fix: resolve frontend-to-backend mapping gaps across API types, config fields, and issuer IDs

Full audit of all ~100 backend API endpoints against frontend client functions
and TypeScript interfaces. Fixes field name mismatches, missing client functions,
phantom interface fields, type coercion for Go bool/int config fields, and
issuer type ID alignment with backend domain constants.

Backend:
- issuer.go/target.go: GUI-created entities default enabled=true (Go bool
  zero value was overriding DB DEFAULT)

Frontend types (types.ts):
- Certificate: fingerprint→fingerprint_sha256, phantom fields made optional
- CertificateVersion: fingerprint→fingerprint_sha256, chain_pem→pem_chain,
  removed phantom version/cert_pem fields
- Job: error_message→last_error (matches Go json tag)

Frontend client (client.ts):
- Added getNotification(id) and getAuditEvent(id) for existing backend routes

Frontend pages:
- CertificateDetailPage: derives serial/fingerprint/issuedAt from latest
  CertificateVersion instead of empty Certificate fields
- JobsPage/JobDetailPage: error_message→last_error
- TargetsPage: reload_cmd→reload_command, validate_cmd→validate_command,
  added missing config fields per backend structs (validate_command for
  NGINX/Apache, hostname/winrm_timeout for IIS, private_key/passphrase/
  cert_mode/key_mode for SSH, winrm_https/winrm_insecure for WinCertStore,
  create_keystore for JavaKeystore, mode for Dovecot), type coercion via
  buildConfigPayload() with BOOL_FIELDS/INT_FIELDS sets, IIS WinRM nesting
- TargetDetailPage: added passphrase to sensitiveKeys redaction
- issuerTypes.ts: type IDs aligned to backend constants (acme→ACME,
  local→GenericCA, stepca→StepCA, openssl→OpenSSL), backward compat aliases
  preserved, step-ca config fields updated to match backend struct

Utilities (utils.ts):
- formatDate/formatDateTime accept string|undefined|null

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/src/config/issuerTypes.ts

@@ -29,19 +29,23 @@ export interface IssuerTypeConfig {
 }
 
 /**
- * Canonical type label map. Keys match what the backend API returns.
- * DB stores: local, acme, stepca, openssl, VaultPKI, DigiCert
+ * Canonical type label map. Keys MUST match backend IssuerType constants
+ * defined in internal/domain/connector.go (e.g., "ACME", "GenericCA", "StepCA").
  */
 export const typeLabels: Record<string, string> = {
-  local: 'Local CA',
+  GenericCA: 'Local CA',
+  local: 'Local CA',          // backward compat for old DB records
   local_ca: 'Local CA',       // backward compat (some frontend references)
-  acme: 'ACME',
-  stepca: 'step-ca',
-  openssl: 'OpenSSL/Custom',
+  ACME: 'ACME',
+  acme: 'ACME',               // backward compat for old DB records
+  StepCA: 'step-ca',
+  stepca: 'step-ca',          // backward compat for old DB records
+  OpenSSL: 'OpenSSL/Custom',
+  openssl: 'OpenSSL/Custom',  // backward compat for old DB records
   VaultPKI: 'Vault PKI',
   DigiCert: 'DigiCert',
   Sectigo: 'Sectigo SCM',
-  manual: 'Manual',
+  GoogleCAS: 'Google CAS',
 };
 
 /**
@@ -50,7 +54,7 @@ export const typeLabels: Record<string, string> = {
  */
 export const issuerTypes: IssuerTypeConfig[] = [
   {
-    id: 'acme',
+    id: 'ACME',
     name: 'ACME',
     description: "Let's Encrypt, ZeroSSL, or any ACME-compatible CA",
     icon: '\uD83D\uDD12',
@@ -64,7 +68,7 @@ export const issuerTypes: IssuerTypeConfig[] = [
     ],
   },
   {
-    id: 'local',
+    id: 'GenericCA',
     name: 'Local CA',
     description: 'Self-signed or subordinate CA for internal certificates',
     icon: '\uD83C\uDFE0',
@@ -74,14 +78,15 @@ export const issuerTypes: IssuerTypeConfig[] = [
     ],
   },
   {
-    id: 'stepca',
+    id: 'StepCA',
     name: 'step-ca',
     description: 'Smallstep private CA with JWK provisioner auth',
     icon: '\uD83D\uDC63',
     configFields: [
       { key: 'ca_url', label: 'CA URL', placeholder: 'https://ca.example.com', required: true },
       { key: 'provisioner_name', label: 'Provisioner Name', placeholder: 'my-provisioner', required: true },
-      { key: 'provisioner_key', label: 'Provisioner Key (JWK)', placeholder: '{...}', type: 'textarea', required: true, sensitive: true },
+      { key: 'provisioner_key_path', label: 'Provisioner Key Path', placeholder: '/path/to/provisioner.key', required: false, sensitive: true },
+      { key: 'provisioner_password', label: 'Provisioner Password', placeholder: 'Password for encrypted key', required: false, type: 'password', sensitive: true },
     ],
   },
   {
@@ -110,7 +115,7 @@ export const issuerTypes: IssuerTypeConfig[] = [
     ],
   },
   {
-    id: 'openssl',
+    id: 'OpenSSL',
     name: 'OpenSSL/Custom',
     description: 'Script-based signing with your own CA',
     icon: '\uD83D\uDD27',
@@ -188,7 +193,10 @@ export function getIssuerCatalogStatus(
     }
     // Match both the canonical id and common aliases
     const aliases: Record<string, string[]> = {
-      local: ['local', 'local_ca'],
+      GenericCA: ['GenericCA', 'local', 'local_ca'],
+      ACME: ['ACME', 'acme'],
+      StepCA: ['StepCA', 'stepca'],
+      OpenSSL: ['OpenSSL', 'openssl'],
     };
     const matchIds = aliases[t.id] || [t.id];
     const matching = configuredIssuers.filter(i => matchIds.includes(i.type));