Merge branch 'fix/m10-openapi-spec-drift': M-10 OpenAPI spec drift reconciliation

docs(openapi): reconcile api/openapi.yaml with router routes (M-10)
Add 9 missing operations to api/openapi.yaml that exist in router.go but were absent from the spec. Spec-only change with no runtime Go code changes; all 106 pre-existing operationIds preserved byte-identical. New operationIds: - testTargetConnection (POST /api/v1/targets/{id}/test) - verifyDeployment (POST /api/v1/jobs/{id}/verify) - getJobVerification (GET /api/v1/jobs/{id}/verification) - estCACerts (GET /.well-known/est/cacerts) - estSimpleEnroll (POST /.well-known/est/simpleenroll) - estSimpleReEnroll (POST /.well-known/est/simplereenroll) - estCSRAttrs (GET /.well-known/est/csrattrs) - scepGet (GET /scep) - scepPost (POST /scep) Spec operations: 106 → 115 (matches 115 router routes exactly). Verification: - openapi-spec-validator: OK - go build ./...: clean - go vet ./...: clean - go test -race -count=1 -short ./...: 54 packages ok, 0 FAIL - golangci-lint run ./...: 0 issues - govulncheck ./...: 0 vulnerabilities in our code - tsc --noEmit: 0 errors - vitest run: 3 files, 218 tests passed sha256 before: 7c14f77107a86f8de82fe91b7f5e16cca11206d1e1fab7b7bd77ff396620fdf3 sha256 after: 87bd92d0407d63643bec612d27261bf489563beb90d0791ea71cde26346f83d3
2026-06-07 22:31:36 +00:00 · 2026-04-18 03:21:45 +00:00 · 2026-04-18 03:21:40 +00:00 · 2026-04-18 02:53:50 +00:00 · 2026-04-18 02:34:14 +00:00 · 2026-04-18 01:43:56 +00:00
109 changed files with 5951 additions and 1090 deletions
@@ -45,11 +45,11 @@ jobs:
        run: govulncheck ./...

      - name: Race Detection
-        run: go test -race ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/scheduler/... ./internal/connector/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -timeout 300s
+        run: go test -race ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/scheduler/... ./internal/connector/... ./internal/crypto/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -timeout 300s

      - name: Go Test with Coverage
        run: |
-          go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -cover -coverprofile=coverage.out
+          go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/crypto/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -cover -coverprofile=coverage.out

      - name: Check Coverage Thresholds
        run: |
@@ -73,6 +73,13 @@ jobs:
          MIDDLEWARE_COV=$(go tool cover -func=coverage.out | grep 'internal/api/middleware' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
          echo "Middleware layer coverage: ${MIDDLEWARE_COV}%"

+          # Check crypto package coverage (target: 85%+)
+          # M-8 rationale: encryption primitives are a security-critical gate.
+          # v2 format, key-derivation, fallback, and fail-closed sentinel paths
+          # all need exhaustive coverage to avoid silent regressions (CWE-916 / CWE-329).
+          CRYPTO_COV=$(go tool cover -func=coverage.out | grep 'internal/crypto' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
+          echo "Crypto package coverage: ${CRYPTO_COV}%"
+
          # Fail if thresholds not met
          if [ "$(echo "$SERVICE_COV < 55" | bc -l)" -eq 1 ]; then
            echo "::error::Service layer coverage ${SERVICE_COV}% is below 55% threshold"
@@ -90,6 +97,10 @@ jobs:
            echo "::error::Middleware layer coverage ${MIDDLEWARE_COV}% is below 30% threshold"
            exit 1
          fi
+          if [ "$(echo "$CRYPTO_COV < 85" | bc -l)" -eq 1 ]; then
+            echo "::error::Crypto package coverage ${CRYPTO_COV}% is below 85% threshold"
+            exit 1
+          fi
          echo "Coverage thresholds passed!"

      - name: Upload Coverage Report
@@ -7,40 +7,30 @@ on:

 env:
  REGISTRY: ghcr.io
-  GO_VERSION: '1.22'
+  # Keep in lock-step with .github/workflows/ci.yml (M-3).
+  GO_VERSION: '1.25.9'
+  IMAGE_NAMESPACE: shankar0123

 jobs:
-  # Cross-compile agent and server binaries for multiple platforms
+  # ----------------------------------------------------------------------
+  # build-binaries (M-3): matrix build every (binary × OS × arch) tuple.
+  # For each tuple we produce: the binary, a SPDX-JSON SBOM, a keyless
+  # Cosign signature + certificate bundle, and a single-line sha256sum
+  # file. All artefacts are uploaded to a workflow-scoped artifact; the
+  # aggregate-checksums job fans them back in for release upload.
+  # ----------------------------------------------------------------------
  build-binaries:
-    name: Build Cross-Platform Binaries
+    name: Build ${{ matrix.binary }} (${{ matrix.os }}/${{ matrix.arch }})
    runs-on: ubuntu-latest
    permissions:
-      contents: write
-
+      contents: read
+      id-token: write  # Cosign keyless OIDC identity token
    strategy:
+      fail-fast: false
      matrix:
-        include:
-          # Agent binaries (4 platforms)
-          - os: linux
-            arch: amd64
-            binary: agent
-          - os: linux
-            arch: arm64
-            binary: agent
-          - os: darwin
-            arch: amd64
-            binary: agent
-          - os: darwin
-            arch: arm64
-            binary: agent
-          # Server binaries (2 platforms)
-          - os: linux
-            arch: amd64
-            binary: server
-          - os: linux
-            arch: arm64
-            binary: server
-
+        binary: [agent, server, cli, mcp-server]
+        os: [linux, darwin]
+        arch: [amd64, arm64]
    steps:
      - uses: actions/checkout@v4

@@ -51,35 +41,171 @@ jobs:

      - name: Extract version from tag
        id: version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"

-      - name: Build ${{ matrix.binary }} binary (${{ matrix.os }}-${{ matrix.arch }})
+      - name: Build binary
+        id: build
        env:
          GOOS: ${{ matrix.os }}
          GOARCH: ${{ matrix.arch }}
-          CGO_ENABLED: 0
+          CGO_ENABLED: '0'
+          VERSION: ${{ steps.version.outputs.VERSION }}
        run: |
+          set -euo pipefail
          OUTPUT_NAME="certctl-${{ matrix.binary }}-${{ matrix.os }}-${{ matrix.arch }}"
-          go build -ldflags="-w -s -X main.Version=${{ steps.version.outputs.VERSION }}" \
+          mkdir -p dist
+          go build \
+            -trimpath \
+            -ldflags="-w -s -X main.Version=${VERSION}" \
            -o "dist/${OUTPUT_NAME}" \
            "./cmd/${{ matrix.binary }}"
          ls -lh "dist/${OUTPUT_NAME}"
+          echo "output_name=${OUTPUT_NAME}" >> "$GITHUB_OUTPUT"

-      - name: Upload binaries to release
+      - name: Generate SBOM (SPDX-JSON)
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610  # v0.24.0
+        with:
+          file: dist/${{ steps.build.outputs.output_name }}
+          format: spdx-json
+          output-file: dist/${{ steps.build.outputs.output_name }}.sbom.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v4.1.1
+
+      - name: Keyless-sign binary with Cosign
+        env:
+          OUTPUT_NAME: ${{ steps.build.outputs.output_name }}
+        run: |
+          set -euo pipefail
+          cosign sign-blob \
+            --yes \
+            --output-signature "dist/${OUTPUT_NAME}.sig" \
+            --output-certificate "dist/${OUTPUT_NAME}.pem" \
+            "dist/${OUTPUT_NAME}"
+
+      - name: Compute SHA-256 sidecar
+        env:
+          OUTPUT_NAME: ${{ steps.build.outputs.output_name }}
+        run: |
+          set -euo pipefail
+          cd dist
+          sha256sum "${OUTPUT_NAME}" > "${OUTPUT_NAME}.sha256"
+          cat "${OUTPUT_NAME}.sha256"
+
+      - name: Upload build artefacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-${{ steps.build.outputs.output_name }}
+          path: |
+            dist/${{ steps.build.outputs.output_name }}
+            dist/${{ steps.build.outputs.output_name }}.sig
+            dist/${{ steps.build.outputs.output_name }}.pem
+            dist/${{ steps.build.outputs.output_name }}.sbom.spdx.json
+            dist/${{ steps.build.outputs.output_name }}.sha256
+          if-no-files-found: error
+          retention-days: 7
+
+  # ----------------------------------------------------------------------
+  # aggregate-checksums (M-3): fan in every matrix artefact, produce a
+  # single checksums.txt (sha256sum format, compatible with `sha256sum
+  # -c`), sign it with Cosign, upload everything to the GitHub Release,
+  # and emit a base64-encoded hash manifest for the SLSA generator.
+  # ----------------------------------------------------------------------
+  aggregate-checksums:
+    name: Aggregate checksums & sign
+    runs-on: ubuntu-latest
+    needs: [build-binaries]
+    permissions:
+      contents: write
+      id-token: write  # Cosign keyless OIDC identity token
+    outputs:
+      hashes: ${{ steps.hashes.outputs.hashes }}
+    steps:
+      - name: Download binary artefacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: binary-*
+          path: artifacts
+          merge-multiple: true
+
+      - name: Aggregate SHA-256 sums
+        id: hashes
+        run: |
+          set -euo pipefail
+          cd artifacts
+          : > checksums.txt
+          for f in certctl-*; do
+            case "$f" in
+              *.sig|*.pem|*.sbom.spdx.json|*.sha256|checksums.txt)
+                continue ;;
+            esac
+            sha256sum "$f" >> checksums.txt
+          done
+          echo "=== checksums.txt ==="
+          cat checksums.txt
+          # base64 hashes (single line, no wrapping) for SLSA generator.
+          HASHES=$(base64 -w0 < checksums.txt)
+          echo "hashes=${HASHES}" >> "$GITHUB_OUTPUT"
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v4.1.1
+
+      - name: Keyless-sign checksums.txt
+        run: |
+          set -euo pipefail
+          cd artifacts
+          cosign sign-blob \
+            --yes \
+            --output-signature checksums.txt.sig \
+            --output-certificate checksums.txt.pem \
+            checksums.txt
+
+      - name: Upload artefacts to GitHub Release
        uses: softprops/action-gh-release@v2
        if: startsWith(github.ref, 'refs/tags/')
        with:
          files: |
-            dist/certctl-agent-*
-            dist/certctl-server-*
+            artifacts/certctl-*
+            artifacts/checksums.txt
+            artifacts/checksums.txt.sig
+            artifacts/checksums.txt.pem

-  # Build and push Docker images
+  # ----------------------------------------------------------------------
+  # provenance-binaries (M-3): SLSA Level 3 provenance for every binary.
+  # The SLSA generic generator reusable workflow runs in a hermetic
+  # workflow run, producing multiple.intoto.jsonl from the base64 hash
+  # manifest and uploading it as a release asset.
+  # ----------------------------------------------------------------------
+  provenance-binaries:
+    name: SLSA provenance (binaries)
+    needs: [aggregate-checksums]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      base64-subjects: "${{ needs.aggregate-checksums.outputs.hashes }}"
+      upload-assets: true
+      provenance-name: multiple.intoto.jsonl
+
+  # ----------------------------------------------------------------------
+  # build-and-push-docker: push container images to GHCR with native
+  # SLSA L3 provenance (mode=max) and SBOM attestations emitted by
+  # docker/build-push-action@v6, plus a keyless Cosign signature on the
+  # image digest for identity-bound verification. The M-4 proxy-propagation
+  # build-args block is retained verbatim — M-3 only adds supply-chain
+  # steps; it never touches M-4 wiring.
+  # ----------------------------------------------------------------------
  build-and-push-docker:
    name: Build & Push Docker Images
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
+      id-token: write  # Cosign keyless OIDC identity token

    steps:
      - uses: actions/checkout@v4
@@ -93,40 +219,90 @@ jobs:

      - name: Extract version from tag
        id: version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

+      - name: Install Cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003  # v4.1.1
+
      - name: Build and push server image
+        id: server-push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: true
          tags: |
-            ${{ env.REGISTRY }}/shankar0123/certctl-server:${{ steps.version.outputs.VERSION }}
-            ${{ env.REGISTRY }}/shankar0123/certctl-server:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-server:${{ steps.version.outputs.VERSION }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-server:latest
+          # Proxy propagation (M-4, Issue #9) — forwards runner-level proxy
+          # secrets into the Docker build so self-hosted runners behind
+          # corporate proxies can reach public registries. GitHub-hosted
+          # runners don't need proxies, so the secrets are optional and
+          # resolve to empty strings when unset — byte-identical to the
+          # pre-fix behaviour for the public-runner path.
+          build-args: |
+            HTTP_PROXY=${{ secrets.HTTP_PROXY }}
+            HTTPS_PROXY=${{ secrets.HTTPS_PROXY }}
+            NO_PROXY=${{ secrets.NO_PROXY }}
+          # Supply-chain hardening (M-3): emit native SLSA L3 provenance
+          # and SBOM attestations bound to the image manifest.
+          provenance: mode=max
+          sbom: true
          cache-from: type=gha
          cache-to: type=gha,mode=max

+      - name: Keyless-sign server image with Cosign
+        env:
+          DIGEST: ${{ steps.server-push.outputs.digest }}
+          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-server
+        run: |
+          set -euo pipefail
+          cosign sign --yes "${IMAGE}@${DIGEST}"
+
      - name: Build and push agent image
+        id: agent-push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile.agent
          push: true
          tags: |
-            ${{ env.REGISTRY }}/shankar0123/certctl-agent:${{ steps.version.outputs.VERSION }}
-            ${{ env.REGISTRY }}/shankar0123/certctl-agent:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-agent:${{ steps.version.outputs.VERSION }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-agent:latest
+          # Proxy propagation (M-4, Issue #9) — see server-image step for
+          # rationale. Empty secrets resolve to empty build args, leaving
+          # the un-proxied code path byte-identical to the pre-fix tree.
+          build-args: |
+            HTTP_PROXY=${{ secrets.HTTP_PROXY }}
+            HTTPS_PROXY=${{ secrets.HTTPS_PROXY }}
+            NO_PROXY=${{ secrets.NO_PROXY }}
+          # Supply-chain hardening (M-3): emit native SLSA L3 provenance
+          # and SBOM attestations bound to the image manifest.
+          provenance: mode=max
+          sbom: true
          cache-from: type=gha
          cache-to: type=gha,mode=max

-  # Create release notes with all artifacts
+      - name: Keyless-sign agent image with Cosign
+        env:
+          DIGEST: ${{ steps.agent-push.outputs.digest }}
+          IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/certctl-agent
+        run: |
+          set -euo pipefail
+          cosign sign --yes "${IMAGE}@${DIGEST}"
+
+  # ----------------------------------------------------------------------
+  # create-release: stamp the release body. The actual asset uploads are
+  # handled by aggregate-checksums (binaries, SBOMs, sigs, certs,
+  # checksums.txt + signature) and the SLSA generator (multiple.intoto.jsonl).
+  # ----------------------------------------------------------------------
  create-release:
    name: Create Release Notes
    runs-on: ubuntu-latest
-    needs: [build-binaries, build-and-push-docker]
+    needs: [build-binaries, aggregate-checksums, provenance-binaries, build-and-push-docker]
    permissions:
      contents: write

@@ -135,7 +311,7 @@ jobs:

      - name: Extract version from tag
        id: version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"

      - name: Create release with notes
        uses: softprops/action-gh-release@v2
@@ -197,6 +373,76 @@ jobs:

            - **Linux x86_64**: `certctl-server-linux-amd64`
            - **Linux ARM64**: `certctl-server-linux-arm64`
+            - **macOS x86_64**: `certctl-server-darwin-amd64`
+            - **macOS ARM64 (Apple Silicon)**: `certctl-server-darwin-arm64`
+
+            ## CLI & MCP Server Binaries
+
+            The `certctl-cli` (REST API wrapper) and `certctl-mcp-server` (Model Context
+            Protocol bridge) binaries ship for all four platforms as well:
+
+            - `certctl-cli-{linux,darwin}-{amd64,arm64}`
+            - `certctl-mcp-server-{linux,darwin}-{amd64,arm64}`
+
+            ## Verifying this release
+
+            Every binary, `checksums.txt`, and container image is signed with Cosign
+            keyless OIDC. Each binary ships with a SPDX-JSON SBOM. Binaries are covered
+            by SLSA Level 3 provenance; container images carry native SLSA L3 provenance
+            and SBOM attestations (docker/build-push-action `provenance: mode=max`,
+            `sbom: true`) in addition to a Cosign signature on the digest.
+
+            **1. Verify SHA-256 checksums:**
+
+            ```bash
+            sha256sum -c checksums.txt
+            ```
+
+            **2. Verify the Cosign signature on checksums.txt (keyless OIDC):**
+
+            ```bash
+            cosign verify-blob \
+              --certificate checksums.txt.pem \
+              --signature checksums.txt.sig \
+              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
+              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+              checksums.txt
+            ```
+
+            Replace `checksums.txt` with any individual binary name to verify that
+            artefact directly (each binary ships with its own `.sig` + `.pem` sidecar).
+
+            **3. Verify SLSA Level 3 provenance (binaries):**
+
+            ```bash
+            slsa-verifier verify-artifact \
+              --provenance-path multiple.intoto.jsonl \
+              --source-uri github.com/shankar0123/certctl \
+              --source-tag ${{ steps.version.outputs.VERSION }} \
+              certctl-agent-linux-amd64
+            ```
+
+            **4. Verify container image signature and attestations:**
+
+            ```bash
+            IMAGE=ghcr.io/shankar0123/certctl-server:${{ steps.version.outputs.VERSION }}
+            cosign verify \
+              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
+              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+              "$IMAGE"
+
+            # SBOM attestation (SPDX-JSON) emitted by docker/build-push-action
+            cosign verify-attestation --type spdxjson \
+              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
+              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+              "$IMAGE"
+
+            # SLSA provenance attestation (mode=max)
+            cosign verify-attestation --type slsaprovenance \
+              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
+              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+              "$IMAGE"
+            ```

            ## Helm Chart

@@ -6,6 +6,7 @@ run:
 linters:
  default: none
  enable:
+    - contextcheck
    - govet
    - staticcheck
    - unused
@@ -3,17 +3,43 @@
 # Stage 1: Build frontend
 FROM node:20-alpine AS frontend

+# Proxy propagation (M-4, Issue #9) — defaulted to empty so un-proxied builds
+# behave identically to the pre-fix tree. When `HTTP_PROXY`/`HTTPS_PROXY`/
+# `NO_PROXY` are forwarded via `docker build --build-arg` (or compose
+# `build.args`), they are re-exported as ENV with both upper- and lower-case
+# names because npm/apk/curl read the lowercase variants while Go, Node, and
+# most HTTP libraries read the uppercase ones.
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG NO_PROXY=
+ENV HTTP_PROXY=${HTTP_PROXY} \
+    HTTPS_PROXY=${HTTPS_PROXY} \
+    NO_PROXY=${NO_PROXY} \
+    http_proxy=${HTTP_PROXY} \
+    https_proxy=${HTTPS_PROXY} \
+    no_proxy=${NO_PROXY}
+
 WORKDIR /app/web

-COPY web/package.json web/package-lock.json ./
-RUN npm ci
-
 COPY web/ .
-RUN npm run build
+RUN npm ci --include=dev || npm ci --include=dev && \
+    node_modules/.bin/tsc --version && \
+    npm run build

 # Stage 2: Build Go binary
 FROM golang:1.25-alpine AS builder

+# Proxy propagation (M-4, Issue #9) — see Stage 1 rationale.
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG NO_PROXY=
+ENV HTTP_PROXY=${HTTP_PROXY} \
+    HTTPS_PROXY=${HTTPS_PROXY} \
+    NO_PROXY=${NO_PROXY} \
+    http_proxy=${HTTP_PROXY} \
+    https_proxy=${HTTPS_PROXY} \
+    no_proxy=${NO_PROXY}
+
 RUN apk add --no-cache git ca-certificates tzdata

 WORKDIR /app
@@ -2,6 +2,22 @@
 # Stage 1: Build
 FROM golang:1.25-alpine AS builder

+# Proxy propagation (M-4, Issue #9) — defaulted to empty so un-proxied builds
+# behave identically to the pre-fix tree. When `HTTP_PROXY`/`HTTPS_PROXY`/
+# `NO_PROXY` are forwarded via `docker build --build-arg` (or compose
+# `build.args`), they are re-exported as ENV with both upper- and lower-case
+# names because apk and curl read the lowercase variants while Go reads the
+# uppercase ones.
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG NO_PROXY=
+ENV HTTP_PROXY=${HTTP_PROXY} \
+    HTTPS_PROXY=${HTTPS_PROXY} \
+    NO_PROXY=${NO_PROXY} \
+    http_proxy=${HTTP_PROXY} \
+    https_proxy=${HTTPS_PROXY} \
+    no_proxy=${NO_PROXY}
+
 RUN apk add --no-cache git ca-certificates

 WORKDIR /app
@@ -36,6 +36,10 @@ gantt
        47 days                :crit, 2020-01-01, 47d
 ```

+> **Actively maintained — shipping weekly.** Found something? [Open a GitHub issue](https://github.com/shankar0123/certctl/issues) — issues get triaged same-day. CI runs the full test suite with race detection, static analysis, and vulnerability scanning on every commit.
+
+**Ready to try it?** Jump to the [Quick Start](#quick-start) — you'll have a running dashboard in under 5 minutes.
+
 ## Documentation

 | Guide | Description |
@@ -145,10 +149,6 @@ All connectors are pluggable — build your own by implementing the [connector i

 **[See all screenshots →](docs/screenshots/)**

-> **Actively maintained — shipping weekly.** Found something? [Open a GitHub issue](https://github.com/shankar0123/certctl/issues) — issues get triaged same-day. CI runs the full test suite with race detection, static analysis, and vulnerability scanning on every commit.
-
-**Ready to try it?** Jump to the [Quick Start](#quick-start) — you'll have a running dashboard in under 5 minutes.
-
 ## Why certctl

 Certificate lifecycle tooling falls into two camps: enterprise platforms (Venafi, Keyfactor) that cost six figures and take months to deploy, or single-purpose tools (certbot, cert-manager) that handle one slice of the problem. certctl fills the gap — full lifecycle automation, self-hosted, free, CA-agnostic, and target-agnostic. If you're running certbot cron jobs, manually renewing certs, or stitching together scripts across mixed infrastructure, certctl replaces all of that.
@@ -237,6 +237,72 @@ docker pull shankar0123.docker.scarf.sh/certctl-server
 docker pull shankar0123.docker.scarf.sh/certctl-agent
 ```

+## Verifying this release
+
+Every `v*` tag publishes signed, attested release artefacts. Binaries
+(`certctl-agent`, `certctl-server`, `certctl-cli`, `certctl-mcp-server` for
+`linux|darwin × amd64|arm64`) ship alongside a `checksums.txt`, per-binary
+SPDX-JSON SBOMs, Cosign signatures, and SLSA Level 3 provenance. Container
+images on `ghcr.io/shankar0123/certctl-{server,agent}` are built with
+`docker/build-push-action` `provenance: mode=max` + `sbom: true` and are
+additionally signed with Cosign at the image digest.
+
+All signatures use Cosign keyless OIDC; the signing identity is the
+release workflow running on a signed tag.
+
+**1. Verify SHA-256 checksums:**
+
+```bash
+sha256sum -c checksums.txt
+```
+
+**2. Verify the Cosign signature on `checksums.txt`:**
+
+```bash
+cosign verify-blob \
+  --certificate checksums.txt.pem \
+  --signature checksums.txt.sig \
+  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
+  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+  checksums.txt
+```
+
+Every individual binary has its own `.sig` + `.pem` sidecar; swap
+`checksums.txt` for any binary name to verify it directly.
+
+**3. Verify SLSA Level 3 provenance on a binary:**
+
+```bash
+slsa-verifier verify-artifact \
+  --provenance-path multiple.intoto.jsonl \
+  --source-uri github.com/shankar0123/certctl \
+  --source-tag v2.1.0 \
+  certctl-agent-linux-amd64
+```
+
+**4. Verify a container image signature and its SBOM / provenance attestations:**
+
+```bash
+IMAGE=ghcr.io/shankar0123/certctl-server:v2.1.0
+
+cosign verify \
+  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
+  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+  "$IMAGE"
+
+# SBOM attestation (SPDX-JSON, emitted by docker/build-push-action)
+cosign verify-attestation --type spdxjson \
+  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
+  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+  "$IMAGE"
+
+# SLSA provenance attestation (docker/build-push-action `provenance: mode=max`)
+cosign verify-attestation --type slsaprovenance \
+  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
+  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+  "$IMAGE"
+```
+
 ## Examples

 Pick the scenario closest to your setup and have it running in 2 minutes.
@@ -320,7 +386,7 @@ Core lifecycle management — Local CA + ACME v2 issuers, NGINX target connector
 30+ milestones shipping enterprise-grade features for free. Sub-CA mode, ACME DNS-01/DNS-PERSIST-01/EAB/ARI (RFC 9773)/profile selection, step-ca, Vault PKI, DigiCert CertCentral, Sectigo SCM, Google CAS, AWS ACM PCA, Entrust, GlobalSign, EJBCA, OpenSSL/Custom CA issuers. NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS (WinRM), F5 BIG-IP, SSH, Windows Certificate Store, Java Keystore, Kubernetes Secrets targets. EST server (RFC 7030) and SCEP server (RFC 8894) enrollment protocols. RFC 5280 revocation with DER CRL + embedded OCSP responder. Certificate profiles, ownership tracking, team assignment, agent groups, interactive approval workflows. Filesystem, network, and cloud secret manager (AWS SM, Azure KV, GCP SM) certificate discovery with triage GUI. Dynamic issuer/target configuration via GUI with AES-256-GCM encrypted storage. First-run onboarding wizard. Post-deployment TLS verification. Certificate export (PEM/PKCS#12). S/MIME support. Prometheus metrics. Scheduled certificate digest emails. Slack, Teams, PagerDuty, OpsGenie, SMTP notifications. MCP server (80 tools), CLI (12 commands), Helm chart. Compliance mapping (SOC 2, PCI-DSS 4.0, NIST SP 800-57). 5 turnkey deployment examples. Agent install script. Migration guides from certbot, acme.sh, and cert-manager. See the [Feature Inventory](docs/features.md) for details.

 ### V3: certctl Pro
-Team access controls and identity provider integration. Role-based access control with profile-gating. Event-driven architecture with real-time operational views. Advanced search, compliance scoring, and HSM/TPM integration.
+Enterprise capabilities for larger deployments are available in the commercial tier.

 ### V4+: Cloud & Scale
 Kubernetes cert-manager external issuer, cloud infrastructure targets, extended CA support, and platform-scale features.
@@ -66,6 +66,12 @@ tags:
    description: Continuous TLS endpoint health checks with status tracking and probe history
  - name: Digest
    description: Scheduled certificate digest email notifications
+  - name: Verification
+    description: Post-deployment TLS endpoint fingerprint verification
+  - name: EST
+    description: Enrollment over Secure Transport (RFC 7030)
+  - name: SCEP
+    description: Simple Certificate Enrollment Protocol (RFC 8894)

 paths:
  # ─── Health & Auth ───────────────────────────────────────────────────
@@ -816,6 +822,28 @@ paths:
        "500":
          $ref: "#/components/responses/InternalError"

+  /api/v1/targets/{id}/test:
+    post:
+      tags: [Targets]
+      summary: Test target connection
+      description: |
+        Checks target connectivity by verifying the assigned agent's heartbeat status
+        (agent reported within the last 5 minutes). Always returns HTTP 200 — the
+        connectivity result is reflected in the response body's `status` field
+        (`success` when the agent is reachable, `failed` otherwise).
+      operationId: testTargetConnection
+      parameters:
+        - $ref: "#/components/parameters/resourceId"
+      responses:
+        "200":
+          description: Connection test result (success or failed in body)
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/StatusMessageResponse"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+
  # ─── Agents ──────────────────────────────────────────────────────────
  /api/v1/agents:
    get:
@@ -1177,6 +1205,66 @@ paths:
        "500":
          $ref: "#/components/responses/InternalError"

+  /api/v1/jobs/{id}/verify:
+    post:
+      tags: [Verification]
+      summary: Record post-deployment verification result
+      description: |
+        Agents submit the result of probing a deployed certificate's live TLS endpoint.
+        Compares the served certificate's SHA-256 fingerprint against the expected
+        fingerprint. Best-effort: failures are recorded on the job but do not roll
+        back the deployment.
+      operationId: verifyDeployment
+      parameters:
+        - $ref: "#/components/parameters/resourceId"
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/VerifyDeploymentRequest"
+      responses:
+        "200":
+          description: Verification result recorded
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  job_id:
+                    type: string
+                  verified:
+                    type: boolean
+                  verified_at:
+                    type: string
+                    format: date-time
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "500":
+          $ref: "#/components/responses/InternalError"
+
+  /api/v1/jobs/{id}/verification:
+    get:
+      tags: [Verification]
+      summary: Get post-deployment verification status
+      description: |
+        Returns the stored verification result for a deployment job — expected
+        and observed SHA-256 fingerprints, verified flag, and timestamp.
+      operationId: getJobVerification
+      parameters:
+        - $ref: "#/components/parameters/resourceId"
+      responses:
+        "200":
+          description: Verification result for the job
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/VerificationResult"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "500":
+          $ref: "#/components/responses/InternalError"
+
  # ─── Policies ────────────────────────────────────────────────────────
  /api/v1/policies:
    get:
@@ -2718,6 +2806,238 @@ paths:
        "500":
          $ref: "#/components/responses/InternalError"

+  # ─── EST (RFC 7030) ────────────────────────────────────────────────
+  /.well-known/est/cacerts:
+    get:
+      tags: [EST]
+      summary: EST CA certificates distribution
+      description: |
+        Returns the CA certificate chain used to verify certctl-issued certificates.
+        Response is a base64-encoded degenerate PKCS#7 SignedData (certs-only) per
+        RFC 7030 §4.1.3.
+      operationId: estCACerts
+      security: []
+      responses:
+        "200":
+          description: Base64-encoded PKCS#7 certs-only structure
+          headers:
+            Content-Transfer-Encoding:
+              schema:
+                type: string
+                example: base64
+          content:
+            application/pkcs7-mime:
+              schema:
+                type: string
+                format: byte
+                description: "Base64-encoded PKCS#7 (smime-type=certs-only)"
+        "500":
+          $ref: "#/components/responses/InternalError"
+
+  /.well-known/est/simpleenroll:
+    post:
+      tags: [EST]
+      summary: EST simple enrollment
+      description: |
+        Enrolls a new certificate from a PKCS#10 CSR per RFC 7030 §4.2.1.
+        The CSR MAY be supplied as base64-encoded DER (EST standard wire format)
+        or as PEM for convenience. Returns a base64-encoded PKCS#7 certs-only
+        structure containing the issued certificate.
+      operationId: estSimpleEnroll
+      security: []
+      requestBody:
+        required: true
+        description: "Base64-encoded DER PKCS#10 CSR, or PEM-encoded CSR"
+        content:
+          application/pkcs10:
+            schema:
+              type: string
+              format: byte
+      responses:
+        "200":
+          description: Base64-encoded PKCS#7 cert-only response with issued certificate
+          headers:
+            Content-Transfer-Encoding:
+              schema:
+                type: string
+                example: base64
+          content:
+            application/pkcs7-mime:
+              schema:
+                type: string
+                format: byte
+                description: "Base64-encoded PKCS#7 (smime-type=certs-only)"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "405":
+          description: Method not allowed (only POST accepted)
+        "500":
+          $ref: "#/components/responses/InternalError"
+
+  /.well-known/est/simplereenroll:
+    post:
+      tags: [EST]
+      summary: EST simple re-enrollment
+      description: |
+        Re-enrolls an existing certificate (same as simpleenroll in certctl's
+        implementation — re-enrollment is treated as a fresh issuance) per
+        RFC 7030 §4.2.2.
+      operationId: estSimpleReEnroll
+      security: []
+      requestBody:
+        required: true
+        description: "Base64-encoded DER PKCS#10 CSR, or PEM-encoded CSR"
+        content:
+          application/pkcs10:
+            schema:
+              type: string
+              format: byte
+      responses:
+        "200":
+          description: Base64-encoded PKCS#7 cert-only response with re-issued certificate
+          headers:
+            Content-Transfer-Encoding:
+              schema:
+                type: string
+                example: base64
+          content:
+            application/pkcs7-mime:
+              schema:
+                type: string
+                format: byte
+                description: "Base64-encoded PKCS#7 (smime-type=certs-only)"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "405":
+          description: Method not allowed (only POST accepted)
+        "500":
+          $ref: "#/components/responses/InternalError"
+
+  /.well-known/est/csrattrs:
+    get:
+      tags: [EST]
+      summary: EST CSR attributes
+      description: |
+        Returns attributes the EST client should include in its CSR per
+        RFC 7030 §4.5. certctl currently returns an empty attribute set
+        (HTTP 204) — profile-based constraints are enforced server-side
+        during enrollment rather than advertised here.
+      operationId: estCSRAttrs
+      security: []
+      responses:
+        "200":
+          description: Base64-encoded CsrAttrs (when non-empty)
+          headers:
+            Content-Transfer-Encoding:
+              schema:
+                type: string
+                example: base64
+          content:
+            application/csrattrs:
+              schema:
+                type: string
+                format: byte
+        "204":
+          description: No CSR attributes defined (empty response)
+        "500":
+          $ref: "#/components/responses/InternalError"
+
+  # ─── SCEP (RFC 8894) ──────────────────────────────────────────────
+  /scep:
+    get:
+      tags: [SCEP]
+      summary: SCEP operation dispatch (GET)
+      description: |
+        Single SCEP entry point dispatched by the `operation` query parameter
+        per RFC 8894. GET is used for capability discovery (`GetCACaps`) and
+        CA certificate retrieval (`GetCACert`).
+      operationId: scepGet
+      security: []
+      parameters:
+        - name: operation
+          in: query
+          required: true
+          schema:
+            type: string
+            enum: [GetCACaps, GetCACert, PKIOperation]
+          description: SCEP operation selector
+        - name: message
+          in: query
+          required: false
+          schema:
+            type: string
+          description: Optional SCEP message parameter (base64-encoded for GET PKIOperation)
+      responses:
+        "200":
+          description: |
+            Success. Content-Type varies by operation:
+            - `GetCACaps` → `text/plain` capability list
+            - `GetCACert` (single cert) → `application/x-x509-ca-cert` (raw DER)
+            - `GetCACert` (chain) → `application/x-x509-ca-ra-cert` (PKCS#7)
+            - `PKIOperation` → `application/x-pki-message` (PKCS#7 SignedData)
+          content:
+            text/plain:
+              schema:
+                type: string
+                description: "SCEP capabilities (GetCACaps only)"
+            application/x-x509-ca-cert:
+              schema:
+                type: string
+                format: binary
+                description: "CA certificate DER (GetCACert single)"
+            application/x-x509-ca-ra-cert:
+              schema:
+                type: string
+                format: binary
+                description: "CA chain PKCS#7 (GetCACert chain)"
+            application/x-pki-message:
+              schema:
+                type: string
+                format: binary
+                description: "PKCS#7 SignedData response (PKIOperation)"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "500":
+          $ref: "#/components/responses/InternalError"
+    post:
+      tags: [SCEP]
+      summary: SCEP PKIOperation (POST)
+      description: |
+        SCEP enrollment / renewal / revocation request per RFC 8894.
+        Request body is a PKCS#7 SignedData envelope wrapping the PKCS#10 CSR
+        or a degenerate raw CSR (fallback). The challenge password in the CSR
+        attributes is validated against `CERTCTL_SCEP_CHALLENGE_PASSWORD` when
+        configured.
+      operationId: scepPost
+      security: []
+      parameters:
+        - name: operation
+          in: query
+          required: true
+          schema:
+            type: string
+            enum: [PKIOperation]
+      requestBody:
+        required: true
+        description: PKCS#7 SignedData envelope wrapping a PKCS#10 CSR (or raw CSR as fallback)
+        content:
+          application/x-pki-message:
+            schema:
+              type: string
+              format: binary
+      responses:
+        "200":
+          description: PKCS#7 SignedData PKIMessage response
+          content:
+            application/x-pki-message:
+              schema:
+                type: string
+                format: binary
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "500":
+          $ref: "#/components/responses/InternalError"
+
 # ═══════════════════════════════════════════════════════════════════════
 components:
  securitySchemes:
@@ -3805,3 +4125,47 @@ components:
          type: string
          format: date-time
          description: Timestamp of this probe
+
+    # ─── Verification (M25) ──────────────────────────────────────────
+    VerifyDeploymentRequest:
+      type: object
+      required: [target_id, expected_fingerprint, actual_fingerprint, verified]
+      properties:
+        target_id:
+          type: string
+          description: Deployment target the agent probed
+        expected_fingerprint:
+          type: string
+          description: SHA-256 fingerprint of the certificate that should be served (hex, lowercase)
+        actual_fingerprint:
+          type: string
+          description: SHA-256 fingerprint observed on the live TLS endpoint (hex, lowercase)
+        verified:
+          type: boolean
+          description: True when expected and actual fingerprints match
+        error:
+          type: string
+          nullable: true
+          description: Error message when probe failed or fingerprints differ
+
+    VerificationResult:
+      type: object
+      properties:
+        job_id:
+          type: string
+        target_id:
+          type: string
+        expected_fingerprint:
+          type: string
+          description: SHA-256 fingerprint (hex) of the certificate deployed by this job
+        actual_fingerprint:
+          type: string
+          description: SHA-256 fingerprint (hex) observed on the live TLS endpoint
+        verified:
+          type: boolean
+        verified_at:
+          type: string
+          format: date-time
+        error:
+          type: string
+          description: Error message when verification failed
@@ -16,7 +16,6 @@ import (
 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/api/router"
 	"github.com/shankar0123/certctl/internal/config"
-	"github.com/shankar0123/certctl/internal/crypto"
 	"github.com/shankar0123/certctl/internal/domain"
 	discoveryawssm "github.com/shankar0123/certctl/internal/connector/discovery/awssm"
 	discoveryazurekv "github.com/shankar0123/certctl/internal/connector/discovery/azurekv"
@@ -82,14 +81,60 @@ func main() {
 	logger.Info("initialized all repositories")

 	// Initialize dynamic issuer registry.
-	// Issuers are loaded from the database (with AES-GCM encrypted config).
+	// Issuers are loaded from the database (with AES-256-GCM encrypted config).
 	// On first boot with an empty database, env var issuers are seeded automatically.
-	var encryptionKey []byte
-	if cfg.Encryption.ConfigEncryptionKey != "" {
-		encryptionKey = crypto.DeriveKey(cfg.Encryption.ConfigEncryptionKey)
-		logger.Info("config encryption enabled (AES-256-GCM)")
+	//
+	// M-8 (CWE-916 / CWE-329): the encryption passphrase is passed as a raw
+	// string into IssuerService / TargetService / IssuerRegistry. Each call to
+	// crypto.EncryptIfKeySet generates a fresh 16-byte PBKDF2 salt and emits a
+	// v2 blob (magic 0x02 || salt || nonce || sealed). Decryption auto-detects
+	// v1 legacy blobs (no magic) and falls back to the fixed v1 salt for
+	// backward compatibility; v1 blobs transparently upgrade to v2 on next
+	// write. DO NOT pre-derive the key here with crypto.DeriveKey — that was
+	// the v1 fixed-salt behaviour that M-8 removes.
+	encryptionKey := cfg.Encryption.ConfigEncryptionKey
+	if encryptionKey != "" {
+		logger.Info("config encryption enabled (AES-256-GCM, per-ciphertext PBKDF2 salt)")
 	} else {
-		logger.Warn("CERTCTL_CONFIG_ENCRYPTION_KEY not set — issuer configs stored in plaintext (not recommended for production)")
+		// C-2 fix: fail closed at startup when database-sourced issuer or target
+		// rows exist without a configured encryption key. Previously the server
+		// would emit a one-line warning and silently persist new GUI-created
+		// configs as plaintext (CWE-311). Refuse to start instead: the operator
+		// must either configure CERTCTL_CONFIG_ENCRYPTION_KEY or remove the
+		// vulnerable rows before the control plane can boot.
+		ctx := context.Background()
+		dbIssuers, ierr := issuerRepo.List(ctx)
+		if ierr != nil {
+			logger.Error("startup check: failed to list issuers", "error", ierr)
+			os.Exit(1)
+		}
+		dbTargets, terr := targetRepo.List(ctx)
+		if terr != nil {
+			logger.Error("startup check: failed to list targets", "error", terr)
+			os.Exit(1)
+		}
+		var dbIssuerCount, dbTargetCount int
+		for _, iss := range dbIssuers {
+			if iss != nil && iss.Source == "database" {
+				dbIssuerCount++
+			}
+		}
+		for _, tgt := range dbTargets {
+			if tgt != nil && tgt.Source == "database" {
+				dbTargetCount++
+			}
+		}
+		if dbIssuerCount > 0 || dbTargetCount > 0 {
+			logger.Error(
+				"startup refused: CERTCTL_CONFIG_ENCRYPTION_KEY is not set but database-sourced configs exist "+
+					"(would expose sensitive fields as plaintext, CWE-311). "+
+					"Set the encryption key or remove the affected rows before restarting.",
+				"database_sourced_issuers", dbIssuerCount,
+				"database_sourced_targets", dbTargetCount,
+			)
+			os.Exit(1)
+		}
+		logger.Warn("CERTCTL_CONFIG_ENCRYPTION_KEY not set — env-seeded issuers will be stored in plaintext; GUI-created issuers and targets will be rejected until a key is configured")
 	}

 	issuerRegistry := service.NewIssuerRegistry(logger)
@@ -208,9 +253,15 @@ func main() {
 			Name:   "Network Scanner (Server-Side)",
 			Status: domain.AgentStatusOnline,
 		}
-		if err := agentRepo.Create(context.Background(), sentinelAgent); err != nil {
-			// Ignore duplicate key errors (agent already exists)
-			logger.Debug("sentinel agent creation", "status", "exists or created", "id", service.SentinelAgentID)
+		// M-6: use CreateIfNotExists so duplicate rows on restart/upgrade are
+		// idempotent without swallowing unrelated DB failures (CWE-662).
+		created, err := agentRepo.CreateIfNotExists(context.Background(), sentinelAgent)
+		if err != nil {
+			logger.Error("sentinel agent creation failed", "id", service.SentinelAgentID, "error", err)
+		} else if created {
+			logger.Info("sentinel agent created", "id", service.SentinelAgentID)
+		} else {
+			logger.Debug("sentinel agent already exists", "id", service.SentinelAgentID)
 		}
 	}

@@ -229,8 +280,14 @@ func main() {
 				Name:   "AWS Secrets Manager Discovery",
 				Status: domain.AgentStatusOnline,
 			}
-			if err := agentRepo.Create(context.Background(), sentinelAWS); err != nil {
-				logger.Debug("sentinel agent creation", "status", "exists or created", "id", service.SentinelAWSSecretsMgr)
+			// M-6: idempotent create (CWE-662).
+			created, err := agentRepo.CreateIfNotExists(context.Background(), sentinelAWS)
+			if err != nil {
+				logger.Error("sentinel agent creation failed", "id", service.SentinelAWSSecretsMgr, "error", err)
+			} else if created {
+				logger.Info("sentinel agent created", "id", service.SentinelAWSSecretsMgr)
+			} else {
+				logger.Debug("sentinel agent already exists", "id", service.SentinelAWSSecretsMgr)
 			}
 		}

@@ -248,8 +305,14 @@ func main() {
 				Name:   "Azure Key Vault Discovery",
 				Status: domain.AgentStatusOnline,
 			}
-			if err := agentRepo.Create(context.Background(), sentinelAzure); err != nil {
-				logger.Debug("sentinel agent creation", "status", "exists or created", "id", service.SentinelAzureKeyVault)
+			// M-6: idempotent create (CWE-662).
+			created, err := agentRepo.CreateIfNotExists(context.Background(), sentinelAzure)
+			if err != nil {
+				logger.Error("sentinel agent creation failed", "id", service.SentinelAzureKeyVault, "error", err)
+			} else if created {
+				logger.Info("sentinel agent created", "id", service.SentinelAzureKeyVault)
+			} else {
+				logger.Debug("sentinel agent already exists", "id", service.SentinelAzureKeyVault)
 			}
 		}

@@ -262,8 +325,14 @@ func main() {
 				Name:   "GCP Secret Manager Discovery",
 				Status: domain.AgentStatusOnline,
 			}
-			if err := agentRepo.Create(context.Background(), sentinelGCP); err != nil {
-				logger.Debug("sentinel agent creation", "status", "exists or created", "id", service.SentinelGCPSecretMgr)
+			// M-6: idempotent create (CWE-662).
+			created, err := agentRepo.CreateIfNotExists(context.Background(), sentinelGCP)
+			if err != nil {
+				logger.Error("sentinel agent creation failed", "id", service.SentinelGCPSecretMgr, "error", err)
+			} else if created {
+				logger.Info("sentinel agent created", "id", service.SentinelGCPSecretMgr)
+			} else {
+				logger.Debug("sentinel agent already exists", "id", service.SentinelGCPSecretMgr)
 			}
 		}

@@ -445,6 +514,24 @@ func main() {

 	// Register SCEP (RFC 8894) handlers if enabled
 	if cfg.SCEP.Enabled {
+		// H-2 fix: fail closed at startup when SCEP is enabled without a
+		// challenge password configured. Previously the service-layer guard
+		// at internal/service/scep.go:72-79 skipped the password check when
+		// s.challengePassword == "", meaning any client that could reach the
+		// /scep endpoint could enroll an arbitrary CSR against the configured
+		// issuer (CWE-306, missing authentication for a critical function).
+		// Refuse to start instead: the operator must set
+		// CERTCTL_SCEP_CHALLENGE_PASSWORD (or disable SCEP) before the control
+		// plane can boot.
+		if err := preflightSCEPChallengePassword(cfg.SCEP.Enabled, cfg.SCEP.ChallengePassword); err != nil {
+			logger.Error(
+				"startup refused: SCEP is enabled but CERTCTL_SCEP_CHALLENGE_PASSWORD is not set "+
+					"(would allow unauthenticated certificate enrollment, CWE-306). "+
+					"Set a non-empty challenge password or disable SCEP before restarting.",
+				"error", err,
+			)
+			os.Exit(1)
+		}
 		issuerConn, ok := issuerRegistry.Get(cfg.SCEP.IssuerID)
 		if !ok {
 			logger.Error("SCEP issuer not found in registry", "issuer_id", cfg.SCEP.IssuerID)
@@ -502,7 +589,7 @@ func main() {
 		bodyLimitMiddleware,
 		corsMiddleware,
 		authMiddleware,
-		auditMiddleware,
+		auditMiddleware.Middleware,
 	}

 	// Add rate limiter if enabled
@@ -519,7 +606,7 @@ func main() {
 			rateLimiter,
 			corsMiddleware,
 			authMiddleware,
-			auditMiddleware,
+			auditMiddleware.Middleware,
 		}
 		logger.Info("rate limiting enabled", "rps", cfg.RateLimit.RPS, "burst", cfg.RateLimit.BurstSize)
 	}
@@ -637,6 +724,17 @@ func main() {
 		logger.Error("HTTP server shutdown error", "error", err)
 	}

+	// Drain in-flight audit-recording goroutines before closing the DB pool.
+	// The audit middleware spawns one goroutine per non-excluded request; those
+	// goroutines run detached from the request context and write to the
+	// audit_events table via the same *sql.DB. Without this drain, SIGTERM
+	// would close the DB pool while recordings were mid-flight, silently
+	// dropping audit events (M-1, CWE-662 / CWE-400).
+	logger.Info("flushing audit middleware in-flight recordings")
+	if err := auditMiddleware.Flush(shutdownCtx); err != nil {
+		logger.Warn("audit middleware flush did not complete in time", "error", err)
+	}
+
 	// Close database connection
 	if err := db.Close(); err != nil {
 		logger.Error("error closing database connection", "error", err)
@@ -645,3 +743,23 @@ func main() {
 	logger.Info("certctl server stopped")
 }

+// preflightSCEPChallengePassword enforces the H-2 fix: if SCEP is enabled, a
+// non-empty challenge password MUST be configured. Returns a non-nil error
+// otherwise so the caller can refuse to start the control plane (CWE-306,
+// missing authentication for a critical function).
+//
+// This helper is extracted so the check can be unit tested without booting
+// the full server. The caller (main) is responsible for translating the
+// returned error into a structured log line and os.Exit(1).
+func preflightSCEPChallengePassword(enabled bool, challengePassword string) error {
+	if !enabled {
+		return nil
+	}
+	if challengePassword == "" {
+		return fmt.Errorf("SCEP enabled but CERTCTL_SCEP_CHALLENGE_PASSWORD is empty: " +
+			"SCEP enrollment would accept any client (CWE-306); " +
+			"configure a non-empty shared secret or set CERTCTL_SCEP_ENABLED=false")
+	}
+	return nil
+}
+
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
+	"strings"
 	"testing"

 	"github.com/shankar0123/certctl/internal/api/middleware"
@@ -538,3 +539,68 @@ func TestMain_ContextPropagation(t *testing.T) {
 		t.Logf("Context value may not be propagated (status %d), this may be expected", w.Code)
 	}
 }
+
+// TestPreflightSCEPChallengePassword is the H-2 regression guard for the
+// startup pre-flight check. The helper MUST return a non-nil error whenever
+// SCEP is enabled with an empty challenge password — that configuration
+// previously allowed unauthenticated certificate enrollment (CWE-306).
+// Disabled-SCEP and configured-password cases must pass cleanly.
+func TestPreflightSCEPChallengePassword(t *testing.T) {
+	tests := []struct {
+		name              string
+		enabled           bool
+		challengePassword string
+		wantErr           bool
+		wantErrSubstring  string
+	}{
+		{
+			name:              "disabled_empty_password_ok",
+			enabled:           false,
+			challengePassword: "",
+			wantErr:           false,
+		},
+		{
+			name:              "disabled_with_password_ok",
+			enabled:           false,
+			challengePassword: "leftover-value",
+			wantErr:           false,
+		},
+		{
+			name:              "enabled_empty_password_rejected",
+			enabled:           true,
+			challengePassword: "",
+			wantErr:           true,
+			wantErrSubstring:  "CERTCTL_SCEP_CHALLENGE_PASSWORD",
+		},
+		{
+			name:              "enabled_with_password_ok",
+			enabled:           true,
+			challengePassword: "hunter2",
+			wantErr:           false,
+		},
+		{
+			name:              "enabled_single_char_password_ok",
+			enabled:           true,
+			challengePassword: "x",
+			wantErr:           false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := preflightSCEPChallengePassword(tt.enabled, tt.challengePassword)
+			if tt.wantErr {
+				if err == nil {
+					t.Fatalf("expected error, got nil")
+				}
+				if tt.wantErrSubstring != "" && !strings.Contains(err.Error(), tt.wantErrSubstring) {
+					t.Errorf("expected error to mention %q, got: %v", tt.wantErrSubstring, err)
+				}
+				if !strings.Contains(err.Error(), "CWE-306") {
+					t.Errorf("expected error to cite CWE-306 for traceability, got: %v", err)
+				}
+			} else if err != nil {
+				t.Errorf("expected no error, got: %v", err)
+			}
+		})
+	}
+}
@@ -9,6 +9,16 @@ services:
    build:
      context: ..
      dockerfile: Dockerfile
+      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+      # vars into the Docker build so the Node frontend stage and Go module
+      # download can reach the public registries behind corporate proxies.
+      # Defaults to empty; omit the variables from the host environment for
+      # un-proxied builds and the behaviour is byte-identical to the pre-fix
+      # tree.
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-}
    environment:
      # Verbose logging for development
      CERTCTL_LOG_LEVEL: debug
@@ -29,6 +39,15 @@ services:
    build:
      context: ..
      dockerfile: Dockerfile.agent
+      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+      # vars into the Docker build so the Go module download stage can reach
+      # the public Go module proxy behind corporate proxies. Defaults to
+      # empty; omit the variables from the host environment for un-proxied
+      # builds and the behaviour is byte-identical to the pre-fix tree.
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-}
    environment:
      CERTCTL_LOG_LEVEL: debug

@@ -150,6 +150,16 @@ services:
    build:
      context: ..
      dockerfile: Dockerfile
+      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+      # vars into the Docker build so the Node frontend stage and Go module
+      # download can reach the public registries behind corporate proxies.
+      # Defaults to empty; omit the variables from the host environment for
+      # un-proxied builds and the behaviour is byte-identical to the pre-fix
+      # tree.
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-}
    container_name: certctl-test-server
    depends_on:
      postgres:
@@ -266,6 +276,15 @@ services:
    build:
      context: ..
      dockerfile: Dockerfile.agent
+      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+      # vars into the Docker build so the Go module download stage can reach
+      # the public Go module proxy behind corporate proxies. Defaults to
+      # empty; omit the variables from the host environment for un-proxied
+      # builds and the behaviour is byte-identical to the pre-fix tree.
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-}
    container_name: certctl-test-agent
    depends_on:
      certctl-server:
@@ -36,6 +36,16 @@ services:
    build:
      context: ..
      dockerfile: Dockerfile
+      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+      # vars into the Docker build so the Node frontend stage and Go module
+      # download can reach the public registries behind corporate proxies.
+      # Defaults to empty; omit the variables from the host environment for
+      # un-proxied builds and the behaviour is byte-identical to the pre-fix
+      # tree.
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-}
    container_name: certctl-server
    depends_on:
      postgres:
@@ -75,6 +85,15 @@ services:
    build:
      context: ..
      dockerfile: Dockerfile.agent
+      # Proxy propagation (M-4, Issue #9) — forwards host shell's proxy env
+      # vars into the Docker build so the Go module download stage can reach
+      # the public Go module proxy behind corporate proxies. Defaults to
+      # empty; omit the variables from the host environment for un-proxied
+      # builds and the behaviour is byte-identical to the pre-fix tree.
+      args:
+        HTTP_PROXY: ${HTTP_PROXY:-}
+        HTTPS_PROXY: ${HTTPS_PROXY:-}
+        NO_PROXY: ${NO_PROXY:-}
    container_name: certctl-agent
    depends_on:
      certctl-server:
@@ -458,4 +458,4 @@ For issues, questions, or contributions:
 ## License

 BSL-1.1 (Business Source License)
-Converts to Apache 2.0 on March 28, 2033
+Converts to Apache 2.0 on March 14, 2033
@@ -808,6 +808,34 @@ All shell-facing inputs (connector scripts, domain names, ACME tokens) are valid

 All incoming HTTP request bodies are capped by `http.MaxBytesReader` middleware (default 1MB, configurable via `CERTCTL_MAX_BODY_SIZE`). Requests exceeding the limit receive a 413 Request Entity Too Large response. The middleware is positioned before authentication in the chain so oversized payloads are rejected early, before any auth processing or database work occurs. Requests without bodies (GET, HEAD, nil body) skip the limit check.

+### Config Encryption at Rest
+
+Dynamic issuer and target configurations (rows with `source='database'`) contain credentials — ACME EAB HMACs, Vault tokens, DigiCert/Sectigo API keys, SSH private keys, WinRM passwords, F5 BIG-IP passwords, and similar. These are sealed at rest in PostgreSQL via `internal/crypto/encryption.go` using AES-256-GCM with a key derived from the operator passphrase `CERTCTL_CONFIG_ENCRYPTION_KEY` through PBKDF2-SHA256 (100,000 rounds, 32-byte output).
+
+**v2 wire format (current, M-8 remediation, CWE-916 / CWE-329):**
+
+```
+magic(0x02) || salt(16) || nonce(12) || ciphertext+tag
+```
+
+Every call to `EncryptIfKeySet` draws 16 fresh bytes from `crypto/rand` as the PBKDF2 salt, so the derived AES-256 key is distinct per ciphertext and per re-encryption. The salt is stored alongside the ciphertext; decryption reads the magic byte, splits out the salt, re-derives the key, and verifies the AEAD tag.
+
+**v1 legacy format (read-only):**
+
+```
+nonce(12) || ciphertext+tag
+```
+
+Pre-M-8 blobs were sealed with a package-level fixed salt `"certctl-config-encryption-v1"`. `DecryptIfKeySet` preserves the v1 read path unchanged — a blob whose first byte is not `0x02`, or whose v2 AEAD verification fails (including the 1/256 case where a v1 nonce happens to begin with `0x02`), falls through to a v1 attempt against the legacy fixed salt. v1 blobs are never written by the post-M-8 code path; they re-seal as v2 naturally on the next UPDATE through the normal service CRUD flow. No operator migration ceremony is required.
+
+**Fail-closed behavior (C-2 sentinel, CWE-311):** both `EncryptIfKeySet` and `DecryptIfKeySet` return `ErrEncryptionKeyRequired` when invoked with an empty passphrase. The server refuses to start if any `source='database'` rows already exist without `CERTCTL_CONFIG_ENCRYPTION_KEY` set.
+
+**Low-level primitives preserved byte-identical.** `Encrypt`, `Decrypt`, and `DeriveKey` are kept bit-stable so v1 fixtures on disk remain decryptable unchanged and so callers outside the config-encryption path (none today, but the symbols are exported) do not see a breaking change. The new per-ciphertext salt path is reached via the helper `deriveKeyWithSalt(passphrase, salt)`.
+
+**Passphrase plumbing.** Services (`IssuerService`, `TargetService`, `IssuerRegistry`) hold the operator passphrase as a raw `string` and delegate PBKDF2 to the crypto package per ciphertext. This replaces the pre-M-8 design that pre-derived a single `[]byte` key at service construction and reused it for every row, which was the direct consequence of the fixed-salt KDF.
+
+**Coverage gate.** CI enforces `internal/crypto/...` coverage ≥ 85% (observed 86.7%) — the encryption primitives are a security-critical gate, and the v2 format plus v1 fallback plus C-2 sentinel paths all need exhaustive coverage to avoid silent regressions.
+
 ### CORS

 CORS uses a **deny-by-default** posture: when `CERTCTL_CORS_ORIGINS` is empty, no CORS headers are set and only same-origin requests can read responses. Operators must explicitly configure allowed origins. This prevents accidental exposure of the API to cross-origin requests in production.
@@ -465,9 +465,12 @@ GlobalSign Atlas High Volume CA REST API with dual authentication: mTLS for the
 | `CERTCTL_GLOBALSIGN_API_SECRET` | Yes | — | API secret for request authentication |
 | `CERTCTL_GLOBALSIGN_CLIENT_CERT_PATH` | Yes | — | Path to mTLS client certificate PEM |
 | `CERTCTL_GLOBALSIGN_CLIENT_KEY_PATH` | Yes | — | Path to mTLS client private key PEM |
+| `CERTCTL_GLOBALSIGN_SERVER_CA_PATH` | No | system trust store | PEM bundle used to verify the Atlas API server certificate. Set this for private/lab Atlas deployments whose server TLS chain is not in the host's default trust bundle. |

 **Authentication:** Dual — mTLS client certificate for TLS handshake plus `X-API-Key` and `X-API-Secret` headers on every request.

+**TLS verification:** The connector always verifies the server certificate. When `server_ca_path` is set, the PEM bundle at that path is used as the trust anchor; otherwise the host's system trust store is used. TLS 1.2 is the minimum protocol version.
+
 **Issuance model:** `POST /v2/certificates` returns a serial number. Certificate PEM is available after validation completes. Typically resolves within seconds for DV. `GetOrderStatus` polls the certificate endpoint.

 **Note:** CRL and OCSP are managed by GlobalSign. certctl records revocations locally and notifies GlobalSign via `PUT /v2/certificates/{serial}/revoke`.
@@ -114,6 +114,6 @@ See the [Quickstart Guide](quickstart.md) for a full walkthrough, or explore the

 ## License

-certctl is source-available under the [Business Source License 1.1](../LICENSE). Free for any use except offering a competing managed service. Converts to Apache 2.0 on March 1, 2033.
+certctl is source-available under the [Business Source License 1.1](../LICENSE). Free for any use except offering a competing managed service. Converts to Apache 2.0 on March 14, 2033.

 You own your data, your keys, and your deployment.
@@ -27,6 +27,7 @@ package handler

 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -120,7 +121,7 @@ func TestGetCertificate_PathInjection(t *testing.T) {
 			handler, mock := newCertHandlerWithMock()
 			// Force a 404 so we can distinguish "service was called" from
 			// "parser accepted the ID"; a 200 with null body is also fine.
-			mock.GetCertificateFn = func(id string) (*domain.ManagedCertificate, error) {
+			mock.GetCertificateFn = func(_ context.Context, id string) (*domain.ManagedCertificate, error) {
 				return nil, ErrMockNotFound
 			}

@@ -156,7 +157,7 @@ func TestUpdateCertificate_PathInjection(t *testing.T) {
 			}()

 			handler, mock := newCertHandlerWithMock()
-			mock.UpdateCertificateFn = func(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+			mock.UpdateCertificateFn = func(_ context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 				return nil, ErrMockNotFound
 			}

@@ -184,7 +185,7 @@ func TestArchiveCertificate_PathInjection(t *testing.T) {
 			}()

 			handler, mock := newCertHandlerWithMock()
-			mock.ArchiveCertificateFn = func(id string) error { return ErrMockNotFound }
+			mock.ArchiveCertificateFn = func(_ context.Context, id string) error { return ErrMockNotFound }

 			req := httptest.NewRequest(http.MethodDelete, "/api/v1/certificates/x", nil)
 			req.URL.Path = "/api/v1/certificates/" + tc.input
@@ -227,7 +228,7 @@ func TestGetCertificateVersions_MultiSegment(t *testing.T) {
 			}()

 			handler, mock := newCertHandlerWithMock()
-			mock.GetCertificateVersionsFn = func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+			mock.GetCertificateVersionsFn = func(_ context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 				return []domain.CertificateVersion{}, 0, nil
 			}

@@ -277,7 +278,7 @@ func TestHandleOCSP_MultiSegment(t *testing.T) {
 			}()

 			handler, mock := newCertHandlerWithMock()
-			mock.GetOCSPResponseFn = func(issuerID, serialHex string) ([]byte, error) {
+			mock.GetOCSPResponseFn = func(_ context.Context, issuerID, serialHex string) ([]byte, error) {
 				return nil, ErrMockNotFound
 			}

@@ -311,7 +312,7 @@ func TestGetDERCRL_IssuerPathInjection(t *testing.T) {
 			}()

 			handler, mock := newCertHandlerWithMock()
-			mock.GenerateDERCRLFn = func(issuerID string) ([]byte, error) {
+			mock.GenerateDERCRLFn = func(_ context.Context, issuerID string) ([]byte, error) {
 				return nil, ErrMockNotFound
 			}

@@ -19,6 +19,7 @@ package handler

 import (
 	"bytes"
+	"context"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@@ -76,7 +77,7 @@ func TestListCertificates_PaginationAbuse(t *testing.T) {
 			}()

 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				// Sanity: page/perPage on the filter must never be negative
 				// and perPage must never exceed 500 after parsing.
 				if filter.Page < 1 {
@@ -133,7 +134,7 @@ func TestListCertificates_SortAbuse(t *testing.T) {
 			}()

 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				return []domain.ManagedCertificate{}, 0, nil
 			}

@@ -175,7 +176,7 @@ func TestListCertificates_FieldsAbuse(t *testing.T) {
 			}()

 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				return []domain.ManagedCertificate{}, 0, nil
 			}

@@ -219,7 +220,7 @@ func TestListCertificates_TimeRangeAbuse(t *testing.T) {
 			}()

 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				return []domain.ManagedCertificate{}, 0, nil
 			}

@@ -263,7 +264,7 @@ func TestListCertificates_CursorAbuse(t *testing.T) {
 			}()

 			handler, mock := newCertHandlerWithMock()
-			mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+			mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 				return []domain.ManagedCertificate{}, 0, nil
 			}

@@ -314,7 +315,7 @@ func TestListCertificates_FilterInjection(t *testing.T) {
 				}()

 				handler, mock := newCertHandlerWithMock()
-				mock.ListCertificatesWithFilterFn = func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+				mock.ListCertificatesWithFilterFn = func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 					return []domain.ManagedCertificate{}, 0, nil
 				}

@@ -374,7 +375,7 @@ func TestCreateCertificate_BodyAbuse(t *testing.T) {
 			}()

 			handler, mock := newCertHandlerWithMock()
-			mock.CreateCertificateFn = func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+			mock.CreateCertificateFn = func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 				// If we ever reach this, the handler accepted a malformed
 				// body. Return a sentinel that passes but flag it.
 				c := cert
@@ -419,7 +420,7 @@ func TestCreateCertificate_HugeBody(t *testing.T) {
 	sb.WriteString(`]}`)

 	handler, mock := newCertHandlerWithMock()
-	mock.CreateCertificateFn = func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+	mock.CreateCertificateFn = func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 		c := cert
 		c.ID = "mc-huge"
 		return &c, nil
@@ -476,7 +477,7 @@ func TestRevokeCertificate_ReasonAbuse(t *testing.T) {
 			handler, mock := newCertHandlerWithMock()
 			// The mock always returns "invalid revocation reason" so we
 			// verify the handler's errMsg→status mapping turns it into a 400.
-			mock.RevokeCertificateFn = func(id string, reason string) error {
+			mock.RevokeCertificateFn = func(_ context.Context, id string, reason string, _ string) error {
 				// The service uses domain.IsValidRevocationReason. If we got
 				// through to here with something bogus, simulate a real
 				// service error.
@@ -500,7 +501,7 @@ func TestRevokeCertificate_ReasonAbuse(t *testing.T) {
 // service error message, which is fragile — this test catches regressions.
 func TestRevokeCertificate_AlreadyRevoked(t *testing.T) {
 	handler, mock := newCertHandlerWithMock()
-	mock.RevokeCertificateFn = func(id string, reason string) error {
+	mock.RevokeCertificateFn = func(_ context.Context, id string, reason string, _ string) error {
 		return fmt.Errorf("cannot revoke: certificate is already revoked")
 	}

@@ -520,7 +521,7 @@ func TestRevokeCertificate_AlreadyRevoked(t *testing.T) {
 // TestRevokeCertificate_NotFound verifies 404 mapping.
 func TestRevokeCertificate_NotFound(t *testing.T) {
 	handler, mock := newCertHandlerWithMock()
-	mock.RevokeCertificateFn = func(id string, reason string) error {
+	mock.RevokeCertificateFn = func(_ context.Context, id string, reason string, _ string) error {
 		return fmt.Errorf("certificate not found")
 	}

@@ -1,6 +1,7 @@
 package handler

 import (
+	"context"
 	"net/http"
 	"strconv"
 	"strings"
@@ -11,8 +12,8 @@ import (

 // AuditService defines the service interface for audit event operations.
 type AuditService interface {
-	ListAuditEvents(page, perPage int) ([]domain.AuditEvent, int64, error)
-	GetAuditEvent(id string) (*domain.AuditEvent, error)
+	ListAuditEvents(ctx context.Context, page, perPage int) ([]domain.AuditEvent, int64, error)
+	GetAuditEvent(ctx context.Context, id string) (*domain.AuditEvent, error)
 }

 // AuditHandler handles HTTP requests for audit event operations.
@@ -49,7 +50,7 @@ func (h AuditHandler) ListAuditEvents(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	events, total, err := h.svc.ListAuditEvents(page, perPage)
+	events, total, err := h.svc.ListAuditEvents(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list audit events", requestID)
 		return
@@ -83,7 +84,7 @@ func (h AuditHandler) GetAuditEvent(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]

-	event, err := h.svc.GetAuditEvent(id)
+	event, err := h.svc.GetAuditEvent(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Audit event not found", requestID)
 		return
@@ -19,14 +19,14 @@ type mockAuditService struct {
 	getFunc   func(id string) (*domain.AuditEvent, error)
 }

-func (m *mockAuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent, int64, error) {
+func (m *mockAuditService) ListAuditEvents(_ context.Context, page, perPage int) ([]domain.AuditEvent, int64, error) {
 	if m.listFunc != nil {
 		return m.listFunc(page, perPage)
 	}
 	return nil, 0, nil
 }

-func (m *mockAuditService) GetAuditEvent(id string) (*domain.AuditEvent, error) {
+func (m *mockAuditService) GetAuditEvent(_ context.Context, id string) (*domain.AuditEvent, error) {
 	if m.getFunc != nil {
 		return m.getFunc(id)
 	}
@@ -17,116 +17,116 @@ import (

 // MockCertificateService is a mock implementation of CertificateService interface.
 type MockCertificateService struct {
-	ListCertificatesFn           func(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
-	ListCertificatesWithFilterFn func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
-	GetCertificateFn             func(id string) (*domain.ManagedCertificate, error)
-	CreateCertificateFn          func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
-	UpdateCertificateFn          func(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
-	ArchiveCertificateFn         func(id string) error
-	GetCertificateVersionsFn     func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
-	TriggerRenewalFn             func(certID string) error
-	TriggerDeploymentFn          func(certID string, targetID string) error
-	RevokeCertificateFn          func(certID string, reason string) error
-	GetRevokedCertificatesFn     func() ([]*domain.CertificateRevocation, error)
-	GenerateDERCRLFn             func(issuerID string) ([]byte, error)
-	GetOCSPResponseFn            func(issuerID string, serialHex string) ([]byte, error)
-	GetCertificateDeploymentsFn  func(certID string) ([]domain.DeploymentTarget, error)
+	ListCertificatesFn           func(ctx context.Context, status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
+	ListCertificatesWithFilterFn func(ctx context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
+	GetCertificateFn             func(ctx context.Context, id string) (*domain.ManagedCertificate, error)
+	CreateCertificateFn          func(ctx context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
+	UpdateCertificateFn          func(ctx context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
+	ArchiveCertificateFn         func(ctx context.Context, id string) error
+	GetCertificateVersionsFn     func(ctx context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
+	TriggerRenewalFn             func(ctx context.Context, certID string, actor string) error
+	TriggerDeploymentFn          func(ctx context.Context, certID string, targetID string, actor string) error
+	RevokeCertificateFn          func(ctx context.Context, certID string, reason string, actor string) error
+	GetRevokedCertificatesFn     func(ctx context.Context) ([]*domain.CertificateRevocation, error)
+	GenerateDERCRLFn             func(ctx context.Context, issuerID string) ([]byte, error)
+	GetOCSPResponseFn            func(ctx context.Context, issuerID string, serialHex string) ([]byte, error)
+	GetCertificateDeploymentsFn  func(ctx context.Context, certID string) ([]domain.DeploymentTarget, error)
 }

-func (m *MockCertificateService) ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
+func (m *MockCertificateService) ListCertificates(ctx context.Context, status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
 	if m.ListCertificatesFn != nil {
-		return m.ListCertificatesFn(status, environment, ownerID, teamID, issuerID, page, perPage)
+		return m.ListCertificatesFn(ctx, status, environment, ownerID, teamID, issuerID, page, perPage)
 	}
 	return nil, 0, nil
 }

-func (m *MockCertificateService) GetCertificate(id string) (*domain.ManagedCertificate, error) {
+func (m *MockCertificateService) GetCertificate(ctx context.Context, id string) (*domain.ManagedCertificate, error) {
 	if m.GetCertificateFn != nil {
-		return m.GetCertificateFn(id)
+		return m.GetCertificateFn(ctx, id)
 	}
 	return nil, nil
 }

-func (m *MockCertificateService) CreateCertificate(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+func (m *MockCertificateService) CreateCertificate(ctx context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 	if m.CreateCertificateFn != nil {
-		return m.CreateCertificateFn(cert)
+		return m.CreateCertificateFn(ctx, cert)
 	}
 	return nil, nil
 }

-func (m *MockCertificateService) UpdateCertificate(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+func (m *MockCertificateService) UpdateCertificate(ctx context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 	if m.UpdateCertificateFn != nil {
-		return m.UpdateCertificateFn(id, cert)
+		return m.UpdateCertificateFn(ctx, id, cert)
 	}
 	return nil, nil
 }

-func (m *MockCertificateService) ArchiveCertificate(id string) error {
+func (m *MockCertificateService) ArchiveCertificate(ctx context.Context, id string) error {
 	if m.ArchiveCertificateFn != nil {
-		return m.ArchiveCertificateFn(id)
+		return m.ArchiveCertificateFn(ctx, id)
 	}
 	return nil
 }

-func (m *MockCertificateService) GetCertificateVersions(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+func (m *MockCertificateService) GetCertificateVersions(ctx context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 	if m.GetCertificateVersionsFn != nil {
-		return m.GetCertificateVersionsFn(certID, page, perPage)
+		return m.GetCertificateVersionsFn(ctx, certID, page, perPage)
 	}
 	return nil, 0, nil
 }

-func (m *MockCertificateService) TriggerRenewal(certID string) error {
+func (m *MockCertificateService) TriggerRenewal(ctx context.Context, certID string, actor string) error {
 	if m.TriggerRenewalFn != nil {
-		return m.TriggerRenewalFn(certID)
+		return m.TriggerRenewalFn(ctx, certID, actor)
 	}
 	return nil
 }

-func (m *MockCertificateService) TriggerDeployment(certID string, targetID string) error {
+func (m *MockCertificateService) TriggerDeployment(ctx context.Context, certID string, targetID string, actor string) error {
 	if m.TriggerDeploymentFn != nil {
-		return m.TriggerDeploymentFn(certID, targetID)
+		return m.TriggerDeploymentFn(ctx, certID, targetID, actor)
 	}
 	return nil
 }

-func (m *MockCertificateService) RevokeCertificate(certID string, reason string) error {
+func (m *MockCertificateService) RevokeCertificate(ctx context.Context, certID string, reason string, actor string) error {
 	if m.RevokeCertificateFn != nil {
-		return m.RevokeCertificateFn(certID, reason)
+		return m.RevokeCertificateFn(ctx, certID, reason, actor)
 	}
 	return nil
 }

-func (m *MockCertificateService) GetRevokedCertificates() ([]*domain.CertificateRevocation, error) {
+func (m *MockCertificateService) GetRevokedCertificates(ctx context.Context) ([]*domain.CertificateRevocation, error) {
 	if m.GetRevokedCertificatesFn != nil {
-		return m.GetRevokedCertificatesFn()
+		return m.GetRevokedCertificatesFn(ctx)
 	}
 	return nil, nil
 }

-func (m *MockCertificateService) GenerateDERCRL(issuerID string) ([]byte, error) {
+func (m *MockCertificateService) GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error) {
 	if m.GenerateDERCRLFn != nil {
-		return m.GenerateDERCRLFn(issuerID)
+		return m.GenerateDERCRLFn(ctx, issuerID)
 	}
 	return nil, nil
 }

-func (m *MockCertificateService) GetOCSPResponse(issuerID string, serialHex string) ([]byte, error) {
+func (m *MockCertificateService) GetOCSPResponse(ctx context.Context, issuerID string, serialHex string) ([]byte, error) {
 	if m.GetOCSPResponseFn != nil {
-		return m.GetOCSPResponseFn(issuerID, serialHex)
+		return m.GetOCSPResponseFn(ctx, issuerID, serialHex)
 	}
 	return nil, nil
 }

-func (m *MockCertificateService) ListCertificatesWithFilter(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+func (m *MockCertificateService) ListCertificatesWithFilter(ctx context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 	if m.ListCertificatesWithFilterFn != nil {
-		return m.ListCertificatesWithFilterFn(filter)
+		return m.ListCertificatesWithFilterFn(ctx, filter)
 	}
 	return nil, 0, nil
 }

-func (m *MockCertificateService) GetCertificateDeployments(certID string) ([]domain.DeploymentTarget, error) {
+func (m *MockCertificateService) GetCertificateDeployments(ctx context.Context, certID string) ([]domain.DeploymentTarget, error) {
 	if m.GetCertificateDeploymentsFn != nil {
-		return m.GetCertificateDeploymentsFn(certID)
+		return m.GetCertificateDeploymentsFn(ctx, certID)
 	}
 	return nil, nil
 }
@@ -158,7 +158,7 @@ func TestListCertificates_Success(t *testing.T) {
 	}

 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.Page == 1 && filter.PerPage == 50 {
 				return []domain.ManagedCertificate{cert1, cert2}, 2, nil
 			}
@@ -197,7 +197,7 @@ func TestListCertificates_Success(t *testing.T) {
 // Test ListCertificates - with filters
 func TestListCertificates_WithFilters(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.Status == "Active" && filter.Environment == "prod" {
 				return []domain.ManagedCertificate{}, 0, nil
 			}
@@ -236,7 +236,7 @@ func TestListCertificates_MethodNotAllowed(t *testing.T) {
 // Test ListCertificates - service error
 func TestListCertificates_ServiceError(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			return nil, 0, ErrMockServiceFailed
 		},
 	}
@@ -266,7 +266,7 @@ func TestGetCertificate_Success(t *testing.T) {
 	}

 	mock := &MockCertificateService{
-		GetCertificateFn: func(id string) (*domain.ManagedCertificate, error) {
+		GetCertificateFn: func(_ context.Context, id string) (*domain.ManagedCertificate, error) {
 			if id == "mc-prod-001" {
 				return cert, nil
 			}
@@ -298,7 +298,7 @@ func TestGetCertificate_Success(t *testing.T) {
 // Test GetCertificate - not found
 func TestGetCertificate_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetCertificateFn: func(id string) (*domain.ManagedCertificate, error) {
+		GetCertificateFn: func(_ context.Context, id string) (*domain.ManagedCertificate, error) {
 			return nil, ErrMockNotFound
 		},
 	}
@@ -345,7 +345,7 @@ func TestCreateCertificate_Success(t *testing.T) {
 	}

 	mock := &MockCertificateService{
-		CreateCertificateFn: func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+		CreateCertificateFn: func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 			return created, nil
 		},
 	}
@@ -403,7 +403,7 @@ func TestCreateCertificate_InvalidBody(t *testing.T) {
 // Test CreateCertificate - service error
 func TestCreateCertificate_ServiceError(t *testing.T) {
 	mock := &MockCertificateService{
-		CreateCertificateFn: func(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+		CreateCertificateFn: func(_ context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 			return nil, ErrMockServiceFailed
 		},
 	}
@@ -445,7 +445,7 @@ func TestUpdateCertificate_Success(t *testing.T) {
 	}

 	mock := &MockCertificateService{
-		UpdateCertificateFn: func(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+		UpdateCertificateFn: func(_ context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 			if id == "mc-prod-001" {
 				return updated, nil
 			}
@@ -501,7 +501,7 @@ func TestUpdateCertificate_InvalidBody(t *testing.T) {
 // Test ArchiveCertificate - success case
 func TestArchiveCertificate_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		ArchiveCertificateFn: func(id string) error {
+		ArchiveCertificateFn: func(_ context.Context, id string) error {
 			if id == "mc-prod-001" {
 				return nil
 			}
@@ -524,7 +524,7 @@ func TestArchiveCertificate_Success(t *testing.T) {
 // Test ArchiveCertificate - not found
 func TestArchiveCertificate_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		ArchiveCertificateFn: func(id string) error {
+		ArchiveCertificateFn: func(_ context.Context, id string) error {
 			return ErrMockNotFound
 		},
 	}
@@ -554,7 +554,7 @@ func TestGetCertificateVersions_Success(t *testing.T) {
 	}

 	mock := &MockCertificateService{
-		GetCertificateVersionsFn: func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+		GetCertificateVersionsFn: func(_ context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 			if certID == "mc-prod-001" {
 				return []domain.CertificateVersion{ver1}, 1, nil
 			}
@@ -586,7 +586,7 @@ func TestGetCertificateVersions_Success(t *testing.T) {
 // Test GetCertificateVersions - not found
 func TestGetCertificateVersions_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetCertificateVersionsFn: func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+		GetCertificateVersionsFn: func(_ context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 			return nil, 0, ErrMockNotFound
 		},
 	}
@@ -606,7 +606,7 @@ func TestGetCertificateVersions_NotFound(t *testing.T) {
 // Test TriggerRenewal - success case
 func TestTriggerRenewal_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		TriggerRenewalFn: func(certID string) error {
+		TriggerRenewalFn: func(_ context.Context, certID string, _ string) error {
 			if certID == "mc-prod-001" {
 				return nil
 			}
@@ -638,7 +638,7 @@ func TestTriggerRenewal_Success(t *testing.T) {
 // Test TriggerRenewal - service error
 func TestTriggerRenewal_ServiceError(t *testing.T) {
 	mock := &MockCertificateService{
-		TriggerRenewalFn: func(certID string) error {
+		TriggerRenewalFn: func(_ context.Context, certID string, _ string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -658,7 +658,7 @@ func TestTriggerRenewal_ServiceError(t *testing.T) {
 // Test TriggerDeployment - success case
 func TestTriggerDeployment_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		TriggerDeploymentFn: func(certID string, targetID string) error {
+		TriggerDeploymentFn: func(_ context.Context, certID string, targetID string, _ string) error {
 			if certID == "mc-prod-001" {
 				return nil
 			}
@@ -695,7 +695,7 @@ func TestTriggerDeployment_Success(t *testing.T) {
 // Test TriggerDeployment - without target ID
 func TestTriggerDeployment_NoTargetID(t *testing.T) {
 	mock := &MockCertificateService{
-		TriggerDeploymentFn: func(certID string, targetID string) error {
+		TriggerDeploymentFn: func(_ context.Context, certID string, targetID string, _ string) error {
 			// Should accept empty targetID (deploy to all)
 			return nil
 		},
@@ -716,7 +716,7 @@ func TestTriggerDeployment_NoTargetID(t *testing.T) {
 // Test ListCertificates - invalid page parameter
 func TestListCertificates_InvalidPageParam(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			// Should default to page 1
 			if filter.Page == 1 {
 				return []domain.ManagedCertificate{}, 0, nil
@@ -740,7 +740,7 @@ func TestListCertificates_InvalidPageParam(t *testing.T) {
 // Test ListCertificates - per_page exceeds max
 func TestListCertificates_PerPageExceedsMax(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			// Should cap perPage at 500
 			if filter.PerPage == 50 { // defaults to 50 if > 500
 				return []domain.ManagedCertificate{}, 0, nil
@@ -765,7 +765,7 @@ func TestListCertificates_PerPageExceedsMax(t *testing.T) {

 func TestRevokeCertificate_Handler_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			if certID != "mc-prod-001" {
 				t.Errorf("expected certID mc-prod-001, got %s", certID)
 			}
@@ -798,7 +798,7 @@ func TestRevokeCertificate_Handler_Success(t *testing.T) {

 func TestRevokeCertificate_Handler_NoBody(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			// Empty reason is OK — service defaults to "unspecified"
 			return nil
 		},
@@ -818,7 +818,7 @@ func TestRevokeCertificate_Handler_NoBody(t *testing.T) {

 func TestRevokeCertificate_Handler_AlreadyRevoked(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("certificate is already revoked")
 		},
 	}
@@ -839,7 +839,7 @@ func TestRevokeCertificate_Handler_AlreadyRevoked(t *testing.T) {

 func TestRevokeCertificate_Handler_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("failed to fetch certificate: not found")
 		},
 	}
@@ -858,7 +858,7 @@ func TestRevokeCertificate_Handler_NotFound(t *testing.T) {

 func TestRevokeCertificate_Handler_InvalidReason(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("invalid revocation reason: badReason")
 		},
 	}
@@ -922,7 +922,7 @@ func TestRevokeCertificate_Handler_EmptyID(t *testing.T) {

 func TestRevokeCertificate_Handler_CannotRevokeArchived(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("cannot revoke archived certificate")
 		},
 	}
@@ -941,7 +941,7 @@ func TestRevokeCertificate_Handler_CannotRevokeArchived(t *testing.T) {

 func TestRevokeCertificate_Handler_ServerError(t *testing.T) {
 	mock := &MockCertificateService{
-		RevokeCertificateFn: func(certID string, reason string) error {
+		RevokeCertificateFn: func(_ context.Context, certID string, reason string, _ string) error {
 			return fmt.Errorf("database connection lost")
 		},
 	}
@@ -962,7 +962,7 @@ func TestRevokeCertificate_Handler_ServerError(t *testing.T) {

 func TestGetCRL_Success(t *testing.T) {
 	mock := &MockCertificateService{
-		GetRevokedCertificatesFn: func() ([]*domain.CertificateRevocation, error) {
+		GetRevokedCertificatesFn: func(_ context.Context) ([]*domain.CertificateRevocation, error) {
 			return []*domain.CertificateRevocation{
 				{
 					ID:            "rev-1",
@@ -1022,7 +1022,7 @@ func TestGetCRL_Success(t *testing.T) {

 func TestGetCRL_Empty(t *testing.T) {
 	mock := &MockCertificateService{
-		GetRevokedCertificatesFn: func() ([]*domain.CertificateRevocation, error) {
+		GetRevokedCertificatesFn: func(_ context.Context) ([]*domain.CertificateRevocation, error) {
 			return nil, nil
 		},
 	}
@@ -1047,7 +1047,7 @@ func TestGetCRL_Empty(t *testing.T) {

 func TestGetCRL_ServiceError(t *testing.T) {
 	mock := &MockCertificateService{
-		GetRevokedCertificatesFn: func() ([]*domain.CertificateRevocation, error) {
+		GetRevokedCertificatesFn: func(_ context.Context) ([]*domain.CertificateRevocation, error) {
 			return nil, fmt.Errorf("revocation repository not configured")
 		},
 	}
@@ -1083,7 +1083,7 @@ func TestGetCRL_MethodNotAllowed(t *testing.T) {
 func TestGetDERCRL_Success(t *testing.T) {
 	derCRLData := []byte{0x30, 0x82, 0x01, 0x00} // Mock DER CRL bytes
 	mock := &MockCertificateService{
-		GenerateDERCRLFn: func(issuerID string) ([]byte, error) {
+		GenerateDERCRLFn: func(_ context.Context, issuerID string) ([]byte, error) {
 			if issuerID == "iss-local" {
 				return derCRLData, nil
 			}
@@ -1111,7 +1111,7 @@ func TestGetDERCRL_Success(t *testing.T) {

 func TestGetDERCRL_IssuerNotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GenerateDERCRLFn: func(issuerID string) ([]byte, error) {
+		GenerateDERCRLFn: func(_ context.Context, issuerID string) ([]byte, error) {
 			return nil, fmt.Errorf("issuer not found")
 		},
 	}
@@ -1130,7 +1130,7 @@ func TestGetDERCRL_IssuerNotFound(t *testing.T) {

 func TestGetDERCRL_NotSupported(t *testing.T) {
 	mock := &MockCertificateService{
-		GenerateDERCRLFn: func(issuerID string) ([]byte, error) {
+		GenerateDERCRLFn: func(_ context.Context, issuerID string) ([]byte, error) {
 			return nil, fmt.Errorf("issuer does not support CRL generation")
 		},
 	}
@@ -1165,7 +1165,7 @@ func TestGetDERCRL_MethodNotAllowed(t *testing.T) {
 func TestHandleOCSP_Success(t *testing.T) {
 	ocspResponseBytes := []byte{0x30, 0x82, 0x02, 0x00} // Mock OCSP response
 	mock := &MockCertificateService{
-		GetOCSPResponseFn: func(issuerID string, serialHex string) ([]byte, error) {
+		GetOCSPResponseFn: func(_ context.Context, issuerID string, serialHex string) ([]byte, error) {
 			if issuerID == "iss-local" && serialHex == "12345" {
 				return ocspResponseBytes, nil
 			}
@@ -1206,7 +1206,7 @@ func TestHandleOCSP_MissingSerial(t *testing.T) {

 func TestHandleOCSP_IssuerNotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetOCSPResponseFn: func(issuerID string, serialHex string) ([]byte, error) {
+		GetOCSPResponseFn: func(_ context.Context, issuerID string, serialHex string) ([]byte, error) {
 			return nil, fmt.Errorf("issuer not found")
 		},
 	}
@@ -1225,7 +1225,7 @@ func TestHandleOCSP_IssuerNotFound(t *testing.T) {

 func TestHandleOCSP_CertNotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetOCSPResponseFn: func(issuerID string, serialHex string) ([]byte, error) {
+		GetOCSPResponseFn: func(_ context.Context, issuerID string, serialHex string) ([]byte, error) {
 			return nil, fmt.Errorf("certificate not found")
 		},
 	}
@@ -1261,7 +1261,7 @@ func TestHandleOCSP_MethodNotAllowed(t *testing.T) {
 // TestListCertificates_SortParam tests sort parameter parsing and passing to service.
 func TestListCertificates_SortParam(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			// Handler strips the '-' prefix and sets SortDesc = true
 			if filter.Sort != "notAfter" || !filter.SortDesc {
 				t.Errorf("expected sort=notAfter desc=true, got sort=%s desc=%v", filter.Sort, filter.SortDesc)
@@ -1284,7 +1284,7 @@ func TestListCertificates_SortParam(t *testing.T) {
 // TestListCertificates_SortParam_Ascending tests sort parameter without '-' prefix (ascending).
 func TestListCertificates_SortParam_Ascending(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.Sort != "createdAt" || filter.SortDesc {
 				t.Errorf("expected sort=createdAt desc=false, got sort=%s desc=%v", filter.Sort, filter.SortDesc)
 			}
@@ -1309,7 +1309,7 @@ func TestListCertificates_TimeRangeFilters(t *testing.T) {
 	after := time.Now().AddDate(0, 0, -90)

 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.ExpiresBefore == nil {
 				t.Error("expected ExpiresBefore to be set")
 			}
@@ -1339,7 +1339,7 @@ func TestListCertificates_CreatedAfterFilter(t *testing.T) {
 	past := time.Now().AddDate(-1, 0, 0)

 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.CreatedAfter == nil {
 				t.Error("expected CreatedAfter to be set")
 			}
@@ -1369,7 +1369,7 @@ func TestListCertificates_CursorPagination(t *testing.T) {
 	}

 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			return []domain.ManagedCertificate{cert}, 1, nil
 		},
 	}
@@ -1409,7 +1409,7 @@ func TestListCertificates_SparseFields(t *testing.T) {
 	}

 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if len(filter.Fields) != 2 {
 				t.Errorf("expected 2 fields, got %d", len(filter.Fields))
 			}
@@ -1456,7 +1456,7 @@ func TestListCertificates_SparseFields(t *testing.T) {
 // TestListCertificates_ProfileFilter tests profile_id filter.
 func TestListCertificates_ProfileFilter(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.ProfileID != "prof-standard" {
 				t.Errorf("expected ProfileID=prof-standard, got %s", filter.ProfileID)
 			}
@@ -1479,7 +1479,7 @@ func TestListCertificates_ProfileFilter(t *testing.T) {
 // TestListCertificates_AgentIDFilter tests agent_id filter.
 func TestListCertificates_AgentIDFilter(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.AgentID != "agent-prod-001" {
 				t.Errorf("expected AgentID=agent-prod-001, got %s", filter.AgentID)
 			}
@@ -1502,7 +1502,7 @@ func TestListCertificates_AgentIDFilter(t *testing.T) {
 // TestListCertificates_CombinedFilters tests multiple filters together.
 func TestListCertificates_CombinedFilters(t *testing.T) {
 	mock := &MockCertificateService{
-		ListCertificatesWithFilterFn: func(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+		ListCertificatesWithFilterFn: func(_ context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
 			if filter.Status != "Active" || filter.Environment != "production" || filter.ProfileID != "prof-standard" {
 				t.Error("expected all filters to be set")
 			}
@@ -1540,7 +1540,7 @@ func TestGetCertificateDeployments_Success(t *testing.T) {
 	}

 	mock := &MockCertificateService{
-		GetCertificateDeploymentsFn: func(certID string) ([]domain.DeploymentTarget, error) {
+		GetCertificateDeploymentsFn: func(_ context.Context, certID string) ([]domain.DeploymentTarget, error) {
 			if certID != "mc-prod-001" {
 				return nil, ErrMockNotFound
 			}
@@ -1576,7 +1576,7 @@ func TestGetCertificateDeployments_Success(t *testing.T) {
 // TestGetCertificateDeployments_NotFound tests 404 for nonexistent certificate.
 func TestGetCertificateDeployments_NotFound(t *testing.T) {
 	mock := &MockCertificateService{
-		GetCertificateDeploymentsFn: func(certID string) ([]domain.DeploymentTarget, error) {
+		GetCertificateDeploymentsFn: func(_ context.Context, certID string) ([]domain.DeploymentTarget, error) {
 			return nil, fmt.Errorf("certificate not found")
 		},
 	}
@@ -1596,7 +1596,7 @@ func TestGetCertificateDeployments_NotFound(t *testing.T) {
 // TestGetCertificateDeployments_Empty tests successful response with no deployments.
 func TestGetCertificateDeployments_Empty(t *testing.T) {
 	mock := &MockCertificateService{
-		GetCertificateDeploymentsFn: func(certID string) ([]domain.DeploymentTarget, error) {
+		GetCertificateDeploymentsFn: func(_ context.Context, certID string) ([]domain.DeploymentTarget, error) {
 			if certID == "mc-no-deployments" {
 				return []domain.DeploymentTarget{}, nil
 			}
@@ -1,6 +1,7 @@
 package handler

 import (
+	"context"
 	"encoding/json"
 	"log/slog"
 	"net/http"
@@ -15,20 +16,20 @@ import (

 // CertificateService defines the service interface for certificate operations.
 type CertificateService interface {
-	ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
-	ListCertificatesWithFilter(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
-	GetCertificate(id string) (*domain.ManagedCertificate, error)
-	CreateCertificate(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
-	UpdateCertificate(id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
-	ArchiveCertificate(id string) error
-	GetCertificateVersions(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
-	TriggerRenewal(certID string) error
-	TriggerDeployment(certID string, targetID string) error
-	RevokeCertificate(certID string, reason string) error
-	GetRevokedCertificates() ([]*domain.CertificateRevocation, error)
-	GenerateDERCRL(issuerID string) ([]byte, error)
-	GetOCSPResponse(issuerID string, serialHex string) ([]byte, error)
-	GetCertificateDeployments(certID string) ([]domain.DeploymentTarget, error)
+	ListCertificates(ctx context.Context, status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error)
+	ListCertificatesWithFilter(ctx context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error)
+	GetCertificate(ctx context.Context, id string) (*domain.ManagedCertificate, error)
+	CreateCertificate(ctx context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
+	UpdateCertificate(ctx context.Context, id string, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error)
+	ArchiveCertificate(ctx context.Context, id string) error
+	GetCertificateVersions(ctx context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
+	TriggerRenewal(ctx context.Context, certID string, actor string) error
+	TriggerDeployment(ctx context.Context, certID string, targetID string, actor string) error
+	RevokeCertificate(ctx context.Context, certID string, reason string, actor string) error
+	GetRevokedCertificates(ctx context.Context) ([]*domain.CertificateRevocation, error)
+	GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error)
+	GetOCSPResponse(ctx context.Context, issuerID string, serialHex string) ([]byte, error)
+	GetCertificateDeployments(ctx context.Context, certID string) ([]domain.DeploymentTarget, error)
 }

 // CertificateHandler handles HTTP requests for certificate operations.
@@ -128,7 +129,7 @@ func (h CertificateHandler) ListCertificates(w http.ResponseWriter, r *http.Requ
 		filter.Fields = strings.Split(fieldsStr, ",")
 	}

-	certs, total, err := h.svc.ListCertificatesWithFilter(filter)
+	certs, total, err := h.svc.ListCertificatesWithFilter(r.Context(), filter)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list certificates", requestID)
 		return
@@ -186,7 +187,7 @@ func (h CertificateHandler) GetCertificate(w http.ResponseWriter, r *http.Reques
 		return
 	}

-	cert, err := h.svc.GetCertificate(id)
+	cert, err := h.svc.GetCertificate(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
 		return
@@ -241,7 +242,7 @@ func (h CertificateHandler) CreateCertificate(w http.ResponseWriter, r *http.Req
 		return
 	}

-	created, err := h.svc.CreateCertificate(cert)
+	created, err := h.svc.CreateCertificate(r.Context(), cert)
 	if err != nil {
 		slog.Error("failed to create certificate", "error", err, "request_id", requestID, "common_name", cert.CommonName, "name", cert.Name)
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create certificate", requestID)
@@ -295,7 +296,7 @@ func (h CertificateHandler) UpdateCertificate(w http.ResponseWriter, r *http.Req
 		}
 	}

-	updated, err := h.svc.UpdateCertificate(id, cert)
+	updated, err := h.svc.UpdateCertificate(r.Context(), id, cert)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
@@ -325,7 +326,7 @@ func (h CertificateHandler) ArchiveCertificate(w http.ResponseWriter, r *http.Re
 		return
 	}

-	if err := h.svc.ArchiveCertificate(id); err != nil {
+	if err := h.svc.ArchiveCertificate(r.Context(), id); err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
 			return
@@ -370,7 +371,7 @@ func (h CertificateHandler) GetCertificateVersions(w http.ResponseWriter, r *htt
 		}
 	}

-	versions, total, err := h.svc.GetCertificateVersions(certID, page, perPage)
+	versions, total, err := h.svc.GetCertificateVersions(r.Context(), certID, page, perPage)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
@@ -410,7 +411,7 @@ func (h CertificateHandler) TriggerRenewal(w http.ResponseWriter, r *http.Reques
 	}
 	certID := parts[0]

-	if err := h.svc.TriggerRenewal(certID); err != nil {
+	if err := h.svc.TriggerRenewal(r.Context(), certID, "api"); err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
@@ -466,7 +467,7 @@ func (h CertificateHandler) TriggerDeployment(w http.ResponseWriter, r *http.Req
 		}
 	}

-	if err := h.svc.TriggerDeployment(certID, req.TargetID); err != nil {
+	if err := h.svc.TriggerDeployment(r.Context(), certID, req.TargetID, "api"); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to trigger deployment", requestID)
 		return
 	}
@@ -508,7 +509,7 @@ func (h CertificateHandler) RevokeCertificate(w http.ResponseWriter, r *http.Req
 		}
 	}

-	if err := h.svc.RevokeCertificate(certID, req.Reason); err != nil {
+	if err := h.svc.RevokeCertificate(r.Context(), certID, req.Reason, "api"); err != nil {
 		// Distinguish between client errors and server errors
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "already revoked") ||
@@ -540,7 +541,7 @@ func (h CertificateHandler) GetCRL(w http.ResponseWriter, r *http.Request) {

 	requestID := middleware.GetRequestID(r.Context())

-	revocations, err := h.svc.GetRevokedCertificates()
+	revocations, err := h.svc.GetRevokedCertificates(r.Context())
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to generate CRL", requestID)
 		return
@@ -585,7 +586,7 @@ func (h CertificateHandler) GetDERCRL(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	derBytes, err := h.svc.GenerateDERCRL(issuerID)
+	derBytes, err := h.svc.GenerateDERCRL(r.Context(), issuerID)
 	if err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {
@@ -627,7 +628,7 @@ func (h CertificateHandler) HandleOCSP(w http.ResponseWriter, r *http.Request) {
 	issuerID := parts[0]
 	serialHex := parts[1]

-	derBytes, err := h.svc.GetOCSPResponse(issuerID, serialHex)
+	derBytes, err := h.svc.GetOCSPResponse(r.Context(), issuerID, serialHex)
 	if err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {
@@ -667,7 +668,7 @@ func (h CertificateHandler) GetCertificateDeployments(w http.ResponseWriter, r *
 	}
 	certID := parts[0]

-	deployments, err := h.svc.GetCertificateDeployments(certID)
+	deployments, err := h.svc.GetCertificateDeployments(r.Context(), certID)
 	if err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {
@@ -2,6 +2,7 @@ package handler

 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -15,52 +16,52 @@ import (

 // MockIssuerService is a mock implementation of IssuerService interface.
 type MockIssuerService struct {
-	ListIssuersFn    func(page, perPage int) ([]domain.Issuer, int64, error)
-	GetIssuerFn      func(id string) (*domain.Issuer, error)
-	CreateIssuerFn   func(issuer domain.Issuer) (*domain.Issuer, error)
-	UpdateIssuerFn   func(id string, issuer domain.Issuer) (*domain.Issuer, error)
-	DeleteIssuerFn   func(id string) error
-	TestConnectionFn func(id string) error
+	ListIssuersFn    func(ctx context.Context, page, perPage int) ([]domain.Issuer, int64, error)
+	GetIssuerFn      func(ctx context.Context, id string) (*domain.Issuer, error)
+	CreateIssuerFn   func(ctx context.Context, issuer domain.Issuer) (*domain.Issuer, error)
+	UpdateIssuerFn   func(ctx context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error)
+	DeleteIssuerFn   func(ctx context.Context, id string) error
+	TestConnectionFn func(ctx context.Context, id string) error
 }

-func (m *MockIssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64, error) {
+func (m *MockIssuerService) ListIssuers(ctx context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 	if m.ListIssuersFn != nil {
-		return m.ListIssuersFn(page, perPage)
+		return m.ListIssuersFn(ctx, page, perPage)
 	}
 	return nil, 0, nil
 }

-func (m *MockIssuerService) GetIssuer(id string) (*domain.Issuer, error) {
+func (m *MockIssuerService) GetIssuer(ctx context.Context, id string) (*domain.Issuer, error) {
 	if m.GetIssuerFn != nil {
-		return m.GetIssuerFn(id)
+		return m.GetIssuerFn(ctx, id)
 	}
 	return nil, nil
 }

-func (m *MockIssuerService) CreateIssuer(issuer domain.Issuer) (*domain.Issuer, error) {
+func (m *MockIssuerService) CreateIssuer(ctx context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 	if m.CreateIssuerFn != nil {
-		return m.CreateIssuerFn(issuer)
+		return m.CreateIssuerFn(ctx, issuer)
 	}
 	return nil, nil
 }

-func (m *MockIssuerService) UpdateIssuer(id string, issuer domain.Issuer) (*domain.Issuer, error) {
+func (m *MockIssuerService) UpdateIssuer(ctx context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error) {
 	if m.UpdateIssuerFn != nil {
-		return m.UpdateIssuerFn(id, issuer)
+		return m.UpdateIssuerFn(ctx, id, issuer)
 	}
 	return nil, nil
 }

-func (m *MockIssuerService) DeleteIssuer(id string) error {
+func (m *MockIssuerService) DeleteIssuer(ctx context.Context, id string) error {
 	if m.DeleteIssuerFn != nil {
-		return m.DeleteIssuerFn(id)
+		return m.DeleteIssuerFn(ctx, id)
 	}
 	return nil
 }

-func (m *MockIssuerService) TestConnection(id string) error {
+func (m *MockIssuerService) TestConnection(ctx context.Context, id string) error {
 	if m.TestConnectionFn != nil {
-		return m.TestConnectionFn(id)
+		return m.TestConnectionFn(ctx, id)
 	}
 	return nil
 }
@@ -85,7 +86,7 @@ func TestListIssuers_Success(t *testing.T) {
 	}

 	mock := &MockIssuerService{
-		ListIssuersFn: func(page, perPage int) ([]domain.Issuer, int64, error) {
+		ListIssuersFn: func(_ context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 			return []domain.Issuer{iss1, iss2}, 2, nil
 		},
 	}
@@ -113,7 +114,7 @@ func TestListIssuers_Success(t *testing.T) {
 func TestListIssuers_Pagination(t *testing.T) {
 	var capturedPage, capturedPerPage int
 	mock := &MockIssuerService{
-		ListIssuersFn: func(page, perPage int) ([]domain.Issuer, int64, error) {
+		ListIssuersFn: func(_ context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 			capturedPage = page
 			capturedPerPage = perPage
 			return []domain.Issuer{}, 0, nil
@@ -137,7 +138,7 @@ func TestListIssuers_Pagination(t *testing.T) {

 func TestListIssuers_ServiceError(t *testing.T) {
 	mock := &MockIssuerService{
-		ListIssuersFn: func(page, perPage int) ([]domain.Issuer, int64, error) {
+		ListIssuersFn: func(_ context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 			return nil, 0, ErrMockServiceFailed
 		},
 	}
@@ -169,7 +170,7 @@ func TestListIssuers_MethodNotAllowed(t *testing.T) {
 func TestGetIssuer_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockIssuerService{
-		GetIssuerFn: func(id string) (*domain.Issuer, error) {
+		GetIssuerFn: func(_ context.Context, id string) (*domain.Issuer, error) {
 			return &domain.Issuer{
 				ID:        id,
 				Name:      "Local CA",
@@ -195,7 +196,7 @@ func TestGetIssuer_Success(t *testing.T) {

 func TestGetIssuer_NotFound(t *testing.T) {
 	mock := &MockIssuerService{
-		GetIssuerFn: func(id string) (*domain.Issuer, error) {
+		GetIssuerFn: func(_ context.Context, id string) (*domain.Issuer, error) {
 			return nil, ErrMockNotFound
 		},
 	}
@@ -228,7 +229,7 @@ func TestGetIssuer_EmptyID(t *testing.T) {
 func TestCreateIssuer_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockIssuerService{
-		CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
+		CreateIssuerFn: func(_ context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 			issuer.ID = "iss-new"
 			issuer.CreatedAt = now
 			issuer.UpdatedAt = now
@@ -328,7 +329,7 @@ func TestCreateIssuer_NameTooLong(t *testing.T) {

 func TestCreateIssuer_DuplicateName(t *testing.T) {
 	mock := &MockIssuerService{
-		CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
+		CreateIssuerFn: func(_ context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 			return nil, fmt.Errorf("failed to create issuer: duplicate key value violates unique constraint \"issuers_name_key\"")
 		},
 	}
@@ -361,7 +362,7 @@ func TestCreateIssuer_DuplicateName(t *testing.T) {

 func TestCreateIssuer_UnsupportedType(t *testing.T) {
 	mock := &MockIssuerService{
-		CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
+		CreateIssuerFn: func(_ context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 			return nil, fmt.Errorf("unsupported issuer type: FakeCA")
 		},
 	}
@@ -394,7 +395,7 @@ func TestCreateIssuer_UnsupportedType(t *testing.T) {

 func TestCreateIssuer_GenericServiceError(t *testing.T) {
 	mock := &MockIssuerService{
-		CreateIssuerFn: func(issuer domain.Issuer) (*domain.Issuer, error) {
+		CreateIssuerFn: func(_ context.Context, issuer domain.Issuer) (*domain.Issuer, error) {
 			return nil, fmt.Errorf("failed to encrypt config: cipher error")
 		},
 	}
@@ -419,7 +420,7 @@ func TestCreateIssuer_GenericServiceError(t *testing.T) {

 func TestUpdateIssuer_DuplicateName(t *testing.T) {
 	mock := &MockIssuerService{
-		UpdateIssuerFn: func(id string, issuer domain.Issuer) (*domain.Issuer, error) {
+		UpdateIssuerFn: func(_ context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error) {
 			return nil, fmt.Errorf("failed to update issuer: duplicate key value violates unique constraint")
 		},
 	}
@@ -445,7 +446,7 @@ func TestUpdateIssuer_DuplicateName(t *testing.T) {
 func TestDeleteIssuer_Success(t *testing.T) {
 	var deletedID string
 	mock := &MockIssuerService{
-		DeleteIssuerFn: func(id string) error {
+		DeleteIssuerFn: func(_ context.Context, id string) error {
 			deletedID = id
 			return nil
 		},
@@ -468,7 +469,7 @@ func TestDeleteIssuer_Success(t *testing.T) {

 func TestDeleteIssuer_ServiceError(t *testing.T) {
 	mock := &MockIssuerService{
-		DeleteIssuerFn: func(id string) error {
+		DeleteIssuerFn: func(_ context.Context, id string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -487,7 +488,7 @@ func TestDeleteIssuer_ServiceError(t *testing.T) {

 func TestTestConnection_Success(t *testing.T) {
 	mock := &MockIssuerService{
-		TestConnectionFn: func(id string) error {
+		TestConnectionFn: func(_ context.Context, id string) error {
 			return nil
 		},
 	}
@@ -514,7 +515,7 @@ func TestTestConnection_Success(t *testing.T) {

 func TestTestConnection_Failure(t *testing.T) {
 	mock := &MockIssuerService{
-		TestConnectionFn: func(id string) error {
+		TestConnectionFn: func(_ context.Context, id string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -1,6 +1,7 @@
 package handler

 import (
+	"context"
 	"encoding/json"
 	"log/slog"
 	"net/http"
@@ -13,12 +14,12 @@ import (

 // IssuerService defines the service interface for issuer operations.
 type IssuerService interface {
-	ListIssuers(page, perPage int) ([]domain.Issuer, int64, error)
-	GetIssuer(id string) (*domain.Issuer, error)
-	CreateIssuer(issuer domain.Issuer) (*domain.Issuer, error)
-	UpdateIssuer(id string, issuer domain.Issuer) (*domain.Issuer, error)
-	DeleteIssuer(id string) error
-	TestConnection(id string) error
+	ListIssuers(ctx context.Context, page, perPage int) ([]domain.Issuer, int64, error)
+	GetIssuer(ctx context.Context, id string) (*domain.Issuer, error)
+	CreateIssuer(ctx context.Context, issuer domain.Issuer) (*domain.Issuer, error)
+	UpdateIssuer(ctx context.Context, id string, issuer domain.Issuer) (*domain.Issuer, error)
+	DeleteIssuer(ctx context.Context, id string) error
+	TestConnection(ctx context.Context, id string) error
 }

 // IssuerHandler handles HTTP requests for issuer operations.
@@ -61,7 +62,7 @@ func (h IssuerHandler) ListIssuers(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	issuers, total, err := h.svc.ListIssuers(page, perPage)
+	issuers, total, err := h.svc.ListIssuers(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list issuers", requestID)
 		return
@@ -93,7 +94,7 @@ func (h IssuerHandler) GetIssuer(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	issuer, err := h.svc.GetIssuer(id)
+	issuer, err := h.svc.GetIssuer(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Issuer not found", requestID)
 		return
@@ -132,7 +133,7 @@ func (h IssuerHandler) CreateIssuer(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	created, err := h.svc.CreateIssuer(issuer)
+	created, err := h.svc.CreateIssuer(r.Context(), issuer)
 	if err != nil {
 		h.logger.Error("failed to create issuer", "error", err, "name", issuer.Name, "type", issuer.Type)
 		errMsg := err.Error()
@@ -174,7 +175,7 @@ func (h IssuerHandler) UpdateIssuer(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	updated, err := h.svc.UpdateIssuer(id, issuer)
+	updated, err := h.svc.UpdateIssuer(r.Context(), id, issuer)
 	if err != nil {
 		h.logger.Error("failed to update issuer", "error", err, "id", id)
 		errMsg := err.Error()
@@ -208,7 +209,7 @@ func (h IssuerHandler) DeleteIssuer(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if err := h.svc.DeleteIssuer(id); err != nil {
+	if err := h.svc.DeleteIssuer(r.Context(), id); err != nil {
 		if strings.Contains(err.Error(), "violates foreign key") || strings.Contains(err.Error(), "RESTRICT") {
 			ErrorWithRequestID(w, http.StatusConflict, "Cannot delete issuer: certificates are still using this issuer", requestID)
 		} else if strings.Contains(err.Error(), "not found") {
@@ -241,7 +242,7 @@ func (h IssuerHandler) TestConnection(w http.ResponseWriter, r *http.Request) {
 	}
 	issuerID := parts[0]

-	if err := h.svc.TestConnection(issuerID); err != nil {
+	if err := h.svc.TestConnection(r.Context(), issuerID); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Connection test failed", requestID)
 		return
 	}
@@ -1,6 +1,7 @@
 package handler

 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -21,35 +22,35 @@ type MockJobService struct {
 	RejectJobFn  func(id string, reason string) error
 }

-func (m *MockJobService) ListJobs(status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
+func (m *MockJobService) ListJobs(_ context.Context, status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
 	if m.ListJobsFn != nil {
 		return m.ListJobsFn(status, jobType, page, perPage)
 	}
 	return nil, 0, nil
 }

-func (m *MockJobService) GetJob(id string) (*domain.Job, error) {
+func (m *MockJobService) GetJob(_ context.Context, id string) (*domain.Job, error) {
 	if m.GetJobFn != nil {
 		return m.GetJobFn(id)
 	}
 	return nil, nil
 }

-func (m *MockJobService) CancelJob(id string) error {
+func (m *MockJobService) CancelJob(_ context.Context, id string) error {
 	if m.CancelJobFn != nil {
 		return m.CancelJobFn(id)
 	}
 	return nil
 }

-func (m *MockJobService) ApproveJob(id string) error {
+func (m *MockJobService) ApproveJob(_ context.Context, id string) error {
 	if m.ApproveJobFn != nil {
 		return m.ApproveJobFn(id)
 	}
 	return nil
 }

-func (m *MockJobService) RejectJob(id string, reason string) error {
+func (m *MockJobService) RejectJob(_ context.Context, id string, reason string) error {
 	if m.RejectJobFn != nil {
 		return m.RejectJobFn(id, reason)
 	}
@@ -1,6 +1,7 @@
 package handler

 import (
+	"context"
 	"encoding/json"
 	"io"
 	"net/http"
@@ -13,11 +14,11 @@ import (

 // JobService defines the service interface for job operations.
 type JobService interface {
-	ListJobs(status, jobType string, page, perPage int) ([]domain.Job, int64, error)
-	GetJob(id string) (*domain.Job, error)
-	CancelJob(id string) error
-	ApproveJob(id string) error
-	RejectJob(id string, reason string) error
+	ListJobs(ctx context.Context, status, jobType string, page, perPage int) ([]domain.Job, int64, error)
+	GetJob(ctx context.Context, id string) (*domain.Job, error)
+	CancelJob(ctx context.Context, id string) error
+	ApproveJob(ctx context.Context, id string) error
+	RejectJob(ctx context.Context, id string, reason string) error
 }

 // JobHandler handles HTTP requests for job operations.
@@ -57,7 +58,7 @@ func (h JobHandler) ListJobs(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	jobs, total, err := h.svc.ListJobs(status, jobType, page, perPage)
+	jobs, total, err := h.svc.ListJobs(r.Context(), status, jobType, page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list jobs", requestID)
 		return
@@ -91,7 +92,7 @@ func (h JobHandler) GetJob(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]

-	job, err := h.svc.GetJob(id)
+	job, err := h.svc.GetJob(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
 		return
@@ -119,7 +120,7 @@ func (h JobHandler) CancelJob(w http.ResponseWriter, r *http.Request) {
 	}
 	jobID := parts[0]

-	if err := h.svc.CancelJob(jobID); err != nil {
+	if err := h.svc.CancelJob(r.Context(), jobID); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to cancel job", requestID)
 		return
 	}
@@ -149,7 +150,7 @@ func (h JobHandler) ApproveJob(w http.ResponseWriter, r *http.Request) {
 	}
 	jobID := parts[0]

-	if err := h.svc.ApproveJob(jobID); err != nil {
+	if err := h.svc.ApproveJob(r.Context(), jobID); err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
 			return
@@ -193,7 +194,7 @@ func (h JobHandler) RejectJob(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	if err := h.svc.RejectJob(jobID, body.Reason); err != nil {
+	if err := h.svc.RejectJob(r.Context(), jobID, body.Reason); err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
 			return
@@ -1,6 +1,7 @@
 package handler

 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -17,21 +18,21 @@ type MockNotificationService struct {
 	MarkAsReadFn        func(id string) error
 }

-func (m *MockNotificationService) ListNotifications(page, perPage int) ([]domain.NotificationEvent, int64, error) {
+func (m *MockNotificationService) ListNotifications(_ context.Context, page, perPage int) ([]domain.NotificationEvent, int64, error) {
 	if m.ListNotificationsFn != nil {
 		return m.ListNotificationsFn(page, perPage)
 	}
 	return nil, 0, nil
 }

-func (m *MockNotificationService) GetNotification(id string) (*domain.NotificationEvent, error) {
+func (m *MockNotificationService) GetNotification(_ context.Context, id string) (*domain.NotificationEvent, error) {
 	if m.GetNotificationFn != nil {
 		return m.GetNotificationFn(id)
 	}
 	return nil, nil
 }

-func (m *MockNotificationService) MarkAsRead(id string) error {
+func (m *MockNotificationService) MarkAsRead(_ context.Context, id string) error {
 	if m.MarkAsReadFn != nil {
 		return m.MarkAsReadFn(id)
 	}
@@ -1,6 +1,7 @@
 package handler

 import (
+	"context"
 	"net/http"
 	"strconv"
 	"strings"
@@ -11,9 +12,9 @@ import (

 // NotificationService defines the service interface for notification operations.
 type NotificationService interface {
-	ListNotifications(page, perPage int) ([]domain.NotificationEvent, int64, error)
-	GetNotification(id string) (*domain.NotificationEvent, error)
-	MarkAsRead(id string) error
+	ListNotifications(ctx context.Context, page, perPage int) ([]domain.NotificationEvent, int64, error)
+	GetNotification(ctx context.Context, id string) (*domain.NotificationEvent, error)
+	MarkAsRead(ctx context.Context, id string) error
 }

 // NotificationHandler handles HTTP requests for notification operations.
@@ -50,7 +51,7 @@ func (h NotificationHandler) ListNotifications(w http.ResponseWriter, r *http.Re
 		}
 	}

-	notifications, total, err := h.svc.ListNotifications(page, perPage)
+	notifications, total, err := h.svc.ListNotifications(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list notifications", requestID)
 		return
@@ -84,7 +85,7 @@ func (h NotificationHandler) GetNotification(w http.ResponseWriter, r *http.Requ
 	}
 	id = parts[0]

-	notification, err := h.svc.GetNotification(id)
+	notification, err := h.svc.GetNotification(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Notification not found", requestID)
 		return
@@ -112,7 +113,7 @@ func (h NotificationHandler) MarkAsRead(w http.ResponseWriter, r *http.Request)
 	}
 	notificationID := parts[0]

-	if err := h.svc.MarkAsRead(notificationID); err != nil {
+	if err := h.svc.MarkAsRead(r.Context(), notificationID); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to mark notification as read", requestID)
 		return
 	}
@@ -2,6 +2,7 @@ package handler

 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -20,35 +21,35 @@ type MockOwnerService struct {
 	DeleteOwnerFn func(id string) error
 }

-func (m *MockOwnerService) ListOwners(page, perPage int) ([]domain.Owner, int64, error) {
+func (m *MockOwnerService) ListOwners(_ context.Context, page, perPage int) ([]domain.Owner, int64, error) {
 	if m.ListOwnersFn != nil {
 		return m.ListOwnersFn(page, perPage)
 	}
 	return nil, 0, nil
 }

-func (m *MockOwnerService) GetOwner(id string) (*domain.Owner, error) {
+func (m *MockOwnerService) GetOwner(_ context.Context, id string) (*domain.Owner, error) {
 	if m.GetOwnerFn != nil {
 		return m.GetOwnerFn(id)
 	}
 	return nil, nil
 }

-func (m *MockOwnerService) CreateOwner(owner domain.Owner) (*domain.Owner, error) {
+func (m *MockOwnerService) CreateOwner(_ context.Context, owner domain.Owner) (*domain.Owner, error) {
 	if m.CreateOwnerFn != nil {
 		return m.CreateOwnerFn(owner)
 	}
 	return nil, nil
 }

-func (m *MockOwnerService) UpdateOwner(id string, owner domain.Owner) (*domain.Owner, error) {
+func (m *MockOwnerService) UpdateOwner(_ context.Context, id string, owner domain.Owner) (*domain.Owner, error) {
 	if m.UpdateOwnerFn != nil {
 		return m.UpdateOwnerFn(id, owner)
 	}
 	return nil, nil
 }

-func (m *MockOwnerService) DeleteOwner(id string) error {
+func (m *MockOwnerService) DeleteOwner(_ context.Context, id string) error {
 	if m.DeleteOwnerFn != nil {
 		return m.DeleteOwnerFn(id)
 	}
@@ -1,6 +1,7 @@
 package handler

 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,11 +13,11 @@ import (

 // OwnerService defines the service interface for owner operations.
 type OwnerService interface {
-	ListOwners(page, perPage int) ([]domain.Owner, int64, error)
-	GetOwner(id string) (*domain.Owner, error)
-	CreateOwner(owner domain.Owner) (*domain.Owner, error)
-	UpdateOwner(id string, owner domain.Owner) (*domain.Owner, error)
-	DeleteOwner(id string) error
+	ListOwners(ctx context.Context, page, perPage int) ([]domain.Owner, int64, error)
+	GetOwner(ctx context.Context, id string) (*domain.Owner, error)
+	CreateOwner(ctx context.Context, owner domain.Owner) (*domain.Owner, error)
+	UpdateOwner(ctx context.Context, id string, owner domain.Owner) (*domain.Owner, error)
+	DeleteOwner(ctx context.Context, id string) error
 }

 // OwnerHandler handles HTTP requests for owner operations.
@@ -53,7 +54,7 @@ func (h OwnerHandler) ListOwners(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	owners, total, err := h.svc.ListOwners(page, perPage)
+	owners, total, err := h.svc.ListOwners(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list owners", requestID)
 		return
@@ -87,7 +88,7 @@ func (h OwnerHandler) GetOwner(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]

-	owner, err := h.svc.GetOwner(id)
+	owner, err := h.svc.GetOwner(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Owner not found", requestID)
 		return
@@ -122,7 +123,7 @@ func (h OwnerHandler) CreateOwner(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	created, err := h.svc.CreateOwner(owner)
+	created, err := h.svc.CreateOwner(r.Context(), owner)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create owner", requestID)
 		return
@@ -155,7 +156,7 @@ func (h OwnerHandler) UpdateOwner(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	updated, err := h.svc.UpdateOwner(id, owner)
+	updated, err := h.svc.UpdateOwner(r.Context(), id, owner)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update owner", requestID)
 		return
@@ -182,7 +183,7 @@ func (h OwnerHandler) DeleteOwner(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]

-	if err := h.svc.DeleteOwner(id); err != nil {
+	if err := h.svc.DeleteOwner(r.Context(), id); err != nil {
 		if strings.Contains(err.Error(), "violates foreign key") || strings.Contains(err.Error(), "RESTRICT") {
 			ErrorWithRequestID(w, http.StatusConflict, "Cannot delete owner: certificates are still assigned to this owner", requestID)
 		} else if strings.Contains(err.Error(), "not found") {
@@ -1,6 +1,7 @@
 package handler

 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,12 +13,12 @@ import (

 // PolicyService defines the service interface for policy rule operations.
 type PolicyService interface {
-	ListPolicies(page, perPage int) ([]domain.PolicyRule, int64, error)
-	GetPolicy(id string) (*domain.PolicyRule, error)
-	CreatePolicy(policy domain.PolicyRule) (*domain.PolicyRule, error)
-	UpdatePolicy(id string, policy domain.PolicyRule) (*domain.PolicyRule, error)
-	DeletePolicy(id string) error
-	ListViolations(policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error)
+	ListPolicies(ctx context.Context, page, perPage int) ([]domain.PolicyRule, int64, error)
+	GetPolicy(ctx context.Context, id string) (*domain.PolicyRule, error)
+	CreatePolicy(ctx context.Context, policy domain.PolicyRule) (*domain.PolicyRule, error)
+	UpdatePolicy(ctx context.Context, id string, policy domain.PolicyRule) (*domain.PolicyRule, error)
+	DeletePolicy(ctx context.Context, id string) error
+	ListViolations(ctx context.Context, policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error)
 }

 // PolicyHandler handles HTTP requests for policy rule operations.
@@ -54,7 +55,7 @@ func (h PolicyHandler) ListPolicies(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	policies, total, err := h.svc.ListPolicies(page, perPage)
+	policies, total, err := h.svc.ListPolicies(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list policies", requestID)
 		return
@@ -88,7 +89,7 @@ func (h PolicyHandler) GetPolicy(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]

-	policy, err := h.svc.GetPolicy(id)
+	policy, err := h.svc.GetPolicy(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Policy not found", requestID)
 		return
@@ -127,7 +128,7 @@ func (h PolicyHandler) CreatePolicy(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	created, err := h.svc.CreatePolicy(policy)
+	created, err := h.svc.CreatePolicy(r.Context(), policy)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create policy", requestID)
 		return
@@ -174,7 +175,7 @@ func (h PolicyHandler) UpdatePolicy(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	updated, err := h.svc.UpdatePolicy(id, policy)
+	updated, err := h.svc.UpdatePolicy(r.Context(), id, policy)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update policy", requestID)
 		return
@@ -201,7 +202,7 @@ func (h PolicyHandler) DeletePolicy(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]

-	if err := h.svc.DeletePolicy(id); err != nil {
+	if err := h.svc.DeletePolicy(r.Context(), id); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to delete policy", requestID)
 		return
 	}
@@ -242,7 +243,7 @@ func (h PolicyHandler) ListViolations(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	violations, total, err := h.svc.ListViolations(policyID, page, perPage)
+	violations, total, err := h.svc.ListViolations(r.Context(), policyID, page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list violations", requestID)
 		return
@@ -2,6 +2,7 @@ package handler

 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -21,42 +22,42 @@ type MockPolicyService struct {
 	ListViolationsFn func(policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error)
 }

-func (m *MockPolicyService) ListPolicies(page, perPage int) ([]domain.PolicyRule, int64, error) {
+func (m *MockPolicyService) ListPolicies(_ context.Context, page, perPage int) ([]domain.PolicyRule, int64, error) {
 	if m.ListPoliciesFn != nil {
 		return m.ListPoliciesFn(page, perPage)
 	}
 	return nil, 0, nil
 }

-func (m *MockPolicyService) GetPolicy(id string) (*domain.PolicyRule, error) {
+func (m *MockPolicyService) GetPolicy(_ context.Context, id string) (*domain.PolicyRule, error) {
 	if m.GetPolicyFn != nil {
 		return m.GetPolicyFn(id)
 	}
 	return nil, nil
 }

-func (m *MockPolicyService) CreatePolicy(policy domain.PolicyRule) (*domain.PolicyRule, error) {
+func (m *MockPolicyService) CreatePolicy(_ context.Context, policy domain.PolicyRule) (*domain.PolicyRule, error) {
 	if m.CreatePolicyFn != nil {
 		return m.CreatePolicyFn(policy)
 	}
 	return nil, nil
 }

-func (m *MockPolicyService) UpdatePolicy(id string, policy domain.PolicyRule) (*domain.PolicyRule, error) {
+func (m *MockPolicyService) UpdatePolicy(_ context.Context, id string, policy domain.PolicyRule) (*domain.PolicyRule, error) {
 	if m.UpdatePolicyFn != nil {
 		return m.UpdatePolicyFn(id, policy)
 	}
 	return nil, nil
 }

-func (m *MockPolicyService) DeletePolicy(id string) error {
+func (m *MockPolicyService) DeletePolicy(_ context.Context, id string) error {
 	if m.DeletePolicyFn != nil {
 		return m.DeletePolicyFn(id)
 	}
 	return nil
 }

-func (m *MockPolicyService) ListViolations(policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error) {
+func (m *MockPolicyService) ListViolations(_ context.Context, policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error) {
 	if m.ListViolationsFn != nil {
 		return m.ListViolationsFn(policyID, page, perPage)
 	}
@@ -2,6 +2,7 @@ package handler

 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -20,35 +21,35 @@ type MockProfileService struct {
 	DeleteProfileFn func(id string) error
 }

-func (m *MockProfileService) ListProfiles(page, perPage int) ([]domain.CertificateProfile, int64, error) {
+func (m *MockProfileService) ListProfiles(_ context.Context, page, perPage int) ([]domain.CertificateProfile, int64, error) {
 	if m.ListProfilesFn != nil {
 		return m.ListProfilesFn(page, perPage)
 	}
 	return nil, 0, nil
 }

-func (m *MockProfileService) GetProfile(id string) (*domain.CertificateProfile, error) {
+func (m *MockProfileService) GetProfile(_ context.Context, id string) (*domain.CertificateProfile, error) {
 	if m.GetProfileFn != nil {
 		return m.GetProfileFn(id)
 	}
 	return nil, nil
 }

-func (m *MockProfileService) CreateProfile(profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (m *MockProfileService) CreateProfile(_ context.Context, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	if m.CreateProfileFn != nil {
 		return m.CreateProfileFn(profile)
 	}
 	return nil, nil
 }

-func (m *MockProfileService) UpdateProfile(id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (m *MockProfileService) UpdateProfile(_ context.Context, id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	if m.UpdateProfileFn != nil {
 		return m.UpdateProfileFn(id, profile)
 	}
 	return nil, nil
 }

-func (m *MockProfileService) DeleteProfile(id string) error {
+func (m *MockProfileService) DeleteProfile(_ context.Context, id string) error {
 	if m.DeleteProfileFn != nil {
 		return m.DeleteProfileFn(id)
 	}
@@ -1,6 +1,7 @@
 package handler

 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,11 +13,11 @@ import (

 // ProfileService defines the service interface for certificate profile operations.
 type ProfileService interface {
-	ListProfiles(page, perPage int) ([]domain.CertificateProfile, int64, error)
-	GetProfile(id string) (*domain.CertificateProfile, error)
-	CreateProfile(profile domain.CertificateProfile) (*domain.CertificateProfile, error)
-	UpdateProfile(id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error)
-	DeleteProfile(id string) error
+	ListProfiles(ctx context.Context, page, perPage int) ([]domain.CertificateProfile, int64, error)
+	GetProfile(ctx context.Context, id string) (*domain.CertificateProfile, error)
+	CreateProfile(ctx context.Context, profile domain.CertificateProfile) (*domain.CertificateProfile, error)
+	UpdateProfile(ctx context.Context, id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error)
+	DeleteProfile(ctx context.Context, id string) error
 }

 // ProfileHandler handles HTTP requests for certificate profile operations.
@@ -53,7 +54,7 @@ func (h ProfileHandler) ListProfiles(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	profiles, total, err := h.svc.ListProfiles(page, perPage)
+	profiles, total, err := h.svc.ListProfiles(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list profiles", requestID)
 		return
@@ -85,7 +86,7 @@ func (h ProfileHandler) GetProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	profile, err := h.svc.GetProfile(id)
+	profile, err := h.svc.GetProfile(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Profile not found", requestID)
 		return
@@ -120,7 +121,7 @@ func (h ProfileHandler) CreateProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	created, err := h.svc.CreateProfile(profile)
+	created, err := h.svc.CreateProfile(r.Context(), profile)
 	if err != nil {
 		// Check if it's a validation error from the service
 		if strings.Contains(err.Error(), "invalid") || strings.Contains(err.Error(), "required") ||
@@ -159,7 +160,7 @@ func (h ProfileHandler) UpdateProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	updated, err := h.svc.UpdateProfile(id, profile)
+	updated, err := h.svc.UpdateProfile(r.Context(), id, profile)
 	if err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Profile not found", requestID)
@@ -193,7 +194,7 @@ func (h ProfileHandler) DeleteProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if err := h.svc.DeleteProfile(id); err != nil {
+	if err := h.svc.DeleteProfile(r.Context(), id); err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Profile not found", requestID)
 			return
@@ -2,6 +2,7 @@ package handler

 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -13,52 +14,52 @@ import (

 // MockTargetService is a mock implementation of TargetService interface.
 type MockTargetService struct {
-	ListTargetsFn        func(page, perPage int) ([]domain.DeploymentTarget, int64, error)
-	GetTargetFn          func(id string) (*domain.DeploymentTarget, error)
-	CreateTargetFn       func(target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
-	UpdateTargetFn       func(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
-	DeleteTargetFn       func(id string) error
-	TestTargetConnectionFn func(id string) error
+	ListTargetsFn    func(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error)
+	GetTargetFn      func(ctx context.Context, id string) (*domain.DeploymentTarget, error)
+	CreateTargetFn   func(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
+	UpdateTargetFn   func(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
+	DeleteTargetFn   func(ctx context.Context, id string) error
+	TestConnectionFn func(ctx context.Context, id string) error
 }

-func (m *MockTargetService) ListTargets(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+func (m *MockTargetService) ListTargets(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 	if m.ListTargetsFn != nil {
-		return m.ListTargetsFn(page, perPage)
+		return m.ListTargetsFn(ctx, page, perPage)
 	}
 	return nil, 0, nil
 }

-func (m *MockTargetService) GetTarget(id string) (*domain.DeploymentTarget, error) {
+func (m *MockTargetService) GetTarget(ctx context.Context, id string) (*domain.DeploymentTarget, error) {
 	if m.GetTargetFn != nil {
-		return m.GetTargetFn(id)
+		return m.GetTargetFn(ctx, id)
 	}
 	return nil, nil
 }

-func (m *MockTargetService) CreateTarget(target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+func (m *MockTargetService) CreateTarget(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 	if m.CreateTargetFn != nil {
-		return m.CreateTargetFn(target)
+		return m.CreateTargetFn(ctx, target)
 	}
 	return nil, nil
 }

-func (m *MockTargetService) UpdateTarget(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+func (m *MockTargetService) UpdateTarget(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 	if m.UpdateTargetFn != nil {
-		return m.UpdateTargetFn(id, target)
+		return m.UpdateTargetFn(ctx, id, target)
 	}
 	return nil, nil
 }

-func (m *MockTargetService) DeleteTarget(id string) error {
+func (m *MockTargetService) DeleteTarget(ctx context.Context, id string) error {
 	if m.DeleteTargetFn != nil {
-		return m.DeleteTargetFn(id)
+		return m.DeleteTargetFn(ctx, id)
 	}
 	return nil
 }

-func (m *MockTargetService) TestTargetConnection(id string) error {
-	if m.TestTargetConnectionFn != nil {
-		return m.TestTargetConnectionFn(id)
+func (m *MockTargetService) TestConnection(ctx context.Context, id string) error {
+	if m.TestConnectionFn != nil {
+		return m.TestConnectionFn(ctx, id)
 	}
 	return nil
 }
@@ -85,7 +86,7 @@ func TestListTargets_Success(t *testing.T) {
 	}

 	mock := &MockTargetService{
-		ListTargetsFn: func(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+		ListTargetsFn: func(_ context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 			return []domain.DeploymentTarget{t1, t2}, 2, nil
 		},
 	}
@@ -113,7 +114,7 @@ func TestListTargets_Success(t *testing.T) {
 func TestListTargets_Pagination(t *testing.T) {
 	var capturedPage, capturedPerPage int
 	mock := &MockTargetService{
-		ListTargetsFn: func(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+		ListTargetsFn: func(_ context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 			capturedPage = page
 			capturedPerPage = perPage
 			return []domain.DeploymentTarget{}, 0, nil
@@ -137,7 +138,7 @@ func TestListTargets_Pagination(t *testing.T) {

 func TestListTargets_ServiceError(t *testing.T) {
 	mock := &MockTargetService{
-		ListTargetsFn: func(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+		ListTargetsFn: func(_ context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 			return nil, 0, ErrMockServiceFailed
 		},
 	}
@@ -169,7 +170,7 @@ func TestListTargets_MethodNotAllowed(t *testing.T) {
 func TestGetTarget_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockTargetService{
-		GetTargetFn: func(id string) (*domain.DeploymentTarget, error) {
+		GetTargetFn: func(_ context.Context, id string) (*domain.DeploymentTarget, error) {
 			return &domain.DeploymentTarget{
 				ID:        id,
 				Name:      "NGINX Proxy",
@@ -196,7 +197,7 @@ func TestGetTarget_Success(t *testing.T) {

 func TestGetTarget_NotFound(t *testing.T) {
 	mock := &MockTargetService{
-		GetTargetFn: func(id string) (*domain.DeploymentTarget, error) {
+		GetTargetFn: func(_ context.Context, id string) (*domain.DeploymentTarget, error) {
 			return nil, ErrMockNotFound
 		},
 	}
@@ -229,7 +230,7 @@ func TestGetTarget_EmptyID(t *testing.T) {
 func TestCreateTarget_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockTargetService{
-		CreateTargetFn: func(target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+		CreateTargetFn: func(_ context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 			target.ID = "t-new"
 			target.CreatedAt = now
 			target.UpdatedAt = now
@@ -342,7 +343,7 @@ func TestCreateTarget_MethodNotAllowed(t *testing.T) {
 func TestUpdateTarget_Success(t *testing.T) {
 	now := time.Now()
 	mock := &MockTargetService{
-		UpdateTargetFn: func(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+		UpdateTargetFn: func(_ context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 			return &domain.DeploymentTarget{
 				ID:        id,
 				Name:      target.Name,
@@ -375,7 +376,7 @@ func TestUpdateTarget_Success(t *testing.T) {
 func TestDeleteTarget_Success(t *testing.T) {
 	var deletedID string
 	mock := &MockTargetService{
-		DeleteTargetFn: func(id string) error {
+		DeleteTargetFn: func(_ context.Context, id string) error {
 			deletedID = id
 			return nil
 		},
@@ -398,7 +399,7 @@ func TestDeleteTarget_Success(t *testing.T) {

 func TestDeleteTarget_ServiceError(t *testing.T) {
 	mock := &MockTargetService{
-		DeleteTargetFn: func(id string) error {
+		DeleteTargetFn: func(_ context.Context, id string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -430,7 +431,7 @@ func TestDeleteTarget_EmptyID(t *testing.T) {

 func TestTestTargetConnection_Success(t *testing.T) {
 	mock := &MockTargetService{
-		TestTargetConnectionFn: func(id string) error {
+		TestConnectionFn: func(_ context.Context, id string) error {
 			return nil
 		},
 	}
@@ -457,7 +458,7 @@ func TestTestTargetConnection_Success(t *testing.T) {

 func TestTestTargetConnection_Failed(t *testing.T) {
 	mock := &MockTargetService{
-		TestTargetConnectionFn: func(id string) error {
+		TestConnectionFn: func(_ context.Context, id string) error {
 			return ErrMockServiceFailed
 		},
 	}
@@ -1,6 +1,7 @@
 package handler

 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,12 +13,12 @@ import (

 // TargetService defines the service interface for deployment target operations.
 type TargetService interface {
-	ListTargets(page, perPage int) ([]domain.DeploymentTarget, int64, error)
-	GetTarget(id string) (*domain.DeploymentTarget, error)
-	CreateTarget(target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
-	UpdateTarget(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
-	DeleteTarget(id string) error
-	TestTargetConnection(id string) error
+	ListTargets(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error)
+	GetTarget(ctx context.Context, id string) (*domain.DeploymentTarget, error)
+	CreateTarget(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
+	UpdateTarget(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error)
+	DeleteTarget(ctx context.Context, id string) error
+	TestConnection(ctx context.Context, id string) error
 }

 // TargetHandler handles HTTP requests for deployment target operations.
@@ -54,7 +55,7 @@ func (h TargetHandler) ListTargets(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	targets, total, err := h.svc.ListTargets(page, perPage)
+	targets, total, err := h.svc.ListTargets(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list targets", requestID)
 		return
@@ -86,7 +87,7 @@ func (h TargetHandler) GetTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	target, err := h.svc.GetTarget(id)
+	target, err := h.svc.GetTarget(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Target not found", requestID)
 		return
@@ -125,7 +126,7 @@ func (h TargetHandler) CreateTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	created, err := h.svc.CreateTarget(target)
+	created, err := h.svc.CreateTarget(r.Context(), target)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create target", requestID)
 		return
@@ -158,7 +159,7 @@ func (h TargetHandler) UpdateTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	updated, err := h.svc.UpdateTarget(id, target)
+	updated, err := h.svc.UpdateTarget(r.Context(), id, target)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update target", requestID)
 		return
@@ -183,7 +184,7 @@ func (h TargetHandler) DeleteTarget(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if err := h.svc.DeleteTarget(id); err != nil {
+	if err := h.svc.DeleteTarget(r.Context(), id); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to delete target", requestID)
 		return
 	}
@@ -210,7 +211,7 @@ func (h TargetHandler) TestTargetConnection(w http.ResponseWriter, r *http.Reque
 	}
 	id := parts[0]

-	if err := h.svc.TestTargetConnection(id); err != nil {
+	if err := h.svc.TestConnection(r.Context(), id); err != nil {
 		JSON(w, http.StatusOK, map[string]interface{}{
 			"status":  "failed",
 			"message": err.Error(),
@@ -2,6 +2,7 @@ package handler

 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -20,35 +21,35 @@ type MockTeamService struct {
 	DeleteTeamFn func(id string) error
 }

-func (m *MockTeamService) ListTeams(page, perPage int) ([]domain.Team, int64, error) {
+func (m *MockTeamService) ListTeams(_ context.Context, page, perPage int) ([]domain.Team, int64, error) {
 	if m.ListTeamsFn != nil {
 		return m.ListTeamsFn(page, perPage)
 	}
 	return nil, 0, nil
 }

-func (m *MockTeamService) GetTeam(id string) (*domain.Team, error) {
+func (m *MockTeamService) GetTeam(_ context.Context, id string) (*domain.Team, error) {
 	if m.GetTeamFn != nil {
 		return m.GetTeamFn(id)
 	}
 	return nil, nil
 }

-func (m *MockTeamService) CreateTeam(team domain.Team) (*domain.Team, error) {
+func (m *MockTeamService) CreateTeam(_ context.Context, team domain.Team) (*domain.Team, error) {
 	if m.CreateTeamFn != nil {
 		return m.CreateTeamFn(team)
 	}
 	return nil, nil
 }

-func (m *MockTeamService) UpdateTeam(id string, team domain.Team) (*domain.Team, error) {
+func (m *MockTeamService) UpdateTeam(_ context.Context, id string, team domain.Team) (*domain.Team, error) {
 	if m.UpdateTeamFn != nil {
 		return m.UpdateTeamFn(id, team)
 	}
 	return nil, nil
 }

-func (m *MockTeamService) DeleteTeam(id string) error {
+func (m *MockTeamService) DeleteTeam(_ context.Context, id string) error {
 	if m.DeleteTeamFn != nil {
 		return m.DeleteTeamFn(id)
 	}
@@ -1,6 +1,7 @@
 package handler

 import (
+	"context"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -12,11 +13,11 @@ import (

 // TeamService defines the service interface for team operations.
 type TeamService interface {
-	ListTeams(page, perPage int) ([]domain.Team, int64, error)
-	GetTeam(id string) (*domain.Team, error)
-	CreateTeam(team domain.Team) (*domain.Team, error)
-	UpdateTeam(id string, team domain.Team) (*domain.Team, error)
-	DeleteTeam(id string) error
+	ListTeams(ctx context.Context, page, perPage int) ([]domain.Team, int64, error)
+	GetTeam(ctx context.Context, id string) (*domain.Team, error)
+	CreateTeam(ctx context.Context, team domain.Team) (*domain.Team, error)
+	UpdateTeam(ctx context.Context, id string, team domain.Team) (*domain.Team, error)
+	DeleteTeam(ctx context.Context, id string) error
 }

 // TeamHandler handles HTTP requests for team operations.
@@ -53,7 +54,7 @@ func (h TeamHandler) ListTeams(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	teams, total, err := h.svc.ListTeams(page, perPage)
+	teams, total, err := h.svc.ListTeams(r.Context(), page, perPage)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list teams", requestID)
 		return
@@ -87,7 +88,7 @@ func (h TeamHandler) GetTeam(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]

-	team, err := h.svc.GetTeam(id)
+	team, err := h.svc.GetTeam(r.Context(), id)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusNotFound, "Team not found", requestID)
 		return
@@ -122,7 +123,7 @@ func (h TeamHandler) CreateTeam(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	created, err := h.svc.CreateTeam(team)
+	created, err := h.svc.CreateTeam(r.Context(), team)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to create team", requestID)
 		return
@@ -155,7 +156,7 @@ func (h TeamHandler) UpdateTeam(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	updated, err := h.svc.UpdateTeam(id, team)
+	updated, err := h.svc.UpdateTeam(r.Context(), id, team)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to update team", requestID)
 		return
@@ -182,7 +183,7 @@ func (h TeamHandler) DeleteTeam(w http.ResponseWriter, r *http.Request) {
 	}
 	id = parts[0]

-	if err := h.svc.DeleteTeam(id); err != nil {
+	if err := h.svc.DeleteTeam(r.Context(), id); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to delete team", requestID)
 		return
 	}
@@ -4,16 +4,22 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"io"
 	"log/slog"
 	"net/http"
 	"strings"
+	"sync"
 	"time"
 )

 // AuditRecorder is the interface that the audit middleware uses to record API calls.
 // This avoids importing the service package directly, maintaining dependency inversion.
+//
+// Implementations may perform I/O (e.g., database writes). The middleware invokes
+// RecordAPICall from a tracked goroutine so that callers can drain in-flight
+// recordings during graceful shutdown via AuditMiddleware.Flush.
 type AuditRecorder interface {
 	RecordAPICall(ctx context.Context, method, path, actor string, bodyHash string, status int, latencyMs int64) error
 }
@@ -26,10 +32,42 @@ type AuditConfig struct {
 	Logger *slog.Logger
 }

-// NewAuditLog creates a middleware that records every API call to the audit trail.
-// It captures method, path, authenticated actor, request body hash, response status, and latency.
-// Audit recording is best-effort — failures are logged but don't affect the HTTP response.
-func NewAuditLog(recorder AuditRecorder, cfg AuditConfig) func(http.Handler) http.Handler {
+// ErrAuditFlushTimeout is returned by AuditMiddleware.Flush when in-flight audit
+// recordings do not complete before the provided context is cancelled or its
+// deadline elapses. It mirrors scheduler.ErrSchedulerShutdownTimeout so callers
+// can branch on graceful-shutdown timeouts consistently across subsystems.
+var ErrAuditFlushTimeout = errors.New("audit middleware flush timeout")
+
+// AuditMiddleware is the handle returned by NewAuditLog. It wraps the audit
+// logging HTTP middleware and tracks the goroutines spawned to record each API
+// call, so that callers can drain them during graceful shutdown (M-1, CWE-662
+// / CWE-400). The goroutines themselves still run detached from the request
+// context — the shutdown-drain signal flows through this struct's WaitGroup
+// instead of the per-request context.
+type AuditMiddleware struct {
+	recorder   AuditRecorder
+	logger     *slog.Logger
+	excludeSet map[string]bool
+
+	// wg tracks every audit-recording goroutine spawned by Middleware so Flush
+	// can block until they complete before the DB pool is torn down.
+	wg sync.WaitGroup
+}
+
+// NewAuditLog constructs the API audit logging middleware. The returned
+// *AuditMiddleware exposes the HTTP middleware via the Middleware method value
+// (same func(http.Handler) http.Handler shape) and a Flush method that the
+// process shutdown path must call after the HTTP server has stopped accepting
+// new requests but before the audit recorder's backing store (e.g., the
+// database connection pool) is closed.
+//
+// The middleware records method, path, authenticated actor, request body hash,
+// response status, and latency. Recording is best-effort — individual failures
+// are logged and do not affect the HTTP response. Shutdown is NOT best-effort:
+// Flush must succeed (or time out, returning ErrAuditFlushTimeout) so that
+// in-flight events are not lost when the audit recorder's connection pool is
+// closed out from under the goroutines.
+func NewAuditLog(recorder AuditRecorder, cfg AuditConfig) *AuditMiddleware {
 	excludeSet := make(map[string]bool, len(cfg.ExcludePaths))
 	for _, p := range cfg.ExcludePaths {
 		excludeSet[p] = true
@@ -40,68 +78,131 @@ func NewAuditLog(recorder AuditRecorder, cfg AuditConfig) func(http.Handler) htt
 		logger = slog.Default()
 	}

-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// Skip excluded paths (health, readiness probes)
-			for prefix := range excludeSet {
-				if strings.HasPrefix(r.URL.Path, prefix) {
-					next.ServeHTTP(w, r)
-					return
-				}
+	return &AuditMiddleware{
+		recorder:   recorder,
+		logger:     logger,
+		excludeSet: excludeSet,
+	}
+}
+
+// Middleware is the http.Handler wrapper. It has the standard
+// func(http.Handler) http.Handler middleware signature so it can be composed
+// into an existing middleware chain via a method value (auditMiddleware.Middleware).
+func (a *AuditMiddleware) Middleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Skip excluded paths (health, readiness probes)
+		for prefix := range a.excludeSet {
+			if strings.HasPrefix(r.URL.Path, prefix) {
+				next.ServeHTTP(w, r)
+				return
 			}
+		}

-			start := time.Now()
+		start := time.Now()

-			// Hash request body for audit (don't store raw bodies — security + size concerns)
-			bodyHash := ""
-			if r.Body != nil && r.Body != http.NoBody {
-				hasher := sha256.New()
-				body, err := io.ReadAll(r.Body)
-				if err == nil && len(body) > 0 {
-					hasher.Write(body)
-					bodyHash = hex.EncodeToString(hasher.Sum(nil))[:16] // truncated hash
-					// Restore the body for downstream handlers
-					r.Body = io.NopCloser(strings.NewReader(string(body)))
-				}
+		// Hash request body for audit (don't store raw bodies — security + size concerns)
+		bodyHash := ""
+		if r.Body != nil && r.Body != http.NoBody {
+			hasher := sha256.New()
+			body, err := io.ReadAll(r.Body)
+			if err == nil && len(body) > 0 {
+				hasher.Write(body)
+				bodyHash = hex.EncodeToString(hasher.Sum(nil))[:16] // truncated hash
+				// Restore the body for downstream handlers
+				r.Body = io.NopCloser(strings.NewReader(string(body)))
 			}
+		}

-			// Extract actor from auth context
-			actor := "anonymous"
-			if user, ok := GetUser(r.Context()); ok && user != "" {
-				actor = user
+		// Extract actor from auth context
+		actor := "anonymous"
+		if user, ok := GetUser(r.Context()); ok && user != "" {
+			actor = user
+		}
+
+		// Wrap response writer to capture status code
+		wrapped := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
+
+		next.ServeHTTP(wrapped, r)
+
+		latency := time.Since(start).Milliseconds()
+
+		// Snapshot request-derived inputs so the goroutine does not race with
+		// the http.Server reusing r after this handler returns.
+		method := r.Method
+		path := r.URL.Path
+		status := wrapped.statusCode
+
+		// Derive a detached context that preserves request-scoped values
+		// (trace IDs, auth info carried via context keys) but is not cancelled
+		// when the HTTP server finalizes the request. Using r.Context()
+		// directly would cause the async audit write to observe ctx.Done()
+		// as soon as the response completes; using context.Background() would
+		// discard useful observability metadata. WithoutCancel gives us both
+		// (M-2 / D-3).
+		auditCtx := context.WithoutCancel(r.Context())
+
+		// Record audit event asynchronously (best-effort, don't block response).
+		// SECURITY: We intentionally use r.URL.Path (not r.URL.String() or r.RequestURI)
+		// to prevent query parameters from being recorded in the immutable audit trail.
+		// Query strings may contain cursor tokens, API keys passed as params, or other
+		// sensitive filter values. Since the audit trail is append-only with no deletion
+		// capability, any sensitive data recorded would persist permanently.
+		//
+		// The goroutine is tracked in a.wg so AuditMiddleware.Flush can drain
+		// in-flight recordings during graceful shutdown. Without this (M-1,
+		// CWE-662 / CWE-400), SIGTERM would close the DB pool while recordings
+		// were still mid-flight, silently dropping audit events.
+		a.wg.Add(1)
+		go func() {
+			defer a.wg.Done()
+			if err := a.recorder.RecordAPICall(
+				auditCtx,
+				method,
+				path,
+				actor,
+				bodyHash,
+				status,
+				latency,
+			); err != nil {
+				a.logger.Error("failed to record API audit event",
+					"error", err,
+					"method", method,
+					"path", path,
+				)
 			}
+		}()
+	})
+}

-			// Wrap response writer to capture status code
-			wrapped := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
+// Flush blocks until every audit-recording goroutine spawned by Middleware has
+// completed, or until ctx is cancelled / its deadline elapses. It must be
+// called from the process shutdown path after http.Server.Shutdown has
+// returned (so no new requests are being accepted) but before the backing
+// audit recorder's resources (DB pool, etc.) are torn down.
+//
+// On timeout or cancellation Flush returns ErrAuditFlushTimeout wrapped with
+// any context error; in-flight goroutines continue to run and may still write
+// to the recorder once they unblock — the caller is responsible for deciding
+// whether to proceed with teardown anyway or surface the error.
+//
+// Flush mirrors the idiom used by scheduler.Scheduler.WaitForCompletion so
+// that the two subsystems drain identically at shutdown.
+func (a *AuditMiddleware) Flush(ctx context.Context) error {
+	done := make(chan struct{})
+	go func() {
+		a.wg.Wait()
+		close(done)
+	}()

-			next.ServeHTTP(wrapped, r)
-
-			latency := time.Since(start).Milliseconds()
-
-			// Record audit event asynchronously (best-effort, don't block response).
-			// SECURITY: We intentionally use r.URL.Path (not r.URL.String() or r.RequestURI)
-			// to prevent query parameters from being recorded in the immutable audit trail.
-			// Query strings may contain cursor tokens, API keys passed as params, or other
-			// sensitive filter values. Since the audit trail is append-only with no deletion
-			// capability, any sensitive data recorded would persist permanently.
-			go func() {
-				if err := recorder.RecordAPICall(
-					context.Background(),
-					r.Method,
-					r.URL.Path,
-					actor,
-					bodyHash,
-					wrapped.statusCode,
-					latency,
-				); err != nil {
-					logger.Error("failed to record API audit event",
-						"error", err,
-						"method", r.Method,
-						"path", r.URL.Path,
-					)
-				}
-			}()
-		})
+	select {
+	case <-done:
+		a.logger.Info("audit middleware flush complete")
+		return nil
+	case <-ctx.Done():
+		a.logger.Warn("audit middleware flush did not complete before context cancellation",
+			"error", ctx.Err(),
+		)
+		return fmt.Errorf("%w: %w", ErrAuditFlushTimeout, ctx.Err())
 	}
 }

@@ -2,6 +2,7 @@ package middleware

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -16,7 +17,8 @@ import (
 type mockAuditRecorder struct {
 	mu      sync.Mutex
 	calls   []auditCall
-	err     error // if non-nil, RecordAPICall returns this
+	err     error         // if non-nil, RecordAPICall returns this
+	block   chan struct{} // if non-nil, RecordAPICall blocks on receive before returning
 }

 type auditCall struct {
@@ -29,6 +31,13 @@ type auditCall struct {
 }

 func (m *mockAuditRecorder) RecordAPICall(ctx context.Context, method, path, actor, bodyHash string, status int, latencyMs int64) error {
+	// Optional: block the recorder until a signal is received so tests can
+	// exercise the shutdown-drain path deterministically. The block happens
+	// before any state mutation so Flush-timeout tests see the call
+	// "in-flight" (wg counter > 0) with no recorded entries yet.
+	if m.block != nil {
+		<-m.block
+	}
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.calls = append(m.calls, auditCall{
@@ -90,7 +99,7 @@ func (w *waitableAuditRecorder) Wait(timeout time.Duration) bool {

 func TestAuditLog_RecordsAPICall(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware

 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -130,7 +139,7 @@ func TestAuditLog_RecordsAPICall(t *testing.T) {

 func TestAuditLog_CapturesStatusCode(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware

 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusNotFound)
@@ -157,7 +166,7 @@ func TestAuditLog_ExcludesHealth(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
 	mw := NewAuditLog(recorder, AuditConfig{
 		ExcludePaths: []string{"/health", "/ready"},
-	})
+	}).Middleware

 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -193,7 +202,7 @@ func TestAuditLog_ExcludesHealth(t *testing.T) {

 func TestAuditLog_HashesRequestBody(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware

 	// Handler verifies body was restored
 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -228,7 +237,7 @@ func TestAuditLog_HashesRequestBody(t *testing.T) {

 func TestAuditLog_EmptyBodyNoHash(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware

 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -253,7 +262,7 @@ func TestAuditLog_EmptyBodyNoHash(t *testing.T) {

 func TestAuditLog_ExtractsAuthenticatedActor(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware

 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -285,7 +294,7 @@ func TestAuditLog_ExtractsAuthenticatedActor(t *testing.T) {

 func TestAuditLog_RecorderErrorDoesNotBreakResponse(t *testing.T) {
 	recorder := &mockAuditRecorder{err: fmt.Errorf("db connection lost")}
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware

 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -304,7 +313,7 @@ func TestAuditLog_RecorderErrorDoesNotBreakResponse(t *testing.T) {

 func TestAuditLog_CapturesLatency(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware

 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		time.Sleep(10 * time.Millisecond)
@@ -330,7 +339,7 @@ func TestAuditLog_CapturesLatency(t *testing.T) {

 func TestAuditLog_ExcludesQueryParamsFromPath(t *testing.T) {
 	recorder := newWaitableAuditRecorder()
-	mw := NewAuditLog(recorder, AuditConfig{})
+	mw := NewAuditLog(recorder, AuditConfig{}).Middleware

 	handler := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -429,3 +438,112 @@ func TestAuditServiceAdapter_PropagatesError(t *testing.T) {
 		t.Errorf("expected database error, got %v", err)
 	}
 }
+
+// TestAuditLog_FlushDrainsInFlightGoroutines verifies the M-1 shutdown-drain
+// contract: Flush blocks until every audit-recording goroutine spawned by the
+// middleware completes, then returns nil. Without the drain (pre-M-1 code),
+// the DB pool would be closed while in-flight goroutines were still calling
+// RecordAPICall, silently dropping audit events (CWE-662 / CWE-400).
+func TestAuditLog_FlushDrainsInFlightGoroutines(t *testing.T) {
+	// Recorder blocks on `unblock` until the test releases it. This simulates
+	// a slow DB write still in flight when shutdown begins.
+	unblock := make(chan struct{})
+	recorder := &mockAuditRecorder{block: unblock}
+	auditMW := NewAuditLog(recorder, AuditConfig{})
+
+	handler := auditMW.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Fire a request. Handler returns immediately; recorder goroutine is
+	// parked on the `unblock` channel inside RecordAPICall.
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates", nil)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	// Start Flush in a goroutine — it must block on the WaitGroup until we
+	// release the recorder.
+	flushDone := make(chan error, 1)
+	go func() {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		flushDone <- auditMW.Flush(ctx)
+	}()
+
+	// Confirm Flush is actually blocked (not returning immediately).
+	select {
+	case err := <-flushDone:
+		t.Fatalf("Flush returned before recorder unblocked: err=%v", err)
+	case <-time.After(50 * time.Millisecond):
+		// expected: Flush is blocked on wg.Wait
+	}
+
+	// Release the recorder. Flush should now observe wg counter drop to 0
+	// and return nil.
+	close(unblock)
+
+	select {
+	case err := <-flushDone:
+		if err != nil {
+			t.Fatalf("expected nil from Flush after drain, got %v", err)
+		}
+	case <-time.After(2 * time.Second):
+		t.Fatal("Flush did not return after recorder unblocked")
+	}
+
+	// Verify the audit event was actually recorded (i.e., the goroutine
+	// completed its write — not just that Flush unblocked).
+	calls := recorder.getCalls()
+	if len(calls) != 1 {
+		t.Fatalf("expected 1 recorded audit call, got %d", len(calls))
+	}
+	if calls[0].Path != "/api/v1/certificates" {
+		t.Errorf("expected path /api/v1/certificates, got %s", calls[0].Path)
+	}
+}
+
+// TestAuditLog_FlushTimeoutReturnsErrAuditFlushTimeout verifies that Flush
+// respects its context: when in-flight goroutines exceed the shutdown budget,
+// Flush returns an error wrapping ErrAuditFlushTimeout plus ctx.Err(). The
+// caller can then decide whether to proceed with teardown anyway.
+func TestAuditLog_FlushTimeoutReturnsErrAuditFlushTimeout(t *testing.T) {
+	// Recorder will never unblock on its own — we unblock at end of test for
+	// a clean race-safe teardown.
+	unblock := make(chan struct{})
+	recorder := &mockAuditRecorder{block: unblock}
+	auditMW := NewAuditLog(recorder, AuditConfig{})
+
+	handler := auditMW.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates", nil)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	// Flush with a tiny deadline — must time out.
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Millisecond)
+	defer cancel()
+	err := auditMW.Flush(ctx)
+
+	if err == nil {
+		// Release the blocked goroutine before failing so the race detector
+		// doesn't trip on teardown.
+		close(unblock)
+		t.Fatal("expected Flush to return an error on timeout, got nil")
+	}
+	if !errors.Is(err, ErrAuditFlushTimeout) {
+		close(unblock)
+		t.Fatalf("expected error to wrap ErrAuditFlushTimeout, got %v", err)
+	}
+	if !errors.Is(err, context.DeadlineExceeded) {
+		close(unblock)
+		t.Fatalf("expected error to wrap context.DeadlineExceeded, got %v", err)
+	}
+
+	// Race-safe teardown: unblock the recorder goroutine so it exits cleanly
+	// before the test returns. The goroutine itself is still detached and
+	// will record to the mock even after Flush timed out — that's the
+	// documented behavior (Flush surfaces the timeout; caller decides).
+	close(unblock)
+}
@@ -5,6 +5,7 @@ import (
 	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/hex"
+	"fmt"
 	"log"
 	"log/slog"
 	"net/http"
@@ -78,10 +79,17 @@ func NewLogging(logger *slog.Logger) func(http.Handler) http.Handler {
 // Recovery middleware recovers from panics and returns a 500 error.
 func Recovery(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
 		defer func() {
 			if err := recover(); err != nil {
-				requestID := getRequestID(r.Context())
-				log.Printf("[%s] PANIC: %v", requestID, err)
+				requestID := getRequestID(ctx)
+				// Use slog.ErrorContext so the panic log carries the same
+				// request-scoped trace/auth metadata as normal request logs
+				// (M-2 / D-3 — preserve ctx propagation on the panic path).
+				slog.ErrorContext(ctx, "panic recovered in HTTP handler",
+					"request_id", requestID,
+					"panic", fmt.Sprintf("%v", err),
+				)
 				http.Error(w, `{"error":"Internal Server Error"}`, http.StatusInternalServerError)
 			}
 		}()
@@ -116,6 +116,14 @@ type GlobalSignConfig struct {
 	// ClientKeyPath is the path to the mTLS client private key PEM file.
 	// Setting: CERTCTL_GLOBALSIGN_CLIENT_KEY_PATH environment variable.
 	ClientKeyPath string
+
+	// ServerCAPath is the optional path to a PEM file containing the CA
+	// certificate(s) used to verify the GlobalSign Atlas HVCA API server
+	// certificate. If empty, the system trust store is used. Set this
+	// for private/lab Atlas deployments whose server TLS chain is not
+	// present in the host's default trust bundle.
+	// Setting: CERTCTL_GLOBALSIGN_SERVER_CA_PATH environment variable.
+	ServerCAPath string
 }

 // EJBCAConfig contains EJBCA (Keyfactor) issuer connector configuration.
@@ -641,7 +649,12 @@ type SCEPConfig struct {

 	// ChallengePassword is the shared secret used to authenticate SCEP enrollment requests.
 	// Clients include this in the PKCS#10 CSR challengePassword attribute.
-	// Required when SCEP is enabled.
+	//
+	// REQUIRED when Enabled is true. If SCEP is enabled and this value is empty,
+	// cmd/server/main.go's preflightSCEPChallengePassword check will refuse to
+	// start the server (H-2, CWE-306): an empty shared secret allowed any client
+	// that could reach /scep to enroll a CSR against the configured issuer. The
+	// service-layer PKCSReq path also rejects this configuration defense-in-depth.
 	ChallengePassword string
 }

@@ -882,6 +895,7 @@ func Load() (*Config, error) {
 			APISecret:      getEnv("CERTCTL_GLOBALSIGN_API_SECRET", ""),
 			ClientCertPath: getEnv("CERTCTL_GLOBALSIGN_CLIENT_CERT_PATH", ""),
 			ClientKeyPath:  getEnv("CERTCTL_GLOBALSIGN_CLIENT_KEY_PATH", ""),
+			ServerCAPath:   getEnv("CERTCTL_GLOBALSIGN_SERVER_CA_PATH", ""),
 		},
 		EJBCA: EJBCAConfig{
 			APIUrl:         getEnv("CERTCTL_EJBCA_API_URL", ""),
@@ -547,7 +547,11 @@ func (c *Connector) solveAuthorizationsHTTP01(ctx context.Context, authzURLs []s
 		return fmt.Errorf("failed to start challenge server: %w", err)
 	}
 	defer func() {
-		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		// Derive the challenge-server shutdown context from the parent ctx so
+		// values (trace IDs, deadlines) propagate, but detach from its
+		// cancellation so Shutdown always gets its full budget even when the
+		// parent was cancelled (M-2 / D-3).
+		shutdownCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 5*time.Second)
 		defer cancel()
 		_ = srv.Shutdown(shutdownCtx)
 		c.logger.Debug("challenge server stopped")
@@ -34,6 +34,7 @@ import (
 	"io"
 	"log/slog"
 	"net/http"
+	"os"
 	"strings"
 	"time"

@@ -64,6 +65,14 @@ type Config struct {
 	// Must match the certificate in ClientCertPath.
 	// Required. Set via CERTCTL_GLOBALSIGN_CLIENT_KEY_PATH environment variable.
 	ClientKeyPath string `json:"client_key_path"`
+
+	// ServerCAPath is the filesystem path to a PEM file containing the CA
+	// certificate(s) used to verify the GlobalSign Atlas HVCA API server certificate.
+	// Optional. If empty, the system trust store is used. This option exists for
+	// private/lab deployments of GlobalSign Atlas that terminate TLS with an
+	// internal CA not present in the host's default trust bundle.
+	// Set via CERTCTL_GLOBALSIGN_SERVER_CA_PATH environment variable.
+	ServerCAPath string `json:"server_ca_path,omitempty"`
 }

 // Connector implements the issuer.Connector interface for GlobalSign Atlas HVCA.
@@ -153,14 +162,12 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 		return fmt.Errorf("failed to load GlobalSign client certificate: %w", err)
 	}

-	// Create an mTLS client for validation
-	tlsConfig := &tls.Config{
-		Certificates: []tls.Certificate{cert},
-		// InsecureSkipVerify=true allows testing against self-signed server certs.
-		// In production, GlobalSign's API uses a proper certificate chain.
-		// This matches the pattern used by other connectors (F5, network scanner, etc.)
-		// that also need to bypass hostname verification for internal/lab environments.
-		InsecureSkipVerify: true,
+	// Build a verifying mTLS TLS config. If ServerCAPath is set, that PEM
+	// bundle is used as the trust anchor for the server certificate;
+	// otherwise the system trust store is used. TLS 1.2 is the minimum.
+	tlsConfig, err := buildServerTLSConfig(&cfg, cert)
+	if err != nil {
+		return fmt.Errorf("failed to build GlobalSign TLS config: %w", err)
 	}

 	validationClient := &http.Client{
@@ -225,9 +232,9 @@ func (c *Connector) getHTTPClient(ctx context.Context) (*http.Client, error) {
 		return nil, fmt.Errorf("failed to load GlobalSign client certificate: %w", err)
 	}

-	tlsConfig := &tls.Config{
-		Certificates:       []tls.Certificate{cert},
-		InsecureSkipVerify: true,
+	tlsConfig, err := buildServerTLSConfig(c.config, cert)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build GlobalSign TLS config: %w", err)
 	}

 	return &http.Client{
@@ -238,6 +245,38 @@ func (c *Connector) getHTTPClient(ctx context.Context) (*http.Client, error) {
 	}, nil
 }

+// buildServerTLSConfig returns a TLS configuration for the GlobalSign Atlas
+// HVCA API client. It always verifies the server certificate. When
+// cfg.ServerCAPath is set, the PEM bundle at that path is used as the
+// trust anchor (enables pinning a private/lab CA); otherwise the host's
+// system trust store is used. TLS 1.2 is the minimum protocol version.
+//
+// This helper is the single source of truth for both the ValidateConfig
+// probe client and the steady-state getHTTPClient production client, so
+// any future TLS policy change applies uniformly.
+func buildServerTLSConfig(cfg *Config, clientCert tls.Certificate) (*tls.Config, error) {
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{clientCert},
+		MinVersion:   tls.VersionTLS12,
+	}
+
+	if cfg.ServerCAPath != "" {
+		caPEM, err := os.ReadFile(cfg.ServerCAPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read server CA bundle at %s: %w", cfg.ServerCAPath, err)
+		}
+
+		pool := x509.NewCertPool()
+		if !pool.AppendCertsFromPEM(caPEM) {
+			return nil, fmt.Errorf("no valid PEM certificates found in server CA bundle at %s", cfg.ServerCAPath)
+		}
+
+		tlsConfig.RootCAs = pool
+	}
+
+	return tlsConfig, nil
+}
+
 // IssueCertificate submits a certificate order to GlobalSign Atlas HVCA.
 // Returns the serial number immediately; typically the cert is available within seconds (DV) to minutes (OV).
 func (c *Connector) IssueCertificate(ctx context.Context, request issuer.IssuanceRequest) (*issuer.IssuanceResult, error) {
@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/json"
@@ -161,11 +160,7 @@ func TestGlobalSignConnector(t *testing.T) {
 		testCertPEM, _ := generateTestCert(t)
 		testChainPEM, _ := generateTestCert(t)

-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}

 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodPost {
@@ -223,11 +218,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})

 	t.Run("IssueCertificate_Pending", func(t *testing.T) {
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}

 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodPost {
@@ -271,11 +262,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})

 	t.Run("IssueCertificate_Error", func(t *testing.T) {
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}

 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodPost {
@@ -312,11 +299,7 @@ func TestGlobalSignConnector(t *testing.T) {
 		testCertPEM, _ := generateTestCert(t)
 		testChainPEM, _ := generateTestCert(t)

-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}

 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if strings.HasPrefix(r.URL.Path, "/v2/certificates/12345") && r.Method == http.MethodGet {
@@ -356,11 +339,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})

 	t.Run("GetOrderStatus_Pending", func(t *testing.T) {
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}

 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if strings.HasPrefix(r.URL.Path, "/v2/certificates/98765") && r.Method == http.MethodGet {
@@ -401,11 +380,7 @@ func TestGlobalSignConnector(t *testing.T) {
 		testCertPEM, _ := generateTestCert(t)
 		testChainPEM, _ := generateTestCert(t)

-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}

 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodPost {
@@ -448,11 +423,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})

 	t.Run("RevokeCertificate_Success", func(t *testing.T) {
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}

 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if strings.HasPrefix(r.URL.Path, "/v2/certificates/") && strings.HasSuffix(r.URL.Path, "/revoke") && r.Method == http.MethodPut {
@@ -492,11 +463,7 @@ func TestGlobalSignConnector(t *testing.T) {
 	})

 	t.Run("RevokeCertificate_Error", func(t *testing.T) {
-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}

 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if strings.HasPrefix(r.URL.Path, "/v2/certificates/") && strings.HasSuffix(r.URL.Path, "/revoke") && r.Method == http.MethodPut {
@@ -532,11 +499,7 @@ func TestGlobalSignConnector(t *testing.T) {
 		testChainPEM, _ := generateTestCert(t)
 		authHeadersChecked := 0

-		httpClient := &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
+		httpClient := &http.Client{}

 		mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Check for auth headers on every request
@@ -584,6 +547,177 @@ func TestGlobalSignConnector(t *testing.T) {
 	})
 }

+// TestGlobalSign_ServerTLSConfig exercises the server-side TLS verification
+// policy added by H-5. The connector must always verify the GlobalSign Atlas
+// HVCA API server certificate: by default against the host's system trust
+// store, and when ServerCAPath is set, against the pinned PEM bundle at that
+// path. InsecureSkipVerify is no longer reachable from any production code path.
+func TestGlobalSign_ServerTLSConfig(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	// writeClientMTLS generates a throwaway client cert+key pair and writes them
+	// to disk. ValidateConfig requires valid ClientCertPath / ClientKeyPath files
+	// before it reaches the server-CA validation path under test.
+	writeClientMTLS := func(t *testing.T) (certPath, keyPath string) {
+		t.Helper()
+		certPEM, keyPEM := generateTestCert(t)
+		dir := t.TempDir()
+		certPath = dir + "/client-cert.pem"
+		keyPath = dir + "/client-key.pem"
+		if err := os.WriteFile(certPath, []byte(certPEM), 0600); err != nil {
+			t.Fatalf("failed to write client cert: %v", err)
+		}
+		if err := os.WriteFile(keyPath, []byte(keyPEM), 0600); err != nil {
+			t.Fatalf("failed to write client key: %v", err)
+		}
+		return certPath, keyPath
+	}
+
+	// certToPEM re-encodes a parsed certificate as a PEM block for trust-store
+	// pinning. httptest.NewTLSServer.Certificate() returns the server's self-
+	// signed cert; pinning that cert trusts exactly that one server.
+	certToPEM := func(t *testing.T, cert *x509.Certificate) string {
+		t.Helper()
+		return string(pem.EncodeToMemory(&pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: cert.Raw,
+		}))
+	}
+
+	t.Run("PinnedCA_TrustsExpectedServer", func(t *testing.T) {
+		// Mock Atlas API served over HTTPS with a self-signed cert. We pin
+		// that cert's PEM as the client's trust anchor; the validation probe
+		// should succeed because the pinned pool contains the server's issuer.
+		srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path == "/v2/certificates" && r.Method == http.MethodGet {
+				if r.Header.Get("ApiKey") == "gs-test-key" && r.Header.Get("ApiSecret") == "gs-test-secret" {
+					w.WriteHeader(http.StatusOK)
+					w.Write([]byte(`{"certificates":[]}`))
+					return
+				}
+				w.WriteHeader(http.StatusForbidden)
+				return
+			}
+			http.NotFound(w, r)
+		}))
+		defer srv.Close()
+
+		caPEM := certToPEM(t, srv.Certificate())
+		caPath := t.TempDir() + "/atlas-ca.pem"
+		if err := os.WriteFile(caPath, []byte(caPEM), 0600); err != nil {
+			t.Fatalf("failed to write pinned CA: %v", err)
+		}
+
+		clientCert, clientKey := writeClientMTLS(t)
+		config := globalsign.Config{
+			APIUrl:         srv.URL,
+			APIKey:         "gs-test-key",
+			APISecret:      "gs-test-secret",
+			ClientCertPath: clientCert,
+			ClientKeyPath:  clientKey,
+			ServerCAPath:   caPath,
+		}
+
+		connector := globalsign.New(&config, logger)
+		rawConfig, _ := json.Marshal(config)
+		if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
+			t.Fatalf("ValidateConfig with pinned CA should succeed, got: %v", err)
+		}
+	})
+
+	t.Run("PinnedCA_RejectsUntrustedServer", func(t *testing.T) {
+		// Mock server presents its own self-signed cert; we pin an UNRELATED
+		// cert as the trust anchor. The TLS handshake must fail before any
+		// request is sent — this is exactly what H-5 remediates.
+		srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		}))
+		defer srv.Close()
+
+		unrelatedPEM, _ := generateTestCert(t)
+		caPath := t.TempDir() + "/unrelated-ca.pem"
+		if err := os.WriteFile(caPath, []byte(unrelatedPEM), 0600); err != nil {
+			t.Fatalf("failed to write unrelated CA: %v", err)
+		}
+
+		clientCert, clientKey := writeClientMTLS(t)
+		config := globalsign.Config{
+			APIUrl:         srv.URL,
+			APIKey:         "gs-test-key",
+			APISecret:      "gs-test-secret",
+			ClientCertPath: clientCert,
+			ClientKeyPath:  clientKey,
+			ServerCAPath:   caPath,
+		}
+
+		connector := globalsign.New(&config, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("ValidateConfig must fail when the server cert is not signed by the pinned CA")
+		}
+		// The failure must originate from TLS verification, not from any other path.
+		if !strings.Contains(err.Error(), "x509") &&
+			!strings.Contains(err.Error(), "certificate") &&
+			!strings.Contains(err.Error(), "unknown authority") {
+			t.Errorf("expected TLS verification error, got: %v", err)
+		}
+		t.Logf("Untrusted server cert correctly rejected: %v", err)
+	})
+
+	t.Run("ServerCAPath_MissingFile", func(t *testing.T) {
+		clientCert, clientKey := writeClientMTLS(t)
+		config := globalsign.Config{
+			APIUrl:         "https://example.invalid",
+			APIKey:         "gs-test-key",
+			APISecret:      "gs-test-secret",
+			ClientCertPath: clientCert,
+			ClientKeyPath:  clientKey,
+			ServerCAPath:   "/nonexistent/path/to/ca.pem",
+		}
+
+		connector := globalsign.New(&config, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("ValidateConfig must fail when ServerCAPath points to a missing file")
+		}
+		if !strings.Contains(err.Error(), "failed to read server CA bundle") {
+			t.Errorf("expected 'failed to read server CA bundle' error, got: %v", err)
+		}
+		t.Logf("Missing server CA file correctly rejected: %v", err)
+	})
+
+	t.Run("ServerCAPath_InvalidPEM", func(t *testing.T) {
+		clientCert, clientKey := writeClientMTLS(t)
+		badCAPath := t.TempDir() + "/garbage.pem"
+		if err := os.WriteFile(badCAPath, []byte("this is not a PEM certificate at all"), 0600); err != nil {
+			t.Fatalf("failed to write garbage file: %v", err)
+		}
+
+		config := globalsign.Config{
+			APIUrl:         "https://example.invalid",
+			APIKey:         "gs-test-key",
+			APISecret:      "gs-test-secret",
+			ClientCertPath: clientCert,
+			ClientKeyPath:  clientKey,
+			ServerCAPath:   badCAPath,
+		}
+
+		connector := globalsign.New(&config, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("ValidateConfig must fail when ServerCAPath contains no valid PEM certificates")
+		}
+		if !strings.Contains(err.Error(), "no valid PEM certificates") {
+			t.Errorf("expected 'no valid PEM certificates' error, got: %v", err)
+		}
+		t.Logf("Invalid PEM correctly rejected: %v", err)
+	})
+}
+
 // generateTestCert generates a self-signed test certificate and returns PEM strings.
 func generateTestCert(t *testing.T) (certPEM string, keyPEM string) {
 	priv, err := rsa.GenerateKey(rand.Reader, 2048)
@@ -359,6 +359,25 @@ func (c *Connector) loadCAFromDisk() error {
 		return fmt.Errorf("loaded CA certificate does not have KeyUsageCertSign")
 	}

+	// Validate CA certificate validity window (M-5, CWE-672).
+	// An expired or not-yet-valid sub-CA produces child certificates that any
+	// RFC 5280 path-validator will reject. Fail closed at load time so operators
+	// learn about it at startup, not at 3am when a renewal cycle silently
+	// starts minting broken certs. See audit finding M-5.
+	now := time.Now()
+	if now.After(caCert.NotAfter) {
+		return fmt.Errorf("CA certificate %q has expired (not_after=%s, now=%s)",
+			caCert.Subject.CommonName,
+			caCert.NotAfter.UTC().Format(time.RFC3339),
+			now.UTC().Format(time.RFC3339))
+	}
+	if now.Before(caCert.NotBefore) {
+		return fmt.Errorf("CA certificate %q is not yet valid (not_before=%s, now=%s)",
+			caCert.Subject.CommonName,
+			caCert.NotBefore.UTC().Format(time.RFC3339),
+			now.UTC().Format(time.RFC3339))
+	}
+
 	// Load CA private key (supports RSA and ECDSA)
 	keyPEM, err := os.ReadFile(c.config.CAKeyPath)
 	if err != nil {
@@ -14,6 +14,7 @@ import (
 	"math/big"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 	"time"

@@ -360,6 +361,114 @@ func TestSubCAMode(t *testing.T) {
 		t.Logf("Correctly rejected non-CA cert: %v", err)
 	})

+	t.Run("SubCA_ExpiredCert_IsRejected", func(t *testing.T) {
+		// Sub-CA expired 1 hour ago. M-5: loadCAFromDisk must fail closed
+		// instead of minting child certs that immediately fail path validation
+		// at every relying party (CWE-672).
+		notBefore := time.Now().AddDate(-1, 0, 0)
+		notAfter := time.Now().Add(-1 * time.Hour)
+		certPath, keyPath := generateTestSubCAWithValidity(t, "rsa", notBefore, notAfter)
+
+		config := &local.Config{
+			ValidityDays: 30,
+			CACertPath:   certPath,
+			CAKeyPath:    keyPath,
+		}
+		connector := local.New(config, logger)
+
+		_, csrPEM, err := generateTestCSR("app.internal.corp")
+		if err != nil {
+			t.Fatalf("Failed to generate CSR: %v", err)
+		}
+		req := issuer.IssuanceRequest{
+			CommonName: "app.internal.corp",
+			CSRPEM:     csrPEM,
+		}
+
+		_, err = connector.IssueCertificate(ctx, req)
+		if err == nil {
+			t.Fatal("Expected error when loading expired sub-CA; got nil")
+		}
+		if !strings.Contains(err.Error(), "expired") {
+			t.Errorf("Expected error to mention 'expired'; got: %v", err)
+		}
+		if !strings.Contains(err.Error(), "Test Sub-CA") {
+			t.Errorf("Expected error to include CA subject CN 'Test Sub-CA'; got: %v", err)
+		}
+		t.Logf("Correctly rejected expired sub-CA: %v", err)
+	})
+
+	t.Run("SubCA_NotYetValid_IsRejected", func(t *testing.T) {
+		// Sub-CA is not valid for another hour (clock skew or operator error
+		// pushing a pre-production CA into prod). M-5: loadCAFromDisk must
+		// fail closed.
+		notBefore := time.Now().Add(1 * time.Hour)
+		notAfter := time.Now().AddDate(5, 0, 0)
+		certPath, keyPath := generateTestSubCAWithValidity(t, "rsa", notBefore, notAfter)
+
+		config := &local.Config{
+			ValidityDays: 30,
+			CACertPath:   certPath,
+			CAKeyPath:    keyPath,
+		}
+		connector := local.New(config, logger)
+
+		_, csrPEM, err := generateTestCSR("app.internal.corp")
+		if err != nil {
+			t.Fatalf("Failed to generate CSR: %v", err)
+		}
+		req := issuer.IssuanceRequest{
+			CommonName: "app.internal.corp",
+			CSRPEM:     csrPEM,
+		}
+
+		_, err = connector.IssueCertificate(ctx, req)
+		if err == nil {
+			t.Fatal("Expected error when loading not-yet-valid sub-CA; got nil")
+		}
+		if !strings.Contains(err.Error(), "not yet valid") {
+			t.Errorf("Expected error to mention 'not yet valid'; got: %v", err)
+		}
+		if !strings.Contains(err.Error(), "Test Sub-CA") {
+			t.Errorf("Expected error to include CA subject CN 'Test Sub-CA'; got: %v", err)
+		}
+		t.Logf("Correctly rejected not-yet-valid sub-CA: %v", err)
+	})
+
+	t.Run("SubCA_BarelyValid_IsAccepted", func(t *testing.T) {
+		// Sub-CA valid from 1 minute ago to 1 hour from now. Edge case:
+		// proves the M-5 window check doesn't over-reject CAs that are
+		// legitimately live but close to the boundaries.
+		notBefore := time.Now().Add(-1 * time.Minute)
+		notAfter := time.Now().Add(1 * time.Hour)
+		certPath, keyPath := generateTestSubCAWithValidity(t, "rsa", notBefore, notAfter)
+
+		config := &local.Config{
+			ValidityDays: 30,
+			CACertPath:   certPath,
+			CAKeyPath:    keyPath,
+		}
+		connector := local.New(config, logger)
+
+		_, csrPEM, err := generateTestCSR("app.internal.corp")
+		if err != nil {
+			t.Fatalf("Failed to generate CSR: %v", err)
+		}
+		req := issuer.IssuanceRequest{
+			CommonName: "app.internal.corp",
+			CSRPEM:     csrPEM,
+		}
+
+		result, err := connector.IssueCertificate(ctx, req)
+		if err != nil {
+			t.Fatalf("Barely-valid sub-CA was wrongly rejected: %v", err)
+		}
+		if result.CertPEM == "" {
+			t.Error("CertPEM is empty")
+		}
+		t.Logf("Correctly accepted barely-valid sub-CA: serial=%s", result.Serial)
+	})
+
 	t.Run("SubCA_RenewCertificate", func(t *testing.T) {
 		certPath, keyPath := generateTestSubCA(t, "rsa")
 		defer os.Remove(certPath)
@@ -396,8 +505,16 @@ func TestSubCAMode(t *testing.T) {
 }

 // generateTestSubCA creates a self-signed CA cert+key pair and writes them to temp files.
-// keyType can be "rsa" or "ecdsa".
+// keyType can be "rsa" or "ecdsa". Validity window is [now, now+5y].
 func generateTestSubCA(t *testing.T, keyType string) (certPath, keyPath string) {
+	t.Helper()
+	return generateTestSubCAWithValidity(t, keyType, time.Now(), time.Now().AddDate(5, 0, 0))
+}
+
+// generateTestSubCAWithValidity creates a self-signed CA cert+key pair with an
+// explicit NotBefore/NotAfter window. Used by M-5 tests that exercise expired
+// and not-yet-valid CA rejection in loadCAFromDisk.
+func generateTestSubCAWithValidity(t *testing.T, keyType string, notBefore, notAfter time.Time) (certPath, keyPath string) {
 	t.Helper()
 	tmpDir := t.TempDir()
 	certPath = filepath.Join(tmpDir, "ca.pem")
@@ -445,8 +562,8 @@ func generateTestSubCA(t *testing.T, keyType string) (certPath, keyPath string)
 			CommonName:   "Test Sub-CA",
 			Organization: []string{"CertCtl Test"},
 		},
-		NotBefore:             time.Now(),
-		NotAfter:              time.Now().AddDate(5, 0, 0),
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		BasicConstraintsValid: true,
 		IsCA:                  true,
@@ -13,6 +13,7 @@ import (
 	"time"

 	"github.com/shankar0123/certctl/internal/connector/notifier"
+	"github.com/shankar0123/certctl/internal/validation"
 )

 // Config represents the email notifier configuration.
@@ -123,7 +124,22 @@ func (c *Connector) SendEvent(ctx context.Context, event notifier.Event) error {

 // sendEmail sends an email message using the configured SMTP server.
 // It handles both TLS and plain authentication modes.
+//
+// Header values (From, To, Subject) are validated up-front to reject CR, LF,
+// and NUL characters. This blocks SMTP header injection (CWE-113) and also
+// prevents injection into the SMTP envelope commands MAIL FROM and RCPT TO,
+// since net/smtp does not sanitize those inputs itself.
 func (c *Connector) sendEmail(ctx context.Context, to, subject, body string) error {
+	if err := validation.ValidateHeaderValue("From", c.config.FromAddress); err != nil {
+		return fmt.Errorf("invalid sender: %w", err)
+	}
+	if err := validation.ValidateHeaderValue("To", to); err != nil {
+		return fmt.Errorf("invalid recipient: %w", err)
+	}
+	if err := validation.ValidateHeaderValue("Subject", subject); err != nil {
+		return fmt.Errorf("invalid subject: %w", err)
+	}
+
 	addr := net.JoinHostPort(c.config.SMTPHost, strconv.Itoa(c.config.SMTPPort))

 	// Connect to SMTP server
@@ -182,8 +198,13 @@ func (c *Connector) sendEmail(ctx context.Context, to, subject, body string) err
 	}
 	defer wc.Close()

-	// Format and write email headers and body
-	message := c.formatEmailMessage(c.config.FromAddress, to, subject, body)
+	// Format and write email headers and body. The format function
+	// re-validates header values as defense-in-depth; the early-return
+	// above should have already caught any injection attempt.
+	message, err := c.formatEmailMessage(c.config.FromAddress, to, subject, body)
+	if err != nil {
+		return fmt.Errorf("failed to format message: %w", err)
+	}
 	if _, err := wc.Write(message); err != nil {
 		return fmt.Errorf("failed to write message: %w", err)
 	}
@@ -197,7 +218,22 @@ func (c *Connector) sendEmail(ctx context.Context, to, subject, body string) err

 // sendHTMLEmail sends an HTML email message using the configured SMTP server.
 // Used by the digest service for rich HTML digest emails.
+//
+// Header values (From, To, Subject) are validated up-front to reject CR, LF,
+// and NUL characters. This blocks SMTP header injection (CWE-113) and also
+// prevents injection into the SMTP envelope commands MAIL FROM and RCPT TO,
+// since net/smtp does not sanitize those inputs itself.
 func (c *Connector) sendHTMLEmail(ctx context.Context, to, subject, htmlBody string) error {
+	if err := validation.ValidateHeaderValue("From", c.config.FromAddress); err != nil {
+		return fmt.Errorf("invalid sender: %w", err)
+	}
+	if err := validation.ValidateHeaderValue("To", to); err != nil {
+		return fmt.Errorf("invalid recipient: %w", err)
+	}
+	if err := validation.ValidateHeaderValue("Subject", subject); err != nil {
+		return fmt.Errorf("invalid subject: %w", err)
+	}
+
 	addr := net.JoinHostPort(c.config.SMTPHost, strconv.Itoa(c.config.SMTPPort))

 	var auth smtp.Auth
@@ -250,7 +286,12 @@ func (c *Connector) sendHTMLEmail(ctx context.Context, to, subject, htmlBody str
 	}
 	defer wc.Close()

-	message := c.formatHTMLEmailMessage(c.config.FromAddress, to, subject, htmlBody)
+	// The format function re-validates header values as defense-in-depth;
+	// the early-return above should have already caught any injection attempt.
+	message, err := c.formatHTMLEmailMessage(c.config.FromAddress, to, subject, htmlBody)
+	if err != nil {
+		return fmt.Errorf("failed to format message: %w", err)
+	}
 	if _, err := wc.Write(message); err != nil {
 		return fmt.Errorf("failed to write message: %w", err)
 	}
@@ -263,7 +304,20 @@ func (c *Connector) sendHTMLEmail(ctx context.Context, to, subject, htmlBody str
 }

 // formatEmailMessage formats an email message with standard headers.
-func (c *Connector) formatEmailMessage(from, to, subject, body string) []byte {
+// It rejects any header value containing CR, LF, or NUL bytes to prevent
+// SMTP header injection (CWE-113). See internal/validation.ValidateHeaderValue.
+// The body is not validated — CR/LF in the body is legitimate content, and
+// SMTP dot-stuffing / length framing are handled by net/smtp.
+func (c *Connector) formatEmailMessage(from, to, subject, body string) ([]byte, error) {
+	if err := validation.ValidateHeaderValue("From", from); err != nil {
+		return nil, err
+	}
+	if err := validation.ValidateHeaderValue("To", to); err != nil {
+		return nil, err
+	}
+	if err := validation.ValidateHeaderValue("Subject", subject); err != nil {
+		return nil, err
+	}
 	message := fmt.Sprintf(
 		"From: %s\r\nTo: %s\r\nSubject: %s\r\nDate: %s\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n%s",
 		from,
@@ -272,11 +326,24 @@ func (c *Connector) formatEmailMessage(from, to, subject, body string) []byte {
 		time.Now().Format(time.RFC1123Z),
 		body,
 	)
-	return []byte(message)
+	return []byte(message), nil
 }

 // formatHTMLEmailMessage formats an HTML email message with MIME headers.
-func (c *Connector) formatHTMLEmailMessage(from, to, subject, htmlBody string) []byte {
+// It rejects any header value containing CR, LF, or NUL bytes to prevent
+// SMTP header injection (CWE-113). See internal/validation.ValidateHeaderValue.
+// The HTML body is not validated at this layer — CR/LF in HTML content is
+// legitimate, and SMTP dot-stuffing / length framing are handled by net/smtp.
+func (c *Connector) formatHTMLEmailMessage(from, to, subject, htmlBody string) ([]byte, error) {
+	if err := validation.ValidateHeaderValue("From", from); err != nil {
+		return nil, err
+	}
+	if err := validation.ValidateHeaderValue("To", to); err != nil {
+		return nil, err
+	}
+	if err := validation.ValidateHeaderValue("Subject", subject); err != nil {
+		return nil, err
+	}
 	message := fmt.Sprintf(
 		"From: %s\r\nTo: %s\r\nSubject: %s\r\nDate: %s\r\nMIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n%s",
 		from,
@@ -285,7 +352,7 @@ func (c *Connector) formatHTMLEmailMessage(from, to, subject, htmlBody string) [
 		time.Now().Format(time.RFC1123Z),
 		htmlBody,
 	)
-	return []byte(message)
+	return []byte(message), nil
 }

 // formatAlertBody formats an alert notification as email body text.
@@ -138,7 +138,10 @@ func TestEmail_FormatMessage_RFC822Headers(t *testing.T) {
 	subject := "Test Subject"
 	body := "Test Body"

-	message := conn.formatEmailMessage(from, to, subject, body)
+	message, err := conn.formatEmailMessage(from, to, subject, body)
+	if err != nil {
+		t.Fatalf("expected nil error, got %v", err)
+	}
 	messageStr := string(message)

 	if !strings.Contains(messageStr, "From: "+from) {
@@ -177,7 +180,10 @@ func TestEmail_FormatHTMLEmailMessage_Headers(t *testing.T) {
 	subject := "HTML Test"
 	htmlBody := "<html><body><h1>Test</h1></body></html>"

-	message := conn.formatHTMLEmailMessage(from, to, subject, htmlBody)
+	message, err := conn.formatHTMLEmailMessage(from, to, subject, htmlBody)
+	if err != nil {
+		t.Fatalf("expected nil error, got %v", err)
+	}
 	messageStr := string(message)

 	if !strings.Contains(messageStr, "From: "+from) {
@@ -200,6 +206,67 @@ func TestEmail_FormatHTMLEmailMessage_Headers(t *testing.T) {
 	}
 }

+// TestEmail_FormatEmailMessage_RejectsCRLFInjection exercises the CRLF
+// sanitizer (CWE-113). A subject containing "\r\nBcc: ..." must be rejected
+// rather than silently stripped — authentication-relevant headers are
+// security-critical and silent mutation masks malicious intent.
+func TestEmail_FormatEmailMessage_RejectsCRLFInjection(t *testing.T) {
+	cfg := &Config{
+		SMTPHost:    "smtp.example.com",
+		SMTPPort:    587,
+		FromAddress: "sender@example.com",
+	}
+	logger := newTestLogger()
+	conn := New(cfg, logger)
+
+	cases := []struct {
+		name          string
+		from, to, sub string
+		wantField     string
+	}{
+		{"CRLF in Subject", "sender@example.com", "recipient@example.com", "hello\r\nBcc: attacker@example.com", "Subject"},
+		{"LF in To", "sender@example.com", "recipient@example.com\nBcc: x@y", "ok", "To"},
+		{"CR in From", "sender@example.com\rExtra: header", "recipient@example.com", "ok", "From"},
+		{"NUL in Subject", "sender@example.com", "recipient@example.com", "hi\x00there", "Subject"},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := conn.formatEmailMessage(tc.from, tc.to, tc.sub, "body")
+			if err == nil {
+				t.Fatal("expected injection error, got nil")
+			}
+			if !strings.Contains(err.Error(), tc.wantField) {
+				t.Errorf("expected error to mention field %q, got %q", tc.wantField, err.Error())
+			}
+		})
+	}
+}
+
+// TestEmail_FormatHTMLEmailMessage_RejectsCRLFInjection mirrors the plain-text
+// test for the HTML codepath used by the digest service.
+func TestEmail_FormatHTMLEmailMessage_RejectsCRLFInjection(t *testing.T) {
+	cfg := &Config{
+		SMTPHost:    "smtp.example.com",
+		SMTPPort:    587,
+		FromAddress: "sender@example.com",
+	}
+	logger := newTestLogger()
+	conn := New(cfg, logger)
+
+	_, err := conn.formatHTMLEmailMessage(
+		"sender@example.com",
+		"recipient@example.com",
+		"digest\r\nBcc: attacker@example.com",
+		"<p>hi</p>",
+	)
+	if err == nil {
+		t.Fatal("expected CRLF injection error, got nil")
+	}
+	if !strings.Contains(err.Error(), "Subject") {
+		t.Errorf("expected error to mention Subject field, got %q", err.Error())
+	}
+}
+
 func TestEmail_FormatAlertBody(t *testing.T) {
 	cfg := &Config{
 		SMTPHost:    "smtp.example.com",
@@ -14,8 +14,15 @@ import (
 	"time"

 	"github.com/shankar0123/certctl/internal/connector/notifier"
+	"github.com/shankar0123/certctl/internal/validation"
 )

+// webhookClientTimeout bounds every outbound webhook request and its
+// resolution/dial phase. Kept as a package-level constant so the timeout is
+// shared by the transport dialer and the http.Client, and so tests can reason
+// about it without plumbing configuration.
+const webhookClientTimeout = 30 * time.Second
+
 // Config represents the webhook notifier configuration.
 type Config struct {
 	URL     string            `json:"url"`
@@ -25,20 +32,69 @@ type Config struct {

 // Connector implements the notifier.Connector interface for webhook notifications.
 // It sends alert and event notifications via HTTP POST with optional HMAC signing.
+//
+// validateURL is injected so that the production constructor (New) installs the
+// strict validation.ValidateSafeURL guard while newForTest can install a
+// permissive validator. This is the only way to keep the production SSRF
+// defence unconditionally on in real code while still allowing tests to point
+// at httptest loopback servers. Without this seam, every test using
+// httptest.NewServer would be blocked by the guard's loopback rejection — that
+// is the correct behaviour in production but makes legitimate unit tests
+// impossible to write. The test seam is unexported so no external caller can
+// use it to disable the guard.
 type Connector struct {
-	config *Config
-	logger *slog.Logger
-	client *http.Client
+	config      *Config
+	logger      *slog.Logger
+	client      *http.Client
+	validateURL func(string) error
 }

 // New creates a new webhook notifier with the given configuration and logger.
+//
+// The returned connector uses an http.Transport whose DialContext is hardened
+// by validation.SafeHTTPDialContext. That guard re-resolves the target host
+// at dial time and refuses any connection whose resolved address lies in a
+// reserved range (loopback, cloud-metadata link-local, multicast, broadcast,
+// unspecified, IPv6 link-local/multicast). This is the authoritative SSRF
+// defence; validation.ValidateSafeURL inside ValidateConfig/postWebhook is a
+// fast early diagnostic. The two layers together defeat both misconfigured
+// URLs and DNS-rebinding attacks where a name's resolved address changes
+// between validation and dial.
 func New(config *Config, logger *slog.Logger) *Connector {
+	transport := &http.Transport{
+		DialContext:           validation.SafeHTTPDialContext(webhookClientTimeout),
+		TLSHandshakeTimeout:   10 * time.Second,
+		ResponseHeaderTimeout: 10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		ForceAttemptHTTP2:     true,
+	}
 	return &Connector{
 		config: config,
 		logger: logger,
 		client: &http.Client{
-			Timeout: 30 * time.Second,
+			Timeout:   webhookClientTimeout,
+			Transport: transport,
 		},
+		validateURL: validation.ValidateSafeURL,
+	}
+}
+
+// newForTest is an unexported constructor used exclusively by the webhook
+// package's own tests. It installs a permissive URL validator and the stdlib
+// default transport so tests can point the connector at httptest loopback
+// servers (127.0.0.1), which the production SafeHTTPDialContext guard would
+// correctly reject. Production callers cannot reach this constructor because
+// it is unexported; only same-package tests (package webhook) can use it.
+// The SSRF-rejection tests that verify the guard itself still call New so
+// they exercise the real, strict validator.
+func newForTest(config *Config, logger *slog.Logger) *Connector {
+	return &Connector{
+		config: config,
+		logger: logger,
+		client: &http.Client{
+			Timeout: webhookClientTimeout,
+		},
+		validateURL: func(string) error { return nil },
 	}
 }

@@ -54,6 +110,18 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 		return fmt.Errorf("webhook url is required")
 	}

+	// SSRF guard (CWE-918). Reject reserved-address URLs before issuing any
+	// outbound HTTP — this catches the obvious 127.0.0.1 / ::1 /
+	// 169.254.169.254 / 0.0.0.0 cases at config-ingestion time and produces
+	// a clear operator-facing error. The authoritative, TOCTOU-safe check
+	// still runs at dial time inside SafeHTTPDialContext. Routed through
+	// c.validateURL so newForTest can install a permissive validator for
+	// same-package unit tests; production New always wires
+	// validation.ValidateSafeURL here.
+	if err := c.validateURL(cfg.URL); err != nil {
+		return fmt.Errorf("webhook url rejected: %w", err)
+	}
+
 	c.logger.Info("validating webhook configuration", "url", cfg.URL)

 	// Test webhook connectivity with a HEAD request
@@ -150,7 +218,17 @@ func (c *Connector) SendEvent(ctx context.Context, event notifier.Event) error {
 // postWebhook sends a payload to the webhook URL with proper headers and signing.
 // If a secret is configured, it signs the payload using HMAC-SHA256 and includes
 // the signature in the X-Signature header.
+//
+// The URL is re-validated here even though ValidateConfig already accepted it:
+// configuration can be mutated in place, reloaded dynamically, or set directly
+// by tests that bypass ValidateConfig, so this call is a defence-in-depth
+// guard that fails closed before any outbound request is built. Authoritative
+// DNS-rebinding defence still runs at dial time via SafeHTTPDialContext.
 func (c *Connector) postWebhook(ctx context.Context, payload interface{}) error {
+	if err := c.validateURL(c.config.URL); err != nil {
+		return fmt.Errorf("webhook url rejected: %w", err)
+	}
+
 	// Marshal payload to JSON
 	jsonData, err := json.Marshal(payload)
 	if err != nil {
@@ -32,7 +32,7 @@ func TestWebhook_ValidateConfig_ValidURL(t *testing.T) {

 	// Create a new logger (or use test logger)
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)

 	err := conn.ValidateConfig(context.Background(), rawConfig)
 	if err != nil {
@@ -47,7 +47,7 @@ func TestWebhook_ValidateConfig_MissingURL(t *testing.T) {

 	rawConfig, _ := json.Marshal(cfg)
 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)

 	err := conn.ValidateConfig(context.Background(), rawConfig)
 	if err == nil {
@@ -96,7 +96,7 @@ func TestWebhook_SendAlert_Success(t *testing.T) {
 	}

 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)

 	alert := notifier.Alert{
 		ID:        "alert-123",
@@ -160,7 +160,7 @@ func TestWebhook_SendAlert_HMACSignature(t *testing.T) {
 	}

 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)

 	alert := notifier.Alert{
 		ID:        "alert-456",
@@ -199,7 +199,7 @@ func TestWebhook_SendAlert_NoSignatureWithoutSecret(t *testing.T) {
 	}

 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)

 	alert := notifier.Alert{
 		ID:        "alert-789",
@@ -239,7 +239,7 @@ func TestWebhook_SendAlert_CustomHeaders(t *testing.T) {
 	}

 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)

 	alert := notifier.Alert{
 		ID:        "alert-custom",
@@ -276,7 +276,7 @@ func TestWebhook_SendAlert_HTTPError(t *testing.T) {
 	}

 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)

 	alert := notifier.Alert{
 		ID:        "alert-error",
@@ -318,7 +318,7 @@ func TestWebhook_SendEvent_Success(t *testing.T) {
 	}

 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)

 	certID := "mc-api-prod"
 	event := notifier.Event{
@@ -367,7 +367,7 @@ func TestWebhook_SendEvent_WithoutCertificateID(t *testing.T) {
 	}

 	logger := newTestLogger()
-	conn := New(cfg, logger)
+	conn := newForTest(cfg, logger)

 	event := notifier.Event{
 		ID:        "event-456",
@@ -389,6 +389,130 @@ func TestWebhook_SendEvent_WithoutCertificateID(t *testing.T) {
 	}
 }

+// The SSRF tests below exercise the CWE-918 guard added alongside H-4. Each
+// case pairs a reserved-address URL with the call surface that should reject
+// it. ValidateConfig is the early-fail path; SendAlert/SendEvent reach the
+// same guard via postWebhook and are the defence-in-depth that still rejects
+// even when ValidateConfig was bypassed (e.g. dynamic config reload mutating
+// c.config.URL in place).
+
+func TestWebhook_ValidateConfig_RejectsReservedURLs(t *testing.T) {
+	// These must all fail at config-ingestion time without ever opening a
+	// socket — the reserved-address filter is the whole point of H-4.
+	cases := []struct {
+		name string
+		url  string
+	}{
+		{"loopback v4", "http://127.0.0.1/hook"},
+		{"loopback v4 with port", "http://127.0.0.1:8080/"},
+		{"loopback v6 bracketed", "http://[::1]/hook"},
+		{"AWS metadata", "http://169.254.169.254/latest/meta-data/"},
+		{"generic link-local", "http://169.254.1.2/"},
+		{"unspecified v4", "http://0.0.0.0/"},
+		{"unspecified v6", "http://[::]/"},
+		{"IPv6 link-local", "http://[fe80::1]/"},
+		{"multicast", "https://224.0.0.5/"},
+		{"broadcast", "http://255.255.255.255/"},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			cfg := &Config{URL: tc.url}
+			rawConfig, _ := json.Marshal(cfg)
+			conn := New(cfg, newTestLogger())
+
+			err := conn.ValidateConfig(context.Background(), rawConfig)
+			if err == nil {
+				t.Fatalf("ValidateConfig(%q) returned nil, want SSRF rejection", tc.url)
+			}
+			if !strings.Contains(err.Error(), "reserved") && !strings.Contains(err.Error(), "rejected") {
+				t.Errorf("expected reserved/rejected error, got %q", err.Error())
+			}
+		})
+	}
+}
+
+func TestWebhook_ValidateConfig_RejectsDangerousSchemes(t *testing.T) {
+	// Only http(s) is a legitimate webhook transport. Every other scheme is
+	// an SSRF amplifier (file, gopher, ftp, javascript, data, ldap, dict,
+	// jar) and must be refused at config time.
+	cases := []struct {
+		name string
+		url  string
+	}{
+		{"file", "file:///etc/passwd"},
+		{"gopher", "gopher://example.com/_x"},
+		{"ftp", "ftp://example.com/"},
+		{"javascript", "javascript:alert(1)"},
+		{"data", "data:text/plain;base64,SGVsbG8="},
+		{"ldap", "ldap://example.com/"},
+		{"dict", "dict://example.com:2628/d:foo"},
+		{"jar", "jar:http://example.com/foo.jar!/"},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			cfg := &Config{URL: tc.url}
+			rawConfig, _ := json.Marshal(cfg)
+			conn := New(cfg, newTestLogger())
+
+			err := conn.ValidateConfig(context.Background(), rawConfig)
+			if err == nil {
+				t.Fatalf("ValidateConfig(%q) returned nil, want scheme rejection", tc.url)
+			}
+			if !strings.Contains(err.Error(), "rejected") && !strings.Contains(err.Error(), "scheme") {
+				t.Errorf("expected scheme/rejected error, got %q", err.Error())
+			}
+		})
+	}
+}
+
+func TestWebhook_SendAlert_RejectsReservedURLInPostWebhook(t *testing.T) {
+	// Simulate config drift: URL was legitimate at ValidateConfig time but
+	// has since been rewritten to an SSRF target. postWebhook must catch
+	// this on every call without ever hitting the wire.
+	cfg := &Config{URL: "http://169.254.169.254/latest/meta-data/"}
+	conn := New(cfg, newTestLogger())
+
+	alert := notifier.Alert{
+		ID:        "alert-ssrf",
+		Type:      "test",
+		Severity:  "info",
+		Subject:   "Test",
+		Message:   "Test",
+		Recipient: "ops@example.com",
+		CreatedAt: time.Now(),
+	}
+
+	err := conn.SendAlert(context.Background(), alert)
+	if err == nil {
+		t.Fatal("SendAlert returned nil, want SSRF rejection from postWebhook")
+	}
+	if !strings.Contains(err.Error(), "reserved") && !strings.Contains(err.Error(), "rejected") {
+		t.Errorf("expected reserved/rejected error, got %q", err.Error())
+	}
+}
+
+func TestWebhook_SendEvent_RejectsReservedURLInPostWebhook(t *testing.T) {
+	cfg := &Config{URL: "http://[::1]:9/webhook"}
+	conn := New(cfg, newTestLogger())
+
+	event := notifier.Event{
+		ID:        "event-ssrf",
+		Type:      "test",
+		Subject:   "Test",
+		Body:      "Test",
+		Recipient: "ops@example.com",
+		CreatedAt: time.Now(),
+	}
+
+	err := conn.SendEvent(context.Background(), event)
+	if err == nil {
+		t.Fatal("SendEvent returned nil, want SSRF rejection from postWebhook")
+	}
+	if !strings.Contains(err.Error(), "reserved") && !strings.Contains(err.Error(), "rejected") {
+		t.Errorf("expected reserved/rejected error, got %q", err.Error())
+	}
+}
+
 // Helper function to compute HMAC-SHA256 signature
 func computeHMACSHA256(data []byte, secret string) string {
 	h := hmac.New(sha256.New, []byte(secret))
@@ -1,4 +1,31 @@
 // Package crypto provides AES-256-GCM encryption for sensitive configuration data.
+//
+// The on-disk format for blobs produced by [EncryptIfKeySet] is versioned. Two
+// versions coexist and both can be read by [DecryptIfKeySet]:
+//
+//	v2 (current, M-8)
+//	    magic(0x02) || salt(16) || nonce(12) || ciphertext+tag
+//	    — 32-byte AES-256 key derived via PBKDF2-SHA256 from the operator
+//	      passphrase and the per-ciphertext random salt.
+//
+//	v1 (legacy, pre-M-8)
+//	    nonce(12) || ciphertext+tag
+//	    — 32-byte AES-256 key derived via PBKDF2-SHA256 from the operator
+//	      passphrase and the package-level fixed salt
+//	      "certctl-config-encryption-v1".
+//
+// v1 blobs are accepted by the read path for backward compatibility with rows
+// persisted before the M-8 remediation. They are never produced by the write
+// path. Any row that is updated after M-8 is re-sealed as v2 in-place via the
+// normal UPDATE flow.
+//
+// Rationale for the per-ciphertext salt (see M-8 / CWE-916 / CWE-329): the
+// pre-M-8 design reused a single 28-byte fixed salt for every ciphertext, which
+// (a) removes one defense-in-depth layer against passphrase-space brute force
+// and (b) makes every encrypted column across every row share the exact same
+// derived key. v2 replaces the fixed salt with 16 fresh random bytes per write
+// and stores the salt alongside the ciphertext. Derived keys now differ per
+// row and per re-encryption.
 package crypto

 import (
@@ -6,17 +33,77 @@ import (
 	"crypto/cipher"
 	"crypto/rand"
 	"crypto/sha256"
+	"errors"
 	"fmt"
 	"io"

 	"golang.org/x/crypto/pbkdf2"
 )

+// ErrEncryptionKeyRequired is returned by EncryptIfKeySet and DecryptIfKeySet when
+// the caller provides an empty passphrase but the data on the wire requires
+// protection.
+//
+// Historically these helpers silently returned plaintext when no key was configured,
+// which produced a data-at-rest confidentiality bypass (CWE-311): sensitive fields
+// in dynamically-configured issuer and target records (source='database') were
+// persisted to PostgreSQL without any encryption whenever the operator forgot to
+// set CERTCTL_CONFIG_ENCRYPTION_KEY. Callers could not distinguish the encrypted
+// and plaintext branches at runtime, so the only visible signal was a warning
+// line emitted once at startup.
+//
+// The fix (C-2, commit fb4ce1a) is to fail closed: EncryptIfKeySet/DecryptIfKeySet
+// now require a passphrase whenever they are invoked on sensitive material, and
+// the server refuses to start if any source='database' rows already exist without
+// a configured passphrase.
+var ErrEncryptionKeyRequired = errors.New("crypto: CERTCTL_CONFIG_ENCRYPTION_KEY is required to encrypt or decrypt sensitive config")
+
+// v2Magic is the first byte of every v2-format ciphertext blob. It distinguishes
+// v2 blobs (per-ciphertext random salt, embedded in the blob) from v1 legacy
+// blobs (no magic byte, fixed package-level salt).
+//
+// The choice of 0x02 is deliberate: v1 blobs begin with a random 12-byte AES-GCM
+// nonce. A v1 nonce can coincidentally start with 0x02 with probability 1/256,
+// which makes a pure magic-byte dispatch ambiguous. [DecryptIfKeySet] resolves
+// the ambiguity by falling back to the v1 path when v2 AEAD verification fails.
+const v2Magic byte = 0x02
+
+// v2SaltSize is the length in bytes of the per-ciphertext salt embedded in a
+// v2 blob. 16 bytes (128 bits) matches the lower bound recommended in NIST
+// SP 800-132 §5.1 for PBKDF2 salts and is sufficient given the one-shot-per-row
+// nature of the derivation.
+const v2SaltSize = 16
+
+// pbkdf2Iterations is the PBKDF2-SHA256 work factor applied uniformly to both
+// v1 and v2 key derivations. The value is preserved from the pre-M-8 design so
+// that v1 fallback reads stay bit-identical.
+const pbkdf2Iterations = 100000
+
+// aes256KeySize is the output length in bytes of both [DeriveKey] and
+// [deriveKeyWithSalt]. It is also the only AES key length accepted by [Encrypt]
+// and [Decrypt].
+const aes256KeySize = 32
+
+// legacyV1Salt is the fixed salt used by pre-M-8 config encryption. It is
+// retained exclusively to preserve the v1 read path — any v1 blob that pre-dates
+// M-8 remediation must be decryptable with a key derived from (passphrase,
+// legacyV1Salt). The write path never uses this salt.
+//
+// Exposed as a package-level var rather than a local so that tests can reason
+// about v1 fixture bytes symbolically.
+var legacyV1Salt = []byte("certctl-config-encryption-v1")
+
 // Encrypt encrypts plaintext using AES-256-GCM with a random 12-byte nonce prepended to the output.
 // The key must be exactly 32 bytes (AES-256). Returns [12-byte nonce][ciphertext+tag].
+//
+// Encrypt is a low-level primitive. It is intentionally kept byte-identical to
+// the pre-M-8 implementation so that existing v1 blobs on disk remain
+// decryptable via [Decrypt] when paired with a [DeriveKey]-derived key. New
+// callers should prefer [EncryptIfKeySet], which handles key derivation and
+// emits the v2 wire format.
 func Encrypt(plaintext []byte, key []byte) ([]byte, error) {
-	if len(key) != 32 {
-		return nil, fmt.Errorf("encryption key must be exactly 32 bytes, got %d", len(key))
+	if len(key) != aes256KeySize {
+		return nil, fmt.Errorf("encryption key must be exactly %d bytes, got %d", aes256KeySize, len(key))
 	}

 	block, err := aes.NewCipher(key)
@@ -40,9 +127,14 @@ func Encrypt(plaintext []byte, key []byte) ([]byte, error) {

 // Decrypt decrypts ciphertext that was encrypted with Encrypt.
 // Expects format: [12-byte nonce][ciphertext+tag]. Key must be exactly 32 bytes.
+//
+// Decrypt is a low-level primitive. It is intentionally kept byte-identical to
+// the pre-M-8 implementation so that [DecryptIfKeySet] can delegate to it for
+// both the v2 inner blob (after stripping the magic byte + embedded salt) and
+// the v1 legacy blob (unmodified).
 func Decrypt(ciphertext []byte, key []byte) ([]byte, error) {
-	if len(key) != 32 {
-		return nil, fmt.Errorf("encryption key must be exactly 32 bytes, got %d", len(key))
+	if len(key) != aes256KeySize {
+		return nil, fmt.Errorf("encryption key must be exactly %d bytes, got %d", aes256KeySize, len(key))
 	}

 	block, err := aes.NewCipher(key)
@@ -69,35 +161,133 @@ func Decrypt(ciphertext []byte, key []byte) ([]byte, error) {
 	return plaintext, nil
 }

-// DeriveKey derives a 32-byte AES-256 key from a passphrase using PBKDF2-SHA256.
-// Uses a fixed application-specific salt and 100,000 iterations for resistance
-// to brute-force attacks on weak passphrases.
+// DeriveKey derives a 32-byte AES-256 key from a passphrase using PBKDF2-SHA256
+// with the legacy v1 fixed salt.
+//
+// This helper is preserved byte-identical to the pre-M-8 implementation so that
+// v1 ciphertexts persisted before the M-8 remediation remain decryptable
+// unchanged. New code paths should prefer [EncryptIfKeySet] and
+// [DecryptIfKeySet], which use a per-ciphertext random salt.
 func DeriveKey(passphrase string) []byte {
-	// Fixed salt is acceptable here because:
-	// 1. Each certctl instance has its own passphrase
-	// 2. The salt prevents generic rainbow table attacks
-	// 3. Per-user salts are unnecessary (single server key, not user passwords)
-	salt := []byte("certctl-config-encryption-v1")
-	return pbkdf2.Key([]byte(passphrase), salt, 100000, 32, sha256.New)
+	return deriveKeyWithSalt(passphrase, legacyV1Salt)
 }

-// EncryptIfKeySet encrypts plaintext if a key is provided, otherwise returns plaintext unchanged.
-// This supports the development/demo fallback where encryption isn't configured.
-func EncryptIfKeySet(plaintext []byte, key []byte) ([]byte, bool, error) {
-	if len(key) == 0 {
-		return plaintext, false, nil
+// deriveKeyWithSalt derives a 32-byte AES-256 key from a passphrase and an
+// explicit salt using PBKDF2-SHA256 with [pbkdf2Iterations] rounds.
+//
+// The per-ciphertext random salt path (v2) calls this directly with a fresh
+// 16-byte random salt embedded in the ciphertext blob. The legacy path
+// ([DeriveKey]) calls it with the package-level fixed salt [legacyV1Salt].
+func deriveKeyWithSalt(passphrase string, salt []byte) []byte {
+	return pbkdf2.Key([]byte(passphrase), salt, pbkdf2Iterations, aes256KeySize, sha256.New)
+}
+
+// IsLegacyFormat reports whether blob is in the v1 legacy wire format (no magic
+// byte, fixed-salt derivation) as opposed to the v2 wire format
+// (magic(0x02) || salt(16) || nonce(12) || ciphertext+tag).
+//
+// A return value of false is a necessary but not sufficient condition for a
+// blob to be a valid v2 ciphertext: the shortest possible v2 blob is
+// 1 + v2SaltSize + 12 = 29 bytes, and even a 29+ byte blob that starts with
+// 0x02 may turn out to be a v1 ciphertext whose random nonce happens to begin
+// with 0x02 (probability 1/256). [DecryptIfKeySet] resolves this ambiguity at
+// decrypt time by falling back to v1 when v2 AEAD verification fails; callers
+// of IsLegacyFormat should use it only as a heuristic (e.g. migration
+// tooling, log annotation).
+func IsLegacyFormat(blob []byte) bool {
+	if len(blob) == 0 {
+		return false
 	}
-	encrypted, err := Encrypt(plaintext, key)
+	return blob[0] != v2Magic
+}
+
+// EncryptIfKeySet encrypts plaintext with the supplied passphrase and emits a
+// v2 wire-format blob: magic(0x02) || salt(16) || nonce(12) || ciphertext+tag.
+//
+// Key derivation is performed internally per invocation with a fresh 16-byte
+// random salt, producing a distinct AES-256 key for every ciphertext. The
+// operator-supplied passphrase is the only cross-ciphertext shared secret.
+//
+// The second return value is always true when err == nil — the "wasEncrypted"
+// flag is retained for source-compatibility with callers that previously used
+// it to log provenance. Callers MUST handle err: passing an empty passphrase
+// returns [ErrEncryptionKeyRequired] rather than silently emitting plaintext.
+// See the package-level [ErrEncryptionKeyRequired] documentation for the
+// history behind this behavior change (C-2).
+//
+// The write path never produces a v1 blob. v1 blobs are read-only legacy
+// state — see [DecryptIfKeySet] for the compatibility fallback.
+func EncryptIfKeySet(plaintext []byte, passphrase string) ([]byte, bool, error) {
+	if passphrase == "" {
+		return nil, false, ErrEncryptionKeyRequired
+	}
+
+	salt := make([]byte, v2SaltSize)
+	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
+		return nil, false, fmt.Errorf("failed to generate v2 salt: %w", err)
+	}
+
+	key := deriveKeyWithSalt(passphrase, salt)
+	inner, err := Encrypt(plaintext, key)
 	if err != nil {
 		return nil, false, err
 	}
-	return encrypted, true, nil
+
+	// v2 blob layout: magic(1) || salt(v2SaltSize) || inner
+	blob := make([]byte, 0, 1+v2SaltSize+len(inner))
+	blob = append(blob, v2Magic)
+	blob = append(blob, salt...)
+	blob = append(blob, inner...)
+	return blob, true, nil
 }

-// DecryptIfKeySet decrypts ciphertext if a key is provided, otherwise returns ciphertext unchanged.
-func DecryptIfKeySet(ciphertext []byte, key []byte) ([]byte, error) {
-	if len(key) == 0 {
-		return ciphertext, nil
+// DecryptIfKeySet decrypts blob with the supplied passphrase, supporting both
+// v2 (M-8 and later) and v1 (legacy) on-disk formats.
+//
+// Dispatch is first-byte magic + AEAD fallback. If blob starts with
+// [v2Magic] and is long enough to contain a v2 header plus an AEAD-authenticated
+// inner ciphertext, a v2 decrypt is attempted using a key derived from the
+// embedded salt. If that succeeds, its plaintext is returned. If v2 AEAD
+// verification fails — which covers both the "wrong passphrase" case and the
+// 1/256 case where a v1 blob's first byte happens to be 0x02 — the function
+// falls through to the v1 path and attempts decryption using a key derived
+// from the package-level fixed salt [legacyV1Salt].
+//
+// Passing an empty passphrase returns [ErrEncryptionKeyRequired]. Callers that
+// legitimately store plaintext (e.g. env-seeded source='env' rows that keep the
+// raw JSON in the unencrypted `config` column) must branch on the presence of
+// the ciphertext themselves rather than relying on this helper to silently
+// pass bytes through. See the package-level [ErrEncryptionKeyRequired]
+// documentation for the history behind this behavior change (C-2).
+//
+// The function never re-encrypts in place. A v1 blob that is successfully
+// decrypted is returned to the caller as plaintext; re-sealing as v2 happens
+// naturally on the next UPDATE via [EncryptIfKeySet].
+func DecryptIfKeySet(blob []byte, passphrase string) ([]byte, error) {
+	if passphrase == "" {
+		return nil, ErrEncryptionKeyRequired
 	}
-	return Decrypt(ciphertext, key)
+	if len(blob) == 0 {
+		return nil, fmt.Errorf("ciphertext is empty")
+	}
+
+	// v2 path: magic || salt(16) || nonce(12) || ciphertext+tag (min 29 bytes
+	// ignoring the GCM tag; the AEAD verify inside Decrypt enforces the tag).
+	if blob[0] == v2Magic && len(blob) >= 1+v2SaltSize+12 {
+		salt := blob[1 : 1+v2SaltSize]
+		sealed := blob[1+v2SaltSize:]
+		key := deriveKeyWithSalt(passphrase, salt)
+		if plaintext, err := Decrypt(sealed, key); err == nil {
+			return plaintext, nil
+		}
+		// v2 AEAD verification failed. Fall through to v1 so that a v1 blob
+		// whose first byte happens to be 0x02 (1/256 probability) is still
+		// decryptable. If this is truly a v2 blob with the wrong passphrase,
+		// the v1 attempt below will also fail and the v1 error is returned.
+	}
+
+	// v1 legacy path: blob is the full ciphertext with no header and was
+	// sealed with a key derived from (passphrase, legacyV1Salt).
+	key := DeriveKey(passphrase)
+	return Decrypt(blob, key)
 }
@@ -2,6 +2,9 @@ package crypto

 import (
 	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"errors"
 	"testing"
 )

@@ -125,21 +128,20 @@ func TestDeriveKeyDifferentPassphrases(t *testing.T) {
 }

 func TestEncryptIfKeySet_WithKey(t *testing.T) {
-	key := DeriveKey("test-key")
 	plaintext := []byte("config data")

-	result, wasEncrypted, err := EncryptIfKeySet(plaintext, key)
+	result, wasEncrypted, err := EncryptIfKeySet(plaintext, "test-passphrase")
 	if err != nil {
 		t.Fatalf("EncryptIfKeySet failed: %v", err)
 	}
 	if !wasEncrypted {
-		t.Fatal("expected wasEncrypted=true when key provided")
+		t.Fatal("expected wasEncrypted=true when passphrase provided")
 	}
 	if bytes.Equal(result, plaintext) {
 		t.Fatal("result should be encrypted")
 	}

-	decrypted, err := DecryptIfKeySet(result, key)
+	decrypted, err := DecryptIfKeySet(result, "test-passphrase")
 	if err != nil {
 		t.Fatalf("DecryptIfKeySet failed: %v", err)
 	}
@@ -148,31 +150,117 @@ func TestEncryptIfKeySet_WithKey(t *testing.T) {
 	}
 }

-func TestEncryptIfKeySet_NilKey(t *testing.T) {
+// TestEncryptIfKeySet_EmptyKeyFailsClosed asserts the C-2 regression guard:
+// EncryptIfKeySet must refuse to silently emit plaintext when no passphrase is
+// configured. The pre-fix behavior was to return plaintext with
+// wasEncrypted=false, which produced a data-at-rest confidentiality bypass
+// (CWE-311) for GUI-created issuer and target configs.
+func TestEncryptIfKeySet_EmptyKeyFailsClosed(t *testing.T) {
 	plaintext := []byte("config data")

-	result, wasEncrypted, err := EncryptIfKeySet(plaintext, nil)
-	if err != nil {
-		t.Fatalf("EncryptIfKeySet with nil key failed: %v", err)
+	result, wasEncrypted, err := EncryptIfKeySet(plaintext, "")
+	if err == nil {
+		t.Fatal("expected ErrEncryptionKeyRequired, got nil")
+	}
+	if !errors.Is(err, ErrEncryptionKeyRequired) {
+		t.Fatalf("expected ErrEncryptionKeyRequired, got %v", err)
 	}
 	if wasEncrypted {
-		t.Fatal("expected wasEncrypted=false when key is nil")
+		t.Fatal("wasEncrypted must be false on error")
 	}
-	if !bytes.Equal(result, plaintext) {
-		t.Fatal("result should be unchanged plaintext when key is nil")
+	if result != nil {
+		t.Fatalf("expected nil result on error, got %q", result)
 	}
 }

-func TestDecryptIfKeySet_NilKey(t *testing.T) {
+// TestDecryptIfKeySet_EmptyKeyFailsClosed asserts the matching C-2 regression
+// guard on the read path: DecryptIfKeySet must refuse to pass ciphertext
+// through as plaintext when no passphrase is configured.
+func TestDecryptIfKeySet_EmptyKeyFailsClosed(t *testing.T) {
 	data := []byte("plaintext config data")

-	result, err := DecryptIfKeySet(data, nil)
+	result, err := DecryptIfKeySet(data, "")
+	if err == nil {
+		t.Fatal("expected ErrEncryptionKeyRequired, got nil")
+	}
+	if !errors.Is(err, ErrEncryptionKeyRequired) {
+		t.Fatalf("expected ErrEncryptionKeyRequired, got %v", err)
+	}
+	if result != nil {
+		t.Fatalf("expected nil result on error, got %q", result)
+	}
+}
+
+// TestEncryptDecryptIfKeySet_RoundTripProducesDifferentCiphertext proves the
+// "if set" helpers produce real AES-GCM output (not plaintext) and that a full
+// round-trip through both helpers recovers the original bytes.
+func TestEncryptDecryptIfKeySet_RoundTripProducesDifferentCiphertext(t *testing.T) {
+	plaintext := []byte(`{"api_key":"s3cr3t","token":"abc"}`)
+
+	encrypted, wasEncrypted, err := EncryptIfKeySet(plaintext, "round-trip-key")
 	if err != nil {
-		t.Fatalf("DecryptIfKeySet with nil key failed: %v", err)
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
 	}
-	if !bytes.Equal(result, data) {
-		t.Fatal("result should be unchanged when key is nil")
+	if !wasEncrypted {
+		t.Fatal("wasEncrypted must be true when passphrase is present")
 	}
+	if bytes.Equal(encrypted, plaintext) {
+		t.Fatal("EncryptIfKeySet returned plaintext — would regress C-2")
+	}
+
+	decrypted, err := DecryptIfKeySet(encrypted, "round-trip-key")
+	if err != nil {
+		t.Fatalf("DecryptIfKeySet failed: %v", err)
+	}
+	if !bytes.Equal(decrypted, plaintext) {
+		t.Fatalf("round-trip mismatch: got %q, want %q", decrypted, plaintext)
+	}
+}
+
+// TestDecryptIfKeySet_RejectsTamperedCiphertext confirms the AEAD auth tag
+// still rejects modified ciphertext when routed through the helper. The v2
+// wire format is magic(1) || salt(16) || nonce(12) || ciphertext+tag, so
+// flipping a byte anywhere past offset 29 lands squarely inside the AEAD body.
+func TestDecryptIfKeySet_RejectsTamperedCiphertext(t *testing.T) {
+	plaintext := []byte("authenticated data")
+
+	encrypted, _, err := EncryptIfKeySet(plaintext, "tamper-test-key")
+	if err != nil {
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
+	}
+	// Flip a byte past the v2 header (1 + 16 + 12 = 29) to invalidate the tag.
+	const minV2HeaderLen = 1 + v2SaltSize + 12
+	if len(encrypted) <= minV2HeaderLen {
+		t.Fatalf("ciphertext too short to tamper: %d bytes", len(encrypted))
+	}
+	encrypted[minV2HeaderLen] ^= 0xFF
+
+	if _, err := DecryptIfKeySet(encrypted, "tamper-test-key"); err == nil {
+		t.Fatal("DecryptIfKeySet accepted tampered ciphertext — AEAD tag check bypassed")
+	}
+}
+
+// TestEncryptIfKeySet_PreservesErrEncryptionKeyRequiredSentinel guards the
+// stability of the public sentinel error so audit-log detectors and callers
+// outside this package can rely on errors.Is(err, ErrEncryptionKeyRequired).
+func TestEncryptIfKeySet_PreservesErrEncryptionKeyRequiredSentinel(t *testing.T) {
+	if ErrEncryptionKeyRequired == nil {
+		t.Fatal("ErrEncryptionKeyRequired sentinel must be non-nil")
+	}
+	if ErrEncryptionKeyRequired.Error() == "" {
+		t.Fatal("ErrEncryptionKeyRequired must carry a non-empty message")
+	}
+	// Wrap it and confirm errors.Is unwraps correctly — real callers wrap with %w.
+	wrapped := wrapSentinel(ErrEncryptionKeyRequired)
+	if !errors.Is(wrapped, ErrEncryptionKeyRequired) {
+		t.Fatal("errors.Is must unwrap ErrEncryptionKeyRequired through %w-wrapped callers")
+	}
+}
+
+// wrapSentinel is a tiny helper that mimics how production callers propagate
+// the sentinel (e.g. fmt.Errorf("failed to encrypt config: %w", err)).
+func wrapSentinel(err error) error {
+	return errors.Join(errors.New("failed to encrypt config"), err)
 }

 func TestEncryptProducesDifferentCiphertexts(t *testing.T) {
@@ -186,3 +274,217 @@ func TestEncryptProducesDifferentCiphertexts(t *testing.T) {
 		t.Fatal("encrypting same plaintext twice should produce different ciphertexts (random nonce)")
 	}
 }
+
+// ---------------------------------------------------------------------------
+// M-8 additions: per-ciphertext salt + v2 wire format + v1 backward compat.
+// ---------------------------------------------------------------------------
+
+// TestDeriveKey_DifferentSaltsProduceDifferentKeys asserts that
+// deriveKeyWithSalt fans out distinct 32-byte keys for the same passphrase
+// across different salts. This is the core M-8 defense-in-depth property: even
+// if an attacker obtains two v2 ciphertexts encrypted with the same master
+// passphrase, the derived AES keys differ, and a brute-force attempt on one
+// blob cannot be amortized across the other.
+func TestDeriveKey_DifferentSaltsProduceDifferentKeys(t *testing.T) {
+	passphrase := "master-passphrase"
+	saltA := bytes.Repeat([]byte{0xAA}, v2SaltSize)
+	saltB := bytes.Repeat([]byte{0xBB}, v2SaltSize)
+
+	keyA := deriveKeyWithSalt(passphrase, saltA)
+	keyB := deriveKeyWithSalt(passphrase, saltB)
+
+	if len(keyA) != aes256KeySize || len(keyB) != aes256KeySize {
+		t.Fatalf("derived key length wrong: %d / %d", len(keyA), len(keyB))
+	}
+	if bytes.Equal(keyA, keyB) {
+		t.Fatal("deriveKeyWithSalt must produce different keys for different salts")
+	}
+
+	// Sanity-check that deterministic behaviour is preserved under a fixed salt.
+	keyA2 := deriveKeyWithSalt(passphrase, saltA)
+	if !bytes.Equal(keyA, keyA2) {
+		t.Fatal("deriveKeyWithSalt must be deterministic for a fixed (passphrase, salt)")
+	}
+}
+
+// TestEncryptIfKeySet_ProducesV2Format asserts the exact v2 wire-format bytes:
+// magic(0x02) || salt(16) || nonce(12) || ciphertext+tag.
+func TestEncryptIfKeySet_ProducesV2Format(t *testing.T) {
+	blob, _, err := EncryptIfKeySet([]byte("hello"), "any-passphrase")
+	if err != nil {
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
+	}
+
+	const minLen = 1 + v2SaltSize + 12 + 16 // magic + salt + nonce + GCM tag (16)
+	if len(blob) < minLen {
+		t.Fatalf("v2 blob too short: got %d, want >= %d", len(blob), minLen)
+	}
+	if blob[0] != v2Magic {
+		t.Fatalf("v2 blob must start with magic byte 0x%02x, got 0x%02x", v2Magic, blob[0])
+	}
+	if IsLegacyFormat(blob) {
+		t.Fatal("IsLegacyFormat must return false for a freshly produced v2 blob")
+	}
+}
+
+// TestEncryptIfKeySet_SaltIsRandom asserts that two calls with the same
+// passphrase and plaintext produce distinct embedded salts.
+func TestEncryptIfKeySet_SaltIsRandom(t *testing.T) {
+	plaintext := []byte("same plaintext")
+	passphrase := "same-passphrase"
+
+	blob1, _, err := EncryptIfKeySet(plaintext, passphrase)
+	if err != nil {
+		t.Fatalf("EncryptIfKeySet #1 failed: %v", err)
+	}
+	blob2, _, err := EncryptIfKeySet(plaintext, passphrase)
+	if err != nil {
+		t.Fatalf("EncryptIfKeySet #2 failed: %v", err)
+	}
+
+	salt1 := blob1[1 : 1+v2SaltSize]
+	salt2 := blob2[1 : 1+v2SaltSize]
+	if bytes.Equal(salt1, salt2) {
+		t.Fatal("two EncryptIfKeySet invocations must produce distinct per-ciphertext salts")
+	}
+	if bytes.Equal(blob1, blob2) {
+		t.Fatal("two v2 blobs with same (passphrase, plaintext) must differ end-to-end")
+	}
+}
+
+// TestDecryptIfKeySet_V1BackwardCompat builds a deterministic v1-format
+// ciphertext using the pre-M-8 recipe (DeriveKey with the fixed salt, then
+// Encrypt with an all-zero nonce for reproducibility) and asserts that
+// DecryptIfKeySet still decrypts it correctly. This is the migration guarantee:
+// v1 blobs persisted before M-8 must remain decryptable.
+func TestDecryptIfKeySet_V1BackwardCompat(t *testing.T) {
+	passphrase := "legacy-passphrase"
+	plaintext := []byte(`{"api_key":"legacy","org_id":"789"}`)
+
+	// Build a deterministic v1 blob directly: nonce(12 zero bytes) || ct+tag.
+	// This matches the exact wire shape that Encrypt produces, minus the random
+	// nonce, so the test is stable rather than 1/256 flaky.
+	key := DeriveKey(passphrase) // fixed-salt derivation (pre-M-8 behavior)
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		t.Fatalf("aes.NewCipher: %v", err)
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		t.Fatalf("cipher.NewGCM: %v", err)
+	}
+	nonce := make([]byte, gcm.NonceSize()) // all zeros → first byte != v2Magic
+	v1Blob := gcm.Seal(nonce, nonce, plaintext, nil)
+	if v1Blob[0] == v2Magic {
+		t.Fatalf("fixture nonce collided with v2 magic byte — test design error")
+	}
+
+	decrypted, err := DecryptIfKeySet(v1Blob, passphrase)
+	if err != nil {
+		t.Fatalf("DecryptIfKeySet(v1) failed: %v", err)
+	}
+	if !bytes.Equal(decrypted, plaintext) {
+		t.Fatalf("v1 decrypt mismatch: got %q, want %q", decrypted, plaintext)
+	}
+
+	// Cross-check: IsLegacyFormat should flag this as legacy.
+	if !IsLegacyFormat(v1Blob) {
+		t.Fatal("IsLegacyFormat must return true for a v1 blob whose first byte != v2Magic")
+	}
+}
+
+// TestDecryptIfKeySet_V1MagicByteCollisionFallsThrough covers the 1/256 edge
+// case where a v1 ciphertext's random 12-byte nonce happens to begin with
+// 0x02. The dispatch must attempt v2, see AEAD failure, and fall through to
+// v1 — never return a decrypt error when the passphrase is correct.
+func TestDecryptIfKeySet_V1MagicByteCollisionFallsThrough(t *testing.T) {
+	passphrase := "collision-passphrase"
+	plaintext := []byte("colliding v1 blob")
+
+	// Craft a v1 blob whose first byte equals v2Magic by choosing a nonce
+	// starting with 0x02 and sealing manually.
+	key := DeriveKey(passphrase)
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		t.Fatalf("aes.NewCipher: %v", err)
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		t.Fatalf("cipher.NewGCM: %v", err)
+	}
+	nonce := make([]byte, gcm.NonceSize())
+	nonce[0] = v2Magic // force collision
+	v1Blob := gcm.Seal(nonce, nonce, plaintext, nil)
+	if v1Blob[0] != v2Magic {
+		t.Fatal("fixture construction bug: first byte must equal v2Magic")
+	}
+
+	decrypted, err := DecryptIfKeySet(v1Blob, passphrase)
+	if err != nil {
+		t.Fatalf("DecryptIfKeySet must fall through to v1 on AEAD failure, got err: %v", err)
+	}
+	if !bytes.Equal(decrypted, plaintext) {
+		t.Fatalf("v1-via-fallback decrypt mismatch: got %q, want %q", decrypted, plaintext)
+	}
+}
+
+// TestDecryptIfKeySet_V2WithWrongPassphraseFails asserts that a v2 blob
+// sealed under passphrase A cannot be decrypted under passphrase B. Both the
+// v2 AEAD verify (with salt from the blob + passphrase B) and the v1 fallback
+// (with fixed salt + passphrase B) must fail, and an error must be returned
+// rather than silently-corrupt plaintext.
+func TestDecryptIfKeySet_V2WithWrongPassphraseFails(t *testing.T) {
+	blob, _, err := EncryptIfKeySet([]byte("secret"), "passphrase-A")
+	if err != nil {
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
+	}
+
+	got, err := DecryptIfKeySet(blob, "passphrase-B")
+	if err == nil {
+		t.Fatalf("DecryptIfKeySet must return error for wrong passphrase, got plaintext %q", got)
+	}
+	if got != nil {
+		t.Fatalf("result must be nil on decrypt error, got %q", got)
+	}
+}
+
+// TestDecryptIfKeySet_TruncatedV2Blob asserts that a blob starting with the v2
+// magic byte but too short to contain a full v2 header does not trip an
+// out-of-bounds slice and does not succeed. It either returns an error (v1
+// fallback on the short bytes fails with "ciphertext too short") or at minimum
+// never returns plaintext.
+func TestDecryptIfKeySet_TruncatedV2Blob(t *testing.T) {
+	truncated := []byte{v2Magic, 0x00, 0x01, 0x02, 0x03} // 5 bytes — well below the 29-byte v2 minimum
+	got, err := DecryptIfKeySet(truncated, "any-passphrase")
+	if err == nil {
+		t.Fatalf("DecryptIfKeySet must reject a truncated v2 blob, got plaintext %q", got)
+	}
+	if got != nil {
+		t.Fatalf("result must be nil on decrypt error, got %q", got)
+	}
+}
+
+// TestIsLegacyFormat covers the three branches of the public magic-byte
+// heuristic: v2 blob → false, v1 blob → true, empty blob → false.
+func TestIsLegacyFormat(t *testing.T) {
+	v2Blob, _, err := EncryptIfKeySet([]byte("data"), "p")
+	if err != nil {
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
+	}
+	if IsLegacyFormat(v2Blob) {
+		t.Fatal("v2 blob must not be flagged as legacy")
+	}
+
+	// Any blob whose first byte isn't v2Magic should be reported as legacy.
+	v1Shape := []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0xFF}
+	if !IsLegacyFormat(v1Shape) {
+		t.Fatal("non-v2-magic blob must be flagged as legacy")
+	}
+
+	if IsLegacyFormat(nil) {
+		t.Fatal("nil blob must not be flagged as legacy (undefined)")
+	}
+	if IsLegacyFormat([]byte{}) {
+		t.Fatal("empty blob must not be flagged as legacy (undefined)")
+	}
+}
@@ -66,7 +66,12 @@ func TestCertificateLifecycle(t *testing.T) {
 	deploymentService := service.NewDeploymentService(jobRepo, targetRepo, agentRepo, certRepo, auditService, notificationService)
 	jobService := service.NewJobService(jobRepo, renewalService, deploymentService, logger)
 	agentService := service.NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, renewalService)
-	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, nil, slog.Default())
+	// 32-byte AES-256 test key — C-2 remediation makes IssuerService fail closed
+	// without a configured CERTCTL_CONFIG_ENCRYPTION_KEY. Happy-path CRUD tests
+	// must supply a real key so the encrypt path runs instead of returning
+	// ErrEncryptionKeyRequired.
+	testEncryptionKey := "0123456789abcdef0123456789abcdef"
+	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, testEncryptionKey, slog.Default())

 	// Initialize handlers
 	certificateHandler := handler.NewCertificateHandler(certificateService)
@@ -677,6 +682,46 @@ func (m *mockJobRepository) ListPendingByAgentID(ctx context.Context, agentID st
 	return result, nil
 }

+// ClaimPendingJobs mirrors the production H-6 semantics: Pending jobs of the given type
+// (or any type when jobType is empty) flip to Running before being returned. limit <= 0
+// means unlimited.
+func (m *mockJobRepository) ClaimPendingJobs(ctx context.Context, jobType domain.JobType, limit int) ([]*domain.Job, error) {
+	var claimed []*domain.Job
+	for _, j := range m.jobs {
+		if j.Status != domain.JobStatusPending {
+			continue
+		}
+		if jobType != "" && j.Type != jobType {
+			continue
+		}
+		j.Status = domain.JobStatusRunning
+		claimed = append(claimed, j)
+		if limit > 0 && len(claimed) >= limit {
+			break
+		}
+	}
+	return claimed, nil
+}
+
+// ClaimPendingByAgentID mirrors the production H-6 semantics: Pending deployment rows for
+// the agent flip to Running; AwaitingCSR rows are returned with state preserved.
+func (m *mockJobRepository) ClaimPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error) {
+	var result []*domain.Job
+	for _, j := range m.jobs {
+		if j.AgentID == nil || *j.AgentID != agentID {
+			continue
+		}
+		switch {
+		case j.Status == domain.JobStatusPending && j.Type == domain.JobTypeDeployment:
+			j.Status = domain.JobStatusRunning
+			result = append(result, j)
+		case j.Status == domain.JobStatusAwaitingCSR:
+			result = append(result, j)
+		}
+	}
+	return result, nil
+}
+
 type mockAuditRepository struct {
 	events []*domain.AuditEvent
 }
@@ -727,6 +772,14 @@ func (m *mockAgentRepository) Create(ctx context.Context, agent *domain.Agent) e
 	return nil
 }

+func (m *mockAgentRepository) CreateIfNotExists(ctx context.Context, agent *domain.Agent) (bool, error) {
+	if _, exists := m.agents[agent.ID]; exists {
+		return false, nil
+	}
+	m.agents[agent.ID] = agent
+	return true, nil
+}
+
 func (m *mockAgentRepository) Update(ctx context.Context, agent *domain.Agent) error {
 	m.agents[agent.ID] = agent
 	return nil
@@ -983,8 +1036,8 @@ type mockTargetService struct {
 	auditService *service.AuditService
 }

-func (m *mockTargetService) ListTargets(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
-	targets, err := m.targetRepo.List(context.Background())
+func (m *mockTargetService) ListTargets(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+	targets, err := m.targetRepo.List(ctx)
 	if err != nil {
 		return nil, 0, err
 	}
@@ -995,99 +1048,99 @@ func (m *mockTargetService) ListTargets(page, perPage int) ([]domain.DeploymentT
 	return result, int64(len(result)), nil
 }

-func (m *mockTargetService) GetTarget(id string) (*domain.DeploymentTarget, error) {
-	return m.targetRepo.Get(context.Background(), id)
+func (m *mockTargetService) GetTarget(ctx context.Context, id string) (*domain.DeploymentTarget, error) {
+	return m.targetRepo.Get(ctx, id)
 }

-func (m *mockTargetService) CreateTarget(target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
-	if err := m.targetRepo.Create(context.Background(), &target); err != nil {
+func (m *mockTargetService) CreateTarget(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+	if err := m.targetRepo.Create(ctx, &target); err != nil {
 		return nil, err
 	}
 	return &target, nil
 }

-func (m *mockTargetService) UpdateTarget(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+func (m *mockTargetService) UpdateTarget(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 	target.ID = id
-	if err := m.targetRepo.Update(context.Background(), &target); err != nil {
+	if err := m.targetRepo.Update(ctx, &target); err != nil {
 		return nil, err
 	}
 	return &target, nil
 }

-func (m *mockTargetService) DeleteTarget(id string) error {
-	return m.targetRepo.Delete(context.Background(), id)
+func (m *mockTargetService) DeleteTarget(ctx context.Context, id string) error {
+	return m.targetRepo.Delete(ctx, id)
 }

-func (m *mockTargetService) TestTargetConnection(id string) error {
+func (m *mockTargetService) TestConnection(ctx context.Context, id string) error {
 	return nil // No-op for integration tests
 }

 type mockTeamService struct{}

-func (m *mockTeamService) ListTeams(page, perPage int) ([]domain.Team, int64, error) {
+func (m *mockTeamService) ListTeams(_ context.Context, page, perPage int) ([]domain.Team, int64, error) {
 	return []domain.Team{}, 0, nil
 }

-func (m *mockTeamService) GetTeam(id string) (*domain.Team, error) {
+func (m *mockTeamService) GetTeam(_ context.Context, id string) (*domain.Team, error) {
 	return nil, fmt.Errorf("team not found")
 }

-func (m *mockTeamService) CreateTeam(team domain.Team) (*domain.Team, error) {
+func (m *mockTeamService) CreateTeam(_ context.Context, team domain.Team) (*domain.Team, error) {
 	return &team, nil
 }

-func (m *mockTeamService) UpdateTeam(id string, team domain.Team) (*domain.Team, error) {
+func (m *mockTeamService) UpdateTeam(_ context.Context, id string, team domain.Team) (*domain.Team, error) {
 	team.ID = id
 	return &team, nil
 }

-func (m *mockTeamService) DeleteTeam(id string) error {
+func (m *mockTeamService) DeleteTeam(_ context.Context, id string) error {
 	return nil
 }

 type mockOwnerService struct{}

-func (m *mockOwnerService) ListOwners(page, perPage int) ([]domain.Owner, int64, error) {
+func (m *mockOwnerService) ListOwners(_ context.Context, page, perPage int) ([]domain.Owner, int64, error) {
 	return []domain.Owner{}, 0, nil
 }

-func (m *mockOwnerService) GetOwner(id string) (*domain.Owner, error) {
+func (m *mockOwnerService) GetOwner(_ context.Context, id string) (*domain.Owner, error) {
 	return nil, fmt.Errorf("owner not found")
 }

-func (m *mockOwnerService) CreateOwner(owner domain.Owner) (*domain.Owner, error) {
+func (m *mockOwnerService) CreateOwner(_ context.Context, owner domain.Owner) (*domain.Owner, error) {
 	return &owner, nil
 }

-func (m *mockOwnerService) UpdateOwner(id string, owner domain.Owner) (*domain.Owner, error) {
+func (m *mockOwnerService) UpdateOwner(_ context.Context, id string, owner domain.Owner) (*domain.Owner, error) {
 	owner.ID = id
 	return &owner, nil
 }

-func (m *mockOwnerService) DeleteOwner(id string) error {
+func (m *mockOwnerService) DeleteOwner(_ context.Context, id string) error {
 	return nil
 }

 type mockProfileService struct{}

-func (m *mockProfileService) ListProfiles(page, perPage int) ([]domain.CertificateProfile, int64, error) {
+func (m *mockProfileService) ListProfiles(_ context.Context, page, perPage int) ([]domain.CertificateProfile, int64, error) {
 	return []domain.CertificateProfile{}, 0, nil
 }

-func (m *mockProfileService) GetProfile(id string) (*domain.CertificateProfile, error) {
+func (m *mockProfileService) GetProfile(_ context.Context, id string) (*domain.CertificateProfile, error) {
 	return nil, fmt.Errorf("profile not found")
 }

-func (m *mockProfileService) CreateProfile(profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (m *mockProfileService) CreateProfile(_ context.Context, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	return &profile, nil
 }

-func (m *mockProfileService) UpdateProfile(id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (m *mockProfileService) UpdateProfile(_ context.Context, id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	profile.ID = id
 	return &profile, nil
 }

-func (m *mockProfileService) DeleteProfile(id string) error {
+func (m *mockProfileService) DeleteProfile(_ context.Context, id string) error {
 	return nil
 }

@@ -1134,9 +1187,9 @@ func (m *mockRevocationRepository) Create(ctx context.Context, revocation *domai
 	return nil
 }

-func (m *mockRevocationRepository) GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error) {
+func (m *mockRevocationRepository) GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.CertificateRevocation, error) {
 	for _, r := range m.revocations {
-		if r.SerialNumber == serial {
+		if r.IssuerID == issuerID && r.SerialNumber == serial {
 			return r, nil
 		}
 	}
@@ -58,7 +58,12 @@ func setupTestServer(t *testing.T) (*httptest.Server, *mockCertificateRepository
 	deploymentService := service.NewDeploymentService(jobRepo, targetRepo, agentRepo, certRepo, auditService, notificationService)
 	jobService := service.NewJobService(jobRepo, renewalService, deploymentService, logger)
 	agentService := service.NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, renewalService)
-	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, nil, logger)
+	// 32-byte AES-256 test key — C-2 remediation makes IssuerService fail closed
+	// without a configured CERTCTL_CONFIG_ENCRYPTION_KEY. Happy-path CRUD tests
+	// must supply a real key so the encrypt path runs instead of returning
+	// ErrEncryptionKeyRequired.
+	testEncryptionKey := "0123456789abcdef0123456789abcdef"
+	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, testEncryptionKey, logger)

 	certificateHandler := handler.NewCertificateHandler(certificateService)
 	issuerHandler := handler.NewIssuerHandler(issuerService)
@@ -31,10 +31,15 @@ type CertificateRepository interface {

 // RevocationRepository defines operations for managing certificate revocations.
 type RevocationRepository interface {
-	// Create records a new certificate revocation.
+	// Create records a new certificate revocation. Uniqueness is scoped to
+	// (issuer_id, serial_number) per RFC 5280 §5.2.3, so duplicate serials
+	// across different issuers are permitted.
 	Create(ctx context.Context, revocation *domain.CertificateRevocation) error
-	// GetBySerial retrieves a revocation by serial number.
-	GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error)
+	// GetByIssuerAndSerial retrieves a revocation by the (issuer_id, serial_number)
+	// pair. Callers (OCSP, CRL generation) always know the issuer because
+	// protocol endpoints carry it in the request path; RFC 5280 §5.2.3 guarantees
+	// uniqueness only within a single issuer.
+	GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.CertificateRevocation, error)
 	// ListAll returns all revocations, ordered by revocation time (for CRL generation).
 	ListAll(ctx context.Context) ([]*domain.CertificateRevocation, error)
 	// ListByCertificate returns all revocations for a certificate.
@@ -85,8 +90,18 @@ type AgentRepository interface {
 	List(ctx context.Context) ([]*domain.Agent, error)
 	// Get retrieves an agent by ID.
 	Get(ctx context.Context, id string) (*domain.Agent, error)
-	// Create stores a new agent.
+	// Create stores a new agent. Callers that want duplicate-key errors surfaced
+	// (e.g. real-agent registration) must use this method; sentinel/bootstrap
+	// paths that expect the row to already exist on restart should call
+	// CreateIfNotExists instead (M-6, CWE-662).
 	Create(ctx context.Context, agent *domain.Agent) error
+	// CreateIfNotExists creates an agent only if the ID doesn't already exist
+	// (INSERT ... ON CONFLICT (id) DO NOTHING). Returns true if the row was
+	// newly inserted, false if a row with the same ID already existed. Used
+	// by the sentinel-agent bootstrap path in cmd/server/main.go so restarts
+	// and upgrades are idempotent without swallowing unrelated database
+	// failures (M-6, CWE-662).
+	CreateIfNotExists(ctx context.Context, agent *domain.Agent) (bool, error)
 	// Update modifies an existing agent.
 	Update(ctx context.Context, agent *domain.Agent) error
 	// Delete removes an agent.
@@ -115,10 +130,20 @@ type JobRepository interface {
 	ListByCertificate(ctx context.Context, certID string) ([]*domain.Job, error)
 	// UpdateStatus updates a job's status and optional error message.
 	UpdateStatus(ctx context.Context, id string, status domain.JobStatus, errMsg string) error
-	// GetPendingJobs returns jobs not yet processed of a specific type.
+	// GetPendingJobs returns jobs not yet processed of a specific type. Prefer ClaimPendingJobs in
+	// production paths where concurrent schedulers may race — see H-6 (CWE-362) remediation.
 	GetPendingJobs(ctx context.Context, jobType domain.JobType) ([]*domain.Job, error)
 	// ListPendingByAgentID returns pending deployment jobs and AwaitingCSR jobs for a specific agent.
+	// Prefer ClaimPendingByAgentID in production paths — see H-6 (CWE-362) remediation.
 	ListPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error)
+	// ClaimPendingJobs atomically claims up to `limit` Pending jobs and transitions them to Running
+	// using SELECT FOR UPDATE SKIP LOCKED inside a transaction. An empty jobType matches any type;
+	// limit <= 0 means no limit. H-6 (CWE-362) race remediation.
+	ClaimPendingJobs(ctx context.Context, jobType domain.JobType, limit int) ([]*domain.Job, error)
+	// ClaimPendingByAgentID atomically claims pending deployment jobs for an agent (flipping them
+	// to Running) and locks AwaitingCSR jobs against concurrent observers (leaving state intact,
+	// since the CSR-submission path drives the next transition). H-6 (CWE-362) race remediation.
+	ClaimPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error)
 }

 // RenewalPolicyRepository defines operations for managing renewal policies.
@@ -70,7 +70,9 @@ func (r *AgentRepository) Get(ctx context.Context, id string) (*domain.Agent, er
 	return agent, nil
 }

-// Create stores a new agent
+// Create stores a new agent. Duplicate-key errors surface to the caller —
+// real-agent registration paths rely on this to detect collisions. Use
+// CreateIfNotExists for sentinel/bootstrap paths where re-inserts are expected.
 func (r *AgentRepository) Create(ctx context.Context, agent *domain.Agent) error {
 	if agent.ID == "" {
 		agent.ID = uuid.New().String()
@@ -92,6 +94,44 @@ func (r *AgentRepository) Create(ctx context.Context, agent *domain.Agent) error
 	return nil
 }

+// CreateIfNotExists creates an agent only if the ID doesn't already exist.
+// Used for sentinel agents (server-scanner, cloud-aws-sm, cloud-azure-kv,
+// cloud-gcp-sm) on first boot AND on every subsequent restart/upgrade — the
+// pre-M-6 code used plain INSERT, swallowed the duplicate-key error, and so
+// silently swallowed every other database failure too (CWE-662 /
+// CWE-209-adjacent). ON CONFLICT (id) DO NOTHING + RETURNING id +
+// sql.ErrNoRows distinguishes "row already existed" (created=false, err=nil)
+// from genuine errors (connectivity, permission, constraint violations
+// other than the id primary key) which still surface. Returns true if the
+// row was newly inserted, false if a row with the same ID already existed.
+func (r *AgentRepository) CreateIfNotExists(ctx context.Context, agent *domain.Agent) (bool, error) {
+	if agent.ID == "" {
+		agent.ID = uuid.New().String()
+	}
+
+	var id string
+	err := r.db.QueryRowContext(ctx, `
+		INSERT INTO agents (id, name, hostname, status, last_heartbeat_at, registered_at, api_key_hash,
+		                    os, architecture, ip_address, version)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)
+		ON CONFLICT (id) DO NOTHING
+		RETURNING id
+	`, agent.ID, agent.Name, agent.Hostname, agent.Status, agent.LastHeartbeatAt,
+		agent.RegisteredAt, agent.APIKeyHash,
+		agent.OS, agent.Architecture, agent.IPAddress, agent.Version).Scan(&id)
+
+	if err != nil {
+		if err == sql.ErrNoRows {
+			// ON CONFLICT DO NOTHING — a row with this ID already existed.
+			return false, nil
+		}
+		return false, fmt.Errorf("failed to create agent: %w", err)
+	}
+
+	agent.ID = id
+	return true, nil
+}
+
 // Update modifies an existing agent
 func (r *AgentRepository) Update(ctx context.Context, agent *domain.Agent) error {
 	result, err := r.db.ExecContext(ctx, `
@@ -190,18 +190,65 @@ func (r *CertificateRepository) List(ctx context.Context, filter *repository.Cer
 	defer rows.Close()

 	var certs []*domain.ManagedCertificate
+	var certIDs []string
 	for rows.Next() {
-		cert, err := scanCertificate(rows)
+		var cert domain.ManagedCertificate
+		var tagsJSON []byte
+		var sans pq.StringArray
+		var profileID sql.NullString
+		var revocationReason sql.NullString
+
+		err := rows.Scan(
+			&cert.ID, &cert.Name, &cert.CommonName, &sans, &cert.Environment, &cert.OwnerID,
+			&cert.TeamID, &cert.IssuerID, &cert.RenewalPolicyID, &profileID,
+			&cert.Status, &cert.ExpiresAt, &tagsJSON,
+			&cert.LastRenewalAt, &cert.LastDeploymentAt, &cert.RevokedAt, &revocationReason,
+			&cert.CreatedAt, &cert.UpdatedAt)
+
 		if err != nil {
-			return nil, 0, err
+			return nil, 0, fmt.Errorf("failed to scan certificate: %w", err)
 		}
-		certs = append(certs, cert)
+
+		cert.SANs = []string(sans)
+		if profileID.Valid {
+			cert.CertificateProfileID = profileID.String
+		}
+		if revocationReason.Valid {
+			cert.RevocationReason = revocationReason.String
+		}
+
+		// Unmarshal tags
+		if len(tagsJSON) > 0 {
+			if err := json.Unmarshal(tagsJSON, &cert.Tags); err != nil {
+				return nil, 0, fmt.Errorf("failed to unmarshal tags: %w", err)
+			}
+		} else {
+			cert.Tags = make(map[string]string)
+		}
+
+		certs = append(certs, &cert)
+		certIDs = append(certIDs, cert.ID)
 	}

 	if err := rows.Err(); err != nil {
 		return nil, 0, fmt.Errorf("error iterating certificate rows: %w", err)
 	}

+	// Fetch target IDs for all certificates in a single query (avoid N+1)
+	if len(certIDs) > 0 {
+		targetIDsMap, err := r.getTargetIDsForCertificates(ctx, certIDs)
+		if err != nil {
+			return nil, 0, err
+		}
+		for _, cert := range certs {
+			if targetIDs, ok := targetIDsMap[cert.ID]; ok {
+				cert.TargetIDs = targetIDs
+			} else {
+				cert.TargetIDs = []string{}
+			}
+		}
+	}
+
 	return certs, total, nil
 }

@@ -214,7 +261,7 @@ func (r *CertificateRepository) Get(ctx context.Context, id string) (*domain.Man
 		WHERE id = $1
 	`, id)

-	cert, err := scanCertificate(row)
+	cert, err := r.scanCertificate(ctx, row)
 	if err != nil {
 		if err == sql.ErrNoRows {
 			return nil, fmt.Errorf("certificate not found")
@@ -421,18 +468,65 @@ func (r *CertificateRepository) GetExpiringCertificates(ctx context.Context, bef
 	defer rows.Close()

 	var certs []*domain.ManagedCertificate
+	var certIDs []string
 	for rows.Next() {
-		cert, err := scanCertificate(rows)
+		var cert domain.ManagedCertificate
+		var tagsJSON []byte
+		var sans pq.StringArray
+		var profileID sql.NullString
+		var revocationReason sql.NullString
+
+		err := rows.Scan(
+			&cert.ID, &cert.Name, &cert.CommonName, &sans, &cert.Environment, &cert.OwnerID,
+			&cert.TeamID, &cert.IssuerID, &cert.RenewalPolicyID, &profileID,
+			&cert.Status, &cert.ExpiresAt, &tagsJSON,
+			&cert.LastRenewalAt, &cert.LastDeploymentAt, &cert.RevokedAt, &revocationReason,
+			&cert.CreatedAt, &cert.UpdatedAt)
+
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to scan certificate: %w", err)
 		}
-		certs = append(certs, cert)
+
+		cert.SANs = []string(sans)
+		if profileID.Valid {
+			cert.CertificateProfileID = profileID.String
+		}
+		if revocationReason.Valid {
+			cert.RevocationReason = revocationReason.String
+		}
+
+		// Unmarshal tags
+		if len(tagsJSON) > 0 {
+			if err := json.Unmarshal(tagsJSON, &cert.Tags); err != nil {
+				return nil, fmt.Errorf("failed to unmarshal tags: %w", err)
+			}
+		} else {
+			cert.Tags = make(map[string]string)
+		}
+
+		certs = append(certs, &cert)
+		certIDs = append(certIDs, cert.ID)
 	}

 	if err := rows.Err(); err != nil {
 		return nil, fmt.Errorf("error iterating expiring certificate rows: %w", err)
 	}

+	// Fetch target IDs for all certificates in a single query (avoid N+1)
+	if len(certIDs) > 0 {
+		targetIDsMap, err := r.getTargetIDsForCertificates(ctx, certIDs)
+		if err != nil {
+			return nil, err
+		}
+		for _, cert := range certs {
+			if targetIDs, ok := targetIDsMap[cert.ID]; ok {
+				cert.TargetIDs = targetIDs
+			} else {
+				cert.TargetIDs = []string{}
+			}
+		}
+	}
+
 	return certs, nil
 }

@@ -462,8 +556,76 @@ func (r *CertificateRepository) GetLatestVersion(ctx context.Context, certID str
 	return &v, nil
 }

-// scanCertificate scans a certificate from a row or rows
-func scanCertificate(scanner interface {
+// getTargetIDs retrieves all target IDs for a given certificate from the junction table.
+// Returns an empty slice (not nil) if no targets are found.
+func (r *CertificateRepository) getTargetIDs(ctx context.Context, certID string) ([]string, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT target_id FROM certificate_target_mappings
+		WHERE certificate_id = $1
+		ORDER BY target_id ASC
+	`, certID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query target mappings: %w", err)
+	}
+	defer rows.Close()
+
+	var targetIDs []string
+	for rows.Next() {
+		var targetID string
+		if err := rows.Scan(&targetID); err != nil {
+			return nil, fmt.Errorf("failed to scan target ID: %w", err)
+		}
+		targetIDs = append(targetIDs, targetID)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating target ID rows: %w", err)
+	}
+
+	// Return empty slice instead of nil for consistency with JSON marshaling
+	if targetIDs == nil {
+		targetIDs = []string{}
+	}
+
+	return targetIDs, nil
+}
+
+// getTargetIDsForCertificates retrieves target IDs for multiple certificates in a single query.
+// Returns a map of certificate_id -> []target_id.
+func (r *CertificateRepository) getTargetIDsForCertificates(ctx context.Context, certIDs []string) (map[string][]string, error) {
+	if len(certIDs) == 0 {
+		return make(map[string][]string), nil
+	}
+
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT certificate_id, target_id FROM certificate_target_mappings
+		WHERE certificate_id = ANY($1)
+		ORDER BY certificate_id, target_id ASC
+	`, pq.Array(certIDs))
+	if err != nil {
+		return nil, fmt.Errorf("failed to query target mappings: %w", err)
+	}
+	defer rows.Close()
+
+	targetIDsMap := make(map[string][]string)
+	for rows.Next() {
+		var certID, targetID string
+		if err := rows.Scan(&certID, &targetID); err != nil {
+			return nil, fmt.Errorf("failed to scan target mapping: %w", err)
+		}
+		targetIDsMap[certID] = append(targetIDsMap[certID], targetID)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating target mapping rows: %w", err)
+	}
+
+	return targetIDsMap, nil
+}
+
+// scanCertificate scans a certificate from a row or rows and populates its TargetIDs
+// by querying the certificate_target_mappings junction table.
+func (r *CertificateRepository) scanCertificate(ctx context.Context, scanner interface {
 	Scan(...interface{}) error
 }) (*domain.ManagedCertificate, error) {
 	var cert domain.ManagedCertificate
@@ -500,6 +662,13 @@ func scanCertificate(scanner interface {
 		cert.Tags = make(map[string]string)
 	}

+	// Populate TargetIDs from junction table
+	targetIDs, err := r.getTargetIDs(ctx, cert.ID)
+	if err != nil {
+		return nil, err
+	}
+	cert.TargetIDs = targetIDs
+
 	return &cert, nil
 }

@@ -0,0 +1,322 @@
+// Package postgres_test — integration tests for M-7: Certificate.TargetIDs
+// must be populated from certificate_target_mappings on read.
+//
+// Before M-7 the repository scan helper never consulted the junction table, so
+// Get / List / GetExpiringCertificates always returned empty TargetIDs even when
+// rows existed in certificate_target_mappings. These tests exercise all three
+// read paths end-to-end against a real PostgreSQL 16 container.
+//
+// Runs against the shared testcontainer from testutil_test.go. Skipped when
+// `-short` is set (CI uses short mode; local runs pick it up by default).
+package postgres_test
+
+import (
+	"context"
+	"database/sql"
+	"testing"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository/postgres"
+)
+
+// insertAgentAndTargetsRaw creates one agent and N deployment_targets, returns
+// the agent ID and the list of target IDs (in insertion order).
+func insertAgentAndTargetsRaw(t *testing.T, db *sql.DB, ctx context.Context, suffix string, n int) (agentID string, targetIDs []string) {
+	t.Helper()
+	now := time.Now().Truncate(time.Microsecond)
+	agentID = "agent-" + suffix
+
+	_, err := db.ExecContext(ctx, `
+		INSERT INTO agents (id, name, hostname, status, registered_at, api_key_hash)
+		VALUES ($1, $2, $3, $4, $5, $6)
+	`, agentID, "agent-"+suffix, "host-"+suffix, "online", now, "hash-"+suffix)
+	if err != nil {
+		t.Fatalf("insertAgent failed: %v", err)
+	}
+
+	for i := 0; i < n; i++ {
+		tid := "t-" + suffix + "-" + intToStr(i)
+		_, err := db.ExecContext(ctx, `
+			INSERT INTO deployment_targets (id, name, type, agent_id, config, enabled, created_at, updated_at)
+			VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+		`, tid, tid, "NGINX", agentID, []byte(`{}`), true, now, now)
+		if err != nil {
+			t.Fatalf("insertTarget %d failed: %v", i, err)
+		}
+		targetIDs = append(targetIDs, tid)
+	}
+	return agentID, targetIDs
+}
+
+// intToStr converts a non-negative int to its decimal string.
+// Local helper to avoid importing strconv for a single use.
+func intToStr(n int) string {
+	if n == 0 {
+		return "0"
+	}
+	var buf [20]byte
+	i := len(buf)
+	for n > 0 {
+		i--
+		buf[i] = byte('0' + n%10)
+		n /= 10
+	}
+	return string(buf[i:])
+}
+
+// insertCertificateRow writes a minimal managed_certificates row via raw SQL.
+// Bypasses the repository Create so we can isolate read-path tests from any
+// write-path behavior. managed_certificates.sans is TEXT[], written here as an
+// empty array literal.
+func insertCertificateRow(t *testing.T, db *sql.DB, ctx context.Context, certID, ownerID, teamID, issuerID, policyID string, expiresAt time.Time) {
+	t.Helper()
+	now := time.Now().Truncate(time.Microsecond)
+	_, err := db.ExecContext(ctx, `
+		INSERT INTO managed_certificates (
+			id, name, common_name, sans, environment,
+			owner_id, team_id, issuer_id, renewal_policy_id,
+			status, expires_at, tags,
+			created_at, updated_at
+		) VALUES (
+			$1, $2, $3, ARRAY[]::TEXT[], $4,
+			$5, $6, $7, $8,
+			$9, $10, $11,
+			$12, $13
+		)
+	`,
+		certID, certID, certID+".example.com", "production",
+		ownerID, teamID, issuerID, policyID,
+		string(domain.CertificateStatusActive), expiresAt, []byte(`{}`),
+		now, now,
+	)
+	if err != nil {
+		t.Fatalf("insertCertificateRow failed: %v", err)
+	}
+}
+
+// insertMapping writes a single row into certificate_target_mappings via raw SQL.
+func insertMapping(t *testing.T, db *sql.DB, ctx context.Context, certID, targetID string) {
+	t.Helper()
+	_, err := db.ExecContext(ctx,
+		`INSERT INTO certificate_target_mappings (certificate_id, target_id) VALUES ($1, $2)`,
+		certID, targetID)
+	if err != nil {
+		t.Fatalf("insertMapping(%s, %s) failed: %v", certID, targetID, err)
+	}
+}
+
+// --------------------------------------------------------------------
+// Get() — single-cert read path
+// --------------------------------------------------------------------
+
+// TestGet_PopulatesTargetIDs_NoMappings: no mapping rows → TargetIDs must be
+// an empty slice, not nil, so JSON serialisation emits "[]".
+func TestGet_PopulatesTargetIDs_NoMappings(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewCertificateRepository(db)
+	ctx := context.Background()
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "getnone")
+	certID := "mc-getnone"
+	insertCertificateRow(t, db, ctx, certID, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
+
+	got, err := repo.Get(ctx, certID)
+	if err != nil {
+		t.Fatalf("Get failed: %v", err)
+	}
+	if got.TargetIDs == nil {
+		t.Fatalf("TargetIDs = nil, want empty slice (JSON serialises nil as null and [] as [])")
+	}
+	if len(got.TargetIDs) != 0 {
+		t.Errorf("len(TargetIDs) = %d, want 0; got %v", len(got.TargetIDs), got.TargetIDs)
+	}
+}
+
+// TestGet_PopulatesTargetIDs_SingleTarget: one mapping → one entry.
+func TestGet_PopulatesTargetIDs_SingleTarget(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewCertificateRepository(db)
+	ctx := context.Background()
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "getone")
+	_, targets := insertAgentAndTargetsRaw(t, db, ctx, "getone", 1)
+
+	certID := "mc-getone"
+	insertCertificateRow(t, db, ctx, certID, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
+	insertMapping(t, db, ctx, certID, targets[0])
+
+	got, err := repo.Get(ctx, certID)
+	if err != nil {
+		t.Fatalf("Get failed: %v", err)
+	}
+	if len(got.TargetIDs) != 1 {
+		t.Fatalf("len(TargetIDs) = %d, want 1; got %v", len(got.TargetIDs), got.TargetIDs)
+	}
+	if got.TargetIDs[0] != targets[0] {
+		t.Errorf("TargetIDs[0] = %q, want %q", got.TargetIDs[0], targets[0])
+	}
+}
+
+// TestGet_PopulatesTargetIDs_MultipleTargets: many mappings → sorted by target_id ASC.
+func TestGet_PopulatesTargetIDs_MultipleTargets(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewCertificateRepository(db)
+	ctx := context.Background()
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "getmany")
+	_, targets := insertAgentAndTargetsRaw(t, db, ctx, "getmany", 3)
+
+	certID := "mc-getmany"
+	insertCertificateRow(t, db, ctx, certID, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
+	// Insert mappings in reverse order to confirm ORDER BY target_id ASC in the query.
+	insertMapping(t, db, ctx, certID, targets[2])
+	insertMapping(t, db, ctx, certID, targets[0])
+	insertMapping(t, db, ctx, certID, targets[1])
+
+	got, err := repo.Get(ctx, certID)
+	if err != nil {
+		t.Fatalf("Get failed: %v", err)
+	}
+	if len(got.TargetIDs) != 3 {
+		t.Fatalf("len(TargetIDs) = %d, want 3; got %v", len(got.TargetIDs), got.TargetIDs)
+	}
+	// Ascending order: t-getmany-0, t-getmany-1, t-getmany-2
+	want := []string{targets[0], targets[1], targets[2]}
+	for i, tid := range want {
+		if got.TargetIDs[i] != tid {
+			t.Errorf("TargetIDs[%d] = %q, want %q (full: %v)", i, got.TargetIDs[i], tid, got.TargetIDs)
+		}
+	}
+}
+
+// --------------------------------------------------------------------
+// List() — batch read path, must avoid N+1
+// --------------------------------------------------------------------
+
+// TestList_PopulatesTargetIDs_BatchFetch: three certs with different mapping counts;
+// all must have their TargetIDs populated correctly, and the cert with no mapping
+// must get an empty (non-nil) slice.
+func TestList_PopulatesTargetIDs_BatchFetch(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewCertificateRepository(db)
+	ctx := context.Background()
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "listbatch")
+	_, targets := insertAgentAndTargetsRaw(t, db, ctx, "listbatch", 3)
+
+	certA := "mc-list-a"
+	certB := "mc-list-b"
+	certC := "mc-list-c"
+	insertCertificateRow(t, db, ctx, certA, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
+	insertCertificateRow(t, db, ctx, certB, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
+	insertCertificateRow(t, db, ctx, certC, ownerID, teamID, issuerID, policyID, time.Now().Add(30*24*time.Hour))
+
+	// certA → 2 targets (t-0, t-1)
+	insertMapping(t, db, ctx, certA, targets[0])
+	insertMapping(t, db, ctx, certA, targets[1])
+	// certB → 1 target (t-2)
+	insertMapping(t, db, ctx, certB, targets[2])
+	// certC → 0 targets
+
+	got, total, err := repo.List(ctx, nil)
+	if err != nil {
+		t.Fatalf("List failed: %v", err)
+	}
+	if total < 3 {
+		t.Fatalf("total = %d, want >= 3", total)
+	}
+
+	want := map[string][]string{
+		certA: {targets[0], targets[1]},
+		certB: {targets[2]},
+		certC: {},
+	}
+	seen := map[string]bool{}
+	for _, c := range got {
+		exp, ok := want[c.ID]
+		if !ok {
+			continue
+		}
+		seen[c.ID] = true
+		if c.TargetIDs == nil {
+			t.Errorf("cert %s: TargetIDs = nil, want %v", c.ID, exp)
+			continue
+		}
+		if len(c.TargetIDs) != len(exp) {
+			t.Errorf("cert %s: len(TargetIDs) = %d, want %d (got %v, want %v)", c.ID, len(c.TargetIDs), len(exp), c.TargetIDs, exp)
+			continue
+		}
+		for i, tid := range exp {
+			if c.TargetIDs[i] != tid {
+				t.Errorf("cert %s: TargetIDs[%d] = %q, want %q", c.ID, i, c.TargetIDs[i], tid)
+			}
+		}
+	}
+	for id := range want {
+		if !seen[id] {
+			t.Errorf("cert %s missing from List() result", id)
+		}
+	}
+}
+
+// --------------------------------------------------------------------
+// GetExpiringCertificates() — scheduler read path
+// --------------------------------------------------------------------
+
+// TestGetExpiringCertificates_PopulatesTargetIDs: expiring certs must also carry
+// their mapping information so renewal-triggered deployments can route work.
+func TestGetExpiringCertificates_PopulatesTargetIDs(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewCertificateRepository(db)
+	ctx := context.Background()
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "expiring")
+	_, targets := insertAgentAndTargetsRaw(t, db, ctx, "expiring", 2)
+
+	// Two expiring certs (expires in 3 days). Threshold = 7 days → both selected.
+	certA := "mc-exp-a"
+	certB := "mc-exp-b"
+	expiresSoon := time.Now().Add(3 * 24 * time.Hour)
+	insertCertificateRow(t, db, ctx, certA, ownerID, teamID, issuerID, policyID, expiresSoon)
+	insertCertificateRow(t, db, ctx, certB, ownerID, teamID, issuerID, policyID, expiresSoon)
+
+	insertMapping(t, db, ctx, certA, targets[0])
+	insertMapping(t, db, ctx, certA, targets[1])
+	// certB has no mappings.
+
+	threshold := time.Now().Add(7 * 24 * time.Hour)
+	got, err := repo.GetExpiringCertificates(ctx, threshold)
+	if err != nil {
+		t.Fatalf("GetExpiringCertificates failed: %v", err)
+	}
+
+	found := map[string]*domain.ManagedCertificate{}
+	for _, c := range got {
+		found[c.ID] = c
+	}
+
+	a, ok := found[certA]
+	if !ok {
+		t.Fatalf("cert %s not in expiring list", certA)
+	}
+	if len(a.TargetIDs) != 2 || a.TargetIDs[0] != targets[0] || a.TargetIDs[1] != targets[1] {
+		t.Errorf("cert %s: TargetIDs = %v, want %v", certA, a.TargetIDs, []string{targets[0], targets[1]})
+	}
+
+	b, ok := found[certB]
+	if !ok {
+		t.Fatalf("cert %s not in expiring list", certB)
+	}
+	if b.TargetIDs == nil {
+		t.Errorf("cert %s: TargetIDs = nil, want empty slice", certB)
+	}
+	if len(b.TargetIDs) != 0 {
+		t.Errorf("cert %s: len(TargetIDs) = %d, want 0", certB, len(b.TargetIDs))
+	}
+}
@@ -237,7 +237,14 @@ func (r *JobRepository) UpdateStatus(ctx context.Context, id string, status doma
 	return nil
 }

-// GetPendingJobs returns jobs not yet processed of a specific type
+// GetPendingJobs returns jobs not yet processed of a specific type.
+//
+// The SELECT uses FOR UPDATE SKIP LOCKED so that concurrent scheduler replicas
+// cannot observe the same rows when invoked inside a transaction; combine with
+// a subsequent UPDATE to Running for correct dispatch semantics. For the
+// standard production dispatch path, prefer ClaimPendingJobs which wraps the
+// lock, read, and state transition in a single transaction and is the
+// authoritative race-free claim primitive (CWE-362 fix for H-6).
 func (r *JobRepository) GetPendingJobs(ctx context.Context, jobType domain.JobType) ([]*domain.Job, error) {
 	rows, err := r.db.QueryContext(ctx, `
 		SELECT id, type, certificate_id, target_id, agent_id, status, attempts, max_attempts,
@@ -245,6 +252,7 @@ func (r *JobRepository) GetPendingJobs(ctx context.Context, jobType domain.JobTy
 		FROM jobs
 		WHERE type = $1 AND status = $2
 		ORDER BY scheduled_at ASC
+		FOR UPDATE SKIP LOCKED
 	`, jobType, domain.JobStatusPending)

 	if err != nil {
@@ -268,10 +276,115 @@ func (r *JobRepository) GetPendingJobs(ctx context.Context, jobType domain.JobTy
 	return jobs, nil
 }

-// ListPendingByAgentID returns pending deployment jobs and AwaitingCSR jobs for a specific agent.
-// Deployment jobs are matched by agent_id directly (set at creation time), with a fallback
-// for legacy jobs where agent_id is NULL but target_id resolves to the agent via deployment_targets.
-// AwaitingCSR jobs are matched through certificate → target mappings → agent ownership.
+// ClaimPendingJobs atomically claims up to `limit` Pending jobs and transitions
+// them to Running inside a single transaction. The SELECT uses FOR UPDATE SKIP
+// LOCKED so concurrent scheduler replicas observe disjoint result sets — each
+// row can be claimed by exactly one caller per tick (CWE-362 fix for H-6).
+//
+// Passing an empty jobType claims any type. Passing limit<=0 claims all
+// available rows. The claimed rows are returned with Status already set to
+// domain.JobStatusRunning.
+//
+// Downstream processors (ProcessRenewalJob, ProcessDeploymentJob) already call
+// UpdateStatus(Running) unconditionally on entry, so this pre-flip is
+// idempotent with respect to existing processing logic.
+func (r *JobRepository) ClaimPendingJobs(ctx context.Context, jobType domain.JobType, limit int) ([]*domain.Job, error) {
+	tx, err := r.db.BeginTx(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to begin claim transaction: %w", err)
+	}
+	// Rollback is a no-op after Commit — safe deferred cleanup if an error path
+	// triggers an early return before Commit().
+	defer func() { _ = tx.Rollback() }()
+
+	// Build the SELECT — jobType="" means any type, limit<=0 means unlimited.
+	query := `
+		SELECT id, type, certificate_id, target_id, agent_id, status, attempts, max_attempts,
+		       last_error, scheduled_at, started_at, completed_at, created_at
+		FROM jobs
+		WHERE status = $1`
+	args := []interface{}{domain.JobStatusPending}
+	if jobType != "" {
+		query += ` AND type = $2`
+		args = append(args, jobType)
+	}
+	query += `
+		ORDER BY scheduled_at ASC
+		FOR UPDATE SKIP LOCKED`
+	if limit > 0 {
+		query += fmt.Sprintf(` LIMIT %d`, limit)
+	}
+
+	rows, err := tx.QueryContext(ctx, query, args...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query claimable jobs: %w", err)
+	}
+
+	var jobs []*domain.Job
+	for rows.Next() {
+		job, err := scanJob(rows)
+		if err != nil {
+			rows.Close()
+			return nil, err
+		}
+		jobs = append(jobs, job)
+	}
+	if err := rows.Err(); err != nil {
+		rows.Close()
+		return nil, fmt.Errorf("error iterating claimable job rows: %w", err)
+	}
+	rows.Close()
+
+	if len(jobs) == 0 {
+		// No rows to claim — commit the (read-only) tx and return.
+		if err := tx.Commit(); err != nil {
+			return nil, fmt.Errorf("failed to commit empty claim tx: %w", err)
+		}
+		return nil, nil
+	}
+
+	// Flip claimed rows to Running. Build IN clause safely with placeholders.
+	ids := make([]interface{}, len(jobs))
+	placeholders := make([]byte, 0, len(jobs)*5)
+	for i, job := range jobs {
+		ids[i] = job.ID
+		if i > 0 {
+			placeholders = append(placeholders, ',')
+		}
+		placeholders = append(placeholders, fmt.Sprintf("$%d", i+2)...)
+	}
+	updateQuery := fmt.Sprintf(
+		`UPDATE jobs SET status = $1 WHERE id IN (%s)`,
+		string(placeholders),
+	)
+	updateArgs := append([]interface{}{domain.JobStatusRunning}, ids...)
+	if _, err := tx.ExecContext(ctx, updateQuery, updateArgs...); err != nil {
+		return nil, fmt.Errorf("failed to transition claimed jobs to Running: %w", err)
+	}
+
+	if err := tx.Commit(); err != nil {
+		return nil, fmt.Errorf("failed to commit claim transaction: %w", err)
+	}
+
+	// Reflect the committed state in the returned objects.
+	for _, job := range jobs {
+		job.Status = domain.JobStatusRunning
+	}
+
+	return jobs, nil
+}
+
+// ListPendingByAgentID returns pending deployment jobs and AwaitingCSR jobs for
+// a specific agent. Deployment jobs are matched by agent_id directly (set at
+// creation time), with a fallback for legacy jobs where agent_id is NULL but
+// target_id resolves to the agent via deployment_targets. AwaitingCSR jobs are
+// matched through certificate → target mappings → agent ownership.
+//
+// The SELECT uses FOR UPDATE SKIP LOCKED so concurrent pollers (e.g. two agent
+// instances running with the same agent_id) cannot observe the same rows when
+// this method is invoked inside a transaction. For the production agent work
+// poll path, prefer ClaimPendingByAgentID which additionally transitions
+// claimed Pending deployment rows to Running atomically (H-6 CWE-362 fix).
 func (r *JobRepository) ListPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error) {
 	rows, err := r.db.QueryContext(ctx, `
 		SELECT id, type, certificate_id, target_id, agent_id, status, attempts, max_attempts,
@@ -326,6 +439,137 @@ func (r *JobRepository) ListPendingByAgentID(ctx context.Context, agentID string
 	return jobs, nil
 }

+// ClaimPendingByAgentID atomically claims agent work inside a single
+// transaction. Pending Deployment jobs assigned to the agent (directly via
+// agent_id, or via legacy target→agent fallback) are transitioned from
+// Pending to Running. AwaitingCSR Renewal/Issuance jobs linked to the agent
+// via certificate → target mappings are locked with FOR UPDATE SKIP LOCKED
+// and returned without a state transition — the flow requires the agent to
+// submit a CSR to advance state, and pre-flipping AwaitingCSR would violate
+// the renewal state machine (CWE-362 fix for H-6).
+//
+// Claimed rows are invisible to other concurrent claim calls for the lifetime
+// of the transaction; rows claimed as Running remain invisible after commit
+// because ListPendingByAgentID's filter is status='Pending'.
+func (r *JobRepository) ClaimPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error) {
+	tx, err := r.db.BeginTx(ctx, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to begin agent claim transaction: %w", err)
+	}
+	defer func() { _ = tx.Rollback() }()
+
+	// Branch 1 + 2: Pending Deployment jobs (direct agent_id match or legacy
+	// target fallback). These get flipped to Running atomically below.
+	pendingRows, err := tx.QueryContext(ctx, `
+		SELECT id, type, certificate_id, target_id, agent_id, status, attempts, max_attempts,
+		       last_error, scheduled_at, started_at, completed_at, created_at
+		FROM jobs
+		WHERE agent_id = $1 AND status = 'Pending' AND type = 'Deployment'
+
+		UNION ALL
+
+		SELECT j.id, j.type, j.certificate_id, j.target_id, j.agent_id, j.status, j.attempts, j.max_attempts,
+		       j.last_error, j.scheduled_at, j.started_at, j.completed_at, j.created_at
+		FROM jobs j
+		INNER JOIN deployment_targets dt ON j.target_id = dt.id
+		WHERE j.agent_id IS NULL AND j.status = 'Pending' AND j.type = 'Deployment'
+		  AND dt.agent_id = $1
+
+		ORDER BY created_at ASC
+		FOR UPDATE SKIP LOCKED
+	`, agentID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query pending deployment jobs for agent: %w", err)
+	}
+
+	var pendingJobs []*domain.Job
+	for pendingRows.Next() {
+		job, err := scanJob(pendingRows)
+		if err != nil {
+			pendingRows.Close()
+			return nil, err
+		}
+		pendingJobs = append(pendingJobs, job)
+	}
+	if err := pendingRows.Err(); err != nil {
+		pendingRows.Close()
+		return nil, fmt.Errorf("error iterating pending deployment rows: %w", err)
+	}
+	pendingRows.Close()
+
+	// Branch 3: AwaitingCSR jobs for this agent. Locked with FOR UPDATE SKIP
+	// LOCKED to prevent duplicate delivery to concurrent pollers, but state is
+	// NOT transitioned — the agent advances state via CSR submission.
+	csrRows, err := tx.QueryContext(ctx, `
+		SELECT j.id, j.type, j.certificate_id, j.target_id, j.agent_id, j.status, j.attempts, j.max_attempts,
+		       j.last_error, j.scheduled_at, j.started_at, j.completed_at, j.created_at
+		FROM jobs j
+		WHERE j.status = 'AwaitingCSR'
+		  AND j.type IN ('Renewal', 'Issuance')
+		  AND EXISTS (
+		    SELECT 1 FROM certificate_target_mappings ctm
+		    INNER JOIN deployment_targets dt ON ctm.target_id = dt.id
+		    WHERE ctm.certificate_id = j.certificate_id
+		      AND dt.agent_id = $1
+		  )
+		ORDER BY j.created_at ASC
+		FOR UPDATE SKIP LOCKED
+	`, agentID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to query AwaitingCSR jobs for agent: %w", err)
+	}
+
+	var csrJobs []*domain.Job
+	for csrRows.Next() {
+		job, err := scanJob(csrRows)
+		if err != nil {
+			csrRows.Close()
+			return nil, err
+		}
+		csrJobs = append(csrJobs, job)
+	}
+	if err := csrRows.Err(); err != nil {
+		csrRows.Close()
+		return nil, fmt.Errorf("error iterating AwaitingCSR rows: %w", err)
+	}
+	csrRows.Close()
+
+	// Transition locked Pending deployments to Running before commit.
+	if len(pendingJobs) > 0 {
+		ids := make([]interface{}, len(pendingJobs))
+		placeholders := make([]byte, 0, len(pendingJobs)*5)
+		for i, job := range pendingJobs {
+			ids[i] = job.ID
+			if i > 0 {
+				placeholders = append(placeholders, ',')
+			}
+			placeholders = append(placeholders, fmt.Sprintf("$%d", i+2)...)
+		}
+		updateQuery := fmt.Sprintf(
+			`UPDATE jobs SET status = $1 WHERE id IN (%s)`,
+			string(placeholders),
+		)
+		updateArgs := append([]interface{}{domain.JobStatusRunning}, ids...)
+		if _, err := tx.ExecContext(ctx, updateQuery, updateArgs...); err != nil {
+			return nil, fmt.Errorf("failed to transition claimed deployment jobs to Running: %w", err)
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return nil, fmt.Errorf("failed to commit agent claim transaction: %w", err)
+	}
+
+	// Reflect the committed state in returned Pending deployment jobs; leave
+	// AwaitingCSR jobs untouched.
+	for _, job := range pendingJobs {
+		job.Status = domain.JobStatusRunning
+	}
+
+	// Preserve the legacy ordering: Pending deployments first, AwaitingCSR
+	// second. Callers that want a strict created_at merge can re-sort.
+	return append(pendingJobs, csrJobs...), nil
+}
+
 // scanJob scans a job from a row or rows
 func scanJob(scanner interface {
 	Scan(...interface{}) error
@@ -7,6 +7,9 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
+	"fmt"
+	"sync"
+	"sync/atomic"
 	"testing"
 	"time"

@@ -454,6 +457,193 @@ func TestAgentRepository_Delete_NotFound(t *testing.T) {
 	}
 }

+// TestAgentRepository_CreateIfNotExists_FirstInsert verifies that a brand-new
+// sentinel agent row is inserted and the helper reports created=true (M-6).
+func TestAgentRepository_CreateIfNotExists_FirstInsert(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewAgentRepository(db)
+	ctx := context.Background()
+
+	now := time.Now().Truncate(time.Microsecond)
+	agent := &domain.Agent{
+		ID:           "server-scanner",
+		Name:         "Network Scanner (Server-Side)",
+		Status:       domain.AgentStatusOnline,
+		RegisteredAt: now,
+	}
+
+	created, err := repo.CreateIfNotExists(ctx, agent)
+	if err != nil {
+		t.Fatalf("CreateIfNotExists failed: %v", err)
+	}
+	if !created {
+		t.Error("created = false on first insert, want true")
+	}
+
+	got, err := repo.Get(ctx, "server-scanner")
+	if err != nil {
+		t.Fatalf("Get failed: %v", err)
+	}
+	if got.Name != "Network Scanner (Server-Side)" {
+		t.Errorf("Name = %q, want %q", got.Name, "Network Scanner (Server-Side)")
+	}
+}
+
+// TestAgentRepository_CreateIfNotExists_Idempotent verifies that a second
+// call with the same ID returns created=false and err=nil without mutating
+// the existing row — the core M-6 upgrade/restart scenario (CWE-662).
+func TestAgentRepository_CreateIfNotExists_Idempotent(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewAgentRepository(db)
+	ctx := context.Background()
+
+	now := time.Now().Truncate(time.Microsecond)
+	first := &domain.Agent{
+		ID:           "cloud-aws-sm",
+		Name:         "AWS Secrets Manager Discovery",
+		Status:       domain.AgentStatusOnline,
+		RegisteredAt: now,
+	}
+	created, err := repo.CreateIfNotExists(ctx, first)
+	if err != nil {
+		t.Fatalf("first CreateIfNotExists failed: %v", err)
+	}
+	if !created {
+		t.Fatal("first created = false, want true")
+	}
+
+	// Second call with the same ID but a different name must be a no-op.
+	second := &domain.Agent{
+		ID:           "cloud-aws-sm",
+		Name:         "Overwritten Name Should Not Persist",
+		Status:       domain.AgentStatusOffline,
+		RegisteredAt: now.Add(time.Hour),
+	}
+	created, err = repo.CreateIfNotExists(ctx, second)
+	if err != nil {
+		t.Fatalf("second CreateIfNotExists failed: %v", err)
+	}
+	if created {
+		t.Error("second created = true, want false (row already existed)")
+	}
+
+	// Row must still reflect the original insert.
+	got, err := repo.Get(ctx, "cloud-aws-sm")
+	if err != nil {
+		t.Fatalf("Get failed: %v", err)
+	}
+	if got.Name != "AWS Secrets Manager Discovery" {
+		t.Errorf("Name = %q, want %q (ON CONFLICT DO NOTHING must preserve original row)", got.Name, "AWS Secrets Manager Discovery")
+	}
+	if got.Status != domain.AgentStatusOnline {
+		t.Errorf("Status = %q, want %q", got.Status, domain.AgentStatusOnline)
+	}
+}
+
+// TestAgentRepository_CreateIfNotExists_ConcurrentRace fires N concurrent
+// inserts for the same sentinel ID. Exactly one goroutine must see
+// created=true; every other must see created=false and err=nil. No panics,
+// no duplicate rows, no swallowed errors. This is the scenario that the
+// pre-M-6 plain-INSERT path masked with a blanket error log.
+func TestAgentRepository_CreateIfNotExists_ConcurrentRace(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewAgentRepository(db)
+	ctx := context.Background()
+
+	const N = 16
+	now := time.Now().Truncate(time.Microsecond)
+
+	var (
+		wg           sync.WaitGroup
+		createdCount int64
+		errorCount   int64
+	)
+	wg.Add(N)
+	for i := 0; i < N; i++ {
+		go func() {
+			defer wg.Done()
+			agent := &domain.Agent{
+				ID:           "cloud-gcp-sm",
+				Name:         "GCP Secret Manager Discovery",
+				Status:       domain.AgentStatusOnline,
+				RegisteredAt: now,
+			}
+			created, err := repo.CreateIfNotExists(ctx, agent)
+			if err != nil {
+				atomic.AddInt64(&errorCount, 1)
+				t.Errorf("CreateIfNotExists returned error: %v", err)
+				return
+			}
+			if created {
+				atomic.AddInt64(&createdCount, 1)
+			}
+		}()
+	}
+	wg.Wait()
+
+	if errorCount != 0 {
+		t.Fatalf("errorCount = %d, want 0", errorCount)
+	}
+	if createdCount != 1 {
+		t.Errorf("createdCount = %d, want exactly 1 (only one goroutine may win the insert)", createdCount)
+	}
+
+	// Exactly one row must exist.
+	agents, err := repo.List(ctx)
+	if err != nil {
+		t.Fatalf("List failed: %v", err)
+	}
+	count := 0
+	for _, a := range agents {
+		if a.ID == "cloud-gcp-sm" {
+			count++
+		}
+	}
+	if count != 1 {
+		t.Errorf("row count for cloud-gcp-sm = %d, want 1", count)
+	}
+}
+
+// TestAgentRepository_CreateIfNotExists_GenericErrorSurfaces verifies that
+// failures other than the primary-key duplicate (the only collision
+// ON CONFLICT (id) absorbs) propagate to the caller instead of being
+// swallowed. This is the security property that M-6 restores: the
+// pre-fix plain-INSERT path logged every error at Debug level, so a
+// connectivity or permission failure would vanish into the log without
+// the server surfacing a problem on startup (CWE-662 / CWE-209-adjacent).
+//
+// Uses a pre-cancelled context to force QueryRowContext to fail with
+// context.Canceled — a non-duplicate error class that must surface.
+// Does NOT close the shared sql.DB (that would break sibling tests).
+func TestAgentRepository_CreateIfNotExists_GenericErrorSurfaces(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewAgentRepository(db)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel() // pre-cancel so the driver round-trip fails immediately.
+
+	agent := &domain.Agent{
+		ID:           "server-scanner",
+		Name:         "Network Scanner (Server-Side)",
+		Status:       domain.AgentStatusOnline,
+		RegisteredAt: time.Now(),
+	}
+	created, err := repo.CreateIfNotExists(ctx, agent)
+	if err == nil {
+		t.Fatal("expected error on cancelled context, got nil (error would have been swallowed pre-M-6)")
+	}
+	if created {
+		t.Error("created = true on failure, want false")
+	}
+	if err == sql.ErrNoRows {
+		t.Error("got sql.ErrNoRows, want a real connection/context error (ErrNoRows is the duplicate-row sentinel)")
+	}
+}
+
 // ============================================================
 // Issuer Repository Tests
 // ============================================================
@@ -703,10 +893,10 @@ func TestRevocationRepository_CRUD(t *testing.T) {
 		t.Fatalf("Idempotent create failed: %v", err)
 	}

-	// GetBySerial
-	got, err := repo.GetBySerial(ctx, "DEADBEEF01")
+	// GetByIssuerAndSerial — lookups are scoped to (issuer_id, serial) per RFC 5280 §5.2.3.
+	got, err := repo.GetByIssuerAndSerial(ctx, issuerID, "DEADBEEF01")
 	if err != nil {
-		t.Fatalf("GetBySerial failed: %v", err)
+		t.Fatalf("GetByIssuerAndSerial failed: %v", err)
 	}
 	if got.Reason != "keyCompromise" {
 		t.Errorf("Reason = %q, want %q", got.Reason, "keyCompromise")
@@ -734,12 +924,116 @@ func TestRevocationRepository_CRUD(t *testing.T) {
 	if err := repo.MarkIssuerNotified(ctx, "rev-test-1"); err != nil {
 		t.Fatalf("MarkIssuerNotified failed: %v", err)
 	}
-	got, _ = repo.GetBySerial(ctx, "DEADBEEF01")
+	got, _ = repo.GetByIssuerAndSerial(ctx, issuerID, "DEADBEEF01")
 	if !got.IssuerNotified {
 		t.Error("expected IssuerNotified=true after marking")
 	}
 }

+// TestRevocationRepository_CrossIssuerSerialCollision verifies that the same
+// serial number can coexist under two different issuers — RFC 5280 §5.2.3
+// defines serial uniqueness only within a single CA, and certctl supports
+// multi-issuer deployments where serial collisions across issuers are
+// legitimate (e.g., Local CA serial 0x01 and Vault PKI serial 0x01).
+//
+// This test locks in the behavior change from migration 000012: the unique
+// index is on (issuer_id, serial_number), not on serial_number alone.
+func TestRevocationRepository_CrossIssuerSerialCollision(t *testing.T) {
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	repo := postgres.NewRevocationRepository(db)
+	certRepo := postgres.NewCertificateRepository(db)
+	ctx := context.Background()
+
+	now := time.Now().Truncate(time.Microsecond)
+
+	// First issuer + cert + revocation with serial "CAFEBABE01".
+	ownerID1, teamID1, issuerID1, policyID1 := insertCertPrereqsRaw(t, db, ctx, "dup-a")
+	cert1 := &domain.ManagedCertificate{
+		ID: "mc-dup-a", Name: "dup-a", CommonName: "a.example.com",
+		SANs: []string{}, OwnerID: ownerID1, TeamID: teamID1,
+		IssuerID: issuerID1, RenewalPolicyID: policyID1,
+		Status:    domain.CertificateStatusRevoked,
+		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
+		CreatedAt: now, UpdatedAt: now,
+	}
+	if err := certRepo.Create(ctx, cert1); err != nil {
+		t.Fatalf("Create cert1 failed: %v", err)
+	}
+	if err := repo.Create(ctx, &domain.CertificateRevocation{
+		ID: "rev-dup-a", CertificateID: "mc-dup-a", SerialNumber: "CAFEBABE01",
+		Reason: "keyCompromise", RevokedBy: "admin", RevokedAt: now,
+		IssuerID: issuerID1, CreatedAt: now,
+	}); err != nil {
+		t.Fatalf("Create revocation under issuer1 failed: %v", err)
+	}
+
+	// Second issuer + cert + revocation with the SAME serial "CAFEBABE01".
+	// Under the pre-000012 global-unique index this would silently drop via
+	// ON CONFLICT DO NOTHING. Under the new (issuer_id, serial_number) scope
+	// it must succeed.
+	ownerID2, teamID2, issuerID2, policyID2 := insertCertPrereqsRaw(t, db, ctx, "dup-b")
+	cert2 := &domain.ManagedCertificate{
+		ID: "mc-dup-b", Name: "dup-b", CommonName: "b.example.com",
+		SANs: []string{}, OwnerID: ownerID2, TeamID: teamID2,
+		IssuerID: issuerID2, RenewalPolicyID: policyID2,
+		Status:    domain.CertificateStatusRevoked,
+		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
+		CreatedAt: now, UpdatedAt: now,
+	}
+	if err := certRepo.Create(ctx, cert2); err != nil {
+		t.Fatalf("Create cert2 failed: %v", err)
+	}
+	if err := repo.Create(ctx, &domain.CertificateRevocation{
+		ID: "rev-dup-b", CertificateID: "mc-dup-b", SerialNumber: "CAFEBABE01",
+		Reason: "superseded", RevokedBy: "admin", RevokedAt: now,
+		IssuerID: issuerID2, CreatedAt: now,
+	}); err != nil {
+		t.Fatalf("Create revocation under issuer2 failed (cross-issuer duplicate serial must be allowed): %v", err)
+	}
+
+	// Both revocations must be retrievable under their respective issuers.
+	revA, err := repo.GetByIssuerAndSerial(ctx, issuerID1, "CAFEBABE01")
+	if err != nil {
+		t.Fatalf("GetByIssuerAndSerial(issuer1) failed: %v", err)
+	}
+	if revA.ID != "rev-dup-a" || revA.Reason != "keyCompromise" {
+		t.Errorf("issuer1 lookup returned wrong row: id=%q reason=%q", revA.ID, revA.Reason)
+	}
+
+	revB, err := repo.GetByIssuerAndSerial(ctx, issuerID2, "CAFEBABE01")
+	if err != nil {
+		t.Fatalf("GetByIssuerAndSerial(issuer2) failed: %v", err)
+	}
+	if revB.ID != "rev-dup-b" || revB.Reason != "superseded" {
+		t.Errorf("issuer2 lookup returned wrong row: id=%q reason=%q", revB.ID, revB.Reason)
+	}
+
+	// ListAll should see both revocations.
+	all, err := repo.ListAll(ctx)
+	if err != nil {
+		t.Fatalf("ListAll failed: %v", err)
+	}
+	if len(all) != 2 {
+		t.Errorf("len(all) = %d, want 2 (cross-issuer duplicate serials)", len(all))
+	}
+
+	// Same-issuer idempotency guard still works (ON CONFLICT DO NOTHING on
+	// (issuer_id, serial_number) — re-inserting the same (issuer, serial)
+	// pair must not error and must not duplicate the row).
+	if err := repo.Create(ctx, &domain.CertificateRevocation{
+		ID: "rev-dup-a-repeat", CertificateID: "mc-dup-a", SerialNumber: "CAFEBABE01",
+		Reason: "superseded", RevokedBy: "admin", RevokedAt: now,
+		IssuerID: issuerID1, CreatedAt: now,
+	}); err != nil {
+		t.Fatalf("Idempotent create under same issuer failed: %v", err)
+	}
+	all, _ = repo.ListAll(ctx)
+	if len(all) != 2 {
+		t.Errorf("len(all) after idempotent re-insert = %d, want 2", len(all))
+	}
+}
+
 // ============================================================
 // Team Repository Tests
 // ============================================================
@@ -1578,3 +1872,334 @@ func TestEmptyResultSets(t *testing.T) {
 		t.Errorf("expected empty agent groups, got %d", len(groups))
 	}
 }
+
+// ============================================================
+// H-6 (CWE-362) Claim-Based Concurrency Tests
+//
+// These tests exercise the `SELECT ... FOR UPDATE SKIP LOCKED` worker-queue pattern
+// introduced to remediate the H-6 race condition. They validate two invariants:
+//
+//  1. Disjoint claim: under concurrent callers, no Pending row is returned to more
+//     than one worker (i.e. each claim is exclusive).
+//  2. State transition: claimed rows are atomically flipped to Running inside the
+//     same transaction that locked them, so a subsequent query must see the row in
+//     the Running state and no other worker can observe it as Pending again.
+//
+// Skipped automatically in `-short` mode (CI) since they require a real PostgreSQL
+// instance and take ~1s under contention.
+// ============================================================
+
+// seedPendingJobs creates n Pending renewal jobs against a single prerequisite
+// certificate and returns the generated job IDs.
+func seedPendingJobs(t *testing.T, ctx context.Context, db *sql.DB, certID string, n int) []string {
+	t.Helper()
+	certRepo := postgres.NewCertificateRepository(db)
+	jobRepo := postgres.NewJobRepository(db)
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, certID)
+
+	now := time.Now().Truncate(time.Microsecond)
+	cert := &domain.ManagedCertificate{
+		ID: "mc-" + certID, Name: certID, CommonName: certID + ".example.com",
+		SANs: []string{}, OwnerID: ownerID, TeamID: teamID,
+		IssuerID: issuerID, RenewalPolicyID: policyID,
+		Status:    domain.CertificateStatusActive,
+		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
+		CreatedAt: now, UpdatedAt: now,
+	}
+	if err := certRepo.Create(ctx, cert); err != nil {
+		t.Fatalf("seedPendingJobs: create cert failed: %v", err)
+	}
+
+	ids := make([]string, 0, n)
+	for i := 0; i < n; i++ {
+		job := &domain.Job{
+			ID:            fmt.Sprintf("job-%s-%03d", certID, i),
+			Type:          domain.JobTypeRenewal,
+			CertificateID: "mc-" + certID,
+			Status:        domain.JobStatusPending,
+			Attempts:      0,
+			MaxAttempts:   3,
+			ScheduledAt:   now,
+			CreatedAt:     now,
+		}
+		if err := jobRepo.Create(ctx, job); err != nil {
+			t.Fatalf("seedPendingJobs: create job %d failed: %v", i, err)
+		}
+		ids = append(ids, job.ID)
+	}
+	return ids
+}
+
+// TestJobRepository_ClaimPendingJobs_FlipsToRunning validates the basic claim
+// semantics: a single call transitions Pending rows to Running atomically, and
+// the rows returned to the caller reflect the post-update state.
+func TestJobRepository_ClaimPendingJobs_FlipsToRunning(t *testing.T) {
+	if testing.Short() {
+		t.Skip("integration test requires PostgreSQL")
+	}
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	jobRepo := postgres.NewJobRepository(db)
+	ctx := context.Background()
+
+	seeded := seedPendingJobs(t, ctx, db, "claimflip", 5)
+
+	claimed, err := jobRepo.ClaimPendingJobs(ctx, domain.JobTypeRenewal, 0)
+	if err != nil {
+		t.Fatalf("ClaimPendingJobs failed: %v", err)
+	}
+	if len(claimed) != len(seeded) {
+		t.Fatalf("len(claimed) = %d, want %d", len(claimed), len(seeded))
+	}
+
+	// In-memory return values must reflect the transitioned state.
+	for _, j := range claimed {
+		if j.Status != domain.JobStatusRunning {
+			t.Errorf("claimed job %s Status = %q, want %q", j.ID, j.Status, domain.JobStatusRunning)
+		}
+	}
+
+	// Persisted rows must also be Running — a fresh Get must not see Pending.
+	for _, id := range seeded {
+		got, err := jobRepo.Get(ctx, id)
+		if err != nil {
+			t.Fatalf("Get(%s) failed: %v", id, err)
+		}
+		if got.Status != domain.JobStatusRunning {
+			t.Errorf("persisted job %s Status = %q, want %q", id, got.Status, domain.JobStatusRunning)
+		}
+	}
+
+	// A subsequent claim must return zero rows — nothing is Pending anymore.
+	residual, err := jobRepo.ClaimPendingJobs(ctx, domain.JobTypeRenewal, 0)
+	if err != nil {
+		t.Fatalf("residual ClaimPendingJobs failed: %v", err)
+	}
+	if len(residual) != 0 {
+		t.Errorf("residual claims = %d, want 0 (all should be Running now)", len(residual))
+	}
+}
+
+// TestJobRepository_ClaimPendingJobs_ConcurrentDisjoint validates the core H-6
+// invariant: under concurrent access, no row is handed to more than one worker.
+//
+// The test seeds M Pending jobs, fans out N goroutines each of which loops
+// calling ClaimPendingJobs with limit=1, and finally asserts the union of all
+// claimed IDs is exactly M with zero duplicates. Workers that transiently
+// observe zero rows (because peers are holding the only remaining rows) re-check
+// an atomic progress counter before exiting, so transient SKIP-LOCKED zeros do
+// not cause premature termination.
+func TestJobRepository_ClaimPendingJobs_ConcurrentDisjoint(t *testing.T) {
+	if testing.Short() {
+		t.Skip("integration test requires PostgreSQL")
+	}
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	jobRepo := postgres.NewJobRepository(db)
+	ctx := context.Background()
+
+	const M = 40 // seeded Pending jobs
+	const N = 8  // concurrent workers
+	seeded := seedPendingJobs(t, ctx, db, "concurrent", M)
+	seededSet := make(map[string]bool, M)
+	for _, id := range seeded {
+		seededSet[id] = true
+	}
+
+	var (
+		totalClaimed int64
+		allClaims    []string
+		mu           sync.Mutex
+		wg           sync.WaitGroup
+	)
+
+	for w := 0; w < N; w++ {
+		wg.Add(1)
+		go func(worker int) {
+			defer wg.Done()
+			emptyStreak := 0
+			for iter := 0; iter < M*4; iter++ { // generous ceiling to prevent hangs
+				claimed, err := jobRepo.ClaimPendingJobs(ctx, domain.JobTypeRenewal, 1)
+				if err != nil {
+					t.Errorf("worker %d ClaimPendingJobs failed: %v", worker, err)
+					return
+				}
+				if len(claimed) == 0 {
+					// Transient zero (peer holds lock) vs. terminal zero (all claimed).
+					// Bail only once the shared counter proves work is done, but guard
+					// with a streak so we don't spin forever under starvation.
+					if atomic.LoadInt64(&totalClaimed) >= int64(M) {
+						return
+					}
+					emptyStreak++
+					if emptyStreak >= 20 {
+						return
+					}
+					time.Sleep(500 * time.Microsecond)
+					continue
+				}
+				emptyStreak = 0
+				mu.Lock()
+				for _, j := range claimed {
+					if j.Status != domain.JobStatusRunning {
+						t.Errorf("worker %d got job %s in Status=%q (want Running) — claim did not flip state", worker, j.ID, j.Status)
+					}
+					allClaims = append(allClaims, j.ID)
+				}
+				mu.Unlock()
+				atomic.AddInt64(&totalClaimed, int64(len(claimed)))
+			}
+		}(w)
+	}
+	wg.Wait()
+
+	// Invariant 1: no duplicate claims across the worker pool.
+	seen := make(map[string]int, len(allClaims))
+	for _, id := range allClaims {
+		seen[id]++
+	}
+	for id, count := range seen {
+		if count > 1 {
+			t.Errorf("job %s claimed %d times — SKIP LOCKED invariant violated", id, count)
+		}
+	}
+
+	// Invariant 2: every seeded job appears in the claim set exactly once.
+	if len(seen) != M {
+		t.Errorf("distinct claimed IDs = %d, want %d (all seeded jobs must be claimed)", len(seen), M)
+	}
+	for id := range seededSet {
+		if seen[id] == 0 {
+			t.Errorf("seeded job %s was never claimed by any worker", id)
+		}
+	}
+
+	// Invariant 3: persisted state reflects the transition — every seeded row
+	// is now Running; none is Pending.
+	for id := range seededSet {
+		got, err := jobRepo.Get(ctx, id)
+		if err != nil {
+			t.Fatalf("Get(%s) failed: %v", id, err)
+		}
+		if got.Status != domain.JobStatusRunning {
+			t.Errorf("job %s Status = %q, want %q", id, got.Status, domain.JobStatusRunning)
+		}
+	}
+
+	// Final progress counter must match the total number of seeded jobs.
+	if got := atomic.LoadInt64(&totalClaimed); got != int64(M) {
+		t.Errorf("totalClaimed = %d, want %d", got, M)
+	}
+}
+
+// TestJobRepository_ClaimPendingByAgentID_TransitionsDeployments validates the
+// agent-scoped claim variant: Pending deployment rows for a given agent flip to
+// Running; AwaitingCSR rows are returned but their state is preserved (the CSR
+// submission path drives their next transition).
+func TestJobRepository_ClaimPendingByAgentID_TransitionsDeployments(t *testing.T) {
+	if testing.Short() {
+		t.Skip("integration test requires PostgreSQL")
+	}
+	tdb := getTestDB(t)
+	db := tdb.freshSchema(t)
+	jobRepo := postgres.NewJobRepository(db)
+	agentRepo := postgres.NewAgentRepository(db)
+	ctx := context.Background()
+
+	ownerID, teamID, issuerID, policyID := insertCertPrereqsRaw(t, db, ctx, "agentclaim")
+
+	now := time.Now().Truncate(time.Microsecond)
+	cert := &domain.ManagedCertificate{
+		ID: "mc-agentclaim", Name: "agentclaim", CommonName: "agentclaim.example.com",
+		SANs: []string{}, OwnerID: ownerID, TeamID: teamID,
+		IssuerID: issuerID, RenewalPolicyID: policyID,
+		Status:    domain.CertificateStatusActive,
+		ExpiresAt: now.Add(30 * 24 * time.Hour), Tags: map[string]string{},
+		CreatedAt: now, UpdatedAt: now,
+	}
+	if err := postgres.NewCertificateRepository(db).Create(ctx, cert); err != nil {
+		t.Fatalf("create cert failed: %v", err)
+	}
+
+	agent := &domain.Agent{
+		ID:           "a-claim",
+		Name:         "claim-agent",
+		Hostname:     "claim-agent-host",
+		Status:       domain.AgentStatusOnline,
+		RegisteredAt: now,
+		APIKeyHash:   "hash-claim",
+	}
+	if err := agentRepo.Create(ctx, agent); err != nil {
+		t.Fatalf("create agent failed: %v", err)
+	}
+
+	agentID := agent.ID
+	mkJob := func(id string, typ domain.JobType, status domain.JobStatus) *domain.Job {
+		return &domain.Job{
+			ID: id, Type: typ, CertificateID: cert.ID,
+			AgentID:     &agentID,
+			Status:      status,
+			Attempts:    0,
+			MaxAttempts: 3,
+			ScheduledAt: now,
+			CreatedAt:   now,
+		}
+	}
+	jobs := []*domain.Job{
+		mkJob("job-agentclaim-dep-1", domain.JobTypeDeployment, domain.JobStatusPending),
+		mkJob("job-agentclaim-dep-2", domain.JobTypeDeployment, domain.JobStatusPending),
+		mkJob("job-agentclaim-csr-1", domain.JobTypeRenewal, domain.JobStatusAwaitingCSR),
+		// A Pending Renewal (not Deployment) must NOT be returned by the per-agent claim.
+		mkJob("job-agentclaim-ren-pending", domain.JobTypeRenewal, domain.JobStatusPending),
+	}
+	for _, j := range jobs {
+		if err := jobRepo.Create(ctx, j); err != nil {
+			t.Fatalf("create job %s failed: %v", j.ID, err)
+		}
+	}
+
+	claimed, err := jobRepo.ClaimPendingByAgentID(ctx, agentID)
+	if err != nil {
+		t.Fatalf("ClaimPendingByAgentID failed: %v", err)
+	}
+	// Expect exactly the 2 deployments + 1 AwaitingCSR.
+	if len(claimed) != 3 {
+		t.Fatalf("len(claimed) = %d, want 3 (2 deployments + 1 AwaitingCSR)", len(claimed))
+	}
+
+	statusByID := map[string]domain.JobStatus{}
+	for _, j := range claimed {
+		statusByID[j.ID] = j.Status
+	}
+	// Both deployments must be Running in the returned slice (in-memory reflection).
+	for _, id := range []string{"job-agentclaim-dep-1", "job-agentclaim-dep-2"} {
+		if statusByID[id] != domain.JobStatusRunning {
+			t.Errorf("returned deployment %s Status = %q, want Running", id, statusByID[id])
+		}
+	}
+	// AwaitingCSR must remain AwaitingCSR.
+	if statusByID["job-agentclaim-csr-1"] != domain.JobStatusAwaitingCSR {
+		t.Errorf("returned AwaitingCSR Status = %q, want AwaitingCSR", statusByID["job-agentclaim-csr-1"])
+	}
+	// The unrelated Pending Renewal must not be returned.
+	if _, ok := statusByID["job-agentclaim-ren-pending"]; ok {
+		t.Errorf("Pending Renewal job was returned by ClaimPendingByAgentID — scope violation")
+	}
+
+	// Persisted state: deployments Running, AwaitingCSR unchanged, Pending Renewal still Pending.
+	for id, want := range map[string]domain.JobStatus{
+		"job-agentclaim-dep-1":       domain.JobStatusRunning,
+		"job-agentclaim-dep-2":       domain.JobStatusRunning,
+		"job-agentclaim-csr-1":       domain.JobStatusAwaitingCSR,
+		"job-agentclaim-ren-pending": domain.JobStatusPending,
+	} {
+		got, err := jobRepo.Get(ctx, id)
+		if err != nil {
+			t.Fatalf("Get(%s) failed: %v", id, err)
+		}
+		if got.Status != want {
+			t.Errorf("persisted %s Status = %q, want %q", id, got.Status, want)
+		}
+	}
+}
@@ -19,13 +19,18 @@ func NewRevocationRepository(db *sql.DB) *RevocationRepository {
 }

 // Create records a new certificate revocation.
+//
+// Uniqueness is scoped to (issuer_id, serial_number) per RFC 5280 §5.2.3.
+// Serial numbers are only unique within an issuer, so certctl supports
+// collisions across different issuer connectors. The composite ON CONFLICT
+// target matches migration 000012's unique index.
 func (r *RevocationRepository) Create(ctx context.Context, revocation *domain.CertificateRevocation) error {
 	_, err := r.db.ExecContext(ctx, `
 		INSERT INTO certificate_revocations (
 			id, certificate_id, serial_number, reason, revoked_by, revoked_at,
 			issuer_id, issuer_notified, created_at
 		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
-		ON CONFLICT (serial_number) DO NOTHING
+		ON CONFLICT (issuer_id, serial_number) DO NOTHING
 	`, revocation.ID, revocation.CertificateID, revocation.SerialNumber,
 		revocation.Reason, revocation.RevokedBy, revocation.RevokedAt,
 		revocation.IssuerID, revocation.IssuerNotified, revocation.CreatedAt)
@@ -37,20 +42,24 @@ func (r *RevocationRepository) Create(ctx context.Context, revocation *domain.Ce
 	return nil
 }

-// GetBySerial retrieves a revocation by serial number.
-func (r *RevocationRepository) GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error) {
+// GetByIssuerAndSerial retrieves a revocation by the (issuer_id, serial) pair.
+//
+// Per RFC 5280 §5.2.3, serial numbers are unique only within a single issuer.
+// Callers (OCSP handlers, CRL generation) always know the issuer because the
+// OCSP URL carries it as a path parameter and CRLs are generated per-issuer.
+func (r *RevocationRepository) GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.CertificateRevocation, error) {
 	var rev domain.CertificateRevocation
 	err := r.db.QueryRowContext(ctx, `
 		SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
 		       issuer_id, issuer_notified, created_at
 		FROM certificate_revocations
-		WHERE serial_number = $1
-	`, serial).Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
+		WHERE issuer_id = $1 AND serial_number = $2
+	`, issuerID, serial).Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
 		&rev.Reason, &rev.RevokedBy, &rev.RevokedAt,
 		&rev.IssuerID, &rev.IssuerNotified, &rev.CreatedAt)

 	if err != nil {
-		return nil, fmt.Errorf("failed to get revocation by serial: %w", err)
+		return nil, fmt.Errorf("failed to get revocation by issuer and serial: %w", err)
 	}

 	return &rev, nil
@@ -2,11 +2,12 @@ package service

 import (
 	"context"
+	"crypto/rand"
 	"crypto/sha256"
+	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"log/slog"
-	"math/rand"
 	"time"

 	"github.com/shankar0123/certctl/internal/domain"
@@ -57,8 +58,11 @@ func (s *AgentService) Register(ctx context.Context, name string, hostname strin
 		return nil, "", fmt.Errorf("agent name and hostname are required")
 	}

-	// Generate API key
-	apiKey := generateAPIKey()
+	// Generate API key. crypto/rand failure is non-recoverable — propagate immediately.
+	apiKey, err := generateAPIKey()
+	if err != nil {
+		return nil, "", fmt.Errorf("failed to generate agent api key: %w", err)
+	}
 	apiKeyHash := hashAPIKey(apiKey)

 	now := time.Now()
@@ -87,8 +91,8 @@ func (s *AgentService) Register(ctx context.Context, name string, hostname strin
 	return agent, apiKey, nil
 }

-// HeartbeatWithContext updates an agent's last seen time, status, and metadata.
-func (s *AgentService) HeartbeatWithContext(ctx context.Context, agentID string, metadata *domain.AgentMetadata) error {
+// Heartbeat updates an agent's last seen time, status, and metadata.
+func (s *AgentService) Heartbeat(ctx context.Context, agentID string, metadata *domain.AgentMetadata) error {
 	agent, err := s.agentRepo.Get(ctx, agentID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch agent: %w", err)
@@ -110,12 +114,6 @@ func (s *AgentService) HeartbeatWithContext(ctx context.Context, agentID string,
 	return nil
 }

-// Heartbeat updates agent heartbeat (handler interface method).
-// Note: This method is called from handlers which have a context; callers should prefer HeartbeatWithContext.
-func (s *AgentService) Heartbeat(ctx context.Context, agentID string, metadata *domain.AgentMetadata) error {
-	return s.HeartbeatWithContext(ctx, agentID, metadata)
-}
-
 // SubmitCSR validates and processes a Certificate Signing Request from an agent.
 // In agent keygen mode, this completes an AwaitingCSR renewal job by signing the CSR
 // and storing the cert version. The private key stays on the agent — only the CSR
@@ -280,8 +278,13 @@ func (s *AgentService) GetPendingWork(ctx context.Context, agentID string) ([]*d
 		return nil, fmt.Errorf("failed to fetch agent: %w", err)
 	}

-	// Return only jobs assigned to this agent (via agent_id or target→agent relationship)
-	return s.jobRepo.ListPendingByAgentID(ctx, agentID)
+	// Atomically claim jobs assigned to this agent. H-6 (CWE-362) remediation:
+	// ClaimPendingByAgentID uses SELECT ... FOR UPDATE SKIP LOCKED so concurrent poll
+	// requests (duplicate agents, retry storms, or a lagging long-poll) never observe
+	// the same Pending deployment row. Pending deployments are flipped to Running inside
+	// the claim transaction; AwaitingCSR jobs keep their state since CSR submission is
+	// the state-machine trigger for their next transition.
+	return s.jobRepo.ClaimPendingByAgentID(ctx, agentID)
 }

 // ReportJobStatus updates a job's status based on agent feedback.
@@ -380,7 +383,10 @@ func (s *AgentService) GetAgent(ctx context.Context, id string) (*domain.Agent,
 // RegisterAgent creates and registers a new agent (handler interface method).
 func (s *AgentService) RegisterAgent(ctx context.Context, agent domain.Agent) (*domain.Agent, error) {
 	agent.ID = generateID("agent")
-	apiKey := generateAPIKey()
+	apiKey, err := generateAPIKey()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate agent api key: %w", err)
+	}
 	agent.APIKeyHash = hashAPIKey(apiKey)
 	agent.Status = domain.AgentStatusOnline
 	now := time.Now()
@@ -487,14 +493,17 @@ func (s *AgentService) CertificatePickup(ctx context.Context, agentID, certID st
 	return string(certPEM), nil
 }

-// generateAPIKey creates a random API key for an agent.
-func generateAPIKey() string {
-	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+// generateAPIKey creates a cryptographically secure random API key for an agent.
+// It fills a 32-byte buffer from crypto/rand (256 bits of entropy) and encodes it with
+// base64.RawURLEncoding, yielding a 43-character URL-safe, unpadded ASCII string.
+// The plaintext key is shown to the caller exactly once; only its SHA-256 hash is stored.
+// Fixes C-1 (CWE-338: previously used math/rand, which is not cryptographically secure).
+func generateAPIKey() (string, error) {
 	b := make([]byte, 32)
-	for i := range b {
-		b[i] = charset[rand.Intn(len(charset))]
+	if _, err := rand.Read(b); err != nil {
+		return "", fmt.Errorf("generate agent api key: %w", err)
 	}
-	return string(b)
+	return base64.RawURLEncoding.EncodeToString(b), nil
 }

 // hashAPIKey hashes an API key using SHA256.
@@ -2,6 +2,7 @@ package service

 import (
 	"context"
+	"encoding/base64"
 	"log/slog"
 	"testing"
 	"time"
@@ -91,7 +92,7 @@ func TestHeartbeat(t *testing.T) {

 	agentService := NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, nil)

-	err := agentService.HeartbeatWithContext(ctx, "agent-001", nil)
+	err := agentService.Heartbeat(ctx, "agent-001", nil)
 	if err != nil {
 		t.Fatalf("Heartbeat failed: %v", err)
 	}
@@ -124,7 +125,7 @@ func TestHeartbeat_NotFound(t *testing.T) {

 	agentService := NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, nil)

-	err := agentService.HeartbeatWithContext(ctx, "nonexistent", nil)
+	err := agentService.Heartbeat(ctx, "nonexistent", nil)
 	if err == nil {
 		t.Fatal("expected error for nonexistent agent")
 	}
@@ -594,3 +595,44 @@ func TestListAgents(t *testing.T) {
 		t.Errorf("expected total 2, got %d", total)
 	}
 }
+
+// TestGenerateAPIKey_Properties is the core regression test for C-1 (CWE-338).
+// It verifies that generateAPIKey produces cryptographically random,
+// unpadded base64url-encoded, 32-byte (256-bit) keys that never collide
+// across consecutive calls. Exact length and alphabet are verified against
+// base64.RawURLEncoding so any silent change to entropy or encoding fails
+// fast.
+//
+// Note on the error branch: since Go 1.24 (issue #66821) crypto/rand.Read
+// treats entropy-source failures as fatal — the process is terminated
+// rather than returning an error. The defensive `if err != nil` branch
+// in generateAPIKey is therefore unreachable from tests on modern Go.
+// It is kept to preserve the documented (string, error) contract and
+// to remain correct on older Go toolchains or future changes.
+func TestGenerateAPIKey_Properties(t *testing.T) {
+	seen := make(map[string]struct{}, 64)
+	for i := 0; i < 64; i++ {
+		k, err := generateAPIKey()
+		if err != nil {
+			t.Fatalf("generateAPIKey failed: %v", err)
+		}
+		if k == "" {
+			t.Fatal("expected non-empty API key")
+		}
+		// base64.RawURLEncoding of 32 bytes yields exactly 43 chars.
+		if got, want := len(k), 43; got != want {
+			t.Fatalf("expected key length %d, got %d (%q)", want, got, k)
+		}
+		decoded, err := base64.RawURLEncoding.DecodeString(k)
+		if err != nil {
+			t.Fatalf("key %q not valid base64url: %v", k, err)
+		}
+		if len(decoded) != 32 {
+			t.Fatalf("expected 32 decoded bytes (256 bits entropy), got %d", len(decoded))
+		}
+		if _, dup := seen[k]; dup {
+			t.Fatalf("collision detected after %d calls; weak PRNG?", i+1)
+		}
+		seen[k] = struct{}{}
+	}
+}
@@ -110,7 +110,7 @@ func (s *AuditService) ListByAction(ctx context.Context, action string, from, to
 }

 // ListAuditEvents returns paginated audit events (handler interface method).
-func (s *AuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent, int64, error) {
+func (s *AuditService) ListAuditEvents(ctx context.Context, page, perPage int) ([]domain.AuditEvent, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -123,7 +123,7 @@ func (s *AuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent,
 		PerPage: perPage,
 	}

-	events, err := s.auditRepo.List(context.Background(), filter)
+	events, err := s.auditRepo.List(ctx, filter)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list audit events: %w", err)
 	}
@@ -143,13 +143,13 @@ func (s *AuditService) ListAuditEvents(page, perPage int) ([]domain.AuditEvent,
 }

 // GetAuditEvent returns a single audit event (handler interface method).
-func (s *AuditService) GetAuditEvent(id string) (*domain.AuditEvent, error) {
+func (s *AuditService) GetAuditEvent(ctx context.Context, id string) (*domain.AuditEvent, error) {
 	filter := &repository.AuditFilter{
 		ResourceID: id,
 		PerPage:    1,
 	}

-	events, err := s.auditRepo.List(context.Background(), filter)
+	events, err := s.auditRepo.List(ctx, filter)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get audit event: %w", err)
 	}
@@ -41,7 +41,7 @@ func (s *CAOperationsSvc) SetIssuerRegistry(registry *IssuerRegistry) {

 // GenerateDERCRL generates a DER-encoded X.509 CRL for the given issuer.
 // Short-lived certificates (profile TTL < 1 hour) are excluded from the CRL.
-func (s *CAOperationsSvc) GenerateDERCRL(issuerID string) ([]byte, error) {
+func (s *CAOperationsSvc) GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error) {
 	if s.revocationRepo == nil {
 		return nil, fmt.Errorf("revocation repository not configured")
 	}
@@ -54,7 +54,7 @@ func (s *CAOperationsSvc) GenerateDERCRL(issuerID string) ([]byte, error) {
 		return nil, fmt.Errorf("issuer not found: %s", issuerID)
 	}

-	revocations, err := s.revocationRepo.ListAll(context.Background())
+	revocations, err := s.revocationRepo.ListAll(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("failed to list revocations: %w", err)
 	}
@@ -69,9 +69,9 @@ func (s *CAOperationsSvc) GenerateDERCRL(issuerID string) ([]byte, error) {

 		// Check short-lived exemption: look up the cert's profile
 		if s.profileRepo != nil && s.certRepo != nil {
-			cert, err := s.certRepo.Get(context.Background(), rev.CertificateID)
+			cert, err := s.certRepo.Get(ctx, rev.CertificateID)
 			if err == nil && cert.CertificateProfileID != "" {
-				profile, err := s.profileRepo.Get(context.Background(), cert.CertificateProfileID)
+				profile, err := s.profileRepo.Get(ctx, cert.CertificateProfileID)
 				if err == nil && profile.IsShortLived() {
 					slog.Debug("skipping short-lived cert from CRL",
 						"certificate_id", rev.CertificateID,
@@ -92,11 +92,11 @@ func (s *CAOperationsSvc) GenerateDERCRL(issuerID string) ([]byte, error) {
 		})
 	}

-	return issuerConn.GenerateCRL(context.Background(), entries)
+	return issuerConn.GenerateCRL(ctx, entries)
 }

 // GetOCSPResponse generates a signed OCSP response for the given certificate serial.
-func (s *CAOperationsSvc) GetOCSPResponse(issuerID string, serialHex string) ([]byte, error) {
+func (s *CAOperationsSvc) GetOCSPResponse(ctx context.Context, issuerID string, serialHex string) ([]byte, error) {
 	if s.revocationRepo == nil {
 		return nil, fmt.Errorf("revocation repository not configured")
 	}
@@ -117,14 +117,16 @@ func (s *CAOperationsSvc) GetOCSPResponse(issuerID string, serialHex string) ([]
 	// Short-lived cert exemption: if the cert's profile has TTL < 1 hour,
 	// always return "good" — expiry is sufficient revocation for short-lived certs.
 	if s.profileRepo != nil && s.certRepo != nil {
-		// Look up cert by serial through revocation table
-		rev, _ := s.revocationRepo.GetBySerial(context.Background(), serialHex)
+		// Look up cert by (issuer_id, serial) — per RFC 5280 §5.2.3, serial numbers
+		// are unique only within a single issuer. The OCSP URL path carries issuer_id,
+		// so we scope the lookup to avoid cross-issuer collisions.
+		rev, _ := s.revocationRepo.GetByIssuerAndSerial(ctx, issuerID, serialHex)
 		if rev != nil {
-			cert, err := s.certRepo.Get(context.Background(), rev.CertificateID)
+			cert, err := s.certRepo.Get(ctx, rev.CertificateID)
 			if err == nil && cert.CertificateProfileID != "" {
-				profile, err := s.profileRepo.Get(context.Background(), cert.CertificateProfileID)
+				profile, err := s.profileRepo.Get(ctx, cert.CertificateProfileID)
 				if err == nil && profile.IsShortLived() {
-					return issuerConn.SignOCSPResponse(context.Background(), OCSPSignRequest{
+					return issuerConn.SignOCSPResponse(ctx, OCSPSignRequest{
 						CertSerial: serial,
 						CertStatus: 0, // good — short-lived exemption
 						ThisUpdate: now,
@@ -135,11 +137,11 @@ func (s *CAOperationsSvc) GetOCSPResponse(issuerID string, serialHex string) ([]
 		}
 	}

-	// Check if this serial is revoked
-	rev, err := s.revocationRepo.GetBySerial(context.Background(), serialHex)
+	// Check if this (issuer_id, serial) is revoked — RFC 5280 §5.2.3 scoping.
+	rev, err := s.revocationRepo.GetByIssuerAndSerial(ctx, issuerID, serialHex)
 	if err != nil {
 		// Not revoked — return "good" status
-		return issuerConn.SignOCSPResponse(context.Background(), OCSPSignRequest{
+		return issuerConn.SignOCSPResponse(ctx, OCSPSignRequest{
 			CertSerial: serial,
 			CertStatus: 0, // good
 			ThisUpdate: now,
@@ -148,7 +150,7 @@ func (s *CAOperationsSvc) GetOCSPResponse(issuerID string, serialHex string) ([]
 	}

 	// Revoked
-	return issuerConn.SignOCSPResponse(context.Background(), OCSPSignRequest{
+	return issuerConn.SignOCSPResponse(ctx, OCSPSignRequest{
 		CertSerial:       serial,
 		CertStatus:       1, // revoked
 		RevokedAt:        rev.RevokedAt,
@@ -3,6 +3,7 @@
 package service

 import (
+	"context"
 	"log/slog"
 	"testing"
 	"time"
@@ -48,7 +49,7 @@ func TestCAOperationsSvc_GenerateDERCRL_Success(t *testing.T) {
 		},
 	}

-	crl, err := caSvc.GenerateDERCRL("iss-local")
+	crl, err := caSvc.GenerateDERCRL(context.Background(), "iss-local")

 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
@@ -71,7 +72,7 @@ func TestCAOperationsSvc_GenerateDERCRL_EmptyCRL(t *testing.T) {
 	// No revoked certs for this issuer
 	revocationRepo.Revocations = []*domain.CertificateRevocation{}

-	crl, err := caSvc.GenerateDERCRL("iss-local")
+	crl, err := caSvc.GenerateDERCRL(context.Background(), "iss-local")

 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
@@ -112,7 +113,7 @@ func TestCAOperationsSvc_GetOCSPResponse_Good(t *testing.T) {
 	certRepo.Versions["cert-ocsp-good"] = []*domain.CertificateVersion{version}

 	// Request OCSP response for good cert
-	resp, err := caSvc.GetOCSPResponse("iss-local", "OCSP-GOOD-001")
+	resp, err := caSvc.GetOCSPResponse(context.Background(), "iss-local", "OCSP-GOOD-001")

 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
@@ -165,7 +166,7 @@ func TestCAOperationsSvc_GetOCSPResponse_Revoked(t *testing.T) {
 	}

 	// Request OCSP response for revoked cert
-	resp, err := caSvc.GetOCSPResponse("iss-local", "OCSP-REVOKED-001")
+	resp, err := caSvc.GetOCSPResponse(context.Background(), "iss-local", "OCSP-REVOKED-001")

 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
@@ -71,8 +71,8 @@ func (s *CertificateService) List(ctx context.Context, filter *repository.Certif

 // ListCertificatesWithFilter returns a list of certificates with advanced filtering (M20).
 // This method supports the new M20 filters and returns domain.ManagedCertificate (not pointers).
-func (s *CertificateService) ListCertificatesWithFilter(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
-	certs, total, err := s.certRepo.List(context.Background(), filter)
+func (s *CertificateService) ListCertificatesWithFilter(ctx context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
+	certs, total, err := s.certRepo.List(ctx, filter)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list certificates with filter: %w", err)
 	}
@@ -206,10 +206,10 @@ func (s *CertificateService) GetVersions(ctx context.Context, certID string) ([]
 	return versions, nil
 }

-// TriggerRenewalWithActor initiates a renewal job if the certificate is eligible.
+// TriggerRenewal initiates a renewal job if the certificate is eligible.
 // Creates a Renewal job (or Issuance for new certs) so the scheduler's job processor
 // can pick it up and route it through the issuer connector.
-func (s *CertificateService) TriggerRenewalWithActor(ctx context.Context, certID string, actor string) error {
+func (s *CertificateService) TriggerRenewal(ctx context.Context, certID string, actor string) error {
 	cert, err := s.certRepo.Get(ctx, certID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch certificate: %w", err)
@@ -283,8 +283,11 @@ func (s *CertificateService) TriggerRenewalWithActor(ctx context.Context, certID
 	return nil
 }

-// TriggerDeploymentWithActor creates deployment jobs for all targets of a certificate.
-func (s *CertificateService) TriggerDeploymentWithActor(ctx context.Context, certID string, actor string) error {
+// TriggerDeployment creates deployment jobs for all targets of a certificate.
+// The targetID parameter is accepted from the handler interface but currently unused;
+// deployment coordination happens per-certificate across all of its targets.
+func (s *CertificateService) TriggerDeployment(ctx context.Context, certID string, targetID string, actor string) error {
+	_ = targetID
 	cert, err := s.certRepo.Get(ctx, certID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch certificate: %w", err)
@@ -306,7 +309,7 @@ func (s *CertificateService) TriggerDeploymentWithActor(ctx context.Context, cer
 }

 // ListCertificates returns paginated certificates with optional filtering (handler interface method).
-func (s *CertificateService) ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
+func (s *CertificateService) ListCertificates(ctx context.Context, status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -325,7 +328,7 @@ func (s *CertificateService) ListCertificates(status, environment, ownerID, team
 		PerPage:     perPage,
 	}

-	certs, total, err := s.certRepo.List(context.Background(), filter)
+	certs, total, err := s.certRepo.List(ctx, filter)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list certificates: %w", err)
 	}
@@ -341,12 +344,12 @@ func (s *CertificateService) ListCertificates(status, environment, ownerID, team
 }

 // GetCertificate returns a single certificate (handler interface method).
-func (s *CertificateService) GetCertificate(id string) (*domain.ManagedCertificate, error) {
-	return s.certRepo.Get(context.Background(), id)
+func (s *CertificateService) GetCertificate(ctx context.Context, id string) (*domain.ManagedCertificate, error) {
+	return s.certRepo.Get(ctx, id)
 }

 // CreateCertificate creates a new certificate (handler interface method).
-func (s *CertificateService) CreateCertificate(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
+func (s *CertificateService) CreateCertificate(ctx context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 	if cert.ID == "" {
 		cert.ID = generateID("cert")
 	}
@@ -365,16 +368,14 @@ func (s *CertificateService) CreateCertificate(cert domain.ManagedCertificate) (
 	if cert.Tags == nil {
 		cert.Tags = make(map[string]string)
 	}
-	if err := s.certRepo.Create(context.Background(), &cert); err != nil {
+	if err := s.certRepo.Create(ctx, &cert); err != nil {
 		return nil, fmt.Errorf("failed to create certificate: %w", err)
 	}
 	return &cert, nil
 }

 // UpdateCertificate modifies a certificate (handler interface method).
-func (s *CertificateService) UpdateCertificate(id string, patch domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
-	ctx := context.Background()
-
+func (s *CertificateService) UpdateCertificate(ctx context.Context, id string, patch domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
 	// Fetch existing certificate so partial updates don't zero out fields
 	existing, err := s.certRepo.Get(ctx, id)
 	if err != nil {
@@ -425,12 +426,12 @@ func (s *CertificateService) UpdateCertificate(id string, patch domain.ManagedCe
 }

 // ArchiveCertificate marks a certificate as archived (handler interface method).
-func (s *CertificateService) ArchiveCertificate(id string) error {
-	return s.certRepo.Archive(context.Background(), id)
+func (s *CertificateService) ArchiveCertificate(ctx context.Context, id string) error {
+	return s.certRepo.Archive(ctx, id)
 }

 // GetCertificateVersions returns certificate versions (handler interface method).
-func (s *CertificateService) GetCertificateVersions(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
+func (s *CertificateService) GetCertificateVersions(ctx context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -438,7 +439,7 @@ func (s *CertificateService) GetCertificateVersions(certID string, page, perPage
 		perPage = 50
 	}

-	versions, err := s.certRepo.ListVersions(context.Background(), certID)
+	versions, err := s.certRepo.ListVersions(ctx, certID)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list certificate versions: %w", err)
 	}
@@ -463,24 +464,8 @@ func (s *CertificateService) GetCertificateVersions(certID string, page, perPage
 	return result, total, nil
 }

-// TriggerRenewal initiates renewal (handler interface method).
-func (s *CertificateService) TriggerRenewal(certID string) error {
-	return s.TriggerRenewalWithActor(context.Background(), certID, "api")
-}
-
-// TriggerDeployment triggers deployment (handler interface method).
-func (s *CertificateService) TriggerDeployment(certID string, targetID string) error {
-	return s.TriggerDeploymentWithActor(context.Background(), certID, "api")
-}
-
-// RevokeCertificate revokes a certificate with the given reason (handler interface method).
-func (s *CertificateService) RevokeCertificate(certID string, reason string) error {
-	return s.RevokeCertificateWithActor(context.Background(), certID, reason, "api")
-}
-
-// RevokeCertificateWithActor performs revocation with actor tracking.
-// Delegates to RevocationSvc.
-func (s *CertificateService) RevokeCertificateWithActor(ctx context.Context, certID string, reason string, actor string) error {
+// RevokeCertificate performs revocation with actor tracking. Delegates to RevocationSvc.
+func (s *CertificateService) RevokeCertificate(ctx context.Context, certID string, reason string, actor string) error {
 	if s.revSvc == nil {
 		return fmt.Errorf("revocation service not configured")
 	}
@@ -489,35 +474,35 @@ func (s *CertificateService) RevokeCertificateWithActor(ctx context.Context, cer

 // GetRevokedCertificates returns all revoked certificate records (for CRL generation).
 // Delegates to RevocationSvc.
-func (s *CertificateService) GetRevokedCertificates() ([]*domain.CertificateRevocation, error) {
+func (s *CertificateService) GetRevokedCertificates(ctx context.Context) ([]*domain.CertificateRevocation, error) {
 	if s.revSvc == nil {
 		return nil, fmt.Errorf("revocation service not configured")
 	}
-	return s.revSvc.GetRevokedCertificates()
+	return s.revSvc.GetRevokedCertificates(ctx)
 }

 // GenerateDERCRL generates a DER-encoded X.509 CRL for the given issuer.
 // Delegates to CAOperationsSvc.
-func (s *CertificateService) GenerateDERCRL(issuerID string) ([]byte, error) {
+func (s *CertificateService) GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error) {
 	if s.caSvc == nil {
 		return nil, fmt.Errorf("CA operations service not configured")
 	}
-	return s.caSvc.GenerateDERCRL(issuerID)
+	return s.caSvc.GenerateDERCRL(ctx, issuerID)
 }

 // GetOCSPResponse generates a signed OCSP response for the given certificate serial.
 // Delegates to CAOperationsSvc.
-func (s *CertificateService) GetOCSPResponse(issuerID string, serialHex string) ([]byte, error) {
+func (s *CertificateService) GetOCSPResponse(ctx context.Context, issuerID string, serialHex string) ([]byte, error) {
 	if s.caSvc == nil {
 		return nil, fmt.Errorf("CA operations service not configured")
 	}
-	return s.caSvc.GetOCSPResponse(issuerID, serialHex)
+	return s.caSvc.GetOCSPResponse(ctx, issuerID, serialHex)
 }

 // GetCertificateDeployments returns all deployment targets for a certificate (M20).
-func (s *CertificateService) GetCertificateDeployments(certID string) ([]domain.DeploymentTarget, error) {
+func (s *CertificateService) GetCertificateDeployments(ctx context.Context, certID string) ([]domain.DeploymentTarget, error) {
 	// Verify certificate exists
-	_, err := s.certRepo.Get(context.Background(), certID)
+	_, err := s.certRepo.Get(ctx, certID)
 	if err != nil {
 		return nil, fmt.Errorf("certificate not found: %w", err)
 	}
@@ -527,7 +512,7 @@ func (s *CertificateService) GetCertificateDeployments(certID string) ([]domain.
 	}

 	// Get targets from repository
-	targets, err := s.targetRepo.ListByCertificate(context.Background(), certID)
+	targets, err := s.targetRepo.ListByCertificate(ctx, certID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to list deployment targets: %w", err)
 	}
@@ -34,7 +34,7 @@ func TestCertificateService_RevokeCertificate_RevocationSvcNil(t *testing.T) {
 	certRepo.AddCert(cert)

 	// Call RevokeCertificateWithActor with nil RevocationSvc
-	err := certService.RevokeCertificateWithActor(context.Background(), "cert-1", "keyCompromise", "admin")
+	err := certService.RevokeCertificate(context.Background(), "cert-1", "keyCompromise", "admin")

 	// Assert: Should return error, NOT panic
 	if err == nil {
@@ -64,7 +64,7 @@ func TestCertificateService_GenerateDERCRL_CAOpsSvcNil(t *testing.T) {
 	// Note: NOT calling certService.SetCAOperationsSvc(...)

 	// Call GenerateDERCRL with nil CAOperationsSvc
-	_, err := certService.GenerateDERCRL("iss-local")
+	_, err := certService.GenerateDERCRL(context.Background(), "iss-local")

 	// Assert: Should return error, NOT panic
 	if err == nil {
@@ -94,7 +94,7 @@ func TestCertificateService_GetOCSPResponse_CAOpsSvcNil(t *testing.T) {
 	// Note: NOT calling certService.SetCAOperationsSvc(...)

 	// Call GetOCSPResponse with nil CAOperationsSvc
-	_, err := certService.GetOCSPResponse("iss-local", "serial123")
+	_, err := certService.GetOCSPResponse(context.Background(), "iss-local", "serial123")

 	// Assert: Should return error, NOT panic
 	if err == nil {
@@ -124,7 +124,7 @@ func TestCertificateService_GetRevokedCertificates_RevocationSvcNil(t *testing.T
 	// Note: NOT calling certService.SetRevocationSvc(...)

 	// Call GetRevokedCertificates with nil RevocationSvc
-	_, err := certService.GetRevokedCertificates()
+	_, err := certService.GetRevokedCertificates(context.Background())

 	// Assert: Should return error, NOT panic
 	if err == nil {
@@ -177,7 +177,7 @@ func TestCertificateService_GetCertificateDeployments_Success(t *testing.T) {
 	targetRepo.AddTarget(target2)

 	// Call GetCertificateDeployments
-	deployments, err := certService.GetCertificateDeployments("cert-1")
+	deployments, err := certService.GetCertificateDeployments(context.Background(), "cert-1")

 	// Assert: Should return deployment list successfully
 	if err != nil {
@@ -218,7 +218,7 @@ func TestCertificateService_GetCertificateDeployments_RepositoryError(t *testing
 	certRepo.AddCert(cert)

 	// Call GetCertificateDeployments with repo error
-	_, err := certService.GetCertificateDeployments("cert-1")
+	_, err := certService.GetCertificateDeployments(context.Background(), "cert-1")

 	// Assert: Should return error, NOT panic
 	if err == nil {
@@ -247,7 +247,7 @@ func TestCertificateService_GetCertificateDeployments_CertNotFound(t *testing.T)
 	certService.SetTargetRepo(targetRepo)

 	// Call GetCertificateDeployments with nonexistent certificate
-	_, err := certService.GetCertificateDeployments("nonexistent-cert")
+	_, err := certService.GetCertificateDeployments(context.Background(), "nonexistent-cert")

 	// Assert: Should return error
 	if err == nil {
@@ -283,7 +283,7 @@ func TestCertificateService_GetCertificateDeployments_NilTargetRepo(t *testing.T
 	certRepo.AddCert(cert)

 	// Call GetCertificateDeployments with nil TargetRepo
-	deployments, err := certService.GetCertificateDeployments("cert-1")
+	deployments, err := certService.GetCertificateDeployments(context.Background(), "cert-1")

 	// Assert: Should return empty list gracefully (not panic)
 	if err != nil {
@@ -337,19 +337,19 @@ func TestCertificateService_Multiple_NilSafetyChecks(t *testing.T) {
 	revSvc.SetIssuerRegistry(registry)

 	// Test 1: RevokeCertificateWithActor should succeed (RevocationSvc is set)
-	errRevoke := certService.RevokeCertificateWithActor(context.Background(), "cert-1", "keyCompromise", "admin")
+	errRevoke := certService.RevokeCertificate(context.Background(), "cert-1", "keyCompromise", "admin")
 	if errRevoke != nil {
 		t.Fatalf("RevokeCertificateWithActor failed unexpectedly: %v", errRevoke)
 	}

 	// Test 2: GenerateDERCRL should fail gracefully (CAOperationsSvc is nil)
-	_, errCRL := certService.GenerateDERCRL("iss-local")
+	_, errCRL := certService.GenerateDERCRL(context.Background(), "iss-local")
 	if errCRL == nil {
 		t.Fatal("GenerateDERCRL expected error, got nil")
 	}

 	// Test 3: GetOCSPResponse should fail gracefully (CAOperationsSvc is nil)
-	_, errOCSP := certService.GetOCSPResponse("iss-local", "ABC123")
+	_, errOCSP := certService.GetOCSPResponse(context.Background(), "iss-local", "ABC123")
 	if errOCSP == nil {
 		t.Fatal("GetOCSPResponse expected error, got nil")
 	}
@@ -294,7 +294,7 @@ func TestTriggerRenewal(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	certService := NewCertificateService(certRepo, policyService, auditService)

-	err := certService.TriggerRenewalWithActor(ctx, "cert-001", "user-1")
+	err := certService.TriggerRenewal(ctx, "cert-001", "user-1")
 	if err != nil {
 		t.Fatalf("TriggerRenewal failed: %v", err)
 	}
@@ -333,13 +333,14 @@ func TestTriggerRenewal_Archived(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	certService := NewCertificateService(certRepo, policyService, auditService)

-	err := certService.TriggerRenewalWithActor(ctx, "cert-001", "user-1")
+	err := certService.TriggerRenewal(ctx, "cert-001", "user-1")
 	if err == nil {
 		t.Fatal("expected error for archived certificate")
 	}
 }

 func TestListCertificates(t *testing.T) {
+	ctx := context.Background()
 	now := time.Now()
 	cert1 := &domain.ManagedCertificate{
 		ID:         "cert-001",
@@ -369,7 +370,7 @@ func TestListCertificates(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	certService := NewCertificateService(certRepo, policyService, auditService)

-	certs, total, err := certService.ListCertificates("", "", "", "", "", 1, 50)
+	certs, total, err := certService.ListCertificates(ctx, "", "", "", "", "", 1, 50)
 	if err != nil {
 		t.Fatalf("ListCertificates failed: %v", err)
 	}
@@ -159,7 +159,7 @@ func TestConcurrentAgentHeartbeats(t *testing.T) {
 				Architecture: "x86_64",
 			}

-			err := agentSvc.HeartbeatWithContext(ctx, agentID, metadata)
+			err := agentSvc.Heartbeat(ctx, agentID, metadata)
 			if err != nil {
 				errChan <- fmt.Errorf("goroutine %d: failed heartbeat for agent %s: %w", idx, agentID, err)
 				return
@@ -194,7 +194,7 @@ func TestConcurrentTargetCRUD(t *testing.T) {
 		Targets: make(map[string]*domain.DeploymentTarget),
 	}

-	targetSvc := NewTargetService(mockTargetRepo, nil, nil, nil, slog.New(slog.NewTextHandler(os.Stderr, nil)))
+	targetSvc := NewTargetService(mockTargetRepo, nil, nil, "", slog.New(slog.NewTextHandler(os.Stderr, nil)))

 	var mu sync.Mutex
 	createdTargets := make([]string, 0)
@@ -403,7 +403,7 @@ func TestConcurrentMixedOperations(t *testing.T) {
 	// Setup services
 	auditSvc := &AuditService{auditRepo: mockAuditRepo}
 	certSvc := NewCertificateService(mockCertRepo, nil, auditSvc)
-	targetSvc := NewTargetService(mockTargetRepo, auditSvc, nil, nil, slog.New(slog.NewTextHandler(os.Stderr, nil)))
+	targetSvc := NewTargetService(mockTargetRepo, auditSvc, nil, "", slog.New(slog.NewTextHandler(os.Stderr, nil)))

 	var wg sync.WaitGroup
 	errChan := make(chan error, 30)
@@ -142,7 +142,7 @@ func TestTargetService_ListWithCancelledContext(t *testing.T) {
 	mockTargetRepo := &mockTargetRepo{
 		Targets: make(map[string]*domain.DeploymentTarget),
 	}
-	targetSvc := NewTargetService(mockTargetRepo, nil, nil, nil, slog.New(slog.NewTextHandler(os.Stderr, nil)))
+	targetSvc := NewTargetService(mockTargetRepo, nil, nil, "", slog.New(slog.NewTextHandler(os.Stderr, nil)))

 	_, _, err := targetSvc.List(ctx, 1, 50)

@@ -176,13 +176,13 @@ func TestAgentService_HeartbeatWithCancelledContext(t *testing.T) {
 		nil, // renewalService
 	)

-	err := agentSvc.HeartbeatWithContext(ctx, "agent-1", &domain.AgentMetadata{})
+	err := agentSvc.Heartbeat(ctx, "agent-1", &domain.AgentMetadata{})

 	// Service should handle cancelled context
 	if err == nil || ctx.Err() == context.Canceled {
 		return
 	}
-	t.Logf("HeartbeatWithContext with cancelled context returned: %v", err)
+	t.Logf("Heartbeat with cancelled context returned: %v", err)
 }

 // Test with timeout context (should trigger deadline exceeded)
@@ -229,11 +229,11 @@ func TestAgentService_HeartbeatWithDeadlineExceeded(t *testing.T) {

 	time.Sleep(10 * time.Millisecond) // Ensure deadline is exceeded

-	err := agentSvc.HeartbeatWithContext(ctx, "agent-1", &domain.AgentMetadata{})
+	err := agentSvc.Heartbeat(ctx, "agent-1", &domain.AgentMetadata{})

 	// Service should handle deadline exceeded
 	if err == nil || ctx.Err() == context.DeadlineExceeded {
 		return
 	}
-	t.Logf("HeartbeatWithContext with deadline exceeded returned: %v", err)
+	t.Logf("Heartbeat with deadline exceeded returned: %v", err)
 }
@@ -17,20 +17,27 @@ import (
 )

 // IssuerService provides business logic for certificate issuer management.
+//
+// The encryptionKey field holds the raw passphrase (not a pre-derived 32-byte
+// key). Per-ciphertext salt derivation is performed inside
+// [crypto.EncryptIfKeySet] / [crypto.DecryptIfKeySet] on each call. See M-8
+// in certctl-audit-report.md.
 type IssuerService struct {
 	issuerRepo    repository.IssuerRepository
 	auditService  *AuditService
 	registry      *IssuerRegistry
-	encryptionKey []byte
+	encryptionKey string
 	logger        *slog.Logger
 }

-// NewIssuerService creates a new issuer service.
+// NewIssuerService creates a new issuer service. The encryptionKey is the raw
+// passphrase; it MUST NOT be pre-derived via crypto.DeriveKey (that was the
+// v1 behavior, replaced in M-8 with per-ciphertext random salt).
 func NewIssuerService(
 	issuerRepo repository.IssuerRepository,
 	auditService *AuditService,
 	registry *IssuerRegistry,
-	encryptionKey []byte,
+	encryptionKey string,
 	logger *slog.Logger,
 ) *IssuerService {
 	return &IssuerService{
@@ -253,9 +260,9 @@ func (s *IssuerService) Delete(ctx context.Context, id string, actor string) err
 	return nil
 }

-// TestConnectionWithContext tests the connection to an issuer by instantiating a throwaway
+// TestConnection tests the connection to an issuer by instantiating a throwaway
 // connector and calling ValidateConfig. Records the result in the database.
-func (s *IssuerService) TestConnectionWithContext(ctx context.Context, id string) error {
+func (s *IssuerService) TestConnection(ctx context.Context, id string) error {
 	iss, err := s.issuerRepo.Get(ctx, id)
 	if err != nil {
 		return fmt.Errorf("issuer not found: %w", err)
@@ -284,11 +291,6 @@ func (s *IssuerService) TestConnectionWithContext(ctx context.Context, id string
 	return nil
 }

-// TestConnection verifies the issuer connection (handler interface method).
-func (s *IssuerService) TestConnection(id string) error {
-	return s.TestConnectionWithContext(context.Background(), id)
-}
-
 // BuildRegistry loads all enabled issuers from the database and rebuilds the dynamic registry.
 // Called at server startup. Partial failures (individual issuers failing to load) are logged
 // as warnings but don't prevent the server from starting.
@@ -327,8 +329,20 @@ func (s *IssuerService) SeedFromEnvVars(ctx context.Context, cfg *config.Config)
 	seeds := s.buildEnvVarSeeds(cfg)
 	seeded := 0
 	for _, seed := range seeds {
-		// Encrypt the config if key is set
-		if len(seed.Config) > 0 {
+		// Encrypt the config only when an encryption key is configured.
+		//
+		// Env-seeded issuers carry Source="env" and are reconstructable on every
+		// boot from process environment, so persisting their config in plaintext
+		// adds no new exposure: the same bytes already live in the operator's
+		// deployment manifest. When no key is configured we therefore leave
+		// EncryptedConfig nil and keep the raw JSON in the `config` column —
+		// IssuerRegistry.Rebuild falls through to `cfg.Config` when there is no
+		// ciphertext to decrypt, so registry load still works.
+		//
+		// Database-sourced rows (Source="database") never reach this branch:
+		// they are created through the GUI/API write paths, which require the
+		// encryption key and fail closed via crypto.ErrEncryptionKeyRequired.
+		if len(seed.Config) > 0 && len(s.encryptionKey) > 0 {
 			encrypted, _, encErr := crypto.EncryptIfKeySet([]byte(seed.Config), s.encryptionKey)
 			if encErr != nil {
 				s.logger.Error("failed to encrypt seed config", "id", seed.ID, "error", encErr)
@@ -565,17 +579,21 @@ func (s *IssuerService) buildEnvVarSeeds(cfg *config.Config) []*domain.Issuer {

 	// Conditional: GlobalSign — only seed if API URL and API key are set
 	if cfg.GlobalSign.APIUrl != "" && cfg.GlobalSign.APIKey != "" {
+		globalSignConfig := map[string]interface{}{
+			"api_url":          cfg.GlobalSign.APIUrl,
+			"api_key":          cfg.GlobalSign.APIKey,
+			"api_secret":       cfg.GlobalSign.APISecret,
+			"client_cert_path": cfg.GlobalSign.ClientCertPath,
+			"client_key_path":  cfg.GlobalSign.ClientKeyPath,
+		}
+		if cfg.GlobalSign.ServerCAPath != "" {
+			globalSignConfig["server_ca_path"] = cfg.GlobalSign.ServerCAPath
+		}
 		seeds = append(seeds, &domain.Issuer{
-			ID:   "iss-globalsign",
-			Name: "GlobalSign Atlas",
-			Type: domain.IssuerTypeGlobalSign,
-			Config: mustJSON(map[string]interface{}{
-				"api_url":          cfg.GlobalSign.APIUrl,
-				"api_key":          cfg.GlobalSign.APIKey,
-				"api_secret":       cfg.GlobalSign.APISecret,
-				"client_cert_path": cfg.GlobalSign.ClientCertPath,
-				"client_key_path":  cfg.GlobalSign.ClientKeyPath,
-			}),
+			ID:        "iss-globalsign",
+			Name:      "GlobalSign Atlas",
+			Type:      domain.IssuerTypeGlobalSign,
+			Config:    mustJSON(globalSignConfig),
 			Enabled:   true,
 			Source:    "env",
 			CreatedAt: now,
@@ -610,7 +628,7 @@ func (s *IssuerService) buildEnvVarSeeds(cfg *config.Config) []*domain.Issuer {
 }

 // ListIssuers returns paginated issuers (handler interface method).
-func (s *IssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64, error) {
+func (s *IssuerService) ListIssuers(ctx context.Context, page, perPage int) ([]domain.Issuer, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -618,7 +636,7 @@ func (s *IssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64,
 		perPage = 50
 	}

-	issuers, err := s.issuerRepo.List(context.Background())
+	issuers, err := s.issuerRepo.List(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list issuers: %w", err)
 	}
@@ -635,12 +653,12 @@ func (s *IssuerService) ListIssuers(page, perPage int) ([]domain.Issuer, int64,
 }

 // GetIssuer returns a single issuer (handler interface method).
-func (s *IssuerService) GetIssuer(id string) (*domain.Issuer, error) {
-	return s.issuerRepo.Get(context.Background(), id)
+func (s *IssuerService) GetIssuer(ctx context.Context, id string) (*domain.Issuer, error) {
+	return s.issuerRepo.Get(ctx, id)
 }

 // CreateIssuer creates a new issuer (handler interface method).
-func (s *IssuerService) CreateIssuer(iss domain.Issuer) (*domain.Issuer, error) {
+func (s *IssuerService) CreateIssuer(ctx context.Context, iss domain.Issuer) (*domain.Issuer, error) {
 	iss.Type = normalizeIssuerType(iss.Type)
 	if !isValidIssuerType(iss.Type) {
 		return nil, fmt.Errorf("unsupported issuer type: %s", iss.Type)
@@ -677,26 +695,26 @@ func (s *IssuerService) CreateIssuer(iss domain.Issuer) (*domain.Issuer, error)
 		iss.Config = redactConfigJSON(iss.Config)
 	}

-	if err := s.issuerRepo.Create(context.Background(), &iss); err != nil {
+	if err := s.issuerRepo.Create(ctx, &iss); err != nil {
 		return nil, fmt.Errorf("failed to create issuer: %w", err)
 	}

 	// Rebuild registry
 	if iss.Enabled {
-		s.rebuildRegistryQuiet(context.Background())
+		s.rebuildRegistryQuiet(ctx)
 	}

 	return &iss, nil
 }

 // UpdateIssuer modifies an issuer (handler interface method).
-func (s *IssuerService) UpdateIssuer(id string, iss domain.Issuer) (*domain.Issuer, error) {
+func (s *IssuerService) UpdateIssuer(ctx context.Context, id string, iss domain.Issuer) (*domain.Issuer, error) {
 	iss.ID = id
 	iss.UpdatedAt = time.Now()

 	// Merge redacted fields with existing config
 	if len(iss.Config) > 0 {
-		mergedConfig, err := s.mergeRedactedConfig(context.Background(), id, iss.Config)
+		mergedConfig, err := s.mergeRedactedConfig(ctx, id, iss.Config)
 		if err != nil {
 			return nil, fmt.Errorf("failed to merge config: %w", err)
 		}
@@ -709,18 +727,18 @@ func (s *IssuerService) UpdateIssuer(id string, iss domain.Issuer) (*domain.Issu
 		iss.Config = redactConfigJSON(json.RawMessage(mergedConfig))
 	}

-	if err := s.issuerRepo.Update(context.Background(), &iss); err != nil {
+	if err := s.issuerRepo.Update(ctx, &iss); err != nil {
 		return nil, fmt.Errorf("failed to update issuer: %w", err)
 	}

-	s.rebuildRegistryQuiet(context.Background())
+	s.rebuildRegistryQuiet(ctx)

 	return &iss, nil
 }

 // DeleteIssuer removes an issuer (handler interface method).
-func (s *IssuerService) DeleteIssuer(id string) error {
-	if err := s.issuerRepo.Delete(context.Background(), id); err != nil {
+func (s *IssuerService) DeleteIssuer(ctx context.Context, id string) error {
+	if err := s.issuerRepo.Delete(ctx, id); err != nil {
 		return err
 	}
 	if s.registry != nil {
@@ -26,7 +26,7 @@ func TestBuildEnvVarSeeds_ACMEConfig(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

 	// Call buildEnvVarSeeds (unexported method, but testable from same package)
 	seeds := service.buildEnvVarSeeds(cfg)
@@ -82,7 +82,7 @@ func TestBuildEnvVarSeeds_VaultConfig(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

 	seeds := service.buildEnvVarSeeds(cfg)

@@ -136,7 +136,7 @@ func TestBuildEnvVarSeeds_NoConfig(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

 	seeds := service.buildEnvVarSeeds(cfg)

@@ -186,7 +186,7 @@ func TestBuildEnvVarSeeds_MultipleConfigs(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

 	seeds := service.buildEnvVarSeeds(cfg)

@@ -232,7 +232,7 @@ func TestSeedFromEnvVars_Empty(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

 	// Call SeedFromEnvVars on empty repo
 	service.SeedFromEnvVars(ctx, cfg)
@@ -280,7 +280,7 @@ func TestSeedFromEnvVars_AlreadyExists(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

 	// Get count before seeding
 	beforeSeeding, _ := repo.List(ctx)
@@ -328,7 +328,7 @@ func TestBuildRegistry_Success(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())

 	// Call BuildRegistry
 	err := service.BuildRegistry(ctx)
@@ -351,7 +351,7 @@ func TestBuildRegistry_EmptyDatabase(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())

 	// Call BuildRegistry on empty database
 	err := service.BuildRegistry(ctx)
@@ -72,7 +72,12 @@ func (r *IssuerRegistry) Len() int {
 // For each enabled issuer, it decrypts the config (if encryption key is set),
 // instantiates a connector via the factory, wraps it in an adapter, and
 // atomically swaps the entire map.
-func (r *IssuerRegistry) Rebuild(configs []*domain.Issuer, encryptionKey []byte) error {
+//
+// The encryption passphrase is passed as a string; per-ciphertext salt derivation
+// for v2 blobs is performed inside [crypto.DecryptIfKeySet]. Empty passphrase
+// fails closed via [crypto.ErrEncryptionKeyRequired] when encrypted configs
+// are encountered. See M-8 in certctl-audit-report.md.
+func (r *IssuerRegistry) Rebuild(configs []*domain.Issuer, encryptionKey string) error {
 	newIssuers := make(map[string]IssuerConnector)
 	var errors []string

@@ -101,7 +101,7 @@ func TestIssuerRegistry_Rebuild_Enabled(t *testing.T) {
 		},
 	}

-	err := reg.Rebuild(configs, nil)
+	err := reg.Rebuild(configs, "")
 	if err != nil {
 		t.Fatalf("Rebuild failed: %v", err)
 	}
@@ -124,11 +124,12 @@ func TestIssuerRegistry_Rebuild_Enabled(t *testing.T) {
 func TestIssuerRegistry_Rebuild_WithEncryption(t *testing.T) {
 	reg := NewIssuerRegistry(registryTestLogger())

-	key := crypto.DeriveKey("test-key")
 	configJSON := []byte(`{"ca_common_name":"Encrypted CA"}`)
-	encrypted, err := crypto.Encrypt(configJSON, key)
+	// M-8: EncryptIfKeySet now emits v2 (magic 0x02 || per-ciphertext salt || sealed).
+	// IssuerRegistry.Rebuild accepts the raw passphrase and delegates PBKDF2 to crypto.DecryptIfKeySet.
+	encrypted, _, err := crypto.EncryptIfKeySet(configJSON, "test-key")
 	if err != nil {
-		t.Fatalf("encrypt failed: %v", err)
+		t.Fatalf("EncryptIfKeySet failed: %v", err)
 	}

 	configs := []*domain.Issuer{
@@ -141,7 +142,7 @@ func TestIssuerRegistry_Rebuild_WithEncryption(t *testing.T) {
 		},
 	}

-	err = reg.Rebuild(configs, key)
+	err = reg.Rebuild(configs, "test-key")
 	if err != nil {
 		t.Fatalf("Rebuild with encryption failed: %v", err)
 	}
@@ -165,10 +166,11 @@ func TestIssuerRegistry_Rebuild_NilKeyFallback(t *testing.T) {
 		},
 	}

-	// nil key should work — falls back to config column
-	err := reg.Rebuild(configs, nil)
+	// Empty passphrase is safe when no EncryptedConfig is present — falls back to config column.
+	// The C-2 fail-closed sentinel only fires when EncryptedConfig is non-empty.
+	err := reg.Rebuild(configs, "")
 	if err != nil {
-		t.Fatalf("Rebuild with nil key failed: %v", err)
+		t.Fatalf("Rebuild with empty key failed: %v", err)
 	}

 	_, ok := reg.Get("iss-plain")
@@ -198,7 +200,7 @@ func TestIssuerRegistry_Rebuild_InvalidConfig(t *testing.T) {
 	}

 	// Should return an error indicating partial failure, but still load valid issuers
-	err := reg.Rebuild(configs, nil)
+	err := reg.Rebuild(configs, "")
 	if err == nil {
 		t.Fatal("Rebuild should return error when some issuers fail to load")
 	}
@@ -230,7 +232,7 @@ func TestIssuerRegistry_Rebuild_ReplacesExisting(t *testing.T) {
 		},
 	}

-	err := reg.Rebuild(configs, nil)
+	err := reg.Rebuild(configs, "")
 	if err != nil {
 		t.Fatalf("Rebuild failed: %v", err)
 	}
@@ -275,7 +277,7 @@ func TestIssuerRegistry_Rebuild_Empty(t *testing.T) {

 	reg.Set("iss-existing", &mockIssuerConnector{})

-	err := reg.Rebuild([]*domain.Issuer{}, nil)
+	err := reg.Rebuild([]*domain.Issuer{}, "")
 	if err != nil {
 		t.Fatalf("Rebuild with empty configs failed: %v", err)
 	}
@@ -50,7 +50,7 @@ func TestIssuerService_List(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

 	issuers, total, err := service.List(ctx, 1, 2)

@@ -87,7 +87,7 @@ func TestIssuerService_List_DefaultPagination(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())

 	// Call with invalid page and perPage
 	issuers, total, err := service.List(ctx, 0, 0)
@@ -115,7 +115,7 @@ func TestIssuerService_List_RepositoryError(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

 	_, _, err := service.List(ctx, 1, 50)

@@ -137,7 +137,7 @@ func TestIssuerService_List_EmptyResult(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())

 	issuers, total, err := service.List(ctx, 1, 50)

@@ -173,7 +173,7 @@ func TestIssuerService_Get(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

 	retrieved, err := service.Get(ctx, "iss-acme-prod")

@@ -199,7 +199,7 @@ func TestIssuerService_Get_NotFound(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())

 	_, err := service.Get(ctx, "nonexistent-issuer")

@@ -217,7 +217,7 @@ func TestIssuerService_Create(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, testEncryptionKey, slog.Default())

 	config := map[string]interface{}{"endpoint": "https://acme.example.com/v2/new-account"}
 	configJSON, _ := json.Marshal(config)
@@ -280,7 +280,7 @@ func TestIssuerService_Create_EmptyName(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())

 	issuer := &domain.Issuer{
 		Name:    "",
@@ -314,7 +314,7 @@ func TestIssuerService_Create_RepositoryError(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

 	issuer := &domain.Issuer{
 		Name:    "Test Issuer",
@@ -342,7 +342,7 @@ func TestIssuerService_Update(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, testEncryptionKey, slog.Default())

 	config := map[string]interface{}{"endpoint": "https://acme.example.com"}
 	configJSON, _ := json.Marshal(config)
@@ -387,7 +387,7 @@ func TestIssuerService_Update_EmptyName(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())

 	issuer := &domain.Issuer{
 		Name:    "",
@@ -415,7 +415,7 @@ func TestIssuerService_Delete(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())

 	err := service.Delete(ctx, "iss-to-delete", "user-frank")

@@ -447,7 +447,7 @@ func TestIssuerService_Delete_RepositoryError(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

 	err := service.Delete(ctx, "iss-bad-id", "user-grace")

@@ -482,12 +482,12 @@ func TestIssuerService_TestConnection_Success(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	svc := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	svc := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

-	err := svc.TestConnectionWithContext(ctx, "iss-test-conn")
+	err := svc.TestConnection(ctx, "iss-test-conn")

 	if err != nil {
-		t.Fatalf("TestConnectionWithContext failed: %v", err)
+		t.Fatalf("TestConnection failed: %v", err)
 	}
 }

@@ -500,9 +500,9 @@ func TestIssuerService_TestConnection_NotFound(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())

-	err := service.TestConnectionWithContext(ctx, "nonexistent-issuer")
+	err := service.TestConnection(ctx, "nonexistent-issuer")

 	if err == nil {
 		t.Fatal("expected error for nonexistent issuer")
@@ -540,9 +540,10 @@ func TestIssuerService_ListIssuers_HandlerInterface(t *testing.T) {
 	auditRepo := newMockAuditRepository()
 	auditService := NewAuditService(auditRepo)

-	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), nil, slog.Default())
+	service := NewIssuerService(repo, auditService, NewIssuerRegistry(slog.Default()), "", slog.Default())

-	issuers, total, err := service.ListIssuers(1, 50)
+	ctx := context.Background()
+	issuers, total, err := service.ListIssuers(ctx, 1, 50)

 	if err != nil {
 		t.Fatalf("ListIssuers failed: %v", err)
@@ -568,7 +569,7 @@ func TestIssuerService_CreateIssuer_HandlerInterface(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, testEncryptionKey, slog.Default())

 	config := map[string]interface{}{"url": "https://example.com"}
 	configJSON, _ := json.Marshal(config)
@@ -580,7 +581,8 @@ func TestIssuerService_CreateIssuer_HandlerInterface(t *testing.T) {
 		Enabled: true,
 	}

-	result, err := service.CreateIssuer(issuer)
+	ctx := context.Background()
+	result, err := service.CreateIssuer(ctx, issuer)

 	if err != nil {
 		t.Fatalf("CreateIssuer failed: %v", err)
@@ -606,9 +608,10 @@ func TestIssuerService_DeleteIssuer_HandlerInterface(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, "", slog.Default())

-	err := service.DeleteIssuer("iss-handler-delete")
+	ctx := context.Background()
+	err := service.DeleteIssuer(ctx, "iss-handler-delete")

 	if err != nil {
 		t.Fatalf("DeleteIssuer failed: %v", err)
@@ -680,7 +683,7 @@ func TestIssuerService_Create_LowercaseType(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, testEncryptionKey, slog.Default())

 	config := map[string]interface{}{"endpoint": "https://acme.example.com"}
 	configJSON, _ := json.Marshal(config)
@@ -710,7 +713,7 @@ func TestIssuerService_CreateIssuer_LowercaseType(t *testing.T) {
 	auditService := NewAuditService(auditRepo)

 	registry := NewIssuerRegistry(slog.Default())
-	service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+	service := NewIssuerService(repo, auditService, registry, testEncryptionKey, slog.Default())

 	config := map[string]interface{}{"url": "https://example.com"}
 	configJSON, _ := json.Marshal(config)
@@ -722,7 +725,8 @@ func TestIssuerService_CreateIssuer_LowercaseType(t *testing.T) {
 		Enabled: true,
 	}

-	result, err := service.CreateIssuer(issuer)
+	ctx := context.Background()
+	result, err := service.CreateIssuer(ctx, issuer)
 	if err != nil {
 		t.Fatalf("CreateIssuer with lowercase 'stepca' should succeed, got: %v", err)
 	}
@@ -752,7 +756,7 @@ func TestIssuerService_Create_M49Types(t *testing.T) {
 			auditService := NewAuditService(auditRepo)

 			registry := NewIssuerRegistry(slog.Default())
-			service := NewIssuerService(repo, auditService, registry, nil, slog.Default())
+			service := NewIssuerService(repo, auditService, registry, testEncryptionKey, slog.Default())

 			config := map[string]interface{}{"api_url": "https://example.com"}
 			configJSON, _ := json.Marshal(config)
@@ -35,11 +35,18 @@ func NewJobService(

 // ProcessPendingJobs fetches and processes all pending jobs.
 // It routes jobs to the appropriate service based on job type and handles errors gracefully.
+//
+// Concurrency (H-6 CWE-362): jobs are claimed via ClaimPendingJobs which uses
+// SELECT ... FOR UPDATE SKIP LOCKED and flips Pending → Running atomically. Concurrent
+// scheduler replicas in HA deployments will therefore never observe the same Pending row,
+// and the subsequent UpdateStatus(Running) calls inside the downstream service methods are
+// idempotent against the pre-flipped state.
 func (s *JobService) ProcessPendingJobs(ctx context.Context) error {
-	// Fetch pending jobs
-	pendingJobs, err := s.jobRepo.ListByStatus(ctx, domain.JobStatusPending)
+	// Claim pending jobs atomically (H-6 remediation: was ListByStatus which had no row lock).
+	// Empty jobType matches all types; zero limit means unlimited (preserves prior semantics).
+	pendingJobs, err := s.jobRepo.ClaimPendingJobs(ctx, "", 0)
 	if err != nil {
-		return fmt.Errorf("failed to list pending jobs: %w", err)
+		return fmt.Errorf("failed to claim pending jobs: %w", err)
 	}

 	if len(pendingJobs) == 0 {
@@ -182,8 +189,8 @@ func (s *JobService) GetJobStatus(ctx context.Context, jobID string) (*domain.Jo
 	return job, nil
 }

-// CancelJobWithContext cancels a pending or running job.
-func (s *JobService) CancelJobWithContext(ctx context.Context, jobID string) error {
+// CancelJob cancels a pending or running job (handler interface method).
+func (s *JobService) CancelJob(ctx context.Context, jobID string) error {
 	job, err := s.jobRepo.Get(ctx, jobID)
 	if err != nil {
 		return fmt.Errorf("failed to fetch job: %w", err)
@@ -201,13 +208,8 @@ func (s *JobService) CancelJobWithContext(ctx context.Context, jobID string) err
 	return nil
 }

-// CancelJob cancels a job (handler interface method).
-func (s *JobService) CancelJob(id string) error {
-	return s.CancelJobWithContext(context.Background(), id)
-}
-
 // ListJobs returns paginated jobs with optional filtering (handler interface method).
-func (s *JobService) ListJobs(status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
+func (s *JobService) ListJobs(ctx context.Context, status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -215,7 +217,7 @@ func (s *JobService) ListJobs(status, jobType string, page, perPage int) ([]doma
 		perPage = 50
 	}

-	allJobs, err := s.jobRepo.List(context.Background())
+	allJobs, err := s.jobRepo.List(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list jobs: %w", err)
 	}
@@ -256,14 +258,13 @@ func (s *JobService) ListJobs(status, jobType string, page, perPage int) ([]doma
 }

 // GetJob returns a single job (handler interface method).
-func (s *JobService) GetJob(id string) (*domain.Job, error) {
-	return s.jobRepo.Get(context.Background(), id)
+func (s *JobService) GetJob(ctx context.Context, id string) (*domain.Job, error) {
+	return s.jobRepo.Get(ctx, id)
 }

 // ApproveJob approves a renewal job that is awaiting approval.
 // Transitions the job from AwaitingApproval to Pending so the scheduler picks it up.
-func (s *JobService) ApproveJob(id string) error {
-	ctx := context.Background()
+func (s *JobService) ApproveJob(ctx context.Context, id string) error {
 	job, err := s.jobRepo.Get(ctx, id)
 	if err != nil {
 		return fmt.Errorf("job not found: %w", err)
@@ -283,8 +284,7 @@ func (s *JobService) ApproveJob(id string) error {

 // RejectJob rejects a renewal job that is awaiting approval.
 // Transitions the job to Cancelled with a rejection reason.
-func (s *JobService) RejectJob(id string, reason string) error {
-	ctx := context.Background()
+func (s *JobService) RejectJob(ctx context.Context, id string, reason string) error {
 	job, err := s.jobRepo.Get(ctx, id)
 	if err != nil {
 		return fmt.Errorf("job not found: %w", err)
@@ -99,7 +99,7 @@ func TestCancelJob(t *testing.T) {

 	jobService := newTestJobService(jobRepo)

-	err := jobService.CancelJobWithContext(ctx, "job-001")
+	err := jobService.CancelJob(ctx, "job-001")
 	if err != nil {
 		t.Fatalf("CancelJob failed: %v", err)
 	}
@@ -129,13 +129,15 @@ func TestCancelJob_AlreadyCompleted(t *testing.T) {

 	jobService := newTestJobService(jobRepo)

-	err := jobService.CancelJobWithContext(ctx, "job-001")
+	err := jobService.CancelJob(ctx, "job-001")
 	if err == nil {
 		t.Fatal("expected error for completed job")
 	}
 }

 func TestGetJob(t *testing.T) {
+	ctx := context.Background()
+
 	now := time.Now()
 	job := &domain.Job{
 		ID:            "job-001",
@@ -153,7 +155,7 @@ func TestGetJob(t *testing.T) {

 	jobService := newTestJobService(jobRepo)

-	retrieved, err := jobService.GetJob("job-001")
+	retrieved, err := jobService.GetJob(ctx, "job-001")
 	if err != nil {
 		t.Fatalf("GetJob failed: %v", err)
 	}
@@ -167,6 +169,8 @@ func TestGetJob(t *testing.T) {
 }

 func TestListJobs(t *testing.T) {
+	ctx := context.Background()
+
 	now := time.Now()
 	job1 := &domain.Job{
 		ID:            "job-001",
@@ -192,7 +196,7 @@ func TestListJobs(t *testing.T) {

 	jobService := newTestJobService(jobRepo)

-	jobs, total, err := jobService.ListJobs("", "", 1, 50)
+	jobs, total, err := jobService.ListJobs(ctx, "", "", 1, 50)
 	if err != nil {
 		t.Fatalf("ListJobs failed: %v", err)
 	}
@@ -206,6 +210,8 @@ func TestListJobs(t *testing.T) {
 }

 func TestListJobs_FilterByStatus(t *testing.T) {
+	ctx := context.Background()
+
 	now := time.Now()
 	job1 := &domain.Job{
 		ID:            "job-001",
@@ -231,7 +237,7 @@ func TestListJobs_FilterByStatus(t *testing.T) {

 	jobService := newTestJobService(jobRepo)

-	jobs, total, err := jobService.ListJobs(string(domain.JobStatusPending), "", 1, 50)
+	jobs, total, err := jobService.ListJobs(ctx, string(domain.JobStatusPending), "", 1, 50)
 	if err != nil {
 		t.Fatalf("ListJobs failed: %v", err)
 	}
@@ -119,7 +119,10 @@ func TestESTService_MaxTTL_ForwardedToIssuer(t *testing.T) {

 func TestSCEPService_CryptoValidation_RejectsWeakKey(t *testing.T) {
 	mockIssuer := &mockIssuerConnector{}
-	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	// H-2: SCEPService now requires a configured challenge password. Pass a
+	// matching client password so this test exercises the crypto-policy path
+	// rather than being short-circuited by the challenge-password guard.
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")

 	// Profile requiring ECDSA P-384 minimum
 	profileRepo := newM11cProfileRepo()
@@ -136,7 +139,7 @@ func TestSCEPService_CryptoValidation_RejectsWeakKey(t *testing.T) {
 	// P-256 CSR should be rejected
 	csrPEM := generateCSRPEM(t, "device.example.com", nil)

-	_, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-001")
+	_, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-001")
 	if err == nil {
 		t.Fatal("expected rejection for ECDSA P-256 against P-384 minimum")
 	}
@@ -152,7 +155,8 @@ func TestSCEPService_CryptoValidation_AcceptsStrongKey(t *testing.T) {
 	mockIssuer := &mockIssuerConnector{}
 	auditRepo := newMockAuditRepository()
 	auditSvc := NewAuditService(auditRepo)
-	svc := NewSCEPService("iss-local", mockIssuer, auditSvc, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	// H-2: happy path exercises the authenticated branch.
+	svc := NewSCEPService("iss-local", mockIssuer, auditSvc, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")

 	profileRepo := newM11cProfileRepo()
 	profileRepo.profiles["prof-standard"] = &domain.CertificateProfile{
@@ -167,7 +171,7 @@ func TestSCEPService_CryptoValidation_AcceptsStrongKey(t *testing.T) {

 	csrPEM := generateCSRPEM(t, "device-ok.example.com", nil)

-	result, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-002")
+	result, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-002")
 	if err != nil {
 		t.Fatalf("expected success: %v", err)
 	}
@@ -179,7 +183,8 @@ func TestSCEPService_CryptoValidation_AcceptsStrongKey(t *testing.T) {
 func TestSCEPService_MaxTTL_ForwardedToIssuer(t *testing.T) {
 	capturingMock := &capturingIssuerConnector{}

-	svc := NewSCEPService("iss-local", capturingMock, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	// H-2: challenge password required for enrollment.
+	svc := NewSCEPService("iss-local", capturingMock, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")

 	profileRepo := newM11cProfileRepo()
 	profileRepo.profiles["prof-device"] = &domain.CertificateProfile{
@@ -192,7 +197,7 @@ func TestSCEPService_MaxTTL_ForwardedToIssuer(t *testing.T) {

 	csrPEM := generateCSRPEM(t, "mdm-device.example.com", nil)

-	_, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-003")
+	_, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-003")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -341,12 +346,13 @@ func TestESTService_NoProfileRepo_PassesThrough(t *testing.T) {

 func TestSCEPService_NoProfileRepo_PassesThrough(t *testing.T) {
 	mockIssuer := &mockIssuerConnector{}
-	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	// H-2: challenge password required for enrollment.
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")
 	svc.SetProfileID("nonexistent-profile")

 	csrPEM := generateCSRPEM(t, "no-profile-scep.example.com", nil)

-	result, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-004")
+	result, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-004")
 	if err != nil {
 		t.Fatalf("expected success when no profile repo set: %v", err)
 	}
@@ -14,6 +14,7 @@ import (
 	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/repository"
 	"github.com/shankar0123/certctl/internal/tlsprobe"
+	"github.com/shankar0123/certctl/internal/validation"
 )

 // SentinelAgentID is the agent ID used for network-discovered certificates.
@@ -234,21 +235,19 @@ func (s *NetworkScanService) scanTarget(ctx context.Context, target *domain.Netw
 	timeout := time.Duration(target.TimeoutMs) * time.Millisecond
 	results := s.scanEndpoints(ctx, endpoints, timeout)

-	// Collect discovered cert entries
-	var entries []domain.DiscoveredCertEntry
-	var scanErrors []string
-	for _, result := range results {
-		if result.Error != "" {
-			// Only log connection errors at debug level (many hosts won't have TLS)
-			if s.logger != nil {
-				s.logger.Debug("scan endpoint error",
-					"address", result.Address,
-					"error", result.Error)
-			}
-			continue
-		}
-		entries = append(entries, result.Certs...)
-	}
+	// Collect discovered cert entries and per-endpoint errors.
+	//
+	// M-9 (operator-observability): before this fix, scanErrors was declared
+	// but never appended to, so the "errors" count in the summary Info log
+	// and the Errors field on the DiscoveryReport were always zero/nil —
+	// silently hiding per-endpoint failures from operators and from the
+	// downstream scan history record. Per-endpoint failures are still logged
+	// at Debug (sweep scans generate high connection-refused noise by design
+	// — most hosts in a CIDR won't have TLS on the probed port), but the
+	// aggregate count and the report's Errors field now reflect reality so
+	// operators can see, via the scan summary and the stored scan record,
+	// how many endpoints failed without having to enable Debug logging.
+	entries, scanErrors := s.collectScanResults(results)

 	scanDuration := time.Since(startTime)
 	if s.logger != nil {
@@ -318,51 +317,27 @@ func (s *NetworkScanService) expandEndpoints(cidrs []string, ports []int64) []st
 	return endpoints
 }

-// isReservedCIDR checks if an IP address falls within reserved ranges that should not be scanned.
-// Filters out loopback, link-local (including cloud metadata), and multicast ranges.
-// Does NOT filter RFC 1918 ranges since certctl is self-hosted and internal networks are a primary use case.
-func isReservedIP(ip net.IP) bool {
-	// Loopback: 127.0.0.0/8
-	if ip.IsLoopback() {
-		return true
-	}
-
-	// Link-local: 169.254.0.0/16 (includes cloud metadata 169.254.169.254)
-	if linkLocal := net.ParseIP("169.254.0.0"); linkLocal != nil {
-		if _, linkLocalNet, _ := net.ParseCIDR("169.254.0.0/16"); linkLocalNet != nil {
-			if linkLocalNet.Contains(ip) {
-				return true
-			}
-		}
-	}
-
-	// Multicast: 224.0.0.0/4
-	if multicast := net.ParseIP("224.0.0.0"); multicast != nil {
-		if _, multicastNet, _ := net.ParseCIDR("224.0.0.0/4"); multicastNet != nil {
-			if multicastNet.Contains(ip) {
-				return true
-			}
-		}
-	}
-
-	// Broadcast: 255.255.255.255
-	if ip.String() == "255.255.255.255" {
-		return true
-	}
-
-	return false
-}
+// The reserved-IP filter used by expandCIDR previously lived here as an
+// unexported isReservedIP helper. It has been moved to
+// internal/validation.IsReservedIP so the webhook notifier can share a single
+// authoritative implementation (H-4, CWE-918). The behaviour is
+// byte-identical with the previous helper — RFC 1918 is intentionally NOT
+// filtered, matching certctl's self-hosted design. If you change the
+// validation package's IsReservedIP, you are changing the network-scanner's
+// behaviour; audit both code paths together.

 // expandCIDR expands a CIDR notation or single IP into a list of IPs.
 // Limits expansion to /20 (4096 IPs) to prevent accidental huge scans.
-// Filters out reserved IP ranges to prevent SSRF attacks.
+// Filters out reserved IP ranges (via validation.IsReservedIP) to prevent
+// SSRF amplification via network-scan targets pointed at cloud metadata or
+// loopback.
 func expandCIDR(cidr string) []string {
 	// Try as CIDR first
 	ip, ipNet, err := net.ParseCIDR(cidr)
 	if err != nil {
 		// Try as single IP
 		if singleIP := net.ParseIP(cidr); singleIP != nil {
-			if isReservedIP(singleIP) {
+			if validation.IsReservedIP(singleIP) {
 				return nil
 			}
 			return []string{singleIP.String()}
@@ -380,7 +355,7 @@ func expandCIDR(cidr string) []string {
 	var ips []string
 	for ip := ip.Mask(ipNet.Mask); ipNet.Contains(ip); incrementIP(ip) {
 		// Skip reserved IPs
-		if isReservedIP(ip) {
+		if validation.IsReservedIP(ip) {
 			continue
 		}

@@ -408,6 +383,44 @@ func incrementIP(ip net.IP) {
 	}
 }

+// collectScanResults partitions per-endpoint scan results into discovered
+// certificate entries and a list of per-endpoint error strings.
+//
+// M-9 (operator-observability): the summary Info log and the DiscoveryReport
+// both report the count of endpoints that failed to probe. Before this helper
+// existed, the caller accumulated entries but never populated the errors
+// slice, so the aggregate error count was always zero and the scan record's
+// Errors field was always nil — silently hiding per-endpoint failures.
+//
+// Per-endpoint errors remain logged at Debug (sweep scans generate high
+// connection-refused noise by design — most hosts in a CIDR won't have TLS
+// on the probed port). Aggregation surfaces the count at Info, preserving
+// Debug-level detail for operators who want it without creating log spam
+// at default verbosity.
+func (s *NetworkScanService) collectScanResults(results []domain.NetworkScanResult) ([]domain.DiscoveredCertEntry, []string) {
+	var entries []domain.DiscoveredCertEntry
+	var scanErrors []string
+	for _, result := range results {
+		if result.Error != "" {
+			// Debug-level is intentional: a sweep scan of a /24 typically
+			// produces 200+ connection-refused results, and logging each
+			// at Warn would create log spam at default verbosity. The
+			// aggregate count in the Info-level scan-completed log surfaces
+			// the failure volume to operators; Debug provides the detail
+			// when diagnosing a specific endpoint.
+			if s.logger != nil {
+				s.logger.Debug("scan endpoint error",
+					"address", result.Address,
+					"error", result.Error)
+			}
+			scanErrors = append(scanErrors, fmt.Sprintf("%s: %s", result.Address, result.Error))
+			continue
+		}
+		entries = append(entries, result.Certs...)
+	}
+	return entries, scanErrors
+}
+
 // scanEndpoints probes TLS endpoints concurrently and returns results.
 func (s *NetworkScanService) scanEndpoints(ctx context.Context, endpoints []string, timeout time.Duration) []domain.NetworkScanResult {
 	results := make([]domain.NetworkScanResult, len(endpoints))
@@ -8,6 +8,7 @@ import (
 	"time"

 	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/validation"
 )

 // mockNetworkScanRepo for testing
@@ -248,9 +249,9 @@ func TestIsReservedIP_Loopback(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.ip, func(t *testing.T) {
-			result := isReservedIP(net.ParseIP(tt.ip))
+			result := validation.IsReservedIP(net.ParseIP(tt.ip))
 			if result != tt.expected {
-				t.Errorf("isReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
+				t.Errorf("validation.IsReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
 			}
 		})
 	}
@@ -269,9 +270,9 @@ func TestIsReservedIP_LinkLocal(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.ip, func(t *testing.T) {
-			result := isReservedIP(net.ParseIP(tt.ip))
+			result := validation.IsReservedIP(net.ParseIP(tt.ip))
 			if result != tt.expected {
-				t.Errorf("isReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
+				t.Errorf("validation.IsReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
 			}
 		})
 	}
@@ -289,18 +290,18 @@ func TestIsReservedIP_Multicast(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.ip, func(t *testing.T) {
-			result := isReservedIP(net.ParseIP(tt.ip))
+			result := validation.IsReservedIP(net.ParseIP(tt.ip))
 			if result != tt.expected {
-				t.Errorf("isReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
+				t.Errorf("validation.IsReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
 			}
 		})
 	}
 }

 func TestIsReservedIP_Broadcast(t *testing.T) {
-	result := isReservedIP(net.ParseIP("255.255.255.255"))
+	result := validation.IsReservedIP(net.ParseIP("255.255.255.255"))
 	if !result {
-		t.Errorf("isReservedIP(255.255.255.255) = %v, expected true", result)
+		t.Errorf("validation.IsReservedIP(255.255.255.255) = %v, expected true", result)
 	}
 }

@@ -320,9 +321,9 @@ func TestIsReservedIP_AllowsPrivateRanges(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
-			result := isReservedIP(net.ParseIP(tt.ip))
+			result := validation.IsReservedIP(net.ParseIP(tt.ip))
 			if result != tt.expected {
-				t.Errorf("isReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
+				t.Errorf("validation.IsReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
 			}
 		})
 	}
@@ -340,9 +341,9 @@ func TestIsReservedIP_AllowsPublic(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.ip, func(t *testing.T) {
-			result := isReservedIP(net.ParseIP(tt.ip))
+			result := validation.IsReservedIP(net.ParseIP(tt.ip))
 			if result != tt.expected {
-				t.Errorf("isReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
+				t.Errorf("validation.IsReservedIP(%s) = %v, expected %v", tt.ip, result, tt.expected)
 			}
 		})
 	}
@@ -490,3 +491,113 @@ func TestExpandCIDR_SingleLinkLocalIP(t *testing.T) {
 		t.Errorf("expected empty for cloud metadata IP, got %v", ips)
 	}
 }
+
+// TestCollectScanResults_AggregatesErrors is the M-9 regression guard:
+// per-endpoint probe failures must accumulate into the errors slice so the
+// summary Info log and the DiscoveryReport reflect the true failure count.
+// Before the M-9 fix, scanErrors was declared but never appended to, so the
+// aggregate count was always zero and the scan record's Errors field was
+// always nil — silently hiding per-endpoint failures from operators.
+func TestCollectScanResults_AggregatesErrors(t *testing.T) {
+	svc := &NetworkScanService{}
+	results := []domain.NetworkScanResult{
+		{Address: "203.0.113.1:443", Error: "connection refused"},
+		{Address: "203.0.113.2:443", Certs: []domain.DiscoveredCertEntry{
+			{CommonName: "example.com"},
+		}},
+		{Address: "203.0.113.3:443", Error: "tls handshake failure"},
+		{Address: "203.0.113.4:443", Certs: []domain.DiscoveredCertEntry{
+			{CommonName: "internal.example.com"},
+		}},
+		{Address: "203.0.113.5:443", Error: "i/o timeout"},
+	}
+
+	entries, errs := svc.collectScanResults(results)
+
+	if len(entries) != 2 {
+		t.Errorf("expected 2 entries (one per successful probe), got %d", len(entries))
+	}
+	if len(errs) != 3 {
+		t.Fatalf("expected 3 error strings (one per failed probe), got %d: %v", len(errs), errs)
+	}
+
+	// Each error string must be non-empty and include the endpoint address so
+	// the scan record lets operators correlate failures back to endpoints
+	// without needing Debug logging enabled.
+	for i, e := range errs {
+		if e == "" {
+			t.Errorf("error[%d]: expected non-empty error string", i)
+		}
+	}
+
+	// Spot-check that address is threaded through the error strings.
+	if want := "203.0.113.1:443"; errs[0] == "" || errs[0][:len(want)] != want {
+		t.Errorf("errs[0] should start with %q, got %q", want, errs[0])
+	}
+	if want := "203.0.113.3:443"; errs[1] == "" || errs[1][:len(want)] != want {
+		t.Errorf("errs[1] should start with %q, got %q", want, errs[1])
+	}
+	if want := "203.0.113.5:443"; errs[2] == "" || errs[2][:len(want)] != want {
+		t.Errorf("errs[2] should start with %q, got %q", want, errs[2])
+	}
+}
+
+// TestCollectScanResults_AllSuccess exercises the happy path: a scan where
+// every endpoint returned certificates. The errors slice must be nil (not an
+// empty non-nil slice) so the downstream DiscoveryReport.Errors field stays
+// nil as well, preserving the JSON-omitempty behavior that callers rely on.
+func TestCollectScanResults_AllSuccess(t *testing.T) {
+	svc := &NetworkScanService{}
+	results := []domain.NetworkScanResult{
+		{Address: "203.0.113.10:443", Certs: []domain.DiscoveredCertEntry{
+			{CommonName: "a.example.com"},
+		}},
+		{Address: "203.0.113.11:443", Certs: []domain.DiscoveredCertEntry{
+			{CommonName: "b.example.com"},
+		}},
+	}
+
+	entries, errs := svc.collectScanResults(results)
+
+	if len(entries) != 2 {
+		t.Errorf("expected 2 entries, got %d", len(entries))
+	}
+	if errs != nil {
+		t.Errorf("expected nil errors slice on all-success, got %v", errs)
+	}
+}
+
+// TestCollectScanResults_AllFailed exercises the worst-case sweep: every
+// endpoint failed to probe. Entries must be nil, and every failure must be
+// recorded in the errors slice so the scan record is complete.
+func TestCollectScanResults_AllFailed(t *testing.T) {
+	svc := &NetworkScanService{}
+	results := []domain.NetworkScanResult{
+		{Address: "203.0.113.20:443", Error: "connection refused"},
+		{Address: "203.0.113.21:443", Error: "connection refused"},
+		{Address: "203.0.113.22:443", Error: "connection refused"},
+	}
+
+	entries, errs := svc.collectScanResults(results)
+
+	if entries != nil {
+		t.Errorf("expected nil entries on all-failed, got %v", entries)
+	}
+	if len(errs) != 3 {
+		t.Errorf("expected 3 error strings, got %d: %v", len(errs), errs)
+	}
+}
+
+// TestCollectScanResults_Empty guards against a degenerate empty-input case
+// (scanEndpoints returns no results, e.g. if ctx was cancelled before the
+// first probe ran). Both return slices must be nil.
+func TestCollectScanResults_Empty(t *testing.T) {
+	svc := &NetworkScanService{}
+	entries, errs := svc.collectScanResults(nil)
+	if entries != nil {
+		t.Errorf("expected nil entries for empty input, got %v", entries)
+	}
+	if errs != nil {
+		t.Errorf("expected nil errors for empty input, got %v", errs)
+	}
+}
@@ -319,7 +319,7 @@ func (s *NotificationService) GetNotificationHistory(ctx context.Context, certID
 }

 // ListNotifications returns paginated notifications (handler interface method).
-func (s *NotificationService) ListNotifications(page, perPage int) ([]domain.NotificationEvent, int64, error) {
+func (s *NotificationService) ListNotifications(ctx context.Context, page, perPage int) ([]domain.NotificationEvent, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -332,7 +332,7 @@ func (s *NotificationService) ListNotifications(page, perPage int) ([]domain.Not
 		PerPage: perPage,
 	}

-	notifications, err := s.notifRepo.List(context.Background(), filter)
+	notifications, err := s.notifRepo.List(ctx, filter)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list notifications: %w", err)
 	}
@@ -349,12 +349,12 @@ func (s *NotificationService) ListNotifications(page, perPage int) ([]domain.Not
 }

 // GetNotification returns a single notification (handler interface method).
-func (s *NotificationService) GetNotification(id string) (*domain.NotificationEvent, error) {
+func (s *NotificationService) GetNotification(ctx context.Context, id string) (*domain.NotificationEvent, error) {
 	filter := &repository.NotificationFilter{
 		PerPage: 1,
 	}

-	notifications, err := s.notifRepo.List(context.Background(), filter)
+	notifications, err := s.notifRepo.List(ctx, filter)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get notification: %w", err)
 	}
@@ -370,6 +370,6 @@ func (s *NotificationService) GetNotification(id string) (*domain.NotificationEv
 }

 // MarkAsRead marks a notification as read (handler interface method).
-func (s *NotificationService) MarkAsRead(id string) error {
-	return s.notifRepo.UpdateStatus(context.Background(), id, "read", time.Now())
+func (s *NotificationService) MarkAsRead(ctx context.Context, id string) error {
+	return s.notifRepo.UpdateStatus(ctx, id, "read", time.Now())
 }
@@ -370,7 +370,7 @@ func TestListNotifications(t *testing.T) {
 	}

 	// List with pagination
-	notifs, total, err := svc.ListNotifications(1, 3)
+	notifs, total, err := svc.ListNotifications(context.Background(), 1, 3)
 	if err != nil {
 		t.Fatalf("ListNotifications failed: %v", err)
 	}
@@ -404,7 +404,7 @@ func TestMarkAsRead(t *testing.T) {
 	notifRepo.AddNotification(notif)

 	// Mark as read
-	err := svc.MarkAsRead(notif.ID)
+	err := svc.MarkAsRead(context.Background(), notif.ID)
 	if err != nil {
 		t.Fatalf("MarkAsRead failed: %v", err)
 	}
@@ -434,7 +434,7 @@ func TestGetNotification(t *testing.T) {
 	notifRepo.AddNotification(notif)

 	// Get the notification
-	retrieved, err := svc.GetNotification(notif.ID)
+	retrieved, err := svc.GetNotification(context.Background(), notif.ID)
 	if err != nil {
 		t.Fatalf("GetNotification failed: %v", err)
 	}
@@ -126,7 +126,7 @@ func (s *OwnerService) Delete(ctx context.Context, id string, actor string) erro
 }

 // ListOwners returns paginated owners (handler interface method).
-func (s *OwnerService) ListOwners(page, perPage int) ([]domain.Owner, int64, error) {
+func (s *OwnerService) ListOwners(ctx context.Context, page, perPage int) ([]domain.Owner, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -134,7 +134,7 @@ func (s *OwnerService) ListOwners(page, perPage int) ([]domain.Owner, int64, err
 		perPage = 50
 	}

-	owners, err := s.ownerRepo.List(context.Background())
+	owners, err := s.ownerRepo.List(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list owners: %w", err)
 	}
@@ -151,12 +151,12 @@ func (s *OwnerService) ListOwners(page, perPage int) ([]domain.Owner, int64, err
 }

 // GetOwner returns a single owner (handler interface method).
-func (s *OwnerService) GetOwner(id string) (*domain.Owner, error) {
-	return s.ownerRepo.Get(context.Background(), id)
+func (s *OwnerService) GetOwner(ctx context.Context, id string) (*domain.Owner, error) {
+	return s.ownerRepo.Get(ctx, id)
 }

 // CreateOwner creates a new owner (handler interface method).
-func (s *OwnerService) CreateOwner(owner domain.Owner) (*domain.Owner, error) {
+func (s *OwnerService) CreateOwner(ctx context.Context, owner domain.Owner) (*domain.Owner, error) {
 	if owner.ID == "" {
 		owner.ID = generateID("owner")
 	}
@@ -167,22 +167,22 @@ func (s *OwnerService) CreateOwner(owner domain.Owner) (*domain.Owner, error) {
 	if owner.UpdatedAt.IsZero() {
 		owner.UpdatedAt = now
 	}
-	if err := s.ownerRepo.Create(context.Background(), &owner); err != nil {
+	if err := s.ownerRepo.Create(ctx, &owner); err != nil {
 		return nil, fmt.Errorf("failed to create owner: %w", err)
 	}
 	return &owner, nil
 }

 // UpdateOwner modifies an owner (handler interface method).
-func (s *OwnerService) UpdateOwner(id string, owner domain.Owner) (*domain.Owner, error) {
+func (s *OwnerService) UpdateOwner(ctx context.Context, id string, owner domain.Owner) (*domain.Owner, error) {
 	owner.ID = id
-	if err := s.ownerRepo.Update(context.Background(), &owner); err != nil {
+	if err := s.ownerRepo.Update(ctx, &owner); err != nil {
 		return nil, fmt.Errorf("failed to update owner: %w", err)
 	}
 	return &owner, nil
 }

 // DeleteOwner removes an owner (handler interface method).
-func (s *OwnerService) DeleteOwner(id string) error {
-	return s.ownerRepo.Delete(context.Background(), id)
+func (s *OwnerService) DeleteOwner(ctx context.Context, id string) error {
+	return s.ownerRepo.Delete(ctx, id)
 }
@@ -638,7 +638,7 @@ func TestOwnerService_ListOwners_HandlerInterface(t *testing.T) {

 	ownerService := NewOwnerService(ownerRepo, auditService)

-	owners, total, err := ownerService.ListOwners(1, 50)
+	owners, total, err := ownerService.ListOwners(context.Background(), 1, 50)
 	if err != nil {
 		t.Fatalf("ListOwners failed: %v", err)
 	}
@@ -678,7 +678,7 @@ func TestOwnerService_GetOwner_HandlerInterface(t *testing.T) {

 	ownerService := NewOwnerService(ownerRepo, auditService)

-	retrieved, err := ownerService.GetOwner("owner-001")
+	retrieved, err := ownerService.GetOwner(context.Background(), "owner-001")
 	if err != nil {
 		t.Fatalf("GetOwner failed: %v", err)
 	}
@@ -702,7 +702,7 @@ func TestOwnerService_CreateOwner_HandlerInterface(t *testing.T) {
 		TeamID: "team-001",
 	}

-	created, err := ownerService.CreateOwner(owner)
+	created, err := ownerService.CreateOwner(context.Background(), owner)
 	if err != nil {
 		t.Fatalf("CreateOwner failed: %v", err)
 	}
@@ -752,7 +752,7 @@ func TestOwnerService_UpdateOwner_HandlerInterface(t *testing.T) {
 		TeamID: "team-002",
 	}

-	updated, err := ownerService.UpdateOwner("owner-001", updatedOwner)
+	updated, err := ownerService.UpdateOwner(context.Background(), "owner-001", updatedOwner)
 	if err != nil {
 		t.Fatalf("UpdateOwner failed: %v", err)
 	}
@@ -798,7 +798,7 @@ func TestOwnerService_DeleteOwner_HandlerInterface(t *testing.T) {

 	ownerService := NewOwnerService(ownerRepo, auditService)

-	err := ownerService.DeleteOwner("owner-001")
+	err := ownerService.DeleteOwner(context.Background(), "owner-001")
 	if err != nil {
 		t.Fatalf("DeleteOwner failed: %v", err)
 	}
@@ -230,7 +230,7 @@ func (s *PolicyService) ListViolationsWithContext(ctx context.Context, filter *r
 }

 // ListPolicies returns paginated policies (handler interface method).
-func (s *PolicyService) ListPolicies(page, perPage int) ([]domain.PolicyRule, int64, error) {
+func (s *PolicyService) ListPolicies(ctx context.Context, page, perPage int) ([]domain.PolicyRule, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -238,7 +238,7 @@ func (s *PolicyService) ListPolicies(page, perPage int) ([]domain.PolicyRule, in
 		perPage = 50
 	}

-	rules, err := s.policyRepo.ListRules(context.Background())
+	rules, err := s.policyRepo.ListRules(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list policies: %w", err)
 	}
@@ -264,12 +264,12 @@ func (s *PolicyService) ListPolicies(page, perPage int) ([]domain.PolicyRule, in
 }

 // GetPolicy returns a single policy (handler interface method).
-func (s *PolicyService) GetPolicy(id string) (*domain.PolicyRule, error) {
-	return s.policyRepo.GetRule(context.Background(), id)
+func (s *PolicyService) GetPolicy(ctx context.Context, id string) (*domain.PolicyRule, error) {
+	return s.policyRepo.GetRule(ctx, id)
 }

 // CreatePolicy creates a new policy (handler interface method).
-func (s *PolicyService) CreatePolicy(policy domain.PolicyRule) (*domain.PolicyRule, error) {
+func (s *PolicyService) CreatePolicy(ctx context.Context, policy domain.PolicyRule) (*domain.PolicyRule, error) {
 	if policy.ID == "" {
 		policy.ID = generateID("rule")
 	}
@@ -277,30 +277,30 @@ func (s *PolicyService) CreatePolicy(policy domain.PolicyRule) (*domain.PolicyRu
 		policy.CreatedAt = time.Now()
 	}

-	if err := s.policyRepo.CreateRule(context.Background(), &policy); err != nil {
+	if err := s.policyRepo.CreateRule(ctx, &policy); err != nil {
 		return nil, fmt.Errorf("failed to create policy: %w", err)
 	}
 	return &policy, nil
 }

 // UpdatePolicy modifies a policy (handler interface method).
-func (s *PolicyService) UpdatePolicy(id string, policy domain.PolicyRule) (*domain.PolicyRule, error) {
+func (s *PolicyService) UpdatePolicy(ctx context.Context, id string, policy domain.PolicyRule) (*domain.PolicyRule, error) {
 	policy.ID = id
 	policy.UpdatedAt = time.Now()

-	if err := s.policyRepo.UpdateRule(context.Background(), &policy); err != nil {
+	if err := s.policyRepo.UpdateRule(ctx, &policy); err != nil {
 		return nil, fmt.Errorf("failed to update policy: %w", err)
 	}
 	return &policy, nil
 }

 // DeletePolicy removes a policy (handler interface method).
-func (s *PolicyService) DeletePolicy(id string) error {
-	return s.policyRepo.DeleteRule(context.Background(), id)
+func (s *PolicyService) DeletePolicy(ctx context.Context, id string) error {
+	return s.policyRepo.DeleteRule(ctx, id)
 }

 // ListViolations returns policy violations with pagination (handler interface method).
-func (s *PolicyService) ListViolations(policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error) {
+func (s *PolicyService) ListViolations(ctx context.Context, policyID string, page, perPage int) ([]domain.PolicyViolation, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -313,7 +313,7 @@ func (s *PolicyService) ListViolations(policyID string, page, perPage int) ([]do
 		PerPage:    1000, // Get all violations for the policy
 	}

-	violations, err := s.policyRepo.ListViolations(context.Background(), filter)
+	violations, err := s.policyRepo.ListViolations(ctx, filter)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list violations: %w", err)
 	}
@@ -376,7 +376,7 @@ func TestListPolicies(t *testing.T) {

 	policyService := NewPolicyService(policyRepo, auditService)

-	policies, total, err := policyService.ListPolicies(1, 50)
+	policies, total, err := policyService.ListPolicies(context.Background(), 1, 50)
 	if err != nil {
 		t.Fatalf("ListPolicies failed: %v", err)
 	}
@@ -407,7 +407,7 @@ func TestCreatePolicy(t *testing.T) {
 		CreatedAt: now,
 	}

-	created, err := policyService.CreatePolicy(policy)
+	created, err := policyService.CreatePolicy(context.Background(), policy)
 	if err != nil {
 		t.Fatalf("CreatePolicy failed: %v", err)
 	}
@@ -28,7 +28,7 @@ func NewProfileService(
 }

 // ListProfiles returns all profiles (handler interface method).
-func (s *ProfileService) ListProfiles(page, perPage int) ([]domain.CertificateProfile, int64, error) {
+func (s *ProfileService) ListProfiles(ctx context.Context, page, perPage int) ([]domain.CertificateProfile, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -36,7 +36,7 @@ func (s *ProfileService) ListProfiles(page, perPage int) ([]domain.CertificatePr
 		perPage = 50
 	}

-	profiles, err := s.profileRepo.List(context.Background())
+	profiles, err := s.profileRepo.List(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list profiles: %w", err)
 	}
@@ -53,12 +53,12 @@ func (s *ProfileService) ListProfiles(page, perPage int) ([]domain.CertificatePr
 }

 // GetProfile returns a single profile (handler interface method).
-func (s *ProfileService) GetProfile(id string) (*domain.CertificateProfile, error) {
-	return s.profileRepo.Get(context.Background(), id)
+func (s *ProfileService) GetProfile(ctx context.Context, id string) (*domain.CertificateProfile, error) {
+	return s.profileRepo.Get(ctx, id)
 }

 // CreateProfile creates a new profile with validation (handler interface method).
-func (s *ProfileService) CreateProfile(profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (s *ProfileService) CreateProfile(ctx context.Context, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	if err := validateProfile(&profile); err != nil {
 		return nil, err
 	}
@@ -82,12 +82,12 @@ func (s *ProfileService) CreateProfile(profile domain.CertificateProfile) (*doma
 		profile.AllowedEKUs = domain.DefaultEKUs()
 	}

-	if err := s.profileRepo.Create(context.Background(), &profile); err != nil {
+	if err := s.profileRepo.Create(ctx, &profile); err != nil {
 		return nil, fmt.Errorf("failed to create profile: %w", err)
 	}

 	if s.auditService != nil {
-		if auditErr := s.auditService.RecordEvent(context.Background(), "api", domain.ActorTypeUser,
+		if auditErr := s.auditService.RecordEvent(context.WithoutCancel(ctx), "api", domain.ActorTypeUser,
 			"create_profile", "certificate_profile", profile.ID, nil); auditErr != nil {
 			slog.Error("failed to record audit event", "error", auditErr)
 		}
@@ -97,18 +97,18 @@ func (s *ProfileService) CreateProfile(profile domain.CertificateProfile) (*doma
 }

 // UpdateProfile modifies an existing profile (handler interface method).
-func (s *ProfileService) UpdateProfile(id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
+func (s *ProfileService) UpdateProfile(ctx context.Context, id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
 	if err := validateProfile(&profile); err != nil {
 		return nil, err
 	}

 	profile.ID = id
-	if err := s.profileRepo.Update(context.Background(), &profile); err != nil {
+	if err := s.profileRepo.Update(ctx, &profile); err != nil {
 		return nil, fmt.Errorf("failed to update profile: %w", err)
 	}

 	if s.auditService != nil {
-		if auditErr := s.auditService.RecordEvent(context.Background(), "api", domain.ActorTypeUser,
+		if auditErr := s.auditService.RecordEvent(context.WithoutCancel(ctx), "api", domain.ActorTypeUser,
 			"update_profile", "certificate_profile", id, nil); auditErr != nil {
 			slog.Error("failed to record audit event", "error", auditErr)
 		}
@@ -118,13 +118,13 @@ func (s *ProfileService) UpdateProfile(id string, profile domain.CertificateProf
 }

 // DeleteProfile removes a profile (handler interface method).
-func (s *ProfileService) DeleteProfile(id string) error {
-	if err := s.profileRepo.Delete(context.Background(), id); err != nil {
+func (s *ProfileService) DeleteProfile(ctx context.Context, id string) error {
+	if err := s.profileRepo.Delete(ctx, id); err != nil {
 		return fmt.Errorf("failed to delete profile: %w", err)
 	}

 	if s.auditService != nil {
-		if auditErr := s.auditService.RecordEvent(context.Background(), "api", domain.ActorTypeUser,
+		if auditErr := s.auditService.RecordEvent(context.WithoutCancel(ctx), "api", domain.ActorTypeUser,
 			"delete_profile", "certificate_profile", id, nil); auditErr != nil {
 			slog.Error("failed to record audit event", "error", auditErr)
 		}
@@ -82,7 +82,7 @@ func TestProfileService_ListProfiles(t *testing.T) {
 	repo.AddProfile(&domain.CertificateProfile{ID: "prof-2", Name: "Internal mTLS", Enabled: true})

 	svc := NewProfileService(repo, nil)
-	profiles, total, err := svc.ListProfiles(1, 50)
+	profiles, total, err := svc.ListProfiles(context.Background(), 1, 50)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -98,7 +98,7 @@ func TestProfileService_ListProfiles_Empty(t *testing.T) {
 	repo := newMockProfileRepository()
 	svc := NewProfileService(repo, nil)

-	profiles, total, err := svc.ListProfiles(1, 50)
+	profiles, total, err := svc.ListProfiles(context.Background(), 1, 50)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -115,7 +115,7 @@ func TestProfileService_ListProfiles_RepoError(t *testing.T) {
 	repo.ListErr = errors.New("db error")
 	svc := NewProfileService(repo, nil)

-	_, _, err := svc.ListProfiles(1, 50)
+	_, _, err := svc.ListProfiles(context.Background(), 1, 50)
 	if err == nil {
 		t.Fatal("expected error, got nil")
 	}
@@ -126,7 +126,7 @@ func TestProfileService_GetProfile(t *testing.T) {
 	repo.AddProfile(&domain.CertificateProfile{ID: "prof-1", Name: "Standard TLS"})
 	svc := NewProfileService(repo, nil)

-	profile, err := svc.GetProfile("prof-1")
+	profile, err := svc.GetProfile(context.Background(), "prof-1")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -139,7 +139,7 @@ func TestProfileService_GetProfile_NotFound(t *testing.T) {
 	repo := newMockProfileRepository()
 	svc := NewProfileService(repo, nil)

-	_, err := svc.GetProfile("nonexistent")
+	_, err := svc.GetProfile(context.Background(), "nonexistent")
 	if err == nil {
 		t.Fatal("expected error, got nil")
 	}
@@ -156,7 +156,7 @@ func TestProfileService_CreateProfile_Defaults(t *testing.T) {
 		MaxTTLSeconds: 86400,
 	}

-	created, err := svc.CreateProfile(profile)
+	created, err := svc.CreateProfile(context.Background(), profile)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -258,7 +258,7 @@ func TestProfileService_CreateProfile_ValidationErrors(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := svc.CreateProfile(tt.profile)
+			_, err := svc.CreateProfile(context.Background(), tt.profile)
 			if err == nil {
 				t.Fatalf("expected error containing %q, got nil", tt.errMsg)
 			}
@@ -274,7 +274,7 @@ func TestProfileService_CreateProfile_RepoError(t *testing.T) {
 	repo.CreateErr = errors.New("db create failed")
 	svc := NewProfileService(repo, nil)

-	_, err := svc.CreateProfile(domain.CertificateProfile{Name: "Valid"})
+	_, err := svc.CreateProfile(context.Background(), domain.CertificateProfile{Name: "Valid"})
 	if err == nil {
 		t.Fatal("expected error, got nil")
 	}
@@ -287,7 +287,7 @@ func TestProfileService_UpdateProfile(t *testing.T) {
 	auditSvc := NewAuditService(auditRepo)
 	svc := NewProfileService(repo, auditSvc)

-	updated, err := svc.UpdateProfile("prof-1", domain.CertificateProfile{
+	updated, err := svc.UpdateProfile(context.Background(), "prof-1", domain.CertificateProfile{
 		Name:          "Updated",
 		MaxTTLSeconds: 43200,
 	})
@@ -306,7 +306,7 @@ func TestProfileService_UpdateProfile_ValidationError(t *testing.T) {
 	repo := newMockProfileRepository()
 	svc := NewProfileService(repo, nil)

-	_, err := svc.UpdateProfile("prof-1", domain.CertificateProfile{Name: ""})
+	_, err := svc.UpdateProfile(context.Background(), "prof-1", domain.CertificateProfile{Name: ""})
 	if err == nil {
 		t.Fatal("expected validation error, got nil")
 	}
@@ -319,7 +319,7 @@ func TestProfileService_DeleteProfile(t *testing.T) {
 	auditSvc := NewAuditService(auditRepo)
 	svc := NewProfileService(repo, auditSvc)

-	err := svc.DeleteProfile("prof-1")
+	err := svc.DeleteProfile(context.Background(), "prof-1")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -333,7 +333,7 @@ func TestProfileService_DeleteProfile_RepoError(t *testing.T) {
 	repo.DeleteErr = errors.New("db delete failed")
 	svc := NewProfileService(repo, nil)

-	err := svc.DeleteProfile("prof-1")
+	err := svc.DeleteProfile(context.Background(), "prof-1")
 	if err == nil {
 		t.Fatal("expected error, got nil")
 	}
@@ -344,7 +344,7 @@ func TestProfileService_CreateProfile_ValidShortLived(t *testing.T) {
 	svc := NewProfileService(repo, nil)

 	// Short-lived with TTL under 1 hour should succeed
-	created, err := svc.CreateProfile(domain.CertificateProfile{
+	created, err := svc.CreateProfile(context.Background(), domain.CertificateProfile{
 		Name:            "CI Ephemeral",
 		AllowShortLived: true,
 		MaxTTLSeconds:   300, // 5 minutes
@@ -151,9 +151,9 @@ func (s *RevocationSvc) RevokeCertificateWithActor(ctx context.Context, certID s
 }

 // GetRevokedCertificates returns all revoked certificate records (for CRL generation).
-func (s *RevocationSvc) GetRevokedCertificates() ([]*domain.CertificateRevocation, error) {
+func (s *RevocationSvc) GetRevokedCertificates(ctx context.Context) ([]*domain.CertificateRevocation, error) {
 	if s.revocationRepo == nil {
 		return nil, fmt.Errorf("revocation repository not configured")
 	}
-	return s.revocationRepo.ListAll(context.Background())
+	return s.revocationRepo.ListAll(ctx)
 }
@@ -122,7 +122,7 @@ func TestRevocationSvc_GetRevokedCertificates_Success(t *testing.T) {
 		{ID: "rev-2", CertificateID: "cert-2", SerialNumber: "SER-2", Reason: "superseded", RevokedAt: time.Now()},
 	}

-	revocations, err := revSvc.GetRevokedCertificates()
+	revocations, err := revSvc.GetRevokedCertificates(context.Background())
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
@@ -62,7 +62,7 @@ func TestRevokeCertificate_Success(t *testing.T) {
 	certRepo.Versions["cert-1"] = []*domain.CertificateVersion{version}

 	// Revoke
-	err := svc.RevokeCertificateWithActor(context.Background(), "cert-1", "keyCompromise", "admin")
+	err := svc.RevokeCertificate(context.Background(), "cert-1", "keyCompromise", "admin")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
@@ -125,7 +125,7 @@ func TestRevokeCertificate_DefaultReason(t *testing.T) {
 	}

 	// Revoke with empty reason — should default to "unspecified"
-	err := svc.RevokeCertificateWithActor(context.Background(), "cert-2", "", "api")
+	err := svc.RevokeCertificate(context.Background(), "cert-2", "", "api")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
@@ -158,7 +158,7 @@ func TestRevokeCertificate_AlreadyRevoked(t *testing.T) {
 	}
 	certRepo.AddCert(cert)

-	err := svc.RevokeCertificateWithActor(context.Background(), "cert-3", "superseded", "admin")
+	err := svc.RevokeCertificate(context.Background(), "cert-3", "superseded", "admin")
 	if err == nil {
 		t.Fatal("expected error for already revoked certificate")
 	}
@@ -179,7 +179,7 @@ func TestRevokeCertificate_ArchivedCert(t *testing.T) {
 	}
 	certRepo.AddCert(cert)

-	err := svc.RevokeCertificateWithActor(context.Background(), "cert-4", "keyCompromise", "admin")
+	err := svc.RevokeCertificate(context.Background(), "cert-4", "keyCompromise", "admin")
 	if err == nil {
 		t.Fatal("expected error for archived certificate")
 	}
@@ -200,7 +200,7 @@ func TestRevokeCertificate_InvalidReason(t *testing.T) {
 	}
 	certRepo.AddCert(cert)

-	err := svc.RevokeCertificateWithActor(context.Background(), "cert-5", "notAValidReason", "admin")
+	err := svc.RevokeCertificate(context.Background(), "cert-5", "notAValidReason", "admin")
 	if err == nil {
 		t.Fatal("expected error for invalid reason")
 	}
@@ -212,7 +212,7 @@ func TestRevokeCertificate_InvalidReason(t *testing.T) {
 func TestRevokeCertificate_NotFound(t *testing.T) {
 	svc, _, _, _ := newRevocationTestService()

-	err := svc.RevokeCertificateWithActor(context.Background(), "nonexistent-cert", "keyCompromise", "admin")
+	err := svc.RevokeCertificate(context.Background(), "nonexistent-cert", "keyCompromise", "admin")
 	if err == nil {
 		t.Fatal("expected error for nonexistent certificate")
 	}
@@ -231,7 +231,7 @@ func TestRevokeCertificate_NoVersion(t *testing.T) {
 	certRepo.AddCert(cert)
 	// No versions added — should fail

-	err := svc.RevokeCertificateWithActor(context.Background(), "cert-6", "keyCompromise", "admin")
+	err := svc.RevokeCertificate(context.Background(), "cert-6", "keyCompromise", "admin")
 	if err == nil {
 		t.Fatal("expected error when no certificate version exists")
 	}
@@ -258,7 +258,7 @@ func TestRevokeCertificate_WithIssuerNotification(t *testing.T) {
 		{ID: "ver-7", CertificateID: "cert-7", SerialNumber: "GHI789", CreatedAt: time.Now()},
 	}

-	err := svc.RevokeCertificateWithActor(context.Background(), "cert-7", "cessationOfOperation", "admin")
+	err := svc.RevokeCertificate(context.Background(), "cert-7", "cessationOfOperation", "admin")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
@@ -293,7 +293,7 @@ func TestRevokeCertificate_WithNotificationService(t *testing.T) {
 		{ID: "ver-8", CertificateID: "cert-8", SerialNumber: "JKL012", CreatedAt: time.Now()},
 	}

-	err := svc.RevokeCertificateWithActor(context.Background(), "cert-8", "keyCompromise", "admin")
+	err := svc.RevokeCertificate(context.Background(), "cert-8", "keyCompromise", "admin")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
@@ -336,7 +336,7 @@ func TestRevokeCertificate_AllValidReasons(t *testing.T) {
 				{ID: "ver-" + reason, CertificateID: "cert-" + reason, SerialNumber: "SER-" + reason, CreatedAt: time.Now()},
 			}

-			err := svc.RevokeCertificateWithActor(context.Background(), "cert-"+reason, reason, "admin")
+			err := svc.RevokeCertificate(context.Background(), "cert-"+reason, reason, "admin")
 			if err != nil {
 				t.Fatalf("expected no error for reason %s, got: %v", reason, err)
 			}
@@ -358,7 +358,7 @@ func TestGetRevokedCertificates_Success(t *testing.T) {
 		{ID: "rev-2", CertificateID: "cert-2", SerialNumber: "SER-2", Reason: "superseded", RevokedAt: time.Now()},
 	}

-	revocations, err := svc.GetRevokedCertificates()
+	revocations, err := svc.GetRevokedCertificates(context.Background())
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
@@ -370,7 +370,7 @@ func TestGetRevokedCertificates_Success(t *testing.T) {
 func TestGetRevokedCertificates_Empty(t *testing.T) {
 	svc, _, _, _ := newRevocationTestService()

-	revocations, err := svc.GetRevokedCertificates()
+	revocations, err := svc.GetRevokedCertificates(context.Background())
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
@@ -390,7 +390,7 @@ func TestGetRevokedCertificates_NoRepo(t *testing.T) {
 	svc := NewCertificateService(certRepo, policyService, auditService)
 	// Do NOT set revocation repo

-	_, err := svc.GetRevokedCertificates()
+	_, err := svc.GetRevokedCertificates(context.Background())
 	if err == nil {
 		t.Fatal("expected error when revocation repo not configured")
 	}
@@ -411,8 +411,8 @@ func TestRevokeCertificate_HandlerInterfaceMethod(t *testing.T) {
 		{ID: "ver-handler", CertificateID: "cert-handler", SerialNumber: "SER-HANDLER", CreatedAt: time.Now()},
 	}

-	// Test the handler interface method (no actor param)
-	err := svc.RevokeCertificate("cert-handler", "superseded")
+	// Test the handler interface method (actor collapsed to required positional arg per D-2)
+	err := svc.RevokeCertificate(context.Background(), "cert-handler", "superseded", "api")
 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
 	}
@@ -449,7 +449,7 @@ func TestGenerateDERCRL_Success(t *testing.T) {
 		},
 	}

-	crl, err := svc.GenerateDERCRL("iss-local")
+	crl, err := svc.GenerateDERCRL(context.Background(), "iss-local")

 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
@@ -472,7 +472,7 @@ func TestGenerateDERCRL_EmptyCRL(t *testing.T) {
 	// No revoked certs for this issuer
 	revocationRepo.Revocations = []*domain.CertificateRevocation{}

-	crl, err := svc.GenerateDERCRL("iss-local")
+	crl, err := svc.GenerateDERCRL(context.Background(), "iss-local")

 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
@@ -493,7 +493,7 @@ func TestGenerateDERCRL_IssuerNotFound(t *testing.T) {
 	svc, _, _, _ := newRevocationTestService()

 	// Try to generate CRL for unknown issuer
-	crl, err := svc.GenerateDERCRL("iss-unknown")
+	crl, err := svc.GenerateDERCRL(context.Background(), "iss-unknown")

 	// Should return error or nil CRL depending on implementation
 	if crl != nil && err == nil {
@@ -527,7 +527,7 @@ func TestGetOCSPResponse_Good(t *testing.T) {
 	certRepo.Versions["cert-ocsp-good"] = []*domain.CertificateVersion{version}

 	// Request OCSP response for good cert
-	resp, err := svc.GetOCSPResponse("iss-local", "OCSP-GOOD-001")
+	resp, err := svc.GetOCSPResponse(context.Background(), "iss-local", "OCSP-GOOD-001")

 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
@@ -580,7 +580,7 @@ func TestGetOCSPResponse_Revoked(t *testing.T) {
 	}

 	// Request OCSP response for revoked cert
-	resp, err := svc.GetOCSPResponse("iss-local", "OCSP-REVOKED-001")
+	resp, err := svc.GetOCSPResponse(context.Background(), "iss-local", "OCSP-REVOKED-001")

 	if err != nil {
 		t.Fatalf("expected no error, got: %v", err)
@@ -597,7 +597,7 @@ func TestGetOCSPResponse_Unknown(t *testing.T) {
 	svc, _, _, _ := newRevocationTestService()

 	// Request OCSP response for unknown cert
-	resp, err := svc.GetOCSPResponse("iss-local", "UNKNOWN-SERIAL")
+	resp, err := svc.GetOCSPResponse(context.Background(), "iss-local", "UNKNOWN-SERIAL")

 	if err != nil {
 		t.Fatalf("expected no error (should return unknown status), got: %v", err)
@@ -615,7 +615,7 @@ func TestGetOCSPResponse_IssuerNotFound(t *testing.T) {
 	svc, _, _, _ := newRevocationTestService()

 	// Request OCSP response for unknown issuer
-	resp, err := svc.GetOCSPResponse("iss-unknown", "SOME-SERIAL")
+	resp, err := svc.GetOCSPResponse(context.Background(), "iss-unknown", "SOME-SERIAL")

 	// Should return error since issuer doesn't exist
 	if err == nil && resp != nil {
@@ -629,7 +629,7 @@ func TestGetOCSPResponse_InvalidSerial(t *testing.T) {
 	svc, _, _, _ := newRevocationTestService()

 	// Request OCSP response with invalid serial format
-	resp, err := svc.GetOCSPResponse("iss-local", "")
+	resp, err := svc.GetOCSPResponse(context.Background(), "iss-local", "")

 	if err == nil && resp != nil {
 		// Empty serial might return unknown status; that's ok
@@ -2,6 +2,7 @@ package service

 import (
 	"context"
+	"crypto/subtle"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
@@ -68,14 +69,34 @@ func (s *SCEPService) GetCACert(ctx context.Context) (string, error) {
 // PKCSReq processes a SCEP enrollment request.
 // RFC 8894 Section 3.3.1: PKCSReq contains a PKCS#10 CSR for certificate enrollment.
 // The CSR PEM and challenge password are extracted by the handler from the PKCS#7 envelope.
+//
+// H-2 fix (CWE-306): the previous implementation skipped the shared-secret
+// check entirely when s.challengePassword was empty, meaning any unauthenticated
+// client that could reach /scep could enroll a CSR against the configured
+// issuer. Reject that configuration defense-in-depth even though main() already
+// refuses to start in the same state (see preflightSCEPChallengePassword). The
+// non-empty branch now uses crypto/subtle.ConstantTimeCompare to avoid leaking
+// the shared secret through a response-time side channel.
 func (s *SCEPService) PKCSReq(ctx context.Context, csrPEM string, challengePassword string, transactionID string) (*domain.SCEPEnrollResult, error) {
-	// Validate challenge password
-	if s.challengePassword != "" {
-		if challengePassword != s.challengePassword {
-			s.logger.Warn("SCEP enrollment rejected: invalid challenge password",
-				"transaction_id", transactionID)
-			return nil, fmt.Errorf("invalid challenge password")
-		}
+	// Defense-in-depth: refuse any enrollment when no shared secret is
+	// configured. The server-level pre-flight check in cmd/server/main.go
+	// normally prevents the service from being constructed in this state, but
+	// this branch also protects future call sites (tests, library reuse, a
+	// future REST-over-HTTPS wrapper) from silently accepting unauthenticated
+	// CSRs.
+	if s.challengePassword == "" {
+		s.logger.Warn("SCEP enrollment rejected: server has no challenge password configured",
+			"transaction_id", transactionID)
+		return nil, fmt.Errorf("SCEP challenge password not configured on server")
+	}
+	// Constant-time compare avoids leaking the configured secret through
+	// response-time variance. ConstantTimeCompare returns 1 only when both
+	// slices have equal length AND equal content; a mismatched-length input
+	// still takes the same path as a content mismatch.
+	if subtle.ConstantTimeCompare([]byte(challengePassword), []byte(s.challengePassword)) != 1 {
+		s.logger.Warn("SCEP enrollment rejected: invalid challenge password",
+			"transaction_id", transactionID)
+		return nil, fmt.Errorf("invalid challenge password")
 	}

 	return s.processEnrollment(ctx, csrPEM, transactionID, "scep_pkcsreq")
@@ -58,11 +58,13 @@ func TestSCEPService_PKCSReq_Success(t *testing.T) {
 	mockIssuer := &mockIssuerConnector{}
 	auditRepo := newMockAuditRepository()
 	auditSvc := NewAuditService(auditRepo)
-	svc := NewSCEPService("iss-local", mockIssuer, auditSvc, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	// H-2: SCEPService now requires a configured challenge password; the happy
+	// path exercises a matching client-submitted password.
+	svc := NewSCEPService("iss-local", mockIssuer, auditSvc, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")

 	csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})

-	result, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-001")
+	result, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-001")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -81,9 +83,9 @@ func TestSCEPService_PKCSReq_Success(t *testing.T) {

 func TestSCEPService_PKCSReq_InvalidCSR(t *testing.T) {
 	mockIssuer := &mockIssuerConnector{}
-	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")

-	_, err := svc.PKCSReq(context.Background(), "not-valid-pem", "", "txn-002")
+	_, err := svc.PKCSReq(context.Background(), "not-valid-pem", "secret123", "txn-002")
 	if err == nil {
 		t.Fatal("expected error for invalid CSR")
 	}
@@ -91,11 +93,11 @@ func TestSCEPService_PKCSReq_InvalidCSR(t *testing.T) {

 func TestSCEPService_PKCSReq_MissingCN(t *testing.T) {
 	mockIssuer := &mockIssuerConnector{}
-	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")

 	csrPEM := generateCSRPEM(t, "", []string{"test.example.com"})

-	_, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-003")
+	_, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-003")
 	if err == nil {
 		t.Fatal("expected error for missing CN")
 	}
@@ -106,11 +108,11 @@ func TestSCEPService_PKCSReq_MissingCN(t *testing.T) {

 func TestSCEPService_PKCSReq_IssuerError(t *testing.T) {
 	mockIssuer := &mockIssuerConnector{Err: errors.New("issuance failed")}
-	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")

 	csrPEM := generateCSRPEM(t, "test.example.com", nil)

-	_, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-004")
+	_, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-004")
 	if err == nil {
 		t.Fatal("expected error")
 	}
@@ -151,19 +153,49 @@ func TestSCEPService_PKCSReq_ChallengePassword_Invalid(t *testing.T) {
 	}
 }

-func TestSCEPService_PKCSReq_ChallengePassword_NotRequired(t *testing.T) {
-	// When server has no challenge password configured, any value should be accepted
+// TestSCEPService_PKCSReq_ChallengePassword_EmptyServerConfigRejected is the
+// H-2 regression guard. Before the fix (internal/service/scep.go:72-79 skipped
+// the password check when s.challengePassword was empty), an unconfigured
+// server accepted any enrollment (CWE-306). The service now rejects PKCSReq
+// defense-in-depth even if main()'s pre-flight is somehow bypassed.
+func TestSCEPService_PKCSReq_ChallengePassword_EmptyServerConfigRejected(t *testing.T) {
 	mockIssuer := &mockIssuerConnector{}
 	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")

 	csrPEM := generateCSRPEM(t, "device.example.com", nil)

-	result, err := svc.PKCSReq(context.Background(), csrPEM, "any-value", "txn-007")
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
+	// Any client-submitted password (including empty) must be rejected when
+	// the server has no shared secret configured.
+	for _, clientPassword := range []string{"", "any-value", "guess"} {
+		_, err := svc.PKCSReq(context.Background(), csrPEM, clientPassword, "txn-empty")
+		if err == nil {
+			t.Fatalf("expected rejection when server challenge password is empty (client=%q)", clientPassword)
+		}
+		if !strings.Contains(err.Error(), "not configured") {
+			t.Errorf("expected 'not configured' in error, got: %v", err)
+		}
 	}
-	if result == nil {
-		t.Fatal("expected non-nil result")
+}
+
+// TestSCEPService_PKCSReq_ChallengePassword_ConstantTimeLengthIndependence
+// guards against regression from crypto/subtle.ConstantTimeCompare to a
+// short-circuiting byte compare. ConstantTimeCompare returns 0 whenever the
+// two slices differ in length OR content, so a same-prefix-but-longer input
+// must be rejected the same way as a completely different string.
+func TestSCEPService_PKCSReq_ChallengePassword_ConstantTimeLengthIndependence(t *testing.T) {
+	mockIssuer := &mockIssuerConnector{}
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")
+
+	csrPEM := generateCSRPEM(t, "device.example.com", nil)
+
+	for _, bad := range []string{"secret", "secret12", "secret1234", "SECRET123", "wrong"} {
+		_, err := svc.PKCSReq(context.Background(), csrPEM, bad, "txn-ct")
+		if err == nil {
+			t.Fatalf("expected rejection for bad password %q", bad)
+		}
+		if !strings.Contains(err.Error(), "invalid challenge password") {
+			t.Errorf("expected 'invalid challenge password' for %q, got: %v", bad, err)
+		}
 	}
 }

@@ -171,12 +203,12 @@ func TestSCEPService_PKCSReq_WithProfile(t *testing.T) {
 	mockIssuer := &mockIssuerConnector{}
 	auditRepo := newMockAuditRepository()
 	auditSvc := NewAuditService(auditRepo)
-	svc := NewSCEPService("iss-local", mockIssuer, auditSvc, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	svc := NewSCEPService("iss-local", mockIssuer, auditSvc, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")
 	svc.SetProfileID("profile-mdm-device")

 	csrPEM := generateCSRPEM(t, "device.example.com", nil)

-	result, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-008")
+	result, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-008")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -36,20 +36,27 @@ func isValidTargetType(t domain.TargetType) bool {
 }

 // TargetService provides business logic for deployment target management.
+//
+// The encryptionKey field holds the raw passphrase (not a pre-derived 32-byte
+// key). Per-ciphertext salt derivation is performed inside
+// [crypto.EncryptIfKeySet] / [crypto.DecryptIfKeySet] on each call. See M-8
+// in certctl-audit-report.md.
 type TargetService struct {
 	targetRepo    repository.TargetRepository
 	agentRepo     repository.AgentRepository
 	auditService  *AuditService
-	encryptionKey []byte
+	encryptionKey string
 	logger        *slog.Logger
 }

-// NewTargetService creates a new target service.
+// NewTargetService creates a new target service. The encryptionKey is the raw
+// passphrase; it MUST NOT be pre-derived via crypto.DeriveKey (that was the
+// v1 behavior, replaced in M-8 with per-ciphertext random salt).
 func NewTargetService(
 	targetRepo repository.TargetRepository,
 	auditService *AuditService,
 	agentRepo repository.AgentRepository,
-	encryptionKey []byte,
+	encryptionKey string,
 	logger *slog.Logger,
 ) *TargetService {
 	return &TargetService{
@@ -235,7 +242,7 @@ func (s *TargetService) TestConnection(ctx context.Context, id string) error {
 }

 // ListTargets returns paginated targets (handler interface method).
-func (s *TargetService) ListTargets(page, perPage int) ([]domain.DeploymentTarget, int64, error) {
+func (s *TargetService) ListTargets(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -243,7 +250,7 @@ func (s *TargetService) ListTargets(page, perPage int) ([]domain.DeploymentTarge
 		perPage = 50
 	}

-	targets, err := s.targetRepo.List(context.Background())
+	targets, err := s.targetRepo.List(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list targets: %w", err)
 	}
@@ -260,12 +267,12 @@ func (s *TargetService) ListTargets(page, perPage int) ([]domain.DeploymentTarge
 }

 // GetTarget returns a single target (handler interface method).
-func (s *TargetService) GetTarget(id string) (*domain.DeploymentTarget, error) {
-	return s.targetRepo.Get(context.Background(), id)
+func (s *TargetService) GetTarget(ctx context.Context, id string) (*domain.DeploymentTarget, error) {
+	return s.targetRepo.Get(ctx, id)
 }

 // CreateTarget creates a new target (handler interface method).
-func (s *TargetService) CreateTarget(target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+func (s *TargetService) CreateTarget(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 	if !isValidTargetType(target.Type) {
 		return nil, fmt.Errorf("unsupported target type: %s", target.Type)
 	}
@@ -301,20 +308,20 @@ func (s *TargetService) CreateTarget(target domain.DeploymentTarget) (*domain.De
 		target.Config = redactConfigJSON(target.Config)
 	}

-	if err := s.targetRepo.Create(context.Background(), &target); err != nil {
+	if err := s.targetRepo.Create(ctx, &target); err != nil {
 		return nil, fmt.Errorf("failed to create target: %w", err)
 	}
 	return &target, nil
 }

 // UpdateTarget modifies a target (handler interface method).
-func (s *TargetService) UpdateTarget(id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
+func (s *TargetService) UpdateTarget(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
 	target.ID = id
 	target.UpdatedAt = time.Now()

 	// Merge redacted fields with existing config
 	if len(target.Config) > 0 {
-		mergedConfig, err := s.mergeRedactedConfig(context.Background(), id, target.Config)
+		mergedConfig, err := s.mergeRedactedConfig(ctx, id, target.Config)
 		if err != nil {
 			return nil, fmt.Errorf("failed to merge config: %w", err)
 		}
@@ -327,20 +334,15 @@ func (s *TargetService) UpdateTarget(id string, target domain.DeploymentTarget)
 		target.Config = redactConfigJSON(json.RawMessage(mergedConfig))
 	}

-	if err := s.targetRepo.Update(context.Background(), &target); err != nil {
+	if err := s.targetRepo.Update(ctx, &target); err != nil {
 		return nil, fmt.Errorf("failed to update target: %w", err)
 	}
 	return &target, nil
 }

 // DeleteTarget removes a target (handler interface method).
-func (s *TargetService) DeleteTarget(id string) error {
-	return s.targetRepo.Delete(context.Background(), id)
-}
-
-// TestTargetConnection tests target connectivity (handler interface method).
-func (s *TargetService) TestTargetConnection(id string) error {
-	return s.TestConnection(context.Background(), id)
+func (s *TargetService) DeleteTarget(ctx context.Context, id string) error {
+	return s.targetRepo.Delete(ctx, id)
 }

 // --- Internal helpers ---
@@ -18,7 +18,7 @@ func newTestTargetService() (*TargetService, *mockTargetRepo, *mockAuditRepo, *m
 	auditSvc := NewAuditService(auditRepo)
 	agentRepo := &mockAgentRepo{Agents: make(map[string]*domain.Agent), HeartbeatUpdates: make(map[string]time.Time)}
 	logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError}))
-	return NewTargetService(targetRepo, auditSvc, agentRepo, nil, logger), targetRepo, auditRepo, agentRepo
+	return NewTargetService(targetRepo, auditSvc, agentRepo, testEncryptionKey, logger), targetRepo, auditRepo, agentRepo
 }

 func TestTargetService_List_Success(t *testing.T) {
@@ -344,7 +344,8 @@ func TestTargetService_ListTargets_Success(t *testing.T) {
 	targetRepo.AddTarget(target2)

 	// Call handler-interface method
-	targets, total, err := svc.ListTargets(1, 50)
+	ctx := context.Background()
+	targets, total, err := svc.ListTargets(ctx, 1, 50)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -364,7 +365,8 @@ func TestTargetService_GetTarget_Success(t *testing.T) {
 	target := &domain.DeploymentTarget{ID: "t-1", Name: "Target 1", Type: domain.TargetTypeNGINX}
 	targetRepo.AddTarget(target)

-	result, err := svc.GetTarget("t-1")
+	ctx := context.Background()
+	result, err := svc.GetTarget(ctx, "t-1")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -382,7 +384,8 @@ func TestTargetService_CreateTarget_Success(t *testing.T) {
 		Type: domain.TargetTypeNGINX,
 	}

-	result, err := svc.CreateTarget(target)
+	ctx := context.Background()
+	result, err := svc.CreateTarget(ctx, target)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -405,7 +408,8 @@ func TestTargetService_CreateTarget_InvalidType(t *testing.T) {
 		Type: domain.TargetType("Unknown"),
 	}

-	_, err := svc.CreateTarget(target)
+	ctx := context.Background()
+	_, err := svc.CreateTarget(ctx, target)
 	if err == nil {
 		t.Fatalf("expected error for invalid type, got nil")
 	}
@@ -424,7 +428,8 @@ func TestTargetService_UpdateTarget_Success(t *testing.T) {
 		Type: domain.TargetTypeApache,
 	}

-	result, err := svc.UpdateTarget("t-1", updated)
+	ctx := context.Background()
+	result, err := svc.UpdateTarget(ctx, "t-1", updated)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -442,7 +447,8 @@ func TestTargetService_DeleteTarget_Success(t *testing.T) {
 	targetRepo.AddTarget(target)

 	// Delete it
-	err := svc.DeleteTarget("t-1")
+	ctx := context.Background()
+	err := svc.DeleteTarget(ctx, "t-1")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -126,7 +126,7 @@ func (s *TeamService) Delete(ctx context.Context, id string, actor string) error
 }

 // ListTeams returns paginated teams (handler interface method).
-func (s *TeamService) ListTeams(page, perPage int) ([]domain.Team, int64, error) {
+func (s *TeamService) ListTeams(ctx context.Context, page, perPage int) ([]domain.Team, int64, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -134,7 +134,7 @@ func (s *TeamService) ListTeams(page, perPage int) ([]domain.Team, int64, error)
 		perPage = 50
 	}

-	teams, err := s.teamRepo.List(context.Background())
+	teams, err := s.teamRepo.List(ctx)
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to list teams: %w", err)
 	}
@@ -151,12 +151,12 @@ func (s *TeamService) ListTeams(page, perPage int) ([]domain.Team, int64, error)
 }

 // GetTeam returns a single team (handler interface method).
-func (s *TeamService) GetTeam(id string) (*domain.Team, error) {
-	return s.teamRepo.Get(context.Background(), id)
+func (s *TeamService) GetTeam(ctx context.Context, id string) (*domain.Team, error) {
+	return s.teamRepo.Get(ctx, id)
 }

 // CreateTeam creates a new team (handler interface method).
-func (s *TeamService) CreateTeam(team domain.Team) (*domain.Team, error) {
+func (s *TeamService) CreateTeam(ctx context.Context, team domain.Team) (*domain.Team, error) {
 	if team.ID == "" {
 		team.ID = generateID("team")
 	}
@@ -167,22 +167,22 @@ func (s *TeamService) CreateTeam(team domain.Team) (*domain.Team, error) {
 	if team.UpdatedAt.IsZero() {
 		team.UpdatedAt = now
 	}
-	if err := s.teamRepo.Create(context.Background(), &team); err != nil {
+	if err := s.teamRepo.Create(ctx, &team); err != nil {
 		return nil, fmt.Errorf("failed to create team: %w", err)
 	}
 	return &team, nil
 }

 // UpdateTeam modifies a team (handler interface method).
-func (s *TeamService) UpdateTeam(id string, team domain.Team) (*domain.Team, error) {
+func (s *TeamService) UpdateTeam(ctx context.Context, id string, team domain.Team) (*domain.Team, error) {
 	team.ID = id
-	if err := s.teamRepo.Update(context.Background(), &team); err != nil {
+	if err := s.teamRepo.Update(ctx, &team); err != nil {
 		return nil, fmt.Errorf("failed to update team: %w", err)
 	}
 	return &team, nil
 }

 // DeleteTeam removes a team (handler interface method).
-func (s *TeamService) DeleteTeam(id string) error {
-	return s.teamRepo.Delete(context.Background(), id)
+func (s *TeamService) DeleteTeam(ctx context.Context, id string) error {
+	return s.teamRepo.Delete(ctx, id)
 }
@@ -544,7 +544,7 @@ func TestTeamService_ListTeams_HandlerInterface(t *testing.T) {
 		})
 	}

-	teams, total, err := teamService.ListTeams(1, 2)
+	teams, total, err := teamService.ListTeams(context.Background(), 1, 2)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -571,7 +571,7 @@ func TestTeamService_GetTeam_HandlerInterface(t *testing.T) {
 	}
 	mockTeamRepo.AddTeam(testTeam)

-	team, err := teamService.GetTeam("handler-team")
+	team, err := teamService.GetTeam(context.Background(), "handler-team")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -593,7 +593,7 @@ func TestTeamService_CreateTeam_HandlerInterface(t *testing.T) {
 		Description: "Created via handler",
 	}

-	result, err := teamService.CreateTeam(team)
+	result, err := teamService.CreateTeam(context.Background(), team)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -629,7 +629,7 @@ func TestTeamService_UpdateTeam_HandlerInterface(t *testing.T) {
 		Description: "Handler update",
 	}

-	result, err := teamService.UpdateTeam("handler-update-team", updateTeam)
+	result, err := teamService.UpdateTeam(context.Background(), "handler-update-team", updateTeam)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -656,7 +656,7 @@ func TestTeamService_DeleteTeam_HandlerInterface(t *testing.T) {
 		Name: "To Delete",
 	})

-	err := teamService.DeleteTeam("handler-delete-team")
+	err := teamService.DeleteTeam(context.Background(), "handler-delete-team")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -12,6 +12,16 @@ import (

 var errNotFound = errors.New("not found")

+// testEncryptionKey is a deterministic passphrase for unit tests that
+// exercise IssuerService/TargetService write paths. After the C-2 remediation
+// these services fail closed when no key is configured, so happy-path tests
+// must supply a real passphrase. M-8 reshaped the type from []byte to string
+// because services now hold the raw passphrase and delegate PBKDF2 to
+// crypto.EncryptIfKeySet / crypto.DecryptIfKeySet (which apply a fresh random
+// salt per ciphertext). Using a constant keeps wire-format assertions stable
+// across runs.
+var testEncryptionKey = "0123456789abcdef0123456789abcdef"
+
 // mockCertRepo is a test implementation of CertificateRepository
 type mockCertRepo struct {
 	Certs              map[string]*domain.ManagedCertificate
@@ -271,6 +281,56 @@ func (m *mockJobRepo) ListPendingByAgentID(ctx context.Context, agentID string)
 	return result, nil
 }

+// ClaimPendingJobs simulates the H-6 atomic claim semantics: matching rows are transitioned
+// Pending → Running before being returned. The in-memory mock has no concurrency primitives
+// beyond the existing mutex, which is sufficient for single-goroutine service tests.
+func (m *mockJobRepo) ClaimPendingJobs(ctx context.Context, jobType domain.JobType, limit int) ([]*domain.Job, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.ListErr != nil {
+		return nil, m.ListErr
+	}
+	var claimed []*domain.Job
+	for _, j := range m.Jobs {
+		if j.Status != domain.JobStatusPending {
+			continue
+		}
+		if jobType != "" && j.Type != jobType {
+			continue
+		}
+		j.Status = domain.JobStatusRunning
+		claimed = append(claimed, j)
+		if limit > 0 && len(claimed) >= limit {
+			break
+		}
+	}
+	return claimed, nil
+}
+
+// ClaimPendingByAgentID simulates the H-6 per-agent claim: Pending deployment rows scoped
+// to the agent flip to Running; AwaitingCSR rows are returned but keep their state.
+func (m *mockJobRepo) ClaimPendingByAgentID(ctx context.Context, agentID string) ([]*domain.Job, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.ListErr != nil {
+		return nil, m.ListErr
+	}
+	var result []*domain.Job
+	for _, j := range m.Jobs {
+		if j.AgentID == nil || *j.AgentID != agentID {
+			continue
+		}
+		switch {
+		case j.Status == domain.JobStatusPending && j.Type == domain.JobTypeDeployment:
+			j.Status = domain.JobStatusRunning
+			result = append(result, j)
+		case j.Status == domain.JobStatusAwaitingCSR:
+			result = append(result, j)
+		}
+	}
+	return result, nil
+}
+
 func (m *mockJobRepo) AddJob(job *domain.Job) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
@@ -542,6 +602,19 @@ func (m *mockAgentRepo) Create(ctx context.Context, agent *domain.Agent) error {
 	return nil
 }

+func (m *mockAgentRepo) CreateIfNotExists(ctx context.Context, agent *domain.Agent) (bool, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.CreateErr != nil {
+		return false, m.CreateErr
+	}
+	if _, exists := m.Agents[agent.ID]; exists {
+		return false, nil
+	}
+	m.Agents[agent.ID] = agent
+	return true, nil
+}
+
 func (m *mockAgentRepo) Update(ctx context.Context, agent *domain.Agent) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
@@ -922,9 +995,9 @@ func (m *mockRevocationRepo) Create(ctx context.Context, revocation *domain.Cert
 	return nil
 }

-func (m *mockRevocationRepo) GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error) {
+func (m *mockRevocationRepo) GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.CertificateRevocation, error) {
 	for _, r := range m.Revocations {
-		if r.SerialNumber == serial {
+		if r.IssuerID == issuerID && r.SerialNumber == serial {
 			return r, nil
 		}
 	}
--- a/Show More
+++ b/Show More