Implement CA/PKI engine with two-tier X.509 certificate issuance

Add the first concrete engine implementation: a CA (PKI) engine that generates
a self-signed root CA at mount time, issues scoped intermediate CAs ("issuers"),
and signs leaf certificates using configurable profiles (server, client, peer).

Engine framework updates:
- Add CallerInfo struct for auth context in engine requests
- Add config parameter to Engine.Initialize for mount-time configuration
- Export Mount.Engine field; add GetEngine/GetMount on Registry

CA engine (internal/engine/ca/):
- Two-tier PKI: root CA → issuers → leaf certificates
- 10 operations: get-root, get-chain, get-issuer, create/delete/list issuers,
  issue, get-cert, list-certs, renew
- Certificate profiles with user-overridable TTL, key usages, and key algorithm
- Private keys never stored in barrier; zeroized from memory on seal
- Supports ECDSA, RSA, and Ed25519 key types via goutils/certlib/certgen

Server routes:
- Wire up engine mount/request handlers (replace Phase 1 stubs)
- Add public PKI routes (/v1/pki/{mount}/ca, /ca/chain, /issuer/{name})
  for unauthenticated TLS trust bootstrapping

Also includes: ARCHITECTURE.md, deploy config updates, operational tooling.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/engine/engine_test.go

@@ -14,22 +14,28 @@ type mockEngine struct {
 	unsealed    bool
 }
 
-func (m *mockEngine) Type() EngineType                                          { return m.engineType }
-func (m *mockEngine) Initialize(_ context.Context, _ barrier.Barrier, _ string) error { m.initialized = true; return nil }
-func (m *mockEngine) Unseal(_ context.Context, _ barrier.Barrier, _ string) error     { m.unsealed = true; return nil }
-func (m *mockEngine) Seal() error                                               { m.unsealed = false; return nil }
+func (m *mockEngine) Type() EngineType { return m.engineType }
+func (m *mockEngine) Initialize(_ context.Context, _ barrier.Barrier, _ string, _ map[string]interface{}) error {
+	m.initialized = true
+	return nil
+}
+func (m *mockEngine) Unseal(_ context.Context, _ barrier.Barrier, _ string) error {
+	m.unsealed = true
+	return nil
+}
+func (m *mockEngine) Seal() error { m.unsealed = false; return nil }
 func (m *mockEngine) HandleRequest(_ context.Context, _ *Request) (*Response, error) {
 	return &Response{Data: map[string]interface{}{"ok": true}}, nil
 }
 
 type mockBarrier struct{}
 
-func (m *mockBarrier) Unseal(_ []byte) error                           { return nil }
-func (m *mockBarrier) Seal() error                                     { return nil }
-func (m *mockBarrier) IsSealed() bool                                  { return false }
-func (m *mockBarrier) Get(_ context.Context, _ string) ([]byte, error) { return nil, barrier.ErrNotFound }
-func (m *mockBarrier) Put(_ context.Context, _ string, _ []byte) error { return nil }
-func (m *mockBarrier) Delete(_ context.Context, _ string) error        { return nil }
+func (m *mockBarrier) Unseal(_ []byte) error                              { return nil }
+func (m *mockBarrier) Seal() error                                        { return nil }
+func (m *mockBarrier) IsSealed() bool                                     { return false }
+func (m *mockBarrier) Get(_ context.Context, _ string) ([]byte, error)    { return nil, barrier.ErrNotFound }
+func (m *mockBarrier) Put(_ context.Context, _ string, _ []byte) error    { return nil }
+func (m *mockBarrier) Delete(_ context.Context, _ string) error           { return nil }
 func (m *mockBarrier) List(_ context.Context, _ string) ([]string, error) { return nil, nil }
 
 func TestRegistryMountUnmount(t *testing.T) {
@@ -39,7 +45,7 @@ func TestRegistryMountUnmount(t *testing.T) {
 	})
 
 	ctx := context.Background()
-	if err := reg.Mount(ctx, "default", EngineTypeTransit); err != nil {
+	if err := reg.Mount(ctx, "default", EngineTypeTransit, nil); err != nil {
 		t.Fatalf("Mount: %v", err)
 	}
 
@@ -52,7 +58,7 @@ func TestRegistryMountUnmount(t *testing.T) {
 	}
 
 	// Duplicate mount should fail.
-	if err := reg.Mount(ctx, "default", EngineTypeTransit); err != ErrMountExists {
+	if err := reg.Mount(ctx, "default", EngineTypeTransit, nil); err != ErrMountExists {
 		t.Fatalf("expected ErrMountExists, got: %v", err)
 	}
 
@@ -75,7 +81,7 @@ func TestRegistryUnmountNotFound(t *testing.T) {
 
 func TestRegistryUnknownType(t *testing.T) {
 	reg := NewRegistry(&mockBarrier{})
-	err := reg.Mount(context.Background(), "test", EngineTypeTransit)
+	err := reg.Mount(context.Background(), "test", EngineTypeTransit, nil)
 	if err == nil {
 		t.Fatal("expected error for unknown engine type")
 	}
@@ -88,7 +94,7 @@ func TestRegistryHandleRequest(t *testing.T) {
 	})
 
 	ctx := context.Background()
-	reg.Mount(ctx, "test", EngineTypeTransit)
+	reg.Mount(ctx, "test", EngineTypeTransit, nil)
 
 	resp, err := reg.HandleRequest(ctx, "test", &Request{Operation: "encrypt"})
 	if err != nil {
@@ -111,8 +117,8 @@ func TestRegistrySealAll(t *testing.T) {
 	})
 
 	ctx := context.Background()
-	reg.Mount(ctx, "eng1", EngineTypeTransit)
-	reg.Mount(ctx, "eng2", EngineTypeTransit)
+	reg.Mount(ctx, "eng1", EngineTypeTransit, nil)
+	reg.Mount(ctx, "eng2", EngineTypeTransit, nil)
 
 	if err := reg.SealAll(); err != nil {
 		t.Fatalf("SealAll: %v", err)