Fix ECDH zeroization, add audit logging, and remediate high findings

- Fix #61: handleRotateKey and handleDeleteUser now zeroize stored
  privBytes instead of calling Bytes() (which returns a copy). New
  state populates privBytes; old references nil'd for GC.
- Add audit logging subsystem (internal/audit) with structured event
  recording for cryptographic operations.
- Add audit log engine spec (engines/auditlog.md).
- Add ValidateName checks across all engines for path traversal (#48).
- Update AUDIT.md: all High findings resolved (0 open).
- Add REMEDIATION.md with detailed remediation tracking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/engine/ca/profiles.go

@@ -29,11 +29,13 @@ func GetProfile(name string) (certgen.Profile, bool) {
 	}
 	// Return a copy so callers can modify.
 	cp := certgen.Profile{
-		IsCA:         p.IsCA,
-		PathLen:      p.PathLen,
-		Expiry:       p.Expiry,
-		KeyUse:       make([]string, len(p.KeyUse)),
-		ExtKeyUsages: make([]string, len(p.ExtKeyUsages)),
+		IsCA:                  p.IsCA,
+		PathLen:               p.PathLen,
+		Expiry:                p.Expiry,
+		KeyUse:                make([]string, len(p.KeyUse)),
+		ExtKeyUsages:          make([]string, len(p.ExtKeyUsages)),
+		OCSPServer:            append([]string(nil), p.OCSPServer...),
+		IssuingCertificateURL: append([]string(nil), p.IssuingCertificateURL...),
 	}
 	copy(cp.KeyUse, p.KeyUse)
 	copy(cp.ExtKeyUsages, p.ExtKeyUsages)