Implement CA/PKI engine with two-tier X.509 certificate issuance

Add the first concrete engine implementation: a CA (PKI) engine that generates
a self-signed root CA at mount time, issues scoped intermediate CAs ("issuers"),
and signs leaf certificates using configurable profiles (server, client, peer).

Engine framework updates:
- Add CallerInfo struct for auth context in engine requests
- Add config parameter to Engine.Initialize for mount-time configuration
- Export Mount.Engine field; add GetEngine/GetMount on Registry

CA engine (internal/engine/ca/):
- Two-tier PKI: root CA → issuers → leaf certificates
- 10 operations: get-root, get-chain, get-issuer, create/delete/list issuers,
  issue, get-cert, list-certs, renew
- Certificate profiles with user-overridable TTL, key usages, and key algorithm
- Private keys never stored in barrier; zeroized from memory on seal
- Supports ECDSA, RSA, and Ed25519 key types via goutils/certlib/certgen

Server routes:
- Wire up engine mount/request handlers (replace Phase 1 stubs)
- Add public PKI routes (/v1/pki/{mount}/ca, /ca/chain, /issuer/{name})
  for unauthenticated TLS trust bootstrapping

Also includes: ARCHITECTURE.md, deploy config updates, operational tooling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy/examples/metacrypt-docker.toml

@@ -1,17 +1,17 @@
 # Metacrypt configuration for Docker deployment.
-# Place this file at /data/metacrypt.toml inside the container volume.
+# Place this file at /srv/metacrypt/metacrypt.toml inside the container volume.
 
 [server]
 listen_addr = ":8443"
-tls_cert = "/data/certs/server.crt"
-tls_key  = "/data/certs/server.key"
+tls_cert = "/srv/metacrypt/certs/server.crt"
+tls_key  = "/srv/metacrypt/certs/server.key"
 
 [database]
-path = "/data/metacrypt.db"
+path = "/srv/metacrypt/metacrypt.db"
 
 [mcias]
 server_url = "https://mcias.metacircular.net:8443"
-# ca_cert = "/data/certs/mcias-ca.crt"
+# ca_cert = "/srv/metacrypt/certs/mcias-ca.crt"
 
 [seal]
 # argon2_time    = 3

deploy/examples/metacrypt.toml

@@ -1,18 +1,18 @@
 # Metacrypt production configuration
-# Copy to /etc/metacrypt/metacrypt.toml and adjust for your environment.
+# Copy to /srv/metacrypt/metacrypt.toml and adjust for your environment.
 
 [server]
 # Address to listen on. Use "0.0.0.0:8443" to listen on all interfaces.
 listen_addr = ":8443"
 
 # TLS certificate and key. Metacrypt always terminates TLS.
-tls_cert = "/etc/metacrypt/certs/server.crt"
-tls_key  = "/etc/metacrypt/certs/server.key"
+tls_cert = "/srv/metacrypt/certs/server.crt"
+tls_key  = "/srv/metacrypt/certs/server.key"
 
 [database]
 # SQLite database path. Created automatically on first run.
 # The directory must be writable by the metacrypt user.
-path = "/var/lib/metacrypt/metacrypt.db"
+path = "/srv/metacrypt/metacrypt.db"
 
 [mcias]
 # MCIAS server URL for authentication.
@@ -20,7 +20,7 @@ server_url = "https://mcias.metacircular.net:8443"
 
 # CA certificate for verifying the MCIAS server's TLS certificate.
 # Omit if MCIAS uses a publicly trusted certificate.
-# ca_cert = "/etc/metacrypt/certs/mcias-ca.crt"
+# ca_cert = "/srv/metacrypt/certs/mcias-ca.crt"
 
 [seal]
 # Argon2id parameters for key derivation.