Implement CA/PKI engine with two-tier X.509 certificate issuance

Add the first concrete engine implementation: a CA (PKI) engine that generates
a self-signed root CA at mount time, issues scoped intermediate CAs ("issuers"),
and signs leaf certificates using configurable profiles (server, client, peer).

Engine framework updates:
- Add CallerInfo struct for auth context in engine requests
- Add config parameter to Engine.Initialize for mount-time configuration
- Export Mount.Engine field; add GetEngine/GetMount on Registry

CA engine (internal/engine/ca/):
- Two-tier PKI: root CA → issuers → leaf certificates
- 10 operations: get-root, get-chain, get-issuer, create/delete/list issuers,
  issue, get-cert, list-certs, renew
- Certificate profiles with user-overridable TTL, key usages, and key algorithm
- Private keys never stored in barrier; zeroized from memory on seal
- Supports ECDSA, RSA, and Ed25519 key types via goutils/certlib/certgen

Server routes:
- Wire up engine mount/request handlers (replace Phase 1 stubs)
- Add public PKI routes (/v1/pki/{mount}/ca, /ca/chain, /issuer/{name})
  for unauthenticated TLS trust bootstrapping

Also includes: ARCHITECTURE.md, deploy config updates, operational tooling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cmd/metacrypt/init.go

@@ -29,7 +29,7 @@ func init() {
 func runInit(cmd *cobra.Command, args []string) error {
 	configPath := cfgFile
 	if configPath == "" {
-		configPath = "metacrypt.toml"
+		configPath = "/srv/metacrypt/metacrypt.toml"
 	}
 
 	cfg, err := config.Load(configPath)

cmd/metacrypt/root.go

@@ -15,7 +15,7 @@ var rootCmd = &cobra.Command{
 
 func init() {
 	cobra.OnInitialize(initConfig)
-	rootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default metacrypt.toml)")
+	rootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default /srv/metacrypt/metacrypt.toml)")
 }
 
 func initConfig() {
@@ -25,7 +25,7 @@ func initConfig() {
 		viper.SetConfigName("metacrypt")
 		viper.SetConfigType("toml")
 		viper.AddConfigPath(".")
-		viper.AddConfigPath("/etc/metacrypt")
+		viper.AddConfigPath("/srv/metacrypt")
 	}
 	viper.AutomaticEnv()
 	viper.SetEnvPrefix("METACRYPT")

cmd/metacrypt/server.go

@@ -15,6 +15,7 @@ import (
 	"git.wntrmute.dev/kyle/metacrypt/internal/config"
 	"git.wntrmute.dev/kyle/metacrypt/internal/db"
 	"git.wntrmute.dev/kyle/metacrypt/internal/engine"
+	"git.wntrmute.dev/kyle/metacrypt/internal/engine/ca"
 	"git.wntrmute.dev/kyle/metacrypt/internal/policy"
 	"git.wntrmute.dev/kyle/metacrypt/internal/seal"
 	"git.wntrmute.dev/kyle/metacrypt/internal/server"
@@ -36,7 +37,7 @@ func runServer(cmd *cobra.Command, args []string) error {
 
 	configPath := cfgFile
 	if configPath == "" {
-		configPath = "metacrypt.toml"
+		configPath = "/srv/metacrypt/metacrypt.toml"
 	}
 
 	cfg, err := config.Load(configPath)
@@ -71,6 +72,7 @@ func runServer(cmd *cobra.Command, args []string) error {
 	authenticator := auth.NewAuthenticator(mcClient)
 	policyEngine := policy.NewEngine(b)
 	engineRegistry := engine.NewRegistry(b)
+	engineRegistry.RegisterFactory(engine.EngineTypeCA, ca.NewCAEngine)
 
 	srv := server.New(cfg, sealMgr, authenticator, policyEngine, engineRegistry, logger)
 

cmd/metacrypt/snapshot.go

@@ -28,7 +28,7 @@ func init() {
 func runSnapshot(cmd *cobra.Command, args []string) error {
 	configPath := cfgFile
 	if configPath == "" {
-		configPath = "metacrypt.toml"
+		configPath = "/srv/metacrypt/metacrypt.toml"
 	}
 
 	cfg, err := config.Load(configPath)