Implement CA/PKI engine with two-tier X.509 certificate issuance

Add the first concrete engine implementation: a CA (PKI) engine that generates
a self-signed root CA at mount time, issues scoped intermediate CAs ("issuers"),
and signs leaf certificates using configurable profiles (server, client, peer).

Engine framework updates:
- Add CallerInfo struct for auth context in engine requests
- Add config parameter to Engine.Initialize for mount-time configuration
- Export Mount.Engine field; add GetEngine/GetMount on Registry

CA engine (internal/engine/ca/):
- Two-tier PKI: root CA → issuers → leaf certificates
- 10 operations: get-root, get-chain, get-issuer, create/delete/list issuers,
  issue, get-cert, list-certs, renew
- Certificate profiles with user-overridable TTL, key usages, and key algorithm
- Private keys never stored in barrier; zeroized from memory on seal
- Supports ECDSA, RSA, and Ed25519 key types via goutils/certlib/certgen

Server routes:
- Wire up engine mount/request handlers (replace Phase 1 stubs)
- Add public PKI routes (/v1/pki/{mount}/ca, /ca/chain, /issuer/{name})
  for unauthenticated TLS trust bootstrapping

Also includes: ARCHITECTURE.md, deploy config updates, operational tooling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy/systemd/metacrypt.service

@@ -9,7 +9,7 @@ Type=simple
 User=metacrypt
 Group=metacrypt
 
-ExecStart=/usr/local/bin/metacrypt server --config /etc/metacrypt/metacrypt.toml
+ExecStart=/usr/local/bin/metacrypt server --config /srv/metacrypt/metacrypt.toml
 ExecReload=/bin/kill -HUP $MAINPID
 
 Restart=on-failure
@@ -30,8 +30,8 @@ LockPersonality=true
 MemoryDenyWriteExecute=true
 RestrictRealtime=true
 
-# Allow write access to the database directory and log
-ReadWritePaths=/var/lib/metacrypt
+# Allow write access to the data directory
+ReadWritePaths=/srv/metacrypt
 
 # Limit file descriptor count
 LimitNOFILE=65535