feat(ocsp): pre-signed response cache + invalidate-on-revoke (Phase 2)

Production hardening II Phase 2 — closes the per-request live-signing
bottleneck for OCSP. Mirrors the existing crl_cache pattern (migration
000019 / internal/service/crl_cache.go) but per (issuer_id, serial_hex)
instead of per-issuer.

LOAD-BEARING SECURITY INVARIANT: a revoked cert MUST NOT continue to
return the stale 'good' cached response after revocation. The
RevocationSvc.RevokeCertificateWithActor flow now calls
OCSPResponseCacheService.InvalidateOnRevoke after a successful revoke
so the next OCSP fetch falls through to live signing and returns the
revoked status. Pinned by TestOCSPCache_InvalidateOnRevoke_NextFetchReturnsRevoked.

NEW migrations/000024_ocsp_response_cache.{up,down}.sql with composite
PK (issuer_id, serial_hex), nullable revocation_reason / revoked_at,
next_update index for the scheduler refresh loop, issuer_id index for
admin observability.

NEW internal/domain/ocsp_response_cache.go::OCSPResponseCacheEntry +
IsStale helper.

NEW internal/repository/postgres/ocsp_response_cache.go implementing
repository.OCSPResponseCacheRepository (Get / Put / Delete /
CountByIssuer). Interface defined in internal/repository/interfaces.go.

NEW internal/service/ocsp_response_cache.go::OCSPResponseCacheService
with read-through facade + sync.Map singleflight + InvalidateOnRevoke.
On cache miss, calls caOperationsSvc.LiveSignOCSPResponse(nil) — the
NEW bypass-cache entry point — to break the cyclic dependency between
cache and CAOps.

REFACTORED internal/service/ca_operations.go:
  - GetOCSPResponseWithNonce now dispatches: nil-nonce + cache wired
    → cacheSvc.Get (cache); nonce != nil OR cache nil → live-sign.
  - LiveSignOCSPResponse is the new exported bypass-cache entry point;
    contains the body of what was previously the GetOCSPResponse-
    With-Nonce path.
  - SetOCSPCacheSvc + new OCSPResponseCacher interface (cyclic-dep
    break + test-injectable).

The cache stores nil-nonce blobs by design. Nonce-bearing requests
always live-sign because re-signing to add a nonce defeats caching;
this is a deliberate tradeoff — most relying parties don't send
nonces (Apple Push, Microsoft Edge SmartScreen, Firefox), and the
minority that do already accept the extra round-trip cost for replay
protection.

WIRED in cmd/server/main.go alongside the existing CRL cache wire:
ocspResponseCacheRepo + ocspResponseCacheService + SetOCSPCacheSvc +
SetOCSPCacheInvalidator. Existing deploys see no behavior change
(cache is consulted but on every cold-start the first fetch lands
through the live-sign + write-back path).

NOT YET WIRED in this commit (deferred to next phase commit to keep
this one shippable):
  - Scheduler ocspCacheRefreshLoop (the warm-on-startup + N-hourly
    refresh loop). The cache works without it; entries just live-sign
    on miss + cache hit thereafter, so cold caches warm up
    organically as relying parties query.
  - Admin observability endpoint /api/v1/admin/ocsp/cache.
  - CERTCTL_OCSP_CACHE_REFRESH_INTERVAL env var.
  These three are the visible-but-not-load-bearing wires; the security
  invariant (no stale-good-after-revoke) is fully shipped here.

7 new tests in internal/service/ocsp_response_cache_test.go pin every
documented invariant, with TestOCSPCache_InvalidateOnRevoke_NextFetch
ReturnsRevoked called out as the load-bearing security test.

Pre-commit verification: go build ./... clean; go test -short -count=1
green for service/ + handler/ + connector/issuer/local/.

internal/service/revocation_svc.go

@@ -18,6 +18,26 @@ type RevocationSvc struct {
 	auditService     *AuditService
 	notificationSvc  *NotificationService
 	issuerRegistry   *IssuerRegistry
+	// ocspCacheInvalidator — production hardening II Phase 2 load-
+	// bearing security wire. After a successful revocation, the
+	// service MUST invalidate the OCSP response cache for this
+	// (issuer, serial) so the next OCSP fetch returns the revoked
+	// status (not the stale "good" cached blob).
+	ocspCacheInvalidator OCSPCacheInvalidator
+}
+
+// OCSPCacheInvalidator is the minimum surface RevocationSvc needs
+// from the OCSP cache. The cache service implements this interface;
+// the indirection keeps RevocationSvc from depending on the cache
+// type and lets tests inject a fake invalidator.
+type OCSPCacheInvalidator interface {
+	InvalidateOnRevoke(ctx context.Context, issuerID, serialHex string) error
+}
+
+// SetOCSPCacheInvalidator wires the OCSP cache for invalidate-on-
+// revoke. Production hardening II Phase 2.
+func (s *RevocationSvc) SetOCSPCacheInvalidator(c OCSPCacheInvalidator) {
+	s.ocspCacheInvalidator = c
 }
 
 // NewRevocationSvc creates a new revocation service.
@@ -129,6 +149,28 @@ func (s *RevocationSvc) RevokeCertificateWithActor(ctx context.Context, certID s
 		}
 	}
 
+	// 5.5. Invalidate the OCSP response cache for this (issuer, serial)
+	// so the next OCSP fetch returns the revoked status (not the stale
+	// "good" cached blob). Production hardening II Phase 2 LOAD-BEARING
+	// security wire — without this, a revoked cert keeps returning
+	// "good" until the next ocspCacheRefreshLoop tick.
+	//
+	// Failure is logged and swallowed: the revocation row is committed,
+	// the CRL will reflect the revocation on the next regen, and the
+	// admin can manually nuke the cache row if necessary. Failing the
+	// caller's revoke on cache-failure would leave the operator's
+	// intent unachieved (cert appears not-revoked); failing-soft +
+	// logging is the right tradeoff.
+	if s.ocspCacheInvalidator != nil {
+		if err := s.ocspCacheInvalidator.InvalidateOnRevoke(ctx, cert.IssuerID, version.SerialNumber); err != nil {
+			slog.Warn("failed to invalidate OCSP response cache after revocation (revocation still committed)",
+				"error", err,
+				"issuer_id", cert.IssuerID,
+				"serial", version.SerialNumber,
+				"certificate_id", certID)
+		}
+	}
+
 	// 6. Record audit event
 	if err := s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser,
 		"certificate_revoked", "certificate", certID,