feat(M45): ACME certificate profile selection, ARI RFC 9773 renumber, 45-day renewal positioning

Three related ACME ecosystem changes shipped as a single milestone:

1. ACME Certificate Profile Selection: Custom JWS-signed newOrder POST with
   `profile` field (e.g., `tlsserver`, `shortlived` for 6-day certs) bypassing
   acme.Client.AuthorizeOrder() since golang.org/x/crypto lacks profile support.
   ES256 JWS signing with kid mode, nonce management, directory discovery.
   Empty profile delegates to standard library path (zero behavior change).
   Configurable via CERTCTL_ACME_PROFILE env var. GUI: profile dropdown on
   ACME issuer config.

2. ARI RFC 9702 → 9773 Renumber: All 25+ references updated across Go source,
   docs, README, and examples. Zero remaining occurrences of RFC 9702.

3. 45-Day / Short-Lived Certificate Positioning: 5 domain tests validating
   renewal thresholds against SC-081v3 validity reduction timeline (200→100→47
   days) and Let's Encrypt 45-day/6-day profiles. ARI (RFC 9773) is the
   expected renewal path for 6-day shortlived certs.

New tests: 13 profile + 5 domain threshold + 1 frontend = 19 new tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/service/issuer.go

@@ -334,6 +334,7 @@ func (s *IssuerService) buildEnvVarSeeds(cfg *config.Config) []*domain.Issuer {
 			"directory_url":  cfg.ACME.DirectoryURL,
 			"email":          cfg.ACME.Email,
 			"challenge_type": cfg.ACME.ChallengeType,
+			"profile":        cfg.ACME.Profile,
 			"insecure":       cfg.ACME.Insecure,
 			"ari_enabled":    cfg.ACME.ARIEnabled,
 		}),
@@ -352,6 +353,7 @@ func (s *IssuerService) buildEnvVarSeeds(cfg *config.Config) []*domain.Issuer {
 			"directory_url":  cfg.ACME.DirectoryURL,
 			"email":          cfg.ACME.Email,
 			"challenge_type": cfg.ACME.ChallengeType,
+			"profile":        cfg.ACME.Profile,
 			"insecure":       cfg.ACME.Insecure,
 			"ari_enabled":    cfg.ACME.ARIEnabled,
 		}),

internal/service/renewal.go

@@ -54,7 +54,7 @@ type IssuerConnector interface {
 	SignOCSPResponse(ctx context.Context, req OCSPSignRequest) ([]byte, error)
 	// GetCACertPEM returns the PEM-encoded CA certificate chain for this issuer.
 	GetCACertPEM(ctx context.Context) (string, error)
-	// GetRenewalInfo retrieves ACME Renewal Information (ARI) per RFC 9702 for a certificate.
+	// GetRenewalInfo retrieves ACME Renewal Information (ARI) per RFC 9773 for a certificate.
 	// certPEM is the PEM-encoded certificate. Returns nil, nil if the issuer does not support ARI.
 	GetRenewalInfo(ctx context.Context, certPEM string) (*RenewalInfoResult, error)
 }
@@ -174,7 +174,7 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
 			continue
 		}
 
-		// ARI check (RFC 9702): if the issuer supports ARI, let the CA direct renewal timing.
+		// ARI check (RFC 9773): if the issuer supports ARI, let the CA direct renewal timing.
 		// Fetch the latest cert version to get the PEM chain for the ARI query.
 		ariChecked := false
 		if version, vErr := s.certRepo.GetLatestVersion(ctx, cert.ID); vErr == nil && version != nil && version.PEMChain != "" {

internal/service/renewal_test.go

@@ -853,7 +853,7 @@ func TestProcessRenewalJob_NoCertificate(t *testing.T) {
 	}
 }
 
-// --- ARI (RFC 9702) Scheduler Integration Tests ---
+// --- ARI (RFC 9773) Scheduler Integration Tests ---
 
 func TestCheckExpiringCertificates_ARI_ShouldRenewNow(t *testing.T) {
 	t.Helper()