feat(M41): Envoy target connector with SDS support

File-based deployment for Envoy service mesh — writes cert/key/chain
to watched directory with optional SDS JSON config for xDS bootstrap.
Path traversal prevention, configurable filenames, 15 tests passing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/connector/target/envoy/envoy.go

@@ -0,0 +1,318 @@
+package envoy
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/connector/target"
+)
+
+// Config represents the Envoy deployment target configuration.
+// Envoy uses file-based certificate delivery — the agent writes cert/key files
+// to a directory that Envoy watches via its SDS (Secret Discovery Service)
+// file-based configuration or static filename references in the bootstrap config.
+type Config struct {
+	CertDir       string `json:"cert_dir"`        // Directory where Envoy watches for cert files (required)
+	CertFilename  string `json:"cert_filename"`   // Filename for certificate (default: cert.pem)
+	KeyFilename   string `json:"key_filename"`    // Filename for private key (default: key.pem)
+	ChainFilename string `json:"chain_filename"`  // Optional filename for chain (if set, chain written separately)
+	SDSConfig     bool   `json:"sds_config"`      // If true, write an SDS discovery JSON file for file-based SDS
+}
+
+// SDSResource represents an Envoy SDS tls_certificate resource for file-based SDS.
+// This matches Envoy's expected format for file-based Secret Discovery Service.
+type SDSResource struct {
+	Resources []SDSTLSCertificate `json:"resources"`
+}
+
+// SDSTLSCertificate represents a single SDS tls_certificate entry.
+type SDSTLSCertificate struct {
+	Type            string         `json:"@type"`
+	Name            string         `json:"name"`
+	TLSCertificate  TLSCertificate `json:"tls_certificate"`
+}
+
+// TLSCertificate contains the file paths for cert and key in Envoy's SDS format.
+type TLSCertificate struct {
+	CertificateChain DataSource `json:"certificate_chain"`
+	PrivateKey       DataSource `json:"private_key"`
+}
+
+// DataSource represents an Envoy data source pointing to a file path.
+type DataSource struct {
+	Filename string `json:"filename"`
+}
+
+// Connector implements the target.Connector interface for Envoy proxy servers.
+// This connector runs on the AGENT side and handles local certificate deployment.
+// Envoy watches the configured directory via its file-based SDS or static config
+// and automatically picks up certificate changes without an explicit reload.
+type Connector struct {
+	config *Config
+	logger *slog.Logger
+}
+
+// New creates a new Envoy target connector with the given configuration and logger.
+func New(config *Config, logger *slog.Logger) *Connector {
+	return &Connector{
+		config: config,
+		logger: logger,
+	}
+}
+
+// ValidateConfig checks that the certificate directory is configured and valid.
+func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessage) error {
+	var cfg Config
+	if err := json.Unmarshal(rawConfig, &cfg); err != nil {
+		return fmt.Errorf("invalid Envoy config: %w", err)
+	}
+
+	if cfg.CertDir == "" {
+		return fmt.Errorf("Envoy cert_dir is required")
+	}
+
+	// Default filenames if not provided
+	if cfg.CertFilename == "" {
+		cfg.CertFilename = "cert.pem"
+	}
+	if cfg.KeyFilename == "" {
+		cfg.KeyFilename = "key.pem"
+	}
+
+	// Validate filenames don't contain path separators (prevent path traversal)
+	if strings.Contains(cfg.CertFilename, "/") || strings.Contains(cfg.CertFilename, "\\") {
+		return fmt.Errorf("Envoy cert_filename must not contain path separators")
+	}
+	if strings.Contains(cfg.KeyFilename, "/") || strings.Contains(cfg.KeyFilename, "\\") {
+		return fmt.Errorf("Envoy key_filename must not contain path separators")
+	}
+	if cfg.ChainFilename != "" && (strings.Contains(cfg.ChainFilename, "/") || strings.Contains(cfg.ChainFilename, "\\")) {
+		return fmt.Errorf("Envoy chain_filename must not contain path separators")
+	}
+
+	c.logger.Info("validating Envoy configuration",
+		"cert_dir", cfg.CertDir,
+		"cert_filename", cfg.CertFilename,
+		"key_filename", cfg.KeyFilename,
+		"chain_filename", cfg.ChainFilename,
+		"sds_config", cfg.SDSConfig)
+
+	// Verify directory exists and is writable
+	if _, err := os.Stat(cfg.CertDir); os.IsNotExist(err) {
+		return fmt.Errorf("Envoy cert directory does not exist: %s", cfg.CertDir)
+	}
+
+	// Try to write a test file to verify directory is writable
+	testFile := filepath.Join(cfg.CertDir, ".certctl-write-test")
+	if err := os.WriteFile(testFile, []byte("test"), 0644); err != nil {
+		return fmt.Errorf("Envoy cert directory is not writable: %s (%w)", cfg.CertDir, err)
+	}
+	os.Remove(testFile)
+
+	c.config = &cfg
+	c.logger.Info("Envoy configuration validated")
+	return nil
+}
+
+// DeployCertificate writes the certificate and key files to the configured directory.
+// Envoy watches this directory via file-based SDS or static config references
+// and automatically picks up changes without requiring a reload command.
+//
+// Steps:
+// 1. Write certificate (+ chain if chain_filename not set) to cert_filename with mode 0644
+// 2. Write private key to key_filename with mode 0600
+// 3. If chain_filename set and chain provided, write chain separately with mode 0644
+// 4. If sds_config is true, write SDS JSON file pointing to cert/key paths
+func (c *Connector) DeployCertificate(ctx context.Context, request target.DeploymentRequest) (*target.DeploymentResult, error) {
+	c.logger.Info("deploying certificate to Envoy",
+		"cert_dir", c.config.CertDir,
+		"cert_filename", c.config.CertFilename,
+		"key_filename", c.config.KeyFilename)
+
+	startTime := time.Now()
+
+	certPath := filepath.Join(c.config.CertDir, c.config.CertFilename)
+	keyPath := filepath.Join(c.config.CertDir, c.config.KeyFilename)
+
+	// Build certificate data: if chain_filename is set, write chain separately;
+	// otherwise append chain to cert file (standard fullchain behavior)
+	certData := request.CertPEM + "\n"
+	if request.ChainPEM != "" && c.config.ChainFilename == "" {
+		certData += request.ChainPEM + "\n"
+	}
+
+	// Write certificate with mode 0644 (readable by Envoy process)
+	if err := os.WriteFile(certPath, []byte(certData), 0644); err != nil {
+		errMsg := fmt.Sprintf("failed to write certificate: %v", err)
+		c.logger.Error("certificate deployment failed", "error", err)
+		return &target.DeploymentResult{
+			Success:       false,
+			TargetAddress: certPath,
+			Message:       errMsg,
+			DeployedAt:    time.Now(),
+		}, fmt.Errorf("%s", errMsg)
+	}
+
+	// Write private key with secure permissions (0600: rw-------)
+	if request.KeyPEM != "" {
+		if err := os.WriteFile(keyPath, []byte(request.KeyPEM), 0600); err != nil {
+			errMsg := fmt.Sprintf("failed to write private key: %v", err)
+			c.logger.Error("key deployment failed", "error", err)
+			return &target.DeploymentResult{
+				Success:       false,
+				TargetAddress: keyPath,
+				Message:       errMsg,
+				DeployedAt:    time.Now(),
+			}, fmt.Errorf("%s", errMsg)
+		}
+	}
+
+	// Write chain separately if chain_filename is configured
+	if c.config.ChainFilename != "" && request.ChainPEM != "" {
+		chainPath := filepath.Join(c.config.CertDir, c.config.ChainFilename)
+		if err := os.WriteFile(chainPath, []byte(request.ChainPEM+"\n"), 0644); err != nil {
+			errMsg := fmt.Sprintf("failed to write chain: %v", err)
+			c.logger.Error("chain deployment failed", "error", err)
+			return &target.DeploymentResult{
+				Success:       false,
+				TargetAddress: chainPath,
+				Message:       errMsg,
+				DeployedAt:    time.Now(),
+			}, fmt.Errorf("%s", errMsg)
+		}
+	}
+
+	// Write SDS JSON file if configured
+	if c.config.SDSConfig {
+		if err := c.writeSDSConfig(); err != nil {
+			errMsg := fmt.Sprintf("failed to write SDS config: %v", err)
+			c.logger.Error("SDS config deployment failed", "error", err)
+			return &target.DeploymentResult{
+				Success:       false,
+				TargetAddress: certPath,
+				Message:       errMsg,
+				DeployedAt:    time.Now(),
+			}, fmt.Errorf("%s", errMsg)
+		}
+	}
+
+	deploymentDuration := time.Since(startTime)
+	c.logger.Info("certificate deployed to Envoy successfully",
+		"duration", deploymentDuration.String(),
+		"cert_path", certPath,
+		"key_path", keyPath,
+		"sds_config", c.config.SDSConfig)
+
+	metadata := map[string]string{
+		"cert_path":   certPath,
+		"key_path":    keyPath,
+		"duration_ms": fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
+	}
+	if c.config.SDSConfig {
+		metadata["sds_config_path"] = filepath.Join(c.config.CertDir, "sds.json")
+	}
+
+	return &target.DeploymentResult{
+		Success:       true,
+		TargetAddress: certPath,
+		DeploymentID:  fmt.Sprintf("envoy-%d", time.Now().Unix()),
+		Message:       "Certificate deployed to Envoy (file-based SDS will auto-reload)",
+		DeployedAt:    time.Now(),
+		Metadata:      metadata,
+	}, nil
+}
+
+// writeSDSConfig writes an Envoy SDS JSON file that references the cert/key file paths.
+// This file is consumed by Envoy's file-based SDS provider (path_config_source).
+func (c *Connector) writeSDSConfig() error {
+	certPath := filepath.Join(c.config.CertDir, c.config.CertFilename)
+	keyPath := filepath.Join(c.config.CertDir, c.config.KeyFilename)
+
+	sdsResource := SDSResource{
+		Resources: []SDSTLSCertificate{
+			{
+				Type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",
+				Name: "server_cert",
+				TLSCertificate: TLSCertificate{
+					CertificateChain: DataSource{Filename: certPath},
+					PrivateKey:       DataSource{Filename: keyPath},
+				},
+			},
+		},
+	}
+
+	sdsJSON, err := json.MarshalIndent(sdsResource, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal SDS config: %w", err)
+	}
+
+	sdsPath := filepath.Join(c.config.CertDir, "sds.json")
+	if err := os.WriteFile(sdsPath, sdsJSON, 0644); err != nil {
+		return fmt.Errorf("failed to write SDS config file: %w", err)
+	}
+
+	c.logger.Info("SDS config file written", "path", sdsPath)
+	return nil
+}
+
+// ValidateDeployment verifies that the deployed certificate files are readable.
+// It checks that both the certificate and key files exist and are accessible.
+func (c *Connector) ValidateDeployment(ctx context.Context, request target.ValidationRequest) (*target.ValidationResult, error) {
+	c.logger.Info("validating Envoy deployment",
+		"certificate_id", request.CertificateID,
+		"serial", request.Serial)
+
+	startTime := time.Now()
+
+	certPath := filepath.Join(c.config.CertDir, c.config.CertFilename)
+	keyPath := filepath.Join(c.config.CertDir, c.config.KeyFilename)
+
+	// Verify certificate file exists and is readable
+	if _, err := os.Stat(certPath); os.IsNotExist(err) {
+		errMsg := fmt.Sprintf("certificate file not found: %s", certPath)
+		c.logger.Error("validation failed", "error", err)
+		return &target.ValidationResult{
+			Valid:         false,
+			Serial:        request.Serial,
+			TargetAddress: certPath,
+			Message:       errMsg,
+			ValidatedAt:   time.Now(),
+		}, fmt.Errorf("%s", errMsg)
+	}
+
+	// Verify key file exists and is readable
+	if _, err := os.Stat(keyPath); os.IsNotExist(err) {
+		errMsg := fmt.Sprintf("private key file not found: %s", keyPath)
+		c.logger.Error("validation failed", "error", err)
+		return &target.ValidationResult{
+			Valid:         false,
+			Serial:        request.Serial,
+			TargetAddress: keyPath,
+			Message:       errMsg,
+			ValidatedAt:   time.Now(),
+		}, fmt.Errorf("%s", errMsg)
+	}
+
+	validationDuration := time.Since(startTime)
+	c.logger.Info("Envoy deployment validated successfully",
+		"duration", validationDuration.String())
+
+	return &target.ValidationResult{
+		Valid:         true,
+		Serial:        request.Serial,
+		TargetAddress: certPath,
+		Message:       "Certificate and key files accessible",
+		ValidatedAt:   time.Now(),
+		Metadata: map[string]string{
+			"cert_path":   certPath,
+			"key_path":    keyPath,
+			"duration_ms": fmt.Sprintf("%d", validationDuration.Milliseconds()),
+		},
+	}, nil
+}

internal/connector/target/envoy/envoy_test.go

@@ -0,0 +1,394 @@
+package envoy_test
+
+import (
+	"context"
+	"encoding/json"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/connector/target"
+	"github.com/shankar0123/certctl/internal/connector/target/envoy"
+)
+
+func testLogger() *slog.Logger {
+	return slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+}
+
+func TestEnvoyConnector_ValidateConfig_Success(t *testing.T) {
+	ctx := context.Background()
+	tmpDir := t.TempDir()
+
+	cfg := envoy.Config{
+		CertDir:      tmpDir,
+		CertFilename: "cert.pem",
+		KeyFilename:  "key.pem",
+	}
+
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
+		t.Fatalf("ValidateConfig failed: %v", err)
+	}
+}
+
+func TestEnvoyConnector_ValidateConfig_InvalidJSON(t *testing.T) {
+	ctx := context.Background()
+	connector := envoy.New(&envoy.Config{}, testLogger())
+	if err := connector.ValidateConfig(ctx, json.RawMessage(`{invalid}`)); err == nil {
+		t.Fatal("expected error for invalid JSON")
+	}
+}
+
+func TestEnvoyConnector_ValidateConfig_MissingCertDir(t *testing.T) {
+	ctx := context.Background()
+	cfg := envoy.Config{CertFilename: "cert.pem", KeyFilename: "key.pem"}
+
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	if err := connector.ValidateConfig(ctx, rawConfig); err == nil {
+		t.Fatal("expected error for missing cert_dir")
+	}
+}
+
+func TestEnvoyConnector_ValidateConfig_DirectoryNotExists(t *testing.T) {
+	ctx := context.Background()
+	cfg := envoy.Config{CertDir: "/nonexistent/directory"}
+
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	if err := connector.ValidateConfig(ctx, rawConfig); err == nil {
+		t.Fatal("expected error for non-existent directory")
+	}
+}
+
+func TestEnvoyConnector_ValidateConfig_PathTraversal_CertFilename(t *testing.T) {
+	ctx := context.Background()
+	tmpDir := t.TempDir()
+	cfg := envoy.Config{CertDir: tmpDir, CertFilename: "../../../etc/passwd"}
+
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	if err := connector.ValidateConfig(ctx, rawConfig); err == nil {
+		t.Fatal("expected error for path traversal in cert_filename")
+	}
+}
+
+func TestEnvoyConnector_ValidateConfig_PathTraversal_KeyFilename(t *testing.T) {
+	ctx := context.Background()
+	tmpDir := t.TempDir()
+	cfg := envoy.Config{CertDir: tmpDir, KeyFilename: "sub/key.pem"}
+
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	if err := connector.ValidateConfig(ctx, rawConfig); err == nil {
+		t.Fatal("expected error for path traversal in key_filename")
+	}
+}
+
+func TestEnvoyConnector_ValidateConfig_PathTraversal_ChainFilename(t *testing.T) {
+	ctx := context.Background()
+	tmpDir := t.TempDir()
+	cfg := envoy.Config{CertDir: tmpDir, ChainFilename: "../chain.pem"}
+
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	if err := connector.ValidateConfig(ctx, rawConfig); err == nil {
+		t.Fatal("expected error for path traversal in chain_filename")
+	}
+}
+
+func TestEnvoyConnector_ValidateConfig_DefaultFilenames(t *testing.T) {
+	ctx := context.Background()
+	tmpDir := t.TempDir()
+	cfg := envoy.Config{CertDir: tmpDir} // No filenames — should use defaults
+
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
+		t.Fatalf("ValidateConfig with defaults failed: %v", err)
+	}
+}
+
+func TestEnvoyConnector_DeployCertificate_Success(t *testing.T) {
+	ctx := context.Background()
+	tmpDir := t.TempDir()
+
+	cfg := envoy.Config{CertDir: tmpDir, CertFilename: "cert.pem", KeyFilename: "key.pem"}
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	_ = connector.ValidateConfig(ctx, rawConfig)
+
+	request := target.DeploymentRequest{
+		CertPEM:  "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
+		KeyPEM:   "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
+		ChainPEM: "-----BEGIN CERTIFICATE-----\nCAcert...\n-----END CERTIFICATE-----",
+	}
+
+	result, err := connector.DeployCertificate(ctx, request)
+	if err != nil {
+		t.Fatalf("DeployCertificate failed: %v", err)
+	}
+	if !result.Success {
+		t.Fatalf("deployment should succeed, got: %s", result.Message)
+	}
+
+	// Verify cert file was created with chain appended (no chain_filename set)
+	certData, err := os.ReadFile(filepath.Join(tmpDir, "cert.pem"))
+	if err != nil {
+		t.Fatalf("failed to read cert file: %v", err)
+	}
+	if got := string(certData); got != "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nCAcert...\n-----END CERTIFICATE-----\n" {
+		t.Fatalf("cert content mismatch: got %q", got)
+	}
+
+	// Verify key file created with correct permissions
+	keyPath := filepath.Join(tmpDir, "key.pem")
+	keyInfo, err := os.Stat(keyPath)
+	if err != nil {
+		t.Fatalf("key file not found: %v", err)
+	}
+	if perms := keyInfo.Mode().Perm(); perms != 0600 {
+		t.Fatalf("key permissions are %o, expected 0600", perms)
+	}
+}
+
+func TestEnvoyConnector_DeployCertificate_WithoutChain(t *testing.T) {
+	ctx := context.Background()
+	tmpDir := t.TempDir()
+
+	cfg := envoy.Config{CertDir: tmpDir, CertFilename: "cert.pem", KeyFilename: "key.pem"}
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	_ = connector.ValidateConfig(ctx, rawConfig)
+
+	request := target.DeploymentRequest{
+		CertPEM: "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
+		KeyPEM:  "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
+	}
+
+	result, err := connector.DeployCertificate(ctx, request)
+	if err != nil {
+		t.Fatalf("DeployCertificate failed: %v", err)
+	}
+	if !result.Success {
+		t.Fatalf("deployment should succeed, got: %s", result.Message)
+	}
+
+	// Cert file should only contain the leaf cert (no chain)
+	certData, _ := os.ReadFile(filepath.Join(tmpDir, "cert.pem"))
+	if got := string(certData); got != "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n" {
+		t.Fatalf("cert content mismatch: got %q", got)
+	}
+}
+
+func TestEnvoyConnector_DeployCertificate_SeparateChainFile(t *testing.T) {
+	ctx := context.Background()
+	tmpDir := t.TempDir()
+
+	cfg := envoy.Config{
+		CertDir:       tmpDir,
+		CertFilename:  "cert.pem",
+		KeyFilename:   "key.pem",
+		ChainFilename: "chain.pem",
+	}
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	_ = connector.ValidateConfig(ctx, rawConfig)
+
+	request := target.DeploymentRequest{
+		CertPEM:  "-----BEGIN CERTIFICATE-----\nleaf...\n-----END CERTIFICATE-----",
+		KeyPEM:   "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
+		ChainPEM: "-----BEGIN CERTIFICATE-----\nCA...\n-----END CERTIFICATE-----",
+	}
+
+	result, err := connector.DeployCertificate(ctx, request)
+	if err != nil {
+		t.Fatalf("DeployCertificate failed: %v", err)
+	}
+	if !result.Success {
+		t.Fatalf("deployment should succeed, got: %s", result.Message)
+	}
+
+	// Cert file should only contain leaf (chain is separate)
+	certData, _ := os.ReadFile(filepath.Join(tmpDir, "cert.pem"))
+	if got := string(certData); got != "-----BEGIN CERTIFICATE-----\nleaf...\n-----END CERTIFICATE-----\n" {
+		t.Fatalf("cert should not contain chain when chain_filename is set: got %q", got)
+	}
+
+	// Chain file should exist with chain data
+	chainData, err := os.ReadFile(filepath.Join(tmpDir, "chain.pem"))
+	if err != nil {
+		t.Fatalf("chain file not found: %v", err)
+	}
+	if got := string(chainData); got != "-----BEGIN CERTIFICATE-----\nCA...\n-----END CERTIFICATE-----\n" {
+		t.Fatalf("chain content mismatch: got %q", got)
+	}
+}
+
+func TestEnvoyConnector_DeployCertificate_WithSDSConfig(t *testing.T) {
+	ctx := context.Background()
+	tmpDir := t.TempDir()
+
+	cfg := envoy.Config{
+		CertDir:      tmpDir,
+		CertFilename: "cert.pem",
+		KeyFilename:  "key.pem",
+		SDSConfig:    true,
+	}
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	_ = connector.ValidateConfig(ctx, rawConfig)
+
+	request := target.DeploymentRequest{
+		CertPEM: "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
+		KeyPEM:  "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
+	}
+
+	result, err := connector.DeployCertificate(ctx, request)
+	if err != nil {
+		t.Fatalf("DeployCertificate failed: %v", err)
+	}
+	if !result.Success {
+		t.Fatalf("deployment should succeed, got: %s", result.Message)
+	}
+
+	// Verify SDS JSON file was created
+	sdsPath := filepath.Join(tmpDir, "sds.json")
+	sdsData, err := os.ReadFile(sdsPath)
+	if err != nil {
+		t.Fatalf("SDS config file not found: %v", err)
+	}
+
+	// Parse and verify SDS JSON structure
+	var sdsResource envoy.SDSResource
+	if err := json.Unmarshal(sdsData, &sdsResource); err != nil {
+		t.Fatalf("invalid SDS JSON: %v", err)
+	}
+
+	if len(sdsResource.Resources) != 1 {
+		t.Fatalf("expected 1 SDS resource, got %d", len(sdsResource.Resources))
+	}
+
+	res := sdsResource.Resources[0]
+	if res.Type != "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" {
+		t.Fatalf("wrong @type: %s", res.Type)
+	}
+	if res.Name != "server_cert" {
+		t.Fatalf("wrong name: %s", res.Name)
+	}
+
+	expectedCertPath := filepath.Join(tmpDir, "cert.pem")
+	expectedKeyPath := filepath.Join(tmpDir, "key.pem")
+	if res.TLSCertificate.CertificateChain.Filename != expectedCertPath {
+		t.Fatalf("cert chain path mismatch: got %s, want %s", res.TLSCertificate.CertificateChain.Filename, expectedCertPath)
+	}
+	if res.TLSCertificate.PrivateKey.Filename != expectedKeyPath {
+		t.Fatalf("private key path mismatch: got %s, want %s", res.TLSCertificate.PrivateKey.Filename, expectedKeyPath)
+	}
+
+	// Verify SDS path is in metadata
+	if result.Metadata["sds_config_path"] != sdsPath {
+		t.Fatalf("SDS config path not in metadata")
+	}
+}
+
+func TestEnvoyConnector_DeployCertificate_WriteError(t *testing.T) {
+	ctx := context.Background()
+
+	cfg := envoy.Config{
+		CertDir:      "/root/envoy/certs",
+		CertFilename: "cert.pem",
+		KeyFilename:  "key.pem",
+	}
+	connector := envoy.New(&cfg, testLogger())
+
+	request := target.DeploymentRequest{
+		CertPEM: "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
+		KeyPEM:  "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
+	}
+
+	result, err := connector.DeployCertificate(ctx, request)
+	if err == nil {
+		t.Fatal("expected error for write failure")
+	}
+	if result.Success {
+		t.Fatal("deployment should fail")
+	}
+}
+
+func TestEnvoyConnector_ValidateDeployment_Success(t *testing.T) {
+	ctx := context.Background()
+	tmpDir := t.TempDir()
+
+	cfg := envoy.Config{CertDir: tmpDir, CertFilename: "cert.pem", KeyFilename: "key.pem"}
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	_ = connector.ValidateConfig(ctx, rawConfig)
+
+	// First deploy
+	deployReq := target.DeploymentRequest{
+		CertPEM: "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
+		KeyPEM:  "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
+	}
+	connector.DeployCertificate(ctx, deployReq)
+
+	// Then validate
+	validateReq := target.ValidationRequest{
+		CertificateID: "mc-test",
+		Serial:        "123456",
+	}
+
+	result, err := connector.ValidateDeployment(ctx, validateReq)
+	if err != nil {
+		t.Fatalf("ValidateDeployment failed: %v", err)
+	}
+	if !result.Valid {
+		t.Fatalf("validation should succeed, got: %s", result.Message)
+	}
+	if result.Serial != "123456" {
+		t.Fatalf("serial mismatch: expected 123456, got %s", result.Serial)
+	}
+}
+
+func TestEnvoyConnector_ValidateDeployment_CertFileNotFound(t *testing.T) {
+	ctx := context.Background()
+	tmpDir := t.TempDir()
+
+	cfg := envoy.Config{CertDir: tmpDir, CertFilename: "cert.pem", KeyFilename: "key.pem"}
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	_ = connector.ValidateConfig(ctx, rawConfig)
+
+	validateReq := target.ValidationRequest{CertificateID: "mc-test", Serial: "123456"}
+	result, err := connector.ValidateDeployment(ctx, validateReq)
+	if err == nil {
+		t.Fatal("expected error for missing certificate file")
+	}
+	if result.Valid {
+		t.Fatal("validation should fail")
+	}
+}
+
+func TestEnvoyConnector_ValidateDeployment_KeyFileNotFound(t *testing.T) {
+	ctx := context.Background()
+	tmpDir := t.TempDir()
+
+	cfg := envoy.Config{CertDir: tmpDir, CertFilename: "cert.pem", KeyFilename: "key.pem"}
+	connector := envoy.New(&cfg, testLogger())
+	rawConfig, _ := json.Marshal(cfg)
+	_ = connector.ValidateConfig(ctx, rawConfig)
+
+	// Write cert but not key
+	os.WriteFile(filepath.Join(tmpDir, "cert.pem"), []byte("cert"), 0644)
+
+	validateReq := target.ValidationRequest{CertificateID: "mc-test", Serial: "123456"}
+	result, err := connector.ValidateDeployment(ctx, validateReq)
+	if err == nil {
+		t.Fatal("expected error for missing key file")
+	}
+	if result.Valid {
+		t.Fatal("validation should fail")
+	}
+}

internal/domain/connector.go

@@ -84,4 +84,5 @@ const (
 	TargetTypeIIS      TargetType = "IIS"
 	TargetTypeTraefik  TargetType = "Traefik"
 	TargetTypeCaddy    TargetType = "Caddy"
+	TargetTypeEnvoy    TargetType = "Envoy"
 )