Allow system accounts to issue certificates

Service tokens from MCIAS have account_type "system" but no roles.
Thread AccountType through CallerInfo and treat system accounts as
users for certificate issuance. This allows services to request
their own TLS certificates without admin credentials.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/grpcserver/ca.go

@@ -65,9 +65,10 @@ func (cs *caServer) callerInfo(ctx context.Context) *engine.CallerInfo {
 		return nil
 	}
 	return &engine.CallerInfo{
-		Username: ti.Username,
-		Roles:    ti.Roles,
-		IsAdmin:  ti.IsAdmin,
+		Username:    ti.Username,
+		AccountType: ti.AccountType,
+		Roles:       ti.Roles,
+		IsAdmin:     ti.IsAdmin,
 	}
 }