fix(config): add RetryInterval to TestValidate_ValidConfig + TestValidate_AuthTypeNone fixtures (I-001 follow-up)

Problem:
  TestValidate_ValidConfig and TestValidate_AuthTypeNone construct a
  SchedulerConfig without RetryInterval, so Validate() fails the
  'retry interval must be at least 1 second' check at config.go:1086
  with 'retry interval must be at least 1 second'. Both tests expect
  success, so they fail whenever run.

Root cause (re-derived from source, not inherited from memory):
  git log -S 'retry interval must be at least' --source --all shows
  the validation was introduced in 0200c7f (I-001, RetryFailedJobs
  scheduler wiring). git log -- internal/config/config_test.go shows
  the test file was last touched in 7382e5f, which predates 0200c7f.
  I-001 added a new Validate() rule without updating the two positive
  test fixtures — a gap in I-001's verification pass.

  This is NOT C-001 fallout. The config_test.go file was untouched by
  the C-001 closure commits 91642e2 and 4696116. The failure surfaced
  during the full test suite run after C-001 landed because no one
  had run 'go test ./internal/config/...' since I-001.

Scope:
  - internal/config/config_test.go (2 fixtures: TestValidate_ValidConfig,
    TestValidate_AuthTypeNone).

Implementation:
  Added 'RetryInterval: 5 * time.Minute' to both SchedulerConfig
  literals. 5 minutes matches the I-001 default at config.go:818:

    RetryInterval: getEnvDuration("CERTCTL_SCHEDULER_RETRY_INTERVAL", 5*time.Minute)

  The other two TestValidate_* tests (InvalidAuthType, APIKeyAuth_
  MissingSecret) are unaffected because they expect Validate() to
  error at the auth-type check (line 1052) or auth-secret check
  (line 1057), both of which fire before the RetryInterval check at
  line 1086.

Verification:
  - go test -count=1 -run 'TestValidate_' ./internal/config/...: PASS
  - go test -short -count=1 ./...: all packages PASS
  - go vet ./...: exit 0

Residual:
  None. This is a pure test-fixture fix — production code is unchanged.

Commit:
  0200c7f (I-001) should have included this edit. Attributed here for
  traceability.

.github/workflows/ci.yml

@@ -45,11 +45,11 @@ jobs:
         run: govulncheck ./...
 
       - name: Race Detection
-        run: go test -race ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/scheduler/... ./internal/connector/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -timeout 300s
+        run: go test -race ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/scheduler/... ./internal/connector/... ./internal/crypto/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -timeout 300s
 
       - name: Go Test with Coverage
         run: |
-          go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -cover -coverprofile=coverage.out
+          go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/crypto/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -cover -coverprofile=coverage.out
 
       - name: Check Coverage Thresholds
         run: |
@@ -73,6 +73,13 @@ jobs:
           MIDDLEWARE_COV=$(go tool cover -func=coverage.out | grep 'internal/api/middleware' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
           echo "Middleware layer coverage: ${MIDDLEWARE_COV}%"
 
+          # Check crypto package coverage (target: 85%+)
+          # M-8 rationale: encryption primitives are a security-critical gate.
+          # v2 format, key-derivation, fallback, and fail-closed sentinel paths
+          # all need exhaustive coverage to avoid silent regressions (CWE-916 / CWE-329).
+          CRYPTO_COV=$(go tool cover -func=coverage.out | grep 'internal/crypto' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
+          echo "Crypto package coverage: ${CRYPTO_COV}%"
+
           # Fail if thresholds not met
           if [ "$(echo "$SERVICE_COV < 55" | bc -l)" -eq 1 ]; then
             echo "::error::Service layer coverage ${SERVICE_COV}% is below 55% threshold"
@@ -90,6 +97,10 @@ jobs:
             echo "::error::Middleware layer coverage ${MIDDLEWARE_COV}% is below 30% threshold"
             exit 1
           fi
+          if [ "$(echo "$CRYPTO_COV < 85" | bc -l)" -eq 1 ]; then
+            echo "::error::Crypto package coverage ${CRYPTO_COV}% is below 85% threshold"
+            exit 1
+          fi
           echo "Coverage thresholds passed!"
 
       - name: Upload Coverage Report

.github/workflows/release.yml

@@ -7,40 +7,30 @@ on:
 
 env:
   REGISTRY: ghcr.io
-  GO_VERSION: '1.22'
+  # Keep in lock-step with .github/workflows/ci.yml (M-3).
+  GO_VERSION: '1.25.9'
+  IMAGE_NAMESPACE: shankar0123
 
 jobs:
-  # Cross-compile agent and server binaries for multiple platforms
+  # ----------------------------------------------------------------------
+  # build-binaries (M-3): matrix build every (binary × OS × arch) tuple.
+  # For each tuple we produce: the binary, a SPDX-JSON SBOM, a keyless
+  # Cosign signature + certificate bundle, and a single-line sha256sum
+  # file. All artefacts are uploaded to a workflow-scoped artifact; the
+  # aggregate-checksums job fans them back in for release upload.
+  # ----------------------------------------------------------------------
   build-binaries:
-    name: Build Cross-Platform Binaries
+    name: Build ${{ matrix.binary }} (${{ matrix.os }}/${{ matrix.arch }})
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-
+      contents: read
+      id-token: write  # Cosign keyless OIDC identity token
     strategy:
+      fail-fast: false
       matrix:
-        include:
-          # Agent binaries (4 platforms)
-          - os: linux
-            arch: amd64
-            binary: agent
-          - os: linux
-            arch: arm64
-            binary: agent
-          - os: darwin
-            arch: amd64
-            binary: agent
-          - os: darwin
-            arch: arm64
-            binary: agent
-          # Server binaries (2 platforms)
-          - os: linux
-            arch: amd64
-            binary: server
-          - os: linux
-            arch: arm64
-            binary: server
-
+        binary: [agent, server, cli, mcp-server]
+        os: [linux, darwin]
+        arch: [amd64, arm64]
     steps:
       - uses: actions/checkout@v4
 
@@ -51,35 +41,174 @@ jobs:
 
       - name: Extract version from tag
         id: version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
 
-      - name: Build ${{ matrix.binary }} binary (${{ matrix.os }}-${{ matrix.arch }})
+      - name: Build binary
+        id: build
         env:
           GOOS: ${{ matrix.os }}
           GOARCH: ${{ matrix.arch }}
-          CGO_ENABLED: 0
+          CGO_ENABLED: '0'
+          VERSION: ${{ steps.version.outputs.VERSION }}
         run: |
+          set -euo pipefail
           OUTPUT_NAME="certctl-${{ matrix.binary }}-${{ matrix.os }}-${{ matrix.arch }}"
-          go build -ldflags="-w -s -X main.Version=${{ steps.version.outputs.VERSION }}" \
+          mkdir -p dist
+          go build \
+            -trimpath \
+            -ldflags="-w -s -X main.Version=${VERSION}" \
             -o "dist/${OUTPUT_NAME}" \
             "./cmd/${{ matrix.binary }}"
           ls -lh "dist/${OUTPUT_NAME}"
+          echo "output_name=${OUTPUT_NAME}" >> "$GITHUB_OUTPUT"
 
-      - name: Upload binaries to release
+      - name: Generate SBOM (SPDX-JSON)
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610  # v0.24.0
+        with:
+          file: dist/${{ steps.build.outputs.output_name }}
+          format: spdx-json
+          output-file: dist/${{ steps.build.outputs.output_name }}.sbom.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v4.1.1
+
+      - name: Keyless-sign binary with Cosign
+        env:
+          OUTPUT_NAME: ${{ steps.build.outputs.output_name }}
+        run: |
+          set -euo pipefail
+          # Cosign v3.0 (shipped by cosign-installer@v4.1.1 default
+          # cosign-release=v3.0.5) removed --output-signature/--output-certificate
+          # on sign-blob. The replacement is --bundle, which emits a unified
+          # Sigstore bundle (signature + cert chain + Rekor inclusion proof) as
+          # a single .sigstore.json artefact. M-11.
+          cosign sign-blob \
+            --yes \
+            --bundle "dist/${OUTPUT_NAME}.sigstore.json" \
+            "dist/${OUTPUT_NAME}"
+
+      - name: Compute SHA-256 sidecar
+        env:
+          OUTPUT_NAME: ${{ steps.build.outputs.output_name }}
+        run: |
+          set -euo pipefail
+          cd dist
+          sha256sum "${OUTPUT_NAME}" > "${OUTPUT_NAME}.sha256"
+          cat "${OUTPUT_NAME}.sha256"
+
+      - name: Upload build artefacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-${{ steps.build.outputs.output_name }}
+          path: |
+            dist/${{ steps.build.outputs.output_name }}
+            dist/${{ steps.build.outputs.output_name }}.sigstore.json
+            dist/${{ steps.build.outputs.output_name }}.sbom.spdx.json
+            dist/${{ steps.build.outputs.output_name }}.sha256
+          if-no-files-found: error
+          retention-days: 7
+
+  # ----------------------------------------------------------------------
+  # aggregate-checksums (M-3): fan in every matrix artefact, produce a
+  # single checksums.txt (sha256sum format, compatible with `sha256sum
+  # -c`), sign it with Cosign, upload everything to the GitHub Release,
+  # and emit a base64-encoded hash manifest for the SLSA generator.
+  # ----------------------------------------------------------------------
+  aggregate-checksums:
+    name: Aggregate checksums & sign
+    runs-on: ubuntu-latest
+    needs: [build-binaries]
+    permissions:
+      contents: write
+      id-token: write  # Cosign keyless OIDC identity token
+    outputs:
+      hashes: ${{ steps.hashes.outputs.hashes }}
+    steps:
+      - name: Download binary artefacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: binary-*
+          path: artifacts
+          merge-multiple: true
+
+      - name: Aggregate SHA-256 sums
+        id: hashes
+        run: |
+          set -euo pipefail
+          cd artifacts
+          : > checksums.txt
+          for f in certctl-*; do
+            case "$f" in
+              *.sigstore.json|*.sbom.spdx.json|*.sha256|checksums.txt)
+                continue ;;
+            esac
+            sha256sum "$f" >> checksums.txt
+          done
+          echo "=== checksums.txt ==="
+          cat checksums.txt
+          # base64 hashes (single line, no wrapping) for SLSA generator.
+          HASHES=$(base64 -w0 < checksums.txt)
+          echo "hashes=${HASHES}" >> "$GITHUB_OUTPUT"
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v4.1.1
+
+      - name: Keyless-sign checksums.txt
+        run: |
+          set -euo pipefail
+          cd artifacts
+          # Cosign v3.0 --bundle replaces the removed v2 flag pair
+          # --output-signature / --output-certificate. See M-11.
+          cosign sign-blob \
+            --yes \
+            --bundle checksums.txt.sigstore.json \
+            checksums.txt
+
+      - name: Upload artefacts to GitHub Release
         uses: softprops/action-gh-release@v2
         if: startsWith(github.ref, 'refs/tags/')
         with:
           files: |
-            dist/certctl-agent-*
-            dist/certctl-server-*
+            artifacts/certctl-*
+            artifacts/checksums.txt
+            artifacts/checksums.txt.sigstore.json
 
-  # Build and push Docker images
+  # ----------------------------------------------------------------------
+  # provenance-binaries (M-3): SLSA Level 3 provenance for every binary.
+  # The SLSA generic generator reusable workflow runs in a hermetic
+  # workflow run, producing multiple.intoto.jsonl from the base64 hash
+  # manifest and uploading it as a release asset.
+  # ----------------------------------------------------------------------
+  provenance-binaries:
+    name: SLSA provenance (binaries)
+    needs: [aggregate-checksums]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      base64-subjects: "${{ needs.aggregate-checksums.outputs.hashes }}"
+      upload-assets: true
+      provenance-name: multiple.intoto.jsonl
+
+  # ----------------------------------------------------------------------
+  # build-and-push-docker: push container images to GHCR with native
+  # SLSA L3 provenance (mode=max) and SBOM attestations emitted by
+  # docker/build-push-action@v6, plus a keyless Cosign signature on the
+  # image digest for identity-bound verification. The M-4 proxy-propagation
+  # build-args block is retained verbatim — M-3 only adds supply-chain
+  # steps; it never touches M-4 wiring.
+  # ----------------------------------------------------------------------
   build-and-push-docker:
     name: Build & Push Docker Images
     runs-on: ubuntu-latest
     permissions:
       contents: write
       packages: write
+      id-token: write  # Cosign keyless OIDC identity token
 
     steps:
       - uses: actions/checkout@v4
@@ -93,40 +222,90 @@ jobs:
 
       - name: Extract version from tag
         id: version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v4.1.1
+
       - name: Build and push server image
+        id: server-push
         uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile
           push: true
           tags: |
-            ${{ env.REGISTRY }}/shankar0123/certctl-server:${{ steps.version.outputs.VERSION }}
-            ${{ env.REGISTRY }}/shankar0123/certctl-server:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-server:${{ steps.version.outputs.VERSION }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-server:latest
+          # Proxy propagation (M-4, Issue #9) — forwards runner-level proxy
+          # secrets into the Docker build so self-hosted runners behind
+          # corporate proxies can reach public registries. GitHub-hosted
+          # runners don't need proxies, so the secrets are optional and
+          # resolve to empty strings when unset — byte-identical to the
+          # pre-fix behaviour for the public-runner path.
+          build-args: |
+            HTTP_PROXY=${{ secrets.HTTP_PROXY }}
+            HTTPS_PROXY=${{ secrets.HTTPS_PROXY }}
+            NO_PROXY=${{ secrets.NO_PROXY }}
+          # Supply-chain hardening (M-3): emit native SLSA L3 provenance
+          # and SBOM attestations bound to the image manifest.
+          provenance: mode=max
+          sbom: true
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Keyless-sign server image with Cosign
+        env:
+          DIGEST: ${{ steps.server-push.outputs.digest }}
+          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-server
+        run: |
+          set -euo pipefail
+          cosign sign --yes "${IMAGE}@${DIGEST}"
+
       - name: Build and push agent image
+        id: agent-push
         uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile.agent
           push: true
           tags: |
-            ${{ env.REGISTRY }}/shankar0123/certctl-agent:${{ steps.version.outputs.VERSION }}
-            ${{ env.REGISTRY }}/shankar0123/certctl-agent:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-agent:${{ steps.version.outputs.VERSION }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-agent:latest
+          # Proxy propagation (M-4, Issue #9) — see server-image step for
+          # rationale. Empty secrets resolve to empty build args, leaving
+          # the un-proxied code path byte-identical to the pre-fix tree.
+          build-args: |
+            HTTP_PROXY=${{ secrets.HTTP_PROXY }}
+            HTTPS_PROXY=${{ secrets.HTTPS_PROXY }}
+            NO_PROXY=${{ secrets.NO_PROXY }}
+          # Supply-chain hardening (M-3): emit native SLSA L3 provenance
+          # and SBOM attestations bound to the image manifest.
+          provenance: mode=max
+          sbom: true
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-  # Create release notes with all artifacts
+      - name: Keyless-sign agent image with Cosign
+        env:
+          DIGEST: ${{ steps.agent-push.outputs.digest }}
+          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-agent
+        run: |
+          set -euo pipefail
+          cosign sign --yes "${IMAGE}@${DIGEST}"
+
+  # ----------------------------------------------------------------------
+  # create-release: stamp the release body. The actual asset uploads are
+  # handled by aggregate-checksums (binaries, SBOMs, sigs, certs,
+  # checksums.txt + signature) and the SLSA generator (multiple.intoto.jsonl).
+  # ----------------------------------------------------------------------
   create-release:
     name: Create Release Notes
     runs-on: ubuntu-latest
-    needs: [build-binaries, build-and-push-docker]
+    needs: [build-binaries, aggregate-checksums, provenance-binaries, build-and-push-docker]
     permissions:
       contents: write
 
@@ -135,7 +314,7 @@ jobs:
 
       - name: Extract version from tag
         id: version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
 
       - name: Create release with notes
         uses: softprops/action-gh-release@v2
@@ -197,6 +376,76 @@ jobs:
 
             - **Linux x86_64**: `certctl-server-linux-amd64`
             - **Linux ARM64**: `certctl-server-linux-arm64`
+            - **macOS x86_64**: `certctl-server-darwin-amd64`
+            - **macOS ARM64 (Apple Silicon)**: `certctl-server-darwin-arm64`
+
+            ## CLI & MCP Server Binaries
+
+            The `certctl-cli` (REST API wrapper) and `certctl-mcp-server` (Model Context
+            Protocol bridge) binaries ship for all four platforms as well:
+
+            - `certctl-cli-{linux,darwin}-{amd64,arm64}`
+            - `certctl-mcp-server-{linux,darwin}-{amd64,arm64}`
+
+            ## Verifying this release
+
+            Every binary, `checksums.txt`, and container image is signed with Cosign
+            keyless OIDC. Each binary ships with a SPDX-JSON SBOM. Binaries are covered
+            by SLSA Level 3 provenance; container images carry native SLSA L3 provenance
+            and SBOM attestations (docker/build-push-action `provenance: mode=max`,
+            `sbom: true`) in addition to a Cosign signature on the digest.
+
+            **1. Verify SHA-256 checksums:**
+
+            ```bash
+            sha256sum -c checksums.txt
+            ```
+
+            **2. Verify the Cosign signature on checksums.txt (keyless OIDC):**
+
+            ```bash
+            cosign verify-blob \
+              --bundle checksums.txt.sigstore.json \
+              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
+              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+              checksums.txt
+            ```
+
+            Replace `checksums.txt` with any individual binary name to verify that
+            artefact directly (each binary ships with its own `.sigstore.json`
+            bundle, e.g. `cosign verify-blob --bundle certctl-agent-linux-amd64.sigstore.json …`).
+
+            **3. Verify SLSA Level 3 provenance (binaries):**
+
+            ```bash
+            slsa-verifier verify-artifact \
+              --provenance-path multiple.intoto.jsonl \
+              --source-uri github.com/shankar0123/certctl \
+              --source-tag ${{ steps.version.outputs.VERSION }} \
+              certctl-agent-linux-amd64
+            ```
+
+            **4. Verify container image signature and attestations:**
+
+            ```bash
+            IMAGE=ghcr.io/shankar0123/certctl-server:${{ steps.version.outputs.VERSION }}
+            cosign verify \
+              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
+              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+              "$IMAGE"
+
+            # SBOM attestation (SPDX-JSON) emitted by docker/build-push-action
+            cosign verify-attestation --type spdxjson \
+              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
+              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+              "$IMAGE"
+
+            # SLSA provenance attestation (mode=max)
+            cosign verify-attestation --type slsaprovenance \
+              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
+              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+              "$IMAGE"
+            ```
 
             ## Helm Chart
 

.gitignore

@@ -72,3 +72,8 @@ SECURITY_REMEDIATION.md
 .DS_Store
 Thumbs.db
 mcp-server
+
+# Local Go build/module caches (session-scoped, never committed)
+/.gocache/
+/.gomodcache/
+/.gopath/

.golangci.yml

@@ -6,6 +6,7 @@ run:
 linters:
   default: none
   enable:
+    - contextcheck
     - govet
     - staticcheck
     - unused

Dockerfile

@@ -3,17 +3,43 @@
 # Stage 1: Build frontend
 FROM node:20-alpine AS frontend
 
+# Proxy propagation (M-4, Issue #9) — defaulted to empty so un-proxied builds
+# behave identically to the pre-fix tree. When `HTTP_PROXY`/`HTTPS_PROXY`/
+# `NO_PROXY` are forwarded via `docker build --build-arg` (or compose
+# `build.args`), they are re-exported as ENV with both upper- and lower-case
+# names because npm/apk/curl read the lowercase variants while Go, Node, and
+# most HTTP libraries read the uppercase ones.
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG NO_PROXY=
+ENV HTTP_PROXY=${HTTP_PROXY} \
+    HTTPS_PROXY=${HTTPS_PROXY} \
+    NO_PROXY=${NO_PROXY} \
+    http_proxy=${HTTP_PROXY} \
+    https_proxy=${HTTPS_PROXY} \
+    no_proxy=${NO_PROXY}
+
 WORKDIR /app/web
 
-COPY web/package.json web/package-lock.json ./
-RUN npm ci
-
 COPY web/ .
-RUN npm run build
+RUN npm ci --include=dev || npm ci --include=dev && \
+    node_modules/.bin/tsc --version && \
+    npm run build
 
 # Stage 2: Build Go binary
 FROM golang:1.25-alpine AS builder
 
+# Proxy propagation (M-4, Issue #9) — see Stage 1 rationale.
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG NO_PROXY=
+ENV HTTP_PROXY=${HTTP_PROXY} \
+    HTTPS_PROXY=${HTTPS_PROXY} \
+    NO_PROXY=${NO_PROXY} \
+    http_proxy=${HTTP_PROXY} \
+    https_proxy=${HTTPS_PROXY} \
+    no_proxy=${NO_PROXY}
+
 RUN apk add --no-cache git ca-certificates tzdata
 
 WORKDIR /app

Dockerfile.agent

@@ -2,6 +2,22 @@
 # Stage 1: Build
 FROM golang:1.25-alpine AS builder
 
+# Proxy propagation (M-4, Issue #9) — defaulted to empty so un-proxied builds
+# behave identically to the pre-fix tree. When `HTTP_PROXY`/`HTTPS_PROXY`/
+# `NO_PROXY` are forwarded via `docker build --build-arg` (or compose
+# `build.args`), they are re-exported as ENV with both upper- and lower-case
+# names because apk and curl read the lowercase variants while Go reads the
+# uppercase ones.
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG NO_PROXY=
+ENV HTTP_PROXY=${HTTP_PROXY} \
+    HTTPS_PROXY=${HTTPS_PROXY} \
+    NO_PROXY=${NO_PROXY} \
+    http_proxy=${HTTP_PROXY} \
+    https_proxy=${HTTPS_PROXY} \
+    no_proxy=${NO_PROXY}
+
 RUN apk add --no-cache git ca-certificates
 
 WORKDIR /app

README.md

@@ -36,6 +36,10 @@ gantt
         47 days                :crit, 2020-01-01, 47d
 ```
 
+> **Actively maintained — shipping weekly.** Found something? [Open a GitHub issue](https://github.com/shankar0123/certctl/issues) — issues get triaged same-day. CI runs the full test suite with race detection, static analysis, and vulnerability scanning on every commit.
+
+**Ready to try it?** Jump to the [Quick Start](#quick-start) — you'll have a running dashboard in under 5 minutes.
+
 ## Documentation
 
 | Guide | Description |
@@ -145,10 +149,6 @@ All connectors are pluggable — build your own by implementing the [connector i
 
 **[See all screenshots →](docs/screenshots/)**
 
-> **Actively maintained — shipping weekly.** Found something? [Open a GitHub issue](https://github.com/shankar0123/certctl/issues) — issues get triaged same-day. CI runs the full test suite with race detection, static analysis, and vulnerability scanning on every commit.
-
-**Ready to try it?** Jump to the [Quick Start](#quick-start) — you'll have a running dashboard in under 5 minutes.
-
 ## Why certctl
 
 Certificate lifecycle tooling falls into two camps: enterprise platforms (Venafi, Keyfactor) that cost six figures and take months to deploy, or single-purpose tools (certbot, cert-manager) that handle one slice of the problem. certctl fills the gap — full lifecycle automation, self-hosted, free, CA-agnostic, and target-agnostic. If you're running certbot cron jobs, manually renewing certs, or stitching together scripts across mixed infrastructure, certctl replaces all of that.
@@ -175,7 +175,7 @@ Built for **platform engineering and DevOps teams** managing 10–500+ certifica
 
 **Enrollment protocols.** EST server (RFC 7030) for device and WiFi enrollment. SCEP server (RFC 8894) for MDM platforms and network devices. S/MIME issuance with email protection EKU.
 
-**Revocation.** DER-encoded X.509 CRL per issuer, signed by the issuing CA. Embedded OCSP responder. RFC 5280 reason codes. Short-lived certs (TTL < 1 hour) are exempt — expiry is sufficient revocation.
+**Revocation.** Single and bulk revocation (by profile, owner, agent, or issuer). DER-encoded X.509 CRL per issuer, signed by the issuing CA. Embedded OCSP responder. RFC 5280 reason codes. Short-lived certs (TTL < 1 hour) are exempt — expiry is sufficient revocation.
 
 **Audit and observability.** Immutable append-only audit trail records every lifecycle action, every API call, and every approval decision. Prometheus metrics endpoint. Scheduled certificate digest emails. Continuous endpoint health monitoring with state machine transitions and real-time alerts.
 
@@ -237,6 +237,74 @@ docker pull shankar0123.docker.scarf.sh/certctl-server
 docker pull shankar0123.docker.scarf.sh/certctl-agent
 ```
 
+## Verifying this release
+
+Every `v*` tag publishes signed, attested release artefacts. Binaries
+(`certctl-agent`, `certctl-server`, `certctl-cli`, `certctl-mcp-server` for
+`linux|darwin × amd64|arm64`) ship alongside a `checksums.txt`, per-binary
+SPDX-JSON SBOMs, Cosign signatures, and SLSA Level 3 provenance. Container
+images on `ghcr.io/shankar0123/certctl-{server,agent}` are built with
+`docker/build-push-action` `provenance: mode=max` + `sbom: true` and are
+additionally signed with Cosign at the image digest.
+
+All signatures use Cosign keyless OIDC; the signing identity is the
+release workflow running on a signed tag.
+
+**1. Verify SHA-256 checksums:**
+
+```bash
+sha256sum -c checksums.txt
+```
+
+**2. Verify the Cosign signature on `checksums.txt`:**
+
+```bash
+cosign verify-blob \
+  --bundle checksums.txt.sigstore.json \
+  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
+  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+  checksums.txt
+```
+
+Every individual binary ships with its own `.sigstore.json` bundle
+(unified Sigstore bundle containing signature, certificate chain, and
+Rekor inclusion proof). Swap `checksums.txt` for any binary name and
+point `--bundle` at the matching `<binary>.sigstore.json` to verify it
+directly.
+
+**3. Verify SLSA Level 3 provenance on a binary:**
+
+```bash
+slsa-verifier verify-artifact \
+  --provenance-path multiple.intoto.jsonl \
+  --source-uri github.com/shankar0123/certctl \
+  --source-tag v2.1.0 \
+  certctl-agent-linux-amd64
+```
+
+**4. Verify a container image signature and its SBOM / provenance attestations:**
+
+```bash
+IMAGE=ghcr.io/shankar0123/certctl-server:v2.1.0
+
+cosign verify \
+  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
+  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+  "$IMAGE"
+
+# SBOM attestation (SPDX-JSON, emitted by docker/build-push-action)
+cosign verify-attestation --type spdxjson \
+  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
+  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+  "$IMAGE"
+
+# SLSA provenance attestation (docker/build-push-action `provenance: mode=max`)
+cosign verify-attestation --type slsaprovenance \
+  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
+  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+  "$IMAGE"
+```
+
 ## Examples
 
 Pick the scenario closest to your setup and have it running in 2 minutes.
@@ -320,7 +388,7 @@ Core lifecycle management — Local CA + ACME v2 issuers, NGINX target connector
 30+ milestones shipping enterprise-grade features for free. Sub-CA mode, ACME DNS-01/DNS-PERSIST-01/EAB/ARI (RFC 9773)/profile selection, step-ca, Vault PKI, DigiCert CertCentral, Sectigo SCM, Google CAS, AWS ACM PCA, Entrust, GlobalSign, EJBCA, OpenSSL/Custom CA issuers. NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS (WinRM), F5 BIG-IP, SSH, Windows Certificate Store, Java Keystore, Kubernetes Secrets targets. EST server (RFC 7030) and SCEP server (RFC 8894) enrollment protocols. RFC 5280 revocation with DER CRL + embedded OCSP responder. Certificate profiles, ownership tracking, team assignment, agent groups, interactive approval workflows. Filesystem, network, and cloud secret manager (AWS SM, Azure KV, GCP SM) certificate discovery with triage GUI. Dynamic issuer/target configuration via GUI with AES-256-GCM encrypted storage. First-run onboarding wizard. Post-deployment TLS verification. Certificate export (PEM/PKCS#12). S/MIME support. Prometheus metrics. Scheduled certificate digest emails. Slack, Teams, PagerDuty, OpsGenie, SMTP notifications. MCP server (80 tools), CLI (12 commands), Helm chart. Compliance mapping (SOC 2, PCI-DSS 4.0, NIST SP 800-57). 5 turnkey deployment examples. Agent install script. Migration guides from certbot, acme.sh, and cert-manager. See the [Feature Inventory](docs/features.md) for details.
 
 ### V3: certctl Pro
-Team access controls and identity provider integration. Role-based access control with profile-gating. Event-driven architecture with real-time operational views. Advanced search, compliance scoring, bulk fleet operations.
+Enterprise capabilities for larger deployments are available in the commercial tier.
 
 ### V4+: Cloud & Scale
 Kubernetes cert-manager external issuer, cloud infrastructure targets, extended CA support, and platform-scale features.

api/openapi.yaml

@@ -29,7 +29,11 @@ tags:
   - name: Certificates
     description: Certificate lifecycle — CRUD, versions, renewal, deployment, revocation
   - name: CRL & OCSP
-    description: Certificate revocation list and OCSP responder
+    description: |
+      Certificate revocation list (RFC 5280) and OCSP responder (RFC 6960).
+      Served unauthenticated under `/.well-known/pki/*` (RFC 8615) so
+      relying parties can retrieve revocation status without a certctl
+      API key.
   - name: Issuers
     description: CA issuer connector management (Local CA, ACME, step-ca)
   - name: Targets
@@ -66,6 +70,12 @@ tags:
     description: Continuous TLS endpoint health checks with status tracking and probe history
   - name: Digest
     description: Scheduled certificate digest email notifications
+  - name: Verification
+    description: Post-deployment TLS endpoint fingerprint verification
+  - name: EST
+    description: Enrollment over Secure Transport (RFC 7030)
+  - name: SCEP
+    description: Simple Certificate Enrollment Protocol (RFC 8894)
 
 paths:
   # ─── Health & Auth ───────────────────────────────────────────────────
@@ -381,6 +391,34 @@ paths:
         "500":
           $ref: "#/components/responses/InternalError"
 
+  # ─── Bulk Revocation ─────────────────────────────────────────────────
+  /api/v1/certificates/bulk-revoke:
+    post:
+      tags: [Certificates]
+      summary: Bulk revoke certificates
+      description: |
+        Revokes all certificates matching the given filter criteria. At least one criterion
+        is required (safety guard against accidental mass revocation). Reuses the single-cert
+        revocation flow per certificate with partial-failure tolerance.
+      operationId: bulkRevokeCertificates
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/BulkRevokeRequest"
+      responses:
+        "200":
+          description: Bulk revocation result
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/BulkRevokeResult"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "500":
+          $ref: "#/components/responses/InternalError"
+
   # ─── Certificate Export ──────────────────────────────────────────────
   /api/v1/certificates/{id}/export/pem:
     get:
@@ -459,50 +497,28 @@ paths:
         "500":
           $ref: "#/components/responses/InternalError"
 
-  # ─── CRL & OCSP ─────────────────────────────────────────────────────
-  /api/v1/crl:
+  # ─── PKI (CRL & OCSP, RFC 5280 / 6960 / 8615) ──────────────────────
+  #
+  # Relying parties (browsers, OpenSSL clients, OCSP stapling sidecars,
+  # mTLS clients) cannot present a certctl Bearer token, so these two
+  # endpoints are unauthenticated and live under the RFC 8615
+  # `.well-known` namespace. They were previously mounted at
+  # /api/v1/crl/{issuer_id} and /api/v1/ocsp/{issuer_id}/{serial}; those
+  # paths were removed in M-006.
+  #
+  # The non-standard JSON CRL endpoint (GET /api/v1/crl) was also
+  # removed — RFC 5280 defines only the DER wire format.
+  /.well-known/pki/crl/{issuer_id}:
     get:
       tags: [CRL & OCSP]
-      summary: Get JSON CRL
-      description: Returns all revoked certificates in JSON format.
-      operationId: getCRL
-      responses:
-        "200":
-          description: JSON CRL
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  version:
-                    type: integer
-                    example: 1
-                  entries:
-                    type: array
-                    items:
-                      type: object
-                      properties:
-                        serial_number:
-                          type: string
-                        revocation_date:
-                          type: string
-                          format: date-time
-                        revocation_reason:
-                          type: string
-                  total:
-                    type: integer
-                  generated_at:
-                    type: string
-                    format: date-time
-        "500":
-          $ref: "#/components/responses/InternalError"
-
-  /api/v1/crl/{issuer_id}:
-    get:
-      tags: [CRL & OCSP]
-      summary: Get DER-encoded X.509 CRL
-      description: Returns a proper DER-encoded CRL signed by the issuing CA. 24-hour validity.
+      summary: Get DER-encoded X.509 CRL (RFC 5280)
+      description: |
+        Returns a DER-encoded CRL signed by the issuing CA (RFC 5280 §5),
+        served unauthenticated per RFC 8615 `.well-known` semantics so
+        relying parties can retrieve it without a certctl API key.
+        Validity is 24 hours.
       operationId: getDERCRL
+      security: []
       parameters:
         - name: issuer_id
           in: path
@@ -526,12 +542,17 @@ paths:
         "501":
           description: Issuer does not support CRL generation
 
-  /api/v1/ocsp/{issuer_id}/{serial}:
+  /.well-known/pki/ocsp/{issuer_id}/{serial}:
     get:
       tags: [CRL & OCSP]
-      summary: OCSP responder
-      description: Returns signed OCSP response (good/revoked/unknown) for the given serial number.
+      summary: OCSP responder (RFC 6960)
+      description: |
+        Returns a signed OCSP response (good/revoked/unknown) for the
+        given serial number per RFC 6960 §2.1, served unauthenticated
+        per RFC 8615 so relying parties and OCSP stapling sidecars can
+        query revocation status without a certctl API key.
       operationId: handleOCSP
+      security: []
       parameters:
         - name: issuer_id
           in: path
@@ -788,6 +809,28 @@ paths:
         "500":
           $ref: "#/components/responses/InternalError"
 
+  /api/v1/targets/{id}/test:
+    post:
+      tags: [Targets]
+      summary: Test target connection
+      description: |
+        Checks target connectivity by verifying the assigned agent's heartbeat status
+        (agent reported within the last 5 minutes). Always returns HTTP 200 — the
+        connectivity result is reflected in the response body's `status` field
+        (`success` when the agent is reachable, `failed` otherwise).
+      operationId: testTargetConnection
+      parameters:
+        - $ref: "#/components/parameters/resourceId"
+      responses:
+        "200":
+          description: Connection test result (success or failed in body)
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/StatusMessageResponse"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+
   # ─── Agents ──────────────────────────────────────────────────────────
   /api/v1/agents:
     get:
@@ -1149,6 +1192,66 @@ paths:
         "500":
           $ref: "#/components/responses/InternalError"
 
+  /api/v1/jobs/{id}/verify:
+    post:
+      tags: [Verification]
+      summary: Record post-deployment verification result
+      description: |
+        Agents submit the result of probing a deployed certificate's live TLS endpoint.
+        Compares the served certificate's SHA-256 fingerprint against the expected
+        fingerprint. Best-effort: failures are recorded on the job but do not roll
+        back the deployment.
+      operationId: verifyDeployment
+      parameters:
+        - $ref: "#/components/parameters/resourceId"
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/VerifyDeploymentRequest"
+      responses:
+        "200":
+          description: Verification result recorded
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  job_id:
+                    type: string
+                  verified:
+                    type: boolean
+                  verified_at:
+                    type: string
+                    format: date-time
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "500":
+          $ref: "#/components/responses/InternalError"
+
+  /api/v1/jobs/{id}/verification:
+    get:
+      tags: [Verification]
+      summary: Get post-deployment verification status
+      description: |
+        Returns the stored verification result for a deployment job — expected
+        and observed SHA-256 fingerprints, verified flag, and timestamp.
+      operationId: getJobVerification
+      parameters:
+        - $ref: "#/components/parameters/resourceId"
+      responses:
+        "200":
+          description: Verification result for the job
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/VerificationResult"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "500":
+          $ref: "#/components/responses/InternalError"
+
   # ─── Policies ────────────────────────────────────────────────────────
   /api/v1/policies:
     get:
@@ -2690,6 +2793,238 @@ paths:
         "500":
           $ref: "#/components/responses/InternalError"
 
+  # ─── EST (RFC 7030) ────────────────────────────────────────────────
+  /.well-known/est/cacerts:
+    get:
+      tags: [EST]
+      summary: EST CA certificates distribution
+      description: |
+        Returns the CA certificate chain used to verify certctl-issued certificates.
+        Response is a base64-encoded degenerate PKCS#7 SignedData (certs-only) per
+        RFC 7030 §4.1.3.
+      operationId: estCACerts
+      security: []
+      responses:
+        "200":
+          description: Base64-encoded PKCS#7 certs-only structure
+          headers:
+            Content-Transfer-Encoding:
+              schema:
+                type: string
+                example: base64
+          content:
+            application/pkcs7-mime:
+              schema:
+                type: string
+                format: byte
+                description: "Base64-encoded PKCS#7 (smime-type=certs-only)"
+        "500":
+          $ref: "#/components/responses/InternalError"
+
+  /.well-known/est/simpleenroll:
+    post:
+      tags: [EST]
+      summary: EST simple enrollment
+      description: |
+        Enrolls a new certificate from a PKCS#10 CSR per RFC 7030 §4.2.1.
+        The CSR MAY be supplied as base64-encoded DER (EST standard wire format)
+        or as PEM for convenience. Returns a base64-encoded PKCS#7 certs-only
+        structure containing the issued certificate.
+      operationId: estSimpleEnroll
+      security: []
+      requestBody:
+        required: true
+        description: "Base64-encoded DER PKCS#10 CSR, or PEM-encoded CSR"
+        content:
+          application/pkcs10:
+            schema:
+              type: string
+              format: byte
+      responses:
+        "200":
+          description: Base64-encoded PKCS#7 cert-only response with issued certificate
+          headers:
+            Content-Transfer-Encoding:
+              schema:
+                type: string
+                example: base64
+          content:
+            application/pkcs7-mime:
+              schema:
+                type: string
+                format: byte
+                description: "Base64-encoded PKCS#7 (smime-type=certs-only)"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "405":
+          description: Method not allowed (only POST accepted)
+        "500":
+          $ref: "#/components/responses/InternalError"
+
+  /.well-known/est/simplereenroll:
+    post:
+      tags: [EST]
+      summary: EST simple re-enrollment
+      description: |
+        Re-enrolls an existing certificate (same as simpleenroll in certctl's
+        implementation — re-enrollment is treated as a fresh issuance) per
+        RFC 7030 §4.2.2.
+      operationId: estSimpleReEnroll
+      security: []
+      requestBody:
+        required: true
+        description: "Base64-encoded DER PKCS#10 CSR, or PEM-encoded CSR"
+        content:
+          application/pkcs10:
+            schema:
+              type: string
+              format: byte
+      responses:
+        "200":
+          description: Base64-encoded PKCS#7 cert-only response with re-issued certificate
+          headers:
+            Content-Transfer-Encoding:
+              schema:
+                type: string
+                example: base64
+          content:
+            application/pkcs7-mime:
+              schema:
+                type: string
+                format: byte
+                description: "Base64-encoded PKCS#7 (smime-type=certs-only)"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "405":
+          description: Method not allowed (only POST accepted)
+        "500":
+          $ref: "#/components/responses/InternalError"
+
+  /.well-known/est/csrattrs:
+    get:
+      tags: [EST]
+      summary: EST CSR attributes
+      description: |
+        Returns attributes the EST client should include in its CSR per
+        RFC 7030 §4.5. certctl currently returns an empty attribute set
+        (HTTP 204) — profile-based constraints are enforced server-side
+        during enrollment rather than advertised here.
+      operationId: estCSRAttrs
+      security: []
+      responses:
+        "200":
+          description: Base64-encoded CsrAttrs (when non-empty)
+          headers:
+            Content-Transfer-Encoding:
+              schema:
+                type: string
+                example: base64
+          content:
+            application/csrattrs:
+              schema:
+                type: string
+                format: byte
+        "204":
+          description: No CSR attributes defined (empty response)
+        "500":
+          $ref: "#/components/responses/InternalError"
+
+  # ─── SCEP (RFC 8894) ──────────────────────────────────────────────
+  /scep:
+    get:
+      tags: [SCEP]
+      summary: SCEP operation dispatch (GET)
+      description: |
+        Single SCEP entry point dispatched by the `operation` query parameter
+        per RFC 8894. GET is used for capability discovery (`GetCACaps`) and
+        CA certificate retrieval (`GetCACert`).
+      operationId: scepGet
+      security: []
+      parameters:
+        - name: operation
+          in: query
+          required: true
+          schema:
+            type: string
+            enum: [GetCACaps, GetCACert, PKIOperation]
+          description: SCEP operation selector
+        - name: message
+          in: query
+          required: false
+          schema:
+            type: string
+          description: Optional SCEP message parameter (base64-encoded for GET PKIOperation)
+      responses:
+        "200":
+          description: |
+            Success. Content-Type varies by operation:
+            - `GetCACaps` → `text/plain` capability list
+            - `GetCACert` (single cert) → `application/x-x509-ca-cert` (raw DER)
+            - `GetCACert` (chain) → `application/x-x509-ca-ra-cert` (PKCS#7)
+            - `PKIOperation` → `application/x-pki-message` (PKCS#7 SignedData)
+          content:
+            text/plain:
+              schema:
+                type: string
+                description: "SCEP capabilities (GetCACaps only)"
+            application/x-x509-ca-cert:
+              schema:
+                type: string
+                format: binary
+                description: "CA certificate DER (GetCACert single)"
+            application/x-x509-ca-ra-cert:
+              schema:
+                type: string
+                format: binary
+                description: "CA chain PKCS#7 (GetCACert chain)"
+            application/x-pki-message:
+              schema:
+                type: string
+                format: binary
+                description: "PKCS#7 SignedData response (PKIOperation)"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "500":
+          $ref: "#/components/responses/InternalError"
+    post:
+      tags: [SCEP]
+      summary: SCEP PKIOperation (POST)
+      description: |
+        SCEP enrollment / renewal / revocation request per RFC 8894.
+        Request body is a PKCS#7 SignedData envelope wrapping the PKCS#10 CSR
+        or a degenerate raw CSR (fallback). The challenge password in the CSR
+        attributes is validated against `CERTCTL_SCEP_CHALLENGE_PASSWORD` when
+        configured.
+      operationId: scepPost
+      security: []
+      parameters:
+        - name: operation
+          in: query
+          required: true
+          schema:
+            type: string
+            enum: [PKIOperation]
+      requestBody:
+        required: true
+        description: PKCS#7 SignedData envelope wrapping a PKCS#10 CSR (or raw CSR as fallback)
+        content:
+          application/x-pki-message:
+            schema:
+              type: string
+              format: binary
+      responses:
+        "200":
+          description: PKCS#7 SignedData PKIMessage response
+          content:
+            application/x-pki-message:
+              schema:
+                type: string
+                format: binary
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "500":
+          $ref: "#/components/responses/InternalError"
+
 # ═══════════════════════════════════════════════════════════════════════
 components:
   securitySchemes:
@@ -2892,6 +3227,59 @@ components:
         - certificateHold
         - privilegeWithdrawn
 
+    BulkRevokeRequest:
+      type: object
+      required: [reason]
+      properties:
+        reason:
+          $ref: "#/components/schemas/RevocationReason"
+        profile_id:
+          type: string
+          description: Revoke all certificates matching this profile
+        owner_id:
+          type: string
+          description: Revoke all certificates owned by this owner
+        agent_id:
+          type: string
+          description: Revoke all certificates deployed via this agent
+        issuer_id:
+          type: string
+          description: Revoke all certificates issued by this issuer
+        team_id:
+          type: string
+          description: Revoke all certificates owned by members of this team
+        certificate_ids:
+          type: array
+          items:
+            type: string
+          description: Explicit list of certificate IDs to revoke
+
+    BulkRevokeResult:
+      type: object
+      properties:
+        total_matched:
+          type: integer
+          description: Number of certificates matching the criteria
+        total_revoked:
+          type: integer
+          description: Number of certificates successfully revoked
+        total_skipped:
+          type: integer
+          description: Number of certificates skipped (already revoked or archived)
+        total_failed:
+          type: integer
+          description: Number of certificates that failed to revoke
+        errors:
+          type: array
+          items:
+            type: object
+            properties:
+              certificate_id:
+                type: string
+              error:
+                type: string
+          description: Per-certificate error details for failed revocations
+
     # ─── Issuers ─────────────────────────────────────────────────────
     IssuerType:
       type: string
@@ -2925,6 +3313,7 @@ components:
 
     DeploymentTarget:
       type: object
+      required: [name, type, agent_id]
       properties:
         id:
           type: string
@@ -2934,6 +3323,12 @@ components:
           $ref: "#/components/schemas/TargetType"
         agent_id:
           type: string
+          description: |
+            ID of the agent that manages this target. Required because
+            deployment_targets.agent_id is a NOT NULL foreign key to agents(id)
+            (migration 000001). Empty or nonexistent agent IDs are rejected
+            with HTTP 400 by the service layer (see C-002 in the coverage-gap
+            audit).
         config:
           type: object
           description: Target-specific configuration (varies by type)
@@ -3060,6 +3455,7 @@ components:
         - RequiredMetadata
         - AllowedEnvironments
         - RenewalLeadTime
+        - CertificateLifetime
 
     PolicySeverity:
       type: string
@@ -3079,6 +3475,9 @@ components:
           description: Policy-specific configuration (varies by type)
         enabled:
           type: boolean
+        severity:
+          $ref: "#/components/schemas/PolicySeverity"
+          description: Severity level applied to violations of this rule. Defaults to Warning on create when omitted.
         created_at:
           type: string
           format: date-time
@@ -3724,3 +4123,47 @@ components:
           type: string
           format: date-time
           description: Timestamp of this probe
+
+    # ─── Verification (M25) ──────────────────────────────────────────
+    VerifyDeploymentRequest:
+      type: object
+      required: [target_id, expected_fingerprint, actual_fingerprint, verified]
+      properties:
+        target_id:
+          type: string
+          description: Deployment target the agent probed
+        expected_fingerprint:
+          type: string
+          description: SHA-256 fingerprint of the certificate that should be served (hex, lowercase)
+        actual_fingerprint:
+          type: string
+          description: SHA-256 fingerprint observed on the live TLS endpoint (hex, lowercase)
+        verified:
+          type: boolean
+          description: True when expected and actual fingerprints match
+        error:
+          type: string
+          nullable: true
+          description: Error message when probe failed or fingerprints differ
+
+    VerificationResult:
+      type: object
+      properties:
+        job_id:
+          type: string
+        target_id:
+          type: string
+        expected_fingerprint:
+          type: string
+          description: SHA-256 fingerprint (hex) of the certificate deployed by this job
+        actual_fingerprint:
+          type: string
+          description: SHA-256 fingerprint (hex) observed on the live TLS endpoint
+        verified:
+          type: boolean
+        verified_at:
+          type: string
+          format: date-time
+        error:
+          type: string
+          description: Error message when verification failed

cmd/cli/main.go

@@ -35,6 +35,8 @@ Commands:
   jobs cancel ID   Cancel a pending job
 
   import FILE      Bulk import certificates from PEM file(s)
+                   Required: --owner-id, --team-id, --renewal-policy-id, --issuer-id
+                   Optional: --name-template (default {cn}), --environment (default imported)
 
   status           Show server health + summary stats
   version          Show CLI version
@@ -130,6 +132,8 @@ func handleCerts(client *cli.Client, args []string) error {
 			reason = subArgs[2]
 		}
 		return client.RevokeCertificate(id, reason)
+	case "bulk-revoke":
+		return client.BulkRevokeCertificates(subArgs)
 	default:
 		fmt.Fprintf(os.Stderr, "unknown subcommand: certs %s\n", subcommand)
 		return nil

cmd/server/main.go

@@ -9,6 +9,7 @@ import (
 	"os"
 	"os/signal"
 	"strconv"
+	"strings"
 	"syscall"
 	"time"
 
@@ -16,7 +17,6 @@ import (
 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/api/router"
 	"github.com/shankar0123/certctl/internal/config"
-	"github.com/shankar0123/certctl/internal/crypto"
 	"github.com/shankar0123/certctl/internal/domain"
 	discoveryawssm "github.com/shankar0123/certctl/internal/connector/discovery/awssm"
 	discoveryazurekv "github.com/shankar0123/certctl/internal/connector/discovery/azurekv"
@@ -82,14 +82,60 @@ func main() {
 	logger.Info("initialized all repositories")
 
 	// Initialize dynamic issuer registry.
-	// Issuers are loaded from the database (with AES-GCM encrypted config).
+	// Issuers are loaded from the database (with AES-256-GCM encrypted config).
 	// On first boot with an empty database, env var issuers are seeded automatically.
-	var encryptionKey []byte
-	if cfg.Encryption.ConfigEncryptionKey != "" {
-		encryptionKey = crypto.DeriveKey(cfg.Encryption.ConfigEncryptionKey)
-		logger.Info("config encryption enabled (AES-256-GCM)")
+	//
+	// M-8 (CWE-916 / CWE-329): the encryption passphrase is passed as a raw
+	// string into IssuerService / TargetService / IssuerRegistry. Each call to
+	// crypto.EncryptIfKeySet generates a fresh 16-byte PBKDF2 salt and emits a
+	// v2 blob (magic 0x02 || salt || nonce || sealed). Decryption auto-detects
+	// v1 legacy blobs (no magic) and falls back to the fixed v1 salt for
+	// backward compatibility; v1 blobs transparently upgrade to v2 on next
+	// write. DO NOT pre-derive the key here with crypto.DeriveKey — that was
+	// the v1 fixed-salt behaviour that M-8 removes.
+	encryptionKey := cfg.Encryption.ConfigEncryptionKey
+	if encryptionKey != "" {
+		logger.Info("config encryption enabled (AES-256-GCM, per-ciphertext PBKDF2 salt)")
 	} else {
-		logger.Warn("CERTCTL_CONFIG_ENCRYPTION_KEY not set — issuer configs stored in plaintext (not recommended for production)")
+		// C-2 fix: fail closed at startup when database-sourced issuer or target
+		// rows exist without a configured encryption key. Previously the server
+		// would emit a one-line warning and silently persist new GUI-created
+		// configs as plaintext (CWE-311). Refuse to start instead: the operator
+		// must either configure CERTCTL_CONFIG_ENCRYPTION_KEY or remove the
+		// vulnerable rows before the control plane can boot.
+		ctx := context.Background()
+		dbIssuers, ierr := issuerRepo.List(ctx)
+		if ierr != nil {
+			logger.Error("startup check: failed to list issuers", "error", ierr)
+			os.Exit(1)
+		}
+		dbTargets, terr := targetRepo.List(ctx)
+		if terr != nil {
+			logger.Error("startup check: failed to list targets", "error", terr)
+			os.Exit(1)
+		}
+		var dbIssuerCount, dbTargetCount int
+		for _, iss := range dbIssuers {
+			if iss != nil && iss.Source == "database" {
+				dbIssuerCount++
+			}
+		}
+		for _, tgt := range dbTargets {
+			if tgt != nil && tgt.Source == "database" {
+				dbTargetCount++
+			}
+		}
+		if dbIssuerCount > 0 || dbTargetCount > 0 {
+			logger.Error(
+				"startup refused: CERTCTL_CONFIG_ENCRYPTION_KEY is not set but database-sourced configs exist "+
+					"(would expose sensitive fields as plaintext, CWE-311). "+
+					"Set the encryption key or remove the affected rows before restarting.",
+				"database_sourced_issuers", dbIssuerCount,
+				"database_sourced_targets", dbTargetCount,
+			)
+			os.Exit(1)
+		}
+		logger.Warn("CERTCTL_CONFIG_ENCRYPTION_KEY not set — env-seeded issuers will be stored in plaintext; GUI-created issuers and targets will be rejected until a key is configured")
 	}
 
 	issuerRegistry := service.NewIssuerRegistry(logger)
@@ -100,6 +146,7 @@ func main() {
 	// Initialize services (following the dependency graph)
 	auditService := service.NewAuditService(auditRepo)
 	policyService := service.NewPolicyService(policyRepo, auditService)
+	policyService.SetCertRepo(certificateRepo) // D-008: CertificateLifetime arm needs CertificateVersion.NotBefore/NotAfter
 	certificateService := service.NewCertificateService(certificateRepo, policyService, auditService)
 	notifierRegistry := make(map[string]service.Notifier)
 
@@ -177,7 +224,10 @@ func main() {
 	renewalService := service.NewRenewalService(certificateRepo, jobRepo, renewalPolicyRepo, profileRepo, auditService, notificationService, issuerRegistry, cfg.Keygen.Mode)
 	renewalService.SetTargetRepo(targetRepo)
 	deploymentService := service.NewDeploymentService(jobRepo, targetRepo, agentRepo, certificateRepo, auditService, notificationService)
-	jobService := service.NewJobService(jobRepo, renewalService, deploymentService, logger)
+	jobService := service.NewJobService(jobRepo, certificateRepo, ownerRepo, renewalService, deploymentService, logger)
+	// I-001: emit "job_retry" audit events when the scheduler resets Failed→Pending.
+	// SetAuditService is optional — JobService falls back to nil-guarded no-op if unwired.
+	jobService.SetAuditService(auditService)
 	agentService := service.NewAgentService(agentRepo, certificateRepo, jobRepo, targetRepo, auditService, issuerRegistry, renewalService)
 	agentService.SetProfileRepo(profileRepo)
 	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, encryptionKey, logger)
@@ -208,9 +258,15 @@ func main() {
 			Name:   "Network Scanner (Server-Side)",
 			Status: domain.AgentStatusOnline,
 		}
-		if err := agentRepo.Create(context.Background(), sentinelAgent); err != nil {
-			// Ignore duplicate key errors (agent already exists)
-			logger.Debug("sentinel agent creation", "status", "exists or created", "id", service.SentinelAgentID)
+		// M-6: use CreateIfNotExists so duplicate rows on restart/upgrade are
+		// idempotent without swallowing unrelated DB failures (CWE-662).
+		created, err := agentRepo.CreateIfNotExists(context.Background(), sentinelAgent)
+		if err != nil {
+			logger.Error("sentinel agent creation failed", "id", service.SentinelAgentID, "error", err)
+		} else if created {
+			logger.Info("sentinel agent created", "id", service.SentinelAgentID)
+		} else {
+			logger.Debug("sentinel agent already exists", "id", service.SentinelAgentID)
 		}
 	}
 
@@ -229,8 +285,14 @@ func main() {
 				Name:   "AWS Secrets Manager Discovery",
 				Status: domain.AgentStatusOnline,
 			}
-			if err := agentRepo.Create(context.Background(), sentinelAWS); err != nil {
-				logger.Debug("sentinel agent creation", "status", "exists or created", "id", service.SentinelAWSSecretsMgr)
+			// M-6: idempotent create (CWE-662).
+			created, err := agentRepo.CreateIfNotExists(context.Background(), sentinelAWS)
+			if err != nil {
+				logger.Error("sentinel agent creation failed", "id", service.SentinelAWSSecretsMgr, "error", err)
+			} else if created {
+				logger.Info("sentinel agent created", "id", service.SentinelAWSSecretsMgr)
+			} else {
+				logger.Debug("sentinel agent already exists", "id", service.SentinelAWSSecretsMgr)
 			}
 		}
 
@@ -248,8 +310,14 @@ func main() {
 				Name:   "Azure Key Vault Discovery",
 				Status: domain.AgentStatusOnline,
 			}
-			if err := agentRepo.Create(context.Background(), sentinelAzure); err != nil {
-				logger.Debug("sentinel agent creation", "status", "exists or created", "id", service.SentinelAzureKeyVault)
+			// M-6: idempotent create (CWE-662).
+			created, err := agentRepo.CreateIfNotExists(context.Background(), sentinelAzure)
+			if err != nil {
+				logger.Error("sentinel agent creation failed", "id", service.SentinelAzureKeyVault, "error", err)
+			} else if created {
+				logger.Info("sentinel agent created", "id", service.SentinelAzureKeyVault)
+			} else {
+				logger.Debug("sentinel agent already exists", "id", service.SentinelAzureKeyVault)
 			}
 		}
 
@@ -262,8 +330,14 @@ func main() {
 				Name:   "GCP Secret Manager Discovery",
 				Status: domain.AgentStatusOnline,
 			}
-			if err := agentRepo.Create(context.Background(), sentinelGCP); err != nil {
-				logger.Debug("sentinel agent creation", "status", "exists or created", "id", service.SentinelGCPSecretMgr)
+			// M-6: idempotent create (CWE-662).
+			created, err := agentRepo.CreateIfNotExists(context.Background(), sentinelGCP)
+			if err != nil {
+				logger.Error("sentinel agent creation failed", "id", service.SentinelGCPSecretMgr, "error", err)
+			} else if created {
+				logger.Info("sentinel agent created", "id", service.SentinelGCPSecretMgr)
+			} else {
+				logger.Debug("sentinel agent already exists", "id", service.SentinelGCPSecretMgr)
 			}
 		}
 
@@ -274,6 +348,9 @@ func main() {
 
 	logger.Info("initialized all services")
 
+	// Initialize bulk revocation service
+	bulkRevocationService := service.NewBulkRevocationService(revocationSvc, certificateRepo, auditService, logger)
+
 	// Initialize stats and metrics services
 	statsService := service.NewStatsService(certificateRepo, jobRepo, agentRepo)
 	logger.Info("initialized stats service")
@@ -301,6 +378,8 @@ func main() {
 	exportService := service.NewExportService(certificateRepo, auditService)
 	exportHandler := handler.NewExportHandler(exportService)
 
+	bulkRevocationHandler := handler.NewBulkRevocationHandler(bulkRevocationService)
+
 	// Initialize digest service (requires email notifier)
 	var digestService *service.DigestService
 	var digestHandler *handler.DigestHandler
@@ -362,6 +441,10 @@ func main() {
 	// Configure scheduler intervals from config
 	sched.SetRenewalCheckInterval(cfg.Scheduler.RenewalCheckInterval)
 	sched.SetJobProcessorInterval(cfg.Scheduler.JobProcessorInterval)
+	// I-001: drive the failed-job retry loop. Runs on start + every RetryInterval
+	// (default 5m, CERTCTL_SCHEDULER_RETRY_INTERVAL). Kept adjacent to the job
+	// processor setter because they share the JobServicer dependency.
+	sched.SetJobRetryInterval(cfg.Scheduler.RetryInterval)
 	sched.SetAgentHealthCheckInterval(cfg.Scheduler.AgentHealthCheckInterval)
 	sched.SetNotificationProcessInterval(cfg.Scheduler.NotificationProcessInterval)
 	if cfg.NetworkScan.Enabled {
@@ -415,7 +498,8 @@ func main() {
 		Verification:  verificationHandler,
 		Export:        exportHandler,
 		Digest:        *digestHandler,
-		HealthChecks:  healthCheckHandler,
+		HealthChecks:     healthCheckHandler,
+		BulkRevocation:   bulkRevocationHandler,
 	})
 	// Register EST (RFC 7030) handlers if enabled
 	if cfg.EST.Enabled {
@@ -439,6 +523,24 @@ func main() {
 
 	// Register SCEP (RFC 8894) handlers if enabled
 	if cfg.SCEP.Enabled {
+		// H-2 fix: fail closed at startup when SCEP is enabled without a
+		// challenge password configured. Previously the service-layer guard
+		// at internal/service/scep.go:72-79 skipped the password check when
+		// s.challengePassword == "", meaning any client that could reach the
+		// /scep endpoint could enroll an arbitrary CSR against the configured
+		// issuer (CWE-306, missing authentication for a critical function).
+		// Refuse to start instead: the operator must set
+		// CERTCTL_SCEP_CHALLENGE_PASSWORD (or disable SCEP) before the control
+		// plane can boot.
+		if err := preflightSCEPChallengePassword(cfg.SCEP.Enabled, cfg.SCEP.ChallengePassword); err != nil {
+			logger.Error(
+				"startup refused: SCEP is enabled but CERTCTL_SCEP_CHALLENGE_PASSWORD is not set "+
+					"(would allow unauthenticated certificate enrollment, CWE-306). "+
+					"Set a non-empty challenge password or disable SCEP before restarting.",
+				"error", err,
+			)
+			os.Exit(1)
+		}
 		issuerConn, ok := issuerRegistry.Get(cfg.SCEP.IssuerID)
 		if !ok {
 			logger.Error("SCEP issuer not found in registry", "issuer_id", cfg.SCEP.IssuerID)
@@ -458,13 +560,63 @@ func main() {
 			"endpoints", "/scep?operation={GetCACaps,GetCACert,PKIOperation}")
 	}
 
+	// Register RFC 5280 CRL and RFC 6960 OCSP handlers under /.well-known/pki/.
+	// These are always enabled (no config gate) — revocation data must be
+	// reachable to relying parties for any cert certctl issues. The finalHandler
+	// routing gate below strips auth middleware for this prefix so browsers,
+	// OpenSSL, OCSP stapling sidecars, and mTLS clients can fetch without
+	// presenting certctl Bearer tokens.
+	apiRouter.RegisterPKIHandlers(certificateHandler)
+	logger.Info("PKI endpoints registered",
+		"endpoints", "/.well-known/pki/{crl/{issuer_id},ocsp/{issuer_id}/{serial}}")
+
 	logger.Info("registered all API handlers")
 
-	// Build middleware stack
-	authMiddleware := middleware.NewAuth(middleware.AuthConfig{
-		Type:   cfg.Auth.Type,
-		Secret: cfg.Auth.Secret,
-	})
+	// Build middleware stack.
+	//
+	// Authentication unification (M-002): every authenticated request now
+	// carries a named actor in the request context so audit events record
+	// the real key identity instead of the hardcoded "api-key-user" string.
+	// Named keys come from CERTCTL_API_KEYS_NAMED (preferred). For backward
+	// compatibility CERTCTL_AUTH_SECRET is synthesized into legacy-key-N
+	// entries with Admin=false.
+	var namedKeys []middleware.NamedAPIKey
+	if cfg.Auth.Type != "none" {
+		// Translate typed config.NamedAPIKey -> middleware.NamedAPIKey. The
+		// two structs are field-compatible but live in different packages to
+		// preserve the config→middleware dependency direction.
+		for _, nk := range cfg.Auth.NamedKeys {
+			namedKeys = append(namedKeys, middleware.NamedAPIKey{
+				Name:  nk.Name,
+				Key:   nk.Key,
+				Admin: nk.Admin,
+			})
+		}
+		// Back-compat: if no named keys but legacy Secret is configured,
+		// synthesize named entries so the audit trail still attributes the
+		// action (instead of falling back to "api-key-user" / "anonymous").
+		if len(namedKeys) == 0 && cfg.Auth.Secret != "" {
+			parts := strings.Split(cfg.Auth.Secret, ",")
+			idx := 0
+			for _, p := range parts {
+				p = strings.TrimSpace(p)
+				if p == "" {
+					continue
+				}
+				namedKeys = append(namedKeys, middleware.NamedAPIKey{
+					Name:  fmt.Sprintf("legacy-key-%d", idx),
+					Key:   p,
+					Admin: false,
+				})
+				idx++
+			}
+			if len(namedKeys) > 0 {
+				logger.Warn("CERTCTL_AUTH_SECRET is deprecated — set CERTCTL_API_KEYS_NAMED for named actor attribution and admin gating",
+					"synthesized_keys", len(namedKeys))
+			}
+		}
+	}
+	authMiddleware := middleware.NewAuthWithNamedKeys(namedKeys)
 	corsMiddleware := middleware.NewCORS(middleware.CORSConfig{
 		AllowedOrigins: cfg.CORS.AllowedOrigins,
 	})
@@ -496,7 +648,7 @@ func main() {
 		bodyLimitMiddleware,
 		corsMiddleware,
 		authMiddleware,
-		auditMiddleware,
+		auditMiddleware.Middleware,
 	}
 
 	// Add rate limiter if enabled
@@ -513,7 +665,7 @@ func main() {
 			rateLimiter,
 			corsMiddleware,
 			authMiddleware,
-			auditMiddleware,
+			auditMiddleware.Middleware,
 		}
 		logger.Info("rate limiting enabled", "rps", cfg.RateLimit.RPS, "burst", cfg.RateLimit.BurstSize)
 	}
@@ -560,6 +712,14 @@ func main() {
 				noAuthHandler.ServeHTTP(w, r)
 				return
 			}
+			// RFC 5280 CRL and RFC 6960 OCSP live under /.well-known/pki/ and
+			// MUST be served unauthenticated — relying parties (browsers,
+			// OpenSSL, OCSP stapling sidecars, mTLS clients) cannot present
+			// certctl Bearer tokens. See router.RegisterPKIHandlers.
+			if len(path) >= 16 && path[:16] == "/.well-known/pki" {
+				noAuthHandler.ServeHTTP(w, r)
+				return
+			}
 			// All other API and EST routes go through the full middleware stack (with auth)
 			if (len(path) >= 8 && path[:8] == "/api/v1/") ||
 				(len(path) >= 16 && path[:16] == "/.well-known/est") {
@@ -576,13 +736,18 @@ func main() {
 		})
 		logger.Info("dashboard available at /", "web_dir", webDir)
 	} else {
-		// No dashboard: route health/auth-info without auth, everything else through full stack
+		// No dashboard: route health/auth-info and /.well-known/pki without
+		// auth, everything else through full stack.
 		finalHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			path := r.URL.Path
 			if path == "/health" || path == "/ready" || path == "/api/v1/auth/info" {
 				noAuthHandler.ServeHTTP(w, r)
 				return
 			}
+			if len(path) >= 16 && path[:16] == "/.well-known/pki" {
+				noAuthHandler.ServeHTTP(w, r)
+				return
+			}
 			apiHandler.ServeHTTP(w, r)
 		})
 		logger.Info("dashboard directory not found, serving API only")
@@ -631,6 +796,17 @@ func main() {
 		logger.Error("HTTP server shutdown error", "error", err)
 	}
 
+	// Drain in-flight audit-recording goroutines before closing the DB pool.
+	// The audit middleware spawns one goroutine per non-excluded request; those
+	// goroutines run detached from the request context and write to the
+	// audit_events table via the same *sql.DB. Without this drain, SIGTERM
+	// would close the DB pool while recordings were mid-flight, silently
+	// dropping audit events (M-1, CWE-662 / CWE-400).
+	logger.Info("flushing audit middleware in-flight recordings")
+	if err := auditMiddleware.Flush(shutdownCtx); err != nil {
+		logger.Warn("audit middleware flush did not complete in time", "error", err)
+	}
+
 	// Close database connection
 	if err := db.Close(); err != nil {
 		logger.Error("error closing database connection", "error", err)
@@ -639,3 +815,23 @@ func main() {
 	logger.Info("certctl server stopped")
 }
 
+// preflightSCEPChallengePassword enforces the H-2 fix: if SCEP is enabled, a
+// non-empty challenge password MUST be configured. Returns a non-nil error
+// otherwise so the caller can refuse to start the control plane (CWE-306,
+// missing authentication for a critical function).
+//
+// This helper is extracted so the check can be unit tested without booting
+// the full server. The caller (main) is responsible for translating the
+// returned error into a structured log line and os.Exit(1).
+func preflightSCEPChallengePassword(enabled bool, challengePassword string) error {
+	if !enabled {
+		return nil
+	}
+	if challengePassword == "" {
+		return fmt.Errorf("SCEP enabled but CERTCTL_SCEP_CHALLENGE_PASSWORD is empty: " +
+			"SCEP enrollment would accept any client (CWE-306); " +
+			"configure a non-empty shared secret or set CERTCTL_SCEP_ENABLED=false")
+	}
+	return nil
+}
+

cmd/server/main_test.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
+	"strings"
 	"testing"
 
 	"github.com/shankar0123/certctl/internal/api/middleware"
@@ -538,3 +539,68 @@ func TestMain_ContextPropagation(t *testing.T) {
 		t.Logf("Context value may not be propagated (status %d), this may be expected", w.Code)
 	}
 }
+
+// TestPreflightSCEPChallengePassword is the H-2 regression guard for the
+// startup pre-flight check. The helper MUST return a non-nil error whenever
+// SCEP is enabled with an empty challenge password — that configuration
+// previously allowed unauthenticated certificate enrollment (CWE-306).
+// Disabled-SCEP and configured-password cases must pass cleanly.
+func TestPreflightSCEPChallengePassword(t *testing.T) {
+	tests := []struct {
+		name              string
+		enabled           bool
+		challengePassword string
+		wantErr           bool
+		wantErrSubstring  string
+	}{
+		{
+			name:              "disabled_empty_password_ok",
+			enabled:           false,
+			challengePassword: "",
+			wantErr:           false,
+		},
+		{
+			name:              "disabled_with_password_ok",
+			enabled:           false,
+			challengePassword: "leftover-value",
+			wantErr:           false,
+		},
+		{
+			name:              "enabled_empty_password_rejected",
+			enabled:           true,
+			challengePassword: "",
+			wantErr:           true,
+			wantErrSubstring:  "CERTCTL_SCEP_CHALLENGE_PASSWORD",
+		},
+		{
+			name:              "enabled_with_password_ok",
+			enabled:           true,
+			challengePassword: "hunter2",
+			wantErr:           false,
+		},
+		{
+			name:              "enabled_single_char_password_ok",
+			enabled:           true,
+			challengePassword: "x",
+			wantErr:           false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := preflightSCEPChallengePassword(tt.enabled, tt.challengePassword)
+			if tt.wantErr {
+				if err == nil {
+					t.Fatalf("expected error, got nil")
+				}
+				if tt.wantErrSubstring != "" && !strings.Contains(err.Error(), tt.wantErrSubstring) {
+					t.Errorf("expected error to mention %q, got: %v", tt.wantErrSubstring, err)
+				}
+				if !strings.Contains(err.Error(), "CWE-306") {
+					t.Errorf("expected error to cite CWE-306 for traceability, got: %v", err)
+				}
+			} else if err != nil {
+				t.Errorf("expected no error, got: %v", err)
+			}
+		})
+	}
+}

deploy/docker-compose.dev.yml

@@ -9,6 +9,16 @@ services:
     build:
       context: ..
       dockerfile: Dockerfile
+      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+      # vars into the Docker build so the Node frontend stage and Go module
+      # download can reach the public registries behind corporate proxies.
+      # Defaults to empty; omit the variables from the host environment for
+      # un-proxied builds and the behaviour is byte-identical to the pre-fix
+      # tree.
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-}
     environment:
       # Verbose logging for development
       CERTCTL_LOG_LEVEL: debug
@@ -29,6 +39,15 @@ services:
     build:
       context: ..
       dockerfile: Dockerfile.agent
+      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+      # vars into the Docker build so the Go module download stage can reach
+      # the public Go module proxy behind corporate proxies. Defaults to
+      # empty; omit the variables from the host environment for un-proxied
+      # builds and the behaviour is byte-identical to the pre-fix tree.
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-}
     environment:
       CERTCTL_LOG_LEVEL: debug
 

deploy/docker-compose.test.yml

@@ -150,6 +150,16 @@ services:
     build:
       context: ..
       dockerfile: Dockerfile
+      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+      # vars into the Docker build so the Node frontend stage and Go module
+      # download can reach the public registries behind corporate proxies.
+      # Defaults to empty; omit the variables from the host environment for
+      # un-proxied builds and the behaviour is byte-identical to the pre-fix
+      # tree.
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-}
     container_name: certctl-test-server
     depends_on:
       postgres:
@@ -266,6 +276,15 @@ services:
     build:
       context: ..
       dockerfile: Dockerfile.agent
+      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+      # vars into the Docker build so the Go module download stage can reach
+      # the public Go module proxy behind corporate proxies. Defaults to
+      # empty; omit the variables from the host environment for un-proxied
+      # builds and the behaviour is byte-identical to the pre-fix tree.
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-}
     container_name: certctl-test-agent
     depends_on:
       certctl-server:

deploy/docker-compose.yml

@@ -36,6 +36,16 @@ services:
     build:
       context: ..
       dockerfile: Dockerfile
+      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+      # vars into the Docker build so the Node frontend stage and Go module
+      # download can reach the public registries behind corporate proxies.
+      # Defaults to empty; omit the variables from the host environment for
+      # un-proxied builds and the behaviour is byte-identical to the pre-fix
+      # tree.
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-}
     container_name: certctl-server
     depends_on:
       postgres:
@@ -75,6 +85,15 @@ services:
     build:
       context: ..
       dockerfile: Dockerfile.agent
+      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+      # vars into the Docker build so the Go module download stage can reach
+      # the public Go module proxy behind corporate proxies. Defaults to
+      # empty; omit the variables from the host environment for un-proxied
+      # builds and the behaviour is byte-identical to the pre-fix tree.
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-}
     container_name: certctl-agent
     depends_on:
       certctl-server:

deploy/helm/CHART_SUMMARY.md

@@ -458,4 +458,4 @@ For issues, questions, or contributions:
 ## License
 
 BSL-1.1 (Business Source License)
-Converts to Apache 2.0 on March 28, 2033
+Converts to Apache 2.0 on March 14, 2033

deploy/test/integration_test.go

@@ -195,16 +195,11 @@ type metricsResponse struct {
 	Uptime  float64                `json:"uptime_seconds"`
 }
 
-// crlResponse for the CRL endpoint.
-type crlResponse struct {
-	Version int `json:"version"`
-	Total   int `json:"total"`
-	Entries []struct {
-		Serial    string `json:"serial_number"`
-		Reason    string `json:"reason"`
-		RevokedAt string `json:"revoked_at"`
-	} `json:"entries"`
-}
+// M-006: The non-standard JSON CRL endpoint (`GET /api/v1/crl`) was removed.
+// RFC 5280 §5 defines only the DER wire format, which is now served
+// unauthenticated at `/.well-known/pki/crl/{issuer_id}` per RFC 8615.
+// The `crlResponse` Go struct that used to decode the JSON envelope is gone;
+// Phase 7 parses the DER bytes directly via `x509.ParseRevocationList`.
 
 // ---------------------------------------------------------------------------
 // PostgreSQL test helper
@@ -728,18 +723,41 @@ func TestIntegrationSuite(t *testing.T) {
 			t.Fatalf("revocation response unexpected: %s", body)
 		}
 
-		// Check CRL
-		t.Run("CRL", func(t *testing.T) {
-			resp, err := c.Get("/api/v1/crl")
+		// Check DER CRL served unauthenticated under /.well-known/pki/ per
+		// RFC 5280 §5 + RFC 8615 (M-006). Use a plain http.Get — no Bearer
+		// token — to prove the endpoint is reachable by relying parties that
+		// have no certctl API credentials.
+		t.Run("CRL_DER_Unauthenticated", func(t *testing.T) {
+			resp, err := http.Get(serverURL + "/.well-known/pki/crl/iss-local")
 			if err != nil {
-				t.Fatalf("GET CRL: %v", err)
+				t.Fatalf("GET DER CRL: %v", err)
 			}
-			var crl crlResponse
-			if err := decodeJSON(resp, &crl); err != nil {
-				t.Fatalf("decode CRL: %v", err)
+			defer resp.Body.Close()
+
+			if resp.StatusCode != http.StatusOK {
+				body, _ := io.ReadAll(resp.Body)
+				t.Fatalf("unexpected status: got %d, want 200 (body=%s)", resp.StatusCode, string(body))
 			}
-			if crl.Total < 1 {
-				t.Fatalf("CRL total: got %d, want >= 1", crl.Total)
+			if ct := resp.Header.Get("Content-Type"); ct != "application/pkix-crl" {
+				t.Errorf("Content-Type: got %q, want %q", ct, "application/pkix-crl")
+			}
+
+			body, err := io.ReadAll(resp.Body)
+			if err != nil {
+				t.Fatalf("read CRL body: %v", err)
+			}
+			if len(body) == 0 {
+				t.Fatal("CRL body empty")
+			}
+
+			// Parse the DER bytes as an X.509 CRL (RFC 5280) and verify the
+			// just-revoked certificate is listed.
+			crl, err := x509.ParseRevocationList(body)
+			if err != nil {
+				t.Fatalf("parse DER CRL: %v", err)
+			}
+			if len(crl.RevokedCertificateEntries) < 1 {
+				t.Fatalf("CRL entries: got %d, want >= 1", len(crl.RevokedCertificateEntries))
 			}
 		})
 

deploy/test/qa_test.go

@@ -26,6 +26,7 @@
 package integration_test
 
 import (
+	"crypto/x509"
 	"database/sql"
 	"encoding/json"
 	"io"
@@ -434,10 +435,19 @@ func TestQA(t *testing.T) {
 	// ===================================================================
 	t.Run("Part03_CertCRUD", func(t *testing.T) {
 		t.Run("Create_Minimal", func(t *testing.T) {
+			// C-001 scope-expansion: the handler's ValidateRequired
+			// contract now gates common_name, owner_id, team_id,
+			// issuer_id, name, and renewal_policy_id. A 3-field
+			// payload would 400 regardless of the id hint, so the
+			// "minimal" variant carries every required field.
 			code, body := c.bodyStr(t, "POST", "/api/v1/certificates", `{
 				"id": "mc-qa-minimal",
+				"name": "qa-minimal",
 				"common_name": "qa-minimal.example.com",
-				"issuer_id": "iss-local"
+				"issuer_id": "iss-local",
+				"owner_id": "o-alice",
+				"team_id": "t-platform",
+				"renewal_policy_id": "rp-standard"
 			}`)
 			if code != 201 && code != 200 {
 				t.Fatalf("create cert: status %d, body: %s", code, body)
@@ -447,11 +457,14 @@ func TestQA(t *testing.T) {
 		t.Run("Create_Full", func(t *testing.T) {
 			code, body := c.bodyStr(t, "POST", "/api/v1/certificates", `{
 				"id": "mc-qa-full",
+				"name": "qa-full",
 				"common_name": "qa-full.example.com",
 				"sans": ["qa-full-alt.example.com"],
 				"issuer_id": "iss-local",
 				"environment": "staging",
-				"owner_id": "o-alice"
+				"owner_id": "o-alice",
+				"team_id": "t-platform",
+				"renewal_policy_id": "rp-standard"
 			}`)
 			if code != 201 && code != 200 {
 				t.Fatalf("create cert: status %d, body: %s", code, body)
@@ -596,13 +609,37 @@ func TestQA(t *testing.T) {
 			}
 		})
 
-		t.Run("CRL_JSON", func(t *testing.T) {
-			code, body := c.bodyStr(t, "GET", "/api/v1/crl", "")
-			if code != 200 {
-				t.Fatalf("CRL = %d", code)
+		// M-006: The non-standard JSON CRL endpoint was removed. RFC 5280 §5
+		// defines only the DER wire format, now served unauthenticated at
+		// `/.well-known/pki/crl/{issuer_id}` per RFC 8615. Use a plain
+		// http.Get — no Bearer — to prove the endpoint is reachable by
+		// relying parties with no API credentials.
+		t.Run("CRL_DER_Unauthenticated", func(t *testing.T) {
+			resp, err := http.Get(qaServerURL + "/.well-known/pki/crl/iss-local")
+			if err != nil {
+				t.Fatalf("GET DER CRL: %v", err)
 			}
-			if !strings.Contains(body, "entries") {
-				t.Fatalf("CRL response missing entries field")
+			defer resp.Body.Close()
+			if resp.StatusCode != 200 {
+				b, _ := io.ReadAll(resp.Body)
+				t.Fatalf("CRL = %d (body=%s)", resp.StatusCode, string(b))
+			}
+			if ct := resp.Header.Get("Content-Type"); ct != "application/pkix-crl" {
+				t.Errorf("Content-Type: got %q, want %q", ct, "application/pkix-crl")
+			}
+			body, err := io.ReadAll(resp.Body)
+			if err != nil {
+				t.Fatalf("read CRL body: %v", err)
+			}
+			if len(body) == 0 {
+				t.Fatal("CRL body empty")
+			}
+			crl, err := x509.ParseRevocationList(body)
+			if err != nil {
+				t.Fatalf("parse DER CRL: %v", err)
+			}
+			if len(crl.RevokedCertificateEntries) < 1 {
+				t.Fatalf("CRL entries: got %d, want >= 1", len(crl.RevokedCertificateEntries))
 			}
 		})
 	})

deploy/test/run-test.sh

@@ -608,13 +608,22 @@ else
   fail "Revocation failed" "$REVOKE_RESP"
 fi
 
-info "Checking CRL..."
-CRL_RESP=$(api_get "/api/v1/crl" 2>/dev/null || echo '{"total":0}')
-CRL_TOTAL=$(echo "$CRL_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('total',0))" 2>/dev/null || echo 0)
-if [ "$CRL_TOTAL" -ge 1 ]; then
-  pass "CRL contains $CRL_TOTAL revoked certificate(s)"
+info "Checking DER CRL under /.well-known/pki (RFC 5280 §5, RFC 8615)..."
+# The JSON CRL endpoint (`GET /api/v1/crl`) was removed in M-006. RFC 5280
+# defines only the DER wire format, now served unauthenticated at
+# `/.well-known/pki/crl/{issuer_id}`. Fetch without the Bearer header to
+# prove the endpoint is reachable by relying parties with no API key.
+CRL_TMP=$(mktemp)
+CRL_HEADERS=$(mktemp)
+CRL_HTTP_CODE=$(curl -s -o "$CRL_TMP" -D "$CRL_HEADERS" -w "%{http_code}" "${API_URL}/.well-known/pki/crl/iss-local" 2>/dev/null || echo "000")
+CRL_SIZE=$(wc -c < "$CRL_TMP" | tr -d ' ')
+CRL_CONTENT_TYPE=$(awk 'tolower($1)=="content-type:" { sub(/\r$/,"",$2); print tolower($2) }' "$CRL_HEADERS" | head -n1)
+rm -f "$CRL_TMP" "$CRL_HEADERS"
+
+if [ "$CRL_HTTP_CODE" = "200" ] && [ "$CRL_CONTENT_TYPE" = "application/pkix-crl" ] && [ "$CRL_SIZE" -gt 0 ]; then
+  pass "DER CRL served unauthenticated (HTTP 200, Content-Type application/pkix-crl, ${CRL_SIZE} bytes)"
 else
-  fail "CRL empty after revocation"
+  fail "DER CRL fetch failed: HTTP=$CRL_HTTP_CODE Content-Type=$CRL_CONTENT_TYPE size=$CRL_SIZE"
 fi
 
 CERT_STATUS=$(api_get "/api/v1/certificates/mc-local-test" | python3 -c "import sys,json; print(json.load(sys.stdin).get('status',''))" 2>/dev/null || echo "unknown")

docs/architecture.md

@@ -463,10 +463,14 @@ sequenceDiagram
     API-->>U: 200 OK
 ```
 
-The revocation is recorded in the `certificate_revocations` table (separate from the certificate status update) for CRL generation. The DER-encoded CRL at `GET /api/v1/crl/{issuer_id}` is generated on-demand by querying this table and signing with the issuing CA's key. The OCSP responder at `GET /api/v1/ocsp/{issuer_id}/{serial}` checks both the certificate status and the revocations table to return signed good/revoked/unknown responses.
+The revocation is recorded in the `certificate_revocations` table (separate from the certificate status update) for CRL generation. The DER-encoded CRL at `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5, RFC 8615) is generated on-demand by querying this table and signing with the issuing CA's key. The OCSP responder at `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960) checks both the certificate status and the revocations table to return signed good/revoked/unknown responses. Both endpoints are served unauthenticated — relying parties (TLS clients, hardware appliances, browsers) must be able to reach them without a certctl API key — and carry the IANA-registered media types `application/pkix-crl` and `application/ocsp-response` respectively.
 
 Short-lived certificates (those with profile TTL < 1 hour) return "good" from OCSP and are excluded from CRL — their rapid expiry is treated as sufficient revocation.
 
+#### Bulk Revocation
+
+For compliance events requiring fleet-wide revocation (key compromise, CA distrust, mass decommission), certctl supports bulk revocation by filter criteria. The `POST /api/v1/certificates/bulk-revoke` endpoint accepts filter parameters (profile_id, owner_id, agent_id, issuer_id) and creates individual revocation jobs for each matching certificate. Bulk revocation reuses the same 7-step single-cert flow for each certificate — no new issuer notification or audit mechanics. The operation is idempotent: revoking an already-revoked certificate is a no-op. Partial failures are tolerated — if one certificate fails to revoke (e.g., issuer unavailable), the operation continues for remaining certs and returns a summary. A single `bulk_revocation_initiated` audit event logs the operation with filter criteria, operator actor, and summary (total requested, succeeded, failed counts). Audit events for individual certificate revocations record the operator identity separately. The GUI bulk revoke button on the certificates list filters by visible selections and displays an affected-cert count modal before confirmation.
+
 ### 4. Automatic Renewal
 
 The control plane runs a scheduler with seven background loops:
@@ -804,6 +808,34 @@ All shell-facing inputs (connector scripts, domain names, ACME tokens) are valid
 
 All incoming HTTP request bodies are capped by `http.MaxBytesReader` middleware (default 1MB, configurable via `CERTCTL_MAX_BODY_SIZE`). Requests exceeding the limit receive a 413 Request Entity Too Large response. The middleware is positioned before authentication in the chain so oversized payloads are rejected early, before any auth processing or database work occurs. Requests without bodies (GET, HEAD, nil body) skip the limit check.
 
+### Config Encryption at Rest
+
+Dynamic issuer and target configurations (rows with `source='database'`) contain credentials — ACME EAB HMACs, Vault tokens, DigiCert/Sectigo API keys, SSH private keys, WinRM passwords, F5 BIG-IP passwords, and similar. These are sealed at rest in PostgreSQL via `internal/crypto/encryption.go` using AES-256-GCM with a key derived from the operator passphrase `CERTCTL_CONFIG_ENCRYPTION_KEY` through PBKDF2-SHA256 (100,000 rounds, 32-byte output).
+
+**v2 wire format (current, M-8 remediation, CWE-916 / CWE-329):**
+
+```
+magic(0x02) || salt(16) || nonce(12) || ciphertext+tag
+```
+
+Every call to `EncryptIfKeySet` draws 16 fresh bytes from `crypto/rand` as the PBKDF2 salt, so the derived AES-256 key is distinct per ciphertext and per re-encryption. The salt is stored alongside the ciphertext; decryption reads the magic byte, splits out the salt, re-derives the key, and verifies the AEAD tag.
+
+**v1 legacy format (read-only):**
+
+```
+nonce(12) || ciphertext+tag
+```
+
+Pre-M-8 blobs were sealed with a package-level fixed salt `"certctl-config-encryption-v1"`. `DecryptIfKeySet` preserves the v1 read path unchanged — a blob whose first byte is not `0x02`, or whose v2 AEAD verification fails (including the 1/256 case where a v1 nonce happens to begin with `0x02`), falls through to a v1 attempt against the legacy fixed salt. v1 blobs are never written by the post-M-8 code path; they re-seal as v2 naturally on the next UPDATE through the normal service CRUD flow. No operator migration ceremony is required.
+
+**Fail-closed behavior (C-2 sentinel, CWE-311):** both `EncryptIfKeySet` and `DecryptIfKeySet` return `ErrEncryptionKeyRequired` when invoked with an empty passphrase. The server refuses to start if any `source='database'` rows already exist without `CERTCTL_CONFIG_ENCRYPTION_KEY` set.
+
+**Low-level primitives preserved byte-identical.** `Encrypt`, `Decrypt`, and `DeriveKey` are kept bit-stable so v1 fixtures on disk remain decryptable unchanged and so callers outside the config-encryption path (none today, but the symbols are exported) do not see a breaking change. The new per-ciphertext salt path is reached via the helper `deriveKeyWithSalt(passphrase, salt)`.
+
+**Passphrase plumbing.** Services (`IssuerService`, `TargetService`, `IssuerRegistry`) hold the operator passphrase as a raw `string` and delegate PBKDF2 to the crypto package per ciphertext. This replaces the pre-M-8 design that pre-derived a single `[]byte` key at service construction and reused it for every row, which was the direct consequence of the fixed-salt KDF.
+
+**Coverage gate.** CI enforces `internal/crypto/...` coverage ≥ 85% (observed 86.7%) — the encryption primitives are a security-critical gate, and the v2 format plus v1 fallback plus C-2 sentinel paths all need exhaustive coverage to avoid silent regressions.
+
 ### CORS
 
 CORS uses a **deny-by-default** posture: when `CERTCTL_CORS_ORIGINS` is empty, no CORS headers are set and only same-origin requests can read responses. Operators must explicitly configure allowed origins. This prevents accidental exposure of the API to cross-origin requests in production.
@@ -846,6 +878,8 @@ The full API is documented in an OpenAPI 3.1 specification at `api/openapi.yaml`
 
 Jobs support additional action endpoints: `POST /api/v1/jobs/{id}/cancel`, `POST /api/v1/jobs/{id}/approve`, `POST /api/v1/jobs/{id}/reject`.
 
+**Bulk Operations:** `POST /api/v1/certificates/bulk-revoke` — Bulk revocation by filter criteria (profile_id, owner_id, agent_id, issuer_id). Creates individual revocation jobs for matching certificates, with partial-failure tolerance and a summary audit event.
+
 **Enhanced Query Features (M20):** Certificate list endpoints support additional query capabilities beyond basic pagination:
 
 - **Sorting**: `?sort=notAfter` (ascending) or `?sort=-createdAt` (descending). Whitelist: notAfter, expiresAt, createdAt, updatedAt, commonName, name, status, environment.
@@ -855,7 +889,7 @@ Jobs support additional action endpoints: `POST /api/v1/jobs/{id}/cancel`, `POST
 - **Additional filters**: `?agent_id=`, `?profile_id=` (in addition to existing status, environment, owner_id, team_id, issuer_id).
 - **Deployments**: `GET /api/v1/certificates/{id}/deployments` returns deployment targets for a certificate.
 
-Certificate revocation: `POST /api/v1/certificates/{id}/revoke` with optional `{"reason": "keyCompromise"}`. Supports RFC 5280 reason codes (unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn). Returns the updated certificate status. Best-effort issuer notification — the revocation succeeds even if the issuer connector is unavailable. A JSON-formatted CRL is available at `GET /api/v1/crl`, and a DER-encoded X.509 CRL signed by the issuing CA at `GET /api/v1/crl/{issuer_id}`. An embedded OCSP responder serves signed responses at `GET /api/v1/ocsp/{issuer_id}/{serial}`. Short-lived certificates (profile TTL < 1 hour) are exempt from CRL/OCSP — expiry is sufficient revocation.
+Certificate revocation: `POST /api/v1/certificates/{id}/revoke` with optional `{"reason": "keyCompromise"}`. Supports RFC 5280 reason codes (unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn). Returns the updated certificate status. Best-effort issuer notification — the revocation succeeds even if the issuer connector is unavailable. The DER-encoded X.509 CRL signed by the issuing CA is served unauthenticated at `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5 + RFC 8615, `Content-Type: application/pkix-crl`). The embedded OCSP responder serves signed responses unauthenticated at `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960, `Content-Type: application/ocsp-response`). Both endpoints are accessible to relying parties with no certctl API credentials, as RFC-compliant PKI consumers expect. Short-lived certificates (profile TTL < 1 hour) are exempt from CRL/OCSP — expiry is sufficient revocation.
 
 Certificate export (M27): `GET /api/v1/certificates/{id}/export/pem` returns PEM-encoded certificate and chain, and `POST /api/v1/certificates/{id}/export/pkcs12` returns a PKCS#12 bundle (binary). Private keys are never exported — they remain on agents. All exports are audited with actor, timestamp, and format.
 
@@ -1063,9 +1097,9 @@ Beyond one-time discovery, certctl continuously monitors TLS endpoints for certi
 
 certctl is extensively tested across eight layers with CI-enforced coverage gates that act as regression floors. The goal is high-confidence regression prevention at the service and handler layers (where the most complex business logic lives), combined with integration tests that exercise the full request path from HTTP to database.
 
-**Service layer unit tests** (`internal/service/*_test.go`) — Mock-based tests across all service files covering certificate CRUD, revocation (all RFC 5280 reason codes, OCSP/CRL generation), agent lifecycle, job state machine, policy evaluation, renewal/issuance flow (both keygen modes), notification deduplication, team/owner/agent group CRUD, issuer service CRUD with connection testing, and the issuer connector adapter. Mock repositories are simple structs with function fields — no heavy mocking frameworks.
+**Service layer unit tests** (`internal/service/*_test.go`) — Mock-based tests across all service files covering certificate CRUD, revocation (all RFC 5280 reason codes, OCSP/CRL generation, bulk revocation by filter with partial-failure tolerance), agent lifecycle, job state machine, policy evaluation, renewal/issuance flow (both keygen modes), notification deduplication, team/owner/agent group CRUD, issuer service CRUD with connection testing, and the issuer connector adapter. Mock repositories are simple structs with function fields — no heavy mocking frameworks.
 
-**Handler layer tests** (`internal/api/handler/*_test.go`) — Every handler file has a corresponding test file using Go's `httptest` package: certificates (including revocation, DER CRL, OCSP), agents, jobs (including approve/reject), notifications, policies, profiles, issuers, targets, agent groups, teams, owners, discovery, network scan, verification, export, EST, digest, stats, and metrics. Tests cover the happy path, input validation, error propagation, method-not-allowed, and pagination.
+**Handler layer tests** (`internal/api/handler/*_test.go`) — Every handler file has a corresponding test file using Go's `httptest` package: certificates (including revocation, bulk revocation by profile/owner/agent/issuer, DER CRL, OCSP), agents, jobs (including approve/reject), notifications, policies, profiles, issuers, targets, agent groups, teams, owners, discovery, network scan, verification, export, EST, digest, stats, and metrics. Tests cover the happy path, input validation, error propagation, method-not-allowed, pagination, and bulk operation partial-failure scenarios.
 
 **Integration tests** (`internal/integration/`) — Three test files exercising the full stack from HTTP request through router, handler, service, and repository layers. `lifecycle_test.go` covers the complete certificate lifecycle (team/owner creation through deployment and status reporting). `negative_test.go` covers error paths, endpoint validation, and revocation scenarios. `e2e_test.go` exercises cross-milestone features end-to-end (agent metadata, profiles, issuer registry, GUI operations, stats, revocation, notifications, enhanced query API).
 

docs/compliance-nist.md

@@ -210,15 +210,17 @@ NIST SP 800-57 Part 1 Section 6.2 addresses secure key distribution to minimize
   - Proxy agent executes deployment via appliance API
 
 **Revocation Distribution**
-- Certificate Revocation List (CRL) via `GET /api/v1/crl/{issuer_id}`
-  - Returns DER-encoded X.509 CRL signed by issuing CA
+- Certificate Revocation List (CRL) via `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5, RFC 8615)
+  - Returns DER-encoded X.509 CRL signed by issuing CA (`Content-Type: application/pkix-crl`)
   - 24-hour validity period
   - Includes all revoked serials, reasons, and revocation timestamps
+  - Served unauthenticated so relying parties without certctl API credentials can fetch it
   - Subject to URL caching; OCSP preferred for real-time revocation
-- OCSP via `GET /api/v1/ocsp/{issuer_id}/{serial}`
-  - Returns DER-encoded OCSP response (OCSPResponse ASN.1 structure)
+- OCSP via `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960)
+  - Returns DER-encoded OCSP response (OCSPResponse ASN.1 structure, `Content-Type: application/ocsp-response`)
   - Signed by issuing CA (or delegated OCSP signing cert)
   - Responds with good/revoked/unknown status
+  - Served unauthenticated — the RFC 6960 relying-party model does not assume API credentials
   - Real-time, more bandwidth-efficient than CRL polling
 
 ## Revocation and Compromise (NIST SP 800-57 Part 3)
@@ -272,13 +274,16 @@ NIST SP 800-57 Part 3 covers revocation (Section 2.5) when keys are suspected co
 - OCSP responder queries revocation table in real-time
 - Short-lived certificate exemption: certs with TTL < 1 hour skip CRL/OCSP (expiry is sufficient revocation)
 
+**Bulk Revocation for Large-Scale Compromise Response** (V2.2) — NIST SP 800-57 Part 3 emphasizes rapid revocation when keys are compromised. `POST /api/v1/certificates/bulk-revoke` revokes all certificates matching filter criteria (profile, owner, agent, issuer) in a single operation. This enables operators to execute fleet-wide revocation for key compromise events affecting multiple certificates. Each bulk revocation creates individual jobs reusing the existing revocation pipeline, ensuring every certificate is recorded in the audit trail with the incident reason.
+
 **Revocation Audit Trail**
 All revocation events logged:
-- Event type: `certificate_revoked`
+- Event type: `certificate_revoked` or `bulk_revocation_initiated` (for fleet operations)
 - Actor: authenticated user or service
-- Reason code: RFC 5280 enum
+- Reason code: RFC 5280 enum (or incident justification for bulk operations)
 - Timestamp: RFC3339
 - Issuer notification status: success or error reason
+- Filter criteria: profile_id, owner_id, agent_id, issuer_id (for bulk revocation)
 
 ## Alignment Summary Table
 
@@ -301,9 +306,11 @@ All revocation events logged:
 - [x] RFC 5280 revocation support
 - [x] Immutable audit trail
 
+### V2.2 (Planned: 2026)
+- Bulk revocation by profile/owner/agent/issuer (fleet-level revocation for incident response)
+
 ### V3 (Planned: 2026)
 - Role-based access control (limit revocation/approval to authorized operators)
-- Bulk revocation by profile/owner/agent (fleet-level revocation policy)
 
 ### V3 Pro (Planned)
 - HSM support for CA key storage and agent key storage (TPM 2.0, PKCS#11)

docs/compliance-pci-dss.md

@@ -92,9 +92,11 @@ Your QSA will request evidence that your certificate and key management systems
 
 - **Certificate Status Tracking** — Four statuses: Active (deployed, not yet expired), Expiring (within threshold, awaiting renewal), Expired (past not-after date), Revoked (revoked via RFC 5280 revocation API). Dashboard charts show status distribution.
 
-- **Revocation Infrastructure** (M15a, M15b):
-  - CRL endpoint: `GET /api/v1/crl` (JSON format) or `GET /api/v1/crl/{issuer_id}` (DER X.509 CRL, 24h validity, signed by issuing CA)
-  - OCSP responder: `GET /api/v1/ocsp/{issuer_id}/{serial}` (returns DER-encoded OCSP response: good/revoked/unknown)
+- **Revocation Infrastructure** (M15a, M15b, M-006):
+  - Revocation API: `POST /api/v1/certificates/{id}/revoke` with RFC 5280 reason codes
+  - CRL endpoint: `GET /.well-known/pki/crl/{issuer_id}` — DER X.509 CRL, 24h validity, signed by issuing CA, served unauthenticated (RFC 5280 §5, RFC 8615, `Content-Type: application/pkix-crl`)
+  - OCSP responder: `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` — DER-encoded OCSP response (good/revoked/unknown), served unauthenticated (RFC 6960, `Content-Type: application/ocsp-response`)
+  - Bulk revocation (V2.2): `POST /api/v1/certificates/bulk-revoke` with filter criteria (profile, owner, agent, issuer) for fleet-wide incident response
   - Short-lived cert exemption: certs with TTL < 1 hour skip CRL/OCSP (expiry is sufficient revocation)
 
 - **Stats API** (M14) — Real-time visibility:
@@ -107,7 +109,7 @@ Your QSA will request evidence that your certificate and key management systems
 - Discovered certificate report: `GET /api/v1/discovered-certificates` JSON export showing all certs on systems, fingerprints, and status.
 - Managed certificate inventory: `GET /api/v1/certificates` with filters (`?status=Expiring` for upcoming renewals).
 - Expiration alert configuration: policy JSON showing `alert_thresholds_days` for each environment.
-- CRL/OCSP availability proof: HTTP GET requests to `/api/v1/crl` and `/api/v1/ocsp/{issuer}/{serial}` with signed responses.
+- CRL/OCSP availability proof: unauthenticated HTTP GET requests to `/.well-known/pki/crl/{issuer_id}` (DER, `application/pkix-crl`) and `/.well-known/pki/ocsp/{issuer_id}/{serial}` (DER, `application/ocsp-response`) with signed responses.
 - Audit trail for certificate creation/renewal/revocation: `GET /api/v1/audit?type=certificate_issued,certificate_renewed,certificate_revoked`.
 - Dashboard charts showing expiration timeline, renewal success trends, status distribution.
 
@@ -326,11 +328,14 @@ This requirement covers key generation, storage, rotation, and destruction. Cert
   - Issuer notified (best-effort; ACME lacks standard revocation, Local CA skips issuer step).
   - Revocation notifications sent to owner via email/webhook/Slack/Teams/PagerDuty.
 
-- **CRL and OCSP Publication** (M15b) — Revoked certificates published in:
-  - CRL: `GET /api/v1/crl` (JSON format) or `GET /api/v1/crl/{issuer_id}` (DER X.509, signed by CA, 24h validity)
-  - OCSP: `GET /api/v1/ocsp/{issuer_id}/{serial}` (returns revoked status for clients validating certificate chain)
+- **CRL and OCSP Publication** (M15b, M-006) — Revoked certificates published in:
+  - CRL: `GET /.well-known/pki/crl/{issuer_id}` (DER X.509 signed by CA, 24h validity, RFC 5280 §5 + RFC 8615, `Content-Type: application/pkix-crl`)
+  - OCSP: `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (returns revoked status for clients validating certificate chain, RFC 6960, `Content-Type: application/ocsp-response`)
+  - Both endpoints are served unauthenticated so relying parties (browsers, TLS appliances) without certctl API keys can verify revocation — this is the RFC-compliant PKI model.
   - Clients checking certificate status via OCSP or CRL see revoked status within 24 hours.
 
+- **Bulk Revocation for Incident Response** (V2.2) — `POST /api/v1/certificates/bulk-revoke` with filter criteria (profile, owner, agent, issuer) revokes all matching certificates in a single operation. PCI-DSS Req 4 requires rapid response to data transmission security incidents — bulk revocation enables operators to revoke an entire certificate set (e.g., all certs used by a compromised team or endpoint) in minutes rather than hours.
+
 - **Private Key Destruction on Agent** — When certificate renewed or revoked:
   - Agent removes old private key file from `CERTCTL_KEY_DIR` when new certificate deployed.
   - Job status tracking confirms old key is no longer needed.
@@ -338,8 +343,8 @@ This requirement covers key generation, storage, rotation, and destruction. Cert
 
 **Evidence You Can Provide**:
 - Revocation requests: `GET /api/v1/audit?type=certificate_revoked` with RFC 5280 reason codes.
-- CRL publication: HTTP GET `/api/v1/crl` and parse JSON to show revoked serial numbers and timestamps.
-- OCSP responder validation: Query `GET /api/v1/ocsp/{issuer}/{serial}` for a known-revoked cert; response includes `revoked` status.
+- CRL publication: HTTP GET `/.well-known/pki/crl/{issuer_id}` (unauthenticated) returns a DER X.509 CRL — parse with `openssl crl -inform der -noout -text` to show revoked serial numbers, reasons, and timestamps.
+- OCSP responder validation: Query `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (unauthenticated) for a known-revoked cert; response includes `revoked` status and can be parsed with `openssl ocsp` tooling.
 - Audit trail: Certificate status transitions (Active → Revoked) recorded in `audit_events`.
 
 **Operator Responsibility**:
@@ -717,12 +722,12 @@ This requirement covers key generation, storage, rotation, and destruction. Cert
 | PCI-DSS Requirement | certctl Feature | API/UI Evidence | Database/Config | Audit Trail | Status |
 |---|---|---|---|---|---|
 | **4.2.1** Strong Crypto | TLS cert issuance, ACME/step-ca/Local CA, RSA 2048+/ECDSA P-256 | `GET /api/v1/certificates` (key_type, key_size) | Certificate profiles | `GET /api/v1/audit?type=certificate_issued` | Available |
-| **4.2.2** Cert Inventory & Validation | Managed cert CRUD, discovery (M18b), expiration alerting, CRL/OCSP | `GET /api/v1/certificates`, `GET /api/v1/discovered-certificates`, `GET /api/v1/crl`, `GET /api/v1/ocsp/{issuer}/{serial}` | `managed_certificates`, `discovered_certificates` tables | `GET /api/v1/audit?type=certificate_*` | Available |
+| **4.2.2** Cert Inventory & Validation | Managed cert CRUD, discovery (M18b), expiration alerting, CRL/OCSP | `GET /api/v1/certificates`, `GET /api/v1/discovered-certificates`, `GET /.well-known/pki/crl/{issuer_id}`, `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (both unauthenticated, RFC 5280 / RFC 6960) | `managed_certificates`, `discovered_certificates` tables | `GET /api/v1/audit?type=certificate_*` | Available |
 | **3.6** Key Documentation | Profiles, owner/team tracking, issuer config, audit trail | `GET /api/v1/profiles`, `GET /api/v1/issuers`, certificate detail with owner/team | Profiles, certificate owner/team fields, issuer config | `GET /api/v1/audit?resource_type=certificate` | Available |
 | **3.7.1** Key Generation | Agent-side ECDSA P-256, server keygen (demo only) | Agent logs, renewal job detail, CSR audit | `CERTCTL_KEYGEN_MODE=agent` (config), job_type=AwaitingCSR | `GET /api/v1/audit?type=certificate_issued` with CSR hash | Available |
 | **3.7.2** Key Storage | Agent `/var/lib/certctl/keys` (0600), env var secrets, .env excluded | Deployment manifest (env var refs), agent key dir listing | `.env` file (git-ignored), `CERTCTL_KEY_DIR`, `CERTCTL_CA_KEY_PATH` | No API audit (keys off-platform) | Available |
 | **3.7.3** Key Rotation | Auto renewal, expiration thresholds, renewal jobs | Dashboard renewal trends, `GET /api/v1/jobs?type=Renewal`, certificate versions | Renewal policies, certificate version history | `GET /api/v1/audit?type=certificate_renewed` | Available |
-| **3.7.4** Key Destruction | Revocation API (RFC 5280), CRL/OCSP, private key cleanup | `POST /api/v1/certificates/{id}/revoke`, `GET /api/v1/crl`, OCSP endpoint | `certificate_revocations` table, CRL publication | `GET /api/v1/audit?type=certificate_revoked` | Available |
+| **3.7.4** Key Destruction | Revocation API (RFC 5280), CRL/OCSP, private key cleanup | `POST /api/v1/certificates/{id}/revoke`, unauthenticated `GET /.well-known/pki/crl/{issuer_id}` and `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` | `certificate_revocations` table, CRL publication | `GET /api/v1/audit?type=certificate_revoked` | Available |
 | **8.3** Strong Authentication | API key (SHA-256 hash, TLS), GUI login, 401 redirect | GUI login screenshot, API key auth header, TLS cert | API key hash in database | `GET /api/v1/audit` showing API calls | Available |
 | **8.6** Acct Management | Credentials out of source, .env excluded, env var config | Code review (no hardcoded secrets), `.gitignore` check | Deployment manifests showing env var refs only | No account lifecycle audit (outside scope) | Available in part |
 | **10.2** Audit Logging | API audit middleware (M19), certificate lifecycle events | `GET /api/v1/audit` with filter/pagination | `audit_events` table (every API call) | Real-time via API | Available |

docs/compliance-soc2.md

@@ -282,12 +282,13 @@ Each section includes:
   - `certificateHold` — temporary revocation (can be "unhold" by reissue)
   - `privilegeWithdrawn` — access rights revoked
   Revocation is **immediate** (no approval workflow). The certificate is marked `Revoked` in inventory, an audit event is logged, and optional issuer notification is best-effort. All revoked certs are excluded from active deployments.
-- **CRL Endpoint** — `GET /api/v1/crl` returns a JSON-formatted Certificate Revocation List (serial, reason, timestamp for each revoked cert). `GET /api/v1/crl/{issuer_id}` returns a DER-encoded X.509 CRL signed by the issuing CA (useful for legacy clients that don't support OCSP).
-- **OCSP Responder** — `GET /api/v1/ocsp/{issuer_id}/{serial}` returns a signed OCSP response indicating whether a cert is good, revoked, or unknown. Clients (browsers, TLS libraries) query this endpoint to verify cert validity in real-time.
+- **CRL Endpoint** — `GET /.well-known/pki/crl/{issuer_id}` returns a DER-encoded X.509 CRL signed by the issuing CA (RFC 5280 §5, RFC 8615, `Content-Type: application/pkix-crl`), served unauthenticated for relying parties that don't hold certctl API credentials.
+- **OCSP Responder** — `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` returns a signed OCSP response indicating whether a cert is good, revoked, or unknown (RFC 6960, `Content-Type: application/ocsp-response`). Also unauthenticated. Clients (browsers, TLS libraries) query this endpoint to verify cert validity in real-time.
 - **Revocation Notifications** — When a cert is revoked, notifications are sent to:
   - Certificate owner (email)
   - Configured webhooks (if you have a SIEM that subscribes)
   - Slack/Teams channels (if notifiers are configured)
+- **Bulk Revocation for Fleet-Wide Incidents** (V2.2) — `POST /api/v1/certificates/bulk-revoke` with filter criteria (profile, owner, agent, issuer) revokes all matching certificates in a single operation. Essential for incident response: key compromise affecting multiple certs, CA distrust events, decommissioning a team's infrastructure. Each bulk revocation creates individual jobs reusing the existing revocation pipeline, ensuring audit trail and notifications for every certificate.
 - **Short-Lived Cert Exemption** — Certificates with TTL < 1 hour (configured in profile) skip CRL/OCSP publication. Expiry is the revocation mechanism for short-lived certs (e.g., Kubernetes pod certs, session tokens).
 - **Deployment Rollback** — If a revoked cert is still deployed (shouldn't happen, but race conditions exist), operators can manually redeploy a previous version via the GUI. Rollback is audited.
 
@@ -302,7 +303,6 @@ Each section includes:
 
 **V3 Enhancement**:
 
-- **Bulk Revocation** — Revoke all certs issued by a specific profile, owner, or agent in a single API call (useful for large-scale incidents like CA compromise)
 - **Revocation Automation** — Trigger revocation based on external events (e.g., employee termination, security breach alert from CT Log monitoring)
 
 **Operator Responsibility**:
@@ -460,8 +460,8 @@ Each section includes:
 | | Notification Routing | Email, Slack, Teams, PagerDuty, OpsGenie | ✅ | ✅ | Configure notifiers, on-call integration |
 | | Deployment Rollback | Redeploy previous cert version via GUI | ✅ | ✅ | Audit rollback decisions |
 | **CC7.3** Incident Response | Revocation API (RFC 5280 reasons) | `POST /api/v1/certificates/{id}/revoke` | ✅ | Enhanced (bulk revocation) | Establish incident response policy |
-| | CRL Endpoint (JSON + DER) | `GET /api/v1/crl`, `GET /api/v1/crl/{issuer_id}` | ✅ | ✅ | Ensure CRL/OCSP accessible to all clients |
-| | OCSP Responder | `GET /api/v1/ocsp/{issuer_id}/{serial}` | ✅ | ✅ | Test revocation in staging |
+| | CRL Endpoint (DER, RFC 5280 §5) | `GET /.well-known/pki/crl/{issuer_id}` (unauthenticated, `application/pkix-crl`) | ✅ | ✅ | Ensure CRL/OCSP accessible to all clients without API keys |
+| | OCSP Responder (RFC 6960) | `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (unauthenticated, `application/ocsp-response`) | ✅ | ✅ | Test revocation in staging |
 | | Revocation Notifications | Email, webhook, Slack/Teams on revocation | ✅ | ✅ | Integrate into on-call, document justification separately |
 | | Short-Lived Cert Exemption | TTL < 1h skip CRL/OCSP | ✅ | ✅ | Configure profiles appropriately |
 | **CC7.4** Risk Mitigation | Renewal Job Tracking | Job state machine (Pending → Running → Completed/Failed) | ✅ | ✅ | Monitor renewal success rate |

docs/concepts.md

@@ -214,9 +214,11 @@ certctl implements revocation using three complementary mechanisms:
 
 **Revocation API**: `POST /api/v1/certificates/{id}/revoke` marks a certificate as revoked in the inventory, records the revocation in a dedicated `certificate_revocations` table, notifies the issuing CA (best-effort — the revocation succeeds even if the CA is unreachable), creates an audit trail entry, and sends notifications. You can specify an RFC 5280 reason code (keyCompromise, superseded, cessationOfOperation, etc.) or let it default to "unspecified."
 
-**Certificate Revocation List (CRL)**: certctl serves both a JSON-formatted CRL at `GET /api/v1/crl` and DER-encoded X.509 CRLs per issuer at `GET /api/v1/crl/{issuer_id}`. The DER CRL is signed by the issuing CA's key and has 24-hour validity — clients can download it periodically to check revocation status offline.
+**Bulk Revocation** (Fleet-Level Incident Response): For large-scale incidents like CA compromise or team infrastructure decommissioning, `POST /api/v1/certificates/bulk-revoke` revokes all certificates matching filter criteria in a single operation. Filter by profile, owner, team, agent group, or issuer to target the affected certificate set. This is essential for incident response — instead of revoking certificates one-by-one, operators can revoke an entire fleet in minutes. Bulk revocation creates individual revocation jobs that reuse the existing revocation pipeline, ensuring every certificate is audited and notifications are sent.
 
-**OCSP Responder**: For real-time revocation checking, certctl includes an embedded OCSP responder at `GET /api/v1/ocsp/{issuer_id}/{serial}`. It returns signed OCSP responses (good, revoked, or unknown) so clients can verify certificate status without downloading the full CRL.
+**Certificate Revocation List (CRL)**: certctl serves DER-encoded X.509 CRLs per issuer at `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5 wire format, RFC 8615 well-known namespace). The endpoint is unauthenticated so any relying party — browser, TLS client, hardware appliance — can fetch it without a certctl API key. The CRL is signed by the issuing CA's key and has 24-hour validity; clients can download it periodically to check revocation status offline. The response carries `Content-Type: application/pkix-crl`.
+
+**OCSP Responder**: For real-time revocation checking, certctl includes an embedded OCSP responder at `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960). Like the CRL endpoint, it is unauthenticated and returns signed OCSP responses (good, revoked, or unknown) with `Content-Type: application/ocsp-response`, so clients can verify certificate status without downloading the full CRL.
 
 Short-lived certificates (those assigned to profiles with TTL under 1 hour) are exempt from CRL and OCSP — their rapid expiry is considered sufficient revocation. This is a deliberate design choice to reduce infrastructure overhead for ephemeral machine-to-machine credentials.
 

docs/connectors.md

@@ -155,7 +155,7 @@ The Local CA issuer signs certificates using Go's `crypto/x509` library. It supp
 
 **Sub-CA mode:** Loads a CA certificate and private key from disk (`CERTCTL_CA_CERT_PATH` + `CERTCTL_CA_KEY_PATH`). The CA cert is signed by an upstream CA (e.g., ADCS), so all issued certificates chain to the enterprise root trust hierarchy. Clients that already trust the enterprise root automatically trust certctl-issued certs. Supports RSA, ECDSA, and PKCS#8 key formats. If the paths are not set, falls back to self-signed mode. The loaded certificate must have `IsCA=true` and `KeyUsageCertSign`.
 
-**CRL and OCSP support (M15b):** The Local CA supports DER-encoded X.509 CRL generation via `GET /api/v1/crl/{issuer_id}` with 24-hour validity. An embedded OCSP responder at `GET /api/v1/ocsp/{issuer_id}/{serial}` returns signed OCSP responses for issued certificates (good/revoked/unknown status). Certificates with profile TTL < 1 hour automatically skip CRL/OCSP — expiry is treated as sufficient revocation for short-lived credentials.
+**CRL and OCSP support (M15b):** The Local CA supports DER-encoded X.509 CRL generation served unauthenticated at `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5, RFC 8615, `Content-Type: application/pkix-crl`) with 24-hour validity. An embedded OCSP responder at `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960, `Content-Type: application/ocsp-response`) returns signed OCSP responses for issued certificates (good/revoked/unknown status). Both endpoints are reachable by relying parties with no certctl API credentials, which is how standard TLS clients, browsers, and hardware appliances consume these resources. Certificates with profile TTL < 1 hour automatically skip CRL/OCSP — expiry is treated as sufficient revocation for short-lived credentials.
 
 **Extended Key Usage (EKU) support (M27):** The Local CA respects EKU constraints from certificate profiles and adjusts key usage flags accordingly. For S/MIME certificates (emailProtection EKU), it uses `DigitalSignature | ContentCommitment` instead of the TLS default. For TLS certificates (serverAuth/clientAuth EKU), it uses `DigitalSignature | KeyEncipherment`. This enables support for multiple certificate types — TLS, S/MIME, code signing, timestamping — from a single CA.
 
@@ -287,7 +287,7 @@ Environment variables:
 
 The connector is registered in the issuer registry under `iss-stepca`. step-ca also works with the existing ACME connector (point `iss-acme-*` at step-ca's ACME directory URL for ACME-based issuance).
 
-**Note:** step-ca-issued certificates rely on step-ca's own CRL/OCSP infrastructure. certctl's local CRL/OCSP endpoints (`GET /api/v1/crl/{issuer_id}` and `GET /api/v1/ocsp/{issuer_id}/{serial}`) are populated from step-ca's revocation data if available, but clients should validate against step-ca's endpoints for the authoritative status.
+**Note:** step-ca-issued certificates rely on step-ca's own CRL/OCSP infrastructure. certctl's local CRL/OCSP endpoints (`GET /.well-known/pki/crl/{issuer_id}` and `GET /.well-known/pki/ocsp/{issuer_id}/{serial}`, served unauthenticated per RFC 5280 §5 / RFC 6960 / RFC 8615) are populated from step-ca's revocation data if available, but clients should validate against step-ca's endpoints for the authoritative status.
 
 **MaxTTL enforcement (M11c):** When a certificate profile defines a maximum TTL, the step-ca connector caps the `NotAfter` field to ensure the issued certificate does not exceed the profile limit, regardless of the step-ca provisioner's own maximum.
 
@@ -465,9 +465,12 @@ GlobalSign Atlas High Volume CA REST API with dual authentication: mTLS for the
 | `CERTCTL_GLOBALSIGN_API_SECRET` | Yes | — | API secret for request authentication |
 | `CERTCTL_GLOBALSIGN_CLIENT_CERT_PATH` | Yes | — | Path to mTLS client certificate PEM |
 | `CERTCTL_GLOBALSIGN_CLIENT_KEY_PATH` | Yes | — | Path to mTLS client private key PEM |
+| `CERTCTL_GLOBALSIGN_SERVER_CA_PATH` | No | system trust store | PEM bundle used to verify the Atlas API server certificate. Set this for private/lab Atlas deployments whose server TLS chain is not in the host's default trust bundle. |
 
 **Authentication:** Dual — mTLS client certificate for TLS handshake plus `X-API-Key` and `X-API-Secret` headers on every request.
 
+**TLS verification:** The connector always verifies the server certificate. When `server_ca_path` is set, the PEM bundle at that path is used as the trust anchor; otherwise the host's system trust store is used. TLS 1.2 is the minimum protocol version.
+
 **Issuance model:** `POST /v2/certificates` returns a serial number. Certificate PEM is available after validation completes. Typically resolves within seconds for DV. `GetOrderStatus` polls the certificate endpoint.
 
 **Note:** CRL and OCSP are managed by GlobalSign. certctl records revocations locally and notifies GlobalSign via `PUT /v2/certificates/{serial}/revoke`.

docs/demo-advanced.md

@@ -724,22 +724,24 @@ curl -s -X POST $API/api/v1/certificates/mc-demo-payments/revoke \
 6. Creates an audit trail entry
 7. Sends revocation notifications via configured channels
 
-Check the CRL (Certificate Revocation List):
+Check the CRL (Certificate Revocation List) — served unauthenticated under the RFC 8615 well-known namespace so relying parties without a certctl API key can still verify revocation (RFC 5280 §5):
 
 ```bash
-# JSON-formatted CRL
-curl -s $API/api/v1/crl | jq .
-
-# DER-encoded X.509 CRL for the local CA (binary — pipe to openssl for inspection)
-curl -s $API/api/v1/crl/iss-local -o /tmp/crl.der
+# DER-encoded X.509 CRL for the local CA (binary — pipe to openssl for inspection).
+# Note: no -H "Authorization: Bearer ..." — the endpoint is deliberately
+# unauthenticated. Content-Type is application/pkix-crl.
+curl -s http://localhost:8443/.well-known/pki/crl/iss-local -o /tmp/crl.der
 openssl crl -inform DER -in /tmp/crl.der -text -noout
 ```
 
-Check OCSP status:
+Check OCSP status (RFC 6960, also unauthenticated, `application/ocsp-response`):
 
 ```bash
-# Replace SERIAL with the actual serial number from the certificate version
-curl -s $API/api/v1/ocsp/iss-local/SERIAL | jq .
+# Replace SERIAL with the actual serial number from the certificate version.
+# The embedded OCSP responder returns a signed DER response — parse it with
+# `openssl ocsp -respin` or similar tooling.
+curl -s http://localhost:8443/.well-known/pki/ocsp/iss-local/SERIAL -o /tmp/ocsp.der
+openssl ocsp -respin /tmp/ocsp.der -noverify -resp_text | head -40
 ```
 
 **Why RFC 5280 reason codes:** The reason code isn't just metadata — it tells clients *why* the certificate was revoked. A `keyCompromise` revocation means the private key was exposed and the certificate should be distrusted immediately. A `superseded` revocation means a newer certificate replaced it — less urgent. CRLs and OCSP responses include the reason code so client software can make informed trust decisions.

docs/features.md

@@ -182,14 +182,61 @@ Configurable per-policy thresholds stored as `alert_thresholds_days` JSONB (defa
 
 Revocation is a 7-step process: validate eligibility → get serial → update status → record in `certificate_revocations` table → notify issuer (best-effort) → audit → send notification.
 
-### CRL Endpoints
+### Bulk Revocation
 
-- `GET /api/v1/crl` — JSON-formatted CRL (version, entries array, total count, timestamp)
-- `GET /api/v1/crl/{issuer_id}` — DER-encoded X.509 CRL signed by issuing CA, 24-hour validity
+`POST /api/v1/certificates/bulk-revoke` revokes multiple certificates matching filter criteria in a single operation.
+
+**Filter criteria** (at least one required):
+
+- `profile_id` — revoke all certs issued with this profile
+- `owner_id` — revoke all certs owned by this owner
+- `agent_id` — revoke all certs deployed to this agent
+- `issuer_id` — revoke all certs from this issuer
+- `team_id` — revoke all certs owned by members of this team
+- `certificate_ids` — array of specific cert IDs to revoke
+
+**Request body** example:
+
+```json
+{
+  "reason": "keyCompromise",
+  "profile_id": "prof-staging",
+  "team_id": "team-platform"
+}
+```
+
+**Response:**
+
+```json
+{
+  "job_id": "job-bulk-rev-123",
+  "criteria": {
+    "reason": "keyCompromise",
+    "profile_id": "prof-staging",
+    "team_id": "team-platform"
+  },
+  "affected_count": 47,
+  "status": "Pending"
+}
+```
+
+**Behavior:**
+
+- Individual revocation jobs created for each matching cert (reuses existing revocation flow)
+- Progress tracked via job system (job status: Pending → Running → Completed)
+- Partial failures tolerated — if 47 certs match but 3 fail, the other 44 still revoke
+- Audit trail: single `bulk_revocation_initiated` event logs the criteria and actor
+- Optional `--reason` defaults to `unspecified` if omitted
+
+### CRL Endpoint
+
+- `GET /.well-known/pki/crl/{issuer_id}` — DER-encoded X.509 CRL signed by the issuing CA, 24-hour validity (RFC 5280 §5 + RFC 8615). Served unauthenticated with `Content-Type: application/pkix-crl` so relying parties without certctl API credentials can fetch it.
+
+Prior non-standard JSON CRL and authenticated `/api/v1/crl*` paths were removed in M-006 — RFC 5280 defines only the DER wire format and relying parties do not have API keys.
 
 ### OCSP Responder
 
-`GET /api/v1/ocsp/{issuer_id}/{serial}` — signed OCSP responses (good/revoked/unknown). Signs with issuing CA key. Requires CA key access (Local CA, step-CA connectors).
+`GET /.well-known/pki/ocsp/{issuer_id}/{serial}` — signed OCSP responses (good/revoked/unknown) per RFC 6960. Served unauthenticated with `Content-Type: application/ocsp-response`. Signs with the issuing CA key; requires CA key access (Local CA, step-CA connectors).
 
 ### Short-Lived Certificate Exemption
 
@@ -1110,7 +1157,7 @@ Same pattern as issuer configuration:
 | Page | Route | Description |
 |---|---|---|
 | Dashboard | `/` | Summary stats, 4 charts (status donut, expiration heatmap, renewal trends, issuance rate) |
-| Certificates | `/certificates` | List with bulk ops (renew, revoke, reassign owner), multi-select |
+| Certificates | `/certificates` | List with bulk ops (renew, revoke by filter criteria, reassign owner), multi-select. Bulk revoke via server-side filter API, not client-side sequential calls. |
 | Certificate Detail | `/certificates/:id` | Versions, deployment timeline, inline policy editor, export buttons |
 | Agents | `/agents` | List with OS/arch metadata |
 | Agent Detail | `/agents/:id` | System info, heartbeat status, capabilities, recent jobs |
@@ -1163,6 +1210,7 @@ Latching state prevents refetch-driven dismissal. `localStorage` dismissal key:
 | `certs get ID` | Certificate details |
 | `certs renew ID` | Trigger renewal |
 | `certs revoke ID` | Revoke (with `--reason`) |
+| `certs bulk-revoke` | Bulk revoke by filter criteria (see below) |
 | `agents list` | List agents |
 | `agents get ID` | Agent details |
 | `jobs list` | List jobs |
@@ -1180,6 +1228,39 @@ Latching state prevents refetch-driven dismissal. `localStorage` dismissal key:
 | `--api-key` | `CERTCTL_API_KEY` | (none) | API key |
 | `--format` | (none) | `table` | Output: `table` or `json` |
 
+### Bulk Revocation Command
+
+`certs bulk-revoke` revokes multiple certificates matching filter criteria.
+
+**Usage:** `certs bulk-revoke [CERT_IDs...] [flags]`
+
+**Flags:**
+
+| Flag | Description |
+|---|---|
+| `--reason` | RFC 5280 revocation reason (`keyCompromise`, `caCompromise`, `affiliationChanged`, `superseded`, `cessationOfOperation`, `certificateHold`, `privilegeWithdrawn`, `unspecified` — default). |
+| `--profile-id` | Revoke all certs with this profile ID |
+| `--owner-id` | Revoke all certs owned by this owner |
+| `--agent-id` | Revoke all certs deployed to this agent |
+| `--issuer-id` | Revoke all certs issued by this issuer |
+| `--team-id` | Revoke all certs owned by members of this team |
+
+**Examples:**
+
+```bash
+# Revoke certs with specific IDs (positional args)
+certctl-cli certs bulk-revoke mc-api-prod mc-web-prod --reason keyCompromise
+
+# Revoke by profile
+certctl-cli certs bulk-revoke --profile-id prof-staging --reason cessationOfOperation
+
+# Revoke by team
+certctl-cli certs bulk-revoke --team-id team-platform --reason superseded
+
+# Revoke by issuer (all certs from one CA)
+certctl-cli certs bulk-revoke --issuer-id iss-letsencrypt --reason caCompromise
+```
+
 ---
 
 ## MCP Server

docs/quickstart.md

@@ -286,9 +286,11 @@ curl -s -X POST http://localhost:8443/api/v1/certificates/$CERT_ID/revoke \
 
 Supported RFC 5280 reason codes: `unspecified`, `keyCompromise`, `caCompromise`, `affiliationChanged`, `superseded`, `cessationOfOperation`, `certificateHold`, `privilegeWithdrawn`.
 
-Confirm via CRL:
+Confirm via the unauthenticated DER CRL (RFC 5280 §5, RFC 8615):
 ```bash
-curl -s http://localhost:8443/api/v1/crl | jq .
+# Fetch the CRL without any API key — relying parties shouldn't need one.
+curl -s http://localhost:8443/.well-known/pki/crl/iss-local -o /tmp/crl.der
+openssl crl -inform der -in /tmp/crl.der -noout -text | head -40
 ```
 
 ### Interactive approval workflow

docs/test-env.md

@@ -512,12 +512,15 @@ curl -s -X POST http://localhost:8443/api/v1/certificates/mc-local-test/revoke \
 
 ### Step 7b: Check the CRL (Certificate Revocation List)
 
+The CRL is a DER-encoded X.509 v2 CRL (RFC 5280 §5) served under the RFC 8615 well-known namespace. It is deliberately unauthenticated — relying parties that need to verify revocation don't have certctl API keys.
+
 ```bash
-curl -s -H "Authorization: Bearer test-key-2026" \
-  http://localhost:8443/api/v1/crl | python3 -m json.tool
+# No Authorization header — the endpoint is public by design.
+curl -s http://localhost:8443/.well-known/pki/crl/iss-local -o /tmp/crl.der
+openssl crl -inform der -in /tmp/crl.der -noout -text | head -40
 ```
 
-**What you should see**: A list that includes the revoked certificate's serial number, the reason, and the timestamp.
+**What you should see**: `openssl` prints the CRL issuer DN, `This Update` / `Next Update` timestamps, and at least one entry whose `Serial Number` matches the cert you just revoked, with `CRL Reason Code: Superseded` (or whichever reason you passed in step 7a). The response's `Content-Type` header is `application/pkix-crl`.
 
 ### Step 7c: Check in the dashboard
 

docs/testing-guide.md

@@ -1297,66 +1297,59 @@ curl -s -H "$AUTH" "$SERVER/api/v1/audit?per_page=5" | jq '[.items[] | select(.a
 
 ### 5.3 CRL & OCSP
 
-**Test 5.3.1 — JSON CRL endpoint**
+> **M-006 note:** The non-standard JSON CRL (`GET /api/v1/crl`) and the authenticated DER CRL (`GET /api/v1/crl/{issuer_id}`) and OCSP (`GET /api/v1/ocsp/{issuer_id}/{serial}`) paths were removed. Revocation-status distribution now lives under the RFC 8615 well-known namespace (`/.well-known/pki/crl/{issuer_id}` and `/.well-known/pki/ocsp/{issuer_id}/{serial}`), served unauthenticated because relying parties (browsers, TLS clients, hardware appliances) do not have certctl API keys.
+
+**Test 5.3.1 — DER CRL endpoint (RFC 5280 §5, unauthenticated)**
 
 ```bash
-curl -s -w "\nHTTP %{http_code}\n" -H "$AUTH" "$SERVER/api/v1/crl" | jq '{total: .total, entries_count: (.entries | length)}'
+curl -s -D - -o /tmp/crl.der "$SERVER/.well-known/pki/crl/iss-local" | grep -i "content-type"
+openssl crl -inform der -in /tmp/crl.der -noout -text | head -40
 ```
 
-**What:** Fetches the JSON-formatted Certificate Revocation List.
-**Why:** CRL is how relying parties check if a certificate has been revoked. The JSON CRL is the machine-readable API view.
-**Expected:** HTTP 200. `total` > 0 (we revoked several certs above). Entries array contains serial numbers.
-**PASS if** HTTP 200 and `total` > 0. **FAIL** if total = 0 or 500.
+**What:** Fetches the DER-encoded X.509 CRL for the local issuer without presenting any API credentials.
+**Why:** Relying parties (browsers, TLS libraries, network appliances) don't have certctl API keys. RFC 5280 §5 defines only the DER wire format, and RFC 8615 defines `.well-known/pki/*` as the relying-party namespace. The Content-Type must be `application/pkix-crl` and `openssl crl -inform der` must parse the body.
+**Expected:** `Content-Type: application/pkix-crl`, `openssl` prints a valid CRL with the revoked serials we created above.
+**PASS if** Content-Type matches and `openssl crl` parses the body. **FAIL** if JSON/HTML, 401/403, or parse error.
 
 ---
 
-**Test 5.3.2 — DER CRL endpoint**
+**Test 5.3.2 — OCSP: good response for non-revoked cert (RFC 6960, unauthenticated)**
 
 ```bash
-curl -s -D - -o /dev/null -H "$AUTH" "$SERVER/api/v1/crl/iss-local" | grep -i "content-type"
+curl -s -w "\nHTTP %{http_code}\n" "$SERVER/.well-known/pki/ocsp/iss-local/mc-api-prod" -o /tmp/ocsp.der
+openssl ocsp -respin /tmp/ocsp.der -noverify -text 2>/dev/null | head -20
 ```
 
-**What:** Fetches the DER-encoded X.509 CRL for the local issuer.
-**Why:** Standard CRL consumers (browsers, TLS libraries) expect DER-encoded CRLs, not JSON. The Content-Type must be correct.
-**Expected:** `Content-Type: application/pkix-crl`
-**PASS if** Content-Type is `application/pkix-crl`. **FAIL** if JSON or other.
+**What:** Queries the OCSP responder for a non-revoked certificate without any Authorization header.
+**Why:** OCSP is the real-time alternative to CRL. RFC 6960 relying parties do not authenticate to the responder, so the endpoint must be public and return `Content-Type: application/ocsp-response`.
+**Expected:** HTTP 200 with OCSP response indicating "good" status when `openssl ocsp -respin` parses the body.
+**PASS if** HTTP 200 and cert status prints "good". **FAIL** if 401/403/500 or "revoked"/"unknown".
 
 ---
 
-**Test 5.3.3 — OCSP: good response for non-revoked cert**
+**Test 5.3.3 — OCSP: revoked response for revoked cert (unauthenticated)**
 
 ```bash
-curl -s -w "\nHTTP %{http_code}\n" -H "$AUTH" "$SERVER/api/v1/ocsp/iss-local/mc-api-prod"
-```
-
-**What:** Queries the OCSP responder for a non-revoked certificate.
-**Why:** OCSP is the real-time alternative to CRL. A "good" response means the cert is valid.
-**Expected:** HTTP 200 with OCSP response indicating "good" status.
-**PASS if** HTTP 200. **FAIL** if 500.
-
----
-
-**Test 5.3.4 — OCSP: revoked response for revoked cert**
-
-```bash
-curl -s -w "\nHTTP %{http_code}\n" -H "$AUTH" "$SERVER/api/v1/ocsp/iss-local/mc-test-full"
+curl -s -w "\nHTTP %{http_code}\n" "$SERVER/.well-known/pki/ocsp/iss-local/mc-test-full" -o /tmp/ocsp.der
+openssl ocsp -respin /tmp/ocsp.der -noverify -text 2>/dev/null | grep -i "cert status"
 ```
 
 **What:** Queries OCSP for a certificate we revoked earlier.
-**Why:** OCSP must return "revoked" status for revoked certs. If it still returns "good," relying parties will trust a compromised certificate.
+**Why:** OCSP must return "revoked" status for revoked certs. If it still returns "good," relying parties will trust a compromised certificate. Endpoint is unauthenticated per RFC 6960.
 **Expected:** HTTP 200 with OCSP response indicating "revoked" status.
-**PASS if** HTTP 200 and response indicates revoked. **FAIL** if response indicates "good".
+**PASS if** HTTP 200 and status prints "revoked". **FAIL** if status is "good".
 
 ---
 
-**Test 5.3.5 — OCSP: unknown serial**
+**Test 5.3.4 — OCSP: unknown serial (unauthenticated)**
 
 ```bash
-curl -s -w "\nHTTP %{http_code}\n" -H "$AUTH" "$SERVER/api/v1/ocsp/iss-local/nonexistent-serial"
+curl -s -w "\nHTTP %{http_code}\n" "$SERVER/.well-known/pki/ocsp/iss-local/nonexistent-serial" -o /tmp/ocsp.der
+openssl ocsp -respin /tmp/ocsp.der -noverify -text 2>/dev/null | grep -i "cert status"
 ```
 
 **What:** Queries OCSP for a serial number the server doesn't recognize.
-**Why:** OCSP must return "unknown" for serials it doesn't manage, not "good" (which would be a false positive).
+**Why:** OCSP must return "unknown" for serials it doesn't manage, not "good" (which would be a false positive). Endpoint is public per RFC 6960.
 **Expected:** HTTP 200 with OCSP "unknown" response, or HTTP 404.
 **PASS if** response is "unknown" or 404. **FAIL** if "good".
 
@@ -2102,9 +2095,10 @@ go test ./internal/connector/issuer/local/ -run "TestSubCA" -v
 **What:** In sub-CA mode, the DER CRL (Part 31.1) should be signed by the sub-CA key, not a self-signed root.
 
 ```bash
-# After starting in sub-CA mode and revoking a cert:
-curl -s -H "Authorization: Bearer $API_KEY" \
-  "http://localhost:8443/api/v1/crl/iss-local" -o /tmp/subca-crl.der
+# After starting in sub-CA mode and revoking a cert. The CRL is
+# published unauthenticated under the RFC 8615 well-known namespace
+# because relying parties don't carry certctl API keys.
+curl -s "http://localhost:8443/.well-known/pki/crl/iss-local" -o /tmp/subca-crl.der
 
 openssl crl -in /tmp/subca-crl.der -inform DER -noout -issuer
 ```
@@ -3706,23 +3700,24 @@ go test ./internal/service/ -run TestCSRRenewal -v
 
 **Why:** TLS clients need to verify that certificates haven't been revoked. Without OCSP/CRL, a compromised certificate remains trusted until it expires. The short-lived exemption avoids bloating the CRL with certs that expire before distribution.
 
-### 24.1: DER-Encoded CRL
+> **M-006 note:** CRL and OCSP are published at `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5, `application/pkix-crl`) and `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960, `application/ocsp-response`). Per RFC 8615, `.well-known/pki/*` is the relying-party namespace, and the endpoints are served **unauthenticated** — browsers, TLS libraries, and network appliances do not have certctl API keys. The legacy `GET /api/v1/crl`, `GET /api/v1/crl/{issuer_id}`, and `GET /api/v1/ocsp/{issuer_id}/{serial}` routes were removed.
 
-**What:** `GET /api/v1/crl/{issuer_id}` returns a DER-encoded X.509 CRL signed by the issuing CA. Content-Type is `application/pkix-crl`. The CRL has 24-hour validity.
+### 24.1: DER-Encoded CRL (unauthenticated)
 
-**Why:** This is the standard CRL format that browsers, TLS libraries, and LDAP directories consume. The existing JSON CRL at `GET /api/v1/crl` is certctl-specific; the DER CRL is interoperable.
+**What:** `GET /.well-known/pki/crl/{issuer_id}` returns a DER-encoded X.509 CRL signed by the issuing CA. Content-Type is `application/pkix-crl`. The CRL has 24-hour validity.
+
+**Why:** This is the RFC 5280 §5 wire format that browsers, TLS libraries, and LDAP directories consume. It must be reachable without any Authorization header so that relying parties — who have no certctl credentials — can fetch it.
 
 ```bash
-# Request DER CRL for the local issuer
-curl -s -D - -H "Authorization: Bearer $API_KEY" \
-  "http://localhost:8443/api/v1/crl/iss-local" \
+# Request DER CRL for the local issuer. No Authorization header.
+curl -s -D - "http://localhost:8443/.well-known/pki/crl/iss-local" \
   -o /tmp/crl.der
 
 # Verify it's valid DER CRL with openssl
 openssl crl -in /tmp/crl.der -inform DER -noout -text
 ```
 
-**Expected:** 200 OK, Content-Type `application/pkix-crl`, Cache-Control `public, max-age=3600`.
+**Expected:** 200 OK, Content-Type `application/pkix-crl`.
 
 **PASS if:**
 - `openssl crl` parses the DER file successfully
@@ -3730,33 +3725,34 @@ openssl crl -in /tmp/crl.der -inform DER -noout -text
 - Validity period is present (thisUpdate / nextUpdate)
 - If any certs have been revoked, they appear in the revocation list with serial + reason
 
-**FAIL if:** Response is JSON (wrong endpoint), `openssl` rejects the DER format, or headers are wrong.
+**FAIL if:** Response is JSON (wrong endpoint), `openssl` rejects the DER format, headers are wrong, or the server returns 401/403 (auth must NOT be required).
 
 ### 24.2: DER CRL — Nonexistent Issuer
 
 ```bash
-curl -s -w "\n%{http_code}" -H "Authorization: Bearer $API_KEY" \
-  "http://localhost:8443/api/v1/crl/iss-nonexistent"
+curl -s -w "\n%{http_code}" \
+  "http://localhost:8443/.well-known/pki/crl/iss-nonexistent"
 ```
 
 **Expected:** 404 Not Found.
 **PASS if** status code is 404 and body contains "not found".
 
-### 24.3: OCSP Responder — Good Status
+### 24.3: OCSP Responder — Good Status (unauthenticated)
 
-**What:** `GET /api/v1/ocsp/{issuer_id}/{serial}` returns a signed OCSP response. For a non-revoked certificate, the status is "good".
+**What:** `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` returns a signed OCSP response. For a non-revoked certificate, the status is "good".
 
-**Why:** OCSP is the real-time revocation check that TLS clients perform during the handshake. A "good" response tells the client the cert is still valid.
+**Why:** OCSP is the real-time RFC 6960 revocation check that TLS clients perform during the handshake. A "good" response tells the client the cert is still valid. Relying parties fetch this without API credentials.
 
 ```bash
-# First, get a certificate's serial number
+# First, get a certificate's serial number (this uses the authenticated API
+# because the operator has an API key — that is different from the relying
+# party fetching the OCSP response).
 SERIAL=$(curl -s -H "Authorization: Bearer $API_KEY" \
   "http://localhost:8443/api/v1/certificates/mc-api-prod" | jq -r '.latest_version.serial_number // empty')
 
-# If serial is available, query OCSP
+# Query OCSP without any Authorization header.
 if [ -n "$SERIAL" ]; then
-  curl -s -D - -H "Authorization: Bearer $API_KEY" \
-    "http://localhost:8443/api/v1/ocsp/iss-local/$SERIAL" \
+  curl -s -D - "http://localhost:8443/.well-known/pki/ocsp/iss-local/$SERIAL" \
     -o /tmp/ocsp.der
 
   # Parse OCSP response
@@ -3771,7 +3767,7 @@ fi
 - Certificate status is "good" for a non-revoked cert
 - Response is signed (producedAt timestamp present)
 
-**FAIL if:** Response is JSON, OCSP status is wrong, or `openssl` rejects the response.
+**FAIL if:** Response is JSON, OCSP status is wrong, `openssl` rejects the response, or the endpoint requires auth.
 
 ### 24.4: OCSP Responder — Revoked Status
 
@@ -3784,9 +3780,8 @@ curl -s -X POST -H "Authorization: Bearer $API_KEY" \
   -d '{"reason": "keyCompromise"}' \
   "http://localhost:8443/api/v1/certificates/$CERT_ID/revoke"
 
-# Then query OCSP
-curl -s -H "Authorization: Bearer $API_KEY" \
-  "http://localhost:8443/api/v1/ocsp/iss-local/$SERIAL" \
+# Then query OCSP — unauthenticated.
+curl -s "http://localhost:8443/.well-known/pki/ocsp/iss-local/$SERIAL" \
   -o /tmp/ocsp-revoked.der
 
 openssl ocsp -respin /tmp/ocsp-revoked.der -text -noverify
@@ -3801,8 +3796,7 @@ openssl ocsp -respin /tmp/ocsp-revoked.der -text -noverify
 **What:** Querying a serial number that doesn't exist in the inventory returns an "unknown" OCSP status (not an error — this is the correct OCSP behavior per RFC 6960).
 
 ```bash
-curl -s -H "Authorization: Bearer $API_KEY" \
-  "http://localhost:8443/api/v1/ocsp/iss-local/DEADBEEF" \
+curl -s "http://localhost:8443/.well-known/pki/ocsp/iss-local/DEADBEEF" \
   -o /tmp/ocsp-unknown.der
 
 openssl ocsp -respin /tmp/ocsp-unknown.der -text -noverify
@@ -3820,9 +3814,8 @@ openssl ocsp -respin /tmp/ocsp-unknown.der -text -noverify
 To test: revoke a cert that was issued under the `prof-short-lived` profile, then check the DER CRL. The revoked short-lived cert should NOT appear.
 
 ```bash
-# After revoking a short-lived cert (serial SHORT_SERIAL):
-curl -s -H "Authorization: Bearer $API_KEY" \
-  "http://localhost:8443/api/v1/crl/iss-local" -o /tmp/crl.der
+# After revoking a short-lived cert (serial SHORT_SERIAL). No auth needed.
+curl -s "http://localhost:8443/.well-known/pki/crl/iss-local" -o /tmp/crl.der
 
 openssl crl -in /tmp/crl.der -inform DER -text | grep -i "$SHORT_SERIAL"
 ```

docs/why-certctl.md

@@ -114,6 +114,6 @@ See the [Quickstart Guide](quickstart.md) for a full walkthrough, or explore the
 
 ## License
 
-certctl is source-available under the [Business Source License 1.1](../LICENSE). Free for any use except offering a competing managed service. Converts to Apache 2.0 on March 1, 2033.
+certctl is source-available under the [Business Source License 1.1](../LICENSE). Free for any use except offering a competing managed service. Converts to Apache 2.0 on March 14, 2033.
 
 You own your data, your keys, and your deployment.

internal/api/handler/adversarial_path_test.go

@@ -27,6 +27,7 @@ package handler
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -120,7 +121,7 @@ func TestGetCertificate_PathInjection(t *testing.T) {
 			handler, mock := newCertHandlerWithMock()
 			// Force a 404 so we can distinguish "service was called" from
 			// "parser accepted the ID"; a 200 with null body is also fine.
-			mock.GetCertificateFn = func(id string) (*domain.ManagedCertificate, error) {
+			mock.GetCertificateFn = func(_ context.Context, id string) (*domain.ManagedCertificate, error) {
 				return nil, ErrMockNotFound
 			}
 
@@ -156,7 +157,7 @@ func TestUpdateCertificate_PathInjection(t *testing.T) {
 			}()
 
 			handler, mock := newCertHandlerWithMock()
-			mock.UpdateCertificateFn = func(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+			mock.UpdateCertificateFn = func(_ context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 				return nil, ErrMockNotFound
 			}
 
@@ -184,7 +185,7 @@ func TestArchiveCertificate_PathInjection(t *testing.T) {
 			}()
 
 			handler, mock := newCertHandlerWithMock()
-			mock.ArchiveCertificateFn = func(id string) error { return ErrMockNotFound }
+			mock.ArchiveCertificateFn = func(_ context.Context, id string) error { return ErrMockNotFound }
 
 			req := httptest.NewRequest(http.MethodDelete, "/api/v1/certificates/x", nil)
 			req.URL.Path = "/api/v1/certificates/" + tc.input
@@ -227,7 +228,7 @@ func TestGetCertificateVersions_MultiSegment(t *testing.T) {
 			}()
 
 			handler, mock := newCertHandlerWithMock()
-			mock.GetCertificateVersionsFn = func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+			mock.GetCertificateVersionsFn = func(_ context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 				return []domain.CertificateVersion{}, 0, nil
 			}
 
@@ -246,26 +247,30 @@ func TestGetCertificateVersions_MultiSegment(t *testing.T) {
 }
 
 // TestHandleOCSP_MultiSegment exercises the OCSP responder's 2-segment path
-// parser (/api/v1/ocsp/{issuer_id}/{serial_hex}). Each leg is attacker-
-// controlled and the serial can be arbitrary length. This is a key adversarial
-// surface because the serial is passed directly to the CA-operations service,
-// which is expected to treat it as an opaque identifier.
+// parser (/.well-known/pki/ocsp/{issuer_id}/{serial_hex}). Each leg is
+// attacker-controlled and the serial can be arbitrary length. This is a key
+// adversarial surface because the serial is passed directly to the
+// CA-operations service, which is expected to treat it as an opaque
+// identifier.
+//
+// M-006 relocation: these paths were previously served at /api/v1/ocsp/*;
+// under RFC 8615 and RFC 6960 they now live under /.well-known/pki/ocsp/*.
 func TestHandleOCSP_MultiSegment(t *testing.T) {
 	cases := []struct {
 		name string
 		path string
 	}{
-		{"missing_serial", "/api/v1/ocsp/iss-local"},
-		{"missing_both", "/api/v1/ocsp/"},
-		{"empty_issuer", "/api/v1/ocsp//01ABCDEF"},
-		{"empty_serial", "/api/v1/ocsp/iss-local/"},
-		{"traversal_issuer", "/api/v1/ocsp/..%2F..%2Fetc/passwd/01"},
-		{"null_byte_serial", "/api/v1/ocsp/iss-local/01\x00FF"},
-		{"sql_injection_serial", "/api/v1/ocsp/iss-local/01'; DROP TABLE--"},
-		{"negative_hex_serial", "/api/v1/ocsp/iss-local/-1"},
-		{"unicode_serial", "/api/v1/ocsp/iss-local/01\u2010FF"},
-		{"extremely_long_serial", "/api/v1/ocsp/iss-local/" + strings.Repeat("F", 10000)},
-		{"extra_segments", "/api/v1/ocsp/iss-local/01FF/extra/segments"},
+		{"missing_serial", "/.well-known/pki/ocsp/iss-local"},
+		{"missing_both", "/.well-known/pki/ocsp/"},
+		{"empty_issuer", "/.well-known/pki/ocsp//01ABCDEF"},
+		{"empty_serial", "/.well-known/pki/ocsp/iss-local/"},
+		{"traversal_issuer", "/.well-known/pki/ocsp/..%2F..%2Fetc/passwd/01"},
+		{"null_byte_serial", "/.well-known/pki/ocsp/iss-local/01\x00FF"},
+		{"sql_injection_serial", "/.well-known/pki/ocsp/iss-local/01'; DROP TABLE--"},
+		{"negative_hex_serial", "/.well-known/pki/ocsp/iss-local/-1"},
+		{"unicode_serial", "/.well-known/pki/ocsp/iss-local/01\u2010FF"},
+		{"extremely_long_serial", "/.well-known/pki/ocsp/iss-local/" + strings.Repeat("F", 10000)},
+		{"extra_segments", "/.well-known/pki/ocsp/iss-local/01FF/extra/segments"},
 	}
 
 	for _, tc := range cases {
@@ -277,7 +282,7 @@ func TestHandleOCSP_MultiSegment(t *testing.T) {
 			}()
 
 			handler, mock := newCertHandlerWithMock()
-			mock.GetOCSPResponseFn = func(issuerID, serialHex string) ([]byte, error) {
+			mock.GetOCSPResponseFn = func(_ context.Context, issuerID, serialHex string) ([]byte, error) {
 				return nil, ErrMockNotFound
 			}
 
@@ -300,7 +305,9 @@ func TestHandleOCSP_MultiSegment(t *testing.T) {
 	}
 }
 
-// TestGetDERCRL_IssuerPathInjection exercises /api/v1/crl/{issuer_id}.
+// TestGetDERCRL_IssuerPathInjection exercises
+// /.well-known/pki/crl/{issuer_id} (RFC 5280 CRL; M-006 relocation from
+// /api/v1/crl/{issuer_id}).
 func TestGetDERCRL_IssuerPathInjection(t *testing.T) {
 	for _, tc := range adversarialPathInputs() {
 		t.Run(tc.name, func(t *testing.T) {
@@ -311,12 +318,12 @@ func TestGetDERCRL_IssuerPathInjection(t *testing.T) {
 			}()
 
 			handler, mock := newCertHandlerWithMock()
-			mock.GenerateDERCRLFn = func(issuerID string) ([]byte, error) {
+			mock.GenerateDERCRLFn = func(_ context.Context, issuerID string) ([]byte, error) {
 				return nil, ErrMockNotFound
 			}
 
-			req := httptest.NewRequest(http.MethodGet, "/api/v1/crl/x", nil)
-			req.URL.Path = "/api/v1/crl/" + tc.input
+			req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/crl/x", nil)
+			req.URL.Path = "/.well-known/pki/crl/" + tc.input
 			req = req.WithContext(contextWithRequestID())
 
 			w := httptest.NewRecorder()

internal/api/handler/adversarial_query_test.go

@@ -19,6 +19,7 @@ package handler
 
 import (
 	"bytes"
+	"context"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@@ -76,7 +77,7 @@ func TestListCertificates_PaginationAbuse(t *testing.T) {
 			}()
 
 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				// Sanity: page/perPage on the filter must never be negative
 				// and perPage must never exceed 500 after parsing.
 				if filter.Page < 1 {
@@ -133,7 +134,7 @@ func TestListCertificates_SortAbuse(t *testing.T) {
 			}()
 
 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				return []domain.ManagedCertificate{}, 0, nil
 			}
 
@@ -175,7 +176,7 @@ func TestListCertificates_FieldsAbuse(t *testing.T) {
 			}()
 
 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				return []domain.ManagedCertificate{}, 0, nil
 			}
 
@@ -219,7 +220,7 @@ func TestListCertificates_TimeRangeAbuse(t *testing.T) {
 			}()
 
 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				return []domain.ManagedCertificate{}, 0, nil
 			}
 
@@ -263,7 +264,7 @@ func TestListCertificates_CursorAbuse(t *testing.T) {
 			}()
 
 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				return []domain.ManagedCertificate{}, 0, nil
 			}
 
@@ -314,7 +315,7 @@ func TestListCertificates_FilterInjection(t *testing.T) {
 				}()
 
 				handler, mock := newCertHandlerWithMock()
-				mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+				mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 					return []domain.ManagedCertificate{}, 0, nil
 				}
 
@@ -374,7 +375,7 @@ func TestCreateCertificate_BodyAbuse(t *testing.T) {
 			}()
 
 			handler, mock := newCertHandlerWithMock()
-			mock.CreateCertificateFn = func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+			mock.CreateCertificateFn = func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 				// If we ever reach this, the handler accepted a malformed
 				// body. Return a sentinel that passes but flag it.
 				c := cert
@@ -419,7 +420,7 @@ func TestCreateCertificate_HugeBody(t *testing.T) {
 	sb.WriteString(`]}`)
 
 	handler, mock := newCertHandlerWithMock()
-	mock.CreateCertificateFn = func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+	mock.CreateCertificateFn = func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 		c := cert
 		c.ID = "mc-huge"
 		return &c, nil
@@ -476,7 +477,7 @@ func TestRevokeCertificate_ReasonAbuse(t *testing.T) {
 			handler, mock := newCertHandlerWithMock()
 			// The mock always returns "invalid revocation reason" so we
 			// verify the handler's errMsg→status mapping turns it into a 400.
-			mock.RevokeCertificateFn = func(id string, reason string) error {
+			mock.RevokeCertificateFn = func(_ context.Context, id string, reason string, _ string) error {
 				// The service uses domain.IsValidRevocationReason. If we got
 				// through to here with something bogus, simulate a real
 				// service error.
@@ -500,7 +501,7 @@ func TestRevokeCertificate_ReasonAbuse(t *testing.T) {
 // service error message, which is fragile — this test catches regressions.
 func TestRevokeCertificate_AlreadyRevoked(t *testing.T) {
 	handler, mock := newCertHandlerWithMock()
-	mock.RevokeCertificateFn = func(id string, reason string) error {
+	mock.RevokeCertificateFn = func(_ context.Context, id string, reason string, _ string) error {
 		return fmt.Errorf("cannot revoke: certificate is already revoked")
 	}
 
@@ -520,7 +521,7 @@ func TestRevokeCertificate_AlreadyRevoked(t *testing.T) {
 // TestRevokeCertificate_NotFound verifies 404 mapping.
 func TestRevokeCertificate_NotFound(t *testing.T) {
 	handler, mock := newCertHandlerWithMock()
-	mock.RevokeCertificateFn = func(id string, reason string) error {
+	mock.RevokeCertificateFn = func(_ context.Context, id string, reason string, _ string) error {
 		return fmt.Errorf("certificate not found")
 	}
 

internal/api/handler/audit.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"context"
 	"net/http"
 	"strconv"
 	"strings"
@@ -11,8 +12,8 @@ import (
 
 // AuditService defines the service interface for audit event operations.
 type AuditService interface {
-	ListAuditEvents(page, perPage int) ([]domain.AuditEvent, int64, error)
-	GetAuditEvent(id string) (*domain.AuditEvent, error)
+	ListAuditEvents(ctx context.Context, page, perPage int) ([]domain.AuditEvent, int64, error)
+	GetAuditEvent(ctx context.Context, id string) (*domain.AuditEvent, error)
 }
 
 // AuditHandler handles HTTP requests for audit event operations.
@@ -49,7 +50,7 @@ func (h AuditHandler) ListAuditEvents(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	events, total, err := h.svc.ListAuditEvents(page, perPage)
+	events, total, err := h.svc.ListAuditEvents(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list audit events", requestID)
 		return
@@ -83,7 +84,7 @@ func (h AuditHandler) GetAuditEvent(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
 
-	event, err := h.svc.GetAuditEvent(id)
+	event, err := h.svc.GetAuditEvent(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Audit event not found", requestID)
 		return

internal/api/handler/audit_handler_test.go

@@ -19,14 +19,14 @@ type mockAuditService struct {
 	getFunc   func(id string) (*domain.AuditEvent, error)
 }
 
-func (m *mockAuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent, int64, error) {
+func (m *mockAuditService) ListAuditEvents(_ context.Context, page, perPage int) ([]domain.AuditEvent, int64, error) {
 	if m.listFunc != nil {
 		return m.listFunc(page, perPage)
 	}
 	return nil, 0, nil
 }
 
-func (m *mockAuditService) GetAuditEvent(id string) (*domain.AuditEvent, error) {
+func (m *mockAuditService) GetAuditEvent(_ context.Context, id string) (*domain.AuditEvent, error) {
 	if m.getFunc != nil {
 		return m.getFunc(id)
 	}

internal/api/handler/bulk_revocation.go

@@ -0,0 +1,106 @@
+package handler
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+
+	"github.com/shankar0123/certctl/internal/api/middleware"
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// BulkRevocationService defines the service interface for bulk certificate revocation.
+type BulkRevocationService interface {
+	BulkRevoke(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error)
+}
+
+// BulkRevocationHandler handles HTTP requests for bulk revocation operations.
+type BulkRevocationHandler struct {
+	svc BulkRevocationService
+}
+
+// NewBulkRevocationHandler creates a new BulkRevocationHandler.
+func NewBulkRevocationHandler(svc BulkRevocationService) BulkRevocationHandler {
+	return BulkRevocationHandler{svc: svc}
+}
+
+// bulkRevokeRequest represents the JSON request body for bulk revocation.
+type bulkRevokeRequest struct {
+	Reason         string   `json:"reason"`
+	ProfileID      string   `json:"profile_id,omitempty"`
+	OwnerID        string   `json:"owner_id,omitempty"`
+	AgentID        string   `json:"agent_id,omitempty"`
+	IssuerID       string   `json:"issuer_id,omitempty"`
+	TeamID         string   `json:"team_id,omitempty"`
+	CertificateIDs []string `json:"certificate_ids,omitempty"`
+}
+
+// BulkRevoke handles bulk certificate revocation.
+// POST /api/v1/certificates/bulk-revoke
+//
+// M-003: admin-only. Bulk revocation is a fleet-scale destructive operation —
+// a non-admin caller must not be able to invalidate certificates across
+// profiles/owners/agents. The gate is enforced here (before body parsing) so a
+// non-admin never sees its request criteria evaluated.
+func (h BulkRevocationHandler) BulkRevoke(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	// M-003: admin-only gate. Non-admin callers are rejected before any
+	// criteria/body processing to avoid leaking validation behavior to
+	// unauthorized actors.
+	if !middleware.IsAdmin(r.Context()) {
+		ErrorWithRequestID(w, http.StatusForbidden,
+			"Bulk revocation requires admin privileges",
+			requestID)
+		return
+	}
+
+	var req bulkRevokeRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID)
+		return
+	}
+
+	// Validate reason is present
+	if req.Reason == "" {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Revocation reason is required", requestID)
+		return
+	}
+
+	// Validate reason is a valid RFC 5280 code
+	if !domain.IsValidRevocationReason(req.Reason) {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid revocation reason: "+req.Reason, requestID)
+		return
+	}
+
+	criteria := domain.BulkRevocationCriteria{
+		ProfileID:      req.ProfileID,
+		OwnerID:        req.OwnerID,
+		AgentID:        req.AgentID,
+		IssuerID:       req.IssuerID,
+		TeamID:         req.TeamID,
+		CertificateIDs: req.CertificateIDs,
+	}
+
+	// Safety guard: at least one criterion required
+	if criteria.IsEmpty() {
+		ErrorWithRequestID(w, http.StatusBadRequest, "At least one filter criterion is required (profile_id, owner_id, agent_id, issuer_id, team_id, or certificate_ids)", requestID)
+		return
+	}
+
+	// Extract actor from auth context (M-002: named-key identity → audit trail)
+	actor := resolveActor(r.Context())
+
+	result, err := h.svc.BulkRevoke(r.Context(), criteria, req.Reason, actor)
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Bulk revocation failed: "+err.Error(), requestID)
+		return
+	}
+
+	JSON(w, http.StatusOK, result)
+}

internal/api/handler/bulk_revocation_handler_test.go

@@ -0,0 +1,289 @@
+package handler
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/api/middleware"
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// mockBulkRevocationService is a test implementation of BulkRevocationService
+type mockBulkRevocationService struct {
+	BulkRevokeFn func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error)
+}
+
+func (m *mockBulkRevocationService) BulkRevoke(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
+	if m.BulkRevokeFn != nil {
+		return m.BulkRevokeFn(ctx, criteria, reason, actor)
+	}
+	return &domain.BulkRevocationResult{}, nil
+}
+
+// adminContext returns a context carrying the admin flag, mimicking what the
+// auth middleware sets for named-key callers whose entry is admin-tagged.
+// M-003: bulk revocation handler requires admin context to reach the service.
+func adminContext() context.Context {
+	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id-bulk")
+	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	return ctx
+}
+
+func TestBulkRevoke_Success_WithIDs(t *testing.T) {
+	svc := &mockBulkRevocationService{
+		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
+			if len(criteria.CertificateIDs) != 2 {
+				t.Errorf("expected 2 IDs, got %d", len(criteria.CertificateIDs))
+			}
+			if reason != "keyCompromise" {
+				t.Errorf("expected reason keyCompromise, got %s", reason)
+			}
+			return &domain.BulkRevocationResult{
+				TotalMatched: 2,
+				TotalRevoked: 2,
+			}, nil
+		},
+	}
+	h := NewBulkRevocationHandler(svc)
+
+	body := `{"reason":"keyCompromise","certificate_ids":["mc-1","mc-2"]}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(adminContext())
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+
+	var result domain.BulkRevocationResult
+	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	if result.TotalMatched != 2 {
+		t.Errorf("expected TotalMatched=2, got %d", result.TotalMatched)
+	}
+	if result.TotalRevoked != 2 {
+		t.Errorf("expected TotalRevoked=2, got %d", result.TotalRevoked)
+	}
+}
+
+func TestBulkRevoke_Success_WithProfile(t *testing.T) {
+	svc := &mockBulkRevocationService{
+		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
+			if criteria.ProfileID != "prof-tls" {
+				t.Errorf("expected profile prof-tls, got %s", criteria.ProfileID)
+			}
+			return &domain.BulkRevocationResult{
+				TotalMatched: 5,
+				TotalRevoked: 4,
+				TotalSkipped: 1,
+			}, nil
+		},
+	}
+	h := NewBulkRevocationHandler(svc)
+
+	body := `{"reason":"keyCompromise","profile_id":"prof-tls"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(adminContext())
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+}
+
+func TestBulkRevoke_MissingReason_400(t *testing.T) {
+	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
+
+	body := `{"certificate_ids":["mc-1"]}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(adminContext())
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestBulkRevoke_EmptyCriteria_400(t *testing.T) {
+	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
+
+	body := `{"reason":"keyCompromise"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(adminContext())
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestBulkRevoke_InvalidReason_400(t *testing.T) {
+	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
+
+	body := `{"reason":"totallyBogus","certificate_ids":["mc-1"]}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(adminContext())
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestBulkRevoke_MethodNotAllowed_405(t *testing.T) {
+	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
+
+	// Method check fires before the admin gate, so 405 must hold even for a
+	// non-admin caller — asserting this keeps the ordering explicit.
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates/bulk-revoke", nil)
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected 405, got %d", w.Code)
+	}
+}
+
+func TestBulkRevoke_ServiceError_500(t *testing.T) {
+	svc := &mockBulkRevocationService{
+		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
+			return nil, fmt.Errorf("database connection failed")
+		},
+	}
+	h := NewBulkRevocationHandler(svc)
+
+	body := `{"reason":"keyCompromise","certificate_ids":["mc-1"]}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(adminContext())
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d", w.Code)
+	}
+}
+
+// --- M-003: admin-only gate on bulk revocation ---
+
+// TestBulkRevoke_NonAdmin_Returns403 is the central authorization regression
+// for M-003. A caller without an admin-tagged context must be rejected with
+// HTTP 403, regardless of how well-formed its body is, and the service layer
+// must never see the request.
+func TestBulkRevoke_NonAdmin_Returns403(t *testing.T) {
+	var serviceCalled bool
+	svc := &mockBulkRevocationService{
+		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
+			serviceCalled = true
+			return &domain.BulkRevocationResult{}, nil
+		},
+	}
+	h := NewBulkRevocationHandler(svc)
+
+	// Well-formed body + well-formed reason + filter — the only thing
+	// missing is an admin-tagged context. The gate must still fire.
+	body := `{"reason":"keyCompromise","certificate_ids":["mc-1","mc-2"]}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(contextWithRequestID()) // request id only, no admin flag
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusForbidden {
+		t.Fatalf("expected status 403, got %d (body=%q)", w.Code, w.Body.String())
+	}
+
+	var resp map[string]any
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	msg, _ := resp["message"].(string)
+	if !strings.Contains(strings.ToLower(msg), "admin") {
+		t.Errorf("expected message to mention admin requirement, got %q", msg)
+	}
+	if serviceCalled {
+		t.Errorf("service was invoked despite non-admin caller — gate failed open")
+	}
+}
+
+// TestBulkRevoke_AdminExplicitFalse_Returns403 pins the specific case where the
+// AdminKey exists but is set to false — e.g., a non-admin named-key caller.
+// Without this we could regress to "key missing == deny, key present == allow"
+// which would silently grant a false flag.
+func TestBulkRevoke_AdminExplicitFalse_Returns403(t *testing.T) {
+	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
+
+	body := `{"reason":"keyCompromise","certificate_ids":["mc-1"]}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
+	ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
+	req = req.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusForbidden {
+		t.Fatalf("expected status 403 for admin=false, got %d", w.Code)
+	}
+}
+
+// TestBulkRevoke_AdminPermitted_ForwardsActor confirms the happy path:
+// an admin-tagged context reaches the service and the actor (from the auth
+// UserKey) is propagated through to BulkRevoke. This keeps the admin gate and
+// the M-002 actor-propagation wired together in a single regression.
+func TestBulkRevoke_AdminPermitted_ForwardsActor(t *testing.T) {
+	var capturedActor string
+	svc := &mockBulkRevocationService{
+		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
+			capturedActor = actor
+			return &domain.BulkRevocationResult{TotalMatched: 1, TotalRevoked: 1}, nil
+		},
+	}
+	h := NewBulkRevocationHandler(svc)
+
+	body := `{"reason":"keyCompromise","certificate_ids":["mc-1"]}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
+	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
+	req = req.WithContext(ctx)
+	w := httptest.NewRecorder()
+
+	h.BulkRevoke(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected status 200 for admin caller, got %d (body=%q)", w.Code, w.Body.String())
+	}
+	if capturedActor != "ops-admin" {
+		t.Errorf("expected actor ops-admin, got %q", capturedActor)
+	}
+}

internal/api/handler/certificate_handler_test.go

@@ -17,116 +17,116 @@ import (
 
 // MockCertificateService is a mock implementation of CertificateService interface.
 type MockCertificateService struct {
-	ListCertificatesFn           func(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
-	ListCertificatesWithFilterFn func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
-	GetCertificateFn             func(id string) (*domain.ManagedCertificate, error)
-	CreateCertificateFn          func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
-	UpdateCertificateFn          func(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
-	ArchiveCertificateFn         func(id string) error
-	GetCertificateVersionsFn     func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
-	TriggerRenewalFn             func(certID string) error
-	TriggerDeploymentFn          func(certID string, targetID string) error
-	RevokeCertificateFn          func(certID string, reason string) error
-	GetRevokedCertificatesFn     func() ([]*domain.CertificateRevocation, error)
-	GenerateDERCRLFn             func(issuerID string) ([]byte, error)
-	GetOCSPResponseFn            func(issuerID string, serialHex string) ([]byte, error)
-	GetCertificateDeploymentsFn  func(certID string) ([]domain.DeploymentTarget, error)
+	ListCertificatesFn           func(ctx context.Context, status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
+	ListCertificatesWithFilterFn func(ctx context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
+	GetCertificateFn             func(ctx context.Context, id string) (*domain.ManagedCertificate, error)
+	CreateCertificateFn          func(ctx context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
+	UpdateCertificateFn          func(ctx context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
+	ArchiveCertificateFn         func(ctx context.Context, id string) error
+	GetCertificateVersionsFn     func(ctx context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
+	TriggerRenewalFn             func(ctx context.Context, certID string, actor string) error
+	TriggerDeploymentFn          func(ctx context.Context, certID string, targetID string, actor string) error
+	RevokeCertificateFn          func(ctx context.Context, certID string, reason string, actor string) error
+	GetRevokedCertificatesFn     func(ctx context.Context) ([]*domain.CertificateRevocation, error)
+	GenerateDERCRLFn             func(ctx context.Context, issuerID string) ([]byte, error)
+	GetOCSPResponseFn            func(ctx context.Context, issuerID string, serialHex string) ([]byte, error)
+	GetCertificateDeploymentsFn  func(ctx context.Context, certID string) ([]domain.DeploymentTarget, error)
 }
 
-func (m *MockCertificateService) ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
+func (m *MockCertificateService) ListCertificates(ctx context.Context, status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
 	if m.ListCertificatesFn != nil {
-		return m.ListCertificatesFn(status, environment, ownerID, teamID, issuerID, page, perPage)
+		return m.ListCertificatesFn(ctx, status, environment, ownerID, teamID, issuerID, page, perPage)
 	}
 	return nil, 0, nil
 }
 
-func (m *MockCertificateService) GetCertificate(id string) (*domain.ManagedCertificate, error) {
+func (m *MockCertificateService) GetCertificate(ctx context.Context, id string) (*domain.ManagedCertificate, error) {
 	if m.GetCertificateFn != nil {
-		return m.GetCertificateFn(id)
+		return m.GetCertificateFn(ctx, id)
 	}
 	return nil, nil
 }
 
-func (m *MockCertificateService) CreateCertificate(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+func (m *MockCertificateService) CreateCertificate(ctx context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 	if m.CreateCertificateFn != nil {
-		return m.CreateCertificateFn(cert)
+		return m.CreateCertificateFn(ctx, cert)
 	}
 	return nil, nil
 }
 
-func (m *MockCertificateService) UpdateCertificate(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+func (m *MockCertificateService) UpdateCertificate(ctx context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 	if m.UpdateCertificateFn != nil {
-		return m.UpdateCertificateFn(id, cert)
+		return m.UpdateCertificateFn(ctx, id, cert)
 	}
 	return nil, nil
 }
 
-func (m *MockCertificateService) ArchiveCertificate(id string) error {
+func (m *MockCertificateService) ArchiveCertificate(ctx context.Context, id string) error {
 	if m.ArchiveCertificateFn != nil {
-		return m.ArchiveCertificateFn(id)
+		return m.ArchiveCertificateFn(ctx, id)
 	}
 	return nil
 }
 
-func (m *MockCertificateService) GetCertificateVersions(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+func (m *MockCertificateService) GetCertificateVersions(ctx context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 	if m.GetCertificateVersionsFn != nil {
-		return m.GetCertificateVersionsFn(certID, page, perPage)
+		return m.GetCertificateVersionsFn(ctx, certID, page, perPage)
 	}
 	return nil, 0, nil
 }
 
-func (m *MockCertificateService) TriggerRenewal(certID string) error {
+func (m *MockCertificateService) TriggerRenewal(ctx context.Context, certID string, actor string) error {
 	if m.TriggerRenewalFn != nil {
-		return m.TriggerRenewalFn(certID)
+		return m.TriggerRenewalFn(ctx, certID, actor)
 	}
 	return nil
 }
 
-func (m *MockCertificateService) TriggerDeployment(certID string, targetID string) error {
+func (m *MockCertificateService) TriggerDeployment(ctx context.Context, certID string, targetID string, actor string) error {
 	if m.TriggerDeploymentFn != nil {
-		return m.TriggerDeploymentFn(certID, targetID)
+		return m.TriggerDeploymentFn(ctx, certID, targetID, actor)
 	}
 	return nil
 }
 
-func (m *MockCertificateService) RevokeCertificate(certID string, reason string) error {
+func (m *MockCertificateService) RevokeCertificate(ctx context.Context, certID string, reason string, actor string) error {
 	if m.RevokeCertificateFn != nil {
-		return m.RevokeCertificateFn(certID, reason)
+		return m.RevokeCertificateFn(ctx, certID, reason, actor)
 	}
 	return nil
 }
 
-func (m *MockCertificateService) GetRevokedCertificates() ([]*domain.CertificateRevocation, error) {
+func (m *MockCertificateService) GetRevokedCertificates(ctx context.Context) ([]*domain.CertificateRevocation, error) {
 	if m.GetRevokedCertificatesFn != nil {
-		return m.GetRevokedCertificatesFn()
+		return m.GetRevokedCertificatesFn(ctx)
 	}
 	return nil, nil
 }
 
-func (m *MockCertificateService) GenerateDERCRL(issuerID string) ([]byte, error) {
+func (m *MockCertificateService) GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error) {
 	if m.GenerateDERCRLFn != nil {
-		return m.GenerateDERCRLFn(issuerID)
+		return m.GenerateDERCRLFn(ctx, issuerID)
 	}
 	return nil, nil
 }
 
-func (m *MockCertificateService) GetOCSPResponse(issuerID string, serialHex string) ([]byte, error) {
+func (m *MockCertificateService) GetOCSPResponse(ctx context.Context, issuerID string, serialHex string) ([]byte, error) {
 	if m.GetOCSPResponseFn != nil {
-		return m.GetOCSPResponseFn(issuerID, serialHex)
+		return m.GetOCSPResponseFn(ctx, issuerID, serialHex)
 	}
 	return nil, nil
 }
 
-func (m *MockCertificateService) ListCertificatesWithFilter(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+func (m *MockCertificateService) ListCertificatesWithFilter(ctx context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 	if m.ListCertificatesWithFilterFn != nil {
-		return m.ListCertificatesWithFilterFn(filter)
+		return m.ListCertificatesWithFilterFn(ctx, filter)
 	}
 	return nil, 0, nil
 }
 
-func (m *MockCertificateService) GetCertificateDeployments(certID string) ([]domain.DeploymentTarget, error) {
+func (m *MockCertificateService) GetCertificateDeployments(ctx context.Context, certID string) ([]domain.DeploymentTarget, error) {
 	if m.GetCertificateDeploymentsFn != nil {
-		return m.GetCertificateDeploymentsFn(certID)
+		return m.GetCertificateDeploymentsFn(ctx, certID)
 	}
 	return nil, nil
 }
@@ -158,7 +158,7 @@ func TestListCertificates_Success(t *testing.T) {
 	}
 
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.Page == 1 && filter.PerPage == 50 {
 				return []domain.ManagedCertificate{cert1, cert2}, 2, nil
 			}
@@ -197,7 +197,7 @@ func TestListCertificates_Success(t *testing.T) {
 // Test ListCertificates - with filters
 func TestListCertificates_WithFilters(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.Status == "Active" && filter.Environment == "prod" {
 				return []domain.ManagedCertificate{}, 0, nil
 			}
@@ -236,7 +236,7 @@ func TestListCertificates_MethodNotAllowed(t *testing.T) {
 // Test ListCertificates - service error
 func TestListCertificates_ServiceError(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			return nil, 0, ErrMockServiceFailed
 		},
 	}
@@ -266,7 +266,7 @@ func TestGetCertificate_Success(t *testing.T) {
 	}
 
 	mock := &MockCertificateService{
-		GetCertificateFn: func(id string) (*domain.ManagedCertificate, error) {
+		GetCertificateFn: func(_ context.Context, id string) (*domain.ManagedCertificate, error) {
 			if id == "mc-prod-001" {
 				return cert, nil
 			}
@@ -298,7 +298,7 @@ func TestGetCertificate_Success(t *testing.T) {
 // Test GetCertificate - not found
 func TestGetCertificate_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetCertificateFn: func(id string) (*domain.ManagedCertificate, error) {
+		GetCertificateFn: func(_ context.Context, id string) (*domain.ManagedCertificate, error) {
 			return nil, ErrMockNotFound
 		},
 	}
@@ -345,7 +345,7 @@ func TestCreateCertificate_Success(t *testing.T) {
 	}
 
 	mock := &MockCertificateService{
-		CreateCertificateFn: func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+		CreateCertificateFn: func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 			return created, nil
 		},
 	}
@@ -403,7 +403,7 @@ func TestCreateCertificate_InvalidBody(t *testing.T) {
 // Test CreateCertificate - service error
 func TestCreateCertificate_ServiceError(t *testing.T) {
 	mock := &MockCertificateService{
-		CreateCertificateFn: func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+		CreateCertificateFn: func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 			return nil, ErrMockServiceFailed
 		},
 	}
@@ -432,6 +432,66 @@ func TestCreateCertificate_ServiceError(t *testing.T) {
 	}
 }
 
+// TestCreateCertificate_MissingRequiredField_Returns400 pins the C-001 handler
+// contract: handler MUST reject a create payload that omits any of the five
+// required fields (name, common_name, owner_id, team_id, issuer_id,
+// renewal_policy_id) with HTTP 400 before the service is invoked. The mock
+// service here would succeed if called; every subtest proving 400 therefore
+// proves the handler guard fires.
+func TestCreateCertificate_MissingRequiredField_Returns400(t *testing.T) {
+	baseBody := map[string]interface{}{
+		"name":              "API Prod",
+		"common_name":       "api.example.com",
+		"owner_id":          "o-alice",
+		"team_id":           "t-platform",
+		"issuer_id":         "iss-local",
+		"renewal_policy_id": "rp-standard",
+	}
+
+	cases := []struct {
+		name         string
+		missingField string
+	}{
+		{"missing name", "name"},
+		{"missing common_name", "common_name"},
+		{"missing owner_id", "owner_id"},
+		{"missing team_id", "team_id"},
+		{"missing issuer_id", "issuer_id"},
+		{"missing renewal_policy_id", "renewal_policy_id"},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			body := make(map[string]interface{}, len(baseBody))
+			for k, v := range baseBody {
+				body[k] = v
+			}
+			delete(body, tc.missingField)
+			bodyBytes, _ := json.Marshal(body)
+
+			mock := &MockCertificateService{
+				CreateCertificateFn: func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+					// Would succeed if handler guard did not fire.
+					cert.ID = "mc-would-be-created"
+					return &cert, nil
+				},
+			}
+			handler := NewCertificateHandler(mock)
+
+			req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates", bytes.NewReader(bodyBytes))
+			req = req.WithContext(contextWithRequestID())
+			req.Header.Set("Content-Type", "application/json")
+			w := httptest.NewRecorder()
+
+			handler.CreateCertificate(w, req)
+
+			if w.Code != http.StatusBadRequest {
+				t.Fatalf("%s: expected 400, got %d — body=%s", tc.name, w.Code, w.Body.String())
+			}
+		})
+	}
+}
+
 // Test UpdateCertificate - success case
 func TestUpdateCertificate_Success(t *testing.T) {
 	updated := &domain.ManagedCertificate{
@@ -445,7 +505,7 @@ func TestUpdateCertificate_Success(t *testing.T) {
 	}
 
 	mock := &MockCertificateService{
-		UpdateCertificateFn: func(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+		UpdateCertificateFn: func(_ context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 			if id == "mc-prod-001" {
 				return updated, nil
 			}
@@ -501,7 +561,7 @@ func TestUpdateCertificate_InvalidBody(t *testing.T) {
 // Test ArchiveCertificate - success case
 func TestArchiveCertificate_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		ArchiveCertificateFn: func(id string) error {
+		ArchiveCertificateFn: func(_ context.Context, id string) error {
 			if id == "mc-prod-001" {
 				return nil
 			}
@@ -524,7 +584,7 @@ func TestArchiveCertificate_Success(t *testing.T) {
 // Test ArchiveCertificate - not found
 func TestArchiveCertificate_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		ArchiveCertificateFn: func(id string) error {
+		ArchiveCertificateFn: func(_ context.Context, id string) error {
 			return ErrMockNotFound
 		},
 	}
@@ -554,7 +614,7 @@ func TestGetCertificateVersions_Success(t *testing.T) {
 	}
 
 	mock := &MockCertificateService{
-		GetCertificateVersionsFn: func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+		GetCertificateVersionsFn: func(_ context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 			if certID == "mc-prod-001" {
 				return []domain.CertificateVersion{ver1}, 1, nil
 			}
@@ -586,7 +646,7 @@ func TestGetCertificateVersions_Success(t *testing.T) {
 // Test GetCertificateVersions - not found
 func TestGetCertificateVersions_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetCertificateVersionsFn: func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+		GetCertificateVersionsFn: func(_ context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 			return nil, 0, ErrMockNotFound
 		},
 	}
@@ -606,7 +666,7 @@ func TestGetCertificateVersions_NotFound(t *testing.T) {
 // Test TriggerRenewal - success case
 func TestTriggerRenewal_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		TriggerRenewalFn: func(certID string) error {
+		TriggerRenewalFn: func(_ context.Context, certID string, _ string) error {
 			if certID == "mc-prod-001" {
 				return nil
 			}
@@ -638,7 +698,7 @@ func TestTriggerRenewal_Success(t *testing.T) {
 // Test TriggerRenewal - service error
 func TestTriggerRenewal_ServiceError(t *testing.T) {
 	mock := &MockCertificateService{
-		TriggerRenewalFn: func(certID string) error {
+		TriggerRenewalFn: func(_ context.Context, certID string, _ string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -658,7 +718,7 @@ func TestTriggerRenewal_ServiceError(t *testing.T) {
 // Test TriggerDeployment - success case
 func TestTriggerDeployment_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		TriggerDeploymentFn: func(certID string, targetID string) error {
+		TriggerDeploymentFn: func(_ context.Context, certID string, targetID string, _ string) error {
 			if certID == "mc-prod-001" {
 				return nil
 			}
@@ -695,7 +755,7 @@ func TestTriggerDeployment_Success(t *testing.T) {
 // Test TriggerDeployment - without target ID
 func TestTriggerDeployment_NoTargetID(t *testing.T) {
 	mock := &MockCertificateService{
-		TriggerDeploymentFn: func(certID string, targetID string) error {
+		TriggerDeploymentFn: func(_ context.Context, certID string, targetID string, _ string) error {
 			// Should accept empty targetID (deploy to all)
 			return nil
 		},
@@ -716,7 +776,7 @@ func TestTriggerDeployment_NoTargetID(t *testing.T) {
 // Test ListCertificates - invalid page parameter
 func TestListCertificates_InvalidPageParam(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			// Should default to page 1
 			if filter.Page == 1 {
 				return []domain.ManagedCertificate{}, 0, nil
@@ -740,7 +800,7 @@ func TestListCertificates_InvalidPageParam(t *testing.T) {
 // Test ListCertificates - per_page exceeds max
 func TestListCertificates_PerPageExceedsMax(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			// Should cap perPage at 500
 			if filter.PerPage == 50 { // defaults to 50 if > 500
 				return []domain.ManagedCertificate{}, 0, nil
@@ -765,7 +825,7 @@ func TestListCertificates_PerPageExceedsMax(t *testing.T) {
 
 func TestRevokeCertificate_Handler_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			if certID != "mc-prod-001" {
 				t.Errorf("expected certID mc-prod-001, got %s", certID)
 			}
@@ -798,7 +858,7 @@ func TestRevokeCertificate_Handler_Success(t *testing.T) {
 
 func TestRevokeCertificate_Handler_NoBody(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			// Empty reason is OK — service defaults to "unspecified"
 			return nil
 		},
@@ -818,7 +878,7 @@ func TestRevokeCertificate_Handler_NoBody(t *testing.T) {
 
 func TestRevokeCertificate_Handler_AlreadyRevoked(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("certificate is already revoked")
 		},
 	}
@@ -839,7 +899,7 @@ func TestRevokeCertificate_Handler_AlreadyRevoked(t *testing.T) {
 
 func TestRevokeCertificate_Handler_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("failed to fetch certificate: not found")
 		},
 	}
@@ -858,7 +918,7 @@ func TestRevokeCertificate_Handler_NotFound(t *testing.T) {
 
 func TestRevokeCertificate_Handler_InvalidReason(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("invalid revocation reason: badReason")
 		},
 	}
@@ -922,7 +982,7 @@ func TestRevokeCertificate_Handler_EmptyID(t *testing.T) {
 
 func TestRevokeCertificate_Handler_CannotRevokeArchived(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("cannot revoke archived certificate")
 		},
 	}
@@ -941,7 +1001,7 @@ func TestRevokeCertificate_Handler_CannotRevokeArchived(t *testing.T) {
 
 func TestRevokeCertificate_Handler_ServerError(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("database connection lost")
 		},
 	}
@@ -958,132 +1018,18 @@ func TestRevokeCertificate_Handler_ServerError(t *testing.T) {
 	}
 }
 
-// === CRL Handler Tests ===
-
-func TestGetCRL_Success(t *testing.T) {
-	mock := &MockCertificateService{
-		GetRevokedCertificatesFn: func() ([]*domain.CertificateRevocation, error) {
-			return []*domain.CertificateRevocation{
-				{
-					ID:            "rev-1",
-					CertificateID: "cert-1",
-					SerialNumber:  "ABC123",
-					Reason:        "keyCompromise",
-					RevokedAt:     time.Date(2026, 3, 20, 10, 0, 0, 0, time.UTC),
-				},
-				{
-					ID:            "rev-2",
-					CertificateID: "cert-2",
-					SerialNumber:  "DEF456",
-					Reason:        "superseded",
-					RevokedAt:     time.Date(2026, 3, 21, 14, 30, 0, 0, time.UTC),
-				},
-			}, nil
-		},
-	}
-
-	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl", nil)
-	req = req.WithContext(contextWithRequestID())
-	w := httptest.NewRecorder()
-
-	handler.GetCRL(w, req)
-
-	if w.Code != http.StatusOK {
-		t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)
-	}
-
-	var resp map[string]interface{}
-	json.NewDecoder(w.Body).Decode(&resp)
-
-	if resp["version"] != float64(1) {
-		t.Errorf("expected version 1, got %v", resp["version"])
-	}
-	if resp["total"] != float64(2) {
-		t.Errorf("expected total 2, got %v", resp["total"])
-	}
-
-	entries, ok := resp["entries"].([]interface{})
-	if !ok {
-		t.Fatal("expected entries to be an array")
-	}
-	if len(entries) != 2 {
-		t.Errorf("expected 2 entries, got %d", len(entries))
-	}
-
-	entry1 := entries[0].(map[string]interface{})
-	if entry1["serial_number"] != "ABC123" {
-		t.Errorf("expected serial ABC123, got %v", entry1["serial_number"])
-	}
-	if entry1["revocation_reason"] != "keyCompromise" {
-		t.Errorf("expected reason keyCompromise, got %v", entry1["revocation_reason"])
-	}
-}
-
-func TestGetCRL_Empty(t *testing.T) {
-	mock := &MockCertificateService{
-		GetRevokedCertificatesFn: func() ([]*domain.CertificateRevocation, error) {
-			return nil, nil
-		},
-	}
-
-	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl", nil)
-	req = req.WithContext(contextWithRequestID())
-	w := httptest.NewRecorder()
-
-	handler.GetCRL(w, req)
-
-	if w.Code != http.StatusOK {
-		t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)
-	}
-
-	var resp map[string]interface{}
-	json.NewDecoder(w.Body).Decode(&resp)
-	if resp["total"] != float64(0) {
-		t.Errorf("expected total 0, got %v", resp["total"])
-	}
-}
-
-func TestGetCRL_ServiceError(t *testing.T) {
-	mock := &MockCertificateService{
-		GetRevokedCertificatesFn: func() ([]*domain.CertificateRevocation, error) {
-			return nil, fmt.Errorf("revocation repository not configured")
-		},
-	}
-
-	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl", nil)
-	req = req.WithContext(contextWithRequestID())
-	w := httptest.NewRecorder()
-
-	handler.GetCRL(w, req)
-
-	if w.Code != http.StatusInternalServerError {
-		t.Errorf("expected status %d, got %d", http.StatusInternalServerError, w.Code)
-	}
-}
-
-func TestGetCRL_MethodNotAllowed(t *testing.T) {
-	mock := &MockCertificateService{}
-	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodPost, "/api/v1/crl", nil)
-	req = req.WithContext(contextWithRequestID())
-	w := httptest.NewRecorder()
-
-	handler.GetCRL(w, req)
-
-	if w.Code != http.StatusMethodNotAllowed {
-		t.Errorf("expected status %d, got %d", http.StatusMethodNotAllowed, w.Code)
-	}
-}
-
-// M15b: DER CRL and OCSP Handler Tests
+// === CRL and OCSP Handler Tests (RFC 5280 / RFC 6960, served under /.well-known/pki/) ===
+//
+// M-006 relocated these endpoints from /api/v1/crl* and /api/v1/ocsp/* to the
+// RFC-compliant /.well-known/pki/ namespace and deleted the non-standard JSON
+// CRL endpoint. The DER-encoded X.509 CRL (application/pkix-crl) and the
+// DER-encoded OCSP response (application/ocsp-response) are the only wire
+// formats certctl supports for revocation data.
 
 func TestGetDERCRL_Success(t *testing.T) {
 	derCRLData := []byte{0x30, 0x82, 0x01, 0x00} // Mock DER CRL bytes
 	mock := &MockCertificateService{
-		GenerateDERCRLFn: func(issuerID string) ([]byte, error) {
+		GenerateDERCRLFn: func(_ context.Context, issuerID string) ([]byte, error) {
 			if issuerID == "iss-local" {
 				return derCRLData, nil
 			}
@@ -1092,7 +1038,7 @@ func TestGetDERCRL_Success(t *testing.T) {
 	}
 
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl/iss-local", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/crl/iss-local", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 
@@ -1107,17 +1053,20 @@ func TestGetDERCRL_Success(t *testing.T) {
 	if len(responseBody) == 0 {
 		t.Error("expected non-empty response body")
 	}
+	if ct := w.Header().Get("Content-Type"); ct != "application/pkix-crl" {
+		t.Errorf("expected Content-Type application/pkix-crl, got %q", ct)
+	}
 }
 
 func TestGetDERCRL_IssuerNotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GenerateDERCRLFn: func(issuerID string) ([]byte, error) {
+		GenerateDERCRLFn: func(_ context.Context, issuerID string) ([]byte, error) {
 			return nil, fmt.Errorf("issuer not found")
 		},
 	}
 
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl/nonexistent", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/crl/nonexistent", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 
@@ -1130,13 +1079,13 @@ func TestGetDERCRL_IssuerNotFound(t *testing.T) {
 
 func TestGetDERCRL_NotSupported(t *testing.T) {
 	mock := &MockCertificateService{
-		GenerateDERCRLFn: func(issuerID string) ([]byte, error) {
+		GenerateDERCRLFn: func(_ context.Context, issuerID string) ([]byte, error) {
 			return nil, fmt.Errorf("issuer does not support CRL generation")
 		},
 	}
 
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl/iss-acme", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/crl/iss-acme", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 
@@ -1151,7 +1100,7 @@ func TestGetDERCRL_NotSupported(t *testing.T) {
 func TestGetDERCRL_MethodNotAllowed(t *testing.T) {
 	mock := &MockCertificateService{}
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodPost, "/api/v1/crl/iss-local", nil)
+	req := httptest.NewRequest(http.MethodPost, "/.well-known/pki/crl/iss-local", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 
@@ -1165,7 +1114,7 @@ func TestGetDERCRL_MethodNotAllowed(t *testing.T) {
 func TestHandleOCSP_Success(t *testing.T) {
 	ocspResponseBytes := []byte{0x30, 0x82, 0x02, 0x00} // Mock OCSP response
 	mock := &MockCertificateService{
-		GetOCSPResponseFn: func(issuerID string, serialHex string) ([]byte, error) {
+		GetOCSPResponseFn: func(_ context.Context, issuerID string, serialHex string) ([]byte, error) {
 			if issuerID == "iss-local" && serialHex == "12345" {
 				return ocspResponseBytes, nil
 			}
@@ -1174,7 +1123,7 @@ func TestHandleOCSP_Success(t *testing.T) {
 	}
 
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/ocsp/iss-local/12345", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/ocsp/iss-local/12345", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 
@@ -1188,12 +1137,15 @@ func TestHandleOCSP_Success(t *testing.T) {
 	if len(responseBody) == 0 {
 		t.Error("expected non-empty OCSP response body")
 	}
+	if ct := w.Header().Get("Content-Type"); ct != "application/ocsp-response" {
+		t.Errorf("expected Content-Type application/ocsp-response, got %q", ct)
+	}
 }
 
 func TestHandleOCSP_MissingSerial(t *testing.T) {
 	mock := &MockCertificateService{}
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/ocsp/iss-local/", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/ocsp/iss-local/", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 
@@ -1206,13 +1158,13 @@ func TestHandleOCSP_MissingSerial(t *testing.T) {
 
 func TestHandleOCSP_IssuerNotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetOCSPResponseFn: func(issuerID string, serialHex string) ([]byte, error) {
+		GetOCSPResponseFn: func(_ context.Context, issuerID string, serialHex string) ([]byte, error) {
 			return nil, fmt.Errorf("issuer not found")
 		},
 	}
 
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/ocsp/nonexistent/ABC123", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/ocsp/nonexistent/ABC123", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 
@@ -1225,13 +1177,13 @@ func TestHandleOCSP_IssuerNotFound(t *testing.T) {
 
 func TestHandleOCSP_CertNotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetOCSPResponseFn: func(issuerID string, serialHex string) ([]byte, error) {
+		GetOCSPResponseFn: func(_ context.Context, issuerID string, serialHex string) ([]byte, error) {
 			return nil, fmt.Errorf("certificate not found")
 		},
 	}
 
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/ocsp/iss-local/UNKNOWN", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/ocsp/iss-local/UNKNOWN", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 
@@ -1245,7 +1197,7 @@ func TestHandleOCSP_CertNotFound(t *testing.T) {
 func TestHandleOCSP_MethodNotAllowed(t *testing.T) {
 	mock := &MockCertificateService{}
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodPost, "/api/v1/ocsp/iss-local/12345", nil)
+	req := httptest.NewRequest(http.MethodPost, "/.well-known/pki/ocsp/iss-local/12345", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 
@@ -1261,7 +1213,7 @@ func TestHandleOCSP_MethodNotAllowed(t *testing.T) {
 // TestListCertificates_SortParam tests sort parameter parsing and passing to service.
 func TestListCertificates_SortParam(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			// Handler strips the '-' prefix and sets SortDesc = true
 			if filter.Sort != "notAfter" || !filter.SortDesc {
 				t.Errorf("expected sort=notAfter desc=true, got sort=%s desc=%v", filter.Sort, filter.SortDesc)
@@ -1284,7 +1236,7 @@ func TestListCertificates_SortParam(t *testing.T) {
 // TestListCertificates_SortParam_Ascending tests sort parameter without '-' prefix (ascending).
 func TestListCertificates_SortParam_Ascending(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.Sort != "createdAt" || filter.SortDesc {
 				t.Errorf("expected sort=createdAt desc=false, got sort=%s desc=%v", filter.Sort, filter.SortDesc)
 			}
@@ -1309,7 +1261,7 @@ func TestListCertificates_TimeRangeFilters(t *testing.T) {
 	after := time.Now().AddDate(0, 0, -90)
 
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.ExpiresBefore == nil {
 				t.Error("expected ExpiresBefore to be set")
 			}
@@ -1339,7 +1291,7 @@ func TestListCertificates_CreatedAfterFilter(t *testing.T) {
 	past := time.Now().AddDate(-1, 0, 0)
 
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.CreatedAfter == nil {
 				t.Error("expected CreatedAfter to be set")
 			}
@@ -1369,7 +1321,7 @@ func TestListCertificates_CursorPagination(t *testing.T) {
 	}
 
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			return []domain.ManagedCertificate{cert}, 1, nil
 		},
 	}
@@ -1409,7 +1361,7 @@ func TestListCertificates_SparseFields(t *testing.T) {
 	}
 
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if len(filter.Fields) != 2 {
 				t.Errorf("expected 2 fields, got %d", len(filter.Fields))
 			}
@@ -1456,7 +1408,7 @@ func TestListCertificates_SparseFields(t *testing.T) {
 // TestListCertificates_ProfileFilter tests profile_id filter.
 func TestListCertificates_ProfileFilter(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.ProfileID != "prof-standard" {
 				t.Errorf("expected ProfileID=prof-standard, got %s", filter.ProfileID)
 			}
@@ -1479,7 +1431,7 @@ func TestListCertificates_ProfileFilter(t *testing.T) {
 // TestListCertificates_AgentIDFilter tests agent_id filter.
 func TestListCertificates_AgentIDFilter(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.AgentID != "agent-prod-001" {
 				t.Errorf("expected AgentID=agent-prod-001, got %s", filter.AgentID)
 			}
@@ -1502,7 +1454,7 @@ func TestListCertificates_AgentIDFilter(t *testing.T) {
 // TestListCertificates_CombinedFilters tests multiple filters together.
 func TestListCertificates_CombinedFilters(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.Status != "Active" || filter.Environment != "production" || filter.ProfileID != "prof-standard" {
 				t.Error("expected all filters to be set")
 			}
@@ -1540,7 +1492,7 @@ func TestGetCertificateDeployments_Success(t *testing.T) {
 	}
 
 	mock := &MockCertificateService{
-		GetCertificateDeploymentsFn: func(certID string) ([]domain.DeploymentTarget, error) {
+		GetCertificateDeploymentsFn: func(_ context.Context, certID string) ([]domain.DeploymentTarget, error) {
 			if certID != "mc-prod-001" {
 				return nil, ErrMockNotFound
 			}
@@ -1576,7 +1528,7 @@ func TestGetCertificateDeployments_Success(t *testing.T) {
 // TestGetCertificateDeployments_NotFound tests 404 for nonexistent certificate.
 func TestGetCertificateDeployments_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetCertificateDeploymentsFn: func(certID string) ([]domain.DeploymentTarget, error) {
+		GetCertificateDeploymentsFn: func(_ context.Context, certID string) ([]domain.DeploymentTarget, error) {
 			return nil, fmt.Errorf("certificate not found")
 		},
 	}
@@ -1596,7 +1548,7 @@ func TestGetCertificateDeployments_NotFound(t *testing.T) {
 // TestGetCertificateDeployments_Empty tests successful response with no deployments.
 func TestGetCertificateDeployments_Empty(t *testing.T) {
 	mock := &MockCertificateService{
-		GetCertificateDeploymentsFn: func(certID string) ([]domain.DeploymentTarget, error) {
+		GetCertificateDeploymentsFn: func(_ context.Context, certID string) ([]domain.DeploymentTarget, error) {
 			if certID == "mc-no-deployments" {
 				return []domain.DeploymentTarget{}, nil
 			}

internal/api/handler/certificates.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"context"
 	"encoding/json"
 	"log/slog"
 	"net/http"
@@ -15,20 +16,20 @@ import (
 
 // CertificateService defines the service interface for certificate operations.
 type CertificateService interface {
-	ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
-	ListCertificatesWithFilter(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
-	GetCertificate(id string) (*domain.ManagedCertificate, error)
-	CreateCertificate(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
-	UpdateCertificate(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
-	ArchiveCertificate(id string) error
-	GetCertificateVersions(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
-	TriggerRenewal(certID string) error
-	TriggerDeployment(certID string, targetID string) error
-	RevokeCertificate(certID string, reason string) error
-	GetRevokedCertificates() ([]*domain.CertificateRevocation, error)
-	GenerateDERCRL(issuerID string) ([]byte, error)
-	GetOCSPResponse(issuerID string, serialHex string) ([]byte, error)
-	GetCertificateDeployments(certID string) ([]domain.DeploymentTarget, error)
+	ListCertificates(ctx context.Context, status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
+	ListCertificatesWithFilter(ctx context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
+	GetCertificate(ctx context.Context, id string) (*domain.ManagedCertificate, error)
+	CreateCertificate(ctx context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
+	UpdateCertificate(ctx context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
+	ArchiveCertificate(ctx context.Context, id string) error
+	GetCertificateVersions(ctx context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
+	TriggerRenewal(ctx context.Context, certID string, actor string) error
+	TriggerDeployment(ctx context.Context, certID string, targetID string, actor string) error
+	RevokeCertificate(ctx context.Context, certID string, reason string, actor string) error
+	GetRevokedCertificates(ctx context.Context) ([]*domain.CertificateRevocation, error)
+	GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error)
+	GetOCSPResponse(ctx context.Context, issuerID string, serialHex string) ([]byte, error)
+	GetCertificateDeployments(ctx context.Context, certID string) ([]domain.DeploymentTarget, error)
 }
 
 // CertificateHandler handles HTTP requests for certificate operations.
@@ -128,7 +129,7 @@ func (h CertificateHandler) ListCertificates(w http.ResponseWriter, r *http.Requ
 		filter.Fields = strings.Split(fieldsStr, ",")
 	}
 
-	certs, total, err := h.svc.ListCertificatesWithFilter(filter)
+	certs, total, err := h.svc.ListCertificatesWithFilter(r.Context(), filter)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list certificates", requestID)
 		return
@@ -186,7 +187,7 @@ func (h CertificateHandler) GetCertificate(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	cert, err := h.svc.GetCertificate(id)
+	cert, err := h.svc.GetCertificate(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
 		return
@@ -241,7 +242,7 @@ func (h CertificateHandler) CreateCertificate(w http.ResponseWriter, r *http.Req
 		return
 	}
 
-	created, err := h.svc.CreateCertificate(cert)
+	created, err := h.svc.CreateCertificate(r.Context(), cert)
 	if err != nil {
 		slog.Error("failed to create certificate", "error", err, "request_id", requestID, "common_name", cert.CommonName, "name", cert.Name)
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create certificate", requestID)
@@ -295,7 +296,7 @@ func (h CertificateHandler) UpdateCertificate(w http.ResponseWriter, r *http.Req
 		}
 	}
 
-	updated, err := h.svc.UpdateCertificate(id, cert)
+	updated, err := h.svc.UpdateCertificate(r.Context(), id, cert)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
@@ -325,7 +326,7 @@ func (h CertificateHandler) ArchiveCertificate(w http.ResponseWriter, r *http.Re
 		return
 	}
 
-	if err := h.svc.ArchiveCertificate(id); err != nil {
+	if err := h.svc.ArchiveCertificate(r.Context(), id); err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
 			return
@@ -370,7 +371,7 @@ func (h CertificateHandler) GetCertificateVersions(w http.ResponseWriter, r *htt
 		}
 	}
 
-	versions, total, err := h.svc.GetCertificateVersions(certID, page, perPage)
+	versions, total, err := h.svc.GetCertificateVersions(r.Context(), certID, page, perPage)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
@@ -410,7 +411,9 @@ func (h CertificateHandler) TriggerRenewal(w http.ResponseWriter, r *http.Reques
 	}
 	certID := parts[0]
 
-	if err := h.svc.TriggerRenewal(certID); err != nil {
+	actor := resolveActor(r.Context())
+
+	if err := h.svc.TriggerRenewal(r.Context(), certID, actor); err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
@@ -466,7 +469,9 @@ func (h CertificateHandler) TriggerDeployment(w http.ResponseWriter, r *http.Req
 		}
 	}
 
-	if err := h.svc.TriggerDeployment(certID, req.TargetID); err != nil {
+	actor := resolveActor(r.Context())
+
+	if err := h.svc.TriggerDeployment(r.Context(), certID, req.TargetID, actor); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to trigger deployment", requestID)
 		return
 	}
@@ -508,7 +513,9 @@ func (h CertificateHandler) RevokeCertificate(w http.ResponseWriter, r *http.Req
 		}
 	}
 
-	if err := h.svc.RevokeCertificate(certID, req.Reason); err != nil {
+	actor := resolveActor(r.Context())
+
+	if err := h.svc.RevokeCertificate(r.Context(), certID, req.Reason, actor); err != nil {
 		// Distinguish between client errors and server errors
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "already revoked") ||
@@ -528,49 +535,12 @@ func (h CertificateHandler) RevokeCertificate(w http.ResponseWriter, r *http.Req
 	JSON(w, http.StatusOK, map[string]string{"status": "revoked"})
 }
 
-// GetCRL returns the Certificate Revocation List as structured JSON.
-// GET /api/v1/crl
-// Note: DER-encoded X.509 CRL generation (requiring CA key access) is planned for M15b
-// alongside the embedded OCSP responder. This endpoint provides the same data in JSON format.
-func (h CertificateHandler) GetCRL(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodGet {
-		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
-		return
-	}
-
-	requestID := middleware.GetRequestID(r.Context())
-
-	revocations, err := h.svc.GetRevokedCertificates()
-	if err != nil {
-		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to generate CRL", requestID)
-		return
-	}
-
-	type CRLEntry struct {
-		SerialNumber     string `json:"serial_number"`
-		RevocationDate   string `json:"revocation_date"`
-		RevocationReason string `json:"revocation_reason"`
-	}
-
-	entries := make([]CRLEntry, 0, len(revocations))
-	for _, rev := range revocations {
-		entries = append(entries, CRLEntry{
-			SerialNumber:     rev.SerialNumber,
-			RevocationDate:   rev.RevokedAt.Format("2006-01-02T15:04:05Z"),
-			RevocationReason: rev.Reason,
-		})
-	}
-
-	JSON(w, http.StatusOK, map[string]interface{}{
-		"version":      1,
-		"entries":      entries,
-		"total":        len(entries),
-		"generated_at": time.Now().UTC().Format("2006-01-02T15:04:05Z"),
-	})
-}
-
 // GetDERCRL returns a DER-encoded X.509 CRL signed by the specified issuer.
-// GET /api/v1/crl/{issuer_id}
+// GET /.well-known/pki/crl/{issuer_id}
+//
+// RFC 5280 § 5. Served unauthenticated under the /.well-known/pki/ namespace so
+// relying parties (browsers, OpenSSL, OCSP stapling sidecars) can fetch the CRL
+// without presenting certctl API credentials.
 func (h CertificateHandler) GetDERCRL(w http.ResponseWriter, r *http.Request) {
 	requestID, _ := r.Context().Value("request_id").(string)
 
@@ -579,13 +549,13 @@ func (h CertificateHandler) GetDERCRL(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	issuerID := strings.TrimPrefix(r.URL.Path, "/api/v1/crl/")
+	issuerID := strings.TrimPrefix(r.URL.Path, "/.well-known/pki/crl/")
 	if issuerID == "" {
 		ErrorWithRequestID(w, http.StatusBadRequest, "Issuer ID is required", requestID)
 		return
 	}
 
-	derBytes, err := h.svc.GenerateDERCRL(issuerID)
+	derBytes, err := h.svc.GenerateDERCRL(r.Context(), issuerID)
 	if err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {
@@ -607,8 +577,11 @@ func (h CertificateHandler) GetDERCRL(w http.ResponseWriter, r *http.Request) {
 }
 
 // HandleOCSP processes OCSP requests.
-// GET /api/v1/ocsp/{issuer_id}/{serial_hex}
-// For simplicity, use GET with path params instead of binary POST.
+// GET /.well-known/pki/ocsp/{issuer_id}/{serial_hex}
+//
+// RFC 6960. Served unauthenticated under the /.well-known/pki/ namespace. For
+// simplicity we accept GET with path params rather than the binary POST body
+// form — the response is a valid DER-encoded OCSP response either way.
 func (h CertificateHandler) HandleOCSP(w http.ResponseWriter, r *http.Request) {
 	requestID, _ := r.Context().Value("request_id").(string)
 
@@ -617,8 +590,8 @@ func (h CertificateHandler) HandleOCSP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Extract issuer_id and serial from path: /api/v1/ocsp/{issuer_id}/{serial_hex}
-	path := strings.TrimPrefix(r.URL.Path, "/api/v1/ocsp/")
+	// Extract issuer_id and serial from path: /.well-known/pki/ocsp/{issuer_id}/{serial_hex}
+	path := strings.TrimPrefix(r.URL.Path, "/.well-known/pki/ocsp/")
 	parts := strings.SplitN(path, "/", 2)
 	if len(parts) < 2 || parts[0] == "" || parts[1] == "" {
 		ErrorWithRequestID(w, http.StatusBadRequest, "Issuer ID and serial number are required", requestID)
@@ -627,7 +600,7 @@ func (h CertificateHandler) HandleOCSP(w http.ResponseWriter, r *http.Request) {
 	issuerID := parts[0]
 	serialHex := parts[1]
 
-	derBytes, err := h.svc.GetOCSPResponse(issuerID, serialHex)
+	derBytes, err := h.svc.GetOCSPResponse(r.Context(), issuerID, serialHex)
 	if err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {
@@ -667,7 +640,7 @@ func (h CertificateHandler) GetCertificateDeployments(w http.ResponseWriter, r *
 	}
 	certID := parts[0]
 
-	deployments, err := h.svc.GetCertificateDeployments(certID)
+	deployments, err := h.svc.GetCertificateDeployments(r.Context(), certID)
 	if err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {

internal/api/handler/discovery.go

@@ -11,12 +11,17 @@ import (
 )
 
 // DiscoveryService defines the interface used by the discovery handler.
+// ClaimDiscovered and DismissDiscovered accept an explicit actor parameter so
+// the handler can flow the authenticated named-key identity into the audit
+// trail (M-005). Services that call these methods from non-request contexts
+// pass a descriptive sentinel (e.g., "system") or "" (which falls back to
+// "api").
 type DiscoveryService interface {
 	ProcessDiscoveryReport(ctx context.Context, report *domain.DiscoveryReport) (*domain.DiscoveryScan, error)
 	ListDiscovered(ctx context.Context, agentID, status string, page, perPage int) ([]*domain.DiscoveredCertificate, int, error)
 	GetDiscovered(ctx context.Context, id string) (*domain.DiscoveredCertificate, error)
-	ClaimDiscovered(ctx context.Context, id string, managedCertID string) error
-	DismissDiscovered(ctx context.Context, id string) error
+	ClaimDiscovered(ctx context.Context, id string, managedCertID string, actor string) error
+	DismissDiscovered(ctx context.Context, id string, actor string) error
 	ListScans(ctx context.Context, agentID string, page, perPage int) ([]*domain.DiscoveryScan, int, error)
 	GetScan(ctx context.Context, id string) (*domain.DiscoveryScan, error)
 	GetDiscoverySummary(ctx context.Context) (map[string]int, error)
@@ -142,7 +147,7 @@ func (h DiscoveryHandler) ClaimDiscovered(w http.ResponseWriter, r *http.Request
 		return
 	}
 
-	if err := h.svc.ClaimDiscovered(r.Context(), id, body.ManagedCertificateID); err != nil {
+	if err := h.svc.ClaimDiscovered(r.Context(), id, body.ManagedCertificateID, resolveActor(r.Context())); err != nil {
 		Error(w, http.StatusInternalServerError, fmt.Sprintf("failed to claim certificate: %v", err))
 		return
 	}
@@ -166,7 +171,7 @@ func (h DiscoveryHandler) DismissDiscovered(w http.ResponseWriter, r *http.Reque
 		return
 	}
 
-	if err := h.svc.DismissDiscovered(r.Context(), id); err != nil {
+	if err := h.svc.DismissDiscovered(r.Context(), id, resolveActor(r.Context())); err != nil {
 		Error(w, http.StatusInternalServerError, fmt.Sprintf("failed to dismiss certificate: %v", err))
 		return
 	}

internal/api/handler/discovery_handler_test.go

@@ -19,8 +19,8 @@ type MockDiscoveryService struct {
 	ProcessDiscoveryReportFn func(ctx context.Context, report *domain.DiscoveryReport) (*domain.DiscoveryScan, error)
 	ListDiscoveredFn         func(ctx context.Context, agentID, status string, page, perPage int) ([]*domain.DiscoveredCertificate, int, error)
 	GetDiscoveredFn          func(ctx context.Context, id string) (*domain.DiscoveredCertificate, error)
-	ClaimDiscoveredFn        func(ctx context.Context, id string, managedCertID string) error
-	DismissDiscoveredFn      func(ctx context.Context, id string) error
+	ClaimDiscoveredFn        func(ctx context.Context, id string, managedCertID string, actor string) error
+	DismissDiscoveredFn      func(ctx context.Context, id string, actor string) error
 	ListScansFn              func(ctx context.Context, agentID string, page, perPage int) ([]*domain.DiscoveryScan, int, error)
 	GetScanFn                func(ctx context.Context, id string) (*domain.DiscoveryScan, error)
 	GetDiscoverySummaryFn    func(ctx context.Context) (map[string]int, error)
@@ -47,16 +47,16 @@ func (m *MockDiscoveryService) GetDiscovered(ctx context.Context, id string) (*d
 	return nil, nil
 }
 
-func (m *MockDiscoveryService) ClaimDiscovered(ctx context.Context, id string, managedCertID string) error {
+func (m *MockDiscoveryService) ClaimDiscovered(ctx context.Context, id string, managedCertID string, actor string) error {
 	if m.ClaimDiscoveredFn != nil {
-		return m.ClaimDiscoveredFn(ctx, id, managedCertID)
+		return m.ClaimDiscoveredFn(ctx, id, managedCertID, actor)
 	}
 	return nil
 }
 
-func (m *MockDiscoveryService) DismissDiscovered(ctx context.Context, id string) error {
+func (m *MockDiscoveryService) DismissDiscovered(ctx context.Context, id string, actor string) error {
 	if m.DismissDiscoveredFn != nil {
-		return m.DismissDiscoveredFn(ctx, id)
+		return m.DismissDiscoveredFn(ctx, id, actor)
 	}
 	return nil
 }
@@ -352,7 +352,7 @@ func TestGetDiscovered_NotFound(t *testing.T) {
 // Test ClaimDiscovered - success case
 func TestClaimDiscovered_Success(t *testing.T) {
 	mock := &MockDiscoveryService{
-		ClaimDiscoveredFn: func(ctx context.Context, id string, managedCertID string) error {
+		ClaimDiscoveredFn: func(ctx context.Context, id string, managedCertID string, actor string) error {
 			if id == "dcert-1" && managedCertID == "mc-prod-1" {
 				return nil
 			}
@@ -411,7 +411,7 @@ func TestClaimDiscovered_MissingManagedCertID(t *testing.T) {
 // Test ClaimDiscovered - discovered cert not found
 func TestClaimDiscovered_NotFound(t *testing.T) {
 	mock := &MockDiscoveryService{
-		ClaimDiscoveredFn: func(ctx context.Context, id string, managedCertID string) error {
+		ClaimDiscoveredFn: func(ctx context.Context, id string, managedCertID string, actor string) error {
 			return fmt.Errorf("discovered certificate not found")
 		},
 	}
@@ -438,7 +438,7 @@ func TestClaimDiscovered_NotFound(t *testing.T) {
 // Test DismissDiscovered - success case
 func TestDismissDiscovered_Success(t *testing.T) {
 	mock := &MockDiscoveryService{
-		DismissDiscoveredFn: func(ctx context.Context, id string) error {
+		DismissDiscoveredFn: func(ctx context.Context, id string, actor string) error {
 			if id == "dcert-1" {
 				return nil
 			}
@@ -614,7 +614,7 @@ func TestGetDiscoverySummary_MethodNotAllowed(t *testing.T) {
 // Test DismissDiscovered - service error
 func TestDismissDiscovered_ServiceError(t *testing.T) {
 	mock := &MockDiscoveryService{
-		DismissDiscoveredFn: func(ctx context.Context, id string) error {
+		DismissDiscoveredFn: func(ctx context.Context, id string, actor string) error {
 			return fmt.Errorf("database error")
 		},
 	}

internal/api/handler/health.go

@@ -2,6 +2,8 @@ package handler
 
 import (
 	"net/http"
+
+	"github.com/shankar0123/certctl/internal/api/middleware"
 )
 
 // HealthHandler handles health and readiness check endpoints.
@@ -55,9 +57,23 @@ func (h HealthHandler) AuthInfo(w http.ResponseWriter, r *http.Request) {
 	JSON(w, http.StatusOK, response)
 }
 
-// AuthCheck returns 200 if the request has valid auth credentials.
-// The auth middleware runs before this handler, so reaching here means auth passed.
+// AuthCheck returns 200 if the request has valid auth credentials, along with
+// the resolved named-key identity and admin flag so the GUI can gate
+// admin-only affordances (e.g., the bulk-revoke button).
+//
+// M-003 (Phase B.4): surface the admin flag so the frontend hides affordances
+// that would otherwise 403 at the server. This is a hint for UX only —
+// authorization remains enforced at the handler layer (bulk_revocation.go).
+//
+// The auth middleware runs before this handler, so reaching here means auth
+// passed. `user` falls back to an empty string when auth is disabled
+// (CERTCTL_AUTH_TYPE=none).
 // GET /api/v1/auth/check
 func (h HealthHandler) AuthCheck(w http.ResponseWriter, r *http.Request) {
-	JSON(w, http.StatusOK, map[string]string{"status": "authenticated"})
+	response := map[string]interface{}{
+		"status": "authenticated",
+		"user":   middleware.GetUser(r.Context()),
+		"admin":  middleware.IsAdmin(r.Context()),
+	}
+	JSON(w, http.StatusOK, response)
 }

internal/api/handler/health_test.go

@@ -1,10 +1,13 @@
 package handler
 
 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"testing"
+
+	"github.com/shankar0123/certctl/internal/api/middleware"
 )
 
 func TestHealth_ReturnsOK(t *testing.T) {
@@ -204,8 +207,8 @@ func TestAuthCheck_ReturnsOK(t *testing.T) {
 		t.Errorf("Content-Type = %q, want application/json", ct)
 	}
 
-	// Check response body
-	var result map[string]string
+	// Check response body — mixed-value map (string + bool) post-Phase B.4.
+	var result map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
 		t.Fatalf("failed to decode response: %v", err)
 	}
@@ -232,3 +235,113 @@ func TestAuthCheck_MethodNotAllowed(t *testing.T) {
 		t.Logf("AuthCheck returned status %d (note: method not enforced in handler)", status)
 	}
 }
+
+// --- M-003 (Phase B.4): /auth/check surfaces admin flag + user identity ---
+
+// TestAuthCheck_AdminCaller_ReportsAdminTrue confirms that when the auth
+// middleware sets AdminKey{}=true (i.e., named key was admin-tagged), the
+// /auth/check endpoint reports admin=true so the GUI can show admin-only
+// affordances.
+func TestAuthCheck_AdminCaller_ReportsAdminTrue(t *testing.T) {
+	handler := NewHealthHandler("api-key")
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/check", nil)
+	ctx := context.WithValue(req.Context(), middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
+	req = req.WithContext(ctx)
+
+	w := httptest.NewRecorder()
+	handler.AuthCheck(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected status 200, got %d", w.Code)
+	}
+
+	var result map[string]any
+	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+
+	if result["status"] != "authenticated" {
+		t.Errorf("status = %q, want authenticated", result["status"])
+	}
+	admin, ok := result["admin"].(bool)
+	if !ok {
+		t.Fatalf("admin field missing or wrong type: %T", result["admin"])
+	}
+	if !admin {
+		t.Errorf("admin = false, want true")
+	}
+	if result["user"] != "ops-admin" {
+		t.Errorf("user = %q, want ops-admin", result["user"])
+	}
+}
+
+// TestAuthCheck_NonAdminCaller_ReportsAdminFalse pins the negative case: the
+// auth middleware has stored AdminKey{}=false (non-admin named key) — the
+// endpoint must report admin=false so the GUI hides admin-only affordances.
+func TestAuthCheck_NonAdminCaller_ReportsAdminFalse(t *testing.T) {
+	handler := NewHealthHandler("api-key")
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/check", nil)
+	ctx := context.WithValue(req.Context(), middleware.AdminKey{}, false)
+	ctx = context.WithValue(ctx, middleware.UserKey{}, "alice")
+	req = req.WithContext(ctx)
+
+	w := httptest.NewRecorder()
+	handler.AuthCheck(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected status 200, got %d", w.Code)
+	}
+
+	var result map[string]any
+	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+
+	admin, ok := result["admin"].(bool)
+	if !ok {
+		t.Fatalf("admin field missing or wrong type: %T", result["admin"])
+	}
+	if admin {
+		t.Errorf("admin = true, want false")
+	}
+	if result["user"] != "alice" {
+		t.Errorf("user = %q, want alice", result["user"])
+	}
+}
+
+// TestAuthCheck_NoAuthContext_DefaultsToEmptyUserAndFalseAdmin covers the
+// CERTCTL_AUTH_TYPE=none deployment, where the auth middleware doesn't set
+// any keys. Response must still be well-formed with empty user + admin=false.
+func TestAuthCheck_NoAuthContext_DefaultsToEmptyUserAndFalseAdmin(t *testing.T) {
+	handler := NewHealthHandler("none")
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/check", nil)
+	w := httptest.NewRecorder()
+	handler.AuthCheck(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected status 200, got %d", w.Code)
+	}
+
+	var result map[string]any
+	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+
+	if result["status"] != "authenticated" {
+		t.Errorf("status = %q, want authenticated", result["status"])
+	}
+	admin, ok := result["admin"].(bool)
+	if !ok {
+		t.Fatalf("admin field missing or wrong type: %T", result["admin"])
+	}
+	if admin {
+		t.Errorf("admin = true for no-auth context, want false")
+	}
+	if result["user"] != "" {
+		t.Errorf("user = %q, want empty string", result["user"])
+	}
+}

internal/api/handler/issuer_handler_test.go

@@ -2,6 +2,7 @@ package handler
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -15,52 +16,52 @@ import (
 
 // MockIssuerService is a mock implementation of IssuerService interface.
 type MockIssuerService struct {
-	ListIssuersFn    func(page, perPage int) ([]domain.Issuer, int64, error)
-	GetIssuerFn      func(id string) (*domain.Issuer, error)
-	CreateIssuerFn   func(issuer domain.Issuer) (*domain.Issuer, error)
-	UpdateIssuerFn   func(id string, issuer domain.Issuer) (*domain.Issuer, error)
-	DeleteIssuerFn   func(id string) error
-	TestConnectionFn func(id string) error
+	ListIssuersFn    func(ctx context.Context, page, perPage int) ([]domain.Issuer, int64, error)
+	GetIssuerFn      func(ctx context.Context, id string) (*domain.Issuer, error)
+	CreateIssuerFn   func(ctx context.Context, issuer domain.Issuer) (*domain.Issuer, error)
+	UpdateIssuerFn   func(ctx context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error)
+	DeleteIssuerFn   func(ctx context.Context, id string) error
+	TestConnectionFn func(ctx context.Context, id string) error
 }
 
-func (m *MockIssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64, error) {
+func (m *MockIssuerService) ListIssuers(ctx context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 	if m.ListIssuersFn != nil {
-		return m.ListIssuersFn(page, perPage)
+		return m.ListIssuersFn(ctx, page, perPage)
 	}
 	return nil, 0, nil
 }
 
-func (m *MockIssuerService) GetIssuer(id string) (*domain.Issuer, error) {
+func (m *MockIssuerService) GetIssuer(ctx context.Context, id string) (*domain.Issuer, error) {
 	if m.GetIssuerFn != nil {
-		return m.GetIssuerFn(id)
+		return m.GetIssuerFn(ctx, id)
 	}
 	return nil, nil
 }
 
-func (m *MockIssuerService) CreateIssuer(issuer domain.Issuer) (*domain.Issuer, error) {
+func (m *MockIssuerService) CreateIssuer(ctx context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 	if m.CreateIssuerFn != nil {
-		return m.CreateIssuerFn(issuer)
+		return m.CreateIssuerFn(ctx, issuer)
 	}
 	return nil, nil
 }
 
-func (m *MockIssuerService) UpdateIssuer(id string, issuer domain.Issuer) (*domain.Issuer, error) {
+func (m *MockIssuerService) UpdateIssuer(ctx context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error) {
 	if m.UpdateIssuerFn != nil {
-		return m.UpdateIssuerFn(id, issuer)
+		return m.UpdateIssuerFn(ctx, id, issuer)
 	}
 	return nil, nil
 }
 
-func (m *MockIssuerService) DeleteIssuer(id string) error {
+func (m *MockIssuerService) DeleteIssuer(ctx context.Context, id string) error {
 	if m.DeleteIssuerFn != nil {
-		return m.DeleteIssuerFn(id)
+		return m.DeleteIssuerFn(ctx, id)
 	}
 	return nil
 }
 
-func (m *MockIssuerService) TestConnection(id string) error {
+func (m *MockIssuerService) TestConnection(ctx context.Context, id string) error {
 	if m.TestConnectionFn != nil {
-		return m.TestConnectionFn(id)
+		return m.TestConnectionFn(ctx, id)
 	}
 	return nil
 }
@@ -85,7 +86,7 @@ func TestListIssuers_Success(t *testing.T) {
 	}
 
 	mock := &MockIssuerService{
-		ListIssuersFn: func(page, perPage int) ([]domain.Issuer, int64, error) {
+		ListIssuersFn: func(_ context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 			return []domain.Issuer{iss1, iss2}, 2, nil
 		},
 	}
@@ -113,7 +114,7 @@ func TestListIssuers_Success(t *testing.T) {
 func TestListIssuers_Pagination(t *testing.T) {
 	var capturedPage, capturedPerPage int
 	mock := &MockIssuerService{
-		ListIssuersFn: func(page, perPage int) ([]domain.Issuer, int64, error) {
+		ListIssuersFn: func(_ context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 			capturedPage = page
 			capturedPerPage = perPage
 			return []domain.Issuer{}, 0, nil
@@ -137,7 +138,7 @@ func TestListIssuers_Pagination(t *testing.T) {
 
 func TestListIssuers_ServiceError(t *testing.T) {
 	mock := &MockIssuerService{
-		ListIssuersFn: func(page, perPage int) ([]domain.Issuer, int64, error) {
+		ListIssuersFn: func(_ context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 			return nil, 0, ErrMockServiceFailed
 		},
 	}
@@ -169,7 +170,7 @@ func TestListIssuers_MethodNotAllowed(t *testing.T) {
 func TestGetIssuer_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockIssuerService{
-		GetIssuerFn: func(id string) (*domain.Issuer, error) {
+		GetIssuerFn: func(_ context.Context, id string) (*domain.Issuer, error) {
 			return &domain.Issuer{
 				ID:        id,
 				Name:      "Local CA",
@@ -195,7 +196,7 @@ func TestGetIssuer_Success(t *testing.T) {
 
 func TestGetIssuer_NotFound(t *testing.T) {
 	mock := &MockIssuerService{
-		GetIssuerFn: func(id string) (*domain.Issuer, error) {
+		GetIssuerFn: func(_ context.Context, id string) (*domain.Issuer, error) {
 			return nil, ErrMockNotFound
 		},
 	}
@@ -228,7 +229,7 @@ func TestGetIssuer_EmptyID(t *testing.T) {
 func TestCreateIssuer_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockIssuerService{
-		CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
+		CreateIssuerFn: func(_ context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 			issuer.ID = "iss-new"
 			issuer.CreatedAt = now
 			issuer.UpdatedAt = now
@@ -328,7 +329,7 @@ func TestCreateIssuer_NameTooLong(t *testing.T) {
 
 func TestCreateIssuer_DuplicateName(t *testing.T) {
 	mock := &MockIssuerService{
-		CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
+		CreateIssuerFn: func(_ context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 			return nil, fmt.Errorf("failed to create issuer: duplicate key value violates unique constraint \"issuers_name_key\"")
 		},
 	}
@@ -361,7 +362,7 @@ func TestCreateIssuer_DuplicateName(t *testing.T) {
 
 func TestCreateIssuer_UnsupportedType(t *testing.T) {
 	mock := &MockIssuerService{
-		CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
+		CreateIssuerFn: func(_ context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 			return nil, fmt.Errorf("unsupported issuer type: FakeCA")
 		},
 	}
@@ -394,7 +395,7 @@ func TestCreateIssuer_UnsupportedType(t *testing.T) {
 
 func TestCreateIssuer_GenericServiceError(t *testing.T) {
 	mock := &MockIssuerService{
-		CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
+		CreateIssuerFn: func(_ context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 			return nil, fmt.Errorf("failed to encrypt config: cipher error")
 		},
 	}
@@ -419,7 +420,7 @@ func TestCreateIssuer_GenericServiceError(t *testing.T) {
 
 func TestUpdateIssuer_DuplicateName(t *testing.T) {
 	mock := &MockIssuerService{
-		UpdateIssuerFn: func(id string, issuer domain.Issuer) (*domain.Issuer, error) {
+		UpdateIssuerFn: func(_ context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error) {
 			return nil, fmt.Errorf("failed to update issuer: duplicate key value violates unique constraint")
 		},
 	}
@@ -445,7 +446,7 @@ func TestUpdateIssuer_DuplicateName(t *testing.T) {
 func TestDeleteIssuer_Success(t *testing.T) {
 	var deletedID string
 	mock := &MockIssuerService{
-		DeleteIssuerFn: func(id string) error {
+		DeleteIssuerFn: func(_ context.Context, id string) error {
 			deletedID = id
 			return nil
 		},
@@ -468,7 +469,7 @@ func TestDeleteIssuer_Success(t *testing.T) {
 
 func TestDeleteIssuer_ServiceError(t *testing.T) {
 	mock := &MockIssuerService{
-		DeleteIssuerFn: func(id string) error {
+		DeleteIssuerFn: func(_ context.Context, id string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -487,7 +488,7 @@ func TestDeleteIssuer_ServiceError(t *testing.T) {
 
 func TestTestConnection_Success(t *testing.T) {
 	mock := &MockIssuerService{
-		TestConnectionFn: func(id string) error {
+		TestConnectionFn: func(_ context.Context, id string) error {
 			return nil
 		},
 	}
@@ -514,7 +515,7 @@ func TestTestConnection_Success(t *testing.T) {
 
 func TestTestConnection_Failure(t *testing.T) {
 	mock := &MockIssuerService{
-		TestConnectionFn: func(id string) error {
+		TestConnectionFn: func(_ context.Context, id string) error {
 			return ErrMockServiceFailed
 		},
 	}

internal/api/handler/issuers.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"context"
 	"encoding/json"
 	"log/slog"
 	"net/http"
@@ -13,12 +14,12 @@ import (
 
 // IssuerService defines the service interface for issuer operations.
 type IssuerService interface {
-	ListIssuers(page, perPage int) ([]domain.Issuer, int64, error)
-	GetIssuer(id string) (*domain.Issuer, error)
-	CreateIssuer(issuer domain.Issuer) (*domain.Issuer, error)
-	UpdateIssuer(id string, issuer domain.Issuer) (*domain.Issuer, error)
-	DeleteIssuer(id string) error
-	TestConnection(id string) error
+	ListIssuers(ctx context.Context, page, perPage int) ([]domain.Issuer, int64, error)
+	GetIssuer(ctx context.Context, id string) (*domain.Issuer, error)
+	CreateIssuer(ctx context.Context, issuer domain.Issuer) (*domain.Issuer, error)
+	UpdateIssuer(ctx context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error)
+	DeleteIssuer(ctx context.Context, id string) error
+	TestConnection(ctx context.Context, id string) error
 }
 
 // IssuerHandler handles HTTP requests for issuer operations.
@@ -61,7 +62,7 @@ func (h IssuerHandler) ListIssuers(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	issuers, total, err := h.svc.ListIssuers(page, perPage)
+	issuers, total, err := h.svc.ListIssuers(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list issuers", requestID)
 		return
@@ -93,7 +94,7 @@ func (h IssuerHandler) GetIssuer(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	issuer, err := h.svc.GetIssuer(id)
+	issuer, err := h.svc.GetIssuer(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Issuer not found", requestID)
 		return
@@ -132,7 +133,7 @@ func (h IssuerHandler) CreateIssuer(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	created, err := h.svc.CreateIssuer(issuer)
+	created, err := h.svc.CreateIssuer(r.Context(), issuer)
 	if err != nil {
 		h.logger.Error("failed to create issuer", "error", err, "name", issuer.Name, "type", issuer.Type)
 		errMsg := err.Error()
@@ -174,7 +175,7 @@ func (h IssuerHandler) UpdateIssuer(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	updated, err := h.svc.UpdateIssuer(id, issuer)
+	updated, err := h.svc.UpdateIssuer(r.Context(), id, issuer)
 	if err != nil {
 		h.logger.Error("failed to update issuer", "error", err, "id", id)
 		errMsg := err.Error()
@@ -208,7 +209,7 @@ func (h IssuerHandler) DeleteIssuer(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := h.svc.DeleteIssuer(id); err != nil {
+	if err := h.svc.DeleteIssuer(r.Context(), id); err != nil {
 		if strings.Contains(err.Error(), "violates foreign key") || strings.Contains(err.Error(), "RESTRICT") {
 			ErrorWithRequestID(w, http.StatusConflict, "Cannot delete issuer: certificates are still using this issuer", requestID)
 		} else if strings.Contains(err.Error(), "not found") {
@@ -241,7 +242,7 @@ func (h IssuerHandler) TestConnection(w http.ResponseWriter, r *http.Request) {
 	}
 	issuerID := parts[0]
 
-	if err := h.svc.TestConnection(issuerID); err != nil {
+	if err := h.svc.TestConnection(r.Context(), issuerID); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Connection test failed", requestID)
 		return
 	}

internal/api/handler/job_handler_test.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -10,48 +11,51 @@ import (
 	"time"
 
 	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/service"
 )
 
 // MockJobService is a mock implementation of JobService interface.
+// Approve/Reject closures now take the actor string so tests can assert
+// actor propagation from the auth middleware → handler → service.
 type MockJobService struct {
 	ListJobsFn   func(status, jobType string, page, perPage int) ([]domain.Job, int64, error)
 	GetJobFn     func(id string) (*domain.Job, error)
 	CancelJobFn  func(id string) error
-	ApproveJobFn func(id string) error
-	RejectJobFn  func(id string, reason string) error
+	ApproveJobFn func(id, actor string) error
+	RejectJobFn  func(id, reason, actor string) error
 }
 
-func (m *MockJobService) ListJobs(status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
+func (m *MockJobService) ListJobs(_ context.Context, status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
 	if m.ListJobsFn != nil {
 		return m.ListJobsFn(status, jobType, page, perPage)
 	}
 	return nil, 0, nil
 }
 
-func (m *MockJobService) GetJob(id string) (*domain.Job, error) {
+func (m *MockJobService) GetJob(_ context.Context, id string) (*domain.Job, error) {
 	if m.GetJobFn != nil {
 		return m.GetJobFn(id)
 	}
 	return nil, nil
 }
 
-func (m *MockJobService) CancelJob(id string) error {
+func (m *MockJobService) CancelJob(_ context.Context, id string) error {
 	if m.CancelJobFn != nil {
 		return m.CancelJobFn(id)
 	}
 	return nil
 }
 
-func (m *MockJobService) ApproveJob(id string) error {
+func (m *MockJobService) ApproveJob(_ context.Context, id, actor string) error {
 	if m.ApproveJobFn != nil {
-		return m.ApproveJobFn(id)
+		return m.ApproveJobFn(id, actor)
 	}
 	return nil
 }
 
-func (m *MockJobService) RejectJob(id string, reason string) error {
+func (m *MockJobService) RejectJob(_ context.Context, id, reason, actor string) error {
 	if m.RejectJobFn != nil {
-		return m.RejectJobFn(id, reason)
+		return m.RejectJobFn(id, reason, actor)
 	}
 	return nil
 }
@@ -347,7 +351,7 @@ func TestCancelJob_EmptyID(t *testing.T) {
 func TestApproveJob_Success(t *testing.T) {
 	var approvedID string
 	mock := &MockJobService{
-		ApproveJobFn: func(id string) error {
+		ApproveJobFn: func(id, actor string) error {
 			approvedID = id
 			return nil
 		},
@@ -378,7 +382,7 @@ func TestApproveJob_Success(t *testing.T) {
 
 func TestApproveJob_NotFound(t *testing.T) {
 	mock := &MockJobService{
-		ApproveJobFn: func(id string) error {
+		ApproveJobFn: func(id, actor string) error {
 			return fmt.Errorf("job not found: no rows")
 		},
 	}
@@ -397,7 +401,7 @@ func TestApproveJob_NotFound(t *testing.T) {
 
 func TestApproveJob_BadStatus(t *testing.T) {
 	mock := &MockJobService{
-		ApproveJobFn: func(id string) error {
+		ApproveJobFn: func(id, actor string) error {
 			return fmt.Errorf("cannot approve job with status Running")
 		},
 	}
@@ -426,10 +430,56 @@ func TestApproveJob_MethodNotAllowed(t *testing.T) {
 	}
 }
 
+// TestApproveJob_SelfApproval_Returns403 verifies the M-003 separation-of-duties
+// wire: when the service returns ErrSelfApproval the handler must surface HTTP
+// 403 Forbidden (NOT 500). The error sentinel crosses the service boundary via
+// errors.Is so the handler can pattern-match regardless of any fmt.Errorf
+// wrapping that may be added later.
+func TestApproveJob_SelfApproval_Returns403(t *testing.T) {
+	var capturedActor string
+	mock := &MockJobService{
+		ApproveJobFn: func(id, actor string) error {
+			capturedActor = actor
+			return service.ErrSelfApproval
+		},
+	}
+
+	h := NewJobHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/jobs/job-self/approve", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	h.ApproveJob(w, req)
+
+	if w.Code != http.StatusForbidden {
+		t.Fatalf("expected status 403, got %d", w.Code)
+	}
+
+	var resp map[string]any
+	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	// Response body should name the self-approval condition explicitly so
+	// operators triaging a 403 can distinguish it from other forbid paths.
+	// The ErrorResponse envelope uses "error" for the status text and
+	// "message" for the human-readable explanation — we assert on message.
+	msg, _ := resp["message"].(string)
+	if !strings.Contains(strings.ToLower(msg), "self-approval") {
+		t.Errorf("expected message to mention self-approval, got %q", msg)
+	}
+
+	// The handler resolves the actor from the auth context; in this test the
+	// request has no auth context, so the propagated actor is the anonymous
+	// fallback ("" or "anonymous" depending on middleware wiring). We only
+	// assert the closure observed *some* actor string — the detailed actor
+	// threading is covered by resolveActor unit tests.
+	_ = capturedActor
+}
+
 func TestRejectJob_Success(t *testing.T) {
 	var rejectedID, capturedReason string
 	mock := &MockJobService{
-		RejectJobFn: func(id string, reason string) error {
+		RejectJobFn: func(id, reason, actor string) error {
 			rejectedID = id
 			capturedReason = reason
 			return nil
@@ -457,7 +507,7 @@ func TestRejectJob_Success(t *testing.T) {
 
 func TestRejectJob_NoReason(t *testing.T) {
 	mock := &MockJobService{
-		RejectJobFn: func(id string, reason string) error {
+		RejectJobFn: func(id, reason, actor string) error {
 			return nil
 		},
 	}
@@ -476,7 +526,7 @@ func TestRejectJob_NoReason(t *testing.T) {
 
 func TestRejectJob_NotFound(t *testing.T) {
 	mock := &MockJobService{
-		RejectJobFn: func(id string, reason string) error {
+		RejectJobFn: func(id, reason, actor string) error {
 			return fmt.Errorf("job not found: no rows")
 		},
 	}

internal/api/handler/jobs.go

@@ -1,7 +1,9 @@
 package handler
 
 import (
+	"context"
 	"encoding/json"
+	"errors"
 	"io"
 	"net/http"
 	"strconv"
@@ -9,15 +11,21 @@ import (
 
 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/service"
 )
 
 // JobService defines the service interface for job operations.
 type JobService interface {
-	ListJobs(status, jobType string, page, perPage int) ([]domain.Job, int64, error)
-	GetJob(id string) (*domain.Job, error)
-	CancelJob(id string) error
-	ApproveJob(id string) error
-	RejectJob(id string, reason string) error
+	ListJobs(ctx context.Context, status, jobType string, page, perPage int) ([]domain.Job, int64, error)
+	GetJob(ctx context.Context, id string) (*domain.Job, error)
+	CancelJob(ctx context.Context, id string) error
+	// ApproveJob approves a renewal job. actor is the named-key identity
+	// resolved from the auth middleware; the service returns ErrSelfApproval
+	// (mapped to 403) when actor matches the certificate owner.
+	ApproveJob(ctx context.Context, id, actor string) error
+	// RejectJob rejects a renewal job. actor is the named-key identity
+	// recorded for audit attribution; no not-self restriction.
+	RejectJob(ctx context.Context, id, reason, actor string) error
 }
 
 // JobHandler handles HTTP requests for job operations.
@@ -57,7 +65,7 @@ func (h JobHandler) ListJobs(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	jobs, total, err := h.svc.ListJobs(status, jobType, page, perPage)
+	jobs, total, err := h.svc.ListJobs(r.Context(), status, jobType, page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list jobs", requestID)
 		return
@@ -91,7 +99,7 @@ func (h JobHandler) GetJob(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
 
-	job, err := h.svc.GetJob(id)
+	job, err := h.svc.GetJob(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
 		return
@@ -119,7 +127,7 @@ func (h JobHandler) CancelJob(w http.ResponseWriter, r *http.Request) {
 	}
 	jobID := parts[0]
 
-	if err := h.svc.CancelJob(jobID); err != nil {
+	if err := h.svc.CancelJob(r.Context(), jobID); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to cancel job", requestID)
 		return
 	}
@@ -149,7 +157,16 @@ func (h JobHandler) ApproveJob(w http.ResponseWriter, r *http.Request) {
 	}
 	jobID := parts[0]
 
-	if err := h.svc.ApproveJob(jobID); err != nil {
+	actor := resolveActor(r.Context())
+
+	if err := h.svc.ApproveJob(r.Context(), jobID, actor); err != nil {
+		// M-003: self-approval by the certificate owner is forbidden.
+		if errors.Is(err, service.ErrSelfApproval) {
+			ErrorWithRequestID(w, http.StatusForbidden,
+				"Self-approval is forbidden: the certificate owner cannot approve their own renewal",
+				requestID)
+			return
+		}
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
 			return
@@ -193,7 +210,9 @@ func (h JobHandler) RejectJob(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if err := h.svc.RejectJob(jobID, body.Reason); err != nil {
+	actor := resolveActor(r.Context())
+
+	if err := h.svc.RejectJob(r.Context(), jobID, body.Reason, actor); err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
 			return

internal/api/handler/notification_handler_test.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -17,21 +18,21 @@ type MockNotificationService struct {
 	MarkAsReadFn        func(id string) error
 }
 
-func (m *MockNotificationService) ListNotifications(page, perPage int) ([]domain.NotificationEvent, int64, error) {
+func (m *MockNotificationService) ListNotifications(_ context.Context, page, perPage int) ([]domain.NotificationEvent, int64, error) {
 	if m.ListNotificationsFn != nil {
 		return m.ListNotificationsFn(page, perPage)
 	}
 	return nil, 0, nil
 }
 
-func (m *MockNotificationService) GetNotification(id string) (*domain.NotificationEvent, error) {
+func (m *MockNotificationService) GetNotification(_ context.Context, id string) (*domain.NotificationEvent, error) {
 	if m.GetNotificationFn != nil {
 		return m.GetNotificationFn(id)
 	}
 	return nil, nil
 }
 
-func (m *MockNotificationService) MarkAsRead(id string) error {
+func (m *MockNotificationService) MarkAsRead(_ context.Context, id string) error {
 	if m.MarkAsReadFn != nil {
 		return m.MarkAsReadFn(id)
 	}

internal/api/handler/notifications.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"context"
 	"net/http"
 	"strconv"
 	"strings"
@@ -11,9 +12,9 @@ import (
 
 // NotificationService defines the service interface for notification operations.
 type NotificationService interface {
-	ListNotifications(page, perPage int) ([]domain.NotificationEvent, int64, error)
-	GetNotification(id string) (*domain.NotificationEvent, error)
-	MarkAsRead(id string) error
+	ListNotifications(ctx context.Context, page, perPage int) ([]domain.NotificationEvent, int64, error)
+	GetNotification(ctx context.Context, id string) (*domain.NotificationEvent, error)
+	MarkAsRead(ctx context.Context, id string) error
 }
 
 // NotificationHandler handles HTTP requests for notification operations.
@@ -50,7 +51,7 @@ func (h NotificationHandler) ListNotifications(w http.ResponseWriter, r *http.Re
 		}
 	}
 
-	notifications, total, err := h.svc.ListNotifications(page, perPage)
+	notifications, total, err := h.svc.ListNotifications(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list notifications", requestID)
 		return
@@ -84,7 +85,7 @@ func (h NotificationHandler) GetNotification(w http.ResponseWriter, r *http.Requ
 	}
 	id = parts[0]
 
-	notification, err := h.svc.GetNotification(id)
+	notification, err := h.svc.GetNotification(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Notification not found", requestID)
 		return
@@ -112,7 +113,7 @@ func (h NotificationHandler) MarkAsRead(w http.ResponseWriter, r *http.Request)
 	}
 	notificationID := parts[0]
 
-	if err := h.svc.MarkAsRead(notificationID); err != nil {
+	if err := h.svc.MarkAsRead(r.Context(), notificationID); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to mark notification as read", requestID)
 		return
 	}

internal/api/handler/owner_handler_test.go

@@ -2,6 +2,7 @@ package handler
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -20,35 +21,35 @@ type MockOwnerService struct {
 	DeleteOwnerFn func(id string) error
 }
 
-func (m *MockOwnerService) ListOwners(page, perPage int) ([]domain.Owner, int64, error) {
+func (m *MockOwnerService) ListOwners(_ context.Context, page, perPage int) ([]domain.Owner, int64, error) {
 	if m.ListOwnersFn != nil {
 		return m.ListOwnersFn(page, perPage)
 	}
 	return nil, 0, nil
 }
 
-func (m *MockOwnerService) GetOwner(id string) (*domain.Owner, error) {
+func (m *MockOwnerService) GetOwner(_ context.Context, id string) (*domain.Owner, error) {
 	if m.GetOwnerFn != nil {
 		return m.GetOwnerFn(id)
 	}
 	return nil, nil
 }
 
-func (m *MockOwnerService) CreateOwner(owner domain.Owner) (*domain.Owner, error) {
+func (m *MockOwnerService) CreateOwner(_ context.Context, owner domain.Owner) (*domain.Owner, error) {
 	if m.CreateOwnerFn != nil {
 		return m.CreateOwnerFn(owner)
 	}
 	return nil, nil
 }
 
-func (m *MockOwnerService) UpdateOwner(id string, owner domain.Owner) (*domain.Owner, error) {
+func (m *MockOwnerService) UpdateOwner(_ context.Context, id string, owner domain.Owner) (*domain.Owner, error) {
 	if m.UpdateOwnerFn != nil {
 		return m.UpdateOwnerFn(id, owner)
 	}
 	return nil, nil
 }
 
-func (m *MockOwnerService) DeleteOwner(id string) error {
+func (m *MockOwnerService) DeleteOwner(_ context.Context, id string) error {
 	if m.DeleteOwnerFn != nil {
 		return m.DeleteOwnerFn(id)
 	}

internal/api/handler/owners.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,11 +13,11 @@ import (
 
 // OwnerService defines the service interface for owner operations.
 type OwnerService interface {
-	ListOwners(page, perPage int) ([]domain.Owner, int64, error)
-	GetOwner(id string) (*domain.Owner, error)
-	CreateOwner(owner domain.Owner) (*domain.Owner, error)
-	UpdateOwner(id string, owner domain.Owner) (*domain.Owner, error)
-	DeleteOwner(id string) error
+	ListOwners(ctx context.Context, page, perPage int) ([]domain.Owner, int64, error)
+	GetOwner(ctx context.Context, id string) (*domain.Owner, error)
+	CreateOwner(ctx context.Context, owner domain.Owner) (*domain.Owner, error)
+	UpdateOwner(ctx context.Context, id string, owner domain.Owner) (*domain.Owner, error)
+	DeleteOwner(ctx context.Context, id string) error
 }
 
 // OwnerHandler handles HTTP requests for owner operations.
@@ -53,7 +54,7 @@ func (h OwnerHandler) ListOwners(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	owners, total, err := h.svc.ListOwners(page, perPage)
+	owners, total, err := h.svc.ListOwners(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list owners", requestID)
 		return
@@ -87,7 +88,7 @@ func (h OwnerHandler) GetOwner(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
 
-	owner, err := h.svc.GetOwner(id)
+	owner, err := h.svc.GetOwner(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Owner not found", requestID)
 		return
@@ -122,7 +123,7 @@ func (h OwnerHandler) CreateOwner(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	created, err := h.svc.CreateOwner(owner)
+	created, err := h.svc.CreateOwner(r.Context(), owner)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create owner", requestID)
 		return
@@ -155,7 +156,7 @@ func (h OwnerHandler) UpdateOwner(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	updated, err := h.svc.UpdateOwner(id, owner)
+	updated, err := h.svc.UpdateOwner(r.Context(), id, owner)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update owner", requestID)
 		return
@@ -182,7 +183,7 @@ func (h OwnerHandler) DeleteOwner(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
 
-	if err := h.svc.DeleteOwner(id); err != nil {
+	if err := h.svc.DeleteOwner(r.Context(), id); err != nil {
 		if strings.Contains(err.Error(), "violates foreign key") || strings.Contains(err.Error(), "RESTRICT") {
 			ErrorWithRequestID(w, http.StatusConflict, "Cannot delete owner: certificates are still assigned to this owner", requestID)
 		} else if strings.Contains(err.Error(), "not found") {

internal/api/handler/policies.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,12 +13,12 @@ import (
 
 // PolicyService defines the service interface for policy rule operations.
 type PolicyService interface {
-	ListPolicies(page, perPage int) ([]domain.PolicyRule, int64, error)
-	GetPolicy(id string) (*domain.PolicyRule, error)
-	CreatePolicy(policy domain.PolicyRule) (*domain.PolicyRule, error)
-	UpdatePolicy(id string, policy domain.PolicyRule) (*domain.PolicyRule, error)
-	DeletePolicy(id string) error
-	ListViolations(policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error)
+	ListPolicies(ctx context.Context, page, perPage int) ([]domain.PolicyRule, int64, error)
+	GetPolicy(ctx context.Context, id string) (*domain.PolicyRule, error)
+	CreatePolicy(ctx context.Context, policy domain.PolicyRule) (*domain.PolicyRule, error)
+	UpdatePolicy(ctx context.Context, id string, policy domain.PolicyRule) (*domain.PolicyRule, error)
+	DeletePolicy(ctx context.Context, id string) error
+	ListViolations(ctx context.Context, policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error)
 }
 
 // PolicyHandler handles HTTP requests for policy rule operations.
@@ -54,7 +55,7 @@ func (h PolicyHandler) ListPolicies(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	policies, total, err := h.svc.ListPolicies(page, perPage)
+	policies, total, err := h.svc.ListPolicies(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list policies", requestID)
 		return
@@ -88,7 +89,7 @@ func (h PolicyHandler) GetPolicy(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
 
-	policy, err := h.svc.GetPolicy(id)
+	policy, err := h.svc.GetPolicy(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Policy not found", requestID)
 		return
@@ -126,8 +127,19 @@ func (h PolicyHandler) CreatePolicy(w http.ResponseWriter, r *http.Request) {
 		ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
 		return
 	}
+	// Severity is optional on create; default matches the DB default.
+	// Any explicit value must pass the TitleCase allowlist; the DB CHECK
+	// constraint enforces the same set, but catching it here gives a 400
+	// with a clear message instead of a 500 on constraint violation.
+	if policy.Severity == "" {
+		policy.Severity = domain.PolicySeverityWarning
+	}
+	if err := ValidatePolicySeverity(policy.Severity); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
+		return
+	}
 
-	created, err := h.svc.CreatePolicy(policy)
+	created, err := h.svc.CreatePolicy(r.Context(), policy)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create policy", requestID)
 		return
@@ -173,8 +185,14 @@ func (h PolicyHandler) UpdatePolicy(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
+	if policy.Severity != "" {
+		if err := ValidatePolicySeverity(policy.Severity); err != nil {
+			ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
+			return
+		}
+	}
 
-	updated, err := h.svc.UpdatePolicy(id, policy)
+	updated, err := h.svc.UpdatePolicy(r.Context(), id, policy)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update policy", requestID)
 		return
@@ -201,7 +219,7 @@ func (h PolicyHandler) DeletePolicy(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
 
-	if err := h.svc.DeletePolicy(id); err != nil {
+	if err := h.svc.DeletePolicy(r.Context(), id); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to delete policy", requestID)
 		return
 	}
@@ -242,7 +260,7 @@ func (h PolicyHandler) ListViolations(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	violations, total, err := h.svc.ListViolations(policyID, page, perPage)
+	violations, total, err := h.svc.ListViolations(r.Context(), policyID, page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list violations", requestID)
 		return

internal/api/handler/policy_handler_test.go

@@ -2,6 +2,7 @@ package handler
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -21,42 +22,42 @@ type MockPolicyService struct {
 	ListViolationsFn func(policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error)
 }
 
-func (m *MockPolicyService) ListPolicies(page, perPage int) ([]domain.PolicyRule, int64, error) {
+func (m *MockPolicyService) ListPolicies(_ context.Context, page, perPage int) ([]domain.PolicyRule, int64, error) {
 	if m.ListPoliciesFn != nil {
 		return m.ListPoliciesFn(page, perPage)
 	}
 	return nil, 0, nil
 }
 
-func (m *MockPolicyService) GetPolicy(id string) (*domain.PolicyRule, error) {
+func (m *MockPolicyService) GetPolicy(_ context.Context, id string) (*domain.PolicyRule, error) {
 	if m.GetPolicyFn != nil {
 		return m.GetPolicyFn(id)
 	}
 	return nil, nil
 }
 
-func (m *MockPolicyService) CreatePolicy(policy domain.PolicyRule) (*domain.PolicyRule, error) {
+func (m *MockPolicyService) CreatePolicy(_ context.Context, policy domain.PolicyRule) (*domain.PolicyRule, error) {
 	if m.CreatePolicyFn != nil {
 		return m.CreatePolicyFn(policy)
 	}
 	return nil, nil
 }
 
-func (m *MockPolicyService) UpdatePolicy(id string, policy domain.PolicyRule) (*domain.PolicyRule, error) {
+func (m *MockPolicyService) UpdatePolicy(_ context.Context, id string, policy domain.PolicyRule) (*domain.PolicyRule, error) {
 	if m.UpdatePolicyFn != nil {
 		return m.UpdatePolicyFn(id, policy)
 	}
 	return nil, nil
 }
 
-func (m *MockPolicyService) DeletePolicy(id string) error {
+func (m *MockPolicyService) DeletePolicy(_ context.Context, id string) error {
 	if m.DeletePolicyFn != nil {
 		return m.DeletePolicyFn(id)
 	}
 	return nil
 }
 
-func (m *MockPolicyService) ListViolations(policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error) {
+func (m *MockPolicyService) ListViolations(_ context.Context, policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error) {
 	if m.ListViolationsFn != nil {
 		return m.ListViolationsFn(policyID, page, perPage)
 	}

internal/api/handler/profile_handler_test.go

@@ -2,6 +2,7 @@ package handler
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -20,35 +21,35 @@ type MockProfileService struct {
 	DeleteProfileFn func(id string) error
 }
 
-func (m *MockProfileService) ListProfiles(page, perPage int) ([]domain.CertificateProfile, int64, error) {
+func (m *MockProfileService) ListProfiles(_ context.Context, page, perPage int) ([]domain.CertificateProfile, int64, error) {
 	if m.ListProfilesFn != nil {
 		return m.ListProfilesFn(page, perPage)
 	}
 	return nil, 0, nil
 }
 
-func (m *MockProfileService) GetProfile(id string) (*domain.CertificateProfile, error) {
+func (m *MockProfileService) GetProfile(_ context.Context, id string) (*domain.CertificateProfile, error) {
 	if m.GetProfileFn != nil {
 		return m.GetProfileFn(id)
 	}
 	return nil, nil
 }
 
-func (m *MockProfileService) CreateProfile(profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (m *MockProfileService) CreateProfile(_ context.Context, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	if m.CreateProfileFn != nil {
 		return m.CreateProfileFn(profile)
 	}
 	return nil, nil
 }
 
-func (m *MockProfileService) UpdateProfile(id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (m *MockProfileService) UpdateProfile(_ context.Context, id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	if m.UpdateProfileFn != nil {
 		return m.UpdateProfileFn(id, profile)
 	}
 	return nil, nil
 }
 
-func (m *MockProfileService) DeleteProfile(id string) error {
+func (m *MockProfileService) DeleteProfile(_ context.Context, id string) error {
 	if m.DeleteProfileFn != nil {
 		return m.DeleteProfileFn(id)
 	}

internal/api/handler/profiles.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,11 +13,11 @@ import (
 
 // ProfileService defines the service interface for certificate profile operations.
 type ProfileService interface {
-	ListProfiles(page, perPage int) ([]domain.CertificateProfile, int64, error)
-	GetProfile(id string) (*domain.CertificateProfile, error)
-	CreateProfile(profile domain.CertificateProfile) (*domain.CertificateProfile, error)
-	UpdateProfile(id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error)
-	DeleteProfile(id string) error
+	ListProfiles(ctx context.Context, page, perPage int) ([]domain.CertificateProfile, int64, error)
+	GetProfile(ctx context.Context, id string) (*domain.CertificateProfile, error)
+	CreateProfile(ctx context.Context, profile domain.CertificateProfile) (*domain.CertificateProfile, error)
+	UpdateProfile(ctx context.Context, id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error)
+	DeleteProfile(ctx context.Context, id string) error
 }
 
 // ProfileHandler handles HTTP requests for certificate profile operations.
@@ -53,7 +54,7 @@ func (h ProfileHandler) ListProfiles(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	profiles, total, err := h.svc.ListProfiles(page, perPage)
+	profiles, total, err := h.svc.ListProfiles(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list profiles", requestID)
 		return
@@ -85,7 +86,7 @@ func (h ProfileHandler) GetProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	profile, err := h.svc.GetProfile(id)
+	profile, err := h.svc.GetProfile(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Profile not found", requestID)
 		return
@@ -120,7 +121,7 @@ func (h ProfileHandler) CreateProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	created, err := h.svc.CreateProfile(profile)
+	created, err := h.svc.CreateProfile(r.Context(), profile)
 	if err != nil {
 		// Check if it's a validation error from the service
 		if strings.Contains(err.Error(), "invalid") || strings.Contains(err.Error(), "required") ||
@@ -159,7 +160,7 @@ func (h ProfileHandler) UpdateProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	updated, err := h.svc.UpdateProfile(id, profile)
+	updated, err := h.svc.UpdateProfile(r.Context(), id, profile)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Profile not found", requestID)
@@ -193,7 +194,7 @@ func (h ProfileHandler) DeleteProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := h.svc.DeleteProfile(id); err != nil {
+	if err := h.svc.DeleteProfile(r.Context(), id); err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Profile not found", requestID)
 			return

internal/api/handler/response.go

@@ -1,14 +1,34 @@
 package handler
 
 import (
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"strings"
 	"time"
+
+	"github.com/shankar0123/certctl/internal/api/middleware"
 )
 
+// resolveActor extracts the authenticated named-key identity from the request
+// context for audit-trail attribution. Returns the named-key name when set by
+// the auth middleware, or "api" as a safe sentinel when the auth middleware
+// did not populate the context (e.g., AUTH_TYPE=none, or internal/system calls
+// that bypass auth).
+//
+// Post-M-002: this is the single source of truth for handler-layer actor
+// resolution. Handlers must NOT hardcode string literals like "api-key-user"
+// or "api" — always go through this helper so the named-key identity flows to
+// services and the audit trail.
+func resolveActor(ctx context.Context) string {
+	if user := middleware.GetUser(ctx); user != "" {
+		return user
+	}
+	return "api"
+}
+
 // PagedResponse represents a paginated API response.
 type PagedResponse struct {
 	Data    interface{} `json:"data"`

internal/api/handler/target_handler_test.go

@@ -2,6 +2,7 @@ package handler
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -9,56 +10,57 @@ import (
 	"time"
 
 	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/service"
 )
 
 // MockTargetService is a mock implementation of TargetService interface.
 type MockTargetService struct {
-	ListTargetsFn        func(page, perPage int) ([]domain.DeploymentTarget, int64, error)
-	GetTargetFn          func(id string) (*domain.DeploymentTarget, error)
-	CreateTargetFn       func(target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
-	UpdateTargetFn       func(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
-	DeleteTargetFn       func(id string) error
-	TestTargetConnectionFn func(id string) error
+	ListTargetsFn    func(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error)
+	GetTargetFn      func(ctx context.Context, id string) (*domain.DeploymentTarget, error)
+	CreateTargetFn   func(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
+	UpdateTargetFn   func(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
+	DeleteTargetFn   func(ctx context.Context, id string) error
+	TestConnectionFn func(ctx context.Context, id string) error
 }
 
-func (m *MockTargetService) ListTargets(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+func (m *MockTargetService) ListTargets(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 	if m.ListTargetsFn != nil {
-		return m.ListTargetsFn(page, perPage)
+		return m.ListTargetsFn(ctx, page, perPage)
 	}
 	return nil, 0, nil
 }
 
-func (m *MockTargetService) GetTarget(id string) (*domain.DeploymentTarget, error) {
+func (m *MockTargetService) GetTarget(ctx context.Context, id string) (*domain.DeploymentTarget, error) {
 	if m.GetTargetFn != nil {
-		return m.GetTargetFn(id)
+		return m.GetTargetFn(ctx, id)
 	}
 	return nil, nil
 }
 
-func (m *MockTargetService) CreateTarget(target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+func (m *MockTargetService) CreateTarget(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 	if m.CreateTargetFn != nil {
-		return m.CreateTargetFn(target)
+		return m.CreateTargetFn(ctx, target)
 	}
 	return nil, nil
 }
 
-func (m *MockTargetService) UpdateTarget(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+func (m *MockTargetService) UpdateTarget(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 	if m.UpdateTargetFn != nil {
-		return m.UpdateTargetFn(id, target)
+		return m.UpdateTargetFn(ctx, id, target)
 	}
 	return nil, nil
 }
 
-func (m *MockTargetService) DeleteTarget(id string) error {
+func (m *MockTargetService) DeleteTarget(ctx context.Context, id string) error {
 	if m.DeleteTargetFn != nil {
-		return m.DeleteTargetFn(id)
+		return m.DeleteTargetFn(ctx, id)
 	}
 	return nil
 }
 
-func (m *MockTargetService) TestTargetConnection(id string) error {
-	if m.TestTargetConnectionFn != nil {
-		return m.TestTargetConnectionFn(id)
+func (m *MockTargetService) TestConnection(ctx context.Context, id string) error {
+	if m.TestConnectionFn != nil {
+		return m.TestConnectionFn(ctx, id)
 	}
 	return nil
 }
@@ -85,7 +87,7 @@ func TestListTargets_Success(t *testing.T) {
 	}
 
 	mock := &MockTargetService{
-		ListTargetsFn: func(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+		ListTargetsFn: func(_ context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 			return []domain.DeploymentTarget{t1, t2}, 2, nil
 		},
 	}
@@ -113,7 +115,7 @@ func TestListTargets_Success(t *testing.T) {
 func TestListTargets_Pagination(t *testing.T) {
 	var capturedPage, capturedPerPage int
 	mock := &MockTargetService{
-		ListTargetsFn: func(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+		ListTargetsFn: func(_ context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 			capturedPage = page
 			capturedPerPage = perPage
 			return []domain.DeploymentTarget{}, 0, nil
@@ -137,7 +139,7 @@ func TestListTargets_Pagination(t *testing.T) {
 
 func TestListTargets_ServiceError(t *testing.T) {
 	mock := &MockTargetService{
-		ListTargetsFn: func(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+		ListTargetsFn: func(_ context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 			return nil, 0, ErrMockServiceFailed
 		},
 	}
@@ -169,7 +171,7 @@ func TestListTargets_MethodNotAllowed(t *testing.T) {
 func TestGetTarget_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockTargetService{
-		GetTargetFn: func(id string) (*domain.DeploymentTarget, error) {
+		GetTargetFn: func(_ context.Context, id string) (*domain.DeploymentTarget, error) {
 			return &domain.DeploymentTarget{
 				ID:        id,
 				Name:      "NGINX Proxy",
@@ -196,7 +198,7 @@ func TestGetTarget_Success(t *testing.T) {
 
 func TestGetTarget_NotFound(t *testing.T) {
 	mock := &MockTargetService{
-		GetTargetFn: func(id string) (*domain.DeploymentTarget, error) {
+		GetTargetFn: func(_ context.Context, id string) (*domain.DeploymentTarget, error) {
 			return nil, ErrMockNotFound
 		},
 	}
@@ -229,7 +231,7 @@ func TestGetTarget_EmptyID(t *testing.T) {
 func TestCreateTarget_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockTargetService{
-		CreateTargetFn: func(target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+		CreateTargetFn: func(_ context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 			target.ID = "t-new"
 			target.CreatedAt = now
 			target.UpdatedAt = now
@@ -238,8 +240,9 @@ func TestCreateTarget_Success(t *testing.T) {
 	}
 
 	body := map[string]interface{}{
-		"name": "New Target",
-		"type": "nginx",
+		"name":     "New Target",
+		"type":     "nginx",
+		"agent_id": "agent-001",
 	}
 	bodyBytes, _ := json.Marshal(body)
 
@@ -257,7 +260,8 @@ func TestCreateTarget_Success(t *testing.T) {
 
 func TestCreateTarget_MissingName(t *testing.T) {
 	body := map[string]interface{}{
-		"type": "nginx",
+		"type":     "nginx",
+		"agent_id": "agent-001",
 	}
 	bodyBytes, _ := json.Marshal(body)
 
@@ -275,7 +279,8 @@ func TestCreateTarget_MissingName(t *testing.T) {
 
 func TestCreateTarget_MissingType(t *testing.T) {
 	body := map[string]interface{}{
-		"name": "New Target",
+		"name":     "New Target",
+		"agent_id": "agent-001",
 	}
 	bodyBytes, _ := json.Marshal(body)
 
@@ -310,8 +315,9 @@ func TestCreateTarget_NameTooLong(t *testing.T) {
 		longName += "x"
 	}
 	body := map[string]interface{}{
-		"name": longName,
-		"type": "nginx",
+		"name":     longName,
+		"type":     "nginx",
+		"agent_id": "agent-001",
 	}
 	bodyBytes, _ := json.Marshal(body)
 
@@ -339,10 +345,69 @@ func TestCreateTarget_MethodNotAllowed(t *testing.T) {
 	}
 }
 
+// TestCreateTarget_MissingAgentID_Returns400 pins the C-002 handler contract:
+// handler MUST reject a create payload that omits agent_id with HTTP 400
+// before the service is invoked. Using a mock that would return 201-worthy
+// success proves the guard fires.
+func TestCreateTarget_MissingAgentID_Returns400(t *testing.T) {
+	body := map[string]interface{}{
+		"name": "New Target",
+		"type": "nginx",
+		// agent_id intentionally omitted
+	}
+	bodyBytes, _ := json.Marshal(body)
+
+	mock := &MockTargetService{
+		CreateTargetFn: func(_ context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+			// Would succeed if handler guard did not fire.
+			target.ID = "t-would-be-created"
+			return &target, nil
+		},
+	}
+	handler := NewTargetHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/targets", bytes.NewReader(bodyBytes))
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.CreateTarget(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d — body=%s", w.Code, w.Body.String())
+	}
+}
+
+// TestCreateTarget_NonexistentAgent_Returns400 pins the C-002 handler↔service
+// translation: when the service returns service.ErrAgentNotFound, the handler
+// MUST map it to HTTP 400, not the generic 500 used for other service errors.
+func TestCreateTarget_NonexistentAgent_Returns400(t *testing.T) {
+	mock := &MockTargetService{
+		CreateTargetFn: func(_ context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+			return nil, service.ErrAgentNotFound
+		},
+	}
+	body := map[string]interface{}{
+		"name":     "New Target",
+		"type":     "nginx",
+		"agent_id": "agent-does-not-exist",
+	}
+	bodyBytes, _ := json.Marshal(body)
+
+	handler := NewTargetHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/targets", bytes.NewReader(bodyBytes))
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.CreateTarget(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400 for nonexistent agent, got %d — body=%s", w.Code, w.Body.String())
+	}
+}
+
 func TestUpdateTarget_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockTargetService{
-		UpdateTargetFn: func(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+		UpdateTargetFn: func(_ context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 			return &domain.DeploymentTarget{
 				ID:        id,
 				Name:      target.Name,
@@ -375,7 +440,7 @@ func TestUpdateTarget_Success(t *testing.T) {
 func TestDeleteTarget_Success(t *testing.T) {
 	var deletedID string
 	mock := &MockTargetService{
-		DeleteTargetFn: func(id string) error {
+		DeleteTargetFn: func(_ context.Context, id string) error {
 			deletedID = id
 			return nil
 		},
@@ -398,7 +463,7 @@ func TestDeleteTarget_Success(t *testing.T) {
 
 func TestDeleteTarget_ServiceError(t *testing.T) {
 	mock := &MockTargetService{
-		DeleteTargetFn: func(id string) error {
+		DeleteTargetFn: func(_ context.Context, id string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -430,7 +495,7 @@ func TestDeleteTarget_EmptyID(t *testing.T) {
 
 func TestTestTargetConnection_Success(t *testing.T) {
 	mock := &MockTargetService{
-		TestTargetConnectionFn: func(id string) error {
+		TestConnectionFn: func(_ context.Context, id string) error {
 			return nil
 		},
 	}
@@ -457,7 +522,7 @@ func TestTestTargetConnection_Success(t *testing.T) {
 
 func TestTestTargetConnection_Failed(t *testing.T) {
 	mock := &MockTargetService{
-		TestTargetConnectionFn: func(id string) error {
+		TestConnectionFn: func(_ context.Context, id string) error {
 			return ErrMockServiceFailed
 		},
 	}

internal/api/handler/targets.go

@@ -1,23 +1,26 @@
 package handler
 
 import (
+	"context"
 	"encoding/json"
+	"errors"
 	"net/http"
 	"strconv"
 	"strings"
 
 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/service"
 )
 
 // TargetService defines the service interface for deployment target operations.
 type TargetService interface {
-	ListTargets(page, perPage int) ([]domain.DeploymentTarget, int64, error)
-	GetTarget(id string) (*domain.DeploymentTarget, error)
-	CreateTarget(target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
-	UpdateTarget(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
-	DeleteTarget(id string) error
-	TestTargetConnection(id string) error
+	ListTargets(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error)
+	GetTarget(ctx context.Context, id string) (*domain.DeploymentTarget, error)
+	CreateTarget(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
+	UpdateTarget(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
+	DeleteTarget(ctx context.Context, id string) error
+	TestConnection(ctx context.Context, id string) error
 }
 
 // TargetHandler handles HTTP requests for deployment target operations.
@@ -54,7 +57,7 @@ func (h TargetHandler) ListTargets(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	targets, total, err := h.svc.ListTargets(page, perPage)
+	targets, total, err := h.svc.ListTargets(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list targets", requestID)
 		return
@@ -86,7 +89,7 @@ func (h TargetHandler) GetTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	target, err := h.svc.GetTarget(id)
+	target, err := h.svc.GetTarget(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Target not found", requestID)
 		return
@@ -124,9 +127,23 @@ func (h TargetHandler) CreateTarget(w http.ResponseWriter, r *http.Request) {
 		ErrorWithRequestID(w, http.StatusBadRequest, "type is required", requestID)
 		return
 	}
+	// C-002: agent_id is a NOT NULL FK in deployment_targets (migration 000001
+	// line 104). Reject empty values at the boundary so callers get a clean 400
+	// with the field name rather than a generic "Failed to create target" 500.
+	if err := ValidateRequired("agent_id", target.AgentID); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
+		return
+	}
 
-	created, err := h.svc.CreateTarget(target)
+	created, err := h.svc.CreateTarget(r.Context(), target)
 	if err != nil {
+		// C-002: a nonexistent agent_id is a client error, not a server error.
+		// The service returns ErrAgentNotFound (wrapped via fmt.Errorf %w) when
+		// agentRepo.Get fails; we translate that to 400 via errors.Is.
+		if errors.Is(err, service.ErrAgentNotFound) {
+			ErrorWithRequestID(w, http.StatusBadRequest, err.Error(), requestID)
+			return
+		}
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create target", requestID)
 		return
 	}
@@ -158,7 +175,7 @@ func (h TargetHandler) UpdateTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	updated, err := h.svc.UpdateTarget(id, target)
+	updated, err := h.svc.UpdateTarget(r.Context(), id, target)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update target", requestID)
 		return
@@ -183,7 +200,7 @@ func (h TargetHandler) DeleteTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := h.svc.DeleteTarget(id); err != nil {
+	if err := h.svc.DeleteTarget(r.Context(), id); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to delete target", requestID)
 		return
 	}
@@ -210,7 +227,7 @@ func (h TargetHandler) TestTargetConnection(w http.ResponseWriter, r *http.Reque
 	}
 	id := parts[0]
 
-	if err := h.svc.TestTargetConnection(id); err != nil {
+	if err := h.svc.TestConnection(r.Context(), id); err != nil {
 		JSON(w, http.StatusOK, map[string]interface{}{
 			"status":  "failed",
 			"message": err.Error(),

internal/api/handler/team_handler_test.go

@@ -2,6 +2,7 @@ package handler
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -20,35 +21,35 @@ type MockTeamService struct {
 	DeleteTeamFn func(id string) error
 }
 
-func (m *MockTeamService) ListTeams(page, perPage int) ([]domain.Team, int64, error) {
+func (m *MockTeamService) ListTeams(_ context.Context, page, perPage int) ([]domain.Team, int64, error) {
 	if m.ListTeamsFn != nil {
 		return m.ListTeamsFn(page, perPage)
 	}
 	return nil, 0, nil
 }
 
-func (m *MockTeamService) GetTeam(id string) (*domain.Team, error) {
+func (m *MockTeamService) GetTeam(_ context.Context, id string) (*domain.Team, error) {
 	if m.GetTeamFn != nil {
 		return m.GetTeamFn(id)
 	}
 	return nil, nil
 }
 
-func (m *MockTeamService) CreateTeam(team domain.Team) (*domain.Team, error) {
+func (m *MockTeamService) CreateTeam(_ context.Context, team domain.Team) (*domain.Team, error) {
 	if m.CreateTeamFn != nil {
 		return m.CreateTeamFn(team)
 	}
 	return nil, nil
 }
 
-func (m *MockTeamService) UpdateTeam(id string, team domain.Team) (*domain.Team, error) {
+func (m *MockTeamService) UpdateTeam(_ context.Context, id string, team domain.Team) (*domain.Team, error) {
 	if m.UpdateTeamFn != nil {
 		return m.UpdateTeamFn(id, team)
 	}
 	return nil, nil
 }
 
-func (m *MockTeamService) DeleteTeam(id string) error {
+func (m *MockTeamService) DeleteTeam(_ context.Context, id string) error {
 	if m.DeleteTeamFn != nil {
 		return m.DeleteTeamFn(id)
 	}

internal/api/handler/teams.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,11 +13,11 @@ import (
 
 // TeamService defines the service interface for team operations.
 type TeamService interface {
-	ListTeams(page, perPage int) ([]domain.Team, int64, error)
-	GetTeam(id string) (*domain.Team, error)
-	CreateTeam(team domain.Team) (*domain.Team, error)
-	UpdateTeam(id string, team domain.Team) (*domain.Team, error)
-	DeleteTeam(id string) error
+	ListTeams(ctx context.Context, page, perPage int) ([]domain.Team, int64, error)
+	GetTeam(ctx context.Context, id string) (*domain.Team, error)
+	CreateTeam(ctx context.Context, team domain.Team) (*domain.Team, error)
+	UpdateTeam(ctx context.Context, id string, team domain.Team) (*domain.Team, error)
+	DeleteTeam(ctx context.Context, id string) error
 }
 
 // TeamHandler handles HTTP requests for team operations.
@@ -53,7 +54,7 @@ func (h TeamHandler) ListTeams(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	teams, total, err := h.svc.ListTeams(page, perPage)
+	teams, total, err := h.svc.ListTeams(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list teams", requestID)
 		return
@@ -87,7 +88,7 @@ func (h TeamHandler) GetTeam(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
 
-	team, err := h.svc.GetTeam(id)
+	team, err := h.svc.GetTeam(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Team not found", requestID)
 		return
@@ -122,7 +123,7 @@ func (h TeamHandler) CreateTeam(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	created, err := h.svc.CreateTeam(team)
+	created, err := h.svc.CreateTeam(r.Context(), team)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create team", requestID)
 		return
@@ -155,7 +156,7 @@ func (h TeamHandler) UpdateTeam(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	updated, err := h.svc.UpdateTeam(id, team)
+	updated, err := h.svc.UpdateTeam(r.Context(), id, team)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update team", requestID)
 		return
@@ -182,7 +183,7 @@ func (h TeamHandler) DeleteTeam(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]
 
-	if err := h.svc.DeleteTeam(id); err != nil {
+	if err := h.svc.DeleteTeam(r.Context(), id); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to delete team", requestID)
 		return
 	}

internal/api/handler/validation.go

@@ -71,10 +71,11 @@ func ValidatePolicyType(policyType interface{}) error {
 		"RequiredMetadata":    true,
 		"AllowedEnvironments": true,
 		"RenewalLeadTime":     true,
+		"CertificateLifetime": true,
 	}
 	typeStr := fmt.Sprintf("%v", policyType)
 	if !validTypes[typeStr] {
-		return ValidationError{Field: "type", Message: "type must be one of: AllowedIssuers, AllowedDomains, RequiredMetadata, AllowedEnvironments, RenewalLeadTime"}
+		return ValidationError{Field: "type", Message: "type must be one of: AllowedIssuers, AllowedDomains, RequiredMetadata, AllowedEnvironments, RenewalLeadTime, CertificateLifetime"}
 	}
 	return nil
 }

internal/api/middleware/audit.go

@@ -4,16 +4,22 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"io"
 	"log/slog"
 	"net/http"
 	"strings"
+	"sync"
 	"time"
 )
 
 // AuditRecorder is the interface that the audit middleware uses to record API calls.
 // This avoids importing the service package directly, maintaining dependency inversion.
+//
+// Implementations may perform I/O (e.g., database writes). The middleware invokes
+// RecordAPICall from a tracked goroutine so that callers can drain in-flight
+// recordings during graceful shutdown via AuditMiddleware.Flush.
 type AuditRecorder interface {
 	RecordAPICall(ctx context.Context, method, path, actor string, bodyHash string, status int, latencyMs int64) error
 }
@@ -26,10 +32,42 @@ type AuditConfig struct {
 	Logger *slog.Logger
 }
 
-// NewAuditLog creates a middleware that records every API call to the audit trail.
-// It captures method, path, authenticated actor, request body hash, response status, and latency.
-// Audit recording is best-effort — failures are logged but don't affect the HTTP response.
-func NewAuditLog(recorder AuditRecorder, cfg AuditConfig) func(http.Handler) http.Handler {
+// ErrAuditFlushTimeout is returned by AuditMiddleware.Flush when in-flight audit
+// recordings do not complete before the provided context is cancelled or its
+// deadline elapses. It mirrors scheduler.ErrSchedulerShutdownTimeout so callers
+// can branch on graceful-shutdown timeouts consistently across subsystems.
+var ErrAuditFlushTimeout = errors.New("audit middleware flush timeout")
+
+// AuditMiddleware is the handle returned by NewAuditLog. It wraps the audit
+// logging HTTP middleware and tracks the goroutines spawned to record each API
+// call, so that callers can drain them during graceful shutdown (M-1, CWE-662
+// / CWE-400). The goroutines themselves still run detached from the request
+// context — the shutdown-drain signal flows through this struct's WaitGroup
+// instead of the per-request context.
+type AuditMiddleware struct {
+	recorder   AuditRecorder
+	logger     *slog.Logger
+	excludeSet map[string]bool
+
+	// wg tracks every audit-recording goroutine spawned by Middleware so Flush
+	// can block until they complete before the DB pool is torn down.
+	wg sync.WaitGroup
+}
+
+// NewAuditLog constructs the API audit logging middleware. The returned
+// *AuditMiddleware exposes the HTTP middleware via the Middleware method value
+// (same func(http.Handler) http.Handler shape) and a Flush method that the
+// process shutdown path must call after the HTTP server has stopped accepting
+// new requests but before the audit recorder's backing store (e.g., the
+// database connection pool) is closed.
+//
+// The middleware records method, path, authenticated actor, request body hash,
+// response status, and latency. Recording is best-effort — individual failures
+// are logged and do not affect the HTTP response. Shutdown is NOT best-effort:
+// Flush must succeed (or time out, returning ErrAuditFlushTimeout) so that
+// in-flight events are not lost when the audit recorder's connection pool is
+// closed out from under the goroutines.
+func NewAuditLog(recorder AuditRecorder, cfg AuditConfig) *AuditMiddleware {
 	excludeSet := make(map[string]bool, len(cfg.ExcludePaths))
 	for _, p := range cfg.ExcludePaths {
 		excludeSet[p] = true
@@ -40,68 +78,131 @@ func NewAuditLog(recorder AuditRecorder, cfg AuditConfig) func(http.Handler) htt
 		logger = slog.Default()
 	}
 
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// Skip excluded paths (health, readiness probes)
-			for prefix := range excludeSet {
-				if strings.HasPrefix(r.URL.Path, prefix) {
-					next.ServeHTTP(w, r)
-					return
-				}
+	return &AuditMiddleware{
+		recorder:   recorder,
+		logger:     logger,
+		excludeSet: excludeSet,
+	}
+}
+
+// Middleware is the http.Handler wrapper. It has the standard
+// func(http.Handler) http.Handler middleware signature so it can be composed
+// into an existing middleware chain via a method value (auditMiddleware.Middleware).
+func (a *AuditMiddleware) Middleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Skip excluded paths (health, readiness probes)
+		for prefix := range a.excludeSet {
+			if strings.HasPrefix(r.URL.Path, prefix) {
+				next.ServeHTTP(w, r)
+				return
 			}
+		}
 
-			start := time.Now()
+		start := time.Now()
 
-			// Hash request body for audit (don't store raw bodies — security + size concerns)
-			bodyHash := ""
-			if r.Body != nil && r.Body != http.NoBody {
-				hasher := sha256.New()
-				body, err := io.ReadAll(r.Body)
-				if err == nil && len(body) > 0 {
-					hasher.Write(body)
-					bodyHash = hex.EncodeToString(hasher.Sum(nil))[:16] // truncated hash
-					// Restore the body for downstream handlers
-					r.Body = io.NopCloser(strings.NewReader(string(body)))
-				}
+		// Hash request body for audit (don't store raw bodies — security + size concerns)
+		bodyHash := ""
+		if r.Body != nil && r.Body != http.NoBody {
+			hasher := sha256.New()
+			body, err := io.ReadAll(r.Body)
+			if err == nil && len(body) > 0 {
+				hasher.Write(body)
+				bodyHash = hex.EncodeToString(hasher.Sum(nil))[:16] // truncated hash
+				// Restore the body for downstream handlers
+				r.Body = io.NopCloser(strings.NewReader(string(body)))
 			}
+		}
 
-			// Extract actor from auth context
-			actor := "anonymous"
-			if user, ok := GetUser(r.Context()); ok && user != "" {
-				actor = user
+		// Extract actor from auth context
+		actor := "anonymous"
+		if user := GetUser(r.Context()); user != "" {
+			actor = user
+		}
+
+		// Wrap response writer to capture status code
+		wrapped := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
+
+		next.ServeHTTP(wrapped, r)
+
+		latency := time.Since(start).Milliseconds()
+
+		// Snapshot request-derived inputs so the goroutine does not race with
+		// the http.Server reusing r after this handler returns.
+		method := r.Method
+		path := r.URL.Path
+		status := wrapped.statusCode
+
+		// Derive a detached context that preserves request-scoped values
+		// (trace IDs, auth info carried via context keys) but is not cancelled
+		// when the HTTP server finalizes the request. Using r.Context()
+		// directly would cause the async audit write to observe ctx.Done()
+		// as soon as the response completes; using context.Background() would
+		// discard useful observability metadata. WithoutCancel gives us both
+		// (M-2 / D-3).
+		auditCtx := context.WithoutCancel(r.Context())
+
+		// Record audit event asynchronously (best-effort, don't block response).
+		// SECURITY: We intentionally use r.URL.Path (not r.URL.String() or r.RequestURI)
+		// to prevent query parameters from being recorded in the immutable audit trail.
+		// Query strings may contain cursor tokens, API keys passed as params, or other
+		// sensitive filter values. Since the audit trail is append-only with no deletion
+		// capability, any sensitive data recorded would persist permanently.
+		//
+		// The goroutine is tracked in a.wg so AuditMiddleware.Flush can drain
+		// in-flight recordings during graceful shutdown. Without this (M-1,
+		// CWE-662 / CWE-400), SIGTERM would close the DB pool while recordings
+		// were still mid-flight, silently dropping audit events.
+		a.wg.Add(1)
+		go func() {
+			defer a.wg.Done()
+			if err := a.recorder.RecordAPICall(
+				auditCtx,
+				method,
+				path,
+				actor,
+				bodyHash,
+				status,
+				latency,
+			); err != nil {
+				a.logger.Error("failed to record API audit event",
+					"error", err,
+					"method", method,
+					"path", path,
+				)
 			}
+		}()
+	})
+}
 
-			// Wrap response writer to capture status code
-			wrapped := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
+// Flush blocks until every audit-recording goroutine spawned by Middleware has
+// completed, or until ctx is cancelled / its deadline elapses. It must be
+// called from the process shutdown path after http.Server.Shutdown has
+// returned (so no new requests are being accepted) but before the backing
+// audit recorder's resources (DB pool, etc.) are torn down.
+//
+// On timeout or cancellation Flush returns ErrAuditFlushTimeout wrapped with
+// any context error; in-flight goroutines continue to run and may still write
+// to the recorder once they unblock — the caller is responsible for deciding
+// whether to proceed with teardown anyway or surface the error.
+//
+// Flush mirrors the idiom used by scheduler.Scheduler.WaitForCompletion so
+// that the two subsystems drain identically at shutdown.
+func (a *AuditMiddleware) Flush(ctx context.Context) error {
+	done := make(chan struct{})
+	go func() {
+		a.wg.Wait()
+		close(done)
+	}()
 
-			next.ServeHTTP(wrapped, r)
-
-			latency := time.Since(start).Milliseconds()
-
-			// Record audit event asynchronously (best-effort, don't block response).
-			// SECURITY: We intentionally use r.URL.Path (not r.URL.String() or r.RequestURI)
-			// to prevent query parameters from being recorded in the immutable audit trail.
-			// Query strings may contain cursor tokens, API keys passed as params, or other
-			// sensitive filter values. Since the audit trail is append-only with no deletion
-			// capability, any sensitive data recorded would persist permanently.
-			go func() {
-				if err := recorder.RecordAPICall(
-					context.Background(),
-					r.Method,
-					r.URL.Path,
-					actor,
-					bodyHash,
-					wrapped.statusCode,
-					latency,
-				); err != nil {
-					logger.Error("failed to record API audit event",
-						"error", err,
-						"method", r.Method,
-						"path", r.URL.Path,
-					)
-				}
-			}()
-		})
+	select {
+	case <-done:
+		a.logger.Info("audit middleware flush complete")
+		return nil
+	case <-ctx.Done():
+		a.logger.Warn("audit middleware flush did not complete before context cancellation",
+			"error", ctx.Err(),
+		)
+		return fmt.Errorf("%w: %w", ErrAuditFlushTimeout, ctx.Err())
 	}
 }
 

internal/api/middleware/audit_test.go

@@ -2,6 +2,7 @@ package middleware
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -16,7 +17,8 @@ import (
 type mockAuditRecorder struct {
 	mu      sync.Mutex
 	calls   []auditCall
-	err     error // if non-nil, RecordAPICall returns this
+	err     error         // if non-nil, RecordAPICall returns this
+	block   chan struct{} // if non-nil, RecordAPICall blocks on receive before returning
 }
 
 type auditCall struct {
@@ -29,6 +31,13 @@ type auditCall struct {
 }
 
 func (m *mockAuditRecorder) RecordAPICall(ctx context.Context, method, path, actor, bodyHash string, status int, latencyMs int64) error {
+	// Optional: block the recorder until a signal is received so tests can
+	// exercise the shutdown-drain path deterministically. The block happens
+	// before any state mutation so Flush-timeout tests see the call
+	// "in-flight" (wg counter > 0) with no recorded entries yet.
+	if m.block != nil {
+		<-m.block
+	}
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.calls = append(m.calls, auditCall{
@@ -90,7 +99,7 @@ func (w *waitableAuditRecorder) Wait(timeout time.Duration) bool {
 
 func TestAuditLog_RecordsAPICall(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -130,7 +139,7 @@ func TestAuditLog_RecordsAPICall(t *testing.T) {
 
 func TestAuditLog_CapturesStatusCode(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusNotFound)
@@ -157,7 +166,7 @@ func TestAuditLog_ExcludesHealth(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
 	mw := NewAuditLog(recorder, AuditConfig{
 		ExcludePaths: []string{"/health", "/ready"},
-	})
+	}).Middleware
 
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -193,7 +202,7 @@ func TestAuditLog_ExcludesHealth(t *testing.T) {
 
 func TestAuditLog_HashesRequestBody(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 
 	// Handler verifies body was restored
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -228,7 +237,7 @@ func TestAuditLog_HashesRequestBody(t *testing.T) {
 
 func TestAuditLog_EmptyBodyNoHash(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -253,15 +262,16 @@ func TestAuditLog_EmptyBodyNoHash(t *testing.T) {
 
 func TestAuditLog_ExtractsAuthenticatedActor(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
 	req := httptest.NewRequest(http.MethodDelete, "/api/v1/certificates/mc-1", nil)
-	// Simulate auth middleware having set the user in context
-	ctx := context.WithValue(req.Context(), UserKey{}, "api-key-user")
+	// Simulate auth middleware having set the named-key identity in context
+	// (post-M-002: actor is the named-key name, not the old "api-key-user").
+	ctx := context.WithValue(req.Context(), UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 
 	rr := httptest.NewRecorder()
@@ -275,8 +285,8 @@ func TestAuditLog_ExtractsAuthenticatedActor(t *testing.T) {
 	if len(calls) != 1 {
 		t.Fatalf("expected 1 audit call, got %d", len(calls))
 	}
-	if calls[0].Actor != "api-key-user" {
-		t.Errorf("expected actor api-key-user, got %s", calls[0].Actor)
+	if calls[0].Actor != "ops-admin" {
+		t.Errorf("expected actor ops-admin, got %s", calls[0].Actor)
 	}
 	if calls[0].Method != "DELETE" {
 		t.Errorf("expected method DELETE, got %s", calls[0].Method)
@@ -285,7 +295,7 @@ func TestAuditLog_ExtractsAuthenticatedActor(t *testing.T) {
 
 func TestAuditLog_RecorderErrorDoesNotBreakResponse(t *testing.T) {
 	recorder := &mockAuditRecorder{err: fmt.Errorf("db connection lost")}
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -304,7 +314,7 @@ func TestAuditLog_RecorderErrorDoesNotBreakResponse(t *testing.T) {
 
 func TestAuditLog_CapturesLatency(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		time.Sleep(10 * time.Millisecond)
@@ -330,7 +340,7 @@ func TestAuditLog_CapturesLatency(t *testing.T) {
 
 func TestAuditLog_ExcludesQueryParamsFromPath(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware
 
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -429,3 +439,112 @@ func TestAuditServiceAdapter_PropagatesError(t *testing.T) {
 		t.Errorf("expected database error, got %v", err)
 	}
 }
+
+// TestAuditLog_FlushDrainsInFlightGoroutines verifies the M-1 shutdown-drain
+// contract: Flush blocks until every audit-recording goroutine spawned by the
+// middleware completes, then returns nil. Without the drain (pre-M-1 code),
+// the DB pool would be closed while in-flight goroutines were still calling
+// RecordAPICall, silently dropping audit events (CWE-662 / CWE-400).
+func TestAuditLog_FlushDrainsInFlightGoroutines(t *testing.T) {
+	// Recorder blocks on `unblock` until the test releases it. This simulates
+	// a slow DB write still in flight when shutdown begins.
+	unblock := make(chan struct{})
+	recorder := &mockAuditRecorder{block: unblock}
+	auditMW := NewAuditLog(recorder, AuditConfig{})
+
+	handler := auditMW.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Fire a request. Handler returns immediately; recorder goroutine is
+	// parked on the `unblock` channel inside RecordAPICall.
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	// Start Flush in a goroutine — it must block on the WaitGroup until we
+	// release the recorder.
+	flushDone := make(chan error, 1)
+	go func() {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		flushDone <- auditMW.Flush(ctx)
+	}()
+
+	// Confirm Flush is actually blocked (not returning immediately).
+	select {
+	case err := <-flushDone:
+		t.Fatalf("Flush returned before recorder unblocked: err=%v", err)
+	case <-time.After(50 * time.Millisecond):
+		// expected: Flush is blocked on wg.Wait
+	}
+
+	// Release the recorder. Flush should now observe wg counter drop to 0
+	// and return nil.
+	close(unblock)
+
+	select {
+	case err := <-flushDone:
+		if err != nil {
+			t.Fatalf("expected nil from Flush after drain, got %v", err)
+		}
+	case <-time.After(2 * time.Second):
+		t.Fatal("Flush did not return after recorder unblocked")
+	}
+
+	// Verify the audit event was actually recorded (i.e., the goroutine
+	// completed its write — not just that Flush unblocked).
+	calls := recorder.getCalls()
+	if len(calls) != 1 {
+		t.Fatalf("expected 1 recorded audit call, got %d", len(calls))
+	}
+	if calls[0].Path != "/api/v1/certificates" {
+		t.Errorf("expected path /api/v1/certificates, got %s", calls[0].Path)
+	}
+}
+
+// TestAuditLog_FlushTimeoutReturnsErrAuditFlushTimeout verifies that Flush
+// respects its context: when in-flight goroutines exceed the shutdown budget,
+// Flush returns an error wrapping ErrAuditFlushTimeout plus ctx.Err(). The
+// caller can then decide whether to proceed with teardown anyway.
+func TestAuditLog_FlushTimeoutReturnsErrAuditFlushTimeout(t *testing.T) {
+	// Recorder will never unblock on its own — we unblock at end of test for
+	// a clean race-safe teardown.
+	unblock := make(chan struct{})
+	recorder := &mockAuditRecorder{block: unblock}
+	auditMW := NewAuditLog(recorder, AuditConfig{})
+
+	handler := auditMW.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates", nil)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	// Flush with a tiny deadline — must time out.
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Millisecond)
+	defer cancel()
+	err := auditMW.Flush(ctx)
+
+	if err == nil {
+		// Release the blocked goroutine before failing so the race detector
+		// doesn't trip on teardown.
+		close(unblock)
+		t.Fatal("expected Flush to return an error on timeout, got nil")
+	}
+	if !errors.Is(err, ErrAuditFlushTimeout) {
+		close(unblock)
+		t.Fatalf("expected error to wrap ErrAuditFlushTimeout, got %v", err)
+	}
+	if !errors.Is(err, context.DeadlineExceeded) {
+		close(unblock)
+		t.Fatalf("expected error to wrap context.DeadlineExceeded, got %v", err)
+	}
+
+	// Race-safe teardown: unblock the recorder goroutine so it exits cleanly
+	// before the test returns. The goroutine itself is still detached and
+	// will record to the mock even after Flush timed out — that's the
+	// documented behavior (Flush surfaces the timeout; caller decides).
+	close(unblock)
+}

internal/api/middleware/middleware.go

@@ -5,6 +5,7 @@ import (
 	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/hex"
+	"fmt"
 	"log"
 	"log/slog"
 	"net/http"
@@ -21,6 +22,16 @@ type RequestIDKey struct{}
 // UserKey is the context key for storing authenticated user information.
 type UserKey struct{}
 
+// AdminKey is the context key for storing admin flag information.
+type AdminKey struct{}
+
+// NamedAPIKey represents a named API key with optional admin flag.
+type NamedAPIKey struct {
+	Name  string
+	Key   string
+	Admin bool
+}
+
 // RequestID middleware generates a unique request ID and adds it to the request context and response headers.
 func RequestID(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -78,10 +89,17 @@ func NewLogging(logger *slog.Logger) func(http.Handler) http.Handler {
 // Recovery middleware recovers from panics and returns a 500 error.
 func Recovery(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
 		defer func() {
 			if err := recover(); err != nil {
-				requestID := getRequestID(r.Context())
-				log.Printf("[%s] PANIC: %v", requestID, err)
+				requestID := getRequestID(ctx)
+				// Use slog.ErrorContext so the panic log carries the same
+				// request-scoped trace/auth metadata as normal request logs
+				// (M-2 / D-3 — preserve ctx propagation on the panic path).
+				slog.ErrorContext(ctx, "panic recovered in HTTP handler",
+					"request_id", requestID,
+					"panic", fmt.Sprintf("%v", err),
+				)
 				http.Error(w, `{"error":"Internal Server Error"}`, http.StatusInternalServerError)
 			}
 		}()
@@ -104,35 +122,40 @@ type AuthConfig struct {
 	Secret string // The raw API key or comma-separated list of valid API keys
 }
 
-// NewAuth creates an authentication middleware based on config.
-// When Type is "none", all requests pass through (demo/development mode).
-// When Type is "api-key", requests must include a valid Bearer token.
-// The Secret field supports a comma-separated list of valid API keys for
-// zero-downtime key rotation. Rotation workflow:
-//  1. Add new key to comma-separated list, restart server
-//  2. Update all agents/clients to use new key
-//  3. Remove old key from list, restart server
-func NewAuth(cfg AuthConfig) func(http.Handler) http.Handler {
-	if cfg.Type == "none" {
+// NewAuthWithNamedKeys creates an authentication middleware that validates
+// Bearer tokens against a set of named API keys. Each key carries a name
+// (propagated as the actor via context) and an admin flag (consulted by
+// authorization gates such as bulk revocation).
+//
+// When namedKeys is empty the returned middleware is a no-op pass-through,
+// which is used in demo/development mode (CERTCTL_AUTH_TYPE=none). When one
+// or more keys are provided, requests must include a matching Bearer token
+// or they are rejected with 401.
+func NewAuthWithNamedKeys(namedKeys []NamedAPIKey) func(http.Handler) http.Handler {
+	if len(namedKeys) == 0 {
 		return func(next http.Handler) http.Handler {
 			return next
 		}
 	}
 
 	// Pre-compute hashes of all valid keys for constant-time comparison.
-	// Supports comma-separated list for zero-downtime key rotation.
-	keys := strings.Split(cfg.Secret, ",")
-	var expectedHashes []string
-	for _, k := range keys {
-		k = strings.TrimSpace(k)
-		if k != "" {
-			expectedHashes = append(expectedHashes, HashAPIKey(k))
-		}
+	type keyEntry struct {
+		hash  string
+		name  string
+		admin bool
+	}
+	var entries []keyEntry
+	for _, nk := range namedKeys {
+		entries = append(entries, keyEntry{
+			hash:  HashAPIKey(nk.Key),
+			name:  nk.Name,
+			admin: nk.Admin,
+		})
 	}
 
 	// Warn if only one key is configured in production mode
-	if len(expectedHashes) == 1 {
-		slog.Warn("only one API key configured — consider adding a rotation key via comma-separated CERTCTL_AUTH_SECRET for zero-downtime rotation")
+	if len(entries) == 1 {
+		slog.Warn("only one API key configured — consider adding a rotation key for zero-downtime rotation")
 	}
 
 	return func(next http.Handler) http.Handler {
@@ -156,27 +179,60 @@ func NewAuth(cfg AuthConfig) func(http.Handler) http.Handler {
 			tokenHash := HashAPIKey(token)
 
 			// Check against all valid keys using constant-time comparison
-			authorized := false
-			for _, expectedHash := range expectedHashes {
-				if subtle.ConstantTimeCompare([]byte(tokenHash), []byte(expectedHash)) == 1 {
-					authorized = true
+			var matched *keyEntry
+			for i := range entries {
+				if subtle.ConstantTimeCompare([]byte(tokenHash), []byte(entries[i].hash)) == 1 {
+					matched = &entries[i]
 					break
 				}
 			}
 
-			if !authorized {
+			if matched == nil {
 				w.Header().Set("Content-Type", "application/json; charset=utf-8")
 				http.Error(w, `{"error":"Invalid API key"}`, http.StatusUnauthorized)
 				return
 			}
 
-			// Store the authenticated identity in context
-			ctx := context.WithValue(r.Context(), UserKey{}, "api-key-user")
+			// Store the authenticated identity and admin flag in context
+			ctx := context.WithValue(r.Context(), UserKey{}, matched.name)
+			ctx = context.WithValue(ctx, AdminKey{}, matched.admin)
 			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }
 
+// NewAuth is a legacy shim that converts a comma-separated Secret list into
+// synthesized legacy-key-N named entries and delegates to NewAuthWithNamedKeys.
+// It preserves the pre-M-002 behavior for callers that still pass raw AuthConfig
+// (primarily cmd/server/main_test.go). The synthesized actor is "legacy-key-N"
+// rather than the old hardcoded "api-key-user" so audit events carry
+// meaningful identity even on the legacy path.
+//
+// Deprecated: Use NewAuthWithNamedKeys with explicit NamedAPIKey entries.
+func NewAuth(cfg AuthConfig) func(http.Handler) http.Handler {
+	if cfg.Type == "none" {
+		return func(next http.Handler) http.Handler {
+			return next
+		}
+	}
+
+	var namedKeys []NamedAPIKey
+	idx := 0
+	for _, k := range strings.Split(cfg.Secret, ",") {
+		k = strings.TrimSpace(k)
+		if k == "" {
+			continue
+		}
+		namedKeys = append(namedKeys, NamedAPIKey{
+			Name:  fmt.Sprintf("legacy-key-%d", idx),
+			Key:   k,
+			Admin: false,
+		})
+		idx++
+	}
+	return NewAuthWithNamedKeys(namedKeys)
+}
+
 // RateLimitConfig holds configuration for the rate limiter.
 type RateLimitConfig struct {
 	RPS       float64 // Requests per second
@@ -336,9 +392,20 @@ func getRequestID(ctx context.Context) string {
 }
 
 // GetUser extracts the authenticated user from context.
-func GetUser(ctx context.Context) (string, bool) {
+// Returns the name of the matched API key and whether it was found.
+func GetUser(ctx context.Context) string {
 	user, ok := ctx.Value(UserKey{}).(string)
-	return user, ok
+	if !ok {
+		return ""
+	}
+	return user
+}
+
+// IsAdmin extracts the admin flag from context.
+// Returns true if the authenticated user has admin privileges.
+func IsAdmin(ctx context.Context) bool {
+	admin, ok := ctx.Value(AdminKey{}).(bool)
+	return ok && admin
 }
 
 // responseWriter wraps http.ResponseWriter to capture the status code.

internal/api/router/router.go

@@ -65,7 +65,8 @@ type HandlerRegistry struct {
 	Verification  handler.VerificationHandler
 	Export        handler.ExportHandler
 	Digest        handler.DigestHandler
-	HealthChecks  *handler.HealthCheckHandler
+	HealthChecks     *handler.HealthCheckHandler
+	BulkRevocation   handler.BulkRevocationHandler
 }
 
 // RegisterHandlers sets up all API routes with their handlers.
@@ -91,6 +92,8 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) {
 	r.Register("GET /api/v1/auth/check", http.HandlerFunc(reg.Health.AuthCheck))
 
 	// Certificates routes: /api/v1/certificates
+	// Bulk revoke must be registered before {id} routes to avoid path conflict
+	r.Register("POST /api/v1/certificates/bulk-revoke", http.HandlerFunc(reg.BulkRevocation.BulkRevoke))
 	r.Register("GET /api/v1/certificates", http.HandlerFunc(reg.Certificates.ListCertificates))
 	r.Register("POST /api/v1/certificates", http.HandlerFunc(reg.Certificates.CreateCertificate))
 	r.Register("GET /api/v1/certificates/{id}", http.HandlerFunc(reg.Certificates.GetCertificate))
@@ -106,12 +109,10 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) {
 	r.Register("GET /api/v1/certificates/{id}/export/pem", http.HandlerFunc(reg.Export.ExportPEM))
 	r.Register("POST /api/v1/certificates/{id}/export/pkcs12", http.HandlerFunc(reg.Export.ExportPKCS12))
 
-	// CRL endpoints: /api/v1/crl (JSON) and /api/v1/crl/{issuer_id} (DER)
-	r.Register("GET /api/v1/crl", http.HandlerFunc(reg.Certificates.GetCRL))
-	r.Register("GET /api/v1/crl/{issuer_id}", http.HandlerFunc(reg.Certificates.GetDERCRL))
-
-	// OCSP responder: /api/v1/ocsp/{issuer_id}/{serial}
-	r.Register("GET /api/v1/ocsp/{issuer_id}/{serial}", http.HandlerFunc(reg.Certificates.HandleOCSP))
+	// NOTE: RFC 5280 CRL and RFC 6960 OCSP endpoints are registered separately
+	// via RegisterPKIHandlers under /.well-known/pki/ so relying parties can
+	// fetch them without presenting certctl API credentials. The legacy
+	// /api/v1/crl and /api/v1/ocsp paths have been retired (see M-006).
 
 	// Issuers routes: /api/v1/issuers
 	r.Register("GET /api/v1/issuers", http.HandlerFunc(reg.Issuers.ListIssuers))
@@ -259,6 +260,21 @@ func (r *Router) RegisterSCEPHandlers(scep handler.SCEPHandler) {
 	r.Register("POST /scep", http.HandlerFunc(scep.HandleSCEP))
 }
 
+// RegisterPKIHandlers sets up RFC 5280 CRL and RFC 6960 OCSP routes under
+// /.well-known/pki/. These endpoints are intentionally unauthenticated so
+// relying parties (browsers, OpenSSL, OCSP stapling sidecars, mTLS clients)
+// can fetch revocation data without presenting certctl API credentials.
+// The response bodies are DER-encoded and carry the IANA-registered content
+// types application/pkix-crl and application/ocsp-response.
+//
+// Precedent: EST (RFC 7030) and SCEP (RFC 8894) follow the same pattern —
+// standards-defined wire formats served via a dedicated router registration
+// that cmd/server wires into a no-auth middleware chain.
+func (r *Router) RegisterPKIHandlers(pki handler.CertificateHandler) {
+	r.Register("GET /.well-known/pki/crl/{issuer_id}", http.HandlerFunc(pki.GetDERCRL))
+	r.Register("GET /.well-known/pki/ocsp/{issuer_id}/{serial}", http.HandlerFunc(pki.HandleOCSP))
+}
+
 // GetMux returns the underlying http.ServeMux for direct access if needed.
 func (r *Router) GetMux() *http.ServeMux {
 	return r.mux

internal/api/router/router_test.go

@@ -138,10 +138,9 @@ func TestRegisterHandlers_RoutesDispatch(t *testing.T) {
 		// Export
 		{"GET", "/api/v1/certificates/mc-test/export/pem"},
 
-		// CRL & OCSP
-		{"GET", "/api/v1/crl"},
-		{"GET", "/api/v1/crl/iss-local"},
-		{"GET", "/api/v1/ocsp/iss-local/12345"},
+		// NOTE: CRL/OCSP moved out of /api/v1/* in M-006. They are now served
+		// unauthenticated at /.well-known/pki/* via RegisterPKIHandlers and
+		// are verified in TestRegisterPKIHandlers_AllPaths below.
 
 		// Issuers
 		{"GET", "/api/v1/issuers"},
@@ -336,6 +335,60 @@ func TestRegisterESTHandlers_AllPaths(t *testing.T) {
 	}
 }
 
+// TestRegisterPKIHandlers_AllPaths verifies that RegisterPKIHandlers registers
+// the two RFC-compliant unauthenticated endpoints relocated in M-006:
+//
+//   - GET /.well-known/pki/crl/{issuer_id}    (RFC 5280 §5 DER CRL)
+//   - GET /.well-known/pki/ocsp/{issuer_id}/{serial}  (RFC 6960 §2.1 OCSP)
+//
+// Registration and middleware gating are complementary: this test proves the
+// router matches the path; the unauthenticated contract is enforced separately
+// by cmd/server/main.go's finalHandler routing /.well-known/pki/* through the
+// noAuthHandler.
+func TestRegisterPKIHandlers_AllPaths(t *testing.T) {
+	r := New()
+
+	// Zero-value CertificateHandler will panic on real calls; the only thing
+	// this test is verifying is that the route dispatches (i.e. the URL
+	// pattern is registered), so catch the downstream panic.
+	recoverMW := func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			defer func() {
+				if rv := recover(); rv != nil {
+					w.WriteHeader(http.StatusOK)
+				}
+			}()
+			next.ServeHTTP(w, r)
+		})
+	}
+
+	r.RegisterPKIHandlers(handler.CertificateHandler{})
+	testHandler := recoverMW(r)
+
+	routes := []struct {
+		method string
+		path   string
+	}{
+		{"GET", "/.well-known/pki/crl/iss-local"},
+		{"GET", "/.well-known/pki/ocsp/iss-local/01ABCDEF"},
+	}
+
+	for _, tc := range routes {
+		t.Run(tc.method+" "+tc.path, func(t *testing.T) {
+			req := httptest.NewRequest(tc.method, tc.path, nil)
+			w := httptest.NewRecorder()
+			testHandler.ServeHTTP(w, req)
+
+			if w.Code == http.StatusNotFound {
+				t.Errorf("PKI route %s %s returned 404 — route not registered", tc.method, tc.path)
+			}
+			if w.Code == http.StatusMethodNotAllowed {
+				t.Errorf("PKI route %s %s returned 405", tc.method, tc.path)
+			}
+		})
+	}
+}
+
 // TestGetMux_ReturnsUnderlyingMux tests that GetMux returns the underlying mux.
 func TestGetMux_ReturnsUnderlyingMux(t *testing.T) {
 	r := New()

internal/cli/client.go

@@ -12,6 +12,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"strings"
 	"text/tabwriter"
 	"time"
 )
@@ -198,6 +199,65 @@ func (c *Client) RevokeCertificate(id, reason string) error {
 	return nil
 }
 
+// BulkRevokeCertificates revokes certificates matching filter criteria.
+func (c *Client) BulkRevokeCertificates(args []string) error {
+	fs := flag.NewFlagSet("certs bulk-revoke", flag.ContinueOnError)
+	reason := fs.String("reason", "unspecified", "RFC 5280 revocation reason")
+	profileID := fs.String("profile-id", "", "Revoke certs matching this profile")
+	ownerID := fs.String("owner-id", "", "Revoke certs owned by this owner")
+	agentID := fs.String("agent-id", "", "Revoke certs deployed via this agent")
+	issuerID := fs.String("issuer-id", "", "Revoke certs issued by this issuer")
+	teamID := fs.String("team-id", "", "Revoke certs owned by team members")
+	if err := fs.Parse(args); err != nil {
+		return err
+	}
+
+	body := map[string]interface{}{
+		"reason": *reason,
+	}
+	if *profileID != "" {
+		body["profile_id"] = *profileID
+	}
+	if *ownerID != "" {
+		body["owner_id"] = *ownerID
+	}
+	if *agentID != "" {
+		body["agent_id"] = *agentID
+	}
+	if *issuerID != "" {
+		body["issuer_id"] = *issuerID
+	}
+	if *teamID != "" {
+		body["team_id"] = *teamID
+	}
+
+	// Remaining positional args are certificate IDs
+	if fs.NArg() > 0 {
+		body["certificate_ids"] = fs.Args()
+	}
+
+	resp, err := c.do("POST", "/api/v1/certificates/bulk-revoke", nil, body)
+	if err != nil {
+		return err
+	}
+
+	var result map[string]interface{}
+	if err := json.Unmarshal(resp, &result); err != nil {
+		return fmt.Errorf("parsing response: %w", err)
+	}
+
+	if c.format == "json" {
+		return c.outputJSON(result)
+	}
+
+	fmt.Printf("Bulk revocation complete:\n")
+	fmt.Printf("  Matched: %v\n", result["total_matched"])
+	fmt.Printf("  Revoked: %v\n", result["total_revoked"])
+	fmt.Printf("  Skipped: %v\n", result["total_skipped"])
+	fmt.Printf("  Failed:  %v\n", result["total_failed"])
+	return nil
+}
+
 // ListAgents lists all agents.
 func (c *Client) ListAgents(args []string) error {
 	fs := flag.NewFlagSet("agents list", flag.ContinueOnError)
@@ -371,7 +431,54 @@ func (c *Client) GetStatus() error {
 }
 
 // ImportCertificates bulk imports certificates from PEM files.
-func (c *Client) ImportCertificates(files []string) error {
+//
+// C-001 scope-expansion closure: the create-certificate handler's
+// six-field required contract (name, common_name, renewal_policy_id,
+// issuer_id, owner_id, team_id) is enforced server-side via
+// ValidateRequired. The bulk importer must therefore be told which
+// owner / team / renewal-policy / issuer to assign to every imported
+// cert — otherwise every POST comes back 400. All four IDs are
+// required flags; missing flags error out with a user-legible message
+// before any files are read.
+func (c *Client) ImportCertificates(args []string) error {
+	fs := flag.NewFlagSet("import", flag.ContinueOnError)
+	ownerID := fs.String("owner-id", "", "Owner ID to assign to each imported certificate (required)")
+	teamID := fs.String("team-id", "", "Team ID to assign to each imported certificate (required)")
+	renewalPolicyID := fs.String("renewal-policy-id", "", "Renewal policy ID to assign to each imported certificate (required)")
+	issuerID := fs.String("issuer-id", "", "Issuer ID to assign to each imported certificate (required)")
+	nameTemplate := fs.String("name-template", "{cn}", "Template for the certificate name; {cn} is substituted with the cert's common name")
+	environment := fs.String("environment", "imported", "Environment tag for each imported certificate")
+	if err := fs.Parse(args); err != nil {
+		return err
+	}
+
+	// Validate required flags up front — a clear error here beats six
+	// parallel 400s from the server.
+	missing := []string{}
+	if *ownerID == "" {
+		missing = append(missing, "--owner-id")
+	}
+	if *teamID == "" {
+		missing = append(missing, "--team-id")
+	}
+	if *renewalPolicyID == "" {
+		missing = append(missing, "--renewal-policy-id")
+	}
+	if *issuerID == "" {
+		missing = append(missing, "--issuer-id")
+	}
+	if len(missing) > 0 {
+		return fmt.Errorf("missing required flag(s): %s", strings.Join(missing, ", "))
+	}
+	if *nameTemplate == "" {
+		return fmt.Errorf("--name-template must be non-empty")
+	}
+
+	files := fs.Args()
+	if len(files) == 0 {
+		return fmt.Errorf("at least one PEM file path is required")
+	}
+
 	var imported, failed int
 
 	for _, filePath := range files {
@@ -393,12 +500,18 @@ func (c *Client) ImportCertificates(files []string) error {
 			total := len(certs)
 			fmt.Printf("Importing %d/%d certificates from %s...\r", i+1, total, filepath.Base(filePath))
 
+			name := strings.ReplaceAll(*nameTemplate, "{cn}", cert.Subject.CommonName)
+
 			req := map[string]interface{}{
-				"common_name": cert.Subject.CommonName,
-				"sans":        cert.DNSNames,
-				"issuer_id":   "iss-local",
-				"environment": "imported",
-				"status":      "Active",
+				"name":              name,
+				"common_name":       cert.Subject.CommonName,
+				"sans":              cert.DNSNames,
+				"issuer_id":         *issuerID,
+				"owner_id":          *ownerID,
+				"team_id":           *teamID,
+				"renewal_policy_id": *renewalPolicyID,
+				"environment":       *environment,
+				"status":            "Active",
 			}
 
 			if cert.SerialNumber != nil {

internal/cli/client_test.go

@@ -10,6 +10,8 @@ import (
 	"math/big"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"path/filepath"
 	"testing"
 	"time"
 )
@@ -112,6 +114,43 @@ func TestClient_RevokeCertificate(t *testing.T) {
 	}
 }
 
+func TestClient_BulkRevokeCertificates(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "POST" || r.URL.Path != "/api/v1/certificates/bulk-revoke" {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+
+		// Verify request body contains expected fields
+		var body map[string]interface{}
+		json.NewDecoder(r.Body).Decode(&body)
+		if body["reason"] != "keyCompromise" {
+			t.Errorf("expected reason keyCompromise, got %v", body["reason"])
+		}
+		if body["profile_id"] != "prof-tls" {
+			t.Errorf("expected profile_id prof-tls, got %v", body["profile_id"])
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(map[string]interface{}{
+			"total_matched": 3,
+			"total_revoked": 2,
+			"total_skipped": 1,
+			"total_failed":  0,
+		})
+	}))
+	defer server.Close()
+
+	client := NewClient(server.URL, "", "table")
+	err := client.BulkRevokeCertificates([]string{
+		"--reason", "keyCompromise",
+		"--profile-id", "prof-tls",
+	})
+	if err != nil {
+		t.Fatalf("BulkRevokeCertificates failed: %v", err)
+	}
+}
+
 func TestClient_ListAgents(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != "GET" || r.URL.Path != "/api/v1/agents" {
@@ -350,6 +389,178 @@ func TestClient_AuthHeader(t *testing.T) {
 	}
 }
 
+// TestClient_ImportCertificates_MissingRequiredFlags verifies the CLI
+// import command rejects invocations missing any of the four required
+// flags (--owner-id, --team-id, --renewal-policy-id, --issuer-id)
+// before any network call is attempted. This is the C-001 scope-expansion
+// closure for the CLI layer: the handler now requires all six cert
+// fields, so the importer must collect ownership / team / policy /
+// issuer up front rather than hard-coding iss-local and letting the
+// server 400 on every POST.
+func TestClient_ImportCertificates_MissingRequiredFlags(t *testing.T) {
+	var requestCount int
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		requestCount++
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	cases := []struct {
+		name    string
+		args    []string
+		missing string
+	}{
+		{
+			name:    "missing owner-id",
+			args:    []string{"--team-id", "t-platform", "--renewal-policy-id", "rp-default", "--issuer-id", "iss-local", "certs.pem"},
+			missing: "--owner-id",
+		},
+		{
+			name:    "missing team-id",
+			args:    []string{"--owner-id", "o-alice", "--renewal-policy-id", "rp-default", "--issuer-id", "iss-local", "certs.pem"},
+			missing: "--team-id",
+		},
+		{
+			name:    "missing renewal-policy-id",
+			args:    []string{"--owner-id", "o-alice", "--team-id", "t-platform", "--issuer-id", "iss-local", "certs.pem"},
+			missing: "--renewal-policy-id",
+		},
+		{
+			name:    "missing issuer-id",
+			args:    []string{"--owner-id", "o-alice", "--team-id", "t-platform", "--renewal-policy-id", "rp-default", "certs.pem"},
+			missing: "--issuer-id",
+		},
+		{
+			name:    "no flags at all",
+			args:    []string{"certs.pem"},
+			missing: "--owner-id",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			client := NewClient(server.URL, "", "table")
+			err := client.ImportCertificates(tc.args)
+			if err == nil {
+				t.Fatalf("expected error for %s, got nil", tc.name)
+			}
+			msg := err.Error()
+			if !containsStr(msg, tc.missing) {
+				t.Fatalf("expected error to name %q, got: %v", tc.missing, err)
+			}
+			if !containsStr(msg, "required") {
+				t.Fatalf("expected error message to mention 'required', got: %v", err)
+			}
+		})
+	}
+
+	if requestCount != 0 {
+		t.Fatalf("expected zero HTTP requests before flag validation, got %d", requestCount)
+	}
+}
+
+// TestClient_ImportCertificates_MissingPositionalArgs verifies the
+// import command errors out when flags are present but no PEM file
+// paths follow them.
+func TestClient_ImportCertificates_MissingPositionalArgs(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Errorf("unexpected HTTP request: %s %s", r.Method, r.URL.Path)
+	}))
+	defer server.Close()
+
+	client := NewClient(server.URL, "", "table")
+	err := client.ImportCertificates([]string{
+		"--owner-id", "o-alice",
+		"--team-id", "t-platform",
+		"--renewal-policy-id", "rp-default",
+		"--issuer-id", "iss-local",
+	})
+	if err == nil {
+		t.Fatal("expected error when no PEM file paths are supplied")
+	}
+	if !containsStr(err.Error(), "PEM file") {
+		t.Fatalf("expected error to mention 'PEM file', got: %v", err)
+	}
+}
+
+// TestClient_ImportCertificates_SixFieldPayload verifies the happy
+// path: given all four required flags plus a PEM file, the importer
+// POSTs a request containing all six required fields plus the
+// name-template–resolved name. The httptest handler decodes the
+// request body and asserts every required field is populated with
+// the values supplied via flags.
+func TestClient_ImportCertificates_SixFieldPayload(t *testing.T) {
+	// Generate a test cert and write it to a temp PEM file.
+	cert := generateTestCert()
+	pemBlock := &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
+	pemPath := filepath.Join(t.TempDir(), "test.pem")
+	if err := os.WriteFile(pemPath, pem.EncodeToMemory(pemBlock), 0o600); err != nil {
+		t.Fatalf("write temp PEM: %v", err)
+	}
+
+	var gotBody map[string]interface{}
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "POST" || r.URL.Path != "/api/v1/certificates" {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+		if err := json.NewDecoder(r.Body).Decode(&gotBody); err != nil {
+			t.Errorf("decode request body: %v", err)
+		}
+		w.WriteHeader(http.StatusCreated)
+		w.Header().Set("Content-Type", "application/json")
+		_, _ = w.Write([]byte(`{"id":"mc-imported"}`))
+	}))
+	defer server.Close()
+
+	client := NewClient(server.URL, "", "table")
+	err := client.ImportCertificates([]string{
+		"--owner-id", "o-alice",
+		"--team-id", "t-platform",
+		"--renewal-policy-id", "rp-default",
+		"--issuer-id", "iss-local",
+		"--name-template", "imported-{cn}",
+		pemPath,
+	})
+	if err != nil {
+		t.Fatalf("ImportCertificates failed: %v", err)
+	}
+
+	// Verify every required field from the six-field contract is present.
+	required := []struct {
+		field string
+		want  interface{}
+	}{
+		{"name", "imported-test.example.com"},
+		{"common_name", "test.example.com"},
+		{"issuer_id", "iss-local"},
+		{"owner_id", "o-alice"},
+		{"team_id", "t-platform"},
+		{"renewal_policy_id", "rp-default"},
+	}
+	for _, r := range required {
+		got, ok := gotBody[r.field]
+		if !ok {
+			t.Errorf("payload missing required field %q (body: %+v)", r.field, gotBody)
+			continue
+		}
+		if got != r.want {
+			t.Errorf("field %q = %v, want %v", r.field, got, r.want)
+		}
+	}
+}
+
+// containsStr is a tiny substring helper so the test file doesn't
+// need a `strings` import dependency aside from what's already there.
+func containsStr(haystack, needle string) bool {
+	for i := 0; i+len(needle) <= len(haystack); i++ {
+		if haystack[i:i+len(needle)] == needle {
+			return true
+		}
+	}
+	return false
+}
+
 // Helper function to generate a test certificate
 func generateTestCert() *x509.Certificate {
 	now := time.Now()

internal/config/config.go

@@ -5,6 +5,7 @@ import (
 	"log/slog"
 	"os"
 	"strconv"
+	"strings"
 	"time"
 )
 
@@ -116,6 +117,14 @@ type GlobalSignConfig struct {
 	// ClientKeyPath is the path to the mTLS client private key PEM file.
 	// Setting: CERTCTL_GLOBALSIGN_CLIENT_KEY_PATH environment variable.
 	ClientKeyPath string
+
+	// ServerCAPath is the optional path to a PEM file containing the CA
+	// certificate(s) used to verify the GlobalSign Atlas HVCA API server
+	// certificate. If empty, the system trust store is used. Set this
+	// for private/lab Atlas deployments whose server TLS chain is not
+	// present in the host's default trust bundle.
+	// Setting: CERTCTL_GLOBALSIGN_SERVER_CA_PATH environment variable.
+	ServerCAPath string
 }
 
 // EJBCAConfig contains EJBCA (Keyfactor) issuer connector configuration.
@@ -641,7 +650,12 @@ type SCEPConfig struct {
 
 	// ChallengePassword is the shared secret used to authenticate SCEP enrollment requests.
 	// Clients include this in the PKCS#10 CSR challengePassword attribute.
-	// Required when SCEP is enabled.
+	//
+	// REQUIRED when Enabled is true. If SCEP is enabled and this value is empty,
+	// cmd/server/main.go's preflightSCEPChallengePassword check will refuse to
+	// start the server (H-2, CWE-306): an empty shared secret allowed any client
+	// that could reach /scep to enroll a CSR against the configured issuer. The
+	// service-layer PKCSReq path also rejects this configuration defense-in-depth.
 	ChallengePassword string
 }
 
@@ -693,6 +707,14 @@ type SchedulerConfig struct {
 	// Default: 1 minute. Minimum: 1 second. Sends notifications to Slack, Teams, PagerDuty, etc.
 	// Setting: CERTCTL_SCHEDULER_NOTIFICATION_PROCESS_INTERVAL environment variable.
 	NotificationProcessInterval time.Duration
+
+	// RetryInterval is how often the scheduler retries failed jobs whose Attempts
+	// counter is below MaxAttempts. Default: 5 minutes. Minimum: 1 second.
+	// Transitions eligible Failed jobs back to Pending so the job processor can
+	// pick them up again (closes coverage gap I-001 — JobService.RetryFailedJobs
+	// had no caller prior to this loop being wired).
+	// Setting: CERTCTL_SCHEDULER_RETRY_INTERVAL environment variable.
+	RetryInterval time.Duration
 }
 
 // LogConfig contains logging configuration.
@@ -708,6 +730,19 @@ type LogConfig struct {
 	Format string
 }
 
+// NamedAPIKey represents a single named API key with an optional admin flag.
+// Named keys allow real actor attribution in the audit trail (M-002) and provide
+// the admin-gate basis for privileged endpoints like bulk revocation (M-003).
+type NamedAPIKey struct {
+	// Name is the identifier for the key (alphanumeric, hyphens, underscores).
+	// This value is recorded as the actor on every audit event the key authenticates.
+	Name string
+	// Key is the raw API-key secret the client presents as `Authorization: Bearer <key>`.
+	Key string
+	// Admin controls whether the key has admin privileges (bulk revocation, etc.).
+	Admin bool
+}
+
 // AuthConfig contains authentication configuration.
 type AuthConfig struct {
 	// Type sets the authentication mechanism for the REST API.
@@ -717,12 +752,19 @@ type AuthConfig struct {
 	// Setting: CERTCTL_AUTH_TYPE environment variable. Default: "api-key".
 	Type string
 
-	// Secret is the authentication secret (API key hash, JWT signing key, etc.).
-	// For "api-key": the base64-encoded API key to validate against.
-	// For "jwt": the secret used to verify JWT token signatures.
-	// For "none": ignored.
-	// Setting: CERTCTL_AUTH_SECRET environment variable. Required for "api-key" and "jwt".
+	// Secret is the legacy authentication secret (comma-separated API keys).
+	// DEPRECATED in favor of NamedKeys — retained for backward compatibility.
+	// When NamedKeys is empty and Secret is set, each comma-separated key is
+	// registered as a synthesized named key (legacy-key-0, legacy-key-1, ...)
+	// with actor attribution defaulting to "legacy-key-<index>".
+	// Setting: CERTCTL_AUTH_SECRET environment variable.
 	Secret string
+
+	// NamedKeys is the parsed set of named API keys. Populated from
+	// CERTCTL_API_KEYS_NAMED via ParseNamedAPIKeys during Load(). When
+	// non-empty, this takes precedence over the legacy Secret field.
+	// Setting: CERTCTL_API_KEYS_NAMED="name1:key1,name2:key2:admin"
+	NamedKeys []NamedAPIKey
 }
 
 // RateLimitConfig contains rate limiting configuration.
@@ -773,6 +815,7 @@ func Load() (*Config, error) {
 			JobProcessorInterval:        getEnvDuration("CERTCTL_SCHEDULER_JOB_PROCESSOR_INTERVAL", 30*time.Second),
 			AgentHealthCheckInterval:    getEnvDuration("CERTCTL_SCHEDULER_AGENT_HEALTH_CHECK_INTERVAL", 2*time.Minute),
 			NotificationProcessInterval: getEnvDuration("CERTCTL_SCHEDULER_NOTIFICATION_PROCESS_INTERVAL", 1*time.Minute),
+			RetryInterval:               getEnvDuration("CERTCTL_SCHEDULER_RETRY_INTERVAL", 5*time.Minute),
 		},
 		Log: LogConfig{
 			Level:  getEnv("CERTCTL_LOG_LEVEL", "info"),
@@ -781,6 +824,8 @@ func Load() (*Config, error) {
 		Auth: AuthConfig{
 			Type:   getEnv("CERTCTL_AUTH_TYPE", "api-key"),
 			Secret: getEnv("CERTCTL_AUTH_SECRET", ""),
+			// NamedKeys is populated from CERTCTL_API_KEYS_NAMED below so Load()
+			// can surface parse errors alongside other config errors.
 		},
 		RateLimit: RateLimitConfig{
 			Enabled:   getEnvBool("CERTCTL_RATE_LIMIT_ENABLED", true),
@@ -882,6 +927,7 @@ func Load() (*Config, error) {
 			APISecret:      getEnv("CERTCTL_GLOBALSIGN_API_SECRET", ""),
 			ClientCertPath: getEnv("CERTCTL_GLOBALSIGN_CLIENT_CERT_PATH", ""),
 			ClientKeyPath:  getEnv("CERTCTL_GLOBALSIGN_CLIENT_KEY_PATH", ""),
+			ServerCAPath:   getEnv("CERTCTL_GLOBALSIGN_SERVER_CA_PATH", ""),
 		},
 		EJBCA: EJBCAConfig{
 			APIUrl:         getEnv("CERTCTL_EJBCA_API_URL", ""),
@@ -945,6 +991,14 @@ func Load() (*Config, error) {
 		},
 	}
 
+	// Parse CERTCTL_API_KEYS_NAMED for named key authentication (M-002).
+	// Parse errors surface here so invalid config fails fast at startup.
+	named, err := ParseNamedAPIKeys(getEnv("CERTCTL_API_KEYS_NAMED", ""))
+	if err != nil {
+		return nil, fmt.Errorf("parse CERTCTL_API_KEYS_NAMED: %w", err)
+	}
+	cfg.Auth.NamedKeys = named
+
 	if err := cfg.Validate(); err != nil {
 		return nil, err
 	}
@@ -1029,6 +1083,10 @@ func (c *Config) Validate() error {
 		return fmt.Errorf("notification process interval must be at least 1 second")
 	}
 
+	if c.Scheduler.RetryInterval < 1*time.Second {
+		return fmt.Errorf("retry interval must be at least 1 second")
+	}
+
 	return nil
 }
 
@@ -1153,3 +1211,79 @@ func (c *Config) GetLogLevel() slog.Level {
 		return slog.LevelInfo
 	}
 }
+
+// ParseNamedAPIKeys parses the CERTCTL_API_KEYS_NAMED environment variable.
+// Format: "name1:key1,name2:key2:admin,name3:key3"
+// The ":admin" suffix is optional; if present, the key has admin privileges.
+// Returns a typed []NamedAPIKey so main.go can pass it directly to the
+// middleware layer without type assertion gymnastics.
+func ParseNamedAPIKeys(input string) ([]NamedAPIKey, error) {
+	if input == "" {
+		return nil, nil
+	}
+
+	parts := splitComma(input)
+	var keys []NamedAPIKey
+	seen := make(map[string]bool)
+
+	for _, part := range parts {
+		part = trimSpace(part)
+		if part == "" {
+			continue
+		}
+
+		// Split by colon: name:key or name:key:admin
+		fields := strings.Split(part, ":")
+		if len(fields) < 2 || len(fields) > 3 {
+			return nil, fmt.Errorf("invalid named key format: %s (expected name:key or name:key:admin)", part)
+		}
+
+		name := trimSpace(fields[0])
+		key := trimSpace(fields[1])
+		admin := false
+
+		if len(fields) == 3 {
+			adminStr := trimSpace(fields[2])
+			if adminStr == "admin" {
+				admin = true
+			} else {
+				return nil, fmt.Errorf("invalid admin flag: %s (expected 'admin')", adminStr)
+			}
+		}
+
+		// Validate name format: alphanumeric, hyphens, underscores
+		if !isValidKeyName(name) {
+			return nil, fmt.Errorf("invalid key name: %s (must be alphanumeric, hyphens, underscores)", name)
+		}
+
+		if seen[name] {
+			return nil, fmt.Errorf("duplicate key name: %s", name)
+		}
+		seen[name] = true
+
+		if key == "" {
+			return nil, fmt.Errorf("empty key for name: %s", name)
+		}
+
+		keys = append(keys, NamedAPIKey{
+			Name:  name,
+			Key:   key,
+			Admin: admin,
+		})
+	}
+
+	return keys, nil
+}
+
+// isValidKeyName checks if a key name is valid (alphanumeric, hyphens, underscores).
+func isValidKeyName(s string) bool {
+	if len(s) == 0 {
+		return false
+	}
+	for _, c := range s {
+		if !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-' || c == '_') {
+			return false
+		}
+	}
+	return true
+}

internal/config/config_test.go

@@ -328,6 +328,7 @@ func TestValidate_ValidConfig(t *testing.T) {
 			JobProcessorInterval:        30 * time.Second,
 			AgentHealthCheckInterval:    2 * time.Minute,
 			NotificationProcessInterval: 1 * time.Minute,
+			RetryInterval:               5 * time.Minute,
 		},
 	}
 	if err := cfg.Validate(); err != nil {
@@ -347,6 +348,7 @@ func TestValidate_AuthTypeNone(t *testing.T) {
 			JobProcessorInterval:        30 * time.Second,
 			AgentHealthCheckInterval:    2 * time.Minute,
 			NotificationProcessInterval: 1 * time.Minute,
+			RetryInterval:               5 * time.Minute,
 		},
 	}
 	if err := cfg.Validate(); err != nil {

internal/connector/issuer/acme/acme.go

@@ -547,7 +547,11 @@ func (c *Connector) solveAuthorizationsHTTP01(ctx context.Context, authzURLs []s
 		return fmt.Errorf("failed to start challenge server: %w", err)
 	}
 	defer func() {
-		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		// Derive the challenge-server shutdown context from the parent ctx so
+		// values (trace IDs, deadlines) propagate, but detach from its
+		// cancellation so Shutdown always gets its full budget even when the
+		// parent was cancelled (M-2 / D-3).
+		shutdownCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 5*time.Second)
 		defer cancel()
 		_ = srv.Shutdown(shutdownCtx)
 		c.logger.Debug("challenge server stopped")

internal/connector/issuer/globalsign/globalsign.go

@@ -34,6 +34,7 @@ import (
 	"io"
 	"log/slog"
 	"net/http"
+	"os"
 	"strings"
 	"time"
 
@@ -64,6 +65,14 @@ type Config struct {
 	// Must match the certificate in ClientCertPath.
 	// Required. Set via CERTCTL_GLOBALSIGN_CLIENT_KEY_PATH environment variable.
 	ClientKeyPath string `json:"client_key_path"`
+
+	// ServerCAPath is the filesystem path to a PEM file containing the CA
+	// certificate(s) used to verify the GlobalSign Atlas HVCA API server certificate.
+	// Optional. If empty, the system trust store is used. This option exists for
+	// private/lab deployments of GlobalSign Atlas that terminate TLS with an
+	// internal CA not present in the host's default trust bundle.
+	// Set via CERTCTL_GLOBALSIGN_SERVER_CA_PATH environment variable.
+	ServerCAPath string `json:"server_ca_path,omitempty"`
 }
 
 // Connector implements the issuer.Connector interface for GlobalSign Atlas HVCA.
@@ -153,14 +162,12 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 		return fmt.Errorf("failed to load GlobalSign client certificate: %w", err)
 	}
 
-	// Create an mTLS client for validation
-	tlsConfig := &tls.Config{
-		Certificates: []tls.Certificate{cert},
-		// InsecureSkipVerify=true allows testing against self-signed server certs.
-		// In production, GlobalSign's API uses a proper certificate chain.
-		// This matches the pattern used by other connectors (F5, network scanner, etc.)
-		// that also need to bypass hostname verification for internal/lab environments.
-		InsecureSkipVerify: true,
+	// Build a verifying mTLS TLS config. If ServerCAPath is set, that PEM
+	// bundle is used as the trust anchor for the server certificate;
+	// otherwise the system trust store is used. TLS 1.2 is the minimum.
+	tlsConfig, err := buildServerTLSConfig(&cfg, cert)
+	if err != nil {
+		return fmt.Errorf("failed to build GlobalSign TLS config: %w", err)
 	}
 
 	validationClient := &http.Client{
@@ -225,9 +232,9 @@ func (c *Connector) getHTTPClient(ctx context.Context) (*http.Client, error) {
 		return nil, fmt.Errorf("failed to load GlobalSign client certificate: %w", err)
 	}
 
-	tlsConfig := &tls.Config{
-		Certificates:       []tls.Certificate{cert},
-		InsecureSkipVerify: true,
+	tlsConfig, err := buildServerTLSConfig(c.config, cert)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build GlobalSign TLS config: %w", err)
 	}
 
 	return &http.Client{
@@ -238,6 +245,38 @@ func (c *Connector) getHTTPClient(ctx context.Context) (*http.Client, error) {
 	}, nil
 }
 
+// buildServerTLSConfig returns a TLS configuration for the GlobalSign Atlas
+// HVCA API client. It always verifies the server certificate. When
+// cfg.ServerCAPath is set, the PEM bundle at that path is used as the
+// trust anchor (enables pinning a private/lab CA); otherwise the host's
+// system trust store is used. TLS 1.2 is the minimum protocol version.
+//
+// This helper is the single source of truth for both the ValidateConfig
+// probe client and the steady-state getHTTPClient production client, so
+// any future TLS policy change applies uniformly.
+func buildServerTLSConfig(cfg *Config, clientCert tls.Certificate) (*tls.Config, error) {
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{clientCert},
+		MinVersion:   tls.VersionTLS12,
+	}
+
+	if cfg.ServerCAPath != "" {
+		caPEM, err := os.ReadFile(cfg.ServerCAPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read server CA bundle at %s: %w", cfg.ServerCAPath, err)
+		}
+
+		pool := x509.NewCertPool()
+		if !pool.AppendCertsFromPEM(caPEM) {
+			return nil, fmt.Errorf("no valid PEM certificates found in server CA bundle at %s", cfg.ServerCAPath)
+		}
+
+		tlsConfig.RootCAs = pool
+	}
+
+	return tlsConfig, nil
+}
+
 // IssueCertificate submits a certificate order to GlobalSign Atlas HVCA.
 // Returns the serial number immediately; typically the cert is available within seconds (DV) to minutes (OV).
 func (c *Connector) IssueCertificate(ctx context.Context, request issuer.IssuanceRequest) (*issuer.IssuanceResult, error) {

internal/connector/issuer/globalsign/globalsign_test.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/json"
@@ -161,11 +160,7 @@ func TestGlobalSignConnector(t *testing.T) {
 		testCertPEM, _ := generateTestCert(t)
 		testChainPEM, _ := generateTestCert(t)
 
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}
 
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodPost {
@@ -223,11 +218,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 
 	t.Run("IssueCertificate_Pending", func(t *testing.T) {
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}
 
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodPost {
@@ -271,11 +262,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 
 	t.Run("IssueCertificate_Error", func(t *testing.T) {
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}
 
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodPost {
@@ -312,11 +299,7 @@ func TestGlobalSignConnector(t *testing.T) {
 		testCertPEM, _ := generateTestCert(t)
 		testChainPEM, _ := generateTestCert(t)
 
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}
 
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if strings.HasPrefix(r.URL.Path, "/v2/certificates/12345") && r.Method == http.MethodGet {
@@ -356,11 +339,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 
 	t.Run("GetOrderStatus_Pending", func(t *testing.T) {
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}
 
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if strings.HasPrefix(r.URL.Path, "/v2/certificates/98765") && r.Method == http.MethodGet {
@@ -401,11 +380,7 @@ func TestGlobalSignConnector(t *testing.T) {
 		testCertPEM, _ := generateTestCert(t)
 		testChainPEM, _ := generateTestCert(t)
 
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}
 
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodPost {
@@ -448,11 +423,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 
 	t.Run("RevokeCertificate_Success", func(t *testing.T) {
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}
 
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if strings.HasPrefix(r.URL.Path, "/v2/certificates/") && strings.HasSuffix(r.URL.Path, "/revoke") && r.Method == http.MethodPut {
@@ -492,11 +463,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 
 	t.Run("RevokeCertificate_Error", func(t *testing.T) {
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}
 
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if strings.HasPrefix(r.URL.Path, "/v2/certificates/") && strings.HasSuffix(r.URL.Path, "/revoke") && r.Method == http.MethodPut {
@@ -532,11 +499,7 @@ func TestGlobalSignConnector(t *testing.T) {
 		testChainPEM, _ := generateTestCert(t)
 		authHeadersChecked := 0
 
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}
 
 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Check for auth headers on every request
@@ -584,6 +547,177 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 }
 
+// TestGlobalSign_ServerTLSConfig exercises the server-side TLS verification
+// policy added by H-5. The connector must always verify the GlobalSign Atlas
+// HVCA API server certificate: by default against the host's system trust
+// store, and when ServerCAPath is set, against the pinned PEM bundle at that
+// path. InsecureSkipVerify is no longer reachable from any production code path.
+func TestGlobalSign_ServerTLSConfig(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	// writeClientMTLS generates a throwaway client cert+key pair and writes them
+	// to disk. ValidateConfig requires valid ClientCertPath / ClientKeyPath files
+	// before it reaches the server-CA validation path under test.
+	writeClientMTLS := func(t *testing.T) (certPath, keyPath string) {
+		t.Helper()
+		certPEM, keyPEM := generateTestCert(t)
+		dir := t.TempDir()
+		certPath = dir + "/client-cert.pem"
+		keyPath = dir + "/client-key.pem"
+		if err := os.WriteFile(certPath, []byte(certPEM), 0600); err != nil {
+			t.Fatalf("failed to write client cert: %v", err)
+		}
+		if err := os.WriteFile(keyPath, []byte(keyPEM), 0600); err != nil {
+			t.Fatalf("failed to write client key: %v", err)
+		}
+		return certPath, keyPath
+	}
+
+	// certToPEM re-encodes a parsed certificate as a PEM block for trust-store
+	// pinning. httptest.NewTLSServer.Certificate() returns the server's self-
+	// signed cert; pinning that cert trusts exactly that one server.
+	certToPEM := func(t *testing.T, cert *x509.Certificate) string {
+		t.Helper()
+		return string(pem.EncodeToMemory(&pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: cert.Raw,
+		}))
+	}
+
+	t.Run("PinnedCA_TrustsExpectedServer", func(t *testing.T) {
+		// Mock Atlas API served over HTTPS with a self-signed cert. We pin
+		// that cert's PEM as the client's trust anchor; the validation probe
+		// should succeed because the pinned pool contains the server's issuer.
+		srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodGet {
+				if r.Header.Get("ApiKey") == "gs-test-key" && r.Header.Get("ApiSecret") == "gs-test-secret" {
+					w.WriteHeader(http.StatusOK)
+					w.Write([]byte(`{"certificates":[]}`))
+					return
+				}
+				w.WriteHeader(http.StatusForbidden)
+				return
+			}
+			http.NotFound(w, r)
+		}))
+		defer srv.Close()
+
+		caPEM := certToPEM(t, srv.Certificate())
+		caPath := t.TempDir() + "/atlas-ca.pem"
+		if err := os.WriteFile(caPath, []byte(caPEM), 0600); err != nil {
+			t.Fatalf("failed to write pinned CA: %v", err)
+		}
+
+		clientCert, clientKey := writeClientMTLS(t)
+		config := globalsign.Config{
+			APIUrl:         srv.URL,
+			APIKey:         "gs-test-key",
+			APISecret:      "gs-test-secret",
+			ClientCertPath: clientCert,
+			ClientKeyPath:  clientKey,
+			ServerCAPath:   caPath,
+		}
+
+		connector := globalsign.New(&config, logger)
+		rawConfig, _ := json.Marshal(config)
+		if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
+			t.Fatalf("ValidateConfig with pinned CA should succeed, got: %v", err)
+		}
+	})
+
+	t.Run("PinnedCA_RejectsUntrustedServer", func(t *testing.T) {
+		// Mock server presents its own self-signed cert; we pin an UNRELATED
+		// cert as the trust anchor. The TLS handshake must fail before any
+		// request is sent — this is exactly what H-5 remediates.
+		srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		}))
+		defer srv.Close()
+
+		unrelatedPEM, _ := generateTestCert(t)
+		caPath := t.TempDir() + "/unrelated-ca.pem"
+		if err := os.WriteFile(caPath, []byte(unrelatedPEM), 0600); err != nil {
+			t.Fatalf("failed to write unrelated CA: %v", err)
+		}
+
+		clientCert, clientKey := writeClientMTLS(t)
+		config := globalsign.Config{
+			APIUrl:         srv.URL,
+			APIKey:         "gs-test-key",
+			APISecret:      "gs-test-secret",
+			ClientCertPath: clientCert,
+			ClientKeyPath:  clientKey,
+			ServerCAPath:   caPath,
+		}
+
+		connector := globalsign.New(&config, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("ValidateConfig must fail when the server cert is not signed by the pinned CA")
+		}
+		// The failure must originate from TLS verification, not from any other path.
+		if !strings.Contains(err.Error(), "x509") &&
+			!strings.Contains(err.Error(), "certificate") &&
+			!strings.Contains(err.Error(), "unknown authority") {
+			t.Errorf("expected TLS verification error, got: %v", err)
+		}
+		t.Logf("Untrusted server cert correctly rejected: %v", err)
+	})
+
+	t.Run("ServerCAPath_MissingFile", func(t *testing.T) {
+		clientCert, clientKey := writeClientMTLS(t)
+		config := globalsign.Config{
+			APIUrl:         "https://example.invalid",
+			APIKey:         "gs-test-key",
+			APISecret:      "gs-test-secret",
+			ClientCertPath: clientCert,
+			ClientKeyPath:  clientKey,
+			ServerCAPath:   "/nonexistent/path/to/ca.pem",
+		}
+
+		connector := globalsign.New(&config, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("ValidateConfig must fail when ServerCAPath points to a missing file")
+		}
+		if !strings.Contains(err.Error(), "failed to read server CA bundle") {
+			t.Errorf("expected 'failed to read server CA bundle' error, got: %v", err)
+		}
+		t.Logf("Missing server CA file correctly rejected: %v", err)
+	})
+
+	t.Run("ServerCAPath_InvalidPEM", func(t *testing.T) {
+		clientCert, clientKey := writeClientMTLS(t)
+		badCAPath := t.TempDir() + "/garbage.pem"
+		if err := os.WriteFile(badCAPath, []byte("this is not a PEM certificate at all"), 0600); err != nil {
+			t.Fatalf("failed to write garbage file: %v", err)
+		}
+
+		config := globalsign.Config{
+			APIUrl:         "https://example.invalid",
+			APIKey:         "gs-test-key",
+			APISecret:      "gs-test-secret",
+			ClientCertPath: clientCert,
+			ClientKeyPath:  clientKey,
+			ServerCAPath:   badCAPath,
+		}
+
+		connector := globalsign.New(&config, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("ValidateConfig must fail when ServerCAPath contains no valid PEM certificates")
+		}
+		if !strings.Contains(err.Error(), "no valid PEM certificates") {
+			t.Errorf("expected 'no valid PEM certificates' error, got: %v", err)
+		}
+		t.Logf("Invalid PEM correctly rejected: %v", err)
+	})
+}
+
 // generateTestCert generates a self-signed test certificate and returns PEM strings.
 func generateTestCert(t *testing.T) (certPEM string, keyPEM string) {
 	priv, err := rsa.GenerateKey(rand.Reader, 2048)

internal/connector/issuer/local/local.go

@@ -359,6 +359,25 @@ func (c *Connector) loadCAFromDisk() error {
 		return fmt.Errorf("loaded CA certificate does not have KeyUsageCertSign")
 	}
 
+	// Validate CA certificate validity window (M-5, CWE-672).
+	// An expired or not-yet-valid sub-CA produces child certificates that any
+	// RFC 5280 path-validator will reject. Fail closed at load time so operators
+	// learn about it at startup, not at 3am when a renewal cycle silently
+	// starts minting broken certs. See audit finding M-5.
+	now := time.Now()
+	if now.After(caCert.NotAfter) {
+		return fmt.Errorf("CA certificate %q has expired (not_after=%s, now=%s)",
+			caCert.Subject.CommonName,
+			caCert.NotAfter.UTC().Format(time.RFC3339),
+			now.UTC().Format(time.RFC3339))
+	}
+	if now.Before(caCert.NotBefore) {
+		return fmt.Errorf("CA certificate %q is not yet valid (not_before=%s, now=%s)",
+			caCert.Subject.CommonName,
+			caCert.NotBefore.UTC().Format(time.RFC3339),
+			now.UTC().Format(time.RFC3339))
+	}
+
 	// Load CA private key (supports RSA and ECDSA)
 	keyPEM, err := os.ReadFile(c.config.CAKeyPath)
 	if err != nil {

internal/connector/issuer/local/local_test.go

@@ -14,6 +14,7 @@ import (
 	"math/big"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 	"time"
 
@@ -360,6 +361,114 @@ func TestSubCAMode(t *testing.T) {
 		t.Logf("Correctly rejected non-CA cert: %v", err)
 	})
 
+	t.Run("SubCA_ExpiredCert_IsRejected", func(t *testing.T) {
+		// Sub-CA expired 1 hour ago. M-5: loadCAFromDisk must fail closed
+		// instead of minting child certs that immediately fail path validation
+		// at every relying party (CWE-672).
+		notBefore := time.Now().AddDate(-1, 0, 0)
+		notAfter := time.Now().Add(-1 * time.Hour)
+		certPath, keyPath := generateTestSubCAWithValidity(t, "rsa", notBefore, notAfter)
+
+		config := &local.Config{
+			ValidityDays: 30,
+			CACertPath:   certPath,
+			CAKeyPath:    keyPath,
+		}
+		connector := local.New(config, logger)
+
+		_, csrPEM, err := generateTestCSR("app.internal.corp")
+		if err != nil {
+			t.Fatalf("Failed to generate CSR: %v", err)
+		}
+		req := issuer.IssuanceRequest{
+			CommonName: "app.internal.corp",
+			CSRPEM:     csrPEM,
+		}
+
+		_, err = connector.IssueCertificate(ctx, req)
+		if err == nil {
+			t.Fatal("Expected error when loading expired sub-CA; got nil")
+		}
+		if !strings.Contains(err.Error(), "expired") {
+			t.Errorf("Expected error to mention 'expired'; got: %v", err)
+		}
+		if !strings.Contains(err.Error(), "Test Sub-CA") {
+			t.Errorf("Expected error to include CA subject CN 'Test Sub-CA'; got: %v", err)
+		}
+		t.Logf("Correctly rejected expired sub-CA: %v", err)
+	})
+
+	t.Run("SubCA_NotYetValid_IsRejected", func(t *testing.T) {
+		// Sub-CA is not valid for another hour (clock skew or operator error
+		// pushing a pre-production CA into prod). M-5: loadCAFromDisk must
+		// fail closed.
+		notBefore := time.Now().Add(1 * time.Hour)
+		notAfter := time.Now().AddDate(5, 0, 0)
+		certPath, keyPath := generateTestSubCAWithValidity(t, "rsa", notBefore, notAfter)
+
+		config := &local.Config{
+			ValidityDays: 30,
+			CACertPath:   certPath,
+			CAKeyPath:    keyPath,
+		}
+		connector := local.New(config, logger)
+
+		_, csrPEM, err := generateTestCSR("app.internal.corp")
+		if err != nil {
+			t.Fatalf("Failed to generate CSR: %v", err)
+		}
+		req := issuer.IssuanceRequest{
+			CommonName: "app.internal.corp",
+			CSRPEM:     csrPEM,
+		}
+
+		_, err = connector.IssueCertificate(ctx, req)
+		if err == nil {
+			t.Fatal("Expected error when loading not-yet-valid sub-CA; got nil")
+		}
+		if !strings.Contains(err.Error(), "not yet valid") {
+			t.Errorf("Expected error to mention 'not yet valid'; got: %v", err)
+		}
+		if !strings.Contains(err.Error(), "Test Sub-CA") {
+			t.Errorf("Expected error to include CA subject CN 'Test Sub-CA'; got: %v", err)
+		}
+		t.Logf("Correctly rejected not-yet-valid sub-CA: %v", err)
+	})
+
+	t.Run("SubCA_BarelyValid_IsAccepted", func(t *testing.T) {
+		// Sub-CA valid from 1 minute ago to 1 hour from now. Edge case:
+		// proves the M-5 window check doesn't over-reject CAs that are
+		// legitimately live but close to the boundaries.
+		notBefore := time.Now().Add(-1 * time.Minute)
+		notAfter := time.Now().Add(1 * time.Hour)
+		certPath, keyPath := generateTestSubCAWithValidity(t, "rsa", notBefore, notAfter)
+
+		config := &local.Config{
+			ValidityDays: 30,
+			CACertPath:   certPath,
+			CAKeyPath:    keyPath,
+		}
+		connector := local.New(config, logger)
+
+		_, csrPEM, err := generateTestCSR("app.internal.corp")
+		if err != nil {
+			t.Fatalf("Failed to generate CSR: %v", err)
+		}
+		req := issuer.IssuanceRequest{
+			CommonName: "app.internal.corp",
+			CSRPEM:     csrPEM,
+		}
+
+		result, err := connector.IssueCertificate(ctx, req)
+		if err != nil {
+			t.Fatalf("Barely-valid sub-CA was wrongly rejected: %v", err)
+		}
+		if result.CertPEM == "" {
+			t.Error("CertPEM is empty")
+		}
+		t.Logf("Correctly accepted barely-valid sub-CA: serial=%s", result.Serial)
+	})
+
 	t.Run("SubCA_RenewCertificate", func(t *testing.T) {
 		certPath, keyPath := generateTestSubCA(t, "rsa")
 		defer os.Remove(certPath)
@@ -396,8 +505,16 @@ func TestSubCAMode(t *testing.T) {
 }
 
 // generateTestSubCA creates a self-signed CA cert+key pair and writes them to temp files.
-// keyType can be "rsa" or "ecdsa".
+// keyType can be "rsa" or "ecdsa". Validity window is [now, now+5y].
 func generateTestSubCA(t *testing.T, keyType string) (certPath, keyPath string) {
+	t.Helper()
+	return generateTestSubCAWithValidity(t, keyType, time.Now(), time.Now().AddDate(5, 0, 0))
+}
+
+// generateTestSubCAWithValidity creates a self-signed CA cert+key pair with an
+// explicit NotBefore/NotAfter window. Used by M-5 tests that exercise expired
+// and not-yet-valid CA rejection in loadCAFromDisk.
+func generateTestSubCAWithValidity(t *testing.T, keyType string, notBefore, notAfter time.Time) (certPath, keyPath string) {
 	t.Helper()
 	tmpDir := t.TempDir()
 	certPath = filepath.Join(tmpDir, "ca.pem")
@@ -445,8 +562,8 @@ func generateTestSubCA(t *testing.T, keyType string) (certPath, keyPath string)
 			CommonName:   "Test Sub-CA",
 			Organization: []string{"CertCtl Test"},
 		},
-		NotBefore:             time.Now(),
-		NotAfter:              time.Now().AddDate(5, 0, 0),
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		BasicConstraintsValid: true,
 		IsCA:                  true,

internal/connector/notifier/email/email.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/shankar0123/certctl/internal/connector/notifier"
+	"github.com/shankar0123/certctl/internal/validation"
 )
 
 // Config represents the email notifier configuration.
@@ -123,7 +124,22 @@ func (c *Connector) SendEvent(ctx context.Context, event notifier.Event) error {
 
 // sendEmail sends an email message using the configured SMTP server.
 // It handles both TLS and plain authentication modes.
+//
+// Header values (From, To, Subject) are validated up-front to reject CR, LF,
+// and NUL characters. This blocks SMTP header injection (CWE-113) and also
+// prevents injection into the SMTP envelope commands MAIL FROM and RCPT TO,
+// since net/smtp does not sanitize those inputs itself.
 func (c *Connector) sendEmail(ctx context.Context, to, subject, body string) error {
+	if err := validation.ValidateHeaderValue("From", c.config.FromAddress); err != nil {
+		return fmt.Errorf("invalid sender: %w", err)
+	}
+	if err := validation.ValidateHeaderValue("To", to); err != nil {
+		return fmt.Errorf("invalid recipient: %w", err)
+	}
+	if err := validation.ValidateHeaderValue("Subject", subject); err != nil {
+		return fmt.Errorf("invalid subject: %w", err)
+	}
+
 	addr := net.JoinHostPort(c.config.SMTPHost, strconv.Itoa(c.config.SMTPPort))
 
 	// Connect to SMTP server
@@ -182,8 +198,13 @@ func (c *Connector) sendEmail(ctx context.Context, to, subject, body string) err
 	}
 	defer wc.Close()
 
-	// Format and write email headers and body
-	message := c.formatEmailMessage(c.config.FromAddress, to, subject, body)
+	// Format and write email headers and body. The format function
+	// re-validates header values as defense-in-depth; the early-return
+	// above should have already caught any injection attempt.
+	message, err := c.formatEmailMessage(c.config.FromAddress, to, subject, body)
+	if err != nil {
+		return fmt.Errorf("failed to format message: %w", err)
+	}
 	if _, err := wc.Write(message); err != nil {
 		return fmt.Errorf("failed to write message: %w", err)
 	}
@@ -197,7 +218,22 @@ func (c *Connector) sendEmail(ctx context.Context, to, subject, body string) err
 
 // sendHTMLEmail sends an HTML email message using the configured SMTP server.
 // Used by the digest service for rich HTML digest emails.
+//
+// Header values (From, To, Subject) are validated up-front to reject CR, LF,
+// and NUL characters. This blocks SMTP header injection (CWE-113) and also
+// prevents injection into the SMTP envelope commands MAIL FROM and RCPT TO,
+// since net/smtp does not sanitize those inputs itself.
 func (c *Connector) sendHTMLEmail(ctx context.Context, to, subject, htmlBody string) error {
+	if err := validation.ValidateHeaderValue("From", c.config.FromAddress); err != nil {
+		return fmt.Errorf("invalid sender: %w", err)
+	}
+	if err := validation.ValidateHeaderValue("To", to); err != nil {
+		return fmt.Errorf("invalid recipient: %w", err)
+	}
+	if err := validation.ValidateHeaderValue("Subject", subject); err != nil {
+		return fmt.Errorf("invalid subject: %w", err)
+	}
+
 	addr := net.JoinHostPort(c.config.SMTPHost, strconv.Itoa(c.config.SMTPPort))
 
 	var auth smtp.Auth
@@ -250,7 +286,12 @@ func (c *Connector) sendHTMLEmail(ctx context.Context, to, subject, htmlBody str
 	}
 	defer wc.Close()
 
-	message := c.formatHTMLEmailMessage(c.config.FromAddress, to, subject, htmlBody)
+	// The format function re-validates header values as defense-in-depth;
+	// the early-return above should have already caught any injection attempt.
+	message, err := c.formatHTMLEmailMessage(c.config.FromAddress, to, subject, htmlBody)
+	if err != nil {
+		return fmt.Errorf("failed to format message: %w", err)
+	}
 	if _, err := wc.Write(message); err != nil {
 		return fmt.Errorf("failed to write message: %w", err)
 	}
@@ -263,7 +304,20 @@ func (c *Connector) sendHTMLEmail(ctx context.Context, to, subject, htmlBody str
 }
 
 // formatEmailMessage formats an email message with standard headers.
-func (c *Connector) formatEmailMessage(from, to, subject, body string) []byte {
+// It rejects any header value containing CR, LF, or NUL bytes to prevent
+// SMTP header injection (CWE-113). See internal/validation.ValidateHeaderValue.
+// The body is not validated — CR/LF in the body is legitimate content, and
+// SMTP dot-stuffing / length framing are handled by net/smtp.
+func (c *Connector) formatEmailMessage(from, to, subject, body string) ([]byte, error) {
+	if err := validation.ValidateHeaderValue("From", from); err != nil {
+		return nil, err
+	}
+	if err := validation.ValidateHeaderValue("To", to); err != nil {
+		return nil, err
+	}
+	if err := validation.ValidateHeaderValue("Subject", subject); err != nil {
+		return nil, err
+	}
 	message := fmt.Sprintf(
 		"From: %s\r\nTo: %s\r\nSubject: %s\r\nDate: %s\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n%s",
 		from,
@@ -272,11 +326,24 @@ func (c *Connector) formatEmailMessage(from, to, subject, body string) []byte {
 		time.Now().Format(time.RFC1123Z),
 		body,
 	)
-	return []byte(message)
+	return []byte(message), nil
 }
 
 // formatHTMLEmailMessage formats an HTML email message with MIME headers.
-func (c *Connector) formatHTMLEmailMessage(from, to, subject, htmlBody string) []byte {
+// It rejects any header value containing CR, LF, or NUL bytes to prevent
+// SMTP header injection (CWE-113). See internal/validation.ValidateHeaderValue.
+// The HTML body is not validated at this layer — CR/LF in HTML content is
+// legitimate, and SMTP dot-stuffing / length framing are handled by net/smtp.
+func (c *Connector) formatHTMLEmailMessage(from, to, subject, htmlBody string) ([]byte, error) {
+	if err := validation.ValidateHeaderValue("From", from); err != nil {
+		return nil, err
+	}
+	if err := validation.ValidateHeaderValue("To", to); err != nil {
+		return nil, err
+	}
+	if err := validation.ValidateHeaderValue("Subject", subject); err != nil {
+		return nil, err
+	}
 	message := fmt.Sprintf(
 		"From: %s\r\nTo: %s\r\nSubject: %s\r\nDate: %s\r\nMIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n%s",
 		from,
@@ -285,7 +352,7 @@ func (c *Connector) formatHTMLEmailMessage(from, to, subject, htmlBody string) [
 		time.Now().Format(time.RFC1123Z),
 		htmlBody,
 	)
-	return []byte(message)
+	return []byte(message), nil
 }
 
 // formatAlertBody formats an alert notification as email body text.

internal/connector/notifier/email/email_test.go

@@ -138,7 +138,10 @@ func TestEmail_FormatMessage_RFC822Headers(t *testing.T) {
 	subject := "Test Subject"
 	body := "Test Body"
 
-	message := conn.formatEmailMessage(from, to, subject, body)
+	message, err := conn.formatEmailMessage(from, to, subject, body)
+	if err != nil {
+		t.Fatalf("expected nil error, got %v", err)
+	}
 	messageStr := string(message)
 
 	if !strings.Contains(messageStr, "From: "+from) {
@@ -177,7 +180,10 @@ func TestEmail_FormatHTMLEmailMessage_Headers(t *testing.T) {
 	subject := "HTML Test"
 	htmlBody := "<html><body><h1>Test</h1></body></html>"
 
-	message := conn.formatHTMLEmailMessage(from, to, subject, htmlBody)
+	message, err := conn.formatHTMLEmailMessage(from, to, subject, htmlBody)
+	if err != nil {
+		t.Fatalf("expected nil error, got %v", err)
+	}
 	messageStr := string(message)
 
 	if !strings.Contains(messageStr, "From: "+from) {
@@ -200,6 +206,67 @@ func TestEmail_FormatHTMLEmailMessage_Headers(t *testing.T) {
 	}
 }
 
+// TestEmail_FormatEmailMessage_RejectsCRLFInjection exercises the CRLF
+// sanitizer (CWE-113). A subject containing "\r\nBcc: ..." must be rejected
+// rather than silently stripped — authentication-relevant headers are
+// security-critical and silent mutation masks malicious intent.
+func TestEmail_FormatEmailMessage_RejectsCRLFInjection(t *testing.T) {
+	cfg := &Config{
+		SMTPHost:    "smtp.example.com",
+		SMTPPort:    587,
+		FromAddress: "sender@example.com",
+	}
+	logger := newTestLogger()
+	conn := New(cfg, logger)
+
+	cases := []struct {
+		name          string
+		from, to, sub string
+		wantField     string
+	}{
+		{"CRLF in Subject", "sender@example.com", "recipient@example.com", "hello\r\nBcc: attacker@example.com", "Subject"},
+		{"LF in To", "sender@example.com", "recipient@example.com\nBcc: x@y", "ok", "To"},
+		{"CR in From", "sender@example.com\rExtra: header", "recipient@example.com", "ok", "From"},
+		{"NUL in Subject", "sender@example.com", "recipient@example.com", "hi\x00there", "Subject"},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := conn.formatEmailMessage(tc.from, tc.to, tc.sub, "body")
+			if err == nil {
+				t.Fatal("expected injection error, got nil")
+			}
+			if !strings.Contains(err.Error(), tc.wantField) {
+				t.Errorf("expected error to mention field %q, got %q", tc.wantField, err.Error())
+			}
+		})
+	}
+}
+
+// TestEmail_FormatHTMLEmailMessage_RejectsCRLFInjection mirrors the plain-text
+// test for the HTML codepath used by the digest service.
+func TestEmail_FormatHTMLEmailMessage_RejectsCRLFInjection(t *testing.T) {
+	cfg := &Config{
+		SMTPHost:    "smtp.example.com",
+		SMTPPort:    587,
+		FromAddress: "sender@example.com",
+	}
+	logger := newTestLogger()
+	conn := New(cfg, logger)
+
+	_, err := conn.formatHTMLEmailMessage(
+		"sender@example.com",
+		"recipient@example.com",
+		"digest\r\nBcc: attacker@example.com",
+		"<p>hi</p>",
+	)
+	if err == nil {
+		t.Fatal("expected CRLF injection error, got nil")
+	}
+	if !strings.Contains(err.Error(), "Subject") {
+		t.Errorf("expected error to mention Subject field, got %q", err.Error())
+	}
+}
+
 func TestEmail_FormatAlertBody(t *testing.T) {
 	cfg := &Config{
 		SMTPHost:    "smtp.example.com",

internal/connector/notifier/webhook/webhook.go

@@ -14,8 +14,15 @@ import (
 	"time"
 
 	"github.com/shankar0123/certctl/internal/connector/notifier"
+	"github.com/shankar0123/certctl/internal/validation"
 )
 
+// webhookClientTimeout bounds every outbound webhook request and its
+// resolution/dial phase. Kept as a package-level constant so the timeout is
+// shared by the transport dialer and the http.Client, and so tests can reason
+// about it without plumbing configuration.
+const webhookClientTimeout = 30 * time.Second
+
 // Config represents the webhook notifier configuration.
 type Config struct {
 	URL     string            `json:"url"`
@@ -25,20 +32,69 @@ type Config struct {
 
 // Connector implements the notifier.Connector interface for webhook notifications.
 // It sends alert and event notifications via HTTP POST with optional HMAC signing.
+//
+// validateURL is injected so that the production constructor (New) installs the
+// strict validation.ValidateSafeURL guard while newForTest can install a
+// permissive validator. This is the only way to keep the production SSRF
+// defence unconditionally on in real code while still allowing tests to point
+// at httptest loopback servers. Without this seam, every test using
+// httptest.NewServer would be blocked by the guard's loopback rejection — that
+// is the correct behaviour in production but makes legitimate unit tests
+// impossible to write. The test seam is unexported so no external caller can
+// use it to disable the guard.
 type Connector struct {
-	config *Config
-	logger *slog.Logger
-	client *http.Client
+	config      *Config
+	logger      *slog.Logger
+	client      *http.Client
+	validateURL func(string) error
 }
 
 // New creates a new webhook notifier with the given configuration and logger.
+//
+// The returned connector uses an http.Transport whose DialContext is hardened
+// by validation.SafeHTTPDialContext. That guard re-resolves the target host
+// at dial time and refuses any connection whose resolved address lies in a
+// reserved range (loopback, cloud-metadata link-local, multicast, broadcast,
+// unspecified, IPv6 link-local/multicast). This is the authoritative SSRF
+// defence; validation.ValidateSafeURL inside ValidateConfig/postWebhook is a
+// fast early diagnostic. The two layers together defeat both misconfigured
+// URLs and DNS-rebinding attacks where a name's resolved address changes
+// between validation and dial.
 func New(config *Config, logger *slog.Logger) *Connector {
+	transport := &http.Transport{
+		DialContext:           validation.SafeHTTPDialContext(webhookClientTimeout),
+		TLSHandshakeTimeout:   10 * time.Second,
+		ResponseHeaderTimeout: 10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		ForceAttemptHTTP2:     true,
+	}
 	return &Connector{
 		config: config,
 		logger: logger,
 		client: &http.Client{
-			Timeout: 30 * time.Second,
+			Timeout:   webhookClientTimeout,
+			Transport: transport,
 		},
+		validateURL: validation.ValidateSafeURL,
+	}
+}
+
+// newForTest is an unexported constructor used exclusively by the webhook
+// package's own tests. It installs a permissive URL validator and the stdlib
+// default transport so tests can point the connector at httptest loopback
+// servers (127.0.0.1), which the production SafeHTTPDialContext guard would
+// correctly reject. Production callers cannot reach this constructor because
+// it is unexported; only same-package tests (package webhook) can use it.
+// The SSRF-rejection tests that verify the guard itself still call New so
+// they exercise the real, strict validator.
+func newForTest(config *Config, logger *slog.Logger) *Connector {
+	return &Connector{
+		config: config,
+		logger: logger,
+		client: &http.Client{
+			Timeout: webhookClientTimeout,
+		},
+		validateURL: func(string) error { return nil },
 	}
 }
 
@@ -54,6 +110,18 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 		return fmt.Errorf("webhook url is required")
 	}
 
+	// SSRF guard (CWE-918). Reject reserved-address URLs before issuing any
+	// outbound HTTP — this catches the obvious 127.0.0.1 / ::1 /
+	// 169.254.169.254 / 0.0.0.0 cases at config-ingestion time and produces
+	// a clear operator-facing error. The authoritative, TOCTOU-safe check
+	// still runs at dial time inside SafeHTTPDialContext. Routed through
+	// c.validateURL so newForTest can install a permissive validator for
+	// same-package unit tests; production New always wires
+	// validation.ValidateSafeURL here.
+	if err := c.validateURL(cfg.URL); err != nil {
+		return fmt.Errorf("webhook url rejected: %w", err)
+	}
+
 	c.logger.Info("validating webhook configuration", "url", cfg.URL)
 
 	// Test webhook connectivity with a HEAD request
@@ -150,7 +218,17 @@ func (c *Connector) SendEvent(ctx context.Context, event notifier.Event) error {
 // postWebhook sends a payload to the webhook URL with proper headers and signing.
 // If a secret is configured, it signs the payload using HMAC-SHA256 and includes
 // the signature in the X-Signature header.
+//
+// The URL is re-validated here even though ValidateConfig already accepted it:
+// configuration can be mutated in place, reloaded dynamically, or set directly
+// by tests that bypass ValidateConfig, so this call is a defence-in-depth
+// guard that fails closed before any outbound request is built. Authoritative
+// DNS-rebinding defence still runs at dial time via SafeHTTPDialContext.
 func (c *Connector) postWebhook(ctx context.Context, payload interface{}) error {
+	if err := c.validateURL(c.config.URL); err != nil {
+		return fmt.Errorf("webhook url rejected: %w", err)
+	}
+
 	// Marshal payload to JSON
 	jsonData, err := json.Marshal(payload)
 	if err != nil {

internal/connector/notifier/webhook/webhook_test.go

@@ -32,7 +32,7 @@ func TestWebhook_ValidateConfig_ValidURL(t *testing.T) {
 
 	// Create a new logger (or use test logger)
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 
 	err := conn.ValidateConfig(context.Background(), rawConfig)
 	if err != nil {
@@ -47,7 +47,7 @@ func TestWebhook_ValidateConfig_MissingURL(t *testing.T) {
 
 	rawConfig, _ := json.Marshal(cfg)
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 
 	err := conn.ValidateConfig(context.Background(), rawConfig)
 	if err == nil {
@@ -96,7 +96,7 @@ func TestWebhook_SendAlert_Success(t *testing.T) {
 	}
 
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 
 	alert := notifier.Alert{
 		ID:        "alert-123",
@@ -160,7 +160,7 @@ func TestWebhook_SendAlert_HMACSignature(t *testing.T) {
 	}
 
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 
 	alert := notifier.Alert{
 		ID:        "alert-456",
@@ -199,7 +199,7 @@ func TestWebhook_SendAlert_NoSignatureWithoutSecret(t *testing.T) {
 	}
 
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 
 	alert := notifier.Alert{
 		ID:        "alert-789",
@@ -239,7 +239,7 @@ func TestWebhook_SendAlert_CustomHeaders(t *testing.T) {
 	}
 
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 
 	alert := notifier.Alert{
 		ID:        "alert-custom",
@@ -276,7 +276,7 @@ func TestWebhook_SendAlert_HTTPError(t *testing.T) {
 	}
 
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 
 	alert := notifier.Alert{
 		ID:        "alert-error",
@@ -318,7 +318,7 @@ func TestWebhook_SendEvent_Success(t *testing.T) {
 	}
 
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 
 	certID := "mc-api-prod"
 	event := notifier.Event{
@@ -367,7 +367,7 @@ func TestWebhook_SendEvent_WithoutCertificateID(t *testing.T) {
 	}
 
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)
 
 	event := notifier.Event{
 		ID:        "event-456",
@@ -389,6 +389,130 @@ func TestWebhook_SendEvent_WithoutCertificateID(t *testing.T) {
 	}
 }
 
+// The SSRF tests below exercise the CWE-918 guard added alongside H-4. Each
+// case pairs a reserved-address URL with the call surface that should reject
+// it. ValidateConfig is the early-fail path; SendAlert/SendEvent reach the
+// same guard via postWebhook and are the defence-in-depth that still rejects
+// even when ValidateConfig was bypassed (e.g. dynamic config reload mutating
+// c.config.URL in place).
+
+func TestWebhook_ValidateConfig_RejectsReservedURLs(t *testing.T) {
+	// These must all fail at config-ingestion time without ever opening a
+	// socket — the reserved-address filter is the whole point of H-4.
+	cases := []struct {
+		name string
+		url  string
+	}{
+		{"loopback v4", "http://127.0.0.1/hook"},
+		{"loopback v4 with port", "http://127.0.0.1:8080/"},
+		{"loopback v6 bracketed", "http://[::1]/hook"},
+		{"AWS metadata", "http://169.254.169.254/latest/meta-data/"},
+		{"generic link-local", "http://169.254.1.2/"},
+		{"unspecified v4", "http://0.0.0.0/"},
+		{"unspecified v6", "http://[::]/"},
+		{"IPv6 link-local", "http://[fe80::1]/"},
+		{"multicast", "https://224.0.0.5/"},
+		{"broadcast", "http://255.255.255.255/"},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			cfg := &Config{URL: tc.url}
+			rawConfig, _ := json.Marshal(cfg)
+			conn := New(cfg, newTestLogger())
+
+			err := conn.ValidateConfig(context.Background(), rawConfig)
+			if err == nil {
+				t.Fatalf("ValidateConfig(%q) returned nil, want SSRF rejection", tc.url)
+			}
+			if !strings.Contains(err.Error(), "reserved") && !strings.Contains(err.Error(), "rejected") {
+				t.Errorf("expected reserved/rejected error, got %q", err.Error())
+			}
+		})
+	}
+}
+
+func TestWebhook_ValidateConfig_RejectsDangerousSchemes(t *testing.T) {
+	// Only http(s) is a legitimate webhook transport. Every other scheme is
+	// an SSRF amplifier (file, gopher, ftp, javascript, data, ldap, dict,
+	// jar) and must be refused at config time.
+	cases := []struct {
+		name string
+		url  string
+	}{
+		{"file", "file:///etc/passwd"},
+		{"gopher", "gopher://example.com/_x"},
+		{"ftp", "ftp://example.com/"},
+		{"javascript", "javascript:alert(1)"},
+		{"data", "data:text/plain;base64,SGVsbG8="},
+		{"ldap", "ldap://example.com/"},
+		{"dict", "dict://example.com:2628/d:foo"},
+		{"jar", "jar:http://example.com/foo.jar!/"},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			cfg := &Config{URL: tc.url}
+			rawConfig, _ := json.Marshal(cfg)
+			conn := New(cfg, newTestLogger())
+
+			err := conn.ValidateConfig(context.Background(), rawConfig)
+			if err == nil {
+				t.Fatalf("ValidateConfig(%q) returned nil, want scheme rejection", tc.url)
+			}
+			if !strings.Contains(err.Error(), "rejected") && !strings.Contains(err.Error(), "scheme") {
+				t.Errorf("expected scheme/rejected error, got %q", err.Error())
+			}
+		})
+	}
+}
+
+func TestWebhook_SendAlert_RejectsReservedURLInPostWebhook(t *testing.T) {
+	// Simulate config drift: URL was legitimate at ValidateConfig time but
+	// has since been rewritten to an SSRF target. postWebhook must catch
+	// this on every call without ever hitting the wire.
+	cfg := &Config{URL: "http://169.254.169.254/latest/meta-data/"}
+	conn := New(cfg, newTestLogger())
+
+	alert := notifier.Alert{
+		ID:        "alert-ssrf",
+		Type:      "test",
+		Severity:  "info",
+		Subject:   "Test",
+		Message:   "Test",
+		Recipient: "ops@example.com",
+		CreatedAt: time.Now(),
+	}
+
+	err := conn.SendAlert(context.Background(), alert)
+	if err == nil {
+		t.Fatal("SendAlert returned nil, want SSRF rejection from postWebhook")
+	}
+	if !strings.Contains(err.Error(), "reserved") && !strings.Contains(err.Error(), "rejected") {
+		t.Errorf("expected reserved/rejected error, got %q", err.Error())
+	}
+}
+
+func TestWebhook_SendEvent_RejectsReservedURLInPostWebhook(t *testing.T) {
+	cfg := &Config{URL: "http://[::1]:9/webhook"}
+	conn := New(cfg, newTestLogger())
+
+	event := notifier.Event{
+		ID:        "event-ssrf",
+		Type:      "test",
+		Subject:   "Test",
+		Body:      "Test",
+		Recipient: "ops@example.com",
+		CreatedAt: time.Now(),
+	}
+
+	err := conn.SendEvent(context.Background(), event)
+	if err == nil {
+		t.Fatal("SendEvent returned nil, want SSRF rejection from postWebhook")
+	}
+	if !strings.Contains(err.Error(), "reserved") && !strings.Contains(err.Error(), "rejected") {
+		t.Errorf("expected reserved/rejected error, got %q", err.Error())
+	}
+}
+
 // Helper function to compute HMAC-SHA256 signature
 func computeHMACSHA256(data []byte, secret string) string {
 	h := hmac.New(sha256.New, []byte(secret))

internal/crypto/encryption.go

@@ -1,4 +1,31 @@
 // Package crypto provides AES-256-GCM encryption for sensitive configuration data.
+//
+// The on-disk format for blobs produced by [EncryptIfKeySet] is versioned. Two
+// versions coexist and both can be read by [DecryptIfKeySet]:
+//
+//	v2 (current, M-8)
+//	    magic(0x02) || salt(16) || nonce(12) || ciphertext+tag
+//	    — 32-byte AES-256 key derived via PBKDF2-SHA256 from the operator
+//	      passphrase and the per-ciphertext random salt.
+//
+//	v1 (legacy, pre-M-8)
+//	    nonce(12) || ciphertext+tag
+//	    — 32-byte AES-256 key derived via PBKDF2-SHA256 from the operator
+//	      passphrase and the package-level fixed salt
+//	      "certctl-config-encryption-v1".
+//
+// v1 blobs are accepted by the read path for backward compatibility with rows
+// persisted before the M-8 remediation. They are never produced by the write
+// path. Any row that is updated after M-8 is re-sealed as v2 in-place via the
+// normal UPDATE flow.
+//
+// Rationale for the per-ciphertext salt (see M-8 / CWE-916 / CWE-329): the
+// pre-M-8 design reused a single 28-byte fixed salt for every ciphertext, which
+// (a) removes one defense-in-depth layer against passphrase-space brute force
+// and (b) makes every encrypted column across every row share the exact same
+// derived key. v2 replaces the fixed salt with 16 fresh random bytes per write
+// and stores the salt alongside the ciphertext. Derived keys now differ per
+// row and per re-encryption.
 package crypto
 
 import (
@@ -6,17 +33,77 @@ import (
 	"crypto/cipher"
 	"crypto/rand"
 	"crypto/sha256"
+	"errors"
 	"fmt"
 	"io"
 
 	"golang.org/x/crypto/pbkdf2"
 )
 
+// ErrEncryptionKeyRequired is returned by EncryptIfKeySet and DecryptIfKeySet when
+// the caller provides an empty passphrase but the data on the wire requires
+// protection.
+//
+// Historically these helpers silently returned plaintext when no key was configured,
+// which produced a data-at-rest confidentiality bypass (CWE-311): sensitive fields
+// in dynamically-configured issuer and target records (source='database') were
+// persisted to PostgreSQL without any encryption whenever the operator forgot to
+// set CERTCTL_CONFIG_ENCRYPTION_KEY. Callers could not distinguish the encrypted
+// and plaintext branches at runtime, so the only visible signal was a warning
+// line emitted once at startup.
+//
+// The fix (C-2, commit fb4ce1a) is to fail closed: EncryptIfKeySet/DecryptIfKeySet
+// now require a passphrase whenever they are invoked on sensitive material, and
+// the server refuses to start if any source='database' rows already exist without
+// a configured passphrase.
+var ErrEncryptionKeyRequired = errors.New("crypto: CERTCTL_CONFIG_ENCRYPTION_KEY is required to encrypt or decrypt sensitive config")
+
+// v2Magic is the first byte of every v2-format ciphertext blob. It distinguishes
+// v2 blobs (per-ciphertext random salt, embedded in the blob) from v1 legacy
+// blobs (no magic byte, fixed package-level salt).
+//
+// The choice of 0x02 is deliberate: v1 blobs begin with a random 12-byte AES-GCM
+// nonce. A v1 nonce can coincidentally start with 0x02 with probability 1/256,
+// which makes a pure magic-byte dispatch ambiguous. [DecryptIfKeySet] resolves
+// the ambiguity by falling back to the v1 path when v2 AEAD verification fails.
+const v2Magic byte = 0x02
+
+// v2SaltSize is the length in bytes of the per-ciphertext salt embedded in a
+// v2 blob. 16 bytes (128 bits) matches the lower bound recommended in NIST
+// SP 800-132 §5.1 for PBKDF2 salts and is sufficient given the one-shot-per-row
+// nature of the derivation.
+const v2SaltSize = 16
+
+// pbkdf2Iterations is the PBKDF2-SHA256 work factor applied uniformly to both
+// v1 and v2 key derivations. The value is preserved from the pre-M-8 design so
+// that v1 fallback reads stay bit-identical.
+const pbkdf2Iterations = 100000
+
+// aes256KeySize is the output length in bytes of both [DeriveKey] and
+// [deriveKeyWithSalt]. It is also the only AES key length accepted by [Encrypt]
+// and [Decrypt].
+const aes256KeySize = 32
+
+// legacyV1Salt is the fixed salt used by pre-M-8 config encryption. It is
+// retained exclusively to preserve the v1 read path — any v1 blob that pre-dates
+// M-8 remediation must be decryptable with a key derived from (passphrase,
+// legacyV1Salt). The write path never uses this salt.
+//
+// Exposed as a package-level var rather than a local so that tests can reason
+// about v1 fixture bytes symbolically.
+var legacyV1Salt = []byte("certctl-config-encryption-v1")
+
 // Encrypt encrypts plaintext using AES-256-GCM with a random 12-byte nonce prepended to the output.
 // The key must be exactly 32 bytes (AES-256). Returns [12-byte nonce][ciphertext+tag].
+//
+// Encrypt is a low-level primitive. It is intentionally kept byte-identical to
+// the pre-M-8 implementation so that existing v1 blobs on disk remain
+// decryptable via [Decrypt] when paired with a [DeriveKey]-derived key. New
+// callers should prefer [EncryptIfKeySet], which handles key derivation and
+// emits the v2 wire format.
 func Encrypt(plaintext []byte, key []byte) ([]byte, error) {
-	if len(key) != 32 {
-		return nil, fmt.Errorf("encryption key must be exactly 32 bytes, got %d", len(key))
+	if len(key) != aes256KeySize {
+		return nil, fmt.Errorf("encryption key must be exactly %d bytes, got %d", aes256KeySize, len(key))
 	}
 
 	block, err := aes.NewCipher(key)
@@ -40,9 +127,14 @@ func Encrypt(plaintext []byte, key []byte) ([]byte, error) {
 
 // Decrypt decrypts ciphertext that was encrypted with Encrypt.
 // Expects format: [12-byte nonce][ciphertext+tag]. Key must be exactly 32 bytes.
+//
+// Decrypt is a low-level primitive. It is intentionally kept byte-identical to
+// the pre-M-8 implementation so that [DecryptIfKeySet] can delegate to it for
+// both the v2 inner blob (after stripping the magic byte + embedded salt) and
+// the v1 legacy blob (unmodified).
 func Decrypt(ciphertext []byte, key []byte) ([]byte, error) {
-	if len(key) != 32 {
-		return nil, fmt.Errorf("encryption key must be exactly 32 bytes, got %d", len(key))
+	if len(key) != aes256KeySize {
+		return nil, fmt.Errorf("encryption key must be exactly %d bytes, got %d", aes256KeySize, len(key))
 	}
 
 	block, err := aes.NewCipher(key)
@@ -69,35 +161,133 @@ func Decrypt(ciphertext []byte, key []byte) ([]byte, error) {
 	return plaintext, nil
 }
 
-// DeriveKey derives a 32-byte AES-256 key from a passphrase using PBKDF2-SHA256.
-// Uses a fixed application-specific salt and 100,000 iterations for resistance
-// to brute-force attacks on weak passphrases.
+// DeriveKey derives a 32-byte AES-256 key from a passphrase using PBKDF2-SHA256
+// with the legacy v1 fixed salt.
+//
+// This helper is preserved byte-identical to the pre-M-8 implementation so that
+// v1 ciphertexts persisted before the M-8 remediation remain decryptable
+// unchanged. New code paths should prefer [EncryptIfKeySet] and
+// [DecryptIfKeySet], which use a per-ciphertext random salt.
 func DeriveKey(passphrase string) []byte {
-	// Fixed salt is acceptable here because:
-	// 1. Each certctl instance has its own passphrase
-	// 2. The salt prevents generic rainbow table attacks
-	// 3. Per-user salts are unnecessary (single server key, not user passwords)
-	salt := []byte("certctl-config-encryption-v1")
-	return pbkdf2.Key([]byte(passphrase), salt, 100000, 32, sha256.New)
+	return deriveKeyWithSalt(passphrase, legacyV1Salt)
 }
 
-// EncryptIfKeySet encrypts plaintext if a key is provided, otherwise returns plaintext unchanged.
-// This supports the development/demo fallback where encryption isn't configured.
-func EncryptIfKeySet(plaintext []byte, key []byte) ([]byte, bool, error) {
-	if len(key) == 0 {
-		return plaintext, false, nil
+// deriveKeyWithSalt derives a 32-byte AES-256 key from a passphrase and an
+// explicit salt using PBKDF2-SHA256 with [pbkdf2Iterations] rounds.
+//
+// The per-ciphertext random salt path (v2) calls this directly with a fresh
+// 16-byte random salt embedded in the ciphertext blob. The legacy path
+// ([DeriveKey]) calls it with the package-level fixed salt [legacyV1Salt].
+func deriveKeyWithSalt(passphrase string, salt []byte) []byte {
+	return pbkdf2.Key([]byte(passphrase), salt, pbkdf2Iterations, aes256KeySize, sha256.New)
+}
+
+// IsLegacyFormat reports whether blob is in the v1 legacy wire format (no magic
+// byte, fixed-salt derivation) as opposed to the v2 wire format
+// (magic(0x02) || salt(16) || nonce(12) || ciphertext+tag).
+//
+// A return value of false is a necessary but not sufficient condition for a
+// blob to be a valid v2 ciphertext: the shortest possible v2 blob is
+// 1 + v2SaltSize + 12 = 29 bytes, and even a 29+ byte blob that starts with
+// 0x02 may turn out to be a v1 ciphertext whose random nonce happens to begin
+// with 0x02 (probability 1/256). [DecryptIfKeySet] resolves this ambiguity at
+// decrypt time by falling back to v1 when v2 AEAD verification fails; callers
+// of IsLegacyFormat should use it only as a heuristic (e.g. migration
+// tooling, log annotation).
+func IsLegacyFormat(blob []byte) bool {
+	if len(blob) == 0 {
+		return false
 	}
-	encrypted, err := Encrypt(plaintext, key)
+	return blob[0] != v2Magic
+}
+
+// EncryptIfKeySet encrypts plaintext with the supplied passphrase and emits a
+// v2 wire-format blob: magic(0x02) || salt(16) || nonce(12) || ciphertext+tag.
+//
+// Key derivation is performed internally per invocation with a fresh 16-byte
+// random salt, producing a distinct AES-256 key for every ciphertext. The
+// operator-supplied passphrase is the only cross-ciphertext shared secret.
+//
+// The second return value is always true when err == nil — the "wasEncrypted"
+// flag is retained for source-compatibility with callers that previously used
+// it to log provenance. Callers MUST handle err: passing an empty passphrase
+// returns [ErrEncryptionKeyRequired] rather than silently emitting plaintext.
+// See the package-level [ErrEncryptionKeyRequired] documentation for the
+// history behind this behavior change (C-2).
+//
+// The write path never produces a v1 blob. v1 blobs are read-only legacy
+// state — see [DecryptIfKeySet] for the compatibility fallback.
+func EncryptIfKeySet(plaintext []byte, passphrase string) ([]byte, bool, error) {
+	if passphrase == "" {
+		return nil, false, ErrEncryptionKeyRequired
+	}
+
+	salt := make([]byte, v2SaltSize)
+	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
+		return nil, false, fmt.Errorf("failed to generate v2 salt: %w", err)
+	}
+
+	key := deriveKeyWithSalt(passphrase, salt)
+	inner, err := Encrypt(plaintext, key)
 	if err != nil {
 		return nil, false, err
 	}
-	return encrypted, true, nil
+
+	// v2 blob layout: magic(1) || salt(v2SaltSize) || inner
+	blob := make([]byte, 0, 1+v2SaltSize+len(inner))
+	blob = append(blob, v2Magic)
+	blob = append(blob, salt...)
+	blob = append(blob, inner...)
+	return blob, true, nil
 }
 
-// DecryptIfKeySet decrypts ciphertext if a key is provided, otherwise returns ciphertext unchanged.
-func DecryptIfKeySet(ciphertext []byte, key []byte) ([]byte, error) {
-	if len(key) == 0 {
-		return ciphertext, nil
+// DecryptIfKeySet decrypts blob with the supplied passphrase, supporting both
+// v2 (M-8 and later) and v1 (legacy) on-disk formats.
+//
+// Dispatch is first-byte magic + AEAD fallback. If blob starts with
+// [v2Magic] and is long enough to contain a v2 header plus an AEAD-authenticated
+// inner ciphertext, a v2 decrypt is attempted using a key derived from the
+// embedded salt. If that succeeds, its plaintext is returned. If v2 AEAD
+// verification fails — which covers both the "wrong passphrase" case and the
+// 1/256 case where a v1 blob's first byte happens to be 0x02 — the function
+// falls through to the v1 path and attempts decryption using a key derived
+// from the package-level fixed salt [legacyV1Salt].
+//
+// Passing an empty passphrase returns [ErrEncryptionKeyRequired]. Callers that
+// legitimately store plaintext (e.g. env-seeded source='env' rows that keep the
+// raw JSON in the unencrypted `config` column) must branch on the presence of
+// the ciphertext themselves rather than relying on this helper to silently
+// pass bytes through. See the package-level [ErrEncryptionKeyRequired]
+// documentation for the history behind this behavior change (C-2).
+//
+// The function never re-encrypts in place. A v1 blob that is successfully
+// decrypted is returned to the caller as plaintext; re-sealing as v2 happens
+// naturally on the next UPDATE via [EncryptIfKeySet].
+func DecryptIfKeySet(blob []byte, passphrase string) ([]byte, error) {
+	if passphrase == "" {
+		return nil, ErrEncryptionKeyRequired
 	}
-	return Decrypt(ciphertext, key)
+	if len(blob) == 0 {
+		return nil, fmt.Errorf("ciphertext is empty")
+	}
+
+	// v2 path: magic || salt(16) || nonce(12) || ciphertext+tag (min 29 bytes
+	// ignoring the GCM tag; the AEAD verify inside Decrypt enforces the tag).
+	if blob[0] == v2Magic && len(blob) >= 1+v2SaltSize+12 {
+		salt := blob[1 : 1+v2SaltSize]
+		sealed := blob[1+v2SaltSize:]
+		key := deriveKeyWithSalt(passphrase, salt)
+		if plaintext, err := Decrypt(sealed, key); err == nil {
+			return plaintext, nil
+		}
+		// v2 AEAD verification failed. Fall through to v1 so that a v1 blob
+		// whose first byte happens to be 0x02 (1/256 probability) is still
+		// decryptable. If this is truly a v2 blob with the wrong passphrase,
+		// the v1 attempt below will also fail and the v1 error is returned.
+	}
+
+	// v1 legacy path: blob is the full ciphertext with no header and was
+	// sealed with a key derived from (passphrase, legacyV1Salt).
+	key := DeriveKey(passphrase)
+	return Decrypt(blob, key)
 }

internal/crypto/encryption_test.go

@@ -2,6 +2,9 @@ package crypto
 
 import (
 	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"errors"
 	"testing"
 )
 
@@ -125,21 +128,20 @@ func TestDeriveKeyDifferentPassphrases(t *testing.T) {
 }
 
 func TestEncryptIfKeySet_WithKey(t *testing.T) {
-	key := DeriveKey("test-key")
 	plaintext := []byte("config data")
 
-	result, wasEncrypted, err := EncryptIfKeySet(plaintext, key)
+	result, wasEncrypted, err := EncryptIfKeySet(plaintext, "test-passphrase")
 	if err != nil {
 		t.Fatalf("EncryptIfKeySet failed: %v", err)
 	}
 	if !wasEncrypted {
-		t.Fatal("expected wasEncrypted=true when key provided")
+		t.Fatal("expected wasEncrypted=true when passphrase provided")
 	}
 	if bytes.Equal(result, plaintext) {
 		t.Fatal("result should be encrypted")
 	}
 
-	decrypted, err := DecryptIfKeySet(result, key)
+	decrypted, err := DecryptIfKeySet(result, "test-passphrase")
 	if err != nil {
 		t.Fatalf("DecryptIfKeySet failed: %v", err)
 	}
@@ -148,31 +150,117 @@ func TestEncryptIfKeySet_WithKey(t *testing.T) {
 	}
 }
 
-func TestEncryptIfKeySet_NilKey(t *testing.T) {
+// TestEncryptIfKeySet_EmptyKeyFailsClosed asserts the C-2 regression guard:
+// EncryptIfKeySet must refuse to silently emit plaintext when no passphrase is
+// configured. The pre-fix behavior was to return plaintext with
+// wasEncrypted=false, which produced a data-at-rest confidentiality bypass
+// (CWE-311) for GUI-created issuer and target configs.
+func TestEncryptIfKeySet_EmptyKeyFailsClosed(t *testing.T) {
 	plaintext := []byte("config data")
 
-	result, wasEncrypted, err := EncryptIfKeySet(plaintext, nil)
-	if err != nil {
-		t.Fatalf("EncryptIfKeySet with nil key failed: %v", err)
+	result, wasEncrypted, err := EncryptIfKeySet(plaintext, "")
+	if err == nil {
+		t.Fatal("expected ErrEncryptionKeyRequired, got nil")
+	}
+	if !errors.Is(err, ErrEncryptionKeyRequired) {
+		t.Fatalf("expected ErrEncryptionKeyRequired, got %v", err)
 	}
 	if wasEncrypted {
-		t.Fatal("expected wasEncrypted=false when key is nil")
+		t.Fatal("wasEncrypted must be false on error")
 	}
-	if !bytes.Equal(result, plaintext) {
-		t.Fatal("result should be unchanged plaintext when key is nil")
+	if result != nil {
+		t.Fatalf("expected nil result on error, got %q", result)
 	}
 }
 
-func TestDecryptIfKeySet_NilKey(t *testing.T) {
+// TestDecryptIfKeySet_EmptyKeyFailsClosed asserts the matching C-2 regression
+// guard on the read path: DecryptIfKeySet must refuse to pass ciphertext
+// through as plaintext when no passphrase is configured.
+func TestDecryptIfKeySet_EmptyKeyFailsClosed(t *testing.T) {
 	data := []byte("plaintext config data")
 
-	result, err := DecryptIfKeySet(data, nil)
+	result, err := DecryptIfKeySet(data, "")
+	if err == nil {
+		t.Fatal("expected ErrEncryptionKeyRequired, got nil")
+	}
+	if !errors.Is(err, ErrEncryptionKeyRequired) {
+		t.Fatalf("expected ErrEncryptionKeyRequired, got %v", err)
+	}
+	if result != nil {
+		t.Fatalf("expected nil result on error, got %q", result)
+	}
+}
+
+// TestEncryptDecryptIfKeySet_RoundTripProducesDifferentCiphertext proves the
+// "if set" helpers produce real AES-GCM output (not plaintext) and that a full
+// round-trip through both helpers recovers the original bytes.
+func TestEncryptDecryptIfKeySet_RoundTripProducesDifferentCiphertext(t *testing.T) {
+	plaintext := []byte(`{"api_key":"s3cr3t","token":"abc"}`)
+
+	encrypted, wasEncrypted, err := EncryptIfKeySet(plaintext, "round-trip-key")
 	if err != nil {
-		t.Fatalf("DecryptIfKeySet with nil key failed: %v", err)
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
 	}
-	if !bytes.Equal(result, data) {
-		t.Fatal("result should be unchanged when key is nil")
+	if !wasEncrypted {
+		t.Fatal("wasEncrypted must be true when passphrase is present")
 	}
+	if bytes.Equal(encrypted, plaintext) {
+		t.Fatal("EncryptIfKeySet returned plaintext — would regress C-2")
+	}
+
+	decrypted, err := DecryptIfKeySet(encrypted, "round-trip-key")
+	if err != nil {
+		t.Fatalf("DecryptIfKeySet failed: %v", err)
+	}
+	if !bytes.Equal(decrypted, plaintext) {
+		t.Fatalf("round-trip mismatch: got %q, want %q", decrypted, plaintext)
+	}
+}
+
+// TestDecryptIfKeySet_RejectsTamperedCiphertext confirms the AEAD auth tag
+// still rejects modified ciphertext when routed through the helper. The v2
+// wire format is magic(1) || salt(16) || nonce(12) || ciphertext+tag, so
+// flipping a byte anywhere past offset 29 lands squarely inside the AEAD body.
+func TestDecryptIfKeySet_RejectsTamperedCiphertext(t *testing.T) {
+	plaintext := []byte("authenticated data")
+
+	encrypted, _, err := EncryptIfKeySet(plaintext, "tamper-test-key")
+	if err != nil {
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
+	}
+	// Flip a byte past the v2 header (1 + 16 + 12 = 29) to invalidate the tag.
+	const minV2HeaderLen = 1 + v2SaltSize + 12
+	if len(encrypted) <= minV2HeaderLen {
+		t.Fatalf("ciphertext too short to tamper: %d bytes", len(encrypted))
+	}
+	encrypted[minV2HeaderLen] ^= 0xFF
+
+	if _, err := DecryptIfKeySet(encrypted, "tamper-test-key"); err == nil {
+		t.Fatal("DecryptIfKeySet accepted tampered ciphertext — AEAD tag check bypassed")
+	}
+}
+
+// TestEncryptIfKeySet_PreservesErrEncryptionKeyRequiredSentinel guards the
+// stability of the public sentinel error so audit-log detectors and callers
+// outside this package can rely on errors.Is(err, ErrEncryptionKeyRequired).
+func TestEncryptIfKeySet_PreservesErrEncryptionKeyRequiredSentinel(t *testing.T) {
+	if ErrEncryptionKeyRequired == nil {
+		t.Fatal("ErrEncryptionKeyRequired sentinel must be non-nil")
+	}
+	if ErrEncryptionKeyRequired.Error() == "" {
+		t.Fatal("ErrEncryptionKeyRequired must carry a non-empty message")
+	}
+	// Wrap it and confirm errors.Is unwraps correctly — real callers wrap with %w.
+	wrapped := wrapSentinel(ErrEncryptionKeyRequired)
+	if !errors.Is(wrapped, ErrEncryptionKeyRequired) {
+		t.Fatal("errors.Is must unwrap ErrEncryptionKeyRequired through %w-wrapped callers")
+	}
+}
+
+// wrapSentinel is a tiny helper that mimics how production callers propagate
+// the sentinel (e.g. fmt.Errorf("failed to encrypt config: %w", err)).
+func wrapSentinel(err error) error {
+	return errors.Join(errors.New("failed to encrypt config"), err)
 }
 
 func TestEncryptProducesDifferentCiphertexts(t *testing.T) {
@@ -186,3 +274,217 @@ func TestEncryptProducesDifferentCiphertexts(t *testing.T) {
 		t.Fatal("encrypting same plaintext twice should produce different ciphertexts (random nonce)")
 	}
 }
+
+// ---------------------------------------------------------------------------
+// M-8 additions: per-ciphertext salt + v2 wire format + v1 backward compat.
+// ---------------------------------------------------------------------------
+
+// TestDeriveKey_DifferentSaltsProduceDifferentKeys asserts that
+// deriveKeyWithSalt fans out distinct 32-byte keys for the same passphrase
+// across different salts. This is the core M-8 defense-in-depth property: even
+// if an attacker obtains two v2 ciphertexts encrypted with the same master
+// passphrase, the derived AES keys differ, and a brute-force attempt on one
+// blob cannot be amortized across the other.
+func TestDeriveKey_DifferentSaltsProduceDifferentKeys(t *testing.T) {
+	passphrase := "master-passphrase"
+	saltA := bytes.Repeat([]byte{0xAA}, v2SaltSize)
+	saltB := bytes.Repeat([]byte{0xBB}, v2SaltSize)
+
+	keyA := deriveKeyWithSalt(passphrase, saltA)
+	keyB := deriveKeyWithSalt(passphrase, saltB)
+
+	if len(keyA) != aes256KeySize || len(keyB) != aes256KeySize {
+		t.Fatalf("derived key length wrong: %d / %d", len(keyA), len(keyB))
+	}
+	if bytes.Equal(keyA, keyB) {
+		t.Fatal("deriveKeyWithSalt must produce different keys for different salts")
+	}
+
+	// Sanity-check that deterministic behaviour is preserved under a fixed salt.
+	keyA2 := deriveKeyWithSalt(passphrase, saltA)
+	if !bytes.Equal(keyA, keyA2) {
+		t.Fatal("deriveKeyWithSalt must be deterministic for a fixed (passphrase, salt)")
+	}
+}
+
+// TestEncryptIfKeySet_ProducesV2Format asserts the exact v2 wire-format bytes:
+// magic(0x02) || salt(16) || nonce(12) || ciphertext+tag.
+func TestEncryptIfKeySet_ProducesV2Format(t *testing.T) {
+	blob, _, err := EncryptIfKeySet([]byte("hello"), "any-passphrase")
+	if err != nil {
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
+	}
+
+	const minLen = 1 + v2SaltSize + 12 + 16 // magic + salt + nonce + GCM tag (16)
+	if len(blob) < minLen {
+		t.Fatalf("v2 blob too short: got %d, want >= %d", len(blob), minLen)
+	}
+	if blob[0] != v2Magic {
+		t.Fatalf("v2 blob must start with magic byte 0x%02x, got 0x%02x", v2Magic, blob[0])
+	}
+	if IsLegacyFormat(blob) {
+		t.Fatal("IsLegacyFormat must return false for a freshly produced v2 blob")
+	}
+}
+
+// TestEncryptIfKeySet_SaltIsRandom asserts that two calls with the same
+// passphrase and plaintext produce distinct embedded salts.
+func TestEncryptIfKeySet_SaltIsRandom(t *testing.T) {
+	plaintext := []byte("same plaintext")
+	passphrase := "same-passphrase"
+
+	blob1, _, err := EncryptIfKeySet(plaintext, passphrase)
+	if err != nil {
+		t.Fatalf("EncryptIfKeySet #1 failed: %v", err)
+	}
+	blob2, _, err := EncryptIfKeySet(plaintext, passphrase)
+	if err != nil {
+		t.Fatalf("EncryptIfKeySet #2 failed: %v", err)
+	}
+
+	salt1 := blob1[1 : 1+v2SaltSize]
+	salt2 := blob2[1 : 1+v2SaltSize]
+	if bytes.Equal(salt1, salt2) {
+		t.Fatal("two EncryptIfKeySet invocations must produce distinct per-ciphertext salts")
+	}
+	if bytes.Equal(blob1, blob2) {
+		t.Fatal("two v2 blobs with same (passphrase, plaintext) must differ end-to-end")
+	}
+}
+
+// TestDecryptIfKeySet_V1BackwardCompat builds a deterministic v1-format
+// ciphertext using the pre-M-8 recipe (DeriveKey with the fixed salt, then
+// Encrypt with an all-zero nonce for reproducibility) and asserts that
+// DecryptIfKeySet still decrypts it correctly. This is the migration guarantee:
+// v1 blobs persisted before M-8 must remain decryptable.
+func TestDecryptIfKeySet_V1BackwardCompat(t *testing.T) {
+	passphrase := "legacy-passphrase"
+	plaintext := []byte(`{"api_key":"legacy","org_id":"789"}`)
+
+	// Build a deterministic v1 blob directly: nonce(12 zero bytes) || ct+tag.
+	// This matches the exact wire shape that Encrypt produces, minus the random
+	// nonce, so the test is stable rather than 1/256 flaky.
+	key := DeriveKey(passphrase) // fixed-salt derivation (pre-M-8 behavior)
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		t.Fatalf("aes.NewCipher: %v", err)
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		t.Fatalf("cipher.NewGCM: %v", err)
+	}
+	nonce := make([]byte, gcm.NonceSize()) // all zeros → first byte != v2Magic
+	v1Blob := gcm.Seal(nonce, nonce, plaintext, nil)
+	if v1Blob[0] == v2Magic {
+		t.Fatalf("fixture nonce collided with v2 magic byte — test design error")
+	}
+
+	decrypted, err := DecryptIfKeySet(v1Blob, passphrase)
+	if err != nil {
+		t.Fatalf("DecryptIfKeySet(v1) failed: %v", err)
+	}
+	if !bytes.Equal(decrypted, plaintext) {
+		t.Fatalf("v1 decrypt mismatch: got %q, want %q", decrypted, plaintext)
+	}
+
+	// Cross-check: IsLegacyFormat should flag this as legacy.
+	if !IsLegacyFormat(v1Blob) {
+		t.Fatal("IsLegacyFormat must return true for a v1 blob whose first byte != v2Magic")
+	}
+}
+
+// TestDecryptIfKeySet_V1MagicByteCollisionFallsThrough covers the 1/256 edge
+// case where a v1 ciphertext's random 12-byte nonce happens to begin with
+// 0x02. The dispatch must attempt v2, see AEAD failure, and fall through to
+// v1 — never return a decrypt error when the passphrase is correct.
+func TestDecryptIfKeySet_V1MagicByteCollisionFallsThrough(t *testing.T) {
+	passphrase := "collision-passphrase"
+	plaintext := []byte("colliding v1 blob")
+
+	// Craft a v1 blob whose first byte equals v2Magic by choosing a nonce
+	// starting with 0x02 and sealing manually.
+	key := DeriveKey(passphrase)
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		t.Fatalf("aes.NewCipher: %v", err)
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		t.Fatalf("cipher.NewGCM: %v", err)
+	}
+	nonce := make([]byte, gcm.NonceSize())
+	nonce[0] = v2Magic // force collision
+	v1Blob := gcm.Seal(nonce, nonce, plaintext, nil)
+	if v1Blob[0] != v2Magic {
+		t.Fatal("fixture construction bug: first byte must equal v2Magic")
+	}
+
+	decrypted, err := DecryptIfKeySet(v1Blob, passphrase)
+	if err != nil {
+		t.Fatalf("DecryptIfKeySet must fall through to v1 on AEAD failure, got err: %v", err)
+	}
+	if !bytes.Equal(decrypted, plaintext) {
+		t.Fatalf("v1-via-fallback decrypt mismatch: got %q, want %q", decrypted, plaintext)
+	}
+}
+
+// TestDecryptIfKeySet_V2WithWrongPassphraseFails asserts that a v2 blob
+// sealed under passphrase A cannot be decrypted under passphrase B. Both the
+// v2 AEAD verify (with salt from the blob + passphrase B) and the v1 fallback
+// (with fixed salt + passphrase B) must fail, and an error must be returned
+// rather than silently-corrupt plaintext.
+func TestDecryptIfKeySet_V2WithWrongPassphraseFails(t *testing.T) {
+	blob, _, err := EncryptIfKeySet([]byte("secret"), "passphrase-A")
+	if err != nil {
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
+	}
+
+	got, err := DecryptIfKeySet(blob, "passphrase-B")
+	if err == nil {
+		t.Fatalf("DecryptIfKeySet must return error for wrong passphrase, got plaintext %q", got)
+	}
+	if got != nil {
+		t.Fatalf("result must be nil on decrypt error, got %q", got)
+	}
+}
+
+// TestDecryptIfKeySet_TruncatedV2Blob asserts that a blob starting with the v2
+// magic byte but too short to contain a full v2 header does not trip an
+// out-of-bounds slice and does not succeed. It either returns an error (v1
+// fallback on the short bytes fails with "ciphertext too short") or at minimum
+// never returns plaintext.
+func TestDecryptIfKeySet_TruncatedV2Blob(t *testing.T) {
+	truncated := []byte{v2Magic, 0x00, 0x01, 0x02, 0x03} // 5 bytes — well below the 29-byte v2 minimum
+	got, err := DecryptIfKeySet(truncated, "any-passphrase")
+	if err == nil {
+		t.Fatalf("DecryptIfKeySet must reject a truncated v2 blob, got plaintext %q", got)
+	}
+	if got != nil {
+		t.Fatalf("result must be nil on decrypt error, got %q", got)
+	}
+}
+
+// TestIsLegacyFormat covers the three branches of the public magic-byte
+// heuristic: v2 blob → false, v1 blob → true, empty blob → false.
+func TestIsLegacyFormat(t *testing.T) {
+	v2Blob, _, err := EncryptIfKeySet([]byte("data"), "p")
+	if err != nil {
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
+	}
+	if IsLegacyFormat(v2Blob) {
+		t.Fatal("v2 blob must not be flagged as legacy")
+	}
+
+	// Any blob whose first byte isn't v2Magic should be reported as legacy.
+	v1Shape := []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0xFF}
+	if !IsLegacyFormat(v1Shape) {
+		t.Fatal("non-v2-magic blob must be flagged as legacy")
+	}
+
+	if IsLegacyFormat(nil) {
+		t.Fatal("nil blob must not be flagged as legacy (undefined)")
+	}
+	if IsLegacyFormat([]byte{}) {
+		t.Fatal("empty blob must not be flagged as legacy (undefined)")
+	}
+}

internal/domain/policy.go

@@ -12,6 +12,7 @@ type PolicyRule struct {
 	Type      PolicyType      `json:"type"`
 	Config    json.RawMessage `json:"config"`
 	Enabled   bool            `json:"enabled"`
+	Severity  PolicySeverity  `json:"severity"`
 	CreatedAt time.Time       `json:"created_at"`
 	UpdatedAt time.Time       `json:"updated_at"`
 }
@@ -20,11 +21,12 @@ type PolicyRule struct {
 type PolicyType string
 
 const (
-	PolicyTypeAllowedIssuers      PolicyType = "AllowedIssuers"
-	PolicyTypeAllowedDomains      PolicyType = "AllowedDomains"
-	PolicyTypeRequiredMetadata    PolicyType = "RequiredMetadata"
-	PolicyTypeAllowedEnvironments PolicyType = "AllowedEnvironments"
-	PolicyTypeRenewalLeadTime     PolicyType = "RenewalLeadTime"
+	PolicyTypeAllowedIssuers       PolicyType = "AllowedIssuers"
+	PolicyTypeAllowedDomains       PolicyType = "AllowedDomains"
+	PolicyTypeRequiredMetadata     PolicyType = "RequiredMetadata"
+	PolicyTypeAllowedEnvironments  PolicyType = "AllowedEnvironments"
+	PolicyTypeRenewalLeadTime      PolicyType = "RenewalLeadTime"
+	PolicyTypeCertificateLifetime  PolicyType = "CertificateLifetime"
 )
 
 // PolicyViolation records an instance of a certificate violating a policy rule.

internal/domain/revocation.go

@@ -43,6 +43,38 @@ func CRLReasonCode(reason RevocationReason) int {
 	return 0 // unspecified
 }
 
+// BulkRevocationCriteria defines the filter criteria for bulk certificate revocation.
+// At least one field must be set — empty criteria is rejected as a safety guard.
+type BulkRevocationCriteria struct {
+	ProfileID      string   `json:"profile_id,omitempty"`
+	OwnerID        string   `json:"owner_id,omitempty"`
+	AgentID        string   `json:"agent_id,omitempty"`
+	IssuerID       string   `json:"issuer_id,omitempty"`
+	TeamID         string   `json:"team_id,omitempty"`
+	CertificateIDs []string `json:"certificate_ids,omitempty"`
+}
+
+// IsEmpty returns true if no filter criteria are set.
+func (c BulkRevocationCriteria) IsEmpty() bool {
+	return c.ProfileID == "" && c.OwnerID == "" && c.AgentID == "" &&
+		c.IssuerID == "" && c.TeamID == "" && len(c.CertificateIDs) == 0
+}
+
+// BulkRevocationResult contains the outcome of a bulk revocation operation.
+type BulkRevocationResult struct {
+	TotalMatched int                    `json:"total_matched"`
+	TotalRevoked int                    `json:"total_revoked"`
+	TotalSkipped int                    `json:"total_skipped"`
+	TotalFailed  int                    `json:"total_failed"`
+	Errors       []BulkRevocationError  `json:"errors,omitempty"`
+}
+
+// BulkRevocationError records a per-certificate revocation failure.
+type BulkRevocationError struct {
+	CertificateID string `json:"certificate_id"`
+	Error         string `json:"error"`
+}
+
 // CertificateRevocation records the revocation of a specific certificate version.
 // Used as the authoritative source for CRL generation.
 type CertificateRevocation struct {

internal/integration/e2e_test.go

@@ -158,7 +158,7 @@ func TestCrossResourceWorkflow(t *testing.T) {
 		payload := map[string]interface{}{
 			"name":        "Allowed Domains Policy",
 			"type":        "AllowedDomains",
-			"severity":    "High",
+			"severity":    "Error",
 			"config":      json.RawMessage(`{"domains": ["example.com", "*.example.com"]}`),
 			"description": "Restrict issuance to example.com domains",
 		}
@@ -517,12 +517,18 @@ func TestNotificationEndpoints(t *testing.T) {
 	})
 }
 
-// TestCRLEndpoint exercises the CRL listing endpoint (M15a).
+// TestCRLEndpoint exercises the RFC 5280 DER-encoded CRL endpoint served
+// unauthenticated at /.well-known/pki/crl/{issuer_id} (M-006 relocation from
+// the pre-M-006 JSON CRL at /api/v1/crl, which was removed entirely because
+// RFC 5280 §5 defines only the DER wire format).
 func TestCRLEndpoint(t *testing.T) {
 	server, _, _, _ := setupTestServer(t)
 
-	t.Run("GetCRL_JSON", func(t *testing.T) {
-		resp, err := http.Get(server.URL + "/api/v1/crl")
+	t.Run("GetDERCRL_Unauthenticated", func(t *testing.T) {
+		// Intentionally no Authorization header — relying parties can't present
+		// a certctl API key, so the PKI endpoints are exposed under the
+		// RFC 8615 `.well-known` namespace with auth bypassed.
+		resp, err := http.Get(server.URL + "/.well-known/pki/crl/iss-local")
 		if err != nil {
 			t.Fatalf("request failed: %v", err)
 		}
@@ -531,15 +537,17 @@ func TestCRLEndpoint(t *testing.T) {
 			bodyBytes, _ := io.ReadAll(resp.Body)
 			t.Fatalf("expected 200, got %d: %s", resp.StatusCode, string(bodyBytes))
 		}
-		var crl map[string]interface{}
-		json.NewDecoder(resp.Body).Decode(&crl)
-		if crl["version"] == nil {
-			t.Error("expected version field in CRL response")
+		if ct := resp.Header.Get("Content-Type"); ct != "application/pkix-crl" {
+			t.Errorf("expected Content-Type application/pkix-crl, got %s", ct)
 		}
-		if crl["entries"] == nil {
-			t.Error("expected entries field in CRL response")
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			t.Fatalf("read body failed: %v", err)
 		}
-		t.Logf("CRL response: version=%v, entries_count=%v", crl["version"], crl["total"])
+		if len(body) == 0 {
+			t.Error("expected non-empty DER CRL body")
+		}
+		t.Logf("DER CRL response: %d bytes", len(body))
 	})
 }
 

internal/integration/lifecycle_test.go

@@ -3,6 +3,7 @@ package integration
 import (
 	"bytes"
 	"context"
+	"database/sql"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -64,9 +65,15 @@ func TestCertificateLifecycle(t *testing.T) {
 	certificateService.SetTargetRepo(targetRepo)
 	renewalService := service.NewRenewalService(certRepo, jobRepo, renewalPolicyRepo, nil, auditService, notificationService, issuerRegistry, "server")
 	deploymentService := service.NewDeploymentService(jobRepo, targetRepo, agentRepo, certRepo, auditService, notificationService)
-	jobService := service.NewJobService(jobRepo, renewalService, deploymentService, logger)
+	ownerRepo := newMockOwnerRepository()
+	jobService := service.NewJobService(jobRepo, certRepo, ownerRepo, renewalService, deploymentService, logger)
 	agentService := service.NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, renewalService)
-	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, nil, slog.Default())
+	// 32-byte AES-256 test key — C-2 remediation makes IssuerService fail closed
+	// without a configured CERTCTL_CONFIG_ENCRYPTION_KEY. Happy-path CRUD tests
+	// must supply a real key so the encrypt path runs instead of returning
+	// ErrEncryptionKeyRequired.
+	testEncryptionKey := "0123456789abcdef0123456789abcdef"
+	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, testEncryptionKey, slog.Default())
 
 	// Initialize handlers
 	certificateHandler := handler.NewCertificateHandler(certificateService)
@@ -113,7 +120,8 @@ func TestCertificateLifecycle(t *testing.T) {
 		Health:        healthHandler,
 		Discovery:     discoveryHandler,
 		NetworkScan:   networkScanHandler,
-		Verification:  verificationHandler,
+		Verification:    verificationHandler,
+		BulkRevocation:  handler.BulkRevocationHandler{},
 	})
 	r.RegisterESTHandlers(estHandler)
 
@@ -579,6 +587,24 @@ func (m *mockCertificateRepository) GetLatestVersion(ctx context.Context, certID
 	return versions[len(versions)-1], nil
 }
 
+// GetByIssuerAndSerial emulates the PostgreSQL JOIN that scopes cert lookup to
+// (issuer_id, serial). Returns sql.ErrNoRows when no match exists so callers
+// that branch on errors.Is(err, sql.ErrNoRows) (notably the OCSP handler's
+// M-004 "unknown" fallback) behave the same in-memory as against PostgreSQL.
+func (m *mockCertificateRepository) GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.ManagedCertificate, error) {
+	for _, cert := range m.certs {
+		if cert.IssuerID != issuerID {
+			continue
+		}
+		for _, v := range m.versions[cert.ID] {
+			if v.SerialNumber == serial {
+				return cert, nil
+			}
+		}
+	}
+	return nil, sql.ErrNoRows
+}
+
 type mockJobRepository struct {
 	jobs map[string]*domain.Job
 }
@@ -676,6 +702,46 @@ func (m *mockJobRepository) ListPendingByAgentID(ctx context.Context, agentID st
 	return result, nil
 }
 
+// ClaimPendingJobs mirrors the production H-6 semantics: Pending jobs of the given type
+// (or any type when jobType is empty) flip to Running before being returned. limit <= 0
+// means unlimited.
+func (m *mockJobRepository) ClaimPendingJobs(ctx context.Context, jobType domain.JobType, limit int) ([]*domain.Job, error) {
+	var claimed []*domain.Job
+	for _, j := range m.jobs {
+		if j.Status != domain.JobStatusPending {
+			continue
+		}
+		if jobType != "" && j.Type != jobType {
+			continue
+		}
+		j.Status = domain.JobStatusRunning
+		claimed = append(claimed, j)
+		if limit > 0 && len(claimed) >= limit {
+			break
+		}
+	}
+	return claimed, nil
+}
+
+// ClaimPendingByAgentID mirrors the production H-6 semantics: Pending deployment rows for
+// the agent flip to Running; AwaitingCSR rows are returned with state preserved.
+func (m *mockJobRepository) ClaimPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error) {
+	var result []*domain.Job
+	for _, j := range m.jobs {
+		if j.AgentID == nil || *j.AgentID != agentID {
+			continue
+		}
+		switch {
+		case j.Status == domain.JobStatusPending && j.Type == domain.JobTypeDeployment:
+			j.Status = domain.JobStatusRunning
+			result = append(result, j)
+		case j.Status == domain.JobStatusAwaitingCSR:
+			result = append(result, j)
+		}
+	}
+	return result, nil
+}
+
 type mockAuditRepository struct {
 	events []*domain.AuditEvent
 }
@@ -726,6 +792,14 @@ func (m *mockAgentRepository) Create(ctx context.Context, agent *domain.Agent) e
 	return nil
 }
 
+func (m *mockAgentRepository) CreateIfNotExists(ctx context.Context, agent *domain.Agent) (bool, error) {
+	if _, exists := m.agents[agent.ID]; exists {
+		return false, nil
+	}
+	m.agents[agent.ID] = agent
+	return true, nil
+}
+
 func (m *mockAgentRepository) Update(ctx context.Context, agent *domain.Agent) error {
 	m.agents[agent.ID] = agent
 	return nil
@@ -808,6 +882,48 @@ func (m *mockTargetRepository) ListByCertificate(ctx context.Context, certID str
 	return m.List(ctx)
 }
 
+// mockOwnerRepository satisfies repository.OwnerRepository for the M-003
+// not-self approval wiring. Tests that don't care about owner lookup get an
+// empty map (Get returns errNotFound, which checkNotSelf permits).
+type mockOwnerRepository struct {
+	owners map[string]*domain.Owner
+}
+
+func newMockOwnerRepository() *mockOwnerRepository {
+	return &mockOwnerRepository{owners: make(map[string]*domain.Owner)}
+}
+
+func (m *mockOwnerRepository) List(ctx context.Context) ([]*domain.Owner, error) {
+	var out []*domain.Owner
+	for _, o := range m.owners {
+		out = append(out, o)
+	}
+	return out, nil
+}
+
+func (m *mockOwnerRepository) Get(ctx context.Context, id string) (*domain.Owner, error) {
+	o, ok := m.owners[id]
+	if !ok {
+		return nil, fmt.Errorf("owner not found")
+	}
+	return o, nil
+}
+
+func (m *mockOwnerRepository) Create(ctx context.Context, o *domain.Owner) error {
+	m.owners[o.ID] = o
+	return nil
+}
+
+func (m *mockOwnerRepository) Update(ctx context.Context, o *domain.Owner) error {
+	m.owners[o.ID] = o
+	return nil
+}
+
+func (m *mockOwnerRepository) Delete(ctx context.Context, id string) error {
+	delete(m.owners, id)
+	return nil
+}
+
 type mockNotificationRepository struct {
 	notifications []*domain.NotificationEvent
 }
@@ -982,8 +1098,8 @@ type mockTargetService struct {
 	auditService *service.AuditService
 }
 
-func (m *mockTargetService) ListTargets(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
-	targets, err := m.targetRepo.List(context.Background())
+func (m *mockTargetService) ListTargets(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+	targets, err := m.targetRepo.List(ctx)
 	if err != nil {
 		return nil, 0, err
 	}
@@ -994,99 +1110,99 @@ func (m *mockTargetService) ListTargets(page, perPage int) ([]domain.DeploymentT
 	return result, int64(len(result)), nil
 }
 
-func (m *mockTargetService) GetTarget(id string) (*domain.DeploymentTarget, error) {
-	return m.targetRepo.Get(context.Background(), id)
+func (m *mockTargetService) GetTarget(ctx context.Context, id string) (*domain.DeploymentTarget, error) {
+	return m.targetRepo.Get(ctx, id)
 }
 
-func (m *mockTargetService) CreateTarget(target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
-	if err := m.targetRepo.Create(context.Background(), &target); err != nil {
+func (m *mockTargetService) CreateTarget(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+	if err := m.targetRepo.Create(ctx, &target); err != nil {
 		return nil, err
 	}
 	return &target, nil
 }
 
-func (m *mockTargetService) UpdateTarget(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+func (m *mockTargetService) UpdateTarget(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 	target.ID = id
-	if err := m.targetRepo.Update(context.Background(), &target); err != nil {
+	if err := m.targetRepo.Update(ctx, &target); err != nil {
 		return nil, err
 	}
 	return &target, nil
 }
 
-func (m *mockTargetService) DeleteTarget(id string) error {
-	return m.targetRepo.Delete(context.Background(), id)
+func (m *mockTargetService) DeleteTarget(ctx context.Context, id string) error {
+	return m.targetRepo.Delete(ctx, id)
 }
 
-func (m *mockTargetService) TestTargetConnection(id string) error {
+func (m *mockTargetService) TestConnection(ctx context.Context, id string) error {
 	return nil // No-op for integration tests
 }
 
 type mockTeamService struct{}
 
-func (m *mockTeamService) ListTeams(page, perPage int) ([]domain.Team, int64, error) {
+func (m *mockTeamService) ListTeams(_ context.Context, page, perPage int) ([]domain.Team, int64, error) {
 	return []domain.Team{}, 0, nil
 }
 
-func (m *mockTeamService) GetTeam(id string) (*domain.Team, error) {
+func (m *mockTeamService) GetTeam(_ context.Context, id string) (*domain.Team, error) {
 	return nil, fmt.Errorf("team not found")
 }
 
-func (m *mockTeamService) CreateTeam(team domain.Team) (*domain.Team, error) {
+func (m *mockTeamService) CreateTeam(_ context.Context, team domain.Team) (*domain.Team, error) {
 	return &team, nil
 }
 
-func (m *mockTeamService) UpdateTeam(id string, team domain.Team) (*domain.Team, error) {
+func (m *mockTeamService) UpdateTeam(_ context.Context, id string, team domain.Team) (*domain.Team, error) {
 	team.ID = id
 	return &team, nil
 }
 
-func (m *mockTeamService) DeleteTeam(id string) error {
+func (m *mockTeamService) DeleteTeam(_ context.Context, id string) error {
 	return nil
 }
 
 type mockOwnerService struct{}
 
-func (m *mockOwnerService) ListOwners(page, perPage int) ([]domain.Owner, int64, error) {
+func (m *mockOwnerService) ListOwners(_ context.Context, page, perPage int) ([]domain.Owner, int64, error) {
 	return []domain.Owner{}, 0, nil
 }
 
-func (m *mockOwnerService) GetOwner(id string) (*domain.Owner, error) {
+func (m *mockOwnerService) GetOwner(_ context.Context, id string) (*domain.Owner, error) {
 	return nil, fmt.Errorf("owner not found")
 }
 
-func (m *mockOwnerService) CreateOwner(owner domain.Owner) (*domain.Owner, error) {
+func (m *mockOwnerService) CreateOwner(_ context.Context, owner domain.Owner) (*domain.Owner, error) {
 	return &owner, nil
 }
 
-func (m *mockOwnerService) UpdateOwner(id string, owner domain.Owner) (*domain.Owner, error) {
+func (m *mockOwnerService) UpdateOwner(_ context.Context, id string, owner domain.Owner) (*domain.Owner, error) {
 	owner.ID = id
 	return &owner, nil
 }
 
-func (m *mockOwnerService) DeleteOwner(id string) error {
+func (m *mockOwnerService) DeleteOwner(_ context.Context, id string) error {
 	return nil
 }
 
 type mockProfileService struct{}
 
-func (m *mockProfileService) ListProfiles(page, perPage int) ([]domain.CertificateProfile, int64, error) {
+func (m *mockProfileService) ListProfiles(_ context.Context, page, perPage int) ([]domain.CertificateProfile, int64, error) {
 	return []domain.CertificateProfile{}, 0, nil
 }
 
-func (m *mockProfileService) GetProfile(id string) (*domain.CertificateProfile, error) {
+func (m *mockProfileService) GetProfile(_ context.Context, id string) (*domain.CertificateProfile, error) {
 	return nil, fmt.Errorf("profile not found")
 }
 
-func (m *mockProfileService) CreateProfile(profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (m *mockProfileService) CreateProfile(_ context.Context, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	return &profile, nil
 }
 
-func (m *mockProfileService) UpdateProfile(id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (m *mockProfileService) UpdateProfile(_ context.Context, id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	profile.ID = id
 	return &profile, nil
 }
 
-func (m *mockProfileService) DeleteProfile(id string) error {
+func (m *mockProfileService) DeleteProfile(_ context.Context, id string) error {
 	return nil
 }
 
@@ -1133,9 +1249,9 @@ func (m *mockRevocationRepository) Create(ctx context.Context, revocation *domai
 	return nil
 }
 
-func (m *mockRevocationRepository) GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error) {
+func (m *mockRevocationRepository) GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.CertificateRevocation, error) {
 	for _, r := range m.revocations {
-		if r.SerialNumber == serial {
+		if r.IssuerID == issuerID && r.SerialNumber == serial {
 			return r, nil
 		}
 	}
@@ -1204,11 +1320,11 @@ func (m *mockDiscoveryService) GetDiscovered(ctx context.Context, id string) (*d
 	return nil, fmt.Errorf("not found")
 }
 
-func (m *mockDiscoveryService) ClaimDiscovered(ctx context.Context, id string, managedCertID string) error {
+func (m *mockDiscoveryService) ClaimDiscovered(ctx context.Context, id string, managedCertID string, actor string) error {
 	return nil
 }
 
-func (m *mockDiscoveryService) DismissDiscovered(ctx context.Context, id string) error {
+func (m *mockDiscoveryService) DismissDiscovered(ctx context.Context, id string, actor string) error {
 	return nil
 }
 

internal/integration/negative_test.go

@@ -56,9 +56,15 @@ func setupTestServer(t *testing.T) (*httptest.Server, *mockCertificateRepository
 	certificateService.SetCAOperationsSvc(caOperationsSvc)
 	renewalService := service.NewRenewalService(certRepo, jobRepo, renewalPolicyRepo, nil, auditService, notificationService, issuerRegistry, "server")
 	deploymentService := service.NewDeploymentService(jobRepo, targetRepo, agentRepo, certRepo, auditService, notificationService)
-	jobService := service.NewJobService(jobRepo, renewalService, deploymentService, logger)
+	ownerRepo := newMockOwnerRepository()
+	jobService := service.NewJobService(jobRepo, certRepo, ownerRepo, renewalService, deploymentService, logger)
 	agentService := service.NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, renewalService)
-	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, nil, logger)
+	// 32-byte AES-256 test key — C-2 remediation makes IssuerService fail closed
+	// without a configured CERTCTL_CONFIG_ENCRYPTION_KEY. Happy-path CRUD tests
+	// must supply a real key so the encrypt path runs instead of returning
+	// ErrEncryptionKeyRequired.
+	testEncryptionKey := "0123456789abcdef0123456789abcdef"
+	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, testEncryptionKey, logger)
 
 	certificateHandler := handler.NewCertificateHandler(certificateService)
 	issuerHandler := handler.NewIssuerHandler(issuerService)
@@ -103,9 +109,14 @@ func setupTestServer(t *testing.T) (*httptest.Server, *mockCertificateRepository
 		Health:        healthHandler,
 		Discovery:     discoveryHandler,
 		NetworkScan:   networkScanHandler,
-		Verification:  verificationHandler,
+		Verification:    verificationHandler,
+		BulkRevocation:  handler.BulkRevocationHandler{},
 	})
 	r.RegisterESTHandlers(estHandler)
+	// M-006: CRL + OCSP live under /.well-known/pki/ (RFC 5280 + RFC 6960 + RFC 8615).
+	// The negative_test integration suite exercises the DER CRL at this path with
+	// no Authorization header to verify the relying-party contract.
+	r.RegisterPKIHandlers(certificateHandler)
 
 	server := httptest.NewServer(r)
 	t.Cleanup(func() { server.Close() })
@@ -783,8 +794,14 @@ func TestRevocationEndpoints(t *testing.T) {
 		}
 	})
 
-	t.Run("GetCRL_Success", func(t *testing.T) {
-		resp, err := http.Get(server.URL + "/api/v1/crl")
+	// M-006: the non-standard JSON CRL at GET /api/v1/crl was removed entirely.
+	// RFC 5280 §5 defines only the DER wire format, which is now served
+	// unauthenticated under /.well-known/pki/crl/{issuer_id} (RFC 8615) so
+	// relying parties can fetch revocation data without a certctl API key.
+	// We verify the contract by requesting with no Authorization header and
+	// asserting DER content-type + a non-empty body.
+	t.Run("GetDERCRL_Unauthenticated", func(t *testing.T) {
+		resp, err := http.Get(server.URL + "/.well-known/pki/crl/iss-local")
 		if err != nil {
 			t.Fatalf("request failed: %v", err)
 		}
@@ -795,17 +812,17 @@ func TestRevocationEndpoints(t *testing.T) {
 			t.Fatalf("expected 200, got %d: %s", resp.StatusCode, string(bodyBytes))
 		}
 
-		var crl map[string]interface{}
-		json.NewDecoder(resp.Body).Decode(&crl)
-
-		if crl["version"] != float64(1) {
-			t.Errorf("expected CRL version 1, got %v", crl["version"])
+		ct := resp.Header.Get("Content-Type")
+		if ct != "application/pkix-crl" {
+			t.Errorf("expected Content-Type application/pkix-crl, got %s", ct)
 		}
 
-		// Should have at least 1 entry from the revocation above
-		total, _ := crl["total"].(float64)
-		if total < 1 {
-			t.Errorf("expected at least 1 CRL entry, got %v", total)
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			t.Fatalf("read body failed: %v", err)
+		}
+		if len(body) == 0 {
+			t.Error("expected non-empty DER CRL body")
 		}
 	})
 }

internal/mcp/client_test.go

@@ -203,7 +203,7 @@ func TestClient_GetRaw(t *testing.T) {
 	defer server.Close()
 
 	c := NewClient(server.URL, "test-key")
-	data, contentType, err := c.GetRaw("/api/v1/crl/iss-local")
+	data, contentType, err := c.GetRaw("/.well-known/pki/crl/iss-local")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -223,7 +223,7 @@ func TestClient_GetRaw_Error(t *testing.T) {
 	defer server.Close()
 
 	c := NewClient(server.URL, "test-key")
-	_, _, err := c.GetRaw("/api/v1/crl/nonexistent")
+	_, _, err := c.GetRaw("/.well-known/pki/crl/nonexistent")
 	if err == nil {
 		t.Fatal("expected error for 404 response")
 	}

internal/mcp/tools.go

@@ -182,27 +182,54 @@ func registerCertificateTools(s *gomcp.Server, c *Client) {
 		}
 		return textResult(data)
 	})
-}
 
-// ── CRL & OCSP ──────────────────────────────────────────────────────
-
-func registerCRLOCSPTools(s *gomcp.Server, c *Client) {
 	gomcp.AddTool(s, &gomcp.Tool{
-		Name:        "certctl_get_crl",
-		Description: "Get the Certificate Revocation List in JSON format. Lists all revoked certificate serial numbers with reasons and timestamps.",
-	}, func(ctx context.Context, req *gomcp.CallToolRequest, input EmptyInput) (*gomcp.CallToolResult, any, error) {
-		data, err := c.Get("/api/v1/crl", nil)
+		Name:        "certctl_bulk_revoke_certificates",
+		Description: "Bulk revoke certificates matching filter criteria. At least one criterion (profile_id, owner_id, agent_id, issuer_id, team_id, or certificate_ids) is required. Returns counts of matched, revoked, skipped, and failed certificates.",
+	}, func(ctx context.Context, req *gomcp.CallToolRequest, input BulkRevokeCertificatesInput) (*gomcp.CallToolResult, any, error) {
+		body := map[string]interface{}{
+			"reason": input.Reason,
+		}
+		if input.ProfileID != "" {
+			body["profile_id"] = input.ProfileID
+		}
+		if input.OwnerID != "" {
+			body["owner_id"] = input.OwnerID
+		}
+		if input.AgentID != "" {
+			body["agent_id"] = input.AgentID
+		}
+		if input.IssuerID != "" {
+			body["issuer_id"] = input.IssuerID
+		}
+		if input.TeamID != "" {
+			body["team_id"] = input.TeamID
+		}
+		if len(input.CertificateIDs) > 0 {
+			body["certificate_ids"] = input.CertificateIDs
+		}
+		data, err := c.Post("/api/v1/certificates/bulk-revoke", body)
 		if err != nil {
 			return errorResult(err)
 		}
 		return textResult(data)
 	})
+}
 
+// ── CRL & OCSP ──────────────────────────────────────────────────────
+//
+// M-006 relocation: CRL and OCSP are served unauthenticated under the
+// RFC 8615 `.well-known/pki/*` namespace (RFC 5280 §5 for CRL, RFC 6960
+// §2.1 for OCSP) so relying parties can retrieve them without a certctl
+// API key. The non-standard JSON CRL tool (`certctl_get_crl`) has been
+// removed — RFC 5280 defines only the DER wire format.
+
+func registerCRLOCSPTools(s *gomcp.Server, c *Client) {
 	gomcp.AddTool(s, &gomcp.Tool{
 		Name:        "certctl_get_der_crl",
-		Description: "Get DER-encoded X.509 CRL for a specific issuer. Returns binary CRL data signed by the issuing CA.",
+		Description: "Get DER-encoded X.509 CRL for a specific issuer (RFC 5280). Served unauthenticated at /.well-known/pki/crl/{issuer_id}. Returns binary CRL data signed by the issuing CA.",
 	}, func(ctx context.Context, req *gomcp.CallToolRequest, input GetDERCRLInput) (*gomcp.CallToolResult, any, error) {
-		raw, contentType, err := c.GetRaw("/api/v1/crl/" + input.IssuerID)
+		raw, contentType, err := c.GetRaw("/.well-known/pki/crl/" + input.IssuerID)
 		if err != nil {
 			return errorResult(err)
 		}
@@ -215,9 +242,9 @@ func registerCRLOCSPTools(s *gomcp.Server, c *Client) {
 
 	gomcp.AddTool(s, &gomcp.Tool{
 		Name:        "certctl_ocsp_check",
-		Description: "Check OCSP status for a certificate by issuer ID and hex serial number. Returns good, revoked, or unknown.",
+		Description: "Check OCSP status for a certificate by issuer ID and hex serial number (RFC 6960). Served unauthenticated at /.well-known/pki/ocsp/{issuer_id}/{serial}. Returns good, revoked, or unknown.",
 	}, func(ctx context.Context, req *gomcp.CallToolRequest, input OCSPInput) (*gomcp.CallToolResult, any, error) {
-		raw, contentType, err := c.GetRaw("/api/v1/ocsp/" + input.IssuerID + "/" + input.Serial)
+		raw, contentType, err := c.GetRaw("/.well-known/pki/ocsp/" + input.IssuerID + "/" + input.Serial)
 		if err != nil {
 			return errorResult(err)
 		}
@@ -578,7 +605,7 @@ func registerPolicyTools(s *gomcp.Server, c *Client) {
 
 	gomcp.AddTool(s, &gomcp.Tool{
 		Name:        "certctl_create_policy",
-		Description: "Create a new policy rule. Requires name and type.",
+		Description: "Create a new policy rule. Requires name and type. Optional severity (Warning, Error, Critical) defaults to Warning.",
 	}, func(ctx context.Context, req *gomcp.CallToolRequest, input CreatePolicyInput) (*gomcp.CallToolResult, any, error) {
 		data, err := c.Post("/api/v1/policies", input)
 		if err != nil {
@@ -589,7 +616,7 @@ func registerPolicyTools(s *gomcp.Server, c *Client) {
 
 	gomcp.AddTool(s, &gomcp.Tool{
 		Name:        "certctl_update_policy",
-		Description: "Update a policy rule's name, type, configuration, or enabled status.",
+		Description: "Update a policy rule's name, type, configuration, enabled status, or severity.",
 	}, func(ctx context.Context, req *gomcp.CallToolRequest, input UpdatePolicyInput) (*gomcp.CallToolResult, any, error) {
 		data, err := c.Put("/api/v1/policies/"+input.ID, input)
 		if err != nil {

internal/mcp/tools_test.go

@@ -378,7 +378,7 @@ func TestToolEndToEnd_GetRawBinary(t *testing.T) {
 	defer server.Close()
 
 	client := NewClient(server.URL, "test-key")
-	data, ct, err := client.GetRaw("/api/v1/crl/iss-local")
+	data, ct, err := client.GetRaw("/.well-known/pki/crl/iss-local")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}

internal/mcp/types.go

@@ -35,7 +35,7 @@ type CreateCertificateInput struct {
 	TeamID          string            `json:"team_id" jsonschema:"Team ID (required)"`
 	IssuerID        string            `json:"issuer_id" jsonschema:"Issuer connector ID"`
 	TargetIDs       []string          `json:"target_ids,omitempty" jsonschema:"Deployment target IDs"`
-	RenewalPolicyID string            `json:"renewal_policy_id,omitempty" jsonschema:"Renewal policy ID"`
+	RenewalPolicyID string            `json:"renewal_policy_id" jsonschema:"Renewal policy ID (required)"`
 	ProfileID       string            `json:"certificate_profile_id,omitempty" jsonschema:"Certificate profile ID"`
 	Tags            map[string]string `json:"tags,omitempty" jsonschema:"Key-value tags"`
 }
@@ -62,6 +62,16 @@ type RevokeCertificateInput struct {
 	Reason string `json:"reason,omitempty" jsonschema:"RFC 5280 reason: unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn"`
 }
 
+type BulkRevokeCertificatesInput struct {
+	Reason         string   `json:"reason" jsonschema:"RFC 5280 reason: unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn"`
+	ProfileID      string   `json:"profile_id,omitempty" jsonschema:"Revoke all certs matching this profile ID"`
+	OwnerID        string   `json:"owner_id,omitempty" jsonschema:"Revoke all certs owned by this owner"`
+	AgentID        string   `json:"agent_id,omitempty" jsonschema:"Revoke all certs deployed via this agent"`
+	IssuerID       string   `json:"issuer_id,omitempty" jsonschema:"Revoke all certs issued by this issuer"`
+	TeamID         string   `json:"team_id,omitempty" jsonschema:"Revoke all certs owned by members of this team"`
+	CertificateIDs []string `json:"certificate_ids,omitempty" jsonschema:"Explicit list of certificate IDs to revoke"`
+}
+
 type ListVersionsInput struct {
 	ID string `json:"id" jsonschema:"Certificate ID"`
 	ListParams
@@ -102,7 +112,7 @@ type CreateTargetInput struct {
 	ID      string      `json:"id,omitempty" jsonschema:"Target ID"`
 	Name    string      `json:"name" jsonschema:"Target display name"`
 	Type    string      `json:"type" jsonschema:"Target type: NGINX, Apache, HAProxy, F5, IIS"`
-	AgentID string      `json:"agent_id,omitempty" jsonschema:"Agent ID that manages this target"`
+	AgentID string      `json:"agent_id" jsonschema:"Agent ID that manages this target (required)"`
 	Config  interface{} `json:"config,omitempty" jsonschema:"Target-specific configuration"`
 	Enabled bool        `json:"enabled,omitempty" jsonschema:"Whether the target is enabled"`
 }
@@ -158,19 +168,21 @@ type RejectJobInput struct {
 // ── Policies ────────────────────────────────────────────────────────
 
 type CreatePolicyInput struct {
-	ID      string      `json:"id,omitempty" jsonschema:"Policy ID"`
-	Name    string      `json:"name" jsonschema:"Policy display name"`
-	Type    string      `json:"type" jsonschema:"Policy type: AllowedIssuers, AllowedDomains, RequiredMetadata, AllowedEnvironments, RenewalLeadTime"`
-	Config  interface{} `json:"config,omitempty" jsonschema:"Policy-specific configuration"`
-	Enabled bool        `json:"enabled,omitempty" jsonschema:"Whether the policy is enabled"`
+	ID       string      `json:"id,omitempty" jsonschema:"Policy ID"`
+	Name     string      `json:"name" jsonschema:"Policy display name"`
+	Type     string      `json:"type" jsonschema:"Policy type: AllowedIssuers, AllowedDomains, RequiredMetadata, AllowedEnvironments, RenewalLeadTime"`
+	Config   interface{} `json:"config,omitempty" jsonschema:"Policy-specific configuration"`
+	Enabled  bool        `json:"enabled,omitempty" jsonschema:"Whether the policy is enabled"`
+	Severity string      `json:"severity,omitempty" jsonschema:"Violation severity: Warning, Error, or Critical (default: Warning)"`
 }
 
 type UpdatePolicyInput struct {
-	ID      string      `json:"id" jsonschema:"Policy ID to update"`
-	Name    string      `json:"name,omitempty" jsonschema:"Policy display name"`
-	Type    string      `json:"type,omitempty" jsonschema:"Policy type"`
-	Config  interface{} `json:"config,omitempty" jsonschema:"Policy-specific configuration"`
-	Enabled *bool       `json:"enabled,omitempty" jsonschema:"Whether the policy is enabled"`
+	ID       string      `json:"id" jsonschema:"Policy ID to update"`
+	Name     string      `json:"name,omitempty" jsonschema:"Policy display name"`
+	Type     string      `json:"type,omitempty" jsonschema:"Policy type"`
+	Config   interface{} `json:"config,omitempty" jsonschema:"Policy-specific configuration"`
+	Enabled  *bool       `json:"enabled,omitempty" jsonschema:"Whether the policy is enabled"`
+	Severity string      `json:"severity,omitempty" jsonschema:"Violation severity: Warning, Error, or Critical"`
 }
 
 type ListViolationsInput struct {

internal/repository/interfaces.go

@@ -27,14 +27,26 @@ type CertificateRepository interface {
 	GetExpiringCertificates(ctx context.Context, before time.Time) ([]*domain.ManagedCertificate, error)
 	// GetLatestVersion returns the most recent certificate version for a certificate.
 	GetLatestVersion(ctx context.Context, certID string) (*domain.CertificateVersion, error)
+	// GetByIssuerAndSerial retrieves a certificate by the (issuer_id, serial_number)
+	// pair via a JOIN on certificate_versions. Callers (OCSP, revocation lookup)
+	// always know the issuer because protocol endpoints carry it in the request
+	// path; RFC 5280 §5.2.3 guarantees serial uniqueness only within a single
+	// issuer. Returns sql.ErrNoRows when no match exists so callers can
+	// distinguish "unknown cert" from a real repository error.
+	GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.ManagedCertificate, error)
 }
 
 // RevocationRepository defines operations for managing certificate revocations.
 type RevocationRepository interface {
-	// Create records a new certificate revocation.
+	// Create records a new certificate revocation. Uniqueness is scoped to
+	// (issuer_id, serial_number) per RFC 5280 §5.2.3, so duplicate serials
+	// across different issuers are permitted.
 	Create(ctx context.Context, revocation *domain.CertificateRevocation) error
-	// GetBySerial retrieves a revocation by serial number.
-	GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error)
+	// GetByIssuerAndSerial retrieves a revocation by the (issuer_id, serial_number)
+	// pair. Callers (OCSP, CRL generation) always know the issuer because
+	// protocol endpoints carry it in the request path; RFC 5280 §5.2.3 guarantees
+	// uniqueness only within a single issuer.
+	GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.CertificateRevocation, error)
 	// ListAll returns all revocations, ordered by revocation time (for CRL generation).
 	ListAll(ctx context.Context) ([]*domain.CertificateRevocation, error)
 	// ListByCertificate returns all revocations for a certificate.
@@ -85,8 +97,18 @@ type AgentRepository interface {
 	List(ctx context.Context) ([]*domain.Agent, error)
 	// Get retrieves an agent by ID.
 	Get(ctx context.Context, id string) (*domain.Agent, error)
-	// Create stores a new agent.
+	// Create stores a new agent. Callers that want duplicate-key errors surfaced
+	// (e.g. real-agent registration) must use this method; sentinel/bootstrap
+	// paths that expect the row to already exist on restart should call
+	// CreateIfNotExists instead (M-6, CWE-662).
 	Create(ctx context.Context, agent *domain.Agent) error
+	// CreateIfNotExists creates an agent only if the ID doesn't already exist
+	// (INSERT ... ON CONFLICT (id) DO NOTHING). Returns true if the row was
+	// newly inserted, false if a row with the same ID already existed. Used
+	// by the sentinel-agent bootstrap path in cmd/server/main.go so restarts
+	// and upgrades are idempotent without swallowing unrelated database
+	// failures (M-6, CWE-662).
+	CreateIfNotExists(ctx context.Context, agent *domain.Agent) (bool, error)
 	// Update modifies an existing agent.
 	Update(ctx context.Context, agent *domain.Agent) error
 	// Delete removes an agent.
@@ -115,10 +137,20 @@ type JobRepository interface {
 	ListByCertificate(ctx context.Context, certID string) ([]*domain.Job, error)
 	// UpdateStatus updates a job's status and optional error message.
 	UpdateStatus(ctx context.Context, id string, status domain.JobStatus, errMsg string) error
-	// GetPendingJobs returns jobs not yet processed of a specific type.
+	// GetPendingJobs returns jobs not yet processed of a specific type. Prefer ClaimPendingJobs in
+	// production paths where concurrent schedulers may race — see H-6 (CWE-362) remediation.
 	GetPendingJobs(ctx context.Context, jobType domain.JobType) ([]*domain.Job, error)
 	// ListPendingByAgentID returns pending deployment jobs and AwaitingCSR jobs for a specific agent.
+	// Prefer ClaimPendingByAgentID in production paths — see H-6 (CWE-362) remediation.
 	ListPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error)
+	// ClaimPendingJobs atomically claims up to `limit` Pending jobs and transitions them to Running
+	// using SELECT FOR UPDATE SKIP LOCKED inside a transaction. An empty jobType matches any type;
+	// limit <= 0 means no limit. H-6 (CWE-362) race remediation.
+	ClaimPendingJobs(ctx context.Context, jobType domain.JobType, limit int) ([]*domain.Job, error)
+	// ClaimPendingByAgentID atomically claims pending deployment jobs for an agent (flipping them
+	// to Running) and locks AwaitingCSR jobs against concurrent observers (leaving state intact,
+	// since the CSR-submission path drives the next transition). H-6 (CWE-362) race remediation.
+	ClaimPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error)
 }
 
 // RenewalPolicyRepository defines operations for managing renewal policies.

internal/repository/postgres/agent.go

@@ -70,7 +70,9 @@ func (r *AgentRepository) Get(ctx context.Context, id string) (*domain.Agent, er
 	return agent, nil
 }
 
-// Create stores a new agent
+// Create stores a new agent. Duplicate-key errors surface to the caller —
+// real-agent registration paths rely on this to detect collisions. Use
+// CreateIfNotExists for sentinel/bootstrap paths where re-inserts are expected.
 func (r *AgentRepository) Create(ctx context.Context, agent *domain.Agent) error {
 	if agent.ID == "" {
 		agent.ID = uuid.New().String()
@@ -92,6 +94,44 @@ func (r *AgentRepository) Create(ctx context.Context, agent *domain.Agent) error
 	return nil
 }
 
+// CreateIfNotExists creates an agent only if the ID doesn't already exist.
+// Used for sentinel agents (server-scanner, cloud-aws-sm, cloud-azure-kv,
+// cloud-gcp-sm) on first boot AND on every subsequent restart/upgrade — the
+// pre-M-6 code used plain INSERT, swallowed the duplicate-key error, and so
+// silently swallowed every other database failure too (CWE-662 /
+// CWE-209-adjacent). ON CONFLICT (id) DO NOTHING + RETURNING id +
+// sql.ErrNoRows distinguishes "row already existed" (created=false, err=nil)
+// from genuine errors (connectivity, permission, constraint violations
+// other than the id primary key) which still surface. Returns true if the
+// row was newly inserted, false if a row with the same ID already existed.
+func (r *AgentRepository) CreateIfNotExists(ctx context.Context, agent *domain.Agent) (bool, error) {
+	if agent.ID == "" {
+		agent.ID = uuid.New().String()
+	}
+
+	var id string
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO agents (id, name, hostname, status, last_heartbeat_at, registered_at, api_key_hash,
+		                    os, architecture, ip_address, version)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
+		ON CONFLICT (id) DO NOTHING
+		RETURNING id
+	`, agent.ID, agent.Name, agent.Hostname, agent.Status, agent.LastHeartbeatAt,
+		agent.RegisteredAt, agent.APIKeyHash,
+		agent.OS, agent.Architecture, agent.IPAddress, agent.Version).Scan(&id)
+
+	if err != nil {
+		if err == sql.ErrNoRows {
+			// ON CONFLICT DO NOTHING — a row with this ID already existed.
+			return false, nil
+		}
+		return false, fmt.Errorf("failed to create agent: %w", err)
+	}
+
+	agent.ID = id
+	return true, nil
+}
+
 // Update modifies an existing agent
 func (r *AgentRepository) Update(ctx context.Context, agent *domain.Agent) error {
 	result, err := r.db.ExecContext(ctx, `

internal/repository/postgres/certificate.go

@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"strings"
 	"time"
@@ -190,18 +191,65 @@ func (r *CertificateRepository) List(ctx context.Context, filter *repository.Cer
 	defer rows.Close()
 
 	var certs []*domain.ManagedCertificate
+	var certIDs []string
 	for rows.Next() {
-		cert, err := scanCertificate(rows)
+		var cert domain.ManagedCertificate
+		var tagsJSON []byte
+		var sans pq.StringArray
+		var profileID sql.NullString
+		var revocationReason sql.NullString
+
+		err := rows.Scan(
+			&cert.ID, &cert.Name, &cert.CommonName, &sans, &cert.Environment, &cert.OwnerID,
+			&cert.TeamID, &cert.IssuerID, &cert.RenewalPolicyID, &profileID,
+			&cert.Status, &cert.ExpiresAt, &tagsJSON,
+			&cert.LastRenewalAt, &cert.LastDeploymentAt, &cert.RevokedAt, &revocationReason,
+			&cert.CreatedAt, &cert.UpdatedAt)
+
 		if err != nil {
-			return nil, 0, err
+			return nil, 0, fmt.Errorf("failed to scan certificate: %w", err)
 		}
-		certs = append(certs, cert)
+
+		cert.SANs = []string(sans)
+		if profileID.Valid {
+			cert.CertificateProfileID = profileID.String
+		}
+		if revocationReason.Valid {
+			cert.RevocationReason = revocationReason.String
+		}
+
+		// Unmarshal tags
+		if len(tagsJSON) > 0 {
+			if err := json.Unmarshal(tagsJSON, &cert.Tags); err != nil {
+				return nil, 0, fmt.Errorf("failed to unmarshal tags: %w", err)
+			}
+		} else {
+			cert.Tags = make(map[string]string)
+		}
+
+		certs = append(certs, &cert)
+		certIDs = append(certIDs, cert.ID)
 	}
 
 	if err := rows.Err(); err != nil {
 		return nil, 0, fmt.Errorf("error iterating certificate rows: %w", err)
 	}
 
+	// Fetch target IDs for all certificates in a single query (avoid N+1)
+	if len(certIDs) > 0 {
+		targetIDsMap, err := r.getTargetIDsForCertificates(ctx, certIDs)
+		if err != nil {
+			return nil, 0, err
+		}
+		for _, cert := range certs {
+			if targetIDs, ok := targetIDsMap[cert.ID]; ok {
+				cert.TargetIDs = targetIDs
+			} else {
+				cert.TargetIDs = []string{}
+			}
+		}
+	}
+
 	return certs, total, nil
 }
 
@@ -214,7 +262,7 @@ func (r *CertificateRepository) Get(ctx context.Context, id string) (*domain.Man
 		WHERE id = $1
 	`, id)
 
-	cert, err := scanCertificate(row)
+	cert, err := r.scanCertificate(ctx, row)
 	if err != nil {
 		if err == sql.ErrNoRows {
 			return nil, fmt.Errorf("certificate not found")
@@ -225,6 +273,38 @@ func (r *CertificateRepository) Get(ctx context.Context, id string) (*domain.Man
 	return cert, nil
 }
 
+// GetByIssuerAndSerial retrieves a certificate by the (issuer_id, serial_number)
+// pair via a JOIN on certificate_versions. Per RFC 5280 §5.2.3, serial numbers
+// are unique only within a single issuer — callers that know the issuer (OCSP,
+// CRL generation, revocation lookup) use this method to scope lookups
+// correctly. Returns sql.ErrNoRows when no match exists so callers can
+// distinguish "unknown cert" (return OCSP status unknown) from a real
+// repository error.
+func (r *CertificateRepository) GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.ManagedCertificate, error) {
+	row := r.db.QueryRowContext(ctx, `
+		SELECT mc.id, mc.name, mc.common_name, mc.sans, mc.environment, mc.owner_id, mc.team_id,
+		       mc.issuer_id, mc.renewal_policy_id, mc.certificate_profile_id, mc.status, mc.expires_at,
+		       mc.tags, mc.last_renewal_at, mc.last_deployment_at, mc.revoked_at, mc.revocation_reason,
+		       mc.created_at, mc.updated_at
+		FROM managed_certificates mc
+		JOIN certificate_versions cv ON cv.certificate_id = mc.id
+		WHERE mc.issuer_id = $1 AND cv.serial_number = $2
+		LIMIT 1
+	`, issuerID, serial)
+
+	cert, err := r.scanCertificate(ctx, row)
+	if err != nil {
+		// scanCertificate wraps sql.ErrNoRows via %w, so surface the bare
+		// sentinel here for callers that branch on it with errors.Is.
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, sql.ErrNoRows
+		}
+		return nil, fmt.Errorf("failed to query certificate by issuer+serial: %w", err)
+	}
+
+	return cert, nil
+}
+
 // Create stores a new certificate
 func (r *CertificateRepository) Create(ctx context.Context, cert *domain.ManagedCertificate) error {
 	if cert.ID == "" {
@@ -421,18 +501,65 @@ func (r *CertificateRepository) GetExpiringCertificates(ctx context.Context, bef
 	defer rows.Close()
 
 	var certs []*domain.ManagedCertificate
+	var certIDs []string
 	for rows.Next() {
-		cert, err := scanCertificate(rows)
+		var cert domain.ManagedCertificate
+		var tagsJSON []byte
+		var sans pq.StringArray
+		var profileID sql.NullString
+		var revocationReason sql.NullString
+
+		err := rows.Scan(
+			&cert.ID, &cert.Name, &cert.CommonName, &sans, &cert.Environment, &cert.OwnerID,
+			&cert.TeamID, &cert.IssuerID, &cert.RenewalPolicyID, &profileID,
+			&cert.Status, &cert.ExpiresAt, &tagsJSON,
+			&cert.LastRenewalAt, &cert.LastDeploymentAt, &cert.RevokedAt, &revocationReason,
+			&cert.CreatedAt, &cert.UpdatedAt)
+
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to scan certificate: %w", err)
 		}
-		certs = append(certs, cert)
+
+		cert.SANs = []string(sans)
+		if profileID.Valid {
+			cert.CertificateProfileID = profileID.String
+		}
+		if revocationReason.Valid {
+			cert.RevocationReason = revocationReason.String
+		}
+
+		// Unmarshal tags
+		if len(tagsJSON) > 0 {
+			if err := json.Unmarshal(tagsJSON, &cert.Tags); err != nil {
+				return nil, fmt.Errorf("failed to unmarshal tags: %w", err)
+			}
+		} else {
+			cert.Tags = make(map[string]string)
+		}
+
+		certs = append(certs, &cert)
+		certIDs = append(certIDs, cert.ID)
 	}
 
 	if err := rows.Err(); err != nil {
 		return nil, fmt.Errorf("error iterating expiring certificate rows: %w", err)
 	}
 
+	// Fetch target IDs for all certificates in a single query (avoid N+1)
+	if len(certIDs) > 0 {
+		targetIDsMap, err := r.getTargetIDsForCertificates(ctx, certIDs)
+		if err != nil {
+			return nil, err
+		}
+		for _, cert := range certs {
+			if targetIDs, ok := targetIDsMap[cert.ID]; ok {
+				cert.TargetIDs = targetIDs
+			} else {
+				cert.TargetIDs = []string{}
+			}
+		}
+	}
+
 	return certs, nil
 }
 
@@ -462,8 +589,76 @@ func (r *CertificateRepository) GetLatestVersion(ctx context.Context, certID str
 	return &v, nil
 }
 
-// scanCertificate scans a certificate from a row or rows
-func scanCertificate(scanner interface {
+// getTargetIDs retrieves all target IDs for a given certificate from the junction table.
+// Returns an empty slice (not nil) if no targets are found.
+func (r *CertificateRepository) getTargetIDs(ctx context.Context, certID string) ([]string, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT target_id FROM certificate_target_mappings
+		WHERE certificate_id = $1
+		ORDER BY target_id ASC
+	`, certID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query target mappings: %w", err)
+	}
+	defer rows.Close()
+
+	var targetIDs []string
+	for rows.Next() {
+		var targetID string
+		if err := rows.Scan(&targetID); err != nil {
+			return nil, fmt.Errorf("failed to scan target ID: %w", err)
+		}
+		targetIDs = append(targetIDs, targetID)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating target ID rows: %w", err)
+	}
+
+	// Return empty slice instead of nil for consistency with JSON marshaling
+	if targetIDs == nil {
+		targetIDs = []string{}
+	}
+
+	return targetIDs, nil
+}
+
+// getTargetIDsForCertificates retrieves target IDs for multiple certificates in a single query.
+// Returns a map of certificate_id -> []target_id.
+func (r *CertificateRepository) getTargetIDsForCertificates(ctx context.Context, certIDs []string) (map[string][]string, error) {
+	if len(certIDs) == 0 {
+		return make(map[string][]string), nil
+	}
+
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT certificate_id, target_id FROM certificate_target_mappings
+		WHERE certificate_id = ANY($1)
+		ORDER BY certificate_id, target_id ASC
+	`, pq.Array(certIDs))
+	if err != nil {
+		return nil, fmt.Errorf("failed to query target mappings: %w", err)
+	}
+	defer rows.Close()
+
+	targetIDsMap := make(map[string][]string)
+	for rows.Next() {
+		var certID, targetID string
+		if err := rows.Scan(&certID, &targetID); err != nil {
+			return nil, fmt.Errorf("failed to scan target mapping: %w", err)
+		}
+		targetIDsMap[certID] = append(targetIDsMap[certID], targetID)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating target mapping rows: %w", err)
+	}
+
+	return targetIDsMap, nil
+}
+
+// scanCertificate scans a certificate from a row or rows and populates its TargetIDs
+// by querying the certificate_target_mappings junction table.
+func (r *CertificateRepository) scanCertificate(ctx context.Context, scanner interface {
 	Scan(...interface{}) error
 }) (*domain.ManagedCertificate, error) {
 	var cert domain.ManagedCertificate
@@ -500,6 +695,13 @@ func scanCertificate(scanner interface {
 		cert.Tags = make(map[string]string)
 	}
 
+	// Populate TargetIDs from junction table
+	targetIDs, err := r.getTargetIDs(ctx, cert.ID)
+	if err != nil {
+		return nil, err
+	}
+	cert.TargetIDs = targetIDs
+
 	return &cert, nil
 }
 

internal/repository/postgres/certificate_targetids_test.go

@@ -0,0 +1,322 @@
+// Package postgres_test — integration tests for M-7: Certificate.TargetIDs
+// must be populated from certificate_target_mappings on read.
+//
+// Before M-7 the repository scan helper never consulted the junction table, so
+// Get / List / GetExpiringCertificates always returned empty TargetIDs even when
+// rows existed in certificate_target_mappings. These tests exercise all three
+// read paths end-to-end against a real PostgreSQL 16 container.
+//
+// Runs against the shared testcontainer from testutil_test.go. Skipped when
+// `-short` is set (CI uses short mode; local runs pick it up by default).
+package postgres_test
+
+import (
+	"context"
+	"database/sql"
+	"testing"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository/postgres"
+)
+
+// insertAgentAndTargetsRaw creates one agent and N deployment_targets, returns
+// the agent ID and the list of target IDs (in insertion order).
+func insertAgentAndTargetsRaw(t *testing.T, db *sql.DB, ctx context.Context, suffix string, n int) (agentID string, targetIDs []string) {
+	t.Helper()
+	now := time.Now().Truncate(time.Microsecond)
+	agentID = "agent-" + suffix
+
+	_, err := db.ExecContext(ctx, `
+		INSERT INTO agents (id, name, hostname, status, registered_at, api_key_hash)
+		VALUES ($1, $2, $3, $4, $5, $6)
+	`, agentID, "agent-"+suffix, "host-"+suffix, "online", now, "hash-"+suffix)
+	if err != nil {
+		t.Fatalf("insertAgent failed: %v", err)
+	}
+
+	for i := 0; i < n; i++ {
+		tid := "t-" + suffix + "-" + intToStr(i)
+		_, err := db.ExecContext(ctx, `
+			INSERT INTO deployment_targets (id, name, type, agent_id, config, enabled, created_at, updated_at)
+			VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+		`, tid, tid, "NGINX", agentID, []byte(`{}`), true, now, now)
+		if err != nil {
+			t.Fatalf("insertTarget %d failed: %v", i, err)
+		}
+		targetIDs = append(targetIDs, tid)
+	}
+	return agentID, targetIDs
+}
+
+// intToStr converts a non-negative int to its decimal string.
+// Local helper to avoid importing strconv for a single use.
+func intToStr(n int) string {
+	if n == 0 {
+		return "0"
+	}
+	var buf [20]byte
+	i := len(buf)
+	for n > 0 {
+		i--
+		buf[i] = byte('0' + n%10)
+		n /= 10
+	}
+	return string(buf[i:])
+}
+
+// insertCertificateRow writes a minimal managed_certificates row via raw SQL.
+// Bypasses the repository Create so we can isolate read-path tests from any
+// write-path behavior. managed_certificates.sans is TEXT[], written here as an
+// empty array literal.
+func insertCertificateRow(t *testing.T, db *sql.DB, ctx context.Context, certID, ownerID, teamID, issuerID, policyID string, expiresAt time.Time) {
+	t.Helper()
+	now := time.Now().Truncate(time.Microsecond)
+	_, err := db.ExecContext(ctx, `
+		INSERT INTO managed_certificates (
+			id, name, common_name, sans, environment,
+			owner_id, team_id, issuer_id, renewal_policy_id,
+			status, expires_at, tags,
+			created_at, updated_at
+		) VALUES (
+			$1, $2, $3, ARRAY[]::TEXT[], $4,
+			$5, $6, $7, $8,
+			$9, $10, $11,
+			$12, $13
+		)
+	`,
+		certID, certID, certID+".example.com", "production",
+		ownerID, teamID, issuerID, policyID,
+		string(domain.CertificateStatusActive), expiresAt, []byte(`{}`),
+		now, now,
+	)
+	if err != nil {
+		t.Fatalf("insertCertificateRow failed: %v", err)
+	}
+}
+
+// insertMapping writes a single row into certificate_target_mappings via raw SQL.
+func insertMapping(t *testing.T, db *sql.DB, ctx context.Context, certID, targetID string) {
+	t.Helper()
+	_, err := db.ExecContext(ctx,
+		`INSERT INTO certificate_target_mappings (certificate_id, target_id) VALUES ($1, $2)`,
+		certID, targetID)
+	if err != nil {
+		t.Fatalf("insertMapping(%s, %s) failed: %v", certID, targetID, err)
+	}
+}
+
+// --------------------------------------------------------------------
+// Get() — single-cert read path
+// --------------------------------------------------------------------
+
+// TestGet_PopulatesTargetIDs_NoMappings: no mapping rows → TargetIDs must be
+// an empty slice, not nil, so JSON serialisation emits "[]".
+func TestGet_PopulatesTargetIDs_NoMappings(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewCertificateRepository(db)
+	ctx := context.Background()
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "getnone")
+	certID := "mc-getnone"
+	insertCertificateRow(t, db, ctx, certID, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
+
+	got, err := repo.Get(ctx, certID)
+	if err != nil {
+		t.Fatalf("Get failed: %v", err)
+	}
+	if got.TargetIDs == nil {
+		t.Fatalf("TargetIDs = nil, want empty slice (JSON serialises nil as null and [] as [])")
+	}
+	if len(got.TargetIDs) != 0 {
+		t.Errorf("len(TargetIDs) = %d, want 0; got %v", len(got.TargetIDs), got.TargetIDs)
+	}
+}
+
+// TestGet_PopulatesTargetIDs_SingleTarget: one mapping → one entry.
+func TestGet_PopulatesTargetIDs_SingleTarget(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewCertificateRepository(db)
+	ctx := context.Background()
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "getone")
+	_, targets := insertAgentAndTargetsRaw(t, db, ctx, "getone", 1)
+
+	certID := "mc-getone"
+	insertCertificateRow(t, db, ctx, certID, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
+	insertMapping(t, db, ctx, certID, targets[0])
+
+	got, err := repo.Get(ctx, certID)
+	if err != nil {
+		t.Fatalf("Get failed: %v", err)
+	}
+	if len(got.TargetIDs) != 1 {
+		t.Fatalf("len(TargetIDs) = %d, want 1; got %v", len(got.TargetIDs), got.TargetIDs)
+	}
+	if got.TargetIDs[0] != targets[0] {
+		t.Errorf("TargetIDs[0] = %q, want %q", got.TargetIDs[0], targets[0])
+	}
+}
+
+// TestGet_PopulatesTargetIDs_MultipleTargets: many mappings → sorted by target_id ASC.
+func TestGet_PopulatesTargetIDs_MultipleTargets(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewCertificateRepository(db)
+	ctx := context.Background()
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "getmany")
+	_, targets := insertAgentAndTargetsRaw(t, db, ctx, "getmany", 3)
+
+	certID := "mc-getmany"
+	insertCertificateRow(t, db, ctx, certID, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
+	// Insert mappings in reverse order to confirm ORDER BY target_id ASC in the query.
+	insertMapping(t, db, ctx, certID, targets[2])
+	insertMapping(t, db, ctx, certID, targets[0])
+	insertMapping(t, db, ctx, certID, targets[1])
+
+	got, err := repo.Get(ctx, certID)
+	if err != nil {
+		t.Fatalf("Get failed: %v", err)
+	}
+	if len(got.TargetIDs) != 3 {
+		t.Fatalf("len(TargetIDs) = %d, want 3; got %v", len(got.TargetIDs), got.TargetIDs)
+	}
+	// Ascending order: t-getmany-0, t-getmany-1, t-getmany-2
+	want := []string{targets[0], targets[1], targets[2]}
+	for i, tid := range want {
+		if got.TargetIDs[i] != tid {
+			t.Errorf("TargetIDs[%d] = %q, want %q (full: %v)", i, got.TargetIDs[i], tid, got.TargetIDs)
+		}
+	}
+}
+
+// --------------------------------------------------------------------
+// List() — batch read path, must avoid N+1
+// --------------------------------------------------------------------
+
+// TestList_PopulatesTargetIDs_BatchFetch: three certs with different mapping counts;
+// all must have their TargetIDs populated correctly, and the cert with no mapping
+// must get an empty (non-nil) slice.
+func TestList_PopulatesTargetIDs_BatchFetch(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewCertificateRepository(db)
+	ctx := context.Background()
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "listbatch")
+	_, targets := insertAgentAndTargetsRaw(t, db, ctx, "listbatch", 3)
+
+	certA := "mc-list-a"
+	certB := "mc-list-b"
+	certC := "mc-list-c"
+	insertCertificateRow(t, db, ctx, certA, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
+	insertCertificateRow(t, db, ctx, certB, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
+	insertCertificateRow(t, db, ctx, certC, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
+
+	// certA → 2 targets (t-0, t-1)
+	insertMapping(t, db, ctx, certA, targets[0])
+	insertMapping(t, db, ctx, certA, targets[1])
+	// certB → 1 target (t-2)
+	insertMapping(t, db, ctx, certB, targets[2])
+	// certC → 0 targets
+
+	got, total, err := repo.List(ctx, nil)
+	if err != nil {
+		t.Fatalf("List failed: %v", err)
+	}
+	if total < 3 {
+		t.Fatalf("total = %d, want >= 3", total)
+	}
+
+	want := map[string][]string{
+		certA: {targets[0], targets[1]},
+		certB: {targets[2]},
+		certC: {},
+	}
+	seen := map[string]bool{}
+	for _, c := range got {
+		exp, ok := want[c.ID]
+		if !ok {
+			continue
+		}
+		seen[c.ID] = true
+		if c.TargetIDs == nil {
+			t.Errorf("cert %s: TargetIDs = nil, want %v", c.ID, exp)
+			continue
+		}
+		if len(c.TargetIDs) != len(exp) {
+			t.Errorf("cert %s: len(TargetIDs) = %d, want %d (got %v, want %v)", c.ID, len(c.TargetIDs), len(exp), c.TargetIDs, exp)
+			continue
+		}
+		for i, tid := range exp {
+			if c.TargetIDs[i] != tid {
+				t.Errorf("cert %s: TargetIDs[%d] = %q, want %q", c.ID, i, c.TargetIDs[i], tid)
+			}
+		}
+	}
+	for id := range want {
+		if !seen[id] {
+			t.Errorf("cert %s missing from List() result", id)
+		}
+	}
+}
+
+// --------------------------------------------------------------------
+// GetExpiringCertificates() — scheduler read path
+// --------------------------------------------------------------------
+
+// TestGetExpiringCertificates_PopulatesTargetIDs: expiring certs must also carry
+// their mapping information so renewal-triggered deployments can route work.
+func TestGetExpiringCertificates_PopulatesTargetIDs(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewCertificateRepository(db)
+	ctx := context.Background()
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "expiring")
+	_, targets := insertAgentAndTargetsRaw(t, db, ctx, "expiring", 2)
+
+	// Two expiring certs (expires in 3 days). Threshold = 7 days → both selected.
+	certA := "mc-exp-a"
+	certB := "mc-exp-b"
+	expiresSoon := time.Now().Add(3 * 24 * time.Hour)
+	insertCertificateRow(t, db, ctx, certA, ownerID, teamID, issuerID, policyID, expiresSoon)
+	insertCertificateRow(t, db, ctx, certB, ownerID, teamID, issuerID, policyID, expiresSoon)
+
+	insertMapping(t, db, ctx, certA, targets[0])
+	insertMapping(t, db, ctx, certA, targets[1])
+	// certB has no mappings.
+
+	threshold := time.Now().Add(7 * 24 * time.Hour)
+	got, err := repo.GetExpiringCertificates(ctx, threshold)
+	if err != nil {
+		t.Fatalf("GetExpiringCertificates failed: %v", err)
+	}
+
+	found := map[string]*domain.ManagedCertificate{}
+	for _, c := range got {
+		found[c.ID] = c
+	}
+
+	a, ok := found[certA]
+	if !ok {
+		t.Fatalf("cert %s not in expiring list", certA)
+	}
+	if len(a.TargetIDs) != 2 || a.TargetIDs[0] != targets[0] || a.TargetIDs[1] != targets[1] {
+		t.Errorf("cert %s: TargetIDs = %v, want %v", certA, a.TargetIDs, []string{targets[0], targets[1]})
+	}
+
+	b, ok := found[certB]
+	if !ok {
+		t.Fatalf("cert %s not in expiring list", certB)
+	}
+	if b.TargetIDs == nil {
+		t.Errorf("cert %s: TargetIDs = nil, want empty slice", certB)
+	}
+	if len(b.TargetIDs) != 0 {
+		t.Errorf("cert %s: len(TargetIDs) = %d, want 0", certB, len(b.TargetIDs))
+	}
+}

internal/repository/postgres/job.go

@@ -237,7 +237,14 @@ func (r *JobRepository) UpdateStatus(ctx context.Context, id string, status doma
 	return nil
 }
 
-// GetPendingJobs returns jobs not yet processed of a specific type
+// GetPendingJobs returns jobs not yet processed of a specific type.
+//
+// The SELECT uses FOR UPDATE SKIP LOCKED so that concurrent scheduler replicas
+// cannot observe the same rows when invoked inside a transaction; combine with
+// a subsequent UPDATE to Running for correct dispatch semantics. For the
+// standard production dispatch path, prefer ClaimPendingJobs which wraps the
+// lock, read, and state transition in a single transaction and is the
+// authoritative race-free claim primitive (CWE-362 fix for H-6).
 func (r *JobRepository) GetPendingJobs(ctx context.Context, jobType domain.JobType) ([]*domain.Job, error) {
 	rows, err := r.db.QueryContext(ctx, `
 		SELECT id, type, certificate_id, target_id, agent_id, status, attempts, max_attempts,
@@ -245,6 +252,7 @@ func (r *JobRepository) GetPendingJobs(ctx context.Context, jobType domain.JobTy
 		FROM jobs
 		WHERE type = $1 AND status = $2
 		ORDER BY scheduled_at ASC
+		FOR UPDATE SKIP LOCKED
 	`, jobType, domain.JobStatusPending)
 
 	if err != nil {
@@ -268,10 +276,115 @@ func (r *JobRepository) GetPendingJobs(ctx context.Context, jobType domain.JobTy
 	return jobs, nil
 }
 
-// ListPendingByAgentID returns pending deployment jobs and AwaitingCSR jobs for a specific agent.
-// Deployment jobs are matched by agent_id directly (set at creation time), with a fallback
-// for legacy jobs where agent_id is NULL but target_id resolves to the agent via deployment_targets.
-// AwaitingCSR jobs are matched through certificate → target mappings → agent ownership.
+// ClaimPendingJobs atomically claims up to `limit` Pending jobs and transitions
+// them to Running inside a single transaction. The SELECT uses FOR UPDATE SKIP
+// LOCKED so concurrent scheduler replicas observe disjoint result sets — each
+// row can be claimed by exactly one caller per tick (CWE-362 fix for H-6).
+//
+// Passing an empty jobType claims any type. Passing limit<=0 claims all
+// available rows. The claimed rows are returned with Status already set to
+// domain.JobStatusRunning.
+//
+// Downstream processors (ProcessRenewalJob, ProcessDeploymentJob) already call
+// UpdateStatus(Running) unconditionally on entry, so this pre-flip is
+// idempotent with respect to existing processing logic.
+func (r *JobRepository) ClaimPendingJobs(ctx context.Context, jobType domain.JobType, limit int) ([]*domain.Job, error) {
+	tx, err := r.db.BeginTx(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to begin claim transaction: %w", err)
+	}
+	// Rollback is a no-op after Commit — safe deferred cleanup if an error path
+	// triggers an early return before Commit().
+	defer func() { _ = tx.Rollback() }()
+
+	// Build the SELECT — jobType="" means any type, limit<=0 means unlimited.
+	query := `
+		SELECT id, type, certificate_id, target_id, agent_id, status, attempts, max_attempts,
+		       last_error, scheduled_at, started_at, completed_at, created_at
+		FROM jobs
+		WHERE status = $1`
+	args := []interface{}{domain.JobStatusPending}
+	if jobType != "" {
+		query += ` AND type = $2`
+		args = append(args, jobType)
+	}
+	query += `
+		ORDER BY scheduled_at ASC
+		FOR UPDATE SKIP LOCKED`
+	if limit > 0 {
+		query += fmt.Sprintf(` LIMIT %d`, limit)
+	}
+
+	rows, err := tx.QueryContext(ctx, query, args...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query claimable jobs: %w", err)
+	}
+
+	var jobs []*domain.Job
+	for rows.Next() {
+		job, err := scanJob(rows)
+		if err != nil {
+			rows.Close()
+			return nil, err
+		}
+		jobs = append(jobs, job)
+	}
+	if err := rows.Err(); err != nil {
+		rows.Close()
+		return nil, fmt.Errorf("error iterating claimable job rows: %w", err)
+	}
+	rows.Close()
+
+	if len(jobs) == 0 {
+		// No rows to claim — commit the (read-only) tx and return.
+		if err := tx.Commit(); err != nil {
+			return nil, fmt.Errorf("failed to commit empty claim tx: %w", err)
+		}
+		return nil, nil
+	}
+
+	// Flip claimed rows to Running. Build IN clause safely with placeholders.
+	ids := make([]interface{}, len(jobs))
+	placeholders := make([]byte, 0, len(jobs)*5)
+	for i, job := range jobs {
+		ids[i] = job.ID
+		if i > 0 {
+			placeholders = append(placeholders, ',')
+		}
+		placeholders = append(placeholders, fmt.Sprintf("$%d", i+2)...)
+	}
+	updateQuery := fmt.Sprintf(
+		`UPDATE jobs SET status = $1 WHERE id IN (%s)`,
+		string(placeholders),
+	)
+	updateArgs := append([]interface{}{domain.JobStatusRunning}, ids...)
+	if _, err := tx.ExecContext(ctx, updateQuery, updateArgs...); err != nil {
+		return nil, fmt.Errorf("failed to transition claimed jobs to Running: %w", err)
+	}
+
+	if err := tx.Commit(); err != nil {
+		return nil, fmt.Errorf("failed to commit claim transaction: %w", err)
+	}
+
+	// Reflect the committed state in the returned objects.
+	for _, job := range jobs {
+		job.Status = domain.JobStatusRunning
+	}
+
+	return jobs, nil
+}
+
+// ListPendingByAgentID returns pending deployment jobs and AwaitingCSR jobs for
+// a specific agent. Deployment jobs are matched by agent_id directly (set at
+// creation time), with a fallback for legacy jobs where agent_id is NULL but
+// target_id resolves to the agent via deployment_targets. AwaitingCSR jobs are
+// matched through certificate → target mappings → agent ownership.
+//
+// The SELECT uses FOR UPDATE SKIP LOCKED so concurrent pollers (e.g. two agent
+// instances running with the same agent_id) cannot observe the same rows when
+// this method is invoked inside a transaction. For the production agent work
+// poll path, prefer ClaimPendingByAgentID which additionally transitions
+// claimed Pending deployment rows to Running atomically (H-6 CWE-362 fix).
 func (r *JobRepository) ListPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error) {
 	rows, err := r.db.QueryContext(ctx, `
 		SELECT id, type, certificate_id, target_id, agent_id, status, attempts, max_attempts,
@@ -326,6 +439,137 @@ func (r *JobRepository) ListPendingByAgentID(ctx context.Context, agentID string
 	return jobs, nil
 }
 
+// ClaimPendingByAgentID atomically claims agent work inside a single
+// transaction. Pending Deployment jobs assigned to the agent (directly via
+// agent_id, or via legacy target→agent fallback) are transitioned from
+// Pending to Running. AwaitingCSR Renewal/Issuance jobs linked to the agent
+// via certificate → target mappings are locked with FOR UPDATE SKIP LOCKED
+// and returned without a state transition — the flow requires the agent to
+// submit a CSR to advance state, and pre-flipping AwaitingCSR would violate
+// the renewal state machine (CWE-362 fix for H-6).
+//
+// Claimed rows are invisible to other concurrent claim calls for the lifetime
+// of the transaction; rows claimed as Running remain invisible after commit
+// because ListPendingByAgentID's filter is status='Pending'.
+func (r *JobRepository) ClaimPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error) {
+	tx, err := r.db.BeginTx(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to begin agent claim transaction: %w", err)
+	}
+	defer func() { _ = tx.Rollback() }()
+
+	// Branch 1 + 2: Pending Deployment jobs (direct agent_id match or legacy
+	// target fallback). These get flipped to Running atomically below.
+	pendingRows, err := tx.QueryContext(ctx, `
+		SELECT id, type, certificate_id, target_id, agent_id, status, attempts, max_attempts,
+		       last_error, scheduled_at, started_at, completed_at, created_at
+		FROM jobs
+		WHERE agent_id = $1 AND status = 'Pending' AND type = 'Deployment'
+
+		UNION ALL
+
+		SELECT j.id, j.type, j.certificate_id, j.target_id, j.agent_id, j.status, j.attempts, j.max_attempts,
+		       j.last_error, j.scheduled_at, j.started_at, j.completed_at, j.created_at
+		FROM jobs j
+		INNER JOIN deployment_targets dt ON j.target_id = dt.id
+		WHERE j.agent_id IS NULL AND j.status = 'Pending' AND j.type = 'Deployment'
+		  AND dt.agent_id = $1
+
+		ORDER BY created_at ASC
+		FOR UPDATE SKIP LOCKED
+	`, agentID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query pending deployment jobs for agent: %w", err)
+	}
+
+	var pendingJobs []*domain.Job
+	for pendingRows.Next() {
+		job, err := scanJob(pendingRows)
+		if err != nil {
+			pendingRows.Close()
+			return nil, err
+		}
+		pendingJobs = append(pendingJobs, job)
+	}
+	if err := pendingRows.Err(); err != nil {
+		pendingRows.Close()
+		return nil, fmt.Errorf("error iterating pending deployment rows: %w", err)
+	}
+	pendingRows.Close()
+
+	// Branch 3: AwaitingCSR jobs for this agent. Locked with FOR UPDATE SKIP
+	// LOCKED to prevent duplicate delivery to concurrent pollers, but state is
+	// NOT transitioned — the agent advances state via CSR submission.
+	csrRows, err := tx.QueryContext(ctx, `
+		SELECT j.id, j.type, j.certificate_id, j.target_id, j.agent_id, j.status, j.attempts, j.max_attempts,
+		       j.last_error, j.scheduled_at, j.started_at, j.completed_at, j.created_at
+		FROM jobs j
+		WHERE j.status = 'AwaitingCSR'
+		  AND j.type IN ('Renewal', 'Issuance')
+		  AND EXISTS (
+		    SELECT 1 FROM certificate_target_mappings ctm
+		    INNER JOIN deployment_targets dt ON ctm.target_id = dt.id
+		    WHERE ctm.certificate_id = j.certificate_id
+		      AND dt.agent_id = $1
+		  )
+		ORDER BY j.created_at ASC
+		FOR UPDATE SKIP LOCKED
+	`, agentID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query AwaitingCSR jobs for agent: %w", err)
+	}
+
+	var csrJobs []*domain.Job
+	for csrRows.Next() {
+		job, err := scanJob(csrRows)
+		if err != nil {
+			csrRows.Close()
+			return nil, err
+		}
+		csrJobs = append(csrJobs, job)
+	}
+	if err := csrRows.Err(); err != nil {
+		csrRows.Close()
+		return nil, fmt.Errorf("error iterating AwaitingCSR rows: %w", err)
+	}
+	csrRows.Close()
+
+	// Transition locked Pending deployments to Running before commit.
+	if len(pendingJobs) > 0 {
+		ids := make([]interface{}, len(pendingJobs))
+		placeholders := make([]byte, 0, len(pendingJobs)*5)
+		for i, job := range pendingJobs {
+			ids[i] = job.ID
+			if i > 0 {
+				placeholders = append(placeholders, ',')
+			}
+			placeholders = append(placeholders, fmt.Sprintf("$%d", i+2)...)
+		}
+		updateQuery := fmt.Sprintf(
+			`UPDATE jobs SET status = $1 WHERE id IN (%s)`,
+			string(placeholders),
+		)
+		updateArgs := append([]interface{}{domain.JobStatusRunning}, ids...)
+		if _, err := tx.ExecContext(ctx, updateQuery, updateArgs...); err != nil {
+			return nil, fmt.Errorf("failed to transition claimed deployment jobs to Running: %w", err)
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return nil, fmt.Errorf("failed to commit agent claim transaction: %w", err)
+	}
+
+	// Reflect the committed state in returned Pending deployment jobs; leave
+	// AwaitingCSR jobs untouched.
+	for _, job := range pendingJobs {
+		job.Status = domain.JobStatusRunning
+	}
+
+	// Preserve the legacy ordering: Pending deployments first, AwaitingCSR
+	// second. Callers that want a strict created_at merge can re-sort.
+	return append(pendingJobs, csrJobs...), nil
+}
+
 // scanJob scans a job from a row or rows
 func scanJob(scanner interface {
 	Scan(...interface{}) error

internal/repository/postgres/policy.go

@@ -24,7 +24,7 @@ func NewPolicyRepository(db *sql.DB) *PolicyRepository {
 // ListRules returns all policy rules
 func (r *PolicyRepository) ListRules(ctx context.Context) ([]*domain.PolicyRule, error) {
 	rows, err := r.db.QueryContext(ctx, `
-		SELECT id, name, type, config, enabled, created_at, updated_at
+		SELECT id, name, type, config, enabled, severity, created_at, updated_at
 		FROM policy_rules
 		ORDER BY created_at DESC
 	`)
@@ -38,7 +38,7 @@ func (r *PolicyRepository) ListRules(ctx context.Context) ([]*domain.PolicyRule,
 	for rows.Next() {
 		var rule domain.PolicyRule
 		if err := rows.Scan(&rule.ID, &rule.Name, &rule.Type, &rule.Config,
-			&rule.Enabled, &rule.CreatedAt, &rule.UpdatedAt); err != nil {
+			&rule.Enabled, &rule.Severity, &rule.CreatedAt, &rule.UpdatedAt); err != nil {
 			return nil, fmt.Errorf("failed to scan policy rule: %w", err)
 		}
 		rules = append(rules, &rule)
@@ -55,11 +55,11 @@ func (r *PolicyRepository) ListRules(ctx context.Context) ([]*domain.PolicyRule,
 func (r *PolicyRepository) GetRule(ctx context.Context, id string) (*domain.PolicyRule, error) {
 	var rule domain.PolicyRule
 	err := r.db.QueryRowContext(ctx, `
-		SELECT id, name, type, config, enabled, created_at, updated_at
+		SELECT id, name, type, config, enabled, severity, created_at, updated_at
 		FROM policy_rules
 		WHERE id = $1
 	`, id).Scan(&rule.ID, &rule.Name, &rule.Type, &rule.Config,
-		&rule.Enabled, &rule.CreatedAt, &rule.UpdatedAt)
+		&rule.Enabled, &rule.Severity, &rule.CreatedAt, &rule.UpdatedAt)
 
 	if err != nil {
 		if err == sql.ErrNoRows {
@@ -78,11 +78,11 @@ func (r *PolicyRepository) CreateRule(ctx context.Context, rule *domain.PolicyRu
 	}
 
 	err := r.db.QueryRowContext(ctx, `
-		INSERT INTO policy_rules (id, name, type, config, enabled, created_at, updated_at)
-		VALUES ($1, $2, $3, $4, $5, $6, $7)
+		INSERT INTO policy_rules (id, name, type, config, enabled, severity, created_at, updated_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
 		RETURNING id
 	`, rule.ID, rule.Name, rule.Type, rule.Config, rule.Enabled,
-		rule.CreatedAt, rule.UpdatedAt).Scan(&rule.ID)
+		rule.Severity, rule.CreatedAt, rule.UpdatedAt).Scan(&rule.ID)
 
 	if err != nil {
 		return fmt.Errorf("failed to create policy rule: %w", err)
@@ -99,9 +99,10 @@ func (r *PolicyRepository) UpdateRule(ctx context.Context, rule *domain.PolicyRu
 			type = $2,
 			config = $3,
 			enabled = $4,
-			updated_at = $5
-		WHERE id = $6
-	`, rule.Name, rule.Type, rule.Config, rule.Enabled, rule.UpdatedAt, rule.ID)
+			severity = $5,
+			updated_at = $6
+		WHERE id = $7
+	`, rule.Name, rule.Type, rule.Config, rule.Enabled, rule.Severity, rule.UpdatedAt, rule.ID)
 
 	if err != nil {
 		return fmt.Errorf("failed to update policy rule: %w", err)

internal/repository/postgres/repo_test.go

@@ -7,6 +7,9 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
+	"fmt"
+	"sync"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -454,6 +457,193 @@ func TestAgentRepository_Delete_NotFound(t *testing.T) {
 	}
 }
 
+// TestAgentRepository_CreateIfNotExists_FirstInsert verifies that a brand-new
+// sentinel agent row is inserted and the helper reports created=true (M-6).
+func TestAgentRepository_CreateIfNotExists_FirstInsert(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewAgentRepository(db)
+	ctx := context.Background()
+
+	now := time.Now().Truncate(time.Microsecond)
+	agent := &domain.Agent{
+		ID:           "server-scanner",
+		Name:         "Network Scanner (Server-Side)",
+		Status:       domain.AgentStatusOnline,
+		RegisteredAt: now,
+	}
+
+	created, err := repo.CreateIfNotExists(ctx, agent)
+	if err != nil {
+		t.Fatalf("CreateIfNotExists failed: %v", err)
+	}
+	if !created {
+		t.Error("created = false on first insert, want true")
+	}
+
+	got, err := repo.Get(ctx, "server-scanner")
+	if err != nil {
+		t.Fatalf("Get failed: %v", err)
+	}
+	if got.Name != "Network Scanner (Server-Side)" {
+		t.Errorf("Name = %q, want %q", got.Name, "Network Scanner (Server-Side)")
+	}
+}
+
+// TestAgentRepository_CreateIfNotExists_Idempotent verifies that a second
+// call with the same ID returns created=false and err=nil without mutating
+// the existing row — the core M-6 upgrade/restart scenario (CWE-662).
+func TestAgentRepository_CreateIfNotExists_Idempotent(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewAgentRepository(db)
+	ctx := context.Background()
+
+	now := time.Now().Truncate(time.Microsecond)
+	first := &domain.Agent{
+		ID:           "cloud-aws-sm",
+		Name:         "AWS Secrets Manager Discovery",
+		Status:       domain.AgentStatusOnline,
+		RegisteredAt: now,
+	}
+	created, err := repo.CreateIfNotExists(ctx, first)
+	if err != nil {
+		t.Fatalf("first CreateIfNotExists failed: %v", err)
+	}
+	if !created {
+		t.Fatal("first created = false, want true")
+	}
+
+	// Second call with the same ID but a different name must be a no-op.
+	second := &domain.Agent{
+		ID:           "cloud-aws-sm",
+		Name:         "Overwritten Name Should Not Persist",
+		Status:       domain.AgentStatusOffline,
+		RegisteredAt: now.Add(time.Hour),
+	}
+	created, err = repo.CreateIfNotExists(ctx, second)
+	if err != nil {
+		t.Fatalf("second CreateIfNotExists failed: %v", err)
+	}
+	if created {
+		t.Error("second created = true, want false (row already existed)")
+	}
+
+	// Row must still reflect the original insert.
+	got, err := repo.Get(ctx, "cloud-aws-sm")
+	if err != nil {
+		t.Fatalf("Get failed: %v", err)
+	}
+	if got.Name != "AWS Secrets Manager Discovery" {
+		t.Errorf("Name = %q, want %q (ON CONFLICT DO NOTHING must preserve original row)", got.Name, "AWS Secrets Manager Discovery")
+	}
+	if got.Status != domain.AgentStatusOnline {
+		t.Errorf("Status = %q, want %q", got.Status, domain.AgentStatusOnline)
+	}
+}
+
+// TestAgentRepository_CreateIfNotExists_ConcurrentRace fires N concurrent
+// inserts for the same sentinel ID. Exactly one goroutine must see
+// created=true; every other must see created=false and err=nil. No panics,
+// no duplicate rows, no swallowed errors. This is the scenario that the
+// pre-M-6 plain-INSERT path masked with a blanket error log.
+func TestAgentRepository_CreateIfNotExists_ConcurrentRace(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewAgentRepository(db)
+	ctx := context.Background()
+
+	const N = 16
+	now := time.Now().Truncate(time.Microsecond)
+
+	var (
+		wg           sync.WaitGroup
+		createdCount int64
+		errorCount   int64
+	)
+	wg.Add(N)
+	for i := 0; i < N; i++ {
+		go func() {
+			defer wg.Done()
+			agent := &domain.Agent{
+				ID:           "cloud-gcp-sm",
+				Name:         "GCP Secret Manager Discovery",
+				Status:       domain.AgentStatusOnline,
+				RegisteredAt: now,
+			}
+			created, err := repo.CreateIfNotExists(ctx, agent)
+			if err != nil {
+				atomic.AddInt64(&errorCount, 1)
+				t.Errorf("CreateIfNotExists returned error: %v", err)
+				return
+			}
+			if created {
+				atomic.AddInt64(&createdCount, 1)
+			}
+		}()
+	}
+	wg.Wait()
+
+	if errorCount != 0 {
+		t.Fatalf("errorCount = %d, want 0", errorCount)
+	}
+	if createdCount != 1 {
+		t.Errorf("createdCount = %d, want exactly 1 (only one goroutine may win the insert)", createdCount)
+	}
+
+	// Exactly one row must exist.
+	agents, err := repo.List(ctx)
+	if err != nil {
+		t.Fatalf("List failed: %v", err)
+	}
+	count := 0
+	for _, a := range agents {
+		if a.ID == "cloud-gcp-sm" {
+			count++
+		}
+	}
+	if count != 1 {
+		t.Errorf("row count for cloud-gcp-sm = %d, want 1", count)
+	}
+}
+
+// TestAgentRepository_CreateIfNotExists_GenericErrorSurfaces verifies that
+// failures other than the primary-key duplicate (the only collision
+// ON CONFLICT (id) absorbs) propagate to the caller instead of being
+// swallowed. This is the security property that M-6 restores: the
+// pre-fix plain-INSERT path logged every error at Debug level, so a
+// connectivity or permission failure would vanish into the log without
+// the server surfacing a problem on startup (CWE-662 / CWE-209-adjacent).
+//
+// Uses a pre-cancelled context to force QueryRowContext to fail with
+// context.Canceled — a non-duplicate error class that must surface.
+// Does NOT close the shared sql.DB (that would break sibling tests).
+func TestAgentRepository_CreateIfNotExists_GenericErrorSurfaces(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewAgentRepository(db)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel() // pre-cancel so the driver round-trip fails immediately.
+
+	agent := &domain.Agent{
+		ID:           "server-scanner",
+		Name:         "Network Scanner (Server-Side)",
+		Status:       domain.AgentStatusOnline,
+		RegisteredAt: time.Now(),
+	}
+	created, err := repo.CreateIfNotExists(ctx, agent)
+	if err == nil {
+		t.Fatal("expected error on cancelled context, got nil (error would have been swallowed pre-M-6)")
+	}
+	if created {
+		t.Error("created = true on failure, want false")
+	}
+	if err == sql.ErrNoRows {
+		t.Error("got sql.ErrNoRows, want a real connection/context error (ErrNoRows is the duplicate-row sentinel)")
+	}
+}
+
 // ============================================================
 // Issuer Repository Tests
 // ============================================================
@@ -703,10 +893,10 @@ func TestRevocationRepository_CRUD(t *testing.T) {
 		t.Fatalf("Idempotent create failed: %v", err)
 	}
 
-	// GetBySerial
-	got, err := repo.GetBySerial(ctx, "DEADBEEF01")
+	// GetByIssuerAndSerial — lookups are scoped to (issuer_id, serial) per RFC 5280 §5.2.3.
+	got, err := repo.GetByIssuerAndSerial(ctx, issuerID, "DEADBEEF01")
 	if err != nil {
-		t.Fatalf("GetBySerial failed: %v", err)
+		t.Fatalf("GetByIssuerAndSerial failed: %v", err)
 	}
 	if got.Reason != "keyCompromise" {
 		t.Errorf("Reason = %q, want %q", got.Reason, "keyCompromise")
@@ -734,12 +924,116 @@ func TestRevocationRepository_CRUD(t *testing.T) {
 	if err := repo.MarkIssuerNotified(ctx, "rev-test-1"); err != nil {
 		t.Fatalf("MarkIssuerNotified failed: %v", err)
 	}
-	got, _ = repo.GetBySerial(ctx, "DEADBEEF01")
+	got, _ = repo.GetByIssuerAndSerial(ctx, issuerID, "DEADBEEF01")
 	if !got.IssuerNotified {
 		t.Error("expected IssuerNotified=true after marking")
 	}
 }
 
+// TestRevocationRepository_CrossIssuerSerialCollision verifies that the same
+// serial number can coexist under two different issuers — RFC 5280 §5.2.3
+// defines serial uniqueness only within a single CA, and certctl supports
+// multi-issuer deployments where serial collisions across issuers are
+// legitimate (e.g., Local CA serial 0x01 and Vault PKI serial 0x01).
+//
+// This test locks in the behavior change from migration 000012: the unique
+// index is on (issuer_id, serial_number), not on serial_number alone.
+func TestRevocationRepository_CrossIssuerSerialCollision(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewRevocationRepository(db)
+	certRepo := postgres.NewCertificateRepository(db)
+	ctx := context.Background()
+
+	now := time.Now().Truncate(time.Microsecond)
+
+	// First issuer + cert + revocation with serial "CAFEBABE01".
+	ownerID1, teamID1, issuerID1, policyID1 := insertCertPrereqsRaw(t, db, ctx, "dup-a")
+	cert1 := &domain.ManagedCertificate{
+		ID: "mc-dup-a", Name: "dup-a", CommonName: "a.example.com",
+		SANs: []string{}, OwnerID: ownerID1, TeamID: teamID1,
+		IssuerID: issuerID1, RenewalPolicyID: policyID1,
+		Status:    domain.CertificateStatusRevoked,
+		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
+		CreatedAt: now, UpdatedAt: now,
+	}
+	if err := certRepo.Create(ctx, cert1); err != nil {
+		t.Fatalf("Create cert1 failed: %v", err)
+	}
+	if err := repo.Create(ctx, &domain.CertificateRevocation{
+		ID: "rev-dup-a", CertificateID: "mc-dup-a", SerialNumber: "CAFEBABE01",
+		Reason: "keyCompromise", RevokedBy: "admin", RevokedAt: now,
+		IssuerID: issuerID1, CreatedAt: now,
+	}); err != nil {
+		t.Fatalf("Create revocation under issuer1 failed: %v", err)
+	}
+
+	// Second issuer + cert + revocation with the SAME serial "CAFEBABE01".
+	// Under the pre-000012 global-unique index this would silently drop via
+	// ON CONFLICT DO NOTHING. Under the new (issuer_id, serial_number) scope
+	// it must succeed.
+	ownerID2, teamID2, issuerID2, policyID2 := insertCertPrereqsRaw(t, db, ctx, "dup-b")
+	cert2 := &domain.ManagedCertificate{
+		ID: "mc-dup-b", Name: "dup-b", CommonName: "b.example.com",
+		SANs: []string{}, OwnerID: ownerID2, TeamID: teamID2,
+		IssuerID: issuerID2, RenewalPolicyID: policyID2,
+		Status:    domain.CertificateStatusRevoked,
+		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
+		CreatedAt: now, UpdatedAt: now,
+	}
+	if err := certRepo.Create(ctx, cert2); err != nil {
+		t.Fatalf("Create cert2 failed: %v", err)
+	}
+	if err := repo.Create(ctx, &domain.CertificateRevocation{
+		ID: "rev-dup-b", CertificateID: "mc-dup-b", SerialNumber: "CAFEBABE01",
+		Reason: "superseded", RevokedBy: "admin", RevokedAt: now,
+		IssuerID: issuerID2, CreatedAt: now,
+	}); err != nil {
+		t.Fatalf("Create revocation under issuer2 failed (cross-issuer duplicate serial must be allowed): %v", err)
+	}
+
+	// Both revocations must be retrievable under their respective issuers.
+	revA, err := repo.GetByIssuerAndSerial(ctx, issuerID1, "CAFEBABE01")
+	if err != nil {
+		t.Fatalf("GetByIssuerAndSerial(issuer1) failed: %v", err)
+	}
+	if revA.ID != "rev-dup-a" || revA.Reason != "keyCompromise" {
+		t.Errorf("issuer1 lookup returned wrong row: id=%q reason=%q", revA.ID, revA.Reason)
+	}
+
+	revB, err := repo.GetByIssuerAndSerial(ctx, issuerID2, "CAFEBABE01")
+	if err != nil {
+		t.Fatalf("GetByIssuerAndSerial(issuer2) failed: %v", err)
+	}
+	if revB.ID != "rev-dup-b" || revB.Reason != "superseded" {
+		t.Errorf("issuer2 lookup returned wrong row: id=%q reason=%q", revB.ID, revB.Reason)
+	}
+
+	// ListAll should see both revocations.
+	all, err := repo.ListAll(ctx)
+	if err != nil {
+		t.Fatalf("ListAll failed: %v", err)
+	}
+	if len(all) != 2 {
+		t.Errorf("len(all) = %d, want 2 (cross-issuer duplicate serials)", len(all))
+	}
+
+	// Same-issuer idempotency guard still works (ON CONFLICT DO NOTHING on
+	// (issuer_id, serial_number) — re-inserting the same (issuer, serial)
+	// pair must not error and must not duplicate the row).
+	if err := repo.Create(ctx, &domain.CertificateRevocation{
+		ID: "rev-dup-a-repeat", CertificateID: "mc-dup-a", SerialNumber: "CAFEBABE01",
+		Reason: "superseded", RevokedBy: "admin", RevokedAt: now,
+		IssuerID: issuerID1, CreatedAt: now,
+	}); err != nil {
+		t.Fatalf("Idempotent create under same issuer failed: %v", err)
+	}
+	all, _ = repo.ListAll(ctx)
+	if len(all) != 2 {
+		t.Errorf("len(all) after idempotent re-insert = %d, want 2", len(all))
+	}
+}
+
 // ============================================================
 // Team Repository Tests
 // ============================================================
@@ -1578,3 +1872,334 @@ func TestEmptyResultSets(t *testing.T) {
 		t.Errorf("expected empty agent groups, got %d", len(groups))
 	}
 }
+
+// ============================================================
+// H-6 (CWE-362) Claim-Based Concurrency Tests
+//
+// These tests exercise the `SELECT ... FOR UPDATE SKIP LOCKED` worker-queue pattern
+// introduced to remediate the H-6 race condition. They validate two invariants:
+//
+//  1. Disjoint claim: under concurrent callers, no Pending row is returned to more
+//     than one worker (i.e. each claim is exclusive).
+//  2. State transition: claimed rows are atomically flipped to Running inside the
+//     same transaction that locked them, so a subsequent query must see the row in
+//     the Running state and no other worker can observe it as Pending again.
+//
+// Skipped automatically in `-short` mode (CI) since they require a real PostgreSQL
+// instance and take ~1s under contention.
+// ============================================================
+
+// seedPendingJobs creates n Pending renewal jobs against a single prerequisite
+// certificate and returns the generated job IDs.
+func seedPendingJobs(t *testing.T, ctx context.Context, db *sql.DB, certID string, n int) []string {
+	t.Helper()
+	certRepo := postgres.NewCertificateRepository(db)
+	jobRepo := postgres.NewJobRepository(db)
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, certID)
+
+	now := time.Now().Truncate(time.Microsecond)
+	cert := &domain.ManagedCertificate{
+		ID: "mc-" + certID, Name: certID, CommonName: certID + ".example.com",
+		SANs: []string{}, OwnerID: ownerID, TeamID: teamID,
+		IssuerID: issuerID, RenewalPolicyID: policyID,
+		Status:    domain.CertificateStatusActive,
+		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
+		CreatedAt: now, UpdatedAt: now,
+	}
+	if err := certRepo.Create(ctx, cert); err != nil {
+		t.Fatalf("seedPendingJobs: create cert failed: %v", err)
+	}
+
+	ids := make([]string, 0, n)
+	for i := 0; i < n; i++ {
+		job := &domain.Job{
+			ID:            fmt.Sprintf("job-%s-%03d", certID, i),
+			Type:          domain.JobTypeRenewal,
+			CertificateID: "mc-" + certID,
+			Status:        domain.JobStatusPending,
+			Attempts:      0,
+			MaxAttempts:   3,
+			ScheduledAt:   now,
+			CreatedAt:     now,
+		}
+		if err := jobRepo.Create(ctx, job); err != nil {
+			t.Fatalf("seedPendingJobs: create job %d failed: %v", i, err)
+		}
+		ids = append(ids, job.ID)
+	}
+	return ids
+}
+
+// TestJobRepository_ClaimPendingJobs_FlipsToRunning validates the basic claim
+// semantics: a single call transitions Pending rows to Running atomically, and
+// the rows returned to the caller reflect the post-update state.
+func TestJobRepository_ClaimPendingJobs_FlipsToRunning(t *testing.T) {
+	if testing.Short() {
+		t.Skip("integration test requires PostgreSQL")
+	}
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	jobRepo := postgres.NewJobRepository(db)
+	ctx := context.Background()
+
+	seeded := seedPendingJobs(t, ctx, db, "claimflip", 5)
+
+	claimed, err := jobRepo.ClaimPendingJobs(ctx, domain.JobTypeRenewal, 0)
+	if err != nil {
+		t.Fatalf("ClaimPendingJobs failed: %v", err)
+	}
+	if len(claimed) != len(seeded) {
+		t.Fatalf("len(claimed) = %d, want %d", len(claimed), len(seeded))
+	}
+
+	// In-memory return values must reflect the transitioned state.
+	for _, j := range claimed {
+		if j.Status != domain.JobStatusRunning {
+			t.Errorf("claimed job %s Status = %q, want %q", j.ID, j.Status, domain.JobStatusRunning)
+		}
+	}
+
+	// Persisted rows must also be Running — a fresh Get must not see Pending.
+	for _, id := range seeded {
+		got, err := jobRepo.Get(ctx, id)
+		if err != nil {
+			t.Fatalf("Get(%s) failed: %v", id, err)
+		}
+		if got.Status != domain.JobStatusRunning {
+			t.Errorf("persisted job %s Status = %q, want %q", id, got.Status, domain.JobStatusRunning)
+		}
+	}
+
+	// A subsequent claim must return zero rows — nothing is Pending anymore.
+	residual, err := jobRepo.ClaimPendingJobs(ctx, domain.JobTypeRenewal, 0)
+	if err != nil {
+		t.Fatalf("residual ClaimPendingJobs failed: %v", err)
+	}
+	if len(residual) != 0 {
+		t.Errorf("residual claims = %d, want 0 (all should be Running now)", len(residual))
+	}
+}
+
+// TestJobRepository_ClaimPendingJobs_ConcurrentDisjoint validates the core H-6
+// invariant: under concurrent access, no row is handed to more than one worker.
+//
+// The test seeds M Pending jobs, fans out N goroutines each of which loops
+// calling ClaimPendingJobs with limit=1, and finally asserts the union of all
+// claimed IDs is exactly M with zero duplicates. Workers that transiently
+// observe zero rows (because peers are holding the only remaining rows) re-check
+// an atomic progress counter before exiting, so transient SKIP-LOCKED zeros do
+// not cause premature termination.
+func TestJobRepository_ClaimPendingJobs_ConcurrentDisjoint(t *testing.T) {
+	if testing.Short() {
+		t.Skip("integration test requires PostgreSQL")
+	}
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	jobRepo := postgres.NewJobRepository(db)
+	ctx := context.Background()
+
+	const M = 40 // seeded Pending jobs
+	const N = 8  // concurrent workers
+	seeded := seedPendingJobs(t, ctx, db, "concurrent", M)
+	seededSet := make(map[string]bool, M)
+	for _, id := range seeded {
+		seededSet[id] = true
+	}
+
+	var (
+		totalClaimed int64
+		allClaims    []string
+		mu           sync.Mutex
+		wg           sync.WaitGroup
+	)
+
+	for w := 0; w < N; w++ {
+		wg.Add(1)
+		go func(worker int) {
+			defer wg.Done()
+			emptyStreak := 0
+			for iter := 0; iter < M*4; iter++ { // generous ceiling to prevent hangs
+				claimed, err := jobRepo.ClaimPendingJobs(ctx, domain.JobTypeRenewal, 1)
+				if err != nil {
+					t.Errorf("worker %d ClaimPendingJobs failed: %v", worker, err)
+					return
+				}
+				if len(claimed) == 0 {
+					// Transient zero (peer holds lock) vs. terminal zero (all claimed).
+					// Bail only once the shared counter proves work is done, but guard
+					// with a streak so we don't spin forever under starvation.
+					if atomic.LoadInt64(&totalClaimed) >= int64(M) {
+						return
+					}
+					emptyStreak++
+					if emptyStreak >= 20 {
+						return
+					}
+					time.Sleep(500 * time.Microsecond)
+					continue
+				}
+				emptyStreak = 0
+				mu.Lock()
+				for _, j := range claimed {
+					if j.Status != domain.JobStatusRunning {
+						t.Errorf("worker %d got job %s in Status=%q (want Running) — claim did not flip state", worker, j.ID, j.Status)
+					}
+					allClaims = append(allClaims, j.ID)
+				}
+				mu.Unlock()
+				atomic.AddInt64(&totalClaimed, int64(len(claimed)))
+			}
+		}(w)
+	}
+	wg.Wait()
+
+	// Invariant 1: no duplicate claims across the worker pool.
+	seen := make(map[string]int, len(allClaims))
+	for _, id := range allClaims {
+		seen[id]++
+	}
+	for id, count := range seen {
+		if count > 1 {
+			t.Errorf("job %s claimed %d times — SKIP LOCKED invariant violated", id, count)
+		}
+	}
+
+	// Invariant 2: every seeded job appears in the claim set exactly once.
+	if len(seen) != M {
+		t.Errorf("distinct claimed IDs = %d, want %d (all seeded jobs must be claimed)", len(seen), M)
+	}
+	for id := range seededSet {
+		if seen[id] == 0 {
+			t.Errorf("seeded job %s was never claimed by any worker", id)
+		}
+	}
+
+	// Invariant 3: persisted state reflects the transition — every seeded row
+	// is now Running; none is Pending.
+	for id := range seededSet {
+		got, err := jobRepo.Get(ctx, id)
+		if err != nil {
+			t.Fatalf("Get(%s) failed: %v", id, err)
+		}
+		if got.Status != domain.JobStatusRunning {
+			t.Errorf("job %s Status = %q, want %q", id, got.Status, domain.JobStatusRunning)
+		}
+	}
+
+	// Final progress counter must match the total number of seeded jobs.
+	if got := atomic.LoadInt64(&totalClaimed); got != int64(M) {
+		t.Errorf("totalClaimed = %d, want %d", got, M)
+	}
+}
+
+// TestJobRepository_ClaimPendingByAgentID_TransitionsDeployments validates the
+// agent-scoped claim variant: Pending deployment rows for a given agent flip to
+// Running; AwaitingCSR rows are returned but their state is preserved (the CSR
+// submission path drives their next transition).
+func TestJobRepository_ClaimPendingByAgentID_TransitionsDeployments(t *testing.T) {
+	if testing.Short() {
+		t.Skip("integration test requires PostgreSQL")
+	}
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	jobRepo := postgres.NewJobRepository(db)
+	agentRepo := postgres.NewAgentRepository(db)
+	ctx := context.Background()
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "agentclaim")
+
+	now := time.Now().Truncate(time.Microsecond)
+	cert := &domain.ManagedCertificate{
+		ID: "mc-agentclaim", Name: "agentclaim", CommonName: "agentclaim.example.com",
+		SANs: []string{}, OwnerID: ownerID, TeamID: teamID,
+		IssuerID: issuerID, RenewalPolicyID: policyID,
+		Status:    domain.CertificateStatusActive,
+		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
+		CreatedAt: now, UpdatedAt: now,
+	}
+	if err := postgres.NewCertificateRepository(db).Create(ctx, cert); err != nil {
+		t.Fatalf("create cert failed: %v", err)
+	}
+
+	agent := &domain.Agent{
+		ID:           "a-claim",
+		Name:         "claim-agent",
+		Hostname:     "claim-agent-host",
+		Status:       domain.AgentStatusOnline,
+		RegisteredAt: now,
+		APIKeyHash:   "hash-claim",
+	}
+	if err := agentRepo.Create(ctx, agent); err != nil {
+		t.Fatalf("create agent failed: %v", err)
+	}
+
+	agentID := agent.ID
+	mkJob := func(id string, typ domain.JobType, status domain.JobStatus) *domain.Job {
+		return &domain.Job{
+			ID: id, Type: typ, CertificateID: cert.ID,
+			AgentID:     &agentID,
+			Status:      status,
+			Attempts:    0,
+			MaxAttempts: 3,
+			ScheduledAt: now,
+			CreatedAt:   now,
+		}
+	}
+	jobs := []*domain.Job{
+		mkJob("job-agentclaim-dep-1", domain.JobTypeDeployment, domain.JobStatusPending),
+		mkJob("job-agentclaim-dep-2", domain.JobTypeDeployment, domain.JobStatusPending),
+		mkJob("job-agentclaim-csr-1", domain.JobTypeRenewal, domain.JobStatusAwaitingCSR),
+		// A Pending Renewal (not Deployment) must NOT be returned by the per-agent claim.
+		mkJob("job-agentclaim-ren-pending", domain.JobTypeRenewal, domain.JobStatusPending),
+	}
+	for _, j := range jobs {
+		if err := jobRepo.Create(ctx, j); err != nil {
+			t.Fatalf("create job %s failed: %v", j.ID, err)
+		}
+	}
+
+	claimed, err := jobRepo.ClaimPendingByAgentID(ctx, agentID)
+	if err != nil {
+		t.Fatalf("ClaimPendingByAgentID failed: %v", err)
+	}
+	// Expect exactly the 2 deployments + 1 AwaitingCSR.
+	if len(claimed) != 3 {
+		t.Fatalf("len(claimed) = %d, want 3 (2 deployments + 1 AwaitingCSR)", len(claimed))
+	}
+
+	statusByID := map[string]domain.JobStatus{}
+	for _, j := range claimed {
+		statusByID[j.ID] = j.Status
+	}
+	// Both deployments must be Running in the returned slice (in-memory reflection).
+	for _, id := range []string{"job-agentclaim-dep-1", "job-agentclaim-dep-2"} {
+		if statusByID[id] != domain.JobStatusRunning {
+			t.Errorf("returned deployment %s Status = %q, want Running", id, statusByID[id])
+		}
+	}
+	// AwaitingCSR must remain AwaitingCSR.
+	if statusByID["job-agentclaim-csr-1"] != domain.JobStatusAwaitingCSR {
+		t.Errorf("returned AwaitingCSR Status = %q, want AwaitingCSR", statusByID["job-agentclaim-csr-1"])
+	}
+	// The unrelated Pending Renewal must not be returned.
+	if _, ok := statusByID["job-agentclaim-ren-pending"]; ok {
+		t.Errorf("Pending Renewal job was returned by ClaimPendingByAgentID — scope violation")
+	}
+
+	// Persisted state: deployments Running, AwaitingCSR unchanged, Pending Renewal still Pending.
+	for id, want := range map[string]domain.JobStatus{
+		"job-agentclaim-dep-1":       domain.JobStatusRunning,
+		"job-agentclaim-dep-2":       domain.JobStatusRunning,
+		"job-agentclaim-csr-1":       domain.JobStatusAwaitingCSR,
+		"job-agentclaim-ren-pending": domain.JobStatusPending,
+	} {
+		got, err := jobRepo.Get(ctx, id)
+		if err != nil {
+			t.Fatalf("Get(%s) failed: %v", id, err)
+		}
+		if got.Status != want {
+			t.Errorf("persisted %s Status = %q, want %q", id, got.Status, want)
+		}
+	}
+}

internal/repository/postgres/revocation.go

@@ -19,13 +19,18 @@ func NewRevocationRepository(db *sql.DB) *RevocationRepository {
 }
 
 // Create records a new certificate revocation.
+//
+// Uniqueness is scoped to (issuer_id, serial_number) per RFC 5280 §5.2.3.
+// Serial numbers are only unique within an issuer, so certctl supports
+// collisions across different issuer connectors. The composite ON CONFLICT
+// target matches migration 000012's unique index.
 func (r *RevocationRepository) Create(ctx context.Context, revocation *domain.CertificateRevocation) error {
 	_, err := r.db.ExecContext(ctx, `
 		INSERT INTO certificate_revocations (
 			id, certificate_id, serial_number, reason, revoked_by, revoked_at,
 			issuer_id, issuer_notified, created_at
 		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
-		ON CONFLICT (serial_number) DO NOTHING
+		ON CONFLICT (issuer_id, serial_number) DO NOTHING
 	`, revocation.ID, revocation.CertificateID, revocation.SerialNumber,
 		revocation.Reason, revocation.RevokedBy, revocation.RevokedAt,
 		revocation.IssuerID, revocation.IssuerNotified, revocation.CreatedAt)
@@ -37,20 +42,24 @@ func (r *RevocationRepository) Create(ctx context.Context, revocation *domain.Ce
 	return nil
 }
 
-// GetBySerial retrieves a revocation by serial number.
-func (r *RevocationRepository) GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error) {
+// GetByIssuerAndSerial retrieves a revocation by the (issuer_id, serial) pair.
+//
+// Per RFC 5280 §5.2.3, serial numbers are unique only within a single issuer.
+// Callers (OCSP handlers, CRL generation) always know the issuer because the
+// OCSP URL carries it as a path parameter and CRLs are generated per-issuer.
+func (r *RevocationRepository) GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.CertificateRevocation, error) {
 	var rev domain.CertificateRevocation
 	err := r.db.QueryRowContext(ctx, `
 		SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
 		       issuer_id, issuer_notified, created_at
 		FROM certificate_revocations
-		WHERE serial_number = $1
-	`, serial).Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
+		WHERE issuer_id = $1 AND serial_number = $2
+	`, issuerID, serial).Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
 		&rev.Reason, &rev.RevokedBy, &rev.RevokedAt,
 		&rev.IssuerID, &rev.IssuerNotified, &rev.CreatedAt)
 
 	if err != nil {
-		return nil, fmt.Errorf("failed to get revocation by serial: %w", err)
+		return nil, fmt.Errorf("failed to get revocation by issuer and serial: %w", err)
 	}
 
 	return &rev, nil

internal/scheduler/scheduler.go

@@ -16,8 +16,16 @@ type RenewalServicer interface {
 }
 
 // JobServicer defines the interface for job processing used by the scheduler.
+//
+// RetryFailedJobs was added to close coverage gap I-001: JobService.RetryFailedJobs
+// existed and was unit-tested but had no runtime caller prior to this loop being
+// wired. The scheduler now drives it on an independent tick so failed jobs whose
+// attempt counter is below MaxAttempts are periodically reset to Pending for the
+// job processor to pick up again. maxRetries is advisory (per-job gating uses
+// each job's own Attempts/MaxAttempts fields).
 type JobServicer interface {
 	ProcessPendingJobs(ctx context.Context) error
+	RetryFailedJobs(ctx context.Context, maxRetries int) error
 }
 
 // AgentServicer defines the interface for agent health checks used by the scheduler.
@@ -67,6 +75,7 @@ type Scheduler struct {
 	// Configurable tick intervals
 	renewalCheckInterval            time.Duration
 	jobProcessorInterval            time.Duration
+	jobRetryInterval                time.Duration
 	agentHealthCheckInterval        time.Duration
 	notificationProcessInterval     time.Duration
 	shortLivedExpiryCheckInterval   time.Duration
@@ -78,6 +87,7 @@ type Scheduler struct {
 	// Idempotency guards: prevent duplicate execution of slow jobs
 	renewalCheckRunning           atomic.Bool
 	jobProcessorRunning           atomic.Bool
+	jobRetryRunning               atomic.Bool
 	agentHealthCheckRunning       atomic.Bool
 	notificationProcessRunning    atomic.Bool
 	shortLivedExpiryCheckRunning  atomic.Bool
@@ -110,6 +120,7 @@ func NewScheduler(
 		// Default intervals
 		renewalCheckInterval:          1 * time.Hour,
 		jobProcessorInterval:          30 * time.Second,
+		jobRetryInterval:              5 * time.Minute,
 		agentHealthCheckInterval:      2 * time.Minute,
 		notificationProcessInterval:   1 * time.Minute,
 		shortLivedExpiryCheckInterval: 30 * time.Second,
@@ -141,6 +152,13 @@ func (s *Scheduler) SetJobProcessorInterval(d time.Duration) {
 	s.jobProcessorInterval = d
 }
 
+// SetJobRetryInterval configures the interval for the failed-job retry loop
+// (coverage gap I-001). Defaults to 5 minutes; honors
+// CERTCTL_SCHEDULER_RETRY_INTERVAL when wired from config.
+func (s *Scheduler) SetJobRetryInterval(d time.Duration) {
+	s.jobRetryInterval = d
+}
+
 // SetAgentHealthCheckInterval configures the interval for agent health checks.
 func (s *Scheduler) SetAgentHealthCheckInterval(d time.Duration) {
 	s.agentHealthCheckInterval = d
@@ -193,7 +211,10 @@ func (s *Scheduler) Start(ctx context.Context) <-chan struct{} {
 
 		// Track all loop goroutines in the WaitGroup so WaitForCompletion
 		// blocks until they've fully exited (prevents test races).
-		loopCount := 5
+		// Base count is 6: renewal, job processor, job retry (I-001),
+		// agent health, notification, short-lived expiry. Optional loops
+		// (network scan, digest, health check, cloud discovery) add to this.
+		loopCount := 6
 		if s.networkScanService != nil {
 			loopCount++
 		}
@@ -210,6 +231,7 @@ func (s *Scheduler) Start(ctx context.Context) <-chan struct{} {
 
 		go func() { defer s.wg.Done(); s.renewalCheckLoop(ctx) }()
 		go func() { defer s.wg.Done(); s.jobProcessorLoop(ctx) }()
+		go func() { defer s.wg.Done(); s.jobRetryLoop(ctx) }()
 		go func() { defer s.wg.Done(); s.agentHealthCheckLoop(ctx) }()
 		go func() { defer s.wg.Done(); s.notificationProcessLoop(ctx) }()
 		go func() { defer s.wg.Done(); s.shortLivedExpiryCheckLoop(ctx) }()
@@ -334,6 +356,63 @@ func (s *Scheduler) runJobProcessor(ctx context.Context) {
 	}
 }
 
+// jobRetryLoop runs every jobRetryInterval and transitions eligible Failed jobs
+// back to Pending so the job processor can pick them up again. Closes coverage
+// gap I-001 — JobService.RetryFailedJobs had no runtime caller prior to this
+// loop being wired. Runs immediately on start, then every interval.
+// Uses atomic.Bool to prevent duplicate execution if the previous retry sweep
+// is still running.
+func (s *Scheduler) jobRetryLoop(ctx context.Context) {
+	ticker := time.NewTicker(s.jobRetryInterval)
+	defer ticker.Stop()
+
+	// Run immediately on start (with idempotency guard)
+	s.jobRetryRunning.Store(true)
+	s.wg.Add(1)
+	go func() {
+		defer s.wg.Done()
+		defer s.jobRetryRunning.Store(false)
+		s.runJobRetry(ctx)
+	}()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			if !s.jobRetryRunning.CompareAndSwap(false, true) {
+				s.logger.Warn("job retry still running, skipping tick")
+				continue
+			}
+			s.wg.Add(1)
+			go func() {
+				defer s.wg.Done()
+				defer s.jobRetryRunning.Store(false)
+				s.runJobRetry(ctx)
+			}()
+		}
+	}
+}
+
+// runJobRetry executes a single failed-job retry cycle with error recovery.
+// Uses the same 2-minute per-tick timeout as runJobProcessor; RetryFailedJobs
+// issues one SELECT and one UPDATE per eligible job (cheap), so this headroom
+// covers very large failure backlogs without starving the loop.
+func (s *Scheduler) runJobRetry(ctx context.Context) {
+	opCtx, cancel := context.WithTimeout(ctx, 2*time.Minute)
+	defer cancel()
+	// maxRetries is advisory at the service layer (per-job gating uses each
+	// job's own Attempts/MaxAttempts). Passing 3 matches the conventional
+	// default seen across the codebase's job creation paths.
+	if err := s.jobService.RetryFailedJobs(opCtx, 3); err != nil {
+		s.logger.Error("job retry failed",
+			"error", err,
+			"interval", s.jobRetryInterval.String())
+	} else {
+		s.logger.Debug("job retry completed")
+	}
+}
+
 // agentHealthCheckLoop runs every agentHealthCheckInterval and marks stale agents as offline.
 // An agent is considered stale if it hasn't sent a heartbeat within the health check interval.
 // If an error occurs, it logs the error but continues running.

internal/scheduler/scheduler_test.go

@@ -68,12 +68,23 @@ func (m *mockRenewalService) ExpireShortLivedCertificates(ctx context.Context) e
 }
 
 // mockJobService is a mock implementation for testing.
+//
+// Tracks ProcessPendingJobs and RetryFailedJobs separately. retrySlowDelay and
+// retryShouldError let tests exercise the retry loop independently of the
+// processor loop without coupling their timing/failure modes.
 type mockJobService struct {
 	mu          sync.Mutex
 	callCount   int
 	callTimes   []time.Time
 	slowDelay   time.Duration
 	shouldError bool
+
+	// Retry loop tracking (coverage gap I-001)
+	retryCallCount      int
+	retryCallTimes      []time.Time
+	retryMaxRetriesSeen []int
+	retrySlowDelay      time.Duration
+	retryShouldError    bool
 }
 
 func (m *mockJobService) ProcessPendingJobs(ctx context.Context) error {
@@ -96,6 +107,30 @@ func (m *mockJobService) ProcessPendingJobs(ctx context.Context) error {
 	return nil
 }
 
+// RetryFailedJobs is the scheduler-driven counterpart to ProcessPendingJobs that
+// covers coverage gap I-001: JobService.RetryFailedJobs had no runtime caller
+// prior to the jobRetryLoop being wired.
+func (m *mockJobService) RetryFailedJobs(ctx context.Context, maxRetries int) error {
+	m.mu.Lock()
+	m.retryCallCount++
+	m.retryCallTimes = append(m.retryCallTimes, time.Now())
+	m.retryMaxRetriesSeen = append(m.retryMaxRetriesSeen, maxRetries)
+	m.mu.Unlock()
+
+	if m.retrySlowDelay > 0 {
+		select {
+		case <-time.After(m.retrySlowDelay):
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+
+	if m.retryShouldError {
+		return context.Canceled
+	}
+	return nil
+}
+
 // mockAgentService is a mock implementation for testing.
 type mockAgentService struct {
 	mu          sync.Mutex
@@ -948,3 +983,161 @@ func TestScheduler_DigestLoop_SetDigestInterval(t *testing.T) {
 		t.Errorf("digestInterval should be %v after SetDigestInterval, got %v", customInterval, sched.digestInterval)
 	}
 }
+
+// TestScheduler_JobRetryLoop_CallsService verifies that the job retry loop
+// invokes JobService.RetryFailedJobs on each tick. Closes coverage gap I-001 —
+// prior to the loop being wired, RetryFailedJobs had no runtime caller.
+//
+// Also verifies that the scheduler forwards the conventional advisory maxRetries
+// constant (3) to the service layer; per-job gating still lives in each job's
+// own Attempts/MaxAttempts fields.
+func TestScheduler_JobRetryLoop_CallsService(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	renewalMock := &mockRenewalService{}
+	jobMock := &mockJobService{}
+	agentMock := &mockAgentService{}
+	notificationMock := &mockNotificationService{}
+	networkMock := &mockNetworkScanService{}
+
+	sched := NewScheduler(renewalMock, jobMock, agentMock, notificationMock, networkMock, logger)
+	// Quiet every other loop so only the retry loop's calls are visible on jobMock.
+	sched.SetRenewalCheckInterval(10 * time.Second)
+	sched.SetJobProcessorInterval(10 * time.Second)
+	sched.SetAgentHealthCheckInterval(10 * time.Second)
+	sched.SetNotificationProcessInterval(10 * time.Second)
+	sched.SetNetworkScanInterval(10 * time.Second)
+	sched.SetJobRetryInterval(50 * time.Millisecond)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	startedChan := sched.Start(ctx)
+	<-startedChan
+
+	// Run long enough for the immediate start + at least one tick.
+	time.Sleep(200 * time.Millisecond)
+	cancel()
+	_ = sched.WaitForCompletion(2 * time.Second)
+
+	jobMock.mu.Lock()
+	retryCount := jobMock.retryCallCount
+	var firstMaxRetries int
+	if len(jobMock.retryMaxRetriesSeen) > 0 {
+		firstMaxRetries = jobMock.retryMaxRetriesSeen[0]
+	}
+	jobMock.mu.Unlock()
+
+	if retryCount < 1 {
+		t.Fatalf("expected job retry service to be called at least once, got %d", retryCount)
+	}
+	if firstMaxRetries != 3 {
+		t.Fatalf("expected scheduler to forward advisory maxRetries=3, got %d", firstMaxRetries)
+	}
+	t.Logf("job retry loop called %d times (maxRetries=%d)", retryCount, firstMaxRetries)
+}
+
+// TestScheduler_JobRetryLoop_IdempotencyGuard verifies that a slow retry sweep
+// does not cause overlapping executions. Mirrors the shape of
+// TestScheduler_DigestLoop_WithIdempotencyGuard.
+//
+// The guard is the atomic.Bool jobRetryRunning in scheduler.go. Without it, a
+// 100ms tick against a 150ms operation would fire ~4 times in 400ms; with the
+// guard we expect ~2–3 calls.
+func TestScheduler_JobRetryLoop_IdempotencyGuard(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	renewalMock := &mockRenewalService{}
+	jobMock := &mockJobService{
+		retrySlowDelay: 150 * time.Millisecond, // slower than tick interval
+	}
+	agentMock := &mockAgentService{}
+	notificationMock := &mockNotificationService{}
+	networkMock := &mockNetworkScanService{}
+
+	sched := NewScheduler(renewalMock, jobMock, agentMock, notificationMock, networkMock, logger)
+	sched.SetRenewalCheckInterval(10 * time.Second)
+	sched.SetJobProcessorInterval(10 * time.Second)
+	sched.SetAgentHealthCheckInterval(10 * time.Second)
+	sched.SetNotificationProcessInterval(10 * time.Second)
+	sched.SetNetworkScanInterval(10 * time.Second)
+	sched.SetJobRetryInterval(100 * time.Millisecond)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	startedChan := sched.Start(ctx)
+	<-startedChan
+
+	time.Sleep(400 * time.Millisecond)
+
+	jobMock.mu.Lock()
+	retryCount := jobMock.retryCallCount
+	jobMock.mu.Unlock()
+
+	// With a 150ms sweep and 100ms interval, a functioning guard should yield
+	// roughly 2–3 calls (immediate + any ticks whose previous sweep finished).
+	// Anything above 3 suggests the guard isn't holding.
+	if retryCount > 3 {
+		t.Logf("WARNING: retry called %d times in 400ms with 100ms interval and 150ms sweep — guard may not be working", retryCount)
+	}
+
+	t.Logf("job retry idempotency guard: %d calls in 400ms (100ms interval, 150ms sweep)", retryCount)
+
+	cancel()
+	if err := sched.WaitForCompletion(2 * time.Second); err != nil {
+		t.Fatalf("WaitForCompletion should succeed: %v", err)
+	}
+}
+
+// TestScheduler_JobRetryLoop_WaitForCompletion verifies that a retry sweep
+// which is still in flight at shutdown is awaited by WaitForCompletion (same
+// sync.WaitGroup contract as every other loop).
+func TestScheduler_JobRetryLoop_WaitForCompletion(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	renewalMock := &mockRenewalService{}
+	jobMock := &mockJobService{
+		retrySlowDelay: 100 * time.Millisecond,
+	}
+	agentMock := &mockAgentService{}
+	notificationMock := &mockNotificationService{}
+	networkMock := &mockNetworkScanService{}
+
+	sched := NewScheduler(renewalMock, jobMock, agentMock, notificationMock, networkMock, logger)
+	sched.SetRenewalCheckInterval(10 * time.Second)
+	sched.SetJobProcessorInterval(10 * time.Second)
+	sched.SetAgentHealthCheckInterval(10 * time.Second)
+	sched.SetNotificationProcessInterval(10 * time.Second)
+	sched.SetNetworkScanInterval(10 * time.Second)
+	sched.SetJobRetryInterval(50 * time.Millisecond)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	startedChan := sched.Start(ctx)
+	<-startedChan
+
+	// Let the immediate-start retry goroutine begin its 100ms sweep.
+	time.Sleep(30 * time.Millisecond)
+
+	// Initiate shutdown mid-sweep.
+	cancel()
+
+	start := time.Now()
+	err := sched.WaitForCompletion(5 * time.Second)
+	elapsed := time.Since(start)
+
+	if err != nil {
+		t.Fatalf("WaitForCompletion should not error: %v", err)
+	}
+	if elapsed > 5*time.Second {
+		t.Fatalf("WaitForCompletion took longer than expected: %v", elapsed)
+	}
+
+	jobMock.mu.Lock()
+	retryCount := jobMock.retryCallCount
+	jobMock.mu.Unlock()
+
+	if retryCount < 1 {
+		t.Fatalf("expected retry service to have started at least once before shutdown, got %d", retryCount)
+	}
+	t.Logf("retry loop graceful shutdown completed in %v after %d in-flight sweep(s)", elapsed, retryCount)
+}

internal/service/agent.go

@@ -2,11 +2,12 @@ package service
 
 import (
 	"context"
+	"crypto/rand"
 	"crypto/sha256"
+	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"log/slog"
-	"math/rand"
 	"time"
 
 	"github.com/shankar0123/certctl/internal/domain"
@@ -57,8 +58,11 @@ func (s *AgentService) Register(ctx context.Context, name string, hostname strin
 		return nil, "", fmt.Errorf("agent name and hostname are required")
 	}
 
-	// Generate API key
-	apiKey := generateAPIKey()
+	// Generate API key. crypto/rand failure is non-recoverable — propagate immediately.
+	apiKey, err := generateAPIKey()
+	if err != nil {
+		return nil, "", fmt.Errorf("failed to generate agent api key: %w", err)
+	}
 	apiKeyHash := hashAPIKey(apiKey)
 
 	now := time.Now()
@@ -87,8 +91,8 @@ func (s *AgentService) Register(ctx context.Context, name string, hostname strin
 	return agent, apiKey, nil
 }
 
-// HeartbeatWithContext updates an agent's last seen time, status, and metadata.
-func (s *AgentService) HeartbeatWithContext(ctx context.Context, agentID string, metadata *domain.AgentMetadata) error {
+// Heartbeat updates an agent's last seen time, status, and metadata.
+func (s *AgentService) Heartbeat(ctx context.Context, agentID string, metadata *domain.AgentMetadata) error {
 	agent, err := s.agentRepo.Get(ctx, agentID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch agent: %w", err)
@@ -110,12 +114,6 @@ func (s *AgentService) HeartbeatWithContext(ctx context.Context, agentID string,
 	return nil
 }
 
-// Heartbeat updates agent heartbeat (handler interface method).
-// Note: This method is called from handlers which have a context; callers should prefer HeartbeatWithContext.
-func (s *AgentService) Heartbeat(ctx context.Context, agentID string, metadata *domain.AgentMetadata) error {
-	return s.HeartbeatWithContext(ctx, agentID, metadata)
-}
-
 // SubmitCSR validates and processes a Certificate Signing Request from an agent.
 // In agent keygen mode, this completes an AwaitingCSR renewal job by signing the CSR
 // and storing the cert version. The private key stays on the agent — only the CSR
@@ -280,8 +278,13 @@ func (s *AgentService) GetPendingWork(ctx context.Context, agentID string) ([]*d
 		return nil, fmt.Errorf("failed to fetch agent: %w", err)
 	}
 
-	// Return only jobs assigned to this agent (via agent_id or target→agent relationship)
-	return s.jobRepo.ListPendingByAgentID(ctx, agentID)
+	// Atomically claim jobs assigned to this agent. H-6 (CWE-362) remediation:
+	// ClaimPendingByAgentID uses SELECT ... FOR UPDATE SKIP LOCKED so concurrent poll
+	// requests (duplicate agents, retry storms, or a lagging long-poll) never observe
+	// the same Pending deployment row. Pending deployments are flipped to Running inside
+	// the claim transaction; AwaitingCSR jobs keep their state since CSR submission is
+	// the state-machine trigger for their next transition.
+	return s.jobRepo.ClaimPendingByAgentID(ctx, agentID)
 }
 
 // ReportJobStatus updates a job's status based on agent feedback.
@@ -380,7 +383,10 @@ func (s *AgentService) GetAgent(ctx context.Context, id string) (*domain.Agent,
 // RegisterAgent creates and registers a new agent (handler interface method).
 func (s *AgentService) RegisterAgent(ctx context.Context, agent domain.Agent) (*domain.Agent, error) {
 	agent.ID = generateID("agent")
-	apiKey := generateAPIKey()
+	apiKey, err := generateAPIKey()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate agent api key: %w", err)
+	}
 	agent.APIKeyHash = hashAPIKey(apiKey)
 	agent.Status = domain.AgentStatusOnline
 	now := time.Now()
@@ -487,14 +493,17 @@ func (s *AgentService) CertificatePickup(ctx context.Context, agentID, certID st
 	return string(certPEM), nil
 }
 
-// generateAPIKey creates a random API key for an agent.
-func generateAPIKey() string {
-	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+// generateAPIKey creates a cryptographically secure random API key for an agent.
+// It fills a 32-byte buffer from crypto/rand (256 bits of entropy) and encodes it with
+// base64.RawURLEncoding, yielding a 43-character URL-safe, unpadded ASCII string.
+// The plaintext key is shown to the caller exactly once; only its SHA-256 hash is stored.
+// Fixes C-1 (CWE-338: previously used math/rand, which is not cryptographically secure).
+func generateAPIKey() (string, error) {
 	b := make([]byte, 32)
-	for i := range b {
-		b[i] = charset[rand.Intn(len(charset))]
+	if _, err := rand.Read(b); err != nil {
+		return "", fmt.Errorf("generate agent api key: %w", err)
 	}
-	return string(b)
+	return base64.RawURLEncoding.EncodeToString(b), nil
 }
 
 // hashAPIKey hashes an API key using SHA256.