Merge branch 'fix/m11-cosign-v3-sign-blob-bundle': M-11 cosign v3 sign-blob migration

ci(release): migrate cosign sign-blob to --bundle (cosign v3.0)
Cosign v3.0 (shipped by default with sigstore/cosign-installer@cad07c2e, release v3.0.5) removed --output-signature and --output-certificate from the sign-blob subcommand. The replacement is a single --bundle flag that emits a unified Sigstore bundle (.sigstore.json) containing the signature, certificate chain, and Rekor inclusion proof in one file. This change migrates both sign-blob invocations in .github/workflows/ release.yml (per-binary matrix signing and aggregate checksums.txt signing), updates the artefact upload paths, the artefact aggregation case filter, the GitHub Release asset list, and the release-notes body verify-blob example. The README cosign verification snippet and sidecar description are also updated to the --bundle / .sigstore.json shape. No cosign version pinning. No legacy fallback. OCI image signing (cosign sign on image digest) is unchanged — only sign-blob flags changed in v3.0. See M-11 in certctl-audit-report.md. Verification gates: - YAML parse: OK - go vet ./...: exit 0 - go build ./...: exit 0 - grep 'cosign sign-blob' release.yml: 2 (expected: 2) - grep '.sigstore.json' release.yml: 9 (expected: >=5) - grep '.sig/.pem' release.yml non-comment: 0 (expected: 0) - README legacy cosign refs: 0 (expected: 0) - docs/ legacy cosign refs: 0 (expected: 0) Coverage: unchanged (CI workflow edit + README — zero Go code touched).
2026-06-08 18:38:54 +00:00 · 2026-04-18 09:29:25 +00:00 · 2026-04-18 09:29:20 +00:00 · 2026-04-18 03:21:45 +00:00 · 2026-04-18 03:21:40 +00:00 · 2026-04-18 02:53:50 +00:00
128 changed files with 7219 additions and 1128 deletions
@@ -45,11 +45,11 @@ jobs:
        run: govulncheck ./...
      - name: Race Detection
-        run: go test -race ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/scheduler/... ./internal/connector/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -timeout 300s
+        run: go test -race ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/scheduler/... ./internal/connector/... ./internal/crypto/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -timeout 300s
      - name: Go Test with Coverage
        run: |
-          go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -cover -coverprofile=coverage.out
+          go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/crypto/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -cover -coverprofile=coverage.out
      - name: Check Coverage Thresholds
        run: |
@@ -73,6 +73,13 @@ jobs:
          MIDDLEWARE_COV=$(go tool cover -func=coverage.out | grep 'internal/api/middleware' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
          echo "Middleware layer coverage: ${MIDDLEWARE_COV}%"
          # Check crypto package coverage (target: 85%+)
          # M-8 rationale: encryption primitives are a security-critical gate.
          # v2 format, key-derivation, fallback, and fail-closed sentinel paths
          # all need exhaustive coverage to avoid silent regressions (CWE-916 / CWE-329).
          CRYPTO_COV=$(go tool cover -func=coverage.out | grep 'internal/crypto' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
          echo "Crypto package coverage: ${CRYPTO_COV}%"
          # Fail if thresholds not met
          if [ "$(echo "$SERVICE_COV < 55" | bc -l)" -eq 1 ]; then
            echo "::error::Service layer coverage ${SERVICE_COV}% is below 55% threshold"
@@ -90,6 +97,10 @@ jobs:
            echo "::error::Middleware layer coverage ${MIDDLEWARE_COV}% is below 30% threshold"
            exit 1
          fi
          if [ "$(echo "$CRYPTO_COV < 85" | bc -l)" -eq 1 ]; then
            echo "::error::Crypto package coverage ${CRYPTO_COV}% is below 85% threshold"
            exit 1
          fi
          echo "Coverage thresholds passed!"
      - name: Upload Coverage Report
@@ -7,40 +7,30 @@ on:
 env:
  REGISTRY: ghcr.io
-  GO_VERSION: '1.22'
+  # Keep in lock-step with .github/workflows/ci.yml (M-3).
  GO_VERSION: '1.25.9'
  IMAGE_NAMESPACE: shankar0123
 jobs:
-  # Cross-compile agent and server binaries for multiple platforms
+  # ----------------------------------------------------------------------
  # build-binaries (M-3): matrix build every (binary × OS × arch) tuple.
  # For each tuple we produce: the binary, a SPDX-JSON SBOM, a keyless
  # Cosign signature + certificate bundle, and a single-line sha256sum
  # file. All artefacts are uploaded to a workflow-scoped artifact; the
  # aggregate-checksums job fans them back in for release upload.
  # ----------------------------------------------------------------------
  build-binaries:
-    name: Build Cross-Platform Binaries
+    name: Build ${{ matrix.binary }} (${{ matrix.os }}/${{ matrix.arch }})
    runs-on: ubuntu-latest
    permissions:
-      contents: write
+      contents: read
-
+      id-token: write  # Cosign keyless OIDC identity token
    strategy:
      fail-fast: false
      matrix:
-        include:
+        binary: [agent, server, cli, mcp-server]
-          # Agent binaries (4 platforms)
+        os: [linux, darwin]
-          - os: linux
+        arch: [amd64, arm64]
            arch: amd64
            binary: agent
          - os: linux
            arch: arm64
            binary: agent
          - os: darwin
            arch: amd64
            binary: agent
          - os: darwin
            arch: arm64
            binary: agent
          # Server binaries (2 platforms)
          - os: linux
            arch: amd64
            binary: server
          - os: linux
            arch: arm64
            binary: server
    steps:
      - uses: actions/checkout@v4
@@ -51,35 +41,174 @@ jobs:
      - name: Extract version from tag
        id: version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
-      - name: Build ${{ matrix.binary }} binary (${{ matrix.os }}-${{ matrix.arch }})
+      - name: Build binary
        id: build
        env:
          GOOS: ${{ matrix.os }}
          GOARCH: ${{ matrix.arch }}
-          CGO_ENABLED: 0
+          CGO_ENABLED: '0'
          VERSION: ${{ steps.version.outputs.VERSION }}
        run: |
          set -euo pipefail
          OUTPUT_NAME="certctl-${{ matrix.binary }}-${{ matrix.os }}-${{ matrix.arch }}"
-          go build -ldflags="-w -s -X main.Version=${{ steps.version.outputs.VERSION }}" \
+          mkdir -p dist
          go build \
            -trimpath \
            -ldflags="-w -s -X main.Version=${VERSION}" \
            -o "dist/${OUTPUT_NAME}" \
            "./cmd/${{ matrix.binary }}"
          ls -lh "dist/${OUTPUT_NAME}"
          echo "output_name=${OUTPUT_NAME}" >> "$GITHUB_OUTPUT"
-      - name: Upload binaries to release
+      - name: Generate SBOM (SPDX-JSON)
        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610  # v0.24.0
        with:
          file: dist/${{ steps.build.outputs.output_name }}
          format: spdx-json
          output-file: dist/${{ steps.build.outputs.output_name }}.sbom.spdx.json
          upload-artifact: false
          upload-release-assets: false
      - name: Install Cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v4.1.1
      - name: Keyless-sign binary with Cosign
        env:
          OUTPUT_NAME: ${{ steps.build.outputs.output_name }}
        run: |
          set -euo pipefail
          # Cosign v3.0 (shipped by cosign-installer@v4.1.1 default
          # cosign-release=v3.0.5) removed --output-signature/--output-certificate
          # on sign-blob. The replacement is --bundle, which emits a unified
          # Sigstore bundle (signature + cert chain + Rekor inclusion proof) as
          # a single .sigstore.json artefact. M-11.
          cosign sign-blob \
            --yes \
            --bundle "dist/${OUTPUT_NAME}.sigstore.json" \
            "dist/${OUTPUT_NAME}"
      - name: Compute SHA-256 sidecar
        env:
          OUTPUT_NAME: ${{ steps.build.outputs.output_name }}
        run: |
          set -euo pipefail
          cd dist
          sha256sum "${OUTPUT_NAME}" > "${OUTPUT_NAME}.sha256"
          cat "${OUTPUT_NAME}.sha256"
      - name: Upload build artefacts
        uses: actions/upload-artifact@v4
        with:
          name: binary-${{ steps.build.outputs.output_name }}
          path: |
            dist/${{ steps.build.outputs.output_name }}
            dist/${{ steps.build.outputs.output_name }}.sigstore.json
            dist/${{ steps.build.outputs.output_name }}.sbom.spdx.json
            dist/${{ steps.build.outputs.output_name }}.sha256
          if-no-files-found: error
          retention-days: 7
  # ----------------------------------------------------------------------
  # aggregate-checksums (M-3): fan in every matrix artefact, produce a
  # single checksums.txt (sha256sum format, compatible with `sha256sum
  # -c`), sign it with Cosign, upload everything to the GitHub Release,
  # and emit a base64-encoded hash manifest for the SLSA generator.
  # ----------------------------------------------------------------------
  aggregate-checksums:
    name: Aggregate checksums & sign
    runs-on: ubuntu-latest
    needs: [build-binaries]
    permissions:
      contents: write
      id-token: write  # Cosign keyless OIDC identity token
    outputs:
      hashes: ${{ steps.hashes.outputs.hashes }}
    steps:
      - name: Download binary artefacts
        uses: actions/download-artifact@v4
        with:
          pattern: binary-*
          path: artifacts
          merge-multiple: true
      - name: Aggregate SHA-256 sums
        id: hashes
        run: |
          set -euo pipefail
          cd artifacts
          : > checksums.txt
          for f in certctl-*; do
            case "$f" in
              *.sigstore.json|*.sbom.spdx.json|*.sha256|checksums.txt)
                continue ;;
            esac
            sha256sum "$f" >> checksums.txt
          done
          echo "=== checksums.txt ==="
          cat checksums.txt
          # base64 hashes (single line, no wrapping) for SLSA generator.
          HASHES=$(base64 -w0 < checksums.txt)
          echo "hashes=${HASHES}" >> "$GITHUB_OUTPUT"
      - name: Install Cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v4.1.1
      - name: Keyless-sign checksums.txt
        run: |
          set -euo pipefail
          cd artifacts
          # Cosign v3.0 --bundle replaces the removed v2 flag pair
          # --output-signature / --output-certificate. See M-11.
          cosign sign-blob \
            --yes \
            --bundle checksums.txt.sigstore.json \
            checksums.txt
      - name: Upload artefacts to GitHub Release
        uses: softprops/action-gh-release@v2
        if: startsWith(github.ref, 'refs/tags/')
        with:
          files: |
-            dist/certctl-agent-*
+            artifacts/certctl-*
-            dist/certctl-server-*
+            artifacts/checksums.txt
            artifacts/checksums.txt.sigstore.json
-  # Build and push Docker images
+  # ----------------------------------------------------------------------
  # provenance-binaries (M-3): SLSA Level 3 provenance for every binary.
  # The SLSA generic generator reusable workflow runs in a hermetic
  # workflow run, producing multiple.intoto.jsonl from the base64 hash
  # manifest and uploading it as a release asset.
  # ----------------------------------------------------------------------
  provenance-binaries:
    name: SLSA provenance (binaries)
    needs: [aggregate-checksums]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.aggregate-checksums.outputs.hashes }}"
      upload-assets: true
      provenance-name: multiple.intoto.jsonl
  # ----------------------------------------------------------------------
  # build-and-push-docker: push container images to GHCR with native
  # SLSA L3 provenance (mode=max) and SBOM attestations emitted by
  # docker/build-push-action@v6, plus a keyless Cosign signature on the
  # image digest for identity-bound verification. The M-4 proxy-propagation
  # build-args block is retained verbatim — M-3 only adds supply-chain
  # steps; it never touches M-4 wiring.
  # ----------------------------------------------------------------------
  build-and-push-docker:
    name: Build & Push Docker Images
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
      id-token: write  # Cosign keyless OIDC identity token
    steps:
      - uses: actions/checkout@v4
@@ -93,40 +222,90 @@ jobs:
      - name: Extract version from tag
        id: version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Install Cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v4.1.1
      - name: Build and push server image
        id: server-push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          tags: |
-            ${{ env.REGISTRY }}/shankar0123/certctl-server:${{ steps.version.outputs.VERSION }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-server:${{ steps.version.outputs.VERSION }}
-            ${{ env.REGISTRY }}/shankar0123/certctl-server:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-server:latest
          # Proxy propagation (M-4, Issue #9) — forwards runner-level proxy
          # secrets into the Docker build so self-hosted runners behind
          # corporate proxies can reach public registries. GitHub-hosted
          # runners don't need proxies, so the secrets are optional and
          # resolve to empty strings when unset — byte-identical to the
          # pre-fix behaviour for the public-runner path.
          build-args: |
            HTTP_PROXY=${{ secrets.HTTP_PROXY }}
            HTTPS_PROXY=${{ secrets.HTTPS_PROXY }}
            NO_PROXY=${{ secrets.NO_PROXY }}
          # Supply-chain hardening (M-3): emit native SLSA L3 provenance
          # and SBOM attestations bound to the image manifest.
          provenance: mode=max
          sbom: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Keyless-sign server image with Cosign
        env:
          DIGEST: ${{ steps.server-push.outputs.digest }}
          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-server
        run: |
          set -euo pipefail
          cosign sign --yes "${IMAGE}@${DIGEST}"
      - name: Build and push agent image
        id: agent-push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile.agent
          push: true
          tags: |
-            ${{ env.REGISTRY }}/shankar0123/certctl-agent:${{ steps.version.outputs.VERSION }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-agent:${{ steps.version.outputs.VERSION }}
-            ${{ env.REGISTRY }}/shankar0123/certctl-agent:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-agent:latest
          # Proxy propagation (M-4, Issue #9) — see server-image step for
          # rationale. Empty secrets resolve to empty build args, leaving
          # the un-proxied code path byte-identical to the pre-fix tree.
          build-args: |
            HTTP_PROXY=${{ secrets.HTTP_PROXY }}
            HTTPS_PROXY=${{ secrets.HTTPS_PROXY }}
            NO_PROXY=${{ secrets.NO_PROXY }}
          # Supply-chain hardening (M-3): emit native SLSA L3 provenance
          # and SBOM attestations bound to the image manifest.
          provenance: mode=max
          sbom: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
-  # Create release notes with all artifacts
+      - name: Keyless-sign agent image with Cosign
        env:
          DIGEST: ${{ steps.agent-push.outputs.digest }}
          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-agent
        run: |
          set -euo pipefail
          cosign sign --yes "${IMAGE}@${DIGEST}"
  # ----------------------------------------------------------------------
  # create-release: stamp the release body. The actual asset uploads are
  # handled by aggregate-checksums (binaries, SBOMs, sigs, certs,
  # checksums.txt + signature) and the SLSA generator (multiple.intoto.jsonl).
  # ----------------------------------------------------------------------
  create-release:
    name: Create Release Notes
    runs-on: ubuntu-latest
-    needs: [build-binaries, build-and-push-docker]
+    needs: [build-binaries, aggregate-checksums, provenance-binaries, build-and-push-docker]
    permissions:
      contents: write
@@ -135,7 +314,7 @@ jobs:
      - name: Extract version from tag
        id: version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
      - name: Create release with notes
        uses: softprops/action-gh-release@v2
@@ -197,6 +376,76 @@ jobs:
            - **Linux x86_64**: `certctl-server-linux-amd64`
            - **Linux ARM64**: `certctl-server-linux-arm64`
            - **macOS x86_64**: `certctl-server-darwin-amd64`
            - **macOS ARM64 (Apple Silicon)**: `certctl-server-darwin-arm64`
            ## CLI & MCP Server Binaries
            The `certctl-cli` (REST API wrapper) and `certctl-mcp-server` (Model Context
            Protocol bridge) binaries ship for all four platforms as well:
            - `certctl-cli-{linux,darwin}-{amd64,arm64}`
            - `certctl-mcp-server-{linux,darwin}-{amd64,arm64}`
            ## Verifying this release
            Every binary, `checksums.txt`, and container image is signed with Cosign
            keyless OIDC. Each binary ships with a SPDX-JSON SBOM. Binaries are covered
            by SLSA Level 3 provenance; container images carry native SLSA L3 provenance
            and SBOM attestations (docker/build-push-action `provenance: mode=max`,
            `sbom: true`) in addition to a Cosign signature on the digest.
            **1. Verify SHA-256 checksums:**
            ```bash
            sha256sum -c checksums.txt
            ```
            **2. Verify the Cosign signature on checksums.txt (keyless OIDC):**
            ```bash
            cosign verify-blob \
              --bundle checksums.txt.sigstore.json \
              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
              checksums.txt
            ```
            Replace `checksums.txt` with any individual binary name to verify that
            artefact directly (each binary ships with its own `.sigstore.json`
            bundle, e.g. `cosign verify-blob --bundle certctl-agent-linux-amd64.sigstore.json …`).
            **3. Verify SLSA Level 3 provenance (binaries):**
            ```bash
            slsa-verifier verify-artifact \
              --provenance-path multiple.intoto.jsonl \
              --source-uri github.com/shankar0123/certctl \
              --source-tag ${{ steps.version.outputs.VERSION }} \
              certctl-agent-linux-amd64
            ```
            **4. Verify container image signature and attestations:**
            ```bash
            IMAGE=ghcr.io/shankar0123/certctl-server:${{ steps.version.outputs.VERSION }}
            cosign verify \
              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
              "$IMAGE"
            # SBOM attestation (SPDX-JSON) emitted by docker/build-push-action
            cosign verify-attestation --type spdxjson \
              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
              "$IMAGE"
            # SLSA provenance attestation (mode=max)
            cosign verify-attestation --type slsaprovenance \
              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
              "$IMAGE"
            ```
            ## Helm Chart
@@ -6,6 +6,7 @@ run:
 linters:
  default: none
  enable:
    - contextcheck
    - govet
    - staticcheck
    - unused
@@ -3,17 +3,43 @@
 # Stage 1: Build frontend
 FROM node:20-alpine AS frontend
 # Proxy propagation (M-4, Issue #9) — defaulted to empty so un-proxied builds
 # behave identically to the pre-fix tree. When `HTTP_PROXY`/`HTTPS_PROXY`/
 # `NO_PROXY` are forwarded via `docker build --build-arg` (or compose
 # `build.args`), they are re-exported as ENV with both upper- and lower-case
 # names because npm/apk/curl read the lowercase variants while Go, Node, and
 # most HTTP libraries read the uppercase ones.
 ARG HTTP_PROXY=
 ARG HTTPS_PROXY=
 ARG NO_PROXY=
 ENV HTTP_PROXY=${HTTP_PROXY} \
    HTTPS_PROXY=${HTTPS_PROXY} \
    NO_PROXY=${NO_PROXY} \
    http_proxy=${HTTP_PROXY} \
    https_proxy=${HTTPS_PROXY} \
    no_proxy=${NO_PROXY}
 WORKDIR /app/web
 COPY web/package.json web/package-lock.json ./
 RUN npm ci
 COPY web/ .
-RUN npm run build
+RUN npm ci --include=dev || npm ci --include=dev && \
    node_modules/.bin/tsc --version && \
    npm run build
 # Stage 2: Build Go binary
 FROM golang:1.25-alpine AS builder
 # Proxy propagation (M-4, Issue #9) — see Stage 1 rationale.
 ARG HTTP_PROXY=
 ARG HTTPS_PROXY=
 ARG NO_PROXY=
 ENV HTTP_PROXY=${HTTP_PROXY} \
    HTTPS_PROXY=${HTTPS_PROXY} \
    NO_PROXY=${NO_PROXY} \
    http_proxy=${HTTP_PROXY} \
    https_proxy=${HTTPS_PROXY} \
    no_proxy=${NO_PROXY}
 RUN apk add --no-cache git ca-certificates tzdata
 WORKDIR /app
@@ -2,6 +2,22 @@
 # Stage 1: Build
 FROM golang:1.25-alpine AS builder
 # Proxy propagation (M-4, Issue #9) — defaulted to empty so un-proxied builds
 # behave identically to the pre-fix tree. When `HTTP_PROXY`/`HTTPS_PROXY`/
 # `NO_PROXY` are forwarded via `docker build --build-arg` (or compose
 # `build.args`), they are re-exported as ENV with both upper- and lower-case
 # names because apk and curl read the lowercase variants while Go reads the
 # uppercase ones.
 ARG HTTP_PROXY=
 ARG HTTPS_PROXY=
 ARG NO_PROXY=
 ENV HTTP_PROXY=${HTTP_PROXY} \
    HTTPS_PROXY=${HTTPS_PROXY} \
    NO_PROXY=${NO_PROXY} \
    http_proxy=${HTTP_PROXY} \
    https_proxy=${HTTPS_PROXY} \
    no_proxy=${NO_PROXY}
 RUN apk add --no-cache git ca-certificates
 WORKDIR /app
@@ -36,6 +36,10 @@ gantt
        47 days                :crit, 2020-01-01, 47d
 ```
 > **Actively maintained — shipping weekly.** Found something? [Open a GitHub issue](https://github.com/shankar0123/certctl/issues) — issues get triaged same-day. CI runs the full test suite with race detection, static analysis, and vulnerability scanning on every commit.
 **Ready to try it?** Jump to the [Quick Start](#quick-start) — you'll have a running dashboard in under 5 minutes.
 ## Documentation
 | Guide | Description |
@@ -145,10 +149,6 @@ All connectors are pluggable — build your own by implementing the [connector i
 **[See all screenshots →](docs/screenshots/)**
 > **Actively maintained — shipping weekly.** Found something? [Open a GitHub issue](https://github.com/shankar0123/certctl/issues) — issues get triaged same-day. CI runs the full test suite with race detection, static analysis, and vulnerability scanning on every commit.
 **Ready to try it?** Jump to the [Quick Start](#quick-start) — you'll have a running dashboard in under 5 minutes.
 ## Why certctl
 Certificate lifecycle tooling falls into two camps: enterprise platforms (Venafi, Keyfactor) that cost six figures and take months to deploy, or single-purpose tools (certbot, cert-manager) that handle one slice of the problem. certctl fills the gap — full lifecycle automation, self-hosted, free, CA-agnostic, and target-agnostic. If you're running certbot cron jobs, manually renewing certs, or stitching together scripts across mixed infrastructure, certctl replaces all of that.
@@ -175,7 +175,7 @@ Built for **platform engineering and DevOps teams** managing 10–500+ certifica
 **Enrollment protocols.** EST server (RFC 7030) for device and WiFi enrollment. SCEP server (RFC 8894) for MDM platforms and network devices. S/MIME issuance with email protection EKU.
-**Revocation.** DER-encoded X.509 CRL per issuer, signed by the issuing CA. Embedded OCSP responder. RFC 5280 reason codes. Short-lived certs (TTL < 1 hour) are exempt — expiry is sufficient revocation.
+**Revocation.** Single and bulk revocation (by profile, owner, agent, or issuer). DER-encoded X.509 CRL per issuer, signed by the issuing CA. Embedded OCSP responder. RFC 5280 reason codes. Short-lived certs (TTL < 1 hour) are exempt — expiry is sufficient revocation.
 **Audit and observability.** Immutable append-only audit trail records every lifecycle action, every API call, and every approval decision. Prometheus metrics endpoint. Scheduled certificate digest emails. Continuous endpoint health monitoring with state machine transitions and real-time alerts.
@@ -237,6 +237,74 @@ docker pull shankar0123.docker.scarf.sh/certctl-server
 docker pull shankar0123.docker.scarf.sh/certctl-agent
 ```
 ## Verifying this release
 Every `v*` tag publishes signed, attested release artefacts. Binaries
 (`certctl-agent`, `certctl-server`, `certctl-cli`, `certctl-mcp-server` for
 `linux|darwin × amd64|arm64`) ship alongside a `checksums.txt`, per-binary
 SPDX-JSON SBOMs, Cosign signatures, and SLSA Level 3 provenance. Container
 images on `ghcr.io/shankar0123/certctl-{server,agent}` are built with
 `docker/build-push-action` `provenance: mode=max` + `sbom: true` and are
 additionally signed with Cosign at the image digest.
 All signatures use Cosign keyless OIDC; the signing identity is the
 release workflow running on a signed tag.
 **1. Verify SHA-256 checksums:**
 ```bash
 sha256sum -c checksums.txt
 ```
 **2. Verify the Cosign signature on `checksums.txt`:**
 ```bash
 cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  checksums.txt
 ```
 Every individual binary ships with its own `.sigstore.json` bundle
 (unified Sigstore bundle containing signature, certificate chain, and
 Rekor inclusion proof). Swap `checksums.txt` for any binary name and
 point `--bundle` at the matching `<binary>.sigstore.json` to verify it
 directly.
 **3. Verify SLSA Level 3 provenance on a binary:**
 ```bash
 slsa-verifier verify-artifact \
  --provenance-path multiple.intoto.jsonl \
  --source-uri github.com/shankar0123/certctl \
  --source-tag v2.1.0 \
  certctl-agent-linux-amd64
 ```
 **4. Verify a container image signature and its SBOM / provenance attestations:**
 ```bash
 IMAGE=ghcr.io/shankar0123/certctl-server:v2.1.0
 cosign verify \
  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  "$IMAGE"
 # SBOM attestation (SPDX-JSON, emitted by docker/build-push-action)
 cosign verify-attestation --type spdxjson \
  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  "$IMAGE"
 # SLSA provenance attestation (docker/build-push-action `provenance: mode=max`)
 cosign verify-attestation --type slsaprovenance \
  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  "$IMAGE"
 ```
 ## Examples
 Pick the scenario closest to your setup and have it running in 2 minutes.
@@ -320,7 +388,7 @@ Core lifecycle management — Local CA + ACME v2 issuers, NGINX target connector
 30+ milestones shipping enterprise-grade features for free. Sub-CA mode, ACME DNS-01/DNS-PERSIST-01/EAB/ARI (RFC 9773)/profile selection, step-ca, Vault PKI, DigiCert CertCentral, Sectigo SCM, Google CAS, AWS ACM PCA, Entrust, GlobalSign, EJBCA, OpenSSL/Custom CA issuers. NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS (WinRM), F5 BIG-IP, SSH, Windows Certificate Store, Java Keystore, Kubernetes Secrets targets. EST server (RFC 7030) and SCEP server (RFC 8894) enrollment protocols. RFC 5280 revocation with DER CRL + embedded OCSP responder. Certificate profiles, ownership tracking, team assignment, agent groups, interactive approval workflows. Filesystem, network, and cloud secret manager (AWS SM, Azure KV, GCP SM) certificate discovery with triage GUI. Dynamic issuer/target configuration via GUI with AES-256-GCM encrypted storage. First-run onboarding wizard. Post-deployment TLS verification. Certificate export (PEM/PKCS#12). S/MIME support. Prometheus metrics. Scheduled certificate digest emails. Slack, Teams, PagerDuty, OpsGenie, SMTP notifications. MCP server (80 tools), CLI (12 commands), Helm chart. Compliance mapping (SOC 2, PCI-DSS 4.0, NIST SP 800-57). 5 turnkey deployment examples. Agent install script. Migration guides from certbot, acme.sh, and cert-manager. See the [Feature Inventory](docs/features.md) for details.
 ### V3: certctl Pro
-Team access controls and identity provider integration. Role-based access control with profile-gating. Event-driven architecture with real-time operational views. Advanced search, compliance scoring, bulk fleet operations.
+Enterprise capabilities for larger deployments are available in the commercial tier.
 ### V4+: Cloud & Scale
 Kubernetes cert-manager external issuer, cloud infrastructure targets, extended CA support, and platform-scale features.
@@ -66,6 +66,12 @@ tags:
    description: Continuous TLS endpoint health checks with status tracking and probe history
  - name: Digest
    description: Scheduled certificate digest email notifications
  - name: Verification
    description: Post-deployment TLS endpoint fingerprint verification
  - name: EST
    description: Enrollment over Secure Transport (RFC 7030)
  - name: SCEP
    description: Simple Certificate Enrollment Protocol (RFC 8894)
 paths:
  # ─── Health & Auth ───────────────────────────────────────────────────
@@ -381,6 +387,34 @@ paths:
        "500":
          $ref: "#/components/responses/InternalError"
  # ─── Bulk Revocation ─────────────────────────────────────────────────
  /api/v1/certificates/bulk-revoke:
    post:
      tags: [Certificates]
      summary: Bulk revoke certificates
      description: |
        Revokes all certificates matching the given filter criteria. At least one criterion
        is required (safety guard against accidental mass revocation). Reuses the single-cert
        revocation flow per certificate with partial-failure tolerance.
      operationId: bulkRevokeCertificates
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/BulkRevokeRequest"
      responses:
        "200":
          description: Bulk revocation result
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/BulkRevokeResult"
        "400":
          $ref: "#/components/responses/BadRequest"
        "500":
          $ref: "#/components/responses/InternalError"
  # ─── Certificate Export ──────────────────────────────────────────────
  /api/v1/certificates/{id}/export/pem:
    get:
@@ -788,6 +822,28 @@ paths:
        "500":
          $ref: "#/components/responses/InternalError"
  /api/v1/targets/{id}/test:
    post:
      tags: [Targets]
      summary: Test target connection
      description: |
        Checks target connectivity by verifying the assigned agent's heartbeat status
        (agent reported within the last 5 minutes). Always returns HTTP 200 — the
        connectivity result is reflected in the response body's `status` field
        (`success` when the agent is reachable, `failed` otherwise).
      operationId: testTargetConnection
      parameters:
        - $ref: "#/components/parameters/resourceId"
      responses:
        "200":
          description: Connection test result (success or failed in body)
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/StatusMessageResponse"
        "400":
          $ref: "#/components/responses/BadRequest"
  # ─── Agents ──────────────────────────────────────────────────────────
  /api/v1/agents:
    get:
@@ -1149,6 +1205,66 @@ paths:
        "500":
          $ref: "#/components/responses/InternalError"
  /api/v1/jobs/{id}/verify:
    post:
      tags: [Verification]
      summary: Record post-deployment verification result
      description: |
        Agents submit the result of probing a deployed certificate's live TLS endpoint.
        Compares the served certificate's SHA-256 fingerprint against the expected
        fingerprint. Best-effort: failures are recorded on the job but do not roll
        back the deployment.
      operationId: verifyDeployment
      parameters:
        - $ref: "#/components/parameters/resourceId"
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/VerifyDeploymentRequest"
      responses:
        "200":
          description: Verification result recorded
          content:
            application/json:
              schema:
                type: object
                properties:
                  job_id:
                    type: string
                  verified:
                    type: boolean
                  verified_at:
                    type: string
                    format: date-time
        "400":
          $ref: "#/components/responses/BadRequest"
        "500":
          $ref: "#/components/responses/InternalError"
  /api/v1/jobs/{id}/verification:
    get:
      tags: [Verification]
      summary: Get post-deployment verification status
      description: |
        Returns the stored verification result for a deployment job — expected
        and observed SHA-256 fingerprints, verified flag, and timestamp.
      operationId: getJobVerification
      parameters:
        - $ref: "#/components/parameters/resourceId"
      responses:
        "200":
          description: Verification result for the job
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/VerificationResult"
        "400":
          $ref: "#/components/responses/BadRequest"
        "500":
          $ref: "#/components/responses/InternalError"
  # ─── Policies ────────────────────────────────────────────────────────
  /api/v1/policies:
    get:
@@ -2690,6 +2806,238 @@ paths:
        "500":
          $ref: "#/components/responses/InternalError"
  # ─── EST (RFC 7030) ────────────────────────────────────────────────
  /.well-known/est/cacerts:
    get:
      tags: [EST]
      summary: EST CA certificates distribution
      description: |
        Returns the CA certificate chain used to verify certctl-issued certificates.
        Response is a base64-encoded degenerate PKCS#7 SignedData (certs-only) per
        RFC 7030 §4.1.3.
      operationId: estCACerts
      security: []
      responses:
        "200":
          description: Base64-encoded PKCS#7 certs-only structure
          headers:
            Content-Transfer-Encoding:
              schema:
                type: string
                example: base64
          content:
            application/pkcs7-mime:
              schema:
                type: string
                format: byte
                description: "Base64-encoded PKCS#7 (smime-type=certs-only)"
        "500":
          $ref: "#/components/responses/InternalError"
  /.well-known/est/simpleenroll:
    post:
      tags: [EST]
      summary: EST simple enrollment
      description: |
        Enrolls a new certificate from a PKCS#10 CSR per RFC 7030 §4.2.1.
        The CSR MAY be supplied as base64-encoded DER (EST standard wire format)
        or as PEM for convenience. Returns a base64-encoded PKCS#7 certs-only
        structure containing the issued certificate.
      operationId: estSimpleEnroll
      security: []
      requestBody:
        required: true
        description: "Base64-encoded DER PKCS#10 CSR, or PEM-encoded CSR"
        content:
          application/pkcs10:
            schema:
              type: string
              format: byte
      responses:
        "200":
          description: Base64-encoded PKCS#7 cert-only response with issued certificate
          headers:
            Content-Transfer-Encoding:
              schema:
                type: string
                example: base64
          content:
            application/pkcs7-mime:
              schema:
                type: string
                format: byte
                description: "Base64-encoded PKCS#7 (smime-type=certs-only)"
        "400":
          $ref: "#/components/responses/BadRequest"
        "405":
          description: Method not allowed (only POST accepted)
        "500":
          $ref: "#/components/responses/InternalError"
  /.well-known/est/simplereenroll:
    post:
      tags: [EST]
      summary: EST simple re-enrollment
      description: |
        Re-enrolls an existing certificate (same as simpleenroll in certctl's
        implementation — re-enrollment is treated as a fresh issuance) per
        RFC 7030 §4.2.2.
      operationId: estSimpleReEnroll
      security: []
      requestBody:
        required: true
        description: "Base64-encoded DER PKCS#10 CSR, or PEM-encoded CSR"
        content:
          application/pkcs10:
            schema:
              type: string
              format: byte
      responses:
        "200":
          description: Base64-encoded PKCS#7 cert-only response with re-issued certificate
          headers:
            Content-Transfer-Encoding:
              schema:
                type: string
                example: base64
          content:
            application/pkcs7-mime:
              schema:
                type: string
                format: byte
                description: "Base64-encoded PKCS#7 (smime-type=certs-only)"
        "400":
          $ref: "#/components/responses/BadRequest"
        "405":
          description: Method not allowed (only POST accepted)
        "500":
          $ref: "#/components/responses/InternalError"
  /.well-known/est/csrattrs:
    get:
      tags: [EST]
      summary: EST CSR attributes
      description: |
        Returns attributes the EST client should include in its CSR per
        RFC 7030 §4.5. certctl currently returns an empty attribute set
        (HTTP 204) — profile-based constraints are enforced server-side
        during enrollment rather than advertised here.
      operationId: estCSRAttrs
      security: []
      responses:
        "200":
          description: Base64-encoded CsrAttrs (when non-empty)
          headers:
            Content-Transfer-Encoding:
              schema:
                type: string
                example: base64
          content:
            application/csrattrs:
              schema:
                type: string
                format: byte
        "204":
          description: No CSR attributes defined (empty response)
        "500":
          $ref: "#/components/responses/InternalError"
  # ─── SCEP (RFC 8894) ──────────────────────────────────────────────
  /scep:
    get:
      tags: [SCEP]
      summary: SCEP operation dispatch (GET)
      description: |
        Single SCEP entry point dispatched by the `operation` query parameter
        per RFC 8894. GET is used for capability discovery (`GetCACaps`) and
        CA certificate retrieval (`GetCACert`).
      operationId: scepGet
      security: []
      parameters:
        - name: operation
          in: query
          required: true
          schema:
            type: string
            enum: [GetCACaps, GetCACert, PKIOperation]
          description: SCEP operation selector
        - name: message
          in: query
          required: false
          schema:
            type: string
          description: Optional SCEP message parameter (base64-encoded for GET PKIOperation)
      responses:
        "200":
          description: |
            Success. Content-Type varies by operation:
            - `GetCACaps` → `text/plain` capability list
            - `GetCACert` (single cert) → `application/x-x509-ca-cert` (raw DER)
            - `GetCACert` (chain) → `application/x-x509-ca-ra-cert` (PKCS#7)
            - `PKIOperation` → `application/x-pki-message` (PKCS#7 SignedData)
          content:
            text/plain:
              schema:
                type: string
                description: "SCEP capabilities (GetCACaps only)"
            application/x-x509-ca-cert:
              schema:
                type: string
                format: binary
                description: "CA certificate DER (GetCACert single)"
            application/x-x509-ca-ra-cert:
              schema:
                type: string
                format: binary
                description: "CA chain PKCS#7 (GetCACert chain)"
            application/x-pki-message:
              schema:
                type: string
                format: binary
                description: "PKCS#7 SignedData response (PKIOperation)"
        "400":
          $ref: "#/components/responses/BadRequest"
        "500":
          $ref: "#/components/responses/InternalError"
    post:
      tags: [SCEP]
      summary: SCEP PKIOperation (POST)
      description: |
        SCEP enrollment / renewal / revocation request per RFC 8894.
        Request body is a PKCS#7 SignedData envelope wrapping the PKCS#10 CSR
        or a degenerate raw CSR (fallback). The challenge password in the CSR
        attributes is validated against `CERTCTL_SCEP_CHALLENGE_PASSWORD` when
        configured.
      operationId: scepPost
      security: []
      parameters:
        - name: operation
          in: query
          required: true
          schema:
            type: string
            enum: [PKIOperation]
      requestBody:
        required: true
        description: PKCS#7 SignedData envelope wrapping a PKCS#10 CSR (or raw CSR as fallback)
        content:
          application/x-pki-message:
            schema:
              type: string
              format: binary
      responses:
        "200":
          description: PKCS#7 SignedData PKIMessage response
          content:
            application/x-pki-message:
              schema:
                type: string
                format: binary
        "400":
          $ref: "#/components/responses/BadRequest"
        "500":
          $ref: "#/components/responses/InternalError"
 # ═══════════════════════════════════════════════════════════════════════
 components:
  securitySchemes:
@@ -2892,6 +3240,59 @@ components:
        - certificateHold
        - privilegeWithdrawn
    BulkRevokeRequest:
      type: object
      required: [reason]
      properties:
        reason:
          $ref: "#/components/schemas/RevocationReason"
        profile_id:
          type: string
          description: Revoke all certificates matching this profile
        owner_id:
          type: string
          description: Revoke all certificates owned by this owner
        agent_id:
          type: string
          description: Revoke all certificates deployed via this agent
        issuer_id:
          type: string
          description: Revoke all certificates issued by this issuer
        team_id:
          type: string
          description: Revoke all certificates owned by members of this team
        certificate_ids:
          type: array
          items:
            type: string
          description: Explicit list of certificate IDs to revoke
    BulkRevokeResult:
      type: object
      properties:
        total_matched:
          type: integer
          description: Number of certificates matching the criteria
        total_revoked:
          type: integer
          description: Number of certificates successfully revoked
        total_skipped:
          type: integer
          description: Number of certificates skipped (already revoked or archived)
        total_failed:
          type: integer
          description: Number of certificates that failed to revoke
        errors:
          type: array
          items:
            type: object
            properties:
              certificate_id:
                type: string
              error:
                type: string
          description: Per-certificate error details for failed revocations
    # ─── Issuers ─────────────────────────────────────────────────────
    IssuerType:
      type: string
@@ -3724,3 +4125,47 @@ components:
          type: string
          format: date-time
          description: Timestamp of this probe
    # ─── Verification (M25) ──────────────────────────────────────────
    VerifyDeploymentRequest:
      type: object
      required: [target_id, expected_fingerprint, actual_fingerprint, verified]
      properties:
        target_id:
          type: string
          description: Deployment target the agent probed
        expected_fingerprint:
          type: string
          description: SHA-256 fingerprint of the certificate that should be served (hex, lowercase)
        actual_fingerprint:
          type: string
          description: SHA-256 fingerprint observed on the live TLS endpoint (hex, lowercase)
        verified:
          type: boolean
          description: True when expected and actual fingerprints match
        error:
          type: string
          nullable: true
          description: Error message when probe failed or fingerprints differ
    VerificationResult:
      type: object
      properties:
        job_id:
          type: string
        target_id:
          type: string
        expected_fingerprint:
          type: string
          description: SHA-256 fingerprint (hex) of the certificate deployed by this job
        actual_fingerprint:
          type: string
          description: SHA-256 fingerprint (hex) observed on the live TLS endpoint
        verified:
          type: boolean
        verified_at:
          type: string
          format: date-time
        error:
          type: string
          description: Error message when verification failed
@@ -130,6 +130,8 @@ func handleCerts(client *cli.Client, args []string) error {
 			reason = subArgs[2]
 		}
 		return client.RevokeCertificate(id, reason)
 	case "bulk-revoke":
 		return client.BulkRevokeCertificates(subArgs)
 	default:
 		fmt.Fprintf(os.Stderr, "unknown subcommand: certs %s\n", subcommand)
 		return nil
@@ -16,7 +16,6 @@ import (
 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/api/router"
 	"github.com/shankar0123/certctl/internal/config"
 	"github.com/shankar0123/certctl/internal/crypto"
 	"github.com/shankar0123/certctl/internal/domain"
 	discoveryawssm "github.com/shankar0123/certctl/internal/connector/discovery/awssm"
 	discoveryazurekv "github.com/shankar0123/certctl/internal/connector/discovery/azurekv"
@@ -82,14 +81,60 @@ func main() {
 	logger.Info("initialized all repositories")
 	// Initialize dynamic issuer registry.
-	// Issuers are loaded from the database (with AES-GCM encrypted config).
+	// Issuers are loaded from the database (with AES-256-GCM encrypted config).
 	// On first boot with an empty database, env var issuers are seeded automatically.
-	var encryptionKey []byte
+	//
-	if cfg.Encryption.ConfigEncryptionKey != "" {
+	// M-8 (CWE-916 / CWE-329): the encryption passphrase is passed as a raw
-		encryptionKey = crypto.DeriveKey(cfg.Encryption.ConfigEncryptionKey)
+	// string into IssuerService / TargetService / IssuerRegistry. Each call to
-		logger.Info("config encryption enabled (AES-256-GCM)")
+	// crypto.EncryptIfKeySet generates a fresh 16-byte PBKDF2 salt and emits a
 	// v2 blob (magic 0x02 || salt || nonce || sealed). Decryption auto-detects
 	// v1 legacy blobs (no magic) and falls back to the fixed v1 salt for
 	// backward compatibility; v1 blobs transparently upgrade to v2 on next
 	// write. DO NOT pre-derive the key here with crypto.DeriveKey — that was
 	// the v1 fixed-salt behaviour that M-8 removes.
 	encryptionKey := cfg.Encryption.ConfigEncryptionKey
 	if encryptionKey != "" {
 		logger.Info("config encryption enabled (AES-256-GCM, per-ciphertext PBKDF2 salt)")
 	} else {
-		logger.Warn("CERTCTL_CONFIG_ENCRYPTION_KEY not set — issuer configs stored in plaintext (not recommended for production)")
+		// C-2 fix: fail closed at startup when database-sourced issuer or target
 		// rows exist without a configured encryption key. Previously the server
 		// would emit a one-line warning and silently persist new GUI-created
 		// configs as plaintext (CWE-311). Refuse to start instead: the operator
 		// must either configure CERTCTL_CONFIG_ENCRYPTION_KEY or remove the
 		// vulnerable rows before the control plane can boot.
 		ctx := context.Background()
 		dbIssuers, ierr := issuerRepo.List(ctx)
 		if ierr != nil {
 			logger.Error("startup check: failed to list issuers", "error", ierr)
 			os.Exit(1)
 		}
 		dbTargets, terr := targetRepo.List(ctx)
 		if terr != nil {
 			logger.Error("startup check: failed to list targets", "error", terr)
 			os.Exit(1)
 		}
 		var dbIssuerCount, dbTargetCount int
 		for _, iss := range dbIssuers {
 			if iss != nil && iss.Source == "database" {
 				dbIssuerCount++
 			}
 		}
 		for _, tgt := range dbTargets {
 			if tgt != nil && tgt.Source == "database" {
 				dbTargetCount++
 			}
 		}
 		if dbIssuerCount > 0 || dbTargetCount > 0 {
 			logger.Error(
 				"startup refused: CERTCTL_CONFIG_ENCRYPTION_KEY is not set but database-sourced configs exist "+
 					"(would expose sensitive fields as plaintext, CWE-311). "+
 					"Set the encryption key or remove the affected rows before restarting.",
 				"database_sourced_issuers", dbIssuerCount,
 				"database_sourced_targets", dbTargetCount,
 			)
 			os.Exit(1)
 		}
 		logger.Warn("CERTCTL_CONFIG_ENCRYPTION_KEY not set — env-seeded issuers will be stored in plaintext; GUI-created issuers and targets will be rejected until a key is configured")
 	}
 	issuerRegistry := service.NewIssuerRegistry(logger)
@@ -208,9 +253,15 @@ func main() {
 			Name:   "Network Scanner (Server-Side)",
 			Status: domain.AgentStatusOnline,
 		}
-		if err := agentRepo.Create(context.Background(), sentinelAgent); err != nil {
+		// M-6: use CreateIfNotExists so duplicate rows on restart/upgrade are
-			// Ignore duplicate key errors (agent already exists)
+		// idempotent without swallowing unrelated DB failures (CWE-662).
-			logger.Debug("sentinel agent creation", "status", "exists or created", "id", service.SentinelAgentID)
+		created, err := agentRepo.CreateIfNotExists(context.Background(), sentinelAgent)
 		if err != nil {
 			logger.Error("sentinel agent creation failed", "id", service.SentinelAgentID, "error", err)
 		} else if created {
 			logger.Info("sentinel agent created", "id", service.SentinelAgentID)
 		} else {
 			logger.Debug("sentinel agent already exists", "id", service.SentinelAgentID)
 		}
 	}
@@ -229,8 +280,14 @@ func main() {
 				Name:   "AWS Secrets Manager Discovery",
 				Status: domain.AgentStatusOnline,
 			}
-			if err := agentRepo.Create(context.Background(), sentinelAWS); err != nil {
+			// M-6: idempotent create (CWE-662).
-				logger.Debug("sentinel agent creation", "status", "exists or created", "id", service.SentinelAWSSecretsMgr)
+			created, err := agentRepo.CreateIfNotExists(context.Background(), sentinelAWS)
 			if err != nil {
 				logger.Error("sentinel agent creation failed", "id", service.SentinelAWSSecretsMgr, "error", err)
 			} else if created {
 				logger.Info("sentinel agent created", "id", service.SentinelAWSSecretsMgr)
 			} else {
 				logger.Debug("sentinel agent already exists", "id", service.SentinelAWSSecretsMgr)
 			}
 		}
@@ -248,8 +305,14 @@ func main() {
 				Name:   "Azure Key Vault Discovery",
 				Status: domain.AgentStatusOnline,
 			}
-			if err := agentRepo.Create(context.Background(), sentinelAzure); err != nil {
+			// M-6: idempotent create (CWE-662).
-				logger.Debug("sentinel agent creation", "status", "exists or created", "id", service.SentinelAzureKeyVault)
+			created, err := agentRepo.CreateIfNotExists(context.Background(), sentinelAzure)
 			if err != nil {
 				logger.Error("sentinel agent creation failed", "id", service.SentinelAzureKeyVault, "error", err)
 			} else if created {
 				logger.Info("sentinel agent created", "id", service.SentinelAzureKeyVault)
 			} else {
 				logger.Debug("sentinel agent already exists", "id", service.SentinelAzureKeyVault)
 			}
 		}
@@ -262,8 +325,14 @@ func main() {
 				Name:   "GCP Secret Manager Discovery",
 				Status: domain.AgentStatusOnline,
 			}
-			if err := agentRepo.Create(context.Background(), sentinelGCP); err != nil {
+			// M-6: idempotent create (CWE-662).
-				logger.Debug("sentinel agent creation", "status", "exists or created", "id", service.SentinelGCPSecretMgr)
+			created, err := agentRepo.CreateIfNotExists(context.Background(), sentinelGCP)
 			if err != nil {
 				logger.Error("sentinel agent creation failed", "id", service.SentinelGCPSecretMgr, "error", err)
 			} else if created {
 				logger.Info("sentinel agent created", "id", service.SentinelGCPSecretMgr)
 			} else {
 				logger.Debug("sentinel agent already exists", "id", service.SentinelGCPSecretMgr)
 			}
 		}
@@ -274,6 +343,9 @@ func main() {
 	logger.Info("initialized all services")
 	// Initialize bulk revocation service
 	bulkRevocationService := service.NewBulkRevocationService(revocationSvc, certificateRepo, auditService, logger)
 	// Initialize stats and metrics services
 	statsService := service.NewStatsService(certificateRepo, jobRepo, agentRepo)
 	logger.Info("initialized stats service")
@@ -301,6 +373,8 @@ func main() {
 	exportService := service.NewExportService(certificateRepo, auditService)
 	exportHandler := handler.NewExportHandler(exportService)
 	bulkRevocationHandler := handler.NewBulkRevocationHandler(bulkRevocationService)
 	// Initialize digest service (requires email notifier)
 	var digestService *service.DigestService
 	var digestHandler *handler.DigestHandler
@@ -415,7 +489,8 @@ func main() {
 		Verification:  verificationHandler,
 		Export:        exportHandler,
 		Digest:        *digestHandler,
-		HealthChecks:  healthCheckHandler,
+		HealthChecks:     healthCheckHandler,
 		BulkRevocation:   bulkRevocationHandler,
 	})
 	// Register EST (RFC 7030) handlers if enabled
 	if cfg.EST.Enabled {
@@ -439,6 +514,24 @@ func main() {
 	// Register SCEP (RFC 8894) handlers if enabled
 	if cfg.SCEP.Enabled {
 		// H-2 fix: fail closed at startup when SCEP is enabled without a
 		// challenge password configured. Previously the service-layer guard
 		// at internal/service/scep.go:72-79 skipped the password check when
 		// s.challengePassword == "", meaning any client that could reach the
 		// /scep endpoint could enroll an arbitrary CSR against the configured
 		// issuer (CWE-306, missing authentication for a critical function).
 		// Refuse to start instead: the operator must set
 		// CERTCTL_SCEP_CHALLENGE_PASSWORD (or disable SCEP) before the control
 		// plane can boot.
 		if err := preflightSCEPChallengePassword(cfg.SCEP.Enabled, cfg.SCEP.ChallengePassword); err != nil {
 			logger.Error(
 				"startup refused: SCEP is enabled but CERTCTL_SCEP_CHALLENGE_PASSWORD is not set "+
 					"(would allow unauthenticated certificate enrollment, CWE-306). "+
 					"Set a non-empty challenge password or disable SCEP before restarting.",
 				"error", err,
 			)
 			os.Exit(1)
 		}
 		issuerConn, ok := issuerRegistry.Get(cfg.SCEP.IssuerID)
 		if !ok {
 			logger.Error("SCEP issuer not found in registry", "issuer_id", cfg.SCEP.IssuerID)
@@ -496,7 +589,7 @@ func main() {
 		bodyLimitMiddleware,
 		corsMiddleware,
 		authMiddleware,
-		auditMiddleware,
+		auditMiddleware.Middleware,
 	}
 	// Add rate limiter if enabled
@@ -513,7 +606,7 @@ func main() {
 			rateLimiter,
 			corsMiddleware,
 			authMiddleware,
-			auditMiddleware,
+			auditMiddleware.Middleware,
 		}
 		logger.Info("rate limiting enabled", "rps", cfg.RateLimit.RPS, "burst", cfg.RateLimit.BurstSize)
 	}
@@ -631,6 +724,17 @@ func main() {
 		logger.Error("HTTP server shutdown error", "error", err)
 	}
 	// Drain in-flight audit-recording goroutines before closing the DB pool.
 	// The audit middleware spawns one goroutine per non-excluded request; those
 	// goroutines run detached from the request context and write to the
 	// audit_events table via the same *sql.DB. Without this drain, SIGTERM
 	// would close the DB pool while recordings were mid-flight, silently
 	// dropping audit events (M-1, CWE-662 / CWE-400).
 	logger.Info("flushing audit middleware in-flight recordings")
 	if err := auditMiddleware.Flush(shutdownCtx); err != nil {
 		logger.Warn("audit middleware flush did not complete in time", "error", err)
 	}
 	// Close database connection
 	if err := db.Close(); err != nil {
 		logger.Error("error closing database connection", "error", err)
@@ -639,3 +743,23 @@ func main() {
 	logger.Info("certctl server stopped")
 }
 // preflightSCEPChallengePassword enforces the H-2 fix: if SCEP is enabled, a
 // non-empty challenge password MUST be configured. Returns a non-nil error
 // otherwise so the caller can refuse to start the control plane (CWE-306,
 // missing authentication for a critical function).
 //
 // This helper is extracted so the check can be unit tested without booting
 // the full server. The caller (main) is responsible for translating the
 // returned error into a structured log line and os.Exit(1).
 func preflightSCEPChallengePassword(enabled bool, challengePassword string) error {
 	if !enabled {
 		return nil
 	}
 	if challengePassword == "" {
 		return fmt.Errorf("SCEP enabled but CERTCTL_SCEP_CHALLENGE_PASSWORD is empty: " +
 			"SCEP enrollment would accept any client (CWE-306); " +
 			"configure a non-empty shared secret or set CERTCTL_SCEP_ENABLED=false")
 	}
 	return nil
 }
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"strings"
 	"testing"
 	"github.com/shankar0123/certctl/internal/api/middleware"
@@ -538,3 +539,68 @@ func TestMain_ContextPropagation(t *testing.T) {
 		t.Logf("Context value may not be propagated (status %d), this may be expected", w.Code)
 	}
 }
 // TestPreflightSCEPChallengePassword is the H-2 regression guard for the
 // startup pre-flight check. The helper MUST return a non-nil error whenever
 // SCEP is enabled with an empty challenge password — that configuration
 // previously allowed unauthenticated certificate enrollment (CWE-306).
 // Disabled-SCEP and configured-password cases must pass cleanly.
 func TestPreflightSCEPChallengePassword(t *testing.T) {
 	tests := []struct {
 		name              string
 		enabled           bool
 		challengePassword string
 		wantErr           bool
 		wantErrSubstring  string
 	}{
 		{
 			name:              "disabled_empty_password_ok",
 			enabled:           false,
 			challengePassword: "",
 			wantErr:           false,
 		},
 		{
 			name:              "disabled_with_password_ok",
 			enabled:           false,
 			challengePassword: "leftover-value",
 			wantErr:           false,
 		},
 		{
 			name:              "enabled_empty_password_rejected",
 			enabled:           true,
 			challengePassword: "",
 			wantErr:           true,
 			wantErrSubstring:  "CERTCTL_SCEP_CHALLENGE_PASSWORD",
 		},
 		{
 			name:              "enabled_with_password_ok",
 			enabled:           true,
 			challengePassword: "hunter2",
 			wantErr:           false,
 		},
 		{
 			name:              "enabled_single_char_password_ok",
 			enabled:           true,
 			challengePassword: "x",
 			wantErr:           false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := preflightSCEPChallengePassword(tt.enabled, tt.challengePassword)
 			if tt.wantErr {
 				if err == nil {
 					t.Fatalf("expected error, got nil")
 				}
 				if tt.wantErrSubstring != "" && !strings.Contains(err.Error(), tt.wantErrSubstring) {
 					t.Errorf("expected error to mention %q, got: %v", tt.wantErrSubstring, err)
 				}
 				if !strings.Contains(err.Error(), "CWE-306") {
 					t.Errorf("expected error to cite CWE-306 for traceability, got: %v", err)
 				}
 			} else if err != nil {
 				t.Errorf("expected no error, got: %v", err)
 			}
 		})
 	}
 }
@@ -9,6 +9,16 @@ services:
    build:
      context: ..
      dockerfile: Dockerfile
      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
      # vars into the Docker build so the Node frontend stage and Go module
      # download can reach the public registries behind corporate proxies.
      # Defaults to empty; omit the variables from the host environment for
      # un-proxied builds and the behaviour is byte-identical to the pre-fix
      # tree.
      args:
        HTTP_PROXY: ${HTTP_PROXY:-}
        HTTPS_PROXY: ${HTTPS_PROXY:-}
        NO_PROXY: ${NO_PROXY:-}
    environment:
      # Verbose logging for development
      CERTCTL_LOG_LEVEL: debug
@@ -29,6 +39,15 @@ services:
    build:
      context: ..
      dockerfile: Dockerfile.agent
      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
      # vars into the Docker build so the Go module download stage can reach
      # the public Go module proxy behind corporate proxies. Defaults to
      # empty; omit the variables from the host environment for un-proxied
      # builds and the behaviour is byte-identical to the pre-fix tree.
      args:
        HTTP_PROXY: ${HTTP_PROXY:-}
        HTTPS_PROXY: ${HTTPS_PROXY:-}
        NO_PROXY: ${NO_PROXY:-}
    environment:
      CERTCTL_LOG_LEVEL: debug
@@ -150,6 +150,16 @@ services:
    build:
      context: ..
      dockerfile: Dockerfile
      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
      # vars into the Docker build so the Node frontend stage and Go module
      # download can reach the public registries behind corporate proxies.
      # Defaults to empty; omit the variables from the host environment for
      # un-proxied builds and the behaviour is byte-identical to the pre-fix
      # tree.
      args:
        HTTP_PROXY: ${HTTP_PROXY:-}
        HTTPS_PROXY: ${HTTPS_PROXY:-}
        NO_PROXY: ${NO_PROXY:-}
    container_name: certctl-test-server
    depends_on:
      postgres:
@@ -266,6 +276,15 @@ services:
    build:
      context: ..
      dockerfile: Dockerfile.agent
      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
      # vars into the Docker build so the Go module download stage can reach
      # the public Go module proxy behind corporate proxies. Defaults to
      # empty; omit the variables from the host environment for un-proxied
      # builds and the behaviour is byte-identical to the pre-fix tree.
      args:
        HTTP_PROXY: ${HTTP_PROXY:-}
        HTTPS_PROXY: ${HTTPS_PROXY:-}
        NO_PROXY: ${NO_PROXY:-}
    container_name: certctl-test-agent
    depends_on:
      certctl-server:
@@ -36,6 +36,16 @@ services:
    build:
      context: ..
      dockerfile: Dockerfile
      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
      # vars into the Docker build so the Node frontend stage and Go module
      # download can reach the public registries behind corporate proxies.
      # Defaults to empty; omit the variables from the host environment for
      # un-proxied builds and the behaviour is byte-identical to the pre-fix
      # tree.
      args:
        HTTP_PROXY: ${HTTP_PROXY:-}
        HTTPS_PROXY: ${HTTPS_PROXY:-}
        NO_PROXY: ${NO_PROXY:-}
    container_name: certctl-server
    depends_on:
      postgres:
@@ -75,6 +85,15 @@ services:
    build:
      context: ..
      dockerfile: Dockerfile.agent
      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
      # vars into the Docker build so the Go module download stage can reach
      # the public Go module proxy behind corporate proxies. Defaults to
      # empty; omit the variables from the host environment for un-proxied
      # builds and the behaviour is byte-identical to the pre-fix tree.
      args:
        HTTP_PROXY: ${HTTP_PROXY:-}
        HTTPS_PROXY: ${HTTPS_PROXY:-}
        NO_PROXY: ${NO_PROXY:-}
    container_name: certctl-agent
    depends_on:
      certctl-server:
@@ -458,4 +458,4 @@ For issues, questions, or contributions:
 ## License
 BSL-1.1 (Business Source License)
-Converts to Apache 2.0 on March 28, 2033
+Converts to Apache 2.0 on March 14, 2033
@@ -467,6 +467,10 @@ The revocation is recorded in the `certificate_revocations` table (separate from
 Short-lived certificates (those with profile TTL < 1 hour) return "good" from OCSP and are excluded from CRL — their rapid expiry is treated as sufficient revocation.
 #### Bulk Revocation
 For compliance events requiring fleet-wide revocation (key compromise, CA distrust, mass decommission), certctl supports bulk revocation by filter criteria. The `POST /api/v1/certificates/bulk-revoke` endpoint accepts filter parameters (profile_id, owner_id, agent_id, issuer_id) and creates individual revocation jobs for each matching certificate. Bulk revocation reuses the same 7-step single-cert flow for each certificate — no new issuer notification or audit mechanics. The operation is idempotent: revoking an already-revoked certificate is a no-op. Partial failures are tolerated — if one certificate fails to revoke (e.g., issuer unavailable), the operation continues for remaining certs and returns a summary. A single `bulk_revocation_initiated` audit event logs the operation with filter criteria, operator actor, and summary (total requested, succeeded, failed counts). Audit events for individual certificate revocations record the operator identity separately. The GUI bulk revoke button on the certificates list filters by visible selections and displays an affected-cert count modal before confirmation.
 ### 4. Automatic Renewal
 The control plane runs a scheduler with seven background loops:
@@ -804,6 +808,34 @@ All shell-facing inputs (connector scripts, domain names, ACME tokens) are valid
 All incoming HTTP request bodies are capped by `http.MaxBytesReader` middleware (default 1MB, configurable via `CERTCTL_MAX_BODY_SIZE`). Requests exceeding the limit receive a 413 Request Entity Too Large response. The middleware is positioned before authentication in the chain so oversized payloads are rejected early, before any auth processing or database work occurs. Requests without bodies (GET, HEAD, nil body) skip the limit check.
 ### Config Encryption at Rest
 Dynamic issuer and target configurations (rows with `source='database'`) contain credentials — ACME EAB HMACs, Vault tokens, DigiCert/Sectigo API keys, SSH private keys, WinRM passwords, F5 BIG-IP passwords, and similar. These are sealed at rest in PostgreSQL via `internal/crypto/encryption.go` using AES-256-GCM with a key derived from the operator passphrase `CERTCTL_CONFIG_ENCRYPTION_KEY` through PBKDF2-SHA256 (100,000 rounds, 32-byte output).
 **v2 wire format (current, M-8 remediation, CWE-916 / CWE-329):**
 ```
 magic(0x02) || salt(16) || nonce(12) || ciphertext+tag
 ```
 Every call to `EncryptIfKeySet` draws 16 fresh bytes from `crypto/rand` as the PBKDF2 salt, so the derived AES-256 key is distinct per ciphertext and per re-encryption. The salt is stored alongside the ciphertext; decryption reads the magic byte, splits out the salt, re-derives the key, and verifies the AEAD tag.
 **v1 legacy format (read-only):**
 ```
 nonce(12) || ciphertext+tag
 ```
 Pre-M-8 blobs were sealed with a package-level fixed salt `"certctl-config-encryption-v1"`. `DecryptIfKeySet` preserves the v1 read path unchanged — a blob whose first byte is not `0x02`, or whose v2 AEAD verification fails (including the 1/256 case where a v1 nonce happens to begin with `0x02`), falls through to a v1 attempt against the legacy fixed salt. v1 blobs are never written by the post-M-8 code path; they re-seal as v2 naturally on the next UPDATE through the normal service CRUD flow. No operator migration ceremony is required.
 **Fail-closed behavior (C-2 sentinel, CWE-311):** both `EncryptIfKeySet` and `DecryptIfKeySet` return `ErrEncryptionKeyRequired` when invoked with an empty passphrase. The server refuses to start if any `source='database'` rows already exist without `CERTCTL_CONFIG_ENCRYPTION_KEY` set.
 **Low-level primitives preserved byte-identical.** `Encrypt`, `Decrypt`, and `DeriveKey` are kept bit-stable so v1 fixtures on disk remain decryptable unchanged and so callers outside the config-encryption path (none today, but the symbols are exported) do not see a breaking change. The new per-ciphertext salt path is reached via the helper `deriveKeyWithSalt(passphrase, salt)`.
 **Passphrase plumbing.** Services (`IssuerService`, `TargetService`, `IssuerRegistry`) hold the operator passphrase as a raw `string` and delegate PBKDF2 to the crypto package per ciphertext. This replaces the pre-M-8 design that pre-derived a single `[]byte` key at service construction and reused it for every row, which was the direct consequence of the fixed-salt KDF.
 **Coverage gate.** CI enforces `internal/crypto/...` coverage ≥ 85% (observed 86.7%) — the encryption primitives are a security-critical gate, and the v2 format plus v1 fallback plus C-2 sentinel paths all need exhaustive coverage to avoid silent regressions.
 ### CORS
 CORS uses a **deny-by-default** posture: when `CERTCTL_CORS_ORIGINS` is empty, no CORS headers are set and only same-origin requests can read responses. Operators must explicitly configure allowed origins. This prevents accidental exposure of the API to cross-origin requests in production.
@@ -846,6 +878,8 @@ The full API is documented in an OpenAPI 3.1 specification at `api/openapi.yaml`
 Jobs support additional action endpoints: `POST /api/v1/jobs/{id}/cancel`, `POST /api/v1/jobs/{id}/approve`, `POST /api/v1/jobs/{id}/reject`.
 **Bulk Operations:** `POST /api/v1/certificates/bulk-revoke` — Bulk revocation by filter criteria (profile_id, owner_id, agent_id, issuer_id). Creates individual revocation jobs for matching certificates, with partial-failure tolerance and a summary audit event.
 **Enhanced Query Features (M20):** Certificate list endpoints support additional query capabilities beyond basic pagination:
 - **Sorting**: `?sort=notAfter` (ascending) or `?sort=-createdAt` (descending). Whitelist: notAfter, expiresAt, createdAt, updatedAt, commonName, name, status, environment.
@@ -1063,9 +1097,9 @@ Beyond one-time discovery, certctl continuously monitors TLS endpoints for certi
 certctl is extensively tested across eight layers with CI-enforced coverage gates that act as regression floors. The goal is high-confidence regression prevention at the service and handler layers (where the most complex business logic lives), combined with integration tests that exercise the full request path from HTTP to database.
-**Service layer unit tests** (`internal/service/*_test.go`) — Mock-based tests across all service files covering certificate CRUD, revocation (all RFC 5280 reason codes, OCSP/CRL generation), agent lifecycle, job state machine, policy evaluation, renewal/issuance flow (both keygen modes), notification deduplication, team/owner/agent group CRUD, issuer service CRUD with connection testing, and the issuer connector adapter. Mock repositories are simple structs with function fields — no heavy mocking frameworks.
+**Service layer unit tests** (`internal/service/*_test.go`) — Mock-based tests across all service files covering certificate CRUD, revocation (all RFC 5280 reason codes, OCSP/CRL generation, bulk revocation by filter with partial-failure tolerance), agent lifecycle, job state machine, policy evaluation, renewal/issuance flow (both keygen modes), notification deduplication, team/owner/agent group CRUD, issuer service CRUD with connection testing, and the issuer connector adapter. Mock repositories are simple structs with function fields — no heavy mocking frameworks.
-**Handler layer tests** (`internal/api/handler/*_test.go`) — Every handler file has a corresponding test file using Go's `httptest` package: certificates (including revocation, DER CRL, OCSP), agents, jobs (including approve/reject), notifications, policies, profiles, issuers, targets, agent groups, teams, owners, discovery, network scan, verification, export, EST, digest, stats, and metrics. Tests cover the happy path, input validation, error propagation, method-not-allowed, and pagination.
+**Handler layer tests** (`internal/api/handler/*_test.go`) — Every handler file has a corresponding test file using Go's `httptest` package: certificates (including revocation, bulk revocation by profile/owner/agent/issuer, DER CRL, OCSP), agents, jobs (including approve/reject), notifications, policies, profiles, issuers, targets, agent groups, teams, owners, discovery, network scan, verification, export, EST, digest, stats, and metrics. Tests cover the happy path, input validation, error propagation, method-not-allowed, pagination, and bulk operation partial-failure scenarios.
 **Integration tests** (`internal/integration/`) — Three test files exercising the full stack from HTTP request through router, handler, service, and repository layers. `lifecycle_test.go` covers the complete certificate lifecycle (team/owner creation through deployment and status reporting). `negative_test.go` covers error paths, endpoint validation, and revocation scenarios. `e2e_test.go` exercises cross-milestone features end-to-end (agent metadata, profiles, issuer registry, GUI operations, stats, revocation, notifications, enhanced query API).
@@ -272,13 +272,16 @@ NIST SP 800-57 Part 3 covers revocation (Section 2.5) when keys are suspected co
 - OCSP responder queries revocation table in real-time
 - Short-lived certificate exemption: certs with TTL < 1 hour skip CRL/OCSP (expiry is sufficient revocation)
 **Bulk Revocation for Large-Scale Compromise Response** (V2.2) — NIST SP 800-57 Part 3 emphasizes rapid revocation when keys are compromised. `POST /api/v1/certificates/bulk-revoke` revokes all certificates matching filter criteria (profile, owner, agent, issuer) in a single operation. This enables operators to execute fleet-wide revocation for key compromise events affecting multiple certificates. Each bulk revocation creates individual jobs reusing the existing revocation pipeline, ensuring every certificate is recorded in the audit trail with the incident reason.
 **Revocation Audit Trail**
 All revocation events logged:
- Event type: `certificate_revoked`
+- Event type: `certificate_revoked` or `bulk_revocation_initiated` (for fleet operations)
 - Actor: authenticated user or service
- Reason code: RFC 5280 enum
+- Reason code: RFC 5280 enum (or incident justification for bulk operations)
 - Timestamp: RFC3339
 - Issuer notification status: success or error reason
 - Filter criteria: profile_id, owner_id, agent_id, issuer_id (for bulk revocation)
 ## Alignment Summary Table
@@ -301,9 +304,11 @@ All revocation events logged:
 - [x] RFC 5280 revocation support
 - [x] Immutable audit trail
 ### V2.2 (Planned: 2026)
 - Bulk revocation by profile/owner/agent/issuer (fleet-level revocation for incident response)
 ### V3 (Planned: 2026)
 - Role-based access control (limit revocation/approval to authorized operators)
 - Bulk revocation by profile/owner/agent (fleet-level revocation policy)
 ### V3 Pro (Planned)
 - HSM support for CA key storage and agent key storage (TPM 2.0, PKCS#11)
@@ -93,8 +93,10 @@ Your QSA will request evidence that your certificate and key management systems
 - **Certificate Status Tracking** — Four statuses: Active (deployed, not yet expired), Expiring (within threshold, awaiting renewal), Expired (past not-after date), Revoked (revoked via RFC 5280 revocation API). Dashboard charts show status distribution.
 - **Revocation Infrastructure** (M15a, M15b):
  - Revocation API: `POST /api/v1/certificates/{id}/revoke` with RFC 5280 reason codes
  - CRL endpoint: `GET /api/v1/crl` (JSON format) or `GET /api/v1/crl/{issuer_id}` (DER X.509 CRL, 24h validity, signed by issuing CA)
  - OCSP responder: `GET /api/v1/ocsp/{issuer_id}/{serial}` (returns DER-encoded OCSP response: good/revoked/unknown)
  - Bulk revocation (V2.2): `POST /api/v1/certificates/bulk-revoke` with filter criteria (profile, owner, agent, issuer) for fleet-wide incident response
  - Short-lived cert exemption: certs with TTL < 1 hour skip CRL/OCSP (expiry is sufficient revocation)
 - **Stats API** (M14) — Real-time visibility:
@@ -331,6 +333,8 @@ This requirement covers key generation, storage, rotation, and destruction. Cert
  - OCSP: `GET /api/v1/ocsp/{issuer_id}/{serial}` (returns revoked status for clients validating certificate chain)
  - Clients checking certificate status via OCSP or CRL see revoked status within 24 hours.
 - **Bulk Revocation for Incident Response** (V2.2) — `POST /api/v1/certificates/bulk-revoke` with filter criteria (profile, owner, agent, issuer) revokes all matching certificates in a single operation. PCI-DSS Req 4 requires rapid response to data transmission security incidents — bulk revocation enables operators to revoke an entire certificate set (e.g., all certs used by a compromised team or endpoint) in minutes rather than hours.
 - **Private Key Destruction on Agent** — When certificate renewed or revoked:
  - Agent removes old private key file from `CERTCTL_KEY_DIR` when new certificate deployed.
  - Job status tracking confirms old key is no longer needed.
@@ -288,6 +288,7 @@ Each section includes:
  - Certificate owner (email)
  - Configured webhooks (if you have a SIEM that subscribes)
  - Slack/Teams channels (if notifiers are configured)
 - **Bulk Revocation for Fleet-Wide Incidents** (V2.2) — `POST /api/v1/certificates/bulk-revoke` with filter criteria (profile, owner, agent, issuer) revokes all matching certificates in a single operation. Essential for incident response: key compromise affecting multiple certs, CA distrust events, decommissioning a team's infrastructure. Each bulk revocation creates individual jobs reusing the existing revocation pipeline, ensuring audit trail and notifications for every certificate.
 - **Short-Lived Cert Exemption** — Certificates with TTL < 1 hour (configured in profile) skip CRL/OCSP publication. Expiry is the revocation mechanism for short-lived certs (e.g., Kubernetes pod certs, session tokens).
 - **Deployment Rollback** — If a revoked cert is still deployed (shouldn't happen, but race conditions exist), operators can manually redeploy a previous version via the GUI. Rollback is audited.
@@ -302,7 +303,6 @@ Each section includes:
 **V3 Enhancement**:
 - **Bulk Revocation** — Revoke all certs issued by a specific profile, owner, or agent in a single API call (useful for large-scale incidents like CA compromise)
 - **Revocation Automation** — Trigger revocation based on external events (e.g., employee termination, security breach alert from CT Log monitoring)
 **Operator Responsibility**:
@@ -214,6 +214,8 @@ certctl implements revocation using three complementary mechanisms:
 **Revocation API**: `POST /api/v1/certificates/{id}/revoke` marks a certificate as revoked in the inventory, records the revocation in a dedicated `certificate_revocations` table, notifies the issuing CA (best-effort — the revocation succeeds even if the CA is unreachable), creates an audit trail entry, and sends notifications. You can specify an RFC 5280 reason code (keyCompromise, superseded, cessationOfOperation, etc.) or let it default to "unspecified."
 **Bulk Revocation** (Fleet-Level Incident Response): For large-scale incidents like CA compromise or team infrastructure decommissioning, `POST /api/v1/certificates/bulk-revoke` revokes all certificates matching filter criteria in a single operation. Filter by profile, owner, team, agent group, or issuer to target the affected certificate set. This is essential for incident response — instead of revoking certificates one-by-one, operators can revoke an entire fleet in minutes. Bulk revocation creates individual revocation jobs that reuse the existing revocation pipeline, ensuring every certificate is audited and notifications are sent.
 **Certificate Revocation List (CRL)**: certctl serves both a JSON-formatted CRL at `GET /api/v1/crl` and DER-encoded X.509 CRLs per issuer at `GET /api/v1/crl/{issuer_id}`. The DER CRL is signed by the issuing CA's key and has 24-hour validity — clients can download it periodically to check revocation status offline.
 **OCSP Responder**: For real-time revocation checking, certctl includes an embedded OCSP responder at `GET /api/v1/ocsp/{issuer_id}/{serial}`. It returns signed OCSP responses (good, revoked, or unknown) so clients can verify certificate status without downloading the full CRL.
@@ -465,9 +465,12 @@ GlobalSign Atlas High Volume CA REST API with dual authentication: mTLS for the
 | `CERTCTL_GLOBALSIGN_API_SECRET` | Yes | — | API secret for request authentication |
 | `CERTCTL_GLOBALSIGN_CLIENT_CERT_PATH` | Yes | — | Path to mTLS client certificate PEM |
 | `CERTCTL_GLOBALSIGN_CLIENT_KEY_PATH` | Yes | — | Path to mTLS client private key PEM |
 | `CERTCTL_GLOBALSIGN_SERVER_CA_PATH` | No | system trust store | PEM bundle used to verify the Atlas API server certificate. Set this for private/lab Atlas deployments whose server TLS chain is not in the host's default trust bundle. |
 **Authentication:** Dual — mTLS client certificate for TLS handshake plus `X-API-Key` and `X-API-Secret` headers on every request.
 **TLS verification:** The connector always verifies the server certificate. When `server_ca_path` is set, the PEM bundle at that path is used as the trust anchor; otherwise the host's system trust store is used. TLS 1.2 is the minimum protocol version.
 **Issuance model:** `POST /v2/certificates` returns a serial number. Certificate PEM is available after validation completes. Typically resolves within seconds for DV. `GetOrderStatus` polls the certificate endpoint.
 **Note:** CRL and OCSP are managed by GlobalSign. certctl records revocations locally and notifies GlobalSign via `PUT /v2/certificates/{serial}/revoke`.
@@ -182,6 +182,52 @@ Configurable per-policy thresholds stored as `alert_thresholds_days` JSONB (defa
 Revocation is a 7-step process: validate eligibility → get serial → update status → record in `certificate_revocations` table → notify issuer (best-effort) → audit → send notification.
 ### Bulk Revocation
 `POST /api/v1/certificates/bulk-revoke` revokes multiple certificates matching filter criteria in a single operation.
 **Filter criteria** (at least one required):
 - `profile_id` — revoke all certs issued with this profile
 - `owner_id` — revoke all certs owned by this owner
 - `agent_id` — revoke all certs deployed to this agent
 - `issuer_id` — revoke all certs from this issuer
 - `team_id` — revoke all certs owned by members of this team
 - `certificate_ids` — array of specific cert IDs to revoke
 **Request body** example:
 ```json
 {
  "reason": "keyCompromise",
  "profile_id": "prof-staging",
  "team_id": "team-platform"
 }
 ```
 **Response:**
 ```json
 {
  "job_id": "job-bulk-rev-123",
  "criteria": {
    "reason": "keyCompromise",
    "profile_id": "prof-staging",
    "team_id": "team-platform"
  },
  "affected_count": 47,
  "status": "Pending"
 }
 ```
 **Behavior:**
 - Individual revocation jobs created for each matching cert (reuses existing revocation flow)
 - Progress tracked via job system (job status: Pending → Running → Completed)
 - Partial failures tolerated — if 47 certs match but 3 fail, the other 44 still revoke
 - Audit trail: single `bulk_revocation_initiated` event logs the criteria and actor
 - Optional `--reason` defaults to `unspecified` if omitted
 ### CRL Endpoints
 - `GET /api/v1/crl` — JSON-formatted CRL (version, entries array, total count, timestamp)
@@ -1110,7 +1156,7 @@ Same pattern as issuer configuration:
 | Page | Route | Description |
 |---|---|---|
 | Dashboard | `/` | Summary stats, 4 charts (status donut, expiration heatmap, renewal trends, issuance rate) |
-| Certificates | `/certificates` | List with bulk ops (renew, revoke, reassign owner), multi-select |
+| Certificates | `/certificates` | List with bulk ops (renew, revoke by filter criteria, reassign owner), multi-select. Bulk revoke via server-side filter API, not client-side sequential calls. |
 | Certificate Detail | `/certificates/:id` | Versions, deployment timeline, inline policy editor, export buttons |
 | Agents | `/agents` | List with OS/arch metadata |
 | Agent Detail | `/agents/:id` | System info, heartbeat status, capabilities, recent jobs |
@@ -1163,6 +1209,7 @@ Latching state prevents refetch-driven dismissal. `localStorage` dismissal key:
 | `certs get ID` | Certificate details |
 | `certs renew ID` | Trigger renewal |
 | `certs revoke ID` | Revoke (with `--reason`) |
 | `certs bulk-revoke` | Bulk revoke by filter criteria (see below) |
 | `agents list` | List agents |
 | `agents get ID` | Agent details |
 | `jobs list` | List jobs |
@@ -1180,6 +1227,39 @@ Latching state prevents refetch-driven dismissal. `localStorage` dismissal key:
 | `--api-key` | `CERTCTL_API_KEY` | (none) | API key |
 | `--format` | (none) | `table` | Output: `table` or `json` |
 ### Bulk Revocation Command
 `certs bulk-revoke` revokes multiple certificates matching filter criteria.
 **Usage:** `certs bulk-revoke [CERT_IDs...] [flags]`
 **Flags:**
 | Flag | Description |
 |---|---|
 | `--reason` | RFC 5280 revocation reason (`keyCompromise`, `caCompromise`, `affiliationChanged`, `superseded`, `cessationOfOperation`, `certificateHold`, `privilegeWithdrawn`, `unspecified` — default). |
 | `--profile-id` | Revoke all certs with this profile ID |
 | `--owner-id` | Revoke all certs owned by this owner |
 | `--agent-id` | Revoke all certs deployed to this agent |
 | `--issuer-id` | Revoke all certs issued by this issuer |
 | `--team-id` | Revoke all certs owned by members of this team |
 **Examples:**
 ```bash
 # Revoke certs with specific IDs (positional args)
 certctl-cli certs bulk-revoke mc-api-prod mc-web-prod --reason keyCompromise
 # Revoke by profile
 certctl-cli certs bulk-revoke --profile-id prof-staging --reason cessationOfOperation
 # Revoke by team
 certctl-cli certs bulk-revoke --team-id team-platform --reason superseded
 # Revoke by issuer (all certs from one CA)
 certctl-cli certs bulk-revoke --issuer-id iss-letsencrypt --reason caCompromise
 ```
 ---
 ## MCP Server
@@ -114,6 +114,6 @@ See the [Quickstart Guide](quickstart.md) for a full walkthrough, or explore the
 ## License
-certctl is source-available under the [Business Source License 1.1](../LICENSE). Free for any use except offering a competing managed service. Converts to Apache 2.0 on March 1, 2033.
+certctl is source-available under the [Business Source License 1.1](../LICENSE). Free for any use except offering a competing managed service. Converts to Apache 2.0 on March 14, 2033.
 You own your data, your keys, and your deployment.
@@ -27,6 +27,7 @@ package handler
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -120,7 +121,7 @@ func TestGetCertificate_PathInjection(t *testing.T) {
 			handler, mock := newCertHandlerWithMock()
 			// Force a 404 so we can distinguish "service was called" from
 			// "parser accepted the ID"; a 200 with null body is also fine.
-			mock.GetCertificateFn = func(id string) (*domain.ManagedCertificate, error) {
+			mock.GetCertificateFn = func(_ context.Context, id string) (*domain.ManagedCertificate, error) {
 				return nil, ErrMockNotFound
 			}
@@ -156,7 +157,7 @@ func TestUpdateCertificate_PathInjection(t *testing.T) {
 			}()
 			handler, mock := newCertHandlerWithMock()
-			mock.UpdateCertificateFn = func(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+			mock.UpdateCertificateFn = func(_ context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 				return nil, ErrMockNotFound
 			}
@@ -184,7 +185,7 @@ func TestArchiveCertificate_PathInjection(t *testing.T) {
 			}()
 			handler, mock := newCertHandlerWithMock()
-			mock.ArchiveCertificateFn = func(id string) error { return ErrMockNotFound }
+			mock.ArchiveCertificateFn = func(_ context.Context, id string) error { return ErrMockNotFound }
 			req := httptest.NewRequest(http.MethodDelete, "/api/v1/certificates/x", nil)
 			req.URL.Path = "/api/v1/certificates/" + tc.input
@@ -227,7 +228,7 @@ func TestGetCertificateVersions_MultiSegment(t *testing.T) {
 			}()
 			handler, mock := newCertHandlerWithMock()
-			mock.GetCertificateVersionsFn = func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+			mock.GetCertificateVersionsFn = func(_ context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 				return []domain.CertificateVersion{}, 0, nil
 			}
@@ -277,7 +278,7 @@ func TestHandleOCSP_MultiSegment(t *testing.T) {
 			}()
 			handler, mock := newCertHandlerWithMock()
-			mock.GetOCSPResponseFn = func(issuerID, serialHex string) ([]byte, error) {
+			mock.GetOCSPResponseFn = func(_ context.Context, issuerID, serialHex string) ([]byte, error) {
 				return nil, ErrMockNotFound
 			}
@@ -311,7 +312,7 @@ func TestGetDERCRL_IssuerPathInjection(t *testing.T) {
 			}()
 			handler, mock := newCertHandlerWithMock()
-			mock.GenerateDERCRLFn = func(issuerID string) ([]byte, error) {
+			mock.GenerateDERCRLFn = func(_ context.Context, issuerID string) ([]byte, error) {
 				return nil, ErrMockNotFound
 			}
@@ -19,6 +19,7 @@ package handler
 import (
 	"bytes"
 	"context"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@@ -76,7 +77,7 @@ func TestListCertificates_PaginationAbuse(t *testing.T) {
 			}()
 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				// Sanity: page/perPage on the filter must never be negative
 				// and perPage must never exceed 500 after parsing.
 				if filter.Page < 1 {
@@ -133,7 +134,7 @@ func TestListCertificates_SortAbuse(t *testing.T) {
 			}()
 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				return []domain.ManagedCertificate{}, 0, nil
 			}
@@ -175,7 +176,7 @@ func TestListCertificates_FieldsAbuse(t *testing.T) {
 			}()
 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				return []domain.ManagedCertificate{}, 0, nil
 			}
@@ -219,7 +220,7 @@ func TestListCertificates_TimeRangeAbuse(t *testing.T) {
 			}()
 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				return []domain.ManagedCertificate{}, 0, nil
 			}
@@ -263,7 +264,7 @@ func TestListCertificates_CursorAbuse(t *testing.T) {
 			}()
 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				return []domain.ManagedCertificate{}, 0, nil
 			}
@@ -314,7 +315,7 @@ func TestListCertificates_FilterInjection(t *testing.T) {
 				}()
 				handler, mock := newCertHandlerWithMock()
-				mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+				mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 					return []domain.ManagedCertificate{}, 0, nil
 				}
@@ -374,7 +375,7 @@ func TestCreateCertificate_BodyAbuse(t *testing.T) {
 			}()
 			handler, mock := newCertHandlerWithMock()
-			mock.CreateCertificateFn = func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+			mock.CreateCertificateFn = func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 				// If we ever reach this, the handler accepted a malformed
 				// body. Return a sentinel that passes but flag it.
 				c := cert
@@ -419,7 +420,7 @@ func TestCreateCertificate_HugeBody(t *testing.T) {
 	sb.WriteString(`]}`)
 	handler, mock := newCertHandlerWithMock()
-	mock.CreateCertificateFn = func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+	mock.CreateCertificateFn = func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 		c := cert
 		c.ID = "mc-huge"
 		return &c, nil
@@ -476,7 +477,7 @@ func TestRevokeCertificate_ReasonAbuse(t *testing.T) {
 			handler, mock := newCertHandlerWithMock()
 			// The mock always returns "invalid revocation reason" so we
 			// verify the handler's errMsg→status mapping turns it into a 400.
-			mock.RevokeCertificateFn = func(id string, reason string) error {
+			mock.RevokeCertificateFn = func(_ context.Context, id string, reason string, _ string) error {
 				// The service uses domain.IsValidRevocationReason. If we got
 				// through to here with something bogus, simulate a real
 				// service error.
@@ -500,7 +501,7 @@ func TestRevokeCertificate_ReasonAbuse(t *testing.T) {
 // service error message, which is fragile — this test catches regressions.
 func TestRevokeCertificate_AlreadyRevoked(t *testing.T) {
 	handler, mock := newCertHandlerWithMock()
-	mock.RevokeCertificateFn = func(id string, reason string) error {
+	mock.RevokeCertificateFn = func(_ context.Context, id string, reason string, _ string) error {
 		return fmt.Errorf("cannot revoke: certificate is already revoked")
 	}
@@ -520,7 +521,7 @@ func TestRevokeCertificate_AlreadyRevoked(t *testing.T) {
 // TestRevokeCertificate_NotFound verifies 404 mapping.
 func TestRevokeCertificate_NotFound(t *testing.T) {
 	handler, mock := newCertHandlerWithMock()
-	mock.RevokeCertificateFn = func(id string, reason string) error {
+	mock.RevokeCertificateFn = func(_ context.Context, id string, reason string, _ string) error {
 		return fmt.Errorf("certificate not found")
 	}
@@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"net/http"
 	"strconv"
 	"strings"
@@ -11,8 +12,8 @@ import (
 // AuditService defines the service interface for audit event operations.
 type AuditService interface {
-	ListAuditEvents(page, perPage int) ([]domain.AuditEvent, int64, error)
+	ListAuditEvents(ctx context.Context, page, perPage int) ([]domain.AuditEvent, int64, error)
-	GetAuditEvent(id string) (*domain.AuditEvent, error)
+	GetAuditEvent(ctx context.Context, id string) (*domain.AuditEvent, error)
 }
 // AuditHandler handles HTTP requests for audit event operations.
@@ -49,7 +50,7 @@ func (h AuditHandler) ListAuditEvents(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	events, total, err := h.svc.ListAuditEvents(page, perPage)
+	events, total, err := h.svc.ListAuditEvents(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list audit events", requestID)
 		return
@@ -83,7 +84,7 @@ func (h AuditHandler) GetAuditEvent(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
-	event, err := h.svc.GetAuditEvent(id)
+	event, err := h.svc.GetAuditEvent(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Audit event not found", requestID)
 		return
@@ -19,14 +19,14 @@ type mockAuditService struct {
 	getFunc   func(id string) (*domain.AuditEvent, error)
 }
-func (m *mockAuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent, int64, error) {
+func (m *mockAuditService) ListAuditEvents(_ context.Context, page, perPage int) ([]domain.AuditEvent, int64, error) {
 	if m.listFunc != nil {
 		return m.listFunc(page, perPage)
 	}
 	return nil, 0, nil
 }
-func (m *mockAuditService) GetAuditEvent(id string) (*domain.AuditEvent, error) {
+func (m *mockAuditService) GetAuditEvent(_ context.Context, id string) (*domain.AuditEvent, error) {
 	if m.getFunc != nil {
 		return m.getFunc(id)
 	}
@@ -0,0 +1,94 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/domain"
 )
 // BulkRevocationService defines the service interface for bulk certificate revocation.
 type BulkRevocationService interface {
 	BulkRevoke(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error)
 }
 // BulkRevocationHandler handles HTTP requests for bulk revocation operations.
 type BulkRevocationHandler struct {
 	svc BulkRevocationService
 }
 // NewBulkRevocationHandler creates a new BulkRevocationHandler.
 func NewBulkRevocationHandler(svc BulkRevocationService) BulkRevocationHandler {
 	return BulkRevocationHandler{svc: svc}
 }
 // bulkRevokeRequest represents the JSON request body for bulk revocation.
 type bulkRevokeRequest struct {
 	Reason         string   `json:"reason"`
 	ProfileID      string   `json:"profile_id,omitempty"`
 	OwnerID        string   `json:"owner_id,omitempty"`
 	AgentID        string   `json:"agent_id,omitempty"`
 	IssuerID       string   `json:"issuer_id,omitempty"`
 	TeamID         string   `json:"team_id,omitempty"`
 	CertificateIDs []string `json:"certificate_ids,omitempty"`
 }
 // BulkRevoke handles bulk certificate revocation.
 // POST /api/v1/certificates/bulk-revoke
 func (h BulkRevocationHandler) BulkRevoke(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
 	requestID := middleware.GetRequestID(r.Context())
 	var req bulkRevokeRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID)
 		return
 	}
 	// Validate reason is present
 	if req.Reason == "" {
 		ErrorWithRequestID(w, http.StatusBadRequest, "Revocation reason is required", requestID)
 		return
 	}
 	// Validate reason is a valid RFC 5280 code
 	if !domain.IsValidRevocationReason(req.Reason) {
 		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid revocation reason: "+req.Reason, requestID)
 		return
 	}
 	criteria := domain.BulkRevocationCriteria{
 		ProfileID:      req.ProfileID,
 		OwnerID:        req.OwnerID,
 		AgentID:        req.AgentID,
 		IssuerID:       req.IssuerID,
 		TeamID:         req.TeamID,
 		CertificateIDs: req.CertificateIDs,
 	}
 	// Safety guard: at least one criterion required
 	if criteria.IsEmpty() {
 		ErrorWithRequestID(w, http.StatusBadRequest, "At least one filter criterion is required (profile_id, owner_id, agent_id, issuer_id, team_id, or certificate_ids)", requestID)
 		return
 	}
 	// Extract actor from auth context
 	actor := "api"
 	if user, ok := middleware.GetUser(r.Context()); ok && user != "" {
 		actor = user
 	}
 	result, err := h.svc.BulkRevoke(r.Context(), criteria, req.Reason, actor)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Bulk revocation failed: "+err.Error(), requestID)
 		return
 	}
 	JSON(w, http.StatusOK, result)
 }
@@ -0,0 +1,170 @@
 package handler
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/shankar0123/certctl/internal/domain"
 )
 // mockBulkRevocationService is a test implementation of BulkRevocationService
 type mockBulkRevocationService struct {
 	BulkRevokeFn func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error)
 }
 func (m *mockBulkRevocationService) BulkRevoke(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
 	if m.BulkRevokeFn != nil {
 		return m.BulkRevokeFn(ctx, criteria, reason, actor)
 	}
 	return &domain.BulkRevocationResult{}, nil
 }
 func TestBulkRevoke_Success_WithIDs(t *testing.T) {
 	svc := &mockBulkRevocationService{
 		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
 			if len(criteria.CertificateIDs) != 2 {
 				t.Errorf("expected 2 IDs, got %d", len(criteria.CertificateIDs))
 			}
 			if reason != "keyCompromise" {
 				t.Errorf("expected reason keyCompromise, got %s", reason)
 			}
 			return &domain.BulkRevocationResult{
 				TotalMatched: 2,
 				TotalRevoked: 2,
 			}, nil
 		},
 	}
 	h := NewBulkRevocationHandler(svc)
 	body := `{"reason":"keyCompromise","certificate_ids":["mc-1","mc-2"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
 	if w.Code != http.StatusOK {
 		t.Errorf("expected 200, got %d", w.Code)
 	}
 	var result domain.BulkRevocationResult
 	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
 		t.Fatalf("failed to decode response: %v", err)
 	}
 	if result.TotalMatched != 2 {
 		t.Errorf("expected TotalMatched=2, got %d", result.TotalMatched)
 	}
 	if result.TotalRevoked != 2 {
 		t.Errorf("expected TotalRevoked=2, got %d", result.TotalRevoked)
 	}
 }
 func TestBulkRevoke_Success_WithProfile(t *testing.T) {
 	svc := &mockBulkRevocationService{
 		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
 			if criteria.ProfileID != "prof-tls" {
 				t.Errorf("expected profile prof-tls, got %s", criteria.ProfileID)
 			}
 			return &domain.BulkRevocationResult{
 				TotalMatched: 5,
 				TotalRevoked: 4,
 				TotalSkipped: 1,
 			}, nil
 		},
 	}
 	h := NewBulkRevocationHandler(svc)
 	body := `{"reason":"keyCompromise","profile_id":"prof-tls"}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
 	if w.Code != http.StatusOK {
 		t.Errorf("expected 200, got %d", w.Code)
 	}
 }
 func TestBulkRevoke_MissingReason_400(t *testing.T) {
 	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
 	body := `{"certificate_ids":["mc-1"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
 	if w.Code != http.StatusBadRequest {
 		t.Errorf("expected 400, got %d", w.Code)
 	}
 }
 func TestBulkRevoke_EmptyCriteria_400(t *testing.T) {
 	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
 	body := `{"reason":"keyCompromise"}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
 	if w.Code != http.StatusBadRequest {
 		t.Errorf("expected 400, got %d", w.Code)
 	}
 }
 func TestBulkRevoke_InvalidReason_400(t *testing.T) {
 	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
 	body := `{"reason":"totallyBogus","certificate_ids":["mc-1"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
 	if w.Code != http.StatusBadRequest {
 		t.Errorf("expected 400, got %d", w.Code)
 	}
 }
 func TestBulkRevoke_MethodNotAllowed_405(t *testing.T) {
 	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates/bulk-revoke", nil)
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
 	if w.Code != http.StatusMethodNotAllowed {
 		t.Errorf("expected 405, got %d", w.Code)
 	}
 }
 func TestBulkRevoke_ServiceError_500(t *testing.T) {
 	svc := &mockBulkRevocationService{
 		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
 			return nil, fmt.Errorf("database connection failed")
 		},
 	}
 	h := NewBulkRevocationHandler(svc)
 	body := `{"reason":"keyCompromise","certificate_ids":["mc-1"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
 	if w.Code != http.StatusInternalServerError {
 		t.Errorf("expected 500, got %d", w.Code)
 	}
 }
@@ -17,116 +17,116 @@ import (
 // MockCertificateService is a mock implementation of CertificateService interface.
 type MockCertificateService struct {
-	ListCertificatesFn           func(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
+	ListCertificatesFn           func(ctx context.Context, status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
-	ListCertificatesWithFilterFn func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
+	ListCertificatesWithFilterFn func(ctx context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
-	GetCertificateFn             func(id string) (*domain.ManagedCertificate, error)
+	GetCertificateFn             func(ctx context.Context, id string) (*domain.ManagedCertificate, error)
-	CreateCertificateFn          func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
+	CreateCertificateFn          func(ctx context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
-	UpdateCertificateFn          func(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
+	UpdateCertificateFn          func(ctx context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
-	ArchiveCertificateFn         func(id string) error
+	ArchiveCertificateFn         func(ctx context.Context, id string) error
-	GetCertificateVersionsFn     func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
+	GetCertificateVersionsFn     func(ctx context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
-	TriggerRenewalFn             func(certID string) error
+	TriggerRenewalFn             func(ctx context.Context, certID string, actor string) error
-	TriggerDeploymentFn          func(certID string, targetID string) error
+	TriggerDeploymentFn          func(ctx context.Context, certID string, targetID string, actor string) error
-	RevokeCertificateFn          func(certID string, reason string) error
+	RevokeCertificateFn          func(ctx context.Context, certID string, reason string, actor string) error
-	GetRevokedCertificatesFn     func() ([]*domain.CertificateRevocation, error)
+	GetRevokedCertificatesFn     func(ctx context.Context) ([]*domain.CertificateRevocation, error)
-	GenerateDERCRLFn             func(issuerID string) ([]byte, error)
+	GenerateDERCRLFn             func(ctx context.Context, issuerID string) ([]byte, error)
-	GetOCSPResponseFn            func(issuerID string, serialHex string) ([]byte, error)
+	GetOCSPResponseFn            func(ctx context.Context, issuerID string, serialHex string) ([]byte, error)
-	GetCertificateDeploymentsFn  func(certID string) ([]domain.DeploymentTarget, error)
+	GetCertificateDeploymentsFn  func(ctx context.Context, certID string) ([]domain.DeploymentTarget, error)
 }
-func (m *MockCertificateService) ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
+func (m *MockCertificateService) ListCertificates(ctx context.Context, status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
 	if m.ListCertificatesFn != nil {
-		return m.ListCertificatesFn(status, environment, ownerID, teamID, issuerID, page, perPage)
+		return m.ListCertificatesFn(ctx, status, environment, ownerID, teamID, issuerID, page, perPage)
 	}
 	return nil, 0, nil
 }
-func (m *MockCertificateService) GetCertificate(id string) (*domain.ManagedCertificate, error) {
+func (m *MockCertificateService) GetCertificate(ctx context.Context, id string) (*domain.ManagedCertificate, error) {
 	if m.GetCertificateFn != nil {
-		return m.GetCertificateFn(id)
+		return m.GetCertificateFn(ctx, id)
 	}
 	return nil, nil
 }
-func (m *MockCertificateService) CreateCertificate(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+func (m *MockCertificateService) CreateCertificate(ctx context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 	if m.CreateCertificateFn != nil {
-		return m.CreateCertificateFn(cert)
+		return m.CreateCertificateFn(ctx, cert)
 	}
 	return nil, nil
 }
-func (m *MockCertificateService) UpdateCertificate(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+func (m *MockCertificateService) UpdateCertificate(ctx context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 	if m.UpdateCertificateFn != nil {
-		return m.UpdateCertificateFn(id, cert)
+		return m.UpdateCertificateFn(ctx, id, cert)
 	}
 	return nil, nil
 }
-func (m *MockCertificateService) ArchiveCertificate(id string) error {
+func (m *MockCertificateService) ArchiveCertificate(ctx context.Context, id string) error {
 	if m.ArchiveCertificateFn != nil {
-		return m.ArchiveCertificateFn(id)
+		return m.ArchiveCertificateFn(ctx, id)
 	}
 	return nil
 }
-func (m *MockCertificateService) GetCertificateVersions(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+func (m *MockCertificateService) GetCertificateVersions(ctx context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 	if m.GetCertificateVersionsFn != nil {
-		return m.GetCertificateVersionsFn(certID, page, perPage)
+		return m.GetCertificateVersionsFn(ctx, certID, page, perPage)
 	}
 	return nil, 0, nil
 }
-func (m *MockCertificateService) TriggerRenewal(certID string) error {
+func (m *MockCertificateService) TriggerRenewal(ctx context.Context, certID string, actor string) error {
 	if m.TriggerRenewalFn != nil {
-		return m.TriggerRenewalFn(certID)
+		return m.TriggerRenewalFn(ctx, certID, actor)
 	}
 	return nil
 }
-func (m *MockCertificateService) TriggerDeployment(certID string, targetID string) error {
+func (m *MockCertificateService) TriggerDeployment(ctx context.Context, certID string, targetID string, actor string) error {
 	if m.TriggerDeploymentFn != nil {
-		return m.TriggerDeploymentFn(certID, targetID)
+		return m.TriggerDeploymentFn(ctx, certID, targetID, actor)
 	}
 	return nil
 }
-func (m *MockCertificateService) RevokeCertificate(certID string, reason string) error {
+func (m *MockCertificateService) RevokeCertificate(ctx context.Context, certID string, reason string, actor string) error {
 	if m.RevokeCertificateFn != nil {
-		return m.RevokeCertificateFn(certID, reason)
+		return m.RevokeCertificateFn(ctx, certID, reason, actor)
 	}
 	return nil
 }
-func (m *MockCertificateService) GetRevokedCertificates() ([]*domain.CertificateRevocation, error) {
+func (m *MockCertificateService) GetRevokedCertificates(ctx context.Context) ([]*domain.CertificateRevocation, error) {
 	if m.GetRevokedCertificatesFn != nil {
-		return m.GetRevokedCertificatesFn()
+		return m.GetRevokedCertificatesFn(ctx)
 	}
 	return nil, nil
 }
-func (m *MockCertificateService) GenerateDERCRL(issuerID string) ([]byte, error) {
+func (m *MockCertificateService) GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error) {
 	if m.GenerateDERCRLFn != nil {
-		return m.GenerateDERCRLFn(issuerID)
+		return m.GenerateDERCRLFn(ctx, issuerID)
 	}
 	return nil, nil
 }
-func (m *MockCertificateService) GetOCSPResponse(issuerID string, serialHex string) ([]byte, error) {
+func (m *MockCertificateService) GetOCSPResponse(ctx context.Context, issuerID string, serialHex string) ([]byte, error) {
 	if m.GetOCSPResponseFn != nil {
-		return m.GetOCSPResponseFn(issuerID, serialHex)
+		return m.GetOCSPResponseFn(ctx, issuerID, serialHex)
 	}
 	return nil, nil
 }
-func (m *MockCertificateService) ListCertificatesWithFilter(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+func (m *MockCertificateService) ListCertificatesWithFilter(ctx context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 	if m.ListCertificatesWithFilterFn != nil {
-		return m.ListCertificatesWithFilterFn(filter)
+		return m.ListCertificatesWithFilterFn(ctx, filter)
 	}
 	return nil, 0, nil
 }
-func (m *MockCertificateService) GetCertificateDeployments(certID string) ([]domain.DeploymentTarget, error) {
+func (m *MockCertificateService) GetCertificateDeployments(ctx context.Context, certID string) ([]domain.DeploymentTarget, error) {
 	if m.GetCertificateDeploymentsFn != nil {
-		return m.GetCertificateDeploymentsFn(certID)
+		return m.GetCertificateDeploymentsFn(ctx, certID)
 	}
 	return nil, nil
 }
@@ -158,7 +158,7 @@ func TestListCertificates_Success(t *testing.T) {
 	}
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.Page == 1 && filter.PerPage == 50 {
 				return []domain.ManagedCertificate{cert1, cert2}, 2, nil
 			}
@@ -197,7 +197,7 @@ func TestListCertificates_Success(t *testing.T) {
 // Test ListCertificates - with filters
 func TestListCertificates_WithFilters(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.Status == "Active" && filter.Environment == "prod" {
 				return []domain.ManagedCertificate{}, 0, nil
 			}
@@ -236,7 +236,7 @@ func TestListCertificates_MethodNotAllowed(t *testing.T) {
 // Test ListCertificates - service error
 func TestListCertificates_ServiceError(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			return nil, 0, ErrMockServiceFailed
 		},
 	}
@@ -266,7 +266,7 @@ func TestGetCertificate_Success(t *testing.T) {
 	}
 	mock := &MockCertificateService{
-		GetCertificateFn: func(id string) (*domain.ManagedCertificate, error) {
+		GetCertificateFn: func(_ context.Context, id string) (*domain.ManagedCertificate, error) {
 			if id == "mc-prod-001" {
 				return cert, nil
 			}
@@ -298,7 +298,7 @@ func TestGetCertificate_Success(t *testing.T) {
 // Test GetCertificate - not found
 func TestGetCertificate_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetCertificateFn: func(id string) (*domain.ManagedCertificate, error) {
+		GetCertificateFn: func(_ context.Context, id string) (*domain.ManagedCertificate, error) {
 			return nil, ErrMockNotFound
 		},
 	}
@@ -345,7 +345,7 @@ func TestCreateCertificate_Success(t *testing.T) {
 	}
 	mock := &MockCertificateService{
-		CreateCertificateFn: func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+		CreateCertificateFn: func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 			return created, nil
 		},
 	}
@@ -403,7 +403,7 @@ func TestCreateCertificate_InvalidBody(t *testing.T) {
 // Test CreateCertificate - service error
 func TestCreateCertificate_ServiceError(t *testing.T) {
 	mock := &MockCertificateService{
-		CreateCertificateFn: func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+		CreateCertificateFn: func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 			return nil, ErrMockServiceFailed
 		},
 	}
@@ -445,7 +445,7 @@ func TestUpdateCertificate_Success(t *testing.T) {
 	}
 	mock := &MockCertificateService{
-		UpdateCertificateFn: func(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+		UpdateCertificateFn: func(_ context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 			if id == "mc-prod-001" {
 				return updated, nil
 			}
@@ -501,7 +501,7 @@ func TestUpdateCertificate_InvalidBody(t *testing.T) {
 // Test ArchiveCertificate - success case
 func TestArchiveCertificate_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		ArchiveCertificateFn: func(id string) error {
+		ArchiveCertificateFn: func(_ context.Context, id string) error {
 			if id == "mc-prod-001" {
 				return nil
 			}
@@ -524,7 +524,7 @@ func TestArchiveCertificate_Success(t *testing.T) {
 // Test ArchiveCertificate - not found
 func TestArchiveCertificate_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		ArchiveCertificateFn: func(id string) error {
+		ArchiveCertificateFn: func(_ context.Context, id string) error {
 			return ErrMockNotFound
 		},
 	}
@@ -554,7 +554,7 @@ func TestGetCertificateVersions_Success(t *testing.T) {
 	}
 	mock := &MockCertificateService{
-		GetCertificateVersionsFn: func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+		GetCertificateVersionsFn: func(_ context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 			if certID == "mc-prod-001" {
 				return []domain.CertificateVersion{ver1}, 1, nil
 			}
@@ -586,7 +586,7 @@ func TestGetCertificateVersions_Success(t *testing.T) {
 // Test GetCertificateVersions - not found
 func TestGetCertificateVersions_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetCertificateVersionsFn: func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+		GetCertificateVersionsFn: func(_ context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 			return nil, 0, ErrMockNotFound
 		},
 	}
@@ -606,7 +606,7 @@ func TestGetCertificateVersions_NotFound(t *testing.T) {
 // Test TriggerRenewal - success case
 func TestTriggerRenewal_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		TriggerRenewalFn: func(certID string) error {
+		TriggerRenewalFn: func(_ context.Context, certID string, _ string) error {
 			if certID == "mc-prod-001" {
 				return nil
 			}
@@ -638,7 +638,7 @@ func TestTriggerRenewal_Success(t *testing.T) {
 // Test TriggerRenewal - service error
 func TestTriggerRenewal_ServiceError(t *testing.T) {
 	mock := &MockCertificateService{
-		TriggerRenewalFn: func(certID string) error {
+		TriggerRenewalFn: func(_ context.Context, certID string, _ string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -658,7 +658,7 @@ func TestTriggerRenewal_ServiceError(t *testing.T) {
 // Test TriggerDeployment - success case
 func TestTriggerDeployment_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		TriggerDeploymentFn: func(certID string, targetID string) error {
+		TriggerDeploymentFn: func(_ context.Context, certID string, targetID string, _ string) error {
 			if certID == "mc-prod-001" {
 				return nil
 			}
@@ -695,7 +695,7 @@ func TestTriggerDeployment_Success(t *testing.T) {
 // Test TriggerDeployment - without target ID
 func TestTriggerDeployment_NoTargetID(t *testing.T) {
 	mock := &MockCertificateService{
-		TriggerDeploymentFn: func(certID string, targetID string) error {
+		TriggerDeploymentFn: func(_ context.Context, certID string, targetID string, _ string) error {
 			// Should accept empty targetID (deploy to all)
 			return nil
 		},
@@ -716,7 +716,7 @@ func TestTriggerDeployment_NoTargetID(t *testing.T) {
 // Test ListCertificates - invalid page parameter
 func TestListCertificates_InvalidPageParam(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			// Should default to page 1
 			if filter.Page == 1 {
 				return []domain.ManagedCertificate{}, 0, nil
@@ -740,7 +740,7 @@ func TestListCertificates_InvalidPageParam(t *testing.T) {
 // Test ListCertificates - per_page exceeds max
 func TestListCertificates_PerPageExceedsMax(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			// Should cap perPage at 500
 			if filter.PerPage == 50 { // defaults to 50 if > 500
 				return []domain.ManagedCertificate{}, 0, nil
@@ -765,7 +765,7 @@ func TestListCertificates_PerPageExceedsMax(t *testing.T) {
 func TestRevokeCertificate_Handler_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			if certID != "mc-prod-001" {
 				t.Errorf("expected certID mc-prod-001, got %s", certID)
 			}
@@ -798,7 +798,7 @@ func TestRevokeCertificate_Handler_Success(t *testing.T) {
 func TestRevokeCertificate_Handler_NoBody(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			// Empty reason is OK — service defaults to "unspecified"
 			return nil
 		},
@@ -818,7 +818,7 @@ func TestRevokeCertificate_Handler_NoBody(t *testing.T) {
 func TestRevokeCertificate_Handler_AlreadyRevoked(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("certificate is already revoked")
 		},
 	}
@@ -839,7 +839,7 @@ func TestRevokeCertificate_Handler_AlreadyRevoked(t *testing.T) {
 func TestRevokeCertificate_Handler_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("failed to fetch certificate: not found")
 		},
 	}
@@ -858,7 +858,7 @@ func TestRevokeCertificate_Handler_NotFound(t *testing.T) {
 func TestRevokeCertificate_Handler_InvalidReason(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("invalid revocation reason: badReason")
 		},
 	}
@@ -922,7 +922,7 @@ func TestRevokeCertificate_Handler_EmptyID(t *testing.T) {
 func TestRevokeCertificate_Handler_CannotRevokeArchived(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("cannot revoke archived certificate")
 		},
 	}
@@ -941,7 +941,7 @@ func TestRevokeCertificate_Handler_CannotRevokeArchived(t *testing.T) {
 func TestRevokeCertificate_Handler_ServerError(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("database connection lost")
 		},
 	}
@@ -962,7 +962,7 @@ func TestRevokeCertificate_Handler_ServerError(t *testing.T) {
 func TestGetCRL_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		GetRevokedCertificatesFn: func() ([]*domain.CertificateRevocation, error) {
+		GetRevokedCertificatesFn: func(_ context.Context) ([]*domain.CertificateRevocation, error) {
 			return []*domain.CertificateRevocation{
 				{
 					ID:            "rev-1",
@@ -1022,7 +1022,7 @@ func TestGetCRL_Success(t *testing.T) {
 func TestGetCRL_Empty(t *testing.T) {
 	mock := &MockCertificateService{
-		GetRevokedCertificatesFn: func() ([]*domain.CertificateRevocation, error) {
+		GetRevokedCertificatesFn: func(_ context.Context) ([]*domain.CertificateRevocation, error) {
 			return nil, nil
 		},
 	}
@@ -1047,7 +1047,7 @@ func TestGetCRL_Empty(t *testing.T) {
 func TestGetCRL_ServiceError(t *testing.T) {
 	mock := &MockCertificateService{
-		GetRevokedCertificatesFn: func() ([]*domain.CertificateRevocation, error) {
+		GetRevokedCertificatesFn: func(_ context.Context) ([]*domain.CertificateRevocation, error) {
 			return nil, fmt.Errorf("revocation repository not configured")
 		},
 	}
@@ -1083,7 +1083,7 @@ func TestGetCRL_MethodNotAllowed(t *testing.T) {
 func TestGetDERCRL_Success(t *testing.T) {
 	derCRLData := []byte{0x30, 0x82, 0x01, 0x00} // Mock DER CRL bytes
 	mock := &MockCertificateService{
-		GenerateDERCRLFn: func(issuerID string) ([]byte, error) {
+		GenerateDERCRLFn: func(_ context.Context, issuerID string) ([]byte, error) {
 			if issuerID == "iss-local" {
 				return derCRLData, nil
 			}
@@ -1111,7 +1111,7 @@ func TestGetDERCRL_Success(t *testing.T) {
 func TestGetDERCRL_IssuerNotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GenerateDERCRLFn: func(issuerID string) ([]byte, error) {
+		GenerateDERCRLFn: func(_ context.Context, issuerID string) ([]byte, error) {
 			return nil, fmt.Errorf("issuer not found")
 		},
 	}
@@ -1130,7 +1130,7 @@ func TestGetDERCRL_IssuerNotFound(t *testing.T) {
 func TestGetDERCRL_NotSupported(t *testing.T) {
 	mock := &MockCertificateService{
-		GenerateDERCRLFn: func(issuerID string) ([]byte, error) {
+		GenerateDERCRLFn: func(_ context.Context, issuerID string) ([]byte, error) {
 			return nil, fmt.Errorf("issuer does not support CRL generation")
 		},
 	}
@@ -1165,7 +1165,7 @@ func TestGetDERCRL_MethodNotAllowed(t *testing.T) {
 func TestHandleOCSP_Success(t *testing.T) {
 	ocspResponseBytes := []byte{0x30, 0x82, 0x02, 0x00} // Mock OCSP response
 	mock := &MockCertificateService{
-		GetOCSPResponseFn: func(issuerID string, serialHex string) ([]byte, error) {
+		GetOCSPResponseFn: func(_ context.Context, issuerID string, serialHex string) ([]byte, error) {
 			if issuerID == "iss-local" && serialHex == "12345" {
 				return ocspResponseBytes, nil
 			}
@@ -1206,7 +1206,7 @@ func TestHandleOCSP_MissingSerial(t *testing.T) {
 func TestHandleOCSP_IssuerNotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetOCSPResponseFn: func(issuerID string, serialHex string) ([]byte, error) {
+		GetOCSPResponseFn: func(_ context.Context, issuerID string, serialHex string) ([]byte, error) {
 			return nil, fmt.Errorf("issuer not found")
 		},
 	}
@@ -1225,7 +1225,7 @@ func TestHandleOCSP_IssuerNotFound(t *testing.T) {
 func TestHandleOCSP_CertNotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetOCSPResponseFn: func(issuerID string, serialHex string) ([]byte, error) {
+		GetOCSPResponseFn: func(_ context.Context, issuerID string, serialHex string) ([]byte, error) {
 			return nil, fmt.Errorf("certificate not found")
 		},
 	}
@@ -1261,7 +1261,7 @@ func TestHandleOCSP_MethodNotAllowed(t *testing.T) {
 // TestListCertificates_SortParam tests sort parameter parsing and passing to service.
 func TestListCertificates_SortParam(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			// Handler strips the '-' prefix and sets SortDesc = true
 			if filter.Sort != "notAfter" || !filter.SortDesc {
 				t.Errorf("expected sort=notAfter desc=true, got sort=%s desc=%v", filter.Sort, filter.SortDesc)
@@ -1284,7 +1284,7 @@ func TestListCertificates_SortParam(t *testing.T) {
 // TestListCertificates_SortParam_Ascending tests sort parameter without '-' prefix (ascending).
 func TestListCertificates_SortParam_Ascending(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.Sort != "createdAt" || filter.SortDesc {
 				t.Errorf("expected sort=createdAt desc=false, got sort=%s desc=%v", filter.Sort, filter.SortDesc)
 			}
@@ -1309,7 +1309,7 @@ func TestListCertificates_TimeRangeFilters(t *testing.T) {
 	after := time.Now().AddDate(0, 0, -90)
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.ExpiresBefore == nil {
 				t.Error("expected ExpiresBefore to be set")
 			}
@@ -1339,7 +1339,7 @@ func TestListCertificates_CreatedAfterFilter(t *testing.T) {
 	past := time.Now().AddDate(-1, 0, 0)
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.CreatedAfter == nil {
 				t.Error("expected CreatedAfter to be set")
 			}
@@ -1369,7 +1369,7 @@ func TestListCertificates_CursorPagination(t *testing.T) {
 	}
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			return []domain.ManagedCertificate{cert}, 1, nil
 		},
 	}
@@ -1409,7 +1409,7 @@ func TestListCertificates_SparseFields(t *testing.T) {
 	}
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if len(filter.Fields) != 2 {
 				t.Errorf("expected 2 fields, got %d", len(filter.Fields))
 			}
@@ -1456,7 +1456,7 @@ func TestListCertificates_SparseFields(t *testing.T) {
 // TestListCertificates_ProfileFilter tests profile_id filter.
 func TestListCertificates_ProfileFilter(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.ProfileID != "prof-standard" {
 				t.Errorf("expected ProfileID=prof-standard, got %s", filter.ProfileID)
 			}
@@ -1479,7 +1479,7 @@ func TestListCertificates_ProfileFilter(t *testing.T) {
 // TestListCertificates_AgentIDFilter tests agent_id filter.
 func TestListCertificates_AgentIDFilter(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.AgentID != "agent-prod-001" {
 				t.Errorf("expected AgentID=agent-prod-001, got %s", filter.AgentID)
 			}
@@ -1502,7 +1502,7 @@ func TestListCertificates_AgentIDFilter(t *testing.T) {
 // TestListCertificates_CombinedFilters tests multiple filters together.
 func TestListCertificates_CombinedFilters(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.Status != "Active" || filter.Environment != "production" || filter.ProfileID != "prof-standard" {
 				t.Error("expected all filters to be set")
 			}
@@ -1540,7 +1540,7 @@ func TestGetCertificateDeployments_Success(t *testing.T) {
 	}
 	mock := &MockCertificateService{
-		GetCertificateDeploymentsFn: func(certID string) ([]domain.DeploymentTarget, error) {
+		GetCertificateDeploymentsFn: func(_ context.Context, certID string) ([]domain.DeploymentTarget, error) {
 			if certID != "mc-prod-001" {
 				return nil, ErrMockNotFound
 			}
@@ -1576,7 +1576,7 @@ func TestGetCertificateDeployments_Success(t *testing.T) {
 // TestGetCertificateDeployments_NotFound tests 404 for nonexistent certificate.
 func TestGetCertificateDeployments_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetCertificateDeploymentsFn: func(certID string) ([]domain.DeploymentTarget, error) {
+		GetCertificateDeploymentsFn: func(_ context.Context, certID string) ([]domain.DeploymentTarget, error) {
 			return nil, fmt.Errorf("certificate not found")
 		},
 	}
@@ -1596,7 +1596,7 @@ func TestGetCertificateDeployments_NotFound(t *testing.T) {
 // TestGetCertificateDeployments_Empty tests successful response with no deployments.
 func TestGetCertificateDeployments_Empty(t *testing.T) {
 	mock := &MockCertificateService{
-		GetCertificateDeploymentsFn: func(certID string) ([]domain.DeploymentTarget, error) {
+		GetCertificateDeploymentsFn: func(_ context.Context, certID string) ([]domain.DeploymentTarget, error) {
 			if certID == "mc-no-deployments" {
 				return []domain.DeploymentTarget{}, nil
 			}
@@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"log/slog"
 	"net/http"
@@ -15,20 +16,20 @@ import (
 // CertificateService defines the service interface for certificate operations.
 type CertificateService interface {
-	ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
+	ListCertificates(ctx context.Context, status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
-	ListCertificatesWithFilter(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
+	ListCertificatesWithFilter(ctx context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
-	GetCertificate(id string) (*domain.ManagedCertificate, error)
+	GetCertificate(ctx context.Context, id string) (*domain.ManagedCertificate, error)
-	CreateCertificate(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
+	CreateCertificate(ctx context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
-	UpdateCertificate(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
+	UpdateCertificate(ctx context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
-	ArchiveCertificate(id string) error
+	ArchiveCertificate(ctx context.Context, id string) error
-	GetCertificateVersions(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
+	GetCertificateVersions(ctx context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
-	TriggerRenewal(certID string) error
+	TriggerRenewal(ctx context.Context, certID string, actor string) error
-	TriggerDeployment(certID string, targetID string) error
+	TriggerDeployment(ctx context.Context, certID string, targetID string, actor string) error
-	RevokeCertificate(certID string, reason string) error
+	RevokeCertificate(ctx context.Context, certID string, reason string, actor string) error
-	GetRevokedCertificates() ([]*domain.CertificateRevocation, error)
+	GetRevokedCertificates(ctx context.Context) ([]*domain.CertificateRevocation, error)
-	GenerateDERCRL(issuerID string) ([]byte, error)
+	GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error)
-	GetOCSPResponse(issuerID string, serialHex string) ([]byte, error)
+	GetOCSPResponse(ctx context.Context, issuerID string, serialHex string) ([]byte, error)
-	GetCertificateDeployments(certID string) ([]domain.DeploymentTarget, error)
+	GetCertificateDeployments(ctx context.Context, certID string) ([]domain.DeploymentTarget, error)
 }
 // CertificateHandler handles HTTP requests for certificate operations.
@@ -128,7 +129,7 @@ func (h CertificateHandler) ListCertificates(w http.ResponseWriter, r *http.Requ
 		filter.Fields = strings.Split(fieldsStr, ",")
 	}
-	certs, total, err := h.svc.ListCertificatesWithFilter(filter)
+	certs, total, err := h.svc.ListCertificatesWithFilter(r.Context(), filter)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list certificates", requestID)
 		return
@@ -186,7 +187,7 @@ func (h CertificateHandler) GetCertificate(w http.ResponseWriter, r *http.Reques
 		return
 	}
-	cert, err := h.svc.GetCertificate(id)
+	cert, err := h.svc.GetCertificate(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
 		return
@@ -241,7 +242,7 @@ func (h CertificateHandler) CreateCertificate(w http.ResponseWriter, r *http.Req
 		return
 	}
-	created, err := h.svc.CreateCertificate(cert)
+	created, err := h.svc.CreateCertificate(r.Context(), cert)
 	if err != nil {
 		slog.Error("failed to create certificate", "error", err, "request_id", requestID, "common_name", cert.CommonName, "name", cert.Name)
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create certificate", requestID)
@@ -295,7 +296,7 @@ func (h CertificateHandler) UpdateCertificate(w http.ResponseWriter, r *http.Req
 		}
 	}
-	updated, err := h.svc.UpdateCertificate(id, cert)
+	updated, err := h.svc.UpdateCertificate(r.Context(), id, cert)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
@@ -325,7 +326,7 @@ func (h CertificateHandler) ArchiveCertificate(w http.ResponseWriter, r *http.Re
 		return
 	}
-	if err := h.svc.ArchiveCertificate(id); err != nil {
+	if err := h.svc.ArchiveCertificate(r.Context(), id); err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
 			return
@@ -370,7 +371,7 @@ func (h CertificateHandler) GetCertificateVersions(w http.ResponseWriter, r *htt
 		}
 	}
-	versions, total, err := h.svc.GetCertificateVersions(certID, page, perPage)
+	versions, total, err := h.svc.GetCertificateVersions(r.Context(), certID, page, perPage)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
@@ -410,7 +411,7 @@ func (h CertificateHandler) TriggerRenewal(w http.ResponseWriter, r *http.Reques
 	}
 	certID := parts[0]
-	if err := h.svc.TriggerRenewal(certID); err != nil {
+	if err := h.svc.TriggerRenewal(r.Context(), certID, "api"); err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
@@ -466,7 +467,7 @@ func (h CertificateHandler) TriggerDeployment(w http.ResponseWriter, r *http.Req
 		}
 	}
-	if err := h.svc.TriggerDeployment(certID, req.TargetID); err != nil {
+	if err := h.svc.TriggerDeployment(r.Context(), certID, req.TargetID, "api"); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to trigger deployment", requestID)
 		return
 	}
@@ -508,7 +509,7 @@ func (h CertificateHandler) RevokeCertificate(w http.ResponseWriter, r *http.Req
 		}
 	}
-	if err := h.svc.RevokeCertificate(certID, req.Reason); err != nil {
+	if err := h.svc.RevokeCertificate(r.Context(), certID, req.Reason, "api"); err != nil {
 		// Distinguish between client errors and server errors
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "already revoked") ||
@@ -540,7 +541,7 @@ func (h CertificateHandler) GetCRL(w http.ResponseWriter, r *http.Request) {
 	requestID := middleware.GetRequestID(r.Context())
-	revocations, err := h.svc.GetRevokedCertificates()
+	revocations, err := h.svc.GetRevokedCertificates(r.Context())
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to generate CRL", requestID)
 		return
@@ -585,7 +586,7 @@ func (h CertificateHandler) GetDERCRL(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	derBytes, err := h.svc.GenerateDERCRL(issuerID)
+	derBytes, err := h.svc.GenerateDERCRL(r.Context(), issuerID)
 	if err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {
@@ -627,7 +628,7 @@ func (h CertificateHandler) HandleOCSP(w http.ResponseWriter, r *http.Request) {
 	issuerID := parts[0]
 	serialHex := parts[1]
-	derBytes, err := h.svc.GetOCSPResponse(issuerID, serialHex)
+	derBytes, err := h.svc.GetOCSPResponse(r.Context(), issuerID, serialHex)
 	if err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {
@@ -667,7 +668,7 @@ func (h CertificateHandler) GetCertificateDeployments(w http.ResponseWriter, r *
 	}
 	certID := parts[0]
-	deployments, err := h.svc.GetCertificateDeployments(certID)
+	deployments, err := h.svc.GetCertificateDeployments(r.Context(), certID)
 	if err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {
@@ -2,6 +2,7 @@ package handler
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -15,52 +16,52 @@ import (
 // MockIssuerService is a mock implementation of IssuerService interface.
 type MockIssuerService struct {
-	ListIssuersFn    func(page, perPage int) ([]domain.Issuer, int64, error)
+	ListIssuersFn    func(ctx context.Context, page, perPage int) ([]domain.Issuer, int64, error)
-	GetIssuerFn      func(id string) (*domain.Issuer, error)
+	GetIssuerFn      func(ctx context.Context, id string) (*domain.Issuer, error)
-	CreateIssuerFn   func(issuer domain.Issuer) (*domain.Issuer, error)
+	CreateIssuerFn   func(ctx context.Context, issuer domain.Issuer) (*domain.Issuer, error)
-	UpdateIssuerFn   func(id string, issuer domain.Issuer) (*domain.Issuer, error)
+	UpdateIssuerFn   func(ctx context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error)
-	DeleteIssuerFn   func(id string) error
+	DeleteIssuerFn   func(ctx context.Context, id string) error
-	TestConnectionFn func(id string) error
+	TestConnectionFn func(ctx context.Context, id string) error
 }
-func (m *MockIssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64, error) {
+func (m *MockIssuerService) ListIssuers(ctx context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 	if m.ListIssuersFn != nil {
-		return m.ListIssuersFn(page, perPage)
+		return m.ListIssuersFn(ctx, page, perPage)
 	}
 	return nil, 0, nil
 }
-func (m *MockIssuerService) GetIssuer(id string) (*domain.Issuer, error) {
+func (m *MockIssuerService) GetIssuer(ctx context.Context, id string) (*domain.Issuer, error) {
 	if m.GetIssuerFn != nil {
-		return m.GetIssuerFn(id)
+		return m.GetIssuerFn(ctx, id)
 	}
 	return nil, nil
 }
-func (m *MockIssuerService) CreateIssuer(issuer domain.Issuer) (*domain.Issuer, error) {
+func (m *MockIssuerService) CreateIssuer(ctx context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 	if m.CreateIssuerFn != nil {
-		return m.CreateIssuerFn(issuer)
+		return m.CreateIssuerFn(ctx, issuer)
 	}
 	return nil, nil
 }
-func (m *MockIssuerService) UpdateIssuer(id string, issuer domain.Issuer) (*domain.Issuer, error) {
+func (m *MockIssuerService) UpdateIssuer(ctx context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error) {
 	if m.UpdateIssuerFn != nil {
-		return m.UpdateIssuerFn(id, issuer)
+		return m.UpdateIssuerFn(ctx, id, issuer)
 	}
 	return nil, nil
 }
-func (m *MockIssuerService) DeleteIssuer(id string) error {
+func (m *MockIssuerService) DeleteIssuer(ctx context.Context, id string) error {
 	if m.DeleteIssuerFn != nil {
-		return m.DeleteIssuerFn(id)
+		return m.DeleteIssuerFn(ctx, id)
 	}
 	return nil
 }
-func (m *MockIssuerService) TestConnection(id string) error {
+func (m *MockIssuerService) TestConnection(ctx context.Context, id string) error {
 	if m.TestConnectionFn != nil {
-		return m.TestConnectionFn(id)
+		return m.TestConnectionFn(ctx, id)
 	}
 	return nil
 }
@@ -85,7 +86,7 @@ func TestListIssuers_Success(t *testing.T) {
 	}
 	mock := &MockIssuerService{
-		ListIssuersFn: func(page, perPage int) ([]domain.Issuer, int64, error) {
+		ListIssuersFn: func(_ context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 			return []domain.Issuer{iss1, iss2}, 2, nil
 		},
 	}
@@ -113,7 +114,7 @@ func TestListIssuers_Success(t *testing.T) {
 func TestListIssuers_Pagination(t *testing.T) {
 	var capturedPage, capturedPerPage int
 	mock := &MockIssuerService{
-		ListIssuersFn: func(page, perPage int) ([]domain.Issuer, int64, error) {
+		ListIssuersFn: func(_ context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 			capturedPage = page
 			capturedPerPage = perPage
 			return []domain.Issuer{}, 0, nil
@@ -137,7 +138,7 @@ func TestListIssuers_Pagination(t *testing.T) {
 func TestListIssuers_ServiceError(t *testing.T) {
 	mock := &MockIssuerService{
-		ListIssuersFn: func(page, perPage int) ([]domain.Issuer, int64, error) {
+		ListIssuersFn: func(_ context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 			return nil, 0, ErrMockServiceFailed
 		},
 	}
@@ -169,7 +170,7 @@ func TestListIssuers_MethodNotAllowed(t *testing.T) {
 func TestGetIssuer_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockIssuerService{
-		GetIssuerFn: func(id string) (*domain.Issuer, error) {
+		GetIssuerFn: func(_ context.Context, id string) (*domain.Issuer, error) {
 			return &domain.Issuer{
 				ID:        id,
 				Name:      "Local CA",
@@ -195,7 +196,7 @@ func TestGetIssuer_Success(t *testing.T) {
 func TestGetIssuer_NotFound(t *testing.T) {
 	mock := &MockIssuerService{
-		GetIssuerFn: func(id string) (*domain.Issuer, error) {
+		GetIssuerFn: func(_ context.Context, id string) (*domain.Issuer, error) {
 			return nil, ErrMockNotFound
 		},
 	}
@@ -228,7 +229,7 @@ func TestGetIssuer_EmptyID(t *testing.T) {
 func TestCreateIssuer_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockIssuerService{
-		CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
+		CreateIssuerFn: func(_ context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 			issuer.ID = "iss-new"
 			issuer.CreatedAt = now
 			issuer.UpdatedAt = now
@@ -328,7 +329,7 @@ func TestCreateIssuer_NameTooLong(t *testing.T) {
 func TestCreateIssuer_DuplicateName(t *testing.T) {
 	mock := &MockIssuerService{
-		CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
+		CreateIssuerFn: func(_ context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 			return nil, fmt.Errorf("failed to create issuer: duplicate key value violates unique constraint \"issuers_name_key\"")
 		},
 	}
@@ -361,7 +362,7 @@ func TestCreateIssuer_DuplicateName(t *testing.T) {
 func TestCreateIssuer_UnsupportedType(t *testing.T) {
 	mock := &MockIssuerService{
-		CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
+		CreateIssuerFn: func(_ context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 			return nil, fmt.Errorf("unsupported issuer type: FakeCA")
 		},
 	}
@@ -394,7 +395,7 @@ func TestCreateIssuer_UnsupportedType(t *testing.T) {
 func TestCreateIssuer_GenericServiceError(t *testing.T) {
 	mock := &MockIssuerService{
-		CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
+		CreateIssuerFn: func(_ context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 			return nil, fmt.Errorf("failed to encrypt config: cipher error")
 		},
 	}
@@ -419,7 +420,7 @@ func TestCreateIssuer_GenericServiceError(t *testing.T) {
 func TestUpdateIssuer_DuplicateName(t *testing.T) {
 	mock := &MockIssuerService{
-		UpdateIssuerFn: func(id string, issuer domain.Issuer) (*domain.Issuer, error) {
+		UpdateIssuerFn: func(_ context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error) {
 			return nil, fmt.Errorf("failed to update issuer: duplicate key value violates unique constraint")
 		},
 	}
@@ -445,7 +446,7 @@ func TestUpdateIssuer_DuplicateName(t *testing.T) {
 func TestDeleteIssuer_Success(t *testing.T) {
 	var deletedID string
 	mock := &MockIssuerService{
-		DeleteIssuerFn: func(id string) error {
+		DeleteIssuerFn: func(_ context.Context, id string) error {
 			deletedID = id
 			return nil
 		},
@@ -468,7 +469,7 @@ func TestDeleteIssuer_Success(t *testing.T) {
 func TestDeleteIssuer_ServiceError(t *testing.T) {
 	mock := &MockIssuerService{
-		DeleteIssuerFn: func(id string) error {
+		DeleteIssuerFn: func(_ context.Context, id string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -487,7 +488,7 @@ func TestDeleteIssuer_ServiceError(t *testing.T) {
 func TestTestConnection_Success(t *testing.T) {
 	mock := &MockIssuerService{
-		TestConnectionFn: func(id string) error {
+		TestConnectionFn: func(_ context.Context, id string) error {
 			return nil
 		},
 	}
@@ -514,7 +515,7 @@ func TestTestConnection_Success(t *testing.T) {
 func TestTestConnection_Failure(t *testing.T) {
 	mock := &MockIssuerService{
-		TestConnectionFn: func(id string) error {
+		TestConnectionFn: func(_ context.Context, id string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"log/slog"
 	"net/http"
@@ -13,12 +14,12 @@ import (
 // IssuerService defines the service interface for issuer operations.
 type IssuerService interface {
-	ListIssuers(page, perPage int) ([]domain.Issuer, int64, error)
+	ListIssuers(ctx context.Context, page, perPage int) ([]domain.Issuer, int64, error)
-	GetIssuer(id string) (*domain.Issuer, error)
+	GetIssuer(ctx context.Context, id string) (*domain.Issuer, error)
-	CreateIssuer(issuer domain.Issuer) (*domain.Issuer, error)
+	CreateIssuer(ctx context.Context, issuer domain.Issuer) (*domain.Issuer, error)
-	UpdateIssuer(id string, issuer domain.Issuer) (*domain.Issuer, error)
+	UpdateIssuer(ctx context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error)
-	DeleteIssuer(id string) error
+	DeleteIssuer(ctx context.Context, id string) error
-	TestConnection(id string) error
+	TestConnection(ctx context.Context, id string) error
 }
 // IssuerHandler handles HTTP requests for issuer operations.
@@ -61,7 +62,7 @@ func (h IssuerHandler) ListIssuers(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	issuers, total, err := h.svc.ListIssuers(page, perPage)
+	issuers, total, err := h.svc.ListIssuers(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list issuers", requestID)
 		return
@@ -93,7 +94,7 @@ func (h IssuerHandler) GetIssuer(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	issuer, err := h.svc.GetIssuer(id)
+	issuer, err := h.svc.GetIssuer(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Issuer not found", requestID)
 		return
@@ -132,7 +133,7 @@ func (h IssuerHandler) CreateIssuer(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	created, err := h.svc.CreateIssuer(issuer)
+	created, err := h.svc.CreateIssuer(r.Context(), issuer)
 	if err != nil {
 		h.logger.Error("failed to create issuer", "error", err, "name", issuer.Name, "type", issuer.Type)
 		errMsg := err.Error()
@@ -174,7 +175,7 @@ func (h IssuerHandler) UpdateIssuer(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	updated, err := h.svc.UpdateIssuer(id, issuer)
+	updated, err := h.svc.UpdateIssuer(r.Context(), id, issuer)
 	if err != nil {
 		h.logger.Error("failed to update issuer", "error", err, "id", id)
 		errMsg := err.Error()
@@ -208,7 +209,7 @@ func (h IssuerHandler) DeleteIssuer(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	if err := h.svc.DeleteIssuer(id); err != nil {
+	if err := h.svc.DeleteIssuer(r.Context(), id); err != nil {
 		if strings.Contains(err.Error(), "violates foreign key") || strings.Contains(err.Error(), "RESTRICT") {
 			ErrorWithRequestID(w, http.StatusConflict, "Cannot delete issuer: certificates are still using this issuer", requestID)
 		} else if strings.Contains(err.Error(), "not found") {
@@ -241,7 +242,7 @@ func (h IssuerHandler) TestConnection(w http.ResponseWriter, r *http.Request) {
 	}
 	issuerID := parts[0]
-	if err := h.svc.TestConnection(issuerID); err != nil {
+	if err := h.svc.TestConnection(r.Context(), issuerID); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Connection test failed", requestID)
 		return
 	}
@@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -21,35 +22,35 @@ type MockJobService struct {
 	RejectJobFn  func(id string, reason string) error
 }
-func (m *MockJobService) ListJobs(status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
+func (m *MockJobService) ListJobs(_ context.Context, status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
 	if m.ListJobsFn != nil {
 		return m.ListJobsFn(status, jobType, page, perPage)
 	}
 	return nil, 0, nil
 }
-func (m *MockJobService) GetJob(id string) (*domain.Job, error) {
+func (m *MockJobService) GetJob(_ context.Context, id string) (*domain.Job, error) {
 	if m.GetJobFn != nil {
 		return m.GetJobFn(id)
 	}
 	return nil, nil
 }
-func (m *MockJobService) CancelJob(id string) error {
+func (m *MockJobService) CancelJob(_ context.Context, id string) error {
 	if m.CancelJobFn != nil {
 		return m.CancelJobFn(id)
 	}
 	return nil
 }
-func (m *MockJobService) ApproveJob(id string) error {
+func (m *MockJobService) ApproveJob(_ context.Context, id string) error {
 	if m.ApproveJobFn != nil {
 		return m.ApproveJobFn(id)
 	}
 	return nil
 }
-func (m *MockJobService) RejectJob(id string, reason string) error {
+func (m *MockJobService) RejectJob(_ context.Context, id string, reason string) error {
 	if m.RejectJobFn != nil {
 		return m.RejectJobFn(id, reason)
 	}
@@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"io"
 	"net/http"
@@ -13,11 +14,11 @@ import (
 // JobService defines the service interface for job operations.
 type JobService interface {
-	ListJobs(status, jobType string, page, perPage int) ([]domain.Job, int64, error)
+	ListJobs(ctx context.Context, status, jobType string, page, perPage int) ([]domain.Job, int64, error)
-	GetJob(id string) (*domain.Job, error)
+	GetJob(ctx context.Context, id string) (*domain.Job, error)
-	CancelJob(id string) error
+	CancelJob(ctx context.Context, id string) error
-	ApproveJob(id string) error
+	ApproveJob(ctx context.Context, id string) error
-	RejectJob(id string, reason string) error
+	RejectJob(ctx context.Context, id string, reason string) error
 }
 // JobHandler handles HTTP requests for job operations.
@@ -57,7 +58,7 @@ func (h JobHandler) ListJobs(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	jobs, total, err := h.svc.ListJobs(status, jobType, page, perPage)
+	jobs, total, err := h.svc.ListJobs(r.Context(), status, jobType, page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list jobs", requestID)
 		return
@@ -91,7 +92,7 @@ func (h JobHandler) GetJob(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
-	job, err := h.svc.GetJob(id)
+	job, err := h.svc.GetJob(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
 		return
@@ -119,7 +120,7 @@ func (h JobHandler) CancelJob(w http.ResponseWriter, r *http.Request) {
 	}
 	jobID := parts[0]
-	if err := h.svc.CancelJob(jobID); err != nil {
+	if err := h.svc.CancelJob(r.Context(), jobID); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to cancel job", requestID)
 		return
 	}
@@ -149,7 +150,7 @@ func (h JobHandler) ApproveJob(w http.ResponseWriter, r *http.Request) {
 	}
 	jobID := parts[0]
-	if err := h.svc.ApproveJob(jobID); err != nil {
+	if err := h.svc.ApproveJob(r.Context(), jobID); err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
 			return
@@ -193,7 +194,7 @@ func (h JobHandler) RejectJob(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	if err := h.svc.RejectJob(jobID, body.Reason); err != nil {
+	if err := h.svc.RejectJob(r.Context(), jobID, body.Reason); err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
 			return
@@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -17,21 +18,21 @@ type MockNotificationService struct {
 	MarkAsReadFn        func(id string) error
 }
-func (m *MockNotificationService) ListNotifications(page, perPage int) ([]domain.NotificationEvent, int64, error) {
+func (m *MockNotificationService) ListNotifications(_ context.Context, page, perPage int) ([]domain.NotificationEvent, int64, error) {
 	if m.ListNotificationsFn != nil {
 		return m.ListNotificationsFn(page, perPage)
 	}
 	return nil, 0, nil
 }
-func (m *MockNotificationService) GetNotification(id string) (*domain.NotificationEvent, error) {
+func (m *MockNotificationService) GetNotification(_ context.Context, id string) (*domain.NotificationEvent, error) {
 	if m.GetNotificationFn != nil {
 		return m.GetNotificationFn(id)
 	}
 	return nil, nil
 }
-func (m *MockNotificationService) MarkAsRead(id string) error {
+func (m *MockNotificationService) MarkAsRead(_ context.Context, id string) error {
 	if m.MarkAsReadFn != nil {
 		return m.MarkAsReadFn(id)
 	}
@@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"net/http"
 	"strconv"
 	"strings"
@@ -11,9 +12,9 @@ import (
 // NotificationService defines the service interface for notification operations.
 type NotificationService interface {
-	ListNotifications(page, perPage int) ([]domain.NotificationEvent, int64, error)
+	ListNotifications(ctx context.Context, page, perPage int) ([]domain.NotificationEvent, int64, error)
-	GetNotification(id string) (*domain.NotificationEvent, error)
+	GetNotification(ctx context.Context, id string) (*domain.NotificationEvent, error)
-	MarkAsRead(id string) error
+	MarkAsRead(ctx context.Context, id string) error
 }
 // NotificationHandler handles HTTP requests for notification operations.
@@ -50,7 +51,7 @@ func (h NotificationHandler) ListNotifications(w http.ResponseWriter, r *http.Re
 		}
 	}
-	notifications, total, err := h.svc.ListNotifications(page, perPage)
+	notifications, total, err := h.svc.ListNotifications(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list notifications", requestID)
 		return
@@ -84,7 +85,7 @@ func (h NotificationHandler) GetNotification(w http.ResponseWriter, r *http.Requ
 	}
 	id = parts[0]
-	notification, err := h.svc.GetNotification(id)
+	notification, err := h.svc.GetNotification(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Notification not found", requestID)
 		return
@@ -112,7 +113,7 @@ func (h NotificationHandler) MarkAsRead(w http.ResponseWriter, r *http.Request)
 	}
 	notificationID := parts[0]
-	if err := h.svc.MarkAsRead(notificationID); err != nil {
+	if err := h.svc.MarkAsRead(r.Context(), notificationID); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to mark notification as read", requestID)
 		return
 	}
@@ -2,6 +2,7 @@ package handler
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -20,35 +21,35 @@ type MockOwnerService struct {
 	DeleteOwnerFn func(id string) error
 }
-func (m *MockOwnerService) ListOwners(page, perPage int) ([]domain.Owner, int64, error) {
+func (m *MockOwnerService) ListOwners(_ context.Context, page, perPage int) ([]domain.Owner, int64, error) {
 	if m.ListOwnersFn != nil {
 		return m.ListOwnersFn(page, perPage)
 	}
 	return nil, 0, nil
 }
-func (m *MockOwnerService) GetOwner(id string) (*domain.Owner, error) {
+func (m *MockOwnerService) GetOwner(_ context.Context, id string) (*domain.Owner, error) {
 	if m.GetOwnerFn != nil {
 		return m.GetOwnerFn(id)
 	}
 	return nil, nil
 }
-func (m *MockOwnerService) CreateOwner(owner domain.Owner) (*domain.Owner, error) {
+func (m *MockOwnerService) CreateOwner(_ context.Context, owner domain.Owner) (*domain.Owner, error) {
 	if m.CreateOwnerFn != nil {
 		return m.CreateOwnerFn(owner)
 	}
 	return nil, nil
 }
-func (m *MockOwnerService) UpdateOwner(id string, owner domain.Owner) (*domain.Owner, error) {
+func (m *MockOwnerService) UpdateOwner(_ context.Context, id string, owner domain.Owner) (*domain.Owner, error) {
 	if m.UpdateOwnerFn != nil {
 		return m.UpdateOwnerFn(id, owner)
 	}
 	return nil, nil
 }
-func (m *MockOwnerService) DeleteOwner(id string) error {
+func (m *MockOwnerService) DeleteOwner(_ context.Context, id string) error {
 	if m.DeleteOwnerFn != nil {
 		return m.DeleteOwnerFn(id)
 	}
@@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,11 +13,11 @@ import (
 // OwnerService defines the service interface for owner operations.
 type OwnerService interface {
-	ListOwners(page, perPage int) ([]domain.Owner, int64, error)
+	ListOwners(ctx context.Context, page, perPage int) ([]domain.Owner, int64, error)
-	GetOwner(id string) (*domain.Owner, error)
+	GetOwner(ctx context.Context, id string) (*domain.Owner, error)
-	CreateOwner(owner domain.Owner) (*domain.Owner, error)
+	CreateOwner(ctx context.Context, owner domain.Owner) (*domain.Owner, error)
-	UpdateOwner(id string, owner domain.Owner) (*domain.Owner, error)
+	UpdateOwner(ctx context.Context, id string, owner domain.Owner) (*domain.Owner, error)
-	DeleteOwner(id string) error
+	DeleteOwner(ctx context.Context, id string) error
 }
 // OwnerHandler handles HTTP requests for owner operations.
@@ -53,7 +54,7 @@ func (h OwnerHandler) ListOwners(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	owners, total, err := h.svc.ListOwners(page, perPage)
+	owners, total, err := h.svc.ListOwners(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list owners", requestID)
 		return
@@ -87,7 +88,7 @@ func (h OwnerHandler) GetOwner(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
-	owner, err := h.svc.GetOwner(id)
+	owner, err := h.svc.GetOwner(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Owner not found", requestID)
 		return
@@ -122,7 +123,7 @@ func (h OwnerHandler) CreateOwner(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	created, err := h.svc.CreateOwner(owner)
+	created, err := h.svc.CreateOwner(r.Context(), owner)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create owner", requestID)
 		return
@@ -155,7 +156,7 @@ func (h OwnerHandler) UpdateOwner(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	updated, err := h.svc.UpdateOwner(id, owner)
+	updated, err := h.svc.UpdateOwner(r.Context(), id, owner)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update owner", requestID)
 		return
@@ -182,7 +183,7 @@ func (h OwnerHandler) DeleteOwner(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
-	if err := h.svc.DeleteOwner(id); err != nil {
+	if err := h.svc.DeleteOwner(r.Context(), id); err != nil {
 		if strings.Contains(err.Error(), "violates foreign key") || strings.Contains(err.Error(), "RESTRICT") {
 			ErrorWithRequestID(w, http.StatusConflict, "Cannot delete owner: certificates are still assigned to this owner", requestID)
 		} else if strings.Contains(err.Error(), "not found") {
@@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,12 +13,12 @@ import (
 // PolicyService defines the service interface for policy rule operations.
 type PolicyService interface {
-	ListPolicies(page, perPage int) ([]domain.PolicyRule, int64, error)
+	ListPolicies(ctx context.Context, page, perPage int) ([]domain.PolicyRule, int64, error)
-	GetPolicy(id string) (*domain.PolicyRule, error)
+	GetPolicy(ctx context.Context, id string) (*domain.PolicyRule, error)
-	CreatePolicy(policy domain.PolicyRule) (*domain.PolicyRule, error)
+	CreatePolicy(ctx context.Context, policy domain.PolicyRule) (*domain.PolicyRule, error)
-	UpdatePolicy(id string, policy domain.PolicyRule) (*domain.PolicyRule, error)
+	UpdatePolicy(ctx context.Context, id string, policy domain.PolicyRule) (*domain.PolicyRule, error)
-	DeletePolicy(id string) error
+	DeletePolicy(ctx context.Context, id string) error
-	ListViolations(policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error)
+	ListViolations(ctx context.Context, policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error)
 }
 // PolicyHandler handles HTTP requests for policy rule operations.
@@ -54,7 +55,7 @@ func (h PolicyHandler) ListPolicies(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	policies, total, err := h.svc.ListPolicies(page, perPage)
+	policies, total, err := h.svc.ListPolicies(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list policies", requestID)
 		return
@@ -88,7 +89,7 @@ func (h PolicyHandler) GetPolicy(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
-	policy, err := h.svc.GetPolicy(id)
+	policy, err := h.svc.GetPolicy(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Policy not found", requestID)
 		return
@@ -127,7 +128,7 @@ func (h PolicyHandler) CreatePolicy(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	created, err := h.svc.CreatePolicy(policy)
+	created, err := h.svc.CreatePolicy(r.Context(), policy)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create policy", requestID)
 		return
@@ -174,7 +175,7 @@ func (h PolicyHandler) UpdatePolicy(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	updated, err := h.svc.UpdatePolicy(id, policy)
+	updated, err := h.svc.UpdatePolicy(r.Context(), id, policy)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update policy", requestID)
 		return
@@ -201,7 +202,7 @@ func (h PolicyHandler) DeletePolicy(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
-	if err := h.svc.DeletePolicy(id); err != nil {
+	if err := h.svc.DeletePolicy(r.Context(), id); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to delete policy", requestID)
 		return
 	}
@@ -242,7 +243,7 @@ func (h PolicyHandler) ListViolations(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	violations, total, err := h.svc.ListViolations(policyID, page, perPage)
+	violations, total, err := h.svc.ListViolations(r.Context(), policyID, page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list violations", requestID)
 		return
@@ -2,6 +2,7 @@ package handler
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -21,42 +22,42 @@ type MockPolicyService struct {
 	ListViolationsFn func(policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error)
 }
-func (m *MockPolicyService) ListPolicies(page, perPage int) ([]domain.PolicyRule, int64, error) {
+func (m *MockPolicyService) ListPolicies(_ context.Context, page, perPage int) ([]domain.PolicyRule, int64, error) {
 	if m.ListPoliciesFn != nil {
 		return m.ListPoliciesFn(page, perPage)
 	}
 	return nil, 0, nil
 }
-func (m *MockPolicyService) GetPolicy(id string) (*domain.PolicyRule, error) {
+func (m *MockPolicyService) GetPolicy(_ context.Context, id string) (*domain.PolicyRule, error) {
 	if m.GetPolicyFn != nil {
 		return m.GetPolicyFn(id)
 	}
 	return nil, nil
 }
-func (m *MockPolicyService) CreatePolicy(policy domain.PolicyRule) (*domain.PolicyRule, error) {
+func (m *MockPolicyService) CreatePolicy(_ context.Context, policy domain.PolicyRule) (*domain.PolicyRule, error) {
 	if m.CreatePolicyFn != nil {
 		return m.CreatePolicyFn(policy)
 	}
 	return nil, nil
 }
-func (m *MockPolicyService) UpdatePolicy(id string, policy domain.PolicyRule) (*domain.PolicyRule, error) {
+func (m *MockPolicyService) UpdatePolicy(_ context.Context, id string, policy domain.PolicyRule) (*domain.PolicyRule, error) {
 	if m.UpdatePolicyFn != nil {
 		return m.UpdatePolicyFn(id, policy)
 	}
 	return nil, nil
 }
-func (m *MockPolicyService) DeletePolicy(id string) error {
+func (m *MockPolicyService) DeletePolicy(_ context.Context, id string) error {
 	if m.DeletePolicyFn != nil {
 		return m.DeletePolicyFn(id)
 	}
 	return nil
 }
-func (m *MockPolicyService) ListViolations(policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error) {
+func (m *MockPolicyService) ListViolations(_ context.Context, policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error) {
 	if m.ListViolationsFn != nil {
 		return m.ListViolationsFn(policyID, page, perPage)
 	}
@@ -2,6 +2,7 @@ package handler
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -20,35 +21,35 @@ type MockProfileService struct {
 	DeleteProfileFn func(id string) error
 }
-func (m *MockProfileService) ListProfiles(page, perPage int) ([]domain.CertificateProfile, int64, error) {
+func (m *MockProfileService) ListProfiles(_ context.Context, page, perPage int) ([]domain.CertificateProfile, int64, error) {
 	if m.ListProfilesFn != nil {
 		return m.ListProfilesFn(page, perPage)
 	}
 	return nil, 0, nil
 }
-func (m *MockProfileService) GetProfile(id string) (*domain.CertificateProfile, error) {
+func (m *MockProfileService) GetProfile(_ context.Context, id string) (*domain.CertificateProfile, error) {
 	if m.GetProfileFn != nil {
 		return m.GetProfileFn(id)
 	}
 	return nil, nil
 }
-func (m *MockProfileService) CreateProfile(profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (m *MockProfileService) CreateProfile(_ context.Context, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	if m.CreateProfileFn != nil {
 		return m.CreateProfileFn(profile)
 	}
 	return nil, nil
 }
-func (m *MockProfileService) UpdateProfile(id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (m *MockProfileService) UpdateProfile(_ context.Context, id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	if m.UpdateProfileFn != nil {
 		return m.UpdateProfileFn(id, profile)
 	}
 	return nil, nil
 }
-func (m *MockProfileService) DeleteProfile(id string) error {
+func (m *MockProfileService) DeleteProfile(_ context.Context, id string) error {
 	if m.DeleteProfileFn != nil {
 		return m.DeleteProfileFn(id)
 	}
@@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,11 +13,11 @@ import (
 // ProfileService defines the service interface for certificate profile operations.
 type ProfileService interface {
-	ListProfiles(page, perPage int) ([]domain.CertificateProfile, int64, error)
+	ListProfiles(ctx context.Context, page, perPage int) ([]domain.CertificateProfile, int64, error)
-	GetProfile(id string) (*domain.CertificateProfile, error)
+	GetProfile(ctx context.Context, id string) (*domain.CertificateProfile, error)
-	CreateProfile(profile domain.CertificateProfile) (*domain.CertificateProfile, error)
+	CreateProfile(ctx context.Context, profile domain.CertificateProfile) (*domain.CertificateProfile, error)
-	UpdateProfile(id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error)
+	UpdateProfile(ctx context.Context, id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error)
-	DeleteProfile(id string) error
+	DeleteProfile(ctx context.Context, id string) error
 }
 // ProfileHandler handles HTTP requests for certificate profile operations.
@@ -53,7 +54,7 @@ func (h ProfileHandler) ListProfiles(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	profiles, total, err := h.svc.ListProfiles(page, perPage)
+	profiles, total, err := h.svc.ListProfiles(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list profiles", requestID)
 		return
@@ -85,7 +86,7 @@ func (h ProfileHandler) GetProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	profile, err := h.svc.GetProfile(id)
+	profile, err := h.svc.GetProfile(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Profile not found", requestID)
 		return
@@ -120,7 +121,7 @@ func (h ProfileHandler) CreateProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	created, err := h.svc.CreateProfile(profile)
+	created, err := h.svc.CreateProfile(r.Context(), profile)
 	if err != nil {
 		// Check if it's a validation error from the service
 		if strings.Contains(err.Error(), "invalid") || strings.Contains(err.Error(), "required") ||
@@ -159,7 +160,7 @@ func (h ProfileHandler) UpdateProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	updated, err := h.svc.UpdateProfile(id, profile)
+	updated, err := h.svc.UpdateProfile(r.Context(), id, profile)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Profile not found", requestID)
@@ -193,7 +194,7 @@ func (h ProfileHandler) DeleteProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	if err := h.svc.DeleteProfile(id); err != nil {
+	if err := h.svc.DeleteProfile(r.Context(), id); err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Profile not found", requestID)
 			return
@@ -2,6 +2,7 @@ package handler
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -13,52 +14,52 @@ import (
 // MockTargetService is a mock implementation of TargetService interface.
 type MockTargetService struct {
-	ListTargetsFn        func(page, perPage int) ([]domain.DeploymentTarget, int64, error)
+	ListTargetsFn    func(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error)
-	GetTargetFn          func(id string) (*domain.DeploymentTarget, error)
+	GetTargetFn      func(ctx context.Context, id string) (*domain.DeploymentTarget, error)
-	CreateTargetFn       func(target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
+	CreateTargetFn   func(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
-	UpdateTargetFn       func(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
+	UpdateTargetFn   func(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
-	DeleteTargetFn       func(id string) error
+	DeleteTargetFn   func(ctx context.Context, id string) error
-	TestTargetConnectionFn func(id string) error
+	TestConnectionFn func(ctx context.Context, id string) error
 }
-func (m *MockTargetService) ListTargets(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+func (m *MockTargetService) ListTargets(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 	if m.ListTargetsFn != nil {
-		return m.ListTargetsFn(page, perPage)
+		return m.ListTargetsFn(ctx, page, perPage)
 	}
 	return nil, 0, nil
 }
-func (m *MockTargetService) GetTarget(id string) (*domain.DeploymentTarget, error) {
+func (m *MockTargetService) GetTarget(ctx context.Context, id string) (*domain.DeploymentTarget, error) {
 	if m.GetTargetFn != nil {
-		return m.GetTargetFn(id)
+		return m.GetTargetFn(ctx, id)
 	}
 	return nil, nil
 }
-func (m *MockTargetService) CreateTarget(target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+func (m *MockTargetService) CreateTarget(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 	if m.CreateTargetFn != nil {
-		return m.CreateTargetFn(target)
+		return m.CreateTargetFn(ctx, target)
 	}
 	return nil, nil
 }
-func (m *MockTargetService) UpdateTarget(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+func (m *MockTargetService) UpdateTarget(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 	if m.UpdateTargetFn != nil {
-		return m.UpdateTargetFn(id, target)
+		return m.UpdateTargetFn(ctx, id, target)
 	}
 	return nil, nil
 }
-func (m *MockTargetService) DeleteTarget(id string) error {
+func (m *MockTargetService) DeleteTarget(ctx context.Context, id string) error {
 	if m.DeleteTargetFn != nil {
-		return m.DeleteTargetFn(id)
+		return m.DeleteTargetFn(ctx, id)
 	}
 	return nil
 }
-func (m *MockTargetService) TestTargetConnection(id string) error {
+func (m *MockTargetService) TestConnection(ctx context.Context, id string) error {
-	if m.TestTargetConnectionFn != nil {
+	if m.TestConnectionFn != nil {
-		return m.TestTargetConnectionFn(id)
+		return m.TestConnectionFn(ctx, id)
 	}
 	return nil
 }
@@ -85,7 +86,7 @@ func TestListTargets_Success(t *testing.T) {
 	}
 	mock := &MockTargetService{
-		ListTargetsFn: func(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+		ListTargetsFn: func(_ context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 			return []domain.DeploymentTarget{t1, t2}, 2, nil
 		},
 	}
@@ -113,7 +114,7 @@ func TestListTargets_Success(t *testing.T) {
 func TestListTargets_Pagination(t *testing.T) {
 	var capturedPage, capturedPerPage int
 	mock := &MockTargetService{
-		ListTargetsFn: func(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+		ListTargetsFn: func(_ context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 			capturedPage = page
 			capturedPerPage = perPage
 			return []domain.DeploymentTarget{}, 0, nil
@@ -137,7 +138,7 @@ func TestListTargets_Pagination(t *testing.T) {
 func TestListTargets_ServiceError(t *testing.T) {
 	mock := &MockTargetService{
-		ListTargetsFn: func(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+		ListTargetsFn: func(_ context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 			return nil, 0, ErrMockServiceFailed
 		},
 	}
@@ -169,7 +170,7 @@ func TestListTargets_MethodNotAllowed(t *testing.T) {
 func TestGetTarget_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockTargetService{
-		GetTargetFn: func(id string) (*domain.DeploymentTarget, error) {
+		GetTargetFn: func(_ context.Context, id string) (*domain.DeploymentTarget, error) {
 			return &domain.DeploymentTarget{
 				ID:        id,
 				Name:      "NGINX Proxy",
@@ -196,7 +197,7 @@ func TestGetTarget_Success(t *testing.T) {
 func TestGetTarget_NotFound(t *testing.T) {
 	mock := &MockTargetService{
-		GetTargetFn: func(id string) (*domain.DeploymentTarget, error) {
+		GetTargetFn: func(_ context.Context, id string) (*domain.DeploymentTarget, error) {
 			return nil, ErrMockNotFound
 		},
 	}
@@ -229,7 +230,7 @@ func TestGetTarget_EmptyID(t *testing.T) {
 func TestCreateTarget_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockTargetService{
-		CreateTargetFn: func(target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+		CreateTargetFn: func(_ context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 			target.ID = "t-new"
 			target.CreatedAt = now
 			target.UpdatedAt = now
@@ -342,7 +343,7 @@ func TestCreateTarget_MethodNotAllowed(t *testing.T) {
 func TestUpdateTarget_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockTargetService{
-		UpdateTargetFn: func(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+		UpdateTargetFn: func(_ context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 			return &domain.DeploymentTarget{
 				ID:        id,
 				Name:      target.Name,
@@ -375,7 +376,7 @@ func TestUpdateTarget_Success(t *testing.T) {
 func TestDeleteTarget_Success(t *testing.T) {
 	var deletedID string
 	mock := &MockTargetService{
-		DeleteTargetFn: func(id string) error {
+		DeleteTargetFn: func(_ context.Context, id string) error {
 			deletedID = id
 			return nil
 		},
@@ -398,7 +399,7 @@ func TestDeleteTarget_Success(t *testing.T) {
 func TestDeleteTarget_ServiceError(t *testing.T) {
 	mock := &MockTargetService{
-		DeleteTargetFn: func(id string) error {
+		DeleteTargetFn: func(_ context.Context, id string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -430,7 +431,7 @@ func TestDeleteTarget_EmptyID(t *testing.T) {
 func TestTestTargetConnection_Success(t *testing.T) {
 	mock := &MockTargetService{
-		TestTargetConnectionFn: func(id string) error {
+		TestConnectionFn: func(_ context.Context, id string) error {
 			return nil
 		},
 	}
@@ -457,7 +458,7 @@ func TestTestTargetConnection_Success(t *testing.T) {
 func TestTestTargetConnection_Failed(t *testing.T) {
 	mock := &MockTargetService{
-		TestTargetConnectionFn: func(id string) error {
+		TestConnectionFn: func(_ context.Context, id string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,12 +13,12 @@ import (
 // TargetService defines the service interface for deployment target operations.
 type TargetService interface {
-	ListTargets(page, perPage int) ([]domain.DeploymentTarget, int64, error)
+	ListTargets(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error)
-	GetTarget(id string) (*domain.DeploymentTarget, error)
+	GetTarget(ctx context.Context, id string) (*domain.DeploymentTarget, error)
-	CreateTarget(target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
+	CreateTarget(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
-	UpdateTarget(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
+	UpdateTarget(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
-	DeleteTarget(id string) error
+	DeleteTarget(ctx context.Context, id string) error
-	TestTargetConnection(id string) error
+	TestConnection(ctx context.Context, id string) error
 }
 // TargetHandler handles HTTP requests for deployment target operations.
@@ -54,7 +55,7 @@ func (h TargetHandler) ListTargets(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	targets, total, err := h.svc.ListTargets(page, perPage)
+	targets, total, err := h.svc.ListTargets(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list targets", requestID)
 		return
@@ -86,7 +87,7 @@ func (h TargetHandler) GetTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	target, err := h.svc.GetTarget(id)
+	target, err := h.svc.GetTarget(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Target not found", requestID)
 		return
@@ -125,7 +126,7 @@ func (h TargetHandler) CreateTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	created, err := h.svc.CreateTarget(target)
+	created, err := h.svc.CreateTarget(r.Context(), target)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create target", requestID)
 		return
@@ -158,7 +159,7 @@ func (h TargetHandler) UpdateTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	updated, err := h.svc.UpdateTarget(id, target)
+	updated, err := h.svc.UpdateTarget(r.Context(), id, target)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update target", requestID)
 		return
@@ -183,7 +184,7 @@ func (h TargetHandler) DeleteTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	if err := h.svc.DeleteTarget(id); err != nil {
+	if err := h.svc.DeleteTarget(r.Context(), id); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to delete target", requestID)
 		return
 	}
@@ -210,7 +211,7 @@ func (h TargetHandler) TestTargetConnection(w http.ResponseWriter, r *http.Reque
 	}
 	id := parts[0]
-	if err := h.svc.TestTargetConnection(id); err != nil {
+	if err := h.svc.TestConnection(r.Context(), id); err != nil {
 		JSON(w, http.StatusOK, map[string]interface{}{
 			"status":  "failed",
 			"message": err.Error(),
@@ -2,6 +2,7 @@ package handler
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -20,35 +21,35 @@ type MockTeamService struct {
 	DeleteTeamFn func(id string) error
 }
-func (m *MockTeamService) ListTeams(page, perPage int) ([]domain.Team, int64, error) {
+func (m *MockTeamService) ListTeams(_ context.Context, page, perPage int) ([]domain.Team, int64, error) {
 	if m.ListTeamsFn != nil {
 		return m.ListTeamsFn(page, perPage)
 	}
 	return nil, 0, nil
 }
-func (m *MockTeamService) GetTeam(id string) (*domain.Team, error) {
+func (m *MockTeamService) GetTeam(_ context.Context, id string) (*domain.Team, error) {
 	if m.GetTeamFn != nil {
 		return m.GetTeamFn(id)
 	}
 	return nil, nil
 }
-func (m *MockTeamService) CreateTeam(team domain.Team) (*domain.Team, error) {
+func (m *MockTeamService) CreateTeam(_ context.Context, team domain.Team) (*domain.Team, error) {
 	if m.CreateTeamFn != nil {
 		return m.CreateTeamFn(team)
 	}
 	return nil, nil
 }
-func (m *MockTeamService) UpdateTeam(id string, team domain.Team) (*domain.Team, error) {
+func (m *MockTeamService) UpdateTeam(_ context.Context, id string, team domain.Team) (*domain.Team, error) {
 	if m.UpdateTeamFn != nil {
 		return m.UpdateTeamFn(id, team)
 	}
 	return nil, nil
 }
-func (m *MockTeamService) DeleteTeam(id string) error {
+func (m *MockTeamService) DeleteTeam(_ context.Context, id string) error {
 	if m.DeleteTeamFn != nil {
 		return m.DeleteTeamFn(id)
 	}
@@ -1,6 +1,7 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,11 +13,11 @@ import (
 // TeamService defines the service interface for team operations.
 type TeamService interface {
-	ListTeams(page, perPage int) ([]domain.Team, int64, error)
+	ListTeams(ctx context.Context, page, perPage int) ([]domain.Team, int64, error)
-	GetTeam(id string) (*domain.Team, error)
+	GetTeam(ctx context.Context, id string) (*domain.Team, error)
-	CreateTeam(team domain.Team) (*domain.Team, error)
+	CreateTeam(ctx context.Context, team domain.Team) (*domain.Team, error)
-	UpdateTeam(id string, team domain.Team) (*domain.Team, error)
+	UpdateTeam(ctx context.Context, id string, team domain.Team) (*domain.Team, error)
-	DeleteTeam(id string) error
+	DeleteTeam(ctx context.Context, id string) error
 }
 // TeamHandler handles HTTP requests for team operations.
@@ -53,7 +54,7 @@ func (h TeamHandler) ListTeams(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	teams, total, err := h.svc.ListTeams(page, perPage)
+	teams, total, err := h.svc.ListTeams(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list teams", requestID)
 		return
@@ -87,7 +88,7 @@ func (h TeamHandler) GetTeam(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
-	team, err := h.svc.GetTeam(id)
+	team, err := h.svc.GetTeam(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Team not found", requestID)
 		return
@@ -122,7 +123,7 @@ func (h TeamHandler) CreateTeam(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	created, err := h.svc.CreateTeam(team)
+	created, err := h.svc.CreateTeam(r.Context(), team)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create team", requestID)
 		return
@@ -155,7 +156,7 @@ func (h TeamHandler) UpdateTeam(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	updated, err := h.svc.UpdateTeam(id, team)
+	updated, err := h.svc.UpdateTeam(r.Context(), id, team)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update team", requestID)
 		return
@@ -182,7 +183,7 @@ func (h TeamHandler) DeleteTeam(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
-	if err := h.svc.DeleteTeam(id); err != nil {
+	if err := h.svc.DeleteTeam(r.Context(), id); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to delete team", requestID)
 		return
 	}
@@ -4,16 +4,22 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
 	"log/slog"
 	"net/http"
 	"strings"
 	"sync"
 	"time"
 )
 // AuditRecorder is the interface that the audit middleware uses to record API calls.
 // This avoids importing the service package directly, maintaining dependency inversion.
 //
 // Implementations may perform I/O (e.g., database writes). The middleware invokes
 // RecordAPICall from a tracked goroutine so that callers can drain in-flight
 // recordings during graceful shutdown via AuditMiddleware.Flush.
 type AuditRecorder interface {
 	RecordAPICall(ctx context.Context, method, path, actor string, bodyHash string, status int, latencyMs int64) error
 }
@@ -26,10 +32,42 @@ type AuditConfig struct {
 	Logger *slog.Logger
 }
-// NewAuditLog creates a middleware that records every API call to the audit trail.
+// ErrAuditFlushTimeout is returned by AuditMiddleware.Flush when in-flight audit
-// It captures method, path, authenticated actor, request body hash, response status, and latency.
+// recordings do not complete before the provided context is cancelled or its
-// Audit recording is best-effort — failures are logged but don't affect the HTTP response.
+// deadline elapses. It mirrors scheduler.ErrSchedulerShutdownTimeout so callers
-func NewAuditLog(recorder AuditRecorder, cfg AuditConfig) func(http.Handler) http.Handler {
+// can branch on graceful-shutdown timeouts consistently across subsystems.
 var ErrAuditFlushTimeout = errors.New("audit middleware flush timeout")
 // AuditMiddleware is the handle returned by NewAuditLog. It wraps the audit
 // logging HTTP middleware and tracks the goroutines spawned to record each API
 // call, so that callers can drain them during graceful shutdown (M-1, CWE-662
 // / CWE-400). The goroutines themselves still run detached from the request
 // context — the shutdown-drain signal flows through this struct's WaitGroup
 // instead of the per-request context.
 type AuditMiddleware struct {
 	recorder   AuditRecorder
 	logger     *slog.Logger
 	excludeSet map[string]bool
 	// wg tracks every audit-recording goroutine spawned by Middleware so Flush
 	// can block until they complete before the DB pool is torn down.
 	wg sync.WaitGroup
 }
 // NewAuditLog constructs the API audit logging middleware. The returned
 // *AuditMiddleware exposes the HTTP middleware via the Middleware method value
 // (same func(http.Handler) http.Handler shape) and a Flush method that the
 // process shutdown path must call after the HTTP server has stopped accepting
 // new requests but before the audit recorder's backing store (e.g., the
 // database connection pool) is closed.
 //
 // The middleware records method, path, authenticated actor, request body hash,
 // response status, and latency. Recording is best-effort — individual failures
 // are logged and do not affect the HTTP response. Shutdown is NOT best-effort:
 // Flush must succeed (or time out, returning ErrAuditFlushTimeout) so that
 // in-flight events are not lost when the audit recorder's connection pool is
 // closed out from under the goroutines.
 func NewAuditLog(recorder AuditRecorder, cfg AuditConfig) *AuditMiddleware {
 	excludeSet := make(map[string]bool, len(cfg.ExcludePaths))
 	for _, p := range cfg.ExcludePaths {
 		excludeSet[p] = true
@@ -40,68 +78,131 @@ func NewAuditLog(recorder AuditRecorder, cfg AuditConfig) func(http.Handler) htt
 		logger = slog.Default()
 	}
-	return func(next http.Handler) http.Handler {
+	return &AuditMiddleware{
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		recorder:   recorder,
-			// Skip excluded paths (health, readiness probes)
+		logger:     logger,
-			for prefix := range excludeSet {
+		excludeSet: excludeSet,
-				if strings.HasPrefix(r.URL.Path, prefix) {
+	}
-					next.ServeHTTP(w, r)
+}
-					return
+
-				}
+// Middleware is the http.Handler wrapper. It has the standard
 // func(http.Handler) http.Handler middleware signature so it can be composed
 // into an existing middleware chain via a method value (auditMiddleware.Middleware).
 func (a *AuditMiddleware) Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Skip excluded paths (health, readiness probes)
 		for prefix := range a.excludeSet {
 			if strings.HasPrefix(r.URL.Path, prefix) {
 				next.ServeHTTP(w, r)
 				return
 			}
 		}
-			start := time.Now()
+		start := time.Now()
-			// Hash request body for audit (don't store raw bodies — security + size concerns)
+		// Hash request body for audit (don't store raw bodies — security + size concerns)
-			bodyHash := ""
+		bodyHash := ""
-			if r.Body != nil && r.Body != http.NoBody {
+		if r.Body != nil && r.Body != http.NoBody {
-				hasher := sha256.New()
+			hasher := sha256.New()
-				body, err := io.ReadAll(r.Body)
+			body, err := io.ReadAll(r.Body)
-				if err == nil && len(body) > 0 {
+			if err == nil && len(body) > 0 {
-					hasher.Write(body)
+				hasher.Write(body)
-					bodyHash = hex.EncodeToString(hasher.Sum(nil))[:16] // truncated hash
+				bodyHash = hex.EncodeToString(hasher.Sum(nil))[:16] // truncated hash
-					// Restore the body for downstream handlers
+				// Restore the body for downstream handlers
-					r.Body = io.NopCloser(strings.NewReader(string(body)))
+				r.Body = io.NopCloser(strings.NewReader(string(body)))
 				}
 			}
 		}
-			// Extract actor from auth context
+		// Extract actor from auth context
-			actor := "anonymous"
+		actor := "anonymous"
-			if user, ok := GetUser(r.Context()); ok && user != "" {
+		if user, ok := GetUser(r.Context()); ok && user != "" {
-				actor = user
+			actor = user
 		}
 		// Wrap response writer to capture status code
 		wrapped := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
 		next.ServeHTTP(wrapped, r)
 		latency := time.Since(start).Milliseconds()
 		// Snapshot request-derived inputs so the goroutine does not race with
 		// the http.Server reusing r after this handler returns.
 		method := r.Method
 		path := r.URL.Path
 		status := wrapped.statusCode
 		// Derive a detached context that preserves request-scoped values
 		// (trace IDs, auth info carried via context keys) but is not cancelled
 		// when the HTTP server finalizes the request. Using r.Context()
 		// directly would cause the async audit write to observe ctx.Done()
 		// as soon as the response completes; using context.Background() would
 		// discard useful observability metadata. WithoutCancel gives us both
 		// (M-2 / D-3).
 		auditCtx := context.WithoutCancel(r.Context())
 		// Record audit event asynchronously (best-effort, don't block response).
 		// SECURITY: We intentionally use r.URL.Path (not r.URL.String() or r.RequestURI)
 		// to prevent query parameters from being recorded in the immutable audit trail.
 		// Query strings may contain cursor tokens, API keys passed as params, or other
 		// sensitive filter values. Since the audit trail is append-only with no deletion
 		// capability, any sensitive data recorded would persist permanently.
 		//
 		// The goroutine is tracked in a.wg so AuditMiddleware.Flush can drain
 		// in-flight recordings during graceful shutdown. Without this (M-1,
 		// CWE-662 / CWE-400), SIGTERM would close the DB pool while recordings
 		// were still mid-flight, silently dropping audit events.
 		a.wg.Add(1)
 		go func() {
 			defer a.wg.Done()
 			if err := a.recorder.RecordAPICall(
 				auditCtx,
 				method,
 				path,
 				actor,
 				bodyHash,
 				status,
 				latency,
 			); err != nil {
 				a.logger.Error("failed to record API audit event",
 					"error", err,
 					"method", method,
 					"path", path,
 				)
 			}
 		}()
 	})
 }
-			// Wrap response writer to capture status code
+// Flush blocks until every audit-recording goroutine spawned by Middleware has
-			wrapped := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
+// completed, or until ctx is cancelled / its deadline elapses. It must be
 // called from the process shutdown path after http.Server.Shutdown has
 // returned (so no new requests are being accepted) but before the backing
 // audit recorder's resources (DB pool, etc.) are torn down.
 //
 // On timeout or cancellation Flush returns ErrAuditFlushTimeout wrapped with
 // any context error; in-flight goroutines continue to run and may still write
 // to the recorder once they unblock — the caller is responsible for deciding
 // whether to proceed with teardown anyway or surface the error.
 //
 // Flush mirrors the idiom used by scheduler.Scheduler.WaitForCompletion so
 // that the two subsystems drain identically at shutdown.
 func (a *AuditMiddleware) Flush(ctx context.Context) error {
 	done := make(chan struct{})
 	go func() {
 		a.wg.Wait()
 		close(done)
 	}()
-			next.ServeHTTP(wrapped, r)
+	select {
-
+	case <-done:
-			latency := time.Since(start).Milliseconds()
+		a.logger.Info("audit middleware flush complete")
-
+		return nil
-			// Record audit event asynchronously (best-effort, don't block response).
+	case <-ctx.Done():
-			// SECURITY: We intentionally use r.URL.Path (not r.URL.String() or r.RequestURI)
+		a.logger.Warn("audit middleware flush did not complete before context cancellation",
-			// to prevent query parameters from being recorded in the immutable audit trail.
+			"error", ctx.Err(),
-			// Query strings may contain cursor tokens, API keys passed as params, or other
+		)
-			// sensitive filter values. Since the audit trail is append-only with no deletion
+		return fmt.Errorf("%w: %w", ErrAuditFlushTimeout, ctx.Err())
 			// capability, any sensitive data recorded would persist permanently.
 			go func() {
 				if err := recorder.RecordAPICall(
 					context.Background(),
 					r.Method,
 					r.URL.Path,
 					actor,
 					bodyHash,
 					wrapped.statusCode,
 					latency,
 				); err != nil {
 					logger.Error("failed to record API audit event",
 						"error", err,
 						"method", r.Method,
 						"path", r.URL.Path,
 					)
 				}
 			}()
 		})
 	}
 }
@@ -2,6 +2,7 @@ package middleware
 import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -16,7 +17,8 @@ import (
 type mockAuditRecorder struct {
 	mu      sync.Mutex
 	calls   []auditCall
-	err     error // if non-nil, RecordAPICall returns this
+	err     error         // if non-nil, RecordAPICall returns this
 	block   chan struct{} // if non-nil, RecordAPICall blocks on receive before returning
 }
 type auditCall struct {
@@ -29,6 +31,13 @@ type auditCall struct {
 }
 func (m *mockAuditRecorder) RecordAPICall(ctx context.Context, method, path, actor, bodyHash string, status int, latencyMs int64) error {
 	// Optional: block the recorder until a signal is received so tests can
 	// exercise the shutdown-drain path deterministically. The block happens
 	// before any state mutation so Flush-timeout tests see the call
 	// "in-flight" (wg counter > 0) with no recorded entries yet.
 	if m.block != nil {
 		<-m.block
 	}
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.calls = append(m.calls, auditCall{
@@ -90,7 +99,7 @@ func (w *waitableAuditRecorder) Wait(timeout time.Duration) bool {
 func TestAuditLog_RecordsAPICall(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -130,7 +139,7 @@ func TestAuditLog_RecordsAPICall(t *testing.T) {
 func TestAuditLog_CapturesStatusCode(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusNotFound)
@@ -157,7 +166,7 @@ func TestAuditLog_ExcludesHealth(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
 	mw := NewAuditLog(recorder, AuditConfig{
 		ExcludePaths: []string{"/health", "/ready"},
-	})
+	}).Middleware
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -193,7 +202,7 @@ func TestAuditLog_ExcludesHealth(t *testing.T) {
 func TestAuditLog_HashesRequestBody(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 	// Handler verifies body was restored
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -228,7 +237,7 @@ func TestAuditLog_HashesRequestBody(t *testing.T) {
 func TestAuditLog_EmptyBodyNoHash(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -253,7 +262,7 @@ func TestAuditLog_EmptyBodyNoHash(t *testing.T) {
 func TestAuditLog_ExtractsAuthenticatedActor(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -285,7 +294,7 @@ func TestAuditLog_ExtractsAuthenticatedActor(t *testing.T) {
 func TestAuditLog_RecorderErrorDoesNotBreakResponse(t *testing.T) {
 	recorder := &mockAuditRecorder{err: fmt.Errorf("db connection lost")}
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -304,7 +313,7 @@ func TestAuditLog_RecorderErrorDoesNotBreakResponse(t *testing.T) {
 func TestAuditLog_CapturesLatency(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		time.Sleep(10 * time.Millisecond)
@@ -330,7 +339,7 @@ func TestAuditLog_CapturesLatency(t *testing.T) {
 func TestAuditLog_ExcludesQueryParamsFromPath(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -429,3 +438,112 @@ func TestAuditServiceAdapter_PropagatesError(t *testing.T) {
 		t.Errorf("expected database error, got %v", err)
 	}
 }
 // TestAuditLog_FlushDrainsInFlightGoroutines verifies the M-1 shutdown-drain
 // contract: Flush blocks until every audit-recording goroutine spawned by the
 // middleware completes, then returns nil. Without the drain (pre-M-1 code),
 // the DB pool would be closed while in-flight goroutines were still calling
 // RecordAPICall, silently dropping audit events (CWE-662 / CWE-400).
 func TestAuditLog_FlushDrainsInFlightGoroutines(t *testing.T) {
 	// Recorder blocks on `unblock` until the test releases it. This simulates
 	// a slow DB write still in flight when shutdown begins.
 	unblock := make(chan struct{})
 	recorder := &mockAuditRecorder{block: unblock}
 	auditMW := NewAuditLog(recorder, AuditConfig{})
 	handler := auditMW.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	// Fire a request. Handler returns immediately; recorder goroutine is
 	// parked on the `unblock` channel inside RecordAPICall.
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
 	rr := httptest.NewRecorder()
 	handler.ServeHTTP(rr, req)
 	// Start Flush in a goroutine — it must block on the WaitGroup until we
 	// release the recorder.
 	flushDone := make(chan error, 1)
 	go func() {
 		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 		defer cancel()
 		flushDone <- auditMW.Flush(ctx)
 	}()
 	// Confirm Flush is actually blocked (not returning immediately).
 	select {
 	case err := <-flushDone:
 		t.Fatalf("Flush returned before recorder unblocked: err=%v", err)
 	case <-time.After(50 * time.Millisecond):
 		// expected: Flush is blocked on wg.Wait
 	}
 	// Release the recorder. Flush should now observe wg counter drop to 0
 	// and return nil.
 	close(unblock)
 	select {
 	case err := <-flushDone:
 		if err != nil {
 			t.Fatalf("expected nil from Flush after drain, got %v", err)
 		}
 	case <-time.After(2 * time.Second):
 		t.Fatal("Flush did not return after recorder unblocked")
 	}
 	// Verify the audit event was actually recorded (i.e., the goroutine
 	// completed its write — not just that Flush unblocked).
 	calls := recorder.getCalls()
 	if len(calls) != 1 {
 		t.Fatalf("expected 1 recorded audit call, got %d", len(calls))
 	}
 	if calls[0].Path != "/api/v1/certificates" {
 		t.Errorf("expected path /api/v1/certificates, got %s", calls[0].Path)
 	}
 }
 // TestAuditLog_FlushTimeoutReturnsErrAuditFlushTimeout verifies that Flush
 // respects its context: when in-flight goroutines exceed the shutdown budget,
 // Flush returns an error wrapping ErrAuditFlushTimeout plus ctx.Err(). The
 // caller can then decide whether to proceed with teardown anyway.
 func TestAuditLog_FlushTimeoutReturnsErrAuditFlushTimeout(t *testing.T) {
 	// Recorder will never unblock on its own — we unblock at end of test for
 	// a clean race-safe teardown.
 	unblock := make(chan struct{})
 	recorder := &mockAuditRecorder{block: unblock}
 	auditMW := NewAuditLog(recorder, AuditConfig{})
 	handler := auditMW.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates", nil)
 	rr := httptest.NewRecorder()
 	handler.ServeHTTP(rr, req)
 	// Flush with a tiny deadline — must time out.
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Millisecond)
 	defer cancel()
 	err := auditMW.Flush(ctx)
 	if err == nil {
 		// Release the blocked goroutine before failing so the race detector
 		// doesn't trip on teardown.
 		close(unblock)
 		t.Fatal("expected Flush to return an error on timeout, got nil")
 	}
 	if !errors.Is(err, ErrAuditFlushTimeout) {
 		close(unblock)
 		t.Fatalf("expected error to wrap ErrAuditFlushTimeout, got %v", err)
 	}
 	if !errors.Is(err, context.DeadlineExceeded) {
 		close(unblock)
 		t.Fatalf("expected error to wrap context.DeadlineExceeded, got %v", err)
 	}
 	// Race-safe teardown: unblock the recorder goroutine so it exits cleanly
 	// before the test returns. The goroutine itself is still detached and
 	// will record to the mock even after Flush timed out — that's the
 	// documented behavior (Flush surfaces the timeout; caller decides).
 	close(unblock)
 }
@@ -5,6 +5,7 @@ import (
 	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/hex"
 	"fmt"
 	"log"
 	"log/slog"
 	"net/http"
@@ -78,10 +79,17 @@ func NewLogging(logger *slog.Logger) func(http.Handler) http.Handler {
 // Recovery middleware recovers from panics and returns a 500 error.
 func Recovery(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 		defer func() {
 			if err := recover(); err != nil {
-				requestID := getRequestID(r.Context())
+				requestID := getRequestID(ctx)
-				log.Printf("[%s] PANIC: %v", requestID, err)
+				// Use slog.ErrorContext so the panic log carries the same
 				// request-scoped trace/auth metadata as normal request logs
 				// (M-2 / D-3 — preserve ctx propagation on the panic path).
 				slog.ErrorContext(ctx, "panic recovered in HTTP handler",
 					"request_id", requestID,
 					"panic", fmt.Sprintf("%v", err),
 				)
 				http.Error(w, `{"error":"Internal Server Error"}`, http.StatusInternalServerError)
 			}
 		}()
@@ -65,7 +65,8 @@ type HandlerRegistry struct {
 	Verification  handler.VerificationHandler
 	Export        handler.ExportHandler
 	Digest        handler.DigestHandler
-	HealthChecks  *handler.HealthCheckHandler
+	HealthChecks     *handler.HealthCheckHandler
 	BulkRevocation   handler.BulkRevocationHandler
 }
 // RegisterHandlers sets up all API routes with their handlers.
@@ -91,6 +92,8 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) {
 	r.Register("GET /api/v1/auth/check", http.HandlerFunc(reg.Health.AuthCheck))
 	// Certificates routes: /api/v1/certificates
 	// Bulk revoke must be registered before {id} routes to avoid path conflict
 	r.Register("POST /api/v1/certificates/bulk-revoke", http.HandlerFunc(reg.BulkRevocation.BulkRevoke))
 	r.Register("GET /api/v1/certificates", http.HandlerFunc(reg.Certificates.ListCertificates))
 	r.Register("POST /api/v1/certificates", http.HandlerFunc(reg.Certificates.CreateCertificate))
 	r.Register("GET /api/v1/certificates/{id}", http.HandlerFunc(reg.Certificates.GetCertificate))
@@ -198,6 +198,65 @@ func (c *Client) RevokeCertificate(id, reason string) error {
 	return nil
 }
 // BulkRevokeCertificates revokes certificates matching filter criteria.
 func (c *Client) BulkRevokeCertificates(args []string) error {
 	fs := flag.NewFlagSet("certs bulk-revoke", flag.ContinueOnError)
 	reason := fs.String("reason", "unspecified", "RFC 5280 revocation reason")
 	profileID := fs.String("profile-id", "", "Revoke certs matching this profile")
 	ownerID := fs.String("owner-id", "", "Revoke certs owned by this owner")
 	agentID := fs.String("agent-id", "", "Revoke certs deployed via this agent")
 	issuerID := fs.String("issuer-id", "", "Revoke certs issued by this issuer")
 	teamID := fs.String("team-id", "", "Revoke certs owned by team members")
 	if err := fs.Parse(args); err != nil {
 		return err
 	}
 	body := map[string]interface{}{
 		"reason": *reason,
 	}
 	if *profileID != "" {
 		body["profile_id"] = *profileID
 	}
 	if *ownerID != "" {
 		body["owner_id"] = *ownerID
 	}
 	if *agentID != "" {
 		body["agent_id"] = *agentID
 	}
 	if *issuerID != "" {
 		body["issuer_id"] = *issuerID
 	}
 	if *teamID != "" {
 		body["team_id"] = *teamID
 	}
 	// Remaining positional args are certificate IDs
 	if fs.NArg() > 0 {
 		body["certificate_ids"] = fs.Args()
 	}
 	resp, err := c.do("POST", "/api/v1/certificates/bulk-revoke", nil, body)
 	if err != nil {
 		return err
 	}
 	var result map[string]interface{}
 	if err := json.Unmarshal(resp, &result); err != nil {
 		return fmt.Errorf("parsing response: %w", err)
 	}
 	if c.format == "json" {
 		return c.outputJSON(result)
 	}
 	fmt.Printf("Bulk revocation complete:\n")
 	fmt.Printf("  Matched: %v\n", result["total_matched"])
 	fmt.Printf("  Revoked: %v\n", result["total_revoked"])
 	fmt.Printf("  Skipped: %v\n", result["total_skipped"])
 	fmt.Printf("  Failed:  %v\n", result["total_failed"])
 	return nil
 }
 // ListAgents lists all agents.
 func (c *Client) ListAgents(args []string) error {
 	fs := flag.NewFlagSet("agents list", flag.ContinueOnError)
@@ -112,6 +112,43 @@ func TestClient_RevokeCertificate(t *testing.T) {
 	}
 }
 func TestClient_BulkRevokeCertificates(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != "POST" || r.URL.Path != "/api/v1/certificates/bulk-revoke" {
 			w.WriteHeader(http.StatusNotFound)
 			return
 		}
 		// Verify request body contains expected fields
 		var body map[string]interface{}
 		json.NewDecoder(r.Body).Decode(&body)
 		if body["reason"] != "keyCompromise" {
 			t.Errorf("expected reason keyCompromise, got %v", body["reason"])
 		}
 		if body["profile_id"] != "prof-tls" {
 			t.Errorf("expected profile_id prof-tls, got %v", body["profile_id"])
 		}
 		w.Header().Set("Content-Type", "application/json")
 		json.NewEncoder(w).Encode(map[string]interface{}{
 			"total_matched": 3,
 			"total_revoked": 2,
 			"total_skipped": 1,
 			"total_failed":  0,
 		})
 	}))
 	defer server.Close()
 	client := NewClient(server.URL, "", "table")
 	err := client.BulkRevokeCertificates([]string{
 		"--reason", "keyCompromise",
 		"--profile-id", "prof-tls",
 	})
 	if err != nil {
 		t.Fatalf("BulkRevokeCertificates failed: %v", err)
 	}
 }
 func TestClient_ListAgents(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != "GET" || r.URL.Path != "/api/v1/agents" {
@@ -116,6 +116,14 @@ type GlobalSignConfig struct {
 	// ClientKeyPath is the path to the mTLS client private key PEM file.
 	// Setting: CERTCTL_GLOBALSIGN_CLIENT_KEY_PATH environment variable.
 	ClientKeyPath string
 	// ServerCAPath is the optional path to a PEM file containing the CA
 	// certificate(s) used to verify the GlobalSign Atlas HVCA API server
 	// certificate. If empty, the system trust store is used. Set this
 	// for private/lab Atlas deployments whose server TLS chain is not
 	// present in the host's default trust bundle.
 	// Setting: CERTCTL_GLOBALSIGN_SERVER_CA_PATH environment variable.
 	ServerCAPath string
 }
 // EJBCAConfig contains EJBCA (Keyfactor) issuer connector configuration.
@@ -641,7 +649,12 @@ type SCEPConfig struct {
 	// ChallengePassword is the shared secret used to authenticate SCEP enrollment requests.
 	// Clients include this in the PKCS#10 CSR challengePassword attribute.
-	// Required when SCEP is enabled.
+	//
 	// REQUIRED when Enabled is true. If SCEP is enabled and this value is empty,
 	// cmd/server/main.go's preflightSCEPChallengePassword check will refuse to
 	// start the server (H-2, CWE-306): an empty shared secret allowed any client
 	// that could reach /scep to enroll a CSR against the configured issuer. The
 	// service-layer PKCSReq path also rejects this configuration defense-in-depth.
 	ChallengePassword string
 }
@@ -882,6 +895,7 @@ func Load() (*Config, error) {
 			APISecret:      getEnv("CERTCTL_GLOBALSIGN_API_SECRET", ""),
 			ClientCertPath: getEnv("CERTCTL_GLOBALSIGN_CLIENT_CERT_PATH", ""),
 			ClientKeyPath:  getEnv("CERTCTL_GLOBALSIGN_CLIENT_KEY_PATH", ""),
 			ServerCAPath:   getEnv("CERTCTL_GLOBALSIGN_SERVER_CA_PATH", ""),
 		},
 		EJBCA: EJBCAConfig{
 			APIUrl:         getEnv("CERTCTL_EJBCA_API_URL", ""),
@@ -547,7 +547,11 @@ func (c *Connector) solveAuthorizationsHTTP01(ctx context.Context, authzURLs []s
 		return fmt.Errorf("failed to start challenge server: %w", err)
 	}
 	defer func() {
-		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		// Derive the challenge-server shutdown context from the parent ctx so
 		// values (trace IDs, deadlines) propagate, but detach from its
 		// cancellation so Shutdown always gets its full budget even when the
 		// parent was cancelled (M-2 / D-3).
 		shutdownCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 5*time.Second)
 		defer cancel()
 		_ = srv.Shutdown(shutdownCtx)
 		c.logger.Debug("challenge server stopped")
@@ -34,6 +34,7 @@ import (
 	"io"
 	"log/slog"
 	"net/http"
 	"os"
 	"strings"
 	"time"
@@ -64,6 +65,14 @@ type Config struct {
 	// Must match the certificate in ClientCertPath.
 	// Required. Set via CERTCTL_GLOBALSIGN_CLIENT_KEY_PATH environment variable.
 	ClientKeyPath string `json:"client_key_path"`
 	// ServerCAPath is the filesystem path to a PEM file containing the CA
 	// certificate(s) used to verify the GlobalSign Atlas HVCA API server certificate.
 	// Optional. If empty, the system trust store is used. This option exists for
 	// private/lab deployments of GlobalSign Atlas that terminate TLS with an
 	// internal CA not present in the host's default trust bundle.
 	// Set via CERTCTL_GLOBALSIGN_SERVER_CA_PATH environment variable.
 	ServerCAPath string `json:"server_ca_path,omitempty"`
 }
 // Connector implements the issuer.Connector interface for GlobalSign Atlas HVCA.
@@ -153,14 +162,12 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 		return fmt.Errorf("failed to load GlobalSign client certificate: %w", err)
 	}
-	// Create an mTLS client for validation
+	// Build a verifying mTLS TLS config. If ServerCAPath is set, that PEM
-	tlsConfig := &tls.Config{
+	// bundle is used as the trust anchor for the server certificate;
-		Certificates: []tls.Certificate{cert},
+	// otherwise the system trust store is used. TLS 1.2 is the minimum.
-		// InsecureSkipVerify=true allows testing against self-signed server certs.
+	tlsConfig, err := buildServerTLSConfig(&cfg, cert)
-		// In production, GlobalSign's API uses a proper certificate chain.
+	if err != nil {
-		// This matches the pattern used by other connectors (F5, network scanner, etc.)
+		return fmt.Errorf("failed to build GlobalSign TLS config: %w", err)
 		// that also need to bypass hostname verification for internal/lab environments.
 		InsecureSkipVerify: true,
 	}
 	validationClient := &http.Client{
@@ -225,9 +232,9 @@ func (c *Connector) getHTTPClient(ctx context.Context) (*http.Client, error) {
 		return nil, fmt.Errorf("failed to load GlobalSign client certificate: %w", err)
 	}
-	tlsConfig := &tls.Config{
+	tlsConfig, err := buildServerTLSConfig(c.config, cert)
-		Certificates:       []tls.Certificate{cert},
+	if err != nil {
-		InsecureSkipVerify: true,
+		return nil, fmt.Errorf("failed to build GlobalSign TLS config: %w", err)
 	}
 	return &http.Client{
@@ -238,6 +245,38 @@ func (c *Connector) getHTTPClient(ctx context.Context) (*http.Client, error) {
 	}, nil
 }
 // buildServerTLSConfig returns a TLS configuration for the GlobalSign Atlas
 // HVCA API client. It always verifies the server certificate. When
 // cfg.ServerCAPath is set, the PEM bundle at that path is used as the
 // trust anchor (enables pinning a private/lab CA); otherwise the host's
 // system trust store is used. TLS 1.2 is the minimum protocol version.
 //
 // This helper is the single source of truth for both the ValidateConfig
 // probe client and the steady-state getHTTPClient production client, so
 // any future TLS policy change applies uniformly.
 func buildServerTLSConfig(cfg *Config, clientCert tls.Certificate) (*tls.Config, error) {
 	tlsConfig := &tls.Config{
 		Certificates: []tls.Certificate{clientCert},
 		MinVersion:   tls.VersionTLS12,
 	}
 	if cfg.ServerCAPath != "" {
 		caPEM, err := os.ReadFile(cfg.ServerCAPath)
 		if err != nil {
 			return nil, fmt.Errorf("failed to read server CA bundle at %s: %w", cfg.ServerCAPath, err)
 		}
 		pool := x509.NewCertPool()
 		if !pool.AppendCertsFromPEM(caPEM) {
 			return nil, fmt.Errorf("no valid PEM certificates found in server CA bundle at %s", cfg.ServerCAPath)
 		}
 		tlsConfig.RootCAs = pool
 	}
 	return tlsConfig, nil
 }
 // IssueCertificate submits a certificate order to GlobalSign Atlas HVCA.
 // Returns the serial number immediately; typically the cert is available within seconds (DV) to minutes (OV).
 func (c *Connector) IssueCertificate(ctx context.Context, request issuer.IssuanceRequest) (*issuer.IssuanceResult, error) {
@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/json"
@@ -161,11 +160,7 @@ func TestGlobalSignConnector(t *testing.T) {
 		testCertPEM, _ := generateTestCert(t)
 		testChainPEM, _ := generateTestCert(t)
-		httpClient := &http.Client{
+		httpClient := &http.Client{}
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			},
 		}
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodPost {
@@ -223,11 +218,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 	t.Run("IssueCertificate_Pending", func(t *testing.T) {
-		httpClient := &http.Client{
+		httpClient := &http.Client{}
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			},
 		}
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodPost {
@@ -271,11 +262,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 	t.Run("IssueCertificate_Error", func(t *testing.T) {
-		httpClient := &http.Client{
+		httpClient := &http.Client{}
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			},
 		}
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodPost {
@@ -312,11 +299,7 @@ func TestGlobalSignConnector(t *testing.T) {
 		testCertPEM, _ := generateTestCert(t)
 		testChainPEM, _ := generateTestCert(t)
-		httpClient := &http.Client{
+		httpClient := &http.Client{}
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			},
 		}
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if strings.HasPrefix(r.URL.Path, "/v2/certificates/12345") && r.Method == http.MethodGet {
@@ -356,11 +339,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 	t.Run("GetOrderStatus_Pending", func(t *testing.T) {
-		httpClient := &http.Client{
+		httpClient := &http.Client{}
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			},
 		}
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if strings.HasPrefix(r.URL.Path, "/v2/certificates/98765") && r.Method == http.MethodGet {
@@ -401,11 +380,7 @@ func TestGlobalSignConnector(t *testing.T) {
 		testCertPEM, _ := generateTestCert(t)
 		testChainPEM, _ := generateTestCert(t)
-		httpClient := &http.Client{
+		httpClient := &http.Client{}
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			},
 		}
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodPost {
@@ -448,11 +423,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 	t.Run("RevokeCertificate_Success", func(t *testing.T) {
-		httpClient := &http.Client{
+		httpClient := &http.Client{}
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			},
 		}
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if strings.HasPrefix(r.URL.Path, "/v2/certificates/") && strings.HasSuffix(r.URL.Path, "/revoke") && r.Method == http.MethodPut {
@@ -492,11 +463,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 	t.Run("RevokeCertificate_Error", func(t *testing.T) {
-		httpClient := &http.Client{
+		httpClient := &http.Client{}
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			},
 		}
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if strings.HasPrefix(r.URL.Path, "/v2/certificates/") && strings.HasSuffix(r.URL.Path, "/revoke") && r.Method == http.MethodPut {
@@ -532,11 +499,7 @@ func TestGlobalSignConnector(t *testing.T) {
 		testChainPEM, _ := generateTestCert(t)
 		authHeadersChecked := 0
-		httpClient := &http.Client{
+		httpClient := &http.Client{}
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			},
 		}
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Check for auth headers on every request
@@ -584,6 +547,177 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 }
 // TestGlobalSign_ServerTLSConfig exercises the server-side TLS verification
 // policy added by H-5. The connector must always verify the GlobalSign Atlas
 // HVCA API server certificate: by default against the host's system trust
 // store, and when ServerCAPath is set, against the pinned PEM bundle at that
 // path. InsecureSkipVerify is no longer reachable from any production code path.
 func TestGlobalSign_ServerTLSConfig(t *testing.T) {
 	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
 	ctx := context.Background()
 	// writeClientMTLS generates a throwaway client cert+key pair and writes them
 	// to disk. ValidateConfig requires valid ClientCertPath / ClientKeyPath files
 	// before it reaches the server-CA validation path under test.
 	writeClientMTLS := func(t *testing.T) (certPath, keyPath string) {
 		t.Helper()
 		certPEM, keyPEM := generateTestCert(t)
 		dir := t.TempDir()
 		certPath = dir + "/client-cert.pem"
 		keyPath = dir + "/client-key.pem"
 		if err := os.WriteFile(certPath, []byte(certPEM), 0600); err != nil {
 			t.Fatalf("failed to write client cert: %v", err)
 		}
 		if err := os.WriteFile(keyPath, []byte(keyPEM), 0600); err != nil {
 			t.Fatalf("failed to write client key: %v", err)
 		}
 		return certPath, keyPath
 	}
 	// certToPEM re-encodes a parsed certificate as a PEM block for trust-store
 	// pinning. httptest.NewTLSServer.Certificate() returns the server's self-
 	// signed cert; pinning that cert trusts exactly that one server.
 	certToPEM := func(t *testing.T, cert *x509.Certificate) string {
 		t.Helper()
 		return string(pem.EncodeToMemory(&pem.Block{
 			Type:  "CERTIFICATE",
 			Bytes: cert.Raw,
 		}))
 	}
 	t.Run("PinnedCA_TrustsExpectedServer", func(t *testing.T) {
 		// Mock Atlas API served over HTTPS with a self-signed cert. We pin
 		// that cert's PEM as the client's trust anchor; the validation probe
 		// should succeed because the pinned pool contains the server's issuer.
 		srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodGet {
 				if r.Header.Get("ApiKey") == "gs-test-key" && r.Header.Get("ApiSecret") == "gs-test-secret" {
 					w.WriteHeader(http.StatusOK)
 					w.Write([]byte(`{"certificates":[]}`))
 					return
 				}
 				w.WriteHeader(http.StatusForbidden)
 				return
 			}
 			http.NotFound(w, r)
 		}))
 		defer srv.Close()
 		caPEM := certToPEM(t, srv.Certificate())
 		caPath := t.TempDir() + "/atlas-ca.pem"
 		if err := os.WriteFile(caPath, []byte(caPEM), 0600); err != nil {
 			t.Fatalf("failed to write pinned CA: %v", err)
 		}
 		clientCert, clientKey := writeClientMTLS(t)
 		config := globalsign.Config{
 			APIUrl:         srv.URL,
 			APIKey:         "gs-test-key",
 			APISecret:      "gs-test-secret",
 			ClientCertPath: clientCert,
 			ClientKeyPath:  clientKey,
 			ServerCAPath:   caPath,
 		}
 		connector := globalsign.New(&config, logger)
 		rawConfig, _ := json.Marshal(config)
 		if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
 			t.Fatalf("ValidateConfig with pinned CA should succeed, got: %v", err)
 		}
 	})
 	t.Run("PinnedCA_RejectsUntrustedServer", func(t *testing.T) {
 		// Mock server presents its own self-signed cert; we pin an UNRELATED
 		// cert as the trust anchor. The TLS handshake must fail before any
 		// request is sent — this is exactly what H-5 remediates.
 		srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusOK)
 		}))
 		defer srv.Close()
 		unrelatedPEM, _ := generateTestCert(t)
 		caPath := t.TempDir() + "/unrelated-ca.pem"
 		if err := os.WriteFile(caPath, []byte(unrelatedPEM), 0600); err != nil {
 			t.Fatalf("failed to write unrelated CA: %v", err)
 		}
 		clientCert, clientKey := writeClientMTLS(t)
 		config := globalsign.Config{
 			APIUrl:         srv.URL,
 			APIKey:         "gs-test-key",
 			APISecret:      "gs-test-secret",
 			ClientCertPath: clientCert,
 			ClientKeyPath:  clientKey,
 			ServerCAPath:   caPath,
 		}
 		connector := globalsign.New(&config, logger)
 		rawConfig, _ := json.Marshal(config)
 		err := connector.ValidateConfig(ctx, rawConfig)
 		if err == nil {
 			t.Fatal("ValidateConfig must fail when the server cert is not signed by the pinned CA")
 		}
 		// The failure must originate from TLS verification, not from any other path.
 		if !strings.Contains(err.Error(), "x509") &&
 			!strings.Contains(err.Error(), "certificate") &&
 			!strings.Contains(err.Error(), "unknown authority") {
 			t.Errorf("expected TLS verification error, got: %v", err)
 		}
 		t.Logf("Untrusted server cert correctly rejected: %v", err)
 	})
 	t.Run("ServerCAPath_MissingFile", func(t *testing.T) {
 		clientCert, clientKey := writeClientMTLS(t)
 		config := globalsign.Config{
 			APIUrl:         "https://example.invalid",
 			APIKey:         "gs-test-key",
 			APISecret:      "gs-test-secret",
 			ClientCertPath: clientCert,
 			ClientKeyPath:  clientKey,
 			ServerCAPath:   "/nonexistent/path/to/ca.pem",
 		}
 		connector := globalsign.New(&config, logger)
 		rawConfig, _ := json.Marshal(config)
 		err := connector.ValidateConfig(ctx, rawConfig)
 		if err == nil {
 			t.Fatal("ValidateConfig must fail when ServerCAPath points to a missing file")
 		}
 		if !strings.Contains(err.Error(), "failed to read server CA bundle") {
 			t.Errorf("expected 'failed to read server CA bundle' error, got: %v", err)
 		}
 		t.Logf("Missing server CA file correctly rejected: %v", err)
 	})
 	t.Run("ServerCAPath_InvalidPEM", func(t *testing.T) {
 		clientCert, clientKey := writeClientMTLS(t)
 		badCAPath := t.TempDir() + "/garbage.pem"
 		if err := os.WriteFile(badCAPath, []byte("this is not a PEM certificate at all"), 0600); err != nil {
 			t.Fatalf("failed to write garbage file: %v", err)
 		}
 		config := globalsign.Config{
 			APIUrl:         "https://example.invalid",
 			APIKey:         "gs-test-key",
 			APISecret:      "gs-test-secret",
 			ClientCertPath: clientCert,
 			ClientKeyPath:  clientKey,
 			ServerCAPath:   badCAPath,
 		}
 		connector := globalsign.New(&config, logger)
 		rawConfig, _ := json.Marshal(config)
 		err := connector.ValidateConfig(ctx, rawConfig)
 		if err == nil {
 			t.Fatal("ValidateConfig must fail when ServerCAPath contains no valid PEM certificates")
 		}
 		if !strings.Contains(err.Error(), "no valid PEM certificates") {
 			t.Errorf("expected 'no valid PEM certificates' error, got: %v", err)
 		}
 		t.Logf("Invalid PEM correctly rejected: %v", err)
 	})
 }
 // generateTestCert generates a self-signed test certificate and returns PEM strings.
 func generateTestCert(t *testing.T) (certPEM string, keyPEM string) {
 	priv, err := rsa.GenerateKey(rand.Reader, 2048)
@@ -359,6 +359,25 @@ func (c *Connector) loadCAFromDisk() error {
 		return fmt.Errorf("loaded CA certificate does not have KeyUsageCertSign")
 	}
 	// Validate CA certificate validity window (M-5, CWE-672).
 	// An expired or not-yet-valid sub-CA produces child certificates that any
 	// RFC 5280 path-validator will reject. Fail closed at load time so operators
 	// learn about it at startup, not at 3am when a renewal cycle silently
 	// starts minting broken certs. See audit finding M-5.
 	now := time.Now()
 	if now.After(caCert.NotAfter) {
 		return fmt.Errorf("CA certificate %q has expired (not_after=%s, now=%s)",
 			caCert.Subject.CommonName,
 			caCert.NotAfter.UTC().Format(time.RFC3339),
 			now.UTC().Format(time.RFC3339))
 	}
 	if now.Before(caCert.NotBefore) {
 		return fmt.Errorf("CA certificate %q is not yet valid (not_before=%s, now=%s)",
 			caCert.Subject.CommonName,
 			caCert.NotBefore.UTC().Format(time.RFC3339),
 			now.UTC().Format(time.RFC3339))
 	}
 	// Load CA private key (supports RSA and ECDSA)
 	keyPEM, err := os.ReadFile(c.config.CAKeyPath)
 	if err != nil {
@@ -14,6 +14,7 @@ import (
 	"math/big"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 	"time"
@@ -360,6 +361,114 @@ func TestSubCAMode(t *testing.T) {
 		t.Logf("Correctly rejected non-CA cert: %v", err)
 	})
 	t.Run("SubCA_ExpiredCert_IsRejected", func(t *testing.T) {
 		// Sub-CA expired 1 hour ago. M-5: loadCAFromDisk must fail closed
 		// instead of minting child certs that immediately fail path validation
 		// at every relying party (CWE-672).
 		notBefore := time.Now().AddDate(-1, 0, 0)
 		notAfter := time.Now().Add(-1 * time.Hour)
 		certPath, keyPath := generateTestSubCAWithValidity(t, "rsa", notBefore, notAfter)
 		config := &local.Config{
 			ValidityDays: 30,
 			CACertPath:   certPath,
 			CAKeyPath:    keyPath,
 		}
 		connector := local.New(config, logger)
 		_, csrPEM, err := generateTestCSR("app.internal.corp")
 		if err != nil {
 			t.Fatalf("Failed to generate CSR: %v", err)
 		}
 		req := issuer.IssuanceRequest{
 			CommonName: "app.internal.corp",
 			CSRPEM:     csrPEM,
 		}
 		_, err = connector.IssueCertificate(ctx, req)
 		if err == nil {
 			t.Fatal("Expected error when loading expired sub-CA; got nil")
 		}
 		if !strings.Contains(err.Error(), "expired") {
 			t.Errorf("Expected error to mention 'expired'; got: %v", err)
 		}
 		if !strings.Contains(err.Error(), "Test Sub-CA") {
 			t.Errorf("Expected error to include CA subject CN 'Test Sub-CA'; got: %v", err)
 		}
 		t.Logf("Correctly rejected expired sub-CA: %v", err)
 	})
 	t.Run("SubCA_NotYetValid_IsRejected", func(t *testing.T) {
 		// Sub-CA is not valid for another hour (clock skew or operator error
 		// pushing a pre-production CA into prod). M-5: loadCAFromDisk must
 		// fail closed.
 		notBefore := time.Now().Add(1 * time.Hour)
 		notAfter := time.Now().AddDate(5, 0, 0)
 		certPath, keyPath := generateTestSubCAWithValidity(t, "rsa", notBefore, notAfter)
 		config := &local.Config{
 			ValidityDays: 30,
 			CACertPath:   certPath,
 			CAKeyPath:    keyPath,
 		}
 		connector := local.New(config, logger)
 		_, csrPEM, err := generateTestCSR("app.internal.corp")
 		if err != nil {
 			t.Fatalf("Failed to generate CSR: %v", err)
 		}
 		req := issuer.IssuanceRequest{
 			CommonName: "app.internal.corp",
 			CSRPEM:     csrPEM,
 		}
 		_, err = connector.IssueCertificate(ctx, req)
 		if err == nil {
 			t.Fatal("Expected error when loading not-yet-valid sub-CA; got nil")
 		}
 		if !strings.Contains(err.Error(), "not yet valid") {
 			t.Errorf("Expected error to mention 'not yet valid'; got: %v", err)
 		}
 		if !strings.Contains(err.Error(), "Test Sub-CA") {
 			t.Errorf("Expected error to include CA subject CN 'Test Sub-CA'; got: %v", err)
 		}
 		t.Logf("Correctly rejected not-yet-valid sub-CA: %v", err)
 	})
 	t.Run("SubCA_BarelyValid_IsAccepted", func(t *testing.T) {
 		// Sub-CA valid from 1 minute ago to 1 hour from now. Edge case:
 		// proves the M-5 window check doesn't over-reject CAs that are
 		// legitimately live but close to the boundaries.
 		notBefore := time.Now().Add(-1 * time.Minute)
 		notAfter := time.Now().Add(1 * time.Hour)
 		certPath, keyPath := generateTestSubCAWithValidity(t, "rsa", notBefore, notAfter)
 		config := &local.Config{
 			ValidityDays: 30,
 			CACertPath:   certPath,
 			CAKeyPath:    keyPath,
 		}
 		connector := local.New(config, logger)
 		_, csrPEM, err := generateTestCSR("app.internal.corp")
 		if err != nil {
 			t.Fatalf("Failed to generate CSR: %v", err)
 		}
 		req := issuer.IssuanceRequest{
 			CommonName: "app.internal.corp",
 			CSRPEM:     csrPEM,
 		}
 		result, err := connector.IssueCertificate(ctx, req)
 		if err != nil {
 			t.Fatalf("Barely-valid sub-CA was wrongly rejected: %v", err)
 		}
 		if result.CertPEM == "" {
 			t.Error("CertPEM is empty")
 		}
 		t.Logf("Correctly accepted barely-valid sub-CA: serial=%s", result.Serial)
 	})
 	t.Run("SubCA_RenewCertificate", func(t *testing.T) {
 		certPath, keyPath := generateTestSubCA(t, "rsa")
 		defer os.Remove(certPath)
@@ -396,8 +505,16 @@ func TestSubCAMode(t *testing.T) {
 }
 // generateTestSubCA creates a self-signed CA cert+key pair and writes them to temp files.
-// keyType can be "rsa" or "ecdsa".
+// keyType can be "rsa" or "ecdsa". Validity window is [now, now+5y].
 func generateTestSubCA(t *testing.T, keyType string) (certPath, keyPath string) {
 	t.Helper()
 	return generateTestSubCAWithValidity(t, keyType, time.Now(), time.Now().AddDate(5, 0, 0))
 }
 // generateTestSubCAWithValidity creates a self-signed CA cert+key pair with an
 // explicit NotBefore/NotAfter window. Used by M-5 tests that exercise expired
 // and not-yet-valid CA rejection in loadCAFromDisk.
 func generateTestSubCAWithValidity(t *testing.T, keyType string, notBefore, notAfter time.Time) (certPath, keyPath string) {
 	t.Helper()
 	tmpDir := t.TempDir()
 	certPath = filepath.Join(tmpDir, "ca.pem")
@@ -445,8 +562,8 @@ func generateTestSubCA(t *testing.T, keyType string) (certPath, keyPath string)
 			CommonName:   "Test Sub-CA",
 			Organization: []string{"CertCtl Test"},
 		},
-		NotBefore:             time.Now(),
+		NotBefore:             notBefore,
-		NotAfter:              time.Now().AddDate(5, 0, 0),
+		NotAfter:              notAfter,
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		BasicConstraintsValid: true,
 		IsCA:                  true,
@@ -13,6 +13,7 @@ import (
 	"time"
 	"github.com/shankar0123/certctl/internal/connector/notifier"
 	"github.com/shankar0123/certctl/internal/validation"
 )
 // Config represents the email notifier configuration.
@@ -123,7 +124,22 @@ func (c *Connector) SendEvent(ctx context.Context, event notifier.Event) error {
 // sendEmail sends an email message using the configured SMTP server.
 // It handles both TLS and plain authentication modes.
 //
 // Header values (From, To, Subject) are validated up-front to reject CR, LF,
 // and NUL characters. This blocks SMTP header injection (CWE-113) and also
 // prevents injection into the SMTP envelope commands MAIL FROM and RCPT TO,
 // since net/smtp does not sanitize those inputs itself.
 func (c *Connector) sendEmail(ctx context.Context, to, subject, body string) error {
 	if err := validation.ValidateHeaderValue("From", c.config.FromAddress); err != nil {
 		return fmt.Errorf("invalid sender: %w", err)
 	}
 	if err := validation.ValidateHeaderValue("To", to); err != nil {
 		return fmt.Errorf("invalid recipient: %w", err)
 	}
 	if err := validation.ValidateHeaderValue("Subject", subject); err != nil {
 		return fmt.Errorf("invalid subject: %w", err)
 	}
 	addr := net.JoinHostPort(c.config.SMTPHost, strconv.Itoa(c.config.SMTPPort))
 	// Connect to SMTP server
@@ -182,8 +198,13 @@ func (c *Connector) sendEmail(ctx context.Context, to, subject, body string) err
 	}
 	defer wc.Close()
-	// Format and write email headers and body
+	// Format and write email headers and body. The format function
-	message := c.formatEmailMessage(c.config.FromAddress, to, subject, body)
+	// re-validates header values as defense-in-depth; the early-return
 	// above should have already caught any injection attempt.
 	message, err := c.formatEmailMessage(c.config.FromAddress, to, subject, body)
 	if err != nil {
 		return fmt.Errorf("failed to format message: %w", err)
 	}
 	if _, err := wc.Write(message); err != nil {
 		return fmt.Errorf("failed to write message: %w", err)
 	}
@@ -197,7 +218,22 @@ func (c *Connector) sendEmail(ctx context.Context, to, subject, body string) err
 // sendHTMLEmail sends an HTML email message using the configured SMTP server.
 // Used by the digest service for rich HTML digest emails.
 //
 // Header values (From, To, Subject) are validated up-front to reject CR, LF,
 // and NUL characters. This blocks SMTP header injection (CWE-113) and also
 // prevents injection into the SMTP envelope commands MAIL FROM and RCPT TO,
 // since net/smtp does not sanitize those inputs itself.
 func (c *Connector) sendHTMLEmail(ctx context.Context, to, subject, htmlBody string) error {
 	if err := validation.ValidateHeaderValue("From", c.config.FromAddress); err != nil {
 		return fmt.Errorf("invalid sender: %w", err)
 	}
 	if err := validation.ValidateHeaderValue("To", to); err != nil {
 		return fmt.Errorf("invalid recipient: %w", err)
 	}
 	if err := validation.ValidateHeaderValue("Subject", subject); err != nil {
 		return fmt.Errorf("invalid subject: %w", err)
 	}
 	addr := net.JoinHostPort(c.config.SMTPHost, strconv.Itoa(c.config.SMTPPort))
 	var auth smtp.Auth
@@ -250,7 +286,12 @@ func (c *Connector) sendHTMLEmail(ctx context.Context, to, subject, htmlBody str
 	}
 	defer wc.Close()
-	message := c.formatHTMLEmailMessage(c.config.FromAddress, to, subject, htmlBody)
+	// The format function re-validates header values as defense-in-depth;
 	// the early-return above should have already caught any injection attempt.
 	message, err := c.formatHTMLEmailMessage(c.config.FromAddress, to, subject, htmlBody)
 	if err != nil {
 		return fmt.Errorf("failed to format message: %w", err)
 	}
 	if _, err := wc.Write(message); err != nil {
 		return fmt.Errorf("failed to write message: %w", err)
 	}
@@ -263,7 +304,20 @@ func (c *Connector) sendHTMLEmail(ctx context.Context, to, subject, htmlBody str
 }
 // formatEmailMessage formats an email message with standard headers.
-func (c *Connector) formatEmailMessage(from, to, subject, body string) []byte {
+// It rejects any header value containing CR, LF, or NUL bytes to prevent
 // SMTP header injection (CWE-113). See internal/validation.ValidateHeaderValue.
 // The body is not validated — CR/LF in the body is legitimate content, and
 // SMTP dot-stuffing / length framing are handled by net/smtp.
 func (c *Connector) formatEmailMessage(from, to, subject, body string) ([]byte, error) {
 	if err := validation.ValidateHeaderValue("From", from); err != nil {
 		return nil, err
 	}
 	if err := validation.ValidateHeaderValue("To", to); err != nil {
 		return nil, err
 	}
 	if err := validation.ValidateHeaderValue("Subject", subject); err != nil {
 		return nil, err
 	}
 	message := fmt.Sprintf(
 		"From: %s\r\nTo: %s\r\nSubject: %s\r\nDate: %s\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n%s",
 		from,
@@ -272,11 +326,24 @@ func (c *Connector) formatEmailMessage(from, to, subject, body string) []byte {
 		time.Now().Format(time.RFC1123Z),
 		body,
 	)
-	return []byte(message)
+	return []byte(message), nil
 }
 // formatHTMLEmailMessage formats an HTML email message with MIME headers.
-func (c *Connector) formatHTMLEmailMessage(from, to, subject, htmlBody string) []byte {
+// It rejects any header value containing CR, LF, or NUL bytes to prevent
 // SMTP header injection (CWE-113). See internal/validation.ValidateHeaderValue.
 // The HTML body is not validated at this layer — CR/LF in HTML content is
 // legitimate, and SMTP dot-stuffing / length framing are handled by net/smtp.
 func (c *Connector) formatHTMLEmailMessage(from, to, subject, htmlBody string) ([]byte, error) {
 	if err := validation.ValidateHeaderValue("From", from); err != nil {
 		return nil, err
 	}
 	if err := validation.ValidateHeaderValue("To", to); err != nil {
 		return nil, err
 	}
 	if err := validation.ValidateHeaderValue("Subject", subject); err != nil {
 		return nil, err
 	}
 	message := fmt.Sprintf(
 		"From: %s\r\nTo: %s\r\nSubject: %s\r\nDate: %s\r\nMIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n%s",
 		from,
@@ -285,7 +352,7 @@ func (c *Connector) formatHTMLEmailMessage(from, to, subject, htmlBody string) [
 		time.Now().Format(time.RFC1123Z),
 		htmlBody,
 	)
-	return []byte(message)
+	return []byte(message), nil
 }
 // formatAlertBody formats an alert notification as email body text.
@@ -138,7 +138,10 @@ func TestEmail_FormatMessage_RFC822Headers(t *testing.T) {
 	subject := "Test Subject"
 	body := "Test Body"
-	message := conn.formatEmailMessage(from, to, subject, body)
+	message, err := conn.formatEmailMessage(from, to, subject, body)
 	if err != nil {
 		t.Fatalf("expected nil error, got %v", err)
 	}
 	messageStr := string(message)
 	if !strings.Contains(messageStr, "From: "+from) {
@@ -177,7 +180,10 @@ func TestEmail_FormatHTMLEmailMessage_Headers(t *testing.T) {
 	subject := "HTML Test"
 	htmlBody := "<html><body><h1>Test</h1></body></html>"
-	message := conn.formatHTMLEmailMessage(from, to, subject, htmlBody)
+	message, err := conn.formatHTMLEmailMessage(from, to, subject, htmlBody)
 	if err != nil {
 		t.Fatalf("expected nil error, got %v", err)
 	}
 	messageStr := string(message)
 	if !strings.Contains(messageStr, "From: "+from) {
@@ -200,6 +206,67 @@ func TestEmail_FormatHTMLEmailMessage_Headers(t *testing.T) {
 	}
 }
 // TestEmail_FormatEmailMessage_RejectsCRLFInjection exercises the CRLF
 // sanitizer (CWE-113). A subject containing "\r\nBcc: ..." must be rejected
 // rather than silently stripped — authentication-relevant headers are
 // security-critical and silent mutation masks malicious intent.
 func TestEmail_FormatEmailMessage_RejectsCRLFInjection(t *testing.T) {
 	cfg := &Config{
 		SMTPHost:    "smtp.example.com",
 		SMTPPort:    587,
 		FromAddress: "sender@example.com",
 	}
 	logger := newTestLogger()
 	conn := New(cfg, logger)
 	cases := []struct {
 		name          string
 		from, to, sub string
 		wantField     string
 	}{
 		{"CRLF in Subject", "sender@example.com", "recipient@example.com", "hello\r\nBcc: attacker@example.com", "Subject"},
 		{"LF in To", "sender@example.com", "recipient@example.com\nBcc: x@y", "ok", "To"},
 		{"CR in From", "sender@example.com\rExtra: header", "recipient@example.com", "ok", "From"},
 		{"NUL in Subject", "sender@example.com", "recipient@example.com", "hi\x00there", "Subject"},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			_, err := conn.formatEmailMessage(tc.from, tc.to, tc.sub, "body")
 			if err == nil {
 				t.Fatal("expected injection error, got nil")
 			}
 			if !strings.Contains(err.Error(), tc.wantField) {
 				t.Errorf("expected error to mention field %q, got %q", tc.wantField, err.Error())
 			}
 		})
 	}
 }
 // TestEmail_FormatHTMLEmailMessage_RejectsCRLFInjection mirrors the plain-text
 // test for the HTML codepath used by the digest service.
 func TestEmail_FormatHTMLEmailMessage_RejectsCRLFInjection(t *testing.T) {
 	cfg := &Config{
 		SMTPHost:    "smtp.example.com",
 		SMTPPort:    587,
 		FromAddress: "sender@example.com",
 	}
 	logger := newTestLogger()
 	conn := New(cfg, logger)
 	_, err := conn.formatHTMLEmailMessage(
 		"sender@example.com",
 		"recipient@example.com",
 		"digest\r\nBcc: attacker@example.com",
 		"<p>hi</p>",
 	)
 	if err == nil {
 		t.Fatal("expected CRLF injection error, got nil")
 	}
 	if !strings.Contains(err.Error(), "Subject") {
 		t.Errorf("expected error to mention Subject field, got %q", err.Error())
 	}
 }
 func TestEmail_FormatAlertBody(t *testing.T) {
 	cfg := &Config{
 		SMTPHost:    "smtp.example.com",
@@ -14,8 +14,15 @@ import (
 	"time"
 	"github.com/shankar0123/certctl/internal/connector/notifier"
 	"github.com/shankar0123/certctl/internal/validation"
 )
 // webhookClientTimeout bounds every outbound webhook request and its
 // resolution/dial phase. Kept as a package-level constant so the timeout is
 // shared by the transport dialer and the http.Client, and so tests can reason
 // about it without plumbing configuration.
 const webhookClientTimeout = 30 * time.Second
 // Config represents the webhook notifier configuration.
 type Config struct {
 	URL     string            `json:"url"`
@@ -25,20 +32,69 @@ type Config struct {
 // Connector implements the notifier.Connector interface for webhook notifications.
 // It sends alert and event notifications via HTTP POST with optional HMAC signing.
 //
 // validateURL is injected so that the production constructor (New) installs the
 // strict validation.ValidateSafeURL guard while newForTest can install a
 // permissive validator. This is the only way to keep the production SSRF
 // defence unconditionally on in real code while still allowing tests to point
 // at httptest loopback servers. Without this seam, every test using
 // httptest.NewServer would be blocked by the guard's loopback rejection — that
 // is the correct behaviour in production but makes legitimate unit tests
 // impossible to write. The test seam is unexported so no external caller can
 // use it to disable the guard.
 type Connector struct {
-	config *Config
+	config      *Config
-	logger *slog.Logger
+	logger      *slog.Logger
-	client *http.Client
+	client      *http.Client
 	validateURL func(string) error
 }
 // New creates a new webhook notifier with the given configuration and logger.
 //
 // The returned connector uses an http.Transport whose DialContext is hardened
 // by validation.SafeHTTPDialContext. That guard re-resolves the target host
 // at dial time and refuses any connection whose resolved address lies in a
 // reserved range (loopback, cloud-metadata link-local, multicast, broadcast,
 // unspecified, IPv6 link-local/multicast). This is the authoritative SSRF
 // defence; validation.ValidateSafeURL inside ValidateConfig/postWebhook is a
 // fast early diagnostic. The two layers together defeat both misconfigured
 // URLs and DNS-rebinding attacks where a name's resolved address changes
 // between validation and dial.
 func New(config *Config, logger *slog.Logger) *Connector {
 	transport := &http.Transport{
 		DialContext:           validation.SafeHTTPDialContext(webhookClientTimeout),
 		TLSHandshakeTimeout:   10 * time.Second,
 		ResponseHeaderTimeout: 10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		ForceAttemptHTTP2:     true,
 	}
 	return &Connector{
 		config: config,
 		logger: logger,
 		client: &http.Client{
-			Timeout: 30 * time.Second,
+			Timeout:   webhookClientTimeout,
 			Transport: transport,
 		},
 		validateURL: validation.ValidateSafeURL,
 	}
 }
 // newForTest is an unexported constructor used exclusively by the webhook
 // package's own tests. It installs a permissive URL validator and the stdlib
 // default transport so tests can point the connector at httptest loopback
 // servers (127.0.0.1), which the production SafeHTTPDialContext guard would
 // correctly reject. Production callers cannot reach this constructor because
 // it is unexported; only same-package tests (package webhook) can use it.
 // The SSRF-rejection tests that verify the guard itself still call New so
 // they exercise the real, strict validator.
 func newForTest(config *Config, logger *slog.Logger) *Connector {
 	return &Connector{
 		config: config,
 		logger: logger,
 		client: &http.Client{
 			Timeout: webhookClientTimeout,
 		},
 		validateURL: func(string) error { return nil },
 	}
 }
@@ -54,6 +110,18 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 		return fmt.Errorf("webhook url is required")
 	}
 	// SSRF guard (CWE-918). Reject reserved-address URLs before issuing any
 	// outbound HTTP — this catches the obvious 127.0.0.1 / ::1 /
 	// 169.254.169.254 / 0.0.0.0 cases at config-ingestion time and produces
 	// a clear operator-facing error. The authoritative, TOCTOU-safe check
 	// still runs at dial time inside SafeHTTPDialContext. Routed through
 	// c.validateURL so newForTest can install a permissive validator for
 	// same-package unit tests; production New always wires
 	// validation.ValidateSafeURL here.
 	if err := c.validateURL(cfg.URL); err != nil {
 		return fmt.Errorf("webhook url rejected: %w", err)
 	}
 	c.logger.Info("validating webhook configuration", "url", cfg.URL)
 	// Test webhook connectivity with a HEAD request
@@ -150,7 +218,17 @@ func (c *Connector) SendEvent(ctx context.Context, event notifier.Event) error {
 // postWebhook sends a payload to the webhook URL with proper headers and signing.
 // If a secret is configured, it signs the payload using HMAC-SHA256 and includes
 // the signature in the X-Signature header.
 //
 // The URL is re-validated here even though ValidateConfig already accepted it:
 // configuration can be mutated in place, reloaded dynamically, or set directly
 // by tests that bypass ValidateConfig, so this call is a defence-in-depth
 // guard that fails closed before any outbound request is built. Authoritative
 // DNS-rebinding defence still runs at dial time via SafeHTTPDialContext.
 func (c *Connector) postWebhook(ctx context.Context, payload interface{}) error {
 	if err := c.validateURL(c.config.URL); err != nil {
 		return fmt.Errorf("webhook url rejected: %w", err)
 	}
 	// Marshal payload to JSON
 	jsonData, err := json.Marshal(payload)
 	if err != nil {
@@ -32,7 +32,7 @@ func TestWebhook_ValidateConfig_ValidURL(t *testing.T) {
 	// Create a new logger (or use test logger)
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 	err := conn.ValidateConfig(context.Background(), rawConfig)
 	if err != nil {
@@ -47,7 +47,7 @@ func TestWebhook_ValidateConfig_MissingURL(t *testing.T) {
 	rawConfig, _ := json.Marshal(cfg)
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 	err := conn.ValidateConfig(context.Background(), rawConfig)
 	if err == nil {
@@ -96,7 +96,7 @@ func TestWebhook_SendAlert_Success(t *testing.T) {
 	}
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 	alert := notifier.Alert{
 		ID:        "alert-123",
@@ -160,7 +160,7 @@ func TestWebhook_SendAlert_HMACSignature(t *testing.T) {
 	}
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 	alert := notifier.Alert{
 		ID:        "alert-456",
@@ -199,7 +199,7 @@ func TestWebhook_SendAlert_NoSignatureWithoutSecret(t *testing.T) {
 	}
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 	alert := notifier.Alert{
 		ID:        "alert-789",
@@ -239,7 +239,7 @@ func TestWebhook_SendAlert_CustomHeaders(t *testing.T) {
 	}
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 	alert := notifier.Alert{
 		ID:        "alert-custom",
@@ -276,7 +276,7 @@ func TestWebhook_SendAlert_HTTPError(t *testing.T) {
 	}
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 	alert := notifier.Alert{
 		ID:        "alert-error",
@@ -318,7 +318,7 @@ func TestWebhook_SendEvent_Success(t *testing.T) {
 	}
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 	certID := "mc-api-prod"
 	event := notifier.Event{
@@ -367,7 +367,7 @@ func TestWebhook_SendEvent_WithoutCertificateID(t *testing.T) {
 	}
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 	event := notifier.Event{
 		ID:        "event-456",
@@ -389,6 +389,130 @@ func TestWebhook_SendEvent_WithoutCertificateID(t *testing.T) {
 	}
 }
 // The SSRF tests below exercise the CWE-918 guard added alongside H-4. Each
 // case pairs a reserved-address URL with the call surface that should reject
 // it. ValidateConfig is the early-fail path; SendAlert/SendEvent reach the
 // same guard via postWebhook and are the defence-in-depth that still rejects
 // even when ValidateConfig was bypassed (e.g. dynamic config reload mutating
 // c.config.URL in place).
 func TestWebhook_ValidateConfig_RejectsReservedURLs(t *testing.T) {
 	// These must all fail at config-ingestion time without ever opening a
 	// socket — the reserved-address filter is the whole point of H-4.
 	cases := []struct {
 		name string
 		url  string
 	}{
 		{"loopback v4", "http://127.0.0.1/hook"},
 		{"loopback v4 with port", "http://127.0.0.1:8080/"},
 		{"loopback v6 bracketed", "http://[::1]/hook"},
 		{"AWS metadata", "http://169.254.169.254/latest/meta-data/"},
 		{"generic link-local", "http://169.254.1.2/"},
 		{"unspecified v4", "http://0.0.0.0/"},
 		{"unspecified v6", "http://[::]/"},
 		{"IPv6 link-local", "http://[fe80::1]/"},
 		{"multicast", "https://224.0.0.5/"},
 		{"broadcast", "http://255.255.255.255/"},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			cfg := &Config{URL: tc.url}
 			rawConfig, _ := json.Marshal(cfg)
 			conn := New(cfg, newTestLogger())
 			err := conn.ValidateConfig(context.Background(), rawConfig)
 			if err == nil {
 				t.Fatalf("ValidateConfig(%q) returned nil, want SSRF rejection", tc.url)
 			}
 			if !strings.Contains(err.Error(), "reserved") && !strings.Contains(err.Error(), "rejected") {
 				t.Errorf("expected reserved/rejected error, got %q", err.Error())
 			}
 		})
 	}
 }
 func TestWebhook_ValidateConfig_RejectsDangerousSchemes(t *testing.T) {
 	// Only http(s) is a legitimate webhook transport. Every other scheme is
 	// an SSRF amplifier (file, gopher, ftp, javascript, data, ldap, dict,
 	// jar) and must be refused at config time.
 	cases := []struct {
 		name string
 		url  string
 	}{
 		{"file", "file:///etc/passwd"},
 		{"gopher", "gopher://example.com/_x"},
 		{"ftp", "ftp://example.com/"},
 		{"javascript", "javascript:alert(1)"},
 		{"data", "data:text/plain;base64,SGVsbG8="},
 		{"ldap", "ldap://example.com/"},
 		{"dict", "dict://example.com:2628/d:foo"},
 		{"jar", "jar:http://example.com/foo.jar!/"},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			cfg := &Config{URL: tc.url}
 			rawConfig, _ := json.Marshal(cfg)
 			conn := New(cfg, newTestLogger())
 			err := conn.ValidateConfig(context.Background(), rawConfig)
 			if err == nil {
 				t.Fatalf("ValidateConfig(%q) returned nil, want scheme rejection", tc.url)
 			}
 			if !strings.Contains(err.Error(), "rejected") && !strings.Contains(err.Error(), "scheme") {
 				t.Errorf("expected scheme/rejected error, got %q", err.Error())
 			}
 		})
 	}
 }
 func TestWebhook_SendAlert_RejectsReservedURLInPostWebhook(t *testing.T) {
 	// Simulate config drift: URL was legitimate at ValidateConfig time but
 	// has since been rewritten to an SSRF target. postWebhook must catch
 	// this on every call without ever hitting the wire.
 	cfg := &Config{URL: "http://169.254.169.254/latest/meta-data/"}
 	conn := New(cfg, newTestLogger())
 	alert := notifier.Alert{
 		ID:        "alert-ssrf",
 		Type:      "test",
 		Severity:  "info",
 		Subject:   "Test",
 		Message:   "Test",
 		Recipient: "ops@example.com",
 		CreatedAt: time.Now(),
 	}
 	err := conn.SendAlert(context.Background(), alert)
 	if err == nil {
 		t.Fatal("SendAlert returned nil, want SSRF rejection from postWebhook")
 	}
 	if !strings.Contains(err.Error(), "reserved") && !strings.Contains(err.Error(), "rejected") {
 		t.Errorf("expected reserved/rejected error, got %q", err.Error())
 	}
 }
 func TestWebhook_SendEvent_RejectsReservedURLInPostWebhook(t *testing.T) {
 	cfg := &Config{URL: "http://[::1]:9/webhook"}
 	conn := New(cfg, newTestLogger())
 	event := notifier.Event{
 		ID:        "event-ssrf",
 		Type:      "test",
 		Subject:   "Test",
 		Body:      "Test",
 		Recipient: "ops@example.com",
 		CreatedAt: time.Now(),
 	}
 	err := conn.SendEvent(context.Background(), event)
 	if err == nil {
 		t.Fatal("SendEvent returned nil, want SSRF rejection from postWebhook")
 	}
 	if !strings.Contains(err.Error(), "reserved") && !strings.Contains(err.Error(), "rejected") {
 		t.Errorf("expected reserved/rejected error, got %q", err.Error())
 	}
 }
 // Helper function to compute HMAC-SHA256 signature
 func computeHMACSHA256(data []byte, secret string) string {
 	h := hmac.New(sha256.New, []byte(secret))
@@ -1,4 +1,31 @@
 // Package crypto provides AES-256-GCM encryption for sensitive configuration data.
 //
 // The on-disk format for blobs produced by [EncryptIfKeySet] is versioned. Two
 // versions coexist and both can be read by [DecryptIfKeySet]:
 //
 //	v2 (current, M-8)
 //	    magic(0x02) || salt(16) || nonce(12) || ciphertext+tag
 //	    — 32-byte AES-256 key derived via PBKDF2-SHA256 from the operator
 //	      passphrase and the per-ciphertext random salt.
 //
 //	v1 (legacy, pre-M-8)
 //	    nonce(12) || ciphertext+tag
 //	    — 32-byte AES-256 key derived via PBKDF2-SHA256 from the operator
 //	      passphrase and the package-level fixed salt
 //	      "certctl-config-encryption-v1".
 //
 // v1 blobs are accepted by the read path for backward compatibility with rows
 // persisted before the M-8 remediation. They are never produced by the write
 // path. Any row that is updated after M-8 is re-sealed as v2 in-place via the
 // normal UPDATE flow.
 //
 // Rationale for the per-ciphertext salt (see M-8 / CWE-916 / CWE-329): the
 // pre-M-8 design reused a single 28-byte fixed salt for every ciphertext, which
 // (a) removes one defense-in-depth layer against passphrase-space brute force
 // and (b) makes every encrypted column across every row share the exact same
 // derived key. v2 replaces the fixed salt with 16 fresh random bytes per write
 // and stores the salt alongside the ciphertext. Derived keys now differ per
 // row and per re-encryption.
 package crypto
 import (
@@ -6,17 +33,77 @@ import (
 	"crypto/cipher"
 	"crypto/rand"
 	"crypto/sha256"
 	"errors"
 	"fmt"
 	"io"
 	"golang.org/x/crypto/pbkdf2"
 )
 // ErrEncryptionKeyRequired is returned by EncryptIfKeySet and DecryptIfKeySet when
 // the caller provides an empty passphrase but the data on the wire requires
 // protection.
 //
 // Historically these helpers silently returned plaintext when no key was configured,
 // which produced a data-at-rest confidentiality bypass (CWE-311): sensitive fields
 // in dynamically-configured issuer and target records (source='database') were
 // persisted to PostgreSQL without any encryption whenever the operator forgot to
 // set CERTCTL_CONFIG_ENCRYPTION_KEY. Callers could not distinguish the encrypted
 // and plaintext branches at runtime, so the only visible signal was a warning
 // line emitted once at startup.
 //
 // The fix (C-2, commit fb4ce1a) is to fail closed: EncryptIfKeySet/DecryptIfKeySet
 // now require a passphrase whenever they are invoked on sensitive material, and
 // the server refuses to start if any source='database' rows already exist without
 // a configured passphrase.
 var ErrEncryptionKeyRequired = errors.New("crypto: CERTCTL_CONFIG_ENCRYPTION_KEY is required to encrypt or decrypt sensitive config")
 // v2Magic is the first byte of every v2-format ciphertext blob. It distinguishes
 // v2 blobs (per-ciphertext random salt, embedded in the blob) from v1 legacy
 // blobs (no magic byte, fixed package-level salt).
 //
 // The choice of 0x02 is deliberate: v1 blobs begin with a random 12-byte AES-GCM
 // nonce. A v1 nonce can coincidentally start with 0x02 with probability 1/256,
 // which makes a pure magic-byte dispatch ambiguous. [DecryptIfKeySet] resolves
 // the ambiguity by falling back to the v1 path when v2 AEAD verification fails.
 const v2Magic byte = 0x02
 // v2SaltSize is the length in bytes of the per-ciphertext salt embedded in a
 // v2 blob. 16 bytes (128 bits) matches the lower bound recommended in NIST
 // SP 800-132 §5.1 for PBKDF2 salts and is sufficient given the one-shot-per-row
 // nature of the derivation.
 const v2SaltSize = 16
 // pbkdf2Iterations is the PBKDF2-SHA256 work factor applied uniformly to both
 // v1 and v2 key derivations. The value is preserved from the pre-M-8 design so
 // that v1 fallback reads stay bit-identical.
 const pbkdf2Iterations = 100000
 // aes256KeySize is the output length in bytes of both [DeriveKey] and
 // [deriveKeyWithSalt]. It is also the only AES key length accepted by [Encrypt]
 // and [Decrypt].
 const aes256KeySize = 32
 // legacyV1Salt is the fixed salt used by pre-M-8 config encryption. It is
 // retained exclusively to preserve the v1 read path — any v1 blob that pre-dates
 // M-8 remediation must be decryptable with a key derived from (passphrase,
 // legacyV1Salt). The write path never uses this salt.
 //
 // Exposed as a package-level var rather than a local so that tests can reason
 // about v1 fixture bytes symbolically.
 var legacyV1Salt = []byte("certctl-config-encryption-v1")
 // Encrypt encrypts plaintext using AES-256-GCM with a random 12-byte nonce prepended to the output.
 // The key must be exactly 32 bytes (AES-256). Returns [12-byte nonce][ciphertext+tag].
 //
 // Encrypt is a low-level primitive. It is intentionally kept byte-identical to
 // the pre-M-8 implementation so that existing v1 blobs on disk remain
 // decryptable via [Decrypt] when paired with a [DeriveKey]-derived key. New
 // callers should prefer [EncryptIfKeySet], which handles key derivation and
 // emits the v2 wire format.
 func Encrypt(plaintext []byte, key []byte) ([]byte, error) {
-	if len(key) != 32 {
+	if len(key) != aes256KeySize {
-		return nil, fmt.Errorf("encryption key must be exactly 32 bytes, got %d", len(key))
+		return nil, fmt.Errorf("encryption key must be exactly %d bytes, got %d", aes256KeySize, len(key))
 	}
 	block, err := aes.NewCipher(key)
@@ -40,9 +127,14 @@ func Encrypt(plaintext []byte, key []byte) ([]byte, error) {
 // Decrypt decrypts ciphertext that was encrypted with Encrypt.
 // Expects format: [12-byte nonce][ciphertext+tag]. Key must be exactly 32 bytes.
 //
 // Decrypt is a low-level primitive. It is intentionally kept byte-identical to
 // the pre-M-8 implementation so that [DecryptIfKeySet] can delegate to it for
 // both the v2 inner blob (after stripping the magic byte + embedded salt) and
 // the v1 legacy blob (unmodified).
 func Decrypt(ciphertext []byte, key []byte) ([]byte, error) {
-	if len(key) != 32 {
+	if len(key) != aes256KeySize {
-		return nil, fmt.Errorf("encryption key must be exactly 32 bytes, got %d", len(key))
+		return nil, fmt.Errorf("encryption key must be exactly %d bytes, got %d", aes256KeySize, len(key))
 	}
 	block, err := aes.NewCipher(key)
@@ -69,35 +161,133 @@ func Decrypt(ciphertext []byte, key []byte) ([]byte, error) {
 	return plaintext, nil
 }
-// DeriveKey derives a 32-byte AES-256 key from a passphrase using PBKDF2-SHA256.
+// DeriveKey derives a 32-byte AES-256 key from a passphrase using PBKDF2-SHA256
-// Uses a fixed application-specific salt and 100,000 iterations for resistance
+// with the legacy v1 fixed salt.
-// to brute-force attacks on weak passphrases.
+//
 // This helper is preserved byte-identical to the pre-M-8 implementation so that
 // v1 ciphertexts persisted before the M-8 remediation remain decryptable
 // unchanged. New code paths should prefer [EncryptIfKeySet] and
 // [DecryptIfKeySet], which use a per-ciphertext random salt.
 func DeriveKey(passphrase string) []byte {
-	// Fixed salt is acceptable here because:
+	return deriveKeyWithSalt(passphrase, legacyV1Salt)
 	// 1. Each certctl instance has its own passphrase
 	// 2. The salt prevents generic rainbow table attacks
 	// 3. Per-user salts are unnecessary (single server key, not user passwords)
 	salt := []byte("certctl-config-encryption-v1")
 	return pbkdf2.Key([]byte(passphrase), salt, 100000, 32, sha256.New)
 }
-// EncryptIfKeySet encrypts plaintext if a key is provided, otherwise returns plaintext unchanged.
+// deriveKeyWithSalt derives a 32-byte AES-256 key from a passphrase and an
-// This supports the development/demo fallback where encryption isn't configured.
+// explicit salt using PBKDF2-SHA256 with [pbkdf2Iterations] rounds.
-func EncryptIfKeySet(plaintext []byte, key []byte) ([]byte, bool, error) {
+//
-	if len(key) == 0 {
+// The per-ciphertext random salt path (v2) calls this directly with a fresh
-		return plaintext, false, nil
+// 16-byte random salt embedded in the ciphertext blob. The legacy path
 // ([DeriveKey]) calls it with the package-level fixed salt [legacyV1Salt].
 func deriveKeyWithSalt(passphrase string, salt []byte) []byte {
 	return pbkdf2.Key([]byte(passphrase), salt, pbkdf2Iterations, aes256KeySize, sha256.New)
 }
 // IsLegacyFormat reports whether blob is in the v1 legacy wire format (no magic
 // byte, fixed-salt derivation) as opposed to the v2 wire format
 // (magic(0x02) || salt(16) || nonce(12) || ciphertext+tag).
 //
 // A return value of false is a necessary but not sufficient condition for a
 // blob to be a valid v2 ciphertext: the shortest possible v2 blob is
 // 1 + v2SaltSize + 12 = 29 bytes, and even a 29+ byte blob that starts with
 // 0x02 may turn out to be a v1 ciphertext whose random nonce happens to begin
 // with 0x02 (probability 1/256). [DecryptIfKeySet] resolves this ambiguity at
 // decrypt time by falling back to v1 when v2 AEAD verification fails; callers
 // of IsLegacyFormat should use it only as a heuristic (e.g. migration
 // tooling, log annotation).
 func IsLegacyFormat(blob []byte) bool {
 	if len(blob) == 0 {
 		return false
 	}
-	encrypted, err := Encrypt(plaintext, key)
+	return blob[0] != v2Magic
 }
 // EncryptIfKeySet encrypts plaintext with the supplied passphrase and emits a
 // v2 wire-format blob: magic(0x02) || salt(16) || nonce(12) || ciphertext+tag.
 //
 // Key derivation is performed internally per invocation with a fresh 16-byte
 // random salt, producing a distinct AES-256 key for every ciphertext. The
 // operator-supplied passphrase is the only cross-ciphertext shared secret.
 //
 // The second return value is always true when err == nil — the "wasEncrypted"
 // flag is retained for source-compatibility with callers that previously used
 // it to log provenance. Callers MUST handle err: passing an empty passphrase
 // returns [ErrEncryptionKeyRequired] rather than silently emitting plaintext.
 // See the package-level [ErrEncryptionKeyRequired] documentation for the
 // history behind this behavior change (C-2).
 //
 // The write path never produces a v1 blob. v1 blobs are read-only legacy
 // state — see [DecryptIfKeySet] for the compatibility fallback.
 func EncryptIfKeySet(plaintext []byte, passphrase string) ([]byte, bool, error) {
 	if passphrase == "" {
 		return nil, false, ErrEncryptionKeyRequired
 	}
 	salt := make([]byte, v2SaltSize)
 	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
 		return nil, false, fmt.Errorf("failed to generate v2 salt: %w", err)
 	}
 	key := deriveKeyWithSalt(passphrase, salt)
 	inner, err := Encrypt(plaintext, key)
 	if err != nil {
 		return nil, false, err
 	}
-	return encrypted, true, nil
+
 	// v2 blob layout: magic(1) || salt(v2SaltSize) || inner
 	blob := make([]byte, 0, 1+v2SaltSize+len(inner))
 	blob = append(blob, v2Magic)
 	blob = append(blob, salt...)
 	blob = append(blob, inner...)
 	return blob, true, nil
 }
-// DecryptIfKeySet decrypts ciphertext if a key is provided, otherwise returns ciphertext unchanged.
+// DecryptIfKeySet decrypts blob with the supplied passphrase, supporting both
-func DecryptIfKeySet(ciphertext []byte, key []byte) ([]byte, error) {
+// v2 (M-8 and later) and v1 (legacy) on-disk formats.
-	if len(key) == 0 {
+//
-		return ciphertext, nil
+// Dispatch is first-byte magic + AEAD fallback. If blob starts with
 // [v2Magic] and is long enough to contain a v2 header plus an AEAD-authenticated
 // inner ciphertext, a v2 decrypt is attempted using a key derived from the
 // embedded salt. If that succeeds, its plaintext is returned. If v2 AEAD
 // verification fails — which covers both the "wrong passphrase" case and the
 // 1/256 case where a v1 blob's first byte happens to be 0x02 — the function
 // falls through to the v1 path and attempts decryption using a key derived
 // from the package-level fixed salt [legacyV1Salt].
 //
 // Passing an empty passphrase returns [ErrEncryptionKeyRequired]. Callers that
 // legitimately store plaintext (e.g. env-seeded source='env' rows that keep the
 // raw JSON in the unencrypted `config` column) must branch on the presence of
 // the ciphertext themselves rather than relying on this helper to silently
 // pass bytes through. See the package-level [ErrEncryptionKeyRequired]
 // documentation for the history behind this behavior change (C-2).
 //
 // The function never re-encrypts in place. A v1 blob that is successfully
 // decrypted is returned to the caller as plaintext; re-sealing as v2 happens
 // naturally on the next UPDATE via [EncryptIfKeySet].
 func DecryptIfKeySet(blob []byte, passphrase string) ([]byte, error) {
 	if passphrase == "" {
 		return nil, ErrEncryptionKeyRequired
 	}
-	return Decrypt(ciphertext, key)
+	if len(blob) == 0 {
 		return nil, fmt.Errorf("ciphertext is empty")
 	}
 	// v2 path: magic || salt(16) || nonce(12) || ciphertext+tag (min 29 bytes
 	// ignoring the GCM tag; the AEAD verify inside Decrypt enforces the tag).
 	if blob[0] == v2Magic && len(blob) >= 1+v2SaltSize+12 {
 		salt := blob[1 : 1+v2SaltSize]
 		sealed := blob[1+v2SaltSize:]
 		key := deriveKeyWithSalt(passphrase, salt)
 		if plaintext, err := Decrypt(sealed, key); err == nil {
 			return plaintext, nil
 		}
 		// v2 AEAD verification failed. Fall through to v1 so that a v1 blob
 		// whose first byte happens to be 0x02 (1/256 probability) is still
 		// decryptable. If this is truly a v2 blob with the wrong passphrase,
 		// the v1 attempt below will also fail and the v1 error is returned.
 	}
 	// v1 legacy path: blob is the full ciphertext with no header and was
 	// sealed with a key derived from (passphrase, legacyV1Salt).
 	key := DeriveKey(passphrase)
 	return Decrypt(blob, key)
 }
@@ -2,6 +2,9 @@ package crypto
 import (
 	"bytes"
 	"crypto/aes"
 	"crypto/cipher"
 	"errors"
 	"testing"
 )
@@ -125,21 +128,20 @@ func TestDeriveKeyDifferentPassphrases(t *testing.T) {
 }
 func TestEncryptIfKeySet_WithKey(t *testing.T) {
 	key := DeriveKey("test-key")
 	plaintext := []byte("config data")
-	result, wasEncrypted, err := EncryptIfKeySet(plaintext, key)
+	result, wasEncrypted, err := EncryptIfKeySet(plaintext, "test-passphrase")
 	if err != nil {
 		t.Fatalf("EncryptIfKeySet failed: %v", err)
 	}
 	if !wasEncrypted {
-		t.Fatal("expected wasEncrypted=true when key provided")
+		t.Fatal("expected wasEncrypted=true when passphrase provided")
 	}
 	if bytes.Equal(result, plaintext) {
 		t.Fatal("result should be encrypted")
 	}
-	decrypted, err := DecryptIfKeySet(result, key)
+	decrypted, err := DecryptIfKeySet(result, "test-passphrase")
 	if err != nil {
 		t.Fatalf("DecryptIfKeySet failed: %v", err)
 	}
@@ -148,31 +150,117 @@ func TestEncryptIfKeySet_WithKey(t *testing.T) {
 	}
 }
-func TestEncryptIfKeySet_NilKey(t *testing.T) {
+// TestEncryptIfKeySet_EmptyKeyFailsClosed asserts the C-2 regression guard:
 // EncryptIfKeySet must refuse to silently emit plaintext when no passphrase is
 // configured. The pre-fix behavior was to return plaintext with
 // wasEncrypted=false, which produced a data-at-rest confidentiality bypass
 // (CWE-311) for GUI-created issuer and target configs.
 func TestEncryptIfKeySet_EmptyKeyFailsClosed(t *testing.T) {
 	plaintext := []byte("config data")
-	result, wasEncrypted, err := EncryptIfKeySet(plaintext, nil)
+	result, wasEncrypted, err := EncryptIfKeySet(plaintext, "")
-	if err != nil {
+	if err == nil {
-		t.Fatalf("EncryptIfKeySet with nil key failed: %v", err)
+		t.Fatal("expected ErrEncryptionKeyRequired, got nil")
 	}
 	if !errors.Is(err, ErrEncryptionKeyRequired) {
 		t.Fatalf("expected ErrEncryptionKeyRequired, got %v", err)
 	}
 	if wasEncrypted {
-		t.Fatal("expected wasEncrypted=false when key is nil")
+		t.Fatal("wasEncrypted must be false on error")
 	}
-	if !bytes.Equal(result, plaintext) {
+	if result != nil {
-		t.Fatal("result should be unchanged plaintext when key is nil")
+		t.Fatalf("expected nil result on error, got %q", result)
 	}
 }
-func TestDecryptIfKeySet_NilKey(t *testing.T) {
+// TestDecryptIfKeySet_EmptyKeyFailsClosed asserts the matching C-2 regression
 // guard on the read path: DecryptIfKeySet must refuse to pass ciphertext
 // through as plaintext when no passphrase is configured.
 func TestDecryptIfKeySet_EmptyKeyFailsClosed(t *testing.T) {
 	data := []byte("plaintext config data")
-	result, err := DecryptIfKeySet(data, nil)
+	result, err := DecryptIfKeySet(data, "")
 	if err == nil {
 		t.Fatal("expected ErrEncryptionKeyRequired, got nil")
 	}
 	if !errors.Is(err, ErrEncryptionKeyRequired) {
 		t.Fatalf("expected ErrEncryptionKeyRequired, got %v", err)
 	}
 	if result != nil {
 		t.Fatalf("expected nil result on error, got %q", result)
 	}
 }
 // TestEncryptDecryptIfKeySet_RoundTripProducesDifferentCiphertext proves the
 // "if set" helpers produce real AES-GCM output (not plaintext) and that a full
 // round-trip through both helpers recovers the original bytes.
 func TestEncryptDecryptIfKeySet_RoundTripProducesDifferentCiphertext(t *testing.T) {
 	plaintext := []byte(`{"api_key":"s3cr3t","token":"abc"}`)
 	encrypted, wasEncrypted, err := EncryptIfKeySet(plaintext, "round-trip-key")
 	if err != nil {
-		t.Fatalf("DecryptIfKeySet with nil key failed: %v", err)
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
 	}
-	if !bytes.Equal(result, data) {
+	if !wasEncrypted {
-		t.Fatal("result should be unchanged when key is nil")
+		t.Fatal("wasEncrypted must be true when passphrase is present")
 	}
 	if bytes.Equal(encrypted, plaintext) {
 		t.Fatal("EncryptIfKeySet returned plaintext — would regress C-2")
 	}
 	decrypted, err := DecryptIfKeySet(encrypted, "round-trip-key")
 	if err != nil {
 		t.Fatalf("DecryptIfKeySet failed: %v", err)
 	}
 	if !bytes.Equal(decrypted, plaintext) {
 		t.Fatalf("round-trip mismatch: got %q, want %q", decrypted, plaintext)
 	}
 }
 // TestDecryptIfKeySet_RejectsTamperedCiphertext confirms the AEAD auth tag
 // still rejects modified ciphertext when routed through the helper. The v2
 // wire format is magic(1) || salt(16) || nonce(12) || ciphertext+tag, so
 // flipping a byte anywhere past offset 29 lands squarely inside the AEAD body.
 func TestDecryptIfKeySet_RejectsTamperedCiphertext(t *testing.T) {
 	plaintext := []byte("authenticated data")
 	encrypted, _, err := EncryptIfKeySet(plaintext, "tamper-test-key")
 	if err != nil {
 		t.Fatalf("EncryptIfKeySet failed: %v", err)
 	}
 	// Flip a byte past the v2 header (1 + 16 + 12 = 29) to invalidate the tag.
 	const minV2HeaderLen = 1 + v2SaltSize + 12
 	if len(encrypted) <= minV2HeaderLen {
 		t.Fatalf("ciphertext too short to tamper: %d bytes", len(encrypted))
 	}
 	encrypted[minV2HeaderLen] ^= 0xFF
 	if _, err := DecryptIfKeySet(encrypted, "tamper-test-key"); err == nil {
 		t.Fatal("DecryptIfKeySet accepted tampered ciphertext — AEAD tag check bypassed")
 	}
 }
 // TestEncryptIfKeySet_PreservesErrEncryptionKeyRequiredSentinel guards the
 // stability of the public sentinel error so audit-log detectors and callers
 // outside this package can rely on errors.Is(err, ErrEncryptionKeyRequired).
 func TestEncryptIfKeySet_PreservesErrEncryptionKeyRequiredSentinel(t *testing.T) {
 	if ErrEncryptionKeyRequired == nil {
 		t.Fatal("ErrEncryptionKeyRequired sentinel must be non-nil")
 	}
 	if ErrEncryptionKeyRequired.Error() == "" {
 		t.Fatal("ErrEncryptionKeyRequired must carry a non-empty message")
 	}
 	// Wrap it and confirm errors.Is unwraps correctly — real callers wrap with %w.
 	wrapped := wrapSentinel(ErrEncryptionKeyRequired)
 	if !errors.Is(wrapped, ErrEncryptionKeyRequired) {
 		t.Fatal("errors.Is must unwrap ErrEncryptionKeyRequired through %w-wrapped callers")
 	}
 }
 // wrapSentinel is a tiny helper that mimics how production callers propagate
 // the sentinel (e.g. fmt.Errorf("failed to encrypt config: %w", err)).
 func wrapSentinel(err error) error {
 	return errors.Join(errors.New("failed to encrypt config"), err)
 }
 func TestEncryptProducesDifferentCiphertexts(t *testing.T) {
@@ -186,3 +274,217 @@ func TestEncryptProducesDifferentCiphertexts(t *testing.T) {
 		t.Fatal("encrypting same plaintext twice should produce different ciphertexts (random nonce)")
 	}
 }
 // ---------------------------------------------------------------------------
 // M-8 additions: per-ciphertext salt + v2 wire format + v1 backward compat.
 // ---------------------------------------------------------------------------
 // TestDeriveKey_DifferentSaltsProduceDifferentKeys asserts that
 // deriveKeyWithSalt fans out distinct 32-byte keys for the same passphrase
 // across different salts. This is the core M-8 defense-in-depth property: even
 // if an attacker obtains two v2 ciphertexts encrypted with the same master
 // passphrase, the derived AES keys differ, and a brute-force attempt on one
 // blob cannot be amortized across the other.
 func TestDeriveKey_DifferentSaltsProduceDifferentKeys(t *testing.T) {
 	passphrase := "master-passphrase"
 	saltA := bytes.Repeat([]byte{0xAA}, v2SaltSize)
 	saltB := bytes.Repeat([]byte{0xBB}, v2SaltSize)
 	keyA := deriveKeyWithSalt(passphrase, saltA)
 	keyB := deriveKeyWithSalt(passphrase, saltB)
 	if len(keyA) != aes256KeySize || len(keyB) != aes256KeySize {
 		t.Fatalf("derived key length wrong: %d / %d", len(keyA), len(keyB))
 	}
 	if bytes.Equal(keyA, keyB) {
 		t.Fatal("deriveKeyWithSalt must produce different keys for different salts")
 	}
 	// Sanity-check that deterministic behaviour is preserved under a fixed salt.
 	keyA2 := deriveKeyWithSalt(passphrase, saltA)
 	if !bytes.Equal(keyA, keyA2) {
 		t.Fatal("deriveKeyWithSalt must be deterministic for a fixed (passphrase, salt)")
 	}
 }
 // TestEncryptIfKeySet_ProducesV2Format asserts the exact v2 wire-format bytes:
 // magic(0x02) || salt(16) || nonce(12) || ciphertext+tag.
 func TestEncryptIfKeySet_ProducesV2Format(t *testing.T) {
 	blob, _, err := EncryptIfKeySet([]byte("hello"), "any-passphrase")
 	if err != nil {
 		t.Fatalf("EncryptIfKeySet failed: %v", err)
 	}
 	const minLen = 1 + v2SaltSize + 12 + 16 // magic + salt + nonce + GCM tag (16)
 	if len(blob) < minLen {
 		t.Fatalf("v2 blob too short: got %d, want >= %d", len(blob), minLen)
 	}
 	if blob[0] != v2Magic {
 		t.Fatalf("v2 blob must start with magic byte 0x%02x, got 0x%02x", v2Magic, blob[0])
 	}
 	if IsLegacyFormat(blob) {
 		t.Fatal("IsLegacyFormat must return false for a freshly produced v2 blob")
 	}
 }
 // TestEncryptIfKeySet_SaltIsRandom asserts that two calls with the same
 // passphrase and plaintext produce distinct embedded salts.
 func TestEncryptIfKeySet_SaltIsRandom(t *testing.T) {
 	plaintext := []byte("same plaintext")
 	passphrase := "same-passphrase"
 	blob1, _, err := EncryptIfKeySet(plaintext, passphrase)
 	if err != nil {
 		t.Fatalf("EncryptIfKeySet #1 failed: %v", err)
 	}
 	blob2, _, err := EncryptIfKeySet(plaintext, passphrase)
 	if err != nil {
 		t.Fatalf("EncryptIfKeySet #2 failed: %v", err)
 	}
 	salt1 := blob1[1 : 1+v2SaltSize]
 	salt2 := blob2[1 : 1+v2SaltSize]
 	if bytes.Equal(salt1, salt2) {
 		t.Fatal("two EncryptIfKeySet invocations must produce distinct per-ciphertext salts")
 	}
 	if bytes.Equal(blob1, blob2) {
 		t.Fatal("two v2 blobs with same (passphrase, plaintext) must differ end-to-end")
 	}
 }
 // TestDecryptIfKeySet_V1BackwardCompat builds a deterministic v1-format
 // ciphertext using the pre-M-8 recipe (DeriveKey with the fixed salt, then
 // Encrypt with an all-zero nonce for reproducibility) and asserts that
 // DecryptIfKeySet still decrypts it correctly. This is the migration guarantee:
 // v1 blobs persisted before M-8 must remain decryptable.
 func TestDecryptIfKeySet_V1BackwardCompat(t *testing.T) {
 	passphrase := "legacy-passphrase"
 	plaintext := []byte(`{"api_key":"legacy","org_id":"789"}`)
 	// Build a deterministic v1 blob directly: nonce(12 zero bytes) || ct+tag.
 	// This matches the exact wire shape that Encrypt produces, minus the random
 	// nonce, so the test is stable rather than 1/256 flaky.
 	key := DeriveKey(passphrase) // fixed-salt derivation (pre-M-8 behavior)
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		t.Fatalf("aes.NewCipher: %v", err)
 	}
 	gcm, err := cipher.NewGCM(block)
 	if err != nil {
 		t.Fatalf("cipher.NewGCM: %v", err)
 	}
 	nonce := make([]byte, gcm.NonceSize()) // all zeros → first byte != v2Magic
 	v1Blob := gcm.Seal(nonce, nonce, plaintext, nil)
 	if v1Blob[0] == v2Magic {
 		t.Fatalf("fixture nonce collided with v2 magic byte — test design error")
 	}
 	decrypted, err := DecryptIfKeySet(v1Blob, passphrase)
 	if err != nil {
 		t.Fatalf("DecryptIfKeySet(v1) failed: %v", err)
 	}
 	if !bytes.Equal(decrypted, plaintext) {
 		t.Fatalf("v1 decrypt mismatch: got %q, want %q", decrypted, plaintext)
 	}
 	// Cross-check: IsLegacyFormat should flag this as legacy.
 	if !IsLegacyFormat(v1Blob) {
 		t.Fatal("IsLegacyFormat must return true for a v1 blob whose first byte != v2Magic")
 	}
 }
 // TestDecryptIfKeySet_V1MagicByteCollisionFallsThrough covers the 1/256 edge
 // case where a v1 ciphertext's random 12-byte nonce happens to begin with
 // 0x02. The dispatch must attempt v2, see AEAD failure, and fall through to
 // v1 — never return a decrypt error when the passphrase is correct.
 func TestDecryptIfKeySet_V1MagicByteCollisionFallsThrough(t *testing.T) {
 	passphrase := "collision-passphrase"
 	plaintext := []byte("colliding v1 blob")
 	// Craft a v1 blob whose first byte equals v2Magic by choosing a nonce
 	// starting with 0x02 and sealing manually.
 	key := DeriveKey(passphrase)
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		t.Fatalf("aes.NewCipher: %v", err)
 	}
 	gcm, err := cipher.NewGCM(block)
 	if err != nil {
 		t.Fatalf("cipher.NewGCM: %v", err)
 	}
 	nonce := make([]byte, gcm.NonceSize())
 	nonce[0] = v2Magic // force collision
 	v1Blob := gcm.Seal(nonce, nonce, plaintext, nil)
 	if v1Blob[0] != v2Magic {
 		t.Fatal("fixture construction bug: first byte must equal v2Magic")
 	}
 	decrypted, err := DecryptIfKeySet(v1Blob, passphrase)
 	if err != nil {
 		t.Fatalf("DecryptIfKeySet must fall through to v1 on AEAD failure, got err: %v", err)
 	}
 	if !bytes.Equal(decrypted, plaintext) {
 		t.Fatalf("v1-via-fallback decrypt mismatch: got %q, want %q", decrypted, plaintext)
 	}
 }
 // TestDecryptIfKeySet_V2WithWrongPassphraseFails asserts that a v2 blob
 // sealed under passphrase A cannot be decrypted under passphrase B. Both the
 // v2 AEAD verify (with salt from the blob + passphrase B) and the v1 fallback
 // (with fixed salt + passphrase B) must fail, and an error must be returned
 // rather than silently-corrupt plaintext.
 func TestDecryptIfKeySet_V2WithWrongPassphraseFails(t *testing.T) {
 	blob, _, err := EncryptIfKeySet([]byte("secret"), "passphrase-A")
 	if err != nil {
 		t.Fatalf("EncryptIfKeySet failed: %v", err)
 	}
 	got, err := DecryptIfKeySet(blob, "passphrase-B")
 	if err == nil {
 		t.Fatalf("DecryptIfKeySet must return error for wrong passphrase, got plaintext %q", got)
 	}
 	if got != nil {
 		t.Fatalf("result must be nil on decrypt error, got %q", got)
 	}
 }
 // TestDecryptIfKeySet_TruncatedV2Blob asserts that a blob starting with the v2
 // magic byte but too short to contain a full v2 header does not trip an
 // out-of-bounds slice and does not succeed. It either returns an error (v1
 // fallback on the short bytes fails with "ciphertext too short") or at minimum
 // never returns plaintext.
 func TestDecryptIfKeySet_TruncatedV2Blob(t *testing.T) {
 	truncated := []byte{v2Magic, 0x00, 0x01, 0x02, 0x03} // 5 bytes — well below the 29-byte v2 minimum
 	got, err := DecryptIfKeySet(truncated, "any-passphrase")
 	if err == nil {
 		t.Fatalf("DecryptIfKeySet must reject a truncated v2 blob, got plaintext %q", got)
 	}
 	if got != nil {
 		t.Fatalf("result must be nil on decrypt error, got %q", got)
 	}
 }
 // TestIsLegacyFormat covers the three branches of the public magic-byte
 // heuristic: v2 blob → false, v1 blob → true, empty blob → false.
 func TestIsLegacyFormat(t *testing.T) {
 	v2Blob, _, err := EncryptIfKeySet([]byte("data"), "p")
 	if err != nil {
 		t.Fatalf("EncryptIfKeySet failed: %v", err)
 	}
 	if IsLegacyFormat(v2Blob) {
 		t.Fatal("v2 blob must not be flagged as legacy")
 	}
 	// Any blob whose first byte isn't v2Magic should be reported as legacy.
 	v1Shape := []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0xFF}
 	if !IsLegacyFormat(v1Shape) {
 		t.Fatal("non-v2-magic blob must be flagged as legacy")
 	}
 	if IsLegacyFormat(nil) {
 		t.Fatal("nil blob must not be flagged as legacy (undefined)")
 	}
 	if IsLegacyFormat([]byte{}) {
 		t.Fatal("empty blob must not be flagged as legacy (undefined)")
 	}
 }
@@ -43,6 +43,38 @@ func CRLReasonCode(reason RevocationReason) int {
 	return 0 // unspecified
 }
 // BulkRevocationCriteria defines the filter criteria for bulk certificate revocation.
 // At least one field must be set — empty criteria is rejected as a safety guard.
 type BulkRevocationCriteria struct {
 	ProfileID      string   `json:"profile_id,omitempty"`
 	OwnerID        string   `json:"owner_id,omitempty"`
 	AgentID        string   `json:"agent_id,omitempty"`
 	IssuerID       string   `json:"issuer_id,omitempty"`
 	TeamID         string   `json:"team_id,omitempty"`
 	CertificateIDs []string `json:"certificate_ids,omitempty"`
 }
 // IsEmpty returns true if no filter criteria are set.
 func (c BulkRevocationCriteria) IsEmpty() bool {
 	return c.ProfileID == "" && c.OwnerID == "" && c.AgentID == "" &&
 		c.IssuerID == "" && c.TeamID == "" && len(c.CertificateIDs) == 0
 }
 // BulkRevocationResult contains the outcome of a bulk revocation operation.
 type BulkRevocationResult struct {
 	TotalMatched int                    `json:"total_matched"`
 	TotalRevoked int                    `json:"total_revoked"`
 	TotalSkipped int                    `json:"total_skipped"`
 	TotalFailed  int                    `json:"total_failed"`
 	Errors       []BulkRevocationError  `json:"errors,omitempty"`
 }
 // BulkRevocationError records a per-certificate revocation failure.
 type BulkRevocationError struct {
 	CertificateID string `json:"certificate_id"`
 	Error         string `json:"error"`
 }
 // CertificateRevocation records the revocation of a specific certificate version.
 // Used as the authoritative source for CRL generation.
 type CertificateRevocation struct {
@@ -66,7 +66,12 @@ func TestCertificateLifecycle(t *testing.T) {
 	deploymentService := service.NewDeploymentService(jobRepo, targetRepo, agentRepo, certRepo, auditService, notificationService)
 	jobService := service.NewJobService(jobRepo, renewalService, deploymentService, logger)
 	agentService := service.NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, renewalService)
-	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, nil, slog.Default())
+	// 32-byte AES-256 test key — C-2 remediation makes IssuerService fail closed
 	// without a configured CERTCTL_CONFIG_ENCRYPTION_KEY. Happy-path CRUD tests
 	// must supply a real key so the encrypt path runs instead of returning
 	// ErrEncryptionKeyRequired.
 	testEncryptionKey := "0123456789abcdef0123456789abcdef"
 	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, testEncryptionKey, slog.Default())
 	// Initialize handlers
 	certificateHandler := handler.NewCertificateHandler(certificateService)
@@ -113,7 +118,8 @@ func TestCertificateLifecycle(t *testing.T) {
 		Health:        healthHandler,
 		Discovery:     discoveryHandler,
 		NetworkScan:   networkScanHandler,
-		Verification:  verificationHandler,
+		Verification:    verificationHandler,
 		BulkRevocation:  handler.BulkRevocationHandler{},
 	})
 	r.RegisterESTHandlers(estHandler)
@@ -676,6 +682,46 @@ func (m *mockJobRepository) ListPendingByAgentID(ctx context.Context, agentID st
 	return result, nil
 }
 // ClaimPendingJobs mirrors the production H-6 semantics: Pending jobs of the given type
 // (or any type when jobType is empty) flip to Running before being returned. limit <= 0
 // means unlimited.
 func (m *mockJobRepository) ClaimPendingJobs(ctx context.Context, jobType domain.JobType, limit int) ([]*domain.Job, error) {
 	var claimed []*domain.Job
 	for _, j := range m.jobs {
 		if j.Status != domain.JobStatusPending {
 			continue
 		}
 		if jobType != "" && j.Type != jobType {
 			continue
 		}
 		j.Status = domain.JobStatusRunning
 		claimed = append(claimed, j)
 		if limit > 0 && len(claimed) >= limit {
 			break
 		}
 	}
 	return claimed, nil
 }
 // ClaimPendingByAgentID mirrors the production H-6 semantics: Pending deployment rows for
 // the agent flip to Running; AwaitingCSR rows are returned with state preserved.
 func (m *mockJobRepository) ClaimPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error) {
 	var result []*domain.Job
 	for _, j := range m.jobs {
 		if j.AgentID == nil || *j.AgentID != agentID {
 			continue
 		}
 		switch {
 		case j.Status == domain.JobStatusPending && j.Type == domain.JobTypeDeployment:
 			j.Status = domain.JobStatusRunning
 			result = append(result, j)
 		case j.Status == domain.JobStatusAwaitingCSR:
 			result = append(result, j)
 		}
 	}
 	return result, nil
 }
 type mockAuditRepository struct {
 	events []*domain.AuditEvent
 }
@@ -726,6 +772,14 @@ func (m *mockAgentRepository) Create(ctx context.Context, agent *domain.Agent) e
 	return nil
 }
 func (m *mockAgentRepository) CreateIfNotExists(ctx context.Context, agent *domain.Agent) (bool, error) {
 	if _, exists := m.agents[agent.ID]; exists {
 		return false, nil
 	}
 	m.agents[agent.ID] = agent
 	return true, nil
 }
 func (m *mockAgentRepository) Update(ctx context.Context, agent *domain.Agent) error {
 	m.agents[agent.ID] = agent
 	return nil
@@ -982,8 +1036,8 @@ type mockTargetService struct {
 	auditService *service.AuditService
 }
-func (m *mockTargetService) ListTargets(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+func (m *mockTargetService) ListTargets(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
-	targets, err := m.targetRepo.List(context.Background())
+	targets, err := m.targetRepo.List(ctx)
 	if err != nil {
 		return nil, 0, err
 	}
@@ -994,99 +1048,99 @@ func (m *mockTargetService) ListTargets(page, perPage int) ([]domain.DeploymentT
 	return result, int64(len(result)), nil
 }
-func (m *mockTargetService) GetTarget(id string) (*domain.DeploymentTarget, error) {
+func (m *mockTargetService) GetTarget(ctx context.Context, id string) (*domain.DeploymentTarget, error) {
-	return m.targetRepo.Get(context.Background(), id)
+	return m.targetRepo.Get(ctx, id)
 }
-func (m *mockTargetService) CreateTarget(target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+func (m *mockTargetService) CreateTarget(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
-	if err := m.targetRepo.Create(context.Background(), &target); err != nil {
+	if err := m.targetRepo.Create(ctx, &target); err != nil {
 		return nil, err
 	}
 	return &target, nil
 }
-func (m *mockTargetService) UpdateTarget(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+func (m *mockTargetService) UpdateTarget(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 	target.ID = id
-	if err := m.targetRepo.Update(context.Background(), &target); err != nil {
+	if err := m.targetRepo.Update(ctx, &target); err != nil {
 		return nil, err
 	}
 	return &target, nil
 }
-func (m *mockTargetService) DeleteTarget(id string) error {
+func (m *mockTargetService) DeleteTarget(ctx context.Context, id string) error {
-	return m.targetRepo.Delete(context.Background(), id)
+	return m.targetRepo.Delete(ctx, id)
 }
-func (m *mockTargetService) TestTargetConnection(id string) error {
+func (m *mockTargetService) TestConnection(ctx context.Context, id string) error {
 	return nil // No-op for integration tests
 }
 type mockTeamService struct{}
-func (m *mockTeamService) ListTeams(page, perPage int) ([]domain.Team, int64, error) {
+func (m *mockTeamService) ListTeams(_ context.Context, page, perPage int) ([]domain.Team, int64, error) {
 	return []domain.Team{}, 0, nil
 }
-func (m *mockTeamService) GetTeam(id string) (*domain.Team, error) {
+func (m *mockTeamService) GetTeam(_ context.Context, id string) (*domain.Team, error) {
 	return nil, fmt.Errorf("team not found")
 }
-func (m *mockTeamService) CreateTeam(team domain.Team) (*domain.Team, error) {
+func (m *mockTeamService) CreateTeam(_ context.Context, team domain.Team) (*domain.Team, error) {
 	return &team, nil
 }
-func (m *mockTeamService) UpdateTeam(id string, team domain.Team) (*domain.Team, error) {
+func (m *mockTeamService) UpdateTeam(_ context.Context, id string, team domain.Team) (*domain.Team, error) {
 	team.ID = id
 	return &team, nil
 }
-func (m *mockTeamService) DeleteTeam(id string) error {
+func (m *mockTeamService) DeleteTeam(_ context.Context, id string) error {
 	return nil
 }
 type mockOwnerService struct{}
-func (m *mockOwnerService) ListOwners(page, perPage int) ([]domain.Owner, int64, error) {
+func (m *mockOwnerService) ListOwners(_ context.Context, page, perPage int) ([]domain.Owner, int64, error) {
 	return []domain.Owner{}, 0, nil
 }
-func (m *mockOwnerService) GetOwner(id string) (*domain.Owner, error) {
+func (m *mockOwnerService) GetOwner(_ context.Context, id string) (*domain.Owner, error) {
 	return nil, fmt.Errorf("owner not found")
 }
-func (m *mockOwnerService) CreateOwner(owner domain.Owner) (*domain.Owner, error) {
+func (m *mockOwnerService) CreateOwner(_ context.Context, owner domain.Owner) (*domain.Owner, error) {
 	return &owner, nil
 }
-func (m *mockOwnerService) UpdateOwner(id string, owner domain.Owner) (*domain.Owner, error) {
+func (m *mockOwnerService) UpdateOwner(_ context.Context, id string, owner domain.Owner) (*domain.Owner, error) {
 	owner.ID = id
 	return &owner, nil
 }
-func (m *mockOwnerService) DeleteOwner(id string) error {
+func (m *mockOwnerService) DeleteOwner(_ context.Context, id string) error {
 	return nil
 }
 type mockProfileService struct{}
-func (m *mockProfileService) ListProfiles(page, perPage int) ([]domain.CertificateProfile, int64, error) {
+func (m *mockProfileService) ListProfiles(_ context.Context, page, perPage int) ([]domain.CertificateProfile, int64, error) {
 	return []domain.CertificateProfile{}, 0, nil
 }
-func (m *mockProfileService) GetProfile(id string) (*domain.CertificateProfile, error) {
+func (m *mockProfileService) GetProfile(_ context.Context, id string) (*domain.CertificateProfile, error) {
 	return nil, fmt.Errorf("profile not found")
 }
-func (m *mockProfileService) CreateProfile(profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (m *mockProfileService) CreateProfile(_ context.Context, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	return &profile, nil
 }
-func (m *mockProfileService) UpdateProfile(id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (m *mockProfileService) UpdateProfile(_ context.Context, id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	profile.ID = id
 	return &profile, nil
 }
-func (m *mockProfileService) DeleteProfile(id string) error {
+func (m *mockProfileService) DeleteProfile(_ context.Context, id string) error {
 	return nil
 }
@@ -1133,9 +1187,9 @@ func (m *mockRevocationRepository) Create(ctx context.Context, revocation *domai
 	return nil
 }
-func (m *mockRevocationRepository) GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error) {
+func (m *mockRevocationRepository) GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.CertificateRevocation, error) {
 	for _, r := range m.revocations {
-		if r.SerialNumber == serial {
+		if r.IssuerID == issuerID && r.SerialNumber == serial {
 			return r, nil
 		}
 	}
@@ -58,7 +58,12 @@ func setupTestServer(t *testing.T) (*httptest.Server, *mockCertificateRepository
 	deploymentService := service.NewDeploymentService(jobRepo, targetRepo, agentRepo, certRepo, auditService, notificationService)
 	jobService := service.NewJobService(jobRepo, renewalService, deploymentService, logger)
 	agentService := service.NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, renewalService)
-	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, nil, logger)
+	// 32-byte AES-256 test key — C-2 remediation makes IssuerService fail closed
 	// without a configured CERTCTL_CONFIG_ENCRYPTION_KEY. Happy-path CRUD tests
 	// must supply a real key so the encrypt path runs instead of returning
 	// ErrEncryptionKeyRequired.
 	testEncryptionKey := "0123456789abcdef0123456789abcdef"
 	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, testEncryptionKey, logger)
 	certificateHandler := handler.NewCertificateHandler(certificateService)
 	issuerHandler := handler.NewIssuerHandler(issuerService)
@@ -103,7 +108,8 @@ func setupTestServer(t *testing.T) (*httptest.Server, *mockCertificateRepository
 		Health:        healthHandler,
 		Discovery:     discoveryHandler,
 		NetworkScan:   networkScanHandler,
-		Verification:  verificationHandler,
+		Verification:    verificationHandler,
 		BulkRevocation:  handler.BulkRevocationHandler{},
 	})
 	r.RegisterESTHandlers(estHandler)
@@ -182,6 +182,38 @@ func registerCertificateTools(s *gomcp.Server, c *Client) {
 		}
 		return textResult(data)
 	})
 	gomcp.AddTool(s, &gomcp.Tool{
 		Name:        "certctl_bulk_revoke_certificates",
 		Description: "Bulk revoke certificates matching filter criteria. At least one criterion (profile_id, owner_id, agent_id, issuer_id, team_id, or certificate_ids) is required. Returns counts of matched, revoked, skipped, and failed certificates.",
 	}, func(ctx context.Context, req *gomcp.CallToolRequest, input BulkRevokeCertificatesInput) (*gomcp.CallToolResult, any, error) {
 		body := map[string]interface{}{
 			"reason": input.Reason,
 		}
 		if input.ProfileID != "" {
 			body["profile_id"] = input.ProfileID
 		}
 		if input.OwnerID != "" {
 			body["owner_id"] = input.OwnerID
 		}
 		if input.AgentID != "" {
 			body["agent_id"] = input.AgentID
 		}
 		if input.IssuerID != "" {
 			body["issuer_id"] = input.IssuerID
 		}
 		if input.TeamID != "" {
 			body["team_id"] = input.TeamID
 		}
 		if len(input.CertificateIDs) > 0 {
 			body["certificate_ids"] = input.CertificateIDs
 		}
 		data, err := c.Post("/api/v1/certificates/bulk-revoke", body)
 		if err != nil {
 			return errorResult(err)
 		}
 		return textResult(data)
 	})
 }
 // ── CRL & OCSP ──────────────────────────────────────────────────────
@@ -62,6 +62,16 @@ type RevokeCertificateInput struct {
 	Reason string `json:"reason,omitempty" jsonschema:"RFC 5280 reason: unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn"`
 }
 type BulkRevokeCertificatesInput struct {
 	Reason         string   `json:"reason" jsonschema:"RFC 5280 reason: unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn"`
 	ProfileID      string   `json:"profile_id,omitempty" jsonschema:"Revoke all certs matching this profile ID"`
 	OwnerID        string   `json:"owner_id,omitempty" jsonschema:"Revoke all certs owned by this owner"`
 	AgentID        string   `json:"agent_id,omitempty" jsonschema:"Revoke all certs deployed via this agent"`
 	IssuerID       string   `json:"issuer_id,omitempty" jsonschema:"Revoke all certs issued by this issuer"`
 	TeamID         string   `json:"team_id,omitempty" jsonschema:"Revoke all certs owned by members of this team"`
 	CertificateIDs []string `json:"certificate_ids,omitempty" jsonschema:"Explicit list of certificate IDs to revoke"`
 }
 type ListVersionsInput struct {
 	ID string `json:"id" jsonschema:"Certificate ID"`
 	ListParams
@@ -31,10 +31,15 @@ type CertificateRepository interface {
 // RevocationRepository defines operations for managing certificate revocations.
 type RevocationRepository interface {
-	// Create records a new certificate revocation.
+	// Create records a new certificate revocation. Uniqueness is scoped to
 	// (issuer_id, serial_number) per RFC 5280 §5.2.3, so duplicate serials
 	// across different issuers are permitted.
 	Create(ctx context.Context, revocation *domain.CertificateRevocation) error
-	// GetBySerial retrieves a revocation by serial number.
+	// GetByIssuerAndSerial retrieves a revocation by the (issuer_id, serial_number)
-	GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error)
+	// pair. Callers (OCSP, CRL generation) always know the issuer because
 	// protocol endpoints carry it in the request path; RFC 5280 §5.2.3 guarantees
 	// uniqueness only within a single issuer.
 	GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.CertificateRevocation, error)
 	// ListAll returns all revocations, ordered by revocation time (for CRL generation).
 	ListAll(ctx context.Context) ([]*domain.CertificateRevocation, error)
 	// ListByCertificate returns all revocations for a certificate.
@@ -85,8 +90,18 @@ type AgentRepository interface {
 	List(ctx context.Context) ([]*domain.Agent, error)
 	// Get retrieves an agent by ID.
 	Get(ctx context.Context, id string) (*domain.Agent, error)
-	// Create stores a new agent.
+	// Create stores a new agent. Callers that want duplicate-key errors surfaced
 	// (e.g. real-agent registration) must use this method; sentinel/bootstrap
 	// paths that expect the row to already exist on restart should call
 	// CreateIfNotExists instead (M-6, CWE-662).
 	Create(ctx context.Context, agent *domain.Agent) error
 	// CreateIfNotExists creates an agent only if the ID doesn't already exist
 	// (INSERT ... ON CONFLICT (id) DO NOTHING). Returns true if the row was
 	// newly inserted, false if a row with the same ID already existed. Used
 	// by the sentinel-agent bootstrap path in cmd/server/main.go so restarts
 	// and upgrades are idempotent without swallowing unrelated database
 	// failures (M-6, CWE-662).
 	CreateIfNotExists(ctx context.Context, agent *domain.Agent) (bool, error)
 	// Update modifies an existing agent.
 	Update(ctx context.Context, agent *domain.Agent) error
 	// Delete removes an agent.
@@ -115,10 +130,20 @@ type JobRepository interface {
 	ListByCertificate(ctx context.Context, certID string) ([]*domain.Job, error)
 	// UpdateStatus updates a job's status and optional error message.
 	UpdateStatus(ctx context.Context, id string, status domain.JobStatus, errMsg string) error
-	// GetPendingJobs returns jobs not yet processed of a specific type.
+	// GetPendingJobs returns jobs not yet processed of a specific type. Prefer ClaimPendingJobs in
 	// production paths where concurrent schedulers may race — see H-6 (CWE-362) remediation.
 	GetPendingJobs(ctx context.Context, jobType domain.JobType) ([]*domain.Job, error)
 	// ListPendingByAgentID returns pending deployment jobs and AwaitingCSR jobs for a specific agent.
 	// Prefer ClaimPendingByAgentID in production paths — see H-6 (CWE-362) remediation.
 	ListPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error)
 	// ClaimPendingJobs atomically claims up to `limit` Pending jobs and transitions them to Running
 	// using SELECT FOR UPDATE SKIP LOCKED inside a transaction. An empty jobType matches any type;
 	// limit <= 0 means no limit. H-6 (CWE-362) race remediation.
 	ClaimPendingJobs(ctx context.Context, jobType domain.JobType, limit int) ([]*domain.Job, error)
 	// ClaimPendingByAgentID atomically claims pending deployment jobs for an agent (flipping them
 	// to Running) and locks AwaitingCSR jobs against concurrent observers (leaving state intact,
 	// since the CSR-submission path drives the next transition). H-6 (CWE-362) race remediation.
 	ClaimPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error)
 }
 // RenewalPolicyRepository defines operations for managing renewal policies.
@@ -70,7 +70,9 @@ func (r *AgentRepository) Get(ctx context.Context, id string) (*domain.Agent, er
 	return agent, nil
 }
-// Create stores a new agent
+// Create stores a new agent. Duplicate-key errors surface to the caller —
 // real-agent registration paths rely on this to detect collisions. Use
 // CreateIfNotExists for sentinel/bootstrap paths where re-inserts are expected.
 func (r *AgentRepository) Create(ctx context.Context, agent *domain.Agent) error {
 	if agent.ID == "" {
 		agent.ID = uuid.New().String()
@@ -92,6 +94,44 @@ func (r *AgentRepository) Create(ctx context.Context, agent *domain.Agent) error
 	return nil
 }
 // CreateIfNotExists creates an agent only if the ID doesn't already exist.
 // Used for sentinel agents (server-scanner, cloud-aws-sm, cloud-azure-kv,
 // cloud-gcp-sm) on first boot AND on every subsequent restart/upgrade — the
 // pre-M-6 code used plain INSERT, swallowed the duplicate-key error, and so
 // silently swallowed every other database failure too (CWE-662 /
 // CWE-209-adjacent). ON CONFLICT (id) DO NOTHING + RETURNING id +
 // sql.ErrNoRows distinguishes "row already existed" (created=false, err=nil)
 // from genuine errors (connectivity, permission, constraint violations
 // other than the id primary key) which still surface. Returns true if the
 // row was newly inserted, false if a row with the same ID already existed.
 func (r *AgentRepository) CreateIfNotExists(ctx context.Context, agent *domain.Agent) (bool, error) {
 	if agent.ID == "" {
 		agent.ID = uuid.New().String()
 	}
 	var id string
 	err := r.db.QueryRowContext(ctx, `
 		INSERT INTO agents (id, name, hostname, status, last_heartbeat_at, registered_at, api_key_hash,
 		                    os, architecture, ip_address, version)
 		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
 		ON CONFLICT (id) DO NOTHING
 		RETURNING id
 	`, agent.ID, agent.Name, agent.Hostname, agent.Status, agent.LastHeartbeatAt,
 		agent.RegisteredAt, agent.APIKeyHash,
 		agent.OS, agent.Architecture, agent.IPAddress, agent.Version).Scan(&id)
 	if err != nil {
 		if err == sql.ErrNoRows {
 			// ON CONFLICT DO NOTHING — a row with this ID already existed.
 			return false, nil
 		}
 		return false, fmt.Errorf("failed to create agent: %w", err)
 	}
 	agent.ID = id
 	return true, nil
 }
 // Update modifies an existing agent
 func (r *AgentRepository) Update(ctx context.Context, agent *domain.Agent) error {
 	result, err := r.db.ExecContext(ctx, `
@@ -190,18 +190,65 @@ func (r *CertificateRepository) List(ctx context.Context, filter *repository.Cer
 	defer rows.Close()
 	var certs []*domain.ManagedCertificate
 	var certIDs []string
 	for rows.Next() {
-		cert, err := scanCertificate(rows)
+		var cert domain.ManagedCertificate
 		var tagsJSON []byte
 		var sans pq.StringArray
 		var profileID sql.NullString
 		var revocationReason sql.NullString
 		err := rows.Scan(
 			&cert.ID, &cert.Name, &cert.CommonName, &sans, &cert.Environment, &cert.OwnerID,
 			&cert.TeamID, &cert.IssuerID, &cert.RenewalPolicyID, &profileID,
 			&cert.Status, &cert.ExpiresAt, &tagsJSON,
 			&cert.LastRenewalAt, &cert.LastDeploymentAt, &cert.RevokedAt, &revocationReason,
 			&cert.CreatedAt, &cert.UpdatedAt)
 		if err != nil {
-			return nil, 0, err
+			return nil, 0, fmt.Errorf("failed to scan certificate: %w", err)
 		}
-		certs = append(certs, cert)
+
 		cert.SANs = []string(sans)
 		if profileID.Valid {
 			cert.CertificateProfileID = profileID.String
 		}
 		if revocationReason.Valid {
 			cert.RevocationReason = revocationReason.String
 		}
 		// Unmarshal tags
 		if len(tagsJSON) > 0 {
 			if err := json.Unmarshal(tagsJSON, &cert.Tags); err != nil {
 				return nil, 0, fmt.Errorf("failed to unmarshal tags: %w", err)
 			}
 		} else {
 			cert.Tags = make(map[string]string)
 		}
 		certs = append(certs, &cert)
 		certIDs = append(certIDs, cert.ID)
 	}
 	if err := rows.Err(); err != nil {
 		return nil, 0, fmt.Errorf("error iterating certificate rows: %w", err)
 	}
 	// Fetch target IDs for all certificates in a single query (avoid N+1)
 	if len(certIDs) > 0 {
 		targetIDsMap, err := r.getTargetIDsForCertificates(ctx, certIDs)
 		if err != nil {
 			return nil, 0, err
 		}
 		for _, cert := range certs {
 			if targetIDs, ok := targetIDsMap[cert.ID]; ok {
 				cert.TargetIDs = targetIDs
 			} else {
 				cert.TargetIDs = []string{}
 			}
 		}
 	}
 	return certs, total, nil
 }
@@ -214,7 +261,7 @@ func (r *CertificateRepository) Get(ctx context.Context, id string) (*domain.Man
 		WHERE id = $1
 	`, id)
-	cert, err := scanCertificate(row)
+	cert, err := r.scanCertificate(ctx, row)
 	if err != nil {
 		if err == sql.ErrNoRows {
 			return nil, fmt.Errorf("certificate not found")
@@ -421,18 +468,65 @@ func (r *CertificateRepository) GetExpiringCertificates(ctx context.Context, bef
 	defer rows.Close()
 	var certs []*domain.ManagedCertificate
 	var certIDs []string
 	for rows.Next() {
-		cert, err := scanCertificate(rows)
+		var cert domain.ManagedCertificate
 		var tagsJSON []byte
 		var sans pq.StringArray
 		var profileID sql.NullString
 		var revocationReason sql.NullString
 		err := rows.Scan(
 			&cert.ID, &cert.Name, &cert.CommonName, &sans, &cert.Environment, &cert.OwnerID,
 			&cert.TeamID, &cert.IssuerID, &cert.RenewalPolicyID, &profileID,
 			&cert.Status, &cert.ExpiresAt, &tagsJSON,
 			&cert.LastRenewalAt, &cert.LastDeploymentAt, &cert.RevokedAt, &revocationReason,
 			&cert.CreatedAt, &cert.UpdatedAt)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to scan certificate: %w", err)
 		}
-		certs = append(certs, cert)
+
 		cert.SANs = []string(sans)
 		if profileID.Valid {
 			cert.CertificateProfileID = profileID.String
 		}
 		if revocationReason.Valid {
 			cert.RevocationReason = revocationReason.String
 		}
 		// Unmarshal tags
 		if len(tagsJSON) > 0 {
 			if err := json.Unmarshal(tagsJSON, &cert.Tags); err != nil {
 				return nil, fmt.Errorf("failed to unmarshal tags: %w", err)
 			}
 		} else {
 			cert.Tags = make(map[string]string)
 		}
 		certs = append(certs, &cert)
 		certIDs = append(certIDs, cert.ID)
 	}
 	if err := rows.Err(); err != nil {
 		return nil, fmt.Errorf("error iterating expiring certificate rows: %w", err)
 	}
 	// Fetch target IDs for all certificates in a single query (avoid N+1)
 	if len(certIDs) > 0 {
 		targetIDsMap, err := r.getTargetIDsForCertificates(ctx, certIDs)
 		if err != nil {
 			return nil, err
 		}
 		for _, cert := range certs {
 			if targetIDs, ok := targetIDsMap[cert.ID]; ok {
 				cert.TargetIDs = targetIDs
 			} else {
 				cert.TargetIDs = []string{}
 			}
 		}
 	}
 	return certs, nil
 }
@@ -462,8 +556,76 @@ func (r *CertificateRepository) GetLatestVersion(ctx context.Context, certID str
 	return &v, nil
 }
-// scanCertificate scans a certificate from a row or rows
+// getTargetIDs retrieves all target IDs for a given certificate from the junction table.
-func scanCertificate(scanner interface {
+// Returns an empty slice (not nil) if no targets are found.
 func (r *CertificateRepository) getTargetIDs(ctx context.Context, certID string) ([]string, error) {
 	rows, err := r.db.QueryContext(ctx, `
 		SELECT target_id FROM certificate_target_mappings
 		WHERE certificate_id = $1
 		ORDER BY target_id ASC
 	`, certID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to query target mappings: %w", err)
 	}
 	defer rows.Close()
 	var targetIDs []string
 	for rows.Next() {
 		var targetID string
 		if err := rows.Scan(&targetID); err != nil {
 			return nil, fmt.Errorf("failed to scan target ID: %w", err)
 		}
 		targetIDs = append(targetIDs, targetID)
 	}
 	if err := rows.Err(); err != nil {
 		return nil, fmt.Errorf("error iterating target ID rows: %w", err)
 	}
 	// Return empty slice instead of nil for consistency with JSON marshaling
 	if targetIDs == nil {
 		targetIDs = []string{}
 	}
 	return targetIDs, nil
 }
 // getTargetIDsForCertificates retrieves target IDs for multiple certificates in a single query.
 // Returns a map of certificate_id -> []target_id.
 func (r *CertificateRepository) getTargetIDsForCertificates(ctx context.Context, certIDs []string) (map[string][]string, error) {
 	if len(certIDs) == 0 {
 		return make(map[string][]string), nil
 	}
 	rows, err := r.db.QueryContext(ctx, `
 		SELECT certificate_id, target_id FROM certificate_target_mappings
 		WHERE certificate_id = ANY($1)
 		ORDER BY certificate_id, target_id ASC
 	`, pq.Array(certIDs))
 	if err != nil {
 		return nil, fmt.Errorf("failed to query target mappings: %w", err)
 	}
 	defer rows.Close()
 	targetIDsMap := make(map[string][]string)
 	for rows.Next() {
 		var certID, targetID string
 		if err := rows.Scan(&certID, &targetID); err != nil {
 			return nil, fmt.Errorf("failed to scan target mapping: %w", err)
 		}
 		targetIDsMap[certID] = append(targetIDsMap[certID], targetID)
 	}
 	if err := rows.Err(); err != nil {
 		return nil, fmt.Errorf("error iterating target mapping rows: %w", err)
 	}
 	return targetIDsMap, nil
 }
 // scanCertificate scans a certificate from a row or rows and populates its TargetIDs
 // by querying the certificate_target_mappings junction table.
 func (r *CertificateRepository) scanCertificate(ctx context.Context, scanner interface {
 	Scan(...interface{}) error
 }) (*domain.ManagedCertificate, error) {
 	var cert domain.ManagedCertificate
@@ -500,6 +662,13 @@ func scanCertificate(scanner interface {
 		cert.Tags = make(map[string]string)
 	}
 	// Populate TargetIDs from junction table
 	targetIDs, err := r.getTargetIDs(ctx, cert.ID)
 	if err != nil {
 		return nil, err
 	}
 	cert.TargetIDs = targetIDs
 	return &cert, nil
 }
@@ -0,0 +1,322 @@
 // Package postgres_test — integration tests for M-7: Certificate.TargetIDs
 // must be populated from certificate_target_mappings on read.
 //
 // Before M-7 the repository scan helper never consulted the junction table, so
 // Get / List / GetExpiringCertificates always returned empty TargetIDs even when
 // rows existed in certificate_target_mappings. These tests exercise all three
 // read paths end-to-end against a real PostgreSQL 16 container.
 //
 // Runs against the shared testcontainer from testutil_test.go. Skipped when
 // `-short` is set (CI uses short mode; local runs pick it up by default).
 package postgres_test
 import (
 	"context"
 	"database/sql"
 	"testing"
 	"time"
 	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/repository/postgres"
 )
 // insertAgentAndTargetsRaw creates one agent and N deployment_targets, returns
 // the agent ID and the list of target IDs (in insertion order).
 func insertAgentAndTargetsRaw(t *testing.T, db *sql.DB, ctx context.Context, suffix string, n int) (agentID string, targetIDs []string) {
 	t.Helper()
 	now := time.Now().Truncate(time.Microsecond)
 	agentID = "agent-" + suffix
 	_, err := db.ExecContext(ctx, `
 		INSERT INTO agents (id, name, hostname, status, registered_at, api_key_hash)
 		VALUES ($1, $2, $3, $4, $5, $6)
 	`, agentID, "agent-"+suffix, "host-"+suffix, "online", now, "hash-"+suffix)
 	if err != nil {
 		t.Fatalf("insertAgent failed: %v", err)
 	}
 	for i := 0; i < n; i++ {
 		tid := "t-" + suffix + "-" + intToStr(i)
 		_, err := db.ExecContext(ctx, `
 			INSERT INTO deployment_targets (id, name, type, agent_id, config, enabled, created_at, updated_at)
 			VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
 		`, tid, tid, "NGINX", agentID, []byte(`{}`), true, now, now)
 		if err != nil {
 			t.Fatalf("insertTarget %d failed: %v", i, err)
 		}
 		targetIDs = append(targetIDs, tid)
 	}
 	return agentID, targetIDs
 }
 // intToStr converts a non-negative int to its decimal string.
 // Local helper to avoid importing strconv for a single use.
 func intToStr(n int) string {
 	if n == 0 {
 		return "0"
 	}
 	var buf [20]byte
 	i := len(buf)
 	for n > 0 {
 		i--
 		buf[i] = byte('0' + n%10)
 		n /= 10
 	}
 	return string(buf[i:])
 }
 // insertCertificateRow writes a minimal managed_certificates row via raw SQL.
 // Bypasses the repository Create so we can isolate read-path tests from any
 // write-path behavior. managed_certificates.sans is TEXT[], written here as an
 // empty array literal.
 func insertCertificateRow(t *testing.T, db *sql.DB, ctx context.Context, certID, ownerID, teamID, issuerID, policyID string, expiresAt time.Time) {
 	t.Helper()
 	now := time.Now().Truncate(time.Microsecond)
 	_, err := db.ExecContext(ctx, `
 		INSERT INTO managed_certificates (
 			id, name, common_name, sans, environment,
 			owner_id, team_id, issuer_id, renewal_policy_id,
 			status, expires_at, tags,
 			created_at, updated_at
 		) VALUES (
 			$1, $2, $3, ARRAY[]::TEXT[], $4,
 			$5, $6, $7, $8,
 			$9, $10, $11,
 			$12, $13
 		)
 	`,
 		certID, certID, certID+".example.com", "production",
 		ownerID, teamID, issuerID, policyID,
 		string(domain.CertificateStatusActive), expiresAt, []byte(`{}`),
 		now, now,
 	)
 	if err != nil {
 		t.Fatalf("insertCertificateRow failed: %v", err)
 	}
 }
 // insertMapping writes a single row into certificate_target_mappings via raw SQL.
 func insertMapping(t *testing.T, db *sql.DB, ctx context.Context, certID, targetID string) {
 	t.Helper()
 	_, err := db.ExecContext(ctx,
 		`INSERT INTO certificate_target_mappings (certificate_id, target_id) VALUES ($1, $2)`,
 		certID, targetID)
 	if err != nil {
 		t.Fatalf("insertMapping(%s, %s) failed: %v", certID, targetID, err)
 	}
 }
 // --------------------------------------------------------------------
 // Get() — single-cert read path
 // --------------------------------------------------------------------
 // TestGet_PopulatesTargetIDs_NoMappings: no mapping rows → TargetIDs must be
 // an empty slice, not nil, so JSON serialisation emits "[]".
 func TestGet_PopulatesTargetIDs_NoMappings(t *testing.T) {
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	repo := postgres.NewCertificateRepository(db)
 	ctx := context.Background()
 	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "getnone")
 	certID := "mc-getnone"
 	insertCertificateRow(t, db, ctx, certID, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
 	got, err := repo.Get(ctx, certID)
 	if err != nil {
 		t.Fatalf("Get failed: %v", err)
 	}
 	if got.TargetIDs == nil {
 		t.Fatalf("TargetIDs = nil, want empty slice (JSON serialises nil as null and [] as [])")
 	}
 	if len(got.TargetIDs) != 0 {
 		t.Errorf("len(TargetIDs) = %d, want 0; got %v", len(got.TargetIDs), got.TargetIDs)
 	}
 }
 // TestGet_PopulatesTargetIDs_SingleTarget: one mapping → one entry.
 func TestGet_PopulatesTargetIDs_SingleTarget(t *testing.T) {
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	repo := postgres.NewCertificateRepository(db)
 	ctx := context.Background()
 	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "getone")
 	_, targets := insertAgentAndTargetsRaw(t, db, ctx, "getone", 1)
 	certID := "mc-getone"
 	insertCertificateRow(t, db, ctx, certID, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
 	insertMapping(t, db, ctx, certID, targets[0])
 	got, err := repo.Get(ctx, certID)
 	if err != nil {
 		t.Fatalf("Get failed: %v", err)
 	}
 	if len(got.TargetIDs) != 1 {
 		t.Fatalf("len(TargetIDs) = %d, want 1; got %v", len(got.TargetIDs), got.TargetIDs)
 	}
 	if got.TargetIDs[0] != targets[0] {
 		t.Errorf("TargetIDs[0] = %q, want %q", got.TargetIDs[0], targets[0])
 	}
 }
 // TestGet_PopulatesTargetIDs_MultipleTargets: many mappings → sorted by target_id ASC.
 func TestGet_PopulatesTargetIDs_MultipleTargets(t *testing.T) {
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	repo := postgres.NewCertificateRepository(db)
 	ctx := context.Background()
 	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "getmany")
 	_, targets := insertAgentAndTargetsRaw(t, db, ctx, "getmany", 3)
 	certID := "mc-getmany"
 	insertCertificateRow(t, db, ctx, certID, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
 	// Insert mappings in reverse order to confirm ORDER BY target_id ASC in the query.
 	insertMapping(t, db, ctx, certID, targets[2])
 	insertMapping(t, db, ctx, certID, targets[0])
 	insertMapping(t, db, ctx, certID, targets[1])
 	got, err := repo.Get(ctx, certID)
 	if err != nil {
 		t.Fatalf("Get failed: %v", err)
 	}
 	if len(got.TargetIDs) != 3 {
 		t.Fatalf("len(TargetIDs) = %d, want 3; got %v", len(got.TargetIDs), got.TargetIDs)
 	}
 	// Ascending order: t-getmany-0, t-getmany-1, t-getmany-2
 	want := []string{targets[0], targets[1], targets[2]}
 	for i, tid := range want {
 		if got.TargetIDs[i] != tid {
 			t.Errorf("TargetIDs[%d] = %q, want %q (full: %v)", i, got.TargetIDs[i], tid, got.TargetIDs)
 		}
 	}
 }
 // --------------------------------------------------------------------
 // List() — batch read path, must avoid N+1
 // --------------------------------------------------------------------
 // TestList_PopulatesTargetIDs_BatchFetch: three certs with different mapping counts;
 // all must have their TargetIDs populated correctly, and the cert with no mapping
 // must get an empty (non-nil) slice.
 func TestList_PopulatesTargetIDs_BatchFetch(t *testing.T) {
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	repo := postgres.NewCertificateRepository(db)
 	ctx := context.Background()
 	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "listbatch")
 	_, targets := insertAgentAndTargetsRaw(t, db, ctx, "listbatch", 3)
 	certA := "mc-list-a"
 	certB := "mc-list-b"
 	certC := "mc-list-c"
 	insertCertificateRow(t, db, ctx, certA, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
 	insertCertificateRow(t, db, ctx, certB, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
 	insertCertificateRow(t, db, ctx, certC, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
 	// certA → 2 targets (t-0, t-1)
 	insertMapping(t, db, ctx, certA, targets[0])
 	insertMapping(t, db, ctx, certA, targets[1])
 	// certB → 1 target (t-2)
 	insertMapping(t, db, ctx, certB, targets[2])
 	// certC → 0 targets
 	got, total, err := repo.List(ctx, nil)
 	if err != nil {
 		t.Fatalf("List failed: %v", err)
 	}
 	if total < 3 {
 		t.Fatalf("total = %d, want >= 3", total)
 	}
 	want := map[string][]string{
 		certA: {targets[0], targets[1]},
 		certB: {targets[2]},
 		certC: {},
 	}
 	seen := map[string]bool{}
 	for _, c := range got {
 		exp, ok := want[c.ID]
 		if !ok {
 			continue
 		}
 		seen[c.ID] = true
 		if c.TargetIDs == nil {
 			t.Errorf("cert %s: TargetIDs = nil, want %v", c.ID, exp)
 			continue
 		}
 		if len(c.TargetIDs) != len(exp) {
 			t.Errorf("cert %s: len(TargetIDs) = %d, want %d (got %v, want %v)", c.ID, len(c.TargetIDs), len(exp), c.TargetIDs, exp)
 			continue
 		}
 		for i, tid := range exp {
 			if c.TargetIDs[i] != tid {
 				t.Errorf("cert %s: TargetIDs[%d] = %q, want %q", c.ID, i, c.TargetIDs[i], tid)
 			}
 		}
 	}
 	for id := range want {
 		if !seen[id] {
 			t.Errorf("cert %s missing from List() result", id)
 		}
 	}
 }
 // --------------------------------------------------------------------
 // GetExpiringCertificates() — scheduler read path
 // --------------------------------------------------------------------
 // TestGetExpiringCertificates_PopulatesTargetIDs: expiring certs must also carry
 // their mapping information so renewal-triggered deployments can route work.
 func TestGetExpiringCertificates_PopulatesTargetIDs(t *testing.T) {
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	repo := postgres.NewCertificateRepository(db)
 	ctx := context.Background()
 	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "expiring")
 	_, targets := insertAgentAndTargetsRaw(t, db, ctx, "expiring", 2)
 	// Two expiring certs (expires in 3 days). Threshold = 7 days → both selected.
 	certA := "mc-exp-a"
 	certB := "mc-exp-b"
 	expiresSoon := time.Now().Add(3 * 24 * time.Hour)
 	insertCertificateRow(t, db, ctx, certA, ownerID, teamID, issuerID, policyID, expiresSoon)
 	insertCertificateRow(t, db, ctx, certB, ownerID, teamID, issuerID, policyID, expiresSoon)
 	insertMapping(t, db, ctx, certA, targets[0])
 	insertMapping(t, db, ctx, certA, targets[1])
 	// certB has no mappings.
 	threshold := time.Now().Add(7 * 24 * time.Hour)
 	got, err := repo.GetExpiringCertificates(ctx, threshold)
 	if err != nil {
 		t.Fatalf("GetExpiringCertificates failed: %v", err)
 	}
 	found := map[string]*domain.ManagedCertificate{}
 	for _, c := range got {
 		found[c.ID] = c
 	}
 	a, ok := found[certA]
 	if !ok {
 		t.Fatalf("cert %s not in expiring list", certA)
 	}
 	if len(a.TargetIDs) != 2 || a.TargetIDs[0] != targets[0] || a.TargetIDs[1] != targets[1] {
 		t.Errorf("cert %s: TargetIDs = %v, want %v", certA, a.TargetIDs, []string{targets[0], targets[1]})
 	}
 	b, ok := found[certB]
 	if !ok {
 		t.Fatalf("cert %s not in expiring list", certB)
 	}
 	if b.TargetIDs == nil {
 		t.Errorf("cert %s: TargetIDs = nil, want empty slice", certB)
 	}
 	if len(b.TargetIDs) != 0 {
 		t.Errorf("cert %s: len(TargetIDs) = %d, want 0", certB, len(b.TargetIDs))
 	}
 }
@@ -237,7 +237,14 @@ func (r *JobRepository) UpdateStatus(ctx context.Context, id string, status doma
 	return nil
 }
-// GetPendingJobs returns jobs not yet processed of a specific type
+// GetPendingJobs returns jobs not yet processed of a specific type.
 //
 // The SELECT uses FOR UPDATE SKIP LOCKED so that concurrent scheduler replicas
 // cannot observe the same rows when invoked inside a transaction; combine with
 // a subsequent UPDATE to Running for correct dispatch semantics. For the
 // standard production dispatch path, prefer ClaimPendingJobs which wraps the
 // lock, read, and state transition in a single transaction and is the
 // authoritative race-free claim primitive (CWE-362 fix for H-6).
 func (r *JobRepository) GetPendingJobs(ctx context.Context, jobType domain.JobType) ([]*domain.Job, error) {
 	rows, err := r.db.QueryContext(ctx, `
 		SELECT id, type, certificate_id, target_id, agent_id, status, attempts, max_attempts,
@@ -245,6 +252,7 @@ func (r *JobRepository) GetPendingJobs(ctx context.Context, jobType domain.JobTy
 		FROM jobs
 		WHERE type = $1 AND status = $2
 		ORDER BY scheduled_at ASC
 		FOR UPDATE SKIP LOCKED
 	`, jobType, domain.JobStatusPending)
 	if err != nil {
@@ -268,10 +276,115 @@ func (r *JobRepository) GetPendingJobs(ctx context.Context, jobType domain.JobTy
 	return jobs, nil
 }
-// ListPendingByAgentID returns pending deployment jobs and AwaitingCSR jobs for a specific agent.
+// ClaimPendingJobs atomically claims up to `limit` Pending jobs and transitions
-// Deployment jobs are matched by agent_id directly (set at creation time), with a fallback
+// them to Running inside a single transaction. The SELECT uses FOR UPDATE SKIP
-// for legacy jobs where agent_id is NULL but target_id resolves to the agent via deployment_targets.
+// LOCKED so concurrent scheduler replicas observe disjoint result sets — each
-// AwaitingCSR jobs are matched through certificate → target mappings → agent ownership.
+// row can be claimed by exactly one caller per tick (CWE-362 fix for H-6).
 //
 // Passing an empty jobType claims any type. Passing limit<=0 claims all
 // available rows. The claimed rows are returned with Status already set to
 // domain.JobStatusRunning.
 //
 // Downstream processors (ProcessRenewalJob, ProcessDeploymentJob) already call
 // UpdateStatus(Running) unconditionally on entry, so this pre-flip is
 // idempotent with respect to existing processing logic.
 func (r *JobRepository) ClaimPendingJobs(ctx context.Context, jobType domain.JobType, limit int) ([]*domain.Job, error) {
 	tx, err := r.db.BeginTx(ctx, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to begin claim transaction: %w", err)
 	}
 	// Rollback is a no-op after Commit — safe deferred cleanup if an error path
 	// triggers an early return before Commit().
 	defer func() { _ = tx.Rollback() }()
 	// Build the SELECT — jobType="" means any type, limit<=0 means unlimited.
 	query := `
 		SELECT id, type, certificate_id, target_id, agent_id, status, attempts, max_attempts,
 		       last_error, scheduled_at, started_at, completed_at, created_at
 		FROM jobs
 		WHERE status = $1`
 	args := []interface{}{domain.JobStatusPending}
 	if jobType != "" {
 		query += ` AND type = $2`
 		args = append(args, jobType)
 	}
 	query += `
 		ORDER BY scheduled_at ASC
 		FOR UPDATE SKIP LOCKED`
 	if limit > 0 {
 		query += fmt.Sprintf(` LIMIT %d`, limit)
 	}
 	rows, err := tx.QueryContext(ctx, query, args...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to query claimable jobs: %w", err)
 	}
 	var jobs []*domain.Job
 	for rows.Next() {
 		job, err := scanJob(rows)
 		if err != nil {
 			rows.Close()
 			return nil, err
 		}
 		jobs = append(jobs, job)
 	}
 	if err := rows.Err(); err != nil {
 		rows.Close()
 		return nil, fmt.Errorf("error iterating claimable job rows: %w", err)
 	}
 	rows.Close()
 	if len(jobs) == 0 {
 		// No rows to claim — commit the (read-only) tx and return.
 		if err := tx.Commit(); err != nil {
 			return nil, fmt.Errorf("failed to commit empty claim tx: %w", err)
 		}
 		return nil, nil
 	}
 	// Flip claimed rows to Running. Build IN clause safely with placeholders.
 	ids := make([]interface{}, len(jobs))
 	placeholders := make([]byte, 0, len(jobs)*5)
 	for i, job := range jobs {
 		ids[i] = job.ID
 		if i > 0 {
 			placeholders = append(placeholders, ',')
 		}
 		placeholders = append(placeholders, fmt.Sprintf("$%d", i+2)...)
 	}
 	updateQuery := fmt.Sprintf(
 		`UPDATE jobs SET status = $1 WHERE id IN (%s)`,
 		string(placeholders),
 	)
 	updateArgs := append([]interface{}{domain.JobStatusRunning}, ids...)
 	if _, err := tx.ExecContext(ctx, updateQuery, updateArgs...); err != nil {
 		return nil, fmt.Errorf("failed to transition claimed jobs to Running: %w", err)
 	}
 	if err := tx.Commit(); err != nil {
 		return nil, fmt.Errorf("failed to commit claim transaction: %w", err)
 	}
 	// Reflect the committed state in the returned objects.
 	for _, job := range jobs {
 		job.Status = domain.JobStatusRunning
 	}
 	return jobs, nil
 }
 // ListPendingByAgentID returns pending deployment jobs and AwaitingCSR jobs for
 // a specific agent. Deployment jobs are matched by agent_id directly (set at
 // creation time), with a fallback for legacy jobs where agent_id is NULL but
 // target_id resolves to the agent via deployment_targets. AwaitingCSR jobs are
 // matched through certificate → target mappings → agent ownership.
 //
 // The SELECT uses FOR UPDATE SKIP LOCKED so concurrent pollers (e.g. two agent
 // instances running with the same agent_id) cannot observe the same rows when
 // this method is invoked inside a transaction. For the production agent work
 // poll path, prefer ClaimPendingByAgentID which additionally transitions
 // claimed Pending deployment rows to Running atomically (H-6 CWE-362 fix).
 func (r *JobRepository) ListPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error) {
 	rows, err := r.db.QueryContext(ctx, `
 		SELECT id, type, certificate_id, target_id, agent_id, status, attempts, max_attempts,
@@ -326,6 +439,137 @@ func (r *JobRepository) ListPendingByAgentID(ctx context.Context, agentID string
 	return jobs, nil
 }
 // ClaimPendingByAgentID atomically claims agent work inside a single
 // transaction. Pending Deployment jobs assigned to the agent (directly via
 // agent_id, or via legacy target→agent fallback) are transitioned from
 // Pending to Running. AwaitingCSR Renewal/Issuance jobs linked to the agent
 // via certificate → target mappings are locked with FOR UPDATE SKIP LOCKED
 // and returned without a state transition — the flow requires the agent to
 // submit a CSR to advance state, and pre-flipping AwaitingCSR would violate
 // the renewal state machine (CWE-362 fix for H-6).
 //
 // Claimed rows are invisible to other concurrent claim calls for the lifetime
 // of the transaction; rows claimed as Running remain invisible after commit
 // because ListPendingByAgentID's filter is status='Pending'.
 func (r *JobRepository) ClaimPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error) {
 	tx, err := r.db.BeginTx(ctx, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to begin agent claim transaction: %w", err)
 	}
 	defer func() { _ = tx.Rollback() }()
 	// Branch 1 + 2: Pending Deployment jobs (direct agent_id match or legacy
 	// target fallback). These get flipped to Running atomically below.
 	pendingRows, err := tx.QueryContext(ctx, `
 		SELECT id, type, certificate_id, target_id, agent_id, status, attempts, max_attempts,
 		       last_error, scheduled_at, started_at, completed_at, created_at
 		FROM jobs
 		WHERE agent_id = $1 AND status = 'Pending' AND type = 'Deployment'
 		UNION ALL
 		SELECT j.id, j.type, j.certificate_id, j.target_id, j.agent_id, j.status, j.attempts, j.max_attempts,
 		       j.last_error, j.scheduled_at, j.started_at, j.completed_at, j.created_at
 		FROM jobs j
 		INNER JOIN deployment_targets dt ON j.target_id = dt.id
 		WHERE j.agent_id IS NULL AND j.status = 'Pending' AND j.type = 'Deployment'
 		  AND dt.agent_id = $1
 		ORDER BY created_at ASC
 		FOR UPDATE SKIP LOCKED
 	`, agentID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to query pending deployment jobs for agent: %w", err)
 	}
 	var pendingJobs []*domain.Job
 	for pendingRows.Next() {
 		job, err := scanJob(pendingRows)
 		if err != nil {
 			pendingRows.Close()
 			return nil, err
 		}
 		pendingJobs = append(pendingJobs, job)
 	}
 	if err := pendingRows.Err(); err != nil {
 		pendingRows.Close()
 		return nil, fmt.Errorf("error iterating pending deployment rows: %w", err)
 	}
 	pendingRows.Close()
 	// Branch 3: AwaitingCSR jobs for this agent. Locked with FOR UPDATE SKIP
 	// LOCKED to prevent duplicate delivery to concurrent pollers, but state is
 	// NOT transitioned — the agent advances state via CSR submission.
 	csrRows, err := tx.QueryContext(ctx, `
 		SELECT j.id, j.type, j.certificate_id, j.target_id, j.agent_id, j.status, j.attempts, j.max_attempts,
 		       j.last_error, j.scheduled_at, j.started_at, j.completed_at, j.created_at
 		FROM jobs j
 		WHERE j.status = 'AwaitingCSR'
 		  AND j.type IN ('Renewal', 'Issuance')
 		  AND EXISTS (
 		    SELECT 1 FROM certificate_target_mappings ctm
 		    INNER JOIN deployment_targets dt ON ctm.target_id = dt.id
 		    WHERE ctm.certificate_id = j.certificate_id
 		      AND dt.agent_id = $1
 		  )
 		ORDER BY j.created_at ASC
 		FOR UPDATE SKIP LOCKED
 	`, agentID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to query AwaitingCSR jobs for agent: %w", err)
 	}
 	var csrJobs []*domain.Job
 	for csrRows.Next() {
 		job, err := scanJob(csrRows)
 		if err != nil {
 			csrRows.Close()
 			return nil, err
 		}
 		csrJobs = append(csrJobs, job)
 	}
 	if err := csrRows.Err(); err != nil {
 		csrRows.Close()
 		return nil, fmt.Errorf("error iterating AwaitingCSR rows: %w", err)
 	}
 	csrRows.Close()
 	// Transition locked Pending deployments to Running before commit.
 	if len(pendingJobs) > 0 {
 		ids := make([]interface{}, len(pendingJobs))
 		placeholders := make([]byte, 0, len(pendingJobs)*5)
 		for i, job := range pendingJobs {
 			ids[i] = job.ID
 			if i > 0 {
 				placeholders = append(placeholders, ',')
 			}
 			placeholders = append(placeholders, fmt.Sprintf("$%d", i+2)...)
 		}
 		updateQuery := fmt.Sprintf(
 			`UPDATE jobs SET status = $1 WHERE id IN (%s)`,
 			string(placeholders),
 		)
 		updateArgs := append([]interface{}{domain.JobStatusRunning}, ids...)
 		if _, err := tx.ExecContext(ctx, updateQuery, updateArgs...); err != nil {
 			return nil, fmt.Errorf("failed to transition claimed deployment jobs to Running: %w", err)
 		}
 	}
 	if err := tx.Commit(); err != nil {
 		return nil, fmt.Errorf("failed to commit agent claim transaction: %w", err)
 	}
 	// Reflect the committed state in returned Pending deployment jobs; leave
 	// AwaitingCSR jobs untouched.
 	for _, job := range pendingJobs {
 		job.Status = domain.JobStatusRunning
 	}
 	// Preserve the legacy ordering: Pending deployments first, AwaitingCSR
 	// second. Callers that want a strict created_at merge can re-sort.
 	return append(pendingJobs, csrJobs...), nil
 }
 // scanJob scans a job from a row or rows
 func scanJob(scanner interface {
 	Scan(...interface{}) error
@@ -7,6 +7,9 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
 	"fmt"
 	"sync"
 	"sync/atomic"
 	"testing"
 	"time"
@@ -454,6 +457,193 @@ func TestAgentRepository_Delete_NotFound(t *testing.T) {
 	}
 }
 // TestAgentRepository_CreateIfNotExists_FirstInsert verifies that a brand-new
 // sentinel agent row is inserted and the helper reports created=true (M-6).
 func TestAgentRepository_CreateIfNotExists_FirstInsert(t *testing.T) {
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	repo := postgres.NewAgentRepository(db)
 	ctx := context.Background()
 	now := time.Now().Truncate(time.Microsecond)
 	agent := &domain.Agent{
 		ID:           "server-scanner",
 		Name:         "Network Scanner (Server-Side)",
 		Status:       domain.AgentStatusOnline,
 		RegisteredAt: now,
 	}
 	created, err := repo.CreateIfNotExists(ctx, agent)
 	if err != nil {
 		t.Fatalf("CreateIfNotExists failed: %v", err)
 	}
 	if !created {
 		t.Error("created = false on first insert, want true")
 	}
 	got, err := repo.Get(ctx, "server-scanner")
 	if err != nil {
 		t.Fatalf("Get failed: %v", err)
 	}
 	if got.Name != "Network Scanner (Server-Side)" {
 		t.Errorf("Name = %q, want %q", got.Name, "Network Scanner (Server-Side)")
 	}
 }
 // TestAgentRepository_CreateIfNotExists_Idempotent verifies that a second
 // call with the same ID returns created=false and err=nil without mutating
 // the existing row — the core M-6 upgrade/restart scenario (CWE-662).
 func TestAgentRepository_CreateIfNotExists_Idempotent(t *testing.T) {
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	repo := postgres.NewAgentRepository(db)
 	ctx := context.Background()
 	now := time.Now().Truncate(time.Microsecond)
 	first := &domain.Agent{
 		ID:           "cloud-aws-sm",
 		Name:         "AWS Secrets Manager Discovery",
 		Status:       domain.AgentStatusOnline,
 		RegisteredAt: now,
 	}
 	created, err := repo.CreateIfNotExists(ctx, first)
 	if err != nil {
 		t.Fatalf("first CreateIfNotExists failed: %v", err)
 	}
 	if !created {
 		t.Fatal("first created = false, want true")
 	}
 	// Second call with the same ID but a different name must be a no-op.
 	second := &domain.Agent{
 		ID:           "cloud-aws-sm",
 		Name:         "Overwritten Name Should Not Persist",
 		Status:       domain.AgentStatusOffline,
 		RegisteredAt: now.Add(time.Hour),
 	}
 	created, err = repo.CreateIfNotExists(ctx, second)
 	if err != nil {
 		t.Fatalf("second CreateIfNotExists failed: %v", err)
 	}
 	if created {
 		t.Error("second created = true, want false (row already existed)")
 	}
 	// Row must still reflect the original insert.
 	got, err := repo.Get(ctx, "cloud-aws-sm")
 	if err != nil {
 		t.Fatalf("Get failed: %v", err)
 	}
 	if got.Name != "AWS Secrets Manager Discovery" {
 		t.Errorf("Name = %q, want %q (ON CONFLICT DO NOTHING must preserve original row)", got.Name, "AWS Secrets Manager Discovery")
 	}
 	if got.Status != domain.AgentStatusOnline {
 		t.Errorf("Status = %q, want %q", got.Status, domain.AgentStatusOnline)
 	}
 }
 // TestAgentRepository_CreateIfNotExists_ConcurrentRace fires N concurrent
 // inserts for the same sentinel ID. Exactly one goroutine must see
 // created=true; every other must see created=false and err=nil. No panics,
 // no duplicate rows, no swallowed errors. This is the scenario that the
 // pre-M-6 plain-INSERT path masked with a blanket error log.
 func TestAgentRepository_CreateIfNotExists_ConcurrentRace(t *testing.T) {
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	repo := postgres.NewAgentRepository(db)
 	ctx := context.Background()
 	const N = 16
 	now := time.Now().Truncate(time.Microsecond)
 	var (
 		wg           sync.WaitGroup
 		createdCount int64
 		errorCount   int64
 	)
 	wg.Add(N)
 	for i := 0; i < N; i++ {
 		go func() {
 			defer wg.Done()
 			agent := &domain.Agent{
 				ID:           "cloud-gcp-sm",
 				Name:         "GCP Secret Manager Discovery",
 				Status:       domain.AgentStatusOnline,
 				RegisteredAt: now,
 			}
 			created, err := repo.CreateIfNotExists(ctx, agent)
 			if err != nil {
 				atomic.AddInt64(&errorCount, 1)
 				t.Errorf("CreateIfNotExists returned error: %v", err)
 				return
 			}
 			if created {
 				atomic.AddInt64(&createdCount, 1)
 			}
 		}()
 	}
 	wg.Wait()
 	if errorCount != 0 {
 		t.Fatalf("errorCount = %d, want 0", errorCount)
 	}
 	if createdCount != 1 {
 		t.Errorf("createdCount = %d, want exactly 1 (only one goroutine may win the insert)", createdCount)
 	}
 	// Exactly one row must exist.
 	agents, err := repo.List(ctx)
 	if err != nil {
 		t.Fatalf("List failed: %v", err)
 	}
 	count := 0
 	for _, a := range agents {
 		if a.ID == "cloud-gcp-sm" {
 			count++
 		}
 	}
 	if count != 1 {
 		t.Errorf("row count for cloud-gcp-sm = %d, want 1", count)
 	}
 }
 // TestAgentRepository_CreateIfNotExists_GenericErrorSurfaces verifies that
 // failures other than the primary-key duplicate (the only collision
 // ON CONFLICT (id) absorbs) propagate to the caller instead of being
 // swallowed. This is the security property that M-6 restores: the
 // pre-fix plain-INSERT path logged every error at Debug level, so a
 // connectivity or permission failure would vanish into the log without
 // the server surfacing a problem on startup (CWE-662 / CWE-209-adjacent).
 //
 // Uses a pre-cancelled context to force QueryRowContext to fail with
 // context.Canceled — a non-duplicate error class that must surface.
 // Does NOT close the shared sql.DB (that would break sibling tests).
 func TestAgentRepository_CreateIfNotExists_GenericErrorSurfaces(t *testing.T) {
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	repo := postgres.NewAgentRepository(db)
 	ctx, cancel := context.WithCancel(context.Background())
 	cancel() // pre-cancel so the driver round-trip fails immediately.
 	agent := &domain.Agent{
 		ID:           "server-scanner",
 		Name:         "Network Scanner (Server-Side)",
 		Status:       domain.AgentStatusOnline,
 		RegisteredAt: time.Now(),
 	}
 	created, err := repo.CreateIfNotExists(ctx, agent)
 	if err == nil {
 		t.Fatal("expected error on cancelled context, got nil (error would have been swallowed pre-M-6)")
 	}
 	if created {
 		t.Error("created = true on failure, want false")
 	}
 	if err == sql.ErrNoRows {
 		t.Error("got sql.ErrNoRows, want a real connection/context error (ErrNoRows is the duplicate-row sentinel)")
 	}
 }
 // ============================================================
 // Issuer Repository Tests
 // ============================================================
@@ -703,10 +893,10 @@ func TestRevocationRepository_CRUD(t *testing.T) {
 		t.Fatalf("Idempotent create failed: %v", err)
 	}
-	// GetBySerial
+	// GetByIssuerAndSerial — lookups are scoped to (issuer_id, serial) per RFC 5280 §5.2.3.
-	got, err := repo.GetBySerial(ctx, "DEADBEEF01")
+	got, err := repo.GetByIssuerAndSerial(ctx, issuerID, "DEADBEEF01")
 	if err != nil {
-		t.Fatalf("GetBySerial failed: %v", err)
+		t.Fatalf("GetByIssuerAndSerial failed: %v", err)
 	}
 	if got.Reason != "keyCompromise" {
 		t.Errorf("Reason = %q, want %q", got.Reason, "keyCompromise")
@@ -734,12 +924,116 @@ func TestRevocationRepository_CRUD(t *testing.T) {
 	if err := repo.MarkIssuerNotified(ctx, "rev-test-1"); err != nil {
 		t.Fatalf("MarkIssuerNotified failed: %v", err)
 	}
-	got, _ = repo.GetBySerial(ctx, "DEADBEEF01")
+	got, _ = repo.GetByIssuerAndSerial(ctx, issuerID, "DEADBEEF01")
 	if !got.IssuerNotified {
 		t.Error("expected IssuerNotified=true after marking")
 	}
 }
 // TestRevocationRepository_CrossIssuerSerialCollision verifies that the same
 // serial number can coexist under two different issuers — RFC 5280 §5.2.3
 // defines serial uniqueness only within a single CA, and certctl supports
 // multi-issuer deployments where serial collisions across issuers are
 // legitimate (e.g., Local CA serial 0x01 and Vault PKI serial 0x01).
 //
 // This test locks in the behavior change from migration 000012: the unique
 // index is on (issuer_id, serial_number), not on serial_number alone.
 func TestRevocationRepository_CrossIssuerSerialCollision(t *testing.T) {
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	repo := postgres.NewRevocationRepository(db)
 	certRepo := postgres.NewCertificateRepository(db)
 	ctx := context.Background()
 	now := time.Now().Truncate(time.Microsecond)
 	// First issuer + cert + revocation with serial "CAFEBABE01".
 	ownerID1, teamID1, issuerID1, policyID1 := insertCertPrereqsRaw(t, db, ctx, "dup-a")
 	cert1 := &domain.ManagedCertificate{
 		ID: "mc-dup-a", Name: "dup-a", CommonName: "a.example.com",
 		SANs: []string{}, OwnerID: ownerID1, TeamID: teamID1,
 		IssuerID: issuerID1, RenewalPolicyID: policyID1,
 		Status:    domain.CertificateStatusRevoked,
 		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
 		CreatedAt: now, UpdatedAt: now,
 	}
 	if err := certRepo.Create(ctx, cert1); err != nil {
 		t.Fatalf("Create cert1 failed: %v", err)
 	}
 	if err := repo.Create(ctx, &domain.CertificateRevocation{
 		ID: "rev-dup-a", CertificateID: "mc-dup-a", SerialNumber: "CAFEBABE01",
 		Reason: "keyCompromise", RevokedBy: "admin", RevokedAt: now,
 		IssuerID: issuerID1, CreatedAt: now,
 	}); err != nil {
 		t.Fatalf("Create revocation under issuer1 failed: %v", err)
 	}
 	// Second issuer + cert + revocation with the SAME serial "CAFEBABE01".
 	// Under the pre-000012 global-unique index this would silently drop via
 	// ON CONFLICT DO NOTHING. Under the new (issuer_id, serial_number) scope
 	// it must succeed.
 	ownerID2, teamID2, issuerID2, policyID2 := insertCertPrereqsRaw(t, db, ctx, "dup-b")
 	cert2 := &domain.ManagedCertificate{
 		ID: "mc-dup-b", Name: "dup-b", CommonName: "b.example.com",
 		SANs: []string{}, OwnerID: ownerID2, TeamID: teamID2,
 		IssuerID: issuerID2, RenewalPolicyID: policyID2,
 		Status:    domain.CertificateStatusRevoked,
 		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
 		CreatedAt: now, UpdatedAt: now,
 	}
 	if err := certRepo.Create(ctx, cert2); err != nil {
 		t.Fatalf("Create cert2 failed: %v", err)
 	}
 	if err := repo.Create(ctx, &domain.CertificateRevocation{
 		ID: "rev-dup-b", CertificateID: "mc-dup-b", SerialNumber: "CAFEBABE01",
 		Reason: "superseded", RevokedBy: "admin", RevokedAt: now,
 		IssuerID: issuerID2, CreatedAt: now,
 	}); err != nil {
 		t.Fatalf("Create revocation under issuer2 failed (cross-issuer duplicate serial must be allowed): %v", err)
 	}
 	// Both revocations must be retrievable under their respective issuers.
 	revA, err := repo.GetByIssuerAndSerial(ctx, issuerID1, "CAFEBABE01")
 	if err != nil {
 		t.Fatalf("GetByIssuerAndSerial(issuer1) failed: %v", err)
 	}
 	if revA.ID != "rev-dup-a" || revA.Reason != "keyCompromise" {
 		t.Errorf("issuer1 lookup returned wrong row: id=%q reason=%q", revA.ID, revA.Reason)
 	}
 	revB, err := repo.GetByIssuerAndSerial(ctx, issuerID2, "CAFEBABE01")
 	if err != nil {
 		t.Fatalf("GetByIssuerAndSerial(issuer2) failed: %v", err)
 	}
 	if revB.ID != "rev-dup-b" || revB.Reason != "superseded" {
 		t.Errorf("issuer2 lookup returned wrong row: id=%q reason=%q", revB.ID, revB.Reason)
 	}
 	// ListAll should see both revocations.
 	all, err := repo.ListAll(ctx)
 	if err != nil {
 		t.Fatalf("ListAll failed: %v", err)
 	}
 	if len(all) != 2 {
 		t.Errorf("len(all) = %d, want 2 (cross-issuer duplicate serials)", len(all))
 	}
 	// Same-issuer idempotency guard still works (ON CONFLICT DO NOTHING on
 	// (issuer_id, serial_number) — re-inserting the same (issuer, serial)
 	// pair must not error and must not duplicate the row).
 	if err := repo.Create(ctx, &domain.CertificateRevocation{
 		ID: "rev-dup-a-repeat", CertificateID: "mc-dup-a", SerialNumber: "CAFEBABE01",
 		Reason: "superseded", RevokedBy: "admin", RevokedAt: now,
 		IssuerID: issuerID1, CreatedAt: now,
 	}); err != nil {
 		t.Fatalf("Idempotent create under same issuer failed: %v", err)
 	}
 	all, _ = repo.ListAll(ctx)
 	if len(all) != 2 {
 		t.Errorf("len(all) after idempotent re-insert = %d, want 2", len(all))
 	}
 }
 // ============================================================
 // Team Repository Tests
 // ============================================================
@@ -1578,3 +1872,334 @@ func TestEmptyResultSets(t *testing.T) {
 		t.Errorf("expected empty agent groups, got %d", len(groups))
 	}
 }
 // ============================================================
 // H-6 (CWE-362) Claim-Based Concurrency Tests
 //
 // These tests exercise the `SELECT ... FOR UPDATE SKIP LOCKED` worker-queue pattern
 // introduced to remediate the H-6 race condition. They validate two invariants:
 //
 //  1. Disjoint claim: under concurrent callers, no Pending row is returned to more
 //     than one worker (i.e. each claim is exclusive).
 //  2. State transition: claimed rows are atomically flipped to Running inside the
 //     same transaction that locked them, so a subsequent query must see the row in
 //     the Running state and no other worker can observe it as Pending again.
 //
 // Skipped automatically in `-short` mode (CI) since they require a real PostgreSQL
 // instance and take ~1s under contention.
 // ============================================================
 // seedPendingJobs creates n Pending renewal jobs against a single prerequisite
 // certificate and returns the generated job IDs.
 func seedPendingJobs(t *testing.T, ctx context.Context, db *sql.DB, certID string, n int) []string {
 	t.Helper()
 	certRepo := postgres.NewCertificateRepository(db)
 	jobRepo := postgres.NewJobRepository(db)
 	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, certID)
 	now := time.Now().Truncate(time.Microsecond)
 	cert := &domain.ManagedCertificate{
 		ID: "mc-" + certID, Name: certID, CommonName: certID + ".example.com",
 		SANs: []string{}, OwnerID: ownerID, TeamID: teamID,
 		IssuerID: issuerID, RenewalPolicyID: policyID,
 		Status:    domain.CertificateStatusActive,
 		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
 		CreatedAt: now, UpdatedAt: now,
 	}
 	if err := certRepo.Create(ctx, cert); err != nil {
 		t.Fatalf("seedPendingJobs: create cert failed: %v", err)
 	}
 	ids := make([]string, 0, n)
 	for i := 0; i < n; i++ {
 		job := &domain.Job{
 			ID:            fmt.Sprintf("job-%s-%03d", certID, i),
 			Type:          domain.JobTypeRenewal,
 			CertificateID: "mc-" + certID,
 			Status:        domain.JobStatusPending,
 			Attempts:      0,
 			MaxAttempts:   3,
 			ScheduledAt:   now,
 			CreatedAt:     now,
 		}
 		if err := jobRepo.Create(ctx, job); err != nil {
 			t.Fatalf("seedPendingJobs: create job %d failed: %v", i, err)
 		}
 		ids = append(ids, job.ID)
 	}
 	return ids
 }
 // TestJobRepository_ClaimPendingJobs_FlipsToRunning validates the basic claim
 // semantics: a single call transitions Pending rows to Running atomically, and
 // the rows returned to the caller reflect the post-update state.
 func TestJobRepository_ClaimPendingJobs_FlipsToRunning(t *testing.T) {
 	if testing.Short() {
 		t.Skip("integration test requires PostgreSQL")
 	}
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	jobRepo := postgres.NewJobRepository(db)
 	ctx := context.Background()
 	seeded := seedPendingJobs(t, ctx, db, "claimflip", 5)
 	claimed, err := jobRepo.ClaimPendingJobs(ctx, domain.JobTypeRenewal, 0)
 	if err != nil {
 		t.Fatalf("ClaimPendingJobs failed: %v", err)
 	}
 	if len(claimed) != len(seeded) {
 		t.Fatalf("len(claimed) = %d, want %d", len(claimed), len(seeded))
 	}
 	// In-memory return values must reflect the transitioned state.
 	for _, j := range claimed {
 		if j.Status != domain.JobStatusRunning {
 			t.Errorf("claimed job %s Status = %q, want %q", j.ID, j.Status, domain.JobStatusRunning)
 		}
 	}
 	// Persisted rows must also be Running — a fresh Get must not see Pending.
 	for _, id := range seeded {
 		got, err := jobRepo.Get(ctx, id)
 		if err != nil {
 			t.Fatalf("Get(%s) failed: %v", id, err)
 		}
 		if got.Status != domain.JobStatusRunning {
 			t.Errorf("persisted job %s Status = %q, want %q", id, got.Status, domain.JobStatusRunning)
 		}
 	}
 	// A subsequent claim must return zero rows — nothing is Pending anymore.
 	residual, err := jobRepo.ClaimPendingJobs(ctx, domain.JobTypeRenewal, 0)
 	if err != nil {
 		t.Fatalf("residual ClaimPendingJobs failed: %v", err)
 	}
 	if len(residual) != 0 {
 		t.Errorf("residual claims = %d, want 0 (all should be Running now)", len(residual))
 	}
 }
 // TestJobRepository_ClaimPendingJobs_ConcurrentDisjoint validates the core H-6
 // invariant: under concurrent access, no row is handed to more than one worker.
 //
 // The test seeds M Pending jobs, fans out N goroutines each of which loops
 // calling ClaimPendingJobs with limit=1, and finally asserts the union of all
 // claimed IDs is exactly M with zero duplicates. Workers that transiently
 // observe zero rows (because peers are holding the only remaining rows) re-check
 // an atomic progress counter before exiting, so transient SKIP-LOCKED zeros do
 // not cause premature termination.
 func TestJobRepository_ClaimPendingJobs_ConcurrentDisjoint(t *testing.T) {
 	if testing.Short() {
 		t.Skip("integration test requires PostgreSQL")
 	}
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	jobRepo := postgres.NewJobRepository(db)
 	ctx := context.Background()
 	const M = 40 // seeded Pending jobs
 	const N = 8  // concurrent workers
 	seeded := seedPendingJobs(t, ctx, db, "concurrent", M)
 	seededSet := make(map[string]bool, M)
 	for _, id := range seeded {
 		seededSet[id] = true
 	}
 	var (
 		totalClaimed int64
 		allClaims    []string
 		mu           sync.Mutex
 		wg           sync.WaitGroup
 	)
 	for w := 0; w < N; w++ {
 		wg.Add(1)
 		go func(worker int) {
 			defer wg.Done()
 			emptyStreak := 0
 			for iter := 0; iter < M*4; iter++ { // generous ceiling to prevent hangs
 				claimed, err := jobRepo.ClaimPendingJobs(ctx, domain.JobTypeRenewal, 1)
 				if err != nil {
 					t.Errorf("worker %d ClaimPendingJobs failed: %v", worker, err)
 					return
 				}
 				if len(claimed) == 0 {
 					// Transient zero (peer holds lock) vs. terminal zero (all claimed).
 					// Bail only once the shared counter proves work is done, but guard
 					// with a streak so we don't spin forever under starvation.
 					if atomic.LoadInt64(&totalClaimed) >= int64(M) {
 						return
 					}
 					emptyStreak++
 					if emptyStreak >= 20 {
 						return
 					}
 					time.Sleep(500 * time.Microsecond)
 					continue
 				}
 				emptyStreak = 0
 				mu.Lock()
 				for _, j := range claimed {
 					if j.Status != domain.JobStatusRunning {
 						t.Errorf("worker %d got job %s in Status=%q (want Running) — claim did not flip state", worker, j.ID, j.Status)
 					}
 					allClaims = append(allClaims, j.ID)
 				}
 				mu.Unlock()
 				atomic.AddInt64(&totalClaimed, int64(len(claimed)))
 			}
 		}(w)
 	}
 	wg.Wait()
 	// Invariant 1: no duplicate claims across the worker pool.
 	seen := make(map[string]int, len(allClaims))
 	for _, id := range allClaims {
 		seen[id]++
 	}
 	for id, count := range seen {
 		if count > 1 {
 			t.Errorf("job %s claimed %d times — SKIP LOCKED invariant violated", id, count)
 		}
 	}
 	// Invariant 2: every seeded job appears in the claim set exactly once.
 	if len(seen) != M {
 		t.Errorf("distinct claimed IDs = %d, want %d (all seeded jobs must be claimed)", len(seen), M)
 	}
 	for id := range seededSet {
 		if seen[id] == 0 {
 			t.Errorf("seeded job %s was never claimed by any worker", id)
 		}
 	}
 	// Invariant 3: persisted state reflects the transition — every seeded row
 	// is now Running; none is Pending.
 	for id := range seededSet {
 		got, err := jobRepo.Get(ctx, id)
 		if err != nil {
 			t.Fatalf("Get(%s) failed: %v", id, err)
 		}
 		if got.Status != domain.JobStatusRunning {
 			t.Errorf("job %s Status = %q, want %q", id, got.Status, domain.JobStatusRunning)
 		}
 	}
 	// Final progress counter must match the total number of seeded jobs.
 	if got := atomic.LoadInt64(&totalClaimed); got != int64(M) {
 		t.Errorf("totalClaimed = %d, want %d", got, M)
 	}
 }
 // TestJobRepository_ClaimPendingByAgentID_TransitionsDeployments validates the
 // agent-scoped claim variant: Pending deployment rows for a given agent flip to
 // Running; AwaitingCSR rows are returned but their state is preserved (the CSR
 // submission path drives their next transition).
 func TestJobRepository_ClaimPendingByAgentID_TransitionsDeployments(t *testing.T) {
 	if testing.Short() {
 		t.Skip("integration test requires PostgreSQL")
 	}
 	tdb := getTestDB(t)
 	db := tdb.freshSchema(t)
 	jobRepo := postgres.NewJobRepository(db)
 	agentRepo := postgres.NewAgentRepository(db)
 	ctx := context.Background()
 	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "agentclaim")
 	now := time.Now().Truncate(time.Microsecond)
 	cert := &domain.ManagedCertificate{
 		ID: "mc-agentclaim", Name: "agentclaim", CommonName: "agentclaim.example.com",
 		SANs: []string{}, OwnerID: ownerID, TeamID: teamID,
 		IssuerID: issuerID, RenewalPolicyID: policyID,
 		Status:    domain.CertificateStatusActive,
 		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
 		CreatedAt: now, UpdatedAt: now,
 	}
 	if err := postgres.NewCertificateRepository(db).Create(ctx, cert); err != nil {
 		t.Fatalf("create cert failed: %v", err)
 	}
 	agent := &domain.Agent{
 		ID:           "a-claim",
 		Name:         "claim-agent",
 		Hostname:     "claim-agent-host",
 		Status:       domain.AgentStatusOnline,
 		RegisteredAt: now,
 		APIKeyHash:   "hash-claim",
 	}
 	if err := agentRepo.Create(ctx, agent); err != nil {
 		t.Fatalf("create agent failed: %v", err)
 	}
 	agentID := agent.ID
 	mkJob := func(id string, typ domain.JobType, status domain.JobStatus) *domain.Job {
 		return &domain.Job{
 			ID: id, Type: typ, CertificateID: cert.ID,
 			AgentID:     &agentID,
 			Status:      status,
 			Attempts:    0,
 			MaxAttempts: 3,
 			ScheduledAt: now,
 			CreatedAt:   now,
 		}
 	}
 	jobs := []*domain.Job{
 		mkJob("job-agentclaim-dep-1", domain.JobTypeDeployment, domain.JobStatusPending),
 		mkJob("job-agentclaim-dep-2", domain.JobTypeDeployment, domain.JobStatusPending),
 		mkJob("job-agentclaim-csr-1", domain.JobTypeRenewal, domain.JobStatusAwaitingCSR),
 		// A Pending Renewal (not Deployment) must NOT be returned by the per-agent claim.
 		mkJob("job-agentclaim-ren-pending", domain.JobTypeRenewal, domain.JobStatusPending),
 	}
 	for _, j := range jobs {
 		if err := jobRepo.Create(ctx, j); err != nil {
 			t.Fatalf("create job %s failed: %v", j.ID, err)
 		}
 	}
 	claimed, err := jobRepo.ClaimPendingByAgentID(ctx, agentID)
 	if err != nil {
 		t.Fatalf("ClaimPendingByAgentID failed: %v", err)
 	}
 	// Expect exactly the 2 deployments + 1 AwaitingCSR.
 	if len(claimed) != 3 {
 		t.Fatalf("len(claimed) = %d, want 3 (2 deployments + 1 AwaitingCSR)", len(claimed))
 	}
 	statusByID := map[string]domain.JobStatus{}
 	for _, j := range claimed {
 		statusByID[j.ID] = j.Status
 	}
 	// Both deployments must be Running in the returned slice (in-memory reflection).
 	for _, id := range []string{"job-agentclaim-dep-1", "job-agentclaim-dep-2"} {
 		if statusByID[id] != domain.JobStatusRunning {
 			t.Errorf("returned deployment %s Status = %q, want Running", id, statusByID[id])
 		}
 	}
 	// AwaitingCSR must remain AwaitingCSR.
 	if statusByID["job-agentclaim-csr-1"] != domain.JobStatusAwaitingCSR {
 		t.Errorf("returned AwaitingCSR Status = %q, want AwaitingCSR", statusByID["job-agentclaim-csr-1"])
 	}
 	// The unrelated Pending Renewal must not be returned.
 	if _, ok := statusByID["job-agentclaim-ren-pending"]; ok {
 		t.Errorf("Pending Renewal job was returned by ClaimPendingByAgentID — scope violation")
 	}
 	// Persisted state: deployments Running, AwaitingCSR unchanged, Pending Renewal still Pending.
 	for id, want := range map[string]domain.JobStatus{
 		"job-agentclaim-dep-1":       domain.JobStatusRunning,
 		"job-agentclaim-dep-2":       domain.JobStatusRunning,
 		"job-agentclaim-csr-1":       domain.JobStatusAwaitingCSR,
 		"job-agentclaim-ren-pending": domain.JobStatusPending,
 	} {
 		got, err := jobRepo.Get(ctx, id)
 		if err != nil {
 			t.Fatalf("Get(%s) failed: %v", id, err)
 		}
 		if got.Status != want {
 			t.Errorf("persisted %s Status = %q, want %q", id, got.Status, want)
 		}
 	}
 }
@@ -19,13 +19,18 @@ func NewRevocationRepository(db *sql.DB) *RevocationRepository {
 }
 // Create records a new certificate revocation.
 //
 // Uniqueness is scoped to (issuer_id, serial_number) per RFC 5280 §5.2.3.
 // Serial numbers are only unique within an issuer, so certctl supports
 // collisions across different issuer connectors. The composite ON CONFLICT
 // target matches migration 000012's unique index.
 func (r *RevocationRepository) Create(ctx context.Context, revocation *domain.CertificateRevocation) error {
 	_, err := r.db.ExecContext(ctx, `
 		INSERT INTO certificate_revocations (
 			id, certificate_id, serial_number, reason, revoked_by, revoked_at,
 			issuer_id, issuer_notified, created_at
 		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
-		ON CONFLICT (serial_number) DO NOTHING
+		ON CONFLICT (issuer_id, serial_number) DO NOTHING
 	`, revocation.ID, revocation.CertificateID, revocation.SerialNumber,
 		revocation.Reason, revocation.RevokedBy, revocation.RevokedAt,
 		revocation.IssuerID, revocation.IssuerNotified, revocation.CreatedAt)
@@ -37,20 +42,24 @@ func (r *RevocationRepository) Create(ctx context.Context, revocation *domain.Ce
 	return nil
 }
-// GetBySerial retrieves a revocation by serial number.
+// GetByIssuerAndSerial retrieves a revocation by the (issuer_id, serial) pair.
-func (r *RevocationRepository) GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error) {
+//
 // Per RFC 5280 §5.2.3, serial numbers are unique only within a single issuer.
 // Callers (OCSP handlers, CRL generation) always know the issuer because the
 // OCSP URL carries it as a path parameter and CRLs are generated per-issuer.
 func (r *RevocationRepository) GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.CertificateRevocation, error) {
 	var rev domain.CertificateRevocation
 	err := r.db.QueryRowContext(ctx, `
 		SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
 		       issuer_id, issuer_notified, created_at
 		FROM certificate_revocations
-		WHERE serial_number = $1
+		WHERE issuer_id = $1 AND serial_number = $2
-	`, serial).Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
+	`, issuerID, serial).Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
 		&rev.Reason, &rev.RevokedBy, &rev.RevokedAt,
 		&rev.IssuerID, &rev.IssuerNotified, &rev.CreatedAt)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get revocation by serial: %w", err)
+		return nil, fmt.Errorf("failed to get revocation by issuer and serial: %w", err)
 	}
 	return &rev, nil
@@ -2,11 +2,12 @@ package service
 import (
 	"context"
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"log/slog"
 	"math/rand"
 	"time"
 	"github.com/shankar0123/certctl/internal/domain"
@@ -57,8 +58,11 @@ func (s *AgentService) Register(ctx context.Context, name string, hostname strin
 		return nil, "", fmt.Errorf("agent name and hostname are required")
 	}
-	// Generate API key
+	// Generate API key. crypto/rand failure is non-recoverable — propagate immediately.
-	apiKey := generateAPIKey()
+	apiKey, err := generateAPIKey()
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to generate agent api key: %w", err)
 	}
 	apiKeyHash := hashAPIKey(apiKey)
 	now := time.Now()
@@ -87,8 +91,8 @@ func (s *AgentService) Register(ctx context.Context, name string, hostname strin
 	return agent, apiKey, nil
 }
-// HeartbeatWithContext updates an agent's last seen time, status, and metadata.
+// Heartbeat updates an agent's last seen time, status, and metadata.
-func (s *AgentService) HeartbeatWithContext(ctx context.Context, agentID string, metadata *domain.AgentMetadata) error {
+func (s *AgentService) Heartbeat(ctx context.Context, agentID string, metadata *domain.AgentMetadata) error {
 	agent, err := s.agentRepo.Get(ctx, agentID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch agent: %w", err)
@@ -110,12 +114,6 @@ func (s *AgentService) HeartbeatWithContext(ctx context.Context, agentID string,
 	return nil
 }
 // Heartbeat updates agent heartbeat (handler interface method).
 // Note: This method is called from handlers which have a context; callers should prefer HeartbeatWithContext.
 func (s *AgentService) Heartbeat(ctx context.Context, agentID string, metadata *domain.AgentMetadata) error {
 	return s.HeartbeatWithContext(ctx, agentID, metadata)
 }
 // SubmitCSR validates and processes a Certificate Signing Request from an agent.
 // In agent keygen mode, this completes an AwaitingCSR renewal job by signing the CSR
 // and storing the cert version. The private key stays on the agent — only the CSR
@@ -280,8 +278,13 @@ func (s *AgentService) GetPendingWork(ctx context.Context, agentID string) ([]*d
 		return nil, fmt.Errorf("failed to fetch agent: %w", err)
 	}
-	// Return only jobs assigned to this agent (via agent_id or target→agent relationship)
+	// Atomically claim jobs assigned to this agent. H-6 (CWE-362) remediation:
-	return s.jobRepo.ListPendingByAgentID(ctx, agentID)
+	// ClaimPendingByAgentID uses SELECT ... FOR UPDATE SKIP LOCKED so concurrent poll
 	// requests (duplicate agents, retry storms, or a lagging long-poll) never observe
 	// the same Pending deployment row. Pending deployments are flipped to Running inside
 	// the claim transaction; AwaitingCSR jobs keep their state since CSR submission is
 	// the state-machine trigger for their next transition.
 	return s.jobRepo.ClaimPendingByAgentID(ctx, agentID)
 }
 // ReportJobStatus updates a job's status based on agent feedback.
@@ -380,7 +383,10 @@ func (s *AgentService) GetAgent(ctx context.Context, id string) (*domain.Agent,
 // RegisterAgent creates and registers a new agent (handler interface method).
 func (s *AgentService) RegisterAgent(ctx context.Context, agent domain.Agent) (*domain.Agent, error) {
 	agent.ID = generateID("agent")
-	apiKey := generateAPIKey()
+	apiKey, err := generateAPIKey()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate agent api key: %w", err)
 	}
 	agent.APIKeyHash = hashAPIKey(apiKey)
 	agent.Status = domain.AgentStatusOnline
 	now := time.Now()
@@ -487,14 +493,17 @@ func (s *AgentService) CertificatePickup(ctx context.Context, agentID, certID st
 	return string(certPEM), nil
 }
-// generateAPIKey creates a random API key for an agent.
+// generateAPIKey creates a cryptographically secure random API key for an agent.
-func generateAPIKey() string {
+// It fills a 32-byte buffer from crypto/rand (256 bits of entropy) and encodes it with
-	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+// base64.RawURLEncoding, yielding a 43-character URL-safe, unpadded ASCII string.
 // The plaintext key is shown to the caller exactly once; only its SHA-256 hash is stored.
 // Fixes C-1 (CWE-338: previously used math/rand, which is not cryptographically secure).
 func generateAPIKey() (string, error) {
 	b := make([]byte, 32)
-	for i := range b {
+	if _, err := rand.Read(b); err != nil {
-		b[i] = charset[rand.Intn(len(charset))]
+		return "", fmt.Errorf("generate agent api key: %w", err)
 	}
-	return string(b)
+	return base64.RawURLEncoding.EncodeToString(b), nil
 }
 // hashAPIKey hashes an API key using SHA256.
@@ -2,6 +2,7 @@ package service
 import (
 	"context"
 	"encoding/base64"
 	"log/slog"
 	"testing"
 	"time"
@@ -91,7 +92,7 @@ func TestHeartbeat(t *testing.T) {
 	agentService := NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, nil)
-	err := agentService.HeartbeatWithContext(ctx, "agent-001", nil)
+	err := agentService.Heartbeat(ctx, "agent-001", nil)
 	if err != nil {
 		t.Fatalf("Heartbeat failed: %v", err)
 	}
@@ -124,7 +125,7 @@ func TestHeartbeat_NotFound(t *testing.T) {
 	agentService := NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, nil)
-	err := agentService.HeartbeatWithContext(ctx, "nonexistent", nil)
+	err := agentService.Heartbeat(ctx, "nonexistent", nil)
 	if err == nil {
 		t.Fatal("expected error for nonexistent agent")
 	}
@@ -594,3 +595,44 @@ func TestListAgents(t *testing.T) {
 		t.Errorf("expected total 2, got %d", total)
 	}
 }
 // TestGenerateAPIKey_Properties is the core regression test for C-1 (CWE-338).
 // It verifies that generateAPIKey produces cryptographically random,
 // unpadded base64url-encoded, 32-byte (256-bit) keys that never collide
 // across consecutive calls. Exact length and alphabet are verified against
 // base64.RawURLEncoding so any silent change to entropy or encoding fails
 // fast.
 //
 // Note on the error branch: since Go 1.24 (issue #66821) crypto/rand.Read
 // treats entropy-source failures as fatal — the process is terminated
 // rather than returning an error. The defensive `if err != nil` branch
 // in generateAPIKey is therefore unreachable from tests on modern Go.
 // It is kept to preserve the documented (string, error) contract and
 // to remain correct on older Go toolchains or future changes.
 func TestGenerateAPIKey_Properties(t *testing.T) {
 	seen := make(map[string]struct{}, 64)
 	for i := 0; i < 64; i++ {
 		k, err := generateAPIKey()
 		if err != nil {
 			t.Fatalf("generateAPIKey failed: %v", err)
 		}
 		if k == "" {
 			t.Fatal("expected non-empty API key")
 		}
 		// base64.RawURLEncoding of 32 bytes yields exactly 43 chars.
 		if got, want := len(k), 43; got != want {
 			t.Fatalf("expected key length %d, got %d (%q)", want, got, k)
 		}
 		decoded, err := base64.RawURLEncoding.DecodeString(k)
 		if err != nil {
 			t.Fatalf("key %q not valid base64url: %v", k, err)
 		}
 		if len(decoded) != 32 {
 			t.Fatalf("expected 32 decoded bytes (256 bits entropy), got %d", len(decoded))
 		}
 		if _, dup := seen[k]; dup {
 			t.Fatalf("collision detected after %d calls; weak PRNG?", i+1)
 		}
 		seen[k] = struct{}{}
 	}
 }
@@ -110,7 +110,7 @@ func (s *AuditService) ListByAction(ctx context.Context, action string, from, to
 }
 // ListAuditEvents returns paginated audit events (handler interface method).
-func (s *AuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent, int64, error) {
+func (s *AuditService) ListAuditEvents(ctx context.Context, page, perPage int) ([]domain.AuditEvent, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -123,7 +123,7 @@ func (s *AuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent,
 		PerPage: perPage,
 	}
-	events, err := s.auditRepo.List(context.Background(), filter)
+	events, err := s.auditRepo.List(ctx, filter)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list audit events: %w", err)
 	}
@@ -143,13 +143,13 @@ func (s *AuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent,
 }
 // GetAuditEvent returns a single audit event (handler interface method).
-func (s *AuditService) GetAuditEvent(id string) (*domain.AuditEvent, error) {
+func (s *AuditService) GetAuditEvent(ctx context.Context, id string) (*domain.AuditEvent, error) {
 	filter := &repository.AuditFilter{
 		ResourceID: id,
 		PerPage:    1,
 	}
-	events, err := s.auditRepo.List(context.Background(), filter)
+	events, err := s.auditRepo.List(ctx, filter)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get audit event: %w", err)
 	}
@@ -0,0 +1,182 @@
 package service
 import (
 	"context"
 	"fmt"
 	"log/slog"
 	"strings"
 	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/repository"
 )
 // BulkRevocationService coordinates bulk certificate revocation operations.
 // It builds on the single-cert RevokeCertificateWithActor flow — no duplicate logic.
 type BulkRevocationService struct {
 	revSvc       *RevocationSvc
 	certRepo     repository.CertificateRepository
 	auditService *AuditService
 	logger       *slog.Logger
 }
 // NewBulkRevocationService creates a new BulkRevocationService.
 func NewBulkRevocationService(
 	revSvc *RevocationSvc,
 	certRepo repository.CertificateRepository,
 	auditService *AuditService,
 	logger *slog.Logger,
 ) *BulkRevocationService {
 	return &BulkRevocationService{
 		revSvc:       revSvc,
 		certRepo:     certRepo,
 		auditService: auditService,
 		logger:       logger,
 	}
 }
 // BulkRevoke revokes all certificates matching the given criteria.
 // It reuses RevokeCertificateWithActor for each cert — partial failures don't abort the batch.
 func (s *BulkRevocationService) BulkRevoke(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
 	// Validate inputs
 	if criteria.IsEmpty() {
 		return nil, fmt.Errorf("at least one filter criterion is required")
 	}
 	if reason == "" {
 		return nil, fmt.Errorf("revocation reason is required")
 	}
 	if !domain.IsValidRevocationReason(reason) {
 		return nil, fmt.Errorf("invalid revocation reason: %s", reason)
 	}
 	// Resolve matching certificates
 	certs, err := s.resolveCertificates(ctx, criteria)
 	if err != nil {
 		return nil, fmt.Errorf("failed to resolve certificates: %w", err)
 	}
 	result := &domain.BulkRevocationResult{
 		TotalMatched: len(certs),
 	}
 	// Revoke each certificate, continuing on individual failures
 	for _, cert := range certs {
 		// Skip already-revoked or archived certs
 		if cert.Status == domain.CertificateStatusRevoked {
 			result.TotalSkipped++
 			continue
 		}
 		if cert.Status == domain.CertificateStatusArchived {
 			result.TotalSkipped++
 			continue
 		}
 		err := s.revSvc.RevokeCertificateWithActor(ctx, cert.ID, reason, actor)
 		if err != nil {
 			result.TotalFailed++
 			result.Errors = append(result.Errors, domain.BulkRevocationError{
 				CertificateID: cert.ID,
 				Error:         err.Error(),
 			})
 			s.logger.Warn("bulk revocation: individual cert failed",
 				"certificate_id", cert.ID,
 				"error", err)
 		} else {
 			result.TotalRevoked++
 		}
 	}
 	// Record audit event for the bulk operation
 	criteriaDetails := s.buildAuditDetails(criteria)
 	criteriaDetails["reason"] = reason
 	criteriaDetails["total_matched"] = result.TotalMatched
 	criteriaDetails["total_revoked"] = result.TotalRevoked
 	criteriaDetails["total_skipped"] = result.TotalSkipped
 	criteriaDetails["total_failed"] = result.TotalFailed
 	if err := s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser,
 		"bulk_revocation_initiated", "certificate", "bulk",
 		criteriaDetails); err != nil {
 		s.logger.Error("failed to record bulk revocation audit event", "error", err)
 	}
 	return result, nil
 }
 // resolveCertificates fetches the set of certificates matching the bulk revocation criteria.
 // When CertificateIDs are provided, it fetches each cert by ID individually.
 // When filter criteria (profile, owner, etc.) are provided, it uses the repository List method.
 // When both are provided, it intersects: only IDs that also match the filter criteria.
 func (s *BulkRevocationService) resolveCertificates(ctx context.Context, criteria domain.BulkRevocationCriteria) ([]*domain.ManagedCertificate, error) {
 	hasFilterCriteria := criteria.ProfileID != "" || criteria.OwnerID != "" ||
 		criteria.AgentID != "" || criteria.IssuerID != "" || criteria.TeamID != ""
 	hasExplicitIDs := len(criteria.CertificateIDs) > 0
 	if hasExplicitIDs && !hasFilterCriteria {
 		// Only explicit IDs — fetch each cert by ID
 		var certs []*domain.ManagedCertificate
 		for _, id := range criteria.CertificateIDs {
 			cert, err := s.certRepo.Get(ctx, id)
 			if err != nil {
 				// Skip not-found certs — they'll count as "matched" but skipped
 				continue
 			}
 			certs = append(certs, cert)
 		}
 		return certs, nil
 	}
 	// Use filter-based query
 	filter := &repository.CertificateFilter{
 		OwnerID:   criteria.OwnerID,
 		TeamID:    criteria.TeamID,
 		IssuerID:  criteria.IssuerID,
 		AgentID:   criteria.AgentID,
 		ProfileID: criteria.ProfileID,
 		PerPage:   10000, // High limit to get all matching certs in one query
 	}
 	certs, _, err := s.certRepo.List(ctx, filter)
 	if err != nil {
 		return nil, err
 	}
 	// If explicit IDs also provided, intersect
 	if hasExplicitIDs {
 		idSet := make(map[string]bool, len(criteria.CertificateIDs))
 		for _, id := range criteria.CertificateIDs {
 			idSet[id] = true
 		}
 		var filtered []*domain.ManagedCertificate
 		for _, cert := range certs {
 			if idSet[cert.ID] {
 				filtered = append(filtered, cert)
 			}
 		}
 		return filtered, nil
 	}
 	return certs, nil
 }
 // buildAuditDetails constructs a map of criteria fields for the audit event.
 func (s *BulkRevocationService) buildAuditDetails(criteria domain.BulkRevocationCriteria) map[string]interface{} {
 	details := map[string]interface{}{}
 	if criteria.ProfileID != "" {
 		details["profile_id"] = criteria.ProfileID
 	}
 	if criteria.OwnerID != "" {
 		details["owner_id"] = criteria.OwnerID
 	}
 	if criteria.AgentID != "" {
 		details["agent_id"] = criteria.AgentID
 	}
 	if criteria.IssuerID != "" {
 		details["issuer_id"] = criteria.IssuerID
 	}
 	if criteria.TeamID != "" {
 		details["team_id"] = criteria.TeamID
 	}
 	if len(criteria.CertificateIDs) > 0 {
 		details["certificate_ids"] = strings.Join(criteria.CertificateIDs, ",")
 	}
 	return details
 }
@@ -0,0 +1,379 @@
 package service
 import (
 	"context"
 	"errors"
 	"log/slog"
 	"strings"
 	"testing"
 	"time"
 	"github.com/shankar0123/certctl/internal/domain"
 )
 // helper to create a test BulkRevocationService wired for bulk revocation tests
 func newBulkRevocationTestService() (*BulkRevocationService, *mockCertRepo, *mockRevocationRepo, *mockAuditRepo) {
 	certRepo := newMockCertificateRepository()
 	auditRepo := newMockAuditRepository()
 	revocationRepo := newMockRevocationRepository()
 	auditService := NewAuditService(auditRepo)
 	// Create RevocationSvc (underlying single-cert revocation)
 	revSvc := NewRevocationSvc(certRepo, revocationRepo, auditService)
 	registry := NewIssuerRegistry(slog.Default())
 	registry.Set("iss-local", &mockIssuerConnector{})
 	revSvc.SetIssuerRegistry(registry)
 	bulkSvc := NewBulkRevocationService(revSvc, certRepo, auditService, slog.Default())
 	return bulkSvc, certRepo, revocationRepo, auditRepo
 }
 func addTestCert(repo *mockCertRepo, id, status, issuerID string) {
 	cert := &domain.ManagedCertificate{
 		ID:        id,
 		CommonName: id + ".example.com",
 		Status:    domain.CertificateStatus(status),
 		IssuerID:  issuerID,
 		ExpiresAt: time.Now().AddDate(0, 6, 0),
 	}
 	repo.AddCert(cert)
 	// Add a version with serial number (needed by RevokeCertificateWithActor)
 	repo.Versions[id] = []*domain.CertificateVersion{
 		{
 			ID:            "ver-" + id,
 			CertificateID: id,
 			SerialNumber:  "serial-" + id,
 			NotBefore:     time.Now(),
 			NotAfter:      time.Now().AddDate(1, 0, 0),
 			CreatedAt:     time.Now(),
 		},
 	}
 }
 func addTestCertWithProfile(repo *mockCertRepo, id, status, issuerID, profileID, ownerID string) {
 	cert := &domain.ManagedCertificate{
 		ID:        id,
 		CommonName: id + ".example.com",
 		Status:    domain.CertificateStatus(status),
 		IssuerID:  issuerID,
 		CertificateProfileID: profileID,
 		OwnerID:   ownerID,
 		ExpiresAt: time.Now().AddDate(0, 6, 0),
 	}
 	repo.AddCert(cert)
 	repo.Versions[id] = []*domain.CertificateVersion{
 		{
 			ID:            "ver-" + id,
 			CertificateID: id,
 			SerialNumber:  "serial-" + id,
 			NotBefore:     time.Now(),
 			NotAfter:      time.Now().AddDate(1, 0, 0),
 			CreatedAt:     time.Now(),
 		},
 	}
 }
 func TestBulkRevoke_ByExplicitIDs(t *testing.T) {
 	svc, certRepo, _, _ := newBulkRevocationTestService()
 	addTestCert(certRepo, "mc-1", "Active", "iss-local")
 	addTestCert(certRepo, "mc-2", "Active", "iss-local")
 	addTestCert(certRepo, "mc-3", "Active", "iss-local")
 	criteria := domain.BulkRevocationCriteria{
 		CertificateIDs: []string{"mc-1", "mc-2", "mc-3"},
 	}
 	result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
 	if result.TotalMatched != 3 {
 		t.Errorf("expected TotalMatched=3, got %d", result.TotalMatched)
 	}
 	if result.TotalRevoked != 3 {
 		t.Errorf("expected TotalRevoked=3, got %d", result.TotalRevoked)
 	}
 	if result.TotalSkipped != 0 {
 		t.Errorf("expected TotalSkipped=0, got %d", result.TotalSkipped)
 	}
 	if result.TotalFailed != 0 {
 		t.Errorf("expected TotalFailed=0, got %d", result.TotalFailed)
 	}
 	// Verify certs are revoked
 	for _, id := range []string{"mc-1", "mc-2", "mc-3"} {
 		cert, _ := certRepo.Get(context.Background(), id)
 		if cert.Status != domain.CertificateStatusRevoked {
 			t.Errorf("expected cert %s to be Revoked, got %s", id, cert.Status)
 		}
 	}
 }
 func TestBulkRevoke_ByProfile(t *testing.T) {
 	svc, certRepo, _, _ := newBulkRevocationTestService()
 	// The mock List returns all certs regardless of filter (mock limitation).
 	// We test the code path — real repo would filter by profile.
 	addTestCert(certRepo, "mc-1", "Active", "iss-local")
 	addTestCert(certRepo, "mc-2", "Active", "iss-local")
 	criteria := domain.BulkRevocationCriteria{
 		ProfileID: "prof-tls",
 	}
 	result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
 	if result.TotalMatched != 2 {
 		t.Errorf("expected TotalMatched=2, got %d", result.TotalMatched)
 	}
 	if result.TotalRevoked != 2 {
 		t.Errorf("expected TotalRevoked=2, got %d", result.TotalRevoked)
 	}
 }
 func TestBulkRevoke_ByOwner(t *testing.T) {
 	svc, certRepo, _, _ := newBulkRevocationTestService()
 	addTestCertWithProfile(certRepo, "mc-1", "Active", "iss-local", "", "o-alice")
 	addTestCertWithProfile(certRepo, "mc-2", "Active", "iss-local", "", "o-alice")
 	criteria := domain.BulkRevocationCriteria{
 		OwnerID: "o-alice",
 	}
 	result, err := svc.BulkRevoke(context.Background(), criteria, "cessationOfOperation", "admin")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
 	if result.TotalRevoked != 2 {
 		t.Errorf("expected TotalRevoked=2, got %d", result.TotalRevoked)
 	}
 }
 func TestBulkRevoke_MultipleCriteria(t *testing.T) {
 	svc, certRepo, _, _ := newBulkRevocationTestService()
 	addTestCertWithProfile(certRepo, "mc-1", "Active", "iss-local", "prof-tls", "o-alice")
 	addTestCertWithProfile(certRepo, "mc-2", "Active", "iss-local", "prof-tls", "o-bob")
 	criteria := domain.BulkRevocationCriteria{
 		ProfileID:      "prof-tls",
 		CertificateIDs: []string{"mc-1"}, // Intersect: only mc-1 from the filter results
 	}
 	result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
 	// Both certs match the filter, but intersection with IDs gives 1
 	if result.TotalMatched != 1 {
 		t.Errorf("expected TotalMatched=1, got %d", result.TotalMatched)
 	}
 	if result.TotalRevoked != 1 {
 		t.Errorf("expected TotalRevoked=1, got %d", result.TotalRevoked)
 	}
 	// mc-1 should be revoked, mc-2 should not
 	cert1, _ := certRepo.Get(context.Background(), "mc-1")
 	if cert1.Status != domain.CertificateStatusRevoked {
 		t.Errorf("expected mc-1 to be Revoked, got %s", cert1.Status)
 	}
 	cert2, _ := certRepo.Get(context.Background(), "mc-2")
 	if cert2.Status == domain.CertificateStatusRevoked {
 		t.Error("expected mc-2 to NOT be revoked")
 	}
 }
 func TestBulkRevoke_EmptyCriteria_Error(t *testing.T) {
 	svc, _, _, _ := newBulkRevocationTestService()
 	criteria := domain.BulkRevocationCriteria{}
 	_, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
 	if err == nil {
 		t.Fatal("expected error for empty criteria")
 	}
 	if !strings.Contains(err.Error(), "at least one filter criterion") {
 		t.Errorf("expected 'at least one filter criterion' error, got: %v", err)
 	}
 }
 func TestBulkRevoke_InvalidReason_Error(t *testing.T) {
 	svc, _, _, _ := newBulkRevocationTestService()
 	criteria := domain.BulkRevocationCriteria{
 		CertificateIDs: []string{"mc-1"},
 	}
 	_, err := svc.BulkRevoke(context.Background(), criteria, "totallyBogus", "admin")
 	if err == nil {
 		t.Fatal("expected error for invalid reason")
 	}
 	if !strings.Contains(err.Error(), "invalid revocation reason") {
 		t.Errorf("expected 'invalid revocation reason' error, got: %v", err)
 	}
 }
 func TestBulkRevoke_EmptyReason_Error(t *testing.T) {
 	svc, _, _, _ := newBulkRevocationTestService()
 	criteria := domain.BulkRevocationCriteria{
 		CertificateIDs: []string{"mc-1"},
 	}
 	_, err := svc.BulkRevoke(context.Background(), criteria, "", "admin")
 	if err == nil {
 		t.Fatal("expected error for empty reason")
 	}
 	if !strings.Contains(err.Error(), "revocation reason is required") {
 		t.Errorf("expected 'revocation reason is required' error, got: %v", err)
 	}
 }
 func TestBulkRevoke_SkipsRevokedAndArchived(t *testing.T) {
 	svc, certRepo, _, _ := newBulkRevocationTestService()
 	addTestCert(certRepo, "mc-active", "Active", "iss-local")
 	addTestCert(certRepo, "mc-revoked", "Revoked", "iss-local")
 	addTestCert(certRepo, "mc-archived", "Archived", "iss-local")
 	criteria := domain.BulkRevocationCriteria{
 		CertificateIDs: []string{"mc-active", "mc-revoked", "mc-archived"},
 	}
 	result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
 	if result.TotalMatched != 3 {
 		t.Errorf("expected TotalMatched=3, got %d", result.TotalMatched)
 	}
 	if result.TotalRevoked != 1 {
 		t.Errorf("expected TotalRevoked=1, got %d", result.TotalRevoked)
 	}
 	if result.TotalSkipped != 2 {
 		t.Errorf("expected TotalSkipped=2, got %d", result.TotalSkipped)
 	}
 }
 func TestBulkRevoke_PartialFailure(t *testing.T) {
 	svc, certRepo, _, _ := newBulkRevocationTestService()
 	// mc-1 is active with version — will succeed
 	addTestCert(certRepo, "mc-1", "Active", "iss-local")
 	// mc-2 is active but has NO version — RevokeCertificateWithActor will fail on GetLatestVersion
 	cert2 := &domain.ManagedCertificate{
 		ID:        "mc-2",
 		CommonName: "mc-2.example.com",
 		Status:    domain.CertificateStatusActive,
 		IssuerID:  "iss-local",
 		ExpiresAt: time.Now().AddDate(0, 6, 0),
 	}
 	certRepo.AddCert(cert2)
 	// Don't add versions for mc-2 so GetLatestVersion returns errNotFound
 	criteria := domain.BulkRevocationCriteria{
 		CertificateIDs: []string{"mc-1", "mc-2"},
 	}
 	result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
 	if err != nil {
 		t.Fatalf("expected no error (partial failure is ok), got: %v", err)
 	}
 	if result.TotalMatched != 2 {
 		t.Errorf("expected TotalMatched=2, got %d", result.TotalMatched)
 	}
 	if result.TotalRevoked != 1 {
 		t.Errorf("expected TotalRevoked=1, got %d", result.TotalRevoked)
 	}
 	if result.TotalFailed != 1 {
 		t.Errorf("expected TotalFailed=1, got %d", result.TotalFailed)
 	}
 	if len(result.Errors) != 1 {
 		t.Fatalf("expected 1 error entry, got %d", len(result.Errors))
 	}
 	if result.Errors[0].CertificateID != "mc-2" {
 		t.Errorf("expected error for mc-2, got %s", result.Errors[0].CertificateID)
 	}
 }
 func TestBulkRevoke_AuditEvent(t *testing.T) {
 	svc, certRepo, _, auditRepo := newBulkRevocationTestService()
 	addTestCert(certRepo, "mc-1", "Active", "iss-local")
 	criteria := domain.BulkRevocationCriteria{
 		CertificateIDs: []string{"mc-1"},
 	}
 	_, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
 	// Find the bulk_revocation_initiated audit event
 	var found bool
 	for _, event := range auditRepo.Events {
 		if event.Action == "bulk_revocation_initiated" {
 			found = true
 			if event.Actor != "admin" {
 				t.Errorf("expected actor 'admin', got '%s'", event.Actor)
 			}
 			if event.ResourceType != "certificate" {
 				t.Errorf("expected resource type 'certificate', got '%s'", event.ResourceType)
 			}
 			break
 		}
 	}
 	if !found {
 		t.Error("expected bulk_revocation_initiated audit event")
 	}
 }
 func TestBulkRevoke_NoMatches(t *testing.T) {
 	svc, _, _, _ := newBulkRevocationTestService()
 	// IDs that don't exist in the repo
 	criteria := domain.BulkRevocationCriteria{
 		CertificateIDs: []string{"mc-nonexistent-1", "mc-nonexistent-2"},
 	}
 	result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
 	if result.TotalMatched != 0 {
 		t.Errorf("expected TotalMatched=0, got %d", result.TotalMatched)
 	}
 	if result.TotalRevoked != 0 {
 		t.Errorf("expected TotalRevoked=0, got %d", result.TotalRevoked)
 	}
 }
 func TestBulkRevoke_ListError(t *testing.T) {
 	svc, certRepo, _, _ := newBulkRevocationTestService()
 	certRepo.ListErr = errors.New("database connection failed")
 	criteria := domain.BulkRevocationCriteria{
 		ProfileID: "prof-tls",
 	}
 	_, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
 	if err == nil {
 		t.Fatal("expected error from list failure")
 	}
 	if !strings.Contains(err.Error(), "failed to resolve certificates") {
 		t.Errorf("expected 'failed to resolve certificates' error, got: %v", err)
 	}
 }
@@ -41,7 +41,7 @@ func (s *CAOperationsSvc) SetIssuerRegistry(registry *IssuerRegistry) {
 // GenerateDERCRL generates a DER-encoded X.509 CRL for the given issuer.
 // Short-lived certificates (profile TTL < 1 hour) are excluded from the CRL.
-func (s *CAOperationsSvc) GenerateDERCRL(issuerID string) ([]byte, error) {
+func (s *CAOperationsSvc) GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error) {
 	if s.revocationRepo == nil {
 		return nil, fmt.Errorf("revocation repository not configured")
 	}
@@ -54,7 +54,7 @@ func (s *CAOperationsSvc) GenerateDERCRL(issuerID string) ([]byte, error) {
 		return nil, fmt.Errorf("issuer not found: %s", issuerID)
 	}
-	revocations, err := s.revocationRepo.ListAll(context.Background())
+	revocations, err := s.revocationRepo.ListAll(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("failed to list revocations: %w", err)
 	}
@@ -69,9 +69,9 @@ func (s *CAOperationsSvc) GenerateDERCRL(issuerID string) ([]byte, error) {
 		// Check short-lived exemption: look up the cert's profile
 		if s.profileRepo != nil && s.certRepo != nil {
-			cert, err := s.certRepo.Get(context.Background(), rev.CertificateID)
+			cert, err := s.certRepo.Get(ctx, rev.CertificateID)
 			if err == nil && cert.CertificateProfileID != "" {
-				profile, err := s.profileRepo.Get(context.Background(), cert.CertificateProfileID)
+				profile, err := s.profileRepo.Get(ctx, cert.CertificateProfileID)
 				if err == nil && profile.IsShortLived() {
 					slog.Debug("skipping short-lived cert from CRL",
 						"certificate_id", rev.CertificateID,
@@ -92,11 +92,11 @@ func (s *CAOperationsSvc) GenerateDERCRL(issuerID string) ([]byte, error) {
 		})
 	}
-	return issuerConn.GenerateCRL(context.Background(), entries)
+	return issuerConn.GenerateCRL(ctx, entries)
 }
 // GetOCSPResponse generates a signed OCSP response for the given certificate serial.
-func (s *CAOperationsSvc) GetOCSPResponse(issuerID string, serialHex string) ([]byte, error) {
+func (s *CAOperationsSvc) GetOCSPResponse(ctx context.Context, issuerID string, serialHex string) ([]byte, error) {
 	if s.revocationRepo == nil {
 		return nil, fmt.Errorf("revocation repository not configured")
 	}
@@ -117,14 +117,16 @@ func (s *CAOperationsSvc) GetOCSPResponse(issuerID string, serialHex string) ([]
 	// Short-lived cert exemption: if the cert's profile has TTL < 1 hour,
 	// always return "good" — expiry is sufficient revocation for short-lived certs.
 	if s.profileRepo != nil && s.certRepo != nil {
-		// Look up cert by serial through revocation table
+		// Look up cert by (issuer_id, serial) — per RFC 5280 §5.2.3, serial numbers
-		rev, _ := s.revocationRepo.GetBySerial(context.Background(), serialHex)
+		// are unique only within a single issuer. The OCSP URL path carries issuer_id,
 		// so we scope the lookup to avoid cross-issuer collisions.
 		rev, _ := s.revocationRepo.GetByIssuerAndSerial(ctx, issuerID, serialHex)
 		if rev != nil {
-			cert, err := s.certRepo.Get(context.Background(), rev.CertificateID)
+			cert, err := s.certRepo.Get(ctx, rev.CertificateID)
 			if err == nil && cert.CertificateProfileID != "" {
-				profile, err := s.profileRepo.Get(context.Background(), cert.CertificateProfileID)
+				profile, err := s.profileRepo.Get(ctx, cert.CertificateProfileID)
 				if err == nil && profile.IsShortLived() {
-					return issuerConn.SignOCSPResponse(context.Background(), OCSPSignRequest{
+					return issuerConn.SignOCSPResponse(ctx, OCSPSignRequest{
 						CertSerial: serial,
 						CertStatus: 0, // good — short-lived exemption
 						ThisUpdate: now,
@@ -135,11 +137,11 @@ func (s *CAOperationsSvc) GetOCSPResponse(issuerID string, serialHex string) ([]
 		}
 	}
-	// Check if this serial is revoked
+	// Check if this (issuer_id, serial) is revoked — RFC 5280 §5.2.3 scoping.
-	rev, err := s.revocationRepo.GetBySerial(context.Background(), serialHex)
+	rev, err := s.revocationRepo.GetByIssuerAndSerial(ctx, issuerID, serialHex)
 	if err != nil {
 		// Not revoked — return "good" status
-		return issuerConn.SignOCSPResponse(context.Background(), OCSPSignRequest{
+		return issuerConn.SignOCSPResponse(ctx, OCSPSignRequest{
 			CertSerial: serial,
 			CertStatus: 0, // good
 			ThisUpdate: now,
@@ -148,7 +150,7 @@ func (s *CAOperationsSvc) GetOCSPResponse(issuerID string, serialHex string) ([]
 	}
 	// Revoked
-	return issuerConn.SignOCSPResponse(context.Background(), OCSPSignRequest{
+	return issuerConn.SignOCSPResponse(ctx, OCSPSignRequest{
 		CertSerial:       serial,
 		CertStatus:       1, // revoked
 		RevokedAt:        rev.RevokedAt,
@@ -3,6 +3,7 @@
 package service
 import (
 	"context"
 	"log/slog"
 	"testing"
 	"time"
@@ -48,7 +49,7 @@ func TestCAOperationsSvc_GenerateDERCRL_Success(t *testing.T) {
 		},
 	}
-	crl, err := caSvc.GenerateDERCRL("iss-local")
+	crl, err := caSvc.GenerateDERCRL(context.Background(), "iss-local")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
@@ -71,7 +72,7 @@ func TestCAOperationsSvc_GenerateDERCRL_EmptyCRL(t *testing.T) {
 	// No revoked certs for this issuer
 	revocationRepo.Revocations = []*domain.CertificateRevocation{}
-	crl, err := caSvc.GenerateDERCRL("iss-local")
+	crl, err := caSvc.GenerateDERCRL(context.Background(), "iss-local")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
@@ -112,7 +113,7 @@ func TestCAOperationsSvc_GetOCSPResponse_Good(t *testing.T) {
 	certRepo.Versions["cert-ocsp-good"] = []*domain.CertificateVersion{version}
 	// Request OCSP response for good cert
-	resp, err := caSvc.GetOCSPResponse("iss-local", "OCSP-GOOD-001")
+	resp, err := caSvc.GetOCSPResponse(context.Background(), "iss-local", "OCSP-GOOD-001")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
@@ -165,7 +166,7 @@ func TestCAOperationsSvc_GetOCSPResponse_Revoked(t *testing.T) {
 	}
 	// Request OCSP response for revoked cert
-	resp, err := caSvc.GetOCSPResponse("iss-local", "OCSP-REVOKED-001")
+	resp, err := caSvc.GetOCSPResponse(context.Background(), "iss-local", "OCSP-REVOKED-001")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
@@ -71,8 +71,8 @@ func (s *CertificateService) List(ctx context.Context, filter *repository.Certif
 // ListCertificatesWithFilter returns a list of certificates with advanced filtering (M20).
 // This method supports the new M20 filters and returns domain.ManagedCertificate (not pointers).
-func (s *CertificateService) ListCertificatesWithFilter(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+func (s *CertificateService) ListCertificatesWithFilter(ctx context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
-	certs, total, err := s.certRepo.List(context.Background(), filter)
+	certs, total, err := s.certRepo.List(ctx, filter)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list certificates with filter: %w", err)
 	}
@@ -206,10 +206,10 @@ func (s *CertificateService) GetVersions(ctx context.Context, certID string) ([]
 	return versions, nil
 }
-// TriggerRenewalWithActor initiates a renewal job if the certificate is eligible.
+// TriggerRenewal initiates a renewal job if the certificate is eligible.
 // Creates a Renewal job (or Issuance for new certs) so the scheduler's job processor
 // can pick it up and route it through the issuer connector.
-func (s *CertificateService) TriggerRenewalWithActor(ctx context.Context, certID string, actor string) error {
+func (s *CertificateService) TriggerRenewal(ctx context.Context, certID string, actor string) error {
 	cert, err := s.certRepo.Get(ctx, certID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch certificate: %w", err)
@@ -283,8 +283,11 @@ func (s *CertificateService) TriggerRenewalWithActor(ctx context.Context, certID
 	return nil
 }
-// TriggerDeploymentWithActor creates deployment jobs for all targets of a certificate.
+// TriggerDeployment creates deployment jobs for all targets of a certificate.
-func (s *CertificateService) TriggerDeploymentWithActor(ctx context.Context, certID string, actor string) error {
+// The targetID parameter is accepted from the handler interface but currently unused;
 // deployment coordination happens per-certificate across all of its targets.
 func (s *CertificateService) TriggerDeployment(ctx context.Context, certID string, targetID string, actor string) error {
 	_ = targetID
 	cert, err := s.certRepo.Get(ctx, certID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch certificate: %w", err)
@@ -306,7 +309,7 @@ func (s *CertificateService) TriggerDeploymentWithActor(ctx context.Context, cer
 }
 // ListCertificates returns paginated certificates with optional filtering (handler interface method).
-func (s *CertificateService) ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
+func (s *CertificateService) ListCertificates(ctx context.Context, status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -325,7 +328,7 @@ func (s *CertificateService) ListCertificates(status, environment, ownerID, team
 		PerPage:     perPage,
 	}
-	certs, total, err := s.certRepo.List(context.Background(), filter)
+	certs, total, err := s.certRepo.List(ctx, filter)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list certificates: %w", err)
 	}
@@ -341,12 +344,12 @@ func (s *CertificateService) ListCertificates(status, environment, ownerID, team
 }
 // GetCertificate returns a single certificate (handler interface method).
-func (s *CertificateService) GetCertificate(id string) (*domain.ManagedCertificate, error) {
+func (s *CertificateService) GetCertificate(ctx context.Context, id string) (*domain.ManagedCertificate, error) {
-	return s.certRepo.Get(context.Background(), id)
+	return s.certRepo.Get(ctx, id)
 }
 // CreateCertificate creates a new certificate (handler interface method).
-func (s *CertificateService) CreateCertificate(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+func (s *CertificateService) CreateCertificate(ctx context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 	if cert.ID == "" {
 		cert.ID = generateID("cert")
 	}
@@ -365,16 +368,14 @@ func (s *CertificateService) CreateCertificate(cert domain.ManagedCertificate) (
 	if cert.Tags == nil {
 		cert.Tags = make(map[string]string)
 	}
-	if err := s.certRepo.Create(context.Background(), &cert); err != nil {
+	if err := s.certRepo.Create(ctx, &cert); err != nil {
 		return nil, fmt.Errorf("failed to create certificate: %w", err)
 	}
 	return &cert, nil
 }
 // UpdateCertificate modifies a certificate (handler interface method).
-func (s *CertificateService) UpdateCertificate(id string, patch domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+func (s *CertificateService) UpdateCertificate(ctx context.Context, id string, patch domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 	ctx := context.Background()
 	// Fetch existing certificate so partial updates don't zero out fields
 	existing, err := s.certRepo.Get(ctx, id)
 	if err != nil {
@@ -425,12 +426,12 @@ func (s *CertificateService) UpdateCertificate(id string, patch domain.ManagedCe
 }
 // ArchiveCertificate marks a certificate as archived (handler interface method).
-func (s *CertificateService) ArchiveCertificate(id string) error {
+func (s *CertificateService) ArchiveCertificate(ctx context.Context, id string) error {
-	return s.certRepo.Archive(context.Background(), id)
+	return s.certRepo.Archive(ctx, id)
 }
 // GetCertificateVersions returns certificate versions (handler interface method).
-func (s *CertificateService) GetCertificateVersions(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+func (s *CertificateService) GetCertificateVersions(ctx context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -438,7 +439,7 @@ func (s *CertificateService) GetCertificateVersions(certID string, page, perPage
 		perPage = 50
 	}
-	versions, err := s.certRepo.ListVersions(context.Background(), certID)
+	versions, err := s.certRepo.ListVersions(ctx, certID)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list certificate versions: %w", err)
 	}
@@ -463,24 +464,8 @@ func (s *CertificateService) GetCertificateVersions(certID string, page, perPage
 	return result, total, nil
 }
-// TriggerRenewal initiates renewal (handler interface method).
+// RevokeCertificate performs revocation with actor tracking. Delegates to RevocationSvc.
-func (s *CertificateService) TriggerRenewal(certID string) error {
+func (s *CertificateService) RevokeCertificate(ctx context.Context, certID string, reason string, actor string) error {
 	return s.TriggerRenewalWithActor(context.Background(), certID, "api")
 }
 // TriggerDeployment triggers deployment (handler interface method).
 func (s *CertificateService) TriggerDeployment(certID string, targetID string) error {
 	return s.TriggerDeploymentWithActor(context.Background(), certID, "api")
 }
 // RevokeCertificate revokes a certificate with the given reason (handler interface method).
 func (s *CertificateService) RevokeCertificate(certID string, reason string) error {
 	return s.RevokeCertificateWithActor(context.Background(), certID, reason, "api")
 }
 // RevokeCertificateWithActor performs revocation with actor tracking.
 // Delegates to RevocationSvc.
 func (s *CertificateService) RevokeCertificateWithActor(ctx context.Context, certID string, reason string, actor string) error {
 	if s.revSvc == nil {
 		return fmt.Errorf("revocation service not configured")
 	}
@@ -489,35 +474,35 @@ func (s *CertificateService) RevokeCertificateWithActor(ctx context.Context, cer
 // GetRevokedCertificates returns all revoked certificate records (for CRL generation).
 // Delegates to RevocationSvc.
-func (s *CertificateService) GetRevokedCertificates() ([]*domain.CertificateRevocation, error) {
+func (s *CertificateService) GetRevokedCertificates(ctx context.Context) ([]*domain.CertificateRevocation, error) {
 	if s.revSvc == nil {
 		return nil, fmt.Errorf("revocation service not configured")
 	}
-	return s.revSvc.GetRevokedCertificates()
+	return s.revSvc.GetRevokedCertificates(ctx)
 }
 // GenerateDERCRL generates a DER-encoded X.509 CRL for the given issuer.
 // Delegates to CAOperationsSvc.
-func (s *CertificateService) GenerateDERCRL(issuerID string) ([]byte, error) {
+func (s *CertificateService) GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error) {
 	if s.caSvc == nil {
 		return nil, fmt.Errorf("CA operations service not configured")
 	}
-	return s.caSvc.GenerateDERCRL(issuerID)
+	return s.caSvc.GenerateDERCRL(ctx, issuerID)
 }
 // GetOCSPResponse generates a signed OCSP response for the given certificate serial.
 // Delegates to CAOperationsSvc.
-func (s *CertificateService) GetOCSPResponse(issuerID string, serialHex string) ([]byte, error) {
+func (s *CertificateService) GetOCSPResponse(ctx context.Context, issuerID string, serialHex string) ([]byte, error) {
 	if s.caSvc == nil {
 		return nil, fmt.Errorf("CA operations service not configured")
 	}
-	return s.caSvc.GetOCSPResponse(issuerID, serialHex)
+	return s.caSvc.GetOCSPResponse(ctx, issuerID, serialHex)
 }
 // GetCertificateDeployments returns all deployment targets for a certificate (M20).
-func (s *CertificateService) GetCertificateDeployments(certID string) ([]domain.DeploymentTarget, error) {
+func (s *CertificateService) GetCertificateDeployments(ctx context.Context, certID string) ([]domain.DeploymentTarget, error) {
 	// Verify certificate exists
-	_, err := s.certRepo.Get(context.Background(), certID)
+	_, err := s.certRepo.Get(ctx, certID)
 	if err != nil {
 		return nil, fmt.Errorf("certificate not found: %w", err)
 	}
@@ -527,7 +512,7 @@ func (s *CertificateService) GetCertificateDeployments(certID string) ([]domain.
 	}
 	// Get targets from repository
-	targets, err := s.targetRepo.ListByCertificate(context.Background(), certID)
+	targets, err := s.targetRepo.ListByCertificate(ctx, certID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to list deployment targets: %w", err)
 	}
@@ -34,7 +34,7 @@ func TestCertificateService_RevokeCertificate_RevocationSvcNil(t *testing.T) {
 	certRepo.AddCert(cert)
 	// Call RevokeCertificateWithActor with nil RevocationSvc
-	err := certService.RevokeCertificateWithActor(context.Background(), "cert-1", "keyCompromise", "admin")
+	err := certService.RevokeCertificate(context.Background(), "cert-1", "keyCompromise", "admin")
 	// Assert: Should return error, NOT panic
 	if err == nil {
@@ -64,7 +64,7 @@ func TestCertificateService_GenerateDERCRL_CAOpsSvcNil(t *testing.T) {
 	// Note: NOT calling certService.SetCAOperationsSvc(...)
 	// Call GenerateDERCRL with nil CAOperationsSvc
-	_, err := certService.GenerateDERCRL("iss-local")
+	_, err := certService.GenerateDERCRL(context.Background(), "iss-local")
 	// Assert: Should return error, NOT panic
 	if err == nil {
@@ -94,7 +94,7 @@ func TestCertificateService_GetOCSPResponse_CAOpsSvcNil(t *testing.T) {
 	// Note: NOT calling certService.SetCAOperationsSvc(...)
 	// Call GetOCSPResponse with nil CAOperationsSvc
-	_, err := certService.GetOCSPResponse("iss-local", "serial123")
+	_, err := certService.GetOCSPResponse(context.Background(), "iss-local", "serial123")
 	// Assert: Should return error, NOT panic
 	if err == nil {
@@ -124,7 +124,7 @@ func TestCertificateService_GetRevokedCertificates_RevocationSvcNil(t *testing.T
 	// Note: NOT calling certService.SetRevocationSvc(...)
 	// Call GetRevokedCertificates with nil RevocationSvc
-	_, err := certService.GetRevokedCertificates()
+	_, err := certService.GetRevokedCertificates(context.Background())
 	// Assert: Should return error, NOT panic
 	if err == nil {
@@ -177,7 +177,7 @@ func TestCertificateService_GetCertificateDeployments_Success(t *testing.T) {
 	targetRepo.AddTarget(target2)
 	// Call GetCertificateDeployments
-	deployments, err := certService.GetCertificateDeployments("cert-1")
+	deployments, err := certService.GetCertificateDeployments(context.Background(), "cert-1")
 	// Assert: Should return deployment list successfully
 	if err != nil {
@@ -218,7 +218,7 @@ func TestCertificateService_GetCertificateDeployments_RepositoryError(t *testing
 	certRepo.AddCert(cert)
 	// Call GetCertificateDeployments with repo error
-	_, err := certService.GetCertificateDeployments("cert-1")
+	_, err := certService.GetCertificateDeployments(context.Background(), "cert-1")
 	// Assert: Should return error, NOT panic
 	if err == nil {
@@ -247,7 +247,7 @@ func TestCertificateService_GetCertificateDeployments_CertNotFound(t *testing.T)
 	certService.SetTargetRepo(targetRepo)
 	// Call GetCertificateDeployments with nonexistent certificate
-	_, err := certService.GetCertificateDeployments("nonexistent-cert")
+	_, err := certService.GetCertificateDeployments(context.Background(), "nonexistent-cert")
 	// Assert: Should return error
 	if err == nil {
@@ -283,7 +283,7 @@ func TestCertificateService_GetCertificateDeployments_NilTargetRepo(t *testing.T
 	certRepo.AddCert(cert)
 	// Call GetCertificateDeployments with nil TargetRepo
-	deployments, err := certService.GetCertificateDeployments("cert-1")
+	deployments, err := certService.GetCertificateDeployments(context.Background(), "cert-1")
 	// Assert: Should return empty list gracefully (not panic)
 	if err != nil {
@@ -337,19 +337,19 @@ func TestCertificateService_Multiple_NilSafetyChecks(t *testing.T) {
 	revSvc.SetIssuerRegistry(registry)
 	// Test 1: RevokeCertificateWithActor should succeed (RevocationSvc is set)
-	errRevoke := certService.RevokeCertificateWithActor(context.Background(), "cert-1", "keyCompromise", "admin")
+	errRevoke := certService.RevokeCertificate(context.Background(), "cert-1", "keyCompromise", "admin")
 	if errRevoke != nil {
 		t.Fatalf("RevokeCertificateWithActor failed unexpectedly: %v", errRevoke)
 	}
 	// Test 2: GenerateDERCRL should fail gracefully (CAOperationsSvc is nil)
-	_, errCRL := certService.GenerateDERCRL("iss-local")
+	_, errCRL := certService.GenerateDERCRL(context.Background(), "iss-local")
 	if errCRL == nil {
 		t.Fatal("GenerateDERCRL expected error, got nil")
 	}
 	// Test 3: GetOCSPResponse should fail gracefully (CAOperationsSvc is nil)
-	_, errOCSP := certService.GetOCSPResponse("iss-local", "ABC123")
+	_, errOCSP := certService.GetOCSPResponse(context.Background(), "iss-local", "ABC123")
 	if errOCSP == nil {
 		t.Fatal("GetOCSPResponse expected error, got nil")
 	}
@@ -294,7 +294,7 @@ func TestTriggerRenewal(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	certService := NewCertificateService(certRepo, policyService, auditService)
-	err := certService.TriggerRenewalWithActor(ctx, "cert-001", "user-1")
+	err := certService.TriggerRenewal(ctx, "cert-001", "user-1")
 	if err != nil {
 		t.Fatalf("TriggerRenewal failed: %v", err)
 	}
@@ -333,13 +333,14 @@ func TestTriggerRenewal_Archived(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	certService := NewCertificateService(certRepo, policyService, auditService)
-	err := certService.TriggerRenewalWithActor(ctx, "cert-001", "user-1")
+	err := certService.TriggerRenewal(ctx, "cert-001", "user-1")
 	if err == nil {
 		t.Fatal("expected error for archived certificate")
 	}
 }
 func TestListCertificates(t *testing.T) {
 	ctx := context.Background()
 	now := time.Now()
 	cert1 := &domain.ManagedCertificate{
 		ID:         "cert-001",
@@ -369,7 +370,7 @@ func TestListCertificates(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	certService := NewCertificateService(certRepo, policyService, auditService)
-	certs, total, err := certService.ListCertificates("", "", "", "", "", 1, 50)
+	certs, total, err := certService.ListCertificates(ctx, "", "", "", "", "", 1, 50)
 	if err != nil {
 		t.Fatalf("ListCertificates failed: %v", err)
 	}
@@ -159,7 +159,7 @@ func TestConcurrentAgentHeartbeats(t *testing.T) {
 				Architecture: "x86_64",
 			}
-			err := agentSvc.HeartbeatWithContext(ctx, agentID, metadata)
+			err := agentSvc.Heartbeat(ctx, agentID, metadata)
 			if err != nil {
 				errChan <- fmt.Errorf("goroutine %d: failed heartbeat for agent %s: %w", idx, agentID, err)
 				return
@@ -194,7 +194,7 @@ func TestConcurrentTargetCRUD(t *testing.T) {
 		Targets: make(map[string]*domain.DeploymentTarget),
 	}
-	targetSvc := NewTargetService(mockTargetRepo, nil, nil, nil, slog.New(slog.NewTextHandler(os.Stderr, nil)))
+	targetSvc := NewTargetService(mockTargetRepo, nil, nil, "", slog.New(slog.NewTextHandler(os.Stderr, nil)))
 	var mu sync.Mutex
 	createdTargets := make([]string, 0)
@@ -403,7 +403,7 @@ func TestConcurrentMixedOperations(t *testing.T) {
 	// Setup services
 	auditSvc := &AuditService{auditRepo: mockAuditRepo}
 	certSvc := NewCertificateService(mockCertRepo, nil, auditSvc)
-	targetSvc := NewTargetService(mockTargetRepo, auditSvc, nil, nil, slog.New(slog.NewTextHandler(os.Stderr, nil)))
+	targetSvc := NewTargetService(mockTargetRepo, auditSvc, nil, "", slog.New(slog.NewTextHandler(os.Stderr, nil)))
 	var wg sync.WaitGroup
 	errChan := make(chan error, 30)
@@ -142,7 +142,7 @@ func TestTargetService_ListWithCancelledContext(t *testing.T) {
 	mockTargetRepo := &mockTargetRepo{
 		Targets: make(map[string]*domain.DeploymentTarget),
 	}
-	targetSvc := NewTargetService(mockTargetRepo, nil, nil, nil, slog.New(slog.NewTextHandler(os.Stderr, nil)))
+	targetSvc := NewTargetService(mockTargetRepo, nil, nil, "", slog.New(slog.NewTextHandler(os.Stderr, nil)))
 	_, _, err := targetSvc.List(ctx, 1, 50)
@@ -176,13 +176,13 @@ func TestAgentService_HeartbeatWithCancelledContext(t *testing.T) {
 		nil, // renewalService
 	)
-	err := agentSvc.HeartbeatWithContext(ctx, "agent-1", &domain.AgentMetadata{})
+	err := agentSvc.Heartbeat(ctx, "agent-1", &domain.AgentMetadata{})
 	// Service should handle cancelled context
 	if err == nil || ctx.Err() == context.Canceled {
 		return
 	}
-	t.Logf("HeartbeatWithContext with cancelled context returned: %v", err)
+	t.Logf("Heartbeat with cancelled context returned: %v", err)
 }
 // Test with timeout context (should trigger deadline exceeded)
@@ -229,11 +229,11 @@ func TestAgentService_HeartbeatWithDeadlineExceeded(t *testing.T) {
 	time.Sleep(10 * time.Millisecond) // Ensure deadline is exceeded
-	err := agentSvc.HeartbeatWithContext(ctx, "agent-1", &domain.AgentMetadata{})
+	err := agentSvc.Heartbeat(ctx, "agent-1", &domain.AgentMetadata{})
 	// Service should handle deadline exceeded
 	if err == nil || ctx.Err() == context.DeadlineExceeded {
 		return
 	}
-	t.Logf("HeartbeatWithContext with deadline exceeded returned: %v", err)
+	t.Logf("Heartbeat with deadline exceeded returned: %v", err)
 }
@@ -17,20 +17,27 @@ import (
 )
 // IssuerService provides business logic for certificate issuer management.
 //
 // The encryptionKey field holds the raw passphrase (not a pre-derived 32-byte
 // key). Per-ciphertext salt derivation is performed inside
 // [crypto.EncryptIfKeySet] / [crypto.DecryptIfKeySet] on each call. See M-8
 // in certctl-audit-report.md.
 type IssuerService struct {
 	issuerRepo    repository.IssuerRepository
 	auditService  *AuditService
 	registry      *IssuerRegistry
-	encryptionKey []byte
+	encryptionKey string
 	logger        *slog.Logger
 }
-// NewIssuerService creates a new issuer service.
+// NewIssuerService creates a new issuer service. The encryptionKey is the raw
 // passphrase; it MUST NOT be pre-derived via crypto.DeriveKey (that was the
 // v1 behavior, replaced in M-8 with per-ciphertext random salt).
 func NewIssuerService(
 	issuerRepo repository.IssuerRepository,
 	auditService *AuditService,
 	registry *IssuerRegistry,
-	encryptionKey []byte,
+	encryptionKey string,
 	logger *slog.Logger,
 ) *IssuerService {
 	return &IssuerService{
@@ -253,9 +260,9 @@ func (s *IssuerService) Delete(ctx context.Context, id string, actor string) err
 	return nil
 }
-// TestConnectionWithContext tests the connection to an issuer by instantiating a throwaway
+// TestConnection tests the connection to an issuer by instantiating a throwaway
 // connector and calling ValidateConfig. Records the result in the database.
-func (s *IssuerService) TestConnectionWithContext(ctx context.Context, id string) error {
+func (s *IssuerService) TestConnection(ctx context.Context, id string) error {
 	iss, err := s.issuerRepo.Get(ctx, id)
 	if err != nil {
 		return fmt.Errorf("issuer not found: %w", err)
@@ -284,11 +291,6 @@ func (s *IssuerService) TestConnectionWithContext(ctx context.Context, id string
 	return nil
 }
 // TestConnection verifies the issuer connection (handler interface method).
 func (s *IssuerService) TestConnection(id string) error {
 	return s.TestConnectionWithContext(context.Background(), id)
 }
 // BuildRegistry loads all enabled issuers from the database and rebuilds the dynamic registry.
 // Called at server startup. Partial failures (individual issuers failing to load) are logged
 // as warnings but don't prevent the server from starting.
@@ -327,8 +329,20 @@ func (s *IssuerService) SeedFromEnvVars(ctx context.Context, cfg *config.Config)
 	seeds := s.buildEnvVarSeeds(cfg)
 	seeded := 0
 	for _, seed := range seeds {
-		// Encrypt the config if key is set
+		// Encrypt the config only when an encryption key is configured.
-		if len(seed.Config) > 0 {
+		//
 		// Env-seeded issuers carry Source="env" and are reconstructable on every
 		// boot from process environment, so persisting their config in plaintext
 		// adds no new exposure: the same bytes already live in the operator's
 		// deployment manifest. When no key is configured we therefore leave
 		// EncryptedConfig nil and keep the raw JSON in the `config` column —
 		// IssuerRegistry.Rebuild falls through to `cfg.Config` when there is no
 		// ciphertext to decrypt, so registry load still works.
 		//
 		// Database-sourced rows (Source="database") never reach this branch:
 		// they are created through the GUI/API write paths, which require the
 		// encryption key and fail closed via crypto.ErrEncryptionKeyRequired.
 		if len(seed.Config) > 0 && len(s.encryptionKey) > 0 {
 			encrypted, _, encErr := crypto.EncryptIfKeySet([]byte(seed.Config), s.encryptionKey)
 			if encErr != nil {
 				s.logger.Error("failed to encrypt seed config", "id", seed.ID, "error", encErr)
@@ -565,17 +579,21 @@ func (s *IssuerService) buildEnvVarSeeds(cfg *config.Config) []*domain.Issuer {
 	// Conditional: GlobalSign — only seed if API URL and API key are set
 	if cfg.GlobalSign.APIUrl != "" && cfg.GlobalSign.APIKey != "" {
 		globalSignConfig := map[string]interface{}{
 			"api_url":          cfg.GlobalSign.APIUrl,
 			"api_key":          cfg.GlobalSign.APIKey,
 			"api_secret":       cfg.GlobalSign.APISecret,
 			"client_cert_path": cfg.GlobalSign.ClientCertPath,
 			"client_key_path":  cfg.GlobalSign.ClientKeyPath,
 		}
 		if cfg.GlobalSign.ServerCAPath != "" {
 			globalSignConfig["server_ca_path"] = cfg.GlobalSign.ServerCAPath
 		}
 		seeds = append(seeds, &domain.Issuer{
-			ID:   "iss-globalsign",
+			ID:        "iss-globalsign",
-			Name: "GlobalSign Atlas",
+			Name:      "GlobalSign Atlas",
-			Type: domain.IssuerTypeGlobalSign,
+			Type:      domain.IssuerTypeGlobalSign,
-			Config: mustJSON(map[string]interface{}{
+			Config:    mustJSON(globalSignConfig),
 				"api_url":          cfg.GlobalSign.APIUrl,
 				"api_key":          cfg.GlobalSign.APIKey,
 				"api_secret":       cfg.GlobalSign.APISecret,
 				"client_cert_path": cfg.GlobalSign.ClientCertPath,
 				"client_key_path":  cfg.GlobalSign.ClientKeyPath,
 			}),
 			Enabled:   true,
 			Source:    "env",
 			CreatedAt: now,
@@ -610,7 +628,7 @@ func (s *IssuerService) buildEnvVarSeeds(cfg *config.Config) []*domain.Issuer {
 }
 // ListIssuers returns paginated issuers (handler interface method).
-func (s *IssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64, error) {
+func (s *IssuerService) ListIssuers(ctx context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -618,7 +636,7 @@ func (s *IssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64,
 		perPage = 50
 	}
-	issuers, err := s.issuerRepo.List(context.Background())
+	issuers, err := s.issuerRepo.List(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list issuers: %w", err)
 	}
@@ -635,12 +653,12 @@ func (s *IssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64,
 }
 // GetIssuer returns a single issuer (handler interface method).
-func (s *IssuerService) GetIssuer(id string) (*domain.Issuer, error) {
+func (s *IssuerService) GetIssuer(ctx context.Context, id string) (*domain.Issuer, error) {
-	return s.issuerRepo.Get(context.Background(), id)
+	return s.issuerRepo.Get(ctx, id)
 }
 // CreateIssuer creates a new issuer (handler interface method).
-func (s *IssuerService) CreateIssuer(iss domain.Issuer) (*domain.Issuer, error) {
+func (s *IssuerService) CreateIssuer(ctx context.Context, iss domain.Issuer) (*domain.Issuer, error) {
 	iss.Type = normalizeIssuerType(iss.Type)
 	if !isValidIssuerType(iss.Type) {
 		return nil, fmt.Errorf("unsupported issuer type: %s", iss.Type)
@@ -677,26 +695,26 @@ func (s *IssuerService) CreateIssuer(iss domain.Issuer) (*domain.Issuer, error)
 		iss.Config = redactConfigJSON(iss.Config)
 	}
-	if err := s.issuerRepo.Create(context.Background(), &iss); err != nil {
+	if err := s.issuerRepo.Create(ctx, &iss); err != nil {
 		return nil, fmt.Errorf("failed to create issuer: %w", err)
 	}
 	// Rebuild registry
 	if iss.Enabled {
-		s.rebuildRegistryQuiet(context.Background())
+		s.rebuildRegistryQuiet(ctx)
 	}
 	return &iss, nil
 }
 // UpdateIssuer modifies an issuer (handler interface method).
-func (s *IssuerService) UpdateIssuer(id string, iss domain.Issuer) (*domain.Issuer, error) {
+func (s *IssuerService) UpdateIssuer(ctx context.Context, id string, iss domain.Issuer) (*domain.Issuer, error) {
 	iss.ID = id
 	iss.UpdatedAt = time.Now()
 	// Merge redacted fields with existing config
 	if len(iss.Config) > 0 {
-		mergedConfig, err := s.mergeRedactedConfig(context.Background(), id, iss.Config)
+		mergedConfig, err := s.mergeRedactedConfig(ctx, id, iss.Config)
 		if err != nil {
 			return nil, fmt.Errorf("failed to merge config: %w", err)
 		}
@@ -709,18 +727,18 @@ func (s *IssuerService) UpdateIssuer(id string, iss domain.Issuer) (*domain.Issu
 		iss.Config = redactConfigJSON(json.RawMessage(mergedConfig))
 	}
-	if err := s.issuerRepo.Update(context.Background(), &iss); err != nil {
+	if err := s.issuerRepo.Update(ctx, &iss); err != nil {
 		return nil, fmt.Errorf("failed to update issuer: %w", err)
 	}
-	s.rebuildRegistryQuiet(context.Background())
+	s.rebuildRegistryQuiet(ctx)
 	return &iss, nil
 }
 // DeleteIssuer removes an issuer (handler interface method).
-func (s *IssuerService) DeleteIssuer(id string) error {
+func (s *IssuerService) DeleteIssuer(ctx context.Context, id string) error {
-	if err := s.issuerRepo.Delete(context.Background(), id); err != nil {
+	if err := s.issuerRepo.Delete(ctx, id); err != nil {
 		return err
 	}
 	if s.registry != nil {
@@ -26,7 +26,7 @@ func TestBuildEnvVarSeeds_ACMEConfig(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
 	// Call buildEnvVarSeeds (unexported method, but testable from same package)
 	seeds := service.buildEnvVarSeeds(cfg)
@@ -82,7 +82,7 @@ func TestBuildEnvVarSeeds_VaultConfig(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
 	seeds := service.buildEnvVarSeeds(cfg)
@@ -136,7 +136,7 @@ func TestBuildEnvVarSeeds_NoConfig(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
 	seeds := service.buildEnvVarSeeds(cfg)
@@ -186,7 +186,7 @@ func TestBuildEnvVarSeeds_MultipleConfigs(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
 	seeds := service.buildEnvVarSeeds(cfg)
@@ -232,7 +232,7 @@ func TestSeedFromEnvVars_Empty(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
 	// Call SeedFromEnvVars on empty repo
 	service.SeedFromEnvVars(ctx, cfg)
@@ -280,7 +280,7 @@ func TestSeedFromEnvVars_AlreadyExists(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
 	// Get count before seeding
 	beforeSeeding, _ := repo.List(ctx)
@@ -328,7 +328,7 @@ func TestBuildRegistry_Success(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())
 	// Call BuildRegistry
 	err := service.BuildRegistry(ctx)
@@ -351,7 +351,7 @@ func TestBuildRegistry_EmptyDatabase(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())
 	// Call BuildRegistry on empty database
 	err := service.BuildRegistry(ctx)
@@ -72,7 +72,12 @@ func (r *IssuerRegistry) Len() int {
 // For each enabled issuer, it decrypts the config (if encryption key is set),
 // instantiates a connector via the factory, wraps it in an adapter, and
 // atomically swaps the entire map.
-func (r *IssuerRegistry) Rebuild(configs []*domain.Issuer, encryptionKey []byte) error {
+//
 // The encryption passphrase is passed as a string; per-ciphertext salt derivation
 // for v2 blobs is performed inside [crypto.DecryptIfKeySet]. Empty passphrase
 // fails closed via [crypto.ErrEncryptionKeyRequired] when encrypted configs
 // are encountered. See M-8 in certctl-audit-report.md.
 func (r *IssuerRegistry) Rebuild(configs []*domain.Issuer, encryptionKey string) error {
 	newIssuers := make(map[string]IssuerConnector)
 	var errors []string
@@ -101,7 +101,7 @@ func TestIssuerRegistry_Rebuild_Enabled(t *testing.T) {
 		},
 	}
-	err := reg.Rebuild(configs, nil)
+	err := reg.Rebuild(configs, "")
 	if err != nil {
 		t.Fatalf("Rebuild failed: %v", err)
 	}
@@ -124,11 +124,12 @@ func TestIssuerRegistry_Rebuild_Enabled(t *testing.T) {
 func TestIssuerRegistry_Rebuild_WithEncryption(t *testing.T) {
 	reg := NewIssuerRegistry(registryTestLogger())
 	key := crypto.DeriveKey("test-key")
 	configJSON := []byte(`{"ca_common_name":"Encrypted CA"}`)
-	encrypted, err := crypto.Encrypt(configJSON, key)
+	// M-8: EncryptIfKeySet now emits v2 (magic 0x02 || per-ciphertext salt || sealed).
 	// IssuerRegistry.Rebuild accepts the raw passphrase and delegates PBKDF2 to crypto.DecryptIfKeySet.
 	encrypted, _, err := crypto.EncryptIfKeySet(configJSON, "test-key")
 	if err != nil {
-		t.Fatalf("encrypt failed: %v", err)
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
 	}
 	configs := []*domain.Issuer{
@@ -141,7 +142,7 @@ func TestIssuerRegistry_Rebuild_WithEncryption(t *testing.T) {
 		},
 	}
-	err = reg.Rebuild(configs, key)
+	err = reg.Rebuild(configs, "test-key")
 	if err != nil {
 		t.Fatalf("Rebuild with encryption failed: %v", err)
 	}
@@ -165,10 +166,11 @@ func TestIssuerRegistry_Rebuild_NilKeyFallback(t *testing.T) {
 		},
 	}
-	// nil key should work — falls back to config column
+	// Empty passphrase is safe when no EncryptedConfig is present — falls back to config column.
-	err := reg.Rebuild(configs, nil)
+	// The C-2 fail-closed sentinel only fires when EncryptedConfig is non-empty.
 	err := reg.Rebuild(configs, "")
 	if err != nil {
-		t.Fatalf("Rebuild with nil key failed: %v", err)
+		t.Fatalf("Rebuild with empty key failed: %v", err)
 	}
 	_, ok := reg.Get("iss-plain")
@@ -198,7 +200,7 @@ func TestIssuerRegistry_Rebuild_InvalidConfig(t *testing.T) {
 	}
 	// Should return an error indicating partial failure, but still load valid issuers
-	err := reg.Rebuild(configs, nil)
+	err := reg.Rebuild(configs, "")
 	if err == nil {
 		t.Fatal("Rebuild should return error when some issuers fail to load")
 	}
@@ -230,7 +232,7 @@ func TestIssuerRegistry_Rebuild_ReplacesExisting(t *testing.T) {
 		},
 	}
-	err := reg.Rebuild(configs, nil)
+	err := reg.Rebuild(configs, "")
 	if err != nil {
 		t.Fatalf("Rebuild failed: %v", err)
 	}
@@ -275,7 +277,7 @@ func TestIssuerRegistry_Rebuild_Empty(t *testing.T) {
 	reg.Set("iss-existing", &mockIssuerConnector{})
-	err := reg.Rebuild([]*domain.Issuer{}, nil)
+	err := reg.Rebuild([]*domain.Issuer{}, "")
 	if err != nil {
 		t.Fatalf("Rebuild with empty configs failed: %v", err)
 	}
@@ -50,7 +50,7 @@ func TestIssuerService_List(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
 	issuers, total, err := service.List(ctx, 1, 2)
@@ -87,7 +87,7 @@ func TestIssuerService_List_DefaultPagination(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())
 	// Call with invalid page and perPage
 	issuers, total, err := service.List(ctx, 0, 0)
@@ -115,7 +115,7 @@ func TestIssuerService_List_RepositoryError(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
 	_, _, err := service.List(ctx, 1, 50)
@@ -137,7 +137,7 @@ func TestIssuerService_List_EmptyResult(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())
 	issuers, total, err := service.List(ctx, 1, 50)
@@ -173,7 +173,7 @@ func TestIssuerService_Get(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
 	retrieved, err := service.Get(ctx, "iss-acme-prod")
@@ -199,7 +199,7 @@ func TestIssuerService_Get_NotFound(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())
 	_, err := service.Get(ctx, "nonexistent-issuer")
@@ -217,7 +217,7 @@ func TestIssuerService_Create(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, testEncryptionKey, slog.Default())
 	config := map[string]interface{}{"endpoint": "https://acme.example.com/v2/new-account"}
 	configJSON, _ := json.Marshal(config)
@@ -280,7 +280,7 @@ func TestIssuerService_Create_EmptyName(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())
 	issuer := &domain.Issuer{
 		Name:    "",
@@ -314,7 +314,7 @@ func TestIssuerService_Create_RepositoryError(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
 	issuer := &domain.Issuer{
 		Name:    "Test Issuer",
@@ -342,7 +342,7 @@ func TestIssuerService_Update(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, testEncryptionKey, slog.Default())
 	config := map[string]interface{}{"endpoint": "https://acme.example.com"}
 	configJSON, _ := json.Marshal(config)
@@ -387,7 +387,7 @@ func TestIssuerService_Update_EmptyName(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())
 	issuer := &domain.Issuer{
 		Name:    "",
@@ -415,7 +415,7 @@ func TestIssuerService_Delete(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())
 	err := service.Delete(ctx, "iss-to-delete", "user-frank")
@@ -447,7 +447,7 @@ func TestIssuerService_Delete_RepositoryError(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
 	err := service.Delete(ctx, "iss-bad-id", "user-grace")
@@ -482,12 +482,12 @@ func TestIssuerService_TestConnection_Success(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	svc := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	svc := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
-	err := svc.TestConnectionWithContext(ctx, "iss-test-conn")
+	err := svc.TestConnection(ctx, "iss-test-conn")
 	if err != nil {
-		t.Fatalf("TestConnectionWithContext failed: %v", err)
+		t.Fatalf("TestConnection failed: %v", err)
 	}
 }
@@ -500,9 +500,9 @@ func TestIssuerService_TestConnection_NotFound(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())
-	err := service.TestConnectionWithContext(ctx, "nonexistent-issuer")
+	err := service.TestConnection(ctx, "nonexistent-issuer")
 	if err == nil {
 		t.Fatal("expected error for nonexistent issuer")
@@ -540,9 +540,10 @@ func TestIssuerService_ListIssuers_HandlerInterface(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)
-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())
-	issuers, total, err := service.ListIssuers(1, 50)
+	ctx := context.Background()
 	issuers, total, err := service.ListIssuers(ctx, 1, 50)
 	if err != nil {
 		t.Fatalf("ListIssuers failed: %v", err)
@@ -568,7 +569,7 @@ func TestIssuerService_CreateIssuer_HandlerInterface(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, testEncryptionKey, slog.Default())
 	config := map[string]interface{}{"url": "https://example.com"}
 	configJSON, _ := json.Marshal(config)
@@ -580,7 +581,8 @@ func TestIssuerService_CreateIssuer_HandlerInterface(t *testing.T) {
 		Enabled: true,
 	}
-	result, err := service.CreateIssuer(issuer)
+	ctx := context.Background()
 	result, err := service.CreateIssuer(ctx, issuer)
 	if err != nil {
 		t.Fatalf("CreateIssuer failed: %v", err)
@@ -606,9 +608,10 @@ func TestIssuerService_DeleteIssuer_HandlerInterface(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())
-	err := service.DeleteIssuer("iss-handler-delete")
+	ctx := context.Background()
 	err := service.DeleteIssuer(ctx, "iss-handler-delete")
 	if err != nil {
 		t.Fatalf("DeleteIssuer failed: %v", err)
@@ -680,7 +683,7 @@ func TestIssuerService_Create_LowercaseType(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, testEncryptionKey, slog.Default())
 	config := map[string]interface{}{"endpoint": "https://acme.example.com"}
 	configJSON, _ := json.Marshal(config)
@@ -710,7 +713,7 @@ func TestIssuerService_CreateIssuer_LowercaseType(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, testEncryptionKey, slog.Default())
 	config := map[string]interface{}{"url": "https://example.com"}
 	configJSON, _ := json.Marshal(config)
@@ -722,7 +725,8 @@ func TestIssuerService_CreateIssuer_LowercaseType(t *testing.T) {
 		Enabled: true,
 	}
-	result, err := service.CreateIssuer(issuer)
+	ctx := context.Background()
 	result, err := service.CreateIssuer(ctx, issuer)
 	if err != nil {
 		t.Fatalf("CreateIssuer with lowercase 'stepca' should succeed, got: %v", err)
 	}
@@ -752,7 +756,7 @@ func TestIssuerService_Create_M49Types(t *testing.T) {
 			auditService := NewAuditService(auditRepo)
 			registry := NewIssuerRegistry(slog.Default())
-			service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+			service := NewIssuerService(repo, auditService, registry, testEncryptionKey, slog.Default())
 			config := map[string]interface{}{"api_url": "https://example.com"}
 			configJSON, _ := json.Marshal(config)
@@ -35,11 +35,18 @@ func NewJobService(
 // ProcessPendingJobs fetches and processes all pending jobs.
 // It routes jobs to the appropriate service based on job type and handles errors gracefully.
 //
 // Concurrency (H-6 CWE-362): jobs are claimed via ClaimPendingJobs which uses
 // SELECT ... FOR UPDATE SKIP LOCKED and flips Pending → Running atomically. Concurrent
 // scheduler replicas in HA deployments will therefore never observe the same Pending row,
 // and the subsequent UpdateStatus(Running) calls inside the downstream service methods are
 // idempotent against the pre-flipped state.
 func (s *JobService) ProcessPendingJobs(ctx context.Context) error {
-	// Fetch pending jobs
+	// Claim pending jobs atomically (H-6 remediation: was ListByStatus which had no row lock).
-	pendingJobs, err := s.jobRepo.ListByStatus(ctx, domain.JobStatusPending)
+	// Empty jobType matches all types; zero limit means unlimited (preserves prior semantics).
 	pendingJobs, err := s.jobRepo.ClaimPendingJobs(ctx, "", 0)
 	if err != nil {
-		return fmt.Errorf("failed to list pending jobs: %w", err)
+		return fmt.Errorf("failed to claim pending jobs: %w", err)
 	}
 	if len(pendingJobs) == 0 {
@@ -182,8 +189,8 @@ func (s *JobService) GetJobStatus(ctx context.Context, jobID string) (*domain.Jo
 	return job, nil
 }
-// CancelJobWithContext cancels a pending or running job.
+// CancelJob cancels a pending or running job (handler interface method).
-func (s *JobService) CancelJobWithContext(ctx context.Context, jobID string) error {
+func (s *JobService) CancelJob(ctx context.Context, jobID string) error {
 	job, err := s.jobRepo.Get(ctx, jobID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch job: %w", err)
@@ -201,13 +208,8 @@ func (s *JobService) CancelJobWithContext(ctx context.Context, jobID string) err
 	return nil
 }
 // CancelJob cancels a job (handler interface method).
 func (s *JobService) CancelJob(id string) error {
 	return s.CancelJobWithContext(context.Background(), id)
 }
 // ListJobs returns paginated jobs with optional filtering (handler interface method).
-func (s *JobService) ListJobs(status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
+func (s *JobService) ListJobs(ctx context.Context, status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -215,7 +217,7 @@ func (s *JobService) ListJobs(status, jobType string, page, perPage int) ([]doma
 		perPage = 50
 	}
-	allJobs, err := s.jobRepo.List(context.Background())
+	allJobs, err := s.jobRepo.List(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list jobs: %w", err)
 	}
@@ -256,14 +258,13 @@ func (s *JobService) ListJobs(status, jobType string, page, perPage int) ([]doma
 }
 // GetJob returns a single job (handler interface method).
-func (s *JobService) GetJob(id string) (*domain.Job, error) {
+func (s *JobService) GetJob(ctx context.Context, id string) (*domain.Job, error) {
-	return s.jobRepo.Get(context.Background(), id)
+	return s.jobRepo.Get(ctx, id)
 }
 // ApproveJob approves a renewal job that is awaiting approval.
 // Transitions the job from AwaitingApproval to Pending so the scheduler picks it up.
-func (s *JobService) ApproveJob(id string) error {
+func (s *JobService) ApproveJob(ctx context.Context, id string) error {
 	ctx := context.Background()
 	job, err := s.jobRepo.Get(ctx, id)
 	if err != nil {
 		return fmt.Errorf("job not found: %w", err)
@@ -283,8 +284,7 @@ func (s *JobService) ApproveJob(id string) error {
 // RejectJob rejects a renewal job that is awaiting approval.
 // Transitions the job to Cancelled with a rejection reason.
-func (s *JobService) RejectJob(id string, reason string) error {
+func (s *JobService) RejectJob(ctx context.Context, id string, reason string) error {
 	ctx := context.Background()
 	job, err := s.jobRepo.Get(ctx, id)
 	if err != nil {
 		return fmt.Errorf("job not found: %w", err)
@@ -99,7 +99,7 @@ func TestCancelJob(t *testing.T) {
 	jobService := newTestJobService(jobRepo)
-	err := jobService.CancelJobWithContext(ctx, "job-001")
+	err := jobService.CancelJob(ctx, "job-001")
 	if err != nil {
 		t.Fatalf("CancelJob failed: %v", err)
 	}
@@ -129,13 +129,15 @@ func TestCancelJob_AlreadyCompleted(t *testing.T) {
 	jobService := newTestJobService(jobRepo)
-	err := jobService.CancelJobWithContext(ctx, "job-001")
+	err := jobService.CancelJob(ctx, "job-001")
 	if err == nil {
 		t.Fatal("expected error for completed job")
 	}
 }
 func TestGetJob(t *testing.T) {
 	ctx := context.Background()
 	now := time.Now()
 	job := &domain.Job{
 		ID:            "job-001",
@@ -153,7 +155,7 @@ func TestGetJob(t *testing.T) {
 	jobService := newTestJobService(jobRepo)
-	retrieved, err := jobService.GetJob("job-001")
+	retrieved, err := jobService.GetJob(ctx, "job-001")
 	if err != nil {
 		t.Fatalf("GetJob failed: %v", err)
 	}
@@ -167,6 +169,8 @@ func TestGetJob(t *testing.T) {
 }
 func TestListJobs(t *testing.T) {
 	ctx := context.Background()
 	now := time.Now()
 	job1 := &domain.Job{
 		ID:            "job-001",
@@ -192,7 +196,7 @@ func TestListJobs(t *testing.T) {
 	jobService := newTestJobService(jobRepo)
-	jobs, total, err := jobService.ListJobs("", "", 1, 50)
+	jobs, total, err := jobService.ListJobs(ctx, "", "", 1, 50)
 	if err != nil {
 		t.Fatalf("ListJobs failed: %v", err)
 	}
@@ -206,6 +210,8 @@ func TestListJobs(t *testing.T) {
 }
 func TestListJobs_FilterByStatus(t *testing.T) {
 	ctx := context.Background()
 	now := time.Now()
 	job1 := &domain.Job{
 		ID:            "job-001",
@@ -231,7 +237,7 @@ func TestListJobs_FilterByStatus(t *testing.T) {
 	jobService := newTestJobService(jobRepo)
-	jobs, total, err := jobService.ListJobs(string(domain.JobStatusPending), "", 1, 50)
+	jobs, total, err := jobService.ListJobs(ctx, string(domain.JobStatusPending), "", 1, 50)
 	if err != nil {
 		t.Fatalf("ListJobs failed: %v", err)
 	}
@@ -119,7 +119,10 @@ func TestESTService_MaxTTL_ForwardedToIssuer(t *testing.T) {
 func TestSCEPService_CryptoValidation_RejectsWeakKey(t *testing.T) {
 	mockIssuer := &mockIssuerConnector{}
-	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	// H-2: SCEPService now requires a configured challenge password. Pass a
 	// matching client password so this test exercises the crypto-policy path
 	// rather than being short-circuited by the challenge-password guard.
 	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")
 	// Profile requiring ECDSA P-384 minimum
 	profileRepo := newM11cProfileRepo()
@@ -136,7 +139,7 @@ func TestSCEPService_CryptoValidation_RejectsWeakKey(t *testing.T) {
 	// P-256 CSR should be rejected
 	csrPEM := generateCSRPEM(t, "device.example.com", nil)
-	_, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-001")
+	_, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-001")
 	if err == nil {
 		t.Fatal("expected rejection for ECDSA P-256 against P-384 minimum")
 	}
@@ -152,7 +155,8 @@ func TestSCEPService_CryptoValidation_AcceptsStrongKey(t *testing.T) {
 	mockIssuer := &mockIssuerConnector{}
 	auditRepo := newMockAuditRepository()
 	auditSvc := NewAuditService(auditRepo)
-	svc := NewSCEPService("iss-local", mockIssuer, auditSvc, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	// H-2: happy path exercises the authenticated branch.
 	svc := NewSCEPService("iss-local", mockIssuer, auditSvc, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")
 	profileRepo := newM11cProfileRepo()
 	profileRepo.profiles["prof-standard"] = &domain.CertificateProfile{
@@ -167,7 +171,7 @@ func TestSCEPService_CryptoValidation_AcceptsStrongKey(t *testing.T) {
 	csrPEM := generateCSRPEM(t, "device-ok.example.com", nil)
-	result, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-002")
+	result, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-002")
 	if err != nil {
 		t.Fatalf("expected success: %v", err)
 	}
@@ -179,7 +183,8 @@ func TestSCEPService_CryptoValidation_AcceptsStrongKey(t *testing.T) {
 func TestSCEPService_MaxTTL_ForwardedToIssuer(t *testing.T) {
 	capturingMock := &capturingIssuerConnector{}
-	svc := NewSCEPService("iss-local", capturingMock, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	// H-2: challenge password required for enrollment.
 	svc := NewSCEPService("iss-local", capturingMock, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")
 	profileRepo := newM11cProfileRepo()
 	profileRepo.profiles["prof-device"] = &domain.CertificateProfile{
@@ -192,7 +197,7 @@ func TestSCEPService_MaxTTL_ForwardedToIssuer(t *testing.T) {
 	csrPEM := generateCSRPEM(t, "mdm-device.example.com", nil)
-	_, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-003")
+	_, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-003")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -341,12 +346,13 @@ func TestESTService_NoProfileRepo_PassesThrough(t *testing.T) {
 func TestSCEPService_NoProfileRepo_PassesThrough(t *testing.T) {
 	mockIssuer := &mockIssuerConnector{}
-	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	// H-2: challenge password required for enrollment.
 	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")
 	svc.SetProfileID("nonexistent-profile")
 	csrPEM := generateCSRPEM(t, "no-profile-scep.example.com", nil)
-	result, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-004")
+	result, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-004")
 	if err != nil {
 		t.Fatalf("expected success when no profile repo set: %v", err)
 	}
@@ -14,6 +14,7 @@ import (
 	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/repository"
 	"github.com/shankar0123/certctl/internal/tlsprobe"
 	"github.com/shankar0123/certctl/internal/validation"
 )
 // SentinelAgentID is the agent ID used for network-discovered certificates.
@@ -234,21 +235,19 @@ func (s *NetworkScanService) scanTarget(ctx context.Context, target *domain.Netw
 	timeout := time.Duration(target.TimeoutMs) * time.Millisecond
 	results := s.scanEndpoints(ctx, endpoints, timeout)
-	// Collect discovered cert entries
+	// Collect discovered cert entries and per-endpoint errors.
-	var entries []domain.DiscoveredCertEntry
+	//
-	var scanErrors []string
+	// M-9 (operator-observability): before this fix, scanErrors was declared
-	for _, result := range results {
+	// but never appended to, so the "errors" count in the summary Info log
-		if result.Error != "" {
+	// and the Errors field on the DiscoveryReport were always zero/nil —
-			// Only log connection errors at debug level (many hosts won't have TLS)
+	// silently hiding per-endpoint failures from operators and from the
-			if s.logger != nil {
+	// downstream scan history record. Per-endpoint failures are still logged
-				s.logger.Debug("scan endpoint error",
+	// at Debug (sweep scans generate high connection-refused noise by design
-					"address", result.Address,
+	// — most hosts in a CIDR won't have TLS on the probed port), but the
-					"error", result.Error)
+	// aggregate count and the report's Errors field now reflect reality so
-			}
+	// operators can see, via the scan summary and the stored scan record,
-			continue
+	// how many endpoints failed without having to enable Debug logging.
-		}
+	entries, scanErrors := s.collectScanResults(results)
 		entries = append(entries, result.Certs...)
 	}
 	scanDuration := time.Since(startTime)
 	if s.logger != nil {
@@ -318,51 +317,27 @@ func (s *NetworkScanService) expandEndpoints(cidrs []string, ports []int64) []st
 	return endpoints
 }
-// isReservedCIDR checks if an IP address falls within reserved ranges that should not be scanned.
+// The reserved-IP filter used by expandCIDR previously lived here as an
-// Filters out loopback, link-local (including cloud metadata), and multicast ranges.
+// unexported isReservedIP helper. It has been moved to
-// Does NOT filter RFC 1918 ranges since certctl is self-hosted and internal networks are a primary use case.
+// internal/validation.IsReservedIP so the webhook notifier can share a single
-func isReservedIP(ip net.IP) bool {
+// authoritative implementation (H-4, CWE-918). The behaviour is
-	// Loopback: 127.0.0.0/8
+// byte-identical with the previous helper — RFC 1918 is intentionally NOT
-	if ip.IsLoopback() {
+// filtered, matching certctl's self-hosted design. If you change the
-		return true
+// validation package's IsReservedIP, you are changing the network-scanner's
-	}
+// behaviour; audit both code paths together.
 	// Link-local: 169.254.0.0/16 (includes cloud metadata 169.254.169.254)
 	if linkLocal := net.ParseIP("169.254.0.0"); linkLocal != nil {
 		if _, linkLocalNet, _ := net.ParseCIDR("169.254.0.0/16"); linkLocalNet != nil {
 			if linkLocalNet.Contains(ip) {
 				return true
 			}
 		}
 	}
 	// Multicast: 224.0.0.0/4
 	if multicast := net.ParseIP("224.0.0.0"); multicast != nil {
 		if _, multicastNet, _ := net.ParseCIDR("224.0.0.0/4"); multicastNet != nil {
 			if multicastNet.Contains(ip) {
 				return true
 			}
 		}
 	}
 	// Broadcast: 255.255.255.255
 	if ip.String() == "255.255.255.255" {
 		return true
 	}
 	return false
 }
 // expandCIDR expands a CIDR notation or single IP into a list of IPs.
 // Limits expansion to /20 (4096 IPs) to prevent accidental huge scans.
-// Filters out reserved IP ranges to prevent SSRF attacks.
+// Filters out reserved IP ranges (via validation.IsReservedIP) to prevent
 // SSRF amplification via network-scan targets pointed at cloud metadata or
 // loopback.
 func expandCIDR(cidr string) []string {
 	// Try as CIDR first
 	ip, ipNet, err := net.ParseCIDR(cidr)
 	if err != nil {
 		// Try as single IP
 		if singleIP := net.ParseIP(cidr); singleIP != nil {
-			if isReservedIP(singleIP) {
+			if validation.IsReservedIP(singleIP) {
 				return nil
 			}
 			return []string{singleIP.String()}
@@ -380,7 +355,7 @@ func expandCIDR(cidr string) []string {
 	var ips []string
 	for ip := ip.Mask(ipNet.Mask); ipNet.Contains(ip); incrementIP(ip) {
 		// Skip reserved IPs
-		if isReservedIP(ip) {
+		if validation.IsReservedIP(ip) {
 			continue
 		}
@@ -408,6 +383,44 @@ func incrementIP(ip net.IP) {
 	}
 }
 // collectScanResults partitions per-endpoint scan results into discovered
 // certificate entries and a list of per-endpoint error strings.
 //
 // M-9 (operator-observability): the summary Info log and the DiscoveryReport
 // both report the count of endpoints that failed to probe. Before this helper
 // existed, the caller accumulated entries but never populated the errors
 // slice, so the aggregate error count was always zero and the scan record's
 // Errors field was always nil — silently hiding per-endpoint failures.
 //
 // Per-endpoint errors remain logged at Debug (sweep scans generate high
 // connection-refused noise by design — most hosts in a CIDR won't have TLS
 // on the probed port). Aggregation surfaces the count at Info, preserving
 // Debug-level detail for operators who want it without creating log spam
 // at default verbosity.
 func (s *NetworkScanService) collectScanResults(results []domain.NetworkScanResult) ([]domain.DiscoveredCertEntry, []string) {
 	var entries []domain.DiscoveredCertEntry
 	var scanErrors []string
 	for _, result := range results {
 		if result.Error != "" {
 			// Debug-level is intentional: a sweep scan of a /24 typically
 			// produces 200+ connection-refused results, and logging each
 			// at Warn would create log spam at default verbosity. The
 			// aggregate count in the Info-level scan-completed log surfaces
 			// the failure volume to operators; Debug provides the detail
 			// when diagnosing a specific endpoint.
 			if s.logger != nil {
 				s.logger.Debug("scan endpoint error",
 					"address", result.Address,
 					"error", result.Error)
 			}
 			scanErrors = append(scanErrors, fmt.Sprintf("%s: %s", result.Address, result.Error))
 			continue
 		}
 		entries = append(entries, result.Certs...)
 	}
 	return entries, scanErrors
 }
 // scanEndpoints probes TLS endpoints concurrently and returns results.
 func (s *NetworkScanService) scanEndpoints(ctx context.Context, endpoints []string, timeout time.Duration) []domain.NetworkScanResult {
 	results := make([]domain.NetworkScanResult, len(endpoints))
@@ -8,6 +8,7 @@ import (
 	"time"
 	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/validation"
 )
 // mockNetworkScanRepo for testing
@@ -248,9 +249,9 @@ func TestIsReservedIP_Loopback(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.ip, func(t *testing.T) {
-			result := isReservedIP(net.ParseIP(tt.ip))
+			result := validation.IsReservedIP(net.ParseIP(tt.ip))
 			if result != tt.expected {
-				t.Errorf("isReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
+				t.Errorf("validation.IsReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
 			}
 		})
 	}
@@ -269,9 +270,9 @@ func TestIsReservedIP_LinkLocal(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.ip, func(t *testing.T) {
-			result := isReservedIP(net.ParseIP(tt.ip))
+			result := validation.IsReservedIP(net.ParseIP(tt.ip))
 			if result != tt.expected {
-				t.Errorf("isReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
+				t.Errorf("validation.IsReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
 			}
 		})
 	}
@@ -289,18 +290,18 @@ func TestIsReservedIP_Multicast(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.ip, func(t *testing.T) {
-			result := isReservedIP(net.ParseIP(tt.ip))
+			result := validation.IsReservedIP(net.ParseIP(tt.ip))
 			if result != tt.expected {
-				t.Errorf("isReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
+				t.Errorf("validation.IsReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
 			}
 		})
 	}
 }
 func TestIsReservedIP_Broadcast(t *testing.T) {
-	result := isReservedIP(net.ParseIP("255.255.255.255"))
+	result := validation.IsReservedIP(net.ParseIP("255.255.255.255"))
 	if !result {
-		t.Errorf("isReservedIP(255.255.255.255) = %v, expected true", result)
+		t.Errorf("validation.IsReservedIP(255.255.255.255) = %v, expected true", result)
 	}
 }
@@ -320,9 +321,9 @@ func TestIsReservedIP_AllowsPrivateRanges(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
-			result := isReservedIP(net.ParseIP(tt.ip))
+			result := validation.IsReservedIP(net.ParseIP(tt.ip))
 			if result != tt.expected {
-				t.Errorf("isReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
+				t.Errorf("validation.IsReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
 			}
 		})
 	}
@@ -340,9 +341,9 @@ func TestIsReservedIP_AllowsPublic(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.ip, func(t *testing.T) {
-			result := isReservedIP(net.ParseIP(tt.ip))
+			result := validation.IsReservedIP(net.ParseIP(tt.ip))
 			if result != tt.expected {
-				t.Errorf("isReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
+				t.Errorf("validation.IsReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
 			}
 		})
 	}
@@ -490,3 +491,113 @@ func TestExpandCIDR_SingleLinkLocalIP(t *testing.T) {
 		t.Errorf("expected empty for cloud metadata IP, got %v", ips)
 	}
 }
 // TestCollectScanResults_AggregatesErrors is the M-9 regression guard:
 // per-endpoint probe failures must accumulate into the errors slice so the
 // summary Info log and the DiscoveryReport reflect the true failure count.
 // Before the M-9 fix, scanErrors was declared but never appended to, so the
 // aggregate count was always zero and the scan record's Errors field was
 // always nil — silently hiding per-endpoint failures from operators.
 func TestCollectScanResults_AggregatesErrors(t *testing.T) {
 	svc := &NetworkScanService{}
 	results := []domain.NetworkScanResult{
 		{Address: "203.0.113.1:443", Error: "connection refused"},
 		{Address: "203.0.113.2:443", Certs: []domain.DiscoveredCertEntry{
 			{CommonName: "example.com"},
 		}},
 		{Address: "203.0.113.3:443", Error: "tls handshake failure"},
 		{Address: "203.0.113.4:443", Certs: []domain.DiscoveredCertEntry{
 			{CommonName: "internal.example.com"},
 		}},
 		{Address: "203.0.113.5:443", Error: "i/o timeout"},
 	}
 	entries, errs := svc.collectScanResults(results)
 	if len(entries) != 2 {
 		t.Errorf("expected 2 entries (one per successful probe), got %d", len(entries))
 	}
 	if len(errs) != 3 {
 		t.Fatalf("expected 3 error strings (one per failed probe), got %d: %v", len(errs), errs)
 	}
 	// Each error string must be non-empty and include the endpoint address so
 	// the scan record lets operators correlate failures back to endpoints
 	// without needing Debug logging enabled.
 	for i, e := range errs {
 		if e == "" {
 			t.Errorf("error[%d]: expected non-empty error string", i)
 		}
 	}
 	// Spot-check that address is threaded through the error strings.
 	if want := "203.0.113.1:443"; errs[0] == "" || errs[0][:len(want)] != want {
 		t.Errorf("errs[0] should start with %q, got %q", want, errs[0])
 	}
 	if want := "203.0.113.3:443"; errs[1] == "" || errs[1][:len(want)] != want {
 		t.Errorf("errs[1] should start with %q, got %q", want, errs[1])
 	}
 	if want := "203.0.113.5:443"; errs[2] == "" || errs[2][:len(want)] != want {
 		t.Errorf("errs[2] should start with %q, got %q", want, errs[2])
 	}
 }
 // TestCollectScanResults_AllSuccess exercises the happy path: a scan where
 // every endpoint returned certificates. The errors slice must be nil (not an
 // empty non-nil slice) so the downstream DiscoveryReport.Errors field stays
 // nil as well, preserving the JSON-omitempty behavior that callers rely on.
 func TestCollectScanResults_AllSuccess(t *testing.T) {
 	svc := &NetworkScanService{}
 	results := []domain.NetworkScanResult{
 		{Address: "203.0.113.10:443", Certs: []domain.DiscoveredCertEntry{
 			{CommonName: "a.example.com"},
 		}},
 		{Address: "203.0.113.11:443", Certs: []domain.DiscoveredCertEntry{
 			{CommonName: "b.example.com"},
 		}},
 	}
 	entries, errs := svc.collectScanResults(results)
 	if len(entries) != 2 {
 		t.Errorf("expected 2 entries, got %d", len(entries))
 	}
 	if errs != nil {
 		t.Errorf("expected nil errors slice on all-success, got %v", errs)
 	}
 }
 // TestCollectScanResults_AllFailed exercises the worst-case sweep: every
 // endpoint failed to probe. Entries must be nil, and every failure must be
 // recorded in the errors slice so the scan record is complete.
 func TestCollectScanResults_AllFailed(t *testing.T) {
 	svc := &NetworkScanService{}
 	results := []domain.NetworkScanResult{
 		{Address: "203.0.113.20:443", Error: "connection refused"},
 		{Address: "203.0.113.21:443", Error: "connection refused"},
 		{Address: "203.0.113.22:443", Error: "connection refused"},
 	}
 	entries, errs := svc.collectScanResults(results)
 	if entries != nil {
 		t.Errorf("expected nil entries on all-failed, got %v", entries)
 	}
 	if len(errs) != 3 {
 		t.Errorf("expected 3 error strings, got %d: %v", len(errs), errs)
 	}
 }
 // TestCollectScanResults_Empty guards against a degenerate empty-input case
 // (scanEndpoints returns no results, e.g. if ctx was cancelled before the
 // first probe ran). Both return slices must be nil.
 func TestCollectScanResults_Empty(t *testing.T) {
 	svc := &NetworkScanService{}
 	entries, errs := svc.collectScanResults(nil)
 	if entries != nil {
 		t.Errorf("expected nil entries for empty input, got %v", entries)
 	}
 	if errs != nil {
 		t.Errorf("expected nil errors for empty input, got %v", errs)
 	}
 }
@@ -319,7 +319,7 @@ func (s *NotificationService) GetNotificationHistory(ctx context.Context, certID
 }
 // ListNotifications returns paginated notifications (handler interface method).
-func (s *NotificationService) ListNotifications(page, perPage int) ([]domain.NotificationEvent, int64, error) {
+func (s *NotificationService) ListNotifications(ctx context.Context, page, perPage int) ([]domain.NotificationEvent, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -332,7 +332,7 @@ func (s *NotificationService) ListNotifications(page, perPage int) ([]domain.Not
 		PerPage: perPage,
 	}
-	notifications, err := s.notifRepo.List(context.Background(), filter)
+	notifications, err := s.notifRepo.List(ctx, filter)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list notifications: %w", err)
 	}
@@ -349,12 +349,12 @@ func (s *NotificationService) ListNotifications(page, perPage int) ([]domain.Not
 }
 // GetNotification returns a single notification (handler interface method).
-func (s *NotificationService) GetNotification(id string) (*domain.NotificationEvent, error) {
+func (s *NotificationService) GetNotification(ctx context.Context, id string) (*domain.NotificationEvent, error) {
 	filter := &repository.NotificationFilter{
 		PerPage: 1,
 	}
-	notifications, err := s.notifRepo.List(context.Background(), filter)
+	notifications, err := s.notifRepo.List(ctx, filter)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get notification: %w", err)
 	}
@@ -370,6 +370,6 @@ func (s *NotificationService) GetNotification(id string) (*domain.NotificationEv
 }
 // MarkAsRead marks a notification as read (handler interface method).
-func (s *NotificationService) MarkAsRead(id string) error {
+func (s *NotificationService) MarkAsRead(ctx context.Context, id string) error {
-	return s.notifRepo.UpdateStatus(context.Background(), id, "read", time.Now())
+	return s.notifRepo.UpdateStatus(ctx, id, "read", time.Now())
 }
@@ -370,7 +370,7 @@ func TestListNotifications(t *testing.T) {
 	}
 	// List with pagination
-	notifs, total, err := svc.ListNotifications(1, 3)
+	notifs, total, err := svc.ListNotifications(context.Background(), 1, 3)
 	if err != nil {
 		t.Fatalf("ListNotifications failed: %v", err)
 	}
@@ -404,7 +404,7 @@ func TestMarkAsRead(t *testing.T) {
 	notifRepo.AddNotification(notif)
 	// Mark as read
-	err := svc.MarkAsRead(notif.ID)
+	err := svc.MarkAsRead(context.Background(), notif.ID)
 	if err != nil {
 		t.Fatalf("MarkAsRead failed: %v", err)
 	}
@@ -434,7 +434,7 @@ func TestGetNotification(t *testing.T) {
 	notifRepo.AddNotification(notif)
 	// Get the notification
-	retrieved, err := svc.GetNotification(notif.ID)
+	retrieved, err := svc.GetNotification(context.Background(), notif.ID)
 	if err != nil {
 		t.Fatalf("GetNotification failed: %v", err)
 	}
--- a/Show More
+++ b/Show More