fix(web,ci): close TS↔Go type drift across 5 entities (D-2 master)

Closes five 2026-04-24 audit findings (all P2, all category cat-f /
diff-05x06-*) by reconciling the TypeScript interfaces in
web/src/api/types.ts with the on-wire JSON shape Go's
internal/domain/*.go structs actually emit. D-1 closed the same pattern
for one entity (Certificate / ManagedCertificate); D-2 covers the
remaining five.

Per-entity verdicts (audit's "stricter side is the contract"):

  Agent       — TRIM 5 phantoms (last_heartbeat, capabilities, tags,
                created_at, updated_at). Go emits last_heartbeat_at only.
  Target      — ADD 2 (retired_at?, retired_reason?) — I-004 fields.
  DiscCert    — ADD pem_data? — real field, real Go emit, omitempty.
  Issuer      — TRIM phantom status. Go has Enabled bool only.
  Notif       — TRIM phantom subject. Go has Message string only.
  Certificate — verify-only; D-1 closure confirmed clean at recon.

Consumer fixes (same commit as the trim):
- AgentDetailPage.tsx — remove dead Capabilities + Tags sections (always
  rendered empty); replace agent.created_at/updated_at row with the
  Go-emitted registered_at; widen heartbeatStatus() to accept undefined.
- AgentsPage.tsx — same heartbeatStatus widening.
- IssuersPage.tsx + IssuerDetailPage.tsx — issuerStatus() now derives
  from `enabled` exclusively; the dead `issuer.status || 'Unknown'`
  fallback is gone.
- NotificationsPage.tsx — drop dead `|| n.subject` fallback.
- NotificationsPage.test.tsx — drop dead `subject:` from mocks.
- api/utils.ts::timeAgo widened to accept string | undefined | null.
- api/types.test.ts — Agent (I-004) fixture trimmed of the 5 phantoms.

Tests (Vitest):
- 5 new describe blocks in web/src/api/types.test.ts:
  - Agent interface (D-2 phantom-fields trim) — 2 it blocks
  - Target interface (D-2 retirement fields) — 2 it blocks
  - DiscoveredCertificate interface (D-2 pem_data ADD) — 2 it blocks
  - Issuer interface (D-2 status phantom trim) — 1 it block
  - Notification interface (D-2 subject phantom trim) — 1 it block
- Each block uses the literal-construction pattern from D-1; trimmed
  fields are pinned via excess-property comments that compile-fail when
  uncommented if a phantom is reintroduced.

CI regression guardrail:
- .github/workflows/ci.yml — existing D-1 step renamed to "Forbidden
  StatusBadge dead-key + TS phantom-field regression guard (D-1 + D-2)".
  Three new awk-windowed greps over Agent / Issuer / Notification
  interfaces in types.ts. The Agent grep includes a `grep -v
  'last_heartbeat_at'` filter to avoid false positives on the
  legitimate Go-emitted heartbeat field.

Documentation:
- CHANGELOG.md — new D-2 section above B-1 under [unreleased] with full
  Added/Removed/Audit findings closed/Known follow-ups breakdown.
- docs/architecture.md — Web Dashboard section gains a new "TS ↔ Go
  type contract rule (D-1 + D-2 closure)" paragraph capturing the
  stricter-side-wins rule and the CI guardrail it's anchored by.
- coverage-gap-audit-2026-04-24-v5/unified-audit.md — Live Tracker score
  20/47 → 25/47 (P2: 6/27 → 11/27). Per-finding ✅ RESOLVED Status
  blocks added to all 5 diff-05x06-* entries plus the verify-only
  Certificate entry. Closed-bundle index gets D-2 row.

Verification (all gates green):
- cd web && tsc --noEmit                 → clean
- cd web && vitest run --reporter=dot    → 9 files, 302 tests passing
                                            (was 294 → +8 D-2 cases)
- cd web && vite build                   → clean
- go vet ./internal/... ./cmd/...        → clean (no Go touched)
- golangci-lint v2.11.4 run ./...        → 0 issues
- D-2 Agent guardrail dry-run            → empty (good)
- D-2 Issuer guardrail dry-run           → empty (good)
- D-2 Notification guardrail dry-run     → empty (good)
- D-2 Target ADD-shape sanity            → 2 retirement fields present
- D-2 DiscCert ADD-shape sanity          → pem_data present
- D-1 Certificate guardrail still clean  → empty (good)
- OpenAPI YAML parses                    → 89 paths

Audit findings closed:
- diff-05x06-7cdf4e78ae24 (P2, Agent TS↔Go drift)
- diff-05x06-2044a46f4dd0 (P2, Target TS↔DeploymentTarget Go drift)
- diff-05x06-85ab6b98a2f7 (P2, DiscoveredCertificate TS↔Go drift)
- diff-05x06-97fab8783a5c (P2, Issuer TS↔Go drift)
- diff-05x06-caba9eb3620e (P2, Notification TS↔NotificationEvent drift)
- diff-05x06-af18a8d7ef41 (P2) — verified clean since D-1; no edit

Deferred follow-ups:
- Issuer richer status view (enabled × test_status) — UX scope, not drift.
- Real Agent metadata (capabilities, tags) — backend feature, not drift.
- DiscoveredCertificate pem_data list-response perf — separate backend change.

web/src/pages/AgentDetailPage.tsx

@@ -15,7 +15,12 @@ function InfoRow({ label, value }: { label: string; value: React.ReactNode }) {
   );
 }
 
-function heartbeatStatus(lastHeartbeat: string): string {
+// D-2 (master): the `lastHeartbeat` parameter accepts undefined because
+// the Go-side struct emits `last_heartbeat_at` as `omitempty` (a never-
+// heartbeated agent omits the field entirely). Pre-D-2 the TS interface
+// declared the field as required, masking this case. Post-D-2 the empty
+// case is explicit at both the type level and the function signature.
+function heartbeatStatus(lastHeartbeat: string | undefined): string {
   if (!lastHeartbeat) return 'Offline';
   const ago = Date.now() - new Date(lastHeartbeat).getTime();
   if (ago < 5 * 60 * 1000) return 'Online';
@@ -89,8 +94,15 @@ export default function AgentDetailPage() {
                 </span>
               ) : '—'
             } />
-            <InfoRow label="Registered" value={formatDateTime(agent.created_at)} />
-            <InfoRow label="Updated" value={formatDateTime(agent.updated_at)} />
+            {/* D-2 (master): pre-D-2 these rows used `agent.created_at`
+                + `agent.updated_at` — TS phantoms that the Go-side
+                struct (`internal/domain/connector.go::Agent`) never
+                emitted. The "Registered" row now reads from the real
+                Go-emitted `registered_at` field; the "Updated" row is
+                dropped because the Go struct has no equivalent
+                update-timestamp on Agent (heartbeats are tracked via
+                `last_heartbeat_at` above). */}
+            <InfoRow label="Registered" value={formatDateTime(agent.registered_at)} />
           </div>
 
           {/* System Info */}
@@ -100,26 +112,17 @@ export default function AgentDetailPage() {
             <InfoRow label="Architecture" value={agent.architecture || '—'} />
             <InfoRow label="IP Address" value={<span className="font-mono text-xs">{agent.ip_address || '—'}</span>} />
             <InfoRow label="Agent Version" value={agent.version || '—'} />
-            {agent.capabilities?.length ? (
-              <div className="mt-4">
-                <p className="text-xs text-ink-muted mb-2">Capabilities</p>
-                <div className="flex flex-wrap gap-2">
-                  {agent.capabilities.map((c) => (
-                    <span key={c} className="badge badge-info">{c}</span>
-                  ))}
-                </div>
-              </div>
-            ) : null}
-            {agent.tags && Object.keys(agent.tags).length > 0 ? (
-              <div className="mt-4">
-                <p className="text-xs text-ink-muted mb-2">Tags</p>
-                <div className="flex flex-wrap gap-2">
-                  {Object.entries(agent.tags).map(([k, v]) => (
-                    <span key={k} className="badge badge-neutral">{k}: {v}</span>
-                  ))}
-                </div>
-              </div>
-            ) : null}
+            {/* D-2 (master): the previous "Capabilities" + "Tags" sections
+                rendered `agent.capabilities` and `agent.tags`, both of
+                which were TS phantom fields the Go-side struct
+                (`internal/domain/connector.go::Agent`) never emitted.
+                Both sections always rendered as the empty-state fallback
+                (the `?.length ?` and `Object.keys(...).length > 0`
+                guards always evaluated false). Removed in D-2 master.
+                If/when the backend grows real Agent metadata fields
+                (capabilities advertised at heartbeat time, operator-
+                applied tags), re-introduce here in the same commit that
+                ships the Go-side change. */}
           </div>
         </div>
 

web/src/pages/AgentsPage.tsx

@@ -15,7 +15,12 @@ import ErrorState from '../components/ErrorState';
 import { timeAgo } from '../api/utils';
 import type { Agent, AgentDependencyCounts } from '../api/types';
 
-function heartbeatStatus(lastHeartbeat: string): string {
+// D-2 (master): the `lastHeartbeat` parameter accepts undefined because
+// the Go-side struct emits `last_heartbeat_at` as `omitempty` (never-
+// heartbeated agents omit the field). Mirror of the same helper in
+// AgentDetailPage.tsx — kept as twin definitions to avoid a shared-
+// helper PR detour during D-2; consolidate in a follow-up if desired.
+function heartbeatStatus(lastHeartbeat: string | undefined): string {
   if (!lastHeartbeat) return 'Offline';
   const ago = Date.now() - new Date(lastHeartbeat).getTime();
   if (ago < 5 * 60 * 1000) return 'Online';

web/src/pages/IssuerDetailPage.tsx

@@ -19,12 +19,15 @@ function InfoRow({ label, value }: { label: string; value: React.ReactNode }) {
   );
 }
 
-/** Derive display status from backend enabled boolean */
+// Derive display status from backend `enabled` boolean.
+//
+// D-2 (diff-05x06-97fab8783a5c, master): pre-D-2 the fall-through here
+// was `issuer.status || 'Unknown'`, but `Issuer.status` was a TS phantom
+// the Go-side struct never emitted (see types.ts::Issuer docblock for the
+// full closure rationale). Post-D-2 the phantom is gone; this function
+// derives the displayed status from `enabled` exclusively.
 function issuerStatus(issuer: Issuer): string {
-  if (issuer.enabled !== undefined) {
-    return issuer.enabled ? 'Enabled' : 'Disabled';
-  }
-  return issuer.status || 'Unknown';
+  return issuer.enabled ? 'Enabled' : 'Disabled';
 }
 
 export default function IssuerDetailPage() {

web/src/pages/IssuersPage.tsx

@@ -14,13 +14,19 @@ import TypeSelector from '../components/issuer/TypeSelector';
 import ConfigForm from '../components/issuer/ConfigForm';
 import ConfigDetailModal from '../components/issuer/ConfigDetailModal';
 
-/** Derive display status from backend enabled boolean */
+// Derive display status from backend `enabled` boolean.
+//
+// D-2 (diff-05x06-97fab8783a5c, master): pre-D-2 the fall-through chain
+// here was `issuer.status || 'Unknown'`, which always rendered 'Unknown'
+// because the Go-side struct never emitted a `status` field — the TS
+// interface comment claimed status was "derived from enabled" but no
+// derivation existed. Post-D-2 the phantom `Issuer.status` is gone and
+// this function is the canonical derivation site. `enabled` is a
+// required boolean on Go's Issuer struct so the `!== undefined` guard
+// is now belt-and-suspenders rather than load-bearing, but kept for
+// defensive rendering against malformed responses.
 function issuerStatus(issuer: Issuer): string {
-  if (issuer.enabled !== undefined) {
-    return issuer.enabled ? 'Enabled' : 'Disabled';
-  }
-  // Fallback for legacy data that may have status string
-  return issuer.status || 'Unknown';
+  return issuer.enabled ? 'Enabled' : 'Disabled';
 }
 
 export default function IssuersPage() {

web/src/pages/NotificationsPage.test.tsx

@@ -50,12 +50,14 @@ function renderWithQuery(ui: ReactNode) {
   );
 }
 
+// D-2 (master): pre-D-2 these mocks set `subject:` — the field was a TS
+// phantom the Go-side struct never emitted. Post-D-2 the phantom is
+// removed from the Notification interface; the mocks no longer set it.
 const pendingNotif = {
   id: 'notif-001',
   type: 'ExpirationWarning',
   channel: 'Email',
   recipient: 'admin@example.com',
-  subject: 'Certificate expiring',
   message: 'Certificate expiring in 7 days',
   status: 'Pending',
   certificate_id: 'mc-prod-001',
@@ -67,7 +69,6 @@ const deadNotif = {
   type: 'ExpirationWarning',
   channel: 'Email',
   recipient: 'admin@example.com',
-  subject: 'Certificate expiring',
   message: 'Certificate expiring in 7 days',
   status: 'dead',
   certificate_id: 'mc-prod-001',

web/src/pages/NotificationsPage.tsx

@@ -238,7 +238,13 @@ function NotificationRow({
           <StatusBadge status={n.status} />
           <span className="text-xs text-ink-faint">{n.channel}</span>
         </div>
-        <p className="text-xs text-ink-muted truncate">{n.message || n.subject}</p>
+        {/* D-2 (master): pre-D-2 the fallback was `{n.message || n.subject}`,
+            but `subject` was a TS phantom the Go struct never emitted
+            (`internal/domain/notification.go::NotificationEvent` has only
+            `message`). The fallback always fell through to `message`
+            because `subject` was always undefined. Post-D-2 the dead
+            fallback is dropped along with the phantom field. */}
+        <p className="text-xs text-ink-muted truncate">{n.message}</p>
         {isDead && (
           <div className="flex items-center gap-3 mt-1 text-xs">
             <span className="text-ink-faint">