feat: M15a — certificate revocation API, CRL endpoint, and revocation notifications

Implements core revocation infrastructure: POST /api/v1/certificates/{id}/revoke
with all 8 RFC 5280 reason codes, JSON-formatted CRL at GET /api/v1/crl, webhook
and email revocation notifications, best-effort issuer notification, and immutable
revocation audit trail. Includes 48 new tests across service, handler, integration,
and domain layers (600+ total). Fixes 3 pre-existing test bugs (team_test error
matching, agent_group delete status code, team handler per_page validation).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/domain/certificate.go

@@ -22,6 +22,8 @@ type ManagedCertificate struct {
 	Tags                 map[string]string `json:"tags"`
 	LastRenewalAt        *time.Time        `json:"last_renewal_at,omitempty"`
 	LastDeploymentAt     *time.Time        `json:"last_deployment_at,omitempty"`
+	RevokedAt            *time.Time        `json:"revoked_at,omitempty"`
+	RevocationReason     string            `json:"revocation_reason,omitempty"`
 	CreatedAt            time.Time         `json:"created_at"`
 	UpdatedAt            time.Time         `json:"updated_at"`
 }

internal/domain/notification.go

@@ -28,6 +28,7 @@ const (
 	NotificationTypeDeploymentSuccess NotificationType = "DeploymentSuccess"
 	NotificationTypeDeploymentFailure NotificationType = "DeploymentFailure"
 	NotificationTypePolicyViolation   NotificationType = "PolicyViolation"
+	NotificationTypeRevocation        NotificationType = "Revocation"
 )
 
 // NotificationChannel represents the communication medium for a notification.

internal/domain/revocation.go

@@ -0,0 +1,58 @@
+package domain
+
+import "time"
+
+// RevocationReason represents the reason for revoking a certificate.
+// Values align with RFC 5280 Section 5.3.1 CRL reason codes.
+type RevocationReason string
+
+const (
+	RevocationReasonUnspecified          RevocationReason = "unspecified"
+	RevocationReasonKeyCompromise        RevocationReason = "keyCompromise"
+	RevocationReasonCACompromise         RevocationReason = "caCompromise"
+	RevocationReasonAffiliationChanged   RevocationReason = "affiliationChanged"
+	RevocationReasonSuperseded           RevocationReason = "superseded"
+	RevocationReasonCessationOfOperation RevocationReason = "cessationOfOperation"
+	RevocationReasonCertificateHold      RevocationReason = "certificateHold"
+	RevocationReasonPrivilegeWithdrawn   RevocationReason = "privilegeWithdrawn"
+)
+
+// ValidRevocationReasons contains all valid revocation reason strings.
+var ValidRevocationReasons = map[RevocationReason]int{
+	RevocationReasonUnspecified:          0,
+	RevocationReasonKeyCompromise:        1,
+	RevocationReasonCACompromise:         2,
+	RevocationReasonAffiliationChanged:   3,
+	RevocationReasonSuperseded:           4,
+	RevocationReasonCessationOfOperation: 5,
+	RevocationReasonCertificateHold:      6,
+	RevocationReasonPrivilegeWithdrawn:   9,
+}
+
+// IsValidRevocationReason checks whether a reason string is a valid RFC 5280 reason code.
+func IsValidRevocationReason(reason string) bool {
+	_, ok := ValidRevocationReasons[RevocationReason(reason)]
+	return ok
+}
+
+// CRLReasonCode returns the RFC 5280 integer reason code for a revocation reason.
+func CRLReasonCode(reason RevocationReason) int {
+	if code, ok := ValidRevocationReasons[reason]; ok {
+		return code
+	}
+	return 0 // unspecified
+}
+
+// CertificateRevocation records the revocation of a specific certificate version.
+// Used as the authoritative source for CRL generation.
+type CertificateRevocation struct {
+	ID             string    `json:"id"`
+	CertificateID  string    `json:"certificate_id"`
+	SerialNumber   string    `json:"serial_number"`
+	Reason         string    `json:"reason"`
+	RevokedBy      string    `json:"revoked_by"`
+	RevokedAt      time.Time `json:"revoked_at"`
+	IssuerID       string    `json:"issuer_id"`
+	IssuerNotified bool      `json:"issuer_notified"`
+	CreatedAt      time.Time `json:"created_at"`
+}

internal/domain/revocation_test.go

@@ -0,0 +1,57 @@
+package domain
+
+import "testing"
+
+func TestIsValidRevocationReason(t *testing.T) {
+	tests := []struct {
+		name   string
+		reason string
+		want   bool
+	}{
+		{"unspecified", "unspecified", true},
+		{"keyCompromise", "keyCompromise", true},
+		{"caCompromise", "caCompromise", true},
+		{"affiliationChanged", "affiliationChanged", true},
+		{"superseded", "superseded", true},
+		{"cessationOfOperation", "cessationOfOperation", true},
+		{"certificateHold", "certificateHold", true},
+		{"privilegeWithdrawn", "privilegeWithdrawn", true},
+		{"empty string", "", false},
+		{"random string", "notAValidReason", false},
+		{"partial match", "key", false},
+		{"case sensitive", "KeyCompromise", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := IsValidRevocationReason(tt.reason); got != tt.want {
+				t.Errorf("IsValidRevocationReason(%q) = %v, want %v", tt.reason, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestCRLReasonCode(t *testing.T) {
+	tests := []struct {
+		reason RevocationReason
+		want   int
+	}{
+		{RevocationReasonUnspecified, 0},
+		{RevocationReasonKeyCompromise, 1},
+		{RevocationReasonCACompromise, 2},
+		{RevocationReasonAffiliationChanged, 3},
+		{RevocationReasonSuperseded, 4},
+		{RevocationReasonCessationOfOperation, 5},
+		{RevocationReasonCertificateHold, 6},
+		{RevocationReasonPrivilegeWithdrawn, 9},
+		{RevocationReason("unknown"), 0}, // falls back to unspecified
+	}
+
+	for _, tt := range tests {
+		t.Run(string(tt.reason), func(t *testing.T) {
+			if got := CRLReasonCode(tt.reason); got != tt.want {
+				t.Errorf("CRLReasonCode(%q) = %d, want %d", tt.reason, got, tt.want)
+			}
+		})
+	}
+}