feat: add network certificate discovery (M21) and Prometheus metrics (M22)

M21 adds server-side active TLS scanning of CIDR ranges with concurrent
probing, sentinel agent pattern for pipeline reuse, and full CRUD API for
scan targets. M22 adds Prometheus exposition format endpoint alongside
existing JSON metrics. Comprehensive documentation audit updates all docs
to reflect 91 endpoints, 19 tables, 6 scheduler loops, and 900+ tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

migrations/000007_network_discovery.up.sql

@@ -0,0 +1,21 @@
+-- Migration 000007: Network Discovery (Active TLS Scanning)
+-- The control plane actively scans network endpoints for TLS certificates.
+-- Results feed into the existing discovery pipeline (discovered_certificates table).
+
+-- Network scan targets define CIDR ranges and ports to probe for TLS certificates
+CREATE TABLE IF NOT EXISTS network_scan_targets (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL,
+    cidrs TEXT[] NOT NULL DEFAULT '{}',
+    ports INTEGER[] NOT NULL DEFAULT '{443}',
+    enabled BOOLEAN NOT NULL DEFAULT TRUE,
+    scan_interval_hours INTEGER NOT NULL DEFAULT 6,
+    timeout_ms INTEGER NOT NULL DEFAULT 5000,
+    last_scan_at TIMESTAMPTZ,
+    last_scan_duration_ms INTEGER,
+    last_scan_certs_found INTEGER,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_network_scan_targets_enabled ON network_scan_targets(enabled) WHERE enabled = TRUE;