feat(M49): Entrust, GlobalSign & EJBCA issuer connectors

Add three new issuer connectors completing commercial and open-source CA
coverage. Entrust uses mTLS client certificate auth with sync/async
issuance. GlobalSign Atlas uses mTLS + API key/secret dual auth with
serial-based tracking. EJBCA supports dual auth (mTLS or OAuth2) for
self-hosted Keyfactor CAs.

Each connector implements the full issuer.Connector interface (9 methods),
includes httptest-based unit tests (~14 each), and follows established
patterns (injectable HTTP clients, RFC 5280 revocation reason mapping,
CRL/OCSP delegated to CA).

Also includes: issuer factory cases, env var seeding, config structs,
domain types, seed data (3 rows, all disabled), OpenAPI enum updates,
frontend issuer catalog entries with config fields, and full docs
(connectors.md, architecture.md, features.md, README).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/domain/connector.go

@@ -81,7 +81,10 @@ const (
 	IssuerTypeDigiCert  IssuerType = "DigiCert"
 	IssuerTypeSectigo   IssuerType = "Sectigo"
 	IssuerTypeGoogleCAS IssuerType = "GoogleCAS"
-	IssuerTypeAWSACMPCA IssuerType = "AWSACMPCA"
+	IssuerTypeAWSACMPCA  IssuerType = "AWSACMPCA"
+	IssuerTypeEntrust    IssuerType = "Entrust"
+	IssuerTypeGlobalSign IssuerType = "GlobalSign"
+	IssuerTypeEJBCA      IssuerType = "EJBCA"
 )
 
 // TargetType represents the type of deployment target.