Add CRL endpoint, sign-CSR web route, and policy-based issuance authorization

- Register handleSignCSR route in webserver (was dead code)
- Add GET /v1/pki/{mount}/issuer/{name}/crl REST endpoint and
  PKIService.GetCRL gRPC RPC for DER-encoded CRL generation
- Replace admin-only gates on issue/renew/sign-csr with policy-based
  access control: admins grant-all, authenticated users subject to
  identifier ownership (CN/SANs not held by another user's active cert)
  and optional policy overrides via ca/{mount}/id/{identifier} resources
- Add PolicyChecker to engine.Request and policy.Match() method to
  distinguish matched rules from default deny
- Update and expand CA engine tests for ownership, revocation freeing,
  and policy override scenarios

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/engine/engine.go

@@ -50,12 +50,18 @@ func (c *CallerInfo) IsUser() bool {
 	return false
 }
 
+// PolicyChecker evaluates whether the caller has access to a specific resource.
+// Returns the policy effect ("allow" or "deny") and whether a matching rule was found.
+// When matched is false, the caller should fall back to default access rules.
+type PolicyChecker func(resource, action string) (effect string, matched bool)
+
 // Request is a request to an engine.
 type Request struct {
-	Data       map[string]interface{}
-	CallerInfo *CallerInfo
-	Operation  string
-	Path       string
+	Data        map[string]interface{}
+	CallerInfo  *CallerInfo
+	CheckPolicy PolicyChecker
+	Operation   string
+	Path        string
 }
 
 // Response is a response from an engine.