Closes out the theming rollout and fixes a long-standing 500.
Theming — component layer (Phase 9)
The R-3 component definitions in input.css were the last token blind spot: the --check codemod gate scans class="...", not @apply rules, so .card, .form-input/.form-select/.form-label, .btn-secondary, .btn-ghost, .nav-active and .nav-inactive still carried raw gray/blue classes. They now use the tokens (.card -> bg-surface/border-border is an exact match). Adds a theme-aware accent token (blue-600 -> blue-400 on dark) so .nav-active no longer hard-codes blue.
Call-site adoption of .btn/.form-* was intentionally not done — the inline sites are already tokenised and forcing the components would shift button sizing for no decoupling gain. .btn-danger and .badge-* stay literal (action/status colours).
Fix — dead UI routes (was 500)
/certificates and /audit rendered templates that never existed and 500'd on every request. They now redirect to the unified views (/ and /activity respectively), mirroring the existing /client-certificates alias.
Verification
Full E2E gate green on both merged branches: Docker smoke + CSP/auth/settings/pages/backup (incl. new redirect tests) + real Let's Encrypt issuance and renewal over Cloudflare DNS-01 (90/90). No upgrade steps required.