docs(features): reconcile env-var inventory with config.go (G-3 master)

Closes three 2026-04-24 audit findings (all P2, all category cat-g):

  - cat-g-renewal_check_interval_rename_drift: features.md:152
    advertised CERTCTL_RENEWAL_CHECK_INTERVAL but config.go renamed
    that to CERTCTL_SCHEDULER_RENEWAL_CHECK_INTERVAL. Fixed in prose
    + the scheduler-loops table on line 1117.

  - cat-g-b8f8f8796159: 6 env vars in config.go that were never
    documented:
      CERTCTL_DATABASE_MIGRATIONS_PATH
      CERTCTL_JOB_AWAITING_APPROVAL_TIMEOUT
      CERTCTL_JOB_AWAITING_CSR_TIMEOUT
      CERTCTL_SCHEDULER_AGENT_HEALTH_CHECK_INTERVAL
      CERTCTL_SCHEDULER_JOB_PROCESSOR_INTERVAL
      CERTCTL_SCHEDULER_NOTIFICATION_PROCESS_INTERVAL
    Added to the scheduler-loops table at features.md:1117 and
    (DATABASE_MIGRATIONS_PATH) to the new Database Schema preamble.

  - cat-g-163dae19bc59: 37 env vars in docs not defined in config.go.
    The audit's strict comm over-flagged this set: most "phantoms"
    are integration-surface contracts (script env vars certctl
    EXPORTS to user-provided ACME DNS-01 / OpenSSL CA scripts;
    StepCA / Webhook per-issuer-or-notifier config-blob field
    names; CERTCTL_QA_* test fixtures; agent-side env vars defined
    in cmd/agent/main.go). The closure narrows the gate to the
    one true phantom (the rename) and allowlists the documented
    integration contracts in the CI guard. Each allowlist entry
    has a one-line justification.

CI regression guardrail:
- .github/workflows/ci.yml::"Forbidden env-var docs drift regression
  guard (G-3)" — runs `comm -23` both ways between the env vars
  defined in Go source (config.go + cmd/* + ACME DNS export +
  test fixtures) and env vars mentioned in README + docs/ +
  deploy/helm/. Fails the build if either set is non-empty modulo
  the documented integration-surface allowlist.

Verification:
- comm -23 docs vs defined → empty post-fix (allowlist applied)
- comm -23 defined vs docs → empty post-fix
- golangci-lint v2.11.4 run ./... → 0 issues
- tsc --noEmit → clean
- S-1 stale-counts guardrail still passes

Audit findings closed:
- cat-g-163dae19bc59 (P2, docs-only env vars)
- cat-g-b8f8f8796159 (P2, config-only env vars)
- cat-g-renewal_check_interval_rename_drift (P2, renamed env var still in docs)

Deferred follow-ups:
- The 26 documented-but-unimplemented integration contracts on the
  allowlist (CERTCTL_OPENSSL_*, CERTCTL_ACME_EAB_*, CERTCTL_WEBHOOK_*,
  CERTCTL_AUDIT_EXCLUDE_PATHS, CERTCTL_TLS_*, CERTCTL_ACME_DNS_PROPAGATION_WAIT)
  are documented in features.md / connectors.md / demo-advanced.md but
  not yet read by any Go source. Either implement in config.go (each is
  its own M-X) or delete from docs (separate cleanup PR). Neither
  expansion fits inside G-3's "reconcile drift" scope.

docs/features.md

@@ -149,7 +149,7 @@ Every API call is recorded to the immutable audit trail. Best-effort (non-blocki
 
 <!-- Source: internal/scheduler/scheduler.go (renewalCheckLoop, 1-hour default interval) -->
 
-The renewal scheduler runs every hour (configurable via `CERTCTL_RENEWAL_CHECK_INTERVAL`). For each certificate approaching expiration:
+The renewal scheduler runs every hour (configurable via `CERTCTL_SCHEDULER_RENEWAL_CHECK_INTERVAL`). For each certificate approaching expiration:
 
 1. Checks ACME ARI (RFC 9773) if available — CA-directed renewal timing takes priority
 2. Falls back to threshold-based logic using per-policy `alert_thresholds_days` (default `[30, 14, 7, 0]`)
@@ -1114,12 +1114,12 @@ Single SQL `UNION` query replaces the previous "fetch all, filter in Go" approac
 
 | Loop | Default Interval | Always-on | Env Var | Description |
 |---|---|---|---|---|
-| Renewal check | 1 hour | Yes | — | Check expiring certs, query ARI, create renewal jobs |
-| Job processor | 30 seconds | Yes | — | Process pending jobs |
+| Renewal check | 1 hour | Yes | `CERTCTL_SCHEDULER_RENEWAL_CHECK_INTERVAL` | Check expiring certs, query ARI, create renewal jobs |
+| Job processor | 30 seconds | Yes | `CERTCTL_SCHEDULER_JOB_PROCESSOR_INTERVAL` | Process pending jobs |
 | Job retry | 5 minutes | Yes | `CERTCTL_SCHEDULER_RETRY_INTERVAL` | Retry Failed jobs (I-001) |
-| Job timeout reaper | 10 minutes | Yes | `CERTCTL_JOB_TIMEOUT_INTERVAL` | Fail AwaitingCSR/AwaitingApproval jobs past timeout (I-003) |
-| Agent health check | 2 minutes | Yes | — | Check agent heartbeat staleness |
-| Notification processor | 1 minute | Yes | — | Send queued notifications |
+| Job timeout reaper | 10 minutes | Yes | `CERTCTL_JOB_TIMEOUT_INTERVAL` (per-state thresholds: `CERTCTL_JOB_AWAITING_APPROVAL_TIMEOUT`, `CERTCTL_JOB_AWAITING_CSR_TIMEOUT`) | Fail AwaitingCSR/AwaitingApproval jobs past timeout (I-003) |
+| Agent health check | 2 minutes | Yes | `CERTCTL_SCHEDULER_AGENT_HEALTH_CHECK_INTERVAL` | Check agent heartbeat staleness |
+| Notification processor | 1 minute | Yes | `CERTCTL_SCHEDULER_NOTIFICATION_PROCESS_INTERVAL` | Send queued notifications |
 | Notification retry | 2 minutes | Yes | `CERTCTL_NOTIFICATION_RETRY_INTERVAL` | Exponential backoff retry for failed notifications; promote to dead-letter after 5 attempts (I-005) |
 | Short-lived expiry check | 30 seconds | Yes | — | Mark short-lived certs expired |
 | Network scan | 6 hours | Opt-in | `CERTCTL_NETWORK_SCAN_ENABLED` | Run network discovery scans |
@@ -1369,7 +1369,9 @@ Config via `values.yaml`. Secrets for API key, database password, SMTP password.
 
 <!-- Source: migrations/ -->
 
-21 tables across 10 numbered migrations. PostgreSQL 16. `database/sql` + `lib/pq` (no ORM). TEXT primary keys with human-readable prefixed IDs.
+PostgreSQL 16, `database/sql` + `lib/pq` (no ORM). TEXT primary keys with human-readable prefixed IDs. The catalog of tables and migrations rebuilds via the commands in the "At a Glance" table at the top of this doc — re-derive at release time rather than reading hardcoded numbers from prose.
+
+The migration runner reads SQL files from `./migrations/` by default; the path is configurable via `CERTCTL_DATABASE_MIGRATIONS_PATH` for operators running certctl out of a non-standard layout (e.g. a Helm chart that bind-mounts migrations into `/etc/certctl/migrations/`).
 
 ### Migrations