docs: fix stale references, seed data case bugs, and convert ASCII diagrams to Mermaid

Audit all docs and examples against current codebase state. Fix seed_demo.sql
domain constant casing (IssuerType, TargetType, AgentStatus) that would cause
agent dispatch failures. Fix example docker-compose health endpoints (/health
not /api/v1/health) and env var names (CERTCTL_DATABASE_URL). Update connector
counts, test numbers, and planned→implemented status across docs. Convert 3
ASCII flow diagrams to Mermaid.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/architecture.md

@@ -90,8 +90,10 @@ flowchart TB
         T5["HAProxy\n(combined PEM + reload)"]
         T6["Traefik\n(file provider)"]
         T7["Caddy\n(admin API / file)"]
+        T8["Envoy\n(file-based SDS)"]
+        T9["Postfix/Dovecot\n(file + service reload)"]
         T2["F5 BIG-IP\n(proxy agent + iControl REST, planned)"]
-        T3["IIS\n(agent-local PowerShell, planned)"]
+        T3["IIS\n(WinRM + local)"]
     end
 
     DASH --> API
@@ -119,7 +121,7 @@ The server exposes a REST API under `/api/v1/` and optionally serves the web das
 
 ### Agents
 
-Lightweight Go processes that run on or near your infrastructure. Agents generate ECDSA P-256 private keys locally, create CSRs, and submit them to the control plane for signing — private keys never leave agent infrastructure. Agents also handle certificate deployment to target systems (NGINX, Apache httpd, HAProxy fully implemented; F5 BIG-IP, IIS interface only with V2 implementations planned) and report job status. They communicate with the control plane via HTTP and authenticate with API keys.
+Lightweight Go processes that run on or near your infrastructure. Agents generate ECDSA P-256 private keys locally, create CSRs, and submit them to the control plane for signing — private keys never leave agent infrastructure. Agents also handle certificate deployment to target systems (NGINX, Apache httpd, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS fully implemented; F5 BIG-IP interface stub only) and report job status. They communicate with the control plane via HTTP and authenticate with API keys.
 
 The agent runs two background loops: a heartbeat (every 60 seconds) to signal it's alive, and a work poll (every 30 seconds) to check for actionable jobs via `GET /api/v1/agents/{id}/work`. Jobs may be `AwaitingCSR` (agent needs to generate key + submit CSR) or `Deployment` (agent needs to deploy a certificate). Private keys are stored in `CERTCTL_KEY_DIR` (default `/var/lib/certctl/keys`) with 0600 permissions.
 
@@ -521,8 +523,10 @@ flowchart TB
         TI --> HP["HAProxy"]
         TI --> TF["Traefik"]
         TI --> CD["Caddy"]
+        TI --> EV["Envoy"]
+        TI --> PO["Postfix/Dovecot"]
+        TI --> IIS["IIS"]
         TI --> F5["F5 BIG-IP (interface only)"]
-        TI --> IIS["IIS (interface only)"]
     end
 
     subgraph "Notifier Connectors"

docs/concepts.md

@@ -125,9 +125,9 @@ Agents also report **metadata** about themselves — their operating system, CPU
 
 ### Deployment Targets
 
-Targets are the systems where certificates actually get installed — NGINX web servers, Apache httpd servers, HAProxy load balancers, F5 BIG-IP appliances, Microsoft IIS servers. Each target type has a **connector** that knows how to deploy certificates to that specific system (e.g., writing files and reloading NGINX or Apache config, building a combined PEM for HAProxy).
+Targets are the systems where certificates actually get installed — NGINX web servers, Apache httpd servers, HAProxy load balancers, Traefik reverse proxies, Caddy servers, Envoy gateways, Postfix/Dovecot mail servers, Microsoft IIS servers, and network appliances. Each target type has a **connector** that knows how to deploy certificates to that specific system (e.g., writing files and reloading NGINX or Apache config, building a combined PEM for HAProxy).
 
-For targets where an agent runs directly on the machine (NGINX, Apache, HAProxy, IIS), the agent deploys certificates locally — no remote access needed. For network appliances where you can't install an agent (F5 BIG-IP, Palo Alto, etc.), a **proxy agent** in the same network zone picks up the deployment job and calls the appliance's API. The server never initiates outbound connections to any target.
+For targets where an agent runs directly on the machine (NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS), the agent deploys certificates locally — no remote access needed. For network appliances where you can't install an agent (F5 BIG-IP, Palo Alto, etc.), a **proxy agent** in the same network zone picks up the deployment job and calls the appliance's API. The server never initiates outbound connections to any target.
 
 ## The Certificate Lifecycle
 

docs/connectors.md

@@ -53,8 +53,8 @@ Connectors extend certctl to integrate with external systems for certificate iss
 
 Three types of connectors:
 
-1. **Issuer Connector** — Obtains certificates from CAs (Local CA with sub-CA support, ACME with HTTP-01 + DNS-01 + DNS-PERSIST-01, step-ca, OpenSSL/Custom CA implemented; additional CA integrations planned)
-2. **Target Connector** — Deploys certificates to infrastructure (NGINX, Apache httpd, HAProxy, Traefik, Caddy, Envoy, IIS implemented; F5 via proxy agent planned; additional cloud and network targets planned)
+1. **Issuer Connector** — Obtains certificates from CAs (Local CA with sub-CA support, ACME with HTTP-01 + DNS-01 + DNS-PERSIST-01, step-ca, OpenSSL/Custom CA, Vault PKI, DigiCert implemented; additional CA integrations planned)
+2. **Target Connector** — Deploys certificates to infrastructure (NGINX, Apache httpd, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS implemented; F5 via proxy agent planned; additional cloud and network targets planned)
 3. **Notifier Connector** — Sends alerts about certificate events (Email, Webhooks, Slack, Microsoft Teams, PagerDuty, OpsGenie implemented)
 
 All connectors accept JSON configuration at initialization, support config validation, and are registered in the service layer. Issuer connectors run on the control plane; target connectors run on agents. For network appliances where agents can't be installed, a **proxy agent** in the same network zone handles deployment — the server never initiates outbound connections.

docs/demo-advanced.md

@@ -307,8 +307,8 @@ flowchart TD
     A --> F["ACME\n(Let's Encrypt)"]
     A --> G["step-ca\n(implemented)"]
     A --> H["OpenSSL / Custom CA\n(script-based)"]
-    A --> J["DigiCert API\n(planned)"]
-    A --> K["Vault PKI\n(planned)"]
+    A --> J["DigiCert API\n(implemented)"]
+    A --> K["Vault PKI\n(implemented)"]
     A --> L["Entrust / GlobalSign\n(planned)"]
     A --> M["Google CAS / EJBCA\n(planned)"]
 ```

docs/features.md

@@ -1286,11 +1286,11 @@ The web dashboard is the primary operational interface for certctl. Built with *
 - **Docker Tags** — `:latest`, `:v{version}` (`shankar0123.docker.scarf.sh/certctl-server`, `shankar0123.docker.scarf.sh/certctl-agent`)
 
 ### Test Suite
-- **Unit Tests** — 625+ test functions across service, handler, middleware, domain layers
+- **Unit Tests** — 1,088+ test functions across service, handler, middleware, domain layers
 - **Integration Tests** — End-to-end workflows (issuance→renewal→deployment)
 - **Negative Tests** — Malformed input, nonexistent resources, error conditions
-- **Frontend Tests** — 86 Vitest tests (API client, utilities, stats/metrics, full endpoint coverage)
-- **Total Coverage** — 900+ tests (Go + frontend combined)
+- **Frontend Tests** — 211 Vitest tests (API client, utilities, stats/metrics, full endpoint coverage)
+- **Total Coverage** — 1,554+ tests (Go + frontend combined)
 
 ### Licensing
 - **License** — Business Source License 1.1 (BSL 1.1)
@@ -1478,10 +1478,10 @@ Each guide includes an evidence summary table mapping specific criteria to certc
 
 | Category | Count |
 |----------|-------|
-| **API Endpoints** | 95 (under /api/v1/ + /.well-known/est/) |
+| **API Endpoints** | 97 (under /api/v1/ + /.well-known/est/) |
 | **Dashboard** | Full web GUI |
-| **Issuer Connectors** | 4 (Local CA, ACME, step-ca, OpenSSL) |
-| **Target Connectors** | 5 (3 impl: NGINX, Apache, HAProxy; 2 stubs: F5, IIS) |
+| **Issuer Connectors** | 6 (Local CA, ACME, step-ca, OpenSSL, Vault PKI, DigiCert) |
+| **Target Connectors** | 10 (9 impl: NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, IIS, Postfix, Dovecot; 1 stub: F5) |
 | **Notifier Channels** | 6 (Email, Webhook, Slack, Teams, PagerDuty, OpsGenie) |
 | **Job Types** | 4 (Issuance, Renewal, Deployment, Validation) |
 | **Job States** | 7 (Pending, AwaitingCSR, AwaitingApproval, Running, Completed, Failed, Cancelled) |
@@ -1492,6 +1492,6 @@ Each guide includes an evidence summary table mapping specific criteria to certc
 | **MCP Tools** | 76 (16 resource domains) |
 | **CLI Subcommands** | 10 |
 | **Database Tables** | 19 |
-| **Test Suite** | 900+ tests (Go backend + frontend) |
+| **Test Suite** | 1,554+ tests (Go backend + frontend) |
 | **Environment Variables** | 41+ configuration options |
 

docs/testing-guide.md

@@ -1600,7 +1600,7 @@ curl -s -w "\nHTTP %{http_code}\n" -X POST -H "$AUTH" -H "$CT" \
 
 ---
 
-**Test 7.1.6 — Create IIS target (stub)**
+**Test 7.1.6 — Create IIS target**
 
 ```bash
 curl -s -w "\nHTTP %{http_code}\n" -X POST -H "$AUTH" -H "$CT" \
@@ -5833,7 +5833,7 @@ These must be green before starting manual QA:
 | 7.1.3 | Create Apache target | Manual | ☐ |  |  |
 | 7.1.4 | Create HAProxy target | Manual | ☐ |  |  |
 | 7.1.5 | Create F5 BIG-IP target (stub) | Auto | ☑ | 2026-03-30 |  |
-| 7.1.6 | Create IIS target (stub) | Auto | ☑ | 2026-03-30 |  |
+| 7.1.6 | Create IIS target | Auto | ☑ | 2026-03-30 |  |
 | 7.1.7 | Get target verifies type-specific config stored | Manual | ☐ |  |  |
 | 7.1.8 | Update target config | Manual | ☐ |  |  |
 | 7.1.9 | Delete target returns 204 | Auto | ☑ | 2026-03-30 |  |