refactor(scep-gui): rebrand SCEP admin surface to per-profile tabbed interface (Profiles + Intune + Recent Activity)

Phase 9 follow-up to the SCEP RFC 8894 + Intune master bundle. The
Phase 9.4 GUI shipped 'SCEP Intune Monitoring' at /scep/intune, which
made the per-profile observability surface look Intune-only — operators
running EJBCA + Jamf would never click that nav link expecting per-
profile RA cert + mTLS observability. The page is per-profile keyed
under the hood; this commit rebrands + restructures so the surface
matches what operators actually need.

Spec: cowork/scep-gui-restructure-prompt.md.

User-visible change:

  - Nav link renamed: 'SCEP Intune' → 'SCEP Admin'.
  - Route: /scep is the new canonical path; /scep/intune kept as a
    backward-compat alias that lands directly on the Intune tab.
  - Page header: 'SCEP Administration'.
  - Three tabs:
      * Profiles (default) — per-profile lean cards with RA cert
        expiry countdown, mTLS sibling-route status badge, Intune
        enabled/disabled badge, challenge-password-set indicator.
        'View Intune details →' link on Intune-enabled cards
        deep-links into the Intune tab.
      * Intune Monitoring — the existing Phase 9.4 deep-dive
        (per-status counters, trust anchor expiry, recent failures
        table, reload-trust button + confirmation modal).
      * Recent Activity — full SCEP audit log filter merging all
        four action codes (scep_pkcsreq + scep_renewalreq +
        scep_pkcsreq_intune + scep_renewalreq_intune); chip filters
        for All / Initial / Renewal / Intune / Static.

Backend:

  * internal/service/scep.go — new SCEPProfileStatsSnapshot type +
    IntuneSection sub-block + ProfileStats(now) accessor. Adds
    raCertSubject/raCertNotBefore/raCertNotAfter + mtlsEnabled +
    mtlsTrustBundlePath fields with SetRACert + SetMTLSConfig setters.
    Existing IntuneStatsSnapshot + IntuneStats(now) preserved
    UNCHANGED for /admin/scep/intune/stats backward compat (the
    JSON shape stays byte-stable for external consumers — the
    aliasing approach the prompt initially suggested doesn't work
    because the new shape nests Intune while the old one is flat).
    ChallengePasswordSet is derived from challengePassword != ''
    (the secret value itself is never surfaced).

  * internal/api/handler/admin_scep_intune.go — new Profiles handler
    method on AdminSCEPIntuneHandler with the same M-008 admin gate.
    AdminSCEPIntuneServiceImpl extended (in place; same
    map[string]*service.SCEPService) to satisfy the new
    AdminSCEPProfileService interface. Single handler file gets the
    third method so the M-008 pin entry count stays steady (no new
    file, no new triplet of admin-gate test files — just three new
    Profiles tests inside the existing test file).

  * internal/api/router/router.go — one new route
    'GET /api/v1/admin/scep/profiles' registered to
    reg.AdminSCEPIntune.Profiles. HandlerRegistry unchanged.

  * api/openapi.yaml — new operation 'listSCEPProfiles' documenting
    the request body / response shape / error mapping. Existing
    Intune entries unchanged.

  * cmd/server/main.go — per-profile loop now calls
    scepService.SetMTLSConfig(profile.MTLSEnabled,
    profile.MTLSClientCATrustBundlePath) right after SetPathID, and
    scepService.SetRACert(raCert) right after loadSCEPRAPair returns
    the leaf cert. Both setters are nil-safe.

  * internal/api/handler/m008_admin_gate_test.go — extended the
    existing admin_scep_intune.go entry's justification to mention
    the third endpoint. No new map entry needed (file already
    listed).

Backend tests (8 new):

  * TestAdminSCEPProfiles_NonAdmin_Returns403
  * TestAdminSCEPProfiles_AdminExplicitFalse_Returns403
  * TestAdminSCEPProfiles_AdminPermitted_ForwardsActor — also pins
    that Intune-enabled profiles emit an 'intune' sub-block while
    Intune-disabled profiles OMIT it.
  * TestAdminSCEPProfiles_RejectsNonGetMethod
  * TestAdminSCEPProfiles_PropagatesServiceError
  * TestAdminSCEPProfilesServiceImpl_NilMapReturnsEmpty
  * (existing 16 Phase 9 admin tests still pass — backward-compat
    preserved)

Frontend:

  * web/src/api/types.ts — new SCEPProfileStatsSnapshot +
    IntuneSection + SCEPProfilesResponse types. Existing
    IntuneStatsSnapshot et al unchanged.
  * web/src/api/client.ts — new getAdminSCEPProfiles helper.
  * web/src/pages/SCEPAdminPage.tsx — full rewrite as the tabbed
    surface. Reuses the existing ConfirmReloadModal and Intune
    deep-dive card components verbatim; adds ProfileSummaryCard
    (lean card for the Profiles tab) and ActivityTab. URL state
    sync via useSearchParams so deep links survive reloads + browser
    back/forward. The legacy /scep/intune route alias defaults the
    activeTab to 'intune' on mount.
  * web/src/main.tsx — new <Route path='scep' /> + preserved
    <Route path='scep/intune' /> alias. Both render SCEPAdminPage.
  * web/src/components/Layout.tsx — nav link rebranded:
    label 'SCEP Intune' → 'SCEP Admin', to '/scep/intune' → '/scep'.

Frontend tests (20 — full rebuild):

  * Admin gate (non-admin sees gated banner + zero admin API calls)
  * Profiles tab default + Intune tab tabswitch + ?tab=intune deep
    link + legacy /scep/intune alias all land on Intune
  * Profiles tab status badges (Intune + mTLS + challenge-set)
    reflect each profile's flags
  * RA cert expiry tone bands (good ≥30d / warn 7-30d / bad <7d /
    EXPIRED) verified across three fixture profiles
  * 'View Intune details →' only renders for Intune-enabled
    profiles AND switches tabs on click
  * Empty-state banner when no profiles configured
  * Intune tab counters render with the existing Phase 9 deep-dive
    shape; reload modal Open/Confirm/Cancel/Error paths all pinned
  * Recent Activity tab merges all four SCEP audit actions across
    four parallel useQuery calls; filter chips
    (all/initial/renewal/intune/static) narrow correctly
  * Error path surfaces ErrorState on the active tab

Docs:

  * docs/scep-intune.md — Operational monitoring section heading
    expanded to '(SCEP Administration → Intune Monitoring tab)'.
    Page-surface description rewritten for the tabbed shape;
    admin-endpoints list extended with the new /admin/scep/profiles
    entry.
  * docs/architecture.md — Microsoft Intune Connector trust anchor
    subsection updated to reference the Intune Monitoring tab inside
    the SCEP Administration page + lists all three admin endpoints.
  * docs/legacy-est-scep.md — forward-ref expanded with a parallel
    sentence for the per-profile observability surface (independent
    of Intune).
  * README.md — Enrollment Protocols bullet for Intune updated to
    'admin GUI SCEP Administration page at /scep' with the three
    tabs called out.

Verification:
  * gofmt clean on touched files
  * go vet ./... clean
  * staticcheck on intune+service+handler+router+cmd-server clean
  * go test -short across intune+service+handler+router+cmd-server:
    all green (existing Phase 9 tests + new Profiles tests)
  * Frontend tsc --noEmit clean
  * Vitest: 20/20 SCEPAdminPage tests + 3/3 sibling AuditPage tests
    pass
  * G-3 docs-drift CI guard reproduced locally: clean (no new env
    vars; existing CERTCTL_SCEP_ allowlist prefix covers everything)
  * M-009 hard-zero useMutation guard reproduced locally: clean
    (the existing reload mutation already used useTrackedMutation
    from the Phase 9 follow-up commit 28e277a)
  * openapi-parity test green (new GET /api/v1/admin/scep/profiles
    operation documented)
  * M-008 admin-gate scanner green (existing admin_scep_intune.go
    entry covers all three handler methods; the test scanner
    enforces the triplet by file, not by endpoint, and the new
    Profiles triplet was added to the existing test file)

Backward compat preserved:
  * /api/v1/admin/scep/intune/stats unchanged — same JSON shape,
    same error codes, same M-008 gate
  * /api/v1/admin/scep/intune/reload-trust unchanged
  * /scep/intune route still works (alias to /scep with activeTab=intune)
  * IntuneStatsSnapshot Go type unchanged
  * IntuneStats(now) accessor unchanged

Refs: cowork/scep-gui-restructure-prompt.md
      cowork/scep-rfc8894-intune-master-prompt.md::Phase 9
      Phase 11.5 (SCEP probe in scanner — opt-in) and Phase 12
      (release prep + tag) of the master bundle resume after this.

internal/service/scep.go

@@ -53,6 +53,18 @@ type SCEPService struct {
 	complianceCheck   ComplianceCheck   // V3-Pro plug-in seam; nil-default no-op
 	intuneCounters    *intuneCounterTab // per-status atomic counters for the admin endpoint
 	pathID            string            // SCEP profile path ID; surfaced by admin endpoints
+
+	// Per-profile metadata surfaced by the new /admin/scep/profiles
+	// endpoint. SCEP RFC 8894 + Intune master bundle Phase 9 follow-up
+	// (cowork/scep-gui-restructure-prompt.md). All fields are nil/zero
+	// when the operator runs without Intune AND without mTLS — we still
+	// surface the always-present challenge-password-set + RA cert
+	// expiry on the Profiles tab for those.
+	raCertSubject       string
+	raCertNotBefore     time.Time
+	raCertNotAfter      time.Time
+	mtlsEnabled         bool
+	mtlsTrustBundlePath string
 }
 
 // intuneCounterTab is the in-memory equivalent of the
@@ -235,6 +247,142 @@ func (s *SCEPService) ReloadIntuneTrust() error {
 	return s.intuneTrust.Reload()
 }
 
+// SetRACert records the RA cert metadata the admin Profiles endpoint
+// surfaces (subject + NotBefore + NotAfter for the expiry countdown).
+// Called from cmd/server/main.go right after loadSCEPRAPair returns the
+// leaf cert. Nil-safe — passing nil leaves the fields zero-valued so
+// the snapshot's RACertSubject is empty (the GUI then renders
+// "RA cert not loaded").
+//
+// SCEP RFC 8894 + Intune master bundle Phase 9 follow-up.
+func (s *SCEPService) SetRACert(cert *x509.Certificate) {
+	if cert == nil {
+		return
+	}
+	s.raCertSubject = cert.Subject.CommonName
+	s.raCertNotBefore = cert.NotBefore
+	s.raCertNotAfter = cert.NotAfter
+}
+
+// SetMTLSConfig records this profile's mTLS sibling-route status for
+// the admin Profiles endpoint. The trust bundle PATH is surfaced (not
+// the bundle contents) so operators can correlate against their own
+// secret manager / file system audit. Called from cmd/server/main.go
+// in the per-profile loop, parallel to SetIntuneIntegration.
+//
+// SCEP RFC 8894 + Intune master bundle Phase 9 follow-up.
+func (s *SCEPService) SetMTLSConfig(enabled bool, bundlePath string) {
+	s.mtlsEnabled = enabled
+	s.mtlsTrustBundlePath = bundlePath
+}
+
+// SCEPProfileStatsSnapshot is the per-profile observability shape the
+// new /admin/scep/profiles endpoint emits. Surfaces every always-
+// present per-profile field PLUS an optional Intune sub-block.
+// Profiles that don't have Intune enabled get Intune=nil (the GUI
+// renders the lean per-profile card without the Intune deep-dive
+// button).
+//
+// Distinct from IntuneStatsSnapshot (which the existing
+// /admin/scep/intune/stats endpoint emits) so the existing endpoint's
+// JSON shape stays byte-stable for external consumers — backward
+// compatibility for the Phase 9 admin contract.
+//
+// SCEP RFC 8894 + Intune master bundle Phase 9 follow-up
+// (cowork/scep-gui-restructure-prompt.md).
+type SCEPProfileStatsSnapshot struct {
+	// Always-present per-profile fields.
+	PathID               string    `json:"path_id"`
+	IssuerID             string    `json:"issuer_id"`
+	ChallengePasswordSet bool      `json:"challenge_password_set"`
+	RACertSubject        string    `json:"ra_cert_subject,omitempty"`
+	RACertNotBefore      time.Time `json:"ra_cert_not_before,omitempty"`
+	RACertNotAfter       time.Time `json:"ra_cert_not_after,omitempty"`
+	RACertDaysToExpiry   int       `json:"ra_cert_days_to_expiry"`
+	RACertExpired        bool      `json:"ra_cert_expired"`
+	MTLSEnabled          bool      `json:"mtls_enabled"`
+	MTLSTrustBundlePath  string    `json:"mtls_trust_bundle_path,omitempty"`
+	GeneratedAt          time.Time `json:"generated_at"`
+
+	// Optional Intune sub-block; nil when this profile has Intune
+	// disabled. Mirrors the IntuneStatsSnapshot fields minus the
+	// always-present per-profile ones (which now live on the parent).
+	Intune *IntuneSection `json:"intune,omitempty"`
+}
+
+// IntuneSection is the Intune-specific data a per-profile snapshot
+// carries when INTUNE_ENABLED=true. Same fields as IntuneStatsSnapshot
+// minus the always-present per-profile ones (PathID, IssuerID,
+// GeneratedAt) which live on SCEPProfileStatsSnapshot.
+type IntuneSection struct {
+	TrustAnchorPath   string                  `json:"trust_anchor_path,omitempty"`
+	TrustAnchors      []IntuneTrustAnchorInfo `json:"trust_anchors,omitempty"`
+	Audience          string                  `json:"audience,omitempty"`
+	ChallengeValidity time.Duration           `json:"challenge_validity_ns,omitempty"`
+	RateLimitDisabled bool                    `json:"rate_limit_disabled"`
+	ReplayCacheSize   int                     `json:"replay_cache_size"`
+	Counters          map[string]uint64       `json:"counters"`
+}
+
+// ProfileStats returns the per-profile observability snapshot in the
+// new shape (always-present fields + optional Intune sub-block).
+// Safe for concurrent callers; reads only; uses the same atomic
+// counter snapshots as IntuneStats.
+//
+// SCEP RFC 8894 + Intune master bundle Phase 9 follow-up.
+func (s *SCEPService) ProfileStats(now time.Time) SCEPProfileStatsSnapshot {
+	out := SCEPProfileStatsSnapshot{
+		PathID:               s.pathID,
+		IssuerID:             s.issuerID,
+		ChallengePasswordSet: s.challengePassword != "",
+		RACertSubject:        s.raCertSubject,
+		RACertNotBefore:      s.raCertNotBefore,
+		RACertNotAfter:       s.raCertNotAfter,
+		MTLSEnabled:          s.mtlsEnabled,
+		MTLSTrustBundlePath:  s.mtlsTrustBundlePath,
+		GeneratedAt:          now.UTC(),
+	}
+	if !s.raCertNotAfter.IsZero() {
+		out.RACertExpired = now.After(s.raCertNotAfter)
+		if !out.RACertExpired {
+			out.RACertDaysToExpiry = int(s.raCertNotAfter.Sub(now).Hours() / 24)
+		}
+	}
+	if !s.intuneEnabled {
+		return out
+	}
+	intuneSection := IntuneSection{
+		Audience:          s.intuneAudience,
+		ChallengeValidity: s.intuneValidity,
+		Counters:          s.intuneCounters.snapshot(),
+	}
+	if s.intuneRateLimiter != nil {
+		intuneSection.RateLimitDisabled = s.intuneRateLimiter.Disabled()
+	}
+	if s.intuneReplayCache != nil {
+		intuneSection.ReplayCacheSize = s.intuneReplayCache.Len()
+	}
+	if s.intuneTrust != nil {
+		intuneSection.TrustAnchorPath = s.intuneTrust.Path()
+		certs := s.intuneTrust.Get()
+		intuneSection.TrustAnchors = make([]IntuneTrustAnchorInfo, 0, len(certs))
+		for _, c := range certs {
+			info := IntuneTrustAnchorInfo{
+				Subject:   c.Subject.CommonName,
+				NotBefore: c.NotBefore,
+				NotAfter:  c.NotAfter,
+				Expired:   now.After(c.NotAfter),
+			}
+			if !info.Expired {
+				info.DaysToExpiry = int(c.NotAfter.Sub(now).Hours() / 24)
+			}
+			intuneSection.TrustAnchors = append(intuneSection.TrustAnchors, info)
+		}
+	}
+	out.Intune = &intuneSection
+	return out
+}
+
 // ErrSCEPProfileIntuneDisabled is returned by ReloadIntuneTrust when
 // invoked on a profile that has Intune turned off. Lets the admin
 // handler distinguish "operator targeted the wrong profile" (HTTP 409)