feat(scripts): stage 02 per-env product codes; document SignerPlace + code mapping

- Add PRODUCT_CODE_MAP_JSON to stage 02 so each Templates[] entry carries the
  correct per-environment CERTInext ProductCode. The plugin's built-in defaults
  are production codes (e.g. DV SSL=838); sandbox accounts use different codes
  (842-851) which the gateway validates at config-PUT time.
- Fix a ${VAR:-{}} brace-default bug that appended a stray '}' to a set value
  (broke --argjson when PRODUCT_CODE_MAP_JSON was provided).
- Document in scripts/register/README.md: product codes are per-environment
  (names are stable), SignerPlace is required by CERTInext (no fallback), and
  /config/configuration has no GET so PUT replaces the full object.

Verified end-to-end: a Command PFX enrollment for AnyCA_DV SSL now reaches
CERTInext and parks at EXTERNAL_VALIDATION (DCV off), instead of failing on a
missing template mapping.

Author: spbsoluble

scripts/register/02-gateway-ca-config.sh

@@ -34,7 +34,17 @@ MANIFEST="${MANIFEST:-$REPO_ROOT/integration-manifest.json}"
 DRY_RUN="${DRY_RUN:-0}"
 GATEWAY_LOGICAL_NAME="${GATEWAY_LOGICAL_NAME:-$CONFIGURATION_TENANT}"
 GATEWAY_CERT_FILE="${GATEWAY_CERT_FILE:-$REPO_ROOT/certinext-sandbox-chain.pem}"
-TEMPLATE_PARAMS_JSON="${TEMPLATE_PARAMS_JSON:-{}}"
+# NOTE: do not use ${VAR:-{}} — the first } closes the expansion, appending a
+# stray } when VAR is set. Guard with an explicit empty check instead.
+[ -n "${TEMPLATE_PARAMS_JSON:-}" ] || TEMPLATE_PARAMS_JSON='{}'
+# Per-product CERTInext product code overrides, keyed by product_id, e.g.
+#   {"DV SSL":"842","OV SSL":"846"}. CERTInext numeric product codes are
+# PER-ENVIRONMENT (the plugin's built-in defaults are PRODUCTION codes like
+# 838; sandbox accounts use different codes). When a product_id has an entry
+# here, Parameters.ProductCode is set so the gateway validates against a code
+# that exists in the target account. Discover codes via GetProductDetails
+# (scripts/get-product-details.sh). Products not listed fall back to defaults.
+[ -n "${PRODUCT_CODE_MAP_JSON:-}" ] || PRODUCT_CODE_MAP_JSON='{}'
 FULL_SCAN_MINUTES="${FULL_SCAN_MINUTES:-720}"
 INCR_SCAN_MINUTES="${INCR_SCAN_MINUTES:-5}"
 
@@ -89,7 +99,10 @@ fi
 # --- Templates[] (one per product_id) ---------------------------------------
 TEMPLATES="$(manifest_product_ids "$MANIFEST" | jq -R . | jq -s \
     --argjson params "$TEMPLATE_PARAMS_JSON" \
-    '[.[] | {ProductID: ., CertificateProfile: ., Parameters: $params}]')"
+    --argjson codes "$PRODUCT_CODE_MAP_JSON" \
+    '[.[] | . as $p
+      | {ProductID: $p, CertificateProfile: $p,
+         Parameters: ($params + (if $codes[$p] then {ProductCode: $codes[$p]} else {} end))}]')"
 
 # --- Assemble configuration body --------------------------------------------
 BODY="$(jq -n \

scripts/register/README.md

@@ -87,6 +87,35 @@ make register-enrollment          # stage 06: patterns + KeyRetention=Indefinite
 
 Per-stage env knobs are documented in each script's header comment.
 
+## Stage 02 — gateway CA config (verified 2026-06-09)
+
+The gateway CA config (`PUT /<instance>/config/configuration`) is what maps each
+product to a certificate profile so enrollment can resolve a CA. Two things bite:
+
+- **Product codes are per-environment.** The plugin's built-in `DefaultProductCodes`
+  are PRODUCTION codes (e.g. `DV SSL` → `838`). A sandbox account has different
+  numeric codes (e.g. `842`–`851`) and the gateway validates them at PUT time —
+  you'll get `Profile '838' was not found in CERTInext. Available profiles: …`.
+  Set `PRODUCT_CODE_MAP_JSON` (product_id → code) so each `Templates[].Parameters`
+  carries the right `ProductCode`. Discover codes via `scripts/get-product-details.sh`.
+  Product **IDs/names** are stable across environments; only the numeric codes differ.
+- **`SignerPlace` is required by CERTInext** for every order. It has no fallback
+  (unlike `SignerIp`, which defaults to `127.0.0.1`). If it's absent the order
+  fails with a generic `certificate request failed … see CA logs`. Provide it via
+  `CERTINEXT_SIGNER_PLACE` (the test fixture uses `"Gateway"`); the stage assembles
+  it into `CAConnection`.
+- The gateway has **no GET** for `/config/configuration` (405, POST/PUT only) — it's
+  not introspectable, so a PUT sends the FULL object. Stage 02 rebuilds `CAConnection`
+  from the `CERTINEXT_*` env vars; make sure those match the account the CA uses, or
+  you'll change the live connection. (A successful PUT means the creds validated.)
+
+```sh
+export GATEWAY_LOGICAL_NAME=CertiNext           # the live CA's LogicalName
+export CERTINEXT_SIGNER_PLACE=Gateway
+export PRODUCT_CODE_MAP_JSON='{"DV SSL":"842","OV SSL":"846", ...}'
+make register-ca-config
+```
+
 ## Stage 06 — Command EnrollmentPatterns schema (verified 2026-06-09)
 
 The `/KeyfactorProxy/EnrollmentPatterns` (API v1) POST body that works — the stub