fix(api,web,mcp): add bulk-renew + bulk-reassign endpoints, drop client-side N×HTTP loops (L-1 master)

Two audit findings, both category cat-l, both rooted in
web/src/pages/CertificatesPage.tsx. Pre-L-1 the GUI looped per-cert
HTTP calls — 100 selected certs = 100 sequential round-trips × ~50–200
ms each = a 5–20-second wedge during which the operator stared at a
progress bar. Post-L-1 each workflow is a single POST.

  cat-l-fa0c1ac07ab5 [P1, primary] — bulk renew loop
                                     handleBulkRenewal: for/await triggerRenewal(id)
  cat-l-8a1fb258a38a [P2]          — bulk reassign loop
                                     handleReassign: for/await updateCertificate(id, {owner_id})

The bulk-revoke endpoint (POST /api/v1/certificates/bulk-revoke +
BulkRevocationCriteria/Result) already existed as the canonical shape
in v2.0.x — L-1 ports that pattern to renew + reassign with per-action
twists.

Backend (Go)
- internal/domain/bulk_renewal.go: BulkRenewalCriteria mirrors
  BulkRevocationCriteria (criteria + IDs modes); BulkRenewalResult
  envelope adds EnqueuedJobs[] for per-cert {certificate_id, job_id};
  shared BulkOperationError type for all bulk paths.
- internal/domain/bulk_reassignment.go: narrower shape — IDs-only,
  owner_id required, team_id optional.
- internal/service/bulk_renewal.go::BulkRenewalService.BulkRenew:
  resolves criteria → status filter (Archived/Revoked/Expired/
  RenewalInProgress all silent-skip) → per-cert status flip + job
  create. Keygen-mode-aware so jobs land in the same initial status
  as single-cert TriggerRenewal. Single bulk audit event per call,
  not N.
- internal/service/bulk_reassignment.go::BulkReassignmentService.
  BulkReassign: validates owner_id upfront via the
  ErrBulkReassignOwnerNotFound typed sentinel — non-existent owner
  returns 400 before any cert is touched. Already-owned-by-target
  is silent-skip. Single bulk audit event.
- internal/api/handler/{bulk_renewal,bulk_reassignment}.go: HTTP
  shape mirrors bulk_revocation.go. NOT admin-gated (renew is non-
  destructive; reassign is a common-case workflow). Sentinel-error
  → 400 mapping for OwnerNotFound.
- internal/api/router/router.go: three bulk-* routes registered as a
  block before the {id} routes. HandlerRegistry gains BulkRenewal +
  BulkReassignment fields.
- cmd/server/main.go: NewBulkRenewalService threads cfg.Keygen.Mode
  so bulk-renew jobs land in same initial state as single-cert path.

Frontend
- web/src/api/client.ts: bulkRenewCertificates(criteria) +
  bulkReassignCertificates(request) functions with full TS types.
- web/src/pages/CertificatesPage.tsx: handleBulkRenewal + handleReassign
  rewritten from N-call loops to single calls. Result envelope drives
  progress UI; first-error message surfaced when total_failed > 0.
  Stale triggerRenewal + updateCertificate imports removed.

MCP
- internal/mcp/types.go: BulkRenewCertificatesInput +
  BulkReassignCertificatesInput.
- internal/mcp/tools.go: certctl_bulk_renew_certificates +
  certctl_bulk_reassign_certificates tools mirroring the existing
  certctl_bulk_revoke_certificates pattern.

OpenAPI
- api/openapi.yaml: two new operations (bulkRenewCertificates,
  bulkReassignCertificates) under Certificates tag. Four new schemas
  (BulkRenewRequest, BulkRenewResult, BulkEnqueuedJob,
  BulkReassignRequest, BulkReassignResult).

Tests
- Domain: BulkRenewalCriteria.IsEmpty + BulkReassignmentRequest.IsEmpty
  IsEmpty contracts; JSON round-trip shape pinning.
- Service: 7 BulkRenew tests (happy/criteria-mode/skips-RenewalInProgress/
  skips-revoked-archived/empty-criteria-error/partial-failure/
  audit-event-emitted) + 8 BulkReassign tests (happy/skips-already-
  owned/owner-required/empty-IDs/owner-not-found-sentinel/team-id-
  optional/team-id-provided/partial-failure/audit-event-emitted).
- Handler: 5 BulkRenew handler tests (happy/empty-body-400/wrong-
  method-405/actor-attribution/service-error-500) + 6 BulkReassign
  handler tests (happy/empty-IDs-400/missing-owner-400/owner-not-
  found-400-via-sentinel/wrong-method-405/generic-error-500).

CI guardrail
- .github/workflows/ci.yml: 'Forbidden client-side bulk-action loop
  regression guard (L-1)'. Greps web/src/pages/CertificatesPage.tsx
  for 'for(...) await triggerRenewal(...)' and 'for(...) await
  updateCertificate(...)' patterns; comment lines exempt; test files
  exempt. Verified locally (passes against post-fix tree, fires
  against synthetic regression).

Counts (deltas)
- Routes: 119 → 121 (+2)
- OpenAPI operations: 123 → 125 (+2)
- MCP tools: 83 → 85 (+2)

Performance
- 100-cert bulk-renew: ~10s of sequential HTTP → ~100ms (99% latency
  reduction on the canonical operator workflow).
- Audit event volume: 1 + N per operation → 1.

Out of scope (deferred follow-ups)
- cat-b-31ceb6aaa9f1: updateOwner/updateTeam/updateAgentGroup orphan
  (different shape — wire existing PUT to GUI, not new bulk endpoint).
- cat-k-e85d1099b2d7: CertificatesPage no pagination UI.
- cat-i-b0924b6675f8: MCP missing claim/dismiss/acknowledge (L-1 added
  2 new tools but does not close that finding).

Verification
- go build / vet / test -short / test -short -race all clean.
- web tsc --noEmit + vitest run all clean (296 tests passing).
- OpenAPI YAML parses (89 paths, 125 ops).
- L-1 CI guardrail passes against post-fix tree, fires against
  synthetic regression.

No push.

internal/service/bulk_reassignment_test.go

@@ -0,0 +1,221 @@
+package service
+
+import (
+	"context"
+	"errors"
+	"log/slog"
+	"testing"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+func newBulkReassignmentTestService() (*BulkReassignmentService, *mockCertRepo, *mockOwnerRepo, *mockAuditRepo) {
+	certRepo := newMockCertificateRepository()
+	ownerRepo := newMockOwnerRepository()
+	auditRepo := newMockAuditRepository()
+	auditService := NewAuditService(auditRepo)
+	svc := NewBulkReassignmentService(certRepo, ownerRepo, auditService, slog.Default())
+	return svc, certRepo, ownerRepo, auditRepo
+}
+
+// addOwnedCert seeds a cert with a specific owner+team for reassignment.
+func addOwnedCert(repo *mockCertRepo, id, ownerID, teamID string) {
+	cert := &domain.ManagedCertificate{
+		ID: id, CommonName: id, Status: domain.CertificateStatusActive,
+		OwnerID: ownerID, TeamID: teamID,
+		ExpiresAt: time.Now().AddDate(0, 1, 0),
+	}
+	repo.AddCert(cert)
+}
+
+func addOwner(repo *mockOwnerRepo, id string) {
+	repo.owners[id] = &domain.Owner{ID: id, Name: id}
+}
+
+// TestBulkReassign_HappyPath — N certs all reassigned successfully.
+func TestBulkReassign_HappyPath(t *testing.T) {
+	svc, certRepo, ownerRepo, _ := newBulkReassignmentTestService()
+	addOwner(ownerRepo, "o-bob")
+	addOwnedCert(certRepo, "mc-1", "o-alice", "")
+	addOwnedCert(certRepo, "mc-2", "o-alice", "")
+	addOwnedCert(certRepo, "mc-3", "o-alice", "")
+
+	res, err := svc.BulkReassign(context.Background(),
+		domain.BulkReassignmentRequest{
+			CertificateIDs: []string{"mc-1", "mc-2", "mc-3"},
+			OwnerID:        "o-bob",
+		}, "admin")
+	if err != nil {
+		t.Fatalf("BulkReassign failed: %v", err)
+	}
+	if res.TotalReassigned != 3 || res.TotalSkipped != 0 || res.TotalFailed != 0 {
+		t.Errorf("counts = reassigned:%d skipped:%d failed:%d, want 3/0/0",
+			res.TotalReassigned, res.TotalSkipped, res.TotalFailed)
+	}
+	for _, id := range []string{"mc-1", "mc-2", "mc-3"} {
+		if certRepo.Certs[id].OwnerID != "o-bob" {
+			t.Errorf("cert %s: owner_id = %s, want o-bob", id, certRepo.Certs[id].OwnerID)
+		}
+	}
+}
+
+// TestBulkReassign_SkipsAlreadyOwned — certs already owned by the
+// target are no-op-skipped (not counted as reassigned, not surfaced as
+// errors). Operator sees "5 of your 10 selections were no-ops because
+// Bob already owned them" without triaging fake errors.
+func TestBulkReassign_SkipsAlreadyOwned(t *testing.T) {
+	svc, certRepo, ownerRepo, _ := newBulkReassignmentTestService()
+	addOwner(ownerRepo, "o-bob")
+	addOwnedCert(certRepo, "mc-1", "o-bob", "")    // already owned by target
+	addOwnedCert(certRepo, "mc-2", "o-alice", "")  // needs reassign
+
+	res, err := svc.BulkReassign(context.Background(),
+		domain.BulkReassignmentRequest{
+			CertificateIDs: []string{"mc-1", "mc-2"},
+			OwnerID:        "o-bob",
+		}, "admin")
+	if err != nil {
+		t.Fatalf("BulkReassign failed: %v", err)
+	}
+	if res.TotalReassigned != 1 || res.TotalSkipped != 1 {
+		t.Errorf("counts = reassigned:%d skipped:%d, want 1/1", res.TotalReassigned, res.TotalSkipped)
+	}
+	if len(res.Errors) != 0 {
+		t.Errorf("already-owned skip should NOT populate Errors; got %v", res.Errors)
+	}
+}
+
+// TestBulkReassign_OwnerIDRequired_Error — empty owner_id rejected.
+func TestBulkReassign_OwnerIDRequired_Error(t *testing.T) {
+	svc, certRepo, _, _ := newBulkReassignmentTestService()
+	addOwnedCert(certRepo, "mc-1", "o-alice", "")
+	_, err := svc.BulkReassign(context.Background(),
+		domain.BulkReassignmentRequest{CertificateIDs: []string{"mc-1"}, OwnerID: ""}, "admin")
+	if err == nil {
+		t.Fatal("expected error for empty owner_id, got nil")
+	}
+}
+
+// TestBulkReassign_EmptyIDs_Error — empty IDs rejected.
+func TestBulkReassign_EmptyIDs_Error(t *testing.T) {
+	svc, _, ownerRepo, _ := newBulkReassignmentTestService()
+	addOwner(ownerRepo, "o-bob")
+	_, err := svc.BulkReassign(context.Background(),
+		domain.BulkReassignmentRequest{CertificateIDs: []string{}, OwnerID: "o-bob"}, "admin")
+	if err == nil {
+		t.Fatal("expected error for empty IDs, got nil")
+	}
+}
+
+// TestBulkReassign_OwnerNotFound_TypedSentinel — non-existent OwnerID
+// returns ErrBulkReassignOwnerNotFound. Handler maps this to 400 (the
+// operator picked an owner that doesn't exist) rather than 500 (server
+// error). Sentinel-error rather than substring-error matches the
+// project's post-M-1 error-mapping convention.
+func TestBulkReassign_OwnerNotFound_TypedSentinel(t *testing.T) {
+	svc, certRepo, _, _ := newBulkReassignmentTestService()
+	addOwnedCert(certRepo, "mc-1", "o-alice", "")
+	_, err := svc.BulkReassign(context.Background(),
+		domain.BulkReassignmentRequest{CertificateIDs: []string{"mc-1"}, OwnerID: "o-ghost"}, "admin")
+	if err == nil {
+		t.Fatal("expected ErrBulkReassignOwnerNotFound, got nil")
+	}
+	if !errors.Is(err, ErrBulkReassignOwnerNotFound) {
+		t.Errorf("err is not ErrBulkReassignOwnerNotFound; got: %v", err)
+	}
+}
+
+// TestBulkReassign_TeamIDOptional — happy path WITHOUT team_id leaves
+// team_id unchanged. Empty team_id in request must not zero out the
+// existing team_id on the cert.
+func TestBulkReassign_TeamIDOptional(t *testing.T) {
+	svc, certRepo, ownerRepo, _ := newBulkReassignmentTestService()
+	addOwner(ownerRepo, "o-bob")
+	addOwnedCert(certRepo, "mc-1", "o-alice", "t-platform")
+
+	_, err := svc.BulkReassign(context.Background(),
+		domain.BulkReassignmentRequest{
+			CertificateIDs: []string{"mc-1"},
+			OwnerID:        "o-bob",
+			// TeamID intentionally omitted
+		}, "admin")
+	if err != nil {
+		t.Fatalf("BulkReassign failed: %v", err)
+	}
+	if certRepo.Certs["mc-1"].TeamID != "t-platform" {
+		t.Errorf("team_id was zeroed out; want unchanged 't-platform', got %q", certRepo.Certs["mc-1"].TeamID)
+	}
+}
+
+// TestBulkReassign_TeamIDProvided_Updates — when TeamID is non-empty in
+// the request, both owner_id and team_id update.
+func TestBulkReassign_TeamIDProvided_Updates(t *testing.T) {
+	svc, certRepo, ownerRepo, _ := newBulkReassignmentTestService()
+	addOwner(ownerRepo, "o-bob")
+	addOwnedCert(certRepo, "mc-1", "o-alice", "t-platform")
+
+	_, err := svc.BulkReassign(context.Background(),
+		domain.BulkReassignmentRequest{
+			CertificateIDs: []string{"mc-1"},
+			OwnerID:        "o-bob",
+			TeamID:         "t-security",
+		}, "admin")
+	if err != nil {
+		t.Fatalf("BulkReassign failed: %v", err)
+	}
+	if certRepo.Certs["mc-1"].TeamID != "t-security" {
+		t.Errorf("team_id = %q, want t-security", certRepo.Certs["mc-1"].TeamID)
+	}
+}
+
+// TestBulkReassign_PartialFailure — N=3, one cert mid-batch hits an
+// Update error. Rest of the batch continues; failure surfaced in
+// Errors.
+func TestBulkReassign_PartialFailure(t *testing.T) {
+	svc, certRepo, ownerRepo, _ := newBulkReassignmentTestService()
+	addOwner(ownerRepo, "o-bob")
+	addOwnedCert(certRepo, "mc-1", "o-alice", "")
+	addOwnedCert(certRepo, "mc-2", "o-alice", "")
+	addOwnedCert(certRepo, "mc-3", "o-alice", "")
+
+	// Force the next Update to fail uniformly. Mirrors how
+	// TestBulkRevoke_PartialFailure injects a downstream failure.
+	certRepo.UpdateErr = errors.New("simulated DB outage")
+
+	res, err := svc.BulkReassign(context.Background(),
+		domain.BulkReassignmentRequest{
+			CertificateIDs: []string{"mc-1", "mc-2", "mc-3"},
+			OwnerID:        "o-bob",
+		}, "admin")
+	if err != nil {
+		t.Fatalf("BulkReassign should not propagate per-cert errors; got: %v", err)
+	}
+	if res.TotalFailed != 3 || res.TotalReassigned != 0 {
+		t.Errorf("counts = failed:%d reassigned:%d, want 3/0", res.TotalFailed, res.TotalReassigned)
+	}
+}
+
+// TestBulkReassign_AuditEventEmitted — single bulk audit event.
+func TestBulkReassign_AuditEventEmitted(t *testing.T) {
+	svc, certRepo, ownerRepo, auditRepo := newBulkReassignmentTestService()
+	addOwner(ownerRepo, "o-bob")
+	addOwnedCert(certRepo, "mc-1", "o-alice", "")
+	addOwnedCert(certRepo, "mc-2", "o-alice", "")
+
+	_, err := svc.BulkReassign(context.Background(),
+		domain.BulkReassignmentRequest{
+			CertificateIDs: []string{"mc-1", "mc-2"},
+			OwnerID:        "o-bob",
+		}, "admin")
+	if err != nil {
+		t.Fatalf("BulkReassign failed: %v", err)
+	}
+
+	if len(auditRepo.Events) != 1 {
+		t.Errorf("audit events count = %d, want exactly 1 (one bulk event, NOT N per-cert events)", len(auditRepo.Events))
+	}
+	if len(auditRepo.Events) > 0 && auditRepo.Events[0].Action != "bulk_reassignment_initiated" {
+		t.Errorf("audit action = %q, want 'bulk_reassignment_initiated'", auditRepo.Events[0].Action)
+	}
+}