Add CRL endpoint, sign-CSR web route, and policy-based issuance authorization

- Register handleSignCSR route in webserver (was dead code)
- Add GET /v1/pki/{mount}/issuer/{name}/crl REST endpoint and
  PKIService.GetCRL gRPC RPC for DER-encoded CRL generation
- Replace admin-only gates on issue/renew/sign-csr with policy-based
  access control: admins grant-all, authenticated users subject to
  identifier ownership (CN/SANs not held by another user's active cert)
  and optional policy overrides via ca/{mount}/id/{identifier} resources
- Add PolicyChecker to engine.Request and policy.Match() method to
  distinguish matched rules from default deny
- Update and expand CA engine tests for ownership, revocation freeing,
  and policy override scenarios

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

gen/metacrypt/v2/pki.pb.go

@@ -301,6 +301,102 @@ func (x *GetIssuerCertResponse) GetCertPem() []byte {
 	return nil
 }
 
+type GetCRLRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Mount         string                 `protobuf:"bytes,1,opt,name=mount,proto3" json:"mount,omitempty"`
+	Issuer        string                 `protobuf:"bytes,2,opt,name=issuer,proto3" json:"issuer,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GetCRLRequest) Reset() {
+	*x = GetCRLRequest{}
+	mi := &file_proto_metacrypt_v2_pki_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GetCRLRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetCRLRequest) ProtoMessage() {}
+
+func (x *GetCRLRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_proto_metacrypt_v2_pki_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetCRLRequest.ProtoReflect.Descriptor instead.
+func (*GetCRLRequest) Descriptor() ([]byte, []int) {
+	return file_proto_metacrypt_v2_pki_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *GetCRLRequest) GetMount() string {
+	if x != nil {
+		return x.Mount
+	}
+	return ""
+}
+
+func (x *GetCRLRequest) GetIssuer() string {
+	if x != nil {
+		return x.Issuer
+	}
+	return ""
+}
+
+type GetCRLResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	CrlDer        []byte                 `protobuf:"bytes,1,opt,name=crl_der,json=crlDer,proto3" json:"crl_der,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GetCRLResponse) Reset() {
+	*x = GetCRLResponse{}
+	mi := &file_proto_metacrypt_v2_pki_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GetCRLResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetCRLResponse) ProtoMessage() {}
+
+func (x *GetCRLResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_proto_metacrypt_v2_pki_proto_msgTypes[7]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetCRLResponse.ProtoReflect.Descriptor instead.
+func (*GetCRLResponse) Descriptor() ([]byte, []int) {
+	return file_proto_metacrypt_v2_pki_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *GetCRLResponse) GetCrlDer() []byte {
+	if x != nil {
+		return x.CrlDer
+	}
+	return nil
+}
+
 var File_proto_metacrypt_v2_pki_proto protoreflect.FileDescriptor
 
 const file_proto_metacrypt_v2_pki_proto_rawDesc = "" +
@@ -319,12 +415,18 @@ const file_proto_metacrypt_v2_pki_proto_rawDesc = "" +
 	"\x05mount\x18\x01 \x01(\tR\x05mount\x12\x16\n" +
 	"\x06issuer\x18\x02 \x01(\tR\x06issuer\"2\n" +
 	"\x15GetIssuerCertResponse\x12\x19\n" +
-	"\bcert_pem\x18\x01 \x01(\fR\acertPem2\x85\x02\n" +
+	"\bcert_pem\x18\x01 \x01(\fR\acertPem\"=\n" +
+	"\rGetCRLRequest\x12\x14\n" +
+	"\x05mount\x18\x01 \x01(\tR\x05mount\x12\x16\n" +
+	"\x06issuer\x18\x02 \x01(\tR\x06issuer\")\n" +
+	"\x0eGetCRLResponse\x12\x17\n" +
+	"\acrl_der\x18\x01 \x01(\fR\x06crlDer2\xca\x02\n" +
 	"\n" +
 	"PKIService\x12R\n" +
 	"\vGetRootCert\x12 .metacrypt.v2.GetRootCertRequest\x1a!.metacrypt.v2.GetRootCertResponse\x12I\n" +
 	"\bGetChain\x12\x1d.metacrypt.v2.GetChainRequest\x1a\x1e.metacrypt.v2.GetChainResponse\x12X\n" +
-	"\rGetIssuerCert\x12\".metacrypt.v2.GetIssuerCertRequest\x1a#.metacrypt.v2.GetIssuerCertResponseB>Z<git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
+	"\rGetIssuerCert\x12\".metacrypt.v2.GetIssuerCertRequest\x1a#.metacrypt.v2.GetIssuerCertResponse\x12C\n" +
+	"\x06GetCRL\x12\x1b.metacrypt.v2.GetCRLRequest\x1a\x1c.metacrypt.v2.GetCRLResponseB>Z<git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2;metacryptv2b\x06proto3"
 
 var (
 	file_proto_metacrypt_v2_pki_proto_rawDescOnce sync.Once
@@ -338,7 +440,7 @@ func file_proto_metacrypt_v2_pki_proto_rawDescGZIP() []byte {
 	return file_proto_metacrypt_v2_pki_proto_rawDescData
 }
 
-var file_proto_metacrypt_v2_pki_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
+var file_proto_metacrypt_v2_pki_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
 var file_proto_metacrypt_v2_pki_proto_goTypes = []any{
 	(*GetRootCertRequest)(nil),    // 0: metacrypt.v2.GetRootCertRequest
 	(*GetRootCertResponse)(nil),   // 1: metacrypt.v2.GetRootCertResponse
@@ -346,16 +448,20 @@ var file_proto_metacrypt_v2_pki_proto_goTypes = []any{
 	(*GetChainResponse)(nil),      // 3: metacrypt.v2.GetChainResponse
 	(*GetIssuerCertRequest)(nil),  // 4: metacrypt.v2.GetIssuerCertRequest
 	(*GetIssuerCertResponse)(nil), // 5: metacrypt.v2.GetIssuerCertResponse
+	(*GetCRLRequest)(nil),         // 6: metacrypt.v2.GetCRLRequest
+	(*GetCRLResponse)(nil),        // 7: metacrypt.v2.GetCRLResponse
 }
 var file_proto_metacrypt_v2_pki_proto_depIdxs = []int32{
 	0, // 0: metacrypt.v2.PKIService.GetRootCert:input_type -> metacrypt.v2.GetRootCertRequest
 	2, // 1: metacrypt.v2.PKIService.GetChain:input_type -> metacrypt.v2.GetChainRequest
 	4, // 2: metacrypt.v2.PKIService.GetIssuerCert:input_type -> metacrypt.v2.GetIssuerCertRequest
-	1, // 3: metacrypt.v2.PKIService.GetRootCert:output_type -> metacrypt.v2.GetRootCertResponse
-	3, // 4: metacrypt.v2.PKIService.GetChain:output_type -> metacrypt.v2.GetChainResponse
-	5, // 5: metacrypt.v2.PKIService.GetIssuerCert:output_type -> metacrypt.v2.GetIssuerCertResponse
-	3, // [3:6] is the sub-list for method output_type
-	0, // [0:3] is the sub-list for method input_type
+	6, // 3: metacrypt.v2.PKIService.GetCRL:input_type -> metacrypt.v2.GetCRLRequest
+	1, // 4: metacrypt.v2.PKIService.GetRootCert:output_type -> metacrypt.v2.GetRootCertResponse
+	3, // 5: metacrypt.v2.PKIService.GetChain:output_type -> metacrypt.v2.GetChainResponse
+	5, // 6: metacrypt.v2.PKIService.GetIssuerCert:output_type -> metacrypt.v2.GetIssuerCertResponse
+	7, // 7: metacrypt.v2.PKIService.GetCRL:output_type -> metacrypt.v2.GetCRLResponse
+	4, // [4:8] is the sub-list for method output_type
+	0, // [0:4] is the sub-list for method input_type
 	0, // [0:0] is the sub-list for extension type_name
 	0, // [0:0] is the sub-list for extension extendee
 	0, // [0:0] is the sub-list for field type_name
@@ -372,7 +478,7 @@ func file_proto_metacrypt_v2_pki_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_proto_metacrypt_v2_pki_proto_rawDesc), len(file_proto_metacrypt_v2_pki_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   6,
+			NumMessages:   8,
 			NumExtensions: 0,
 			NumServices:   1,
 		},