fix: Docker Compose missing migrations, network scan []int crash, demo seed data

Three bugs fixed:
- Docker Compose only mounted migration 000001; migrations 000002-000007
  (profiles, agent groups, revocation, discovery, network scans) never ran,
  breaking half the demo features. Now mounts all 7 migrations in order.
- Network Scans page crashed with pq.Array scan error because lib/pq
  doesn't support []int, only []int64. Changed Ports field accordingly.
- Dashboard pie chart displayed "RenewalInProgress" without spaces.
  Added formatStatus() helper for PascalCase → spaced display.

Also adds first-run demo experience improvements:
- 9 discovered certificates (filesystem + network scan mix)
- 3 discovery scans with recent timestamps
- 2 AwaitingApproval renewal jobs for approval workflow demo
- CERTCTL_NETWORK_SCAN_ENABLED=true in Docker Compose
- Network scan targets seeded with last_scan results
- Version badge updated to v2.0.5
- Docs updated (quickstart, advanced demo) to reference seeded data

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/api/handler/network_scan_handler_test.go

@@ -77,8 +77,8 @@ func (m *mockNetworkScanService) TriggerScan(ctx context.Context, targetID strin
 func TestListNetworkScanTargets(t *testing.T) {
 	svc := &mockNetworkScanService{
 		targets: []*domain.NetworkScanTarget{
-			{ID: "nst-1", Name: "target1", CIDRs: []string{"10.0.0.0/24"}, Ports: []int{443}},
-			{ID: "nst-2", Name: "target2", CIDRs: []string{"192.168.0.0/16"}, Ports: []int{443, 8443}},
+			{ID: "nst-1", Name: "target1", CIDRs: []string{"10.0.0.0/24"}, Ports: []int64{443}},
+			{ID: "nst-2", Name: "target2", CIDRs: []string{"192.168.0.0/16"}, Ports: []int64{443, 8443}},
 		},
 	}
 	h := NewNetworkScanHandler(svc)
@@ -118,7 +118,7 @@ func TestCreateNetworkScanTarget(t *testing.T) {
 	body, _ := json.Marshal(map[string]interface{}{
 		"name":  "Production",
 		"cidrs": []string{"10.0.0.0/24"},
-		"ports": []int{443},
+		"ports": []int64{443},
 	})
 
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/network-scan-targets", bytes.NewReader(body))

internal/domain/network_scan.go

@@ -7,7 +7,7 @@ type NetworkScanTarget struct {
 	ID                 string    `json:"id"`
 	Name               string    `json:"name"`
 	CIDRs              []string  `json:"cidrs"`
-	Ports              []int     `json:"ports"`
+	Ports              []int64   `json:"ports"`
 	Enabled            bool      `json:"enabled"`
 	ScanIntervalHours  int       `json:"scan_interval_hours"`
 	TimeoutMs          int       `json:"timeout_ms"`

internal/domain/network_scan_test.go

@@ -10,7 +10,7 @@ func TestNetworkScanTarget_Defaults(t *testing.T) {
 		ID:                "nst-test",
 		Name:              "Test Target",
 		CIDRs:             []string{"10.0.0.0/24"},
-		Ports:             []int{443},
+		Ports:             []int64{443},
 		Enabled:           true,
 		ScanIntervalHours: 6,
 		TimeoutMs:         5000,
@@ -35,7 +35,7 @@ func TestNetworkScanTarget_WithScanResults(t *testing.T) {
 		ID:                 "nst-prod",
 		Name:               "Production Network",
 		CIDRs:              []string{"192.168.1.0/24", "10.0.0.0/16"},
-		Ports:              []int{443, 8443, 636},
+		Ports:              []int64{443, 8443, 636},
 		Enabled:            true,
 		ScanIntervalHours:  1,
 		TimeoutMs:          3000,

internal/service/network_scan.go

@@ -76,7 +76,7 @@ func (s *NetworkScanService) CreateTarget(ctx context.Context, target *domain.Ne
 		}
 	}
 	if len(target.Ports) == 0 {
-		target.Ports = []int{443}
+		target.Ports = []int64{443}
 	}
 	if target.ScanIntervalHours == 0 {
 		target.ScanIntervalHours = 6
@@ -276,7 +276,7 @@ func (s *NetworkScanService) scanTarget(ctx context.Context, target *domain.Netw
 }
 
 // expandEndpoints converts CIDR ranges and ports into a list of "ip:port" endpoints.
-func (s *NetworkScanService) expandEndpoints(cidrs []string, ports []int) []string {
+func (s *NetworkScanService) expandEndpoints(cidrs []string, ports []int64) []string {
 	var endpoints []string
 
 	for _, cidr := range cidrs {

internal/service/network_scan_test.go

@@ -123,7 +123,7 @@ func TestNetworkScanService_CreateTarget(t *testing.T) {
 	target, err := svc.CreateTarget(context.Background(), &domain.NetworkScanTarget{
 		Name:  "Test Network",
 		CIDRs: []string{"10.0.0.0/24"},
-		Ports: []int{443, 8443},
+		Ports: []int64{443, 8443},
 	})
 	if err != nil {
 		t.Fatalf("CreateTarget failed: %v", err)
@@ -221,7 +221,7 @@ func TestNetworkScanService_ListTargets(t *testing.T) {
 
 func TestExpandEndpoints(t *testing.T) {
 	svc := &NetworkScanService{}
-	endpoints := svc.expandEndpoints([]string{"192.168.1.1"}, []int{443, 8443})
+	endpoints := svc.expandEndpoints([]string{"192.168.1.1"}, []int64{443, 8443})
 	if len(endpoints) != 2 {
 		t.Errorf("expected 2 endpoints, got %d: %v", len(endpoints), endpoints)
 	}