fix(gui): add missing Name field to certificate creation form

The New Certificate modal was missing the required "name" field,
causing all certificate creation attempts to fail with "name is
required". Added Name text input above ID field with client-side
validation matching the backend requirement.

Fixes #GH-issue (name is required on certificate creation)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

api/openapi.yaml

@@ -250,6 +250,8 @@ paths:
                 $ref: "#/components/schemas/ManagedCertificate"
         "400":
           $ref: "#/components/responses/BadRequest"
+        "404":
+          $ref: "#/components/responses/NotFound"
         "500":
           $ref: "#/components/responses/InternalError"
     delete:
@@ -261,6 +263,8 @@ paths:
       responses:
         "204":
           description: Certificate archived
+        "404":
+          $ref: "#/components/responses/NotFound"
         "500":
           $ref: "#/components/responses/InternalError"
 
@@ -306,6 +310,12 @@ paths:
             application/json:
               schema:
                 $ref: "#/components/schemas/StatusResponse"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "404":
+          $ref: "#/components/responses/NotFound"
+        "409":
+          $ref: "#/components/responses/Conflict"
         "500":
           $ref: "#/components/responses/InternalError"
 
@@ -820,6 +830,8 @@ paths:
                 $ref: "#/components/schemas/Agent"
         "400":
           $ref: "#/components/responses/BadRequest"
+        "409":
+          $ref: "#/components/responses/Conflict"
         "500":
           $ref: "#/components/responses/InternalError"
 
@@ -877,6 +889,8 @@ paths:
                 $ref: "#/components/schemas/StatusResponse"
         "400":
           $ref: "#/components/responses/BadRequest"
+        "404":
+          $ref: "#/components/responses/NotFound"
         "500":
           $ref: "#/components/responses/InternalError"
 
@@ -2469,6 +2483,12 @@ components:
         application/json:
           schema:
             $ref: "#/components/schemas/ErrorResponse"
+    Conflict:
+      description: Resource conflict
+      content:
+        application/json:
+          schema:
+            $ref: "#/components/schemas/ErrorResponse"
     InternalError:
       description: Internal server error
       content:
@@ -2571,6 +2591,13 @@ components:
         updated_at:
           type: string
           format: date-time
+      required:
+        - name
+        - common_name
+        - renewal_policy_id
+        - issuer_id
+        - owner_id
+        - team_id
 
     CertificateVersion:
       type: object

docs/certctl-for-cert-manager-users.md

@@ -27,7 +27,7 @@ Result:
 
 Deploy certctl control plane once (Docker Compose, Kubernetes Helm chart, or self-hosted). Deploy agents on your VMs, bare metal, and network appliances. One dashboard shows:
 - **All cert-manager certs** via discovery scanning (agents find cert-manager-issued certs copied to target machines, or scan the cluster directly)
-- **All certctl-managed certs** issued by shared issuers (ACME, step-ca, Vault PKI (coming in v2.1), private CA)
+- **All certctl-managed certs** issued by shared issuers (ACME, step-ca, Vault PKI (planned), private CA)
 - **Unified renewal and deployment** across both worlds
 - **Single pane of glass** with expiration timeline, renewal status, deployment verification, audit trail
 
@@ -39,8 +39,7 @@ Deploy certctl control plane once (Docker Compose, Kubernetes Helm chart, or sel
 ```bash
 cd /opt/certctl
 docker compose up -d
-# Dashboard: http://localhost:3000
-# API: http://localhost:8080
+# Dashboard & API: http://localhost:8443
 ```
 
 **Option B: Kubernetes** (recommended for prod)
@@ -60,7 +59,7 @@ chmod +x /usr/local/bin/certctl-agent
 
 # Config
 sudo tee /etc/certctl/agent.env > /dev/null <<EOF
-CERTCTL_SERVER_URL=https://certctl-control-plane:8080
+CERTCTL_SERVER_URL=http://certctl-control-plane:8443
 CERTCTL_API_KEY=your-api-key
 CERTCTL_DISCOVERY_DIRS=/etc/nginx/certs,/etc/ssl,/etc/letsencrypt/live
 CERTCTL_KEY_DIR=/var/lib/certctl/keys
@@ -83,18 +82,20 @@ Agents scan configured directories and report back all existing certs. In the da
 Set up the same issuer certctl uses for non-Kubernetes certs:
 - **ACME** (Let's Encrypt, for public certs)
 - **step-ca** (Smallstep, for internal certs)
-- **Vault PKI** (coming in v2.1) (HashiCorp Vault, for enterprise PKI)
+- **Vault PKI** (planned) (HashiCorp Vault, for enterprise PKI)
 - **Private CA** (your own internal root CA)
 
 No new CA infrastructure needed. If cert-manager already uses your CA, certctl points to the same one.
 
 ### 5. Create Policies for Non-Kubernetes Certs
 
-Go to **Policies** → **New Policy**:
-- Issuer: shared (ACME, step-ca, Vault (coming in v2.1), private CA)
-- Profile: serverAuth for NGINX/Apache/HAProxy, clientAuth for mTLS, emailProtection for S/MIME
-- Renewal Threshold: 30 days (default, adjust per SLA)
-- Scope: agent groups (VMs, bare metal, appliances)
+Go to **Policies** → **+ New Policy** to create enforcement rules:
+- **Name:** e.g., "VM Certificate Policy"
+- **Type:** `expiration_window` or `key_algorithm` (enforce renewal thresholds or crypto requirements)
+- **Severity:** `high`
+- **Config:** set your enforcement parameters
+
+Certificates are linked to issuers and profiles when created or claimed from discovery. Policies add guardrails — enforcing key algorithm requirements, expiration windows, and other compliance rules across your fleet.
 
 ### 6. View Unified Inventory
 
@@ -114,7 +115,7 @@ Go to **Policies** → **New Policy**:
 If cert-manager and certctl both use the same CA:
 - **ACME**: cert-manager uses ClusterIssuer + certctl uses ACME connector → same Let's Encrypt account, transparent coexistence
 - **step-ca**: cert-manager uses external issuer CRD + certctl uses step-ca connector → same provisioner, shared certificate inventory
-- **Vault PKI** (coming in v2.1): cert-manager uses external issuer CRD + certctl uses Vault connector → same mount, same audit trail
+- **Vault PKI** (planned): cert-manager uses external issuer CRD + certctl uses Vault connector → same mount, same audit trail
 
 No conflict. They just issue certs through the same CA. certctl's discovery scanning finds cert-manager-issued certs and shows them alongside certctl-managed ones.
 
@@ -138,6 +139,6 @@ For now: cert-manager handles Kubernetes, certctl handles everything else. They
 ## Next Steps
 
 1. Review [Quick Start](./quickstart.md) for a 5-minute demo
-2. Explore [Agents and Targets](./architecture.md#agents-and-targets) for deployment architecture
-3. Read about [Discovery Scanning](./quickstart.md#discovery) to auto-find certs
+2. Explore [Architecture](./architecture.md#agents) for deployment architecture
+3. Read about [Discovery Scanning](./quickstart.md#certificate-discovery) to auto-find certs
 4. Check [Helm Chart](../deploy/helm/certctl/) for production Kubernetes deployment

docs/migrate-from-acmesh.md

@@ -99,18 +99,23 @@ Environment="CERTCTL_DISCOVERY_DIRS=/etc/acme.sh"
 In the **Discovery** page:
 1. Review the "Unmanaged" certificates found by the agent
 2. Click **Claim** on each acme.sh certificate
-3. Map to the certificate ID (certctl auto-generates suggestions)
+3. Enter the managed certificate ID to link it (e.g., `mc-api-prod`)
 
 Once claimed, the certificate appears in the main **Certificates** page with ownership, renewal history, and deployment status.
 
 ### 5. Create an ACME Issuer
 
-In **Issuers** → **Configure New Issuer:**
+In **Issuers** → **+ New Issuer:**
 
-- **Type:** ACME v2
-- **Directory URL:** `https://acme-v02.api.letsencrypt.org/directory` (production) or staging for testing
-- **Email:** Same email as your acme.sh account (required for ACME ToS)
-- **Challenge Type:** DNS-01 (to match acme.sh's DNS validation)
+1. Select **ACME** from the issuer type grid
+2. Fill in the type-specific fields: name, directory URL (`https://acme-v02.api.letsencrypt.org/directory`), and config
+
+Or configure via environment variables:
+```bash
+export CERTCTL_ACME_DIRECTORY_URL=https://acme-v02.api.letsencrypt.org/directory
+export CERTCTL_ACME_EMAIL=your-email@example.com  # same as your acme.sh account
+export CERTCTL_ACME_CHALLENGE_TYPE=dns-01
+```
 
 ### 6. Adapt Your DNS Provider Scripts
 
@@ -182,26 +187,28 @@ curl -X DELETE "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_record
   -H "X-Auth-Key: ${CF_KEY}"
 ```
 
-Configure in the ACME issuer:
+Configure the ACME issuer via environment variables:
 
-```json
-{
-  "challenge_type": "dns-01",
-  "dns_present_script": "/etc/certctl/dns/cloudflare-present.sh",
-  "dns_cleanup_script": "/etc/certctl/dns/cloudflare-cleanup.sh",
-  "dns_propagation_wait": 30
-}
+```bash
+export CERTCTL_ACME_DIRECTORY_URL=https://acme-v02.api.letsencrypt.org/directory
+export CERTCTL_ACME_EMAIL=your-email@example.com
+export CERTCTL_ACME_CHALLENGE_TYPE=dns-01
+export CERTCTL_ACME_DNS_PRESENT_SCRIPT=/etc/certctl/dns/cloudflare-present.sh
+export CERTCTL_ACME_DNS_CLEANUP_SCRIPT=/etc/certctl/dns/cloudflare-cleanup.sh
 ```
 
+Or create the issuer through the dashboard: **Issuers** → **+ New Issuer** → select **ACME** → fill in the config fields.
+
 ### 7. Create Renewal Policies
 
-In **Policies:**
+In **Policies** → **+ New Policy:**
 
-- **Certificate Profile:** Select the issuer and challenge type from step 5
-- **Renewal Threshold:** 30 days before expiry (or match your acme.sh cron settings)
-- **Agent Group:** Select which agents should renew certificates
+- **Name:** e.g., "ACME DNS-01 Policy"
+- **Type:** `expiration_window` (enforces renewal thresholds)
+- **Severity:** `high`
+- **Config:** set your renewal window (default: 30 days before expiry)
 
-Set one policy per domain or domain pattern.
+Renewal scheduling is driven by the certificate's assigned profile and issuer. Policies add enforcement guardrails on top.
 
 ### 8. Phase Out acme.sh Cron
 
@@ -252,11 +259,10 @@ Benefits:
 
 To enable:
 
-```json
-{
-  "challenge_type": "dns-persist-01",
-  "dns_persist_issuer_domain": "acme-v02.api.letsencrypt.org"
-}
+```bash
+export CERTCTL_ACME_CHALLENGE_TYPE=dns-persist-01
+export CERTCTL_ACME_DNS_PERSIST_ISSUER_DOMAIN=letsencrypt.org
+export CERTCTL_ACME_DNS_PRESENT_SCRIPT=/etc/certctl/dns/cloudflare-present.sh
 ```
 
 certctl automatically falls back to DNS-01 if the CA doesn't support dns-persist-01 yet.

docs/migrate-from-certbot.md

@@ -22,7 +22,7 @@ Option A: Docker Compose (quickest for evaluation)
 ```bash
 cd /opt/certctl
 docker compose up -d
-# Dashboard & API: https://localhost:8443
+# Dashboard & API: http://localhost:8443
 # Default API key in logs (grep CERTCTL_API_KEY docker logs certctl-server)
 ```
 
@@ -45,7 +45,7 @@ chmod +x /usr/local/bin/certctl-agent
 # Create config
 sudo mkdir -p /etc/certctl /var/lib/certctl/keys
 sudo tee /etc/certctl/agent.env > /dev/null <<EOF
-CERTCTL_SERVER_URL=https://certctl-control-plane.example.com:8080
+CERTCTL_SERVER_URL=http://certctl-control-plane.example.com:8443
 CERTCTL_API_KEY=your-api-key-here
 CERTCTL_DISCOVERY_DIRS=/etc/letsencrypt/live
 CERTCTL_KEY_DIR=/var/lib/certctl/keys
@@ -71,24 +71,34 @@ The control plane now knows about all 50 certs and where they live.
 
 ### 4. Configure ACME Issuer
 
-Go to **Issuers** → **Add Issuer**:
-- Type: ACME
-- Directory URL: `https://acme-v02.api.letsencrypt.org/directory` (production)
-- Email: your Let's Encrypt account email
-- Challenge Type: `http-01` (if you have HTTP access) or `dns-01` (for wildcard/internal certs)
-- For DNS-01, provide your DNS provider's script hook (Cloudflare, Route53, Azure DNS, etc.)
+Go to **Issuers** → **+ New Issuer**:
+1. Select **ACME** from the issuer type grid
+2. Fill in the type-specific fields: name, directory URL (`https://acme-v02.api.letsencrypt.org/directory`), and any required config
 
-Test the connection. certctl uses the same Let's Encrypt account; no new credentials needed.
+Alternatively, configure via environment variables before starting the server:
+```bash
+export CERTCTL_ACME_DIRECTORY_URL=https://acme-v02.api.letsencrypt.org/directory
+export CERTCTL_ACME_EMAIL=your-email@example.com
+export CERTCTL_ACME_CHALLENGE_TYPE=http-01  # or dns-01 for wildcard certs
+```
+
+For DNS-01, also set:
+```bash
+export CERTCTL_ACME_DNS_PRESENT_SCRIPT=/etc/certctl/dns/present.sh
+export CERTCTL_ACME_DNS_CLEANUP_SCRIPT=/etc/certctl/dns/cleanup.sh
+```
+
+certctl uses the same Let's Encrypt account; no new credentials needed.
 
 ### 5. Create Renewal Policies
 
-Go to **Policies** → **New Policy**:
-- Profile: ACME (or create a new one with `serverAuth` EKU)
-- Issuer: the ACME issuer you just created
-- Renewal Threshold: 30 days before expiry (default, adjust as needed)
-- Scope: select agent groups or individual agents managing your servers
+Go to **Policies** → **+ New Policy** to create enforcement rules:
+- Name: e.g., "ACME Renewal Policy"
+- Type: `expiration_window` (to enforce renewal thresholds)
+- Severity: `high`
+- Config: set your renewal threshold (default: 30 days before expiry)
 
-Assign this policy to your discovered certs.
+Renewal scheduling is driven by the certificate's assigned profile and issuer. Policies add enforcement guardrails (key algorithm requirements, expiration windows, etc.).
 
 ### 6. Disable Certbot Cron, One Server at a Time
 
@@ -133,11 +143,11 @@ docker compose up -d
 # Other options: CERTCTL_TEAMS_WEBHOOK_URL, CERTCTL_PAGERDUTY_ROUTING_KEY, CERTCTL_OPSGENIE_API_KEY
 ```
 
-Now you get 30/14/7-day warnings before any cert expires, across all 50 servers, in one place.
+Now you get 30/14/7-day warnings before any cert expires, across all 10 servers, in one place.
 
 ## What Changes
 
-- **Renewal**: Agent polls certctl for work instead of Certbot cron triggering locally. Faster failure detection (agent heartbeat every 5 minutes vs. cron running once a day).
+- **Renewal**: Agent polls certctl for work instead of Certbot cron triggering locally. Faster failure detection (agent heartbeat every 60 seconds vs. cron running once a day).
 - **Deployment**: certctl verifies post-deployment by probing the live TLS endpoint and comparing SHA-256 fingerprints. Catches reload failures silently.
 - **Audit Trail**: Every renewal, deployment, and alert is logged immutably. Answer "who renewed cert X when and why" within seconds.
 - **Alerting**: Threshold-based alerts to Slack/email/webhook 30/14/7 days before expiry, not when cert expires.
@@ -157,5 +167,5 @@ certctl will stop renewing that cert when the policy is disabled. Certbot resume
 ## Next Steps
 
 - Review the [Concepts Guide](./concepts.md) for terminology (profiles, policies, agents, jobs)
-- Explore [Network Discovery](./quickstart.md#network-discovery) to find certificates you didn't know about
-- Set up [Kubernetes cert-manager integration](./cert-manager.md) if you manage in-cluster certs too
+- Explore [Network Discovery](./quickstart.md#network-discovery-agentless) to find certificates you didn't know about
+- Set up [Kubernetes cert-manager integration](./certctl-for-cert-manager-users.md) if you manage in-cluster certs too

docs/testing-guide.md

@@ -5071,44 +5071,517 @@ openssl crl -in /tmp/subca-crl.der -inform DER -noout -issuer
 
 ## Release Sign-Off
 
-All 34 parts must pass before tagging v2.1.0.
+All tests below must pass before tagging v2.1.0. Each row is one individual test from the guide above. The **Method** column indicates whether `qa-smoke-test.sh` covers the test automatically (**Auto**) or requires hands-on verification (**Manual**).
 
-| Section | Pass? | Tester | Date | Notes |
-|---------|-------|--------|------|-------|
-| Part 1: Infrastructure & Deployment | ☐ | | | |
-| Part 2: Authentication & Security | ☐ | | | |
-| Part 3: Certificate Lifecycle (CRUD) | ☐ | | | |
-| Part 4: Renewal Workflow | ☐ | | | |
-| Part 5: Revocation | ☐ | | | |
-| Part 6: Issuer Connectors | ☐ | | | |
-| Part 7: Target Connectors & Deployment | ☐ | | | |
-| Part 8: Agent Operations | ☐ | | | |
-| Part 9: Job System | ☐ | | | |
-| Part 10: Policies & Profiles | ☐ | | | |
-| Part 11: Ownership, Teams & Agent Groups | ☐ | | | |
-| Part 12: Notifications | ☐ | | | |
-| Part 13: Observability (JSON + Prometheus) | ☐ | | | |
-| Part 14: Audit Trail | ☐ | | | |
-| Part 15: Certificate Discovery (Filesystem + Network) | ☐ | | | |
-| Part 16: Enhanced Query API | ☐ | | | |
-| Part 17: CLI Tool | ☐ | | | |
-| Part 18: MCP Server | ☐ | | | |
-| Part 19: GUI Testing | ☐ | | | |
-| Part 20: Background Scheduler | ☐ | | | |
-| Part 21: Error Handling | ☐ | | | |
-| Part 22: Performance Spot Checks | ☐ | | | |
-| Part 23: Structured Logging | ☐ | | | |
-| Part 24: Documentation Verification | ☐ | | | |
-| Part 25: Regression Tests | ☐ | | | |
-| Part 26: EST Server (RFC 7030) | ☐ | | | |
-| Part 27: Post-Deployment TLS Verification | ☐ | | | |
-| Part 28: Traefik & Caddy Target Connectors | ☐ | | | |
-| Part 29: Certificate Export (PEM & PKCS#12) | ☐ | | | |
-| Part 30: S/MIME & EKU Support | ☐ | | | |
-| Part 31: OCSP Responder & DER CRL | ☐ | | | |
-| Part 32: Request Body Size Limits | ☐ | | | |
-| Part 33: Apache & HAProxy Target Connectors | ☐ | | | |
-| Part 34: Sub-CA Mode | ☐ | | | |
+### Automated Prerequisites
+
+These must be green before starting manual QA:
+
+| Gate | Pass? | Date | Notes |
+|------|-------|------|-------|
+| CI pipeline green (Go build + vet + race + lint + vuln + tests) | ☐ | | |
+| CI pipeline green (Frontend tsc + vitest + vite build) | ☐ | | |
+| Coverage thresholds met (service 60%, handler 60%, domain 40%, middleware 50%) | ☐ | | |
+| `qa-smoke-test.sh` — 0 failures | ☑ | 2026-03-30 | 121 pass, 0 fail, 5 skip |
+
+### Part 1: Infrastructure & Deployment
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 1.1.1 | PostgreSQL is accepting connections | Auto | ☑ | 2026-03-30 |  |
+| 1.1.2 | Database schema applied (21 tables) | Auto | ☑ | 2026-03-30 |  |
+| 1.1.3 | Server liveness probe | Auto | ☑ | 2026-03-30 |  |
+| 1.1.4 | Server readiness probe | Auto | ☑ | 2026-03-30 |  |
+| 1.1.5 | Agent container is running | Auto | ☑ | 2026-03-30 |  |
+| 1.1.6 | Demo seed data loaded (all 9 resource types) | Auto | ☑ | 2026-03-30 |  |
+| 1.2.1 | Server shuts down cleanly on SIGTERM | Manual | ☐ |  |  |
+| 1.2.2 | Data persists across full restart | Manual | ☐ |  |  |
+| 1.3.1 | Custom port binding | Manual | ☐ |  |  |
+| 1.3.2 | Debug logging | Manual | ☐ |  |  |
+| 1.3.3 | Auth disabled with explicit none | Auto | ☑ | 2026-03-30 |  |
+| 1.3.4 | Auth none produces warning log | Auto | ☑ | 2026-03-30 |  |
+
+### Part 2: Authentication & Security
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 2.1.1 | Request without auth header returns 401 | Manual | ☐ |  |  |
+| 2.1.2 | Request with wrong API key returns 401 | Manual | ☐ |  |  |
+| 2.1.3 | Request with valid API key returns 200 | Manual | ☐ |  |  |
+| 2.1.4 | /health accessible without auth (always) | Manual | ☐ |  |  |
+| 2.1.5 | /ready accessible without auth (always) | Manual | ☐ |  |  |
+| 2.1.6 | /api/v1/auth/info accessible without auth (GUI bootstrap) | Manual | ☐ |  |  |
+| 2.1.7 | /api/v1/auth/check with valid key returns 200 | Manual | ☐ |  |  |
+| 2.1.8 | /api/v1/auth/check without key returns 401 | Manual | ☐ |  |  |
+| 2.2.1 | Burst exceeds limit, returns 429 with Retry-After | Manual | ☐ |  |  |
+| 2.2.2 | 429 response includes Retry-After header | Manual | ☐ |  |  |
+| 2.2.3 | Rate limit bucket refills after waiting | Manual | ☐ |  |  |
+| 2.3.1 | Preflight OPTIONS with allowed origin returns CORS headers | Manual | ☐ |  |  |
+| 2.3.2 | Request from disallowed origin has no CORS headers | Manual | ☐ |  |  |
+| 2.3.3 | Wildcard CORS mode | Manual | ☐ |  |  |
+| 2.4.1 | Private keys never in API responses (certificate detail) | Auto | ☑ | 2026-03-30 |  |
+| 2.4.2 | Private keys never in API responses (certificate versions) | Auto | ☑ | 2026-03-30 |  |
+| 2.4.3 | Private keys never in API responses (agent work) | Auto | ☑ | 2026-03-30 |  |
+| 2.4.4 | Private keys never in server logs | Auto | ☑ | 2026-03-30 |  |
+| 2.4.5 | API key stored as SHA-256 hash (not plaintext) | Manual | ☐ |  |  |
+
+### Part 3: Certificate Lifecycle (CRUD)
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 3.1.1 | Create certificate with minimal fields | Auto | ☑ | 2026-03-30 |  |
+| 3.1.2 | Create certificate with all fields | Auto | ☑ | 2026-03-30 |  |
+| 3.1.3 | Create certificate with duplicate common_name | Auto | ☑ | 2026-03-30 |  |
+| 3.2.1 | List certificates with pagination metadata | Auto | ☑ | 2026-03-30 |  |
+| 3.2.2 | Filter by status | Auto | ☑ | 2026-03-30 |  |
+| 3.2.3 | Filter by owner | Auto | ☑ | 2026-03-30 |  |
+| 3.2.4 | Filter by issuer | Auto | ☑ | 2026-03-30 |  |
+| 3.2.5 | Filter by environment | Auto | ☑ | 2026-03-30 |  |
+| 3.2.6 | Pagination: page 2 | Auto | ☑ | 2026-03-30 |  |
+| 3.2.7 | Sort descending by notAfter | Manual | ☐ |  |  |
+| 3.2.8 | Sort ascending by commonName | Manual | ☐ |  |  |
+| 3.2.9 | Sparse fields | Auto | ☑ | 2026-03-30 |  |
+| 3.2.10 | Cursor pagination: first page | Auto | ☑ | 2026-03-30 |  |
+| 3.2.11 | Cursor pagination: second page | Manual | ☐ |  |  |
+| 3.2.12 | Time-range filter: expires_before | Auto | ☑ | 2026-03-30 |  |
+| 3.3.1 | Get single certificate by ID | Auto | ☑ | 2026-03-30 |  |
+| 3.3.2 | Get nonexistent certificate returns 404 | Auto | ☑ | 2026-03-30 |  |
+| 3.3.3 | Update certificate fields | Auto | ☑ | 2026-03-30 |  |
+| 3.3.4 | Archive (soft delete) certificate | Auto | ☑ | 2026-03-30 |  |
+| 3.3.5 | Get archived certificate behavior | Manual | ☐ |  |  |
+| 3.4.1 | Get certificate versions | Auto | ☑ | 2026-03-30 |  |
+| 3.4.2 | Get certificate deployments | Auto | ☑ | 2026-03-30 |  |
+| 3.4.3 | Trigger deployment creates a job | Manual | ☐ |  |  |
+
+### Part 4: Renewal Workflow
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 4.1.1 | Trigger renewal creates job | Auto | ☑ | 2026-03-30 |  |
+| 4.1.2 | Renewal job appears in jobs list | Auto | ☑ | 2026-03-30 |  |
+| 4.1.3 | Renewal on nonexistent certificate returns 404 | Auto | ☑ | 2026-03-30 |  |
+| 4.2.1 | Server keygen mode: job completes automatically | Manual | ☐ |  |  |
+| 4.3.1 | Approve a job | Manual | ☐ |  |  |
+| 4.3.2 | Reject a job with reason | Manual | ☐ |  |  |
+| 4.4.1 | Agent work endpoint returns pending jobs | Auto | ☑ | 2026-03-30 |  |
+| 4.4.2 | Agent reports job status | Manual | ☐ |  |  |
+
+### Part 5: Revocation
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 5.1.1 | Revoke with default reason | Auto | ☑ | 2026-03-30 |  |
+| 5.1.2 | Revoke with reason: keyCompromise | Auto | ☑ | 2026-03-30 |  |
+| 5.1.3 | Revoke with reason: caCompromise | Manual | ☐ |  |  |
+| 5.1.4 | Revoke with reason: affiliationChanged | Manual | ☐ |  |  |
+| 5.1.5 | Revoke with reason: superseded | Manual | ☐ |  |  |
+| 5.1.6 | Revoke with reason: cessationOfOperation | Manual | ☐ |  |  |
+| 5.1.7 | Revoke with reason: certificateHold | Manual | ☐ |  |  |
+| 5.1.8 | Revoke with reason: privilegeWithdrawn | Manual | ☐ |  |  |
+| 5.2.1 | Revoke already-revoked certificate | Auto | ☑ | 2026-03-30 |  |
+| 5.2.2 | Revoke nonexistent certificate | Auto | ☑ | 2026-03-30 |  |
+| 5.2.3 | Revoke with invalid reason | Auto | ☑ | 2026-03-30 |  |
+| 5.2.4 | Revocation appears in audit trail | Manual | ☐ |  |  |
+| 5.3.1 | JSON CRL endpoint | Auto | ☑ | 2026-03-30 |  |
+| 5.3.2 | DER CRL endpoint | Auto | ☑ | 2026-03-30 |  |
+| 5.3.3 | OCSP: good response for non-revoked cert | Auto | ☑ | 2026-03-30 |  |
+| 5.3.4 | OCSP: revoked response for revoked cert | Manual | ☐ |  |  |
+| 5.3.5 | OCSP: unknown serial | Manual | ☐ |  |  |
+
+### Part 6: Issuer Connectors
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 6.1.1 | List issuers shows seed data | Auto | ☑ | 2026-03-30 |  |
+| 6.1.2 | Get issuer detail | Auto | ☑ | 2026-03-30 |  |
+| 6.1.3 | Create issuer | Auto | ☑ | 2026-03-30 |  |
+| 6.1.4 | Update issuer | Manual | ☐ |  |  |
+| 6.1.5 | Delete issuer | Auto | ☑ | 2026-03-30 |  |
+| 6.1.6 | Test issuer connection | Manual | ☐ |  |  |
+| 6.1.7 | Create issuer with missing name returns validation error | Auto | ☑ | 2026-03-30 |  |
+| 6.1.8 | Create issuer with invalid type | Manual | ☐ |  |  |
+| 6.2.1 | List ACME issuer with DNS-01 configuration | Manual | ☐ |  |  |
+| 6.2.2 | Create ACME issuer with DNS-PERSIST-01 | Manual | ☐ |  |  |
+| 6.2.3 | Configure ACME with External Account Binding (ZeroSSL) | Manual | ☐ |  |  |
+
+### Part 7: Target Connectors & Deployment
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 7.1.1 | List targets shows seed data | Auto | ☑ | 2026-03-30 |  |
+| 7.1.2 | Create NGINX target | Auto | ☑ | 2026-03-30 |  |
+| 7.1.3 | Create Apache target | Manual | ☐ |  |  |
+| 7.1.4 | Create HAProxy target | Manual | ☐ |  |  |
+| 7.1.5 | Create F5 BIG-IP target (stub) | Auto | ☑ | 2026-03-30 |  |
+| 7.1.6 | Create IIS target (stub) | Auto | ☑ | 2026-03-30 |  |
+| 7.1.7 | Get target verifies type-specific config stored | Manual | ☐ |  |  |
+| 7.1.8 | Update target config | Manual | ☐ |  |  |
+| 7.1.9 | Delete target returns 204 | Auto | ☑ | 2026-03-30 |  |
+
+### Part 8: Agent Operations
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 8.1.1 | Register new agent | Auto | ☑ | 2026-03-30 |  |
+| 8.1.2 | List agents includes new agent | Manual | ☐ |  |  |
+| 8.1.3 | Get agent detail with metadata | Manual | ☐ |  |  |
+| 8.2.1 | Agent heartbeat updates last_heartbeat_at | Auto | ☑ | 2026-03-30 |  |
+| 8.2.2 | Heartbeat metadata stored | Auto | ☑ | 2026-03-30 |  |
+| 8.2.3 | Heartbeat for nonexistent agent | Auto | ☑ | 2026-03-30 |  |
+| 8.3.1 | Agent work polling returns jobs | Manual | ☐ |  |  |
+| 8.3.2 | Agent work polling with no pending work | Manual | ☐ |  |  |
+| 8.3.3 | Agent certificate pickup | Manual | ☐ |  |  |
+| 8.3.4 | Delete agent for cleanup | Auto | — | 2026-03-30 | Skipped — DELETE not implemented |
+
+### Part 9: Job System
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 9.1.1 | List jobs with pagination | Auto | ☑ | 2026-03-30 |  |
+| 9.1.2 | Filter jobs by status | Manual | ☐ |  |  |
+| 9.1.3 | Filter jobs by type | Manual | ☐ |  |  |
+| 9.1.4 | Get job detail | Manual | ☐ |  |  |
+| 9.1.5 | Get nonexistent job | Auto | ☑ | 2026-03-30 |  |
+| 9.2.1 | Cancel pending job | Manual | ☐ |  |  |
+| 9.2.2 | Cancel already-completed job | Manual | ☐ |  |  |
+
+### Part 10: Policies & Profiles
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 10.1.1 | List policies | Auto | ☑ | 2026-03-30 |  |
+| 10.1.2 | Create policy | Auto | ☑ | 2026-03-30 |  |
+| 10.1.3 | Get policy | Manual | ☐ |  |  |
+| 10.1.4 | Update policy | Manual | ☐ |  |  |
+| 10.1.5 | Delete policy | Auto | ☑ | 2026-03-30 |  |
+| 10.1.6 | Policy violations endpoint | Manual | ☐ |  |  |
+| 10.1.7 | Invalid policy type returns 400 | Auto | ☑ | 2026-03-30 |  |
+| 10.2.1 | List profiles | Auto | ☑ | 2026-03-30 |  |
+| 10.2.2 | Create profile with crypto constraints | Auto | ☑ | 2026-03-30 |  |
+| 10.2.3 | Get profile | Manual | ☐ |  |  |
+| 10.2.4 | Update profile | Manual | ☐ |  |  |
+| 10.2.5 | Delete profile | Auto | ☑ | 2026-03-30 |  |
+| 10.2.6 | Short-lived profile exists (TTL < 1 hour) | Manual | ☐ |  |  |
+
+### Part 11: Ownership, Teams & Agent Groups
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 11.1.1 | List teams | Auto | ☑ | 2026-03-30 |  |
+| 11.1.2 | Team CRUD cycle | Auto | ☑ | 2026-03-30 |  |
+| 11.2.1 | Owner CRUD with team assignment | Auto | ☑ | 2026-03-30 |  |
+| 11.2.2 | Get, update, delete owner | Manual | ☐ |  |  |
+| 11.3.1 | List agent groups | Auto | ☑ | 2026-03-30 |  |
+| 11.3.2 | Create agent group with dynamic criteria | Manual | ☐ |  |  |
+| 11.3.3 | Agent group membership endpoint | Manual | ☐ |  |  |
+| 11.3.4 | Delete agent group returns 204 | Manual | ☐ |  |  |
+| 11.4.1 | Delete owner with assigned certificates (expect 409) | Auto | ☑ | 2026-03-30 |  |
+| 11.4.2 | Delete issuer with assigned certificates (expect 409) | Auto | ☑ | 2026-03-30 |  |
+| 11.4.3 | Delete team cascades successfully | Manual | ☐ |  |  |
+
+### Part 12: Notifications
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 12.1.1 | List notifications with pagination | Auto | ☑ | 2026-03-30 |  |
+| 12.1.2 | Get single notification | Manual | ☐ |  |  |
+| 12.1.3 | Mark notification as read | Auto | ☑ | 2026-03-30 |  |
+| 12.1.4 | Mark already-read notification (idempotent) | Manual | ☐ |  |  |
+| 12.1.5 | Get nonexistent notification | Auto | ☑ | 2026-03-30 |  |
+| 12.1.6 | Verify notification created from revocation | Manual | ☐ |  |  |
+
+### Part 13: Observability
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 13.1.1 | Dashboard summary | Auto | ☑ | 2026-03-30 |  |
+| 13.1.2 | Certificates by status | Auto | ☑ | 2026-03-30 |  |
+| 13.1.3 | Expiration timeline | Auto | ☑ | 2026-03-30 |  |
+| 13.1.4 | Job trends | Auto | ☑ | 2026-03-30 |  |
+| 13.1.5 | Issuance rate | Auto | ☑ | 2026-03-30 |  |
+| 13.1.6 | Stats with invalid days parameter | Manual | ☐ |  |  |
+| 13.2.1 | JSON metrics endpoint | Auto | ☑ | 2026-03-30 |  |
+| 13.2.2 | Metric values are non-negative | Manual | ☐ |  |  |
+| 13.2.3 | Uptime is positive | Manual | ☐ |  |  |
+| 13.3.1 | Prometheus content type | Auto | ☑ | 2026-03-30 |  |
+| 13.3.2 | Prometheus output contains HELP lines | Auto | ☑ | 2026-03-30 |  |
+| 13.3.3 | Prometheus output contains TYPE lines | Manual | ☐ |  |  |
+| 13.3.4 | All documented Prometheus metrics present | Auto | ☑ | 2026-03-30 |  |
+| 13.3.5 | Prometheus metric values are parseable numbers | Manual | ☐ |  |  |
+| 13.3.6 | Method not allowed on metrics (POST) | Manual | ☐ |  |  |
+
+### Part 14: Audit Trail
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 14.1.1 | List audit events | Auto | ☑ | 2026-03-30 |  |
+| 14.1.2 | Get single audit event | Manual | ☐ |  |  |
+| 14.1.3 | Filter audit by time range | Manual | ☐ |  |  |
+| 14.1.4 | Filter audit by actor | Manual | ☐ |  |  |
+| 14.1.5 | Filter audit by resource type | Auto | ☑ | 2026-03-30 |  |
+| 14.1.6 | Filter audit by action | Manual | ☐ |  |  |
+| 14.1.7 | API calls create audit entries | Manual | ☐ |  |  |
+| 14.1.8 | Audit immutability (no PUT/DELETE) | Auto | ☑ | 2026-03-30 |  |
+
+### Part 15: Certificate Discovery
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 15.1.1 | Submit discovery report | Auto | ☑ | 2026-03-30 |  |
+| 15.1.2 | Submit report with multiple certificates | Manual | ☐ |  |  |
+| 15.1.3 | Duplicate fingerprint deduplication | Manual | ☐ |  |  |
+| 15.1.4 | List discovered certificates | Auto | ☑ | 2026-03-30 |  |
+| 15.1.5 | Filter by status: Unmanaged | Manual | ☐ |  |  |
+| 15.1.6 | Filter by agent_id | Manual | ☐ |  |  |
+| 15.1.7 | Get discovered certificate detail | Manual | ☐ |  |  |
+| 15.1.8 | Claim discovered certificate | Manual | ☐ |  |  |
+| 15.1.9 | Dismiss discovered certificate | Manual | ☐ |  |  |
+| 15.1.10 | List discovery scans | Manual | ☐ |  |  |
+| 15.1.11 | Discovery summary | Auto | ☑ | 2026-03-30 |  |
+| 15.2.1 | List network scan targets (seed data) | Auto | ☑ | 2026-03-30 |  |
+| 15.2.2 | Create network scan target | Auto | ☑ | 2026-03-30 |  |
+| 15.2.3 | Get scan target detail | Manual | ☐ |  |  |
+| 15.2.4 | Update scan target | Manual | ☐ |  |  |
+| 15.2.5 | Delete scan target | Auto | ☑ | 2026-03-30 |  |
+| 15.2.6 | Trigger manual scan | Manual | ☐ |  |  |
+| 15.2.7 | Invalid CIDR validation | Auto | ☑ | 2026-03-30 |  |
+
+### Part 16: Enhanced Query API
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 16.1.1 | Sparse fields: only requested fields returned | Manual | ☐ |  |  |
+| 16.1.2 | Sort ascending: commonName | Manual | ☐ |  |  |
+| 16.1.3 | Sort descending: notAfter | Manual | ☐ |  |  |
+| 16.1.4 | Sort by invalid field | Auto | ☑ | 2026-03-30 |  |
+| 16.1.5 | Cursor pagination first page | Manual | ☐ |  |  |
+| 16.1.6 | Cursor pagination second page | Manual | ☐ |  |  |
+| 16.1.7 | Time-range: expires_before | Auto | ☑ | 2026-03-30 |  |
+| 16.1.8 | Time-range: created_after | Auto | ☑ | 2026-03-30 |  |
+| 16.1.9 | Combined filters | Auto | ☑ | 2026-03-30 |  |
+
+### Part 17: CLI Tool
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 17.2.1 | List certificates (table format) | Manual | ☐ |  |  |
+| 17.2.2 | List certificates (JSON format) | Manual | ☐ |  |  |
+| 17.2.3 | Get specific certificate | Manual | ☐ |  |  |
+| 17.2.4 | Get nonexistent certificate | Manual | ☐ |  |  |
+| 17.2.5 | Renew certificate | Manual | ☐ |  |  |
+| 17.2.6 | Revoke certificate with reason | Manual | ☐ |  |  |
+| 17.3.1 | List agents | Manual | ☐ |  |  |
+| 17.3.2 | List jobs | Manual | ☐ |  |  |
+| 17.4.1 | Server status/health | Manual | ☐ |  |  |
+| 17.4.2 | CLI version | Manual | ☐ |  |  |
+| 17.5.1 | Import single PEM file | Manual | ☐ |  |  |
+| 17.6.1 | --server flag overrides env var | Manual | ☐ |  |  |
+| 17.6.2 | --api-key flag overrides env var | Manual | ☐ |  |  |
+| 17.6.3 | Missing server URL produces error | Manual | ☐ |  |  |
+
+### Part 18: MCP Server
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 18.1.1 | Binary builds successfully | Manual | ☐ |  |  |
+| 18.1.2 | Startup with valid env vars | Manual | ☐ |  |  |
+| 18.1.3 | Missing CERTCTL_SERVER_URL behavior | Manual | ☐ |  |  |
+| 18.2.1 | Tool count verification (78 tools) | Manual | ☐ |  |  |
+| 18.2.2 | All 16 resource domains present | Manual | ☐ |  |  |
+| 18.3.1 | List certificates via MCP | Manual | ☐ |  |  |
+| 18.3.2 | Get specific certificate via MCP | Manual | ☐ |  |  |
+
+### Part 19: GUI Testing
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 19.1 | Authentication Flow | Manual | ☐ |  |  |
+| 19.2 | Dashboard Page | Manual | ☐ |  |  |
+| 19.3 | Certificates Page | Manual | ☐ |  |  |
+| 19.4 | Certificate Detail Page | Manual | ☐ |  |  |
+| 19.5 | Jobs Page — Approval Workflow | Manual | ☐ |  |  |
+| 19.6 | Discovery Triage Page | Manual | ☐ |  |  |
+| 19.7 | Network Scan Management Page | Manual | ☐ |  |  |
+| 19.8 | Other Pages (agents, policies, audit, etc.) | Manual | ☐ |  |  |
+| 19.9 | Cross-Cutting (responsive, error states, dark theme) | Manual | ☐ |  |  |
+
+### Part 20: Background Scheduler
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 20.1.1 | Scheduler startup: all 7 loops registered | Manual | ☐ |  |  |
+| 20.1.2 | Job processor loop fires (30s interval) | Manual | ☐ |  |  |
+| 20.1.3 | Agent health check marks offline (2m interval) | Manual | ☐ |  |  |
+| 20.1.4 | Notification processor fires (1m interval) | Manual | ☐ |  |  |
+| 20.1.5 | Short-lived expiry check (30s interval) | Manual | ☐ |  |  |
+| 20.1.6 | Network scanner loop (conditional on env var) | Manual | ☐ |  |  |
+| 20.1.7 | Renewal check loop (1h interval — log verification) | Manual | ☐ |  |  |
+| 20.1.8 | Scheduler graceful stop | Manual | ☐ |  |  |
+
+### Part 21: Error Handling
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 21.1.1 | Malformed JSON body | Auto | ☑ | 2026-03-30 |  |
+| 21.1.2 | Missing required field | Auto | ☑ | 2026-03-30 |  |
+| 21.1.3 | Method not allowed | Auto | ☑ | 2026-03-30 |  |
+| 21.1.4 | Invalid query parameter | Manual | ☐ |  |  |
+| 21.1.5 | UTF-8 in common name | Auto | ☑ | 2026-03-30 |  |
+| 21.1.6 | Concurrent requests (parallel curl) | Manual | ☐ |  |  |
+| 21.1.7 | Server survives internal error | Auto | ☑ | 2026-03-30 |  |
+| 21.1.8 | Empty request body on POST | Auto | ☑ | 2026-03-30 |  |
+
+### Part 22: Performance Spot Checks
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 22.1.1 | List certificates < 200ms | Auto | ☑ | 2026-03-30 |  |
+| 22.1.2 | Stats summary < 500ms | Auto | ☑ | 2026-03-30 |  |
+| 22.1.3 | Metrics < 200ms | Auto | ☑ | 2026-03-30 |  |
+| 22.1.4 | 50 health checks < 5 seconds total | Manual | ☐ |  |  |
+
+### Part 23: Structured Logging
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 23.1.1 | Server logs are valid JSON | Manual | ☐ |  |  |
+| 23.1.2 | Log lines contain level field | Manual | ☐ |  |  |
+| 23.1.3 | Request ID propagation | Manual | ☐ |  |  |
+| 23.1.4 | Error logs at ERROR level | Manual | ☐ |  |  |
+| 23.1.5 | No unstructured output in log stream | Manual | ☐ |  |  |
+
+### Part 24: Documentation Verification
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 24.1 | OpenAPI spec matches router, README accuracy | Manual | ☐ |  |  |
+
+### Part 25: Regression Tests
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 25.1.1 | DELETE endpoints return 204, not 200 | Auto | ☑ | 2026-03-30 |  |
+| 25.1.2 | per_page exceeding max falls back to default | Auto | ☑ | 2026-03-30 |  |
+| 25.1.3 | Seed demo network scan targets present | Auto | ☑ | 2026-03-30 |  |
+| 25.1.4 | GUI delete on FK-restricted entities shows error, not silent f... | Auto | ☑ | 2026-03-30 |  |
+| 25.1.5 | OpenAPI spec operations match router | Manual | ☐ |  |  |
+| 25.1.6 | Go service tests use strings.Contains, not errors.Is | Auto | ☑ | 2026-03-30 |  |
+
+### Part 26: EST Server (RFC 7030)
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 26.1 | GET /.well-known/est/cacerts returns PKCS#7 CA chain | Auto | — | 2026-03-30 | Skipped — EST not enabled in demo |
+| 26.2 | GET /cacerts method enforcement | Auto | — | 2026-03-30 | Skipped — EST not enabled in demo |
+| 26.3 | POST /.well-known/est/simpleenroll with PEM CSR | Manual | ☐ |  |  |
+| 26.4 | POST /simpleenroll with base64-encoded DER CSR | Manual | ☐ |  |  |
+| 26.5 | POST /simpleenroll with empty body | Auto | — | 2026-03-30 | Skipped — EST not enabled in demo |
+| 26.6 | POST /simpleenroll with invalid CSR | Manual | ☐ |  |  |
+| 26.7 | POST /simpleenroll with CSR missing Common Name | Manual | ☐ |  |  |
+| 26.8 | POST /simpleenroll method enforcement (GET not allowed) | Manual | ☐ |  |  |
+| 26.9 | POST /.well-known/est/simplereenroll (re-enrollment) | Manual | ☐ |  |  |
+| 26.10 | GET /simplereenroll method enforcement | Manual | ☐ |  |  |
+| 26.11 | GET /.well-known/est/csrattrs returns 204 (no required attrs) | Auto | — | 2026-03-30 | Skipped — EST not enabled in demo |
+| 26.12 | POST /csrattrs method enforcement | Manual | ☐ |  |  |
+| 26.13 | EST enrollment creates audit event | Manual | ☐ |  |  |
+| 26.14 | EST disabled returns 404 | Manual | ☐ |  |  |
+| 26.15 | EST with profile binding | Manual | ☐ |  |  |
+
+### Part 27: Post-Deployment TLS Verification
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 27.1 | Submit Verification Result (Success) | Manual | ☐ |  |  |
+| 27.2 | Submit Verification Result (Failure — Fingerprint Mismatch) | Manual | ☐ |  |  |
+| 27.3 | Get Verification Status | Manual | ☐ |  |  |
+| 27.4 | Missing Required Fields | Manual | ☐ |  |  |
+| 27.5 | Audit Trail | Manual | ☐ |  |  |
+| 27.6 | Database Schema Verification | Auto | ☑ | 2026-03-30 |  |
+
+### Part 28: Traefik & Caddy Target Connectors
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 28.1 | Traefik File Provider Deployment | Manual | ☐ |  |  |
+| 28.2 | Caddy API Mode Deployment | Manual | ☐ |  |  |
+| 28.3 | Caddy File Mode Deployment | Manual | ☐ |  |  |
+| 28.4 | Agent Connector Dispatch | Manual | ☐ |  |  |
+| 28.5 | Connector Unit Tests | Manual | ☐ |  |  |
+
+### Part 29: Certificate Export
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 29.1 | Export PEM (JSON Response) | Auto | ☑ | 2026-03-30 |  |
+| 29.2 | Export PEM (File Download) | Manual | ☐ |  |  |
+| 29.3 | Export PEM — Not Found | Auto | ☑ | 2026-03-30 |  |
+| 29.4 | Export PKCS#12 | Auto | ☑ | 2026-03-30 |  |
+| 29.5 | Export PKCS#12 — Empty Password | Manual | ☐ |  |  |
+| 29.6 | Export Audit Trail | Manual | ☐ |  |  |
+| 29.7 | Export Unit Tests | Manual | ☐ |  |  |
+| 29.8 | GUI Export Buttons | Manual | ☐ |  |  |
+
+### Part 30: S/MIME & EKU Support
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 30.1 | S/MIME Profile Exists in Seed Data | Auto | ☑ | 2026-03-30 |  |
+| 30.2 | All Five Profiles Present | Auto | ☑ | 2026-03-30 |  |
+| 30.3 | EKU Strings in Profile API | Manual | ☐ |  |  |
+| 30.4 | Agent CSR SAN Splitting (Email vs DNS) | Manual | ☐ |  |  |
+| 30.5 | EKU Service-Layer Tests | Manual | ☐ |  |  |
+
+### Part 31: OCSP Responder & DER CRL
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 31.1 | DER-Encoded CRL | Auto | ☑ | 2026-03-30 |  |
+| 31.2 | DER CRL — Nonexistent Issuer | Auto | ☑ | 2026-03-30 |  |
+| 31.3 | OCSP Responder — Good Status | Manual | ☐ |  |  |
+| 31.4 | OCSP Responder — Revoked Status | Manual | ☐ |  |  |
+| 31.5 | OCSP — Unknown Certificate | Manual | ☐ |  |  |
+| 31.6 | Short-Lived Certificate CRL Exemption | Manual | ☐ |  |  |
+| 31.7 | OCSP / CRL Unit Tests | Manual | ☐ |  |  |
+
+### Part 32: Request Body Size Limits
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 32.1 | Default 1MB Limit | Manual | ☐ |  |  |
+| 32.2 | Normal-Sized Requests Work | Auto | ☑ | 2026-03-30 |  |
+| 32.3 | Custom Body Size via Environment Variable | Manual | ☐ |  |  |
+| 32.4 | Requests Without Bodies Are Unaffected | Auto | ☑ | 2026-03-30 |  |
+
+### Part 33: Apache & HAProxy Target Connectors
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 33.1 | Create Apache Target | Manual | ☐ |  |  |
+| 33.2 | Apache Config — Separate Files | Manual | ☐ |  |  |
+| 33.3 | Create HAProxy Target | Manual | ☐ |  |  |
+| 33.4 | HAProxy Combined PEM Requirement | Manual | ☐ |  |  |
+| 33.5 | Shell Command Injection Prevention | Manual | ☐ |  |  |
+| 33.6 | Connector Unit Tests | Manual | ☐ |  |  |
+
+### Part 34: Sub-CA Mode
+
+| Test | Description | Method | Pass? | Date | Notes |
+|------|-------------|--------|-------|------|-------|
+| 34.1 | Self-Signed Mode (Default) | Manual | ☐ |  |  |
+| 34.2 | Sub-CA Mode — Configuration | Manual | ☐ |  |  |
+| 34.3 | Sub-CA Chain Construction | Manual | ☐ |  |  |
+| 34.4 | Sub-CA Validation — Non-CA Cert Rejected | Manual | ☐ |  |  |
+| 34.5 | Sub-CA Key Format Support | Manual | ☐ |  |  |
+| 34.6 | CRL Signing in Sub-CA Mode | Manual | ☐ |  |  |
+
+### Summary
+
+| Category | Count |
+|----------|-------|
+| ☑ Auto (passed in `qa-smoke-test.sh`) | 121 |
+| — Skipped (preconditions not met in demo) | 5 |
+| ☐ Manual (requires hands-on verification) | 194 |
+| **Total** | **320** |
 
 **Automated tests must also be green.** CI passing is necessary but not sufficient — this manual QA catches integration issues that isolated unit tests miss.
 

internal/api/handler/agents.go

@@ -3,6 +3,7 @@ package handler
 import (
 	"context"
 	"encoding/json"
+	"log/slog"
 	"net/http"
 	"strconv"
 	"strings"
@@ -134,6 +135,11 @@ func (h AgentHandler) RegisterAgent(w http.ResponseWriter, r *http.Request) {
 
 	created, err := h.svc.RegisterAgent(r.Context(), agent)
 	if err != nil {
+		errMsg := err.Error()
+		if strings.Contains(errMsg, "unique") || strings.Contains(errMsg, "duplicate") || strings.Contains(errMsg, "already exists") {
+			ErrorWithRequestID(w, http.StatusConflict, "Agent with this name already exists", requestID)
+			return
+		}
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to register agent", requestID)
 		return
 	}
@@ -184,6 +190,11 @@ func (h AgentHandler) Heartbeat(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if err := h.svc.Heartbeat(r.Context(), agentID, metadata); err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			ErrorWithRequestID(w, http.StatusNotFound, "Agent not found", requestID)
+			return
+		}
+		slog.Error("Heartbeat failed", "agent_id", agentID, "error", err.Error())
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to record heartbeat", requestID)
 		return
 	}

internal/api/handler/certificate_handler_test.go

@@ -353,11 +353,12 @@ func TestCreateCertificate_Success(t *testing.T) {
 	handler := NewCertificateHandler(mock)
 
 	certBody := domain.ManagedCertificate{
-		Name:       "Production Cert",
-		CommonName: "example.com",
-		OwnerID:    "o-alice",
-		TeamID:     "t-platform",
-		IssuerID:   "iss-local",
+		Name:            "Production Cert",
+		CommonName:      "example.com",
+		OwnerID:         "o-alice",
+		TeamID:          "t-platform",
+		IssuerID:        "iss-local",
+		RenewalPolicyID: "rp-standard",
 	}
 	body, _ := json.Marshal(certBody)
 
@@ -410,11 +411,12 @@ func TestCreateCertificate_ServiceError(t *testing.T) {
 	handler := NewCertificateHandler(mock)
 
 	certBody := domain.ManagedCertificate{
-		Name:       "Production Cert",
-		CommonName: "example.com",
-		OwnerID:    "o-alice",
-		TeamID:     "t-platform",
-		IssuerID:   "iss-local",
+		Name:            "Production Cert",
+		CommonName:      "example.com",
+		OwnerID:         "o-alice",
+		TeamID:          "t-platform",
+		IssuerID:        "iss-local",
+		RenewalPolicyID: "rp-standard",
 	}
 	body, _ := json.Marshal(certBody)
 
@@ -534,8 +536,8 @@ func TestArchiveCertificate_NotFound(t *testing.T) {
 
 	handler.ArchiveCertificate(w, req)
 
-	if w.Code != http.StatusInternalServerError {
-		t.Errorf("expected status %d, got %d", http.StatusInternalServerError, w.Code)
+	if w.Code != http.StatusNotFound {
+		t.Errorf("expected status %d, got %d", http.StatusNotFound, w.Code)
 	}
 }
 

internal/api/handler/certificates.go

@@ -2,6 +2,7 @@ package handler
 
 import (
 	"encoding/json"
+	"log/slog"
 	"net/http"
 	"strconv"
 	"strings"
@@ -231,6 +232,14 @@ func (h CertificateHandler) CreateCertificate(w http.ResponseWriter, r *http.Req
 		ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
 		return
 	}
+	if err := ValidateRequired("name", cert.Name); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
+		return
+	}
+	if err := ValidateRequired("renewal_policy_id", cert.RenewalPolicyID); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
+		return
+	}
 
 	created, err := h.svc.CreateCertificate(cert)
 	if err != nil {
@@ -287,6 +296,11 @@ func (h CertificateHandler) UpdateCertificate(w http.ResponseWriter, r *http.Req
 
 	updated, err := h.svc.UpdateCertificate(id, cert)
 	if err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
+			return
+		}
+		slog.Error("UpdateCertificate failed", "cert_id", id, "error", err.Error())
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update certificate", requestID)
 		return
 	}
@@ -311,6 +325,10 @@ func (h CertificateHandler) ArchiveCertificate(w http.ResponseWriter, r *http.Re
 	}
 
 	if err := h.svc.ArchiveCertificate(id); err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
+			return
+		}
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to archive certificate", requestID)
 		return
 	}
@@ -353,7 +371,12 @@ func (h CertificateHandler) GetCertificateVersions(w http.ResponseWriter, r *htt
 
 	versions, total, err := h.svc.GetCertificateVersions(certID, page, perPage)
 	if err != nil {
-		ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
+		if strings.Contains(err.Error(), "not found") {
+			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
+			return
+		}
+		slog.Error("GetCertificateVersions failed", "cert_id", certID, "error", err.Error())
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to get certificate versions", requestID)
 		return
 	}
 
@@ -387,6 +410,19 @@ func (h CertificateHandler) TriggerRenewal(w http.ResponseWriter, r *http.Reques
 	certID := parts[0]
 
 	if err := h.svc.TriggerRenewal(certID); err != nil {
+		errMsg := err.Error()
+		if strings.Contains(errMsg, "not found") {
+			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
+			return
+		}
+		if strings.Contains(errMsg, "cannot renew") {
+			ErrorWithRequestID(w, http.StatusBadRequest, errMsg, requestID)
+			return
+		}
+		if strings.Contains(errMsg, "already in progress") {
+			ErrorWithRequestID(w, http.StatusConflict, errMsg, requestID)
+			return
+		}
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to trigger renewal", requestID)
 		return
 	}
@@ -480,7 +516,7 @@ func (h CertificateHandler) RevokeCertificate(w http.ResponseWriter, r *http.Req
 			ErrorWithRequestID(w, http.StatusBadRequest, errMsg, requestID)
 			return
 		}
-		if strings.Contains(errMsg, "not found") || strings.Contains(errMsg, "failed to fetch") {
+		if strings.Contains(errMsg, "not found") || strings.Contains(errMsg, "failed to fetch") || strings.Contains(errMsg, "failed to get") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
 			return
 		}

internal/api/handler/export.go

@@ -3,6 +3,7 @@ package handler
 import (
 	"context"
 	"encoding/json"
+	"log/slog"
 	"net/http"
 	"strings"
 
@@ -49,6 +50,7 @@ func (h ExportHandler) ExportPEM(w http.ResponseWriter, r *http.Request) {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
 			return
 		}
+		slog.Error("ExportPEM failed", "cert_id", id, "error", err.Error())
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to export certificate", requestID)
 		return
 	}
@@ -96,6 +98,11 @@ func (h ExportHandler) ExportPKCS12(w http.ResponseWriter, r *http.Request) {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
 			return
 		}
+		if strings.Contains(err.Error(), "cannot be parsed") || strings.Contains(err.Error(), "no certificates found") {
+			ErrorWithRequestID(w, http.StatusUnprocessableEntity, "Certificate data cannot be parsed as X.509", requestID)
+			return
+		}
+		slog.Error("ExportPKCS12 failed", "cert_id", id, "error", err.Error())
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to export PKCS#12", requestID)
 		return
 	}

internal/mcp/tools.go

@@ -99,7 +99,7 @@ func registerCertificateTools(s *gomcp.Server, c *Client) {
 
 	gomcp.AddTool(s, &gomcp.Tool{
 		Name:        "certctl_create_certificate",
-		Description: "Create a new managed certificate. Requires common_name and issuer_id at minimum.",
+		Description: "Create a new managed certificate. Requires name, common_name, renewal_policy_id, issuer_id, owner_id, and team_id.",
 	}, func(ctx context.Context, req *gomcp.CallToolRequest, input CreateCertificateInput) (*gomcp.CallToolResult, any, error) {
 		data, err := c.Post("/api/v1/certificates", input)
 		if err != nil {
@@ -144,7 +144,7 @@ func registerCertificateTools(s *gomcp.Server, c *Client) {
 
 	gomcp.AddTool(s, &gomcp.Tool{
 		Name:        "certctl_trigger_renewal",
-		Description: "Trigger immediate renewal of a certificate. Creates a renewal job (async, returns 202).",
+		Description: "Trigger immediate renewal of a certificate. Creates a renewal job (async, returns 202). Returns 404 if certificate not found, 400 if certificate is archived/expired, 409 if renewal already in progress.",
 	}, func(ctx context.Context, req *gomcp.CallToolRequest, input GetByIDInput) (*gomcp.CallToolResult, any, error) {
 		data, err := c.Post("/api/v1/certificates/"+input.ID+"/renew", nil)
 		if err != nil {
@@ -385,7 +385,7 @@ func registerAgentTools(s *gomcp.Server, c *Client) {
 
 	gomcp.AddTool(s, &gomcp.Tool{
 		Name:        "certctl_register_agent",
-		Description: "Register a new agent. Requires name and hostname.",
+		Description: "Register a new agent. Requires name and hostname. Returns 409 if an agent with the same name already exists.",
 	}, func(ctx context.Context, req *gomcp.CallToolRequest, input RegisterAgentInput) (*gomcp.CallToolResult, any, error) {
 		data, err := c.Post("/api/v1/agents", input)
 		if err != nil {
@@ -396,7 +396,7 @@ func registerAgentTools(s *gomcp.Server, c *Client) {
 
 	gomcp.AddTool(s, &gomcp.Tool{
 		Name:        "certctl_agent_heartbeat",
-		Description: "Send agent heartbeat with optional metadata (OS, architecture, IP, version).",
+		Description: "Send agent heartbeat with optional metadata (OS, architecture, IP, version). Returns 404 if agent not found.",
 	}, func(ctx context.Context, req *gomcp.CallToolRequest, input struct {
 		ID           string `json:"id" jsonschema:"Agent ID"`
 		Version      string `json:"version,omitempty" jsonschema:"Agent version"`

internal/repository/postgres/certificate.go

@@ -349,7 +349,7 @@ func (r *CertificateRepository) Archive(ctx context.Context, id string) error {
 func (r *CertificateRepository) ListVersions(ctx context.Context, certID string) ([]*domain.CertificateVersion, error) {
 	rows, err := r.db.QueryContext(ctx, `
 		SELECT id, certificate_id, serial_number, not_before, not_after,
-		       fingerprint_sha256, pem_chain, csr_pem, key_algorithm, key_size, created_at
+		       fingerprint_sha256, pem_chain, csr_pem, created_at
 		FROM certificate_versions
 		WHERE certificate_id = $1
 		ORDER BY created_at DESC
@@ -363,10 +363,12 @@ func (r *CertificateRepository) ListVersions(ctx context.Context, certID string)
 	var versions []*domain.CertificateVersion
 	for rows.Next() {
 		var v domain.CertificateVersion
+		var csrPEM sql.NullString
 		if err := rows.Scan(&v.ID, &v.CertificateID, &v.SerialNumber, &v.NotBefore, &v.NotAfter,
-			&v.FingerprintSHA256, &v.PEMChain, &v.CSRPEM, &v.KeyAlgorithm, &v.KeySize, &v.CreatedAt); err != nil {
+			&v.FingerprintSHA256, &v.PEMChain, &csrPEM, &v.CreatedAt); err != nil {
 			return nil, fmt.Errorf("failed to scan certificate version: %w", err)
 		}
+		v.CSRPEM = csrPEM.String
 		versions = append(versions, &v)
 	}
 
@@ -386,11 +388,11 @@ func (r *CertificateRepository) CreateVersion(ctx context.Context, version *doma
 	err := r.db.QueryRowContext(ctx, `
 		INSERT INTO certificate_versions (
 			id, certificate_id, serial_number, not_before, not_after,
-			fingerprint_sha256, pem_chain, csr_pem, key_algorithm, key_size, created_at
-		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
+			fingerprint_sha256, pem_chain, csr_pem, created_at
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
 		RETURNING id
 	`, version.ID, version.CertificateID, version.SerialNumber, version.NotBefore, version.NotAfter,
-		version.FingerprintSHA256, version.PEMChain, version.CSRPEM, version.KeyAlgorithm, version.KeySize, version.CreatedAt).Scan(&version.ID)
+		version.FingerprintSHA256, version.PEMChain, version.CSRPEM, version.CreatedAt).Scan(&version.ID)
 
 	if err != nil {
 		return fmt.Errorf("failed to create certificate version: %w", err)
@@ -433,15 +435,17 @@ func (r *CertificateRepository) GetExpiringCertificates(ctx context.Context, bef
 // GetLatestVersion returns the most recent certificate version for a certificate.
 func (r *CertificateRepository) GetLatestVersion(ctx context.Context, certID string) (*domain.CertificateVersion, error) {
 	var v domain.CertificateVersion
+	var csrPEM sql.NullString
 	err := r.db.QueryRowContext(ctx, `
 		SELECT id, certificate_id, serial_number, not_before, not_after,
-		       fingerprint_sha256, pem_chain, csr_pem, key_algorithm, key_size, created_at
+		       fingerprint_sha256, pem_chain, csr_pem, created_at
 		FROM certificate_versions
 		WHERE certificate_id = $1
 		ORDER BY created_at DESC
 		LIMIT 1
 	`, certID).Scan(&v.ID, &v.CertificateID, &v.SerialNumber, &v.NotBefore, &v.NotAfter,
-		&v.FingerprintSHA256, &v.PEMChain, &v.CSRPEM, &v.KeyAlgorithm, &v.KeySize, &v.CreatedAt)
+		&v.FingerprintSHA256, &v.PEMChain, &csrPEM, &v.CreatedAt)
+	v.CSRPEM = csrPEM.String
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to get latest certificate version: %w", err)

internal/service/certificate.go

@@ -311,12 +311,56 @@ func (s *CertificateService) CreateCertificate(cert domain.ManagedCertificate) (
 }
 
 // UpdateCertificate modifies a certificate (handler interface method).
-func (s *CertificateService) UpdateCertificate(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
-	cert.ID = id
-	if err := s.certRepo.Update(context.Background(), &cert); err != nil {
+func (s *CertificateService) UpdateCertificate(id string, patch domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+	ctx := context.Background()
+
+	// Fetch existing certificate so partial updates don't zero out fields
+	existing, err := s.certRepo.Get(ctx, id)
+	if err != nil {
+		return nil, fmt.Errorf("certificate not found: %w", err)
+	}
+
+	// Merge non-zero fields from patch into existing
+	if patch.Name != "" {
+		existing.Name = patch.Name
+	}
+	if patch.CommonName != "" {
+		existing.CommonName = patch.CommonName
+	}
+	if len(patch.SANs) > 0 {
+		existing.SANs = patch.SANs
+	}
+	if patch.Environment != "" {
+		existing.Environment = patch.Environment
+	}
+	if patch.OwnerID != "" {
+		existing.OwnerID = patch.OwnerID
+	}
+	if patch.TeamID != "" {
+		existing.TeamID = patch.TeamID
+	}
+	if patch.IssuerID != "" {
+		existing.IssuerID = patch.IssuerID
+	}
+	if patch.RenewalPolicyID != "" {
+		existing.RenewalPolicyID = patch.RenewalPolicyID
+	}
+	if patch.CertificateProfileID != "" {
+		existing.CertificateProfileID = patch.CertificateProfileID
+	}
+	if patch.Status != "" {
+		existing.Status = patch.Status
+	}
+	if patch.Tags != nil {
+		existing.Tags = patch.Tags
+	}
+
+	existing.UpdatedAt = time.Now()
+
+	if err := s.certRepo.Update(ctx, existing); err != nil {
 		return nil, fmt.Errorf("failed to update certificate: %w", err)
 	}
-	return &cert, nil
+	return existing, nil
 }
 
 // ArchiveCertificate marks a certificate as archived (handler interface method).

internal/service/discovery.go

@@ -40,6 +40,11 @@ func (s *DiscoveryService) ProcessDiscoveryReport(ctx context.Context, report *d
 		return nil, fmt.Errorf("report must contain at least one certificate or error")
 	}
 
+	// Ensure directories is never nil (PostgreSQL TEXT[] NOT NULL)
+	if report.Directories == nil {
+		report.Directories = []string{}
+	}
+
 	now := time.Now()
 	scan := &domain.DiscoveryScan{
 		ID:                generateID("dscan"),
@@ -52,6 +57,11 @@ func (s *DiscoveryService) ProcessDiscoveryReport(ctx context.Context, report *d
 		CompletedAt:       &now,
 	}
 
+	// Store the scan record first (discovered certs reference scan via FK)
+	if err := s.discoveryRepo.CreateScan(ctx, scan); err != nil {
+		return nil, fmt.Errorf("failed to create scan record: %w", err)
+	}
+
 	// Upsert each discovered certificate
 	newCount := 0
 	for _, entry := range report.Certificates {
@@ -105,11 +115,6 @@ func (s *DiscoveryService) ProcessDiscoveryReport(ctx context.Context, report *d
 
 	scan.CertificatesNew = newCount
 
-	// Store the scan record
-	if err := s.discoveryRepo.CreateScan(ctx, scan); err != nil {
-		return nil, fmt.Errorf("failed to create scan record: %w", err)
-	}
-
 	// Audit trail
 	if err := s.auditService.RecordEvent(ctx, report.AgentID, domain.ActorTypeSystem,
 		"discovery_scan_completed", "discovery_scan", scan.ID,

internal/service/export.go

@@ -88,7 +88,7 @@ func (s *ExportService) ExportPKCS12(ctx context.Context, certID string, passwor
 	// Parse PEM chain into x509.Certificate objects
 	certs, err := parsePEMCertificates(version.PEMChain)
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse certificate chain: %w", err)
+		return nil, fmt.Errorf("certificate data cannot be parsed as X.509: %w", err)
 	}
 
 	if len(certs) == 0 {

internal/service/team_test.go

@@ -321,8 +321,8 @@ func TestTeamService_Create_EmptyName(t *testing.T) {
 		t.Fatalf("expected validation error for empty name, got nil")
 	}
 
-	if !errors.Is(err, errors.New("team name is required")) {
-		t.Logf("error: %v", err)
+	if !strings.Contains(err.Error(), "team name is required") {
+		t.Errorf("expected error containing 'team name is required', got: %v", err)
 	}
 }
 

web/src/pages/CertificatesPage.tsx

@@ -13,6 +13,7 @@ import type { Certificate } from '../api/types';
 
 function CreateCertificateModal({ onClose, onSuccess }: { onClose: () => void; onSuccess: () => void }) {
   const [form, setForm] = useState({
+    name: '',
     id: '',
     common_name: '',
     environment: 'production',
@@ -35,6 +36,12 @@ function CreateCertificateModal({ onClose, onSuccess }: { onClose: () => void; o
         <h2 className="text-lg font-semibold text-ink mb-4">New Certificate</h2>
         {error && <div className="bg-red-50 border border-red-200 text-red-700 rounded px-3 py-2 text-sm mb-4">{error}</div>}
         <div className="space-y-3">
+          <div>
+            <label className="text-xs text-ink-muted block mb-1">Name *</label>
+            <input value={form.name} onChange={e => setForm(f => ({ ...f, name: e.target.value }))}
+              className="w-full bg-white border border-surface-border rounded px-3 py-2 text-sm text-ink focus:outline-none focus:border-brand-400 focus:ring-1 focus:ring-brand-400/20"
+              placeholder="API Production Cert" />
+          </div>
           <div>
             <label className="text-xs text-ink-muted block mb-1">ID (optional)</label>
             <input value={form.id} onChange={e => setForm(f => ({ ...f, id: e.target.value }))}
@@ -89,7 +96,7 @@ function CreateCertificateModal({ onClose, onSuccess }: { onClose: () => void; o
           <button onClick={onClose} className="btn btn-ghost text-sm">Cancel</button>
           <button
             onClick={() => mutation.mutate()}
-            disabled={!form.common_name || !form.issuer_id || mutation.isPending}
+            disabled={!form.name || !form.common_name || !form.issuer_id || mutation.isPending}
             className="btn btn-primary text-sm disabled:opacity-50"
           >
             {mutation.isPending ? 'Creating...' : 'Create Certificate'}