ci-pipeline-cleanup Phase 6 follow-up: IIS operator playbook + matrix doc

Bundle: ci-pipeline-cleanup, Phase 6 follow-up.

Phase 5+6 commit removed the deploy-vendor-e2e-windows matrix from
ci.yml; this commit closes the Phase 6 deliverables that aren't
ci.yml-side:

1. NEW docs/connector-iis.md::Operator validation playbook
   (Windows host) — the procedure operators run pre-release to flip
   the IIS / WinCertStore vendor-matrix cells from
   'operator-playbook' → '✓'. Mirrors the Bundle II frozen decision
   0.14 third-criterion (operator manual smoke required).

2. docs/deployment-vendor-matrix.md — IIS + WinCertStore rows status
   updated from 'pending' → 'operator-playbook' with link to the
   new playbook section.

3. deploy/docker-compose.test.yml — windows-iis-test sidecar comment
   updated to reflect that CI no longer activates this profile;
   sidecar definition preserved for operator local use via
   'docker compose --profile deploy-e2e-windows up -d windows-iis-test'.

Operator workflow going forward:
- Pre-release: run the playbook on a Windows host
- Record validation date + Windows Server version in
  cowork/<bundle>/iis-validation-receipts.md
- Update docs/deployment-vendor-matrix.md cells if applicable

docs/connector-iis.md

@@ -128,3 +128,68 @@ hostname.
 
 - [Atomic deploy + post-verify + rollback](deployment-atomicity.md)
 - [Vendor compatibility matrix](deployment-vendor-matrix.md)
+
+## Operator validation playbook (Windows host)
+
+CI no longer runs the IIS + WinCertStore vendor-e2e tests on every
+push. Per ci-pipeline-cleanup bundle frozen decision 0.5 (which
+revises Bundle II decision 0.4), the Windows matrix was deleted
+because (a) it couldn't physically work on `windows-latest` GitHub
+runners (Docker not started in Windows-containers mode by default;
+`bridge` network driver doesn't exist on Windows Docker — uses
+`nat`), and (b) all IIS + WinCertStore vendor-edge tests are
+`t.Log` placeholder stubs that exercise no IIS-specific behavior.
+
+The real IIS connector validation lives in:
+
+1. `internal/connector/target/iis/` unit tests (run on Linux in the
+   regular Go Build & Test job — already green on every push).
+2. This playbook — operator manual smoke against a real Windows host
+   pre-release.
+
+### Prerequisites
+
+- Windows Server 2019 or 2022 host (or Windows 10/11 Pro with Hyper-V)
+- Docker Desktop in Windows containers mode
+  (Settings → "Switch to Windows containers")
+- Go 1.25.9 + git
+
+### Procedure
+
+```powershell
+# Clone + checkout
+git clone https://github.com/shankar0123/certctl.git
+cd certctl
+git fetch --tags
+git checkout v2.X.0  # whichever release is being validated
+
+# Bring up the Windows IIS sidecar
+docker compose --profile deploy-e2e-windows `
+  -f deploy/docker-compose.test.yml `
+  up -d windows-iis-test
+Start-Sleep -Seconds 30
+
+# Run IIS + WinCertStore vendor-edge tests
+$env:INTEGRATION = "1"
+go test -tags integration -race -count=1 `
+  -run 'VendorEdge_(IIS|WinCertStore)' `
+  ./deploy/test/... | Tee-Object -FilePath iis-validation.log
+
+# Tear down
+docker compose --profile deploy-e2e-windows `
+  -f deploy/docker-compose.test.yml `
+  down -v
+```
+
+### Acceptance
+
+Per Bundle II frozen decision 0.14, the IIS / WinCertStore cells in
+`docs/deployment-vendor-matrix.md` flip from "CI" / "pending" → "✓"
+only when ALL of the following are true:
+
+- ≥1 happy-path e2e passes against the real Windows IIS sidecar
+- ≥1 specific-quirk test for that Windows Server version passes
+- This playbook's full procedure ran clean once on a real Windows host
+
+Operator records the validation date + Windows Server version in
+`cowork/<bundle>/iis-validation-receipts.md` for audit trail.

docs/deployment-vendor-matrix.md

@@ -39,15 +39,15 @@ vendor. EOL versions explicitly excluded.
 | **Postfix** | postfix.org | 3.6 | CI | per-listener cert binding | configure cert per-listener block | `TestVendorEdge_Postfix_MultiListenerCertBinding_DeployUpdatesCorrectListener_E2E` |
 | Postfix | postfix.org | 3.8 | CI | (same) | (same) | (same) |
 | **Dovecot** | dovecot.org | 2.3 | CI | submission/submissions port variants | configure both inet_listener blocks | `TestVendorEdge_Dovecot_SubmissionSubmissionsPortVariants_E2E` |
-| **IIS** | microsoft.com | IIS 10 (Server 2019) | pending | Windows-host-only CI; app-pool recycle opt-in | `AppPoolRecycle: true` per-target if needed | `TestVendorEdge_IIS_AppPoolRecycle_OptInForCertChange_E2E` |
-| IIS | microsoft.com | IIS 10 (Server 2022) | pending | (same) | (same) | (same) |
+| **IIS** | microsoft.com | IIS 10 (Server 2019) | operator-playbook | Windows-host-only validation per [operator playbook](connector-iis.md#operator-validation-playbook-windows-host); app-pool recycle opt-in | `AppPoolRecycle: true` per-target if needed | `TestVendorEdge_IIS_AppPoolRecycle_OptInForCertChange_E2E` |
+| IIS | microsoft.com | IIS 10 (Server 2022) | operator-playbook | (same) | (same) | (same) |
 | **F5 BIG-IP** | f5.com | v15.1 LTS | mock | larger cert chain (>4 links) historical issue | use cert chain ≤4 links OR upgrade to v17 | `TestVendorEdge_F5_LargeCertChainHandling_E2E` |
 | F5 BIG-IP | f5.com | v17.0 | mock | (chain limit lifted) | n/a | (same) |
 | F5 BIG-IP | f5.com | v17.5 | mock | (same) | n/a | (same) |
 | **SSH** | openssh.com | OpenSSH 8.x | CI | sftp subsystem may be disabled | connector falls back to scp | `TestVendorEdge_SSH_SFTPSubsystemAbsent_FallsBackToSCP_E2E` |
 | SSH | openssh.com | OpenSSH 9.x | CI | (same) | (same) | (same) |
-| **WinCertStore** | microsoft.com | Windows Server 2019 | pending | cert store ACL: NS vs IIS_IUSRS | configure store ACL per IIS app-pool identity | `TestVendorEdge_WinCertStore_CertStoreACL_NetworkServiceAccess_E2E` |
-| WinCertStore | microsoft.com | Windows Server 2022 | pending | (same) | (same) | (same) |
+| **WinCertStore** | microsoft.com | Windows Server 2019 | operator-playbook | Windows-host-only validation per [operator playbook](connector-iis.md#operator-validation-playbook-windows-host); cert store ACL: NS vs IIS_IUSRS | configure store ACL per IIS app-pool identity | `TestVendorEdge_WinCertStore_CertStoreACL_NetworkServiceAccess_E2E` |
+| WinCertStore | microsoft.com | Windows Server 2022 | operator-playbook | (same) | (same) | (same) |
 | **JavaKeystore** | adoptium.net | JDK 11 LTS | pending | keytool `-importkeystore` semantics | use `KeytoolPath` config to pin to JDK | `TestVendorEdge_JavaKeystore_JDK11_vs_17_vs_21_KeytoolBehavior_E2E` |
 | JavaKeystore | adoptium.net | JDK 17 LTS | pending | (same) | (same) | (same) |
 | JavaKeystore | adoptium.net | JDK 21 LTS | pending | (same) | (same) | (same) |