docs: convert remaining ASCII diagrams to mermaid (audit closure)

Audit pass over docs/ found 4 files with non-mermaid (ASCII
box-drawing) diagrams in fenced code blocks. The other 9 doc files
already used mermaid blocks (architecture.md, demo-advanced.md,
ci-pipeline.md, concepts.md, est.md, legacy-est-scep.md, mcp.md,
qa-test-guide.md, scep-intune.md). Rendering parity for everything
in docs/.

Conversions:

  approval-workflow.md
    1 ASCII swimlane → sequenceDiagram with named participants
    (Operator A / CertificateService / Job+ApprovalRequest /
    Operator B / ApprovalService / Scheduler). Same content: the
    same-actor RBAC reject path, the AwaitingApproval gate, the
    audit + Prometheus side effects.

  intermediate-ca-hierarchy.md
    1 lifecycle ASCII → stateDiagram-v2 (created → active → retiring
    → retired with the drain-first refusal annotation).
    3 ASCII tree patterns → 3 flowchart TD diagrams (FedRAMP 4-level
    boundary CA, financial-services 3-level policy CA, internal-PKI
    2-level). Same depth, same path_len + permitted-DNS labels.

  runbook-cloud-targets.md
    1 dual-column ASCII flow → flowchart TD with two subgraphs
    (AWS ACM path, Azure Key Vault path) joining at the audit +
    Prometheus exposer node. Same 6-step deploy sequence on each
    side with the rollback-on-mismatch step explicit.

  runbook-expiry-alerts.md
    1 nested-loop ASCII flow → flowchart TD with three nested
    subgraphs (per-cert main loop / per-threshold inner / per-channel
    fault-isolating dispatch). Same dedup + Prometheus + audit-row
    side effects per channel.

Verified locally:
  Audit re-run: every fenced block in docs/*.md that does NOT open
    with ```mermaid contains zero ASCII box-drawing characters
    (┌ └ │ ─ ━ ═ ║ ╔ ╚ ▼ ▲).
  Mermaid block tally: 39 across 13 files (up from 32 across 9
    files pre-audit). The +7 new blocks are the 4 conversions plus
    the lifecycle + 3 tree patterns expanded out of the single
    intermediate-ca-hierarchy.md ASCII section.

No code or test changes. Doc-only commit.

docs/runbook-expiry-alerts.md

@@ -14,36 +14,37 @@ walkthrough of how to install certctl — that lives in the README.
 
 ## End-to-end flow
 
-```
-                          daily ticker (renewalCheckLoop)
-                                        │
-                                        ▼
-                       RenewalService.CheckExpiringCertificates
-                                        │
-                       ┌────────────────┴────────────────┐
-                       │  for cert in expiring (≤30 days):│
-                       │    1. Resolve RenewalPolicy      │
-                       │    2. Compute daysUntil          │
-                       │    3. updateCertExpiryStatus     │
-                       │    4. sendThresholdAlerts ──────►│  per threshold:
-                       │    5. Create renewal job (if     │    a. resolve severity tier
-                       │       issuer registered + ARI    │       via AlertSeverityMap
-                       │       allows)                    │    b. resolve channel set
-                       └──────────────────────────────────┘       via AlertChannels[tier]
-                                                                  c. for each channel:
-                                                                     i.  dedup via
-                                                                         notification_events
-                                                                         (cert,threshold,channel)
-                                                                     ii. SendThresholdAlertOnChannel
-                                                                         → notifierRegistry[channel]
-                                                                         → Send(recipient,subj,body)
-                                                                     iii. record audit row
-                                                                          (event_type=expiration_alert_sent,
-                                                                           metadata.channel,
-                                                                           metadata.severity_tier)
-                                                                     iv.  bump Prometheus counter
-                                                                          certctl_expiry_alerts_total
-                                                                          {channel,threshold,result}
+```mermaid
+flowchart TD
+    Tick["daily ticker (renewalCheckLoop)"]
+    Check["RenewalService.CheckExpiringCertificates"]
+
+    Tick --> Check --> Loop
+
+    subgraph Loop["for cert in expiring (≤30 days)"]
+        L1["1. Resolve RenewalPolicy"]
+        L2["2. Compute daysUntil"]
+        L3["3. updateCertExpiryStatus"]
+        L4["4. sendThresholdAlerts"]
+        L5["5. Create renewal job<br/>(if issuer registered +<br/>ARI allows)"]
+        L1 --> L2 --> L3 --> L4 --> L5
+    end
+
+    L4 --> Threshold
+
+    subgraph Threshold["per threshold"]
+        T1["a. resolve severity tier<br/>via AlertSeverityMap"]
+        T2["b. resolve channel set<br/>via AlertChannels[tier]"]
+        T1 --> T2 --> Channel
+    end
+
+    subgraph Channel["for each channel (fault-isolating)"]
+        C1["i. dedup via notification_events<br/>(cert, threshold, channel)"]
+        C2["ii. SendThresholdAlertOnChannel<br/>→ notifierRegistry[channel]<br/>→ Send(recipient, subj, body)"]
+        C3["iii. record audit row<br/>event_type=expiration_alert_sent<br/>metadata.channel, metadata.severity_tier"]
+        C4["iv. bump Prometheus counter<br/>certctl_expiry_alerts_total<br/>{channel, threshold, result}"]
+        C1 --> C2 --> C3 --> C4
+    end
 ```
 
 The dispatch loop's per-channel error handling is