improvement(pki): add metadata support to certificate and certificate requests including searching#5555

Merged
saifsmailbox98 merged 38 commits into main from saif/eng-4595-add-metadata-support-in-pki-2
Mar 3, 2026

saifsmailbox98 commented Feb 27, 2026

Context

Allows addition of metadata to certs and cert requests; also allows searching with them.

Screenshots

Please check the docs for the screenshots

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

maidul98 commented Feb 27, 2026

Snyk checks have passed. No issues have been found so far.

  • Open Source Security: Critical 0, High 0, Medium 0, Low 0, Total 0 issues

greptile-apps bot commented Feb 27, 2026

Greptile Summary

This PR adds comprehensive metadata support to certificates and certificate requests, enabling users to attach custom key-value pairs for organization and tracking.

Key Changes:

  • Database migration adds certificateId and certificateRequestId columns to ResourceMetadata table with proper foreign keys and composite FK support
  • Backend implements metadata insertion across all certificate issuance flows (CSR, managed, ACME order)
  • Metadata filtering added to certificate and certificate request listing endpoints with custom query parameter parsing
  • Frontend adds UI for attaching metadata during issuance, editing metadata on certificate details page, and filtering by metadata
  • Metadata automatically carries over when certificates are renewed
  • Comprehensive documentation added with screenshots

Security & Quality:

  • All previous issues addressed: regex replaced with string splitting, composite FK fields added, actorOrgId used correctly
  • Authorization properly checked at certificate level using existing permission system
  • SQL queries use parameterized inputs preventing injection
  • Migration is idempotent with proper hasColumn checks
  • No breaking API changes - all metadata parameters are optional

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - all critical issues from previous review rounds have been addressed
  • Score reflects thorough implementation with proper security practices: parameterized queries prevent SQL injection, authorization checks are in place, migration is idempotent, and no breaking API changes introduced. Previous issues with regex usage, composite FK handling, and orgId assignment have been resolved.
  • No files require special attention - all implementations follow established patterns and security best practices

Important Files Changed

Filename: Overview

  • backend/src/db/migrations/20260227211617_add-certificate-to-resource-metadata.ts: Idempotent migration adds certificateId and certificateRequestId columns with proper foreign keys to ResourceMetadata table
  • backend/src/server/routes/v1/certificate-router.ts: Adds optional metadata parameter to certificate issuance endpoints and new PATCH endpoint for updating certificate metadata with proper validation
  • backend/src/services/certificate/certificate-dal.ts: Implements metadata filtering using whereExists subqueries and adds findByIdWithMetadata method for fetching certificates with metadata
  • backend/src/services/certificate-request/certificate-request-dal.ts: Implements metadata filtering for certificate requests and adds findByIdWithMetadata method using nested relationship handling
  • backend/src/services/certificate-v3/certificate-v3-service.ts: Integrates metadata insertion across all certificate issuance flows and implements metadata copying during renewal with proper composite FK handling
  • frontend/src/pages/cert-manager/CertificateDetailsByIDPage/components/CertificateMetadataSection.tsx: New component for viewing and editing certificate metadata with proper permission checks and optimistic UI updates

Last reviewed commit: b96a9b1

greptile-apps bot left a comment

29 files reviewed, 6 comments

@saifsmailbox98
Contributor Author

@greptile review this again

@saifsmailbox98
Contributor Author

@greptile review this again

…to avoid FK violations; document metadata support
@saifsmailbox98
Contributor Author

@greptile review this again

Regarding your comment on the confidence score:
(1) Lack of docs: I have added docs to support this.
(2) Special character handling in metadata filter: We do something similar in v4/secret-router.ts:72. We can fix them all together later.
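
Added example, not part of this PR or of the project's code: a sketch of the two points raised in the thread, string-splitting a metadata filter so that special characters survive, and keeping user input in bindings of a parameterized EXISTS subquery. The `key=value,key=value` filter format, the `key`/`value` column names, the `c` alias, and the function names are assumptions; only the ResourceMetadata table and its certificateId column come from the page.

```typescript
// Added example. The filter format, column names "key"/"value" and the
// alias c are assumptions; only ResourceMetadata.certificateId is on the page.
type MetadataPair = { key: string; value: string };
type WhereFragment = { sql: string; bindings: string[] };

const MAX_PAIRS = 10; // assumed cap so one request cannot add unbounded subqueries

// Parse "env=prod,team=pki" with string splitting only (no regex).
// A "," or "=" inside a key or value must arrive percent-encoded.
function parseMetadataFilter(raw: string): MetadataPair[] {
  const parts = raw.split(",");
  if (parts.length > MAX_PAIRS) throw new Error("too many metadata filters");
  return parts.map((part) => {
    const idx = part.indexOf("="); // split on the first "=" only
    if (idx <= 0) throw new Error("metadata filter needs key=value");
    try {
      return {
        key: decodeURIComponent(part.slice(0, idx)),
        value: decodeURIComponent(part.slice(idx + 1)),
      };
    } catch {
      throw new Error("invalid percent-encoding in metadata filter");
    }
  });
}

// One EXISTS subquery per pair; user input only ever lands in bindings.
function buildMetadataWhere(pairs: MetadataPair[]): WhereFragment {
  const clause =
    'EXISTS (SELECT 1 FROM "ResourceMetadata" m WHERE m."certificateId" = c."id"' +
    ' AND m."key" = ? AND m."value" = ?)';
  const bindings: string[] = [];
  for (const { key, value } of pairs) bindings.push(key, value);
  return { sql: pairs.map(() => clause).join(" AND "), bindings };
}

// Constructed inputs: a plain filter, encoded delimiters, and a hostile value.
function demo(): WhereFragment {
  return buildMetadataWhere(parseMetadataFilter("env=prod,note=a%2Cb%3Dc,x=' OR 1=1 --"));
}
console.log(demo());
```

An unencoded "," inside a value splits into a fragment with no "=", so the request is rejected instead of silently matching the wrong pair.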

saifsmailbox98 changed the title from "feat(pki): add metadata support to certificate and certificate requests including searching" to "improvement(pki): add metadata support to certificate and certificate requests including searching" on Mar 1, 2026
saifsmailbox98 merged commit 2b4a77a into main on Mar 3, 2026
12 of 14 checks passed