Add policy CRUD, cert management, and web UI updates

- Add PUT /v1/policy/rule endpoint for updating policy rules; expose
  full policy CRUD through the web UI with a dedicated policy page
- Add certificate revoke, delete, and get-cert to CA engine and wire
  REST + gRPC routes; fix missing interceptor registrations
- Update ARCHITECTURE.md to reflect v2 gRPC as the active implementation,
  document ACME endpoints, correct CA permission levels, and add policy/cert
  management route tables
- Add POLICY.md documenting the priority-based ACL engine design
- Add web/templates/policy.html for policy management UI

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.junie/memory/feedback.md

@@ -22,3 +22,19 @@
     "NEW INSTRUCTION": "WHEN implementing download endpoints THEN return non-200 on failure with an explanatory message"
 }
 
+[2026-03-15 13:52] - Updated by Junie
+{
+    "TYPE": "negative",
+    "CATEGORY": "tarball download",
+    "EXPECTATION": "If the cert/key tgz cannot be generated correctly, the response should not be a 200 attachment; it should clearly show an error in the browser.",
+    "NEW INSTRUCTION": "WHEN download content is invalid or generation fails THEN return non-200 with visible error page"
+}
+
+[2026-03-15 13:55] - Updated by Junie
+{
+    "TYPE": "correction",
+    "CATEGORY": "root cause update",
+    "EXPECTATION": "The tgz download failure was caused by the aria2 download manager, not the server.",
+    "NEW INSTRUCTION": "WHEN user reports aria2 caused the issue THEN acknowledge client-side cause and reassess server changes"
+}
+