feat: S/MIME certificate support in integration tests + test env docs

Add S/MIME (emailProtection EKU) end-to-end test coverage:
- ValidateCommonName() now accepts email addresses for S/MIME certs
- S/MIME test profile (prof-test-smime) in seed data
- Phase 11 test: issuance, EKU, KeyUsage, email SAN verification
- EST config enabled in test Docker Compose
- Portable KeyUsage parsing (awk, works on BSD/GNU)
- Full test environment documentation (docs/test-env.md)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

migrations/seed_test.sql

@@ -115,6 +115,19 @@ VALUES (
   '[{"algorithm": "ECDSA", "min_size": 256}, {"algorithm": "RSA", "min_size": 2048}]'::jsonb
 ) ON CONFLICT (id) DO NOTHING;
 
+-- ---------------------------------------------------------------------------
+-- Certificate Profile — S/MIME email protection
+-- ---------------------------------------------------------------------------
+INSERT INTO certificate_profiles (id, name, description, max_ttl_seconds, allowed_ekus, allowed_key_algorithms)
+VALUES (
+  'prof-test-smime',
+  'Test S/MIME Email',
+  'S/MIME certificate profile for email signing and encryption',
+  31536000,  -- 365 days
+  '["emailProtection"]'::jsonb,
+  '[{"algorithm": "ECDSA", "min_size": 256}, {"algorithm": "RSA", "min_size": 2048}]'::jsonb
+) ON CONFLICT (id) DO NOTHING;
+
 -- ---------------------------------------------------------------------------
 -- Deployment Target — NGINX (references agent-test-01)
 -- ---------------------------------------------------------------------------