feat(M11c): crypto policy enforcement — CSR validation, MaxTTL caps, key metadata

Enforce certificate profile crypto constraints across all 5 issuance paths
(renewal, agent CSR, EST, SCEP). ValidateCSRAgainstProfile() rejects CSRs
with key algorithm/size that don't match profile rules. MaxTTL enforcement
caps certificate validity per issuer connector (Local CA, Vault, step-ca
enforce directly; ACME/DigiCert/Sectigo pass through). Key algorithm and
size are now persisted in certificate_versions for audit compliance.

16 new tests (12 service-layer + 4 Local CA connector). Removes hardcoded
version number from GUI sidebar. Documentation updated across architecture,
features, connectors, and README.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/service/agent_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/shankar0123/certctl/internal/domain"
 )
 
+
 func TestRegisterAgent(t *testing.T) {
 	ctx := context.Background()
 	agentRepo := &mockAgentRepo{
@@ -484,7 +485,7 @@ func TestSubmitCSR(t *testing.T) {
 
 	agentService := NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, nil)
 
-	csrPEM := "-----BEGIN CERTIFICATE REQUEST-----\ntest-csr\n-----END CERTIFICATE REQUEST-----"
+	csrPEM := generateTestCSR(t, "ECDSA", 256)
 	err := agentService.SubmitCSR(ctx, "agent-001", "cert-001", []byte(csrPEM))
 	if err != nil {
 		t.Fatalf("SubmitCSR failed: %v", err)