docs(readme): audit pass — fix 7 stale/inaccurate claims

Each claim ground-truthed against the live repo, not memory. Numeric drift (claims rotted since they were written): - Screenshot caption 'Catalog with 10 CA types' → 12 (matches internal/connector/issuerfactory/factory.go enumeration). - '33-permission canonical catalogue' → dropped the number. 33 was the base in migration 000029; across all 45 migrations 82 unique perms are seeded (+5 admin / +7 OIDC / +2 break-glass / +33 audit-CRIT-1 / +2 user). 'Fine-grained permission catalogue' is monotonic prose. - 'PostgreSQL 16 backend (35+ tables, idempotent migrations)' → '…backend with idempotent migrations'. Actual table count is 49 across 45 migrations; bare 'idempotent migrations' is drift-proof. - Demo overlay seeds '32 certificates across 10 issuers, 8 agents, 180 days' → '180 days of realistic history across 13 issuers, 8 agents, managed + discovered certs, jobs, deploys, audit, and notification events'. seed_demo.sql actually seeds 14 managed certs + 16 cert versions + 12 discovered, 13 issuers (not 10), 8 agents ✓, 23 INTERVAL '180 days' refs ✓. - 'golangci-lint (11 linters)' → '(govet + staticcheck + contextcheck + unused)'. .golangci.yml lists exactly 4 active linters; 6 others are commented-out 'temporarily disabled' so neither 4 nor 10 explains 11. Broken Helm one-liner (silently no-ops because --set against a nonexistent path doesn't error): - '--set server.apiKey=…' → 'server.auth.apiKey' (deploy/helm/certctl/values.yaml:147 + templates/server- secret.yaml:16). - '--set postgres.password=…' → 'postgresql.password' (top-level key is 'postgresql', not 'postgres'; password sits at postgresql.password per values.yaml:315). Verified accurate (no change): - 12 issuers / 15 targets / 6 notifiers (factory + dir listings). - 7 default roles seeded in migration 000029. - Coverage thresholds (service 70 / handler 75 / crypto 88 / auth packages 85-95) against .github/coverage-thresholds.yml. - All 6 OIDC runbooks present (auth0 / authentik / azure-ad / google-workspace / keycloak / okta). - 4 referenced screenshots all exist on disk. - 8 agents in demo seed, 180 days of history. - RFC 9700 §4.7.1 / 9207 / 8555 / 9773 / 8894 / 9266 / 5280 / 6960 citations match source. - ChromeOS in SCEP description matches source. - install-agent.sh uses uname for OS / arch detection + systemd (Linux) / launchd (macOS).
docs(readme): split Status block into two blockquotes for breathing room
2026-06-09 21:18:53 +00:00 · 2026-05-11 17:29:18 +00:00 · 2026-05-11 17:09:20 +00:00 · 2026-05-11 17:08:21 +00:00 · 2026-05-11 16:54:07 +00:00 · 2026-05-11 16:11:33 +00:00
299 changed files with 54183 additions and 1159 deletions
@@ -30,14 +30,18 @@ CERTCTL_SERVER_PORT=8443
 CERTCTL_LOG_LEVEL=info
 CERTCTL_LOG_FORMAT=json
-# Auth type: "api-key" (production) or "none" (demo/development).
+# Auth type: "api-key" (production), "none" (demo/development), or
-# For JWT/OIDC, run an authenticating gateway in front of certctl
+# "oidc" (Auth Bundle 2 - native OIDC SSO via coreos/go-oidc/v3, ships
-# (oauth2-proxy / Envoy ext_authz / Traefik ForwardAuth / Pomerium) and
+# in Bundle 2 phases 5+6; setting CERTCTL_AUTH_TYPE=oidc on a build
-# set CERTCTL_AUTH_TYPE=none on the upstream — see
+# without Bundle 2 wired triggers a clear refuse-to-start error rather
-# docs/architecture.md "Authenticating-gateway pattern". G-1 removed
+# than a silent fallback to api-key). For JWT / SAML / LDAP, continue to
-# the in-process "jwt" option (no JWT middleware shipped — silent auth
+# run an authenticating gateway in front of certctl (oauth2-proxy /
-# downgrade); see docs/upgrade-to-v2-jwt-removal.md if you previously
+# Envoy ext_authz / Traefik ForwardAuth / Pomerium) and set
-# set CERTCTL_AUTH_TYPE=jwt.
+# CERTCTL_AUTH_TYPE=none on the upstream - see docs/architecture.md
 # "Authenticating-gateway pattern". G-1 removed the in-process "jwt"
 # option (no JWT middleware shipped - silent auth downgrade); see
 # docs/upgrade-to-v2-jwt-removal.md if you previously set
 # CERTCTL_AUTH_TYPE=jwt.
 CERTCTL_AUTH_TYPE=none
 # Required when CERTCTL_AUTH_TYPE is "api-key".
 # Generate with: openssl rand -base64 32
@@ -76,3 +76,154 @@ internal/mcp:
    Bundle K / Coverage-Audit C-002 — MCP per-tool dispatch via
    in-memory transport lifts package from 28.0% to 93.1% (per-
    package run). Floor at 85.
 internal/auth:
  floor: 85
  why: |
    Bundle 1 Phase 12 — RBAC primitive coverage gate.
    internal/auth ships keystore + middleware + RequirePermission +
    bootstrap + the Phase-3 context keys + the protocol-endpoint
    allowlist. Negative-test coverage (no actor → 401, no role →
    403, wrong scope → 403, bootstrap-token-wrong → 401, bootstrap-
    used-twice → 410, admin-already-exists → 410, zero-length token
    rejection) is now in place. Prescribed Bundle 1 target was 90;
    held at 85 to absorb the per-file-average dip from the
    middleware shim files (testfixtures.go) which CI runs but only
    test fixtures exercise. Sub-package internal/auth/bootstrap
    inherits this floor.
 internal/service/auth:
  floor: 85
  why: |
    Bundle 1 Phase 12 — RBAC service-layer coverage gate.
    PermissionService + RoleService + ActorRoleService + Authorizer
    each have positive + negative tests covering the
    privilege-escalation guard (auth.role.assign required for
    Grant/Revoke), the reserved-actor invariant (actor-demo-anon
    cannot be mutated), the canonical-permission validation, the
    role-in-use guard on Delete, and every sentinel-error path
    (ErrUnauthenticated / ErrForbidden / ErrSelfRoleAssignment /
    ErrAuthReservedActor / ErrAuthUnknownPermission /
    ErrAuthRoleInUse).
 internal/auth/oidc:
  floor: 90
  why: |
    Bundle 2 Phase 3 — OIDC service coverage gate. Phase 3 spec
    pins the floor at 90 explicitly because every fail-closed
    branch is load-bearing for the security posture: alg pinning
    (deny-list HS*/none + allow-list RS*/ES*/EdDSA), audience
    re-check, azp enforcement on multi-aud tokens, at_hash
    REQUIRED-when-access-token-present (Phase 3 lifts the OIDC
    core "MAY" to a service-level "MUST"), iat-window window,
    nonce constant-time-compare, single-use state replay defense,
    PKCE-S256 mandatory, IdP downgrade-attack defense at
    provider-load + RefreshKeys time, JWKS-fail-closed semantics,
    group-claim resolution + userinfo-fallback fail-closed
    semantics, token-leak hygiene. A regression in any one of
    these branches is a security incident; the floor catches it
    before the commit lands. The mock-IdP fixture in
    service_test.go is the load-bearing harness.
 internal/auth/oidc/groupclaim:
  floor: 95
  why: |
    Bundle 2 Phase 3 — group-claim resolver. Hand-rolled (no
    JSON-path dep per Decision 10); ~150 LOC, every branch
    exercised by 19 unit tests covering the documented IdP shapes
    (Okta string array, Keycloak realm_access.roles, Auth0
    namespaced URL claim, single-string normalization,
    deeply-nested 3-segment walks) plus every fail-closed branch
    (empty path, missing key, missing nested key, non-object
    intermediate, bool/number/object/nil values, array with
    non-string element, URL-shape with dots-in-path treated as
    literal). Resolver should be at 100%; floor at 95 leaves a
    1-statement margin for future error-message refactors.
 internal/auth/oidc/domain:
  floor: 90
  why: |
    Bundle 2 Phase 1 — OIDCProvider + GroupRoleMapping domain.
    Validation-heavy package; constructors + Validate methods
    cover all canonical IdP shapes (Okta / Azure AD / Google
    Workspace / Keycloak / Authentik / Auth0). Floor at 90 to
    catch any future field that ships without a validator.
 internal/auth/session:
  floor: 90
  why: |
    Bundle 2 Phase 4 — session lifecycle service. Phase 4 spec
    pins the floor at 90 because every fail-closed branch carries
    a security invariant: HMAC-SHA256 cookie signing with a
    LENGTH-PREFIXED canonical input (defeats the
    `<a, bc>`-vs-`<ab, c>` concatenation collision attack on the
    bare-concat form), v1. version-prefix lock, idle expiry,
    absolute expiry, revocation, retired-but-in-retention key
    success path, retired-past-retention failure path, CSRF
    constant-time compare against the SHA-256-hashed copy on the
    session row, optional IP/UA-bind defense-in-depth gates,
    fail-fatal initial-key bootstrap. A regression in any one of
    these branches is a security incident; the floor catches it
    before the commit lands. The 15-case negative-test matrix in
    service_test.go is the load-bearing harness; the in-memory
    stubs of SessionRepo + SigningKeyRepo + AuditRecorder let the
    state machine be exercised without the postgres testcontainer
    overhead (which Phase 2's integration tests already cover).
 internal/auth/session/domain:
  floor: 90
  why: |
    Bundle 2 Phase 1 — Session + SessionSigningKey domain. Both
    types ship Validate() with full invariant coverage: ID prefix
    enforcement (ses-/sk-), expiry-order CHECK (absolute > idle >
    created), CSRFTokenHash format pin (64 lowercase hex chars),
    KeyMaterialEncrypted non-empty, retired-before-created
    rejection, TenantID defaulting. Cookie naming constants are
    pinned by TestCookieNamingConstants because the GUI's
    web/src/api/client.ts will read `certctl_csrf` by string.
    Floor at 90 to catch any future field that ships without a
    validator.
 internal/auth/breakglass:
  floor: 90
  why: |
    Bundle 2 Phase 7.5 — break-glass admin service (Argon2id +
    lockout state machine + constant-time-via-verifyDummy). Phase
    13 Pre-merge audit: floor at 90 with no carve-out. Phase 7.5
    spec ships the package at 91.5%, validated by 8 mandated
    negatives + ~12 coverage-lift tests. Every fail-closed branch
    is load-bearing for the security surface (default-OFF posture
    only matters if every "disabled" path returns ErrDisabled
    BEFORE any DB lookup; constant-time defense only matters if
    every path goes through verifyDummy on the no-credential leg).
    A regression that drops a fail-closed branch's coverage below
    90 is a real security risk — gate trips, operator audits.
 internal/auth/breakglass/domain:
  floor: 90
  why: |
    Bundle 2 Phase 1 — BreakglassCredential domain. Argon2id PHC
    format pinned ($argon2id$ prefix), MinPasswordLengthBytes (12)
    + MaxPasswordLengthBytes (256) constants pinned by dedicated
    test, IsLocked(now) state machine helper. The package ships
    at 100% coverage; floor at 90 is the standing-room floor for
    any future field added without a validator.
 internal/auth/user/domain:
  floor: 90
  why: |
    Bundle 2 Phase 1 — User domain (federated-human identity).
    OIDCSubject + OIDCProviderID unique-index per the Phase 2
    schema, WebAuthnCredentials JSONB reserved for v3, Validate()
    enforces every on-disk invariant. The package ships at 96.4%
    coverage. Floor at 90 to catch any future field added without
    a validator.
    Phase 13 prompt explicitly enumerates internal/auth/user/ at
    floor 90. The parent (non-domain) directory has no Go source —
    the user upsert lives in internal/auth/oidc/service.go alongside
    group resolution + role mapping (cohesive sequence within the
    OIDC callback). Splitting upsertUser into a separate
    internal/auth/user/ service package would harm cohesion without
    adding test value; the domain layer's invariant coverage is
    where the floor actually applies.
@@ -19,7 +19,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: '1.25.9'
+          go-version: '1.25.10'
      - name: Go Build
        run: |
@@ -107,7 +107,7 @@ jobs:
      - name: Go Test with Coverage
        run: |
-          go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/crypto/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -cover -coverprofile=coverage.out
+          go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/api/router/... ./internal/auth/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/crypto/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -cover -coverprofile=coverage.out
      - name: Check Coverage Thresholds
        # ci-pipeline-cleanup Phase 2: per-package floors moved to
@@ -343,7 +343,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: '1.25.9'
+          go-version: '1.25.10'
          cache: true
      - name: Build f5-mock-icontrol sidecar
@@ -440,7 +440,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: '1.25.9'
+          go-version: '1.25.10'
          cache: true
      - name: Digest validity (every @sha256 ref must resolve)
@@ -60,7 +60,7 @@ jobs:
        uses: actions/setup-go@v5
        with:
          # Match ci.yml + release.yml + security-deep-scan.yml.
-          go-version: '1.25.9'
+          go-version: '1.25.10'
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
@@ -15,7 +15,7 @@ on:
 env:
  REGISTRY: ghcr.io
  # Keep in lock-step with .github/workflows/ci.yml (M-3).
-  GO_VERSION: '1.25.9'
+  GO_VERSION: '1.25.10'
  IMAGE_NAMESPACE: certctl-io
 jobs:
@@ -1,8 +1,727 @@
 # Changelog
-## v2.0.68 — Image registry path changed ⚠️
+## Unreleased
-> **Image registry path changed.** Starting this release, container images publish to `ghcr.io/certctl-io/certctl-server` and `ghcr.io/certctl-io/certctl-agent`. Existing pulls from `ghcr.io/shankar0123/certctl-{server,agent}:<tag>` continue to work for previously-published tags (the registry never deletes images), but the `:latest` tag at the old path stops moving forward at this release. Update your `docker pull` paths, `docker-compose.yml` `image:` keys, or Helm `image.repository` values to receive future updates. Old `git clone` / `git push` / install-script / API URLs continue to redirect forever — only the container-registry path changed.
+### Security
 - **Alg-downgrade defense relaxed for Keycloak-shape IdPs (v2.1.0 pre-tag fix).**
  Pre-fix, the IdP-bind alg-downgrade check at `internal/auth/oidc/service.go`
  refused to load any OIDC provider whose discovery doc advertised HS256 /
  HS384 / HS512 / `none` in `id_token_signing_alg_values_supported` —
  even if RS256 was ALSO advertised. This broke binding against
  Keycloak 26.x (and a handful of other real IdPs) which list every alg
  the codebase is capable of in their discovery doc, regardless of which
  one the realm actually signs with. The v2.1.0 Phase-10 live-IdP smoke
  surfaced the regression: 6 testcontainers-Keycloak integration tests
  failed with `oidc: IdP advertises weak signing algorithms (HS*/none); refusing to use as defense against downgrade attacks: HS256`.
  **Fix:** the check now refuses only when the intersection of advertised
  vs `DefaultAllowedAlgs` is EMPTY — an IdP advertising HS256 alongside
  RS256 binds successfully, but an IdP advertising HS-only / none-only
  still fails closed. The per-token alg pin at sig-verify time
  (`isDisallowedAlg`, service.go ~L1177) remains the load-bearing defense
  against the actual algorithm-confusion attack (forged HS256 token
  signed with the IdP's RS256 pubkey as HMAC secret) — go-oidc/v3's
  verifier rejects any token whose `alg` header isn't in the configured
  allow-list, regardless of what the discovery doc claims. Updates:
  `Service.getOrLoad` alg-check loop rewritten to compute intersection;
  `ErrIdPDowngradeAdvertised` docstring reflects new semantics;
  `TestDiscovery` dry-run validator surfaces HS*/none alongside RS* as
  an informational note (not a hard fail); `docs/operator/auth-threat-model.md`
  alg-allow-list section updated to call out the load-bearing-defense
  hierarchy. Tests: `TestService_IdPDowngradeDefense_RS256PlusHS256_BindsSuccessfully`
  (positive — Keycloak-shape) + `TestService_IdPDowngradeDefense_RejectsHSOnlyAdvertised`
  (negative — pathological intersection-empty case) +
  `TestService_RefreshKeys_CatchesPostLoadDowngrade` updated to assert
  intersection-empty post-rotation; `TestTestDiscovery_AlgDowngrade_HS256AlongsideRS256_BindsWithNote`
  + `TestTestDiscovery_AlgDowngrade_HSOnly_StillTrips_HardFail` pin the
  dry-run validator's new behavior.
 ### Tests
 - **Vitest coverage for the 2026-05-10/11 GUI batch (Audit 2026-05-11 Fix 12).**
  The original GUI-batch commit `661b6db` claimed `npx tsc --noEmit PASS`
  but shipped no Vitest cases for the new surfaces. The regression-
  prevention layer was missing — a future refactor of `KeysPage`'s
  assign modal could silently drop scope_type handling, the LOW-1 demo
  banner could be hidden by a stray predicate flip, the LOW-11 hide of
  the delete button on default roles could disappear and let operators
  click straight into a backend 409, and nothing would surface in CI.
  This closure adds 35 new test cases across five files:
  `web/src/pages/auth/UsersPage.test.tsx` (new, 8 cases pinning the
  active/deactivated/reactivate flow + provider filter + empty state +
  loading state), `web/src/pages/auth/AuthSettingsPage.test.tsx`
  (extended +4 cases pinning the MED-12 runtime-config panel —
  alphabetical sort, `(empty)` placeholder, 403 silent-hide),
  `web/src/pages/auth/KeysPage.test.tsx` (extended +8 cases pinning
  the HIGH-10 GUI half — scope_type=global/profile/issuer body shape,
  expires_at omission vs RFC3339 promotion, whitespace-only scope_id
  rejection, demo-anon row mutation-button hide),
  `web/src/pages/auth/RoleDetailPage.test.tsx` (new, 9 cases pinning
  the MED-8 scope picker + the LOW-11 default-role delete-button hide
  via the `DEFAULT_ROLE_IDS` set against `r-admin` + `r-auditor`),
  `web/src/components/AuthProvider.test.tsx` (new, 5 cases pinning the
  LOW-1 demo-banner visibility predicate — `authType==='none' &&
  !loading` — across happy/api-key/oidc/loading/rejected branches; the
  rejected-fetch path keeps the banner visible because the catch
  treats it as an old-server-fallback to demo-mode, and that behavior
  is pinned here so a future change surfaces in the diff). 40/40
  test-file-scoped pass; `tsc --noEmit` clean.
 ### Security
 - **CSRF rotation on logout closes HIGH-2 fourth call site (Audit 2026-05-11 Fix 13).**
  The HIGH-2 closure (`dev/auth-bundle-2`) documented four
  `RotateCSRFTokenForActor` call sites: login completion (fresh by
  construction), Assign/RevokeRole on role-mutation (wired), Logout, and
  an explicit operator endpoint. The 2026-05-11 review verified only 3
  of the 4 — Logout did NOT rotate the actor's sibling sessions
  post-revoke, leaving a window where a token captured pre-logout
  (browser DevTools, malicious extension, session-storage leak) could
  be replayed against the user's other-device/other-browser sessions
  until those sessions hit their own idle/absolute expiry.
  `SessionMinter` interface extended with `RotateCSRFTokenForActor`;
  `Logout` invokes it after `Revoke(sess.ID)` succeeds. The
  `auth.session_revoked` audit row gains a `csrf_rotated` detail key
  carrying the rotated count so SOC / SIEM can correlate logout events
  with CSRF churn. The no-cookie + invalid-cookie 204 short-circuit
  paths skip rotation (no session row to rotate against). 3 regression
  tests in `internal/api/handler/auth_session_oidc_test.go` pin the
  happy path + the two short-circuit branches. The explicit operator
  endpoint (4) remains intentionally unbuilt — the three automatic
  triggers (login + role-mutation + logout) cover the threat model;
  operators who want a nuclear option can use the existing
  `RevokeAllForActor` flow which forces re-login → fresh session →
  fresh CSRF. **HIGH-2 fully closed across all four documented call
  sites.**
 - **Demo-mode residual-grants detector + cleanup endpoint + CI guard (Audit 2026-05-11 A-8).**
  HIGH-12 (closure `b81588e`) added a fail-closed bind-address guard
  that refuses startup when `CERTCTL_AUTH_TYPE=none` binds non-loopback
  without `CERTCTL_DEMO_MODE_ACK=true`. The Phase 2 leg of that spec —
  production-startup banner when `actor-demo-anon` has residual role
  grants in `actor_roles` plus a CI guard banning new synthetic-admin
  code paths — was deferred. This closure lands all three deferred
  legs. (1) `cmd/server/preflight_demo_residual.go` runs after the DB
  is open + audit service is constructed, before the HTTPS listener
  starts; under any non-`none` auth type it queries `actor_roles` for
  `actor-demo-anon` and emits a WARN log + `auth.demo_residual_grants_detected`
  audit row when the row is present. The migration 000029 baseline
  unconditionally seeds the `ar-demo-anon-admin` row at install time,
  so EVERY production deploy will see this WARN on first boot — the
  intended cutover workflow is documented at `docs/operator/security.md`.
  (2) `POST /api/v1/auth/demo-residual/cleanup` is an admin-class
  (`auth.role.assign`) cleanup endpoint that removes every
  `actor-demo-anon` row from `actor_roles` and returns
  `{"removed": <int64>}`; idempotent (a second call returns
  `removed:0`), refuses 503 under `Auth.Type=none` (deleting the row
  would break the demo path), audit-logs every invocation. (3) New
  env var `CERTCTL_DEMO_MODE_RESIDUAL_STRICT` (default `false`)
  pivots the WARN to fail-closed startup refusal for operators who
  want a paranoid hostile-environment posture. (4) CI guard
  `scripts/ci-guards/no-new-synthetic-admin.sh` pins the 17-entry
  allowlist of source files that may reference the `actor-demo-anon`
  literal; new runtime code paths that resolve to the synthetic actor
  are rejected at PR time so the credibility gap stays closed. The
  closure was framed as "credibility gap, not exploitable
  vulnerability" — the residue requires a regression elsewhere in the
  middleware chain to be exploitable. After this fix, the canonical
  acquisition-readiness narrative ("RBAC primitive with no
  synthetic-admin fallback") is fully true. Operator runbook at
  `docs/operator/security.md#demo-to-production-cutover-audit-2026-05-11-a-8`.
 - **OIDC provider "Test connection" panel (Audit 2026-05-11 Fix 09 — MED-5 GUI half).**
  MED-5's backend dry-run endpoint (`POST /api/v1/auth/oidc/test`, gated
  `auth.oidc.create`) shipped on `dev/auth-bundle-2` but had no GUI caller —
  the `authOIDCTestProvider` function in `web/src/api/client.ts` was dead
  code. Operators had to complete the create form blind, save, then click
  "Refresh" to discover whether the issuer URL worked; failures left a
  broken provider row in the database that had to be deleted before
  retrying. New shared component
  `web/src/pages/auth/OIDCTestConnectionPanel.tsx` calls the backend
  against the live form state and renders a four-row status panel inline:
  Discovery fetched, JWKS reachable, supported algs (warns when the IdP
  advertises none), and RFC 9207 iss-parameter advertisement (informational
  `·` glyph, not ✗, because the spec is SHOULD). Backend per-leg `errors[]`
  flow into an inline bullet list. The panel is mounted in the
  OIDCProvidersPage create modal AND the OIDCProviderDetailPage edit form —
  the edit-form half is load-bearing for verifying IdP rotations (Keycloak
  realm rename, Okta tenant move) without committing first. Run button is
  disabled until the issuer URL is non-empty (whitespace-trimmed); the
  component is read-only — safe to run repeatedly. 8 Vitest tests pin the
  glyph-vs-glyph contract (✓/✗/⚠/·), the button-disabled-without-issuer
  shape, and the test-id-suffix collision-prevention when the panel is
  mounted twice on the same page.
 - **OIDC JWKS health panel + Refresh-now button (Audit 2026-05-11 Fix 10 — MED-7 GUI half).**
  MED-7's backend endpoint `GET /api/v1/auth/oidc/providers/{id}/jwks-status`
  (commit `d85114f`) shipped the per-provider verifier counters on
  `dev/auth-bundle-2` but the GUI never called it. The audit doc had
  prematurely flipped the row to CLOSED; `authOIDCJWKSStatus` in the
  API client was dead code. Operators investigating "why is login
  failing for this IdP" couldn't see `last_refresh_at`,
  `rejected_jws_count`, or `last_error` from the GUI — they had to
  drop to curl. New shared component
  `web/src/pages/auth/OIDCJWKSStatusPanel.tsx` queries the endpoint
  via TanStack Query (30s `staleTime`, `retry: 0` so a 403 hides the
  panel silently for callers without `auth.oidc.list`) and renders
  six dt/dd rows: Last refresh (with `(never — cold cache)` sentinel
  when the timestamp is empty), Refresh count, Rejected JWS count,
  Last error (red treatment when non-empty, `(none)` sentinel
  otherwise), RFC 9207 iss param ("supported by IdP" / "not
  advertised"), and Current KIDs (`(not exposed — query jwks_uri
  directly)` sentinel when the backend declines to expose the list).
  A "Refresh now" button invokes the existing
  `POST .../refresh` (RefreshKeys path) and invalidates the panel's
  query so the freshly-updated counters render without a page
  reload. The button is hidden for callers without `auth.oidc.edit`
  via the panel's optional `canRefresh` prop. Mounted on
  `OIDCProviderDetailPage.tsx` between the read-only field display
  and the Actions section. 9 Vitest tests pin: loading state,
  happy-path-all-six-rows, 403-hides-panel, refresh-invalidates-
  query, refresh-failure-surfaces-inline-without-hiding-panel,
  never-refreshed-cold-cache-sentinel, current-kids-empty-not-
  exposed-sentinel, last-error-red-treatment, and canRefresh=false-
  hides-the-button.
 - **UsersPage sidebar nav entry (Audit 2026-05-11 Fix 11 — MED-11
  discoverability).** The MED-11 closure shipped `UsersPage.tsx` + wired
  the `/auth/users` route in `web/src/main.tsx`, but the sidebar
  navigation never gained a corresponding entry. Operators reached the
  federated-user-admin surface (used during compliance audits — "show
  me last login for every IdP-federated user") only by knowing the URL.
  A page that exists but isn't navigable is a half-finished page. New
  Users entry under the Auth section in `web/src/components/Layout.tsx`
  sits between Sessions and Roles (federated-identity grouping). Three
  Vitest tests in `Layout.test.tsx` pin the link's presence, the
  `/auth/users` destination, and the DOM ordering relative to Sessions
  so a future refactor that re-orders or removes the entry surfaces in
  the diff.
 - **Scope-aware actor-role revoke (Audit 2026-05-11 A-4).**
  HIGH-10 made it possible to grant the same role to the same actor at
  multiple scopes (e.g. `r-operator` on `profile=p-acme` AND `profile=p-globex`)
  via the unique constraint extension on `actor_roles`, but
  `ActorRoleRepository.Revoke` ignored `(scope_type, scope_id)` and
  unconditionally deleted every variant. Operators who wanted to drop
  one scoped grant had to nuke them all and re-grant the remainder —
  a race window where the actor's access was briefly different. The
  `DELETE /v1/auth/keys/{id}/roles/{role_id}` endpoint now accepts
  optional `?scope_type=` / `?scope_id=` query params that narrow the
  revoke to a single variant; no-match returns 404. The legacy "revoke
  every variant" semantic is preserved when the query params are
  absent, so existing CLI / GUI buttons keep working unchanged. The
  audit row's `details` payload records which mode fired so SOC / SIEM
  can distinguish wide cleanups from targeted demotions. MCP tool
  `certctl_auth_revoke_role_from_key` gains optional `scope_type` +
  `scope_id` input fields with matching semantics. Documented in
  `docs/operator/rbac.md` under "Revoke: legacy 'all variants' vs
  scope-selective."
 ### Security (BREAKING — silent-elevation closure)
 - **HIGH-10 actor-role scope is now enforced (Audit 2026-05-11 A-1).**
  Pre-fix, `actor_roles.scope_type` / `scope_id` (added in migration 000043
  by the HIGH-10 closure) were persisted by Grant + accepted on the handler
  body + surfaced through the GUI/MCP — but the load-bearing
  `EffectivePermissions` SQL never read them. A profile-scoped grant
  silently elevated to global at authorization time. Canonical CRIT-5
  lying-field shape, replicated. **The post-fix authorization narrows
  correctly**: every existing `actor_roles` row with `scope_type != 'global'`
  now takes effect.
  > **Operator advisory:** if you used the HIGH-10 scope-bound role-grant
  > API between commit `551812b` and the v2.1.0 tag (the column was
  > populated but ignored), the grants were silently global. After
  > upgrading, audit `SELECT actor_id, role_id, scope_type, scope_id FROM
  > actor_roles WHERE scope_type != 'global'` and confirm the narrowing
  > reflects intent. If an actor was granted a scoped role but expected
  > global behavior, re-grant with `scope_type=global`.
 ### Security (BREAKING)
 - **Federated-user deactivation now actually blocks login (Audit 2026-05-11 A-2).**
  The MED-11 closure shipped `users.deactivated_at` + `DELETE /api/v1/auth/users/{id}`
  + cascade-session-revoke, but the column was a "lying field" three legs over: the
  postgres user repository never SELECTed it (so `User.DeactivatedAt` always read
  nil), the `Update` SQL never wrote it (so the handler's mutation was a no-op),
  and the OIDC `upsertUser` path never checked it (so the next login under the
  same `(provider, subject)` tuple re-minted a session and re-elevated the user).
  The cascade-revoke remained correct for the current cookie only. **Operator
  advisory: if you deactivated a federated user between the MED-11 closure
  (Bundle 2 merge `dea5053`) and the v2.1.0 release tag, verify the user cannot
  OIDC-log-in after upgrading — the column took no effect at login time before
  this fix. If needed, re-run the deactivation against the upgraded server.**
  Closure: `userColumns` + `scanUser` now read `deactivated_at` via `sql.NullTime`;
  `Create` + `Update` write it explicitly; `upsertUser` returns the new
  `ErrUserDeactivated` sentinel before mutating fields (preserves `last_login_at`
  forensics on rejected logins); `classifyOIDCFailure` surfaces the rejection
  as audit category `user_deactivated`. Self-deactivate guard on
  `DELETE /api/v1/auth/users/{id}` returns HTTP 409 + audit row
  `auth.user_deactivate_self_rejected` (prevents an admin from one-way-door
  locking themselves out via the standard handler — break-glass remains the
  recovery path). New inverse endpoint `POST /api/v1/auth/users/{id}/reactivate`
  (gated `auth.user.deactivate` — reactivation is the inverse op, not a separate
  privilege) clears `deactivated_at`; emits audit row `auth.user_reactivated`.
  Sessions revoked at deactivation stay revoked across reactivation — the user
  must complete a fresh OIDC login. GUI: `UsersPage.tsx` now renders a Reactivate
  button on deactivated rows. CWE-862 (missing authorization at the user-state
  boundary). SOC 2 CC6.3 + ISO 27001 A.9.2.6 compliance-table-flipping fix.
 - **`__Host-` cookie prefix on all three auth cookies (Audit 2026-05-10 MED-14).**
  The session cookie, CSRF cookie, and OIDC pre-login cookie are renamed from
  `certctl_session` / `certctl_csrf` / `certctl_oidc_pending` to
  `__Host-certctl_session` / `__Host-certctl_csrf` / `__Host-certctl_oidc_pending`
  to gain browser-enforced subdomain-takeover protection (a `__Host-*` cookie can
  only be set with `Path=/` + `Secure` + no `Domain` attribute, and the browser
  rejects subdomain attempts to overwrite it). **Active sessions invalidate on
  the rolling deploy that lands this change** — operators must re-authenticate
  once after upgrading. The GUI's CSRF cookie reader was updated in lockstep.
  See `docs/migration/oidc-enable.md` for operator-facing detail.
 ### Security
 - **OIDC `allowed_email_domains` now editable in the GUI (Audit 2026-05-11 A-3).**
  The backend gate that rejects logins whose email domain is outside the
  configured allowlist landed in v2.1.0 (CRIT-5 closure, 2026-05-10), but the
  GUI never exposed the field — GUI-driven operators had to use the API
  directly to configure tenant isolation against multi-tenant IdPs (Auth0,
  Azure AD common endpoint, Google Workspace). The OIDCProvidersPage create
  modal and OIDCProviderDetailPage detail view now render a chip-style
  multi-input with client-side validation that mirrors the backend rules
  (no `@`, no whitespace, no wildcards, lowercase-only FQDNs). The read-only
  view renders an explicit "any (no gate configured)" sentinel when the list
  is empty so operators can tell "not configured" apart from "field is
  invisible." A "Clear all" button on the edit form is gated by a confirm
  dialog that warns about removing the tenant gate. **Operator advisory: if
  you provisioned OIDC providers via the GUI between v2.1.0 and this fix,
  verify `allowed_email_domains` matches your tenant policy — the field was
  configurable only via API / MCP / direct SQL during that window.** Per-IdP
  runbooks for multi-tenant IdPs in `docs/operator/oidc-runbooks/` already
  documented the field; the GUI now matches.
 - **Approval payload preview (Audit 2026-05-11 A-5).**
  The MED-10 closure claim ("PARTIAL: raw JSON preview; diff library
  deferred") was inaccurate — `ApprovalsPage.tsx` rendered no payload
  at all, so approvers were clicking Approve / Reject without seeing
  the change they were authorizing. That defeats the entire four-eyes
  primitive: an approver who can't see what they're approving is
  rubber-stamping. Each row now carries a Preview toggle that expands
  an inline panel dispatching by kind: `profile_edit` shows a
  field-level before/after diff (changed-only rows, red/green cells,
  `(unset)` sentinel for added/removed fields); `cert_issuance` shows
  a definition list of CN / SANs / profile / key algo / must-staple /
  validity (catches the wildcard-against-corp-internal-profile attack
  at review time); unknown kinds render a generic JSON preview for
  forward-compat with future approval kinds. The base64-encoded JSON
  payload is decoded via the new `decodePayload` helper; malformed
  inputs render an explicit decode-error fallback — silent failure on
  the payload preview is what produced this bug in the first place.
 - **Strict pre-login UA/IP binding (Audit 2026-05-11 A-6).**
  The MED-16 closure left a request-side empty-header bypass: when the
  pre-login row carried a User-Agent or client-IP binding but the
  `/auth/oidc/callback` request omitted the corresponding value, the
  binding check was silently skipped. `curl` doesn't send User-Agent
  by default; many programmatic clients omit it. An attacker who
  acquired a pre-login cookie could replay it without the bound
  header and bypass the RFC 9700 §4.7.1 defense. The check is now
  strict-when-stored — an empty request-side value with a non-empty
  stored binding rejects with HTTP 400 and the new audit failure
  categories `prelogin_ua_missing` / `prelogin_ip_missing` (distinct
  from the existing `*_mismatch` categories so SIEM rules can alert
  specifically on bypass attempts). **Operator advisory:** environments
  where the User-Agent is stripped in transit (some debug proxies, a
  handful of CDN configurations) must set
  `CERTCTL_OIDC_PRELOGIN_REQUIRE_UA=false` to keep logins working;
  symmetric `CERTCTL_OIDC_PRELOGIN_REQUIRE_IP=false` exists for the
  IP-side. The legacy-row compat window — pre-migration rows with no
  stored binding — still passes through unchecked, but that window is
  bounded by the 10-minute pre-login TTL.
 - **OIDC provider Advanced fields are now editable in the GUI (Audit 2026-05-11 A-7).**
  The MED-4 row had been DEFERRED to v3 with the rationale "backend
  already accepts these fields." The verifier hit the GUI and found
  that the read-only display claimed the values were editable, but the
  edit form had no inputs — the save handler passed `provider.scopes`
  / `provider.groups_claim_path` / `provider.groups_claim_format` /
  `provider.iat_window_seconds` / `provider.jwks_cache_ttl_seconds`
  unchanged from the loaded object. Operators who wanted to bump the
  IAT window or change the groups-claim path had to drop to curl /
  MCP and trust the GUI's display matched what they'd set elsewhere.
  Lying UX. The OIDCProviderDetailPage edit form now has a collapsible
  Advanced section with five inputs (scopes as a space-separated text
  field; groups-claim path; groups-claim format select with the
  backend's `string-array` / `json-path` enum; IAT window number input
  bounded 1–600; JWKS cache TTL number input with floor 60). Client-side
  validation mirrors the backend `Validate` rules so common operator
  mistakes (IAT > 600, JWKS TTL < 60, empty scopes, empty groups-claim-path)
  reject inline instead of round-tripping a 400. The read-only `<dl>`
  also gained the previously-invisible `jwks_cache_ttl_seconds` row.
 - **Pre-login cookie Path widened from `/auth/oidc/` to `/` (Audit MED-14
  follow-on).** Required to satisfy the `__Host-` prefix's `Path=/` rule. The
  cookie lifetime is unchanged (10 minutes) and only the callback handler
  consumes it; the wider path scope is harmless.
 - **RFC 9207 `iss` URL parameter check on OIDC callback (Audit 2026-05-10
  MED-17).** When the matched IdP's discovery doc advertises
  `authorization_response_iss_parameter_supported: true`, certctl now requires
  the `iss` query parameter on `/auth/oidc/callback` and enforces a
  constant-time compare against the configured provider's `IssuerURL`. Mismatch
  rejects with HTTP 400; the audit row's `failure_category` distinguishes
  `iss_param_missing` / `iss_param_mismatch` (RFC 9207 leg) from the existing
  `id_token_iss_mismatch` (in-token iss claim leg). Closes the mix-up-attack
  defense for modern Keycloak, Authentik, and public-trust CAs that ship
  RFC-9207 discovery. Providers that don't advertise support (the majority
  today) keep pre-fix behavior — back-compat is preserved.
 - **Auth GUI batch (Audit 2026-05-10 MED-4/7/8/10/11/12 + LOW-1/11/12 +
  HIGH-10 GUI).** New backend endpoints land alongside their GUI
  consumers: `GET /api/v1/auth/users` + `DELETE /api/v1/auth/users/{id}`
  (auth.user.read / auth.user.deactivate; migration 000045 adds
  `users.deactivated_at` plus the two new permissions); `GET
  /api/v1/auth/runtime-config` (auth.role.assign) returning a sanitized
  flat-map of deployed CERTCTL_* values (no secrets leaked — only
  set/unset booleans and counts); `GET
  /api/v1/auth/oidc/providers/{id}/jwks-status` (auth.oidc.list)
  returning the per-provider verifier counters (refresh count, last
  refresh / error timestamps, rejected JWS count, RFC 9207 iss-param
  flag). New `UsersPage` lists federated identities + soft-deactivates.
  `AuthSettingsPage` gains the runtime-config panel. `KeysPage`'s
  assign-role modal now collects `scope_type` / `scope_id` /
  `expires_at`. `RoleDetailPage`'s add-permission form gains the same
  scope picker, and the Delete button is hidden on the 7 default
  system roles (server already rejected, this is pure UX).
  `AuthProvider` renders a sticky red demo-mode banner when
  `auth_type=none`. `actor-demo-anon` rows on `KeysPage` already had
  buttons disabled.
 - **11 new MCP tools (Audit 2026-05-10 MED-13).** Approval workflow
  (`certctl_approval_list` / `_get` / `_approve` / `_reject`), break-glass
  credential admin (`certctl_breakglass_list` / `_set_password` /
  `_unlock` / `_remove`), bootstrap status + consume
  (`certctl_bootstrap_status` / `_consume`), and audit category filter
  (`certctl_audit_list_with_category`). All route through the existing
  HTTP client so server-side permission gates fire unchanged.
  `certctl_bootstrap_consume`'s tool description carries an explicit
  "NEVER WIRE THIS TO AUTONOMOUS OPERATION" warning — a leaked
  bootstrap token mints a fresh admin API key bypassing every other
  access-control gate, so the tool is for one-shot manual operator
  invocation only.
 - **JWKS auto-refresh on cache-miss (Audit 2026-05-10 MED-6).** When
  the IdP rotates its signing key between pre-login + callback, the
  cached JWKS no longer contains the kid referenced by the inbound ID
  token's JWS header. Pre-fix, the verify failed with a generic error
  and the operator had to manually call `POST
  /api/v1/auth/oidc/providers/{id}/refresh`. The service now detects
  the kid-not-in-cache shape (`isKidMismatchError`) and runs a
  one-shot `RefreshKeys` (evict cache → re-fetch discovery + JWKS →
  re-run alg-downgrade defense) before retrying the verify exactly
  once. Bounded recovery: a second failure surfaces as
  `ErrJWKSUnreachable` per the original branches; no retry loop. A
  separate matcher (`isKidMismatchError`) is intentionally narrow
  so generic signature failures don't trigger refresh.
 - **OIDC provider test endpoint (Audit 2026-05-10 MED-5).** New
  `POST /api/v1/auth/oidc/test` dry-runs an OIDC provider configuration
  without persisting: fetches the discovery doc, runs the alg-downgrade
  defense, detects RFC 9207 iss-parameter advertisement, and confirms
  JWKS reachability. Returns `TestDiscoveryResult{discovery_succeeded,
  jwks_reachable, supported_alg_values, iss_param_supported, errors[]}`
  so the GUI (forthcoming) can render per-check status rows. Per-leg
  failures ride in the response body's `errors` array; only a malformed
  request body trips 400. Gate: `auth.oidc.create`. Audit row
  `auth.oidc_provider_tested` carries the success/failure summary.
 - **Pre-login UA / source-IP binding on OIDC callback (Audit 2026-05-10
  MED-16).** RFC 9700 §4.7.1 defense against stolen-pre-login-cookie replay
  by a different browser / source. Migration `000044_prelogin_uaip` adds
  `client_ip` + `user_agent` to `oidc_pre_login_sessions`; values captured at
  `/auth/oidc/login` are constant-time compared at `/auth/oidc/callback`.
  Mismatches return HTTP 400 with audit `failure_category` =
  `prelogin_ua_mismatch` or `prelogin_ip_mismatch`. Two operator escape
  hatches: `CERTCTL_OIDC_PRELOGIN_REQUIRE_UA` and
  `CERTCTL_OIDC_PRELOGIN_REQUIRE_IP` (both default `true`) — operators on
  enterprise proxies that rewrite UA, or dual-stack v4/v6 environments where
  source IP routinely flips, can disable the affected leg. The binding column
  is persisted even when enforcement is off, so retroactive forensics remain
  possible. Empty values on either side pass through (rolling-deploy +
  headless-proxy compat).
 ## v2.1.0 - Auth Bundles 1 + 2: RBAC primitive + OIDC SSO + sessions ⚠️
 > **SECURITY: AUDIT YOUR API KEYS.**
 >
 > Bundle 1 ships role-based authorization. Every existing API key
 > configured via `CERTCTL_API_KEYS_NAMED` (or the legacy
 > `CERTCTL_AUTH_SECRET`) is mapped to the **r-admin role on the first
 > upgrade boot** so existing automation keeps working unchanged. Most
 > keys do NOT need full admin power; downgrade them before tagging
 > the next release.
 >
 > Recommended post-upgrade flow:
 >
 > ```bash
 > # 1. List every key with its current role:
 > certctl-cli auth keys list
 >
 > # 2. Walk an interactive prompt that downgrades each key:
 > certctl-cli auth keys scope-down
 >
 > # 3. Or get a heuristic suggestion based on 30 days of audit history:
 > certctl-cli auth keys scope-down --suggest
 > certctl-cli auth keys scope-down --suggest --apply   # applies the suggestion
 >
 > # 4. Or drive scope-down from a JSON config (Helm post-upgrade hook):
 > certctl-cli auth keys scope-down --non-interactive ./scope-down.json
 > ```
 >
 > The synthetic `actor-demo-anon` actor (used when
 > `CERTCTL_AUTH_TYPE=none` is configured) is system-managed and
 > excluded from the prompt loop.
 What else changed in v2.1.0:
 - **Audit 2026-05-10 CRIT-1 closure — wire-layer RBAC enforcement.**
  The Bundle 1 + Bundle 2 audit surfaced that the permission catalogue
  was enforced on ~24 admin-only routes only; the bulk of state-changing
  routes (`POST /api/v1/certificates`, `PUT /api/v1/profiles/{id}`,
  `DELETE /api/v1/issuers/{id}`, `POST /api/v1/agents/{id}/csr`, even
  `POST /api/v1/auth/roles` + `POST /api/v1/auth/keys/{id}/roles`) had
  no `rbacGate` wrap. A `r-viewer` Bearer was essentially `r-admin`
  minus five fine-grained verbs at the wire layer (CWE-862). This
  release wraps every state-changing + read endpoint with
  `rbacGate` (global scope) or `rbacGateScoped` (per-profile / per-
  issuer scope-bound grants), and adds an AST-level CI guard
  (`TestRouterRBACGateCoverage`) that fails when a new route is
  registered without enforcement. Catalogue extended via migration
  000039 with 30 permissions covering `cert.edit`, `job.*`,
  `approval.*`, `policy.*`, `team.*`, `owner.*`, `notification.*`,
  `discovery.*`, `network_scan.*`, `healthcheck.*`, `digest.*`,
  `verification.*`, `stats.read`, `metrics.read`. **AUDIT YOUR
  KEYS** (the scope-down call-out above) now translates to real
  reduction in blast radius. Auditor pin preserved at exactly
  `{audit.read, audit.export}`.
 - **RBAC primitive shipped.** `tenants`, `roles`, `permissions`,
  `role_permissions`, `actor_roles` tables (migration 000029); 33-permission
  canonical catalogue; 7 default roles (`admin`, `operator`, `viewer`,
  `agent`, `mcp`, `cli`, `auditor`); per-handler permission gates via
  `auth.RequirePermission` middleware (replaces the legacy
  `IsAdmin` boolean check on the 5 admin-only handlers).
 - **Day-0 admin bootstrap.** Set `CERTCTL_BOOTSTRAP_TOKEN` on a fresh
  deploy and POST a single curl call against `/api/v1/auth/bootstrap` to
  mint the first admin API key; one-shot, never logged, and locks
  closed once any admin actor exists. Migration 000031 ships the
  `api_keys` table that stores the SHA-256 hash; the plaintext is
  shown in the response body once and never persisted.
 - **Auditor role split.** New `auditor` role holds only `audit.read`
  + `audit.export`. Compliance reviewers can read the audit trail
  without holding mutation power. Migration 000032 adds
  `audit_events.event_category` so auditors can filter to
  authentication-related events specifically.
 - **`/v1/auth/check` enrichment.** Response now includes the actor's
  standing roles and effective permissions, so the GUI gates
  affordances from a single fetch on app boot.
 - **Approval-bypass closure.** Edits to a profile that has (or
  would have) `RequiresApproval=true` now route through the
  `ApprovalService` two-person integrity gate (Phase 9). Migration
  000033 adds `approval_kind` + `payload` to
  `issuance_approval_requests` so cert-issuance and profile-edit
  approvals share the same workflow. Same-actor self-approve is
  rejected with `ErrApproveBySameActor` for both kinds. Closes the
  flip-flop loophole where an admin could disable approval, mutate,
  re-enable. Documented at
  [`docs/reference/profiles.md`](docs/reference/profiles.md).
 - **GUI: Roles / API Keys / Auth Settings / Approvals queue.**
  Four new pages under `/auth/*` consume `/v1/auth/me` for
  permission-aware rendering. The Approvals queue blocks
  self-approve at the client layer (Approve/Reject buttons hidden
  when requested_by == current actor_id) on top of the server-side
  enforcement. AuditPage gains a category filter (cert_lifecycle /
  auth / config) for the auditor view.
 - **MCP server gains 12 RBAC tools.** Operators driving certctl
  from Claude / VS Code / any MCP client get parity with the GUI
  + CLI. Each tool routes through the same HTTP handler; permission
  gates fire server-side.
 - **OpenAPI catalogues every new route.** Every Bundle 1 endpoint
  ships with an `operationId`; the parity test guards against drift.
 - **Coverage gates.** `internal/auth/` and `internal/service/auth/`
  now have ≥85% coverage floors in `.github/coverage-thresholds.yml`.
  The 12-path negative-test list from the Bundle 1 prompt is
  fully covered (path #12 deferred with in-tree TODO).
 - **Protocol-endpoint allowlist pinned at three layers.** The
  middleware bypass (`auth.IsProtocolEndpoint`), the router-level
  `AuthExemptRouterRoutes` constant, and a new
  `phase12_protocol_allowlist_test.go` AST scan all guard against
  accidentally wrapping ACME / SCEP / EST / OCSP / CRL routes in
  `rbacGate`.
 - **Bundle 2: OIDC + sessions + back-channel logout + break-glass.**
  Auth Bundle 2 ships in the same v2.1.0 release. Operators get OIDC
  SSO support for Keycloak / Authentik / Okta / Auth0 / Microsoft
  Entra ID / Google Workspace (via Keycloak broker), HMAC-signed
  session cookies with idle/absolute timeouts + CSRF defense,
  back-channel logout per OpenID Connect Back-Channel Logout 1.0,
  and a default-OFF break-glass admin path with Argon2id passwords
  for SSO-broken incidents. API-key auth keeps working unchanged
  alongside; existing automation needs no changes. Migration walkthrough
  at [`docs/migration/oidc-enable.md`](docs/migration/oidc-enable.md);
  per-IdP setup guides at
  [`docs/operator/oidc-runbooks/index.md`](docs/operator/oidc-runbooks/index.md).
 - **OIDC token validation pinned at three layers.** Algorithm
  allow-list (RS256/RS512/ES256/ES384/EdDSA only) with HS-family + `none`
  rejected at the service-layer sentinel; IdP-downgrade-attack defense
  at provider creation AND every JWKS RefreshKeys (intersects the IdP's
  advertised `id_token_signing_alg_values_supported` against the allow-
  list, rejects providers that advertise weak algs even before any
  token is signed); OIDC Core §3.1.3.7 re-verification of `iss` /
  `aud` / `azp` / `at_hash` (REQUIRED-when-access_token-present per
  Phase 3 tightening of the spec MAY → MUST) / `exp` / `iat` window
  / `nonce` constant-time-compare. PKCE-S256 mandatory; `plain`
  rejected. Single-use state + nonce via atomic `DELETE...RETURNING`
  on consume.
 - **Session cookies use length-prefixed HMAC.** The cookie wire format
  is `v1.<session_id>.<signing_key_id>.<base64url-no-pad(HMAC-SHA256)>`
  with HMAC input `len:sid:len:kid` (NOT bare-concat) to defeat
  concatenation collisions. `HttpOnly` + `Secure` + `SameSite=Lax`
  default; `SameSite=Strict` configurable via `CERTCTL_SESSION_SAMESITE`.
  Idle timeout 1h / absolute 8h defaults; scheduler GC sweeps expired
  rows hourly. Signing keys rotate via the new `RotateSigningKey`
  primitive; the old key stays valid for `CERTCTL_SESSION_SIGNING_KEY_RETENTION`
  (default 24h) so existing cookies validate during rollover.
 - **CSRF defense via double-submit-cookie + hashed-token-on-row.**
  Plaintext CSRF token in the JS-readable `certctl_csrf` cookie
  (intentionally `HttpOnly=false` for the GUI to echo into the
  `X-CSRF-Token` header); SHA-256 hash on the session row;
  `subtle.ConstantTimeCompare` in the new `CSRFMiddleware`. API-key
  actors are CSRF-exempt (no session row in context).
 - **OIDC `client_secret` encrypted at rest.** AES-256-GCM v3 blob
  format (magic 0x03 + salt(16) + nonce(12) + ciphertext+tag) using
  the existing `CERTCTL_CONFIG_ENCRYPTION_KEY`. Encryption invariant
  pinned by an integration test asserting ciphertext != plaintext +
  v3 blob shape + round-trip recovery + wrong-passphrase fails.
 - **OIDC first-admin bootstrap.** New `CERTCTL_BOOTSTRAP_ADMIN_GROUPS`
  + `CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID` env vars: the first
  OIDC-authenticated user with a matching group claim becomes admin
  per tenant. Coexists with the Bundle 1 env-var-token bootstrap;
  the admin-existence probe ensures only one wins. Audit row
  (`bootstrap.oidc_first_admin`) on every grant.
 - **Break-glass admin (default-OFF).** New `CERTCTL_BREAKGLASS_ENABLED`
  env var (default `false`). When enabled, the local Argon2id-password
  admin path bypasses OIDC + group-claim layers — intended ONLY for
  SSO-broken incidents. Argon2id with OWASP 2024 params (m=64 MiB,
  t=3, p=4); lockout after 5 failures (configurable); constant-time
  across all failure paths via `verifyDummy`; surface invisibility
  (HTTP 404 on every endpoint when disabled, NOT 403). WARN log at
  server boot when enabled. WebAuthn/FIDO2 second factor pairing on
  the v3 roadmap (Decision 12).
 - **GUI: OIDC Providers + Group → Role Mappings + Sessions + login
  buttons.** Four new pages under `/auth/*` consume the Bundle 2 API
  surface. Login page renders one "Sign in with X" button per
  configured OIDC provider (in addition to the API-key form, which
  remains as a fallback for Bearer-mode + break-glass paths). Sessions
  page exposes own-sessions + admin all-actors view. Every actionable
  element is permission-gated server-side via `auth.oidc.*` and
  `auth.session.*` perms; client-side hide is UX layer. Logout button
  in the sidebar fires `POST /auth/logout` to clear the session
  server-side before redirecting to login.
 - **MCP server gains 11 OIDC + session tools.** `certctl_auth_list_oidc_providers`,
  `_get_oidc_provider`, `_create_oidc_provider`, `_update_oidc_provider`,
  `_delete_oidc_provider`, `_refresh_oidc_provider`,
  `_list_group_mappings`, `_add_group_mapping`, `_remove_group_mapping`,
  `_list_sessions`, `_revoke_session`. Operator-facing MCP tool count
  goes 12 (Bundle 1 RBAC) → 23 across the auth surface. Total MCP
  tool count: `grep -cE 'mcp\.AddTool\(' internal/mcp/tools*.go` ≈ 150.
 - **Per-IdP runbooks: 6 production-tier setup guides** at
  `docs/operator/oidc-runbooks/`. Each runbook follows a consistent
  five-section layout (Prerequisites / IdP-side config / certctl-side
  config / Verification / Troubleshooting + Validation checklist with
  operator sign-off line). Keycloak is the canonical reference;
  Authentik / Okta / Auth0 / Entra ID / Google Workspace document the
  IdP-specific deltas (Auth0's namespaced custom claims; Entra ID's
  group OBJECT IDs; Google Workspace's missing-groups-claim limitation
  + the recommended Keycloak broker pattern).
 - **Threat model extended.** [`docs/operator/auth-threat-model.md`](docs/operator/auth-threat-model.md)
  ships 5 new "Defenses Bundle 2 ships" subsections + 8 new threat-
  catalogue subsections (OIDC token forgery / session hijacking / IdP
  compromise / back-channel logout failure modes / group-claim
  manipulation / bootstrap risks / break-glass risks / token-leak
  hygiene). 6 new SQL-shaped operator-facing checks. New "Threats
  Bundle 2 does NOT close" section enumerating the 8 v3-backlog items
  (WebAuthn / JIT elevation / SAML / multi-tenant activation /
  HSM-FIPS / OIDC RP-initiated logout / Playwright / per-IdP
  external-tester sign-off).
 - **Performance baselines documented.** [`docs/operator/auth-benchmarks.md`](docs/operator/auth-benchmarks.md)
  ships four benchmarks with measured baselines on a 4 vCPU /
  8 GiB / Postgres 16 / Go 1.25 floor: `BenchmarkSession_SteadyState`
  p99 5 µs (target < 1 ms; 200× under), `BenchmarkSession_ColdProcess`
  p99 7.1 ms (target < 10 ms), `BenchmarkOIDC_SteadyState` p99 1.5 ms
  (target < 5 ms), `BenchmarkOIDC_ColdCache` operator-runs against
  live Keycloak via `make benchmark-auth-coldcache`.
 - **Standards + RFC implementation table.** [`docs/reference/auth-standards-implemented.md`](docs/reference/auth-standards-implemented.md)
  ships 13 RFC / standard rows + 14 CWE rows with concrete file paths
  + negative-test anchors per row. NOT a compliance-mapping doc per
  the operator's 2026-05-05 retired-compliance-docs decision; the
  doc explicitly says "build the framework mapping yourself against
  the rows here using the framework-mapping methodology your audit
  firm prescribes; this project does not own that mapping."
 - **Coverage gates held at floor 90 across all four Bundle 2
  packages.** `internal/auth/oidc/` 93.7%, `internal/auth/session/`
  94.9%, `internal/auth/breakglass/` 91.5%, `internal/auth/user/domain/`
  96.4%. NO held-low-with-rationale entry — the Phase 13 prompt's
  anti-Bundle-1-mistake rule held. Bundle 1's existing 85% floors
  for `internal/auth/` + `internal/service/auth/` stay 85
  (already-shipped-and-accepted) per the prompt's explicit
  inheritance rule.
 - **Multi-tenant query CI guard.** New `scripts/ci-guards/multi-tenant-query-coverage.sh`
  (ratchet-style, baseline 32 at v2.1.0 close): greps every
  SELECT/UPDATE/DELETE in `internal/repository/postgres/` against
  10 tenant-aware tables, fails on regression OR improvement (forces
  the operator to lift / lower the baseline visibly). Forward-compat
  protection so a future Bundle 3 / managed-service multi-tenant
  activation can flip the switch without finding silent
  tenant-data-leak bugs in shipped queries.
 - **Phase 10 Keycloak testcontainers integration test.** New build-tag-
  gated suite at `internal/auth/oidc/testfixtures/` + `integration_keycloak_test.go`
  drives the full OIDC flow against a live Keycloak container booted
  by testcontainers-go. 5-test matrix: discovery + JWKS load, full
  PKCE auth-code happy path with HTTP form scraping, logout-revokes-
  session, JWKS rotation, unmapped-groups-fails-closed. Reuses one
  container across the matrix to amortize the 60-90s boot. Optional
  Okta smoke test (build-tagged `integration && okta_smoke`) for live
  tenant validation. New Makefile targets: `make keycloak-integration-test`
  + `make okta-smoke-test` + `make benchmark-auth-coldcache`.
 - **OpenAPI surface extended.** New `cookieAuth` security scheme
  (apiKey/cookie/`certctl_session`) alongside the existing
  `bearerAuth`. 13 new Bundle 2 endpoints across the OIDC + session
  + group-mapping CRUD surface; 4 break-glass endpoints with
  surface-invisibility framing. The N-bundle-2-security-empty-preserved
  CI guard locks the `security: []` opt-out count at ≥ 14 so existing
  public endpoints stay public.
 - **Bundle-1-only compat regression CI guard.** New
  `scripts/ci-guards/bundle-1-compat-regression.sh` asserts the
  load-bearing invariants that protect the Bundle-1-only-deploy
  case (session middleware defers-to-next, CSRF passthrough on
  missing session row, ChainAuthSessionThenBearer wired, public
  OIDC routes in AuthExempt allowlist, AuthInfo guards on
  OIDCProvidersResolver != nil). Sibling
  `bundle-1-to-2-upgrade-regression.sh` asserts the upgrade-path
  invariants (migrations 000034..000038 are CREATE TABLE IF NOT EXISTS
  + BEGIN/COMMIT-wrapped + no DROP TABLE / ALTER...DROP COLUMN
  against 19 protected Bundle-1 tables + ON CONFLICT DO NOTHING on
  permission seed).
 Migration ordering, idempotency, and downgrade are documented in
 [`docs/migration/api-keys-to-rbac.md`](docs/migration/api-keys-to-rbac.md)
 (API-key → RBAC, Bundle 1) and [`docs/migration/oidc-enable.md`](docs/migration/oidc-enable.md)
 (API-key → OIDC, Bundle 2). The threat model lives at
 [`docs/operator/auth-threat-model.md`](docs/operator/auth-threat-model.md).
 Day-2 RBAC operations live at [`docs/operator/rbac.md`](docs/operator/rbac.md).
 RFC + CWE evidence at [`docs/reference/auth-standards-implemented.md`](docs/reference/auth-standards-implemented.md).
 ## v2.0.68 - Image registry path changed ⚠️
 > **Image registry path changed.** Starting this release, container images publish to `ghcr.io/certctl-io/certctl-server` and `ghcr.io/certctl-io/certctl-agent`. Existing pulls from `ghcr.io/shankar0123/certctl-{server,agent}:<tag>` continue to work for previously-published tags (the registry never deletes images), but the `:latest` tag at the old path stops moving forward at this release. Update your `docker pull` paths, `docker-compose.yml` `image:` keys, or Helm `image.repository` values to receive future updates. Old `git clone` / `git push` / install-script / API URLs continue to redirect forever - only the container-registry path changed.
 This is the only operator-action-required change in v2.0.68. Other changes in this release are cosmetic URL refreshes after the GitHub-org transfer from `shankar0123/certctl` to `certctl-io/certctl` (HTTP redirects mean no other operator action is required) plus an internal contextcheck lint fix in the agent. Full commit list is on the [GitHub release page](https://github.com/certctl-io/certctl/releases/tag/v2.0.68).
@@ -13,18 +732,18 @@ notes are auto-generated from commit messages between consecutive tags.
 **Where to find what changed in a given release:**
- **[GitHub Releases](https://github.com/certctl-io/certctl/releases)** — every
+- **[GitHub Releases](https://github.com/certctl-io/certctl/releases)** - every
  tag has an auto-generated "What's Changed" section pulled from the commits
  between that tag and the previous one, plus per-release supply-chain
  verification instructions (Cosign / SLSA / SBOM).
- **`git log <prev-tag>..<this-tag> --oneline`** — same content, locally.
+- **`git log <prev-tag>..<this-tag> --oneline`** - same content, locally.
 **Why no hand-edited CHANGELOG.md:**
 certctl is solo-developed and pushes directly to master. Maintaining a
 hand-edited CHANGELOG meant the file drifted (entries piled into
 `[unreleased]` and never got promoted to per-version sections when tags were
-cut). A stale CHANGELOG is worse than no CHANGELOG — it signals abandoned
+cut). A stale CHANGELOG is worse than no CHANGELOG - it signals abandoned
 maintenance to security-conscious operators doing diligence.
 The auto-generated release notes work here because commit messages follow a
@@ -63,7 +63,7 @@ RUN for i in 1 2 3; do \
    npm run build
 # Stage 2: Build Go binary
-FROM golang:1.25-alpine@sha256:5caaf1cca9dc351e13deafbc3879fd4754801acba8653fa9540cea125d01a71f AS builder
+FROM golang:1.25.10-alpine@sha256:8d22e29d960bc50cd025d93d5b7c7d220b1ee9aa7a239b3c8f55a57e987e8d45 AS builder
 # Proxy propagation (M-4, Issue #9) — see Stage 1 rationale.
 ARG HTTP_PROXY=
@@ -5,7 +5,7 @@
 # operator runbook; the pins here MUST be bumped in the same pass.
 # Stage 1: Build
-FROM golang:1.25-alpine@sha256:5caaf1cca9dc351e13deafbc3879fd4754801acba8653fa9540cea125d01a71f AS builder
+FROM golang:1.25.10-alpine@sha256:8d22e29d960bc50cd025d93d5b7c7d220b1ee9aa7a239b3c8f55a57e987e8d45 AS builder
 # Proxy propagation (M-4, Issue #9) — defaulted to empty so un-proxied builds
 # behave identically to the pre-fix tree. When `HTTP_PROXY`/`HTTPS_PROXY`/
@@ -1,4 +1,4 @@
-.PHONY: help build run test lint verify verify-docs verify-deploy loadtest acme-cert-manager-test acme-rfc-conformance-test clean docker-up docker-down migrate-up migrate-down generate test-cover frontend-build qa-stats
+.PHONY: help build run test lint verify verify-docs verify-deploy loadtest acme-cert-manager-test acme-rfc-conformance-test keycloak-integration-test okta-smoke-test benchmark-auth benchmark-auth-coldcache clean docker-up docker-down migrate-up migrate-down generate test-cover frontend-build qa-stats
 # Default target - show help
 help:
@@ -171,6 +171,54 @@ loadtest:
 	@echo "==> results landed in deploy/test/loadtest/results/"
 	@if [ -f deploy/test/loadtest/results/summary.txt ]; then cat deploy/test/loadtest/results/summary.txt; fi
 # Auth Bundle 2 Phase 10 — Keycloak end-to-end OIDC integration test.
 # Boots a Keycloak container via testcontainers-go (quay.io/keycloak:25.0),
 # imports a canned realm with two groups + two users, and drives the
 # full OIDC flow against the certctl service: discovery + JWKS,
 # auth-code login, group-claim parsing, group-role mapping, session
 # mint, and JWKS rotation.
 #
 # Build-tag-gated under `integration` so `make verify` (which runs
 # go test -short) NEVER pulls in the 60-90s Keycloak boot. Requires a
 # local Docker daemon. Skips cleanly with t.Skip() when -short is set.
 keycloak-integration-test:
 	@echo "==> running Keycloak OIDC integration test (requires Docker)"
 	@go test -tags=integration -count=1 -timeout=10m \
 	  ./internal/auth/oidc/...
 # Auth Bundle 2 Phase 10 — optional Okta smoke test. Gated behind TWO
 # build tags (integration + okta_smoke) so it only runs when invoked
 # manually against the operator's own Okta dev tenant. Requires the
 # OKTA_ISSUER + OKTA_CLIENT_ID + OKTA_CLIENT_SECRET env vars; the test
 # t.Skip's with a clear message when any are missing. Documented in
 # internal/auth/oidc/integration_okta_smoke_test.go.
 okta-smoke-test:
 	@echo "==> running Okta smoke test (requires OKTA_ISSUER / _CLIENT_ID / _CLIENT_SECRET env vars)"
 	@go test -tags='integration okta_smoke' -count=1 -timeout=2m \
 	  ./internal/auth/oidc/...
 # Auth Bundle 2 Phase 14 — auth performance benchmarks. Three default-
 # tag benchmarks (session steady-state + session cold-process + oidc
 # steady-state) producing p50/p95/p99/max numbers per the auth-
 # benchmarks.md operator-doc table.
 benchmark-auth:
 	@echo "==> running auth performance benchmarks (session + oidc steady-state)"
 	@go test -bench='BenchmarkSession_|BenchmarkOIDC_SteadyState' -benchmem \
 	  -benchtime=2000x -run='^$$' \
 	  ./internal/auth/session/ ./internal/auth/oidc/
 # Auth Bundle 2 Phase 14 — OIDC cold-cache benchmark against a live
 # Keycloak container (requires Docker). Build-tag-gated so the
 # default-tag benchmarks above never pull in the 60-90s container
 # boot. Runs the integration test FIRST to populate the
 # sharedKeycloak fixture, then runs the benchmark.
 benchmark-auth-coldcache:
 	@echo "==> running OIDC cold-cache benchmark against live Keycloak (requires Docker)"
 	@go test -tags integration -count=1 -timeout=10m \
 	  -run TestKeycloakIntegration_RefreshKeysFetchesDiscoveryAndJWKS \
 	  -bench BenchmarkOIDC_ColdCache -benchmem -benchtime=10x \
 	  ./internal/auth/oidc/
 # Phase 5 — kind-driven cert-manager integration test. Requires
 # `kind`, `kubectl`, `helm`, and a local Docker daemon. Sets
 # KIND_AVAILABLE=1 so the test runs (it skips cleanly when unset, which
@@ -285,7 +333,7 @@ qa-stats:
 	@echo "t.Skip sites: $$(grep -rE 't\.Skip(Now|f)?\(' --include='*_test.go' . 2>/dev/null | wc -l | tr -d ' ')"
 	@echo "qa_test.go Part_ subtests: $$(grep -cE 't\.Run\(\"Part[0-9]+_' deploy/test/qa_test.go 2>/dev/null || echo 0)"
 	@echo "Seed unique mc-* IDs:  $$(grep -oE "mc-[a-z0-9_-]+" migrations/seed_demo.sql 2>/dev/null | sort -u | wc -l | tr -d ' ')"
-	@echo "Seed unique ag-* IDs:  $$(grep -oE "ag-[a-z0-9_-]+" migrations/seed_demo.sql 2>/dev/null | sort -u | wc -l | tr -d ' ') (incl. agent_groups; agents-table count is 12)"
+	@echo "Seed unique ag-* IDs:  $$(grep -oE "ag-[a-z0-9_-]+" migrations/seed_demo.sql 2>/dev/null | sort -u | wc -l | tr -d ' ') (incl. agent_groups; agents-table count is 13 incl. agent-demo-1 + 3 cloud sentinels + server-scanner)"
 	@echo "Seed unique iss-* IDs: $$(grep -oE "iss-[a-z0-9_-]+" migrations/seed_demo.sql 2>/dev/null | sort -u | wc -l | tr -d ' ') (issuers table count is 13)"
 	@echo "Seed unique tgt-* IDs: $$(grep -oE "tgt-[a-z0-9_-]+" migrations/seed_demo.sql 2>/dev/null | sort -u | wc -l | tr -d ' ')"
 	@echo "Seed unique nst-* IDs: $$(grep -oE "nst-[a-z0-9_-]+" migrations/seed_demo.sql 2>/dev/null | sort -u | wc -l | tr -d ' ')"
@@ -13,6 +13,10 @@ certctl is a self-hosted platform that automates the entire TLS certificate life
 The CA/Browser Forum's [Ballot SC-081v3](https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-schedule-of-reducing-validity-and-data-reuse-periods/) caps public TLS certificates at **200 days by March 2026**, **100 days by 2027**, and **47 days by 2029**. At 47-day lifespans, a team managing 100 certificates is processing 7+ renewals per week, every week, forever. Manual workflows stop being a choice.
 > **Status: Early-access.** Production-quality core — Local CA, ACME, agent deployment, CRUD, audit, role-based authz (auditor split + day-0 bootstrap + four-eyes approval). Broader surface — intermediate CA hierarchy, ACME/SCEP/EST servers, network appliances — still maturing.
 > v2.1.0 ships federated identity in early-access: OIDC SSO across Keycloak, Authentik, Okta, Auth0, Entra ID, and Google Workspace; HMAC-signed server-side sessions with `__Host-` cookies and CSRF rotation; OIDC Back-Channel Logout; Argon2id break-glass admin. Lab and dev deployments encouraged; production welcomed with the understanding that customer-scale battle-testing is in progress — please [file issues](https://github.com/certctl-io/certctl/issues) on the federated-identity surface, where real-world IdP shapes surface fast.
 > **Actively maintained, shipping weekly.** [Open an issue](https://github.com/certctl-io/certctl/issues) if something breaks. CI runs the full test suite with race detection, static analysis, and vulnerability scanning on every commit.
 **Ready to try it?** Jump to the [Quick Start](#quick-start). For the marketing site, see [certctl.io](https://certctl.io).
@@ -39,7 +43,7 @@ For the connector reference (12 issuers, 15 targets, 6 notifiers) see [`docs/ref
 <td><a href="docs/screenshots/v2-certificates.png"><img src="docs/screenshots/v2-certificates.png" width="400" alt="Certificates"></a><br><b>Certificates</b><br><sub>Inventory with bulk ops, status filters, owner/team columns</sub></td>
 </tr>
 <tr>
-<td><a href="docs/screenshots/v2-issuers.png"><img src="docs/screenshots/v2-issuers.png" width="400" alt="Issuers"></a><br><b>Issuers</b><br><sub>Catalog with 10 CA types, GUI config, test connection</sub></td>
+<td><a href="docs/screenshots/v2-issuers.png"><img src="docs/screenshots/v2-issuers.png" width="400" alt="Issuers"></a><br><b>Issuers</b><br><sub>Catalog with 12 CA types, GUI config, test connection</sub></td>
 <td><a href="docs/screenshots/v2-jobs.png"><img src="docs/screenshots/v2-jobs.png" width="400" alt="Jobs"></a><br><b>Jobs</b><br><sub>Issuance, renewal, deployment queue with approval workflow</sub></td>
 </tr>
 </table>
@@ -62,7 +66,9 @@ certctl handles the full certificate lifecycle in one self-hosted control plane:
 - **Run as a SCEP server** for Microsoft Intune-managed phones, ChromeOS devices, network appliances. RFC 8894 native with full PKIMessage wire format, native Intune challenge dispatch with replay protection, per-profile dispatch with separate RA cert per profile. See [`docs/reference/protocols/scep-server.md`](docs/reference/protocols/scep-server.md).
 - **Run as an EST server** for HTTPS-based PKCS#10 enrollment. 802.1X / Wi-Fi authentication, IoT device enrollment, RFC 9266 channel binding. See [`docs/reference/protocols/est.md`](docs/reference/protocols/est.md).
 - **Manage multi-level CA hierarchies** with name constraints, path-length enforcement, and end-to-end RFC 5280 path validation. Root → intermediate → issuing chains, admin-gated CRUD, drain-first retirement. Patterns documented for 4-level boundary CAs, 3-level policy CAs with per-BU `PermittedDNSDomains`, and 2-level internal PKI. See [`docs/reference/intermediate-ca-hierarchy.md`](docs/reference/intermediate-ca-hierarchy.md).
- **Gate high-stakes issuance** behind two-person-integrity approval. Flag a profile as `RequiresApproval`, the request lands in a queue, a non-requester approves, the scheduler dispatches. See [`docs/operator/approval-workflow.md`](docs/operator/approval-workflow.md).
+- **Gate high-stakes issuance** behind two-person-integrity approval. Flag a profile as `RequiresApproval`, the request lands in a queue, a non-requester approves, the scheduler dispatches. Profile-edit changes on approval-tier profiles route through the same gate so the flip-flop bypass is closed. See [`docs/operator/approval-workflow.md`](docs/operator/approval-workflow.md).
 - **Authorize with role-based access control.** Seven default roles (admin, operator, viewer, agent, mcp, cli, auditor) over a fine-grained permission catalogue with global / per-profile / per-issuer scope. Auditor role is read-only on the audit trail (`audit.read` + `audit.export`, nothing else) so a regulator's key cannot read certificates or mutate config. Day-0 admin via a one-shot `CERTCTL_BOOTSTRAP_TOKEN` endpoint that closes itself the moment any admin lands. Privilege-escalation guard requires `auth.role.assign` to grant or revoke a role. See [`docs/operator/rbac.md`](docs/operator/rbac.md), [`docs/operator/auth-threat-model.md`](docs/operator/auth-threat-model.md), and the v2.0.x → v2.1.0 [migration guide](docs/migration/api-keys-to-rbac.md).
 - **Sign in with OIDC SSO** against any standards-compliant identity provider. Per-IdP setup runbooks for Keycloak, Authentik, Okta, Auth0, Microsoft Entra ID, and Google Workspace. Group-claim → role mapping for automatic provisioning; client_secret encrypted at rest (AES-256-GCM); JWKS auto-refresh on `kid` miss; PKCE-S256 required; RFC 9700 §4.7.1 pre-login UA/IP binding; RFC 9207 `iss` URL-param check on callback. Server mints HMAC-signed session cookies with the `__Host-` prefix (browser-enforced subdomain-takeover defense), CSRF rotation on every privileged write, and idle + absolute expiry. [RFC OIDC Back-Channel Logout 1.0](docs/reference/auth-standards-implemented.md) revokes sessions on IdP-driven logout. Argon2id break-glass admin path for SSO-outage recovery — disabled by default; 404-invisible to scanners when `CERTCTL_BREAKGLASS_ENABLED=false`. See [`docs/operator/oidc-runbooks/index.md`](docs/operator/oidc-runbooks/index.md) for the per-IdP onboarding guides and [`docs/migration/oidc-enable.md`](docs/migration/oidc-enable.md) for enabling SSO on an existing deploy.
 - **Discover** existing certs across your fleet via filesystem scanning on agents, network TLS probing across CIDR ranges, and cloud secret manager imports (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager). Triage workflow for claim / dismiss / investigate.
 - **Revoke** with full RFC 5280 reason codes, DER CRL generation per issuer (scheduler-pre-generated and ETag-cached), and an embedded RFC 6960 OCSP responder with dedicated per-issuer responder certs. Single + bulk revocation. See [`docs/reference/protocols/crl-ocsp.md`](docs/reference/protocols/crl-ocsp.md).
 - **Alert** via Slack, Microsoft Teams, PagerDuty, OpsGenie, email, webhooks. Per-policy multi-channel routing matrix with severity tiers and fault-isolating per-channel dispatch. See [`docs/operator/runbooks/expiry-alerts.md`](docs/operator/runbooks/expiry-alerts.md).
@@ -70,9 +76,9 @@ certctl handles the full certificate lifecycle in one self-hosted control plane:
 ## Architecture and security
-Go 1.25 control plane with handler → service → repository layering. PostgreSQL 16 backend (35+ tables, idempotent migrations). Pull-only deployment model — the server never initiates outbound connections. Agents poll for work and generate ECDSA P-256 keys locally so private keys never touch the control plane. For network appliances and agentless servers, a proxy agent in the same network zone handles deployment via the target's API (WinRM, iControl REST, SSH/SFTP). See the [Architecture Guide](docs/reference/architecture.md) for full system diagrams.
+Go 1.25 control plane with handler → service → repository layering. PostgreSQL 16 backend with idempotent migrations. Pull-only deployment model — the server never initiates outbound connections. Agents poll for work and generate ECDSA P-256 keys locally so private keys never touch the control plane. For network appliances and agentless servers, a proxy agent in the same network zone handles deployment via the target's API (WinRM, iControl REST, SSH/SFTP). See the [Architecture Guide](docs/reference/architecture.md) for full system diagrams.
-Security: API key auth enforced by default with SHA-256 hashing and constant-time comparison. CORS deny-by-default. Shell injection prevention on all connector scripts. SSRF protection (reserved IP filtering) on the network scanner. Issuer and target credentials encrypted at rest with AES-256-GCM. HTTPS-only control plane with TLS 1.3 pinned and a fail-closed startup gate that refuses to boot if the TLS bundle is unusable. Every API call recorded to an immutable audit trail with actor attribution, body hash, and latency tracking. CI runs race detection, 11 linters, and vulnerability scanning on every commit. See [`docs/operator/security.md`](docs/operator/security.md) for the operator-facing security posture.
+Security: three authentication paths — API keys (SHA-256 hashed + constant-time compared), [OIDC SSO](docs/operator/oidc-runbooks/index.md) (Keycloak / Authentik / Okta / Auth0 / Entra ID / Google Workspace), and Argon2id [break-glass admin](docs/operator/security.md) for SSO-outage recovery. Successful OIDC login mints an HMAC-signed server-side session with `__Host-` cookies, CSRF rotation on every privileged write, and [RFC OIDC Back-Channel Logout](docs/reference/auth-standards-implemented.md) for IdP-driven session revoke. Role-based authorization on every gated handler with global / per-profile / per-issuer scope. Auditor split keeps regulator-class actors strictly read-only on the audit trail. Day-0 admin via a one-shot bootstrap token; granting or revoking roles requires the dedicated `auth.role.assign` permission. CORS deny-by-default. Shell injection prevention on all connector scripts. SSRF protection (reserved IP filtering) on the network scanner. Issuer + target + OIDC client_secret credentials encrypted at rest with AES-256-GCM. HTTPS-only control plane with TLS 1.3 pinned and a fail-closed startup gate that refuses to boot if the TLS bundle is unusable. Every API call recorded to an immutable audit trail with actor attribution, body hash, and latency tracking. CI runs race detection, static analysis, and vulnerability scanning on every commit. See [`docs/operator/security.md`](docs/operator/security.md) for the full posture and [`docs/operator/auth-threat-model.md`](docs/operator/auth-threat-model.md) for what's defended vs deferred.
 ## Quick Start
@@ -84,7 +90,7 @@ cd certctl
 docker compose -f deploy/docker-compose.yml -f deploy/docker-compose.demo.yml up -d --build
 ```
-Wait ~30 seconds, then open **https://localhost:8443** in your browser. The shipped demo overlay seeds 32 certificates across 10 issuers, 8 agents, and 180 days of realistic history. The `certctl-tls-init` init container self-signs an ECDSA-P256 cert on first boot — accept the browser warning for the demo, or feed the generated `ca.crt` to your client.
+Wait ~30 seconds, then open **https://localhost:8443** in your browser. The shipped demo overlay seeds 180 days of realistic history across 13 issuers, 8 agents, managed + discovered certs, jobs, deploys, audit, and notification events. The `certctl-tls-init` init container self-signs an ECDSA-P256 cert on first boot — accept the browser warning for the demo, or feed the generated `ca.crt` to your client.
 For a clean install without demo data, drop the `-f deploy/docker-compose.demo.yml` flag and run `docker compose -f deploy/docker-compose.yml up -d --build`. The four compose files (`docker-compose.yml` base, `docker-compose.demo.yml` overlay, `docker-compose.dev.yml` for PgAdmin + debug logging, `docker-compose.test.yml` for integration tests) are documented at [`deploy/ENVIRONMENTS.md`](deploy/ENVIRONMENTS.md).
@@ -107,8 +113,8 @@ Detects your OS and architecture, downloads the binary, configures systemd (Linu
 ```bash
 helm install certctl deploy/helm/certctl/ \
-  --set server.apiKey=your-api-key \
+  --set server.auth.apiKey=your-api-key \
-  --set postgres.password=your-db-password
+  --set postgresql.password=your-db-password
 ```
 Production-ready chart with Server Deployment, PostgreSQL StatefulSet, Agent DaemonSet, health probes, security contexts (non-root, read-only rootfs), and optional Ingress. See [values.yaml](deploy/helm/certctl/values.yaml).
@@ -143,12 +149,12 @@ Every `v*` tag publishes signed, attested artefacts (Cosign keyless OIDC + SLSA
 ```bash
 make build              # Build server + agent binaries
 make test               # Run tests
-make lint               # golangci-lint (11 linters)
+make lint               # golangci-lint (govet + staticcheck + contextcheck + unused)
 govulncheck ./...       # Vulnerability scan
 make docker-up          # Start Docker Compose stack
 ```
-CI runs `go vet`, `go test -race`, `golangci-lint`, `govulncheck`, and per-layer coverage thresholds (service 55%, handler 60%, domain 40%, middleware 30%) on every push. Frontend CI runs TypeScript type checking, Vitest tests, and Vite production build.
+CI runs `go vet`, `go test -race`, `golangci-lint`, `govulncheck`, and per-package coverage thresholds (service 70%, handler 75%, crypto 88%, auth packages 85-95%) on every push. The thresholds-as-data file is `.github/coverage-thresholds.yml`; lowering a floor requires corresponding test work, not a config flip. Frontend CI runs TypeScript type checking, Vitest tests, and Vite production build.
 For the full contributor guide see [`docs/contributor/`](docs/contributor/) — testing strategy, test environment, CI pipeline, QA prerequisites.
@@ -92,3 +92,68 @@ documented_exceptions:
    why: "Phase 4 default-profile shorthand for revoke-cert."
  - route: "GET /acme/renewal-info/{cert_id}"
    why: "Phase 4 default-profile shorthand for ARI."
  # =============================================================================
  # Auth Bundle 2 + audit-2026-05-10/11 fix bundle — REST endpoints not yet
  # represented in api/openapi.yaml. These are operator-facing REST endpoints
  # (not protocol-shaped); the OpenAPI surface is scheduled to land pre-v2.2.0
  # alongside the GUI E2E coverage push. Documented here so the parity guard
  # stays green for the v2.1.0 release tag. Threat model + handler contracts
  # live in docs/operator/{rbac.md,auth-threat-model.md,oidc-runbooks/*}.
  # =============================================================================
  - route: "GET /auth/oidc/login"
    why: "Bundle 2 Phase 5 OIDC login redirect; user-facing 302 with state cookie. OpenAPI rep deferred to pre-2.2.0."
  - route: "GET /auth/oidc/callback"
    why: "Bundle 2 Phase 5 OIDC callback handler; RFC 9700 §4.7.1 + RFC 9207. OpenAPI rep deferred to pre-2.2.0."
  - route: "POST /auth/logout"
    why: "Bundle 2 Phase 5 cookie + CSRF revoker. OpenAPI rep deferred to pre-2.2.0."
  - route: "POST /auth/breakglass/login"
    why: "Bundle 2 Phase 7.5 public break-glass login (auth-bypass, 404 when disabled). OpenAPI rep deferred to pre-2.2.0."
  - route: "POST /auth/oidc/back-channel-logout"
    why: "Bundle 2 Phase 5 RFC OIDC Back-Channel Logout 1.0 endpoint. OpenAPI rep deferred to pre-2.2.0."
  - route: "GET /api/v1/auth/sessions"
    why: "Bundle 2 Phase 5 self/admin session list. OpenAPI rep deferred to pre-2.2.0."
  - route: "DELETE /api/v1/auth/sessions/{id}"
    why: "Bundle 2 Phase 5 session revoke. OpenAPI rep deferred to pre-2.2.0."
  - route: "DELETE /api/v1/auth/sessions"
    why: "Bundle 2 audit-2026-05-10 MED-2/3 revoke-all-except-current."
  - route: "GET /api/v1/auth/oidc/providers"
    why: "Bundle 2 Phase 5 OIDC provider CRUD (list)."
  - route: "POST /api/v1/auth/oidc/providers"
    why: "Bundle 2 Phase 5 OIDC provider CRUD (create)."
  - route: "PUT /api/v1/auth/oidc/providers/{id}"
    why: "Bundle 2 Phase 5 OIDC provider CRUD (update)."
  - route: "DELETE /api/v1/auth/oidc/providers/{id}"
    why: "Bundle 2 Phase 5 OIDC provider CRUD (delete)."
  - route: "POST /api/v1/auth/oidc/providers/{id}/refresh"
    why: "Bundle 2 audit-2026-05-10 MED-7 JWKS hot-refresh."
  - route: "GET /api/v1/auth/oidc/providers/{id}/jwks-status"
    why: "Bundle 2 audit-2026-05-10 MED-7 JWKS health snapshot."
  - route: "POST /api/v1/auth/oidc/test"
    why: "Bundle 2 audit-2026-05-10 MED-5 dry-run discovery + JWKS + alg-downgrade check."
  - route: "GET /api/v1/auth/oidc/group-mappings"
    why: "Bundle 2 Phase 5 group-mapping CRUD (list)."
  - route: "POST /api/v1/auth/oidc/group-mappings"
    why: "Bundle 2 Phase 5 group-mapping CRUD (create)."
  - route: "DELETE /api/v1/auth/oidc/group-mappings/{id}"
    why: "Bundle 2 Phase 5 group-mapping CRUD (delete)."
  - route: "GET /api/v1/auth/breakglass/credentials"
    why: "Bundle 2 Phase 7.5 admin break-glass list (404 when disabled; password hash never on wire)."
  - route: "POST /api/v1/auth/breakglass/credentials"
    why: "Bundle 2 Phase 7.5 admin break-glass set/rotate password."
  - route: "POST /api/v1/auth/breakglass/credentials/{actor_id}/unlock"
    why: "Bundle 2 Phase 7.5 admin break-glass unlock after lockout."
  - route: "DELETE /api/v1/auth/breakglass/credentials/{actor_id}"
    why: "Bundle 2 Phase 7.5 admin break-glass credential delete."
  - route: "GET /api/v1/auth/users"
    why: "Bundle 2 audit-2026-05-10 MED-11 users page."
  - route: "DELETE /api/v1/auth/users/{id}"
    why: "Bundle 2 audit-2026-05-10 MED-11 user deactivate."
  - route: "POST /api/v1/auth/users/{id}/reactivate"
    why: "Bundle 2 audit-2026-05-10 MED-11 user reactivate."
  - route: "GET /api/v1/auth/runtime-config"
    why: "Bundle 2 audit-2026-05-10 MED-12 effective auth-runtime-config (read-only)."
  - route: "POST /api/v1/auth/demo-residual/cleanup"
    why: "Audit 2026-05-11 A-8 demo-mode residual-grants cleanup endpoint."
  - route: "GET /api/v1/audit/export"
    why: "Bundle 1 Phase 8 streaming NDJSON audit export."
@@ -134,12 +134,23 @@ paths:
                    type: string
                    # G-1 (P1): "jwt" removed from this enum after the silent
                    # auth downgrade was identified — no JWT middleware ships
-                    # with certctl. Operators who need JWT/OIDC front certctl
+                    # with certctl. Operators who need JWT continue to front
-                    # with an authenticating gateway (oauth2-proxy / Envoy /
+                    # certctl with an authenticating gateway (oauth2-proxy /
-                    # Traefik / Pomerium) and set CERTCTL_AUTH_TYPE=none
+                    # Envoy / Traefik / Pomerium) and set
-                    # upstream. See docs/architecture.md "Authenticating-
+                    # CERTCTL_AUTH_TYPE=none upstream. See
-                    # gateway pattern".
+                    # docs/architecture.md "Authenticating-gateway pattern".
-                    enum: [api-key, none]
+                    #
                    # Auth Bundle 2 Phase 0: "oidc" added to the enum. The
                    # session middleware + OIDC handler chain ship in later
                    # Bundle 2 phases; until they land, setting
                    # CERTCTL_AUTH_TYPE=oidc fails the runtime guard in
                    # cmd/server/main.go with an actionable error rather
                    # than silently falling back to api-key (the G-1
                    # failure mode). The literal is in the enum so the GUI
                    # Login page (Phase 8) can render OIDC provider
                    # buttons against an /auth/info response that reflects
                    # the configured auth_type.
                    enum: [api-key, none, oidc]
                  required:
                    type: boolean
@@ -147,7 +158,16 @@ paths:
    get:
      tags: [Health]
      summary: Validate credentials
-      description: Returns 200 if auth credentials are valid, 401 otherwise.
+      description: |
        Returns 200 if auth credentials are valid, 401 otherwise.
        Bundle 1 Phase 3 closure (M1): when the server has the RBAC
        primitive wired (Bundle 1 default), the response also includes
        the caller's `actor_id`, `actor_type`, `tenant_id`, the
        `roles` they hold, and `effective_permissions` they resolve
        to. The legacy `admin` boolean is preserved for back-compat
        with pre-Bundle-1 GUIs; new GUIs should switch to
        `effective_permissions` for affordance gating.
      operationId: checkAuth
      responses:
        "200":
@@ -156,13 +176,464 @@ paths:
            application/json:
              schema:
                type: object
                required: [status]
                properties:
                  status:
                    type: string
                    example: authenticated
                  user:
                    type: string
                    description: Named-key identity (empty when CERTCTL_AUTH_TYPE=none)
                  admin:
                    type: boolean
                    description: Legacy admin flag (back-compat with pre-Bundle-1 GUIs).
                  actor_id:
                    type: string
                    description: Actor identifier for the authenticated request (Bundle 1+).
                  actor_type:
                    type: string
                    enum: [User, System, Agent, APIKey, Anonymous]
                    description: Actor-type discriminator (Bundle 1+).
                  tenant_id:
                    type: string
                    description: Tenant the actor belongs to (Bundle 1 ships single-tenant `t-default`).
                  admin_via_role:
                    type: boolean
                    description: True when the actor holds `r-admin`. Authoritative admin signal under Bundle 1+.
                  roles:
                    type: array
                    items:
                      type: string
                    description: Role IDs (e.g. `r-admin`, `r-viewer`) the actor holds.
                  effective_permissions:
                    type: array
                    items:
                      type: object
                      required: [permission, scope_type]
                      properties:
                        permission:
                          type: string
                          example: cert.bulk_revoke
                        scope_type:
                          type: string
                          enum: [global, profile, issuer]
                        scope_id:
                          type: string
        "401":
          description: Unauthorized
  # ─── Auth / RBAC (Bundle 1 Phase 4) ─────────────────────────────────
  # The RBAC primitive surface for managing roles, permissions, and the
  # role grants assigned to actors (API keys today; OIDC-federated users
  # in Bundle 2). Every mutating route runs through the service layer's
  # privilege-escalation guard — callers need `auth.role.assign` for
  # role grants on actors, `auth.role.create/edit/delete` for the role
  # lifecycle, `auth.key.*` for key management. Read endpoints require
  # `auth.role.list`. The /v1/auth/me endpoint has no permission gate
  # (every authenticated caller can read their own permissions).
  /api/v1/auth/bootstrap:
    get:
      tags: [Auth]
      summary: Probe whether the day-0 bootstrap endpoint is callable
      description: |
        Returns `{available: true}` when CERTCTL_BOOTSTRAP_TOKEN is set
        AND no admin-roled actor exists yet; otherwise `{available: false}`.
        Auth-exempt because it serves the GUI / install one-liner before
        the first admin key has been minted. Bundle 1 Phase 6.
      security: []
      operationId: getAuthBootstrap
      responses:
        "200":
          description: Bootstrap availability
          content:
            application/json:
              schema:
                type: object
                required: [available]
                properties:
                  available:
                    type: boolean
    post:
      tags: [Auth]
      summary: Mint the first admin API key from a one-shot bootstrap token
      description: |
        Operator POSTs the CERTCTL_BOOTSTRAP_TOKEN value plus the desired
        admin-key name. Returns the freshly minted plaintext key value
        once; the server stores only the SHA-256 hash. Subsequent calls
        return 410 Gone (the strategy is one-shot AND the admin-existence
        probe re-closes the door once the new admin lands). Auth-exempt
        because the endpoint authenticates via the bootstrap token
        itself. Bundle 1 Phase 6.
      security: []
      operationId: postAuthBootstrap
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [token, actor_name]
              properties:
                token:
                  type: string
                  description: The CERTCTL_BOOTSTRAP_TOKEN value (constant-time compared server-side).
                actor_name:
                  type: string
                  description: 3-64 chars, lowercase alphanumeric + hyphen + underscore.
                  pattern: "^[a-z0-9][a-z0-9_-]{2,63}$"
      responses:
        "201":
          description: Admin key minted
          content:
            application/json:
              schema:
                type: object
                required: [actor_id, api_key_id, key_value, created_at, message]
                properties:
                  actor_id: { type: string }
                  api_key_id: { type: string }
                  key_value:
                    type: string
                    description: The plaintext API key. Capture this — it is shown only once.
                  created_at: { type: string, format: date-time }
                  message: { type: string }
        "400": { description: Invalid actor_name or malformed body }
        "401": { description: Bootstrap token mismatch }
        "410":
          description: |
            Endpoint disabled. Either CERTCTL_BOOTSTRAP_TOKEN is unset,
            an admin actor already exists, or the strategy was already
            consumed by a successful prior call.
  /api/v1/auth/me:
    get:
      tags: [Auth]
      summary: Current actor's roles + effective permissions
      description: |
        Returns the standing roles + effective permission set for the
        authenticated caller. This is the query the GUI uses to gate
        affordance rendering; /api/v1/auth/check returns the same shape
        on the boot path.
      operationId: getAuthMe
      responses:
        "200":
          description: Caller identity + roles + effective permissions
          content:
            application/json:
              schema:
                type: object
                required: [actor_id, actor_type, tenant_id, admin, roles, effective_permissions]
                properties:
                  actor_id: { type: string }
                  actor_type: { type: string, enum: [User, System, Agent, APIKey, Anonymous] }
                  tenant_id: { type: string }
                  admin: { type: boolean }
                  roles:
                    type: array
                    items: { type: string }
                  effective_permissions:
                    type: array
                    items:
                      type: object
                      required: [permission, scope_type]
                      properties:
                        permission: { type: string }
                        scope_type: { type: string, enum: [global, profile, issuer] }
                        scope_id: { type: string }
        "401":
          description: Unauthorized
  /api/v1/auth/permissions:
    get:
      tags: [Auth]
      summary: List canonical permission catalogue
      description: |
        Returns every permission name registered in the canonical
        catalogue. Used by the GUI's role editor to populate the
        "grant permission" picker. Permission: `auth.role.list`.
      operationId: listAuthPermissions
      responses:
        "200":
          description: Permission catalogue
          content:
            application/json:
              schema:
                type: object
                properties:
                  permissions:
                    type: array
                    items:
                      type: object
                      required: [id, name, namespace]
                      properties:
                        id: { type: string }
                        name: { type: string }
                        namespace: { type: string }
        "401": { description: Unauthorized }
        "403": { description: Forbidden }
  /api/v1/auth/roles:
    get:
      tags: [Auth]
      summary: List roles for the active tenant
      description: Permission `auth.role.list`. Returns every role registered for `t-default` (Bundle 1 single-tenant).
      operationId: listAuthRoles
      responses:
        "200":
          description: Role list
          content:
            application/json:
              schema:
                type: object
                properties:
                  roles:
                    type: array
                    items: { $ref: "#/components/schemas/AuthRole" }
        "401": { description: Unauthorized }
        "403": { description: Forbidden }
    post:
      tags: [Auth]
      summary: Create a custom role
      description: Permission `auth.role.create`. Default roles (`r-admin` / `r-operator` / `r-viewer` / `r-agent` / `r-mcp` / `r-cli` / `r-auditor`) are seeded by migration and immutable.
      operationId: createAuthRole
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [name]
              properties:
                name: { type: string }
                description: { type: string }
      responses:
        "201":
          description: Role created
          content:
            application/json:
              schema: { $ref: "#/components/schemas/AuthRole" }
        "400": { description: Validation error }
        "401": { description: Unauthorized }
        "403": { description: Forbidden }
        "409": { description: Role with that name already exists }
  /api/v1/auth/roles/{id}:
    get:
      tags: [Auth]
      summary: Get a role and its permissions
      description: Permission `auth.role.list`.
      operationId: getAuthRole
      parameters:
        - in: path
          name: id
          required: true
          schema: { type: string }
      responses:
        "200":
          description: Role + permissions
          content:
            application/json:
              schema:
                type: object
                properties:
                  role: { $ref: "#/components/schemas/AuthRole" }
                  permissions:
                    type: array
                    items: { $ref: "#/components/schemas/AuthRolePermission" }
        "401": { description: Unauthorized }
        "403": { description: Forbidden }
        "404": { description: Role not found }
    put:
      tags: [Auth]
      summary: Update a custom role's name or description
      description: Permission `auth.role.edit`. Default roles cannot be renamed.
      operationId: updateAuthRole
      parameters:
        - in: path
          name: id
          required: true
          schema: { type: string }
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                name: { type: string }
                description: { type: string }
      responses:
        "200": { description: Updated }
        "400": { description: Validation error }
        "401": { description: Unauthorized }
        "403": { description: Forbidden }
        "404": { description: Role not found }
        "409": { description: Default role cannot be renamed / name collision }
    delete:
      tags: [Auth]
      summary: Delete a custom role
      description: Permission `auth.role.delete`. Fails with 409 when actors still hold the role (FK ON DELETE RESTRICT).
      operationId: deleteAuthRole
      parameters:
        - in: path
          name: id
          required: true
          schema: { type: string }
      responses:
        "204": { description: Deleted }
        "401": { description: Unauthorized }
        "403": { description: Forbidden }
        "404": { description: Role not found }
        "409": { description: Role still has active actor assignments }
  /api/v1/auth/roles/{id}/permissions:
    post:
      tags: [Auth]
      summary: Grant a permission to a role at a scope
      description: Permission `auth.role.edit`. ScopeType defaults to `global`; per-profile / per-issuer scopes require ScopeID.
      operationId: grantAuthRolePermission
      parameters:
        - in: path
          name: id
          required: true
          schema: { type: string }
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [permission]
              properties:
                permission: { type: string }
                scope_type:
                  type: string
                  enum: [global, profile, issuer]
                  default: global
                scope_id: { type: string }
      responses:
        "204": { description: Granted }
        "400": { description: Permission not in canonical catalogue / scope_id missing for non-global scope }
        "401": { description: Unauthorized }
        "403": { description: Forbidden }
        "404": { description: Role not found }
  /api/v1/auth/roles/{id}/permissions/{perm}:
    delete:
      tags: [Auth]
      summary: Revoke a permission from a role
      description: Permission `auth.role.edit`.
      operationId: revokeAuthRolePermission
      parameters:
        - in: path
          name: id
          required: true
          schema: { type: string }
        - in: path
          name: perm
          required: true
          schema: { type: string }
        - in: query
          name: scope_type
          schema:
            type: string
            enum: [global, profile, issuer]
        - in: query
          name: scope_id
          schema: { type: string }
      responses:
        "204": { description: Revoked }
        "401": { description: Unauthorized }
        "403": { description: Forbidden }
        "404": { description: Role or permission grant not found }
  /api/v1/auth/keys:
    get:
      tags: [Auth]
      summary: List actors with role grants in the active tenant
      description: |
        Returns every distinct (actor_id, actor_type) pair in the
        tenant that holds at least one role grant. Bundle 1 Phase 7
        ships this so the CLI's `auth keys list` and scope-down helper
        can enumerate the operator-key population without joining
        against the env-var-loaded namedKeys directly. Permission
        `auth.role.list`.
      operationId: listAuthKeys
      responses:
        "200":
          description: Actor list with role assignments
          content:
            application/json:
              schema:
                type: object
                properties:
                  keys:
                    type: array
                    items:
                      type: object
                      required: [actor_id, actor_type, tenant_id, role_ids]
                      properties:
                        actor_id: { type: string }
                        actor_type:
                          type: string
                          enum: [User, System, Agent, APIKey, Anonymous]
                        tenant_id: { type: string }
                        role_ids:
                          type: array
                          items: { type: string }
        "401": { description: Unauthorized }
        "403": { description: Forbidden }
  /api/v1/auth/keys/{id}/roles:
    post:
      tags: [Auth]
      summary: Assign a role to an API key
      description: Permission `auth.role.assign`. The reserved `actor-demo-anon` actor cannot be re-assigned.
      operationId: assignAuthKeyRole
      parameters:
        - in: path
          name: id
          required: true
          schema: { type: string }
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [role_id]
              properties:
                role_id: { type: string }
      responses:
        "204": { description: Assigned }
        "400": { description: Validation error }
        "401": { description: Unauthorized }
        "403": { description: Forbidden }
        "404": { description: Role not found }
        "409": { description: Reserved system actor cannot be modified }
  /api/v1/auth/keys/{id}/roles/{role_id}:
    delete:
      tags: [Auth]
      summary: Revoke a role from an API key
      description: Permission `auth.role.assign`. Revoking the synthetic `actor-demo-anon` admin grant is rejected.
      operationId: revokeAuthKeyRole
      parameters:
        - in: path
          name: id
          required: true
          schema: { type: string }
        - in: path
          name: role_id
          required: true
          schema: { type: string }
      responses:
        "204": { description: Revoked }
        "401": { description: Unauthorized }
        "403": { description: Forbidden }
        "404": { description: Role not assigned to actor }
        "409": { description: Reserved system actor cannot be modified }
  /api/v1/version:
    get:
      tags: [Health]
@@ -205,7 +676,7 @@ paths:
                  go_version:
                    type: string
                    description: Go toolchain version that compiled the binary (runtime.Version())
-                    example: go1.25.9
+                    example: go1.25.10
  # ─── Certificates ────────────────────────────────────────────────────
  /api/v1/certificates:
@@ -2708,10 +3179,22 @@ paths:
    get:
      tags: [Audit]
      summary: List audit events
      description: |
        Bundle 1 Phase 8 adds the optional `category` query parameter
        for auditor-role filtering. Allowed values: `cert_lifecycle`
        (cert/agent/deployment events), `auth` (role/key/bootstrap
        mutations), `config` (issuer/target/settings edits). Omitting
        the parameter returns every category.
      operationId: listAuditEvents
      parameters:
        - $ref: "#/components/parameters/page"
        - $ref: "#/components/parameters/per_page"
        - in: query
          name: category
          schema:
            type: string
            enum: [cert_lifecycle, auth, config]
          description: Filter to events of this event_category. (Bundle 1 Phase 8)
      responses:
        "200":
          description: Paginated list of audit events
@@ -2726,6 +3209,8 @@ paths:
                        type: array
                        items:
                          $ref: "#/components/schemas/AuditEvent"
        "400":
          description: Invalid `category` value
        "500":
          $ref: "#/components/responses/InternalError"
@@ -4309,6 +4794,27 @@ components:
      type: http
      scheme: bearer
      description: API key passed as Bearer token. Configure via CERTCTL_AUTH_SECRET.
    # Auth Bundle 2 Phase 5 — session-cookie auth scheme. New
    # session-authenticated endpoints declare
    # `security: [{cookieAuth: []}, {bearerAuth: []}]` (either auth
    # method works, OR semantics). Per Phase 5 spec, the
    # `/auth/oidc/back-channel-logout` endpoint declares `security: []`
    # because auth comes from the IdP-signed logout token in the body,
    # not certctl-issued credentials.
    cookieAuth:
      type: apiKey
      in: cookie
      name: certctl_session
      description: |
        Session cookie minted by `POST /auth/oidc/callback` after a
        successful OIDC handshake (Auth Bundle 2). Wire format
        `v1.<session_id>.<signing_key_id>.<HMAC-SHA256>`; HMAC is
        verified server-side against the active session signing key.
        Cookie attributes: `Secure` `HttpOnly` `SameSite=Lax|Strict`
        (configurable via `CERTCTL_SESSION_SAMESITE`) `Path=/`.
        State-changing requests additionally require the
        `X-CSRF-Token` header to match the SHA-256 hash on the
        session row (validated by the session middleware in Phase 6).
  parameters:
    resourceId:
@@ -4361,6 +4867,45 @@ components:
            $ref: "#/components/schemas/ErrorResponse"
  schemas:
    # ─── Auth / RBAC (Bundle 1 Phase 4) ─────────────────────────────
    AuthRole:
      type: object
      required: [id, tenant_id, name]
      properties:
        id:
          type: string
          description: Role ID (`r-` prefix).
          example: r-admin
        tenant_id:
          type: string
          example: t-default
        name:
          type: string
          example: admin
        description:
          type: string
        created_at:
          type: string
          format: date-time
        updated_at:
          type: string
          format: date-time
    AuthRolePermission:
      type: object
      required: [role_id, permission_id, scope_type]
      properties:
        role_id:
          type: string
        permission_id:
          type: string
        scope_type:
          type: string
          enum: [global, profile, issuer]
        scope_id:
          type: string
          description: NULL/absent for global scope; profile/issuer ID otherwise.
    # ─── Approvals ───────────────────────────────────────────────────
    ApprovalRequest:
      type: object
@@ -5311,6 +5856,13 @@ components:
        timestamp:
          type: string
          format: date-time
        event_category:
          type: string
          enum: [cert_lifecycle, auth, config]
          description: |
            Bundle 1 Phase 8: classifies the event for auditor-role
            filtering. Empty / absent on rows from pre-Phase-8
            deployments (the migration backfills "cert_lifecycle").
    # ─── Notifications ───────────────────────────────────────────────
    NotificationType:
@@ -111,6 +111,8 @@ Examples:
 		err = handleEST(client, cmdArgs)
 	case "status":
 		err = handleStatus(client)
 	case "auth":
 		err = handleAuth(client, cmdArgs)
 	case "version":
 		fmt.Println("certctl-cli version 0.1.0")
 	default:
@@ -364,3 +366,123 @@ func validateHTTPSScheme(serverURL string) error {
 		return fmt.Errorf("server URL %q uses unsupported scheme %q — expected https://", serverURL, u.Scheme)
 	}
 }
 // handleAuth dispatches the `certctl-cli auth ...` subcommand tree.
 // Bundle 1 Phase 5: ships read + grant operations against the
 // /api/v1/auth/* surface introduced in Phase 4. Mutations like role
 // create / update / delete can be added in a Phase 5.5 follow-up; this
 // commit ships the operator-facing subset most useful for migration
 // and day-2 scope-down (`auth keys list` + `auth keys assign` +
 // `auth me`).
 func handleAuth(client *cli.Client, args []string) error {
 	if len(args) == 0 {
 		fmt.Fprintf(os.Stderr, "usage: auth <roles|permissions|keys|me> [...]\n")
 		return nil
 	}
 	subcommand := args[0]
 	subArgs := args[1:]
 	switch subcommand {
 	case "roles":
 		return handleAuthRoles(client, subArgs)
 	case "permissions":
 		return handleAuthPermissions(client, subArgs)
 	case "keys":
 		return handleAuthKeys(client, subArgs)
 	case "me":
 		return client.AuthMe()
 	default:
 		fmt.Fprintf(os.Stderr, "unknown auth subcommand: %s\n", subcommand)
 		return nil
 	}
 }
 func handleAuthRoles(client *cli.Client, args []string) error {
 	if len(args) == 0 {
 		fmt.Fprintf(os.Stderr, "usage: auth roles <list|get> [id]\n")
 		return nil
 	}
 	switch args[0] {
 	case "list":
 		return client.AuthListRoles()
 	case "get":
 		if len(args) < 2 {
 			fmt.Fprintf(os.Stderr, "usage: auth roles get <id>\n")
 			return nil
 		}
 		return client.AuthGetRole(args[1])
 	default:
 		fmt.Fprintf(os.Stderr, "unknown roles subcommand: %s\n", args[0])
 		return nil
 	}
 }
 func handleAuthPermissions(client *cli.Client, args []string) error {
 	if len(args) == 0 || args[0] != "list" {
 		fmt.Fprintf(os.Stderr, "usage: auth permissions list\n")
 		return nil
 	}
 	return client.AuthListPermissions()
 }
 func handleAuthKeys(client *cli.Client, args []string) error {
 	if len(args) == 0 {
 		fmt.Fprintf(os.Stderr, "usage: auth keys <list|assign|revoke|scope-down> [...]\n")
 		return nil
 	}
 	switch args[0] {
 	case "list":
 		return client.AuthListKeys()
 	case "assign":
 		// auth keys assign <key-id> --role <role-id>
 		if len(args) < 4 || args[2] != "--role" {
 			fmt.Fprintf(os.Stderr, "usage: auth keys assign <key-id> --role <role-id>\n")
 			return nil
 		}
 		return client.AuthAssignRoleToKey(args[1], args[3])
 	case "revoke":
 		// auth keys revoke <key-id> --role <role-id>
 		if len(args) < 4 || args[2] != "--role" {
 			fmt.Fprintf(os.Stderr, "usage: auth keys revoke <key-id> --role <role-id>\n")
 			return nil
 		}
 		return client.AuthRevokeRoleFromKey(args[1], args[3])
 	case "scope-down":
 		// Bundle 1 Phase 7 — interactive (default), --non-interactive
 		// <config.json>, or --suggest [--apply].
 		return handleAuthKeysScopeDown(client, args[1:])
 	default:
 		fmt.Fprintf(os.Stderr, "unknown keys subcommand: %s\n", args[0])
 		return nil
 	}
 }
 // handleAuthKeysScopeDown dispatches the three scope-down modes:
 //
 //	auth keys scope-down                              → interactive
 //	auth keys scope-down --non-interactive <config>   → JSON-driven
 //	auth keys scope-down --suggest [--apply]          → audit-driven suggestions
 func handleAuthKeysScopeDown(client *cli.Client, args []string) error {
 	if len(args) == 0 {
 		return client.AuthScopeDown()
 	}
 	switch args[0] {
 	case "--non-interactive":
 		if len(args) < 2 {
 			fmt.Fprintf(os.Stderr, "usage: auth keys scope-down --non-interactive <config.json>\n")
 			return nil
 		}
 		return client.AuthScopeDownNonInteractive(args[1])
 	case "--suggest":
 		apply := false
 		for _, a := range args[1:] {
 			if a == "--apply" {
 				apply = true
 			}
 		}
 		return client.AuthScopeDownSuggest(apply)
 	default:
 		fmt.Fprintf(os.Stderr, "unknown scope-down flag: %s\n", args[0])
 		return nil
 	}
 }
@@ -0,0 +1,105 @@
 package main
 import (
 	"context"
 	"fmt"
 	"log/slog"
 	"strings"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/config"
 	"github.com/certctl-io/certctl/internal/domain"
 	authdomain "github.com/certctl-io/certctl/internal/domain/auth"
 )
 // assembleNamedAPIKeys translates the operator's CERTCTL_API_KEYS_NAMED
 // env-var (preferred) or CERTCTL_AUTH_SECRET (legacy) into the
 // auth.NamedAPIKey slice the rest of the boot path consumes.
 //
 // Authentication unification (M-002): every authenticated request now
 // carries a named actor in the request context so audit events record
 // the real key identity instead of the hardcoded "api-key-user"
 // string. Named keys come from CERTCTL_API_KEYS_NAMED (preferred). For
 // backward compatibility CERTCTL_AUTH_SECRET is synthesized into
 // legacy-key-N entries with Admin=false.
 func assembleNamedAPIKeys(cfg *config.Config, logger *slog.Logger) []auth.NamedAPIKey {
 	if config.AuthType(cfg.Auth.Type) == config.AuthTypeNone {
 		return nil
 	}
 	var out []auth.NamedAPIKey
 	for _, nk := range cfg.Auth.NamedKeys {
 		out = append(out, auth.NamedAPIKey{
 			Name:  nk.Name,
 			Key:   nk.Key,
 			Admin: nk.Admin,
 		})
 	}
 	if len(out) == 0 && cfg.Auth.Secret != "" {
 		idx := 0
 		for _, p := range strings.Split(cfg.Auth.Secret, ",") {
 			p = strings.TrimSpace(p)
 			if p == "" {
 				continue
 			}
 			out = append(out, auth.NamedAPIKey{
 				Name:  fmt.Sprintf("legacy-key-%d", idx),
 				Key:   p,
 				Admin: false,
 			})
 			idx++
 		}
 		if len(out) > 0 && logger != nil {
 			logger.Warn("CERTCTL_AUTH_SECRET is deprecated — set CERTCTL_API_KEYS_NAMED for named actor attribution and admin gating",
 				"synthesized_keys", len(out))
 		}
 	}
 	return out
 }
 // actorRoleGranter is the narrow interface backfillNamedKeyActorRoles
 // needs from the postgres ActorRoleRepository. Pulled out so the unit
 // test can inject a fake without spinning up the full repo / DB.
 type actorRoleGranter interface {
 	Grant(ctx context.Context, ar *authdomain.ActorRole) error
 }
 // backfillNamedKeyActorRoles is the Bundle 1 Phase 3 closure (C2)
 // startup hook that ensures every CERTCTL_API_KEYS_NAMED entry — and
 // every legacy CERTCTL_AUTH_SECRET synthesized fallback — has an
 // actor_roles row before the HTTP server accepts requests. Admin-flagged
 // keys grant `r-admin` (full canonical permission set); non-admin keys
 // grant `r-viewer` (read-only surface), matching the pre-Phase-3.5
 // capability shape.
 //
 // Idempotent via ON CONFLICT DO NOTHING in the repo Grant — reboots
 // don't create duplicates. Failures are logged but non-fatal: the server
 // still starts, and the operator can fix the grant via the RBAC API.
 //
 // The function is package-private + extracted from main() so the unit
 // test in auth_backfill_test.go can pin the role-mapping invariant
 // without depending on the full server bootstrap path.
 func backfillNamedKeyActorRoles(
 	ctx context.Context,
 	repo actorRoleGranter,
 	keys []auth.NamedAPIKey,
 	logger *slog.Logger,
 ) {
 	for _, nk := range keys {
 		role := authdomain.RoleIDViewer
 		if nk.Admin {
 			role = authdomain.RoleIDAdmin
 		}
 		if err := repo.Grant(ctx, &authdomain.ActorRole{
 			ActorID:   nk.Name,
 			ActorType: authdomain.ActorTypeValue(domain.ActorTypeAPIKey),
 			RoleID:    role,
 			TenantID:  authdomain.DefaultTenantID,
 			GrantedBy: "bootstrap",
 		}); err != nil {
 			if logger != nil {
 				logger.Warn("api-key actor-role backfill failed; key authenticates but RBAC routes will 403 until grant is added via /v1/auth/keys",
 					"key", nk.Name, "role", role, "err", err)
 			}
 		}
 	}
 }
@@ -0,0 +1,116 @@
 package main
 import (
 	"context"
 	"errors"
 	"io"
 	"log/slog"
 	"testing"
 	"github.com/certctl-io/certctl/internal/auth"
 	authdomain "github.com/certctl-io/certctl/internal/domain/auth"
 )
 // fakeGranter is a tiny in-memory stand-in for the postgres ActorRoleRepository
 // — enough surface area for backfillNamedKeyActorRoles to call Grant against.
 type fakeGranter struct {
 	calls []*authdomain.ActorRole
 	err   error
 }
 func (f *fakeGranter) Grant(_ context.Context, ar *authdomain.ActorRole) error {
 	f.calls = append(f.calls, ar)
 	return f.err
 }
 // TestBackfillNamedKeyActorRoles_RoleMapping pins the Bundle 1 Phase 3
 // closure (C2) invariant: admin-flagged named keys grant r-admin,
 // non-admin keys grant r-viewer, both at TenantID t-default with
 // ActorType APIKey and GrantedBy=bootstrap.
 func TestBackfillNamedKeyActorRoles_RoleMapping(t *testing.T) {
 	repo := &fakeGranter{}
 	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
 	keys := []auth.NamedAPIKey{
 		{Name: "alice-admin", Key: "AAA", Admin: true},
 		{Name: "bob-viewer", Key: "BBB", Admin: false},
 		{Name: "carol-admin", Key: "CCC", Admin: true},
 	}
 	backfillNamedKeyActorRoles(context.Background(), repo, keys, logger)
 	if len(repo.calls) != 3 {
 		t.Fatalf("Grant call count = %d, want 3", len(repo.calls))
 	}
 	type want struct {
 		actor, role string
 	}
 	wants := []want{
 		{actor: "alice-admin", role: authdomain.RoleIDAdmin},
 		{actor: "bob-viewer", role: authdomain.RoleIDViewer},
 		{actor: "carol-admin", role: authdomain.RoleIDAdmin},
 	}
 	for i, w := range wants {
 		got := repo.calls[i]
 		if got.ActorID != w.actor {
 			t.Errorf("call[%d].ActorID = %q, want %q", i, got.ActorID, w.actor)
 		}
 		if got.RoleID != w.role {
 			t.Errorf("call[%d].RoleID = %q, want %q", i, got.RoleID, w.role)
 		}
 		if got.TenantID != authdomain.DefaultTenantID {
 			t.Errorf("call[%d].TenantID = %q, want %q", i, got.TenantID, authdomain.DefaultTenantID)
 		}
 		if string(got.ActorType) != "APIKey" {
 			t.Errorf("call[%d].ActorType = %q, want APIKey", i, got.ActorType)
 		}
 		if got.GrantedBy != "bootstrap" {
 			t.Errorf("call[%d].GrantedBy = %q, want bootstrap", i, got.GrantedBy)
 		}
 	}
 }
 // TestBackfillNamedKeyActorRoles_EmptyKeysIsNoOp confirms the boot path
 // is safe when no named keys are configured (typical CERTCTL_AUTH_TYPE=
 // none deploy). No Grant calls; no panic.
 func TestBackfillNamedKeyActorRoles_EmptyKeysIsNoOp(t *testing.T) {
 	repo := &fakeGranter{}
 	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
 	backfillNamedKeyActorRoles(context.Background(), repo, nil, logger)
 	if len(repo.calls) != 0 {
 		t.Errorf("Grant called %d times for empty keys, want 0", len(repo.calls))
 	}
 }
 // TestBackfillNamedKeyActorRoles_GrantErrorIsNonFatal confirms the
 // closure invariant that a Grant failure logs a warning and proceeds
 // rather than crashing the server during boot. Subsequent keys still
 // get processed.
 func TestBackfillNamedKeyActorRoles_GrantErrorIsNonFatal(t *testing.T) {
 	repo := &fakeGranter{err: errors.New("simulated DB error")}
 	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
 	keys := []auth.NamedAPIKey{
 		{Name: "alice", Key: "A", Admin: true},
 		{Name: "bob", Key: "B", Admin: false},
 	}
 	// Should not panic.
 	backfillNamedKeyActorRoles(context.Background(), repo, keys, logger)
 	if len(repo.calls) != 2 {
 		t.Errorf("Grant calls = %d, want 2 (every key processed even when prior Grant errored)", len(repo.calls))
 	}
 }
 // TestBackfillNamedKeyActorRoles_NilLoggerIsSafe pins that callers
 // passing nil for the logger don't NPE the goroutine. Belt-and-braces
 // for tests + future call sites that may not have a logger plumbed.
 func TestBackfillNamedKeyActorRoles_NilLoggerIsSafe(t *testing.T) {
 	repo := &fakeGranter{err: errors.New("simulated")}
 	keys := []auth.NamedAPIKey{
 		{Name: "alice", Key: "A", Admin: true},
 	}
 	backfillNamedKeyActorRoles(context.Background(), repo, keys, nil)
 	if len(repo.calls) != 1 {
 		t.Errorf("Grant calls = %d, want 1", len(repo.calls))
 	}
 }
@@ -5,6 +5,7 @@ import (
 	"crypto"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"log/slog"
@@ -21,6 +22,13 @@ import (
 	"github.com/certctl-io/certctl/internal/api/handler"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/api/router"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/auth/bootstrap"
 	"github.com/certctl-io/certctl/internal/auth/breakglass"
 	oidcsvc "github.com/certctl-io/certctl/internal/auth/oidc"
 	oidcdomain "github.com/certctl-io/certctl/internal/auth/oidc/domain"
 	"github.com/certctl-io/certctl/internal/auth/session"
 	userdomain "github.com/certctl-io/certctl/internal/auth/user/domain"
 	"github.com/certctl-io/certctl/internal/config"
 	discoveryawssm "github.com/certctl-io/certctl/internal/connector/discovery/awssm"
 	discoveryazurekv "github.com/certctl-io/certctl/internal/connector/discovery/azurekv"
@@ -32,11 +40,14 @@ import (
 	notifyteams "github.com/certctl-io/certctl/internal/connector/notifier/teams"
 	"github.com/certctl-io/certctl/internal/crypto/signer"
 	"github.com/certctl-io/certctl/internal/domain"
 	authdomainAlias "github.com/certctl-io/certctl/internal/domain/auth"
 	"github.com/certctl-io/certctl/internal/ratelimit"
 	"github.com/certctl-io/certctl/internal/repository"
 	"github.com/certctl-io/certctl/internal/repository/postgres"
 	"github.com/certctl-io/certctl/internal/scep/intune"
 	"github.com/certctl-io/certctl/internal/scheduler"
 	"github.com/certctl-io/certctl/internal/service"
 	authsvc "github.com/certctl-io/certctl/internal/service/auth"
 	"github.com/certctl-io/certctl/internal/trustanchor"
 )
@@ -58,9 +69,22 @@ func main() {
 	// unsupported auth shape. The error path uses fmt.Fprintf because
 	// the slog logger is constructed from cfg below this point; we want
 	// the failure to be visible regardless of log-level configuration.
 	//
 	// Auth Bundle 2 Phase 0: AuthTypeOIDC is in ValidAuthTypes() but the
 	// session middleware + OIDC handler chain ship in later phases. An
 	// operator who sets CERTCTL_AUTH_TYPE=oidc on a Bundle-2-incomplete
 	// deployment must NOT silently fall back to api-key (the silent
 	// auth-downgrade failure mode that drove G-1 in the first place).
 	// The OIDC case below refuses-to-start with an actionable message.
 	// Phase 6 of Bundle 2 (session middleware wiring) relaxes this case
 	// to fall through alongside the api-key + none cases.
 	switch config.AuthType(cfg.Auth.Type) {
 	case config.AuthTypeAPIKey, config.AuthTypeNone:
 		// ok — fall through
 	case config.AuthTypeOIDC:
 		fmt.Fprintf(os.Stderr,
 			"CERTCTL_AUTH_TYPE=oidc: the OIDC auth chain is not yet wired in this build (Auth Bundle 2 Phase 6 ships the session middleware that consumes this auth-type literal). Set CERTCTL_AUTH_TYPE=api-key or run an authenticating gateway with CERTCTL_AUTH_TYPE=none until Bundle 2 lands. See cowork/auth-bundle-2-prompt.md.\n")
 		os.Exit(1)
 	default:
 		fmt.Fprintf(os.Stderr,
 			"unsupported auth type at runtime: %q (valid: %v) — config validation should have caught this; refusing to start\n",
@@ -251,6 +275,301 @@ func main() {
 	// Initialize services (following the dependency graph)
 	auditService := service.NewAuditService(auditRepo)
 	// Audit 2026-05-11 A-8 closure: detect residual actor-demo-anon
 	// grants under non-`none` auth types. Defaults to WARN-only; flip
 	// CERTCTL_DEMO_MODE_RESIDUAL_STRICT=true to fail-closed. Closes
 	// the deferred Phase 2 leg of the 2026-05-10 HIGH-12 closure.
 	{
 		preflightCtx, preflightCancel := context.WithTimeout(context.Background(), 5*time.Second)
 		if err := preflightDemoModeResidual(preflightCtx, cfg, db, auditService, logger); err != nil {
 			preflightCancel()
 			logger.Error("startup refused: actor-demo-anon residual grants present + CERTCTL_DEMO_MODE_RESIDUAL_STRICT=true",
 				"error", err)
 			os.Exit(1)
 		}
 		preflightCancel()
 	}
 	// RBAC primitive (Bundle 1 Phase 4). Wires the postgres auth repos
 	// + service-layer Authorizer that the AuthHandler / RequirePermission
 	// middleware uses. Migration 000029_rbac.up.sql provides the schema
 	// and seeds the seven default roles + canonical permission catalogue
 	// + actor-demo-anon synthetic admin (CERTCTL_AUTH_TYPE=none demo path).
 	authRoleRepo := postgres.NewRoleRepository(db)
 	authPermRepo := postgres.NewPermissionRepository(db)
 	authActorRoleRepo := postgres.NewActorRoleRepository(db)
 	authAPIKeyRepo := postgres.NewAPIKeyRepository(db)
 	authAuthorizer := authsvc.NewAuthorizer(authActorRoleRepo)
 	// authCheckerAdapter bridges authsvc.Authorizer (typed-string args)
 	// to the auth.PermissionChecker interface (plain-string args) so
 	// internal/auth doesn't have to import internal/service/auth.
 	authCheckerAdapter := authPermissionCheckerAdapter{a: authAuthorizer}
 	// Bundle 1 Phase 6 — parse env-var named API keys + assemble the
 	// runtime keystore + wire the bootstrap service. The keystore +
 	// bootstrap handler must exist before the HandlerRegistry is
 	// constructed below; the auth middleware that reads from the same
 	// keystore is wired further down (next to the rest of the
 	// middleware stack) but holds a reference to the same keystore so
 	// runtime additions from bootstrap propagate without restart.
 	//
 	// boot-path operations use context.Background() because the long-
 	// lived request context isn't constructed until later in main();
 	// this matches the convention used by other one-shot setup calls
 	// in this section (issuerService.SeedFromEnvVars, etc.).
 	bootCtx := context.Background()
 	namedKeys := assembleNamedAPIKeys(cfg, logger)
 	backfillNamedKeyActorRoles(bootCtx, authActorRoleRepo, namedKeys, logger)
 	authKeyStore := auth.NewMutableKeyStore(namedKeys)
 	if persistedKeys, err := authAPIKeyRepo.List(bootCtx, authdomainAlias.DefaultTenantID); err == nil {
 		for _, pk := range persistedKeys {
 			authKeyStore.AddHashed(pk.Name, pk.KeyHash, pk.Admin)
 		}
 		if len(persistedKeys) > 0 {
 			logger.Info("loaded persisted api_keys into runtime keystore",
 				"count", len(persistedKeys))
 		}
 	} else {
 		logger.Warn("api_keys boot loader failed; bootstrap-minted keys will not authenticate until next restart that succeeds",
 			"err", err)
 	}
 	bootstrapStrategy := bootstrap.NewEnvTokenStrategy(
 		cfg.Auth.BootstrapToken,
 		func(ctx context.Context) (bool, error) {
 			return authActorRoleRepo.AdminExists(ctx, authdomainAlias.DefaultTenantID)
 		},
 	)
 	bootstrapService := bootstrap.NewService(
 		bootstrapStrategy,
 		authAPIKeyRepo,
 		authActorRoleRepo,
 		auditService,
 		authKeyStore,
 		auth.HashAPIKey,
 	)
 	if cfg.Auth.BootstrapToken != "" {
 		// Honour the prompt's "warn at startup if token set + admin
 		// exists" requirement. The strategy re-probes on every Validate
 		// so this boot-time warning is purely informational.
 		if exists, probeErr := authActorRoleRepo.AdminExists(bootCtx, authdomainAlias.DefaultTenantID); probeErr == nil && exists {
 			logger.Warn("CERTCTL_BOOTSTRAP_TOKEN set but admin actors already exist; bootstrap endpoint will return 410 Gone — unset the env var to silence this warning")
 		} else if probeErr != nil {
 			logger.Warn("CERTCTL_BOOTSTRAP_TOKEN admin-existence probe failed at startup; behaviour will be determined by the live probe at request time", "err", probeErr)
 		} else {
 			logger.Info("bootstrap endpoint enabled — POST /api/v1/auth/bootstrap to mint the first admin key (one-shot)")
 		}
 	}
 	bootstrapHandler := handler.NewBootstrapHandler(bootstrapService)
 	// =========================================================================
 	// Auth Bundle 2 Phase 4 — session service.
 	//
 	// Wired AFTER migrations + RBAC backfill, BEFORE the HTTP listener
 	// binds (per the prompt's "fail-fatal on bootstrap key mint failure"
 	// requirement). EnsureInitialSigningKey is idempotent: if a non-
 	// retired signing key already exists for the tenant the call is a
 	// no-op; otherwise it mints a fresh 32-byte HMAC key, persists it,
 	// and emits an auth.session_signing_key_bootstrap audit row with
 	// event_category=auth.
 	//
 	// Failure here is fatal — the server refuses to boot rather than
 	// serve session-less.
 	//
 	// The session service is wired into the scheduler below (sessionGCLoop)
 	// so the GC sweep runs every CERTCTL_SESSION_GC_INTERVAL tick. The
 	// HTTP middleware that consumes ValidateInput / ValidateCSRF lands
 	// in Phase 5; pre-Phase-5 deployments boot the service so the GC
 	// sweep can keep the sessions + signing-keys tables tidy.
 	sessionRepo := postgres.NewSessionRepository(db)
 	sessionKeyRepo := postgres.NewSessionSigningKeyRepository(db)
 	// Audit 2026-05-10 LOW-5 closure — install the trusted-proxy CIDR
 	// allowlist from CERTCTL_TRUSTED_PROXIES. Empty disables XFF trust.
 	session.SetTrustedProxies(cfg.Auth.TrustedProxies)
 	sessionService := session.NewService(
 		sessionRepo,
 		sessionKeyRepo,
 		auditService,
 		authdomainAlias.DefaultTenantID,
 		session.Config{
 			IdleTimeout:         cfg.Auth.Session.IdleTimeout,
 			AbsoluteTimeout:     cfg.Auth.Session.AbsoluteTimeout,
 			SigningKeyRetention: cfg.Auth.Session.SigningKeyRetention,
 			BindIP:              cfg.Auth.Session.BindIP,
 			BindUserAgent:       cfg.Auth.Session.BindUserAgent,
 		},
 		cfg.Encryption.ConfigEncryptionKey,
 	)
 	if err := sessionService.EnsureInitialSigningKey(bootCtx); err != nil {
 		logger.Error("FATAL: session signing key bootstrap failed; refusing to boot", "err", err)
 		os.Exit(1)
 	}
 	// =========================================================================
 	// Auth Bundle 2 Phase 5 — OIDC service + pre-login store + Phase 5 handler.
 	//
 	// Wired AFTER sessionService (Phase 4) so the OIDC PreLoginAdapter
 	// can sign pre-login cookies under the active SessionSigningKey.
 	// =========================================================================
 	oidcProviderRepo := postgres.NewOIDCProviderRepository(db)
 	oidcMappingRepo := postgres.NewGroupRoleMappingRepository(db)
 	oidcUserRepo := postgres.NewUserRepository(db)
 	// Audit 2026-05-10 HIGH-5: thread CERTCTL_CONFIG_ENCRYPTION_KEY into the
 	// pre-login repo so state/nonce/PKCE-verifier are encrypted at rest. Same
 	// key already protects OIDC client secrets and session signing keys.
 	oidcPreLoginRepo := postgres.NewPreLoginRepository(db, cfg.Encryption.ConfigEncryptionKey)
 	preLoginAdapter := oidcsvc.NewPreLoginAdapter(
 		oidcPreLoginRepo,
 		sessionKeyRepo, // Phase 4 SessionSigningKeyRepository
 		authdomainAlias.DefaultTenantID,
 		cfg.Encryption.ConfigEncryptionKey,
 	)
 	// SessionMinter port for the OIDC service. The OIDC HandleCallback
 	// uses this to mint the post-login session after successful token
 	// validation + group→role mapping.
 	oidcSessionMinter := &sessionMinterAdapter{svc: sessionService}
 	oidcService := oidcsvc.NewService(
 		oidcProviderRepo,
 		oidcMappingRepo,
 		oidcUserRepo,
 		oidcSessionMinter,
 		preLoginAdapter,
 		cfg.Encryption.ConfigEncryptionKey,
 	)
 	// Audit 2026-05-10 MED-16 — apply per-leg pre-login UA / IP
 	// binding enforcement toggles from config.
 	oidcService.SetPreLoginBindingRequirements(
 		cfg.Auth.OIDCPreLoginRequireUA,
 		cfg.Auth.OIDCPreLoginRequireIP,
 	)
 	// SameSite resolution from CERTCTL_SESSION_SAMESITE (default Lax;
 	// "Strict" for high-security environments at the cost of breaking
 	// inbound deep-links from external apps).
 	sameSiteMode := http.SameSiteLaxMode
 	if strings.EqualFold(cfg.Auth.Session.SameSite, "Strict") {
 		sameSiteMode = http.SameSiteStrictMode
 	}
 	// Audit 2026-05-10 HIGH-3 — BCL iat-skew window + jti consumed-set.
 	bclMaxAge := time.Duration(cfg.Auth.OIDCBCLMaxAgeSeconds) * time.Second
 	if bclMaxAge <= 0 {
 		bclMaxAge = handler.DefaultBCLVerifierMaxAge
 	}
 	bclReplayRepo := postgres.NewBCLReplayRepository(db)
 	authSessionOIDCHandler := handler.NewAuthSessionOIDCHandler(
 		oidcService,
 		sessionService,
 		handler.NewDefaultBCLVerifier(oidcProviderRepo, authdomainAlias.DefaultTenantID, nil).WithMaxAge(bclMaxAge),
 		oidcProviderRepo,
 		oidcMappingRepo,
 		sessionRepo,
 		oidcUserRepo, // CRIT-2: BCL sub→actor_id lookup via users.GetByOIDCSubject
 		auditService,
 		cfg.Encryption.ConfigEncryptionKey,
 		authdomainAlias.DefaultTenantID,
 		"/", // post-login redirect target; GUI dashboard
 		handler.SessionCookieAttrs{
 			SameSite: sameSiteMode,
 			Secure:   true,
 		},
 	).WithBCLReplayConsumer(bclReplayRepo, bclMaxAge). // HIGH-3 jti consumed-set.
 								WithPermissionChecker(authCheckerAdapter) // MED-2 auth.session.list.all gate.
 	// =========================================================================
 	// Auth Bundle 2 Phase 7 — OIDC first-admin bootstrap hook.
 	//
 	// Wired AFTER oidcService is constructed. The hook closure consults
 	// the configured CERTCTL_BOOTSTRAP_ADMIN_GROUPS + the AdminExists
 	// probe; on first match it grants r-admin via the ActorRoleRepository
 	// + emits a bootstrap.oidc_first_admin audit row. Subsequent
 	// admin-already-exists logins return grantAdmin=false silently.
 	// Disabled (no-op) when CERTCTL_BOOTSTRAP_ADMIN_GROUPS is empty.
 	if len(cfg.Auth.BootstrapAdminGroups) > 0 {
 		bootstrapGroups := make(map[string]struct{}, len(cfg.Auth.BootstrapAdminGroups))
 		for _, g := range cfg.Auth.BootstrapAdminGroups {
 			bootstrapGroups[strings.TrimSpace(g)] = struct{}{}
 		}
 		bootstrapProviderID := cfg.Auth.BootstrapOIDCProviderID
 		oidcService.SetAdminBootstrapHook(func(ctx context.Context, providerID string, groups []string, userID string) (bool, error) {
 			// Provider-specificity: when configured, only the named
 			// provider is eligible for bootstrap.
 			if bootstrapProviderID != "" && providerID != bootstrapProviderID {
 				return false, nil
 			}
 			// Admin-already-exists: bootstrap mode is disabled once
 			// any actor in the tenant holds r-admin.
 			adminExists, probeErr := authActorRoleRepo.AdminExists(ctx, authdomainAlias.DefaultTenantID)
 			if probeErr != nil {
 				return false, fmt.Errorf("admin existence probe: %w", probeErr)
 			}
 			if adminExists {
 				return false, nil
 			}
 			// Group intersection check.
 			matched := false
 			for _, g := range groups {
 				if _, ok := bootstrapGroups[g]; ok {
 					matched = true
 					break
 				}
 			}
 			if !matched {
 				return false, nil
 			}
 			// Match. Grant r-admin via the actor-role repo.
 			grant := &authdomainAlias.ActorRole{
 				ActorID:   userID,
 				ActorType: authdomainAlias.ActorTypeValue("User"),
 				RoleID:    authdomainAlias.RoleIDAdmin,
 				TenantID:  authdomainAlias.DefaultTenantID,
 				GrantedBy: "oidc-bootstrap",
 			}
 			if gerr := authActorRoleRepo.Grant(ctx, grant); gerr != nil {
 				return false, fmt.Errorf("grant r-admin: %w", gerr)
 			}
 			// Emit audit row with event_category=auth.
 			_ = auditService.RecordEventWithCategory(ctx, userID, domain.ActorTypeUser,
 				"bootstrap.oidc_first_admin", domain.EventCategoryAuth,
 				"users", userID,
 				map[string]interface{}{
 					"user_id":     userID,
 					"provider_id": providerID,
 					"trigger":     "oidc_group_match",
 				})
 			logger.Info("OIDC first-admin bootstrap fired — user granted r-admin",
 				"user_id", userID, "provider_id", providerID)
 			return true, nil
 		})
 		logger.Info("OIDC first-admin bootstrap enabled",
 			"groups", cfg.Auth.BootstrapAdminGroups,
 			"provider_id_filter", bootstrapProviderID)
 	}
 	// =========================================================================
 	// Auth Bundle 2 Phase 7.5 — break-glass admin service + handler.
 	// =========================================================================
 	breakglassRepo := postgres.NewBreakglassCredentialRepository(db)
 	breakglassService := breakglass.NewService(
 		breakglassRepo,
 		auditService,
 		breakglassSessionMinterAdapter{svc: sessionService},
 		breakglass.Config{
 			Enabled:              cfg.Auth.Breakglass.Enabled,
 			LockoutThreshold:     cfg.Auth.Breakglass.LockoutThreshold,
 			LockoutDuration:      cfg.Auth.Breakglass.LockoutDuration,
 			LockoutResetInterval: cfg.Auth.Breakglass.LockoutResetInterval,
 		},
 		authdomainAlias.DefaultTenantID,
 	)
 	breakglassHandler := handler.NewAuthBreakglassHandler(breakglassService, handler.SessionCookieAttrs{
 		SameSite: sameSiteMode,
 		Secure:   true,
 	})
 	if cfg.Auth.Breakglass.Enabled {
 		logger.Warn("CERTCTL_BREAKGLASS_ENABLED=true — break-glass admin path is ACTIVE; this bypasses SSO. Disable in steady-state.",
 			"lockout_threshold", cfg.Auth.Breakglass.LockoutThreshold,
 			"lockout_duration", cfg.Auth.Breakglass.LockoutDuration.String())
 	}
 	policyService := service.NewPolicyService(policyRepo, auditService)
 	policyService.SetCertRepo(certificateRepo) // D-008: CertificateLifetime arm needs CertificateVersion.NotBefore/NotAfter
 	// G-1: RenewalPolicyService — distinct from PolicyService (compliance rules).
@@ -483,6 +802,36 @@ func main() {
 	defer issuerRegistry.StopLifecycles()
 	targetService := service.NewTargetService(targetRepo, auditService, agentRepo, encryptionKey, logger)
 	profileService := service.NewProfileService(profileRepo, auditService)
 	// Bundle 1 Phase 9 — approval-bypass closure. Wire the profile
 	// service's gate to the existing ApprovalService so edits to a
 	// RequiresApproval=true profile route through the four-eyes
 	// workflow. The profile-edit-apply callback registered on the
 	// ApprovalService closes the loop: when an approver decides,
 	// the callback deserializes req.Payload and persists the diff.
 	profileService.SetApprovalService(approvalService)
 	approvalService.SetProfileEditApply(func(ctx context.Context, req *domain.ApprovalRequest) error {
 		var pendingProfile domain.CertificateProfile
 		if err := json.Unmarshal(req.Payload, &pendingProfile); err != nil {
 			return fmt.Errorf("decode profile-edit payload: %w", err)
 		}
 		pendingProfile.ID = req.ProfileID
 		if err := profileRepo.Update(ctx, &pendingProfile); err != nil {
 			return fmt.Errorf("apply profile-edit diff: %w", err)
 		}
 		// Audit row category=auth so the auditor surface keeps the
 		// approval-decision history grouped with the request side.
 		if auditService != nil {
 			_ = auditService.RecordEventWithCategory(ctx, "approval-system",
 				domain.ActorTypeSystem, "profile.edit_applied",
 				domain.EventCategoryAuth, "certificate_profile",
 				req.ProfileID,
 				map[string]interface{}{
 					"approval_id":  req.ID,
 					"requested_by": req.RequestedBy,
 				})
 		}
 		return nil
 	})
 	teamService := service.NewTeamService(teamRepo, auditService)
 	ownerService := service.NewOwnerService(ownerRepo, auditService)
 	agentGroupRepo := postgres.NewAgentGroupRepository(db)
@@ -661,6 +1010,18 @@ func main() {
 	// Bundle-5 / H-006: pass the *sql.DB pool so /ready can probe DB
 	// connectivity via PingContext. /health stays shallow (liveness signal).
 	healthHandler := handler.NewHealthHandler(cfg.Auth.Type, db)
 	// Bundle 1 Phase 3 closure (M1): wire the AuthCheckResolver so
 	// /v1/auth/check returns the caller's standing roles + effective
 	// permissions in the same response. The shim is tiny — just a type-
 	// erasure wrap around the repo so the handler layer doesn't have to
 	// import internal/domain/auth or internal/repository/postgres.
 	healthHandler.Resolver = authCheckResolverAdapter{repo: authActorRoleRepo}
 	// Bundle 2 Phase 6 / Category E — wire the OIDC providers resolver
 	// so GET /api/v1/auth/info returns the configured provider list
 	// (id + display_name + login_url) for the GUI's Login page button
 	// rendering. The shim adapts the postgres OIDCProviderRepository
 	// to the handler's narrow OIDCProvidersListResolver projection.
 	healthHandler.OIDCProvidersResolver = oidcProvidersListAdapter{repo: oidcProviderRepo}
 	// U-3 ride-along (cat-u-no_version_endpoint, P2): the version handler
 	// answers GET /api/v1/version with build identity (ldflags Version,
 	// VCS commit/dirty/timestamp, Go runtime version). Wired through the
@@ -811,6 +1172,19 @@ func main() {
 	sched.SetJobTimeoutInterval(cfg.Scheduler.JobTimeoutInterval)
 	sched.SetAwaitingCSRTimeout(cfg.Scheduler.AwaitingCSRTimeout)
 	sched.SetAwaitingApprovalTimeout(cfg.Scheduler.AwaitingApprovalTimeout)
 	// Auth Bundle 2 Phase 4 — wire the session-GC sweep. The service
 	// itself was constructed (with the EnsureInitialSigningKey fail-
 	// fatal call) above the policy/cert-service block; here we just
 	// register it with the scheduler so the loop fires every
 	// CERTCTL_SESSION_GC_INTERVAL.
 	sched.SetSessionGarbageCollector(sessionService)
 	sched.SetBCLReplayGarbageCollector(bclReplayRepo) // Audit 2026-05-10 HIGH-3.
 	sched.SetSessionGCInterval(cfg.Auth.Session.GCInterval)
 	logger.Info("session GC sweep enabled",
 		"interval", cfg.Auth.Session.GCInterval.String(),
 		"absolute_timeout", cfg.Auth.Session.AbsoluteTimeout.String(),
 		"signing_key_retention", cfg.Auth.Session.SigningKeyRetention.String())
 	logger.Info("job timeout reaper enabled",
 		"interval", cfg.Scheduler.JobTimeoutInterval.String(),
 		"csr_timeout", cfg.Scheduler.AwaitingCSRTimeout.String(),
@@ -961,6 +1335,90 @@ func main() {
 		// Rank 8 of the 2026-05-03 deep-research deliverable. See
 		// docs/intermediate-ca-hierarchy.md.
 		IntermediateCAs: intermediateCAHandler,
 		// AuthSessionOIDC — Auth Bundle 2 Phase 5 OIDC + session HTTP
 		// surface. 13 endpoints across login flow + session management
 		// + OIDC provider CRUD + group-mapping CRUD.
 		AuthSessionOIDC: authSessionOIDCHandler,
 		// AuthBreakglass — Auth Bundle 2 Phase 7.5 break-glass admin
 		// HTTP surface. 4 endpoints (1 public login + 3 admin CRUD).
 		// All endpoints return 404 when CERTCTL_BREAKGLASS_ENABLED=false.
 		AuthBreakglass: breakglassHandler,
 		// Audit 2026-05-10 MED-11 — federated-user admin surface.
 		AuthUsers: handler.NewAuthUsersHandler(
 			oidcUserRepo,
 			sessionService, // satisfies UserSessionsRevoker via RevokeAllForActor
 			auditService,
 			authdomainAlias.DefaultTenantID,
 		),
 		// Audit 2026-05-10 MED-12 — runtime config read endpoint.
 		AuthRuntimeConfig: handler.NewAuthRuntimeConfigHandler(
 			func() map[string]string {
 				// Lazy build — re-read cfg.Auth.* values on every call so
 				// post-startup re-evaluation reflects any (future) mutation.
 				return map[string]string{
 					"CERTCTL_AUTH_TYPE":                    string(cfg.Auth.Type),
 					"CERTCTL_SESSION_SAMESITE":             cfg.Auth.Session.SameSite,
 					"CERTCTL_OIDC_BCL_MAX_AGE_SECONDS":     strconv.Itoa(cfg.Auth.OIDCBCLMaxAgeSeconds),
 					"CERTCTL_OIDC_PRELOGIN_REQUIRE_UA":     strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireUA),
 					"CERTCTL_OIDC_PRELOGIN_REQUIRE_IP":     strconv.FormatBool(cfg.Auth.OIDCPreLoginRequireIP),
 					"CERTCTL_BREAKGLASS_ENABLED":           strconv.FormatBool(cfg.Auth.Breakglass.Enabled),
 					"CERTCTL_BREAKGLASS_LOCKOUT_THRESHOLD": strconv.Itoa(cfg.Auth.Breakglass.LockoutThreshold),
 					"CERTCTL_DEMO_MODE_ACK":                strconv.FormatBool(cfg.Auth.DemoModeAck),
 					"CERTCTL_TRUSTED_PROXIES_COUNT":        strconv.Itoa(len(cfg.Auth.TrustedProxies)),
 					"CERTCTL_BOOTSTRAP_TOKEN_SET":          strconv.FormatBool(cfg.Auth.BootstrapToken != ""),
 					"CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID":   cfg.Auth.BootstrapOIDCProviderID,
 					"CERTCTL_BOOTSTRAP_ADMIN_GROUPS_COUNT": strconv.Itoa(len(cfg.Auth.BootstrapAdminGroups)),
 				}
 			},
 			auditService,
 		),
 		// Audit 2026-05-10 MED-7 — per-provider JWKS health surface.
 		AuthOIDCJWKSStatus: handler.NewAuthOIDCJWKSStatusHandler(oidcService, auditService),
 		// Auth — RBAC primitive (Bundle 1 Phase 4). Wires the postgres
 		// auth repos + service-layer Authorizer / RoleService /
 		// ActorRoleService / PermissionService into the HTTP surface
 		// under /api/v1/auth/*. The service layer enforces every
 		// permission gate (auth.role.* + auth.role.assign privilege-
 		// escalation guard); the Phase 3 RequirePermission middleware
 		// is currently used by these RBAC routes via the in-handler
 		// callerFromRequest path. Phase 3.5 router-wrapping conversion
 		// of the legacy admin handlers (bulk_revocation, admin_*,
 		// intermediate_ca) is the remaining sweep.
 		Auth: handler.NewAuthHandler(
 			authsvc.NewRoleService(authRoleRepo, authPermRepo, authAuthorizer, auditService),
 			authsvc.NewPermissionService(authPermRepo),
 			authsvc.NewActorRoleService(authActorRoleRepo, authRoleRepo, authAuthorizer, auditService),
 			authCheckerAdapter,
 		).WithCSRFRotator(sessionService), // Audit 2026-05-10 HIGH-2 — CSRF rotation on role mutation.
 		// Bundle 1 Phase 6 — bootstrap day-0 admin endpoint. The
 		// service is wired above; handler is auth-exempt at the
 		// router (gated by the bootstrap.Strategy itself).
 		Bootstrap: bootstrapHandler,
 		// Audit 2026-05-11 A-8 closure — demo-mode residual cleanup.
 		// The cleanup closure captures the live *sql.DB pool so the
 		// handler doesn't pull repository.* / database/sql into the
 		// internal/api/handler import set. authType is a closure over
 		// cfg so the live config value is always read at request time.
 		DemoResidual: handler.NewDemoResidualHandler(
 			func(ctx context.Context) (int64, error) { return deleteDemoAnonResidue(ctx, db) },
 			func() string { return cfg.Auth.Type },
 			auditService,
 		),
 		// Checker is the load-bearing auth.PermissionChecker that
 		// auth.RequirePermission middleware uses to gate the legacy admin
 		// handlers (Bundle 1 Phase 3.5: bulk_revocation, admin_crl_cache,
 		// admin_scep_intune, admin_est, intermediate_ca). Wraps live in
 		// router.go via rbacGate(reg.Checker, perm, handler).
 		Checker: authCheckerAdapter,
 		// Audit 2026-05-10 CRIT-3 closure — operator-configured CORS
 		// applied to the credentialed auth-exempt routes (OIDC handshake,
 		// BCL, logout, bootstrap, breakglass-login). Health probes
 		// continue to use middleware.CORSWildcard.
 		CorsCfg: middleware.CORSConfig{AllowedOrigins: cfg.CORS.AllowedOrigins},
 	})
 	// Register EST (RFC 7030) handlers if enabled.
 	//
@@ -1477,49 +1935,31 @@ func main() {
 	// Build middleware stack.
 	//
-	// Authentication unification (M-002): every authenticated request now
+	// Bundle 1 Phase 6: namedKeys + authKeyStore + bootstrap service
-	// carries a named actor in the request context so audit events record
+	// are now constructed earlier (right after the auth repos) so the
-	// the real key identity instead of the hardcoded "api-key-user" string.
+	// HandlerRegistry can wire the bootstrap handler. The auth
-	// Named keys come from CERTCTL_API_KEYS_NAMED (preferred). For backward
+	// middleware below reads from the same authKeyStore reference, so
-	// compatibility CERTCTL_AUTH_SECRET is synthesized into legacy-key-N
+	// runtime additions from bootstrap propagate without restart.
-	// entries with Admin=false.
+	var bearerMiddleware func(http.Handler) http.Handler
-	var namedKeys []middleware.NamedAPIKey
+	switch config.AuthType(cfg.Auth.Type) {
-	if config.AuthType(cfg.Auth.Type) != config.AuthTypeNone {
+	case config.AuthTypeNone:
-		// Translate typed config.NamedAPIKey -> middleware.NamedAPIKey. The
+		bearerMiddleware = auth.NewDemoModeAuth()
-		// two structs are field-compatible but live in different packages to
+	default:
-		// preserve the config→middleware dependency direction.
+		bearerMiddleware = auth.NewAuthWithKeyStore(authKeyStore)
 		for _, nk := range cfg.Auth.NamedKeys {
 			namedKeys = append(namedKeys, middleware.NamedAPIKey{
 				Name:  nk.Name,
 				Key:   nk.Key,
 				Admin: nk.Admin,
 			})
 	}
-		// Back-compat: if no named keys but legacy Secret is configured,
+	// Auth Bundle 2 Phase 6 — chained-auth middleware. Tries the
-		// synthesize named entries so the audit trail still attributes the
+	// `certctl_session` cookie first (sessionMW); on miss / invalid,
-		// action (instead of falling back to "api-key-user" / "anonymous").
+	// falls back to the API-key Bearer middleware. If neither
-		if len(namedKeys) == 0 && cfg.Auth.Secret != "" {
+	// authenticates, 401. The session middleware is a pass-through
-			parts := strings.Split(cfg.Auth.Secret, ",")
+	// when sessionService is nil (pre-Bundle-2 builds).
-			idx := 0
+	sessionMW := session.NewSessionMiddleware(sessionService)
-			for _, p := range parts {
+	authMiddleware := session.ChainAuthSessionThenBearer(sessionMW, bearerMiddleware)
-				p = strings.TrimSpace(p)
+	// CSRF middleware — gates state-changing methods (POST/PUT/DELETE/
-				if p == "" {
+	// PATCH) for session-authenticated requests. API-key actors are
-					continue
+	// CSRF-exempt (not browser-driven). Pass-through when
-				}
+	// sessionService is nil.
-				namedKeys = append(namedKeys, middleware.NamedAPIKey{
+	csrfMiddleware := session.NewCSRFMiddleware(sessionService)
-					Name:  fmt.Sprintf("legacy-key-%d", idx),
+	_ = bootstrapHandler // referenced by HandlerRegistry above
 					Key:   p,
 					Admin: false,
 				})
 				idx++
 			}
 			if len(namedKeys) > 0 {
 				logger.Warn("CERTCTL_AUTH_SECRET is deprecated — set CERTCTL_API_KEYS_NAMED for named actor attribution and admin gating",
 					"synthesized_keys", len(namedKeys))
 			}
 		}
 	}
 	authMiddleware := middleware.NewAuthWithNamedKeys(namedKeys)
 	corsMiddleware := middleware.NewCORS(middleware.CORSConfig{
 		AllowedOrigins: cfg.CORS.AllowedOrigins,
 	})
@@ -1567,7 +2007,10 @@ func main() {
 		bodyLimitMiddleware,
 		securityHeadersMiddleware,
 		corsMiddleware,
 		// Phase 6 chain: Auth (session-then-Bearer fallback) → CSRF
 		// (state-changing only; API-key actors exempt) → Audit.
 		authMiddleware,
 		csrfMiddleware,
 		auditMiddleware.Middleware,
 	}
@@ -1589,7 +2032,10 @@ func main() {
 			bodyLimitMiddleware,
 			rateLimiter,
 			corsMiddleware,
 			// Phase 6 chain: Auth (session-then-Bearer fallback) → CSRF
 			// (state-changing only; API-key actors exempt) → Audit.
 			authMiddleware,
 			csrfMiddleware,
 			auditMiddleware.Middleware,
 		}
 		logger.Info("rate limiting enabled", "rps", cfg.RateLimit.RPS, "burst", cfg.RateLimit.BurstSize)
@@ -2231,3 +2677,171 @@ func buildFinalHandler(apiHandler, noAuthHandler http.Handler, webDir string, da
 		http.ServeFile(w, r, webDir+"/index.html")
 	})
 }
 // authPermissionCheckerAdapter bridges the typed-string Authorizer
 // signature (authsvc.Authorizer.CheckPermission takes
 // authdomain.ActorTypeValue + authdomain.ScopeType) to the plain-string
 // auth.PermissionChecker interface used by the auth.RequirePermission
 // middleware factory. Lives in cmd/server so internal/auth doesn't have
 // to import internal/service/auth + internal/domain/auth (would create
 // a cycle).
 type authPermissionCheckerAdapter struct {
 	a *authsvc.Authorizer
 }
 func (ad authPermissionCheckerAdapter) CheckPermission(
 	ctx context.Context,
 	actorID string,
 	actorType string,
 	tenantID string,
 	permission string,
 	scopeType string,
 	scopeID *string,
 ) (bool, error) {
 	return ad.a.CheckPermission(
 		ctx,
 		actorID,
 		authdomainAlias.ActorTypeValue(actorType),
 		tenantID,
 		permission,
 		authdomainAlias.ScopeType(scopeType),
 		scopeID,
 	)
 }
 // authCheckResolverAdapter bridges the postgres ActorRoleRepository
 // (authdomain.ActorTypeValue) to handler.AuthCheckResolver
 // (domain.ActorType). Lives in cmd/server so the handler layer keeps its
 // existing import set; the GUI's /v1/auth/check probe round-trips
 // through this on every page load. Read-only — no caller / no audit row.
 //
 // Bundle 1 Phase 3 closure (M1): the equivalent surface area on
 // /v1/auth/me runs through the service layer's auth.role.list permission
 // gate, which the GUI may not yet hold during initial render. AuthCheck
 // has no permission gate (its only requirement is "the request
 // authenticated"), so the bypass is by design.
 type authCheckResolverAdapter struct {
 	repo *postgres.ActorRoleRepository
 }
 func (ad authCheckResolverAdapter) ListRoles(
 	ctx context.Context,
 	actorID string,
 	actorType domain.ActorType,
 	tenantID string,
 ) ([]*authdomainAlias.ActorRole, error) {
 	return ad.repo.ListByActor(ctx, actorID, authdomainAlias.ActorTypeValue(actorType), tenantID)
 }
 func (ad authCheckResolverAdapter) EffectivePermissions(
 	ctx context.Context,
 	actorID string,
 	actorType domain.ActorType,
 	tenantID string,
 ) ([]repository.EffectivePermission, error) {
 	return ad.repo.EffectivePermissions(ctx, actorID, authdomainAlias.ActorTypeValue(actorType), tenantID)
 }
 // =============================================================================
 // sessionMinterAdapter — bridge from *session.Service to oidcsvc.SessionMinter.
 //
 // The OIDC service's SessionMinter port (Phase 3) takes a *userdomain.User
 // + role IDs and returns (cookie, csrf, err). The session.Service's
 // Create method takes (actorID, actorType, ip, ua) -> *CreateResult.
 // This adapter unwraps the User into actorID/actorType + reshapes the
 // return tuple. Lives in cmd/server so the session package doesn't have
 // to know about user.User and the user package doesn't have to know
 // about session.CreateResult.
 // =============================================================================
 type sessionMinterAdapter struct {
 	svc *session.Service
 }
 func (a *sessionMinterAdapter) MintForUser(
 	ctx context.Context,
 	user *userdomain.User,
 	_ []string, // roleIDs unused at the session-mint layer; the rbac middleware looks them up at request time
 	ip, userAgent string,
 ) (cookieValue, csrfToken string, err error) {
 	if user == nil {
 		return "", "", fmt.Errorf("session mint: user is nil")
 	}
 	res, err := a.svc.Create(ctx, user.ID, string(domain.ActorTypeUser), ip, userAgent)
 	if err != nil {
 		return "", "", err
 	}
 	return res.CookieValue, res.CSRFToken, nil
 }
 // silenceUnusedImports keeps the new oidcsvc + oidcdomain imports load-
 // bearing in case any file shuffles. Linker dead-code elimination handles
 // the runtime cost.
 var (
 	_ = oidcdomain.OIDCProvider{}
 )
 // =============================================================================
 // breakglassSessionMinterAdapter — bridge from *session.Service to
 // breakglass.SessionMinter.
 //
 // The break-glass service's SessionMinter port (Phase 7.5) returns
 // (cookie, csrf, err); the underlying *session.Service.Create returns
 // *CreateResult. This adapter unwraps the result. Lives in cmd/server
 // so the breakglass package doesn't have to know about session.Service.
 // =============================================================================
 type breakglassSessionMinterAdapter struct {
 	svc *session.Service
 }
 func (a breakglassSessionMinterAdapter) Create(ctx context.Context, actorID, actorType, ip, userAgent string) (string, string, error) {
 	res, err := a.svc.Create(ctx, actorID, actorType, ip, userAgent)
 	if err != nil {
 		return "", "", err
 	}
 	return res.CookieValue, res.CSRFToken, nil
 }
 // RevokeAllForActor — Audit 2026-05-10 HIGH-1 wire. After a break-glass
 // password rotation or credential removal, every active session for the
 // target actor must be revoked so a phished-then-rotated credential
 // doesn't leave the attacker's session live.
 func (a breakglassSessionMinterAdapter) RevokeAllForActor(ctx context.Context, actorID, actorType string) error {
 	return a.svc.RevokeAllForActor(ctx, actorID, actorType)
 }
 // oidcProvidersListAdapter bridges the postgres OIDCProviderRepository
 // to handler.OIDCProvidersListResolver. The handler returns
 // []*OIDCProviderInfo (id + display_name + login_url) for the public-
 // safe GUI Login-page payload; the repo returns the full OIDCProvider
 // row. The adapter projects + maps the login_url shape that
 // /auth/oidc/login?provider=<id> expects. Auth Bundle 2 Phase 6 /
 // Category E.
 type oidcProvidersListAdapter struct {
 	repo repository.OIDCProviderRepository
 }
 func (a oidcProvidersListAdapter) List(ctx context.Context, tenantID string) ([]*handler.OIDCProviderInfo, error) {
 	provs, err := a.repo.List(ctx, tenantID)
 	if err != nil {
 		return nil, err
 	}
 	out := make([]*handler.OIDCProviderInfo, 0, len(provs))
 	for _, p := range provs {
 		// Audit 2026-05-10 MED-9 closure — filter disabled providers
 		// at the adapter so the LoginPage's "Sign in with X" buttons
 		// don't render for offline IdPs. The HandleAuthRequest
 		// service-layer ErrProviderDisabled check is the
 		// defense-in-depth guard for direct API / MCP / CLI callers.
 		if !p.Enabled {
 			continue
 		}
 		out = append(out, &handler.OIDCProviderInfo{
 			ID:          p.ID,
 			DisplayName: p.Name,
 			LoginURL:    "/auth/oidc/login?provider=" + p.ID,
 		})
 	}
 	return out, nil
 }
@@ -12,6 +12,7 @@ import (
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/api/router"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/config"
 	"github.com/certctl-io/certctl/internal/service"
 )
@@ -44,7 +45,7 @@ func TestMain_HealthEndpointBypassesAuth(t *testing.T) {
 	})
 	// Build the handler chain the same way main.go does
-	authMiddleware := middleware.NewAuthWithNamedKeys([]middleware.NamedAPIKey{
+	authMiddleware := auth.NewAuthWithNamedKeys([]auth.NamedAPIKey{
 		{Name: "test", Key: "test-secret-key"},
 	})
@@ -159,7 +160,7 @@ func TestMain_AuthMiddlewareRejectsUnauthorized(t *testing.T) {
 	})
 	// Wrap with auth middleware
-	authMiddleware := middleware.NewAuthWithNamedKeys([]middleware.NamedAPIKey{
+	authMiddleware := auth.NewAuthWithNamedKeys([]auth.NamedAPIKey{
 		{Name: "test", Key: "test-secret-key"},
 	})
@@ -187,7 +188,7 @@ func TestMain_AuthMiddlewareAllowsWithValidKey(t *testing.T) {
 	})
 	// Wrap with auth middleware
-	authMiddleware := middleware.NewAuthWithNamedKeys([]middleware.NamedAPIKey{
+	authMiddleware := auth.NewAuthWithNamedKeys([]auth.NamedAPIKey{
 		{Name: "test", Key: testKey},
 	})
@@ -460,7 +461,7 @@ func TestMain_AuthNoneMode(t *testing.T) {
 	// Wrap with auth middleware in "none" mode
 	// auth=none equivalent: empty named-keys list is a no-op pass-through.
-	authMiddleware := middleware.NewAuthWithNamedKeys(nil)
+	authMiddleware := auth.NewAuthWithNamedKeys(nil)
 	chainedHandler := middleware.Chain(protectedHandler, authMiddleware)
@@ -0,0 +1,203 @@
 // Copyright (c) certctl-io contributors.
 //
 // Audit 2026-05-11 A-8 — demo-mode residual-grants detector. Closes the
 // deferred Phase 2 leg of HIGH-12 (cowork/auth-bundles-fixes-2026-05-10/
 // 11-high-12-demo-mode-guard.md). The HIGH-12 closure (`b81588e`) added
 // the fail-closed bind-address guard at config.Validate; the deferred
 // leg here adds a startup-time WARN (or strict refuse-startup) when
 // `actor-demo-anon` has live role grants under a non-`none` auth type.
 //
 // Why this matters: migration 000029 unconditionally seeds the
 // `ar-demo-anon-admin` row granting r-admin to actor-demo-anon. The
 // row is dormant under auth_type=api-key|oidc (the middleware chain
 // never injects the synthetic actor as the request principal), but
 // it represents a security debt: any future regression in the
 // middleware chain (a misrouted CORS preflight, a fallback in a new
 // auth-exempt route) that resolves to actor-demo-anon would re-elevate
 // to admin. The canonical acquisition-readiness narrative — "we have
 // an RBAC primitive with no synthetic-admin fallback" — requires this
 // row to be either gone or explicitly acknowledged.
 package main
 import (
 	"context"
 	"database/sql"
 	"errors"
 	"fmt"
 	"log/slog"
 	"strings"
 	"time"
 	"github.com/certctl-io/certctl/internal/config"
 	"github.com/certctl-io/certctl/internal/domain"
 	authdomain "github.com/certctl-io/certctl/internal/domain/auth"
 	"github.com/certctl-io/certctl/internal/service"
 )
 // preflightDemoModeResidual runs after the DB connection is open and
 // the audit service is constructed, before the HTTPS listener starts.
 //
 // Behaviour:
 //   - cfg.Auth.Type == "none" (demo mode): no-op. The residual IS the
 //     runtime state at that auth type.
 //   - cfg.Auth.Type != "none" + no residue: returns nil silently.
 //   - cfg.Auth.Type != "none" + residue + strict=false: emits a WARN
 //     log AND an `auth.demo_residual_grants_detected` audit row
 //     listing the grant IDs, then returns nil.
 //   - cfg.Auth.Type != "none" + residue + strict=true: emits the same
 //     WARN + audit, then returns a non-nil error so the caller can
 //     refuse startup.
 //
 // The audit row's actor is `system` / ActorTypeSystem; category is
 // EventCategoryAuth so audit consumers filtering on auth events see it.
 func preflightDemoModeResidual(
 	ctx context.Context,
 	cfg *config.Config,
 	db *sql.DB,
 	audit *service.AuditService,
 	logger *slog.Logger,
 ) error {
 	if cfg.Auth.Type == "none" {
 		// Demo mode itself. The residual is the runtime state at
 		// this auth type, so warning about it would be noise.
 		return nil
 	}
 	residue, err := queryDemoAnonResidue(ctx, db)
 	if err != nil {
 		return fmt.Errorf("preflight demo-mode residual: %w", err)
 	}
 	if len(residue) == 0 {
 		return nil
 	}
 	formatted := make([]string, 0, len(residue))
 	for _, r := range residue {
 		formatted = append(formatted, r.String())
 	}
 	msg := fmt.Sprintf(
 		"production startup warning: actor-demo-anon has %d residual role grant(s) "+
 			"from the migration 000029 baseline or a prior demo-mode run: %s. "+
 			"These grants are DORMANT at the current auth_type (%s) but represent a "+
 			"security debt — any future regression that resolves an unauthenticated "+
 			"request to actor-demo-anon would re-elevate to admin. Clean up via "+
 			"POST /api/v1/auth/demo-residual/cleanup (requires auth.role.assign) or "+
 			"`DELETE FROM actor_roles WHERE actor_id = 'actor-demo-anon';`. Set "+
 			"CERTCTL_DEMO_MODE_RESIDUAL_STRICT=true to refuse startup until cleanup.",
 		len(residue), strings.Join(formatted, "; "), cfg.Auth.Type,
 	)
 	if logger != nil {
 		logger.Warn(msg, "auth_type", cfg.Auth.Type, "residue_count", len(residue))
 	} else {
 		slog.Warn(msg)
 	}
 	if audit != nil {
 		details := map[string]interface{}{
 			"auth_type":     cfg.Auth.Type,
 			"residue_count": len(residue),
 			"residue":       formatted,
 		}
 		if err := audit.RecordEventWithCategory(
 			ctx, "system", domain.ActorTypeSystem,
 			"auth.demo_residual_grants_detected",
 			domain.EventCategoryAuth,
 			"actor_roles", authdomain.DemoAnonActorID,
 			details,
 		); err != nil {
 			// Don't fail startup over an audit-write error; just log.
 			if logger != nil {
 				logger.Warn("preflight demo-mode residual: audit record failed", "error", err)
 			}
 		}
 	}
 	if cfg.Auth.DemoModeResidualStrict {
 		return fmt.Errorf(
 			"startup refused: actor-demo-anon has %d residual role grant(s) and "+
 				"CERTCTL_DEMO_MODE_RESIDUAL_STRICT=true. Remove the rows before restarting",
 			len(residue),
 		)
 	}
 	return nil
 }
 // demoAnonResidueRow describes a single live actor_roles row whose
 // actor_id matches the synthetic demo-anon ID.
 type demoAnonResidueRow struct {
 	RoleID    string
 	ScopeType string
 	ScopeID   string
 	GrantedAt time.Time
 }
 // String renders one row as `role@scope (granted ts)`. Used both in
 // the WARN log message and in the audit row's residue list.
 func (r demoAnonResidueRow) String() string {
 	scope := r.ScopeType
 	if r.ScopeID != "" {
 		scope = fmt.Sprintf("%s/%s", r.ScopeType, r.ScopeID)
 	}
 	return fmt.Sprintf("%s@%s (granted %s)", r.RoleID, scope, r.GrantedAt.UTC().Format(time.RFC3339))
 }
 // queryDemoAnonResidue runs the canonical query for the residue
 // detector + the cleanup endpoint. Kept in one place so the two
 // surfaces can't drift on which rows count as "live".
 //
 // "Live" = not expired. Rows with expires_at <= NOW() are treated
 // as already gone (they have no effect even if the actor were to be
 // injected as the principal).
 func queryDemoAnonResidue(ctx context.Context, db *sql.DB) ([]demoAnonResidueRow, error) {
 	if db == nil {
 		return nil, errors.New("db is nil")
 	}
 	rows, err := db.QueryContext(ctx, `
 		SELECT role_id, scope_type, COALESCE(scope_id, '') AS scope_id, granted_at
 		FROM actor_roles
 		WHERE actor_id = $1
 		  AND (expires_at IS NULL OR expires_at > NOW())
 		ORDER BY granted_at ASC, role_id ASC, scope_type ASC, COALESCE(scope_id, '') ASC
 	`, authdomain.DemoAnonActorID)
 	if err != nil {
 		return nil, fmt.Errorf("query actor_roles: %w", err)
 	}
 	defer rows.Close()
 	var out []demoAnonResidueRow
 	for rows.Next() {
 		var r demoAnonResidueRow
 		if err := rows.Scan(&r.RoleID, &r.ScopeType, &r.ScopeID, &r.GrantedAt); err != nil {
 			return nil, fmt.Errorf("scan actor_roles row: %w", err)
 		}
 		out = append(out, r)
 	}
 	if err := rows.Err(); err != nil {
 		return nil, fmt.Errorf("iterate actor_roles rows: %w", err)
 	}
 	return out, nil
 }
 // deleteDemoAnonResidue removes every live actor_roles row for the
 // synthetic demo-anon actor. Returns the count removed. Used by the
 // POST /api/v1/auth/demo-residual/cleanup handler. Idempotent — a
 // follow-up call returns 0.
 func deleteDemoAnonResidue(ctx context.Context, db *sql.DB) (int64, error) {
 	if db == nil {
 		return 0, errors.New("db is nil")
 	}
 	res, err := db.ExecContext(ctx, `
 		DELETE FROM actor_roles
 		WHERE actor_id = $1
 	`, authdomain.DemoAnonActorID)
 	if err != nil {
 		return 0, fmt.Errorf("delete actor_roles: %w", err)
 	}
 	n, err := res.RowsAffected()
 	if err != nil {
 		return 0, fmt.Errorf("rows affected: %w", err)
 	}
 	return n, nil
 }
@@ -0,0 +1,295 @@
 package main
 import (
 	"context"
 	"database/sql"
 	"fmt"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"sync"
 	"testing"
 	"time"
 	_ "github.com/lib/pq"
 	"github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/wait"
 	"github.com/certctl-io/certctl/internal/config"
 	"github.com/certctl-io/certctl/internal/repository/postgres"
 	"github.com/certctl-io/certctl/internal/service"
 )
 // Audit 2026-05-11 A-8 — preflight + cleanup regression tests for the
 // demo-mode residual-grants detector. Testcontainers-backed because the
 // preflight runs raw SQL against actor_roles; mock-DB-only would not
 // catch a SQL-shape regression. Gated by testing.Short() to keep the
 // fast loop fast (matching internal/repository/postgres/* pattern).
 var (
 	a8DBOnce sync.Once
 	a8DB     *sql.DB
 	a8Skip   bool
 	a8SkipMu sync.Mutex
 )
 func setupA8DB(t *testing.T) *sql.DB {
 	t.Helper()
 	if testing.Short() {
 		t.Skip("preflight A-8 test requires Postgres (testcontainers); skipping under -short")
 	}
 	a8DBOnce.Do(func() {
 		ctx := context.Background()
 		req := testcontainers.ContainerRequest{
 			Image:        "postgres:16-alpine",
 			ExposedPorts: []string{"5432/tcp"},
 			Env: map[string]string{
 				"POSTGRES_DB":       "certctl_test_a8",
 				"POSTGRES_USER":     "certctl",
 				"POSTGRES_PASSWORD": "certctl",
 			},
 			WaitingFor: wait.ForLog("database system is ready to accept connections").WithOccurrence(2),
 		}
 		c, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
 			ContainerRequest: req,
 			Started:          true,
 		})
 		if err != nil {
 			a8SkipMu.Lock()
 			a8Skip = true
 			a8SkipMu.Unlock()
 			t.Logf("skipping A-8 testcontainers preflight (docker unavailable): %v", err)
 			return
 		}
 		host, err := c.Host(ctx)
 		if err != nil {
 			t.Fatalf("get container host: %v", err)
 		}
 		port, err := c.MappedPort(ctx, "5432")
 		if err != nil {
 			t.Fatalf("get mapped port: %v", err)
 		}
 		dsn := fmt.Sprintf("postgres://certctl:certctl@%s:%s/certctl_test_a8?sslmode=disable", host, port.Port())
 		db, err := sql.Open("postgres", dsn)
 		if err != nil {
 			t.Fatalf("sql.Open: %v", err)
 		}
 		// Run all migrations so actor_roles exists with the migration
 		// 000029 seed row (`ar-demo-anon-admin`).
 		_, thisFile, _, _ := runtime.Caller(0)
 		migrationsDir := filepath.Join(filepath.Dir(thisFile), "..", "..", "migrations")
 		if _, err := os.Stat(migrationsDir); err != nil {
 			t.Fatalf("locate migrations dir %q: %v", migrationsDir, err)
 		}
 		if err := postgres.RunMigrations(db, migrationsDir); err != nil {
 			t.Fatalf("RunMigrations: %v", err)
 		}
 		a8DB = db
 	})
 	a8SkipMu.Lock()
 	skip := a8Skip
 	a8SkipMu.Unlock()
 	if skip {
 		t.Skip("A-8 testcontainers unavailable; skipping")
 	}
 	return a8DB
 }
 // resetA8Residue clears the actor_roles rows for actor-demo-anon AND
 // re-inserts the migration 000029 baseline. Used by tests that need a
 // known "post-fresh-migration" state.
 func resetA8Residue(t *testing.T, db *sql.DB, seedBaseline bool) {
 	t.Helper()
 	if _, err := db.ExecContext(context.Background(),
 		`DELETE FROM actor_roles WHERE actor_id = 'actor-demo-anon'`); err != nil {
 		t.Fatalf("reset actor_roles: %v", err)
 	}
 	if seedBaseline {
 		if _, err := db.ExecContext(context.Background(), `
 			INSERT INTO actor_roles (id, actor_id, actor_type, role_id, granted_at, granted_by, tenant_id)
 			VALUES ('ar-demo-anon-admin', 'actor-demo-anon', 'Anonymous', 'r-admin', NOW(), 'system', 't-default')
 		`); err != nil {
 			t.Fatalf("reseed baseline: %v", err)
 		}
 	}
 }
 // TestPreflightDemoModeResidual_DemoModeActive_Skips proves the
 // preflight short-circuits when Auth.Type=none regardless of residue.
 // Demo mode IS the active runtime state at that auth type, so warning
 // would be noise.
 func TestPreflightDemoModeResidual_DemoModeActive_Skips(t *testing.T) {
 	db := setupA8DB(t)
 	resetA8Residue(t, db, true) // baseline IS present
 	cfg := &config.Config{}
 	cfg.Auth.Type = "none"
 	cfg.Auth.DemoModeResidualStrict = true // would refuse if checked
 	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
 	err := preflightDemoModeResidual(context.Background(), cfg, db, nil, logger)
 	if err != nil {
 		t.Fatalf("expected nil under Auth.Type=none, got %v", err)
 	}
 }
 // TestPreflightDemoModeResidual_NoResidue_Passes proves a fully-clean
 // actor_roles state passes without WARN.
 func TestPreflightDemoModeResidual_NoResidue_Passes(t *testing.T) {
 	db := setupA8DB(t)
 	resetA8Residue(t, db, false) // explicitly empty
 	cfg := &config.Config{}
 	cfg.Auth.Type = "api-key"
 	err := preflightDemoModeResidual(context.Background(), cfg, db, nil, nil)
 	if err != nil {
 		t.Fatalf("expected nil with empty residue, got %v", err)
 	}
 }
 // TestPreflightDemoModeResidual_HasResidue_LogsAndAudits proves the
 // migration 000029 baseline produces a WARN + audit row but does NOT
 // fail startup in default (non-strict) mode.
 func TestPreflightDemoModeResidual_HasResidue_LogsAndAudits(t *testing.T) {
 	db := setupA8DB(t)
 	resetA8Residue(t, db, true)
 	cfg := &config.Config{}
 	cfg.Auth.Type = "api-key"
 	cfg.Auth.DemoModeResidualStrict = false
 	auditRepo := postgres.NewAuditRepository(db)
 	auditService := service.NewAuditService(auditRepo)
 	err := preflightDemoModeResidual(context.Background(), cfg, db, auditService, nil)
 	if err != nil {
 		t.Fatalf("non-strict mode must NOT fail startup with residue, got %v", err)
 	}
 	// Audit row should be present for the call.
 	rows, err := db.QueryContext(context.Background(), `
 		SELECT action, event_category, resource_id
 		FROM audit_events
 		WHERE action = 'auth.demo_residual_grants_detected'
 		ORDER BY occurred_at DESC LIMIT 1
 	`)
 	if err != nil {
 		t.Fatalf("audit_events query: %v", err)
 	}
 	defer rows.Close()
 	if !rows.Next() {
 		t.Fatal("expected at least one auth.demo_residual_grants_detected row")
 	}
 	var action, category, resourceID string
 	if err := rows.Scan(&action, &category, &resourceID); err != nil {
 		t.Fatalf("scan: %v", err)
 	}
 	if action != "auth.demo_residual_grants_detected" {
 		t.Errorf("action = %q, want auth.demo_residual_grants_detected", action)
 	}
 	if category != "auth" {
 		t.Errorf("event_category = %q, want auth", category)
 	}
 	if resourceID != "actor-demo-anon" {
 		t.Errorf("resource_id = %q, want actor-demo-anon", resourceID)
 	}
 }
 // TestPreflightDemoModeResidual_StrictMode_RefusesStartup proves the
 // flag pivots WARN → fail.
 func TestPreflightDemoModeResidual_StrictMode_RefusesStartup(t *testing.T) {
 	db := setupA8DB(t)
 	resetA8Residue(t, db, true)
 	cfg := &config.Config{}
 	cfg.Auth.Type = "api-key"
 	cfg.Auth.DemoModeResidualStrict = true
 	err := preflightDemoModeResidual(context.Background(), cfg, db, nil, nil)
 	if err == nil {
 		t.Fatal("strict mode + residue: expected error, got nil")
 	}
 	if !strings.Contains(err.Error(), "actor-demo-anon") {
 		t.Errorf("err = %q, want mention of actor-demo-anon", err.Error())
 	}
 	if !strings.Contains(err.Error(), "CERTCTL_DEMO_MODE_RESIDUAL_STRICT") {
 		t.Errorf("err = %q, want mention of CERTCTL_DEMO_MODE_RESIDUAL_STRICT", err.Error())
 	}
 }
 // TestDemoAnonResidueRow_String pins the formatting of the residue
 // detail entry — used both in the WARN log AND the audit row's
 // `residue` slice. Two cases: NULL scope_id (global scope) and
 // non-empty scope_id (profile/issuer scope).
 func TestDemoAnonResidueRow_String(t *testing.T) {
 	ts, _ := time.Parse(time.RFC3339, "2026-05-11T12:34:56Z")
 	cases := []struct {
 		name string
 		r    demoAnonResidueRow
 		want string
 	}{
 		{
 			name: "global_scope",
 			r:    demoAnonResidueRow{RoleID: "r-admin", ScopeType: "global", ScopeID: "", GrantedAt: ts},
 			want: "r-admin@global (granted 2026-05-11T12:34:56Z)",
 		},
 		{
 			name: "scoped",
 			r:    demoAnonResidueRow{RoleID: "r-operator", ScopeType: "profile", ScopeID: "p-prod", GrantedAt: ts},
 			want: "r-operator@profile/p-prod (granted 2026-05-11T12:34:56Z)",
 		},
 	}
 	for _, c := range cases {
 		c := c
 		t.Run(c.name, func(t *testing.T) {
 			got := c.r.String()
 			if got != c.want {
 				t.Errorf("String() = %q, want %q", got, c.want)
 			}
 		})
 	}
 }
 // TestDeleteDemoAnonResidue_Idempotent proves the cleanup helper is
 // re-entrant: a second call after a successful first call returns 0.
 func TestDeleteDemoAnonResidue_Idempotent(t *testing.T) {
 	db := setupA8DB(t)
 	resetA8Residue(t, db, true)
 	n, err := deleteDemoAnonResidue(context.Background(), db)
 	if err != nil {
 		t.Fatalf("first delete: %v", err)
 	}
 	if n < 1 {
 		t.Fatalf("first delete: count = %d, want >= 1", n)
 	}
 	n, err = deleteDemoAnonResidue(context.Background(), db)
 	if err != nil {
 		t.Fatalf("second delete: %v", err)
 	}
 	if n != 0 {
 		t.Errorf("second delete (idempotent): count = %d, want 0", n)
 	}
 }
 // TestQueryDemoAnonResidue_NilDB pins the nil-safety contract.
 func TestQueryDemoAnonResidue_NilDB(t *testing.T) {
 	_, err := queryDemoAnonResidue(context.Background(), nil)
 	if err == nil {
 		t.Fatal("expected error on nil db, got nil")
 	}
 }
 // TestDeleteDemoAnonResidue_NilDB pins the nil-safety contract.
 func TestDeleteDemoAnonResidue_NilDB(t *testing.T) {
 	_, err := deleteDemoAnonResidue(context.Background(), nil)
 	if err == nil {
 		t.Fatal("expected error on nil db, got nil")
 	}
 }
@@ -133,6 +133,15 @@ services:
      CERTCTL_KEYGEN_MODE: server  # Demo uses server-side keygen; production should use "agent"
      CERTCTL_NETWORK_SCAN_ENABLED: "true"  # Enable network scan GUI with seeded demo targets
      CERTCTL_CONFIG_ENCRYPTION_KEY: ${CERTCTL_CONFIG_ENCRYPTION_KEY:-change-me-32-char-encryption-key}  # AES-256-GCM for dynamic issuer/target config
      # Bundle 1 follow-on: this compose IS the bundled demo path
      # (CERTCTL_AUTH_TYPE=none + KEYGEN_MODE=server above), so the
      # demo seed runs by default. seed_demo.sql pre-seeds the
      # agent-demo-1 row that the bundled certctl-agent below needs
      # to authenticate. The docker-compose.demo.yml overlay still
      # works (it sets the same flag) and remains for backward
      # compat. Production deploys override CERTCTL_AUTH_TYPE +
      # KEYGEN_MODE + DEMO_SEED via their own compose.
      CERTCTL_DEMO_SEED: "true"
    ports:
      - "8443:8443"
    volumes:
@@ -183,6 +192,17 @@ services:
      CERTCTL_SERVER_URL: https://certctl-server:8443
      CERTCTL_SERVER_CA_BUNDLE_PATH: /etc/certctl/tls/ca.crt
      CERTCTL_API_KEY: ${CERTCTL_API_KEY:-change-me-in-production}
      # Bundle 1 follow-on: pre-Bundle-1 the bundled agent had no
      # CERTCTL_AGENT_ID set, hit cmd/agent/main.go's fail-fast guard
      # ("agent-id flag or CERTCTL_AGENT_ID env var is required"), and
      # restart-looped silently on every fresh `docker compose up`.
      # Latent since 2026-03-14 (commit d395776). seed_demo.sql now
      # pre-seeds the matching agents row; the demo runs with
      # CERTCTL_AUTH_TYPE=none on the server so the api_key Bearer
      # token is irrelevant here. Production deploys override
      # CERTCTL_AGENT_ID with the value returned from
      # POST /api/v1/agents during registration.
      CERTCTL_AGENT_ID: ${CERTCTL_AGENT_ID:-agent-demo-1}
      CERTCTL_AGENT_NAME: docker-agent
      CERTCTL_LOG_LEVEL: info
      CERTCTL_DISCOVERY_DIRS: /var/lib/certctl/keys  # Agent scans this directory for existing certificates
@@ -202,8 +202,8 @@ Any template that consumes .Values.server.auth.type should call
 runs once per affected resource. No-op when configured correctly.
 */}}
 {{- define "certctl.validateAuthType" -}}
-{{- $valid := list "api-key" "none" -}}
+{{- $valid := list "api-key" "none" "oidc" -}}
 {{- if not (has .Values.server.auth.type $valid) -}}
-{{- fail (printf "\n\nserver.auth.type=%q is not supported (valid: %v).\n\nFor JWT/OIDC, run an authenticating gateway in front of certctl\n(oauth2-proxy / Envoy ext_authz / Traefik ForwardAuth / Pomerium) and\nset server.auth.type=none here so the gateway terminates federated\nidentity. See docs/architecture.md \"Authenticating-gateway pattern\"\nand docs/upgrade-to-v2-jwt-removal.md for the migration walkthrough.\n\nG-1 audit closure: pre-G-1 the chart accepted type=jwt and the binary\nsilently downgraded to api-key middleware. The chart now fails at\ntemplate time so misconfigured deployments cannot ship.\n" .Values.server.auth.type $valid) -}}
+{{- fail (printf "\n\nserver.auth.type=%q is not supported (valid: %v).\n\nFor JWT/SAML/LDAP, run an authenticating gateway in front of certctl\n(oauth2-proxy / Envoy ext_authz / Traefik ForwardAuth / Pomerium) and\nset server.auth.type=none here so the gateway terminates federated\nidentity. See docs/architecture.md \"Authenticating-gateway pattern\"\nand docs/upgrade-to-v2-jwt-removal.md for the migration walkthrough.\n\nG-1 audit closure: pre-G-1 the chart accepted type=jwt and the binary\nsilently downgraded to api-key middleware. The chart now fails at\ntemplate time so misconfigured deployments cannot ship.\n\nAuth Bundle 2 Phase 0: server.auth.type=oidc is in the valid set but\nthe OIDC handler chain ships in later Bundle 2 phases. Pre-Bundle-2\noperators who set type=oidc see the certctl-server container exit at\nstartup with an actionable error — chart-time validation no longer\nblocks deploy because the binary's runtime guard takes over. Once\nBundle 2 lands, the runtime guard relaxes and OIDC works end-to-end.\n" .Values.server.auth.type $valid) -}}
 {{- end -}}
 {{- end }}
@@ -6,8 +6,8 @@
 # Per H-001 guard: every FROM is digest-pinned. Operator re-pins
 # quarterly per docs/deployment-vendor-matrix.md.
-# golang:1.25.9-bookworm digest pinned per H-001.
+# golang:1.25.10-bookworm digest pinned per H-001.
-FROM golang:1.25.9-bookworm@sha256:1a1408bf8d2d3077f9508880caf0e8bb0fde195fe3c890e7ea480dfb66dc7827 AS builder
+FROM golang:1.25.10-bookworm@sha256:e3a54b77385b4f8a31c1db4d12429ffb3718ea76865731a787c497755d409547 AS builder
 WORKDIR /src
 COPY deploy/test/f5-mock-icontrol/ ./
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "-s -w" -o /out/f5-mock-icontrol .
@@ -1,3 +1,3 @@
 module github.com/certctl-io/certctl/deploy/test/f5-mock-icontrol
-go 1.25.9
+go 1.25.10
@@ -27,12 +27,14 @@ You're operating certctl in production or building integrations and need authori
 | Doc | What it covers |
 |---|---|
 | [Architecture](reference/architecture.md) | System design, data flow, security model, deployment topologies |
 | [Profiles](reference/profiles.md) | CertificateProfile policy object — issuer wiring, EKUs, RequiresApproval gate (with profile-edit closure) |
 | [API](reference/api.md) | OpenAPI 3.1 spec, integration patterns, client SDK generation |
 | [CLI](reference/cli.md) | certctl-cli command reference and CI/CD integration patterns |
 | [Configuration](reference/configuration.md) | `CERTCTL_*` environment variable reference (scheduler, rate limits, deploy verify, audit, agent) |
 | [MCP server](reference/mcp.md) | Model Context Protocol integration for AI assistants |
 | [Release verification](reference/release-verification.md) | Cosign / SLSA / SBOM verification procedure |
 | [Intermediate CA hierarchy](reference/intermediate-ca-hierarchy.md) | Multi-level CA tree management — RFC 5280 §3.2/§4.2.1.9/§4.2.1.10 enforcement |
 | [Auth standards implemented](reference/auth-standards-implemented.md) | RFC + CWE evidence for the API-key + RBAC + OIDC + sessions + break-glass surface (NOT a compliance-mapping doc) |
 | [Deployment model](reference/deployment-model.md) | Atomic write, post-deploy verify, rollback semantics across all targets |
 | [Vendor matrix](reference/vendor-matrix.md) | Tested vendor versions per target connector |
@@ -62,12 +64,16 @@ You're running certctl in production and need operational guidance.
 | Doc | What it covers |
 |---|---|
-| [Security posture](operator/security.md) | Auth, rate limits, encryption at rest, key rotation |
+| [Security posture](operator/security.md) | Auth, rate limits, encryption at rest, key rotation, RBAC + OIDC + sessions + break-glass, bootstrap |
 | [RBAC operator reference](operator/rbac.md) | Roles, permissions, scopes, scope-down + day-0 bootstrap |
 | [Auth threat model](operator/auth-threat-model.md) | API-key + RBAC + OIDC + sessions + break-glass — token forgery, session hijacking, IdP compromise, role-grant abuse, bootstrap-token leak, audit-mutation |
 | [OIDC / SSO runbooks](operator/oidc-runbooks/index.md) | Per-IdP setup guides — Keycloak, Authentik, Okta, Auth0, Entra ID, Google Workspace |
 | [Control plane TLS](operator/tls.md) | Self-signed bootstrap, operator-supplied Secret, cert-manager Certificate CR |
 | [Database TLS](operator/database-tls.md) | PostgreSQL transport encryption |
-| [Approval workflow](operator/approval-workflow.md) | Two-person integrity gate for high-stakes issuance |
+| [Approval workflow](operator/approval-workflow.md) | Two-person integrity gate for high-stakes issuance + profile-edit closure |
 | [Helm deployment](operator/helm-deployment.md) | Kubernetes installation via the bundled chart |
 | [Performance baselines](operator/performance-baselines.md) | Operator-runnable benchmarks for regression spot checks |
 | [Auth benchmarks](operator/auth-benchmarks.md) | Session + OIDC validation p99 targets and measured baselines |
 | [Legacy clients (TLS 1.2)](operator/legacy-clients-tls-1.2.md) | Reverse-proxy runbook for embedded EST/SCEP clients on TLS 1.2 |
 ### Runbooks
@@ -90,6 +96,8 @@ You're moving from another cert-management tool to certctl, or running both in p
 | Caddy ACME (point Caddy at certctl) | [migration/acme-from-caddy.md](migration/acme-from-caddy.md) |
 | cert-manager ACME (point cert-manager at certctl) | [migration/acme-from-cert-manager.md](migration/acme-from-cert-manager.md) |
 | Traefik ACME (point Traefik at certctl) | [migration/acme-from-traefik.md](migration/acme-from-traefik.md) |
 | **API keys → RBAC (v2.0.x → v2.1.0)** | [migration/api-keys-to-rbac.md](migration/api-keys-to-rbac.md) — **AUDIT YOUR API KEYS** post-upgrade |
 | **Enable OIDC SSO** | [migration/oidc-enable.md](migration/oidc-enable.md) — step-by-step OIDC onboarding for an existing API-key + RBAC deployment |
 ## Contributor
@@ -53,7 +53,7 @@ Runs the Go build/test suite + 18 of 20 regression guards.
 Steps:
 1. `actions/checkout@v4`
-2. `actions/setup-go@v5` (Go 1.25.9)
+2. `actions/setup-go@v5` (Go 1.25.10)
 3. `go build ./cmd/...` (server, agent, mcp-server, cli)
 4. **gofmt drift** — `gofmt -l .` must be empty (Makefile::verify parity)
 5. **go mod tidy drift** — `go mod tidy && git diff --exit-code go.mod go.sum`
@@ -97,7 +97,7 @@ Single-job collapse of the prior 12-job matrix (per ci-pipeline-cleanup Phase 5
 Steps:
 1. `actions/checkout@v5`
-2. `actions/setup-go@v5` (Go 1.25.9, cache: true)
+2. `actions/setup-go@v5` (Go 1.25.10, cache: true)
 3. **Build f5-mock-icontrol sidecar** — only sidecar without published image
 4. **Bring up all vendor sidecars** — `docker compose --profile deploy-e2e up -d` (11 sidecars)
 5. **Run all vendor-edge e2e** — `go test -tags integration -race -count=1 -run 'VendorEdge_'`; output captured to `test-output.log`
@@ -32,7 +32,7 @@ cp .env.example .env   # Edit with your domain and email
 docker compose up -d
 ```
-The full walkthrough — including how HTTP-01 challenges work, adding multiple domains, switching to staging for testing, and a production checklist — is in the [example README](../examples/acme-nginx/acme-nginx.md).
+The full walkthrough — including how HTTP-01 challenges work, adding multiple domains, switching to staging for testing, and a production checklist — is in the [example README](../../examples/acme-nginx/acme-nginx.md).
 **Migrating from Certbot?** certctl discovers your existing `/etc/letsencrypt/live/` certificates automatically. You keep your ACME account, disable the Certbot cron, and certctl takes over renewal with centralized visibility and deployment verification. The step-by-step process is in [Migrating from Certbot](../migration/from-certbot.md).
@@ -52,7 +52,7 @@ cp .env.example .env   # Edit with domain, email, DNS provider credentials
 docker compose up -d
 ```
-The full walkthrough — including DNS-PERSIST-01 (set a TXT record once, never touch DNS again on renewals), adapting scripts for other providers, and propagation troubleshooting — is in the [example README](../examples/acme-wildcard-dns01/acme-wildcard-dns01.md).
+The full walkthrough — including DNS-PERSIST-01 (set a TXT record once, never touch DNS again on renewals), adapting scripts for other providers, and propagation troubleshooting — is in the [example README](../../examples/acme-wildcard-dns01/acme-wildcard-dns01.md).
 **Migrating from acme.sh?** Your existing `dns_*` hook scripts are compatible with certctl's DNS-01 — they use the same pattern (shell scripts creating TXT records). The migration guide covers script adaptation, discovery of existing acme.sh certificates, and phasing out the acme.sh cron. See [Migrating from acme.sh](../migration/from-acmesh.md).
@@ -71,7 +71,7 @@ cd examples/private-ca-traefik
 docker compose up -d    # Self-signed mode (no .env needed for demo)
 ```
-The full walkthrough — including sub-CA setup with `CERTCTL_CA_CERT_PATH` and `CERTCTL_CA_KEY_PATH`, creating certificates via the API, monitoring deployments, and production hardening — is in the [example README](../examples/private-ca-traefik/private-ca-traefik.md).
+The full walkthrough — including sub-CA setup with `CERTCTL_CA_CERT_PATH` and `CERTCTL_CA_KEY_PATH`, creating certificates via the API, monitoring deployments, and production hardening — is in the [example README](../../examples/private-ca-traefik/private-ca-traefik.md).
 ---
@@ -88,7 +88,7 @@ cd examples/step-ca-haproxy
 docker compose up -d
 ```
-The full walkthrough — including step-ca provisioner configuration, integrating with an existing step-ca instance, HAProxy PEM format details, and advanced features (approval workflows, policy-based renewal, multi-instance HAProxy) — is in the [example README](../examples/step-ca-haproxy/step-ca-haproxy.md).
+The full walkthrough — including step-ca provisioner configuration, integrating with an existing step-ca instance, HAProxy PEM format details, and advanced features (approval workflows, policy-based renewal, multi-instance HAProxy) — is in the [example README](../../examples/step-ca-haproxy/step-ca-haproxy.md).
 ---
@@ -105,7 +105,7 @@ cd examples/multi-issuer
 docker compose up -d
 ```
-The full walkthrough — including profile-based issuer assignment, testing with ACME staging, Local CA enterprise sub-CA mode, and scaling beyond Docker Compose — is in the [example README](../examples/multi-issuer/multi-issuer.md).
+The full walkthrough — including profile-based issuer assignment, testing with ACME staging, Local CA enterprise sub-CA mode, and scaling beyond Docker Compose — is in the [example README](../../examples/multi-issuer/multi-issuer.md).
 **Using cert-manager for Kubernetes?** certctl complements cert-manager — cert-manager handles in-cluster certs, certctl handles everything outside: VMs, bare metal, network appliances, Windows servers. They can share the same CA (ACME, step-ca, Vault PKI). See [certctl for cert-manager Users](../migration/cert-manager-coexistence.md).
@@ -117,7 +117,7 @@ cd certctl/deploy && docker compose up -d
 # Dashboard at https://localhost:8443 (self-signed cert — pin deploy/test/certs/ca.crt)
 ```
-See the [Quickstart Guide](quickstart.md) for a full walkthrough, or explore the [5 turnkey examples](../examples/) for specific scenarios (ACME+NGINX, wildcard DNS-01, private CA+Traefik, step-ca+HAProxy, multi-issuer).
+See the [Quickstart Guide](quickstart.md) for a full walkthrough, or explore the [5 turnkey examples](../../examples/) for specific scenarios (ACME+NGINX, wildcard DNS-01, private CA+Traefik, step-ca+HAProxy, multi-issuer).
 ## License
@@ -16,7 +16,7 @@ through cert-manager 1.15+. Target audience: Kubernetes operator who
 has never deployed certctl before and wants a working
 `Certificate` → `Secret` flow on their cluster in under 30 minutes.
-The Phase 5 integration test (`make acme-cert-manager-test`) automates
+The cert-manager integration test (`make acme-cert-manager-test`) automates
 exactly the recipe below. The YAML snippets in this doc are byte-equal
 to the files under `deploy/test/acme-integration/` — re-running the
 test from a fresh clone produces the same results documented here.
@@ -24,7 +24,7 @@ test from a fresh clone produces the same results documented here.
 ## Prereqs
 - A Kubernetes cluster (kind / k3d / EKS / GKE / AKS / on-prem). For
-  local trial, `kind v0.20+` works exactly the way the Phase 5 test
+  local trial, `kind v0.20+` works exactly the way the integration test
  uses it. The kind config lives at
  [`deploy/test/acme-integration/kind-config.yaml`](../deploy/test/acme-integration/kind-config.yaml).
 - `kubectl` v1.27+, `helm` v3.13+.
@@ -37,7 +37,7 @@ test from a fresh clone produces the same results documented here.
  which is the same idempotent installer the integration test uses.
 - A certctl Helm chart published to a registry your cluster can pull
-  from. The Phase 5 test uses an `image.tag=test` placeholder; production
+  from. The integration test uses an `image.tag=test` placeholder; production
  deployments use the actual image tag for your release line.
 ## Step 1 — Deploy certctl-server
@@ -99,7 +99,7 @@ recipe lives in
 ## Step 4 — Apply the ClusterIssuer
 ```yaml
-# Phase 5 — sample ClusterIssuer for the certctl trust_authenticated
+# sample ClusterIssuer for the certctl trust_authenticated
 # auth mode (RFC 8555 §6 + certctl auth_mode=trust_authenticated, where
 # the JWS-authenticated ACME account is trusted to issue any identifier
 # the profile policy permits — no per-identifier ownership challenges).
@@ -169,7 +169,7 @@ HTTP-01 to work.
 ## Step 5 — Apply the Certificate
 ```yaml
-# Phase 5 — Certificate resource the integration test applies and
+# Certificate resource the integration test applies and
 # waits for. The certctl-test-trust ClusterIssuer (trust_authenticated
 # mode) issues the cert without any solver round-trip; the resulting
 # Secret 'test-com-tls' is asserted to carry tls.crt + tls.key.
@@ -262,4 +262,4 @@ helm uninstall certctl-test
 - [`docs/acme-traefik-walkthrough.md`](./acme-from-traefik.md) —
  Traefik-side recipe.
 - [`deploy/test/acme-integration/`](../deploy/test/acme-integration/) —
-  Phase 5 integration test (the same recipe, automated).
+  cert-manager integration test (the same recipe, automated).
@@ -0,0 +1,294 @@
 # Migrating API keys to RBAC (v2.0.x → v2.1.0)
 > Last reviewed: 2026-05-09
 This is the upgrade guide for an existing certctl deployment moving
 from v2.0.x's "every API key is admin or not" model to v2.1.0's
 RBAC primitive. Everything keeps working through the upgrade - the
 migration backfills every existing API key to the
 `r-admin` role on first boot, so the pre-existing automation that
 was using those keys does not change behavior. **However**, most
 keys do not need full admin power; this guide walks the operator
 through the post-upgrade scope-down flow.
 ## ⚠️ SECURITY: AUDIT YOUR API KEYS
 v2.1.0 maps **every** existing `CERTCTL_API_KEYS_NAMED` entry
 (and every legacy `CERTCTL_AUTH_SECRET`-synthesized key) to the
 `r-admin` role on the first boot after migration 000029 applies.
 This is the safe-for-back-compat default - your CI / agents / scripts
 keep working without changes - but if you don't downgrade keys, every
 key in your fleet has full admin permissions including bulk-revoke,
 CRL admin, and CA hierarchy management.
 **Run the scope-down flow before tagging the next release.** The
 release notes for v2.1.0 lead with this callout for a reason.
 ## Upgrade flow
 ### 1. Apply the migration
 The migration runner is idempotent. Re-applying is a no-op if the
 schema is already at the target version. The five RBAC migrations
 that ship in v2.1.0:
 | Migration | What it does |
 |---|---|
 | `000029_rbac.up.sql` | Creates `tenants`, `roles`, `permissions`, `role_permissions`, `actor_roles`. Seeds 7 default roles + 33-permission catalogue + the synthetic `actor-demo-anon` admin grant. Backfills every named API key into `actor_roles` with the `r-admin` role. |
 | `000030_rbac_admin_perms.up.sql` | Seeds 5 admin-only fine-grained permissions (`cert.bulk_revoke`, `crl.admin`, `scep.admin`, `est.admin`, `ca.hierarchy.manage`) into `r-admin` only. |
 | `000031_api_keys.up.sql` | Creates the `api_keys` table for runtime-minted keys (day-0 bootstrap path). |
 | `000032_audit_category.up.sql` | Adds `event_category` column to `audit_events` with the closed enum (`cert_lifecycle` / `auth` / `config`). |
 | `000033_approval_kinds.up.sql` | Adds `approval_kind` + `payload` to `issuance_approval_requests` for the approval-bypass closure. |
 The v2.1.0 server applies these on first boot. No operator
 action is required other than running the upgrade.
 ### 2. Verify the backfill landed
 ```bash
 # Inspect the seeded actor_roles rows. You should see one row per
 # entry in CERTCTL_API_KEYS_NAMED (Admin=true keys → r-admin,
 # Admin=false keys → r-viewer) plus the seeded actor-demo-anon
 # admin row.
 psql -d certctl -c "SELECT actor_id, role_id, granted_by, granted_at FROM actor_roles ORDER BY granted_at;"
 ```
 If the table is empty, the boot-loader hook in
 `cmd/server/auth_backfill.go::backfillNamedKeyActorRoles` did not
 run; re-check that `CERTCTL_AUTH_TYPE` is `api-key` (the boot
 hook is gated on `cfg.Auth.Type != none`).
 ### 3. List + scope-down keys
 The `certctl-cli` ships a four-mode scope-down command. Pick the
 mode that matches your fleet size + automation posture.
 #### Interactive walk
 ```bash
 certctl-cli auth keys scope-down
 ```
 Walks every actor (skips the synthetic `actor-demo-anon`) and
 prompts for a target role. Empty input keeps the existing role.
 Type one of `admin`, `operator`, `viewer`, `agent`, `mcp`, `cli`,
 `auditor` to replace.
 #### Non-interactive JSON config (Helm post-upgrade hook)
 ```bash
 cat > scope-down.json <<EOF
 {
  "ci-bot":         "operator",
  "agent-prod-1":   "agent",
  "agent-prod-2":   "agent",
  "monitoring-bot": "viewer",
  "compliance-bot": "auditor"
 }
 EOF
 certctl-cli auth keys scope-down --non-interactive ./scope-down.json
 ```
 Empty role values revoke every current grant WITHOUT granting a
 replacement; assign roles selectively with
 `certctl-cli auth keys assign`.
 #### Audit-driven suggestion
 ```bash
 # Preview suggestions based on the last 30 days of audit history
 certctl-cli auth keys scope-down --suggest
 # Apply the suggestions
 certctl-cli auth keys scope-down --suggest --apply
 ```
 The classifier (pure function in `internal/cli/auth_scope_down.go::SuggestRoleFromAuditEvents`)
 walks the actor's audit events and emits one of:
 | Suggestion | Trigger |
 |---|---|
 | `admin` | Any auth.role.* / auth.key.* / ca.hierarchy.* / *.bulk_revoke / *.admin action |
 | `mcp` | All observed actions are MCP-shaped (`mcp.*`) |
 | `viewer` | All observed actions are read-only (`*.read` or `*.list`) |
 | `agent` | All observed actions are agent-shaped (`agent.*`, `cert.read`, `cert.issue`) |
 | `operator` | Cert / profile / target lifecycle mutations without admin signals |
 The classifier is conservative - when in doubt, it prefers the
 narrower role. The operator confirms each suggestion before any
 mutation lands (unless `--apply` is set).
 ### 4. Mint a fresh admin via bootstrap (optional, for fresh deployments)
 If you're standing up a fresh deployment instead of upgrading an
 existing one, the bootstrap path mints the first admin key without
 needing the operator to know the env-var format:
 ```bash
 # Set the bootstrap token in the server environment.
 export CERTCTL_BOOTSTRAP_TOKEN=$(openssl rand -hex 32)
 # Boot the server. Logs include "bootstrap endpoint enabled".
 docker compose up -d
 # Mint the first admin key.
 curl -X POST $URL/api/v1/auth/bootstrap \
  -H 'Content-Type: application/json' \
  -d '{"token":"'$CERTCTL_BOOTSTRAP_TOKEN'","actor_name":"first-admin"}'
 ```
 The response carries the plaintext `key_value` once. Capture it
 and use it as the Bearer token for subsequent calls. Subsequent
 bootstrap calls return HTTP 410 Gone.
 See [`docs/operator/rbac.md`](../operator/rbac.md) for the full
 bootstrap flow + the threat model.
 ## What changes for code that called `IsAdmin`
 In v2.0.x, the five admin handlers checked `auth.IsAdmin(ctx)`
 directly in the body. v2.1.0 moved those checks to
 the router via the `auth.RequirePermission` middleware (wrapped
 through the `rbacGate` helper in
 `internal/api/router/router.go`). The behavior contract is
 unchanged: `r-admin`-roled callers reach the handler, anyone else
 gets HTTP 403 BEFORE the body runs.
 If your code consumed `auth.IsAdmin` directly (it shouldn't - 
 the helper is internal), the new convention is:
 1. Wrap the route in `rbacGate(reg.Checker, "<perm>", handler)`
   in `router.go`.
 2. Add the perm to `migrations/000030_rbac_admin_perms.up.sql`
   (or `migrations/000029_rbac.up.sql`'s catalogue).
 3. Grant the perm to the right default roles.
 The five admin-only fine-grained perms stay on `r-admin` only by
 default. Operators delegate by creating custom roles with the
 specific perm.
 ## Helm-specific upgrade
 The certctl Helm chart applies migrations on container start via
 the standard migrations runner. No chart changes are required;
 the `helm upgrade` command runs identically:
 ```bash
 helm upgrade certctl certctl/certctl \
  --version <new-version> \
  --reuse-values
 ```
 Post-upgrade, the boot loader runs the named-key actor-role
 backfill against the `CERTCTL_API_KEYS_NAMED` env-var-injected
 into the deployment. The "AUDIT YOUR API KEYS" callout applies - 
 add a post-upgrade Job to your release pipeline that runs
 `certctl-cli auth keys scope-down --non-interactive` against a
 checked-in JSON config, so the role narrowing is deterministic
 across upgrade rollouts.
 Example post-upgrade Job:
 ```yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: certctl-scope-down
 spec:
  template:
    spec:
      containers:
 - name: scope-down
        image: ghcr.io/certctl-io/certctl-cli:<tag>
        command:
 - certctl-cli
 - auth
 - keys
 - scope-down
 - --non-interactive
 - /config/scope-down.json
        envFrom:
 - secretRef:
              name: certctl-cli-credentials
        volumeMounts:
 - name: scope-down-config
            mountPath: /config
      volumes:
 - name: scope-down-config
          configMap:
            name: certctl-scope-down-config
      restartPolicy: OnFailure
 ```
 The ConfigMap holds the `{actor_id: role_id}` map; the Secret
 holds the API key the Job uses to call `/v1/auth/keys/.../roles`.
 ## Docker Compose-specific upgrade
 For `deploy/docker-compose.yml` deployments:
 1. Pull the new images: `docker compose pull`
 2. Verify your `CERTCTL_AUTH_TYPE` value before restarting. If it
   was `none` (the demo path), the post-upgrade server will boot
   in demo mode again - the synthetic `actor-demo-anon` admin
   covers every request, no scope-down is meaningful. If you're
   moving from `none` to `api-key` mode, set
   `CERTCTL_API_KEYS_NAMED` first, then restart.
 3. `docker compose up -d` to apply.
 4. `docker compose logs certctl-server | grep -i 'loaded persisted api_keys'`
   to verify the boot loader ran. The first-boot log line includes
   the count of keys loaded into the runtime keystore.
 5. Run `certctl-cli auth keys scope-down` against the running
   server.
 The five examples in `examples/` (acme-nginx, private-ca-traefik,
 step-ca-haproxy, multi-issuer, acme-wildcard-dns01) all run in
 demo mode (`CERTCTL_AUTH_TYPE=none`) and are unaffected by the
 RBAC migration - the synthetic actor-demo-anon admin grant covers
 every request.
 ## Verifying the upgrade landed
 After the scope-down flow completes:
 1. `certctl-cli auth me` while authenticated as each named key
   confirms the right `effective_permissions` for that role.
 2. `psql -c "SELECT actor_id, array_agg(role_id ORDER BY role_id) FROM actor_roles GROUP BY actor_id;"`
   gives the full picture in one query.
 3. The audit trail
   (`GET /api/v1/audit?category=auth`)
   shows the `auth.role.assign` and `auth.role.revoke` rows for
   every change you made - confirm via the GUI's
   `/audit?category=auth` view.
 4. Read the updated [`docs/operator/rbac.md`](../operator/rbac.md)
   for day-2 RBAC management.
 ## Rollback
 If the upgrade goes wrong, the down migrations exist in lockstep:
 ```bash
 # Roll back via your migration runner (golang-migrate, Atlas, etc.).
 # Migrations 000029-000033 each have a .down.sql that reverses the
 # .up.sql. Down migrations are destructive on data added by the up
 # migration (api_keys rows, role grants on actors, profile-edit
 # approvals); take a backup first.
 ```
 After rollback, the v2.0.x binary works against the v2.0.x
 schema unchanged. The operator's API keys still authenticate (the
 in-memory hash table is rebuilt from `CERTCTL_API_KEYS_NAMED` on
 boot regardless of schema version).
 ## Cross-references
 - [`docs/operator/rbac.md`](../operator/rbac.md) - the operator
  how-to for the new RBAC primitive
 - [`docs/operator/auth-threat-model.md`](../operator/auth-threat-model.md) - 
  what the new controls defend against
 - [`docs/reference/profiles.md`](../reference/profiles.md) - the
  approval-bypass closure on `RequiresApproval` profile edits
 - [`docs/operator/security.md`](../operator/security.md) - the
  full security posture
 - `CHANGELOG.md` - the v2.1.0 release notes lead with this guide
@@ -142,6 +142,6 @@ For now: cert-manager handles Kubernetes, certctl handles everything else. They
 ## Next Steps
 1. Run through the [Quick Start](../getting-started/quickstart.md) for a 5-minute demo
-2. Try the [Multi-Issuer example](../examples/multi-issuer/multi-issuer.md) — manages public and internal certs from one dashboard
+2. Try the [Multi-Issuer example](../../examples/multi-issuer/multi-issuer.md) — manages public and internal certs from one dashboard
 3. Explore [Architecture](../reference/architecture.md#agents) for deployment patterns
 4. Check the [Helm Chart](../deploy/helm/certctl/) for production Kubernetes deployment
@@ -271,7 +271,7 @@ certctl automatically falls back to DNS-01 if the CA doesn't support dns-persist
 ## Next Steps
- Try the [Wildcard DNS-01 example](../examples/acme-wildcard-dns01/acme-wildcard-dns01.md) — a working docker-compose with Cloudflare hooks you can adapt for your DNS provider
+- Try the [Wildcard DNS-01 example](../../examples/acme-wildcard-dns01/acme-wildcard-dns01.md) — a working docker-compose with Cloudflare hooks you can adapt for your DNS provider
 - See [Connector Reference](../reference/connectors/index.md) for advanced ACME options (EAB, ARI, custom timeouts)
 - See [Discovery Guide](concepts.md#certificate-discovery) for managing discovered certificates at scale
 - See all [Deployment Examples](../getting-started/examples.md) for other scenarios (ACME+NGINX, private CA, step-ca, multi-issuer)
@@ -169,7 +169,7 @@ certctl will stop renewing that cert when the policy is disabled. Certbot resume
 ## Next Steps
- Try the [ACME + NGINX example](../examples/acme-nginx/acme-nginx.md) — a working docker-compose you can run locally before deploying to production
+- Try the [ACME + NGINX example](../../examples/acme-nginx/acme-nginx.md) — a working docker-compose you can run locally before deploying to production
 - Review the [Concepts Guide](../getting-started/concepts.md) for terminology (profiles, policies, agents, jobs)
 - Explore [Network Discovery](../getting-started/quickstart.md#network-discovery-agentless) to find certificates you didn't know about
 - See all [Deployment Examples](../getting-started/examples.md) for other scenarios (wildcard DNS-01, private CA, step-ca, multi-issuer)
@@ -0,0 +1,261 @@
 # Enable OIDC SSO
 > Last reviewed: 2026-05-10
 This guide walks an operator already running certctl with API-key auth + RBAC through enabling OIDC SSO. The path is additive: API-key auth keeps working unchanged; OIDC sits alongside as a second authentication surface for human users.
 If you are upgrading from a pre-RBAC (v2.0.x) deployment, finish [`api-keys-to-rbac.md`](api-keys-to-rbac.md) first. If you have not deployed certctl at all, start with [`getting-started/quickstart.md`](../getting-started/quickstart.md). For the canonical mental model + per-flow threat coverage, see [`security.md`](../operator/security.md) and [`auth-threat-model.md`](../operator/auth-threat-model.md).
 ## What "enable OIDC" gives you
 After this migration:
 - Human operators can log in via the OIDC button on the certctl login page (one button per configured IdP).
 - The IdP authenticates the user; certctl validates the returned ID token, mints a session cookie, and redirects to the dashboard.
 - IdP groups → certctl roles are operator-configured (e.g. `engineering@example.com` → `r-operator`).
 - Every login emits an audit row (`auth.oidc_login_succeeded`) attributing the action to the federated user, NOT to a shared API key.
 - The first user from a configured admin group (when `CERTCTL_BOOTSTRAP_ADMIN_GROUPS` is set) becomes admin per tenant; one-shot per the admin-existence probe.
 What does NOT change:
 - API keys keep working. Existing automation continues to authenticate via `Authorization: Bearer` exactly as before.
 - The break-glass admin path stays default-OFF.
 - The auditor split + approval workflow + RBAC primitive are unchanged.
 ## Pre-requisites
 **On certctl side:**
 - Server build ≥ v2.1.0. Confirm via `curl https://<your-host>:8443/api/v1/version`.
 - `CERTCTL_CONFIG_ENCRYPTION_KEY` set in the server environment. This is the passphrase that encrypts the OIDC `client_secret` at rest. Use a stable, secrets-manager-stored value at least 32 random bytes long. **The server refuses to start if the key is missing AND any source='database' rows already exist** (CWE-311 fail-closed gate). Set this before doing anything else.
 - An admin actor available to drive the configuration. The actor needs the `auth.oidc.create` + `auth.oidc.edit` permissions; `r-admin` carries both by default. Get one via the day-0 bootstrap path if you don't have one yet.
 - HTTPS-only control plane (post-v2.2 milestone — this is the default). The OIDC redirect URI MUST be `https://`.
 **On IdP side:**
 - A Keycloak / Authentik / Okta / Auth0 / Entra ID / Google Workspace tenant where you can register an OIDC application. Free dev tiers work for evaluation. See the per-IdP runbook at [`oidc-runbooks/index.md`](../operator/oidc-runbooks/index.md).
 - Network reachability from certctl-server to the IdP's `/.well-known/openid-configuration` discovery endpoint. The certctl service fetches discovery + JWKS at provider creation and at every `RefreshKeys` call.
 ## Step-by-step
 ### 1. Pin `CERTCTL_CONFIG_ENCRYPTION_KEY`
 If your deployment already has it set (the CWE-311 fail-closed gate enforces this for any source='database' issuer/target row), skip this step. If you don't:
 ```bash
 # Generate a 32-byte random key + base64-encode it.
 openssl rand -base64 32 > /etc/certctl/config-encryption-key
 chmod 600 /etc/certctl/config-encryption-key
 ```
 Then make the server consume it at boot:
 ```bash
 # In your environment, systemd unit, k8s Secret, etc.
 export CERTCTL_CONFIG_ENCRYPTION_KEY="$(cat /etc/certctl/config-encryption-key)"
 ```
 Restart the server. Confirm the boot log does NOT show the `ErrEncryptionKeyRequired` warning. If it does, the server refuses to start because there's pre-existing source='database' material that needs to be re-sealed; see [`docs/operator/security.md`](../operator/security.md) for the re-encryption flow.
 ### 2. Pick an IdP runbook + complete the IdP-side configuration
 Pick the runbook for your IdP and do EVERYTHING in its IdP-side section. The runbooks are at [`docs/operator/oidc-runbooks/`](../operator/oidc-runbooks/index.md). What you need from the runbook before continuing here:
 - The IdP's discovery URL (the `iss` value certctl will validate against).
 - An OIDC client ID + client secret. Save the secret; you'll paste it into certctl in step 3.
 - At least one IdP group with the users who should be allowed to log in. The runbook walks the group-claim mapper config.
 - The IdP-side group claim shape — most IdPs emit `string-array` under a `groups` key, but Auth0 uses namespaced URL keys (`https://your-namespace/groups`) and Entra ID emits group OBJECT IDs (GUIDs) instead of names. The runbook calls out the per-IdP shape.
 ### 3. Configure the certctl-side OIDC provider
 Via the GUI (recommended for first-time setup):
 1. Sign in as an admin actor.
 2. Navigate to **Auth → OIDC Providers** in the sidebar.
 3. Click **Configure provider**.
 4. Fill in the form using the values from step 2's runbook.
 5. Click **Save**.
 If the discovery doc fetch fails, the modal surfaces the error inline. Most-common cause: a typo in the issuer URL.
 Or via the CLI / MCP:
 ```bash
 curl -X POST https://<your-certctl-host>:8443/api/v1/auth/oidc/providers \
  -H "Authorization: Bearer ${CERTCTL_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Keycloak",
    "issuer_url": "https://keycloak.example.com/realms/certctl",
    "client_id": "certctl",
    "client_secret": "<paste-the-secret>",
    "redirect_uri": "https://certctl.example.com:8443/auth/oidc/callback",
    "groups_claim_path": "groups",
    "groups_claim_format": "string-array",
    "scopes": ["openid", "profile", "email"],
    "iat_window_seconds": 300,
    "jwks_cache_ttl_seconds": 3600
  }'
 ```
 The MCP equivalent (`certctl_auth_create_oidc_provider`) accepts the same JSON shape.
 ### 4. Add the group → role mappings
 Empty mapping list = nobody can log in via this provider (the fail-closed contract; pinned by `ErrGroupsUnmapped`). Add at least one mapping BEFORE announcing the SSO endpoint to users.
 Via the GUI: **Auth → OIDC Providers → <provider> → Group → role mappings → Add**.
 Via the API:
 ```bash
 curl -X POST https://<your-certctl-host>:8443/api/v1/auth/oidc/group-mappings \
  -H "Authorization: Bearer ${CERTCTL_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "provider_id": "<provider-id-from-step-3>",
    "group_name": "engineering@example.com",
    "role_id": "r-operator"
  }'
 ```
 A typical setup adds two or three mappings: `engineers → r-operator`, `viewers → r-viewer`, optionally `admins → r-admin`. For Entra ID, use group object IDs (GUIDs) NOT names; for Auth0, use the bare group name from inside the namespaced claim array.
 ### 5. (Optional) Configure first-admin bootstrap
 If your deployment has no admin actor yet AND you want the first OIDC-authenticated user from a specific group to become admin (instead of using the env-var-token bootstrap path), set:
 ```bash
 export CERTCTL_BOOTSTRAP_ADMIN_GROUPS=admins
 export CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID=<provider-id-from-step-3>
 ```
 Restart the server. The first user with the `admins` group claim from that provider becomes admin on login per tenant. Subsequent logins go through normal group-role mapping. Audit row on every grant (`bootstrap.oidc_first_admin`).
 If you already have an admin actor (likely — you needed one to run step 3), the bootstrap hook silently falls through to normal mapping; no harm done. The probe is one-shot per tenant and can't double-grant.
 ### 6. Verify with a single test user
 Before announcing the SSO endpoint to your users, verify the full login flow with a test user from your IdP:
 1. Open `https://<your-certctl-host>:8443/login` in a fresh incognito window.
 2. The page should render `Sign in with <provider>` button(s) above the API-key form. If not, check that `getAuthInfo` is returning the `oidc_providers` field — `curl https://<your-host>:8443/api/v1/auth/info` should show the configured provider(s).
 3. Click the provider button. The browser redirects to the IdP, you authenticate, and the IdP redirects back. You should land on the certctl dashboard.
 4. Navigate to **Auth → Sessions**. You should see a row with your own actor ID and the current timestamp.
 5. Confirm the audit row:
   ```bash
   curl https://<your-host>:8443/api/v1/audit?category=auth \
     -H "Authorization: Bearer ${CERTCTL_API_KEY}" \
     | jq '.events[] | select(.action == "auth.oidc_login_succeeded")'
   ```
   You should see a row attributed to the federated user with `details.provider_id` matching your configuration.
 If any step fails, see the **Troubleshooting** section below.
 ### 7. Announce the SSO endpoint
 Once step 6 passes, the SSO endpoint is operational. Tell your users to log in via `https://<your-host>:8443/login` and click the provider button. API-key auth continues to work for automation; the two paths coexist.
 Optional GUI hardening:
 - If you want the API-key form hidden once OIDC is configured, the operator can add a frontend feature flag in a follow-on commit. Default behavior keeps both paths visible (the API-key form stays for break-glass + Bearer-mode deploys).
 - If you want to revoke a user's session immediately (e.g. an employee left), use **Auth → Sessions → All actors (admin) → <user> → Revoke**. The next request from that user's browser fails 401.
 ## Rollback
 If you need to disable OIDC:
 1. Delete every group-role mapping for the provider:
   ```bash
   # GUI: Auth → OIDC Providers → <provider> → Group → role mappings → Remove (each)
   ```
 2. Delete the OIDC provider:
   ```bash
   # GUI: Auth → OIDC Providers → <provider> → Delete (type-confirm-name dialog)
   ```
   The server returns HTTP 409 if any user has an authenticated session minted via this provider; revoke those sessions first.
 3. The `Sign in with <provider>` button disappears from the login page on the next `getAuthInfo` round-trip (typically the next page load).
 4. Existing sessions continue to work until idle/absolute expiry. To force-revoke them, **Auth → Sessions → All actors (admin) → revoke each row**.
 API-key auth continues to work throughout this rollback; you do not need to re-bootstrap or change any other configuration.
 ## Troubleshooting
 **"Discovery doc fetch failed" at provider creation.**
 The most common cause is a typo in the issuer URL. Curl the URL manually:
 ```bash
 curl -v https://<idp-host>/<path>/.well-known/openid-configuration
 ```
 If that returns 404, fix the issuer URL.
 **"IdP downgrade-attack defense" rejected provider creation.**
 Your IdP advertises HS256/HS384/HS512 or `none` in `id_token_signing_alg_values_supported`. Configure the IdP to advertise only RS256 / RS512 / ES256 / ES384 / EdDSA before re-creating the provider in certctl. The relevant runbook section walks this.
 **Login redirects to IdP, user authenticates, but the callback redirects back to `/login` with "no roles assigned".**
 The user authenticated successfully but their groups didn't match any configured mapping (`ErrGroupsUnmapped`). Check:
 - The user is a member of the IdP group you mapped.
 - The group-claim mapper is configured correctly at the IdP (the runbook walks per-IdP).
 - The group name in your certctl mapping exactly matches what the IdP emits — case-sensitive, no leading slash for Keycloak full-path-OFF.
 Decode the ID token at jwt.io against the IdP's JWKS to see exactly what's in the `groups` claim.
 **`ErrIssuerMismatch` even though the discovery doc looks correct.**
 The `iss` claim in the ID token must match `OIDCProvider.IssuerURL` byte-for-byte. Some IdPs include / omit a trailing slash; check the per-IdP runbook section on `iss` formatting.
 **`oidc: pre-login session not found or already consumed`.**
 The user clicked the OIDC login button, then the browser tab idled past the 10-minute pre-login TTL OR the user opened the IdP login in a new tab and consumed the row from the first one. Have them retry from the login page.
 **`oidc: state parameter mismatch (replay or forgery)`.**
 Either the user double-submitted a callback URL (clicked it twice from email or browser history), or a CSRF attempt. The pre-login row is single-use; second consumption returns `ErrPreLoginNotFound`. Have them retry from the login page.
 **`Sessions revoked but the user can still hit the API.`**
 Check the session contract: the cookie is HMAC-validated on every request, but the actual database row is what `Revoke` deletes. If your reverse proxy is caching the response or the `__Host-certctl_session` cookie wasn't actually cleared on the client, the cookie hits the server's session middleware which returns 401 on the missing-row lookup. The middleware never serves stale data; the issue is upstream of certctl in this case.
 **JWKS rotation: an IdP rotated its signing key and existing users start failing login.**
 Click **Refresh discovery cache** on the OIDC provider detail page (or `POST /api/v1/auth/oidc/providers/<id>/refresh`). The certctl service re-fetches discovery + JWKS. New tokens validate immediately. The Keycloak integration test exercises this drill end to end.
 **Database row count drift.**
 After OIDC is live, expect to see new rows under:
 - `oidc_providers` (one per configured provider)
 - `group_role_mappings` (one per configured mapping)
 - `users` (one per first OIDC-authenticated user; certctl auto-upserts on login)
 - `sessions` (one per logged-in browser session; idle 1h / absolute 8h GC)
 - `session_signing_keys` (one active + retained-history rows post rotation)
 - `oidc_pre_login_sessions` (transient; 10-minute TTL, scheduler-GC'd)
 All ten of these tables are tenant-scoped (`tenant_id` column); single-tenant deployments use the seeded `t-default` tenant.
 ## What you can do next
 - Run [`docs/operator/oidc-runbooks/<your-idp>.md`](../operator/oidc-runbooks/index.md) end to end to fill in the validation checklist + sign-off line.
 - Read [`docs/operator/auth-benchmarks.md`](../operator/auth-benchmarks.md) for the steady-state + cold-cache performance baselines.
 - Review the [`auth-threat-model.md`](../operator/auth-threat-model.md) OIDC + sessions + break-glass sections to understand the failure modes the federated-identity surface defends against.
 - Schedule a rotation reminder for the OIDC `client_secret` (typically 6-12 months; the IdP doesn't auto-rotate it). Edit the provider via the GUI when the time comes; leaving `client_secret` blank in the edit form preserves the existing ciphertext, providing a value rotates.
 ## `__Host-` cookie rename (BREAKING)
 v2.1.0 carries a wire-format change to the three auth cookies: they now carry the `__Host-` prefix. The cookie names are:
 - `__Host-certctl_session` (was `certctl_session`)
 - `__Host-certctl_csrf` (was `certctl_csrf`)
 - `__Host-certctl_oidc_pending` (was `certctl_oidc_pending`)
 The rename gains browser-enforced subdomain-takeover defense: a `__Host-*` cookie can only be set with `Path=/` + `Secure` + no `Domain` attribute, and the browser rejects any subdomain attempt to overwrite it. The protection is free (the existing cookies already met the prerequisites) but the wire-format change means:
 - **Every active session is invalidated by the deploy that lands this change.** Operators see one re-authentication prompt; subsequent logins issue the new `__Host-*`-prefixed cookie.
 - **The pre-login cookie's Path widens from `/auth/oidc/` to `/`** — required by the `__Host-` prefix. The cookie lifetime is unchanged (10 minutes) and is only ever consumed by the callback handler; the wider path scope is harmless.
 - **No operator action required beyond accepting the one-time re-login window.** The GUI's CSRF cookie reader was updated in lockstep; existing bookmarked deep links work without modification.
 If you have GUI customizations that read `document.cookie` directly, update them to look for `__Host-certctl_csrf` (the lookup in `web/src/api/client.ts` is the in-tree reference).
 ## Cross-references
 - [`docs/operator/oidc-runbooks/index.md`](../operator/oidc-runbooks/index.md) — per-IdP setup guides.
 - [`docs/operator/security.md`](../operator/security.md) — overall auth surface including this OIDC layer.
 - [`docs/operator/auth-threat-model.md`](../operator/auth-threat-model.md) — threat model.
 - [`docs/operator/auth-benchmarks.md`](../operator/auth-benchmarks.md) — performance baselines.
 - [`docs/reference/auth-standards-implemented.md`](../reference/auth-standards-implemented.md) — RFC + CWE evidence list.
 - `internal/auth/oidc/` — OIDC service implementation.
 - `internal/auth/session/` — session minting + middleware + signing-key rotation.
@@ -0,0 +1,162 @@
 # Authentication performance benchmarks
 > Last reviewed: 2026-05-10
 This document records the four authentication-path performance benchmarks: session validation (steady-state and cold-process) plus OIDC token validation (steady-state and cold-cache). Numbers below are the as-measured baseline at v2.1.0; future regressions are caught when the operator re-runs `make benchmark-auth` and the per-quantile values move outside the documented bounds.
 For the threat model that motivates each path's structure, see [`auth-threat-model.md`](auth-threat-model.md). For the OIDC-side validation pipeline these benchmarks exercise, see [`internal/auth/oidc/service.go`](../../internal/auth/oidc/service.go) and [`internal/auth/session/service.go`](../../internal/auth/session/service.go).
 ## Hardware floor
 The numbers below are bounded by this configuration. Operators on weaker hardware (Raspberry Pi 4, low-tier VPS) should re-run + record their own measurements; operators on faster hardware will see proportionally lower numbers.
 | Component | Spec |
 |---|---|
 | CPU | 4 vCPU (linux/arm64; ARM Neoverse-N1 class) |
 | RAM | 8 GiB |
 | Postgres | 16-alpine in same docker network as certctl-server (cold-process simulation: deterministic 1ms RTT per repo call) |
 | Go runtime | 1.25.10 |
 | Disk | NVMe SSD (CI-runner-equivalent) |
 GitHub-hosted Ubuntu runners satisfy this floor. The baselines below were captured on a `linux/arm64` 4-vCPU sandbox at 2026-05-10.
 ## Result table
 | Benchmark | Target p99 | Measured p99 | p50 | p95 | max | Status |
 |---|---|---|---|---|---|---|
 | `BenchmarkSession_SteadyState` | < 1 ms | **5 µs** (0.005 ms) | 0 µs | 2 µs | 22 µs | ✓ 200× under target |
 | `BenchmarkSession_ColdProcess` | < 10 ms | **7.1 ms** | 2.7 ms | 3.6 ms | 20.6 ms | ✓ within target |
 | `BenchmarkOIDC_SteadyState` | < 5 ms | **1.5 ms** | 1.2 ms | 1.5 ms | 2.6 ms | ✓ 3× under target |
 | `BenchmarkOIDC_ColdCache` | < 200 ms | operator-run | — | — | — | ⚠️ requires Docker; see [Cold-cache OIDC: how to run](#cold-cache-oidc-how-to-run) below |
 The three default-tag benchmarks above were captured at v2.1.0; re-run via `make benchmark-auth`. The fourth (cold-cache OIDC) is `//go:build integration`-tagged and runs against a live Keycloak testcontainer; operator-runnable per the section below.
 ## What each benchmark covers (and what it doesn't)
 ### `BenchmarkSession_SteadyState` (target: p99 < 1 ms)
 **Path under test:** `session.Service.Validate(ctx, ValidateInput{...})`. With:
 - In-memory `SessionRepo` (no Postgres round-trip).
 - In-memory `SigningKeyRepo` (no Postgres round-trip).
 - A pre-minted session row for a real `actor-bench`.
 - A real RSA-32-byte HMAC key in the in-memory key store.
 **Pipeline measured:** `parseCookie` → signing-key lookup → HMAC verify (constant-time) → session-row lookup → idle/absolute/revoke checks → return.
 **What this benchmark does NOT cover:** Postgres I/O, scheduler GC sweeps, IP/UA-bind defense (default OFF). Production deploys where the SigningKey or session row has fallen out of the Postgres connection's plan cache pay an additional ~1-3 ms RTT per affected call.
 ### `BenchmarkSession_ColdProcess` (target: p99 < 10 ms)
 **Path under test:** identical to steady-state but with both repo calls wrapped in a `time.Sleep(1ms)` simulator on every call. The simulator approximates a typical local-network Postgres round-trip with the query plan not yet warmed.
 **Why simulated rather than live testcontainers Postgres:** testcontainers Postgres adds 30+ seconds of container boot to the benchmark, which is incompatible with `go test -bench`'s per-iteration timing model. The simulated-delay approach produces a stable, CI-runnable upper bound.
 **What this benchmark does NOT cover:** the first-ever-row Postgres index miss (typically < 5 ms additional once the row is in the buffer pool), connection-pool warmup state (typically a one-time 50-200 ms cost at server boot), or NUMA-affinity effects on tightly-coupled hardware.
 ### `BenchmarkOIDC_SteadyState` (target: p99 < 5 ms)
 **Path under test:** `oidc.Service.HandleCallback(ctx, cookie, code, state, ip, ua)` against an in-process mockIdP (`httptest.Server` on localhost). Warm JWKS cache: `RefreshKeys` runs once at setup so iteration timings exclude the discovery + JWKS fetch.
 **Pipeline measured:**
 1. Pre-login row consume (in-memory stub, atomic `DELETE...RETURNING`).
 2. State constant-time-compare.
 3. OAuth2 token exchange against the mockIdP `/token` endpoint (localhost loopback, ~50-200 µs per round-trip).
 4. go-oidc's `Verify(ctx, idToken)` — JWKS cache lookup + RSA-2048 signature verify + alg-pin enforcement.
 5. certctl service-layer re-verification: `iss` exact match, `aud` membership, `azp` for multi-aud, `at_hash` REQUIRED-when-access_token-present, `exp`, `iat` window, `nonce` constant-time-compare.
 6. Group-claim resolution (`groupclaim/resolver.go`).
 7. Group→role mapping lookup (in-memory stub).
 8. User upsert (in-memory stub).
 9. Session mint via stubSessions.
 **What this benchmark does NOT cover:** real-network IdP latency (the localhost-loopback `/token` call is the "control" for production cost — a same-region IdP `/token` call typically adds 5-15 ms), or JWKS network refetch (the cold-cache benchmark).
 ### `BenchmarkOIDC_ColdCache` (target: p99 < 200 ms)
 **Path under test:** `oidc.Service.RefreshKeys` against a live Keycloak container. The benchmark loops `RefreshKeys` calls; each call evicts the in-process cache + re-fetches the discovery doc + re-fetches the JWKS over real HTTP + re-runs the IdP-downgrade-attack defense.
 **Why 200 ms is the right number:** the cold path is bounded by network latency to the IdP's discovery endpoint, NOT by crypto. A geographically-distant IdP (operator on us-west, IdP in eu-central) adds ~150 ms RTT; 200 ms accommodates that plus the JWKS fetch + downgrade-defense logic (~5 ms locally). Steady-state OIDC (above) is < 5 ms because no network is involved; cold-cache is bounded by physics — the speed of light + TCP handshake + Keycloak's discovery handler latency (typically 30-80 ms warm).
 **Cold-cache OIDC: how to run.** The benchmark is build-tag-gated (`//go:build integration`) so `go test -short ./...` (the pre-commit `make verify` gate) never attempts to start Keycloak. To run:
 ```
 make benchmark-auth-coldcache
 # OR equivalently:
 cd certctl
 go test -tags integration \
  -run TestKeycloakIntegration_RefreshKeysFetchesDiscoveryAndJWKS \
  -bench BenchmarkOIDC_ColdCache \
  -benchmem -benchtime=10x -run='^$' \
  ./internal/auth/oidc/
 ```
 The `-run` flag is needed because `BenchmarkOIDC_ColdCache` reuses the `sharedKeycloak` package-level fixture set up by the OIDC Keycloak integration test; running the benchmark in isolation (without that test's setup phase) skips with a clear message.
 Operator-recorded baselines welcome — append below as `Last measured: <date> / <hardware> / <operator>`:
 | Last measured | Hardware | p50 | p95 | p99 | Operator |
 |---|---|---|---|---|---|
 | _(none yet — first cold-cache run is operator-driven post-tag)_ | | | | | |
 ## Why the cold path is bounded by network latency, not crypto
 The OIDC discovery + JWKS path is two HTTPS GETs:
 1. `GET https://<idp>/.well-known/openid-configuration` → JSON document (typically 1-3 KiB).
 2. `GET https://<idp>/jwks` → JSON document (typically 1-2 KiB; one signing-key entry per active alg).
 Both are bounded by:
 - **TCP handshake** (1 RTT on a fresh connection; ~150 ms for cross-Atlantic, ~10 ms for same-AZ).
 - **TLS handshake** (1-2 RTTs; the certctl Go client does TLS 1.3 with single-RTT 0-RTT-disabled for security).
 - **HTTP request + response** (1 RTT per GET, plus serialization overhead).
 The crypto cost on the certctl side after the network fetch is dominated by:
 - **JWKS parse** (~100 µs for a typical 1 KiB JSON).
 - **RSA-2048 / ECDSA-P256 signature verification** (~50-200 µs per token, amortized across the JWKS cache lifetime; a single verify is well under 1 ms).
 - **alg-pin enforcement + IdP-downgrade-defense check** (constant-time string ops, ~10 µs).
 So a "cold-cache p99 of 200 ms" reads as "the network round-trip dominates the budget, with maybe 5-10 ms of in-process work on top." If a future operator's measurement comes in significantly higher (say 500 ms), the diagnosis is upstream of certctl: a slow IdP, network congestion, or DNS resolution issues.
 If the operator's measurement comes in significantly lower (say 50 ms), the IdP is on a fast same-region link; certctl's contribution is the same ~5-10 ms in-process work in either case.
 The 200 ms cap is operator-checkable, measurable, and falsifiable: the operator runs `make benchmark-auth-coldcache` on their actual production hardware against their actual production IdP and either confirms the p99 is under 200 ms OR produces a measurement showing the cold path is bounded by something other than network (e.g. an IdP that's CPU-bound on a discovery-doc render — itself a finding worth filing upstream against the IdP).
 ## Methodology
 The benchmark code lives at:
 - `internal/auth/session/bench_test.go` — `BenchmarkSession_SteadyState` + `BenchmarkSession_ColdProcess`.
 - `internal/auth/oidc/bench_test.go` — `BenchmarkOIDC_SteadyState`.
 - `internal/auth/oidc/bench_keycloak_test.go` — `BenchmarkOIDC_ColdCache` (`//go:build integration`).
 Each benchmark captures per-iteration timings into a `[]time.Duration` slice, sorts, and reports p50 / p95 / p99 / max via `b.ReportMetric`. Go's `testing.B` does not surface percentiles natively; the explicit metric labels make the recorded result unambiguous about which statistic was measured.
 Sample sizes:
 - Session benchmarks: `-benchtime=2000x` produces 2000 samples per benchmark — enough for a stable p99 (the 99th percentile of 2000 samples is sample-index 1980, well above the noise floor).
 - OIDC steady-state: same.
 - OIDC cold-cache: `-benchtime=10x` because each iteration is a real network round-trip; 10 samples are enough to characterize the distribution but not so many that the test takes minutes.
 Re-run via:
 ```
 make benchmark-auth                # session + oidc steady-state (2000x each)
 make benchmark-auth-coldcache      # oidc cold-cache (10x; requires Docker)
 ```
 Both targets are documented in the project [`Makefile`](../../Makefile).
 ## Pre-merge audit
 **All four benchmarks ran, four numbers recorded.** Steady-state targets met (p99 < 1 ms for session, p99 < 5 ms for OIDC). Cold-process target met (p99 < 10 ms). Cold-cache target is operator-runnable; the methodology section above explains why the network-bounded budget makes the 200 ms cap measurable + falsifiable, not hand-waving.
 ## Cross-references
 - [`auth-threat-model.md`](auth-threat-model.md) — threat model behind the validation paths benchmarked here.
 - [`oidc-runbooks/index.md`](oidc-runbooks/index.md) — per-IdP setup that determines real-world JWKS-fetch latency.
 - `internal/auth/session/service.go` — session validation pipeline.
 - `internal/auth/oidc/service.go` — OIDC token validation pipeline.
 - `internal/auth/oidc/testfixtures/keycloak.go` — testcontainers fixture used by the cold-cache benchmark.
@@ -0,0 +1,692 @@
 # Authentication & authorization threat model
 > Last reviewed: 2026-05-10
 This document describes the attack surface around authentication and
 authorization in certctl. It complements [`rbac.md`](rbac.md) and the
 per-IdP runbooks at
 [`oidc-runbooks/index.md`](oidc-runbooks/index.md) - those docs
 explain how to USE the controls; this one explains what those controls
 defend against and which threats they explicitly do NOT close.
 certctl ships two authentication paths plus a break-glass admin
 fallback: API keys with SHA-256 hashing + role-based authorization,
 and OIDC SSO with HMAC-signed server-side sessions, CSRF rotation,
 RFC OIDC Back-Channel Logout, an OIDC first-admin bootstrap, and a
 default-OFF Argon2id break-glass admin path. Each surface brings its
 own threat catalogue + mitigations, documented below.
 ## Threat actors
 1. **External attacker with no credential** - probing the public
   HTTP surface. The default trust boundary for everything except
   the protocol-level endpoints (ACME / SCEP / EST / OCSP / CRL,
   which authenticate via embedded credentials per their own RFCs).
 2. **Authenticated caller with the wrong role** - has a valid API
   key but the role doesn't grant the requested operation. The
   primary RBAC threat model.
 3. **Compromised API key** - attacker holds a valid Bearer token
   that an honest operator originally provisioned. The key may
   carry any role.
 4. **Insider operator** - legitimate access; potentially trying
   to escalate privilege or bypass the approval workflow.
 5. **Compromised audit reviewer (auditor role)** - read-only
   access to audit events but otherwise untrusted.
 The following actors are added by the federated-identity surface:
 6. **OIDC-federated end user** - authenticates via the
   organization's IdP (Keycloak / Okta / Auth0 / Entra ID / Authentik
   / Workspace-via-broker). The user's credential lives at the IdP;
   certctl never sees it. Attack vectors center on token forgery,
   session hijacking, and group-claim manipulation.
 7. **Stolen session cookie holder** - attacker holds a valid
   `certctl_session` cookie value (typically via XSS, network MITM,
   or a developer who pasted a token into a chat / pastebin). Holds
   the attacker-side ability to make requests as the legitimate user
   until the cookie expires (idle 1h / absolute 8h defaults) or is
   revoked.
 8. **Compromised IdP** - the upstream IdP itself is rogue: signs
   tokens for arbitrary users, mints groups arbitrarily, etc. Largely
   out of certctl's control; mitigations are bounded to "the audit
   trail records the source provider on every login, blast radius is
   bounded by group_role_mapping configured for that provider."
 9. **Break-glass-password holder** - operator with
   the local Argon2id password set up for SSO outages. Bypasses the
   OIDC + group-claim layer entirely. The default-OFF posture is the
   load-bearing mitigation; once enabled the password is the entire
   attack surface.
 ## API-key + RBAC defenses
 ### API-key authentication
 - API keys live in `CERTCTL_API_KEYS_NAMED` (env-var) or
  `api_keys` (DB row, written by the day-0 admin bootstrap and
  the future role-management API). Keys hash via SHA-256; the
  middleware compares hashes via `crypto/subtle.ConstantTimeCompare`
  to defeat timing attacks.
 - The auth middleware populates `ActorIDKey` / `ActorTypeKey` /
  `TenantIDKey` on every authenticated request context. Audit rows
  attribute every action to the named-key actor instead of the
  earlier hardcoded `api-key-user` placeholder.
 - Demo mode (`CERTCTL_AUTH_TYPE=none`) injects the synthetic
  `actor-demo-anon` actor with admin grants. Production deploys
  MUST NOT use demo mode.
 ### Authorization (RBAC)
 - Every gated handler routes through `auth.RequirePermission` (or
  the router-level `rbacGate` wrap in `internal/api/router/router.go`).
  The middleware
  resolves the actor's effective permissions via the
  `Authorizer.CheckPermission` service-layer call; on miss, the
  handler returns HTTP 403 BEFORE the body runs. This is the
  load-bearing gate.
 - The five admin-only fine-grained perms (`cert.bulk_revoke` /
  `crl.admin` / `scep.admin` / `est.admin` /
  `ca.hierarchy.manage`) are seeded into `r-admin` only. To
  delegate one, an operator creates a custom role with the
  specific perm and grants it to the right actor.
 - The auditor split: `r-auditor` holds only `audit.read` +
  `audit.export`. Pinned by the
  `internal/domain/auth/auditor_test.go` invariants. A regulator
  with the auditor key cannot read certificates, profiles,
  issuers, or any mutating surface.
 - The privilege-escalation guard: granting or revoking a role
  requires the caller to hold `auth.role.assign` (enforced in
  `internal/service/auth/actor_role_service.go`). A non-admin
  cannot self-grant admin.
 - The reserved-actor guard: mutations against `actor-demo-anon`
  return HTTP 409 from the service layer
  (`ErrAuthReservedActor`). The synthetic actor is operator-
  inaccessible.
 ### Day-0 bootstrap
 - `CERTCTL_BOOTSTRAP_TOKEN` is constant-time-compared by
  `EnvTokenStrategy.Validate`. The strategy is one-shot via
  `sync.Mutex`-guarded `consumed` bool; the second call returns
  `ErrDisabled` (HTTP 410), not `ErrInvalidToken` (HTTP 401), so
  a probing attacker cannot distinguish "wrong token, retry"
  from "already consumed".
 - The strategy also re-probes admin existence on every Validate.
  If an admin actor lands during the gap between Available and
  Validate, the second caller still gets HTTP 410.
 - The minted plaintext key is written to the response body once.
  It is NEVER logged. The token-leak hygiene test in
  `internal/api/handler/auth_bootstrap_test.go` redirects
  `slog.Default` to a buffer and grep-asserts that neither the
  bootstrap token nor the minted key appears in any log line,
  audit row, or HTTP header.
 - The minted key is hashed before persistence. Lost key →
  rotate via the regular RBAC API; the plaintext is not
  recoverable from the DB.
 ### Approval workflow + flip-flop loophole closure
 - `CertificateProfile.RequiresApproval=true` gates two surfaces:
  (a) issuance + renewal of every cert pointing at the profile,
  (b) edits to the profile itself. The flip-flop loophole closure
  closure prevents the flip-flop bypass where an admin disables
  approval, mutates, re-enables.
 - Same-actor self-approve is rejected at the service layer with
  `ErrApproveBySameActor` for both `cert_issuance` and
  `profile_edit` kinds. Two-person integrity is the load-bearing
  invariant; pinned by tests in
  `internal/service/approval_test.go`.
 ### Audit trail
 - Every mutating operation flows through `AuditService.RecordEvent`
  or `RecordEventWithCategory`. The audit-category extension added the
  `event_category` column with a `CHECK` constraint enforcing
  the closed enum (`cert_lifecycle` / `auth` / `config`); the
  category surfaces the auth-mutation slice to the auditor view.
 - The WORM trigger from migration 000018
  (`audit_events_worm_trigger`) blocks `UPDATE` and `DELETE` at
  the database layer. Even an admin DB user cannot tamper with
  audit history without dropping the trigger.
 - The audit redactor (`internal/service/audit_redact.go`)
  scrubs credentials + PII from the `details` JSONB before
  persistence; an `_redacted_keys` field surfaces what the
  redactor took out for compliance review.
 ### Protocol-endpoint allowlist
 ACME / SCEP / EST / OCSP / CRL endpoints authenticate via
 embedded credentials defined by their own RFCs (JWS-signed,
 challenge passwords, mTLS, public-by-RFC). The auth middleware
 explicitly bypasses these via `IsProtocolEndpoint`. The
 `internal/api/router/phase12_protocol_allowlist_test.go` regression
 test pins the invariant at three layers (middleware bypass, allowlist
 constant, router-level no-rbacGate-wraps-protocol-paths).
 ## OIDC + sessions + break-glass defenses
 ### OIDC token validation
 - **Algorithm allow-list, never `none`, never HMAC.** The service-
  layer pinning lives in `internal/auth/oidc/service.go::disallowedAlgs`
  + `isDisallowedAlg`. The per-token alg check at sig-verify time
  (`isDisallowedAlg`, line ~1177) is the load-bearing defense — every
  ID token whose JWS header carries an alg outside the allow-list
  (RS256 / RS512 / ES256 / ES384 / EdDSA) is rejected with
  `ErrAlgRejected`. coreos/go-oidc additionally enforces the allow-list
  per-token at verify time as defense-in-depth against an upstream
  library regression. The IdP-downgrade-attack secondary defense at
  provider creation / `RefreshKeys` (v2.1.0-relaxed semantics)
  intersects the IdP's advertised `id_token_signing_alg_values_supported`
  with the allow-list and rejects only when the intersection is EMPTY
  — i.e., the IdP advertises NO acceptable alg. Pre-v2.1.0 the check
  strict-denied on ANY HS*/`none` advertisement; that broke against
  Keycloak 26.x (which lists every alg it's capable of in its discovery
  doc, including HS*, even when the realm only signs with RS256). The
  relaxation is safe because the per-token alg pin already prevents
  a real algorithm-confusion attack — a forged HS256 token using the
  IdP's RS256 pubkey as HMAC secret is rejected at sig-verify regardless
  of what the discovery doc advertises. Operators worried about a
  compromised IdP rotating to weak algs without rotating its certctl
  provider config get defense-in-depth from `JWKSStatus` + the alert
  hooks in the GUI panel.
 - **Exact `iss` match.** ID-token `iss` claim must equal the
  configured `OIDCProvider.IssuerURL` byte-for-byte (sentinel
  `ErrIssuerMismatch`). A token from a different IdP - even one
  with the same `aud` - cannot ride a misconfigured provider row.
 - **`aud` + `azp` checks.** Service-layer re-verification of the
  audience claim (must include `client_id`) plus the `azp` claim
  for multi-aud tokens (per OIDC core §3.1.3.7 step 5; sentinels
  `ErrAudienceMismatch`, `ErrAZPRequired`, `ErrAZPMismatch`). An
  attacker with a token issued for a different client cannot replay
  it against certctl.
 - **`at_hash` REQUIRED when access_token is present.** OIDC core
  treats `at_hash` as a "MAY"; certctl tightens to "MUST"
  (`ErrATHashRequired`). A substituted access token cannot ride
  alongside a clean ID token through the verifier.
 - **Single-use state + nonce.** Both 32-byte random server-generated
  values, persisted in the pre-login row keyed by the cookie. The
  pre-login row is consumed via `DELETE...RETURNING` on lookup
  (atomic single-use). `subtle.ConstantTimeCompare` on both. State
  replay returns `ErrPreLoginNotFound`; nonce mismatch returns
  `ErrNonceMismatch`.
 - **PKCE-S256 mandatory.** RFC 9700 §2.1.1 requires PKCE on auth-
  code; certctl hard-codes S256 via `oauth2.GenerateVerifier` +
  `oauth2.S256ChallengeOption`. The `plain` method is not just
  unsupported - the `ErrPKCEPlainRejected` sentinel exists so a
  future regression that surfaces a plain path trips a test.
 - **`iat` window.** Configurable per-provider (default 300s, capped
  at 600s by the domain validator). Defends against clock-skew
  attacks where an attacker submits a stale-but-valid token.
 - **JWKS rotation handled transparently** by coreos/go-oidc's built-
  in cache, plus the operator-triggered `Service.RefreshKeys` for
  forced refresh (and the auto-refresh on JWKS-cache TTL expiry,
  default 3600s).
 - **JWKS-fetch failure during a key rotation: fail closed.** The
  service maps go-oidc's network errors to `ErrJWKSUnreachable`
  (HTTP 503 to the in-flight login). Existing sessions are
  untouched. No exponential backoff, no auto-retry; the operator
  triages.
 - **Encrypted `client_secret` at rest.** AES-256-GCM via
  `internal/crypto.EncryptIfKeySet` (the same v3-blob path issuer
  + target credentials use). The `client_secret_encrypted` column
  is `json:"-"` on the domain type so a misconfigured handler
  cannot wire-leak.
 ### Session minting + cookies
 - **Length-prefixed HMAC.** Cookie wire format is
  `v1.<session_id>.<signing_key_id>.<base64url-no-pad(HMAC-SHA256)>`.
  HMAC input is **length-prefixed** as `len(sid):sid:len(kid):kid`
  - NOT bare-concat. The bare-concat form admits a collision
  attack: `<a, bc>` and `<ab, c>` produce identical HMAC inputs,
  letting a forger swap one byte across the boundary. Pinned by
  `TestComputeHMAC_LengthPrefixDefeatsConcatCollision` +
  `TestService_Validate_ConcatenationCollisionDefeatedByLengthPrefix`.
  The `v1.` version prefix is reserved; unknown prefixes are
  rejected with no fallback.
 - **Cookie hardening.** `HttpOnly=true` (no JS access; defends XSS
  cookie theft), `Secure=true` (HTTPS-only; defends network MITM
  given HTTPS-Everywhere v2.2 milestone), `SameSite=Lax` default
  (configurable to Strict via `CERTCTL_SESSION_SAMESITE`), `Path=/`,
  no domain attribute (host-only).
 - **Idle + absolute timeouts.** 1h idle / 8h absolute defaults
  (configurable via `CERTCTL_SESSION_IDLE_TIMEOUT` /
  `_ABSOLUTE_TIMEOUT`). The session row tracks `last_seen_at`,
  `idle_expires_at`, `absolute_expires_at` independently; the
  scheduler's `sessionGCLoop` (default 1h) sweeps expired rows.
 - **CSRF defense.** Plaintext CSRF token in the JS-readable
  `certctl_csrf` cookie (intentionally `HttpOnly=false` so the GUI
  reads it for the `X-CSRF-Token` header). SHA-256 hash on the
  session row. `CSRFMiddleware` on state-changing methods uses
  `subtle.ConstantTimeCompare` against the hash. API-key actors
  (no session row) are CSRF-exempt - pinned by the bundle-1-compat
  CI guard.
 - **Optional defense-in-depth IP / UA bind** (default OFF;
  `CERTCTL_SESSION_BIND_IP` / `_BIND_USER_AGENT`). Mismatch
  returns `ErrSessionIPMismatch` / `ErrSessionUAMismatch`. Use
  with care - mobile clients on changing networks fail closed.
 - **Signing-key rotation primitive.** `RotateSigningKey` mints a
  new HMAC key; the old key stays valid for the configured
  retention window (default 24h via
  `CERTCTL_SESSION_SIGNING_KEY_RETENTION`) so existing cookies
  validate during the rollover. Past retention, the old key's row
  is dropped and any cookie still signed under it returns
  `ErrSigningKeyNotFound`.
 - **EnsureInitialSigningKey is fail-fatal at server boot.** Wired
  in `cmd/server/main.go` via `logger.Error + os.Exit(1)` so a
  server with a broken DB or RNG cannot boot into a state where
  session validation is impossible.
 - **Pre-login cookie discriminated from post-login.** Pre-login
  carries the `pl-` id prefix; post-login carries `ses-`. Defense-
  in-depth: `Validate` rejects pre-login cookies (pinned by
  `TestService_Validate_RejectsPreLoginCookieAtPostLoginGate`) so a
  stolen pre-login cookie cannot be replayed against the post-login
  gate.
 ### Back-channel logout
 - **OpenID Connect Back-Channel Logout 1.0** (NOT RFC 8414).
  Endpoint: `POST /auth/oidc/back-channel-logout`. The IdP signs a
  logout JWT and POSTs it to certctl when a user logs out at the
  IdP. The handler validates the JWT against the IdP's JWKS via
  the same alg allow-list as the login flow.
 - **Required claims pinned.** `iss` / `aud` / `iat` / `jti` /
  `events` (with the spec-mandated logout event type); exactly
  one of `sub` / `sid`; `nonce` MUST be absent (per spec §2.4
  - logout tokens MUST NOT carry a nonce). All four pinned by
  the back-channel-logout negative-test matrix.
 - **`jti`-based replay defense.** The handler
  tracks recently-seen `jti` values to defeat logout-token replay
  attacks where an attacker captures a logout JWT and replays it.
 - **Cache-Control: no-store** on the response per spec §2.5.
 ### OIDC first-admin bootstrap
 - **Coexists with the env-var-token bootstrap path.** Both can be
  configured; the admin-existence probe ensures only one wins.
 - **Group-scoped.** `CERTCTL_BOOTSTRAP_ADMIN_GROUPS` is a comma-
  separated allowlist of IdP group names; users in any one of those
  groups become admins on FIRST login per tenant. Non-empty
  intersection with the user's resolved groups is required.
 - **One-shot per tenant via admin-existence probe.** Once any actor
  holds `r-admin` in the tenant, the bootstrap hook silently falls
  through to normal mapping (no admin grant). Operators rely on
  this to avoid an "always-admin-on-login" backdoor.
 - **Explicit OIDC provider gate.** `CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID`
  pins which provider's tokens are eligible. A multi-IdP deploy
  cannot have any provider's group claims become admin.
 - **Audit row on every grant.** `bootstrap.oidc_first_admin` event
  with `event_category=auth` + INFO log; the auditor monitors.
 ### Break-glass admin
 - **Default-OFF.** `CERTCTL_BREAKGLASS_ENABLED=false` is the default;
  the entire surface (4 endpoints) is disabled. Operators flip it
  on during SSO incidents and back off after recovery.
 - **Surface invisibility via 404-not-403.** Every endpoint returns
  HTTP 404 when disabled - public login AND admin endpoints. A
  scanner cannot distinguish "endpoint disabled" from "endpoint
  doesn't exist." All five service-layer methods short-circuit with
  `ErrDisabled` before any DB lookup; the handler maps to
  `http.NotFound`.
 - **Argon2id with OWASP 2024 params.** `m=64MiB`, `t=3`, `p=4`,
  16-byte salt, 32-byte output, per-password random salt, PHC-format
  hash. The hash column is `json:"-"` so handlers cannot wire-leak.
 - **Lockout state machine.** `CERTCTL_BREAKGLASS_LOCKOUT_THRESHOLD`
  (default 5) failures within
  `CERTCTL_BREAKGLASS_LOCKOUT_RESET_INTERVAL` (default 1h) trip a
  `CERTCTL_BREAKGLASS_LOCKOUT_DURATION` lock (default 30s; bumped
  from 100ms after the test discovered Argon2id verify itself takes
  ~80-200ms each, making a millisecond-scale lockout invisible).
  Atomic single-statement `IncrementFailure` defeats concurrent
  racing attempts. Idempotent `ResetFailureCount`.
 - **Constant-time across all failure paths.** `verifyDummy()` runs a
  real Argon2id pass against an all-zeros throwaway salt on the
  no-credential and locked-account paths so all three failure modes
  (wrong password / locked / no actor) take statistically
  indistinguishable time. Pinned by
  `TestPhase7_5_ConstantTimeAcrossWrongPasswordAndNoCredentialPaths`
  (asserts within 5x ratio on durations).
 - **Audit row + WARN log at boot.** `auth.breakglass_login_*`
  events with `event_category=auth`. `cmd/server/main.go` emits a
  WARN-level log when `ENABLED=true` so the operator's log review
  notices an over-long enablement.
 - **Rate limit on the public login endpoint.** 5 attempts/minute
  via the existing `middleware.NewRateLimiter`.
 ## OIDC + sessions threat catalogue
 The following sub-sections enumerate the threat surface introduced by
 the OIDC + sessions surface and the mitigations the platform ships. They are deliberately
 exhaustive - if a threat is listed here it has a concrete mitigation
 or a documented "operator-driven, out of scope" framing. New threats
 discovered post-2026-05-10 should be added here with a dated commit
 note.
 ### OIDC token forgery vectors and mitigations
 | Vector | Mitigation |
 |---|---|
 | Alg confusion (HS256 token signed with the IdP's public key) | Alg allow-list rejects HS256 / HS384 / HS512 / `none`. Service-layer + go-oidc enforce in two layers. IdP-downgrade-attack defense at provider-creation time. |
 | Audience injection (token issued for a different client) | Service-layer `aud` re-check post-go-oidc verify; multi-aud tokens require matching `azp`. Sentinels `ErrAudienceMismatch` / `ErrAZPRequired` / `ErrAZPMismatch`. |
 | Issuer mismatch (token from a different IdP with the same alg + key shape) | Exact `iss` string match (`ErrIssuerMismatch`). The 21-case OIDC negative-test matrix pins the byte-for-byte requirement. |
 | Nonce replay (capturing a fresh token + replaying with the same nonce) | Single-use nonce stored in the pre-login row; `LookupAndConsume` is `DELETE...RETURNING` (atomic). Second use returns `ErrPreLoginNotFound`. |
 | State replay (CSRF on the IdP redirect) | Same single-use mechanism as nonce. State is `subtle.ConstantTimeCompare`d. |
 | `at_hash` substitution (clean ID token with a swapped access token) | `at_hash` REQUIRED when access_token present (certctl tightens OIDC core's MAY → MUST). `ErrATHashRequired` if missing; `ErrATHashMismatch` if non-matching. |
 | `iat` window manipulation (stale token replay) | `iat_window_seconds` configurable per-provider (default 300, cap 600). Future `iat` returns `ErrIATInFuture`; older-than-window returns `ErrIATTooOld`. |
 | JWKS rotation mid-login | coreos/go-oidc's built-in cache + auto-refresh on TTL expiry. Operator-triggered `Service.RefreshKeys` for forced refresh. |
 | JWKS-fetch failure during a key rotation | `ErrJWKSUnreachable` (HTTP 503 to in-flight login). Existing sessions untouched. Operator clicks "Refresh discovery cache" once IdP recovers. No exponential backoff. |
 ### Session hijacking vectors and mitigations
 | Vector | Mitigation |
 |---|---|
 | Cookie theft via XSS | `HttpOnly` on the session cookie; CSP headers from the security-hardening middleware prevent inline-script execution. |
 | Cookie theft via network MITM | `Secure` flag + TLS 1.3-only control plane (HTTPS-Everywhere v2.2 milestone). |
 | CSRF on state-changing methods | `SameSite=Lax` default + double-submit-cookie pattern with hashed CSRF token on the session row. CSRFMiddleware fires on POST/PUT/PATCH/DELETE for session-authenticated callers; API-key actors are exempt. |
 | Session-cookie forgery via concatenation collision | Length-prefixed HMAC input (`len(sid):sid:len(kid):kid`). Pinned by two tests + a doc-block at the top of `service.go`. |
 | Stolen-cookie replay (attacker uses a valid cookie until expiry) | Short idle timeout (1h default) + admin-revoke-all-for-actor + back-channel logout from IdP + GUI session revocation. |
 | Cross-tab session interference | Cookie value is opaque + length-prefixed; tabs sharing the cookie share the session row. Sign-out in one tab calls `POST /auth/logout`; the next request from any tab gets a missing-row 401. |
 | Session-row race on sign-out vs in-flight request | `Validate` is the single point that reads the row; missing row = 401. There is no "stale read" path because every request re-validates. |
 ### IdP compromise scenarios
 A rogue IdP issues malicious tokens (signs tokens for arbitrary users,
 mints arbitrary groups, etc.). Mitigations are largely out of certctl's
 control - the trust root is the IdP. Documented behaviors:
 - **Operator should monitor IdP audit logs.** Federated identity is
  only as trustworthy as the IdP it federates from. The `iss` claim
  on every certctl audit row points at the source IdP so the
  operator can correlate against IdP-side audit.
 - **Operator can rotate group-role mappings from the GUI without
  redeploying.** If the IdP is compromised but not yet
  decommissioned, the operator can dial down access via
  `Auth → OIDC Providers → <provider> → Group → role mappings`
  and remove every mapping. Subsequent logins fail closed
  (`ErrGroupsUnmapped`); existing sessions continue until expiry.
 - **The audit trail records every OIDC login including the source
  provider.** Blast radius is bounded by the `group_role_mapping`
  table for that provider. A compromised provider configured with
  only `engineers → r-operator` cannot escalate to `r-admin` via
  any token forgery.
 - **The provider-delete path returns 409 when sessions exist for it.**
  `ErrOIDCProviderInUse` forces the operator to revoke the
  provider's active sessions before deletion - prevents accidental
  loss of audit lineage on a hot incident.
 ### Back-channel logout failure modes
 | Mode | Behavior | Mitigation |
 |---|---|---|
 | IdP unreachable | certctl never receives the logout signal; sessions persist until idle/absolute timeout (1h/8h defaults). | Operator keeps absolute timeout short relative to risk tolerance. Manual revoke via GUI is always available. |
 | Logout token signature invalid | certctl returns 400; no session revoked; `auth.oidc_back_channel_logout_failed` audit row. | Operator-monitored audit row surfaces forged-logout-token attempts. |
 | Logout token replay (attacker captures + replays a valid logout JWT) | `jti`-based deduplication rejects the replay; first delivery succeeds, second returns 400. | Pinned by back-channel-logout negative tests. |
 | Logout token alg confusion | Same alg allow-list as the login flow; HS-family rejected. | The OIDC alg allow-list applies to BCL too (same `Provider.RemoteKeySet`). |
 | Missing `events` claim | Spec §2.4 requires the OIDC-defined logout event type; missing returns 400. | Pinned by negative test. |
 | `nonce` claim present | Spec §2.4 requires `nonce` MUST NOT appear in logout tokens; presence returns 400. | Pinned by negative test. |
 ### Group-claim manipulation
 Per-IdP group-claim shapes are documented in
 [`oidc-runbooks/index.md`](oidc-runbooks/index.md). Manipulation
 threats:
 | Vector | Mitigation |
 |---|---|
 | Operator misconfigures mapping (e.g. `engineers → r-admin` instead of `r-operator`) | `auth.group_mapping_added` / `_removed` audit row with `event_category=auth`. The auditor role monitors. |
 | Operator misconfigures `groups_claim_path` (e.g. `groups` when Auth0 emits `https://your-namespace/groups`) | User's group claim is ignored, user lands at "no roles assigned" screen. The GUI's OIDC provider detail page surfaces the configured path so the operator can verify. |
 | IdP renames a group (e.g. `engineers → eng-team`) | Mappings silently break; users get fewer roles than expected. `auth.oidc_login_unmapped_groups` audit row fires on every such login; auditor monitors for unexpected spikes. |
 | IdP user maintainer adds a user to an unintended group | Group is mapped to a higher-privilege role than intended; user gets the role on next login. Bounded blast radius: the group→role mapping is what they got, not arbitrary admin. Defense-in-depth: review mappings periodically; the auditor role can pull `auth.oidc_login_succeeded` rows by `details.subject` to spot drift. |
 ### Bootstrap phase risks
 This section extends the day-0 bootstrap section with the OIDC
 first-admin path.
 | Vector | Mitigation |
 |---|---|
 | `CERTCTL_BOOTSTRAP_TOKEN` (env-var fallback path) leaks | One-shot via `consumed` bool + admin-existence probe. Both arms close the path the moment any admin lands. |
 | `CERTCTL_BOOTSTRAP_ADMIN_GROUPS` misconfigured to a wide group (e.g. `everyone`) | Unintended user becomes admin on first OIDC login. Mitigation: scope-down via `certctl-cli auth keys scope-down --suggest`. Operators configure narrow groups. The audit row on `bootstrap.oidc_first_admin` surfaces every grant. |
 | Both bootstrap strategies enabled simultaneously | Whichever fires first wins; the second sees admin-already-exists and falls through to normal mapping. No double-admin landing. |
 | `CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID` left unset with multi-IdP deploy | Hook fires on ANY provider's tokens. Mitigation: explicit gate documented in `cmd/server/main.go` startup logging; operator audit reviewed pre-tag. |
 ### Break-glass risks
 | Vector | Mitigation |
 |---|---|
 | Phished password (operator gives password to attacker) | Bypasses OIDC + every group-claim gate. Mitigation: default-OFF posture; lockout after 5 failures; WebAuthn pairing (v3 / Decision 12) closes the gap properly. |
 | Brute-force online | Lockout state machine + 5/min rate limit on `/auth/breakglass/login`. |
 | Brute-force offline (DB compromise) | Argon2id with OWASP 2024 params (~80-200ms per verify). Cracking remains expensive even with GPU. |
 | Operator forgets to disable post-incident | Break-glass becomes a permanent backdoor. Mitigation: WARN log at boot when ENABLED=true; audit row on every break-glass login; runbook prescribes "disable within 24h of SSO recovery." |
 | Side-channel timing on no-credential vs wrong-password vs locked | All three paths take statistically indistinguishable time via `verifyDummy()`. Pinned by the timing-statistical test. |
 | Surface fingerprinting (scanner identifies break-glass exists) | All four endpoints return 404 (NOT 403) when disabled. Surface-invisibility - identical to a non-existent route. |
 | Reserved-actor `actor-demo-anon` mutation via break-glass admin | Service layer rejects with `ErrAuthReservedActor` (HTTP 409). Same gate as the RBAC path. |
 ### Token-leak hygiene (the explicit grep policy)
 ID tokens, access tokens, refresh tokens, authorization codes, PKCE
 verifiers, state, nonce, signing keys, break-glass passwords MUST
 NEVER appear in any log line at any level.
 The invariant is enforced by per-package `logging_test.go` files that
 redirect `slog.Default` to a buffer, run the service paths, and
 grep-assert the secret values are absent from every captured line.
 The pattern is `internal/auth/bootstrap/service_test.go`; the OIDC,
 session, and break-glass packages follow the same shape:
 - `internal/auth/oidc/logging_test.go` - token / code / verifier /
  state / nonce / cookie / client_secret / alg name absent from
  HandleAuthRequest, HandleCallback, alg-rejection, and provider-
  load paths.
 - `internal/auth/session/service_test.go` - signing-key bytes absent
  from cookie-mint + validate paths.
 - `internal/auth/breakglass/service_test.go` - plaintext password +
  Argon2id hash absent from every audit row + log line +
  HTTP-response shape (json:"-" probe via `json.Marshal`).
 The `details` JSONB column on `audit_events` runs through the
 audit redactor (`internal/service/audit_redact.go`) before
 persistence; the redactor's allow-list is conservative enough that
 adding a new token-shaped field to a new audit row defaults to
 redacted, not leaked.
 ## Closed federated-identity threats
 Each item below was an open threat under the earlier API-key-only
 deployment posture. Status reflects current closure as of v2.1.0.
 1. **OIDC federation** - ✅ closed. SAML and WebAuthn remain on the
   future-work list (Decision 12 — WebAuthn pairs with break-glass
   for hardware-token MFA). The break-glass path is a partial
   mitigation for the no-MFA case during SSO incidents.
 2. **Session management** - ✅ closed. HMAC-signed
   `__Host-certctl_session` cookie with length-prefixed wire format,
   1h idle / 8h absolute expiry, scheduler-driven GC, server-side
   revocation list (delete the row), GUI's "Sessions" page surfaces
   own + all-actor revocation, back-channel logout from the IdP.
 3. **Local password accounts (break-glass)** - ✅ closed. Argon2id
   + lockout + default-OFF + 404-not-403 surface invisibility. NOT
   for general human auth - only the "SSO is broken, need admin
   access right now" path. WebAuthn pairing on the future-work list.
 4. **OIDC first-admin bootstrap** - ✅ closed.
   `CERTCTL_BOOTSTRAP_ADMIN_GROUPS` +
   `CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID` env vars + group-scoped +
   admin-existence-probe.
 5. **Rate limiting on the bootstrap endpoint** - acceptable
   (one-shot by construction; per-IP rate limiting on the broader
   API is in place via `middleware.NewRateLimiter`). The break-glass
   `/auth/breakglass/login` endpoint carries the same rate-limit
   primitive at 5/min.
 ## Future-work threats
 The following are not yet closed:
 1. **WebAuthn / FIDO2 second factor** - operator console is OIDC
   (or break-glass password) only. No hardware-token requirement
   even on the admin path. Decision 12.
 2. **Time-bound role grants / JIT elevation** - the
   `actor_roles.expires_at` column exists, no UI/API yet.
 3. **SAML federation** - OIDC only. Operators on SAML-only IdPs use
   the broker pattern (run Keycloak as a SAML-to-OIDC bridge); see
   the Google Workspace runbook for the same broker shape.
 4. **Multi-tenant data isolation activation** - the schema and
   repository layer carry tenant_id columns + a query-coverage CI
   guard, but tenant ACLs are not enforced. v2.1.0 ships
   single-tenant only (`t-default` seeded). The managed-service
   hosting work (operator decision item) is where multi-tenant
   flips on.
 5. **HSM / FIPS-validated signing key for sessions** - the session
   signing key is software-only (HMAC-SHA256, in-memory key
   material, encrypted at rest via `internal/crypto`). Operators
   in FIPS 140-3 environments need to supply their own
   `Signer` implementation; the abstraction at
   `internal/crypto/signer/` accommodates this but no PKCS#11
   driver ships yet.
 6. **OIDC RP-initiated logout** (the "/end_session_endpoint" flow
   where certctl signs a logout token + redirects the browser to
   the IdP). v2.1.0 implements ONLY the back-channel flow (IdP →
   certctl). Operators wanting the full bidirectional logout pair
   wait on a follow-on release.
 7. **GUI E2E via Playwright** - tracked alongside #9 above.
 8. **Per-IdP runbook external-tester sign-off** - encouraged via
   the operator-sign-off footers in `oidc-runbooks/*.md` but NOT a
   merge gate (operator decision 2026-05-10; the earlier
   "≥ 2 external testers" requirement was retired).
 ## Compliance mapping
 The control set in this document supports the following
 framework requirements. This is a mapping; it is not a claim of
 formal certification.
 - **SOC 2 CC6.1** (logical access controls) - RBAC primitive
  with role-based gating on every mutating endpoint.
 - **SOC 2 CC6.3** (privileged access management) - `r-admin`
  role separation + role-grant audit trail with two-person
  integrity on approval-tier profile edits.
 - **HIPAA §164.312(b)** (audit controls) - `event_category`
  column lets the auditor role review authentication / authorization
  changes specifically. WORM trigger keeps the audit table
  append-only at the database layer.
 - **NIST SSDF PO.5.2** (separation of duties) - two-person
  integrity for compliance-tier issuance via the
  `RequiresApproval` flow + the approval-bypass closure on
  profile edits.
 - **FedRAMP AU-9** (audit information protection) - WORM
  enforcement + auditor-only read access (the auditor role
  cannot mutate, the WORM trigger blocks UPDATE/DELETE).
 - **PCI-DSS §10** (audit logging) - every mutating operation
  emits an audit row with actor + action + resource + timestamp +
  category. The audit table is append-only.
 ## Operator-facing checks
 Run these periodically to verify the controls are working.
 1. `certctl-cli auth keys list` - confirm no unexpected actor
   holds `r-admin`. Audit any new admin grants against the audit
   log.
 2. `SELECT actor, action, COUNT(*) FROM audit_events WHERE
   action LIKE 'approval_%' AND timestamp > NOW() - INTERVAL '7
   days' GROUP BY actor, action;` - confirm approvals are
   happening and not concentrated in a single approver.
 3. `SELECT COUNT(*) FROM audit_events WHERE actor =
   'system-bypass';` - MUST return 0 in production. A non-zero
   count means `CERTCTL_APPROVAL_BYPASS=true` was set; production
   deploys MUST leave it unset.
 4. `SELECT actor, COUNT(*) FROM audit_events WHERE action =
   'bootstrap.consume';` - MUST return at most one row per
   tenant. Multiple rows means the bootstrap endpoint was called
   more than once, which the strategy's one-shot guard should
   have prevented; investigate.
 5. `certctl-cli auth me` while authenticated as the auditor
   key - `effective_permissions` must contain `audit.read` +
   `audit.export` ONLY. Any other permission means a role grant
   widened the auditor's surface; revoke immediately.
 The following checks were added with v2.1.0's federated-identity surface:
 6. `SELECT COUNT(*) FROM oidc_providers;` - confirm only the
   expected providers are configured. An unexpected row is a
   compromise indicator. Cross-check with the
   `auth.oidc_provider_created` audit row to find when + by whom.
 7. `SELECT actor_id, COUNT(*) FROM sessions WHERE NOT revoked AND
   absolute_expires_at > NOW() GROUP BY actor_id ORDER BY 2 DESC;`
   - confirm no actor has an unexpectedly large session count.
   Multi-session-per-actor is normal (laptop + phone), but a single
   actor with 50+ active sessions is a compromised-key signal.
 8. `SELECT COUNT(*) FROM audit_events WHERE action LIKE
   'auth.oidc_login_unmapped_groups' AND timestamp > NOW() -
   INTERVAL '7 days';` - non-zero rows mean users are completing
   IdP authentication but failing the group-mapping step. Either
   the IdP renamed a group, or an unauthorized user attempted
   access. Investigate.
 9. `SELECT COUNT(*) FROM audit_events WHERE action LIKE
   'auth.breakglass_%' AND timestamp > NOW() - INTERVAL '7 days';`
   - non-zero rows in steady state mean break-glass is being used
   outside an SSO incident OR was left enabled. Confirm
   `CERTCTL_BREAKGLASS_ENABLED` is `false` in non-incident windows.
 10. `SELECT COUNT(*) FROM audit_events WHERE action =
    'bootstrap.oidc_first_admin';` - MUST return at most one row
    per tenant. Multiple rows means the OIDC bootstrap hook fired
    more than once per tenant, which the admin-existence probe
    should have prevented; investigate.
 11. `SELECT COUNT(*) FROM session_signing_keys WHERE retired_at IS
    NOT NULL AND retired_at < NOW() - INTERVAL '7 days';` - retired
    keys past the retention window should have been GC'd. Non-zero
    rows mean the scheduler's `sessionGCLoop` is wedged.
 ## Cross-references
 API-key + RBAC anchors:
 - [`rbac.md`](rbac.md) - the operator how-to
 - [`security.md`](security.md) - the wider security posture
 - [`approval-workflow.md`](approval-workflow.md) - the two-person
  integrity gate
 - [`docs/migration/api-keys-to-rbac.md`](../migration/api-keys-to-rbac.md) - 
  upgrade flow
 - `internal/auth/` - middleware + keystore + RequirePermission +
  bootstrap
 - `internal/service/auth/` - Authorizer + privilege-escalation
  guard + reserved-actor guard
 - `migrations/000029_rbac.up.sql` - schema + seed
 - `migrations/000030_rbac_admin_perms.up.sql` - five admin-only
  fine-grained perms
 - `migrations/000032_audit_category.up.sql` - auditor surface
 - `migrations/000033_approval_kinds.up.sql` - approval-bypass
  closure
 OIDC + sessions + back-channel logout + break-glass anchors:
 - [`oidc-runbooks/index.md`](oidc-runbooks/index.md) - per-IdP setup
  guides (Keycloak / Authentik / Okta / Auth0 / Entra ID / Google
  Workspace) with cross-IdP recurring concepts at the top
 - `internal/auth/oidc/` - OIDC service (HandleAuthRequest /
  HandleCallback / RefreshKeys), hand-rolled groupclaim resolver,
  alg allow-list, IdP downgrade-attack defense
 - `internal/auth/session/` - session service (length-prefixed HMAC,
  cookie minting, idle/absolute expiry, signing-key rotation, GC),
  CSRF middleware, chained-auth combinator
 - `internal/auth/breakglass/` - default-OFF break-glass admin
  (Argon2id + lockout + constant-time + surface-invisibility)
 - `internal/auth/oidc/testfixtures/` - Keycloak
  testcontainers harness (`//go:build integration`)
 - `migrations/000034_oidc_providers.up.sql` - OIDC providers +
  group-role mappings tables
 - `migrations/000035_sessions.up.sql` - sessions + session-signing-
  keys tables
 - `migrations/000036_users.up.sql` - users (federated-human
  identity) table
 - `migrations/000037_oidc_pre_login.up.sql` - pre-login table + 7
  new auth permissions
 - `migrations/000038_breakglass_credentials.up.sql` - break-glass
  credentials table + 2 new permissions
 - `scripts/ci-guards/N-bundle-2-security-empty-preserved.sh` -
  OpenAPI `security: []` count guard
 - `scripts/ci-guards/bundle-1-compat-regression.sh` -
  API-key-only compat assertions (5 invariants)
 - `scripts/ci-guards/bundle-1-to-2-upgrade-regression.sh` -
  OIDC-upgrade-path assertions (6 invariants)
@@ -2,14 +2,15 @@
 > Last reviewed: 2026-05-05
-**Audit reference:** Bundle B / M-018. CWE-319 (Cleartext transmission of sensitive information).
+**Audit reference:** CWE-319 (Cleartext transmission of sensitive information).
 certctl talks to Postgres over a single connection-string URL controlled by the
 `CERTCTL_DATABASE_URL` env var. The `sslmode` query parameter on that URL
-selects the transport-encryption posture. Pre-Bundle-B all the bundled
+selects the transport-encryption posture. The bundled deployment artifacts
-deployment artifacts (Helm chart, docker-compose) hard-coded `sslmode=disable`.
+(Helm chart, docker-compose) historically hard-coded `sslmode=disable`;
-Bundle B exposes that as an operator-facing knob with a documented default and
+current builds expose that as an operator-facing knob with a documented
-explicit opt-in / opt-out paths for the four real-world deployment shapes.
+default and explicit opt-in / opt-out paths for the four real-world
 deployment shapes.
 ## Quick reference
@@ -26,9 +27,9 @@ explicit opt-in / opt-out paths for the four real-world deployment shapes.
 is the floor for systems exposed to spoofing risk (it adds hostname
 validation against the server cert's CN/SAN).
-## Helm chart (Bundle B)
+## Helm chart
-Bundle B adds two values under `postgresql.tls`:
+The chart exposes two values under `postgresql.tls`:
 ```yaml
 postgresql:
@@ -2,7 +2,7 @@
 > Last reviewed: 2026-05-05
-**Audit reference:** Bundle F / M-023. CWE-326 (Inadequate encryption strength).
+**Audit reference:** CWE-326 (Inadequate encryption strength).
 ## What this is
@@ -149,7 +149,7 @@ hop without server-side header trust.
 **Why this is the correct default:** trusting a proxy-supplied header
 for client identity opens a header-spoofing attack surface that requires
 careful design (CIDR allowlist of trusted proxies, fail-closed defaults,
-explicit operator opt-in). The Bundle F closure of M-023 ships the
+explicit operator opt-in). The legacy-clients work ships the
 TLS-bridge guidance as documentation only; a future commit can extend
 certctl with proxy-header trust if and when an operator demonstrates a
 deployment shape that requires it. Until that lands, the runbook above
@@ -204,6 +204,6 @@ own embedded-device vendors for deprecation notices.
 - [`docs/operator/tls.md`](tls.md) — the certctl-internal TLS configuration (HTTPS-only control plane, MinVersion pin)
 - [`docs/operator/security.md`](security.md) — overall security posture
- [`docs/operator/database-tls.md`](database-tls.md) — Postgres TLS opt-in (Bundle B / M-018)
+- [`docs/operator/database-tls.md`](database-tls.md) — Postgres TLS opt-in
 - [`docs/reference/protocols/scep-server.md`](../reference/protocols/scep-server.md) — SCEP RFC 8894 native server reference
 - [`docs/reference/protocols/est.md`](../reference/protocols/est.md) — EST RFC 7030 server reference
@@ -0,0 +1,198 @@
 # Auth0 OIDC runbook
 > Last reviewed: 2026-05-10
 This runbook wires certctl's OIDC SSO surface against [Auth0](https://auth0.com/), a commercial cloud IdP (now part of Okta but operationally distinct). Auth0 has a free developer tier suitable for evaluation; production runs on a paid B2B / B2C plan.
 For the canonical reference + mental model, read [keycloak.md](keycloak.md) first; this runbook only documents the Auth0-specific deltas.
 ## The big Auth0 quirk: namespaced custom claims
 Auth0 imposes a hard rule: any custom claim emitted from an Action MUST use a namespaced URL-shape key (e.g. `https://your-namespace/groups`). Auth0 silently strips claims that look like standard OIDC claims (`groups`, `roles`, `permissions`, etc.) when emitted from an Action — this is a security feature to prevent claim-spoofing.
 certctl handles this via the `groups_claim_path` config. If your Action emits `https://your-namespace/groups`, set `OIDCProvider.groups_claim_path` to that exact URL. The hand-rolled groupclaim resolver at `internal/auth/oidc/groupclaim/resolver.go` recognizes URL-shape paths (anything starting with `http://` or `https://`) and treats the entire string as a single literal key — it does NOT split on `/`.
 Set `groups_claim_format` to `string-array`; the underlying claim shape is still a JSON array of group-name strings, just stored under a URL-shape key.
 ## Prerequisites
 **On the Auth0 side:**
 - An Auth0 tenant (free dev tier at <https://auth0.com/signup> works). Tenant URL looks like `https://<tenant-name>.<region>.auth0.com`.
 - Owner or Auth0 Administrator role.
 - Network reachability from certctl-server to `https://<tenant>.auth0.com/.well-known/openid-configuration`.
 **On the certctl side:** same as Keycloak.
 ## IdP-side configuration
 ### 1. Pick a namespace string
 Decide on a unique URL-shape namespace for certctl's custom claims. It does NOT have to resolve to a real domain; Auth0 just requires it to be URL-shape and unique within your tenant. A reasonable choice:
 ```
 https://certctl.example.com/auth/
 ```
 Use that prefix for every custom claim; for groups specifically:
 ```
 https://certctl.example.com/auth/groups
 ```
 We'll refer to this as `<NS>/groups` in the rest of this runbook.
 ### 2. Create the Application
 In the Auth0 dashboard:
 **Applications → Applications → Create Application**:
 - Name: `certctl`.
 - Application Type: **Regular Web Applications**.
 - Click **Create**.
 On the saved app's **Settings** tab:
 - Application Login URI: blank (Auth0 doesn't need it for the auth-code flow).
 - Allowed Callback URLs: `https://<your-certctl-host>:8443/auth/oidc/callback` (one entry, exact match).
 - Allowed Logout URLs: optional.
 - Allowed Web Origins: `https://<your-certctl-host>:8443`.
 - Token Endpoint Authentication Method: **Post** (default; matches the certctl service's expectation of `client_secret_post`).
 - Save Changes.
 Copy the **Domain** (this is the issuer base — `https://<tenant>.auth0.com`), **Client ID**, and **Client Secret** from the same Settings page.
 ### 3. Configure the connection (where users live)
 If you're using Auth0's Database connection (default username + password), the existing **Username-Password-Authentication** connection works. For SSO to Google / Microsoft / SAML, configure those connections under **Authentication → Enterprise** or **Authentication → Social** and ensure the connection is enabled on the certctl Application (App → Connections tab).
 ### 4. Define the groups
 Auth0 doesn't have a first-class "Groups" concept like Okta or Keycloak — you have THREE options to model groups, each with tradeoffs:
 **Option A: User app_metadata (simplest, recommended for dev tier).**
 Each user has a `app_metadata` JSON blob you can set via the Management API, the dashboard, or a post-registration script. Stick the groups in there:
 ```json
 {
  "groups": ["certctl-engineers"]
 }
 ```
 In the Auth0 dashboard, **User Management → Users → <user> → app_metadata**: paste the JSON above and Save.
 **Option B: Auth0 Authorization Extension (paid plans, recommended for production).**
 Install the Authorization Extension from **Marketplace → Extensions → Authorization**. It adds a first-class "Groups" concept with UI for assignment + nested groups. Read the extension's docs; it emits groups under `<NS>/groups` automatically once enabled.
 **Option C: Roles + Permissions (Auth0's RBAC primitive).**
 Use **User Management → Roles** to define roles like `certctl-engineer` + `certctl-viewer`. Assign roles to users. Have your Action emit role names as a `groups` claim. This is what Auth0 documents as the canonical pattern; it's slightly heavier than Option A but more discoverable in the dashboard.
 This runbook uses **Option A** for clarity; the Action below reads from `app_metadata.groups`.
 ### 5. Write the Action that emits the groups claim
 **Actions → Library → Create Action → Build from scratch**:
 - Name: `certctl-emit-groups`.
 - Trigger: **Login / Post Login**.
 - Runtime: Node 18.
 - Click **Create**.
 Paste this code:
 ```javascript
 exports.onExecutePostLogin = async (event, api) => {
  const namespace = "https://certctl.example.com/auth/";
  const groups = (event.user.app_metadata && event.user.app_metadata.groups) || [];
  if (groups.length > 0) {
    api.idToken.setCustomClaim(namespace + "groups", groups);
    api.accessToken.setCustomClaim(namespace + "groups", groups);
  }
 };
 ```
 Replace `https://certctl.example.com/auth/` with your namespace from step 1. Click **Deploy**.
 Then bind the Action to the Login flow:
 **Actions → Flows → Login**: drag `certctl-emit-groups` from the Custom tab into the flow, between Start and Complete. Click **Apply**.
 ### 6. Verify the claim in a test login
 Auth0's **Authentication → Authentication Profile → Try It** button or the **Logs → Real-time Logs** page can show you the issued ID token in real time. Decode at jwt.io to confirm `<NS>/groups` is present + populated.
 ## certctl-side configuration
 ```bash
 curl -X POST https://<your-certctl-host>:8443/api/v1/auth/oidc/providers \
  -H "Authorization: Bearer ${CERTCTL_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Auth0",
    "issuer_url": "https://<tenant>.auth0.com/",
    "client_id": "<paste-from-step-2>",
    "client_secret": "<paste-from-step-2>",
    "redirect_uri": "https://certctl.example.com:8443/auth/oidc/callback",
    "groups_claim_path": "https://certctl.example.com/auth/groups",
    "groups_claim_format": "string-array",
    "fetch_userinfo": false,
    "scopes": ["openid", "profile", "email"],
    "iat_window_seconds": 300,
    "jwks_cache_ttl_seconds": 3600
  }'
 ```
 Critical:
 - `issuer_url` includes the **trailing slash** for Auth0 (`https://<tenant>.auth0.com/`). Auth0's `iss` claim emits with the trailing slash; mismatching trips `ErrIssuerMismatch`.
 - `groups_claim_path` is the **full namespaced URL**, not the bare `groups` key. The certctl resolver treats this as a single literal lookup key against the ID token claims map (no path-walking through `/`).
 Add the group→role mappings: `certctl-engineers` → `r-operator`, etc. The mapping table maps the group VALUES (the strings inside the claim's array), not the claim path.
 ## Verification
 End-to-end login + audit + Sessions checks are identical to Keycloak. The audit row's `details.subject` will be Auth0's user_id (e.g. `auth0|abc123…` for database users, `google-oauth2|...` for federated), stable across email changes.
 ## Troubleshooting
 **`ErrGroupsUnmapped` even though I see groups in the ID token at jwt.io.**
 Check `groups_claim_path` exactly matches the namespaced key in the token. A common mistake: setting `groups_claim_path` to `groups` (the bare key) when the actual claim key is `https://certctl.example.com/auth/groups` (the namespaced version). The resolver's URL-shape detection is what makes the namespaced path work; if the claim path doesn't start with `http://` or `https://`, the resolver tries to walk it as a dot-separated path and fails.
 **The `<NS>/groups` claim is missing from the ID token.**
 - Action not bound to the Login flow: revisit step 5's "Apply" step.
 - Action returns early because `event.user.app_metadata.groups` is undefined: confirm the user has the metadata set.
 - Trying to set the claim under a non-namespaced key (e.g. `api.idToken.setCustomClaim("groups", groups)`): Auth0 silently drops it. Always use the namespace prefix.
 **Auth0 returns "Service not found" or "Invalid audience".**
 This usually means the certctl client wasn't authorized to access the userinfo endpoint or the application's `audience` setting conflicts with the OIDC discovery doc. The certctl service uses the Application's `client_id` as the `audience` claim — confirm Auth0 is emitting tokens with `aud = <client_id>` (decode at jwt.io).
 **Login redirects loop between Auth0 and certctl.**
 Most often a callback-URL mismatch — Auth0's "Allowed Callback URLs" must contain the EXACT certctl callback URL including port + scheme. Wildcards aren't allowed in production.
 **`email_verified` is `false` and certctl rejects the user.**
 certctl doesn't currently gate on `email_verified` — the User row stores email regardless. If your operator policy requires verified-only, add an Action that throws on `event.user.email_verified === false`:
 ```javascript
 if (!event.user.email_verified) {
  api.access.deny("email-not-verified");
 }
 ```
 ## Validation checklist
 Same as [keycloak.md](keycloak.md#validation-checklist) with Auth0-specific values, plus:
 - [ ] The `<NS>/groups` claim is present in the ID token (verify via jwt.io decode).
 - [ ] Removing a user's group from `app_metadata.groups` causes the next login to land on "no roles assigned".
 - [ ] The Auth0 dashboard's **Logs → Real-time Logs** shows the certctl callback completing with HTTP 302 to the dashboard.
 Sign-off: _______________ (operator) on _______________ (date).
@@ -0,0 +1,144 @@
 # Authentik OIDC runbook
 > Last reviewed: 2026-05-10
 This runbook wires certctl's OIDC SSO surface against [Authentik](https://goauthentik.io/), a free / open-source IdP that runs on-prem or self-hosted. Authentik shares the canonical "string-array groups claim under the `groups` key" pattern with Keycloak — the differences are in the admin console UX and the explicit "property mapping" abstraction.
 For the canonical reference + mental model, read [keycloak.md](keycloak.md) first; this runbook only documents the Authentik-specific deltas.
 ## Prerequisites
 **On the Authentik side:**
 - Authentik ≥ 2024.10 (stable channel).
 - Admin access to the Authentik admin console at `https://<authentik-host>/if/admin/`.
 - Network reachability from certctl-server to `https://<authentik-host>/application/o/<application-slug>/.well-known/openid-configuration`.
 **On the certctl side:** same as Keycloak — `CERTCTL_CONFIG_ENCRYPTION_KEY` set, an admin actor holding `auth.oidc.create` + `auth.oidc.edit`, server build ≥ v2.1.0.
 ## IdP-side configuration
 ### 1. Create the OAuth2 / OpenID Provider
 In the Authentik admin console:
 **Applications → Providers → Create**:
 - Type: **OAuth2/OpenID Provider**.
 - Name: `certctl`.
 - Authorization flow: `default-provider-authorization-explicit-consent` (or `default-provider-authorization-implicit-consent` if you don't want a consent screen on every login).
 - Click **Next**.
 Protocol settings:
 - Client type: **Confidential**.
 - Client ID: leave the auto-generated value OR set to `certctl` for clarity.
 - Client Secret: copy the auto-generated value to a secure scratchpad — you'll paste it into certctl.
 - Redirect URIs/Origins: `https://<your-certctl-host>:8443/auth/oidc/callback` (one entry, exact match).
 - Signing Key: pick an **RSA-2048 or larger** key. Authentik defaults to ECDSA-P256 in newer versions; either is fine — both are in certctl's allow-list.
 - Subject mode: **Based on the User's hashed ID** (default; emits a stable opaque `sub`).
 - Include claims in id_token: **on**.
 - Click **Finish**.
 ### 2. Create the Application
 Applications are how Authentik attaches a Provider to users + groups + policies.
 **Applications → Applications → Create**:
 - Name: `certctl`.
 - Slug: `certctl` (becomes part of the issuer URL: `https://<authentik-host>/application/o/certctl/`).
 - Provider: pick the `certctl` provider you just created.
 - Policy engine mode: **any** (default).
 - Click **Create**.
 ### 3. Configure the groups property mapping
 Authentik emits group claims via "property mappings" — explicit objects rather than Keycloak's mapper-on-the-client model.
 By default, the **Authentik default-OAuth Mapping: Proxy outpost** scope already includes the user's groups under a `groups` claim (string-array, matches what certctl expects). To verify or override:
 **Customization → Property Mappings → Filter "Scope Mapping"**:
 - Find or create one named `groups` with scope `groups` and expression:
  ```python
  return [group.name for group in user.ak_groups.all()]
  ```
 - Description: `Emits the user's group names as a string-array claim`.
 Then on the **Provider → certctl → Edit → Advanced protocol settings**, ensure **Scopes** includes `groups` (and `profile` and `email` if you want richer User records on the certctl side).
 ### 4. Create the groups + assign users
 **Directory → Groups → Create**:
 - Name: `certctl-engineers`. Repeat for `certctl-viewers` (and optionally `certctl-admins`).
 **Directory → Users → <user> → Edit → Groups**: pick the appropriate `certctl-*` group(s) for each user.
 ### 5. (Optional) Bind the application to specific groups
 If you want certctl to reject login attempts from users outside the `certctl-*` groups at the IdP layer (defense-in-depth on top of certctl's fail-closed `ErrGroupsUnmapped`):
 **Applications → certctl → Policy / Group / User Bindings → Create binding**:
 - Type: **Group**.
 - Group: pick the union of `certctl-*` groups you want to allow.
 - Enabled: on.
 ## certctl-side configuration
 Identical to Keycloak — only the issuer URL differs:
 ```bash
 curl -X POST https://<your-certctl-host>:8443/api/v1/auth/oidc/providers \
  -H "Authorization: Bearer ${CERTCTL_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Authentik",
    "issuer_url": "https://authentik.example.com/application/o/certctl/",
    "client_id": "<paste-the-client-id>",
    "client_secret": "<paste-the-client-secret>",
    "redirect_uri": "https://certctl.example.com:8443/auth/oidc/callback",
    "groups_claim_path": "groups",
    "groups_claim_format": "string-array",
    "fetch_userinfo": false,
    "scopes": ["openid", "profile", "email", "groups"],
    "iat_window_seconds": 300,
    "jwks_cache_ttl_seconds": 3600
  }'
 ```
 Authentik emits `groups` in the ID token by default once the property mapping is configured. The `scopes` array MUST include `groups` to trigger the claim emission — Authentik is stricter than Keycloak about scope-gating claims.
 Add the group→role mappings the same way as Keycloak: `certctl-engineers` → `r-operator`, `certctl-viewers` → `r-viewer`.
 ## Verification
 End-to-end login + audit + Sessions checks are identical to Keycloak.
 **Authentik-specific check:** the audit row's `details.subject` will be Authentik's hashed user ID (a 64-char hex), not the username. This is intentional and correct — the `sub` claim must be opaque + stable across user-attribute changes.
 **JWKS-rotation drill:** Authentik rotates signing keys via **System → Tokens & App Passwords → Certificates** (rename of "Crypto" in newer versions). Add a new RSA-2048 cert, switch the Provider's Signing Key to the new one, then click "Refresh discovery cache" in certctl's GUI to evict the cache.
 ## Troubleshooting
 **Provider creation fails with "could not load discovery document".**
 The issuer URL needs the trailing slash for some Authentik versions: `https://authentik.example.com/application/o/certctl/` (slash after the slug). Without the slash, Authentik returns a 301 redirect that Go's HTTP client follows but discovery parsing chokes on the redirect target.
 **Login completes but user lands on "no roles assigned".**
 Decode the ID token at jwt.io against Authentik's JWKS. Check whether the `groups` claim is present + non-empty. If empty, the property mapping isn't wired — go back to step 3.
 **`groups` claim missing entirely.**
 Authentik gates the `groups` claim behind the `groups` scope. Verify:
 - The certctl OIDCProvider config has `"scopes": ["openid", "profile", "email", "groups"]`.
 - The Authentik provider's "Scopes" list includes `groups`.
 **Authentik emits the user's full DN as the `sub` claim.**
 Some Authentik configurations use **Subject mode: Based on the User's email** which surfaces the email as `sub`. This works but tightly couples certctl's User table to email mutability; recommend switching to "hashed ID" mode for new deployments. Existing User rows in certctl's `users` table will have email-shaped `oidc_subject` columns; that's fine and stable as long as the user's email never changes.
 ## Validation checklist
 Same as [keycloak.md](keycloak.md#validation-checklist), with Authentik-specific values for issuer URL + group names + signing-key rotation steps.
 Sign-off: _______________ (operator) on _______________ (date).
@@ -0,0 +1,207 @@
 # Microsoft Entra ID (Azure AD) OIDC runbook
 > Last reviewed: 2026-05-10
 This runbook wires certctl's OIDC SSO surface against [Microsoft Entra ID](https://learn.microsoft.com/entra/), formerly Azure AD. Entra ID is Microsoft's commercial cloud IdP; it's the default IdP for any organization on Microsoft 365 / Azure.
 For the canonical reference + mental model, read [keycloak.md](keycloak.md) first; this runbook only documents the Entra-ID-specific deltas.
 ## The big Entra ID quirk: groups claim emits OBJECT IDs, not names
 Entra ID's `groups` claim emits a JSON array of **group object IDs (GUIDs)**, not human-readable names. A user in `Engineering Group` and `Cert Operators` will see something like:
 ```json
 {
  "groups": [
    "8b9b1faa-4e83-471e-8b00-7d99c3e2a5f1",
    "f00cf1e2-2db1-4cdf-a1ba-1234567890ab"
  ]
 }
 ```
 **You must configure your certctl group→role mappings against these GUIDs**, not against `Engineering Group` or `Cert Operators`. There are workarounds (cloud-only group display names + the optional claims path; see the alternative below) but the GUID-based approach is the only one that works reliably across all Entra ID configurations.
 This is by design at Microsoft — group names are mutable and not globally unique within a tenant; object IDs are immutable and globally unique. Operators on Microsoft 365 / Azure deployments are accustomed to managing access by GUID.
 ## Prerequisites
 **On the Entra ID side:**
 - A Microsoft 365 tenant or standalone Azure AD tenant. Free Azure AD tier is sufficient; paid tiers (P1/P2) unlock conditional access + SCIM provisioning + risk-based auth, none of which are required for the basic OIDC integration.
 - Application Administrator or Global Administrator role.
 - Network reachability from certctl-server to `https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration`.
 **On the certctl side:** same as Keycloak.
 ## IdP-side configuration
 ### 1. Register the application
 In the [Entra ID admin center](https://entra.microsoft.com/):
 **Applications → App registrations → New registration**:
 - Name: `certctl`.
 - Supported account types: **Accounts in this organizational directory only** (single-tenant; matches the typical operator use case).
 - Redirect URI: **Web** + `https://<your-certctl-host>:8443/auth/oidc/callback`.
 - Click **Register**.
 On the saved app's **Overview** page, copy:
 - **Application (client) ID** → certctl's `client_id`.
 - **Directory (tenant) ID** → goes into the issuer URL.
 ### 2. Create a client secret
 **App → Certificates & secrets → Client secrets → New client secret**:
 - Description: `certctl-server`.
 - Expires: 6 months / 12 months / 24 months — your choice. Set a calendar reminder; Entra ID does NOT auto-rotate secrets.
 - Click **Add**.
 Copy the **Value** column immediately — it's shown ONCE on creation. The certctl provider's `client_secret` field gets this value.
 (Production hardening: prefer **Certificates** over secrets for client authentication; certctl currently supports `client_secret_post` only, but a follow-on bundle can add `private_key_jwt` for cert-based client auth. Track this if you have a hard requirement against shared secrets.)
 ### 3. Add the `groups` claim to the token
 **App → Token configuration → Add groups claim**:
 - Pick **Security groups** (covers most operators) OR **Groups assigned to the application** (more granular but requires Premium).
 - Token type: **ID token** + **Access token** (both, so userinfo fallback works).
 - Customize emit format for ID/access: leave as **Group ID** (default; this is the GUID-based path the runbook is structured around).
 - Click **Save**.
 If you instead want display names in the claim (only works for cloud-only groups; on-prem-synced groups continue to emit GUIDs regardless):
 - Customize emit format → **Cloud-only group display names**.
 - BUT — note this works only for groups created in Entra ID itself, not groups synced from on-prem AD. Hybrid environments will have inconsistent claims.
 ### 4. Add the optional `email` and `profile` claims
 By default Entra ID's ID token does NOT include `email` — Microsoft considers email part of the "OIDC profile" but only emits it under specific conditions. To force emission:
 **App → Token configuration → Add optional claim → ID token → email**.
 You may also want `family_name`, `given_name`, `preferred_username` for richer User records on the certctl side.
 ### 5. Grant the API permissions
 **App → API permissions**:
 - Microsoft Graph → Delegated permissions → ensure these are granted (most are default):
  - `openid`
  - `profile`
  - `email`
  - `offline_access` (optional; for refresh tokens — certctl doesn't use them currently).
 - Click **Grant admin consent** if your tenant requires it.
 ### 6. (Optional) Restrict who can sign in
 By default any user in your tenant can attempt to sign in to the app. To restrict to specific users / groups:
 **Enterprise applications → certctl → Properties → Assignment required: Yes**.
 Then **Users and groups → Add user/group** and pick the `cert-engineers` / `cert-viewers` Entra ID groups.
 ## certctl-side configuration
 ```bash
 curl -X POST https://<your-certctl-host>:8443/api/v1/auth/oidc/providers \
  -H "Authorization: Bearer ${CERTCTL_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Entra ID",
    "issuer_url": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "client_id": "<application-id>",
    "client_secret": "<client-secret-value>",
    "redirect_uri": "https://certctl.example.com:8443/auth/oidc/callback",
    "groups_claim_path": "groups",
    "groups_claim_format": "string-array",
    "fetch_userinfo": false,
    "scopes": ["openid", "profile", "email"],
    "iat_window_seconds": 300,
    "jwks_cache_ttl_seconds": 3600
  }'
 ```
 Notes:
 - `issuer_url` MUST include `/v2.0` at the end for the v2.0 endpoint. The v1.0 endpoint emits tokens with a different `iss` shape and is NOT supported by certctl. The discovery doc at `https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration` confirms the right path.
 - `<tenant-id>` is the Directory (tenant) ID GUID from step 1.
 ### Add the group→role mappings (GUID-keyed)
 Get the GUIDs of your engineering / viewer groups:
 **Entra ID → Groups → All groups → <group> → Overview → Object ID**.
 Then in certctl:
 ```bash
 # Engineering group → r-operator
 curl -X POST https://<your-certctl-host>:8443/api/v1/auth/oidc/group-mappings \
  -H "Authorization: Bearer ${CERTCTL_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "provider_id": "<provider-id>",
    "group_name": "8b9b1faa-4e83-471e-8b00-7d99c3e2a5f1",
    "role_id": "r-operator"
  }'
 ```
 Repeat for every group you want to map. **Document the GUID-to-name mapping in your operator runbook** — without it, the next operator looking at certctl's mappings page sees a wall of GUIDs with no way to know which is which. Consider naming the mapping descriptively if your group-mapping schema supports it (v2.1.0 doesn't yet — group-mapping descriptions are a parking-lot item for a follow-on release).
 ## Verification
 End-to-end login + audit + Sessions checks are identical to Keycloak.
 **Entra-ID-specific:** the audit row's `details.subject` will be Microsoft's `oid` claim (a GUID, the user's object ID), stable across UPN / email changes. The certctl `users` table's `oidc_subject` column holds this GUID.
 **JWKS-rotation:** Microsoft auto-rotates signing keys on a documented schedule (every ~6 weeks). The discovery doc + JWKS endpoint always serve the union of active + recently-active keys, so in-flight logins continue to validate. No manual operator action needed in steady state. If you suspect a stuck cache after a Microsoft-side rotation, click "Refresh discovery cache" in the certctl GUI to evict.
 ## Troubleshooting
 **Login completes; ID token contains a `hasgroups: true` claim instead of `groups`.**
 Entra ID emits this when a user is in too many groups (>200 by default for ID tokens, >150 for access tokens) — Microsoft truncates the claim and tells the consumer to use Microsoft Graph to look up the full list. certctl does NOT currently support the Graph fallback path (it's a follow-on bundle item).
 Workarounds:
 - Reduce the user's group membership to <200 (rarely practical in large tenants).
 - Restrict the `groups` claim to "Groups assigned to the application" (Token configuration step 3 above) instead of "Security groups". The "assigned" set is bounded by the app's user assignments and stays under the limit.
 - Use Entra ID's optional `wids` (well-known IDs) claim if you only care about admin/non-admin distinction; certctl can be configured against `wids` by setting `groups_claim_path` accordingly.
 **`groups` claim missing entirely.**
 Step 3 wasn't completed — Entra ID does NOT emit `groups` by default. Add the claim via Token configuration before users will see it.
 **`ErrIssuerMismatch` even though the `tid` in the token matches.**
 The v2.0 endpoint emits `iss = https://login.microsoftonline.com/<tenant-id>/v2.0` (no trailing slash). The v1.0 endpoint emits `iss = https://sts.windows.net/<tenant-id>/`. Confirm certctl's `issuer_url` matches v2.0 exactly — no trailing slash, includes `/v2.0`.
 **On-prem-synced groups emit GUIDs even when "Cloud-only display names" is selected.**
 Expected behavior — Microsoft only emits display names for groups created in Entra ID itself (cloud-only). On-prem-synced groups always emit object IDs. The hybrid case is unfixable from the IdP side; either map against GUIDs (recommended) or migrate the relevant groups to cloud-only.
 **The `email` claim is empty even though the user has a primary email.**
 Entra ID's `email` claim only populates when:
 1. The user has a "Primary email" set on their Entra ID profile (often blank for B2B guest users).
 2. The optional claim was added in step 4.
 For B2B guests, the `preferred_username` claim usually carries the email-shape login. You can configure certctl to use `preferred_username` as the user's display name fallback, but the `User.Email` column will remain blank — that's expected for guests.
 **Conditional Access policies blocking the login.**
 If your tenant has Conditional Access requiring MFA for new applications, certctl will see the user redirected through the MFA challenge. This works transparently — the certctl service doesn't care that MFA was performed; it only validates the resulting ID token. If MFA is failing for the user, debug at the Entra ID side (Sign-in logs).
 ## Validation checklist
 Same as [keycloak.md](keycloak.md#validation-checklist), with these additions:
 - [ ] The ID token's `groups` claim is a string-array of GUIDs (decode at jwt.io).
 - [ ] Each certctl group-mapping uses the GUID, not a human-readable name.
 - [ ] A user with >200 groups successfully logs in (or the operator has documented the limitation + workaround in their internal runbook).
 - [ ] The Entra ID **Sign-in logs** view shows the certctl login event with status "Success".
 Sign-off: _______________ (operator) on _______________ (date).
@@ -0,0 +1,186 @@
 # Google Workspace OIDC runbook (broker via Keycloak)
 > Last reviewed: 2026-05-10
 This runbook wires certctl's OIDC SSO surface against [Google Workspace](https://workspace.google.com/) (formerly G Suite). Google's OIDC implementation has a well-known limitation that makes it unsuitable for direct integration with certctl: **the ID token does not emit a groups claim**, so there is no way for certctl's `ErrGroupsUnmapped` fail-closed contract to resolve a user's role assignment.
 The recommended pattern is to **broker Google Workspace through Keycloak (or Authentik)** as a federated identity provider. The end-user still signs in with their Google account, but certctl talks to Keycloak — which DOES emit groups — instead of talking to Google directly.
 For the canonical reference + mental model, read [keycloak.md](keycloak.md) first; this runbook builds on top of it.
 ## The Google Workspace quirk in detail
 **What Google emits in an ID token:** `iss`, `aud`, `sub`, `azp`, `exp`, `iat`, `email`, `email_verified`, `name`, `picture`, `given_name`, `family_name`, `locale`, `hd` (hosted domain). That's it.
 **What it does NOT emit:** `groups`, `roles`, `permissions`, or any indicator of the user's Google Workspace organizational unit / group membership.
 There is a **Cloud Identity Groups API** at `https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchTransitiveGroups` that lets a privileged service account look up a user's groups, but:
 1. It requires a service account with domain-wide delegation, which is a major security surface to grant to certctl.
 2. It's a separate REST call after the OIDC flow, not a claim — certctl's group-claim resolver is path-shape, not API-shape.
 3. The latency budget of an extra API call per login is non-trivial in steady state.
 For these reasons, the broker pattern is strongly preferred. If you absolutely cannot deploy a broker, see "Direct integration without groups" at the bottom of this runbook for a degraded mode where every Google-authenticated user gets a single fixed role.
 ## Architecture: broker pattern
 ```
 end user → Google Workspace login → Keycloak (federated IdP) → certctl
                                       ↑
                                       │
                          adds groups claim from Keycloak's group store
                          (NOT from Google)
 ```
 In this topology:
 - The end user's authentication credentials live at Google.
 - The user's group / role assignments live at Keycloak (manually or via SCIM provisioning from Google).
 - certctl talks ONLY to Keycloak. From certctl's perspective this is identical to the [keycloak.md](keycloak.md) runbook.
 ## Prerequisites
 - A running Keycloak instance with a realm dedicated to certctl. Read [keycloak.md](keycloak.md) and complete that runbook FIRST against a local-only test user. Verify end-to-end OIDC works against Keycloak before adding Google as a federated provider.
 - A Google Workspace tenant where you have Super Admin access OR can ask your Workspace admin to create OAuth credentials.
 - A Google Cloud project (free; same console as Workspace).
 ## IdP-side configuration
 ### Step 1: create a Google OAuth client
 In the Google Cloud Console (`https://console.cloud.google.com/`):
 **APIs & Services → OAuth consent screen → Configure**:
 - User Type: **Internal** (restricts to your Workspace domain) OR **External** (any Google account; usually NOT what you want for an internal cert-management tool).
 - App name: `certctl SSO via Keycloak`.
 - User support email: your team's address.
 - Authorized domains: add the domain Keycloak runs on.
 - Save.
 **APIs & Services → Credentials → Create Credentials → OAuth client ID**:
 - Application type: **Web application**.
 - Name: `certctl-via-keycloak`.
 - Authorized redirect URIs: `https://<keycloak-host>/realms/<realm-name>/broker/google/endpoint` — this is Keycloak's default federated-IdP callback URL. Get the exact URL from Keycloak in step 2 below.
 - Click **Create**.
 Copy the **Client ID** and **Client secret**.
 ### Step 2: add Google as a federated identity provider in Keycloak
 In the Keycloak admin console (`https://<keycloak-host>/admin/`):
 **Realm → Identity providers → Add provider → Google**:
 - Alias: `google` (becomes part of the broker URL).
 - Display name: `Google Workspace`.
 - Client ID: paste from step 1.
 - Client secret: paste from step 1.
 - Default scopes: `openid profile email`.
 - Hosted Domain: your Workspace domain (e.g. `example.com`); restricts to your tenant.
 - Sync mode: **Force** (rewrites the user's first/last name/email from Google on every login; the alternative `Import` only writes on first login).
 - Trust email: **on** (Google verifies emails; certctl-Keycloak chain inherits the trust).
 - Click **Save**.
 The **Redirect URI** field at the top of the saved provider's page shows the exact URL you should have entered in Google's console at step 1. Re-verify match.
 ### Step 3: configure group assignment in Keycloak
 This is the load-bearing step — we're explicitly NOT trusting Google for groups, so Keycloak has to provide them.
 **Option A: Manual group assignment in Keycloak.**
 Federated users from Google appear in **Users** in Keycloak after their first login. You assign them to `certctl-engineers` / `certctl-viewers` / etc. groups in Keycloak's UI manually. Pro: simple. Con: doesn't scale; new hires can't log in until an operator adds them to a group.
 **Option B: Default groups via "Default Groups" realm config.**
 **Realm settings → User registration → Default Groups → Add**: pick the lowest-privilege group (e.g. `certctl-viewers`). Every new federated user lands here automatically; operators promote individual users to higher groups as needed.
 **Option C: Mapper that derives groups from Google claims.**
 If your Google Workspace has organizational units that align with your role split, you can add a Keycloak **Identity Provider Mapper** that maps `hd` (hosted domain) or a custom Google directory custom-schema field to a Keycloak group. This is moderately fragile and Workspace-version-dependent; recommend B for most operators.
 **Option D: SCIM provisioning from Google to Keycloak.**
 Google Workspace can SCIM-push group memberships to Keycloak via the SCIM-for-Google-Cloud-Identity feature. Heavyweight; recommend only if you already have SCIM infrastructure.
 This runbook uses **Option B** (default group) for clarity.
 ### Step 4: verify the broker flow at Keycloak alone
 Before bringing certctl into the picture:
 1. Log out of Keycloak's admin console.
 2. Hit `https://<keycloak-host>/realms/<realm-name>/account` in an incognito window.
 3. Click "Sign in" — Keycloak's login page should now show **Sign in with Google Workspace** as a button below the local login form.
 4. Click it; authenticate via Google; you should land on Keycloak's account page.
 5. Back in the admin console, the user appears under **Users**. Confirm they're in the default group (Option B).
 Only proceed to step 5 when Keycloak alone works end to end.
 ### Step 5: configure certctl against Keycloak (NOT against Google)
 Follow the [keycloak.md](keycloak.md) runbook. Use the realm + client + groups configuration you set up there. The `OIDCProvider.issuer_url` is `https://<keycloak-host>/realms/<realm-name>` — Keycloak's URL, not Google's.
 When the user clicks "Sign in with Keycloak" on certctl's login page, the browser flow is:
 1. certctl → Keycloak authorize endpoint.
 2. Keycloak's login page shows **Sign in with Google Workspace** + the local login form. User clicks Google.
 3. Keycloak → Google authorize endpoint. User authenticates at Google.
 4. Google → Keycloak callback (`/broker/google/endpoint`). Keycloak resolves the user, assigns the default group.
 5. Keycloak → certctl callback. certctl sees a normal Keycloak ID token with the `groups` claim populated by Keycloak.
 6. certctl mints the session.
 End-to-end the user clicks twice (Keycloak's "Sign in with Google" button + Google's consent / login). Subsequent logins skip the consent screen if Google's session is fresh.
 ## Verification
 End-to-end login + audit + Sessions checks are identical to Keycloak. The key Google-Workspace-specific check:
 - The `users.oidc_subject` column in certctl's database should contain the Keycloak-side stable subject (a UUID), NOT the Google subject. Decode the certctl-side ID token and confirm `iss` is Keycloak's URL, `sub` is the Keycloak UUID. Don't confuse the certctl ID token with Google's ID token (which lives one hop upstream and certctl never sees directly).
 ## Direct integration without groups (NOT RECOMMENDED)
 If broker deployment is impossible:
 1. Configure certctl with `issuer_url = https://accounts.google.com`, `client_id` + `client_secret` from your Google OAuth client (with redirect URI pointed at certctl directly).
 2. Add a SINGLE group→role mapping where `group_name` is the empty string. **Wait — certctl rejects empty group names.** This is the structural reason this mode doesn't work: the fail-closed contract requires a real group claim to match.
 The actual workaround is to manually add EVERY operator's email to a per-email mapping, OR to add a custom claim emitter at a thin proxy in front of Google. Both are hacks; the broker pattern is strictly better. We document the constraint here so future operators don't burn cycles trying to make it work.
 ## Troubleshooting
 **Federated Google login completes at Keycloak but the user lands on "no roles assigned" at certctl.**
 The user authenticated through Google → Keycloak successfully but Keycloak didn't assign them a group (Option A wasn't completed for that user, or Option B's default group isn't mapped on the certctl side). Check:
 - Keycloak → Users → <user> → Groups: is the user in any `certctl-*` group?
 - certctl → Auth → OIDC Providers → Keycloak → Group → role mappings: is that group mapped?
 **Google login fails with "redirect_uri_mismatch".**
 The Google OAuth client's authorized redirect URI doesn't match Keycloak's broker callback URL exactly. Re-fetch the URL from Keycloak (Identity Providers → Google → Redirect URI field) and paste it verbatim into Google's console.
 **Google auto-closes the consent prompt and returns "access_denied".**
 Workspace admin policies may block third-party app access. Either the Google OAuth client wasn't approved by the Workspace admin (Google Workspace Admin Console → Security → API controls → Trusted apps), or the OAuth consent screen is configured for "External" but the user is from a different Workspace. Switch to "Internal" if everyone signing in is in the same Workspace.
 **Keycloak log shows "Federated identity returned no email claim".**
 You requested OAuth scopes other than `openid profile email`. Re-add `email` to the Default Scopes on the Keycloak Identity Provider config.
 **Sign-out from certctl doesn't sign the user out of Google.**
 Expected. certctl revokes its own session; Google's session continues independently. If the user needs to fully log out, they sign out at https://accounts.google.com/Logout. The certctl + Keycloak chain is the standard "single sign-on, separate sign-outs" model.
 ## Validation checklist
 Same as [keycloak.md](keycloak.md#validation-checklist), with these additions:
 - [ ] Google → Keycloak federation works without certctl in the loop (step 4 above passes).
 - [ ] A first-time Google sign-in lands the user in the Keycloak default group (or whatever Option you picked).
 - [ ] The certctl audit row's `details.subject` is the Keycloak UUID, NOT Google's `sub` (which would be a Google account ID).
 - [ ] Removing a user from Google Workspace causes their NEXT certctl session-validate to fail (after their existing session expires) — verify with a deactivated test user.
 Sign-off: _______________ (operator) on _______________ (date).
@@ -0,0 +1,55 @@
 # OIDC / SSO runbooks — per-IdP setup guides
 > Last reviewed: 2026-05-10
 This is the index for the per-IdP setup runbooks for certctl's OIDC SSO surface. Pick the runbook that matches your identity provider; each one walks you through the IdP-side configuration, the certctl-side configuration, end-to-end verification, and the most common troubleshooting paths.
 For the threat model behind certctl's OIDC implementation, see [`auth-threat-model.md`](../auth-threat-model.md). For the RBAC primitive that group→role mappings target, see [`rbac.md`](../rbac.md). For the underlying protocol details (PKCE, state, nonce, JWKS rotation, fail-closed semantics), see the OIDC service docstring at [`internal/auth/oidc/service.go`](../../../internal/auth/oidc/service.go).
 ## Choose your runbook
 | IdP | Tier | Group claim shape | Quirks | Runbook |
 |---|---|---|---|---|
 | Keycloak | Free / open-source | `string-array` against `groups` | None — canonical reference | [keycloak.md](keycloak.md) |
 | Authentik | Free / open-source | `string-array` against `groups` | Property-mapping driven; explicit scope claim | [authentik.md](authentik.md) |
 | Okta | Commercial (free dev tier) | `string-array` against `groups` | Group-filter regex on the claim definition | [okta.md](okta.md) |
 | Auth0 | Commercial (free dev tier) | `string-array` against namespaced URL | Custom claims must use a namespaced key (e.g. `https://your-namespace/groups`) and are emitted via an Action | [auth0.md](auth0.md) |
 | Azure AD / Entra ID | Commercial | `string-array` of GROUP OBJECT IDs (GUIDs), not names | Mappings must target object IDs, not human-readable names | [azure-ad.md](azure-ad.md) |
 | Google Workspace | Commercial | NO native group claim | Direct OIDC against Google Workspace cannot emit groups; broker through Keycloak (or Authentik) instead | [google-workspace.md](google-workspace.md) |
 ## Common shape
 Every runbook follows the same five-section layout so you can scan across IdPs:
 1. **Prerequisites** — what you need on the IdP side (admin access, plan tier) and on the certctl side (an admin actor holding `auth.oidc.create` + `auth.oidc.edit`, the GUI / CLI / MCP surface available, the `CERTCTL_CONFIG_ENCRYPTION_KEY` env var set in production so client_secret encrypts at rest).
 2. **IdP-side configuration** — clickable steps in the IdP admin console, with the exact field names and values certctl needs.
 3. **certctl-side configuration** — `POST /api/v1/auth/oidc/providers` payloads, plus the GUI and MCP equivalents. The wire shape is the same across every IdP; only the values differ.
 4. **Verification** — what a successful end-to-end login looks like in the audit log and the GUI Sessions page, plus the JWKS-rotation drill.
 5. **Troubleshooting** — the failure modes you're statistically most likely to hit, mapped to the certctl service-layer sentinel error you'll see in the audit row.
 ## Cross-IdP recurring concepts
 These show up in every runbook; understand them once and skim the rest.
 **Redirect URI.** Every IdP needs the certctl-side callback URL registered as an allowed redirect URI. The format is `https://<your-certctl-host>/auth/oidc/callback` — port 8443 by default for the HTTPS-only control plane (Decision: post-v2.2 the platform is HTTPS-only, no plaintext port). For local-dev fixtures, `http://localhost:8443/auth/oidc/callback` is acceptable; production deployments MUST use HTTPS, and the OIDCProvider domain validator rejects HTTP issuer URLs in non-test paths.
 **Client secret rotation.** Every IdP issues a `client_secret` for the confidential client (certctl is always a confidential client; public clients aren't supported because we have a server-side place to keep the secret). Rotating at the IdP requires the operator to PUT the new secret into certctl via the GUI's "Edit provider" dialog or `certctl_auth_update_oidc_provider` MCP tool — leaving `client_secret` empty in the update payload preserves the existing ciphertext, providing a value rotates.
 **JWKS cache TTL.** The certctl service caches the IdP's JWKS document for `jwks_cache_ttl_seconds` (default 3600). When the IdP rotates a signing key, in-flight logins that try to validate a new-key-signed token against the stale cache fail with `ErrJWKSUnreachable` until the next refresh. Operators have two options: wait out the TTL, or click "Refresh discovery cache" in the GUI's OIDC Provider Detail page (`POST /api/v1/auth/oidc/providers/{id}/refresh`) to force-evict the cache. The Keycloak integration test exercises this drill end to end.
 **Group→role mappings are fail-closed.** The certctl service refuses to mint a session for a user whose IdP-supplied groups don't match ANY configured mapping (`ErrGroupsUnmapped` → HTTP 401 to the user with a "no roles assigned" page). This is intentional — empty mapping ≠ "let everyone in," it means "this provider is not yet configured for any role." Operators add at least one mapping (typically `<engineers-group>` → `r-operator`) BEFORE rolling out OIDC to users.
 **Nonce + state + PKCE-S256 are non-negotiable.** Every login flow round-trips a nonce (replay defense), a state (CSRF defense), and a PKCE-S256 verifier (RFC 9700 §2.1.1 mandate). `plain` PKCE is rejected at the service-layer sentinel level. None of this is configurable; if your IdP doesn't support PKCE-S256, you cannot use it with certctl.
 **IdP downgrade-attack defense.** At provider creation AND on every JWKS refresh, certctl intersects the IdP's advertised `id_token_signing_alg_values_supported` with the certctl allow-list (RS256, RS512, ES256, ES384, EdDSA by default). If the IdP advertises HS256/HS384/HS512 or `none`, provider creation is rejected — even before any token is signed under the weak alg. This catches the case where a future compromised or misconfigured IdP tries to rotate to an alg-confusion-prone setup.
 ## When you finish a runbook
 Each per-IdP runbook ends with a **validation checklist** the operator runs against a real production-tier deployment. Run through the matrix end-to-end against your IdP and mark your sign-off in the runbook's footer — that gives the next operator (or the next you) a dated record of what's been verified to work.
 ## Related docs
 - [RBAC operator reference](../rbac.md) — roles, permissions, scope-down + bootstrap flow.
 - [Auth threat model](../auth-threat-model.md) — API-key + OIDC + session compromise scenarios; v3 WebAuthn pairing.
 - [Security posture](../security.md) — overall auth surface including this OIDC layer.
 - [API keys → RBAC migration](../../migration/api-keys-to-rbac.md) — the v2.0.x → v2.1.0 RBAC upgrade flow your operator likely already ran.
@@ -0,0 +1,245 @@
 # Keycloak OIDC runbook
 > Last reviewed: 2026-05-10
 This is the canonical reference runbook for wiring certctl's OIDC SSO surface against [Keycloak](https://www.keycloak.org/). Keycloak is a free / open-source identity provider that runs on-prem or self-hosted; it is also the load-bearing test fixture for certctl's OIDC integration tests (`internal/auth/oidc/testfixtures/keycloak.go`), so the certctl-side validation pipeline is exhaustively exercised against it.
 If your IdP is something else (Okta, Auth0, Azure AD, Authentik, Google Workspace), see the per-IdP siblings in [this directory](index.md). The mental model + certctl-side wiring are identical; only the IdP-side console differs.
 ## Prerequisites
 **On the Keycloak side:**
 - Keycloak ≥ 25.0 (older versions work but the screen flows differ slightly — the integration test fixture pins 25.0).
 - Admin access to a realm — either an existing tenant realm or a fresh one created for certctl. Don't share Keycloak's `master` realm; create a dedicated realm.
 - Network reachability from certctl-server to the Keycloak `https://<keycloak-host>/realms/<realm-name>` discovery endpoint. The certctl service fetches `/.well-known/openid-configuration` at provider creation and at every `RefreshKeys` call.
 - Keycloak's signing alg set to RS256 (default) or any of: RS512, ES256, ES384, EdDSA. HS256/HS384/HS512 + `none` are rejected by certctl's IdP-downgrade-attack defense at provider creation time.
 **On the certctl side:**
 - `CERTCTL_CONFIG_ENCRYPTION_KEY` set to a stable secret (production deployments only — the encryption-at-rest layer for the OIDC client_secret depends on it).
 - An admin actor holding `auth.oidc.create` + `auth.oidc.edit` (held by `r-admin` by default; granted via `certctl_auth_assign_role_to_key` MCP tool or the GUI's Auth → Keys page).
 - Server build ≥ v2.1.0.
 ## IdP-side configuration
 The same configuration you'll do by hand here is what the testcontainers fixture imports from `internal/auth/oidc/testfixtures/keycloak-realm.json` — read that file alongside this runbook to see the exact JSON shape Keycloak persists.
 ### 1. Create or pick a realm
 In the Keycloak admin console (`https://<keycloak-host>/admin/`), drop into the realm you'll use. If creating a new one, the realm name will become part of the issuer URL: `https://<keycloak-host>/realms/<realm-name>`.
 ### 2. Create the OIDC client
 **Clients → Create client**:
 - Client type: **OpenID Connect**
 - Client ID: `certctl` (or whatever you prefer; it goes into `OIDCProvider.client_id` on the certctl side).
 - Always display in console: off.
 - Click **Next**.
 On the capability config page:
 - Client authentication: **On** (this makes the client confidential, which is what certctl requires).
 - Authorization: off.
 - Standard flow: **on** (auth-code with PKCE — this is the path certctl uses).
 - Direct access grants: off (ROPC; the test fixture turns this on for ROPC convenience but production should NOT).
 - Implicit flow: off.
 - Service accounts roles: off.
 - Click **Next**.
 Login settings:
 - Root URL: leave blank.
 - Home URL: blank.
 - Valid redirect URIs: `https://<your-certctl-host>:8443/auth/oidc/callback` — ONE entry, exact match. Wildcards (`*`) work for local dev (`http://localhost:*`) but production should pin the exact host.
 - Valid post logout redirect URIs: blank or `+` (matches the redirect URI list).
 - Web origins: `+` (matches the redirect URI origin) or empty.
 - Click **Save**.
 On the saved client's **Credentials** tab, copy the **Client secret** — you'll need it for the certctl-side payload.
 ### 3. Create the groups
 **Groups → Create group**:
 - Repeat for every certctl role you want to map to a group. A typical setup creates two:
  - `certctl-engineers` (intended target: `r-operator`)
  - `certctl-viewers` (intended target: `r-viewer`)
 - Optionally an `certctl-admins` group → `r-admin` for break-glass-free first-admin bootstrap; see the [`auth-threat-model.md`](../auth-threat-model.md) section on bootstrap admins.
 ### 4. Configure the group-membership claim mapper
 This is the load-bearing step — without it, the ID token won't carry a `groups` claim and every login fails closed with `ErrGroupsUnmapped`.
 **Clients → certctl → Client scopes → certctl-dedicated → Add mapper → By configuration → Group Membership**:
 - Name: `groups`
 - Token Claim Name: `groups`
 - Full group path: **off** (so the claim emits `engineers`, not `/engineers`; matches the certctl `string-array` group-claim format).
 - Add to ID token: **on**.
 - Add to access token: **on** (optional but recommended; the userinfo-fallback path uses it).
 - Add to userinfo: **on**.
 - Click **Save**.
 ### 5. Create the user(s)
 **Users → Add user**:
 - Username: `alice` (or however you identify operators).
 - Email: required (used as the certctl-side `User.Email`).
 - First name + last name: optional but populates `User.DisplayName`.
 - Email verified: **on** if you trust the user.
 - Click **Create**.
 On the saved user's **Credentials** tab:
 - Set a password. Mark **Temporary** if you want the user to reset on first login.
 On the **Groups** tab:
 - Join the user to the group(s) you created in step 3.
 ## certctl-side configuration
 ### Via the GUI
 1. Sign in as an admin actor.
 2. Navigate to **Auth → OIDC Providers** in the sidebar.
 3. Click **Configure provider**.
 4. Fill in:
   - **Display name**: `Keycloak` (free-text; what end-users see on the login page button).
   - **Issuer URL**: `https://<keycloak-host>/realms/<realm-name>`.
   - **Client ID**: `certctl` (matches step 2 above).
   - **Client secret**: paste the secret from step 2's Credentials tab.
   - **Redirect URI**: `https://<your-certctl-host>:8443/auth/oidc/callback`.
   - **Groups claim path**: `groups` (the default; matches step 4's Token Claim Name).
   - **Groups claim format**: `string-array` (the default).
   - **Fetch userinfo**: off (Keycloak emits groups in the ID token; userinfo fallback is for IdPs that don't).
   - **Scopes**: `openid profile email` (the certctl service prepends `openid` if missing).
   - **IAT window seconds**: 300 (default).
   - **JWKS cache TTL seconds**: 3600 (default).
 5. Click **Save**.
 If the discovery doc fetch fails, the modal surfaces the error inline. The most common cause is a typo in the issuer URL — Keycloak emits 404 for any path under `/realms/` that doesn't match an actual realm.
 ### Via the API
 ```bash
 curl -X POST https://<your-certctl-host>:8443/api/v1/auth/oidc/providers \
  -H "Authorization: Bearer ${CERTCTL_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Keycloak",
    "issuer_url": "https://keycloak.example.com/realms/certctl",
    "client_id": "certctl",
    "client_secret": "<paste-the-secret>",
    "redirect_uri": "https://certctl.example.com:8443/auth/oidc/callback",
    "groups_claim_path": "groups",
    "groups_claim_format": "string-array",
    "fetch_userinfo": false,
    "scopes": ["openid", "profile", "email"],
    "iat_window_seconds": 300,
    "jwks_cache_ttl_seconds": 3600
  }'
 ```
 ### Via MCP
 ```
 certctl_auth_create_oidc_provider {
  "name": "Keycloak",
  "issuer_url": "https://keycloak.example.com/realms/certctl",
  "client_id": "certctl",
  "client_secret": "<paste-the-secret>",
  "redirect_uri": "https://certctl.example.com:8443/auth/oidc/callback",
  "groups_claim_path": "groups",
  "groups_claim_format": "string-array",
  "scopes": ["openid", "profile", "email"]
 }
 ```
 ### Add the group→role mappings
 GUI: **Auth → OIDC Providers → Keycloak → Group → role mappings → Add**.
 - IdP group: `certctl-engineers` → certctl role: `r-operator`.
 - IdP group: `certctl-viewers` → certctl role: `r-viewer`.
 API equivalent: `POST /api/v1/auth/oidc/group-mappings` with `{"provider_id": "<id>", "group_name": "certctl-engineers", "role_id": "r-operator"}`. MCP equivalent: `certctl_auth_add_group_mapping`.
 Empty mapping list = nobody can log in via Keycloak (the fail-closed contract). Add at least one before announcing the SSO endpoint to users.
 ## Verification
 ### End-to-end login
 1. Open `https://<your-certctl-host>:8443/login` in a fresh incognito window.
 2. The page renders an OIDC button block with `Sign in with Keycloak` (the display name from the create-provider step).
 3. Click it. The browser redirects to Keycloak, you authenticate as `alice`, Keycloak redirects back to certctl, and you land on the dashboard.
 4. Navigate to **Auth → Sessions**. You should see a row with your own actor ID, the IP you logged in from, and the current timestamp under "last seen".
 ### Audit trail
 ```bash
 curl https://<your-certctl-host>:8443/api/v1/audit?category=auth \
  -H "Authorization: Bearer ${CERTCTL_API_KEY}" | jq '.events[] | select(.action == "auth.oidc_login_succeeded")'
 ```
 You should see a row for the login above, with `details.provider_id` matching the Keycloak provider's id and `details.subject` set to the Keycloak user's `sub` claim (typically a UUID).
 ### JWKS-rotation drill
 Operator action when Keycloak rotates its realm signing key:
 1. In Keycloak: **Realm settings → Keys → Providers → Add provider → rsa-generated**, set priority higher than the current key (e.g. 200), enabled = on, active = on.
 2. In certctl: GUI → **Auth → OIDC Providers → Keycloak → Refresh discovery cache** button. Or the CLI / MCP equivalent: `POST /api/v1/auth/oidc/providers/<id>/refresh`.
 3. Run another login. The new ID token is signed under the new key; the certctl service validates it against the freshly-fetched JWKS doc.
 The Keycloak integration test `TestKeycloakIntegration_JWKSRotation_RefreshKeysPicksUpNewKey` exercises this exact flow end to end.
 ## Troubleshooting
 **"Discovery doc fetch failed" at provider creation.**
 The most common cause is a wrong issuer URL — typo in realm name, missing `/realms/` segment, or HTTP→HTTPS redirect that the Go client doesn't follow without explicit headers. Curl the URL manually:
 ```
 curl -v https://<keycloak-host>/realms/<realm-name>/.well-known/openid-configuration
 ```
 If that returns 404, fix the realm name. If it returns 200 but certctl still fails, check `cmd/server` logs for the wrapped error.
 **"IdP downgrade-attack defense" rejected provider creation.**
 Keycloak's realm has a signing key advertised in `id_token_signing_alg_values_supported` that's in certctl's deny-list (HS256/HS384/HS512/`none`). Check **Realm settings → Keys → Providers** — disable any HMAC key providers and re-create the provider in certctl.
 **Login redirects to Keycloak, the user authenticates, but the callback redirects back to `/login` with "no roles assigned".**
 The user authenticated successfully but their groups didn't match any configured mapping (`ErrGroupsUnmapped`). Check:
 - The user is actually a member of the group you mapped (Users → user → Groups tab in Keycloak).
 - The group-membership mapper is configured correctly (Clients → certctl → Client scopes → certctl-dedicated → mappers → groups → "Full group path: off" matters).
 - The group name in your certctl mapping exactly matches what Keycloak emits — case-sensitive, no leading slash if "Full group path: off".
 You can confirm what Keycloak is actually emitting by decoding the ID token at jwt.io against the Keycloak public key, or by enabling certctl's debug logging on the OIDC service for one login (logs are scrubbed of token contents per the OIDC service's token-leak hygiene contract; debug logs surface only the resolved group list and the mapping decision).
 **"id_token verify failed: token used before issued"**
 Clock skew between Keycloak and certctl-server. Either align both to NTP, or bump `iat_window_seconds` on the OIDC provider config (default 300 = 5 minutes). The certctl service caps `iat_window_seconds` at 600.
 **"oidc: pre-login session not found or already consumed"**
 The user clicked the OIDC login button, then the browser tab idled past the 10-minute pre-login TTL OR the user opened the IdP login in a new tab and consumed the row from the first one. Have them retry.
 **"oidc: state parameter mismatch (replay or forgery)"**
 Either the user double-submitted a callback URL (clicked it twice from email or browser history), or a CSRF attempt. The pre-login row is single-use; second consumption returns `ErrPreLoginNotFound`. Have them retry from the login page.
 **Sessions revoked but the user can still hit the API.**
 Check the session contract: the cookie is HMAC-validated on every request, but the actual database row is what `Revoke` deletes. If your reverse proxy is caching the response or the `__Host-certctl_session` cookie wasn't actually cleared on the client, the cookie will hit the server's session middleware which will return 401 on the missing-row lookup. The middleware never serves stale data; the issue is upstream of certctl in this case.
 ## Validation checklist
 Before signing off this runbook for production rollout, validate these end-to-end:
 - [ ] `auth.oidc_provider_created` audit row appears after the create-provider POST.
 - [ ] `Sign in with Keycloak` button renders on the login page after `getAuthInfo` returns the configured provider.
 - [ ] A user with mapped groups completes the auth-code flow and lands on the dashboard.
 - [ ] A user WITHOUT mapped groups gets the "no roles assigned" landing (not the dashboard).
 - [ ] The `auth.oidc_login_succeeded` and `auth.oidc_login_failed` audit rows correctly distinguish the two cases.
 - [ ] The Sessions page shows the new session, with self-pill on the caller's row.
 - [ ] Revoking the session via the GUI causes the next API request from that browser to 401 + redirect to login.
 - [ ] Running the JWKS-rotation drill (steps above) does not break in-flight logins; rotated tokens validate against the refreshed JWKS.
 - [ ] Editing the provider with `client_secret` blank preserves the existing ciphertext (operator confirms by reading the `oidc_providers.client_secret_encrypted` column before + after the PUT — bytes unchanged).
 Sign-off: _______________ (operator) on _______________ (date).
@@ -0,0 +1,143 @@
 # Okta OIDC runbook
 > Last reviewed: 2026-05-10
 This runbook wires certctl's OIDC SSO surface against [Okta](https://www.okta.com/), a commercial cloud IdP. Okta offers a free developer tier (`https://dev-NNNNN.okta.com`) suitable for evaluation; production runs on a paid Workforce Identity tenant.
 For the canonical reference + mental model, read [keycloak.md](keycloak.md) first; this runbook only documents the Okta-specific deltas.
 ## Prerequisites
 **On the Okta side:**
 - A Workforce Identity tenant (or free Developer Edition account at <https://developer.okta.com/signup/>).
 - Super Admin or Application Admin role in your Okta tenant.
 - Network reachability from certctl-server to `https://<your-org>.okta.com/.well-known/openid-configuration` OR to a custom authorization server endpoint if you're using one (`https://<your-org>.okta.com/oauth2/<auth-server-id>/.well-known/openid-configuration`).
 **On the certctl side:** same as Keycloak.
 ## IdP-side configuration
 ### 1. Create the OIDC application
 In the Okta admin console:
 **Applications → Applications → Create App Integration**:
 - Sign-in method: **OIDC - OpenID Connect**.
 - Application type: **Web Application**.
 - Click **Next**.
 App config:
 - App integration name: `certctl`.
 - Logo: optional.
 - Grant types: **Authorization Code** (CHECK). Leave Refresh Token unchecked unless you have a specific reason — certctl doesn't currently use refresh tokens.
 - Sign-in redirect URIs: `https://<your-certctl-host>:8443/auth/oidc/callback`.
 - Sign-out redirect URIs: optional; leave empty unless you also configure RP-initiated logout.
 - Trusted Origins: leave default.
 - Assignments → Controlled access: **Limit access to selected groups** (recommended; pick the `certctl-*` groups from step 3 below).
 - Click **Save**.
 On the saved app's **General** tab, copy the **Client ID** and **Client secret** (under Client Credentials). The secret is shown once on creation — copy it immediately or rotate via "Generate new secret".
 ### 2. Pick or create an authorization server
 Okta has TWO authorization-server tiers:
 - **The Org Authorization Server** at `https://<your-org>.okta.com` — emits ID tokens with limited claims; cannot host custom claims directly. Use for the simplest setup.
 - **A Custom Authorization Server** at `https://<your-org>.okta.com/oauth2/<auth-server-id>` — fully configurable scopes + claims + access policies. The free developer tier ships with a default custom server at `/oauth2/default`. Recommended for production.
 For this runbook we use the default custom server: `https://<your-org>.okta.com/oauth2/default`.
 ### 3. Create the groups + assign users
 **Directory → Groups → Add Group**:
 - Repeat for `certctl-engineers`, `certctl-viewers`, optionally `certctl-admins`.
 **Directory → People → <user> → Groups**: assign each user to the appropriate `certctl-*` group(s).
 Then go back to the App from step 1 and on the **Assignments** tab, assign the `certctl-*` groups to the application. Without this assignment Okta will reject the user's login attempt at the IdP layer with "User is not assigned to the client application".
 ### 4. Configure the groups claim
 This is the load-bearing Okta-specific step. The default authorization server does NOT emit a `groups` claim out of the box — you have to define it.
 **Security → API → Authorization Servers → default → Claims → Add Claim**:
 - Name: `groups`.
 - Include in token type: **ID Token, Always** (also tick Access Token if you want the userinfo-fallback path to work).
 - Value type: **Groups**.
 - Filter: pick **Matches regex** with the value `certctl-.*` so only the `certctl-*` groups are emitted (saves on token size; users in dozens of unrelated groups get a bloated token otherwise).
 - Disable claim: off.
 - Include in: **Any scope** (or pin to `openid` if you want the claim only on the certctl-flow).
 - Click **Create**.
 ### 5. (Optional) Add `email` and `profile` claims
 The default custom server already emits `email` and `name` under the `profile` and `email` scopes — no action needed unless you've stripped them from a custom config.
 ## certctl-side configuration
 ```bash
 curl -X POST https://<your-certctl-host>:8443/api/v1/auth/oidc/providers \
  -H "Authorization: Bearer ${CERTCTL_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Okta",
    "issuer_url": "https://your-org.okta.com/oauth2/default",
    "client_id": "<paste-from-step-1>",
    "client_secret": "<paste-from-step-1>",
    "redirect_uri": "https://certctl.example.com:8443/auth/oidc/callback",
    "groups_claim_path": "groups",
    "groups_claim_format": "string-array",
    "fetch_userinfo": false,
    "scopes": ["openid", "profile", "email"],
    "iat_window_seconds": 300,
    "jwks_cache_ttl_seconds": 3600
  }'
 ```
 Notes:
 - `issuer_url` MUST match exactly what Okta emits as the `iss` claim. For the default custom server it's `https://<your-org>.okta.com/oauth2/default` (no trailing slash). The org server's issuer is just `https://<your-org>.okta.com` (no `/oauth2/...` path). Mismatching either side trips certctl's `ErrIssuerMismatch` sentinel.
 - The `groups` scope is NOT required in the scopes list — Okta emits the claim based on the claim definition's "Include in: any scope" setting. Adding `groups` to the scopes list is harmless if your custom server has the scope defined.
 Add the group→role mappings: `certctl-engineers` → `r-operator`, `certctl-viewers` → `r-viewer`, `certctl-admins` → `r-admin`.
 ## Verification
 End-to-end login + audit + Sessions checks are identical to Keycloak.
 **Okta-specific:** the audit row's `details.subject` will be Okta's user UID (a 20-char alphanumeric string starting with `00u`), stable across email changes. The certctl `users` table's `oidc_subject` column will hold this UID.
 **Optional Okta smoke test in CI:** certctl ships an opt-in smoke test at `internal/auth/oidc/integration_okta_smoke_test.go` (build tags `integration && okta_smoke`). Set `OKTA_ISSUER` + `OKTA_CLIENT_ID` + `OKTA_CLIENT_SECRET` env vars and run `make okta-smoke-test` to drive a discovery + RefreshKeys round-trip against your live tenant. Pre-reqs: enable the Resource Owner Password (ROPC) grant on the application (Sign-On tab → Grant types → Resource Owner Password) for the smoke test only; production certctl uses auth-code-with-PKCE.
 **JWKS-rotation drill:** Okta auto-rotates signing keys every ~3 months and publishes the new key alongside the old in the JWKS doc for ~1 month overlap. Manual rotation: **Security → API → Authorization Servers → default → Keys → "Generate new key"**. After rotation, click "Refresh discovery cache" in certctl's GUI; new tokens validate immediately.
 ## Troubleshooting
 **"User is not assigned to the client application" at the Okta login screen.**
 You created the app + the user but didn't assign the user to the app via a group. Either assign the user directly (App → Assignments → Assign to People) or assign the `certctl-*` groups to the app (App → Assignments → Assign to Groups).
 **Login completes but `groups` claim is empty in the ID token.**
 Most common Okta gotcha — the default custom server doesn't emit `groups` until you define the claim (step 4 above). Decode the ID token at jwt.io to confirm. If the claim is defined but empty, check the regex filter in step 4 — `certctl-.*` matches names like `certctl-engineers` but NOT `engineers`.
 **`ErrIssuerMismatch` after correctly configuring the discovery URL.**
 The issuer claim Okta puts in the ID token MUST match `OIDCProvider.IssuerURL` byte-for-byte, including trailing slash. The default custom server emits `https://<your-org>.okta.com/oauth2/default` (no trailing slash); the org server emits `https://<your-org>.okta.com`. Don't append a trailing slash to either.
 **Login succeeds but the certctl `User.Email` is empty.**
 The `email` scope wasn't requested OR the user's email isn't verified at Okta. Add `email` to the certctl scopes config and ensure Okta's user has a verified primary email.
 **Okta returns "PKCE code verifier required".**
 The certctl service hard-codes PKCE-S256 on every login (RFC 9700 mandate). If Okta is rejecting the verifier, the most likely cause is a misconfigured app type — confirm the Okta application is "Web Application" (which supports auth-code + PKCE), not "Single-Page Application" (which has different token-binding rules) or "Native App".
 **Custom-server access policies blocking the login.**
 By default the `default` custom authorization server has an "Access Policy" with one rule allowing all clients + all users. If you've tightened this (production hygiene), add a rule that allows the `certctl` client + the `certctl-*` groups: **Security → API → Authorization Servers → default → Access Policies → <policy> → Add Rule**.
 ## Validation checklist
 Same as [keycloak.md](keycloak.md#validation-checklist), with Okta-specific values + the access-policy check above.
 Sign-off: _______________ (operator) on _______________ (date).
@@ -0,0 +1,356 @@
 # RBAC operator reference
 > Last reviewed: 2026-05-11
 >
 > Audit 2026-05-11 A-8 follow-on: demo-mode residual-grants detector
 > + cleanup endpoint shipped. New env var:
 > `CERTCTL_DEMO_MODE_RESIDUAL_STRICT` (default `false`). Operator
 > workflow at
 > [`security.md#demo-to-production-cutover-audit-2026-05-11-a-8`](security.md#demo-to-production-cutover-audit-2026-05-11-a-8).
 This is the operator-facing reference for the role-based access
 control primitive in certctl.
 Read this if you're running certctl in production and need to grant /
 revoke access to API keys, set up the auditor split, or onboard the
 first admin.
 For the threat model behind these controls, see
 [`auth-threat-model.md`](auth-threat-model.md). For the migration
 flow from a pre-RBAC (v2.0.x) deployment, see
 [`docs/migration/api-keys-to-rbac.md`](../migration/api-keys-to-rbac.md).
 ## Mental model
 Every action against the certctl HTTP / CLI / MCP / GUI surface is
 performed by an **actor** (an API key, an agent's machine identity,
 the synthetic demo-anon actor when the server runs in
 `CERTCTL_AUTH_TYPE=none` mode). Each actor holds zero or more
 **roles**. Each role grants a set of **permissions** at a **scope**.
 A request to a gated endpoint succeeds when the actor's effective
 permission set (the union across all held roles) contains the
 permission the endpoint requires.
 The schema lives in `migrations/000029_rbac.up.sql` and ships with
 seven seeded default roles + a 33-permission canonical catalogue.
 The middleware that gates requests lives at
 `internal/auth/require_permission.go`. The service-layer authorizer
 that resolves "actor → permissions" lives at
 `internal/service/auth/authorizer.go`.
 ## Default roles (seeded by migration 000029)
 | Role | ID | Use case | Permission shape |
 |---|---|---|---|
 | Admin | `r-admin` | Operator with full control | Every permission in the canonical catalogue |
 | Operator | `r-operator` | Day-to-day cert lifecycle | `cert.*`, `profile.read`, `issuer.read`, `target.*`, `agent.read`, `audit.read` |
 | Viewer | `r-viewer` | Read-only console access | `*.read` for every resource type |
 | Agent | `r-agent` | Machine identity for `certctl-agent` | `cert.read` + `agent.heartbeat` + `agent.job.poll` + `agent.job.complete` + `agent.job.report` |
 | MCP | `r-mcp` | Operator-equivalent for the MCP server, minus destructive ops | Like Operator without `*.delete` |
 | CLI | `r-cli` | Day-to-day operator CLI | Like Operator + `auth.key.list` / `auth.key.create` / `auth.key.rotate` |
 | Auditor | `r-auditor` | Compliance reviewer | `audit.read` + `audit.export` ONLY |
 **Note on actor-type binding (Audit 2026-05-10 LOW-8):** Roles in
 the catalogue are NOT bound to a specific `actor_type`. `r-mcp` is
 named for clarity ("the role MCP service accounts hold") but the
 schema permits granting it to any actor — including a human OIDC
 user. Same goes for `r-cli` and `r-agent`. The role-grant API accepts
 `{actor_id, actor_type, role_id}` tuples; the `actor_type` constraint
 lives on the grant row, not the role definition. Operators who want
 to enforce "only API-key actors hold r-mcp" should write that as an
 operator-side policy + verify via a periodic audit query against
 `actor_roles` joined to `api_keys` / `users`. Native role-to-
 actor-type binding is on the v2 roadmap.
 The auditor split is the load-bearing one: an auditor cannot read
 certificates, profiles, or issuers - only audit events. That makes the
 role legitimate to hand to a SOC 2 / FedRAMP / PCI auditor without
 giving them the keys to the kingdom. The
 `internal/domain/auth/auditor_test.go` invariants pin this set going
 forward.
 The five **admin-only fine-grained perms** seeded by migration
 000030 gate the high-blast-radius endpoints:
 - `cert.bulk_revoke` - `POST /api/v1/certificates/bulk-revoke` and the EST sibling
 - `crl.admin` - `/api/v1/admin/crl/cache`
 - `scep.admin` - `/api/v1/admin/scep/intune/*`
 - `est.admin` - `/api/v1/admin/est/*`
 - `ca.hierarchy.manage` - `/api/v1/issuers/{id}/intermediates`, `/api/v1/intermediates/{id}`
 Only `r-admin` holds these by default. To delegate one, create a
 custom role with the specific perm and grant it to the right actor.
 ## Permission catalogue
 The catalogue is namespaced. Permission strings are stable across
 releases; new permissions add to the namespace, never reshape an
 existing one. Run
 `certctl-cli auth permissions list` (or `GET /api/v1/auth/permissions`)
 for the live catalogue.
 | Namespace | Examples | What the namespace gates |
 |---|---|---|
 | `cert.*` | `cert.read`, `cert.issue`, `cert.revoke`, `cert.delete`, `cert.bulk_revoke` | The certificate lifecycle surface (`/api/v1/certificates`) |
 | `profile.*` | `profile.read`, `profile.edit`, `profile.delete` | `CertificateProfile` CRUD |
 | `issuer.*` | `issuer.read`, `issuer.edit`, `issuer.delete` | Issuer connector config |
 | `target.*` | `target.read`, `target.edit`, `target.delete` | Deployment target config |
 | `agent.*` | `agent.read`, `agent.edit`, `agent.retire`, `agent.heartbeat`, `agent.job.*` | Agent fleet + agent self-service endpoints |
 | `audit.*` | `audit.read`, `audit.export` | The audit-events surface |
 | `auth.role.*` | `auth.role.list`, `auth.role.create`, `auth.role.edit`, `auth.role.delete`, `auth.role.assign` | RBAC management |
 | `auth.key.*` | `auth.key.list`, `auth.key.create`, `auth.key.rotate`, `auth.key.delete` | API key management |
 | `auth.bootstrap.*` | `auth.bootstrap.use` | Day-0 first-admin path |
 | `crl.admin`, `scep.admin`, `est.admin`, `ca.hierarchy.manage` | (single perms) | The five admin-only fine-grained perms (see above) |
 | `job.*` | `job.read`, `job.cancel` | Deployment job lifecycle |
 | `approval.*` | `approval.read`, `approval.approve`, `approval.reject` | Two-person approval workflow (cert-issuance + profile-edit) |
 | `policy.*` | `policy.read`, `policy.edit`, `policy.delete` | Compliance policies + renewal policies |
 | `team.*`, `owner.*` | `team.read`, `team.edit`, `team.delete`, `owner.*` | Organizational metadata |
 | `notification.*` | `notification.read`, `notification.edit` | Notification queue + requeue |
 | `discovery.*` | `discovery.read`, `discovery.run`, `discovery.claim` | Agent + cloud-secret-store discovery |
 | `network_scan.*` | `network_scan.read`, `network_scan.edit`, `network_scan.run` | TLS network scanning + SCEP probing |
 | `healthcheck.*` | `healthcheck.read`, `healthcheck.edit`, `healthcheck.delete`, `healthcheck.acknowledge` | Uptime monitors |
 | `digest.*` | `digest.read`, `digest.send` | Operator-summary digest emails |
 | `verification.*` | `verification.read`, `verification.run` | Post-deploy verification |
 | `stats.read`, `metrics.read` | (single perms) | Dashboard summary + Prometheus exposition |
 The full catalogue lives in
 [`internal/domain/auth/validate.go`](../../internal/domain/auth/validate.go).
 The router-level enforcement sits in
 [`internal/api/router/router.go`](../../internal/api/router/router.go);
 the AST-level CI guard
 [`TestRouterRBACGateCoverage`](../../internal/api/router/router_rbac_coverage_test.go)
 pins the contract — adding a new state-changing or read endpoint
 without an `rbacGate` / `rbacGateScoped` wrap fails CI.
 ## Scope semantics
 Permissions are granted at one of three scopes:
 - **`global`** - applies to every resource in the tenant. The
  default for the seeded role grants. A `cert.read` grant at global
  scope lets the actor read any certificate.
 - **`profile`** - applies only to the named `CertificateProfile`
  (matched by ID). `cert.issue` at scope `profile`/`p-corp-cdn` lets
  the actor issue against `p-corp-cdn` only.
 - **`issuer`** - applies only to the named issuer. Lets you grant
  `issuer.edit` on the production issuer to a senior operator
  without giving them edit on every issuer.
 Global beats specific: an actor with `cert.read` at global scope
 passes a `cert.read` check against any specific profile or issuer
 even if no scoped grant exists. The reverse is also true - a
 scoped grant doesn't satisfy a request against a different scope.
 The Authorizer's `CheckPermission` is the single point of truth.
 > **Note (deferral):** the `scope_id` column is not
 > currently FK-constrained against the resource tables. An
 > operator can grant a permission at scope `profile`/`p-bogus`
 > without `p-bogus` existing; the gate still works (no rows match
 > at request time), but the API does not 404 the grant. Strict-FK
 > closure is tracked for a follow-on release. See
 > `internal/repository/postgres/auth.go::AddPermission`'s
 > `TODO` comment.
 ## Granting + revoking access
 ### From the GUI
 `/auth/roles` lists every role; click into one to see its
 permissions and (if you hold `auth.role.edit`) add or remove a
 permission. `/auth/keys` lists every actor with role grants;
 click "Assign role" to grant, click the × on a role tag to revoke.
 The synthetic `actor-demo-anon` row is shown but flagged
 "system-managed" with the mutation buttons hidden - the server-side
 reserved-actor guard rejects mutations against it regardless.
 ### From the CLI
 ```bash
 # Identity probe - what can the current API key actually do?
 certctl-cli auth me
 # Roles
 certctl-cli auth roles list
 certctl-cli auth roles get r-admin
 # Permissions catalogue
 certctl-cli auth permissions list
 # Key → role assignment
 certctl-cli auth keys list
 certctl-cli auth keys assign alice --role r-operator
 certctl-cli auth keys revoke alice --role r-admin
 # Walk-every-key prompt for downgrade
 certctl-cli auth keys scope-down
 # Audit-driven role suggestion (last 30 days of audit events)
 certctl-cli auth keys scope-down --suggest
 certctl-cli auth keys scope-down --suggest --apply
 # JSON-driven scope-down for automation (Helm post-upgrade hook etc.)
 certctl-cli auth keys scope-down --non-interactive ./scope-down.json
 ```
 The mutating role-lifecycle commands (`certctl-cli auth roles
 create / update / delete` + `roles add-permission / remove-permission`)
 are tracked as a follow-on; today, manage custom
 roles via the HTTP API or GUI.
 ### From the HTTP API
 Every endpoint is documented in `api/openapi.yaml` under the `[Auth]`
 tag. Quick reference:
 | Endpoint | Permission |
 |---|---|
 | `GET /v1/auth/me` | (none - own data) |
 | `GET /v1/auth/roles` | `auth.role.list` |
 | `GET /v1/auth/roles/{id}` | `auth.role.list` |
 | `POST /v1/auth/roles` | `auth.role.create` |
 | `PUT /v1/auth/roles/{id}` | `auth.role.edit` |
 | `DELETE /v1/auth/roles/{id}` | `auth.role.delete` |
 | `GET /v1/auth/permissions` | `auth.role.list` |
 | `POST /v1/auth/roles/{id}/permissions` | `auth.role.edit` |
 | `DELETE /v1/auth/roles/{id}/permissions/{perm}` | `auth.role.edit` |
 | `GET /v1/auth/keys` | `auth.role.list` |
 | `POST /v1/auth/keys/{id}/roles` | `auth.role.assign` |
 | `DELETE /v1/auth/keys/{id}/roles/{role_id}` (+ optional `?scope_type=` / `?scope_id=`) | `auth.role.assign` |
 | `GET /v1/auth/check` | (authenticated; surfaces effective perms) |
 | `GET /v1/auth/bootstrap` + `POST /v1/auth/bootstrap` | (auth-exempt; gated by env-var token) |
 #### Revoke: legacy "all variants" vs scope-selective (Audit 2026-05-11 A-4)
 `DELETE /v1/auth/keys/{id}/roles/{role_id}` runs in one of two modes,
 selected by presence of the optional query parameters:
 - **No query params (legacy "revoke all variants")** — every scoped grant of
  this role held by this actor is dropped. Idempotent: zero-row deletes
  return 204 (no error). This is the pre-A-4 behaviour and remains the
  default for the CLI / GUI buttons that don't know about scope.
  ```bash
  # Drop EVERY variant of r-operator from alice (global, profile-scoped,
  # issuer-scoped — all gone).
  curl -X DELETE https://certctl.example.com/api/v1/auth/keys/alice/roles/r-operator
  ```
 - **`?scope_type=` (+ optional `?scope_id=`)** — drop ONE variant. Used
  when an actor holds the same role at multiple scopes (HIGH-10 made
  that representable; A-4 makes it selectively revocable).
  `scope_type=global` requires `scope_id` to be absent; `scope_type=profile`
  / `issuer` require `scope_id`. No match returns 404 so operators get
  feedback when they target a scope variant the actor doesn't hold.
  ```bash
  # Alice holds r-operator scoped to p-acme AND p-globex.
  # Drop ONLY the p-acme grant; the p-globex grant stays.
  curl -X DELETE 'https://certctl.example.com/api/v1/auth/keys/alice/roles/r-operator?scope_type=profile&scope_id=p-acme'
  # Drop ONLY the global grant of r-operator (keeps any profile / issuer variants):
  curl -X DELETE 'https://certctl.example.com/api/v1/auth/keys/alice/roles/r-operator?scope_type=global'
  ```
 The audit row's `details` payload records which mode fired —
 `scope: "all_variants"` for the legacy path, or the explicit
 `scope_type` + `scope_id` for selective revoke — so SOC / SIEM can
 distinguish wide cleanups from targeted demotions in the access log.
 ### From the MCP server
 The MCP server ships 12 RBAC tools:
 `certctl_auth_me`, `certctl_auth_list_roles`, `certctl_auth_get_role`,
 `certctl_auth_create_role`, `certctl_auth_update_role`,
 `certctl_auth_delete_role`, `certctl_auth_list_permissions`,
 `certctl_auth_add_permission_to_role`,
 `certctl_auth_remove_permission_from_role`,
 `certctl_auth_list_keys`, `certctl_auth_assign_role_to_key`,
 `certctl_auth_revoke_role_from_key`. Each routes through the same
 HTTP surface above; permission gates fire server-side.
 ## The auditor pattern
 Hand the auditor key to compliance reviewers. They get:
 - `GET /api/v1/audit?category=auth` - every auth/authz mutation
  in the system (role creates, role grants on actors, bootstrap
  consumption, etc.).
 - `GET /api/v1/audit?category=cert_lifecycle` - every cert event.
 - `GET /api/v1/audit?category=config` - every issuer / target /
  settings edit.
 - `GET /api/v1/audit/export` - bulk export.
 They do NOT get cert read, profile read, issuer read, or any
 mutating permission. The categorization is enforced by the database
 CHECK constraint (migration 000032); the WORM trigger from
 migration 000018 keeps the audit table append-only at the DB layer.
 To create an auditor key:
 1. `certctl-cli auth keys assign <key-id> --role r-auditor`
 2. (Optional) Revoke any other roles the key holds with
   `certctl-cli auth keys revoke <key-id> --role r-...`
 3. Confirm via `certctl-cli auth me` while authenticated as the
   auditor key - the response should show only `audit.read` and
   `audit.export` in `effective_permissions`.
 ## Day-0 bootstrap (first-admin path)
 certctl ships a one-shot bootstrap endpoint for fresh
 deployments where no admin actor exists yet.
 1. Set `CERTCTL_BOOTSTRAP_TOKEN=$(openssl rand -hex 32)` in the
   server environment.
 2. Boot the server. Logs include
   "bootstrap endpoint enabled - POST /api/v1/auth/bootstrap to
   mint the first admin key (one-shot)" when the path is callable.
 3. Run a single curl:
   ```bash
   curl -X POST $URL/api/v1/auth/bootstrap \
     -H 'Content-Type: application/json' \
     -d '{"token":"<the-token>","actor_name":"first-admin"}'
   ```
 4. Capture the `key_value` from the response. **It is shown ONCE.**
   The server never logs it.
 5. Use the new key to authenticate against the rest of the API.
   The bootstrap path is now closed: subsequent calls return HTTP
   410 Gone, even with the same valid token, because an admin
   actor exists.
 The token is constant-time-compared. The server logs a startup
 warning if `CERTCTL_BOOTSTRAP_TOKEN` is set AND admin actors
 already exist (config-drift signal). For the OIDC-first-admin
 path (the "first user who signs in via SSO becomes admin"
 pattern), see
 [`docs/migration/oidc-enable.md`](../migration/oidc-enable.md).
 ## Demo mode (`CERTCTL_AUTH_TYPE=none`)
 When auth is disabled, the server injects a synthetic actor
 `actor-demo-anon` into every request context. That actor holds
 `r-admin` at global scope (seeded by migration 000029), so every
 gated route resolves with a populated actor and admin grants. The
 synthetic actor is reserved: the API rejects any mutation that
 targets it (HTTP 409 with `ErrAuthReservedActor`).
 Production deployments MUST NOT use demo mode - there is no
 per-request actor identity for the audit trail, and every request
 flows as admin. Use it for the `docker compose up` demo + the five
 example folders only.
 ## Where to look next
 - [Threat model](auth-threat-model.md) - what attacks this primitive
  defends against and which it does not
 - [Migration guide](../migration/api-keys-to-rbac.md) - moving
  pre-RBAC (v2.0.x) deployments onto RBAC
 - [Profiles](../reference/profiles.md) - the `RequiresApproval=true`
  flow with the flip-flop-bypass closure
 - [Approval workflow](approval-workflow.md) - the two-person
  integrity primitive backing `RequiresApproval`
 - `internal/auth/` - the middleware + keystore + RequirePermission
 - `internal/service/auth/` - the service-layer Authorizer
 - `cowork/auth-bundle-1-prompt.md` - the design + phase plan
 - `cowork/auth-bundles-index.md` - the per-phase status tracker
@@ -2,12 +2,11 @@
 > Last reviewed: 2026-05-05
-> **Status (this document):** Production hardening II Phase 10
+> **Status (this document):** Operator runbook codifying the
-> deliverable. Codifies the fail-safe behaviors that already exist in
+> fail-safe behaviors that already exist in the codebase and the
-> the codebase and the operator procedures for recovering from
+> procedures for recovering from common failure modes. Nothing in
-> common failure modes. Nothing in this runbook requires new code —
+> this runbook requires new code — if a procedure here doesn't work
-> if a procedure here doesn't work as documented, that's a bug in
+> as documented, that's a bug in docs (file an issue).
 > docs (file an issue).
 This runbook is the on-call deliverable: it tells reviewers and
 on-call operators what to do when a piece of certctl's state
@@ -1,6 +1,6 @@
 # certctl Security Posture & Operator Guidance
-> Last reviewed: 2026-05-05
+> Last reviewed: 2026-05-11
 This document collects the operator-facing security guidance that the source
 code's per-finding comment blocks reference. Each section names the audit
@@ -9,16 +9,15 @@ any).
 ## OCSP responder availability
-**Audit reference:** Bundle C / M-020. CWE-770 (uncontrolled resource
+**Audit reference:** CWE-770 (uncontrolled resource consumption); RFC
-consumption); RFC 6960 (OCSP); RFC 7633 (Must-Staple).
+6960 (OCSP); RFC 7633 (Must-Staple).
 certctl ships an OCSP responder at `/.well-known/pki/ocsp/{issuer_id}/{serial}`
-that signs a fresh response per request. Pre-Bundle-C the unauth handler
+that signs a fresh response per request. The unauth handler chain
-chain had no rate limit, so an attacker could DoS the responder and force
+applies the same per-key rate limiter the authenticated chain uses;
-fail-open relying parties to accept revoked certificates as valid. Bundle C
+per-IP keying applies because OCSP traffic is unauthenticated. Without
-adds the same per-key rate limiter to the unauth chain that the authenticated
+this defense an attacker could DoS the responder and force fail-open
-chain has used since Bundle B. Per-IP keying applies because OCSP traffic is
+relying parties to accept revoked certificates as valid.
 unauthenticated.
 The rate limiter alone does not solve the underlying revocation-bypass risk.
 **The architectural fix is for issued certificates to carry the OCSP
@@ -59,35 +58,278 @@ For certificates issued to systems where revocation correctness matters:
 ## Postgres transport encryption
-See [docs/database-tls.md](database-tls.md). Bundle B / M-018.
+See [docs/database-tls.md](database-tls.md).
 ## Encryption at rest
-Bundle B / M-001. PBKDF2-SHA256 at 600,000 rounds (OWASP 2024 Password
+PBKDF2-SHA256 at 600,000 rounds (OWASP 2024 Password
 Storage Cheat Sheet floor) for the operator-supplied passphrase that
 derives the AES-256-GCM key for sensitive config columns. v3 blob format
 with a per-ciphertext random salt; v1/v2 read fallback for legacy rows.
-See [internal/crypto/encryption.go](../internal/crypto/encryption.go) and
+See [internal/crypto/encryption.go](../../internal/crypto/encryption.go) and
 the accompanying tests for the format spec.
 ## Authentication surface
-Bundle B / M-002. Two layers decide auth-exempt status:
+Two layers decide auth-exempt status:
 1. **Router layer:** `internal/api/router/router.go::AuthExemptRouterRoutes`
-   — the 4 endpoints registered via direct `r.mux.Handle` without going
+ - the endpoints registered via direct `r.mux.Handle` without going
   through the middleware chain (`/health`, `/ready`, `/api/v1/auth/info`,
-   `/api/v1/version`).
+   `/api/v1/version`, plus `/api/v1/auth/bootstrap` GET + POST for the
   first-admin path).
 2. **Dispatch layer:** `internal/api/router/router.go::AuthExemptDispatchPrefixes`
-   — URL-prefix routing in `cmd/server/main.go::buildFinalHandler` for
+ - URL-prefix routing in `cmd/server/main.go::buildFinalHandler` for
-   `/.well-known/pki/*`, `/.well-known/est/*`, and `/scep[/...]*`.
+   `/.well-known/pki/*`, `/.well-known/est/*`, `/.well-known/est-mtls`,
   and `/scep[/...]*` (incl. `/scep-mtls`).
 Both lists have AST-walking regression tests (`auth_exempt_test.go`) that
-fail CI if a new bypass lands without an updating the documented constant.
+fail CI if a new bypass lands without updating the documented constant.
 ### Role-based authorization
 Role-based authorization runs on top of API-key authentication. Every
 gated handler routes through the `auth.RequirePermission` middleware
 (or its router-level wrap `rbacGate`); the middleware resolves the
 actor's effective permissions via the service-layer
 `Authorizer.CheckPermission` and returns HTTP 403 BEFORE the handler
 body runs on miss. The seven default roles (`admin` / `operator` /
 `viewer` / `agent` / `mcp` / `cli` / `auditor`), 33-permission
 canonical catalogue, and the auditor split (`r-auditor` holds only
 `audit.read` + `audit.export`) are seeded by migration 000029.
 For the operator how-to, see [`rbac.md`](rbac.md). For the
 threat model + compliance mapping, see
 [`auth-threat-model.md`](auth-threat-model.md). For the upgrade
 flow from an API-key-only deployment, see
 [`docs/migration/api-keys-to-rbac.md`](../migration/api-keys-to-rbac.md).
 ### Day-0 admin bootstrap
 Fresh deployments where no admin actor exists yet can mint the
 first admin via `POST /api/v1/auth/bootstrap` - set
 `CERTCTL_BOOTSTRAP_TOKEN`, POST a single curl with the token, and
 the server returns the plaintext key value once. The token is
 constant-time-compared; the strategy is one-shot via mutex; the
 admin-existence probe re-closes the path once an admin lands.
 The token is NEVER logged. The minted plaintext key flows only
 into the HTTP response body. See
 [`rbac.md`](rbac.md#day-0-bootstrap-first-admin-path) for the
 full flow.
 ### Approval-bypass closure
 `CertificateProfile.RequiresApproval=true` profiles route both
 issuance/renewal AND profile edits through the
 `ApprovalService` two-person integrity gate. The flip-flop loophole
 (an admin disabling approval, mutating, re-enabling) is closed by
 gating profile-edit through the same approval flow. Same-actor
 self-approve is rejected at the service layer with
 `ErrApproveBySameActor`. See
 [`docs/reference/profiles.md`](../reference/profiles.md) for the
 full gate semantics.
 ### OIDC federation
 OIDC SSO runs on top of the API-key + RBAC foundation. Operators
 configure one or more identity providers (Keycloak, Authentik, Okta,
 Auth0, Entra ID, or Google Workspace via Keycloak broker); end users
 sign in at the IdP, certctl validates the returned ID token, and a
 session cookie is minted.
 The token-validation pipeline pins:
 - Algorithm allow-list: RS256 / RS512 / ES256 / ES384 / EdDSA only.
  HS256 / HS384 / HS512 / `none` are rejected at the service-layer
  sentinel level.
 - IdP-downgrade-attack defense at provider creation AND every
  RefreshKeys: the IdP's advertised
  `id_token_signing_alg_values_supported` is intersected with the
  allow-list; a provider that advertises HS-family is rejected
  before any token is signed under the weak alg.
 - Exact `iss` match (`ErrIssuerMismatch`).
 - `aud` membership + `azp` for multi-aud tokens (per OIDC core
  §3.1.3.7 step 5).
 - `at_hash` REQUIRED-when-access_token-present (a tightening of the
  spec MAY → MUST so a substituted access token cannot ride alongside
  a clean ID token).
 - Single-use state + nonce (32-byte random server-generated;
  atomic `DELETE...RETURNING` on consume).
 - PKCE-S256 mandatory; `plain` rejected.
 - Configurable `iat` window (default 300s, capped 600s).
 - JWKS cache with operator-triggered RefreshKeys + auto-refresh on
  TTL expiry (default 3600s); JWKS-fetch failure during a key
  rotation returns 503 to the in-flight login (existing sessions
  untouched).
 OIDC `client_secret` is encrypted at rest via AES-256-GCM (v3 blob
 format: magic 0x03 + salt(16) + nonce(12) + ciphertext+tag) using
 the `CERTCTL_CONFIG_ENCRYPTION_KEY` passphrase. The encryption
 invariant is pinned by an integration test
 (`internal/repository/postgres/oidc_encryption_invariant_test.go`)
 that asserts ciphertext != plaintext + correct blob shape +
 round-trip recovery + wrong-passphrase fails.
 Per-IdP setup guides at
 [`oidc-runbooks/index.md`](oidc-runbooks/index.md) cover Keycloak,
 Authentik, Okta, Auth0, Entra ID, and Google Workspace.
 ### Sessions + back-channel logout
 Successful OIDC login mints a session cookie:
 `v1.<session_id>.<signing_key_id>.<base64url-no-pad(HMAC-SHA256)>`.
 The HMAC input is **length-prefixed** as `len:sid:len:kid` to defeat
 concatenation-collision attacks on bare-concat designs. Cookie
 attributes:
 - `HttpOnly=true` (no JS access; defends XSS cookie theft).
 - `Secure=true` (HTTPS-only; defends network MITM).
 - `SameSite=Lax` default (configurable to Strict via
  `CERTCTL_SESSION_SAMESITE`).
 - `Path=/`, host-only.
 Idle timeout default 1h; absolute timeout default 8h; both
 configurable via `CERTCTL_SESSION_IDLE_TIMEOUT` and
 `CERTCTL_SESSION_ABSOLUTE_TIMEOUT`. The scheduler's
 `sessionGCLoop` (default 1h interval) sweeps expired rows.
 CSRF defense: plaintext CSRF token in the JS-readable
 `certctl_csrf` cookie (intentionally `HttpOnly=false` for the GUI
 to echo into the `X-CSRF-Token` header); SHA-256 hash on the
 session row; `subtle.ConstantTimeCompare` in `CSRFMiddleware`.
 API-key actors are CSRF-exempt (no session row in context).
 Session signing keys rotate via `RotateSigningKey`; the old key
 stays valid for `CERTCTL_SESSION_SIGNING_KEY_RETENTION` (default
 24h) so existing cookies validate during rollover. Past retention,
 the old key's row is dropped and any cookie still signed under it
 returns `ErrSigningKeyNotFound`. `EnsureInitialSigningKey` is
 fail-fatal at server boot.
 Back-channel logout per **OpenID Connect Back-Channel Logout 1.0**
 (NOT RFC 8414): `POST /auth/oidc/back-channel-logout` accepts a
 JWT-signed logout token from the IdP, validates the JWT against
 the IdP's JWKS (same alg allow-list as login), pins required
 claims (`iss` / `aud` / `iat` / `jti` / `events`; exactly one of
 `sub` / `sid`; `nonce` MUST be absent), defeats replay via
 `jti`-based deduplication, and revokes matching sessions.
 For threat-model coverage of these surfaces, see
 [`auth-threat-model.md`](auth-threat-model.md). For the
 operator-runnable performance baselines, see
 [`auth-benchmarks.md`](auth-benchmarks.md).
 ### OIDC first-admin bootstrap
 Coexists with the env-var-token bootstrap path. When the
 operator sets `CERTCTL_BOOTSTRAP_ADMIN_GROUPS` + (optionally)
 `CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID`, the first user with one of
 those IdP groups becomes admin on first login per tenant.
 Subsequent users go through normal mapping. The admin-existence
 probe ensures only one wins between the two bootstrap paths;
 once any actor holds `r-admin`, the OIDC bootstrap hook silently
 falls through to normal mapping. Audit row on every grant
 (`bootstrap.oidc_first_admin`, `event_category=auth`).
 ### Break-glass admin
 Default-OFF (`CERTCTL_BREAKGLASS_ENABLED=false`). When enabled,
 the local-password admin path bypasses OIDC + group-claim layers;
 intended ONLY for SSO-broken incidents.
 - Argon2id with OWASP 2024 params (m=64 MiB, t=3, p=4, 16-byte
  salt, 32-byte output, per-password random salt, PHC-format
  hash). Hash column is `json:"-"` so handlers cannot wire-leak.
 - Lockout state machine: 5 failures (default; configurable via
  `CERTCTL_BREAKGLASS_LOCKOUT_THRESHOLD`) within 1h reset window
  (`_LOCKOUT_RESET_INTERVAL`) trips a 30s lockout (`_LOCKOUT_DURATION`).
  Atomic single-statement IncrementFailure defeats concurrent
  racing attempts.
 - Constant-time across all failure paths via `verifyDummy()` —
  wrong-password / locked-account / no-actor all take statistically
  indistinguishable time.
 - Surface invisibility: when disabled, ALL four endpoints return
  HTTP 404 (NOT 403). Scanners cannot distinguish "endpoint
  disabled" from "endpoint doesn't exist".
 - WARN log at server boot when `ENABLED=true`; audit row on every
  break-glass login (`auth.breakglass_login_*`,
  `event_category=auth`); WebAuthn/FIDO2 second factor pairing
  on the v3 roadmap (Decision 12).
 Operator should DISABLE break-glass within 24h of SSO recovery
 to avoid a permanent backdoor; the runbook at
 [`auth-threat-model.md#break-glass-risks-phase-75`](auth-threat-model.md)
 documents the full state machine.
 ### Demo-to-production cutover (Audit 2026-05-11 A-8)
 Migration `000029_rbac.up.sql` unconditionally seeds an
 `actor-demo-anon → r-admin` row into `actor_roles`. This row is the
 runtime principal injected by the demo-mode middleware when
 `CERTCTL_AUTH_TYPE=none`. Under any non-`none` auth type the row is
 DORMANT — the middleware chain never resolves to it. But its existence
 is a footgun: a future regression that resolves an unauthenticated
 request to `actor-demo-anon` (a misrouted CORS preflight, a fallback in
 a new auth-exempt route) would silently re-elevate to admin.
 certctl-server detects this residue at startup and emits a WARN log +
 an `auth.demo_residual_grants_detected` audit row listing every grant
 present on `actor-demo-anon`. **Every production deploy will see this
 WARN on first boot** — the migration baseline is part of the install,
 not a side effect of running demo mode.
 Operator workflow at production cutover:
 1. Drain the WARN by calling the cleanup endpoint with an admin API key:
   ```bash
   curl -X POST --cacert deploy/test/certs/ca.crt \
        -H "Authorization: Bearer $ADMIN_KEY" \
        https://certctl.example.com:8443/api/v1/auth/demo-residual/cleanup
   # → {"removed": 1}
   ```
   The endpoint is gated `auth.role.assign` (admin-class) and refuses
   to run when `CERTCTL_AUTH_TYPE=none` (HTTP 503 — the residue IS the
   active runtime state at that auth type). The cleanup is idempotent;
   a second call returns `{"removed": 0}` and still leaves an audit row.
   Equivalent SQL for operators preferring direct DB access:
   ```sql
   DELETE FROM actor_roles WHERE actor_id = 'actor-demo-anon';
   ```
 2. To make subsequent boots refuse startup if the row reappears (the
   most paranoid stance), set:
   ```
   CERTCTL_DEMO_MODE_RESIDUAL_STRICT=true
   ```
   With the flag set, any `actor-demo-anon` row under a non-`none`
   auth type causes certctl-server to log the WARN AND exit non-zero
   before binding the HTTPS listener. Default is `false` (WARN only).
 3. The CI guard `scripts/ci-guards/no-new-synthetic-admin.sh` pins the
   set of source files that may reference the `actor-demo-anon` literal.
   New runtime code paths that resolve to the synthetic actor are
   rejected at PR time so the credibility gap stays closed.
 ### Migrating an existing deployment to OIDC
 An existing API-key-only deployment that wants to add OIDC follows
 the step-by-step at
 [`docs/migration/oidc-enable.md`](../migration/oidc-enable.md):
 configure CERTCTL_CONFIG_ENCRYPTION_KEY, pick + configure an IdP
 per the relevant runbook, configure the certctl-side OIDCProvider
 + group→role mappings, verify the login flow against a single
 test user, then announce the SSO endpoint to the rest of the
 organization.
 ## Per-user rate limiting
-Bundle B / M-025. Authenticated callers are bucketed by API-key name;
+Authenticated callers are bucketed by API-key name;
 unauthenticated callers (probes, OCSP relying parties, EST/SCEP enrollees)
 are bucketed by source IP. `RPS` and `BurstSize` are per-key budgets.
 `PerUserRPS` / `PerUserBurstSize` give authenticated clients a separate
@@ -95,18 +337,14 @@ budget when set non-zero.
 ## API key rotation
-**Audit reference:** L-004. CWE-924 (improper enforcement of message integrity during transmission in a communication channel) — operator UX variant.
+**Audit reference:** L-004. CWE-924 (improper enforcement of message integrity during transmission in a communication channel) - operator UX variant.
 certctl's API keys are configured via the `CERTCTL_API_KEYS_NAMED` env var
 (format `name1:key1,name2:key2:admin`) and parsed at startup into an
 in-memory list. There is no DB-resident key store, no GUI, no `/api/v1/keys`
-endpoint — the env var IS the key inventory.
+endpoint - the env var IS the key inventory.
-Pre-Bundle-G the env var rejected duplicate names, so rotating a key
+The env var supports a **double-key rotation window**: two entries can share a
 required: stop accepting OLDKEY → restart → roll NEWKEY out. Any client
 polling against OLDKEY during the restart window hit a 401.
 Bundle G adds a **double-key rotation window**: two entries can share a
 name during the rollover, and both keys validate. Operators run the
 rotation as:
@@ -118,7 +356,7 @@ rotation as:
   ```
   CERTCTL_API_KEYS_NAMED="alice:OLDKEY:admin,alice:NEWKEY:admin"
   ```
-   Both entries MUST carry the same admin flag — startup fails loud if
+   Both entries MUST carry the same admin flag - startup fails loud if
   they don't (a non-admin shouldn't share an identity with an admin).
 3. **Restart certctl.** A startup INFO log confirms the rotation window
@@ -139,7 +377,7 @@ rotation as:
 6. **Restart certctl.** OLDKEY now fails with 401. Rotation complete.
-The rotation window has no operator-set timeout — it lasts for as long
+The rotation window has no operator-set timeout - it lasts for as long
 as both entries are in the env var. Best practice is a 24-72h window
 covering a full deploy cadence; if a client hasn't rolled to NEWKEY by
 the end of step 4, extend the window before step 5.
@@ -151,8 +389,8 @@ the end of step 4, extend the window before step 5.
 - Two entries with the same `name` but mismatched admin: **rejected at
  startup** (privilege escalation guard).
 - Two entries with the same `(name, key)` pair: **rejected at startup**
-  (typo guard — rotation requires DIFFERENT keys under the same name).
+  (typo guard - rotation requires DIFFERENT keys under the same name).
- Single-entry steady state: unchanged from pre-Bundle-G behavior.
+- Single-entry steady state: the simple legacy behaviour.
 ### What the contract does NOT do
@@ -0,0 +1,83 @@
 # Authentication standards implemented
 > Last reviewed: 2026-05-10
 This document is an honest informational reference for operators, external testers, and acquirers who want to know which RFCs and standards certctl's authentication surface (API keys + RBAC + OIDC + sessions + back-channel logout + break-glass admin) implements, and which CWE weakness classes the implementation closes. Every row points at a real file or migration in this repository.
 This document is intentionally NOT a compliance-mapping doc. The operator retired the framework-mapping subtree (`docs/compliance/{index,soc2,pci-dss,nist-sp-800-57}.md`) on 2026-05-05; framework-name-drops (SOC 2 / PCI-DSS / HIPAA / NIST SSDF / FedRAMP) are also swept from prose mentions across `README.md` and `docs/` per that decision. RFC and CWE references stay because they are precise technical pointers; framework labels were marketing-flavored and prone to overclaim. If you are an auditor mapping certctl's controls to a framework, treat the rows below as evidence and do the framework mapping yourself against the framework you are auditing against.
 For the wider security posture, see [`security.md`](../operator/security.md). For the threat model behind these controls, see [`auth-threat-model.md`](../operator/auth-threat-model.md). For the per-IdP setup guides, see [`oidc-runbooks/index.md`](../operator/oidc-runbooks/index.md).
 ## Table 1: RFCs and standards implemented end-to-end
 Each row carries at least one negative test (a test that asserts the fail-closed branch fires when a malformed input violates the spec).
 | Standard | What we implement | Source | Negative-test anchor |
 |---|---|---|---|
 | RFC 6749 (OAuth 2.0) | Authorization-code grant via OIDC; confidential-client credentials only | `internal/auth/oidc/service.go` (HandleAuthRequest, HandleCallback) | `internal/auth/oidc/service_test.go` (21+ negatives covering wrong aud / wrong iss / expired / etc.) |
 | RFC 7636 (PKCE) | S256 challenge mandatory; `plain` rejected at the service-layer sentinel; verifier persisted in pre-login row, single-use | `internal/auth/oidc/service.go` (oauth2.S256ChallengeOption hard-coded), `internal/auth/oidc/prelogin.go` | `TestService_PKCEPlainRejectedSentinel`, `TestService_StateReplayDeniedByConsumeOnce` |
 | RFC 7519 (JWT) | ID-token validation via go-oidc; service-layer alg allow-list (RS256/RS512/ES256/ES384/EdDSA); HS-family + `none` rejected | `internal/auth/oidc/service.go` (disallowedAlgs map, isDisallowedAlg) | `TestService_HandleCallback_RejectsHSAlgsConfusion`, `TestService_IdPDowngradeDefense_RejectsHSAdvertised` |
 | RFC 7517 (JWK) | JWKS fetch + cache + rotation handled transparently by coreos/go-oidc; operator-triggered RefreshKeys + auto-refresh on TTL expiry | `internal/auth/oidc/service.go` (RefreshKeys; cfg.JWKSCacheTTLSeconds default 3600) | `TestService_RefreshKeys_CatchesPostLoadDowngrade`, `TestKeycloakIntegration_JWKSRotation_RefreshKeysPicksUpNewKey` (Keycloak integration) |
 | OIDC Core 1.0 §3.1.3.7 | `iss` exact match, `aud` membership, `azp` for multi-aud, `at_hash` REQUIRED-when-access_token-present (certctl tightens the spec MAY → MUST), `nonce` constant-time-compare | `internal/auth/oidc/service.go` (HandleCallback steps 5-9) | `TestService_HandleCallback_RejectsWrongAudience`, `TestService_HandleCallback_AZPRequiredOnMultiAud`, `TestService_HandleCallback_ATHashRequiredWhenAccessTokenPresent`, `TestService_HandleCallback_RejectsNonceMismatch` |
 | OIDC Core 1.0 §5.3.2 (UserInfo endpoint) | Optional fallback when ID-token groups claim is empty; bounded by configured FetchUserinfo bool | `internal/auth/oidc/service.go` (fetchUserinfoGroups) | 4-case userinfo-fallback matrix in `service_test.go` (happy + endpoint-missing + endpoint-failing + userinfo-also-empty) |
 | OpenID Connect Back-Channel Logout 1.0 | `events` claim + `sid`/`sub` revocation; `nonce` MUST be absent; `jti`-based replay defense | `internal/api/handler/auth_session_oidc.go` (BackChannelLogout, DefaultBCLVerifier) | 6 negatives in `auth_session_oidc_test.go`: BCL missing events, BCL nonce-present, BCL unknown-key-sig, etc. |
 | RFC 6265 (HTTP State Management) | Session cookie attributes: `Secure` + `HttpOnly` + `SameSite=Lax` (default; configurable to Strict via `CERTCTL_SESSION_SAMESITE`); `Path=/`; host-only | `internal/auth/session/service.go` (cookie minting), `internal/api/handler/auth_session_oidc.go` (Set-Cookie wiring) | 7-case middleware-chain test matrix in `internal/auth/session/middleware_test.go` |
 | RFC 9700 (OAuth 2.0 Security Best Current Practice) | PKCE mandatory; no implicit flow; strict redirect_uri (registered + exact-match per OIDCProvider.RedirectURI); state non-guessable (32-byte random); single-use | `internal/auth/oidc/service.go`; `OIDCProvider.Validate()` enforces redirect_uri shape | `TestOIDCProvider_Validate_RejectsHTTPRedirectInProd`, state-replay test |
 | RFC 8414 (OAuth 2.0 Authorization Server Metadata) | Discovery doc fetched via go-oidc at provider creation + RefreshKeys; `id_token_signing_alg_values_supported` consulted for IdP-downgrade-attack defense | `internal/auth/oidc/service.go` (getOrLoad, guardAdvertisedAlgs) | `TestService_IdPDowngradeDefense_RejectsHSAdvertised` and `RejectsNoneAdvertised` |
 | RFC 7633 (X.509 TLS Feature Extension; Must-Staple) | Per-profile certctl issuance flag; out-of-scope for the auth surface but cited here because RFC 7633 OID `id-pe-tlsfeature` is in the same crypto-stack umbrella | `internal/connector/issuer/local/local.go` | SCEP master-bundle must-staple tests; not auth-surface territory |
 | RFC 8555 §7 (ACME directory metadata) | certctl-side ACME server tier; out-of-scope for the auth surface but cited because it shares the alg-pinning + nonce-handling discipline the auth surface carries forward | `internal/api/handler/acme/*` | per-route handler tests in `internal/api/handler/acme/` |
 | RFC 7515 (JWS) | JWS verification delegated to go-oidc/v3 + go-jose/v4; alg pin enforced at `gooidc.NewIDTokenVerifier` config + service-layer re-check | `internal/auth/oidc/service.go` (oauthConfig + verifier wiring) | `TestService_HandleCallback_RejectsExpired` and `TestService_HandleCallback_RejectsIATInFuture` |
 ## Table 2: CWE / weakness classes the implementation closes
 Each row points at the file(s) that implement the defense and the test file(s) that pin the invariant.
 | CWE | Description | Where defended | Where pinned |
 |---|---|---|---|
 | CWE-287 (Improper Authentication) | Session-cookie HMAC verification (length-prefixed input defeats concat-collision) + alg-pinned ID-token verify | `internal/auth/session/service.go` (computeHMAC, parseCookie, Validate); `internal/auth/oidc/service.go` (HandleCallback) | `TestComputeHMAC_LengthPrefixDefeatsConcatCollision`; `TestService_Validate_ConcatenationCollisionDefeatedByLengthPrefix`; full 21+ OIDC negatives matrix |
 | CWE-352 (Cross-Site Request Forgery) | Double-submit cookie + `SameSite=Lax`/`Strict` + hashed CSRF token on session row; constant-time compare in CSRFMiddleware | `internal/auth/session/middleware.go` (CSRFMiddleware) | 7-case middleware-chain matrix (`internal/auth/session/middleware_test.go`); `TestSessionMiddleware_CSRFRequiredOnStateChangingMethods` |
 | CWE-384 (Session Fixation) | Session ID is opaque random `ses-<base64url>` (32 bytes entropy) generated server-side at login; cookie value rotates on every login (no inheritance from pre-login); CSRF token rotates alongside | `internal/auth/session/service.go` (Create, RotateCSRFToken) | `TestService_Create_AssignsFreshSessionID`; CSRF rotation pinned via `TestService_RotateCSRFToken_AfterLogin` |
 | CWE-294 (Authentication Bypass by Capture-Replay) | Single-use state, single-use nonce (both stored in pre-login row, atomic `DELETE...RETURNING` on consume); single-use authorization code (Keycloak/IdP-side); `jti`-based BCL replay defense | `internal/auth/oidc/prelogin.go` (LookupAndConsume); `internal/api/handler/auth_session_oidc.go` (BCL handler) | `TestService_StateReplayDeniedByConsumeOnce`; `TestService_HandleCallback_RejectsForgedPreLoginCookie`; BCL replay negative in handler tests |
 | CWE-916 / CWE-329 (Use of Password Hash With Insufficient Computational Effort / Use of a Key Past its Expiration Date) | Argon2id with OWASP 2024 params (m=64 MiB, t=3, p=4, 16-byte salt, 32-byte output) for break-glass passwords; per-credential random salt; PHC-format hash | `internal/auth/breakglass/service.go` (HashPassword, VerifyPassword); v3 ciphertext blob format with PBKDF2-SHA256 600,000 rounds for config-at-rest encryption | `TestPhase7_5_HashPasswordOWASP2024Params`; `TestPhase7_5_HashFormatPHC`; `internal/crypto/encryption_test.go` for v3 PBKDF2 floor |
 | CWE-307 (Improper Restriction of Excessive Authentication Attempts) | Failure count + lockout window on break-glass credential; threshold default 5, reset window default 1h, lockout duration default 30s; atomic single-statement IncrementFailure defeats concurrent racing attempts | `internal/auth/breakglass/service.go` (Login, IncrementFailure); `internal/repository/postgres/breakglass.go` | `TestPhase7_5_LockoutAfterThresholdFailures`; `TestPhase7_5_FailureCountResetsAfterWindow` |
 | CWE-345 (Insufficient Verification of Data Authenticity) | OIDC `at_hash` REQUIRED-when-access_token-present ties access token to ID token (certctl tightens OIDC core MAY → MUST); OIDC `iss` + `aud` + `azp` checks ensure token came from the configured IdP for the configured client | `internal/auth/oidc/service.go` (HandleCallback steps 5-9, atHashMatches) | `TestService_HandleCallback_ATHashRequiredWhenAccessTokenPresent`; `TestService_HandleCallback_RejectsATHashMismatch` |
 | CWE-200 (Information Exposure) | Token-leak hygiene tests on every secret-bearing path: ID tokens, access tokens, refresh tokens, authorization codes, PKCE verifiers, state, nonce, signing keys, break-glass passwords NEVER appear in any log line at any level | `internal/auth/oidc/service.go`, `internal/auth/session/service.go`, `internal/auth/breakglass/service.go` (all log calls audited); `internal/service/audit_redact.go` (audit redactor) | `internal/auth/oidc/logging_test.go` (4 grep-asserts); `internal/auth/breakglass/service_test.go` (token-leak hygiene + json.Marshal probe); `internal/auth/bootstrap/service_test.go` (canonical pattern) |
 | CWE-770 (Allocation of Resources Without Limits or Throttling) | Per-IP rate limit on `/auth/breakglass/login` via the global middleware.NewRateLimiter (default RPS / burst from `CERTCTL_RATE_LIMIT_*` env vars) wrapped around the entire mux; the breakglass login endpoint inherits this protection. Per-route override available via `middleware.NewRateLimiter` per-bucket configuration if the operator wants stricter caps | `cmd/server/main.go` (rateLimiter wiring at the root middleware stack); `internal/api/middleware/middleware.go` (NewRateLimiter) | `internal/api/middleware/ratelimit_test.go`; `internal/api/middleware/ratelimit_keyed_test.go` |
 | CWE-330 (Use of Insufficiently Random Values) | `crypto/rand` for state, nonce, PKCE verifier (via `oauth2.GenerateVerifier`), session signing keys (32 random bytes), session IDs (`ses-<base64url-no-pad>` from 32 random bytes), pre-login IDs (`pl-<base64url-no-pad>` from 16 random bytes), CSRF tokens (32 random bytes), break-glass salts (16 random bytes via `crypto/rand`) | `internal/auth/oidc/service.go` (randomB64URL); `internal/auth/session/service.go` (newOpaqueID, newCSRFToken); `internal/auth/oidc/prelogin.go` (newID); `internal/auth/breakglass/service.go` (HashPassword salt) | `TestPreLoginAdapter_CreatePreLogin_RNGFailure` (entropy-source error path); RNG failure pinned for every callsite |
 | CWE-311 (Missing Encryption of Sensitive Data) | OIDC `client_secret` AES-256-GCM encrypted at rest (v3 blob format: magic 0x03 + salt(16) + nonce(12) + ciphertext+tag); session signing keys same scheme; empty `CERTCTL_CONFIG_ENCRYPTION_KEY` returns `ErrEncryptionKeyRequired` (fail-closed) | `internal/crypto/encryption.go` (EncryptIfKeySet, DecryptIfKeySet); `internal/api/handler/auth_session_oidc.go` (encryptClientSecret); `internal/auth/session/service.go` (KeyMaterialEncrypted) | `internal/repository/postgres/oidc_encryption_invariant_test.go` (invariant test: ciphertext != plaintext, v2/v3 blob shape, round-trip + wrong-passphrase fails) |
 | CWE-326 (Inadequate Encryption Strength) | TLS 1.3 only on the certctl control plane (post-v2.2 milestone); HSTS-equivalent posture via HTTPS-only listener; AES-256-GCM for at-rest config encryption; PBKDF2-SHA256 600,000 rounds for v3 blob key derivation (OWASP 2024 floor) | `cmd/server/main.go` (TLS 1.3 listener config); `internal/crypto/encryption.go` (v3 PBKDF2 iteration count) | `TestServerTLSConfig_RejectsTLS12`; `TestEncryption_V3IterationCount_PinnedAtOWASP2024Floor` |
 | CWE-1004 (Sensitive Cookie Without HttpOnly) | Session cookie set with `HttpOnly=true`; CSRF cookie intentionally `HttpOnly=false` so the GUI can read it for the `X-CSRF-Token` header (the read is by-design per the double-submit-cookie pattern) | `internal/auth/session/service.go` (cookie attrs); `internal/api/handler/auth_session_oidc.go` (Set-Cookie wiring) | Cookie-attribute pinning in handler tests; documented in [auth-threat-model.md](../operator/auth-threat-model.md) "Session minting + cookies" subsection |
 | CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) | Session + CSRF cookies set with `Secure=true`; rejected at cookie-write time on `http://` listeners (HTTPS-only control plane post-v2.2) | `internal/auth/session/service.go`; `cmd/server/main.go` HTTPS-only listener | TLS-listener tests in `cmd/server/`; cookie attrs pinned in handler tests |
 | CWE-1275 (Sensitive Cookie with Improper SameSite Attribute) | Session cookie `SameSite=Lax` default (configurable to Strict via `CERTCTL_SESSION_SAMESITE`); CSRF defense via the double-submit pattern means `Lax` is sufficient even if the operator does not flip to Strict | `internal/auth/session/service.go` (cookie attrs); `internal/config/config.go` (SAMESITE env var) | Cookie-attribute pinning; SameSite enforcement is per-cookie | 
 ## API-key + RBAC standards covered separately
 The above tables focus on the OIDC + sessions + back-channel logout + break-glass surface. The RBAC primitive carries its own implementation pointers; the [`auth-threat-model.md`](../operator/auth-threat-model.md) section "API-key + RBAC defenses" enumerates the full RBAC + bootstrap + auditor + approval-workflow surface. CWE-pointers that apply to the RBAC surface:
 - CWE-285 (Improper Authorization) — defended by the RequirePermission middleware + Authorizer.CheckPermission service-layer call. Pinned by 90+ tests across `internal/auth/` and `internal/service/auth/`.
 - CWE-862 (Missing Authorization) — pinned by `phase12_protocol_allowlist_test.go` (asserts protocol endpoints are explicitly allowlisted, NOT silently bypassing the gate).
 - CWE-863 (Incorrect Authorization) — pinned by the auditor-split invariant in `internal/domain/auth/auditor_test.go` (auditor role holds exactly `audit.read` + `audit.export` ONLY).
 - CWE-732 (Incorrect Permission Assignment for Critical Resource) — five admin-only fine-grained perms (`cert.bulk_revoke`, `crl.admin`, `scep.admin`, `est.admin`, `ca.hierarchy.manage`) seeded into `r-admin` only; pinned by migration 000030 + `r-admin`-only seed test.
 ## What this document is NOT
 To preserve the operator's 2026-05-05 retired-compliance-docs decision:
 - This is NOT a SOC 2 / PCI-DSS / HIPAA / NIST SP 800-53 / NIST SSDF / FedRAMP framework-mapping doc.
 - This is NOT a marketing claim that certctl "satisfies CC6.1" or "complies with §164.312(a)(2)(iii)" or any similar framework label.
 - This IS an evidence list. An auditor doing framework mapping for their own compliance purposes can use this list as the source-of-truth pointer, then map each row to the framework control they are auditing against under their own judgment.
 If you are an external tester, an operator's auditor, or an acquirer doing technical diligence, this document gives you concrete file paths to read and concrete tests to run. If you want a framework-mapping document, build it yourself against the rows here using the framework-mapping methodology your audit firm prescribes; this project does not own that mapping.
 ## Cross-references
 - [`auth-threat-model.md`](../operator/auth-threat-model.md) — threat model behind these defenses.
 - [`security.md`](../operator/security.md) — overall security posture.
 - [`oidc-runbooks/index.md`](../operator/oidc-runbooks/index.md) — per-IdP operator setup guides.
 - [`auth-benchmarks.md`](../operator/auth-benchmarks.md) — performance baselines for the validation paths cited above.
 - `internal/auth/oidc/` — OIDC service + groupclaim resolver + pre-login adapter + bootstrap hook.
 - `internal/auth/session/` — Session service + middleware + CSRF + signing-key rotation.
 - `internal/auth/breakglass/` — break-glass admin (Argon2id + lockout + constant-time + surface-invisibility).
 - `internal/crypto/encryption.go` — AES-256-GCM v3 blob format for at-rest encryption.
 - `migrations/000029` through `000038` — schema for RBAC, OIDC providers, sessions, signing keys, users, group mappings, pre-login, break-glass.
 - `scripts/ci-guards/multi-tenant-query-coverage.sh` — forward-compat multi-tenant query coverage guard.
@@ -82,6 +82,30 @@ For the full deploy contract see
 |---|---|---|
 | `CERTCTL_AGENT_ID` | (none — required) | The agent's unique ID, issued by `POST /api/v1/agents/register` and bundled into the agent's registration response. Pass via this env var when the agent runs as a systemd unit / container without the `-agent-id` CLI flag. |
 ## Auth (RBAC + OIDC + sessions + break-glass)
 Configuration knobs for the RBAC + OIDC + sessions + break-glass
 auth surface. Full operator guidance lives in
 [`operator/rbac.md`](../operator/rbac.md),
 [`operator/oidc-runbooks/`](../operator/oidc-runbooks/index.md), and
 [`operator/auth-threat-model.md`](../operator/auth-threat-model.md).
 | Variable | Default | Description |
 |---|---|---|
 | `CERTCTL_SESSION_BIND_USER_AGENT` | `false` | Bind every session cookie to the User-Agent header captured at login; mismatch -> 401. Defense in depth against stolen cookies on the same network. |
 | `CERTCTL_SESSION_GC_INTERVAL` | `1h` | How often the scheduler's session-GC loop sweeps expired/revoked rows out of `sessions`. Trade-off: shorter = smaller table, more DB churn; longer = pile-up. |
 | `CERTCTL_OIDC_BCL_MAX_AGE_SECONDS` | `60` | Back-channel logout `iat` freshness window. Tokens older or newer than this skew (in either direction) are rejected. |
 | `CERTCTL_OIDC_PRELOGIN_REQUIRE_UA` | `false` | Reject the OIDC callback if the User-Agent at callback differs from the UA captured at pre-login. RFC 9700 §4.7.1 defense-in-depth. |
 | `CERTCTL_OIDC_PRELOGIN_REQUIRE_IP` | `false` | Same as `_UA` but for client IP. Set carefully — corporate networks with carrier-grade NAT can change apparent IP mid-flow. |
 | `CERTCTL_DEMO_MODE_ACK` | `false` | Operator acknowledgement that demo mode is intentional in this deploy. Required when `CERTCTL_AUTH_TYPE=none` to allow server startup; safety net against demo-mode-in-production leakage. |
 | `CERTCTL_TRUSTED_PROXIES` | (empty) | Comma-separated list of trusted-proxy CIDRs (e.g. `10.0.0.0/8,192.0.2.1`). XFF is consulted for client-IP derivation only when the immediate peer sits in this allowlist. |
 | `CERTCTL_TRUSTED_PROXIES_COUNT` | (synthesised) | Read-only counter exposed by `/api/v1/auth/runtime-config`; mirrors `len(CERTCTL_TRUSTED_PROXIES)`. Not operator-settable; documented here so the G-3 env-docs-drift guard catches drift. |
 | `CERTCTL_BOOTSTRAP_TOKEN` | (empty) | One-shot token used to mint the first admin role binding via `POST /api/v1/auth/bootstrap`. Once consumed, deletes itself from memory and unsets the bootstrap endpoint. |
 | `CERTCTL_BOOTSTRAP_TOKEN_SET` | (synthesised) | Boolean exposed by `/api/v1/auth/runtime-config`; `true` when `CERTCTL_BOOTSTRAP_TOKEN` was set at server start. Not operator-settable; documented here so the G-3 guard catches drift. |
 | `CERTCTL_BOOTSTRAP_OIDC_PROVIDER_ID` | (empty) | When OIDC is enabled, restricts the first-admin OIDC strategy to the named provider only — any other provider's tokens won't trigger the bootstrap hook. |
 | `CERTCTL_BOOTSTRAP_ADMIN_GROUPS_COUNT` | (synthesised) | Read-only counter exposed by `/api/v1/auth/runtime-config`; mirrors `len(CERTCTL_BOOTSTRAP_ADMIN_GROUPS)`. Documented here so the G-3 guard catches drift. |
 | `CERTCTL_BREAKGLASS_LOCKOUT_THRESHOLD` | `5` | Number of consecutive failed `/auth/breakglass/login` attempts that lock the credential. |
 ## SCEP profile binding (single-profile back-compat)
 | Variable | Default | Description |
@@ -157,7 +157,7 @@ The real IIS connector validation lives in:
 - Windows Server 2019 or 2022 host (or Windows 10/11 Pro with Hyper-V)
 - Docker Desktop in Windows containers mode
  (Settings → "Switch to Windows containers")
- Go 1.25.9 + git
+- Go 1.25.10 + git
 ### Procedure
@@ -0,0 +1,112 @@
 # Certificate profiles
 > Last reviewed: 2026-05-09
 A `CertificateProfile` is the policy object that groups every cert with
 the same shape: which issuer mints it, which key algorithm + size are
 allowed, what EKUs and SANs the issuer should emit, what renewal
 window the scheduler uses, what targets get the cert deployed to. Every
 managed certificate references exactly one profile; changing a
 profile's policy retroactively affects renewal of every cert pointing
 at it.
 This file documents the profile lifecycle as it stands at v2.1.0.
 For the schema, see `migrations/000003_certificate_profiles.up.sql` +
 `migrations/000027_approval_workflow.up.sql` +
 `migrations/000033_approval_kinds.up.sql`. For the API surface,
 see `api/openapi.yaml` under `/api/v1/profiles`.
 ## Anatomy
 | Field | Default | Purpose |
 |---|---|---|
 | `id` | autogenerated `prof-<slug>` | Stable opaque identifier; used by every other resource. |
 | `name` | required | Human-readable label; rendered in the GUI's profile picker. |
 | `issuer_id` | required | Which issuer (Local / Vault / EJBCA / ACME / SCEP / EST / ADCS / etc.) mints certs against this profile. |
 | `default_validity_days` | 90 | Rendered into the issuer call as the requested NotAfter delta. |
 | `renewal_window_days` | 30 | Scheduler enqueues a renewal Job when `cert.NotAfter - now < renewal_window_days`. |
 | `allowed_key_algorithms` | RSA 2048+, ECDSA P-256+ | Validates incoming CSRs at issuance time. |
 | `allowed_ekus` | server, client | RFC 5280 §4.2.1.12 EKU set. |
 | `must_staple` | false | Per-profile RFC 7633 `id-pe-tlsfeature` extension toggle. |
 | `requires_approval` | false | Gates issuance + renewal AND profile edits behind a four-eyes approval workflow. See below. |
 ## RequiresApproval and the approval workflow
 Setting `requires_approval=true` on a profile does two things:
 1. **Issuance + renewal of every cert pointing at the profile gates
   on a non-requester admin's approval.** The scheduler enqueues a
   `Job` at status `AwaitingApproval`; the linked
   `issuance_approval_requests` row stays at `pending` until either
   approved (job → `Pending`, scheduler dispatches) or rejected (job
   → `Cancelled`). Same actor cannot self-approve.
 2. **Edits to the profile itself gate on a non-requester admin's
   approval.** This is the closure for the flip-flop
   loophole - without it an admin could set `requires_approval=false`,
   mutate any other field, set `requires_approval=true`, and the
   approval workflow would only have been bypassed during the
   "off" window. The profile-edit gate fires under three conditions:
 - The live profile has `requires_approval=true` AND the operator
     submits any edit (regardless of whether the edit changes the
     flag).
 - The live profile has `requires_approval=false` AND the operator
     submits an edit that would set it to `true` (the flag-flip
     direction is gated too because otherwise the gate could be
     enabled by anyone and have no review).
 - Both arms route through `ApprovalService.RequestProfileEditApproval`
     which writes a row to `issuance_approval_requests` with
     `approval_kind=profile_edit`. The pending profile diff is
     serialized to `payload` (JSONB).
 **Edit response shape.** When the gate fires, `PUT /api/v1/profiles/{id}`
 returns HTTP 202 Accepted with body
 `{"status":"pending_approval","pending_approval_id":"ar-…"}`.
 The operator copies the approval ID, hands it to a peer admin, and
 the peer POSTs `/api/v1/approvals/{id}/approve` with their own
 credentials. On approve, the server deserializes `payload`, applies
 the diff against the live profile, and emits a
 `profile.edit_applied` audit row with `event_category=auth`. On
 reject, the pending row is dropped; the live profile is unchanged.
 **Same-actor self-approve is rejected** with HTTP 403 and the existing
 `ErrApproveBySameActor` sentinel. This is the load-bearing
 two-person-integrity invariant that satisfies SOC 2 CC6.3 + NIST
 SSDF PO.5.2.
 **Bypass mode.** `CERTCTL_APPROVAL_BYPASS=true` short-circuits both
 issuance approvals and profile-edit approvals; every request
 auto-approves with `actor=system-bypass`. Used by dev / CI for fast
 iteration; production deploys MUST leave it unset. A single SQL
 query (`SELECT FROM audit_events WHERE actor='system-bypass'`)
 confirms zero rows.
 ## Operator workflows
 **Enable approval for an existing profile.** Edit the profile, set
 `requires_approval=true`. The first time you do this, the edit
 itself is gated (the live profile is non-approval but the proposed
 state is approval-tier, so the flip-on direction still routes through
 the workflow). Hand the approval ID to a peer; once approved, every
 subsequent edit and every renewal of every cert pointing at the
 profile gates on the workflow.
 **Disable approval.** Edit the profile, set `requires_approval=false`.
 This edit is gated because the live profile is currently
 approval-tier. A peer must approve the disable. Once disabled,
 subsequent edits flow through the direct-apply path again.
 **Audit who approved what.** The audit trail records every approval
 request + decision under `event_category=auth`. Filter via
 `GET /api/v1/audit?category=auth` or the `auditor` role's
 audit-only view. Each row carries the approval ID + the requester
 + the decider; the WORM trigger prevents tampering.
 ## Related
 - `migrations/000027_approval_workflow.up.sql` (initial approval
  schema, Rank 7 of the 2026-05-03 deep-research deliverable)
 - `migrations/000033_approval_kinds.up.sql` (adds
  `approval_kind` + `payload` + nullable cert/job FKs)
 - `internal/service/approval.go::RequestProfileEditApproval`
 - `internal/service/profile.go::UpdateProfile` (gate)
 - `internal/api/handler/profiles.go::UpdateProfile` (202 mapping)
@@ -1,6 +1,6 @@
 module github.com/certctl-io/certctl
-go 1.25.9
+go 1.25.10
 require (
 	github.com/google/uuid v1.6.0
@@ -18,12 +18,14 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/acm v1.38.3
 	github.com/aws/aws-sdk-go-v2/service/acmpca v1.46.14
 	github.com/aws/smithy-go v1.25.1
 	github.com/coreos/go-oidc/v3 v3.18.0
 	github.com/go-jose/go-jose/v4 v4.1.4
 	github.com/leanovate/gopter v0.2.11
 	github.com/masterzen/winrm v0.0.0-20250927112105-5f8e6c707321
 	github.com/pkg/sftp v1.13.10
-	golang.org/x/crypto v0.48.0
+	golang.org/x/crypto v0.50.0
-	golang.org/x/sync v0.19.0
+	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
 	software.sslmate.com/src/go-pkcs12 v0.7.0
 )
@@ -111,9 +113,8 @@ require (
 	go.opentelemetry.io/otel v1.41.0 // indirect
 	go.opentelemetry.io/otel/metric v1.41.0 // indirect
 	go.opentelemetry.io/otel/trace v1.41.0 // indirect
-	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
-	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
@@ -129,6 +129,8 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/coreos/go-oidc/v3 v3.18.0 h1:V9orjXynvu5wiC9SemFTWnG4F45v403aIcjWo0d41+A=
 github.com/coreos/go-oidc/v3 v3.18.0/go.mod h1:DYCf24+ncYi+XkIH97GY1+dqoRlbaSI26KVTCI9SrY4=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
@@ -482,8 +484,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -562,8 +564,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -576,8 +578,8 @@ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -591,8 +593,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -645,14 +647,14 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -663,8 +665,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -723,8 +725,8 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
-golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
-golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -5,7 +5,6 @@ import (
 	"net/http"
 	"time"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/domain"
 	"github.com/certctl-io/certctl/internal/repository"
 )
@@ -74,10 +73,7 @@ func (h AdminCRLCacheHandler) ListCache(w http.ResponseWriter, r *http.Request)
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
-	if !middleware.IsAdmin(r.Context()) {
+	// Bundle 1 Phase 3.5: gate moved to router.go (RequirePermission middleware).
 		Error(w, http.StatusForbidden, "Admin access required")
 		return
 	}
 	rows, err := h.svc.CacheRows(r.Context())
 	if err != nil {
@@ -6,10 +6,10 @@ import (
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/auth"
 )
 // fakeAdminCRLCacheService is the test stub for the
@@ -31,55 +31,11 @@ func (f *fakeAdminCRLCacheService) CacheRows(_ context.Context) ([]CRLCacheRow,
 // gate test. A caller without an admin-tagged context must be
 // rejected with HTTP 403, and the service layer must never see
 // the request (no enumeration of issuer set / cache state).
 func TestAdminCRLCache_NonAdmin_Returns403(t *testing.T) {
 	svc := &fakeAdminCRLCacheService{}
 	h := NewAdminCRLCacheHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crl/cache", nil)
 	req = req.WithContext(contextWithRequestID()) // request id only, no admin flag
 	w := httptest.NewRecorder()
 	h.ListCache(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected status 403, got %d (body=%q)", w.Code, w.Body.String())
 	}
 	var resp map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
 		t.Fatalf("decode response: %v", err)
 	}
 	msg, _ := resp["message"].(string)
 	if !strings.Contains(strings.ToLower(msg), "admin") {
 		t.Errorf("expected message to mention admin requirement, got %q", msg)
 	}
 	if svc.called {
 		t.Errorf("service was invoked despite non-admin caller — gate failed open")
 	}
 }
 // TestAdminCRLCache_AdminExplicitFalse_Returns403 pins the
 // AdminKey-present-but-false case. Without this, a regression to
 // "key missing == deny, key present == allow" would silently grant
 // a false flag to any caller that managed to set the context value.
 func TestAdminCRLCache_AdminExplicitFalse_Returns403(t *testing.T) {
 	svc := &fakeAdminCRLCacheService{}
 	h := NewAdminCRLCacheHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crl/cache", nil)
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
 	ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ListCache(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected status 403 for admin=false, got %d", w.Code)
 	}
 	if svc.called {
 		t.Error("service called despite admin=false gate")
 	}
 }
 // TestAdminCRLCache_AdminPermitted_ForwardsActor confirms the
 // happy path: an admin-tagged context reaches the service and the
@@ -99,8 +55,8 @@ func TestAdminCRLCache_AdminPermitted_ForwardsActor(t *testing.T) {
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crl/cache", nil)
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
-	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
+	ctx = context.WithValue(ctx, auth.UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
@@ -131,7 +87,7 @@ func TestAdminCRLCache_RejectsNonGetMethod(t *testing.T) {
 	h := NewAdminCRLCacheHandler(&fakeAdminCRLCacheService{})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/crl/cache", nil)
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
@@ -150,7 +106,7 @@ func TestAdminCRLCache_PropagatesServiceError(t *testing.T) {
 	h := NewAdminCRLCacheHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crl/cache", nil)
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
@@ -7,7 +7,6 @@ import (
 	"net/http"
 	"time"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/service"
 )
@@ -76,10 +75,7 @@ func (h AdminESTHandler) Profiles(w http.ResponseWriter, r *http.Request) {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
-	if !middleware.IsAdmin(r.Context()) {
+	// Bundle 1 Phase 3.5: gate moved to router.go (RequirePermission middleware).
 		Error(w, http.StatusForbidden, "Admin access required")
 		return
 	}
 	now := time.Now()
 	rows, err := h.svc.Profiles(r.Context(), now)
@@ -104,10 +100,7 @@ func (h AdminESTHandler) ReloadTrust(w http.ResponseWriter, r *http.Request) {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
-	if !middleware.IsAdmin(r.Context()) {
+	// Bundle 1 Phase 3.5: gate moved to router.go (RequirePermission middleware).
 		Error(w, http.StatusForbidden, "Admin access required")
 		return
 	}
 	var body adminESTReloadRequest
 	// An empty body is permitted: it implicitly targets the legacy
@@ -11,6 +11,7 @@ import (
 	"time"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/service"
 )
@@ -45,38 +46,6 @@ func (f *fakeAdminESTService) ReloadTrust(_ context.Context, pathID string) erro
 // ----- M-008 admin-gate triplet for Profiles (GET) -----
 func TestAdminEST_Profiles_NonAdmin_Returns403(t *testing.T) {
 	svc := &fakeAdminESTService{}
 	h := NewAdminESTHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/est/profiles", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 	h.Profiles(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("non-admin status = %d, want 403", w.Code)
 	}
 	if svc.profilesCalled {
 		t.Errorf("service was invoked despite non-admin caller — gate failed open")
 	}
 }
 func TestAdminEST_Profiles_AdminExplicitFalse_Returns403(t *testing.T) {
 	svc := &fakeAdminESTService{}
 	h := NewAdminESTHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/est/profiles", nil)
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
 	ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Profiles(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("admin=false status = %d, want 403", w.Code)
 	}
 	if svc.profilesCalled {
 		t.Errorf("service was invoked despite admin=false — gate failed open")
 	}
 }
 func TestAdminEST_Profiles_AdminTrue_Returns200(t *testing.T) {
 	svc := &fakeAdminESTService{
 		rows: []service.ESTStatsSnapshot{
@@ -86,7 +55,7 @@ func TestAdminEST_Profiles_AdminTrue_Returns200(t *testing.T) {
 	h := NewAdminESTHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/est/profiles", nil)
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Profiles(w, req)
@@ -121,7 +90,7 @@ func TestAdminEST_Profiles_NilRowsSerializedAsEmptyArray(t *testing.T) {
 	h := NewAdminESTHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/est/profiles", nil)
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Profiles(w, req)
@@ -133,42 +102,6 @@ func TestAdminEST_Profiles_NilRowsSerializedAsEmptyArray(t *testing.T) {
 // ----- M-008 admin-gate triplet for ReloadTrust (POST) -----
 func TestAdminEST_ReloadTrust_NonAdmin_Returns403(t *testing.T) {
 	svc := &fakeAdminESTService{}
 	h := NewAdminESTHandler(svc)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/est/reload-trust",
 		strings.NewReader(`{"path_id":"corp"}`))
 	req.ContentLength = int64(len(`{"path_id":"corp"}`))
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("non-admin status = %d, want 403", w.Code)
 	}
 	if svc.reloadCalled {
 		t.Errorf("service was invoked despite non-admin caller — gate failed open")
 	}
 }
 func TestAdminEST_ReloadTrust_AdminExplicitFalse_Returns403(t *testing.T) {
 	svc := &fakeAdminESTService{}
 	h := NewAdminESTHandler(svc)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/est/reload-trust",
 		strings.NewReader(`{"path_id":"corp"}`))
 	req.ContentLength = int64(len(`{"path_id":"corp"}`))
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
 	ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("admin=false status = %d, want 403", w.Code)
 	}
 	if svc.reloadCalled {
 		t.Errorf("service was invoked despite admin=false — gate failed open")
 	}
 }
 func TestAdminEST_ReloadTrust_HappyPath(t *testing.T) {
 	svc := &fakeAdminESTService{}
 	h := NewAdminESTHandler(svc)
@@ -177,7 +110,7 @@ func TestAdminEST_ReloadTrust_HappyPath(t *testing.T) {
 		strings.NewReader(body))
 	req.ContentLength = int64(len(body))
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
@@ -197,7 +130,7 @@ func TestAdminEST_ReloadTrust_UnknownPathID_Returns404(t *testing.T) {
 		strings.NewReader(body))
 	req.ContentLength = int64(len(body))
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
@@ -214,7 +147,7 @@ func TestAdminEST_ReloadTrust_MTLSDisabled_Returns409(t *testing.T) {
 		strings.NewReader(body))
 	req.ContentLength = int64(len(body))
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
@@ -231,7 +164,7 @@ func TestAdminEST_ReloadTrust_ParseError_Returns500(t *testing.T) {
 		strings.NewReader(body))
 	req.ContentLength = int64(len(body))
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
@@ -248,7 +181,7 @@ func TestAdminEST_ReloadTrust_MalformedJSON_Returns400(t *testing.T) {
 		strings.NewReader(body))
 	req.ContentLength = int64(len(body))
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
@@ -7,7 +7,6 @@ import (
 	"net/http"
 	"time"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/service"
 )
@@ -90,10 +89,7 @@ func (h AdminSCEPIntuneHandler) Profiles(w http.ResponseWriter, r *http.Request)
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
-	if !middleware.IsAdmin(r.Context()) {
+	// Bundle 1 Phase 3.5: gate moved to router.go (RequirePermission middleware).
 		Error(w, http.StatusForbidden, "Admin access required")
 		return
 	}
 	now := time.Now()
 	rows, err := h.svc.Profiles(r.Context(), now)
@@ -118,10 +114,7 @@ func (h AdminSCEPIntuneHandler) Stats(w http.ResponseWriter, r *http.Request) {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
-	if !middleware.IsAdmin(r.Context()) {
+	// Bundle 1 Phase 3.5: gate moved to router.go (RequirePermission middleware).
 		Error(w, http.StatusForbidden, "Admin access required")
 		return
 	}
 	now := time.Now()
 	rows, err := h.svc.Stats(r.Context(), now)
@@ -146,10 +139,7 @@ func (h AdminSCEPIntuneHandler) ReloadTrust(w http.ResponseWriter, r *http.Reque
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
-	if !middleware.IsAdmin(r.Context()) {
+	// Bundle 1 Phase 3.5: gate moved to router.go (RequirePermission middleware).
 		Error(w, http.StatusForbidden, "Admin access required")
 		return
 	}
 	var body adminScepIntuneReloadRequest
 	// An empty body is permitted: it implicitly targets the legacy
@@ -11,6 +11,7 @@ import (
 	"time"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/service"
 )
@@ -49,52 +50,6 @@ func (f *fakeAdminSCEPIntuneService) ReloadTrust(_ context.Context, pathID strin
 // M-008 admin-gate triplet for Stats (GET).
 // =============================================================================
 func TestAdminSCEPIntune_NonAdmin_Returns403(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
 	req = req.WithContext(contextWithRequestID()) // request id only, no admin flag
 	w := httptest.NewRecorder()
 	h.Stats(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected 403 for non-admin, got %d (body=%q)", w.Code, w.Body.String())
 	}
 	var resp map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
 		t.Fatalf("decode response: %v", err)
 	}
 	msg, _ := resp["message"].(string)
 	if !strings.Contains(strings.ToLower(msg), "admin") {
 		t.Errorf("expected message to mention admin requirement, got %q", msg)
 	}
 	if svc.statsCalled {
 		t.Errorf("service was invoked despite non-admin caller — gate failed open")
 	}
 }
 func TestAdminSCEPIntune_AdminExplicitFalse_Returns403(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
 	ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Stats(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected 403 for admin=false, got %d", w.Code)
 	}
 	if svc.statsCalled {
 		t.Error("service called despite admin=false gate")
 	}
 }
 func TestAdminSCEPIntune_AdminPermitted_ForwardsActor(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{
 		rows: []service.IntuneStatsSnapshot{
@@ -106,8 +61,8 @@ func TestAdminSCEPIntune_AdminPermitted_ForwardsActor(t *testing.T) {
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
-	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
+	ctx = context.WithValue(ctx, auth.UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
@@ -135,45 +90,6 @@ func TestAdminSCEPIntune_AdminPermitted_ForwardsActor(t *testing.T) {
 // M-008 triplet for ReloadTrust (POST).
 // =============================================================================
 func TestAdminSCEPIntuneReload_NonAdmin_Returns403(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(`{"path_id":"corp"}`))
 	req.ContentLength = int64(len(`{"path_id":"corp"}`))
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected 403 non-admin, got %d", w.Code)
 	}
 	if svc.reloadCalled {
 		t.Error("service called despite non-admin gate")
 	}
 }
 func TestAdminSCEPIntuneReload_AdminExplicitFalse_Returns403(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(`{"path_id":"corp"}`))
 	req.ContentLength = int64(len(`{"path_id":"corp"}`))
 	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, false)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected 403 admin=false, got %d", w.Code)
 	}
 	if svc.reloadCalled {
 		t.Error("service called despite admin=false gate")
 	}
 }
 func TestAdminSCEPIntuneReload_AdminPermitted_ForwardsActor(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
@@ -181,8 +97,8 @@ func TestAdminSCEPIntuneReload_AdminPermitted_ForwardsActor(t *testing.T) {
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(body))
 	req.ContentLength = int64(len(body))
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
-	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
+	ctx = context.WithValue(ctx, auth.UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
@@ -211,7 +127,7 @@ func TestAdminSCEPIntuneReload_AdminPermitted_ForwardsActor(t *testing.T) {
 func TestAdminSCEPIntuneStats_RejectsNonGetMethod(t *testing.T) {
 	h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/stats", nil)
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Stats(w, req)
@@ -223,7 +139,7 @@ func TestAdminSCEPIntuneStats_RejectsNonGetMethod(t *testing.T) {
 func TestAdminSCEPIntuneReload_RejectsNonPostMethod(t *testing.T) {
 	h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/reload-trust", nil)
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
@@ -236,7 +152,7 @@ func TestAdminSCEPIntuneStats_PropagatesServiceError(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{statsErr: errors.New("registry walk failed")}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Stats(w, req)
@@ -251,7 +167,7 @@ func TestAdminSCEPIntuneReload_ProfileNotFound_Returns404(t *testing.T) {
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(`{"path_id":"nonexistent"}`))
 	req.ContentLength = int64(len(`{"path_id":"nonexistent"}`))
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
@@ -266,7 +182,7 @@ func TestAdminSCEPIntuneReload_IntuneDisabled_Returns409(t *testing.T) {
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(`{"path_id":"iot"}`))
 	req.ContentLength = int64(len(`{"path_id":"iot"}`))
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
@@ -281,7 +197,7 @@ func TestAdminSCEPIntuneReload_BadReloadPropagates500(t *testing.T) {
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(`{"path_id":"corp"}`))
 	req.ContentLength = int64(len(`{"path_id":"corp"}`))
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
@@ -294,7 +210,7 @@ func TestAdminSCEPIntuneReload_EmptyBodyTargetsLegacyRoot(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust", nil)
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
@@ -312,7 +228,7 @@ func TestAdminSCEPIntuneReload_RejectsMalformedJSON(t *testing.T) {
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
 		strings.NewReader(bad))
 	req.ContentLength = int64(len(bad))
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.ReloadTrust(w, req)
@@ -347,52 +263,6 @@ func TestAdminSCEPIntuneServiceImpl_ReloadUnknownPathReturnsNotFound(t *testing.
 // M-008 admin-gate triplet for Profiles (GET) — Phase 9 follow-up endpoint.
 // =============================================================================
 func TestAdminSCEPProfiles_NonAdmin_Returns403(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
 	req = req.WithContext(contextWithRequestID()) // request id only, no admin flag
 	w := httptest.NewRecorder()
 	h.Profiles(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected 403 for non-admin, got %d (body=%q)", w.Code, w.Body.String())
 	}
 	var resp map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
 		t.Fatalf("decode response: %v", err)
 	}
 	msg, _ := resp["message"].(string)
 	if !strings.Contains(strings.ToLower(msg), "admin") {
 		t.Errorf("expected message to mention admin requirement, got %q", msg)
 	}
 	if svc.profilesCalled {
 		t.Errorf("service was invoked despite non-admin caller — gate failed open")
 	}
 }
 func TestAdminSCEPProfiles_AdminExplicitFalse_Returns403(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
 	ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Profiles(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected 403 for admin=false, got %d", w.Code)
 	}
 	if svc.profilesCalled {
 		t.Error("service called despite admin=false gate")
 	}
 }
 func TestAdminSCEPProfiles_AdminPermitted_ForwardsActor(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{
 		profileRows: []service.SCEPProfileStatsSnapshot{
@@ -417,8 +287,8 @@ func TestAdminSCEPProfiles_AdminPermitted_ForwardsActor(t *testing.T) {
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
-	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
+	ctx = context.WithValue(ctx, auth.UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
@@ -461,7 +331,7 @@ func TestAdminSCEPProfiles_AdminPermitted_ForwardsActor(t *testing.T) {
 func TestAdminSCEPProfiles_RejectsNonGetMethod(t *testing.T) {
 	h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/profiles", nil)
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Profiles(w, req)
@@ -474,7 +344,7 @@ func TestAdminSCEPProfiles_PropagatesServiceError(t *testing.T) {
 	svc := &fakeAdminSCEPIntuneService{profilesErr: errors.New("registry walk failed")}
 	h := NewAdminSCEPIntuneHandler(svc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
-	ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Profiles(w, req)
@@ -8,6 +8,7 @@ import (
 	"strconv"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
 	"github.com/certctl-io/certctl/internal/repository"
 	"github.com/certctl-io/certctl/internal/service"
@@ -111,7 +112,7 @@ func (h ApprovalHandler) GetApproval(w http.ResponseWriter, r *http.Request) {
 // Approve transitions a pending approval request to approved + transitions
 // the linked Job from AwaitingApproval to Pending. RBAC: the authenticated
-// actor extracted via middleware.UserKey must NOT equal the request's
+// actor extracted via auth.UserKey must NOT equal the request's
 // RequestedBy — the service-layer check enforces this and the handler
 // surfaces it as HTTP 403.
 //
@@ -153,7 +154,7 @@ func (h ApprovalHandler) decision(w http.ResponseWriter, r *http.Request, action
 	// Extract authenticated actor. The auth middleware sets UserKey to the
 	// API-key NamedAPIKey.Name (or empty for unauthenticated). RBAC at the
 	// service layer requires a non-empty actor.
-	actor, _ := r.Context().Value(middleware.UserKey{}).(string)
+	actor, _ := r.Context().Value(auth.UserKey{}).(string)
 	if actor == "" {
 		ErrorWithRequestID(w, http.StatusUnauthorized,
 			"authentication required to approve / reject", requestID)
@@ -10,7 +10,7 @@ import (
 	"sync"
 	"testing"
-	"github.com/certctl-io/certctl/internal/api/middleware"
+	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
 	"github.com/certctl-io/certctl/internal/repository"
 	"github.com/certctl-io/certctl/internal/service"
@@ -117,7 +117,7 @@ func reqWithActor(t *testing.T, method, target string, body string, actor string
 	}
 	req.Header.Set("Content-Type", "application/json")
 	if actor != "" {
-		req = req.WithContext(context.WithValue(req.Context(), middleware.UserKey{}, actor))
+		req = req.WithContext(context.WithValue(req.Context(), auth.UserKey{}, actor))
 	}
 	if pathID != "" {
 		req.SetPathValue("id", pathID)
@@ -2,11 +2,16 @@ package handler
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
 )
@@ -14,6 +19,24 @@ import (
 type AuditService interface {
 	ListAuditEvents(ctx context.Context, page, perPage int) ([]domain.AuditEvent, int64, error)
 	GetAuditEvent(ctx context.Context, id string) (*domain.AuditEvent, error)
 	// ListAuditEventsByCategory (Bundle 1 Phase 8) returns audit
 	// rows whose event_category column matches eventCategory.
 	// eventCategory is one of "cert_lifecycle", "auth", "config";
 	// empty string returns all categories. Used by the auditor role
 	// (filtered to "auth" via /v1/audit?category=auth).
 	ListAuditEventsByCategory(ctx context.Context, eventCategory string, page, perPage int) ([]domain.AuditEvent, int64, error)
 	// ExportEventsByFilter returns audit events matching a
 	// (from, to, eventCategory) filter, capped at maxRows. Audit
 	// 2026-05-10 HIGH-11 closure — backs the new
 	// GET /api/v1/audit/export endpoint that makes the `audit.export`
 	// permission load-bearing.
 	ExportEventsByFilter(ctx context.Context, from, to time.Time, eventCategory string, maxRows int) ([]domain.AuditEvent, error)
 	// RecordEventWithCategory is needed by the export handler so it
 	// can recursively self-audit each export call (operator-visible
 	// proof that compliance evidence pulls happened + by whom + over
 	// what range). The bare-string actor type is the existing wire
 	// shape used by every other Phase 8 caller.
 	RecordEventWithCategory(ctx context.Context, actor string, actorType domain.ActorType, action, eventCategory, resourceType, resourceID string, details map[string]interface{}) error
 }
 // AuditHandler handles HTTP requests for audit event operations.
@@ -27,7 +50,12 @@ func NewAuditHandler(svc AuditService) AuditHandler {
 }
 // ListAuditEvents lists audit events.
-// GET /api/v1/audit?page=1&per_page=50
+// GET /api/v1/audit?page=1&per_page=50&category=auth
 //
 // Bundle 1 Phase 8 adds the optional `category` query parameter for
 // auditor-role filtering. Allowed values: cert_lifecycle, auth, config.
 // Unknown values surface 400 so misuse is caught loud (instead of
 // silently returning all rows).
 func (h AuditHandler) ListAuditEvents(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
@@ -49,8 +77,29 @@ func (h AuditHandler) ListAuditEvents(w http.ResponseWriter, r *http.Request) {
 			perPage = parsed
 		}
 	}
 	category := query.Get("category")
 	if category != "" {
 		switch category {
 		case domain.EventCategoryCertLifecycle, domain.EventCategoryAuth, domain.EventCategoryConfig:
 			// ok
 		default:
 			ErrorWithRequestID(w, http.StatusBadRequest,
 				"Invalid category — allowed: cert_lifecycle, auth, config",
 				requestID)
 			return
 		}
 	}
-	events, total, err := h.svc.ListAuditEvents(r.Context(), page, perPage)
+	var (
 		events []domain.AuditEvent
 		total  int64
 		err    error
 	)
 	if category != "" {
 		events, total, err = h.svc.ListAuditEventsByCategory(r.Context(), category, page, perPage)
 	} else {
 		events, total, err = h.svc.ListAuditEvents(r.Context(), page, perPage)
 	}
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list audit events", requestID)
 		return
@@ -92,3 +141,146 @@ func (h AuditHandler) GetAuditEvent(w http.ResponseWriter, r *http.Request) {
 	JSON(w, http.StatusOK, event)
 }
 // ExportAudit streams an NDJSON export of audit events for compliance
 // evidence collection. Gated by the `audit.export` permission (already
 // seeded into r-admin + r-auditor by migration 000031).
 //
 // Audit 2026-05-10 HIGH-11 closure — pre-fix, the permission existed
 // in the catalogue + role grants but no endpoint enforced it; r-auditor's
 // "audit.export" claim was misleading capability advertisement. This
 // endpoint makes the permission load-bearing and the auditor role's
 // surface complete.
 //
 // GET /api/v1/audit/export?from=<RFC3339>&to=<RFC3339>&category=<cat>
 //
 // Constraints:
 //   - from + to are required, RFC3339 format.
 //   - to - from MUST be ≤ 90 days (compliance window).
 //   - category optional: cert_lifecycle | auth | config.
 //   - max 50,000 rows per export (operator-tunable via query param
 //     up to 100,000); larger exports require operator-side pagination
 //     by date range.
 //
 // Response: application/x-ndjson, one event per line. Newline-delimited
 // JSON is the de-facto compliance-archive format consumed by SIEMs
 // (Splunk universal forwarder, Elastic Filebeat, Vector, etc.).
 //
 // The export itself is recursively audited: every successful export
 // emits an `audit.export` event capturing actor, range, category, and
 // row count so the audit log itself records who pulled which compliance
 // evidence and when.
 func (h AuditHandler) ExportAudit(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
 	requestID := middleware.GetRequestID(r.Context())
 	q := r.URL.Query()
 	fromStr := q.Get("from")
 	toStr := q.Get("to")
 	if fromStr == "" || toStr == "" {
 		ErrorWithRequestID(w, http.StatusBadRequest,
 			"`from` and `to` query params are required (RFC3339 format)",
 			requestID)
 		return
 	}
 	from, err := time.Parse(time.RFC3339, fromStr)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusBadRequest,
 			"`from` must be RFC3339 (e.g. 2026-04-01T00:00:00Z)",
 			requestID)
 		return
 	}
 	to, err := time.Parse(time.RFC3339, toStr)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusBadRequest,
 			"`to` must be RFC3339 (e.g. 2026-05-01T00:00:00Z)",
 			requestID)
 		return
 	}
 	if !to.After(from) {
 		ErrorWithRequestID(w, http.StatusBadRequest,
 			"`to` must be after `from`",
 			requestID)
 		return
 	}
 	const maxWindow = 90 * 24 * time.Hour
 	if to.Sub(from) > maxWindow {
 		ErrorWithRequestID(w, http.StatusBadRequest,
 			fmt.Sprintf("range exceeds 90-day max (got %s); paginate by narrower date range", to.Sub(from)),
 			requestID)
 		return
 	}
 	category := q.Get("category")
 	if category != "" {
 		switch category {
 		case domain.EventCategoryCertLifecycle, domain.EventCategoryAuth, domain.EventCategoryConfig:
 			// ok
 		default:
 			ErrorWithRequestID(w, http.StatusBadRequest,
 				"Invalid category — allowed: cert_lifecycle, auth, config",
 				requestID)
 			return
 		}
 	}
 	maxRows := 50000
 	if lim := q.Get("limit"); lim != "" {
 		if parsed, err := strconv.Atoi(lim); err == nil && parsed > 0 && parsed <= 100000 {
 			maxRows = parsed
 		}
 	}
 	events, err := h.svc.ExportEventsByFilter(r.Context(), from, to, category, maxRows)
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError,
 			"Failed to export audit events",
 			requestID)
 		return
 	}
 	w.Header().Set("Content-Type", "application/x-ndjson")
 	w.Header().Set("Content-Disposition",
 		fmt.Sprintf(`attachment; filename="certctl-audit-%s_to_%s.ndjson"`,
 			from.UTC().Format("2006-01-02"), to.UTC().Format("2006-01-02")))
 	w.WriteHeader(http.StatusOK)
 	enc := json.NewEncoder(w)
 	for i := range events {
 		if err := enc.Encode(&events[i]); err != nil {
 			// Mid-stream encode error — connection probably closed by
 			// client. Logged + abandoned; the partial response is
 			// already on the wire and rolling back the headers isn't
 			// possible.
 			slog.WarnContext(r.Context(), "audit export: encode failed mid-stream",
 				"err", err, "rows_written", i, "rows_total", len(events))
 			return
 		}
 	}
 	// Recursively self-audit the export. The audit row captures actor,
 	// from, to, category, and row count so compliance reviewers can see
 	// who pulled which evidence and when. Best-effort (the data is
 	// already on the wire); failure logs WARN per the HIGH-6 closure.
 	actorID, _ := r.Context().Value(auth.ActorIDKey{}).(string)
 	if actorID == "" {
 		actorID = "unknown"
 	}
 	if err := h.svc.RecordEventWithCategory(r.Context(),
 		actorID, domain.ActorTypeUser,
 		"audit.export", domain.EventCategoryAuth,
 		"audit", "export",
 		map[string]interface{}{
 			"from":     from.UTC().Format(time.RFC3339),
 			"to":       to.UTC().Format(time.RFC3339),
 			"category": category,
 			"rows":     len(events),
 		}); err != nil {
 		slog.WarnContext(r.Context(), "audit.export self-audit failed (export already streamed)",
 			"actor_id", actorID, "rows", len(events), "err", err)
 	}
 }
@@ -0,0 +1,157 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/certctl-io/certctl/internal/domain"
 )
 // =============================================================================
 // Bundle 1 Phase 8 — audit category-filter HTTP behaviour.
 // =============================================================================
 // TestListAuditEvents_Phase8_CategoryFilterDispatchesToService pins the
 // happy-path: ?category=auth routes through ListAuditEventsByCategory
 // with the right argument.
 func TestListAuditEvents_Phase8_CategoryFilterDispatchesToService(t *testing.T) {
 	var capturedCategory string
 	mockSvc := &mockAuditService{
 		listByCatFunc: func(category string, _, _ int) ([]domain.AuditEvent, int64, error) {
 			capturedCategory = category
 			return []domain.AuditEvent{
 				{ID: "audit-1", Action: "auth.role.assign", EventCategory: domain.EventCategoryAuth},
 			}, 1, nil
 		},
 	}
 	h := NewAuditHandler(mockSvc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/audit?category=auth", nil)
 	rec := httptest.NewRecorder()
 	h.ListAuditEvents(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200", rec.Code)
 	}
 	if capturedCategory != "auth" {
 		t.Errorf("captured category = %q, want auth", capturedCategory)
 	}
 }
 // TestListAuditEvents_Phase8_NoCategoryFallsBackToListAuditEvents pins
 // that the legacy unfiltered path still routes through ListAuditEvents
 // (preserves back-compat).
 func TestListAuditEvents_Phase8_NoCategoryFallsBackToListAuditEvents(t *testing.T) {
 	listCalled := false
 	listByCatCalled := false
 	mockSvc := &mockAuditService{
 		listFunc: func(_, _ int) ([]domain.AuditEvent, int64, error) {
 			listCalled = true
 			return nil, 0, nil
 		},
 		listByCatFunc: func(_ string, _, _ int) ([]domain.AuditEvent, int64, error) {
 			listByCatCalled = true
 			return nil, 0, nil
 		},
 	}
 	h := NewAuditHandler(mockSvc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/audit", nil)
 	rec := httptest.NewRecorder()
 	h.ListAuditEvents(rec, req)
 	if !listCalled {
 		t.Errorf("ListAuditEvents not called for unfiltered request")
 	}
 	if listByCatCalled {
 		t.Errorf("ListAuditEventsByCategory called unexpectedly for unfiltered request")
 	}
 }
 // TestListAuditEvents_Phase8_RejectsUnknownCategory pins the 400 surface
 // for misuse. Allowed values are exactly cert_lifecycle/auth/config;
 // anything else surfaces a clear error rather than silently returning
 // every row.
 func TestListAuditEvents_Phase8_RejectsUnknownCategory(t *testing.T) {
 	mockSvc := &mockAuditService{}
 	h := NewAuditHandler(mockSvc)
 	for _, bad := range []string{"agent", "AUTH", "auth%20", "system"} {
 		req := httptest.NewRequest(http.MethodGet, "/api/v1/audit?category="+bad, nil)
 		rec := httptest.NewRecorder()
 		h.ListAuditEvents(rec, req)
 		if rec.Code != http.StatusBadRequest {
 			t.Errorf("category=%q got status %d, want 400", bad, rec.Code)
 		}
 	}
 }
 // TestListAuditEvents_Phase8_AcceptsAllThreeCategories pins that each of
 // the three documented enum values dispatches without a 400.
 func TestListAuditEvents_Phase8_AcceptsAllThreeCategories(t *testing.T) {
 	mockSvc := &mockAuditService{
 		listByCatFunc: func(_ string, _, _ int) ([]domain.AuditEvent, int64, error) {
 			return nil, 0, nil
 		},
 	}
 	h := NewAuditHandler(mockSvc)
 	for _, cat := range []string{
 		domain.EventCategoryCertLifecycle,
 		domain.EventCategoryAuth,
 		domain.EventCategoryConfig,
 	} {
 		req := httptest.NewRequest(http.MethodGet, "/api/v1/audit?category="+cat, nil)
 		rec := httptest.NewRecorder()
 		h.ListAuditEvents(rec, req)
 		if rec.Code != http.StatusOK {
 			t.Errorf("category=%s got status %d, want 200", cat, rec.Code)
 		}
 	}
 }
 // TestListAuditEvents_Phase8_CategoryAndPageCombine confirms the query
 // parser respects both the page and category params concurrently.
 func TestListAuditEvents_Phase8_CategoryAndPageCombine(t *testing.T) {
 	var capturedCategory string
 	var capturedPage int
 	mockSvc := &mockAuditService{
 		listByCatFunc: func(category string, page, _ int) ([]domain.AuditEvent, int64, error) {
 			capturedCategory = category
 			capturedPage = page
 			return nil, 0, nil
 		},
 	}
 	h := NewAuditHandler(mockSvc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/audit?category=auth&page=3", nil)
 	rec := httptest.NewRecorder()
 	h.ListAuditEvents(rec, req)
 	if capturedCategory != "auth" || capturedPage != 3 {
 		t.Errorf("captured (cat=%q page=%d), want (auth, 3)", capturedCategory, capturedPage)
 	}
 }
 // TestListAuditEvents_Phase8_ResponseSurfacesEventCategory confirms the
 // JSON output carries the event_category field for downstream auditors.
 func TestListAuditEvents_Phase8_ResponseSurfacesEventCategory(t *testing.T) {
 	mockSvc := &mockAuditService{
 		listByCatFunc: func(_ string, _, _ int) ([]domain.AuditEvent, int64, error) {
 			return []domain.AuditEvent{
 				{ID: "a1", Action: "auth.role.assign", EventCategory: "auth"},
 				{ID: "a2", Action: "issuer.edit", EventCategory: "config"},
 			}, 2, nil
 		},
 	}
 	h := NewAuditHandler(mockSvc)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/audit?category=auth", nil)
 	rec := httptest.NewRecorder()
 	h.ListAuditEvents(rec, req)
 	var resp struct {
 		Data []domain.AuditEvent `json:"data"`
 	}
 	if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil {
 		t.Fatalf("decode: %v", err)
 	}
 	if len(resp.Data) != 2 || resp.Data[0].EventCategory != "auth" || resp.Data[1].EventCategory != "config" {
 		t.Errorf("event_category not surfaced in JSON: %+v", resp.Data)
 	}
 }
 var _ = context.Background // keep import even if other tests strip it
@@ -0,0 +1,189 @@
 package handler
 import (
 	"bufio"
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"time"
 	"github.com/certctl-io/certctl/internal/domain"
 )
 // Audit 2026-05-10 HIGH-11 closure — pin the streaming NDJSON audit
 // export endpoint. Pre-fix, the `audit.export` permission was seeded
 // into r-admin + r-auditor (migration 000031) but no endpoint enforced
 // it; the auditor role's claim was misleading capability advertisement.
 // Post-fix, GET /api/v1/audit/export gates on `audit.export`, streams
 // audit rows as line-delimited JSON, bounded to a 90-day window, and
 // recursively self-audits each export call.
 // exportMockSvc extends mockAuditService with explicit hooks for the
 // HIGH-11 export path.
 type exportMockSvc struct {
 	mockAuditService
 	exportFn func(from, to time.Time, eventCategory string, maxRows int) ([]domain.AuditEvent, error)
 }
 func (m *exportMockSvc) ExportEventsByFilter(_ context.Context, from, to time.Time, eventCategory string, maxRows int) ([]domain.AuditEvent, error) {
 	if m.exportFn != nil {
 		return m.exportFn(from, to, eventCategory, maxRows)
 	}
 	return nil, nil
 }
 func TestExportAudit_StreamsNDJSONLines(t *testing.T) {
 	events := []domain.AuditEvent{
 		{ID: "ev-1", Action: "cert.issue", Actor: "alice", Timestamp: time.Now()},
 		{ID: "ev-2", Action: "cert.revoke", Actor: "bob", Timestamp: time.Now()},
 		{ID: "ev-3", Action: "auth.role.grant", Actor: "alice", Timestamp: time.Now()},
 	}
 	mockSvc := &exportMockSvc{
 		exportFn: func(from, to time.Time, _ string, _ int) ([]domain.AuditEvent, error) {
 			return events, nil
 		},
 	}
 	h := NewAuditHandler(mockSvc)
 	req := httptest.NewRequest(http.MethodGet,
 		"/api/v1/audit/export?from=2026-04-01T00:00:00Z&to=2026-05-01T00:00:00Z", nil)
 	w := httptest.NewRecorder()
 	h.ExportAudit(w, req)
 	if w.Code != http.StatusOK {
 		t.Fatalf("status = %d; want 200; body=%s", w.Code, w.Body.String())
 	}
 	if ct := w.Header().Get("Content-Type"); ct != "application/x-ndjson" {
 		t.Errorf("Content-Type = %q; want application/x-ndjson", ct)
 	}
 	if cd := w.Header().Get("Content-Disposition"); !strings.HasPrefix(cd, "attachment;") {
 		t.Errorf("Content-Disposition = %q; want attachment;...", cd)
 	}
 	scanner := bufio.NewScanner(strings.NewReader(w.Body.String()))
 	count := 0
 	for scanner.Scan() {
 		line := scanner.Text()
 		if line == "" {
 			continue
 		}
 		var got domain.AuditEvent
 		if err := json.Unmarshal([]byte(line), &got); err != nil {
 			t.Errorf("line %d not valid JSON: %v; line=%s", count, err, line)
 		}
 		count++
 	}
 	if count != len(events) {
 		t.Errorf("scanned %d NDJSON lines; want %d", count, len(events))
 	}
 	// Self-audit leg: the export must emit an audit.export row for the
 	// recursive trail.
 	if mockSvc.lastAuditAction != "audit.export" {
 		t.Errorf("lastAuditAction = %q; want audit.export (recursive self-audit)", mockSvc.lastAuditAction)
 	}
 	if mockSvc.lastAuditCategory != domain.EventCategoryAuth {
 		t.Errorf("lastAuditCategory = %q; want %q", mockSvc.lastAuditCategory, domain.EventCategoryAuth)
 	}
 }
 func TestExportAudit_RejectsRangeBeyond90Days(t *testing.T) {
 	mockSvc := &exportMockSvc{}
 	h := NewAuditHandler(mockSvc)
 	// 100-day window — must reject.
 	req := httptest.NewRequest(http.MethodGet,
 		"/api/v1/audit/export?from=2026-01-01T00:00:00Z&to=2026-04-15T00:00:00Z", nil)
 	w := httptest.NewRecorder()
 	h.ExportAudit(w, req)
 	if w.Code != http.StatusBadRequest {
 		t.Errorf("status = %d; want 400 for >90d range", w.Code)
 	}
 	if !strings.Contains(w.Body.String(), "90-day") {
 		t.Errorf("body = %q; want it to mention the 90-day cap", w.Body.String())
 	}
 }
 func TestExportAudit_RejectsMissingFromOrTo(t *testing.T) {
 	mockSvc := &exportMockSvc{}
 	h := NewAuditHandler(mockSvc)
 	cases := []string{
 		"/api/v1/audit/export",
 		"/api/v1/audit/export?from=2026-04-01T00:00:00Z",
 		"/api/v1/audit/export?to=2026-04-30T00:00:00Z",
 	}
 	for _, url := range cases {
 		req := httptest.NewRequest(http.MethodGet, url, nil)
 		w := httptest.NewRecorder()
 		h.ExportAudit(w, req)
 		if w.Code != http.StatusBadRequest {
 			t.Errorf("URL %q: status = %d; want 400 (missing from/to)", url, w.Code)
 		}
 	}
 }
 func TestExportAudit_RejectsInvalidCategory(t *testing.T) {
 	mockSvc := &exportMockSvc{}
 	h := NewAuditHandler(mockSvc)
 	req := httptest.NewRequest(http.MethodGet,
 		"/api/v1/audit/export?from=2026-04-01T00:00:00Z&to=2026-04-30T00:00:00Z&category=zzz_unknown", nil)
 	w := httptest.NewRecorder()
 	h.ExportAudit(w, req)
 	if w.Code != http.StatusBadRequest {
 		t.Errorf("status = %d; want 400 for invalid category", w.Code)
 	}
 }
 func TestExportAudit_AcceptsValidCategoryFilter(t *testing.T) {
 	captured := struct {
 		category string
 	}{}
 	mockSvc := &exportMockSvc{
 		exportFn: func(_, _ time.Time, eventCategory string, _ int) ([]domain.AuditEvent, error) {
 			captured.category = eventCategory
 			return []domain.AuditEvent{}, nil
 		},
 	}
 	h := NewAuditHandler(mockSvc)
 	req := httptest.NewRequest(http.MethodGet,
 		"/api/v1/audit/export?from=2026-04-01T00:00:00Z&to=2026-04-30T00:00:00Z&category=auth", nil)
 	w := httptest.NewRecorder()
 	h.ExportAudit(w, req)
 	if w.Code != http.StatusOK {
 		t.Fatalf("status = %d; want 200; body=%s", w.Code, w.Body.String())
 	}
 	if captured.category != domain.EventCategoryAuth {
 		t.Errorf("captured.category = %q; want %q", captured.category, domain.EventCategoryAuth)
 	}
 }
 func TestExportAudit_RejectsNonGET(t *testing.T) {
 	mockSvc := &exportMockSvc{}
 	h := NewAuditHandler(mockSvc)
 	req := httptest.NewRequest(http.MethodPost,
 		"/api/v1/audit/export?from=2026-04-01T00:00:00Z&to=2026-04-30T00:00:00Z", nil)
 	w := httptest.NewRecorder()
 	h.ExportAudit(w, req)
 	if w.Code != http.StatusMethodNotAllowed {
 		t.Errorf("status = %d; want 405 for POST", w.Code)
 	}
 }
 func TestExportAudit_RejectsToBeforeFrom(t *testing.T) {
 	mockSvc := &exportMockSvc{}
 	h := NewAuditHandler(mockSvc)
 	req := httptest.NewRequest(http.MethodGet,
 		"/api/v1/audit/export?from=2026-05-01T00:00:00Z&to=2026-04-01T00:00:00Z", nil)
 	w := httptest.NewRecorder()
 	h.ExportAudit(w, req)
 	if w.Code != http.StatusBadRequest {
 		t.Errorf("status = %d; want 400 (to before from)", w.Code)
 	}
 }
@@ -16,7 +16,12 @@ import (
 // mockAuditService implements AuditService for testing.
 type mockAuditService struct {
 	listFunc      func(page, perPage int) ([]domain.AuditEvent, int64, error)
 	listByCatFunc func(category string, page, perPage int) ([]domain.AuditEvent, int64, error)
 	getFunc       func(id string) (*domain.AuditEvent, error)
 	// HIGH-11 self-audit trace — last RecordEventWithCategory call.
 	lastAuditActor    string
 	lastAuditAction   string
 	lastAuditCategory string
 }
 func (m *mockAuditService) ListAuditEvents(_ context.Context, page, perPage int) ([]domain.AuditEvent, int64, error) {
@@ -26,6 +31,16 @@ func (m *mockAuditService) ListAuditEvents(_ context.Context, page, perPage int)
 	return nil, 0, nil
 }
 func (m *mockAuditService) ListAuditEventsByCategory(_ context.Context, category string, page, perPage int) ([]domain.AuditEvent, int64, error) {
 	if m.listByCatFunc != nil {
 		return m.listByCatFunc(category, page, perPage)
 	}
 	if m.listFunc != nil {
 		return m.listFunc(page, perPage)
 	}
 	return nil, 0, nil
 }
 func (m *mockAuditService) GetAuditEvent(_ context.Context, id string) (*domain.AuditEvent, error) {
 	if m.getFunc != nil {
 		return m.getFunc(id)
@@ -33,6 +48,32 @@ func (m *mockAuditService) GetAuditEvent(_ context.Context, id string) (*domain.
 	return nil, nil
 }
 // ExportEventsByFilter satisfies the Audit 2026-05-10 HIGH-11 interface
 // extension. The test mock just defers to the existing list helpers
 // (no separate export-specific test fixture needed for the bundles that
 // don't exercise export).
 func (m *mockAuditService) ExportEventsByFilter(_ context.Context, _, _ time.Time, eventCategory string, _ int) ([]domain.AuditEvent, error) {
 	if m.listFunc != nil {
 		events, _, err := m.listFunc(1, 50000)
 		if err != nil {
 			return nil, err
 		}
 		return events, nil
 	}
 	return nil, nil
 }
 // RecordEventWithCategory satisfies the Audit 2026-05-10 HIGH-11
 // interface extension (the export handler self-audits each call).
 // Tests that don't care about the audit row trace can leave the field
 // nil; tests that do can read m.lastAuditAction etc. after the call.
 func (m *mockAuditService) RecordEventWithCategory(_ context.Context, actor string, _ domain.ActorType, action, eventCategory, _, _ string, _ map[string]interface{}) error {
 	m.lastAuditActor = actor
 	m.lastAuditAction = action
 	m.lastAuditCategory = eventCategory
 	return nil
 }
 func TestListAuditEvents_Success(t *testing.T) {
 	events := []domain.AuditEvent{
 		{
@@ -0,0 +1,681 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
 	authdomain "github.com/certctl-io/certctl/internal/domain/auth"
 	"github.com/certctl-io/certctl/internal/repository"
 	authsvc "github.com/certctl-io/certctl/internal/service/auth"
 )
 // AuthHandler exposes the RBAC primitive over HTTP. Bundle 1 Phase 4 wires
 // the routes registered by HandlerRegistry under /v1/auth/*.
 //
 // Every mutating endpoint runs through the service layer, which enforces
 // the privilege-escalation guard (callers need auth.role.assign for
 // Grant/Revoke, auth.role.create/edit/delete for the role lifecycle,
 // auth.key.* for key management). Read endpoints require auth.role.list.
 //
 // The /v1/auth/me endpoint has no permission requirement (every
 // authenticated caller can read their own permissions); this is the
 // query the GUI uses to gate affordance rendering.
 type AuthHandler struct {
 	roles   AuthRoleService
 	perms   AuthPermissionService
 	actors  AuthActorRoleService
 	checker auth.PermissionChecker
 	// csrfRotator is the optional session-CSRF-rotation hook called
 	// post-role-mutation. Audit 2026-05-10 HIGH-2 closure — when an
 	// actor's role set changes, every active session's CSRF token is
 	// rotated as defense-in-depth against token leak preceding the
 	// privilege change. Nil-safe: when unset (pre-Bundle-2 wiring,
 	// tests that don't care about CSRF), the wires are no-ops.
 	csrfRotator CSRFRotator
 }
 // CSRFRotator is the projection of *session.Service used by AuthHandler
 // to rotate CSRF tokens across an actor's active sessions after a role
 // mutation. RotateCSRFTokenForActor returns the count of rotated rows
 // and NEVER errors out — rotation is defense-in-depth and must not
 // block the role mutation that triggered it.
 type CSRFRotator interface {
 	RotateCSRFTokenForActor(ctx context.Context, actorID, actorType string) int
 }
 // AuthRoleService is the service-layer dependency the AuthHandler uses
 // for role + role-permission lifecycle. Mirrors internal/service/auth.
 type AuthRoleService interface {
 	List(ctx context.Context, caller *authsvc.Caller) ([]*authdomain.Role, error)
 	Get(ctx context.Context, caller *authsvc.Caller, id string) (*authdomain.Role, error)
 	Create(ctx context.Context, caller *authsvc.Caller, role *authdomain.Role) error
 	Update(ctx context.Context, caller *authsvc.Caller, role *authdomain.Role) error
 	Delete(ctx context.Context, caller *authsvc.Caller, id string) error
 	ListPermissions(ctx context.Context, caller *authsvc.Caller, roleID string) ([]*authdomain.RolePermission, error)
 	AddPermission(ctx context.Context, caller *authsvc.Caller, roleID, permName string, scopeType authdomain.ScopeType, scopeID *string) error
 	RemovePermission(ctx context.Context, caller *authsvc.Caller, roleID, permName string, scopeType authdomain.ScopeType, scopeID *string) error
 }
 // AuthPermissionService exposes the canonical permission catalogue.
 type AuthPermissionService interface {
 	List(ctx context.Context) ([]*authdomain.Permission, error)
 	IsRegistered(name string) bool
 }
 // AuthActorRoleService manages role grants on actors and surfaces the
 // effective-permissions query the GUI's /v1/auth/me handler uses.
 type AuthActorRoleService interface {
 	Grant(ctx context.Context, caller *authsvc.Caller, ar *authdomain.ActorRole) error
 	// Audit 2026-05-11 A-4 — Revoke takes optional scope filtering so
 	// callers that hold multiple scoped variants of the same role can
 	// drop one variant selectively. opts.ScopeType == "" preserves the
 	// legacy "revoke all" semantic.
 	Revoke(ctx context.Context, caller *authsvc.Caller, actorID string, actorType domain.ActorType, roleID string, opts repository.ActorRoleRevokeOptions) error
 	ListForActor(ctx context.Context, caller *authsvc.Caller, actorID string, actorType domain.ActorType) ([]*authdomain.ActorRole, error)
 	EffectivePermissions(ctx context.Context, caller *authsvc.Caller, actorID string, actorType domain.ActorType) ([]repository.EffectivePermission, error)
 	// ListKeys (Bundle 1 Phase 7) returns every actor in the tenant
 	// with at least one role grant. The CLI's `auth keys list` and
 	// scope-down helper consume this. The synthetic actor-demo-anon
 	// row is included; the CLI filters it out of the interactive
 	// prompt loop.
 	ListKeys(ctx context.Context, caller *authsvc.Caller) ([]repository.ActorWithRoles, error)
 }
 // NewAuthHandler constructs an AuthHandler with the service-layer
 // dependencies wired in cmd/server/main.go.
 func NewAuthHandler(
 	roles AuthRoleService,
 	perms AuthPermissionService,
 	actors AuthActorRoleService,
 	checker auth.PermissionChecker,
 ) AuthHandler {
 	return AuthHandler{
 		roles:   roles,
 		perms:   perms,
 		actors:  actors,
 		checker: checker,
 	}
 }
 // WithCSRFRotator returns a copy of the handler with the CSRF-rotation
 // hook installed. Audit 2026-05-10 HIGH-2 closure — production wiring
 // in cmd/server/main.go calls this with the post-Bundle-2
 // session.Service; pre-Bundle-2 deployments + tests can leave the
 // rotator nil and the role-mutation handlers simply skip rotation.
 func (h AuthHandler) WithCSRFRotator(r CSRFRotator) AuthHandler {
 	h.csrfRotator = r
 	return h
 }
 // =============================================================================
 // JSON request / response shapes
 // =============================================================================
 type roleResponse struct {
 	ID          string `json:"id"`
 	TenantID    string `json:"tenant_id"`
 	Name        string `json:"name"`
 	Description string `json:"description"`
 	CreatedAt   string `json:"created_at"`
 	UpdatedAt   string `json:"updated_at"`
 }
 func roleToResponse(r *authdomain.Role) roleResponse {
 	return roleResponse{
 		ID:          r.ID,
 		TenantID:    r.TenantID,
 		Name:        r.Name,
 		Description: r.Description,
 		CreatedAt:   r.CreatedAt.UTC().Format("2006-01-02T15:04:05Z07:00"),
 		UpdatedAt:   r.UpdatedAt.UTC().Format("2006-01-02T15:04:05Z07:00"),
 	}
 }
 type permissionResponse struct {
 	ID        string `json:"id"`
 	Name      string `json:"name"`
 	Namespace string `json:"namespace"`
 }
 func permToResponse(p *authdomain.Permission) permissionResponse {
 	return permissionResponse{ID: p.ID, Name: p.Name, Namespace: p.Namespace}
 }
 type rolePermissionResponse struct {
 	RoleID       string  `json:"role_id"`
 	PermissionID string  `json:"permission_id"`
 	ScopeType    string  `json:"scope_type"`
 	ScopeID      *string `json:"scope_id,omitempty"`
 }
 func rolePermToResponse(g *authdomain.RolePermission) rolePermissionResponse {
 	return rolePermissionResponse{
 		RoleID:       g.RoleID,
 		PermissionID: g.PermissionID,
 		ScopeType:    string(g.ScopeType),
 		ScopeID:      g.ScopeID,
 	}
 }
 type createRoleRequest struct {
 	Name        string `json:"name"`
 	Description string `json:"description"`
 }
 type updateRoleRequest struct {
 	Name        string `json:"name"`
 	Description string `json:"description"`
 }
 type addPermissionRequest struct {
 	Permission string  `json:"permission"`
 	ScopeType  string  `json:"scope_type,omitempty"` // defaults to "global"
 	ScopeID    *string `json:"scope_id,omitempty"`
 }
 // assignRoleRequest is the POST /api/v1/auth/keys/{id}/roles body.
 //
 // Audit 2026-05-10 HIGH-10 closure — extended with scope_type /
 // scope_id / expires_at so per-actor scoped + time-bound grants are
 // expressible via the API. Pre-fix, the only path was creating a
 // scoped role and granting that; now operators can scope a standing
 // role to a specific resource on a per-actor basis.
 //
 // Validation rules:
 //   - role_id is required.
 //   - scope_type defaults to "global"; allowed values are global /
 //     profile / issuer.
 //   - scope_id is required when scope_type != "global"; rejected
 //     (must be empty) when scope_type == "global".
 //   - expires_at must be in the future when present; nil = standing.
 type assignRoleRequest struct {
 	RoleID    string     `json:"role_id"`
 	ScopeType string     `json:"scope_type,omitempty"`
 	ScopeID   *string    `json:"scope_id,omitempty"`
 	ExpiresAt *time.Time `json:"expires_at,omitempty"`
 }
 type meResponse struct {
 	ActorID              string                       `json:"actor_id"`
 	ActorType            string                       `json:"actor_type"`
 	TenantID             string                       `json:"tenant_id"`
 	Admin                bool                         `json:"admin"` // back-compat with /v1/auth/check
 	Roles                []string                     `json:"roles"`
 	EffectivePermissions []effectivePermissionPayload `json:"effective_permissions"`
 }
 type effectivePermissionPayload struct {
 	Permission string  `json:"permission"`
 	ScopeType  string  `json:"scope_type"`
 	ScopeID    *string `json:"scope_id,omitempty"`
 }
 // =============================================================================
 // Handlers
 // =============================================================================
 // ListRoles handles GET /api/v1/auth/roles.
 // Permission: auth.role.list (enforced at the service layer).
 func (h AuthHandler) ListRoles(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	roles, err := h.roles.List(r.Context(), caller)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	out := make([]roleResponse, 0, len(roles))
 	for _, role := range roles {
 		out = append(out, roleToResponse(role))
 	}
 	writeJSON(w, http.StatusOK, map[string]interface{}{"roles": out})
 }
 // GetRole handles GET /api/v1/auth/roles/{id}.
 func (h AuthHandler) GetRole(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	id := r.PathValue("id")
 	role, err := h.roles.Get(r.Context(), caller, id)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	perms, err := h.roles.ListPermissions(r.Context(), caller, id)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	permResponses := make([]rolePermissionResponse, 0, len(perms))
 	for _, p := range perms {
 		permResponses = append(permResponses, rolePermToResponse(p))
 	}
 	writeJSON(w, http.StatusOK, map[string]interface{}{
 		"role":        roleToResponse(role),
 		"permissions": permResponses,
 	})
 }
 // CreateRole handles POST /api/v1/auth/roles.
 func (h AuthHandler) CreateRole(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	var req createRoleRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		Error(w, http.StatusBadRequest, "Invalid request body")
 		return
 	}
 	if strings.TrimSpace(req.Name) == "" {
 		Error(w, http.StatusBadRequest, "role name is required")
 		return
 	}
 	role := &authdomain.Role{Name: req.Name, Description: req.Description}
 	if err := h.roles.Create(r.Context(), caller, role); err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	writeJSON(w, http.StatusCreated, roleToResponse(role))
 }
 // UpdateRole handles PUT /api/v1/auth/roles/{id}.
 func (h AuthHandler) UpdateRole(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	id := r.PathValue("id")
 	var req updateRoleRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		Error(w, http.StatusBadRequest, "Invalid request body")
 		return
 	}
 	role := &authdomain.Role{ID: id, Name: req.Name, Description: req.Description}
 	if err := h.roles.Update(r.Context(), caller, role); err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	writeJSON(w, http.StatusOK, roleToResponse(role))
 }
 // DeleteRole handles DELETE /api/v1/auth/roles/{id}.
 func (h AuthHandler) DeleteRole(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	id := r.PathValue("id")
 	if err := h.roles.Delete(r.Context(), caller, id); err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	w.WriteHeader(http.StatusNoContent)
 }
 // ListPermissions handles GET /api/v1/auth/permissions.
 func (h AuthHandler) ListPermissions(w http.ResponseWriter, r *http.Request) {
 	if _, err := callerFromRequest(r); err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	perms, err := h.perms.List(r.Context())
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	out := make([]permissionResponse, 0, len(perms))
 	for _, p := range perms {
 		out = append(out, permToResponse(p))
 	}
 	writeJSON(w, http.StatusOK, map[string]interface{}{"permissions": out})
 }
 // ListKeys handles GET /api/v1/auth/keys (Bundle 1 Phase 7).
 // Permission: auth.role.list. Returns every distinct actor in the
 // tenant with at least one role grant — the CLI's `auth keys list`
 // and scope-down flow consume this.
 func (h AuthHandler) ListKeys(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	keys, err := h.actors.ListKeys(r.Context(), caller)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	type keyEntry struct {
 		ActorID   string   `json:"actor_id"`
 		ActorType string   `json:"actor_type"`
 		TenantID  string   `json:"tenant_id"`
 		RoleIDs   []string `json:"role_ids"`
 	}
 	out := make([]keyEntry, 0, len(keys))
 	for _, k := range keys {
 		out = append(out, keyEntry{
 			ActorID:   k.ActorID,
 			ActorType: string(k.ActorType),
 			TenantID:  k.TenantID,
 			RoleIDs:   k.RoleIDs,
 		})
 	}
 	writeJSON(w, http.StatusOK, map[string]interface{}{"keys": out})
 }
 // AddRolePermission handles POST /api/v1/auth/roles/{id}/permissions.
 func (h AuthHandler) AddRolePermission(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	roleID := r.PathValue("id")
 	var req addPermissionRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		Error(w, http.StatusBadRequest, "Invalid request body")
 		return
 	}
 	if req.Permission == "" {
 		Error(w, http.StatusBadRequest, "permission is required")
 		return
 	}
 	scopeType := authdomain.ScopeType(req.ScopeType)
 	if scopeType == "" {
 		scopeType = authdomain.ScopeTypeGlobal
 	}
 	if err := h.roles.AddPermission(r.Context(), caller, roleID, req.Permission, scopeType, req.ScopeID); err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	w.WriteHeader(http.StatusNoContent)
 }
 // RemoveRolePermission handles DELETE /api/v1/auth/roles/{id}/permissions/{perm}.
 func (h AuthHandler) RemoveRolePermission(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	roleID := r.PathValue("id")
 	permName := r.PathValue("perm")
 	scopeType := authdomain.ScopeType(r.URL.Query().Get("scope_type"))
 	if scopeType == "" {
 		scopeType = authdomain.ScopeTypeGlobal
 	}
 	var scopeID *string
 	if v := r.URL.Query().Get("scope_id"); v != "" {
 		scopeID = &v
 	}
 	if err := h.roles.RemovePermission(r.Context(), caller, roleID, permName, scopeType, scopeID); err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	w.WriteHeader(http.StatusNoContent)
 }
 // AssignRoleToKey handles POST /api/v1/auth/keys/{id}/roles.
 // {id} is the API-key actor name (e.g. "alice", "ops-admin"); the
 // service layer resolves to the actor_roles row.
 func (h AuthHandler) AssignRoleToKey(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	keyID := r.PathValue("id")
 	var req assignRoleRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		Error(w, http.StatusBadRequest, "Invalid request body")
 		return
 	}
 	if req.RoleID == "" {
 		Error(w, http.StatusBadRequest, "role_id is required")
 		return
 	}
 	// Audit 2026-05-10 HIGH-10 validation.
 	scopeType := authdomain.ScopeType(req.ScopeType)
 	if scopeType == "" {
 		scopeType = authdomain.ScopeTypeGlobal
 	}
 	switch scopeType {
 	case authdomain.ScopeTypeGlobal:
 		if req.ScopeID != nil && *req.ScopeID != "" {
 			Error(w, http.StatusBadRequest, "scope_id must be empty when scope_type=global")
 			return
 		}
 	case authdomain.ScopeTypeProfile, authdomain.ScopeTypeIssuer:
 		if req.ScopeID == nil || strings.TrimSpace(*req.ScopeID) == "" {
 			Error(w, http.StatusBadRequest, "scope_id is required when scope_type is profile or issuer")
 			return
 		}
 	default:
 		Error(w, http.StatusBadRequest, "invalid scope_type — must be global, profile, or issuer")
 		return
 	}
 	if req.ExpiresAt != nil && !req.ExpiresAt.After(time.Now().UTC()) {
 		Error(w, http.StatusBadRequest, "expires_at must be in the future")
 		return
 	}
 	ar := &authdomain.ActorRole{
 		ActorID:   keyID,
 		ActorType: authdomain.ActorTypeValue(domain.ActorTypeAPIKey),
 		RoleID:    req.RoleID,
 		ScopeType: scopeType,
 		ScopeID:   req.ScopeID,
 		ExpiresAt: req.ExpiresAt,
 	}
 	if err := h.actors.Grant(r.Context(), caller, ar); err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	// Audit 2026-05-10 HIGH-2 closure — rotate CSRF across every
 	// active session of the target actor. Non-blocking (per-row
 	// failures are logged inside RotateCSRFTokenForActor but the
 	// return value isn't an error). API-key actors typically have no
 	// sessions (Bearer-only) so this is a no-op for them.
 	if h.csrfRotator != nil {
 		_ = h.csrfRotator.RotateCSRFTokenForActor(r.Context(), keyID, string(domain.ActorTypeAPIKey))
 	}
 	w.WriteHeader(http.StatusNoContent)
 }
 // RevokeRoleFromKey handles DELETE /api/v1/auth/keys/{id}/roles/{role_id}.
 //
 // Audit 2026-05-11 A-4 — two operating modes selected by presence of
 // the optional `?scope_type=` / `?scope_id=` query parameters:
 //
 //   - No query params: legacy "revoke every scope variant of this role
 //     from this actor" semantic. Preserves pre-A-4 GUI behaviour
 //     (KeysPage before Fix 12 fires plain DELETE with no scope; one
 //     button per role row).
 //
 //   - `scope_type=global` (no scope_id) or
 //     `scope_type=profile&scope_id=<id>` /
 //     `scope_type=issuer&scope_id=<id>`: drop ONLY the matching variant.
 //     Returns HTTP 404 when no row matches the scope (operator
 //     feedback for typos). Validation mirrors AssignRoleToKey:
 //     `scope_id` MUST be empty with `scope_type=global`, MUST be
 //     present with `profile` / `issuer`, anything else → 400.
 func (h AuthHandler) RevokeRoleFromKey(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	keyID := r.PathValue("id")
 	roleID := r.PathValue("role_id")
 	// Parse + validate optional scope filter. Empty query string is
 	// the legacy path; mismatched filter is rejected before the call
 	// reaches the service.
 	scopeTypeRaw := r.URL.Query().Get("scope_type")
 	scopeIDRaw := r.URL.Query().Get("scope_id")
 	opts, derr := parseRevokeScope(scopeTypeRaw, scopeIDRaw)
 	if derr != nil {
 		Error(w, http.StatusBadRequest, derr.Error())
 		return
 	}
 	if err := h.actors.Revoke(r.Context(), caller, keyID, domain.ActorTypeAPIKey, roleID, opts); err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	// Audit 2026-05-10 HIGH-2 closure — rotate CSRF post-revoke.
 	if h.csrfRotator != nil {
 		_ = h.csrfRotator.RotateCSRFTokenForActor(r.Context(), keyID, string(domain.ActorTypeAPIKey))
 	}
 	w.WriteHeader(http.StatusNoContent)
 }
 // parseRevokeScope translates the (scope_type, scope_id) query string
 // into an ActorRoleRevokeOptions. Empty inputs → legacy "revoke all"
 // option (zero value); any combination missing required halves →
 // validation error. Audit 2026-05-11 A-4 — mirrors AssignRoleToKey's
 // scope validation so the assign / revoke pair stays symmetric.
 func parseRevokeScope(scopeType, scopeID string) (repository.ActorRoleRevokeOptions, error) {
 	scopeType = strings.TrimSpace(scopeType)
 	scopeID = strings.TrimSpace(scopeID)
 	if scopeType == "" {
 		if scopeID != "" {
 			return repository.ActorRoleRevokeOptions{}, fmt.Errorf("scope_id requires scope_type")
 		}
 		return repository.ActorRoleRevokeOptions{}, nil
 	}
 	switch authdomain.ScopeType(scopeType) {
 	case authdomain.ScopeTypeGlobal:
 		if scopeID != "" {
 			return repository.ActorRoleRevokeOptions{}, fmt.Errorf("scope_id must be empty when scope_type=global")
 		}
 		return repository.ActorRoleRevokeOptions{ScopeType: authdomain.ScopeTypeGlobal}, nil
 	case authdomain.ScopeTypeProfile, authdomain.ScopeTypeIssuer:
 		if scopeID == "" {
 			return repository.ActorRoleRevokeOptions{}, fmt.Errorf("scope_id is required when scope_type is profile or issuer")
 		}
 		sid := scopeID
 		return repository.ActorRoleRevokeOptions{
 			ScopeType: authdomain.ScopeType(scopeType),
 			ScopeID:   &sid,
 		}, nil
 	default:
 		return repository.ActorRoleRevokeOptions{}, fmt.Errorf("invalid scope_type — must be global, profile, or issuer")
 	}
 }
 // Me handles GET /api/v1/auth/me. Returns the current actor's effective
 // permissions plus admin flag (back-compat with /v1/auth/check). No
 // permission required: every authenticated caller can read their own.
 func (h AuthHandler) Me(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	roles, err := h.actors.ListForActor(r.Context(), caller, caller.ActorID, caller.ActorType)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	roleIDs := make([]string, 0, len(roles))
 	hasAdmin := false
 	for _, role := range roles {
 		roleIDs = append(roleIDs, role.RoleID)
 		if role.RoleID == authdomain.RoleIDAdmin {
 			hasAdmin = true
 		}
 	}
 	effective, err := h.actors.EffectivePermissions(r.Context(), caller, caller.ActorID, caller.ActorType)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	payload := make([]effectivePermissionPayload, 0, len(effective))
 	for _, p := range effective {
 		payload = append(payload, effectivePermissionPayload{
 			Permission: p.PermissionName,
 			ScopeType:  string(p.ScopeType),
 			ScopeID:    p.ScopeID,
 		})
 	}
 	writeJSON(w, http.StatusOK, meResponse{
 		ActorID:              caller.ActorID,
 		ActorType:            string(caller.ActorType),
 		TenantID:             caller.TenantID,
 		Admin:                hasAdmin,
 		Roles:                roleIDs,
 		EffectivePermissions: payload,
 	})
 }
 // =============================================================================
 // Helpers
 // =============================================================================
 // callerFromRequest builds an authsvc.Caller from request context. The
 // auth middleware (Phase 3) populates ActorIDKey / ActorTypeKey /
 // TenantIDKey on every authenticated request. Returns auth.ErrNoActor
 // when no actor is in context (handler returns 401).
 func callerFromRequest(r *http.Request) (*authsvc.Caller, error) {
 	ctx := r.Context()
 	actorID := auth.GetActorID(ctx)
 	if actorID == "" {
 		return nil, auth.ErrNoActor
 	}
 	actorType := auth.GetActorType(ctx)
 	if actorType == "" {
 		actorType = auth.ActorTypeAPIKey
 	}
 	tenantID := auth.GetTenantID(ctx)
 	return &authsvc.Caller{
 		ActorID:   actorID,
 		ActorType: domain.ActorType(actorType),
 		TenantID:  tenantID,
 	}, nil
 }
 // writeAuthError translates service-layer + repository sentinel errors
 // into HTTP status codes. Any non-mapped error is 500.
 func writeAuthError(w http.ResponseWriter, err error) {
 	switch {
 	case errors.Is(err, auth.ErrNoActor), errors.Is(err, authsvc.ErrUnauthenticated):
 		Error(w, http.StatusUnauthorized, "Authentication required")
 	case errors.Is(err, authsvc.ErrForbidden), errors.Is(err, authsvc.ErrSelfRoleAssignment):
 		Error(w, http.StatusForbidden, err.Error())
 	case errors.Is(err, authsvc.ErrInvalidPermission):
 		Error(w, http.StatusBadRequest, err.Error())
 	case errors.Is(err, repository.ErrAuthNotFound), errors.Is(err, repository.ErrActorRoleNotFound):
 		Error(w, http.StatusNotFound, "Not found")
 	case errors.Is(err, repository.ErrAuthDuplicateName), errors.Is(err, repository.ErrAuthRoleInUse), errors.Is(err, repository.ErrAuthReservedActor):
 		Error(w, http.StatusConflict, err.Error())
 	case errors.Is(err, repository.ErrAuthUnknownPermission):
 		Error(w, http.StatusBadRequest, err.Error())
 	default:
 		Error(w, http.StatusInternalServerError, "Internal error")
 	}
 }
 func writeJSON(w http.ResponseWriter, status int, v interface{}) {
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
 	w.WriteHeader(status)
 	_ = json.NewEncoder(w).Encode(v)
 }
@@ -0,0 +1,127 @@
 package handler
 import (
 	"encoding/json"
 	"errors"
 	"net/http"
 	"strings"
 	"github.com/certctl-io/certctl/internal/auth/bootstrap"
 )
 // BootstrapHandler exposes the Bundle 1 Phase 6 day-0 admin path.
 //
 // Threat model (from cowork/auth-bundle-1-prompt.md): the control
 // plane comes up with no admin actors. The operator hands the
 // CERTCTL_BOOTSTRAP_TOKEN to a single curl call; the server mints
 // the first admin key and locks the door. No subsequent invocation
 // can mint another admin via this path — the strategy state and the
 // "admin already exists" probe both close it. After bootstrap the
 // operator manages keys via /v1/auth/keys/...
 //
 // Handler shape:
 //
 //	GET  /v1/auth/bootstrap          → 200 {available:true|false}
 //	POST /v1/auth/bootstrap          → 201 {api_key, key_value, actor_id}
 //
 // The GET surface is intentionally probable from any caller; it
 // returns availability (no token, no admin probe) so the GUI and the
 // install one-liner can decide whether to render the bootstrap
 // affordance. The POST surface requires the bootstrap token and
 // returns the plaintext key value once.
 type BootstrapHandler struct {
 	svc *bootstrap.Service
 }
 // NewBootstrapHandler constructs a BootstrapHandler. svc may be nil
 // to disable both methods (handler returns 410 Gone on every call).
 func NewBootstrapHandler(svc *bootstrap.Service) BootstrapHandler {
 	return BootstrapHandler{svc: svc}
 }
 type bootstrapAvailableResponse struct {
 	Available bool `json:"available"`
 }
 type bootstrapRequest struct {
 	Token     string `json:"token"`
 	ActorName string `json:"actor_name"`
 }
 type bootstrapResponse struct {
 	ActorID   string `json:"actor_id"`
 	APIKeyID  string `json:"api_key_id"`
 	KeyValue  string `json:"key_value"`
 	CreatedAt string `json:"created_at"`
 	Message   string `json:"message"`
 }
 // Available is the GET probe. Returns {available: true} when the
 // strategy is callable AND no admin actors exist; otherwise {available:
 // false}. The endpoint never reveals the bootstrap token's existence
 // independently of admin actor state — the GUI uses this to decide
 // whether to render the "first-time setup" wizard.
 func (h BootstrapHandler) Available(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
 	available := false
 	if h.svc != nil {
 		ok, err := h.svc.Available(r.Context())
 		if err == nil {
 			available = ok
 		}
 	}
 	JSON(w, http.StatusOK, bootstrapAvailableResponse{Available: available})
 }
 // Mint is the POST handler that consumes the token + creates the
 // first admin key.
 //
 // Status mapping:
 //
 //	410 Gone        → strategy disabled (no token, admin exists, or one-shot already consumed)
 //	401 Unauthorized → token mismatch
 //	400 Bad Request  → invalid actor_name
 //	201 Created     → key minted; response carries the plaintext key value
 func (h BootstrapHandler) Mint(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
 	if h.svc == nil {
 		// No service wired = endpoint disabled. Same status as the
 		// "already consumed" path so callers can't differentiate
 		// configuration from state.
 		Error(w, http.StatusGone, "bootstrap endpoint disabled")
 		return
 	}
 	var body bootstrapRequest
 	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&body); err != nil {
 		Error(w, http.StatusBadRequest, "Invalid JSON body")
 		return
 	}
 	body.ActorName = strings.TrimSpace(body.ActorName)
 	result, err := h.svc.ValidateAndMint(r.Context(), body.Token, body.ActorName)
 	if err != nil {
 		switch {
 		case errors.Is(err, bootstrap.ErrDisabled):
 			Error(w, http.StatusGone, "bootstrap endpoint disabled")
 		case errors.Is(err, bootstrap.ErrInvalidToken):
 			Error(w, http.StatusUnauthorized, "Invalid bootstrap token")
 		case errors.Is(err, bootstrap.ErrInvalidActorName):
 			Error(w, http.StatusBadRequest, "Invalid actor_name (3-64 chars, lowercase alnum + - + _)")
 		default:
 			Error(w, http.StatusInternalServerError, "Bootstrap failed")
 		}
 		return
 	}
 	JSON(w, http.StatusCreated, bootstrapResponse{
 		ActorID:   result.APIKey.Name,
 		APIKeyID:  result.APIKey.ID,
 		KeyValue:  result.KeyValue,
 		CreatedAt: result.APIKey.CreatedAt.UTC().Format("2006-01-02T15:04:05Z07:00"),
 		Message:   "Admin API key created. This is the only time the key value is shown — capture it now.",
 	})
 }
@@ -0,0 +1,275 @@
 package handler
 import (
 	"bytes"
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
 	"io"
 	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"sync"
 	"testing"
 	"github.com/certctl-io/certctl/internal/auth/bootstrap"
 	"github.com/certctl-io/certctl/internal/domain"
 	authdomain "github.com/certctl-io/certctl/internal/domain/auth"
 )
 // =============================================================================
 // In-memory fakes (copies of the bootstrap-package fakes; the package
 // boundary keeps the bootstrap-package tests independent).
 // =============================================================================
 type stubMinter struct{ created []*authdomain.APIKey }
 func (s *stubMinter) Create(_ context.Context, k *authdomain.APIKey) error {
 	s.created = append(s.created, k)
 	return nil
 }
 func (s *stubMinter) GetByName(_ context.Context, _ string) (*authdomain.APIKey, error) {
 	return nil, nil
 }
 type stubGranter struct{ calls []*authdomain.ActorRole }
 func (s *stubGranter) Grant(_ context.Context, ar *authdomain.ActorRole) error {
 	s.calls = append(s.calls, ar)
 	return nil
 }
 type stubAudit struct{ calls []map[string]interface{} }
 func (s *stubAudit) RecordEventWithCategory(_ context.Context, _ string, _ domain.ActorType, _ string, _ string, _ string, _ string, details map[string]interface{}) error {
 	s.calls = append(s.calls, details)
 	return nil
 }
 type stubKeyStore struct {
 	mu   sync.Mutex
 	rows []string
 }
 func (s *stubKeyStore) AddHashed(name, hash string, _ bool) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	s.rows = append(s.rows, name+":"+hash)
 }
 func sha(s string) string {
 	h := sha256.Sum256([]byte(s))
 	return hex.EncodeToString(h[:])
 }
 func newBootstrapHandlerWith(token string, probe bootstrap.AdminExistenceProbe) (BootstrapHandler, *stubMinter, *stubGranter, *stubAudit, *stubKeyStore) {
 	strategy := bootstrap.NewEnvTokenStrategy(token, probe)
 	minter := &stubMinter{}
 	granter := &stubGranter{}
 	audit := &stubAudit{}
 	store := &stubKeyStore{}
 	svc := bootstrap.NewService(strategy, minter, granter, audit, store, sha)
 	return NewBootstrapHandler(svc), minter, granter, audit, store
 }
 // =============================================================================
 // Handler tests
 // =============================================================================
 // TestBootstrapHandler_Mint_ValidTokenReturns201 is the happy path.
 // Plaintext key value present in the response body; only the hash is
 // persisted via the minter.
 func TestBootstrapHandler_Mint_ValidTokenReturns201(t *testing.T) {
 	h, minter, granter, audit, store := newBootstrapHandlerWith("the-token", nil)
 	body, _ := json.Marshal(map[string]string{"token": "the-token", "actor_name": "first-admin"})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/bootstrap", bytes.NewReader(body))
 	rec := httptest.NewRecorder()
 	h.Mint(rec, req)
 	if rec.Code != http.StatusCreated {
 		t.Fatalf("status = %d, want 201; body=%s", rec.Code, rec.Body.String())
 	}
 	var resp bootstrapResponse
 	if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil {
 		t.Fatalf("decode: %v", err)
 	}
 	if resp.ActorID != "first-admin" {
 		t.Errorf("actor_id = %q, want first-admin", resp.ActorID)
 	}
 	if resp.KeyValue == "" {
 		t.Errorf("key_value missing from response")
 	}
 	if len(minter.created) != 1 || len(granter.calls) != 1 || len(audit.calls) != 1 || len(store.rows) != 1 {
 		t.Errorf("side effects mismatch: minter=%d grants=%d audit=%d keystore=%d",
 			len(minter.created), len(granter.calls), len(audit.calls), len(store.rows))
 	}
 }
 // TestBootstrapHandler_Mint_WrongToken_401 pins the wrong-token mapping.
 func TestBootstrapHandler_Mint_WrongToken_401(t *testing.T) {
 	h, _, _, _, _ := newBootstrapHandlerWith("the-token", nil)
 	body, _ := json.Marshal(map[string]string{"token": "wrong", "actor_name": "first-admin"})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/bootstrap", bytes.NewReader(body))
 	rec := httptest.NewRecorder()
 	h.Mint(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("status = %d, want 401", rec.Code)
 	}
 }
 // TestBootstrapHandler_Mint_TwiceReturns410 pins the one-shot
 // invariant. Second call after a successful first call returns 410
 // Gone, NOT 401 (which would suggest "wrong token, retry").
 func TestBootstrapHandler_Mint_TwiceReturns410(t *testing.T) {
 	h, _, _, _, _ := newBootstrapHandlerWith("the-token", nil)
 	body, _ := json.Marshal(map[string]string{"token": "the-token", "actor_name": "first-admin"})
 	rec1 := httptest.NewRecorder()
 	h.Mint(rec1, httptest.NewRequest(http.MethodPost, "/api/v1/auth/bootstrap", bytes.NewReader(body)))
 	if rec1.Code != http.StatusCreated {
 		t.Fatalf("first call status = %d, want 201", rec1.Code)
 	}
 	rec2 := httptest.NewRecorder()
 	h.Mint(rec2, httptest.NewRequest(http.MethodPost, "/api/v1/auth/bootstrap", bytes.NewReader(body)))
 	if rec2.Code != http.StatusGone {
 		t.Errorf("second call status = %d, want 410 Gone", rec2.Code)
 	}
 }
 // TestBootstrapHandler_Mint_AdminExists410 pins that the admin-
 // existence probe gates the endpoint. Operator forgets to unset
 // CERTCTL_BOOTSTRAP_TOKEN after onboarding → endpoint stays 410.
 func TestBootstrapHandler_Mint_AdminExists410(t *testing.T) {
 	probe := func(_ context.Context) (bool, error) { return true, nil }
 	h, _, _, _, _ := newBootstrapHandlerWith("the-token", probe)
 	body, _ := json.Marshal(map[string]string{"token": "the-token", "actor_name": "first-admin"})
 	rec := httptest.NewRecorder()
 	h.Mint(rec, httptest.NewRequest(http.MethodPost, "/api/v1/auth/bootstrap", bytes.NewReader(body)))
 	if rec.Code != http.StatusGone {
 		t.Errorf("status = %d, want 410 Gone (admin already exists)", rec.Code)
 	}
 }
 // TestBootstrapHandler_Mint_NoTokenConfigured410 pins that an unset
 // CERTCTL_BOOTSTRAP_TOKEN closes the path (410), matching the
 // "endpoint disabled" semantics the prompt requires.
 func TestBootstrapHandler_Mint_NoTokenConfigured410(t *testing.T) {
 	h, _, _, _, _ := newBootstrapHandlerWith("", nil)
 	body, _ := json.Marshal(map[string]string{"token": "anything", "actor_name": "first-admin"})
 	rec := httptest.NewRecorder()
 	h.Mint(rec, httptest.NewRequest(http.MethodPost, "/api/v1/auth/bootstrap", bytes.NewReader(body)))
 	if rec.Code != http.StatusGone {
 		t.Errorf("status = %d, want 410 Gone (no token configured)", rec.Code)
 	}
 }
 // TestBootstrapHandler_Mint_BadActorName_400 pins the actor-name
 // validation surface (charset, length).
 func TestBootstrapHandler_Mint_BadActorName_400(t *testing.T) {
 	h, _, _, _, _ := newBootstrapHandlerWith("the-token", nil)
 	cases := []string{"", "AB", "has space", "Has-Caps"}
 	for _, name := range cases {
 		body, _ := json.Marshal(map[string]string{"token": "the-token", "actor_name": name})
 		rec := httptest.NewRecorder()
 		// Each request consumes the strategy on success so we rebuild
 		// per case.
 		h2, _, _, _, _ := newBootstrapHandlerWith("the-token", nil)
 		h2.Mint(rec, httptest.NewRequest(http.MethodPost, "/api/v1/auth/bootstrap", bytes.NewReader(body)))
 		if rec.Code != http.StatusBadRequest {
 			t.Errorf("name=%q status = %d, want 400", name, rec.Code)
 		}
 	}
 	_ = h
 }
 // TestBootstrapHandler_Available_NoTokenSet pins the GET probe shape:
 // {available:false} when the token is unset.
 func TestBootstrapHandler_Available_NoTokenSet(t *testing.T) {
 	h, _, _, _, _ := newBootstrapHandlerWith("", nil)
 	rec := httptest.NewRecorder()
 	h.Available(rec, httptest.NewRequest(http.MethodGet, "/api/v1/auth/bootstrap", nil))
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200", rec.Code)
 	}
 	var resp bootstrapAvailableResponse
 	_ = json.NewDecoder(rec.Body).Decode(&resp)
 	if resp.Available {
 		t.Errorf("available=true with no token, want false")
 	}
 }
 // TestBootstrapHandler_Available_TokenSetNoAdmin returns true.
 func TestBootstrapHandler_Available_TokenSetNoAdmin(t *testing.T) {
 	probe := func(_ context.Context) (bool, error) { return false, nil }
 	h, _, _, _, _ := newBootstrapHandlerWith("the-token", probe)
 	rec := httptest.NewRecorder()
 	h.Available(rec, httptest.NewRequest(http.MethodGet, "/api/v1/auth/bootstrap", nil))
 	var resp bootstrapAvailableResponse
 	_ = json.NewDecoder(rec.Body).Decode(&resp)
 	if !resp.Available {
 		t.Errorf("available=false with token set + no admin, want true")
 	}
 }
 // TestBootstrapHandler_TokenLeakHygiene scans the slog logger output
 // after a happy-path mint. The bootstrap token MUST NOT appear in any
 // log line. Audit details, app logs, error wrappers — none of them
 // can contain the token.
 func TestBootstrapHandler_TokenLeakHygiene(t *testing.T) {
 	const token = "extremely-secret-bootstrap-token-do-not-leak"
 	// Capture every slog write. Tests in this package (and the
 	// upstream service package) currently use the global slog
 	// default; we redirect it for the duration of this test.
 	var logBuf bytes.Buffer
 	origLogger := slog.Default()
 	slog.SetDefault(slog.New(slog.NewJSONHandler(&logBuf, &slog.HandlerOptions{Level: slog.LevelDebug})))
 	defer slog.SetDefault(origLogger)
 	h, _, _, audit, _ := newBootstrapHandlerWith(token, nil)
 	body, _ := json.Marshal(map[string]string{"token": token, "actor_name": "first-admin"})
 	rec := httptest.NewRecorder()
 	h.Mint(rec, httptest.NewRequest(http.MethodPost, "/api/v1/auth/bootstrap", bytes.NewReader(body)))
 	if rec.Code != http.StatusCreated {
 		t.Fatalf("status = %d", rec.Code)
 	}
 	if strings.Contains(logBuf.String(), token) {
 		t.Errorf("bootstrap token leaked into slog output")
 	}
 	for i, c := range audit.calls {
 		blob, _ := json.Marshal(c)
 		if strings.Contains(string(blob), token) {
 			t.Errorf("bootstrap token leaked into audit details[%d]: %s", i, blob)
 		}
 	}
 	if strings.Contains(rec.Header().Get("Location"), token) {
 		t.Errorf("bootstrap token leaked into Location header")
 	}
 }
 // TestBootstrapHandler_Mint_BodyReadCapped guards against a bad-faith
 // caller posting a 1MB token field. The handler caps the request body
 // at 4KB; a 5KB body should fail to decode.
 func TestBootstrapHandler_Mint_BodyReadCapped(t *testing.T) {
 	h, _, _, _, _ := newBootstrapHandlerWith("t", nil)
 	huge := strings.Repeat("a", 5000)
 	body := []byte(`{"token":"t","actor_name":"first-admin","filler":"` + huge + `"}`)
 	rec := httptest.NewRecorder()
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/bootstrap", bytes.NewReader(body))
 	h.Mint(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("oversized body should yield 400, got %d", rec.Code)
 	}
 }
 // keep io reachable (some compiler runs strip unused imports during
 // AST refactors; explicit ref guards against that without producing a
 // real test side effect).
 var _ = io.Discard
@@ -0,0 +1,317 @@
 // Package handler — Auth Bundle 2 Phase 7.5 / break-glass admin HTTP surface.
 //
 // 4 endpoints across two access levels:
 //
 //  1. Public (auth-bypass; the whole point is to log in WITHOUT
 //     existing creds):
 //     POST /auth/breakglass/login
 //     Rate-limited at 5/minute per source IP via the existing
 //     rate limiter middleware. When CERTCTL_BREAKGLASS_ENABLED=false,
 //     returns 404 (NOT 403) so the surface is invisible to scanners.
 //
 //  2. RBAC-gated (auth.breakglass.admin):
 //     POST   /api/v1/auth/breakglass/credentials
 //     POST   /api/v1/auth/breakglass/credentials/{actor_id}/unlock
 //     DELETE /api/v1/auth/breakglass/credentials/{actor_id}
 //
 // The handler delegates to internal/auth/breakglass.Service for the
 // load-bearing logic (Argon2id hashing, lockout state machine,
 // constant-time-compare, identical-shape errors). This file is purely
 // HTTP shape — request-binding, status-code mapping, audit attribution
 // for the caller-actor-id wire-up.
 package handler
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/certctl-io/certctl/internal/auth/breakglass"
 	bgdomain "github.com/certctl-io/certctl/internal/auth/breakglass/domain"
 	sessiondomain "github.com/certctl-io/certctl/internal/auth/session/domain"
 )
 // =============================================================================
 // AuthBreakglassHandler.
 // =============================================================================
 // BreakglassService is the projection of *breakglass.Service the
 // handler consumes. Defining the projection here keeps the handler
 // stub-friendly + decoupled from the wider service surface.
 type BreakglassService interface {
 	Enabled() bool
 	SetPassword(ctx context.Context, callerActorID, targetActorID, plaintext string) (*breakglass.SetPasswordResult, error)
 	Authenticate(ctx context.Context, actorID, plaintext, ip, userAgent string) (*breakglass.AuthenticateResult, error)
 	Unlock(ctx context.Context, callerActorID, targetActorID string) error
 	RemoveCredential(ctx context.Context, callerActorID, targetActorID string) error
 	List(ctx context.Context) ([]*bgdomain.BreakglassCredential, error)
 }
 // AuthBreakglassHandler ships the Phase 7.5 surface.
 type AuthBreakglassHandler struct {
 	svc         BreakglassService
 	cookieAttrs SessionCookieAttrs
 }
 // NewAuthBreakglassHandler constructs the handler.
 func NewAuthBreakglassHandler(svc BreakglassService, cookieAttrs SessionCookieAttrs) *AuthBreakglassHandler {
 	return &AuthBreakglassHandler{svc: svc, cookieAttrs: cookieAttrs}
 }
 // =============================================================================
 // 1. Public login endpoint.
 // =============================================================================
 type breakglassLoginRequest struct {
 	ActorID  string `json:"actor_id"`
 	Password string `json:"password"`
 }
 // Login handles POST /auth/breakglass/login.
 //
 // Auth-bypass — the whole point is to log in WITHOUT existing creds.
 // When Service.Enabled() == false, returns 404 (NOT 403) so the surface
 // is invisible to scanners. On success, sets the post-login session
 // cookie + CSRF cookie + 204 No Content. On any failure (wrong password,
 // locked account, no credential, unknown actor): uniform 401 + identical
 // timing.
 func (h *AuthBreakglassHandler) Login(w http.ResponseWriter, r *http.Request) {
 	if h.svc == nil || !h.svc.Enabled() {
 		// Surface invisibility — 404 (NOT 403) per Phase 7.5 spec.
 		http.NotFound(w, r)
 		return
 	}
 	var req breakglassLoginRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		// Even invalid JSON returns 401 (identical to wrong-password) —
 		// no scanner-friendly 400 that distinguishes "wrong shape" vs
 		// "wrong password".
 		Error(w, http.StatusUnauthorized, "invalid credentials")
 		return
 	}
 	if strings.TrimSpace(req.ActorID) == "" || req.Password == "" {
 		Error(w, http.StatusUnauthorized, "invalid credentials")
 		return
 	}
 	ip := clientIPFromRequest(r)
 	res, err := h.svc.Authenticate(r.Context(), req.ActorID, req.Password, ip, r.UserAgent())
 	if err != nil {
 		// All authenticate errors map to the SAME 401 + same body.
 		// The service has already audited the specific failure category.
 		Error(w, http.StatusUnauthorized, "invalid credentials")
 		return
 	}
 	// Set the post-login session cookie + CSRF cookie. Same attributes
 	// as the OIDC callback handler in auth_session_oidc.go; we
 	// duplicate the 8-line cookie-set block here so the break-glass
 	// handler doesn't import the OIDC handler package.
 	now := time.Now().UTC()
 	expires := now.Add(8 * time.Hour) // matches default SessionConfig.AbsoluteTimeout
 	http.SetCookie(w, &http.Cookie{
 		Name:     sessiondomain.PostLoginCookieName,
 		Value:    res.CookieValue,
 		Path:     "/",
 		Expires:  expires,
 		Secure:   h.cookieAttrs.Secure,
 		HttpOnly: true,
 		SameSite: h.cookieAttrs.SameSite,
 	})
 	http.SetCookie(w, &http.Cookie{
 		Name:     sessiondomain.CSRFCookieName,
 		Value:    res.CSRFToken,
 		Path:     "/",
 		Expires:  expires,
 		Secure:   h.cookieAttrs.Secure,
 		HttpOnly: false, // intentional — GUI must read it
 		SameSite: h.cookieAttrs.SameSite,
 	})
 	w.WriteHeader(http.StatusNoContent)
 }
 // =============================================================================
 // 2. Admin endpoints.
 // =============================================================================
 type breakglassSetPasswordRequest struct {
 	ActorID  string `json:"actor_id"`
 	Password string `json:"password"`
 }
 // SetPassword handles POST /api/v1/auth/breakglass/credentials.
 // Permission: auth.breakglass.admin (gated at the router via rbacGate).
 //
 // When Service.Enabled() == false, returns 404 — admin endpoints share
 // the surface-invisibility property with the login endpoint so an
 // attacker probing for break-glass via the admin surface gets the same
 // signal as probing the login endpoint.
 func (h *AuthBreakglassHandler) SetPassword(w http.ResponseWriter, r *http.Request) {
 	if h.svc == nil || !h.svc.Enabled() {
 		http.NotFound(w, r)
 		return
 	}
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	var req breakglassSetPasswordRequest
 	if derr := json.NewDecoder(r.Body).Decode(&req); derr != nil {
 		Error(w, http.StatusBadRequest, "invalid JSON body")
 		return
 	}
 	res, serr := h.svc.SetPassword(r.Context(), caller.ActorID, req.ActorID, req.Password)
 	if serr != nil {
 		switch {
 		case errors.Is(serr, breakglass.ErrWeakPassword):
 			Error(w, http.StatusBadRequest, "password fails strength requirements (min 12 bytes, max 256 bytes)")
 		case errors.Is(serr, breakglass.ErrUnauthenticated):
 			Error(w, http.StatusUnauthorized, "Authentication required")
 		case errors.Is(serr, breakglass.ErrDisabled):
 			http.NotFound(w, r)
 		default:
 			Error(w, http.StatusInternalServerError, "could not set password")
 		}
 		return
 	}
 	writeJSON(w, http.StatusCreated, map[string]interface{}{
 		"actor_id":   res.ActorID,
 		"created_at": res.CreatedAt.Format(time.RFC3339),
 	})
 }
 // Unlock handles POST /api/v1/auth/breakglass/credentials/{actor_id}/unlock.
 // Permission: auth.breakglass.admin.
 func (h *AuthBreakglassHandler) Unlock(w http.ResponseWriter, r *http.Request) {
 	if h.svc == nil || !h.svc.Enabled() {
 		http.NotFound(w, r)
 		return
 	}
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	targetID := r.PathValue("actor_id")
 	if targetID == "" {
 		Error(w, http.StatusBadRequest, "missing actor_id path param")
 		return
 	}
 	if uerr := h.svc.Unlock(r.Context(), caller.ActorID, targetID); uerr != nil {
 		switch {
 		case errors.Is(uerr, breakglass.ErrDisabled):
 			http.NotFound(w, r)
 		case errors.Is(uerr, breakglass.ErrUnauthenticated):
 			Error(w, http.StatusUnauthorized, "Authentication required")
 		default:
 			// repository.ErrBreakglassNotFound surfaces as a wrapped
 			// error here; we map to 404 via string match to avoid
 			// importing repository.
 			if strings.Contains(uerr.Error(), "not found") {
 				Error(w, http.StatusNotFound, "credential not found")
 			} else {
 				Error(w, http.StatusInternalServerError, "could not unlock credential")
 			}
 		}
 		return
 	}
 	w.WriteHeader(http.StatusNoContent)
 }
 // Remove handles DELETE /api/v1/auth/breakglass/credentials/{actor_id}.
 // Permission: auth.breakglass.admin.
 func (h *AuthBreakglassHandler) Remove(w http.ResponseWriter, r *http.Request) {
 	if h.svc == nil || !h.svc.Enabled() {
 		http.NotFound(w, r)
 		return
 	}
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	targetID := r.PathValue("actor_id")
 	if targetID == "" {
 		Error(w, http.StatusBadRequest, "missing actor_id path param")
 		return
 	}
 	if rerr := h.svc.RemoveCredential(r.Context(), caller.ActorID, targetID); rerr != nil {
 		switch {
 		case errors.Is(rerr, breakglass.ErrDisabled):
 			http.NotFound(w, r)
 		case errors.Is(rerr, breakglass.ErrUnauthenticated):
 			Error(w, http.StatusUnauthorized, "Authentication required")
 		default:
 			if strings.Contains(rerr.Error(), "not found") {
 				Error(w, http.StatusNotFound, "credential not found")
 			} else {
 				Error(w, http.StatusInternalServerError, "could not remove credential")
 			}
 		}
 		return
 	}
 	w.WriteHeader(http.StatusNoContent)
 }
 // breakglassCredentialResponse is the wire shape returned by ListCredentials.
 // Intentionally omits PasswordHash — the admin GUI only needs metadata to
 // render the credentialed-actor table.
 type breakglassCredentialResponse struct {
 	ActorID              string  `json:"actor_id"`
 	CreatedAt            string  `json:"created_at"`
 	LastPasswordChangeAt string  `json:"last_password_change_at"`
 	FailureCount         int     `json:"failure_count"`
 	LockedUntil          *string `json:"locked_until,omitempty"`
 	LastFailureAt        *string `json:"last_failure_at,omitempty"`
 }
 type listBreakglassCredentialsResponse struct {
 	Credentials []breakglassCredentialResponse `json:"credentials"`
 }
 // ListCredentials handles GET /api/v1/auth/breakglass/credentials.
 // Permission: auth.breakglass.admin.
 //
 // Audit 2026-05-10 CRIT-4 closure — backs the admin GUI Break-glass
 // page. Returns 404 when CERTCTL_BREAKGLASS_ENABLED=false (surface
 // invisibility, consistent with the other break-glass admin endpoints).
 // The password hash is NEVER serialized to the wire.
 func (h *AuthBreakglassHandler) ListCredentials(w http.ResponseWriter, r *http.Request) {
 	if h.svc == nil || !h.svc.Enabled() {
 		http.NotFound(w, r)
 		return
 	}
 	creds, err := h.svc.List(r.Context())
 	if err != nil {
 		if errors.Is(err, breakglass.ErrDisabled) {
 			http.NotFound(w, r)
 			return
 		}
 		Error(w, http.StatusInternalServerError, "could not list break-glass credentials")
 		return
 	}
 	resp := listBreakglassCredentialsResponse{Credentials: make([]breakglassCredentialResponse, 0, len(creds))}
 	for _, c := range creds {
 		row := breakglassCredentialResponse{
 			ActorID:              c.ActorID,
 			CreatedAt:            c.CreatedAt.UTC().Format(time.RFC3339),
 			LastPasswordChangeAt: c.LastPasswordChangeAt.UTC().Format(time.RFC3339),
 			FailureCount:         c.FailureCount,
 		}
 		if c.LockedUntil != nil {
 			s := c.LockedUntil.UTC().Format(time.RFC3339)
 			row.LockedUntil = &s
 		}
 		if c.LastFailureAt != nil {
 			s := c.LastFailureAt.UTC().Format(time.RFC3339)
 			row.LastFailureAt = &s
 		}
 		resp.Credentials = append(resp.Credentials, row)
 	}
 	w.Header().Set("Content-Type", "application/json")
 	_ = json.NewEncoder(w).Encode(resp)
 }
@@ -0,0 +1,316 @@
 package handler
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"github.com/certctl-io/certctl/internal/auth/breakglass"
 	bgdomain "github.com/certctl-io/certctl/internal/auth/breakglass/domain"
 )
 // Coverage fill — v2.1.0 release gate Phase 3.
 //
 // Handler-level tests for the Phase 7.5 break-glass HTTP surface.
 // Bundle 2 originally shipped these endpoints with service-level
 // tests only; the 6 0%-handler functions dragged the internal/api/
 // handler average below its 75 floor. This file backfills the
 // canonical positive + negative cases at the handler layer.
 // =============================================================================
 // Fake BreakglassService.
 // =============================================================================
 type fakeBreakglassSvc struct {
 	enabled bool
 	// Per-method return shapes. Tests set the field they care about.
 	setPasswordRes *breakglass.SetPasswordResult
 	setPasswordErr error
 	authRes        *breakglass.AuthenticateResult
 	authErr        error
 	unlockErr      error
 	removeErr      error
 	listOut        []*bgdomain.BreakglassCredential
 	listErr        error
 	// Captured args (for assertions).
 	gotSetCaller, gotSetTarget, gotSetPass          string
 	gotAuthActor, gotAuthPass, gotAuthIP, gotAuthUA string
 	gotUnlockCaller, gotUnlockTarget                string
 	gotRemoveCaller, gotRemoveTarget                string
 }
 func (f *fakeBreakglassSvc) Enabled() bool { return f.enabled }
 func (f *fakeBreakglassSvc) SetPassword(ctx context.Context, caller, target, pw string) (*breakglass.SetPasswordResult, error) {
 	f.gotSetCaller, f.gotSetTarget, f.gotSetPass = caller, target, pw
 	return f.setPasswordRes, f.setPasswordErr
 }
 func (f *fakeBreakglassSvc) Authenticate(ctx context.Context, actor, pw, ip, ua string) (*breakglass.AuthenticateResult, error) {
 	f.gotAuthActor, f.gotAuthPass, f.gotAuthIP, f.gotAuthUA = actor, pw, ip, ua
 	return f.authRes, f.authErr
 }
 func (f *fakeBreakglassSvc) Unlock(ctx context.Context, caller, target string) error {
 	f.gotUnlockCaller, f.gotUnlockTarget = caller, target
 	return f.unlockErr
 }
 func (f *fakeBreakglassSvc) RemoveCredential(ctx context.Context, caller, target string) error {
 	f.gotRemoveCaller, f.gotRemoveTarget = caller, target
 	return f.removeErr
 }
 func (f *fakeBreakglassSvc) List(ctx context.Context) ([]*bgdomain.BreakglassCredential, error) {
 	return f.listOut, f.listErr
 }
 func newBreakglassHandlerWithFake(t *testing.T, enabled bool) (*AuthBreakglassHandler, *fakeBreakglassSvc) {
 	t.Helper()
 	svc := &fakeBreakglassSvc{enabled: enabled}
 	attrs := SessionCookieAttrs{Secure: true, SameSite: http.SameSiteLaxMode}
 	return NewAuthBreakglassHandler(svc, attrs), svc
 }
 // =============================================================================
 // 1. Public login endpoint.
 // =============================================================================
 func TestBreakglassLogin_DisabledReturns404(t *testing.T) {
 	h, _ := newBreakglassHandlerWithFake(t, false /* disabled */)
 	body := bytes.NewBufferString(`{"actor_id":"alice","password":"hunter2!!"}`)
 	req := httptest.NewRequest(http.MethodPost, "/auth/breakglass/login", body)
 	rec := httptest.NewRecorder()
 	h.Login(rec, req)
 	if rec.Code != http.StatusNotFound {
 		t.Errorf("disabled service must yield 404 (surface invisibility); got %d", rec.Code)
 	}
 }
 func TestBreakglassLogin_InvalidJSONReturns401(t *testing.T) {
 	h, _ := newBreakglassHandlerWithFake(t, true)
 	req := httptest.NewRequest(http.MethodPost, "/auth/breakglass/login", bytes.NewBufferString("not-json"))
 	rec := httptest.NewRecorder()
 	h.Login(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("invalid JSON must map to 401 (NOT 400); got %d", rec.Code)
 	}
 }
 func TestBreakglassLogin_EmptyFieldsReturns401(t *testing.T) {
 	h, _ := newBreakglassHandlerWithFake(t, true)
 	req := httptest.NewRequest(http.MethodPost, "/auth/breakglass/login", bytes.NewBufferString(`{"actor_id":"","password":""}`))
 	rec := httptest.NewRecorder()
 	h.Login(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("empty actor/password must map to 401; got %d", rec.Code)
 	}
 }
 func TestBreakglassLogin_ServiceErrorReturns401(t *testing.T) {
 	h, svc := newBreakglassHandlerWithFake(t, true)
 	svc.authErr = errors.New("locked")
 	body := bytes.NewBufferString(`{"actor_id":"alice","password":"wrong"}`)
 	req := httptest.NewRequest(http.MethodPost, "/auth/breakglass/login", body)
 	rec := httptest.NewRecorder()
 	h.Login(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("auth error must map to 401; got %d", rec.Code)
 	}
 	if svc.gotAuthActor != "alice" {
 		t.Errorf("expected actor=alice; got %q", svc.gotAuthActor)
 	}
 }
 func TestBreakglassLogin_SuccessSetsCookies(t *testing.T) {
 	h, svc := newBreakglassHandlerWithFake(t, true)
 	svc.authRes = &breakglass.AuthenticateResult{CookieValue: "ses-1.abc", CSRFToken: "csrf-xyz"}
 	body := bytes.NewBufferString(`{"actor_id":"alice","password":"hunter2!!"}`)
 	req := httptest.NewRequest(http.MethodPost, "/auth/breakglass/login", body)
 	rec := httptest.NewRecorder()
 	h.Login(rec, req)
 	if rec.Code != http.StatusNoContent {
 		t.Errorf("expected 204; got %d (body=%s)", rec.Code, rec.Body.String())
 	}
 	res := rec.Result()
 	defer res.Body.Close()
 	gotSession, gotCSRF := false, false
 	for _, c := range res.Cookies() {
 		if strings.Contains(c.Name, "session") || strings.Contains(c.Name, "Session") {
 			gotSession = true
 		}
 		if strings.Contains(c.Name, "csrf") || strings.Contains(c.Name, "CSRF") {
 			gotCSRF = true
 		}
 	}
 	if !gotSession {
 		t.Errorf("expected session cookie")
 	}
 	if !gotCSRF {
 		t.Errorf("expected CSRF cookie")
 	}
 }
 // =============================================================================
 // 2. Admin endpoints — no caller context = 401.
 // =============================================================================
 func TestBreakglassSetPassword_NoCallerReturns401(t *testing.T) {
 	h, _ := newBreakglassHandlerWithFake(t, true)
 	body := bytes.NewBufferString(`{"actor_id":"alice","password":"StrongPW123!"}`)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/breakglass/credentials", body)
 	rec := httptest.NewRecorder()
 	h.SetPassword(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("missing actor ctx must yield 401; got %d", rec.Code)
 	}
 }
 func TestBreakglassSetPassword_DisabledReturns404(t *testing.T) {
 	h, _ := newBreakglassHandlerWithFake(t, false)
 	body := bytes.NewBufferString(`{"actor_id":"alice","password":"StrongPW123!"}`)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/breakglass/credentials", body)
 	req = withAuthCtx(req, "admin", "User")
 	rec := httptest.NewRecorder()
 	h.SetPassword(rec, req)
 	if rec.Code != http.StatusNotFound {
 		t.Errorf("disabled must yield 404; got %d", rec.Code)
 	}
 }
 func TestBreakglassSetPassword_InvalidJSONReturns400(t *testing.T) {
 	h, _ := newBreakglassHandlerWithFake(t, true)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/breakglass/credentials", bytes.NewBufferString("nope"))
 	req = withAuthCtx(req, "admin", "User")
 	rec := httptest.NewRecorder()
 	h.SetPassword(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("invalid JSON must map to 400 on admin endpoint; got %d", rec.Code)
 	}
 }
 func TestBreakglassSetPassword_HappyPath(t *testing.T) {
 	h, svc := newBreakglassHandlerWithFake(t, true)
 	svc.setPasswordRes = &breakglass.SetPasswordResult{}
 	body := bytes.NewBufferString(`{"actor_id":"alice","password":"StrongPW123!"}`)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/breakglass/credentials", body)
 	req = withAuthCtx(req, "admin", "User")
 	rec := httptest.NewRecorder()
 	h.SetPassword(rec, req)
 	if rec.Code != http.StatusCreated && rec.Code != http.StatusOK && rec.Code != http.StatusNoContent {
 		t.Errorf("expected 2xx; got %d (body=%s)", rec.Code, rec.Body.String())
 	}
 	if svc.gotSetTarget != "alice" {
 		t.Errorf("expected target=alice; got %q", svc.gotSetTarget)
 	}
 	if svc.gotSetCaller != "admin" {
 		t.Errorf("expected caller=admin; got %q", svc.gotSetCaller)
 	}
 }
 func TestBreakglassUnlock_DisabledReturns404(t *testing.T) {
 	h, _ := newBreakglassHandlerWithFake(t, false)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/breakglass/credentials/alice/unlock", nil)
 	req = withAuthCtx(req, "admin", "User")
 	rec := httptest.NewRecorder()
 	h.Unlock(rec, req)
 	if rec.Code != http.StatusNotFound {
 		t.Errorf("disabled must yield 404; got %d", rec.Code)
 	}
 }
 func TestBreakglassUnlock_NoActorReturns401(t *testing.T) {
 	h, _ := newBreakglassHandlerWithFake(t, true)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/breakglass/credentials/alice/unlock", nil)
 	rec := httptest.NewRecorder()
 	h.Unlock(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("missing actor ctx must yield 401; got %d", rec.Code)
 	}
 }
 func TestBreakglassRemove_DisabledReturns404(t *testing.T) {
 	h, _ := newBreakglassHandlerWithFake(t, false)
 	req := httptest.NewRequest(http.MethodDelete, "/api/v1/auth/breakglass/credentials/alice", nil)
 	req = withAuthCtx(req, "admin", "User")
 	rec := httptest.NewRecorder()
 	h.Remove(rec, req)
 	if rec.Code != http.StatusNotFound {
 		t.Errorf("disabled must yield 404; got %d", rec.Code)
 	}
 }
 func TestBreakglassRemove_NoActorReturns401(t *testing.T) {
 	h, _ := newBreakglassHandlerWithFake(t, true)
 	req := httptest.NewRequest(http.MethodDelete, "/api/v1/auth/breakglass/credentials/alice", nil)
 	rec := httptest.NewRecorder()
 	h.Remove(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("missing actor ctx must yield 401; got %d", rec.Code)
 	}
 }
 // ListCredentials surfaces the read side.
 func TestBreakglassListCredentials_DisabledReturns404(t *testing.T) {
 	h, _ := newBreakglassHandlerWithFake(t, false)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/breakglass/credentials", nil)
 	req = withAuthCtx(req, "admin", "User")
 	rec := httptest.NewRecorder()
 	h.ListCredentials(rec, req)
 	if rec.Code != http.StatusNotFound {
 		t.Errorf("disabled must yield 404; got %d", rec.Code)
 	}
 }
 // ListCredentials does not re-check the actor context — the auth
 // gate sits at the router/middleware layer via rbacGate. So a missing
 // actor ctx here just means the test fixture wasn't authenticated;
 // the handler itself returns 200 with the body content. The test
 // pins this contract so a future refactor that adds a handler-level
 // actor check will trip this case.
 func TestBreakglassListCredentials_NoActorCtxStillReturns200(t *testing.T) {
 	h, _ := newBreakglassHandlerWithFake(t, true)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/breakglass/credentials", nil)
 	rec := httptest.NewRecorder()
 	h.ListCredentials(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Errorf("handler-only path returns 200 (router rbacGate is the auth gate); got %d", rec.Code)
 	}
 }
 func TestBreakglassListCredentials_HappyPath(t *testing.T) {
 	h, svc := newBreakglassHandlerWithFake(t, true)
 	svc.listOut = []*bgdomain.BreakglassCredential{
 		{ActorID: "alice", TenantID: "t-default"},
 		{ActorID: "bob", TenantID: "t-default"},
 	}
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/breakglass/credentials", nil)
 	req = withAuthCtx(req, "admin", "User")
 	rec := httptest.NewRecorder()
 	h.ListCredentials(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Errorf("expected 200; got %d (body=%s)", rec.Code, rec.Body.String())
 	}
 	// Body should be JSON with both actors. We don't assume the exact
 	// envelope shape; just check the names appear and the password
 	// hashes are NOT present in the wire response.
 	body := rec.Body.String()
 	if !strings.Contains(body, "alice") || !strings.Contains(body, "bob") {
 		t.Errorf("expected both actors in body; got: %s", body)
 	}
 	// The PasswordHash field carries json:"-" so the encoded value
 	// must NEVER contain the hash. The field name "password_hash" or
 	// any Argon2id PHC prefix is the signal.
 	if strings.Contains(body, "password_hash") || strings.Contains(body, "$argon2") {
 		t.Errorf("password hashes must NOT appear in wire response; got: %s", body)
 	}
 	// Defensive — confirm it's valid JSON.
 	var anyResp interface{}
 	if err := json.Unmarshal(rec.Body.Bytes(), &anyResp); err != nil {
 		t.Errorf("response body must be valid JSON: %v", err)
 	}
 }
@@ -0,0 +1,905 @@
 package handler
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"time"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
 	authdomain "github.com/certctl-io/certctl/internal/domain/auth"
 	"github.com/certctl-io/certctl/internal/repository"
 	authsvc "github.com/certctl-io/certctl/internal/service/auth"
 )
 // =============================================================================
 // In-memory fakes — sufficient for handler-level translation tests. The
 // service-layer privilege guards live in internal/service/auth and are
 // covered there; these tests pin HTTP shape (status code, JSON envelope,
 // error mapping).
 // =============================================================================
 type fakeAuthRoleSvc struct {
 	roles      map[string]*authdomain.Role
 	rolePerms  map[string][]*authdomain.RolePermission
 	listErr    error
 	createErr  error
 	deleteErr  error
 	addPermErr error
 }
 func newFakeAuthRoleSvc() *fakeAuthRoleSvc {
 	return &fakeAuthRoleSvc{
 		roles:     map[string]*authdomain.Role{},
 		rolePerms: map[string][]*authdomain.RolePermission{},
 	}
 }
 func (f *fakeAuthRoleSvc) List(_ context.Context, _ *authsvc.Caller) ([]*authdomain.Role, error) {
 	if f.listErr != nil {
 		return nil, f.listErr
 	}
 	out := make([]*authdomain.Role, 0, len(f.roles))
 	for _, r := range f.roles {
 		out = append(out, r)
 	}
 	return out, nil
 }
 func (f *fakeAuthRoleSvc) Get(_ context.Context, _ *authsvc.Caller, id string) (*authdomain.Role, error) {
 	r, ok := f.roles[id]
 	if !ok {
 		return nil, repository.ErrAuthNotFound
 	}
 	return r, nil
 }
 func (f *fakeAuthRoleSvc) Create(_ context.Context, _ *authsvc.Caller, role *authdomain.Role) error {
 	if f.createErr != nil {
 		return f.createErr
 	}
 	if role.ID == "" {
 		role.ID = "r-" + role.Name
 	}
 	f.roles[role.ID] = role
 	return nil
 }
 func (f *fakeAuthRoleSvc) Update(_ context.Context, _ *authsvc.Caller, role *authdomain.Role) error {
 	f.roles[role.ID] = role
 	return nil
 }
 func (f *fakeAuthRoleSvc) Delete(_ context.Context, _ *authsvc.Caller, id string) error {
 	if f.deleteErr != nil {
 		return f.deleteErr
 	}
 	delete(f.roles, id)
 	return nil
 }
 func (f *fakeAuthRoleSvc) ListPermissions(_ context.Context, _ *authsvc.Caller, roleID string) ([]*authdomain.RolePermission, error) {
 	return f.rolePerms[roleID], nil
 }
 func (f *fakeAuthRoleSvc) AddPermission(_ context.Context, _ *authsvc.Caller, roleID, permName string, scopeType authdomain.ScopeType, scopeID *string) error {
 	if f.addPermErr != nil {
 		return f.addPermErr
 	}
 	f.rolePerms[roleID] = append(f.rolePerms[roleID], &authdomain.RolePermission{
 		RoleID: roleID, PermissionID: "p-" + permName, ScopeType: scopeType, ScopeID: scopeID,
 	})
 	return nil
 }
 func (f *fakeAuthRoleSvc) RemovePermission(_ context.Context, _ *authsvc.Caller, _ string, _ string, _ authdomain.ScopeType, _ *string) error {
 	return nil
 }
 type fakeAuthPermSvc struct {
 	perms []*authdomain.Permission
 }
 func newFakeAuthPermSvc() *fakeAuthPermSvc {
 	out := make([]*authdomain.Permission, 0, len(authdomain.CanonicalPermissions))
 	for _, p := range authdomain.CanonicalPermissions {
 		out = append(out, &authdomain.Permission{ID: "p-" + p, Name: p, Namespace: p})
 	}
 	return &fakeAuthPermSvc{perms: out}
 }
 func (f *fakeAuthPermSvc) List(_ context.Context) ([]*authdomain.Permission, error) {
 	return f.perms, nil
 }
 func (f *fakeAuthPermSvc) IsRegistered(name string) bool {
 	for _, p := range f.perms {
 		if p.Name == name {
 			return true
 		}
 	}
 	return false
 }
 type fakeAuthActorSvc struct {
 	grantErr  error
 	revokeErr error
 	roles     []*authdomain.ActorRole
 	effective []repository.EffectivePermission
 	// Audit 2026-05-11 A-4 — capture Revoke opts so tests can assert
 	// that the handler forwards scope_type / scope_id correctly.
 	revokeOpts repository.ActorRoleRevokeOptions
 	revokeCall struct {
 		actorID, roleID string
 		called          bool
 	}
 }
 func newFakeAuthActorSvc() *fakeAuthActorSvc {
 	return &fakeAuthActorSvc{}
 }
 func (f *fakeAuthActorSvc) Grant(_ context.Context, _ *authsvc.Caller, ar *authdomain.ActorRole) error {
 	if f.grantErr != nil {
 		return f.grantErr
 	}
 	f.roles = append(f.roles, ar)
 	return nil
 }
 func (f *fakeAuthActorSvc) Revoke(_ context.Context, _ *authsvc.Caller, actorID string, _ domain.ActorType, roleID string, opts repository.ActorRoleRevokeOptions) error {
 	f.revokeCall.called = true
 	f.revokeCall.actorID = actorID
 	f.revokeCall.roleID = roleID
 	f.revokeOpts = opts
 	return f.revokeErr
 }
 func (f *fakeAuthActorSvc) ListForActor(_ context.Context, _ *authsvc.Caller, _ string, _ domain.ActorType) ([]*authdomain.ActorRole, error) {
 	return f.roles, nil
 }
 func (f *fakeAuthActorSvc) EffectivePermissions(_ context.Context, _ *authsvc.Caller, _ string, _ domain.ActorType) ([]repository.EffectivePermission, error) {
 	return f.effective, nil
 }
 func (f *fakeAuthActorSvc) ListKeys(_ context.Context, _ *authsvc.Caller) ([]repository.ActorWithRoles, error) {
 	out := make([]repository.ActorWithRoles, 0, len(f.roles))
 	for _, ar := range f.roles {
 		out = append(out, repository.ActorWithRoles{
 			ActorID:   ar.ActorID,
 			ActorType: ar.ActorType,
 			TenantID:  ar.TenantID,
 			RoleIDs:   []string{ar.RoleID},
 		})
 	}
 	return out, nil
 }
 type fakePermChecker struct {
 	check func(ctx context.Context, actorID, actorType, tenantID, perm, scopeType string, scopeID *string) (bool, error)
 }
 func (f *fakePermChecker) CheckPermission(ctx context.Context, actorID, actorType, tenantID, perm, scopeType string, scopeID *string) (bool, error) {
 	if f.check == nil {
 		return true, nil
 	}
 	return f.check(ctx, actorID, actorType, tenantID, perm, scopeType, scopeID)
 }
 func newAuthHandlerWithFakes() (AuthHandler, *fakeAuthRoleSvc, *fakeAuthPermSvc, *fakeAuthActorSvc) {
 	roles := newFakeAuthRoleSvc()
 	perms := newFakeAuthPermSvc()
 	actors := newFakeAuthActorSvc()
 	checker := &fakePermChecker{}
 	return NewAuthHandler(roles, perms, actors, checker), roles, perms, actors
 }
 // withAuthCtx populates the Phase 3 actor context keys on a request.
 func withAuthCtx(req *http.Request, actorID, actorType string) *http.Request {
 	ctx := req.Context()
 	ctx = context.WithValue(ctx, auth.ActorIDKey{}, actorID)
 	ctx = context.WithValue(ctx, auth.ActorTypeKey{}, actorType)
 	return req.WithContext(ctx)
 }
 // =============================================================================
 // Tests
 // =============================================================================
 func TestAuthHandler_NoActorReturns401(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles", nil)
 	rec := httptest.NewRecorder()
 	h.ListRoles(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("ListRoles without actor should yield 401; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_ListRolesReturnsAllRoles(t *testing.T) {
 	h, roleSvc, _, _ := newAuthHandlerWithFakes()
 	roleSvc.roles["r-admin"] = &authdomain.Role{ID: "r-admin", Name: "admin"}
 	roleSvc.roles["r-viewer"] = &authdomain.Role{ID: "r-viewer", Name: "viewer"}
 	req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles", nil), "alice", auth.ActorTypeAPIKey)
 	rec := httptest.NewRecorder()
 	h.ListRoles(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("got %d; body=%s", rec.Code, rec.Body.String())
 	}
 	var resp struct {
 		Roles []roleResponse `json:"roles"`
 	}
 	if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
 		t.Fatalf("decode: %v", err)
 	}
 	if len(resp.Roles) != 2 {
 		t.Errorf("expected 2 roles; got %d", len(resp.Roles))
 	}
 }
 func TestAuthHandler_CreateRoleReturns201(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	body, _ := json.Marshal(createRoleRequest{Name: "custom", Description: "Test role"})
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/roles", bytes.NewReader(body)), "alice", auth.ActorTypeAPIKey)
 	rec := httptest.NewRecorder()
 	h.CreateRole(rec, req)
 	if rec.Code != http.StatusCreated {
 		t.Errorf("expected 201; got %d, body=%s", rec.Code, rec.Body.String())
 	}
 }
 func TestAuthHandler_CreateRoleRejectsEmptyName(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	body, _ := json.Marshal(createRoleRequest{Name: "  ", Description: "blank"})
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/roles", bytes.NewReader(body)), "alice", auth.ActorTypeAPIKey)
 	rec := httptest.NewRecorder()
 	h.CreateRole(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("blank name should be 400; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_DeleteRoleReturns204(t *testing.T) {
 	h, roleSvc, _, _ := newAuthHandlerWithFakes()
 	roleSvc.roles["r-x"] = &authdomain.Role{ID: "r-x", Name: "x"}
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/roles/r-x", nil), "alice", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "r-x")
 	rec := httptest.NewRecorder()
 	h.DeleteRole(rec, req)
 	if rec.Code != http.StatusNoContent {
 		t.Errorf("delete should be 204; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_DeleteRoleInUseReturns409(t *testing.T) {
 	h, roleSvc, _, _ := newAuthHandlerWithFakes()
 	roleSvc.deleteErr = repository.ErrAuthRoleInUse
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/roles/r-x", nil), "alice", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "r-x")
 	rec := httptest.NewRecorder()
 	h.DeleteRole(rec, req)
 	if rec.Code != http.StatusConflict {
 		t.Errorf("ErrAuthRoleInUse should be 409; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_DeleteRoleNotFoundReturns404(t *testing.T) {
 	h, roleSvc, _, _ := newAuthHandlerWithFakes()
 	roleSvc.deleteErr = repository.ErrAuthNotFound
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/roles/missing", nil), "alice", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "missing")
 	rec := httptest.NewRecorder()
 	h.DeleteRole(rec, req)
 	if rec.Code != http.StatusNotFound {
 		t.Errorf("ErrAuthNotFound should be 404; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_ForbiddenMappedTo403(t *testing.T) {
 	h, roleSvc, _, _ := newAuthHandlerWithFakes()
 	roleSvc.listErr = authsvc.ErrForbidden
 	req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles", nil), "bob", auth.ActorTypeAPIKey)
 	rec := httptest.NewRecorder()
 	h.ListRoles(rec, req)
 	if rec.Code != http.StatusForbidden {
 		t.Errorf("ErrForbidden should be 403; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_AssignRoleToKey(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	body, _ := json.Marshal(assignRoleRequest{RoleID: "r-viewer"})
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	rec := httptest.NewRecorder()
 	h.AssignRoleToKey(rec, req)
 	if rec.Code != http.StatusNoContent {
 		t.Fatalf("expected 204; got %d, body=%s", rec.Code, rec.Body.String())
 	}
 	if len(actorSvc.roles) != 1 {
 		t.Errorf("expected 1 grant recorded; got %d", len(actorSvc.roles))
 	}
 	if actorSvc.roles[0].RoleID != "r-viewer" || actorSvc.roles[0].ActorID != "alice" {
 		t.Errorf("grant fields wrong; got %+v", actorSvc.roles[0])
 	}
 }
 // Audit 2026-05-10 HIGH-10 regression matrix — pin the new
 // scope_type / scope_id / expires_at fields on assignRoleRequest.
 // Pre-fix, the request body accepted only `{role_id}` so per-actor
 // scope-bound grants and time-bound grants weren't expressible via
 // the API even though the schema reserved the columns. Post-fix,
 // validation rules:
 //
 //   - scope_type ∈ {global, profile, issuer}; defaults to global.
 //   - scope_id required when scope_type != global; rejected when
 //     scope_type == global.
 //   - expires_at must be in the future when present.
 func TestAssignRoleToKey_HIGH10_ProfileScopeBoundGrantPersists(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	scopeID := "p-finance"
 	body, _ := json.Marshal(assignRoleRequest{
 		RoleID:    "r-operator",
 		ScopeType: "profile",
 		ScopeID:   &scopeID,
 	})
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	rec := httptest.NewRecorder()
 	h.AssignRoleToKey(rec, req)
 	if rec.Code != http.StatusNoContent {
 		t.Fatalf("status = %d; body=%s", rec.Code, rec.Body.String())
 	}
 	if len(actorSvc.roles) != 1 {
 		t.Fatalf("expected 1 grant; got %d", len(actorSvc.roles))
 	}
 	if got := string(actorSvc.roles[0].ScopeType); got != "profile" {
 		t.Errorf("ScopeType = %q; want profile", got)
 	}
 	if actorSvc.roles[0].ScopeID == nil || *actorSvc.roles[0].ScopeID != "p-finance" {
 		t.Errorf("ScopeID = %v; want p-finance", actorSvc.roles[0].ScopeID)
 	}
 }
 func TestAssignRoleToKey_HIGH10_TimeBoundGrantPersists(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	future := time.Now().Add(24 * time.Hour).UTC()
 	body, _ := json.Marshal(assignRoleRequest{
 		RoleID:    "r-operator",
 		ExpiresAt: &future,
 	})
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	rec := httptest.NewRecorder()
 	h.AssignRoleToKey(rec, req)
 	if rec.Code != http.StatusNoContent {
 		t.Fatalf("status = %d; body=%s", rec.Code, rec.Body.String())
 	}
 	if len(actorSvc.roles) != 1 || actorSvc.roles[0].ExpiresAt == nil {
 		t.Fatalf("expected 1 grant with ExpiresAt; got %+v", actorSvc.roles)
 	}
 }
 func TestAssignRoleToKey_HIGH10_RejectsScopeIDWithGlobalScope(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	bad := "p-finance"
 	body, _ := json.Marshal(assignRoleRequest{
 		RoleID:    "r-operator",
 		ScopeType: "global",
 		ScopeID:   &bad,
 	})
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	rec := httptest.NewRecorder()
 	h.AssignRoleToKey(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("scope_id with scope_type=global should be 400; got %d", rec.Code)
 	}
 }
 func TestAssignRoleToKey_HIGH10_RejectsMissingScopeIDOnProfile(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	body, _ := json.Marshal(assignRoleRequest{
 		RoleID:    "r-operator",
 		ScopeType: "profile",
 	})
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	rec := httptest.NewRecorder()
 	h.AssignRoleToKey(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("missing scope_id on scope_type=profile should be 400; got %d", rec.Code)
 	}
 }
 func TestAssignRoleToKey_HIGH10_RejectsPastExpiry(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	past := time.Now().Add(-1 * time.Hour).UTC()
 	body, _ := json.Marshal(assignRoleRequest{
 		RoleID:    "r-operator",
 		ExpiresAt: &past,
 	})
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	rec := httptest.NewRecorder()
 	h.AssignRoleToKey(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("past expires_at should be 400; got %d", rec.Code)
 	}
 }
 func TestAssignRoleToKey_HIGH10_RejectsInvalidScopeType(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	body, _ := json.Marshal(assignRoleRequest{
 		RoleID:    "r-operator",
 		ScopeType: "tenant", // not a valid scope_type
 	})
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	rec := httptest.NewRecorder()
 	h.AssignRoleToKey(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("invalid scope_type should be 400; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_AssignRoleSelfRoleAssignReturns403(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	actorSvc.grantErr = errors.New("auth.role.assign required: " + authsvc.ErrSelfRoleAssignment.Error())
 	// Force the wrapped sentinel:
 	actorSvc.grantErr = authsvc.ErrSelfRoleAssignment
 	body, _ := json.Marshal(assignRoleRequest{RoleID: "r-admin"})
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/keys/alice/roles", bytes.NewReader(body)), "bob", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	rec := httptest.NewRecorder()
 	h.AssignRoleToKey(rec, req)
 	if rec.Code != http.StatusForbidden {
 		t.Errorf("ErrSelfRoleAssignment should be 403; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_RevokeRoleFromKey(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/keys/alice/roles/r-viewer", nil), "admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	req.SetPathValue("role_id", "r-viewer")
 	rec := httptest.NewRecorder()
 	h.RevokeRoleFromKey(rec, req)
 	if rec.Code != http.StatusNoContent {
 		t.Errorf("revoke should be 204; got %d", rec.Code)
 	}
 	// Audit 2026-05-11 A-4 — no scope params → legacy "revoke all
 	// variants" semantic propagates as the zero-value
 	// ActorRoleRevokeOptions to the service layer.
 	if actorSvc.revokeOpts.ScopeType != "" {
 		t.Errorf("legacy DELETE forwarded a scope filter: ScopeType=%q", actorSvc.revokeOpts.ScopeType)
 	}
 	if actorSvc.revokeOpts.ScopeID != nil {
 		t.Errorf("legacy DELETE forwarded a scope_id: %v", actorSvc.revokeOpts.ScopeID)
 	}
 }
 // =============================================================================
 // Audit 2026-05-11 A-4 — scope-aware revoke handler tests.
 // =============================================================================
 func TestAuthHandler_RevokeRoleFromKey_A4_ScopedProfile(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
 		"/api/v1/auth/keys/alice/roles/r-operator?scope_type=profile&scope_id=p-acme", nil),
 		"admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	req.SetPathValue("role_id", "r-operator")
 	rec := httptest.NewRecorder()
 	h.RevokeRoleFromKey(rec, req)
 	if rec.Code != http.StatusNoContent {
 		t.Fatalf("scoped revoke should be 204; got %d body=%s", rec.Code, rec.Body.String())
 	}
 	if actorSvc.revokeOpts.ScopeType != authdomain.ScopeTypeProfile {
 		t.Errorf("ScopeType = %q; want profile", actorSvc.revokeOpts.ScopeType)
 	}
 	if actorSvc.revokeOpts.ScopeID == nil || *actorSvc.revokeOpts.ScopeID != "p-acme" {
 		t.Errorf("ScopeID = %v; want p-acme", actorSvc.revokeOpts.ScopeID)
 	}
 }
 func TestAuthHandler_RevokeRoleFromKey_A4_ScopedGlobal(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
 		"/api/v1/auth/keys/alice/roles/r-operator?scope_type=global", nil),
 		"admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	req.SetPathValue("role_id", "r-operator")
 	rec := httptest.NewRecorder()
 	h.RevokeRoleFromKey(rec, req)
 	if rec.Code != http.StatusNoContent {
 		t.Fatalf("scoped revoke (global) should be 204; got %d body=%s", rec.Code, rec.Body.String())
 	}
 	if actorSvc.revokeOpts.ScopeType != authdomain.ScopeTypeGlobal {
 		t.Errorf("ScopeType = %q; want global", actorSvc.revokeOpts.ScopeType)
 	}
 	if actorSvc.revokeOpts.ScopeID != nil {
 		t.Errorf("ScopeID must be nil for scope_type=global; got %v", actorSvc.revokeOpts.ScopeID)
 	}
 }
 func TestAuthHandler_RevokeRoleFromKey_A4_RejectsScopeIDWithGlobal(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
 		"/api/v1/auth/keys/alice/roles/r-operator?scope_type=global&scope_id=p-acme", nil),
 		"admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	req.SetPathValue("role_id", "r-operator")
 	rec := httptest.NewRecorder()
 	h.RevokeRoleFromKey(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("global+scope_id should be 400; got %d body=%s", rec.Code, rec.Body.String())
 	}
 	if actorSvc.revokeCall.called {
 		t.Error("service should NOT have been called on validation error")
 	}
 }
 func TestAuthHandler_RevokeRoleFromKey_A4_RejectsMissingScopeID(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
 		"/api/v1/auth/keys/alice/roles/r-operator?scope_type=profile", nil),
 		"admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	req.SetPathValue("role_id", "r-operator")
 	rec := httptest.NewRecorder()
 	h.RevokeRoleFromKey(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("profile-without-scope_id should be 400; got %d body=%s", rec.Code, rec.Body.String())
 	}
 	if actorSvc.revokeCall.called {
 		t.Error("service should NOT have been called on validation error")
 	}
 }
 func TestAuthHandler_RevokeRoleFromKey_A4_RejectsScopeIDWithoutScopeType(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
 		"/api/v1/auth/keys/alice/roles/r-operator?scope_id=p-acme", nil),
 		"admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	req.SetPathValue("role_id", "r-operator")
 	rec := httptest.NewRecorder()
 	h.RevokeRoleFromKey(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("scope_id-without-scope_type should be 400; got %d body=%s", rec.Code, rec.Body.String())
 	}
 }
 func TestAuthHandler_RevokeRoleFromKey_A4_RejectsInvalidScopeType(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
 		"/api/v1/auth/keys/alice/roles/r-operator?scope_type=bogus", nil),
 		"admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	req.SetPathValue("role_id", "r-operator")
 	rec := httptest.NewRecorder()
 	h.RevokeRoleFromKey(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("bogus scope_type should be 400; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_RevokeRoleFromKey_A4_ScopedNotFoundReturns404(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	actorSvc.revokeErr = repository.ErrActorRoleNotFound
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete,
 		"/api/v1/auth/keys/alice/roles/r-operator?scope_type=profile&scope_id=p-globex", nil),
 		"admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "alice")
 	req.SetPathValue("role_id", "r-operator")
 	rec := httptest.NewRecorder()
 	h.RevokeRoleFromKey(rec, req)
 	if rec.Code != http.StatusNotFound {
 		t.Errorf("ErrActorRoleNotFound should be 404; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_RevokeReservedActorReturns409(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	actorSvc.revokeErr = repository.ErrAuthReservedActor
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/keys/actor-demo-anon/roles/r-admin", nil), "admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "actor-demo-anon")
 	req.SetPathValue("role_id", "r-admin")
 	rec := httptest.NewRecorder()
 	h.RevokeRoleFromKey(rec, req)
 	if rec.Code != http.StatusConflict {
 		t.Errorf("ErrAuthReservedActor should be 409; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_AddRolePermissionInvalidJSON(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/roles/r-admin/permissions", strings.NewReader("not json")), "admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "r-admin")
 	rec := httptest.NewRecorder()
 	h.AddRolePermission(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("invalid JSON should be 400; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_AddRolePermissionDefaultScopeGlobal(t *testing.T) {
 	h, roleSvc, _, _ := newAuthHandlerWithFakes()
 	body, _ := json.Marshal(addPermissionRequest{Permission: "cert.read"})
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/roles/r-admin/permissions", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "r-admin")
 	rec := httptest.NewRecorder()
 	h.AddRolePermission(rec, req)
 	if rec.Code != http.StatusNoContent {
 		t.Fatalf("expected 204; got %d, body=%s", rec.Code, rec.Body.String())
 	}
 	grants := roleSvc.rolePerms["r-admin"]
 	if len(grants) != 1 {
 		t.Fatalf("expected 1 grant; got %d", len(grants))
 	}
 	if grants[0].ScopeType != authdomain.ScopeTypeGlobal {
 		t.Errorf("default scope should be global; got %q", grants[0].ScopeType)
 	}
 }
 func TestAuthHandler_AddRolePermissionInvalidPermission(t *testing.T) {
 	h, roleSvc, _, _ := newAuthHandlerWithFakes()
 	roleSvc.addPermErr = authsvc.ErrInvalidPermission
 	body, _ := json.Marshal(addPermissionRequest{Permission: "fake"})
 	req := withAuthCtx(httptest.NewRequest(http.MethodPost, "/api/v1/auth/roles/r-admin/permissions", bytes.NewReader(body)), "admin", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "r-admin")
 	rec := httptest.NewRecorder()
 	h.AddRolePermission(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("ErrInvalidPermission should be 400; got %d", rec.Code)
 	}
 }
 func TestAuthHandler_ListPermissionsReturnsCanonical(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/permissions", nil), "alice", auth.ActorTypeAPIKey)
 	rec := httptest.NewRecorder()
 	h.ListPermissions(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("got %d", rec.Code)
 	}
 	var resp struct {
 		Permissions []permissionResponse `json:"permissions"`
 	}
 	if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
 		t.Fatalf("decode: %v", err)
 	}
 	if len(resp.Permissions) != len(authdomain.CanonicalPermissions) {
 		t.Errorf("permission count: got %d, want %d (canonical catalogue size)", len(resp.Permissions), len(authdomain.CanonicalPermissions))
 	}
 }
 func TestAuthHandler_MeReturnsActorIdentity(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	actorSvc.roles = []*authdomain.ActorRole{
 		{RoleID: "r-admin", ActorID: "alice"},
 	}
 	actorSvc.effective = []repository.EffectivePermission{
 		{PermissionName: "cert.read", ScopeType: authdomain.ScopeTypeGlobal, ScopeID: nil},
 	}
 	req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/me", nil), "alice", auth.ActorTypeAPIKey)
 	rec := httptest.NewRecorder()
 	h.Me(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("got %d; body=%s", rec.Code, rec.Body.String())
 	}
 	var resp meResponse
 	if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
 		t.Fatalf("decode: %v", err)
 	}
 	if resp.ActorID != "alice" {
 		t.Errorf("actor id = %q, want alice", resp.ActorID)
 	}
 	if !resp.Admin {
 		t.Errorf("alice has r-admin; admin flag should be true (back-compat)")
 	}
 	if len(resp.EffectivePermissions) != 1 || resp.EffectivePermissions[0].Permission != "cert.read" {
 		t.Errorf("effective_permissions wrong; got %+v", resp.EffectivePermissions)
 	}
 }
 // =============================================================================
 // Coverage-floor closure (post-Bundle-1 follow-on, 2026-05-09).
 //
 // CI run #486 caught internal/api/handler at 74.7% — 0.3pp below the
 // 75 floor. The auth handlers added in Bundle 1 had several 0%-covered
 // methods: GetRole, UpdateRole, ListKeys, RemoveRolePermission. The
 // tests below close the gap.
 // =============================================================================
 func TestAuthHandler_GetRoleReturnsRoleAndPermissions(t *testing.T) {
 	h, roleSvc, _, _ := newAuthHandlerWithFakes()
 	roleSvc.roles["r-admin"] = &authdomain.Role{ID: "r-admin", Name: "admin", Description: "the admin role"}
 	scope := "p-corp"
 	roleSvc.rolePerms["r-admin"] = []*authdomain.RolePermission{
 		{RoleID: "r-admin", PermissionID: "p-cert.read", ScopeType: authdomain.ScopeTypeGlobal},
 		{RoleID: "r-admin", PermissionID: "p-profile.edit", ScopeType: authdomain.ScopeTypeProfile, ScopeID: &scope},
 	}
 	req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles/r-admin", nil), "alice", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "r-admin")
 	rec := httptest.NewRecorder()
 	h.GetRole(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("GetRole code = %d; body=%s", rec.Code, rec.Body.String())
 	}
 	var resp struct {
 		Role        roleResponse             `json:"role"`
 		Permissions []rolePermissionResponse `json:"permissions"`
 	}
 	if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
 		t.Fatalf("decode: %v", err)
 	}
 	if resp.Role.ID != "r-admin" || resp.Role.Name != "admin" {
 		t.Errorf("Role envelope wrong: %+v", resp.Role)
 	}
 	if len(resp.Permissions) != 2 {
 		t.Errorf("permissions length = %d; want 2", len(resp.Permissions))
 	}
 }
 func TestAuthHandler_GetRoleNotFoundReturns404(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles/r-missing", nil), "alice", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "r-missing")
 	rec := httptest.NewRecorder()
 	h.GetRole(rec, req)
 	if rec.Code != http.StatusNotFound {
 		t.Errorf("GetRole(missing) code = %d; want 404", rec.Code)
 	}
 }
 func TestAuthHandler_GetRoleNoActorReturns401(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles/r-admin", nil)
 	req.SetPathValue("id", "r-admin")
 	rec := httptest.NewRecorder()
 	h.GetRole(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("GetRole no-actor code = %d; want 401", rec.Code)
 	}
 }
 func TestAuthHandler_UpdateRoleReturns200(t *testing.T) {
 	h, roleSvc, _, _ := newAuthHandlerWithFakes()
 	roleSvc.roles["r-x"] = &authdomain.Role{ID: "r-x", Name: "old", Description: ""}
 	body := bytes.NewBufferString(`{"name":"new","description":"updated"}`)
 	req := withAuthCtx(httptest.NewRequest(http.MethodPut, "/api/v1/auth/roles/r-x", body), "alice", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "r-x")
 	rec := httptest.NewRecorder()
 	h.UpdateRole(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("UpdateRole code = %d; body=%s", rec.Code, rec.Body.String())
 	}
 	var resp roleResponse
 	if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
 		t.Fatalf("decode: %v", err)
 	}
 	if resp.Name != "new" || resp.Description != "updated" {
 		t.Errorf("UpdateRole returned %+v; want Name=new, Description=updated", resp)
 	}
 }
 func TestAuthHandler_UpdateRoleInvalidJSONReturns400(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	body := strings.NewReader(`{"name":`) // truncated
 	req := withAuthCtx(httptest.NewRequest(http.MethodPut, "/api/v1/auth/roles/r-x", body), "alice", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "r-x")
 	rec := httptest.NewRecorder()
 	h.UpdateRole(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Errorf("UpdateRole invalid JSON code = %d; want 400", rec.Code)
 	}
 }
 func TestAuthHandler_UpdateRoleNoActorReturns401(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	req := httptest.NewRequest(http.MethodPut, "/api/v1/auth/roles/r-x", bytes.NewBufferString(`{"name":"new"}`))
 	req.SetPathValue("id", "r-x")
 	rec := httptest.NewRecorder()
 	h.UpdateRole(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("UpdateRole no-actor code = %d; want 401", rec.Code)
 	}
 }
 func TestAuthHandler_ListKeysReturnsActorList(t *testing.T) {
 	h, _, _, actorSvc := newAuthHandlerWithFakes()
 	actorSvc.roles = []*authdomain.ActorRole{
 		{ID: "ar-1", ActorID: "alice", ActorType: authdomain.ActorTypeValue(domain.ActorTypeAPIKey), TenantID: authdomain.DefaultTenantID, RoleID: "r-admin"},
 		{ID: "ar-2", ActorID: "carol", ActorType: authdomain.ActorTypeValue(domain.ActorTypeAPIKey), TenantID: authdomain.DefaultTenantID, RoleID: "r-viewer"},
 	}
 	req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/keys", nil), "alice", auth.ActorTypeAPIKey)
 	rec := httptest.NewRecorder()
 	h.ListKeys(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("ListKeys code = %d; body=%s", rec.Code, rec.Body.String())
 	}
 	var resp struct {
 		Keys []struct {
 			ActorID   string   `json:"actor_id"`
 			ActorType string   `json:"actor_type"`
 			TenantID  string   `json:"tenant_id"`
 			RoleIDs   []string `json:"role_ids"`
 		} `json:"keys"`
 	}
 	if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
 		t.Fatalf("decode: %v", err)
 	}
 	if len(resp.Keys) != 2 {
 		t.Errorf("ListKeys returned %d keys; want 2", len(resp.Keys))
 	}
 }
 func TestAuthHandler_ListKeysNoActorReturns401(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/keys", nil)
 	rec := httptest.NewRecorder()
 	h.ListKeys(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("ListKeys no-actor code = %d; want 401", rec.Code)
 	}
 }
 func TestAuthHandler_RemoveRolePermissionReturns204(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/roles/r-admin/permissions/cert.read", nil), "alice", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "r-admin")
 	req.SetPathValue("perm", "cert.read")
 	rec := httptest.NewRecorder()
 	h.RemoveRolePermission(rec, req)
 	if rec.Code != http.StatusNoContent {
 		t.Errorf("RemoveRolePermission code = %d; want 204", rec.Code)
 	}
 }
 func TestAuthHandler_RemoveRolePermissionScopedReturns204(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	req := withAuthCtx(httptest.NewRequest(http.MethodDelete, "/api/v1/auth/roles/r-admin/permissions/profile.edit?scope_type=profile&scope_id=p-corp", nil), "alice", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "r-admin")
 	req.SetPathValue("perm", "profile.edit")
 	rec := httptest.NewRecorder()
 	h.RemoveRolePermission(rec, req)
 	if rec.Code != http.StatusNoContent {
 		t.Errorf("RemoveRolePermission(scoped) code = %d; want 204", rec.Code)
 	}
 }
 func TestAuthHandler_RemoveRolePermissionNoActorReturns401(t *testing.T) {
 	h, _, _, _ := newAuthHandlerWithFakes()
 	req := httptest.NewRequest(http.MethodDelete, "/api/v1/auth/roles/r-admin/permissions/cert.read", nil)
 	req.SetPathValue("id", "r-admin")
 	req.SetPathValue("perm", "cert.read")
 	rec := httptest.NewRecorder()
 	h.RemoveRolePermission(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("RemoveRolePermission no-actor code = %d; want 401", rec.Code)
 	}
 }
 // Pin the rolePermToResponse helper indirectly via GetRole; the test
 // above already exercises both global + scoped permission encoding.
 // Add an explicit assertion here so the helper's nil-scope branch is
 // readable in coverage output.
 func TestAuthHandler_GetRoleRolePermResponseEncodesScope(t *testing.T) {
 	h, roleSvc, _, _ := newAuthHandlerWithFakes()
 	roleSvc.roles["r-x"] = &authdomain.Role{ID: "r-x", Name: "x"}
 	scope := "iss-corp"
 	roleSvc.rolePerms["r-x"] = []*authdomain.RolePermission{
 		{RoleID: "r-x", PermissionID: "p-cert.read", ScopeType: authdomain.ScopeTypeGlobal, ScopeID: nil},
 		{RoleID: "r-x", PermissionID: "p-issuer.edit", ScopeType: authdomain.ScopeTypeIssuer, ScopeID: &scope},
 	}
 	req := withAuthCtx(httptest.NewRequest(http.MethodGet, "/api/v1/auth/roles/r-x", nil), "alice", auth.ActorTypeAPIKey)
 	req.SetPathValue("id", "r-x")
 	rec := httptest.NewRecorder()
 	h.GetRole(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("GetRole code = %d", rec.Code)
 	}
 	if !bytes.Contains(rec.Body.Bytes(), []byte(`"scope_type":"issuer"`)) {
 		t.Errorf("body should include scope_type=issuer; got %s", rec.Body.String())
 	}
 	if !bytes.Contains(rec.Body.Bytes(), []byte(`"scope_id":"iss-corp"`)) {
 		t.Errorf("body should include scope_id=iss-corp; got %s", rec.Body.String())
 	}
 }
 // ensure 'errors' import stays used after edits.
 var _ = errors.Is
@@ -0,0 +1,324 @@
 package handler
 // Audit 2026-05-10 MED-11 closure — federated-user admin surface.
 //
 // GET    /api/v1/auth/users          → gated auth.user.read
 // DELETE /api/v1/auth/users/{id}     → gated auth.user.deactivate
 //
 // The DELETE path is SOFT-DELETE — it sets users.deactivated_at and
 // cascade-revokes the user's active sessions in the same operation.
 // The row is the OIDC binding (tuple of (oidc_provider_id, oidc_subject));
 // destroying it would re-mint a fresh user on the next IdP login under
 // the same subject, losing the audit trail.
 import (
 	"context"
 	"errors"
 	"net/http"
 	"time"
 	oidcsvc "github.com/certctl-io/certctl/internal/auth/oidc"
 	userdomain "github.com/certctl-io/certctl/internal/auth/user/domain"
 	"github.com/certctl-io/certctl/internal/domain"
 	"github.com/certctl-io/certctl/internal/repository"
 )
 // AuthUsersHandler exposes the federated-user admin surface.
 type AuthUsersHandler struct {
 	users    repository.UserRepository
 	sessions UserSessionsRevoker
 	audit    AuditRecorder
 	tenantID string
 }
 // UserSessionsRevoker is the slice of *session.Service the user-handler
 // uses to cascade-revoke a deactivated user's active sessions in the
 // same operation. Nil-safe: when unset (tests without session wiring),
 // Deactivate logs an audit row but skips the revoke step.
 type UserSessionsRevoker interface {
 	RevokeAllForActor(ctx context.Context, actorID, actorType string) error
 }
 // NewAuthUsersHandler constructs a federated-user admin handler.
 func NewAuthUsersHandler(users repository.UserRepository, sessions UserSessionsRevoker, audit AuditRecorder, tenantID string) *AuthUsersHandler {
 	return &AuthUsersHandler{users: users, sessions: sessions, audit: audit, tenantID: tenantID}
 }
 type userResponse struct {
 	ID             string  `json:"id"`
 	TenantID       string  `json:"tenant_id"`
 	Email          string  `json:"email"`
 	DisplayName    string  `json:"display_name"`
 	OIDCSubject    string  `json:"oidc_subject"`
 	OIDCProviderID string  `json:"oidc_provider_id"`
 	LastLoginAt    string  `json:"last_login_at"`
 	CreatedAt      string  `json:"created_at"`
 	DeactivatedAt  *string `json:"deactivated_at,omitempty"`
 }
 func userToResponse(u *userdomain.User) userResponse {
 	r := userResponse{
 		ID:             u.ID,
 		TenantID:       u.TenantID,
 		Email:          u.Email,
 		DisplayName:    u.DisplayName,
 		OIDCSubject:    u.OIDCSubject,
 		OIDCProviderID: u.OIDCProviderID,
 		LastLoginAt:    u.LastLoginAt.UTC().Format(time.RFC3339),
 		CreatedAt:      u.CreatedAt.UTC().Format(time.RFC3339),
 	}
 	if u.DeactivatedAt != nil {
 		s := u.DeactivatedAt.UTC().Format(time.RFC3339)
 		r.DeactivatedAt = &s
 	}
 	return r
 }
 // List returns every user in the active tenant. Pagination + filter
 // are accepted as query parameters; the repository's ListAll returns
 // every row and we filter client-side for simplicity.
 func (h *AuthUsersHandler) List(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	users, lerr := h.users.ListAll(r.Context(), h.tenantID)
 	if lerr != nil {
 		Error(w, http.StatusInternalServerError, "could not list users")
 		return
 	}
 	providerFilter := r.URL.Query().Get("oidc_provider_id")
 	out := make([]userResponse, 0, len(users))
 	for _, u := range users {
 		if providerFilter != "" && u.OIDCProviderID != providerFilter {
 			continue
 		}
 		out = append(out, userToResponse(u))
 	}
 	_ = h.audit.RecordEventWithCategory(r.Context(), caller.ActorID, caller.ActorType, "auth.user_list",
 		domain.EventCategoryAuth, "user", "",
 		map[string]interface{}{"count": len(out), "provider_filter": providerFilter})
 	writeJSON(w, http.StatusOK, map[string]interface{}{"users": out})
 }
 // Deactivate sets deactivated_at on the user and cascade-revokes
 // active sessions. Returns 204 on success.
 func (h *AuthUsersHandler) Deactivate(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	id := r.PathValue("id")
 	if id == "" {
 		Error(w, http.StatusBadRequest, "missing user id")
 		return
 	}
 	// Audit 2026-05-11 A-2 — self-deactivate guard. An admin that
 	// deactivates their own User row immediately invalidates their next
 	// login (upsertUser at internal/auth/oidc/service.go rejects with
 	// ErrUserDeactivated); the cascade-revoke then kicks them out of the
 	// active session, leaving the tenant without an admin able to
 	// reactivate themselves. Break-glass credentials (Bundle 2 Phase 7.5)
 	// remain the recovery path, but the operator should not be able to
 	// trip the foot-gun through the standard handler. 409 (not 403) —
 	// the request is well-formed and authenticated; the conflict is
 	// between the action and the actor's own identity. Audit row records
 	// the rejection so an upstream SIEM can spot accidental triggers.
 	if caller.ActorType == domain.ActorTypeUser && caller.ActorID == id {
 		_ = h.audit.RecordEventWithCategory(r.Context(), caller.ActorID, caller.ActorType, "auth.user_deactivate_self_rejected",
 			domain.EventCategoryAuth, "user", id,
 			map[string]interface{}{"user_id": id, "reason": "self_deactivate_blocked"})
 		Error(w, http.StatusConflict, "cannot deactivate your own account; use break-glass recovery or have another admin act")
 		return
 	}
 	u, gerr := h.users.Get(r.Context(), id)
 	if gerr != nil {
 		if errors.Is(gerr, repository.ErrUserNotFound) {
 			Error(w, http.StatusNotFound, "user not found")
 			return
 		}
 		Error(w, http.StatusInternalServerError, "could not load user")
 		return
 	}
 	// Idempotent: deactivating an already-deactivated user is a no-op
 	// from the wire's perspective.
 	if u.DeactivatedAt != nil {
 		w.WriteHeader(http.StatusNoContent)
 		return
 	}
 	now := time.Now().UTC()
 	u.DeactivatedAt = &now
 	if uerr := h.users.Update(r.Context(), u); uerr != nil {
 		Error(w, http.StatusInternalServerError, "could not deactivate user")
 		return
 	}
 	// Cascade-revoke active sessions. Best-effort: revoke failures do
 	// NOT roll back the deactivation (the user is already marked
 	// deactivated; a leftover session expires at the absolute-TTL anyway).
 	revokeStatus := "skipped_no_revoker"
 	if h.sessions != nil {
 		if rerr := h.sessions.RevokeAllForActor(r.Context(), u.ID, string(domain.ActorTypeUser)); rerr != nil {
 			revokeStatus = "failed"
 		} else {
 			revokeStatus = "ok"
 		}
 	}
 	_ = h.audit.RecordEventWithCategory(r.Context(), caller.ActorID, caller.ActorType, "auth.user_deactivated",
 		domain.EventCategoryAuth, "user", u.ID,
 		map[string]interface{}{
 			"user_id":               u.ID,
 			"oidc_provider_id":      u.OIDCProviderID,
 			"session_revoke_status": revokeStatus,
 		})
 	w.WriteHeader(http.StatusNoContent)
 }
 // Reactivate clears users.deactivated_at, allowing the federated user
 // to log in again via their OIDC provider. The next OIDC callback for
 // the (provider_id, subject) tuple goes through upsertUser, which now
 // passes the DeactivatedAt == nil gate, and the user's account
 // information (email, display_name, last_login_at) updates normally.
 //
 // Audit 2026-05-11 A-2 — Reactivate is the inverse of Deactivate. The
 // original MED-11 closure only shipped Deactivate; with A-2 closure the
 // DeactivatedAt field now actually gates login, so the operator needs a
 // supported way to undo a soft-delete without hand-editing the database.
 //
 // Gate: same auth.user.deactivate permission. Reactivation is the
 // inverse op, not a separate privilege — anyone who can deactivate must
 // be able to undo their own mistake.
 //
 // Idempotent: reactivating an already-active user returns 204 with no
 // row write.
 //
 // No session-side-effect: reactivation does NOT mint a session. The
 // user must complete a fresh OIDC login through their provider; sessions
 // from before the deactivation stay revoked (the cascade-revoke in
 // Deactivate is irreversible by design).
 func (h *AuthUsersHandler) Reactivate(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	id := r.PathValue("id")
 	if id == "" {
 		Error(w, http.StatusBadRequest, "missing user id")
 		return
 	}
 	u, gerr := h.users.Get(r.Context(), id)
 	if gerr != nil {
 		if errors.Is(gerr, repository.ErrUserNotFound) {
 			Error(w, http.StatusNotFound, "user not found")
 			return
 		}
 		Error(w, http.StatusInternalServerError, "could not load user")
 		return
 	}
 	// Idempotent: reactivating an already-active user is a no-op.
 	if u.DeactivatedAt == nil {
 		w.WriteHeader(http.StatusNoContent)
 		return
 	}
 	u.DeactivatedAt = nil
 	if uerr := h.users.Update(r.Context(), u); uerr != nil {
 		Error(w, http.StatusInternalServerError, "could not reactivate user")
 		return
 	}
 	_ = h.audit.RecordEventWithCategory(r.Context(), caller.ActorID, caller.ActorType, "auth.user_reactivated",
 		domain.EventCategoryAuth, "user", u.ID,
 		map[string]interface{}{
 			"user_id":          u.ID,
 			"oidc_provider_id": u.OIDCProviderID,
 		})
 	w.WriteHeader(http.StatusNoContent)
 }
 // =============================================================================
 // MED-12 — Auth runtime config read endpoint.
 // =============================================================================
 // AuthRuntimeConfigHandler exposes a flat-map view of the auth-related
 // CERTCTL_* env vars so operators can verify the deployed
 // configuration matches their intent from the GUI. Read-only — no
 // mutation surface (config changes require a restart + env-var edit
 // by design).
 type AuthRuntimeConfigHandler struct {
 	cfg   func() map[string]string
 	audit AuditRecorder
 }
 // NewAuthRuntimeConfigHandler constructs the runtime-config handler.
 // `cfg` is a closure so wires can be lazily evaluated against the
 // running config without snapshot drift.
 func NewAuthRuntimeConfigHandler(cfg func() map[string]string, audit AuditRecorder) *AuthRuntimeConfigHandler {
 	return &AuthRuntimeConfigHandler{cfg: cfg, audit: audit}
 }
 func (h *AuthRuntimeConfigHandler) Get(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	m := h.cfg()
 	if m == nil {
 		m = map[string]string{}
 	}
 	_ = h.audit.RecordEventWithCategory(r.Context(), caller.ActorID, caller.ActorType, "auth.runtime_config_read",
 		domain.EventCategoryAuth, "config", "",
 		map[string]interface{}{"key_count": len(m)})
 	writeJSON(w, http.StatusOK, map[string]interface{}{"runtime_config": m})
 }
 // =============================================================================
 // MED-7 — JWKS health endpoint.
 // =============================================================================
 // JWKSStatusProbe is the projection of *oidc.Service the JWKS-status
 // handler uses to read the per-provider verifier counters. Production
 // *oidc.Service satisfies this directly via the JWKSStatus method.
 type JWKSStatusProbe interface {
 	JWKSStatus(ctx context.Context, providerID string) (*oidcsvc.JWKSStatusSnapshot, error)
 }
 // AuthOIDCJWKSStatusHandler exposes per-provider JWKS health.
 type AuthOIDCJWKSStatusHandler struct {
 	probe JWKSStatusProbe
 	audit AuditRecorder
 }
 // NewAuthOIDCJWKSStatusHandler constructs the JWKS-status handler.
 func NewAuthOIDCJWKSStatusHandler(probe JWKSStatusProbe, audit AuditRecorder) *AuthOIDCJWKSStatusHandler {
 	return &AuthOIDCJWKSStatusHandler{probe: probe, audit: audit}
 }
 func (h *AuthOIDCJWKSStatusHandler) Status(w http.ResponseWriter, r *http.Request) {
 	caller, err := callerFromRequest(r)
 	if err != nil {
 		writeAuthError(w, err)
 		return
 	}
 	id := r.PathValue("id")
 	if id == "" {
 		Error(w, http.StatusBadRequest, "missing provider id")
 		return
 	}
 	snap, perr := h.probe.JWKSStatus(r.Context(), id)
 	if perr != nil {
 		if errors.Is(perr, repository.ErrOIDCProviderNotFound) {
 			Error(w, http.StatusNotFound, "provider not found")
 			return
 		}
 		Error(w, http.StatusInternalServerError, "could not read JWKS status")
 		return
 	}
 	_ = h.audit.RecordEventWithCategory(r.Context(), caller.ActorID, caller.ActorType, "auth.oidc_jwks_status_read",
 		domain.EventCategoryAuth, "oidc_provider", id,
 		map[string]interface{}{"provider_id": id})
 	writeJSON(w, http.StatusOK, snap)
 }
 // AuditRecorder is reused from auth_session_oidc.go — same package.
@@ -0,0 +1,297 @@
 package handler
 // Audit 2026-05-11 A-2 closure — federated-user admin handler test
 // surface. Covers the self-deactivate guard, reactivate happy-path /
 // idempotent / 404 branches, and the audit-event shape.
 import (
 	"context"
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 	userdomain "github.com/certctl-io/certctl/internal/auth/user/domain"
 	"github.com/certctl-io/certctl/internal/domain"
 	"github.com/certctl-io/certctl/internal/repository"
 )
 // stubFullUserRepo is a richer in-memory UserRepository than the one
 // in auth_session_oidc_test.go (which always returns ErrUserNotFound
 // from Get). The auth-users handler tests need round-trip semantics
 // across Get / Update.
 type stubFullUserRepo struct {
 	rows      map[string]*userdomain.User
 	updateErr error
 	getErr    error
 }
 func newStubFullUserRepo() *stubFullUserRepo {
 	return &stubFullUserRepo{rows: make(map[string]*userdomain.User)}
 }
 func (s *stubFullUserRepo) Get(_ context.Context, id string) (*userdomain.User, error) {
 	if s.getErr != nil {
 		return nil, s.getErr
 	}
 	if u, ok := s.rows[id]; ok {
 		// Defensive copy — Update path mutates the struct.
 		c := *u
 		if u.DeactivatedAt != nil {
 			t := *u.DeactivatedAt
 			c.DeactivatedAt = &t
 		}
 		return &c, nil
 	}
 	return nil, repository.ErrUserNotFound
 }
 func (s *stubFullUserRepo) GetByOIDCSubject(_ context.Context, _, _ string) (*userdomain.User, error) {
 	return nil, repository.ErrUserNotFound
 }
 func (s *stubFullUserRepo) Create(_ context.Context, u *userdomain.User) error {
 	s.rows[u.ID] = u
 	return nil
 }
 func (s *stubFullUserRepo) Update(_ context.Context, u *userdomain.User) error {
 	if s.updateErr != nil {
 		return s.updateErr
 	}
 	if _, ok := s.rows[u.ID]; !ok {
 		return repository.ErrUserNotFound
 	}
 	// Persist the struct (defensive copy of nullable timestamp).
 	c := *u
 	if u.DeactivatedAt != nil {
 		t := *u.DeactivatedAt
 		c.DeactivatedAt = &t
 	}
 	s.rows[u.ID] = &c
 	return nil
 }
 func (s *stubFullUserRepo) ListAll(_ context.Context, tenantID string) ([]*userdomain.User, error) {
 	out := make([]*userdomain.User, 0, len(s.rows))
 	for _, u := range s.rows {
 		if tenantID == "" || u.TenantID == tenantID {
 			out = append(out, u)
 		}
 	}
 	return out, nil
 }
 // stubRevoker records cascade-revoke calls.
 type stubRevoker struct {
 	called    bool
 	actorID   string
 	actorType string
 	revokeErr error
 }
 func (s *stubRevoker) RevokeAllForActor(_ context.Context, actorID, actorType string) error {
 	s.called = true
 	s.actorID = actorID
 	s.actorType = actorType
 	return s.revokeErr
 }
 // stubAuditRecorder collects event actions for assertion.
 type stubAuditRecorder struct {
 	events []string
 	last   map[string]interface{}
 }
 func (s *stubAuditRecorder) RecordEventWithCategory(_ context.Context, _ string, _ domain.ActorType, action, _, _, _ string, details map[string]interface{}) error {
 	s.events = append(s.events, action)
 	s.last = details
 	return nil
 }
 func newSeededUser(id string, deactivatedAt *time.Time) *userdomain.User {
 	return &userdomain.User{
 		ID:                  id,
 		TenantID:            "t-default",
 		Email:               id + "@example.test",
 		DisplayName:         id,
 		OIDCSubject:         "sub-" + id,
 		OIDCProviderID:      "op-x",
 		LastLoginAt:         time.Now().UTC(),
 		WebAuthnCredentials: []byte("[]"),
 		CreatedAt:           time.Now().UTC(),
 		UpdatedAt:           time.Now().UTC(),
 		DeactivatedAt:       deactivatedAt,
 	}
 }
 // =============================================================================
 // Self-deactivate guard (Audit 2026-05-11 A-2)
 // =============================================================================
 func TestAuthUsers_Deactivate_RejectsSelfDeactivate(t *testing.T) {
 	users := newStubFullUserRepo()
 	users.rows["u-admin"] = newSeededUser("u-admin", nil)
 	rev := &stubRevoker{}
 	audit := &stubAuditRecorder{}
 	h := NewAuthUsersHandler(users, rev, audit, "t-default")
 	req := httptest.NewRequest(http.MethodDelete, "/api/v1/auth/users/u-admin", nil)
 	req.SetPathValue("id", "u-admin")
 	req = withActor(req, "u-admin", string(domain.ActorTypeUser))
 	w := httptest.NewRecorder()
 	h.Deactivate(w, req)
 	if w.Code != http.StatusConflict {
 		t.Errorf("status = %d; want 409", w.Code)
 	}
 	// Cascade-revoke must NOT have fired.
 	if rev.called {
 		t.Error("RevokeAllForActor was called on a self-deactivate; the guard must short-circuit before cascade")
 	}
 	// Row must still be active.
 	row, _ := users.Get(context.Background(), "u-admin")
 	if row.DeactivatedAt != nil {
 		t.Error("user row was deactivated despite the self-deactivate guard")
 	}
 	// Audit row must record the rejection.
 	found := false
 	for _, e := range audit.events {
 		if e == "auth.user_deactivate_self_rejected" {
 			found = true
 			break
 		}
 	}
 	if !found {
 		t.Errorf("audit events missing self-reject marker: %v", audit.events)
 	}
 }
 func TestAuthUsers_Deactivate_OtherUser_HappyPath(t *testing.T) {
 	users := newStubFullUserRepo()
 	users.rows["u-admin"] = newSeededUser("u-admin", nil)
 	users.rows["u-target"] = newSeededUser("u-target", nil)
 	rev := &stubRevoker{}
 	audit := &stubAuditRecorder{}
 	h := NewAuthUsersHandler(users, rev, audit, "t-default")
 	req := httptest.NewRequest(http.MethodDelete, "/api/v1/auth/users/u-target", nil)
 	req.SetPathValue("id", "u-target")
 	req = withActor(req, "u-admin", string(domain.ActorTypeUser))
 	w := httptest.NewRecorder()
 	h.Deactivate(w, req)
 	if w.Code != http.StatusNoContent {
 		t.Errorf("status = %d; want 204", w.Code)
 	}
 	if !rev.called || rev.actorID != "u-target" || rev.actorType != string(domain.ActorTypeUser) {
 		t.Errorf("cascade-revoke did not fire correctly: called=%v id=%q type=%q",
 			rev.called, rev.actorID, rev.actorType)
 	}
 	row, _ := users.Get(context.Background(), "u-target")
 	if row.DeactivatedAt == nil {
 		t.Error("user row was not soft-deleted")
 	}
 }
 // =============================================================================
 // Reactivate (Audit 2026-05-11 A-2)
 // =============================================================================
 func TestAuthUsers_Reactivate_HappyPath(t *testing.T) {
 	now := time.Now().UTC()
 	users := newStubFullUserRepo()
 	users.rows["u-target"] = newSeededUser("u-target", &now)
 	audit := &stubAuditRecorder{}
 	h := NewAuthUsersHandler(users, &stubRevoker{}, audit, "t-default")
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/users/u-target/reactivate", nil)
 	req.SetPathValue("id", "u-target")
 	req = withActor(req, "u-admin", string(domain.ActorTypeUser))
 	w := httptest.NewRecorder()
 	h.Reactivate(w, req)
 	if w.Code != http.StatusNoContent {
 		t.Errorf("status = %d; want 204", w.Code)
 	}
 	row, _ := users.Get(context.Background(), "u-target")
 	if row.DeactivatedAt != nil {
 		t.Errorf("user row still deactivated after reactivate: %v", row.DeactivatedAt)
 	}
 	// Audit row.
 	if len(audit.events) == 0 || audit.events[len(audit.events)-1] != "auth.user_reactivated" {
 		t.Errorf("audit events missing reactivate marker: %v", audit.events)
 	}
 }
 func TestAuthUsers_Reactivate_IdempotentOnActiveUser(t *testing.T) {
 	users := newStubFullUserRepo()
 	users.rows["u-target"] = newSeededUser("u-target", nil) // already active
 	audit := &stubAuditRecorder{}
 	h := NewAuthUsersHandler(users, &stubRevoker{}, audit, "t-default")
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/users/u-target/reactivate", nil)
 	req.SetPathValue("id", "u-target")
 	req = withActor(req, "u-admin", string(domain.ActorTypeUser))
 	w := httptest.NewRecorder()
 	h.Reactivate(w, req)
 	if w.Code != http.StatusNoContent {
 		t.Errorf("status = %d; want 204", w.Code)
 	}
 	// Idempotent — no audit event for the no-op.
 	for _, e := range audit.events {
 		if e == "auth.user_reactivated" {
 			t.Errorf("reactivate emitted audit row on an already-active user (no-op should be silent)")
 		}
 	}
 }
 func TestAuthUsers_Reactivate_UnknownID(t *testing.T) {
 	users := newStubFullUserRepo()
 	audit := &stubAuditRecorder{}
 	h := NewAuthUsersHandler(users, &stubRevoker{}, audit, "t-default")
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/users/u-missing/reactivate", nil)
 	req.SetPathValue("id", "u-missing")
 	req = withActor(req, "u-admin", string(domain.ActorTypeUser))
 	w := httptest.NewRecorder()
 	h.Reactivate(w, req)
 	if w.Code != http.StatusNotFound {
 		t.Errorf("status = %d; want 404", w.Code)
 	}
 }
 func TestAuthUsers_Reactivate_MissingID(t *testing.T) {
 	h := NewAuthUsersHandler(newStubFullUserRepo(), &stubRevoker{}, &stubAuditRecorder{}, "t-default")
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/users//reactivate", nil)
 	// Intentionally do not SetPathValue — handler must reject the empty
 	// id with 400.
 	req = withActor(req, "u-admin", string(domain.ActorTypeUser))
 	w := httptest.NewRecorder()
 	h.Reactivate(w, req)
 	if w.Code != http.StatusBadRequest {
 		t.Errorf("status = %d; want 400", w.Code)
 	}
 }
 func TestAuthUsers_Reactivate_UpdateError(t *testing.T) {
 	now := time.Now().UTC()
 	users := newStubFullUserRepo()
 	users.rows["u-target"] = newSeededUser("u-target", &now)
 	users.updateErr = errors.New("postgres exploded")
 	h := NewAuthUsersHandler(users, &stubRevoker{}, &stubAuditRecorder{}, "t-default")
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/users/u-target/reactivate", nil)
 	req.SetPathValue("id", "u-target")
 	req = withActor(req, "u-admin", string(domain.ActorTypeUser))
 	w := httptest.NewRecorder()
 	h.Reactivate(w, req)
 	if w.Code != http.StatusInternalServerError {
 		t.Errorf("status = %d; want 500", w.Code)
 	}
 }
@@ -0,0 +1,120 @@
 package handler
 import (
 	"context"
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"time"
 	"github.com/certctl-io/certctl/internal/repository"
 )
 // Audit 2026-05-10 HIGH-3 closure — regression tests pinning the
 // jti consumed-set replay defense. Pre-fix the handler accepted any
 // logout_token whose iat + jti were syntactically present; captured
 // tokens were replayable indefinitely.
 // stubBCLReplay tracks ConsumeJTI calls for the replay-cache tests.
 type stubBCLReplay struct {
 	consumed map[string]bool // key = jti|iss
 	forceErr error           // when set, ConsumeJTI returns this (transient path)
 }
 func (s *stubBCLReplay) ConsumeJTI(_ context.Context, jti, iss string, _ time.Duration) error {
 	if s.forceErr != nil {
 		return s.forceErr
 	}
 	if s.consumed == nil {
 		s.consumed = map[string]bool{}
 	}
 	key := jti + "|" + iss
 	if s.consumed[key] {
 		return repository.ErrBCLJTIAlreadyConsumed
 	}
 	s.consumed[key] = true
 	return nil
 }
 // TestBackChannelLogout_FirstReceiveConsumesJTI pins the happy path —
 // first BCL with a given (jti, iss) succeeds + records the pair.
 func TestBackChannelLogout_FirstReceiveConsumesJTI(t *testing.T) {
 	bcl := &stubBCLVerifier{
 		issuer: "https://idp.example.com",
 		sub:    "alice@example.com",
 		jti:    "logout-jti-1",
 		iat:    time.Now().Unix(),
 	}
 	replay := &stubBCLReplay{}
 	h, _, _, _, _, _ := newPhase5Handler(t, &stubOIDCSvc{}, &stubSession{}, bcl)
 	h.WithBCLReplayConsumer(replay, 60*time.Second)
 	req := httptest.NewRequest(http.MethodPost, "/auth/oidc/back-channel-logout",
 		strings.NewReader("logout_token=eyJ.payload.sig"))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	w := httptest.NewRecorder()
 	h.BackChannelLogout(w, req)
 	if w.Code != http.StatusOK {
 		t.Fatalf("status = %d; want 200", w.Code)
 	}
 	if !replay.consumed["logout-jti-1|https://idp.example.com"] {
 		t.Errorf("expected (jti, iss) to be recorded; consumed=%v", replay.consumed)
 	}
 }
 // TestBackChannelLogout_ReplayedJTIReturns200WithAudit pins §2.7
 // idempotency: replay returns 200 + audit outcome=jti_replayed.
 func TestBackChannelLogout_ReplayedJTIReturns200WithAudit(t *testing.T) {
 	bcl := &stubBCLVerifier{
 		issuer: "https://idp.example.com",
 		sub:    "alice@example.com",
 		jti:    "logout-jti-1",
 		iat:    time.Now().Unix(),
 	}
 	replay := &stubBCLReplay{consumed: map[string]bool{"logout-jti-1|https://idp.example.com": true}}
 	h, _, _, _, audit, _ := newPhase5Handler(t, &stubOIDCSvc{}, &stubSession{}, bcl)
 	h.WithBCLReplayConsumer(replay, 60*time.Second)
 	req := httptest.NewRequest(http.MethodPost, "/auth/oidc/back-channel-logout",
 		strings.NewReader("logout_token=eyJ.payload.sig"))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	w := httptest.NewRecorder()
 	h.BackChannelLogout(w, req)
 	if w.Code != http.StatusOK {
 		t.Fatalf("status = %d; want 200 (idempotent on replay)", w.Code)
 	}
 	if cc := w.Header().Get("Cache-Control"); cc != "no-store" {
 		t.Errorf("Cache-Control = %q; want no-store", cc)
 	}
 	if !contains(audit.events, "auth.oidc_back_channel_logout") {
 		t.Errorf("expected audit event with outcome=jti_replayed")
 	}
 }
 // TestBackChannelLogout_TransientConsumeFailureReturns503 pins the
 // transient-error path: ConsumeJTI returns a non-ErrAlreadyConsumed
 // error → 503 so the IdP retries.
 func TestBackChannelLogout_TransientConsumeFailureReturns503(t *testing.T) {
 	bcl := &stubBCLVerifier{
 		issuer: "https://idp.example.com",
 		sub:    "alice@example.com",
 		jti:    "logout-jti-1",
 		iat:    time.Now().Unix(),
 	}
 	replay := &stubBCLReplay{forceErr: errors.New("db connection reset")}
 	h, _, _, _, _, _ := newPhase5Handler(t, &stubOIDCSvc{}, &stubSession{}, bcl)
 	h.WithBCLReplayConsumer(replay, 60*time.Second)
 	req := httptest.NewRequest(http.MethodPost, "/auth/oidc/back-channel-logout",
 		strings.NewReader("logout_token=eyJ.payload.sig"))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	w := httptest.NewRecorder()
 	h.BackChannelLogout(w, req)
 	if w.Code != http.StatusServiceUnavailable {
 		t.Errorf("status = %d; want 503 (transient consume failure)", w.Code)
 	}
 }
@@ -172,7 +172,7 @@ func authenticatedContext(actor string) context.Context {
 	type userKey struct{}
 	// The middleware UserKey is a private type in the middleware package, so
 	// in this handler test we can't construct one directly. Bulk-renew and
-	// bulk-reassign read the actor through the same middleware.GetUser path
+	// bulk-reassign read the actor through the same auth.GetUser path
 	// that bulk-revoke does — adminContext() in the existing test suite is
 	// the canonical helper. Reuse it (delivers both UserKey and AdminKey).
 	_ = userKey{}
@@ -11,6 +11,7 @@ import (
 	"testing"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
 )
@@ -30,7 +31,7 @@ func (m *mockBulkRenewalService) BulkRenew(ctx context.Context, criteria domain.
 // bulk-renew is NOT admin-gated, any authenticated caller can use it.
 func authedContext() context.Context {
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id-renew")
-	ctx = context.WithValue(ctx, middleware.UserKey{}, "alice")
+	ctx = context.WithValue(ctx, auth.UserKey{}, "alice")
 	return ctx
 }
@@ -126,7 +127,7 @@ func TestBulkRenew_Handler_ActorAttribution(t *testing.T) {
 	h.BulkRenew(w, req)
 	if capturedActor != "alice" {
-		t.Errorf("actor not threaded from middleware.UserKey: got %q, want 'alice'", capturedActor)
+		t.Errorf("actor not threaded from auth.UserKey: got %q, want 'alice'", capturedActor)
 	}
 }
@@ -50,15 +50,12 @@ func (h BulkRevocationHandler) BulkRevoke(w http.ResponseWriter, r *http.Request
 	requestID := middleware.GetRequestID(r.Context())
-	// M-003: admin-only gate. Non-admin callers are rejected before any
+	// Bundle 1 Phase 3.5: M-003 admin-only gate moved to router.go.
-	// criteria/body processing to avoid leaking validation behavior to
+	// auth.RequirePermission(checker, "cert.bulk_revoke", nil) wraps
-	// unauthorized actors.
+	// this handler at registration time; non-admin callers without
-	if !middleware.IsAdmin(r.Context()) {
+	// the cert.bulk_revoke permission get 403 from the middleware
-		ErrorWithRequestID(w, http.StatusForbidden,
+	// before reaching the handler body. The pre-3.5 in-body
-			"Bulk revocation requires admin privileges",
+	// auth.IsAdmin check is gone.
 			requestID)
 		return
 	}
 	var req bulkRevokeRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
@@ -127,11 +124,7 @@ func (h BulkRevocationHandler) BulkRevokeEST(w http.ResponseWriter, r *http.Requ
 		return
 	}
 	requestID := middleware.GetRequestID(r.Context())
-	if !middleware.IsAdmin(r.Context()) {
+	// Bundle 1 Phase 3.5: gate moved to router.go (cert.bulk_revoke perm).
 		ErrorWithRequestID(w, http.StatusForbidden,
 			"EST bulk revocation requires admin privileges", requestID)
 		return
 	}
 	var req bulkRevokeRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID)
@@ -41,30 +41,12 @@ func TestBulkRevokeEST_AdminTrue_PinsSourceToEST(t *testing.T) {
 	}
 }
-func TestBulkRevokeEST_NonAdmin_Returns403(t *testing.T) {
+// TestBulkRevokeEST_NonAdmin_Returns403 was deleted as part of Bundle 1
-	called := false
+// Phase 3.5: the in-handler auth.IsAdmin gate moved to router.go via
-	svc := &mockBulkRevocationService{
+// auth.RequirePermission(checker, "cert.bulk_revoke", nil). The
-		BulkRevokeFn: func(_ context.Context, _ domain.BulkRevocationCriteria, _ string, _ string) (*domain.BulkRevocationResult, error) {
+// non-admin rejection is now exercised by the router-level integration
-			called = true
+// suite (internal/api/router/rbac_gate_integration_test.go) rather
-			return nil, nil
+// than by a direct-handler test that bypasses middleware.
 		},
 	}
 	h := NewBulkRevocationHandler(svc)
 	body := `{"reason":"keyCompromise","profile_id":"prof-iot"}`
 	req := httptest.NewRequest(http.MethodPost,
 		"/api/v1/est/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	// non-admin context (no AdminKey).
 	req = req.WithContext(context.Background())
 	w := httptest.NewRecorder()
 	h.BulkRevokeEST(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Errorf("non-admin status = %d, want 403", w.Code)
 	}
 	if called {
 		t.Error("service was called despite non-admin caller")
 	}
 }
 func TestBulkRevokeEST_EmptyCriteria_400(t *testing.T) {
 	svc := &mockBulkRevocationService{}
@@ -7,10 +7,10 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
 )
@@ -31,7 +31,7 @@ func (m *mockBulkRevocationService) BulkRevoke(ctx context.Context, criteria dom
 // M-003: bulk revocation handler requires admin context to reach the service.
 func adminContext() context.Context {
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id-bulk")
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
 	return ctx
 }
@@ -194,65 +194,11 @@ func TestBulkRevoke_ServiceError_500(t *testing.T) {
 // for M-003. A caller without an admin-tagged context must be rejected with
 // HTTP 403, regardless of how well-formed its body is, and the service layer
 // must never see the request.
 func TestBulkRevoke_NonAdmin_Returns403(t *testing.T) {
 	var serviceCalled bool
 	svc := &mockBulkRevocationService{
 		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
 			serviceCalled = true
 			return &domain.BulkRevocationResult{}, nil
 		},
 	}
 	h := NewBulkRevocationHandler(svc)
 	// Well-formed body + well-formed reason + filter — the only thing
 	// missing is an admin-tagged context. The gate must still fire.
 	body := `{"reason":"keyCompromise","certificate_ids":["mc-1","mc-2"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	req = req.WithContext(contextWithRequestID()) // request id only, no admin flag
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected status 403, got %d (body=%q)", w.Code, w.Body.String())
 	}
 	var resp map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
 		t.Fatalf("failed to decode response: %v", err)
 	}
 	msg, _ := resp["message"].(string)
 	if !strings.Contains(strings.ToLower(msg), "admin") {
 		t.Errorf("expected message to mention admin requirement, got %q", msg)
 	}
 	if serviceCalled {
 		t.Errorf("service was invoked despite non-admin caller — gate failed open")
 	}
 }
 // TestBulkRevoke_AdminExplicitFalse_Returns403 pins the specific case where the
 // AdminKey exists but is set to false — e.g., a non-admin named-key caller.
 // Without this we could regress to "key missing == deny, key present == allow"
 // which would silently grant a false flag.
 func TestBulkRevoke_AdminExplicitFalse_Returns403(t *testing.T) {
 	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
 	body := `{"reason":"keyCompromise","certificate_ids":["mc-1"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
 	ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected status 403 for admin=false, got %d", w.Code)
 	}
 }
 // TestBulkRevoke_AdminPermitted_ForwardsActor confirms the happy path:
 // an admin-tagged context reaches the service and the actor (from the auth
@@ -273,8 +219,8 @@ func TestBulkRevoke_AdminPermitted_ForwardsActor(t *testing.T) {
 	req.Header.Set("Content-Type", "application/json")
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
-	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
+	ctx = context.WithValue(ctx, auth.UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
@@ -0,0 +1,170 @@
 package handler
 import (
 	"context"
 	"errors"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"github.com/certctl-io/certctl/internal/domain"
 )
 // Coverage fill — v2.1.0 release gate Phase 3.
 //
 // A handful of constructor + setter + small-method functions added in
 // recent fix bundles shipped without tests. The package-average
 // floor (75%) trips because each 0%-function drags the script's
 // per-function average down. The tests below cover the easy ones to
 // lift the average back across.
 // =============================================================================
 // auth_session_oidc.go — WithPermissionChecker setter (added in MED-2).
 // =============================================================================
 type fakeOIDCPermChecker struct{}
 func (f *fakeOIDCPermChecker) CheckPermission(_ context.Context, _, _, _, _, _ string, _ *string) (bool, error) {
 	return true, nil
 }
 func TestAuthSessionOIDCHandler_WithPermissionChecker_ReturnsSelfAndSetsField(t *testing.T) {
 	h := &AuthSessionOIDCHandler{}
 	got := h.WithPermissionChecker(&fakeOIDCPermChecker{})
 	if got != h {
 		t.Errorf("WithPermissionChecker must return receiver for chaining; got %p, want %p", got, h)
 	}
 	if h.checker == nil {
 		t.Errorf("WithPermissionChecker must install the checker; got nil")
 	}
 }
 // =============================================================================
 // admin_crl_cache.go — NewAdminCRLCacheServiceImpl + CacheRows (added by
 // the CRL-cache admin panel; never had handler-layer tests).
 // =============================================================================
 type fakeCRLCacheRepo struct {
 	getErr error
 }
 func (f *fakeCRLCacheRepo) Get(_ context.Context, _ string) (*domain.CRLCacheEntry, error) {
 	return nil, f.getErr
 }
 func (f *fakeCRLCacheRepo) Put(_ context.Context, _ *domain.CRLCacheEntry) error {
 	return nil
 }
 func (f *fakeCRLCacheRepo) NextCRLNumber(_ context.Context, _ string) (int64, error) {
 	return 1, nil
 }
 func (f *fakeCRLCacheRepo) RecordGenerationEvent(_ context.Context, _ *domain.CRLGenerationEvent) error {
 	return nil
 }
 func (f *fakeCRLCacheRepo) ListGenerationEvents(_ context.Context, _ string, _ int) ([]*domain.CRLGenerationEvent, error) {
 	return nil, nil
 }
 func TestNewAdminCRLCacheServiceImpl_ConstructsWithDefaults(t *testing.T) {
 	repo := &fakeCRLCacheRepo{}
 	idsFn := func() []string { return []string{"iss-1", "iss-2"} }
 	svc := NewAdminCRLCacheServiceImpl(repo, idsFn)
 	if svc == nil {
 		t.Fatalf("NewAdminCRLCacheServiceImpl returned nil")
 	}
 	if svc.cacheRepo == nil || svc.issuerIDs == nil || svc.now == nil {
 		t.Errorf("constructor must wire all fields; got cacheRepo=%v issuerIDs!=nil=%v now!=nil=%v",
 			svc.cacheRepo, svc.issuerIDs != nil, svc.now != nil)
 	}
 	if svc.eventLimit != 5 {
 		t.Errorf("expected default eventLimit=5; got %d", svc.eventLimit)
 	}
 }
 func TestAdminCRLCacheServiceImpl_CacheRows_EmptyIssuerListYieldsEmptyResult(t *testing.T) {
 	svc := NewAdminCRLCacheServiceImpl(&fakeCRLCacheRepo{}, func() []string { return nil })
 	rows, err := svc.CacheRows(context.Background())
 	if err != nil {
 		t.Fatalf("CacheRows on empty issuer list: %v", err)
 	}
 	if len(rows) != 0 {
 		t.Errorf("expected 0 rows for empty issuer list; got %d", len(rows))
 	}
 }
 // =============================================================================
 // acme.go small helpers — itoaForRetryAfter + challengeURLBuilder.
 // These are pure-helper functions added to the ACME surface; tested
 // here to lift the package-average over the 75 floor.
 // =============================================================================
 func TestItoaForRetryAfter(t *testing.T) {
 	cases := []struct {
 		in   int
 		want string
 	}{
 		{0, "0"},
 		{1, "1"},
 		{42, "42"},
 		{-5, "-5"},
 		{12345, "12345"},
 	}
 	for _, c := range cases {
 		got := itoaForRetryAfter(c.in)
 		if got != c.want {
 			t.Errorf("itoaForRetryAfter(%d) = %q, want %q", c.in, got, c.want)
 		}
 	}
 }
 func TestChallengeURLBuilder_ProfilePrefixAndHTTPS(t *testing.T) {
 	req := httptest.NewRequest("GET", "https://certctl.local/acme/profile/p1/order", nil)
 	req.TLS = nil  // simulate HTTP
 	req.Host = "x" // override
 	h := ACMEHandler{}
 	build := h.challengeURLBuilder(req, "p1")
 	got := build("chal-abc")
 	if !strings.HasPrefix(got, "http://x/acme/profile/p1/challenge/") {
 		t.Errorf("unexpected URL: %q", got)
 	}
 	if !strings.HasSuffix(got, "/chal-abc") {
 		t.Errorf("unexpected URL suffix: %q", got)
 	}
 }
 func TestChallengeURLBuilder_NoProfileFallsBackToShortPath(t *testing.T) {
 	req := httptest.NewRequest("GET", "http://certctl.local/acme/order", nil)
 	req.Host = "y"
 	h := ACMEHandler{}
 	build := h.challengeURLBuilder(req, "")
 	got := build("chal-1")
 	if !strings.Contains(got, "/acme/challenge/chal-1") {
 		t.Errorf("expected /acme/challenge/chal-1 fallback; got %q", got)
 	}
 	if strings.Contains(got, "/profile/") {
 		t.Errorf("must NOT contain /profile/ when profileID is empty; got %q", got)
 	}
 }
 func TestAdminCRLCacheServiceImpl_CacheRows_PerIssuerErrorSurfacesAsEvent(t *testing.T) {
 	svc := NewAdminCRLCacheServiceImpl(
 		&fakeCRLCacheRepo{getErr: errors.New("lookup failed")},
 		func() []string { return []string{"iss-broken"} },
 	)
 	rows, err := svc.CacheRows(context.Background())
 	if err != nil {
 		t.Fatalf("CacheRows must NOT short-circuit on per-issuer failure: %v", err)
 	}
 	if len(rows) != 1 {
 		t.Fatalf("expected 1 row; got %d", len(rows))
 	}
 	if rows[0].IssuerID != "iss-broken" {
 		t.Errorf("expected issuer-id passthrough; got %q", rows[0].IssuerID)
 	}
 	if len(rows[0].RecentEvents) == 0 {
 		t.Fatalf("expected at least 1 RecentEvent for the lookup failure")
 	}
 	ev := rows[0].RecentEvents[0]
 	if ev.Succeeded {
 		t.Errorf("expected Succeeded=false on lookup failure")
 	}
 }
@@ -0,0 +1,134 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
 	authdomain "github.com/certctl-io/certctl/internal/domain/auth"
 )
 // DemoResidualCleanupFn deletes every live actor_roles row for the
 // synthetic actor-demo-anon and returns the count removed. Provided by
 // cmd/server/main.go which holds the *sql.DB. Returning an error from
 // this func surfaces as HTTP 500; returning (0, nil) is the legitimate
 // "nothing to clean up" idempotent response.
 type DemoResidualCleanupFn func(ctx context.Context) (int64, error)
 // DemoResidualHandler exposes POST /api/v1/auth/demo-residual/cleanup —
 // an admin-gated convenience endpoint that removes residual
 // actor-demo-anon role grants from a deployment that previously ran
 // CERTCTL_AUTH_TYPE=none (or any deployment, since migration 000029
 // seeds the row unconditionally). Audit 2026-05-11 A-8 closure.
 //
 // The endpoint refuses to run when the server is currently in demo
 // mode (Auth.Type == "none") because the residual IS the active
 // runtime state at that auth type; deleting it would break the demo
 // path. The 503 response makes the constraint observable to the GUI.
 type DemoResidualHandler struct {
 	cleanup     DemoResidualCleanupFn
 	authType    func() string
 	auditWriter AuditWriter
 }
 // AuditWriter is the minimal projection of *service.AuditService that
 // the DemoResidualHandler uses. Kept local to avoid pulling the full
 // service package into the handler's import set.
 type AuditWriter interface {
 	RecordEventWithCategory(
 		ctx context.Context, actor string, actorType domain.ActorType,
 		action, eventCategory, resourceType, resourceID string,
 		details map[string]interface{},
 	) error
 }
 // NewDemoResidualHandler wires the cleanup function and auth-type
 // getter. authType is a closure so the handler always sees the
 // live config value (post-startup mutation is unsupported, but
 // the closure pattern keeps the dependency direction clean).
 func NewDemoResidualHandler(
 	cleanup DemoResidualCleanupFn,
 	authType func() string,
 	audit AuditWriter,
 ) DemoResidualHandler {
 	return DemoResidualHandler{
 		cleanup:     cleanup,
 		authType:    authType,
 		auditWriter: audit,
 	}
 }
 // demoResidualCleanupResponse is the JSON body returned by POST
 // /api/v1/auth/demo-residual/cleanup. Removed is the count of
 // actor_roles rows that were live for actor-demo-anon at the time
 // of the call. Always present; idempotent calls return removed=0.
 type demoResidualCleanupResponse struct {
 	Removed int64 `json:"removed"`
 }
 // Cleanup handles POST /api/v1/auth/demo-residual/cleanup. RBAC-gated
 // at the router via auth.role.assign (the admin-class permission).
 // Rejects requests when the server is in demo mode (Auth.Type=none)
 // with HTTP 503. Emits an audit row recording the count removed +
 // the caller actor on every successful run.
 func (h DemoResidualHandler) Cleanup(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	if h.cleanup == nil {
 		_ = Error(w, http.StatusInternalServerError, "demo-residual cleanup not configured")
 		return
 	}
 	authType := ""
 	if h.authType != nil {
 		authType = h.authType()
 	}
 	if authType == "none" {
 		// Refusing to "clean up" the active demo-mode state. The
 		// GUI surface should hide the button when /api/v1/auth/info
 		// reports auth_type=none; this guard is defense-in-depth.
 		_ = Error(w, http.StatusServiceUnavailable,
 			"demo-residual cleanup refused: server is currently in demo mode (CERTCTL_AUTH_TYPE=none); the actor-demo-anon grants are the active runtime state at this auth type")
 		return
 	}
 	removed, err := h.cleanup(ctx)
 	if err != nil {
 		_ = Error(w, http.StatusInternalServerError, "demo-residual cleanup failed")
 		return
 	}
 	// Audit row records the count removed + the caller. The actor is
 	// pulled from the request context (set by the auth middleware
 	// chain after the rbacGate at the router level has authorized).
 	if h.auditWriter != nil {
 		actorID, _ := r.Context().Value(auth.ActorIDKey{}).(string)
 		if actorID == "" {
 			actorID = "unknown"
 		}
 		actorTypeRaw, _ := r.Context().Value(auth.ActorTypeKey{}).(string)
 		actorType := domain.ActorType(actorTypeRaw)
 		if actorType == "" {
 			actorType = domain.ActorTypeAPIKey
 		}
 		_ = h.auditWriter.RecordEventWithCategory(
 			ctx, actorID, actorType,
 			"auth.demo_residual_grants_cleaned",
 			domain.EventCategoryAuth,
 			"actor_roles", authdomain.DemoAnonActorID,
 			map[string]interface{}{"removed": removed},
 		)
 	}
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
 	_ = json.NewEncoder(w).Encode(demoResidualCleanupResponse{Removed: removed})
 }
 // ErrDemoResidualNotConfigured is returned by callers that probe the
 // handler's wiring state. Currently unused outside tests but exported
 // to keep the contract observable for documentation purposes.
 var ErrDemoResidualNotConfigured = errors.New("demo-residual cleanup not configured")
@@ -0,0 +1,229 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"sync/atomic"
 	"testing"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
 )
 // Audit 2026-05-11 A-8 — DemoResidualHandler regression coverage.
 // Uses fake closures for the cleanup + authType deps so the test
 // stays stdlib + httptest only (no DB needed). DB-shape coverage
 // lives in cmd/server/preflight_demo_residual_test.go.
 func fakeAuthType(s string) func() string { return func() string { return s } }
 // fakeAuditWriter captures the last RecordEventWithCategory invocation.
 type fakeAuditWriter struct {
 	called   atomic.Bool
 	lastCall struct {
 		actor, action, category, resourceType, resourceID string
 		details                                           map[string]interface{}
 	}
 }
 func (f *fakeAuditWriter) RecordEventWithCategory(
 	ctx context.Context, actor string, actorType domain.ActorType,
 	action, eventCategory, resourceType, resourceID string,
 	details map[string]interface{},
 ) error {
 	f.called.Store(true)
 	f.lastCall.actor = actor
 	f.lastCall.action = action
 	f.lastCall.category = eventCategory
 	f.lastCall.resourceType = resourceType
 	f.lastCall.resourceID = resourceID
 	f.lastCall.details = details
 	return nil
 }
 func authCtxReq(method, path string, actor string) *http.Request {
 	req := httptest.NewRequest(method, path, nil)
 	ctx := context.WithValue(req.Context(), auth.ActorIDKey{}, actor)
 	ctx = context.WithValue(ctx, auth.ActorTypeKey{}, string(domain.ActorTypeAPIKey))
 	return req.WithContext(ctx)
 }
 // TestDemoResidualCleanup_HappyPath — fake cleanup returns 3 rows
 // removed; handler emits 200 + JSON body {removed:3} + audit row.
 func TestDemoResidualCleanup_HappyPath(t *testing.T) {
 	audit := &fakeAuditWriter{}
 	h := NewDemoResidualHandler(
 		func(ctx context.Context) (int64, error) { return 3, nil },
 		fakeAuthType("api-key"),
 		audit,
 	)
 	rec := httptest.NewRecorder()
 	h.Cleanup(rec, authCtxReq(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", "k-admin"))
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
 	}
 	var body demoResidualCleanupResponse
 	if err := json.Unmarshal(rec.Body.Bytes(), &body); err != nil {
 		t.Fatalf("decode body: %v", err)
 	}
 	if body.Removed != 3 {
 		t.Errorf("removed = %d, want 3", body.Removed)
 	}
 	// Audit row must be emitted with the right category + caller actor.
 	if !audit.called.Load() {
 		t.Fatal("expected audit RecordEventWithCategory to be called")
 	}
 	if audit.lastCall.action != "auth.demo_residual_grants_cleaned" {
 		t.Errorf("audit action = %q, want auth.demo_residual_grants_cleaned", audit.lastCall.action)
 	}
 	if audit.lastCall.category != domain.EventCategoryAuth {
 		t.Errorf("audit category = %q, want %q", audit.lastCall.category, domain.EventCategoryAuth)
 	}
 	if audit.lastCall.actor != "k-admin" {
 		t.Errorf("audit actor = %q, want k-admin", audit.lastCall.actor)
 	}
 	if audit.lastCall.resourceID != "actor-demo-anon" {
 		t.Errorf("audit resource_id = %q, want actor-demo-anon", audit.lastCall.resourceID)
 	}
 	if got, ok := audit.lastCall.details["removed"].(int64); !ok || got != 3 {
 		t.Errorf("audit details.removed = %v, want 3", audit.lastCall.details["removed"])
 	}
 }
 // TestDemoResidualCleanup_Idempotent_ReturnsZero — fake cleanup returns
 // (0, nil); the handler still emits 200 + body {removed:0} + audit.
 func TestDemoResidualCleanup_Idempotent_ReturnsZero(t *testing.T) {
 	audit := &fakeAuditWriter{}
 	h := NewDemoResidualHandler(
 		func(ctx context.Context) (int64, error) { return 0, nil },
 		fakeAuthType("api-key"),
 		audit,
 	)
 	rec := httptest.NewRecorder()
 	h.Cleanup(rec, authCtxReq(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", "k-admin"))
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200", rec.Code)
 	}
 	var body demoResidualCleanupResponse
 	if err := json.Unmarshal(rec.Body.Bytes(), &body); err != nil {
 		t.Fatalf("decode body: %v", err)
 	}
 	if body.Removed != 0 {
 		t.Errorf("removed = %d, want 0", body.Removed)
 	}
 	// Audit row should STILL fire on a no-op cleanup so the operator's
 	// action is recorded. This is intentional — the cleanup endpoint is
 	// admin-class and every invocation should leave a trail.
 	if !audit.called.Load() {
 		t.Error("audit row must fire even on no-op cleanup")
 	}
 }
 // TestDemoResidualCleanup_RejectsInDemoMode — Auth.Type=none returns 503.
 func TestDemoResidualCleanup_RejectsInDemoMode(t *testing.T) {
 	audit := &fakeAuditWriter{}
 	var cleanupCalled atomic.Bool
 	h := NewDemoResidualHandler(
 		func(ctx context.Context) (int64, error) {
 			cleanupCalled.Store(true)
 			return 0, nil
 		},
 		fakeAuthType("none"),
 		audit,
 	)
 	rec := httptest.NewRecorder()
 	h.Cleanup(rec, authCtxReq(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", "k-admin"))
 	if rec.Code != http.StatusServiceUnavailable {
 		t.Fatalf("status = %d, want 503; body=%s", rec.Code, rec.Body.String())
 	}
 	if !strings.Contains(rec.Body.String(), "demo mode") {
 		t.Errorf("body = %q, want mention of demo mode", rec.Body.String())
 	}
 	// The cleanup closure must NOT have been called.
 	if cleanupCalled.Load() {
 		t.Error("cleanup closure called despite demo-mode reject")
 	}
 	// No audit row should fire on rejection — the action didn't happen.
 	if audit.called.Load() {
 		t.Error("audit row fired on rejected cleanup; should not")
 	}
 }
 // TestDemoResidualCleanup_CleanupError_Surfaces500 — cleanup func
 // returns an error; handler emits 500.
 func TestDemoResidualCleanup_CleanupError_Surfaces500(t *testing.T) {
 	audit := &fakeAuditWriter{}
 	h := NewDemoResidualHandler(
 		func(ctx context.Context) (int64, error) { return 0, errors.New("boom") },
 		fakeAuthType("api-key"),
 		audit,
 	)
 	rec := httptest.NewRecorder()
 	h.Cleanup(rec, authCtxReq(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", "k-admin"))
 	if rec.Code != http.StatusInternalServerError {
 		t.Fatalf("status = %d, want 500", rec.Code)
 	}
 	if audit.called.Load() {
 		t.Error("audit row fired on cleanup error; should not")
 	}
 }
 // TestDemoResidualCleanup_NilCleanupFn — handler with no wired
 // cleanup returns 500 (defensive — should never happen in prod, but
 // the contract should be observable).
 func TestDemoResidualCleanup_NilCleanupFn(t *testing.T) {
 	h := DemoResidualHandler{cleanup: nil, authType: fakeAuthType("api-key")}
 	rec := httptest.NewRecorder()
 	h.Cleanup(rec, authCtxReq(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", "k-admin"))
 	if rec.Code != http.StatusInternalServerError {
 		t.Fatalf("status = %d, want 500", rec.Code)
 	}
 }
 // TestDemoResidualCleanup_NilAuditWriter_DoesNotPanic — audit is
 // optional (Bundle-2 wiring may set it nil in tests / minimal configs).
 // Handler must still succeed with valid cleanup.
 func TestDemoResidualCleanup_NilAuditWriter_DoesNotPanic(t *testing.T) {
 	h := NewDemoResidualHandler(
 		func(ctx context.Context) (int64, error) { return 1, nil },
 		fakeAuthType("api-key"),
 		nil,
 	)
 	rec := httptest.NewRecorder()
 	h.Cleanup(rec, authCtxReq(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", "k-admin"))
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200", rec.Code)
 	}
 }
 // TestDemoResidualCleanup_MissingActorContext — caller without
 // ActorIDKey gets "unknown" recorded; the cleanup still runs. The
 // rbacGate at the router enforces that authenticated callers reach
 // this point, so missing actor context is purely a test-shape thing.
 func TestDemoResidualCleanup_MissingActorContext(t *testing.T) {
 	audit := &fakeAuditWriter{}
 	h := NewDemoResidualHandler(
 		func(ctx context.Context) (int64, error) { return 1, nil },
 		fakeAuthType("api-key"),
 		audit,
 	)
 	rec := httptest.NewRecorder()
 	// No auth context — bare httptest.NewRequest.
 	h.Cleanup(rec, httptest.NewRequest(http.MethodPost, "/api/v1/auth/demo-residual/cleanup", nil))
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200", rec.Code)
 	}
 	if audit.lastCall.actor != "unknown" {
 		t.Errorf("audit actor = %q, want unknown for missing actor context", audit.lastCall.actor)
 	}
 }
@@ -6,9 +6,34 @@ import (
 	"net/http"
 	"time"
-	"github.com/certctl-io/certctl/internal/api/middleware"
+	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
 	authdomain "github.com/certctl-io/certctl/internal/domain/auth"
 	"github.com/certctl-io/certctl/internal/repository"
 )
 // AuthCheckResolver is the optional dependency HealthHandler uses to enrich
 // the /v1/auth/check response with the caller's standing roles and
 // effective permission set. The auth handler's /v1/auth/me endpoint
 // returns the same shape; we duplicate it here so the GUI can render the
 // auth gate from a single round-trip on app boot. main.go wires this
 // from the same authsvc.ActorRoleService used by AuthHandler; tests pass
 // nil and AuthCheck degrades to the legacy minimal payload.
 //
 // Bundle 1 Phase 3 closure (M1): pre-closure, /v1/auth/check returned
 // only {status, user, admin}. The GUI had to second-fetch /v1/auth/me to
 // know which buttons to render — and Me is gated by the rbacGate on
 // auth.role.list which the GUI's pre-render path may not yet hold (chicken-
 // and-egg with the role-list affordance). Folding the same payload into
 // AuthCheck keeps the GUI's boot path single-shot.
 type AuthCheckResolver interface {
 	// ListRoles returns the actor's standing role grants.
 	ListRoles(ctx context.Context, actorID string, actorType domain.ActorType, tenantID string) ([]*authdomain.ActorRole, error)
 	// EffectivePermissions returns the deduplicated (perm, scope) triples
 	// the actor holds across all of its roles.
 	EffectivePermissions(ctx context.Context, actorID string, actorType domain.ActorType, tenantID string) ([]repository.EffectivePermission, error)
 }
 // HealthHandler handles health and readiness check endpoints.
 //
 // Bundle-5 / Audit H-006 / CWE-754 (Improper Check for Unusual or
@@ -45,6 +70,42 @@ type HealthHandler struct {
 	// ReadyProbeTimeout is the per-probe ceiling for the DB ping. Defaults
 	// to 2s when zero. Exposed so tests can shorten it.
 	ReadyProbeTimeout time.Duration
 	// AuthCheck (M1) — optional. When set, AuthCheck includes the caller's
 	// standing roles + effective permissions in the response so the GUI
 	// can gate affordances from a single fetch. Nil resolver degrades to
 	// the legacy {status, user, admin} payload (preserves test fixtures
 	// and the no-db deploy path).
 	Resolver AuthCheckResolver
 	// OIDCProvidersResolver (Bundle 2 Phase 6 / Category E) — optional.
 	// When set, AuthInfo additionally returns the list of configured
 	// OIDC providers (id, display_name, login_url) so the GUI Login
 	// page can render the correct buttons. Wired in cmd/server/main.go
 	// from the postgres OIDCProviderRepository. The endpoint stays
 	// auth-exempt; the providers list is public configuration (provider
 	// name + IdP URL — same info present in the IdP's discovery doc).
 	// Nil resolver preserves the pre-Phase-6 minimal payload shape so
 	// existing test fixtures + no-db deploys keep compiling.
 	OIDCProvidersResolver OIDCProvidersListResolver
 }
 // OIDCProvidersListResolver is the slice of repository.OIDCProviderRepository
 // the AuthInfo handler consumes for the Phase 6 GUI-facing providers
 // list. Defining the projection here keeps the handler decoupled from
 // the wider repo surface.
 type OIDCProvidersListResolver interface {
 	List(ctx context.Context, tenantID string) ([]*OIDCProviderInfo, error)
 }
 // OIDCProviderInfo is the minimal public-safe payload returned by
 // AuthInfo for each configured OIDC provider. The login_url is the
 // `/auth/oidc/login?provider=<id>` redirect target the GUI navigates
 // to when the user clicks the corresponding "Sign in with X" button.
 type OIDCProviderInfo struct {
 	ID          string `json:"id"`
 	DisplayName string `json:"display_name"`
 	LoginURL    string `json:"login_url"`
 }
 // NewHealthHandler creates a new HealthHandler.
@@ -53,6 +114,10 @@ type HealthHandler struct {
 // Ready returns 200 with {"db":"not_configured"} — preserves backwards
 // compatibility for the call sites that haven't wired the dependency yet.
 // Production main.go always passes a non-nil pool.
 //
 // Bundle 1 Phase 3 closure (M1): the resolver is wired separately via
 // HealthHandler.Resolver after construction so existing call sites
 // (legacy tests, no-db deploys) keep compiling without churn.
 func NewHealthHandler(authType string, db *sql.DB) HealthHandler {
 	return HealthHandler{
 		AuthType:          authType,
@@ -129,11 +194,31 @@ func (h HealthHandler) Ready(w http.ResponseWriter, r *http.Request) {
 // AuthInfo responds with the server's authentication configuration.
 // This lets the GUI know whether to show a login screen.
 // GET /api/v1/auth/info (served without auth middleware)
 //
 // Bundle 2 Phase 6 / Category E: when h.OIDCProvidersResolver is wired,
 // the response is extended with the list of configured OIDC providers
 // (id, display_name, login_url) so the GUI's Login page can render the
 // correct "Sign in with X" buttons. The endpoint stays auth-exempt;
 // the providers list is public configuration. Resolver lookups are
 // best-effort: failures fall back to the minimal payload rather than
 // 500-ing the GUI's auth probe.
 func (h HealthHandler) AuthInfo(w http.ResponseWriter, r *http.Request) {
 	response := map[string]interface{}{
 		"auth_type": h.AuthType,
 		"required":  h.AuthType != "none",
 	}
 	if h.OIDCProvidersResolver != nil {
 		// Audit 2026-05-10 MED-9 closure — the adapter
 		// (cmd/server/main.go::oidcProvidersListAdapter.List) filters
 		// disabled providers before constructing OIDCProviderInfo, so
 		// the LoginPage never sees a button for an offline IdP. The
 		// HandleAuthRequest service-layer ErrProviderDisabled check
 		// is the defense-in-depth guard for direct API / MCP / CLI
 		// callers that bypass the GUI.
 		if provs, err := h.OIDCProvidersResolver.List(r.Context(), authdomain.DefaultTenantID); err == nil {
 			response["oidc_providers"] = provs
 		}
 	}
 	JSON(w, http.StatusOK, response)
 }
@@ -145,15 +230,69 @@ func (h HealthHandler) AuthInfo(w http.ResponseWriter, r *http.Request) {
 // that would otherwise 403 at the server. This is a hint for UX only —
 // authorization remains enforced at the handler layer (bulk_revocation.go).
 //
 // Bundle 1 Phase 3 closure (M1): when HealthHandler.Resolver is wired,
 // the response is enriched with the caller's standing roles and effective
 // permissions. This mirrors the /v1/auth/me payload but lives on /auth/check
 // so the GUI can gate affordance rendering with a single fetch on app
 // boot. Resolver lookups are best-effort: failures fall back to the
 // legacy minimal payload rather than 500-ing the GUI's auth probe.
 //
 // The auth middleware runs before this handler, so reaching here means auth
 // passed. `user` falls back to an empty string when auth is disabled
 // (CERTCTL_AUTH_TYPE=none).
 // GET /api/v1/auth/check
 func (h HealthHandler) AuthCheck(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	response := map[string]interface{}{
 		"status": "authenticated",
-		"user":   middleware.GetUser(r.Context()),
+		"user":   auth.GetUser(ctx),
-		"admin":  middleware.IsAdmin(r.Context()),
+		"admin":  auth.IsAdmin(ctx),
 	}
 	if h.Resolver != nil {
 		actorID, _ := ctx.Value(auth.ActorIDKey{}).(string)
 		actorType, _ := ctx.Value(auth.ActorTypeKey{}).(string)
 		tenantID, _ := ctx.Value(auth.TenantIDKey{}).(string)
 		if tenantID == "" {
 			tenantID = authdomain.DefaultTenantID
 		}
 		if actorID != "" && actorType != "" {
 			at := domain.ActorType(actorType)
 			roles, rerr := h.Resolver.ListRoles(ctx, actorID, at, tenantID)
 			perms, perr := h.Resolver.EffectivePermissions(ctx, actorID, at, tenantID)
 			if rerr == nil && perr == nil {
 				roleIDs := make([]string, 0, len(roles))
 				hasAdmin := false
 				for _, role := range roles {
 					roleIDs = append(roleIDs, role.RoleID)
 					if role.RoleID == authdomain.RoleIDAdmin {
 						hasAdmin = true
 					}
 				}
 				permPayload := make([]map[string]interface{}, 0, len(perms))
 				for _, p := range perms {
 					entry := map[string]interface{}{
 						"permission": p.PermissionName,
 						"scope_type": string(p.ScopeType),
 					}
 					if p.ScopeID != nil {
 						entry["scope_id"] = *p.ScopeID
 					}
 					permPayload = append(permPayload, entry)
 				}
 				response["actor_id"] = actorID
 				response["actor_type"] = actorType
 				response["tenant_id"] = tenantID
 				response["roles"] = roleIDs
 				response["effective_permissions"] = permPayload
 				// Authoritative admin signal: the standing-roles list. The
 				// legacy `admin` boolean above is preserved for back-compat
 				// (in-handler IsAdmin for non-rbacGate routes), but the
 				// rbacGate-gated routes now key off effective_permissions.
 				response["admin_via_role"] = hasAdmin
 			}
 		}
 	}
 	JSON(w, http.StatusOK, response)
 }
@@ -9,7 +9,10 @@ import (
 	"testing"
 	"time"
-	"github.com/certctl-io/certctl/internal/api/middleware"
+	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
 	authdomain "github.com/certctl-io/certctl/internal/domain/auth"
 	"github.com/certctl-io/certctl/internal/repository"
 	_ "github.com/lib/pq" // Bundle-5 / H-006: postgres driver for /ready DB-probe regression test
 )
@@ -238,8 +241,8 @@ func TestAuthCheck_AdminCaller_ReportsAdminTrue(t *testing.T) {
 	handler := NewHealthHandler("api-key", nil)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/check", nil)
-	ctx := context.WithValue(req.Context(), middleware.AdminKey{}, true)
+	ctx := context.WithValue(req.Context(), auth.AdminKey{}, true)
-	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
+	ctx = context.WithValue(ctx, auth.UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
@@ -276,8 +279,8 @@ func TestAuthCheck_NonAdminCaller_ReportsAdminFalse(t *testing.T) {
 	handler := NewHealthHandler("api-key", nil)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/check", nil)
-	ctx := context.WithValue(req.Context(), middleware.AdminKey{}, false)
+	ctx := context.WithValue(req.Context(), auth.AdminKey{}, false)
-	ctx = context.WithValue(ctx, middleware.UserKey{}, "alice")
+	ctx = context.WithValue(ctx, auth.UserKey{}, "alice")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
@@ -338,6 +341,120 @@ func TestAuthCheck_NoAuthContext_DefaultsToEmptyUserAndFalseAdmin(t *testing.T)
 	}
 }
 // fakeAuthCheckResolver is a tiny in-memory stand-in for the postgres
 // ActorRoleRepository so the M1 enrichment can be tested without a DB.
 type fakeAuthCheckResolver struct {
 	roles []*authdomain.ActorRole
 	perms []repository.EffectivePermission
 	err   error
 }
 func (f fakeAuthCheckResolver) ListRoles(_ context.Context, _ string, _ domain.ActorType, _ string) ([]*authdomain.ActorRole, error) {
 	return f.roles, f.err
 }
 func (f fakeAuthCheckResolver) EffectivePermissions(_ context.Context, _ string, _ domain.ActorType, _ string) ([]repository.EffectivePermission, error) {
 	return f.perms, f.err
 }
 // TestAuthCheck_M1_ResolverEnrichesResponseWithRolesAndPerms is the
 // Bundle 1 Phase 3 closure (M1) regression: when HealthHandler.Resolver
 // is wired, the response includes actor_id / actor_type / tenant_id /
 // roles / effective_permissions / admin_via_role. The legacy `admin`
 // boolean is preserved for back-compat with pre-Bundle-1 GUIs.
 func TestAuthCheck_M1_ResolverEnrichesResponseWithRolesAndPerms(t *testing.T) {
 	handler := NewHealthHandler("api-key", nil)
 	scopeID := "profile-prod"
 	handler.Resolver = fakeAuthCheckResolver{
 		roles: []*authdomain.ActorRole{
 			{ActorID: "alice", RoleID: authdomain.RoleIDAdmin, TenantID: authdomain.DefaultTenantID},
 			{ActorID: "alice", RoleID: authdomain.RoleIDOperator, TenantID: authdomain.DefaultTenantID},
 		},
 		perms: []repository.EffectivePermission{
 			{PermissionName: "cert.bulk_revoke", ScopeType: authdomain.ScopeTypeGlobal},
 			{PermissionName: "cert.issue", ScopeType: authdomain.ScopeTypeProfile, ScopeID: &scopeID},
 		},
 	}
 	ctx := context.Background()
 	ctx = context.WithValue(ctx, auth.ActorIDKey{}, "alice")
 	ctx = context.WithValue(ctx, auth.ActorTypeKey{}, "APIKey")
 	ctx = context.WithValue(ctx, auth.TenantIDKey{}, "t-default")
 	ctx = context.WithValue(ctx, auth.UserKey{}, "alice")
 	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/check", nil).WithContext(ctx)
 	w := httptest.NewRecorder()
 	handler.AuthCheck(w, req)
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected status 200, got %d", w.Code)
 	}
 	var result map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
 		t.Fatalf("decode: %v", err)
 	}
 	if result["actor_id"] != "alice" {
 		t.Errorf("actor_id = %v, want alice", result["actor_id"])
 	}
 	if result["actor_type"] != "APIKey" {
 		t.Errorf("actor_type = %v, want APIKey", result["actor_type"])
 	}
 	if result["tenant_id"] != "t-default" {
 		t.Errorf("tenant_id = %v, want t-default", result["tenant_id"])
 	}
 	if result["admin_via_role"] != true {
 		t.Errorf("admin_via_role = %v, want true (alice holds r-admin)", result["admin_via_role"])
 	}
 	roles, ok := result["roles"].([]any)
 	if !ok || len(roles) != 2 {
 		t.Fatalf("roles = %v, want 2-element slice", result["roles"])
 	}
 	perms, ok := result["effective_permissions"].([]any)
 	if !ok || len(perms) != 2 {
 		t.Fatalf("effective_permissions = %v, want 2-element slice", result["effective_permissions"])
 	}
 	first := perms[0].(map[string]any)
 	if first["permission"] != "cert.bulk_revoke" || first["scope_type"] != "global" {
 		t.Errorf("perm[0] = %v, want cert.bulk_revoke/global", first)
 	}
 	second := perms[1].(map[string]any)
 	if second["permission"] != "cert.issue" || second["scope_type"] != "profile" || second["scope_id"] != "profile-prod" {
 		t.Errorf("perm[1] = %v, want cert.issue/profile/profile-prod", second)
 	}
 }
 // TestAuthCheck_M1_NilResolverPreservesLegacyShape pins backwards
 // compatibility: when no resolver is wired, the response keeps the
 // original {status, user, admin} contract that pre-Bundle-1 GUIs key
 // off. New keys (actor_id, roles, ...) must be absent.
 func TestAuthCheck_M1_NilResolverPreservesLegacyShape(t *testing.T) {
 	handler := NewHealthHandler("api-key", nil) // Resolver left nil
 	ctx := context.Background()
 	ctx = context.WithValue(ctx, auth.ActorIDKey{}, "alice")
 	ctx = context.WithValue(ctx, auth.ActorTypeKey{}, "APIKey")
 	ctx = context.WithValue(ctx, auth.UserKey{}, "alice")
 	ctx = context.WithValue(ctx, auth.AdminKey{}, true)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/check", nil).WithContext(ctx)
 	w := httptest.NewRecorder()
 	handler.AuthCheck(w, req)
 	var result map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
 		t.Fatalf("decode: %v", err)
 	}
 	for _, k := range []string{"actor_id", "actor_type", "tenant_id", "roles", "effective_permissions", "admin_via_role"} {
 		if _, present := result[k]; present {
 			t.Errorf("%s should be absent in legacy (nil resolver) response, got %v", k, result[k])
 		}
 	}
 	if result["admin"] != true || result["user"] != "alice" {
 		t.Errorf("legacy fields not preserved: admin=%v user=%v", result["admin"], result["user"])
 	}
 }
 // --- Bundle-5 / H-006: /ready DB-probe regression coverage ---
 // TestReady_DBPingSuccess_Returns200WithReachable confirms that when the
@@ -9,6 +9,7 @@ import (
 	"time"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/crypto/signer"
 	"github.com/certctl-io/certctl/internal/domain"
 	"github.com/certctl-io/certctl/internal/service"
@@ -36,12 +37,15 @@ type IntermediateCAServicer interface {
 // All routes are pinned at /api/v1/issuers/{id}/intermediates and
 // /api/v1/intermediates/{id}.
 //
-// Admin gate: every method calls middleware.IsAdmin first and surfaces
+// Bundle 1 Phase 3.5: the admin gate moved from in-handler auth.IsAdmin
-// HTTP 403 for non-admin Bearer callers (M-003 admin-gating pattern,
+// checks to router-level auth.RequirePermission middleware (rbacGate
-// matches AdminCRLCacheHandler / AdminESTHandler / AdminSCEPIntuneHandler).
+// wraps the handler with the ca.hierarchy.manage permission gate before
-// CA hierarchy management is a high-blast-radius surface — adding a
+// the handler body runs — non-admin Bearer callers get 403 from the
-// child CA mints a new sub-CA cert that becomes a trust root for every
+// middleware layer instead of from each handler method). CA hierarchy
-// downstream leaf. Operators expect this gated behind admin role.
+// management is a high-blast-radius surface — adding a child CA mints a
 // new sub-CA cert that becomes a trust root for every downstream leaf.
 // The router gate guarantees the only callers reaching this handler
 // hold the admin role at global scope.
 type IntermediateCAHandler struct {
 	svc IntermediateCAServicer
 }
@@ -111,10 +115,7 @@ func (h IntermediateCAHandler) Create(w http.ResponseWriter, r *http.Request) {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
-	if !middleware.IsAdmin(r.Context()) {
+	// Bundle 1 Phase 3.5: gate moved to router.go (RequirePermission middleware).
 		Error(w, http.StatusForbidden, "Admin access required")
 		return
 	}
 	requestID := middleware.GetRequestID(r.Context())
 	issuerID := r.PathValue("id")
@@ -122,7 +123,7 @@ func (h IntermediateCAHandler) Create(w http.ResponseWriter, r *http.Request) {
 		ErrorWithRequestID(w, http.StatusBadRequest, "issuer id required", requestID)
 		return
 	}
-	actor, _ := r.Context().Value(middleware.UserKey{}).(string)
+	actor, _ := r.Context().Value(auth.UserKey{}).(string)
 	if actor == "" {
 		ErrorWithRequestID(w, http.StatusUnauthorized,
 			"authentication required", requestID)
@@ -211,10 +212,7 @@ func (h IntermediateCAHandler) List(w http.ResponseWriter, r *http.Request) {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
-	if !middleware.IsAdmin(r.Context()) {
+	// Bundle 1 Phase 3.5: gate moved to router.go (RequirePermission middleware).
 		Error(w, http.StatusForbidden, "Admin access required")
 		return
 	}
 	requestID := middleware.GetRequestID(r.Context())
 	issuerID := r.PathValue("id")
@@ -237,10 +235,7 @@ func (h IntermediateCAHandler) Get(w http.ResponseWriter, r *http.Request) {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
-	if !middleware.IsAdmin(r.Context()) {
+	// Bundle 1 Phase 3.5: gate moved to router.go (RequirePermission middleware).
 		Error(w, http.StatusForbidden, "Admin access required")
 		return
 	}
 	requestID := middleware.GetRequestID(r.Context())
 	id := r.PathValue("id")
@@ -270,10 +265,7 @@ func (h IntermediateCAHandler) Retire(w http.ResponseWriter, r *http.Request) {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
-	if !middleware.IsAdmin(r.Context()) {
+	// Bundle 1 Phase 3.5: gate moved to router.go (RequirePermission middleware).
 		Error(w, http.StatusForbidden, "Admin access required")
 		return
 	}
 	requestID := middleware.GetRequestID(r.Context())
 	id := r.PathValue("id")
@@ -281,7 +273,7 @@ func (h IntermediateCAHandler) Retire(w http.ResponseWriter, r *http.Request) {
 		ErrorWithRequestID(w, http.StatusBadRequest, "id required", requestID)
 		return
 	}
-	actor, _ := r.Context().Value(middleware.UserKey{}).(string)
+	actor, _ := r.Context().Value(auth.UserKey{}).(string)
 	if actor == "" {
 		ErrorWithRequestID(w, http.StatusUnauthorized,
 			"authentication required", requestID)
@@ -16,7 +16,7 @@ import (
 	"testing"
 	"time"
-	"github.com/certctl-io/certctl/internal/api/middleware"
+	"github.com/certctl-io/certctl/internal/auth"
 	"github.com/certctl-io/certctl/internal/domain"
 	"github.com/certctl-io/certctl/internal/service"
 )
@@ -80,8 +80,8 @@ func (m *mockIntermediateCAService) LoadHierarchy(ctx context.Context, issuerID
 // authenticated user — the standard "admin caller" shape for these
 // tests.
 func withAdmin(actor string, admin bool) context.Context {
-	ctx := context.WithValue(context.Background(), middleware.UserKey{}, actor)
+	ctx := context.WithValue(context.Background(), auth.UserKey{}, actor)
-	ctx = context.WithValue(ctx, middleware.AdminKey{}, admin)
+	ctx = context.WithValue(ctx, auth.AdminKey{}, admin)
 	return ctx
 }
@@ -111,81 +111,12 @@ func helperRootCertPEM(t *testing.T) []byte {
 // authenticated one — must get HTTP 403 from every endpoint. CA
 // hierarchy management is a high-blast-radius surface; the gate is
 // non-negotiable. M-008 admin-gate triplet test #1.
 func TestIntermediateCA_Handler_NonAdmin_Returns403(t *testing.T) {
 	cases := []struct {
 		name     string
 		method   string
 		path     string
 		pathArgs map[string]string
 		invoke   func(h IntermediateCAHandler) http.HandlerFunc
 	}{
 		{
 			name:     "Create",
 			method:   http.MethodPost,
 			path:     "/api/v1/issuers/iss-1/intermediates",
 			pathArgs: map[string]string{"id": "iss-1"},
 			invoke:   func(h IntermediateCAHandler) http.HandlerFunc { return h.Create },
 		},
 		{
 			name:     "List",
 			method:   http.MethodGet,
 			path:     "/api/v1/issuers/iss-1/intermediates",
 			pathArgs: map[string]string{"id": "iss-1"},
 			invoke:   func(h IntermediateCAHandler) http.HandlerFunc { return h.List },
 		},
 		{
 			name:     "Get",
 			method:   http.MethodGet,
 			path:     "/api/v1/intermediates/ica-1",
 			pathArgs: map[string]string{"id": "ica-1"},
 			invoke:   func(h IntermediateCAHandler) http.HandlerFunc { return h.Get },
 		},
 		{
 			name:     "Retire",
 			method:   http.MethodPost,
 			path:     "/api/v1/intermediates/ica-1/retire",
 			pathArgs: map[string]string{"id": "ica-1"},
 			invoke:   func(h IntermediateCAHandler) http.HandlerFunc { return h.Retire },
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			h := NewIntermediateCAHandler(&mockIntermediateCAService{})
 			req := httptest.NewRequest(tc.method, tc.path, bytes.NewReader([]byte("{}")))
 			for k, v := range tc.pathArgs {
 				req.SetPathValue(k, v)
 			}
 			// Authenticated user but admin=false.
 			req = req.WithContext(withAdmin("alice", false))
 			w := httptest.NewRecorder()
 			tc.invoke(h)(w, req)
 			if w.Code != http.StatusForbidden {
 				t.Fatalf("%s: expected 403 for non-admin, got %d body=%s", tc.name, w.Code, w.Body.String())
 			}
 		})
 	}
 }
 // TestIntermediateCA_Handler_AdminExplicitFalse_Returns403 pins the
 // "AdminKey present but false" path — distinct from the
 // AdminKey-absent path. Without this distinction a regression that
 // reads AdminKey as "presence implies admin" would slip past the
 // non-admin check. M-008 admin-gate triplet test #2.
 func TestIntermediateCA_Handler_AdminExplicitFalse_Returns403(t *testing.T) {
 	h := NewIntermediateCAHandler(&mockIntermediateCAService{})
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/issuers/iss-1/intermediates",
 		bytes.NewReader([]byte(`{"name":"r"}`)))
 	req.SetPathValue("id", "iss-1")
 	// AdminKey explicitly set to false — distinct from missing key.
 	ctx := context.WithValue(context.Background(), middleware.UserKey{}, "alice")
 	ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.Create(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected 403 for AdminKey=false, got %d", w.Code)
 	}
 }
 // TestIntermediateCA_Handler_AdminPermitted_ForwardsActor pins the
 // admin-allowed actor-attribution path. An admin caller's actor
@@ -14,19 +14,19 @@ import (
 //
 // The audit's request is "Admin-gated operation role-gate test coverage
 // needs verification". Verified-already-clean recon: only one handler
-// in internal/api/handler/ calls middleware.IsAdmin to gate access:
+// in internal/api/handler/ calls auth.IsAdmin to gate access:
 // bulk_revocation.go — which has 3 dedicated tests
 // (NonAdmin_Returns403, AdminExplicitFalse_Returns403,
 // AdminPermitted_ForwardsActor) covering all three branches.
 //
 // This test enforces the invariant going forward by walking every
-// .go file in this package, finding every middleware.IsAdmin call
+// .go file in this package, finding every auth.IsAdmin call
 // site, and asserting the file appears in AdminGatedHandlers below.
-// Adding a new middleware.IsAdmin call without updating the constant
+// Adding a new auth.IsAdmin call without updating the constant
 // AND adding a parallel test triplet fails CI.
 // AdminGatedHandlers is the documented allowlist of handler files that
-// gate access on middleware.IsAdmin. Every entry MUST have:
+// gate access on auth.IsAdmin. Every entry MUST have:
 //   - a non-admin-rejection test ("_NonAdmin_Returns403")
 //   - an explicit-false-admin-rejection test ("_AdminExplicitFalse_Returns403")
 //   - an admin-allowed actor-attribution test ("_AdminPermitted_ForwardsActor")
@@ -34,16 +34,18 @@ import (
 // Keys are the handler filenames; values are short descriptions of why
 // the gate exists. health.go is an INFORMATIONAL caller of IsAdmin (it
 // surfaces the flag to the GUI but does not gate) — explicitly excluded.
-var AdminGatedHandlers = map[string]string{
+// Bundle 1 Phase 3.5: the five legacy admin-gated handlers
-	"bulk_revocation.go":   "M-003: bulk revocation is fleet-scale destructive — admin-only",
+// (bulk_revocation, admin_crl_cache, admin_scep_intune, admin_est,
-	"admin_crl_cache.go":   "CRL/OCSP-Responder Phase 5: cache state reveals issuer set + CRL cadence — admin-only",
+// intermediate_ca) had their in-body auth.IsAdmin checks removed and
-	"admin_scep_intune.go": "SCEP RFC 8894 + Intune master bundle Phase 9.2 + Phase 9 follow-up: profiles + stats endpoints reveal per-profile RA cert expiries + Intune trust anchor expiries + mTLS bundle paths; reload-trust is a privileged action — admin-only",
+// the gate moved to router.go via auth.RequirePermission middleware.
-	"admin_est.go":         "EST RFC 7030 hardening master bundle Phase 7.2: profiles endpoint reveals per-profile counter snapshot + mTLS trust-anchor expiries + auth modes; reload-trust is a privileged action — admin-only",
+// AdminGatedHandlers is now empty; the only legitimate auth.IsAdmin
-	"intermediate_ca.go":   "Rank 8: CA hierarchy management mints sub-CA certs that become trust roots for every downstream leaf — admin-only fleet-scale destructive surface",
+// call site in this package is health.go (informational, surfaces the
-}
+// admin flag to the GUI but doesn't gate). New routes should not add
 // in-handler auth.IsAdmin checks; gate at the router level instead.
 var AdminGatedHandlers = map[string]string{}
 // InformationalIsAdminCallers is the documented allowlist of files that
-// call middleware.IsAdmin without using the result to gate access. The
+// call auth.IsAdmin without using the result to gate access. The
 // only legitimate use of an informational call is reporting the flag to
 // a downstream consumer (e.g. health.go::AuthCheck reports admin to the
 // GUI so it can hide admin-only buttons).
@@ -64,15 +66,13 @@ func TestM008_AdminGatedHandlers_PinExpectedSet(t *testing.T) {
 	if !slicesEqual008(actual, expected) {
 		t.Errorf(
-			"middleware.IsAdmin call sites changed:\n"+
+			"auth.IsAdmin call sites changed:\n"+
 				"  actual:   %v\n"+
 				"  expected: %v\n"+
 				"\n"+
-				"If you added a new admin gate, append it to AdminGatedHandlers AND\n"+
+				"Bundle 1 Phase 3.5 removed in-handler auth.IsAdmin checks; new\n"+
-				"add the 3-test triplet (_NonAdmin_Returns403 / _AdminExplicitFalse_Returns403 /\n"+
+				"admin-gated routes wrap at the router level via\n"+
-				"_AdminPermitted_ForwardsActor) — see bulk_revocation_handler_test.go for\n"+
+				"auth.RequirePermission middleware (see router.go::rbacGate).\n"+
 				"the template.\n"+
 				"\n"+
 				"If you added an informational caller (no gating), append to\n"+
 				"InformationalIsAdminCallers with a justification.",
 			actual, expected)
@@ -143,10 +143,10 @@ func scanIsAdminCallers(dir string) ([]string, error) {
 		if parseErr != nil {
 			continue
 		}
-		// Substring-match middleware.IsAdmin — cheap and sufficient
+		// Substring-match auth.IsAdmin — cheap and sufficient
 		// because the import path is fixed and there's no aliasing
 		// shenanigans elsewhere in this package.
-		if strings.Contains(string(body), "middleware.IsAdmin(") {
+		if strings.Contains(string(body), "auth.IsAdmin(") {
 			out = append(out, name)
 		}
 	}
@@ -0,0 +1,140 @@
 package handler
 import (
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	oidcsvc "github.com/certctl-io/certctl/internal/auth/oidc"
 	sessiondomain "github.com/certctl-io/certctl/internal/auth/session/domain"
 )
 // Audit 2026-05-10 HIGH-7 regression matrix — pin every classified
 // failure category to its post-redirect query reason. Pre-fix, every
 // failure surfaced as "OIDC login failed" with status 400 and no
 // machine-readable hint; the LoginPage couldn't tell idle-timeout
 // from email-domain rejection from PKCE breakage. Post-fix, the
 // handler 302-redirects to /login?error=oidc_failed&reason=<cat>
 // where the GUI renders an operator-friendly cause.
 func TestLoginCallback_RedirectsWithReason_AllCategories(t *testing.T) {
 	cases := []struct {
 		name       string
 		err        error
 		wantReason string
 	}{
 		{
 			name:       "pre_login_consume_failed",
 			err:        oidcsvc.ErrPreLoginNotFound,
 			wantReason: "pre_login_consume_failed",
 		},
 		{
 			name:       "state_mismatch",
 			err:        errors.New("state mismatch"),
 			wantReason: "state_mismatch",
 		},
 		{
 			name:       "nonce_mismatch",
 			err:        errors.New("nonce mismatch"),
 			wantReason: "nonce_mismatch",
 		},
 		{
 			name:       "audience_mismatch",
 			err:        errors.New("audience mismatch"),
 			wantReason: "audience_mismatch",
 		},
 		{
 			name:       "token_expired",
 			err:        errors.New("token expired"),
 			wantReason: "token_expired",
 		},
 		{
 			name:       "azp_mismatch",
 			err:        errors.New("azp does not match"),
 			wantReason: "azp_mismatch",
 		},
 		{
 			name:       "at_hash_mismatch",
 			err:        errors.New("at_hash mismatch"),
 			wantReason: "at_hash_mismatch",
 		},
 		{
 			name:       "iat_window",
 			err:        errors.New("iat outside window"),
 			wantReason: "iat_window",
 		},
 		{
 			name:       "alg_rejected",
 			err:        errors.New("alg not in allowlist"),
 			wantReason: "alg_rejected",
 		},
 		{
 			name:       "unmapped_groups",
 			err:        oidcsvc.ErrGroupsUnmapped,
 			wantReason: "unmapped_groups",
 		},
 		{
 			name:       "groups_missing",
 			err:        errors.New("groups missing"),
 			wantReason: "groups_missing",
 		},
 		{
 			name:       "jwks_unreachable",
 			err:        errors.New("jwks fetch failed"),
 			wantReason: "jwks_unreachable",
 		},
 		// HIGH-7 added these three categories so CRIT-5 (email domain)
 		// and PKCE failures get distinguishable GUI rendering.
 		{
 			name:       "email_domain_not_allowed",
 			err:        errors.New("email domain not in allowlist"),
 			wantReason: "email_domain_not_allowed",
 		},
 		{
 			name:       "email_missing_but_required",
 			err:        errors.New("provider requires email but token has none"),
 			wantReason: "email_missing_but_required",
 		},
 		{
 			name:       "pkce_invalid",
 			err:        errors.New("pkce verifier mismatch"),
 			wantReason: "pkce_invalid",
 		},
 		{
 			name:       "unspecified_fallback",
 			err:        errors.New("totally unrecognized error"),
 			wantReason: "unspecified",
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			o := &stubOIDCSvc{callbackErr: tc.err}
 			h, _, _, _, audit, _ := newPhase5Handler(t, o, &stubSession{}, &stubBCLVerifier{})
 			req := httptest.NewRequest(http.MethodGet,
 				"/auth/oidc/callback?code=abc&state=xyz", nil)
 			req.AddCookie(&http.Cookie{
 				Name:  sessiondomain.PreLoginCookieName,
 				Value: "v1.pl-abc.sk-xyz.mac",
 			})
 			w := httptest.NewRecorder()
 			h.LoginCallback(w, req)
 			if w.Code != http.StatusFound {
 				t.Fatalf("status = %d; want 302", w.Code)
 			}
 			loc := w.Header().Get("Location")
 			wantPrefix := "/login?error=oidc_failed&reason=" + tc.wantReason
 			if !strings.HasPrefix(loc, wantPrefix) {
 				t.Errorf("Location = %q; want prefix %q", loc, wantPrefix)
 			}
 			// The audit row must still record the failure_category for
 			// server-side observability — that's the load-bearing leg
 			// of the HIGH-7 fix (audit retention is not narrowed by the
 			// GUI redirect).
 			if !contains(audit.events, "auth.oidc_login_failed") {
 				t.Errorf("expected auth.oidc_login_failed audit event; got %v", audit.events)
 			}
 		})
 	}
 }
@@ -4,13 +4,14 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
 	"github.com/certctl-io/certctl/internal/repository"
 	"net/http"
 	"strconv"
 	"strings"
 	"github.com/certctl-io/certctl/internal/api/middleware"
 	"github.com/certctl-io/certctl/internal/domain"
 	"github.com/certctl-io/certctl/internal/repository"
 	"github.com/certctl-io/certctl/internal/service"
 )
 // ProfileService defines the service interface for certificate profile operations.
@@ -164,6 +165,24 @@ func (h ProfileHandler) UpdateProfile(w http.ResponseWriter, r *http.Request) {
 	updated, err := h.svc.UpdateProfile(r.Context(), id, profile)
 	if err != nil {
 		// Bundle 1 Phase 9: a profile with RequiresApproval=true (or
 		// an edit that would set it true) routes through the approval
 		// workflow. The service returns ErrProfileEditPendingApproval
 		// wrapped with the new approval ID; surface 202 Accepted +
 		// pending_approval_id so the operator knows to chase a
 		// non-requester admin to approve via /v1/approvals/{id}/approve.
 		if errors.Is(err, service.ErrProfileEditPendingApproval) {
 			approvalID := ""
 			if msg := err.Error(); strings.Contains(msg, "approval=") {
 				approvalID = msg[strings.Index(msg, "approval=")+len("approval="):]
 			}
 			JSON(w, http.StatusAccepted, map[string]interface{}{
 				"status":              "pending_approval",
 				"pending_approval_id": approvalID,
 				"message":             "profile edit requires approval (see /v1/approvals/{id}/approve)",
 			})
 			return
 		}
 		if errors.Is(err, repository.ErrNotFound) {
 			ErrorWithRequestID(w, http.StatusNotFound, "Profile not found", requestID)
 			return
@@ -9,7 +9,7 @@ import (
 	"strings"
 	"time"
-	"github.com/certctl-io/certctl/internal/api/middleware"
+	"github.com/certctl-io/certctl/internal/auth"
 )
 // resolveActor extracts the authenticated named-key identity from the request
@@ -23,7 +23,7 @@ import (
 // or "api" — always go through this helper so the named-key identity flows to
 // services and the audit trail.
 func resolveActor(ctx context.Context) string {
-	if user := middleware.GetUser(ctx); user != "" {
+	if user := auth.GetUser(ctx); user != "" {
 		return user
 	}
 	return "api"
@@ -86,7 +86,7 @@ type VersionInfo struct {
 	BuildTime string `json:"build_time"`
 	// GoVersion is the Go toolchain version that compiled the binary
-	// (runtime.Version, e.g. "go1.25.9"). Useful when triaging stdlib
+	// (runtime.Version, e.g. "go1.25.10"). Useful when triaging stdlib
 	// behavior differences ("the deploy that broke was on 1.24, this one
 	// is on 1.25").
 	GoVersion string `json:"go_version"`
@@ -12,6 +12,8 @@ import (
 	"strings"
 	"sync"
 	"time"
 	"github.com/certctl-io/certctl/internal/auth"
 )
 // AuditRecorder is the interface that the audit middleware uses to record API calls.
@@ -107,7 +109,15 @@ func (a *AuditMiddleware) Middleware(next http.Handler) http.Handler {
 			body, err := io.ReadAll(r.Body)
 			if err == nil && len(body) > 0 {
 				hasher.Write(body)
-				bodyHash = hex.EncodeToString(hasher.Sum(nil))[:16] // truncated hash
+				// Audit 2026-05-10 MED-15 closure — emit the full
 				// 64-hex-char SHA-256 hash instead of the prior
 				// [:16] truncation. The audit_events schema column
 				// is CHAR(64); the truncation was a residual from
 				// an earlier prototype with no integrity-collision
 				// margin (16 hex chars = 64 bits, well within
 				// brute-force reach for an attacker tampering with
 				// audit payloads to coincide with the same prefix).
 				bodyHash = hex.EncodeToString(hasher.Sum(nil))
 				// Restore the body for downstream handlers
 				r.Body = io.NopCloser(strings.NewReader(string(body)))
 			}
@@ -115,7 +125,7 @@ func (a *AuditMiddleware) Middleware(next http.Handler) http.Handler {
 		// Extract actor from auth context
 		actor := "anonymous"
-		if user := GetUser(r.Context()); user != "" {
+		if user := auth.GetUser(r.Context()); user != "" {
 			actor = user
 		}
@@ -11,6 +11,8 @@ import (
 	"sync"
 	"testing"
 	"time"
 	"github.com/certctl-io/certctl/internal/auth"
 )
 // mockAuditRecorder captures RecordAPICall invocations for testing.
@@ -226,9 +228,13 @@ func TestAuditLog_HashesRequestBody(t *testing.T) {
 	if len(calls) != 1 {
 		t.Fatalf("expected 1 audit call, got %d", len(calls))
 	}
-	// Body hash should be a 16-char hex string (truncated SHA-256)
+	// Audit 2026-05-10 MED-15 closure — body hash is now the full
-	if len(calls[0].BodyHash) != 16 {
+	// 64-char hex SHA-256 (was [:16] truncated). The body_hash schema
-		t.Errorf("expected 16-char body hash, got %q (len=%d)", calls[0].BodyHash, len(calls[0].BodyHash))
+	// column is CHAR(64); the truncation was an integrity-collision
 	// hole that allowed an attacker to craft tampered audit payloads
 	// matching the 16-hex prefix.
 	if len(calls[0].BodyHash) != 64 {
 		t.Errorf("expected 64-char SHA-256 body hash, got %q (len=%d)", calls[0].BodyHash, len(calls[0].BodyHash))
 	}
 	if calls[0].Status != 201 {
 		t.Errorf("expected status 201, got %d", calls[0].Status)
@@ -271,7 +277,7 @@ func TestAuditLog_ExtractsAuthenticatedActor(t *testing.T) {
 	req := httptest.NewRequest(http.MethodDelete, "/api/v1/certificates/mc-1", nil)
 	// Simulate auth middleware having set the named-key identity in context
 	// (post-M-002: actor is the named-key name, not the old "api-key-user").
-	ctx := context.WithValue(req.Context(), UserKey{}, "ops-admin")
+	ctx := context.WithValue(req.Context(), auth.UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 	rr := httptest.NewRecorder()
@@ -2,9 +2,6 @@ package middleware
 import (
 	"context"
 	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/hex"
 	"fmt"
 	"log"
 	"log/slog"
@@ -14,24 +11,22 @@ import (
 	"time"
 	"github.com/google/uuid"
 	"github.com/certctl-io/certctl/internal/auth"
 )
 // Bundle 1 / Phase 0: the auth surface (NamedAPIKey, HashAPIKey, AuthConfig,
 // NewAuthWithNamedKeys, NewAuth, UserKey, AdminKey, GetUser, IsAdmin) moved
 // to internal/auth/. The rate limiter below still keys per-user via
 // auth.GetUser(ctx); other middlewares in this package are auth-agnostic.
 //
 // Existing callers continue to import internal/auth/middleware "as
 // middleware" only for the non-auth helpers below; auth-related references
 // have been migrated to the new package.
 // RequestIDKey is the context key for storing request IDs.
 type RequestIDKey struct{}
 // UserKey is the context key for storing authenticated user information.
 type UserKey struct{}
 // AdminKey is the context key for storing admin flag information.
 type AdminKey struct{}
 // NamedAPIKey represents a named API key with optional admin flag.
 type NamedAPIKey struct {
 	Name  string
 	Key   string
 	Admin bool
 }
 // RequestID middleware generates a unique request ID and adds it to the request context and response headers.
 func RequestID(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -46,7 +41,7 @@ func RequestID(next http.Handler) http.Handler {
 // Deprecated: Use NewLogging for structured logging with slog.
 //
 // CWE-117 log-injection defense: r.Method and r.URL.Path are
-// attacker-controllable (request-line bytes — Go's net/http leaves
+// attacker-controllable (request-line bytes; Go's net/http leaves
 // percent-decoded path segments in r.URL.Path, which can include CR/LF
 // in the decoded form even though the raw HTTP request line cannot).
 // strings.ReplaceAll on CR/LF/NUL strips the forgery vector before the
@@ -54,7 +49,7 @@ func RequestID(next http.Handler) http.Handler {
 //
 // The replacement is intentionally inlined at the call site (literal
 // strings.ReplaceAll chains) because CodeQL's go/log-injection
-// taint tracker only recognizes that exact pattern as a sanitizer —
+// taint tracker only recognizes that exact pattern as a sanitizer;
 // strings.NewReplacer / wrapper helpers don't trigger the recognition,
 // reopening the alert. The OWASP example in the CodeQL rule docs uses
 // the same pattern.
@@ -71,7 +66,7 @@ func Logging(next http.Handler) http.Handler {
 		requestID := getRequestID(r.Context())
 		// Strip CR/LF/NUL from attacker-controllable request fields
-		// before logging. Inlined per CodeQL #32 — the ReplaceAll
+		// before logging. Inlined per CodeQL #32; the ReplaceAll
 		// chain is the pattern the analyzer pattern-matches as a
 		// sanitizer.
 		method := strings.ReplaceAll(r.Method, "\n", "")
@@ -133,143 +128,11 @@ func Recovery(next http.Handler) http.Handler {
 	})
 }
 // HashAPIKey computes the SHA-256 hash of an API key for secure storage.
 // We use SHA-256 rather than bcrypt because API keys are high-entropy
 // random strings (not user-chosen passwords), so rainbow tables and
 // brute-force attacks are not a practical concern.
 func HashAPIKey(key string) string {
 	h := sha256.Sum256([]byte(key))
 	return hex.EncodeToString(h[:])
 }
 // AuthConfig holds configuration for the Auth middleware.
 //
 // G-1 (P1): valid Type values are "api-key" or "none" only. "jwt" was
 // removed because no JWT middleware ships with certctl (silent auth
 // downgrade pre-G-1). The single source of truth for the allowed set
 // lives at internal/config.AuthType / config.ValidAuthTypes() — prefer
 // those constants over string literals when comparing.
 type AuthConfig struct {
 	Type   string // "api-key" or "none" (see config.AuthType constants)
 	Secret string // The raw API key or comma-separated list of valid API keys
 }
 // NewAuthWithNamedKeys creates an authentication middleware that validates
 // Bearer tokens against a set of named API keys. Each key carries a name
 // (propagated as the actor via context) and an admin flag (consulted by
 // authorization gates such as bulk revocation).
 //
 // When namedKeys is empty the returned middleware is a no-op pass-through,
 // which is used in demo/development mode (CERTCTL_AUTH_TYPE=none). When one
 // or more keys are provided, requests must include a matching Bearer token
 // or they are rejected with 401.
 func NewAuthWithNamedKeys(namedKeys []NamedAPIKey) func(http.Handler) http.Handler {
 	if len(namedKeys) == 0 {
 		return func(next http.Handler) http.Handler {
 			return next
 		}
 	}
 	// Pre-compute hashes of all valid keys for constant-time comparison.
 	type keyEntry struct {
 		hash  string
 		name  string
 		admin bool
 	}
 	var entries []keyEntry
 	for _, nk := range namedKeys {
 		entries = append(entries, keyEntry{
 			hash:  HashAPIKey(nk.Key),
 			name:  nk.Name,
 			admin: nk.Admin,
 		})
 	}
 	// Warn if only one key is configured in production mode
 	if len(entries) == 1 {
 		slog.Warn("only one API key configured — consider adding a rotation key for zero-downtime rotation")
 	}
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			authHeader := r.Header.Get("Authorization")
 			if authHeader == "" {
 				w.Header().Set("Content-Type", "application/json; charset=utf-8")
 				w.Header().Set("WWW-Authenticate", `Bearer realm="certctl"`)
 				http.Error(w, `{"error":"Authorization header required"}`, http.StatusUnauthorized)
 				return
 			}
 			// Extract Bearer token
 			if len(authHeader) < 8 || authHeader[:7] != "Bearer " {
 				w.Header().Set("Content-Type", "application/json; charset=utf-8")
 				http.Error(w, `{"error":"Invalid Authorization header format, expected: Bearer <token>"}`, http.StatusUnauthorized)
 				return
 			}
 			token := authHeader[7:]
 			tokenHash := HashAPIKey(token)
 			// Check against all valid keys using constant-time comparison
 			var matched *keyEntry
 			for i := range entries {
 				if subtle.ConstantTimeCompare([]byte(tokenHash), []byte(entries[i].hash)) == 1 {
 					matched = &entries[i]
 					break
 				}
 			}
 			if matched == nil {
 				w.Header().Set("Content-Type", "application/json; charset=utf-8")
 				http.Error(w, `{"error":"Invalid API key"}`, http.StatusUnauthorized)
 				return
 			}
 			// Store the authenticated identity and admin flag in context
 			ctx := context.WithValue(r.Context(), UserKey{}, matched.name)
 			ctx = context.WithValue(ctx, AdminKey{}, matched.admin)
 			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }
 // NewAuth is a legacy shim that converts a comma-separated Secret list into
 // synthesized legacy-key-N named entries and delegates to NewAuthWithNamedKeys.
 // It preserves the pre-M-002 behavior for callers that still pass raw AuthConfig
 // (primarily cmd/server/main_test.go). The synthesized actor is "legacy-key-N"
 // rather than the old hardcoded "api-key-user" so audit events carry
 // meaningful identity even on the legacy path.
 //
 // Deprecated: Use NewAuthWithNamedKeys with explicit NamedAPIKey entries.
 func NewAuth(cfg AuthConfig) func(http.Handler) http.Handler {
 	if cfg.Type == "none" {
 		return func(next http.Handler) http.Handler {
 			return next
 		}
 	}
 	var namedKeys []NamedAPIKey
 	idx := 0
 	for _, k := range strings.Split(cfg.Secret, ",") {
 		k = strings.TrimSpace(k)
 		if k == "" {
 			continue
 		}
 		namedKeys = append(namedKeys, NamedAPIKey{
 			Name:  fmt.Sprintf("legacy-key-%d", idx),
 			Key:   k,
 			Admin: false,
 		})
 		idx++
 	}
 	return NewAuthWithNamedKeys(namedKeys)
 }
 // RateLimitConfig holds configuration for the rate limiter.
 //
 // Bundle B / Audit M-025 (OWASP ASVS L2 §11.2.1) extends this with per-user
 // and per-IP keying. The historic RPS / BurstSize fields are preserved for
-// source compatibility — they now describe the per-key budget rather than
+// source compatibility; they now describe the per-key budget rather than
 // the global budget. PerUserRPS / PerUserBurstSize, when non-zero, override
 // RPS / BurstSize for authenticated callers; the IP-keyed fallback
 // continues to use RPS / BurstSize so unauthenticated callers don't get
@@ -278,8 +141,9 @@ type RateLimitConfig struct {
 	RPS       float64 // Tokens per second per key (default applies to IP-keyed buckets)
 	BurstSize int     // Max tokens per key (default applies to IP-keyed buckets)
-	// PerUserRPS overrides RPS for authenticated callers (keyed by UserKey
+	// PerUserRPS overrides RPS for authenticated callers (keyed by
-	// in context). Zero means "use RPS as the authenticated budget too".
+	// auth.UserKey in context). Zero means "use RPS as the authenticated
 	// budget too".
 	PerUserRPS float64
 	// PerUserBurstSize overrides BurstSize for authenticated callers.
@@ -295,11 +159,11 @@ type RateLimitConfig struct {
 // authenticated user and each unauthenticated IP gets its own bucket. Keys
 // are computed per request:
 //
-//   - Authenticated: "user:" + middleware.GetUser(ctx)
+//   - Authenticated: "user:" + auth.GetUser(ctx)
 //   - Unauthenticated: "ip:" + r.RemoteAddr's host portion
 //
 // The bucket map is sync.RWMutex-guarded; create-on-demand for new keys.
-// There is no eviction — for a long-running server with millions of unique
+// There is no eviction; for a long-running server with millions of unique
 // IPs this can leak memory. A future enhancement is per-key TTL via a
 // lazy sweeper. For now the leak is bounded by realistic operator IP
 // fan-out and is acceptable per OWASP ASVS L2 (the threat model is abuse
@@ -339,9 +203,9 @@ func NewRateLimiter(cfg RateLimitConfig) func(http.Handler) http.Handler {
 // rateLimitKey computes the per-request bucket key. Authenticated callers
 // get a "user:<name>" key derived from the UserKey context value populated
-// by NewAuthWithNamedKeys; everyone else falls back to "ip:<host>" parsed
+// by auth.NewAuthWithNamedKeys; everyone else falls back to "ip:<host>"
-// from r.RemoteAddr (X-Forwarded-For is intentionally NOT consulted here
+// parsed from r.RemoteAddr (X-Forwarded-For is intentionally NOT consulted
-// — operators behind a trusted proxy must configure that proxy to set
+// here; operators behind a trusted proxy must configure that proxy to set
 // RemoteAddr correctly, or the rate limiter would be trivially bypassable
 // by spoofing the header).
 //
@@ -349,7 +213,7 @@ func NewRateLimiter(cfg RateLimitConfig) func(http.Handler) http.Handler {
 // unauthenticated so a misconfigured auth middleware doesn't grant the
 // same bucket to every anonymous request.
 func rateLimitKey(r *http.Request) (string, bool) {
-	if user := GetUser(r.Context()); user != "" {
+	if user := auth.GetUser(r.Context()); user != "" {
 		return "user:" + user, true
 	}
 	host := r.RemoteAddr
@@ -463,7 +327,7 @@ func NewCORS(cfg CORSConfig) func(http.Handler) http.Handler {
 			// Security default: deny CORS when no origins are configured.
 			// This prevents CSRF attacks from arbitrary origins.
 			if len(cfg.AllowedOrigins) == 0 {
-				// No CORS headers set — only same-origin requests can read response
+				// No CORS headers set; only same-origin requests can read response
 				if r.Method == http.MethodOptions {
 					w.WriteHeader(http.StatusNoContent)
 					return
@@ -507,9 +371,25 @@ func ContentType(next http.Handler) http.Handler {
 	})
 }
-// CORS middleware adds CORS headers to allow cross-origin requests.
+// CORSWildcard emits Access-Control-Allow-Origin: * unconditionally. ONLY use
-// Deprecated: Use NewCORS for configurable origins. Kept for health endpoints.
+// for endpoints that (a) carry no credentials and (b) must be reachable from
-func CORS(next http.Handler) http.Handler {
+// any origin (e.g. K8s/Docker health probes, Prometheus scrapers, the GUI's
 // pre-login auth-info probe). Every call site MUST appear in
 // scripts/ci-guards/cors-wildcard-allowlist.sh — adding a new call site
 // without listing it in the allowlist fails CI.
 //
 // For credentialed endpoints (sessions, OIDC handshake, BCL, bootstrap,
 // breakglass-login, every /api/v1/* mutation route) use
 // middleware.NewCORS(corsCfg) which honors CERTCTL_CORS_ORIGINS and emits
 // per-origin headers (with Vary: Origin for cache correctness).
 //
 // History: this function was named `CORS` pre-2026-05-10 and was applied as
 // the default CORS middleware on the OIDC handshake, BCL, logout, bootstrap,
 // and breakglass-login routes — CRIT-3 of the 2026-05-10 audit
 // (cowork/auth-bundles-audit-2026-05-10.md). The fix narrowed those call
 // sites to NewCORS(corsCfg) and renamed the wildcard form to make the
 // security tradeoff explicit at every remaining call site.
 func CORSWildcard(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Access-Control-Allow-Origin", "*")
 		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
@@ -538,23 +418,6 @@ func getRequestID(ctx context.Context) string {
 	return id
 }
 // GetUser extracts the authenticated user from context.
 // Returns the name of the matched API key and whether it was found.
 func GetUser(ctx context.Context) string {
 	user, ok := ctx.Value(UserKey{}).(string)
 	if !ok {
 		return ""
 	}
 	return user
 }
 // IsAdmin extracts the admin flag from context.
 // Returns true if the authenticated user has admin privileges.
 func IsAdmin(ctx context.Context) bool {
 	admin, ok := ctx.Value(AdminKey{}).(bool)
 	return ok && admin
 }
 // responseWriter wraps http.ResponseWriter to capture the status code.
 type responseWriter struct {
 	http.ResponseWriter
@@ -5,6 +5,8 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/certctl-io/certctl/internal/auth"
 )
 // Bundle B / Audit M-025 (OWASP ASVS L2 §11.2.1): per-key rate-limiter
@@ -61,7 +63,7 @@ func TestRateLimiter_M025_SameUserDifferentIPsShareBucket(t *testing.T) {
 	mkReq := func(remote string) *http.Request {
 		req := httptest.NewRequest(http.MethodGet, "/", nil)
 		req.RemoteAddr = remote
-		ctx := context.WithValue(req.Context(), UserKey{}, "alice")
+		ctx := context.WithValue(req.Context(), auth.UserKey{}, "alice")
 		return req.WithContext(ctx)
 	}
@@ -88,7 +90,7 @@ func TestRateLimiter_M025_TwoUsersHaveIndependentBuckets(t *testing.T) {
 	mkReq := func(user string) *http.Request {
 		req := httptest.NewRequest(http.MethodGet, "/", nil)
 		req.RemoteAddr = "10.0.0.1:54321"
-		ctx := context.WithValue(req.Context(), UserKey{}, user)
+		ctx := context.WithValue(req.Context(), auth.UserKey{}, user)
 		return req.WithContext(ctx)
 	}
@@ -145,7 +147,7 @@ func TestRateLimiter_M025_PerUserBudgetOverride(t *testing.T) {
 	userReq := func() *http.Request {
 		req := httptest.NewRequest(http.MethodGet, "/", nil)
 		req.RemoteAddr = "10.0.0.42:54321"
-		ctx := context.WithValue(req.Context(), UserKey{}, "carol")
+		ctx := context.WithValue(req.Context(), auth.UserKey{}, "carol")
 		return req.WithContext(ctx)
 	}
 	for i := 1; i <= 5; i++ {
@@ -171,7 +173,7 @@ func TestRateLimiter_M025_EmptyUserKeyTreatedAsAnonymous(t *testing.T) {
 	mkReq := func(remote string) *http.Request {
 		req := httptest.NewRequest(http.MethodGet, "/", nil)
 		req.RemoteAddr = remote
-		ctx := context.WithValue(req.Context(), UserKey{}, "")
+		ctx := context.WithValue(req.Context(), auth.UserKey{}, "")
 		return req.WithContext(ctx)
 	}
@@ -92,6 +92,103 @@ var SpecParityExceptions = map[string]string{
 	"POST /acme/key-change":                         "Phase 4 default-profile shorthand for key rollover.",
 	"POST /acme/revoke-cert":                        "Phase 4 default-profile shorthand for revoke-cert.",
 	"GET /acme/renewal-info/{cert_id}":              "Phase 4 default-profile shorthand for ARI.",
 	// Bundle 1 / Phase 4 RBAC API: shipped with full OpenAPI schema in
 	// the Phase 0-5 closure commit. The 11 routes (auth/me + permissions
 	// catalogue + 5 role-lifecycle + 2 role-permission grant/revoke + 2
 	// actor-role grant/revoke) live in api/openapi.yaml under tag
 	// `[Auth]`. Shared shapes: AuthRole + AuthRolePermission in the
 	// schemas section. AuthCheck (Bundle 1 M1) now returns the same
 	// effective_permissions + roles fields as auth/me on the boot path.
 	// Auth Bundle 2 Phase 5 — OIDC + session HTTP surface (13 routes).
 	// The `cookieAuth` security scheme is documented in api/openapi.yaml
 	// under components.securitySchemes (load-bearing — the post-Phase-6
 	// session middleware consumes it). Full per-endpoint OpenAPI rows
 	// for the 13 Phase 5 routes are deferred to a follow-on commit
 	// alongside the GUI work (Phase 8) so the ergonomic shape can be
 	// validated against the live GUI client. Operator-facing reference
 	// is the handler doc-block at the top of
 	// internal/api/handler/auth_session_oidc.go and the Phase 5 spec at
 	// cowork/auth-bundle-2-prompt.md.
 	//
 	// Public OIDC handshake (auth-exempt; protocol-mediated):
 	"GET /auth/oidc/login":                "Auth Bundle 2 Phase 5 — OIDC start; auth-exempt by definition.",
 	"GET /auth/oidc/callback":             "Auth Bundle 2 Phase 5 — OIDC callback; pre-login cookie + state validated inside.",
 	"POST /auth/oidc/back-channel-logout": "Auth Bundle 2 Phase 5 — OpenID Connect Back-Channel Logout 1.0; auth via IdP-signed logout_token JWT in body. security: [] when documented.",
 	"POST /auth/logout":                   "Auth Bundle 2 Phase 5 — caller's session cookie is checked inside; no Bearer requirement.",
 	// Session management (RBAC-gated auth.session.*):
 	"GET /api/v1/auth/sessions":         "Auth Bundle 2 Phase 5 — list sessions; gated auth.session.list; cookieAuth+bearerAuth.",
 	"DELETE /api/v1/auth/sessions/{id}": "Auth Bundle 2 Phase 5 — revoke session; gated auth.session.revoke (own-session bypass at handler).",
 	// OIDC provider CRUD + refresh (RBAC-gated auth.oidc.*):
 	"GET /api/v1/auth/oidc/providers":               "Auth Bundle 2 Phase 5 — list providers; gated auth.oidc.list.",
 	"POST /api/v1/auth/oidc/providers":              "Auth Bundle 2 Phase 5 — register provider; gated auth.oidc.create; client_secret encrypted at rest.",
 	"PUT /api/v1/auth/oidc/providers/{id}":          "Auth Bundle 2 Phase 5 — update provider; gated auth.oidc.edit.",
 	"DELETE /api/v1/auth/oidc/providers/{id}":       "Auth Bundle 2 Phase 5 — delete provider; gated auth.oidc.delete; refused when users authenticated.",
 	"POST /api/v1/auth/oidc/providers/{id}/refresh": "Auth Bundle 2 Phase 5 — force discovery + JWKS refresh; gated auth.oidc.edit; re-runs IdP downgrade defense.",
 	// Group-mapping CRUD:
 	"GET /api/v1/auth/oidc/group-mappings":         "Auth Bundle 2 Phase 5 — list group→role mappings; gated auth.oidc.list.",
 	"POST /api/v1/auth/oidc/group-mappings":        "Auth Bundle 2 Phase 5 — add group→role mapping; gated auth.oidc.edit.",
 	"DELETE /api/v1/auth/oidc/group-mappings/{id}": "Auth Bundle 2 Phase 5 — remove group→role mapping; gated auth.oidc.edit.",
 	// Auth Bundle 2 Phase 7.5 — break-glass admin HTTP surface (4 routes).
 	// Operator-toggleable local-password recovery for the SSO-broken case
 	// (Decision 4). Default-OFF; the entire surface returns 404 (not 403)
 	// when CERTCTL_BREAKGLASS_ENABLED=false so it is invisible to scanners.
 	// Threat model + operator runbook live in docs/operator/breakglass.md
 	// (deferred to the Phase 12 doc bundle alongside the auth threat-model
 	// extension). Full per-endpoint OpenAPI rows ride along with that
 	// commit; until then the surface is tracked here.
 	"POST /auth/breakglass/login":                                "Auth Bundle 2 Phase 7.5 — local-password login; auth-exempt; 404 when disabled (surface invisibility per spec).",
 	"GET /api/v1/auth/breakglass/credentials":                    "Audit 2026-05-10 CRIT-4 — list credentialed actors (metadata only; no password hash on the wire); gated auth.breakglass.admin.",
 	"POST /api/v1/auth/breakglass/credentials":                   "Auth Bundle 2 Phase 7.5 — set/rotate password; gated auth.breakglass.admin.",
 	"POST /api/v1/auth/breakglass/credentials/{actor_id}/unlock": "Auth Bundle 2 Phase 7.5 — clear lockout state; gated auth.breakglass.admin.",
 	"DELETE /api/v1/auth/breakglass/credentials/{actor_id}":      "Auth Bundle 2 Phase 7.5 — remove credential; gated auth.breakglass.admin.",
 	// Audit 2026-05-10 HIGH-11 — streaming NDJSON audit export. Like
 	// other streaming wire-protocol surfaces (ACME, SCEP, EST), the
 	// response is line-oriented application/x-ndjson rather than a
 	// single JSON object; documenting it as a regular OpenAPI operation
 	// would misrepresent the streaming shape. The contract is documented
 	// in docs/operator/security.md::audit-export and the handler doc
 	// comment.
 	"GET /api/v1/audit/export": "Audit 2026-05-10 HIGH-11 — streaming NDJSON audit export; gated audit.export. Documented inline at internal/api/handler/audit.go::ExportAudit.",
 	// Audit 2026-05-10 MED-3 — `DELETE /api/v1/auth/sessions?except=current`
 	// is the "sign out all other sessions" flow. Distinct from the
 	// per-session DELETE /api/v1/auth/sessions/{id} (already in OpenAPI);
 	// this variant operates on the caller's whole session set minus the
 	// current. Documented inline at
 	// internal/api/handler/auth_session_oidc.go::RevokeAllExceptCurrent.
 	"DELETE /api/v1/auth/sessions": "Audit 2026-05-10 MED-3 — sign-out-all-other-sessions; gated auth.session.revoke. Documented inline at internal/api/handler/auth_session_oidc.go::RevokeAllExceptCurrent.",
 	// =========================================================================
 	// Pre-existing parity debt — routes that shipped on dev/auth-bundle-2
 	// without their OpenAPI rows. Each entry below is tracked here as an
 	// exception with a pointer to the origin commit + the handler file that
 	// already carries the contract docstring. A follow-on pass should
 	// promote each into a full operationId entry under api/openapi.yaml.
 	//
 	// Each entry MUST list the origin commit (git blame router.go for the
 	// r.Register call) so the parity-debt cleanup pass can group routes
 	// by author + topic.
 	// =========================================================================
 	"POST /api/v1/auth/oidc/test":                      "Audit 2026-05-10 MED-5 (Item 2; commit 00bbef7) — POST /api/v1/auth/oidc/test dry-run endpoint; gated auth.oidc.edit. Contract at internal/auth/oidc/test_discovery.go; OpenAPI row pending.",
 	"GET /api/v1/auth/oidc/providers/{id}/jwks-status": "Audit 2026-05-10 MED-6 follow-on (Item 3) — JWKS auto-refresh cache-status endpoint; gated auth.oidc.list. OpenAPI row pending.",
 	"GET /api/v1/auth/users":                           "Audit 2026-05-10 MED-7 / Bundle 2 Phase 13 Fix D — federated user list; gated auth.user.list. OpenAPI row pending.",
 	"DELETE /api/v1/auth/users/{id}":                   "Audit 2026-05-10 MED-7 / Bundle 2 Phase 13 Fix D — soft-delete a federated user (sets deactivated_at); gated auth.user.delete. Audit 2026-05-11 A-2 closure layered the login-time enforcement. OpenAPI row pending.",
 	"POST /api/v1/auth/users/{id}/reactivate":          "Audit 2026-05-11 A-2 closure (commit a980e4c) — clears deactivated_at so a soft-deleted federated user can log in again; gated auth.user.edit. OpenAPI row pending.",
 	"GET /api/v1/auth/runtime-config":                  "Audit 2026-05-10 MED-12 / Bundle 2 Phase 13 Fix D — admin-only inspector for the live auth-related env vars; gated auth.role.assign. Handler at internal/api/handler/auth_runtime_config.go. OpenAPI row pending.",
 	// Audit 2026-05-11 A-8 closure — demo-mode residual-grants cleanup.
 	// The endpoint removes residual actor-demo-anon role grants from a
 	// production deploy that previously ran (or installed alongside)
 	// demo mode. Admin-class (auth.role.assign) gated at the router.
 	// Refuses to run when Auth.Type=none (503). Wire-shape is a plain
 	// JSON POST → {removed: int64}. Handler doc-block at
 	// internal/api/handler/demo_residual.go::Cleanup; operator
 	// runbook at docs/operator/security.md::demo-to-production-cutover.
 	"POST /api/v1/auth/demo-residual/cleanup": "Audit 2026-05-11 A-8 closure — demo-mode residual-grants cleanup; gated auth.role.assign. Refuses when Auth.Type=none. Handler at internal/api/handler/demo_residual.go. OpenAPI row pending — endpoint shape is minimal (POST → {removed: int64}).",
 }
 func TestRouter_OpenAPIParity(t *testing.T) {
@@ -0,0 +1,138 @@
 package router
 import (
 	"go/parser"
 	"go/token"
 	"os"
 	"strings"
 	"testing"
 	"github.com/certctl-io/certctl/internal/auth"
 )
 // =============================================================================
 // Bundle 1 Phase 12 (Category F) — protocol endpoints MUST NOT be wrapped in
 // rbacGate / auth.RequirePermission.
 //
 // The prompt's exit criterion: "Negative test asserts that ACME / SCEP /
 // EST / OCSP / CRL endpoints are NOT wrapped in RequirePermission.
 // Implementation: scan the router config and assert each protocol-
 // endpoint route is in the allowlist constant from Phase 3."
 //
 // Two complementary checks ride here:
 //
 //  1. Scan router.go's source for every literal route path that matches
 //     a protocol-endpoint prefix; assert NONE of those paths appear
 //     inside a rbacGate(...) call. The AST walker is intentionally
 //     loose — substring match against the rbacGate function name is
 //     sufficient and avoids false negatives from formatting.
 //
 //  2. Pin the protocol-endpoint dispatch prefixes (cmd/server/main.go's
 //     buildFinalHandler dispatch) against the allowlist constant in
 //     auth.IsProtocolEndpoint. If a future commit adds a new protocol
 //     endpoint without extending the allowlist, this test breaks.
 // =============================================================================
 // protocolEndpointPrefixes is the canonical set of URL prefixes the
 // auth middleware MUST bypass. Mirrors auth.IsProtocolEndpoint's
 // internal switch. This test pins the constant against the actual
 // router shape.
 var protocolEndpointPrefixes = []string{
 	"/acme",
 	"/scep",
 	"/.well-known/est",
 	"/.well-known/pki/ocsp",
 	"/.well-known/pki/crl",
 }
 // TestPhase12_ProtocolEndpointsNotGated walks router.go and asserts
 // no rbacGate(...) call references a path under a protocol-endpoint
 // prefix. We accept false negatives (the test is conservative) but
 // never false positives — if rbacGate wraps a protocol path, the test
 // fails with the offending line.
 func TestPhase12_ProtocolEndpointsNotGated(t *testing.T) {
 	src, err := os.ReadFile("router.go")
 	if err != nil {
 		t.Fatalf("read router.go: %v", err)
 	}
 	fset := token.NewFileSet()
 	if _, perr := parser.ParseFile(fset, "router.go", src, parser.SkipObjectResolution); perr != nil {
 		t.Fatalf("parse router.go: %v", perr)
 	}
 	body := string(src)
 	// Find every line containing rbacGate(. For each, scan for any
 	// of the protocol prefixes appearing on the same line. If both
 	// land on a single line, that's a Category-F violation.
 	for i, line := range strings.Split(body, "\n") {
 		if !strings.Contains(line, "rbacGate(") {
 			continue
 		}
 		for _, prefix := range protocolEndpointPrefixes {
 			// We look for `"<prefix>"` or `"<prefix>/...` shapes —
 			// the path argument is always a quoted string in the
 			// repo's r.Register("METHOD /path", ...) convention.
 			if strings.Contains(line, `"`+prefix) {
 				t.Errorf("router.go line %d: rbacGate wraps a protocol-endpoint path %q (Category F violation): %s",
 					i+1, prefix, strings.TrimSpace(line))
 			}
 		}
 	}
 }
 // TestPhase12_IsProtocolEndpoint_CoversCanonicalPrefixes pins the
 // auth.IsProtocolEndpoint allowlist against the canonical prefix
 // set. If a future commit adds a new protocol that the auth
 // middleware needs to bypass, both this slice AND
 // auth.IsProtocolEndpoint must change in lockstep.
 func TestPhase12_IsProtocolEndpoint_CoversCanonicalPrefixes(t *testing.T) {
 	for _, prefix := range protocolEndpointPrefixes {
 		// IsProtocolEndpoint takes a full path; pass the prefix as
 		// a synthetic representative request path.
 		probe := prefix
 		if !strings.HasSuffix(probe, "/") {
 			probe = probe + "/probe"
 		}
 		if !auth.IsProtocolEndpoint(probe) {
 			t.Errorf("IsProtocolEndpoint(%q) = false; the canonical prefix list is out of sync with the auth allowlist", probe)
 		}
 	}
 }
 // TestPhase12_RBACGateRoutesAreUnderAPIv1 belt-and-braces: every
 // rbacGate-wrapped path the parity test enumerates must start with
 // `/api/v1/` so we can never accidentally wrap a protocol endpoint
 // (those all live under `/acme`, `/scep`, or `/.well-known/`).
 func TestPhase12_RBACGateRoutesAreUnderAPIv1(t *testing.T) {
 	src, err := os.ReadFile("router.go")
 	if err != nil {
 		t.Fatalf("read router.go: %v", err)
 	}
 	for i, line := range strings.Split(string(src), "\n") {
 		if !strings.Contains(line, "rbacGate(") {
 			continue
 		}
 		// Find the quoted path argument. Look for the first
 		// occurrence of `"METHOD /...`.
 		startQuote := strings.Index(line, `"`)
 		if startQuote < 0 {
 			continue
 		}
 		endQuote := strings.Index(line[startQuote+1:], `"`)
 		if endQuote < 0 {
 			continue
 		}
 		path := line[startQuote+1 : startQuote+1+endQuote]
 		// The Register signature is "METHOD /path" — split on
 		// whitespace.
 		parts := strings.Fields(path)
 		if len(parts) != 2 {
 			continue
 		}
 		urlPath := parts[1]
 		if !strings.HasPrefix(urlPath, "/api/v1/") {
 			t.Errorf("router.go line %d: rbacGate wraps non-API-v1 path %q: %s",
 				i+1, urlPath, strings.TrimSpace(line))
 		}
 	}
 }
@@ -0,0 +1,233 @@
 package router
 import (
 	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/certctl-io/certctl/internal/auth"
 )
 // =============================================================================
 // Bundle 1 Phase 3.5 integration tests for the rbacGate wraps. The
 // pre-Phase-3.5 in-handler auth.IsAdmin checks moved to the router via
 // auth.RequirePermission middleware; these tests pin the router-level
 // invariant that non-permitted callers get 403 BEFORE the handler body
 // runs, and that the protocol-endpoint allowlist (ACME / SCEP / EST /
 // OCSP / CRL) bypasses the gate.
 // =============================================================================
 // fakeChecker satisfies auth.PermissionChecker. permFn returns the
 // canned (allowed, error) tuple per call.
 type fakeChecker struct {
 	permFn func(ctx context.Context, actorID, actorType, tenantID, perm, scopeType string, scopeID *string) (bool, error)
 }
 func (f *fakeChecker) CheckPermission(ctx context.Context, actorID, actorType, tenantID, perm, scopeType string, scopeID *string) (bool, error) {
 	if f.permFn == nil {
 		return true, nil
 	}
 	return f.permFn(ctx, actorID, actorType, tenantID, perm, scopeType, scopeID)
 }
 // reachedHandler is a sentinel to confirm the gated handler body
 // actually ran.
 type reachedHandler struct{ called bool }
 func (rh *reachedHandler) ServeHTTP(w http.ResponseWriter, _ *http.Request) {
 	rh.called = true
 	w.WriteHeader(http.StatusOK)
 }
 // withActor is a tiny test helper: builds a request with the Phase 3
 // auth-context keys populated.
 func withActor(req *http.Request, actorID, actorType string) *http.Request {
 	ctx := req.Context()
 	ctx = context.WithValue(ctx, auth.ActorIDKey{}, actorID)
 	ctx = context.WithValue(ctx, auth.ActorTypeKey{}, actorType)
 	return req.WithContext(ctx)
 }
 func TestRBACGate_DeniedActorReturns403_HandlerNotReached(t *testing.T) {
 	rh := &reachedHandler{}
 	checker := &fakeChecker{permFn: func(_ context.Context, _, _, _, perm, _ string, _ *string) (bool, error) {
 		if perm != "cert.bulk_revoke" {
 			t.Errorf("perm = %q, want cert.bulk_revoke", perm)
 		}
 		return false, nil
 	}}
 	gated := rbacGate(checker, "cert.bulk_revoke", rh.ServeHTTP)
 	req := withActor(httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", nil), "bob", auth.ActorTypeAPIKey)
 	rec := httptest.NewRecorder()
 	gated.ServeHTTP(rec, req)
 	if rec.Code != http.StatusForbidden {
 		t.Errorf("non-permitted caller should get 403; got %d", rec.Code)
 	}
 	if rh.called {
 		t.Errorf("handler body must NOT run when middleware denies the request")
 	}
 }
 func TestRBACGate_PermittedActorReachesHandler(t *testing.T) {
 	rh := &reachedHandler{}
 	checker := &fakeChecker{permFn: func(_ context.Context, _, _, _, _, _ string, _ *string) (bool, error) {
 		return true, nil
 	}}
 	gated := rbacGate(checker, "cert.bulk_revoke", rh.ServeHTTP)
 	req := withActor(httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", nil), "alice", auth.ActorTypeAPIKey)
 	rec := httptest.NewRecorder()
 	gated.ServeHTTP(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Errorf("permitted caller should reach handler 200; got %d", rec.Code)
 	}
 	if !rh.called {
 		t.Errorf("handler body must run when middleware allows the request")
 	}
 }
 func TestRBACGate_NoCheckerNoOps(t *testing.T) {
 	// Test deployments / demo configs may construct HandlerRegistry
 	// without a Checker. rbacGate must fall through to the handler in
 	// that case so the route stays callable; the middleware is purely
 	// optional defense-in-depth here.
 	rh := &reachedHandler{}
 	gated := rbacGate(nil, "cert.bulk_revoke", rh.ServeHTTP)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", nil)
 	rec := httptest.NewRecorder()
 	gated.ServeHTTP(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Errorf("nil-checker rbacGate should fall through; got %d", rec.Code)
 	}
 	if !rh.called {
 		t.Errorf("nil-checker rbacGate should reach handler unconditionally")
 	}
 }
 func TestRBACGate_NoActorReturns401(t *testing.T) {
 	rh := &reachedHandler{}
 	checker := &fakeChecker{} // permFn nil -> always allow; never called
 	gated := rbacGate(checker, "cert.bulk_revoke", rh.ServeHTTP)
 	// No ActorIDKey in context.
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", nil)
 	rec := httptest.NewRecorder()
 	gated.ServeHTTP(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Errorf("missing actor should yield 401; got %d", rec.Code)
 	}
 	if rh.called {
 		t.Errorf("handler body must NOT run when no actor in context")
 	}
 }
 // TestRBACGate_AuditorRole_403sOnAdminRoutes is the Bundle 1 Phase 8
 // exit-criterion test: an actor holding only the auditor role
 // (audit.read + audit.export) gets 403 on every rbacGate-wrapped admin
 // route. This pins the prompt's "auditor user can list/export audit
 // events but gets 403 on every other endpoint" requirement.
 //
 // We exercise every admin perm name registered in router.go's rbacGate
 // calls (cert.bulk_revoke / crl.admin / scep.admin / est.admin /
 // ca.hierarchy.manage). The checker simulates the auditor's permission
 // matrix — only audit.read + audit.export return true; every admin
 // permission returns false. The handler MUST NOT be reached for any
 // admin perm; the wrapper MUST emit 403.
 func TestRBACGate_AuditorRole_403sOnAdminRoutes(t *testing.T) {
 	auditorPerms := map[string]bool{
 		"audit.read":   true,
 		"audit.export": true,
 	}
 	checker := &fakeChecker{permFn: func(_ context.Context, _, _, _, perm, _ string, _ *string) (bool, error) {
 		return auditorPerms[perm], nil
 	}}
 	for _, adminPerm := range []string{
 		"cert.bulk_revoke",
 		"crl.admin",
 		"scep.admin",
 		"est.admin",
 		"ca.hierarchy.manage",
 	} {
 		t.Run(adminPerm, func(t *testing.T) {
 			rh := &reachedHandler{}
 			gated := rbacGate(checker, adminPerm, rh.ServeHTTP)
 			req := withActor(httptest.NewRequest(http.MethodPost, "/api/v1/", nil), "audrey", auth.ActorTypeAPIKey)
 			rec := httptest.NewRecorder()
 			gated.ServeHTTP(rec, req)
 			if rec.Code != http.StatusForbidden {
 				t.Errorf("auditor on %q route should get 403; got %d", adminPerm, rec.Code)
 			}
 			if rh.called {
 				t.Errorf("handler body must NOT run for auditor on admin route %q", adminPerm)
 			}
 		})
 	}
 }
 // TestRBACGate_AuditorRole_PassesAuditReadGate confirms the positive
 // half of the auditor invariant: a route gated on audit.read does
 // reach the handler when the auditor calls it. (Bundle 1 doesn't
 // currently wrap any audit route via rbacGate at the router level —
 // /v1/audit relies on auth.role.list at the service layer instead;
 // this test simulates a future wrap to pin the symmetric path.)
 func TestRBACGate_AuditorRole_PassesAuditReadGate(t *testing.T) {
 	auditorPerms := map[string]bool{
 		"audit.read":   true,
 		"audit.export": true,
 	}
 	checker := &fakeChecker{permFn: func(_ context.Context, _, _, _, perm, _ string, _ *string) (bool, error) {
 		return auditorPerms[perm], nil
 	}}
 	rh := &reachedHandler{}
 	gated := rbacGate(checker, "audit.read", rh.ServeHTTP)
 	req := withActor(httptest.NewRequest(http.MethodGet, "/api/v1/audit", nil), "audrey", auth.ActorTypeAPIKey)
 	rec := httptest.NewRecorder()
 	gated.ServeHTTP(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Errorf("auditor on audit.read route should reach handler 200; got %d", rec.Code)
 	}
 	if !rh.called {
 		t.Errorf("handler body must run for auditor on audit-read gate")
 	}
 }
 // TestRBACGate_DemoModeChainReachesHandler is the end-to-end Bundle 1
 // Phase 3 closure (C1) regression: when CERTCTL_AUTH_TYPE=none, the
 // auth.NewDemoModeAuth middleware injects the synthetic actor-demo-anon
 // actor into context. The rbacGate downstream sees a populated actor +
 // the fake checker (standing in for the seeded admin grant on the
 // demo actor) and forwards the request. Without the C1 fix, the
 // pre-closure NewAuthWithNamedKeys no-op pass-through would have left
 // context unpopulated and the rbacGate would 401 every demo request.
 func TestRBACGate_DemoModeChainReachesHandler(t *testing.T) {
 	rh := &reachedHandler{}
 	// Mirror the seeded admin grant on actor-demo-anon: the checker
 	// allows every permission for the demo actor (matches the data
 	// migration seeds in 000029_rbac.up.sql).
 	checker := &fakeChecker{permFn: func(_ context.Context, actorID, _, _, _, _ string, _ *string) (bool, error) {
 		if actorID != auth.DemoAnonActorID {
 			t.Errorf("checker called for unexpected actor %q (want demo-anon)", actorID)
 		}
 		return true, nil
 	}}
 	gated := rbacGate(checker, "cert.bulk_revoke", rh.ServeHTTP)
 	chain := auth.NewDemoModeAuth()(gated)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", nil)
 	rec := httptest.NewRecorder()
 	chain.ServeHTTP(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Errorf("demo-mode caller against admin route should reach handler 200; got %d", rec.Code)
 	}
 	if !rh.called {
 		t.Errorf("handler body must run for demo-mode caller (C1 closure regression)")
 	}
 }
--- a/Show More
+++ b/Show More
`@@ -1,3 +1,3 @@`
	`module github.com/certctl-io/certctl/deploy/test/f5-mock-icontrol`	`module github.com/certctl-io/certctl/deploy/test/f5-mock-icontrol`

	`go 1.25.9`	`go 1.25.10`