Add certificate revocation, deletion, and retrieval

Admins can now revoke or delete certificate records from the cert detail
page in the web UI. Revoked certificates display a [REVOKED] badge and
show revocation metadata (time and actor). Deletion redirects to the
issuer page.

The REST API gains three new authenticated endpoints that mirror the
gRPC surface:
  GET    /v1/ca/{mount}/cert/{serial}         (auth required)
  POST   /v1/ca/{mount}/cert/{serial}/revoke  (admin only)
  DELETE /v1/ca/{mount}/cert/{serial}         (admin only)

The CA engine stores revocation state (revoked, revoked_at, revoked_by)
directly in the existing CertRecord barrier entry. The proto CertRecord
message is extended with the same three fields (field numbers 10–12).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.junie/memory/feedback.md

@@ -14,3 +14,11 @@
     "NEW INSTRUCTION": "WHEN editing gRPC server configuration THEN remove v1 config and use only v2 fields"
 }
 
+[2026-03-15 13:34] - Updated by Junie
+{
+    "TYPE": "negative",
+    "CATEGORY": "tarball download",
+    "EXPECTATION": "The tarball download should succeed, or clearly show an error in the browser when it fails.",
+    "NEW INSTRUCTION": "WHEN implementing download endpoints THEN return non-200 on failure with an explanatory message"
+}
+

.junie/memory/language.json

@@ -1 +1 @@
-[{"lang":"en","usageCount":36}]
+[{"lang":"en","usageCount":37}]