feat(M44): Google CAS issuer connector

Google Cloud Certificate Authority Service integration via REST API
with OAuth2 service account auth (JWT→access token). Synchronous
issuance model, CA pool selection, mutex-guarded token caching,
revocation with RFC 5280 reason mapping. No Google SDK dependency —
all stdlib. 19 tests with httptest mock OAuth2 + CAS API.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/architecture.md

@@ -514,6 +514,7 @@ flowchart TB
         II --> VP["Vault PKI"]
         II --> DC["DigiCert CertCentral"]
         II --> SG["Sectigo SCM"]
+        II --> GC["Google CAS"]
     end
 
     subgraph "Target Connectors"

docs/connectors.md

@@ -379,12 +379,29 @@ The connector submits certificate enrollments to Sectigo's `/ssl/v1/enroll` API.
 
 Location: `internal/connector/issuer/sectigo/sectigo.go`
 
+### Built-in: Google CAS
+
+Google Cloud Certificate Authority Service — managed private CA on GCP. Synchronous issuance via CAS REST API with OAuth2 service account auth.
+
+| Setting | Required | Default | Description |
+|---------|----------|---------|-------------|
+| `CERTCTL_GOOGLE_CAS_PROJECT` | Yes | — | GCP project ID |
+| `CERTCTL_GOOGLE_CAS_LOCATION` | Yes | — | GCP region (e.g., `us-central1`) |
+| `CERTCTL_GOOGLE_CAS_CA_POOL` | Yes | — | CA pool name |
+| `CERTCTL_GOOGLE_CAS_CREDENTIALS` | Yes | — | Path to service account JSON |
+| `CERTCTL_GOOGLE_CAS_TTL` | No | `8760h` | Default certificate TTL |
+
+**Authentication:** OAuth2 service account. The connector reads a service account JSON file, signs a JWT with the private key, and exchanges it for an access token at Google's token endpoint. Tokens are cached and refreshed automatically (5 min before expiry).
+
+**Note:** CRL and OCSP are managed by Google CAS directly. certctl records revocations locally and notifies Google CAS via the revoke endpoint.
+
+Location: `internal/connector/issuer/googlecas/googlecas.go`
+
 ### Coming in V2.2+
 
 The following issuer connectors are planned for future releases:
 
 - **Entrust** — Enterprise CA via Entrust API
-- **Google CAS** — Google Cloud Certificate Authority Service
 - **AWS ACM Private CA** — AWS-managed private CA
 
 Note: ADCS (Active Directory Certificate Services) integration is handled via the **sub-CA mode** of the Local CA issuer, not as a separate connector. certctl operates as a subordinate CA with its signing certificate issued by ADCS, so all certctl-issued certs chain to the enterprise ADCS root. See the Local CA section above.

docs/testing-guide.md

@@ -6385,15 +6385,83 @@ These must be green before starting manual QA:
 
 **PASS if** correct 3-header auth on all requests.
 
+### Part 44: Google CAS Issuer Connector (M44)
+
+**Prerequisites:** GCP project with Certificate Authority Service enabled, CA pool created, service account with `roles/privateca.certificateManager`, service account JSON key file.
+
+#### Automated Tests
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 44.s1 | `IssuerTypeGoogleCAS` constant exists in domain | Auto | ☐ |  | `grep 'GoogleCAS' internal/domain/connector.go` |
+| 44.s2 | `GoogleCASConfig` struct exists in config | Auto | ☐ |  | `grep 'GoogleCASConfig' internal/config/config.go` |
+| 44.s3 | `iss-googlecas` in seed_demo.sql | Auto | ☐ |  | `grep 'iss-googlecas' migrations/seed_demo.sql` |
+| 44.s4 | GoogleCAS in OpenAPI IssuerType enum | Auto | ☐ |  | `grep 'GoogleCAS' api/openapi.yaml` |
+| 44.s5 | Google CAS connector tests pass | Auto | ☐ |  | `go test ./internal/connector/issuer/googlecas/... -v` |
+| 44.s6 | GoogleCAS in issuerTypes.ts | Auto | ☐ |  | `grep 'GoogleCAS' web/src/config/issuerTypes.ts` |
+| 44.s7 | Frontend build succeeds | Auto | ☐ |  | `cd web && npm run build` |
+| 44.s8 | Full Go build succeeds | Auto | ☐ |  | `go build ./cmd/server/... ./cmd/agent/... ./cmd/cli/... ./cmd/mcp-server/...` |
+
+#### Manual Tests
+
+**44.M1: Validate Google CAS Credentials**
+
+1. Configure env vars: `CERTCTL_GOOGLE_CAS_PROJECT`, `CERTCTL_GOOGLE_CAS_LOCATION`, `CERTCTL_GOOGLE_CAS_CA_POOL`, `CERTCTL_GOOGLE_CAS_CREDENTIALS`
+2. Start certctl server — verify log line: `Google CAS issuer registered`
+3. Call `GET /api/v1/issuers` — verify `iss-googlecas` appears in the list
+
+**PASS if** `iss-googlecas` registered and visible in API.
+
+**44.M2: Issue Certificate via Google CAS**
+
+1. Create a certificate with `issuer_id: iss-googlecas`
+2. Trigger issuance — verify synchronous issuance (no async polling needed)
+3. Verify PEM cert returned with correct CN and SANs
+4. Verify certificate resource name stored in order_id field
+
+**PASS if** certificate issued synchronously, PEM valid, resource name tracked.
+
+**44.M3: Renewal via Google CAS**
+
+1. Trigger renewal on a Google CAS-issued certificate
+2. Verify new certificate issued (delegates to IssueCertificate)
+3. Verify new serial number, updated validity dates
+
+**PASS if** renewal produces new cert with new serial.
+
+**44.M4: Revocation via Google CAS**
+
+1. Revoke a Google CAS-issued certificate via `POST /api/v1/certificates/{id}/revoke`
+2. Verify Google CAS revoke endpoint called (`POST {name}:revoke`)
+3. Verify revocation reason mapped correctly (RFC 5280 → Google CAS enum)
+4. Verify audit trail records revocation
+
+**PASS if** revocation recorded in certctl and sent to Google CAS.
+
+**44.M5: OAuth2 Token Caching**
+
+1. Issue multiple certificates in quick succession
+2. Verify token is cached (not re-fetched for every request)
+3. Verify token refresh after expiry
+
+**PASS if** token reuse observed, refresh works after expiry.
+
+**44.M6: CA Certificate Retrieval**
+
+1. Call EST cacerts endpoint with Google CAS as issuer
+2. Verify CA certificate chain returned from Google CAS fetchCaCerts API
+
+**PASS if** CA cert PEM returned successfully.
+
 ### Summary
 
 | Category | Count |
 |----------|-------|
 | ☑ Auto (passed in `qa-smoke-test.sh`) | 144 |
-| ☐ Auto (not yet run) | 20 |
+| ☐ Auto (not yet run) | 28 |
 | — Skipped (preconditions not met in demo) | 5 |
-| ☐ Manual (requires hands-on verification) | 247 |
-| **Total** | **416** |
+| ☐ Manual (requires hands-on verification) | 253 |
+| **Total** | **430** |
 
 **Automated tests must also be green.** CI passing is necessary but not sufficient — this manual QA catches integration issues that isolated unit tests miss.