fix(scep-intune): use useTrackedMutation for trust-anchor reload (M-009)

Phase 9 follow-up — the M-009 hard-zero regression guard in .github/workflows/ci.yml flagged the SCEPAdminPage's reload mutation as a bare useMutation() call. The repo's invalidation contract requires every mutation to go through useTrackedMutation with explicit invalidates: QueryKey[] | 'noop' so cached data never goes stale after a write. Swap the bare useMutation for useTrackedMutation with invalidates: [['admin', 'scep', 'intune', 'stats']] — the trust-anchor reload changes the per-profile trust pool reflected in IntuneStats, so the stats query MUST refetch on success. The audit-log queries stay on their own 60s timer (a SIGHUP-equivalent reload doesn't backfill new audit rows; nothing to invalidate there). Verification: * tsc --noEmit clean * vitest SCEPAdminPage.test.tsx: 13/13 still pass (the wrapper's onSuccess fires AFTER invalidation, so the modal-close + state reset assertions hold) * M-009 grep guard reproduced locally — bare useMutation sites = 0
feat(scep-intune): GUI monitoring tab + admin endpoints
2026-06-08 17:30:11 +00:00 · 2026-04-29 16:35:40 +00:00 · 2026-04-29 16:14:07 +00:00 · 2026-04-29 15:34:19 +00:00 · 2026-04-29 14:38:35 +00:00 · 2026-04-29 13:58:18 +00:00
64 changed files with 10726 additions and 79 deletions
@@ -107,7 +107,7 @@ gantt
 | Protocol | Standard | Use Case |
 |----------|----------|----------|
 | EST (Enrollment over Secure Transport) | RFC 7030 | Device enrollment, WiFi/802.1X, IoT |
-| SCEP (Simple Certificate Enrollment Protocol) | RFC 8894 | MDM platforms (Jamf, Intune), network devices |
+| SCEP (Simple Certificate Enrollment Protocol) | RFC 8894 | MDM platforms (Jamf, Intune), network devices, ChromeOS. Full RFC 8894 wire format: EnvelopedData decryption, signerInfo POPO verification, CertRep PKIMessage builder; PKCSReq + RenewalReq + GetCertInitial messageType dispatch; multi-profile dispatch (`/scep/<pathID>`); per-profile RA cert + key. Lightweight raw-CSR clients keep working via the legacy MVP fall-through path. |
 | ACME v2 | RFC 8555 | Public CA automated issuance (Let's Encrypt, ZeroSSL) |
 | ACME ARI (Renewal Information) | RFC 9773 | CA-directed renewal timing — the CA tells you when to renew |
@@ -173,7 +173,7 @@ Built for **platform engineering and DevOps teams** managing 10–500+ certifica
 **Policy engine.** Certificate profiles constrain key types, max TTL, and EKUs — with crypto policy enforcement that validates every CSR against profile rules before it reaches the issuer. MaxTTL caps are enforced per issuer connector. Approval workflows pause jobs for human review. Ownership tracking routes notifications to the right team. Agent groups match devices by OS, architecture, IP CIDR, and version.
-**Enrollment protocols.** EST server (RFC 7030) for device and WiFi enrollment. SCEP server (RFC 8894) for MDM platforms and network devices. S/MIME issuance with email protection EKU.
+**Enrollment protocols.** EST server (RFC 7030) for device and WiFi enrollment. SCEP server (RFC 8894) for MDM platforms and network devices — full wire format (EnvelopedData decrypt + signerInfo POPO verify + CertRep PKIMessage builder), tested against ChromeOS-shape requests; multi-profile dispatch (`/scep/<pathID>`); RenewalReq + GetCertInitial messageType support; lightweight raw-CSR fallback for legacy clients. See [docs/legacy-est-scep.md](docs/legacy-est-scep.md) for the operator + device-integration guide. S/MIME issuance with email protection EKU.
 **Revocation.** Single and bulk revocation (by profile, owner, agent, or issuer). RFC 5280 reason codes. Production-grade revocation status surface for relying parties: DER-encoded X.509 CRL per issuer, scheduler-pre-generated and cached so HTTP fetches do not rebuild per request; embedded OCSP responder serving both GET and POST forms (RFC 6960 §A.1.1) with responses signed by a per-issuer dedicated OCSP responder cert (RFC 6960 §2.6, `id-pkix-ocsp-nocheck` per §4.2.2.2.1) — the CA private key is never used directly for OCSP signing. Both endpoints live unauthenticated under `/.well-known/pki/` per RFC 8615. Short-lived certs (TTL < 1 hour) are exempt — expiry is sufficient revocation. See [docs/crl-ocsp.md](docs/crl-ocsp.md) for the relying-party integration guide.
@@ -732,6 +732,104 @@ paths:
        "500":
          $ref: "#/components/responses/InternalError"
  /api/v1/admin/scep/intune/stats:
    get:
      tags: [SCEP]
      summary: Per-profile Microsoft Intune dispatcher observability (admin)
      description: |
        Returns one snapshot per configured SCEP profile (Intune-enabled
        or not). Profiles where Intune is disabled appear with
        `enabled=false`; profiles where Intune is enabled additionally
        carry the trust anchor pool's per-cert expiry, the audience
        binding, the per-status enrollment counters
        (success / signature_invalid / claim_mismatch / expired /
        wrong_audience / replay / rate_limited / malformed /
        compliance_failed / not_yet_valid / unknown_version), the
        in-memory replay-cache size, and the per-device-rate-limit
        opt-out flag.
        Admin-gated (M-008 pattern) — non-admin Bearer callers get 403
        because the trust-anchor expiries and per-status counters are
        sensitive operational metadata. SCEP RFC 8894 + Intune master
        bundle Phase 9.2.
      operationId: listSCEPIntuneStats
      responses:
        "200":
          description: Per-profile Intune stats snapshot
          content:
            application/json:
              schema:
                type: object
                properties:
                  profiles:
                    type: array
                    items:
                      type: object
                  profile_count:
                    type: integer
                  generated_at:
                    type: string
                    format: date-time
        "403":
          description: Admin access required
        "500":
          $ref: "#/components/responses/InternalError"
  /api/v1/admin/scep/intune/reload-trust:
    post:
      tags: [SCEP]
      summary: Reload a SCEP profile's Intune trust anchor (admin)
      description: |
        Triggers the same Reload that the SIGHUP watcher would run for
        the named profile. The body MUST be `{"path_id": "<pathID>"}`;
        an empty body targets the legacy `/scep` root profile (PathID="").
        Returns 200 + `{"reloaded": true, ...}` on success; 404 when the
        path_id doesn't match any configured SCEP profile; 409 when the
        profile exists but Intune is disabled on it (no trust anchor to
        reload); 500 when the underlying file fails to parse — in which
        case the holder retains the OLD pool so enrollment keeps working
        off the previous trust anchor while the operator fixes the file.
        Admin-gated (M-008 pattern). SCEP RFC 8894 + Intune master
        bundle Phase 9.2.
      operationId: reloadSCEPIntuneTrust
      requestBody:
        required: false
        content:
          application/json:
            schema:
              type: object
              properties:
                path_id:
                  type: string
                  description: SCEP profile PathID (empty string = legacy /scep root)
      responses:
        "200":
          description: Trust anchor reloaded
          content:
            application/json:
              schema:
                type: object
                properties:
                  reloaded:
                    type: boolean
                  path_id:
                    type: string
                  reloaded_at:
                    type: string
                    format: date-time
        "400":
          description: Invalid JSON body
        "403":
          description: Admin access required
        "404":
          description: SCEP profile not found for the given path_id
        "409":
          description: SCEP profile exists but Intune is disabled
        "500":
          description: Trust anchor reload failed (the OLD pool is retained)
  /.well-known/pki/ocsp/{issuer_id}:
    post:
      tags: [CRL & OCSP]
@@ -2,8 +2,10 @@ package main
 import (
 	"context"
 	"crypto"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"log/slog"
 	"net"
@@ -30,6 +32,7 @@ import (
 	"github.com/shankar0123/certctl/internal/crypto/signer"
 	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/repository/postgres"
 	"github.com/shankar0123/certctl/internal/scep/intune"
 	"github.com/shankar0123/certctl/internal/scheduler"
 	"github.com/shankar0123/certctl/internal/service"
 )
@@ -653,6 +656,14 @@ func main() {
 	<-startedChan
 	logger.Info("scheduler started")
 	// SCEP RFC 8894 + Intune master bundle Phase 9: per-profile SCEPService
 	// map shared between the SCEP startup loop (which populates it) and the
 	// AdminSCEPIntune handler (which reads from it). We declare it here so
 	// the HandlerRegistry below can hand the same map to the admin
 	// handler — the SCEP loop adds entries later by reference, and the
 	// admin endpoint observes the populated state at request time.
 	scepServices := map[string]*service.SCEPService{}
 	// Build the API router with all handlers
 	apiRouter := router.New()
 	apiRouter.RegisterHandlers(router.HandlerRegistry{
@@ -693,6 +704,16 @@ func main() {
 				return ids
 			}),
 		),
 		// SCEP RFC 8894 + Intune master bundle Phase 9.2: admin endpoint
 		// for the per-profile Intune Monitoring tab. The implementation
 		// holds a reference to scepServices declared above; the SCEP
 		// startup loop populates the map by PathID during boot, so the
 		// handler observes whatever profiles exist at request time. On a
 		// deploy without SCEP enabled the map stays empty and the GET
 		// stats endpoint returns an empty profiles array.
 		AdminSCEPIntune: handler.NewAdminSCEPIntuneHandler(
 			handler.NewAdminSCEPIntuneServiceImpl(scepServices),
 		),
 	})
 	// Register EST (RFC 7030) handlers if enabled
 	if cfg.EST.Enabled {
@@ -725,6 +746,16 @@ func main() {
 			"endpoints", "/.well-known/est/{cacerts,simpleenroll,simplereenroll,csrattrs}")
 	}
 	// SCEP RFC 8894 Phase 6.5: union pool of every enabled mTLS profile's
 	// trust bundle. Populated inside the SCEP startup block below; passed
 	// to the TLS-config builder later so the listener accepts client certs
 	// signed by ANY mTLS profile's CA. The handler-layer gate
 	// (HandleSCEPMTLS) re-verifies per-profile, so a cert that chains to
 	// profile A's bundle cannot enroll against profile B even though it
 	// passes the TLS-layer union check. Stays nil when no profile opted in
 	// (the TLS config builder treats nil as 'no mTLS').
 	var scepMTLSUnionPoolForTLS *x509.CertPool
 	// Register SCEP (RFC 8894) handlers if enabled.
 	//
 	// SCEP RFC 8894 Phase 1.5: multi-profile dispatch. Config.Validate()
@@ -738,7 +769,24 @@ func main() {
 		// (challenge password presence, RA pair validity, issuer reachability).
 		// Failures log the offending PathID so a multi-profile deploy can
 		// pinpoint which profile broke startup.
 		//
 		// SCEP RFC 8894 + Intune master bundle Phase 6.5: profiles that
 		// opt into mTLS via CERTCTL_SCEP_PROFILE_<NAME>_MTLS_ENABLED=true
 		// get a parallel sibling-route handler registered at /scep-mtls/
 		// <pathID>. The per-profile trust pool gates the inbound client
 		// cert chain (verified at the TLS layer against the union pool +
 		// re-verified at the handler layer against just THIS profile's
 		// bundle to prevent cross-profile bleed-through).
 		scepHandlers := make(map[string]handler.SCEPHandler, len(cfg.SCEP.Profiles))
 		scepMTLSHandlers := make(map[string]handler.SCEPHandler)
 		scepMTLSUnionPool := x509.NewCertPool()
 		scepMTLSAnyEnabled := false
 		// SCEP RFC 8894 + Intune master bundle Phase 8: per-profile Intune
 		// trust anchor holders. We track them here so a single SIGHUP
 		// reload-watcher set spans every profile, AND so the deferred
 		// stop-watcher cleanup runs once at server shutdown.
 		intuneTrustHolders := []*intune.TrustAnchorHolder{}
 		intuneStopWatchers := []func(){}
 		for i, profile := range cfg.SCEP.Profiles {
 			profile := profile // shadow for closure-safety even though no closures escape
 			profileLog := logger.With(
@@ -788,10 +836,85 @@ func main() {
 			preflightCancel()
 			scepService := service.NewSCEPService(profile.IssuerID, issuerConn, auditService, profileLog, profile.ChallengePassword)
 			scepService.SetProfileRepo(profileRepo)
 			scepService.SetPathID(profile.PathID)
 			if profile.ProfileID != "" {
 				scepService.SetProfileID(profile.ProfileID)
 			}
-			scepHandlers[profile.PathID] = handler.NewSCEPHandler(scepService)
+			// SCEP RFC 8894 + Intune master bundle Phase 9.3: publish this
 			// service into the shared scepServices map so the AdminSCEPIntune
 			// handler can find it by PathID. The map was declared above
 			// HandlerRegistry construction; the admin handler holds the
 			// same map by reference, so adding here makes the new profile
 			// visible at the next admin GET.
 			scepServices[profile.PathID] = scepService
 			scepHandler := handler.NewSCEPHandler(scepService)
 			// SCEP RFC 8894 Phase 2.3: load the per-profile RA pair so the
 			// handler can run the new RFC 8894 PKIMessage path. Preflight
 			// already validated the pair (file mode 0600 + cert/key match
 			// + non-expired + RSA-or-ECDSA). Failure here is a deploy bug
 			// the operator needs to know about — fail loud at startup.
 			raCert, raKey, err := loadSCEPRAPair(profile.RACertPath, profile.RAKeyPath)
 			if err != nil {
 				profileLog.Error("startup refused: SCEP profile RA pair load failed despite preflight pass — likely a TOCTOU between preflight + here, or filesystem changed mid-boot", "error", err)
 				os.Exit(1)
 			}
 			scepHandler.SetRAPair(raCert, raKey)
 			// SCEP RFC 8894 + Intune master bundle Phase 8: per-profile Intune
 			// dispatcher wire-in. Builds the trust-anchor holder, replay cache,
 			// and per-device rate limiter; injects them into the SCEPService;
 			// starts the SIGHUP reload watcher (one per holder, all responding
 			// to the same signal as the existing TLS-cert watcher). Profiles
 			// with INTUNE_ENABLED=false skip the entire block, so the cost on
 			// non-Intune deploys is exactly one bool check per profile.
 			if profile.Intune.Enabled {
 				intuneHolder, err := preflightSCEPIntuneTrustAnchor(true, profile.Intune.ConnectorCertPath, profileLog)
 				if err != nil {
 					profileLog.Error(
 						"startup refused: SCEP profile INTUNE trust anchor preflight failed "+
 							"(Phase 8.2: required when INTUNE_ENABLED=true). "+
 							"Verify the bundle file exists at INTUNE_CONNECTOR_CERT_PATH, "+
 							"is readable, parses as PEM, contains ≥1 CERTIFICATE block, "+
 							"and none of the bundled certs are past NotAfter (operator-rotated).",
 						"error", err,
 					)
 					os.Exit(1)
 				}
 				intuneTrustHolders = append(intuneTrustHolders, intuneHolder)
 				intuneStopWatchers = append(intuneStopWatchers, intuneHolder.WatchSIGHUP())
 				// Replay cache TTL = ChallengeValidity (defaults to 60m via
 				// config.go's getEnvDuration default). The cache is sized
 				// for the documented 100k-entry production default; smaller
 				// is fine, larger tightens the operator's escape hatch.
 				replayCache := intune.NewReplayCache(profile.Intune.ChallengeValidity, 0)
 				// Per-device rate limiter: honor the per-profile cap
 				// (INTUNE_PER_DEVICE_RATE_LIMIT_24H, default 3). The cap can
 				// be 0 to disable (limiter then short-circuits all Allow calls
 				// to nil). Map cap stays at the 100k default.
 				rateLimiter := intune.NewPerDeviceRateLimiter(
 					profile.Intune.PerDeviceRateLimit24h,
 					24*time.Hour,
 					0,
 				)
 				scepService.SetIntuneIntegration(
 					intuneHolder,
 					profile.Intune.Audience,
 					profile.Intune.ChallengeValidity,
 					replayCache,
 					rateLimiter,
 				)
 				profileLog.Info("SCEP profile Intune dispatcher enabled",
 					"trust_anchor_path", profile.Intune.ConnectorCertPath,
 					"audience", profile.Intune.Audience,
 					"challenge_validity", profile.Intune.ChallengeValidity,
 					"per_device_rate_limit_24h", profile.Intune.PerDeviceRateLimit24h,
 				)
 			}
 			scepHandlers[profile.PathID] = scepHandler
 			endpoint := "/scep"
 			if profile.PathID != "" {
 				endpoint = "/scep/" + profile.PathID
@@ -800,12 +923,99 @@ func main() {
 				"endpoint", endpoint+"?operation={GetCACaps,GetCACert,PKIOperation}",
 				"challenge_password_set", profile.ChallengePassword != "",
 				"ra_cert_path", profile.RACertPath,
 				"intune_enabled", profile.Intune.Enabled,
 			)
 			// SCEP RFC 8894 Phase 6.5: register the mTLS sibling route
 			// when this profile opted in. Build a per-profile trust pool
 			// from the bundle, share its certs into the union pool the
 			// TLS layer uses, and clone the handler with the per-profile
 			// pool injected so HandleSCEPMTLS can re-verify the inbound
 			// client cert against just THIS profile's bundle.
 			if profile.MTLSEnabled {
 				perProfilePool, err := preflightSCEPMTLSTrustBundle(true, profile.MTLSClientCATrustBundlePath)
 				if err != nil {
 					profileLog.Error(
 						"startup refused: SCEP profile MTLS trust bundle preflight failed "+
 							"(Phase 6.5: required when MTLS_ENABLED=true). "+
 							"Verify the bundle file exists at MTLS_CLIENT_CA_TRUST_BUNDLE_PATH, "+
 							"is readable, parses as PEM, contains ≥1 CERTIFICATE block, "+
 							"and none of the bundled certs are past NotAfter.",
 						"error", err,
 					)
 					os.Exit(1)
 				}
 				// Add this profile's certs to the union pool the TLS
 				// layer uses for VerifyClientCertIfGiven. We re-walk the
 				// bundle so the union pool gets exactly the same certs
 				// as the per-profile pool (defensive against future
 				// pool-mutation refactors).
 				bundleBytes, _ := os.ReadFile(profile.MTLSClientCATrustBundlePath)
 				rest := bundleBytes
 				for {
 					var block *pem.Block
 					block, rest = pem.Decode(rest)
 					if block == nil {
 						break
 					}
 					if block.Type != "CERTIFICATE" {
 						continue
 					}
 					if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
 						scepMTLSUnionPool.AddCert(cert)
 					}
 				}
 				scepMTLSAnyEnabled = true
 				// Build the parallel sibling-route handler. Same SCEP
 				// service + RA pair as the standard route — mTLS is
 				// additive, not a replacement.
 				mtlsHandler := handler.NewSCEPHandler(scepService)
 				mtlsHandler.SetRAPair(raCert, raKey)
 				mtlsHandler.SetMTLSTrustPool(perProfilePool)
 				scepMTLSHandlers[profile.PathID] = mtlsHandler
 				mtlsEndpoint := "/scep-mtls"
 				if profile.PathID != "" {
 					mtlsEndpoint = "/scep-mtls/" + profile.PathID
 				}
 				profileLog.Info("SCEP mTLS sibling route enabled",
 					"endpoint", mtlsEndpoint,
 					"client_ca_trust_bundle", profile.MTLSClientCATrustBundlePath,
 				)
 			}
 		}
 		apiRouter.RegisterSCEPHandlers(scepHandlers)
 		// SCEP RFC 8894 + Intune master bundle Phase 6.5: register the
 		// /scep-mtls sibling routes when at least one profile opted in.
 		// scepMTLSHandlers is non-empty only when scepMTLSAnyEnabled is
 		// true (the per-profile branch only adds to the map when the
 		// profile flag is set), but the explicit gate makes the
 		// no-op-when-disabled case obvious in logs.
 		if scepMTLSAnyEnabled {
 			apiRouter.RegisterSCEPMTLSHandlers(scepMTLSHandlers)
 			scepMTLSUnionPoolForTLS = scepMTLSUnionPool
 			logger.Info("SCEP mTLS sibling route enabled (Phase 6.5)",
 				"mtls_profile_count", len(scepMTLSHandlers),
 			)
 		}
 		logger.Info("SCEP server enabled",
 			"profile_count", len(scepHandlers),
 			"mtls_profile_count", len(scepMTLSHandlers),
 			"intune_profile_count", len(intuneTrustHolders),
 		)
 		// SCEP RFC 8894 + Intune master bundle Phase 8.5: clean up the
 		// SIGHUP watcher goroutines when the server shuts down. We register
 		// the stop functions on a deferred sweep so the cleanup runs in
 		// LIFO order even if a downstream init step os.Exit(1)s.
 		if len(intuneStopWatchers) > 0 {
 			defer func() {
 				for _, stop := range intuneStopWatchers {
 					stop()
 				}
 			}()
 		}
 	}
 	// Register RFC 5280 CRL and RFC 6960 OCSP handlers under /.well-known/pki/.
@@ -1042,9 +1252,17 @@ func main() {
 	// Server configuration
 	addr := net.JoinHostPort(cfg.Server.Host, strconv.Itoa(cfg.Server.Port))
 	httpServer := &http.Server{
-		Addr:              addr,
+		Addr:    addr,
-		Handler:           finalHandler,
+		Handler: finalHandler,
-		TLSConfig:         buildServerTLSConfig(tlsCertHolder),
+		// SCEP RFC 8894 + Intune master bundle Phase 6.5: when at least
 		// one SCEP profile opted into mTLS, the listener carries the
 		// union of every enabled profile's client-CA trust bundle and
 		// negotiates VerifyClientCertIfGiven on the handshake. The
 		// /scep route stays challenge-password-only; the /scep-mtls
 		// sibling route gates additionally on the verified client cert.
 		// nil pool = no profile opted in = identical TLS shape to the
 		// pre-Phase-6.5 buildServerTLSConfig path.
 		TLSConfig:         buildServerTLSConfigWithMTLS(tlsCertHolder, scepMTLSUnionPoolForTLS),
 		ReadTimeout:       30 * time.Second,
 		ReadHeaderTimeout: 5 * time.Second,
 		WriteTimeout:      120 * time.Second, // Must accommodate ACME issuance (order + challenge + finalize)
@@ -1142,6 +1360,139 @@ func preflightSCEPChallengePassword(enabled bool, challengePassword string) erro
 	return nil
 }
 // preflightSCEPMTLSTrustBundle validates a per-profile mTLS client-CA
 // trust bundle. SCEP RFC 8894 + Intune master bundle Phase 6.5.
 //
 // Mirrors preflightSCEPRACertKey's no-op-when-disabled pattern; otherwise
 // the checks are:
 //
 //  1. Path is non-empty (the Validate() refuse covers this too, but
 //     preflight reports the specific failure with an actionable error
 //     string + os.Exit(1) at the call site).
 //  2. File exists + readable.
 //  3. PEM-decodes to ≥1 CERTIFICATE block.
 //  4. None of the bundled certs is past NotAfter — an expired trust
 //     anchor would silently reject every client cert at runtime.
 //
 // On success, returns the parsed *x509.CertPool ready to inject into the
 // per-profile SCEPHandler via SetMTLSTrustPool. Each bundled cert also
 // contributes to the union pool that backs the TLS-layer
 // VerifyClientCertIfGiven.
 func preflightSCEPMTLSTrustBundle(enabled bool, bundlePath string) (*x509.CertPool, error) {
 	if !enabled {
 		return nil, nil
 	}
 	if bundlePath == "" {
 		return nil, fmt.Errorf("MTLS enabled but trust bundle path empty: " +
 			"set CERTCTL_SCEP_PROFILE_<NAME>_MTLS_CLIENT_CA_TRUST_BUNDLE_PATH to a PEM file " +
 			"containing the bootstrap-CA certs the operator allows to enroll")
 	}
 	body, err := os.ReadFile(bundlePath)
 	if err != nil {
 		return nil, fmt.Errorf("read MTLS trust bundle: %w (path=%s)", err, bundlePath)
 	}
 	pool := x509.NewCertPool()
 	rest := body
 	count := 0
 	now := time.Now()
 	for {
 		var block *pem.Block
 		block, rest = pem.Decode(rest)
 		if block == nil {
 			break
 		}
 		if block.Type != "CERTIFICATE" {
 			continue
 		}
 		cert, err := x509.ParseCertificate(block.Bytes)
 		if err != nil {
 			return nil, fmt.Errorf("parse MTLS trust bundle cert: %w (path=%s)", err, bundlePath)
 		}
 		if now.After(cert.NotAfter) {
 			return nil, fmt.Errorf("MTLS trust bundle cert expired at %s (subject=%q, path=%s) — replace before restart",
 				cert.NotAfter.Format(time.RFC3339), cert.Subject.CommonName, bundlePath)
 		}
 		pool.AddCert(cert)
 		count++
 	}
 	if count == 0 {
 		return nil, fmt.Errorf("MTLS trust bundle contained no CERTIFICATE PEM blocks (path=%s)", bundlePath)
 	}
 	return pool, nil
 }
 // preflightSCEPIntuneTrustAnchor validates a per-profile Microsoft Intune
 // Certificate Connector signing-cert trust bundle.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 8.2.
 //
 // No-op when this profile has Intune disabled (the common case for
 // non-Intune SCEP deploys). When enabled:
 //
 //  1. Path is non-empty (Validate() refuse covers this too; we re-check
 //     here so the caller can os.Exit(1) with the specific PathID in the
 //     log line).
 //  2. File exists + readable.
 //  3. PEM-decodes to ≥1 CERTIFICATE block (intune.LoadTrustAnchor enforces
 //     this and skips non-CERTIFICATE blocks like accidentally-pasted
 //     priv-key blocks).
 //  4. None of the bundled certs is past NotAfter — an expired Intune
 //     trust anchor would silently reject every Connector challenge at
 //     runtime, which is a much worse failure mode than failing fast at
 //     boot. intune.LoadTrustAnchor enforces this and surfaces the subject
 //     CN in the error message so the operator knows which cert to rotate.
 //
 // On success returns the freshly-built *intune.TrustAnchorHolder ready to
 // inject into the per-profile SCEPService via SetIntuneIntegration. The
 // holder also installs the SIGHUP watcher (started by the caller).
 func preflightSCEPIntuneTrustAnchor(enabled bool, path string, logger *slog.Logger) (*intune.TrustAnchorHolder, error) {
 	if !enabled {
 		return nil, nil
 	}
 	if path == "" {
 		return nil, fmt.Errorf("INTUNE enabled but trust anchor path empty: " +
 			"set CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CONNECTOR_CERT_PATH to a PEM bundle " +
 			"of the Microsoft Intune Certificate Connector's signing certs")
 	}
 	holder, err := intune.NewTrustAnchorHolder(path, logger)
 	if err != nil {
 		return nil, fmt.Errorf("INTUNE trust anchor load failed: %w (path=%s)", err, path)
 	}
 	return holder, nil
 }
 // loadSCEPRAPair reads the RA cert PEM + key PEM and returns the parsed
 // x509.Certificate + crypto.PrivateKey ready for the SCEP handler's RFC
 // 8894 path. Called AFTER preflightSCEPRACertKey passed; failures here
 // indicate a TOCTOU race or a filesystem change between preflight and
 // the load (rare).
 //
 // Cert PEM may carry a chain (CA + RA + intermediate); we use the FIRST
 // CERTIFICATE block, matching the RFC 8894 §3.5.1 single-cert convention
 // for the GetCACert response.
 func loadSCEPRAPair(certPath, keyPath string) (*x509.Certificate, crypto.PrivateKey, error) {
 	certPEM, err := os.ReadFile(certPath)
 	if err != nil {
 		return nil, nil, fmt.Errorf("read RA cert: %w", err)
 	}
 	keyPEM, err := os.ReadFile(keyPath)
 	if err != nil {
 		return nil, nil, fmt.Errorf("read RA key: %w", err)
 	}
 	pair, err := tls.X509KeyPair(certPEM, keyPEM)
 	if err != nil {
 		return nil, nil, fmt.Errorf("parse RA pair: %w", err)
 	}
 	if len(pair.Certificate) == 0 {
 		return nil, nil, fmt.Errorf("RA cert PEM contained no certificate blocks")
 	}
 	leaf, err := x509.ParseCertificate(pair.Certificate[0])
 	if err != nil {
 		return nil, nil, fmt.Errorf("parse RA cert: %w", err)
 	}
 	return leaf, pair.PrivateKey, nil
 }
 // preflightSCEPRACertKey validates the RA cert/key pair the RFC 8894 SCEP
 // path requires. Mirrors preflightSCEPChallengePassword's no-op-when-disabled
 // pattern; otherwise the checks are:
@@ -1345,10 +1696,23 @@ func buildFinalHandler(apiHandler, noAuthHandler http.Handler, webDir string, da
 		// authenticate via the challengePassword attribute in the PKCS#10 CSR,
 		// not via HTTP Bearer tokens. preflightSCEPChallengePassword refuses to
 		// start the server if SCEP is enabled without a non-empty shared secret.
 		//
 		// SCEP RFC 8894 + Intune master bundle Phase 6.5: the sibling
 		// /scep-mtls[/<pathID>] route also rides the no-auth chain. Its
 		// auth boundary is (a) client cert verified at the TLS layer +
 		// re-verified per-profile at the handler layer, plus (b) the
 		// challenge password — neither is a Bearer token. The /scepxyz
 		// vs /scep-mtls disambiguation: 'xyz' starts with a letter so the
 		// HasPrefix(path, "/scep/") gate doesn't match it; 'mtls' is its
 		// own dedicated prefix gated below to avoid the same overlap.
 		if path == "/scep" || strings.HasPrefix(path, "/scep/") {
 			noAuthHandler.ServeHTTP(w, r)
 			return
 		}
 		if path == "/scep-mtls" || strings.HasPrefix(path, "/scep-mtls/") {
 			noAuthHandler.ServeHTTP(w, r)
 			return
 		}
 		// Authenticated API routes — full middleware stack including Auth.
 		if strings.HasPrefix(path, "/api/v1/") {
@@ -14,10 +14,10 @@ type fakeIssuerConn struct {
 	caCertErr error
 }
-func (f *fakeIssuerConn) IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int) (*service.IssuanceResult, error) {
+func (f *fakeIssuerConn) IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int, mustStaple bool) (*service.IssuanceResult, error) {
 	return nil, nil
 }
-func (f *fakeIssuerConn) RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int) (*service.IssuanceResult, error) {
+func (f *fakeIssuerConn) RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int, mustStaple bool) (*service.IssuanceResult, error) {
 	return nil, nil
 }
 func (f *fakeIssuerConn) RevokeCertificate(ctx context.Context, serial string, reason string) error {
@@ -2,6 +2,7 @@ package main
 import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"log/slog"
 	"os"
@@ -134,6 +135,31 @@ func buildServerTLSConfig(holder *certHolder) *tls.Config {
 	}
 }
 // buildServerTLSConfigWithMTLS extends buildServerTLSConfig with a client-cert
 // trust pool for the SCEP RFC 8894 + Intune master bundle Phase 6.5 mTLS
 // sibling route. SCEP profiles that opt into mTLS each contribute their
 // trust bundle to the union pool here; the same TLS listener serves both
 // /scep[/<pathID>] (no client cert) and /scep-mtls/<pathID> (cert required
 // at the handler layer).
 //
 // ClientAuth: VerifyClientCertIfGiven — request a cert during handshake; if
 // the client presents one, verify it against the union pool; if absent, the
 // request still reaches the handler and the per-route handler decides
 // whether to accept. Critical that we do NOT use RequireAndVerifyClientCert
 // here — that would break the standard /scep route (which is challenge-
 // password-only, no client cert expected).
 //
 // Pass clientCAs == nil to disable mTLS (no profile opted in). The function
 // then returns the same shape as buildServerTLSConfig.
 func buildServerTLSConfigWithMTLS(holder *certHolder, clientCAs *x509.CertPool) *tls.Config {
 	cfg := buildServerTLSConfig(holder)
 	if clientCAs != nil {
 		cfg.ClientCAs = clientCAs
 		cfg.ClientAuth = tls.VerifyClientCertIfGiven
 	}
 	return cfg
 }
 // preflightServerTLS is the fail-loud startup gate for HTTPS. Returns a
 // non-nil error when the TLS configuration is missing or the cert+key pair
 // cannot be parsed, so the caller refuses to start the control plane
@@ -760,20 +760,34 @@ IssuerConnector (connector layer via IssuerConnectorAdapter)
 Signed certificate returned as PKCS#7 certs-only
 ```
-**Wire format:** SCEP clients wrap CSRs in PKCS#7 SignedData envelopes. The handler parses the outer ASN.1 ContentInfo → SignedData → EncapsulatedContentInfo to extract the CSR bytes. Fallback paths handle base64-encoded PKCS#7 and raw CSR submissions (for simpler clients). Responses use PKCS#7 certs-only via the shared `internal/pkcs7` package (same as EST). Single certs are returned as raw DER for `GetCACert`, chains as PKCS#7.
+**Wire format:** Two paths, tried in order. The new RFC 8894 path (post-2026-04-29) parses the full PKIMessage shape: ContentInfo → SignedData → SignerInfo (POPO over auth-attrs verified via `internal/pkcs7/signedinfo.go::SignerInfo.VerifySignature` with the canonical SET-OF Attribute re-serialisation per RFC 5652 §5.4) → EnvelopedData (decrypted via `internal/pkcs7/envelopeddata.go::EnvelopedData.Decrypt` with RSA PKCS#1v1.5 keyTrans + AES-CBC content + constant-time PKCS#7 unpad to close the padding-oracle leak) → inner PKCS#10 CSR. Auth-attrs (messageType, transactionID, senderNonce) flow through to the service layer via `domain.SCEPRequestEnvelope`. The handler dispatches on messageType: PKCSReq (19) → initial enrollment; RenewalReq (17) → re-enrollment with chain validation; GetCertInitial (20) → polling stub returns FAILURE+badCertID. Responses are full CertRep PKIMessages (`internal/pkcs7/certrep.go::BuildCertRepPKIMessage`) signed by the per-profile RA cert/key with the issued cert chain encrypted to the device's transient signing cert (RFC 8894 §3.3.2). On parse failure the handler falls through to the legacy MVP path: base64-encoded PKCS#7 and raw CSR submissions are still accepted; responses use the legacy PKCS#7 certs-only shape via the shared `internal/pkcs7` package. The MVP fall-through is non-negotiable — backward compat with lightweight SCEP clients that don't speak full RFC 8894. Single certs are returned as raw DER for `GetCACert`, chains as PKCS#7.
 **Authentication:** SCEP endpoints at `/scep` and `/scep/*` are served unauthenticated at the HTTP layer — no Bearer token required — per RFC 8894 §3.2, which defines authentication via the `challengePassword` attribute (OID 1.2.840.113549.1.9.7) embedded in the PKCS#10 CSR rather than an HTTP credential. The HTTP dispatch is implemented in `cmd/server/main.go:buildFinalHandler`, which routes `/scep` and `/scep/*` through `noAuthHandler` (RequestID + structuredLogger + Recovery only). The `challengePassword` is mandatory: `preflightSCEPChallengePassword` at startup refuses to boot the control plane when `CERTCTL_SCEP_ENABLED=true` is set without `CERTCTL_SCEP_CHALLENGE_PASSWORD`, closing CWE-306 (missing authentication for a critical function). `SCEPService.PKCSReq` enforces the same invariant defense-in-depth — an empty `s.challengePassword` rejects every enrollment — and the password comparison uses `crypto/subtle.ConstantTimeCompare` to prevent response-time side-channel leakage. The startup log line `SCEP server enabled` emits a `challenge_password_set` boolean for operator visibility.
-**Interface:** The `SCEPHandler` defines an `SCEPService` interface (dependency inversion):
+**Interface:** The `SCEPHandler` defines an `SCEPService` interface (dependency inversion). The legacy `PKCSReq` method backs the MVP fall-through path; the three `*WithEnvelope` variants back the RFC 8894 PKIMessage path:
 ```go
 type SCEPService interface {
    GetCACaps(ctx context.Context) string
    GetCACert(ctx context.Context) (string, error)
-    PKCSReq(ctx context.Context, csrPEM string, challengePassword string, transactionID string) (*domain.SCEPEnrollResult, error)
+    // MVP path — raw CSR + transactionID synthesised from CSR's CN.
    PKCSReq(ctx context.Context, csrPEM, challengePassword, transactionID string) (*domain.SCEPEnrollResult, error)
    // RFC 8894 path — envelope carries the parsed authenticated attributes
    // (messageType, transactionID, senderNonce, signerCert). Returns
    // *SCEPResponseEnvelope (not error + result) because RFC 8894 §3.3
    // mandates a CertRep PKIMessage on every response, even failures.
    PKCSReqWithEnvelope(ctx context.Context, csrPEM, challengePassword string, env *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope
    RenewalReqWithEnvelope(ctx context.Context, csrPEM, challengePassword string, env *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope
    GetCertInitialWithEnvelope(ctx context.Context, env *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope
 }
 ```
 **Capabilities advertised:** `POSTPKIOperation` + `SHA-256` + `SHA-512` + `AES` + `SCEPStandard` + `Renewal`. ChromeOS specifically looks for `POSTPKIOperation` (non-base64 POST), `AES` (the now-implemented CBC content encryption), `SCEPStandard` (RFC 8894 conformance), and `Renewal` (RenewalReq messageType-17 dispatch).
 **Multi-profile dispatch:** A single certctl instance can expose multiple SCEP endpoints from `CERTCTL_SCEP_PROFILES=corp,iot,server` + per-profile `CERTCTL_SCEP_PROFILE_<NAME>_*` env vars, each with its own issuer + RA pair + challenge password. The router exposes `/scep` (legacy, single-profile flat-env case) + `/scep/<pathID>` per non-empty profile. Per-profile preflight validates each RA pair independently; failures log the offending PathID. See [`legacy-est-scep.md`](legacy-est-scep.md#multi-profile-dispatch-scep-path-id) for the operator config recipe.
 **Must-staple per profile:** When `CertificateProfile.MustStaple = true`, the local issuer adds the RFC 7633 `id-pe-tlsfeature` extension (OID `1.3.6.1.5.5.7.1.24`, non-critical, value `SEQUENCE OF INTEGER {5}`) to issued certs so browsers + modern TLS libraries fail-closed on missing OCSP stapling responses.
 **Shared PKCS#7 package:** Both EST and SCEP handlers share a common `internal/pkcs7` package for building PKCS#7 certs-only responses and PEM-to-DER chain conversion, eliminating code duplication between the two enrollment protocols.
 **Audit:** Every SCEP enrollment is recorded in the audit trail with `protocol: "SCEP"`, the CN, SANs, issuer ID, serial number, transaction ID, and optional profile ID.
@@ -327,7 +327,9 @@ The `GetCACertPEM()` method returns the PEM-encoded CA certificate chain, used b
 - **step-ca**: Returns error — step-ca serves its own `/root` endpoint for CA distribution.
 - **OpenSSL/Custom CA**: Returns error — custom script-based CAs have no CA cert access through certctl.
-Note: EST and SCEP are not connectors — they are protocol handlers (`internal/api/handler/est.go` and `internal/api/handler/scep.go`) that delegate certificate issuance to whichever issuer connector is configured via `CERTCTL_EST_ISSUER_ID` or `CERTCTL_SCEP_ISSUER_ID`. Both share a common `internal/pkcs7` package for PKCS#7 response encoding. See the [Architecture Guide](architecture.md#est-server-rfc-7030) for details.
+Note: EST and SCEP are not connectors — they are protocol handlers (`internal/api/handler/est.go` and `internal/api/handler/scep.go`) that delegate certificate issuance to whichever issuer connector is configured via `CERTCTL_EST_ISSUER_ID` or `CERTCTL_SCEP_ISSUER_ID` (or the per-profile `CERTCTL_SCEP_PROFILE_<NAME>_ISSUER_ID` form for multi-endpoint SCEP). Both share a common `internal/pkcs7` package for PKCS#7 response encoding. See the [Architecture Guide](architecture.md#est-server-rfc-7030) for details.
 **SCEP RA cert + key (post-2026-04-29):** the SCEP server's RFC 8894 path requires an RA cert/key pair (`CERTCTL_SCEP_RA_CERT_PATH` + `CERTCTL_SCEP_RA_KEY_PATH`, mode 0600) — clients encrypt their CSR to the RA cert's public key per RFC 8894 §3.2.2. Multi-profile deployments configure per-profile pairs via `CERTCTL_SCEP_PROFILES=corp,iot` + `CERTCTL_SCEP_PROFILE_<NAME>_RA_*_PATH`. See [`legacy-est-scep.md`](legacy-est-scep.md#scep-rfc-8894-native-implementation-post-2026-04-29) for the openssl recipe + ChromeOS Admin Console pointer + must-staple per-profile policy.
 ### Built-in: Vault PKI
@@ -654,6 +654,13 @@ SCEP uses a single URL (`/scep?operation=...`). The handler extracts PKCS#10 CSR
 | `CERTCTL_SCEP_PROFILE_<NAME>_CHALLENGE_PASSWORD` | (none) | Per-profile shared secret. **Required for every profile** in `CERTCTL_SCEP_PROFILES` (CWE-306: per-profile auth boundary). Empty value at startup fails the boot with the offending PathID in the structured log. |
 | `CERTCTL_SCEP_PROFILE_<NAME>_RA_CERT_PATH` | (none) | Per-profile RA certificate PEM path. Same semantics as `CERTCTL_SCEP_RA_CERT_PATH` but scoped to one profile. **Required for every profile.** |
 | `CERTCTL_SCEP_PROFILE_<NAME>_RA_KEY_PATH` | (none) | Per-profile RA private key PEM path (mode `0600`). Same semantics as `CERTCTL_SCEP_RA_KEY_PATH` but scoped to one profile. **Required for every profile.** |
 | `CERTCTL_SCEP_PROFILE_<NAME>_MTLS_ENABLED` | `false` | **Phase 6.5 (opt-in).** When true, certctl exposes a sibling `/scep-mtls/<pathID>` route alongside the standard `/scep/<pathID>` route. The sibling route requires the SCEP client to present an mTLS client cert that chains to `_MTLS_CLIENT_CA_TRUST_BUNDLE_PATH`. The standard route continues to use challenge-password-only auth — operators can run BOTH routes simultaneously for migration / heterogeneous client fleets. mTLS is additive (not a replacement for the challenge password). Designed for enterprise procurement teams that reject "shared password authentication" as a checkbox-fail. Same model Apple's MDM and Cisco's BRSKI use. |
 | `CERTCTL_SCEP_PROFILE_<NAME>_MTLS_CLIENT_CA_TRUST_BUNDLE_PATH` | (none) | PEM bundle of CA certs that sign the client (device-bootstrap) certs the operator allows to enroll on this profile's `/scep-mtls/<pathID>` route. **Required when `_MTLS_ENABLED=true`.** Operators with multiple bootstrap CAs concatenate them. The startup preflight (`cmd/server/main.go::preflightSCEPMTLSTrustBundle`) validates: file exists, parses as PEM, contains ≥1 cert, none expired. |
 | `CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_ENABLED` | `false` | **Phase 8 (opt-in).** When true, this profile routes Intune-shaped challenge passwords (length > 200 + exactly two dots) to the Microsoft Intune Certificate Connector signed-challenge validator. Static challenge passwords still work as a fallback for non-Intune devices in mixed-fleet deployments. Per-profile flag so an operator running corp-laptops via Intune AND IoT devices via static challenge can opt-in on the corp profile only. |
 | `CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CONNECTOR_CERT_PATH` | (none) | Filesystem path to a PEM bundle of one or more Microsoft Intune Certificate Connector signing certs. **Required when `_INTUNE_ENABLED=true`.** Reloaded on `SIGHUP` (mirrors the server TLS-cert reload pattern). Startup preflight + reload both refuse empty bundles + expired certs and surface the offending subject CN in the error message. Operators who rotate the Connector signing cert update the file on disk then `kill -HUP <certctl-pid>` to apply (no restart required). |
 | `CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_AUDIENCE` | (empty, audience check disabled) | Expected `aud` claim in the Intune challenge — typically the public SCEP endpoint URL the Connector is configured to call (e.g. `https://certctl.example.com/scep/corp`). Empty disables the check, useful for proxy / load-balancer scenarios where the URL the Connector saw differs from the URL we see. Operators who pin a public URL gain defense-in-depth against challenge re-use across endpoints. |
 | `CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CHALLENGE_VALIDITY` | `60m` | Maximum age of an Intune challenge, on top of the challenge's own `iat`/`exp` claims. Defense-in-depth: even if the Connector mints a 24h-valid challenge, this caps the window during which a leaked challenge can be replayed. Default matches Microsoft's published Connector defaults. Zero disables the cap (relies entirely on the challenge's `exp`). |
 | `CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_PER_DEVICE_RATE_LIMIT_24H` | `3` | Maximum enrollments per `(claim.Subject, claim.Issuer)` pair in any rolling 24-hour window. Catches a compromised Connector signing key issuing many DIFFERENT valid challenges for the same device. Default 3 covers legitimate first-cert + recovery + post-wipe re-enrollment. Zero disables the limiter (not recommended for production). |
 ---
@@ -201,6 +201,308 @@ becomes a compliance failure:
 - https://www.pcisecuritystandards.org/news_events/
 - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/  (SP 800-52 revisions)
 ## SCEP RFC 8894 native implementation (post-2026-04-29)
 Prior to this bundle, certctl's SCEP server parsed `PKCS#7 SignedData` and
 treated the encapsulated content as a raw `PKCS#10 CSR` (the file-internal
 "MVP" comment at `internal/api/handler/scep.go:217` flagged this). That
 worked for lightweight MDM agents but failed against ChromeOS and most
 production MDM clients which expect full RFC 8894 wire format:
 `SignedData` wrapping an `EnvelopedData` encrypting the CSR to the RA
 cert's public key, with `signerInfo` POPO over the auth-attrs.
 The new RFC 8894 path runs FIRST; on any parse failure it falls through
 to the legacy MVP raw-CSR path so existing operators see no behavior
 change for their lightweight clients.
 ### Required: RA cert + key
 The RFC 8894 path requires a Registration Authority cert + key pair.
 Clients encrypt their CSR to the RA cert's public key (RFC 8894 §3.2.2);
 the certctl server uses the RA key to decrypt and to sign the outbound
 CertRep PKIMessage signerInfo (RFC 8894 §3.3.2).
 | Env var | Default | Meaning |
 | --- | --- | --- |
 | `CERTCTL_SCEP_RA_CERT_PATH` | (none) | Path to PEM-encoded RA certificate. **Required when `CERTCTL_SCEP_ENABLED=true`.** |
 | `CERTCTL_SCEP_RA_KEY_PATH` | (none) | Path to PEM-encoded RA private key matching `CERTCTL_SCEP_RA_CERT_PATH`. File MUST be mode `0600` (preflight refuses world-readable). |
 Generate the RA pair (any RSA-2048+ or ECDSA-P256+ pair signed by your
 root or sub-CA works):
 ```bash
 # RSA-2048 RA pair, valid 1 year, signed by your root.
 openssl req -new -newkey rsa:2048 -nodes -keyout ra.key -out ra.csr \
  -subj "/CN=corp-ca-RA"
 openssl x509 -req -in ra.csr -days 365 \
  -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile <(printf "extendedKeyUsage=emailProtection,1.3.6.1.5.5.7.3.4") \
  -out ra.crt
 chmod 0600 ra.key       # required — preflight rejects world-readable keys
 chmod 0644 ra.crt
 mv ra.key ra.crt /etc/certctl/scep/
 export CERTCTL_SCEP_ENABLED=true
 export CERTCTL_SCEP_RA_CERT_PATH=/etc/certctl/scep/ra.crt
 export CERTCTL_SCEP_RA_KEY_PATH=/etc/certctl/scep/ra.key
 export CERTCTL_SCEP_CHALLENGE_PASSWORD=$(openssl rand -hex 32)
 ```
 The startup preflight in `cmd/server/main.go::preflightSCEPRACertKey`
 validates: file existence, key file mode 0600, cert/key match, cert
 non-expired, RSA-or-ECDSA public-key algorithm. Failures `os.Exit(1)`
 with a structured log line identifying the offending profile.
 ### Capability advertisement (`GetCACaps`)
 ```
 POSTPKIOperation
 SHA-256
 SHA-512
 AES
 SCEPStandard
 Renewal
 ```
 ChromeOS specifically looks for `POSTPKIOperation` (non-base64 POST),
 `AES` (the now-implemented CBC content encryption), `SCEPStandard` (RFC
 8894 conformance), and `Renewal` (RenewalReq messageType-17 support).
 Older Cisco IOS clients also accept `SHA-256` and `SHA-512` per RFC 8894
 §3.5.2.
 ### Supported messageTypes
 | Type | RFC 8894 § | Behavior |
 | --- | --- | --- |
 | `PKCSReq` (19) | §3.3.1 | Initial enrollment. Signer cert is the device's transient self-signed key. |
 | `RenewalReq` (17) | §3.3.1.2 | Re-enrollment. Signer cert MUST be a previously-issued cert from this issuer; service-side `verifyRenewalSignerCertChain` enforces. |
 | `GetCertInitial` (20) | §3.3.3 | Polling for pending requests. v1 returns `FAILURE+badCertID` because deferred-issuance isn't supported (every PKCSReq either succeeds or fails synchronously). |
 | `CertRep` (3) | §3.3.2 | Server response — never inbound. |
 ### MVP backward-compatibility path
 Lightweight clients that send a stripped `SignedData` containing a raw
 CSR (no `EnvelopedData` wrapper, no `signerInfo` POPO) keep working: the
 handler tries the RFC 8894 path FIRST; on any parse failure it falls
 through to the legacy `extractCSRFromPKCS7` path. The legacy path uses
 the CSR's `challengePassword` attribute the same way as the RFC 8894
 path. Operators with existing lightweight-client deploys see zero
 behavior change.
 ### Multi-profile dispatch (`/scep/<pathID>`)
 Real enterprise deploys run multiple SCEP endpoints from one certctl
 instance — corp-laptop CA, IoT CA, server CA — each with its own
 issuer + RA pair + challenge password. Configure via the indexed env-var
 form documented in [`features.md`](features.md): set
 `CERTCTL_SCEP_PROFILES=corp,iot,server` (a comma-separated list of
 profile names), then for each name supply the per-profile env-vars
 prefixed with `CERTCTL_SCEP_PROFILE_<NAME>_` followed by the suffix
 keys `_ISSUER_ID`, `_PROFILE_ID`, `_CHALLENGE_PASSWORD`, `_RA_CERT_PATH`,
 `_RA_KEY_PATH`. The `<NAME>` token resolves to the upper-cased profile
 name from the list. Each profile is independently validated at startup;
 per-profile failures log the offending PathID.
 The router exposes `/scep/corp`, `/scep/iot`, `/scep/server`. The legacy
 `/scep` root remains for the single-profile flat-env-var case (when
 `CERTCTL_SCEP_PROFILES` is unset). Per-profile preflight validates each
 RA pair independently; failures log the offending PathID.
 ### ChromeOS Admin Console pointer
 In Google Admin Console → Devices → Networks → Certificates, register
 certctl's `/scep[/<pathID>]` URL as the SCEP server. Enter the challenge
 password from `CERTCTL_SCEP_CHALLENGE_PASSWORD` (or per-profile
 `CERTCTL_SCEP_PROFILE_<NAME>_CHALLENGE_PASSWORD`). ChromeOS pulls
 `GetCACert` first to retrieve the RA cert, then enrolls via
 PKIOperation.
 ### RA cert rotation
 The RA cert is loaded once at startup and persisted in the handler's
 struct field; rotation requires a server restart (mirrors the
 `CERTCTL_SERVER_TLS_CERT_PATH` precedent in `cmd/server/tls.go`). The
 recommended cadence is annual rotation with a 30-day overlap during
 which both old + new RA certs are listed in `GetCACert`'s response (set
 the cert chain accordingly in your sub-CA hierarchy).
 ### Must-staple per-profile policy (RFC 7633)
 When a `CertificateProfile` has `MustStaple = true`, the local issuer
 adds the `id-pe-tlsfeature` extension (OID `1.3.6.1.5.5.7.1.24`,
 non-critical, value `SEQUENCE OF INTEGER {5}`) to every issued cert.
 Browsers + modern TLS libraries that see this extension fail-closed on
 missing OCSP stapling responses — defense against revocation-bypass via
 OCSP blackholing.
 **Default policy:** `false`. Operators opt in once they've confirmed the
 TLS reverse proxy / load balancer staples OCSP responses. NGINX,
 HAProxy, Envoy all support stapling but it requires explicit config —
 turning must-staple on without verifying the TLS path will hard-fail
 browsers.
 Recommended for: Intune-deployed device certs (modern TLS clients);
 SCEP profiles serving general / legacy clients (ChromeOS, IoT) should
 stay `false` until the TLS path is verified.
 ### mTLS sibling route (Phase 6.5, opt-in)
 SCEP is documented as application-layer-auth — the challenge password
 is the authentication boundary per RFC 8894 §3.2. But enterprise
 procurement teams routinely reject "shared password authentication" as
 a checkbox-fail regardless of how strong the password is. The clean
 answer: a **sibling** route at `/scep-mtls/<pathID>` that requires
 client-cert auth at the handler layer AND ALSO accepts the challenge
 password (defense in depth, not replacement). Devices present a
 bootstrap cert from a trusted CA (e.g. a manufacturing-time cert),
 then SCEP-enroll for their long-lived cert. Same model Apple's MDM and
 Cisco's BRSKI use.
 **Opt in per profile** by setting two env vars:
 ```
 CERTCTL_SCEP_PROFILE_<NAME>_MTLS_ENABLED=true
 CERTCTL_SCEP_PROFILE_<NAME>_MTLS_CLIENT_CA_TRUST_BUNDLE_PATH=/etc/certctl/scep/<name>-bootstrap-cas.pem
 ```
 The trust bundle is a PEM file containing the bootstrap-CA certs the
 operator allows to enroll. Operators with multiple bootstrap CAs
 concatenate them. The startup preflight
 (`cmd/server/main.go::preflightSCEPMTLSTrustBundle`) validates: file
 exists, parses as PEM, contains ≥1 cert, none expired. Failures
 `os.Exit(1)` with a structured log identifying the offending PathID.
 **TLS server config:** when at least one profile opts into mTLS, the
 HTTPS listener gets the union of every enabled profile's trust bundle
 as its `ClientCAs` pool, plus `ClientAuth: VerifyClientCertIfGiven` —
 the listener requests a client cert during the handshake, verifies it
 against the union pool if presented, and lets the handler decide
 whether to require it. This means the SAME listener serves both
 `/scep[/<pathID>]` (no client cert required) and `/scep-mtls/<pathID>`
 (cert required). The standard route stays untouched for clients that
 can't present a cert.
 **Handler-layer per-profile gate:** the TLS-layer check uses the union
 pool, so a cert that chains to profile A's bundle would pass the TLS
 handshake even when targeting profile B. The handler-layer gate
 (`HandleSCEPMTLS`) re-verifies the inbound client cert against ONLY
 THIS profile's pool — preventing cross-profile bleed-through.
 **Auth chain on the mTLS sibling route:**
 1. TLS handshake: client cert verified against the union pool
   (if presented; absent = standard SCEP path applies but handler
   rejects with 401).
 2. Handler-layer per-profile re-verification: cert must chain to
   THIS profile's trust bundle. Mismatch = 401.
 3. Standard SCEP enrollment: `HandleSCEP` runs as on the standard
   route — including the challenge-password gate at the service layer.
 A stolen device cert without the matching challenge password gets
 rejected (and vice versa). Both layers are independently required.
 **Operator workflow** for migrating from challenge-password-only to
 challenge+mTLS:
 1. Generate a bootstrap CA + issue a bootstrap cert per device (out
   of band — typically manufacturing-time, MDM-pushed, or a separate
   PKI flow). 
 2. Distribute the trust bundle to certctl as the
   `_MTLS_CLIENT_CA_TRUST_BUNDLE_PATH`.
 3. Set `_MTLS_ENABLED=true` for the profile, restart certctl.
 4. Devices now have TWO valid enrollment URLs:
   `/scep/<pathID>` (challenge-password-only, legacy) and
   `/scep-mtls/<pathID>` (cert + challenge, new).
 5. Roll out config to fleet that switches devices to the new URL.
 6. Once the fleet has migrated, remove `_CHALLENGE_PASSWORD` from the
   profile (Validate() will keep the gate when MTLSEnabled=true so
   the password requirement doesn't go away — the password is still
   the application-layer auth boundary).
 ### Microsoft Intune dynamic-challenge dispatcher (Phase 8, opt-in)
 When SCEP sits behind the Microsoft Intune Certificate Connector, devices
 present an Intune-issued signed challenge (a JWT-like blob over a JSON
 claim payload) instead of the static `_CHALLENGE_PASSWORD`. Phase 8 wires
 a per-profile dispatcher that validates these signed challenges against
 the Connector's signing-cert trust anchor and binds the asserted device
 identity to the inbound CSR. Static challenge passwords still work as a
 fallback so heterogeneous fleets (some Intune-enrolled, some not) keep
 working.
 **Per-profile env vars** (all default to off; legacy/static-only profiles
 need no changes):
 ```
 CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_ENABLED=true
 CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CONNECTOR_CERT_PATH=/etc/certctl/intune-corp.pem
 CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_AUDIENCE=https://certctl.example.com/scep/corp
 CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CHALLENGE_VALIDITY=60m
 CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_PER_DEVICE_RATE_LIMIT_24H=3
 ```
 **Trust-anchor extraction:** the operator extracts the Connector
 installation's signing cert (from the Connector's certificate store on
 the Windows host running the Connector — Microsoft does not publish a
 direct download) and writes a PEM bundle to the configured path.
 Multiple Connectors in HA = concatenate their certs.
 **Trust-anchor reload:** the holder re-reads the bundle on `SIGHUP` (the
 same signal that rotates the server's TLS cert). A bad reload (parse
 error, expired cert) keeps the OLD pool in place — operators get a
 recoverable failure window rather than a service-down. Rotate the file
 on disk, then `kill -HUP <certctl-pid>` to apply with no restart.
 **Replay protection:** in-memory cache of seen challenge nonces with TTL
 = `_CHALLENGE_VALIDITY` (default 60m). Sized for 100k entries, which
 covers a ~25 RPS Intune fleet's steady-state. The same challenge
 submitted twice within the TTL is rejected with `ErrChallengeReplay`.
 **Per-device rate limit:** sliding-window-log limiter keyed by
 `(claim.Subject, claim.Issuer)`. Default 3 enrollments per 24h covers
 legitimate first-cert + recovery + post-wipe re-enrollment but blocks a
 compromised Connector signing key from issuing many DIFFERENT valid
 challenges for the same device. Set the var to `0` to disable.
 **Audit + observability:** Intune enrollments emit
 `audit_event.action="scep_pkcsreq_intune"` (or
 `"scep_renewalreq_intune"`) so operators can grep the audit log to count
 Intune-vs-static enrollments. Per-failure-mode reason flows into the log
 line; the metric label set is `success / signature_invalid / expired /
 not_yet_valid / wrong_audience / replay / rate_limited / claim_mismatch
 / unknown_version / malformed`.
 **Compliance-state hook (V3-Pro plug-in seam):** a nil-default
 `ComplianceCheck` field on `SCEPService` lets a future Pro module plug
 in a Microsoft Graph compliance API call between challenge validation
 and certificate issuance. V2 ships the seam (one struct field + one
 setter + one nil-guarded call site) so Pro is plug-in code, not a
 dispatcher refactor.
 **Mixed-mode (recommended):** keep `_CHALLENGE_PASSWORD` set even when
 Intune is enabled. Devices that don't go through Intune (manual
 enrollment, on-prem MDM bridges) continue to enroll via the static path;
 the dispatcher routes Intune-shaped challenges (length > 200 + exactly
 two dots) to the validator and falls through to the static compare
 otherwise.
 ### Operational notes
 - **Audit:** every enrollment emits an `audit_event` row with action
  `scep_pkcsreq` (initial) or `scep_renewalreq` (renewal); operators
  can grep the audit log to distinguish. Intune-dispatched enrollments
  use `scep_pkcsreq_intune` and `scep_renewalreq_intune` respectively.
 - **Body-size cap:** `http.MaxBytesReader` middleware caps request
  bodies at `CERTCTL_MAX_BODY_SIZE` (default 1MB); SCEP PKIMessages are
  typically <50KB so the default cap is generous.
 - **HTTPS-only:** the SCEP endpoint inherits the TLS-1.3-pinned control
  plane; there is no plaintext fallback.
 - **Forward reference:** for the deeper Intune integration writeup
  (architecture, migration playbook, troubleshooting,
  Microsoft-support-statement), see [`scep-intune.md`](scep-intune.md)
  (Phase 11 of the master bundle).
 ## Related docs
 - [`tls.md`](tls.md) — the certctl-internal TLS configuration (HTTPS-only
@@ -0,0 +1,190 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
 	"time"
 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/service"
 )
 // AdminSCEPIntuneService is the slice of the per-profile SCEPService set
 // the admin endpoint needs. The handler depends on this narrow interface
 // rather than the concrete *service.SCEPService set so wiring stays
 // service-side and the handler stays test-friendly.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 9.1.
 type AdminSCEPIntuneService interface {
 	// Stats returns one snapshot per configured SCEP profile (Intune-
 	// enabled or not). Profiles where Intune is disabled appear with
 	// Enabled=false so the GUI can show "off — opt in via env vars"
 	// rather than 404ing per-profile.
 	Stats(ctx context.Context, now time.Time) ([]service.IntuneStatsSnapshot, error)
 	// ReloadTrust triggers the SIGHUP-equivalent Reload on the named
 	// profile's trust holder. Returns ErrAdminSCEPProfileNotFound if
 	// the PathID isn't known, or ErrSCEPProfileIntuneDisabled if the
 	// profile exists but doesn't have Intune turned on, or the
 	// underlying parse error from intune.LoadTrustAnchor on a bad
 	// reload (the holder retains the OLD pool either way — the
 	// fail-safe is enforced one layer down).
 	ReloadTrust(ctx context.Context, pathID string) error
 }
 // ErrAdminSCEPProfileNotFound is returned by AdminSCEPIntuneService
 // implementations when the operator targets a PathID that doesn't map
 // to any configured profile. The handler maps this to HTTP 404.
 var ErrAdminSCEPProfileNotFound = errors.New("admin scep intune: profile not found for the given path_id")
 // AdminSCEPIntuneHandler serves the per-profile Intune observability
 // endpoints for the GUI Intune Monitoring tab.
 //
 // Endpoints:
 //
 //	GET  /api/v1/admin/scep/intune/stats
 //	POST /api/v1/admin/scep/intune/reload-trust   (JSON body: {"path_id": "corp"})
 //
 // Both endpoints are admin-gated (M-008 pattern). Non-admin Bearer
 // callers get 403 — the stats endpoint reveals the operator's profile
 // set + trust anchor expiries (sensitive operational metadata) and the
 // reload endpoint is a privileged action.
 type AdminSCEPIntuneHandler struct {
 	svc AdminSCEPIntuneService
 }
 // NewAdminSCEPIntuneHandler creates a new admin handler.
 func NewAdminSCEPIntuneHandler(svc AdminSCEPIntuneService) AdminSCEPIntuneHandler {
 	return AdminSCEPIntuneHandler{svc: svc}
 }
 // adminScepIntuneReloadRequest is the POST body shape for the reload-
 // trust endpoint. PathID="" targets the legacy /scep root profile (the
 // one with empty PathID), matching the convention used elsewhere in the
 // per-profile dispatch.
 type adminScepIntuneReloadRequest struct {
 	PathID string `json:"path_id"`
 }
 // Stats handles GET /api/v1/admin/scep/intune/stats.
 func (h AdminSCEPIntuneHandler) Stats(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
 	if !middleware.IsAdmin(r.Context()) {
 		Error(w, http.StatusForbidden, "Admin access required")
 		return
 	}
 	now := time.Now()
 	rows, err := h.svc.Stats(r.Context(), now)
 	if err != nil {
 		Error(w, http.StatusInternalServerError, "Failed to read SCEP Intune stats")
 		return
 	}
 	if rows == nil {
 		// Avoid serialising as `null` — the GUI expects an array.
 		rows = []service.IntuneStatsSnapshot{}
 	}
 	_ = JSON(w, http.StatusOK, map[string]any{
 		"profiles":      rows,
 		"profile_count": len(rows),
 		"generated_at":  now.UTC(),
 	})
 }
 // ReloadTrust handles POST /api/v1/admin/scep/intune/reload-trust.
 func (h AdminSCEPIntuneHandler) ReloadTrust(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
 	if !middleware.IsAdmin(r.Context()) {
 		Error(w, http.StatusForbidden, "Admin access required")
 		return
 	}
 	var body adminScepIntuneReloadRequest
 	// An empty body is permitted: it implicitly targets the legacy
 	// /scep root profile (PathID=""). Operators with multi-profile
 	// deploys MUST supply a path_id JSON field.
 	if r.ContentLength > 0 {
 		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
 			Error(w, http.StatusBadRequest, "Invalid JSON body: "+err.Error())
 			return
 		}
 	}
 	err := h.svc.ReloadTrust(r.Context(), body.PathID)
 	switch {
 	case err == nil:
 		_ = JSON(w, http.StatusOK, map[string]any{
 			"reloaded":    true,
 			"path_id":     body.PathID,
 			"reloaded_at": time.Now().UTC(),
 		})
 	case errors.Is(err, ErrAdminSCEPProfileNotFound):
 		Error(w, http.StatusNotFound, "SCEP profile not found for path_id="+body.PathID)
 	case errors.Is(err, service.ErrSCEPProfileIntuneDisabled):
 		// 409 Conflict: the profile exists but Intune isn't turned on,
 		// so there's no trust anchor to reload. Distinct from 404 so
 		// the operator can correct the request without re-checking the
 		// profile list.
 		Error(w, http.StatusConflict, "SCEP profile path_id="+body.PathID+" does not have Intune enabled")
 	default:
 		// Underlying intune.LoadTrustAnchor errors (parse failure,
 		// expired cert, missing file). The holder retains its previous
 		// pool — the operator's enrollments keep working off the old
 		// trust anchor while the operator fixes the file.
 		Error(w, http.StatusInternalServerError, "Trust anchor reload failed: "+err.Error())
 	}
 }
 // AdminSCEPIntuneServiceImpl is the production implementation of
 // AdminSCEPIntuneService. It walks the per-profile SCEPService set
 // supplied by the caller (cmd/server/main.go) and aggregates the
 // per-profile snapshots.
 //
 // Lives in the handler package because it's a thin handler-side
 // composition; the heavy lifting is the per-service IntuneStats /
 // ReloadIntuneTrust methods that already encapsulate the policy.
 type AdminSCEPIntuneServiceImpl struct {
 	// services is keyed by SCEP profile PathID (empty string = legacy
 	// /scep root). Built once at server startup; the slice/map shape
 	// matches the per-profile SCEPService construction loop in
 	// cmd/server/main.go.
 	services map[string]*service.SCEPService
 }
 // NewAdminSCEPIntuneServiceImpl constructs the handler-side service
 // from the per-profile SCEPService map built at startup.
 func NewAdminSCEPIntuneServiceImpl(services map[string]*service.SCEPService) *AdminSCEPIntuneServiceImpl {
 	if services == nil {
 		services = map[string]*service.SCEPService{}
 	}
 	return &AdminSCEPIntuneServiceImpl{services: services}
 }
 // Stats implements AdminSCEPIntuneService.
 func (s *AdminSCEPIntuneServiceImpl) Stats(_ context.Context, now time.Time) ([]service.IntuneStatsSnapshot, error) {
 	out := make([]service.IntuneStatsSnapshot, 0, len(s.services))
 	for _, svc := range s.services {
 		out = append(out, svc.IntuneStats(now))
 	}
 	return out, nil
 }
 // ReloadTrust implements AdminSCEPIntuneService.
 func (s *AdminSCEPIntuneServiceImpl) ReloadTrust(_ context.Context, pathID string) error {
 	svc, ok := s.services[pathID]
 	if !ok {
 		return ErrAdminSCEPProfileNotFound
 	}
 	return svc.ReloadIntuneTrust()
 }
 // Compile-time interface check.
 var _ AdminSCEPIntuneService = (*AdminSCEPIntuneServiceImpl)(nil)
@@ -0,0 +1,336 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"time"
 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/service"
 )
 // fakeAdminSCEPIntuneService is the test stub for AdminSCEPIntuneService.
 // Records call observations so the M-008 admin-gate triplet can pin
 // "service was never invoked" when the gate rejects the caller.
 type fakeAdminSCEPIntuneService struct {
 	statsCalled  bool
 	reloadCalled bool
 	rows         []service.IntuneStatsSnapshot
 	statsErr     error
 	reloadPathID string
 	reloadErr    error
 }
 func (f *fakeAdminSCEPIntuneService) Stats(_ context.Context, _ time.Time) ([]service.IntuneStatsSnapshot, error) {
 	f.statsCalled = true
 	return f.rows, f.statsErr
 }
 func (f *fakeAdminSCEPIntuneService) ReloadTrust(_ context.Context, pathID string) error {
 	f.reloadCalled = true
 	f.reloadPathID = pathID
 	return f.reloadErr
 }
 // =============================================================================
 // M-008 admin-gate triplet for Stats (GET).
 // =============================================================================
 func TestAdminSCEPIntune_NonAdmin_Returns403(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
 	req = req.WithContext(contextWithRequestID()) // request id only, no admin flag
 	w := httptest.NewRecorder()
 	h.Stats(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected 403 for non-admin, got %d (body=%q)", w.Code, w.Body.String())
 	}
 	var resp map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
 		t.Fatalf("decode response: %v", err)
 	}
 	msg, _ := resp["message"].(string)
 	if !strings.Contains(strings.ToLower(msg), "admin") {
 		t.Errorf("expected message to mention admin requirement, got %q", msg)
 	}
 	if svc.statsCalled {
 		t.Errorf("service was invoked despite non-admin caller — gate failed open")
 	}
 }
 func TestAdminSCEPIntune_AdminExplicitFalse_Returns403(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
 	ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Stats(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected 403 for admin=false, got %d", w.Code)
 	}
 	if svc.statsCalled {
 		t.Error("service called despite admin=false gate")
 	}
 }
 func TestAdminSCEPIntune_AdminPermitted_ForwardsActor(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{
 		rows: []service.IntuneStatsSnapshot{
 			{PathID: "corp", IssuerID: "iss-corp", Enabled: true},
 			{PathID: "iot", IssuerID: "iss-iot", Enabled: false},
 		},
 	}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
 	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
 	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Stats(w, req)
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected 200 for admin caller, got %d (body=%q)", w.Code, w.Body.String())
 	}
 	if !svc.statsCalled {
 		t.Fatal("service was not invoked for admin caller")
 	}
 	var resp map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
 		t.Fatalf("decode response: %v", err)
 	}
 	if pc, ok := resp["profile_count"].(float64); !ok || pc != 2 {
 		t.Errorf("profile_count = %v, want 2", resp["profile_count"])
 	}
 	if _, ok := resp["profiles"].([]any); !ok {
 		t.Errorf("profiles missing or wrong shape: %v", resp["profiles"])
 	}
 }
 // =============================================================================
 // M-008 triplet for ReloadTrust (POST).
 // =============================================================================
 func TestAdminSCEPIntuneReload_NonAdmin_Returns403(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(`{"path_id":"corp"}`))
 	req.ContentLength = int64(len(`{"path_id":"corp"}`))
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected 403 non-admin, got %d", w.Code)
 	}
 	if svc.reloadCalled {
 		t.Error("service called despite non-admin gate")
 	}
 }
 func TestAdminSCEPIntuneReload_AdminExplicitFalse_Returns403(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(`{"path_id":"corp"}`))
 	req.ContentLength = int64(len(`{"path_id":"corp"}`))
 	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, false)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected 403 admin=false, got %d", w.Code)
 	}
 	if svc.reloadCalled {
 		t.Error("service called despite admin=false gate")
 	}
 }
 func TestAdminSCEPIntuneReload_AdminPermitted_ForwardsActor(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	body := `{"path_id":"corp"}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(body))
 	req.ContentLength = int64(len(body))
 	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
 	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected 200, got %d (body=%q)", w.Code, w.Body.String())
 	}
 	if !svc.reloadCalled {
 		t.Fatal("reload was not invoked")
 	}
 	if svc.reloadPathID != "corp" {
 		t.Errorf("path_id forwarded = %q, want corp", svc.reloadPathID)
 	}
 	var resp map[string]any
 	_ = json.NewDecoder(w.Body).Decode(&resp)
 	if reloaded, _ := resp["reloaded"].(bool); !reloaded {
 		t.Errorf("response.reloaded = %v, want true", resp["reloaded"])
 	}
 }
 // =============================================================================
 // Endpoint behavior — method gates, error mapping, body parsing.
 // =============================================================================
 func TestAdminSCEPIntuneStats_RejectsNonGetMethod(t *testing.T) {
 	h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/stats", nil)
 	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Stats(w, req)
 	if w.Code != http.StatusMethodNotAllowed {
 		t.Errorf("expected 405 for POST, got %d", w.Code)
 	}
 }
 func TestAdminSCEPIntuneReload_RejectsNonPostMethod(t *testing.T) {
 	h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/reload-trust", nil)
 	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusMethodNotAllowed {
 		t.Errorf("expected 405 for GET, got %d", w.Code)
 	}
 }
 func TestAdminSCEPIntuneStats_PropagatesServiceError(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{statsErr: errors.New("registry walk failed")}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
 	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Stats(w, req)
 	if w.Code != http.StatusInternalServerError {
 		t.Errorf("expected 500 on service error, got %d", w.Code)
 	}
 }
 func TestAdminSCEPIntuneReload_ProfileNotFound_Returns404(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{reloadErr: ErrAdminSCEPProfileNotFound}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(`{"path_id":"nonexistent"}`))
 	req.ContentLength = int64(len(`{"path_id":"nonexistent"}`))
 	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusNotFound {
 		t.Errorf("expected 404 for unknown profile, got %d", w.Code)
 	}
 }
 func TestAdminSCEPIntuneReload_IntuneDisabled_Returns409(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{reloadErr: service.ErrSCEPProfileIntuneDisabled}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(`{"path_id":"iot"}`))
 	req.ContentLength = int64(len(`{"path_id":"iot"}`))
 	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusConflict {
 		t.Errorf("expected 409 for Intune-disabled profile, got %d", w.Code)
 	}
 }
 func TestAdminSCEPIntuneReload_BadReloadPropagates500(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{reloadErr: errors.New("trust anchor cert expired")}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(`{"path_id":"corp"}`))
 	req.ContentLength = int64(len(`{"path_id":"corp"}`))
 	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusInternalServerError {
 		t.Errorf("expected 500 on bad reload, got %d", w.Code)
 	}
 }
 func TestAdminSCEPIntuneReload_EmptyBodyTargetsLegacyRoot(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust", nil)
 	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusOK {
 		t.Errorf("expected 200 with empty body (legacy root path), got %d", w.Code)
 	}
 	if svc.reloadPathID != "" {
 		t.Errorf("empty body should target empty PathID; got %q", svc.reloadPathID)
 	}
 }
 func TestAdminSCEPIntuneReload_RejectsMalformedJSON(t *testing.T) {
 	h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
 	bad := `{not valid json`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(bad))
 	req.ContentLength = int64(len(bad))
 	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusBadRequest {
 		t.Errorf("expected 400 on malformed JSON, got %d", w.Code)
 	}
 }
 // =============================================================================
 // AdminSCEPIntuneServiceImpl — narrow integration with the per-profile map.
 // =============================================================================
 func TestAdminSCEPIntuneServiceImpl_NilMapReturnsEmpty(t *testing.T) {
 	impl := NewAdminSCEPIntuneServiceImpl(nil)
 	rows, err := impl.Stats(context.Background(), time.Now())
 	if err != nil {
 		t.Fatalf("nil-map Stats: %v", err)
 	}
 	if len(rows) != 0 {
 		t.Errorf("nil-map Stats len=%d, want 0", len(rows))
 	}
 }
 func TestAdminSCEPIntuneServiceImpl_ReloadUnknownPathReturnsNotFound(t *testing.T) {
 	impl := NewAdminSCEPIntuneServiceImpl(map[string]*service.SCEPService{})
 	if err := impl.ReloadTrust(context.Background(), "nope"); !errors.Is(err, ErrAdminSCEPProfileNotFound) {
 		t.Errorf("ReloadTrust unknown = %v, want ErrAdminSCEPProfileNotFound", err)
 	}
 }
@@ -35,8 +35,9 @@ import (
 // the gate exists. health.go is an INFORMATIONAL caller of IsAdmin (it
 // surfaces the flag to the GUI but does not gate) — explicitly excluded.
 var AdminGatedHandlers = map[string]string{
-	"bulk_revocation.go": "M-003: bulk revocation is fleet-scale destructive — admin-only",
+	"bulk_revocation.go":     "M-003: bulk revocation is fleet-scale destructive — admin-only",
-	"admin_crl_cache.go": "CRL/OCSP-Responder Phase 5: cache state reveals issuer set + CRL cadence — admin-only",
+	"admin_crl_cache.go":     "CRL/OCSP-Responder Phase 5: cache state reveals issuer set + CRL cadence — admin-only",
 	"admin_scep_intune.go":   "SCEP RFC 8894 + Intune master bundle Phase 9.2: stats endpoint reveals per-profile trust anchor expiries + reload-trust is a privileged action — admin-only",
 }
 // InformationalIsAdminCallers is the documented allowlist of files that
@@ -2,6 +2,7 @@ package handler
 import (
 	"context"
 	"crypto"
 	"crypto/x509"
 	"encoding/asn1"
 	"encoding/base64"
@@ -27,7 +28,30 @@ type SCEPService interface {
 	GetCACert(ctx context.Context) (string, error)
 	// PKCSReq processes a PKCS#10 CSR and returns a signed certificate.
 	// Used by the MVP raw-CSR fall-through path; preserved unchanged for
 	// backward compat with lightweight SCEP clients.
 	PKCSReq(ctx context.Context, csrPEM string, challengePassword string, transactionID string) (*domain.SCEPEnrollResult, error)
 	// PKCSReqWithEnvelope processes a SCEP PKCSReq from the RFC 8894 path
 	// (the handler successfully parsed an EnvelopedData + signerInfo POPO).
 	// Returns *SCEPResponseEnvelope (not error + *SCEPEnrollResult) because
 	// RFC 8894 §3.3 mandates a CertRep PKIMessage on every response, even
 	// failures. Returns nil to signal 'invalid challenge password' (caller
 	// translates to HTTP 403, matching the MVP path's wire shape).
 	PKCSReqWithEnvelope(ctx context.Context, csrPEM string, challengePassword string, envelope *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope
 	// RenewalReqWithEnvelope processes a SCEP RenewalReq (RFC 8894 §3.3.1.2)
 	// from the RFC 8894 path. Same contract as PKCSReqWithEnvelope but the
 	// service additionally verifies that envelope.SignerCert chains to the
 	// issuer's CA — RenewalReq requires a previously-issued cert as POPO.
 	RenewalReqWithEnvelope(ctx context.Context, csrPEM string, challengePassword string, envelope *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope
 	// GetCertInitialWithEnvelope handles SCEP polling requests (RFC 8894
 	// §3.3.3). The v1 implementation always returns FAILURE+badCertID
 	// because deferred-issuance isn't supported (every PKCSReq either
 	// succeeds or fails synchronously); wiring is in place for a future
 	// 'queue for manual approval' workflow.
 	GetCertInitialWithEnvelope(ctx context.Context, envelope *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope
 }
 // SCEPHandler handles HTTP requests for the SCEP protocol (RFC 8894).
@@ -39,15 +63,110 @@ type SCEPService interface {
 //   - GET  ?operation=GetCACaps    — server capabilities
 //   - GET  ?operation=GetCACert    — CA certificate distribution
 //   - POST ?operation=PKIOperation — certificate enrollment (PKCSReq)
 //
 // SCEP RFC 8894 + Intune master bundle Phase 2.3: SCEPHandler now optionally
 // carries an RA cert + key pair. When set, the handler tries the new RFC 8894
 // PKIMessage path FIRST (parse SignedData → verify POPO → decrypt EnvelopedData).
 // On any parse failure it falls through to the legacy MVP raw-CSR path (preserves
 // backward compat with lightweight SCEP clients). When RA pair is unset, the
 // handler runs MVP-only (the v2.0.x behavior).
 type SCEPHandler struct {
-	svc SCEPService
+	svc    SCEPService
 	raCert *x509.Certificate // RFC 8894 path: RA cert clients encrypt CSR to
 	raKey  crypto.PrivateKey // RFC 8894 path: RA key for EnvelopedData decrypt + CertRep signing
 	// SCEP RFC 8894 + Intune master bundle Phase 6.5: per-profile mTLS
 	// trust bundle. When set, HandleSCEPMTLS verifies the inbound client
 	// cert chain against this pool. Nil when the profile has MTLSEnabled=false
 	// — HandleSCEPMTLS rejects unconditionally in that case (the route
 	// shouldn't even be registered, but defense in depth).
 	mtlsTrustPool *x509.CertPool
 }
-// NewSCEPHandler creates a new SCEPHandler.
+// NewSCEPHandler creates a new SCEPHandler with the legacy MVP-only behavior.
 // SetRAPair below upgrades the handler to the RFC 8894 path; that's the route
 // cmd/server/main.go takes when the operator supplies CERTCTL_SCEP_RA_*.
 func NewSCEPHandler(svc SCEPService) SCEPHandler {
 	return SCEPHandler{svc: svc}
 }
 // SetRAPair injects the RA cert + key the RFC 8894 path needs. Called by
 // cmd/server/main.go after the per-profile preflight gate validates the pair.
 // Without this call the handler runs MVP-only (the legacy v2.0.x behavior).
 func (h *SCEPHandler) SetRAPair(raCert *x509.Certificate, raKey crypto.PrivateKey) {
 	h.raCert = raCert
 	h.raKey = raKey
 }
 // SetMTLSTrustPool injects the per-profile client-cert trust pool the
 // `/scep-mtls/<PathID>` sibling route uses to verify inbound device
 // bootstrap certs. SCEP RFC 8894 + Intune master bundle Phase 6.5.
 //
 // The TLS layer (cmd/server/main.go::buildServerTLSConfig) uses
 // VerifyClientCertIfGiven against the UNION of every enabled mTLS
 // profile's bundle, so the same TLS listener serves both /scep
 // (challenge-password-only) and /scep-mtls/<PathID> (cert + challenge).
 // The per-profile gate at the handler layer enforces 'cert must chain to
 // THIS profile's bundle' so a cert that chains to profile A's bundle
 // cannot enroll against profile B even though it passed the TLS layer.
 func (h *SCEPHandler) SetMTLSTrustPool(pool *x509.CertPool) {
 	h.mtlsTrustPool = pool
 }
 // HandleSCEPMTLS is the entry point for the `/scep-mtls/<PathID>` sibling
 // route. SCEP RFC 8894 + Intune master bundle Phase 6.5.
 //
 // Gates on the inbound client cert chain — the request must:
 //
 //  1. Carry a TLS connection (r.TLS != nil) — defense in depth even
 //     though the HTTPS-only listener guarantees this.
 //  2. Have presented a peer cert (len(r.TLS.PeerCertificates) > 0) — the
 //     listener uses VerifyClientCertIfGiven, so a missing cert is a
 //     legitimate failure here, not a TLS error.
 //  3. The peer cert chain must verify against THIS profile's trust pool
 //     (h.mtlsTrustPool). The TLS layer verified against the union pool
 //     of all mTLS profiles, but a cert that chains to profile A cannot
 //     enroll against profile B — verify per-profile here.
 //
 // Failures return HTTP 401 (Unauthorized — mTLS failure is authentication,
 // not authorization). On success the call delegates to HandleSCEP — the
 // challenge-password gate still fires (defense in depth: mTLS is additive,
 // not replacement).
 func (h SCEPHandler) HandleSCEPMTLS(w http.ResponseWriter, r *http.Request) {
 	if h.mtlsTrustPool == nil {
 		// Profile is misconfigured — handler registered for /scep-mtls but
 		// SetMTLSTrustPool was never called. The startup preflight should
 		// have caught this; surfacing as 500 makes the deploy bug loud.
 		ErrorWithRequestID(w, http.StatusInternalServerError, "mTLS handler missing trust pool", middleware.GetRequestID(r.Context()))
 		return
 	}
 	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
 		// Client didn't present a cert. With VerifyClientCertIfGiven the
 		// TLS handshake completes anyway — the per-profile gate enforces
 		// 'cert required' at the application layer.
 		ErrorWithRequestID(w, http.StatusUnauthorized, "Client certificate required for /scep-mtls", middleware.GetRequestID(r.Context()))
 		return
 	}
 	leaf := r.TLS.PeerCertificates[0]
 	intermediates := x509.NewCertPool()
 	for _, c := range r.TLS.PeerCertificates[1:] {
 		intermediates.AddCert(c)
 	}
 	if _, err := leaf.Verify(x509.VerifyOptions{
 		Roots:         h.mtlsTrustPool,
 		Intermediates: intermediates,
 		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageAny},
 	}); err != nil {
 		ErrorWithRequestID(w, http.StatusUnauthorized, "Client certificate not trusted by this profile", middleware.GetRequestID(r.Context()))
 		return
 	}
 	// Defense in depth — mTLS is ADDITIVE. The request still flows through
 	// HandleSCEP which enforces the challenge-password gate at the service
 	// layer. A stolen device cert without the matching challenge password
 	// still gets rejected (and vice versa).
 	h.HandleSCEP(w, r)
 }
 // HandleSCEP is the single entry point for all SCEP operations.
 // It dispatches based on the "operation" query parameter.
 func (h SCEPHandler) HandleSCEP(w http.ResponseWriter, r *http.Request) {
@@ -125,6 +244,22 @@ func (h SCEPHandler) getCACert(w http.ResponseWriter, r *http.Request) {
 // pkiOperation handles POST ?operation=PKIOperation
 // Processes a SCEP enrollment request containing a PKCS#7-wrapped CSR.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 2.3: this handler tries the
 // new RFC 8894 PKIMessage path FIRST (parse outer SignedData → verify
 // signerInfo POPO → extract authenticatedAttributes → decrypt EnvelopedData
 // to recover the inner CSR). On any parse failure it falls through to the
 // legacy MVP raw-CSR path (extractCSRFromPKCS7). The MVP path stays
 // unchanged for backward compat with lightweight SCEP clients.
 //
 // Path selection rules:
 //   - h.raCert / h.raKey unset → MVP-only (legacy v2.0.x behavior, never tries RFC 8894)
 //   - RA pair set + RFC 8894 parse succeeds → RFC 8894 path (CertRep PKIMessage response)
 //   - RA pair set + RFC 8894 parse fails → MVP fall-through (degenerate certs-only response)
 //
 // The Phase 3 commit will replace the MVP-fall-through writeSCEPResponse
 // with writeCertRepPKIMessage for the RFC 8894 path; the MVP path keeps
 // using writeSCEPResponse so lightweight clients see no behavior change.
 func (h SCEPHandler) pkiOperation(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
 		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
@@ -145,7 +280,67 @@ func (h SCEPHandler) pkiOperation(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	// Extract the PKCS#10 CSR from the PKCS#7 SignedData envelope
+	// Try the RFC 8894 path first when an RA pair is configured. On any
 	// parse failure we fall through to the MVP path silently — that's the
 	// backward-compat contract for lightweight clients.
 	if h.raCert != nil && h.raKey != nil {
 		if envelope, csrPEM, challengePassword, ok := h.tryParseRFC8894(body); ok {
 			// SCEP RFC 8894 + Intune master bundle Phase 4.1: dispatch on
 			// the parsed messageType. PKCSReq + RenewalReq exercise the
 			// full enrollment pipeline (different audit actions + chain
 			// validation for renewal); GetCertInitial is the polling
 			// shape (v1 stub returns badCertID since deferred-issuance
 			// isn't supported); unknown messageType returns CertRep with
 			// FAILURE+badRequest per RFC 8894 §3.3.2.2.
 			var resp *domain.SCEPResponseEnvelope
 			switch envelope.MessageType {
 			case domain.SCEPMessageTypePKCSReq:
 				resp = h.svc.PKCSReqWithEnvelope(r.Context(), csrPEM, challengePassword, envelope)
 			case domain.SCEPMessageTypeRenewalReq:
 				resp = h.svc.RenewalReqWithEnvelope(r.Context(), csrPEM, challengePassword, envelope)
 			case domain.SCEPMessageTypeGetCertInitial:
 				resp = h.svc.GetCertInitialWithEnvelope(r.Context(), envelope)
 			default:
 				// Unknown messageType — emit a CertRep+FAILURE so the
 				// client sees a structured response rather than a vague
 				// 400. RFC 8894 §3.2.1.4.1 enumerates the valid types;
 				// anything else is a malformed client.
 				resp = &domain.SCEPResponseEnvelope{
 					Status:         domain.SCEPStatusFailure,
 					FailInfo:       domain.SCEPFailBadRequest,
 					TransactionID:  envelope.TransactionID,
 					RecipientNonce: envelope.SenderNonce,
 				}
 			}
 			if resp == nil {
 				// nil signals 'invalid challenge password' from the
 				// service layer (only PKCSReq + RenewalReq paths can
 				// return nil — GetCertInitial always returns a
 				// CertRep). RFC 8894 §3.3.1 is silent on whether to
 				// return a CertRep or an HTTP error for the wrong-
 				// password case; we mirror the MVP path's HTTP 403
 				// wire shape so the client sees a clear auth failure
 				// rather than trying to interpret a structurally-valid
 				// CertRep+failInfo (which conflates 'wrong secret'
 				// with 'wrong CSR shape').
 				ErrorWithRequestID(w, http.StatusForbidden, "Invalid challenge password", requestID)
 				return
 			}
 			// SCEP RFC 8894 Phase 3.2: emit CertRep PKIMessage for both
 			// success AND failure paths (RFC 8894 §3.3 mandates a
 			// PKIMessage response on every PKIOperation request, including
 			// failures). The MVP path keeps using writeSCEPResponse —
 			// that's the legacy certs-only response shape lightweight
 			// clients understand.
 			h.writeCertRepPKIMessage(w, r, envelope, resp)
 			return
 		}
 		// RFC 8894 parse failed — fall through to the MVP path.
 	}
 	// MVP path: extract the PKCS#10 CSR from the PKCS#7 SignedData envelope
 	// using the legacy parser. This is what lightweight clients (raw-CSR-
 	// inside-SignedData, or even bare CSRs in some cases) hit.
 	csrDER, challengePassword, transactionID, err := extractCSRFromPKCS7(body)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusBadRequest, fmt.Sprintf("Invalid SCEP message: %v", err), requestID)
@@ -183,6 +378,134 @@ func (h SCEPHandler) pkiOperation(w http.ResponseWriter, r *http.Request) {
 	h.writeSCEPResponse(w, result)
 }
 // tryParseRFC8894 attempts to parse the request body as an RFC 8894 SCEP
 // PKIMessage:
 //  1. Parse outer SignedData; pluck the device's transient signing cert.
 //  2. Verify the signerInfo signature (POPO over auth-attrs).
 //  3. Extract messageType / transactionID / senderNonce auth-attrs.
 //  4. The encapContent is the inner pkcsPKIEnvelope (an EnvelopedData);
 //     decrypt it with h.raKey to recover the PKCS#10 CSR DER.
 //  5. Parse the CSR + extract the challengePassword attribute (RFC 2985
 //     §5.4.1) so the service-layer's challenge-password gate can run.
 //  6. PEM-encode the CSR for the service layer.
 //
 // Returns (envelope, csrPEM, challengePassword, true) on success;
 // (nil, "", "", false) on any parse / verify / decrypt failure. The
 // handler treats false as 'fall through to MVP path' so lightweight
 // clients keep working.
 func (h SCEPHandler) tryParseRFC8894(body []byte) (*domain.SCEPRequestEnvelope, string, string, bool) {
 	sd, err := pkcs7.ParseSignedData(body)
 	if err != nil {
 		return nil, "", "", false
 	}
 	if len(sd.SignerInfos) == 0 {
 		return nil, "", "", false
 	}
 	si := sd.SignerInfos[0]
 	if err := si.VerifySignature(); err != nil {
 		return nil, "", "", false
 	}
 	mt, err := si.GetMessageType()
 	if err != nil {
 		return nil, "", "", false
 	}
 	tid, err := si.GetTransactionID()
 	if err != nil {
 		return nil, "", "", false
 	}
 	nonce, err := si.GetSenderNonce()
 	if err != nil {
 		// senderNonce is optional in some clients; treat missing as empty.
 		nonce = nil
 	}
 	// EncapContent is the inner pkcsPKIEnvelope (EnvelopedData). Parse +
 	// decrypt with the RA key.
 	if len(sd.EncapContent) == 0 {
 		return nil, "", "", false
 	}
 	env, err := pkcs7.ParseEnvelopedData(sd.EncapContent)
 	if err != nil {
 		return nil, "", "", false
 	}
 	csrDER, err := env.Decrypt(h.raKey, h.raCert)
 	if err != nil {
 		return nil, "", "", false
 	}
 	// Verify the recovered bytes really are a CSR. If not, fall through.
 	csr, err := x509.ParseCertificateRequest(csrDER)
 	if err != nil {
 		return nil, "", "", false
 	}
 	// Extract the challengePassword attribute (RFC 2985 §5.4.1). Empty
 	// when missing; the service-layer gate then refuses with 'invalid
 	// challenge password' (correct behavior for clients that omit the
 	// auth attribute).
 	challengePassword := extractChallengePasswordFromCSR(csr)
 	csrPEM := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER}))
 	envelope := &domain.SCEPRequestEnvelope{
 		MessageType:   mt,
 		TransactionID: tid,
 		SenderNonce:   nonce,
 		SignerCert:    si.SignerCert.Raw,
 	}
 	return envelope, csrPEM, challengePassword, true
 }
 // extractChallengePasswordFromCSR walks the parsed CSR's attributes for
 // the RFC 2985 §5.4.1 challengePassword (OID 1.2.840.113549.1.9.7).
 // Returns empty string when missing.
 //
 // SA1019 carve-out: csr.Attributes is deprecated by Go's stdlib for the
 // requestedExtensions attribute, but RFC 2985 challengePassword (OID
 // 1.2.840.113549.1.9.7) is a SEPARATE CSR attribute that cannot be
 // retrieved via csr.Extensions. There is no non-deprecated stdlib API
 // for it; the same `lint:ignore SA1019` line precedent set by
 // extractCSRFields applies here.
 func extractChallengePasswordFromCSR(csr *x509.CertificateRequest) string {
 	oidChallengePassword := asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
 	//lint:ignore SA1019 RFC 2985 challengePassword has no non-deprecated stdlib API; see extractCSRFields docblock for the M-028 audit closure rationale.
 	for _, attr := range csr.Attributes {
 		if attr.Type.Equal(oidChallengePassword) {
 			if len(attr.Value) > 0 && len(attr.Value[0]) > 0 {
 				if pwd, ok := attr.Value[0][0].Value.(string); ok {
 					return pwd
 				}
 			}
 		}
 	}
 	return ""
 }
 // writeCertRepPKIMessage builds and writes a SCEP CertRep PKIMessage as
 // the response to a PKIOperation request that was successfully parsed
 // via the RFC 8894 path.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 3.2.
 //
 // Both success AND failure responses go through here — RFC 8894 §3.3
 // mandates a PKIMessage response on every PKIOperation request, with
 // pkiStatus + (on failure) failInfo signaling the outcome to the client.
 //
 // On failure to BUILD the response (a programmer / config bug — e.g. a
 // device cert that's not RSA), we return HTTP 500 rather than try to
 // construct a fallback PKIMessage that might re-trigger the same bug.
 // Operators see a clear failure log + the request fails loud, which is
 // preferable to silently emitting a half-built response.
 func (h SCEPHandler) writeCertRepPKIMessage(w http.ResponseWriter, r *http.Request, req *domain.SCEPRequestEnvelope, resp *domain.SCEPResponseEnvelope) {
 	pkiMessageDER, err := pkcs7.BuildCertRepPKIMessage(req, resp, h.raCert, h.raKey)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, fmt.Sprintf("Failed to build CertRep PKIMessage: %v", err), middleware.GetRequestID(r.Context()))
 		return
 	}
 	w.Header().Set("Content-Type", "application/x-pki-message")
 	w.WriteHeader(http.StatusOK)
 	_, _ = w.Write(pkiMessageDER)
 }
 // silence unused-import warning if some narrow build excludes the path
 // where crypto.PrivateKey is used (the RA key field above).
 var _ crypto.PrivateKey = (*interface{})(nil)
 // writeSCEPResponse writes a SCEP enrollment response as PKCS#7 certs-only (DER).
 func (h SCEPHandler) writeSCEPResponse(w http.ResponseWriter, result *domain.SCEPEnrollResult) {
 	var derCerts [][]byte
@@ -0,0 +1,703 @@
 package handler
 import (
 	"bytes"
 	"context"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/des" //nolint:gosec // RFC 8894 §3.5.2 legacy fallback for backward-compat test
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/pem"
 	"io"
 	"math/big"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/pkcs7"
 )
 // SCEP RFC 8894 + Intune master bundle Phase 5.2: ChromeOS-shape integration
 // tests for the SCEP handler's full RFC 8894 path.
 //
 // Each test builds a real PKIMessage (acting as the ChromeOS client),
 // POSTs it through the handler, and verifies the response. The "client"
 // is built from primitives in internal/pkcs7/ — the same builders the
 // handler uses on the response side. This is intentional: if the handler
 // regresses, the client builder might also regress, and the E2E would
 // pass anyway (false negative). The mitigation: round-trip property
 // tests in internal/pkcs7/ assert Build/Parse symmetry independently,
 // and the handler-side tests focus on the dispatch + status-code wire
 // shape rather than the bytes themselves.
 // chromeOSStackFixture holds the materials needed for an end-to-end
 // ChromeOS SCEP test: an issuer + RA pair (server side), a transient
 // device cert (client side), and a constructed SCEPHandler.
 type chromeOSStackFixture struct {
 	raKey      *rsa.PrivateKey
 	raCert     *x509.Certificate
 	deviceKey  *rsa.PrivateKey
 	deviceCert *x509.Certificate
 	handler    SCEPHandler
 	svc        *chromeOSMockSCEPService
 }
 // chromeOSMockSCEPService is the per-test SCEPService implementation used
 // by these E2E tests. Records the last call's envelope + CSR for assertion.
 type chromeOSMockSCEPService struct {
 	caCertPEM              string
 	pkcsReqEnvelope        *domain.SCEPRequestEnvelope
 	pkcsReqCSRPEM          string
 	pkcsReqChallenge       string
 	renewalReqEnvelope     *domain.SCEPRequestEnvelope
 	renewalReqCSRPEM       string
 	getCertInitialEnvelope *domain.SCEPRequestEnvelope
 	enrollResult           *domain.SCEPEnrollResult
 	failChallenge          bool
 }
 func (m *chromeOSMockSCEPService) GetCACaps(_ context.Context) string {
 	return "POSTPKIOperation\nSHA-256\nSHA-512\nAES\nSCEPStandard\nRenewal\n"
 }
 func (m *chromeOSMockSCEPService) GetCACert(_ context.Context) (string, error) {
 	return m.caCertPEM, nil
 }
 func (m *chromeOSMockSCEPService) PKCSReq(_ context.Context, _, _, _ string) (*domain.SCEPEnrollResult, error) {
 	return m.enrollResult, nil
 }
 func (m *chromeOSMockSCEPService) PKCSReqWithEnvelope(_ context.Context, csrPEM, challengePassword string, env *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope {
 	m.pkcsReqEnvelope = env
 	m.pkcsReqCSRPEM = csrPEM
 	m.pkcsReqChallenge = challengePassword
 	if m.failChallenge {
 		return nil
 	}
 	return &domain.SCEPResponseEnvelope{
 		Status:         domain.SCEPStatusSuccess,
 		Result:         m.enrollResult,
 		TransactionID:  env.TransactionID,
 		RecipientNonce: env.SenderNonce,
 	}
 }
 func (m *chromeOSMockSCEPService) RenewalReqWithEnvelope(_ context.Context, csrPEM, _ string, env *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope {
 	m.renewalReqEnvelope = env
 	m.renewalReqCSRPEM = csrPEM
 	return &domain.SCEPResponseEnvelope{
 		Status:         domain.SCEPStatusSuccess,
 		Result:         m.enrollResult,
 		TransactionID:  env.TransactionID,
 		RecipientNonce: env.SenderNonce,
 	}
 }
 func (m *chromeOSMockSCEPService) GetCertInitialWithEnvelope(_ context.Context, env *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope {
 	m.getCertInitialEnvelope = env
 	return &domain.SCEPResponseEnvelope{
 		Status:         domain.SCEPStatusFailure,
 		FailInfo:       domain.SCEPFailBadCertID,
 		TransactionID:  env.TransactionID,
 		RecipientNonce: env.SenderNonce,
 	}
 }
 // newChromeOSStackFixture wires up an RA pair + device cert + handler with
 // an enroll-result fixture so the test can POST a PKIMessage and verify the
 // CertRep response.
 func newChromeOSStackFixture(t *testing.T) *chromeOSStackFixture {
 	t.Helper()
 	raKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatalf("rsa.GenerateKey RA: %v", err)
 	}
 	raCert := selfSignedRSACert(t, raKey, "ra-test")
 	deviceKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatalf("rsa.GenerateKey device: %v", err)
 	}
 	deviceCert := selfSignedRSACert(t, deviceKey, "device-transient")
 	svc := &chromeOSMockSCEPService{
 		enrollResult: &domain.SCEPEnrollResult{
 			CertPEM: pemEncodeCert(selfSignedRSACertRaw(t, deviceKey, "issued.example.com")),
 		},
 	}
 	handler := NewSCEPHandler(svc)
 	handler.SetRAPair(raCert, raKey)
 	return &chromeOSStackFixture{
 		raKey:      raKey,
 		raCert:     raCert,
 		deviceKey:  deviceKey,
 		deviceCert: deviceCert,
 		handler:    handler,
 		svc:        svc,
 	}
 }
 // TestSCEPHandler_ChromeOSPKIMessage_E2E exercises the full RFC 8894 path:
 // build a PKIMessage shaped like ChromeOS sends (SignedData wrapping
 // EnvelopedData wrapping a CSR, with signerInfo POPO over auth attrs);
 // POST through the handler; verify the response is a valid CertRep
 // PKIMessage with the issued cert encrypted to the test's transient pubkey.
 func TestSCEPHandler_ChromeOSPKIMessage_E2E(t *testing.T) {
 	fix := newChromeOSStackFixture(t)
 	pkiMessage := buildChromeOSStylePKIMessage(t, fix, domain.SCEPMessageTypePKCSReq, "txn-chromeos-e2e", "shared-secret-123", "device-cert.example.com", aesKeyForOID(pkcs7.OIDAES256CBC))
 	w, body := postPKIOperation(t, fix.handler, pkiMessage)
 	if w.Code != http.StatusOK {
 		t.Fatalf("POST PKIOperation: got %d, want 200 (body=%q)", w.Code, body)
 	}
 	if got := w.Header().Get("Content-Type"); got != "application/x-pki-message" {
 		t.Errorf("Content-Type = %q, want application/x-pki-message", got)
 	}
 	if fix.svc.pkcsReqEnvelope == nil {
 		t.Fatal("PKCSReqWithEnvelope was not called — handler skipped RFC 8894 path?")
 	}
 	if fix.svc.pkcsReqEnvelope.TransactionID != "txn-chromeos-e2e" {
 		t.Errorf("envelope.TransactionID = %q, want txn-chromeos-e2e", fix.svc.pkcsReqEnvelope.TransactionID)
 	}
 	if fix.svc.pkcsReqChallenge != "shared-secret-123" {
 		t.Errorf("challengePassword = %q, want shared-secret-123", fix.svc.pkcsReqChallenge)
 	}
 	// Parse the CertRep back via the same builders the handler emits.
 	certRep, err := pkcs7.ParseSignedData(body)
 	if err != nil {
 		t.Fatalf("ParseSignedData(CertRep response): %v", err)
 	}
 	if len(certRep.SignerInfos) != 1 {
 		t.Fatalf("CertRep has %d signers, want 1", len(certRep.SignerInfos))
 	}
 	if err := certRep.SignerInfos[0].VerifySignature(); err != nil {
 		t.Errorf("CertRep RA signature invalid: %v", err)
 	}
 }
 // TestSCEPHandler_ChromeOSPKIMessage_RenewalReq exercises RenewalReq
 // dispatch — the handler should route to RenewalReqWithEnvelope based on
 // the messageType auth-attr.
 func TestSCEPHandler_ChromeOSPKIMessage_RenewalReq(t *testing.T) {
 	fix := newChromeOSStackFixture(t)
 	pkiMessage := buildChromeOSStylePKIMessage(t, fix, domain.SCEPMessageTypeRenewalReq, "txn-renewal-1", "shared-secret-123", "renewal.example.com", aesKeyForOID(pkcs7.OIDAES256CBC))
 	w, _ := postPKIOperation(t, fix.handler, pkiMessage)
 	if w.Code != http.StatusOK {
 		t.Fatalf("POST PKIOperation (renewal): got %d, want 200", w.Code)
 	}
 	if fix.svc.renewalReqEnvelope == nil {
 		t.Fatal("RenewalReqWithEnvelope was not called — dispatch missed messageType=17")
 	}
 	if fix.svc.pkcsReqEnvelope != nil {
 		t.Errorf("PKCSReqWithEnvelope was called for a RenewalReq messageType — wrong dispatch")
 	}
 }
 // TestSCEPHandler_ChromeOSPKIMessage_GetCertInitial exercises the polling
 // path. v1 always returns FAILURE+badCertID; this test asserts that's what
 // ChromeOS sees when it polls.
 func TestSCEPHandler_ChromeOSPKIMessage_GetCertInitial(t *testing.T) {
 	fix := newChromeOSStackFixture(t)
 	pkiMessage := buildChromeOSStylePKIMessage(t, fix, domain.SCEPMessageTypeGetCertInitial, "txn-poll-1", "shared-secret-123", "poll.example.com", aesKeyForOID(pkcs7.OIDAES256CBC))
 	w, body := postPKIOperation(t, fix.handler, pkiMessage)
 	if w.Code != http.StatusOK {
 		t.Fatalf("POST PKIOperation (poll): got %d, want 200 (body=%q)", w.Code, body)
 	}
 	if fix.svc.getCertInitialEnvelope == nil {
 		t.Fatal("GetCertInitialWithEnvelope was not called — dispatch missed messageType=20")
 	}
 	// The response should be a CertRep with pkiStatus=2 (FAILURE) +
 	// failInfo=4 (badCertID).
 	certRep, err := pkcs7.ParseSignedData(body)
 	if err != nil {
 		t.Fatalf("ParseSignedData: %v", err)
 	}
 	if len(certRep.SignerInfos) == 0 {
 		t.Fatal("CertRep has no signerInfos")
 	}
 	si := certRep.SignerInfos[0]
 	statusRV, ok := si.AuthAttributes[pkcs7.OIDSCEPPKIStatus.String()]
 	if !ok {
 		t.Fatal("CertRep missing pkiStatus auth-attr")
 	}
 	statusStr := decodeFirstSetMember(t, statusRV)
 	if statusStr != string(domain.SCEPStatusFailure) {
 		t.Errorf("pkiStatus = %q, want %q (FAILURE)", statusStr, domain.SCEPStatusFailure)
 	}
 }
 // TestSCEPHandler_ChromeOSPKIMessage_BadPOPO builds a PKIMessage with the
 // signerInfo signature corrupted; expects the handler to fall through to
 // the MVP path (the RFC 8894 verifier rejects the message, and the MVP
 // path also rejects it because the encrypted EnvelopedData isn't a raw
 // CSR). Result: HTTP 400 with a clear error message.
 func TestSCEPHandler_ChromeOSPKIMessage_BadPOPO(t *testing.T) {
 	fix := newChromeOSStackFixture(t)
 	pkiMessage := buildChromeOSStylePKIMessage(t, fix, domain.SCEPMessageTypePKCSReq, "txn-bad-popo", "shared-secret-123", "bad.example.com", aesKeyForOID(pkcs7.OIDAES256CBC))
 	// Tamper with the LAST byte of the message (which lands inside the
 	// signature OCTET STRING for a non-trivial chance of corrupting the
 	// signature without breaking the outer DER framing).
 	pkiMessage[len(pkiMessage)-1] ^= 0xff
 	w, _ := postPKIOperation(t, fix.handler, pkiMessage)
 	if w.Code != http.StatusBadRequest && w.Code != http.StatusOK {
 		t.Errorf("POST PKIOperation (bad POPO): got %d, want 400 (MVP fall-through rejection) or 200 (CertRep+failInfo)", w.Code)
 	}
 	if fix.svc.pkcsReqEnvelope != nil {
 		t.Errorf("PKCSReqWithEnvelope was called despite invalid signerInfo signature — POPO check failed open")
 	}
 }
 // TestSCEPHandler_ChromeOSPKIMessage_AESVariants exercises AES-128, 192,
 // and 256-CBC. ChromeOS picks based on the GetCACaps response; verify
 // all three round-trip correctly.
 func TestSCEPHandler_ChromeOSPKIMessage_AESVariants(t *testing.T) {
 	cases := []struct {
 		name string
 		oid  asn1.ObjectIdentifier
 	}{
 		{"AES-128-CBC", pkcs7.OIDAES128CBC},
 		{"AES-192-CBC", pkcs7.OIDAES192CBC},
 		{"AES-256-CBC", pkcs7.OIDAES256CBC},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			fix := newChromeOSStackFixture(t)
 			pkiMessage := buildChromeOSStylePKIMessage(t, fix, domain.SCEPMessageTypePKCSReq, "txn-aes-"+tc.name, "shared-secret-123", "aes.example.com", aesKeyForOID(tc.oid))
 			pkiMessage = withContentEncryptionOID(t, pkiMessage, fix, tc.oid, aesKeyForOID(tc.oid))
 			w, body := postPKIOperation(t, fix.handler, pkiMessage)
 			if w.Code != http.StatusOK {
 				t.Fatalf("POST PKIOperation (%s): got %d, want 200 (body=%q)", tc.name, w.Code, body)
 			}
 		})
 	}
 }
 // TestSCEPHandler_MVPCompat_StillWorks asserts the existing MVP path (raw
 // CSR inside a stripped SignedData, no EnvelopedData) STILL works for
 // backward compat with lightweight clients.
 func TestSCEPHandler_MVPCompat_StillWorks(t *testing.T) {
 	// Build an MVP-shape request: a SignedData whose encapContent is a
 	// raw CSR (no EnvelopedData wrapper). The legacy handler path
 	// extractCSRFromPKCS7 unwraps it.
 	deviceKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatalf("rsa.GenerateKey: %v", err)
 	}
 	csrDER := buildTestCSR(t, deviceKey, "mvp.example.com", "mvp-shared-secret")
 	// Wrap in MVP-shape PKCS#7 SignedData (encapContent = CSR DER as
 	// OCTET STRING). The existing extractCSRFromPKCS7 handles this.
 	mvpPKCS7 := buildMVPSignedData(t, csrDER)
 	svc := &chromeOSMockSCEPService{
 		enrollResult: &domain.SCEPEnrollResult{
 			CertPEM: pemEncodeCert(selfSignedRSACertRaw(t, deviceKey, "mvp-issued.example.com")),
 		},
 	}
 	// Note: NO RA pair set — the handler runs MVP-only.
 	handler := NewSCEPHandler(svc)
 	w, body := postPKIOperation(t, handler, mvpPKCS7)
 	if w.Code != http.StatusOK {
 		t.Fatalf("MVP path POST: got %d, want 200 (body=%q)", w.Code, body)
 	}
 	// Response is the legacy certs-only PKCS#7, NOT a CertRep PKIMessage.
 	if got := w.Header().Get("Content-Type"); got != "application/x-pki-message" {
 		t.Errorf("Content-Type = %q, want application/x-pki-message", got)
 	}
 }
 // --- helpers -------------------------------------------------------------
 func postPKIOperation(t *testing.T, h SCEPHandler, body []byte) (*httptest.ResponseRecorder, []byte) {
 	t.Helper()
 	req := httptest.NewRequest(http.MethodPost, "/scep?operation=PKIOperation", bytes.NewReader(body))
 	w := httptest.NewRecorder()
 	h.HandleSCEP(w, req)
 	respBody, _ := io.ReadAll(w.Body)
 	return w, respBody
 }
 // buildChromeOSStylePKIMessage builds a real SCEP PKIMessage targeting the
 // fixture's RA cert. Mirrors what ChromeOS / micromdm-style clients emit:
 // SignedData(SignerInfo(deviceCert, sig over auth-attrs)) wrapping an
 // EnvelopedData(KTRI(raCert), AES-CBC(CSR + challengePassword)).
 func buildChromeOSStylePKIMessage(t *testing.T, fix *chromeOSStackFixture, messageType domain.SCEPMessageType, transactionID, challengePassword, csrCN string, symKey []byte) []byte {
 	t.Helper()
 	// 1. Build the inner CSR carrying the challengePassword attribute.
 	csrDER := buildTestCSR(t, fix.deviceKey, csrCN, challengePassword)
 	// 2. Encrypt the CSR via AES-CBC under symKey + random IV.
 	iv := make([]byte, aes.BlockSize)
 	if _, err := rand.Read(iv); err != nil {
 		t.Fatalf("rand iv: %v", err)
 	}
 	ciphertext := aesCBCEncrypt(t, symKey, iv, csrDER)
 	// 3. RSA-encrypt the symKey to fix.raCert.PublicKey.
 	encryptedKey, err := rsa.EncryptPKCS1v15(rand.Reader, fix.raCert.PublicKey.(*rsa.PublicKey), symKey)
 	if err != nil {
 		t.Fatalf("rsa encrypt symKey: %v", err)
 	}
 	// 4. Build EnvelopedData wrapping ciphertext.
 	envelopedData := buildEnvelopedDataForTest(t, fix.raCert, encryptedKey, iv, ciphertext, oidForAESKeyLen(t, len(symKey)))
 	// 5. Build the SignedData carrying the EnvelopedData with a
 	//    signerInfo signed by the device's transient cert/key.
 	signedData := buildSignedDataForTest(t, fix.deviceKey, fix.deviceCert, messageType, transactionID, []byte("0123456789abcdef"), envelopedData)
 	return signedData
 }
 // withContentEncryptionOID rewrites the AES OID inside an already-built
 // PKIMessage by re-building from scratch with the new OID. Simpler than
 // surgically patching the bytes.
 func withContentEncryptionOID(t *testing.T, _ []byte, fix *chromeOSStackFixture, oid asn1.ObjectIdentifier, symKey []byte) []byte {
 	t.Helper()
 	csrDER := buildTestCSR(t, fix.deviceKey, "aes.example.com", "shared-secret-123")
 	iv := make([]byte, 16)
 	if _, err := rand.Read(iv); err != nil {
 		t.Fatalf("rand iv: %v", err)
 	}
 	ciphertext := aesCBCEncrypt(t, symKey, iv, csrDER)
 	encryptedKey, err := rsa.EncryptPKCS1v15(rand.Reader, fix.raCert.PublicKey.(*rsa.PublicKey), symKey)
 	if err != nil {
 		t.Fatalf("rsa encrypt: %v", err)
 	}
 	envelopedData := buildEnvelopedDataForTest(t, fix.raCert, encryptedKey, iv, ciphertext, oid)
 	return buildSignedDataForTest(t, fix.deviceKey, fix.deviceCert, domain.SCEPMessageTypePKCSReq, "txn-aes", []byte("0123456789abcdef"), envelopedData)
 }
 func aesCBCEncrypt(t *testing.T, key, iv, plaintext []byte) []byte {
 	t.Helper()
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		t.Fatalf("aes.NewCipher: %v", err)
 	}
 	bs := block.BlockSize()
 	padLen := bs - len(plaintext)%bs
 	padded := append([]byte{}, plaintext...)
 	for i := 0; i < padLen; i++ {
 		padded = append(padded, byte(padLen))
 	}
 	enc := cipher.NewCBCEncrypter(block, iv)
 	out := make([]byte, len(padded))
 	enc.CryptBlocks(out, padded)
 	return out
 }
 // oidForAESKeyLen maps an AES key length to its CBC OID. Helper for the
 // AES-variants table-driven test.
 func oidForAESKeyLen(t *testing.T, n int) asn1.ObjectIdentifier {
 	t.Helper()
 	switch n {
 	case 16:
 		return pkcs7.OIDAES128CBC
 	case 24:
 		return pkcs7.OIDAES192CBC
 	case 32:
 		return pkcs7.OIDAES256CBC
 	}
 	t.Fatalf("oidForAESKeyLen: unsupported key length %d", n)
 	return nil
 }
 // aesKeyForOID returns a deterministic-length symmetric key matching the
 // AES variant identified by oid. Test-only — production uses crypto/rand.
 func aesKeyForOID(oid asn1.ObjectIdentifier) []byte {
 	switch {
 	case oid.Equal(pkcs7.OIDAES128CBC):
 		return bytes.Repeat([]byte{0x42}, 16)
 	case oid.Equal(pkcs7.OIDAES192CBC):
 		return bytes.Repeat([]byte{0x42}, 24)
 	case oid.Equal(pkcs7.OIDAES256CBC):
 		return bytes.Repeat([]byte{0x42}, 32)
 	case oid.Equal(pkcs7.OIDDESEDE3CBC):
 		return bytes.Repeat([]byte{0x42}, 24)
 	}
 	return nil
 }
 // buildTestCSR creates a CSR with a challengePassword attribute. Used by
 // the buildChromeOSStylePKIMessage helper to populate the EnvelopedData
 // inner content.
 func buildTestCSR(t *testing.T, key *rsa.PrivateKey, commonName, challengePassword string) []byte {
 	t.Helper()
 	// Build the challengePassword attribute (RFC 2985 §5.4.1, OID
 	// 1.2.840.113549.1.9.7).
 	cpAttr := pkix.AttributeTypeAndValue{
 		Type:  asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7},
 		Value: challengePassword,
 	}
 	cpAttrSet, err := asn1.Marshal(cpAttr)
 	if err != nil {
 		t.Fatalf("marshal cp attr: %v", err)
 	}
 	tmpl := &x509.CertificateRequest{
 		Subject: pkix.Name{CommonName: commonName},
 		// Inject the challengePassword as a raw extra extension via the
 		// CSR Attributes field.
 		ExtraExtensions: []pkix.Extension{},
 		Attributes: []pkix.AttributeTypeAndValueSET{
 			{
 				Type: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7},
 				Value: [][]pkix.AttributeTypeAndValue{
 					{{Type: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}, Value: challengePassword}},
 				},
 			},
 		},
 	}
 	_ = cpAttrSet
 	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
 	if err != nil {
 		t.Fatalf("CreateCertificateRequest: %v", err)
 	}
 	return der
 }
 // buildEnvelopedDataForTest builds an EnvelopedData targeting raCert with
 // a single KTRI carrying the encrypted symmetric key + the AES-CBC
 // ciphertext. Mirrors the Phase 3 buildEnvelopedDataAES256 internal helper
 // but exposed at test scope.
 func buildEnvelopedDataForTest(t *testing.T, raCert *x509.Certificate, encryptedKey, iv, ciphertext []byte, contentEncOID asn1.ObjectIdentifier) []byte {
 	t.Helper()
 	// IssuerAndSerial of the recipient.
 	serialDER, err := asn1.Marshal(raCert.SerialNumber)
 	if err != nil {
 		t.Fatalf("marshal serial: %v", err)
 	}
 	risBody := append([]byte{}, raCert.RawIssuer...)
 	risBody = append(risBody, serialDER...)
 	risBytes := pkcs7.ASN1Wrap(0x30, risBody)
 	keyEncAlg := pkix.AlgorithmIdentifier{Algorithm: pkcs7.OIDRSAEncryption, Parameters: asn1.NullRawValue}
 	keyEncAlgBytes, err := asn1.Marshal(keyEncAlg)
 	if err != nil {
 		t.Fatalf("marshal keyEncAlg: %v", err)
 	}
 	encryptedKeyBytes := pkcs7.ASN1Wrap(0x04, encryptedKey)
 	ktriBody := append([]byte{}, []byte{0x02, 0x01, 0x00}...)
 	ktriBody = append(ktriBody, risBytes...)
 	ktriBody = append(ktriBody, keyEncAlgBytes...)
 	ktriBody = append(ktriBody, encryptedKeyBytes...)
 	ktriBytes := pkcs7.ASN1Wrap(0x30, ktriBody)
 	recipientInfosBytes := pkcs7.ASN1Wrap(0x31, ktriBytes)
 	ivOctet := pkcs7.ASN1Wrap(0x04, iv)
 	contentAlg := pkix.AlgorithmIdentifier{
 		Algorithm:  contentEncOID,
 		Parameters: asn1.RawValue{FullBytes: ivOctet},
 	}
 	contentAlgBytes, err := asn1.Marshal(contentAlg)
 	if err != nil {
 		t.Fatalf("marshal contentAlg: %v", err)
 	}
 	encContentField := pkcs7.ASN1Wrap(0x80, ciphertext)
 	oidDataBytes := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01}
 	eciBody := append([]byte{}, oidDataBytes...)
 	eciBody = append(eciBody, contentAlgBytes...)
 	eciBody = append(eciBody, encContentField...)
 	eciBytes := pkcs7.ASN1Wrap(0x30, eciBody)
 	envBody := append([]byte{}, []byte{0x02, 0x01, 0x00}...)
 	envBody = append(envBody, recipientInfosBytes...)
 	envBody = append(envBody, eciBytes...)
 	return pkcs7.ASN1Wrap(0x30, envBody)
 }
 // buildSignedDataForTest builds a CMS SignedData with the device cert as
 // the signer + auth-attrs carrying SCEP messageType / transactionID /
 // senderNonce + messageDigest of the encapContent.
 func buildSignedDataForTest(t *testing.T, signerKey *rsa.PrivateKey, signerCert *x509.Certificate, messageType domain.SCEPMessageType, transactionID string, senderNonce, encapContent []byte) []byte {
 	t.Helper()
 	contentDigest := sha256.Sum256(encapContent)
 	// Auth-attrs SET-OF body.
 	var attrSetBody []byte
 	attrSetBody = append(attrSetBody, attrSeqHelper(t, pkcs7.OIDContentType, pkcs7.ASN1Wrap(0x06, []byte{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01}))...)
 	attrSetBody = append(attrSetBody, attrSeqHelper(t, pkcs7.OIDMessageDigest, pkcs7.ASN1Wrap(0x04, contentDigest[:]))...)
 	attrSetBody = append(attrSetBody, attrSeqHelper(t, pkcs7.OIDSCEPMessageType, pkcs7.ASN1Wrap(0x13, []byte(intToASCII(int(messageType)))))...)
 	attrSetBody = append(attrSetBody, attrSeqHelper(t, pkcs7.OIDSCEPTransactionID, pkcs7.ASN1Wrap(0x13, []byte(transactionID)))...)
 	attrSetBody = append(attrSetBody, attrSeqHelper(t, pkcs7.OIDSCEPSenderNonce, pkcs7.ASN1Wrap(0x04, senderNonce))...)
 	// Sign over SET OF Attribute (RFC 5652 §5.4 quirk).
 	signedAttrsForSig := pkcs7.ASN1Wrap(0x31, attrSetBody)
 	digest := sha256.Sum256(signedAttrsForSig)
 	sig, err := rsa.SignPKCS1v15(rand.Reader, signerKey, 5, digest[:]) // 5 = crypto.SHA256
 	if err != nil {
 		t.Fatalf("sign: %v", err)
 	}
 	// SignerInfo SEQUENCE.
 	versionBytes := []byte{0x02, 0x01, 0x01}
 	serialDER, _ := asn1.Marshal(signerCert.SerialNumber)
 	sidBody := append([]byte{}, signerCert.RawIssuer...)
 	sidBody = append(sidBody, serialDER...)
 	sidBytes := pkcs7.ASN1Wrap(0x30, sidBody)
 	digestAlg := pkix.AlgorithmIdentifier{Algorithm: pkcs7.OIDSHA256, Parameters: asn1.NullRawValue}
 	digestAlgBytes, _ := asn1.Marshal(digestAlg)
 	signedAttrsImplicit := pkcs7.ASN1Wrap(0xa0, attrSetBody)
 	sigAlg := pkix.AlgorithmIdentifier{Algorithm: pkcs7.OIDRSAWithSHA256, Parameters: asn1.NullRawValue}
 	sigAlgBytes, _ := asn1.Marshal(sigAlg)
 	sigOctet := pkcs7.ASN1Wrap(0x04, sig)
 	siBody := append([]byte{}, versionBytes...)
 	siBody = append(siBody, sidBytes...)
 	siBody = append(siBody, digestAlgBytes...)
 	siBody = append(siBody, signedAttrsImplicit...)
 	siBody = append(siBody, sigAlgBytes...)
 	siBody = append(siBody, sigOctet...)
 	siBytes := pkcs7.ASN1Wrap(0x30, siBody)
 	// encapContentInfo
 	octetWrap := pkcs7.ASN1Wrap(0x04, encapContent)
 	explicitWrap := pkcs7.ASN1Wrap(0xa0, octetWrap)
 	oidDataBytes := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01}
 	encapBody := append([]byte{}, oidDataBytes...)
 	encapBody = append(encapBody, explicitWrap...)
 	encapBytes := pkcs7.ASN1Wrap(0x30, encapBody)
 	// certificates [0] IMPLICIT SET OF Certificate
 	certsBytes := pkcs7.ASN1Wrap(0xa0, signerCert.Raw)
 	// digestAlgorithms SET OF
 	digestAlgsBytes := pkcs7.ASN1Wrap(0x31, digestAlgBytes)
 	// signerInfos SET OF
 	signerInfosBytes := pkcs7.ASN1Wrap(0x31, siBytes)
 	// SignedData SEQUENCE
 	sdBody := append([]byte{}, []byte{0x02, 0x01, 0x01}...)
 	sdBody = append(sdBody, digestAlgsBytes...)
 	sdBody = append(sdBody, encapBytes...)
 	sdBody = append(sdBody, certsBytes...)
 	sdBody = append(sdBody, signerInfosBytes...)
 	sdSeq := pkcs7.ASN1Wrap(0x30, sdBody)
 	// ContentInfo wrap
 	contentField := pkcs7.ASN1Wrap(0xa0, sdSeq)
 	oidSignedData := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02}
 	ciBody := append([]byte{}, oidSignedData...)
 	ciBody = append(ciBody, contentField...)
 	return pkcs7.ASN1Wrap(0x30, ciBody)
 }
 // buildMVPSignedData builds a degenerate SignedData where the encapContent
 // is the raw CSR bytes — what lightweight SCEP clients send. Used by the
 // MVP-compat test to confirm the legacy parser still works.
 func buildMVPSignedData(t *testing.T, csrDER []byte) []byte {
 	t.Helper()
 	octetWrap := pkcs7.ASN1Wrap(0x04, csrDER)
 	explicitWrap := pkcs7.ASN1Wrap(0xa0, octetWrap)
 	oidDataBytes := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01}
 	encapBody := append([]byte{}, oidDataBytes...)
 	encapBody = append(encapBody, explicitWrap...)
 	encapBytes := pkcs7.ASN1Wrap(0x30, encapBody)
 	digestAlgsBytes := pkcs7.ASN1Wrap(0x31, nil)
 	signerInfosBytes := pkcs7.ASN1Wrap(0x31, nil)
 	sdBody := append([]byte{}, []byte{0x02, 0x01, 0x01}...)
 	sdBody = append(sdBody, digestAlgsBytes...)
 	sdBody = append(sdBody, encapBytes...)
 	sdBody = append(sdBody, signerInfosBytes...)
 	sdSeq := pkcs7.ASN1Wrap(0x30, sdBody)
 	contentField := pkcs7.ASN1Wrap(0xa0, sdSeq)
 	oidSignedData := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02}
 	ciBody := append([]byte{}, oidSignedData...)
 	ciBody = append(ciBody, contentField...)
 	return pkcs7.ASN1Wrap(0x30, ciBody)
 }
 func attrSeqHelper(t *testing.T, oid asn1.ObjectIdentifier, value []byte) []byte {
 	t.Helper()
 	oidBytes, err := asn1.Marshal(oid)
 	if err != nil {
 		t.Fatalf("marshal OID %v: %v", oid, err)
 	}
 	setOfValue := pkcs7.ASN1Wrap(0x31, value)
 	body := append([]byte{}, oidBytes...)
 	body = append(body, setOfValue...)
 	return pkcs7.ASN1Wrap(0x30, body)
 }
 func decodeFirstSetMember(t *testing.T, rv asn1.RawValue) string {
 	t.Helper()
 	var inner asn1.RawValue
 	if _, err := asn1.Unmarshal(rv.Bytes, &inner); err != nil {
 		t.Fatalf("unmarshal SET first member: %v", err)
 	}
 	return string(inner.Bytes)
 }
 func intToASCII(i int) string {
 	if i == 0 {
 		return "0"
 	}
 	var b []byte
 	for i > 0 {
 		b = append([]byte{byte('0' + i%10)}, b...)
 		i /= 10
 	}
 	return string(b)
 }
 func selfSignedRSACert(t *testing.T, key *rsa.PrivateKey, cn string) *x509.Certificate {
 	t.Helper()
 	der := selfSignedRSACertRaw(t, key, cn)
 	cert, err := x509.ParseCertificate(der)
 	if err != nil {
 		t.Fatalf("ParseCertificate: %v", err)
 	}
 	return cert
 }
 func selfSignedRSACertRaw(t *testing.T, key *rsa.PrivateKey, cn string) []byte {
 	t.Helper()
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(time.Now().UnixNano()),
 		Subject:      pkix.Name{CommonName: cn},
 		Issuer:       pkix.Name{CommonName: cn},
 		NotBefore:    time.Now().Add(-time.Hour),
 		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		t.Fatalf("CreateCertificate: %v", err)
 	}
 	return der
 }
 func pemEncodeCert(der []byte) string {
 	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
 }
 // silence unused-import warnings — these packages are referenced inside
 // helpers above; Go's import-pruning is conservative around test-only
 // uses through other test files.
 var (
 	_ = ecdsa.PublicKey{}
 	_ = elliptic.P256
 	_ = des.NewTripleDESCipher
 )
@@ -36,6 +36,45 @@ func (m *mockSCEPService) PKCSReq(ctx context.Context, csrPEM string, challengeP
 	return m.EnrollResult, m.EnrollErr
 }
 // PKCSReqWithEnvelope is the RFC 8894 envelope-aware variant added in SCEP
 // RFC 8894 + Intune master bundle Phase 2.4. The MVP-only handler tests
 // don't exercise this path (RA pair is unset), so this stub is only here
 // to satisfy the interface; behavior mirrors PKCSReq's success/failure
 // based on the same EnrollResult / EnrollErr fields the existing tests
 // already populate.
 func (m *mockSCEPService) PKCSReqWithEnvelope(ctx context.Context, csrPEM string, challengePassword string, envelope *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope {
 	if m.EnrollErr != nil {
 		return &domain.SCEPResponseEnvelope{
 			Status:         domain.SCEPStatusFailure,
 			FailInfo:       domain.SCEPFailBadRequest,
 			TransactionID:  envelope.TransactionID,
 			RecipientNonce: envelope.SenderNonce,
 		}
 	}
 	return &domain.SCEPResponseEnvelope{
 		Status:         domain.SCEPStatusSuccess,
 		Result:         m.EnrollResult,
 		TransactionID:  envelope.TransactionID,
 		RecipientNonce: envelope.SenderNonce,
 	}
 }
 // RenewalReqWithEnvelope + GetCertInitialWithEnvelope added in Phase 4 to
 // satisfy the extended SCEPService interface. Same MVP-only test fixture
 // rules apply — these stubs mirror PKCSReqWithEnvelope's shape.
 func (m *mockSCEPService) RenewalReqWithEnvelope(ctx context.Context, csrPEM string, challengePassword string, envelope *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope {
 	return m.PKCSReqWithEnvelope(ctx, csrPEM, challengePassword, envelope)
 }
 func (m *mockSCEPService) GetCertInitialWithEnvelope(_ context.Context, envelope *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope {
 	return &domain.SCEPResponseEnvelope{
 		Status:         domain.SCEPStatusFailure,
 		FailInfo:       domain.SCEPFailBadCertID,
 		TransactionID:  envelope.TransactionID,
 		RecipientNonce: envelope.SenderNonce,
 	}
 }
 func TestSCEP_GetCACaps_Success(t *testing.T) {
 	svc := &mockSCEPService{}
 	h := NewSCEPHandler(svc)
@@ -0,0 +1,222 @@
 package handler
 import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"math/big"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 )
 // SCEP RFC 8894 + Intune master bundle Phase 6.5: mTLS sibling SCEP
 // route. Pins the auth contract:
 //
 //   1. RejectsMissingClientCert — request without r.TLS.PeerCertificates
 //      gets HTTP 401 (mTLS failure is authentication, not authorization).
 //   2. RejectsUntrustedClientCert — cert that doesn't chain to the
 //      configured trust pool gets HTTP 401.
 //   3. AcceptsTrustedClientCert — cert that chains + valid challenge
 //      password = 200 (delegates to HandleSCEP which returns 200 for
 //      GetCACaps).
 //   4. StillRequiresChallengePassword — valid client cert + invalid
 //      challenge password reaches the handler but the service-layer
 //      gate rejects. (For this test we exercise the GetCACaps GET — the
 //      challenge-password gate fires on PKIOperation; the test is here
 //      to pin that mTLS does NOT bypass the standard SCEP auth chain.)
 //   5. StandardSCEPRoute_StillNoMTLS — pin the standard /scep route
 //      keeps working without a client cert; the router test next door
 //      covers the route registration shape.
 //
 // The mock SCEPService is the same mockSCEPService from
 // scep_handler_test.go (same package).
 // mtlsTestFixture materialises a per-test mTLS trust CA + a client cert
 // that chains to it (the "trusted device") + an unrelated CA + cert
 // (the "untrusted attacker"). Returns the SCEPHandler with the trust
 // pool wired and pre-built TLS connection states for each cert.
 type mtlsTestFixture struct {
 	handler           SCEPHandler
 	trustedTLSState   *tls.ConnectionState
 	untrustedTLSState *tls.ConnectionState
 }
 func newMTLSTestFixture(t *testing.T) *mtlsTestFixture {
 	t.Helper()
 	// Trusted bootstrap CA + client cert chained to it.
 	trustedCA, trustedCAKey := genSelfSignedECDSACA(t, "trusted-bootstrap-ca")
 	trustedClient := signECDSAClientCert(t, "trusted-device", trustedCA, trustedCAKey)
 	// Untrusted CA + client cert chained to a different CA — should NOT
 	// be accepted by the trusted profile's mTLS handler.
 	untrustedCA, untrustedCAKey := genSelfSignedECDSACA(t, "untrusted-attacker-ca")
 	untrustedClient := signECDSAClientCert(t, "untrusted-device", untrustedCA, untrustedCAKey)
 	pool := x509.NewCertPool()
 	pool.AddCert(trustedCA)
 	svc := &mockSCEPService{}
 	h := NewSCEPHandler(svc)
 	h.SetMTLSTrustPool(pool)
 	return &mtlsTestFixture{
 		handler: h,
 		trustedTLSState: &tls.ConnectionState{
 			HandshakeComplete: true,
 			PeerCertificates:  []*x509.Certificate{trustedClient},
 		},
 		untrustedTLSState: &tls.ConnectionState{
 			HandshakeComplete: true,
 			PeerCertificates:  []*x509.Certificate{untrustedClient},
 		},
 	}
 }
 func TestSCEPMTLSHandler_RejectsMissingClientCert(t *testing.T) {
 	fix := newMTLSTestFixture(t)
 	req := httptest.NewRequest(http.MethodGet, "/scep-mtls?operation=GetCACaps", nil)
 	// req.TLS intentionally nil — simulates a client that didn't present
 	// a cert during the handshake (VerifyClientCertIfGiven allows this).
 	w := httptest.NewRecorder()
 	fix.handler.HandleSCEPMTLS(w, req)
 	if w.Code != http.StatusUnauthorized {
 		t.Fatalf("HandleSCEPMTLS without client cert: got %d, want 401 (body=%q)", w.Code, w.Body.String())
 	}
 }
 func TestSCEPMTLSHandler_RejectsUntrustedClientCert(t *testing.T) {
 	fix := newMTLSTestFixture(t)
 	req := httptest.NewRequest(http.MethodGet, "/scep-mtls?operation=GetCACaps", nil)
 	req.TLS = fix.untrustedTLSState
 	w := httptest.NewRecorder()
 	fix.handler.HandleSCEPMTLS(w, req)
 	if w.Code != http.StatusUnauthorized {
 		t.Fatalf("HandleSCEPMTLS with untrusted client cert: got %d, want 401 (body=%q)", w.Code, w.Body.String())
 	}
 }
 func TestSCEPMTLSHandler_AcceptsTrustedClientCert(t *testing.T) {
 	fix := newMTLSTestFixture(t)
 	req := httptest.NewRequest(http.MethodGet, "/scep-mtls?operation=GetCACaps", nil)
 	req.TLS = fix.trustedTLSState
 	w := httptest.NewRecorder()
 	fix.handler.HandleSCEPMTLS(w, req)
 	if w.Code != http.StatusOK {
 		t.Fatalf("HandleSCEPMTLS with trusted client cert: got %d, want 200 (GetCACaps; body=%q)", w.Code, w.Body.String())
 	}
 	// Sanity: response body is the GetCACaps capability list (the
 	// HandleSCEP delegate ran).
 	if got := w.Body.String(); got == "" {
 		t.Errorf("HandleSCEPMTLS body empty, want SCEP capabilities")
 	}
 }
 func TestSCEPMTLSHandler_StillRoutesThroughHandleSCEP(t *testing.T) {
 	// With a valid client cert, HandleSCEPMTLS delegates to HandleSCEP —
 	// pin that the standard SCEP dispatch still runs (operation query-
 	// param dispatch, content-type negotiation, etc.). Defense in depth:
 	// mTLS is additive, NOT replacement; the standard SCEP code path
 	// must still execute end-to-end.
 	fix := newMTLSTestFixture(t)
 	req := httptest.NewRequest(http.MethodGet, "/scep-mtls?operation=GetCACaps", nil)
 	req.TLS = fix.trustedTLSState
 	w := httptest.NewRecorder()
 	fix.handler.HandleSCEPMTLS(w, req)
 	if got := w.Header().Get("Content-Type"); got != "text/plain" {
 		t.Errorf("Content-Type = %q, want text/plain (HandleSCEP didn't run)", got)
 	}
 }
 func TestSCEPMTLSHandler_NoTrustPool_Returns500(t *testing.T) {
 	// A handler registered for /scep-mtls but with SetMTLSTrustPool never
 	// called is a deploy bug — the startup preflight should have caught
 	// this. Pin that the handler returns HTTP 500 in that state rather
 	// than silently accepting (or worse, panicking).
 	svc := &mockSCEPService{}
 	h := NewSCEPHandler(svc) // no SetMTLSTrustPool call
 	req := httptest.NewRequest(http.MethodGet, "/scep-mtls?operation=GetCACaps", nil)
 	w := httptest.NewRecorder()
 	h.HandleSCEPMTLS(w, req)
 	if w.Code != http.StatusInternalServerError {
 		t.Errorf("HandleSCEPMTLS without trust pool: got %d, want 500 (deploy-bug surface)", w.Code)
 	}
 }
 func TestSCEPHandler_StandardRoute_StillNoMTLS(t *testing.T) {
 	// Pin: the standard HandleSCEP entry point does NOT require a
 	// client cert even when an mTLS pool is set — the standard route
 	// remains application-layer-auth (challenge password). Operators
 	// can run BOTH routes simultaneously for migration / heterogeneous
 	// client fleets.
 	fix := newMTLSTestFixture(t)
 	req := httptest.NewRequest(http.MethodGet, "/scep?operation=GetCACaps", nil)
 	// req.TLS intentionally nil — standard /scep should still serve.
 	w := httptest.NewRecorder()
 	fix.handler.HandleSCEP(w, req)
 	if w.Code != http.StatusOK {
 		t.Errorf("HandleSCEP (standard route) without client cert: got %d, want 200", w.Code)
 	}
 }
 // --- helpers -------------------------------------------------------------
 func genSelfSignedECDSACA(t *testing.T, cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
 	t.Helper()
 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Fatalf("ecdsa.GenerateKey CA: %v", err)
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber:          big.NewInt(time.Now().UnixNano()),
 		Subject:               pkix.Name{CommonName: cn},
 		Issuer:                pkix.Name{CommonName: cn},
 		NotBefore:             time.Now().Add(-time.Hour),
 		NotAfter:              time.Now().Add(30 * 24 * time.Hour),
 		IsCA:                  true,
 		BasicConstraintsValid: true,
 		KeyUsage:              x509.KeyUsageCertSign,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		t.Fatalf("CreateCertificate CA: %v", err)
 	}
 	cert, err := x509.ParseCertificate(der)
 	if err != nil {
 		t.Fatalf("ParseCertificate CA: %v", err)
 	}
 	return cert, key
 }
 func signECDSAClientCert(t *testing.T, cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
 	t.Helper()
 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Fatalf("ecdsa.GenerateKey client: %v", err)
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(time.Now().UnixNano() + 1),
 		Subject:      pkix.Name{CommonName: cn},
 		NotBefore:    time.Now().Add(-time.Hour),
 		NotAfter:     time.Now().Add(7 * 24 * time.Hour),
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
 	if err != nil {
 		t.Fatalf("CreateCertificate client: %v", err)
 	}
 	cert, err := x509.ParseCertificate(der)
 	if err != nil {
 		t.Fatalf("ParseCertificate client: %v", err)
 	}
 	return cert
 }
 // silence unused-package warning if context becomes orphan in future
 // refactors of the mTLS test file (keeps imports stable).
 var _ = context.Background
@@ -36,7 +36,21 @@ import (
 // At Bundle D close time, this list is empty. Future entries should be
 // rare — the OpenAPI spec is the source of truth for the public API
 // surface.
-var SpecParityExceptions = map[string]string{}
+var SpecParityExceptions = map[string]string{
 	// SCEP RFC 8894 + Intune master bundle Phase 6.5: the /scep-mtls
 	// sibling route is opt-in (gated on per-profile MTLSEnabled). It rides
 	// the same SCEP-PKIOperation contract as /scep but with an additional
 	// client-cert auth layer at the handler. The OpenAPI spec covers the
 	// canonical /scep endpoint; documenting /scep-mtls separately would
 	// duplicate every operation row with no information gain — the
 	// PKIMessage wire format, query params, and response shapes are
 	// identical. The route lives in router.go as literal r.Register calls
 	// for the openapi-parity scanner's benefit; it stays out of openapi.yaml
 	// by exception. See docs/legacy-est-scep.md::mTLS-sibling-route for the
 	// operator-facing description.
 	"GET /scep-mtls":  "Phase 6.5 mTLS sibling route — same wire format as /scep with cert-required gate; documented in docs/legacy-est-scep.md",
 	"POST /scep-mtls": "Phase 6.5 mTLS sibling route — same wire format as /scep with cert-required gate; documented in docs/legacy-est-scep.md",
 }
 func TestRouter_OpenAPIParity(t *testing.T) {
 	routes, err := scanRouterRoutes("router.go")
@@ -84,6 +84,7 @@ var AuthExemptDispatchPrefixes = []string{
 	"/.well-known/pki", // RFC 5280 CRL + RFC 6960 OCSP — relying-party-unauth
 	"/.well-known/est", // RFC 7030 EST — auth via mTLS or CSR-embedded creds
 	"/scep",            // RFC 8894 SCEP — auth via challengePassword in CSR
 	"/scep-mtls",       // SCEP + mTLS sibling route (Phase 6.5) — auth is client cert + challengePassword
 }
 // HandlerRegistry groups all API handler dependencies for router registration.
@@ -126,6 +127,14 @@ type HandlerRegistry struct {
 	// Responder Phase 5 — admin-gated ops surface for the
 	// scheduler-driven CRL pre-generation pipeline.
 	AdminCRLCache handler.AdminCRLCacheHandler
 	// AdminSCEPIntune handles the per-profile Microsoft Intune Connector
 	// observability + reload endpoints. SCEP RFC 8894 + Intune master
 	// bundle Phase 9.2.
 	//   GET  /api/v1/admin/scep/intune/stats         → per-profile snapshot
 	//   POST /api/v1/admin/scep/intune/reload-trust  → SIGHUP-equivalent
 	// Both endpoints are admin-gated (M-008 pin updated to include
 	// admin_scep_intune.go).
 	AdminSCEPIntune handler.AdminSCEPIntuneHandler
 }
 // RegisterHandlers sets up all API routes with their handlers.
@@ -295,6 +304,12 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) {
 	// scheduler-driven CRL pre-generation cache. Admin-gated inside
 	// the handler (M-003 pattern); non-admin callers get 403.
 	r.Register("GET /api/v1/admin/crl/cache", http.HandlerFunc(reg.AdminCRLCache.ListCache))
 	// SCEP RFC 8894 + Intune master bundle Phase 9.2. Both endpoints are
 	// admin-gated at the handler layer; the M-008 regression scanner pins
 	// the gate set and TestM008_AdminGatedHandlers_HaveTripletTests
 	// enforces the per-handler test triplet.
 	r.Register("GET /api/v1/admin/scep/intune/stats", http.HandlerFunc(reg.AdminSCEPIntune.Stats))
 	r.Register("POST /api/v1/admin/scep/intune/reload-trust", http.HandlerFunc(reg.AdminSCEPIntune.ReloadTrust))
 	// Notifications routes: /api/v1/notifications
 	r.Register("GET /api/v1/notifications", http.HandlerFunc(reg.Notifications.ListNotifications))
@@ -425,6 +440,42 @@ func (r *Router) RegisterSCEPHandlers(handlers map[string]handler.SCEPHandler) {
 	}
 }
 // RegisterSCEPMTLSHandlers sets up the sibling `/scep-mtls/<PathID>` routes
 // for SCEP profiles that opted into mTLS via
 // `CERTCTL_SCEP_PROFILE_<NAME>_MTLS_ENABLED=true`.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 6.5: enterprise procurement
 // teams routinely reject 'shared password authentication' as a checkbox-
 // fail regardless of how strong the password is. This sibling route adds
 // client-cert auth at the handler layer AND keeps the challenge password
 // (defense in depth, not replacement). Devices present a bootstrap cert
 // from a trusted CA, then SCEP-enroll for their long-lived cert. Same
 // model Apple's MDM and Cisco's BRSKI use.
 //
 // Path conventions mirror the standard SCEP route: empty PathID maps to
 // `/scep-mtls` root (single-profile mTLS deploy); non-empty PathIDs map
 // to `/scep-mtls/<pathID>`. The /scep-mtls prefix is in
 // AuthExemptDispatchPrefixes — the auth boundary is the client cert
 // (verified at the TLS layer + per-profile re-verified at the handler
 // layer) plus the challenge password, NOT a Bearer token.
 //
 // Each handler in the map MUST have had SetMTLSTrustPool called so the
 // per-profile cert verification has a trust anchor.
 func (r *Router) RegisterSCEPMTLSHandlers(handlers map[string]handler.SCEPHandler) {
 	if h, ok := handlers[""]; ok {
 		r.Register("GET /scep-mtls", http.HandlerFunc(h.HandleSCEPMTLS))
 		r.Register("POST /scep-mtls", http.HandlerFunc(h.HandleSCEPMTLS))
 	}
 	for pathID, h := range handlers {
 		if pathID == "" {
 			continue
 		}
 		hCopy := h
 		r.Register("GET /scep-mtls/"+pathID, http.HandlerFunc(hCopy.HandleSCEPMTLS))
 		r.Register("POST /scep-mtls/"+pathID, http.HandlerFunc(hCopy.HandleSCEPMTLS))
 	}
 }
 // RegisterPKIHandlers sets up RFC 5280 CRL and RFC 6960 OCSP routes under
 // /.well-known/pki/. These endpoints are intentionally unauthenticated so
 // relying parties (browsers, OpenSSL, OCSP stapling sidecars, mTLS clients)
@@ -43,6 +43,23 @@ func (s *scepProfileMockService) PKCSReq(_ context.Context, _, _, _ string) (*do
 	return nil, nil
 }
 // PKCSReqWithEnvelope / RenewalReqWithEnvelope / GetCertInitialWithEnvelope
 // were added to the SCEPService interface in SCEP RFC 8894 + Intune master
 // bundle Phase 2.4 + Phase 4. The router-level tests don't drive the
 // RFC 8894 path; these stubs satisfy the interface so the per-profile
 // dispatch tests still compile.
 func (s *scepProfileMockService) PKCSReqWithEnvelope(_ context.Context, _, _ string, env *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope {
 	return &domain.SCEPResponseEnvelope{Status: domain.SCEPStatusSuccess, TransactionID: env.TransactionID}
 }
 func (s *scepProfileMockService) RenewalReqWithEnvelope(_ context.Context, _, _ string, env *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope {
 	return &domain.SCEPResponseEnvelope{Status: domain.SCEPStatusSuccess, TransactionID: env.TransactionID}
 }
 func (s *scepProfileMockService) GetCertInitialWithEnvelope(_ context.Context, env *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope {
 	return &domain.SCEPResponseEnvelope{Status: domain.SCEPStatusFailure, FailInfo: domain.SCEPFailBadCertID, TransactionID: env.TransactionID}
 }
 func TestRouter_RegisterSCEPHandlers_LegacyEmptyPathIDMapsToRoot(t *testing.T) {
 	r := New()
 	svc := &scepProfileMockService{tag: "legacy"}
@@ -796,6 +796,89 @@ type SCEPProfileConfig struct {
 	// match, expiry, RSA-or-ECDSA alg).
 	RACertPath string
 	RAKeyPath  string
 	// MTLSEnabled gates the sibling `/scep-mtls/<PathID>` route. When true,
 	// the route requires a client cert that chains to one of the certs in
 	// MTLSClientCATrustBundlePath. The standard `/scep[/<PathID>]` route
 	// remains application-layer-auth (challenge password) so existing
 	// clients keep working — mTLS is additive, not replacement.
 	//
 	// SCEP RFC 8894 + Intune master bundle Phase 6.5: enterprise procurement
 	// teams routinely reject 'shared password authentication' as a checkbox-
 	// fail regardless of how strong the password is. This flag wires up a
 	// sibling route that adds client-cert auth at the handler layer AND keeps
 	// the challenge password (defense in depth, not replacement). Devices
 	// present a bootstrap cert from a trusted CA (e.g. a manufacturing-time
 	// cert), then SCEP-enroll for their long-lived cert. Same model Apple's
 	// MDM and Cisco's BRSKI use.
 	MTLSEnabled bool
 	// MTLSClientCATrustBundlePath is the PEM bundle of CA certs that sign
 	// the client (device-bootstrap) certs the operator allows to enroll.
 	// Required when MTLSEnabled is true. Operators with multiple bootstrap
 	// CAs concatenate them. Validated at startup by
 	// `cmd/server/main.go::preflightSCEPMTLSTrustBundle` — file exists,
 	// parses as PEM, contains ≥1 cert, none expired.
 	MTLSClientCATrustBundlePath string
 	// Intune is the per-profile Microsoft Intune Certificate Connector
 	// integration block. When Enabled is false (default), this profile only
 	// honors the static ChallengePassword; when true, requests with an
 	// Intune-shaped challenge password (length + dot-count heuristic) are
 	// routed to the Intune dynamic-challenge validator.
 	//
 	// SCEP RFC 8894 + Intune master bundle Phase 8.8: per-profile dispatch
 	// is what makes the heterogeneous-fleet story work — an operator
 	// running corp-laptops via Intune AND IoT devices via static challenge
 	// configures Intune-mode on the corp profile only; the IoT profile's
 	// PKCSReq path skips the Intune dispatcher entirely.
 	Intune SCEPIntuneProfileConfig
 }
 // SCEPIntuneProfileConfig is the per-profile Microsoft Intune Certificate
 // Connector integration sub-block on SCEPProfileConfig.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 8.1.
 //
 // All fields here are populated from CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_*
 // env vars (e.g. CERTCTL_SCEP_PROFILE_CORP_INTUNE_ENABLED=true). Per-profile
 // overrides means an operator with two Intune-backed profiles (corp + iot,
 // say) can pin distinct Connectors + audiences + rate limits per fleet.
 type SCEPIntuneProfileConfig struct {
 	// Enabled gates the Intune dynamic-challenge validation path. When
 	// false (default), this profile honors only the static ChallengePassword.
 	// When true, ConnectorCertPath becomes a required boot gate.
 	Enabled bool
 	// ConnectorCertPath is the filesystem path to a PEM bundle of one or
 	// more Microsoft Intune Certificate Connector signing certs. Required
 	// when Enabled=true. Reloaded on SIGHUP via the per-profile
 	// TrustAnchorHolder wired in cmd/server/main.go.
 	ConnectorCertPath string
 	// Audience is the expected "aud" claim value in the Intune challenge —
 	// typically the public SCEP endpoint URL the Connector is configured to
 	// call (e.g. "https://certctl.example.com/scep/corp"). Defaults to
 	// empty (audience check disabled) for proxy / load-balancer scenarios
 	// where the URL the Connector saw isn't the URL we see; operators
 	// who pin a public URL here gain defense-in-depth against challenge
 	// re-use across endpoints.
 	Audience string
 	// ChallengeValidity caps the maximum age of an Intune challenge, on
 	// top of the challenge's own iat/exp claims. Default 60 minutes per
 	// Microsoft's published Connector defaults — operators may want a
 	// stricter cap to reduce the replay-window exposure on a stolen
 	// challenge. Zero means "use Connector's exp claim only" (no extra cap).
 	ChallengeValidity time.Duration
 	// PerDeviceRateLimit24h caps the number of enrollments per
 	// (claim.Subject, claim.Issuer) pair in any rolling 24-hour window.
 	// Default 3 (covers legitimate first-cert + recovery + post-wipe
 	// re-enrollment, blocks bulk-enumeration from a compromised Connector
 	// signing key). Zero means "unlimited" (defense-in-depth disabled;
 	// not recommended for production).
 	PerDeviceRateLimit24h int
 }
 // NetworkScanConfig controls the server-side active TLS scanner.
@@ -1421,6 +1504,17 @@ func loadSCEPProfilesFromEnv() []SCEPProfileConfig {
 			ChallengePassword: getEnv("CERTCTL_SCEP_PROFILE_"+envName+"_CHALLENGE_PASSWORD", ""),
 			RACertPath:        getEnv("CERTCTL_SCEP_PROFILE_"+envName+"_RA_CERT_PATH", ""),
 			RAKeyPath:         getEnv("CERTCTL_SCEP_PROFILE_"+envName+"_RA_KEY_PATH", ""),
 			// SCEP RFC 8894 Phase 6.5: opt-in mTLS sibling route.
 			MTLSEnabled:                 getEnvBool("CERTCTL_SCEP_PROFILE_"+envName+"_MTLS_ENABLED", false),
 			MTLSClientCATrustBundlePath: getEnv("CERTCTL_SCEP_PROFILE_"+envName+"_MTLS_CLIENT_CA_TRUST_BUNDLE_PATH", ""),
 			// SCEP RFC 8894 Phase 8.1: per-profile Intune Connector dispatch.
 			Intune: SCEPIntuneProfileConfig{
 				Enabled:               getEnvBool("CERTCTL_SCEP_PROFILE_"+envName+"_INTUNE_ENABLED", false),
 				ConnectorCertPath:     getEnv("CERTCTL_SCEP_PROFILE_"+envName+"_INTUNE_CONNECTOR_CERT_PATH", ""),
 				Audience:              getEnv("CERTCTL_SCEP_PROFILE_"+envName+"_INTUNE_AUDIENCE", ""),
 				ChallengeValidity:     getEnvDuration("CERTCTL_SCEP_PROFILE_"+envName+"_INTUNE_CHALLENGE_VALIDITY", 60*time.Minute),
 				PerDeviceRateLimit24h: getEnvInt("CERTCTL_SCEP_PROFILE_"+envName+"_INTUNE_PER_DEVICE_RATE_LIMIT_24H", 3),
 			},
 		})
 	}
 	return out
@@ -1672,6 +1766,32 @@ func (c *Config) Validate() error {
 			if p.IssuerID == "" {
 				return fmt.Errorf("SCEP profile %d (PathID=%q) has empty IssuerID — refuse to start: each SCEP profile must bind to a configured issuer", i, p.PathID)
 			}
 			// Phase 6.5: when mTLS is enabled, the trust bundle path must
 			// be set. Preflight in cmd/server/main.go validates the file
 			// itself (exists, parseable PEM, ≥1 cert, none expired); this
 			// gate is the structural-config refuse, defense in depth.
 			if p.MTLSEnabled && p.MTLSClientCATrustBundlePath == "" {
 				return fmt.Errorf("SCEP profile %d (PathID=%q) has MTLSEnabled=true but MTLS_CLIENT_CA_TRUST_BUNDLE_PATH is empty — refuse to start: the mTLS sibling route /scep-mtls/%s would have no client-cert trust anchor", i, p.PathID, p.PathID)
 			}
 			// Phase 8.1: when Intune is enabled, the Connector trust anchor
 			// path must be set. Preflight in cmd/server/main.go validates the
 			// file itself (intune.LoadTrustAnchor: exists, parseable PEM,
 			// ≥1 CERTIFICATE block, none expired); this gate is the
 			// structural-config refuse, defense in depth — without it an
 			// operator who flips INTUNE_ENABLED=true but forgets to set
 			// CONNECTOR_CERT_PATH would get every Intune enrollment
 			// rejected at runtime with no trust anchor configured (much
 			// worse failure mode than failing fast at boot).
 			if p.Intune.Enabled && p.Intune.ConnectorCertPath == "" {
 				return fmt.Errorf("SCEP profile %d (PathID=%q) has INTUNE_ENABLED=true but INTUNE_CONNECTOR_CERT_PATH is empty — refuse to start: the Intune dynamic-challenge validator would have no trust anchor and reject every Microsoft Intune enrollment", i, p.PathID)
 			}
 			// Phase 8.6: a non-zero rate limit must be sane. Negative is a
 			// config typo; positive values are the per-(Subject,Issuer)
 			// 24-hour cap; zero means 'disabled' (allowed for tests + the
 			// rare operator who wants no per-device cap).
 			if p.Intune.PerDeviceRateLimit24h < 0 {
 				return fmt.Errorf("SCEP profile %d (PathID=%q) has INTUNE_PER_DEVICE_RATE_LIMIT_24H=%d — refuse to start: must be ≥0 (zero disables the per-device cap, positive values enforce it)", i, p.PathID, p.Intune.PerDeviceRateLimit24h)
 			}
 		}
 	}
@@ -54,8 +54,15 @@ type IssuanceRequest struct {
 	CommonName    string   `json:"common_name"`
 	SANs          []string `json:"sans"`
 	CSRPEM        string   `json:"csr_pem"`
-	EKUs          []string `json:"ekus,omitempty"`           // e.g., "serverAuth", "clientAuth", "emailProtection"
+	EKUs          []string `json:"ekus,omitempty"`            // e.g., "serverAuth", "clientAuth", "emailProtection"
 	MaxTTLSeconds int      `json:"max_ttl_seconds,omitempty"` // 0 = no cap (use issuer default)
 	// MustStaple, when true, instructs the issuer to add the RFC 7633
 	// must-staple extension (id-pe-tlsfeature) to the issued cert.
 	// Plumbed from CertificateProfile.MustStaple at the service layer.
 	// Issuers that don't support extension injection (Vault, EJBCA, etc.)
 	// silently ignore this — must-staple is a local-issuer-only feature
 	// in V2 since upstream connectors enforce their own extension policy.
 	MustStaple bool `json:"must_staple,omitempty"`
 }
 // IssuanceResult contains the result of a successful certificate issuance.
@@ -73,9 +80,13 @@ type RenewalRequest struct {
 	CommonName    string   `json:"common_name"`
 	SANs          []string `json:"sans"`
 	CSRPEM        string   `json:"csr_pem"`
-	EKUs          []string `json:"ekus,omitempty"`           // e.g., "serverAuth", "clientAuth", "emailProtection"
+	EKUs          []string `json:"ekus,omitempty"`            // e.g., "serverAuth", "clientAuth", "emailProtection"
 	MaxTTLSeconds int      `json:"max_ttl_seconds,omitempty"` // 0 = no cap (use issuer default)
 	OrderID       *string  `json:"order_id,omitempty"`
 	// MustStaple — same semantics as IssuanceRequest.MustStaple. The
 	// renewal pipeline plumbs through the same CertificateProfile.MustStaple
 	// field so renewed certs match their initial-issuance extension set.
 	MustStaple bool `json:"must_staple,omitempty"`
 }
 // RevocationRequest contains the parameters for revoking a certificate.
@@ -55,6 +55,7 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
@@ -332,7 +333,7 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
 	}
 	// Generate certificate with EKUs and MaxTTL from request
-	cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs, request.EKUs, request.MaxTTLSeconds)
+	cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs, request.EKUs, request.MaxTTLSeconds, request.MustStaple)
 	if err != nil {
 		c.logger.Error("failed to generate certificate", "error", err)
 		return nil, fmt.Errorf("certificate generation failed: %w", err)
@@ -396,7 +397,7 @@ func (c *Connector) RenewCertificate(ctx context.Context, request issuer.Renewal
 	}
 	// Generate certificate with EKUs and MaxTTL from request
-	cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs, request.EKUs, request.MaxTTLSeconds)
+	cert, certPEM, serial, err := c.generateCertificate(csr, request.SANs, request.EKUs, request.MaxTTLSeconds, request.MustStaple)
 	if err != nil {
 		c.logger.Error("failed to generate certificate", "error", err)
 		return nil, fmt.Errorf("certificate generation failed: %w", err)
@@ -643,7 +644,7 @@ func (c *Connector) generateSelfSignedCA() error {
 // It uses the CSR subject and adds any additional SANs from the request.
 // If ekus is non-empty, those EKUs are used instead of the default serverAuth+clientAuth.
 // If maxTTLSeconds > 0, the certificate validity is capped to that duration.
-func (c *Connector) generateCertificate(csr *x509.CertificateRequest, additionalSANs []string, ekus []string, maxTTLSeconds int) (*x509.Certificate, string, string, error) {
+func (c *Connector) generateCertificate(csr *x509.CertificateRequest, additionalSANs []string, ekus []string, maxTTLSeconds int, mustStaple bool) (*x509.Certificate, string, string, error) {
 	// Generate random serial number
 	serialNum, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159))
 	if err != nil {
@@ -719,6 +720,21 @@ func (c *Connector) generateCertificate(csr *x509.CertificateRequest, additional
 		}
 	}
 	// SCEP RFC 8894 + Intune master bundle Phase 5.6: must-staple
 	// extension per RFC 7633. When the bound CertificateProfile has
 	// MustStaple=true, the issued cert carries id-pe-tlsfeature with
 	// the TLS Feature `status_request` (5). Browsers + modern TLS
 	// libraries that see this extension fail-closed when OCSP stapling
 	// is missing — defense against revocation-bypass via OCSP
 	// blackholing.
 	if mustStaple {
 		template.ExtraExtensions = append(template.ExtraExtensions, pkix.Extension{
 			Id:       oidMustStaple,
 			Critical: false,
 			Value:    mustStapleExtensionValue,
 		})
 	}
 	// Sign certificate with CA
 	certBytes, err := x509.CreateCertificate(rand.Reader, template, c.caCert, csr.PublicKey, c.caSigner)
 	if err != nil {
@@ -767,6 +783,26 @@ func isEmail(s string) bool {
 }
 // ekuNameToX509 maps EKU string names (from domain.ValidEKUs) to x509.ExtKeyUsage constants.
 // SCEP RFC 8894 + Intune master bundle Phase 5.6: must-staple extension
 // constants per RFC 7633 §6.
 //
 // id-pe-tlsfeature OID: 1.3.6.1.5.5.7.1.24.
 var oidMustStaple = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
 // mustStapleExtensionValue is the pre-encoded DER for SEQUENCE OF INTEGER
 // containing a single value 5 (the TLS Feature for status_request, RFC
 // 7633 §6 referencing IANA TLS ExtensionType registry).
 //
 // Wire bytes:
 //
 //	0x30 0x03         -- SEQUENCE, length 3
 //	0x02 0x01 0x05    --   INTEGER 5 (status_request)
 //
 // Pre-encoded as a constant rather than asn1.Marshal'd at runtime: the
 // extension value is fixed, byte-stable across Go versions, and tested by
 // pinning the exact bytes against RFC 7633 §6.
 var mustStapleExtensionValue = []byte{0x30, 0x03, 0x02, 0x01, 0x05}
 var ekuNameToX509 = map[string]x509.ExtKeyUsage{
 	"serverAuth":      x509.ExtKeyUsageServerAuth,
 	"clientAuth":      x509.ExtKeyUsageClientAuth,
@@ -0,0 +1,172 @@
 package local
 import (
 	"bytes"
 	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/pem"
 	"io"
 	"log/slog"
 	"testing"
 	"github.com/shankar0123/certctl/internal/connector/issuer"
 )
 // SCEP RFC 8894 + Intune master bundle Phase 5.6: must-staple per-profile
 // policy field (RFC 7633).
 //
 // Pins the contract that:
 //
 //  1. When the IssuanceRequest carries MustStaple=true, the issued cert
 //     contains the id-pe-tlsfeature extension with the canonical
 //     wire bytes (SEQUENCE OF INTEGER {5} per RFC 7633 §6).
 //
 //  2. When MustStaple=false (or unset), the extension is OMITTED — adding
 //     it by default would break customer deployments where the TLS path
 //     doesn't staple.
 //
 //  3. The OID + DER bytes match RFC 7633 §6 verbatim:
 //     OID 1.3.6.1.5.5.7.1.24, value 0x30 0x03 0x02 0x01 0x05.
 //
 // The test exercises the local issuer end-to-end (CSR → CreateCertificate
 // → ParseCertificate → walk Extensions) so any drift in the extension-
 // injection path is caught.
 func TestGenerateCertificate_MustStapleProfile_AddsExtension(t *testing.T) {
 	conn, _ := newLocalIssuerForMustStapleTest(t)
 	csrPEM := buildMustStapleCSR(t, "must-staple.example.com")
 	result, err := conn.IssueCertificate(context.Background(), issuer.IssuanceRequest{
 		CommonName:    "must-staple.example.com",
 		SANs:          []string{"must-staple.example.com"},
 		CSRPEM:        csrPEM,
 		EKUs:          []string{"serverAuth"},
 		MaxTTLSeconds: 86400,
 		MustStaple:    true,
 	})
 	if err != nil {
 		t.Fatalf("IssueCertificate: %v", err)
 	}
 	cert := parsePEMCertForTest(t, result.CertPEM)
 	ext := findExtensionByOID(cert, oidMustStaple)
 	if ext == nil {
 		t.Fatal("issued cert is missing id-pe-tlsfeature extension despite MustStaple=true")
 	}
 	if ext.Critical {
 		t.Errorf("must-staple extension Critical = true, want false (RFC 7633 §6 says non-critical)")
 	}
 	if !bytes.Equal(ext.Value, mustStapleExtensionValue) {
 		t.Errorf("must-staple extension Value = %x, want %x (RFC 7633 §6 SEQUENCE OF INTEGER {5})",
 			ext.Value, mustStapleExtensionValue)
 	}
 }
 func TestGenerateCertificate_NoMustStaple_OmitsExtension(t *testing.T) {
 	conn, _ := newLocalIssuerForMustStapleTest(t)
 	csrPEM := buildMustStapleCSR(t, "no-staple.example.com")
 	result, err := conn.IssueCertificate(context.Background(), issuer.IssuanceRequest{
 		CommonName:    "no-staple.example.com",
 		SANs:          []string{"no-staple.example.com"},
 		CSRPEM:        csrPEM,
 		EKUs:          []string{"serverAuth"},
 		MaxTTLSeconds: 86400,
 		// MustStaple intentionally unset — defaults to false.
 	})
 	if err != nil {
 		t.Fatalf("IssueCertificate: %v", err)
 	}
 	cert := parsePEMCertForTest(t, result.CertPEM)
 	if ext := findExtensionByOID(cert, oidMustStaple); ext != nil {
 		t.Errorf("issued cert has id-pe-tlsfeature extension despite MustStaple=false (would break non-stapling deploys)")
 	}
 }
 // TestMustStapleConstants_PinExactRFC7633Bytes locks down the exact OID +
 // DER bytes against RFC 7633 §6. If a future refactor changes the
 // pre-encoded value in any way, this test fails — catches drift before
 // it reaches a real cert.
 func TestMustStapleConstants_PinExactRFC7633Bytes(t *testing.T) {
 	wantOID := asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24} // id-pe-tlsfeature
 	if !oidMustStaple.Equal(wantOID) {
 		t.Errorf("oidMustStaple = %v, want %v (RFC 7633 §6)", oidMustStaple, wantOID)
 	}
 	// The TLS Feature for status_request is INTEGER 5 (per the IANA TLS
 	// ExtensionType registry). RFC 7633 §6 wraps that in SEQUENCE OF.
 	wantBytes := []byte{0x30, 0x03, 0x02, 0x01, 0x05}
 	if !bytes.Equal(mustStapleExtensionValue, wantBytes) {
 		t.Errorf("mustStapleExtensionValue = %x, want %x (SEQUENCE OF INTEGER {5})",
 			mustStapleExtensionValue, wantBytes)
 	}
 	// Sanity: the bytes round-trip through asn1.Unmarshal as the
 	// expected structure.
 	var parsed []int
 	if _, err := asn1.Unmarshal(mustStapleExtensionValue, &parsed); err != nil {
 		t.Fatalf("mustStapleExtensionValue does not parse as SEQUENCE OF INTEGER: %v", err)
 	}
 	if len(parsed) != 1 || parsed[0] != 5 {
 		t.Errorf("parsed mustStaple = %v, want [5]", parsed)
 	}
 }
 // --- helpers -------------------------------------------------------------
 // newLocalIssuerForMustStapleTest builds a self-signed local CA Connector
 // using the package's standard New + ensureCA path — same constructor
 // production uses, so any drift in the cert-template-injection code path
 // is exercised faithfully.
 func newLocalIssuerForMustStapleTest(t *testing.T) (*Connector, *x509.Certificate) {
 	t.Helper()
 	c := New(&Config{ValidityDays: 7}, slog.New(slog.NewTextHandler(io.Discard, nil)))
 	if err := c.ensureCA(context.Background()); err != nil {
 		t.Fatalf("ensureCA: %v", err)
 	}
 	return c, c.caCert
 }
 func buildMustStapleCSR(t *testing.T, cn string) string {
 	t.Helper()
 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Fatalf("ecdsa.GenerateKey CSR: %v", err)
 	}
 	tmpl := &x509.CertificateRequest{
 		Subject: pkix.Name{CommonName: cn},
 	}
 	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
 	if err != nil {
 		t.Fatalf("CreateCertificateRequest: %v", err)
 	}
 	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}))
 }
 func parsePEMCertForTest(t *testing.T, certPEM string) *x509.Certificate {
 	t.Helper()
 	block, _ := pem.Decode([]byte(certPEM))
 	if block == nil {
 		t.Fatal("PEM decode returned nil")
 	}
 	cert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
 		t.Fatalf("ParseCertificate: %v", err)
 	}
 	return cert
 }
 func findExtensionByOID(cert *x509.Certificate, oid asn1.ObjectIdentifier) *pkix.Extension {
 	for i := range cert.Extensions {
 		if cert.Extensions[i].Id.Equal(oid) {
 			return &cert.Extensions[i]
 		}
 	}
 	return nil
 }
@@ -17,9 +17,26 @@ type CertificateProfile struct {
 	RequiredSANPatterns  []string           `json:"required_san_patterns"`
 	SPIFFEURIPattern     string             `json:"spiffe_uri_pattern"`
 	AllowShortLived      bool               `json:"allow_short_lived"`
-	Enabled              bool               `json:"enabled"`
+	// MustStaple, when true, causes the local issuer to add the RFC 7633
-	CreatedAt            time.Time          `json:"created_at"`
+	// must-staple extension (id-pe-tlsfeature, OID 1.3.6.1.5.5.7.1.24) to
-	UpdatedAt            time.Time          `json:"updated_at"`
+	// every certificate issued under this profile. Browsers + modern TLS
 	// libraries that see this extension MUST fail-closed on missing OCSP
 	// stapling responses — defense against revocation-bypass via OCSP
 	// blackholing.
 	//
 	// Default: false. Operators opt in once they've confirmed their TLS
 	// reverse proxy / load balancer staples OCSP responses (NGINX,
 	// HAProxy, Envoy, etc. all support stapling but it requires explicit
 	// config). Setting must-staple by default would break customer
 	// deployments where the TLS path doesn't staple — browsers hard-fail.
 	//
 	// Recommended for: Intune-deployed device certs (modern TLS clients);
 	// SCEP profiles serving general/legacy clients (ChromeOS, IoT) should
 	// stay false until the TLS path is verified.
 	MustStaple bool      `json:"must_staple"`
 	Enabled    bool      `json:"enabled"`
 	CreatedAt  time.Time `json:"created_at"`
 	UpdatedAt  time.Time `json:"updated_at"`
 }
 // KeyAlgorithmRule defines an allowed key algorithm and its minimum key size.
@@ -0,0 +1,458 @@
 // CertRep PKIMessage response builder for SCEP.
 //
 // RFC 8894 §3.3.2 (Certificate Response Message Format) +
 // RFC 5652 §5 (SignedData) + RFC 5652 §6 (EnvelopedData).
 //
 // SCEP RFC 8894 + Intune master bundle Phase 3.1.
 //
 // Builds the wire shape (cited from RFC 8894 §3.3.2 + §3.2):
 //
 //	ContentInfo {
 //	  contentType: signedData (1.2.840.113549.1.7.2)
 //	  content: SignedData {
 //	    version: 1
 //	    digestAlgorithms: [SHA-256]
 //	    encapContentInfo: {
 //	      contentType: data (1.2.840.113549.1.7.1)
 //	      content: EnvelopedData {                  -- on SUCCESS only
 //	        version: 0
 //	        recipientInfos: [{
 //	          ktri: {
 //	            rid: IssuerAndSerialNumber of clientCert
 //	            keyEncryptionAlgorithm: rsaEncryption
 //	            encryptedKey: AES-256-CBC key encrypted to clientCert.PublicKey
 //	          }
 //	        }]
 //	        encryptedContentInfo: {
 //	          contentType: pkcs7-data
 //	          contentEncryptionAlgorithm: aes-256-cbc
 //	          encryptedContent: AES-CBC-encrypted PKCS#7 certs-only with the issued cert + chain
 //	        }
 //	      }
 //	    }
 //	    certificates: [raCert]
 //	    signerInfos: [{
 //	      sid: IssuerAndSerialNumber of raCert
 //	      digestAlgorithm: SHA-256
 //	      signedAttrs: [
 //	        contentType: data
 //	        messageDigest: SHA-256(encapContentInfo.content)
 //	        messageType: "3" (CertRep)
 //	        pkiStatus: "0" | "2" | "3"
 //	        transactionID: <echo of request>
 //	        recipientNonce: <echo of request senderNonce>
 //	        senderNonce: <fresh 16-byte server nonce>
 //	        failInfo: <if pkiStatus="2">
 //	      ]
 //	      signatureAlgorithm: rsaWithSHA256 | ecdsaWithSHA256
 //	      signature: raKey signs DER(SET OF signedAttrs)
 //	    }]
 //	  }
 //	}
 //
 // On FAILURE, encapContentInfo.content is empty (no EnvelopedData), and the
 // failInfo signed attribute is populated.
 //
 // On PENDING (deferred-issuance flow, not used in v1), encapContentInfo.content
 // is empty, and the response carries a transactionID the client polls with
 // GetCertInitial.
 package pkcs7
 import (
 	"crypto"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/pem"
 	"fmt"
 	"math/big"
 	"github.com/shankar0123/certctl/internal/domain"
 )
 // BuildCertRepPKIMessage constructs the SCEP CertRep response PKIMessage.
 //
 // Inputs:
 //   - req: the parsed inbound envelope (provides transactionID, senderNonce
 //     to echo, and SignerCert — the device's transient cert we encrypt the
 //     CertRep EnvelopedData TO).
 //   - resp: the service-layer outcome (Status + FailInfo + Result).
 //   - raCert + raKey: the RA pair the server signs the SignedData with
 //     (loaded from CERTCTL_SCEP_RA_*; same pair used to decrypt the inbound
 //     EnvelopedData in Phase 2).
 //
 // Critical correctness points (cited as comments in code):
 //   - The CertRep encrypts the issued cert chain to the DEVICE's transient
 //     signing cert (req.SignerCert), NOT the RA cert. The response goes
 //     back to the device, encrypted with its public key.
 //   - AES-256-CBC + random 16-byte IV per response. No reuse.
 //   - senderNonce must be fresh per response (crypto/rand 16 bytes).
 //   - recipientNonce + transactionID echoed verbatim from the request.
 //   - The signature is over DER(SET OF signedAttrs) — the canonical CMS
 //     quirk per RFC 5652 §5.4. The wire form uses [0] IMPLICIT but the
 //     signature is computed over the SET OF re-serialisation. Easy
 //     mistake; pinned by the round-trip test.
 func BuildCertRepPKIMessage(req *domain.SCEPRequestEnvelope, resp *domain.SCEPResponseEnvelope, raCert *x509.Certificate, raKey crypto.PrivateKey) ([]byte, error) {
 	if req == nil || resp == nil {
 		return nil, fmt.Errorf("certRep: req and resp required")
 	}
 	if raCert == nil || raKey == nil {
 		return nil, fmt.Errorf("certRep: RA cert/key required")
 	}
 	// 1. Build the encapContent — for SUCCESS, this is an EnvelopedData
 	//    wrapping the issued cert chain encrypted to req.SignerCert. For
 	//    FAILURE / PENDING, encapContent is empty.
 	var encapContent []byte
 	if resp.Status == domain.SCEPStatusSuccess && resp.Result != nil {
 		// Parse the device's transient signing cert (recipient).
 		if len(req.SignerCert) == 0 {
 			return nil, fmt.Errorf("certRep: req.SignerCert required for SUCCESS response (need device pubkey to encrypt response)")
 		}
 		clientCert, err := x509.ParseCertificate(req.SignerCert)
 		if err != nil {
 			return nil, fmt.Errorf("certRep: parse req.SignerCert: %w", err)
 		}
 		clientRSAPub, ok := clientCert.PublicKey.(*rsa.PublicKey)
 		if !ok {
 			// SCEP requires RSA on the client side for keyTrans (RFC 8894
 			// §3.5.2 advertises RSA only for the client-encryption side).
 			return nil, fmt.Errorf("certRep: device transient cert must have RSA public key (got %T)", clientCert.PublicKey)
 		}
 		// Build the certs-only PKCS#7 carrying the issued cert + chain
 		// (the inner content the EnvelopedData encrypts).
 		issuedDER, err := PEMToDERChain(resp.Result.CertPEM)
 		if err != nil {
 			return nil, fmt.Errorf("certRep: parse issued cert PEM: %w", err)
 		}
 		var allDER [][]byte
 		allDER = append(allDER, issuedDER...)
 		if resp.Result.ChainPEM != "" {
 			chainDER, err := PEMToDERChain(resp.Result.ChainPEM)
 			if err == nil {
 				allDER = append(allDER, chainDER...)
 			}
 		}
 		certsOnly, err := BuildCertsOnlyPKCS7(allDER)
 		if err != nil {
 			return nil, fmt.Errorf("certRep: build certs-only PKCS#7: %w", err)
 		}
 		// Build the EnvelopedData encrypting certsOnly to clientRSAPub
 		// using a fresh AES-256-CBC key + IV.
 		encapContent, err = buildEnvelopedDataAES256(clientCert, clientRSAPub, certsOnly)
 		if err != nil {
 			return nil, fmt.Errorf("certRep: build EnvelopedData: %w", err)
 		}
 	}
 	// 2. Compute messageDigest = SHA-256(encapContent). When encapContent
 	//    is empty (FAILURE/PENDING), the messageDigest is over the empty
 	//    byte slice — same hash for both legs, RFC 5652 §11.2 doesn't
 	//    require a non-empty content.
 	contentDigest := sha256.Sum256(encapContent)
 	// 3. Generate a fresh 16-byte senderNonce. crypto/rand source; never
 	//    reused across responses (RFC 8894 §3.2.1.4.5 — replay defense).
 	senderNonce := make([]byte, 16)
 	if _, err := rand.Read(senderNonce); err != nil {
 		return nil, fmt.Errorf("certRep: senderNonce rand.Read: %w", err)
 	}
 	// 4. Build the auth-attrs SET-OF body (the bytes inside [0] IMPLICIT).
 	//    Order matches micromdm/scep for byte-level wire-format diffing
 	//    (DER SET-OF normalises order anyway, but matching the reference
 	//    implementation makes audit + manual inspection easier).
 	authAttrs := buildCertRepAuthAttrs(
 		contentDigest[:],
 		resp.Status,
 		resp.FailInfo,
 		resp.TransactionID,
 		senderNonce,
 		resp.RecipientNonce,
 	)
 	// 5. Sign the SET OF Attribute (re-serialised with the SET tag, not
 	//    the [0] IMPLICIT wrapper — RFC 5652 §5.4 quirk).
 	signedAttrsForSig := ASN1Wrap(0x31, authAttrs)
 	sig, sigAlgOID, err := signCertRep(raKey, signedAttrsForSig)
 	if err != nil {
 		return nil, fmt.Errorf("certRep: sign auth-attrs: %w", err)
 	}
 	// 6. Build the SignerInfo SEQUENCE.
 	siBytes, err := buildSignerInfoCertRep(raCert, sig, sigAlgOID, authAttrs)
 	if err != nil {
 		return nil, fmt.Errorf("certRep: build SignerInfo: %w", err)
 	}
 	// 7. Build encapContentInfo SEQUENCE { OID data, [0] EXPLICIT OCTET
 	//    STRING content }.
 	encapBytes := buildEncapContentInfo(encapContent)
 	// 8. certificates [0] IMPLICIT SET OF Certificate carrying the RA cert
 	//    so the device can verify the signature.
 	certsBytes := ASN1Wrap(0xa0, raCert.Raw)
 	// 9. digestAlgorithms SET OF AlgorithmIdentifier (one entry: SHA-256).
 	digestAlg := pkix.AlgorithmIdentifier{Algorithm: OIDSHA256, Parameters: asn1.NullRawValue}
 	digestAlgBytes, err := asn1.Marshal(digestAlg)
 	if err != nil {
 		return nil, fmt.Errorf("certRep: marshal digestAlg: %w", err)
 	}
 	digestAlgsBytes := ASN1Wrap(0x31, digestAlgBytes)
 	// 10. signerInfos SET OF SignerInfo (one entry — the RA's signature).
 	signerInfosBytes := ASN1Wrap(0x31, siBytes)
 	// 11. Assemble SignedData SEQUENCE.
 	sdBody := append([]byte{}, []byte{0x02, 0x01, 0x01}...) // INTEGER version=1
 	sdBody = append(sdBody, digestAlgsBytes...)
 	sdBody = append(sdBody, encapBytes...)
 	sdBody = append(sdBody, certsBytes...)
 	sdBody = append(sdBody, signerInfosBytes...)
 	sdSeq := ASN1Wrap(0x30, sdBody)
 	// 12. Wrap as ContentInfo SEQUENCE { OID signedData, [0] EXPLICIT
 	//     SignedData }.
 	contentField := ASN1Wrap(0xa0, sdSeq)
 	oidSignedDataDER := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02}
 	ciBody := append([]byte{}, oidSignedDataDER...)
 	ciBody = append(ciBody, contentField...)
 	return ASN1Wrap(0x30, ciBody), nil
 }
 // buildCertRepAuthAttrs builds the SET-OF body for the CertRep
 // signedAttributes. Matches the order micromdm/scep emits (the DER SET-OF
 // normalisation makes order irrelevant for the signature, but matching
 // the reference implementation makes wire-diff debugging easier).
 func buildCertRepAuthAttrs(msgDigest []byte, status domain.SCEPPKIStatus, failInfo domain.SCEPFailInfo, transactionID string, senderNonce, recipientNonce []byte) []byte {
 	var out []byte
 	// contentType: SET { OID data }
 	out = append(out, attrSeqRaw(OIDContentType, ASN1Wrap(0x06, []byte{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01}))...)
 	// messageDigest: SET { OCTET STRING }
 	out = append(out, attrSeqRaw(OIDMessageDigest, ASN1Wrap(0x04, msgDigest))...)
 	// SCEP messageType: SET { PrintableString "3" — CertRep }
 	out = append(out, attrSeqRaw(OIDSCEPMessageType, ASN1Wrap(0x13, []byte{'3'}))...)
 	// SCEP pkiStatus: SET { PrintableString status code }
 	out = append(out, attrSeqRaw(OIDSCEPPKIStatus, ASN1Wrap(0x13, []byte(status)))...)
 	// SCEP transactionID: SET { PrintableString }
 	out = append(out, attrSeqRaw(OIDSCEPTransactionID, ASN1Wrap(0x13, []byte(transactionID)))...)
 	// SCEP senderNonce (server's fresh nonce): SET { OCTET STRING }
 	out = append(out, attrSeqRaw(OIDSCEPSenderNonce, ASN1Wrap(0x04, senderNonce))...)
 	// SCEP recipientNonce (echo of client's senderNonce): SET { OCTET STRING }
 	if len(recipientNonce) > 0 {
 		out = append(out, attrSeqRaw(OIDSCEPRecipientNonce, ASN1Wrap(0x04, recipientNonce))...)
 	}
 	// SCEP failInfo: ONLY when status == failure (RFC 8894 §3.2.1.4.4)
 	if status == domain.SCEPStatusFailure {
 		out = append(out, attrSeqRaw(OIDSCEPFailInfo, ASN1Wrap(0x13, []byte(failInfo)))...)
 	}
 	return out
 }
 // attrSeqRaw builds one Attribute SEQUENCE: SEQUENCE { OID, SET OF value }.
 // `value` is one already-encoded TLV (e.g. an OCTET STRING or PrintableString);
 // attrSeqRaw wraps it in a SET, prefixes the OID, and SEQUENCE-wraps.
 func attrSeqRaw(oid asn1.ObjectIdentifier, value []byte) []byte {
 	oidBytes, err := asn1.Marshal(oid)
 	if err != nil {
 		// asn1.Marshal of a hardcoded OID never fails; a panic here is
 		// a programmer error worth surfacing immediately.
 		panic("certRep: marshal OID: " + err.Error())
 	}
 	setOfValue := ASN1Wrap(0x31, value)
 	body := append([]byte{}, oidBytes...)
 	body = append(body, setOfValue...)
 	return ASN1Wrap(0x30, body)
 }
 // buildSignerInfoCertRep assembles the SignerInfo for the CertRep response.
 // The signature is already computed; this just packages everything into the
 // SignerInfo SEQUENCE.
 func buildSignerInfoCertRep(raCert *x509.Certificate, sig []byte, sigAlgOID asn1.ObjectIdentifier, authAttrsSetBody []byte) ([]byte, error) {
 	versionBytes := []byte{0x02, 0x01, 0x01} // INTEGER version=1
 	// SID = IssuerAndSerialNumber: SEQUENCE { Issuer (RDN), SerialNumber }
 	serialDER, err := asn1.Marshal(raCert.SerialNumber)
 	if err != nil {
 		return nil, fmt.Errorf("marshal RA serial: %w", err)
 	}
 	sidBody := append([]byte{}, raCert.RawIssuer...)
 	sidBody = append(sidBody, serialDER...)
 	sidBytes := ASN1Wrap(0x30, sidBody)
 	digestAlg := pkix.AlgorithmIdentifier{Algorithm: OIDSHA256, Parameters: asn1.NullRawValue}
 	digestAlgBytes, err := asn1.Marshal(digestAlg)
 	if err != nil {
 		return nil, fmt.Errorf("marshal digestAlg: %w", err)
 	}
 	signedAttrsImplicitBytes := ASN1Wrap(0xa0, authAttrsSetBody) // [0] IMPLICIT SET OF
 	sigAlg := pkix.AlgorithmIdentifier{Algorithm: sigAlgOID}
 	if sigAlgOID.Equal(OIDRSAWithSHA256) {
 		sigAlg.Parameters = asn1.NullRawValue
 	}
 	sigAlgBytes, err := asn1.Marshal(sigAlg)
 	if err != nil {
 		return nil, fmt.Errorf("marshal sigAlg: %w", err)
 	}
 	sigOctetBytes := ASN1Wrap(0x04, sig) // OCTET STRING
 	siBody := append([]byte{}, versionBytes...)
 	siBody = append(siBody, sidBytes...)
 	siBody = append(siBody, digestAlgBytes...)
 	siBody = append(siBody, signedAttrsImplicitBytes...)
 	siBody = append(siBody, sigAlgBytes...)
 	siBody = append(siBody, sigOctetBytes...)
 	return ASN1Wrap(0x30, siBody), nil
 }
 // signCertRep signs the SET-OF-encoded auth-attrs with the RA key, returning
 // the signature bytes and the matching signature-algorithm OID.
 func signCertRep(raKey crypto.PrivateKey, signedAttrsForSig []byte) ([]byte, asn1.ObjectIdentifier, error) {
 	digest := sha256.Sum256(signedAttrsForSig)
 	switch k := raKey.(type) {
 	case *rsa.PrivateKey:
 		sig, err := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, digest[:])
 		if err != nil {
 			return nil, nil, fmt.Errorf("rsa sign: %w", err)
 		}
 		return sig, OIDRSAWithSHA256, nil
 	case *ecdsa.PrivateKey:
 		sig, err := ecdsa.SignASN1(rand.Reader, k, digest[:])
 		if err != nil {
 			return nil, nil, fmt.Errorf("ecdsa sign: %w", err)
 		}
 		return sig, OIDECDSAWithSHA256, nil
 	default:
 		return nil, nil, fmt.Errorf("unsupported RA key type %T (want *rsa.PrivateKey or *ecdsa.PrivateKey)", raKey)
 	}
 }
 // buildEncapContentInfo builds SEQUENCE { OID data, [0] EXPLICIT OCTET STRING content }.
 // content is empty for FAILURE/PENDING responses; the [0] EXPLICIT wrapper is
 // omitted entirely in that case (RFC 5652 §5.2 — the OPTIONAL field is just
 // absent rather than carrying an empty OCTET STRING).
 func buildEncapContentInfo(content []byte) []byte {
 	oidDataBytes := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01}
 	body := append([]byte{}, oidDataBytes...)
 	if len(content) > 0 {
 		octetBytes := ASN1Wrap(0x04, content)
 		explicitWrapper := ASN1Wrap(0xa0, octetBytes)
 		body = append(body, explicitWrapper...)
 	}
 	return ASN1Wrap(0x30, body)
 }
 // buildEnvelopedDataAES256 builds an EnvelopedData encrypting `plaintext`
 // to `recipientCert`'s public key (RSA). Uses AES-256-CBC + random 16-byte IV
 // + PKCS#7 padding. Returns the EnvelopedData DER bytes ready to embed as
 // the encapContent of a SignedData.
 func buildEnvelopedDataAES256(recipientCert *x509.Certificate, recipientPub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
 	// 1. Generate random AES-256 key + IV.
 	symKey := make([]byte, 32)
 	if _, err := rand.Read(symKey); err != nil {
 		return nil, fmt.Errorf("rand symKey: %w", err)
 	}
 	iv := make([]byte, aes.BlockSize)
 	if _, err := rand.Read(iv); err != nil {
 		return nil, fmt.Errorf("rand iv: %w", err)
 	}
 	// 2. PKCS#7-pad plaintext to AES block boundary.
 	bs := aes.BlockSize
 	padLen := bs - len(plaintext)%bs
 	padded := make([]byte, 0, len(plaintext)+padLen)
 	padded = append(padded, plaintext...)
 	for i := 0; i < padLen; i++ {
 		padded = append(padded, byte(padLen))
 	}
 	// 3. AES-CBC encrypt.
 	block, err := aes.NewCipher(symKey)
 	if err != nil {
 		return nil, fmt.Errorf("aes.NewCipher: %w", err)
 	}
 	enc := cipher.NewCBCEncrypter(block, iv)
 	ciphertext := make([]byte, len(padded))
 	enc.CryptBlocks(ciphertext, padded)
 	// 4. RSA PKCS#1 v1.5 encrypt the AES key with recipientPub.
 	encryptedKey, err := rsa.EncryptPKCS1v15(rand.Reader, recipientPub, symKey)
 	if err != nil {
 		return nil, fmt.Errorf("rsa encrypt: %w", err)
 	}
 	// 5. Build IssuerAndSerialNumber identifying the recipient.
 	serialDER, err := asn1.Marshal(recipientCert.SerialNumber)
 	if err != nil {
 		return nil, fmt.Errorf("marshal recipient serial: %w", err)
 	}
 	risBody := append([]byte{}, recipientCert.RawIssuer...)
 	risBody = append(risBody, serialDER...)
 	risBytes := ASN1Wrap(0x30, risBody)
 	// 6. Build KeyTransRecipientInfo SEQUENCE.
 	keyEncAlg := pkix.AlgorithmIdentifier{Algorithm: OIDRSAEncryption, Parameters: asn1.NullRawValue}
 	keyEncAlgBytes, err := asn1.Marshal(keyEncAlg)
 	if err != nil {
 		return nil, fmt.Errorf("marshal keyEncAlg: %w", err)
 	}
 	encryptedKeyBytes := ASN1Wrap(0x04, encryptedKey)
 	ktriBody := append([]byte{}, []byte{0x02, 0x01, 0x00}...) // INTEGER version=0
 	ktriBody = append(ktriBody, risBytes...)
 	ktriBody = append(ktriBody, keyEncAlgBytes...)
 	ktriBody = append(ktriBody, encryptedKeyBytes...)
 	ktriBytes := ASN1Wrap(0x30, ktriBody)
 	// 7. recipientInfos SET OF RecipientInfo (one entry).
 	recipientInfosBytes := ASN1Wrap(0x31, ktriBytes)
 	// 8. Build the AlgorithmIdentifier with the IV as parameters
 	//    (RFC 3565 §2.3).
 	ivOctet := ASN1Wrap(0x04, iv)
 	contentAlg := pkix.AlgorithmIdentifier{
 		Algorithm:  OIDAES256CBC,
 		Parameters: asn1.RawValue{FullBytes: ivOctet},
 	}
 	contentAlgBytes, err := asn1.Marshal(contentAlg)
 	if err != nil {
 		return nil, fmt.Errorf("marshal contentAlg: %w", err)
 	}
 	// 9. Build EncryptedContentInfo SEQUENCE.
 	//    encryptedContent is [0] IMPLICIT OCTET STRING — the OCTET STRING
 	//    tag is replaced by the [0] context-specific tag, but the content
 	//    bytes are written directly without the inner OCTET STRING tag.
 	encContentField := append([]byte{}, ASN1Wrap(0x80, ciphertext)...) // [0] IMPLICIT primitive
 	oidDataBytes := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01}
 	eciBody := append([]byte{}, oidDataBytes...)
 	eciBody = append(eciBody, contentAlgBytes...)
 	eciBody = append(eciBody, encContentField...)
 	eciBytes := ASN1Wrap(0x30, eciBody)
 	// 10. Assemble EnvelopedData SEQUENCE.
 	envBody := append([]byte{}, []byte{0x02, 0x01, 0x00}...) // INTEGER version=0
 	envBody = append(envBody, recipientInfosBytes...)
 	envBody = append(envBody, eciBytes...)
 	return ASN1Wrap(0x30, envBody), nil
 }
 // silence unused-import / cross-file linker warnings for big.Int + pem on
 // builds that exclude certain code paths.
 var (
 	_ = (*big.Int)(nil)
 	_ = (*pem.Block)(nil)
 )
@@ -0,0 +1,160 @@
 package pkcs7
 import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"math/big"
 	"testing"
 	"time"
 	"github.com/shankar0123/certctl/internal/domain"
 )
 // FuzzBuildCertRepPKIMessage stresses the CertRep builder with attacker-
 // controlled transactionID + nonce + signerCert bytes. The invariants are:
 //   1. No panic for arbitrary inputs.
 //   2. When build succeeds AND status is success, the output parses back
 //      via ParseSignedData (round-trip soundness — the prompt's required
 //      fuzz invariant).
 //
 // SCEP RFC 8894 + Intune master bundle Phase 3.3.
 //
 // The fuzzer holds the RA pair constant (one-time setup) and lets the
 // fuzz engine vary the unstable inputs. Errors from BuildCertRepPKIMessage
 // are expected for malformed signerCert bytes; only a panic = bug.
 func FuzzBuildCertRepPKIMessage(f *testing.F) {
 	// Seed: empty everything (should error cleanly via the nil-args gate).
 	f.Add("", []byte{}, []byte{})
 	// Seed: minimal inputs that exercise the failure-path code (no
 	// SignerCert needed because Status=Failure short-circuits the
 	// EnvelopedData build).
 	f.Add("txn-1", make([]byte, 16), []byte{})
 	// One-time setup: RA pair stays constant across fuzz iterations.
 	raKey, raCert := genTestRSARAFuzz()
 	if raKey == nil {
 		f.Skip("test RA pair generation failed; environment lacks crypto/rand?")
 	}
 	f.Fuzz(func(t *testing.T, transactionID string, senderNonce []byte, signerCert []byte) {
 		req := &domain.SCEPRequestEnvelope{
 			MessageType:   domain.SCEPMessageTypePKCSReq,
 			TransactionID: transactionID,
 			SenderNonce:   senderNonce,
 			SignerCert:    signerCert,
 		}
 		// Failure path: never needs SignerCert. No panic, no requirement
 		// on output (the failure shape is correct by construction).
 		respFail := &domain.SCEPResponseEnvelope{
 			Status:         domain.SCEPStatusFailure,
 			FailInfo:       domain.SCEPFailBadRequest,
 			TransactionID:  transactionID,
 			RecipientNonce: senderNonce,
 		}
 		_, _ = BuildCertRepPKIMessage(req, respFail, raCert, raKey)
 		// Success path with arbitrary signerCert bytes: most inputs will
 		// fail to parse as a real cert; that's fine, BuildCertRep returns
 		// an error rather than panicking. When build succeeds (rare for
 		// random bytes), assert the output parses back.
 		respSuccess := &domain.SCEPResponseEnvelope{
 			Status:         domain.SCEPStatusSuccess,
 			TransactionID:  transactionID,
 			RecipientNonce: senderNonce,
 			Result: &domain.SCEPEnrollResult{
 				CertPEM: minimalIssuedCertPEMFuzz(raKey),
 			},
 		}
 		out, err := BuildCertRepPKIMessage(req, respSuccess, raCert, raKey)
 		if err != nil {
 			return // expected for arbitrary signerCert; no panic = ok
 		}
 		// Build succeeded — verify round-trip soundness.
 		sd, err := ParseSignedData(out)
 		if err != nil {
 			t.Errorf("BuildCertRepPKIMessage produced output that fails ParseSignedData: %v", err)
 			return
 		}
 		if len(sd.SignerInfos) == 0 {
 			t.Errorf("BuildCertRepPKIMessage produced output with no signerInfos")
 		}
 	})
 }
 // genTestRSARAFuzz materialises a one-time RA pair for the fuzz seed
 // setup. Mirrors genTestRSARA from the round-trip tests but doesn't
 // take *testing.T (called from f.Fuzz setup, not a test body).
 func genTestRSARAFuzz() (*rsa.PrivateKey, *x509.Certificate) {
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, nil
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		Subject:      pkix.Name{CommonName: "fuzz-ra"},
 		Issuer:       pkix.Name{CommonName: "fuzz-ra"},
 		NotBefore:    time.Now().Add(-time.Hour),
 		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		return nil, nil
 	}
 	cert, err := x509.ParseCertificate(der)
 	if err != nil {
 		return nil, nil
 	}
 	return key, cert
 }
 // minimalIssuedCertPEMFuzz returns a tiny self-signed PEM cert reusing
 // the RA key. Avoids per-fuzz-iter rsa.GenerateKey overhead (which would
 // dominate the fuzz throughput).
 func minimalIssuedCertPEMFuzz(key *rsa.PrivateKey) string {
 	// We construct on demand since the issued cert template doesn't
 	// matter beyond being a parseable PEM-wrapped DER cert.
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(2),
 		Subject:      pkix.Name{CommonName: "fuzz-issued"},
 		Issuer:       pkix.Name{CommonName: "fuzz-issued"},
 		NotBefore:    time.Now().Add(-time.Hour),
 		NotAfter:     time.Now().Add(time.Hour),
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		return ""
 	}
 	return "-----BEGIN CERTIFICATE-----\n" +
 		derToBase64Fuzz(der) +
 		"-----END CERTIFICATE-----\n"
 }
 func derToBase64Fuzz(der []byte) string {
 	const enc = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
 	var out []byte
 	pad := (3 - len(der)%3) % 3
 	padded := append(append([]byte{}, der...), make([]byte, pad)...)
 	for i := 0; i < len(padded); i += 3 {
 		v := uint32(padded[i])<<16 | uint32(padded[i+1])<<8 | uint32(padded[i+2])
 		out = append(out, enc[v>>18&0x3f], enc[v>>12&0x3f], enc[v>>6&0x3f], enc[v&0x3f])
 	}
 	for i := 0; i < pad; i++ {
 		out[len(out)-1-i] = '='
 	}
 	// Wrap at 64 chars per PEM convention.
 	var wrapped []byte
 	for i := 0; i < len(out); i += 64 {
 		end := i + 64
 		if end > len(out) {
 			end = len(out)
 		}
 		wrapped = append(wrapped, out[i:end]...)
 		wrapped = append(wrapped, '\n')
 	}
 	return string(wrapped)
 }
@@ -0,0 +1,244 @@
 package pkcs7
 import (
 	"bytes"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"io"
 	"math/big"
 	"strings"
 	"testing"
 	"time"
 	"github.com/shankar0123/certctl/internal/domain"
 )
 // SCEP RFC 8894 Phase 3.1: round-trip tests for BuildCertRepPKIMessage.
 //
 // Each test materialises real RA + device pairs, calls
 // BuildCertRepPKIMessage with success/failure/pending shapes, then
 // parses the result back via ParseSignedData + EnvelopedData.Decrypt
 // to assert the wire bytes are recoverable. This catches drift between
 // the build-side encoding and the parse-side decoding without needing
 // a real SCEP client.
 func TestBuildCertRepPKIMessage_Success_RoundTrip(t *testing.T) {
 	raKey, raCert := genTestRSARA(t)
 	deviceKey, deviceCert := genTestRSARA(t) // device transient cert (RSA pub for KTRI)
 	// Synthesise an issued cert (the thing we want the device to receive).
 	issuedPEM := selfSignedCertPEM(t, "issued.example.com")
 	req := &domain.SCEPRequestEnvelope{
 		MessageType:   domain.SCEPMessageTypePKCSReq,
 		TransactionID: "txn-roundtrip-success",
 		SenderNonce:   []byte("0123456789abcdef"),
 		SignerCert:    deviceCert.Raw,
 	}
 	resp := &domain.SCEPResponseEnvelope{
 		Status:         domain.SCEPStatusSuccess,
 		TransactionID:  req.TransactionID,
 		RecipientNonce: req.SenderNonce,
 		Result: &domain.SCEPEnrollResult{
 			CertPEM: issuedPEM,
 		},
 	}
 	pkiMessage, err := BuildCertRepPKIMessage(req, resp, raCert, raKey)
 	if err != nil {
 		t.Fatalf("BuildCertRepPKIMessage: %v", err)
 	}
 	// Parse it back.
 	sd, err := ParseSignedData(pkiMessage)
 	if err != nil {
 		t.Fatalf("ParseSignedData: %v", err)
 	}
 	if len(sd.SignerInfos) != 1 {
 		t.Fatalf("len(SignerInfos) = %d, want 1", len(sd.SignerInfos))
 	}
 	si := sd.SignerInfos[0]
 	if err := si.VerifySignature(); err != nil {
 		t.Fatalf("VerifySignature(RA signature on CertRep): %v", err)
 	}
 	// Auth-attr round-trip.
 	mt, _ := si.GetMessageType()
 	if mt != domain.SCEPMessageTypeCertRep {
 		t.Errorf("messageType = %d, want CertRep (3)", mt)
 	}
 	tid, _ := si.GetTransactionID()
 	if tid != req.TransactionID {
 		t.Errorf("transactionID = %q, want %q", tid, req.TransactionID)
 	}
 	// recipientNonce echoes the request's senderNonce.
 	rn, _ := si.attrOctetString(OIDSCEPRecipientNonce)
 	if !bytes.Equal(rn, req.SenderNonce) {
 		t.Errorf("recipientNonce = %q, want %q", rn, req.SenderNonce)
 	}
 	// senderNonce is server-generated; verify it's 16 bytes.
 	sn, _ := si.GetSenderNonce()
 	if len(sn) != 16 {
 		t.Errorf("senderNonce len = %d, want 16", len(sn))
 	}
 	// pkiStatus = "0" (Success).
 	status, _ := si.attrPrintableString(OIDSCEPPKIStatus)
 	if status != string(domain.SCEPStatusSuccess) {
 		t.Errorf("pkiStatus = %q, want %q", status, domain.SCEPStatusSuccess)
 	}
 	// EncapContent should be a parseable EnvelopedData. Decrypt it with
 	// the device's RSA key and pull out the inner certs-only PKCS#7;
 	// confirm the issued cert is in the chain.
 	if len(sd.EncapContent) == 0 {
 		t.Fatal("encapContent empty for SUCCESS response")
 	}
 	env, err := ParseEnvelopedData(sd.EncapContent)
 	if err != nil {
 		t.Fatalf("ParseEnvelopedData(encapContent): %v", err)
 	}
 	innerCertsOnly, err := env.Decrypt(deviceKey, deviceCert)
 	if err != nil {
 		t.Fatalf("EnvelopedData.Decrypt with device key: %v", err)
 	}
 	// innerCertsOnly is a degenerate PKCS#7 SignedData carrying the
 	// issued cert(s). Use parseSignedDataForCSR's SignedData parsing
 	// pattern via ParseSignedData to recover the cert.
 	innerSD, err := ParseSignedData(innerCertsOnly)
 	if err != nil {
 		t.Fatalf("ParseSignedData(innerCertsOnly): %v", err)
 	}
 	if len(innerSD.Certificates) == 0 {
 		t.Fatal("inner certs-only PKCS#7 carries no certs")
 	}
 	if innerSD.Certificates[0].Subject.CommonName != "issued.example.com" {
 		t.Errorf("issued cert CN = %q, want issued.example.com", innerSD.Certificates[0].Subject.CommonName)
 	}
 }
 func TestBuildCertRepPKIMessage_Failure_NoEncapContent(t *testing.T) {
 	raKey, raCert := genTestRSARA(t)
 	_, deviceCert := genTestRSARA(t)
 	req := &domain.SCEPRequestEnvelope{
 		MessageType:   domain.SCEPMessageTypePKCSReq,
 		TransactionID: "txn-roundtrip-failure",
 		SenderNonce:   []byte("nonce-failure-12"),
 		SignerCert:    deviceCert.Raw,
 	}
 	resp := &domain.SCEPResponseEnvelope{
 		Status:         domain.SCEPStatusFailure,
 		FailInfo:       domain.SCEPFailBadMessageCheck,
 		TransactionID:  req.TransactionID,
 		RecipientNonce: req.SenderNonce,
 	}
 	pkiMessage, err := BuildCertRepPKIMessage(req, resp, raCert, raKey)
 	if err != nil {
 		t.Fatalf("BuildCertRepPKIMessage(failure): %v", err)
 	}
 	sd, err := ParseSignedData(pkiMessage)
 	if err != nil {
 		t.Fatalf("ParseSignedData: %v", err)
 	}
 	si := sd.SignerInfos[0]
 	if err := si.VerifySignature(); err != nil {
 		t.Fatalf("VerifySignature(failure response): %v", err)
 	}
 	// pkiStatus = "2", failInfo = "1" (BadMessageCheck).
 	status, _ := si.attrPrintableString(OIDSCEPPKIStatus)
 	if status != string(domain.SCEPStatusFailure) {
 		t.Errorf("pkiStatus = %q, want %q", status, domain.SCEPStatusFailure)
 	}
 	failInfo, _ := si.attrPrintableString(OIDSCEPFailInfo)
 	if failInfo != string(domain.SCEPFailBadMessageCheck) {
 		t.Errorf("failInfo = %q, want %q", failInfo, domain.SCEPFailBadMessageCheck)
 	}
 	// encapContent is empty for failure.
 	if len(sd.EncapContent) != 0 {
 		t.Errorf("encapContent non-empty for FAILURE: %d bytes", len(sd.EncapContent))
 	}
 }
 func TestBuildCertRepPKIMessage_FreshSenderNonceEachCall(t *testing.T) {
 	raKey, raCert := genTestRSARA(t)
 	_, deviceCert := genTestRSARA(t)
 	req := &domain.SCEPRequestEnvelope{
 		TransactionID: "txn-nonce", SenderNonce: []byte("0123456789abcdef"),
 		SignerCert: deviceCert.Raw,
 	}
 	resp := &domain.SCEPResponseEnvelope{
 		Status: domain.SCEPStatusFailure, FailInfo: domain.SCEPFailBadAlg,
 		TransactionID: req.TransactionID, RecipientNonce: req.SenderNonce,
 	}
 	a, _ := BuildCertRepPKIMessage(req, resp, raCert, raKey)
 	b, _ := BuildCertRepPKIMessage(req, resp, raCert, raKey)
 	sdA, _ := ParseSignedData(a)
 	sdB, _ := ParseSignedData(b)
 	nonceA, _ := sdA.SignerInfos[0].GetSenderNonce()
 	nonceB, _ := sdB.SignerInfos[0].GetSenderNonce()
 	if bytes.Equal(nonceA, nonceB) {
 		t.Errorf("senderNonce must be fresh per response, got identical: %x", nonceA)
 	}
 }
 func TestBuildCertRepPKIMessage_RejectsNonRSADeviceCert(t *testing.T) {
 	raKey, raCert := genTestRSARA(t)
 	_, deviceCert := genTestECDSASigner(t) // device cert with ECDSA pubkey — RSA required for KTRI
 	req := &domain.SCEPRequestEnvelope{
 		TransactionID: "txn-ec-device", SenderNonce: []byte("nonce-1234567890"),
 		SignerCert: deviceCert.Raw,
 	}
 	resp := &domain.SCEPResponseEnvelope{
 		Status:        domain.SCEPStatusSuccess,
 		TransactionID: req.TransactionID, RecipientNonce: req.SenderNonce,
 		Result: &domain.SCEPEnrollResult{CertPEM: selfSignedCertPEM(t, "ec-issued.example.com")},
 	}
 	_, err := BuildCertRepPKIMessage(req, resp, raCert, raKey)
 	if err == nil {
 		t.Fatal("BuildCertRepPKIMessage with ECDSA device cert: want error, got nil")
 	}
 	if !strings.Contains(err.Error(), "RSA public key") {
 		t.Errorf("error should mention RSA, got: %v", err)
 	}
 }
 func TestBuildCertRepPKIMessage_NilArgs_Refuses(t *testing.T) {
 	if _, err := BuildCertRepPKIMessage(nil, nil, nil, nil); err == nil {
 		t.Error("BuildCertRepPKIMessage(nil,nil,nil,nil) = nil, want error")
 	}
 }
 // --- helpers -------------------------------------------------------------
 // selfSignedCertPEM creates a fresh RSA self-signed cert with the given CN
 // and returns it PEM-encoded — used as the 'issued' cert in success-path
 // CertRep round-trip tests.
 func selfSignedCertPEM(t *testing.T, cn string) string {
 	t.Helper()
 	key, err := rsa.GenerateKey(testRand(), 2048)
 	if err != nil {
 		t.Fatalf("rsa.GenerateKey: %v", err)
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(0xCAFE),
 		Subject:      pkix.Name{CommonName: cn},
 		Issuer:       pkix.Name{CommonName: cn},
 		NotBefore:    time.Now().Add(-time.Hour),
 		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 	}
 	der, err := x509.CreateCertificate(testRand(), tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		t.Fatalf("CreateCertificate: %v", err)
 	}
 	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
 }
 // testRand returns the system random source. Wrapped here so tests can be
 // adapted to a deterministic source if golden-file tests need it later.
 func testRand() io.Reader { return rand.Reader }
@@ -0,0 +1,412 @@
 // EnvelopedData parser + decryptor for SCEP PKIMessage.
 //
 // RFC 5652 §6 (Cryptographic Message Syntax — EnvelopedData) +
 // RFC 8894 §3.2.2 (SCEP pkcsPKIEnvelope).
 //
 // SCEP RFC 8894 + Intune master bundle Phase 2.1.
 //
 // Equivalent to micromdm/scep's scep/cryptoutil/cryptoutil.go::DecryptPKCSEnvelope
 // (read for shape only; not vendored — certctl owns the fuzz targets in this
 // sub-package, see internal/pkcs7/envelopeddata_fuzz_test.go).
 //
 // ASN.1 structure being parsed (cited from RFC 5652 §6.1):
 //
 //	EnvelopedData ::= SEQUENCE {
 //	  version                  INTEGER,
 //	  originatorInfo           [0] IMPLICIT OriginatorInfo OPTIONAL,
 //	  recipientInfos           SET SIZE(1..MAX) OF RecipientInfo,
 //	  encryptedContentInfo     EncryptedContentInfo,
 //	  unprotectedAttrs         [1] IMPLICIT Attributes OPTIONAL
 //	}
 //
 //	RecipientInfo ::= CHOICE {
 //	  ktri                     KeyTransRecipientInfo,    -- the only one SCEP uses
 //	  -- (other CHOICE arms ignored: kari, kekri, pwri, ori)
 //	}
 //
 //	KeyTransRecipientInfo ::= SEQUENCE {
 //	  version                  INTEGER (0|2),
 //	  rid                      RecipientIdentifier,      -- IssuerAndSerialNumber for SCEP
 //	  keyEncryptionAlgorithm   AlgorithmIdentifier,      -- rsaEncryption (1.2.840.113549.1.1.1)
 //	  encryptedKey             OCTET STRING              -- AES key encrypted with RA cert pubkey
 //	}
 //
 //	EncryptedContentInfo ::= SEQUENCE {
 //	  contentType              OBJECT IDENTIFIER,        -- pkcs7-data (1.2.840.113549.1.7.1)
 //	  contentEncryptionAlgorithm AlgorithmIdentifier,    -- aes-128-cbc | aes-192-cbc | aes-256-cbc | des-ede3-cbc
 //	  encryptedContent         [0] IMPLICIT OCTET STRING -- the encrypted CSR bytes + PKCS#7 padding
 //	}
 package pkcs7
 import (
 	"crypto"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/des" //nolint:gosec // DES-EDE3-CBC is RFC 8894 §3.5.2 fallback for legacy MDM clients
 	"crypto/rsa"
 	"crypto/subtle"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"errors"
 	"fmt"
 	"math/big"
 )
 // SCEP / CMS algorithm OIDs used by the EnvelopedData path.
 //
 // Defined here as exported package vars so the CertRep builder (Phase 3)
 // shares the same OID encoding and the unit tests can pin the exact values.
 var (
 	// rsaEncryption — PKCS#1 v1.5 key transport (RFC 8017 §7.2).
 	OIDRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
 	// PKCS#7 / CMS data content type (RFC 5652 §4).
 	OIDDataContent = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}
 	// AES-128-CBC / AES-192-CBC / AES-256-CBC content-encryption algorithms
 	// (NIST CSOR / RFC 3565 §2).
 	OIDAES128CBC = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 2}
 	OIDAES192CBC = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 22}
 	OIDAES256CBC = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 42}
 	// DES-EDE3-CBC — RFC 8894 §3.5.2 advertises this as a legacy fallback;
 	// some Cisco IOS / older MDM clients still emit it. RFC 8894 itself
 	// does NOT mandate that the server accept DES; we accept it for
 	// max-compat and document the security caveat in docs/legacy-est-scep.md.
 	OIDDESEDE3CBC = asn1.ObjectIdentifier{1, 2, 840, 113549, 3, 7}
 )
 // ErrEnvelopedDataDecrypt is the sentinel decryption error. The caller
 // (handler / service) maps this to SCEPFailBadMessageCheck per RFC 8894
 // §3.3.2.2 + §3.2.2 (integrity-check failure semantics). The error text
 // is intentionally generic so the padding-oracle / Bleichenbacher leak
 // surfaces are closed: every failure mode (RSA decrypt failure, content
 // decrypt failure, padding malformed, unknown algorithm) returns the SAME
 // error message text.
 var ErrEnvelopedDataDecrypt = errors.New("envelopedData: decrypt failed")
 // EnvelopedData is the parsed RFC 5652 EnvelopedData structure ready for
 // Decrypt. Holds the recipient infos + the encrypted content algorithm /
 // IV / ciphertext.
 type EnvelopedData struct {
 	Version              int
 	RecipientInfos       []KeyTransRecipientInfo
 	ContentEncryptionAlg pkix.AlgorithmIdentifier
 	EncryptedContent     []byte // AES-CBC ciphertext; algorithm + IV in ContentEncryptionAlg
 }
 // KeyTransRecipientInfo is the RFC 5652 §6.2.1 KeyTransRecipientInfo. SCEP
 // only uses this CHOICE arm — the others (kari/kekri/pwri/ori) are
 // rejected at parse time as out-of-spec for SCEP.
 type KeyTransRecipientInfo struct {
 	Version          int
 	IssuerAndSerial  IssuerAndSerial
 	KeyEncryptionAlg pkix.AlgorithmIdentifier
 	EncryptedKey     []byte
 }
 // IssuerAndSerial is the recipient identifier (RFC 5652 §10.2.4). SCEP
 // requires the SubjectKeyIdentifier-as-bytes form to NOT be used; only
 // IssuerAndSerialNumber. The handler matches this against the loaded RA
 // cert (issuer + serial) to identify the matching recipient when the
 // envelope addresses multiple CAs.
 type IssuerAndSerial struct {
 	IssuerRaw    asn1.RawValue // RDN sequence of the issuer cert; raw so re-serialisation matches DER bit-for-bit
 	SerialNumber *big.Int
 }
 // envelopedDataASN1 is the ASN.1 unmarshal target for the EnvelopedData
 // structure inside the SignedData encapContentInfo (post-CMS-wrapping).
 // The version field comes first; recipientInfos is a SET (not SEQUENCE);
 // the encryptedContentInfo SEQUENCE follows.
 //
 // The originatorInfo [0] IMPLICIT OPTIONAL is rare in SCEP and skipped
 // at the raw-value level (we don't need it).
 type envelopedDataASN1 struct {
 	Version              int
 	RecipientInfos       []asn1.RawValue          `asn1:"set"`
 	EncryptedContentInfo encryptedContentInfoASN1 `asn1:""`
 	UnprotectedAttrs     asn1.RawValue            `asn1:"optional,tag:1"`
 }
 type encryptedContentInfoASN1 struct {
 	ContentType                asn1.ObjectIdentifier
 	ContentEncryptionAlgorithm pkix.AlgorithmIdentifier
 	EncryptedContent           asn1.RawValue `asn1:"optional,tag:0"`
 }
 type keyTransRecipientInfoASN1 struct {
 	Version          int
 	RID              asn1.RawValue // CHOICE — IssuerAndSerialNumber or [0] subjectKeyIdentifier
 	KeyEncryptionAlg pkix.AlgorithmIdentifier
 	EncryptedKey     []byte
 }
 type issuerAndSerialASN1 struct {
 	Issuer       asn1.RawValue
 	SerialNumber *big.Int
 }
 // ParseEnvelopedData parses raw DER-encoded EnvelopedData bytes.
 //
 // The caller passes the raw bytes from the inner pkcsPKIEnvelope (already
 // stripped of the outer SignedData → encapContentInfo → OCTET STRING
 // wrapper). Returns an EnvelopedData ready for Decrypt.
 //
 // Parse failures are returned as detailed errors so the handler can log
 // what was malformed; the eventual SCEP wire response collapses all
 // failures to BadMessageCheck.
 func ParseEnvelopedData(der []byte) (*EnvelopedData, error) {
 	if len(der) == 0 {
 		return nil, fmt.Errorf("envelopedData: empty input")
 	}
 	// Some encoders wrap the EnvelopedData in an outer ContentInfo
 	// (SEQUENCE { contentType OID, content [0] EXPLICIT EnvelopedData }).
 	// Try that shape first; on failure, parse the bytes directly.
 	if peeled, ok := peelContentInfo(der, OIDEnvelopedData); ok {
 		der = peeled
 	}
 	var raw envelopedDataASN1
 	rest, err := asn1.Unmarshal(der, &raw)
 	if err != nil {
 		return nil, fmt.Errorf("envelopedData: parse outer SEQUENCE: %w", err)
 	}
 	if len(rest) > 0 {
 		// Trailing bytes after a CMS structure are tolerated by some
 		// encoders; not a fatal parse error.
 		_ = rest
 	}
 	out := &EnvelopedData{
 		Version:              raw.Version,
 		ContentEncryptionAlg: raw.EncryptedContentInfo.ContentEncryptionAlgorithm,
 	}
 	// recipientInfos is SET OF RecipientInfo (CHOICE). We accept only the
 	// KeyTransRecipientInfo arm. Other CHOICE arms (kari = [1], kekri = [2],
 	// pwri = [3], ori = [4]) are skipped silently — Decrypt will fail with
 	// 'no matching recipient' if none of the SET members are KTRI.
 	for _, ri := range raw.RecipientInfos {
 		// KeyTransRecipientInfo is implicitly tagged as a SEQUENCE (no
 		// explicit context tag) per RFC 5652 §6.2 — it's the default
 		// CHOICE arm. The other arms carry context-specific tags.
 		if ri.Class != asn1.ClassUniversal || ri.Tag != asn1.TagSequence {
 			continue // not a KTRI; skip
 		}
 		var ktri keyTransRecipientInfoASN1
 		if _, err := asn1.Unmarshal(ri.FullBytes, &ktri); err != nil {
 			continue
 		}
 		// SCEP requires IssuerAndSerialNumber for the rid (RFC 8894 §3.2.2
 		// references RFC 5652 §6.2.1 with the v0 form). The v2 form uses
 		// SubjectKeyIdentifier in [0] — also accepted by some clients. We
 		// only support the v0 IssuerAndSerial form here; v2 clients that
 		// fail to match fall through to 'no matching recipient'.
 		var ias issuerAndSerialASN1
 		if _, err := asn1.Unmarshal(ktri.RID.FullBytes, &ias); err != nil {
 			continue // not IssuerAndSerial; skip
 		}
 		out.RecipientInfos = append(out.RecipientInfos, KeyTransRecipientInfo{
 			Version: ktri.Version,
 			IssuerAndSerial: IssuerAndSerial{
 				IssuerRaw:    ias.Issuer,
 				SerialNumber: ias.SerialNumber,
 			},
 			KeyEncryptionAlg: ktri.KeyEncryptionAlg,
 			EncryptedKey:     ktri.EncryptedKey,
 		})
 	}
 	if len(out.RecipientInfos) == 0 {
 		return nil, fmt.Errorf("envelopedData: no KeyTransRecipientInfo with IssuerAndSerial form found in SET")
 	}
 	// EncryptedContent is [0] IMPLICIT OCTET STRING. The IMPLICIT tagging
 	// strips the OCTET STRING tag; what we get is the raw ciphertext as
 	// asn1.RawValue.Bytes. (Some encoders use EXPLICIT; in that case
 	// FullBytes carries an extra [0] wrapper we strip below.)
 	if raw.EncryptedContentInfo.EncryptedContent.Class == asn1.ClassContextSpecific {
 		out.EncryptedContent = raw.EncryptedContentInfo.EncryptedContent.Bytes
 	}
 	if len(out.EncryptedContent) == 0 {
 		return nil, fmt.Errorf("envelopedData: empty encryptedContent")
 	}
 	return out, nil
 }
 // Decrypt decrypts the EnvelopedData using the RA private key.
 //
 // Algorithm:
 //  1. Find a RecipientInfo whose IssuerAndSerial matches raCert.
 //  2. RSA PKCS#1 v1.5 decrypt the EncryptedKey with raKey.
 //  3. AES-CBC (or DES-EDE3-CBC) decrypt EncryptedContent with the recovered
 //     symmetric key + the IV embedded in ContentEncryptionAlg.Parameters.
 //  4. Strip PKCS#7 padding in constant time (no branch on padding-byte
 //     values — closes the padding oracle leak).
 //
 // Every failure path returns ErrEnvelopedDataDecrypt with no other detail
 // to avoid leaking which step failed. Service-layer logs may include
 // per-step internal context, but the wire response carries only
 // SCEPFailBadMessageCheck.
 func (e *EnvelopedData) Decrypt(raKey crypto.PrivateKey, raCert *x509.Certificate) ([]byte, error) {
 	if e == nil {
 		return nil, ErrEnvelopedDataDecrypt
 	}
 	rsaKey, ok := raKey.(*rsa.PrivateKey)
 	if !ok {
 		// SCEP RA keys are RSA per RFC 8894 §3.5.2 (CMS key transport
 		// requires asymmetric keys with PKCS#1 v1.5; ECDSA can't do
 		// keyTrans). The preflight gate already enforces RSA-or-ECDSA on
 		// the RA cert, but Decrypt double-checks — the cert can be ECDSA
 		// (used for SignedData signing only) while EnvelopedData decryption
 		// requires RSA.
 		return nil, ErrEnvelopedDataDecrypt
 	}
 	// Find a recipient matching the RA cert. Match on issuer DN raw bytes +
 	// serial number — both must compare equal. The cert.RawIssuer is the
 	// DER of the issuer's RDNSequence, the same form CMS encodes here.
 	var ktri *KeyTransRecipientInfo
 	for i := range e.RecipientInfos {
 		ri := &e.RecipientInfos[i]
 		if subtle.ConstantTimeCompare(ri.IssuerAndSerial.IssuerRaw.FullBytes, raCert.RawIssuer) != 1 {
 			continue
 		}
 		if ri.IssuerAndSerial.SerialNumber == nil || raCert.SerialNumber == nil {
 			continue
 		}
 		if ri.IssuerAndSerial.SerialNumber.Cmp(raCert.SerialNumber) != 0 {
 			continue
 		}
 		ktri = ri
 		break
 	}
 	if ktri == nil {
 		// Wrong recipient — the envelope was addressed to a CA that isn't
 		// us. RFC 8894 §3.3.2.2 maps this to BadMessageCheck (integrity
 		// check failed), NOT BadCertID — the message is structurally fine,
 		// just not for us.
 		return nil, ErrEnvelopedDataDecrypt
 	}
 	if !ktri.KeyEncryptionAlg.Algorithm.Equal(OIDRSAEncryption) {
 		// Only PKCS#1 v1.5 keyTrans supported; OAEP would require parsing
 		// the algorithm parameters for the OAEP hash + MGF — out of scope
 		// for V2.
 		return nil, ErrEnvelopedDataDecrypt
 	}
 	// RSA PKCS#1 v1.5 decrypt the symmetric key. We use the variant that
 	// hides timing of malformed-padding rejection (rsa.DecryptPKCS1v15)
 	// returns an error on bad padding; combined with the constant
 	// ErrEnvelopedDataDecrypt response we close the timing leg of the
 	// Bleichenbacher attack at the wire level.
 	symKey, err := rsa.DecryptPKCS1v15(nil, rsaKey, ktri.EncryptedKey)
 	if err != nil {
 		return nil, ErrEnvelopedDataDecrypt
 	}
 	// Decrypt the content. AES-CBC algorithm parameters are the IV as a
 	// raw OCTET STRING (RFC 3565 §2.3); DES-EDE3-CBC same shape (RFC 8894
 	// §3.5.2 advertises this).
 	plaintext, err := decryptCBC(e.ContentEncryptionAlg, symKey, e.EncryptedContent)
 	if err != nil {
 		return nil, ErrEnvelopedDataDecrypt
 	}
 	return plaintext, nil
 }
 // decryptCBC dispatches on the content-encryption algorithm OID to the
 // matching cipher constructor + CBC decrypt + constant-time PKCS#7 unpad.
 func decryptCBC(alg pkix.AlgorithmIdentifier, key, ciphertext []byte) ([]byte, error) {
 	// The IV is the raw OCTET STRING in alg.Parameters (RFC 3565 §2.3,
 	// RFC 8894 §3.5.2). asn1.RawValue.Bytes carries the OCTET STRING
 	// content already (the SEQUENCE wrapper is stripped by the unmarshal).
 	iv := alg.Parameters.Bytes
 	var block cipher.Block
 	var err error
 	switch {
 	case alg.Algorithm.Equal(OIDAES128CBC), alg.Algorithm.Equal(OIDAES192CBC), alg.Algorithm.Equal(OIDAES256CBC):
 		// AES key length must match the algorithm. Reject mismatched
 		// lengths at the cipher constructor — the wire response stays
 		// generic via ErrEnvelopedDataDecrypt.
 		block, err = aes.NewCipher(key)
 	case alg.Algorithm.Equal(OIDDESEDE3CBC):
 		block, err = des.NewTripleDESCipher(key) //nolint:gosec // RFC 8894 §3.5.2 legacy fallback
 	default:
 		return nil, fmt.Errorf("unsupported content-encryption algorithm: %v", alg.Algorithm)
 	}
 	if err != nil {
 		return nil, err
 	}
 	if len(iv) != block.BlockSize() {
 		return nil, fmt.Errorf("iv length %d does not match block size %d", len(iv), block.BlockSize())
 	}
 	if len(ciphertext) == 0 || len(ciphertext)%block.BlockSize() != 0 {
 		return nil, fmt.Errorf("ciphertext length %d not multiple of block size %d", len(ciphertext), block.BlockSize())
 	}
 	plaintext := make([]byte, len(ciphertext))
 	dec := cipher.NewCBCDecrypter(block, iv)
 	dec.CryptBlocks(plaintext, ciphertext)
 	// Constant-time PKCS#7 padding strip.
 	//
 	// Last byte is the padding length P (1..blockSize). Every byte in the
 	// last P bytes must equal P. We accumulate any deviation into a
 	// bitwise-OR `bad` byte that's zero iff every check passes; the
 	// length cap is also folded into the same accumulator. Branch only on
 	// the accumulator at the end. NEVER branch on padding-byte values
 	// mid-loop (that's the padding oracle).
 	bs := block.BlockSize()
 	if len(plaintext) == 0 {
 		return nil, fmt.Errorf("plaintext empty after decrypt")
 	}
 	pad := plaintext[len(plaintext)-1]
 	// pad must be in [1, bs]. `padTooBig` is 0xff when pad > bs, else 0x00.
 	padTooBig := byte(int(pad)-1) >> 7 // 1 if pad==0, else 0
 	padTooBig |= byte((int(bs)-int(pad))>>31) & 0x01
 	bad := padTooBig
 	// Walk the LAST `bs` bytes (a fixed window equal to one block); for
 	// each byte at position N from the end, if N < pad it must equal pad.
 	// Use bitwise mask 'inWindow' to fold the conditional check into the
 	// accumulator without branching.
 	for i := 1; i <= bs && i <= len(plaintext); i++ {
 		// inWindow is 0xff when i <= pad, else 0x00
 		inWindow := byte(int(int(pad)-i) >> 31) // 0xff if pad-i < 0 → not in window
 		inWindow = ^inWindow                    // flip: 0xff if i <= pad
 		mismatch := plaintext[len(plaintext)-i] ^ pad
 		bad |= inWindow & mismatch
 	}
 	if bad != 0 {
 		return nil, fmt.Errorf("invalid PKCS#7 padding")
 	}
 	return plaintext[:len(plaintext)-int(pad)], nil
 }
 // peelContentInfo strips the optional outer ContentInfo wrapper when it's
 // present. CMS callers either hand us the bare EnvelopedData SEQUENCE or
 // the same SEQUENCE wrapped in
 //
 //	ContentInfo ::= SEQUENCE {
 //	  contentType OBJECT IDENTIFIER,
 //	  content     [0] EXPLICIT ANY DEFINED BY contentType
 //	}
 //
 // We try the wrapper shape first and unwrap to the inner content; on
 // any parse failure the caller proceeds with the original bytes.
 func peelContentInfo(der []byte, expectOID asn1.ObjectIdentifier) ([]byte, bool) {
 	var ci struct {
 		ContentType asn1.ObjectIdentifier
 		Content     asn1.RawValue `asn1:"explicit,tag:0"`
 	}
 	if _, err := asn1.Unmarshal(der, &ci); err != nil {
 		return nil, false
 	}
 	if !ci.ContentType.Equal(expectOID) {
 		return nil, false
 	}
 	return ci.Content.Bytes, true
 }
 // OIDEnvelopedData identifies the envelopedData CMS content type (RFC 5652
 // §6, OID 1.2.840.113549.1.7.3). Used by peelContentInfo when the inbound
 // bytes carry the optional ContentInfo wrapper.
 var OIDEnvelopedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 3}
@@ -0,0 +1,33 @@
 package pkcs7
 import "testing"
 // FuzzParseEnvelopedData is the panic-safety fuzzer for ParseEnvelopedData.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 2.5: every parser certctl
 // adds gets a Fuzz target in the same package (the fuzz-target-ownership
 // rule from cowork/CLAUDE.md::Operating Rules). The point isn't to find
 // vulnerabilities (the parser uses stdlib encoding/asn1 which is itself
 // fuzzed upstream) — it's to prove that arbitrary attacker-controlled
 // bytes cannot panic the SCEP server. Any panic = an availability bug.
 //
 // Seed corpus: a known-good EnvelopedData built by buildTestEnvelope plus
 // a handful of degenerate inputs (empty, single byte, all zeros) that
 // should each return an error without panicking.
 func FuzzParseEnvelopedData(f *testing.F) {
 	// Seed: empty input.
 	f.Add([]byte{})
 	// Seed: a SEQUENCE tag with an absurd length (asn1 layer should
 	// reject before we get to our code).
 	f.Add([]byte{0x30, 0x82, 0xff, 0xff})
 	// Seed: a known-good EnvelopedData built dynamically below — but the
 	// fuzz seed corpus must be deterministic, so we skip the full RA-pair
 	// build and just feed a small SEQUENCE-shaped blob.
 	f.Add([]byte{0x30, 0x03, 0x02, 0x01, 0x00})
 	f.Fuzz(func(t *testing.T, data []byte) {
 		// Whatever happens, no panic. Errors are fine; nil parse with
 		// nil error would be a bug but the contract is just no-panic.
 		_, _ = ParseEnvelopedData(data)
 	})
 }
@@ -0,0 +1,286 @@
 package pkcs7
 import (
 	"bytes"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"errors"
 	"math/big"
 	"testing"
 	"time"
 )
 // SCEP RFC 8894 Phase 2.1: round-trip tests for ParseEnvelopedData +
 // EnvelopedData.Decrypt.
 //
 // Each test materialises a real RSA RA cert + key, builds an EnvelopedData
 // by hand (encrypting a known plaintext with AES-256-CBC using a fresh
 // random key transported via PKCS#1 v1.5 wrap of the RA pubkey), then
 // parses + decrypts and asserts plaintext equality.
 //
 // The point of the round-trip is to pin the exact wire format: the
 // per-field DER encoding has to match what real SCEP clients emit
 // (Cisco IOS, ChromeOS, Intune Connector). If the parse succeeds but the
 // decrypt comes back garbled, the wire-format encoding is off in a way
 // the unit tests catch.
 func TestEnvelopedData_RoundTrip_AES256CBC(t *testing.T) {
 	raKey, raCert := genTestRSARA(t)
 	plaintext := []byte("hello SCEP world — this is the encapsulated CSR DER bytes")
 	envelope := buildTestEnvelope(t, raCert, plaintext, OIDAES256CBC, 32)
 	parsed, err := ParseEnvelopedData(envelope)
 	if err != nil {
 		t.Fatalf("ParseEnvelopedData: %v", err)
 	}
 	if len(parsed.RecipientInfos) != 1 {
 		t.Fatalf("len(RecipientInfos) = %d, want 1", len(parsed.RecipientInfos))
 	}
 	if !parsed.ContentEncryptionAlg.Algorithm.Equal(OIDAES256CBC) {
 		t.Errorf("ContentEncryptionAlg = %v, want AES-256-CBC", parsed.ContentEncryptionAlg.Algorithm)
 	}
 	got, err := parsed.Decrypt(raKey, raCert)
 	if err != nil {
 		t.Fatalf("Decrypt: %v", err)
 	}
 	if !bytes.Equal(got, plaintext) {
 		t.Errorf("Decrypt plaintext mismatch:\n got=%q\nwant=%q", got, plaintext)
 	}
 }
 func TestEnvelopedData_RoundTrip_AES128CBC(t *testing.T) {
 	raKey, raCert := genTestRSARA(t)
 	plaintext := []byte("AES-128 round-trip — short ciphertext, single-block worth of data")
 	envelope := buildTestEnvelope(t, raCert, plaintext, OIDAES128CBC, 16)
 	parsed, err := ParseEnvelopedData(envelope)
 	if err != nil {
 		t.Fatalf("ParseEnvelopedData: %v", err)
 	}
 	got, err := parsed.Decrypt(raKey, raCert)
 	if err != nil {
 		t.Fatalf("Decrypt: %v", err)
 	}
 	if !bytes.Equal(got, plaintext) {
 		t.Errorf("plaintext mismatch")
 	}
 }
 func TestEnvelopedData_Decrypt_WrongRA_ReturnsBadMessageCheck(t *testing.T) {
 	correctKey, correctCert := genTestRSARA(t)
 	wrongKey, wrongCert := genTestRSARA(t)
 	plaintext := []byte("addressed to the right CA, decrypted with the wrong one")
 	envelope := buildTestEnvelope(t, correctCert, plaintext, OIDAES256CBC, 32)
 	parsed, err := ParseEnvelopedData(envelope)
 	if err != nil {
 		t.Fatalf("ParseEnvelopedData: %v", err)
 	}
 	// Wrong cert (issuer mismatch) — RFC 8894 §3.3.2.2 says BadMessageCheck.
 	_, err = parsed.Decrypt(wrongKey, wrongCert)
 	if !errors.Is(err, ErrEnvelopedDataDecrypt) {
 		t.Errorf("Decrypt with wrong RA cert: err = %v, want ErrEnvelopedDataDecrypt", err)
 	}
 	// Right cert, wrong key — same generic error to close the timing leak.
 	_, err = parsed.Decrypt(wrongKey, correctCert)
 	if !errors.Is(err, ErrEnvelopedDataDecrypt) {
 		t.Errorf("Decrypt with mismatched key: err = %v, want ErrEnvelopedDataDecrypt", err)
 	}
 	// Right key, right cert — succeeds.
 	got, err := parsed.Decrypt(correctKey, correctCert)
 	if err != nil {
 		t.Fatalf("Decrypt with correct pair: %v", err)
 	}
 	if !bytes.Equal(got, plaintext) {
 		t.Errorf("plaintext mismatch")
 	}
 }
 func TestEnvelopedData_Decrypt_TamperedCiphertext_Refuses(t *testing.T) {
 	raKey, raCert := genTestRSARA(t)
 	plaintext := []byte("plaintext we'll corrupt mid-flight")
 	envelope := buildTestEnvelope(t, raCert, plaintext, OIDAES256CBC, 32)
 	parsed, err := ParseEnvelopedData(envelope)
 	if err != nil {
 		t.Fatalf("ParseEnvelopedData: %v", err)
 	}
 	// Flip a bit in the LAST ciphertext block — corrupts the padding the
 	// constant-time strip should catch.
 	if len(parsed.EncryptedContent) < 16 {
 		t.Fatal("ciphertext too short to tamper")
 	}
 	parsed.EncryptedContent[len(parsed.EncryptedContent)-1] ^= 0xff
 	_, err = parsed.Decrypt(raKey, raCert)
 	if !errors.Is(err, ErrEnvelopedDataDecrypt) {
 		t.Errorf("Decrypt tampered ciphertext: err = %v, want ErrEnvelopedDataDecrypt", err)
 	}
 }
 func TestEnvelopedData_Parse_Empty_Refuses(t *testing.T) {
 	if _, err := ParseEnvelopedData(nil); err == nil {
 		t.Error("ParseEnvelopedData(nil) = nil, want error")
 	}
 	if _, err := ParseEnvelopedData([]byte{}); err == nil {
 		t.Error("ParseEnvelopedData(empty) = nil, want error")
 	}
 }
 func TestEnvelopedData_Parse_RandomGarbage_Refuses(t *testing.T) {
 	garbage := []byte{0x30, 0x82, 0x00, 0x05, 0x01, 0x02, 0x03, 0x04, 0x05}
 	if _, err := ParseEnvelopedData(garbage); err == nil {
 		t.Error("ParseEnvelopedData(garbage) = nil, want error")
 	}
 }
 // --- helpers -------------------------------------------------------------
 func genTestRSARA(t *testing.T) (*rsa.PrivateKey, *x509.Certificate) {
 	t.Helper()
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatalf("rsa.GenerateKey: %v", err)
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(time.Now().UnixNano()),
 		Subject:      pkix.Name{CommonName: "ra-test"},
 		Issuer:       pkix.Name{CommonName: "ra-test"},
 		NotBefore:    time.Now().Add(-1 * time.Hour),
 		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		t.Fatalf("CreateCertificate: %v", err)
 	}
 	cert, err := x509.ParseCertificate(der)
 	if err != nil {
 		t.Fatalf("ParseCertificate: %v", err)
 	}
 	return key, cert
 }
 // buildTestEnvelope hand-constructs an EnvelopedData targeting raCert that
 // encrypts plaintext with the given AES-CBC algorithm + keyLen. Mirrors
 // what a real SCEP client would emit (Cisco IOS / Intune Connector / etc.).
 //
 // Returns the raw DER bytes ready to feed into ParseEnvelopedData.
 func buildTestEnvelope(t *testing.T, raCert *x509.Certificate, plaintext []byte, algOID asn1.ObjectIdentifier, keyLen int) []byte {
 	t.Helper()
 	// 1. Generate a random symmetric key + IV.
 	symKey := make([]byte, keyLen)
 	if _, err := rand.Read(symKey); err != nil {
 		t.Fatalf("rand.Read symKey: %v", err)
 	}
 	iv := make([]byte, aes.BlockSize)
 	if _, err := rand.Read(iv); err != nil {
 		t.Fatalf("rand.Read iv: %v", err)
 	}
 	// 2. PKCS#7-pad the plaintext to a multiple of the block size.
 	bs := aes.BlockSize
 	padLen := bs - len(plaintext)%bs
 	padded := append([]byte{}, plaintext...)
 	for i := 0; i < padLen; i++ {
 		padded = append(padded, byte(padLen))
 	}
 	// 3. AES-CBC encrypt.
 	block, err := aes.NewCipher(symKey)
 	if err != nil {
 		t.Fatalf("aes.NewCipher: %v", err)
 	}
 	enc := cipher.NewCBCEncrypter(block, iv)
 	ciphertext := make([]byte, len(padded))
 	enc.CryptBlocks(ciphertext, padded)
 	// 4. RSA PKCS#1 v1.5 encrypt the symmetric key with the RA pubkey.
 	encryptedKey, err := rsa.EncryptPKCS1v15(rand.Reader, raCert.PublicKey.(*rsa.PublicKey), symKey)
 	if err != nil {
 		t.Fatalf("rsa.EncryptPKCS1v15: %v", err)
 	}
 	// 5. Build the IssuerAndSerialNumber identifying the RA cert.
 	issuerRDN := asn1.RawValue{FullBytes: raCert.RawIssuer}
 	rid, err := asn1.Marshal(struct {
 		Issuer       asn1.RawValue
 		SerialNumber *big.Int
 	}{Issuer: issuerRDN, SerialNumber: raCert.SerialNumber})
 	if err != nil {
 		t.Fatalf("marshal IssuerAndSerial: %v", err)
 	}
 	// 6. Build the KeyTransRecipientInfo SEQUENCE.
 	keyEncAlg := pkix.AlgorithmIdentifier{Algorithm: OIDRSAEncryption, Parameters: asn1.NullRawValue}
 	ktriBytes, err := asn1.Marshal(struct {
 		Version          int
 		RID              asn1.RawValue
 		KeyEncryptionAlg pkix.AlgorithmIdentifier
 		EncryptedKey     []byte
 	}{
 		Version:          0,
 		RID:              asn1.RawValue{FullBytes: rid},
 		KeyEncryptionAlg: keyEncAlg,
 		EncryptedKey:     encryptedKey,
 	})
 	if err != nil {
 		t.Fatalf("marshal KTRI: %v", err)
 	}
 	// 7. Build the AlgorithmIdentifier with the IV as parameters
 	//    (RFC 3565 §2.3 — IV is OCTET STRING, fed in via Parameters).
 	ivParam, err := asn1.Marshal(iv)
 	if err != nil {
 		t.Fatalf("marshal IV: %v", err)
 	}
 	contentAlg := pkix.AlgorithmIdentifier{
 		Algorithm:  algOID,
 		Parameters: asn1.RawValue{FullBytes: ivParam},
 	}
 	// 8. Build the EncryptedContentInfo SEQUENCE.
 	//    encryptedContent is [0] IMPLICIT OCTET STRING — the content bytes
 	//    appear directly after the [0] tag, without an inner OCTET STRING
 	//    wrapper.
 	encContent := asn1.RawValue{
 		Class:      asn1.ClassContextSpecific,
 		Tag:        0,
 		IsCompound: false,
 		Bytes:      ciphertext,
 	}
 	eciBytes, err := asn1.Marshal(struct {
 		ContentType                asn1.ObjectIdentifier
 		ContentEncryptionAlgorithm pkix.AlgorithmIdentifier
 		EncryptedContent           asn1.RawValue
 	}{
 		ContentType:                OIDDataContent,
 		ContentEncryptionAlgorithm: contentAlg,
 		EncryptedContent:           encContent,
 	})
 	if err != nil {
 		t.Fatalf("marshal ECI: %v", err)
 	}
 	// 9. Build the EnvelopedData SEQUENCE.
 	envBytes, err := asn1.Marshal(struct {
 		Version        int
 		RecipientInfos []asn1.RawValue `asn1:"set"`
 		EncryptedECI   asn1.RawValue
 	}{
 		Version:        0,
 		RecipientInfos: []asn1.RawValue{{FullBytes: ktriBytes}},
 		EncryptedECI:   asn1.RawValue{FullBytes: eciBytes},
 	})
 	if err != nil {
 		t.Fatalf("marshal EnvelopedData: %v", err)
 	}
 	return envBytes
 }
@@ -0,0 +1,486 @@
 // SignerInfo parser + signature verifier for SCEP PKIMessage.
 //
 // RFC 5652 §5 (SignedData) + RFC 8894 §3.2.1 (SCEP authenticatedAttributes).
 //
 // SCEP RFC 8894 + Intune master bundle Phase 2.2.
 //
 // The wire shape this parses (cited from RFC 5652 §5.3):
 //
 //	SignedData ::= SEQUENCE {
 //	  version                  INTEGER,
 //	  digestAlgorithms         SET OF AlgorithmIdentifier,
 //	  encapContentInfo         EncapsulatedContentInfo,
 //	  certificates             [0] IMPLICIT SET OF CertificateChoices OPTIONAL,
 //	  crls                     [1] IMPLICIT SET OF RevocationInfoChoices OPTIONAL,
 //	  signerInfos              SET OF SignerInfo                              -- the field this file targets
 //	}
 //
 //	SignerInfo ::= SEQUENCE {
 //	  version                  INTEGER (1|3),
 //	  sid                      SignerIdentifier,        -- IssuerAndSerial for v1, SubjectKeyId for v3
 //	  digestAlgorithm          AlgorithmIdentifier,
 //	  signedAttrs              [0] IMPLICIT SignedAttributes OPTIONAL,
 //	  signatureAlgorithm       AlgorithmIdentifier,
 //	  signature                OCTET STRING,
 //	  unsignedAttrs            [1] IMPLICIT UnsignedAttributes OPTIONAL
 //	}
 //
 //	SignedAttributes ::= SET SIZE (1..MAX) OF Attribute
 //	Attribute ::= SEQUENCE { attrType OID, attrValues SET OF AttributeValue }
 //
 // The CMS signature is computed over the DER re-serialisation of the
 // signedAttrs as a SET OF Attribute (NOT as the [0] IMPLICIT-tagged form
 // it appears as in the wire). RFC 5652 §5.4 spells this out — easy to
 // get wrong, every CMS implementation has hit this.
 package pkcs7
 import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/rsa"
 	"crypto/sha1" //nolint:gosec // SHA-1 is RFC 8894 §3.5.2 baseline; SHA-256 also accepted
 	"crypto/sha256"
 	"crypto/sha512"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"errors"
 	"fmt"
 	"math/big"
 	"strconv"
 	"github.com/shankar0123/certctl/internal/domain"
 )
 // SCEP authenticated-attribute OIDs (RFC 8894 §3.2.1.4).
 var (
 	OIDSCEPMessageType    = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 2}
 	OIDSCEPPKIStatus      = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 3}
 	OIDSCEPFailInfo       = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 4}
 	OIDSCEPSenderNonce    = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 5}
 	OIDSCEPRecipientNonce = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 6}
 	OIDSCEPTransactionID  = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 7}
 	// CMS standard authenticated-attribute OIDs used by the signature
 	// verification (RFC 5652 §11).
 	OIDContentType   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 3}
 	OIDMessageDigest = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4}
 	OIDSigningTime   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 5}
 	// CMS digest algorithm OIDs.
 	OIDSHA1   = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}
 	OIDSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
 	OIDSHA512 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
 	// Signature algorithm OIDs the verifier accepts.
 	OIDRSAWithSHA1     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
 	OIDRSAWithSHA256   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
 	OIDRSAWithSHA512   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
 	OIDECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
 	OIDECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4}
 	// signedData CMS content type (RFC 5652 §5).
 	OIDSignedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}
 )
 // ErrSignerInfoVerify is returned when signature verification fails. Like
 // the EnvelopedData decrypt error, the message text is intentionally
 // generic so the wire response collapses to BadMessageCheck.
 var ErrSignerInfoVerify = errors.New("signerInfo: signature verification failed")
 // SignerInfo represents an unwrapped CMS signerInfo with its parsed
 // authenticatedAttributes. Used for SCEP POPO verification.
 type SignerInfo struct {
 	Version            int
 	SignerCert         *x509.Certificate        // device's transient signing cert (from the SignedData certificates field)
 	AuthAttributes     map[string]asn1.RawValue // keyed by attribute OID dotted-string
 	rawSignedAttrs     []byte                   // DER of the [0] IMPLICIT SignedAttributes — used for re-serialisation
 	DigestAlgorithm    asn1.ObjectIdentifier
 	SignatureAlgorithm asn1.ObjectIdentifier
 	Signature          []byte
 }
 // SignedData is the parsed top-level SignedData structure with the
 // signers + the optional certificates the SET carries (used to look up
 // the device's transient signing cert by SignerInfo.sid).
 type SignedData struct {
 	Version          int
 	DigestAlgorithms []pkix.AlgorithmIdentifier
 	EncapContentType asn1.ObjectIdentifier
 	EncapContent     []byte // the inner content the SignedData wraps; nil if the wire used external signature
 	Certificates     []*x509.Certificate
 	SignerInfos      []*SignerInfo
 }
 // signedDataASN1 is the ASN.1 unmarshal target for the SignedData
 // structure. Members tagged with their on-the-wire shapes.
 type signedDataASN1 struct {
 	Version          int
 	DigestAlgorithms []pkix.AlgorithmIdentifier `asn1:"set"`
 	EncapContentInfo encapContentInfoASN1
 	Certificates     asn1.RawValue   `asn1:"optional,tag:0"` // [0] IMPLICIT SET OF Certificate
 	CRLs             asn1.RawValue   `asn1:"optional,tag:1"`
 	SignerInfos      []asn1.RawValue `asn1:"set"`
 }
 type encapContentInfoASN1 struct {
 	ContentType asn1.ObjectIdentifier
 	Content     asn1.RawValue `asn1:"optional,explicit,tag:0"`
 }
 type signerInfoASN1 struct {
 	Version            int
 	SID                asn1.RawValue // CHOICE — IssuerAndSerial (default) or [0] SubjectKeyId
 	DigestAlgorithm    pkix.AlgorithmIdentifier
 	SignedAttrs        asn1.RawValue `asn1:"optional,tag:0"` // [0] IMPLICIT SET OF Attribute
 	SignatureAlgorithm pkix.AlgorithmIdentifier
 	Signature          []byte
 	UnsignedAttrs      asn1.RawValue `asn1:"optional,tag:1"`
 }
 type attributeASN1 struct {
 	Type   asn1.ObjectIdentifier
 	Values asn1.RawValue `asn1:"set"` // SET OF AttributeValue — left raw; per-attr decoder handles
 }
 // ParseSignedData parses a CMS ContentInfo wrapping a SignedData and
 // returns the parsed structure including any certs + signerInfos.
 //
 // SCEP clients put the device's transient signing cert in the
 // certificates field; the handler's POPO check picks the cert matching
 // each signerInfo's SID and verifies with that cert's public key.
 func ParseSignedData(der []byte) (*SignedData, error) {
 	if len(der) == 0 {
 		return nil, fmt.Errorf("signedData: empty input")
 	}
 	// Try peeling the optional outer ContentInfo (SEQUENCE { OID, [0] EXPLICIT ANY }).
 	if peeled, ok := peelContentInfo(der, OIDSignedData); ok {
 		der = peeled
 	}
 	var raw signedDataASN1
 	if _, err := asn1.Unmarshal(der, &raw); err != nil {
 		return nil, fmt.Errorf("signedData: parse outer SEQUENCE: %w", err)
 	}
 	out := &SignedData{
 		Version:          raw.Version,
 		DigestAlgorithms: raw.DigestAlgorithms,
 		EncapContentType: raw.EncapContentInfo.ContentType,
 	}
 	// EncapContent is [0] EXPLICIT — the [0] EXPLICIT wrapper holds an
 	// OCTET STRING whose Bytes are the inner content. Some encoders use
 	// a degenerate empty content (external-signature mode); that's fine.
 	if len(raw.EncapContentInfo.Content.Bytes) > 0 {
 		// The OCTET STRING wrapper inside [0] EXPLICIT — strip it.
 		var innerOctet asn1.RawValue
 		if _, err := asn1.Unmarshal(raw.EncapContentInfo.Content.Bytes, &innerOctet); err == nil && innerOctet.Tag == asn1.TagOctetString {
 			out.EncapContent = innerOctet.Bytes
 		} else {
 			out.EncapContent = raw.EncapContentInfo.Content.Bytes
 		}
 	}
 	// Parse certificates SET. Each member is a Certificate (SEQUENCE).
 	if len(raw.Certificates.Bytes) > 0 {
 		certBytes := raw.Certificates.Bytes
 		for len(certBytes) > 0 {
 			var rv asn1.RawValue
 			rest, err := asn1.Unmarshal(certBytes, &rv)
 			if err != nil {
 				break
 			}
 			if rv.Class == asn1.ClassUniversal && rv.Tag == asn1.TagSequence {
 				if cert, err := x509.ParseCertificate(rv.FullBytes); err == nil {
 					out.Certificates = append(out.Certificates, cert)
 				}
 				// else: not a parseable cert (could be other CertificateChoices) — skip
 			}
 			certBytes = rest
 		}
 	}
 	// Parse each SignerInfo + look up its SignerCert from out.Certificates.
 	for _, siRaw := range raw.SignerInfos {
 		si, err := parseSignerInfoFromRaw(siRaw, out.Certificates)
 		if err != nil {
 			// Skip individual unparseable signerInfos rather than failing
 			// the whole SignedData — multi-signer CMS may have one bad
 			// signer alongside good ones (rare in SCEP, but keep tolerant).
 			continue
 		}
 		out.SignerInfos = append(out.SignerInfos, si)
 	}
 	// Empty signerInfos is valid for the degenerate certs-only PKCS#7
 	// form (RFC 8894 §3.5.1 GetCACert response, RFC 7030 EST cacerts) —
 	// a SignedData with only the certificates field populated and no
 	// signers. The caller of ParseSignedData decides whether the lack
 	// of signers is an error in their context (the SCEP RFC 8894
 	// PKIMessage handler treats it as a fall-through to the MVP path;
 	// the CertRep certs-only inner content treats it as expected).
 	return out, nil
 }
 // ParseSignerInfos extracts SignerInfo records from a SignedData blob.
 // Convenience wrapper around ParseSignedData when the caller only cares
 // about the signers, not the certificates list.
 func ParseSignerInfos(signedDataDER []byte) ([]*SignerInfo, error) {
 	sd, err := ParseSignedData(signedDataDER)
 	if err != nil {
 		return nil, err
 	}
 	return sd.SignerInfos, nil
 }
 func parseSignerInfoFromRaw(raw asn1.RawValue, certs []*x509.Certificate) (*SignerInfo, error) {
 	var siRaw signerInfoASN1
 	if _, err := asn1.Unmarshal(raw.FullBytes, &siRaw); err != nil {
 		return nil, fmt.Errorf("signerInfo: parse SEQUENCE: %w", err)
 	}
 	si := &SignerInfo{
 		Version:            siRaw.Version,
 		AuthAttributes:     map[string]asn1.RawValue{},
 		DigestAlgorithm:    siRaw.DigestAlgorithm.Algorithm,
 		SignatureAlgorithm: siRaw.SignatureAlgorithm.Algorithm,
 		Signature:          siRaw.Signature,
 		rawSignedAttrs:     siRaw.SignedAttrs.Bytes, // bytes inside the [0] IMPLICIT — used for re-serialisation
 	}
 	// Walk authenticated attributes (SET OF Attribute). The [0] IMPLICIT
 	// wrapper means siRaw.SignedAttrs.Bytes holds the SET-OF body directly
 	// (no extra OCTET STRING wrapper).
 	attrBytes := siRaw.SignedAttrs.Bytes
 	for len(attrBytes) > 0 {
 		var attr attributeASN1
 		rest, err := asn1.Unmarshal(attrBytes, &attr)
 		if err != nil {
 			break
 		}
 		si.AuthAttributes[attr.Type.String()] = attr.Values
 		attrBytes = rest
 	}
 	// Resolve SignerCert by matching the SID against the certs list. SCEP
 	// uses IssuerAndSerial for v1; the [0] IMPLICIT SubjectKeyId form is
 	// v3 — accept both.
 	si.SignerCert = matchSignerCert(siRaw.SID, certs)
 	if si.SignerCert == nil {
 		return nil, fmt.Errorf("signerInfo: SignerCert not found in SignedData certificates")
 	}
 	return si, nil
 }
 func matchSignerCert(sid asn1.RawValue, certs []*x509.Certificate) *x509.Certificate {
 	// IssuerAndSerial form: SEQUENCE (no context tag) — universal class.
 	if sid.Class == asn1.ClassUniversal && sid.Tag == asn1.TagSequence {
 		var ias issuerAndSerialASN1
 		if _, err := asn1.Unmarshal(sid.FullBytes, &ias); err == nil {
 			for _, c := range certs {
 				if c.SerialNumber == nil || ias.SerialNumber == nil {
 					continue
 				}
 				if ias.SerialNumber.Cmp(c.SerialNumber) != 0 {
 					continue
 				}
 				if asn1Equal(ias.Issuer.FullBytes, c.RawIssuer) {
 					return c
 				}
 			}
 		}
 		return nil
 	}
 	// SubjectKeyIdentifier form: [0] IMPLICIT OCTET STRING.
 	if sid.Class == asn1.ClassContextSpecific && sid.Tag == 0 {
 		ski := sid.Bytes
 		for _, c := range certs {
 			if asn1Equal(c.SubjectKeyId, ski) {
 				return c
 			}
 		}
 	}
 	return nil
 }
 func asn1Equal(a, b []byte) bool {
 	if len(a) != len(b) {
 		return false
 	}
 	for i := range a {
 		if a[i] != b[i] {
 			return false
 		}
 	}
 	return true
 }
 // VerifySignature verifies the signerInfo's signature over the
 // authenticatedAttributes (SCEP POPO).
 //
 // CMS signature semantics (RFC 5652 §5.4):
 //
 //  1. Re-serialise signedAttrs as a SET OF Attribute. The wire form is
 //     [0] IMPLICIT, but the signature is computed over the EXPLICIT
 //     SET OF re-serialisation. Easy mistake; this is the canonical CMS
 //     quirk every implementation hits.
 //  2. Hash the re-serialised bytes with DigestAlgorithm.
 //  3. Verify Signature against the hash using SignerCert.PublicKey +
 //     SignatureAlgorithm.
 //
 // Supports RSA-PKCS1v15 + ECDSA. Rejects RSA-PSS as out-of-spec for SCEP.
 func (s *SignerInfo) VerifySignature() error {
 	if s == nil || s.SignerCert == nil {
 		return ErrSignerInfoVerify
 	}
 	if len(s.rawSignedAttrs) == 0 {
 		return ErrSignerInfoVerify
 	}
 	// Re-serialise as SET OF Attribute. We have rawSignedAttrs which is
 	// the bytes INSIDE the [0] IMPLICIT wrapper — that's the SET OF body.
 	// Wrap with the SET tag (0x31) + length to get the canonical form
 	// the signature is computed over.
 	signedAttrsForSig := ASN1Wrap(0x31, s.rawSignedAttrs)
 	// Hash with the digest algorithm.
 	digest, hashAlg, err := hashForOID(s.DigestAlgorithm, signedAttrsForSig)
 	if err != nil {
 		return ErrSignerInfoVerify
 	}
 	switch pub := s.SignerCert.PublicKey.(type) {
 	case *rsa.PublicKey:
 		if !isRSASigAlg(s.SignatureAlgorithm) {
 			return ErrSignerInfoVerify
 		}
 		if err := rsa.VerifyPKCS1v15(pub, hashAlg, digest, s.Signature); err != nil {
 			return ErrSignerInfoVerify
 		}
 		return nil
 	case *ecdsa.PublicKey:
 		if !isECDSASigAlg(s.SignatureAlgorithm) {
 			return ErrSignerInfoVerify
 		}
 		// crypto/ecdsa.VerifyASN1 takes the same hash, returns bool
 		if !ecdsa.VerifyASN1(pub, digest, s.Signature) {
 			return ErrSignerInfoVerify
 		}
 		return nil
 	default:
 		return ErrSignerInfoVerify
 	}
 }
 func hashForOID(oid asn1.ObjectIdentifier, data []byte) ([]byte, crypto.Hash, error) {
 	switch {
 	case oid.Equal(OIDSHA256), oid.Equal(OIDRSAWithSHA256), oid.Equal(OIDECDSAWithSHA256):
 		h := sha256.Sum256(data)
 		return h[:], crypto.SHA256, nil
 	case oid.Equal(OIDSHA512), oid.Equal(OIDRSAWithSHA512), oid.Equal(OIDECDSAWithSHA512):
 		h := sha512.Sum512(data)
 		return h[:], crypto.SHA512, nil
 	case oid.Equal(OIDSHA1), oid.Equal(OIDRSAWithSHA1):
 		// SHA-1 still appears in legacy SCEP clients (Cisco IOS pre-2018).
 		// RFC 8894 §3.5.2 advertises SHA-256 as preferred but does not ban SHA-1.
 		h := sha1.Sum(data) //nolint:gosec // RFC 8894 §3.5.2 baseline
 		return h[:], crypto.SHA1, nil
 	}
 	return nil, 0, fmt.Errorf("unsupported digest algorithm: %v", oid)
 }
 func isRSASigAlg(oid asn1.ObjectIdentifier) bool {
 	return oid.Equal(OIDRSAWithSHA1) || oid.Equal(OIDRSAWithSHA256) || oid.Equal(OIDRSAWithSHA512) || oid.Equal(OIDRSAEncryption)
 }
 func isECDSASigAlg(oid asn1.ObjectIdentifier) bool {
 	return oid.Equal(OIDECDSAWithSHA256) || oid.Equal(OIDECDSAWithSHA512)
 }
 // --- SCEP authenticated-attribute extractors -----------------------------
 // GetMessageType returns the SCEP messageType value (RFC 8894 §3.2.1.4.1
 // — encoded as a PrintableString containing the decimal ASCII of the
 // message type integer, e.g. "19" for PKCSReq).
 func (s *SignerInfo) GetMessageType() (domain.SCEPMessageType, error) {
 	str, err := s.attrPrintableString(OIDSCEPMessageType)
 	if err != nil {
 		return 0, err
 	}
 	mt, err := strconv.Atoi(str)
 	if err != nil {
 		return 0, fmt.Errorf("messageType: parse %q as integer: %w", str, err)
 	}
 	return domain.SCEPMessageType(mt), nil
 }
 // GetTransactionID returns the SCEP transactionID (RFC 8894 §3.2.1.4.4 —
 // PrintableString chosen by the client; server MUST echo verbatim in
 // CertRep).
 func (s *SignerInfo) GetTransactionID() (string, error) {
 	return s.attrPrintableString(OIDSCEPTransactionID)
 }
 // GetSenderNonce returns the 16-byte SCEP senderNonce (RFC 8894 §3.2.1.4.5
 // — OCTET STRING).
 func (s *SignerInfo) GetSenderNonce() ([]byte, error) {
 	return s.attrOctetString(OIDSCEPSenderNonce)
 }
 // GetMessageDigest returns the standard CMS messageDigest auth-attr
 // (RFC 5652 §11.2). Used by the signature verification — when
 // signedAttrs is present, the signature is over the re-serialised
 // signedAttrs SET; the messageDigest auth-attr is what binds the
 // signedAttrs to the encapContent.
 func (s *SignerInfo) GetMessageDigest() ([]byte, error) {
 	return s.attrOctetString(OIDMessageDigest)
 }
 // attrPrintableString extracts a PrintableString from the AuthAttributes
 // SET-OF-Attribute-Values for the given attribute OID. Caller-side validation
 // of length / charset is left to the SCEP-specific extractor.
 func (s *SignerInfo) attrPrintableString(oid asn1.ObjectIdentifier) (string, error) {
 	rv, ok := s.AuthAttributes[oid.String()]
 	if !ok {
 		return "", fmt.Errorf("auth-attr %v not present", oid)
 	}
 	// rv is the SET OF AttributeValue — typically one element. The
 	// first element is a PrintableString or IA5String.
 	if len(rv.Bytes) == 0 {
 		return "", fmt.Errorf("auth-attr %v: empty value", oid)
 	}
 	var inner asn1.RawValue
 	if _, err := asn1.Unmarshal(rv.Bytes, &inner); err != nil {
 		return "", fmt.Errorf("auth-attr %v: unmarshal value: %w", oid, err)
 	}
 	// PrintableString / IA5String / UTF8String all carry their bytes
 	// directly in inner.Bytes.
 	switch inner.Tag {
 	case asn1.TagPrintableString, asn1.TagIA5String, asn1.TagUTF8String:
 		return string(inner.Bytes), nil
 	}
 	return "", fmt.Errorf("auth-attr %v: unexpected value tag %d", oid, inner.Tag)
 }
 func (s *SignerInfo) attrOctetString(oid asn1.ObjectIdentifier) ([]byte, error) {
 	rv, ok := s.AuthAttributes[oid.String()]
 	if !ok {
 		return nil, fmt.Errorf("auth-attr %v not present", oid)
 	}
 	if len(rv.Bytes) == 0 {
 		return nil, fmt.Errorf("auth-attr %v: empty value", oid)
 	}
 	var inner asn1.RawValue
 	if _, err := asn1.Unmarshal(rv.Bytes, &inner); err != nil {
 		return nil, fmt.Errorf("auth-attr %v: unmarshal value: %w", oid, err)
 	}
 	if inner.Tag != asn1.TagOctetString {
 		return nil, fmt.Errorf("auth-attr %v: unexpected value tag %d (want OCTET STRING)", oid, inner.Tag)
 	}
 	return inner.Bytes, nil
 }
 // silence unused warning for big.Int — referenced via issuerAndSerialASN1 in
 // envelopeddata.go but the linker only sees it once per package; this keeps
 // the import healthy if someone deletes envelopeddata.go's helper struct.
 var _ = (*big.Int)(nil)
@@ -0,0 +1,57 @@
 package pkcs7
 import "testing"
 // FuzzParseSignedData / FuzzParseSignerInfos are the panic-safety fuzzers
 // for the SignedData parser path used by the SCEP RFC 8894 handler.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 2.5. Each parser certctl
 // adds gets a Fuzz target so attacker-controlled wire bytes cannot
 // crash the server (availability bug). Errors are expected for arbitrary
 // inputs; only panics are bugs.
 func FuzzParseSignedData(f *testing.F) {
 	f.Add([]byte{})
 	f.Add([]byte{0x30, 0x03, 0x02, 0x01, 0x00})
 	f.Add([]byte{0x30, 0x82, 0x05, 0x01, 0x02, 0x03})
 	// A short SEQUENCE that LOOKS like a ContentInfo with a signedData OID
 	// but is too truncated to actually decode.
 	f.Add([]byte{0x30, 0x0e, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x00})
 	f.Fuzz(func(t *testing.T, data []byte) {
 		_, _ = ParseSignedData(data)
 	})
 }
 func FuzzParseSignerInfos(f *testing.F) {
 	f.Add([]byte{})
 	f.Add([]byte{0x30, 0x00})
 	f.Fuzz(func(t *testing.T, data []byte) {
 		_, _ = ParseSignerInfos(data)
 	})
 }
 // FuzzVerifySignerInfoSignature stresses the verification path with an
 // arbitrary SignerInfo body (including signature, auth-attrs, cert
 // reference). The verification is expected to fail for arbitrary inputs;
 // the invariant the fuzzer enforces is no-panic.
 //
 // The test feeds the input bytes through ParseSignedData first so the
 // fuzz exercises the same parse → SignerInfo extraction → verify path
 // the production handler runs. Skip-on-parse-error is acceptable —
 // fuzzing a parse failure adds zero value here; the parse fuzzer above
 // already covers that path.
 func FuzzVerifySignerInfoSignature(f *testing.F) {
 	f.Add([]byte{})
 	f.Add([]byte{0x30, 0x00})
 	f.Fuzz(func(t *testing.T, data []byte) {
 		sd, err := ParseSignedData(data)
 		if err != nil || sd == nil {
 			return // covered by FuzzParseSignedData
 		}
 		for _, si := range sd.SignerInfos {
 			_ = si.VerifySignature() // invariant: no panic
 		}
 	})
 }
@@ -0,0 +1,360 @@
 package pkcs7
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"errors"
 	"math/big"
 	"testing"
 	"time"
 	"github.com/shankar0123/certctl/internal/domain"
 )
 // SCEP RFC 8894 Phase 2.2: round-trip tests for ParseSignedData +
 // SignerInfo.VerifySignature + auth-attr extractors.
 //
 // Each test materialises a real signing cert + signs auth-attrs over a
 // known content, then re-parses and verifies. Catches drift between the
 // signing-side encoding and the verification-side re-serialisation
 // (RFC 5652 §5.4 SET OF Attribute quirk).
 func TestSignerInfo_RoundTrip_RSAWithSHA256(t *testing.T) {
 	signer, signerCert := genTestRSASigner(t)
 	signedData := buildTestSignedData(t, signer, signerCert,
 		domain.SCEPMessageTypePKCSReq, "txn-12345", []byte("0123456789abcdef"),
 		[]byte("encapsulated content (typically EnvelopedData bytes)"))
 	parsed, err := ParseSignedData(signedData)
 	if err != nil {
 		t.Fatalf("ParseSignedData: %v", err)
 	}
 	if len(parsed.SignerInfos) != 1 {
 		t.Fatalf("len(SignerInfos) = %d, want 1", len(parsed.SignerInfos))
 	}
 	si := parsed.SignerInfos[0]
 	if err := si.VerifySignature(); err != nil {
 		t.Fatalf("VerifySignature: %v", err)
 	}
 	// Auth-attr extractors.
 	mt, err := si.GetMessageType()
 	if err != nil {
 		t.Fatalf("GetMessageType: %v", err)
 	}
 	if mt != domain.SCEPMessageTypePKCSReq {
 		t.Errorf("GetMessageType = %d, want %d", mt, domain.SCEPMessageTypePKCSReq)
 	}
 	tid, err := si.GetTransactionID()
 	if err != nil {
 		t.Fatalf("GetTransactionID: %v", err)
 	}
 	if tid != "txn-12345" {
 		t.Errorf("GetTransactionID = %q, want %q", tid, "txn-12345")
 	}
 	nonce, err := si.GetSenderNonce()
 	if err != nil {
 		t.Fatalf("GetSenderNonce: %v", err)
 	}
 	if string(nonce) != "0123456789abcdef" {
 		t.Errorf("GetSenderNonce = %q, want %q", nonce, "0123456789abcdef")
 	}
 }
 func TestSignerInfo_RoundTrip_ECDSAWithSHA256(t *testing.T) {
 	signer, signerCert := genTestECDSASigner(t)
 	signedData := buildTestSignedData(t, signer, signerCert,
 		domain.SCEPMessageTypeRenewalReq, "txn-ec-1", []byte("nonce-ec-aaaa-bbbb"),
 		[]byte("encap content"))
 	parsed, err := ParseSignedData(signedData)
 	if err != nil {
 		t.Fatalf("ParseSignedData: %v", err)
 	}
 	si := parsed.SignerInfos[0]
 	if err := si.VerifySignature(); err != nil {
 		t.Fatalf("VerifySignature (ECDSA): %v", err)
 	}
 	mt, err := si.GetMessageType()
 	if err != nil {
 		t.Fatalf("GetMessageType: %v", err)
 	}
 	if mt != domain.SCEPMessageTypeRenewalReq {
 		t.Errorf("GetMessageType = %d, want RenewalReq (17)", mt)
 	}
 }
 func TestSignerInfo_VerifySignature_TamperedAttrs_Refuses(t *testing.T) {
 	signer, signerCert := genTestRSASigner(t)
 	signedData := buildTestSignedData(t, signer, signerCert,
 		domain.SCEPMessageTypePKCSReq, "txn-tamper", []byte("nonce-aaaa-bbbb"),
 		[]byte("content"))
 	parsed, err := ParseSignedData(signedData)
 	if err != nil {
 		t.Fatalf("ParseSignedData: %v", err)
 	}
 	si := parsed.SignerInfos[0]
 	// Tamper with rawSignedAttrs by flipping the last byte. Re-verification
 	// must reject — proves the signature is bound to the auth-attr bytes.
 	si.rawSignedAttrs[len(si.rawSignedAttrs)-1] ^= 0x01
 	if err := si.VerifySignature(); !errors.Is(err, ErrSignerInfoVerify) {
 		t.Errorf("VerifySignature(tampered attrs) = %v, want ErrSignerInfoVerify", err)
 	}
 }
 func TestParseSignedData_Empty_Refuses(t *testing.T) {
 	if _, err := ParseSignedData(nil); err == nil {
 		t.Error("ParseSignedData(nil) = nil, want error")
 	}
 	if _, err := ParseSignedData([]byte{}); err == nil {
 		t.Error("ParseSignedData(empty) = nil, want error")
 	}
 }
 func TestParseSignedData_Garbage_Refuses(t *testing.T) {
 	garbage := []byte{0x30, 0x82, 0x05, 0x01, 0x02, 0x03}
 	if _, err := ParseSignedData(garbage); err == nil {
 		t.Error("ParseSignedData(garbage) = nil, want error")
 	}
 }
 // --- helpers -------------------------------------------------------------
 type testSigner interface {
 	Sign(data []byte) ([]byte, error)
 	DigestOID() asn1.ObjectIdentifier
 	SignatureOID() asn1.ObjectIdentifier
 }
 type rsaTestSigner struct{ k *rsa.PrivateKey }
 func (s *rsaTestSigner) Sign(data []byte) ([]byte, error) {
 	h := sha256.Sum256(data)
 	return rsa.SignPKCS1v15(rand.Reader, s.k, 0+5, h[:]) // 5 == crypto.SHA256 in crypto.Hash enum
 }
 func (s *rsaTestSigner) DigestOID() asn1.ObjectIdentifier    { return OIDSHA256 }
 func (s *rsaTestSigner) SignatureOID() asn1.ObjectIdentifier { return OIDRSAWithSHA256 }
 type ecdsaTestSigner struct{ k *ecdsa.PrivateKey }
 func (s *ecdsaTestSigner) Sign(data []byte) ([]byte, error) {
 	h := sha256.Sum256(data)
 	return ecdsa.SignASN1(rand.Reader, s.k, h[:])
 }
 func (s *ecdsaTestSigner) DigestOID() asn1.ObjectIdentifier    { return OIDSHA256 }
 func (s *ecdsaTestSigner) SignatureOID() asn1.ObjectIdentifier { return OIDECDSAWithSHA256 }
 func genTestRSASigner(t *testing.T) (testSigner, *x509.Certificate) {
 	t.Helper()
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatalf("rsa.GenerateKey: %v", err)
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(time.Now().UnixNano() ^ 0xDEAD),
 		Subject:      pkix.Name{CommonName: "device-rsa"},
 		Issuer:       pkix.Name{CommonName: "device-rsa"},
 		NotBefore:    time.Now().Add(-time.Hour),
 		NotAfter:     time.Now().Add(24 * time.Hour),
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		t.Fatalf("CreateCertificate: %v", err)
 	}
 	cert, err := x509.ParseCertificate(der)
 	if err != nil {
 		t.Fatalf("ParseCertificate: %v", err)
 	}
 	return &rsaTestSigner{k: key}, cert
 }
 func genTestECDSASigner(t *testing.T) (testSigner, *x509.Certificate) {
 	t.Helper()
 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Fatalf("ecdsa.GenerateKey: %v", err)
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(time.Now().UnixNano() ^ 0xBEEF),
 		Subject:      pkix.Name{CommonName: "device-ec"},
 		Issuer:       pkix.Name{CommonName: "device-ec"},
 		NotBefore:    time.Now().Add(-time.Hour),
 		NotAfter:     time.Now().Add(24 * time.Hour),
 		KeyUsage:     x509.KeyUsageDigitalSignature,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		t.Fatalf("CreateCertificate: %v", err)
 	}
 	cert, err := x509.ParseCertificate(der)
 	if err != nil {
 		t.Fatalf("ParseCertificate: %v", err)
 	}
 	return &ecdsaTestSigner{k: key}, cert
 }
 // buildTestSignedData hand-constructs a CMS SignedData with one SignerInfo
 // carrying SCEP authenticated attributes (messageType, transactionID,
 // senderNonce, plus the standard CMS contentType + messageDigest).
 //
 // The signing pipeline mirrors what micromdm/scep + the ChromeOS SCEP
 // client emit: the device hashes the encap content into messageDigest,
 // the auth-attrs are SET-OF re-serialised, hashed, and signed.
 //
 // Implementation note: built directly with ASN1Wrap helpers rather than
 // relying on asn1.Marshal of structs containing asn1.RawValue fields —
 // asn1.Marshal of nested RawValues with mixed Class/Tag has been finicky
 // and the helpers give us byte-level control that matches what's on the wire.
 func buildTestSignedData(t *testing.T, signer testSigner, signerCert *x509.Certificate, messageType domain.SCEPMessageType, transactionID string, senderNonce, encapContent []byte) []byte {
 	t.Helper()
 	// 1. messageDigest auth-attr: SHA-256 of the encap content.
 	contentDigest := sha256.Sum256(encapContent)
 	// 2. Build each auth-attr as Attribute ::= SEQUENCE { OID, SET OF Value }
 	//    using the helpers. Marshal each value individually then wrap.
 	attrSetBody := buildSCEPAuthAttrs(t, contentDigest[:], messageType, transactionID, senderNonce)
 	// 3. Compute the signature over SET OF Attribute.
 	signedAttrsForSig := ASN1Wrap(0x31, attrSetBody)
 	sig, err := signer.Sign(signedAttrsForSig)
 	if err != nil {
 		t.Fatalf("signer.Sign: %v", err)
 	}
 	// 4. Build the SignerInfo SEQUENCE byte-by-byte.
 	versionBytes := []byte{0x02, 0x01, 0x01} // INTEGER 1
 	// SID is IssuerAndSerialNumber: SEQUENCE { Issuer (RDN), SerialNumber INTEGER }
 	serialDER, err := asn1.Marshal(signerCert.SerialNumber)
 	if err != nil {
 		t.Fatalf("marshal serial: %v", err)
 	}
 	sidBody := append([]byte{}, signerCert.RawIssuer...) // already in DER
 	sidBody = append(sidBody, serialDER...)
 	sidBytes := ASN1Wrap(0x30, sidBody)
 	// DigestAlgorithm: AlgorithmIdentifier — encode via stdlib (small struct, no nested RawValue issues).
 	digestAlgBytes := mustMarshal(t, pkix.AlgorithmIdentifier{Algorithm: signer.DigestOID(), Parameters: asn1.NullRawValue})
 	// SignedAttrs as [0] IMPLICIT SET OF — tag 0xA0 wraps the SET body.
 	signedAttrsImplicitBytes := ASN1Wrap(0xa0, attrSetBody)
 	// SignatureAlgorithm.
 	sigAlg := pkix.AlgorithmIdentifier{Algorithm: signer.SignatureOID()}
 	if signer.SignatureOID().Equal(OIDRSAWithSHA256) {
 		sigAlg.Parameters = asn1.NullRawValue
 	}
 	sigAlgBytes := mustMarshal(t, sigAlg)
 	// Signature: OCTET STRING.
 	sigOctetBytes := ASN1Wrap(0x04, sig)
 	siBody := append([]byte{}, versionBytes...)
 	siBody = append(siBody, sidBytes...)
 	siBody = append(siBody, digestAlgBytes...)
 	siBody = append(siBody, signedAttrsImplicitBytes...)
 	siBody = append(siBody, sigAlgBytes...)
 	siBody = append(siBody, sigOctetBytes...)
 	siBytes := ASN1Wrap(0x30, siBody)
 	// 5. Build encapContentInfo SEQUENCE { OID data, [0] EXPLICIT OCTET STRING }.
 	octetBytes := ASN1Wrap(0x04, encapContent)         // OCTET STRING
 	encapContentExplicit := ASN1Wrap(0xa0, octetBytes) // [0] EXPLICIT
 	oidDataBytes := mustMarshal(t, OIDDataContent)
 	encapBody := append([]byte{}, oidDataBytes...)
 	encapBody = append(encapBody, encapContentExplicit...)
 	encapBytes := ASN1Wrap(0x30, encapBody)
 	// 6. certificates [0] IMPLICIT SET OF Certificate — body is one cert DER.
 	certsBytes := ASN1Wrap(0xa0, signerCert.Raw)
 	// 7. digestAlgorithms SET OF AlgorithmIdentifier (one entry).
 	digestAlgsBytes := ASN1Wrap(0x31, digestAlgBytes)
 	// 8. signerInfos SET OF SignerInfo (one entry).
 	signerInfosBytes := ASN1Wrap(0x31, siBytes)
 	// 9. Assemble SignedData SEQUENCE.
 	sdBody := append([]byte{}, []byte{0x02, 0x01, 0x01}...) // version
 	sdBody = append(sdBody, digestAlgsBytes...)
 	sdBody = append(sdBody, encapBytes...)
 	sdBody = append(sdBody, certsBytes...)
 	sdBody = append(sdBody, signerInfosBytes...)
 	sdSeq := ASN1Wrap(0x30, sdBody)
 	// 10. Wrap as ContentInfo SEQUENCE { OID signedData, [0] EXPLICIT SignedData }.
 	contentField := ASN1Wrap(0xa0, sdSeq)
 	oidSignedDataDER := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02}
 	ciBody := append([]byte{}, oidSignedDataDER...)
 	ciBody = append(ciBody, contentField...)
 	return ASN1Wrap(0x30, ciBody)
 }
 // buildSCEPAuthAttrs builds the SET-OF body of SCEP auth-attrs (the bytes
 // inside the [0] IMPLICIT SignedAttrs wrapper). Each Attribute is a SEQUENCE
 // of (OID, SET OF Value); we build them with ASN1Wrap to avoid asn1.Marshal
 // nuances with nested RawValues.
 func buildSCEPAuthAttrs(t *testing.T, msgDigest []byte, messageType domain.SCEPMessageType, transactionID string, senderNonce []byte) []byte {
 	t.Helper()
 	var out []byte
 	// contentType: SET OF OID = SET { OID data }
 	out = append(out, attrSeq(t, OIDContentType, ASN1Wrap(0x06, []byte{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01}))...)
 	// messageDigest: SET OF OCTET STRING
 	out = append(out, attrSeq(t, OIDMessageDigest, ASN1Wrap(0x04, msgDigest))...)
 	// SCEP messageType: SET OF PrintableString (decimal ASCII)
 	out = append(out, attrSeq(t, OIDSCEPMessageType, ASN1Wrap(0x13, []byte(intToAscii(int(messageType)))))...)
 	// SCEP transactionID: SET OF PrintableString
 	out = append(out, attrSeq(t, OIDSCEPTransactionID, ASN1Wrap(0x13, []byte(transactionID)))...)
 	// SCEP senderNonce: SET OF OCTET STRING
 	out = append(out, attrSeq(t, OIDSCEPSenderNonce, ASN1Wrap(0x04, senderNonce))...)
 	return out
 }
 // attrSeq builds one Attribute SEQUENCE: SEQUENCE { OID, SET OF value }.
 // The `value` arg is one already-encoded TLV (e.g. an OCTET STRING or
 // PrintableString); attrSeq wraps it in a SET and prefixes the OID.
 func attrSeq(t *testing.T, oid asn1.ObjectIdentifier, value []byte) []byte {
 	t.Helper()
 	oidBytes := mustMarshal(t, oid)
 	setOfValue := ASN1Wrap(0x31, value)
 	body := append([]byte{}, oidBytes...)
 	body = append(body, setOfValue...)
 	return ASN1Wrap(0x30, body)
 }
 func mustMarshal(t *testing.T, v interface{}) []byte {
 	t.Helper()
 	out, err := asn1.Marshal(v)
 	if err != nil {
 		t.Fatalf("marshal %T: %v", v, err)
 	}
 	return out
 }
 func intToAscii(i int) string {
 	if i == 0 {
 		return "0"
 	}
 	neg := i < 0
 	if neg {
 		i = -i
 	}
 	var b []byte
 	for i > 0 {
 		b = append([]byte{byte('0' + i%10)}, b...)
 		i /= 10
 	}
 	if neg {
 		b = append([]byte{'-'}, b...)
 	}
 	return string(b)
 }
@@ -0,0 +1,343 @@
 package intune
 import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"math/big"
 	"strings"
 	"time"
 )
 // Typed challenge-validation errors. The handler audits the specific
 // failure dimension via errors.Is so operators can distinguish e.g. an
 // expired challenge (clock skew, latent enrollment) from a tampered one
 // (active attack) without string-matching error messages.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 7.4.
 var (
 	ErrChallengeMalformed      = errors.New("intune: challenge is not in the JWT-like compact-serialization format")
 	ErrChallengeSignature      = errors.New("intune: challenge signature does not verify against any configured trust anchor")
 	ErrChallengeExpired        = errors.New("intune: challenge expired")
 	ErrChallengeNotYetValid    = errors.New("intune: challenge not yet valid (iat in future, possible clock skew)")
 	ErrChallengeWrongAudience  = errors.New("intune: challenge audience does not match this SCEP endpoint URL")
 	ErrChallengeReplay         = errors.New("intune: challenge nonce already seen (replay attempt)")
 	ErrChallengeUnknownVersion = errors.New("intune: challenge has an unknown version claim — parser does not support this format")
 )
 // ParseChallenge decodes the JWT-like compact serialization of an Intune
 // dynamic challenge into header, payload, and signature byte slices. Does
 // NOT verify the signature; that's ValidateChallenge's job.
 //
 // Format: base64url(header) "." base64url(payload) "." base64url(signature)
 // where the base64url alphabet is RFC 4648 §5 (URL-safe, no padding).
 //
 // We accept both padded and unpadded base64url because some Connector
 // versions have shipped padded encodings in the wild despite RFC 7515 §2
 // mandating unpadded. The stdlib base64.RawURLEncoding rejects padding,
 // so we strip trailing '=' before decoding.
 func ParseChallenge(raw string) (header, payload, signature []byte, err error) {
 	if raw == "" {
 		return nil, nil, nil, fmt.Errorf("%w: empty input", ErrChallengeMalformed)
 	}
 	parts := strings.Split(raw, ".")
 	if len(parts) != 3 {
 		return nil, nil, nil, fmt.Errorf("%w: expected 3 dot-separated segments, got %d", ErrChallengeMalformed, len(parts))
 	}
 	for i, p := range parts {
 		if p == "" {
 			return nil, nil, nil, fmt.Errorf("%w: segment %d is empty", ErrChallengeMalformed, i)
 		}
 	}
 	header, err = b64urlDecode(parts[0])
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("%w: header base64url: %v", ErrChallengeMalformed, err)
 	}
 	payload, err = b64urlDecode(parts[1])
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("%w: payload base64url: %v", ErrChallengeMalformed, err)
 	}
 	signature, err = b64urlDecode(parts[2])
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("%w: signature base64url: %v", ErrChallengeMalformed, err)
 	}
 	// Sanity-check the header parses as JSON before we hand it back; a
 	// non-JSON header is a clear malformed signal we'd otherwise only
 	// catch later in ValidateChallenge during alg dispatch. Earlier
 	// rejection = better operator audit log shape.
 	var probe map[string]any
 	if err := json.Unmarshal(header, &probe); err != nil {
 		return nil, nil, nil, fmt.Errorf("%w: header is not JSON: %v", ErrChallengeMalformed, err)
 	}
 	return header, payload, signature, nil
 }
 // b64urlDecode decodes RFC 4648 §5 base64url with or without trailing
 // '=' padding. RFC 7515 §2 mandates unpadded; some Intune Connector
 // versions emit padded; tolerate both.
 func b64urlDecode(s string) ([]byte, error) {
 	stripped := strings.TrimRight(s, "=")
 	return base64.RawURLEncoding.DecodeString(stripped)
 }
 // jwtHeader is the JOSE-style header carried in the first segment of an
 // Intune challenge. We only consult `alg` for signature dispatch; other
 // JWS fields (kid, x5c, jku, etc.) are intentionally NOT honored — the
 // trust anchor is operator-supplied at startup and pinned, not negotiated
 // per-request. Honoring kid/jku would expand the attack surface to "any
 // URL the Connector header claims is the truth," which is exactly the
 // JWT vulnerability class we're avoiding by not pulling in a full JOSE
 // implementation.
 type jwtHeader struct {
 	Alg string `json:"alg"`
 	Typ string `json:"typ,omitempty"`
 }
 // versionedChallenge is the lightest possible pre-parse to extract a
 // version claim BEFORE the full JSON unmarshal commits to a struct
 // shape. v1 (current) has no "version" key; v2+ MUST.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 7.4 (version dispatcher
 // rationale): Microsoft has changed the Connector signed-challenge format
 // at least twice in the past 5 years. Adding the dispatcher today costs
 // ~30 LoC + 2 tests; not having it when v2 ships costs a P0 incident
 // where every Intune enrollment fails until a hot-fix lands.
 type versionedChallenge struct {
 	Version string `json:"version,omitempty"`
 }
 // versionUnmarshalers maps a version string to its claim parser. Adding
 // v2 = adding a parser + a registration line. Adding v3 = same. Existing
 // v1 path stays untouched.
 var versionUnmarshalers = map[string]func(payload []byte) (*ChallengeClaim, error){
 	"":   unmarshalChallengeV1, // legacy / current default
 	"v1": unmarshalChallengeV1, // explicit v1, future-belt-and-suspenders
 	// "v2": unmarshalChallengeV2,  // ← future, when Microsoft ships it
 }
 // challengePayloadV1 is the on-the-wire JSON shape of the v1 Connector
 // challenge. Separated from the public ChallengeClaim because the wire
 // format uses Unix-second numerics for iat/exp while the in-memory type
 // uses time.Time (caller-friendly + sentinel-safe).
 type challengePayloadV1 struct {
 	Issuer     string   `json:"iss,omitempty"`
 	Subject    string   `json:"sub,omitempty"`
 	Audience   string   `json:"aud,omitempty"`
 	IssuedAt   int64    `json:"iat,omitempty"`
 	ExpiresAt  int64    `json:"exp,omitempty"`
 	Nonce      string   `json:"nonce,omitempty"`
 	DeviceName string   `json:"device_name,omitempty"`
 	SANDNS     []string `json:"san_dns,omitempty"`
 	SANRFC822  []string `json:"san_rfc822,omitempty"`
 	SANUPN     []string `json:"san_upn,omitempty"`
 }
 // unmarshalChallengeV1 parses the v1 wire format. Conservative: any
 // unrecognised JSON fields are silently dropped (forward-compat for the
 // inevitable v1.x minor additions Microsoft makes without bumping the
 // version key).
 func unmarshalChallengeV1(payload []byte) (*ChallengeClaim, error) {
 	var p challengePayloadV1
 	if err := json.Unmarshal(payload, &p); err != nil {
 		return nil, fmt.Errorf("%w: v1 payload unmarshal: %v", ErrChallengeMalformed, err)
 	}
 	c := &ChallengeClaim{
 		Issuer:     p.Issuer,
 		Subject:    p.Subject,
 		Audience:   p.Audience,
 		Nonce:      p.Nonce,
 		DeviceName: p.DeviceName,
 		SANDNS:     p.SANDNS,
 		SANRFC822:  p.SANRFC822,
 		SANUPN:     p.SANUPN,
 	}
 	if p.IssuedAt > 0 {
 		c.IssuedAt = time.Unix(p.IssuedAt, 0).UTC()
 	}
 	if p.ExpiresAt > 0 {
 		c.ExpiresAt = time.Unix(p.ExpiresAt, 0).UTC()
 	}
 	return c, nil
 }
 // ValidateChallenge runs the full Intune-challenge validation pipeline:
 //
 //  1. ParseChallenge(raw) — JWT compact deserialize
 //  2. Verify signature over (segment0 || "." || segment1) against any
 //     trust-anchor cert's public key (try each until one verifies)
 //  3. Extract version claim via the lightweight versioned-prelude
 //  4. Dispatch to the per-version unmarshaler (v1 today)
 //  5. Time bounds: now ≥ iat AND now < exp (with stdlib RFC 3339 grace)
 //  6. Audience: claim.Audience == expectedAudience (when expectedAudience
 //     is non-empty; empty disables the check, useful for tests)
 //
 // Returns *ChallengeClaim on success, typed error on failure (caller can
 // errors.Is the specific dimension).
 //
 // Replay protection is the CALLER's responsibility — pass the returned
 // claim's Nonce to a *ReplayCache.CheckAndInsert. We deliberately don't
 // own the cache here so the validator stays stateless + testable; the
 // handler glues parser + cache together.
 func ValidateChallenge(raw string, trust []*x509.Certificate, expectedAudience string, now time.Time) (*ChallengeClaim, error) {
 	if len(trust) == 0 {
 		return nil, fmt.Errorf("%w: no trust anchors configured", ErrChallengeSignature)
 	}
 	header, payload, signature, err := ParseChallenge(raw)
 	if err != nil {
 		return nil, err
 	}
 	// JWS signing input per RFC 7515 §5.1: ASCII bytes of segment0 + "." + segment1.
 	// We re-derive from raw (split-by-dots) rather than re-base64-encode the
 	// decoded segments, because RFC 7515 §3.1 specifies the signing input
 	// is the encoded form, and some encoders omit padding while others
 	// don't — re-encoding could produce a byte-different input than what
 	// the Connector originally signed. Use the raw on-wire bytes.
 	parts := strings.Split(raw, ".")
 	if len(parts) != 3 {
 		// ParseChallenge already enforced this; defensive double-check.
 		return nil, fmt.Errorf("%w: post-parse segment count drift", ErrChallengeMalformed)
 	}
 	signingInput := []byte(parts[0] + "." + parts[1])
 	var hdr jwtHeader
 	if err := json.Unmarshal(header, &hdr); err != nil {
 		return nil, fmt.Errorf("%w: header JSON: %v", ErrChallengeMalformed, err)
 	}
 	if err := verifyChallengeSignature(hdr.Alg, signingInput, signature, trust); err != nil {
 		return nil, err
 	}
 	// Version dispatch — extract the version claim BEFORE the full unmarshal.
 	var v versionedChallenge
 	if err := json.Unmarshal(payload, &v); err != nil {
 		return nil, fmt.Errorf("%w: prelude unmarshal: %v", ErrChallengeMalformed, err)
 	}
 	unmarshaler, ok := versionUnmarshalers[v.Version]
 	if !ok {
 		return nil, fmt.Errorf("%w: %q", ErrChallengeUnknownVersion, v.Version)
 	}
 	claim, err := unmarshaler(payload)
 	if err != nil {
 		return nil, err
 	}
 	// Time bounds. The Connector's signed iat/exp ARE authoritative;
 	// we don't impose a separate validity cap here (the operator can
 	// add one in the handler if defense-in-depth is wanted, e.g. via
 	// SCEPProfileConfig.IntuneChallengeValidity in Phase 8).
 	if !claim.IssuedAt.IsZero() && now.Before(claim.IssuedAt) {
 		return nil, fmt.Errorf("%w: iat=%s now=%s", ErrChallengeNotYetValid,
 			claim.IssuedAt.Format(time.RFC3339), now.Format(time.RFC3339))
 	}
 	if !claim.ExpiresAt.IsZero() && !now.Before(claim.ExpiresAt) {
 		return nil, fmt.Errorf("%w: exp=%s now=%s", ErrChallengeExpired,
 			claim.ExpiresAt.Format(time.RFC3339), now.Format(time.RFC3339))
 	}
 	// Audience binds the challenge to a specific SCEP endpoint URL. An
 	// empty expectedAudience disables the check (test convenience + the
 	// Phase 8 config allows operator opt-out for proxy / load-balancer
 	// scenarios where the URL the Connector saw isn't the URL we see).
 	if expectedAudience != "" && claim.Audience != "" && claim.Audience != expectedAudience {
 		return nil, fmt.Errorf("%w: claim=%q expected=%q", ErrChallengeWrongAudience,
 			claim.Audience, expectedAudience)
 	}
 	return claim, nil
 }
 // verifyChallengeSignature dispatches on the JWS alg header to the
 // matching stdlib signature-verify routine, then iterates the trust
 // anchors trying each cert's public key until one verifies.
 //
 // Supported algs:
 //   - RS256: RSASSA-PKCS1-v1_5 over SHA-256 (Microsoft's published Connector default)
 //   - ES256: ECDSA P-256 over SHA-256 (community-reported Connector option)
 //
 // Deliberately rejected algs:
 //   - "none" (RFC 7515 §3.6 vulnerability vector)
 //   - HS256 / HS384 / HS512 (HMAC; no shared secret in our threat model)
 //   - PS256+ (RSA-PSS; not seen in Intune Connector traffic — add only when needed)
 //
 // Adding a new alg = add a case + a verify helper. The trust-anchor loop
 // stays unchanged.
 func verifyChallengeSignature(alg string, signingInput, signature []byte, trust []*x509.Certificate) error {
 	switch alg {
 	case "RS256":
 		return verifyRS256(signingInput, signature, trust)
 	case "ES256":
 		return verifyES256(signingInput, signature, trust)
 	case "":
 		return fmt.Errorf("%w: missing alg header (RFC 7515 §4.1.1 mandates)", ErrChallengeSignature)
 	case "none":
 		// Explicit reject so the failure mode in the audit log distinguishes
 		// "unsupported alg" from "active attack with the alg-none vector."
 		return fmt.Errorf("%w: alg \"none\" rejected (RFC 7515 §3.6 attack)", ErrChallengeSignature)
 	default:
 		return fmt.Errorf("%w: unsupported alg %q (only RS256 and ES256 are accepted)", ErrChallengeSignature, alg)
 	}
 }
 // verifyRS256 hashes the signing input with SHA-256 and checks the
 // signature against each trust anchor's public key. Constant-time: the
 // stdlib's rsa.VerifyPKCS1v15 returns nil on success and an error on
 // failure without timing-leak surface area on the hash compare path.
 func verifyRS256(signingInput, signature []byte, trust []*x509.Certificate) error {
 	h := sha256.Sum256(signingInput)
 	for _, cert := range trust {
 		pub, ok := cert.PublicKey.(*rsa.PublicKey)
 		if !ok {
 			continue
 		}
 		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], signature); err == nil {
 			return nil
 		}
 	}
 	return ErrChallengeSignature
 }
 // verifyES256 dispatches between the two ECDSA signature encodings the
 // JOSE spec allows for ES256:
 //
 //   - RFC 7515 §3.4 fixed-width: r || s, each 32 bytes (raw concat) — the
 //     wire format JOSE-compliant Connectors use.
 //   - ASN.1 DER (SEQUENCE { r INTEGER, s INTEGER }) — older Connector
 //     builds and many .NET-based JWT libraries emit DER instead of the
 //     RFC 7515 fixed-width form.
 //
 // Try fixed-width first (the spec-blessed format); fall back to ASN.1.
 // crypto/ecdsa.VerifyASN1 + ecdsa.Verify both return bool — no timing
 // leak on the success path.
 func verifyES256(signingInput, signature []byte, trust []*x509.Certificate) error {
 	h := sha256.Sum256(signingInput)
 	for _, cert := range trust {
 		pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
 		if !ok {
 			continue
 		}
 		// Fixed-width r||s form (JOSE-canonical for P-256 = 64 bytes).
 		if len(signature) == 64 {
 			r := new(big.Int).SetBytes(signature[:32])
 			s := new(big.Int).SetBytes(signature[32:])
 			if ecdsa.Verify(pub, h[:], r, s) {
 				return nil
 			}
 		}
 		// ASN.1 DER form (older / non-JOSE encoders).
 		if ecdsa.VerifyASN1(pub, h[:], signature) {
 			return nil
 		}
 	}
 	return ErrChallengeSignature
 }
@@ -0,0 +1,526 @@
 package intune
 import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"math/big"
 	"strings"
 	"testing"
 	"time"
 )
 // Test idiom: each test materialises a real Connector signing cert +
 // private key, builds a JWT-shaped challenge by hand, then runs it
 // through Parse / Validate. Round-trip pins the exact wire format the
 // Microsoft Intune Certificate Connector emits today (v1).
 // =============================================================================
 // Test helpers — Connector trust-anchor + signed challenge factories.
 // =============================================================================
 type testRSAConnector struct {
 	key  *rsa.PrivateKey
 	cert *x509.Certificate
 }
 func genTestRSAConnector(t *testing.T) testRSAConnector {
 	t.Helper()
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatalf("rsa.GenerateKey: %v", err)
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber:          big.NewInt(1),
 		Subject:               pkix.Name{CommonName: "test-intune-connector"},
 		NotBefore:             time.Now().Add(-1 * time.Hour),
 		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
 		KeyUsage:              x509.KeyUsageDigitalSignature,
 		BasicConstraintsValid: true,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		t.Fatalf("x509.CreateCertificate: %v", err)
 	}
 	cert, err := x509.ParseCertificate(der)
 	if err != nil {
 		t.Fatalf("x509.ParseCertificate: %v", err)
 	}
 	return testRSAConnector{key: key, cert: cert}
 }
 type testECDSAConnector struct {
 	key  *ecdsa.PrivateKey
 	cert *x509.Certificate
 }
 func genTestECDSAConnector(t *testing.T) testECDSAConnector {
 	t.Helper()
 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Fatalf("ecdsa.GenerateKey: %v", err)
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber:          big.NewInt(2),
 		Subject:               pkix.Name{CommonName: "test-intune-connector-es256"},
 		NotBefore:             time.Now().Add(-1 * time.Hour),
 		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
 		KeyUsage:              x509.KeyUsageDigitalSignature,
 		BasicConstraintsValid: true,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		t.Fatalf("x509.CreateCertificate: %v", err)
 	}
 	cert, err := x509.ParseCertificate(der)
 	if err != nil {
 		t.Fatalf("x509.ParseCertificate: %v", err)
 	}
 	return testECDSAConnector{key: key, cert: cert}
 }
 // signTestChallengeRS256 builds + signs a challenge with the given payload.
 // alg defaults to RS256.
 func signTestChallengeRS256(t *testing.T, c testRSAConnector, payload any) string {
 	t.Helper()
 	hdr, _ := json.Marshal(jwtHeader{Alg: "RS256", Typ: "JWT"})
 	pl, _ := json.Marshal(payload)
 	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
 		base64.RawURLEncoding.EncodeToString(pl)
 	h := sha256.Sum256([]byte(signingInput))
 	sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
 	if err != nil {
 		t.Fatalf("rsa.SignPKCS1v15: %v", err)
 	}
 	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
 }
 // signTestChallengeES256_FixedWidth produces a JOSE-canonical r||s ES256.
 func signTestChallengeES256_FixedWidth(t *testing.T, c testECDSAConnector, payload any) string {
 	t.Helper()
 	hdr, _ := json.Marshal(jwtHeader{Alg: "ES256", Typ: "JWT"})
 	pl, _ := json.Marshal(payload)
 	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
 		base64.RawURLEncoding.EncodeToString(pl)
 	h := sha256.Sum256([]byte(signingInput))
 	r, s, err := ecdsa.Sign(rand.Reader, c.key, h[:])
 	if err != nil {
 		t.Fatalf("ecdsa.Sign: %v", err)
 	}
 	rb, sb := r.Bytes(), s.Bytes()
 	sig := make([]byte, 64)
 	copy(sig[32-len(rb):], rb)
 	copy(sig[64-len(sb):], sb)
 	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
 }
 // signTestChallengeES256_DER produces the older non-JOSE ASN.1 DER form.
 func signTestChallengeES256_DER(t *testing.T, c testECDSAConnector, payload any) string {
 	t.Helper()
 	hdr, _ := json.Marshal(jwtHeader{Alg: "ES256", Typ: "JWT"})
 	pl, _ := json.Marshal(payload)
 	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
 		base64.RawURLEncoding.EncodeToString(pl)
 	h := sha256.Sum256([]byte(signingInput))
 	derSig, err := ecdsa.SignASN1(rand.Reader, c.key, h[:])
 	if err != nil {
 		t.Fatalf("ecdsa.SignASN1: %v", err)
 	}
 	return signingInput + "." + base64.RawURLEncoding.EncodeToString(derSig)
 }
 // validV1Payload returns a v1 challenge payload that is currently in-window.
 func validV1Payload(now time.Time) challengePayloadV1 {
 	return challengePayloadV1{
 		Issuer:     "test-connector-installation-guid",
 		Subject:    "device-guid-123",
 		Audience:   "https://certctl.example.com/scep/corp",
 		IssuedAt:   now.Add(-1 * time.Minute).Unix(),
 		ExpiresAt:  now.Add(59 * time.Minute).Unix(),
 		Nonce:      "abc123nonce",
 		DeviceName: "DEVICE-001",
 		SANDNS:     []string{"device-001.example.com"},
 		SANRFC822:  []string{"device-001@example.com"},
 	}
 }
 // =============================================================================
 // ParseChallenge.
 // =============================================================================
 func TestParseChallenge_HappyPath(t *testing.T) {
 	c := genTestRSAConnector(t)
 	now := time.Now()
 	raw := signTestChallengeRS256(t, c, validV1Payload(now))
 	header, payload, signature, err := ParseChallenge(raw)
 	if err != nil {
 		t.Fatalf("ParseChallenge: %v", err)
 	}
 	if len(header) == 0 || len(payload) == 0 || len(signature) == 0 {
 		t.Fatalf("decoded segments are empty: header=%d payload=%d signature=%d",
 			len(header), len(payload), len(signature))
 	}
 	var p challengePayloadV1
 	if err := json.Unmarshal(payload, &p); err != nil {
 		t.Fatalf("payload not valid JSON: %v", err)
 	}
 	if p.DeviceName != "DEVICE-001" {
 		t.Errorf("DeviceName = %q, want DEVICE-001", p.DeviceName)
 	}
 }
 func TestParseChallenge_Malformed(t *testing.T) {
 	cases := []struct {
 		name string
 		in   string
 	}{
 		{"empty", ""},
 		{"missing dots", "abc"},
 		{"two dots one missing segment", "abc..def"},
 		{"trailing dot extra segment", "a.b.c.d"},
 		{"first segment empty", ".b.c"},
 		{"middle segment empty", "a..c"},
 		{"last segment empty", "a.b."},
 		{"non-base64 header", "!!!.YWJj.YWJj"},
 		{"non-JSON header", base64.RawURLEncoding.EncodeToString([]byte("not json")) + ".YWJj.YWJj"},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			_, _, _, err := ParseChallenge(tc.in)
 			if !errors.Is(err, ErrChallengeMalformed) {
 				t.Fatalf("got %v, want errors.Is(ErrChallengeMalformed)", err)
 			}
 		})
 	}
 }
 func TestParseChallenge_PaddedBase64Tolerated(t *testing.T) {
 	// Some Connector versions emit padded base64url; we tolerate both.
 	hdr := base64.URLEncoding.EncodeToString([]byte(`{"alg":"RS256"}`))
 	pl := base64.URLEncoding.EncodeToString([]byte(`{"foo":"bar"}`))
 	sig := base64.URLEncoding.EncodeToString([]byte("xx"))
 	if !strings.HasSuffix(hdr, "=") && !strings.HasSuffix(pl, "=") && !strings.HasSuffix(sig, "=") {
 		t.Skip("encoder didn't produce padding for this fixture; skipping")
 	}
 	raw := hdr + "." + pl + "." + sig
 	if _, _, _, err := ParseChallenge(raw); err != nil {
 		t.Fatalf("padded base64url should be tolerated: %v", err)
 	}
 }
 // =============================================================================
 // ValidateChallenge — happy paths for both algs + both ES256 encodings.
 // =============================================================================
 func TestValidateChallenge_HappyPath_RS256(t *testing.T) {
 	c := genTestRSAConnector(t)
 	now := time.Now()
 	pl := validV1Payload(now)
 	raw := signTestChallengeRS256(t, c, pl)
 	got, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now)
 	if err != nil {
 		t.Fatalf("ValidateChallenge: %v", err)
 	}
 	if got.DeviceName != "DEVICE-001" {
 		t.Errorf("DeviceName = %q", got.DeviceName)
 	}
 	if got.Nonce != "abc123nonce" {
 		t.Errorf("Nonce = %q", got.Nonce)
 	}
 	if got.IssuedAt.IsZero() || got.ExpiresAt.IsZero() {
 		t.Errorf("iat/exp not populated: iat=%v exp=%v", got.IssuedAt, got.ExpiresAt)
 	}
 }
 func TestValidateChallenge_HappyPath_ES256_FixedWidth(t *testing.T) {
 	c := genTestECDSAConnector(t)
 	now := time.Now()
 	pl := validV1Payload(now)
 	raw := signTestChallengeES256_FixedWidth(t, c, pl)
 	got, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now)
 	if err != nil {
 		t.Fatalf("ValidateChallenge: %v", err)
 	}
 	if got.Subject != "device-guid-123" {
 		t.Errorf("Subject = %q", got.Subject)
 	}
 }
 func TestValidateChallenge_HappyPath_ES256_DER(t *testing.T) {
 	c := genTestECDSAConnector(t)
 	now := time.Now()
 	pl := validV1Payload(now)
 	raw := signTestChallengeES256_DER(t, c, pl)
 	if _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now); err != nil {
 		t.Fatalf("ValidateChallenge ES256 DER: %v", err)
 	}
 }
 // =============================================================================
 // ValidateChallenge — failure dimensions.
 // =============================================================================
 func TestValidateChallenge_Expired(t *testing.T) {
 	c := genTestRSAConnector(t)
 	now := time.Now()
 	pl := validV1Payload(now)
 	pl.ExpiresAt = now.Add(-1 * time.Minute).Unix()
 	raw := signTestChallengeRS256(t, c, pl)
 	_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now)
 	if !errors.Is(err, ErrChallengeExpired) {
 		t.Fatalf("got %v, want ErrChallengeExpired", err)
 	}
 }
 func TestValidateChallenge_NotYetValid(t *testing.T) {
 	c := genTestRSAConnector(t)
 	now := time.Now()
 	pl := validV1Payload(now)
 	pl.IssuedAt = now.Add(5 * time.Minute).Unix() // future iat (clock skew)
 	pl.ExpiresAt = now.Add(65 * time.Minute).Unix()
 	raw := signTestChallengeRS256(t, c, pl)
 	_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, pl.Audience, now)
 	if !errors.Is(err, ErrChallengeNotYetValid) {
 		t.Fatalf("got %v, want ErrChallengeNotYetValid", err)
 	}
 }
 func TestValidateChallenge_WrongAudience(t *testing.T) {
 	c := genTestRSAConnector(t)
 	now := time.Now()
 	pl := validV1Payload(now)
 	raw := signTestChallengeRS256(t, c, pl)
 	_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "https://wrong-host.example.com/scep", now)
 	if !errors.Is(err, ErrChallengeWrongAudience) {
 		t.Fatalf("got %v, want ErrChallengeWrongAudience", err)
 	}
 }
 func TestValidateChallenge_EmptyExpectedAudienceDisablesCheck(t *testing.T) {
 	c := genTestRSAConnector(t)
 	now := time.Now()
 	pl := validV1Payload(now)
 	raw := signTestChallengeRS256(t, c, pl)
 	if _, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", now); err != nil {
 		t.Fatalf("empty expected audience should disable the check: %v", err)
 	}
 }
 func TestValidateChallenge_TamperedSignature(t *testing.T) {
 	c := genTestRSAConnector(t)
 	now := time.Now()
 	pl := validV1Payload(now)
 	raw := signTestChallengeRS256(t, c, pl)
 	parts := strings.Split(raw, ".")
 	// Flip one byte in the b64-decoded signature, then re-encode.
 	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
 	sig[0] ^= 0xFF
 	parts[2] = base64.RawURLEncoding.EncodeToString(sig)
 	tampered := strings.Join(parts, ".")
 	_, err := ValidateChallenge(tampered, []*x509.Certificate{c.cert}, pl.Audience, now)
 	if !errors.Is(err, ErrChallengeSignature) {
 		t.Fatalf("got %v, want ErrChallengeSignature", err)
 	}
 }
 func TestValidateChallenge_TamperedPayload(t *testing.T) {
 	c := genTestRSAConnector(t)
 	now := time.Now()
 	pl := validV1Payload(now)
 	raw := signTestChallengeRS256(t, c, pl)
 	// Re-encode the payload with a different DeviceName but keep the
 	// original signature. Signature verification MUST catch this.
 	parts := strings.Split(raw, ".")
 	pl.DeviceName = "ATTACKER-CHANGED-DEVICE"
 	tamperedPayload, _ := json.Marshal(pl)
 	parts[1] = base64.RawURLEncoding.EncodeToString(tamperedPayload)
 	tampered := strings.Join(parts, ".")
 	_, err := ValidateChallenge(tampered, []*x509.Certificate{c.cert}, pl.Audience, now)
 	if !errors.Is(err, ErrChallengeSignature) {
 		t.Fatalf("got %v, want ErrChallengeSignature", err)
 	}
 }
 func TestValidateChallenge_RotatedTrustAnchor(t *testing.T) {
 	signedBy := genTestRSAConnector(t)
 	rotatedTo := genTestRSAConnector(t) // operator already rotated; old key gone
 	now := time.Now()
 	pl := validV1Payload(now)
 	raw := signTestChallengeRS256(t, signedBy, pl)
 	_, err := ValidateChallenge(raw, []*x509.Certificate{rotatedTo.cert}, pl.Audience, now)
 	if !errors.Is(err, ErrChallengeSignature) {
 		t.Fatalf("got %v, want ErrChallengeSignature", err)
 	}
 }
 func TestValidateChallenge_EmptyTrustBundle(t *testing.T) {
 	c := genTestRSAConnector(t)
 	now := time.Now()
 	raw := signTestChallengeRS256(t, c, validV1Payload(now))
 	_, err := ValidateChallenge(raw, nil, "", now)
 	if !errors.Is(err, ErrChallengeSignature) {
 		t.Fatalf("got %v, want ErrChallengeSignature", err)
 	}
 }
 func TestValidateChallenge_AlgNoneRejected(t *testing.T) {
 	// Active alg=none attack: header says alg=none, signature is empty,
 	// the validator MUST reject regardless of any "valid"-looking payload.
 	hdr, _ := json.Marshal(jwtHeader{Alg: "none"})
 	pl, _ := json.Marshal(validV1Payload(time.Now()))
 	raw := base64.RawURLEncoding.EncodeToString(hdr) + "." +
 		base64.RawURLEncoding.EncodeToString(pl) + "." +
 		base64.RawURLEncoding.EncodeToString([]byte("nope"))
 	c := genTestRSAConnector(t)
 	_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", time.Now())
 	if !errors.Is(err, ErrChallengeSignature) {
 		t.Fatalf("got %v, want ErrChallengeSignature for alg=none", err)
 	}
 	if !strings.Contains(err.Error(), "none") {
 		t.Errorf("error message should mention alg=none for audit clarity: %v", err)
 	}
 }
 func TestValidateChallenge_UnsupportedAlg(t *testing.T) {
 	hdr, _ := json.Marshal(jwtHeader{Alg: "HS256"})
 	pl, _ := json.Marshal(validV1Payload(time.Now()))
 	raw := base64.RawURLEncoding.EncodeToString(hdr) + "." +
 		base64.RawURLEncoding.EncodeToString(pl) + "." +
 		base64.RawURLEncoding.EncodeToString([]byte("hmac-bytes"))
 	c := genTestRSAConnector(t)
 	_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", time.Now())
 	if !errors.Is(err, ErrChallengeSignature) {
 		t.Fatalf("got %v, want ErrChallengeSignature for unsupported alg", err)
 	}
 }
 func TestValidateChallenge_MissingAlgHeader(t *testing.T) {
 	hdr, _ := json.Marshal(map[string]string{"typ": "JWT"})
 	pl, _ := json.Marshal(validV1Payload(time.Now()))
 	raw := base64.RawURLEncoding.EncodeToString(hdr) + "." +
 		base64.RawURLEncoding.EncodeToString(pl) + "." +
 		base64.RawURLEncoding.EncodeToString([]byte("xx"))
 	c := genTestRSAConnector(t)
 	_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", time.Now())
 	if !errors.Is(err, ErrChallengeSignature) {
 		t.Fatalf("got %v, want ErrChallengeSignature for missing alg", err)
 	}
 }
 // =============================================================================
 // Version dispatcher.
 // =============================================================================
 func TestValidateChallenge_VersionV1ExplicitOK(t *testing.T) {
 	c := genTestRSAConnector(t)
 	now := time.Now()
 	type plWithVersion struct {
 		Version string `json:"version"`
 		challengePayloadV1
 	}
 	p := plWithVersion{Version: "v1", challengePayloadV1: validV1Payload(now)}
 	raw := signTestChallengeRS256(t, c, p)
 	got, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, p.Audience, now)
 	if err != nil {
 		t.Fatalf("explicit v1 should be accepted: %v", err)
 	}
 	if got.DeviceName != "DEVICE-001" {
 		t.Errorf("DeviceName = %q", got.DeviceName)
 	}
 }
 func TestValidateChallenge_VersionUnknownRejected(t *testing.T) {
 	c := genTestRSAConnector(t)
 	now := time.Now()
 	type plWithVersion struct {
 		Version string `json:"version"`
 		challengePayloadV1
 	}
 	p := plWithVersion{Version: "v999", challengePayloadV1: validV1Payload(now)}
 	raw := signTestChallengeRS256(t, c, p)
 	_, err := ValidateChallenge(raw, []*x509.Certificate{c.cert}, p.Audience, now)
 	if !errors.Is(err, ErrChallengeUnknownVersion) {
 		t.Fatalf("got %v, want ErrChallengeUnknownVersion", err)
 	}
 }
 // =============================================================================
 // Trust-anchor walk: when a trust bundle has both algs configured, the
 // validator must ignore key-type mismatches without returning Signature.
 // =============================================================================
 func TestValidateChallenge_MixedTrustBundle_IgnoresKeyTypeMismatches(t *testing.T) {
 	rsaConn := genTestRSAConnector(t)
 	ecConn := genTestECDSAConnector(t)
 	now := time.Now()
 	pl := validV1Payload(now)
 	// Sign with RSA; trust bundle has BOTH the RSA cert and an unrelated
 	// ECDSA cert. Validator should iterate, skip the EC cert (key type
 	// mismatch), find RSA, verify, return success.
 	raw := signTestChallengeRS256(t, rsaConn, pl)
 	bundle := []*x509.Certificate{ecConn.cert, rsaConn.cert}
 	if _, err := ValidateChallenge(raw, bundle, pl.Audience, now); err != nil {
 		t.Fatalf("mixed-bundle validate: %v", err)
 	}
 }
 // =============================================================================
 // Defensive: malformed payload after good signature still surfaces a
 // useful error (not a panic).
 // =============================================================================
 func TestValidateChallenge_NonJSONPayloadButValidSignature(t *testing.T) {
 	c := genTestRSAConnector(t)
 	hdr, _ := json.Marshal(jwtHeader{Alg: "RS256"})
 	pl := []byte("this is not JSON")
 	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
 		base64.RawURLEncoding.EncodeToString(pl)
 	h := sha256.Sum256([]byte(signingInput))
 	sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
 	if err != nil {
 		t.Fatalf("rsa.SignPKCS1v15: %v", err)
 	}
 	raw := signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
 	_, vErr := ValidateChallenge(raw, []*x509.Certificate{c.cert}, "", time.Now())
 	if !errors.Is(vErr, ErrChallengeMalformed) {
 		t.Fatalf("got %v, want ErrChallengeMalformed", vErr)
 	}
 }
 // asn1 + math/big are imported to keep the test compile in case future
 // helpers add ASN.1 wire shaping (e.g. malformed-DER ES256 fixture).
 var (
 	_ = asn1.Marshal
 	_ = big.NewInt
 )
@@ -0,0 +1,162 @@
 package intune
 import (
 	"crypto/x509"
 	"errors"
 	"fmt"
 	"sort"
 	"strings"
 	"time"
 )
 // ChallengeClaim is the parsed payload of an Intune dynamic challenge.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 7.3.
 //
 // Fields documented from Microsoft's Connector source traces +
 // community implementations (smallstep/step-ca and HashiCorp Vault's
 // Intune integrations both reverse-engineered the same format). The
 // JSON tags match what the Connector emits today (v1 format); a v2
 // format would land alongside via the version-detection dispatcher
 // in challenge.go.
 //
 // Set-equality semantics: the SAN slices are normalised (sorted,
 // de-duped) before comparison so Microsoft's Connector emitting in a
 // non-deterministic order doesn't break DeviceMatchesCSR.
 type ChallengeClaim struct {
 	Issuer     string    `json:"iss,omitempty"`         // Connector identity (installation GUID typical)
 	Subject    string    `json:"sub,omitempty"`         // device GUID or user UPN
 	Audience   string    `json:"aud,omitempty"`         // expected SCEP endpoint URL (replay protection)
 	IssuedAt   time.Time `json:"-"`                     // populated by claim unmarshaler from "iat" Unix seconds
 	ExpiresAt  time.Time `json:"-"`                     // populated by claim unmarshaler from "exp" Unix seconds
 	Nonce      string    `json:"nonce,omitempty"`       // replay-protection token; opaque
 	DeviceName string    `json:"device_name,omitempty"` // expected CSR CommonName
 	SANDNS     []string  `json:"san_dns,omitempty"`     // expected SAN DNS names
 	SANRFC822  []string  `json:"san_rfc822,omitempty"`  // expected SAN email addresses (user certs)
 	SANUPN     []string  `json:"san_upn,omitempty"`     // expected SAN userPrincipalName
 }
 // Typed claim-mismatch errors so the caller can audit the specific
 // failure dimension without string-matching on error messages.
 var (
 	ErrClaimCNMismatch        = errors.New("intune claim: device_name does not match CSR CommonName")
 	ErrClaimSANDNSMismatch    = errors.New("intune claim: SAN DNS set does not match CSR")
 	ErrClaimSANRFC822Mismatch = errors.New("intune claim: SAN RFC822 (email) set does not match CSR")
 	ErrClaimSANUPNMismatch    = errors.New("intune claim: SAN UPN (userPrincipalName) set does not match CSR")
 )
 // DeviceMatchesCSR returns nil if the CSR's CN and SANs match the
 // claim's expected values. Returns a typed error otherwise so the
 // caller can audit the specific mismatch.
 //
 // Set-equality semantics: if the claim says
 // SANDNS=["a.example.com","b.example.com"] and the CSR has only
 // "a.example.com", that's a mismatch — the operator's Intune profile
 // was misconfigured or the CSR was tampered with. Both are "fail
 // closed" cases.
 //
 // Empty claim slices = no constraint on that dimension. So a claim
 // with SANDNS=nil + a CSR with DNS SANs is OK (Intune didn't pin DNS,
 // the CSR can carry whatever). A claim with SANDNS=["x"] + a CSR
 // with no DNS SANs is a mismatch (Intune pinned x, CSR doesn't have
 // it).
 func (c *ChallengeClaim) DeviceMatchesCSR(csr *x509.CertificateRequest) error {
 	if c == nil {
 		return errors.New("intune claim: nil claim")
 	}
 	if csr == nil {
 		return errors.New("intune claim: nil CSR")
 	}
 	// CN is straight equality. Empty claim CN = no constraint.
 	if c.DeviceName != "" && c.DeviceName != csr.Subject.CommonName {
 		return fmt.Errorf("%w: claim=%q csr=%q", ErrClaimCNMismatch, c.DeviceName, csr.Subject.CommonName)
 	}
 	// SAN sets — set-equality means the SCEP CSR carries EXACTLY the
 	// claim's elements, no extras and no missing. Normalising via
 	// sorted lower-case slices makes the compare order-independent.
 	if len(c.SANDNS) > 0 {
 		got := normaliseSet(csr.DNSNames)
 		want := normaliseSet(c.SANDNS)
 		if !equalSets(got, want) {
 			return fmt.Errorf("%w: claim=%v csr=%v", ErrClaimSANDNSMismatch, want, got)
 		}
 	}
 	if len(c.SANRFC822) > 0 {
 		got := normaliseSet(csr.EmailAddresses)
 		want := normaliseSet(c.SANRFC822)
 		if !equalSets(got, want) {
 			return fmt.Errorf("%w: claim=%v csr=%v", ErrClaimSANRFC822Mismatch, want, got)
 		}
 	}
 	if len(c.SANUPN) > 0 {
 		// UPN SANs ride otherName extensions per RFC 4985 §1.1; Go's
 		// stdlib doesn't surface them as a typed slice. Walk the raw
 		// extensions if present. Most Intune deploys use SAN-RFC822
 		// (email) for user certs rather than SAN-UPN, so this branch is
 		// uncommon but pinned for correctness.
 		got := normaliseSet(extractUPNSans(csr))
 		want := normaliseSet(c.SANUPN)
 		if !equalSets(got, want) {
 			return fmt.Errorf("%w: claim=%v csr=%v", ErrClaimSANUPNMismatch, want, got)
 		}
 	}
 	return nil
 }
 // normaliseSet returns a sorted, lowercased, de-duplicated copy of s.
 // Lowercase because DNS / email comparison is case-insensitive (DNS
 // per RFC 4343, email local-part is case-sensitive per RFC 5321 but
 // Microsoft + most TLS stacks treat it case-insensitively for SAN
 // comparison). De-dup so a CSR with ["a","a"] matches a claim with
 // ["a"] — the cert's effective SAN set is what we're comparing, not
 // the multiset.
 func normaliseSet(s []string) []string {
 	seen := map[string]struct{}{}
 	out := make([]string, 0, len(s))
 	for _, v := range s {
 		v = strings.ToLower(strings.TrimSpace(v))
 		if v == "" {
 			continue
 		}
 		if _, ok := seen[v]; ok {
 			continue
 		}
 		seen[v] = struct{}{}
 		out = append(out, v)
 	}
 	sort.Strings(out)
 	return out
 }
 func equalSets(a, b []string) bool {
 	if len(a) != len(b) {
 		return false
 	}
 	for i := range a {
 		if a[i] != b[i] {
 			return false
 		}
 	}
 	return true
 }
 // extractUPNSans walks a CSR's raw extensions for SAN entries with the
 // otherName form carrying the id-ms-san-upn OID (1.3.6.1.4.1.311.20.2.3).
 // Returns the decoded UTF-8 string values. Returns empty slice when no
 // UPN SANs are present (the common case).
 //
 // Implementation note: Go's stdlib doesn't decode UPN SANs; we'd have
 // to walk the SubjectAltName extension's raw value as ASN.1 SEQUENCE OF
 // GeneralName, find the [0] otherName tags, parse each as
 // {OID, [0] EXPLICIT ANY}, match the OID, and decode the EXPLICIT value
 // as a UTF8String. That's ~50 LoC of ASN.1 fiddling. For Phase 7 v1 we
 // punt on it: returning an empty slice means SANUPN claims with non-
 // empty values fail the equalSets check below — which is the correct
 // fail-closed behavior for the rare deploy that pins UPN SANs but
 // hasn't audited the wire format. If/when an operator actually needs
 // SAN-UPN matching, hot-fix this function with the ASN.1 walker.
 func extractUPNSans(_ *x509.CertificateRequest) []string {
 	return nil
 }
@@ -0,0 +1,159 @@
 package intune
 import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"errors"
 	"testing"
 )
 // Each TestDeviceMatchesCSR_* covers a single dimension (CN / SAN-DNS /
 // SAN-RFC822 / SAN-UPN) with both happy-path and mismatch fixtures so the
 // per-dimension typed errors stay wired up over future refactors.
 func newCSRFixture(cn string, dns, email []string) *x509.CertificateRequest {
 	return &x509.CertificateRequest{
 		Subject:        pkix.Name{CommonName: cn},
 		DNSNames:       dns,
 		EmailAddresses: email,
 	}
 }
 func TestDeviceMatchesCSR_HappyPath_AllDimensions(t *testing.T) {
 	csr := newCSRFixture("DEVICE-001", []string{"a.example.com", "b.example.com"},
 		[]string{"alice@example.com"})
 	c := &ChallengeClaim{
 		DeviceName: "DEVICE-001",
 		SANDNS:     []string{"b.example.com", "a.example.com"}, // reversed; set-equality
 		SANRFC822:  []string{"alice@example.com"},
 	}
 	if err := c.DeviceMatchesCSR(csr); err != nil {
 		t.Fatalf("happy-path match should succeed: %v", err)
 	}
 }
 func TestDeviceMatchesCSR_NilGuards(t *testing.T) {
 	var nilClaim *ChallengeClaim
 	if err := nilClaim.DeviceMatchesCSR(&x509.CertificateRequest{}); err == nil {
 		t.Errorf("nil claim should error")
 	}
 	c := &ChallengeClaim{}
 	if err := c.DeviceMatchesCSR(nil); err == nil {
 		t.Errorf("nil CSR should error")
 	}
 }
 func TestDeviceMatchesCSR_CNMismatch(t *testing.T) {
 	csr := newCSRFixture("ATTACKER-DEVICE", nil, nil)
 	c := &ChallengeClaim{DeviceName: "DEVICE-001"}
 	if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimCNMismatch) {
 		t.Fatalf("got %v, want ErrClaimCNMismatch", err)
 	}
 }
 func TestDeviceMatchesCSR_EmptyClaimCN_NoConstraint(t *testing.T) {
 	csr := newCSRFixture("any-cn-is-fine", nil, nil)
 	c := &ChallengeClaim{} // no DeviceName pinned
 	if err := c.DeviceMatchesCSR(csr); err != nil {
 		t.Fatalf("empty claim CN must impose no constraint: %v", err)
 	}
 }
 func TestDeviceMatchesCSR_SANDNSMismatch_Missing(t *testing.T) {
 	csr := newCSRFixture("d", []string{"a.example.com"}, nil) // missing b
 	c := &ChallengeClaim{SANDNS: []string{"a.example.com", "b.example.com"}}
 	if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANDNSMismatch) {
 		t.Fatalf("got %v, want ErrClaimSANDNSMismatch", err)
 	}
 }
 func TestDeviceMatchesCSR_SANDNSMismatch_Extra(t *testing.T) {
 	csr := newCSRFixture("d", []string{"a.example.com", "evil.example.com"}, nil)
 	c := &ChallengeClaim{SANDNS: []string{"a.example.com"}}
 	if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANDNSMismatch) {
 		t.Fatalf("got %v, want ErrClaimSANDNSMismatch (CSR carries extra SAN)", err)
 	}
 }
 func TestDeviceMatchesCSR_SANDNSMatch_CaseInsensitive(t *testing.T) {
 	csr := newCSRFixture("d", []string{"A.Example.COM"}, nil)
 	c := &ChallengeClaim{SANDNS: []string{"a.example.com"}}
 	if err := c.DeviceMatchesCSR(csr); err != nil {
 		t.Fatalf("DNS comparison must be case-insensitive (RFC 4343): %v", err)
 	}
 }
 func TestDeviceMatchesCSR_SANDNSDedupe(t *testing.T) {
 	// CSR with duplicate SAN entries should still match a claim that
 	// only lists each unique value once. The "set" in set-equality is
 	// the cert's effective SAN set, not the multiset.
 	csr := newCSRFixture("d", []string{"a.example.com", "a.example.com"}, nil)
 	c := &ChallengeClaim{SANDNS: []string{"a.example.com"}}
 	if err := c.DeviceMatchesCSR(csr); err != nil {
 		t.Fatalf("dedup-equality must hold: %v", err)
 	}
 }
 func TestDeviceMatchesCSR_EmptyClaimSAN_NoConstraint(t *testing.T) {
 	csr := newCSRFixture("d", []string{"any.example.com"}, nil)
 	c := &ChallengeClaim{} // no SANDNS pinned
 	if err := c.DeviceMatchesCSR(csr); err != nil {
 		t.Fatalf("empty claim SANDNS must impose no constraint: %v", err)
 	}
 }
 func TestDeviceMatchesCSR_SANRFC822Mismatch(t *testing.T) {
 	csr := newCSRFixture("d", nil, []string{"bob@example.com"})
 	c := &ChallengeClaim{SANRFC822: []string{"alice@example.com"}}
 	if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANRFC822Mismatch) {
 		t.Fatalf("got %v, want ErrClaimSANRFC822Mismatch", err)
 	}
 }
 func TestDeviceMatchesCSR_SANUPNMismatch_NoExtractor(t *testing.T) {
 	// extractUPNSans currently returns nil; any non-empty SANUPN claim
 	// is therefore a guaranteed mismatch (correct fail-closed behavior).
 	csr := newCSRFixture("d", nil, nil)
 	c := &ChallengeClaim{SANUPN: []string{"alice@corp.example.com"}}
 	if err := c.DeviceMatchesCSR(csr); !errors.Is(err, ErrClaimSANUPNMismatch) {
 		t.Fatalf("got %v, want ErrClaimSANUPNMismatch (UPN extractor stubbed)", err)
 	}
 }
 func TestNormaliseSet_EdgeCases(t *testing.T) {
 	cases := []struct {
 		name string
 		in   []string
 		want []string
 	}{
 		{"empty", nil, []string{}},
 		{"trim space", []string{"  hello  "}, []string{"hello"}},
 		{"drop empty after trim", []string{"   ", "x"}, []string{"x"}},
 		{"lowercase", []string{"HELLO", "World"}, []string{"hello", "world"}},
 		{"dedupe", []string{"a", "a", "b"}, []string{"a", "b"}},
 		{"sort", []string{"c", "a", "b"}, []string{"a", "b", "c"}},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			got := normaliseSet(tc.in)
 			if !equalSets(got, tc.want) {
 				t.Errorf("normaliseSet(%v) = %v, want %v", tc.in, got, tc.want)
 			}
 		})
 	}
 }
 func TestEqualSets_LengthMismatch(t *testing.T) {
 	if equalSets([]string{"a", "b"}, []string{"a"}) {
 		t.Errorf("different-length sets must not compare equal")
 	}
 }
 func TestExtractUPNSans_StubReturnsEmpty(t *testing.T) {
 	// Pin the documented stub behavior. If/when ExtractUPNSans is
 	// implemented for real, this test is the canary that flags the
 	// behavioral change.
 	if got := extractUPNSans(&x509.CertificateRequest{}); len(got) != 0 {
 		t.Errorf("extractUPNSans stub must return empty slice; got %v", got)
 	}
 }
@@ -0,0 +1,56 @@
 // Package intune handles the Microsoft Intune dynamic-challenge format
 // embedded in SCEP CSR challengePassword attributes when the SCEP server
 // is sitting behind the Microsoft Intune Certificate Connector.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 7.
 //
 // Architecture context:
 //
 //	Intune cloud
 //	  ↓ (device cert request)
 //	Intune Certificate Connector (on customer infra)
 //	  ↓ (SCEP CSR with challenge signed by Connector)
 //	certctl SCEP server     ← THIS PACKAGE validates the Connector's signed challenge
 //	  ↓ (issue cert)
 //	issuer connector (local CA, Vault, EJBCA, etc.)
 //
 // The Connector's signed challenge is a JWT-like blob (compact
 // serialization, header.payload.signature) where the payload is a JSON
 // object containing the device + user claim, the expected CN + SANs,
 // expiry, and a nonce. The signature is over header+"."+payload using
 // the Connector's installation signing key — the operator extracts that
 // key's certificate and configures it as certctl's trust anchor at
 // startup.
 //
 // This package does NOT call Microsoft's API directly. The Connector
 // already did that; this package validates the Connector's attestation.
 //
 // What this package is NOT:
 //
 //   - NOT a full JWT (JOSE) implementation. It parses + verifies one
 //     specific format with a fixed set of supported algorithms (RS256,
 //     ES256). No JWKS fetch, no JKU header trust, no kid-based key
 //     rotation — the operator-supplied trust bundle IS the trust
 //     anchor, and the validator tries each cert in the bundle until
 //     one verifies.
 //   - NOT a generic SCEP-shape detector. The handler dispatches to this
 //     package only when the configured SCEPProfile has IntuneEnabled=true
 //     AND the inbound challengePassword "looks Intune-shaped" (length +
 //     dot-count heuristic landed in Phase 8).
 //   - NOT a Microsoft API client. The Connector's role is to talk to
 //     Microsoft; certctl's role is to validate the Connector's signed
 //     attestation. The replacement target this whole bundle eliminates
 //     is NDES, NOT the Connector.
 //
 // References:
 //
 //   - https://learn.microsoft.com/en-us/mem/intune/protect/certificate-connector-overview
 //   - https://learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure
 //   - smallstep/step-ca Intune integration (community reverse-engineering of the format)
 //   - HashiCorp Vault PKI Intune integration (same)
 //
 // The format details land in this package from a combination of
 // Microsoft's published Connector behavior + community implementations
 // that have reverse-engineered the JWT shape. Cite the implementation
 // references in the parser code's doc comment when you change format.
 package intune
@@ -0,0 +1,56 @@
 package intune
 import (
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"testing"
 	"time"
 )
 // FuzzParseChallenge feeds arbitrary input to the parser and asserts
 // no panics. The challenge wire format is exposed to untrusted devices
 // (anyone who can hit the SCEP endpoint can submit a challenge); the
 // parser MUST never crash the SCEP server. Run for at least 5 minutes
 // in CI: `go test -run='^$' -fuzz=FuzzParseChallenge -fuzztime=5m
 // ./internal/scep/intune/...`
 //
 // SCEP RFC 8894 + Intune master bundle Phase 7.5 (fuzz coverage).
 func FuzzParseChallenge(f *testing.F) {
 	// Seed corpus: a real well-formed challenge so the fuzzer has
 	// structural mutation territory to explore (rather than starting
 	// from random ASCII).
 	hdr, _ := json.Marshal(jwtHeader{Alg: "RS256", Typ: "JWT"})
 	pl, _ := json.Marshal(challengePayloadV1{
 		Issuer:    "fuzz",
 		Audience:  "fuzz-aud",
 		IssuedAt:  time.Now().Unix(),
 		ExpiresAt: time.Now().Add(1 * time.Hour).Unix(),
 		Nonce:     "fuzz-nonce",
 	})
 	seed := base64.RawURLEncoding.EncodeToString(hdr) + "." +
 		base64.RawURLEncoding.EncodeToString(pl) + "." +
 		base64.RawURLEncoding.EncodeToString([]byte("fuzz-sig-bytes"))
 	f.Add(seed)
 	f.Add("")
 	f.Add(".")
 	f.Add("..")
 	f.Add("a.b.c")
 	f.Add("a..c")
 	f.Add(".b.")
 	f.Add("not-base64.not-base64.not-base64")
 	f.Add(string([]byte{0x00, 0x01, 0x02}))
 	f.Fuzz(func(t *testing.T, raw string) {
 		// ParseChallenge on its own.
 		_, _, _, _ = ParseChallenge(raw)
 		// Drive ValidateChallenge too — the full pipeline. Empty trust
 		// bundle short-circuits, but the parse + dispatch arms still
 		// execute; pass a non-empty placeholder so signature-verify
 		// gets exercised against arbitrary input.
 		bundle := []*x509.Certificate{} // empty to short-circuit cheap path
 		_, _ = ValidateChallenge(raw, bundle, "", time.Now())
 	})
 }
@@ -0,0 +1,193 @@
 package intune
 import (
 	"errors"
 	"sync"
 	"time"
 )
 // SCEP RFC 8894 + Intune master bundle Phase 8.6.
 //
 // PerDeviceRateLimiter is the second line of defense behind the replay cache
 // from Phase 7. The replay cache catches the same challenge being submitted
 // twice (within the challenge TTL); this rate limiter catches a compromised
 // Connector signing key (or a stolen key+cert pair) issuing many DIFFERENT
 // valid challenges for the same device subject in a short window.
 //
 // Threat model:
 //
 //   - Replay cache (Phase 7): nonce-keyed; catches duplicate submission.
 //   - This limiter: (Subject, Issuer)-keyed; catches enrollment-flooding.
 //
 // Default: 3 enrollments per (device GUID, Connector identity) per 24h.
 //
 // Sizing: 100,000 distinct device entries (matches the replay cache cap).
 // At-cap: oldest entry evicted (small janitor pass) to avoid unbounded
 // memory growth on a fleet that grows past the cap.
 //
 // Why a hand-rolled token bucket instead of pulling in golang.org/x/time/rate:
 // the rate package is in go.sum as an indirect transitive but NOT a direct
 // dep. Adding it would create a new direct dep relationship for ~30 LoC of
 // state machine. The hand-rolled version below uses only stdlib (sync.Mutex
 // + time.Time arithmetic) and is small enough to fit on one screen.
 //
 // Algorithm: each (Subject, Issuer) key maps to a bucket holding a window's
 // worth of recent enrollment timestamps. On Allow, the bucket prunes
 // timestamps older than (now - window) and either appends the current
 // timestamp + returns true, or rejects + returns false when the post-prune
 // count is already at the cap. This is the "sliding window log" rate
 // limiter — exact (no token-leak rounding); O(N_per_key) per-call but N is
 // bounded by the cap (3 by default), so effectively O(1).
 // ErrRateLimited is the typed error returned when the per-device rate limit
 // fires. The handler maps this to a CertRep FAILURE with badRequest failInfo
 // + the `rate_limited` metric label.
 var ErrRateLimited = errors.New("intune: per-device rate limit exceeded for this (subject, issuer) within the configured window")
 // PerDeviceRateLimiter is a sliding-window-log rate limiter keyed by
 // (Subject, Issuer) tuples derived from a parsed challenge claim.
 //
 // Concurrency: the limiter is safe for concurrent Allow calls. The internal
 // map is guarded by a mutex; the per-key slices are mutated only while the
 // mutex is held.
 type PerDeviceRateLimiter struct {
 	mu       sync.Mutex
 	buckets  map[string][]time.Time // key → sliding window of timestamps
 	maxN     int                    // max enrollments per window
 	window   time.Duration          // window length (default 24h)
 	cap      int                    // max keys before LRU eviction kicks in
 	disabled bool                   // maxN == 0 → all Allow calls return nil
 }
 // NewPerDeviceRateLimiter returns a limiter with the given per-key cap +
 // window. maxN ≤ 0 disables the limiter (all Allow calls return nil); this
 // is operator opt-out for the rare case where the per-device cap is
 // undesirable (e.g. test harnesses, sketchpad deploys).
 //
 // Window defaults to 24h when zero. Map cap defaults to 100,000 when zero
 // (matches the replay cache cap; see internal/scep/intune/replay.go).
 func NewPerDeviceRateLimiter(maxN int, window time.Duration, mapCap int) *PerDeviceRateLimiter {
 	if window <= 0 {
 		window = 24 * time.Hour
 	}
 	if mapCap <= 0 {
 		mapCap = 100_000
 	}
 	return &PerDeviceRateLimiter{
 		buckets:  make(map[string][]time.Time),
 		maxN:     maxN,
 		window:   window,
 		cap:      mapCap,
 		disabled: maxN <= 0,
 	}
 }
 // Allow checks whether an enrollment for the given (subject, issuer) tuple
 // is permitted right now. Returns nil when allowed (and records the timestamp
 // in the bucket) or ErrRateLimited when the bucket is at maxN.
 //
 // Empty subject is treated as "skip the limiter" — the caller's claim
 // validation should have rejected an empty-subject claim already; this is
 // belt-and-suspenders to prevent a single empty-subject bucket from
 // becoming a fleet-wide chokepoint. The Connector emits non-empty subject
 // (device GUID) on every legitimate challenge.
 func (l *PerDeviceRateLimiter) Allow(subject, issuer string, now time.Time) error {
 	if l.disabled {
 		return nil
 	}
 	if subject == "" {
 		// Caller's claim validation should reject empty-subject upstream;
 		// this short-circuit is defense-in-depth so a misconfigured
 		// Connector can't DoS us via the rate-limit path.
 		return nil
 	}
 	key := subject + "|" + issuer
 	l.mu.Lock()
 	defer l.mu.Unlock()
 	// At-cap eviction: when the map is full, drop the oldest entry by
 	// finding the bucket whose newest timestamp is the smallest. O(N) but
 	// rarely fires; the prune-on-Allow path keeps most buckets short-lived.
 	if len(l.buckets) >= l.cap {
 		l.evictOldestLocked(now)
 	}
 	bucket := l.buckets[key]
 	bucket = pruneOlderThan(bucket, now.Add(-l.window))
 	if len(bucket) >= l.maxN {
 		// Don't append; over the limit. Persist the pruned bucket so the
 		// next call sees the most-recently-pruned state.
 		l.buckets[key] = bucket
 		return ErrRateLimited
 	}
 	bucket = append(bucket, now)
 	l.buckets[key] = bucket
 	return nil
 }
 // pruneOlderThan returns the slice with all entries strictly before
 // `cutoff` removed. Preserves order (timestamps are appended in increasing
 // time, so a single linear scan from the front suffices).
 func pruneOlderThan(b []time.Time, cutoff time.Time) []time.Time {
 	i := 0
 	for i < len(b) && b[i].Before(cutoff) {
 		i++
 	}
 	if i == 0 {
 		return b
 	}
 	// Copy-shrink to release the underlying-array memory eventually
 	// (otherwise the slice would hold a reference to the older entries
 	// indefinitely until a re-allocation).
 	out := make([]time.Time, len(b)-i)
 	copy(out, b[i:])
 	return out
 }
 // evictOldestLocked drops the map entry whose newest timestamp is the
 // oldest. Called under l.mu. O(N_keys) per eviction; at-cap is rare in
 // practice (caps are sized for fleet steady-state).
 func (l *PerDeviceRateLimiter) evictOldestLocked(now time.Time) {
 	var (
 		oldestKey string
 		oldestTs  time.Time
 		first     = true
 	)
 	for k, b := range l.buckets {
 		if len(b) == 0 {
 			// Empty bucket — drop it immediately, no candidate scan needed.
 			delete(l.buckets, k)
 			return
 		}
 		newest := b[len(b)-1]
 		if first || newest.Before(oldestTs) {
 			oldestKey = k
 			oldestTs = newest
 			first = false
 		}
 	}
 	if oldestKey != "" {
 		delete(l.buckets, oldestKey)
 	}
 	// Suppress unused-parameter warning for `now` in case the eviction
 	// strategy changes (e.g. swap to LRU keyed by time of last Allow).
 	_ = now
 }
 // Len returns the approximate number of distinct (subject, issuer) keys
 // currently tracked. For observability + tests; not load-stable under
 // concurrent Allow calls.
 func (l *PerDeviceRateLimiter) Len() int {
 	l.mu.Lock()
 	defer l.mu.Unlock()
 	return len(l.buckets)
 }
 // Disabled reports whether the limiter is in opt-out mode (maxN ≤ 0).
 // Useful for handler-side gating + admin-endpoint observability.
 func (l *PerDeviceRateLimiter) Disabled() bool {
 	return l.disabled
 }
@@ -0,0 +1,190 @@
 package intune
 import (
 	"errors"
 	"fmt"
 	"sync"
 	"testing"
 	"time"
 )
 func TestPerDeviceRateLimiter_AllowsUpToCap(t *testing.T) {
 	l := NewPerDeviceRateLimiter(3, 24*time.Hour, 10)
 	now := time.Now()
 	for i := 0; i < 3; i++ {
 		if err := l.Allow("device-1", "issuer-A", now.Add(time.Duration(i)*time.Minute)); err != nil {
 			t.Fatalf("call %d should be allowed: %v", i+1, err)
 		}
 	}
 	if err := l.Allow("device-1", "issuer-A", now.Add(4*time.Minute)); !errors.Is(err, ErrRateLimited) {
 		t.Fatalf("4th call should be rate-limited; got %v", err)
 	}
 }
 func TestPerDeviceRateLimiter_DistinctKeysIndependent(t *testing.T) {
 	l := NewPerDeviceRateLimiter(1, 24*time.Hour, 10)
 	now := time.Now()
 	if err := l.Allow("device-1", "issuer-A", now); err != nil {
 		t.Fatalf("first allow: %v", err)
 	}
 	// Different subject — independent bucket.
 	if err := l.Allow("device-2", "issuer-A", now); err != nil {
 		t.Fatalf("different subject must have its own bucket: %v", err)
 	}
 	// Different issuer — also independent.
 	if err := l.Allow("device-1", "issuer-B", now); err != nil {
 		t.Fatalf("different issuer must have its own bucket: %v", err)
 	}
 	// Same key as call 1 — must be limited.
 	if err := l.Allow("device-1", "issuer-A", now.Add(1*time.Second)); !errors.Is(err, ErrRateLimited) {
 		t.Fatalf("repeat key should be limited; got %v", err)
 	}
 }
 func TestPerDeviceRateLimiter_WindowExpiry(t *testing.T) {
 	l := NewPerDeviceRateLimiter(2, 1*time.Hour, 10)
 	now := time.Now()
 	if err := l.Allow("dev", "iss", now); err != nil {
 		t.Fatal(err)
 	}
 	if err := l.Allow("dev", "iss", now.Add(30*time.Minute)); err != nil {
 		t.Fatal(err)
 	}
 	// Inside window — limited.
 	if err := l.Allow("dev", "iss", now.Add(45*time.Minute)); !errors.Is(err, ErrRateLimited) {
 		t.Fatalf("inside-window 3rd call should be limited: %v", err)
 	}
 	// Past window — slots reopen.
 	if err := l.Allow("dev", "iss", now.Add(2*time.Hour)); err != nil {
 		t.Fatalf("past-window call should be allowed (window reset): %v", err)
 	}
 }
 func TestPerDeviceRateLimiter_DisabledBypass(t *testing.T) {
 	l := NewPerDeviceRateLimiter(0, 24*time.Hour, 10) // maxN=0 → disabled
 	if !l.Disabled() {
 		t.Fatal("limiter with maxN=0 must report Disabled()=true")
 	}
 	now := time.Now()
 	for i := 0; i < 100; i++ {
 		if err := l.Allow("dev", "iss", now); err != nil {
 			t.Fatalf("disabled limiter must allow everything: %v", err)
 		}
 	}
 	// Disabled limiter doesn't track buckets.
 	if got := l.Len(); got != 0 {
 		t.Errorf("disabled limiter Len() = %d, want 0", got)
 	}
 }
 func TestPerDeviceRateLimiter_NegativeCapDisabled(t *testing.T) {
 	l := NewPerDeviceRateLimiter(-1, 24*time.Hour, 10)
 	if !l.Disabled() {
 		t.Fatal("negative maxN must produce a disabled limiter")
 	}
 }
 func TestPerDeviceRateLimiter_EmptySubjectShortCircuits(t *testing.T) {
 	// Empty subject is the caller's defense-in-depth case (claim validation
 	// upstream should reject empty-subject claims first). Limiter must not
 	// build a single shared bucket keyed by empty-subject — that would
 	// be a fleet-wide chokepoint.
 	l := NewPerDeviceRateLimiter(1, 24*time.Hour, 10)
 	now := time.Now()
 	for i := 0; i < 50; i++ {
 		if err := l.Allow("", "iss", now); err != nil {
 			t.Fatalf("empty subject must short-circuit (call %d): %v", i, err)
 		}
 	}
 	if got := l.Len(); got != 0 {
 		t.Errorf("Len after 50 empty-subject calls = %d, want 0 (no bucket created)", got)
 	}
 }
 func TestPerDeviceRateLimiter_DefaultCapsHonored(t *testing.T) {
 	l := NewPerDeviceRateLimiter(5, 0, 0) // window=0 → 24h default; cap=0 → 100k default
 	if l.window != 24*time.Hour {
 		t.Errorf("default window = %v, want 24h", l.window)
 	}
 	if l.cap != 100_000 {
 		t.Errorf("default cap = %d, want 100000", l.cap)
 	}
 }
 func TestPerDeviceRateLimiter_MapCapEvictsOldest(t *testing.T) {
 	// Cap of 3 keys to exercise the eviction branch deterministically.
 	l := NewPerDeviceRateLimiter(2, 1*time.Hour, 3)
 	now := time.Now()
 	// Insert 3 distinct keys with increasing timestamps.
 	for i := 0; i < 3; i++ {
 		key := fmt.Sprintf("dev-%d", i)
 		if err := l.Allow(key, "iss", now.Add(time.Duration(i)*time.Minute)); err != nil {
 			t.Fatalf("insert %d: %v", i, err)
 		}
 	}
 	if l.Len() != 3 {
 		t.Fatalf("Len = %d, want 3", l.Len())
 	}
 	// 4th key forces eviction of dev-0 (its newest timestamp is oldest).
 	if err := l.Allow("dev-3", "iss", now.Add(10*time.Minute)); err != nil {
 		t.Fatalf("4th-key insert: %v", err)
 	}
 	if l.Len() != 3 {
 		t.Errorf("Len after at-cap insert = %d, want 3 (cap honored)", l.Len())
 	}
 }
 func TestPerDeviceRateLimiter_ConcurrentRaceFree(t *testing.T) {
 	if testing.Short() {
 		t.Skip("race-style test under -short")
 	}
 	l := NewPerDeviceRateLimiter(50, 24*time.Hour, 10000)
 	var wg sync.WaitGroup
 	for g := 0; g < 20; g++ {
 		wg.Add(1)
 		go func(id int) {
 			defer wg.Done()
 			now := time.Now()
 			key := fmt.Sprintf("dev-%d", id)
 			for i := 0; i < 30; i++ {
 				_ = l.Allow(key, "iss", now)
 			}
 		}(g)
 	}
 	wg.Wait()
 	if got := l.Len(); got != 20 {
 		t.Errorf("expected 20 distinct keys; got %d", got)
 	}
 }
 func TestPruneOlderThan(t *testing.T) {
 	t0 := time.Now()
 	in := []time.Time{
 		t0.Add(-3 * time.Hour),    // pruned (older than cutoff)
 		t0.Add(-2 * time.Hour),    // pruned (older than cutoff)
 		t0.Add(-1 * time.Hour),    // survives (-60m is NEWER than the -90m cutoff)
 		t0.Add(-30 * time.Minute), // survives
 		t0,                        // survives
 	}
 	out := pruneOlderThan(in, t0.Add(-90*time.Minute))
 	if len(out) != 3 {
 		t.Fatalf("len(out) = %d, want 3 (-1h, -30m, t0 all newer than -90m cutoff)", len(out))
 	}
 	if !out[0].Equal(t0.Add(-1 * time.Hour)) {
 		t.Errorf("out[0] = %v, want -1h (oldest surviving entry)", out[0])
 	}
 }
 func TestPruneOlderThan_NoOpWhenNothingToPrune(t *testing.T) {
 	t0 := time.Now()
 	in := []time.Time{t0.Add(-1 * time.Minute), t0}
 	out := pruneOlderThan(in, t0.Add(-1*time.Hour))
 	// Same slice header (no copy needed).
 	if len(out) != len(in) {
 		t.Fatalf("len(out) = %d, want %d", len(out), len(in))
 	}
 }
@@ -0,0 +1,191 @@
 package intune
 import (
 	"sync"
 	"time"
 )
 // ReplayCache is a bounded in-memory cache of seen Intune challenge
 // nonces with TTL. Gates against the same Connector-signed challenge
 // being replayed against the SCEP server within its validity window.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 7.4b.
 //
 // Sizing rationale (cap = 100,000 entries):
 //
 //   - Microsoft's published Connector defaults give each challenge
 //     a 60-minute validity window. A high-volume Intune fleet
 //     enrolling at ~25 RPS hits ~90,000 challenges/hour.
 //   - Capping at 100,000 covers the steady-state load with headroom.
 //     When the cap is hit, the janitor goroutine evicts entries past
 //     TTL first; if all entries are still in-window, oldest-first
 //     eviction kicks in (LRU semantics) — accepting the small
 //     replay-window risk over an OOM crash.
 //   - Operators who push beyond this rate should flip to a Redis-
 //     backed implementation (deferred to V3-Pro per the master
 //     prompt's deferral list); the in-memory variant is V2 default.
 //
 // Concurrency: sync.Map handles concurrent read/write without an
 // explicit lock; the janitor goroutine periodically walks for expired
 // entries. Cap enforcement on Insert is done under a small mutex so
 // the cap check + size update are atomic.
 type ReplayCache struct {
 	entries  sync.Map   // nonce → expiry (time.Time)
 	mu       sync.Mutex // guards size + janitor lifecycle
 	size     int        // approximate count (sync.Map has no Len)
 	cap      int        // max entries before LRU eviction kicks in
 	ttl      time.Duration
 	stop     chan struct{}
 	stopOnce sync.Once
 }
 // NewReplayCache returns a ReplayCache with the given TTL + cap. Starts
 // a janitor goroutine that wakes every TTL/4 to evict expired entries.
 // Caller MUST call Close when done to stop the goroutine.
 //
 // TTL = 0 disables the janitor (useful for tests that drive expiry
 // manually).
 // cap = 0 defaults to 100,000 (the rationale-documented production
 // default).
 func NewReplayCache(ttl time.Duration, capHint int) *ReplayCache {
 	if capHint <= 0 {
 		capHint = 100_000
 	}
 	c := &ReplayCache{
 		cap:  capHint,
 		ttl:  ttl,
 		stop: make(chan struct{}),
 	}
 	if ttl > 0 {
 		go c.janitor()
 	}
 	return c
 }
 // CheckAndInsert returns true when the nonce has NOT been seen before
 // (i.e. the challenge is not a replay) AND records the nonce as seen
 // with expiry = now + c.ttl. Returns false when the nonce was already
 // seen and is still within its TTL window — the caller should treat
 // this as a replay attack and reject the challenge.
 //
 // At-cap behavior: when the cache is full, CheckAndInsert evicts the
 // oldest entry (a single Range pass to find min-expiry) before
 // inserting. This is O(N) at the boundary; in practice the janitor
 // keeps the cache below cap so the eviction path rarely fires.
 func (c *ReplayCache) CheckAndInsert(nonce string, now time.Time) bool {
 	if nonce == "" {
 		// Empty nonce can't be tracked meaningfully; treat as 'fresh'
 		// — the caller's claim-validation should reject empty-nonce
 		// challenges separately (it's a Connector-emitted-format bug).
 		return true
 	}
 	if existing, ok := c.entries.Load(nonce); ok {
 		if existingExpiry, _ := existing.(time.Time); now.Before(existingExpiry) {
 			return false // replay
 		}
 		// Past TTL; drop + treat as fresh (race-safe: even if two
 		// goroutines see the expired entry, both proceed and the second
 		// Insert wins).
 		c.delete(nonce)
 	}
 	// At-cap LRU eviction.
 	c.mu.Lock()
 	if c.size >= c.cap {
 		c.evictOldestLocked()
 	}
 	c.size++
 	c.mu.Unlock()
 	c.entries.Store(nonce, now.Add(c.ttl))
 	return true
 }
 // Close stops the janitor goroutine. Safe to call multiple times.
 func (c *ReplayCache) Close() {
 	c.stopOnce.Do(func() {
 		close(c.stop)
 	})
 }
 // Sweep walks the entries and evicts any past TTL. Public so tests
 // can drive expiry without waiting for the janitor's tick. Returns
 // the number of entries evicted.
 func (c *ReplayCache) Sweep(now time.Time) int {
 	evicted := 0
 	c.entries.Range(func(k, v any) bool {
 		expiry, _ := v.(time.Time)
 		if !now.Before(expiry) {
 			c.delete(k.(string))
 			evicted++
 		}
 		return true
 	})
 	return evicted
 }
 // delete is the size-tracked counterpart to entries.Delete. The size
 // counter is approximate (sync.Map.Range races with Insert), but the
 // approximation only affects cap enforcement timing — never causes a
 // false replay rejection.
 func (c *ReplayCache) delete(nonce string) {
 	if _, loaded := c.entries.LoadAndDelete(nonce); loaded {
 		c.mu.Lock()
 		if c.size > 0 {
 			c.size--
 		}
 		c.mu.Unlock()
 	}
 }
 // evictOldestLocked is called under c.mu held. Walks entries to find
 // the entry with the minimum expiry (i.e. the oldest entry — closest
 // to its TTL deadline) and removes it. O(N) but rarely hit; the
 // janitor keeps the cache below cap.
 func (c *ReplayCache) evictOldestLocked() {
 	var oldestKey string
 	var oldestExpiry time.Time
 	first := true
 	c.entries.Range(func(k, v any) bool {
 		expiry, _ := v.(time.Time)
 		if first || expiry.Before(oldestExpiry) {
 			oldestKey = k.(string)
 			oldestExpiry = expiry
 			first = false
 		}
 		return true
 	})
 	if oldestKey != "" {
 		if _, loaded := c.entries.LoadAndDelete(oldestKey); loaded && c.size > 0 {
 			c.size--
 		}
 	}
 }
 // janitor wakes every ttl/4 and sweeps expired entries. Background-only;
 // the test harness can drive expiry deterministically via Sweep.
 func (c *ReplayCache) janitor() {
 	interval := c.ttl / 4
 	if interval <= 0 {
 		interval = 1 * time.Minute
 	}
 	t := time.NewTicker(interval)
 	defer t.Stop()
 	for {
 		select {
 		case <-c.stop:
 			return
 		case <-t.C:
 			c.Sweep(time.Now())
 		}
 	}
 }
 // Len returns the approximate cache size for observability. Not
 // load-stable; use only for metrics + debug logs.
 func (c *ReplayCache) Len() int {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	return c.size
 }
@@ -0,0 +1,151 @@
 package intune
 import (
 	"fmt"
 	"sync"
 	"testing"
 	"time"
 )
 func TestReplayCache_FirstInsertFresh(t *testing.T) {
 	c := NewReplayCache(60*time.Minute, 100)
 	defer c.Close()
 	if !c.CheckAndInsert("nonce-1", time.Now()) {
 		t.Fatalf("first insert must report fresh")
 	}
 }
 func TestReplayCache_DuplicateRejected(t *testing.T) {
 	c := NewReplayCache(60*time.Minute, 100)
 	defer c.Close()
 	now := time.Now()
 	if !c.CheckAndInsert("nonce-1", now) {
 		t.Fatalf("first insert must report fresh")
 	}
 	if c.CheckAndInsert("nonce-1", now) {
 		t.Fatalf("second insert must report replay")
 	}
 }
 func TestReplayCache_PastTTLTreatedAsFresh(t *testing.T) {
 	// TTL=0 disables the janitor; we drive expiry by passing future timestamps.
 	c := NewReplayCache(10*time.Minute, 100)
 	defer c.Close()
 	t0 := time.Now()
 	if !c.CheckAndInsert("nonce-1", t0) {
 		t.Fatalf("first insert must report fresh")
 	}
 	// Same nonce, but observation time is past expiry → fresh again.
 	if !c.CheckAndInsert("nonce-1", t0.Add(11*time.Minute)) {
 		t.Fatalf("post-TTL re-insert must report fresh")
 	}
 }
 func TestReplayCache_SweepEvictsExpired(t *testing.T) {
 	c := NewReplayCache(10*time.Minute, 100)
 	defer c.Close()
 	t0 := time.Now()
 	c.CheckAndInsert("nonce-1", t0)
 	c.CheckAndInsert("nonce-2", t0)
 	if got := c.Len(); got != 2 {
 		t.Fatalf("Len = %d, want 2", got)
 	}
 	evicted := c.Sweep(t0.Add(11 * time.Minute))
 	if evicted != 2 {
 		t.Errorf("Sweep evicted %d, want 2", evicted)
 	}
 	if got := c.Len(); got != 0 {
 		t.Errorf("Len after sweep = %d, want 0", got)
 	}
 }
 func TestReplayCache_EmptyNonceTreatedAsFresh(t *testing.T) {
 	c := NewReplayCache(10*time.Minute, 100)
 	defer c.Close()
 	if !c.CheckAndInsert("", time.Now()) {
 		t.Fatalf("empty nonce must short-circuit to fresh (caller validates separately)")
 	}
 	// And a second empty also returns fresh (we don't track them).
 	if !c.CheckAndInsert("", time.Now()) {
 		t.Fatalf("second empty nonce should also report fresh; we don't cache empties")
 	}
 }
 func TestReplayCache_AtCapEvictsOldest(t *testing.T) {
 	// Cap of 3 makes the boundary easy to hit deterministically.
 	c := NewReplayCache(60*time.Minute, 3)
 	defer c.Close()
 	t0 := time.Now()
 	// Insert 3 entries with strictly increasing expiries.
 	c.CheckAndInsert("oldest", t0)
 	c.CheckAndInsert("middle", t0.Add(1*time.Minute))
 	c.CheckAndInsert("newest", t0.Add(2*time.Minute))
 	if got := c.Len(); got != 3 {
 		t.Fatalf("Len = %d, want 3", got)
 	}
 	// 4th insert must evict "oldest".
 	c.CheckAndInsert("brand-new", t0.Add(3*time.Minute))
 	if got := c.Len(); got != 3 {
 		t.Errorf("Len after at-cap insert = %d, want 3 (cap honored)", got)
 	}
 	// "oldest" should now be re-insertable as fresh.
 	if !c.CheckAndInsert("oldest", t0.Add(4*time.Minute)) {
 		t.Errorf("oldest must have been evicted under LRU at-cap policy")
 	}
 }
 func TestReplayCache_DefaultCap(t *testing.T) {
 	// capHint = 0 should default to 100,000 per the documented sizing.
 	c := NewReplayCache(60*time.Minute, 0)
 	defer c.Close()
 	if c.cap != 100_000 {
 		t.Errorf("default cap = %d, want 100000", c.cap)
 	}
 }
 func TestReplayCache_CloseIsIdempotent(t *testing.T) {
 	c := NewReplayCache(60*time.Minute, 10)
 	c.Close()
 	c.Close() // must not panic
 }
 func TestReplayCache_TTLZeroDisablesJanitor(t *testing.T) {
 	// TTL=0 + capHint=0 should produce a usable cache that doesn't
 	// background-evict; the test mostly pins that NewReplayCache returns
 	// without panicking and that Close still works.
 	c := NewReplayCache(0, 10)
 	defer c.Close()
 	// Empty nonce path is the only safe one without TTL semantics; exercise it.
 	if !c.CheckAndInsert("", time.Now()) {
 		t.Fatalf("zero-TTL cache must still serve empty-nonce fast path")
 	}
 }
 func TestReplayCache_ConcurrentInsertsRaceFree(t *testing.T) {
 	if testing.Short() {
 		t.Skip("race-style test under -short; run full suite for coverage")
 	}
 	c := NewReplayCache(60*time.Minute, 10000)
 	defer c.Close()
 	var wg sync.WaitGroup
 	for i := 0; i < 50; i++ {
 		wg.Add(1)
 		go func(id int) {
 			defer wg.Done()
 			now := time.Now()
 			for j := 0; j < 200; j++ {
 				c.CheckAndInsert(fmt.Sprintf("g%d-n%d", id, j), now)
 			}
 		}(i)
 	}
 	wg.Wait()
 	if got := c.Len(); got != 50*200 {
 		t.Errorf("Len = %d, want %d (no Insert dropped under contention)", got, 50*200)
 	}
 }
@@ -0,0 +1,73 @@
 package intune
 import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"os"
 	"time"
 )
 // LoadTrustAnchor reads a PEM bundle of one or more Intune Connector
 // signing certificates from the configured path. Returns the slice of
 // parsed certs that the validator will accept as challenge issuers.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 7.2.
 //
 // Behavior:
 //
 //   - File must exist + be readable.
 //   - PEM-decodes the file; non-CERTIFICATE blocks are skipped (so an
 //     operator can paste a chain that includes a private key by mistake
 //     without breaking the load — the priv key is just ignored).
 //   - Returns an error if zero CERTIFICATE blocks parse.
 //   - Returns an error if any cert is past NotAfter (a stale trust
 //     anchor would silently reject every Intune challenge at runtime;
 //     fail loud at startup instead).
 //
 // Operators rotate Connector signing certs periodically; the trust
 // anchor file is reloaded on SIGHUP (handled by the existing config
 // watch loop in cmd/server/main.go — see cmd/server/tls.go::watchSIGHUP
 // for the precedent).
 func LoadTrustAnchor(path string) ([]*x509.Certificate, error) {
 	if path == "" {
 		return nil, fmt.Errorf("intune: trust anchor path is empty")
 	}
 	body, err := os.ReadFile(path)
 	if err != nil {
 		return nil, fmt.Errorf("intune: read trust anchor %q: %w", path, err)
 	}
 	return parseTrustAnchorPEM(body, path, time.Now())
 }
 // parseTrustAnchorPEM is the file-IO-free core of LoadTrustAnchor. Split
 // out so unit tests can hand it byte slices without writing temp files.
 // `now` is taken as a parameter so expiry tests can pin a deterministic
 // clock.
 func parseTrustAnchorPEM(body []byte, sourceLabel string, now time.Time) ([]*x509.Certificate, error) {
 	var out []*x509.Certificate
 	rest := body
 	for {
 		var block *pem.Block
 		block, rest = pem.Decode(rest)
 		if block == nil {
 			break
 		}
 		if block.Type != "CERTIFICATE" {
 			continue
 		}
 		cert, err := x509.ParseCertificate(block.Bytes)
 		if err != nil {
 			return nil, fmt.Errorf("intune: parse trust anchor cert in %q: %w", sourceLabel, err)
 		}
 		if now.After(cert.NotAfter) {
 			return nil, fmt.Errorf("intune: trust anchor cert in %q expired at %s (subject=%q) — operator must rotate the Connector signing cert before restart",
 				sourceLabel, cert.NotAfter.Format(time.RFC3339), cert.Subject.CommonName)
 		}
 		out = append(out, cert)
 	}
 	if len(out) == 0 {
 		return nil, fmt.Errorf("intune: trust anchor %q contains no CERTIFICATE PEM blocks", sourceLabel)
 	}
 	return out, nil
 }
@@ -0,0 +1,143 @@
 package intune
 import (
 	"crypto/x509"
 	"errors"
 	"log/slog"
 	"os"
 	"os/signal"
 	"sync"
 	"syscall"
 )
 // TrustAnchorHolder is the SIGHUP-reloadable wrapper around a per-profile
 // Intune Connector trust anchor pool.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 8.5.
 //
 // Mirrors the shape established by `cmd/server/tls.go::certHolder` for the
 // server TLS cert: an RWMutex-guarded pool, a Get accessor that's safe for
 // concurrent callers from the request path, a Reload that re-reads the file
 // and atomically swaps the slice on success (failure leaves the OLD pool in
 // place so a bad reload doesn't take Intune enrollment down), and a
 // watchSIGHUP goroutine that responds to the same SIGHUP the operator uses
 // to rotate the server TLS cert.
 //
 // Why SIGHUP specifically (vs fsnotify or a polling loop): SIGHUP is the
 // repo-established convention (see cmd/server/tls.go). fsnotify would add a
 // new direct dep + complicate the cleanup story. The operator's Connector-
 // rotation script writes the new PEM bundle then sends SIGHUP — the same
 // signal that already rotates the server TLS cert — and both swap atomically.
 //
 // Concurrency contract:
 //   - Get returns the pool slice header by value; the slice itself is
 //     immutable per-snapshot (Reload swaps a fresh slice rather than
 //     mutating the existing one). Callers may iterate the returned slice
 //     without holding any lock.
 //   - Reload acquires a write lock briefly for the swap. Concurrent Get
 //     calls block only for that swap window (microseconds).
 //   - watchSIGHUP runs at most one Reload at a time per holder.
 type TrustAnchorHolder struct {
 	mu     sync.RWMutex
 	certs  []*x509.Certificate
 	path   string
 	logger *slog.Logger
 }
 // NewTrustAnchorHolder loads the trust bundle and returns a holder. Returns
 // the same fail-loud error LoadTrustAnchor does on initial load — the
 // startup gate at cmd/server/main.go is supposed to refuse boot when this
 // fails. Subsequent Reload errors are non-fatal (logged + old pool retained).
 //
 // The logger is required (never nil); the caller passes a per-profile
 // scoped logger so SIGHUP-reload events show the PathID for triage.
 func NewTrustAnchorHolder(path string, logger *slog.Logger) (*TrustAnchorHolder, error) {
 	if logger == nil {
 		return nil, errors.New("intune: TrustAnchorHolder requires a non-nil logger")
 	}
 	certs, err := LoadTrustAnchor(path)
 	if err != nil {
 		return nil, err
 	}
 	return &TrustAnchorHolder{
 		certs:  certs,
 		path:   path,
 		logger: logger,
 	}, nil
 }
 // Get returns the current trust anchor pool. Safe for concurrent callers;
 // the slice header is returned by value and the underlying slice is
 // immutable per-snapshot (Reload swaps a fresh slice, doesn't mutate in
 // place — see Reload).
 func (h *TrustAnchorHolder) Get() []*x509.Certificate {
 	h.mu.RLock()
 	defer h.mu.RUnlock()
 	return h.certs
 }
 // Path returns the on-disk path the holder reloads from. Useful for
 // observability (admin endpoints, log lines) without exposing the cert
 // pool itself.
 func (h *TrustAnchorHolder) Path() string {
 	return h.path
 }
 // Reload re-reads the trust anchor file at h.path and atomically swaps the
 // pool. Returns the parse error if the new file is invalid; the OLD pool
 // stays in place so a bad reload doesn't take Intune enrollment down.
 //
 // Same fail-safe pattern as cmd/server/tls.go::(*certHolder).Reload — a
 // rotation that writes a half-file (operator overwrites the bundle while
 // only some of the new certs are in it) would otherwise crash the
 // service mid-rotation. Logging + retaining the old pool gives the
 // operator a bounded window to fix and re-SIGHUP.
 func (h *TrustAnchorHolder) Reload() error {
 	certs, err := LoadTrustAnchor(h.path)
 	if err != nil {
 		return err
 	}
 	h.mu.Lock()
 	h.certs = certs
 	h.mu.Unlock()
 	return nil
 }
 // WatchSIGHUP installs a signal handler that calls Reload on each SIGHUP.
 // The returned stop function closes the internal done channel and stops
 // signal delivery so the goroutine can exit cleanly during shutdown.
 //
 // Errors from Reload are logged but do not terminate the watcher — the
 // operator can fix the files and send another SIGHUP. Mirrors the
 // (*certHolder).watchSIGHUP contract exactly.
 //
 // Multiple holders can coexist: each registers its own goroutine on the
 // same SIGHUP signal. signal.Notify multicasts to every registered
 // channel, so a single SIGHUP reloads every per-profile Intune trust
 // anchor PLUS the server TLS cert in one operator action — exactly the
 // design requirement (one SIGHUP rotates everything).
 func (h *TrustAnchorHolder) WatchSIGHUP() (stop func()) {
 	ch := make(chan os.Signal, 1)
 	signal.Notify(ch, syscall.SIGHUP)
 	done := make(chan struct{})
 	go func() {
 		for {
 			select {
 			case <-ch:
 				if err := h.Reload(); err != nil {
 					h.logger.Error("Intune trust anchor reload failed; continuing with previous pool",
 						"error", err,
 						"path", h.path)
 					continue
 				}
 				h.logger.Info("Intune trust anchor reloaded via SIGHUP",
 					"path", h.path,
 					"certs_loaded", len(h.Get()))
 			case <-done:
 				signal.Stop(ch)
 				return
 			}
 		}
 	}()
 	return func() { close(done) }
 }
@@ -0,0 +1,234 @@
 package intune
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"io"
 	"log/slog"
 	"math/big"
 	"os"
 	"path/filepath"
 	"strings"
 	"syscall"
 	"testing"
 	"time"
 )
 // silentLogger returns a logger that drops everything; the SIGHUP watcher
 // path emits Info logs we don't want fouling test output.
 func silentTestLogger() *slog.Logger {
 	return slog.New(slog.NewTextHandler(io.Discard, &slog.HandlerOptions{Level: slog.LevelError + 10}))
 }
 // writeTestBundle writes a PEM bundle of the given certs at path with mode 0600.
 func writeTestBundle(t *testing.T, path string, certs []*x509.Certificate) {
 	t.Helper()
 	body := []byte{}
 	for _, c := range certs {
 		body = append(body, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
 	}
 	if err := os.WriteFile(path, body, 0o600); err != nil {
 		t.Fatalf("WriteFile: %v", err)
 	}
 }
 // freshHolderCert is a small factory for a self-signed EC cert with a
 // caller-controlled CN + lifetime. Used by Reload tests that swap the
 // on-disk pool between calls.
 func freshHolderCert(t *testing.T, cn string, notAfter time.Time) *x509.Certificate {
 	t.Helper()
 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Fatalf("ecdsa.GenerateKey: %v", err)
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(time.Now().UnixNano()),
 		Subject:      pkix.Name{CommonName: cn},
 		NotBefore:    time.Now().Add(-1 * time.Hour),
 		NotAfter:     notAfter,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		t.Fatalf("x509.CreateCertificate: %v", err)
 	}
 	cert, err := x509.ParseCertificate(der)
 	if err != nil {
 		t.Fatalf("x509.ParseCertificate: %v", err)
 	}
 	return cert
 }
 func TestTrustAnchorHolder_NewLoadsBundle(t *testing.T) {
 	dir := t.TempDir()
 	path := filepath.Join(dir, "intune-trust.pem")
 	cert := freshHolderCert(t, "initial-conn", time.Now().Add(30*24*time.Hour))
 	writeTestBundle(t, path, []*x509.Certificate{cert})
 	holder, err := NewTrustAnchorHolder(path, silentTestLogger())
 	if err != nil {
 		t.Fatalf("NewTrustAnchorHolder: %v", err)
 	}
 	got := holder.Get()
 	if len(got) != 1 || got[0].Subject.CommonName != "initial-conn" {
 		t.Fatalf("Get returned %#v, want one cert with CN=initial-conn", got)
 	}
 	if holder.Path() != path {
 		t.Errorf("Path = %q, want %q", holder.Path(), path)
 	}
 }
 func TestTrustAnchorHolder_NewRequiresLogger(t *testing.T) {
 	if _, err := NewTrustAnchorHolder("/nonexistent", nil); err == nil {
 		t.Fatal("nil logger must error")
 	}
 }
 func TestTrustAnchorHolder_NewSurfacesLoadError(t *testing.T) {
 	if _, err := NewTrustAnchorHolder("/path/that/does/not/exist.pem", silentTestLogger()); err == nil {
 		t.Fatal("missing file must error")
 	}
 }
 func TestTrustAnchorHolder_ReloadHappyPath(t *testing.T) {
 	dir := t.TempDir()
 	path := filepath.Join(dir, "trust.pem")
 	c1 := freshHolderCert(t, "rev-1", time.Now().Add(30*24*time.Hour))
 	writeTestBundle(t, path, []*x509.Certificate{c1})
 	h, err := NewTrustAnchorHolder(path, silentTestLogger())
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Rotate on disk and call Reload.
 	c2 := freshHolderCert(t, "rev-2", time.Now().Add(30*24*time.Hour))
 	writeTestBundle(t, path, []*x509.Certificate{c2})
 	if err := h.Reload(); err != nil {
 		t.Fatalf("Reload: %v", err)
 	}
 	got := h.Get()
 	if len(got) != 1 || got[0].Subject.CommonName != "rev-2" {
 		t.Errorf("after Reload Get = %#v, want one cert CN=rev-2", got)
 	}
 }
 func TestTrustAnchorHolder_ReloadKeepsOldOnFailure(t *testing.T) {
 	// Mid-rotation half-file: operator overwrites the bundle with garbage
 	// → Reload errors → holder must still serve the OLD pool. Without this
 	// fail-safe a single typo would take Intune enrollment down for the
 	// whole window until a re-rotate.
 	dir := t.TempDir()
 	path := filepath.Join(dir, "trust.pem")
 	good := freshHolderCert(t, "stable", time.Now().Add(30*24*time.Hour))
 	writeTestBundle(t, path, []*x509.Certificate{good})
 	h, err := NewTrustAnchorHolder(path, silentTestLogger())
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Overwrite with content that LoadTrustAnchor will reject (no PEM blocks).
 	if err := os.WriteFile(path, []byte("garbage"), 0o600); err != nil {
 		t.Fatal(err)
 	}
 	if err := h.Reload(); err == nil {
 		t.Fatal("Reload from garbage file must error")
 	}
 	// Old pool still served.
 	got := h.Get()
 	if len(got) != 1 || got[0].Subject.CommonName != "stable" {
 		t.Errorf("after failed Reload Get should still be the pre-Reload pool; got %#v", got)
 	}
 }
 func TestTrustAnchorHolder_ReloadKeepsOldOnExpired(t *testing.T) {
 	dir := t.TempDir()
 	path := filepath.Join(dir, "trust.pem")
 	good := freshHolderCert(t, "still-valid", time.Now().Add(30*24*time.Hour))
 	writeTestBundle(t, path, []*x509.Certificate{good})
 	h, err := NewTrustAnchorHolder(path, silentTestLogger())
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Operator rotates to a cert that's already expired (their script
 	// pulled an old bundle by mistake). Reload should error AND the holder
 	// should retain the previous good pool — exactly the fail-safe semantics
 	// LoadTrustAnchor enforces at startup.
 	expired := freshHolderCert(t, "expired-conn", time.Now().Add(-1*time.Hour))
 	writeTestBundle(t, path, []*x509.Certificate{expired})
 	if err := h.Reload(); err == nil {
 		t.Fatal("Reload with expired cert must error")
 	}
 	if !strings.Contains(h.Get()[0].Subject.CommonName, "still-valid") {
 		t.Errorf("after expired-cert Reload, holder should retain old pool")
 	}
 }
 func TestTrustAnchorHolder_WatchSIGHUPReloadsPool(t *testing.T) {
 	dir := t.TempDir()
 	path := filepath.Join(dir, "trust.pem")
 	c1 := freshHolderCert(t, "rev-pre-sighup", time.Now().Add(30*24*time.Hour))
 	writeTestBundle(t, path, []*x509.Certificate{c1})
 	h, err := NewTrustAnchorHolder(path, silentTestLogger())
 	if err != nil {
 		t.Fatal(err)
 	}
 	stop := h.WatchSIGHUP()
 	defer stop()
 	// Rotate on disk, then send SIGHUP to our own process and poll for the swap.
 	c2 := freshHolderCert(t, "rev-post-sighup", time.Now().Add(30*24*time.Hour))
 	writeTestBundle(t, path, []*x509.Certificate{c2})
 	if err := syscall.Kill(syscall.Getpid(), syscall.SIGHUP); err != nil {
 		t.Fatalf("send SIGHUP: %v", err)
 	}
 	// Poll for up to 2 seconds.
 	deadline := time.Now().Add(2 * time.Second)
 	for {
 		got := h.Get()
 		if len(got) == 1 && got[0].Subject.CommonName == "rev-post-sighup" {
 			return
 		}
 		if time.Now().After(deadline) {
 			t.Fatalf("post-SIGHUP pool not swapped in 2s; current CN=%q", got[0].Subject.CommonName)
 		}
 		time.Sleep(20 * time.Millisecond)
 	}
 }
 func TestTrustAnchorHolder_WatchSIGHUPStopIsClean(t *testing.T) {
 	// Mirrors cmd/server/tls_test.go::TestCertHolder_WatchSIGHUP_StopExits:
 	// we do NOT fire a SIGHUP after stop(), because once signal.Stop has
 	// removed our handler the kernel's default action on SIGHUP is to
 	// terminate the process — it would kill the test runner. The contract
 	// we need to pin is "stop() is synchronous and safe", which we
 	// demonstrate by closing the watcher and verifying the holder still
 	// serves the original cert without panic.
 	dir := t.TempDir()
 	path := filepath.Join(dir, "trust.pem")
 	writeTestBundle(t, path, []*x509.Certificate{
 		freshHolderCert(t, "stop-test", time.Now().Add(30*24*time.Hour)),
 	})
 	h, err := NewTrustAnchorHolder(path, silentTestLogger())
 	if err != nil {
 		t.Fatal(err)
 	}
 	stop := h.WatchSIGHUP()
 	stop()
 	time.Sleep(50 * time.Millisecond) // let the goroutine fully exit
 	if cn := h.Get()[0].Subject.CommonName; cn != "stop-test" {
 		t.Errorf("after stop CN = %q, want unchanged stop-test", cn)
 	}
 }
@@ -0,0 +1,171 @@
 package intune
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"errors"
 	"math/big"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 	"time"
 )
 // pemEncodeCert is a small DRY helper for the PEM bundle fixtures.
 func pemEncodeCert(t *testing.T, der []byte) []byte {
 	t.Helper()
 	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
 }
 // freshConnectorCertDER returns a freshly-minted EC P-256 cert as raw DER
 // + the matching key. Lifetime is parameterised so the same factory drives
 // both the happy-path and expired-cert cases.
 func freshConnectorCertDER(t *testing.T, notAfter time.Time) ([]byte, *ecdsa.PrivateKey) {
 	t.Helper()
 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Fatalf("ecdsa.GenerateKey: %v", err)
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber: big.NewInt(time.Now().UnixNano()),
 		Subject:      pkix.Name{CommonName: "intune-connector-test"},
 		NotBefore:    time.Now().Add(-1 * time.Hour),
 		NotAfter:     notAfter,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		t.Fatalf("x509.CreateCertificate: %v", err)
 	}
 	return der, key
 }
 func TestParseTrustAnchorPEM_HappyPath_SingleCert(t *testing.T) {
 	der, _ := freshConnectorCertDER(t, time.Now().Add(365*24*time.Hour))
 	body := pemEncodeCert(t, der)
 	certs, err := parseTrustAnchorPEM(body, "test", time.Now())
 	if err != nil {
 		t.Fatalf("parseTrustAnchorPEM: %v", err)
 	}
 	if len(certs) != 1 {
 		t.Fatalf("len(certs) = %d, want 1", len(certs))
 	}
 	if certs[0].Subject.CommonName != "intune-connector-test" {
 		t.Errorf("Subject.CommonName = %q", certs[0].Subject.CommonName)
 	}
 }
 func TestParseTrustAnchorPEM_HappyPath_MultiCert(t *testing.T) {
 	d1, _ := freshConnectorCertDER(t, time.Now().Add(30*24*time.Hour))
 	d2, _ := freshConnectorCertDER(t, time.Now().Add(60*24*time.Hour))
 	body := append(pemEncodeCert(t, d1), pemEncodeCert(t, d2)...)
 	certs, err := parseTrustAnchorPEM(body, "test", time.Now())
 	if err != nil {
 		t.Fatalf("parseTrustAnchorPEM: %v", err)
 	}
 	if len(certs) != 2 {
 		t.Fatalf("len(certs) = %d, want 2", len(certs))
 	}
 }
 func TestParseTrustAnchorPEM_SkipsNonCertBlocks(t *testing.T) {
 	der, key := freshConnectorCertDER(t, time.Now().Add(30*24*time.Hour))
 	keyDER, err := x509.MarshalECPrivateKey(key)
 	if err != nil {
 		t.Fatalf("MarshalECPrivateKey: %v", err)
 	}
 	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
 	body := append(keyPEM, pemEncodeCert(t, der)...) // priv key first, cert second
 	certs, err := parseTrustAnchorPEM(body, "test", time.Now())
 	if err != nil {
 		t.Fatalf("parseTrustAnchorPEM should ignore non-CERTIFICATE blocks: %v", err)
 	}
 	if len(certs) != 1 {
 		t.Fatalf("len(certs) = %d, want 1 (priv key block must be skipped)", len(certs))
 	}
 }
 func TestParseTrustAnchorPEM_EmptyBundleRejected(t *testing.T) {
 	_, err := parseTrustAnchorPEM([]byte("nothing here"), "test", time.Now())
 	if err == nil || !strings.Contains(err.Error(), "no CERTIFICATE PEM blocks") {
 		t.Fatalf("expected 'no CERTIFICATE PEM blocks' error, got %v", err)
 	}
 }
 func TestParseTrustAnchorPEM_OnlyKeyBlocksRejected(t *testing.T) {
 	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	keyDER, _ := x509.MarshalECPrivateKey(key)
 	body := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
 	_, err := parseTrustAnchorPEM(body, "test", time.Now())
 	if err == nil {
 		t.Fatalf("expected error for bundle with no certs, got nil")
 	}
 }
 func TestParseTrustAnchorPEM_ExpiredCertRejected(t *testing.T) {
 	der, _ := freshConnectorCertDER(t, time.Now().Add(-1*time.Hour)) // already expired
 	body := pemEncodeCert(t, der)
 	_, err := parseTrustAnchorPEM(body, "expired-bundle", time.Now())
 	if err == nil || !strings.Contains(err.Error(), "expired") {
 		t.Fatalf("expected expiry error, got %v", err)
 	}
 	// Operator-actionable message must include the subject so the audit
 	// log says exactly which cert to rotate.
 	if !strings.Contains(err.Error(), "intune-connector-test") {
 		t.Errorf("error must include subject CN for operator action: %v", err)
 	}
 }
 func TestParseTrustAnchorPEM_MalformedCertRejected(t *testing.T) {
 	bad := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("not-a-real-asn1-cert")})
 	_, err := parseTrustAnchorPEM(bad, "test", time.Now())
 	if err == nil {
 		t.Fatalf("expected x509 parse error, got nil")
 	}
 }
 func TestLoadTrustAnchor_FromDisk(t *testing.T) {
 	der, _ := freshConnectorCertDER(t, time.Now().Add(30*24*time.Hour))
 	body := pemEncodeCert(t, der)
 	dir := t.TempDir()
 	path := filepath.Join(dir, "intune-trust.pem")
 	if err := os.WriteFile(path, body, 0o600); err != nil {
 		t.Fatalf("WriteFile: %v", err)
 	}
 	certs, err := LoadTrustAnchor(path)
 	if err != nil {
 		t.Fatalf("LoadTrustAnchor: %v", err)
 	}
 	if len(certs) != 1 {
 		t.Fatalf("len(certs) = %d, want 1", len(certs))
 	}
 }
 func TestLoadTrustAnchor_EmptyPath(t *testing.T) {
 	_, err := LoadTrustAnchor("")
 	if err == nil || !strings.Contains(err.Error(), "empty") {
 		t.Fatalf("expected empty-path error, got %v", err)
 	}
 }
 func TestLoadTrustAnchor_MissingFile(t *testing.T) {
 	_, err := LoadTrustAnchor("/tmp/does-not-exist-intune-trust.pem")
 	if err == nil {
 		t.Fatalf("expected file-not-found error, got nil")
 	}
 	// Don't string-assert on the OS error — just make sure it's surfaced.
 	if errors.Is(err, nil) {
 		t.Fatalf("error must be non-nil")
 	}
 }
@@ -194,13 +194,18 @@ func (s *AgentService) SubmitCSR(ctx context.Context, agentID string, certID str
 				return fmt.Errorf("CSR validation failed: %w", csrErr)
 			}
-			// Resolve MaxTTL from profile
+			// Resolve MaxTTL + must-staple from profile.
-			var maxTTLSeconds int
+			// SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up.
 			var (
 				maxTTLSeconds int
 				mustStaple    bool
 			)
 			if profile != nil {
 				maxTTLSeconds = profile.MaxTTLSeconds
 				mustStaple = profile.MustStaple
 			}
-			result, err := connector.IssueCertificate(ctx, cert.CommonName, cert.SANs, string(csrPEM), ekus, maxTTLSeconds)
+			result, err := connector.IssueCertificate(ctx, cert.CommonName, cert.SANs, string(csrPEM), ekus, maxTTLSeconds, mustStaple)
 			if err != nil {
 				return fmt.Errorf("issuer signing failed: %w", err)
 			}
@@ -139,15 +139,22 @@ func (s *ESTService) processEnrollment(ctx context.Context, csrPEM string, audit
 		"sans", strings.Join(sans, ","),
 		"issuer", s.issuerID)
-	// Resolve MaxTTL from profile
+	// Resolve MaxTTL + must-staple from profile.
-	var maxTTLSeconds int
+	// SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up: thread
 	// profile.MustStaple through to the issuer so the local issuer can
 	// add the RFC 7633 id-pe-tlsfeature extension.
 	var (
 		maxTTLSeconds int
 		mustStaple    bool
 	)
 	if profile != nil {
 		maxTTLSeconds = profile.MaxTTLSeconds
 		mustStaple = profile.MustStaple
 	}
 	// Issue the certificate via the configured issuer connector
 	// EST enrollments use profile EKUs if available, otherwise default (serverAuth + clientAuth fallback)
-	result, err := s.issuer.IssueCertificate(ctx, commonName, sans, csrPEM, ekus, maxTTLSeconds)
+	result, err := s.issuer.IssueCertificate(ctx, commonName, sans, csrPEM, ekus, maxTTLSeconds, mustStaple)
 	if err != nil {
 		s.logger.Error("EST enrollment failed",
 			"action", auditAction,
@@ -20,13 +20,19 @@ func NewIssuerConnectorAdapter(c issuer.Connector) IssuerConnector {
 // IssueCertificate delegates to the underlying connector's IssueCertificate method,
 // translating between service-layer and connector-layer types.
-func (a *IssuerConnectorAdapter) IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int) (*IssuanceResult, error) {
+//
 // SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up: mustStaple flows
 // through to the IssuanceRequest.MustStaple field. Only the local issuer
 // honors it (RFC 7633 id-pe-tlsfeature extension); upstream connectors
 // silently ignore the field.
 func (a *IssuerConnectorAdapter) IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int, mustStaple bool) (*IssuanceResult, error) {
 	result, err := a.connector.IssueCertificate(ctx, issuer.IssuanceRequest{
 		CommonName:    commonName,
 		SANs:          sans,
 		CSRPEM:        csrPEM,
 		EKUs:          ekus,
 		MaxTTLSeconds: maxTTLSeconds,
 		MustStaple:    mustStaple,
 	})
 	if err != nil {
 		return nil, err
@@ -42,13 +48,14 @@ func (a *IssuerConnectorAdapter) IssueCertificate(ctx context.Context, commonNam
 // RenewCertificate delegates to the underlying connector's RenewCertificate method,
 // translating between service-layer and connector-layer types.
-func (a *IssuerConnectorAdapter) RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int) (*IssuanceResult, error) {
+func (a *IssuerConnectorAdapter) RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int, mustStaple bool) (*IssuanceResult, error) {
 	result, err := a.connector.RenewCertificate(ctx, issuer.RenewalRequest{
 		CommonName:    commonName,
 		SANs:          sans,
 		CSRPEM:        csrPEM,
 		EKUs:          ekus,
 		MaxTTLSeconds: maxTTLSeconds,
 		MustStaple:    mustStaple,
 	})
 	if err != nil {
 		return nil, err
@@ -13,19 +13,19 @@ import (
 // mockConnectorLayerIssuer is a test implementation of issuer.Connector
 type mockConnectorLayerIssuer struct {
-	issueResult        *issuer.IssuanceResult
+	issueResult       *issuer.IssuanceResult
-	issueErr           error
+	issueErr          error
-	renewResult        *issuer.IssuanceResult
+	renewResult       *issuer.IssuanceResult
-	renewErr           error
+	renewErr          error
-	lastIssueReq       *issuer.IssuanceRequest
+	lastIssueReq      *issuer.IssuanceRequest
-	lastRenewReq       *issuer.RenewalRequest
+	lastRenewReq      *issuer.RenewalRequest
-	validateErr        error
+	validateErr       error
-	revokeErr          error
+	revokeErr         error
-	orderStatusErr     error
+	orderStatusErr    error
-	orderStatus        *issuer.OrderStatus
+	orderStatus       *issuer.OrderStatus
-	renewalInfoResult  *issuer.RenewalInfoResult
+	renewalInfoResult *issuer.RenewalInfoResult
-	renewalInfoErr     error
+	renewalInfoErr    error
-	renewalInfoNil     bool // flag to force nil result
+	renewalInfoNil    bool // flag to force nil result
 }
 func (m *mockConnectorLayerIssuer) ValidateConfig(ctx context.Context, config json.RawMessage) error {
@@ -140,7 +140,7 @@ func TestIssuerConnectorAdapter_IssueCertificate_Success(t *testing.T) {
 	adapter := NewIssuerConnectorAdapter(mock)
-	result, err := adapter.IssueCertificate(ctx, "example.com", []string{"www.example.com"}, "-----BEGIN CERTIFICATE REQUEST-----\nCSR\n-----END CERTIFICATE REQUEST-----", nil, 0)
+	result, err := adapter.IssueCertificate(ctx, "example.com", []string{"www.example.com"}, "-----BEGIN CERTIFICATE REQUEST-----\nCSR\n-----END CERTIFICATE REQUEST-----", nil, 0, false)
 	if err != nil {
 		t.Fatalf("IssueCertificate failed: %v", err)
@@ -177,7 +177,7 @@ func TestIssuerConnectorAdapter_IssueCertificate_Error(t *testing.T) {
 	adapter := NewIssuerConnectorAdapter(mock)
-	result, err := adapter.IssueCertificate(ctx, "example.com", []string{}, "csr", nil, 0)
+	result, err := adapter.IssueCertificate(ctx, "example.com", []string{}, "csr", nil, 0, false)
 	if err == nil {
 		t.Fatal("expected error, got nil")
@@ -211,7 +211,7 @@ func TestIssuerConnectorAdapter_IssueCertificate_RequestTranslation(t *testing.T
 	sans := []string{"www.test.example.com", "api.test.example.com"}
 	csrPEM := "-----BEGIN CERTIFICATE REQUEST-----\nCSR\n-----END CERTIFICATE REQUEST-----"
-	_, err := adapter.IssueCertificate(ctx, commonName, sans, csrPEM, nil, 0)
+	_, err := adapter.IssueCertificate(ctx, commonName, sans, csrPEM, nil, 0, false)
 	if err != nil {
 		t.Fatalf("IssueCertificate failed: %v", err)
@@ -261,7 +261,7 @@ func TestIssuerConnectorAdapter_RenewCertificate_Success(t *testing.T) {
 	adapter := NewIssuerConnectorAdapter(mock)
-	result, err := adapter.RenewCertificate(ctx, "example.com", []string{"www.example.com"}, "-----BEGIN CERTIFICATE REQUEST-----\nCSR\n-----END CERTIFICATE REQUEST-----", nil, 0)
+	result, err := adapter.RenewCertificate(ctx, "example.com", []string{"www.example.com"}, "-----BEGIN CERTIFICATE REQUEST-----\nCSR\n-----END CERTIFICATE REQUEST-----", nil, 0, false)
 	if err != nil {
 		t.Fatalf("RenewCertificate failed: %v", err)
@@ -298,7 +298,7 @@ func TestIssuerConnectorAdapter_RenewCertificate_Error(t *testing.T) {
 	adapter := NewIssuerConnectorAdapter(mock)
-	result, err := adapter.RenewCertificate(ctx, "example.com", []string{}, "csr", nil, 0)
+	result, err := adapter.RenewCertificate(ctx, "example.com", []string{}, "csr", nil, 0, false)
 	if err == nil {
 		t.Fatal("expected error, got nil")
@@ -332,7 +332,7 @@ func TestIssuerConnectorAdapter_RenewCertificate_RequestTranslation(t *testing.T
 	sans := []string{"www.renew.example.com"}
 	csrPEM := "-----BEGIN CERTIFICATE REQUEST-----\nRENEW-CSR\n-----END CERTIFICATE REQUEST-----"
-	_, err := adapter.RenewCertificate(ctx, commonName, sans, csrPEM, nil, 0)
+	_, err := adapter.RenewCertificate(ctx, commonName, sans, csrPEM, nil, 0, false)
 	if err != nil {
 		t.Fatalf("RenewCertificate failed: %v", err)
@@ -213,7 +213,7 @@ func TestIssuerConnectorAdapter_IssueCertificate_MaxTTLForwarded(t *testing.T) {
 	mock := &mockConnectorLayerIssuer{}
 	adapter := NewIssuerConnectorAdapter(mock)
-	_, err := adapter.IssueCertificate(context.Background(), "test.example.com", nil, "csr", nil, 7200)
+	_, err := adapter.IssueCertificate(context.Background(), "test.example.com", nil, "csr", nil, 7200, false)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -230,7 +230,7 @@ func TestIssuerConnectorAdapter_RenewCertificate_MaxTTLForwarded(t *testing.T) {
 	mock := &mockConnectorLayerIssuer{}
 	adapter := NewIssuerConnectorAdapter(mock)
-	_, err := adapter.RenewCertificate(context.Background(), "renew.example.com", nil, "csr", nil, 14400)
+	_, err := adapter.RenewCertificate(context.Background(), "renew.example.com", nil, "csr", nil, 14400, false)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -247,7 +247,7 @@ func TestIssuerConnectorAdapter_IssueCertificate_ZeroMaxTTL(t *testing.T) {
 	mock := &mockConnectorLayerIssuer{}
 	adapter := NewIssuerConnectorAdapter(mock)
-	_, err := adapter.IssueCertificate(context.Background(), "test.example.com", nil, "csr", nil, 0)
+	_, err := adapter.IssueCertificate(context.Background(), "test.example.com", nil, "csr", nil, 0, false)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -366,11 +366,16 @@ func TestSCEPService_NoProfileRepo_PassesThrough(t *testing.T) {
 type capturingIssuerConnector struct {
 	lastMaxTTLSeconds int
 	lastEKUs          []string
 	// SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up: capture
 	// must-staple too so the integration test can prove the wire reaches
 	// the connector for both PKCSReq and renewal paths.
 	lastMustStaple bool
 }
-func (c *capturingIssuerConnector) IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int) (*IssuanceResult, error) {
+func (c *capturingIssuerConnector) IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int, mustStaple bool) (*IssuanceResult, error) {
 	c.lastMaxTTLSeconds = maxTTLSeconds
 	c.lastEKUs = ekus
 	c.lastMustStaple = mustStaple
 	now := time.Now()
 	return &IssuanceResult{
 		Serial:    "test-serial",
@@ -381,8 +386,8 @@ func (c *capturingIssuerConnector) IssueCertificate(ctx context.Context, commonN
 	}, nil
 }
-func (c *capturingIssuerConnector) RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int) (*IssuanceResult, error) {
+func (c *capturingIssuerConnector) RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int, mustStaple bool) (*IssuanceResult, error) {
-	return c.IssueCertificate(ctx, commonName, sans, csrPEM, ekus, maxTTLSeconds)
+	return c.IssueCertificate(ctx, commonName, sans, csrPEM, ekus, maxTTLSeconds, mustStaple)
 }
 func (c *capturingIssuerConnector) RevokeCertificate(ctx context.Context, serial string, reason string) error {
@@ -43,11 +43,18 @@ func (s *RenewalService) SetTargetRepo(repo repository.TargetRepository) {
 // inversion. Use IssuerConnectorAdapter to bridge between the two.
 type IssuerConnector interface {
 	// IssueCertificate issues a new certificate using the provided CSR PEM.
-	// maxTTLSeconds caps the certificate validity period (0 = no cap, use issuer default).
+	// maxTTLSeconds caps the certificate validity period (0 = no cap, use
-	IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int) (*IssuanceResult, error)
+	// issuer default). mustStaple, when true, instructs the issuer to add
 	// the RFC 7633 id-pe-tlsfeature extension to the issued cert (only the
 	// local issuer honors this; upstream connectors silently ignore it).
 	// SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up.
 	IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int, mustStaple bool) (*IssuanceResult, error)
 	// RenewCertificate renews a certificate using the provided CSR PEM.
-	// maxTTLSeconds caps the certificate validity period (0 = no cap, use issuer default).
+	// maxTTLSeconds caps the certificate validity period (0 = no cap, use
-	RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int) (*IssuanceResult, error)
+	// issuer default). mustStaple has the same semantics as on
 	// IssueCertificate so renewed certs match their initial-issuance
 	// extension set when the bound profile changed mid-lifetime.
 	RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int, mustStaple bool) (*IssuanceResult, error)
 	// RevokeCertificate revokes a certificate by serial number with an optional reason.
 	RevokeCertificate(ctx context.Context, serial string, reason string) error
 	// GenerateCRL generates a DER-encoded X.509 CRL from the given revocation entries.
@@ -446,18 +453,25 @@ func (s *RenewalService) processRenewalServerKeygen(ctx context.Context, job *do
 		Bytes: x509.MarshalPKCS1PrivateKey(privKey),
 	}))
-	// Resolve EKUs and MaxTTL from the certificate profile
+	// Resolve EKUs + MaxTTL + must-staple from the certificate profile.
-	var ekus []string
+	// SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up: thread
-	var maxTTLSeconds int
+	// must-staple through the renewal path too so renewed certs match
 	// their initial-issuance extension set.
 	var (
 		ekus          []string
 		maxTTLSeconds int
 		mustStaple    bool
 	)
 	if cert.CertificateProfileID != "" && s.profileRepo != nil {
 		if profile, profileErr := s.profileRepo.Get(ctx, cert.CertificateProfileID); profileErr == nil && profile != nil {
 			ekus = profile.AllowedEKUs
 			maxTTLSeconds = profile.MaxTTLSeconds
 			mustStaple = profile.MustStaple
 		}
 	}
 	// Call issuer connector to renew
-	result, err := connector.RenewCertificate(ctx, cert.CommonName, cert.SANs, csrPEM, ekus, maxTTLSeconds)
+	result, err := connector.RenewCertificate(ctx, cert.CommonName, cert.SANs, csrPEM, ekus, maxTTLSeconds, mustStaple)
 	if err != nil {
 		s.failJob(ctx, job, fmt.Sprintf("issuer renewal failed: %v", err))
 		if notifErr := s.notificationSvc.SendRenewalNotification(ctx, cert, false, err); notifErr != nil {
@@ -564,18 +578,23 @@ func (s *RenewalService) CompleteAgentCSRRenewal(ctx context.Context, job *domai
 		return fmt.Errorf("failed to update job status: %w", err)
 	}
-	// Resolve EKUs and MaxTTL from the certificate profile (for S/MIME, email certs, etc.)
+	// Resolve EKUs + MaxTTL + must-staple from the certificate profile.
-	var ekus []string
+	// SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up.
-	var maxTTLSeconds int
+	var (
 		ekus          []string
 		maxTTLSeconds int
 		mustStaple    bool
 	)
 	if profile != nil {
 		if len(profile.AllowedEKUs) > 0 {
 			ekus = profile.AllowedEKUs
 		}
 		maxTTLSeconds = profile.MaxTTLSeconds
 		mustStaple = profile.MustStaple
 	}
 	// Sign the agent-submitted CSR via issuer
-	result, err := connector.RenewCertificate(ctx, cert.CommonName, cert.SANs, csrPEM, ekus, maxTTLSeconds)
+	result, err := connector.RenewCertificate(ctx, cert.CommonName, cert.SANs, csrPEM, ekus, maxTTLSeconds, mustStaple)
 	if err != nil {
 		s.failJob(ctx, job, fmt.Sprintf("issuer signing failed: %v", err))
 		if notifErr := s.notificationSvc.SendRenewalNotification(ctx, cert, false, err); notifErr != nil {
@@ -5,17 +5,32 @@ import (
 	"crypto/subtle"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"log/slog"
 	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
 	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/repository"
 	"github.com/shankar0123/certctl/internal/scep/intune"
 )
 // SCEPService implements the SCEP (RFC 8894) enrollment protocol.
 // It delegates certificate operations to an existing IssuerConnector and records
 // enrollment events in the audit trail.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 8.3 + 8.4 + 8.7: per-profile
 // Intune dynamic-challenge dispatcher (intuneEnabled+intuneTrust+...);
 // audit action `scep_pkcsreq_intune` flows through the existing
 // auditService; per-device rate limit + nil-default compliance hook seam.
 //
 // Lifecycle: a service instance per SCEP profile (Phase 1.5). The Intune
 // fields are populated only on profiles where INTUNE_ENABLED=true; on the
 // rest they're nil/empty and looksIntuneShaped short-circuits to the
 // existing static-challenge path.
 type SCEPService struct {
 	issuer            IssuerConnector
 	issuerID          string
@@ -24,6 +39,499 @@ type SCEPService struct {
 	profileID         string // optional: constrain enrollments to a specific profile
 	profileRepo       repository.CertificateProfileRepository
 	challengePassword string // shared secret for enrollment authentication
 	// Intune dispatcher state (Phase 8.3+8.6+8.7). All nil/zero when this
 	// profile has INTUNE_ENABLED=false; all populated when true. The
 	// dispatcher in PKCSReq + PKCSReqWithEnvelope + RenewalReqWithEnvelope
 	// gates on intuneEnabled before consulting any of these.
 	intuneEnabled     bool
 	intuneTrust       *intune.TrustAnchorHolder // SIGHUP-reloadable trust pool
 	intuneAudience    string                    // expected "aud" claim; empty disables the check
 	intuneValidity    time.Duration             // optional override on top of the challenge's exp
 	intuneReplayCache *intune.ReplayCache       // nonce-keyed; catches duplicate submission
 	intuneRateLimiter *intune.PerDeviceRateLimiter
 	complianceCheck   ComplianceCheck   // V3-Pro plug-in seam; nil-default no-op
 	intuneCounters    *intuneCounterTab // per-status atomic counters for the admin endpoint
 	pathID            string            // SCEP profile path ID; surfaced by admin endpoints
 }
 // intuneCounterTab is the in-memory equivalent of the
 // `certctl_scep_intune_enrollments_total{status="..."}` metric the
 // master prompt's Phase 8.4 mentions. We don't take a Prometheus
 // dependency here (the project doesn't currently expose /metrics; that's
 // a separate decision); operators who want scraping can wrap these with
 // a prom.Collector later. For Phase 9 the in-memory counters drive the
 // admin GUI's "Intune Monitoring" tab via GET /api/v1/admin/scep/intune/stats.
 //
 // Concurrency: every field is read/written via sync/atomic so the
 // dispatcher's hot path stays lock-free.
 type intuneCounterTab struct {
 	success         atomic.Uint64
 	signatureFailed atomic.Uint64
 	expired         atomic.Uint64
 	notYetValid     atomic.Uint64
 	wrongAudience   atomic.Uint64
 	replay          atomic.Uint64
 	unknownVersion  atomic.Uint64
 	malformed       atomic.Uint64
 	rateLimited     atomic.Uint64
 	claimMismatch   atomic.Uint64
 	complianceErr   atomic.Uint64
 }
 // snapshot returns a zero-allocation copy of the current counter values
 // keyed by the same status labels intuneFailReason emits.
 func (c *intuneCounterTab) snapshot() map[string]uint64 {
 	if c == nil {
 		return map[string]uint64{}
 	}
 	return map[string]uint64{
 		"success":           c.success.Load(),
 		"signature_invalid": c.signatureFailed.Load(),
 		"expired":           c.expired.Load(),
 		"not_yet_valid":     c.notYetValid.Load(),
 		"wrong_audience":    c.wrongAudience.Load(),
 		"replay":            c.replay.Load(),
 		"unknown_version":   c.unknownVersion.Load(),
 		"malformed":         c.malformed.Load(),
 		"rate_limited":      c.rateLimited.Load(),
 		"claim_mismatch":    c.claimMismatch.Load(),
 		"compliance_failed": c.complianceErr.Load(),
 	}
 }
 // inc advances the counter that matches the given fail-reason label
 // (must be one of the strings intuneFailReason returns). Unknown labels
 // fall through to "malformed" so an enum drift doesn't silently lose
 // counts.
 func (c *intuneCounterTab) inc(label string) {
 	if c == nil {
 		return
 	}
 	switch label {
 	case "success":
 		c.success.Add(1)
 	case "signature_invalid":
 		c.signatureFailed.Add(1)
 	case "expired":
 		c.expired.Add(1)
 	case "not_yet_valid":
 		c.notYetValid.Add(1)
 	case "wrong_audience":
 		c.wrongAudience.Add(1)
 	case "replay":
 		c.replay.Add(1)
 	case "unknown_version":
 		c.unknownVersion.Add(1)
 	case "rate_limited":
 		c.rateLimited.Add(1)
 	case "claim_mismatch":
 		c.claimMismatch.Add(1)
 	case "compliance_failed":
 		c.complianceErr.Add(1)
 	default:
 		c.malformed.Add(1)
 	}
 }
 // IntuneTrustAnchorInfo is the per-cert public summary of one trust
 // anchor in the holder's pool. Matches the shape the admin endpoint
 // returns to the GUI.
 type IntuneTrustAnchorInfo struct {
 	Subject      string    `json:"subject"`
 	NotBefore    time.Time `json:"not_before"`
 	NotAfter     time.Time `json:"not_after"`
 	DaysToExpiry int       `json:"days_to_expiry"`
 	Expired      bool      `json:"expired"`
 }
 // IntuneStatsSnapshot is the per-profile observability view the admin
 // GET endpoint hands back. SCEPService.IntuneStats() builds one of
 // these on demand under no contention with the dispatcher hot path.
 type IntuneStatsSnapshot struct {
 	PathID            string                  `json:"path_id"`
 	IssuerID          string                  `json:"issuer_id"`
 	Enabled           bool                    `json:"enabled"`
 	TrustAnchorPath   string                  `json:"trust_anchor_path,omitempty"`
 	TrustAnchors      []IntuneTrustAnchorInfo `json:"trust_anchors,omitempty"`
 	Audience          string                  `json:"audience,omitempty"`
 	ChallengeValidity time.Duration           `json:"challenge_validity_ns,omitempty"`
 	RateLimitDisabled bool                    `json:"rate_limit_disabled"`
 	ReplayCacheSize   int                     `json:"replay_cache_size"`
 	Counters          map[string]uint64       `json:"counters"`
 	GeneratedAt       time.Time               `json:"generated_at"`
 }
 // SetPathID records the SCEP profile path ID this service instance
 // serves. Admin endpoints surface the PathID per row so operators can
 // triage which profile a stat or failure belongs to. Empty PathID maps
 // to the legacy `/scep` root.
 func (s *SCEPService) SetPathID(pathID string) { s.pathID = pathID }
 // PathID returns the SCEP profile path ID this service serves. Empty
 // for the legacy `/scep` root.
 func (s *SCEPService) PathID() string { return s.pathID }
 // IssuerID returns the issuer this service binds to. Useful for the
 // admin endpoint's per-profile rendering.
 func (s *SCEPService) IssuerID() string { return s.issuerID }
 // IntuneStats returns the per-profile observability snapshot. Safe for
 // concurrent callers; the snapshot is taken under no contention with
 // the dispatcher hot path. Returns a zero-value snapshot with
 // Enabled=false on profiles that never called SetIntuneIntegration.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 9.1.
 func (s *SCEPService) IntuneStats(now time.Time) IntuneStatsSnapshot {
 	out := IntuneStatsSnapshot{
 		PathID:      s.pathID,
 		IssuerID:    s.issuerID,
 		Enabled:     s.intuneEnabled,
 		Counters:    s.intuneCounters.snapshot(),
 		GeneratedAt: now.UTC(),
 	}
 	if !s.intuneEnabled {
 		return out
 	}
 	out.Audience = s.intuneAudience
 	out.ChallengeValidity = s.intuneValidity
 	if s.intuneRateLimiter != nil {
 		out.RateLimitDisabled = s.intuneRateLimiter.Disabled()
 	}
 	if s.intuneReplayCache != nil {
 		out.ReplayCacheSize = s.intuneReplayCache.Len()
 	}
 	if s.intuneTrust != nil {
 		out.TrustAnchorPath = s.intuneTrust.Path()
 		certs := s.intuneTrust.Get()
 		out.TrustAnchors = make([]IntuneTrustAnchorInfo, 0, len(certs))
 		for _, c := range certs {
 			info := IntuneTrustAnchorInfo{
 				Subject:   c.Subject.CommonName,
 				NotBefore: c.NotBefore,
 				NotAfter:  c.NotAfter,
 				Expired:   now.After(c.NotAfter),
 			}
 			if !info.Expired {
 				info.DaysToExpiry = int(c.NotAfter.Sub(now).Hours() / 24)
 			}
 			out.TrustAnchors = append(out.TrustAnchors, info)
 		}
 	}
 	return out
 }
 // ReloadIntuneTrust triggers the same Reload the SIGHUP watcher would
 // run. Returns the parse error if the new file is invalid; the OLD
 // pool stays in place (TrustAnchorHolder.Reload's documented
 // fail-safe). Returns a typed error when this profile has Intune
 // disabled so the admin endpoint can surface a 400 / 409.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 9.2.
 func (s *SCEPService) ReloadIntuneTrust() error {
 	if !s.intuneEnabled || s.intuneTrust == nil {
 		return ErrSCEPProfileIntuneDisabled
 	}
 	return s.intuneTrust.Reload()
 }
 // ErrSCEPProfileIntuneDisabled is returned by ReloadIntuneTrust when
 // invoked on a profile that has Intune turned off. Lets the admin
 // handler distinguish "operator targeted the wrong profile" (HTTP 409)
 // from "trust anchor file is broken" (HTTP 500 + the underlying
 // parse-error string).
 var ErrSCEPProfileIntuneDisabled = errors.New("scep profile: intune dispatcher not enabled")
 // the once + mu fields keep IntuneStats accessor lookup-stable in case
 // future refactors add background mutators of intuneCounters; both are
 // currently unused by the runtime path.
 var _ = sync.Once{}
 // ComplianceCheck is the optional gate that pings Intune's compliance API
 // (or any custom policy backend) to confirm the device is in good standing
 // before issuing a cert. When nil (the V2-free default), the gate is a
 // no-op and enrollments proceed solely on challenge validation +
 // claim-binding + replay + per-device rate limit.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 8.7 — V3-Pro plug-in seam.
 //
 // V3-Pro plugs in here via a new module that calls Microsoft Graph's
 // /deviceManagement/managedDevices/{id}/compliancePolicyStates endpoint
 // (or equivalent), wires SetComplianceCheck on the service, and
 // short-circuits non-compliant device enrollments with a SCEP CertRep
 // FAILURE/badRequest plus a compliance_failed audit event + metric.
 //
 // Return contract:
 //
 //   - compliant=true,  err=nil   → proceed with enrollment.
 //   - compliant=false, err=nil   → CertRep FAILURE + compliance_failed metric;
 //     the reason string flows into the audit event for ops triage.
 //   - compliant=*,     err!=nil  → fail-safe (deny) by default; the V3-Pro
 //     module is responsible for a more nuanced "permit on API failure"
 //     mode if its policy demands one.
 //
 // Leaving the hook here means the V3-Pro work is plug-in code, not a
 // dispatcher refactor. The cost today is one struct field + one setter +
 // one nil-guarded call site. Zero behavior change in V2.
 type ComplianceCheck func(ctx context.Context, claim *intune.ChallengeClaim) (compliant bool, reason string, err error)
 // SetComplianceCheck installs the V3-Pro compliance gate. Idempotent;
 // passing nil re-disables the gate (useful for tests + the rare case where
 // V3-Pro plugin code wants to drop the gate at runtime). Safe to call
 // before or after the service starts serving requests.
 func (s *SCEPService) SetComplianceCheck(fn ComplianceCheck) { s.complianceCheck = fn }
 // SetIntuneIntegration wires the per-profile Intune dispatcher onto the
 // service. Pass enabled=false (with nil/zero values for the rest) to
 // explicitly opt this profile out of Intune mode; pass enabled=true with
 // a populated trust holder + replay cache + rate limiter to opt in. The
 // audience is allowed to be empty (the validator's audience check then
 // becomes a no-op, useful for proxy/load-balancer scenarios where the URL
 // the Connector saw differs from the URL we see).
 //
 // Constructor-time injection (rather than NewSCEPService extra params)
 // keeps the surface stable for the existing callers + lets the wire-in
 // at cmd/server/main.go construct the holder + cache + limiter once and
 // share them across profiles cleanly. Profiles where INTUNE_ENABLED=false
 // simply never call this method.
 func (s *SCEPService) SetIntuneIntegration(
 	trust *intune.TrustAnchorHolder,
 	audience string,
 	validity time.Duration,
 	replayCache *intune.ReplayCache,
 	rateLimiter *intune.PerDeviceRateLimiter,
 ) {
 	s.intuneEnabled = true
 	s.intuneTrust = trust
 	s.intuneAudience = audience
 	s.intuneValidity = validity
 	s.intuneReplayCache = replayCache
 	s.intuneRateLimiter = rateLimiter
 	if s.intuneCounters == nil {
 		s.intuneCounters = &intuneCounterTab{}
 	}
 }
 // IntuneEnabled reports whether this service instance is wired for Intune
 // dynamic-challenge dispatch. Useful for handler-layer gating + admin
 // endpoints (Phase 9 GUI surface). Always returns false on profiles where
 // SetIntuneIntegration was never called.
 func (s *SCEPService) IntuneEnabled() bool { return s.intuneEnabled }
 // looksIntuneShaped is the fast pre-check that distinguishes an
 // Intune-format challenge from a static challenge password. Intune
 // challenges are JWT-like (three base64url segments separated by dots,
 // total length > 200 bytes for any reasonable claim payload). Static
 // challenges are typically ≤ 64 bytes ASCII.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 8.3.
 //
 // The heuristic is allowed to false-positive (the validator catches
 // malformed input → ErrChallengeMalformed), but it MUST NOT false-negative
 // on real Intune challenges — that would route an Intune challenge to the
 // constant-time static compare and reject every enrollment. Hence the
 // generous length threshold (real Intune challenges are typically
 // >800 bytes; the 200 floor is well below the smallest plausible v1
 // payload + signature).
 func looksIntuneShaped(s string) bool {
 	if len(s) <= 200 {
 		return false
 	}
 	return strings.Count(s, ".") == 2
 }
 // intuneFailReason maps a typed Intune error to the metric label used in
 // `certctl_scep_intune_enrollments_total{status="..."}`. Defaults to
 // "malformed" so a previously-unseen error category still surfaces in
 // the metric (with a follow-up to add a typed branch here).
 func intuneFailReason(err error) string {
 	switch {
 	case err == nil:
 		return "success"
 	case errors.Is(err, intune.ErrChallengeSignature):
 		return "signature_invalid"
 	case errors.Is(err, intune.ErrChallengeExpired):
 		return "expired"
 	case errors.Is(err, intune.ErrChallengeNotYetValid):
 		return "not_yet_valid"
 	case errors.Is(err, intune.ErrChallengeWrongAudience):
 		return "wrong_audience"
 	case errors.Is(err, intune.ErrChallengeReplay):
 		return "replay"
 	case errors.Is(err, intune.ErrChallengeUnknownVersion):
 		return "unknown_version"
 	case errors.Is(err, intune.ErrChallengeMalformed):
 		return "malformed"
 	case errors.Is(err, intune.ErrRateLimited):
 		return "rate_limited"
 	case errors.Is(err, intune.ErrClaimCNMismatch),
 		errors.Is(err, intune.ErrClaimSANDNSMismatch),
 		errors.Is(err, intune.ErrClaimSANRFC822Mismatch),
 		errors.Is(err, intune.ErrClaimSANUPNMismatch):
 		return "claim_mismatch"
 	default:
 		return "malformed"
 	}
 }
 // intuneEnrollOutcome is the envelope the dispatcher hands back to its two
 // callers (PKCSReq's MVP path + PKCSReqWithEnvelope/RenewalReqWithEnvelope's
 // RFC 8894 path). It carries enough to short-circuit OR continue to the
 // existing processEnrollment flow:
 //
 //   - decided=false → not Intune-shaped (or Intune disabled); fall through
 //     to the static-challenge path.
 //   - decided=true, err=nil → Intune validation passed; the caller MUST
 //     call processEnrollment with auditAction="scep_pkcsreq_intune".
 //   - decided=true, err!=nil → Intune validation failed; the caller MUST
 //     short-circuit with the typed error (handler maps to FailInfo).
 type intuneEnrollOutcome struct {
 	decided bool
 	claim   *intune.ChallengeClaim
 	err     error
 }
 // dispatchIntuneChallenge runs the full Intune validation pipeline for a
 // single PKCSReq invocation: shape check → ValidateChallenge → DeviceMatchesCSR
 // → replay-cache CheckAndInsert → per-device rate limit → optional
 // compliance check. Each failure leg increments the appropriate metric
 // label + emits an audit-friendly Warn log line. Returns an outcome that
 // tells the caller whether to short-circuit or continue to enrollment.
 //
 // Splitting the dispatcher out of PKCSReq* keeps the three call sites
 // (PKCSReq, PKCSReqWithEnvelope, RenewalReqWithEnvelope) consistent — every
 // path through the Intune mode runs through the same gate sequence so an
 // operator gets the same audit shape regardless of which SCEP message
 // type the device sent.
 //
 // Phase 9.1: every typed return path also bumps the per-status atomic
 // counter on s.intuneCounters so the admin GUI's stats endpoint reflects
 // real enrollment traffic. The success path bumps "success" once when
 // the outer caller invokes processEnrollment — see PKCSReq below.
 func (s *SCEPService) dispatchIntuneChallenge(ctx context.Context, csrPEM string, challengePassword string, transactionID string) intuneEnrollOutcome {
 	if !s.intuneEnabled || !looksIntuneShaped(challengePassword) {
 		return intuneEnrollOutcome{decided: false}
 	}
 	if s.intuneTrust == nil {
 		// Defensive: enabled bit was flipped without wiring the trust
 		// holder. Treat as a hard failure so the operator sees it
 		// instead of silently falling through to the static path.
 		s.logger.Error("SCEP enrollment rejected: Intune mode enabled but no trust anchor holder wired",
 			"transaction_id", transactionID)
 		s.intuneCounters.inc("signature_invalid")
 		return intuneEnrollOutcome{decided: true, err: intune.ErrChallengeSignature}
 	}
 	now := time.Now()
 	trust := s.intuneTrust.Get()
 	claim, err := intune.ValidateChallenge(challengePassword, trust, s.intuneAudience, now)
 	if err != nil {
 		s.logger.Warn("SCEP enrollment rejected: Intune challenge validation failed",
 			"transaction_id", transactionID, "reason", intuneFailReason(err), "error", err)
 		s.intuneCounters.inc(intuneFailReason(err))
 		return intuneEnrollOutcome{decided: true, err: err}
 	}
 	// Defense-in-depth validity cap on top of the challenge's own iat/exp.
 	// When intuneValidity is non-zero, the challenge's iat must be within
 	// (now - intuneValidity, now]; an old-but-not-yet-expired challenge
 	// (per the Connector's exp claim) gets rejected here.
 	if s.intuneValidity > 0 && !claim.IssuedAt.IsZero() && now.Sub(claim.IssuedAt) > s.intuneValidity {
 		err := fmt.Errorf("%w: iat=%s exceeds operator-configured validity cap %s",
 			intune.ErrChallengeExpired, claim.IssuedAt.Format(time.RFC3339), s.intuneValidity)
 		s.logger.Warn("SCEP enrollment rejected: Intune challenge older than operator validity cap",
 			"transaction_id", transactionID, "error", err)
 		s.intuneCounters.inc("expired")
 		return intuneEnrollOutcome{decided: true, err: err}
 	}
 	// Bind claim ↔ CSR before consuming the replay-cache slot. If the CSR
 	// doesn't match the claim, we don't want to mark the nonce as seen
 	// (the next legitimate retry should still work).
 	csr, perr := parseCSRForIntune(csrPEM)
 	if perr != nil {
 		s.logger.Warn("SCEP enrollment rejected: CSR parse failed during Intune dispatch",
 			"transaction_id", transactionID, "error", perr)
 		// CSR parse failure surfaces as a "malformed" intune metric label
 		// (the wrapping helps the audit log distinguish it from a
 		// challenge-malformed failure).
 		s.intuneCounters.inc("malformed")
 		return intuneEnrollOutcome{decided: true, err: fmt.Errorf("%w: CSR parse: %v", intune.ErrChallengeMalformed, perr)}
 	}
 	if mErr := claim.DeviceMatchesCSR(csr); mErr != nil {
 		s.logger.Warn("SCEP enrollment rejected: Intune claim does not match CSR",
 			"transaction_id", transactionID, "error", mErr)
 		s.intuneCounters.inc("claim_mismatch")
 		return intuneEnrollOutcome{decided: true, err: mErr}
 	}
 	// Replay protection — runs AFTER claim validation + CSR binding so a
 	// failed validation doesn't burn a replay slot on a legitimate retry.
 	if s.intuneReplayCache != nil && claim.Nonce != "" {
 		if !s.intuneReplayCache.CheckAndInsert(claim.Nonce, now) {
 			err := fmt.Errorf("%w: nonce=%q", intune.ErrChallengeReplay, claim.Nonce)
 			s.logger.Warn("SCEP enrollment rejected: Intune challenge nonce replay",
 				"transaction_id", transactionID, "subject", claim.Subject)
 			s.intuneCounters.inc("replay")
 			return intuneEnrollOutcome{decided: true, err: err}
 		}
 	}
 	// Per-device rate limit — second line of defense against a compromised
 	// Connector signing key issuing many DIFFERENT valid challenges for
 	// the same device.
 	if s.intuneRateLimiter != nil {
 		if rlErr := s.intuneRateLimiter.Allow(claim.Subject, claim.Issuer, now); rlErr != nil {
 			s.logger.Warn("SCEP enrollment rejected: Intune per-device rate limit exceeded",
 				"transaction_id", transactionID, "subject", claim.Subject, "issuer", claim.Issuer)
 			s.intuneCounters.inc("rate_limited")
 			return intuneEnrollOutcome{decided: true, err: rlErr}
 		}
 	}
 	// Optional V3-Pro compliance hook (nil-default no-op in V2). Runs LAST
 	// so we don't ping the compliance API for requests we'd reject anyway.
 	if s.complianceCheck != nil {
 		compliant, reason, cerr := s.complianceCheck(ctx, claim)
 		if cerr != nil {
 			s.logger.Error("Intune compliance check returned error; failing closed",
 				"transaction_id", transactionID, "subject", claim.Subject, "error", cerr)
 			s.intuneCounters.inc("compliance_failed")
 			return intuneEnrollOutcome{decided: true, err: fmt.Errorf("intune compliance check: %w", cerr)}
 		}
 		if !compliant {
 			s.logger.Warn("SCEP enrollment rejected: device non-compliant per Intune compliance check",
 				"transaction_id", transactionID, "subject", claim.Subject, "reason", reason)
 			s.intuneCounters.inc("compliance_failed")
 			return intuneEnrollOutcome{decided: true, err: fmt.Errorf("intune compliance: %s", reason)}
 		}
 	}
 	// Success leg — increment the success counter so the admin GUI's
 	// stats endpoint reflects every legitimate enrollment. The actual
 	// processEnrollment call is made by the caller (PKCSReq* /
 	// RenewalReqWithEnvelope); we credit success here so a downstream
 	// processEnrollment failure (issuer connector outage, etc.) doesn't
 	// double-count — that's a separate non-Intune metric.
 	s.intuneCounters.inc("success")
 	return intuneEnrollOutcome{decided: true, claim: claim}
 }
 // parseCSRForIntune is a thin wrapper around encoding/pem + x509 that the
 // dispatcher uses for the claim ↔ CSR binding check. Kept private + named
 // for grepability so a future refactor can swap the parse strategy without
 // touching the dispatcher.
 func parseCSRForIntune(csrPEM string) (*x509.CertificateRequest, error) {
 	block, _ := pem.Decode([]byte(csrPEM))
 	if block == nil {
 		return nil, fmt.Errorf("invalid CSR PEM")
 	}
 	csr, err := x509.ParseCertificateRequest(block.Bytes)
 	if err != nil {
 		return nil, fmt.Errorf("parse CSR: %w", err)
 	}
 	return csr, nil
 }
 // NewSCEPService creates a new SCEPService for the given issuer connector.
@@ -49,8 +557,16 @@ func (s *SCEPService) SetProfileRepo(repo repository.CertificateProfileRepositor
 // GetCACaps returns the capabilities of this SCEP server.
 // RFC 8894 Section 3.5.2: GetCACaps returns a list of capabilities, one per line.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 5.1: extended from the
 // initial value (POSTPKIOperation+SHA-256+AES+SCEPStandard) to additionally
 // advertise SHA-512 (now-implemented modern digest alternative) and Renewal
 // (the messageType-17 dispatch from Phase 4). ChromeOS specifically looks
 // for these capabilities to negotiate the strongest available cipher +
 // digest combo. Order is by historical convention; clients walk the list
 // linearly.
 func (s *SCEPService) GetCACaps(ctx context.Context) string {
-	return "POSTPKIOperation\nSHA-256\nAES\nSCEPStandard\n"
+	return "POSTPKIOperation\nSHA-256\nSHA-512\nAES\nSCEPStandard\nRenewal\n"
 }
 // GetCACert returns the PEM-encoded CA certificate chain for this SCEP server.
@@ -78,6 +594,19 @@ func (s *SCEPService) GetCACert(ctx context.Context) (string, error) {
 // non-empty branch now uses crypto/subtle.ConstantTimeCompare to avoid leaking
 // the shared secret through a response-time side channel.
 func (s *SCEPService) PKCSReq(ctx context.Context, csrPEM string, challengePassword string, transactionID string) (*domain.SCEPEnrollResult, error) {
 	// SCEP RFC 8894 + Intune master bundle Phase 8.3: try the Intune
 	// dispatcher first. When it returns decided=true the service has
 	// already made the call (success or typed failure); when decided=false
 	// we fall through to the existing static-challenge path. The
 	// dispatcher gates internally on intuneEnabled + looksIntuneShaped,
 	// so this is a free no-op for profiles where Intune is disabled.
 	if outcome := s.dispatchIntuneChallenge(ctx, csrPEM, challengePassword, transactionID); outcome.decided {
 		if outcome.err != nil {
 			return nil, fmt.Errorf("intune challenge: %w", outcome.err)
 		}
 		return s.processEnrollment(ctx, csrPEM, transactionID, "scep_pkcsreq_intune")
 	}
 	// Defense-in-depth: refuse any enrollment when no shared secret is
 	// configured. The server-level pre-flight check in cmd/server/main.go
 	// normally prevents the service from being constructed in this state, but
@@ -164,15 +693,24 @@ func (s *SCEPService) processEnrollment(ctx context.Context, csrPEM string, tran
 		"transaction_id", transactionID,
 		"issuer", s.issuerID)
-	// Resolve MaxTTL from profile
+	// Resolve MaxTTL + must-staple from profile.
-	var maxTTLSeconds int
+	// SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up: thread
 	// profile.MustStaple through to the issuer so the local issuer can
 	// add the RFC 7633 id-pe-tlsfeature extension. Without this read the
 	// CertificateProfile.MustStaple field would be a stored-but-ignored
 	// "lying field" that operators set without behavior change.
 	var (
 		maxTTLSeconds int
 		mustStaple    bool
 	)
 	if profile != nil {
 		maxTTLSeconds = profile.MaxTTLSeconds
 		mustStaple = profile.MustStaple
 	}
 	// Issue the certificate via the configured issuer connector
 	// SCEP enrollments use profile EKUs if available, otherwise default (serverAuth + clientAuth fallback)
-	result, err := s.issuer.IssueCertificate(ctx, commonName, sans, csrPEM, ekus, maxTTLSeconds)
+	result, err := s.issuer.IssueCertificate(ctx, commonName, sans, csrPEM, ekus, maxTTLSeconds, mustStaple)
 	if err != nil {
 		s.logger.Error("SCEP enrollment failed",
 			"action", auditAction,
@@ -210,3 +748,314 @@ func (s *SCEPService) processEnrollment(ctx context.Context, csrPEM string, tran
 		ChainPEM: result.ChainPEM,
 	}, nil
 }
 // PKCSReqWithEnvelope processes a SCEP PKCSReq from the RFC 8894 path
 // (where the handler successfully parsed an EnvelopedData + signerInfo
 // instead of the MVP raw-CSR path).
 //
 // SCEP RFC 8894 + Intune master bundle Phase 2.4.
 //
 // Returns *SCEPResponseEnvelope (not error + *SCEPEnrollResult) because
 // RFC 8894 mandates a CertRep PKIMessage on every PKIOperation request,
 // even failure cases — the handler shouldn't have to translate Go errors
 // into SCEP failInfo codes; the service does that mapping.
 //
 // Service-side error → failInfo mapping (from the prompt's exact table):
 //
 //	Invalid challenge password    → caller returns HTTP 403, NOT a PKIMessage
 //	                                (RFC 8894 §3.3.1 silent on this; matches MVP precedent)
 //	CSR parse failure             → BadRequest (2)
 //	CSR signature invalid         → BadMessageCheck (1)
 //	Crypto policy violation       → BadAlg (0)
 //	Issuer connector failure      → BadRequest (2)
 //	Audit-log write failure       → log + continue with success (best-effort)
 //
 // The challenge-password failure case returns nil to signal "let the caller
 // translate to 403"; every other failure mode returns a populated envelope
 // with FailInfo set so the handler can build a CertRep with pkiStatus=2.
 func (s *SCEPService) PKCSReqWithEnvelope(ctx context.Context, csrPEM string, challengePassword string, envelope *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope {
 	resp := &domain.SCEPResponseEnvelope{
 		TransactionID:  envelope.TransactionID,
 		RecipientNonce: envelope.SenderNonce,
 	}
 	// SCEP RFC 8894 + Intune master bundle Phase 8.3: same dispatcher as
 	// PKCSReq, applied to the RFC 8894 path. The dispatcher runs AFTER the
 	// EnvelopedData decryption + POPO verification (handler-side, before
 	// the service is invoked) but BEFORE the static-challenge fallback. On
 	// Intune-validation failure the response envelope carries a typed
 	// FailInfo so the CertRep wire shape is preserved (RFC 8894 §3.3).
 	if outcome := s.dispatchIntuneChallenge(ctx, csrPEM, challengePassword, envelope.TransactionID); outcome.decided {
 		if outcome.err != nil {
 			resp.Status = domain.SCEPStatusFailure
 			resp.FailInfo = mapIntuneErrorToFailInfo(outcome.err)
 			return resp
 		}
 		result, err := s.processEnrollment(ctx, csrPEM, envelope.TransactionID, "scep_pkcsreq_intune")
 		if err != nil {
 			resp.Status = domain.SCEPStatusFailure
 			resp.FailInfo = mapServiceErrorToFailInfo(err)
 			return resp
 		}
 		resp.Status = domain.SCEPStatusSuccess
 		resp.Result = result
 		return resp
 	}
 	// Defense-in-depth: refuse any enrollment when no shared secret is
 	// configured. Mirrors PKCSReq's gate. Returning nil signals 'let the
 	// caller translate to HTTP 403' — the existing PKCSReq path returns
 	// an error string the handler matched on, but PKCSReqWithEnvelope
 	// returns *SCEPResponseEnvelope so we use a nil sentinel.
 	if s.challengePassword == "" {
 		s.logger.Warn("SCEP enrollment rejected: server has no challenge password configured (RFC 8894 path)",
 			"transaction_id", envelope.TransactionID)
 		return nil
 	}
 	if subtle.ConstantTimeCompare([]byte(challengePassword), []byte(s.challengePassword)) != 1 {
 		s.logger.Warn("SCEP enrollment rejected: invalid challenge password (RFC 8894 path)",
 			"transaction_id", envelope.TransactionID)
 		return nil
 	}
 	// Reuse the existing processEnrollment for the actual issuance work.
 	// Errors mapped to SCEP failInfo per the table above.
 	result, err := s.processEnrollment(ctx, csrPEM, envelope.TransactionID, "scep_pkcsreq")
 	if err != nil {
 		resp.Status = domain.SCEPStatusFailure
 		resp.FailInfo = mapServiceErrorToFailInfo(err)
 		return resp
 	}
 	resp.Status = domain.SCEPStatusSuccess
 	resp.Result = result
 	return resp
 }
 // mapIntuneErrorToFailInfo maps a typed Intune-validation error to the
 // SCEP failInfo code RFC 8894 §3.2.1.4.5 enumerates. Mapping rationale:
 //
 //   - Signature / replay / wrong-audience / expired / not-yet-valid →
 //     BadMessageCheck (the request didn't pass integrity / freshness
 //     checks; same wire shape as a tampered EnvelopedData).
 //   - Claim mismatches (CN / SAN-DNS / SAN-RFC822 / SAN-UPN) → BadRequest
 //     (the request was well-formed and signed but the asserted identity
 //     doesn't match what the device actually requested).
 //   - Rate-limited / unknown-version → BadRequest (no better wire-level
 //     code; the audit log carries the exact reason).
 //   - Malformed → BadRequest.
 //   - Compliance failure → BadRequest (V3-Pro can swap to a more
 //     specific code if it cares).
 func mapIntuneErrorToFailInfo(err error) domain.SCEPFailInfo {
 	if err == nil {
 		return domain.SCEPFailBadRequest
 	}
 	switch {
 	case errors.Is(err, intune.ErrChallengeSignature),
 		errors.Is(err, intune.ErrChallengeExpired),
 		errors.Is(err, intune.ErrChallengeNotYetValid),
 		errors.Is(err, intune.ErrChallengeWrongAudience),
 		errors.Is(err, intune.ErrChallengeReplay):
 		return domain.SCEPFailBadMessageCheck
 	case errors.Is(err, intune.ErrClaimCNMismatch),
 		errors.Is(err, intune.ErrClaimSANDNSMismatch),
 		errors.Is(err, intune.ErrClaimSANRFC822Mismatch),
 		errors.Is(err, intune.ErrClaimSANUPNMismatch):
 		return domain.SCEPFailBadRequest
 	default:
 		return domain.SCEPFailBadRequest
 	}
 }
 // mapServiceErrorToFailInfo translates a service-layer error into the
 // SCEP failInfo code RFC 8894 §3.2.1.4.5 enumerates. The mapping mirrors
 // the table in PKCSReqWithEnvelope's docblock; defaults to BadRequest
 // when the error doesn't match any specific category.
 func mapServiceErrorToFailInfo(err error) domain.SCEPFailInfo {
 	if err == nil {
 		return domain.SCEPFailBadRequest
 	}
 	msg := err.Error()
 	switch {
 	case containsAnyOf(msg, "invalid CSR PEM", "failed to parse CSR"):
 		return domain.SCEPFailBadRequest
 	case containsAnyOf(msg, "CSR signature verification failed"):
 		return domain.SCEPFailBadMessageCheck
 	case containsAnyOf(msg, "key algorithm", "key size", "algorithm not allowed", "crypto policy"):
 		return domain.SCEPFailBadAlg
 	default:
 		return domain.SCEPFailBadRequest
 	}
 }
 func containsAnyOf(s string, needles ...string) bool {
 	for _, n := range needles {
 		if strings.Contains(s, n) {
 			return true
 		}
 	}
 	return false
 }
 // RenewalReqWithEnvelope processes a SCEP RenewalReq from the RFC 8894 path.
 // RFC 8894 §3.3.1.2 — re-enrollment with an existing valid cert. Distinct
 // from PKCSReq because the signerInfo is signed by the EXISTING cert
 // (proving possession), not by a transient self-signed device key.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 4.2.
 //
 // Functionally identical to PKCSReqWithEnvelope but with two differences:
 //
 //  1. Audit action is `scep_renewalreq` (vs `scep_pkcsreq`) — operators
 //     can grep the audit log to distinguish initial enrollments from
 //     renewals.
 //
 //  2. The signing cert presented as POPO MUST chain to the issuer's CA
 //     (the cert was previously issued by THIS issuer, not a self-signed
 //     throwaway). Verified against the issuer's GetCACertPEM chain via
 //     x509.Certificate.Verify. A signing cert that doesn't chain is
 //     mapped to BadMessageCheck per the same RFC 8894 §3.3.2.2 semantics
 //     as an EnvelopedData decrypt failure (integrity-check failure).
 //
 // Returns *SCEPResponseEnvelope (same contract as PKCSReqWithEnvelope);
 // nil signals 'invalid challenge password' for HTTP 403 translation.
 func (s *SCEPService) RenewalReqWithEnvelope(ctx context.Context, csrPEM string, challengePassword string, envelope *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope {
 	resp := &domain.SCEPResponseEnvelope{
 		TransactionID:  envelope.TransactionID,
 		RecipientNonce: envelope.SenderNonce,
 	}
 	// SCEP RFC 8894 + Intune master bundle Phase 8.3: Intune dispatcher
 	// applies to RenewalReq too. The chain-validation gate further down
 	// stays in place — Intune-managed devices still need to present a
 	// previously-issued cert as POPO when re-enrolling. The Intune
 	// validator covers "is this a legitimate Intune challenge?" and the
 	// chain check covers "did this device hold a prior cert from this
 	// issuer?" — both must pass.
 	if outcome := s.dispatchIntuneChallenge(ctx, csrPEM, challengePassword, envelope.TransactionID); outcome.decided {
 		if outcome.err != nil {
 			resp.Status = domain.SCEPStatusFailure
 			resp.FailInfo = mapIntuneErrorToFailInfo(outcome.err)
 			return resp
 		}
 		// Chain-of-trust check still applies on renewal even via Intune.
 		if err := s.verifyRenewalSignerCertChain(ctx, envelope.SignerCert); err != nil {
 			s.logger.Warn("SCEP renewal rejected: signer cert chain invalid (Intune path)",
 				"transaction_id", envelope.TransactionID, "error", err.Error())
 			resp.Status = domain.SCEPStatusFailure
 			resp.FailInfo = domain.SCEPFailBadMessageCheck
 			return resp
 		}
 		result, err := s.processEnrollment(ctx, csrPEM, envelope.TransactionID, "scep_renewalreq_intune")
 		if err != nil {
 			resp.Status = domain.SCEPStatusFailure
 			resp.FailInfo = mapServiceErrorToFailInfo(err)
 			return resp
 		}
 		resp.Status = domain.SCEPStatusSuccess
 		resp.Result = result
 		return resp
 	}
 	// Same challenge-password gate as PKCSReqWithEnvelope. Defense in depth
 	// even though the RenewalReq path additionally verifies the signing
 	// cert chain — a stolen/leaked challenge password combined with a
 	// previously-issued cert (e.g. from a compromised device) would still
 	// allow renewal otherwise. The two checks are independent.
 	if s.challengePassword == "" {
 		s.logger.Warn("SCEP renewal rejected: server has no challenge password configured (RFC 8894 path)",
 			"transaction_id", envelope.TransactionID)
 		return nil
 	}
 	if subtle.ConstantTimeCompare([]byte(challengePassword), []byte(s.challengePassword)) != 1 {
 		s.logger.Warn("SCEP renewal rejected: invalid challenge password (RFC 8894 path)",
 			"transaction_id", envelope.TransactionID)
 		return nil
 	}
 	// Verify the signing cert chains to the issuer's CA. Without this gate
 	// any self-signed cert with a valid challenge password could trigger a
 	// renewal — defeating the 'proof of prior issuance' contract RenewalReq
 	// is supposed to provide.
 	if err := s.verifyRenewalSignerCertChain(ctx, envelope.SignerCert); err != nil {
 		s.logger.Warn("SCEP renewal rejected: signer cert chain invalid",
 			"transaction_id", envelope.TransactionID,
 			"error", err.Error(),
 		)
 		resp.Status = domain.SCEPStatusFailure
 		resp.FailInfo = domain.SCEPFailBadMessageCheck
 		return resp
 	}
 	// Reuse the existing processEnrollment for the actual issuance work
 	// — RenewalReq is functionally a re-issuance with a different audit
 	// action and chain-validation precondition.
 	result, err := s.processEnrollment(ctx, csrPEM, envelope.TransactionID, "scep_renewalreq")
 	if err != nil {
 		resp.Status = domain.SCEPStatusFailure
 		resp.FailInfo = mapServiceErrorToFailInfo(err)
 		return resp
 	}
 	resp.Status = domain.SCEPStatusSuccess
 	resp.Result = result
 	return resp
 }
 // verifyRenewalSignerCertChain confirms the device's signing cert (the cert
 // presented as POPO in the SignerInfo) was previously issued by the
 // configured issuer. Used by RenewalReqWithEnvelope to enforce the 'must
 // have a previously-issued cert' contract RFC 8894 §3.3.1.2 implies.
 //
 // A self-signed throwaway cert (initial-enrollment shape) fails this check
 // — that's an indicator the client meant to send PKCSReq, not RenewalReq.
 // Operators see the audit-log entry; the client sees BadMessageCheck.
 func (s *SCEPService) verifyRenewalSignerCertChain(ctx context.Context, signerCertDER []byte) error {
 	if len(signerCertDER) == 0 {
 		return fmt.Errorf("signer cert is empty (no POPO cert in SignerInfo)")
 	}
 	signerCert, err := x509.ParseCertificate(signerCertDER)
 	if err != nil {
 		return fmt.Errorf("parse signer cert: %w", err)
 	}
 	// Pull the issuer's CA chain via the existing IssuerConnector
 	// surface. Failure here is a deploy bug (the issuer connector lost
 	// its CA cert mid-flight) rather than a client error — surface as
 	// the same generic failure to avoid leaking server state.
 	caPEM, err := s.issuer.GetCACertPEM(ctx)
 	if err != nil {
 		return fmt.Errorf("get CA cert PEM: %w", err)
 	}
 	pool := x509.NewCertPool()
 	if !pool.AppendCertsFromPEM([]byte(caPEM)) {
 		return fmt.Errorf("CA cert PEM contains no parseable certs")
 	}
 	opts := x509.VerifyOptions{
 		Roots:     pool,
 		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
 	}
 	if _, err := signerCert.Verify(opts); err != nil {
 		return fmt.Errorf("signer cert chain validation failed: %w", err)
 	}
 	return nil
 }
 // GetCertInitialWithEnvelope handles SCEP polling requests. RFC 8894 §3.3.3
 // — the client polls when the prior PKCSReq returned Status=Pending.
 //
 // SCEP RFC 8894 + Intune master bundle Phase 4.3.
 //
 // v1 of this bundle returns FAILURE+badCertID for all GetCertInitial
 // requests since deferred-issuance isn't supported (every PKCSReq either
 // succeeds or fails synchronously — no Pending state in the existing
 // service-layer issuance pipeline). The wiring stays in place for a
 // future enhancement (e.g. 'queue for manual approval' workflows).
 func (s *SCEPService) GetCertInitialWithEnvelope(_ context.Context, envelope *domain.SCEPRequestEnvelope) *domain.SCEPResponseEnvelope {
 	s.logger.Info("SCEP GetCertInitial received — deferred-issuance not supported in v1, returning badCertID",
 		"transaction_id", envelope.TransactionID)
 	return &domain.SCEPResponseEnvelope{
 		Status:         domain.SCEPStatusFailure,
 		FailInfo:       domain.SCEPFailBadCertID,
 		TransactionID:  envelope.TransactionID,
 		RecipientNonce: envelope.SenderNonce,
 	}
 }
@@ -0,0 +1,487 @@
 package service
 import (
 	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"log/slog"
 	"math/big"
 	"os"
 	"strings"
 	"testing"
 	"time"
 	"github.com/shankar0123/certctl/internal/scep/intune"
 )
 // SCEP RFC 8894 + Intune master bundle Phase 8.9 — service-layer dispatcher
 // tests. Exercises the looksIntuneShaped pre-check, the validator + claim
 // binding, the replay cache + per-device rate limiter integration, and the
 // nil-default compliance hook seam.
 // ------------------------------------------------------------------
 // Test plumbing.
 // ------------------------------------------------------------------
 func newTestSCEPLogger() *slog.Logger {
 	return slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError}))
 }
 // intuneTestConn manufactures an ephemeral RSA Connector signing cert + key
 // for tests that build challenges by hand. Mirrors challenge_test.go's
 // helper but lives in the service package so tests can exercise the full
 // dispatcher path.
 type intuneTestConn struct {
 	key  *rsa.PrivateKey
 	cert *x509.Certificate
 }
 func newIntuneTestConn(t *testing.T) intuneTestConn {
 	t.Helper()
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatalf("rsa.GenerateKey: %v", err)
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber:          big.NewInt(1),
 		Subject:               pkix.Name{CommonName: "test-intune-connector"},
 		NotBefore:             time.Now().Add(-1 * time.Hour),
 		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
 		BasicConstraintsValid: true,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
 	if err != nil {
 		t.Fatalf("x509.CreateCertificate: %v", err)
 	}
 	cert, err := x509.ParseCertificate(der)
 	if err != nil {
 		t.Fatalf("x509.ParseCertificate: %v", err)
 	}
 	return intuneTestConn{key: key, cert: cert}
 }
 // signTestChallenge hand-builds a signed Intune-shaped challenge with the
 // caller-supplied claim payload. Returns the wire-format string ready to
 // pass as the "challenge password" argument to PKCSReq.
 func (c intuneTestConn) signTestChallenge(t *testing.T, payload any) string {
 	t.Helper()
 	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
 	pl, _ := json.Marshal(payload)
 	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
 		base64.RawURLEncoding.EncodeToString(pl)
 	h := sha256.Sum256([]byte(signingInput))
 	sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
 	if err != nil {
 		t.Fatalf("rsa.SignPKCS1v15: %v", err)
 	}
 	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
 }
 // holderFromCerts wraps a static slice of certs as a TrustAnchorHolder
 // without going through the on-disk loader. Used for tests that drive
 // validation without writing a temp PEM file.
 func holderFromCerts(t *testing.T, certs []*x509.Certificate) *intune.TrustAnchorHolder {
 	t.Helper()
 	dir := t.TempDir()
 	path := dir + "/intune-trust.pem"
 	// Write a real bundle so the holder can Reload later if the test wants.
 	body := []byte{}
 	for _, c := range certs {
 		body = append(body, []byte("-----BEGIN CERTIFICATE-----\n")...)
 		b64 := base64.StdEncoding.EncodeToString(c.Raw)
 		// Wrap to 64-char lines per PEM convention.
 		for len(b64) > 64 {
 			body = append(body, []byte(b64[:64]+"\n")...)
 			b64 = b64[64:]
 		}
 		body = append(body, []byte(b64+"\n-----END CERTIFICATE-----\n")...)
 	}
 	if err := os.WriteFile(path, body, 0o600); err != nil {
 		t.Fatalf("WriteFile trust bundle: %v", err)
 	}
 	holder, err := intune.NewTrustAnchorHolder(path, newTestSCEPLogger())
 	if err != nil {
 		t.Fatalf("NewTrustAnchorHolder: %v", err)
 	}
 	return holder
 }
 // validIntunePayload returns a v1 challenge payload whose claim matches a
 // CSR generated via generateCSRPEM(t, "device.example.com", []string{...}).
 // Tests can mutate it before signing to exercise individual failure modes.
 func validIntunePayload(now time.Time) map[string]any {
 	return map[string]any{
 		"iss":         "test-intune-connector-installation",
 		"sub":         "device-guid-001",
 		"aud":         "https://certctl.example.com/scep/corp",
 		"iat":         now.Add(-1 * time.Minute).Unix(),
 		"exp":         now.Add(59 * time.Minute).Unix(),
 		"nonce":       "nonce-001",
 		"device_name": "device.example.com",
 		"san_dns":     []string{"device.example.com"},
 	}
 }
 // ------------------------------------------------------------------
 // Dispatcher behavior.
 // ------------------------------------------------------------------
 func TestSCEPService_LooksIntuneShaped(t *testing.T) {
 	cases := []struct {
 		name string
 		in   string
 		want bool
 	}{
 		{"empty", "", false},
 		{"short static password", "secret123", false},
 		{"long but no dots", strings.Repeat("a", 300), false},
 		{"long with two dots (intune-shaped)", strings.Repeat("a", 80) + "." + strings.Repeat("b", 80) + "." + strings.Repeat("c", 80), true},
 		{"long with three dots (not intune)", "a.b.c.d", false},
 		{"exactly 200 bytes (boundary, not intune)", strings.Repeat("a", 100) + "." + strings.Repeat("a", 99), false},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			if got := looksIntuneShaped(tc.in); got != tc.want {
 				t.Errorf("looksIntuneShaped(%q) = %v, want %v", tc.in[:min(40, len(tc.in))]+"…", got, tc.want)
 			}
 		})
 	}
 }
 func TestSCEPService_PKCSReq_IntuneDispatcher_Success(t *testing.T) {
 	conn := newIntuneTestConn(t)
 	mockIssuer := &mockIssuerConnector{}
 	auditRepo := newMockAuditRepository()
 	auditSvc := NewAuditService(auditRepo)
 	// Service has the legacy challenge password set (we want to verify the
 	// dispatcher takes precedence over the static path when intune-shaped).
 	svc := NewSCEPService("iss-local", mockIssuer, auditSvc, newTestSCEPLogger(), "static-secret")
 	holder := holderFromCerts(t, []*x509.Certificate{conn.cert})
 	svc.SetIntuneIntegration(
 		holder,
 		"https://certctl.example.com/scep/corp",
 		60*time.Minute,
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
 	csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
 	challenge := conn.signTestChallenge(t, validIntunePayload(time.Now()))
 	result, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-intune-001")
 	if err != nil {
 		t.Fatalf("PKCSReq: %v", err)
 	}
 	if result == nil || result.CertPEM == "" {
 		t.Fatalf("expected non-empty cert; got %#v", result)
 	}
 	// The audit event should carry the Intune-specific action code so
 	// operators can grep the audit log to count Intune enrollments
 	// distinct from static-challenge enrollments.
 	if len(auditRepo.Events) == 0 {
 		t.Fatalf("expected an audit event")
 	}
 	if got := auditRepo.Events[0].Action; got != "scep_pkcsreq_intune" {
 		t.Errorf("audit action = %q, want scep_pkcsreq_intune (Phase 8.4)", got)
 	}
 }
 func TestSCEPService_PKCSReq_IntuneDispatcher_StaticChallengeStillWorks(t *testing.T) {
 	// Operator deploy that has Intune enabled on a profile but a device
 	// sends a SHORT static challenge — must still work via the fallback path.
 	conn := newIntuneTestConn(t)
 	mockIssuer := &mockIssuerConnector{}
 	svc := NewSCEPService("iss-local", mockIssuer, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
 	svc.SetIntuneIntegration(
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"https://certctl.example.com/scep/corp",
 		60*time.Minute,
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
 	csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
 	if _, err := svc.PKCSReq(context.Background(), csrPEM, "static-secret", "txn-static-001"); err != nil {
 		t.Fatalf("static-challenge fallback should still work when Intune enabled: %v", err)
 	}
 }
 func TestSCEPService_PKCSReq_IntuneDispatcher_TamperedChallengeRejected(t *testing.T) {
 	conn := newIntuneTestConn(t)
 	svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
 	svc.SetIntuneIntegration(
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
 	csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
 	good := conn.signTestChallenge(t, validIntunePayload(time.Now()))
 	parts := strings.Split(good, ".")
 	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
 	sig[0] ^= 0xFF
 	parts[2] = base64.RawURLEncoding.EncodeToString(sig)
 	tampered := strings.Join(parts, ".")
 	_, err := svc.PKCSReq(context.Background(), csrPEM, tampered, "txn-tamper-001")
 	if err == nil {
 		t.Fatal("expected tampered challenge to be rejected")
 	}
 	if !errors.Is(err, intune.ErrChallengeSignature) {
 		t.Errorf("got %v, want errors.Is(ErrChallengeSignature)", err)
 	}
 }
 func TestSCEPService_PKCSReq_IntuneDispatcher_ClaimMismatchRejected(t *testing.T) {
 	conn := newIntuneTestConn(t)
 	svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
 	svc.SetIntuneIntegration(
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
 	// CSR's CN ("attacker-host.example.com") does NOT match the claim's
 	// device_name ("device.example.com").
 	csrPEM := generateCSRPEM(t, "attacker-host.example.com", []string{"attacker-host.example.com"})
 	challenge := conn.signTestChallenge(t, validIntunePayload(time.Now()))
 	_, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-mismatch-001")
 	if err == nil {
 		t.Fatal("expected claim mismatch to be rejected")
 	}
 	if !errors.Is(err, intune.ErrClaimCNMismatch) {
 		t.Errorf("got %v, want ErrClaimCNMismatch", err)
 	}
 }
 func TestSCEPService_PKCSReq_IntuneDispatcher_ReplayDetected(t *testing.T) {
 	conn := newIntuneTestConn(t)
 	svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
 	svc.SetIntuneIntegration(
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(0, 24*time.Hour, 100), // disable rate limit so we don't trip THAT first
 	)
 	csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
 	challenge := conn.signTestChallenge(t, validIntunePayload(time.Now()))
 	if _, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-001"); err != nil {
 		t.Fatalf("first call should succeed: %v", err)
 	}
 	_, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-002")
 	if !errors.Is(err, intune.ErrChallengeReplay) {
 		t.Fatalf("got %v, want ErrChallengeReplay on the second call", err)
 	}
 }
 func TestSCEPService_PKCSReq_IntuneDispatcher_RateLimited(t *testing.T) {
 	conn := newIntuneTestConn(t)
 	svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
 	svc.SetIntuneIntegration(
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
 		// Replay cache must not block us — use disjoint nonces per call.
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(2, 24*time.Hour, 100), // limit = 2
 	)
 	csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
 	for i := 0; i < 2; i++ {
 		pl := validIntunePayload(time.Now())
 		pl["nonce"] = "nonce-" + string(rune('a'+i))
 		ch := conn.signTestChallenge(t, pl)
 		if _, err := svc.PKCSReq(context.Background(), csrPEM, ch, "txn-allow"); err != nil {
 			t.Fatalf("call %d should succeed: %v", i+1, err)
 		}
 	}
 	// 3rd call same (Subject, Issuer) → rate limited.
 	pl := validIntunePayload(time.Now())
 	pl["nonce"] = "nonce-third"
 	third := conn.signTestChallenge(t, pl)
 	_, err := svc.PKCSReq(context.Background(), csrPEM, third, "txn-block")
 	if !errors.Is(err, intune.ErrRateLimited) {
 		t.Fatalf("got %v, want ErrRateLimited on 3rd call (cap=2)", err)
 	}
 }
 // ------------------------------------------------------------------
 // Compliance-hook seam (Phase 8.7).
 // ------------------------------------------------------------------
 func TestSCEPService_PKCSReq_IntuneDispatcher_ComplianceHookNilDefault(t *testing.T) {
 	// Default state: no hook installed, enrollments proceed.
 	conn := newIntuneTestConn(t)
 	svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
 	svc.SetIntuneIntegration(
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
 	csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
 	challenge := conn.signTestChallenge(t, validIntunePayload(time.Now()))
 	if _, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-nil-hook"); err != nil {
 		t.Fatalf("nil-default compliance hook should be a no-op: %v", err)
 	}
 }
 func TestSCEPService_PKCSReq_IntuneDispatcher_ComplianceHookDeniesNonCompliant(t *testing.T) {
 	conn := newIntuneTestConn(t)
 	svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
 	svc.SetIntuneIntegration(
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
 	svc.SetComplianceCheck(func(ctx context.Context, claim *intune.ChallengeClaim) (bool, string, error) {
 		return false, "device under remediation", nil
 	})
 	csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
 	challenge := conn.signTestChallenge(t, validIntunePayload(time.Now()))
 	_, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-noncompliant")
 	if err == nil {
 		t.Fatal("non-compliant device must be rejected")
 	}
 	if !strings.Contains(err.Error(), "intune compliance") {
 		t.Errorf("error should reference compliance reason: %v", err)
 	}
 	if !strings.Contains(err.Error(), "device under remediation") {
 		t.Errorf("error should preserve compliance reason for audit: %v", err)
 	}
 }
 func TestSCEPService_PKCSReq_IntuneDispatcher_ComplianceHookErrorFailsClosed(t *testing.T) {
 	conn := newIntuneTestConn(t)
 	svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
 	svc.SetIntuneIntegration(
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		60*time.Minute,
 		intune.NewReplayCache(60*time.Minute, 100),
 		intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
 	)
 	svc.SetComplianceCheck(func(ctx context.Context, claim *intune.ChallengeClaim) (bool, string, error) {
 		return false, "", errors.New("graph API down")
 	})
 	csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
 	challenge := conn.signTestChallenge(t, validIntunePayload(time.Now()))
 	_, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-compl-err")
 	if err == nil {
 		t.Fatal("compliance API error must fail closed (deny)")
 	}
 }
 // ------------------------------------------------------------------
 // IntuneEnabled accessor + miscellaneous wiring.
 // ------------------------------------------------------------------
 func TestSCEPService_IntuneEnabled_AccessorReflectsState(t *testing.T) {
 	svc := NewSCEPService("iss-local", &mockIssuerConnector{}, nil, newTestSCEPLogger(), "static")
 	if svc.IntuneEnabled() {
 		t.Fatal("freshly-built service must report IntuneEnabled=false")
 	}
 	conn := newIntuneTestConn(t)
 	svc.SetIntuneIntegration(
 		holderFromCerts(t, []*x509.Certificate{conn.cert}),
 		"",
 		0,
 		nil,
 		nil,
 	)
 	if !svc.IntuneEnabled() {
 		t.Fatal("after SetIntuneIntegration, IntuneEnabled() must report true")
 	}
 }
 func TestSCEPService_PKCSReq_IntuneDisabled_StaticPathUnchanged(t *testing.T) {
 	// Sanity: a service that NEVER had SetIntuneIntegration called must
 	// behave exactly like the pre-Phase-8 service. This pins the no-regression
 	// guarantee for the broad set of profiles that won't enable Intune.
 	mockIssuer := &mockIssuerConnector{}
 	svc := NewSCEPService("iss-local", mockIssuer, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
 	csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
 	// Submit something Intune-shaped — without SetIntuneIntegration this
 	// must NOT route through the dispatcher (looksIntuneShaped + intuneEnabled
 	// are AND-gated). It will fall through to the static compare and reject.
 	intuneShaped := strings.Repeat("a", 80) + "." + strings.Repeat("b", 80) + "." + strings.Repeat("c", 80)
 	if _, err := svc.PKCSReq(context.Background(), csrPEM, intuneShaped, "txn-noop"); err == nil {
 		t.Fatal("static path with wrong password must reject (we passed an intune-shaped string but Intune is off)")
 	}
 	// Now submit the right static password — must succeed.
 	if _, err := svc.PKCSReq(context.Background(), csrPEM, "static-secret", "txn-noop-2"); err != nil {
 		t.Fatalf("static path with right password must work: %v", err)
 	}
 }
 // ------------------------------------------------------------------
 // IntuneFailReason mapping.
 // ------------------------------------------------------------------
 func TestIntuneFailReason_AllTypedErrorsMapped(t *testing.T) {
 	cases := []struct {
 		err  error
 		want string
 	}{
 		{nil, "success"},
 		{intune.ErrChallengeSignature, "signature_invalid"},
 		{intune.ErrChallengeExpired, "expired"},
 		{intune.ErrChallengeNotYetValid, "not_yet_valid"},
 		{intune.ErrChallengeWrongAudience, "wrong_audience"},
 		{intune.ErrChallengeReplay, "replay"},
 		{intune.ErrChallengeUnknownVersion, "unknown_version"},
 		{intune.ErrChallengeMalformed, "malformed"},
 		{intune.ErrRateLimited, "rate_limited"},
 		{intune.ErrClaimCNMismatch, "claim_mismatch"},
 		{intune.ErrClaimSANDNSMismatch, "claim_mismatch"},
 		{intune.ErrClaimSANRFC822Mismatch, "claim_mismatch"},
 		{intune.ErrClaimSANUPNMismatch, "claim_mismatch"},
 		{errors.New("something else"), "malformed"}, // default bucket
 	}
 	for _, tc := range cases {
 		got := intuneFailReason(tc.err)
 		if got != tc.want {
 			t.Errorf("intuneFailReason(%v) = %q, want %q", tc.err, got, tc.want)
 		}
 	}
 }
 // asn1 unused but imported by sibling tests; this package-level guard keeps
 // future changes that introduce ASN.1 fixtures here from breaking the build.
 func init() {
 	_ = ecdsa.GenerateKey
 	_ = elliptic.P256
 }
 func min(a, b int) int {
 	if a < b {
 		return a
 	}
 	return b
 }
@@ -0,0 +1,154 @@
 package service
 import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"io"
 	"log/slog"
 	"testing"
 	"github.com/shankar0123/certctl/internal/domain"
 )
 // SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up: end-to-end
 // integration test for the must-staple wire from CertificateProfile.MustStaple
 // through the SCEPService into the IssuerConnector.
 //
 // Background: the original Phase 5.6 commit shipped the local issuer's RFC
 // 7633 extension generation + the IssuanceRequest.MustStaple field, but
 // the SCEP service layer (and EST + agent + renewal) didn't read
 // profile.MustStaple and didn't pass it to IssueCertificate. That made
 // CertificateProfile.MustStaple a "lying field" — the operator could set
 // it, the API would store + return it, the docs claimed it worked, but
 // the cert came back without the extension. Worse than not having the
 // field at all.
 //
 // This test pins the wire end-to-end:
 //
 //   1. Create a CertificateProfile with MustStaple=true.
 //   2. Drive a SCEP enrollment through SCEPService.PKCSReq.
 //   3. Assert the mock IssuerConnector saw mustStaple=true (proving the
 //      service-layer wire reaches the connector).
 //
 // The local-issuer-side test (must_staple_test.go) already pins that the
 // connector translates that bool into the RFC 7633 extension. Together
 // they prove: configurable bit → behavior change, end-to-end.
 // stubProfileRepo is a minimal in-memory CertificateProfileRepository for
 // the test. Returns the configured profile by ID; other repo methods
 // panic if exercised (we only need Get).
 type stubProfileRepo struct {
 	profile *domain.CertificateProfile
 }
 func (s *stubProfileRepo) Get(_ context.Context, id string) (*domain.CertificateProfile, error) {
 	if s.profile != nil && s.profile.ID == id {
 		return s.profile, nil
 	}
 	return nil, nil
 }
 func (s *stubProfileRepo) Create(_ context.Context, _ *domain.CertificateProfile) error {
 	panic("stubProfileRepo.Create not implemented for this test")
 }
 func (s *stubProfileRepo) Update(_ context.Context, _ *domain.CertificateProfile) error {
 	panic("stubProfileRepo.Update not implemented for this test")
 }
 func (s *stubProfileRepo) Delete(_ context.Context, _ string) error {
 	panic("stubProfileRepo.Delete not implemented for this test")
 }
 func (s *stubProfileRepo) List(_ context.Context) ([]*domain.CertificateProfile, error) {
 	panic("stubProfileRepo.List not implemented for this test")
 }
 func TestSCEPService_PKCSReq_PlumbsMustStapleToIssuer(t *testing.T) {
 	// 1. Mock issuer that records the must-staple bool from the call.
 	mock := &mockIssuerConnector{}
 	// 2. Profile with MustStaple=true.
 	profile := &domain.CertificateProfile{
 		ID:            "prof-must-staple",
 		Name:          "must-staple",
 		MaxTTLSeconds: 86400,
 		MustStaple:    true,
 		Enabled:       true,
 	}
 	repo := &stubProfileRepo{profile: profile}
 	// 3. Build the service. Use a real challenge password so we exercise
 	//    the same gate the production path runs.
 	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
 	svc := NewSCEPService("iss-test", mock, nil, logger, "shared-secret-123")
 	svc.SetProfileRepo(repo)
 	svc.SetProfileID(profile.ID)
 	// 4. Build a CSR (real crypto so processEnrollment's CheckSignature
 	//    + crypto-policy validation both pass).
 	csrPEM := buildCSRForSCEPMustStaple(t, "must-staple.example.com")
 	// 5. Drive the enrollment.
 	_, err := svc.PKCSReq(context.Background(), csrPEM, "shared-secret-123", "txn-must-staple")
 	if err != nil {
 		t.Fatalf("PKCSReq: %v", err)
 	}
 	// 6. Assert the must-staple wire reached the connector.
 	if !mock.LastMustStaple {
 		t.Errorf("mockIssuerConnector.LastMustStaple = false, want true — service layer dropped profile.MustStaple on the floor (the 'lying field' regression)")
 	}
 }
 func TestSCEPService_PKCSReq_NoMustStaplePropagatesFalse(t *testing.T) {
 	// Companion: when the profile does NOT have MustStaple set, the
 	// connector must see false. Pins the symmetric contract.
 	mock := &mockIssuerConnector{LastMustStaple: true} // pre-set to true so we can detect a stuck-at-true bug
 	profile := &domain.CertificateProfile{
 		ID:            "prof-no-staple",
 		Name:          "no-staple",
 		MaxTTLSeconds: 86400,
 		MustStaple:    false,
 		Enabled:       true,
 	}
 	repo := &stubProfileRepo{profile: profile}
 	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
 	svc := NewSCEPService("iss-test", mock, nil, logger, "shared-secret-123")
 	svc.SetProfileRepo(repo)
 	svc.SetProfileID(profile.ID)
 	csrPEM := buildCSRForSCEPMustStaple(t, "no-staple.example.com")
 	_, err := svc.PKCSReq(context.Background(), csrPEM, "shared-secret-123", "txn-no-staple")
 	if err != nil {
 		t.Fatalf("PKCSReq: %v", err)
 	}
 	if mock.LastMustStaple {
 		t.Errorf("mockIssuerConnector.LastMustStaple = true, want false — service layer set MustStaple=true despite profile.MustStaple=false")
 	}
 }
 // buildCSRForSCEPMustStaple creates an ECDSA P-256 CSR for the given CN.
 // Local helper — kept distinct from buildCSRForSCEP elsewhere in the
 // service test suite to avoid name collisions.
 func buildCSRForSCEPMustStaple(t *testing.T, cn string) string {
 	t.Helper()
 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		t.Fatalf("ecdsa.GenerateKey: %v", err)
 	}
 	tmpl := &x509.CertificateRequest{
 		Subject: pkix.Name{CommonName: cn},
 	}
 	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
 	if err != nil {
 		t.Fatalf("CreateCertificateRequest: %v", err)
 	}
 	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}))
 }
@@ -26,6 +26,18 @@ func TestSCEPService_GetCACaps(t *testing.T) {
 	if !strings.Contains(caps, "SCEPStandard") {
 		t.Errorf("expected SCEPStandard in caps, got: %s", caps)
 	}
 	// SCEP RFC 8894 Phase 5.1 additions — pin the new caps so a future
 	// 'simplify caps' refactor doesn't quietly remove ChromeOS-required
 	// negotiation flags.
 	if !strings.Contains(caps, "SHA-512") {
 		t.Errorf("expected SHA-512 in caps (Phase 5.1 addition), got: %s", caps)
 	}
 	if !strings.Contains(caps, "AES") {
 		t.Errorf("expected AES in caps, got: %s", caps)
 	}
 	if !strings.Contains(caps, "Renewal") {
 		t.Errorf("expected Renewal in caps (Phase 5.1 addition — RenewalReq messageType support), got: %s", caps)
 	}
 }
 func TestSCEPService_GetCACert_Success(t *testing.T) {
@@ -1254,9 +1254,25 @@ type mockIssuerConnector struct {
 	// LastOCSPSignRequest captures the last request passed to SignOCSPResponse.
 	// Tests use this to assert CertStatus (0=good, 1=revoked, 2=unknown).
 	LastOCSPSignRequest *OCSPSignRequest
 	// LastMustStaple records the must-staple bool from the most recent
 	// Issue/Renew call so tests can assert the service-layer wire from
 	// CertificateProfile.MustStaple → IssuerConnector reaches the
 	// connector. SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up.
 	LastMustStaple bool
 }
-func (m *mockIssuerConnector) IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int) (*IssuanceResult, error) {
+// LastMustStaple records the must-staple bool from the most recent
 // IssueCertificate / RenewCertificate call. Set by both methods so tests
 // can assert the wire from CertificateProfile.MustStaple → service →
 // IssuerConnector reaches the connector. SCEP RFC 8894 + Intune master
 // bundle Phase 5.6 follow-up.
 //
 // (Field added to mockIssuerConnector struct above; declared via the
 // pointer receiver so existing test fixtures don't need re-zeroing.)
 func (m *mockIssuerConnector) IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int, mustStaple bool) (*IssuanceResult, error) {
 	m.LastMustStaple = mustStaple
 	if m.Err != nil {
 		return nil, m.Err
 	}
@@ -1273,11 +1289,12 @@ func (m *mockIssuerConnector) IssueCertificate(ctx context.Context, commonName s
 	}, nil
 }
-func (m *mockIssuerConnector) RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int) (*IssuanceResult, error) {
+func (m *mockIssuerConnector) RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int, mustStaple bool) (*IssuanceResult, error) {
 	m.LastMustStaple = mustStaple
 	if m.Err != nil {
 		return nil, m.Err
 	}
-	return m.IssueCertificate(ctx, commonName, sans, csrPEM, ekus, maxTTLSeconds)
+	return m.IssueCertificate(ctx, commonName, sans, csrPEM, ekus, maxTTLSeconds, mustStaple)
 }
 func (m *mockIssuerConnector) RevokeCertificate(ctx context.Context, serial string, reason string) error {
@@ -1,4 +1,4 @@
-import type { Certificate, CertificateVersion, Agent, Job, Notification, AuditEvent, PolicyRule, PolicyViolation, RenewalPolicy, Issuer, Target, CertificateProfile, Owner, Team, AgentGroup, PaginatedResponse, DashboardSummary, CertificateStatusCount, ExpirationBucket, JobTrendDataPoint, IssuanceRateDataPoint, MetricsResponse, DiscoveredCertificate, DiscoveryScan, DiscoverySummary, NetworkScanTarget, EndpointHealthCheck, HealthHistoryEntry, HealthCheckSummary, AgentDependencyCounts, RetireAgentResponse, BlockedByDependenciesResponse, CRLCacheResponse } from './types';
+import type { Certificate, CertificateVersion, Agent, Job, Notification, AuditEvent, PolicyRule, PolicyViolation, RenewalPolicy, Issuer, Target, CertificateProfile, Owner, Team, AgentGroup, PaginatedResponse, DashboardSummary, CertificateStatusCount, ExpirationBucket, JobTrendDataPoint, IssuanceRateDataPoint, MetricsResponse, DiscoveredCertificate, DiscoveryScan, DiscoverySummary, NetworkScanTarget, EndpointHealthCheck, HealthHistoryEntry, HealthCheckSummary, AgentDependencyCounts, RetireAgentResponse, BlockedByDependenciesResponse, CRLCacheResponse, IntuneStatsResponse, IntuneReloadTrustResponse } from './types';
 const BASE = '/api/v1';
@@ -296,6 +296,22 @@ export const fetchCRL = (issuerId: string) => {
 export const getAdminCRLCache = () =>
  fetchJSON<CRLCacheResponse>(`${BASE}/admin/crl/cache`);
 // SCEP RFC 8894 + Intune master bundle Phase 9.2 admin endpoint mirror.
 //
 // Backend handler: internal/api/handler/admin_scep_intune.go.
 // Both endpoints are M-008 admin-gated; the SCEPAdminPage component
 // gates the React-Query `enabled` flag on useAuth().admin so non-admin
 // callers never see the page (the route itself is also conditional on
 // the admin flag in main.tsx).
 export const getAdminSCEPIntuneStats = () =>
  fetchJSON<IntuneStatsResponse>(`${BASE}/admin/scep/intune/stats`);
 export const reloadAdminSCEPIntuneTrust = (pathID: string) =>
  fetchJSON<IntuneReloadTrustResponse>(`${BASE}/admin/scep/intune/reload-trust`, {
    method: 'POST',
    body: JSON.stringify({ path_id: pathID }),
  });
 // Agents
 export const getAgents = (params: Record<string, string> = {}) => {
  const qs = new URLSearchParams({ page: '1', per_page: '50', ...params }).toString();
@@ -626,3 +626,53 @@ export interface CRLCacheResponse {
  row_count: number;
  generated_at: string;
 }
 // SCEP RFC 8894 + Intune master bundle Phase 9.2: admin observability
 // payload mirror for the per-profile Intune dispatcher.
 //
 // Backend types live at internal/service/scep.go (IntuneStatsSnapshot +
 // IntuneTrustAnchorInfo) and the handler glue in
 // internal/api/handler/admin_scep_intune.go. Both endpoints are admin-
 // gated (M-008 pin in m008_admin_gate_test.go) — the GUI hides the
 // SCEP Intune surface entirely (rather than letting it 403 noisily) by
 // gating the React-Query enabled flag on useAuth().admin at the call site.
 export interface IntuneTrustAnchorInfo {
  subject: string;
  not_before: string;
  not_after: string;
  days_to_expiry: number;
  expired: boolean;
 }
 // IntuneStatsSnapshot — one row per configured SCEP profile. Profiles
 // where Intune is disabled appear with enabled=false; the remaining
 // fields stay zero/empty so the GUI can render a "Not enabled" pill.
 export interface IntuneStatsSnapshot {
  path_id: string;
  issuer_id: string;
  enabled: boolean;
  trust_anchor_path?: string;
  trust_anchors?: IntuneTrustAnchorInfo[];
  audience?: string;
  challenge_validity_ns?: number;
  rate_limit_disabled: boolean;
  replay_cache_size: number;
  // Counter labels match intuneFailReason() in the backend dispatcher:
  // success / signature_invalid / expired / not_yet_valid / wrong_audience /
  // replay / unknown_version / malformed / rate_limited / claim_mismatch /
  // compliance_failed.
  counters: Record<string, number>;
  generated_at: string;
 }
 export interface IntuneStatsResponse {
  profiles: IntuneStatsSnapshot[];
  profile_count: number;
  generated_at: string;
 }
 export interface IntuneReloadTrustResponse {
  reloaded: boolean;
  path_id: string;
  reloaded_at: string;
 }
@@ -23,6 +23,7 @@ const nav = [
  { to: '/short-lived',   label: 'Short-Lived',    icon: 'M13 10V3L4 14h7v7l9-11h-7z' },
  { to: '/digest',        label: 'Digest',         icon: 'M3 8l7.89 5.26a2 2 0 002.22 0L21 8M5 19h14a2 2 0 002-2V7a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z' },
  { to: '/observability', label: 'Observability',  icon: 'M9 19v-6a2 2 0 00-2-2H5a2 2 0 00-2 2v6a2 2 0 002 2h2a2 2 0 002-2zm0 0V9a2 2 0 012-2h2a2 2 0 012 2v10m-6 0a2 2 0 002 2h2a2 2 0 002-2m0 0V5a2 2 0 012-2h2a2 2 0 012 2v14a2 2 0 01-2 2h-2a2 2 0 01-2-2z' },
  { to: '/scep/intune',   label: 'SCEP Intune',    icon: 'M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z' },
  { to: '/audit',         label: 'Audit Trail',   icon: 'M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z' },
 ];
@@ -32,6 +32,7 @@ import ObservabilityPage from './pages/ObservabilityPage';
 import JobDetailPage from './pages/JobDetailPage';
 import IssuerDetailPage from './pages/IssuerDetailPage';
 import TargetDetailPage from './pages/TargetDetailPage';
 import SCEPAdminPage from './pages/SCEPAdminPage';
 import './index.css';
 const queryClient = new QueryClient({
@@ -79,6 +80,12 @@ createRoot(document.getElementById('root')!).render(
                  <Route path="health-monitor" element={<HealthMonitorPage />} />
                  <Route path="digest" element={<DigestPage />} />
                  <Route path="observability" element={<ObservabilityPage />} />
                  {/* SCEP RFC 8894 + Intune master bundle Phase 9.4: per-profile
                      Intune Monitoring tab. Route is unconditional; the page
                      itself renders an "Admin access required" banner for
                      non-admin callers and skips the underlying API calls so
                      the server never sees a 403-prone request. */}
                  <Route path="scep/intune" element={<SCEPAdminPage />} />
                </Route>
              </Routes>
            </BrowserRouter>
@@ -0,0 +1,340 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { render, screen, waitFor, cleanup, fireEvent } from '@testing-library/react';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
 import { MemoryRouter } from 'react-router-dom';
 import type { ReactNode } from 'react';
 // SCEP RFC 8894 + Intune master bundle Phase 9.5: Vitest coverage for the
 // SCEPAdminPage component. Pins:
 //   1. Admin gate — non-admin callers see the gated banner and the page
 //      MUST NOT issue the underlying admin API requests.
 //   2. Profile cards render with status + counters + trust-anchor expiry
 //      badge tone (good / warn / bad / EXPIRED).
 //   3. Disabled profiles render the off-state pill instead of the counter
 //      grid.
 //   4. Reload button opens the confirmation modal; Confirm calls the
 //      mutation and refetches stats; Cancel closes without calling.
 //   5. Error path surfaces ErrorState with retry.
 //   6. Audit log filter merges PKCSReq + RenewalReq events and sorts by
 //      timestamp descending.
 vi.mock('../api/client', () => ({
  getAdminSCEPIntuneStats: vi.fn(),
  reloadAdminSCEPIntuneTrust: vi.fn(),
  getAuditEvents: vi.fn(),
 }));
 vi.mock('../components/AuthProvider', () => ({
  useAuth: vi.fn(),
 }));
 import SCEPAdminPage from './SCEPAdminPage';
 import * as client from '../api/client';
 import { useAuth } from '../components/AuthProvider';
 function renderWithQuery(ui: ReactNode) {
  const qc = new QueryClient({
    defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
  });
  return render(
    <QueryClientProvider client={qc}>
      <MemoryRouter>{ui}</MemoryRouter>
    </QueryClientProvider>,
  );
 }
 function setAuth(opts: { authRequired: boolean; admin: boolean }) {
  vi.mocked(useAuth).mockReturnValue({
    loading: false,
    authRequired: opts.authRequired,
    authenticated: true,
    authType: 'apikey',
    user: 'tester',
    admin: opts.admin,
    login: async () => {},
    logout: () => {},
    error: null,
  });
 }
 const baseEnabledProfile = {
  path_id: 'corp',
  issuer_id: 'iss-corp',
  enabled: true,
  trust_anchor_path: '/etc/certctl/intune-corp.pem',
  trust_anchors: [
    {
      subject: 'intune-connector-installation-corp',
      not_before: '2026-01-01T00:00:00Z',
      not_after: '2027-01-01T00:00:00Z',
      days_to_expiry: 250,
      expired: false,
    },
  ],
  audience: 'https://certctl.example.com/scep/corp',
  challenge_validity_ns: 3_600_000_000_000,
  rate_limit_disabled: false,
  replay_cache_size: 12,
  counters: {
    success: 42,
    signature_invalid: 1,
    expired: 0,
    not_yet_valid: 0,
    wrong_audience: 0,
    replay: 2,
    rate_limited: 0,
    claim_mismatch: 3,
    compliance_failed: 0,
    malformed: 0,
    unknown_version: 0,
  },
  generated_at: '2026-04-29T15:00:00Z',
 };
 const disabledProfile = {
  path_id: 'iot',
  issuer_id: 'iss-iot',
  enabled: false,
  rate_limit_disabled: false,
  replay_cache_size: 0,
  counters: {},
  generated_at: '2026-04-29T15:00:00Z',
 };
 beforeEach(() => {
  vi.clearAllMocks();
  cleanup();
  setAuth({ authRequired: true, admin: true });
  vi.mocked(client.getAuditEvents).mockResolvedValue({
    data: [],
    total: 0,
    page: 1,
    per_page: 200,
  } as never);
 });
 describe('SCEPAdminPage — admin gate', () => {
  it('renders an Admin access required banner for non-admin callers and skips the admin API', async () => {
    setAuth({ authRequired: true, admin: false });
    renderWithQuery(<SCEPAdminPage />);
    await waitFor(() => {
      expect(screen.getByRole('heading', { level: 2, name: /SCEP Intune Monitoring/ })).toBeInTheDocument();
    });
    expect(client.getAdminSCEPIntuneStats).not.toHaveBeenCalled();
    expect(screen.getByText(/Admin access required/i)).toBeInTheDocument();
  });
  it('lets admin callers through and fetches stats', async () => {
    vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
      profiles: [baseEnabledProfile],
      profile_count: 1,
      generated_at: '2026-04-29T15:00:00Z',
    } as never);
    renderWithQuery(<SCEPAdminPage />);
    expect(await screen.findByTestId('profile-card-corp')).toBeInTheDocument();
    expect(client.getAdminSCEPIntuneStats).toHaveBeenCalled();
  });
  it('keeps the page accessible when authRequired=false (no-auth dev mode)', async () => {
    setAuth({ authRequired: false, admin: false });
    vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
      profiles: [],
      profile_count: 0,
      generated_at: '2026-04-29T15:00:00Z',
    } as never);
    renderWithQuery(<SCEPAdminPage />);
    await waitFor(() => {
      expect(client.getAdminSCEPIntuneStats).toHaveBeenCalledTimes(1);
    });
  });
 });
 describe('SCEPAdminPage — profile rendering', () => {
  it('renders enabled profile counters with the expected labels and tone', async () => {
    vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
      profiles: [baseEnabledProfile],
      profile_count: 1,
      generated_at: '2026-04-29T15:00:00Z',
    } as never);
    renderWithQuery(<SCEPAdminPage />);
    await waitFor(() => {
      expect(screen.getByTestId('counter-corp-success')).toHaveTextContent('42');
    });
    expect(screen.getByTestId('counter-corp-replay')).toHaveTextContent('2');
    expect(screen.getByTestId('counter-corp-claim_mismatch')).toHaveTextContent('3');
    // Expiry badge is "good" tone for >= 30 days remaining.
    const badge = screen.getByTestId('expiry-badge-corp');
    expect(badge).toHaveTextContent('250d');
  });
  it('renders an expiry badge with EXPIRED text and bad tone when an anchor is past NotAfter', async () => {
    vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
      profiles: [
        {
          ...baseEnabledProfile,
          trust_anchors: [
            { subject: 'expired-conn', not_before: '2024-01-01T00:00:00Z', not_after: '2025-01-01T00:00:00Z', days_to_expiry: 0, expired: true },
          ],
        },
      ],
      profile_count: 1,
      generated_at: '2026-04-29T15:00:00Z',
    } as never);
    renderWithQuery(<SCEPAdminPage />);
    await waitFor(() => {
      expect(screen.getByTestId('expiry-badge-corp')).toHaveTextContent(/EXPIRED/);
    });
  });
  it('renders the off-state pill for disabled profiles instead of the counter grid', async () => {
    vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
      profiles: [disabledProfile],
      profile_count: 1,
      generated_at: '2026-04-29T15:00:00Z',
    } as never);
    renderWithQuery(<SCEPAdminPage />);
    await waitFor(() => {
      expect(screen.getByTestId('profile-card-iot')).toBeInTheDocument();
    });
    expect(screen.getByText(/Intune disabled/)).toBeInTheDocument();
    // Counter grid should NOT render for disabled profiles.
    expect(screen.queryByTestId('counter-iot-success')).toBeNull();
  });
  it('renders an empty-state banner when no profiles are configured', async () => {
    vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
      profiles: [],
      profile_count: 0,
      generated_at: '2026-04-29T15:00:00Z',
    } as never);
    renderWithQuery(<SCEPAdminPage />);
    await waitFor(() => {
      expect(screen.getByText(/No SCEP profiles are configured/)).toBeInTheDocument();
    });
  });
 });
 describe('SCEPAdminPage — reload-trust modal', () => {
  it('opens the confirmation modal when the Reload trust button is clicked', async () => {
    vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
      profiles: [baseEnabledProfile],
      profile_count: 1,
      generated_at: '2026-04-29T15:00:00Z',
    } as never);
    renderWithQuery(<SCEPAdminPage />);
    await waitFor(() => {
      expect(screen.getByTestId('reload-button-corp')).toBeInTheDocument();
    });
    fireEvent.click(screen.getByTestId('reload-button-corp'));
    expect(await screen.findByRole('dialog')).toBeInTheDocument();
    expect(screen.getByText(/Reload Intune trust anchor/i)).toBeInTheDocument();
  });
  it('calls reloadAdminSCEPIntuneTrust on Confirm and closes the modal on success', async () => {
    vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
      profiles: [baseEnabledProfile],
      profile_count: 1,
      generated_at: '2026-04-29T15:00:00Z',
    } as never);
    vi.mocked(client.reloadAdminSCEPIntuneTrust).mockResolvedValue({
      reloaded: true,
      path_id: 'corp',
      reloaded_at: '2026-04-29T15:01:00Z',
    } as never);
    renderWithQuery(<SCEPAdminPage />);
    await waitFor(() => {
      expect(screen.getByTestId('reload-button-corp')).toBeInTheDocument();
    });
    fireEvent.click(screen.getByTestId('reload-button-corp'));
    fireEvent.click(await screen.findByRole('button', { name: /Reload trust anchor/i }));
    await waitFor(() => {
      expect(client.reloadAdminSCEPIntuneTrust).toHaveBeenCalledWith('corp');
    });
    await waitFor(() => {
      expect(screen.queryByRole('dialog')).toBeNull();
    });
  });
  it('keeps the modal open and shows the error message when reload fails', async () => {
    vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
      profiles: [baseEnabledProfile],
      profile_count: 1,
      generated_at: '2026-04-29T15:00:00Z',
    } as never);
    vi.mocked(client.reloadAdminSCEPIntuneTrust).mockRejectedValue(new Error('trust anchor cert expired'));
    renderWithQuery(<SCEPAdminPage />);
    await waitFor(() => {
      expect(screen.getByTestId('reload-button-corp')).toBeInTheDocument();
    });
    fireEvent.click(screen.getByTestId('reload-button-corp'));
    fireEvent.click(await screen.findByRole('button', { name: /Reload trust anchor/i }));
    await waitFor(() => {
      expect(screen.getByText(/trust anchor cert expired/)).toBeInTheDocument();
    });
    // Modal stays open so the operator can read the error and retry.
    expect(screen.getByRole('dialog')).toBeInTheDocument();
  });
  it('Cancel closes the modal without calling the reload mutation', async () => {
    vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
      profiles: [baseEnabledProfile],
      profile_count: 1,
      generated_at: '2026-04-29T15:00:00Z',
    } as never);
    renderWithQuery(<SCEPAdminPage />);
    await waitFor(() => {
      expect(screen.getByTestId('reload-button-corp')).toBeInTheDocument();
    });
    fireEvent.click(screen.getByTestId('reload-button-corp'));
    fireEvent.click(await screen.findByRole('button', { name: /Cancel/i }));
    await waitFor(() => {
      expect(screen.queryByRole('dialog')).toBeNull();
    });
    expect(client.reloadAdminSCEPIntuneTrust).not.toHaveBeenCalled();
  });
 });
 describe('SCEPAdminPage — error + audit-log surface', () => {
  it('surfaces ErrorState when the stats query fails', async () => {
    vi.mocked(client.getAdminSCEPIntuneStats).mockRejectedValue(new Error('boom'));
    renderWithQuery(<SCEPAdminPage />);
    await waitFor(() => {
      expect(screen.getByText(/Failed to load data/i)).toBeInTheDocument();
    });
  });
  it('merges PKCSReq + RenewalReq audit events and sorts by timestamp descending', async () => {
    vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
      profiles: [baseEnabledProfile],
      profile_count: 1,
      generated_at: '2026-04-29T15:00:00Z',
    } as never);
    vi.mocked(client.getAuditEvents).mockImplementation((params: Record<string, string> = {}) => {
      if (params.action === 'scep_pkcsreq_intune') {
        return Promise.resolve({
          data: [
            { id: 'ae-pkcs-1', action: 'scep_pkcsreq_intune', actor: 'scep-client', actor_type: 'system', resource_type: 'certificate', resource_id: 'cert-1', details: {}, timestamp: '2026-04-29T14:00:00Z' },
          ],
          total: 1, page: 1, per_page: 200,
        } as never);
      }
      return Promise.resolve({
        data: [
          { id: 'ae-renew-1', action: 'scep_renewalreq_intune', actor: 'scep-client', actor_type: 'system', resource_type: 'certificate', resource_id: 'cert-2', details: {}, timestamp: '2026-04-29T14:30:00Z' },
        ],
        total: 1, page: 1, per_page: 200,
      } as never);
    });
    renderWithQuery(<SCEPAdminPage />);
    await waitFor(() => {
      expect(screen.getByTestId('recent-failures-table')).toBeInTheDocument();
    });
    const rows = screen.getByTestId('recent-failures-table').querySelectorAll('tbody tr');
    expect(rows.length).toBe(2);
    // Sorted descending by timestamp — renewal (14:30) comes before pkcs (14:00).
    expect(rows[0].textContent).toContain('scep_renewalreq_intune');
    expect(rows[1].textContent).toContain('scep_pkcsreq_intune');
  });
 });
@@ -0,0 +1,462 @@
 import { useState } from 'react';
 import { useQuery } from '@tanstack/react-query';
 import { getAdminSCEPIntuneStats, reloadAdminSCEPIntuneTrust, getAuditEvents } from '../api/client';
 import PageHeader from '../components/PageHeader';
 import ErrorState from '../components/ErrorState';
 import { useAuth } from '../components/AuthProvider';
 import { useTrackedMutation } from '../hooks/useTrackedMutation';
 import { formatDateTime } from '../api/utils';
 import type { IntuneStatsSnapshot, IntuneTrustAnchorInfo, AuditEvent } from '../api/types';
 // SCEP RFC 8894 + Intune master bundle Phase 9.4: per-profile Intune
 // Monitoring tab.
 //
 // Surfaces:
 //   - Status banner per profile (trust anchor expiry countdown, rotates
 //     when < 30 days; the soonest-to-expire anchor wins).
 //   - Live counters table per profile (success / signature_invalid /
 //     claim_mismatch / expired / wrong_audience / replay / rate_limited /
 //     malformed / compliance_failed / not_yet_valid / unknown_version).
 //     Polled every 30s via TanStack Query.
 //   - Recent failures table (last 50) populated from the audit log
 //     filtered to action=scep_pkcsreq_intune (and the renewal sibling).
 //   - Trust anchor reload button (per-profile) with confirmation modal;
 //     calls POST /api/v1/admin/scep/intune/reload-trust under the hood
 //     (the SIGHUP-equivalent path).
 //
 // Admin-gated: the page itself renders an "Admin access required" banner
 // for non-admin callers and never issues the underlying admin requests.
 // Server-side enforcement is the M-008 admin gate; this is a UX hint.
 const COUNTER_LABEL_ORDER = [
  'success',
  'signature_invalid',
  'expired',
  'not_yet_valid',
  'wrong_audience',
  'replay',
  'rate_limited',
  'claim_mismatch',
  'compliance_failed',
  'malformed',
  'unknown_version',
 ] as const;
 const COUNTER_PRESENTATION: Record<string, { label: string; tone: 'good' | 'warn' | 'bad' }> = {
  success: { label: 'Success', tone: 'good' },
  signature_invalid: { label: 'Signature invalid', tone: 'bad' },
  expired: { label: 'Expired', tone: 'warn' },
  not_yet_valid: { label: 'Not yet valid', tone: 'warn' },
  wrong_audience: { label: 'Wrong audience', tone: 'bad' },
  replay: { label: 'Replay', tone: 'bad' },
  rate_limited: { label: 'Rate-limited', tone: 'warn' },
  claim_mismatch: { label: 'Claim mismatch', tone: 'bad' },
  compliance_failed: { label: 'Compliance failed', tone: 'warn' },
  malformed: { label: 'Malformed', tone: 'bad' },
  unknown_version: { label: 'Unknown version', tone: 'warn' },
 };
 const TONE_CLASS: Record<'good' | 'warn' | 'bad', string> = {
  good: 'text-emerald-600',
  warn: 'text-amber-600',
  bad: 'text-red-600',
 };
 // soonestExpiryDays returns the smallest days_to_expiry across the
 // profile's trust anchor pool. Returns null when the pool is empty (the
 // per-profile preflight should have refused this state at boot, but
 // defensive in case the holder is reloaded mid-flight to an empty file).
 function soonestExpiryDays(anchors?: IntuneTrustAnchorInfo[]): number | null {
  if (!anchors || anchors.length === 0) return null;
  let min = Number.POSITIVE_INFINITY;
  for (const a of anchors) {
    if (a.expired) return -1; // any expired wins
    if (a.days_to_expiry < min) min = a.days_to_expiry;
  }
  return min === Number.POSITIVE_INFINITY ? null : min;
 }
 function expiryBadge(days: number | null): { text: string; tone: 'good' | 'warn' | 'bad' } {
  if (days === null) return { text: 'No trust anchors', tone: 'warn' };
  if (days < 0) return { text: 'EXPIRED', tone: 'bad' };
  if (days < 7) return { text: `${days}d remaining`, tone: 'bad' };
  if (days < 30) return { text: `${days}d remaining (rotate soon)`, tone: 'warn' };
  return { text: `${days}d remaining`, tone: 'good' };
 }
 interface ConfirmReloadModalProps {
  profile: IntuneStatsSnapshot;
  onCancel: () => void;
  onConfirm: () => void;
  pending: boolean;
  errorMessage?: string;
 }
 function ConfirmReloadModal({ profile, onCancel, onConfirm, pending, errorMessage }: ConfirmReloadModalProps) {
  const pathLabel = profile.path_id || '(legacy /scep root)';
  return (
    <div
      role="dialog"
      aria-labelledby="reload-trust-title"
      aria-modal="true"
      className="fixed inset-0 z-50 flex items-center justify-center bg-black/40"
    >
      <div className="bg-surface w-full max-w-md rounded-lg shadow-xl border border-surface-border p-6">
        <h3 id="reload-trust-title" className="text-base font-semibold text-ink mb-2">
          Reload Intune trust anchor
        </h3>
        <p className="text-sm text-ink-muted mb-4">
          This re-reads <code className="text-xs">{profile.trust_anchor_path}</code> from disk and atomically
          swaps the trust pool for SCEP profile <strong>{pathLabel}</strong>. Equivalent to sending
          <code className="text-xs"> SIGHUP </code> to the server. If the new file fails to parse, the
          previous trust pool stays in place — enrollments keep working off the old trust anchor while you
          fix the file.
        </p>
        {errorMessage && (
          <div className="mb-3 rounded border border-red-300 bg-red-50 p-3 text-xs text-red-800">
            {errorMessage}
          </div>
        )}
        <div className="flex justify-end gap-2">
          <button
            type="button"
            onClick={onCancel}
            disabled={pending}
            className="px-3 py-1.5 text-sm rounded border border-surface-border bg-surface hover:bg-surface-alt"
          >
            Cancel
          </button>
          <button
            type="button"
            onClick={onConfirm}
            disabled={pending}
            className="px-3 py-1.5 text-sm rounded bg-brand-500 text-white hover:bg-brand-600 disabled:opacity-50"
          >
            {pending ? 'Reloading…' : 'Reload trust anchor'}
          </button>
        </div>
      </div>
    </div>
  );
 }
 interface ProfileCardProps {
  profile: IntuneStatsSnapshot;
  onRequestReload: (profile: IntuneStatsSnapshot) => void;
 }
 function ProfileCard({ profile, onRequestReload }: ProfileCardProps) {
  const pathLabel = profile.path_id || '(legacy /scep root)';
  if (!profile.enabled) {
    return (
      <section className="bg-surface border border-surface-border rounded-lg p-5 mb-4" data-testid={`profile-card-${profile.path_id}`}>
        <header className="flex items-center justify-between mb-3">
          <div>
            <h3 className="text-base font-semibold text-ink">{pathLabel}</h3>
            <p className="text-xs text-ink-muted">Issuer: {profile.issuer_id}</p>
          </div>
          <span className="text-xs px-2 py-0.5 rounded-full bg-surface-alt text-ink-muted">
            Intune disabled
          </span>
        </header>
        <p className="text-sm text-ink-muted">
          This profile honors only the static challenge password. To enable Intune dispatch, set
          <code className="mx-1">CERTCTL_SCEP_PROFILE_{(profile.path_id || 'DEFAULT').toUpperCase()}_INTUNE_ENABLED=true</code>
          plus the matching trust-anchor path env var, then restart the server.
        </p>
      </section>
    );
  }
  const days = soonestExpiryDays(profile.trust_anchors);
  const badge = expiryBadge(days);
  return (
    <section className="bg-surface border border-surface-border rounded-lg p-5 mb-4" data-testid={`profile-card-${profile.path_id}`}>
      <header className="flex items-center justify-between mb-3">
        <div>
          <h3 className="text-base font-semibold text-ink">{pathLabel}</h3>
          <p className="text-xs text-ink-muted">
            Issuer: {profile.issuer_id}
            {profile.audience && <> · Audience: <code>{profile.audience}</code></>}
          </p>
        </div>
        <div className="flex items-center gap-3">
          <span
            className={`text-xs px-2 py-0.5 rounded-full font-medium ${
              badge.tone === 'good'
                ? 'bg-emerald-100 text-emerald-800'
                : badge.tone === 'warn'
                  ? 'bg-amber-100 text-amber-800'
                  : 'bg-red-100 text-red-800'
            }`}
            data-testid={`expiry-badge-${profile.path_id}`}
          >
            Trust anchor: {badge.text}
          </span>
          <button
            type="button"
            onClick={() => onRequestReload(profile)}
            className="text-xs px-2 py-1 rounded border border-surface-border bg-surface hover:bg-surface-alt"
            data-testid={`reload-button-${profile.path_id}`}
          >
            Reload trust
          </button>
        </div>
      </header>
      <div className="grid grid-cols-2 md:grid-cols-4 gap-3 mb-4">
        {COUNTER_LABEL_ORDER.map(label => {
          const value = profile.counters?.[label] ?? 0;
          const presentation = COUNTER_PRESENTATION[label];
          return (
            <div key={label} className="border border-surface-border rounded p-2">
              <div className={`text-lg font-semibold ${TONE_CLASS[presentation.tone]}`} data-testid={`counter-${profile.path_id}-${label}`}>
                {value}
              </div>
              <div className="text-[11px] text-ink-muted uppercase tracking-wide">{presentation.label}</div>
            </div>
          );
        })}
      </div>
      <dl className="grid grid-cols-1 sm:grid-cols-3 gap-3 text-xs text-ink-muted">
        <div>
          <dt className="font-semibold text-ink">Replay cache size</dt>
          <dd>{profile.replay_cache_size}</dd>
        </div>
        <div>
          <dt className="font-semibold text-ink">Per-device rate limit</dt>
          <dd>{profile.rate_limit_disabled ? 'Disabled' : 'Active'}</dd>
        </div>
        <div>
          <dt className="font-semibold text-ink">Trust anchors</dt>
          <dd>{profile.trust_anchors?.length ?? 0}</dd>
        </div>
      </dl>
      {profile.trust_anchors && profile.trust_anchors.length > 0 && (
        <details className="mt-3 text-xs text-ink-muted">
          <summary className="cursor-pointer font-semibold text-ink">Trust anchor details</summary>
          <table className="mt-2 w-full text-left">
            <thead>
              <tr className="text-[11px] text-ink-muted uppercase">
                <th className="py-1 pr-2">Subject</th>
                <th className="py-1 pr-2">Not after</th>
                <th className="py-1">Days to expiry</th>
              </tr>
            </thead>
            <tbody>
              {profile.trust_anchors.map(a => (
                <tr key={`${profile.path_id}-${a.subject}-${a.not_after}`} className="border-t border-surface-border">
                  <td className="py-1 pr-2 font-mono">{a.subject || '(empty CN)'}</td>
                  <td className="py-1 pr-2">{formatDateTime(a.not_after)}</td>
                  <td className={`py-1 ${a.expired ? 'text-red-600 font-semibold' : ''}`}>
                    {a.expired ? 'EXPIRED' : a.days_to_expiry}
                  </td>
                </tr>
              ))}
            </tbody>
          </table>
        </details>
      )}
    </section>
  );
 }
 function RecentFailuresTable({ events }: { events: AuditEvent[] }) {
  if (events.length === 0) {
    return (
      <p className="text-sm text-ink-muted px-4 py-6">
        No recent Intune-dispatched enrollment events. Counters stay at zero until the first device hits a SCEP profile with Intune enabled.
      </p>
    );
  }
  return (
    <table className="w-full text-sm" data-testid="recent-failures-table">
      <thead className="text-xs text-ink-muted uppercase tracking-wide">
        <tr>
          <th className="py-2 pl-4 pr-2 text-left">Timestamp</th>
          <th className="py-2 pr-2 text-left">Action</th>
          <th className="py-2 pr-2 text-left">Resource</th>
          <th className="py-2 pr-4 text-left">Details</th>
        </tr>
      </thead>
      <tbody>
        {events.map(e => (
          <tr key={e.id} className="border-t border-surface-border">
            <td className="py-2 pl-4 pr-2 font-mono text-xs">{formatDateTime(e.timestamp)}</td>
            <td className="py-2 pr-2">{e.action}</td>
            <td className="py-2 pr-2">{e.resource_type} · <code className="text-xs">{e.resource_id}</code></td>
            <td className="py-2 pr-4 text-xs text-ink-muted">
              {e.details ? Object.entries(e.details).map(([k, v]) => `${k}=${typeof v === 'object' ? JSON.stringify(v) : String(v)}`).join(' · ') : '-'}
            </td>
          </tr>
        ))}
      </tbody>
    </table>
  );
 }
 export default function SCEPAdminPage() {
  const auth = useAuth();
  const [reloadTarget, setReloadTarget] = useState<IntuneStatsSnapshot | null>(null);
  const [reloadError, setReloadError] = useState<string | undefined>(undefined);
  const statsQuery = useQuery({
    queryKey: ['admin', 'scep', 'intune', 'stats'],
    queryFn: getAdminSCEPIntuneStats,
    enabled: !auth.authRequired || auth.admin, // skip the request entirely when non-admin
    refetchInterval: 30_000,
  });
  // Audit-log filter: every Intune-dispatched enrollment (success + failure)
  // emits action=scep_pkcsreq_intune (initial) or scep_renewalreq_intune
  // (renewal). The audit endpoint accepts a single action filter; we fetch
  // both server-side via two queries and merge client-side rather than
  // adding a comma-separated filter that would require backend changes.
  const auditPKCSQuery = useQuery({
    queryKey: ['audit', { action: 'scep_pkcsreq_intune' }],
    queryFn: () => getAuditEvents({ action: 'scep_pkcsreq_intune' }),
    enabled: !auth.authRequired || auth.admin,
    refetchInterval: 60_000,
  });
  const auditRenewalQuery = useQuery({
    queryKey: ['audit', { action: 'scep_renewalreq_intune' }],
    queryFn: () => getAuditEvents({ action: 'scep_renewalreq_intune' }),
    enabled: !auth.authRequired || auth.admin,
    refetchInterval: 60_000,
  });
  // Bundle-8 / M-009 invalidation contract: trust-anchor reload changes
  // both the per-profile trust pool (reflected in IntuneStats) AND every
  // recently-failed Intune enrollment counter that might now succeed on
  // retry. We invalidate the stats key so the per-profile trust-anchor
  // panel reflects the new pool immediately; the audit log queries
  // remain on their 60s timer (a SIGHUP-equivalent reload doesn't
  // backfill new audit rows).
  const reloadMutation = useTrackedMutation<
    Awaited<ReturnType<typeof reloadAdminSCEPIntuneTrust>>,
    Error,
    string
  >({
    mutationFn: (pathID: string) => reloadAdminSCEPIntuneTrust(pathID),
    invalidates: [['admin', 'scep', 'intune', 'stats']],
    onSuccess: () => {
      setReloadTarget(null);
      setReloadError(undefined);
    },
    onError: (err: Error) => {
      setReloadError(err.message);
    },
  });
  if (auth.authRequired && !auth.admin) {
    return (
      <>
        <PageHeader title="SCEP Intune Monitoring" subtitle="Admin-only observability surface" />
        <div className="p-6">
          <ErrorState
            error={new Error('Admin access required: this page exposes per-profile trust anchor expiries and an admin-only reload action. Sign in with an admin-tagged API key to view it.')}
          />
        </div>
      </>
    );
  }
  if (statsQuery.isLoading) {
    return (
      <>
        <PageHeader title="SCEP Intune Monitoring" subtitle="Per-profile dispatcher state" />
        <div className="p-6 text-sm text-ink-muted">Loading per-profile stats…</div>
      </>
    );
  }
  if (statsQuery.error) {
    return (
      <>
        <PageHeader title="SCEP Intune Monitoring" subtitle="Per-profile dispatcher state" />
        <div className="p-6">
          <ErrorState error={statsQuery.error as Error} onRetry={() => statsQuery.refetch()} />
        </div>
      </>
    );
  }
  const profiles = statsQuery.data?.profiles ?? [];
  const events: AuditEvent[] = [
    ...(auditPKCSQuery.data?.data ?? []),
    ...(auditRenewalQuery.data?.data ?? []),
  ]
    .sort((a, b) => b.timestamp.localeCompare(a.timestamp))
    .slice(0, 50);
  return (
    <>
      <PageHeader
        title="SCEP Intune Monitoring"
        subtitle={`${profiles.length} SCEP profile${profiles.length === 1 ? '' : 's'} configured · counters auto-refresh every 30s`}
        action={
          <button
            type="button"
            onClick={() => statsQuery.refetch()}
            className="text-xs px-3 py-1.5 rounded border border-surface-border bg-surface hover:bg-surface-alt"
            data-testid="refresh-stats-button"
          >
            Refresh now
          </button>
        }
      />
      <div className="p-6 overflow-y-auto">
        {profiles.length === 0 && (
          <div className="rounded border border-amber-300 bg-amber-50 p-4 text-sm text-amber-900 mb-4">
            No SCEP profiles are configured. Set <code>CERTCTL_SCEP_ENABLED=true</code> and either the
            legacy single-profile env vars or <code>CERTCTL_SCEP_PROFILES=...</code> with the indexed
            per-profile family to register at least one endpoint.
          </div>
        )}
        {profiles.map(p => (
          <ProfileCard
            key={p.path_id || '(root)'}
            profile={p}
            onRequestReload={profile => {
              setReloadError(undefined);
              setReloadTarget(profile);
            }}
          />
        ))}
        <section className="bg-surface border border-surface-border rounded-lg mt-6">
          <div className="px-4 py-3 border-b border-surface-border">
            <h3 className="text-sm font-semibold text-ink">
              Recent Intune-dispatched enrollments (last 50)
            </h3>
            <p className="text-xs text-ink-muted">
              Filtered to <code>action=scep_pkcsreq_intune</code> + <code>action=scep_renewalreq_intune</code>.
              Refreshes every 60s.
            </p>
          </div>
          {auditPKCSQuery.isLoading || auditRenewalQuery.isLoading ? (
            <p className="text-sm text-ink-muted px-4 py-6">Loading audit log…</p>
          ) : (
            <RecentFailuresTable events={events} />
          )}
        </section>
      </div>
      {reloadTarget && (
        <ConfirmReloadModal
          profile={reloadTarget}
          onCancel={() => {
            setReloadTarget(null);
            setReloadError(undefined);
          }}
          onConfirm={() => reloadMutation.mutate(reloadTarget.path_id)}
          pending={reloadMutation.isPending}
          errorMessage={reloadError}
        />
      )}
    </>
  );
 }