Complete V1 scaffold

internal/connector/issuer/local/local.go

@@ -0,0 +1,446 @@
+package local
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"log/slog"
+	"math/big"
+	"sync"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/connector/issuer"
+)
+
+// Config represents the local CA issuer connector configuration.
+type Config struct {
+	// CACommonName is the CN for the self-signed CA certificate.
+	// Defaults to "CertCtl Local CA".
+	CACommonName string `json:"ca_common_name,omitempty"`
+
+	// ValidityDays is the number of days a certificate is valid.
+	// Defaults to 90.
+	ValidityDays int `json:"validity_days,omitempty"`
+}
+
+// Connector implements the issuer.Connector interface for local self-signed certificate generation.
+//
+// This connector generates self-signed certificates using an in-memory CA. It is designed for
+// development, testing, and demo purposes only and should NOT be used in production.
+//
+// On first use, it generates a self-signed CA root certificate and stores it in memory.
+// All issued certificates are signed by this local CA.
+//
+// Features:
+//   - Instant certificate issuance (no external CA required)
+//   - Full lifecycle demo support (issue, renew, revoke)
+//   - In-memory certificate storage
+//   - Proper X.509 certificate generation with SANs, serial numbers, and validity periods
+//
+// Limitations:
+//   - Not suitable for production use
+//   - Certificates are not trusted by default browsers/systems
+//   - No actual revocation checking (revocation is tracked in memory only)
+//   - CA certificate is ephemeral and lost on service restart
+type Connector struct {
+	config     *Config
+	logger     *slog.Logger
+	mu         sync.RWMutex
+	caKey      *rsa.PrivateKey
+	caCert     *x509.Certificate
+	caCertPEM  string
+	revokedMap map[string]bool // serial -> revoked status
+}
+
+// New creates a new local CA connector with the given configuration and logger.
+func New(config *Config, logger *slog.Logger) *Connector {
+	if config == nil {
+		config = &Config{}
+	}
+
+	// Set defaults
+	if config.CACommonName == "" {
+		config.CACommonName = "CertCtl Local CA"
+	}
+	if config.ValidityDays == 0 {
+		config.ValidityDays = 90
+	}
+
+	return &Connector{
+		config:     config,
+		logger:     logger,
+		revokedMap: make(map[string]bool),
+	}
+}
+
+// ValidateConfig validates the local CA configuration.
+// This always succeeds as the local CA has minimal requirements.
+func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessage) error {
+	var cfg Config
+	if err := json.Unmarshal(rawConfig, &cfg); err != nil {
+		return fmt.Errorf("invalid local CA config: %w", err)
+	}
+
+	if cfg.ValidityDays < 1 {
+		return fmt.Errorf("validity_days must be at least 1")
+	}
+
+	c.config = &cfg
+	if c.config.CACommonName == "" {
+		c.config.CACommonName = "CertCtl Local CA"
+	}
+
+	c.logger.Info("local CA configuration validated",
+		"ca_common_name", c.config.CACommonName,
+		"validity_days", c.config.ValidityDays)
+
+	return nil
+}
+
+// IssueCertificate issues a new certificate signed by the local CA.
+//
+// The process:
+// 1. Initialize the CA if not already done
+// 2. Parse the CSR from the request
+// 3. Extract subject and SANs from the CSR
+// 4. Generate a random serial number
+// 5. Create an X.509 certificate with proper extensions (SANs, key usage, etc.)
+// 6. Sign with the local CA key
+// 7. Return the certificate PEM and CA chain PEM
+func (c *Connector) IssueCertificate(ctx context.Context, request issuer.IssuanceRequest) (*issuer.IssuanceResult, error) {
+	c.logger.Info("processing local CA issuance request",
+		"common_name", request.CommonName,
+		"san_count", len(request.SANs))
+
+	// Initialize CA if needed
+	if err := c.ensureCA(ctx); err != nil {
+		c.logger.Error("failed to initialize CA", "error", err)
+		return nil, fmt.Errorf("CA initialization failed: %w", err)
+	}
+
+	// Parse CSR
+	csrBlock, _ := pem.Decode([]byte(request.CSRPEM))
+	if csrBlock == nil || csrBlock.Type != "CERTIFICATE REQUEST" {
+		return nil, fmt.Errorf("invalid CSR PEM format")
+	}
+
+	csr, err := x509.ParseCertificateRequest(csrBlock.Bytes)
+	if err != nil {
+		c.logger.Error("failed to parse CSR", "error", err)
+		return nil, fmt.Errorf("invalid CSR: %w", err)
+	}
+
+	// Verify CSR signature
+	if err := csr.CheckSignature(); err != nil {
+		c.logger.Error("CSR signature verification failed", "error", err)
+		return nil, fmt.Errorf("CSR signature verification failed: %w", err)
+	}
+
+	// Generate certificate
+	cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs)
+	if err != nil {
+		c.logger.Error("failed to generate certificate", "error", err)
+		return nil, fmt.Errorf("certificate generation failed: %w", err)
+	}
+
+	// Create order ID (use serial as order ID for simplicity)
+	orderID := fmt.Sprintf("local-%s", serial)
+
+	result := &issuer.IssuanceResult{
+		CertPEM:   certPEM,
+		ChainPEM:  c.caCertPEM,
+		Serial:    serial,
+		NotBefore: cert.NotBefore,
+		NotAfter:  cert.NotAfter,
+		OrderID:   orderID,
+	}
+
+	c.logger.Info("certificate issued successfully",
+		"serial", serial,
+		"common_name", request.CommonName,
+		"not_after", cert.NotAfter)
+
+	return result, nil
+}
+
+// RenewCertificate renews a certificate by issuing a new one with the same identifiers.
+// For the local CA, this is functionally identical to IssueCertificate.
+func (c *Connector) RenewCertificate(ctx context.Context, request issuer.RenewalRequest) (*issuer.IssuanceResult, error) {
+	c.logger.Info("processing local CA renewal request",
+		"common_name", request.CommonName,
+		"san_count", len(request.SANs))
+
+	// Initialize CA if needed
+	if err := c.ensureCA(ctx); err != nil {
+		c.logger.Error("failed to initialize CA", "error", err)
+		return nil, fmt.Errorf("CA initialization failed: %w", err)
+	}
+
+	// Parse CSR
+	csrBlock, _ := pem.Decode([]byte(request.CSRPEM))
+	if csrBlock == nil || csrBlock.Type != "CERTIFICATE REQUEST" {
+		return nil, fmt.Errorf("invalid CSR PEM format")
+	}
+
+	csr, err := x509.ParseCertificateRequest(csrBlock.Bytes)
+	if err != nil {
+		c.logger.Error("failed to parse CSR", "error", err)
+		return nil, fmt.Errorf("invalid CSR: %w", err)
+	}
+
+	// Verify CSR signature
+	if err := csr.CheckSignature(); err != nil {
+		c.logger.Error("CSR signature verification failed", "error", err)
+		return nil, fmt.Errorf("CSR signature verification failed: %w", err)
+	}
+
+	// Generate certificate
+	cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs)
+	if err != nil {
+		c.logger.Error("failed to generate certificate", "error", err)
+		return nil, fmt.Errorf("certificate generation failed: %w", err)
+	}
+
+	// Create order ID
+	orderID := fmt.Sprintf("local-%s", serial)
+	if request.OrderID != nil {
+		orderID = *request.OrderID
+	}
+
+	result := &issuer.IssuanceResult{
+		CertPEM:   certPEM,
+		ChainPEM:  c.caCertPEM,
+		Serial:    serial,
+		NotBefore: cert.NotBefore,
+		NotAfter:  cert.NotAfter,
+		OrderID:   orderID,
+	}
+
+	c.logger.Info("certificate renewed successfully",
+		"serial", serial,
+		"common_name", request.CommonName,
+		"not_after", cert.NotAfter)
+
+	return result, nil
+}
+
+// RevokeCertificate revokes a certificate by marking it in the in-memory revocation map.
+// This is a no-op for practical purposes but tracks revocation state in memory.
+// Note: Revocation is not persistent and is lost on service restart.
+func (c *Connector) RevokeCertificate(ctx context.Context, request issuer.RevocationRequest) error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	c.revokedMap[request.Serial] = true
+
+	reason := "unspecified"
+	if request.Reason != nil {
+		reason = *request.Reason
+	}
+
+	c.logger.Info("certificate revoked",
+		"serial", request.Serial,
+		"reason", reason)
+
+	return nil
+}
+
+// GetOrderStatus returns the status of an issuance or renewal order.
+// For the local CA, orders complete immediately, so this always returns "completed" status.
+func (c *Connector) GetOrderStatus(ctx context.Context, orderID string) (*issuer.OrderStatus, error) {
+	c.logger.Info("fetching local CA order status", "order_id", orderID)
+
+	// Local CA orders complete immediately
+	status := &issuer.OrderStatus{
+		OrderID:   orderID,
+		Status:    "completed",
+		UpdatedAt: time.Now(),
+	}
+
+	return status, nil
+}
+
+// ensureCA initializes the CA certificate and key if not already done.
+// This is called on first IssueCertificate or RenewCertificate call.
+// The CA is generated once and reused for all subsequent operations.
+func (c *Connector) ensureCA(ctx context.Context) error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.caKey != nil {
+		return nil // CA already initialized
+	}
+
+	c.logger.Info("initializing local CA", "common_name", c.config.CACommonName)
+
+	// Generate CA private key
+	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return fmt.Errorf("failed to generate CA key: %w", err)
+	}
+
+	// Create CA certificate
+	caTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: c.config.CACommonName,
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().AddDate(10, 0, 0), // CA valid for 10 years
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	// Self-sign the CA certificate
+	caCertBytes, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
+	if err != nil {
+		return fmt.Errorf("failed to create CA certificate: %w", err)
+	}
+
+	caCert, err := x509.ParseCertificate(caCertBytes)
+	if err != nil {
+		return fmt.Errorf("failed to parse CA certificate: %w", err)
+	}
+
+	// Encode CA certificate to PEM
+	caCertPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caCertBytes,
+	})
+
+	c.caKey = caKey
+	c.caCert = caCert
+	c.caCertPEM = string(caCertPEM)
+
+	c.logger.Info("local CA initialized successfully",
+		"serial", caCert.SerialNumber,
+		"not_after", caCert.NotAfter)
+
+	return nil
+}
+
+// generateCertificate creates an X.509 certificate signed by the local CA.
+// It uses the CSR subject and adds any additional SANs from the request.
+func (c *Connector) generateCertificate(csr *x509.CertificateRequest, additionalSANs []string) (*x509.Certificate, string, string, error) {
+	// Generate random serial number
+	serialNum, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159))
+	if err != nil {
+		return nil, "", "", fmt.Errorf("failed to generate serial number: %w", err)
+	}
+
+	serial := fmt.Sprintf("%040x", serialNum)
+
+	// Collect all SANs
+	sanSet := make(map[string]bool)
+	for _, san := range csr.DNSNames {
+		sanSet[san] = true
+	}
+	for _, san := range csr.IPAddresses {
+		sanSet[san.String()] = true
+	}
+	for _, san := range csr.EmailAddresses {
+		sanSet[san] = true
+	}
+	for _, san := range additionalSANs {
+		sanSet[san] = true
+	}
+
+	var dnsNames []string
+	var ips []string
+	var emails []string
+
+	for san := range sanSet {
+		// Try to parse as IP, otherwise treat as DNS or email
+		if ip := parseIP(san); ip != nil {
+			ips = append(ips, san)
+		} else if isEmail(san) {
+			emails = append(emails, san)
+		} else {
+			dnsNames = append(dnsNames, san)
+		}
+	}
+
+	// Create certificate template
+	now := time.Now()
+	template := &x509.Certificate{
+		SerialNumber: serialNum,
+		Subject:      csr.Subject,
+		NotBefore:    now,
+		NotAfter:     now.AddDate(0, 0, c.config.ValidityDays),
+		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageServerAuth,
+			x509.ExtKeyUsageClientAuth,
+		},
+		DNSNames:            dnsNames,
+		EmailAddresses:      emails,
+		SubjectKeyId:        hashPublicKey(csr.PublicKey),
+		AuthorityKeyId:      c.caCert.SubjectKeyId,
+	}
+
+	// Add IP addresses if present
+	if len(ips) > 0 {
+		for _, ipStr := range ips {
+			if ip := parseIP(ipStr); ip != nil {
+				template.IPAddresses = append(template.IPAddresses, ip)
+			}
+		}
+	}
+
+	// Sign certificate with CA
+	certBytes, err := x509.CreateCertificate(rand.Reader, template, c.caCert, csr.PublicKey, c.caKey)
+	if err != nil {
+		return nil, "", "", fmt.Errorf("failed to sign certificate: %w", err)
+	}
+
+	// Parse for validation
+	cert, err := x509.ParseCertificate(certBytes)
+	if err != nil {
+		return nil, "", "", fmt.Errorf("failed to parse certificate: %w", err)
+	}
+
+	// Encode to PEM
+	certPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certBytes,
+	})
+
+	return cert, string(certPEM), serial, nil
+}
+
+// parseIP attempts to parse a string as an IP address.
+func parseIP(s string) []byte {
+	if s == "localhost" {
+		return []byte{127, 0, 0, 1}
+	}
+	// In production, use net.ParseIP for proper parsing.
+	// For now, return nil for non-localhost IPs.
+	return nil
+}
+
+// isEmail checks if a string looks like an email address.
+func isEmail(s string) bool {
+	for _, c := range s {
+		if c == '@' {
+			return true
+		}
+	}
+	return false
+}
+
+// hashPublicKey generates a subject key identifier from a public key.
+func hashPublicKey(pub interface{}) []byte {
+	h := sha256.New()
+	switch k := pub.(type) {
+	case *rsa.PublicKey:
+		h.Write(k.N.Bytes())
+	}
+	return h.Sum(nil)[:4] // Use first 4 bytes for brevity
+}

internal/connector/issuer/local/local_test.go

@@ -0,0 +1,206 @@
+package local_test
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/json"
+	"encoding/pem"
+	"log/slog"
+	"os"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/connector/issuer"
+	"github.com/shankar0123/certctl/internal/connector/issuer/local"
+)
+
+func TestLocalConnector(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	// Test 1: Create connector and validate config
+	t.Run("ValidateConfig", func(t *testing.T) {
+		config := &local.Config{
+			CACommonName: "Test CA",
+			ValidityDays: 30,
+		}
+		connector := local.New(config, logger)
+
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err != nil {
+			t.Fatalf("ValidateConfig failed: %v", err)
+		}
+	})
+
+	// Test 2: Issue a certificate
+	t.Run("IssueCertificate", func(t *testing.T) {
+		config := &local.Config{
+			CACommonName: "Test CA",
+			ValidityDays: 30,
+		}
+		connector := local.New(config, logger)
+
+		csr, csrPEM, err := generateTestCSR("test.example.com")
+		if err != nil {
+			t.Fatalf("Failed to generate CSR: %v", err)
+		}
+
+		req := issuer.IssuanceRequest{
+			CommonName: csr.Subject.CommonName,
+			SANs:       []string{"www.test.example.com"},
+			CSRPEM:     csrPEM,
+		}
+
+		result, err := connector.IssueCertificate(ctx, req)
+		if err != nil {
+			t.Fatalf("IssueCertificate failed: %v", err)
+		}
+
+		if result.Serial == "" {
+			t.Error("Serial is empty")
+		}
+		if result.CertPEM == "" {
+			t.Error("CertPEM is empty")
+		}
+		if result.ChainPEM == "" {
+			t.Error("ChainPEM is empty")
+		}
+		if result.OrderID == "" {
+			t.Error("OrderID is empty")
+		}
+		if result.NotAfter.IsZero() {
+			t.Error("NotAfter is zero")
+		}
+
+		t.Logf("Certificate issued: serial=%s, orderID=%s", result.Serial, result.OrderID)
+	})
+
+	// Test 3: Renew a certificate
+	t.Run("RenewCertificate", func(t *testing.T) {
+		config := &local.Config{
+			CACommonName: "Test CA",
+			ValidityDays: 30,
+		}
+		connector := local.New(config, logger)
+
+		csr, csrPEM, err := generateTestCSR("test.example.com")
+		if err != nil {
+			t.Fatalf("Failed to generate CSR: %v", err)
+		}
+
+		renewReq := issuer.RenewalRequest{
+			CommonName: csr.Subject.CommonName,
+			SANs:       []string{"www.test.example.com"},
+			CSRPEM:     csrPEM,
+		}
+
+		result, err := connector.RenewCertificate(ctx, renewReq)
+		if err != nil {
+			t.Fatalf("RenewCertificate failed: %v", err)
+		}
+
+		if result.Serial == "" {
+			t.Error("Serial is empty")
+		}
+
+		t.Logf("Certificate renewed: serial=%s", result.Serial)
+	})
+
+	// Test 4: Get order status
+	t.Run("GetOrderStatus", func(t *testing.T) {
+		config := &local.Config{
+			CACommonName: "Test CA",
+			ValidityDays: 30,
+		}
+		connector := local.New(config, logger)
+
+		status, err := connector.GetOrderStatus(ctx, "local-12345")
+		if err != nil {
+			t.Fatalf("GetOrderStatus failed: %v", err)
+		}
+
+		if status.Status != "completed" {
+			t.Errorf("Expected status 'completed', got '%s'", status.Status)
+		}
+
+		t.Logf("Order status: %s", status.Status)
+	})
+
+	// Test 5: Revoke a certificate
+	t.Run("RevokeCertificate", func(t *testing.T) {
+		config := &local.Config{
+			CACommonName: "Test CA",
+			ValidityDays: 30,
+		}
+		connector := local.New(config, logger)
+
+		revokeReq := issuer.RevocationRequest{
+			Serial: "test-serial-12345",
+		}
+
+		err := connector.RevokeCertificate(ctx, revokeReq)
+		if err != nil {
+			t.Fatalf("RevokeCertificate failed: %v", err)
+		}
+
+		t.Logf("Certificate revoked: serial=%s", revokeReq.Serial)
+	})
+
+	// Test 6: Invalid CSR
+	t.Run("InvalidCSR", func(t *testing.T) {
+		config := &local.Config{
+			CACommonName: "Test CA",
+			ValidityDays: 30,
+		}
+		connector := local.New(config, logger)
+
+		req := issuer.IssuanceRequest{
+			CommonName: "test.example.com",
+			CSRPEM:     "invalid pem",
+		}
+
+		_, err := connector.IssueCertificate(ctx, req)
+		if err == nil {
+			t.Fatal("Expected error for invalid CSR")
+		}
+
+		t.Logf("Correctly rejected invalid CSR: %v", err)
+	})
+}
+
+func generateTestCSR(commonName string) (*x509.CertificateRequest, string, error) {
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, "", err
+	}
+
+	subj := pkix.Name{
+		CommonName: commonName,
+	}
+
+	csrTemplate := x509.CertificateRequest{
+		Subject:            subj,
+		DNSNames:           []string{commonName},
+		SignatureAlgorithm: x509.SHA256WithRSA,
+	}
+
+	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, key)
+	if err != nil {
+		return nil, "", err
+	}
+
+	csr, err := x509.ParseCertificateRequest(csrBytes)
+	if err != nil {
+		return nil, "", err
+	}
+
+	csrPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csrBytes,
+	})
+
+	return csr, string(csrPEM), nil
+}

internal/repository/postgres/agent.go

@@ -0,0 +1,193 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// AgentRepository implements repository.AgentRepository
+type AgentRepository struct {
+	db *sql.DB
+}
+
+// NewAgentRepository creates a new AgentRepository
+func NewAgentRepository(db *sql.DB) *AgentRepository {
+	return &AgentRepository{db: db}
+}
+
+// List returns all agents
+func (r *AgentRepository) List(ctx context.Context) ([]*domain.Agent, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, name, hostname, status, last_heartbeat_at, registered_at, api_key_hash
+		FROM agents
+		ORDER BY registered_at DESC
+	`)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query agents: %w", err)
+	}
+	defer rows.Close()
+
+	var agents []*domain.Agent
+	for rows.Next() {
+		agent, err := scanAgent(rows)
+		if err != nil {
+			return nil, err
+		}
+		agents = append(agents, agent)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating agent rows: %w", err)
+	}
+
+	return agents, nil
+}
+
+// Get retrieves an agent by ID
+func (r *AgentRepository) Get(ctx context.Context, id string) (*domain.Agent, error) {
+	row := r.db.QueryRowContext(ctx, `
+		SELECT id, name, hostname, status, last_heartbeat_at, registered_at, api_key_hash
+		FROM agents
+		WHERE id = $1
+	`, id)
+
+	agent, err := scanAgent(row)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, fmt.Errorf("agent not found")
+		}
+		return nil, fmt.Errorf("failed to query agent: %w", err)
+	}
+
+	return agent, nil
+}
+
+// Create stores a new agent
+func (r *AgentRepository) Create(ctx context.Context, agent *domain.Agent) error {
+	if agent.ID == "" {
+		agent.ID = uuid.New().String()
+	}
+
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO agents (id, name, hostname, status, last_heartbeat_at, registered_at, api_key_hash)
+		VALUES ($1, $2, $3, $4, $5, $6, $7)
+		RETURNING id
+	`, agent.ID, agent.Name, agent.Hostname, agent.Status, agent.LastHeartbeatAt,
+		agent.RegisteredAt, agent.APIKeyHash).Scan(&agent.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to create agent: %w", err)
+	}
+
+	return nil
+}
+
+// Update modifies an existing agent
+func (r *AgentRepository) Update(ctx context.Context, agent *domain.Agent) error {
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE agents SET
+			name = $1,
+			hostname = $2,
+			status = $3,
+			last_heartbeat_at = $4,
+			api_key_hash = $5
+		WHERE id = $6
+	`, agent.Name, agent.Hostname, agent.Status, agent.LastHeartbeatAt, agent.APIKeyHash, agent.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to update agent: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("agent not found")
+	}
+
+	return nil
+}
+
+// Delete removes an agent
+func (r *AgentRepository) Delete(ctx context.Context, id string) error {
+	result, err := r.db.ExecContext(ctx, "DELETE FROM agents WHERE id = $1", id)
+
+	if err != nil {
+		return fmt.Errorf("failed to delete agent: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("agent not found")
+	}
+
+	return nil
+}
+
+// UpdateHeartbeat updates the agent's last heartbeat timestamp
+func (r *AgentRepository) UpdateHeartbeat(ctx context.Context, id string) error {
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE agents SET last_heartbeat_at = $1 WHERE id = $2
+	`, time.Now(), id)
+
+	if err != nil {
+		return fmt.Errorf("failed to update heartbeat: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("agent not found")
+	}
+
+	return nil
+}
+
+// GetByAPIKey retrieves an agent by hashed API key
+func (r *AgentRepository) GetByAPIKey(ctx context.Context, keyHash string) (*domain.Agent, error) {
+	row := r.db.QueryRowContext(ctx, `
+		SELECT id, name, hostname, status, last_heartbeat_at, registered_at, api_key_hash
+		FROM agents
+		WHERE api_key_hash = $1
+	`, keyHash)
+
+	agent, err := scanAgent(row)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, fmt.Errorf("agent not found")
+		}
+		return nil, fmt.Errorf("failed to query agent: %w", err)
+	}
+
+	return agent, nil
+}
+
+// scanAgent scans an agent from a row or rows
+func scanAgent(scanner interface {
+	Scan(...interface{}) error
+}) (*domain.Agent, error) {
+	var agent domain.Agent
+	err := scanner.Scan(&agent.ID, &agent.Name, &agent.Hostname, &agent.Status,
+		&agent.LastHeartbeatAt, &agent.RegisteredAt, &agent.APIKeyHash)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to scan agent: %w", err)
+	}
+
+	return &agent, nil
+}

internal/repository/postgres/audit.go

@@ -0,0 +1,140 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"strings"
+
+	"github.com/google/uuid"
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
+)
+
+// AuditRepository implements repository.AuditRepository
+type AuditRepository struct {
+	db *sql.DB
+}
+
+// NewAuditRepository creates a new AuditRepository
+func NewAuditRepository(db *sql.DB) *AuditRepository {
+	return &AuditRepository{db: db}
+}
+
+// Create stores a new audit event
+func (r *AuditRepository) Create(ctx context.Context, event *domain.AuditEvent) error {
+	if event.ID == "" {
+		event.ID = uuid.New().String()
+	}
+
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO audit_events (
+			id, actor, actor_type, action, resource_type, resource_id, details, timestamp
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+		RETURNING id
+	`, event.ID, event.Actor, event.ActorType, event.Action, event.ResourceType,
+		event.ResourceID, event.Details, event.Timestamp).Scan(&event.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to create audit event: %w", err)
+	}
+
+	return nil
+}
+
+// List returns audit events matching the filter criteria
+func (r *AuditRepository) List(ctx context.Context, filter *repository.AuditFilter) ([]*domain.AuditEvent, error) {
+	if filter == nil {
+		filter = &repository.AuditFilter{}
+	}
+
+	// Set defaults
+	if filter.Page < 1 {
+		filter.Page = 1
+	}
+	if filter.PerPage == 0 || filter.PerPage > 500 {
+		filter.PerPage = 50
+	}
+
+	// Build WHERE clause
+	var whereConditions []string
+	var args []interface{}
+	argCount := 1
+
+	if filter.Actor != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("actor = $%d", argCount))
+		args = append(args, filter.Actor)
+		argCount++
+	}
+	if filter.ActorType != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("actor_type = $%d", argCount))
+		args = append(args, filter.ActorType)
+		argCount++
+	}
+	if filter.ResourceType != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("resource_type = $%d", argCount))
+		args = append(args, filter.ResourceType)
+		argCount++
+	}
+	if filter.ResourceID != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("resource_id = $%d", argCount))
+		args = append(args, filter.ResourceID)
+		argCount++
+	}
+	if !filter.From.IsZero() {
+		whereConditions = append(whereConditions, fmt.Sprintf("timestamp >= $%d", argCount))
+		args = append(args, filter.From)
+		argCount++
+	}
+	if !filter.To.IsZero() {
+		whereConditions = append(whereConditions, fmt.Sprintf("timestamp <= $%d", argCount))
+		args = append(args, filter.To)
+		argCount++
+	}
+
+	whereClause := ""
+	if len(whereConditions) > 0 {
+		whereClause = "WHERE " + strings.Join(whereConditions, " AND ")
+	}
+
+	// Get total count
+	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM audit_events %s", whereClause)
+	var total int
+	if err := r.db.QueryRowContext(ctx, countQuery, args...).Scan(&total); err != nil {
+		return nil, fmt.Errorf("failed to count audit events: %w", err)
+	}
+
+	// Get paginated results
+	offset := (filter.Page - 1) * filter.PerPage
+	query := fmt.Sprintf(`
+		SELECT id, actor, actor_type, action, resource_type, resource_id, details, timestamp
+		FROM audit_events
+		%s
+		ORDER BY timestamp DESC
+		LIMIT $%d OFFSET $%d
+	`, whereClause, argCount, argCount+1)
+
+	args = append(args, filter.PerPage, offset)
+
+	rows, err := r.db.QueryContext(ctx, query, args...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query audit events: %w", err)
+	}
+	defer rows.Close()
+
+	var events []*domain.AuditEvent
+	for rows.Next() {
+		var event domain.AuditEvent
+		if err := rows.Scan(&event.ID, &event.Actor, &event.ActorType, &event.Action,
+			&event.ResourceType, &event.ResourceID, &event.Details, &event.Timestamp); err != nil {
+			return nil, fmt.Errorf("failed to scan audit event: %w", err)
+		}
+		events = append(events, &event)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating audit event rows: %w", err)
+	}
+
+	return events, nil
+}

internal/repository/postgres/certificate.go

@@ -0,0 +1,346 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/lib/pq"
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
+)
+
+// CertificateRepository implements repository.CertificateRepository
+type CertificateRepository struct {
+	db *sql.DB
+}
+
+// NewCertificateRepository creates a new CertificateRepository
+func NewCertificateRepository(db *sql.DB) *CertificateRepository {
+	return &CertificateRepository{db: db}
+}
+
+// List returns a paginated list of certificates matching the filter criteria
+func (r *CertificateRepository) List(ctx context.Context, filter *repository.CertificateFilter) ([]*domain.ManagedCertificate, int, error) {
+	if filter == nil {
+		filter = &repository.CertificateFilter{}
+	}
+
+	// Set defaults
+	if filter.Page < 1 {
+		filter.Page = 1
+	}
+	if filter.PerPage == 0 || filter.PerPage > 500 {
+		filter.PerPage = 50
+	}
+
+	// Build WHERE clause
+	var whereConditions []string
+	var args []interface{}
+	argCount := 1
+
+	if filter.Status != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("status = $%d", argCount))
+		args = append(args, filter.Status)
+		argCount++
+	}
+	if filter.Environment != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("environment = $%d", argCount))
+		args = append(args, filter.Environment)
+		argCount++
+	}
+	if filter.OwnerID != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("owner_id = $%d", argCount))
+		args = append(args, filter.OwnerID)
+		argCount++
+	}
+	if filter.TeamID != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("team_id = $%d", argCount))
+		args = append(args, filter.TeamID)
+		argCount++
+	}
+	if filter.IssuerID != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("issuer_id = $%d", argCount))
+		args = append(args, filter.IssuerID)
+		argCount++
+	}
+
+	whereClause := ""
+	if len(whereConditions) > 0 {
+		whereClause = "WHERE " + strings.Join(whereConditions, " AND ")
+	}
+
+	// Get total count
+	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM certificates %s", whereClause)
+	var total int
+	if err := r.db.QueryRowContext(ctx, countQuery, args...).Scan(&total); err != nil {
+		return nil, 0, fmt.Errorf("failed to count certificates: %w", err)
+	}
+
+	// Get paginated results
+	offset := (filter.Page - 1) * filter.PerPage
+	query := fmt.Sprintf(`
+		SELECT id, name, common_name, sans, environment, owner_id, team_id, issuer_id,
+		       status, expires_at, tags, last_renewal_at, last_deployment_at, created_at, updated_at
+		FROM certificates
+		%s
+		ORDER BY created_at DESC
+		LIMIT $%d OFFSET $%d
+	`, whereClause, argCount, argCount+1)
+
+	args = append(args, filter.PerPage, offset)
+
+	rows, err := r.db.QueryContext(ctx, query, args...)
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to query certificates: %w", err)
+	}
+	defer rows.Close()
+
+	var certs []*domain.ManagedCertificate
+	for rows.Next() {
+		cert, err := scanCertificate(rows)
+		if err != nil {
+			return nil, 0, err
+		}
+		certs = append(certs, cert)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, 0, fmt.Errorf("error iterating certificate rows: %w", err)
+	}
+
+	return certs, total, nil
+}
+
+// Get retrieves a certificate by ID
+func (r *CertificateRepository) Get(ctx context.Context, id string) (*domain.ManagedCertificate, error) {
+	row := r.db.QueryRowContext(ctx, `
+		SELECT id, name, common_name, sans, environment, owner_id, team_id, issuer_id,
+		       status, expires_at, tags, last_renewal_at, last_deployment_at, created_at, updated_at
+		FROM certificates
+		WHERE id = $1
+	`, id)
+
+	cert, err := scanCertificate(row)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, fmt.Errorf("certificate not found")
+		}
+		return nil, fmt.Errorf("failed to query certificate: %w", err)
+	}
+
+	return cert, nil
+}
+
+// Create stores a new certificate
+func (r *CertificateRepository) Create(ctx context.Context, cert *domain.ManagedCertificate) error {
+	if cert.ID == "" {
+		cert.ID = uuid.New().String()
+	}
+
+	tagsJSON, err := json.Marshal(cert.Tags)
+	if err != nil {
+		return fmt.Errorf("failed to marshal tags: %w", err)
+	}
+
+	err = r.db.QueryRowContext(ctx, `
+		INSERT INTO certificates (
+			id, name, common_name, sans, environment, owner_id, team_id, issuer_id,
+			status, expires_at, tags, last_renewal_at, last_deployment_at, created_at, updated_at
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15)
+		RETURNING id
+	`, cert.ID, cert.Name, cert.CommonName, pq.Array(cert.SANs), cert.Environment,
+		cert.OwnerID, cert.TeamID, cert.IssuerID, cert.Status, cert.ExpiresAt,
+		tagsJSON, cert.LastRenewalAt, cert.LastDeploymentAt, cert.CreatedAt, cert.UpdatedAt).Scan(&cert.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to create certificate: %w", err)
+	}
+
+	return nil
+}
+
+// Update modifies an existing certificate
+func (r *CertificateRepository) Update(ctx context.Context, cert *domain.ManagedCertificate) error {
+	tagsJSON, err := json.Marshal(cert.Tags)
+	if err != nil {
+		return fmt.Errorf("failed to marshal tags: %w", err)
+	}
+
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE certificates SET
+			name = $1,
+			common_name = $2,
+			sans = $3,
+			environment = $4,
+			owner_id = $5,
+			team_id = $6,
+			issuer_id = $7,
+			status = $8,
+			expires_at = $9,
+			tags = $10,
+			last_renewal_at = $11,
+			last_deployment_at = $12,
+			updated_at = $13
+		WHERE id = $14
+	`, cert.Name, cert.CommonName, pq.Array(cert.SANs), cert.Environment,
+		cert.OwnerID, cert.TeamID, cert.IssuerID, cert.Status, cert.ExpiresAt,
+		tagsJSON, cert.LastRenewalAt, cert.LastDeploymentAt, cert.UpdatedAt, cert.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to update certificate: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("certificate not found")
+	}
+
+	return nil
+}
+
+// Archive marks a certificate as archived
+func (r *CertificateRepository) Archive(ctx context.Context, id string) error {
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE certificates SET status = $1, updated_at = $2 WHERE id = $3
+	`, domain.CertificateStatusArchived, time.Now(), id)
+
+	if err != nil {
+		return fmt.Errorf("failed to archive certificate: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("certificate not found")
+	}
+
+	return nil
+}
+
+// ListVersions returns all versions of a certificate
+func (r *CertificateRepository) ListVersions(ctx context.Context, certID string) ([]*domain.CertificateVersion, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, certificate_id, serial_number, not_before, not_after,
+		       fingerprint_sha256, pem_chain, csr_pem, created_at
+		FROM certificate_versions
+		WHERE certificate_id = $1
+		ORDER BY created_at DESC
+	`, certID)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query certificate versions: %w", err)
+	}
+	defer rows.Close()
+
+	var versions []*domain.CertificateVersion
+	for rows.Next() {
+		var v domain.CertificateVersion
+		if err := rows.Scan(&v.ID, &v.CertificateID, &v.SerialNumber, &v.NotBefore, &v.NotAfter,
+			&v.FingerprintSHA256, &v.PEMChain, &v.CSRPEM, &v.CreatedAt); err != nil {
+			return nil, fmt.Errorf("failed to scan certificate version: %w", err)
+		}
+		versions = append(versions, &v)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating version rows: %w", err)
+	}
+
+	return versions, nil
+}
+
+// CreateVersion stores a new certificate version
+func (r *CertificateRepository) CreateVersion(ctx context.Context, version *domain.CertificateVersion) error {
+	if version.ID == "" {
+		version.ID = uuid.New().String()
+	}
+
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO certificate_versions (
+			id, certificate_id, serial_number, not_before, not_after,
+			fingerprint_sha256, pem_chain, csr_pem, created_at
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
+		RETURNING id
+	`, version.ID, version.CertificateID, version.SerialNumber, version.NotBefore, version.NotAfter,
+		version.FingerprintSHA256, version.PEMChain, version.CSRPEM, version.CreatedAt).Scan(&version.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to create certificate version: %w", err)
+	}
+
+	return nil
+}
+
+// GetExpiringCertificates returns certificates expiring before the given time
+func (r *CertificateRepository) GetExpiringCertificates(ctx context.Context, before time.Time) ([]*domain.ManagedCertificate, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, name, common_name, sans, environment, owner_id, team_id, issuer_id,
+		       status, expires_at, tags, last_renewal_at, last_deployment_at, created_at, updated_at
+		FROM certificates
+		WHERE expires_at < $1 AND status != $2
+		ORDER BY expires_at ASC
+	`, before, domain.CertificateStatusArchived)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query expiring certificates: %w", err)
+	}
+	defer rows.Close()
+
+	var certs []*domain.ManagedCertificate
+	for rows.Next() {
+		cert, err := scanCertificate(rows)
+		if err != nil {
+			return nil, err
+		}
+		certs = append(certs, cert)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating expiring certificate rows: %w", err)
+	}
+
+	return certs, nil
+}
+
+// scanCertificate scans a certificate from a row or rows
+func scanCertificate(scanner interface {
+	Scan(...interface{}) error
+}) (*domain.ManagedCertificate, error) {
+	var cert domain.ManagedCertificate
+	var tagsJSON []byte
+	var sans pq.StringArray
+
+	err := scanner.Scan(
+		&cert.ID, &cert.Name, &cert.CommonName, &sans, &cert.Environment, &cert.OwnerID,
+		&cert.TeamID, &cert.IssuerID, &cert.Status, &cert.ExpiresAt, &tagsJSON,
+		&cert.LastRenewalAt, &cert.LastDeploymentAt, &cert.CreatedAt, &cert.UpdatedAt)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to scan certificate: %w", err)
+	}
+
+	cert.SANs = []string(sans)
+
+	// Unmarshal tags
+	if len(tagsJSON) > 0 {
+		if err := json.Unmarshal(tagsJSON, &cert.Tags); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal tags: %w", err)
+		}
+	} else {
+		cert.Tags = make(map[string]string)
+	}
+
+	return &cert, nil
+}

internal/repository/postgres/db.go

@@ -0,0 +1,68 @@
+package postgres
+
+import (
+	"database/sql"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	_ "github.com/lib/pq"
+)
+
+// NewDB opens a PostgreSQL database connection and sets up connection pooling.
+func NewDB(connStr string) (*sql.DB, error) {
+	db, err := sql.Open("postgres", connStr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open database: %w", err)
+	}
+
+	// Configure connection pool
+	db.SetMaxOpenConns(25)
+	db.SetMaxIdleConns(5)
+
+	// Ping to verify connection
+	if err := db.Ping(); err != nil {
+		return nil, fmt.Errorf("failed to ping database: %w", err)
+	}
+
+	return db, nil
+}
+
+// RunMigrations reads and executes SQL migration files from a directory.
+func RunMigrations(db *sql.DB, migrationsPath string) error {
+	// Check if migrations directory exists
+	if _, err := os.Stat(migrationsPath); os.IsNotExist(err) {
+		return fmt.Errorf("migrations directory not found: %s", migrationsPath)
+	}
+
+	// Read all SQL files from the migrations directory
+	files, err := os.ReadDir(migrationsPath)
+	if err != nil {
+		return fmt.Errorf("failed to read migrations directory: %w", err)
+	}
+
+	// Sort and filter SQL files
+	var sqlFiles []string
+	for _, file := range files {
+		if !file.IsDir() && strings.HasSuffix(file.Name(), ".sql") {
+			sqlFiles = append(sqlFiles, file.Name())
+		}
+	}
+
+	// Execute each migration file in order
+	for _, filename := range sqlFiles {
+		filePath := filepath.Join(migrationsPath, filename)
+		content, err := os.ReadFile(filePath)
+		if err != nil {
+			return fmt.Errorf("failed to read migration file %s: %w", filename, err)
+		}
+
+		// Execute the SQL content
+		if _, err := db.Exec(string(content)); err != nil {
+			return fmt.Errorf("failed to execute migration %s: %w", filename, err)
+		}
+	}
+
+	return nil
+}

internal/repository/postgres/issuer.go

@@ -0,0 +1,138 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// IssuerRepository implements repository.IssuerRepository
+type IssuerRepository struct {
+	db *sql.DB
+}
+
+// NewIssuerRepository creates a new IssuerRepository
+func NewIssuerRepository(db *sql.DB) *IssuerRepository {
+	return &IssuerRepository{db: db}
+}
+
+// List returns all issuers
+func (r *IssuerRepository) List(ctx context.Context) ([]*domain.Issuer, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, name, type, config, enabled, created_at, updated_at
+		FROM issuers
+		ORDER BY created_at DESC
+	`)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query issuers: %w", err)
+	}
+	defer rows.Close()
+
+	var issuers []*domain.Issuer
+	for rows.Next() {
+		var issuer domain.Issuer
+		if err := rows.Scan(&issuer.ID, &issuer.Name, &issuer.Type, &issuer.Config,
+			&issuer.Enabled, &issuer.CreatedAt, &issuer.UpdatedAt); err != nil {
+			return nil, fmt.Errorf("failed to scan issuer: %w", err)
+		}
+		issuers = append(issuers, &issuer)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating issuer rows: %w", err)
+	}
+
+	return issuers, nil
+}
+
+// Get retrieves an issuer by ID
+func (r *IssuerRepository) Get(ctx context.Context, id string) (*domain.Issuer, error) {
+	var issuer domain.Issuer
+	err := r.db.QueryRowContext(ctx, `
+		SELECT id, name, type, config, enabled, created_at, updated_at
+		FROM issuers
+		WHERE id = $1
+	`, id).Scan(&issuer.ID, &issuer.Name, &issuer.Type, &issuer.Config,
+		&issuer.Enabled, &issuer.CreatedAt, &issuer.UpdatedAt)
+
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, fmt.Errorf("issuer not found")
+		}
+		return nil, fmt.Errorf("failed to query issuer: %w", err)
+	}
+
+	return &issuer, nil
+}
+
+// Create stores a new issuer
+func (r *IssuerRepository) Create(ctx context.Context, issuer *domain.Issuer) error {
+	if issuer.ID == "" {
+		issuer.ID = uuid.New().String()
+	}
+
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO issuers (id, name, type, config, enabled, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7)
+		RETURNING id
+	`, issuer.ID, issuer.Name, issuer.Type, issuer.Config, issuer.Enabled,
+		issuer.CreatedAt, issuer.UpdatedAt).Scan(&issuer.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to create issuer: %w", err)
+	}
+
+	return nil
+}
+
+// Update modifies an existing issuer
+func (r *IssuerRepository) Update(ctx context.Context, issuer *domain.Issuer) error {
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE issuers SET
+			name = $1,
+			type = $2,
+			config = $3,
+			enabled = $4,
+			updated_at = $5
+		WHERE id = $6
+	`, issuer.Name, issuer.Type, issuer.Config, issuer.Enabled, issuer.UpdatedAt, issuer.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to update issuer: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("issuer not found")
+	}
+
+	return nil
+}
+
+// Delete removes an issuer
+func (r *IssuerRepository) Delete(ctx context.Context, id string) error {
+	result, err := r.db.ExecContext(ctx, "DELETE FROM issuers WHERE id = $1", id)
+
+	if err != nil {
+		return fmt.Errorf("failed to delete issuer: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("issuer not found")
+	}
+
+	return nil
+}

internal/repository/postgres/job.go

@@ -0,0 +1,284 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// JobRepository implements repository.JobRepository
+type JobRepository struct {
+	db *sql.DB
+}
+
+// NewJobRepository creates a new JobRepository
+func NewJobRepository(db *sql.DB) *JobRepository {
+	return &JobRepository{db: db}
+}
+
+// List returns all jobs
+func (r *JobRepository) List(ctx context.Context) ([]*domain.Job, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, type, certificate_id, target_id, status, attempts, max_attempts,
+		       last_error, scheduled_at, started_at, completed_at, created_at
+		FROM jobs
+		ORDER BY created_at DESC
+	`)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query jobs: %w", err)
+	}
+	defer rows.Close()
+
+	var jobs []*domain.Job
+	for rows.Next() {
+		job, err := scanJob(rows)
+		if err != nil {
+			return nil, err
+		}
+		jobs = append(jobs, job)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating job rows: %w", err)
+	}
+
+	return jobs, nil
+}
+
+// Get retrieves a job by ID
+func (r *JobRepository) Get(ctx context.Context, id string) (*domain.Job, error) {
+	row := r.db.QueryRowContext(ctx, `
+		SELECT id, type, certificate_id, target_id, status, attempts, max_attempts,
+		       last_error, scheduled_at, started_at, completed_at, created_at
+		FROM jobs
+		WHERE id = $1
+	`, id)
+
+	job, err := scanJob(row)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, fmt.Errorf("job not found")
+		}
+		return nil, fmt.Errorf("failed to query job: %w", err)
+	}
+
+	return job, nil
+}
+
+// Create stores a new job
+func (r *JobRepository) Create(ctx context.Context, job *domain.Job) error {
+	if job.ID == "" {
+		job.ID = uuid.New().String()
+	}
+
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO jobs (
+			id, type, certificate_id, target_id, status, attempts, max_attempts,
+			last_error, scheduled_at, started_at, completed_at, created_at
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)
+		RETURNING id
+	`, job.ID, job.Type, job.CertificateID, job.TargetID, job.Status, job.Attempts,
+		job.MaxAttempts, job.LastError, job.ScheduledAt, job.StartedAt, job.CompletedAt,
+		job.CreatedAt).Scan(&job.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to create job: %w", err)
+	}
+
+	return nil
+}
+
+// Update modifies an existing job
+func (r *JobRepository) Update(ctx context.Context, job *domain.Job) error {
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE jobs SET
+			type = $1,
+			certificate_id = $2,
+			target_id = $3,
+			status = $4,
+			attempts = $5,
+			max_attempts = $6,
+			last_error = $7,
+			scheduled_at = $8,
+			started_at = $9,
+			completed_at = $10
+		WHERE id = $11
+	`, job.Type, job.CertificateID, job.TargetID, job.Status, job.Attempts,
+		job.MaxAttempts, job.LastError, job.ScheduledAt, job.StartedAt,
+		job.CompletedAt, job.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to update job: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("job not found")
+	}
+
+	return nil
+}
+
+// Delete removes a job
+func (r *JobRepository) Delete(ctx context.Context, id string) error {
+	result, err := r.db.ExecContext(ctx, "DELETE FROM jobs WHERE id = $1", id)
+
+	if err != nil {
+		return fmt.Errorf("failed to delete job: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("job not found")
+	}
+
+	return nil
+}
+
+// ListByStatus returns jobs with a specific status
+func (r *JobRepository) ListByStatus(ctx context.Context, status domain.JobStatus) ([]*domain.Job, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, type, certificate_id, target_id, status, attempts, max_attempts,
+		       last_error, scheduled_at, started_at, completed_at, created_at
+		FROM jobs
+		WHERE status = $1
+		ORDER BY created_at DESC
+	`, status)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query jobs by status: %w", err)
+	}
+	defer rows.Close()
+
+	var jobs []*domain.Job
+	for rows.Next() {
+		job, err := scanJob(rows)
+		if err != nil {
+			return nil, err
+		}
+		jobs = append(jobs, job)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating job rows: %w", err)
+	}
+
+	return jobs, nil
+}
+
+// ListByCertificate returns all jobs for a certificate
+func (r *JobRepository) ListByCertificate(ctx context.Context, certID string) ([]*domain.Job, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, type, certificate_id, target_id, status, attempts, max_attempts,
+		       last_error, scheduled_at, started_at, completed_at, created_at
+		FROM jobs
+		WHERE certificate_id = $1
+		ORDER BY created_at DESC
+	`, certID)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query jobs for certificate: %w", err)
+	}
+	defer rows.Close()
+
+	var jobs []*domain.Job
+	for rows.Next() {
+		job, err := scanJob(rows)
+		if err != nil {
+			return nil, err
+		}
+		jobs = append(jobs, job)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating job rows: %w", err)
+	}
+
+	return jobs, nil
+}
+
+// UpdateStatus updates a job's status and optional error message
+func (r *JobRepository) UpdateStatus(ctx context.Context, id string, status domain.JobStatus, errMsg string) error {
+	var lastError *string
+	if errMsg != "" {
+		lastError = &errMsg
+	}
+
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE jobs SET status = $1, last_error = $2 WHERE id = $3
+	`, status, lastError, id)
+
+	if err != nil {
+		return fmt.Errorf("failed to update job status: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("job not found")
+	}
+
+	return nil
+}
+
+// GetPendingJobs returns jobs not yet processed of a specific type
+func (r *JobRepository) GetPendingJobs(ctx context.Context, jobType domain.JobType) ([]*domain.Job, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, type, certificate_id, target_id, status, attempts, max_attempts,
+		       last_error, scheduled_at, started_at, completed_at, created_at
+		FROM jobs
+		WHERE type = $1 AND status = $2
+		ORDER BY scheduled_at ASC
+	`, jobType, domain.JobStatusPending)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query pending jobs: %w", err)
+	}
+	defer rows.Close()
+
+	var jobs []*domain.Job
+	for rows.Next() {
+		job, err := scanJob(rows)
+		if err != nil {
+			return nil, err
+		}
+		jobs = append(jobs, job)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating job rows: %w", err)
+	}
+
+	return jobs, nil
+}
+
+// scanJob scans a job from a row or rows
+func scanJob(scanner interface {
+	Scan(...interface{}) error
+}) (*domain.Job, error) {
+	var job domain.Job
+	err := scanner.Scan(&job.ID, &job.Type, &job.CertificateID, &job.TargetID,
+		&job.Status, &job.Attempts, &job.MaxAttempts, &job.LastError,
+		&job.ScheduledAt, &job.StartedAt, &job.CompletedAt, &job.CreatedAt)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to scan job: %w", err)
+	}
+
+	return &job, nil
+}

internal/repository/postgres/notification.go

@@ -0,0 +1,162 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
+)
+
+// NotificationRepository implements repository.NotificationRepository
+type NotificationRepository struct {
+	db *sql.DB
+}
+
+// NewNotificationRepository creates a new NotificationRepository
+func NewNotificationRepository(db *sql.DB) *NotificationRepository {
+	return &NotificationRepository{db: db}
+}
+
+// Create stores a new notification
+func (r *NotificationRepository) Create(ctx context.Context, notif *domain.NotificationEvent) error {
+	if notif.ID == "" {
+		notif.ID = uuid.New().String()
+	}
+
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO notifications (
+			id, type, certificate_id, channel, recipient, message, sent_at, status, error, created_at
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
+		RETURNING id
+	`, notif.ID, notif.Type, notif.CertificateID, notif.Channel, notif.Recipient,
+		notif.Message, notif.SentAt, notif.Status, notif.Error, notif.CreatedAt).Scan(&notif.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to create notification: %w", err)
+	}
+
+	return nil
+}
+
+// List returns notifications matching the filter criteria
+func (r *NotificationRepository) List(ctx context.Context, filter *repository.NotificationFilter) ([]*domain.NotificationEvent, error) {
+	if filter == nil {
+		filter = &repository.NotificationFilter{}
+	}
+
+	// Set defaults
+	if filter.Page < 1 {
+		filter.Page = 1
+	}
+	if filter.PerPage == 0 || filter.PerPage > 500 {
+		filter.PerPage = 50
+	}
+
+	// Build WHERE clause
+	var whereConditions []string
+	var args []interface{}
+	argCount := 1
+
+	if filter.CertificateID != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("certificate_id = $%d", argCount))
+		args = append(args, filter.CertificateID)
+		argCount++
+	}
+	if filter.Status != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("status = $%d", argCount))
+		args = append(args, filter.Status)
+		argCount++
+	}
+	if filter.Channel != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("channel = $%d", argCount))
+		args = append(args, filter.Channel)
+		argCount++
+	}
+
+	whereClause := ""
+	if len(whereConditions) > 0 {
+		whereClause = "WHERE " + strings.Join(whereConditions, " AND ")
+	}
+
+	// Get total count
+	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM notifications %s", whereClause)
+	var total int
+	if err := r.db.QueryRowContext(ctx, countQuery, args...).Scan(&total); err != nil {
+		return nil, fmt.Errorf("failed to count notifications: %w", err)
+	}
+
+	// Get paginated results
+	offset := (filter.Page - 1) * filter.PerPage
+	query := fmt.Sprintf(`
+		SELECT id, type, certificate_id, channel, recipient, message, sent_at, status, error, created_at
+		FROM notifications
+		%s
+		ORDER BY created_at DESC
+		LIMIT $%d OFFSET $%d
+	`, whereClause, argCount, argCount+1)
+
+	args = append(args, filter.PerPage, offset)
+
+	rows, err := r.db.QueryContext(ctx, query, args...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query notifications: %w", err)
+	}
+	defer rows.Close()
+
+	var notifs []*domain.NotificationEvent
+	for rows.Next() {
+		notif, err := scanNotification(rows)
+		if err != nil {
+			return nil, err
+		}
+		notifs = append(notifs, notif)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating notification rows: %w", err)
+	}
+
+	return notifs, nil
+}
+
+// UpdateStatus updates a notification's delivery status
+func (r *NotificationRepository) UpdateStatus(ctx context.Context, id string, status string, sentAt time.Time) error {
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE notifications SET status = $1, sent_at = $2 WHERE id = $3
+	`, status, sentAt, id)
+
+	if err != nil {
+		return fmt.Errorf("failed to update notification status: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("notification not found")
+	}
+
+	return nil
+}
+
+// scanNotification scans a notification from a row or rows
+func scanNotification(scanner interface {
+	Scan(...interface{}) error
+}) (*domain.NotificationEvent, error) {
+	var notif domain.NotificationEvent
+	err := scanner.Scan(&notif.ID, &notif.Type, &notif.CertificateID, &notif.Channel,
+		&notif.Recipient, &notif.Message, &notif.SentAt, &notif.Status, &notif.Error, &notif.CreatedAt)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to scan notification: %w", err)
+	}
+
+	return &notif, nil
+}

internal/repository/postgres/owner.go

@@ -0,0 +1,137 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// OwnerRepository implements repository.OwnerRepository
+type OwnerRepository struct {
+	db *sql.DB
+}
+
+// NewOwnerRepository creates a new OwnerRepository
+func NewOwnerRepository(db *sql.DB) *OwnerRepository {
+	return &OwnerRepository{db: db}
+}
+
+// List returns all owners
+func (r *OwnerRepository) List(ctx context.Context) ([]*domain.Owner, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, name, email, team_id, created_at, updated_at
+		FROM owners
+		ORDER BY created_at DESC
+	`)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query owners: %w", err)
+	}
+	defer rows.Close()
+
+	var owners []*domain.Owner
+	for rows.Next() {
+		var owner domain.Owner
+		if err := rows.Scan(&owner.ID, &owner.Name, &owner.Email, &owner.TeamID,
+			&owner.CreatedAt, &owner.UpdatedAt); err != nil {
+			return nil, fmt.Errorf("failed to scan owner: %w", err)
+		}
+		owners = append(owners, &owner)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating owner rows: %w", err)
+	}
+
+	return owners, nil
+}
+
+// Get retrieves an owner by ID
+func (r *OwnerRepository) Get(ctx context.Context, id string) (*domain.Owner, error) {
+	var owner domain.Owner
+	err := r.db.QueryRowContext(ctx, `
+		SELECT id, name, email, team_id, created_at, updated_at
+		FROM owners
+		WHERE id = $1
+	`, id).Scan(&owner.ID, &owner.Name, &owner.Email, &owner.TeamID,
+		&owner.CreatedAt, &owner.UpdatedAt)
+
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, fmt.Errorf("owner not found")
+		}
+		return nil, fmt.Errorf("failed to query owner: %w", err)
+	}
+
+	return &owner, nil
+}
+
+// Create stores a new owner
+func (r *OwnerRepository) Create(ctx context.Context, owner *domain.Owner) error {
+	if owner.ID == "" {
+		owner.ID = uuid.New().String()
+	}
+
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO owners (id, name, email, team_id, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5, $6)
+		RETURNING id
+	`, owner.ID, owner.Name, owner.Email, owner.TeamID,
+		owner.CreatedAt, owner.UpdatedAt).Scan(&owner.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to create owner: %w", err)
+	}
+
+	return nil
+}
+
+// Update modifies an existing owner
+func (r *OwnerRepository) Update(ctx context.Context, owner *domain.Owner) error {
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE owners SET
+			name = $1,
+			email = $2,
+			team_id = $3,
+			updated_at = $4
+		WHERE id = $5
+	`, owner.Name, owner.Email, owner.TeamID, owner.UpdatedAt, owner.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to update owner: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("owner not found")
+	}
+
+	return nil
+}
+
+// Delete removes an owner
+func (r *OwnerRepository) Delete(ctx context.Context, id string) error {
+	result, err := r.db.ExecContext(ctx, "DELETE FROM owners WHERE id = $1", id)
+
+	if err != nil {
+		return fmt.Errorf("failed to delete owner: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("owner not found")
+	}
+
+	return nil
+}

internal/repository/postgres/policy.go

@@ -0,0 +1,242 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"strings"
+
+	"github.com/google/uuid"
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
+)
+
+// PolicyRepository implements repository.PolicyRepository
+type PolicyRepository struct {
+	db *sql.DB
+}
+
+// NewPolicyRepository creates a new PolicyRepository
+func NewPolicyRepository(db *sql.DB) *PolicyRepository {
+	return &PolicyRepository{db: db}
+}
+
+// ListRules returns all policy rules
+func (r *PolicyRepository) ListRules(ctx context.Context) ([]*domain.PolicyRule, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, name, type, config, enabled, created_at, updated_at
+		FROM policy_rules
+		ORDER BY created_at DESC
+	`)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query policy rules: %w", err)
+	}
+	defer rows.Close()
+
+	var rules []*domain.PolicyRule
+	for rows.Next() {
+		var rule domain.PolicyRule
+		if err := rows.Scan(&rule.ID, &rule.Name, &rule.Type, &rule.Config,
+			&rule.Enabled, &rule.CreatedAt, &rule.UpdatedAt); err != nil {
+			return nil, fmt.Errorf("failed to scan policy rule: %w", err)
+		}
+		rules = append(rules, &rule)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating policy rule rows: %w", err)
+	}
+
+	return rules, nil
+}
+
+// GetRule retrieves a policy rule by ID
+func (r *PolicyRepository) GetRule(ctx context.Context, id string) (*domain.PolicyRule, error) {
+	var rule domain.PolicyRule
+	err := r.db.QueryRowContext(ctx, `
+		SELECT id, name, type, config, enabled, created_at, updated_at
+		FROM policy_rules
+		WHERE id = $1
+	`, id).Scan(&rule.ID, &rule.Name, &rule.Type, &rule.Config,
+		&rule.Enabled, &rule.CreatedAt, &rule.UpdatedAt)
+
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, fmt.Errorf("policy rule not found")
+		}
+		return nil, fmt.Errorf("failed to query policy rule: %w", err)
+	}
+
+	return &rule, nil
+}
+
+// CreateRule stores a new policy rule
+func (r *PolicyRepository) CreateRule(ctx context.Context, rule *domain.PolicyRule) error {
+	if rule.ID == "" {
+		rule.ID = uuid.New().String()
+	}
+
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO policy_rules (id, name, type, config, enabled, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7)
+		RETURNING id
+	`, rule.ID, rule.Name, rule.Type, rule.Config, rule.Enabled,
+		rule.CreatedAt, rule.UpdatedAt).Scan(&rule.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to create policy rule: %w", err)
+	}
+
+	return nil
+}
+
+// UpdateRule modifies an existing policy rule
+func (r *PolicyRepository) UpdateRule(ctx context.Context, rule *domain.PolicyRule) error {
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE policy_rules SET
+			name = $1,
+			type = $2,
+			config = $3,
+			enabled = $4,
+			updated_at = $5
+		WHERE id = $6
+	`, rule.Name, rule.Type, rule.Config, rule.Enabled, rule.UpdatedAt, rule.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to update policy rule: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("policy rule not found")
+	}
+
+	return nil
+}
+
+// DeleteRule removes a policy rule
+func (r *PolicyRepository) DeleteRule(ctx context.Context, id string) error {
+	result, err := r.db.ExecContext(ctx, "DELETE FROM policy_rules WHERE id = $1", id)
+
+	if err != nil {
+		return fmt.Errorf("failed to delete policy rule: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("policy rule not found")
+	}
+
+	return nil
+}
+
+// CreateViolation records a policy violation
+func (r *PolicyRepository) CreateViolation(ctx context.Context, violation *domain.PolicyViolation) error {
+	if violation.ID == "" {
+		violation.ID = uuid.New().String()
+	}
+
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO policy_violations (id, certificate_id, rule_id, message, severity, created_at)
+		VALUES ($1, $2, $3, $4, $5, $6)
+		RETURNING id
+	`, violation.ID, violation.CertificateID, violation.RuleID, violation.Message,
+		violation.Severity, violation.CreatedAt).Scan(&violation.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to create policy violation: %w", err)
+	}
+
+	return nil
+}
+
+// ListViolations returns policy violations, optionally filtered
+func (r *PolicyRepository) ListViolations(ctx context.Context, filter *repository.AuditFilter) ([]*domain.PolicyViolation, error) {
+	if filter == nil {
+		filter = &repository.AuditFilter{}
+	}
+
+	// Set defaults
+	if filter.Page < 1 {
+		filter.Page = 1
+	}
+	if filter.PerPage == 0 || filter.PerPage > 500 {
+		filter.PerPage = 50
+	}
+
+	// Build WHERE clause
+	var whereConditions []string
+	var args []interface{}
+	argCount := 1
+
+	if filter.ResourceID != "" {
+		whereConditions = append(whereConditions, fmt.Sprintf("certificate_id = $%d", argCount))
+		args = append(args, filter.ResourceID)
+		argCount++
+	}
+	if !filter.From.IsZero() {
+		whereConditions = append(whereConditions, fmt.Sprintf("created_at >= $%d", argCount))
+		args = append(args, filter.From)
+		argCount++
+	}
+	if !filter.To.IsZero() {
+		whereConditions = append(whereConditions, fmt.Sprintf("created_at <= $%d", argCount))
+		args = append(args, filter.To)
+		argCount++
+	}
+
+	whereClause := ""
+	if len(whereConditions) > 0 {
+		whereClause = "WHERE " + strings.Join(whereConditions, " AND ")
+	}
+
+	// Get total count
+	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM policy_violations %s", whereClause)
+	var total int
+	if err := r.db.QueryRowContext(ctx, countQuery, args...).Scan(&total); err != nil {
+		return nil, fmt.Errorf("failed to count policy violations: %w", err)
+	}
+
+	// Get paginated results
+	offset := (filter.Page - 1) * filter.PerPage
+	query := fmt.Sprintf(`
+		SELECT id, certificate_id, rule_id, message, severity, created_at
+		FROM policy_violations
+		%s
+		ORDER BY created_at DESC
+		LIMIT $%d OFFSET $%d
+	`, whereClause, argCount, argCount+1)
+
+	args = append(args, filter.PerPage, offset)
+
+	rows, err := r.db.QueryContext(ctx, query, args...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query policy violations: %w", err)
+	}
+	defer rows.Close()
+
+	var violations []*domain.PolicyViolation
+	for rows.Next() {
+		var v domain.PolicyViolation
+		if err := rows.Scan(&v.ID, &v.CertificateID, &v.RuleID, &v.Message,
+			&v.Severity, &v.CreatedAt); err != nil {
+			return nil, fmt.Errorf("failed to scan policy violation: %w", err)
+		}
+		violations = append(violations, &v)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating policy violation rows: %w", err)
+	}
+
+	return violations, nil
+}

internal/repository/postgres/target.go

@@ -0,0 +1,171 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// TargetRepository implements repository.TargetRepository
+type TargetRepository struct {
+	db *sql.DB
+}
+
+// NewTargetRepository creates a new TargetRepository
+func NewTargetRepository(db *sql.DB) *TargetRepository {
+	return &TargetRepository{db: db}
+}
+
+// List returns all targets
+func (r *TargetRepository) List(ctx context.Context) ([]*domain.DeploymentTarget, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, name, type, agent_id, config, enabled, created_at, updated_at
+		FROM deployment_targets
+		ORDER BY created_at DESC
+	`)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query targets: %w", err)
+	}
+	defer rows.Close()
+
+	var targets []*domain.DeploymentTarget
+	for rows.Next() {
+		var target domain.DeploymentTarget
+		if err := rows.Scan(&target.ID, &target.Name, &target.Type, &target.AgentID,
+			&target.Config, &target.Enabled, &target.CreatedAt, &target.UpdatedAt); err != nil {
+			return nil, fmt.Errorf("failed to scan target: %w", err)
+		}
+		targets = append(targets, &target)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating target rows: %w", err)
+	}
+
+	return targets, nil
+}
+
+// Get retrieves a target by ID
+func (r *TargetRepository) Get(ctx context.Context, id string) (*domain.DeploymentTarget, error) {
+	var target domain.DeploymentTarget
+	err := r.db.QueryRowContext(ctx, `
+		SELECT id, name, type, agent_id, config, enabled, created_at, updated_at
+		FROM deployment_targets
+		WHERE id = $1
+	`, id).Scan(&target.ID, &target.Name, &target.Type, &target.AgentID,
+		&target.Config, &target.Enabled, &target.CreatedAt, &target.UpdatedAt)
+
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, fmt.Errorf("target not found")
+		}
+		return nil, fmt.Errorf("failed to query target: %w", err)
+	}
+
+	return &target, nil
+}
+
+// Create stores a new target
+func (r *TargetRepository) Create(ctx context.Context, target *domain.DeploymentTarget) error {
+	if target.ID == "" {
+		target.ID = uuid.New().String()
+	}
+
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO deployment_targets (id, name, type, agent_id, config, enabled, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+		RETURNING id
+	`, target.ID, target.Name, target.Type, target.AgentID, target.Config, target.Enabled,
+		target.CreatedAt, target.UpdatedAt).Scan(&target.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to create target: %w", err)
+	}
+
+	return nil
+}
+
+// Update modifies an existing target
+func (r *TargetRepository) Update(ctx context.Context, target *domain.DeploymentTarget) error {
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE deployment_targets SET
+			name = $1,
+			type = $2,
+			agent_id = $3,
+			config = $4,
+			enabled = $5,
+			updated_at = $6
+		WHERE id = $7
+	`, target.Name, target.Type, target.AgentID, target.Config, target.Enabled, target.UpdatedAt, target.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to update target: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("target not found")
+	}
+
+	return nil
+}
+
+// Delete removes a target
+func (r *TargetRepository) Delete(ctx context.Context, id string) error {
+	result, err := r.db.ExecContext(ctx, "DELETE FROM deployment_targets WHERE id = $1", id)
+
+	if err != nil {
+		return fmt.Errorf("failed to delete target: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("target not found")
+	}
+
+	return nil
+}
+
+// ListByCertificate returns all targets for a given certificate
+func (r *TargetRepository) ListByCertificate(ctx context.Context, certID string) ([]*domain.DeploymentTarget, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT dt.id, dt.name, dt.type, dt.agent_id, dt.config, dt.enabled, dt.created_at, dt.updated_at
+		FROM deployment_targets dt
+		INNER JOIN certificate_target_mappings ctm ON dt.id = ctm.target_id
+		WHERE ctm.certificate_id = $1
+		ORDER BY dt.created_at DESC
+	`, certID)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query targets for certificate: %w", err)
+	}
+	defer rows.Close()
+
+	var targets []*domain.DeploymentTarget
+	for rows.Next() {
+		var target domain.DeploymentTarget
+		if err := rows.Scan(&target.ID, &target.Name, &target.Type, &target.AgentID,
+			&target.Config, &target.Enabled, &target.CreatedAt, &target.UpdatedAt); err != nil {
+			return nil, fmt.Errorf("failed to scan target: %w", err)
+		}
+		targets = append(targets, &target)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating target rows: %w", err)
+	}
+
+	return targets, nil
+}

internal/repository/postgres/team.go

@@ -0,0 +1,135 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// TeamRepository implements repository.TeamRepository
+type TeamRepository struct {
+	db *sql.DB
+}
+
+// NewTeamRepository creates a new TeamRepository
+func NewTeamRepository(db *sql.DB) *TeamRepository {
+	return &TeamRepository{db: db}
+}
+
+// List returns all teams
+func (r *TeamRepository) List(ctx context.Context) ([]*domain.Team, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, name, description, created_at, updated_at
+		FROM teams
+		ORDER BY created_at DESC
+	`)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to query teams: %w", err)
+	}
+	defer rows.Close()
+
+	var teams []*domain.Team
+	for rows.Next() {
+		var team domain.Team
+		if err := rows.Scan(&team.ID, &team.Name, &team.Description,
+			&team.CreatedAt, &team.UpdatedAt); err != nil {
+			return nil, fmt.Errorf("failed to scan team: %w", err)
+		}
+		teams = append(teams, &team)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating team rows: %w", err)
+	}
+
+	return teams, nil
+}
+
+// Get retrieves a team by ID
+func (r *TeamRepository) Get(ctx context.Context, id string) (*domain.Team, error) {
+	var team domain.Team
+	err := r.db.QueryRowContext(ctx, `
+		SELECT id, name, description, created_at, updated_at
+		FROM teams
+		WHERE id = $1
+	`, id).Scan(&team.ID, &team.Name, &team.Description,
+		&team.CreatedAt, &team.UpdatedAt)
+
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, fmt.Errorf("team not found")
+		}
+		return nil, fmt.Errorf("failed to query team: %w", err)
+	}
+
+	return &team, nil
+}
+
+// Create stores a new team
+func (r *TeamRepository) Create(ctx context.Context, team *domain.Team) error {
+	if team.ID == "" {
+		team.ID = uuid.New().String()
+	}
+
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO teams (id, name, description, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5)
+		RETURNING id
+	`, team.ID, team.Name, team.Description, team.CreatedAt, team.UpdatedAt).Scan(&team.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to create team: %w", err)
+	}
+
+	return nil
+}
+
+// Update modifies an existing team
+func (r *TeamRepository) Update(ctx context.Context, team *domain.Team) error {
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE teams SET
+			name = $1,
+			description = $2,
+			updated_at = $3
+		WHERE id = $4
+	`, team.Name, team.Description, team.UpdatedAt, team.ID)
+
+	if err != nil {
+		return fmt.Errorf("failed to update team: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("team not found")
+	}
+
+	return nil
+}
+
+// Delete removes a team
+func (r *TeamRepository) Delete(ctx context.Context, id string) error {
+	result, err := r.db.ExecContext(ctx, "DELETE FROM teams WHERE id = $1", id)
+
+	if err != nil {
+		return fmt.Errorf("failed to delete team: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("team not found")
+	}
+
+	return nil
+}

internal/service/audit.go

@@ -108,3 +108,54 @@ func (s *AuditService) ListByAction(ctx context.Context, action string, from, to
 
 	return filtered, nil
 }
+
+// ListAuditEvents returns paginated audit events (handler interface method).
+func (s *AuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	filter := &repository.AuditFilter{
+		Offset:  int64((page - 1) * perPage),
+		PerPage: int64(perPage),
+	}
+
+	events, err := s.auditRepo.List(context.Background(), filter)
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list audit events: %w", err)
+	}
+
+	// Convert pointers to values for the handler interface
+	var result []domain.AuditEvent
+	for _, e := range events {
+		if e != nil {
+			result = append(result, *e)
+		}
+	}
+
+	// TODO: Get total count from repository
+	total := int64(len(result))
+
+	return result, total, nil
+}
+
+// GetAuditEvent returns a single audit event (handler interface method).
+func (s *AuditService) GetAuditEvent(id string) (*domain.AuditEvent, error) {
+	filter := &repository.AuditFilter{
+		ID: id,
+	}
+
+	events, err := s.auditRepo.List(context.Background(), filter)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get audit event: %w", err)
+	}
+
+	if len(events) == 0 {
+		return nil, fmt.Errorf("audit event not found")
+	}
+
+	return events[0], nil
+}

internal/service/audit.go.4445065566393902048

@@ -0,0 +1,161 @@
+package service
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
+)
+
+// AuditService provides business logic for recording and retrieving audit events.
+type AuditService struct {
+	auditRepo repository.AuditRepository
+}
+
+// NewAuditService creates a new audit service.
+func NewAuditService(auditRepo repository.AuditRepository) *AuditService {
+	return &AuditService{
+		auditRepo: auditRepo,
+	}
+}
+
+// RecordEvent records an audit event with actor, action, and resource information.
+func (s *AuditService) RecordEvent(ctx context.Context, actor string, actorType domain.ActorType, action string, resourceType string, resourceID string, details map[string]interface{}) error {
+	detailsJSON, err := json.Marshal(details)
+	if err != nil {
+		detailsJSON = []byte("{}")
+	}
+
+	event := &domain.AuditEvent{
+		ID:           generateID("audit"),
+		Timestamp:    time.Now(),
+		Actor:        actor,
+		ActorType:    actorType,
+		Action:       action,
+		ResourceType: resourceType,
+		ResourceID:   resourceID,
+		Details:      json.RawMessage(detailsJSON),
+	}
+
+	if err := s.auditRepo.Create(ctx, event); err != nil {
+		return fmt.Errorf("failed to record audit event: %w", err)
+	}
+
+	return nil
+}
+
+// List returns audit events matching filter criteria.
+func (s *AuditService) List(ctx context.Context, filter *repository.AuditFilter) ([]*domain.AuditEvent, error) {
+	events, err := s.auditRepo.List(ctx, filter)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list audit events: %w", err)
+	}
+	return events, nil
+}
+
+// ListByResource returns all audit events for a specific resource.
+func (s *AuditService) ListByResource(ctx context.Context, resourceType string, resourceID string) ([]*domain.AuditEvent, error) {
+	filter := &repository.AuditFilter{
+		ResourceType: resourceType,
+		ResourceID:   resourceID,
+		PerPage:      1000, // reasonable default for single resource
+	}
+
+	events, err := s.auditRepo.List(ctx, filter)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list audit events: %w", err)
+	}
+	return events, nil
+}
+
+// ListByActor returns all audit events for a specific actor.
+func (s *AuditService) ListByActor(ctx context.Context, actor string) ([]*domain.AuditEvent, error) {
+	filter := &repository.AuditFilter{
+		Actor:   actor,
+		PerPage: 1000,
+	}
+
+	events, err := s.auditRepo.List(ctx, filter)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list audit events: %w", err)
+	}
+	return events, nil
+}
+
+// ListByAction returns all audit events for a specific action type.
+func (s *AuditService) ListByAction(ctx context.Context, action string, from, to time.Time) ([]*domain.AuditEvent, error) {
+	filter := &repository.AuditFilter{
+		From:    from,
+		To:      to,
+		PerPage: 1000,
+	}
+
+	events, err := s.auditRepo.List(ctx, filter)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list audit events: %w", err)
+	}
+
+	// Filter by action on client side (repository may not filter by action directly)
+	var filtered []*domain.AuditEvent
+	for _, e := range events {
+		if e.Action == action {
+			filtered = append(filtered, e)
+		}
+	}
+
+	return filtered, nil
+}
+
+// ListAuditEvents returns paginated audit events (handler interface method).
+func (s *AuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	filter := &repository.AuditFilter{
+		Offset: int64((page - 1) * perPage),
+		PerPage: int64(perPage),
+	}
+
+	events, err := s.auditRepo.List(context.Background(), filter)
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list audit events: %w", err)
+	}
+
+	// Convert pointers to values for the handler interface
+	var result []domain.AuditEvent
+	for _, e := range events {
+		if e != nil {
+			result = append(result, *e)
+		}
+	}
+
+	// TODO: Get total count from repository
+	total := int64(len(result))
+
+	return result, total, nil
+}
+
+// GetAuditEvent returns a single audit event (handler interface method).
+func (s *AuditService) GetAuditEvent(id string) (*domain.AuditEvent, error) {
+	filter := &repository.AuditFilter{
+		ID: id,
+	}
+
+	events, err := s.auditRepo.List(context.Background(), filter)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get audit event: %w", err)
+	}
+
+	if len(events) == 0 {
+		return nil, fmt.Errorf("audit event not found")
+	}
+
+	return events[0], nil
+}

internal/service/issuer.go

@@ -0,0 +1,170 @@
+package service
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
+)
+
+// IssuerService provides business logic for certificate issuer management.
+type IssuerService struct {
+	issuerRepo   repository.IssuerRepository
+	auditService *AuditService
+}
+
+// NewIssuerService creates a new issuer service.
+func NewIssuerService(
+	issuerRepo repository.IssuerRepository,
+	auditService *AuditService,
+) *IssuerService {
+	return &IssuerService{
+		issuerRepo:   issuerRepo,
+		auditService: auditService,
+	}
+}
+
+// List returns a paginated list of issuers.
+func (s *IssuerService) List(ctx context.Context, page, perPage int) ([]*domain.Issuer, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	offset := int64((page - 1) * perPage)
+	issuers, total, err := s.issuerRepo.List(ctx, offset, int64(perPage))
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list issuers: %w", err)
+	}
+	return issuers, total, nil
+}
+
+// Get retrieves an issuer by ID.
+func (s *IssuerService) Get(ctx context.Context, id string) (*domain.Issuer, error) {
+	issuer, err := s.issuerRepo.Get(ctx, id)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get issuer %s: %w", id, err)
+	}
+	return issuer, nil
+}
+
+// Create validates and stores a new issuer.
+func (s *IssuerService) Create(ctx context.Context, issuer *domain.Issuer, actor string) error {
+	if issuer.Name == "" {
+		return fmt.Errorf("issuer name is required")
+	}
+
+	issuer.ID = generateID("issuer")
+	if err := s.issuerRepo.Create(ctx, issuer); err != nil {
+		return fmt.Errorf("failed to create issuer: %w", err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "create_issuer", "issuer", issuer.ID, nil)
+	}
+
+	return nil
+}
+
+// Update modifies an existing issuer.
+func (s *IssuerService) Update(ctx context.Context, id string, issuer *domain.Issuer, actor string) error {
+	if issuer.Name == "" {
+		return fmt.Errorf("issuer name is required")
+	}
+
+	issuer.ID = id
+	if err := s.issuerRepo.Update(ctx, issuer); err != nil {
+		return fmt.Errorf("failed to update issuer %s: %w", id, err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "update_issuer", "issuer", id, nil)
+	}
+
+	return nil
+}
+
+// Delete removes an issuer.
+func (s *IssuerService) Delete(ctx context.Context, id string, actor string) error {
+	if err := s.issuerRepo.Delete(ctx, id); err != nil {
+		return fmt.Errorf("failed to delete issuer %s: %w", id, err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "delete_issuer", "issuer", id, nil)
+	}
+
+	return nil
+}
+
+// TestConnection verifies the issuer connection.
+func (s *IssuerService) TestConnection(ctx context.Context, id string) error {
+	issuer, err := s.issuerRepo.Get(ctx, id)
+	if err != nil {
+		return fmt.Errorf("issuer not found: %w", err)
+	}
+
+	// TODO: Implement actual connection test based on issuer type
+	if issuer == nil {
+		return fmt.Errorf("issuer not found")
+	}
+
+	return nil
+}
+
+// ListIssuers returns paginated issuers (handler interface method).
+func (s *IssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	offset := int64((page - 1) * perPage)
+	issuers, total, err := s.issuerRepo.List(context.Background(), offset, int64(perPage))
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list issuers: %w", err)
+	}
+
+	// Convert pointers to values for the handler interface
+	var result []domain.Issuer
+	for _, i := range issuers {
+		if i != nil {
+			result = append(result, *i)
+		}
+	}
+
+	return result, total, nil
+}
+
+// GetIssuer returns a single issuer (handler interface method).
+func (s *IssuerService) GetIssuer(id string) (*domain.Issuer, error) {
+	return s.issuerRepo.Get(context.Background(), id)
+}
+
+// CreateIssuer creates a new issuer (handler interface method).
+func (s *IssuerService) CreateIssuer(issuer domain.Issuer) (*domain.Issuer, error) {
+	issuer.ID = generateID("issuer")
+	if err := s.issuerRepo.Create(context.Background(), &issuer); err != nil {
+		return nil, fmt.Errorf("failed to create issuer: %w", err)
+	}
+	return &issuer, nil
+}
+
+// UpdateIssuer modifies an issuer (handler interface method).
+func (s *IssuerService) UpdateIssuer(id string, issuer domain.Issuer) (*domain.Issuer, error) {
+	issuer.ID = id
+	if err := s.issuerRepo.Update(context.Background(), &issuer); err != nil {
+		return nil, fmt.Errorf("failed to update issuer: %w", err)
+	}
+	return &issuer, nil
+}
+
+// DeleteIssuer removes an issuer (handler interface method).
+func (s *IssuerService) DeleteIssuer(id string) error {
+	return s.issuerRepo.Delete(context.Background(), id)
+}

internal/service/issuer.go.4749230034325506546

@@ -0,0 +1,116 @@
+package service
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
+)
+
+// IssuerService provides business logic for certificate issuer management.
+type IssuerService struct {
+	issuerRepo repository.IssuerRepository
+	auditService *AuditService
+}
+
+// NewIssuerService creates a new issuer service.
+func NewIssuerService(
+	issuerRepo repository.IssuerRepository,
+	auditService *AuditService,
+) *IssuerService {
+	return &IssuerService{
+		issuerRepo: issuerRepo,
+		auditService: auditService,
+	}
+}
+
+// List returns a paginated list of issuers.
+func (s *IssuerService) List(ctx context.Context, page, perPage int) ([]*domain.Issuer, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	offset := int64((page - 1) * perPage)
+	issuers, total, err := s.issuerRepo.List(ctx, offset, int64(perPage))
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list issuers: %w", err)
+	}
+	return issuers, total, nil
+}
+
+// Get retrieves an issuer by ID.
+func (s *IssuerService) Get(ctx context.Context, id string) (*domain.Issuer, error) {
+	issuer, err := s.issuerRepo.Get(ctx, id)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get issuer %s: %w", id, err)
+	}
+	return issuer, nil
+}
+
+// Create validates and stores a new issuer.
+func (s *IssuerService) Create(ctx context.Context, issuer *domain.Issuer, actor string) error {
+	if issuer.Name == "" {
+		return fmt.Errorf("issuer name is required")
+	}
+
+	issuer.ID = generateID("issuer")
+	if err := s.issuerRepo.Create(ctx, issuer); err != nil {
+		return fmt.Errorf("failed to create issuer: %w", err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "create_issuer", "issuer", issuer.ID, nil)
+	}
+
+	return nil
+}
+
+// Update modifies an existing issuer.
+func (s *IssuerService) Update(ctx context.Context, id string, issuer *domain.Issuer, actor string) error {
+	if issuer.Name == "" {
+		return fmt.Errorf("issuer name is required")
+	}
+
+	issuer.ID = id
+	if err := s.issuerRepo.Update(ctx, issuer); err != nil {
+		return fmt.Errorf("failed to update issuer %s: %w", id, err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "update_issuer", "issuer", id, nil)
+	}
+
+	return nil
+}
+
+// Delete removes an issuer.
+func (s *IssuerService) Delete(ctx context.Context, id string, actor string) error {
+	if err := s.issuerRepo.Delete(ctx, id); err != nil {
+		return fmt.Errorf("failed to delete issuer %s: %w", id, err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "delete_issuer", "issuer", id, nil)
+	}
+
+	return nil
+}
+
+// TestConnection verifies the issuer connection.
+func (s *IssuerService) TestConnection(ctx context.Context, id string) error {
+	issuer, err := s.issuerRepo.Get(ctx, id)
+	if err != nil {
+		return fmt.Errorf("issuer not found: %w", err)
+	}
+
+	// TODO: Implement actual connection test based on issuer type
+	if issuer == nil {
+		return fmt.Errorf("issuer not found")
+	}
+
+	return nil
+}

internal/service/owner.go

@@ -0,0 +1,155 @@
+package service
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
+)
+
+// OwnerService provides business logic for certificate owner management.
+type OwnerService struct {
+	ownerRepo    repository.OwnerRepository
+	auditService *AuditService
+}
+
+// NewOwnerService creates a new owner service.
+func NewOwnerService(
+	ownerRepo repository.OwnerRepository,
+	auditService *AuditService,
+) *OwnerService {
+	return &OwnerService{
+		ownerRepo:    ownerRepo,
+		auditService: auditService,
+	}
+}
+
+// List returns a paginated list of owners.
+func (s *OwnerService) List(ctx context.Context, page, perPage int) ([]*domain.Owner, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	offset := int64((page - 1) * perPage)
+	owners, total, err := s.ownerRepo.List(ctx, offset, int64(perPage))
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list owners: %w", err)
+	}
+	return owners, total, nil
+}
+
+// Get retrieves an owner by ID.
+func (s *OwnerService) Get(ctx context.Context, id string) (*domain.Owner, error) {
+	owner, err := s.ownerRepo.Get(ctx, id)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get owner %s: %w", id, err)
+	}
+	return owner, nil
+}
+
+// Create validates and stores a new owner.
+func (s *OwnerService) Create(ctx context.Context, owner *domain.Owner, actor string) error {
+	if owner.Name == "" {
+		return fmt.Errorf("owner name is required")
+	}
+
+	owner.ID = generateID("owner")
+	if err := s.ownerRepo.Create(ctx, owner); err != nil {
+		return fmt.Errorf("failed to create owner: %w", err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "create_owner", "owner", owner.ID, nil)
+	}
+
+	return nil
+}
+
+// Update modifies an existing owner.
+func (s *OwnerService) Update(ctx context.Context, id string, owner *domain.Owner, actor string) error {
+	if owner.Name == "" {
+		return fmt.Errorf("owner name is required")
+	}
+
+	owner.ID = id
+	if err := s.ownerRepo.Update(ctx, owner); err != nil {
+		return fmt.Errorf("failed to update owner %s: %w", id, err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "update_owner", "owner", id, nil)
+	}
+
+	return nil
+}
+
+// Delete removes an owner.
+func (s *OwnerService) Delete(ctx context.Context, id string, actor string) error {
+	if err := s.ownerRepo.Delete(ctx, id); err != nil {
+		return fmt.Errorf("failed to delete owner %s: %w", id, err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "delete_owner", "owner", id, nil)
+	}
+
+	return nil
+}
+
+// ListOwners returns paginated owners (handler interface method).
+func (s *OwnerService) ListOwners(page, perPage int) ([]domain.Owner, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	offset := int64((page - 1) * perPage)
+	owners, total, err := s.ownerRepo.List(context.Background(), offset, int64(perPage))
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list owners: %w", err)
+	}
+
+	// Convert pointers to values for the handler interface
+	var result []domain.Owner
+	for _, o := range owners {
+		if o != nil {
+			result = append(result, *o)
+		}
+	}
+
+	return result, total, nil
+}
+
+// GetOwner returns a single owner (handler interface method).
+func (s *OwnerService) GetOwner(id string) (*domain.Owner, error) {
+	return s.ownerRepo.Get(context.Background(), id)
+}
+
+// CreateOwner creates a new owner (handler interface method).
+func (s *OwnerService) CreateOwner(owner domain.Owner) (*domain.Owner, error) {
+	owner.ID = generateID("owner")
+	if err := s.ownerRepo.Create(context.Background(), &owner); err != nil {
+		return nil, fmt.Errorf("failed to create owner: %w", err)
+	}
+	return &owner, nil
+}
+
+// UpdateOwner modifies an owner (handler interface method).
+func (s *OwnerService) UpdateOwner(id string, owner domain.Owner) (*domain.Owner, error) {
+	owner.ID = id
+	if err := s.ownerRepo.Update(context.Background(), &owner); err != nil {
+		return nil, fmt.Errorf("failed to update owner: %w", err)
+	}
+	return &owner, nil
+}
+
+// DeleteOwner removes an owner (handler interface method).
+func (s *OwnerService) DeleteOwner(id string) error {
+	return s.ownerRepo.Delete(context.Background(), id)
+}

internal/service/target.go

@@ -0,0 +1,155 @@
+package service
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
+)
+
+// TargetService provides business logic for deployment target management.
+type TargetService struct {
+	targetRepo   repository.TargetRepository
+	auditService *AuditService
+}
+
+// NewTargetService creates a new target service.
+func NewTargetService(
+	targetRepo repository.TargetRepository,
+	auditService *AuditService,
+) *TargetService {
+	return &TargetService{
+		targetRepo:   targetRepo,
+		auditService: auditService,
+	}
+}
+
+// List returns a paginated list of deployment targets.
+func (s *TargetService) List(ctx context.Context, page, perPage int) ([]*domain.DeploymentTarget, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	offset := int64((page - 1) * perPage)
+	targets, total, err := s.targetRepo.List(ctx, offset, int64(perPage))
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list targets: %w", err)
+	}
+	return targets, total, nil
+}
+
+// Get retrieves a deployment target by ID.
+func (s *TargetService) Get(ctx context.Context, id string) (*domain.DeploymentTarget, error) {
+	target, err := s.targetRepo.Get(ctx, id)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get target %s: %w", id, err)
+	}
+	return target, nil
+}
+
+// Create validates and stores a new deployment target.
+func (s *TargetService) Create(ctx context.Context, target *domain.DeploymentTarget, actor string) error {
+	if target.Name == "" {
+		return fmt.Errorf("target name is required")
+	}
+
+	target.ID = generateID("target")
+	if err := s.targetRepo.Create(ctx, target); err != nil {
+		return fmt.Errorf("failed to create target: %w", err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "create_target", "target", target.ID, nil)
+	}
+
+	return nil
+}
+
+// Update modifies an existing deployment target.
+func (s *TargetService) Update(ctx context.Context, id string, target *domain.DeploymentTarget, actor string) error {
+	if target.Name == "" {
+		return fmt.Errorf("target name is required")
+	}
+
+	target.ID = id
+	if err := s.targetRepo.Update(ctx, target); err != nil {
+		return fmt.Errorf("failed to update target %s: %w", id, err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "update_target", "target", id, nil)
+	}
+
+	return nil
+}
+
+// Delete removes a deployment target.
+func (s *TargetService) Delete(ctx context.Context, id string, actor string) error {
+	if err := s.targetRepo.Delete(ctx, id); err != nil {
+		return fmt.Errorf("failed to delete target %s: %w", id, err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "delete_target", "target", id, nil)
+	}
+
+	return nil
+}
+
+// ListTargets returns paginated targets (handler interface method).
+func (s *TargetService) ListTargets(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	offset := int64((page - 1) * perPage)
+	targets, total, err := s.targetRepo.List(context.Background(), offset, int64(perPage))
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list targets: %w", err)
+	}
+
+	// Convert pointers to values for the handler interface
+	var result []domain.DeploymentTarget
+	for _, t := range targets {
+		if t != nil {
+			result = append(result, *t)
+		}
+	}
+
+	return result, total, nil
+}
+
+// GetTarget returns a single target (handler interface method).
+func (s *TargetService) GetTarget(id string) (*domain.DeploymentTarget, error) {
+	return s.targetRepo.Get(context.Background(), id)
+}
+
+// CreateTarget creates a new target (handler interface method).
+func (s *TargetService) CreateTarget(target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+	target.ID = generateID("target")
+	if err := s.targetRepo.Create(context.Background(), &target); err != nil {
+		return nil, fmt.Errorf("failed to create target: %w", err)
+	}
+	return &target, nil
+}
+
+// UpdateTarget modifies a target (handler interface method).
+func (s *TargetService) UpdateTarget(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+	target.ID = id
+	if err := s.targetRepo.Update(context.Background(), &target); err != nil {
+		return nil, fmt.Errorf("failed to update target: %w", err)
+	}
+	return &target, nil
+}
+
+// DeleteTarget removes a target (handler interface method).
+func (s *TargetService) DeleteTarget(id string) error {
+	return s.targetRepo.Delete(context.Background(), id)
+}

internal/service/team.go

@@ -0,0 +1,155 @@
+package service
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
+)
+
+// TeamService provides business logic for team management.
+type TeamService struct {
+	teamRepo     repository.TeamRepository
+	auditService *AuditService
+}
+
+// NewTeamService creates a new team service.
+func NewTeamService(
+	teamRepo repository.TeamRepository,
+	auditService *AuditService,
+) *TeamService {
+	return &TeamService{
+		teamRepo:     teamRepo,
+		auditService: auditService,
+	}
+}
+
+// List returns a paginated list of teams.
+func (s *TeamService) List(ctx context.Context, page, perPage int) ([]*domain.Team, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	offset := int64((page - 1) * perPage)
+	teams, total, err := s.teamRepo.List(ctx, offset, int64(perPage))
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list teams: %w", err)
+	}
+	return teams, total, nil
+}
+
+// Get retrieves a team by ID.
+func (s *TeamService) Get(ctx context.Context, id string) (*domain.Team, error) {
+	team, err := s.teamRepo.Get(ctx, id)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get team %s: %w", id, err)
+	}
+	return team, nil
+}
+
+// Create validates and stores a new team.
+func (s *TeamService) Create(ctx context.Context, team *domain.Team, actor string) error {
+	if team.Name == "" {
+		return fmt.Errorf("team name is required")
+	}
+
+	team.ID = generateID("team")
+	if err := s.teamRepo.Create(ctx, team); err != nil {
+		return fmt.Errorf("failed to create team: %w", err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "create_team", "team", team.ID, nil)
+	}
+
+	return nil
+}
+
+// Update modifies an existing team.
+func (s *TeamService) Update(ctx context.Context, id string, team *domain.Team, actor string) error {
+	if team.Name == "" {
+		return fmt.Errorf("team name is required")
+	}
+
+	team.ID = id
+	if err := s.teamRepo.Update(ctx, team); err != nil {
+		return fmt.Errorf("failed to update team %s: %w", id, err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "update_team", "team", id, nil)
+	}
+
+	return nil
+}
+
+// Delete removes a team.
+func (s *TeamService) Delete(ctx context.Context, id string, actor string) error {
+	if err := s.teamRepo.Delete(ctx, id); err != nil {
+		return fmt.Errorf("failed to delete team %s: %w", id, err)
+	}
+
+	if s.auditService != nil {
+		_ = s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "delete_team", "team", id, nil)
+	}
+
+	return nil
+}
+
+// ListTeams returns paginated teams (handler interface method).
+func (s *TeamService) ListTeams(page, perPage int) ([]domain.Team, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	offset := int64((page - 1) * perPage)
+	teams, total, err := s.teamRepo.List(context.Background(), offset, int64(perPage))
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list teams: %w", err)
+	}
+
+	// Convert pointers to values for the handler interface
+	var result []domain.Team
+	for _, t := range teams {
+		if t != nil {
+			result = append(result, *t)
+		}
+	}
+
+	return result, total, nil
+}
+
+// GetTeam returns a single team (handler interface method).
+func (s *TeamService) GetTeam(id string) (*domain.Team, error) {
+	return s.teamRepo.Get(context.Background(), id)
+}
+
+// CreateTeam creates a new team (handler interface method).
+func (s *TeamService) CreateTeam(team domain.Team) (*domain.Team, error) {
+	team.ID = generateID("team")
+	if err := s.teamRepo.Create(context.Background(), &team); err != nil {
+		return nil, fmt.Errorf("failed to create team: %w", err)
+	}
+	return &team, nil
+}
+
+// UpdateTeam modifies a team (handler interface method).
+func (s *TeamService) UpdateTeam(id string, team domain.Team) (*domain.Team, error) {
+	team.ID = id
+	if err := s.teamRepo.Update(context.Background(), &team); err != nil {
+		return nil, fmt.Errorf("failed to update team: %w", err)
+	}
+	return &team, nil
+}
+
+// DeleteTeam removes a team (handler interface method).
+func (s *TeamService) DeleteTeam(id string) error {
+	return s.teamRepo.Delete(context.Background(), id)
+}