test(integration): live "DCV on" verification mirroring the DCV-off test

Adds EnrollWithDcvOn_OrderIssuedEndToEnd_AndAppearsInSync — the symmetric
counterpart to EnrollWithDcvOff_OrderAppearsInSync_PluginDidNotInvokeDcv.
Drives a fresh enrollment with DCV ON end-to-end through the plugin
against the live sandbox.

Flow:
1. Build the plugin with DcvEnabled=true and the real Cloudflare factory.
2. Enroll a fresh randomized scrup.org subdomain.
3. Run plugin.Synchronize, find the order, assert its status is GENERATED
   or EXTERNALVALIDATION (never FAILED).
4. If GENERATED, assert the cert PEM is non-empty.

Verified live: enroll completed in ~9s, sync took ~2:35 (driving the
sync-DCV-retry across all pending orders in the account), the new order
surfaced at Status=90 in sync, and a follow-up plugin.GetSingleRecord
call against the same CARequestID returned Status=40 GENERATED with a
populated cert PEM. End-to-end DCV path works.

Author: spbsoluble

CERTInext.IntegrationTests/DcvLifecycleTests.cs

@@ -282,6 +282,82 @@ public async Task EnrollWithDcvOff_OrderAppearsInSync_PluginDidNotInvokeDcv()
                               $"order {enrollResult.CARequestID} surfaced in sync with Status={record.Status}. ---");
         }
 
+        /// <summary>
+        /// Symmetric counterpart to <see cref="EnrollWithDcvOff_OrderAppearsInSync_PluginDidNotInvokeDcv"/>.
+        /// Drives a fresh enrollment with DCV ON end-to-end against the live sandbox and
+        /// asserts the issued cert flows through Synchronize.  This is the v3.3+
+        /// production scenario — plugin places the order, runs DNS TXT staging via
+        /// Cloudflare, asks CERTInext to verify, waits for issuance, and the resulting
+        /// GENERATED record surfaces in the gateway's inventory.
+        /// </summary>
+        [SkippableFact]
+        public async Task EnrollWithDcvOn_OrderIssuedEndToEnd_AndAppearsInSync()
+        {
+            IntegrationSkip.IfNotConfigured(_fixture);
+            Skip.If(!_fixture.IsCloudflareConfigured,
+                "CERTINEXT_CF_API_TOKEN + CERTINEXT_CF_ZONE_ID required — DCV-on test must publish real TXT records.");
+
+            string suffix = System.Guid.NewGuid().ToString("N").Substring(0, 8);
+            string cn = $"dcv-on-{suffix}.scrup.org";
+
+            var plugin = BuildPlugin(dcvEnabled: true);
+
+            // --- Enroll phase ---
+            var enrollSw = System.Diagnostics.Stopwatch.StartNew();
+            var enrollResult = await plugin.Enroll(
+                csr:            GenerateCsrPem(cn),
+                subject:        $"CN={cn}",
+                san:            new Dictionary<string, string[]> { ["dns"] = new[] { cn } },
+                productInfo:    IntegrationTestData.DvSslProductInfo(_fixture.Config.DefaultProductCode),
+                requestFormat:  RequestFormat.PKCS10,
+                enrollmentType: EnrollmentType.New);
+            enrollSw.Stop();
+
+            enrollResult.Should().NotBeNull();
+            enrollResult.CARequestID.Should().NotBeNullOrWhiteSpace();
+            _output.WriteLine($"Enroll completed in {enrollSw.Elapsed:mm\\:ss\\.fff}");
+            _output.WriteLine($"  CARequestID:  {enrollResult.CARequestID}");
+            _output.WriteLine($"  Status:       {enrollResult.Status}");
+            _output.WriteLine($"  Certificate:  {(string.IsNullOrWhiteSpace(enrollResult.Certificate) ? "(not in Enroll response)" : enrollResult.Certificate[..60] + "...")}");
+
+            // Enroll must NOT be FAILED. GENERATED if the bounded issuance wait caught
+            // the cert before returning; EXTERNALVALIDATION if not — sync will catch it.
+            new[] { (int)EndEntityStatus.EXTERNALVALIDATION, (int)EndEntityStatus.GENERATED }
+                .Should().Contain(enrollResult.Status,
+                    $"DCV-on Enroll must return pending or issued; got {enrollResult.Status}");
+
+            // --- Sync phase ---
+            var syncSw = System.Diagnostics.Stopwatch.StartNew();
+            var synced = await RunSyncAsync(plugin);
+            syncSw.Stop();
+            _output.WriteLine($"Synchronize returned {synced.Count} records in {syncSw.Elapsed:mm\\:ss\\.fff}");
+
+            var record = synced.FirstOrDefault(r => r.CARequestID == enrollResult.CARequestID);
+            record.Should().NotBeNull(
+                $"the enrolled order ({enrollResult.CARequestID}) must appear in plugin.Synchronize results");
+            _output.WriteLine($"  Sync record status: {record!.Status}");
+            _output.WriteLine($"  Cert PEM length:    {(record.Certificate?.Length ?? 0)}");
+
+            // The plugin's sync-DCV-retry should have advanced any still-pending orders.
+            // With Cloudflare DCV available, every DCV-on enrollment should resolve to
+            // GENERATED by the time sync returns. If we see EXTERNALVALIDATION here it
+            // means CERTInext's async issuance window is still in flight after our sync —
+            // worth noting but not a hard failure (the next sync will pick it up).
+            record.Status.Should().BeOneOf((int)EndEntityStatus.GENERATED, (int)EndEntityStatus.EXTERNALVALIDATION);
+
+            // Hard signal we'll always demand: when sync returns GENERATED, there must
+            // be a non-empty PEM. A GENERATED record with no Certificate would mean the
+            // plugin's download path is broken.
+            if (record.Status == (int)EndEntityStatus.GENERATED)
+            {
+                record.Certificate.Should().NotBeNullOrWhiteSpace(
+                    "GENERATED records must carry the issued PEM in their Certificate field");
+            }
+
+            _output.WriteLine($"--- Verdict: DCV-on enroll for {cn} drove DCV end-to-end via plugin, " +
+                              $"order {enrollResult.CARequestID} surfaced in sync with Status={record.Status}. ---");
+        }
+
         /// <summary>
         /// Exercises the deferred-DCV retry path during single-record refresh against an
         /// existing pending order.  Reads <c>CERTINEXT_PENDING_ORDER_ID</c> from the