docs: remove version labels from public docs to avoid telegraphing roadmap

Strip explicit V2/V3 version labels from planned features in README,
architecture, connectors, and demo docs. F5/IIS now say "interface only"
and "implementation planned" without version targets. DigiCert and other
future issuers say "planned" without version numbers. Keeps completed
milestones detailed (social proof) while keeping future work abstract.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Shankar
2026-03-22 13:50:03 -04:00
parent d9103b62cf
commit c2cd48c38b
4 changed files with 14 additions and 14 deletions
+3 -3
@@ -292,7 +292,7 @@ GET /ready Readiness check
| Local CA (self-signed + sub-CA) | Implemented | `GenericCA` |
| ACME v2 (Let's Encrypt, Sectigo) | Implemented (HTTP-01 + DNS-01) | `ACME` |
| step-ca | Implemented | `StepCA` |
| OpenSSL / Custom CA | Planned (V2) | — |
| OpenSSL / Custom CA | Planned | — |
| Vault PKI | Planned | — |
| DigiCert | Planned | — |
@@ -304,8 +304,8 @@ GET /ready Readiness check
| NGINX | Implemented | `NGINX` |
| Apache httpd | Implemented | `Apache` |
| HAProxy | Implemented | `HAProxy` |
| F5 BIG-IP | Interface only (V2) | `F5` |
| Microsoft IIS | Interface only (V2) | `IIS` |
| F5 BIG-IP | Interface only | `F5` |
| Microsoft IIS | Interface only | `IIS` |
| Kubernetes Secrets | Planned | — |
### Notifiers
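Review bot: The F5 BIG-IP and Microsoft IIS rows now read only `Interface only`, while the commit message says these entries should say "interface only" and "implementation planned". With the `F5` and `IIS` connector names still in the third column, a reader scanning the table can take them for deployable targets. Suggest `Interface only (implementation planned)` in both rows so the README matches the wording the architecture doc uses for the same two connectors.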
+2 -2
@@ -459,9 +459,9 @@ type Connector interface {
The `DeploymentRequest` struct carries the full material needed by the target system: the signed certificate, the CA chain, the agent-generated private key, target-specific configuration, and arbitrary metadata. The key field is populated by the agent from its local key store (`CERTCTL_KEY_DIR`) — it never originates from the control plane.
Built-in targets: **NGINX** (writes cert/chain/key files, validates with `nginx -t`, reloads), **Apache httpd** (writes cert/chain/key files, validates with `apachectl configtest`, graceful reload), **HAProxy** (combined PEM file with cert+chain+key, validates config, reloads via systemctl/signal), **F5 BIG-IP** (interface only — proxy agent + iControl REST, planned V2), **IIS** (interface only — dual-mode: agent-local PowerShell primary + proxy agent WinRM for agentless targets, planned V2).
Built-in targets: **NGINX** (writes cert/chain/key files, validates with `nginx -t`, reloads), **Apache httpd** (writes cert/chain/key files, validates with `apachectl configtest`, graceful reload), **HAProxy** (combined PEM file with cert+chain+key, validates config, reloads via systemctl/signal), **F5 BIG-IP** (interface only — proxy agent + iControl REST, implementation planned), **IIS** (interface only — dual-mode: agent-local PowerShell primary + proxy agent WinRM for agentless targets, implementation planned).
**Planned (V3):** Kubernetes cert-manager external issuer, Kubernetes Secrets, AWS ALB/CloudFront, AWS IAM Roles Anywhere, Azure Key Vault, Azure Managed Identity, Palo Alto, FortiGate, Citrix ADC.
Additional cloud, network, and Kubernetes target connectors are planned for future releases.
### Notifier Connector
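Review bot: The sentence that replaces the old `**Planned (V3):**` line covers only "target connectors", but the removed list also named items that do not read as deployment targets (Kubernetes cert-manager external issuer, AWS IAM Roles Anywhere, Azure Managed Identity). If those are still planned, widen the wording, for example "Additional cloud, network, and Kubernetes integrations are planned for future releases."; if they were dropped, say so in the commit message.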
+4 -4
@@ -6,9 +6,9 @@ Connectors extend certctl to integrate with external systems for certificate iss
Three types of connectors:
1. **Issuer Connector** — Obtains certificates from CAs (Local CA with sub-CA support, ACME with HTTP-01 + DNS-01, step-ca implemented; OpenSSL planned V2; DigiCert, Entrust, GlobalSign, EJBCA, Vault PKI, Google CAS planned V3)
2. **Target Connector** — Deploys certificates to infrastructure (NGINX, Apache httpd, HAProxy implemented; F5 via proxy agent, IIS dual-mode interface only; AWS ALB, Azure Key Vault, Palo Alto, FortiGate, Citrix ADC, Kubernetes Secrets planned V3)
3. **Notifier Connector** — Sends alerts about certificate events (Email, Webhooks; Slack, Teams, PagerDuty, OpsGenie planned V2)
1. **Issuer Connector** — Obtains certificates from CAs (Local CA with sub-CA support, ACME with HTTP-01 + DNS-01, step-ca implemented; OpenSSL/Custom CA and additional CA integrations planned)
2. **Target Connector** — Deploys certificates to infrastructure (NGINX, Apache httpd, HAProxy implemented; F5 via proxy agent, IIS dual-mode interface only; additional cloud and network targets planned)
3. **Notifier Connector** — Sends alerts about certificate events (Email, Webhooks implemented; Slack, Teams, PagerDuty, OpsGenie planned)
All connectors accept JSON configuration at initialization, support config validation, and are registered in the service layer. Issuer connectors run on the control plane; target connectors run on agents. For network appliances where agents can't be installed, a **proxy agent** in the same network zone handles deployment — the server never initiates outbound connections.
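Review bot: The three list items end up at different levels of detail: the issuer and target items collapse the named future integrations into "additional CA integrations planned" and "additional cloud and network targets planned", while the notifier item still names Slack, Teams, PagerDuty and OpsGenie. The commit message only calls for dropping version numbers (DigiCert and other future issuers "say planned"), and the flowchart change in this same commit keeps the issuer names. Pick one treatment, named without versions or fully abstract, and apply it to all three items.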
@@ -363,7 +363,7 @@ The combined PEM is built in this order: server certificate, intermediate/chain
Location: `internal/connector/target/haproxy/haproxy.go`
### Planned: F5 BIG-IP (V2, Interface Only)
### Planned: F5 BIG-IP (Interface Only)
The F5 BIG-IP target connector interface is built with the iControl REST flow mapped out, but the actual API calls are not yet implemented. F5 appliances can't run agents directly, so this connector uses the **proxy agent pattern**: a designated agent in the same network zone picks up F5 deployment jobs and calls the iControl REST API. The server assigns the work; the proxy agent executes it.
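Review bot: Renaming the heading to `### Planned: F5 BIG-IP (Interface Only)` changes the anchor that most Markdown renderers derive from the heading text, so any link that targets the old heading's anchor (from the README, the architecture doc or a table of contents) will stop resolving. Search the docs for links to this section and update them in the same commit.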
+5 -5
@@ -130,11 +130,11 @@ flowchart TD
A --> E["Local CA\n(self-signed or sub-CA)"]
A --> F["ACME\n(Let's Encrypt)"]
A --> G["step-ca\n(implemented)"]
A --> H["OpenSSL / Custom CA\n(planned V2)"]
A --> J["DigiCert API\n(planned V3)"]
A --> K["Vault PKI\n(planned V3)"]
A --> L["Entrust / GlobalSign\n(planned V3)"]
A --> M["Google CAS / EJBCA\n(planned V3)"]
A --> H["OpenSSL / Custom CA\n(planned)"]
A --> J["DigiCert API\n(planned)"]
A --> K["Vault PKI\n(planned)"]
A --> L["Entrust / GlobalSign\n(planned)"]
A --> M["Google CAS / EJBCA\n(planned)"]
```
---
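Review bot: In the flowchart, node G carries `(implemented)` and nodes H through M now carry `(planned)`, but E (Local CA) and F (ACME) have no status label, so the diagram does not say which state they are in. Since this commit touches the labels anyway, either add `(implemented)` to E and F or drop it from G so that only the planned nodes carry a label.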