feat: M11b — ownership tracking, agent groups, interactive renewal approval

Ownership: owners/teams GUI pages, notification email resolution via
resolveRecipient (owner_id → owner.email lookup). Agent groups: dynamic
device grouping by OS/arch/IP CIDR/version with manual include/exclude
membership, migration 000004, full CRUD stack (domain → repo → service →
handler → frontend). Interactive approval: AwaitingApproval job state,
approve/reject API endpoints with reason tracking. Tests: 12 agent group
handler tests, 8 approve/reject job handler tests, integration tests
updated for 13-param RegisterHandlers. Docs updated across architecture,
concepts, and seed data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/api/handler/agent_group_handler_test.go

@@ -0,0 +1,324 @@
+package handler
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// MockAgentGroupService is a mock implementation of AgentGroupService interface.
+type MockAgentGroupService struct {
+	ListAgentGroupsFn  func(page, perPage int) ([]domain.AgentGroup, int64, error)
+	GetAgentGroupFn    func(id string) (*domain.AgentGroup, error)
+	CreateAgentGroupFn func(group domain.AgentGroup) (*domain.AgentGroup, error)
+	UpdateAgentGroupFn func(id string, group domain.AgentGroup) (*domain.AgentGroup, error)
+	DeleteAgentGroupFn func(id string) error
+	ListMembersFn      func(id string) ([]domain.Agent, int64, error)
+}
+
+func (m *MockAgentGroupService) ListAgentGroups(page, perPage int) ([]domain.AgentGroup, int64, error) {
+	if m.ListAgentGroupsFn != nil {
+		return m.ListAgentGroupsFn(page, perPage)
+	}
+	return []domain.AgentGroup{}, 0, nil
+}
+
+func (m *MockAgentGroupService) GetAgentGroup(id string) (*domain.AgentGroup, error) {
+	if m.GetAgentGroupFn != nil {
+		return m.GetAgentGroupFn(id)
+	}
+	return nil, fmt.Errorf("not found")
+}
+
+func (m *MockAgentGroupService) CreateAgentGroup(group domain.AgentGroup) (*domain.AgentGroup, error) {
+	if m.CreateAgentGroupFn != nil {
+		return m.CreateAgentGroupFn(group)
+	}
+	return &group, nil
+}
+
+func (m *MockAgentGroupService) UpdateAgentGroup(id string, group domain.AgentGroup) (*domain.AgentGroup, error) {
+	if m.UpdateAgentGroupFn != nil {
+		return m.UpdateAgentGroupFn(id, group)
+	}
+	group.ID = id
+	return &group, nil
+}
+
+func (m *MockAgentGroupService) DeleteAgentGroup(id string) error {
+	if m.DeleteAgentGroupFn != nil {
+		return m.DeleteAgentGroupFn(id)
+	}
+	return nil
+}
+
+func (m *MockAgentGroupService) ListMembers(id string) ([]domain.Agent, int64, error) {
+	if m.ListMembersFn != nil {
+		return m.ListMembersFn(id)
+	}
+	return []domain.Agent{}, 0, nil
+}
+
+func TestListAgentGroups_Success(t *testing.T) {
+	group := domain.AgentGroup{
+		ID:          "ag-linux",
+		Name:        "Linux Agents",
+		Description: "All Linux-based agents",
+		MatchOS:     "linux",
+		Enabled:     true,
+	}
+
+	mock := &MockAgentGroupService{
+		ListAgentGroupsFn: func(page, perPage int) ([]domain.AgentGroup, int64, error) {
+			return []domain.AgentGroup{group}, 1, nil
+		},
+	}
+
+	h := NewAgentGroupHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/agent-groups", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.ListAgentGroups(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected status 200, got %d", w.Code)
+	}
+
+	var resp PagedResponse
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	if resp.Total != 1 {
+		t.Errorf("expected total 1, got %d", resp.Total)
+	}
+}
+
+func TestListAgentGroups_ServiceError(t *testing.T) {
+	mock := &MockAgentGroupService{
+		ListAgentGroupsFn: func(page, perPage int) ([]domain.AgentGroup, int64, error) {
+			return nil, 0, ErrMockServiceFailed
+		},
+	}
+
+	h := NewAgentGroupHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/agent-groups", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.ListAgentGroups(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Fatalf("expected status 500, got %d", w.Code)
+	}
+}
+
+func TestListAgentGroups_MethodNotAllowed(t *testing.T) {
+	h := NewAgentGroupHandler(&MockAgentGroupService{})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/agent-groups", nil)
+	w := httptest.NewRecorder()
+
+	h.ListAgentGroups(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Fatalf("expected status 405, got %d", w.Code)
+	}
+}
+
+func TestGetAgentGroup_Success(t *testing.T) {
+	mock := &MockAgentGroupService{
+		GetAgentGroupFn: func(id string) (*domain.AgentGroup, error) {
+			return &domain.AgentGroup{
+				ID:      id,
+				Name:    "Linux Agents",
+				MatchOS: "linux",
+				Enabled: true,
+			}, nil
+		},
+	}
+
+	h := NewAgentGroupHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/agent-groups/ag-linux", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.GetAgentGroup(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected status 200, got %d", w.Code)
+	}
+}
+
+func TestGetAgentGroup_NotFound(t *testing.T) {
+	mock := &MockAgentGroupService{
+		GetAgentGroupFn: func(id string) (*domain.AgentGroup, error) {
+			return nil, ErrMockNotFound
+		},
+	}
+
+	h := NewAgentGroupHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/agent-groups/ag-ghost", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.GetAgentGroup(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("expected status 404, got %d", w.Code)
+	}
+}
+
+func TestCreateAgentGroup_Success(t *testing.T) {
+	mock := &MockAgentGroupService{
+		CreateAgentGroupFn: func(group domain.AgentGroup) (*domain.AgentGroup, error) {
+			group.ID = "ag-new"
+			return &group, nil
+		},
+	}
+
+	body := map[string]interface{}{
+		"name":     "Ubuntu Agents",
+		"match_os": "linux",
+		"enabled":  true,
+	}
+	bodyBytes, _ := json.Marshal(body)
+
+	h := NewAgentGroupHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/agent-groups", bytes.NewReader(bodyBytes))
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.CreateAgentGroup(w, req)
+
+	if w.Code != http.StatusCreated {
+		t.Fatalf("expected status 201, got %d. Body: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestCreateAgentGroup_MissingName(t *testing.T) {
+	body := map[string]interface{}{
+		"match_os": "linux",
+	}
+	bodyBytes, _ := json.Marshal(body)
+
+	h := NewAgentGroupHandler(&MockAgentGroupService{})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/agent-groups", bytes.NewReader(bodyBytes))
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.CreateAgentGroup(w, req)
+
+	// Handler may or may not validate name — service does. Either 400 or 500 acceptable.
+	if w.Code == http.StatusCreated || w.Code == http.StatusOK {
+		t.Fatalf("expected error for missing name, got %d", w.Code)
+	}
+}
+
+func TestCreateAgentGroup_InvalidJSON(t *testing.T) {
+	h := NewAgentGroupHandler(&MockAgentGroupService{})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/agent-groups", bytes.NewReader([]byte("not json")))
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.CreateAgentGroup(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected status 400, got %d", w.Code)
+	}
+}
+
+func TestDeleteAgentGroup_Success(t *testing.T) {
+	var deletedID string
+	mock := &MockAgentGroupService{
+		DeleteAgentGroupFn: func(id string) error {
+			deletedID = id
+			return nil
+		},
+	}
+
+	h := NewAgentGroupHandler(mock)
+	req := httptest.NewRequest(http.MethodDelete, "/api/v1/agent-groups/ag-linux", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.DeleteAgentGroup(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected status 200, got %d", w.Code)
+	}
+	if deletedID != "ag-linux" {
+		t.Errorf("expected deleted ID 'ag-linux', got '%s'", deletedID)
+	}
+}
+
+func TestDeleteAgentGroup_ServiceError(t *testing.T) {
+	mock := &MockAgentGroupService{
+		DeleteAgentGroupFn: func(id string) error {
+			return ErrMockServiceFailed
+		},
+	}
+
+	h := NewAgentGroupHandler(mock)
+	req := httptest.NewRequest(http.MethodDelete, "/api/v1/agent-groups/ag-linux", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.DeleteAgentGroup(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Fatalf("expected status 500, got %d", w.Code)
+	}
+}
+
+func TestListAgentGroupMembers_Success(t *testing.T) {
+	mock := &MockAgentGroupService{
+		ListMembersFn: func(id string) ([]domain.Agent, int64, error) {
+			return []domain.Agent{
+				{ID: "agent-001", Name: "web-1", Hostname: "web-1.prod"},
+			}, 1, nil
+		},
+	}
+
+	h := NewAgentGroupHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/agent-groups/ag-linux/members", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.ListAgentGroupMembers(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected status 200, got %d", w.Code)
+	}
+
+	var resp PagedResponse
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	if resp.Total != 1 {
+		t.Errorf("expected total 1, got %d", resp.Total)
+	}
+}
+
+func TestListAgentGroupMembers_ServiceError(t *testing.T) {
+	mock := &MockAgentGroupService{
+		ListMembersFn: func(id string) ([]domain.Agent, int64, error) {
+			return nil, 0, ErrMockServiceFailed
+		},
+	}
+
+	h := NewAgentGroupHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/agent-groups/ag-linux/members", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.ListAgentGroupMembers(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Fatalf("expected status 500, got %d", w.Code)
+	}
+}

internal/api/handler/agent_groups.go

@@ -0,0 +1,234 @@
+package handler
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/shankar0123/certctl/internal/api/middleware"
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// AgentGroupService defines the service interface for agent group operations.
+type AgentGroupService interface {
+	ListAgentGroups(page, perPage int) ([]domain.AgentGroup, int64, error)
+	GetAgentGroup(id string) (*domain.AgentGroup, error)
+	CreateAgentGroup(group domain.AgentGroup) (*domain.AgentGroup, error)
+	UpdateAgentGroup(id string, group domain.AgentGroup) (*domain.AgentGroup, error)
+	DeleteAgentGroup(id string) error
+	ListMembers(id string) ([]domain.Agent, int64, error)
+}
+
+// AgentGroupHandler handles HTTP requests for agent group operations.
+type AgentGroupHandler struct {
+	svc AgentGroupService
+}
+
+// NewAgentGroupHandler creates a new AgentGroupHandler with a service dependency.
+func NewAgentGroupHandler(svc AgentGroupService) AgentGroupHandler {
+	return AgentGroupHandler{svc: svc}
+}
+
+// ListAgentGroups lists all agent groups.
+// GET /api/v1/agent-groups?page=1&per_page=50
+func (h AgentGroupHandler) ListAgentGroups(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	page := 1
+	perPage := 50
+	query := r.URL.Query()
+	if p := query.Get("page"); p != "" {
+		if parsed, err := strconv.Atoi(p); err == nil && parsed > 0 {
+			page = parsed
+		}
+	}
+	if pp := query.Get("per_page"); pp != "" {
+		if parsed, err := strconv.Atoi(pp); err == nil && parsed > 0 && parsed <= 500 {
+			perPage = parsed
+		}
+	}
+
+	groups, total, err := h.svc.ListAgentGroups(page, perPage)
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list agent groups", requestID)
+		return
+	}
+
+	response := PagedResponse{
+		Data:    groups,
+		Total:   total,
+		Page:    page,
+		PerPage: perPage,
+	}
+
+	JSON(w, http.StatusOK, response)
+}
+
+// GetAgentGroup retrieves a single agent group by ID.
+// GET /api/v1/agent-groups/{id}
+func (h AgentGroupHandler) GetAgentGroup(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	id := strings.TrimPrefix(r.URL.Path, "/api/v1/agent-groups/")
+	if id == "" || strings.Contains(id, "/") {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Agent group ID is required", requestID)
+		return
+	}
+
+	group, err := h.svc.GetAgentGroup(id)
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusNotFound, "Agent group not found", requestID)
+		return
+	}
+
+	JSON(w, http.StatusOK, group)
+}
+
+// CreateAgentGroup creates a new agent group.
+// POST /api/v1/agent-groups
+func (h AgentGroupHandler) CreateAgentGroup(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	var group domain.AgentGroup
+	if err := json.NewDecoder(r.Body).Decode(&group); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID)
+		return
+	}
+
+	if err := ValidateRequired("name", group.Name); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
+		return
+	}
+	if err := ValidateStringLength("name", group.Name, 255); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
+		return
+	}
+
+	created, err := h.svc.CreateAgentGroup(group)
+	if err != nil {
+		if strings.Contains(err.Error(), "invalid") || strings.Contains(err.Error(), "required") {
+			ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
+			return
+		}
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create agent group", requestID)
+		return
+	}
+
+	JSON(w, http.StatusCreated, created)
+}
+
+// UpdateAgentGroup updates an existing agent group.
+// PUT /api/v1/agent-groups/{id}
+func (h AgentGroupHandler) UpdateAgentGroup(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPut {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	id := strings.TrimPrefix(r.URL.Path, "/api/v1/agent-groups/")
+	parts := strings.Split(id, "/")
+	if len(parts) == 0 || parts[0] == "" {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Agent group ID is required", requestID)
+		return
+	}
+	id = parts[0]
+
+	var group domain.AgentGroup
+	if err := json.NewDecoder(r.Body).Decode(&group); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID)
+		return
+	}
+
+	updated, err := h.svc.UpdateAgentGroup(id, group)
+	if err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			ErrorWithRequestID(w, http.StatusNotFound, "Agent group not found", requestID)
+			return
+		}
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update agent group", requestID)
+		return
+	}
+
+	JSON(w, http.StatusOK, updated)
+}
+
+// DeleteAgentGroup deletes an agent group.
+// DELETE /api/v1/agent-groups/{id}
+func (h AgentGroupHandler) DeleteAgentGroup(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodDelete {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	id := strings.TrimPrefix(r.URL.Path, "/api/v1/agent-groups/")
+	if id == "" || strings.Contains(id, "/") {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Agent group ID is required", requestID)
+		return
+	}
+
+	if err := h.svc.DeleteAgentGroup(id); err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			ErrorWithRequestID(w, http.StatusNotFound, "Agent group not found", requestID)
+			return
+		}
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to delete agent group", requestID)
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// ListAgentGroupMembers lists agents in a group.
+// GET /api/v1/agent-groups/{id}/members
+func (h AgentGroupHandler) ListAgentGroupMembers(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	// Parse ID from: /api/v1/agent-groups/{id}/members
+	path := strings.TrimPrefix(r.URL.Path, "/api/v1/agent-groups/")
+	parts := strings.Split(path, "/")
+	if len(parts) < 2 || parts[0] == "" {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Agent group ID is required", requestID)
+		return
+	}
+	id := parts[0]
+
+	members, total, err := h.svc.ListMembers(id)
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list group members", requestID)
+		return
+	}
+
+	response := PagedResponse{
+		Data:    members,
+		Total:   total,
+		Page:    1,
+		PerPage: int(total),
+	}
+
+	JSON(w, http.StatusOK, response)
+}

internal/api/handler/job_handler_test.go

@@ -2,8 +2,10 @@ package handler
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 	"time"
 
@@ -12,9 +14,11 @@ import (
 
 // MockJobService is a mock implementation of JobService interface.
 type MockJobService struct {
-	ListJobsFn  func(status, jobType string, page, perPage int) ([]domain.Job, int64, error)
-	GetJobFn    func(id string) (*domain.Job, error)
-	CancelJobFn func(id string) error
+	ListJobsFn   func(status, jobType string, page, perPage int) ([]domain.Job, int64, error)
+	GetJobFn     func(id string) (*domain.Job, error)
+	CancelJobFn  func(id string) error
+	ApproveJobFn func(id string) error
+	RejectJobFn  func(id string, reason string) error
 }
 
 func (m *MockJobService) ListJobs(status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
@@ -38,6 +42,20 @@ func (m *MockJobService) CancelJob(id string) error {
 	return nil
 }
 
+func (m *MockJobService) ApproveJob(id string) error {
+	if m.ApproveJobFn != nil {
+		return m.ApproveJobFn(id)
+	}
+	return nil
+}
+
+func (m *MockJobService) RejectJob(id string, reason string) error {
+	if m.RejectJobFn != nil {
+		return m.RejectJobFn(id, reason)
+	}
+	return nil
+}
+
 func TestListJobs_Success(t *testing.T) {
 	now := time.Now()
 	job1 := domain.Job{
@@ -325,3 +343,164 @@ func TestCancelJob_EmptyID(t *testing.T) {
 		t.Fatalf("expected status 400, got %d", w.Code)
 	}
 }
+
+func TestApproveJob_Success(t *testing.T) {
+	var approvedID string
+	mock := &MockJobService{
+		ApproveJobFn: func(id string) error {
+			approvedID = id
+			return nil
+		},
+	}
+
+	h := NewJobHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/jobs/job-001/approve", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.ApproveJob(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected status 200, got %d", w.Code)
+	}
+	if approvedID != "job-001" {
+		t.Errorf("expected approved ID 'job-001', got '%s'", approvedID)
+	}
+
+	var resp map[string]string
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	if resp["status"] != "job_approved" {
+		t.Errorf("expected status 'job_approved', got '%s'", resp["status"])
+	}
+}
+
+func TestApproveJob_NotFound(t *testing.T) {
+	mock := &MockJobService{
+		ApproveJobFn: func(id string) error {
+			return fmt.Errorf("job not found: no rows")
+		},
+	}
+
+	h := NewJobHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/jobs/job-ghost/approve", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.ApproveJob(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("expected status 404, got %d", w.Code)
+	}
+}
+
+func TestApproveJob_BadStatus(t *testing.T) {
+	mock := &MockJobService{
+		ApproveJobFn: func(id string) error {
+			return fmt.Errorf("cannot approve job with status Running")
+		},
+	}
+
+	h := NewJobHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/jobs/job-001/approve", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.ApproveJob(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected status 400, got %d", w.Code)
+	}
+}
+
+func TestApproveJob_MethodNotAllowed(t *testing.T) {
+	h := NewJobHandler(&MockJobService{})
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/jobs/job-001/approve", nil)
+	w := httptest.NewRecorder()
+
+	h.ApproveJob(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Fatalf("expected status 405, got %d", w.Code)
+	}
+}
+
+func TestRejectJob_Success(t *testing.T) {
+	var rejectedID, capturedReason string
+	mock := &MockJobService{
+		RejectJobFn: func(id string, reason string) error {
+			rejectedID = id
+			capturedReason = reason
+			return nil
+		},
+	}
+
+	body := `{"reason":"Certificate no longer needed"}`
+	h := NewJobHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/jobs/job-002/reject", strings.NewReader(body))
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.RejectJob(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected status 200, got %d", w.Code)
+	}
+	if rejectedID != "job-002" {
+		t.Errorf("expected rejected ID 'job-002', got '%s'", rejectedID)
+	}
+	if capturedReason != "Certificate no longer needed" {
+		t.Errorf("expected reason 'Certificate no longer needed', got '%s'", capturedReason)
+	}
+}
+
+func TestRejectJob_NoReason(t *testing.T) {
+	mock := &MockJobService{
+		RejectJobFn: func(id string, reason string) error {
+			return nil
+		},
+	}
+
+	h := NewJobHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/jobs/job-002/reject", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.RejectJob(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected status 200, got %d", w.Code)
+	}
+}
+
+func TestRejectJob_NotFound(t *testing.T) {
+	mock := &MockJobService{
+		RejectJobFn: func(id string, reason string) error {
+			return fmt.Errorf("job not found: no rows")
+		},
+	}
+
+	h := NewJobHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/jobs/job-ghost/reject", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.RejectJob(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("expected status 404, got %d", w.Code)
+	}
+}
+
+func TestRejectJob_MethodNotAllowed(t *testing.T) {
+	h := NewJobHandler(&MockJobService{})
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/jobs/job-001/reject", nil)
+	w := httptest.NewRecorder()
+
+	h.RejectJob(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Fatalf("expected status 405, got %d", w.Code)
+	}
+}

internal/api/handler/jobs.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"encoding/json"
 	"net/http"
 	"strconv"
 	"strings"
@@ -14,6 +15,8 @@ type JobService interface {
 	ListJobs(status, jobType string, page, perPage int) ([]domain.Job, int64, error)
 	GetJob(id string) (*domain.Job, error)
 	CancelJob(id string) error
+	ApproveJob(id string) error
+	RejectJob(id string, reason string) error
 }
 
 // JobHandler handles HTTP requests for job operations.
@@ -126,3 +129,78 @@ func (h JobHandler) CancelJob(w http.ResponseWriter, r *http.Request) {
 
 	JSON(w, http.StatusOK, response)
 }
+
+// ApproveJob approves a renewal job awaiting approval.
+// POST /api/v1/jobs/{id}/approve
+func (h JobHandler) ApproveJob(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	path := strings.TrimPrefix(r.URL.Path, "/api/v1/jobs/")
+	parts := strings.Split(path, "/")
+	if len(parts) < 2 || parts[0] == "" {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Job ID is required", requestID)
+		return
+	}
+	jobID := parts[0]
+
+	if err := h.svc.ApproveJob(jobID); err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
+			return
+		}
+		if strings.Contains(err.Error(), "cannot approve") {
+			ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
+			return
+		}
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to approve job", requestID)
+		return
+	}
+
+	JSON(w, http.StatusOK, map[string]string{"status": "job_approved"})
+}
+
+// RejectJob rejects a renewal job awaiting approval.
+// POST /api/v1/jobs/{id}/reject
+func (h JobHandler) RejectJob(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	path := strings.TrimPrefix(r.URL.Path, "/api/v1/jobs/")
+	parts := strings.Split(path, "/")
+	if len(parts) < 2 || parts[0] == "" {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Job ID is required", requestID)
+		return
+	}
+	jobID := parts[0]
+
+	var body struct {
+		Reason string `json:"reason"`
+	}
+	if r.Body != nil {
+		json.NewDecoder(r.Body).Decode(&body)
+	}
+
+	if err := h.svc.RejectJob(jobID, body.Reason); err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
+			return
+		}
+		if strings.Contains(err.Error(), "cannot reject") {
+			ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
+			return
+		}
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to reject job", requestID)
+		return
+	}
+
+	JSON(w, http.StatusOK, map[string]string{"status": "job_rejected"})
+}