Add CRL endpoint, sign-CSR web route, and policy-based issuance authorization

- Register handleSignCSR route in webserver (was dead code)
- Add GET /v1/pki/{mount}/issuer/{name}/crl REST endpoint and
  PKIService.GetCRL gRPC RPC for DER-encoded CRL generation
- Replace admin-only gates on issue/renew/sign-csr with policy-based
  access control: admins grant-all, authenticated users subject to
  identifier ownership (CN/SANs not held by another user's active cert)
  and optional policy overrides via ca/{mount}/id/{identifier} resources
- Add PolicyChecker to engine.Request and policy.Match() method to
  distinguish matched rules from default deny
- Update and expand CA engine tests for ownership, revocation freeing,
  and policy override scenarios

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/grpcserver/pki.go

@@ -65,6 +65,27 @@ func (ps *pkiServer) GetIssuerCert(_ context.Context, req *pb.GetIssuerCertReque
 	return &pb.GetIssuerCertResponse{CertPem: certPEM}, nil
 }
 
+func (ps *pkiServer) GetCRL(ctx context.Context, req *pb.GetCRLRequest) (*pb.GetCRLResponse, error) {
+	if req.Issuer == "" {
+		return nil, status.Error(codes.InvalidArgument, "issuer is required")
+	}
+	caEng, err := ps.getCAEngine(req.Mount)
+	if err != nil {
+		return nil, err
+	}
+	crlDER, err := caEng.GetCRLDER(ctx, req.Issuer)
+	if err != nil {
+		if errors.Is(err, ca.ErrIssuerNotFound) {
+			return nil, status.Error(codes.NotFound, "issuer not found")
+		}
+		if errors.Is(err, ca.ErrSealed) {
+			return nil, status.Error(codes.Unavailable, "sealed")
+		}
+		return nil, status.Error(codes.Internal, err.Error())
+	}
+	return &pb.GetCRLResponse{CrlDer: crlDER}, nil
+}
+
 func (ps *pkiServer) getCAEngine(mountName string) (*ca.CAEngine, error) {
 	mount, err := ps.s.engines.GetMount(mountName)
 	if err != nil {