docs: synchronize project documentation with codebase

Implements 3 deferred security tickets (TICKET-003, TICKET-007, TICKET-010)
and performs comprehensive documentation audit to eliminate drift between
code and docs.

Code changes:
- TICKET-003: Repository integration tests with testcontainers-go (50+ subtests)
- TICKET-007: CertificateService decomposition into RevocationSvc + CAOperationsSvc
- TICKET-010: Request body size limits via http.MaxBytesReader middleware
- Fix missing slog import in certificate.go after service decomposition

Documentation updates:
- README: Fix endpoint count (97→93), expand env var reference (15→39 vars)
- CLAUDE.md: Fix OpenAPI operation count (85→93), update file locations
- architecture.md: Add body size limits section, middleware chain ordering
- CONTRIBUTING.md: New contributor guide with architecture conventions,
  test patterns, middleware ordering, CI thresholds
- SECURITY_REMEDIATION.md: Removed from repo (moved to cowork, gitignored)
- Test files: Add doc comments to all new test files

Documentation that should exist but doesn't yet:
- Architecture diagrams (C4 model or similar)
- Threat model document
- Testing philosophy guide
- Disaster recovery runbook
- Upgrade guide (migration between versions)
- API versioning strategy document

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cmd/server/main.go

@@ -192,11 +192,18 @@ func main() {
 	notificationService := service.NewNotificationService(notificationRepo, notifierRegistry)
 	notificationService.SetOwnerRepo(ownerRepo)
 
-	// Wire revocation dependencies into CertificateService
-	certificateService.SetRevocationRepo(revocationRepo)
-	certificateService.SetNotificationService(notificationService)
-	certificateService.SetIssuerRegistry(issuerRegistry)
-	certificateService.SetProfileRepo(profileRepo)
+	// Create RevocationSvc with its dependencies
+	revocationSvc := service.NewRevocationSvc(certificateRepo, revocationRepo, auditService)
+	revocationSvc.SetIssuerRegistry(issuerRegistry)
+	revocationSvc.SetNotificationService(notificationService)
+
+	// Create CAOperationsSvc with its dependencies
+	caOperationsSvc := service.NewCAOperationsSvc(revocationRepo, certificateRepo, profileRepo)
+	caOperationsSvc.SetIssuerRegistry(issuerRegistry)
+
+	// Wire sub-services into CertificateService
+	certificateService.SetRevocationSvc(revocationSvc)
+	certificateService.SetCAOperationsSvc(caOperationsSvc)
 	certificateService.SetTargetRepo(targetRepo)
 	renewalService := service.NewRenewalService(certificateRepo, jobRepo, renewalPolicyRepo, profileRepo, auditService, notificationService, issuerRegistry, cfg.Keygen.Mode)
 	deploymentService := service.NewDeploymentService(jobRepo, targetRepo, agentRepo, certificateRepo, auditService, notificationService)
@@ -341,6 +348,12 @@ func main() {
 
 	structuredLogger := middleware.NewLogging(logger)
 
+	// Request body size limit middleware — prevents memory exhaustion attacks (CWE-400)
+	bodyLimitMiddleware := middleware.NewBodyLimit(middleware.BodyLimitConfig{
+		MaxBytes: cfg.Server.MaxBodySize,
+	})
+	logger.Info("request body size limit enabled", "max_bytes", cfg.Server.MaxBodySize)
+
 	// API audit log middleware — records every API call to the audit trail
 	auditAdapter := middleware.NewAuditServiceAdapter(
 		func(ctx context.Context, actor string, actorType string, action string, resourceType string, resourceID string, details map[string]interface{}) error {
@@ -357,6 +370,7 @@ func main() {
 		middleware.RequestID,
 		structuredLogger,
 		middleware.Recovery,
+		bodyLimitMiddleware,
 		corsMiddleware,
 		authMiddleware,
 		auditMiddleware,
@@ -372,6 +386,7 @@ func main() {
 			middleware.RequestID,
 			structuredLogger,
 			middleware.Recovery,
+			bodyLimitMiddleware,
 			rateLimiter,
 			corsMiddleware,
 			authMiddleware,