feat(M50): cloud secret manager discovery — AWS SM, Azure KV, GCP SM

Extend certificate discovery from filesystem + network to cloud secret
managers. Three pluggable DiscoverySource connectors feed into the
existing discovery pipeline via sentinel agent pattern, with a 9th
scheduler loop for periodic cloud scanning.

- AWS Secrets Manager: aws-sdk-go-v2, tag/prefix filtering, 10 tests
- Azure Key Vault: stdlib HTTP + OAuth2, base64 DER/PEM, 16 tests
- GCP Secret Manager: stdlib HTTP + JWT OAuth2, label filter, 14 tests
- CloudDiscoveryService orchestrator with 9 tests
- 9th scheduler loop (6h default, atomic.Bool idempotency)
- Discovery page: color-coded source type badges
- 14 new env vars across CloudDiscoveryConfig structs
- Docs: connectors.md, architecture.md, features.md, README updated

49 new tests. All CI checks pass (go vet, race, lint, coverage).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Author: shankar0123
Date: 2026-04-15 23:01:00 -04:00
parent 3f619bcaac
commit e1bcde4cf1
19 changed files with 3791 additions and 24 deletions
@@ -1,6 +1,7 @@
package domain
import (
"context"
"time"
)
@@ -111,3 +112,17 @@ type DiscoveredCertEntry struct {
SourcePath string `json:"source_path"`
SourceFormat string `json:"source_format"`
}
// DiscoverySource defines the interface for pluggable certificate discovery sources.
// Each source (filesystem, network, cloud) implements this interface to discover
// certificates from a specific backend and produce a DiscoveryReport.
type DiscoverySource interface {
// Name returns a human-readable name for this discovery source (e.g., "AWS Secrets Manager").
Name() string
// Type returns a short type identifier (e.g., "aws-sm", "azure-kv", "gcp-sm").
Type() string
// Discover scans the source and returns a DiscoveryReport with found certificates.
Discover(ctx context.Context) (*DiscoveryReport, error)
// ValidateConfig checks that the source is properly configured.
ValidateConfig() error
}
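Review bot: the doc comment on DiscoverySource ("Each source (filesystem, network, cloud) implements this interface") claims more than this commit delivers: the commit message names only the three cloud connectors (AWS SM, Azure KV, GCP SM) as DiscoverySource implementations, so either reword the comment to say the interface is currently implemented by the cloud connectors, or note the filesystem/network migration as follow-up work. Two smaller points on the same hunk: Type() returns a free-form string that the Discovery page badge color-coding keys on, so exported constants for "aws-sm", "azure-kv" and "gcp-sm" would keep the identifiers from drifting between the connectors and the UI; and the Discover contract should state whether a non-nil *DiscoveryReport may accompany a non-nil error (a partial report when some secrets cannot be read), since the scheduler loop that calls it needs to know whether such a report is safe to persist.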