docs: convert remaining ASCII diagrams to mermaid (audit closure)

Audit pass over docs/ found 4 files with non-mermaid (ASCII
box-drawing) diagrams in fenced code blocks. The other 9 doc files
already used mermaid blocks (architecture.md, demo-advanced.md,
ci-pipeline.md, concepts.md, est.md, legacy-est-scep.md, mcp.md,
qa-test-guide.md, scep-intune.md). Rendering parity for everything
in docs/.

Conversions:

  approval-workflow.md
    1 ASCII swimlane → sequenceDiagram with named participants
    (Operator A / CertificateService / Job+ApprovalRequest /
    Operator B / ApprovalService / Scheduler). Same content: the
    same-actor RBAC reject path, the AwaitingApproval gate, the
    audit + Prometheus side effects.

  intermediate-ca-hierarchy.md
    1 lifecycle ASCII → stateDiagram-v2 (created → active → retiring
    → retired with the drain-first refusal annotation).
    3 ASCII tree patterns → 3 flowchart TD diagrams (FedRAMP 4-level
    boundary CA, financial-services 3-level policy CA, internal-PKI
    2-level). Same depth, same path_len + permitted-DNS labels.

  runbook-cloud-targets.md
    1 dual-column ASCII flow → flowchart TD with two subgraphs
    (AWS ACM path, Azure Key Vault path) joining at the audit +
    Prometheus exposer node. Same 6-step deploy sequence on each
    side with the rollback-on-mismatch step explicit.

  runbook-expiry-alerts.md
    1 nested-loop ASCII flow → flowchart TD with three nested
    subgraphs (per-cert main loop / per-threshold inner / per-channel
    fault-isolating dispatch). Same dedup + Prometheus + audit-row
    side effects per channel.

Verified locally:
  Audit re-run: every fenced block in docs/*.md that does NOT open
    with ```mermaid contains zero ASCII box-drawing characters
    (┌ └ │ ─ ━ ═ ║ ╔ ╚ ▼ ▲).
  Mermaid block tally: 39 across 13 files (up from 32 across 9
    files pre-audit). The +7 new blocks are the 4 conversions plus
    the lifecycle + 3 tree patterns expanded out of the single
    intermediate-ca-hierarchy.md ASCII section.

No code or test changes. Doc-only commit.

docs/runbook-cloud-targets.md

@@ -15,42 +15,39 @@ install certctl.
 
 ## End-to-end flow (cloud targets)
 
-```
-                  cert renewed → renewal job created
-                                          │
-                                          ▼
-            agent picks up DeployCertificate work item
-                                          │
-                                          ▼
-        target.Connector.DeployCertificate(ctx, request)
-                                          │
-                       ┌──────────────────┴──────────────────┐
-                       │                                     │
-                       ▼                                     ▼
-                  AWS ACM path                       Azure Key Vault path
-                       │                                     │
-                       ▼                                     ▼
-       1. (rotate-in-place only)            1. GetCertificate(name, "" /* latest */)
-          DescribeCertificate(arn)             — capture snapshot CER bytes
-       2. GetCertificate(arn) — capture     2. Build PFX from cert+chain+key
-          snapshot bytes for rollback          (PKCS#12 via go-pkcs12)
-       3. ImportCertificate(arn, new_bytes)  3. ImportCertificate(name, PFX, tags)
-          — fresh ARN OR rotate-in-place       — ALWAYS creates a new version
-       4. AddTagsToCertificate(arn,         4. (Tags carried forward
-          provenance) — ACM strips on          automatically)
-          re-import; we re-apply
-       5. DescribeCertificate(arn) — verify 5. GetCertificate(name, "" /* latest */)
-          serial matches expected              — verify serial matches expected
-       6. ON MISMATCH: rollback ←──── (same shape) ────→ 6. ON MISMATCH: rollback
-          ImportCertificate(arn,                            ImportCertificate(name,
-          snapshot_bytes)                                   snapshot_PFX) — new version
-                                          │
-                                          ▼
-       7. Audit row + Prometheus counter
-          certctl_deploy_attempts_total{target_type="AWSACM"|"AzureKeyVault",
-                                        result="success"|"failure"}
-          certctl_deploy_rollback_total{target_type=...,
-                                        outcome="restored"|"also_failed"}
+```mermaid
+flowchart TD
+    Renew["cert renewed → renewal job created"]
+    Pick["agent picks up DeployCertificate work item"]
+    Dispatch["target.Connector.DeployCertificate(ctx, request)"]
+
+    Renew --> Pick --> Dispatch
+    Dispatch --> AWS
+    Dispatch --> AZ
+
+    subgraph AWS["AWS ACM path"]
+        A1["1. rotate-in-place only:<br/>DescribeCertificate(arn)"]
+        A2["2. GetCertificate(arn) —<br/>capture snapshot bytes for rollback"]
+        A3["3. ImportCertificate(arn, new_bytes) —<br/>fresh ARN OR rotate-in-place"]
+        A4["4. AddTagsToCertificate(arn, provenance) —<br/>ACM strips on re-import; we re-apply"]
+        A5["5. DescribeCertificate(arn) —<br/>verify serial matches expected"]
+        A6["6. ON MISMATCH: rollback<br/>ImportCertificate(arn, snapshot_bytes)"]
+        A1 --> A2 --> A3 --> A4 --> A5 --> A6
+    end
+
+    subgraph AZ["Azure Key Vault path"]
+        Z1["1. GetCertificate(name, '' = latest) —<br/>capture snapshot CER bytes"]
+        Z2["2. Build PFX from cert+chain+key<br/>(PKCS#12 via go-pkcs12)"]
+        Z3["3. ImportCertificate(name, PFX, tags) —<br/>ALWAYS creates a new version"]
+        Z4["4. Tags carried forward automatically"]
+        Z5["5. GetCertificate(name, '' = latest) —<br/>verify serial matches expected"]
+        Z6["6. ON MISMATCH: rollback<br/>ImportCertificate(name, snapshot_PFX) —<br/>new version"]
+        Z1 --> Z2 --> Z3 --> Z4 --> Z5 --> Z6
+    end
+
+    A6 --> Audit
+    Z6 --> Audit
+    Audit["7. Audit row + Prometheus counters<br/>certctl_deploy_attempts_total{target_type, result}<br/>certctl_deploy_rollback_total{target_type, outcome}"]
 ```
 
 ---