docs: synchronize project documentation with codebase

Implements 3 deferred security tickets (TICKET-003, TICKET-007, TICKET-010)
and performs comprehensive documentation audit to eliminate drift between
code and docs.

Code changes:
- TICKET-003: Repository integration tests with testcontainers-go (50+ subtests)
- TICKET-007: CertificateService decomposition into RevocationSvc + CAOperationsSvc
- TICKET-010: Request body size limits via http.MaxBytesReader middleware
- Fix missing slog import in certificate.go after service decomposition

Documentation updates:
- README: Fix endpoint count (97→93), expand env var reference (15→39 vars)
- CLAUDE.md: Fix OpenAPI operation count (85→93), update file locations
- architecture.md: Add body size limits section, middleware chain ordering
- CONTRIBUTING.md: New contributor guide with architecture conventions,
  test patterns, middleware ordering, CI thresholds
- SECURITY_REMEDIATION.md: Removed from repo (moved to cowork, gitignored)
- Test files: Add doc comments to all new test files

Documentation that should exist but doesn't yet:
- Architecture diagrams (C4 model or similar)
- Threat model document
- Testing philosophy guide
- Disaster recovery runbook
- Upgrade guide (migration between versions)
- API versioning strategy document

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/config/config.go

@@ -203,8 +203,9 @@ type VerificationConfig struct {
 
 // ServerConfig contains HTTP server configuration.
 type ServerConfig struct {
-	Host string
-	Port int
+	Host        string // Server host (default: 127.0.0.1). Set via CERTCTL_SERVER_HOST.
+	Port        int    // Server port (default: 8080). Set via CERTCTL_SERVER_PORT.
+	MaxBodySize int64  // Maximum request body size in bytes (default: 1MB). Set via CERTCTL_MAX_BODY_SIZE.
 }
 
 // DatabaseConfig contains database connection configuration.
@@ -301,8 +302,9 @@ type CORSConfig struct {
 func Load() (*Config, error) {
 	cfg := &Config{
 		Server: ServerConfig{
-			Host: getEnv("CERTCTL_SERVER_HOST", "127.0.0.1"),
-			Port: getEnvInt("CERTCTL_SERVER_PORT", 8080),
+			Host:        getEnv("CERTCTL_SERVER_HOST", "127.0.0.1"),
+			Port:        getEnvInt("CERTCTL_SERVER_PORT", 8080),
+			MaxBodySize: getEnvInt64("CERTCTL_MAX_BODY_SIZE", 1024*1024), // 1MB default
 		},
 		Database: DatabaseConfig{
 			URL:            getEnv("CERTCTL_DATABASE_URL", "postgres://localhost/certctl"),
@@ -471,6 +473,18 @@ func getEnvInt(key string, defaultValue int) int {
 	return defaultValue
 }
 
+// getEnvInt64 reads an int64 environment variable with the given key and default value.
+func getEnvInt64(key string, defaultValue int64) int64 {
+	if value := os.Getenv(key); value != "" {
+		intVal, err := strconv.ParseInt(value, 10, 64)
+		if err != nil {
+			return defaultValue
+		}
+		return intVal
+	}
+	return defaultValue
+}
+
 // getEnvDuration reads a time.Duration environment variable.
 // The value should be a valid Go duration string (e.g., "1h", "30s", "5m").
 func getEnvDuration(key string, defaultValue time.Duration) time.Duration {