feat: M11a — certificate profiles, crypto policy enforcement, short-lived cert expiry

Add certificate profiles as named enrollment templates that control allowed
key algorithms, max TTL, permitted EKUs, required SAN patterns, and optional
SPIFFE URI SANs. CSR submissions are validated against profile rules at
signing time (key type + minimum size). Short-lived certs (TTL < 1 hour)
auto-expire via a new scheduler loop — expiry acts as revocation, no
CRL/OCSP needed.

New files:
- Migration 000003: certificate_profiles table, FK columns on
  managed_certificates/renewal_policies, key metadata on certificate_versions
- domain/profile.go: CertificateProfile + KeyAlgorithmRule structs
- repository/postgres/profile.go: full CRUD with JSONB marshaling
- service/profile.go: ProfileService with validation + audit logging
- service/crypto_validation.go: CSR-against-profile validation (RSA/ECDSA/Ed25519)
- handler/profiles.go: 5 HTTP endpoints under /api/v1/profiles
- web/src/pages/ProfilesPage.tsx: profiles management page

Modified:
- renewal.go: CSR validation in CompleteAgentCSRRenewal, ExpireShortLivedCertificates
- scheduler.go: 30s short-lived expiry check loop
- certificate.go (repo): nullable profile FK, key metadata on versions
- main.go: profile repo/service/handler wiring, 8-param NewRenewalService
- router.go: 12-param RegisterHandlers with profile routes
- seed_demo.sql: 4 demo profiles (standard, mtls, short-lived, high-security)
- Frontend: types, API client, routing, sidebar nav

Tests: 40 new tests across handler (15), service (13), crypto validation (12)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/src/pages/ProfilesPage.tsx

@@ -0,0 +1,129 @@
+import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
+import { getProfiles, deleteProfile } from '../api/client';
+import PageHeader from '../components/PageHeader';
+import DataTable from '../components/DataTable';
+import type { Column } from '../components/DataTable';
+import StatusBadge from '../components/StatusBadge';
+import ErrorState from '../components/ErrorState';
+import { formatDateTime } from '../api/utils';
+import type { CertificateProfile } from '../api/types';
+
+function formatTTL(seconds: number): string {
+  if (seconds === 0) return 'No limit';
+  if (seconds < 60) return `${seconds}s`;
+  if (seconds < 3600) return `${Math.floor(seconds / 60)}m`;
+  if (seconds < 86400) return `${Math.floor(seconds / 3600)}h`;
+  return `${Math.floor(seconds / 86400)}d`;
+}
+
+export default function ProfilesPage() {
+  const queryClient = useQueryClient();
+
+  const { data, isLoading, error, refetch } = useQuery({
+    queryKey: ['profiles'],
+    queryFn: () => getProfiles(),
+  });
+
+  const deleteMutation = useMutation({
+    mutationFn: deleteProfile,
+    onSuccess: () => queryClient.invalidateQueries({ queryKey: ['profiles'] }),
+  });
+
+  const columns: Column<CertificateProfile>[] = [
+    {
+      key: 'name',
+      label: 'Profile',
+      render: (p) => (
+        <div>
+          <div className="font-medium text-slate-200">{p.name}</div>
+          <div className="text-xs text-slate-500 font-mono">{p.id}</div>
+          {p.description && (
+            <div className="text-xs text-slate-400 mt-0.5 max-w-xs truncate">{p.description}</div>
+          )}
+        </div>
+      ),
+    },
+    {
+      key: 'algorithms',
+      label: 'Key Algorithms',
+      render: (p) => (
+        <div className="flex flex-wrap gap-1">
+          {(p.allowed_key_algorithms || []).map((alg, i) => (
+            <span key={i} className="badge badge-neutral text-xs">
+              {alg.algorithm} {alg.min_size}+
+            </span>
+          ))}
+        </div>
+      ),
+    },
+    {
+      key: 'ttl',
+      label: 'Max TTL',
+      render: (p) => (
+        <div>
+          <span className="text-slate-200">{formatTTL(p.max_ttl_seconds)}</span>
+          {p.allow_short_lived && (
+            <span className="ml-2 text-xs text-amber-400 bg-amber-400/10 px-1.5 py-0.5 rounded">
+              short-lived
+            </span>
+          )}
+        </div>
+      ),
+    },
+    {
+      key: 'ekus',
+      label: 'EKUs',
+      render: (p) => (
+        <div className="flex flex-wrap gap-1">
+          {(p.allowed_ekus || []).map((eku, i) => (
+            <span key={i} className="text-xs text-slate-400">{eku}</span>
+          ))}
+        </div>
+      ),
+    },
+    {
+      key: 'spiffe',
+      label: 'SPIFFE',
+      render: (p) => (
+        p.spiffe_uri_pattern
+          ? <span className="text-xs text-blue-400 font-mono">{p.spiffe_uri_pattern}</span>
+          : <span className="text-slate-500">&mdash;</span>
+      ),
+    },
+    {
+      key: 'enabled',
+      label: 'Status',
+      render: (p) => <StatusBadge status={p.enabled ? 'active' : 'disabled'} />,
+    },
+    {
+      key: 'created',
+      label: 'Created',
+      render: (p) => <span className="text-xs text-slate-400">{formatDateTime(p.created_at)}</span>,
+    },
+    {
+      key: 'actions',
+      label: '',
+      render: (p) => (
+        <button
+          onClick={(e) => { e.stopPropagation(); if (confirm(`Delete profile ${p.name}?`)) deleteMutation.mutate(p.id); }}
+          className="text-xs text-red-400 hover:text-red-300 transition-colors"
+        >
+          Delete
+        </button>
+      ),
+    },
+  ];
+
+  return (
+    <>
+      <PageHeader title="Certificate Profiles" subtitle={data ? `${data.total} profiles` : undefined} />
+      <div className="flex-1 overflow-y-auto">
+        {error ? (
+          <ErrorState error={error as Error} onRetry={() => refetch()} />
+        ) : (
+          <DataTable columns={columns} data={data?.data || []} isLoading={isLoading} emptyMessage="No profiles configured" />
+        )}
+      </div>
+    </>
+  );
+}