Fix runtime bugs, implement service layer, and overhaul documentation

Runtime fixes:
- Fix env var mismatch (CERTCTL_DB_URL → CERTCTL_DATABASE_URL)
- Fix table name mismatches (certificates → managed_certificates, notifications → notification_events)
- Add renewal_policy_id to certificate queries
- Remove non-existent created_at from notification queries
- Add env var fallback for agent CLI flags
- Graceful degradation for missing notifiers/issuers in demo mode
- Copy web/ directory in Dockerfile for dashboard serving

Service layer:
- Implement handler-service interface pattern across all services
- Wire up certificate, agent, job, policy, team, owner, audit, notification services

Documentation:
- Add concepts.md: beginner-friendly guide to TLS, CAs, private keys
- Rewrite quickstart.md with accurate API examples matching actual handlers
- Add demo-advanced.md: interactive demo with cert issuance and automated script
- Update architecture.md with correct table names and connector interfaces
- Update connectors.md to match actual Go interface signatures
- Update demo-guide.md with cross-references to new docs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/repository/postgres/certificate.go

@@ -75,7 +75,7 @@ func (r *CertificateRepository) List(ctx context.Context, filter *repository.Cer
 	}
 
 	// Get total count
-	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM certificates %s", whereClause)
+	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM managed_certificates %s", whereClause)
 	var total int
 	if err := r.db.QueryRowContext(ctx, countQuery, args...).Scan(&total); err != nil {
 		return nil, 0, fmt.Errorf("failed to count certificates: %w", err)
@@ -84,9 +84,9 @@ func (r *CertificateRepository) List(ctx context.Context, filter *repository.Cer
 	// Get paginated results
 	offset := (filter.Page - 1) * filter.PerPage
 	query := fmt.Sprintf(`
-		SELECT id, name, common_name, sans, environment, owner_id, team_id, issuer_id,
+		SELECT id, name, common_name, sans, environment, owner_id, team_id, issuer_id, renewal_policy_id,
 		       status, expires_at, tags, last_renewal_at, last_deployment_at, created_at, updated_at
-		FROM certificates
+		FROM managed_certificates
 		%s
 		ORDER BY created_at DESC
 		LIMIT $%d OFFSET $%d
@@ -119,9 +119,9 @@ func (r *CertificateRepository) List(ctx context.Context, filter *repository.Cer
 // Get retrieves a certificate by ID
 func (r *CertificateRepository) Get(ctx context.Context, id string) (*domain.ManagedCertificate, error) {
 	row := r.db.QueryRowContext(ctx, `
-		SELECT id, name, common_name, sans, environment, owner_id, team_id, issuer_id,
+		SELECT id, name, common_name, sans, environment, owner_id, team_id, issuer_id, renewal_policy_id,
 		       status, expires_at, tags, last_renewal_at, last_deployment_at, created_at, updated_at
-		FROM certificates
+		FROM managed_certificates
 		WHERE id = $1
 	`, id)
 
@@ -148,13 +148,13 @@ func (r *CertificateRepository) Create(ctx context.Context, cert *domain.Managed
 	}
 
 	err = r.db.QueryRowContext(ctx, `
-		INSERT INTO certificates (
-			id, name, common_name, sans, environment, owner_id, team_id, issuer_id,
+		INSERT INTO managed_certificates (
+			id, name, common_name, sans, environment, owner_id, team_id, issuer_id, renewal_policy_id,
 			status, expires_at, tags, last_renewal_at, last_deployment_at, created_at, updated_at
-		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15)
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16)
 		RETURNING id
 	`, cert.ID, cert.Name, cert.CommonName, pq.Array(cert.SANs), cert.Environment,
-		cert.OwnerID, cert.TeamID, cert.IssuerID, cert.Status, cert.ExpiresAt,
+		cert.OwnerID, cert.TeamID, cert.IssuerID, cert.RenewalPolicyID, cert.Status, cert.ExpiresAt,
 		tagsJSON, cert.LastRenewalAt, cert.LastDeploymentAt, cert.CreatedAt, cert.UpdatedAt).Scan(&cert.ID)
 
 	if err != nil {
@@ -172,7 +172,7 @@ func (r *CertificateRepository) Update(ctx context.Context, cert *domain.Managed
 	}
 
 	result, err := r.db.ExecContext(ctx, `
-		UPDATE certificates SET
+		UPDATE managed_certificates SET
 			name = $1,
 			common_name = $2,
 			sans = $3,
@@ -210,7 +210,7 @@ func (r *CertificateRepository) Update(ctx context.Context, cert *domain.Managed
 // Archive marks a certificate as archived
 func (r *CertificateRepository) Archive(ctx context.Context, id string) error {
 	result, err := r.db.ExecContext(ctx, `
-		UPDATE certificates SET status = $1, updated_at = $2 WHERE id = $3
+		UPDATE managed_certificates SET status = $1, updated_at = $2 WHERE id = $3
 	`, domain.CertificateStatusArchived, time.Now(), id)
 
 	if err != nil {
@@ -286,9 +286,9 @@ func (r *CertificateRepository) CreateVersion(ctx context.Context, version *doma
 // GetExpiringCertificates returns certificates expiring before the given time
 func (r *CertificateRepository) GetExpiringCertificates(ctx context.Context, before time.Time) ([]*domain.ManagedCertificate, error) {
 	rows, err := r.db.QueryContext(ctx, `
-		SELECT id, name, common_name, sans, environment, owner_id, team_id, issuer_id,
+		SELECT id, name, common_name, sans, environment, owner_id, team_id, issuer_id, renewal_policy_id,
 		       status, expires_at, tags, last_renewal_at, last_deployment_at, created_at, updated_at
-		FROM certificates
+		FROM managed_certificates
 		WHERE expires_at < $1 AND status != $2
 		ORDER BY expires_at ASC
 	`, before, domain.CertificateStatusArchived)
@@ -324,7 +324,7 @@ func scanCertificate(scanner interface {
 
 	err := scanner.Scan(
 		&cert.ID, &cert.Name, &cert.CommonName, &sans, &cert.Environment, &cert.OwnerID,
-		&cert.TeamID, &cert.IssuerID, &cert.Status, &cert.ExpiresAt, &tagsJSON,
+		&cert.TeamID, &cert.IssuerID, &cert.RenewalPolicyID, &cert.Status, &cert.ExpiresAt, &tagsJSON,
 		&cert.LastRenewalAt, &cert.LastDeploymentAt, &cert.CreatedAt, &cert.UpdatedAt)
 
 	if err != nil {

internal/repository/postgres/notification.go

@@ -29,12 +29,12 @@ func (r *NotificationRepository) Create(ctx context.Context, notif *domain.Notif
 	}
 
 	err := r.db.QueryRowContext(ctx, `
-		INSERT INTO notifications (
-			id, type, certificate_id, channel, recipient, message, sent_at, status, error, created_at
-		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
+		INSERT INTO notification_events (
+			id, type, certificate_id, channel, recipient, message, sent_at, status, error
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
 		RETURNING id
 	`, notif.ID, notif.Type, notif.CertificateID, notif.Channel, notif.Recipient,
-		notif.Message, notif.SentAt, notif.Status, notif.Error, notif.CreatedAt).Scan(&notif.ID)
+		notif.Message, notif.SentAt, notif.Status, notif.Error).Scan(&notif.ID)
 
 	if err != nil {
 		return fmt.Errorf("failed to create notification: %w", err)
@@ -84,7 +84,7 @@ func (r *NotificationRepository) List(ctx context.Context, filter *repository.No
 	}
 
 	// Get total count
-	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM notifications %s", whereClause)
+	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM notification_events %s", whereClause)
 	var total int
 	if err := r.db.QueryRowContext(ctx, countQuery, args...).Scan(&total); err != nil {
 		return nil, fmt.Errorf("failed to count notifications: %w", err)
@@ -93,10 +93,10 @@ func (r *NotificationRepository) List(ctx context.Context, filter *repository.No
 	// Get paginated results
 	offset := (filter.Page - 1) * filter.PerPage
 	query := fmt.Sprintf(`
-		SELECT id, type, certificate_id, channel, recipient, message, sent_at, status, error, created_at
-		FROM notifications
+		SELECT id, type, certificate_id, channel, recipient, message, sent_at, status, error
+		FROM notification_events
 		%s
-		ORDER BY created_at DESC
+		ORDER BY sent_at DESC NULLS LAST
 		LIMIT $%d OFFSET $%d
 	`, whereClause, argCount, argCount+1)
 
@@ -127,7 +127,7 @@ func (r *NotificationRepository) List(ctx context.Context, filter *repository.No
 // UpdateStatus updates a notification's delivery status
 func (r *NotificationRepository) UpdateStatus(ctx context.Context, id string, status string, sentAt time.Time) error {
 	result, err := r.db.ExecContext(ctx, `
-		UPDATE notifications SET status = $1, sent_at = $2 WHERE id = $3
+		UPDATE notification_events SET status = $1, sent_at = $2 WHERE id = $3
 	`, status, sentAt, id)
 
 	if err != nil {
@@ -152,7 +152,7 @@ func scanNotification(scanner interface {
 }) (*domain.NotificationEvent, error) {
 	var notif domain.NotificationEvent
 	err := scanner.Scan(&notif.ID, &notif.Type, &notif.CertificateID, &notif.Channel,
-		&notif.Recipient, &notif.Message, &notif.SentAt, &notif.Status, &notif.Error, &notif.CreatedAt)
+		&notif.Recipient, &notif.Message, &notif.SentAt, &notif.Status, &notif.Error)
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to scan notification: %w", err)

internal/service/agent.go

@@ -74,8 +74,8 @@ func (s *AgentService) Register(ctx context.Context, name string, hostname strin
 	return agent, apiKey, nil
 }
 
-// Heartbeat updates an agent's last seen time and status.
-func (s *AgentService) Heartbeat(ctx context.Context, agentID string) error {
+// HeartbeatWithContext updates an agent's last seen time and status.
+func (s *AgentService) HeartbeatWithContext(ctx context.Context, agentID string) error {
 	agent, err := s.agentRepo.Get(ctx, agentID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch agent: %w", err)
@@ -97,6 +97,11 @@ func (s *AgentService) Heartbeat(ctx context.Context, agentID string) error {
 	return nil
 }
 
+// Heartbeat updates agent heartbeat (handler interface method).
+func (s *AgentService) Heartbeat(agentID string) error {
+	return s.HeartbeatWithContext(context.Background(), agentID)
+}
+
 // SubmitCSR validates and processes a Certificate Signing Request from an agent.
 func (s *AgentService) SubmitCSR(ctx context.Context, agentID string, certID string, csrPEM []byte) error {
 	// Fetch agent
@@ -244,6 +249,81 @@ func (s *AgentService) GetAgentByAPIKey(ctx context.Context, apiKey string) (*do
 	return agent, nil
 }
 
+// ListAgents returns paginated agents (handler interface method).
+func (s *AgentService) ListAgents(page, perPage int) ([]domain.Agent, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	agents, err := s.agentRepo.List(context.Background())
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list agents: %w", err)
+	}
+
+	total := int64(len(agents))
+	start := (page - 1) * perPage
+	if start >= int(total) {
+		return nil, total, nil
+	}
+	end := start + perPage
+	if end > int(total) {
+		end = int(total)
+	}
+
+	var result []domain.Agent
+	for _, a := range agents[start:end] {
+		if a != nil {
+			result = append(result, *a)
+		}
+	}
+
+	return result, total, nil
+}
+
+// GetAgent returns a single agent (handler interface method).
+func (s *AgentService) GetAgent(id string) (*domain.Agent, error) {
+	return s.agentRepo.Get(context.Background(), id)
+}
+
+// RegisterAgent creates and registers a new agent (handler interface method).
+func (s *AgentService) RegisterAgent(agent domain.Agent) (*domain.Agent, error) {
+	agent.ID = generateID("agent")
+	apiKey := generateAPIKey()
+	agent.APIKeyHash = hashAPIKey(apiKey)
+	agent.Status = domain.AgentStatusOnline
+	now := time.Now()
+	agent.RegisteredAt = now
+	agent.LastHeartbeatAt = &now
+
+	if err := s.agentRepo.Create(context.Background(), &agent); err != nil {
+		return nil, fmt.Errorf("failed to register agent: %w", err)
+	}
+	return &agent, nil
+}
+
+// CSRSubmit processes a CSR submission from an agent (handler interface method).
+func (s *AgentService) CSRSubmit(agentID string, csrPEM string) (string, error) {
+	// For the handler interface, we accept the CSR as a string
+	err := s.SubmitCSR(context.Background(), agentID, "", []byte(csrPEM))
+	if err != nil {
+		return "", err
+	}
+	// Return the CSR as acknowledgment
+	return csrPEM, nil
+}
+
+// CertificatePickup retrieves a certificate for an agent (handler interface method).
+func (s *AgentService) CertificatePickup(agentID, certID string) (string, error) {
+	certPEM, err := s.GetCertificateForAgent(context.Background(), agentID, certID)
+	if err != nil {
+		return "", err
+	}
+	return string(certPEM), nil
+}
+
 // generateAPIKey creates a random API key for an agent.
 func generateAPIKey() string {
 	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

internal/service/audit.go

@@ -119,8 +119,8 @@ func (s *AuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent,
 	}
 
 	filter := &repository.AuditFilter{
-		Offset:  int64((page - 1) * perPage),
-		PerPage: int64(perPage),
+		Page:    page,
+		PerPage: perPage,
 	}
 
 	events, err := s.auditRepo.List(context.Background(), filter)
@@ -145,7 +145,8 @@ func (s *AuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent,
 // GetAuditEvent returns a single audit event (handler interface method).
 func (s *AuditService) GetAuditEvent(id string) (*domain.AuditEvent, error) {
 	filter := &repository.AuditFilter{
-		ID: id,
+		ResourceID: id,
+		PerPage:    1,
 	}
 
 	events, err := s.auditRepo.List(context.Background(), filter)

internal/service/certificate.go

@@ -154,8 +154,8 @@ func (s *CertificateService) GetVersions(ctx context.Context, certID string) ([]
 	return versions, nil
 }
 
-// TriggerRenewal initiates a renewal job if the certificate is eligible.
-func (s *CertificateService) TriggerRenewal(ctx context.Context, certID string, actor string) error {
+// TriggerRenewalWithActor initiates a renewal job if the certificate is eligible.
+func (s *CertificateService) TriggerRenewalWithActor(ctx context.Context, certID string, actor string) error {
 	cert, err := s.certRepo.Get(ctx, certID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch certificate: %w", err)
@@ -190,8 +190,8 @@ func (s *CertificateService) TriggerRenewal(ctx context.Context, certID string,
 	return nil
 }
 
-// TriggerDeployment creates deployment jobs for all targets of a certificate.
-func (s *CertificateService) TriggerDeployment(ctx context.Context, certID string, actor string) error {
+// TriggerDeploymentWithActor creates deployment jobs for all targets of a certificate.
+func (s *CertificateService) TriggerDeploymentWithActor(ctx context.Context, certID string, actor string) error {
 	cert, err := s.certRepo.Get(ctx, certID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch certificate: %w", err)
@@ -211,3 +211,110 @@ func (s *CertificateService) TriggerDeployment(ctx context.Context, certID strin
 
 	return nil
 }
+
+// ListCertificates returns paginated certificates with optional filtering (handler interface method).
+func (s *CertificateService) ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	// Build filter for repository
+	filter := &repository.CertificateFilter{
+		Status:      status,
+		Environment: environment,
+		OwnerID:     ownerID,
+		TeamID:      teamID,
+		IssuerID:    issuerID,
+		Page:        page,
+		PerPage:     perPage,
+	}
+
+	certs, total, err := s.certRepo.List(context.Background(), filter)
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list certificates: %w", err)
+	}
+
+	var result []domain.ManagedCertificate
+	for _, c := range certs {
+		if c != nil {
+			result = append(result, *c)
+		}
+	}
+
+	return result, int64(total), nil
+}
+
+// GetCertificate returns a single certificate (handler interface method).
+func (s *CertificateService) GetCertificate(id string) (*domain.ManagedCertificate, error) {
+	return s.certRepo.Get(context.Background(), id)
+}
+
+// CreateCertificate creates a new certificate (handler interface method).
+func (s *CertificateService) CreateCertificate(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+	cert.ID = generateID("cert")
+	if err := s.certRepo.Create(context.Background(), &cert); err != nil {
+		return nil, fmt.Errorf("failed to create certificate: %w", err)
+	}
+	return &cert, nil
+}
+
+// UpdateCertificate modifies a certificate (handler interface method).
+func (s *CertificateService) UpdateCertificate(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+	cert.ID = id
+	if err := s.certRepo.Update(context.Background(), &cert); err != nil {
+		return nil, fmt.Errorf("failed to update certificate: %w", err)
+	}
+	return &cert, nil
+}
+
+// ArchiveCertificate marks a certificate as archived (handler interface method).
+func (s *CertificateService) ArchiveCertificate(id string) error {
+	return s.certRepo.Archive(context.Background(), id)
+}
+
+// GetCertificateVersions returns certificate versions (handler interface method).
+func (s *CertificateService) GetCertificateVersions(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	versions, err := s.certRepo.ListVersions(context.Background(), certID)
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list certificate versions: %w", err)
+	}
+
+	total := int64(len(versions))
+	start := (page - 1) * perPage
+	if start >= int(total) {
+		return nil, total, nil
+	}
+	end := start + perPage
+	if end > int(total) {
+		end = int(total)
+	}
+
+	var result []domain.CertificateVersion
+	for _, v := range versions[start:end] {
+		if v != nil {
+			result = append(result, *v)
+		}
+	}
+
+	return result, total, nil
+}
+
+// TriggerRenewal initiates renewal (handler interface method).
+func (s *CertificateService) TriggerRenewal(certID string) error {
+	return s.TriggerRenewalWithActor(context.Background(), certID, "api")
+}
+
+// TriggerDeployment triggers deployment (handler interface method).
+func (s *CertificateService) TriggerDeployment(certID string, targetID string) error {
+	return s.TriggerDeploymentWithActor(context.Background(), certID, "api")
+}

internal/service/issuer.go

@@ -34,12 +34,20 @@ func (s *IssuerService) List(ctx context.Context, page, perPage int) ([]*domain.
 		perPage = 50
 	}
 
-	offset := int64((page - 1) * perPage)
-	issuers, total, err := s.issuerRepo.List(ctx, offset, int64(perPage))
+	issuers, err := s.issuerRepo.List(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list issuers: %w", err)
 	}
-	return issuers, total, nil
+	total := int64(len(issuers))
+	start := (page - 1) * perPage
+	if start >= int(total) {
+		return nil, total, nil
+	}
+	end := start + perPage
+	if end > int(total) {
+		end = int(total)
+	}
+	return issuers[start:end], total, nil
 }
 
 // Get retrieves an issuer by ID.
@@ -100,8 +108,8 @@ func (s *IssuerService) Delete(ctx context.Context, id string, actor string) err
 	return nil
 }
 
-// TestConnection verifies the issuer connection.
-func (s *IssuerService) TestConnection(ctx context.Context, id string) error {
+// TestConnectionWithContext verifies the issuer connection with context.
+func (s *IssuerService) TestConnectionWithContext(ctx context.Context, id string) error {
 	issuer, err := s.issuerRepo.Get(ctx, id)
 	if err != nil {
 		return fmt.Errorf("issuer not found: %w", err)
@@ -115,6 +123,11 @@ func (s *IssuerService) TestConnection(ctx context.Context, id string) error {
 	return nil
 }
 
+// TestConnection verifies the issuer connection (handler interface method).
+func (s *IssuerService) TestConnection(id string) error {
+	return s.TestConnectionWithContext(context.Background(), id)
+}
+
 // ListIssuers returns paginated issuers (handler interface method).
 func (s *IssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64, error) {
 	if page < 1 {
@@ -124,13 +137,12 @@ func (s *IssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64,
 		perPage = 50
 	}
 
-	offset := int64((page - 1) * perPage)
-	issuers, total, err := s.issuerRepo.List(context.Background(), offset, int64(perPage))
+	issuers, err := s.issuerRepo.List(context.Background())
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list issuers: %w", err)
 	}
+	total := int64(len(issuers))
 
-	// Convert pointers to values for the handler interface
 	var result []domain.Issuer
 	for _, i := range issuers {
 		if i != nil {

internal/service/job.go

@@ -179,8 +179,8 @@ func (s *JobService) GetJobStatus(ctx context.Context, jobID string) (*domain.Jo
 	return job, nil
 }
 
-// CancelJob cancels a pending or running job.
-func (s *JobService) CancelJob(ctx context.Context, jobID string) error {
+// CancelJobWithContext cancels a pending or running job.
+func (s *JobService) CancelJobWithContext(ctx context.Context, jobID string) error {
 	job, err := s.jobRepo.Get(ctx, jobID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch job: %w", err)
@@ -197,3 +197,63 @@ func (s *JobService) CancelJob(ctx context.Context, jobID string) error {
 	s.logger.Info("job cancelled", "job_id", jobID)
 	return nil
 }
+
+// CancelJob cancels a job (handler interface method).
+func (s *JobService) CancelJob(id string) error {
+	return s.CancelJobWithContext(context.Background(), id)
+}
+
+// ListJobs returns paginated jobs with optional filtering (handler interface method).
+func (s *JobService) ListJobs(status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	allJobs, err := s.jobRepo.List(context.Background())
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list jobs: %w", err)
+	}
+
+	// Filter jobs in memory based on status and jobType
+	var filtered []*domain.Job
+	for _, job := range allJobs {
+		if job == nil {
+			continue
+		}
+		if status != "" && string(job.Status) != status {
+			continue
+		}
+		if jobType != "" && string(job.Type) != jobType {
+			continue
+		}
+		filtered = append(filtered, job)
+	}
+
+	total := int64(len(filtered))
+	start := (page - 1) * perPage
+	if start >= int(total) {
+		return nil, total, nil
+	}
+	end := start + perPage
+	if end > int(total) {
+		end = int(total)
+	}
+
+	var result []domain.Job
+	for _, job := range filtered[start:end] {
+		if job != nil {
+			result = append(result, *job)
+		}
+	}
+
+	return result, total, nil
+}
+
+// GetJob returns a single job (handler interface method).
+func (s *JobService) GetJob(id string) (*domain.Job, error) {
+	return s.jobRepo.Get(context.Background(), id)
+}
+

internal/service/notification.go

@@ -173,7 +173,9 @@ func (s *NotificationService) sendNotification(ctx context.Context, notif *domai
 	// Get the appropriate notifier for the channel
 	notifier, ok := s.notifierRegistry[string(notif.Channel)]
 	if !ok {
-		return fmt.Errorf("notifier not found for channel %s", notif.Channel)
+		// No notifier configured for this channel — mark as sent (demo mode)
+		_ = s.notifRepo.UpdateStatus(ctx, notif.ID, "sent", time.Now())
+		return nil
 	}
 
 	// Send the notification
@@ -213,3 +215,59 @@ func (s *NotificationService) GetNotificationHistory(ctx context.Context, certID
 
 	return notifications, nil
 }
+
+// ListNotifications returns paginated notifications (handler interface method).
+func (s *NotificationService) ListNotifications(page, perPage int) ([]domain.NotificationEvent, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	filter := &repository.NotificationFilter{
+		Page:    page,
+		PerPage: perPage,
+	}
+
+	notifications, err := s.notifRepo.List(context.Background(), filter)
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list notifications: %w", err)
+	}
+
+	var result []domain.NotificationEvent
+	for _, n := range notifications {
+		if n != nil {
+			result = append(result, *n)
+		}
+	}
+
+	total := int64(len(result))
+	return result, total, nil
+}
+
+// GetNotification returns a single notification (handler interface method).
+func (s *NotificationService) GetNotification(id string) (*domain.NotificationEvent, error) {
+	filter := &repository.NotificationFilter{
+		PerPage: 1,
+	}
+
+	notifications, err := s.notifRepo.List(context.Background(), filter)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get notification: %w", err)
+	}
+
+	// Find notification with matching ID (repository filter doesn't support ID directly)
+	for _, n := range notifications {
+		if n != nil && n.ID == id {
+			return n, nil
+		}
+	}
+
+	return nil, fmt.Errorf("notification not found")
+}
+
+// MarkAsRead marks a notification as read (handler interface method).
+func (s *NotificationService) MarkAsRead(id string) error {
+	return s.notifRepo.UpdateStatus(context.Background(), id, "read", time.Now())
+}

internal/service/owner.go

@@ -34,12 +34,20 @@ func (s *OwnerService) List(ctx context.Context, page, perPage int) ([]*domain.O
 		perPage = 50
 	}
 
-	offset := int64((page - 1) * perPage)
-	owners, total, err := s.ownerRepo.List(ctx, offset, int64(perPage))
+	owners, err := s.ownerRepo.List(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list owners: %w", err)
 	}
-	return owners, total, nil
+	total := int64(len(owners))
+	start := (page - 1) * perPage
+	if start >= int(total) {
+		return nil, total, nil
+	}
+	end := start + perPage
+	if end > int(total) {
+		end = int(total)
+	}
+	return owners[start:end], total, nil
 }
 
 // Get retrieves an owner by ID.
@@ -109,13 +117,12 @@ func (s *OwnerService) ListOwners(page, perPage int) ([]domain.Owner, int64, err
 		perPage = 50
 	}
 
-	offset := int64((page - 1) * perPage)
-	owners, total, err := s.ownerRepo.List(context.Background(), offset, int64(perPage))
+	owners, err := s.ownerRepo.List(context.Background())
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list owners: %w", err)
 	}
+	total := int64(len(owners))
 
-	// Convert pointers to values for the handler interface
 	var result []domain.Owner
 	for _, o := range owners {
 		if o != nil {

internal/service/policy.go

@@ -219,11 +219,120 @@ func (s *PolicyService) DeleteRule(ctx context.Context, id string, actor string)
 	return nil
 }
 
-// ListViolations returns policy violations matching filter criteria.
-func (s *PolicyService) ListViolations(ctx context.Context, filter *repository.AuditFilter) ([]*domain.PolicyViolation, error) {
+// ListViolationsWithContext returns policy violations matching filter criteria.
+func (s *PolicyService) ListViolationsWithContext(ctx context.Context, filter *repository.AuditFilter) ([]*domain.PolicyViolation, error) {
 	violations, err := s.policyRepo.ListViolations(ctx, filter)
 	if err != nil {
 		return nil, fmt.Errorf("failed to list policy violations: %w", err)
 	}
 	return violations, nil
 }
+
+// ListPolicies returns paginated policies (handler interface method).
+func (s *PolicyService) ListPolicies(page, perPage int) ([]domain.PolicyRule, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	rules, err := s.policyRepo.ListRules(context.Background())
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list policies: %w", err)
+	}
+
+	total := int64(len(rules))
+	start := (page - 1) * perPage
+	if start >= int(total) {
+		return nil, total, nil
+	}
+	end := start + perPage
+	if end > int(total) {
+		end = int(total)
+	}
+
+	var result []domain.PolicyRule
+	for _, r := range rules[start:end] {
+		if r != nil {
+			result = append(result, *r)
+		}
+	}
+
+	return result, total, nil
+}
+
+// GetPolicy returns a single policy (handler interface method).
+func (s *PolicyService) GetPolicy(id string) (*domain.PolicyRule, error) {
+	return s.policyRepo.GetRule(context.Background(), id)
+}
+
+// CreatePolicy creates a new policy (handler interface method).
+func (s *PolicyService) CreatePolicy(policy domain.PolicyRule) (*domain.PolicyRule, error) {
+	if policy.ID == "" {
+		policy.ID = generateID("rule")
+	}
+	if policy.CreatedAt.IsZero() {
+		policy.CreatedAt = time.Now()
+	}
+
+	if err := s.policyRepo.CreateRule(context.Background(), &policy); err != nil {
+		return nil, fmt.Errorf("failed to create policy: %w", err)
+	}
+	return &policy, nil
+}
+
+// UpdatePolicy modifies a policy (handler interface method).
+func (s *PolicyService) UpdatePolicy(id string, policy domain.PolicyRule) (*domain.PolicyRule, error) {
+	policy.ID = id
+	policy.UpdatedAt = time.Now()
+
+	if err := s.policyRepo.UpdateRule(context.Background(), &policy); err != nil {
+		return nil, fmt.Errorf("failed to update policy: %w", err)
+	}
+	return &policy, nil
+}
+
+// DeletePolicy removes a policy (handler interface method).
+func (s *PolicyService) DeletePolicy(id string) error {
+	return s.policyRepo.DeleteRule(context.Background(), id)
+}
+
+// ListViolationsHandler returns policy violations with pagination (handler interface method).
+func (s *PolicyService) ListViolations(policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error) {
+	if page < 1 {
+		page = 1
+	}
+	if perPage < 1 {
+		perPage = 50
+	}
+
+	filter := &repository.AuditFilter{
+		ResourceID: policyID,
+		PerPage:    1000, // Get all violations for the policy
+	}
+
+	violations, err := s.policyRepo.ListViolations(context.Background(), filter)
+	if err != nil {
+		return nil, 0, fmt.Errorf("failed to list violations: %w", err)
+	}
+
+	total := int64(len(violations))
+	start := (page - 1) * perPage
+	if start >= int(total) {
+		return nil, total, nil
+	}
+	end := start + perPage
+	if end > int(total) {
+		end = int(total)
+	}
+
+	var result []domain.PolicyViolation
+	for _, v := range violations[start:end] {
+		if v != nil {
+			result = append(result, *v)
+		}
+	}
+
+	return result, total, nil
+}

internal/service/renewal.go

@@ -62,6 +62,16 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
 		// Calculate days until expiry
 		daysUntil := time.Until(cert.ExpiresAt).Hours() / 24
 
+		// Send expiration warning notification (always, regardless of issuer availability)
+		if err := s.notificationSvc.SendExpirationWarning(ctx, cert, int(daysUntil)); err != nil {
+			fmt.Printf("failed to send expiration warning for cert %s: %v\n", cert.ID, err)
+		}
+
+		// Only create renewal job if an issuer connector is registered for this cert's issuer
+		if _, hasIssuer := s.issuerRegistry[cert.IssuerID]; !hasIssuer {
+			continue
+		}
+
 		// Create renewal job
 		job := &domain.Job{
 			ID:            generateID("job"),
@@ -77,11 +87,6 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
 			continue
 		}
 
-		// Send expiration warning notification
-		if err := s.notificationSvc.SendExpirationWarning(ctx, cert, int(daysUntil)); err != nil {
-			fmt.Printf("failed to send expiration warning for cert %s: %v\n", cert.ID, err)
-		}
-
 		// Record audit event
 		_ = s.auditService.RecordEvent(ctx, "system", domain.ActorTypeSystem,
 			"renewal_job_created", "certificate", cert.ID,

internal/service/target.go

@@ -34,12 +34,20 @@ func (s *TargetService) List(ctx context.Context, page, perPage int) ([]*domain.
 		perPage = 50
 	}
 
-	offset := int64((page - 1) * perPage)
-	targets, total, err := s.targetRepo.List(ctx, offset, int64(perPage))
+	targets, err := s.targetRepo.List(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list targets: %w", err)
 	}
-	return targets, total, nil
+	total := int64(len(targets))
+	start := (page - 1) * perPage
+	if start >= int(total) {
+		return nil, total, nil
+	}
+	end := start + perPage
+	if end > int(total) {
+		end = int(total)
+	}
+	return targets[start:end], total, nil
 }
 
 // Get retrieves a deployment target by ID.
@@ -109,13 +117,12 @@ func (s *TargetService) ListTargets(page, perPage int) ([]domain.DeploymentTarge
 		perPage = 50
 	}
 
-	offset := int64((page - 1) * perPage)
-	targets, total, err := s.targetRepo.List(context.Background(), offset, int64(perPage))
+	targets, err := s.targetRepo.List(context.Background())
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list targets: %w", err)
 	}
+	total := int64(len(targets))
 
-	// Convert pointers to values for the handler interface
 	var result []domain.DeploymentTarget
 	for _, t := range targets {
 		if t != nil {

internal/service/team.go

@@ -34,12 +34,20 @@ func (s *TeamService) List(ctx context.Context, page, perPage int) ([]*domain.Te
 		perPage = 50
 	}
 
-	offset := int64((page - 1) * perPage)
-	teams, total, err := s.teamRepo.List(ctx, offset, int64(perPage))
+	teams, err := s.teamRepo.List(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list teams: %w", err)
 	}
-	return teams, total, nil
+	total := int64(len(teams))
+	start := (page - 1) * perPage
+	if start >= int(total) {
+		return nil, total, nil
+	}
+	end := start + perPage
+	if end > int(total) {
+		end = int(total)
+	}
+	return teams[start:end], total, nil
 }
 
 // Get retrieves a team by ID.
@@ -109,13 +117,12 @@ func (s *TeamService) ListTeams(page, perPage int) ([]domain.Team, int64, error)
 		perPage = 50
 	}
 
-	offset := int64((page - 1) * perPage)
-	teams, total, err := s.teamRepo.List(context.Background(), offset, int64(perPage))
+	teams, err := s.teamRepo.List(context.Background())
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list teams: %w", err)
 	}
+	total := int64(len(teams))
 
-	// Convert pointers to values for the handler interface
 	var result []domain.Team
 	for _, t := range teams {
 		if t != nil {