feat(M34): dynamic issuer configuration with encrypted config storage

Replace static env-var-based issuer wiring with GUI-driven dynamic
configuration stored encrypted in PostgreSQL. Operators can now
configure, test, enable/disable, and manage issuers from the dashboard
without restarting the server.

Key changes:
- AES-256-GCM encryption for sensitive issuer config at rest (PBKDF2
  key derivation with 100k iterations)
- Dynamic IssuerRegistry with sync.RWMutex replacing static map
- Connector factory pattern (issuerfactory.NewFromConfig) replacing
  140 lines of static wiring in main.go
- Migration 000009: encrypted_config, last_tested_at, test_status,
  source columns on issuers table
- Env var seeding on first boot with ON CONFLICT DO NOTHING
- Registry Rebuild() for atomic map swap after CRUD operations
- Issuer type validation against domain constants on Create
- Audit trail for test connection results
- Conditional seeding for step-ca/OpenSSL (only when env vars set)
- GUI: source badge, connection test status on issuer detail page

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/src/api/types.ts

@@ -142,6 +142,12 @@ export interface Issuer {
   status: string;
   /** Backend returns enabled boolean; status is derived from this */
   enabled: boolean;
+  /** Timestamp of last connection test */
+  last_tested_at?: string;
+  /** Result of last connection test: "untested", "success", or "failed" */
+  test_status?: string;
+  /** Config source: "database" (GUI-created) or "env" (env var seeded) */
+  source?: string;
   created_at: string;
   updated_at?: string;
 }