feat(V2.2): bulk revocation — filter-based fleet-wide certificate revocation

Add POST /api/v1/certificates/bulk-revoke with filter criteria (profile_id, owner_id, agent_id, issuer_id, team_id, certificate_ids), partial-failure tolerance, and audit trail. Includes MCP tool, CLI command (certs bulk-revoke), server-side bulk modal in GUI replacing client-side sequential loop, OpenAPI spec, compliance mapping updates, and 21 new tests (12 service, 7 handler, 1 CLI, 1 frontend). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-09 15:28:54 +00:00 · 2026-04-16 00:06:34 -04:00
parent cdb448dfe5
commit 4e3927e8b4
25 changed files with 1264 additions and 39 deletions
@@ -0,0 +1,94 @@
+package handler
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+
+	"github.com/shankar0123/certctl/internal/api/middleware"
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// BulkRevocationService defines the service interface for bulk certificate revocation.
+type BulkRevocationService interface {
+	BulkRevoke(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error)
+}
+
+// BulkRevocationHandler handles HTTP requests for bulk revocation operations.
+type BulkRevocationHandler struct {
+	svc BulkRevocationService
+}
+
+// NewBulkRevocationHandler creates a new BulkRevocationHandler.
+func NewBulkRevocationHandler(svc BulkRevocationService) BulkRevocationHandler {
+	return BulkRevocationHandler{svc: svc}
+}
+
+// bulkRevokeRequest represents the JSON request body for bulk revocation.
+type bulkRevokeRequest struct {
+	Reason         string   `json:"reason"`
+	ProfileID      string   `json:"profile_id,omitempty"`
+	OwnerID        string   `json:"owner_id,omitempty"`
+	AgentID        string   `json:"agent_id,omitempty"`
+	IssuerID       string   `json:"issuer_id,omitempty"`
+	TeamID         string   `json:"team_id,omitempty"`
+	CertificateIDs []string `json:"certificate_ids,omitempty"`
+}
+
+// BulkRevoke handles bulk certificate revocation.
+// POST /api/v1/certificates/bulk-revoke
+func (h BulkRevocationHandler) BulkRevoke(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	var req bulkRevokeRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID)
+		return
+	}
+
+	// Validate reason is present
+	if req.Reason == "" {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Revocation reason is required", requestID)
+		return
+	}
+
+	// Validate reason is a valid RFC 5280 code
+	if !domain.IsValidRevocationReason(req.Reason) {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid revocation reason: "+req.Reason, requestID)
+		return
+	}
+
+	criteria := domain.BulkRevocationCriteria{
+		ProfileID:      req.ProfileID,
+		OwnerID:        req.OwnerID,
+		AgentID:        req.AgentID,
+		IssuerID:       req.IssuerID,
+		TeamID:         req.TeamID,
+		CertificateIDs: req.CertificateIDs,
+	}
+
+	// Safety guard: at least one criterion required
+	if criteria.IsEmpty() {
+		ErrorWithRequestID(w, http.StatusBadRequest, "At least one filter criterion is required (profile_id, owner_id, agent_id, issuer_id, team_id, or certificate_ids)", requestID)
+		return
+	}
+
+	// Extract actor from auth context
+	actor := "api"
+	if user, ok := middleware.GetUser(r.Context()); ok && user != "" {
+		actor = user
+	}
+
+	result, err := h.svc.BulkRevoke(r.Context(), criteria, req.Reason, actor)
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Bulk revocation failed: "+err.Error(), requestID)
+		return
+	}
+
+	JSON(w, http.StatusOK, result)
+}
@@ -0,0 +1,170 @@
+package handler
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// mockBulkRevocationService is a test implementation of BulkRevocationService
+type mockBulkRevocationService struct {
+	BulkRevokeFn func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error)
+}
+
+func (m *mockBulkRevocationService) BulkRevoke(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
+	if m.BulkRevokeFn != nil {
+		return m.BulkRevokeFn(ctx, criteria, reason, actor)
+	}
+	return &domain.BulkRevocationResult{}, nil
+}
+
+func TestBulkRevoke_Success_WithIDs(t *testing.T) {
+	svc := &mockBulkRevocationService{
+		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
+			if len(criteria.CertificateIDs) != 2 {
+				t.Errorf("expected 2 IDs, got %d", len(criteria.CertificateIDs))
+			}
+			if reason != "keyCompromise" {
+				t.Errorf("expected reason keyCompromise, got %s", reason)
+			}
+			return &domain.BulkRevocationResult{
+				TotalMatched: 2,
+				TotalRevoked: 2,
+			}, nil
+		},
+	}
+	h := NewBulkRevocationHandler(svc)
+
+	body := `{"reason":"keyCompromise","certificate_ids":["mc-1","mc-2"]}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+
+	var result domain.BulkRevocationResult
+	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	if result.TotalMatched != 2 {
+		t.Errorf("expected TotalMatched=2, got %d", result.TotalMatched)
+	}
+	if result.TotalRevoked != 2 {
+		t.Errorf("expected TotalRevoked=2, got %d", result.TotalRevoked)
+	}
+}
+
+func TestBulkRevoke_Success_WithProfile(t *testing.T) {
+	svc := &mockBulkRevocationService{
+		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
+			if criteria.ProfileID != "prof-tls" {
+				t.Errorf("expected profile prof-tls, got %s", criteria.ProfileID)
+			}
+			return &domain.BulkRevocationResult{
+				TotalMatched: 5,
+				TotalRevoked: 4,
+				TotalSkipped: 1,
+			}, nil
+		},
+	}
+	h := NewBulkRevocationHandler(svc)
+
+	body := `{"reason":"keyCompromise","profile_id":"prof-tls"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+}
+
+func TestBulkRevoke_MissingReason_400(t *testing.T) {
+	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
+
+	body := `{"certificate_ids":["mc-1"]}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestBulkRevoke_EmptyCriteria_400(t *testing.T) {
+	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
+
+	body := `{"reason":"keyCompromise"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestBulkRevoke_InvalidReason_400(t *testing.T) {
+	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
+
+	body := `{"reason":"totallyBogus","certificate_ids":["mc-1"]}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestBulkRevoke_MethodNotAllowed_405(t *testing.T) {
+	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates/bulk-revoke", nil)
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected 405, got %d", w.Code)
+	}
+}
+
+func TestBulkRevoke_ServiceError_500(t *testing.T) {
+	svc := &mockBulkRevocationService{
+		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
+			return nil, fmt.Errorf("database connection failed")
+		},
+	}
+	h := NewBulkRevocationHandler(svc)
+
+	body := `{"reason":"keyCompromise","certificate_ids":["mc-1"]}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d", w.Code)
+	}
+}
@@ -65,7 +65,8 @@ type HandlerRegistry struct {
 	Verification  handler.VerificationHandler
 	Export        handler.ExportHandler
 	Digest        handler.DigestHandler
-	HealthChecks  *handler.HealthCheckHandler
+	HealthChecks     *handler.HealthCheckHandler
+	BulkRevocation   handler.BulkRevocationHandler
 }

 // RegisterHandlers sets up all API routes with their handlers.
@@ -91,6 +92,8 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) {
 	r.Register("GET /api/v1/auth/check", http.HandlerFunc(reg.Health.AuthCheck))

 	// Certificates routes: /api/v1/certificates
+	// Bulk revoke must be registered before {id} routes to avoid path conflict
+	r.Register("POST /api/v1/certificates/bulk-revoke", http.HandlerFunc(reg.BulkRevocation.BulkRevoke))
 	r.Register("GET /api/v1/certificates", http.HandlerFunc(reg.Certificates.ListCertificates))
 	r.Register("POST /api/v1/certificates", http.HandlerFunc(reg.Certificates.CreateCertificate))
 	r.Register("GET /api/v1/certificates/{id}", http.HandlerFunc(reg.Certificates.GetCertificate))
@@ -198,6 +198,65 @@ func (c *Client) RevokeCertificate(id, reason string) error {
 	return nil
 }

+// BulkRevokeCertificates revokes certificates matching filter criteria.
+func (c *Client) BulkRevokeCertificates(args []string) error {
+	fs := flag.NewFlagSet("certs bulk-revoke", flag.ContinueOnError)
+	reason := fs.String("reason", "unspecified", "RFC 5280 revocation reason")
+	profileID := fs.String("profile-id", "", "Revoke certs matching this profile")
+	ownerID := fs.String("owner-id", "", "Revoke certs owned by this owner")
+	agentID := fs.String("agent-id", "", "Revoke certs deployed via this agent")
+	issuerID := fs.String("issuer-id", "", "Revoke certs issued by this issuer")
+	teamID := fs.String("team-id", "", "Revoke certs owned by team members")
+	if err := fs.Parse(args); err != nil {
+		return err
+	}
+
+	body := map[string]interface{}{
+		"reason": *reason,
+	}
+	if *profileID != "" {
+		body["profile_id"] = *profileID
+	}
+	if *ownerID != "" {
+		body["owner_id"] = *ownerID
+	}
+	if *agentID != "" {
+		body["agent_id"] = *agentID
+	}
+	if *issuerID != "" {
+		body["issuer_id"] = *issuerID
+	}
+	if *teamID != "" {
+		body["team_id"] = *teamID
+	}
+
+	// Remaining positional args are certificate IDs
+	if fs.NArg() > 0 {
+		body["certificate_ids"] = fs.Args()
+	}
+
+	resp, err := c.do("POST", "/api/v1/certificates/bulk-revoke", nil, body)
+	if err != nil {
+		return err
+	}
+
+	var result map[string]interface{}
+	if err := json.Unmarshal(resp, &result); err != nil {
+		return fmt.Errorf("parsing response: %w", err)
+	}
+
+	if c.format == "json" {
+		return c.outputJSON(result)
+	}
+
+	fmt.Printf("Bulk revocation complete:\n")
+	fmt.Printf("  Matched: %v\n", result["total_matched"])
+	fmt.Printf("  Revoked: %v\n", result["total_revoked"])
+	fmt.Printf("  Skipped: %v\n", result["total_skipped"])
+	fmt.Printf("  Failed:  %v\n", result["total_failed"])
+	return nil
+}
+
 // ListAgents lists all agents.
 func (c *Client) ListAgents(args []string) error {
 	fs := flag.NewFlagSet("agents list", flag.ContinueOnError)
@@ -112,6 +112,43 @@ func TestClient_RevokeCertificate(t *testing.T) {
 	}
 }

+func TestClient_BulkRevokeCertificates(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "POST" || r.URL.Path != "/api/v1/certificates/bulk-revoke" {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+
+		// Verify request body contains expected fields
+		var body map[string]interface{}
+		json.NewDecoder(r.Body).Decode(&body)
+		if body["reason"] != "keyCompromise" {
+			t.Errorf("expected reason keyCompromise, got %v", body["reason"])
+		}
+		if body["profile_id"] != "prof-tls" {
+			t.Errorf("expected profile_id prof-tls, got %v", body["profile_id"])
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(map[string]interface{}{
+			"total_matched": 3,
+			"total_revoked": 2,
+			"total_skipped": 1,
+			"total_failed":  0,
+		})
+	}))
+	defer server.Close()
+
+	client := NewClient(server.URL, "", "table")
+	err := client.BulkRevokeCertificates([]string{
+		"--reason", "keyCompromise",
+		"--profile-id", "prof-tls",
+	})
+	if err != nil {
+		t.Fatalf("BulkRevokeCertificates failed: %v", err)
+	}
+}
+
 func TestClient_ListAgents(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != "GET" || r.URL.Path != "/api/v1/agents" {
@@ -43,6 +43,38 @@ func CRLReasonCode(reason RevocationReason) int {
 	return 0 // unspecified
 }

+// BulkRevocationCriteria defines the filter criteria for bulk certificate revocation.
+// At least one field must be set — empty criteria is rejected as a safety guard.
+type BulkRevocationCriteria struct {
+	ProfileID      string   `json:"profile_id,omitempty"`
+	OwnerID        string   `json:"owner_id,omitempty"`
+	AgentID        string   `json:"agent_id,omitempty"`
+	IssuerID       string   `json:"issuer_id,omitempty"`
+	TeamID         string   `json:"team_id,omitempty"`
+	CertificateIDs []string `json:"certificate_ids,omitempty"`
+}
+
+// IsEmpty returns true if no filter criteria are set.
+func (c BulkRevocationCriteria) IsEmpty() bool {
+	return c.ProfileID == "" && c.OwnerID == "" && c.AgentID == "" &&
+		c.IssuerID == "" && c.TeamID == "" && len(c.CertificateIDs) == 0
+}
+
+// BulkRevocationResult contains the outcome of a bulk revocation operation.
+type BulkRevocationResult struct {
+	TotalMatched int                    `json:"total_matched"`
+	TotalRevoked int                    `json:"total_revoked"`
+	TotalSkipped int                    `json:"total_skipped"`
+	TotalFailed  int                    `json:"total_failed"`
+	Errors       []BulkRevocationError  `json:"errors,omitempty"`
+}
+
+// BulkRevocationError records a per-certificate revocation failure.
+type BulkRevocationError struct {
+	CertificateID string `json:"certificate_id"`
+	Error         string `json:"error"`
+}
+
 // CertificateRevocation records the revocation of a specific certificate version.
 // Used as the authoritative source for CRL generation.
 type CertificateRevocation struct {
@@ -113,7 +113,8 @@ func TestCertificateLifecycle(t *testing.T) {
 		Health:        healthHandler,
 		Discovery:     discoveryHandler,
 		NetworkScan:   networkScanHandler,
-		Verification:  verificationHandler,
+		Verification:    verificationHandler,
+		BulkRevocation:  handler.BulkRevocationHandler{},
 	})
 	r.RegisterESTHandlers(estHandler)

@@ -103,7 +103,8 @@ func setupTestServer(t *testing.T) (*httptest.Server, *mockCertificateRepository
 		Health:        healthHandler,
 		Discovery:     discoveryHandler,
 		NetworkScan:   networkScanHandler,
-		Verification:  verificationHandler,
+		Verification:    verificationHandler,
+		BulkRevocation:  handler.BulkRevocationHandler{},
 	})
 	r.RegisterESTHandlers(estHandler)

@@ -182,6 +182,38 @@ func registerCertificateTools(s *gomcp.Server, c *Client) {
 		}
 		return textResult(data)
 	})
+
+	gomcp.AddTool(s, &gomcp.Tool{
+		Name:        "certctl_bulk_revoke_certificates",
+		Description: "Bulk revoke certificates matching filter criteria. At least one criterion (profile_id, owner_id, agent_id, issuer_id, team_id, or certificate_ids) is required. Returns counts of matched, revoked, skipped, and failed certificates.",
+	}, func(ctx context.Context, req *gomcp.CallToolRequest, input BulkRevokeCertificatesInput) (*gomcp.CallToolResult, any, error) {
+		body := map[string]interface{}{
+			"reason": input.Reason,
+		}
+		if input.ProfileID != "" {
+			body["profile_id"] = input.ProfileID
+		}
+		if input.OwnerID != "" {
+			body["owner_id"] = input.OwnerID
+		}
+		if input.AgentID != "" {
+			body["agent_id"] = input.AgentID
+		}
+		if input.IssuerID != "" {
+			body["issuer_id"] = input.IssuerID
+		}
+		if input.TeamID != "" {
+			body["team_id"] = input.TeamID
+		}
+		if len(input.CertificateIDs) > 0 {
+			body["certificate_ids"] = input.CertificateIDs
+		}
+		data, err := c.Post("/api/v1/certificates/bulk-revoke", body)
+		if err != nil {
+			return errorResult(err)
+		}
+		return textResult(data)
+	})
 }

 // ── CRL & OCSP ──────────────────────────────────────────────────────
@@ -62,6 +62,16 @@ type RevokeCertificateInput struct {
 	Reason string `json:"reason,omitempty" jsonschema:"RFC 5280 reason: unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn"`
 }

+type BulkRevokeCertificatesInput struct {
+	Reason         string   `json:"reason" jsonschema:"RFC 5280 reason: unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn"`
+	ProfileID      string   `json:"profile_id,omitempty" jsonschema:"Revoke all certs matching this profile ID"`
+	OwnerID        string   `json:"owner_id,omitempty" jsonschema:"Revoke all certs owned by this owner"`
+	AgentID        string   `json:"agent_id,omitempty" jsonschema:"Revoke all certs deployed via this agent"`
+	IssuerID       string   `json:"issuer_id,omitempty" jsonschema:"Revoke all certs issued by this issuer"`
+	TeamID         string   `json:"team_id,omitempty" jsonschema:"Revoke all certs owned by members of this team"`
+	CertificateIDs []string `json:"certificate_ids,omitempty" jsonschema:"Explicit list of certificate IDs to revoke"`
+}
+
 type ListVersionsInput struct {
 	ID string `json:"id" jsonschema:"Certificate ID"`
 	ListParams
@@ -0,0 +1,182 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"strings"
+
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
+)
+
+// BulkRevocationService coordinates bulk certificate revocation operations.
+// It builds on the single-cert RevokeCertificateWithActor flow — no duplicate logic.
+type BulkRevocationService struct {
+	revSvc       *RevocationSvc
+	certRepo     repository.CertificateRepository
+	auditService *AuditService
+	logger       *slog.Logger
+}
+
+// NewBulkRevocationService creates a new BulkRevocationService.
+func NewBulkRevocationService(
+	revSvc *RevocationSvc,
+	certRepo repository.CertificateRepository,
+	auditService *AuditService,
+	logger *slog.Logger,
+) *BulkRevocationService {
+	return &BulkRevocationService{
+		revSvc:       revSvc,
+		certRepo:     certRepo,
+		auditService: auditService,
+		logger:       logger,
+	}
+}
+
+// BulkRevoke revokes all certificates matching the given criteria.
+// It reuses RevokeCertificateWithActor for each cert — partial failures don't abort the batch.
+func (s *BulkRevocationService) BulkRevoke(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
+	// Validate inputs
+	if criteria.IsEmpty() {
+		return nil, fmt.Errorf("at least one filter criterion is required")
+	}
+	if reason == "" {
+		return nil, fmt.Errorf("revocation reason is required")
+	}
+	if !domain.IsValidRevocationReason(reason) {
+		return nil, fmt.Errorf("invalid revocation reason: %s", reason)
+	}
+
+	// Resolve matching certificates
+	certs, err := s.resolveCertificates(ctx, criteria)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve certificates: %w", err)
+	}
+
+	result := &domain.BulkRevocationResult{
+		TotalMatched: len(certs),
+	}
+
+	// Revoke each certificate, continuing on individual failures
+	for _, cert := range certs {
+		// Skip already-revoked or archived certs
+		if cert.Status == domain.CertificateStatusRevoked {
+			result.TotalSkipped++
+			continue
+		}
+		if cert.Status == domain.CertificateStatusArchived {
+			result.TotalSkipped++
+			continue
+		}
+
+		err := s.revSvc.RevokeCertificateWithActor(ctx, cert.ID, reason, actor)
+		if err != nil {
+			result.TotalFailed++
+			result.Errors = append(result.Errors, domain.BulkRevocationError{
+				CertificateID: cert.ID,
+				Error:         err.Error(),
+			})
+			s.logger.Warn("bulk revocation: individual cert failed",
+				"certificate_id", cert.ID,
+				"error", err)
+		} else {
+			result.TotalRevoked++
+		}
+	}
+
+	// Record audit event for the bulk operation
+	criteriaDetails := s.buildAuditDetails(criteria)
+	criteriaDetails["reason"] = reason
+	criteriaDetails["total_matched"] = result.TotalMatched
+	criteriaDetails["total_revoked"] = result.TotalRevoked
+	criteriaDetails["total_skipped"] = result.TotalSkipped
+	criteriaDetails["total_failed"] = result.TotalFailed
+	if err := s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser,
+		"bulk_revocation_initiated", "certificate", "bulk",
+		criteriaDetails); err != nil {
+		s.logger.Error("failed to record bulk revocation audit event", "error", err)
+	}
+
+	return result, nil
+}
+
+// resolveCertificates fetches the set of certificates matching the bulk revocation criteria.
+// When CertificateIDs are provided, it fetches each cert by ID individually.
+// When filter criteria (profile, owner, etc.) are provided, it uses the repository List method.
+// When both are provided, it intersects: only IDs that also match the filter criteria.
+func (s *BulkRevocationService) resolveCertificates(ctx context.Context, criteria domain.BulkRevocationCriteria) ([]*domain.ManagedCertificate, error) {
+	hasFilterCriteria := criteria.ProfileID != "" || criteria.OwnerID != "" ||
+		criteria.AgentID != "" || criteria.IssuerID != "" || criteria.TeamID != ""
+	hasExplicitIDs := len(criteria.CertificateIDs) > 0
+
+	if hasExplicitIDs && !hasFilterCriteria {
+		// Only explicit IDs — fetch each cert by ID
+		var certs []*domain.ManagedCertificate
+		for _, id := range criteria.CertificateIDs {
+			cert, err := s.certRepo.Get(ctx, id)
+			if err != nil {
+				// Skip not-found certs — they'll count as "matched" but skipped
+				continue
+			}
+			certs = append(certs, cert)
+		}
+		return certs, nil
+	}
+
+	// Use filter-based query
+	filter := &repository.CertificateFilter{
+		OwnerID:   criteria.OwnerID,
+		TeamID:    criteria.TeamID,
+		IssuerID:  criteria.IssuerID,
+		AgentID:   criteria.AgentID,
+		ProfileID: criteria.ProfileID,
+		PerPage:   10000, // High limit to get all matching certs in one query
+	}
+
+	certs, _, err := s.certRepo.List(ctx, filter)
+	if err != nil {
+		return nil, err
+	}
+
+	// If explicit IDs also provided, intersect
+	if hasExplicitIDs {
+		idSet := make(map[string]bool, len(criteria.CertificateIDs))
+		for _, id := range criteria.CertificateIDs {
+			idSet[id] = true
+		}
+		var filtered []*domain.ManagedCertificate
+		for _, cert := range certs {
+			if idSet[cert.ID] {
+				filtered = append(filtered, cert)
+			}
+		}
+		return filtered, nil
+	}
+
+	return certs, nil
+}
+
+// buildAuditDetails constructs a map of criteria fields for the audit event.
+func (s *BulkRevocationService) buildAuditDetails(criteria domain.BulkRevocationCriteria) map[string]interface{} {
+	details := map[string]interface{}{}
+	if criteria.ProfileID != "" {
+		details["profile_id"] = criteria.ProfileID
+	}
+	if criteria.OwnerID != "" {
+		details["owner_id"] = criteria.OwnerID
+	}
+	if criteria.AgentID != "" {
+		details["agent_id"] = criteria.AgentID
+	}
+	if criteria.IssuerID != "" {
+		details["issuer_id"] = criteria.IssuerID
+	}
+	if criteria.TeamID != "" {
+		details["team_id"] = criteria.TeamID
+	}
+	if len(criteria.CertificateIDs) > 0 {
+		details["certificate_ids"] = strings.Join(criteria.CertificateIDs, ",")
+	}
+	return details
+}
@@ -0,0 +1,379 @@
+package service
+
+import (
+	"context"
+	"errors"
+	"log/slog"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// helper to create a test BulkRevocationService wired for bulk revocation tests
+func newBulkRevocationTestService() (*BulkRevocationService, *mockCertRepo, *mockRevocationRepo, *mockAuditRepo) {
+	certRepo := newMockCertificateRepository()
+	auditRepo := newMockAuditRepository()
+	revocationRepo := newMockRevocationRepository()
+
+	auditService := NewAuditService(auditRepo)
+
+	// Create RevocationSvc (underlying single-cert revocation)
+	revSvc := NewRevocationSvc(certRepo, revocationRepo, auditService)
+	registry := NewIssuerRegistry(slog.Default())
+	registry.Set("iss-local", &mockIssuerConnector{})
+	revSvc.SetIssuerRegistry(registry)
+
+	bulkSvc := NewBulkRevocationService(revSvc, certRepo, auditService, slog.Default())
+
+	return bulkSvc, certRepo, revocationRepo, auditRepo
+}
+
+func addTestCert(repo *mockCertRepo, id, status, issuerID string) {
+	cert := &domain.ManagedCertificate{
+		ID:        id,
+		CommonName: id + ".example.com",
+		Status:    domain.CertificateStatus(status),
+		IssuerID:  issuerID,
+		ExpiresAt: time.Now().AddDate(0, 6, 0),
+	}
+	repo.AddCert(cert)
+	// Add a version with serial number (needed by RevokeCertificateWithActor)
+	repo.Versions[id] = []*domain.CertificateVersion{
+		{
+			ID:            "ver-" + id,
+			CertificateID: id,
+			SerialNumber:  "serial-" + id,
+			NotBefore:     time.Now(),
+			NotAfter:      time.Now().AddDate(1, 0, 0),
+			CreatedAt:     time.Now(),
+		},
+	}
+}
+
+func addTestCertWithProfile(repo *mockCertRepo, id, status, issuerID, profileID, ownerID string) {
+	cert := &domain.ManagedCertificate{
+		ID:        id,
+		CommonName: id + ".example.com",
+		Status:    domain.CertificateStatus(status),
+		IssuerID:  issuerID,
+		CertificateProfileID: profileID,
+		OwnerID:   ownerID,
+		ExpiresAt: time.Now().AddDate(0, 6, 0),
+	}
+	repo.AddCert(cert)
+	repo.Versions[id] = []*domain.CertificateVersion{
+		{
+			ID:            "ver-" + id,
+			CertificateID: id,
+			SerialNumber:  "serial-" + id,
+			NotBefore:     time.Now(),
+			NotAfter:      time.Now().AddDate(1, 0, 0),
+			CreatedAt:     time.Now(),
+		},
+	}
+}
+
+func TestBulkRevoke_ByExplicitIDs(t *testing.T) {
+	svc, certRepo, _, _ := newBulkRevocationTestService()
+
+	addTestCert(certRepo, "mc-1", "Active", "iss-local")
+	addTestCert(certRepo, "mc-2", "Active", "iss-local")
+	addTestCert(certRepo, "mc-3", "Active", "iss-local")
+
+	criteria := domain.BulkRevocationCriteria{
+		CertificateIDs: []string{"mc-1", "mc-2", "mc-3"},
+	}
+
+	result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
+	if err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+
+	if result.TotalMatched != 3 {
+		t.Errorf("expected TotalMatched=3, got %d", result.TotalMatched)
+	}
+	if result.TotalRevoked != 3 {
+		t.Errorf("expected TotalRevoked=3, got %d", result.TotalRevoked)
+	}
+	if result.TotalSkipped != 0 {
+		t.Errorf("expected TotalSkipped=0, got %d", result.TotalSkipped)
+	}
+	if result.TotalFailed != 0 {
+		t.Errorf("expected TotalFailed=0, got %d", result.TotalFailed)
+	}
+
+	// Verify certs are revoked
+	for _, id := range []string{"mc-1", "mc-2", "mc-3"} {
+		cert, _ := certRepo.Get(context.Background(), id)
+		if cert.Status != domain.CertificateStatusRevoked {
+			t.Errorf("expected cert %s to be Revoked, got %s", id, cert.Status)
+		}
+	}
+}
+
+func TestBulkRevoke_ByProfile(t *testing.T) {
+	svc, certRepo, _, _ := newBulkRevocationTestService()
+
+	// The mock List returns all certs regardless of filter (mock limitation).
+	// We test the code path — real repo would filter by profile.
+	addTestCert(certRepo, "mc-1", "Active", "iss-local")
+	addTestCert(certRepo, "mc-2", "Active", "iss-local")
+
+	criteria := domain.BulkRevocationCriteria{
+		ProfileID: "prof-tls",
+	}
+
+	result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
+	if err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+
+	if result.TotalMatched != 2 {
+		t.Errorf("expected TotalMatched=2, got %d", result.TotalMatched)
+	}
+	if result.TotalRevoked != 2 {
+		t.Errorf("expected TotalRevoked=2, got %d", result.TotalRevoked)
+	}
+}
+
+func TestBulkRevoke_ByOwner(t *testing.T) {
+	svc, certRepo, _, _ := newBulkRevocationTestService()
+
+	addTestCertWithProfile(certRepo, "mc-1", "Active", "iss-local", "", "o-alice")
+	addTestCertWithProfile(certRepo, "mc-2", "Active", "iss-local", "", "o-alice")
+
+	criteria := domain.BulkRevocationCriteria{
+		OwnerID: "o-alice",
+	}
+
+	result, err := svc.BulkRevoke(context.Background(), criteria, "cessationOfOperation", "admin")
+	if err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+
+	if result.TotalRevoked != 2 {
+		t.Errorf("expected TotalRevoked=2, got %d", result.TotalRevoked)
+	}
+}
+
+func TestBulkRevoke_MultipleCriteria(t *testing.T) {
+	svc, certRepo, _, _ := newBulkRevocationTestService()
+
+	addTestCertWithProfile(certRepo, "mc-1", "Active", "iss-local", "prof-tls", "o-alice")
+	addTestCertWithProfile(certRepo, "mc-2", "Active", "iss-local", "prof-tls", "o-bob")
+
+	criteria := domain.BulkRevocationCriteria{
+		ProfileID:      "prof-tls",
+		CertificateIDs: []string{"mc-1"}, // Intersect: only mc-1 from the filter results
+	}
+
+	result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
+	if err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+
+	// Both certs match the filter, but intersection with IDs gives 1
+	if result.TotalMatched != 1 {
+		t.Errorf("expected TotalMatched=1, got %d", result.TotalMatched)
+	}
+	if result.TotalRevoked != 1 {
+		t.Errorf("expected TotalRevoked=1, got %d", result.TotalRevoked)
+	}
+
+	// mc-1 should be revoked, mc-2 should not
+	cert1, _ := certRepo.Get(context.Background(), "mc-1")
+	if cert1.Status != domain.CertificateStatusRevoked {
+		t.Errorf("expected mc-1 to be Revoked, got %s", cert1.Status)
+	}
+	cert2, _ := certRepo.Get(context.Background(), "mc-2")
+	if cert2.Status == domain.CertificateStatusRevoked {
+		t.Error("expected mc-2 to NOT be revoked")
+	}
+}
+
+func TestBulkRevoke_EmptyCriteria_Error(t *testing.T) {
+	svc, _, _, _ := newBulkRevocationTestService()
+
+	criteria := domain.BulkRevocationCriteria{}
+	_, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
+	if err == nil {
+		t.Fatal("expected error for empty criteria")
+	}
+	if !strings.Contains(err.Error(), "at least one filter criterion") {
+		t.Errorf("expected 'at least one filter criterion' error, got: %v", err)
+	}
+}
+
+func TestBulkRevoke_InvalidReason_Error(t *testing.T) {
+	svc, _, _, _ := newBulkRevocationTestService()
+
+	criteria := domain.BulkRevocationCriteria{
+		CertificateIDs: []string{"mc-1"},
+	}
+
+	_, err := svc.BulkRevoke(context.Background(), criteria, "totallyBogus", "admin")
+	if err == nil {
+		t.Fatal("expected error for invalid reason")
+	}
+	if !strings.Contains(err.Error(), "invalid revocation reason") {
+		t.Errorf("expected 'invalid revocation reason' error, got: %v", err)
+	}
+}
+
+func TestBulkRevoke_EmptyReason_Error(t *testing.T) {
+	svc, _, _, _ := newBulkRevocationTestService()
+
+	criteria := domain.BulkRevocationCriteria{
+		CertificateIDs: []string{"mc-1"},
+	}
+
+	_, err := svc.BulkRevoke(context.Background(), criteria, "", "admin")
+	if err == nil {
+		t.Fatal("expected error for empty reason")
+	}
+	if !strings.Contains(err.Error(), "revocation reason is required") {
+		t.Errorf("expected 'revocation reason is required' error, got: %v", err)
+	}
+}
+
+func TestBulkRevoke_SkipsRevokedAndArchived(t *testing.T) {
+	svc, certRepo, _, _ := newBulkRevocationTestService()
+
+	addTestCert(certRepo, "mc-active", "Active", "iss-local")
+	addTestCert(certRepo, "mc-revoked", "Revoked", "iss-local")
+	addTestCert(certRepo, "mc-archived", "Archived", "iss-local")
+
+	criteria := domain.BulkRevocationCriteria{
+		CertificateIDs: []string{"mc-active", "mc-revoked", "mc-archived"},
+	}
+
+	result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
+	if err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+
+	if result.TotalMatched != 3 {
+		t.Errorf("expected TotalMatched=3, got %d", result.TotalMatched)
+	}
+	if result.TotalRevoked != 1 {
+		t.Errorf("expected TotalRevoked=1, got %d", result.TotalRevoked)
+	}
+	if result.TotalSkipped != 2 {
+		t.Errorf("expected TotalSkipped=2, got %d", result.TotalSkipped)
+	}
+}
+
+func TestBulkRevoke_PartialFailure(t *testing.T) {
+	svc, certRepo, _, _ := newBulkRevocationTestService()
+
+	// mc-1 is active with version — will succeed
+	addTestCert(certRepo, "mc-1", "Active", "iss-local")
+	// mc-2 is active but has NO version — RevokeCertificateWithActor will fail on GetLatestVersion
+	cert2 := &domain.ManagedCertificate{
+		ID:        "mc-2",
+		CommonName: "mc-2.example.com",
+		Status:    domain.CertificateStatusActive,
+		IssuerID:  "iss-local",
+		ExpiresAt: time.Now().AddDate(0, 6, 0),
+	}
+	certRepo.AddCert(cert2)
+	// Don't add versions for mc-2 so GetLatestVersion returns errNotFound
+
+	criteria := domain.BulkRevocationCriteria{
+		CertificateIDs: []string{"mc-1", "mc-2"},
+	}
+
+	result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
+	if err != nil {
+		t.Fatalf("expected no error (partial failure is ok), got: %v", err)
+	}
+
+	if result.TotalMatched != 2 {
+		t.Errorf("expected TotalMatched=2, got %d", result.TotalMatched)
+	}
+	if result.TotalRevoked != 1 {
+		t.Errorf("expected TotalRevoked=1, got %d", result.TotalRevoked)
+	}
+	if result.TotalFailed != 1 {
+		t.Errorf("expected TotalFailed=1, got %d", result.TotalFailed)
+	}
+	if len(result.Errors) != 1 {
+		t.Fatalf("expected 1 error entry, got %d", len(result.Errors))
+	}
+	if result.Errors[0].CertificateID != "mc-2" {
+		t.Errorf("expected error for mc-2, got %s", result.Errors[0].CertificateID)
+	}
+}
+
+func TestBulkRevoke_AuditEvent(t *testing.T) {
+	svc, certRepo, _, auditRepo := newBulkRevocationTestService()
+
+	addTestCert(certRepo, "mc-1", "Active", "iss-local")
+
+	criteria := domain.BulkRevocationCriteria{
+		CertificateIDs: []string{"mc-1"},
+	}
+
+	_, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
+	if err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+
+	// Find the bulk_revocation_initiated audit event
+	var found bool
+	for _, event := range auditRepo.Events {
+		if event.Action == "bulk_revocation_initiated" {
+			found = true
+			if event.Actor != "admin" {
+				t.Errorf("expected actor 'admin', got '%s'", event.Actor)
+			}
+			if event.ResourceType != "certificate" {
+				t.Errorf("expected resource type 'certificate', got '%s'", event.ResourceType)
+			}
+			break
+		}
+	}
+	if !found {
+		t.Error("expected bulk_revocation_initiated audit event")
+	}
+}
+
+func TestBulkRevoke_NoMatches(t *testing.T) {
+	svc, _, _, _ := newBulkRevocationTestService()
+
+	// IDs that don't exist in the repo
+	criteria := domain.BulkRevocationCriteria{
+		CertificateIDs: []string{"mc-nonexistent-1", "mc-nonexistent-2"},
+	}
+
+	result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
+	if err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+
+	if result.TotalMatched != 0 {
+		t.Errorf("expected TotalMatched=0, got %d", result.TotalMatched)
+	}
+	if result.TotalRevoked != 0 {
+		t.Errorf("expected TotalRevoked=0, got %d", result.TotalRevoked)
+	}
+}
+
+func TestBulkRevoke_ListError(t *testing.T) {
+	svc, certRepo, _, _ := newBulkRevocationTestService()
+	certRepo.ListErr = errors.New("database connection failed")
+
+	criteria := domain.BulkRevocationCriteria{
+		ProfileID: "prof-tls",
+	}
+
+	_, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
+	if err == nil {
+		t.Fatal("expected error from list failure")
+	}
+	if !strings.Contains(err.Error(), "failed to resolve certificates") {
+		t.Errorf("expected 'failed to resolve certificates' error, got: %v", err)
+	}
+}