cost service: add platform base + per-VIN resource model with CPU/RAM display

- Updated cost model to show: (Platform Base) + (Per-VIN × VINs)
- Platform base: 176 cores / 896GB RAM (Kafka, ClickHouse, MongoDB, Redis, PostgreSQL, gateway, monitoring)
- Per-VIN marginal: 50mc / 82MB per vehicle
- Added RESOURCE USAGE MODEL and COST FORMULA sections to report
- Added CPU (mc) and RAM (MB) columns to TOP COST VEHICLES table
- Updated README with new report output
- virtual-vehicle: documented Vault cert TTL error troubleshooting

services/virtual-vehicle/README.md

@@ -45,3 +45,27 @@ This service simulates a connected vehicle (T.Rex) by:
 | 0x200 | Door status |
 | 0x201 | Light status |
 | 0x300 | HVAC |
+
+
+## Troubleshooting
+
+### 503 Error - Vault Certificate TTL Issue
+
+If the service returns a 503 and logs show a Vault error like:
+
+```json
+{"level":"error","message":"manufacturer API returned 503: {\"message\":\"Vault unable to create certificate, status code: 400 {\\\"errors\\\":[\\\"cannot satisfy request, as TTL would result in notAfter 2034-02-01T02:34:43.379661987Z that is beyond the expiration of the CA certificate at 2032-04-10T20:21:59Z\\\"]}\\n\",\"error\":\"Service Unavailable\"}"}
+```
+
+This happens when the certificate TTL requested (8 years) would extend beyond the CA certificate's expiration date. The manufacturer service requests a cert that expires in 2034, but the Vault CA expires in 2032.
+
+**Fix options:**
+
+1. **Reduce the PKI role TTL in Vault** *(non-disruptive - only affects new certs)*:
+   ```bash
+   vault write pki/roles/vehicle-cert ttl=17520h max_ttl=17520h  # 2 years
+   ```
+2. **Extend the CA certificate** - Regenerate the Vault PKI CA with a longer validity period *(disruptive - all existing certs need reissue)*
+3. **Rotate the CA** - Create a new CA with extended validity *(disruptive - requires cert reissue)*
+
+On dev-cluster, the CA was created with a ~10 year validity but the cert TTL request pushes past that.