feat(m28+m29+m30): ACME ARI, email digest, and Helm chart

M28: ACME Renewal Information (RFC 9702) — CA-directed renewal timing
with cert ID computation, directory endpoint discovery, graceful
degradation for non-ARI CAs. 19 tests.

M29: Email notifier wiring + scheduled certificate digest — SMTP
connector bridged to service layer via NotifierAdapter, DigestService
with HTML email template, 7th scheduler loop (24h), digest preview/send
API endpoints and GUI card. 21 tests.

M30: Production-ready Helm chart — server Deployment, PostgreSQL
StatefulSet, agent DaemonSet, ConfigMaps, Secrets, Ingress, security
contexts, health probes, example values for dev/prod/ACME scenarios.

Also: OpenAPI spec updates, MCP tool additions, CI helm-lint job,
documentation updates across 5 doc files and README.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/connector/issuer/acme/acme.go

@@ -54,6 +54,10 @@ type Config struct {
 	// Used to construct the TXT record value: "<issuer-domain>; accounturi=<account-uri>".
 	// Required when ChallengeType is "dns-persist-01". For Let's Encrypt, use "letsencrypt.org".
 	DNSPersistIssuerDomain string `json:"dns_persist_issuer_domain,omitempty"`
+
+	// ARIEnabled enables ACME Renewal Information (RFC 9702) support per CERTCTL_ACME_ARI_ENABLED.
+	// When enabled, the connector queries the CA's ARI endpoint to get CA-directed renewal timing.
+	ARIEnabled bool `json:"ari_enabled,omitempty"`
 }
 
 // Connector implements the issuer.Connector interface for ACME-compatible CAs