docs: add v2.1.0 release gate note to README and testing guide

v2.1.0 will be tagged after all 34 manual QA sections pass.
Updates sign-off table version reference from v2.0.7 to v2.1.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

README.md

@@ -39,6 +39,8 @@ certctl is a self-hosted platform that automates the entire certificate lifecycl
 | [Connectors](docs/connectors.md) | Build custom issuer, target, and notifier connectors |
 | [Compliance Mapping](docs/compliance.md) | SOC 2 Type II, PCI-DSS 4.0, NIST SP 800-57 alignment guides |
 
+> **Next release:** v2.1.0 will be tagged after the full V2 feature suite passes manual QA across all 34 sections of the [testing guide](docs/testing-guide.md). Automated CI (1,471 Go tests + 193 frontend tests) gates every commit; the manual playbook covers integration, deployment, and UX verification that unit tests can't reach.
+
 ## Why certctl Exists
 
 Certificate lifecycle tooling today falls into two camps: expensive enterprise platforms (Venafi, Keyfactor, Sectigo) that cost six figures and take months to deploy, or single-purpose tools (cert-manager, certbot) that handle one slice of the problem. If you run a mixed infrastructure — some NGINX, some Apache, a few HAProxy nodes, maybe an F5 — and you need to manage certificates from multiple CAs, there's nothing self-hosted that covers the full lifecycle without vendor lock-in.

docs/testing-guide.md

@@ -5071,7 +5071,7 @@ openssl crl -in /tmp/subca-crl.der -inform DER -noout -issuer
 
 ## Release Sign-Off
 
-All 34 parts must pass before tagging v2.0.7.
+All 34 parts must pass before tagging v2.1.0.
 
 | Section | Pass? | Tester | Date | Notes |
 |---------|-------|--------|------|-------|