Sync docs and fix flaky renewal e2e test

- ARCHITECTURE.md: add Vault Endpoints section, /unseal UI page,
  vault_sealed/vault_unsealed audit events, sealed interceptor in
  gRPC chain
- openapi.yaml: add /v1/vault/{status,unseal,seal} endpoints, update
  /v1/health sealed-state docs, add VaultSealed response component,
  add vault audit event types and Admin — Vault tag
- web/static/openapi.yaml: kept in sync with root
- test/e2e: increase renewal test token lifetime from 2s to 10s
  (sleep 6s) to eliminate race between token expiry and HTTP round-trip

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-15 00:39:41 -07:00
parent d87b4b4042
commit b1b52000c4
3 changed files with 164 additions and 9 deletions


@@ -227,9 +227,11 @@ func TestE2ETokenRenewal(t *testing.T) {
e := newTestEnv(t)
acct := e.createAccount(t, "bob")
// Issue a short-lived token (2s) directly so we can wait past the 50%
// Issue a short-lived token (10s) directly so we can wait past the 50%
// renewal threshold (SEC-03) without blocking the test for minutes.
oldToken, claims, err := token.IssueToken(e.privKey, e2eIssuer, acct.UUID, nil, 2*time.Second)
// 10s gives ample headroom: we sleep 6s (>50%), leaving 4s for the HTTP
// round-trip before expiry — eliminating the race that plagued the 2s token.
oldToken, claims, err := token.IssueToken(e.privKey, e2eIssuer, acct.UUID, nil, 10*time.Second)
if err != nil {
t.Fatalf("IssueToken: %v", err)
}
@@ -237,8 +239,8 @@ func TestE2ETokenRenewal(t *testing.T) {
t.Fatalf("TrackToken: %v", err)
}
// Wait for >50% of the 2s lifetime to elapse.
time.Sleep(1100 * time.Millisecond)
// Wait for >50% of the 10s lifetime to elapse.
time.Sleep(6 * time.Second)
// Renew.
resp2 := e.do(t, "POST", "/v1/auth/renew", nil, oldToken)
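Review bot: The 10s lifetime passed to `token.IssueToken` and the 6s `time.Sleep` are two independent literals, so the ">50% of lifetime" relationship that the SEC-03 renewal threshold depends on is held together only by the comments. A later edit to either value could move the renew call before the threshold or past expiry without any compile-time signal. Declaring the lifetime once, e.g. `const lifetime = 10 * time.Second`, and sleeping `lifetime/2 + time.Second` keeps the two tied. The test also still depends on wall-clock time, so the 4s margin narrows the race on a loaded runner rather than eliminating it as the new comment says; an injectable clock would remove it, if the token package supports one (not visible here). TestE2ETokenRenewal starts before and continues after these hunks.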