Complete M1, M1.1, M2: end-to-end lifecycle, agent deployment, ACME v2

- Wire issuer connector end-to-end with IssuerConnectorAdapter (dependency inversion)
- Renewal/issuance job processor: RSA key + CSR generation, Local CA signing, cert version storage
- Agent work API (GET /agents/{id}/work) and job status API (POST /agents/{id}/jobs/{job_id}/status)
- Agent-side deployment: WorkItem enrichment with target type/config, NGINX/F5/IIS connector invocation
- Full ACME v2 implementation: HTTP-01 challenge solving, account registration, order lifecycle
- Update all docs (README, architecture, connectors, demo-advanced, quickstart) for M1-M2
- Fix go vet warning in deployment.go (non-constant format string)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/domain/job.go

@@ -48,3 +48,15 @@ type DeploymentJob struct {
 	AgentID            string          `json:"agent_id"`
 	DeploymentResult   json.RawMessage `json:"deployment_result,omitempty"`
 }
+
+// WorkItem enriches a Job with target details so the agent knows which connector to use.
+// Returned by GET /api/v1/agents/{id}/work.
+type WorkItem struct {
+	ID            string          `json:"id"`
+	Type          JobType         `json:"type"`
+	CertificateID string          `json:"certificate_id"`
+	TargetID      *string         `json:"target_id,omitempty"`
+	TargetType    string          `json:"target_type,omitempty"`
+	TargetConfig  json.RawMessage `json:"target_config,omitempty"`
+	Status        JobStatus       `json:"status"`
+}