docs: fix 16 discrepancies found by cross-validating all docs against source code

CLI syntax corrected across 5 files (concepts, demo-guide, demo-advanced,
architecture, features): list-certs→certs list, get-cert→certs get, etc.
Removed non-existent health/metrics commands, replaced with status.
Subcommand count 10→12 everywhere.

architecture.md: Go 1.22→1.25, endpoint count 91→93, ER diagram expanded
from 15 to 21 tables (added renewal_policies, certificate_revocations,
discovered_certificates, discovery_scans, network_scan_targets).

connectors.md: added GenerateCRL and SignOCSPResponse to issuer interface,
added Email and Webhook rows to notifier config table.

compliance docs: fixed keygen warning messages to match actual log output,
CERTCTL_STEPCA_PROVISIONER_KEY→CERTCTL_STEPCA_KEY_PATH, openssl genrsa→
crypto/ecdsa.GenerateKey, CERTCTL_SERVER_ADDR→CERTCTL_SERVER_HOST+PORT.

README.md: v2.0.0 version bump, solo developer mention, feature list,
table of contents, documentation table moved to top, 7 fact-check fixes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/demo-guide.md

@@ -154,30 +154,29 @@ export CERTCTL_SERVER_URL="http://localhost:8443"
 export CERTCTL_API_KEY="test-key-123"
 
 # List certificates (JSON or table format)
-./certctl-cli list-certs --format json
-./certctl-cli list-certs --format table
+./certctl-cli --format json certs list
+./certctl-cli certs list
 
 # Get certificate details
-./certctl-cli get-cert mc-api-prod
+./certctl-cli certs get mc-api-prod
 
 # Trigger renewal
-./certctl-cli renew-cert mc-api-prod
+./certctl-cli certs renew mc-api-prod
 
 # Revoke a certificate (with RFC 5280 reason)
-./certctl-cli revoke-cert mc-api-prod --reason keyCompromise
+./certctl-cli certs revoke mc-api-prod --reason keyCompromise
 
 # List agents
-./certctl-cli list-agents
+./certctl-cli agents list
 
 # List pending jobs
-./certctl-cli list-jobs
+./certctl-cli jobs list
 
 # Bulk import certificates from PEM files
 ./certctl-cli import /path/to/certs.pem
 
-# Check health and metrics
-./certctl-cli health
-./certctl-cli metrics
+# Check system health and stats
+./certctl-cli status
 ```
 
 ## MCP Server for AI Integration
@@ -243,7 +242,7 @@ If you're demoing to a team or customer, here's a suggested flow:
 10. **Show certificate discovery** — "We discover certificates two ways: agents scan local filesystems, and the server actively probes TLS endpoints on your network. We deduplicate by fingerprint, show you what we found, and let you claim them or dismiss them"
 11. **Show the immutable audit trail** — "Every action in the system is recorded: who did it, what they did, when, what changed. Export to CSV/JSON for compliance"
 12. **Show advanced query features** — "Sort by any field, filter by date range, paginate efficiently with cursor-based pagination, select just the fields you need"
-13. **Show the CLI and MCP server** — "Terminal users get `certctl-cli` with 10 subcommands. AI assistants get MCP integration with 78 tools. Everything is API-first"
+13. **Show the CLI and MCP server** — "Terminal users get `certctl-cli` with 12 subcommands. AI assistants get MCP integration with 78 tools. Everything is API-first"
 
 The whole walkthrough takes 5-10 minutes.