cli: promote --force on renew + require --reason on revoke (closes P3-1, P3-2)

Closes findings P3-1 and P3-2 from the 2026-05-05 CLI/API/MCP↔GUI parity
audit (cowork/cli-gui-parity-audit-2026-05-05/RESULTS.md). Both findings
flagged hidden defaults that the CLI was sending without exposing them
to operators: `force=false` baked into every renew payload, and a silent
fallback to `reason="unspecified"` whenever --reason was omitted.

P3-1 — promote --force on `certs renew` (full end-to-end plumbing)

The pre-2026-05-05 CLI sent `{"force": false}` in the renew body. The
API handler never decoded it — a textbook "lying field" per the
operator's CLAUDE.md "complete path, not the easy path" rule: the body
field stored a value, claimed to do something, and silently did nothing
because the wire never reached the consumer. Adding a --force flag that
also went unread would have created another lying field.

This commit takes the complete path:

  service.CertificateService.TriggerRenewal grew a `force bool` parameter
  (internal/service/certificate.go). When force=true, the
  RenewalInProgress block is overridden so operators can recover stuck
  in-flight renewals where a previous job hung without releasing the
  status flag. Archived and Expired remain terminal blockers regardless
  of force — those are semantic dead-ends that --force should not paper
  over (archived = decommissioned, expired = issue a new cert instead of
  renewing a dead one).

  handler.CertificateHandler.TriggerRenewal parses force from
  ?force=true (or ?force=1) query param, OR {"force": true} JSON body,
  whichever the client picks. Defaults to false. Passes through to the
  service.

  internal/cli/client.go::RenewCertificate(id, force bool) sends
  ?force=true on the URL when --force is set. The historical hardcoded
  `{"force": false}` body is gone — no more lying field.

  cmd/cli/main.go dispatches `certs renew <id> [--force]` (ID-first
  flag-second convention matches the existing `agents retire <id>
  [--force]`).

P3-2 — require --reason on `certs revoke` (Option A: strict refusal)

The pre-2026-05-05 CLI dropped to `--reason unspecified` whenever the
operator omitted the flag. Compliance reporting (RFC 5280 §5.3.1, PCI-
DSS §3.6, HIPAA §164.312) relies on the reason code being meaningful;
silent fallback defeats the audit trail because every revocation looks
identical.

  cmd/cli/main.go dispatch refuses to send when --reason is empty,
  prints the canonical RFC 5280 §5.3.1 reason-code menu, and exits
  non-zero.

  internal/cli/client.go exposes ValidRevokeReasons() returning the
  canonical camelCase list (unspecified, keyCompromise, caCompromise,
  affiliationChanged, superseded, cessationOfOperation, certificateHold,
  removeFromCRL, privilegeWithdrawn, aaCompromise) and
  NormalizeRevokeReason() that accepts both camelCase and snake_case
  inputs and normalises to the canonical wire form. Off-list reasons
  are rejected at dispatch with the menu re-printed.

Test pins:

  internal/cli/client_test.go::TestClient_RenewCertificate_ForceFlag —
  --force=true sends ?force=true with empty body; --force=false sends
  no query and no body.

  internal/cli/client_test.go::TestNormalizeRevokeReason +
  TestValidRevokeReasons — canonical-camelCase + snake_case + reject-
  off-enum behaviour.

  cmd/cli/dispatch_test.go::TestHandleCerts_Revoke_RequiresReason +
  TestHandleCerts_Revoke_RejectsUnknownReason +
  TestHandleCerts_Renew_ForceFlag — dispatch-layer pins for the same
  contracts.

  internal/api/handler/certificate_handler_test.go::TestTriggerRenewal_
  ForceQueryParam — query-param passthrough (no-flag, force=true,
  force=1, force=false) flows through to the service-layer parameter.

  internal/service/certificate_test.go::TestTriggerRenewal_
  ForceOverridesInProgress — force=false preserves the
  RenewalInProgress block; force=true clears it.

  Existing TestTriggerRenewal_Archived extended to assert force=true
  still blocks Archived (terminal-state guarantee).

Docs: docs/reference/cli.md updated with the --force example for renew
and the strict --reason semantics for revoke (including snake_case
input acceptance).

Acceptance gate (verified):
  - go build ./cmd/server/... ./cmd/agent/... ./cmd/cli/...
    ./cmd/mcp-server/... clean.
  - go vet ./... clean.
  - go test -short -count=1 ./... pass repo-wide.
  - bash scripts/ci-guards/openapi-handler-parity.sh clean
    (router 178, OpenAPI 144, exceptions 36 — unchanged; we add
    parameter parsing, not routes).
  - gofmt -l clean.

internal/service/certificate_test.go

@@ -294,7 +294,7 @@ func TestTriggerRenewal(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	certService := NewCertificateService(certRepo, policyService, auditService)
 
-	err := certService.TriggerRenewal(ctx, "cert-001", "user-1")
+	err := certService.TriggerRenewal(ctx, "cert-001", "user-1", false)
 	if err != nil {
 		t.Fatalf("TriggerRenewal failed: %v", err)
 	}
@@ -309,6 +309,53 @@ func TestTriggerRenewal(t *testing.T) {
 	}
 }
 
+// TestTriggerRenewal_ForceOverridesInProgress pins the 2026-05-05 parity-
+// defaults-cleanup (P3-1) semantic: force=true clears the
+// RenewalInProgress block so operators can recover stuck in-flight renewals.
+// force=false (the historical default) preserves the block.
+func TestTriggerRenewal_ForceOverridesInProgress(t *testing.T) {
+	ctx := context.Background()
+	now := time.Now()
+	mkCert := func() *domain.ManagedCertificate {
+		return &domain.ManagedCertificate{
+			ID:         "cert-stuck",
+			CommonName: "example.com",
+			IssuerID:   "iss-1",
+			Status:     domain.CertificateStatusRenewalInProgress,
+			ExpiresAt:  now.AddDate(0, 0, 5),
+			CreatedAt:  now,
+			UpdatedAt:  now,
+		}
+	}
+
+	t.Run("force=false blocks", func(t *testing.T) {
+		certRepo := &mockCertRepo{
+			Certs:    map[string]*domain.ManagedCertificate{"cert-stuck": mkCert()},
+			Versions: make(map[string][]*domain.CertificateVersion),
+		}
+		auditRepo := &mockAuditRepo{}
+		policyRepo := &mockPolicyRepo{Rules: make(map[string]*domain.PolicyRule)}
+		svc := NewCertificateService(certRepo, NewPolicyService(policyRepo, NewAuditService(auditRepo)), NewAuditService(auditRepo))
+		err := svc.TriggerRenewal(ctx, "cert-stuck", "user-1", false)
+		if err == nil {
+			t.Fatal("expected error when force=false on RenewalInProgress cert")
+		}
+	})
+
+	t.Run("force=true clears block", func(t *testing.T) {
+		certRepo := &mockCertRepo{
+			Certs:    map[string]*domain.ManagedCertificate{"cert-stuck": mkCert()},
+			Versions: make(map[string][]*domain.CertificateVersion),
+		}
+		auditRepo := &mockAuditRepo{}
+		policyRepo := &mockPolicyRepo{Rules: make(map[string]*domain.PolicyRule)}
+		svc := NewCertificateService(certRepo, NewPolicyService(policyRepo, NewAuditService(auditRepo)), NewAuditService(auditRepo))
+		if err := svc.TriggerRenewal(ctx, "cert-stuck", "user-1", true); err != nil {
+			t.Fatalf("force=true should override RenewalInProgress: %v", err)
+		}
+	})
+}
+
 func TestTriggerRenewal_Archived(t *testing.T) {
 	ctx := context.Background()
 	now := time.Now()
@@ -333,10 +380,15 @@ func TestTriggerRenewal_Archived(t *testing.T) {
 	auditService := NewAuditService(auditRepo)
 	certService := NewCertificateService(certRepo, policyService, auditService)
 
-	err := certService.TriggerRenewal(ctx, "cert-001", "user-1")
+	err := certService.TriggerRenewal(ctx, "cert-001", "user-1", false)
 	if err == nil {
 		t.Fatal("expected error for archived certificate")
 	}
+	// Archived is a terminal state — force=true must NOT magic it open
+	// (parity-defaults-cleanup P3-1 semantic guarantee).
+	if err := certService.TriggerRenewal(ctx, "cert-001", "user-1", true); err == nil {
+		t.Fatal("force=true should still block archived (terminal)")
+	}
 }
 
 func TestListCertificates(t *testing.T) {