Add CRL endpoint, sign-CSR web route, and policy-based issuance authorization

- Register handleSignCSR route in webserver (was dead code)
- Add GET /v1/pki/{mount}/issuer/{name}/crl REST endpoint and
  PKIService.GetCRL gRPC RPC for DER-encoded CRL generation
- Replace admin-only gates on issue/renew/sign-csr with policy-based
  access control: admins grant-all, authenticated users subject to
  identifier ownership (CN/SANs not held by another user's active cert)
  and optional policy overrides via ca/{mount}/id/{identifier} resources
- Add PolicyChecker to engine.Request and policy.Match() method to
  distinguish matched rules from default deny
- Update and expand CA engine tests for ownership, revocation freeing,
  and policy override scenarios

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

proto/metacrypt/v2/pki.proto

@@ -10,6 +10,7 @@ service PKIService {
   rpc GetRootCert(GetRootCertRequest) returns (GetRootCertResponse);
   rpc GetChain(GetChainRequest) returns (GetChainResponse);
   rpc GetIssuerCert(GetIssuerCertRequest) returns (GetIssuerCertResponse);
+  rpc GetCRL(GetCRLRequest) returns (GetCRLResponse);
 }
 
 message GetRootCertRequest {
@@ -34,3 +35,11 @@ message GetIssuerCertRequest {
 message GetIssuerCertResponse {
   bytes cert_pem = 1;
 }
+
+message GetCRLRequest {
+  string mount = 1;
+  string issuer = 2;
+}
+message GetCRLResponse {
+  bytes crl_der = 1;
+}