feat(M11c): crypto policy enforcement — CSR validation, MaxTTL caps, key metadata

Enforce certificate profile crypto constraints across all 5 issuance paths
(renewal, agent CSR, EST, SCEP). ValidateCSRAgainstProfile() rejects CSRs
with key algorithm/size that don't match profile rules. MaxTTL enforcement
caps certificate validity per issuer connector (Local CA, Vault, step-ca
enforce directly; ACME/DigiCert/Sectigo pass through). Key algorithm and
size are now persisted in certificate_versions for audit compliance.

16 new tests (12 service-layer + 4 Local CA connector). Removes hardcoded
version number from GUI sidebar. Documentation updated across architecture,
features, connectors, and README.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/connector/issuer/openssl/openssl.go

@@ -148,6 +148,14 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
 		"common_name", request.CommonName,
 		"san_count", len(request.SANs))
 
+	// MaxTTLSeconds is advisory for script-based issuers — the sign script controls validity.
+	// Log a warning so operators know the profile TTL cap isn't enforced server-side.
+	if request.MaxTTLSeconds > 0 {
+		c.logger.Warn("MaxTTLSeconds specified but OpenSSL/custom CA delegates signing to external script; TTL cap is advisory only",
+			"max_ttl_seconds", request.MaxTTLSeconds,
+			"common_name", request.CommonName)
+	}
+
 	// Write CSR to a temporary file
 	csrFile, err := c.writeTempFile([]byte(request.CSRPEM), "csr-")
 	if err != nil {