fix(web,ci): close orphan-CRUD GUI gaps + dead exportCertificatePEM (B-1 master)

Closes four 2026-04-24 audit findings via per-page Edit modals on five
existing pages, a brand-new RenewalPoliciesPage for the rp-* CRUD surface,
and removal of one dead duplicate so the public client surface stops
growing without consumers. Anchored by a CI grep guardrail that fails
the build if any of the eight previously-orphan client functions loses
its non-test page consumer or if exportCertificatePEM is resurrected.

Per-page Edit modals (mirroring existing CreateXModal scaffolding):
- web/src/pages/OwnersPage.tsx — EditOwnerModal (name/email/team_id)
- web/src/pages/TeamsPage.tsx — EditTeamModal (name/description)
- web/src/pages/AgentGroupsPage.tsx — EditAgentGroupModal (full match-rule
  set: name/description/match_os/match_architecture/match_ip_cidr/
  match_version/enabled)
- web/src/pages/IssuersPage.tsx — EditIssuerModal (rename-only; type
  locked, config blob preserved untouched, footer note about delete+
  recreate for credential rotation)
- web/src/pages/ProfilesPage.tsx — EditProfileModal (rename + description
  only; policy fields preserved untouched, footer note about deferred
  policy editing)

New page (closes cat-b-4631ca092bee — RenewalPolicy CRUD orphan):
- web/src/pages/RenewalPoliciesPage.tsx — full CRUD page with shared
  PolicyFormModal for Create + Edit (form shape identical), 7-column
  DataTable (Policy/RenewalWindow/Auto/Retries/AlertThresholds/Created/
  Actions), comma-separated alert_thresholds_days input parser, and
  alert() surfacing of repository.ErrRenewalPolicyInUse (409) on Delete
  so operators can re-target dependent certs before deletion.
- web/src/main.tsx — adds /renewal-policies route.
- web/src/components/Layout.tsx — adds sidebar nav item slotted between
  Policies and Profiles.

Removed (closes cat-b-9b97ffb35ef7 — dead duplicate):
- web/src/api/client.ts::exportCertificatePEM — zero consumers across
  web/, MCP, CLI, tests; downloadCertificatePEM is the actual call site
  in CertificateDetailPage. Test references in client.test.ts and
  client.error.test.ts also removed.

CI regression guardrail:
- .github/workflows/ci.yml — adds 'Forbidden orphan-CRUD client function
  regression guard (B-1)' step. Greps for all eight previously-orphan
  fns (updateOwner/updateTeam/updateAgentGroup/updateIssuer/updateProfile
  + createRenewalPolicy/updateRenewalPolicy/deleteRenewalPolicy) under
  web/src/pages/ and fails the build if any has zero non-test consumers.
  Also blocks resurrection of exportCertificatePEM. Verified locally
  (all 8 fns have ≥2 consumers; exportCertificatePEM is gone) and
  against synthetic regressions.

Documentation:
- CHANGELOG.md — new B-1 section above L-1 under [unreleased].
- docs/architecture.md — Web Dashboard section gains a new paragraph
  capturing the 'every backend CRUD must have a GUI consumer' rule
  with reference to the CI guardrail.
- coverage-gap-audit-2026-04-24-v5/unified-audit.md — flips four
  findings to ✅ RESOLVED with detailed Status blocks; bumps Live
  Tracker score 16/47 → 20/47 (P1: 9→12, P3: 1→2); adds B-1 row to
  closed-bundle index.

Verification:
- cd web && tsc --noEmit — clean
- cd web && vitest run — 9 test files, 294 tests, all passing
- cd web && vite build — clean (no new warnings)
- B-1 guardrail dry-run — all 8 client fns have ≥2 page consumers,
  exportCertificatePEM removed (good), FAIL=0

Audit findings closed:
- cat-b-31ceb6aaa9f1 (P1, updateOwner/updateTeam/updateAgentGroup orphan)
- cat-b-7a34f893a8f9 (P1, updateIssuer/updateProfile orphan, rename-only)
- cat-b-4631ca092bee (P1, RenewalPolicy CRUD orphan)
- cat-b-9b97ffb35ef7 (P3, exportCertificatePEM dead duplicate)

Deferred follow-ups:
- Fuller EditIssuerModal with credential-rotation flow (needs threat
  model: rotation reuse window, in-flight CSR cancellation, audit-trail
  granularity).
- Fuller EditProfileModal with policy-field editing (max-TTL, allowed
  EKUs, allowed key algorithms — affect already-issued cert evaluation).
- Per-page Vitest coverage for the new Edit modals (CI grep guardrail
  catches the same regression vector at lower cost).

web/src/api/client.error.test.ts

@@ -6,7 +6,6 @@ import {
   createCertificate,
   triggerRenewal,
   revokeCertificate,
-  exportCertificatePEM,
   downloadCertificatePEM,
   exportCertificatePKCS12,
   getAgents,
@@ -106,10 +105,8 @@ describe('API Client - Error Handling', () => {
       );
     });
 
-    it('exportCertificatePEM propagates network error', async () => {
-      mockFetch.mockReturnValueOnce(mockNetworkError());
-      await expect(exportCertificatePEM('mc-test')).rejects.toThrow('Failed to fetch');
-    });
+    // B-1 closure (cat-b-9b97ffb35ef7): exportCertificatePEM removed as a
+    // dead duplicate of downloadCertificatePEM (zero consumers).
 
     it('downloadCertificatePEM propagates network error', async () => {
       mockFetch.mockReturnValueOnce(mockNetworkError());

web/src/api/client.test.ts

@@ -13,7 +13,6 @@ import {
   archiveCertificate,
   revokeCertificate,
   bulkRevokeCertificates,
-  exportCertificatePEM,
   downloadCertificatePEM,
   exportCertificatePKCS12,
   getAgents,
@@ -1151,15 +1150,8 @@ describe('API Client', () => {
   // ─── Certificate Export ────────────────────────────────
 
   describe('Certificate Export', () => {
-    it('exportCertificatePEM fetches PEM data as JSON', async () => {
-      const pemResult = { cert_pem: 'CERT', chain_pem: 'CHAIN', full_pem: 'FULL' };
-      mockFetch.mockReturnValueOnce(mockJsonResponse(pemResult));
-      const result = await exportCertificatePEM('mc-1');
-      const [url] = mockFetch.mock.calls[0];
-      expect(url).toBe('/api/v1/certificates/mc-1/export/pem');
-      expect(result.cert_pem).toBe('CERT');
-      expect(result.full_pem).toBe('FULL');
-    });
+    // B-1 closure (cat-b-9b97ffb35ef7): exportCertificatePEM was removed
+    // from client.ts as a dead duplicate of downloadCertificatePEM.
 
     it('downloadCertificatePEM fetches blob with download=true', async () => {
       const mockBlob = new Blob(['pem-data'], { type: 'application/x-pem-file' });

web/src/api/client.ts

@@ -188,9 +188,14 @@ export const bulkReassignCertificates = (request: BulkReassignmentRequest) =>
   });
 
 // Certificate Export
-export const exportCertificatePEM = (id: string) =>
-  fetchJSON<{ cert_pem: string; chain_pem: string; full_pem: string }>(`${BASE}/certificates/${id}/export/pem`);
-
+//
+// B-1 master closure (cat-b-9b97ffb35ef7): the previous `exportCertificatePEM`
+// helper that returned `{cert_pem, chain_pem, full_pem}` JSON was removed —
+// it had zero consumers across web/, MCP, CLI, and tests, and was a dead
+// duplicate of `downloadCertificatePEM` which is the only call site that
+// actually exists in `CertificateDetailPage` (browser file-download path).
+// If a JSON variant is ever needed again, re-add an explicit fetcher with a
+// page consumer in the same commit; do not resurrect the orphan.
 export const downloadCertificatePEM = (id: string) => {
   const headers: Record<string, string> = {};
   if (apiKey) headers['Authorization'] = `Bearer ${apiKey}`;