EST RFC 7030 hardening master bundle Phases 10-11: libest sidecar e2e

+ Cisco IOS quirk fixtures + ManagedCertificate.Source provenance +
EST bulk-revoke endpoint + 13 typed audit action codes.

Phase 10.1 — libest reference-client sidecar:
- deploy/test/libest/Dockerfile: multi-stage Debian-bookworm-slim
  build of Cisco's libest v3.2.0-2 from source (autoconf/automake/
  libtool + libcurl4-openssl-dev + libssl-dev). Runtime stage
  carries only estclient + bash + openssl + ca-certificates so the
  exec surface stays small + predictable.
- docker-compose.test.yml libest-client entry (profiles: [est-e2e])
  with bind mounts for /config/est (test workspace) + /config/certs
  (certctl CA bundle for TLS pinning); IP 10.30.50.9 (10.30.50.8
  was already taken by certctl-agent).
- deploy/test/est/.gitkeep keeps the bind-mount target tracked.

Phase 10.2 — 5 integration tests (//go:build integration) in
deploy/test/est_e2e_test.go:
- TestEST_LibESTClient_Enrollment_Integration (cacerts → simpleenroll
  → cert-shape assertion)
- TestEST_LibESTClient_MTLSEnrollment_Integration (mTLS sibling-route
  cert auth; skip when bootstrap cert absent)
- TestEST_LibESTClient_ServerKeygen_Integration (RFC 7030 §4.4
  multipart; skip when profile gate disabled)
- TestEST_LibESTClient_RateLimited_Integration (4th enroll trips
  per-principal cap, asserts 429-shaped error)
- TestEST_LibESTClient_ChannelBinding_Integration (libest
  --tls-exporter; skip when libest build lacks the flag).
- requireESTSidecar guard skips the suite when the operator forgot
  --profile est-e2e; helpful error message includes the exact
  command to bring the sidecar up.

Phase 10.3 — Cisco IOS quirk fixtures + 3 unit tests in
internal/api/handler/cisco_ios_quirks_test.go:
- testdata/cisco_ios_15x_pem_csr.txt: PEM body sent with
  Content-Type application/x-pem-file. Handler dispatches on
  body-prefix not Content-Type — accepts cleanly.
- testdata/cisco_ios_16x_trailing_newline_csr.txt: extra trailing
  newlines after base64 body. strings.TrimSpace tolerates.
- testdata/cisco_ios_crlf_b64_csr.txt: CRLF-wrapped base64.
  base64.StdEncoding handles CRLF + LF identically.

Phase 11.1 — ManagedCertificate.Source provenance:
- New domain.CertificateSource enum (Unspecified/EST/SCEP/API/Agent).
- Migration 000023_managed_certificates_source.up.sql adds source
  TEXT NOT NULL DEFAULT '' so existing rows scan as
  CertificateSourceUnspecified — back-compat: bulk-revoke filter
  treats empty as "any source".
- Postgres repo Insert/Update/scan paths all wire the new column.

Phase 11.2 — EST bulk-revoke endpoint:
- BulkRevocationCriteria.Source field (Source-only requests rejected
  as too broad — must accompany at least one narrower criterion).
- service.bulk_revocation.resolveCertificates post-filter by Source
  (empty=any, no SQL change so existing CertificateFilter callers
  unaffected).
- New BulkRevocationHandler.BulkRevokeEST method pins Source=EST +
  dispatches; new route POST /api/v1/est/certificates/bulk-revoke
  (M-008 admin-gated). openapi.yaml documented + parity-guard green.

Phase 11.3 — 13 typed audit action codes in
internal/service/est_audit_actions.go:
- est_simple_enroll_success / _failed
- est_simple_reenroll_success / _failed
- est_server_keygen_success / _failed
- est_auth_failed_basic / _mtls / _channel_binding
- est_rate_limited
- est_csr_policy_violation
- est_bulk_revoke
- est_trust_anchor_reloaded
- ESTService.processEnrollment + SimpleServerKeygen + ReloadTrust
  split-emit BOTH the legacy bare action codes (back-compat for the
  GUI activity-tab chip filters that match by exact string +
  existing audit-log analysers) AND the new typed _success / _failed
  variants (operator grep target + per-failure-mode counter).

Tests:
- internal/api/handler/bulk_revocation_est_test.go — 5 cases
  (admin-true happy path pins Source=EST + non-admin 403 +
  empty-criteria 400 + invalid-reason 400 + method-not-allowed).
- internal/service/est_audit_actions_test.go — 5 cases (SimpleEnroll
  legacy+typed emission / SimpleReEnroll typed / IssuerError
  typed-failed / PolicyViolation triple-emit /
  unique-string invariant).

Pre-commit verification (sandbox): gofmt clean, go vet clean
(excluding repository/postgres testcontainers limit), staticcheck
clean across api/handler/api/router/domain/service/deploy/test,
go test -short -count=1 green for every non-postgres Go package +
integration build (`go build -tags integration ./deploy/test/...`)
clean. G-3 docs-drift guard reproduced locally clean (Phases 10-11
added zero new env vars).

Spec preserved at cowork/est-rfc7030-hardening-prompt.md. Phases
12-13 (docs/est.md + WiFi/802.1X / IoT bootstrap / FreeRADIUS
recipes; release prep + tag) remain — post-2.1.0 work.

internal/domain/certificate.go

@@ -26,8 +26,41 @@ type ManagedCertificate struct {
 	RevocationReason     string            `json:"revocation_reason,omitempty"`
 	CreatedAt            time.Time         `json:"created_at"`
 	UpdatedAt            time.Time         `json:"updated_at"`
+
+	// Source tags how this managed certificate was created. EST RFC 7030
+	// hardening master bundle Phase 11.1 — operators bulk-revoke
+	// EST-issued certs by filtering on Source=EST. Empty value preserves
+	// the v2.X.0 behavior (the bulk-revoke handler treats empty as
+	// equivalent to legacy/manual; new EST issuances stamp Source=EST,
+	// new SCEP issuances will eventually stamp Source=SCEP under a
+	// future bundle).
+	Source CertificateSource `json:"source,omitempty"`
 }
 
+// CertificateSource is the enum of provenance values stamped on each
+// managed-certificate row when it's created. The empty string is the
+// back-compat default — pre-Phase-11 rows have it set to "" by the
+// migration's DEFAULT clause; the bulk-revoke filter treats empty as
+// "any source" so existing call paths see no behavior change.
+//
+// EST RFC 7030 hardening master bundle Phase 11.1.
+type CertificateSource string
+
+const (
+	// CertificateSourceUnspecified preserves the v2.X.0 default ("").
+	CertificateSourceUnspecified CertificateSource = ""
+	// CertificateSourceEST stamps every cert issued through one of the
+	// EST endpoints (simpleenroll / simplereenroll / serverkeygen).
+	CertificateSourceEST CertificateSource = "EST"
+	// CertificateSourceSCEP / API / Agent reserve future provenance
+	// values — not stamped today; SCEP-issued certs continue to land
+	// with Source="" until a follow-up bundle wires the stamp at the
+	// SCEP service layer.
+	CertificateSourceSCEP  CertificateSource = "SCEP"
+	CertificateSourceAPI   CertificateSource = "API"
+	CertificateSourceAgent CertificateSource = "Agent"
+)
+
 // CertificateVersion represents a specific version of a certificate.
 type CertificateVersion struct {
 	ID                string    `json:"id"`

internal/domain/revocation.go

@@ -52,9 +52,20 @@ type BulkRevocationCriteria struct {
 	IssuerID       string   `json:"issuer_id,omitempty"`
 	TeamID         string   `json:"team_id,omitempty"`
 	CertificateIDs []string `json:"certificate_ids,omitempty"`
+	// Source filters by ManagedCertificate.Source provenance value.
+	// Empty matches any source (back-compat with v2.X.0 callers); the
+	// EST bulk-revoke endpoint pins this to CertificateSourceEST so an
+	// operator hitting POST /api/v1/est/certificates/bulk-revoke only
+	// affects EST-issued certs, never SCEP/API/Agent-provisioned ones.
+	//
+	// EST RFC 7030 hardening master bundle Phase 11.2.
+	Source CertificateSource `json:"source,omitempty"`
 }
 
-// IsEmpty returns true if no filter criteria are set.
+// IsEmpty returns true if no filter criteria are set. Source alone does
+// NOT count as a criterion — a Source=EST request without any narrower
+// criterion (profile_id, owner_id, etc.) is rejected as too broad,
+// because it would revoke EVERY EST-issued cert in the deployment.
 func (c BulkRevocationCriteria) IsEmpty() bool {
 	return c.ProfileID == "" && c.OwnerID == "" && c.AgentID == "" &&
 		c.IssuerID == "" && c.TeamID == "" && len(c.CertificateIDs) == 0
@@ -62,11 +73,11 @@ func (c BulkRevocationCriteria) IsEmpty() bool {
 
 // BulkRevocationResult contains the outcome of a bulk revocation operation.
 type BulkRevocationResult struct {
-	TotalMatched int                    `json:"total_matched"`
-	TotalRevoked int                    `json:"total_revoked"`
-	TotalSkipped int                    `json:"total_skipped"`
-	TotalFailed  int                    `json:"total_failed"`
-	Errors       []BulkRevocationError  `json:"errors,omitempty"`
+	TotalMatched int                   `json:"total_matched"`
+	TotalRevoked int                   `json:"total_revoked"`
+	TotalSkipped int                   `json:"total_skipped"`
+	TotalFailed  int                   `json:"total_failed"`
+	Errors       []BulkRevocationError `json:"errors,omitempty"`
 }
 
 // BulkRevocationError records a per-certificate revocation failure.