated/model/owner.ts
new file mode 100644
index 0000000..ace5fbe
--- /dev/null
+++ b/web/src/api/generated/model/owner.ts
@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface Owner {
+  id?: string;
+  name?: string;
+  email?: string;
+  team_id?: string;
+  created_at?: string;
+  updated_at?: string;
+}
diff --git a/web/src/api/generated/model/pageParameter.ts b/web/src/api/generated/model/pageParameter.ts
new file mode 100644
index 0000000..012d138
--- /dev/null
+++ b/web/src/api/generated/model/pageParameter.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type PageParameter = number;
diff --git a/web/src/api/generated/model/paginationEnvelope.ts b/web/src/api/generated/model/paginationEnvelope.ts
new file mode 100644
index 0000000..48331b5
--- /dev/null
+++ b/web/src/api/generated/model/paginationEnvelope.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface PaginationEnvelope {
+  total?: number;
+  page?: number;
+  per_page?: number;
+}
diff --git a/web/src/api/generated/model/perPageParameter.ts b/web/src/api/generated/model/perPageParameter.ts
new file mode 100644
index 0000000..fec589c
--- /dev/null
+++ b/web/src/api/generated/model/perPageParameter.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type PerPageParameter = number;
diff --git a/web/src/api/generated/model/policyRule.ts b/web/src/api/generated/model/policyRule.ts
new file mode 100644
index 0000000..cd2efc8
--- /dev/null
+++ b/web/src/api/generated/model/policyRule.ts
@@ -0,0 +1,32 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PolicyType } from './policyType';
+import type { PolicyRuleConfig } from './policyRuleConfig';
+import type { PolicySeverity } from './policySeverity';
+
+export interface PolicyRule {
+  id?: string;
+  name?: string;
+  type?: PolicyType;
+  /** Policy-specific configuration (varies by type) */
+  config?: PolicyRuleConfig;
+  enabled?: boolean;
+  /** Severity level applied to violations of this rule. Defaults to Warning on create when omitted. */
+  severity?: PolicySeverity;
+  created_at?: string;
+  updated_at?: string;
+}
diff --git a/web/src/api/generated/model/policyRuleConfig.ts b/web/src/api/generated/model/policyRuleConfig.ts
new file mode 100644
index 0000000..4667212
--- /dev/null
+++ b/web/src/api/generated/model/policyRuleConfig.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Policy-specific configuration (varies by type)
+ */
+export type PolicyRuleConfig = { [key: string]: unknown };
diff --git a/web/src/api/generated/model/policySeverity.ts b/web/src/api/generated/model/policySeverity.ts
new file mode 100644
index 0000000..7feddfc
--- /dev/null
+++ b/web/src/api/generated/model/policySeverity.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type PolicySeverity = typeof PolicySeverity[keyof typeof PolicySeverity];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const PolicySeverity = {
+  Warning: 'Warning',
+  Error: 'Error',
+  Critical: 'Critical',
+} as const;
diff --git a/web/src/api/generated/model/policyType.ts b/web/src/api/generated/model/policyType.ts
new file mode 100644
index 0000000..42be848
--- /dev/null
+++ b/web/src/api/generated/model/policyType.ts
@@ -0,0 +1,29 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type PolicyType = typeof PolicyType[keyof typeof PolicyType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const PolicyType = {
+  AllowedIssuers: 'AllowedIssuers',
+  AllowedDomains: 'AllowedDomains',
+  RequiredMetadata: 'RequiredMetadata',
+  AllowedEnvironments: 'AllowedEnvironments',
+  RenewalLeadTime: 'RenewalLeadTime',
+  CertificateLifetime: 'CertificateLifetime',
+} as const;
diff --git a/web/src/api/generated/model/policyViolation.ts b/web/src/api/generated/model/policyViolation.ts
new file mode 100644
index 0000000..b224b0d
--- /dev/null
+++ b/web/src/api/generated/model/policyViolation.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { PolicySeverity } from './policySeverity';
+
+export interface PolicyViolation {
+  id?: string;
+  certificate_id?: string;
+  rule_id?: string;
+  message?: string;
+  severity?: PolicySeverity;
+  created_at?: string;
+}
diff --git a/web/src/api/generated/model/postAuthBootstrap201.ts b/web/src/api/generated/model/postAuthBootstrap201.ts
new file mode 100644
index 0000000..f4b08b4
--- /dev/null
+++ b/web/src/api/generated/model/postAuthBootstrap201.ts
@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type PostAuthBootstrap201 = {
+  actor_id: string;
+  api_key_id: string;
+  /** The plaintext API key. Capture this — it is shown only once. */
+  key_value: string;
+  created_at: string;
+  message: string;
+};
diff --git a/web/src/api/generated/model/postAuthBootstrapBody.ts b/web/src/api/generated/model/postAuthBootstrapBody.ts
new file mode 100644
index 0000000..63e996d
--- /dev/null
+++ b/web/src/api/generated/model/postAuthBootstrapBody.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type PostAuthBootstrapBody = {
+  /** The CERTCTL_BOOTSTRAP_TOKEN value (constant-time compared server-side). */
+  token: string;
+  /**
+   * 3-64 chars, lowercase alphanumeric + hyphen + underscore.
+   * @pattern ^[a-z0-9][a-z0-9_-]{2,63}$
+   */
+  actor_name: string;
+};
diff --git a/web/src/api/generated/model/probeSCEP200.ts b/web/src/api/generated/model/probeSCEP200.ts
new file mode 100644
index 0000000..ee8a61b
--- /dev/null
+++ b/web/src/api/generated/model/probeSCEP200.ts
@@ -0,0 +1,40 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ProbeSCEP200 = {
+  id?: string;
+  target_url?: string;
+  reachable?: boolean;
+  advertised_caps?: string[];
+  supports_rfc8894?: boolean;
+  supports_aes?: boolean;
+  supports_post_operation?: boolean;
+  supports_renewal?: boolean;
+  supports_sha256?: boolean;
+  supports_sha512?: boolean;
+  ca_cert_subject?: string;
+  ca_cert_issuer?: string;
+  ca_cert_not_before?: string;
+  ca_cert_not_after?: string;
+  ca_cert_expired?: boolean;
+  ca_cert_days_to_expiry?: number;
+  ca_cert_algorithm?: string;
+  ca_cert_chain_length?: number;
+  probed_at?: string;
+  probe_duration_ms?: number;
+  error?: string;
+};
diff --git a/web/src/api/generated/model/probeSCEPBody.ts b/web/src/api/generated/model/probeSCEPBody.ts
new file mode 100644
index 0000000..c16c6aa
--- /dev/null
+++ b/web/src/api/generated/model/probeSCEPBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ProbeSCEPBody = {
+  /** Base SCEP server URL (no `?operation=...` suffix needed; the probe appends its own operations). */
+  url: string;
+};
diff --git a/web/src/api/generated/model/refreshOIDCProvider200.ts b/web/src/api/generated/model/refreshOIDCProvider200.ts
new file mode 100644
index 0000000..82e14c5
--- /dev/null
+++ b/web/src/api/generated/model/refreshOIDCProvider200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type RefreshOIDCProvider200 = {
+  /** Always `true` on success. */
+  refreshed: boolean;
+};
diff --git a/web/src/api/generated/model/rejectApprovalRequest200.ts b/web/src/api/generated/model/rejectApprovalRequest200.ts
new file mode 100644
index 0000000..dd17031
--- /dev/null
+++ b/web/src/api/generated/model/rejectApprovalRequest200.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { RejectApprovalRequest200Action } from './rejectApprovalRequest200Action';
+
+export type RejectApprovalRequest200 = {
+  id?: string;
+  decided_by?: string;
+  action?: RejectApprovalRequest200Action;
+};
diff --git a/web/src/api/generated/model/rejectApprovalRequest200Action.ts b/web/src/api/generated/model/rejectApprovalRequest200Action.ts
new file mode 100644
index 0000000..29f04a2
--- /dev/null
+++ b/web/src/api/generated/model/rejectApprovalRequest200Action.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type RejectApprovalRequest200Action = typeof RejectApprovalRequest200Action[keyof typeof RejectApprovalRequest200Action];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const RejectApprovalRequest200Action = {
+  rejected: 'rejected',
+} as const;
diff --git a/web/src/api/generated/model/rejectApprovalRequestBody.ts b/web/src/api/generated/model/rejectApprovalRequestBody.ts
new file mode 100644
index 0000000..b746e59
--- /dev/null
+++ b/web/src/api/generated/model/rejectApprovalRequestBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type RejectApprovalRequestBody = {
+  /** Optional reason text for the audit trail. */
+  note?: string;
+};
diff --git a/web/src/api/generated/model/rejectJobBody.ts b/web/src/api/generated/model/rejectJobBody.ts
new file mode 100644
index 0000000..b26a43b
--- /dev/null
+++ b/web/src/api/generated/model/rejectJobBody.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type RejectJobBody = {
+  reason?: string;
+};
diff --git a/web/src/api/generated/model/reloadESTTrust200.ts b/web/src/api/generated/model/reloadESTTrust200.ts
new file mode 100644
index 0000000..fe5f4c1
--- /dev/null
+++ b/web/src/api/generated/model/reloadESTTrust200.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ReloadESTTrust200 = {
+  reloaded?: boolean;
+  path_id?: string;
+  reloaded_at?: string;
+};
diff --git a/web/src/api/generated/model/reloadESTTrustBody.ts b/web/src/api/generated/model/reloadESTTrustBody.ts
new file mode 100644
index 0000000..7f479a2
--- /dev/null
+++ b/web/src/api/generated/model/reloadESTTrustBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ReloadESTTrustBody = {
+  /** EST profile PathID (empty string = legacy /.well-known/est root) */
+  path_id?: string;
+};
diff --git a/web/src/api/generated/model/reloadSCEPIntuneTrust200.ts b/web/src/api/generated/model/reloadSCEPIntuneTrust200.ts
new file mode 100644
index 0000000..55920bd
--- /dev/null
+++ b/web/src/api/generated/model/reloadSCEPIntuneTrust200.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ReloadSCEPIntuneTrust200 = {
+  reloaded?: boolean;
+  path_id?: string;
+  reloaded_at?: string;
+};
diff --git a/web/src/api/generated/model/reloadSCEPIntuneTrustBody.ts b/web/src/api/generated/model/reloadSCEPIntuneTrustBody.ts
new file mode 100644
index 0000000..787f59f
--- /dev/null
+++ b/web/src/api/generated/model/reloadSCEPIntuneTrustBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ReloadSCEPIntuneTrustBody = {
+  /** SCEP profile PathID (empty string = legacy /scep root) */
+  path_id?: string;
+};
diff --git a/web/src/api/generated/model/renewalPolicy.ts b/web/src/api/generated/model/renewalPolicy.ts
new file mode 100644
index 0000000..3f3ebc3
--- /dev/null
+++ b/web/src/api/generated/model/renewalPolicy.ts
@@ -0,0 +1,52 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface RenewalPolicy {
+  /** Human-readable ID, prefixed `rp-` (e.g., `rp-default`). */
+  id: string;
+  /** Unique display name (UNIQUE in DB). */
+  name: string;
+  /**
+   * Days before expiry to trigger renewal.
+   * @minimum 1
+   * @maximum 365
+   */
+  renewal_window_days: number;
+  /** Whether renewal is triggered automatically by the scheduler. */
+  auto_renew: boolean;
+  /**
+   * Maximum renewal retry attempts on failure.
+   * @minimum 0
+   * @maximum 10
+   */
+  max_retries: number;
+  /**
+   * Seconds to wait between retry attempts.
+   * @minimum 60
+   * @maximum 86400
+   */
+  retry_interval_seconds: number;
+  /** Days-before-expiry thresholds at which to emit alerts. */
+  alert_thresholds_days: number[];
+  /**
+   * Optional certificate profile binding. Read-only at this endpoint; UI does not currently edit this field.
+   * @nullable
+   */
+  certificate_profile_id?: string | null;
+  created_at: string;
+  updated_at: string;
+}
diff --git a/web/src/api/generated/model/renewalPolicyCreateRequest.ts b/web/src/api/generated/model/renewalPolicyCreateRequest.ts
new file mode 100644
index 0000000..ece5d4d
--- /dev/null
+++ b/web/src/api/generated/model/renewalPolicyCreateRequest.ts
@@ -0,0 +1,44 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface RenewalPolicyCreateRequest {
+  /** Optional human-readable ID. Auto-generated from name when omitted. */
+  id?: string;
+  /**
+   * @minLength 1
+   * @maxLength 255
+   */
+  name: string;
+  /**
+   * @minimum 1
+   * @maximum 365
+   */
+  renewal_window_days?: number;
+  auto_renew?: boolean;
+  /**
+   * Required. Not defaulted — 0 is a valid operator choice.
+   * @minimum 0
+   * @maximum 10
+   */
+  max_retries?: number;
+  /**
+   * @minimum 60
+   * @maximum 86400
+   */
+  retry_interval_seconds?: number;
+  alert_thresholds_days?: number[];
+}
diff --git a/web/src/api/generated/model/renewalPolicyUpdateRequest.ts b/web/src/api/generated/model/renewalPolicyUpdateRequest.ts
new file mode 100644
index 0000000..dec87e2
--- /dev/null
+++ b/web/src/api/generated/model/renewalPolicyUpdateRequest.ts
@@ -0,0 +1,44 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Partial update. Omitted fields are left unchanged.
+ */
+export interface RenewalPolicyUpdateRequest {
+  /**
+   * @minLength 1
+   * @maxLength 255
+   */
+  name?: string;
+  /**
+   * @minimum 1
+   * @maximum 365
+   */
+  renewal_window_days?: number;
+  auto_renew?: boolean;
+  /**
+   * @minimum 0
+   * @maximum 10
+   */
+  max_retries?: number;
+  /**
+   * @minimum 60
+   * @maximum 86400
+   */
+  retry_interval_seconds?: number;
+  alert_thresholds_days?: number[];
+}
diff --git a/web/src/api/generated/model/retireAgentParams.ts b/web/src/api/generated/model/retireAgentParams.ts
new file mode 100644
index 0000000..c941184
--- /dev/null
+++ b/web/src/api/generated/model/retireAgentParams.ts
@@ -0,0 +1,35 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type RetireAgentParams = {
+/**
+ * Cascade-retire active downstream targets, certificates, and
+jobs. When `true`, a non-empty `reason` is required. A
+malformed value (anything strconv.ParseBool rejects) is
+silently treated as `false` so a typoed query can never
+accidentally enable the cascade.
+
+ */
+force?: boolean;
+/**
+ * Human-readable reason recorded on the retired row and in the
+immutable audit trail. Required (non-empty after trimming)
+when `force=true`.
+
+ */
+reason?: string;
+};
diff --git a/web/src/api/generated/model/retireAgentResponse.ts b/web/src/api/generated/model/retireAgentResponse.ts
new file mode 100644
index 0000000..5e62a63
--- /dev/null
+++ b/web/src/api/generated/model/retireAgentResponse.ts
@@ -0,0 +1,38 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AgentDependencyCounts } from './agentDependencyCounts';
+
+/**
+ * I-004: response body for a successful retire on DELETE /api/v1/agents/{id}.
+Returned on both clean retires (cascade=false, zero counts) and
+force-cascade retires (cascade=true, counts snapshot of the
+pre-cascade dependency state). The 204 idempotent-retire path does
+NOT emit this body — re-retiring an already-retired agent returns
+an empty response.
+
+ */
+export interface RetireAgentResponse {
+  retired_at?: string;
+  /** Always false on the 200 response — the already-retired path
+returns 204 No Content with no body. Surfaced in the schema
+only so downstream consumers have a complete field map.
+ */
+  already_retired?: boolean;
+  /** True when the retire was invoked with ?force=true */
+  cascade?: boolean;
+  counts?: AgentDependencyCounts;
+}
diff --git a/web/src/api/generated/model/retireIntermediateCABody.ts b/web/src/api/generated/model/retireIntermediateCABody.ts
new file mode 100644
index 0000000..092e806
--- /dev/null
+++ b/web/src/api/generated/model/retireIntermediateCABody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type RetireIntermediateCABody = {
+  note?: string;
+  confirm?: boolean;
+};
diff --git a/web/src/api/generated/model/revocationReason.ts b/web/src/api/generated/model/revocationReason.ts
new file mode 100644
index 0000000..58a574f
--- /dev/null
+++ b/web/src/api/generated/model/revocationReason.ts
@@ -0,0 +1,31 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type RevocationReason = typeof RevocationReason[keyof typeof RevocationReason];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const RevocationReason = {
+  unspecified: 'unspecified',
+  keyCompromise: 'keyCompromise',
+  caCompromise: 'caCompromise',
+  affiliationChanged: 'affiliationChanged',
+  superseded: 'superseded',
+  cessationOfOperation: 'cessationOfOperation',
+  certificateHold: 'certificateHold',
+  privilegeWithdrawn: 'privilegeWithdrawn',
+} as const;
diff --git a/web/src/api/generated/model/revokeAuthRolePermissionParams.ts b/web/src/api/generated/model/revokeAuthRolePermissionParams.ts
new file mode 100644
index 0000000..918761a
--- /dev/null
+++ b/web/src/api/generated/model/revokeAuthRolePermissionParams.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { RevokeAuthRolePermissionScopeType } from './revokeAuthRolePermissionScopeType';
+
+export type RevokeAuthRolePermissionParams = {
+scope_type?: RevokeAuthRolePermissionScopeType;
+scope_id?: string;
+};
diff --git a/web/src/api/generated/model/revokeAuthRolePermissionScopeType.ts b/web/src/api/generated/model/revokeAuthRolePermissionScopeType.ts
new file mode 100644
index 0000000..9db26a5
--- /dev/null
+++ b/web/src/api/generated/model/revokeAuthRolePermissionScopeType.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type RevokeAuthRolePermissionScopeType = typeof RevokeAuthRolePermissionScopeType[keyof typeof RevokeAuthRolePermissionScopeType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const RevokeAuthRolePermissionScopeType = {
+  global: 'global',
+  profile: 'profile',
+  issuer: 'issuer',
+} as const;
diff --git a/web/src/api/generated/model/revokeAuthSessionsExceptCurrent200.ts b/web/src/api/generated/model/revokeAuthSessionsExceptCurrent200.ts
new file mode 100644
index 0000000..34e78a6
--- /dev/null
+++ b/web/src/api/generated/model/revokeAuthSessionsExceptCurrent200.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type RevokeAuthSessionsExceptCurrent200 = {
+  /** Number of sessions revoked (excludes the current session). */
+  revoked_count: number;
+};
diff --git a/web/src/api/generated/model/revokeAuthSessionsExceptCurrentExcept.ts b/web/src/api/generated/model/revokeAuthSessionsExceptCurrentExcept.ts
new file mode 100644
index 0000000..255ae02
--- /dev/null
+++ b/web/src/api/generated/model/revokeAuthSessionsExceptCurrentExcept.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type RevokeAuthSessionsExceptCurrentExcept = typeof RevokeAuthSessionsExceptCurrentExcept[keyof typeof RevokeAuthSessionsExceptCurrentExcept];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const RevokeAuthSessionsExceptCurrentExcept = {
+  current: 'current',
+} as const;
diff --git a/web/src/api/generated/model/revokeAuthSessionsExceptCurrentParams.ts b/web/src/api/generated/model/revokeAuthSessionsExceptCurrentParams.ts
new file mode 100644
index 0000000..66dc49e
--- /dev/null
+++ b/web/src/api/generated/model/revokeAuthSessionsExceptCurrentParams.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { RevokeAuthSessionsExceptCurrentExcept } from './revokeAuthSessionsExceptCurrentExcept';
+
+export type RevokeAuthSessionsExceptCurrentParams = {
+/**
+ * Must be the literal string `current`.
+ */
+except: RevokeAuthSessionsExceptCurrentExcept;
+};
diff --git a/web/src/api/generated/model/revokeCertificateBody.ts b/web/src/api/generated/model/revokeCertificateBody.ts
new file mode 100644
index 0000000..1db0d0b
--- /dev/null
+++ b/web/src/api/generated/model/revokeCertificateBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { RevocationReason } from './revocationReason';
+
+export type RevokeCertificateBody = {
+  reason?: RevocationReason;
+};
diff --git a/web/src/api/generated/model/scepGetOperation.ts b/web/src/api/generated/model/scepGetOperation.ts
new file mode 100644
index 0000000..0665c43
--- /dev/null
+++ b/web/src/api/generated/model/scepGetOperation.ts
@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ScepGetOperation = typeof ScepGetOperation[keyof typeof ScepGetOperation];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ScepGetOperation = {
+  GetCACaps: 'GetCACaps',
+  GetCACert: 'GetCACert',
+  PKIOperation: 'PKIOperation',
+} as const;
diff --git a/web/src/api/generated/model/scepGetParams.ts b/web/src/api/generated/model/scepGetParams.ts
new file mode 100644
index 0000000..5d95e18
--- /dev/null
+++ b/web/src/api/generated/model/scepGetParams.ts
@@ -0,0 +1,28 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ScepGetOperation } from './scepGetOperation';
+
+export type ScepGetParams = {
+/**
+ * SCEP operation selector
+ */
+operation: ScepGetOperation;
+/**
+ * Optional SCEP message parameter (base64-encoded for GET PKIOperation)
+ */
+message?: string;
+};
diff --git a/web/src/api/generated/model/scepPostOperation.ts b/web/src/api/generated/model/scepPostOperation.ts
new file mode 100644
index 0000000..f15442f
--- /dev/null
+++ b/web/src/api/generated/model/scepPostOperation.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ScepPostOperation = typeof ScepPostOperation[keyof typeof ScepPostOperation];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ScepPostOperation = {
+  PKIOperation: 'PKIOperation',
+} as const;
diff --git a/web/src/api/generated/model/scepPostParams.ts b/web/src/api/generated/model/scepPostParams.ts
new file mode 100644
index 0000000..5bdcef4
--- /dev/null
+++ b/web/src/api/generated/model/scepPostParams.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ScepPostOperation } from './scepPostOperation';
+
+export type ScepPostParams = {
+operation: ScepPostOperation;
+};
diff --git a/web/src/api/generated/model/statusMessageResponse.ts b/web/src/api/generated/model/statusMessageResponse.ts
new file mode 100644
index 0000000..bce753f
--- /dev/null
+++ b/web/src/api/generated/model/statusMessageResponse.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface StatusMessageResponse {
+  status?: string;
+  message?: string;
+}
diff --git a/web/src/api/generated/model/statusResponse.ts b/web/src/api/generated/model/statusResponse.ts
new file mode 100644
index 0000000..f39e155
--- /dev/null
+++ b/web/src/api/generated/model/statusResponse.ts
@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface StatusResponse {
+  status?: string;
+}
diff --git a/web/src/api/generated/model/targetType.ts b/web/src/api/generated/model/targetType.ts
new file mode 100644
index 0000000..e3240e8
--- /dev/null
+++ b/web/src/api/generated/model/targetType.ts
@@ -0,0 +1,37 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type TargetType = typeof TargetType[keyof typeof TargetType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const TargetType = {
+  NGINX: 'NGINX',
+  Apache: 'Apache',
+  HAProxy: 'HAProxy',
+  Traefik: 'Traefik',
+  Caddy: 'Caddy',
+  Envoy: 'Envoy',
+  Postfix: 'Postfix',
+  Dovecot: 'Dovecot',
+  IIS: 'IIS',
+  F5: 'F5',
+  SSH: 'SSH',
+  WinCertStore: 'WinCertStore',
+  JavaKeystore: 'JavaKeystore',
+  KubernetesSecrets: 'KubernetesSecrets',
+} as const;
diff --git a/web/src/api/generated/model/team.ts b/web/src/api/generated/model/team.ts
new file mode 100644
index 0000000..c023fc1
--- /dev/null
+++ b/web/src/api/generated/model/team.ts
@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface Team {
+  id?: string;
+  name?: string;
+  description?: string;
+  created_at?: string;
+  updated_at?: string;
+}
diff --git a/web/src/api/generated/model/triggerDeploymentBody.ts b/web/src/api/generated/model/triggerDeploymentBody.ts
new file mode 100644
index 0000000..7173a6f
--- /dev/null
+++ b/web/src/api/generated/model/triggerDeploymentBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type TriggerDeploymentBody = {
+  /** Optional specific target ID */
+  target_id?: string;
+};
diff --git a/web/src/api/generated/model/updateAuthRoleBody.ts b/web/src/api/generated/model/updateAuthRoleBody.ts
new file mode 100644
index 0000000..6f3cdf6
--- /dev/null
+++ b/web/src/api/generated/model/updateAuthRoleBody.ts
@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type UpdateAuthRoleBody = {
+  name?: string;
+  description?: string;
+};
diff --git a/web/src/api/generated/model/updateHealthCheckBody.ts b/web/src/api/generated/model/updateHealthCheckBody.ts
new file mode 100644
index 0000000..a4d0d35
--- /dev/null
+++ b/web/src/api/generated/model/updateHealthCheckBody.ts
@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type UpdateHealthCheckBody = {
+  expected_fingerprint?: string;
+  check_interval_seconds?: number;
+  timeout_ms?: number;
+  enabled?: boolean;
+};
diff --git a/web/src/api/generated/model/verificationResult.ts b/web/src/api/generated/model/verificationResult.ts
new file mode 100644
index 0000000..9506d32
--- /dev/null
+++ b/web/src/api/generated/model/verificationResult.ts
@@ -0,0 +1,29 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface VerificationResult {
+  job_id?: string;
+  target_id?: string;
+  /** SHA-256 fingerprint (hex) of the certificate deployed by this job */
+  expected_fingerprint?: string;
+  /** SHA-256 fingerprint (hex) observed on the live TLS endpoint */
+  actual_fingerprint?: string;
+  verified?: boolean;
+  verified_at?: string;
+  /** Error message when verification failed */
+  error?: string;
+}
diff --git a/web/src/api/generated/model/verifyDeployment200.ts b/web/src/api/generated/model/verifyDeployment200.ts
new file mode 100644
index 0000000..afda173
--- /dev/null
+++ b/web/src/api/generated/model/verifyDeployment200.ts
@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type VerifyDeployment200 = {
+  job_id?: string;
+  verified?: boolean;
+  verified_at?: string;
+};
diff --git a/web/src/api/generated/model/verifyDeploymentRequest.ts b/web/src/api/generated/model/verifyDeploymentRequest.ts
new file mode 100644
index 0000000..0129d01
--- /dev/null
+++ b/web/src/api/generated/model/verifyDeploymentRequest.ts
@@ -0,0 +1,32 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface VerifyDeploymentRequest {
+  /** Deployment target the agent probed */
+  target_id: string;
+  /** SHA-256 fingerprint of the certificate that should be served (hex, lowercase) */
+  expected_fingerprint: string;
+  /** SHA-256 fingerprint observed on the live TLS endpoint (hex, lowercase) */
+  actual_fingerprint: string;
+  /** True when expected and actual fingerprints match */
+  verified: boolean;
+  /**
+   * Error message when probe failed or fingerprints differ
+   * @nullable
+   */
+  error?: string | null;
+}
diff --git a/web/src/api/generated/model/workItem.ts b/web/src/api/generated/model/workItem.ts
new file mode 100644
index 0000000..aeb8dc2
--- /dev/null
+++ b/web/src/api/generated/model/workItem.ts
@@ -0,0 +1,31 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { JobType } from './jobType';
+import type { WorkItemTargetConfig } from './workItemTargetConfig';
+import type { JobStatus } from './jobStatus';
+
+export interface WorkItem {
+  id?: string;
+  type?: JobType;
+  certificate_id?: string;
+  common_name?: string;
+  sans?: string[];
+  target_id?: string;
+  target_type?: string;
+  target_config?: WorkItemTargetConfig;
+  status?: JobStatus;
+}
diff --git a/web/src/api/generated/model/workItemTargetConfig.ts b/web/src/api/generated/model/workItemTargetConfig.ts
new file mode 100644
index 0000000..968ffcc
--- /dev/null
+++ b/web/src/api/generated/model/workItemTargetConfig.ts
@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type WorkItemTargetConfig = { [key: string]: unknown };
diff --git a/web/src/api/generated/network-scan/network-scan.ts b/web/src/api/generated/network-scan/network-scan.ts
new file mode 100644
index 0000000..2e53fb7
--- /dev/null
+++ b/web/src/api/generated/network-scan/network-scan.ts
@@ -0,0 +1,497 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  DiscoveryScan,
+  InternalErrorResponse,
+  ListNetworkScanTargets200,
+  NetworkScanTarget,
+  NetworkScanTargetCreate,
+  NotFoundResponse,
+  StatusMessageResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Returns all configured network scan targets with CIDR ranges and ports.
+ * @summary List network scan targets
+ */
+export const listNetworkScanTargets = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListNetworkScanTargets200>(
+      {url: `/api/v1/network-scan-targets`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListNetworkScanTargetsQueryKey = () => {
+    return [
+    `/api/v1/network-scan-targets`
+    ] as const;
+    }
+
+    
+export const getListNetworkScanTargetsQueryOptions = <TData = Awaited<ReturnType<typeof listNetworkScanTargets>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listNetworkScanTargets>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListNetworkScanTargetsQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listNetworkScanTargets>>> = ({ signal }) => listNetworkScanTargets(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listNetworkScanTargets>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListNetworkScanTargetsQueryResult = NonNullable<Awaited<ReturnType<typeof listNetworkScanTargets>>>
+export type ListNetworkScanTargetsQueryError = InternalErrorResponse
+
+
+export function useListNetworkScanTargets<TData = Awaited<ReturnType<typeof listNetworkScanTargets>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listNetworkScanTargets>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listNetworkScanTargets>>,
+          TError,
+          Awaited<ReturnType<typeof listNetworkScanTargets>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListNetworkScanTargets<TData = Awaited<ReturnType<typeof listNetworkScanTargets>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listNetworkScanTargets>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listNetworkScanTargets>>,
+          TError,
+          Awaited<ReturnType<typeof listNetworkScanTargets>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListNetworkScanTargets<TData = Awaited<ReturnType<typeof listNetworkScanTargets>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listNetworkScanTargets>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List network scan targets
+ */
+
+export function useListNetworkScanTargets<TData = Awaited<ReturnType<typeof listNetworkScanTargets>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listNetworkScanTargets>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListNetworkScanTargetsQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Creates a new network scan target. CIDR ranges are validated and capped at /20
+(4096 IPs max per CIDR) to prevent accidental huge scans.
+
+ * @summary Create network scan target
+ */
+export const createNetworkScanTarget = (
+    networkScanTargetCreate: NetworkScanTargetCreate,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<NetworkScanTarget>(
+      {url: `/api/v1/network-scan-targets`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: networkScanTargetCreate, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateNetworkScanTargetMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createNetworkScanTarget>>, TError,{data: NetworkScanTargetCreate}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createNetworkScanTarget>>, TError,{data: NetworkScanTargetCreate}, TContext> => {
+
+const mutationKey = ['createNetworkScanTarget'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createNetworkScanTarget>>, {data: NetworkScanTargetCreate}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createNetworkScanTarget(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateNetworkScanTargetMutationResult = NonNullable<Awaited<ReturnType<typeof createNetworkScanTarget>>>
+    export type CreateNetworkScanTargetMutationBody = NetworkScanTargetCreate
+    export type CreateNetworkScanTargetMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create network scan target
+ */
+export const useCreateNetworkScanTarget = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createNetworkScanTarget>>, TError,{data: NetworkScanTargetCreate}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createNetworkScanTarget>>,
+        TError,
+        {data: NetworkScanTargetCreate},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateNetworkScanTargetMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns a single network scan target by ID.
+ * @summary Get network scan target
+ */
+export const getNetworkScanTarget = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<NetworkScanTarget>(
+      {url: `/api/v1/network-scan-targets/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetNetworkScanTargetQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/network-scan-targets/${id}`
+    ] as const;
+    }
+
+    
+export const getGetNetworkScanTargetQueryOptions = <TData = Awaited<ReturnType<typeof getNetworkScanTarget>>, TError = NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getNetworkScanTarget>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetNetworkScanTargetQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getNetworkScanTarget>>> = ({ signal }) => getNetworkScanTarget(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getNetworkScanTarget>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetNetworkScanTargetQueryResult = NonNullable<Awaited<ReturnType<typeof getNetworkScanTarget>>>
+export type GetNetworkScanTargetQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useGetNetworkScanTarget<TData = Awaited<ReturnType<typeof getNetworkScanTarget>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getNetworkScanTarget>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getNetworkScanTarget>>,
+          TError,
+          Awaited<ReturnType<typeof getNetworkScanTarget>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetNetworkScanTarget<TData = Awaited<ReturnType<typeof getNetworkScanTarget>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getNetworkScanTarget>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getNetworkScanTarget>>,
+          TError,
+          Awaited<ReturnType<typeof getNetworkScanTarget>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetNetworkScanTarget<TData = Awaited<ReturnType<typeof getNetworkScanTarget>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getNetworkScanTarget>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get network scan target
+ */
+
+export function useGetNetworkScanTarget<TData = Awaited<ReturnType<typeof getNetworkScanTarget>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getNetworkScanTarget>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetNetworkScanTargetQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Updates an existing network scan target.
+ * @summary Update network scan target
+ */
+export const updateNetworkScanTarget = (
+    id: string,
+    networkScanTargetCreate: NetworkScanTargetCreate,
+ ) => {
+      
+      
+      return certctlFetch<NetworkScanTarget>(
+      {url: `/api/v1/network-scan-targets/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: networkScanTargetCreate
+    },
+      );
+    }
+  
+
+
+export const getUpdateNetworkScanTargetMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateNetworkScanTarget>>, TError,{id: string;data: NetworkScanTargetCreate}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateNetworkScanTarget>>, TError,{id: string;data: NetworkScanTargetCreate}, TContext> => {
+
+const mutationKey = ['updateNetworkScanTarget'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateNetworkScanTarget>>, {id: string;data: NetworkScanTargetCreate}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateNetworkScanTarget(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateNetworkScanTargetMutationResult = NonNullable<Awaited<ReturnType<typeof updateNetworkScanTarget>>>
+    export type UpdateNetworkScanTargetMutationBody = NetworkScanTargetCreate
+    export type UpdateNetworkScanTargetMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Update network scan target
+ */
+export const useUpdateNetworkScanTarget = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateNetworkScanTarget>>, TError,{id: string;data: NetworkScanTargetCreate}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateNetworkScanTarget>>,
+        TError,
+        {id: string;data: NetworkScanTargetCreate},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateNetworkScanTargetMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Deletes a network scan target.
+ * @summary Delete network scan target
+ */
+export const deleteNetworkScanTarget = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/network-scan-targets/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteNetworkScanTargetMutationOptions = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteNetworkScanTarget>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteNetworkScanTarget>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteNetworkScanTarget'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteNetworkScanTarget>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteNetworkScanTarget(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteNetworkScanTargetMutationResult = NonNullable<Awaited<ReturnType<typeof deleteNetworkScanTarget>>>
+    
+    export type DeleteNetworkScanTargetMutationError = NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete network scan target
+ */
+export const useDeleteNetworkScanTarget = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteNetworkScanTarget>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteNetworkScanTarget>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteNetworkScanTargetMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Triggers an immediate scan of the specified target. Scans all configured CIDRs and ports
+concurrently (50 goroutines). Results feed into the discovery pipeline for deduplication.
+
+ * @summary Trigger network scan
+ */
+export const triggerNetworkScan = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusMessageResponse | DiscoveryScan>(
+      {url: `/api/v1/network-scan-targets/${id}/scan`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getTriggerNetworkScanMutationOptions = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof triggerNetworkScan>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof triggerNetworkScan>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['triggerNetworkScan'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof triggerNetworkScan>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  triggerNetworkScan(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type TriggerNetworkScanMutationResult = NonNullable<Awaited<ReturnType<typeof triggerNetworkScan>>>
+    
+    export type TriggerNetworkScanMutationError = NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Trigger network scan
+ */
+export const useTriggerNetworkScan = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof triggerNetworkScan>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof triggerNetworkScan>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getTriggerNetworkScanMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/notifications/notifications.ts b/web/src/api/generated/notifications/notifications.ts
new file mode 100644
index 0000000..a323acc
--- /dev/null
+++ b/web/src/api/generated/notifications/notifications.ts
@@ -0,0 +1,367 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  InternalErrorResponse,
+  ListNotifications200,
+  ListNotificationsParams,
+  NotFoundResponse,
+  NotificationEvent,
+  StatusResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List notifications
+ */
+export const listNotifications = (
+    params?: ListNotificationsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListNotifications200>(
+      {url: `/api/v1/notifications`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListNotificationsQueryKey = (params?: ListNotificationsParams,) => {
+    return [
+    `/api/v1/notifications`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListNotificationsQueryOptions = <TData = Awaited<ReturnType<typeof listNotifications>>, TError = InternalErrorResponse>(params?: ListNotificationsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listNotifications>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListNotificationsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listNotifications>>> = ({ signal }) => listNotifications(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listNotifications>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListNotificationsQueryResult = NonNullable<Awaited<ReturnType<typeof listNotifications>>>
+export type ListNotificationsQueryError = InternalErrorResponse
+
+
+export function useListNotifications<TData = Awaited<ReturnType<typeof listNotifications>>, TError = InternalErrorResponse>(
+ params: undefined |  ListNotificationsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listNotifications>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listNotifications>>,
+          TError,
+          Awaited<ReturnType<typeof listNotifications>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListNotifications<TData = Awaited<ReturnType<typeof listNotifications>>, TError = InternalErrorResponse>(
+ params?: ListNotificationsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listNotifications>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listNotifications>>,
+          TError,
+          Awaited<ReturnType<typeof listNotifications>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListNotifications<TData = Awaited<ReturnType<typeof listNotifications>>, TError = InternalErrorResponse>(
+ params?: ListNotificationsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listNotifications>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List notifications
+ */
+
+export function useListNotifications<TData = Awaited<ReturnType<typeof listNotifications>>, TError = InternalErrorResponse>(
+ params?: ListNotificationsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listNotifications>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListNotificationsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Get notification
+ */
+export const getNotification = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<NotificationEvent>(
+      {url: `/api/v1/notifications/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetNotificationQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/notifications/${id}`
+    ] as const;
+    }
+
+    
+export const getGetNotificationQueryOptions = <TData = Awaited<ReturnType<typeof getNotification>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getNotification>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetNotificationQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getNotification>>> = ({ signal }) => getNotification(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getNotification>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetNotificationQueryResult = NonNullable<Awaited<ReturnType<typeof getNotification>>>
+export type GetNotificationQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetNotification<TData = Awaited<ReturnType<typeof getNotification>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getNotification>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getNotification>>,
+          TError,
+          Awaited<ReturnType<typeof getNotification>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetNotification<TData = Awaited<ReturnType<typeof getNotification>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getNotification>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getNotification>>,
+          TError,
+          Awaited<ReturnType<typeof getNotification>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetNotification<TData = Awaited<ReturnType<typeof getNotification>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getNotification>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get notification
+ */
+
+export function useGetNotification<TData = Awaited<ReturnType<typeof getNotification>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getNotification>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetNotificationQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Mark notification as read
+ */
+export const markNotificationAsRead = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/notifications/${id}/read`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getMarkNotificationAsReadMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof markNotificationAsRead>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof markNotificationAsRead>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['markNotificationAsRead'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof markNotificationAsRead>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  markNotificationAsRead(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type MarkNotificationAsReadMutationResult = NonNullable<Awaited<ReturnType<typeof markNotificationAsRead>>>
+    
+    export type MarkNotificationAsReadMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Mark notification as read
+ */
+export const useMarkNotificationAsRead = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof markNotificationAsRead>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof markNotificationAsRead>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getMarkNotificationAsReadMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * I-005: flip a notification from the `dead` dead-letter queue back to
+`pending` so the retry sweep (default 2 minutes) picks it up on its
+next tick. Used by operators after fixing the underlying delivery
+failure (SMTP config, webhook endpoint, etc.). Clears `next_retry_at`
+and resets the `retry_count` budget; `last_error` is preserved for
+audit continuity.
+
+ * @summary Requeue a dead notification
+ */
+export const requeueNotification = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/notifications/${id}/requeue`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getRequeueNotificationMutationOptions = <TError = BadRequestResponse | NotFoundResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof requeueNotification>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof requeueNotification>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['requeueNotification'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof requeueNotification>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  requeueNotification(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RequeueNotificationMutationResult = NonNullable<Awaited<ReturnType<typeof requeueNotification>>>
+    
+    export type RequeueNotificationMutationError = BadRequestResponse | NotFoundResponse | void | InternalErrorResponse
+
+    /**
+ * @summary Requeue a dead notification
+ */
+export const useRequeueNotification = <TError = BadRequestResponse | NotFoundResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof requeueNotification>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof requeueNotification>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getRequeueNotificationMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/oidc/oidc.ts b/web/src/api/generated/oidc/oidc.ts
new file mode 100644
index 0000000..514b07b
--- /dev/null
+++ b/web/src/api/generated/oidc/oidc.ts
@@ -0,0 +1,807 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  ListOIDCGroupMappings200,
+  ListOIDCGroupMappingsParams,
+  ListOIDCProviders200,
+  OIDCGroupMappingRequest,
+  OIDCGroupMappingResponse,
+  OIDCJWKSStatusSnapshot,
+  OIDCProviderRequest,
+  OIDCProviderResponse,
+  OIDCTestDiscoveryResult,
+  OIDCTestRequest,
+  RefreshOIDCProvider200
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Permission `auth.oidc.list`. Returns provider rows for the calling actor's tenant.
+ * @summary List configured OIDC identity providers
+ */
+export const listOIDCProviders = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListOIDCProviders200>(
+      {url: `/api/v1/auth/oidc/providers`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListOIDCProvidersQueryKey = () => {
+    return [
+    `/api/v1/auth/oidc/providers`
+    ] as const;
+    }
+
+    
+export const getListOIDCProvidersQueryOptions = <TData = Awaited<ReturnType<typeof listOIDCProviders>>, TError = void>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOIDCProviders>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListOIDCProvidersQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listOIDCProviders>>> = ({ signal }) => listOIDCProviders(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listOIDCProviders>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListOIDCProvidersQueryResult = NonNullable<Awaited<ReturnType<typeof listOIDCProviders>>>
+export type ListOIDCProvidersQueryError = void
+
+
+export function useListOIDCProviders<TData = Awaited<ReturnType<typeof listOIDCProviders>>, TError = void>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOIDCProviders>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listOIDCProviders>>,
+          TError,
+          Awaited<ReturnType<typeof listOIDCProviders>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListOIDCProviders<TData = Awaited<ReturnType<typeof listOIDCProviders>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOIDCProviders>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listOIDCProviders>>,
+          TError,
+          Awaited<ReturnType<typeof listOIDCProviders>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListOIDCProviders<TData = Awaited<ReturnType<typeof listOIDCProviders>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOIDCProviders>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List configured OIDC identity providers
+ */
+
+export function useListOIDCProviders<TData = Awaited<ReturnType<typeof listOIDCProviders>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOIDCProviders>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListOIDCProvidersQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Permission `auth.oidc.create`. `client_secret` is required +
+encrypted at rest via the config-encryption key
+(`CERTCTL_CONFIG_ENCRYPTION_KEY`). The provider is namespaced
+by the caller's tenant.
+
+ * @summary Create an OIDC identity provider
+ */
+export const createOIDCProvider = (
+    oIDCProviderRequest: OIDCProviderRequest,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<OIDCProviderResponse>(
+      {url: `/api/v1/auth/oidc/providers`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: oIDCProviderRequest, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateOIDCProviderMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createOIDCProvider>>, TError,{data: OIDCProviderRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createOIDCProvider>>, TError,{data: OIDCProviderRequest}, TContext> => {
+
+const mutationKey = ['createOIDCProvider'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createOIDCProvider>>, {data: OIDCProviderRequest}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createOIDCProvider(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateOIDCProviderMutationResult = NonNullable<Awaited<ReturnType<typeof createOIDCProvider>>>
+    export type CreateOIDCProviderMutationBody = OIDCProviderRequest
+    export type CreateOIDCProviderMutationError = void
+
+    /**
+ * @summary Create an OIDC identity provider
+ */
+export const useCreateOIDCProvider = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createOIDCProvider>>, TError,{data: OIDCProviderRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createOIDCProvider>>,
+        TError,
+        {data: OIDCProviderRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateOIDCProviderMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.oidc.edit`. Update is a full replacement: every
+OIDCProviderRequest field is honored; `client_secret` is
+re-encrypted on every update.
+
+ * @summary Update an OIDC identity provider's configuration
+ */
+export const updateOIDCProvider = (
+    id: string,
+    oIDCProviderRequest: OIDCProviderRequest,
+ ) => {
+      
+      
+      return certctlFetch<OIDCProviderResponse>(
+      {url: `/api/v1/auth/oidc/providers/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: oIDCProviderRequest
+    },
+      );
+    }
+  
+
+
+export const getUpdateOIDCProviderMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateOIDCProvider>>, TError,{id: string;data: OIDCProviderRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateOIDCProvider>>, TError,{id: string;data: OIDCProviderRequest}, TContext> => {
+
+const mutationKey = ['updateOIDCProvider'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateOIDCProvider>>, {id: string;data: OIDCProviderRequest}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateOIDCProvider(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateOIDCProviderMutationResult = NonNullable<Awaited<ReturnType<typeof updateOIDCProvider>>>
+    export type UpdateOIDCProviderMutationBody = OIDCProviderRequest
+    export type UpdateOIDCProviderMutationError = void
+
+    /**
+ * @summary Update an OIDC identity provider's configuration
+ */
+export const useUpdateOIDCProvider = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateOIDCProvider>>, TError,{id: string;data: OIDCProviderRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateOIDCProvider>>,
+        TError,
+        {id: string;data: OIDCProviderRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateOIDCProviderMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.oidc.delete`. 409 Conflict is returned when the
+provider has active group-mappings or live sessions referencing
+it (the operator must remove the dependencies first).
+
+ * @summary Delete an OIDC identity provider
+ */
+export const deleteOIDCProvider = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/oidc/providers/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteOIDCProviderMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteOIDCProvider>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteOIDCProvider>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteOIDCProvider'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteOIDCProvider>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteOIDCProvider(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteOIDCProviderMutationResult = NonNullable<Awaited<ReturnType<typeof deleteOIDCProvider>>>
+    
+    export type DeleteOIDCProviderMutationError = void
+
+    /**
+ * @summary Delete an OIDC identity provider
+ */
+export const useDeleteOIDCProvider = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteOIDCProvider>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteOIDCProvider>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteOIDCProviderMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.oidc.list`. Audit 2026-05-10 MED-7 — surfaces
+the JWKS verifier state for the named provider so operators can
+diagnose IdP key-rotation issues without server logs.
+
+ * @summary Read per-provider JWKS health (cached keys, refresh count, last error)
+ */
+export const getOIDCProviderJWKSStatus = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<OIDCJWKSStatusSnapshot>(
+      {url: `/api/v1/auth/oidc/providers/${id}/jwks-status`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetOIDCProviderJWKSStatusQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/auth/oidc/providers/${id}/jwks-status`
+    ] as const;
+    }
+
+    
+export const getGetOIDCProviderJWKSStatusQueryOptions = <TData = Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>, TError = void>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetOIDCProviderJWKSStatusQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>> = ({ signal }) => getOIDCProviderJWKSStatus(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetOIDCProviderJWKSStatusQueryResult = NonNullable<Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>>
+export type GetOIDCProviderJWKSStatusQueryError = void
+
+
+export function useGetOIDCProviderJWKSStatus<TData = Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>, TError = void>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>,
+          TError,
+          Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetOIDCProviderJWKSStatus<TData = Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>, TError = void>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>,
+          TError,
+          Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetOIDCProviderJWKSStatus<TData = Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>, TError = void>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Read per-provider JWKS health (cached keys, refresh count, last error)
+ */
+
+export function useGetOIDCProviderJWKSStatus<TData = Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>, TError = void>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getOIDCProviderJWKSStatus>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetOIDCProviderJWKSStatusQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Permission `auth.oidc.edit`. Triggers an immediate refetch of
+the named provider's OIDC discovery document + JWKS, re-runs
+the IdP downgrade-attack defense (Audit 2026-05-10 HIGH-6),
+and updates the in-memory verifier cache. Used by the
+SessionsPage "Refresh JWKS" button when an operator rotates
+IdP keys out-of-band.
+
+ * @summary Force re-fetch of the IdP discovery doc + JWKS for a provider
+ */
+export const refreshOIDCProvider = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<RefreshOIDCProvider200>(
+      {url: `/api/v1/auth/oidc/providers/${id}/refresh`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getRefreshOIDCProviderMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof refreshOIDCProvider>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof refreshOIDCProvider>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['refreshOIDCProvider'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof refreshOIDCProvider>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  refreshOIDCProvider(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RefreshOIDCProviderMutationResult = NonNullable<Awaited<ReturnType<typeof refreshOIDCProvider>>>
+    
+    export type RefreshOIDCProviderMutationError = void
+
+    /**
+ * @summary Force re-fetch of the IdP discovery doc + JWKS for a provider
+ */
+export const useRefreshOIDCProvider = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof refreshOIDCProvider>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof refreshOIDCProvider>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getRefreshOIDCProviderMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.oidc.create`. Audit 2026-05-10 MED-5 — fetches
+the candidate issuer's discovery doc + JWKS, runs the
+alg-downgrade defense, parses the RFC 9207 iss-parameter
+advert, and returns the per-check report so the GUI can
+render a discovery-validation panel before the operator
+commits to creating the provider.
+
+ * @summary Dry-run an OIDC provider config without persisting
+ */
+export const testOIDCProvider = (
+    oIDCTestRequest: OIDCTestRequest,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<OIDCTestDiscoveryResult>(
+      {url: `/api/v1/auth/oidc/test`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: oIDCTestRequest, signal
+    },
+      );
+    }
+  
+
+
+export const getTestOIDCProviderMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof testOIDCProvider>>, TError,{data: OIDCTestRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof testOIDCProvider>>, TError,{data: OIDCTestRequest}, TContext> => {
+
+const mutationKey = ['testOIDCProvider'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof testOIDCProvider>>, {data: OIDCTestRequest}> = (props) => {
+          const {data} = props ?? {};
+
+          return  testOIDCProvider(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type TestOIDCProviderMutationResult = NonNullable<Awaited<ReturnType<typeof testOIDCProvider>>>
+    export type TestOIDCProviderMutationBody = OIDCTestRequest
+    export type TestOIDCProviderMutationError = void
+
+    /**
+ * @summary Dry-run an OIDC provider config without persisting
+ */
+export const useTestOIDCProvider = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof testOIDCProvider>>, TError,{data: OIDCTestRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof testOIDCProvider>>,
+        TError,
+        {data: OIDCTestRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getTestOIDCProviderMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.oidc.list`. `provider_id` query parameter is required.
+ * @summary List group → role mappings for a provider
+ */
+export const listOIDCGroupMappings = (
+    params: ListOIDCGroupMappingsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListOIDCGroupMappings200>(
+      {url: `/api/v1/auth/oidc/group-mappings`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListOIDCGroupMappingsQueryKey = (params?: ListOIDCGroupMappingsParams,) => {
+    return [
+    `/api/v1/auth/oidc/group-mappings`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListOIDCGroupMappingsQueryOptions = <TData = Awaited<ReturnType<typeof listOIDCGroupMappings>>, TError = void>(params: ListOIDCGroupMappingsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOIDCGroupMappings>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListOIDCGroupMappingsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listOIDCGroupMappings>>> = ({ signal }) => listOIDCGroupMappings(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listOIDCGroupMappings>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListOIDCGroupMappingsQueryResult = NonNullable<Awaited<ReturnType<typeof listOIDCGroupMappings>>>
+export type ListOIDCGroupMappingsQueryError = void
+
+
+export function useListOIDCGroupMappings<TData = Awaited<ReturnType<typeof listOIDCGroupMappings>>, TError = void>(
+ params: ListOIDCGroupMappingsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOIDCGroupMappings>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listOIDCGroupMappings>>,
+          TError,
+          Awaited<ReturnType<typeof listOIDCGroupMappings>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListOIDCGroupMappings<TData = Awaited<ReturnType<typeof listOIDCGroupMappings>>, TError = void>(
+ params: ListOIDCGroupMappingsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOIDCGroupMappings>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listOIDCGroupMappings>>,
+          TError,
+          Awaited<ReturnType<typeof listOIDCGroupMappings>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListOIDCGroupMappings<TData = Awaited<ReturnType<typeof listOIDCGroupMappings>>, TError = void>(
+ params: ListOIDCGroupMappingsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOIDCGroupMappings>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List group → role mappings for a provider
+ */
+
+export function useListOIDCGroupMappings<TData = Awaited<ReturnType<typeof listOIDCGroupMappings>>, TError = void>(
+ params: ListOIDCGroupMappingsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOIDCGroupMappings>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListOIDCGroupMappingsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Permission `auth.oidc.edit`. Establishes that members of `group_name` (as advertised by the IdP) receive the named role for the calling tenant.
+ * @summary Add a group → role mapping
+ */
+export const addOIDCGroupMapping = (
+    oIDCGroupMappingRequest: OIDCGroupMappingRequest,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<OIDCGroupMappingResponse>(
+      {url: `/api/v1/auth/oidc/group-mappings`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: oIDCGroupMappingRequest, signal
+    },
+      );
+    }
+  
+
+
+export const getAddOIDCGroupMappingMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof addOIDCGroupMapping>>, TError,{data: OIDCGroupMappingRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof addOIDCGroupMapping>>, TError,{data: OIDCGroupMappingRequest}, TContext> => {
+
+const mutationKey = ['addOIDCGroupMapping'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof addOIDCGroupMapping>>, {data: OIDCGroupMappingRequest}> = (props) => {
+          const {data} = props ?? {};
+
+          return  addOIDCGroupMapping(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type AddOIDCGroupMappingMutationResult = NonNullable<Awaited<ReturnType<typeof addOIDCGroupMapping>>>
+    export type AddOIDCGroupMappingMutationBody = OIDCGroupMappingRequest
+    export type AddOIDCGroupMappingMutationError = void
+
+    /**
+ * @summary Add a group → role mapping
+ */
+export const useAddOIDCGroupMapping = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof addOIDCGroupMapping>>, TError,{data: OIDCGroupMappingRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof addOIDCGroupMapping>>,
+        TError,
+        {data: OIDCGroupMappingRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getAddOIDCGroupMappingMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.oidc.edit`.
+ * @summary Remove a group → role mapping
+ */
+export const removeOIDCGroupMapping = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/oidc/group-mappings/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getRemoveOIDCGroupMappingMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof removeOIDCGroupMapping>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof removeOIDCGroupMapping>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['removeOIDCGroupMapping'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof removeOIDCGroupMapping>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  removeOIDCGroupMapping(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RemoveOIDCGroupMappingMutationResult = NonNullable<Awaited<ReturnType<typeof removeOIDCGroupMapping>>>
+    
+    export type RemoveOIDCGroupMappingMutationError = void
+
+    /**
+ * @summary Remove a group → role mapping
+ */
+export const useRemoveOIDCGroupMapping = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof removeOIDCGroupMapping>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof removeOIDCGroupMapping>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getRemoveOIDCGroupMappingMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/owners/owners.ts b/web/src/api/generated/owners/owners.ts
new file mode 100644
index 0000000..552967f
--- /dev/null
+++ b/web/src/api/generated/owners/owners.ts
@@ -0,0 +1,424 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  InternalErrorResponse,
+  ListOwners200,
+  ListOwnersParams,
+  NotFoundResponse,
+  Owner
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List owners
+ */
+export const listOwners = (
+    params?: ListOwnersParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListOwners200>(
+      {url: `/api/v1/owners`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListOwnersQueryKey = (params?: ListOwnersParams,) => {
+    return [
+    `/api/v1/owners`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListOwnersQueryOptions = <TData = Awaited<ReturnType<typeof listOwners>>, TError = InternalErrorResponse>(params?: ListOwnersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOwners>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListOwnersQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listOwners>>> = ({ signal }) => listOwners(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listOwners>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListOwnersQueryResult = NonNullable<Awaited<ReturnType<typeof listOwners>>>
+export type ListOwnersQueryError = InternalErrorResponse
+
+
+export function useListOwners<TData = Awaited<ReturnType<typeof listOwners>>, TError = InternalErrorResponse>(
+ params: undefined |  ListOwnersParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOwners>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listOwners>>,
+          TError,
+          Awaited<ReturnType<typeof listOwners>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListOwners<TData = Awaited<ReturnType<typeof listOwners>>, TError = InternalErrorResponse>(
+ params?: ListOwnersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOwners>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listOwners>>,
+          TError,
+          Awaited<ReturnType<typeof listOwners>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListOwners<TData = Awaited<ReturnType<typeof listOwners>>, TError = InternalErrorResponse>(
+ params?: ListOwnersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOwners>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List owners
+ */
+
+export function useListOwners<TData = Awaited<ReturnType<typeof listOwners>>, TError = InternalErrorResponse>(
+ params?: ListOwnersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listOwners>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListOwnersQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Create owner
+ */
+export const createOwner = (
+    owner: Owner,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Owner>(
+      {url: `/api/v1/owners`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: owner, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateOwnerMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createOwner>>, TError,{data: Owner}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createOwner>>, TError,{data: Owner}, TContext> => {
+
+const mutationKey = ['createOwner'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createOwner>>, {data: Owner}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createOwner(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateOwnerMutationResult = NonNullable<Awaited<ReturnType<typeof createOwner>>>
+    export type CreateOwnerMutationBody = Owner
+    export type CreateOwnerMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create owner
+ */
+export const useCreateOwner = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createOwner>>, TError,{data: Owner}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createOwner>>,
+        TError,
+        {data: Owner},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateOwnerMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Get owner
+ */
+export const getOwner = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Owner>(
+      {url: `/api/v1/owners/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetOwnerQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/owners/${id}`
+    ] as const;
+    }
+
+    
+export const getGetOwnerQueryOptions = <TData = Awaited<ReturnType<typeof getOwner>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getOwner>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetOwnerQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getOwner>>> = ({ signal }) => getOwner(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getOwner>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetOwnerQueryResult = NonNullable<Awaited<ReturnType<typeof getOwner>>>
+export type GetOwnerQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetOwner<TData = Awaited<ReturnType<typeof getOwner>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getOwner>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getOwner>>,
+          TError,
+          Awaited<ReturnType<typeof getOwner>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetOwner<TData = Awaited<ReturnType<typeof getOwner>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getOwner>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getOwner>>,
+          TError,
+          Awaited<ReturnType<typeof getOwner>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetOwner<TData = Awaited<ReturnType<typeof getOwner>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getOwner>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get owner
+ */
+
+export function useGetOwner<TData = Awaited<ReturnType<typeof getOwner>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getOwner>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetOwnerQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Update owner
+ */
+export const updateOwner = (
+    id: string,
+    owner: Owner,
+ ) => {
+      
+      
+      return certctlFetch<Owner>(
+      {url: `/api/v1/owners/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: owner
+    },
+      );
+    }
+  
+
+
+export const getUpdateOwnerMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateOwner>>, TError,{id: string;data: Owner}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateOwner>>, TError,{id: string;data: Owner}, TContext> => {
+
+const mutationKey = ['updateOwner'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateOwner>>, {id: string;data: Owner}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateOwner(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateOwnerMutationResult = NonNullable<Awaited<ReturnType<typeof updateOwner>>>
+    export type UpdateOwnerMutationBody = Owner
+    export type UpdateOwnerMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Update owner
+ */
+export const useUpdateOwner = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateOwner>>, TError,{id: string;data: Owner}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateOwner>>,
+        TError,
+        {id: string;data: Owner},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateOwnerMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Delete owner
+ */
+export const deleteOwner = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/owners/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteOwnerMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteOwner>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteOwner>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteOwner'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteOwner>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteOwner(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteOwnerMutationResult = NonNullable<Awaited<ReturnType<typeof deleteOwner>>>
+    
+    export type DeleteOwnerMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete owner
+ */
+export const useDeleteOwner = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteOwner>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteOwner>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteOwnerMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/policies/policies.ts b/web/src/api/generated/policies/policies.ts
new file mode 100644
index 0000000..2dbffea
--- /dev/null
+++ b/web/src/api/generated/policies/policies.ts
@@ -0,0 +1,525 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  InternalErrorResponse,
+  ListPolicies200,
+  ListPoliciesParams,
+  ListPolicyViolations200,
+  ListPolicyViolationsParams,
+  NotFoundResponse,
+  PolicyRule
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List policies
+ */
+export const listPolicies = (
+    params?: ListPoliciesParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListPolicies200>(
+      {url: `/api/v1/policies`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListPoliciesQueryKey = (params?: ListPoliciesParams,) => {
+    return [
+    `/api/v1/policies`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListPoliciesQueryOptions = <TData = Awaited<ReturnType<typeof listPolicies>>, TError = InternalErrorResponse>(params?: ListPoliciesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listPolicies>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListPoliciesQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listPolicies>>> = ({ signal }) => listPolicies(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listPolicies>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListPoliciesQueryResult = NonNullable<Awaited<ReturnType<typeof listPolicies>>>
+export type ListPoliciesQueryError = InternalErrorResponse
+
+
+export function useListPolicies<TData = Awaited<ReturnType<typeof listPolicies>>, TError = InternalErrorResponse>(
+ params: undefined |  ListPoliciesParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listPolicies>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listPolicies>>,
+          TError,
+          Awaited<ReturnType<typeof listPolicies>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListPolicies<TData = Awaited<ReturnType<typeof listPolicies>>, TError = InternalErrorResponse>(
+ params?: ListPoliciesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listPolicies>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listPolicies>>,
+          TError,
+          Awaited<ReturnType<typeof listPolicies>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListPolicies<TData = Awaited<ReturnType<typeof listPolicies>>, TError = InternalErrorResponse>(
+ params?: ListPoliciesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listPolicies>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List policies
+ */
+
+export function useListPolicies<TData = Awaited<ReturnType<typeof listPolicies>>, TError = InternalErrorResponse>(
+ params?: ListPoliciesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listPolicies>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListPoliciesQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Create policy
+ */
+export const createPolicy = (
+    policyRule: PolicyRule,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<PolicyRule>(
+      {url: `/api/v1/policies`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: policyRule, signal
+    },
+      );
+    }
+  
+
+
+export const getCreatePolicyMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createPolicy>>, TError,{data: PolicyRule}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createPolicy>>, TError,{data: PolicyRule}, TContext> => {
+
+const mutationKey = ['createPolicy'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createPolicy>>, {data: PolicyRule}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createPolicy(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreatePolicyMutationResult = NonNullable<Awaited<ReturnType<typeof createPolicy>>>
+    export type CreatePolicyMutationBody = PolicyRule
+    export type CreatePolicyMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create policy
+ */
+export const useCreatePolicy = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createPolicy>>, TError,{data: PolicyRule}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createPolicy>>,
+        TError,
+        {data: PolicyRule},
+        TContext
+      > => {
+
+      const mutationOptions = getCreatePolicyMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Get policy
+ */
+export const getPolicy = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<PolicyRule>(
+      {url: `/api/v1/policies/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetPolicyQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/policies/${id}`
+    ] as const;
+    }
+
+    
+export const getGetPolicyQueryOptions = <TData = Awaited<ReturnType<typeof getPolicy>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPolicy>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetPolicyQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getPolicy>>> = ({ signal }) => getPolicy(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getPolicy>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetPolicyQueryResult = NonNullable<Awaited<ReturnType<typeof getPolicy>>>
+export type GetPolicyQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetPolicy<TData = Awaited<ReturnType<typeof getPolicy>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPolicy>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getPolicy>>,
+          TError,
+          Awaited<ReturnType<typeof getPolicy>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetPolicy<TData = Awaited<ReturnType<typeof getPolicy>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPolicy>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getPolicy>>,
+          TError,
+          Awaited<ReturnType<typeof getPolicy>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetPolicy<TData = Awaited<ReturnType<typeof getPolicy>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPolicy>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get policy
+ */
+
+export function useGetPolicy<TData = Awaited<ReturnType<typeof getPolicy>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPolicy>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetPolicyQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Update policy
+ */
+export const updatePolicy = (
+    id: string,
+    policyRule: PolicyRule,
+ ) => {
+      
+      
+      return certctlFetch<PolicyRule>(
+      {url: `/api/v1/policies/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: policyRule
+    },
+      );
+    }
+  
+
+
+export const getUpdatePolicyMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updatePolicy>>, TError,{id: string;data: PolicyRule}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updatePolicy>>, TError,{id: string;data: PolicyRule}, TContext> => {
+
+const mutationKey = ['updatePolicy'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updatePolicy>>, {id: string;data: PolicyRule}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updatePolicy(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdatePolicyMutationResult = NonNullable<Awaited<ReturnType<typeof updatePolicy>>>
+    export type UpdatePolicyMutationBody = PolicyRule
+    export type UpdatePolicyMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Update policy
+ */
+export const useUpdatePolicy = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updatePolicy>>, TError,{id: string;data: PolicyRule}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updatePolicy>>,
+        TError,
+        {id: string;data: PolicyRule},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdatePolicyMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Delete policy
+ */
+export const deletePolicy = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/policies/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeletePolicyMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deletePolicy>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deletePolicy>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deletePolicy'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deletePolicy>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deletePolicy(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeletePolicyMutationResult = NonNullable<Awaited<ReturnType<typeof deletePolicy>>>
+    
+    export type DeletePolicyMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete policy
+ */
+export const useDeletePolicy = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deletePolicy>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deletePolicy>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeletePolicyMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary List policy violations
+ */
+export const listPolicyViolations = (
+    id: string,
+    params?: ListPolicyViolationsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListPolicyViolations200>(
+      {url: `/api/v1/policies/${id}/violations`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListPolicyViolationsQueryKey = (id?: string,
+    params?: ListPolicyViolationsParams,) => {
+    return [
+    `/api/v1/policies/${id}/violations`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListPolicyViolationsQueryOptions = <TData = Awaited<ReturnType<typeof listPolicyViolations>>, TError = BadRequestResponse | InternalErrorResponse>(id: string,
+    params?: ListPolicyViolationsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listPolicyViolations>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListPolicyViolationsQueryKey(id,params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listPolicyViolations>>> = ({ signal }) => listPolicyViolations(id,params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listPolicyViolations>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListPolicyViolationsQueryResult = NonNullable<Awaited<ReturnType<typeof listPolicyViolations>>>
+export type ListPolicyViolationsQueryError = BadRequestResponse | InternalErrorResponse
+
+
+export function useListPolicyViolations<TData = Awaited<ReturnType<typeof listPolicyViolations>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string,
+    params: undefined |  ListPolicyViolationsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listPolicyViolations>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listPolicyViolations>>,
+          TError,
+          Awaited<ReturnType<typeof listPolicyViolations>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListPolicyViolations<TData = Awaited<ReturnType<typeof listPolicyViolations>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string,
+    params?: ListPolicyViolationsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listPolicyViolations>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listPolicyViolations>>,
+          TError,
+          Awaited<ReturnType<typeof listPolicyViolations>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListPolicyViolations<TData = Awaited<ReturnType<typeof listPolicyViolations>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string,
+    params?: ListPolicyViolationsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listPolicyViolations>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List policy violations
+ */
+
+export function useListPolicyViolations<TData = Awaited<ReturnType<typeof listPolicyViolations>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string,
+    params?: ListPolicyViolationsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listPolicyViolations>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListPolicyViolationsQueryOptions(id,params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
diff --git a/web/src/api/generated/profiles/profiles.ts b/web/src/api/generated/profiles/profiles.ts
new file mode 100644
index 0000000..3c33ccc
--- /dev/null
+++ b/web/src/api/generated/profiles/profiles.ts
@@ -0,0 +1,424 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  CertificateProfile,
+  InternalErrorResponse,
+  ListProfiles200,
+  ListProfilesParams,
+  NotFoundResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List profiles
+ */
+export const listProfiles = (
+    params?: ListProfilesParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListProfiles200>(
+      {url: `/api/v1/profiles`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListProfilesQueryKey = (params?: ListProfilesParams,) => {
+    return [
+    `/api/v1/profiles`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListProfilesQueryOptions = <TData = Awaited<ReturnType<typeof listProfiles>>, TError = InternalErrorResponse>(params?: ListProfilesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listProfiles>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListProfilesQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listProfiles>>> = ({ signal }) => listProfiles(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listProfiles>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListProfilesQueryResult = NonNullable<Awaited<ReturnType<typeof listProfiles>>>
+export type ListProfilesQueryError = InternalErrorResponse
+
+
+export function useListProfiles<TData = Awaited<ReturnType<typeof listProfiles>>, TError = InternalErrorResponse>(
+ params: undefined |  ListProfilesParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listProfiles>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listProfiles>>,
+          TError,
+          Awaited<ReturnType<typeof listProfiles>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListProfiles<TData = Awaited<ReturnType<typeof listProfiles>>, TError = InternalErrorResponse>(
+ params?: ListProfilesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listProfiles>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listProfiles>>,
+          TError,
+          Awaited<ReturnType<typeof listProfiles>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListProfiles<TData = Awaited<ReturnType<typeof listProfiles>>, TError = InternalErrorResponse>(
+ params?: ListProfilesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listProfiles>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List profiles
+ */
+
+export function useListProfiles<TData = Awaited<ReturnType<typeof listProfiles>>, TError = InternalErrorResponse>(
+ params?: ListProfilesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listProfiles>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListProfilesQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Create profile
+ */
+export const createProfile = (
+    certificateProfile: CertificateProfile,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<CertificateProfile>(
+      {url: `/api/v1/profiles`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: certificateProfile, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateProfileMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createProfile>>, TError,{data: CertificateProfile}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createProfile>>, TError,{data: CertificateProfile}, TContext> => {
+
+const mutationKey = ['createProfile'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createProfile>>, {data: CertificateProfile}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createProfile(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateProfileMutationResult = NonNullable<Awaited<ReturnType<typeof createProfile>>>
+    export type CreateProfileMutationBody = CertificateProfile
+    export type CreateProfileMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create profile
+ */
+export const useCreateProfile = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createProfile>>, TError,{data: CertificateProfile}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createProfile>>,
+        TError,
+        {data: CertificateProfile},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateProfileMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Get profile
+ */
+export const getProfile = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<CertificateProfile>(
+      {url: `/api/v1/profiles/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetProfileQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/profiles/${id}`
+    ] as const;
+    }
+
+    
+export const getGetProfileQueryOptions = <TData = Awaited<ReturnType<typeof getProfile>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getProfile>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetProfileQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getProfile>>> = ({ signal }) => getProfile(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getProfile>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetProfileQueryResult = NonNullable<Awaited<ReturnType<typeof getProfile>>>
+export type GetProfileQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetProfile<TData = Awaited<ReturnType<typeof getProfile>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getProfile>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getProfile>>,
+          TError,
+          Awaited<ReturnType<typeof getProfile>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetProfile<TData = Awaited<ReturnType<typeof getProfile>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getProfile>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getProfile>>,
+          TError,
+          Awaited<ReturnType<typeof getProfile>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetProfile<TData = Awaited<ReturnType<typeof getProfile>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getProfile>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get profile
+ */
+
+export function useGetProfile<TData = Awaited<ReturnType<typeof getProfile>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getProfile>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetProfileQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Update profile
+ */
+export const updateProfile = (
+    id: string,
+    certificateProfile: CertificateProfile,
+ ) => {
+      
+      
+      return certctlFetch<CertificateProfile>(
+      {url: `/api/v1/profiles/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: certificateProfile
+    },
+      );
+    }
+  
+
+
+export const getUpdateProfileMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateProfile>>, TError,{id: string;data: CertificateProfile}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateProfile>>, TError,{id: string;data: CertificateProfile}, TContext> => {
+
+const mutationKey = ['updateProfile'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateProfile>>, {id: string;data: CertificateProfile}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateProfile(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateProfileMutationResult = NonNullable<Awaited<ReturnType<typeof updateProfile>>>
+    export type UpdateProfileMutationBody = CertificateProfile
+    export type UpdateProfileMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Update profile
+ */
+export const useUpdateProfile = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateProfile>>, TError,{id: string;data: CertificateProfile}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateProfile>>,
+        TError,
+        {id: string;data: CertificateProfile},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateProfileMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Delete profile
+ */
+export const deleteProfile = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/profiles/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteProfileMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteProfile>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteProfile>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteProfile'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteProfile>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteProfile(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteProfileMutationResult = NonNullable<Awaited<ReturnType<typeof deleteProfile>>>
+    
+    export type DeleteProfileMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete profile
+ */
+export const useDeleteProfile = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteProfile>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteProfile>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteProfileMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/renewal-policies/renewal-policies.ts b/web/src/api/generated/renewal-policies/renewal-policies.ts
new file mode 100644
index 0000000..7a9084a
--- /dev/null
+++ b/web/src/api/generated/renewal-policies/renewal-policies.ts
@@ -0,0 +1,427 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  ErrorResponse,
+  InternalErrorResponse,
+  ListRenewalPolicies200,
+  ListRenewalPoliciesParams,
+  NotFoundResponse,
+  RenewalPolicy,
+  RenewalPolicyCreateRequest,
+  RenewalPolicyUpdateRequest
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List renewal policies
+ */
+export const listRenewalPolicies = (
+    params?: ListRenewalPoliciesParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListRenewalPolicies200>(
+      {url: `/api/v1/renewal-policies`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListRenewalPoliciesQueryKey = (params?: ListRenewalPoliciesParams,) => {
+    return [
+    `/api/v1/renewal-policies`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListRenewalPoliciesQueryOptions = <TData = Awaited<ReturnType<typeof listRenewalPolicies>>, TError = InternalErrorResponse>(params?: ListRenewalPoliciesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRenewalPolicies>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListRenewalPoliciesQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listRenewalPolicies>>> = ({ signal }) => listRenewalPolicies(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listRenewalPolicies>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListRenewalPoliciesQueryResult = NonNullable<Awaited<ReturnType<typeof listRenewalPolicies>>>
+export type ListRenewalPoliciesQueryError = InternalErrorResponse
+
+
+export function useListRenewalPolicies<TData = Awaited<ReturnType<typeof listRenewalPolicies>>, TError = InternalErrorResponse>(
+ params: undefined |  ListRenewalPoliciesParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRenewalPolicies>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listRenewalPolicies>>,
+          TError,
+          Awaited<ReturnType<typeof listRenewalPolicies>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListRenewalPolicies<TData = Awaited<ReturnType<typeof listRenewalPolicies>>, TError = InternalErrorResponse>(
+ params?: ListRenewalPoliciesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRenewalPolicies>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listRenewalPolicies>>,
+          TError,
+          Awaited<ReturnType<typeof listRenewalPolicies>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListRenewalPolicies<TData = Awaited<ReturnType<typeof listRenewalPolicies>>, TError = InternalErrorResponse>(
+ params?: ListRenewalPoliciesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRenewalPolicies>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List renewal policies
+ */
+
+export function useListRenewalPolicies<TData = Awaited<ReturnType<typeof listRenewalPolicies>>, TError = InternalErrorResponse>(
+ params?: ListRenewalPoliciesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRenewalPolicies>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListRenewalPoliciesQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Create renewal policy
+ */
+export const createRenewalPolicy = (
+    renewalPolicyCreateRequest: RenewalPolicyCreateRequest,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<RenewalPolicy>(
+      {url: `/api/v1/renewal-policies`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: renewalPolicyCreateRequest, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateRenewalPolicyMutationOptions = <TError = BadRequestResponse | ErrorResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createRenewalPolicy>>, TError,{data: RenewalPolicyCreateRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createRenewalPolicy>>, TError,{data: RenewalPolicyCreateRequest}, TContext> => {
+
+const mutationKey = ['createRenewalPolicy'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createRenewalPolicy>>, {data: RenewalPolicyCreateRequest}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createRenewalPolicy(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateRenewalPolicyMutationResult = NonNullable<Awaited<ReturnType<typeof createRenewalPolicy>>>
+    export type CreateRenewalPolicyMutationBody = RenewalPolicyCreateRequest
+    export type CreateRenewalPolicyMutationError = BadRequestResponse | ErrorResponse | InternalErrorResponse
+
+    /**
+ * @summary Create renewal policy
+ */
+export const useCreateRenewalPolicy = <TError = BadRequestResponse | ErrorResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createRenewalPolicy>>, TError,{data: RenewalPolicyCreateRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createRenewalPolicy>>,
+        TError,
+        {data: RenewalPolicyCreateRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateRenewalPolicyMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Get renewal policy
+ */
+export const getRenewalPolicy = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<RenewalPolicy>(
+      {url: `/api/v1/renewal-policies/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetRenewalPolicyQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/renewal-policies/${id}`
+    ] as const;
+    }
+
+    
+export const getGetRenewalPolicyQueryOptions = <TData = Awaited<ReturnType<typeof getRenewalPolicy>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getRenewalPolicy>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetRenewalPolicyQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getRenewalPolicy>>> = ({ signal }) => getRenewalPolicy(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getRenewalPolicy>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetRenewalPolicyQueryResult = NonNullable<Awaited<ReturnType<typeof getRenewalPolicy>>>
+export type GetRenewalPolicyQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetRenewalPolicy<TData = Awaited<ReturnType<typeof getRenewalPolicy>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getRenewalPolicy>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getRenewalPolicy>>,
+          TError,
+          Awaited<ReturnType<typeof getRenewalPolicy>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetRenewalPolicy<TData = Awaited<ReturnType<typeof getRenewalPolicy>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getRenewalPolicy>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getRenewalPolicy>>,
+          TError,
+          Awaited<ReturnType<typeof getRenewalPolicy>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetRenewalPolicy<TData = Awaited<ReturnType<typeof getRenewalPolicy>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getRenewalPolicy>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get renewal policy
+ */
+
+export function useGetRenewalPolicy<TData = Awaited<ReturnType<typeof getRenewalPolicy>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getRenewalPolicy>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetRenewalPolicyQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Update renewal policy
+ */
+export const updateRenewalPolicy = (
+    id: string,
+    renewalPolicyUpdateRequest: RenewalPolicyUpdateRequest,
+ ) => {
+      
+      
+      return certctlFetch<RenewalPolicy>(
+      {url: `/api/v1/renewal-policies/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: renewalPolicyUpdateRequest
+    },
+      );
+    }
+  
+
+
+export const getUpdateRenewalPolicyMutationOptions = <TError = BadRequestResponse | NotFoundResponse | ErrorResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateRenewalPolicy>>, TError,{id: string;data: RenewalPolicyUpdateRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateRenewalPolicy>>, TError,{id: string;data: RenewalPolicyUpdateRequest}, TContext> => {
+
+const mutationKey = ['updateRenewalPolicy'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateRenewalPolicy>>, {id: string;data: RenewalPolicyUpdateRequest}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateRenewalPolicy(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateRenewalPolicyMutationResult = NonNullable<Awaited<ReturnType<typeof updateRenewalPolicy>>>
+    export type UpdateRenewalPolicyMutationBody = RenewalPolicyUpdateRequest
+    export type UpdateRenewalPolicyMutationError = BadRequestResponse | NotFoundResponse | ErrorResponse | InternalErrorResponse
+
+    /**
+ * @summary Update renewal policy
+ */
+export const useUpdateRenewalPolicy = <TError = BadRequestResponse | NotFoundResponse | ErrorResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateRenewalPolicy>>, TError,{id: string;data: RenewalPolicyUpdateRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateRenewalPolicy>>,
+        TError,
+        {id: string;data: RenewalPolicyUpdateRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateRenewalPolicyMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Delete renewal policy
+ */
+export const deleteRenewalPolicy = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/renewal-policies/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteRenewalPolicyMutationOptions = <TError = BadRequestResponse | NotFoundResponse | ErrorResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteRenewalPolicy>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteRenewalPolicy>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteRenewalPolicy'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteRenewalPolicy>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteRenewalPolicy(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteRenewalPolicyMutationResult = NonNullable<Awaited<ReturnType<typeof deleteRenewalPolicy>>>
+    
+    export type DeleteRenewalPolicyMutationError = BadRequestResponse | NotFoundResponse | ErrorResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete renewal policy
+ */
+export const useDeleteRenewalPolicy = <TError = BadRequestResponse | NotFoundResponse | ErrorResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteRenewalPolicy>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteRenewalPolicy>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteRenewalPolicyMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/scep/scep.ts b/web/src/api/generated/scep/scep.ts
new file mode 100644
index 0000000..bdf38e2
--- /dev/null
+++ b/web/src/api/generated/scep/scep.ts
@@ -0,0 +1,705 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  InternalErrorResponse,
+  ListSCEPIntuneStats200,
+  ListSCEPProbes200,
+  ListSCEPProfiles200,
+  ProbeSCEP200,
+  ProbeSCEPBody,
+  ReloadSCEPIntuneTrust200,
+  ReloadSCEPIntuneTrustBody,
+  ScepGetParams,
+  ScepPostParams
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Synchronous probe against an SCEP server URL. Issues
+`GET ?operation=GetCACaps` and `GET ?operation=GetCACert`
+and returns the structured `SCEPProbeResult` (reachable,
+advertised caps, RFC 8894 / AES / POST / Renewal / SHA-256 /
+SHA-512 support flags, CA cert subject + issuer + NotBefore +
+NotAfter + days-to-expiry + algorithm + chain length).
+
+Capability-only — does NOT POST a CSR (would consume slot
+allocations on the target server + create audit noise). Used
+for pre-migration assessment + compliance posture audits.
+
+SSRF-defended: the URL is validated up-front (reserved IPs
+rejected) AND the underlying HTTP client uses the
+SafeHTTPDialContext that re-resolves the host at dial time
+(defends against DNS rebinding).
+
+Result is persisted to the `scep_probe_results` table via
+migration 000021 so the GUI can show recent probe history.
+SCEP RFC 8894 + Intune master bundle Phase 11.5.
+
+ * @summary Probe an SCEP server for capability + posture
+ */
+export const probeSCEP = (
+    probeSCEPBody: ProbeSCEPBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ProbeSCEP200>(
+      {url: `/api/v1/network-scan/scep-probe`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: probeSCEPBody, signal
+    },
+      );
+    }
+  
+
+
+export const getProbeSCEPMutationOptions = <TError = void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof probeSCEP>>, TError,{data: ProbeSCEPBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof probeSCEP>>, TError,{data: ProbeSCEPBody}, TContext> => {
+
+const mutationKey = ['probeSCEP'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof probeSCEP>>, {data: ProbeSCEPBody}> = (props) => {
+          const {data} = props ?? {};
+
+          return  probeSCEP(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ProbeSCEPMutationResult = NonNullable<Awaited<ReturnType<typeof probeSCEP>>>
+    export type ProbeSCEPMutationBody = ProbeSCEPBody
+    export type ProbeSCEPMutationError = void | InternalErrorResponse
+
+    /**
+ * @summary Probe an SCEP server for capability + posture
+ */
+export const useProbeSCEP = <TError = void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof probeSCEP>>, TError,{data: ProbeSCEPBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof probeSCEP>>,
+        TError,
+        {data: ProbeSCEPBody},
+        TContext
+      > => {
+
+      const mutationOptions = getProbeSCEPMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns the most recent 50 SCEP probe results across any
+target URL, ordered by `probed_at` descending. Backs the
+GUI's "Recent SCEP probes" history table on the Network
+Scan page. SCEP RFC 8894 + Intune master bundle Phase 11.5.
+
+ * @summary List recent SCEP probe results
+ */
+export const listSCEPProbes = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListSCEPProbes200>(
+      {url: `/api/v1/network-scan/scep-probes`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListSCEPProbesQueryKey = () => {
+    return [
+    `/api/v1/network-scan/scep-probes`
+    ] as const;
+    }
+
+    
+export const getListSCEPProbesQueryOptions = <TData = Awaited<ReturnType<typeof listSCEPProbes>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPProbes>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListSCEPProbesQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listSCEPProbes>>> = ({ signal }) => listSCEPProbes(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listSCEPProbes>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListSCEPProbesQueryResult = NonNullable<Awaited<ReturnType<typeof listSCEPProbes>>>
+export type ListSCEPProbesQueryError = InternalErrorResponse
+
+
+export function useListSCEPProbes<TData = Awaited<ReturnType<typeof listSCEPProbes>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPProbes>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listSCEPProbes>>,
+          TError,
+          Awaited<ReturnType<typeof listSCEPProbes>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListSCEPProbes<TData = Awaited<ReturnType<typeof listSCEPProbes>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPProbes>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listSCEPProbes>>,
+          TError,
+          Awaited<ReturnType<typeof listSCEPProbes>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListSCEPProbes<TData = Awaited<ReturnType<typeof listSCEPProbes>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPProbes>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List recent SCEP probe results
+ */
+
+export function useListSCEPProbes<TData = Awaited<ReturnType<typeof listSCEPProbes>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPProbes>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListSCEPProbesQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns one snapshot per configured SCEP profile in the
+SCEPProfileStatsSnapshot shape: always-present per-profile
+fields (path_id, issuer_id, challenge_password_set, RA cert
+subject + NotBefore/NotAfter + days-to-expiry, mTLS
+sibling-route status, mTLS trust bundle path) plus an
+optional `intune` sub-block when the profile has
+INTUNE_ENABLED=true.
+
+Profiles where Intune is disabled appear with the `intune`
+field omitted (rather than null) so the GUI's per-profile
+card can render the lean shape without an Intune deep-dive
+button. Profiles where Intune is enabled also appear in the
+sibling /api/v1/admin/scep/intune/stats endpoint with the
+flat Phase 9.2 shape preserved for backward compat.
+
+Admin-gated (M-008 pattern). Non-admin Bearer callers get
+HTTP 403 — the snapshot reveals the operator's profile set,
+RA cert expiries, and mTLS bundle paths (sensitive
+operational metadata). SCEP RFC 8894 + Intune master bundle
+Phase 9 follow-up.
+
+ * @summary Per-profile SCEP administration overview (admin)
+ */
+export const listSCEPProfiles = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListSCEPProfiles200>(
+      {url: `/api/v1/admin/scep/profiles`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListSCEPProfilesQueryKey = () => {
+    return [
+    `/api/v1/admin/scep/profiles`
+    ] as const;
+    }
+
+    
+export const getListSCEPProfilesQueryOptions = <TData = Awaited<ReturnType<typeof listSCEPProfiles>>, TError = void | InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPProfiles>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListSCEPProfilesQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listSCEPProfiles>>> = ({ signal }) => listSCEPProfiles(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listSCEPProfiles>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListSCEPProfilesQueryResult = NonNullable<Awaited<ReturnType<typeof listSCEPProfiles>>>
+export type ListSCEPProfilesQueryError = void | InternalErrorResponse
+
+
+export function useListSCEPProfiles<TData = Awaited<ReturnType<typeof listSCEPProfiles>>, TError = void | InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPProfiles>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listSCEPProfiles>>,
+          TError,
+          Awaited<ReturnType<typeof listSCEPProfiles>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListSCEPProfiles<TData = Awaited<ReturnType<typeof listSCEPProfiles>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPProfiles>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listSCEPProfiles>>,
+          TError,
+          Awaited<ReturnType<typeof listSCEPProfiles>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListSCEPProfiles<TData = Awaited<ReturnType<typeof listSCEPProfiles>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPProfiles>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Per-profile SCEP administration overview (admin)
+ */
+
+export function useListSCEPProfiles<TData = Awaited<ReturnType<typeof listSCEPProfiles>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPProfiles>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListSCEPProfilesQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns one snapshot per configured SCEP profile (Intune-enabled
+or not). Profiles where Intune is disabled appear with
+`enabled=false`; profiles where Intune is enabled additionally
+carry the trust anchor pool's per-cert expiry, the audience
+binding, the per-status enrollment counters
+(success / signature_invalid / claim_mismatch / expired /
+wrong_audience / replay / rate_limited / malformed /
+compliance_failed / not_yet_valid / unknown_version), the
+in-memory replay-cache size, and the per-device-rate-limit
+opt-out flag.
+
+Admin-gated (M-008 pattern) — non-admin Bearer callers get 403
+because the trust-anchor expiries and per-status counters are
+sensitive operational metadata. SCEP RFC 8894 + Intune master
+bundle Phase 9.2.
+
+ * @summary Per-profile Microsoft Intune dispatcher observability (admin)
+ */
+export const listSCEPIntuneStats = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListSCEPIntuneStats200>(
+      {url: `/api/v1/admin/scep/intune/stats`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListSCEPIntuneStatsQueryKey = () => {
+    return [
+    `/api/v1/admin/scep/intune/stats`
+    ] as const;
+    }
+
+    
+export const getListSCEPIntuneStatsQueryOptions = <TData = Awaited<ReturnType<typeof listSCEPIntuneStats>>, TError = void | InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPIntuneStats>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListSCEPIntuneStatsQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listSCEPIntuneStats>>> = ({ signal }) => listSCEPIntuneStats(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listSCEPIntuneStats>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListSCEPIntuneStatsQueryResult = NonNullable<Awaited<ReturnType<typeof listSCEPIntuneStats>>>
+export type ListSCEPIntuneStatsQueryError = void | InternalErrorResponse
+
+
+export function useListSCEPIntuneStats<TData = Awaited<ReturnType<typeof listSCEPIntuneStats>>, TError = void | InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPIntuneStats>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listSCEPIntuneStats>>,
+          TError,
+          Awaited<ReturnType<typeof listSCEPIntuneStats>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListSCEPIntuneStats<TData = Awaited<ReturnType<typeof listSCEPIntuneStats>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPIntuneStats>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listSCEPIntuneStats>>,
+          TError,
+          Awaited<ReturnType<typeof listSCEPIntuneStats>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListSCEPIntuneStats<TData = Awaited<ReturnType<typeof listSCEPIntuneStats>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPIntuneStats>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Per-profile Microsoft Intune dispatcher observability (admin)
+ */
+
+export function useListSCEPIntuneStats<TData = Awaited<ReturnType<typeof listSCEPIntuneStats>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listSCEPIntuneStats>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListSCEPIntuneStatsQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Triggers the same Reload that the SIGHUP watcher would run for
+the named profile. The body MUST be `{"path_id": "<pathID>"}`;
+an empty body targets the legacy `/scep` root profile (PathID="").
+
+Returns 200 + `{"reloaded": true, ...}` on success; 404 when the
+path_id doesn't match any configured SCEP profile; 409 when the
+profile exists but Intune is disabled on it (no trust anchor to
+reload); 500 when the underlying file fails to parse — in which
+case the holder retains the OLD pool so enrollment keeps working
+off the previous trust anchor while the operator fixes the file.
+
+Admin-gated (M-008 pattern). SCEP RFC 8894 + Intune master
+bundle Phase 9.2.
+
+ * @summary Reload a SCEP profile's Intune trust anchor (admin)
+ */
+export const reloadSCEPIntuneTrust = (
+    reloadSCEPIntuneTrustBody?: ReloadSCEPIntuneTrustBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ReloadSCEPIntuneTrust200>(
+      {url: `/api/v1/admin/scep/intune/reload-trust`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: reloadSCEPIntuneTrustBody, signal
+    },
+      );
+    }
+  
+
+
+export const getReloadSCEPIntuneTrustMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof reloadSCEPIntuneTrust>>, TError,{data: ReloadSCEPIntuneTrustBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof reloadSCEPIntuneTrust>>, TError,{data: ReloadSCEPIntuneTrustBody}, TContext> => {
+
+const mutationKey = ['reloadSCEPIntuneTrust'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof reloadSCEPIntuneTrust>>, {data: ReloadSCEPIntuneTrustBody}> = (props) => {
+          const {data} = props ?? {};
+
+          return  reloadSCEPIntuneTrust(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ReloadSCEPIntuneTrustMutationResult = NonNullable<Awaited<ReturnType<typeof reloadSCEPIntuneTrust>>>
+    export type ReloadSCEPIntuneTrustMutationBody = ReloadSCEPIntuneTrustBody
+    export type ReloadSCEPIntuneTrustMutationError = void
+
+    /**
+ * @summary Reload a SCEP profile's Intune trust anchor (admin)
+ */
+export const useReloadSCEPIntuneTrust = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof reloadSCEPIntuneTrust>>, TError,{data: ReloadSCEPIntuneTrustBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof reloadSCEPIntuneTrust>>,
+        TError,
+        {data: ReloadSCEPIntuneTrustBody},
+        TContext
+      > => {
+
+      const mutationOptions = getReloadSCEPIntuneTrustMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Single SCEP entry point dispatched by the `operation` query parameter
+per RFC 8894. GET is used for capability discovery (`GetCACaps`) and
+CA certificate retrieval (`GetCACert`).
+
+ * @summary SCEP operation dispatch (GET)
+ */
+export const scepGet = (
+    params: ScepGetParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string | Blob>(
+      {url: `/scep`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getScepGetQueryKey = (params?: ScepGetParams,) => {
+    return [
+    `/scep`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getScepGetQueryOptions = <TData = Awaited<ReturnType<typeof scepGet>>, TError = BadRequestResponse | InternalErrorResponse>(params: ScepGetParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof scepGet>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getScepGetQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof scepGet>>> = ({ signal }) => scepGet(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof scepGet>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ScepGetQueryResult = NonNullable<Awaited<ReturnType<typeof scepGet>>>
+export type ScepGetQueryError = BadRequestResponse | InternalErrorResponse
+
+
+export function useScepGet<TData = Awaited<ReturnType<typeof scepGet>>, TError = BadRequestResponse | InternalErrorResponse>(
+ params: ScepGetParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof scepGet>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof scepGet>>,
+          TError,
+          Awaited<ReturnType<typeof scepGet>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useScepGet<TData = Awaited<ReturnType<typeof scepGet>>, TError = BadRequestResponse | InternalErrorResponse>(
+ params: ScepGetParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof scepGet>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof scepGet>>,
+          TError,
+          Awaited<ReturnType<typeof scepGet>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useScepGet<TData = Awaited<ReturnType<typeof scepGet>>, TError = BadRequestResponse | InternalErrorResponse>(
+ params: ScepGetParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof scepGet>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary SCEP operation dispatch (GET)
+ */
+
+export function useScepGet<TData = Awaited<ReturnType<typeof scepGet>>, TError = BadRequestResponse | InternalErrorResponse>(
+ params: ScepGetParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof scepGet>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getScepGetQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * SCEP enrollment / renewal / revocation request per RFC 8894.
+Request body is a PKCS#7 SignedData envelope wrapping the PKCS#10 CSR
+or a degenerate raw CSR (fallback). The challenge password in the CSR
+attributes is validated against `CERTCTL_SCEP_CHALLENGE_PASSWORD` when
+configured.
+
+ * @summary SCEP PKIOperation (POST)
+ */
+export const scepPost = (
+    scepPostBody: Blob,
+    params: ScepPostParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Blob>(
+      {url: `/scep`, method: 'POST',
+      headers: {'Content-Type': 'application/x-pki-message', },
+      data: scepPostBody,
+        params,
+        responseType: 'blob', signal
+    },
+      );
+    }
+  
+
+
+export const getScepPostMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof scepPost>>, TError,{data: Blob;params: ScepPostParams}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof scepPost>>, TError,{data: Blob;params: ScepPostParams}, TContext> => {
+
+const mutationKey = ['scepPost'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof scepPost>>, {data: Blob;params: ScepPostParams}> = (props) => {
+          const {data,params} = props ?? {};
+
+          return  scepPost(data,params,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ScepPostMutationResult = NonNullable<Awaited<ReturnType<typeof scepPost>>>
+    export type ScepPostMutationBody = Blob
+    export type ScepPostMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary SCEP PKIOperation (POST)
+ */
+export const useScepPost = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof scepPost>>, TError,{data: Blob;params: ScepPostParams}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof scepPost>>,
+        TError,
+        {data: Blob;params: ScepPostParams},
+        TContext
+      > => {
+
+      const mutationOptions = getScepPostMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/sessions/sessions.ts b/web/src/api/generated/sessions/sessions.ts
new file mode 100644
index 0000000..746d175
--- /dev/null
+++ b/web/src/api/generated/sessions/sessions.ts
@@ -0,0 +1,289 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  ListAuthSessions200,
+  ListAuthSessionsParams,
+  RevokeAuthSessionsExceptCurrent200,
+  RevokeAuthSessionsExceptCurrentParams
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Permission `auth.session.list` for own-sessions. Listing another
+actor's sessions additionally requires `auth.session.list.all`
+(re-checked inline by the handler; the router-level rbacGate
+cannot see the query parameter).
+
+Audit 2026-05-10 MED-2 closure — the all-actors variant is an
+admin-class capability, segregated from the same-actor floor.
+
+ * @summary List active sessions (own actor by default; specify actor_id to list another actor's)
+ */
+export const listAuthSessions = (
+    params?: ListAuthSessionsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAuthSessions200>(
+      {url: `/api/v1/auth/sessions`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAuthSessionsQueryKey = (params?: ListAuthSessionsParams,) => {
+    return [
+    `/api/v1/auth/sessions`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListAuthSessionsQueryOptions = <TData = Awaited<ReturnType<typeof listAuthSessions>>, TError = void>(params?: ListAuthSessionsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthSessions>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAuthSessionsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAuthSessions>>> = ({ signal }) => listAuthSessions(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAuthSessions>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAuthSessionsQueryResult = NonNullable<Awaited<ReturnType<typeof listAuthSessions>>>
+export type ListAuthSessionsQueryError = void
+
+
+export function useListAuthSessions<TData = Awaited<ReturnType<typeof listAuthSessions>>, TError = void>(
+ params: undefined |  ListAuthSessionsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthSessions>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuthSessions>>,
+          TError,
+          Awaited<ReturnType<typeof listAuthSessions>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuthSessions<TData = Awaited<ReturnType<typeof listAuthSessions>>, TError = void>(
+ params?: ListAuthSessionsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthSessions>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuthSessions>>,
+          TError,
+          Awaited<ReturnType<typeof listAuthSessions>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuthSessions<TData = Awaited<ReturnType<typeof listAuthSessions>>, TError = void>(
+ params?: ListAuthSessionsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthSessions>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List active sessions (own actor by default; specify actor_id to list another actor's)
+ */
+
+export function useListAuthSessions<TData = Awaited<ReturnType<typeof listAuthSessions>>, TError = void>(
+ params?: ListAuthSessionsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuthSessions>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAuthSessionsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Permission `auth.session.revoke`. Revokes every active session
+for the calling actor EXCEPT the session that issued this
+request (so the user isn't logged out by the action they just
+took). Bearer/API-key callers (whose request has no session
+cookie) get all their sessions revoked.
+
+Audit 2026-05-10 MED-3 closure — backs the SessionsPage's
+"Sign out all other sessions" button.
+
+Only the `?except=current` form is accepted; any other query
+parameter combination returns 400.
+
+ * @summary Revoke all sessions for the caller except the current one
+ */
+export const revokeAuthSessionsExceptCurrent = (
+    params: RevokeAuthSessionsExceptCurrentParams,
+ ) => {
+      
+      
+      return certctlFetch<RevokeAuthSessionsExceptCurrent200>(
+      {url: `/api/v1/auth/sessions`, method: 'DELETE',
+        params
+    },
+      );
+    }
+  
+
+
+export const getRevokeAuthSessionsExceptCurrentMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof revokeAuthSessionsExceptCurrent>>, TError,{params: RevokeAuthSessionsExceptCurrentParams}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof revokeAuthSessionsExceptCurrent>>, TError,{params: RevokeAuthSessionsExceptCurrentParams}, TContext> => {
+
+const mutationKey = ['revokeAuthSessionsExceptCurrent'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof revokeAuthSessionsExceptCurrent>>, {params: RevokeAuthSessionsExceptCurrentParams}> = (props) => {
+          const {params} = props ?? {};
+
+          return  revokeAuthSessionsExceptCurrent(params,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RevokeAuthSessionsExceptCurrentMutationResult = NonNullable<Awaited<ReturnType<typeof revokeAuthSessionsExceptCurrent>>>
+    
+    export type RevokeAuthSessionsExceptCurrentMutationError = void
+
+    /**
+ * @summary Revoke all sessions for the caller except the current one
+ */
+export const useRevokeAuthSessionsExceptCurrent = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof revokeAuthSessionsExceptCurrent>>, TError,{params: RevokeAuthSessionsExceptCurrentParams}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof revokeAuthSessionsExceptCurrent>>,
+        TError,
+        {params: RevokeAuthSessionsExceptCurrentParams},
+        TContext
+      > => {
+
+      const mutationOptions = getRevokeAuthSessionsExceptCurrentMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Permission `auth.session.revoke`. Revoking your own session is
+always allowed (any authenticated caller); revoking another
+actor's session requires the same `auth.session.revoke`
+permission enforced at the rbacGate.
+
+ * @summary Revoke a specific session by ID
+ */
+export const revokeAuthSession = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/auth/sessions/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getRevokeAuthSessionMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof revokeAuthSession>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof revokeAuthSession>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['revokeAuthSession'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof revokeAuthSession>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  revokeAuthSession(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RevokeAuthSessionMutationResult = NonNullable<Awaited<ReturnType<typeof revokeAuthSession>>>
+    
+    export type RevokeAuthSessionMutationError = void
+
+    /**
+ * @summary Revoke a specific session by ID
+ */
+export const useRevokeAuthSession = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof revokeAuthSession>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof revokeAuthSession>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getRevokeAuthSessionMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/stats/stats.ts b/web/src/api/generated/stats/stats.ts
new file mode 100644
index 0000000..faeca87
--- /dev/null
+++ b/web/src/api/generated/stats/stats.ts
@@ -0,0 +1,511 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  DashboardSummary,
+  GetCertificatesByStatus200,
+  GetExpirationTimeline200,
+  GetExpirationTimelineParams,
+  GetIssuanceRate200,
+  GetIssuanceRateParams,
+  GetJobTrends200,
+  GetJobTrendsParams,
+  InternalErrorResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary Dashboard summary
+ */
+export const getDashboardSummary = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<DashboardSummary>(
+      {url: `/api/v1/stats/summary`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetDashboardSummaryQueryKey = () => {
+    return [
+    `/api/v1/stats/summary`
+    ] as const;
+    }
+
+    
+export const getGetDashboardSummaryQueryOptions = <TData = Awaited<ReturnType<typeof getDashboardSummary>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDashboardSummary>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetDashboardSummaryQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getDashboardSummary>>> = ({ signal }) => getDashboardSummary(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getDashboardSummary>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetDashboardSummaryQueryResult = NonNullable<Awaited<ReturnType<typeof getDashboardSummary>>>
+export type GetDashboardSummaryQueryError = InternalErrorResponse
+
+
+export function useGetDashboardSummary<TData = Awaited<ReturnType<typeof getDashboardSummary>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDashboardSummary>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDashboardSummary>>,
+          TError,
+          Awaited<ReturnType<typeof getDashboardSummary>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDashboardSummary<TData = Awaited<ReturnType<typeof getDashboardSummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDashboardSummary>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDashboardSummary>>,
+          TError,
+          Awaited<ReturnType<typeof getDashboardSummary>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDashboardSummary<TData = Awaited<ReturnType<typeof getDashboardSummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDashboardSummary>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Dashboard summary
+ */
+
+export function useGetDashboardSummary<TData = Awaited<ReturnType<typeof getDashboardSummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDashboardSummary>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetDashboardSummaryQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Certificate status breakdown
+ */
+export const getCertificatesByStatus = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetCertificatesByStatus200>(
+      {url: `/api/v1/stats/certificates-by-status`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetCertificatesByStatusQueryKey = () => {
+    return [
+    `/api/v1/stats/certificates-by-status`
+    ] as const;
+    }
+
+    
+export const getGetCertificatesByStatusQueryOptions = <TData = Awaited<ReturnType<typeof getCertificatesByStatus>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificatesByStatus>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetCertificatesByStatusQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getCertificatesByStatus>>> = ({ signal }) => getCertificatesByStatus(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getCertificatesByStatus>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetCertificatesByStatusQueryResult = NonNullable<Awaited<ReturnType<typeof getCertificatesByStatus>>>
+export type GetCertificatesByStatusQueryError = InternalErrorResponse
+
+
+export function useGetCertificatesByStatus<TData = Awaited<ReturnType<typeof getCertificatesByStatus>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificatesByStatus>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getCertificatesByStatus>>,
+          TError,
+          Awaited<ReturnType<typeof getCertificatesByStatus>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetCertificatesByStatus<TData = Awaited<ReturnType<typeof getCertificatesByStatus>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificatesByStatus>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getCertificatesByStatus>>,
+          TError,
+          Awaited<ReturnType<typeof getCertificatesByStatus>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetCertificatesByStatus<TData = Awaited<ReturnType<typeof getCertificatesByStatus>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificatesByStatus>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Certificate status breakdown
+ */
+
+export function useGetCertificatesByStatus<TData = Awaited<ReturnType<typeof getCertificatesByStatus>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getCertificatesByStatus>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetCertificatesByStatusQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Expiration timeline
+ */
+export const getExpirationTimeline = (
+    params?: GetExpirationTimelineParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetExpirationTimeline200>(
+      {url: `/api/v1/stats/expiration-timeline`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetExpirationTimelineQueryKey = (params?: GetExpirationTimelineParams,) => {
+    return [
+    `/api/v1/stats/expiration-timeline`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getGetExpirationTimelineQueryOptions = <TData = Awaited<ReturnType<typeof getExpirationTimeline>>, TError = InternalErrorResponse>(params?: GetExpirationTimelineParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getExpirationTimeline>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetExpirationTimelineQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getExpirationTimeline>>> = ({ signal }) => getExpirationTimeline(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getExpirationTimeline>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetExpirationTimelineQueryResult = NonNullable<Awaited<ReturnType<typeof getExpirationTimeline>>>
+export type GetExpirationTimelineQueryError = InternalErrorResponse
+
+
+export function useGetExpirationTimeline<TData = Awaited<ReturnType<typeof getExpirationTimeline>>, TError = InternalErrorResponse>(
+ params: undefined |  GetExpirationTimelineParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getExpirationTimeline>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getExpirationTimeline>>,
+          TError,
+          Awaited<ReturnType<typeof getExpirationTimeline>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetExpirationTimeline<TData = Awaited<ReturnType<typeof getExpirationTimeline>>, TError = InternalErrorResponse>(
+ params?: GetExpirationTimelineParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getExpirationTimeline>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getExpirationTimeline>>,
+          TError,
+          Awaited<ReturnType<typeof getExpirationTimeline>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetExpirationTimeline<TData = Awaited<ReturnType<typeof getExpirationTimeline>>, TError = InternalErrorResponse>(
+ params?: GetExpirationTimelineParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getExpirationTimeline>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Expiration timeline
+ */
+
+export function useGetExpirationTimeline<TData = Awaited<ReturnType<typeof getExpirationTimeline>>, TError = InternalErrorResponse>(
+ params?: GetExpirationTimelineParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getExpirationTimeline>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetExpirationTimelineQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Job success/failure trends
+ */
+export const getJobTrends = (
+    params?: GetJobTrendsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetJobTrends200>(
+      {url: `/api/v1/stats/job-trends`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetJobTrendsQueryKey = (params?: GetJobTrendsParams,) => {
+    return [
+    `/api/v1/stats/job-trends`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getGetJobTrendsQueryOptions = <TData = Awaited<ReturnType<typeof getJobTrends>>, TError = InternalErrorResponse>(params?: GetJobTrendsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJobTrends>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetJobTrendsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getJobTrends>>> = ({ signal }) => getJobTrends(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getJobTrends>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetJobTrendsQueryResult = NonNullable<Awaited<ReturnType<typeof getJobTrends>>>
+export type GetJobTrendsQueryError = InternalErrorResponse
+
+
+export function useGetJobTrends<TData = Awaited<ReturnType<typeof getJobTrends>>, TError = InternalErrorResponse>(
+ params: undefined |  GetJobTrendsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJobTrends>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getJobTrends>>,
+          TError,
+          Awaited<ReturnType<typeof getJobTrends>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetJobTrends<TData = Awaited<ReturnType<typeof getJobTrends>>, TError = InternalErrorResponse>(
+ params?: GetJobTrendsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJobTrends>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getJobTrends>>,
+          TError,
+          Awaited<ReturnType<typeof getJobTrends>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetJobTrends<TData = Awaited<ReturnType<typeof getJobTrends>>, TError = InternalErrorResponse>(
+ params?: GetJobTrendsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJobTrends>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Job success/failure trends
+ */
+
+export function useGetJobTrends<TData = Awaited<ReturnType<typeof getJobTrends>>, TError = InternalErrorResponse>(
+ params?: GetJobTrendsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJobTrends>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetJobTrendsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Certificate issuance rate
+ */
+export const getIssuanceRate = (
+    params?: GetIssuanceRateParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetIssuanceRate200>(
+      {url: `/api/v1/stats/issuance-rate`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetIssuanceRateQueryKey = (params?: GetIssuanceRateParams,) => {
+    return [
+    `/api/v1/stats/issuance-rate`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getGetIssuanceRateQueryOptions = <TData = Awaited<ReturnType<typeof getIssuanceRate>>, TError = InternalErrorResponse>(params?: GetIssuanceRateParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuanceRate>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetIssuanceRateQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getIssuanceRate>>> = ({ signal }) => getIssuanceRate(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getIssuanceRate>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetIssuanceRateQueryResult = NonNullable<Awaited<ReturnType<typeof getIssuanceRate>>>
+export type GetIssuanceRateQueryError = InternalErrorResponse
+
+
+export function useGetIssuanceRate<TData = Awaited<ReturnType<typeof getIssuanceRate>>, TError = InternalErrorResponse>(
+ params: undefined |  GetIssuanceRateParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuanceRate>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getIssuanceRate>>,
+          TError,
+          Awaited<ReturnType<typeof getIssuanceRate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetIssuanceRate<TData = Awaited<ReturnType<typeof getIssuanceRate>>, TError = InternalErrorResponse>(
+ params?: GetIssuanceRateParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuanceRate>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getIssuanceRate>>,
+          TError,
+          Awaited<ReturnType<typeof getIssuanceRate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetIssuanceRate<TData = Awaited<ReturnType<typeof getIssuanceRate>>, TError = InternalErrorResponse>(
+ params?: GetIssuanceRateParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuanceRate>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Certificate issuance rate
+ */
+
+export function useGetIssuanceRate<TData = Awaited<ReturnType<typeof getIssuanceRate>>, TError = InternalErrorResponse>(
+ params?: GetIssuanceRateParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuanceRate>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetIssuanceRateQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
diff --git a/web/src/api/generated/targets/targets.ts b/web/src/api/generated/targets/targets.ts
new file mode 100644
index 0000000..75f7031
--- /dev/null
+++ b/web/src/api/generated/targets/targets.ts
@@ -0,0 +1,492 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  DeploymentTarget,
+  InternalErrorResponse,
+  ListTargets200,
+  ListTargetsParams,
+  NotFoundResponse,
+  StatusMessageResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List targets
+ */
+export const listTargets = (
+    params?: ListTargetsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListTargets200>(
+      {url: `/api/v1/targets`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListTargetsQueryKey = (params?: ListTargetsParams,) => {
+    return [
+    `/api/v1/targets`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListTargetsQueryOptions = <TData = Awaited<ReturnType<typeof listTargets>>, TError = InternalErrorResponse>(params?: ListTargetsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listTargets>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListTargetsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listTargets>>> = ({ signal }) => listTargets(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listTargets>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListTargetsQueryResult = NonNullable<Awaited<ReturnType<typeof listTargets>>>
+export type ListTargetsQueryError = InternalErrorResponse
+
+
+export function useListTargets<TData = Awaited<ReturnType<typeof listTargets>>, TError = InternalErrorResponse>(
+ params: undefined |  ListTargetsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listTargets>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listTargets>>,
+          TError,
+          Awaited<ReturnType<typeof listTargets>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListTargets<TData = Awaited<ReturnType<typeof listTargets>>, TError = InternalErrorResponse>(
+ params?: ListTargetsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listTargets>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listTargets>>,
+          TError,
+          Awaited<ReturnType<typeof listTargets>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListTargets<TData = Awaited<ReturnType<typeof listTargets>>, TError = InternalErrorResponse>(
+ params?: ListTargetsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listTargets>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List targets
+ */
+
+export function useListTargets<TData = Awaited<ReturnType<typeof listTargets>>, TError = InternalErrorResponse>(
+ params?: ListTargetsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listTargets>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListTargetsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Create target
+ */
+export const createTarget = (
+    deploymentTarget: DeploymentTarget,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<DeploymentTarget>(
+      {url: `/api/v1/targets`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: deploymentTarget, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateTargetMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createTarget>>, TError,{data: DeploymentTarget}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createTarget>>, TError,{data: DeploymentTarget}, TContext> => {
+
+const mutationKey = ['createTarget'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createTarget>>, {data: DeploymentTarget}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createTarget(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateTargetMutationResult = NonNullable<Awaited<ReturnType<typeof createTarget>>>
+    export type CreateTargetMutationBody = DeploymentTarget
+    export type CreateTargetMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create target
+ */
+export const useCreateTarget = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createTarget>>, TError,{data: DeploymentTarget}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createTarget>>,
+        TError,
+        {data: DeploymentTarget},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateTargetMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Get target
+ */
+export const getTarget = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<DeploymentTarget>(
+      {url: `/api/v1/targets/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetTargetQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/targets/${id}`
+    ] as const;
+    }
+
+    
+export const getGetTargetQueryOptions = <TData = Awaited<ReturnType<typeof getTarget>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getTarget>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetTargetQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getTarget>>> = ({ signal }) => getTarget(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getTarget>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetTargetQueryResult = NonNullable<Awaited<ReturnType<typeof getTarget>>>
+export type GetTargetQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetTarget<TData = Awaited<ReturnType<typeof getTarget>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getTarget>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getTarget>>,
+          TError,
+          Awaited<ReturnType<typeof getTarget>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetTarget<TData = Awaited<ReturnType<typeof getTarget>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getTarget>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getTarget>>,
+          TError,
+          Awaited<ReturnType<typeof getTarget>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetTarget<TData = Awaited<ReturnType<typeof getTarget>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getTarget>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get target
+ */
+
+export function useGetTarget<TData = Awaited<ReturnType<typeof getTarget>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getTarget>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetTargetQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Update target
+ */
+export const updateTarget = (
+    id: string,
+    deploymentTarget: DeploymentTarget,
+ ) => {
+      
+      
+      return certctlFetch<DeploymentTarget>(
+      {url: `/api/v1/targets/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: deploymentTarget
+    },
+      );
+    }
+  
+
+
+export const getUpdateTargetMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateTarget>>, TError,{id: string;data: DeploymentTarget}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateTarget>>, TError,{id: string;data: DeploymentTarget}, TContext> => {
+
+const mutationKey = ['updateTarget'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateTarget>>, {id: string;data: DeploymentTarget}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateTarget(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateTargetMutationResult = NonNullable<Awaited<ReturnType<typeof updateTarget>>>
+    export type UpdateTargetMutationBody = DeploymentTarget
+    export type UpdateTargetMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Update target
+ */
+export const useUpdateTarget = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateTarget>>, TError,{id: string;data: DeploymentTarget}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateTarget>>,
+        TError,
+        {id: string;data: DeploymentTarget},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateTargetMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Delete target
+ */
+export const deleteTarget = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/targets/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteTargetMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteTarget>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteTarget>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteTarget'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteTarget>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteTarget(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteTargetMutationResult = NonNullable<Awaited<ReturnType<typeof deleteTarget>>>
+    
+    export type DeleteTargetMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete target
+ */
+export const useDeleteTarget = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteTarget>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteTarget>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteTargetMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Checks target connectivity by verifying the assigned agent's heartbeat status
+(agent reported within the last 5 minutes). Always returns HTTP 200 — the
+connectivity result is reflected in the response body's `status` field
+(`success` when the agent is reachable, `failed` otherwise).
+
+ * @summary Test target connection
+ */
+export const testTargetConnection = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusMessageResponse>(
+      {url: `/api/v1/targets/${id}/test`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getTestTargetConnectionMutationOptions = <TError = BadRequestResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof testTargetConnection>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof testTargetConnection>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['testTargetConnection'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof testTargetConnection>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  testTargetConnection(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type TestTargetConnectionMutationResult = NonNullable<Awaited<ReturnType<typeof testTargetConnection>>>
+    
+    export type TestTargetConnectionMutationError = BadRequestResponse
+
+    /**
+ * @summary Test target connection
+ */
+export const useTestTargetConnection = <TError = BadRequestResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof testTargetConnection>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof testTargetConnection>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getTestTargetConnectionMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/teams/teams.ts b/web/src/api/generated/teams/teams.ts
new file mode 100644
index 0000000..83a7a45
--- /dev/null
+++ b/web/src/api/generated/teams/teams.ts
@@ -0,0 +1,424 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  InternalErrorResponse,
+  ListTeams200,
+  ListTeamsParams,
+  NotFoundResponse,
+  Team
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List teams
+ */
+export const listTeams = (
+    params?: ListTeamsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListTeams200>(
+      {url: `/api/v1/teams`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListTeamsQueryKey = (params?: ListTeamsParams,) => {
+    return [
+    `/api/v1/teams`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListTeamsQueryOptions = <TData = Awaited<ReturnType<typeof listTeams>>, TError = InternalErrorResponse>(params?: ListTeamsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listTeams>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListTeamsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listTeams>>> = ({ signal }) => listTeams(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listTeams>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListTeamsQueryResult = NonNullable<Awaited<ReturnType<typeof listTeams>>>
+export type ListTeamsQueryError = InternalErrorResponse
+
+
+export function useListTeams<TData = Awaited<ReturnType<typeof listTeams>>, TError = InternalErrorResponse>(
+ params: undefined |  ListTeamsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listTeams>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listTeams>>,
+          TError,
+          Awaited<ReturnType<typeof listTeams>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListTeams<TData = Awaited<ReturnType<typeof listTeams>>, TError = InternalErrorResponse>(
+ params?: ListTeamsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listTeams>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listTeams>>,
+          TError,
+          Awaited<ReturnType<typeof listTeams>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListTeams<TData = Awaited<ReturnType<typeof listTeams>>, TError = InternalErrorResponse>(
+ params?: ListTeamsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listTeams>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List teams
+ */
+
+export function useListTeams<TData = Awaited<ReturnType<typeof listTeams>>, TError = InternalErrorResponse>(
+ params?: ListTeamsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listTeams>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListTeamsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Create team
+ */
+export const createTeam = (
+    team: Team,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Team>(
+      {url: `/api/v1/teams`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: team, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateTeamMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createTeam>>, TError,{data: Team}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createTeam>>, TError,{data: Team}, TContext> => {
+
+const mutationKey = ['createTeam'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createTeam>>, {data: Team}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createTeam(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateTeamMutationResult = NonNullable<Awaited<ReturnType<typeof createTeam>>>
+    export type CreateTeamMutationBody = Team
+    export type CreateTeamMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create team
+ */
+export const useCreateTeam = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createTeam>>, TError,{data: Team}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createTeam>>,
+        TError,
+        {data: Team},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateTeamMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Get team
+ */
+export const getTeam = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Team>(
+      {url: `/api/v1/teams/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetTeamQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/teams/${id}`
+    ] as const;
+    }
+
+    
+export const getGetTeamQueryOptions = <TData = Awaited<ReturnType<typeof getTeam>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getTeam>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetTeamQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getTeam>>> = ({ signal }) => getTeam(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getTeam>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetTeamQueryResult = NonNullable<Awaited<ReturnType<typeof getTeam>>>
+export type GetTeamQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetTeam<TData = Awaited<ReturnType<typeof getTeam>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getTeam>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getTeam>>,
+          TError,
+          Awaited<ReturnType<typeof getTeam>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetTeam<TData = Awaited<ReturnType<typeof getTeam>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getTeam>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getTeam>>,
+          TError,
+          Awaited<ReturnType<typeof getTeam>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetTeam<TData = Awaited<ReturnType<typeof getTeam>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getTeam>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get team
+ */
+
+export function useGetTeam<TData = Awaited<ReturnType<typeof getTeam>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getTeam>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetTeamQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Update team
+ */
+export const updateTeam = (
+    id: string,
+    team: Team,
+ ) => {
+      
+      
+      return certctlFetch<Team>(
+      {url: `/api/v1/teams/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: team
+    },
+      );
+    }
+  
+
+
+export const getUpdateTeamMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateTeam>>, TError,{id: string;data: Team}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateTeam>>, TError,{id: string;data: Team}, TContext> => {
+
+const mutationKey = ['updateTeam'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateTeam>>, {id: string;data: Team}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateTeam(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateTeamMutationResult = NonNullable<Awaited<ReturnType<typeof updateTeam>>>
+    export type UpdateTeamMutationBody = Team
+    export type UpdateTeamMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Update team
+ */
+export const useUpdateTeam = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateTeam>>, TError,{id: string;data: Team}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateTeam>>,
+        TError,
+        {id: string;data: Team},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateTeamMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Delete team
+ */
+export const deleteTeam = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/teams/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteTeamMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteTeam>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteTeam>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteTeam'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteTeam>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteTeam(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteTeamMutationResult = NonNullable<Awaited<ReturnType<typeof deleteTeam>>>
+    
+    export type DeleteTeamMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete team
+ */
+export const useDeleteTeam = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteTeam>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteTeam>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteTeamMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    
\ No newline at end of file
diff --git a/web/src/api/generated/verification/verification.ts b/web/src/api/generated/verification/verification.ts
new file mode 100644
index 0000000..0cc8388
--- /dev/null
+++ b/web/src/api/generated/verification/verification.ts
@@ -0,0 +1,213 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  InternalErrorResponse,
+  VerificationResult,
+  VerifyDeployment200,
+  VerifyDeploymentRequest
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Agents submit the result of probing a deployed certificate's live TLS endpoint.
+Compares the served certificate's SHA-256 fingerprint against the expected
+fingerprint. Best-effort: failures are recorded on the job but do not roll
+back the deployment.
+
+ * @summary Record post-deployment verification result
+ */
+export const verifyDeployment = (
+    id: string,
+    verifyDeploymentRequest: VerifyDeploymentRequest,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<VerifyDeployment200>(
+      {url: `/api/v1/jobs/${id}/verify`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: verifyDeploymentRequest, signal
+    },
+      );
+    }
+  
+
+
+export const getVerifyDeploymentMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof verifyDeployment>>, TError,{id: string;data: VerifyDeploymentRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof verifyDeployment>>, TError,{id: string;data: VerifyDeploymentRequest}, TContext> => {
+
+const mutationKey = ['verifyDeployment'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof verifyDeployment>>, {id: string;data: VerifyDeploymentRequest}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  verifyDeployment(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type VerifyDeploymentMutationResult = NonNullable<Awaited<ReturnType<typeof verifyDeployment>>>
+    export type VerifyDeploymentMutationBody = VerifyDeploymentRequest
+    export type VerifyDeploymentMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Record post-deployment verification result
+ */
+export const useVerifyDeployment = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof verifyDeployment>>, TError,{id: string;data: VerifyDeploymentRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof verifyDeployment>>,
+        TError,
+        {id: string;data: VerifyDeploymentRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getVerifyDeploymentMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns the stored verification result for a deployment job — expected
+and observed SHA-256 fingerprints, verified flag, and timestamp.
+
+ * @summary Get post-deployment verification status
+ */
+export const getJobVerification = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<VerificationResult>(
+      {url: `/api/v1/jobs/${id}/verification`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetJobVerificationQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/jobs/${id}/verification`
+    ] as const;
+    }
+
+    
+export const getGetJobVerificationQueryOptions = <TData = Awaited<ReturnType<typeof getJobVerification>>, TError = BadRequestResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJobVerification>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetJobVerificationQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getJobVerification>>> = ({ signal }) => getJobVerification(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getJobVerification>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetJobVerificationQueryResult = NonNullable<Awaited<ReturnType<typeof getJobVerification>>>
+export type GetJobVerificationQueryError = BadRequestResponse | InternalErrorResponse
+
+
+export function useGetJobVerification<TData = Awaited<ReturnType<typeof getJobVerification>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJobVerification>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getJobVerification>>,
+          TError,
+          Awaited<ReturnType<typeof getJobVerification>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetJobVerification<TData = Awaited<ReturnType<typeof getJobVerification>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJobVerification>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getJobVerification>>,
+          TError,
+          Awaited<ReturnType<typeof getJobVerification>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetJobVerification<TData = Awaited<ReturnType<typeof getJobVerification>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJobVerification>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get post-deployment verification status
+ */
+
+export function useGetJobVerification<TData = Awaited<ReturnType<typeof getJobVerification>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJobVerification>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetJobVerificationQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
diff --git a/web/src/api/mutator.ts b/web/src/api/mutator.ts
new file mode 100644
index 0000000..3487057
--- /dev/null
+++ b/web/src/api/mutator.ts
@@ -0,0 +1,85 @@
+// Copyright 2026 certctl LLC. All rights reserved.
+// SPDX-License-Identifier: BUSL-1.1
+//
+// ARCH-001-A closure (Sprint 5, 2026-05-16). Shared fetch mutator
+// referenced from web/orval.config.ts. Every generated useQuery /
+// useMutation hook routes through this function so we can wire
+// the existing hand-written client.ts auth / CSRF / event semantics
+// in one place instead of mirroring them across 162+ generated tools.
+//
+// The migration plan (per orval.config.ts header comment) is per-
+// consumer — pages flip from `client.ts` imports to `generated/`
+// imports one at a time; both styles share the same fetch semantics
+// because this mutator delegates to the same primitives.
+//
+// Key contracts this mutator preserves from the hand-written
+// `fetchJSON` in src/api/client.ts:
+//
+//   - `credentials: 'include'` so the session cookie flows.
+//   - CSRF-token header on state-changing methods (POST/PUT/PATCH/DELETE)
+//     reading from the auth context's CSRF surface.
+//   - 401 dispatches a `certctl:auth-required` CustomEvent that
+//     AuthProvider's listener consumes. Hotfix #19 (GitHub #13)
+//     unconditionally redirects to /login on this event.
+//   - AbortController support so React Query / generated hooks can
+//     cancel in-flight requests on unmount.
+//
+// The body shape is whatever the operation expects; orval threads
+// the input type through TypeScript so callers stay type-safe.
+
+import { fetchJSON } from './client';
+
+interface CertctlFetchOptions {
+  url: string;
+  method: 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE' | 'HEAD' | 'OPTIONS';
+  params?: Record<string, string | number | boolean | undefined | null>;
+  data?: unknown;
+  signal?: AbortSignal;
+  headers?: Record<string, string>;
+  // Orval emits `responseType` (e.g. 'blob' / 'text' / 'arraybuffer')
+  // for routes whose response shape isn't JSON — CRL / OCSP / cert
+  // downloads. fetchJSON ignores it today (those routes are excluded
+  // from MCP coverage for the same reason — they're binary). Accept
+  // the field so the generated tsc stays clean; consumers needing the
+  // raw bytes should reach for the hand-written client.ts API.
+  responseType?: 'json' | 'blob' | 'text' | 'arraybuffer' | 'stream';
+}
+
+/**
+ * certctlFetch is the orval-generated-hook shim that delegates to
+ * the existing hand-written fetchJSON. Generated hooks receive the
+ * deserialised JSON; on error they receive the rejected promise.
+ */
+export const certctlFetch = async <T>({
+  url,
+  method,
+  params,
+  data,
+  signal,
+  headers,
+}: CertctlFetchOptions): Promise<T> => {
+  // Build the URL with query params. Orval emits params separately
+  // from the path so we can serialise them consistently.
+  const u = new URL(url, window.location.origin);
+  if (params) {
+    for (const [k, v] of Object.entries(params)) {
+      if (v === undefined || v === null) continue;
+      u.searchParams.append(k, String(v));
+    }
+  }
+  // Strip the origin so fetchJSON's BASE-relative prefix logic works.
+  const pathAndQuery = `${u.pathname}${u.search}`;
+
+  const init: RequestInit = { method };
+  if (data !== undefined) {
+    init.body = typeof data === 'string' ? data : JSON.stringify(data);
+  }
+  if (signal) init.signal = signal;
+  if (headers) init.headers = headers;
+
+  return fetchJSON<T>(pathAndQuery, init);
+};
+
+// Orval's default export contract — the generated hooks import this
+// symbol by the name set in orval.config.ts `override.mutator.name`.
+export default certctlFetch;