fix(scep-intune): close 11 audit gaps from 2026-04-29 pre-tag review

Closes the eleven gaps identified in the pre-v2.1.0 audit of the SCEP
RFC 8894 + Intune master bundle (cowork/scep-bundle-gap-closure-prompt.md).
Constitutional rule from cowork/CLAUDE.md::Operating Rules — 'Always
take the complete path, not the easy path' — drove this closure: each
gap was a load-bearing wire that crossed multiple layers (config →
validator → service wire-up → tests → docs) and shipping the bundle
without them would have produced lying-field footguns where operator-
visible config options stored values without affecting behavior.

WHAT LANDS:

Phase A — Clock-skew tolerance (master prompt §15 hazard closure)
  internal/scep/intune/challenge.go: ValidateChallenge migrated from
  positional args to ValidateOptions{} struct; new ClockSkewTolerance
  field with default 0 (strict). 24 call sites updated mechanically.
  Asymmetric application: now+tolerance >= iat AND now-tolerance < exp.
  internal/config/config.go: SCEPIntuneProfileConfig.ClockSkewTolerance
  default 60s + Validate() refusal when >= ChallengeValidity.
  cmd/server/main.go: SetIntuneIntegration signature extended;
  per-profile env-var loader honors CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CLOCK_SKEW_TOLERANCE.
  internal/service/scep.go: intuneClockSkew field + IntuneStatsSnapshot
  surfaces clock_skew_tolerance_ns. web/src/api/types.ts mirrors.
  4 new tests in challenge_test.go covering accept-within-tolerance,
  reject-beyond-tolerance, accept-expired-within-tolerance,
  negative-treated-as-zero defensive normalization.
  docs/scep-intune.md updated with the new env var + time-bounds rule.

Phase B — unknown-version-rejected golden test
  internal/scep/intune/golden_helper_test.go: goldenUnknownVersionPayload
  helper + signGoldenChallengeAny generic signer.
  challenge_golden_test.go: TestGoldenChallenge_UnknownVersionRejected
  uses an in-process ECDSA fixture (the on-disk PEM was generated with
  a Go-stdlib version that produces different ecdsa.GenerateKey bytes
  from the current call). TestRegenerateGoldenFixtures emits the new
  unknown_version fixture file too.

Phase C — Two named Intune e2e tests
  internal/api/handler/scep_intune_e2e_test.go:
    TestSCEPIntuneEnrollment_RateLimited_E2E (cap=2 + 3 attempts; 3rd
    returns FAILURE+badRequest with rate_limited counter ticked)
    TestSCEPIntuneEnrollment_TrustAnchorSIGHUPReload_E2E (rotate
    on-disk PEM + holder.Reload(); old-key challenge fails with
    badMessageCheck; signature_invalid counter ticked)
  intuneE2EFixture struct extended with trustHolder + trustPath fields
  so tests can rotate.

Phase D — Four new ChromeOS hermetic tests (10 total now)
  internal/api/handler/scep_chromeos_test.go:
    _RAKeyMismatch — PKIMessage encrypted to wrong RA cert; handler
      rejects without reaching service.
    _3DESBackwardCompat — RFC 8894 §3.5.2 legacy fallback verified.
    _RSACSR + _ECDSACSR — explicit matrix-pair pinning.
  buildTestECDSACSR helper for ECDSA P-256 CSR construction;
  tripleDESCBCEncrypt mirrors aesCBCEncrypt for 3DES-CBC;
  assertChromeOSPositiveCertRep shared assertion.

Phase E — Per-profile counter isolation test
  internal/api/handler/scep_profile_counter_isolation_test.go:
    TestSCEPHandler_PerProfileIntuneCountersIsolated wires two
    SCEPService instances + drives distinct PKIMessages + asserts
    counter isolation. Guards against a future cmd/server/main.go
    refactor that shares a *intuneCounterTab across profiles.
  buildPerProfileIntuneFixture parameterized helper.

Phase F — Server-boot regression tests
  cmd/server/preflight_scep_intune_test.go: 3 named tests covering
  disabled-backward-compat, broken-config-with-PathID, expired-cert
  refusal. preflightSCEPIntuneTrustAnchor signature extended with
  pathID arg so error messages carry PathID= for operator log-grep.

Phase G — docs/connectors.md
  Four new subsections under §EST/SCEP Integration: multi-profile
  dispatch + mTLS sibling route + Intune Connector dispatcher + SCEP
  probe in network scanner. Each has a one-paragraph operator
  explanation + an env-var or endpoint table.

Phase H — Coverage uplift
  internal/service/scep_probe_persist_test.go: 5 unit tests on
  persistProbeResult (nil-safe + nil-repo-safe + repo-error swallow +
  nil-logger guard) + ListRecentSCEPProbes (empty-slice-not-nil + repo
  pass-through) + describeCertAlgorithm (RSA/ECDSA/QF1008-nil-curve
  defensive branch/Ed25519/DSA/empty). CI gates (service ≥70, handler
  ≥75) PASS at 70.9% / 79.3%.

Phase I — deploy/test integration variant
  deploy/test/scep_intune_e2e_test.go (//go:build integration):
    TestSCEPIntuneEnrollment_Integration + _RateLimited_Integration
    against the live docker-compose certctl container. Skip-when-
    stack-missing semantics so sandbox + CI both work.
  deploy/docker-compose.test.yml: new e2eintune SCEP profile env
  vars + bind-mount of deploy/test/fixtures/.
  deploy/test/fixtures/README.md: documents the deterministic trust
  anchor regeneration recipe.

VERIFICATION (sandbox):
  gofmt -d        — clean for all changed files
  staticcheck     — clean for intune + handler + config + service +
                    cmd/server packages
  go vet          — clean for the same packages
  go test -short  — green for intune (95.3% cov), service (70.9%),
                    handler (79.3%), config (94.0%), cmd/server (boot
                    path; my preflight tests cover the directly-
                    testable function), pkcs7 (80.5% informational)

DEFERRED (per closure prompt §7 out-of-scope):
  - V3-Pro Conditional Access gating + Microsoft Graph integration
  - Standalone certctl-scan CLI binary
  - OCSP rate-limiting, OCSP stapling, delta CRLs

Spec preserved at cowork/scep-bundle-gap-closure-prompt.md;
journal at cowork/scep-rfc8894-intune/progress.md (audit-closure
section appended).

internal/service/scep.go

@@ -48,6 +48,7 @@ type SCEPService struct {
 	intuneTrust       *intune.TrustAnchorHolder // SIGHUP-reloadable trust pool
 	intuneAudience    string                    // expected "aud" claim; empty disables the check
 	intuneValidity    time.Duration             // optional override on top of the challenge's exp
+	intuneClockSkew   time.Duration             // ±tolerance applied to iat/exp; default 60s wired from config
 	intuneReplayCache *intune.ReplayCache       // nonce-keyed; catches duplicate submission
 	intuneRateLimiter *intune.PerDeviceRateLimiter
 	complianceCheck   ComplianceCheck   // V3-Pro plug-in seam; nil-default no-op
@@ -161,17 +162,18 @@ type IntuneTrustAnchorInfo struct {
 // GET endpoint hands back. SCEPService.IntuneStats() builds one of
 // these on demand under no contention with the dispatcher hot path.
 type IntuneStatsSnapshot struct {
-	PathID            string                  `json:"path_id"`
-	IssuerID          string                  `json:"issuer_id"`
-	Enabled           bool                    `json:"enabled"`
-	TrustAnchorPath   string                  `json:"trust_anchor_path,omitempty"`
-	TrustAnchors      []IntuneTrustAnchorInfo `json:"trust_anchors,omitempty"`
-	Audience          string                  `json:"audience,omitempty"`
-	ChallengeValidity time.Duration           `json:"challenge_validity_ns,omitempty"`
-	RateLimitDisabled bool                    `json:"rate_limit_disabled"`
-	ReplayCacheSize   int                     `json:"replay_cache_size"`
-	Counters          map[string]uint64       `json:"counters"`
-	GeneratedAt       time.Time               `json:"generated_at"`
+	PathID             string                  `json:"path_id"`
+	IssuerID           string                  `json:"issuer_id"`
+	Enabled            bool                    `json:"enabled"`
+	TrustAnchorPath    string                  `json:"trust_anchor_path,omitempty"`
+	TrustAnchors       []IntuneTrustAnchorInfo `json:"trust_anchors,omitempty"`
+	Audience           string                  `json:"audience,omitempty"`
+	ChallengeValidity  time.Duration           `json:"challenge_validity_ns,omitempty"`
+	ClockSkewTolerance time.Duration           `json:"clock_skew_tolerance_ns,omitempty"`
+	RateLimitDisabled  bool                    `json:"rate_limit_disabled"`
+	ReplayCacheSize    int                     `json:"replay_cache_size"`
+	Counters           map[string]uint64       `json:"counters"`
+	GeneratedAt        time.Time               `json:"generated_at"`
 }
 
 // SetPathID records the SCEP profile path ID this service instance
@@ -207,6 +209,7 @@ func (s *SCEPService) IntuneStats(now time.Time) IntuneStatsSnapshot {
 	}
 	out.Audience = s.intuneAudience
 	out.ChallengeValidity = s.intuneValidity
+	out.ClockSkewTolerance = s.intuneClockSkew
 	if s.intuneRateLimiter != nil {
 		out.RateLimitDisabled = s.intuneRateLimiter.Disabled()
 	}
@@ -315,13 +318,14 @@ type SCEPProfileStatsSnapshot struct {
 // minus the always-present per-profile ones (PathID, IssuerID,
 // GeneratedAt) which live on SCEPProfileStatsSnapshot.
 type IntuneSection struct {
-	TrustAnchorPath   string                  `json:"trust_anchor_path,omitempty"`
-	TrustAnchors      []IntuneTrustAnchorInfo `json:"trust_anchors,omitempty"`
-	Audience          string                  `json:"audience,omitempty"`
-	ChallengeValidity time.Duration           `json:"challenge_validity_ns,omitempty"`
-	RateLimitDisabled bool                    `json:"rate_limit_disabled"`
-	ReplayCacheSize   int                     `json:"replay_cache_size"`
-	Counters          map[string]uint64       `json:"counters"`
+	TrustAnchorPath    string                  `json:"trust_anchor_path,omitempty"`
+	TrustAnchors       []IntuneTrustAnchorInfo `json:"trust_anchors,omitempty"`
+	Audience           string                  `json:"audience,omitempty"`
+	ChallengeValidity  time.Duration           `json:"challenge_validity_ns,omitempty"`
+	ClockSkewTolerance time.Duration           `json:"clock_skew_tolerance_ns,omitempty"`
+	RateLimitDisabled  bool                    `json:"rate_limit_disabled"`
+	ReplayCacheSize    int                     `json:"replay_cache_size"`
+	Counters           map[string]uint64       `json:"counters"`
 }
 
 // ProfileStats returns the per-profile observability snapshot in the
@@ -352,9 +356,10 @@ func (s *SCEPService) ProfileStats(now time.Time) SCEPProfileStatsSnapshot {
 		return out
 	}
 	intuneSection := IntuneSection{
-		Audience:          s.intuneAudience,
-		ChallengeValidity: s.intuneValidity,
-		Counters:          s.intuneCounters.snapshot(),
+		Audience:           s.intuneAudience,
+		ChallengeValidity:  s.intuneValidity,
+		ClockSkewTolerance: s.intuneClockSkew,
+		Counters:           s.intuneCounters.snapshot(),
 	}
 	if s.intuneRateLimiter != nil {
 		intuneSection.RateLimitDisabled = s.intuneRateLimiter.Disabled()
@@ -446,6 +451,7 @@ func (s *SCEPService) SetIntuneIntegration(
 	trust *intune.TrustAnchorHolder,
 	audience string,
 	validity time.Duration,
+	clockSkew time.Duration,
 	replayCache *intune.ReplayCache,
 	rateLimiter *intune.PerDeviceRateLimiter,
 ) {
@@ -453,6 +459,7 @@ func (s *SCEPService) SetIntuneIntegration(
 	s.intuneTrust = trust
 	s.intuneAudience = audience
 	s.intuneValidity = validity
+	s.intuneClockSkew = clockSkew
 	s.intuneReplayCache = replayCache
 	s.intuneRateLimiter = rateLimiter
 	if s.intuneCounters == nil {
@@ -573,7 +580,12 @@ func (s *SCEPService) dispatchIntuneChallenge(ctx context.Context, csrPEM string
 	now := time.Now()
 	trust := s.intuneTrust.Get()
 
-	claim, err := intune.ValidateChallenge(challengePassword, trust, s.intuneAudience, now)
+	claim, err := intune.ValidateChallenge(challengePassword, intune.ValidateOptions{
+		Trust:              trust,
+		ExpectedAudience:   s.intuneAudience,
+		Now:                now,
+		ClockSkewTolerance: s.intuneClockSkew,
+	})
 	if err != nil {
 		s.logger.Warn("SCEP enrollment rejected: Intune challenge validation failed",
 			"transaction_id", transactionID, "reason", intuneFailReason(err), "error", err)

internal/service/scep_intune_test.go

@@ -171,6 +171,7 @@ func TestSCEPService_PKCSReq_IntuneDispatcher_Success(t *testing.T) {
 		holder,
 		"https://certctl.example.com/scep/corp",
 		60*time.Minute,
+		0, // ClockSkewTolerance — strict (no grace) keeps these tests deterministic
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
@@ -207,6 +208,7 @@ func TestSCEPService_PKCSReq_IntuneDispatcher_StaticChallengeStillWorks(t *testi
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"https://certctl.example.com/scep/corp",
 		60*time.Minute,
+		0, // ClockSkewTolerance — strict (no grace) keeps these tests deterministic
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
@@ -224,6 +226,7 @@ func TestSCEPService_PKCSReq_IntuneDispatcher_TamperedChallengeRejected(t *testi
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
+		0, // ClockSkewTolerance — strict (no grace) keeps these tests deterministic
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
@@ -252,6 +255,7 @@ func TestSCEPService_PKCSReq_IntuneDispatcher_ClaimMismatchRejected(t *testing.T
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
+		0, // ClockSkewTolerance — strict (no grace) keeps these tests deterministic
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
@@ -277,6 +281,7 @@ func TestSCEPService_PKCSReq_IntuneDispatcher_ReplayDetected(t *testing.T) {
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
+		0, // ClockSkewTolerance — strict (no grace) keeps these tests deterministic
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(0, 24*time.Hour, 100), // disable rate limit so we don't trip THAT first
 	)
@@ -300,6 +305,7 @@ func TestSCEPService_PKCSReq_IntuneDispatcher_RateLimited(t *testing.T) {
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
+		0, // ClockSkewTolerance — strict (no grace) keeps these tests deterministic
 		// Replay cache must not block us — use disjoint nonces per call.
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(2, 24*time.Hour, 100), // limit = 2
@@ -337,6 +343,7 @@ func TestSCEPService_PKCSReq_IntuneDispatcher_ComplianceHookNilDefault(t *testin
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
+		0, // ClockSkewTolerance — strict (no grace) keeps these tests deterministic
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
@@ -354,6 +361,7 @@ func TestSCEPService_PKCSReq_IntuneDispatcher_ComplianceHookDeniesNonCompliant(t
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
+		0, // ClockSkewTolerance — strict (no grace) keeps these tests deterministic
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
@@ -382,6 +390,7 @@ func TestSCEPService_PKCSReq_IntuneDispatcher_ComplianceHookErrorFailsClosed(t *
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
+		0, // ClockSkewTolerance — strict (no grace) keeps these tests deterministic
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
@@ -411,6 +420,7 @@ func TestSCEPService_IntuneEnabled_AccessorReflectsState(t *testing.T) {
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		0,
+		0, // ClockSkewTolerance — strict (no grace)
 		nil,
 		nil,
 	)

internal/service/scep_probe_persist_test.go

@@ -0,0 +1,218 @@
+package service
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"errors"
+	"math/big"
+	"testing"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// SCEP RFC 8894 + Intune master prompt §13 line 1859 acceptance —
+// coverage uplift on the SCEP probe persistence + clamp paths. Closed
+// in the 2026-04-29 audit-closure bundle (Phase H).
+//
+// Targets the lowest-coverage hot spots in
+// internal/service/scep_probe.go (per the audit) without bloating the
+// suite:
+//
+//   1. persistProbeResult is nil-safe + nil-repo-safe.
+//   2. persistProbeResult swallows repo errors (probe stays a "best-
+//      effort persist") + still surfaces them through the logger.
+//   3. ListRecentSCEPProbes returns an empty slice (NOT nil) when no
+//      repo is wired so JSON marshaling stays clean.
+//   4. describeCertAlgorithm covers RSA/ECDSA/Ed25519/unknown branches
+//      including the QF1008 nil-curve defensive branch added in
+//      commit 9fcea95.
+
+// stubSCEPProbeRepo is a controllable repository.SCEPProbeResultRepository
+// used by the persist + list tests. Returns the configured insertErr +
+// listResults from each Insert/ListRecent call; bumps insertCalls so the
+// test can assert which probes reached the persist path.
+type stubSCEPProbeRepo struct {
+	insertCalls int
+	insertErr   error
+	listResults []*domain.SCEPProbeResult
+	listLimit   int
+	listErr     error
+}
+
+func (r *stubSCEPProbeRepo) Insert(_ context.Context, _ *domain.SCEPProbeResult) error {
+	r.insertCalls++
+	return r.insertErr
+}
+
+func (r *stubSCEPProbeRepo) ListRecent(_ context.Context, limit int) ([]*domain.SCEPProbeResult, error) {
+	r.listLimit = limit
+	return r.listResults, r.listErr
+}
+
+// TestPersistProbeResult_NoRepoIsNoOp verifies persistProbeResult is
+// safe to call before SetSCEPProbeRepo wires a repo (the production
+// startup order is: build service → wire repo). Without this, a probe
+// that runs during the boot window would nil-deref.
+func TestPersistProbeResult_NoRepoIsNoOp(t *testing.T) {
+	s := newScepProbeServiceForTest(t)
+	// Should not panic even though scepProbeRepo is nil.
+	s.persistProbeResult(context.Background(), &domain.SCEPProbeResult{
+		ID:        "probe-no-repo",
+		TargetURL: "https://example.com/scep",
+	})
+}
+
+// TestPersistProbeResult_RepoErrorDoesNotFailCaller pins the
+// "best-effort persist" contract documented on persistProbeResult: a
+// repo write failure MUST NOT bubble back to the probe caller (the
+// probe's primary contract is "run + return," not "run + persist").
+// The repo's insertCalls counter MUST still be bumped so an operator
+// can prove the persist code path was reached even when it failed.
+func TestPersistProbeResult_RepoErrorDoesNotFailCaller(t *testing.T) {
+	repo := &stubSCEPProbeRepo{insertErr: errors.New("simulated db down")}
+	s := newScepProbeServiceForTest(t)
+	s.SetSCEPProbeRepo(repo)
+
+	s.persistProbeResult(context.Background(), &domain.SCEPProbeResult{
+		ID:        "probe-err",
+		TargetURL: "https://example.com/scep",
+	})
+	if repo.insertCalls != 1 {
+		t.Errorf("Insert calls = %d, want 1", repo.insertCalls)
+	}
+
+	// A logger-less service MUST also survive a repo error — the warn-
+	// log branch guards on `s.logger != nil`. Walk the same code path
+	// with a logger-nil service to exercise that defensive guard.
+	sNoLog := &NetworkScanService{nowFn: time.Now}
+	sNoLog.SetSCEPProbeRepo(repo)
+	sNoLog.persistProbeResult(context.Background(), &domain.SCEPProbeResult{
+		ID:        "probe-err-nologger",
+		TargetURL: "https://example.com/scep",
+	})
+	if repo.insertCalls != 2 {
+		t.Errorf("Insert calls (after nologger run) = %d, want 2", repo.insertCalls)
+	}
+}
+
+// TestListRecentSCEPProbes_NilRepoReturnsEmptySlice pins the
+// "JSON-clean empty" contract documented on ListRecentSCEPProbes —
+// the absence of a repo MUST surface as an empty slice (not nil) so
+// the GUI's JSON consumer doesn't render `null` instead of `[]`.
+// Critical for the React Network Scan page that .map()s over the
+// result and would crash on null.
+func TestListRecentSCEPProbes_NilRepoReturnsEmptySlice(t *testing.T) {
+	s := newScepProbeServiceForTest(t)
+	got, err := s.ListRecentSCEPProbes(context.Background(), 50)
+	if err != nil {
+		t.Fatalf("ListRecentSCEPProbes (nil repo): %v", err)
+	}
+	if got == nil {
+		t.Fatal("ListRecentSCEPProbes (nil repo) returned nil, want empty slice for JSON cleanliness")
+	}
+	if len(got) != 0 {
+		t.Errorf("ListRecentSCEPProbes (nil repo) = %d items, want 0", len(got))
+	}
+}
+
+// TestListRecentSCEPProbes_DelegatesToRepo verifies the wired-repo
+// path: the limit value flows through to the repository unmodified
+// (the [1, 200] clamp lives at the handler layer, not the service —
+// this test pins the service is a thin pass-through).
+func TestListRecentSCEPProbes_DelegatesToRepo(t *testing.T) {
+	repo := &stubSCEPProbeRepo{
+		listResults: []*domain.SCEPProbeResult{
+			{ID: "probe-1", TargetURL: "https://a.example.com/scep"},
+			{ID: "probe-2", TargetURL: "https://b.example.com/scep"},
+		},
+	}
+	s := newScepProbeServiceForTest(t)
+	s.SetSCEPProbeRepo(repo)
+
+	got, err := s.ListRecentSCEPProbes(context.Background(), 17)
+	if err != nil {
+		t.Fatalf("ListRecentSCEPProbes: %v", err)
+	}
+	if repo.listLimit != 17 {
+		t.Errorf("repo.ListRecent received limit=%d, want 17", repo.listLimit)
+	}
+	if len(got) != 2 {
+		t.Errorf("ListRecentSCEPProbes returned %d items, want 2", len(got))
+	}
+}
+
+// TestDescribeCertAlgorithm covers every documented branch of the
+// describe helper — including the QF1008 nil-curve defensive guard
+// added in commit 9fcea95. Walking each branch keeps the staticcheck
+// fix exercised in CI so a future "simplify" never reverts the nil
+// check + crashes on a malformed cert.
+func TestDescribeCertAlgorithm(t *testing.T) {
+	rsaCert, _ := fixtureRSACertForDescribeTest(t)
+	if got, want := describeCertAlgorithm(rsaCert), "RSA-2048"; got != want {
+		t.Errorf("RSA describe = %q, want %q", got, want)
+	}
+
+	ecCert, _ := fixtureCACert(t, "ec-describe", time.Now().Add(-1*time.Hour), time.Now().Add(24*time.Hour))
+	if got, want := describeCertAlgorithm(ecCert), "ECDSA-P-256"; got != want {
+		t.Errorf("ECDSA describe = %q, want %q", got, want)
+	}
+
+	// Defensive branch: an ECDSA public key with a nil Curve. The
+	// QF1008 fix keeps the explicit nil check so this case returns
+	// "ECDSA" without panicking.
+	bogusEC := &x509.Certificate{
+		PublicKey:          &ecdsa.PublicKey{Curve: nil},
+		PublicKeyAlgorithm: x509.ECDSA,
+	}
+	if got, want := describeCertAlgorithm(bogusEC), "ECDSA"; got != want {
+		t.Errorf("nil-curve ECDSA describe = %q, want %q (QF1008 defensive branch)", got, want)
+	}
+
+	// Algorithm-only fall-through (no key type match) → Ed25519/DSA.
+	ed := &x509.Certificate{PublicKeyAlgorithm: x509.Ed25519}
+	if got, want := describeCertAlgorithm(ed), "Ed25519"; got != want {
+		t.Errorf("Ed25519 describe = %q, want %q", got, want)
+	}
+	dsa := &x509.Certificate{PublicKeyAlgorithm: x509.DSA}
+	if got, want := describeCertAlgorithm(dsa), "DSA"; got != want {
+		t.Errorf("DSA describe = %q, want %q", got, want)
+	}
+
+	// Unrecognized → empty string (the GUI then renders "—").
+	unknown := &x509.Certificate{}
+	if got := describeCertAlgorithm(unknown); got != "" {
+		t.Errorf("unknown describe = %q, want empty", got)
+	}
+}
+
+// fixtureRSACertForDescribeTest is a tiny helper exclusive to the
+// describe-algo coverage test. The package's other RSA cert helpers
+// live behind type-specialized fixtures; we want a generic 2048-bit
+// RSA cert + nothing else.
+func fixtureRSACertForDescribeTest(t *testing.T) (*x509.Certificate, *rsa.PrivateKey) {
+	t.Helper()
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("rsa.GenerateKey: %v", err)
+	}
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{CommonName: "rsa-describe"},
+		NotBefore:    time.Now().Add(-1 * time.Hour),
+		NotAfter:     time.Now().Add(24 * time.Hour),
+	}
+	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
+	if err != nil {
+		t.Fatalf("CreateCertificate: %v", err)
+	}
+	parsed, err := x509.ParseCertificate(der)
+	if err != nil {
+		t.Fatalf("ParseCertificate: %v", err)
+	}
+	return parsed, key
+}