fix(web,ci): close orphan-CRUD GUI gaps + dead exportCertificatePEM (B-1 master)

Closes four 2026-04-24 audit findings via per-page Edit modals on five
existing pages, a brand-new RenewalPoliciesPage for the rp-* CRUD surface,
and removal of one dead duplicate so the public client surface stops
growing without consumers. Anchored by a CI grep guardrail that fails
the build if any of the eight previously-orphan client functions loses
its non-test page consumer or if exportCertificatePEM is resurrected.

Per-page Edit modals (mirroring existing CreateXModal scaffolding):
- web/src/pages/OwnersPage.tsx — EditOwnerModal (name/email/team_id)
- web/src/pages/TeamsPage.tsx — EditTeamModal (name/description)
- web/src/pages/AgentGroupsPage.tsx — EditAgentGroupModal (full match-rule
  set: name/description/match_os/match_architecture/match_ip_cidr/
  match_version/enabled)
- web/src/pages/IssuersPage.tsx — EditIssuerModal (rename-only; type
  locked, config blob preserved untouched, footer note about delete+
  recreate for credential rotation)
- web/src/pages/ProfilesPage.tsx — EditProfileModal (rename + description
  only; policy fields preserved untouched, footer note about deferred
  policy editing)

New page (closes cat-b-4631ca092bee — RenewalPolicy CRUD orphan):
- web/src/pages/RenewalPoliciesPage.tsx — full CRUD page with shared
  PolicyFormModal for Create + Edit (form shape identical), 7-column
  DataTable (Policy/RenewalWindow/Auto/Retries/AlertThresholds/Created/
  Actions), comma-separated alert_thresholds_days input parser, and
  alert() surfacing of repository.ErrRenewalPolicyInUse (409) on Delete
  so operators can re-target dependent certs before deletion.
- web/src/main.tsx — adds /renewal-policies route.
- web/src/components/Layout.tsx — adds sidebar nav item slotted between
  Policies and Profiles.

Removed (closes cat-b-9b97ffb35ef7 — dead duplicate):
- web/src/api/client.ts::exportCertificatePEM — zero consumers across
  web/, MCP, CLI, tests; downloadCertificatePEM is the actual call site
  in CertificateDetailPage. Test references in client.test.ts and
  client.error.test.ts also removed.

CI regression guardrail:
- .github/workflows/ci.yml — adds 'Forbidden orphan-CRUD client function
  regression guard (B-1)' step. Greps for all eight previously-orphan
  fns (updateOwner/updateTeam/updateAgentGroup/updateIssuer/updateProfile
  + createRenewalPolicy/updateRenewalPolicy/deleteRenewalPolicy) under
  web/src/pages/ and fails the build if any has zero non-test consumers.
  Also blocks resurrection of exportCertificatePEM. Verified locally
  (all 8 fns have ≥2 consumers; exportCertificatePEM is gone) and
  against synthetic regressions.

Documentation:
- CHANGELOG.md — new B-1 section above L-1 under [unreleased].
- docs/architecture.md — Web Dashboard section gains a new paragraph
  capturing the 'every backend CRUD must have a GUI consumer' rule
  with reference to the CI guardrail.
- coverage-gap-audit-2026-04-24-v5/unified-audit.md — flips four
  findings to ✅ RESOLVED with detailed Status blocks; bumps Live
  Tracker score 16/47 → 20/47 (P1: 9→12, P3: 1→2); adds B-1 row to
  closed-bundle index.

Verification:
- cd web && tsc --noEmit — clean
- cd web && vitest run — 9 test files, 294 tests, all passing
- cd web && vite build — clean (no new warnings)
- B-1 guardrail dry-run — all 8 client fns have ≥2 page consumers,
  exportCertificatePEM removed (good), FAIL=0

Audit findings closed:
- cat-b-31ceb6aaa9f1 (P1, updateOwner/updateTeam/updateAgentGroup orphan)
- cat-b-7a34f893a8f9 (P1, updateIssuer/updateProfile orphan, rename-only)
- cat-b-4631ca092bee (P1, RenewalPolicy CRUD orphan)
- cat-b-9b97ffb35ef7 (P3, exportCertificatePEM dead duplicate)

Deferred follow-ups:
- Fuller EditIssuerModal with credential-rotation flow (needs threat
  model: rotation reuse window, in-flight CSR cancellation, audit-trail
  granularity).
- Fuller EditProfileModal with policy-field editing (max-TTL, allowed
  EKUs, allowed key algorithms — affect already-issued cert evaluation).
- Per-page Vitest coverage for the new Edit modals (CI grep guardrail
  catches the same regression vector at lower cost).

web/src/pages/IssuersPage.tsx

@@ -1,7 +1,7 @@
-import { useState, useMemo } from 'react';
+import { useEffect, useState, useMemo } from 'react';
 import { Link } from 'react-router-dom';
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
-import { getIssuers, testIssuerConnection, deleteIssuer, createIssuer } from '../api/client';
+import { getIssuers, testIssuerConnection, deleteIssuer, createIssuer, updateIssuer } from '../api/client';
 import PageHeader from '../components/PageHeader';
 import DataTable from '../components/DataTable';
 import type { Column } from '../components/DataTable';
@@ -30,6 +30,18 @@ export default function IssuersPage() {
   const [preselectedType, setPreselectedType] = useState<string | null>(null);
   const [typeFilter, setTypeFilter] = useState<string>('');
   const [configModal, setConfigModal] = useState<{ title: string; config: Record<string, unknown> } | null>(null);
+  // B-1 master closure (cat-b-7a34f893a8f9): rename-only Edit affordance.
+  // Pre-B-1 the only way to rename an issuer was delete-and-recreate,
+  // which destroyed cert provenance and forced a re-encryption cycle
+  // through internal/crypto/encryption.go for every cert under the
+  // issuer. Type and credential blob are intentionally NOT editable here
+  // — changing the underlying CA driver type would require
+  // re-encrypting config under a different schema, and credentials are
+  // stored encrypted at rest (we can't decrypt them client-side to
+  // pre-populate). Operators who need to rotate credentials still
+  // delete + recreate. Documented as a deferred follow-up in the L-1
+  // CHANGELOG entry.
+  const [editingIssuer, setEditingIssuer] = useState<Issuer | null>(null);
 
   const { data, isLoading, error, refetch } = useQuery({
     queryKey: ['issuers'],
@@ -57,6 +69,19 @@ export default function IssuersPage() {
     },
   });
 
+  // B-1 master closure: updateIssuer is wired to the rename-only Edit
+  // modal. Type and credential blob are NOT mutated here — see editingIssuer
+  // docblock above. Sends `{ name, type, config }` to satisfy the backend
+  // PUT contract (the handler decodes into a full domain.Issuer struct);
+  // type + config are preserved by reading them from the editing target.
+  const updateMutation = useMutation({
+    mutationFn: ({ id, data }: { id: string; data: Partial<Issuer> }) => updateIssuer(id, data),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['issuers'] });
+      setEditingIssuer(null);
+    },
+  });
+
   const catalogStatus = useMemo(
     () => getIssuerCatalogStatus(data?.data || []),
     [data?.data]
@@ -129,6 +154,12 @@ export default function IssuersPage() {
           >
             Test
           </button>
+          <button
+            onClick={(e) => { e.stopPropagation(); setEditingIssuer(i); }}
+            className="text-xs text-brand-400 hover:text-brand-500 transition-colors"
+          >
+            Edit
+          </button>
           <button
             onClick={(e) => { e.stopPropagation(); if (confirm(`Delete issuer ${i.name}?`)) deleteMutation.mutate(i.id); }}
             className="text-xs text-red-600 hover:text-red-700 transition-colors"
@@ -244,10 +275,91 @@ export default function IssuersPage() {
           isSubmitting={createMutation.isPending}
         />
       )}
+
+      {/* B-1 closure: EditIssuerModal — rename-only. */}
+      <EditIssuerModal
+        issuer={editingIssuer}
+        onClose={() => setEditingIssuer(null)}
+        onSave={(name) => {
+          if (!editingIssuer) return;
+          updateMutation.mutate({
+            id: editingIssuer.id,
+            data: {
+              name,
+              // Preserve type + config + enabled — the rename-only
+              // contract. Credential blob stays encrypted at rest.
+              type: editingIssuer.type,
+              config: editingIssuer.config,
+              enabled: editingIssuer.enabled,
+            },
+          });
+        }}
+        isSaving={updateMutation.isPending}
+        error={updateMutation.error ? (updateMutation.error as Error).message : null}
+      />
     </>
   );
 }
 
+// ─── EditIssuerModal — rename-only Edit modal (B-1) ─────────────
+//
+// Locked: type, config (credentials), enabled. Editable: name only.
+// The audit's "destructive rename workflow" complaint is specifically
+// about renames; B-1 closes that hazard. Credential rotation still
+// requires delete-and-recreate (see CHANGELOG B-1 known follow-ups).
+interface EditIssuerModalProps {
+  issuer: Issuer | null;
+  onClose: () => void;
+  onSave: (name: string) => void;
+  isSaving: boolean;
+  error: string | null;
+}
+
+function EditIssuerModal({ issuer, onClose, onSave, isSaving, error }: EditIssuerModalProps) {
+  const [name, setName] = useState('');
+  useEffect(() => { if (issuer) setName(issuer.name); }, [issuer]);
+
+  if (!issuer) return null;
+
+  const handleSubmit = (e: React.FormEvent) => {
+    e.preventDefault();
+    if (!name.trim()) return;
+    onSave(name.trim());
+  };
+
+  return (
+    <div className="fixed inset-0 bg-black/40 flex items-center justify-center z-50" onClick={onClose}>
+      <div className="bg-surface border border-surface-border rounded p-5 w-full max-w-md shadow-xl" onClick={e => e.stopPropagation()}>
+        <h2 className="text-lg font-semibold text-ink mb-4">Edit Issuer</h2>
+        <p className="text-xs text-ink-muted mb-4 font-mono">{issuer.id}</p>
+        {error && <div className="mb-4 p-3 bg-red-50 border border-red-200 rounded text-sm text-red-700">{error}</div>}
+        <form onSubmit={handleSubmit} className="space-y-4">
+          <div>
+            <label className="block text-sm font-medium text-ink mb-1">Name *</label>
+            <input value={name} onChange={e => setName(e.target.value)} required
+              className="w-full bg-white border border-surface-border rounded px-3 py-2 text-sm text-ink focus:outline-none focus:border-brand-400" />
+          </div>
+          <div>
+            <label className="block text-sm font-medium text-ink-muted mb-1">Type (locked)</label>
+            <input value={issuer.type} disabled
+              className="w-full bg-surface-border/50 border border-surface-border rounded px-3 py-2 text-sm text-ink-muted font-mono" />
+            <p className="text-xs text-ink-faint mt-1">
+              To change issuer type or rotate credentials, delete and recreate.
+              See CHANGELOG B-1 known follow-ups.
+            </p>
+          </div>
+          <div className="flex gap-2 pt-4">
+            <button type="submit" disabled={isSaving} className="flex-1 btn btn-primary disabled:opacity-50 disabled:cursor-not-allowed">
+              {isSaving ? 'Saving...' : 'Save Changes'}
+            </button>
+            <button type="button" onClick={onClose} className="flex-1 btn btn-ghost">Cancel</button>
+          </div>
+        </form>
+      </div>
+    </div>
+  );
+}
+
 // ─── Catalog Card ───────────────────────────────────────────────
 
 interface CatalogCardProps {