docs: synchronize project documentation with codebase

Implements 3 deferred security tickets (TICKET-003, TICKET-007, TICKET-010)
and performs comprehensive documentation audit to eliminate drift between
code and docs.

Code changes:
- TICKET-003: Repository integration tests with testcontainers-go (50+ subtests)
- TICKET-007: CertificateService decomposition into RevocationSvc + CAOperationsSvc
- TICKET-010: Request body size limits via http.MaxBytesReader middleware
- Fix missing slog import in certificate.go after service decomposition

Documentation updates:
- README: Fix endpoint count (97→93), expand env var reference (15→39 vars)
- CLAUDE.md: Fix OpenAPI operation count (85→93), update file locations
- architecture.md: Add body size limits section, middleware chain ordering
- CONTRIBUTING.md: New contributor guide with architecture conventions,
  test patterns, middleware ordering, CI thresholds
- SECURITY_REMEDIATION.md: Removed from repo (moved to cowork, gitignored)
- Test files: Add doc comments to all new test files

Documentation that should exist but doesn't yet:
- Architecture diagrams (C4 model or similar)
- Threat model document
- Testing philosophy guide
- Disaster recovery runbook
- Upgrade guide (migration between versions)
- API versioning strategy document

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/service/revocation_test.go

@@ -14,15 +14,27 @@ func newRevocationTestService() (*CertificateService, *mockCertRepo, *mockRevoca
 	auditRepo := newMockAuditRepository()
 	policyRepo := newMockPolicyRepository()
 	revocationRepo := newMockRevocationRepository()
+	profileRepo := newMockProfileRepository()
 
 	auditService := NewAuditService(auditRepo)
 	policyService := NewPolicyService(policyRepo, auditService)
-	certService := NewCertificateService(certRepo, policyService, auditService)
-	certService.SetRevocationRepo(revocationRepo)
-	certService.SetIssuerRegistry(map[string]IssuerConnector{
+
+	// Create RevocationSvc
+	revSvc := NewRevocationSvc(certRepo, revocationRepo, auditService)
+	revSvc.SetIssuerRegistry(map[string]IssuerConnector{
 		"iss-local": &mockIssuerConnector{},
 	})
 
+	// Create CAOperationsSvc
+	caSvc := NewCAOperationsSvc(revocationRepo, certRepo, profileRepo)
+	caSvc.SetIssuerRegistry(map[string]IssuerConnector{
+		"iss-local": &mockIssuerConnector{},
+	})
+
+	certService := NewCertificateService(certRepo, policyService, auditService)
+	certService.SetRevocationSvc(revSvc)
+	certService.SetCAOperationsSvc(caSvc)
+
 	return certService, certRepo, revocationRepo, auditRepo
 }
 
@@ -229,9 +241,9 @@ func TestRevokeCertificate_NoVersion(t *testing.T) {
 func TestRevokeCertificate_WithIssuerNotification(t *testing.T) {
 	svc, certRepo, revocationRepo, _ := newRevocationTestService()
 
-	// Wire up issuer registry with mock
+	// Wire up issuer registry on RevocationSvc with mock
 	mockIssuer := &mockIssuerConnector{}
-	svc.SetIssuerRegistry(map[string]IssuerConnector{
+	svc.revSvc.SetIssuerRegistry(map[string]IssuerConnector{
 		"iss-local": mockIssuer,
 	})
 
@@ -264,10 +276,10 @@ func TestRevokeCertificate_WithIssuerNotification(t *testing.T) {
 func TestRevokeCertificate_WithNotificationService(t *testing.T) {
 	svc, certRepo, _, _ := newRevocationTestService()
 
-	// Wire up notification service
+	// Wire up notification service on RevocationSvc
 	notifRepo := newMockNotificationRepository()
 	notifService := NewNotificationService(notifRepo, make(map[string]Notifier))
-	svc.SetNotificationService(notifService)
+	svc.revSvc.SetNotificationService(notifService)
 
 	cert := &domain.ManagedCertificate{
 		ID:         "cert-8",