docs(scep): RFC 8894 hardening — README + architecture + connectors

SCEP RFC 8894 + Intune master bundle — Phase 6 of 14.

Closes Half 1 of the bundle (Phases 0-6). The certctl SCEP server now
ships full RFC 8894 wire format (EnvelopedData decrypt + signerInfo POPO
verify + CertRep PKIMessage builder), tested against ChromeOS-shape
hermetic E2E requests, with multi-profile dispatch and must-staple
per-profile policy. Half 2 (Phases 7-12) adds the Microsoft Intune
dynamic-challenge layer; Phase 6.5 (mTLS sibling route) is independently
shippable as an opt-in enterprise-procurement feature.

README.md
  * Standards & Revocation table SCEP row updated to mention full RFC
    8894 wire format (EnvelopedData decryption, signerInfo POPO
    verification, CertRep PKIMessage builder), PKCSReq + RenewalReq +
    GetCertInitial messageType dispatch, multi-profile dispatch
    (/scep/<pathID>), per-profile RA cert + key, MVP fall-through for
    lightweight clients.
  * Enrollment protocols paragraph extended with the same scope, plus
    a link to docs/legacy-est-scep.md for the operator + device-
    integration guide.

docs/architecture.md
  * SCEP wire format paragraph rewritten to describe the two paths
    (RFC 8894 first, MVP fall-through), the messageType dispatch
    table, the EnvelopedData decrypt (constant-time PKCS#7 unpad
    closing the padding-oracle leg), the SET-OF Attribute
    re-serialisation quirk per RFC 5652 §5.4, and the CertRep
    PKIMessage shape (cert chain encrypted to req.SignerCert, NOT
    the RA cert).
  * SCEP service interface updated to show the three new
    *WithEnvelope variants alongside the legacy PKCSReq method.
  * Added 'Capabilities advertised', 'Multi-profile dispatch', and
    'Must-staple per profile' subsections covering the RFC 7633
    extension policy.

docs/connectors.md
  * EST/SCEP Integration section extended with the per-profile
    issuer-binding env-var form (CERTCTL_SCEP_PROFILE_<NAME>_ISSUER_ID).
  * New SCEP RA cert + key paragraph pointing operators at the
    legacy-est-scep.md openssl recipe + ChromeOS Admin Console
    pointer + must-staple per-profile policy.

cowork/CLAUDE.md::Active Focus
  * 2026-04-29 SCEP RFC 8894 + Intune master bundle status updated
    to 'HALF 1 COMPLETE (Phases 0-5 of 14 SHIPPED)' with the full
    chain of commit SHAs (770ddd5 → 6d30493 → f5a20a6 → df0a4dd +
    3023144 → 35fcfa7).
  * Unreleased-on-master bullet extended to enumerate the SCEP
    bundle deliverables alongside the CRL/OCSP work, plus the new
    SCEP env vars (CERTCTL_SCEP_RA_*_PATH, CERTCTL_SCEP_PROFILES,
    CERTCTL_SCEP_PROFILE_<NAME>_*).

cowork/CLAUDE.md::Architecture Decisions
  * Added a new bullet for 'SCEP RFC 8894 native implementation
    (post-2026-04-29)' covering the load-bearing design decisions:
    EnvelopedData decrypt with constant-time padding strip, the
    SET-OF re-serialisation quirk, the dispatch-on-messageType
    pattern, multi-profile dispatch, the MVP fall-through contract,
    capability advertisement, ChromeOS-shape E2E test, must-staple
    per-profile.

Smoke test against fresh make docker-up SKIPPED in this commit — the
sandbox doesn't have Docker available. The full smoke recipe is in
the Phase 6.3 prompt; CI runs the full integration suite via the
standard docker-compose.test.yml workflow on the next push.

Verification (sandbox):
  * gofmt + go vet + staticcheck clean for all touched paths.
  * go test -short -count=1 green across api/handler / api/router /
    service / pkcs7 / connector/issuer/local / domain / cmd/server.
  * Coverage held: handler 79.0% / service 73.2% / pkcs7 80.5% /
    config 96.0% / domain 88.6% / router 100%.

Phase 6 of 14 in SCEP RFC 8894 + Intune master bundle.
Half 1 COMPLETE. Half 2 (Phases 7-12, Microsoft Intune dynamic-
challenge layer) ready to begin.

docs/connectors.md

@@ -327,7 +327,9 @@ The `GetCACertPEM()` method returns the PEM-encoded CA certificate chain, used b
 - **step-ca**: Returns error — step-ca serves its own `/root` endpoint for CA distribution.
 - **OpenSSL/Custom CA**: Returns error — custom script-based CAs have no CA cert access through certctl.
 
-Note: EST and SCEP are not connectors — they are protocol handlers (`internal/api/handler/est.go` and `internal/api/handler/scep.go`) that delegate certificate issuance to whichever issuer connector is configured via `CERTCTL_EST_ISSUER_ID` or `CERTCTL_SCEP_ISSUER_ID`. Both share a common `internal/pkcs7` package for PKCS#7 response encoding. See the [Architecture Guide](architecture.md#est-server-rfc-7030) for details.
+Note: EST and SCEP are not connectors — they are protocol handlers (`internal/api/handler/est.go` and `internal/api/handler/scep.go`) that delegate certificate issuance to whichever issuer connector is configured via `CERTCTL_EST_ISSUER_ID` or `CERTCTL_SCEP_ISSUER_ID` (or the per-profile `CERTCTL_SCEP_PROFILE_<NAME>_ISSUER_ID` form for multi-endpoint SCEP). Both share a common `internal/pkcs7` package for PKCS#7 response encoding. See the [Architecture Guide](architecture.md#est-server-rfc-7030) for details.
+
+**SCEP RA cert + key (post-2026-04-29):** the SCEP server's RFC 8894 path requires an RA cert/key pair (`CERTCTL_SCEP_RA_CERT_PATH` + `CERTCTL_SCEP_RA_KEY_PATH`, mode 0600) — clients encrypt their CSR to the RA cert's public key per RFC 8894 §3.2.2. Multi-profile deployments configure per-profile pairs via `CERTCTL_SCEP_PROFILES=corp,iot` + `CERTCTL_SCEP_PROFILE_<NAME>_RA_*_PATH`. See [`legacy-est-scep.md`](legacy-est-scep.md#scep-rfc-8894-native-implementation-post-2026-04-29) for the openssl recipe + ChromeOS Admin Console pointer + must-staple per-profile policy.
 
 ### Built-in: Vault PKI