C-001 scope expansion: tighten parallel POST /api/v1/certificates call sites to six-field contract

Problem: a53a4b8 closed C-001 at the handler boundary by tightening the ValidateRequired contract on POST /api/v1/certificates to require six fields: name, common_name, renewal_policy_id, issuer_id, owner_id, team_id. (Correction re-derived from source: the handler ValidateRequired calls on owner_id/team_id/renewal_policy_id were actually installed in 3287e17 under M-002/M-003/M-006 auth unification — a53a4b8's commit message overstates scope.) Post-audit on 2026-04-18 found three parallel call sites still shipping three-to-four-field payloads that the newly strict handler would reject with HTTP 400: - GUI: OnboardingWizard CertificateStep (common_name + sans + issuer_id + environment only) - CLI: certctl-cli import (common_name + issuer_id + status only; no required-flag gating) - Tests: deploy/test/qa_test.go Part03 positive paths Scope: Bring every POST /api/v1/certificates caller to six-field parity. No handler changes — the contract is authoritative; the callers must conform. Implementation: GUI — OnboardingWizard CertificateStep expansion: web/src/pages/OnboardingWizard.tsx adds name/owner_id/team_id/ renewal_policy_id state. React Query hooks for getOwners/ getTeams/getPolicies use per_page: '500' to populate dropdowns without pagination-driven truncation. Payload ships all six required fields plus sans/certificate_profile_id/environment. nextDisabled gate enforces all six before the Continue button activates. CLI — ImportCertificates rewrite: internal/cli/client.go rewrites ImportCertificates with flag.NewFlagSet("import", flag.ContinueOnError). Required flags: --owner-id, --team-id, --renewal-policy-id, --issuer-id. Optional: --name-template (default {cn}, templated via strings.ReplaceAll against cert.Subject.CommonName), --environment (default imported). Missing required flags fail pre-HTTP with a clear error. Request map ships all six required fields plus sans/ environment/status/optional serial_number. cmd/cli/main.go — usage string updated to document the new required/optional flags. Tests — qa_test.go Part03 positive paths: deploy/test/qa_test.go Part03 Create_Minimal and Create_Full updated to include all six fields. Uses seed_demo.sql-supplied IDs (o-alice, t-platform, rp-standard) — docker-compose.demo.yml is the run context. C-001 explanatory comment added above Create_Minimal so future readers understand why the minimal payload is no longer minimal. MCP parity: Verified no-op. internal/mcp/types.go:28 CreateCertificateInput already declares all six fields; internal/mcp/tools.go:102 forwards the typed struct unchanged. Verification: Go CLI regression tests (internal/cli/client_test.go): * TestClient_ImportCertificates_MissingRequiredFlags — 5 subtests, one per missing required flag, confirms flag.ContinueOnError rejects with non-nil error before any HTTP call is attempted. * TestClient_ImportCertificates_MissingPositionalArgs — confirms the "usage: import <file>" error path when no PEM file is supplied after the flags. * TestClient_ImportCertificates_SixFieldPayload — uses httptest to decode the POST body and assert all six required fields plus sans/environment are present on the wire. Frontend regression test (web/src/api/client.test.ts): 'createCertificate accepts and transmits all six required fields' pins the wire shape for both GUI call sites (OnboardingWizard CertificateStep + CertificatesPage CreateCertificateModal). If either UI surface accidentally drops a field, this assertion fails in CI rather than surfacing as a 400 at runtime. Grep-based call-site sweep: Enumerated every POST /api/v1/certificates create caller. Four total: OnboardingWizard, CertificatesPage, MCP tools, CLI import. All four now ship six-field payloads. Claim path (internal/service/discovery.go) updates existing rows and does not POST. EST/SCEP handlers invoke internal certService.CreateVersion, not the public API. Negative-path tests (qa_test.go:1085/1267/1274/1288/1298) remain valid: they assert 400/non-500 on oversized/malformed/missing-CN/UTF-8/empty bodies, and these properties still hold under the stricter handler. Static gates: go build ./..., go vet ./..., go test ./internal/cli/..., and cd web && npm run test deferred to operator pre-push — the Go toolchain is not available in the session sandbox. Grep-based verification confirms the syntactic shape of every changed file. Residual: None. Every POST /api/v1/certificates call site now conforms to the six-field contract; the wire shape is pinned by both Go and TypeScript regression tests. Commit: TBD-SHA (audit doc + CLAUDE.md carry TBD-SHA placeholders to be amended after commit)
2026-06-07 15:01:32 +00:00 · 2026-04-19 00:25:10 +00:00
parent 0200c7f4a4
commit 91642e2860
6 changed files with 372 additions and 21 deletions
@@ -35,6 +35,8 @@ Commands:
  jobs cancel ID   Cancel a pending job
  import FILE      Bulk import certificates from PEM file(s)
                   Required: --owner-id, --team-id, --renewal-policy-id, --issuer-id
                   Optional: --name-template (default {cn}), --environment (default imported)
  status           Show server health + summary stats
  version          Show CLI version
@@ -435,10 +435,19 @@ func TestQA(t *testing.T) {
 	// ===================================================================
 	t.Run("Part03_CertCRUD", func(t *testing.T) {
 		t.Run("Create_Minimal", func(t *testing.T) {
 			// C-001 scope-expansion: the handler's ValidateRequired
 			// contract now gates common_name, owner_id, team_id,
 			// issuer_id, name, and renewal_policy_id. A 3-field
 			// payload would 400 regardless of the id hint, so the
 			// "minimal" variant carries every required field.
 			code, body := c.bodyStr(t, "POST", "/api/v1/certificates", `{
 				"id": "mc-qa-minimal",
 				"name": "qa-minimal",
 				"common_name": "qa-minimal.example.com",
-				"issuer_id": "iss-local"
+				"issuer_id": "iss-local",
 				"owner_id": "o-alice",
 				"team_id": "t-platform",
 				"renewal_policy_id": "rp-standard"
 			}`)
 			if code != 201 && code != 200 {
 				t.Fatalf("create cert: status %d, body: %s", code, body)
@@ -448,11 +457,14 @@ func TestQA(t *testing.T) {
 		t.Run("Create_Full", func(t *testing.T) {
 			code, body := c.bodyStr(t, "POST", "/api/v1/certificates", `{
 				"id": "mc-qa-full",
 				"name": "qa-full",
 				"common_name": "qa-full.example.com",
 				"sans": ["qa-full-alt.example.com"],
 				"issuer_id": "iss-local",
 				"environment": "staging",
-				"owner_id": "o-alice"
+				"owner_id": "o-alice",
 				"team_id": "t-platform",
 				"renewal_policy_id": "rp-standard"
 			}`)
 			if code != 201 && code != 200 {
 				t.Fatalf("create cert: status %d, body: %s", code, body)
@@ -12,6 +12,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
 	"text/tabwriter"
 	"time"
 )
@@ -430,7 +431,54 @@ func (c *Client) GetStatus() error {
 }
 // ImportCertificates bulk imports certificates from PEM files.
-func (c *Client) ImportCertificates(files []string) error {
+//
 // C-001 scope-expansion closure: the create-certificate handler's
 // six-field required contract (name, common_name, renewal_policy_id,
 // issuer_id, owner_id, team_id) is enforced server-side via
 // ValidateRequired. The bulk importer must therefore be told which
 // owner / team / renewal-policy / issuer to assign to every imported
 // cert — otherwise every POST comes back 400. All four IDs are
 // required flags; missing flags error out with a user-legible message
 // before any files are read.
 func (c *Client) ImportCertificates(args []string) error {
 	fs := flag.NewFlagSet("import", flag.ContinueOnError)
 	ownerID := fs.String("owner-id", "", "Owner ID to assign to each imported certificate (required)")
 	teamID := fs.String("team-id", "", "Team ID to assign to each imported certificate (required)")
 	renewalPolicyID := fs.String("renewal-policy-id", "", "Renewal policy ID to assign to each imported certificate (required)")
 	issuerID := fs.String("issuer-id", "", "Issuer ID to assign to each imported certificate (required)")
 	nameTemplate := fs.String("name-template", "{cn}", "Template for the certificate name; {cn} is substituted with the cert's common name")
 	environment := fs.String("environment", "imported", "Environment tag for each imported certificate")
 	if err := fs.Parse(args); err != nil {
 		return err
 	}
 	// Validate required flags up front — a clear error here beats six
 	// parallel 400s from the server.
 	missing := []string{}
 	if *ownerID == "" {
 		missing = append(missing, "--owner-id")
 	}
 	if *teamID == "" {
 		missing = append(missing, "--team-id")
 	}
 	if *renewalPolicyID == "" {
 		missing = append(missing, "--renewal-policy-id")
 	}
 	if *issuerID == "" {
 		missing = append(missing, "--issuer-id")
 	}
 	if len(missing) > 0 {
 		return fmt.Errorf("missing required flag(s): %s", strings.Join(missing, ", "))
 	}
 	if *nameTemplate == "" {
 		return fmt.Errorf("--name-template must be non-empty")
 	}
 	files := fs.Args()
 	if len(files) == 0 {
 		return fmt.Errorf("at least one PEM file path is required")
 	}
 	var imported, failed int
 	for _, filePath := range files {
@@ -452,12 +500,18 @@ func (c *Client) ImportCertificates(files []string) error {
 			total := len(certs)
 			fmt.Printf("Importing %d/%d certificates from %s...\r", i+1, total, filepath.Base(filePath))
 			name := strings.ReplaceAll(*nameTemplate, "{cn}", cert.Subject.CommonName)
 			req := map[string]interface{}{
-				"common_name": cert.Subject.CommonName,
+				"name":              name,
-				"sans":        cert.DNSNames,
+				"common_name":       cert.Subject.CommonName,
-				"issuer_id":   "iss-local",
+				"sans":              cert.DNSNames,
-				"environment": "imported",
+				"issuer_id":         *issuerID,
-				"status":      "Active",
+				"owner_id":          *ownerID,
 				"team_id":           *teamID,
 				"renewal_policy_id": *renewalPolicyID,
 				"environment":       *environment,
 				"status":            "Active",
 			}
 			if cert.SerialNumber != nil {
@@ -387,6 +387,178 @@ func TestClient_AuthHeader(t *testing.T) {
 	}
 }
 // TestClient_ImportCertificates_MissingRequiredFlags verifies the CLI
 // import command rejects invocations missing any of the four required
 // flags (--owner-id, --team-id, --renewal-policy-id, --issuer-id)
 // before any network call is attempted. This is the C-001 scope-expansion
 // closure for the CLI layer: the handler now requires all six cert
 // fields, so the importer must collect ownership / team / policy /
 // issuer up front rather than hard-coding iss-local and letting the
 // server 400 on every POST.
 func TestClient_ImportCertificates_MissingRequiredFlags(t *testing.T) {
 	var requestCount int
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		requestCount++
 		w.WriteHeader(http.StatusOK)
 	}))
 	defer server.Close()
 	cases := []struct {
 		name    string
 		args    []string
 		missing string
 	}{
 		{
 			name:    "missing owner-id",
 			args:    []string{"--team-id", "t-platform", "--renewal-policy-id", "rp-default", "--issuer-id", "iss-local", "certs.pem"},
 			missing: "--owner-id",
 		},
 		{
 			name:    "missing team-id",
 			args:    []string{"--owner-id", "o-alice", "--renewal-policy-id", "rp-default", "--issuer-id", "iss-local", "certs.pem"},
 			missing: "--team-id",
 		},
 		{
 			name:    "missing renewal-policy-id",
 			args:    []string{"--owner-id", "o-alice", "--team-id", "t-platform", "--issuer-id", "iss-local", "certs.pem"},
 			missing: "--renewal-policy-id",
 		},
 		{
 			name:    "missing issuer-id",
 			args:    []string{"--owner-id", "o-alice", "--team-id", "t-platform", "--renewal-policy-id", "rp-default", "certs.pem"},
 			missing: "--issuer-id",
 		},
 		{
 			name:    "no flags at all",
 			args:    []string{"certs.pem"},
 			missing: "--owner-id",
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			client := NewClient(server.URL, "", "table")
 			err := client.ImportCertificates(tc.args)
 			if err == nil {
 				t.Fatalf("expected error for %s, got nil", tc.name)
 			}
 			msg := err.Error()
 			if !containsStr(msg, tc.missing) {
 				t.Fatalf("expected error to name %q, got: %v", tc.missing, err)
 			}
 			if !containsStr(msg, "required") {
 				t.Fatalf("expected error message to mention 'required', got: %v", err)
 			}
 		})
 	}
 	if requestCount != 0 {
 		t.Fatalf("expected zero HTTP requests before flag validation, got %d", requestCount)
 	}
 }
 // TestClient_ImportCertificates_MissingPositionalArgs verifies the
 // import command errors out when flags are present but no PEM file
 // paths follow them.
 func TestClient_ImportCertificates_MissingPositionalArgs(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		t.Errorf("unexpected HTTP request: %s %s", r.Method, r.URL.Path)
 	}))
 	defer server.Close()
 	client := NewClient(server.URL, "", "table")
 	err := client.ImportCertificates([]string{
 		"--owner-id", "o-alice",
 		"--team-id", "t-platform",
 		"--renewal-policy-id", "rp-default",
 		"--issuer-id", "iss-local",
 	})
 	if err == nil {
 		t.Fatal("expected error when no PEM file paths are supplied")
 	}
 	if !containsStr(err.Error(), "PEM file") {
 		t.Fatalf("expected error to mention 'PEM file', got: %v", err)
 	}
 }
 // TestClient_ImportCertificates_SixFieldPayload verifies the happy
 // path: given all four required flags plus a PEM file, the importer
 // POSTs a request containing all six required fields plus the
 // name-template–resolved name. The httptest handler decodes the
 // request body and asserts every required field is populated with
 // the values supplied via flags.
 func TestClient_ImportCertificates_SixFieldPayload(t *testing.T) {
 	// Generate a test cert and write it to a temp PEM file.
 	cert := generateTestCert()
 	pemBlock := &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
 	pemPath := filepath.Join(t.TempDir(), "test.pem")
 	if err := os.WriteFile(pemPath, pem.EncodeToMemory(pemBlock), 0o600); err != nil {
 		t.Fatalf("write temp PEM: %v", err)
 	}
 	var gotBody map[string]interface{}
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != "POST" || r.URL.Path != "/api/v1/certificates" {
 			w.WriteHeader(http.StatusNotFound)
 			return
 		}
 		if err := json.NewDecoder(r.Body).Decode(&gotBody); err != nil {
 			t.Errorf("decode request body: %v", err)
 		}
 		w.WriteHeader(http.StatusCreated)
 		w.Header().Set("Content-Type", "application/json")
 		_, _ = w.Write([]byte(`{"id":"mc-imported"}`))
 	}))
 	defer server.Close()
 	client := NewClient(server.URL, "", "table")
 	err := client.ImportCertificates([]string{
 		"--owner-id", "o-alice",
 		"--team-id", "t-platform",
 		"--renewal-policy-id", "rp-default",
 		"--issuer-id", "iss-local",
 		"--name-template", "imported-{cn}",
 		pemPath,
 	})
 	if err != nil {
 		t.Fatalf("ImportCertificates failed: %v", err)
 	}
 	// Verify every required field from the six-field contract is present.
 	required := []struct {
 		field string
 		want  interface{}
 	}{
 		{"name", "imported-test.example.com"},
 		{"common_name", "test.example.com"},
 		{"issuer_id", "iss-local"},
 		{"owner_id", "o-alice"},
 		{"team_id", "t-platform"},
 		{"renewal_policy_id", "rp-default"},
 	}
 	for _, r := range required {
 		got, ok := gotBody[r.field]
 		if !ok {
 			t.Errorf("payload missing required field %q (body: %+v)", r.field, gotBody)
 			continue
 		}
 		if got != r.want {
 			t.Errorf("field %q = %v, want %v", r.field, got, r.want)
 		}
 	}
 }
 // containsStr is a tiny substring helper so the test file doesn't
 // need a `strings` import dependency aside from what's already there.
 func containsStr(haystack, needle string) bool {
 	for i := 0; i+len(needle) <= len(haystack); i++ {
 		if haystack[i:i+len(needle)] == needle {
 			return true
 		}
 	}
 	return false
 }
 // Helper function to generate a test certificate
 func generateTestCert() *x509.Certificate {
 	now := time.Now()
@@ -288,6 +288,39 @@ describe('API Client', () => {
      expect(JSON.parse(init.body)).toEqual(certData);
    });
    // C-001 scope-expansion regression: the OnboardingWizard CertificateStep
    // and the CertificatesPage CreateCertificateModal must both ship the full
    // six-field required payload (name, common_name, renewal_policy_id,
    // issuer_id, owner_id, team_id) — the handler's ValidateRequired contract
    // rejects anything less with HTTP 400. This test pins the wire shape so
    // that accidentally dropping a field from either UI surface fails CI
    // rather than only surfacing as a 400 at runtime.
    it('createCertificate accepts and transmits all six required fields', async () => {
      const wizardPayload = {
        name: 'API Production Cert',
        common_name: 'api.example.com',
        sans: ['www.example.com'],
        issuer_id: 'iss-local',
        owner_id: 'o-alice',
        team_id: 't-platform',
        renewal_policy_id: 'rp-standard',
        environment: 'production',
      };
      mockFetch.mockReturnValueOnce(mockJsonResponse({ id: 'mc-new', ...wizardPayload }));
      await createCertificate(wizardPayload);
      const [url, init] = mockFetch.mock.calls[0];
      expect(url).toBe('/api/v1/certificates');
      expect(init.method).toBe('POST');
      const body = JSON.parse(init.body);
      // Assert every required field is present and intact
      expect(body.name).toBe('API Production Cert');
      expect(body.common_name).toBe('api.example.com');
      expect(body.issuer_id).toBe('iss-local');
      expect(body.owner_id).toBe('o-alice');
      expect(body.team_id).toBe('t-platform');
      expect(body.renewal_policy_id).toBe('rp-standard');
    });
    it('updateCertificate sends PUT', async () => {
      mockFetch.mockReturnValueOnce(mockJsonResponse({ id: 'mc-test', status: 'Active' }));
      await updateCertificate('mc-test', { status: 'Active' });
@@ -2,7 +2,7 @@ import { useState } from 'react';
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
 import { useNavigate, Link } from 'react-router-dom';
 import {
-  getIssuers, getAgents, getProfiles, getOwners,
+  getIssuers, getAgents, getProfiles, getOwners, getTeams, getPolicies,
  createIssuer, testIssuerConnection,
  createCertificate, triggerRenewal,
  getApiKey,
@@ -400,18 +400,28 @@ function CertificateStep({ onNext, onSkip, createdIssuerId }: {
  createdIssuerId: string | null;
 }) {
  const queryClient = useQueryClient();
  const [name, setName] = useState('');
  const [commonName, setCommonName] = useState('');
  const [sans, setSans] = useState('');
  const [issuerId, setIssuerId] = useState(createdIssuerId || '');
  const [profileId, setProfileId] = useState('');
  const [ownerId, setOwnerId] = useState('');
  const [teamId, setTeamId] = useState('');
  const [renewalPolicyId, setRenewalPolicyId] = useState('');
  const [error, setError] = useState('');
  const [created, setCreated] = useState(false);
  // C-001: the server requires name, common_name, issuer_id, owner_id,
  // team_id, and renewal_policy_id (handler in
  // internal/api/handler/certificates.go + ManagedCertificate.required in
  // api/openapi.yaml). The wizard must collect the same six fields so that
  // "Issue Certificate" doesn't 400 at the API boundary.
  const { data: issuers } = useQuery({ queryKey: ['issuers'], queryFn: () => getIssuers() });
  const { data: profiles } = useQuery({ queryKey: ['profiles'], queryFn: () => getProfiles() });
  const { data: agents } = useQuery({ queryKey: ['agents'], queryFn: () => getAgents() });
-  const { data: owners } = useQuery({ queryKey: ['owners'], queryFn: () => getOwners() });
+  const { data: owners } = useQuery({ queryKey: ['owners'], queryFn: () => getOwners({ per_page: '500' }) });
  const { data: teams } = useQuery({ queryKey: ['teams'], queryFn: () => getTeams({ per_page: '500' }) });
  const { data: policies } = useQuery({ queryKey: ['renewal-policies'], queryFn: () => getPolicies({ per_page: '500' }) });
  const hasAgents = (agents?.data?.length ?? 0) > 0;
@@ -419,11 +429,14 @@ function CertificateStep({ onNext, onSkip, createdIssuerId }: {
    mutationFn: async () => {
      const sanList = sans.split(',').map(s => s.trim()).filter(Boolean);
      const cert = await createCertificate({
        name,
        common_name: commonName,
        sans: sanList,
        issuer_id: issuerId,
        certificate_profile_id: profileId || undefined,
        owner_id: ownerId,
        team_id: teamId,
        renewal_policy_id: renewalPolicyId,
        environment: 'production',
      });
      // Trigger issuance
@@ -465,6 +478,19 @@ function CertificateStep({ onNext, onSkip, createdIssuerId }: {
      </p>
      <div className="space-y-5">
        <div>
          <label className="block text-sm font-medium text-ink mb-2">
            Name <span className="text-red-600">*</span>
          </label>
          <input
            type="text"
            value={name}
            onChange={e => setName(e.target.value)}
            placeholder="API Production Cert"
            className="w-full px-3 py-2 bg-surface border border-surface-border rounded text-ink placeholder-ink-faint focus:outline-none focus:border-brand-500 transition-colors"
          />
        </div>
        <div>
          <label className="block text-sm font-medium text-ink mb-2">
            Common Name <span className="text-red-600">*</span>
@@ -525,25 +551,69 @@ function CertificateStep({ onNext, onSkip, createdIssuerId }: {
          </div>
        </div>
        <div className="grid grid-cols-2 gap-4">
          <div>
            <label className="block text-sm font-medium text-ink mb-2">
              Owner <span className="text-red-600">*</span>
            </label>
            <select
              value={ownerId}
              onChange={e => setOwnerId(e.target.value)}
              className="w-full px-3 py-2 bg-surface border border-surface-border rounded text-ink focus:outline-none focus:border-brand-500 transition-colors"
            >
              <option value="">Select owner...</option>
              {owners?.data?.map(o => (
                <option key={o.id} value={o.id}>
                  {o.name}{o.email ? ` (${o.email})` : ''}
                </option>
              ))}
            </select>
            {(owners?.data?.length ?? 0) === 0 && (
              <p className="mt-1 text-xs text-ink-muted">
                No owners yet — create one from the <Link to="/owners" className="underline hover:text-ink">Owners page</Link> first, then return here.
              </p>
            )}
          </div>
          <div>
            <label className="block text-sm font-medium text-ink mb-2">
              Team <span className="text-red-600">*</span>
            </label>
            <select
              value={teamId}
              onChange={e => setTeamId(e.target.value)}
              className="w-full px-3 py-2 bg-surface border border-surface-border rounded text-ink focus:outline-none focus:border-brand-500 transition-colors"
            >
              <option value="">Select team...</option>
              {teams?.data?.map(t => (
                <option key={t.id} value={t.id}>{t.name}</option>
              ))}
            </select>
            {(teams?.data?.length ?? 0) === 0 && (
              <p className="mt-1 text-xs text-ink-muted">
                No teams yet — create one from the <Link to="/teams" className="underline hover:text-ink">Teams page</Link> first, then return here.
              </p>
            )}
          </div>
        </div>
        <div>
          <label className="block text-sm font-medium text-ink mb-2">
-            Owner <span className="text-red-600">*</span>
+            Renewal Policy <span className="text-red-600">*</span>
          </label>
          <select
-            value={ownerId}
+            value={renewalPolicyId}
-            onChange={e => setOwnerId(e.target.value)}
+            onChange={e => setRenewalPolicyId(e.target.value)}
            className="w-full px-3 py-2 bg-surface border border-surface-border rounded text-ink focus:outline-none focus:border-brand-500 transition-colors"
          >
-            <option value="">Select owner...</option>
+            <option value="">Select renewal policy...</option>
-            {owners?.data?.map(o => (
+            {policies?.data?.map(p => (
-              <option key={o.id} value={o.id}>
+              <option key={p.id} value={p.id}>{p.name}</option>
                {o.name}{o.email ? ` (${o.email})` : ''}
              </option>
            ))}
          </select>
-          {(owners?.data?.length ?? 0) === 0 && (
+          {(policies?.data?.length ?? 0) === 0 && (
            <p className="mt-1 text-xs text-ink-muted">
-              No owners yet — create one from the <Link to="/owners" className="underline hover:text-ink">Owners page</Link> first, then return here.
+              No renewal policies yet — create one from the <Link to="/policies" className="underline hover:text-ink">Policies page</Link> first, then return here.
            </p>
          )}
        </div>
@@ -573,7 +643,15 @@ function CertificateStep({ onNext, onSkip, createdIssuerId }: {
        onSkip={onSkip}
        onNext={() => createMutation.mutate()}
        nextLabel={createMutation.isPending ? 'Creating...' : 'Issue Certificate'}
-        nextDisabled={!commonName || !issuerId || !ownerId || createMutation.isPending}
+        nextDisabled={
          !name ||
          !commonName ||
          !issuerId ||
          !ownerId ||
          !teamId ||
          !renewalPolicyId ||
          createMutation.isPending
        }
      />
    </div>
  );