feat(scep): per-issuer SCEP profiles — multi-endpoint dispatch

SCEP RFC 8894 + Intune master bundle — Phase 1.5 of 14.

Restructures SCEPConfig from a single flat struct (one IssuerID + one
RA pair + one challenge password) to a Profiles slice where each
profile binds its own URL path (/scep/<pathID>), issuer, optional
CertificateProfile, RA cert+key, and challenge password.

This phase is the FOUNDATION for Phases 2-12: every downstream handler
signature, service envelope, CertRep builder, GUI counter, and test
fixture takes a profile_id parameter from here on. Adding multi-profile
support post-bundle would cost 3x what greenfielding it now does.

Backward compat: legacy CERTCTL_SCEP_* flat env vars synthesise a
single-element Profiles[0] with PathID="" (legacy /scep root) when
CERTCTL_SCEP_PROFILES is unset. Existing operators see no behavior
change. New operators write multi-profile config directly via the
indexed env-var form.

Indexed env-var convention:
  CERTCTL_SCEP_PROFILES=corp,iot,server
  CERTCTL_SCEP_PROFILE_CORP_ISSUER_ID=iss-corp-laptop
  CERTCTL_SCEP_PROFILE_CORP_PROFILE_ID=prof-corp-tls
  CERTCTL_SCEP_PROFILE_CORP_CHALLENGE_PASSWORD=...
  CERTCTL_SCEP_PROFILE_CORP_RA_CERT_PATH=/etc/certctl/scep/corp-ra.crt
  CERTCTL_SCEP_PROFILE_CORP_RA_KEY_PATH=/etc/certctl/scep/corp-ra.key
  ... (etc per profile name)

internal/config/config.go
  * SCEPConfig.Profiles []SCEPProfileConfig — primary multi-profile
    dispatch source.
  * Legacy flat fields (IssuerID, ProfileID, ChallengePassword,
    RACertPath, RAKeyPath) preserved with updated docblocks marking
    them as merge sources for the backward-compat shim.
  * SCEPProfileConfig new struct (PathID, IssuerID, ProfileID,
    ChallengePassword, RACertPath, RAKeyPath).
  * loadSCEPProfilesFromEnv: reads CERTCTL_SCEP_PROFILES (comma-list
    of names), expands each to per-profile env vars
    CERTCTL_SCEP_PROFILE_<NAME>_*. Returns nil when unset so the
    legacy-shim path takes over.
  * mergeSCEPLegacyIntoProfiles: when SCEP enabled + Profiles empty +
    any legacy flat field populated, synthesises Profiles[0] with
    PathID="". No-op when Profiles already populated (structured form
    wins) or SCEP disabled.
  * validSCEPPathID: empty allowed (legacy /scep root); non-empty
    must be [a-z0-9-] with no leading/trailing hyphen.
  * Per-profile Validate gates: PathID format, uniqueness across the
    slice, ChallengePassword presence (CWE-306 per profile), RA pair
    presence (RFC 8894 §3.2.2), IssuerID presence.
  * Legacy single-profile gates skip when Profiles is non-empty so
    the per-profile loop owns the gating in the structured case
    (avoids double-fire with overlapping error messages).

internal/api/router/router.go
  * RegisterSCEPHandlers signature: map[string]handler.SCEPHandler
    (was a single SCEPHandler).
  * Empty PathID handler registered with literal r.Register('GET /scep'
    + 'POST /scep') so the openapi-parity AST scanner (Bundle D /
    Audit M-027) continues to see the documented /scep route. Without
    this preservation, the parity test fails because dynamic
    string-built routes don't appear in *ast.BasicLit walks.
  * Non-empty PathIDs registered dynamically as /scep/<pathID>.
  * AuthExempt prefix /scep already covers all /scep[/...] paths via
    prefix match — no change needed there.

cmd/server/main.go
  * SCEP startup block iterates cfg.SCEP.Profiles, builds one service
    + one handler per profile, stuffs them into a {pathID -> handler}
    map, hands the map to apiRouter.RegisterSCEPHandlers.
  * Per-profile preflight: preflightSCEPChallengePassword,
    preflightSCEPRACertKey, preflightEnrollmentIssuer fire ONCE PER
    PROFILE with a profile-scoped slog.Logger so failures report
    PathID + IssuerID. Each per-profile failure os.Exits(1) with a
    targeted error message.
  * Final 'SCEP server enabled' info log reports profile_count.

internal/config/config_scep_profiles_test.go (new, 9 tests / 22 sub-cases)
  * TestSCEPConfig_LegacyFlatFields_SynthesizeSingleProfile — the
    backward-compat smoke test.
  * TestSCEPConfig_MultipleProfiles_LoadFromEnv — structured-form
    happy path with two profiles.
  * TestSCEPConfig_StructuredFormBeatsLegacy — when both forms set,
    structured wins; legacy flat field MUST NOT leak into
    Profiles[0].ChallengePassword.
  * TestSCEPConfig_PathIDValidation — 13 sub-cases covering valid +
    every reject mode (uppercase, slash, leading/trailing hyphen,
    underscore, dot, space, non-ASCII).
  * TestSCEPConfig_DuplicatePathID_Refuses.
  * TestSCEPConfig_MissingPerProfileChallengePassword,
    _MissingPerProfileRAPair (3 sub-cases),
    _MissingPerProfileIssuerID — per-profile gate triplet.
  * TestSCEPConfig_DisabledIgnoresProfiles — gates only fire when
    SCEP is enabled.

internal/api/router/router_scep_profiles_test.go (new, 4 tests)
  * TestRouter_RegisterSCEPHandlers_LegacyEmptyPathIDMapsToRoot —
    empty PathID gets /scep root; both GET + POST routes registered.
  * TestRouter_RegisterSCEPHandlers_NonEmptyPathIDMapsToSubpath —
    non-empty PathID gets /scep/<pathID>; /scep root NOT registered
    when no empty-PathID profile exists.
  * TestRouter_RegisterSCEPHandlers_MultipleProfilesNoCrossBleed —
    three profiles (default, corp, iot); each path reaches the right
    handler instance, verified via per-profile-tagged GetCACaps mock
    response.
  * TestRouter_RegisterSCEPHandlers_EmptyMapRegistersNoRoutes — no
    profiles → no /scep routes (deploy with SCEP disabled).

Verification:
  * gofmt clean for the files I touched.
  * go vet clean across config / router / cmd/server / domain.
  * go test -short -count=1 green across config / router / cmd/server /
    api/handler / service / domain / pkcs7.
  * Coverage held: handler 79.0% / service 73.2% / pkcs7 100% /
    config 96.0% / domain 88.6% / router 100% / cmd/server 19.2%.
  * openapi-parity test green (literal /scep registrations preserved).

Phase 1.5 of 14 in SCEP RFC 8894 + Intune master bundle.
Living progress at cowork/scep-rfc8894-intune/progress.md.

internal/api/router/router.go

@@ -376,16 +376,53 @@ func (r *Router) RegisterESTHandlers(est handler.ESTHandler) {
 }
 
 // RegisterSCEPHandlers sets up SCEP (RFC 8894) routes.
-// SCEP uses a single endpoint with operation-based dispatch via query parameters.
-// Authentication is via the challengePassword attribute in the PKCS#10 CSR, not
-// via HTTP Bearer tokens or TLS client certs. cmd/server/main.go's finalHandler
-// routes /scep* through the no-auth middleware chain (M-001 audit 2026-04-19,
-// option D), and Config.Validate() refuses to start the server if SCEP is enabled
-// without a non-empty CERTCTL_SCEP_CHALLENGE_PASSWORD (H-2, CWE-306).
-func (r *Router) RegisterSCEPHandlers(scep handler.SCEPHandler) {
-	// SCEP uses a single path; the handler dispatches on ?operation= query param
-	r.Register("GET /scep", http.HandlerFunc(scep.HandleSCEP))
-	r.Register("POST /scep", http.HandlerFunc(scep.HandleSCEP))
+// SCEP uses a single endpoint per profile with operation-based dispatch via
+// query parameters. Authentication is via the challengePassword attribute in
+// the PKCS#10 CSR, not via HTTP Bearer tokens or TLS client certs.
+// cmd/server/main.go's finalHandler routes /scep* through the no-auth
+// middleware chain (M-001 audit 2026-04-19, option D), and Config.Validate()
+// refuses to start the server if any SCEP profile is enabled without a
+// non-empty challenge password (H-2, CWE-306).
+//
+// SCEP RFC 8894 Phase 1.5: the handlers map is keyed by SCEPProfileConfig.PathID.
+// Empty PathID maps to the legacy /scep root for backward compatibility;
+// non-empty PathID values map to /scep/<pathID>. Registering N profiles
+// produces 2N routes (GET + POST per profile). Validate() guards PathID
+// uniqueness + slug-shape so this loop never gets a collision or an invalid
+// path segment.
+//
+// The auth-exempt prefix `/scep` in AuthExemptDispatchPrefixes already covers
+// every /scep[/...] path via prefix-match, so the multi-profile routes inherit
+// the no-auth dispatch from the same dispatch table — no router-side change
+// to the auth-exempt list is required.
+func (r *Router) RegisterSCEPHandlers(handlers map[string]handler.SCEPHandler) {
+	// Legacy /scep route for the empty-PathID profile is registered with
+	// literal strings so the openapi-parity scanner (Bundle D / Audit M-027,
+	// see openapi_parity_test.go) sees `GET /scep` + `POST /scep` as
+	// AST literals exactly the way it did pre-Phase-1.5. The scanner walks
+	// for *ast.BasicLit string args to r.Register, so dynamically-built
+	// paths would not appear in its index. Keeping the empty-PathID case
+	// static preserves the spec parity contract for the documented
+	// /scep endpoint that openapi.yaml still describes.
+	if h, ok := handlers[""]; ok {
+		r.Register("GET /scep", http.HandlerFunc(h.HandleSCEP))
+		r.Register("POST /scep", http.HandlerFunc(h.HandleSCEP))
+	}
+	// Multi-profile routes register dynamically. These per-deployment paths
+	// (/scep/<pathID>) aren't in openapi.yaml because the path segment is
+	// operator-defined; the spec covers the canonical /scep root only. The
+	// parity scanner correctly skips dynamic routes (it only checks literals).
+	for pathID, h := range handlers {
+		if pathID == "" {
+			continue // already handled by the static block above
+		}
+		hCopy := h // h is captured by value — SCEPHandler is a small struct
+		// (one interface field) so the per-iteration copy is cheap and avoids
+		// any loop-variable-capture surprise if SCEPHandler ever grows
+		// pointer receivers in the future.
+		r.Register("GET /scep/"+pathID, http.HandlerFunc(hCopy.HandleSCEP))
+		r.Register("POST /scep/"+pathID, http.HandlerFunc(hCopy.HandleSCEP))
+	}
 }
 
 // RegisterPKIHandlers sets up RFC 5280 CRL and RFC 6960 OCSP routes under