docs: synchronize project documentation with codebase

Implements 3 deferred security tickets (TICKET-003, TICKET-007, TICKET-010)
and performs comprehensive documentation audit to eliminate drift between
code and docs.

Code changes:
- TICKET-003: Repository integration tests with testcontainers-go (50+ subtests)
- TICKET-007: CertificateService decomposition into RevocationSvc + CAOperationsSvc
- TICKET-010: Request body size limits via http.MaxBytesReader middleware
- Fix missing slog import in certificate.go after service decomposition

Documentation updates:
- README: Fix endpoint count (97→93), expand env var reference (15→39 vars)
- CLAUDE.md: Fix OpenAPI operation count (85→93), update file locations
- architecture.md: Add body size limits section, middleware chain ordering
- CONTRIBUTING.md: New contributor guide with architecture conventions,
  test patterns, middleware ordering, CI thresholds
- SECURITY_REMEDIATION.md: Removed from repo (moved to cowork, gitignored)
- Test files: Add doc comments to all new test files

Documentation that should exist but doesn't yet:
- Architecture diagrams (C4 model or similar)
- Threat model document
- Testing philosophy guide
- Disaster recovery runbook
- Upgrade guide (migration between versions)
- API versioning strategy document

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/service/ca_operations_test.go

@@ -0,0 +1,179 @@
+// Tests for CAOperationsSvc, the focused sub-service that handles CRL generation
+// and OCSP response signing extracted from CertificateService (TICKET-007).
+package service
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// helper to create a CAOperationsSvc for testing
+func newCAOperationsSvcTest() (*CAOperationsSvc, *mockRevocationRepo, *mockCertRepo) {
+	revocationRepo := newMockRevocationRepository()
+	certRepo := newMockCertificateRepository()
+	profileRepo := newMockProfileRepository()
+
+	caSvc := NewCAOperationsSvc(revocationRepo, certRepo, profileRepo)
+	caSvc.SetIssuerRegistry(map[string]IssuerConnector{
+		"iss-local": &mockIssuerConnector{},
+	})
+
+	return caSvc, revocationRepo, certRepo
+}
+
+func TestCAOperationsSvc_GenerateDERCRL_Success(t *testing.T) {
+	caSvc, revocationRepo, _ := newCAOperationsSvcTest()
+
+	// Add some revoked certificates to the repo
+	now := time.Now()
+	revocationRepo.Revocations = []*domain.CertificateRevocation{
+		{
+			SerialNumber:  "SERIAL-001",
+			CertificateID: "cert-1",
+			IssuerID:      "iss-local",
+			Reason:        "keyCompromise",
+			RevokedAt:     now.Add(-24 * time.Hour),
+			RevokedBy:     "admin",
+		},
+		{
+			SerialNumber:  "SERIAL-002",
+			CertificateID: "cert-2",
+			IssuerID:      "iss-local",
+			Reason:        "superseded",
+			RevokedAt:     now.Add(-12 * time.Hour),
+			RevokedBy:     "admin",
+		},
+	}
+
+	crl, err := caSvc.GenerateDERCRL("iss-local")
+
+	if err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+
+	if crl == nil {
+		t.Fatal("expected non-nil CRL")
+	}
+
+	if len(crl) == 0 {
+		t.Fatal("expected non-empty CRL")
+	}
+
+	t.Logf("DER CRL generated successfully: %d bytes", len(crl))
+}
+
+func TestCAOperationsSvc_GenerateDERCRL_EmptyCRL(t *testing.T) {
+	caSvc, revocationRepo, _ := newCAOperationsSvcTest()
+
+	// No revoked certs for this issuer
+	revocationRepo.Revocations = []*domain.CertificateRevocation{}
+
+	crl, err := caSvc.GenerateDERCRL("iss-local")
+
+	if err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+
+	if crl == nil {
+		t.Fatal("expected non-nil CRL even when empty")
+	}
+
+	if len(crl) == 0 {
+		t.Fatal("expected non-empty CRL bytes (at least the CRL structure)")
+	}
+
+	t.Logf("Empty DER CRL generated successfully: %d bytes", len(crl))
+}
+
+func TestCAOperationsSvc_GetOCSPResponse_Good(t *testing.T) {
+	caSvc, _, certRepo := newCAOperationsSvcTest()
+
+	// Add a non-revoked certificate
+	cert := &domain.ManagedCertificate{
+		ID:         "cert-ocsp-good",
+		CommonName: "good.example.com",
+		IssuerID:   "iss-local",
+		Status:     domain.CertificateStatusActive,
+		ExpiresAt:  time.Now().AddDate(1, 0, 0),
+	}
+	certRepo.AddCert(cert)
+
+	version := &domain.CertificateVersion{
+		ID:            "ver-ocsp-good",
+		CertificateID: "cert-ocsp-good",
+		SerialNumber:  "OCSP-GOOD-001",
+		NotBefore:     time.Now(),
+		NotAfter:      time.Now().AddDate(1, 0, 0),
+		CreatedAt:     time.Now(),
+	}
+	certRepo.Versions["cert-ocsp-good"] = []*domain.CertificateVersion{version}
+
+	// Request OCSP response for good cert
+	resp, err := caSvc.GetOCSPResponse("iss-local", "OCSP-GOOD-001")
+
+	if err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+
+	if resp == nil || len(resp) == 0 {
+		t.Fatal("expected non-empty OCSP response for good cert")
+	}
+
+	t.Logf("OCSP response for good cert generated: %d bytes", len(resp))
+}
+
+func TestCAOperationsSvc_GetOCSPResponse_Revoked(t *testing.T) {
+	caSvc, revocationRepo, certRepo := newCAOperationsSvcTest()
+
+	now := time.Now()
+
+	// Add a revoked certificate
+	cert := &domain.ManagedCertificate{
+		ID:               "cert-ocsp-revoked",
+		CommonName:       "revoked.example.com",
+		IssuerID:         "iss-local",
+		Status:           domain.CertificateStatusRevoked,
+		RevokedAt:        &now,
+		RevocationReason: "keyCompromise",
+		ExpiresAt:        time.Now().AddDate(1, 0, 0),
+	}
+	certRepo.AddCert(cert)
+
+	version := &domain.CertificateVersion{
+		ID:            "ver-ocsp-revoked",
+		CertificateID: "cert-ocsp-revoked",
+		SerialNumber:  "OCSP-REVOKED-001",
+		NotBefore:     time.Now().Add(-24 * time.Hour),
+		NotAfter:      time.Now().AddDate(1, 0, 0),
+		CreatedAt:     time.Now(),
+	}
+	certRepo.Versions["cert-ocsp-revoked"] = []*domain.CertificateVersion{version}
+
+	// Add revocation record
+	revocationRepo.Revocations = []*domain.CertificateRevocation{
+		{
+			SerialNumber:  "OCSP-REVOKED-001",
+			CertificateID: "cert-ocsp-revoked",
+			IssuerID:      "iss-local",
+			Reason:        "keyCompromise",
+			RevokedAt:     now.Add(-24 * time.Hour),
+			RevokedBy:     "admin",
+		},
+	}
+
+	// Request OCSP response for revoked cert
+	resp, err := caSvc.GetOCSPResponse("iss-local", "OCSP-REVOKED-001")
+
+	if err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+
+	if resp == nil || len(resp) == 0 {
+		t.Fatal("expected non-empty OCSP response for revoked cert")
+	}
+
+	t.Logf("OCSP response for revoked cert generated: %d bytes", len(resp))
+}