feat: add self-enrollment workflow for automated PKI provisioning

- Phase 1: CLI args (--enroll flag), enroll module skeleton, config support
- Phase 2: Registration request, polling loop (24h timeout), main.rs integration
- Phase 3: PKI extraction, atomic cert writing, whitelist auto-append, mTLS transition
- Phase 4: E2E test suite, README/DEPLOYMENT docs, CI pipeline
- Phase 5: SPEC.md, API_DOCUMENTATION.md, CHANGELOG.md, ROADMAP.md sync

Security review: APPROVED (0 critical, 0 high findings)
Cross-distro compatible: Debian/Ubuntu, RHEL/CentOS/Fedora, Alpine, Arch Linux

Cargo.toml

@@ -61,6 +61,10 @@ sysinfo = "0.30"
 
 # Network utilities
 addr = "0.15"
+if-addrs = "0.13"
+
+# HTTP client for enrollment communication
+reqwest = { version = "0.12", features = ["json", "rustls-tls"] }
 
 # Clap for CLI arguments
 clap = { version = "4", features = ["derive", "env"] }
@@ -69,6 +73,12 @@ clap = { version = "4", features = ["derive", "env"] }
 systemd = "0.10"
 pidlock = "0.2"
 
+# URL parsing
+url = "2"
+
+# File locking for concurrent-safe whitelist modifications
+fs2 = "0.4"
+
 [dev-dependencies]
 actix-rt = "2"
 tokio-test = "0.4"
@@ -77,6 +87,19 @@ serial_test = "3"
 tempfile = "3"
 criterion = { version = "0.5", features = ["html_reports"] }
 
+# Integration tests in subdirectories
+[[test]]
+name = "enroll_identity"
+path = "tests/unit/enroll_identity.rs"
+
+[[test]]
+name = "enrollment_test"
+path = "tests/integration/enrollment_test.rs"
+
+[[test]]
+name = "enrollment_e2e"
+path = "tests/e2e/test_enrollment_e2e.rs"
+
 [[bench]]
 name = "api_benchmarks"
 harness = false