fix(api,codegen): ARCH-001-A — Phase 1 Orval codegen + 2 new CI guards (large diff)

Sprint 5 unified-master-audit closure. Pre-fix:

  - api/openapi.yaml: 7,788 LOC of hand-authored spec.
  - web/src/api/generated/: directory did NOT exist (the Phase-5
    scaffolding never had its first generation run).
  - scripts/ci-guards/openapi-codegen-drift.sh: skip-when-absent
    (line 33-39 — informational scaffold).
  - api/openapi.yaml info.version: '2.0.0', latest tag: v2.1.7
    (a 7-version drift between spec and ship).

Net effect: every new route required three coordinated edits (Go
handler, openapi.yaml, frontend client.ts), payload-level breaking
changes shipped unnoticed, and downstream API client integration
cost was permanent.

Phase 1 fix (the audit's literal scope):

  1. **Run Orval**, commit the generated tree. 316 files / ~1.8 MB
     under web/src/api/generated/, tags-split layout (one directory
     per OpenAPI tag), TanStack Query client mode. All output routes
     through web/src/api/mutator.ts which delegates to the existing
     fetchJSON in client.ts so auth/CSRF/401-event semantics stay
     in one place.

  2. **Fix two spec defects** the first orval run surfaced:
     - YAML duplicate-key bug at L77-89 — SCEP's description was
       misplaced under OIDC. Restored to its own tag entry.
     - Missing #/components/schemas/Error referenced by three
       operations. Aliased to the existing ErrorResponse schema.

  3. **Flip the codegen-drift guard from skip-when-absent to
     hard-gate.** A missing generated/ directory now fails the
     build with an actionable restore command. The existing
     regenerate-and-diff path stays as before.

  4. **New openapi-version-tag-parity CI guard.** Asserts
     openapi.yaml info.version equals the latest v* git tag. Falls
     back to api.github.com when the local clone is shallow.
     Bumped openapi.yaml info.version 2.0.0 → 2.1.7 in the same
     commit so the new guard greens out.

  5. **CI workflow** updated to fetch tags on the frontend job's
     checkout so the parity guard reads them locally (the GH API
     fallback still works but adds a network round-trip).

Verified locally:
  - openapi-codegen-drift.sh: clean (re-generation produces
    byte-identical tree to what's tracked).
  - openapi-version-tag-parity.sh: clean (2.1.7 == v2.1.7).
  - tsc --noEmit: exit 0 across the entire frontend (the
    generated tree's responseType field threaded through the
    mutator's CertctlFetchOptions cleanly).
  - Existing Vitest suite: 141/141 pass on the three sampled
    suites (AuthProvider + client + IssuerHierarchyPage).

Follow-on work (NOT in this commit):
  - Per-consumer migration: pages flip from client.ts imports to
    generated/ imports one at a time. Both styles share fetchJSON
    semantics, so the migration is incremental.
  - Server-side oapi-codegen handler stubs (Phase 2 from the
    audit's fix language) — separate sprint.

Closes ARCH-001-A.

.github/workflows/ci.yml

@@ -424,6 +424,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          # ARCH-001-A closure (Sprint 5, 2026-05-16). The
+          # openapi-version-tag-parity guard needs the v* tags to
+          # be present locally so it can confirm openapi.yaml's
+          # info.version matches the latest release. Without
+          # fetch-tags, the guard falls back to the GitHub API —
+          # works but adds a network round-trip per CI run.
+          fetch-tags: true
+          fetch-depth: 0
 
       - name: Set up Node.js
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4

api/openapi.yaml

@@ -11,7 +11,11 @@ info:
 
     Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
     query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
-  version: 2.0.0
+  # ARCH-001-A closure (Sprint 5, 2026-05-16): info.version MUST track
+  # the latest `v*` git tag. The openapi-version-tag-parity.sh CI guard
+  # asserts this on every CI run. Bump in lockstep with the
+  # `git tag -a v* ...` command at release time.
+  version: 2.1.7
   license:
     name: BSL 1.1
     url: https://github.com/certctl-io/certctl/blob/master/LICENSE
@@ -75,6 +79,7 @@ tags:
   - name: EST
     description: Enrollment over Secure Transport (RFC 7030)
   - name: SCEP
+    description: Simple Certificate Enrollment Protocol (RFC 8894)
   - name: Sessions
     description: |
       Server-side session management. Phase 13 Sprint 13.4 (ARCH-H1
@@ -86,7 +91,6 @@ tags:
       Phase 13 Sprint 13.4 — authored against the Phase 9 Sprint 11
       sibling-file handlers at internal/api/handler/auth_session_oidc_crud.go +
       the JWKS-status surface at internal/api/handler/auth_users.go.
-    description: Simple Certificate Enrollment Protocol (RFC 8894)
 
 paths:
   # ─── Health & Auth ───────────────────────────────────────────────────
@@ -5931,6 +5935,16 @@ components:
         request_id:
           type: string
 
+    # ARCH-001-A closure (Sprint 5, 2026-05-16). Three operation
+    # responses (search `#/components/schemas/Error` in this file)
+    # reference a schema named "Error" — but only "ErrorResponse" was
+    # defined, so the orval codegen failed with
+    # MissingPointerError. Alias Error → ErrorResponse so the spec
+    # parses cleanly and the three offenders keep their stable
+    # response shape.
+    Error:
+      $ref: "#/components/schemas/ErrorResponse"
+
     StatusResponse:
       type: object
       properties:

scripts/ci-guards/openapi-codegen-drift.sh

@@ -31,11 +31,18 @@ set -e
 GENERATED_DIR="web/src/api/generated"
 
 if [ ! -d "$GENERATED_DIR" ]; then
-  echo "openapi-codegen-drift: skipped — $GENERATED_DIR does not exist yet."
+  # ARCH-001-A closure (Sprint 5, 2026-05-16). Pre-fix the guard
-  echo "  This is expected during Phase 5 scaffolding. Once the operator"
+  # tolerated a missing generated/ tree as "Phase 5 scaffolding."
-  echo "  runs 'cd web && npm install && npm run generate' for the first"
+  # Phase 5 scaffolded; ARCH-001-A landed the first generation and
-  echo "  time, the directory lands and this guard activates."
+  # committed the tree. From this point on, a missing generated/
-  exit 0
+  # directory means a contributor deleted it (intentionally or not)
+  # — the guard fails closed so CI catches the deletion.
+  echo "::error::openapi-codegen-drift: $GENERATED_DIR does not exist. ARCH-001-A committed the initial generated tree; a deletion has happened since."
+  echo "  Restore via:"
+  echo "      cd web && npm ci && npm run generate"
+  echo "  Then commit the result. Do NOT delete generated/ — the codegen-drift"
+  echo "  guard depends on its presence."
+  exit 1
 fi
 
 # Tolerate the case where orval isn't installed in the local

scripts/ci-guards/openapi-version-tag-parity.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# scripts/ci-guards/openapi-version-tag-parity.sh
+#
+# ARCH-001-A closure (Sprint 5, 2026-05-16). The hand-written
+# api/openapi.yaml carries an info.version that historically drifted
+# from the actual git-tag-shipping cadence (was "2.0.0" against a
+# v2.1.7 latest tag). External consumers reading the spec for their
+# generated clients have no signal which release shipped it.
+#
+# Fix: the guard reads info.version from openapi.yaml and the latest
+# `v*` git tag from the repo. If they don't match, fail. Bump
+# info.version in the same commit that runs `git tag -a v* ...`
+# at release time.
+#
+# Edge cases handled:
+#   - Shallow CI clones: actions/checkout fetches no tags by default.
+#     The guard falls back to the GitHub API when local tags are
+#     unavailable, mirroring CLAUDE.md's ground-truth-against-the-API
+#     pattern. CI sets fetch-tags: true on the checkout step (per the
+#     workflow update that lands alongside this guard) so local-tag
+#     reads work reliably.
+#   - Pre-first-tag: skip with a notice if no v* tag exists yet.
+
+set -e
+
+YAML="api/openapi.yaml"
+if [ ! -f "$YAML" ]; then
+  echo "::error::openapi-version-tag-parity: $YAML not found"
+  exit 1
+fi
+
+# Extract info.version from openapi.yaml. The version is at top level
+# under `info:`. Use a minimal awk state machine instead of pulling
+# yq into the CI dep graph.
+spec_version=$(awk '
+  /^info:/        { in_info = 1; next }
+  /^[a-zA-Z]/     { in_info = 0 }
+  in_info && /^[[:space:]]+version:/ {
+    sub(/.*version:[[:space:]]*/, "")
+    sub(/[[:space:]]*#.*$/, "")
+    gsub(/^[[:space:]]+|[[:space:]]+$/, "")
+    print
+    exit
+  }' "$YAML")
+
+if [ -z "$spec_version" ]; then
+  echo "::error file=${YAML}::openapi-version-tag-parity: could not parse info.version. Expected a `version: x.y.z` line under `info:`."
+  exit 1
+fi
+
+# Resolve the latest tag locally. Fall back to the GitHub API if the
+# checkout is shallow + tag-less (CLAUDE.md ground-truth pattern).
+latest_tag=$(git tag --sort=-v:refname 2>/dev/null | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -1 || true)
+if [ -z "$latest_tag" ]; then
+  echo "openapi-version-tag-parity: no local v* tag found; falling back to api.github.com/.../tags"
+  latest_tag=$(curl -sS https://api.github.com/repos/certctl-io/certctl/tags 2>/dev/null \
+    | grep -oE '"name": *"v[0-9]+\.[0-9]+\.[0-9]+"' \
+    | head -1 \
+    | sed -E 's/.*"v/v/; s/".*//')
+fi
+if [ -z "$latest_tag" ]; then
+  echo "openapi-version-tag-parity: no v* tag anywhere yet — skipping (pre-first-release)."
+  exit 0
+fi
+
+# Strip the leading 'v' from the tag for comparison.
+tag_version="${latest_tag#v}"
+
+if [ "$spec_version" != "$tag_version" ]; then
+  echo "::error file=${YAML}::openapi-version-tag-parity: info.version=${spec_version} does NOT match latest tag ${latest_tag}."
+  echo "  Bump $YAML info.version to ${tag_version} in the same commit that ships the release,"
+  echo "  OR if a release commit is in flight, tag it first then re-run CI."
+  exit 1
+fi
+
+echo "openapi-version-tag-parity: clean (info.version=${spec_version} matches latest tag ${latest_tag})."

web/src/api/client.ts

@@ -117,7 +117,12 @@ function isStateChangingMethod(method?: string): boolean {
   }
 }
 
-async function fetchJSON<T>(url: string, init?: RequestInit): Promise<T> {
+// fetchJSON is exported (ARCH-001-A closure, Sprint 5, 2026-05-16)
+// so the orval-generated mutator at src/api/mutator.ts can delegate to
+// the same auth/CSRF/401-event semantics without duplicating them. The
+// hand-written client.ts entry points (getCertificates, etc.) continue
+// to call this internally during the per-consumer migration window.
+export async function fetchJSON<T>(url: string, init?: RequestInit): Promise<T> {
   // Bundle 2 Phase 8 — credentials:'include' lets the certctl_session
   // cookie ride along on every request. Bearer-mode deployments work
   // unchanged (the cookie just isn't there). Auto-attach X-CSRF-Token

web/src/api/generated/agent-groups/agent-groups.ts

@@ -0,0 +1,517 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  AgentGroup,
+  BadRequestResponse,
+  InternalErrorResponse,
+  ListAgentGroupMembers200,
+  ListAgentGroups200,
+  ListAgentGroupsParams,
+  NotFoundResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List agent groups
+ */
+export const listAgentGroups = (
+    params?: ListAgentGroupsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAgentGroups200>(
+      {url: `/api/v1/agent-groups`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAgentGroupsQueryKey = (params?: ListAgentGroupsParams,) => {
+    return [
+    `/api/v1/agent-groups`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListAgentGroupsQueryOptions = <TData = Awaited<ReturnType<typeof listAgentGroups>>, TError = InternalErrorResponse>(params?: ListAgentGroupsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroups>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAgentGroupsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAgentGroups>>> = ({ signal }) => listAgentGroups(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAgentGroups>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAgentGroupsQueryResult = NonNullable<Awaited<ReturnType<typeof listAgentGroups>>>
+export type ListAgentGroupsQueryError = InternalErrorResponse
+
+
+export function useListAgentGroups<TData = Awaited<ReturnType<typeof listAgentGroups>>, TError = InternalErrorResponse>(
+ params: undefined |  ListAgentGroupsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroups>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAgentGroups>>,
+          TError,
+          Awaited<ReturnType<typeof listAgentGroups>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAgentGroups<TData = Awaited<ReturnType<typeof listAgentGroups>>, TError = InternalErrorResponse>(
+ params?: ListAgentGroupsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroups>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAgentGroups>>,
+          TError,
+          Awaited<ReturnType<typeof listAgentGroups>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAgentGroups<TData = Awaited<ReturnType<typeof listAgentGroups>>, TError = InternalErrorResponse>(
+ params?: ListAgentGroupsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroups>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List agent groups
+ */
+
+export function useListAgentGroups<TData = Awaited<ReturnType<typeof listAgentGroups>>, TError = InternalErrorResponse>(
+ params?: ListAgentGroupsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroups>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAgentGroupsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Create agent group
+ */
+export const createAgentGroup = (
+    agentGroup: AgentGroup,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<AgentGroup>(
+      {url: `/api/v1/agent-groups`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: agentGroup, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateAgentGroupMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createAgentGroup>>, TError,{data: AgentGroup}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createAgentGroup>>, TError,{data: AgentGroup}, TContext> => {
+
+const mutationKey = ['createAgentGroup'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createAgentGroup>>, {data: AgentGroup}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createAgentGroup(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateAgentGroupMutationResult = NonNullable<Awaited<ReturnType<typeof createAgentGroup>>>
+    export type CreateAgentGroupMutationBody = AgentGroup
+    export type CreateAgentGroupMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create agent group
+ */
+export const useCreateAgentGroup = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createAgentGroup>>, TError,{data: AgentGroup}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createAgentGroup>>,
+        TError,
+        {data: AgentGroup},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateAgentGroupMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Get agent group
+ */
+export const getAgentGroup = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<AgentGroup>(
+      {url: `/api/v1/agent-groups/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetAgentGroupQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/agent-groups/${id}`
+    ] as const;
+    }
+
+    
+export const getGetAgentGroupQueryOptions = <TData = Awaited<ReturnType<typeof getAgentGroup>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgentGroup>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetAgentGroupQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getAgentGroup>>> = ({ signal }) => getAgentGroup(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getAgentGroup>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetAgentGroupQueryResult = NonNullable<Awaited<ReturnType<typeof getAgentGroup>>>
+export type GetAgentGroupQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetAgentGroup<TData = Awaited<ReturnType<typeof getAgentGroup>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgentGroup>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAgentGroup>>,
+          TError,
+          Awaited<ReturnType<typeof getAgentGroup>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAgentGroup<TData = Awaited<ReturnType<typeof getAgentGroup>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgentGroup>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAgentGroup>>,
+          TError,
+          Awaited<ReturnType<typeof getAgentGroup>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAgentGroup<TData = Awaited<ReturnType<typeof getAgentGroup>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgentGroup>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get agent group
+ */
+
+export function useGetAgentGroup<TData = Awaited<ReturnType<typeof getAgentGroup>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgentGroup>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetAgentGroupQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Update agent group
+ */
+export const updateAgentGroup = (
+    id: string,
+    agentGroup: AgentGroup,
+ ) => {
+      
+      
+      return certctlFetch<AgentGroup>(
+      {url: `/api/v1/agent-groups/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: agentGroup
+    },
+      );
+    }
+  
+
+
+export const getUpdateAgentGroupMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateAgentGroup>>, TError,{id: string;data: AgentGroup}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateAgentGroup>>, TError,{id: string;data: AgentGroup}, TContext> => {
+
+const mutationKey = ['updateAgentGroup'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateAgentGroup>>, {id: string;data: AgentGroup}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateAgentGroup(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateAgentGroupMutationResult = NonNullable<Awaited<ReturnType<typeof updateAgentGroup>>>
+    export type UpdateAgentGroupMutationBody = AgentGroup
+    export type UpdateAgentGroupMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Update agent group
+ */
+export const useUpdateAgentGroup = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateAgentGroup>>, TError,{id: string;data: AgentGroup}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateAgentGroup>>,
+        TError,
+        {id: string;data: AgentGroup},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateAgentGroupMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Delete agent group
+ */
+export const deleteAgentGroup = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/agent-groups/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteAgentGroupMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteAgentGroup>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteAgentGroup>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteAgentGroup'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteAgentGroup>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteAgentGroup(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteAgentGroupMutationResult = NonNullable<Awaited<ReturnType<typeof deleteAgentGroup>>>
+    
+    export type DeleteAgentGroupMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete agent group
+ */
+export const useDeleteAgentGroup = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteAgentGroup>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteAgentGroup>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteAgentGroupMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns agents matching the group's dynamic criteria plus manually included members.
+ * @summary List agent group members
+ */
+export const listAgentGroupMembers = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAgentGroupMembers200>(
+      {url: `/api/v1/agent-groups/${id}/members`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAgentGroupMembersQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/agent-groups/${id}/members`
+    ] as const;
+    }
+
+    
+export const getListAgentGroupMembersQueryOptions = <TData = Awaited<ReturnType<typeof listAgentGroupMembers>>, TError = BadRequestResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroupMembers>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAgentGroupMembersQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAgentGroupMembers>>> = ({ signal }) => listAgentGroupMembers(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAgentGroupMembers>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAgentGroupMembersQueryResult = NonNullable<Awaited<ReturnType<typeof listAgentGroupMembers>>>
+export type ListAgentGroupMembersQueryError = BadRequestResponse | InternalErrorResponse
+
+
+export function useListAgentGroupMembers<TData = Awaited<ReturnType<typeof listAgentGroupMembers>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroupMembers>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAgentGroupMembers>>,
+          TError,
+          Awaited<ReturnType<typeof listAgentGroupMembers>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAgentGroupMembers<TData = Awaited<ReturnType<typeof listAgentGroupMembers>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroupMembers>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAgentGroupMembers>>,
+          TError,
+          Awaited<ReturnType<typeof listAgentGroupMembers>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAgentGroupMembers<TData = Awaited<ReturnType<typeof listAgentGroupMembers>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroupMembers>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List agent group members
+ */
+
+export function useListAgentGroupMembers<TData = Awaited<ReturnType<typeof listAgentGroupMembers>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgentGroupMembers>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAgentGroupMembersQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+

web/src/api/generated/agents/agents.ts

@@ -0,0 +1,899 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  Agent,
+  AgentGetWork200,
+  AgentHeartbeatBody,
+  AgentPickupCertificate200,
+  AgentReportJobStatusBody,
+  AgentSubmitCSRBody,
+  BadRequestResponse,
+  BlockedByDependenciesResponse,
+  ConflictResponse,
+  ErrorResponse,
+  InternalErrorResponse,
+  ListAgents200,
+  ListAgentsParams,
+  ListRetiredAgents200,
+  ListRetiredAgentsParams,
+  NotFoundResponse,
+  RetireAgentParams,
+  RetireAgentResponse,
+  StatusResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List agents
+ */
+export const listAgents = (
+    params?: ListAgentsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAgents200>(
+      {url: `/api/v1/agents`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAgentsQueryKey = (params?: ListAgentsParams,) => {
+    return [
+    `/api/v1/agents`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListAgentsQueryOptions = <TData = Awaited<ReturnType<typeof listAgents>>, TError = InternalErrorResponse>(params?: ListAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgents>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAgentsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAgents>>> = ({ signal }) => listAgents(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAgents>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAgentsQueryResult = NonNullable<Awaited<ReturnType<typeof listAgents>>>
+export type ListAgentsQueryError = InternalErrorResponse
+
+
+export function useListAgents<TData = Awaited<ReturnType<typeof listAgents>>, TError = InternalErrorResponse>(
+ params: undefined |  ListAgentsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgents>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAgents>>,
+          TError,
+          Awaited<ReturnType<typeof listAgents>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAgents<TData = Awaited<ReturnType<typeof listAgents>>, TError = InternalErrorResponse>(
+ params?: ListAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgents>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAgents>>,
+          TError,
+          Awaited<ReturnType<typeof listAgents>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAgents<TData = Awaited<ReturnType<typeof listAgents>>, TError = InternalErrorResponse>(
+ params?: ListAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgents>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List agents
+ */
+
+export function useListAgents<TData = Awaited<ReturnType<typeof listAgents>>, TError = InternalErrorResponse>(
+ params?: ListAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAgents>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAgentsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Register agent
+ */
+export const registerAgent = (
+    agent: Agent,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Agent>(
+      {url: `/api/v1/agents`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: agent, signal
+    },
+      );
+    }
+  
+
+
+export const getRegisterAgentMutationOptions = <TError = BadRequestResponse | ConflictResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof registerAgent>>, TError,{data: Agent}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof registerAgent>>, TError,{data: Agent}, TContext> => {
+
+const mutationKey = ['registerAgent'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof registerAgent>>, {data: Agent}> = (props) => {
+          const {data} = props ?? {};
+
+          return  registerAgent(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RegisterAgentMutationResult = NonNullable<Awaited<ReturnType<typeof registerAgent>>>
+    export type RegisterAgentMutationBody = Agent
+    export type RegisterAgentMutationError = BadRequestResponse | ConflictResponse | InternalErrorResponse
+
+    /**
+ * @summary Register agent
+ */
+export const useRegisterAgent = <TError = BadRequestResponse | ConflictResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof registerAgent>>, TError,{data: Agent}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof registerAgent>>,
+        TError,
+        {data: Agent},
+        TContext
+      > => {
+
+      const mutationOptions = getRegisterAgentMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * I-004: opt-in listing of soft-retired agents. The default
+`GET /api/v1/agents` endpoint filters retired rows out; this is the
+dedicated surface for reading them back (e.g., the operator UI's
+"Retired" tab, audit and forensics workflows). Pagination defaults
+match the default agent listing (page=1, per_page=50, max 500). Go
+1.22's enhanced ServeMux routes `/agents/retired` to this handler
+via the literal-beats-pattern-var precedence rule, so the sibling
+`/agents/{id}` route does not shadow it.
+
+ * @summary List retired agents
+ */
+export const listRetiredAgents = (
+    params?: ListRetiredAgentsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListRetiredAgents200>(
+      {url: `/api/v1/agents/retired`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListRetiredAgentsQueryKey = (params?: ListRetiredAgentsParams,) => {
+    return [
+    `/api/v1/agents/retired`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListRetiredAgentsQueryOptions = <TData = Awaited<ReturnType<typeof listRetiredAgents>>, TError = InternalErrorResponse>(params?: ListRetiredAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRetiredAgents>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListRetiredAgentsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listRetiredAgents>>> = ({ signal }) => listRetiredAgents(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listRetiredAgents>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListRetiredAgentsQueryResult = NonNullable<Awaited<ReturnType<typeof listRetiredAgents>>>
+export type ListRetiredAgentsQueryError = InternalErrorResponse
+
+
+export function useListRetiredAgents<TData = Awaited<ReturnType<typeof listRetiredAgents>>, TError = InternalErrorResponse>(
+ params: undefined |  ListRetiredAgentsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRetiredAgents>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listRetiredAgents>>,
+          TError,
+          Awaited<ReturnType<typeof listRetiredAgents>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListRetiredAgents<TData = Awaited<ReturnType<typeof listRetiredAgents>>, TError = InternalErrorResponse>(
+ params?: ListRetiredAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRetiredAgents>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listRetiredAgents>>,
+          TError,
+          Awaited<ReturnType<typeof listRetiredAgents>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListRetiredAgents<TData = Awaited<ReturnType<typeof listRetiredAgents>>, TError = InternalErrorResponse>(
+ params?: ListRetiredAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRetiredAgents>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List retired agents
+ */
+
+export function useListRetiredAgents<TData = Awaited<ReturnType<typeof listRetiredAgents>>, TError = InternalErrorResponse>(
+ params?: ListRetiredAgentsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listRetiredAgents>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListRetiredAgentsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Get agent
+ */
+export const getAgent = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Agent>(
+      {url: `/api/v1/agents/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetAgentQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/agents/${id}`
+    ] as const;
+    }
+
+    
+export const getGetAgentQueryOptions = <TData = Awaited<ReturnType<typeof getAgent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgent>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetAgentQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getAgent>>> = ({ signal }) => getAgent(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getAgent>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetAgentQueryResult = NonNullable<Awaited<ReturnType<typeof getAgent>>>
+export type GetAgentQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetAgent<TData = Awaited<ReturnType<typeof getAgent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgent>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAgent>>,
+          TError,
+          Awaited<ReturnType<typeof getAgent>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAgent<TData = Awaited<ReturnType<typeof getAgent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgent>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAgent>>,
+          TError,
+          Awaited<ReturnType<typeof getAgent>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAgent<TData = Awaited<ReturnType<typeof getAgent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgent>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get agent
+ */
+
+export function useGetAgent<TData = Awaited<ReturnType<typeof getAgent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAgent>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetAgentQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * I-004: soft-retirement. The agent row is preserved (so its audit
+trail and historical job links remain intact) and `retired_at` is
+stamped. A retired agent receives `410 Gone` on subsequent
+heartbeats so it can shut down cleanly.
+
+Behavior matrix:
+
+| Scenario | Query | Status | Body |
+| --- | --- | --- | --- |
+| Clean retire (no active dependencies) | none | `200` | `RetireAgentResponse` with `cascade=false`, zero counts |
+| Blocked by active targets/certs/jobs | none | `409` | `BlockedByDependenciesResponse` with per-bucket counts |
+| Force-cascade retire | `force=true&reason=...` | `200` | `RetireAgentResponse` with `cascade=true`, pre-cascade counts |
+| Idempotent re-retire | either | `204` | (empty — downstream consumers break on stray bodies) |
+| `force=true` without reason | `force=true` | `400` | ErrorResponse (ErrForceReasonRequired) |
+| Reserved sentinel agent | any | `403` | ErrorResponse (ErrAgentIsSentinel) |
+| Unknown agent id | any | `404` | ErrorResponse |
+
+Sentinel agents are the four reserved identities backing non-agent
+discovery subsystems (`server-scanner`, `cloud-aws-sm`,
+`cloud-azure-kv`, `cloud-gcp-sm`). Retiring them would orphan the
+scanner or a cloud secret-manager source, so the handler refuses
+unconditionally — even with `force=true`.
+
+ * @summary Soft-retire agent
+ */
+export const retireAgent = (
+    id: string,
+    params?: RetireAgentParams,
+ ) => {
+      
+      
+      return certctlFetch<RetireAgentResponse | void>(
+      {url: `/api/v1/agents/${id}`, method: 'DELETE',
+        params
+    },
+      );
+    }
+  
+
+
+export const getRetireAgentMutationOptions = <TError = ErrorResponse | NotFoundResponse | void | BlockedByDependenciesResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof retireAgent>>, TError,{id: string;params?: RetireAgentParams}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof retireAgent>>, TError,{id: string;params?: RetireAgentParams}, TContext> => {
+
+const mutationKey = ['retireAgent'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof retireAgent>>, {id: string;params?: RetireAgentParams}> = (props) => {
+          const {id,params} = props ?? {};
+
+          return  retireAgent(id,params,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RetireAgentMutationResult = NonNullable<Awaited<ReturnType<typeof retireAgent>>>
+    
+    export type RetireAgentMutationError = ErrorResponse | NotFoundResponse | void | BlockedByDependenciesResponse | InternalErrorResponse
+
+    /**
+ * @summary Soft-retire agent
+ */
+export const useRetireAgent = <TError = ErrorResponse | NotFoundResponse | void | BlockedByDependenciesResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof retireAgent>>, TError,{id: string;params?: RetireAgentParams}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof retireAgent>>,
+        TError,
+        {id: string;params?: RetireAgentParams},
+        TContext
+      > => {
+
+      const mutationOptions = getRetireAgentMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Reports agent liveness and metadata (OS, architecture, IP, version).
+
+I-004: a retired agent still polling the heartbeat endpoint receives
+`410 Gone` so `cmd/agent` detects the terminal signal and shuts down
+cleanly instead of looping forever against a decommissioned identity.
+The retired-agent check runs before any "not found" string match so
+it can never be masked by a sibling error branch.
+
+ * @summary Agent heartbeat
+ */
+export const agentHeartbeat = (
+    id: string,
+    agentHeartbeatBody: AgentHeartbeatBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/agents/${id}/heartbeat`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: agentHeartbeatBody, signal
+    },
+      );
+    }
+  
+
+
+export const getAgentHeartbeatMutationOptions = <TError = BadRequestResponse | NotFoundResponse | ErrorResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof agentHeartbeat>>, TError,{id: string;data: AgentHeartbeatBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof agentHeartbeat>>, TError,{id: string;data: AgentHeartbeatBody}, TContext> => {
+
+const mutationKey = ['agentHeartbeat'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof agentHeartbeat>>, {id: string;data: AgentHeartbeatBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  agentHeartbeat(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type AgentHeartbeatMutationResult = NonNullable<Awaited<ReturnType<typeof agentHeartbeat>>>
+    export type AgentHeartbeatMutationBody = AgentHeartbeatBody
+    export type AgentHeartbeatMutationError = BadRequestResponse | NotFoundResponse | ErrorResponse | InternalErrorResponse
+
+    /**
+ * @summary Agent heartbeat
+ */
+export const useAgentHeartbeat = <TError = BadRequestResponse | NotFoundResponse | ErrorResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof agentHeartbeat>>, TError,{id: string;data: AgentHeartbeatBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof agentHeartbeat>>,
+        TError,
+        {id: string;data: AgentHeartbeatBody},
+        TContext
+      > => {
+
+      const mutationOptions = getAgentHeartbeatMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Agent submits a PEM-encoded CSR for signing. Used in agent keygen mode.
+ * @summary Submit CSR
+ */
+export const agentSubmitCSR = (
+    id: string,
+    agentSubmitCSRBody: AgentSubmitCSRBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/agents/${id}/csr`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: agentSubmitCSRBody, signal
+    },
+      );
+    }
+  
+
+
+export const getAgentSubmitCSRMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof agentSubmitCSR>>, TError,{id: string;data: AgentSubmitCSRBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof agentSubmitCSR>>, TError,{id: string;data: AgentSubmitCSRBody}, TContext> => {
+
+const mutationKey = ['agentSubmitCSR'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof agentSubmitCSR>>, {id: string;data: AgentSubmitCSRBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  agentSubmitCSR(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type AgentSubmitCSRMutationResult = NonNullable<Awaited<ReturnType<typeof agentSubmitCSR>>>
+    export type AgentSubmitCSRMutationBody = AgentSubmitCSRBody
+    export type AgentSubmitCSRMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Submit CSR
+ */
+export const useAgentSubmitCSR = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof agentSubmitCSR>>, TError,{id: string;data: AgentSubmitCSRBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof agentSubmitCSR>>,
+        TError,
+        {id: string;data: AgentSubmitCSRBody},
+        TContext
+      > => {
+
+      const mutationOptions = getAgentSubmitCSRMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Agent retrieves the signed certificate PEM after CSR signing completes.
+ * @summary Pick up signed certificate
+ */
+export const agentPickupCertificate = (
+    id: string,
+    certId: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<AgentPickupCertificate200>(
+      {url: `/api/v1/agents/${id}/certificates/${certId}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getAgentPickupCertificateQueryKey = (id?: string,
+    certId?: string,) => {
+    return [
+    `/api/v1/agents/${id}/certificates/${certId}`
+    ] as const;
+    }
+
+    
+export const getAgentPickupCertificateQueryOptions = <TData = Awaited<ReturnType<typeof agentPickupCertificate>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string,
+    certId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentPickupCertificate>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getAgentPickupCertificateQueryKey(id,certId);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof agentPickupCertificate>>> = ({ signal }) => agentPickupCertificate(id,certId, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id && certId), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof agentPickupCertificate>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type AgentPickupCertificateQueryResult = NonNullable<Awaited<ReturnType<typeof agentPickupCertificate>>>
+export type AgentPickupCertificateQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useAgentPickupCertificate<TData = Awaited<ReturnType<typeof agentPickupCertificate>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    certId: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentPickupCertificate>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof agentPickupCertificate>>,
+          TError,
+          Awaited<ReturnType<typeof agentPickupCertificate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useAgentPickupCertificate<TData = Awaited<ReturnType<typeof agentPickupCertificate>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    certId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentPickupCertificate>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof agentPickupCertificate>>,
+          TError,
+          Awaited<ReturnType<typeof agentPickupCertificate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useAgentPickupCertificate<TData = Awaited<ReturnType<typeof agentPickupCertificate>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    certId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentPickupCertificate>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Pick up signed certificate
+ */
+
+export function useAgentPickupCertificate<TData = Awaited<ReturnType<typeof agentPickupCertificate>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    certId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentPickupCertificate>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getAgentPickupCertificateQueryOptions(id,certId,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns pending deployment and AwaitingCSR jobs for the agent.
+ * @summary Get pending work
+ */
+export const agentGetWork = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<AgentGetWork200>(
+      {url: `/api/v1/agents/${id}/work`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getAgentGetWorkQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/agents/${id}/work`
+    ] as const;
+    }
+
+    
+export const getAgentGetWorkQueryOptions = <TData = Awaited<ReturnType<typeof agentGetWork>>, TError = BadRequestResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentGetWork>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getAgentGetWorkQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof agentGetWork>>> = ({ signal }) => agentGetWork(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof agentGetWork>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type AgentGetWorkQueryResult = NonNullable<Awaited<ReturnType<typeof agentGetWork>>>
+export type AgentGetWorkQueryError = BadRequestResponse | InternalErrorResponse
+
+
+export function useAgentGetWork<TData = Awaited<ReturnType<typeof agentGetWork>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentGetWork>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof agentGetWork>>,
+          TError,
+          Awaited<ReturnType<typeof agentGetWork>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useAgentGetWork<TData = Awaited<ReturnType<typeof agentGetWork>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentGetWork>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof agentGetWork>>,
+          TError,
+          Awaited<ReturnType<typeof agentGetWork>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useAgentGetWork<TData = Awaited<ReturnType<typeof agentGetWork>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentGetWork>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get pending work
+ */
+
+export function useAgentGetWork<TData = Awaited<ReturnType<typeof agentGetWork>>, TError = BadRequestResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof agentGetWork>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getAgentGetWorkQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Agent reports completion or failure of an assigned job.
+ * @summary Report job status
+ */
+export const agentReportJobStatus = (
+    id: string,
+    jobId: string,
+    agentReportJobStatusBody: AgentReportJobStatusBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/agents/${id}/jobs/${jobId}/status`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: agentReportJobStatusBody, signal
+    },
+      );
+    }
+  
+
+
+export const getAgentReportJobStatusMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof agentReportJobStatus>>, TError,{id: string;jobId: string;data: AgentReportJobStatusBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof agentReportJobStatus>>, TError,{id: string;jobId: string;data: AgentReportJobStatusBody}, TContext> => {
+
+const mutationKey = ['agentReportJobStatus'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof agentReportJobStatus>>, {id: string;jobId: string;data: AgentReportJobStatusBody}> = (props) => {
+          const {id,jobId,data} = props ?? {};
+
+          return  agentReportJobStatus(id,jobId,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type AgentReportJobStatusMutationResult = NonNullable<Awaited<ReturnType<typeof agentReportJobStatus>>>
+    export type AgentReportJobStatusMutationBody = AgentReportJobStatusBody
+    export type AgentReportJobStatusMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Report job status
+ */
+export const useAgentReportJobStatus = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof agentReportJobStatus>>, TError,{id: string;jobId: string;data: AgentReportJobStatusBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof agentReportJobStatus>>,
+        TError,
+        {id: string;jobId: string;data: AgentReportJobStatusBody},
+        TContext
+      > => {
+
+      const mutationOptions = getAgentReportJobStatusMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    

web/src/api/generated/approvals/approvals.ts

@@ -0,0 +1,387 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  ApprovalRequest,
+  ApproveApprovalRequest200,
+  ApproveApprovalRequestBody,
+  InternalErrorResponse,
+  ListApprovalRequests200,
+  ListApprovalRequestsParams,
+  NotFoundResponse,
+  RejectApprovalRequest200,
+  RejectApprovalRequestBody
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Rank 7 issuance approval-workflow primitive. Returns paginated approval
+requests, optionally filtered by ?state= (pending/approved/rejected/expired),
+?certificate_id=, or ?requested_by=. Empty filters return the unfiltered
+list (default page=1, per_page=50).
+
+ * @summary List approval requests
+ */
+export const listApprovalRequests = (
+    params?: ListApprovalRequestsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListApprovalRequests200>(
+      {url: `/api/v1/approvals`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListApprovalRequestsQueryKey = (params?: ListApprovalRequestsParams,) => {
+    return [
+    `/api/v1/approvals`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListApprovalRequestsQueryOptions = <TData = Awaited<ReturnType<typeof listApprovalRequests>>, TError = InternalErrorResponse>(params?: ListApprovalRequestsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listApprovalRequests>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListApprovalRequestsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listApprovalRequests>>> = ({ signal }) => listApprovalRequests(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listApprovalRequests>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListApprovalRequestsQueryResult = NonNullable<Awaited<ReturnType<typeof listApprovalRequests>>>
+export type ListApprovalRequestsQueryError = InternalErrorResponse
+
+
+export function useListApprovalRequests<TData = Awaited<ReturnType<typeof listApprovalRequests>>, TError = InternalErrorResponse>(
+ params: undefined |  ListApprovalRequestsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listApprovalRequests>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listApprovalRequests>>,
+          TError,
+          Awaited<ReturnType<typeof listApprovalRequests>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListApprovalRequests<TData = Awaited<ReturnType<typeof listApprovalRequests>>, TError = InternalErrorResponse>(
+ params?: ListApprovalRequestsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listApprovalRequests>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listApprovalRequests>>,
+          TError,
+          Awaited<ReturnType<typeof listApprovalRequests>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListApprovalRequests<TData = Awaited<ReturnType<typeof listApprovalRequests>>, TError = InternalErrorResponse>(
+ params?: ListApprovalRequestsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listApprovalRequests>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List approval requests
+ */
+
+export function useListApprovalRequests<TData = Awaited<ReturnType<typeof listApprovalRequests>>, TError = InternalErrorResponse>(
+ params?: ListApprovalRequestsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listApprovalRequests>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListApprovalRequestsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns a single approval request by ID.
+ * @summary Get approval request
+ */
+export const getApprovalRequest = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ApprovalRequest>(
+      {url: `/api/v1/approvals/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetApprovalRequestQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/approvals/${id}`
+    ] as const;
+    }
+
+    
+export const getGetApprovalRequestQueryOptions = <TData = Awaited<ReturnType<typeof getApprovalRequest>>, TError = NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getApprovalRequest>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetApprovalRequestQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getApprovalRequest>>> = ({ signal }) => getApprovalRequest(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getApprovalRequest>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetApprovalRequestQueryResult = NonNullable<Awaited<ReturnType<typeof getApprovalRequest>>>
+export type GetApprovalRequestQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useGetApprovalRequest<TData = Awaited<ReturnType<typeof getApprovalRequest>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getApprovalRequest>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getApprovalRequest>>,
+          TError,
+          Awaited<ReturnType<typeof getApprovalRequest>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetApprovalRequest<TData = Awaited<ReturnType<typeof getApprovalRequest>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getApprovalRequest>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getApprovalRequest>>,
+          TError,
+          Awaited<ReturnType<typeof getApprovalRequest>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetApprovalRequest<TData = Awaited<ReturnType<typeof getApprovalRequest>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getApprovalRequest>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get approval request
+ */
+
+export function useGetApprovalRequest<TData = Awaited<ReturnType<typeof getApprovalRequest>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getApprovalRequest>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetApprovalRequestQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Transitions a pending request to approved AND transitions the linked
+Job from AwaitingApproval to Pending so the scheduler picks it up.
+RBAC: the authenticated actor extracted via the auth middleware MUST
+differ from the request's requested_by — a same-actor self-approval
+returns HTTP 403 with the substring `two-person integrity` in the
+body. This is the load-bearing two-person integrity contract;
+compliance auditors (PCI-DSS 6.4.5, NIST 800-53 SA-15, SOC 2 CC6.1)
+pattern-match against this code path.
+
+ * @summary Approve a pending approval request
+ */
+export const approveApprovalRequest = (
+    id: string,
+    approveApprovalRequestBody?: ApproveApprovalRequestBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ApproveApprovalRequest200>(
+      {url: `/api/v1/approvals/${id}/approve`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: approveApprovalRequestBody, signal
+    },
+      );
+    }
+  
+
+
+export const getApproveApprovalRequestMutationOptions = <TError = void | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof approveApprovalRequest>>, TError,{id: string;data: ApproveApprovalRequestBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof approveApprovalRequest>>, TError,{id: string;data: ApproveApprovalRequestBody}, TContext> => {
+
+const mutationKey = ['approveApprovalRequest'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof approveApprovalRequest>>, {id: string;data: ApproveApprovalRequestBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  approveApprovalRequest(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ApproveApprovalRequestMutationResult = NonNullable<Awaited<ReturnType<typeof approveApprovalRequest>>>
+    export type ApproveApprovalRequestMutationBody = ApproveApprovalRequestBody
+    export type ApproveApprovalRequestMutationError = void | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Approve a pending approval request
+ */
+export const useApproveApprovalRequest = <TError = void | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof approveApprovalRequest>>, TError,{id: string;data: ApproveApprovalRequestBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof approveApprovalRequest>>,
+        TError,
+        {id: string;data: ApproveApprovalRequestBody},
+        TContext
+      > => {
+
+      const mutationOptions = getApproveApprovalRequestMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Transitions a pending request to rejected AND cancels the linked
+Job. Same-actor RBAC contract as approve. The job's error_message
+is populated with the supplied note for audit continuity.
+
+ * @summary Reject a pending approval request
+ */
+export const rejectApprovalRequest = (
+    id: string,
+    rejectApprovalRequestBody?: RejectApprovalRequestBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<RejectApprovalRequest200>(
+      {url: `/api/v1/approvals/${id}/reject`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: rejectApprovalRequestBody, signal
+    },
+      );
+    }
+  
+
+
+export const getRejectApprovalRequestMutationOptions = <TError = void | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof rejectApprovalRequest>>, TError,{id: string;data: RejectApprovalRequestBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof rejectApprovalRequest>>, TError,{id: string;data: RejectApprovalRequestBody}, TContext> => {
+
+const mutationKey = ['rejectApprovalRequest'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof rejectApprovalRequest>>, {id: string;data: RejectApprovalRequestBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  rejectApprovalRequest(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RejectApprovalRequestMutationResult = NonNullable<Awaited<ReturnType<typeof rejectApprovalRequest>>>
+    export type RejectApprovalRequestMutationBody = RejectApprovalRequestBody
+    export type RejectApprovalRequestMutationError = void | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Reject a pending approval request
+ */
+export const useRejectApprovalRequest = <TError = void | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof rejectApprovalRequest>>, TError,{id: string;data: RejectApprovalRequestBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof rejectApprovalRequest>>,
+        TError,
+        {id: string;data: RejectApprovalRequestBody},
+        TContext
+      > => {
+
+      const mutationOptions = getRejectApprovalRequestMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    

web/src/api/generated/audit/audit.ts

@@ -0,0 +1,363 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  AuditEvent,
+  BadRequestResponse,
+  ExportAuditParams,
+  InternalErrorResponse,
+  ListAuditEvents200,
+  ListAuditEventsParams,
+  NotFoundResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Permission `audit.export`. Streams every audit row inside the
+requested `[from, to]` window as `application/x-ndjson`. Used
+by compliance pipelines (Splunk Universal Forwarder, Elastic
+Filebeat, Vector, etc.) that prefer line-by-line ingestion
+over a single JSON document.
+
+Range cap: 90 days. Requests with `to - from > 90d` return
+400; paginate by narrower windows.
+
+Per-record cap: `limit` query parameter (default 50000;
+accepted range 1..100000). Values outside the range silently
+clamp to default.
+
+The export itself is recursively audited: every successful
+export emits an `audit.export` event capturing actor, range,
+category, and row count so the audit log records who pulled
+which compliance evidence and when.
+
+ * @summary Export audit events as newline-delimited JSON (NDJSON) for a date range
+ */
+export const exportAudit = (
+    params: ExportAuditParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/api/v1/audit/export`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getExportAuditQueryKey = (params?: ExportAuditParams,) => {
+    return [
+    `/api/v1/audit/export`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getExportAuditQueryOptions = <TData = Awaited<ReturnType<typeof exportAudit>>, TError = void>(params: ExportAuditParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportAudit>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getExportAuditQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof exportAudit>>> = ({ signal }) => exportAudit(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof exportAudit>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ExportAuditQueryResult = NonNullable<Awaited<ReturnType<typeof exportAudit>>>
+export type ExportAuditQueryError = void
+
+
+export function useExportAudit<TData = Awaited<ReturnType<typeof exportAudit>>, TError = void>(
+ params: ExportAuditParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportAudit>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof exportAudit>>,
+          TError,
+          Awaited<ReturnType<typeof exportAudit>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useExportAudit<TData = Awaited<ReturnType<typeof exportAudit>>, TError = void>(
+ params: ExportAuditParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportAudit>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof exportAudit>>,
+          TError,
+          Awaited<ReturnType<typeof exportAudit>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useExportAudit<TData = Awaited<ReturnType<typeof exportAudit>>, TError = void>(
+ params: ExportAuditParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportAudit>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Export audit events as newline-delimited JSON (NDJSON) for a date range
+ */
+
+export function useExportAudit<TData = Awaited<ReturnType<typeof exportAudit>>, TError = void>(
+ params: ExportAuditParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof exportAudit>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getExportAuditQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Bundle 1 Phase 8 adds the optional `category` query parameter
+for auditor-role filtering. Allowed values: `cert_lifecycle`
+(cert/agent/deployment events), `auth` (role/key/bootstrap
+mutations), `config` (issuer/target/settings edits). Omitting
+the parameter returns every category.
+
+P-H2 closure (frontend-design-audit 2026-05-14) adds the
+optional `since` / `until` time-range query parameters. Both
+accept RFC3339 timestamps (e.g. `2026-04-01T00:00:00Z`).
+Either bound can be omitted to leave that side open-ended.
+Combined with `category`, they let auditor-role clients query
+"auth events from yesterday" without a separate endpoint.
+
+Note on naming: this endpoint uses `since` / `until` to match
+the existing MCP `certctl_audit_list_with_category` tool's
+published contract. The sibling `/api/v1/audit/export`
+endpoint uses `from` / `to` for compliance-window semantics
+(required, ≤ 90-day range, NDJSON streaming); the two
+endpoints share data but the names reflect the different
+param semantics.
+
+ * @summary List audit events
+ */
+export const listAuditEvents = (
+    params?: ListAuditEventsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListAuditEvents200>(
+      {url: `/api/v1/audit`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListAuditEventsQueryKey = (params?: ListAuditEventsParams,) => {
+    return [
+    `/api/v1/audit`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListAuditEventsQueryOptions = <TData = Awaited<ReturnType<typeof listAuditEvents>>, TError = void | InternalErrorResponse>(params?: ListAuditEventsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuditEvents>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListAuditEventsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listAuditEvents>>> = ({ signal }) => listAuditEvents(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listAuditEvents>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListAuditEventsQueryResult = NonNullable<Awaited<ReturnType<typeof listAuditEvents>>>
+export type ListAuditEventsQueryError = void | InternalErrorResponse
+
+
+export function useListAuditEvents<TData = Awaited<ReturnType<typeof listAuditEvents>>, TError = void | InternalErrorResponse>(
+ params: undefined |  ListAuditEventsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuditEvents>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuditEvents>>,
+          TError,
+          Awaited<ReturnType<typeof listAuditEvents>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuditEvents<TData = Awaited<ReturnType<typeof listAuditEvents>>, TError = void | InternalErrorResponse>(
+ params?: ListAuditEventsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuditEvents>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listAuditEvents>>,
+          TError,
+          Awaited<ReturnType<typeof listAuditEvents>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListAuditEvents<TData = Awaited<ReturnType<typeof listAuditEvents>>, TError = void | InternalErrorResponse>(
+ params?: ListAuditEventsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuditEvents>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List audit events
+ */
+
+export function useListAuditEvents<TData = Awaited<ReturnType<typeof listAuditEvents>>, TError = void | InternalErrorResponse>(
+ params?: ListAuditEventsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listAuditEvents>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListAuditEventsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Get audit event
+ */
+export const getAuditEvent = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<AuditEvent>(
+      {url: `/api/v1/audit/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetAuditEventQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/audit/${id}`
+    ] as const;
+    }
+
+    
+export const getGetAuditEventQueryOptions = <TData = Awaited<ReturnType<typeof getAuditEvent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuditEvent>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetAuditEventQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getAuditEvent>>> = ({ signal }) => getAuditEvent(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getAuditEvent>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetAuditEventQueryResult = NonNullable<Awaited<ReturnType<typeof getAuditEvent>>>
+export type GetAuditEventQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetAuditEvent<TData = Awaited<ReturnType<typeof getAuditEvent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuditEvent>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuditEvent>>,
+          TError,
+          Awaited<ReturnType<typeof getAuditEvent>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuditEvent<TData = Awaited<ReturnType<typeof getAuditEvent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuditEvent>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuditEvent>>,
+          TError,
+          Awaited<ReturnType<typeof getAuditEvent>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuditEvent<TData = Awaited<ReturnType<typeof getAuditEvent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuditEvent>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get audit event
+ */
+
+export function useGetAuditEvent<TData = Awaited<ReturnType<typeof getAuditEvent>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuditEvent>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetAuditEventQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+

web/src/api/generated/crl-ocsp/crl-ocsp.ts

@@ -0,0 +1,434 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  InternalErrorResponse,
+  ListCRLCache200,
+  NotFoundResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Returns a DER-encoded CRL signed by the issuing CA (RFC 5280 §5),
+served unauthenticated per RFC 8615 `.well-known` semantics so
+relying parties can retrieve it without a certctl API key.
+Validity is 24 hours.
+
+ * @summary Get DER-encoded X.509 CRL (RFC 5280)
+ */
+export const getDERCRL = (
+    issuerId: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Blob>(
+      {url: `/.well-known/pki/crl/${issuerId}`, method: 'GET',
+        responseType: 'blob', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetDERCRLQueryKey = (issuerId?: string,) => {
+    return [
+    `/.well-known/pki/crl/${issuerId}`
+    ] as const;
+    }
+
+    
+export const getGetDERCRLQueryOptions = <TData = Awaited<ReturnType<typeof getDERCRL>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(issuerId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDERCRL>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetDERCRLQueryKey(issuerId);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getDERCRL>>> = ({ signal }) => getDERCRL(issuerId, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(issuerId), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getDERCRL>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetDERCRLQueryResult = NonNullable<Awaited<ReturnType<typeof getDERCRL>>>
+export type GetDERCRLQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void
+
+
+export function useGetDERCRL<TData = Awaited<ReturnType<typeof getDERCRL>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDERCRL>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDERCRL>>,
+          TError,
+          Awaited<ReturnType<typeof getDERCRL>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDERCRL<TData = Awaited<ReturnType<typeof getDERCRL>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDERCRL>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDERCRL>>,
+          TError,
+          Awaited<ReturnType<typeof getDERCRL>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDERCRL<TData = Awaited<ReturnType<typeof getDERCRL>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDERCRL>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get DER-encoded X.509 CRL (RFC 5280)
+ */
+
+export function useGetDERCRL<TData = Awaited<ReturnType<typeof getDERCRL>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDERCRL>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetDERCRLQueryOptions(issuerId,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns a signed OCSP response (good/revoked/unknown) for the
+given serial number per RFC 6960 §2.1, served unauthenticated
+per RFC 8615 so relying parties and OCSP stapling sidecars can
+query revocation status without a certctl API key.
+
+ * @summary OCSP responder (RFC 6960)
+ */
+export const handleOCSP = (
+    issuerId: string,
+    serial: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Blob>(
+      {url: `/.well-known/pki/ocsp/${issuerId}/${serial}`, method: 'GET',
+        responseType: 'blob', signal
+    },
+      );
+    }
+  
+
+
+
+export const getHandleOCSPQueryKey = (issuerId?: string,
+    serial?: string,) => {
+    return [
+    `/.well-known/pki/ocsp/${issuerId}/${serial}`
+    ] as const;
+    }
+
+    
+export const getHandleOCSPQueryOptions = <TData = Awaited<ReturnType<typeof handleOCSP>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(issuerId: string,
+    serial: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof handleOCSP>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getHandleOCSPQueryKey(issuerId,serial);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof handleOCSP>>> = ({ signal }) => handleOCSP(issuerId,serial, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(issuerId && serial), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof handleOCSP>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type HandleOCSPQueryResult = NonNullable<Awaited<ReturnType<typeof handleOCSP>>>
+export type HandleOCSPQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void
+
+
+export function useHandleOCSP<TData = Awaited<ReturnType<typeof handleOCSP>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string,
+    serial: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof handleOCSP>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof handleOCSP>>,
+          TError,
+          Awaited<ReturnType<typeof handleOCSP>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useHandleOCSP<TData = Awaited<ReturnType<typeof handleOCSP>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string,
+    serial: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof handleOCSP>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof handleOCSP>>,
+          TError,
+          Awaited<ReturnType<typeof handleOCSP>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useHandleOCSP<TData = Awaited<ReturnType<typeof handleOCSP>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string,
+    serial: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof handleOCSP>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary OCSP responder (RFC 6960)
+ */
+
+export function useHandleOCSP<TData = Awaited<ReturnType<typeof handleOCSP>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse | void>(
+ issuerId: string,
+    serial: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof handleOCSP>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getHandleOCSPQueryOptions(issuerId,serial,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns the per-issuer CRL cache state populated by the
+scheduler's crlGenerationLoop. One row per registered issuer
+with `cache_present` indicating whether a CRL has ever been
+generated, plus `is_stale` derived from `next_update` vs.
+wall clock, plus the most recent generation events for
+ops grep.
+
+Admin-gated (M-003 pattern). Bundle CRL/OCSP-Responder Phase 5.
+
+ * @summary Inspect CRL pre-generation cache (admin)
+ */
+export const listCRLCache = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListCRLCache200>(
+      {url: `/api/v1/admin/crl/cache`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListCRLCacheQueryKey = () => {
+    return [
+    `/api/v1/admin/crl/cache`
+    ] as const;
+    }
+
+    
+export const getListCRLCacheQueryOptions = <TData = Awaited<ReturnType<typeof listCRLCache>>, TError = void | InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCRLCache>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListCRLCacheQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listCRLCache>>> = ({ signal }) => listCRLCache(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listCRLCache>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListCRLCacheQueryResult = NonNullable<Awaited<ReturnType<typeof listCRLCache>>>
+export type ListCRLCacheQueryError = void | InternalErrorResponse
+
+
+export function useListCRLCache<TData = Awaited<ReturnType<typeof listCRLCache>>, TError = void | InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCRLCache>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listCRLCache>>,
+          TError,
+          Awaited<ReturnType<typeof listCRLCache>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListCRLCache<TData = Awaited<ReturnType<typeof listCRLCache>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCRLCache>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listCRLCache>>,
+          TError,
+          Awaited<ReturnType<typeof listCRLCache>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListCRLCache<TData = Awaited<ReturnType<typeof listCRLCache>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCRLCache>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Inspect CRL pre-generation cache (admin)
+ */
+
+export function useListCRLCache<TData = Awaited<ReturnType<typeof listCRLCache>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listCRLCache>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListCRLCacheQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Standard RFC 6960 §A.1.1 POST form of the OCSP responder. The
+request body is the binary DER-encoded OCSPRequest with
+Content-Type `application/ocsp-request`; the serial number is
+carried inside that body, not in the URL path. Most production
+OCSP clients (Firefox, OpenSSL `s_client -status`, cert-manager,
+Microsoft Intune device validators) use POST exclusively.
+
+The pre-existing GET form
+(`/.well-known/pki/ocsp/{issuer_id}/{serial}`) is preserved for
+ad-hoc curl inspection and human-readable URL paths; behaviour
+and response are otherwise identical.
+
+Auth-exempt under `/.well-known/pki/*` per RFC 8615 so relying
+parties can poll without a certctl API key. CRL/OCSP-Responder
+bundle Phase 4.
+
+ * @summary OCSP responder (RFC 6960 §A.1.1, POST form)
+ */
+export const handleOCSPPost = (
+    issuerId: string,
+    handleOCSPPostBody: Blob,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Blob>(
+      {url: `/.well-known/pki/ocsp/${issuerId}`, method: 'POST',
+      headers: {'Content-Type': 'application/ocsp-request', },
+      data: handleOCSPPostBody,
+        responseType: 'blob', signal
+    },
+      );
+    }
+  
+
+
+export const getHandleOCSPPostMutationOptions = <TError = BadRequestResponse | NotFoundResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof handleOCSPPost>>, TError,{issuerId: string;data: Blob}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof handleOCSPPost>>, TError,{issuerId: string;data: Blob}, TContext> => {
+
+const mutationKey = ['handleOCSPPost'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof handleOCSPPost>>, {issuerId: string;data: Blob}> = (props) => {
+          const {issuerId,data} = props ?? {};
+
+          return  handleOCSPPost(issuerId,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type HandleOCSPPostMutationResult = NonNullable<Awaited<ReturnType<typeof handleOCSPPost>>>
+    export type HandleOCSPPostMutationBody = Blob
+    export type HandleOCSPPostMutationError = BadRequestResponse | NotFoundResponse | void | InternalErrorResponse
+
+    /**
+ * @summary OCSP responder (RFC 6960 §A.1.1, POST form)
+ */
+export const useHandleOCSPPost = <TError = BadRequestResponse | NotFoundResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof handleOCSPPost>>, TError,{issuerId: string;data: Blob}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof handleOCSPPost>>,
+        TError,
+        {issuerId: string;data: Blob},
+        TContext
+      > => {
+
+      const mutationOptions = getHandleOCSPPostMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    

web/src/api/generated/digest/digest.ts

@@ -0,0 +1,206 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  InternalErrorResponse,
+  StatusMessageResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Returns an HTML preview of the scheduled certificate digest email.
+This includes a summary of certificate status, pending jobs, and expiring certificates.
+
+ * @summary Preview digest email
+ */
+export const previewDigest = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/api/v1/digest/preview`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getPreviewDigestQueryKey = () => {
+    return [
+    `/api/v1/digest/preview`
+    ] as const;
+    }
+
+    
+export const getPreviewDigestQueryOptions = <TData = Awaited<ReturnType<typeof previewDigest>>, TError = InternalErrorResponse | StatusMessageResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof previewDigest>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getPreviewDigestQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof previewDigest>>> = ({ signal }) => previewDigest(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof previewDigest>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type PreviewDigestQueryResult = NonNullable<Awaited<ReturnType<typeof previewDigest>>>
+export type PreviewDigestQueryError = InternalErrorResponse | StatusMessageResponse
+
+
+export function usePreviewDigest<TData = Awaited<ReturnType<typeof previewDigest>>, TError = InternalErrorResponse | StatusMessageResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof previewDigest>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof previewDigest>>,
+          TError,
+          Awaited<ReturnType<typeof previewDigest>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function usePreviewDigest<TData = Awaited<ReturnType<typeof previewDigest>>, TError = InternalErrorResponse | StatusMessageResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof previewDigest>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof previewDigest>>,
+          TError,
+          Awaited<ReturnType<typeof previewDigest>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function usePreviewDigest<TData = Awaited<ReturnType<typeof previewDigest>>, TError = InternalErrorResponse | StatusMessageResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof previewDigest>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Preview digest email
+ */
+
+export function usePreviewDigest<TData = Awaited<ReturnType<typeof previewDigest>>, TError = InternalErrorResponse | StatusMessageResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof previewDigest>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getPreviewDigestQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Triggers immediate sending of the certificate digest email to configured recipients.
+If no explicit recipients are configured, sends to certificate owners.
+
+ * @summary Send digest email
+ */
+export const sendDigest = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusMessageResponse>(
+      {url: `/api/v1/digest/send`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getSendDigestMutationOptions = <TError = InternalErrorResponse | StatusMessageResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof sendDigest>>, TError,void, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof sendDigest>>, TError,void, TContext> => {
+
+const mutationKey = ['sendDigest'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof sendDigest>>, void> = () => {
+          
+
+          return  sendDigest()
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type SendDigestMutationResult = NonNullable<Awaited<ReturnType<typeof sendDigest>>>
+    
+    export type SendDigestMutationError = InternalErrorResponse | StatusMessageResponse
+
+    /**
+ * @summary Send digest email
+ */
+export const useSendDigest = <TError = InternalErrorResponse | StatusMessageResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof sendDigest>>, TError,void, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof sendDigest>>,
+        TError,
+        void,
+        TContext
+      > => {
+
+      const mutationOptions = getSendDigestMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    

web/src/api/generated/discovery/discovery.ts

@@ -0,0 +1,627 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  ClaimDiscoveredCertificateBody,
+  DiscoveredCertificate,
+  DiscoveryReport,
+  DiscoveryScan,
+  GetDiscoverySummary200,
+  InternalErrorResponse,
+  ListDiscoveredCertificates200,
+  ListDiscoveredCertificatesParams,
+  ListDiscoveryScans200,
+  ListDiscoveryScansParams,
+  NotFoundResponse,
+  StatusMessageResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Agent submits a batch of discovered certificates from filesystem scanning.
+Server deduplicates by (fingerprint, agent_id, source_path) and records scan metadata.
+
+ * @summary Submit discovery report
+ */
+export const submitDiscoveryReport = (
+    id: string,
+    discoveryReport: DiscoveryReport,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<DiscoveryScan>(
+      {url: `/api/v1/agents/${id}/discoveries`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: discoveryReport, signal
+    },
+      );
+    }
+  
+
+
+export const getSubmitDiscoveryReportMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof submitDiscoveryReport>>, TError,{id: string;data: DiscoveryReport}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof submitDiscoveryReport>>, TError,{id: string;data: DiscoveryReport}, TContext> => {
+
+const mutationKey = ['submitDiscoveryReport'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof submitDiscoveryReport>>, {id: string;data: DiscoveryReport}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  submitDiscoveryReport(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type SubmitDiscoveryReportMutationResult = NonNullable<Awaited<ReturnType<typeof submitDiscoveryReport>>>
+    export type SubmitDiscoveryReportMutationBody = DiscoveryReport
+    export type SubmitDiscoveryReportMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Submit discovery report
+ */
+export const useSubmitDiscoveryReport = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof submitDiscoveryReport>>, TError,{id: string;data: DiscoveryReport}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof submitDiscoveryReport>>,
+        TError,
+        {id: string;data: DiscoveryReport},
+        TContext
+      > => {
+
+      const mutationOptions = getSubmitDiscoveryReportMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns discovered certificates with optional filters by agent and triage status.
+ * @summary List discovered certificates
+ */
+export const listDiscoveredCertificates = (
+    params?: ListDiscoveredCertificatesParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListDiscoveredCertificates200>(
+      {url: `/api/v1/discovered-certificates`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListDiscoveredCertificatesQueryKey = (params?: ListDiscoveredCertificatesParams,) => {
+    return [
+    `/api/v1/discovered-certificates`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListDiscoveredCertificatesQueryOptions = <TData = Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError = InternalErrorResponse>(params?: ListDiscoveredCertificatesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListDiscoveredCertificatesQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listDiscoveredCertificates>>> = ({ signal }) => listDiscoveredCertificates(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListDiscoveredCertificatesQueryResult = NonNullable<Awaited<ReturnType<typeof listDiscoveredCertificates>>>
+export type ListDiscoveredCertificatesQueryError = InternalErrorResponse
+
+
+export function useListDiscoveredCertificates<TData = Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError = InternalErrorResponse>(
+ params: undefined |  ListDiscoveredCertificatesParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listDiscoveredCertificates>>,
+          TError,
+          Awaited<ReturnType<typeof listDiscoveredCertificates>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListDiscoveredCertificates<TData = Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError = InternalErrorResponse>(
+ params?: ListDiscoveredCertificatesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listDiscoveredCertificates>>,
+          TError,
+          Awaited<ReturnType<typeof listDiscoveredCertificates>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListDiscoveredCertificates<TData = Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError = InternalErrorResponse>(
+ params?: ListDiscoveredCertificatesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List discovered certificates
+ */
+
+export function useListDiscoveredCertificates<TData = Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError = InternalErrorResponse>(
+ params?: ListDiscoveredCertificatesParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveredCertificates>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListDiscoveredCertificatesQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns a single discovered certificate by ID.
+ * @summary Get discovered certificate
+ */
+export const getDiscoveredCertificate = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<DiscoveredCertificate>(
+      {url: `/api/v1/discovered-certificates/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetDiscoveredCertificateQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/discovered-certificates/${id}`
+    ] as const;
+    }
+
+    
+export const getGetDiscoveredCertificateQueryOptions = <TData = Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetDiscoveredCertificateQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getDiscoveredCertificate>>> = ({ signal }) => getDiscoveredCertificate(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetDiscoveredCertificateQueryResult = NonNullable<Awaited<ReturnType<typeof getDiscoveredCertificate>>>
+export type GetDiscoveredCertificateQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useGetDiscoveredCertificate<TData = Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDiscoveredCertificate>>,
+          TError,
+          Awaited<ReturnType<typeof getDiscoveredCertificate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDiscoveredCertificate<TData = Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDiscoveredCertificate>>,
+          TError,
+          Awaited<ReturnType<typeof getDiscoveredCertificate>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDiscoveredCertificate<TData = Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get discovered certificate
+ */
+
+export function useGetDiscoveredCertificate<TData = Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoveredCertificate>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetDiscoveredCertificateQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Links a discovered certificate to an existing managed certificate. Changes status to Managed.
+ * @summary Claim discovered certificate
+ */
+export const claimDiscoveredCertificate = (
+    id: string,
+    claimDiscoveredCertificateBody: ClaimDiscoveredCertificateBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusMessageResponse>(
+      {url: `/api/v1/discovered-certificates/${id}/claim`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: claimDiscoveredCertificateBody, signal
+    },
+      );
+    }
+  
+
+
+export const getClaimDiscoveredCertificateMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof claimDiscoveredCertificate>>, TError,{id: string;data: ClaimDiscoveredCertificateBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof claimDiscoveredCertificate>>, TError,{id: string;data: ClaimDiscoveredCertificateBody}, TContext> => {
+
+const mutationKey = ['claimDiscoveredCertificate'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof claimDiscoveredCertificate>>, {id: string;data: ClaimDiscoveredCertificateBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  claimDiscoveredCertificate(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ClaimDiscoveredCertificateMutationResult = NonNullable<Awaited<ReturnType<typeof claimDiscoveredCertificate>>>
+    export type ClaimDiscoveredCertificateMutationBody = ClaimDiscoveredCertificateBody
+    export type ClaimDiscoveredCertificateMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Claim discovered certificate
+ */
+export const useClaimDiscoveredCertificate = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof claimDiscoveredCertificate>>, TError,{id: string;data: ClaimDiscoveredCertificateBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof claimDiscoveredCertificate>>,
+        TError,
+        {id: string;data: ClaimDiscoveredCertificateBody},
+        TContext
+      > => {
+
+      const mutationOptions = getClaimDiscoveredCertificateMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Marks a discovered certificate as dismissed (excluded from triage queue).
+ * @summary Dismiss discovered certificate
+ */
+export const dismissDiscoveredCertificate = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusMessageResponse>(
+      {url: `/api/v1/discovered-certificates/${id}/dismiss`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getDismissDiscoveredCertificateMutationOptions = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof dismissDiscoveredCertificate>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof dismissDiscoveredCertificate>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['dismissDiscoveredCertificate'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof dismissDiscoveredCertificate>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  dismissDiscoveredCertificate(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DismissDiscoveredCertificateMutationResult = NonNullable<Awaited<ReturnType<typeof dismissDiscoveredCertificate>>>
+    
+    export type DismissDiscoveredCertificateMutationError = NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Dismiss discovered certificate
+ */
+export const useDismissDiscoveredCertificate = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof dismissDiscoveredCertificate>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof dismissDiscoveredCertificate>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDismissDiscoveredCertificateMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns history of discovery scan executions with optional agent filter.
+ * @summary List discovery scans
+ */
+export const listDiscoveryScans = (
+    params?: ListDiscoveryScansParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListDiscoveryScans200>(
+      {url: `/api/v1/discovery-scans`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListDiscoveryScansQueryKey = (params?: ListDiscoveryScansParams,) => {
+    return [
+    `/api/v1/discovery-scans`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListDiscoveryScansQueryOptions = <TData = Awaited<ReturnType<typeof listDiscoveryScans>>, TError = InternalErrorResponse>(params?: ListDiscoveryScansParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveryScans>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListDiscoveryScansQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listDiscoveryScans>>> = ({ signal }) => listDiscoveryScans(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listDiscoveryScans>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListDiscoveryScansQueryResult = NonNullable<Awaited<ReturnType<typeof listDiscoveryScans>>>
+export type ListDiscoveryScansQueryError = InternalErrorResponse
+
+
+export function useListDiscoveryScans<TData = Awaited<ReturnType<typeof listDiscoveryScans>>, TError = InternalErrorResponse>(
+ params: undefined |  ListDiscoveryScansParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveryScans>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listDiscoveryScans>>,
+          TError,
+          Awaited<ReturnType<typeof listDiscoveryScans>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListDiscoveryScans<TData = Awaited<ReturnType<typeof listDiscoveryScans>>, TError = InternalErrorResponse>(
+ params?: ListDiscoveryScansParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveryScans>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listDiscoveryScans>>,
+          TError,
+          Awaited<ReturnType<typeof listDiscoveryScans>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListDiscoveryScans<TData = Awaited<ReturnType<typeof listDiscoveryScans>>, TError = InternalErrorResponse>(
+ params?: ListDiscoveryScansParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveryScans>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List discovery scans
+ */
+
+export function useListDiscoveryScans<TData = Awaited<ReturnType<typeof listDiscoveryScans>>, TError = InternalErrorResponse>(
+ params?: ListDiscoveryScansParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listDiscoveryScans>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListDiscoveryScansQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns aggregate counts of discovered certificates by triage status.
+ * @summary Discovery status summary
+ */
+export const getDiscoverySummary = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetDiscoverySummary200>(
+      {url: `/api/v1/discovery-summary`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetDiscoverySummaryQueryKey = () => {
+    return [
+    `/api/v1/discovery-summary`
+    ] as const;
+    }
+
+    
+export const getGetDiscoverySummaryQueryOptions = <TData = Awaited<ReturnType<typeof getDiscoverySummary>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoverySummary>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetDiscoverySummaryQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getDiscoverySummary>>> = ({ signal }) => getDiscoverySummary(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getDiscoverySummary>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetDiscoverySummaryQueryResult = NonNullable<Awaited<ReturnType<typeof getDiscoverySummary>>>
+export type GetDiscoverySummaryQueryError = InternalErrorResponse
+
+
+export function useGetDiscoverySummary<TData = Awaited<ReturnType<typeof getDiscoverySummary>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoverySummary>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDiscoverySummary>>,
+          TError,
+          Awaited<ReturnType<typeof getDiscoverySummary>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDiscoverySummary<TData = Awaited<ReturnType<typeof getDiscoverySummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoverySummary>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getDiscoverySummary>>,
+          TError,
+          Awaited<ReturnType<typeof getDiscoverySummary>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetDiscoverySummary<TData = Awaited<ReturnType<typeof getDiscoverySummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoverySummary>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Discovery status summary
+ */
+
+export function useGetDiscoverySummary<TData = Awaited<ReturnType<typeof getDiscoverySummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getDiscoverySummary>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetDiscoverySummaryQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+

web/src/api/generated/est/est.ts

@@ -0,0 +1,735 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  BulkRevokeRequest,
+  BulkRevokeResult,
+  InternalErrorResponse,
+  ListESTProfiles200,
+  ReloadESTTrust200,
+  ReloadESTTrustBody
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * EST-source-scoped bulk revocation. Identical wire shape to
+/api/v1/certificates/bulk-revoke; the handler pins
+`Source=EST` so the operation only affects certs the EST
+service stamped at issuance time. SCEP-issued / API-issued /
+Agent-provisioned certs are never touched by this endpoint.
+
+At least one narrower criterion (profile_id, owner_id,
+agent_id, issuer_id, team_id, or certificate_ids) is
+required — Source-only requests are rejected as too broad
+to prevent accidental fleet-wide revocation. Admin-gated
+(M-008 / M-003 pattern). Audit action emitted: `est_bulk_revoke`.
+
+EST RFC 7030 hardening master bundle Phase 11.2.
+
+ * @summary Bulk revoke EST-issued certificates (admin)
+ */
+export const bulkRevokeESTCertificates = (
+    bulkRevokeRequest: BulkRevokeRequest,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<BulkRevokeResult>(
+      {url: `/api/v1/est/certificates/bulk-revoke`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: bulkRevokeRequest, signal
+    },
+      );
+    }
+  
+
+
+export const getBulkRevokeESTCertificatesMutationOptions = <TError = BadRequestResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof bulkRevokeESTCertificates>>, TError,{data: BulkRevokeRequest}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof bulkRevokeESTCertificates>>, TError,{data: BulkRevokeRequest}, TContext> => {
+
+const mutationKey = ['bulkRevokeESTCertificates'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof bulkRevokeESTCertificates>>, {data: BulkRevokeRequest}> = (props) => {
+          const {data} = props ?? {};
+
+          return  bulkRevokeESTCertificates(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type BulkRevokeESTCertificatesMutationResult = NonNullable<Awaited<ReturnType<typeof bulkRevokeESTCertificates>>>
+    export type BulkRevokeESTCertificatesMutationBody = BulkRevokeRequest
+    export type BulkRevokeESTCertificatesMutationError = BadRequestResponse | void | InternalErrorResponse
+
+    /**
+ * @summary Bulk revoke EST-issued certificates (admin)
+ */
+export const useBulkRevokeESTCertificates = <TError = BadRequestResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof bulkRevokeESTCertificates>>, TError,{data: BulkRevokeRequest}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof bulkRevokeESTCertificates>>,
+        TError,
+        {data: BulkRevokeRequest},
+        TContext
+      > => {
+
+      const mutationOptions = getBulkRevokeESTCertificatesMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns one snapshot per configured EST profile with always-present
+per-profile fields (path_id, issuer_id, profile_id, mtls_enabled,
+basic_auth_configured, server_keygen_enabled, counters) plus an
+optional trust-anchor sub-block when the profile has MTLS_ENABLED=true.
+
+Counter labels: success_simpleenroll, success_simplereenroll,
+success_serverkeygen, auth_failed_basic, auth_failed_mtls,
+auth_failed_channel_binding, csr_invalid, csr_policy_violation,
+csr_signature_mismatch, rate_limited, issuer_error, internal_error.
+
+Admin-gated (M-008 pattern). Non-admin Bearer callers get HTTP 403 —
+the snapshot reveals operator profile set, mTLS trust-anchor expiries,
+and auth-mode posture (sensitive operational metadata). EST RFC 7030
+hardening master bundle Phase 7.2.
+
+ * @summary Per-profile EST administration overview (admin)
+ */
+export const listESTProfiles = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListESTProfiles200>(
+      {url: `/api/v1/admin/est/profiles`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListESTProfilesQueryKey = () => {
+    return [
+    `/api/v1/admin/est/profiles`
+    ] as const;
+    }
+
+    
+export const getListESTProfilesQueryOptions = <TData = Awaited<ReturnType<typeof listESTProfiles>>, TError = void | InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listESTProfiles>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListESTProfilesQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listESTProfiles>>> = ({ signal }) => listESTProfiles(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listESTProfiles>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListESTProfilesQueryResult = NonNullable<Awaited<ReturnType<typeof listESTProfiles>>>
+export type ListESTProfilesQueryError = void | InternalErrorResponse
+
+
+export function useListESTProfiles<TData = Awaited<ReturnType<typeof listESTProfiles>>, TError = void | InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listESTProfiles>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listESTProfiles>>,
+          TError,
+          Awaited<ReturnType<typeof listESTProfiles>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListESTProfiles<TData = Awaited<ReturnType<typeof listESTProfiles>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listESTProfiles>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listESTProfiles>>,
+          TError,
+          Awaited<ReturnType<typeof listESTProfiles>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListESTProfiles<TData = Awaited<ReturnType<typeof listESTProfiles>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listESTProfiles>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Per-profile EST administration overview (admin)
+ */
+
+export function useListESTProfiles<TData = Awaited<ReturnType<typeof listESTProfiles>>, TError = void | InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listESTProfiles>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListESTProfilesQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Triggers the same Reload that the SIGHUP watcher would run for
+the named EST profile. The body MUST be `{"path_id": "<pathID>"}`;
+an empty body targets the legacy `/.well-known/est` root profile
+(PathID="").
+
+Returns 200 + `{"reloaded": true, ...}` on success; 404 when the
+path_id doesn't match any configured EST profile; 409 when the
+profile exists but mTLS is disabled on it (no trust anchor to
+reload); 500 when the underlying file fails to parse — in which
+case the holder retains the OLD pool so enrollment keeps working
+off the previous trust anchor while the operator fixes the file.
+
+Admin-gated (M-008 pattern). EST RFC 7030 hardening master
+bundle Phase 7.2.
+
+ * @summary Reload an EST profile's mTLS trust anchor (admin)
+ */
+export const reloadESTTrust = (
+    reloadESTTrustBody?: ReloadESTTrustBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ReloadESTTrust200>(
+      {url: `/api/v1/admin/est/reload-trust`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: reloadESTTrustBody, signal
+    },
+      );
+    }
+  
+
+
+export const getReloadESTTrustMutationOptions = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof reloadESTTrust>>, TError,{data: ReloadESTTrustBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof reloadESTTrust>>, TError,{data: ReloadESTTrustBody}, TContext> => {
+
+const mutationKey = ['reloadESTTrust'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof reloadESTTrust>>, {data: ReloadESTTrustBody}> = (props) => {
+          const {data} = props ?? {};
+
+          return  reloadESTTrust(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ReloadESTTrustMutationResult = NonNullable<Awaited<ReturnType<typeof reloadESTTrust>>>
+    export type ReloadESTTrustMutationBody = ReloadESTTrustBody
+    export type ReloadESTTrustMutationError = void
+
+    /**
+ * @summary Reload an EST profile's mTLS trust anchor (admin)
+ */
+export const useReloadESTTrust = <TError = void,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof reloadESTTrust>>, TError,{data: ReloadESTTrustBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof reloadESTTrust>>,
+        TError,
+        {data: ReloadESTTrustBody},
+        TContext
+      > => {
+
+      const mutationOptions = getReloadESTTrustMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns the CA certificate chain used to verify certctl-issued certificates.
+Response is a base64-encoded degenerate PKCS#7 SignedData (certs-only) per
+RFC 7030 §4.1.3.
+
+ * @summary EST CA certificates distribution
+ */
+export const estCACerts = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/.well-known/est/cacerts`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getEstCACertsQueryKey = () => {
+    return [
+    `/.well-known/est/cacerts`
+    ] as const;
+    }
+
+    
+export const getEstCACertsQueryOptions = <TData = Awaited<ReturnType<typeof estCACerts>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCACerts>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getEstCACertsQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof estCACerts>>> = ({ signal }) => estCACerts(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof estCACerts>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type EstCACertsQueryResult = NonNullable<Awaited<ReturnType<typeof estCACerts>>>
+export type EstCACertsQueryError = InternalErrorResponse
+
+
+export function useEstCACerts<TData = Awaited<ReturnType<typeof estCACerts>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCACerts>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof estCACerts>>,
+          TError,
+          Awaited<ReturnType<typeof estCACerts>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useEstCACerts<TData = Awaited<ReturnType<typeof estCACerts>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCACerts>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof estCACerts>>,
+          TError,
+          Awaited<ReturnType<typeof estCACerts>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useEstCACerts<TData = Awaited<ReturnType<typeof estCACerts>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCACerts>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary EST CA certificates distribution
+ */
+
+export function useEstCACerts<TData = Awaited<ReturnType<typeof estCACerts>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCACerts>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getEstCACertsQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Enrolls a new certificate from a PKCS#10 CSR per RFC 7030 §4.2.1.
+The CSR MAY be supplied as base64-encoded DER (EST standard wire format)
+or as PEM for convenience. Returns a base64-encoded PKCS#7 certs-only
+structure containing the issued certificate.
+
+ * @summary EST simple enrollment
+ */
+export const estSimpleEnroll = (
+    estSimpleEnrollBody: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/.well-known/est/simpleenroll`, method: 'POST',
+      headers: {'Content-Type': 'application/pkcs10', },
+      data: estSimpleEnrollBody, signal
+    },
+      );
+    }
+  
+
+
+export const getEstSimpleEnrollMutationOptions = <TError = BadRequestResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof estSimpleEnroll>>, TError,{data: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof estSimpleEnroll>>, TError,{data: string}, TContext> => {
+
+const mutationKey = ['estSimpleEnroll'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof estSimpleEnroll>>, {data: string}> = (props) => {
+          const {data} = props ?? {};
+
+          return  estSimpleEnroll(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type EstSimpleEnrollMutationResult = NonNullable<Awaited<ReturnType<typeof estSimpleEnroll>>>
+    export type EstSimpleEnrollMutationBody = string
+    export type EstSimpleEnrollMutationError = BadRequestResponse | void | InternalErrorResponse
+
+    /**
+ * @summary EST simple enrollment
+ */
+export const useEstSimpleEnroll = <TError = BadRequestResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof estSimpleEnroll>>, TError,{data: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof estSimpleEnroll>>,
+        TError,
+        {data: string},
+        TContext
+      > => {
+
+      const mutationOptions = getEstSimpleEnrollMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Re-enrolls an existing certificate (same as simpleenroll in certctl's
+implementation — re-enrollment is treated as a fresh issuance) per
+RFC 7030 §4.2.2.
+
+ * @summary EST simple re-enrollment
+ */
+export const estSimpleReEnroll = (
+    estSimpleReEnrollBody: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/.well-known/est/simplereenroll`, method: 'POST',
+      headers: {'Content-Type': 'application/pkcs10', },
+      data: estSimpleReEnrollBody, signal
+    },
+      );
+    }
+  
+
+
+export const getEstSimpleReEnrollMutationOptions = <TError = BadRequestResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof estSimpleReEnroll>>, TError,{data: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof estSimpleReEnroll>>, TError,{data: string}, TContext> => {
+
+const mutationKey = ['estSimpleReEnroll'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof estSimpleReEnroll>>, {data: string}> = (props) => {
+          const {data} = props ?? {};
+
+          return  estSimpleReEnroll(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type EstSimpleReEnrollMutationResult = NonNullable<Awaited<ReturnType<typeof estSimpleReEnroll>>>
+    export type EstSimpleReEnrollMutationBody = string
+    export type EstSimpleReEnrollMutationError = BadRequestResponse | void | InternalErrorResponse
+
+    /**
+ * @summary EST simple re-enrollment
+ */
+export const useEstSimpleReEnroll = <TError = BadRequestResponse | void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof estSimpleReEnroll>>, TError,{data: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof estSimpleReEnroll>>,
+        TError,
+        {data: string},
+        TContext
+      > => {
+
+      const mutationOptions = getEstSimpleReEnrollMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns attributes the EST client should include in its CSR per
+RFC 7030 §4.5. certctl currently returns an empty attribute set
+(HTTP 204) — profile-based constraints are enforced server-side
+during enrollment rather than advertised here.
+
+ * @summary EST CSR attributes
+ */
+export const estCSRAttrs = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string | void>(
+      {url: `/.well-known/est/csrattrs`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getEstCSRAttrsQueryKey = () => {
+    return [
+    `/.well-known/est/csrattrs`
+    ] as const;
+    }
+
+    
+export const getEstCSRAttrsQueryOptions = <TData = Awaited<ReturnType<typeof estCSRAttrs>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCSRAttrs>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getEstCSRAttrsQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof estCSRAttrs>>> = ({ signal }) => estCSRAttrs(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof estCSRAttrs>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type EstCSRAttrsQueryResult = NonNullable<Awaited<ReturnType<typeof estCSRAttrs>>>
+export type EstCSRAttrsQueryError = InternalErrorResponse
+
+
+export function useEstCSRAttrs<TData = Awaited<ReturnType<typeof estCSRAttrs>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCSRAttrs>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof estCSRAttrs>>,
+          TError,
+          Awaited<ReturnType<typeof estCSRAttrs>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useEstCSRAttrs<TData = Awaited<ReturnType<typeof estCSRAttrs>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCSRAttrs>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof estCSRAttrs>>,
+          TError,
+          Awaited<ReturnType<typeof estCSRAttrs>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useEstCSRAttrs<TData = Awaited<ReturnType<typeof estCSRAttrs>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCSRAttrs>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary EST CSR attributes
+ */
+
+export function useEstCSRAttrs<TData = Awaited<ReturnType<typeof estCSRAttrs>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof estCSRAttrs>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getEstCSRAttrsQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * EST RFC 7030 §4.4 server-keygen endpoint. Server generates the
+keypair, issues the certificate with the new pubkey, and returns
+BOTH the cert (as `application/pkcs7-mime; smime-type=certs-only`)
+AND the corresponding private key (as `application/pkcs7-mime;
+smime-type=enveloped-data` — the private key is wrapped in CMS
+EnvelopedData encrypted to the client's CSR-supplied
+key-encipherment public key per RFC 7030 §4.4.2).
+
+The two parts are returned as a `multipart/mixed` response body
+with a per-response random boundary. Standard EST clients
+(libest, openssl + smime) parse this multipart body natively.
+
+Per-profile gate: this endpoint is registered for every EST
+profile but returns 404 unless the operator opted in via
+`CERTCTL_EST_PROFILE_<NAME>_SERVER_KEYGEN_ENABLED=true`. The
+per-profile gate constrains the attack surface — server-driven
+keygen requires the server to hold plaintext private keys
+briefly, a meaningful trust delta from device-driven keygen.
+
+Auth modes match the simpleenroll endpoint: HTTP Basic when the
+per-profile enrollment-password is set, anonymous otherwise.
+The mTLS sibling route at /.well-known/est-mtls/<PathID>/serverkeygen
+is registered when the profile has MTLS_ENABLED=true.
+
+EST RFC 7030 hardening master bundle Phase 5.
+
+ * @summary EST server-driven key generation (RFC 7030 §4.4)
+ */
+export const estServerKeygen = (
+    estServerKeygenBody: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/.well-known/est/serverkeygen`, method: 'POST',
+      headers: {'Content-Type': 'application/pkcs10', },
+      data: estServerKeygenBody, signal
+    },
+      );
+    }
+  
+
+
+export const getEstServerKeygenMutationOptions = <TError = void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof estServerKeygen>>, TError,{data: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof estServerKeygen>>, TError,{data: string}, TContext> => {
+
+const mutationKey = ['estServerKeygen'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof estServerKeygen>>, {data: string}> = (props) => {
+          const {data} = props ?? {};
+
+          return  estServerKeygen(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type EstServerKeygenMutationResult = NonNullable<Awaited<ReturnType<typeof estServerKeygen>>>
+    export type EstServerKeygenMutationBody = string
+    export type EstServerKeygenMutationError = void | InternalErrorResponse
+
+    /**
+ * @summary EST server-driven key generation (RFC 7030 §4.4)
+ */
+export const useEstServerKeygen = <TError = void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof estServerKeygen>>, TError,{data: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof estServerKeygen>>,
+        TError,
+        {data: string},
+        TContext
+      > => {
+
+      const mutationOptions = getEstServerKeygenMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    

web/src/api/generated/health-monitoring/health-monitoring.ts

@@ -0,0 +1,695 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  AcknowledgeHealthCheckIncidentBody,
+  BadRequestResponse,
+  CreateHealthCheckBody,
+  EndpointHealthCheck,
+  GetHealthCheckHistory200,
+  GetHealthCheckHistoryParams,
+  GetHealthCheckSummary200,
+  InternalErrorResponse,
+  ListHealthChecks200,
+  ListHealthChecksParams,
+  NotFoundResponse,
+  UpdateHealthCheckBody
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Lists all TLS endpoint health checks with optional filtering by status, certificate, or network scan target.
+Includes current status, last probe results, and probe history summary.
+
+ * @summary List endpoint health checks
+ */
+export const listHealthChecks = (
+    params?: ListHealthChecksParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListHealthChecks200>(
+      {url: `/api/v1/health-checks`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListHealthChecksQueryKey = (params?: ListHealthChecksParams,) => {
+    return [
+    `/api/v1/health-checks`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListHealthChecksQueryOptions = <TData = Awaited<ReturnType<typeof listHealthChecks>>, TError = InternalErrorResponse>(params?: ListHealthChecksParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listHealthChecks>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListHealthChecksQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listHealthChecks>>> = ({ signal }) => listHealthChecks(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listHealthChecks>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListHealthChecksQueryResult = NonNullable<Awaited<ReturnType<typeof listHealthChecks>>>
+export type ListHealthChecksQueryError = InternalErrorResponse
+
+
+export function useListHealthChecks<TData = Awaited<ReturnType<typeof listHealthChecks>>, TError = InternalErrorResponse>(
+ params: undefined |  ListHealthChecksParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listHealthChecks>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listHealthChecks>>,
+          TError,
+          Awaited<ReturnType<typeof listHealthChecks>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListHealthChecks<TData = Awaited<ReturnType<typeof listHealthChecks>>, TError = InternalErrorResponse>(
+ params?: ListHealthChecksParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listHealthChecks>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listHealthChecks>>,
+          TError,
+          Awaited<ReturnType<typeof listHealthChecks>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListHealthChecks<TData = Awaited<ReturnType<typeof listHealthChecks>>, TError = InternalErrorResponse>(
+ params?: ListHealthChecksParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listHealthChecks>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List endpoint health checks
+ */
+
+export function useListHealthChecks<TData = Awaited<ReturnType<typeof listHealthChecks>>, TError = InternalErrorResponse>(
+ params?: ListHealthChecksParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listHealthChecks>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListHealthChecksQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Creates a new manual health check for an endpoint.
+ * @summary Create health check
+ */
+export const createHealthCheck = (
+    createHealthCheckBody: CreateHealthCheckBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<EndpointHealthCheck>(
+      {url: `/api/v1/health-checks`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: createHealthCheckBody, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateHealthCheckMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createHealthCheck>>, TError,{data: CreateHealthCheckBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createHealthCheck>>, TError,{data: CreateHealthCheckBody}, TContext> => {
+
+const mutationKey = ['createHealthCheck'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createHealthCheck>>, {data: CreateHealthCheckBody}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createHealthCheck(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateHealthCheckMutationResult = NonNullable<Awaited<ReturnType<typeof createHealthCheck>>>
+    export type CreateHealthCheckMutationBody = CreateHealthCheckBody
+    export type CreateHealthCheckMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create health check
+ */
+export const useCreateHealthCheck = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createHealthCheck>>, TError,{data: CreateHealthCheckBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createHealthCheck>>,
+        TError,
+        {data: CreateHealthCheckBody},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateHealthCheckMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns aggregate status counts for all health checks.
+ * @summary Health check summary
+ */
+export const getHealthCheckSummary = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetHealthCheckSummary200>(
+      {url: `/api/v1/health-checks/summary`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetHealthCheckSummaryQueryKey = () => {
+    return [
+    `/api/v1/health-checks/summary`
+    ] as const;
+    }
+
+    
+export const getGetHealthCheckSummaryQueryOptions = <TData = Awaited<ReturnType<typeof getHealthCheckSummary>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckSummary>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetHealthCheckSummaryQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getHealthCheckSummary>>> = ({ signal }) => getHealthCheckSummary(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckSummary>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetHealthCheckSummaryQueryResult = NonNullable<Awaited<ReturnType<typeof getHealthCheckSummary>>>
+export type GetHealthCheckSummaryQueryError = InternalErrorResponse
+
+
+export function useGetHealthCheckSummary<TData = Awaited<ReturnType<typeof getHealthCheckSummary>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckSummary>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealthCheckSummary>>,
+          TError,
+          Awaited<ReturnType<typeof getHealthCheckSummary>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealthCheckSummary<TData = Awaited<ReturnType<typeof getHealthCheckSummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckSummary>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealthCheckSummary>>,
+          TError,
+          Awaited<ReturnType<typeof getHealthCheckSummary>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealthCheckSummary<TData = Awaited<ReturnType<typeof getHealthCheckSummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckSummary>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Health check summary
+ */
+
+export function useGetHealthCheckSummary<TData = Awaited<ReturnType<typeof getHealthCheckSummary>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckSummary>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetHealthCheckSummaryQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Get health check
+ */
+export const getHealthCheck = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<EndpointHealthCheck>(
+      {url: `/api/v1/health-checks/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetHealthCheckQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/health-checks/${id}`
+    ] as const;
+    }
+
+    
+export const getGetHealthCheckQueryOptions = <TData = Awaited<ReturnType<typeof getHealthCheck>>, TError = NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheck>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetHealthCheckQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getHealthCheck>>> = ({ signal }) => getHealthCheck(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getHealthCheck>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetHealthCheckQueryResult = NonNullable<Awaited<ReturnType<typeof getHealthCheck>>>
+export type GetHealthCheckQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useGetHealthCheck<TData = Awaited<ReturnType<typeof getHealthCheck>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheck>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealthCheck>>,
+          TError,
+          Awaited<ReturnType<typeof getHealthCheck>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealthCheck<TData = Awaited<ReturnType<typeof getHealthCheck>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheck>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealthCheck>>,
+          TError,
+          Awaited<ReturnType<typeof getHealthCheck>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealthCheck<TData = Awaited<ReturnType<typeof getHealthCheck>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheck>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get health check
+ */
+
+export function useGetHealthCheck<TData = Awaited<ReturnType<typeof getHealthCheck>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheck>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetHealthCheckQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Update thresholds, interval, or expected fingerprint.
+ * @summary Update health check
+ */
+export const updateHealthCheck = (
+    id: string,
+    updateHealthCheckBody: UpdateHealthCheckBody,
+ ) => {
+      
+      
+      return certctlFetch<EndpointHealthCheck>(
+      {url: `/api/v1/health-checks/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: updateHealthCheckBody
+    },
+      );
+    }
+  
+
+
+export const getUpdateHealthCheckMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateHealthCheck>>, TError,{id: string;data: UpdateHealthCheckBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateHealthCheck>>, TError,{id: string;data: UpdateHealthCheckBody}, TContext> => {
+
+const mutationKey = ['updateHealthCheck'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateHealthCheck>>, {id: string;data: UpdateHealthCheckBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateHealthCheck(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateHealthCheckMutationResult = NonNullable<Awaited<ReturnType<typeof updateHealthCheck>>>
+    export type UpdateHealthCheckMutationBody = UpdateHealthCheckBody
+    export type UpdateHealthCheckMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Update health check
+ */
+export const useUpdateHealthCheck = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateHealthCheck>>, TError,{id: string;data: UpdateHealthCheckBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateHealthCheck>>,
+        TError,
+        {id: string;data: UpdateHealthCheckBody},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateHealthCheckMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Delete health check
+ */
+export const deleteHealthCheck = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/health-checks/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteHealthCheckMutationOptions = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteHealthCheck>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteHealthCheck>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteHealthCheck'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteHealthCheck>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteHealthCheck(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteHealthCheckMutationResult = NonNullable<Awaited<ReturnType<typeof deleteHealthCheck>>>
+    
+    export type DeleteHealthCheckMutationError = NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete health check
+ */
+export const useDeleteHealthCheck = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteHealthCheck>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteHealthCheck>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteHealthCheckMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Returns historical probe records with status, response times, and errors.
+ * @summary Get probe history
+ */
+export const getHealthCheckHistory = (
+    id: string,
+    params?: GetHealthCheckHistoryParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetHealthCheckHistory200>(
+      {url: `/api/v1/health-checks/${id}/history`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetHealthCheckHistoryQueryKey = (id?: string,
+    params?: GetHealthCheckHistoryParams,) => {
+    return [
+    `/api/v1/health-checks/${id}/history`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getGetHealthCheckHistoryQueryOptions = <TData = Awaited<ReturnType<typeof getHealthCheckHistory>>, TError = NotFoundResponse | InternalErrorResponse>(id: string,
+    params?: GetHealthCheckHistoryParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckHistory>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetHealthCheckHistoryQueryKey(id,params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getHealthCheckHistory>>> = ({ signal }) => getHealthCheckHistory(id,params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckHistory>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetHealthCheckHistoryQueryResult = NonNullable<Awaited<ReturnType<typeof getHealthCheckHistory>>>
+export type GetHealthCheckHistoryQueryError = NotFoundResponse | InternalErrorResponse
+
+
+export function useGetHealthCheckHistory<TData = Awaited<ReturnType<typeof getHealthCheckHistory>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params: undefined |  GetHealthCheckHistoryParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckHistory>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealthCheckHistory>>,
+          TError,
+          Awaited<ReturnType<typeof getHealthCheckHistory>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealthCheckHistory<TData = Awaited<ReturnType<typeof getHealthCheckHistory>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params?: GetHealthCheckHistoryParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckHistory>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealthCheckHistory>>,
+          TError,
+          Awaited<ReturnType<typeof getHealthCheckHistory>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealthCheckHistory<TData = Awaited<ReturnType<typeof getHealthCheckHistory>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params?: GetHealthCheckHistoryParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckHistory>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get probe history
+ */
+
+export function useGetHealthCheckHistory<TData = Awaited<ReturnType<typeof getHealthCheckHistory>>, TError = NotFoundResponse | InternalErrorResponse>(
+ id: string,
+    params?: GetHealthCheckHistoryParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealthCheckHistory>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetHealthCheckHistoryQueryOptions(id,params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Mark a health check incident as acknowledged by the operator.
+ * @summary Acknowledge incident
+ */
+export const acknowledgeHealthCheckIncident = (
+    id: string,
+    acknowledgeHealthCheckIncidentBody: AcknowledgeHealthCheckIncidentBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<EndpointHealthCheck>(
+      {url: `/api/v1/health-checks/${id}/acknowledge`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: acknowledgeHealthCheckIncidentBody, signal
+    },
+      );
+    }
+  
+
+
+export const getAcknowledgeHealthCheckIncidentMutationOptions = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof acknowledgeHealthCheckIncident>>, TError,{id: string;data: AcknowledgeHealthCheckIncidentBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof acknowledgeHealthCheckIncident>>, TError,{id: string;data: AcknowledgeHealthCheckIncidentBody}, TContext> => {
+
+const mutationKey = ['acknowledgeHealthCheckIncident'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof acknowledgeHealthCheckIncident>>, {id: string;data: AcknowledgeHealthCheckIncidentBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  acknowledgeHealthCheckIncident(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type AcknowledgeHealthCheckIncidentMutationResult = NonNullable<Awaited<ReturnType<typeof acknowledgeHealthCheckIncident>>>
+    export type AcknowledgeHealthCheckIncidentMutationBody = AcknowledgeHealthCheckIncidentBody
+    export type AcknowledgeHealthCheckIncidentMutationError = NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Acknowledge incident
+ */
+export const useAcknowledgeHealthCheckIncident = <TError = NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof acknowledgeHealthCheckIncident>>, TError,{id: string;data: AcknowledgeHealthCheckIncidentBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof acknowledgeHealthCheckIncident>>,
+        TError,
+        {id: string;data: AcknowledgeHealthCheckIncidentBody},
+        TContext
+      > => {
+
+      const mutationOptions = getAcknowledgeHealthCheckIncidentMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    

web/src/api/generated/health/health.ts

@@ -0,0 +1,526 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  CheckAuth200,
+  GetAuthInfo200,
+  GetHealth200,
+  GetReady200,
+  GetVersion200
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary Health check
+ */
+export const getHealth = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetHealth200>(
+      {url: `/health`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetHealthQueryKey = () => {
+    return [
+    `/health`
+    ] as const;
+    }
+
+    
+export const getGetHealthQueryOptions = <TData = Awaited<ReturnType<typeof getHealth>>, TError = unknown>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealth>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetHealthQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getHealth>>> = ({ signal }) => getHealth(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getHealth>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetHealthQueryResult = NonNullable<Awaited<ReturnType<typeof getHealth>>>
+export type GetHealthQueryError = unknown
+
+
+export function useGetHealth<TData = Awaited<ReturnType<typeof getHealth>>, TError = unknown>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealth>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealth>>,
+          TError,
+          Awaited<ReturnType<typeof getHealth>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealth<TData = Awaited<ReturnType<typeof getHealth>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealth>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getHealth>>,
+          TError,
+          Awaited<ReturnType<typeof getHealth>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetHealth<TData = Awaited<ReturnType<typeof getHealth>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealth>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Health check
+ */
+
+export function useGetHealth<TData = Awaited<ReturnType<typeof getHealth>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getHealth>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetHealthQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Readiness check
+ */
+export const getReady = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetReady200>(
+      {url: `/ready`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetReadyQueryKey = () => {
+    return [
+    `/ready`
+    ] as const;
+    }
+
+    
+export const getGetReadyQueryOptions = <TData = Awaited<ReturnType<typeof getReady>>, TError = unknown>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getReady>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetReadyQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getReady>>> = ({ signal }) => getReady(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getReady>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetReadyQueryResult = NonNullable<Awaited<ReturnType<typeof getReady>>>
+export type GetReadyQueryError = unknown
+
+
+export function useGetReady<TData = Awaited<ReturnType<typeof getReady>>, TError = unknown>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getReady>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getReady>>,
+          TError,
+          Awaited<ReturnType<typeof getReady>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetReady<TData = Awaited<ReturnType<typeof getReady>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getReady>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getReady>>,
+          TError,
+          Awaited<ReturnType<typeof getReady>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetReady<TData = Awaited<ReturnType<typeof getReady>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getReady>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Readiness check
+ */
+
+export function useGetReady<TData = Awaited<ReturnType<typeof getReady>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getReady>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetReadyQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns auth mode. Served without auth so GUI can detect auth requirements before login.
+ * @summary Auth configuration info
+ */
+export const getAuthInfo = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetAuthInfo200>(
+      {url: `/api/v1/auth/info`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetAuthInfoQueryKey = () => {
+    return [
+    `/api/v1/auth/info`
+    ] as const;
+    }
+
+    
+export const getGetAuthInfoQueryOptions = <TData = Awaited<ReturnType<typeof getAuthInfo>>, TError = unknown>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthInfo>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetAuthInfoQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getAuthInfo>>> = ({ signal }) => getAuthInfo(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getAuthInfo>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetAuthInfoQueryResult = NonNullable<Awaited<ReturnType<typeof getAuthInfo>>>
+export type GetAuthInfoQueryError = unknown
+
+
+export function useGetAuthInfo<TData = Awaited<ReturnType<typeof getAuthInfo>>, TError = unknown>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthInfo>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuthInfo>>,
+          TError,
+          Awaited<ReturnType<typeof getAuthInfo>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuthInfo<TData = Awaited<ReturnType<typeof getAuthInfo>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthInfo>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getAuthInfo>>,
+          TError,
+          Awaited<ReturnType<typeof getAuthInfo>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetAuthInfo<TData = Awaited<ReturnType<typeof getAuthInfo>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthInfo>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Auth configuration info
+ */
+
+export function useGetAuthInfo<TData = Awaited<ReturnType<typeof getAuthInfo>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getAuthInfo>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetAuthInfoQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns 200 if auth credentials are valid, 401 otherwise.
+
+Bundle 1 Phase 3 closure (M1): when the server has the RBAC
+primitive wired (Bundle 1 default), the response also includes
+the caller's `actor_id`, `actor_type`, `tenant_id`, the
+`roles` they hold, and `effective_permissions` they resolve
+to. The legacy `admin` boolean is preserved for back-compat
+with pre-Bundle-1 GUIs; new GUIs should switch to
+`effective_permissions` for affordance gating.
+
+ * @summary Validate credentials
+ */
+export const checkAuth = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<CheckAuth200>(
+      {url: `/api/v1/auth/check`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getCheckAuthQueryKey = () => {
+    return [
+    `/api/v1/auth/check`
+    ] as const;
+    }
+
+    
+export const getCheckAuthQueryOptions = <TData = Awaited<ReturnType<typeof checkAuth>>, TError = void>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof checkAuth>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getCheckAuthQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof checkAuth>>> = ({ signal }) => checkAuth(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof checkAuth>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type CheckAuthQueryResult = NonNullable<Awaited<ReturnType<typeof checkAuth>>>
+export type CheckAuthQueryError = void
+
+
+export function useCheckAuth<TData = Awaited<ReturnType<typeof checkAuth>>, TError = void>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof checkAuth>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof checkAuth>>,
+          TError,
+          Awaited<ReturnType<typeof checkAuth>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useCheckAuth<TData = Awaited<ReturnType<typeof checkAuth>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof checkAuth>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof checkAuth>>,
+          TError,
+          Awaited<ReturnType<typeof checkAuth>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useCheckAuth<TData = Awaited<ReturnType<typeof checkAuth>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof checkAuth>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Validate credentials
+ */
+
+export function useCheckAuth<TData = Awaited<ReturnType<typeof checkAuth>>, TError = void>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof checkAuth>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getCheckAuthQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Returns the running server's build identity. Served without
+auth so rollout systems and blackbox probes can read it without
+Bearer credentials. U-3 ride-along (cat-u-no_version_endpoint).
+Excluded from audit logging because rollout polling would
+otherwise dominate the audit trail.
+
+The Version field follows a fallback ladder: ldflags-supplied
+value > VCS commit SHA > "dev". Commit / Modified / BuildTime
+come from runtime/debug.BuildInfo (Go 1.18+ stamps these on
+every module-tracked build). GoVersion is runtime.Version().
+
+ * @summary Build identity (version, commit, Go runtime)
+ */
+export const getVersion = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<GetVersion200>(
+      {url: `/api/v1/version`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetVersionQueryKey = () => {
+    return [
+    `/api/v1/version`
+    ] as const;
+    }
+
+    
+export const getGetVersionQueryOptions = <TData = Awaited<ReturnType<typeof getVersion>>, TError = unknown>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getVersion>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetVersionQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getVersion>>> = ({ signal }) => getVersion(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getVersion>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetVersionQueryResult = NonNullable<Awaited<ReturnType<typeof getVersion>>>
+export type GetVersionQueryError = unknown
+
+
+export function useGetVersion<TData = Awaited<ReturnType<typeof getVersion>>, TError = unknown>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getVersion>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getVersion>>,
+          TError,
+          Awaited<ReturnType<typeof getVersion>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetVersion<TData = Awaited<ReturnType<typeof getVersion>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getVersion>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getVersion>>,
+          TError,
+          Awaited<ReturnType<typeof getVersion>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetVersion<TData = Awaited<ReturnType<typeof getVersion>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getVersion>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Build identity (version, commit, Go runtime)
+ */
+
+export function useGetVersion<TData = Awaited<ReturnType<typeof getVersion>>, TError = unknown>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getVersion>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetVersionQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+

web/src/api/generated/intermediate-c-as/intermediate-c-as.ts

@@ -0,0 +1,381 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  CreateIntermediateCABody,
+  InternalErrorResponse,
+  ListIntermediateCAs200,
+  NotFoundResponse,
+  RetireIntermediateCABody
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * Admin-gated. Discriminator on body shape: when parent_ca_id is
+empty AND root_cert_pem + key_driver_id are present, the
+endpoint registers an operator-supplied root CA. Otherwise it
+signs a child sub-CA cert under the named parent (RFC 5280
+§4.2.1.9 path-length tightening + §4.2.1.10 NameConstraints
+subset semantics enforced at the service layer).
+
+ * @summary Create a root or child intermediate CA under the issuer
+ */
+export const createIntermediateCA = (
+    id: string,
+    createIntermediateCABody: CreateIntermediateCABody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/issuers/${id}/intermediates`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: createIntermediateCABody, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateIntermediateCAMutationOptions = <TError = void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createIntermediateCA>>, TError,{id: string;data: CreateIntermediateCABody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createIntermediateCA>>, TError,{id: string;data: CreateIntermediateCABody}, TContext> => {
+
+const mutationKey = ['createIntermediateCA'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createIntermediateCA>>, {id: string;data: CreateIntermediateCABody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  createIntermediateCA(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateIntermediateCAMutationResult = NonNullable<Awaited<ReturnType<typeof createIntermediateCA>>>
+    export type CreateIntermediateCAMutationBody = CreateIntermediateCABody
+    export type CreateIntermediateCAMutationError = void | InternalErrorResponse
+
+    /**
+ * @summary Create a root or child intermediate CA under the issuer
+ */
+export const useCreateIntermediateCA = <TError = void | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createIntermediateCA>>, TError,{id: string;data: CreateIntermediateCABody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createIntermediateCA>>,
+        TError,
+        {id: string;data: CreateIntermediateCABody},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateIntermediateCAMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Admin-gated. Returns the flat list of every IntermediateCA row
+for the issuer, ordered by created_at. The caller renders the
+tree from each row's parent_ca_id (nil = root).
+
+ * @summary List the CA hierarchy for an issuer
+ */
+export const listIntermediateCAs = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListIntermediateCAs200>(
+      {url: `/api/v1/issuers/${id}/intermediates`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getListIntermediateCAsQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/issuers/${id}/intermediates`
+    ] as const;
+    }
+
+    
+export const getListIntermediateCAsQueryOptions = <TData = Awaited<ReturnType<typeof listIntermediateCAs>>, TError = void>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIntermediateCAs>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListIntermediateCAsQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listIntermediateCAs>>> = ({ signal }) => listIntermediateCAs(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listIntermediateCAs>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListIntermediateCAsQueryResult = NonNullable<Awaited<ReturnType<typeof listIntermediateCAs>>>
+export type ListIntermediateCAsQueryError = void
+
+
+export function useListIntermediateCAs<TData = Awaited<ReturnType<typeof listIntermediateCAs>>, TError = void>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIntermediateCAs>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listIntermediateCAs>>,
+          TError,
+          Awaited<ReturnType<typeof listIntermediateCAs>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListIntermediateCAs<TData = Awaited<ReturnType<typeof listIntermediateCAs>>, TError = void>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIntermediateCAs>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listIntermediateCAs>>,
+          TError,
+          Awaited<ReturnType<typeof listIntermediateCAs>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListIntermediateCAs<TData = Awaited<ReturnType<typeof listIntermediateCAs>>, TError = void>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIntermediateCAs>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List the CA hierarchy for an issuer
+ */
+
+export function useListIntermediateCAs<TData = Awaited<ReturnType<typeof listIntermediateCAs>>, TError = void>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIntermediateCAs>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListIntermediateCAsQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Get a single intermediate CA by ID
+ */
+export const getIntermediateCA = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/intermediates/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetIntermediateCAQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/intermediates/${id}`
+    ] as const;
+    }
+
+    
+export const getGetIntermediateCAQueryOptions = <TData = Awaited<ReturnType<typeof getIntermediateCA>>, TError = void | NotFoundResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIntermediateCA>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetIntermediateCAQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getIntermediateCA>>> = ({ signal }) => getIntermediateCA(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getIntermediateCA>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetIntermediateCAQueryResult = NonNullable<Awaited<ReturnType<typeof getIntermediateCA>>>
+export type GetIntermediateCAQueryError = void | NotFoundResponse
+
+
+export function useGetIntermediateCA<TData = Awaited<ReturnType<typeof getIntermediateCA>>, TError = void | NotFoundResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIntermediateCA>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getIntermediateCA>>,
+          TError,
+          Awaited<ReturnType<typeof getIntermediateCA>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetIntermediateCA<TData = Awaited<ReturnType<typeof getIntermediateCA>>, TError = void | NotFoundResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIntermediateCA>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getIntermediateCA>>,
+          TError,
+          Awaited<ReturnType<typeof getIntermediateCA>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetIntermediateCA<TData = Awaited<ReturnType<typeof getIntermediateCA>>, TError = void | NotFoundResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIntermediateCA>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get a single intermediate CA by ID
+ */
+
+export function useGetIntermediateCA<TData = Awaited<ReturnType<typeof getIntermediateCA>>, TError = void | NotFoundResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIntermediateCA>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetIntermediateCAQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Admin-gated. Two-phase: first call (confirm=false) transitions
+active to retiring (the CA stops issuing new children but
+existing children continue). Second call (confirm=true)
+transitions retiring to retired (terminal). Refuses the
+terminal transition if the CA still has active children —
+drain-first semantics.
+
+ * @summary Retire an intermediate CA (two-phase drain)
+ */
+export const retireIntermediateCA = (
+    id: string,
+    retireIntermediateCABody?: RetireIntermediateCABody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/intermediates/${id}/retire`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: retireIntermediateCABody, signal
+    },
+      );
+    }
+  
+
+
+export const getRetireIntermediateCAMutationOptions = <TError = void | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof retireIntermediateCA>>, TError,{id: string;data: RetireIntermediateCABody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof retireIntermediateCA>>, TError,{id: string;data: RetireIntermediateCABody}, TContext> => {
+
+const mutationKey = ['retireIntermediateCA'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof retireIntermediateCA>>, {id: string;data: RetireIntermediateCABody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  retireIntermediateCA(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RetireIntermediateCAMutationResult = NonNullable<Awaited<ReturnType<typeof retireIntermediateCA>>>
+    export type RetireIntermediateCAMutationBody = RetireIntermediateCABody
+    export type RetireIntermediateCAMutationError = void | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Retire an intermediate CA (two-phase drain)
+ */
+export const useRetireIntermediateCA = <TError = void | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof retireIntermediateCA>>, TError,{id: string;data: RetireIntermediateCABody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof retireIntermediateCA>>,
+        TError,
+        {id: string;data: RetireIntermediateCABody},
+        TContext
+      > => {
+
+      const mutationOptions = getRetireIntermediateCAMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    

web/src/api/generated/issuers/issuers.ts

@@ -0,0 +1,487 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  InternalErrorResponse,
+  Issuer,
+  ListIssuers200,
+  ListIssuersParams,
+  NotFoundResponse,
+  StatusResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List issuers
+ */
+export const listIssuers = (
+    params?: ListIssuersParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListIssuers200>(
+      {url: `/api/v1/issuers`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListIssuersQueryKey = (params?: ListIssuersParams,) => {
+    return [
+    `/api/v1/issuers`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListIssuersQueryOptions = <TData = Awaited<ReturnType<typeof listIssuers>>, TError = InternalErrorResponse>(params?: ListIssuersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIssuers>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListIssuersQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listIssuers>>> = ({ signal }) => listIssuers(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listIssuers>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListIssuersQueryResult = NonNullable<Awaited<ReturnType<typeof listIssuers>>>
+export type ListIssuersQueryError = InternalErrorResponse
+
+
+export function useListIssuers<TData = Awaited<ReturnType<typeof listIssuers>>, TError = InternalErrorResponse>(
+ params: undefined |  ListIssuersParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIssuers>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listIssuers>>,
+          TError,
+          Awaited<ReturnType<typeof listIssuers>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListIssuers<TData = Awaited<ReturnType<typeof listIssuers>>, TError = InternalErrorResponse>(
+ params?: ListIssuersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIssuers>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listIssuers>>,
+          TError,
+          Awaited<ReturnType<typeof listIssuers>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListIssuers<TData = Awaited<ReturnType<typeof listIssuers>>, TError = InternalErrorResponse>(
+ params?: ListIssuersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIssuers>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List issuers
+ */
+
+export function useListIssuers<TData = Awaited<ReturnType<typeof listIssuers>>, TError = InternalErrorResponse>(
+ params?: ListIssuersParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listIssuers>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListIssuersQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Create issuer
+ */
+export const createIssuer = (
+    issuer: Issuer,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Issuer>(
+      {url: `/api/v1/issuers`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: issuer, signal
+    },
+      );
+    }
+  
+
+
+export const getCreateIssuerMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createIssuer>>, TError,{data: Issuer}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof createIssuer>>, TError,{data: Issuer}, TContext> => {
+
+const mutationKey = ['createIssuer'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof createIssuer>>, {data: Issuer}> = (props) => {
+          const {data} = props ?? {};
+
+          return  createIssuer(data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CreateIssuerMutationResult = NonNullable<Awaited<ReturnType<typeof createIssuer>>>
+    export type CreateIssuerMutationBody = Issuer
+    export type CreateIssuerMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Create issuer
+ */
+export const useCreateIssuer = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof createIssuer>>, TError,{data: Issuer}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof createIssuer>>,
+        TError,
+        {data: Issuer},
+        TContext
+      > => {
+
+      const mutationOptions = getCreateIssuerMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Get issuer
+ */
+export const getIssuer = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Issuer>(
+      {url: `/api/v1/issuers/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetIssuerQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/issuers/${id}`
+    ] as const;
+    }
+
+    
+export const getGetIssuerQueryOptions = <TData = Awaited<ReturnType<typeof getIssuer>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuer>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetIssuerQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getIssuer>>> = ({ signal }) => getIssuer(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getIssuer>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetIssuerQueryResult = NonNullable<Awaited<ReturnType<typeof getIssuer>>>
+export type GetIssuerQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetIssuer<TData = Awaited<ReturnType<typeof getIssuer>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuer>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getIssuer>>,
+          TError,
+          Awaited<ReturnType<typeof getIssuer>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetIssuer<TData = Awaited<ReturnType<typeof getIssuer>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuer>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getIssuer>>,
+          TError,
+          Awaited<ReturnType<typeof getIssuer>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetIssuer<TData = Awaited<ReturnType<typeof getIssuer>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuer>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get issuer
+ */
+
+export function useGetIssuer<TData = Awaited<ReturnType<typeof getIssuer>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getIssuer>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetIssuerQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Update issuer
+ */
+export const updateIssuer = (
+    id: string,
+    issuer: Issuer,
+ ) => {
+      
+      
+      return certctlFetch<Issuer>(
+      {url: `/api/v1/issuers/${id}`, method: 'PUT',
+      headers: {'Content-Type': 'application/json', },
+      data: issuer
+    },
+      );
+    }
+  
+
+
+export const getUpdateIssuerMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateIssuer>>, TError,{id: string;data: Issuer}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof updateIssuer>>, TError,{id: string;data: Issuer}, TContext> => {
+
+const mutationKey = ['updateIssuer'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof updateIssuer>>, {id: string;data: Issuer}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  updateIssuer(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type UpdateIssuerMutationResult = NonNullable<Awaited<ReturnType<typeof updateIssuer>>>
+    export type UpdateIssuerMutationBody = Issuer
+    export type UpdateIssuerMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Update issuer
+ */
+export const useUpdateIssuer = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof updateIssuer>>, TError,{id: string;data: Issuer}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof updateIssuer>>,
+        TError,
+        {id: string;data: Issuer},
+        TContext
+      > => {
+
+      const mutationOptions = getUpdateIssuerMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Delete issuer
+ */
+export const deleteIssuer = (
+    id: string,
+ ) => {
+      
+      
+      return certctlFetch<void>(
+      {url: `/api/v1/issuers/${id}`, method: 'DELETE'
+    },
+      );
+    }
+  
+
+
+export const getDeleteIssuerMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteIssuer>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof deleteIssuer>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['deleteIssuer'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof deleteIssuer>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  deleteIssuer(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type DeleteIssuerMutationResult = NonNullable<Awaited<ReturnType<typeof deleteIssuer>>>
+    
+    export type DeleteIssuerMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Delete issuer
+ */
+export const useDeleteIssuer = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof deleteIssuer>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof deleteIssuer>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getDeleteIssuerMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * @summary Test issuer connection
+ */
+export const testIssuerConnection = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/issuers/${id}/test`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getTestIssuerConnectionMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof testIssuerConnection>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof testIssuerConnection>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['testIssuerConnection'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof testIssuerConnection>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  testIssuerConnection(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type TestIssuerConnectionMutationResult = NonNullable<Awaited<ReturnType<typeof testIssuerConnection>>>
+    
+    export type TestIssuerConnectionMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Test issuer connection
+ */
+export const useTestIssuerConnection = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof testIssuerConnection>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof testIssuerConnection>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getTestIssuerConnectionMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    

web/src/api/generated/jobs/jobs.ts

@@ -0,0 +1,428 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useMutation,
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  MutationFunction,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseMutationOptions,
+  UseMutationResult,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  BadRequestResponse,
+  InternalErrorResponse,
+  Job,
+  ListJobs200,
+  ListJobsParams,
+  NotFoundResponse,
+  RejectJobBody,
+  StatusResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * @summary List jobs
+ */
+export const listJobs = (
+    params?: ListJobsParams,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<ListJobs200>(
+      {url: `/api/v1/jobs`, method: 'GET',
+        params, signal
+    },
+      );
+    }
+  
+
+
+
+export const getListJobsQueryKey = (params?: ListJobsParams,) => {
+    return [
+    `/api/v1/jobs`, ...(params ? [params]: [])
+    ] as const;
+    }
+
+    
+export const getListJobsQueryOptions = <TData = Awaited<ReturnType<typeof listJobs>>, TError = InternalErrorResponse>(params?: ListJobsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listJobs>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getListJobsQueryKey(params);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof listJobs>>> = ({ signal }) => listJobs(params, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof listJobs>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type ListJobsQueryResult = NonNullable<Awaited<ReturnType<typeof listJobs>>>
+export type ListJobsQueryError = InternalErrorResponse
+
+
+export function useListJobs<TData = Awaited<ReturnType<typeof listJobs>>, TError = InternalErrorResponse>(
+ params: undefined |  ListJobsParams, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof listJobs>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listJobs>>,
+          TError,
+          Awaited<ReturnType<typeof listJobs>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListJobs<TData = Awaited<ReturnType<typeof listJobs>>, TError = InternalErrorResponse>(
+ params?: ListJobsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listJobs>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof listJobs>>,
+          TError,
+          Awaited<ReturnType<typeof listJobs>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useListJobs<TData = Awaited<ReturnType<typeof listJobs>>, TError = InternalErrorResponse>(
+ params?: ListJobsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listJobs>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary List jobs
+ */
+
+export function useListJobs<TData = Awaited<ReturnType<typeof listJobs>>, TError = InternalErrorResponse>(
+ params?: ListJobsParams, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof listJobs>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getListJobsQueryOptions(params,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Get job
+ */
+export const getJob = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<Job>(
+      {url: `/api/v1/jobs/${id}`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetJobQueryKey = (id?: string,) => {
+    return [
+    `/api/v1/jobs/${id}`
+    ] as const;
+    }
+
+    
+export const getGetJobQueryOptions = <TData = Awaited<ReturnType<typeof getJob>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJob>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetJobQueryKey(id);
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getJob>>> = ({ signal }) => getJob(id, signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, enabled: !!(id), ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getJob>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetJobQueryResult = NonNullable<Awaited<ReturnType<typeof getJob>>>
+export type GetJobQueryError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+
+export function useGetJob<TData = Awaited<ReturnType<typeof getJob>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJob>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getJob>>,
+          TError,
+          Awaited<ReturnType<typeof getJob>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetJob<TData = Awaited<ReturnType<typeof getJob>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJob>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getJob>>,
+          TError,
+          Awaited<ReturnType<typeof getJob>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetJob<TData = Awaited<ReturnType<typeof getJob>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJob>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Get job
+ */
+
+export function useGetJob<TData = Awaited<ReturnType<typeof getJob>>, TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse>(
+ id: string, options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getJob>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetJobQueryOptions(id,options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * @summary Cancel job
+ */
+export const cancelJob = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/jobs/${id}/cancel`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getCancelJobMutationOptions = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof cancelJob>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof cancelJob>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['cancelJob'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof cancelJob>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  cancelJob(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type CancelJobMutationResult = NonNullable<Awaited<ReturnType<typeof cancelJob>>>
+    
+    export type CancelJobMutationError = BadRequestResponse | InternalErrorResponse
+
+    /**
+ * @summary Cancel job
+ */
+export const useCancelJob = <TError = BadRequestResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof cancelJob>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof cancelJob>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getCancelJobMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Approves a job in AwaitingApproval state.
+ * @summary Approve job
+ */
+export const approveJob = (
+    id: string,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/jobs/${id}/approve`, method: 'POST', signal
+    },
+      );
+    }
+  
+
+
+export const getApproveJobMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof approveJob>>, TError,{id: string}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof approveJob>>, TError,{id: string}, TContext> => {
+
+const mutationKey = ['approveJob'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof approveJob>>, {id: string}> = (props) => {
+          const {id} = props ?? {};
+
+          return  approveJob(id,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type ApproveJobMutationResult = NonNullable<Awaited<ReturnType<typeof approveJob>>>
+    
+    export type ApproveJobMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Approve job
+ */
+export const useApproveJob = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof approveJob>>, TError,{id: string}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof approveJob>>,
+        TError,
+        {id: string},
+        TContext
+      > => {
+
+      const mutationOptions = getApproveJobMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    /**
+ * Rejects a job in AwaitingApproval state with an optional reason.
+ * @summary Reject job
+ */
+export const rejectJob = (
+    id: string,
+    rejectJobBody: RejectJobBody,
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<StatusResponse>(
+      {url: `/api/v1/jobs/${id}/reject`, method: 'POST',
+      headers: {'Content-Type': 'application/json', },
+      data: rejectJobBody, signal
+    },
+      );
+    }
+  
+
+
+export const getRejectJobMutationOptions = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof rejectJob>>, TError,{id: string;data: RejectJobBody}, TContext>, }
+): UseMutationOptions<Awaited<ReturnType<typeof rejectJob>>, TError,{id: string;data: RejectJobBody}, TContext> => {
+
+const mutationKey = ['rejectJob'];
+const {mutation: mutationOptions} = options ?
+      options.mutation && 'mutationKey' in options.mutation && options.mutation.mutationKey ?
+      options
+      : {...options, mutation: {...options.mutation, mutationKey}}
+      : {mutation: { mutationKey, }};
+
+      
+
+
+      const mutationFn: MutationFunction<Awaited<ReturnType<typeof rejectJob>>, {id: string;data: RejectJobBody}> = (props) => {
+          const {id,data} = props ?? {};
+
+          return  rejectJob(id,data,)
+        }
+
+        
+
+
+  return  { mutationFn, ...mutationOptions }}
+
+    export type RejectJobMutationResult = NonNullable<Awaited<ReturnType<typeof rejectJob>>>
+    export type RejectJobMutationBody = RejectJobBody
+    export type RejectJobMutationError = BadRequestResponse | NotFoundResponse | InternalErrorResponse
+
+    /**
+ * @summary Reject job
+ */
+export const useRejectJob = <TError = BadRequestResponse | NotFoundResponse | InternalErrorResponse,
+    TContext = unknown>(options?: { mutation?:UseMutationOptions<Awaited<ReturnType<typeof rejectJob>>, TError,{id: string;data: RejectJobBody}, TContext>, }
+ , queryClient?: QueryClient): UseMutationResult<
+        Awaited<ReturnType<typeof rejectJob>>,
+        TError,
+        {id: string;data: RejectJobBody},
+        TContext
+      > => {
+
+      const mutationOptions = getRejectJobMutationOptions(options);
+
+      return useMutation(mutationOptions, queryClient);
+    }
+    

web/src/api/generated/metrics/metrics.ts

@@ -0,0 +1,230 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import {
+  useQuery
+} from '@tanstack/react-query';
+import type {
+  DataTag,
+  DefinedInitialDataOptions,
+  DefinedUseQueryResult,
+  QueryClient,
+  QueryFunction,
+  QueryKey,
+  UndefinedInitialDataOptions,
+  UseQueryOptions,
+  UseQueryResult
+} from '@tanstack/react-query';
+
+import type {
+  InternalErrorResponse,
+  MetricsResponse
+} from '.././model';
+
+import { certctlFetch } from '../../mutator';
+
+
+
+
+/**
+ * JSON metrics snapshot with gauges, counters, and uptime. See also /api/v1/metrics/prometheus for Prometheus exposition format.
+ * @summary System metrics
+ */
+export const getMetrics = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<MetricsResponse>(
+      {url: `/api/v1/metrics`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetMetricsQueryKey = () => {
+    return [
+    `/api/v1/metrics`
+    ] as const;
+    }
+
+    
+export const getGetMetricsQueryOptions = <TData = Awaited<ReturnType<typeof getMetrics>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getMetrics>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetMetricsQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getMetrics>>> = ({ signal }) => getMetrics(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getMetrics>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetMetricsQueryResult = NonNullable<Awaited<ReturnType<typeof getMetrics>>>
+export type GetMetricsQueryError = InternalErrorResponse
+
+
+export function useGetMetrics<TData = Awaited<ReturnType<typeof getMetrics>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getMetrics>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getMetrics>>,
+          TError,
+          Awaited<ReturnType<typeof getMetrics>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetMetrics<TData = Awaited<ReturnType<typeof getMetrics>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getMetrics>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getMetrics>>,
+          TError,
+          Awaited<ReturnType<typeof getMetrics>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetMetrics<TData = Awaited<ReturnType<typeof getMetrics>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getMetrics>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary System metrics
+ */
+
+export function useGetMetrics<TData = Awaited<ReturnType<typeof getMetrics>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getMetrics>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetMetricsQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+
+/**
+ * Prometheus exposition format metrics. Compatible with Prometheus, Grafana Agent,
+Datadog Agent, Victoria Metrics, and any OpenMetrics scraper.
+Returns 11 metrics with certctl_ prefix (8 gauges, 2 counters, 1 info).
+
+ * @summary Prometheus metrics
+ */
+export const getPrometheusMetrics = (
+    
+ signal?: AbortSignal
+) => {
+      
+      
+      return certctlFetch<string>(
+      {url: `/api/v1/metrics/prometheus`, method: 'GET', signal
+    },
+      );
+    }
+  
+
+
+
+export const getGetPrometheusMetricsQueryKey = () => {
+    return [
+    `/api/v1/metrics/prometheus`
+    ] as const;
+    }
+
+    
+export const getGetPrometheusMetricsQueryOptions = <TData = Awaited<ReturnType<typeof getPrometheusMetrics>>, TError = InternalErrorResponse>( options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPrometheusMetrics>>, TError, TData>>, }
+) => {
+
+const {query: queryOptions} = options ?? {};
+
+  const queryKey =  queryOptions?.queryKey ?? getGetPrometheusMetricsQueryKey();
+
+  
+
+    const queryFn: QueryFunction<Awaited<ReturnType<typeof getPrometheusMetrics>>> = ({ signal }) => getPrometheusMetrics(signal);
+
+      
+
+      
+
+   return  { queryKey, queryFn, ...queryOptions} as UseQueryOptions<Awaited<ReturnType<typeof getPrometheusMetrics>>, TError, TData> & { queryKey: DataTag<QueryKey, TData, TError> }
+}
+
+export type GetPrometheusMetricsQueryResult = NonNullable<Awaited<ReturnType<typeof getPrometheusMetrics>>>
+export type GetPrometheusMetricsQueryError = InternalErrorResponse
+
+
+export function useGetPrometheusMetrics<TData = Awaited<ReturnType<typeof getPrometheusMetrics>>, TError = InternalErrorResponse>(
+  options: { query:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPrometheusMetrics>>, TError, TData>> & Pick<
+        DefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getPrometheusMetrics>>,
+          TError,
+          Awaited<ReturnType<typeof getPrometheusMetrics>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  DefinedUseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetPrometheusMetrics<TData = Awaited<ReturnType<typeof getPrometheusMetrics>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPrometheusMetrics>>, TError, TData>> & Pick<
+        UndefinedInitialDataOptions<
+          Awaited<ReturnType<typeof getPrometheusMetrics>>,
+          TError,
+          Awaited<ReturnType<typeof getPrometheusMetrics>>
+        > , 'initialData'
+      >, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+export function useGetPrometheusMetrics<TData = Awaited<ReturnType<typeof getPrometheusMetrics>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPrometheusMetrics>>, TError, TData>>, }
+ , queryClient?: QueryClient
+  ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> }
+/**
+ * @summary Prometheus metrics
+ */
+
+export function useGetPrometheusMetrics<TData = Awaited<ReturnType<typeof getPrometheusMetrics>>, TError = InternalErrorResponse>(
+  options?: { query?:Partial<UseQueryOptions<Awaited<ReturnType<typeof getPrometheusMetrics>>, TError, TData>>, }
+ , queryClient?: QueryClient 
+ ):  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> } {
+
+  const queryOptions = getGetPrometheusMetricsQueryOptions(options)
+
+  const query = useQuery(queryOptions, queryClient) as  UseQueryResult<TData, TError> & { queryKey: DataTag<QueryKey, TData, TError> };
+
+  query.queryKey = queryOptions.queryKey ;
+
+  return query;
+}
+
+
+
+

web/src/api/generated/model/acknowledgeHealthCheckIncidentBody.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AcknowledgeHealthCheckIncidentBody = {
+  /** Operator name or ID */
+  acknowledged_by?: string;
+};

web/src/api/generated/model/actorType.ts

@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ActorType = typeof ActorType[keyof typeof ActorType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ActorType = {
+  User: 'User',
+  System: 'System',
+  Agent: 'Agent',
+} as const;

web/src/api/generated/model/agent.ts

@@ -0,0 +1,48 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AgentStatus } from './agentStatus';
+
+export interface Agent {
+  id?: string;
+  name?: string;
+  hostname?: string;
+  status?: AgentStatus;
+  last_heartbeat_at?: string;
+  registered_at?: string;
+  os?: string;
+  architecture?: string;
+  ip_address?: string;
+  version?: string;
+  /**
+   * I-004: soft-retirement timestamp. `null` (or field absent) means the
+agent is active. A non-null value is the canonical "retired" state —
+the operational `status` column is preserved at retirement time as
+the last-seen value, but `retired_at` is the source of truth for
+filtering agents out of active listings.
+
+   * @nullable
+   */
+  retired_at?: string | null;
+  /**
+   * I-004: human-readable reason captured at retirement time. Only set
+when the agent was retired via `?force=true&reason=...` cascade; a
+default soft-retire leaves this field null.
+
+   * @nullable
+   */
+  retired_reason?: string | null;
+}

web/src/api/generated/model/agentDependencyCounts.ts

@@ -0,0 +1,34 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * I-004: preflight counts of active downstream rows that would be
+orphaned by retiring an agent. Returned in the 409
+`blocked_by_dependencies` body so the operator UI can tell the user
+which bucket is blocking the retire, and also in the 200 response
+body on a successful `?force=true` cascade as a snapshot of what
+was cascaded.
+
+ */
+export interface AgentDependencyCounts {
+  /** Deployment targets with this agent assigned and retired_at IS NULL */
+  active_targets?: number;
+  /** Certificates currently deployed via one of this agent's active targets */
+  active_certificates?: number;
+  /** Jobs with agent_id=this in status Pending, AwaitingCSR, AwaitingApproval, or Running */
+  pending_jobs?: number;
+}

web/src/api/generated/model/agentGetWork200.ts

@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { WorkItem } from './workItem';
+
+export type AgentGetWork200 = {
+  jobs?: WorkItem[];
+  count?: number;
+};

web/src/api/generated/model/agentGroup.ts

@@ -0,0 +1,29 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface AgentGroup {
+  id?: string;
+  name?: string;
+  description?: string;
+  match_os?: string;
+  match_architecture?: string;
+  match_ip_cidr?: string;
+  match_version?: string;
+  enabled?: boolean;
+  created_at?: string;
+  updated_at?: string;
+}

web/src/api/generated/model/agentHeartbeatBody.ts

@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AgentHeartbeatBody = {
+  version?: string;
+  hostname?: string;
+  os?: string;
+  architecture?: string;
+  ip_address?: string;
+};

web/src/api/generated/model/agentPickupCertificate200.ts

@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AgentPickupCertificate200 = {
+  certificate_pem?: string;
+};

web/src/api/generated/model/agentReportJobStatusBody.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AgentReportJobStatusBody = {
+  status: string;
+  error?: string;
+};

web/src/api/generated/model/agentStatus.ts

@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AgentStatus = typeof AgentStatus[keyof typeof AgentStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const AgentStatus = {
+  Online: 'Online',
+  Offline: 'Offline',
+  Degraded: 'Degraded',
+} as const;

web/src/api/generated/model/agentSubmitCSRBody.ts

@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AgentSubmitCSRBody = {
+  /** PEM-encoded certificate signing request */
+  csr_pem: string;
+  certificate_id?: string;
+};

web/src/api/generated/model/approvalRequest.ts

@@ -0,0 +1,50 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ApprovalRequestState } from './approvalRequestState';
+import type { ApprovalRequestMetadata } from './approvalRequestMetadata';
+
+/**
+ * Rank 7 issuance approval-workflow primitive. One row per (CertificateID,
+JobID) pair; the JobID points at the blocked Job whose Status is
+AwaitingApproval. Lifecycle: pending → approved | rejected | expired.
+Once terminal, the row is immutable; the audit_events table is the
+durable record of who decided + why.
+
+ */
+export interface ApprovalRequest {
+  /** Approval request ID (ar-<slug>). */
+  id: string;
+  certificate_id: string;
+  job_id: string;
+  profile_id: string;
+  /** Actor that triggered the renewal. */
+  requested_by: string;
+  state: ApprovalRequestState;
+  /**
+   * Approver identity; null while state=pending.
+   * @nullable
+   */
+  decided_by?: string | null;
+  /** @nullable */
+  decided_at?: string | null;
+  /** @nullable */
+  decision_note?: string | null;
+  /** Free-form key/value (common_name, sans, issuer_id, severity_tier). */
+  metadata?: ApprovalRequestMetadata;
+  created_at: string;
+  updated_at: string;
+}

web/src/api/generated/model/approvalRequestMetadata.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Free-form key/value (common_name, sans, issuer_id, severity_tier).
+ */
+export type ApprovalRequestMetadata = {[key: string]: string};

web/src/api/generated/model/approvalRequestState.ts

@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ApprovalRequestState = typeof ApprovalRequestState[keyof typeof ApprovalRequestState];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ApprovalRequestState = {
+  pending: 'pending',
+  approved: 'approved',
+  rejected: 'rejected',
+  expired: 'expired',
+} as const;

web/src/api/generated/model/approveApprovalRequest200.ts

@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ApproveApprovalRequest200Action } from './approveApprovalRequest200Action';
+
+export type ApproveApprovalRequest200 = {
+  id?: string;
+  decided_by?: string;
+  action?: ApproveApprovalRequest200Action;
+};

web/src/api/generated/model/approveApprovalRequest200Action.ts

@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ApproveApprovalRequest200Action = typeof ApproveApprovalRequest200Action[keyof typeof ApproveApprovalRequest200Action];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ApproveApprovalRequest200Action = {
+  approved: 'approved',
+} as const;

web/src/api/generated/model/approveApprovalRequestBody.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ApproveApprovalRequestBody = {
+  /** Optional reason text for the audit trail. */
+  note?: string;
+};

web/src/api/generated/model/assignAuthKeyRoleBody.ts

@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AssignAuthKeyRoleBody = {
+  role_id: string;
+};

web/src/api/generated/model/auditEvent.ts

@@ -0,0 +1,35 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ActorType } from './actorType';
+import type { AuditEventDetails } from './auditEventDetails';
+import type { AuditEventEventCategory } from './auditEventEventCategory';
+
+export interface AuditEvent {
+  id?: string;
+  actor?: string;
+  actor_type?: ActorType;
+  action?: string;
+  resource_type?: string;
+  resource_id?: string;
+  details?: AuditEventDetails;
+  timestamp?: string;
+  /** Bundle 1 Phase 8: classifies the event for auditor-role
+filtering. Empty / absent on rows from pre-Phase-8
+deployments (the migration backfills "cert_lifecycle").
+ */
+  event_category?: AuditEventEventCategory;
+}

web/src/api/generated/model/auditEventDetails.ts

@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AuditEventDetails = { [key: string]: unknown };

web/src/api/generated/model/auditEventEventCategory.ts

@@ -0,0 +1,32 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Bundle 1 Phase 8: classifies the event for auditor-role
+filtering. Empty / absent on rows from pre-Phase-8
+deployments (the migration backfills "cert_lifecycle").
+
+ */
+export type AuditEventEventCategory = typeof AuditEventEventCategory[keyof typeof AuditEventEventCategory];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const AuditEventEventCategory = {
+  cert_lifecycle: 'cert_lifecycle',
+  auth: 'auth',
+  config: 'config',
+} as const;

web/src/api/generated/model/authRole.ts

@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface AuthRole {
+  /** Role ID (`r-` prefix). */
+  id: string;
+  tenant_id: string;
+  name: string;
+  description?: string;
+  created_at?: string;
+  updated_at?: string;
+}

web/src/api/generated/model/authRolePermission.ts

@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AuthRolePermissionScopeType } from './authRolePermissionScopeType';
+
+export interface AuthRolePermission {
+  role_id: string;
+  permission_id: string;
+  scope_type: AuthRolePermissionScopeType;
+  /** NULL/absent for global scope; profile/issuer ID otherwise. */
+  scope_id?: string;
+}

web/src/api/generated/model/authRolePermissionScopeType.ts

@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type AuthRolePermissionScopeType = typeof AuthRolePermissionScopeType[keyof typeof AuthRolePermissionScopeType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const AuthRolePermissionScopeType = {
+  global: 'global',
+  profile: 'profile',
+  issuer: 'issuer',
+} as const;

web/src/api/generated/model/authSession.ts

@@ -0,0 +1,42 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_session_oidc_sessions.go::sessionResponse.
+ */
+export interface AuthSession {
+  /** Session identifier (UUID-shaped). */
+  id: string;
+  /** Owning actor (user, API key, etc.). */
+  actor_id: string;
+  /** Actor type — `user`, `api_key`, or `actor-demo-anon` in demo mode. */
+  actor_type: string;
+  /** Source IP at session create-time. Omitted when not recorded. */
+  ip_address?: string;
+  /** User-Agent header at session create-time. Omitted when not recorded. */
+  user_agent?: string;
+  /** RFC 3339 UTC timestamp the session was minted. */
+  created_at: string;
+  /** RFC 3339 UTC timestamp the session most-recently validated a request. */
+  last_seen_at: string;
+  /** RFC 3339 UTC timestamp past which the session is idle-expired (CERTCTL_SESSION_IDLE_TIMEOUT from last_seen_at). */
+  idle_expires_at: string;
+  /** RFC 3339 UTC timestamp past which the session is absolute-expired regardless of activity (CERTCTL_SESSION_ABSOLUTE_TIMEOUT from created_at). */
+  absolute_expires_at: string;
+  /** True when the session has been revoked (via this API or via back-channel-logout). */
+  revoked: boolean;
+}

web/src/api/generated/model/authUser.ts

@@ -0,0 +1,45 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_users.go::userResponse. Federated
+user shape (OIDC subject + provider). `deactivated_at` is the soft-
+delete marker; nil/absent means the user is active.
+
+ */
+export interface AuthUser {
+  /** User identifier (UUID-shaped). */
+  id: string;
+  tenant_id: string;
+  /** Federated email claim from the IdP. */
+  email: string;
+  /** Federated display name (preferred_username or name claim from the IdP). */
+  display_name: string;
+  /** The IdP's `sub` claim for this user (stable identifier across email changes). */
+  oidc_subject: string;
+  /** ID of the OIDC provider that minted this user record. */
+  oidc_provider_id: string;
+  /** RFC 3339 UTC timestamp of the user's most-recent successful login. */
+  last_login_at: string;
+  /** RFC 3339 UTC timestamp the user row was first created (upserted from an OIDC callback). */
+  created_at: string;
+  /**
+   * RFC 3339 UTC timestamp the user was deactivated. Omitted when the user is active.
+   * @nullable
+   */
+  deactivated_at?: string | null;
+}

web/src/api/generated/model/badRequestResponse.ts

@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ErrorResponse } from './errorResponse';
+
+/**
+ * Validation error
+ */
+export type BadRequestResponse = ErrorResponse;

web/src/api/generated/model/blockedByDependenciesResponse.ts

@@ -0,0 +1,31 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { AgentDependencyCounts } from './agentDependencyCounts';
+
+/**
+ * I-004: 409 response body for a retire request blocked by active
+downstream dependencies. Returned when `force=true` is not set and
+any of the three counts is non-zero. The operator UI renders these
+counts so the human can retire or reassign the blocking rows
+before re-running the retire, or tick the force checkbox to cascade.
+
+ */
+export interface BlockedByDependenciesResponse {
+  error?: string;
+  message?: string;
+  counts?: AgentDependencyCounts;
+}

web/src/api/generated/model/breakglassCredentialListResponse.ts

@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { BreakglassCredentialResponse } from './breakglassCredentialResponse';
+
+/**
+ * Mirrors internal/api/handler/auth_breakglass.go::
+listBreakglassCredentialsResponse.
+
+ */
+export interface BreakglassCredentialListResponse {
+  credentials: BreakglassCredentialResponse[];
+}

web/src/api/generated/model/breakglassCredentialResponse.ts

@@ -0,0 +1,43 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_breakglass.go::
+breakglassCredentialResponse. Password hash is NEVER serialized
+to the wire — only metadata.
+
+ */
+export interface BreakglassCredentialResponse {
+  /** Actor the credential belongs to. */
+  actor_id: string;
+  /** RFC 3339 UTC timestamp the credential was first set. */
+  created_at: string;
+  /** RFC 3339 UTC timestamp the password was most-recently rotated. */
+  last_password_change_at: string;
+  /** Current consecutive-failure counter (Argon2id lockout state-machine input). */
+  failure_count: number;
+  /**
+   * RFC 3339 UTC timestamp past which the lockout clears organically. Omitted when no active lockout.
+   * @nullable
+   */
+  locked_until?: string | null;
+  /**
+   * RFC 3339 UTC timestamp of the most recent failed-attempt. Omitted when failure_count == 0.
+   * @nullable
+   */
+  last_failure_at?: string | null;
+}

web/src/api/generated/model/breakglassLoginRequest.ts

@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_breakglass.go::
+breakglassLoginRequest. Plaintext password on the wire ONLY at
+login-time; the service hashes via Argon2id for the
+constant-time compare.
+
+ */
+export interface BreakglassLoginRequest {
+  /** Actor attempting recovery login. */
+  actor_id: string;
+  /** Plaintext password (Argon2id-hashed at rest by the service). */
+  password: string;
+}

web/src/api/generated/model/breakglassSetPasswordRequest.ts

@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/auth_breakglass.go::
+breakglassSetPasswordRequest. Password is plaintext on the wire
+ONLY at set-time; stored at rest as an Argon2id hash with
+per-record salt.
+
+ */
+export interface BreakglassSetPasswordRequest {
+  /** Actor the password is being set for. */
+  actor_id: string;
+  /** New break-glass password. Validated server-side against the strength policy (min 12 bytes, max 256 bytes). */
+  password: string;
+}

web/src/api/generated/model/breakglassSetPasswordResponse.ts

@@ -0,0 +1,28 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors the inline response body returned by
+AuthBreakglassHandler.SetPassword: actor_id + the credential's
+created_at timestamp (RFC 3339, UTC).
+
+ */
+export interface BreakglassSetPasswordResponse {
+  actor_id: string;
+  /** RFC 3339 UTC timestamp the credential row was created (or re-created on rotation). */
+  created_at: string;
+}

web/src/api/generated/model/bulkEnqueuedJob.ts

@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface BulkEnqueuedJob {
+  certificate_id?: string;
+  /** ID of the renewal job created for this certificate */
+  job_id?: string;
+}

web/src/api/generated/model/bulkReassignRequest.ts

@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface BulkReassignRequest {
+  /** Explicit list of certificate IDs to reassign */
+  certificate_ids: string[];
+  /** Required. New owner_id for every cert in certificate_ids. */
+  owner_id: string;
+  /** Optional. When non-empty, also updates team_id on every cert. */
+  team_id?: string;
+}

web/src/api/generated/model/bulkReassignResult.ts

@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { BulkReassignResultErrorsItem } from './bulkReassignResultErrorsItem';
+
+export interface BulkReassignResult {
+  total_matched?: number;
+  /** Number of certs whose owner_id (and optionally team_id) was actually mutated */
+  total_reassigned?: number;
+  /** Certs already owned by the target (silent no-op) */
+  total_skipped?: number;
+  total_failed?: number;
+  errors?: BulkReassignResultErrorsItem[];
+}

web/src/api/generated/model/bulkReassignResultErrorsItem.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type BulkReassignResultErrorsItem = {
+  certificate_id?: string;
+  error?: string;
+};

web/src/api/generated/model/bulkRenewRequest.ts

@@ -0,0 +1,34 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Criteria for bulk renewal. At least one selector required.
+ */
+export interface BulkRenewRequest {
+  /** Renew all certificates matching this profile */
+  profile_id?: string;
+  /** Renew all certificates owned by this owner */
+  owner_id?: string;
+  /** Renew all certificates deployed via this agent */
+  agent_id?: string;
+  /** Renew all certificates issued by this issuer */
+  issuer_id?: string;
+  /** Renew all certificates owned by members of this team */
+  team_id?: string;
+  /** Explicit list of certificate IDs to renew */
+  certificate_ids?: string[];
+}

web/src/api/generated/model/bulkRenewResult.ts

@@ -0,0 +1,33 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { BulkEnqueuedJob } from './bulkEnqueuedJob';
+import type { BulkRenewResultErrorsItem } from './bulkRenewResultErrorsItem';
+
+export interface BulkRenewResult {
+  /** Number of certificates matching the criteria */
+  total_matched?: number;
+  /** Number of renewal jobs successfully created */
+  total_enqueued?: number;
+  /** Certs already RenewalInProgress / Revoked / Archived / Expired (silent no-op) */
+  total_skipped?: number;
+  /** Number of certificates whose enqueue path returned an error */
+  total_failed?: number;
+  /** Per-certificate {certificate_id, job_id} pairs for the successful enqueue path */
+  enqueued_jobs?: BulkEnqueuedJob[];
+  /** Per-certificate error details for the failure path */
+  errors?: BulkRenewResultErrorsItem[];
+}

web/src/api/generated/model/bulkRenewResultErrorsItem.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type BulkRenewResultErrorsItem = {
+  certificate_id?: string;
+  error?: string;
+};

web/src/api/generated/model/bulkRevokeRequest.ts

@@ -0,0 +1,33 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { RevocationReason } from './revocationReason';
+
+export interface BulkRevokeRequest {
+  reason: RevocationReason;
+  /** Revoke all certificates matching this profile */
+  profile_id?: string;
+  /** Revoke all certificates owned by this owner */
+  owner_id?: string;
+  /** Revoke all certificates deployed via this agent */
+  agent_id?: string;
+  /** Revoke all certificates issued by this issuer */
+  issuer_id?: string;
+  /** Revoke all certificates owned by members of this team */
+  team_id?: string;
+  /** Explicit list of certificate IDs to revoke */
+  certificate_ids?: string[];
+}

web/src/api/generated/model/bulkRevokeResult.ts

@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { BulkRevokeResultErrorsItem } from './bulkRevokeResultErrorsItem';
+
+export interface BulkRevokeResult {
+  /** Number of certificates matching the criteria */
+  total_matched?: number;
+  /** Number of certificates successfully revoked */
+  total_revoked?: number;
+  /** Number of certificates skipped (already revoked or archived) */
+  total_skipped?: number;
+  /** Number of certificates that failed to revoke */
+  total_failed?: number;
+  /** Per-certificate error details for failed revocations */
+  errors?: BulkRevokeResultErrorsItem[];
+}

web/src/api/generated/model/bulkRevokeResultErrorsItem.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type BulkRevokeResultErrorsItem = {
+  certificate_id?: string;
+  error?: string;
+};

web/src/api/generated/model/certificateProfile.ts

@@ -0,0 +1,34 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { KeyAlgorithmRule } from './keyAlgorithmRule';
+import type { CertificateProfileAllowedEkusItem } from './certificateProfileAllowedEkusItem';
+
+export interface CertificateProfile {
+  id?: string;
+  name?: string;
+  description?: string;
+  allowed_key_algorithms?: KeyAlgorithmRule[];
+  max_ttl_seconds?: number;
+  /** Extended Key Usages to include in issued certificates */
+  allowed_ekus?: CertificateProfileAllowedEkusItem[];
+  required_san_patterns?: string[];
+  spiffe_uri_pattern?: string;
+  allow_short_lived?: boolean;
+  enabled?: boolean;
+  created_at?: string;
+  updated_at?: string;
+}

web/src/api/generated/model/certificateProfileAllowedEkusItem.ts

@@ -0,0 +1,28 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CertificateProfileAllowedEkusItem = typeof CertificateProfileAllowedEkusItem[keyof typeof CertificateProfileAllowedEkusItem];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const CertificateProfileAllowedEkusItem = {
+  serverAuth: 'serverAuth',
+  clientAuth: 'clientAuth',
+  codeSigning: 'codeSigning',
+  emailProtection: 'emailProtection',
+  timeStamping: 'timeStamping',
+} as const;

web/src/api/generated/model/certificateStatus.ts

@@ -0,0 +1,31 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CertificateStatus = typeof CertificateStatus[keyof typeof CertificateStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const CertificateStatus = {
+  Pending: 'Pending',
+  Active: 'Active',
+  Expiring: 'Expiring',
+  Expired: 'Expired',
+  RenewalInProgress: 'RenewalInProgress',
+  Failed: 'Failed',
+  Revoked: 'Revoked',
+  Archived: 'Archived',
+} as const;

web/src/api/generated/model/certificateVersion.ts

@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface CertificateVersion {
+  id?: string;
+  certificate_id?: string;
+  serial_number?: string;
+  not_before?: string;
+  not_after?: string;
+  fingerprint_sha256?: string;
+  pem_chain?: string;
+  csr_pem?: string;
+  key_algorithm?: string;
+  key_size?: number;
+  created_at?: string;
+}

web/src/api/generated/model/checkAuth200.ts

@@ -0,0 +1,37 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { CheckAuth200ActorType } from './checkAuth200ActorType';
+import type { CheckAuth200EffectivePermissionsItem } from './checkAuth200EffectivePermissionsItem';
+
+export type CheckAuth200 = {
+  status: string;
+  /** Named-key identity (empty when CERTCTL_AUTH_TYPE=none) */
+  user?: string;
+  /** Legacy admin flag (back-compat with pre-Bundle-1 GUIs). */
+  admin?: boolean;
+  /** Actor identifier for the authenticated request (Bundle 1+). */
+  actor_id?: string;
+  /** Actor-type discriminator (Bundle 1+). */
+  actor_type?: CheckAuth200ActorType;
+  /** Tenant the actor belongs to (Bundle 1 ships single-tenant `t-default`). */
+  tenant_id?: string;
+  /** True when the actor holds `r-admin`. Authoritative admin signal under Bundle 1+. */
+  admin_via_role?: boolean;
+  /** Role IDs (e.g. `r-admin`, `r-viewer`) the actor holds. */
+  roles?: string[];
+  effective_permissions?: CheckAuth200EffectivePermissionsItem[];
+};

web/src/api/generated/model/checkAuth200ActorType.ts

@@ -0,0 +1,31 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Actor-type discriminator (Bundle 1+).
+ */
+export type CheckAuth200ActorType = typeof CheckAuth200ActorType[keyof typeof CheckAuth200ActorType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const CheckAuth200ActorType = {
+  User: 'User',
+  System: 'System',
+  Agent: 'Agent',
+  APIKey: 'APIKey',
+  Anonymous: 'Anonymous',
+} as const;

web/src/api/generated/model/checkAuth200EffectivePermissionsItem.ts

@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { CheckAuth200EffectivePermissionsItemScopeType } from './checkAuth200EffectivePermissionsItemScopeType';
+
+export type CheckAuth200EffectivePermissionsItem = {
+  permission: string;
+  scope_type: CheckAuth200EffectivePermissionsItemScopeType;
+  scope_id?: string;
+};

web/src/api/generated/model/checkAuth200EffectivePermissionsItemScopeType.ts

@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CheckAuth200EffectivePermissionsItemScopeType = typeof CheckAuth200EffectivePermissionsItemScopeType[keyof typeof CheckAuth200EffectivePermissionsItemScopeType];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const CheckAuth200EffectivePermissionsItemScopeType = {
+  global: 'global',
+  profile: 'profile',
+  issuer: 'issuer',
+} as const;

web/src/api/generated/model/claimDiscoveredCertificateBody.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ClaimDiscoveredCertificateBody = {
+  /** ID of the managed certificate to link to */
+  managed_certificate_id: string;
+};

web/src/api/generated/model/conflictResponse.ts

@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ErrorResponse } from './errorResponse';
+
+/**
+ * Resource conflict
+ */
+export type ConflictResponse = ErrorResponse;

web/src/api/generated/model/createAuthRoleBody.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CreateAuthRoleBody = {
+  name: string;
+  description?: string;
+};

web/src/api/generated/model/createHealthCheckBody.ts

@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CreateHealthCheckBody = {
+  /** host:port to monitor */
+  endpoint: string;
+  /** Expected certificate SHA-256 fingerprint (optional) */
+  expected_fingerprint?: string;
+  /**
+   * Probe frequency in seconds (default 300)
+   * @minimum 30
+   */
+  check_interval_seconds: number;
+  /** TLS connection timeout in milliseconds */
+  timeout_ms?: number;
+};

web/src/api/generated/model/createIntermediateCABody.ts

@@ -0,0 +1,39 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { CreateIntermediateCABodySubject } from './createIntermediateCABodySubject';
+import type { CreateIntermediateCABodyNameConstraintsItem } from './createIntermediateCABodyNameConstraintsItem';
+import type { CreateIntermediateCABodyMetadata } from './createIntermediateCABodyMetadata';
+
+export type CreateIntermediateCABody = {
+  name: string;
+  /** Empty for root registration; non-empty for child signing */
+  parent_ca_id?: string;
+  /** Operator-supplied root cert PEM (root path only) */
+  root_cert_pem?: string;
+  /** signer.Driver reference for the root key (root path only) */
+  key_driver_id?: string;
+  /** Distinguished name for child CA (child path only) */
+  subject?: CreateIntermediateCABodySubject;
+  /** Signing algorithm for child key (default ECDSA-P256) */
+  algorithm?: string;
+  ttl_days?: number;
+  /** @nullable */
+  path_len_constraint?: number | null;
+  name_constraints?: CreateIntermediateCABodyNameConstraintsItem[];
+  ocsp_responder_url?: string;
+  metadata?: CreateIntermediateCABodyMetadata;
+};

web/src/api/generated/model/createIntermediateCABodyMetadata.ts

@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CreateIntermediateCABodyMetadata = { [key: string]: unknown };

web/src/api/generated/model/createIntermediateCABodyNameConstraintsItem.ts

@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type CreateIntermediateCABodyNameConstraintsItem = { [key: string]: unknown };

web/src/api/generated/model/createIntermediateCABodySubject.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Distinguished name for child CA (child path only)
+ */
+export type CreateIntermediateCABodySubject = { [key: string]: unknown };

web/src/api/generated/model/dashboardSummary.ts

@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface DashboardSummary {
+  total_certificates?: number;
+  expiring_certificates?: number;
+  expired_certificates?: number;
+  revoked_certificates?: number;
+  active_agents?: number;
+  offline_agents?: number;
+  total_agents?: number;
+  pending_jobs?: number;
+  failed_jobs?: number;
+  complete_jobs?: number;
+  completed_at?: string;
+}

web/src/api/generated/model/demoResidualCleanupResponse.ts

@@ -0,0 +1,27 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Mirrors internal/api/handler/demo_residual.go::
+demoResidualCleanupResponse. Always present; idempotent re-runs
+return `removed: 0`.
+
+ */
+export interface DemoResidualCleanupResponse {
+  /** Number of `actor_roles` rows removed in this cleanup call. */
+  removed: number;
+}

web/src/api/generated/model/deploymentTarget.ts

@@ -0,0 +1,36 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { TargetType } from './targetType';
+import type { DeploymentTargetConfig } from './deploymentTargetConfig';
+
+export interface DeploymentTarget {
+  id?: string;
+  name: string;
+  type: TargetType;
+  /** ID of the agent that manages this target. Required because
+deployment_targets.agent_id is a NOT NULL foreign key to agents(id)
+(migration 000001). Empty or nonexistent agent IDs are rejected
+with HTTP 400 by the service layer (see C-002 in the coverage-gap
+audit).
+ */
+  agent_id: string;
+  /** Target-specific configuration (varies by type) */
+  config?: DeploymentTargetConfig;
+  enabled?: boolean;
+  created_at?: string;
+  updated_at?: string;
+}

web/src/api/generated/model/deploymentTargetConfig.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Target-specific configuration (varies by type)
+ */
+export type DeploymentTargetConfig = { [key: string]: unknown };

web/src/api/generated/model/discoveredCertificate.ts

@@ -0,0 +1,46 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { DiscoveredCertificateStatus } from './discoveredCertificateStatus';
+
+export interface DiscoveredCertificate {
+  id?: string;
+  fingerprint_sha256?: string;
+  common_name?: string;
+  sans?: string[];
+  serial_number?: string;
+  issuer_dn?: string;
+  subject_dn?: string;
+  /** @nullable */
+  not_before?: string | null;
+  /** @nullable */
+  not_after?: string | null;
+  key_algorithm?: string;
+  key_size?: number;
+  is_ca?: boolean;
+  source_path?: string;
+  source_format?: string;
+  agent_id?: string;
+  /** @nullable */
+  discovery_scan_id?: string | null;
+  /** @nullable */
+  managed_certificate_id?: string | null;
+  status?: DiscoveredCertificateStatus;
+  first_seen_at?: string;
+  last_seen_at?: string;
+  created_at?: string;
+  updated_at?: string;
+}

web/src/api/generated/model/discoveredCertificateStatus.ts

@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type DiscoveredCertificateStatus = typeof DiscoveredCertificateStatus[keyof typeof DiscoveredCertificateStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const DiscoveredCertificateStatus = {
+  Unmanaged: 'Unmanaged',
+  Managed: 'Managed',
+  Dismissed: 'Dismissed',
+} as const;

web/src/api/generated/model/discoveryReport.ts

@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { DiscoveryReportCertificatesItem } from './discoveryReportCertificatesItem';
+
+export interface DiscoveryReport {
+  agent_id: string;
+  directories: string[];
+  certificates: DiscoveryReportCertificatesItem[];
+  errors?: string[];
+  scan_duration_ms?: number;
+}

web/src/api/generated/model/discoveryReportCertificatesItem.ts

@@ -0,0 +1,33 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type DiscoveryReportCertificatesItem = {
+  fingerprint_sha256?: string;
+  common_name?: string;
+  sans?: string[];
+  serial_number?: string;
+  issuer_dn?: string;
+  subject_dn?: string;
+  not_before?: string;
+  not_after?: string;
+  key_algorithm?: string;
+  key_size?: number;
+  is_ca?: boolean;
+  pem_data?: string;
+  source_path?: string;
+  source_format?: string;
+};

web/src/api/generated/model/discoveryScan.ts

@@ -0,0 +1,29 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface DiscoveryScan {
+  id?: string;
+  agent_id?: string;
+  directories?: string[];
+  certificates_found?: number;
+  certificates_new?: number;
+  errors_count?: number;
+  scan_duration_ms?: number;
+  started_at?: string;
+  /** @nullable */
+  completed_at?: string | null;
+}

web/src/api/generated/model/endpointHealthCheck.ts

@@ -0,0 +1,84 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { EndpointHealthCheckStatus } from './endpointHealthCheckStatus';
+
+export interface EndpointHealthCheck {
+  /** Health check ID */
+  id?: string;
+  /** Target endpoint (host:port) */
+  endpoint?: string;
+  /**
+   * Associated managed certificate ID (if from deployment)
+   * @nullable
+   */
+  certificate_id?: string | null;
+  /**
+   * Associated network scan target ID (if auto-created)
+   * @nullable
+   */
+  network_scan_target_id?: string | null;
+  /**
+   * Expected certificate SHA-256 fingerprint
+   * @nullable
+   */
+  expected_fingerprint?: string | null;
+  /** Current health status */
+  status?: EndpointHealthCheckStatus;
+  enabled?: boolean;
+  /** Frequency of TLS probes (seconds) */
+  check_interval_seconds?: number;
+  /** TLS connection timeout (milliseconds) */
+  timeout_ms?: number;
+  /** Number of consecutive probe failures */
+  consecutive_failures?: number;
+  /**
+   * Timestamp of last probe
+   * @nullable
+   */
+  last_checked_at?: string | null;
+  /**
+   * Timestamp of last successful probe
+   * @nullable
+   */
+  last_success_at?: string | null;
+  /**
+   * Timestamp of last failed probe
+   * @nullable
+   */
+  last_failure_at?: string | null;
+  /**
+   * Timestamp of last status transition
+   * @nullable
+   */
+  last_transition_at?: string | null;
+  /**
+   * Reason for last failure
+   * @nullable
+   */
+  failure_reason?: string | null;
+  /** Whether the current status has been acknowledged */
+  acknowledged?: boolean;
+  /**
+   * Operator name who acknowledged (if applicable)
+   * @nullable
+   */
+  acknowledged_by?: string | null;
+  /** @nullable */
+  acknowledged_at?: string | null;
+  created_at?: string;
+  updated_at?: string;
+}

web/src/api/generated/model/endpointHealthCheckStatus.ts

@@ -0,0 +1,30 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+/**
+ * Current health status
+ */
+export type EndpointHealthCheckStatus = typeof EndpointHealthCheckStatus[keyof typeof EndpointHealthCheckStatus];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const EndpointHealthCheckStatus = {
+  Healthy: 'Healthy',
+  Degraded: 'Degraded',
+  Down: 'Down',
+  CertMismatch: 'CertMismatch',
+} as const;

web/src/api/generated/model/error.ts

@@ -0,0 +1,19 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ErrorResponse } from './errorResponse';
+
+export type Error = ErrorResponse;

web/src/api/generated/model/errorResponse.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export interface ErrorResponse {
+  error?: string;
+  request_id?: string;
+}

web/src/api/generated/model/exportAuditCategory.ts

@@ -0,0 +1,26 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ExportAuditCategory = typeof ExportAuditCategory[keyof typeof ExportAuditCategory];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ExportAuditCategory = {
+  cert_lifecycle: 'cert_lifecycle',
+  auth: 'auth',
+  config: 'config',
+} as const;

web/src/api/generated/model/exportAuditParams.ts

@@ -0,0 +1,38 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ExportAuditCategory } from './exportAuditCategory';
+
+export type ExportAuditParams = {
+/**
+ * RFC 3339 start of the export window (inclusive).
+ */
+from: string;
+/**
+ * RFC 3339 end of the export window (exclusive). Must be strictly after `from`.
+ */
+to: string;
+/**
+ * Optional category filter. Omit to return every event in the window.
+ */
+category?: ExportAuditCategory;
+/**
+ * Maximum rows to stream (default 50000; out-of-range values clamp to default).
+ * @minimum 1
+ * @maximum 100000
+ */
+limit?: number;
+};

web/src/api/generated/model/exportCertificatePEM200One.ts

@@ -0,0 +1,25 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ExportCertificatePEM200One = {
+  /** Leaf certificate PEM */
+  cert_pem?: string;
+  /** Intermediate/root chain PEM */
+  chain_pem?: string;
+  /** Full PEM chain (cert + intermediates) */
+  full_pem?: string;
+};

web/src/api/generated/model/exportCertificatePEMDownload.ts

@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ExportCertificatePEMDownload = typeof ExportCertificatePEMDownload[keyof typeof ExportCertificatePEMDownload];
+
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ExportCertificatePEMDownload = {
+  true: 'true',
+} as const;

web/src/api/generated/model/exportCertificatePEMParams.ts

@@ -0,0 +1,24 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+import type { ExportCertificatePEMDownload } from './exportCertificatePEMDownload';
+
+export type ExportCertificatePEMParams = {
+/**
+ * Set to "true" to get a file download instead of JSON.
+ */
+download?: ExportCertificatePEMDownload;
+};

web/src/api/generated/model/exportCertificatePKCS12Body.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type ExportCertificatePKCS12Body = {
+  /** Password to encrypt the PKCS#12 bundle (can be empty) */
+  password?: string;
+};

web/src/api/generated/model/getAuthBootstrap200.ts

@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v7.21.0 🍺
+ * Do not edit manually.
+ * certctl API
+ * Certificate lifecycle management platform API. Manages certificates, issuers,
+deployment targets, agents, jobs, policies, profiles, teams, owners, agent groups,
+audit events, notifications, and observability metrics.
+
+All endpoints under `/api/v1/` require authentication by default (configurable via
+`CERTCTL_AUTH_TYPE`). Use `Bearer {api_key}` in the Authorization header.
+
+Paginated list endpoints accept `page` (default 1) and `per_page` (default 50, max 500)
+query parameters and return a standard envelope with `data`, `total`, `page`, and `per_page`.
+
+ * OpenAPI spec version: 2.1.7
+ */
+
+export type GetAuthBootstrap200 = {
+  available: boolean;
+};