docs: Phase 14 — Last reviewed line sweep across docs/

Per Phase 1 audit at cowork/docs-overhaul-phase-1-audit-2026-05-04/.
Adds a `> Last reviewed: 2026-05-05` line right after the H1 heading
of every doc that didn't already have one (41 files).

This dates the freshness clock for the future Phase 4 per-doc review.
The discipline going forward: when a doc's content gets a meaningful
edit, bump the date. When the date gets old (e.g., >6 months), the
doc earns a freshness-review pass.

Mechanical insertion via awk one-liner, applied to every docs/*.md
that didn't already match `grep -q 'Last reviewed:'`. Files that
already carried the line from earlier Phase 2 work (the navigation
index, the new connector docs, the new SCEP server / legacy-clients-
TLS-1.2 / release-verification docs, and the 5 per-connector deep
dives) were skipped to avoid duplicate insertion.

Net: every doc in docs/ now has a Last reviewed line.

docs/reference/api.md

@@ -1,5 +1,7 @@
 # OpenAPI Specification Guide
 
+> Last reviewed: 2026-05-05
+
 certctl ships with a complete OpenAPI 3.1 specification at `api/openapi.yaml`. This spec documents all 78 API operations currently specified, every request/response schema, pagination conventions, authentication requirements, and error formats. It's the single source of truth for the documented REST API. (Note: The spec will be updated to include 7 additional certificate discovery endpoints from M18b.)
 
 This guide covers how to use the spec for API exploration, client SDK generation, and integration testing.

docs/reference/architecture.md

@@ -1,5 +1,7 @@
 # Architecture Guide
 
+> Last reviewed: 2026-05-05
+
 ## Contents
 
 1. [Overview](#overview)

docs/reference/deployment-model.md

@@ -1,5 +1,7 @@
 # Deployment Atomicity, Post-Deploy Verification, and Rollback
 
+> Last reviewed: 2026-05-05
+
 > Deploy-hardening I master bundle (v2.X.0). Operator + integrator
 > reference for the atomic-write + post-deploy TLS verify +
 > rollback pipeline that closes the procurement-checklist gap with

docs/reference/intermediate-ca-hierarchy.md

@@ -1,5 +1,7 @@
 # Intermediate CA hierarchy — operator runbook
 
+> Last reviewed: 2026-05-05
+
 Rank 8 of the 2026-05-03 deep-research deliverable. This page is the
 canonical reference for operators running certctl as a multi-level
 internal PKI.

docs/reference/mcp.md

@@ -1,5 +1,7 @@
 # MCP Server Guide
 
+> Last reviewed: 2026-05-05
+
 certctl ships with an MCP (Model Context Protocol) server that lets AI assistants manage your certificate infrastructure through natural language. Ask Claude to "show me all expiring certificates," "revoke the VPN cert," or "what agents are offline?" and the MCP server translates that into API calls against your certctl instance.
 
 This guide covers setup, configuration, and usage with Claude, Cursor, and other MCP-compatible tools.

docs/reference/protocols/acme-server-threat-model.md

@@ -1,5 +1,7 @@
 # ACME Server — Threat Model
 
+> Last reviewed: 2026-05-05
+
 Security posture for the certctl ACME server endpoint
 (`/acme/profile/<id>/*`). Read this before opening a PR that changes
 the JWS verifier, the challenge validators, the rate limiter, or the

docs/reference/protocols/acme-server.md

@@ -1,5 +1,7 @@
 # certctl ACME Server (Built-in)
 
+> Last reviewed: 2026-05-05
+
 certctl ships an RFC 8555 + RFC 9773 ARI ACME server endpoint at
 `/acme/profile/<profile-id>/*`. Any RFC 8555 client (cert-manager 1.15+,
 Caddy, Traefik, win-acme, certbot, Posh-ACME) can integrate with certctl

docs/reference/protocols/async-ca-polling.md

@@ -1,5 +1,7 @@
 # Async-CA Polling — Operator Reference
 
+> Last reviewed: 2026-05-05
+
 Closes audit fix #5 from the 2026-05-01 issuer-coverage acquisition-readiness audit.
 
 ## What this is

docs/reference/protocols/crl-ocsp.md

@@ -1,5 +1,7 @@
 # CRL & OCSP — Revocation Status for Relying Parties
 
+> Last reviewed: 2026-05-05
+
 This guide is the operator + relying-party reference for certctl's revocation
 status surfaces. It covers the wire format, endpoint URLs, configuration knobs,
 the OCSP responder cert lifecycle, and how to point common consumers

docs/reference/protocols/est.md

@@ -1,5 +1,7 @@
 # EST (RFC 7030) — Operator Guide
 
+> Last reviewed: 2026-05-05
+
 > **Status (this document):** EST RFC 7030 hardening master bundle Phases
 > 1–11 shipped on `master`; this guide is the Phase-12 deliverable
 > against the bundle. Every behavior described here is exercised by the

docs/reference/protocols/scep-intune.md

@@ -1,5 +1,7 @@
 # Microsoft Intune SCEP enrollment via certctl
 
+> Last reviewed: 2026-05-05
+
 > **Status (this document):** Phase 11 of the SCEP RFC 8894 + Intune master
 > bundle. The behavior described here is shipped on `master` and exercised
 > end-to-end by `internal/api/handler/scep_intune_e2e_test.go`. The

docs/reference/vendor-matrix.md

@@ -1,5 +1,7 @@
 # Deployment Vendor Compatibility Matrix
 
+> Last reviewed: 2026-05-05
+
 > Deploy-hardening II master bundle deliverable. The procurement-team
 > headline doc — SOC 2 / PCI auditors paste this into evidence packs.
 > Per frozen decision 0.14: a (connector × vendor-version) cell is