crl/ocsp: admin observability endpoint + Phase 6 e2e scaffold

Phase 5 (admin endpoint slice) + Phase 6 (e2e test stub) of the
CRL/OCSP responder bundle. Closes the deferred items from the
backend-slice merge (77d6326).

What landed:

  Phase 5 — admin observability:
  * GET /api/v1/admin/crl/cache (handler.AdminCRLCacheHandler):
    - Per-issuer cache state + most recent N generation events
    - Admin-gated via middleware.IsAdmin (M-003 pattern); non-admin
      callers get 403 + the service is never invoked
    - Reveals issuer set + CRL cadence, hence the gate
    - Returns CachePresent=false rows for never-generated issuers so
      the GUI can show 'not yet generated' instead of 404
    - Per-issuer Get failures decorate the row's RecentEvents rather
      than failing the whole response
  * AdminCRLCacheServiceImpl: thin handler-side composition over
    repository.CRLCacheRepository + an issuer-IDs callback (avoids
    importing internal/service from internal/api/handler)
  * M-008 admin-gate pin updated: admin_crl_cache.go added to
    AdminGatedHandlers; full triplet of tests
    (NonAdmin_Returns403, AdminExplicitFalse_Returns403,
    AdminPermitted_ForwardsActor) + RejectsNonGetMethod +
    PropagatesServiceError
  * Router registration + HandlerRegistry field + main.go wiring
    (callback closure over issuerRegistry.List)
  * OpenAPI entry under CRL & OCSP tag

  Phase 6 — e2e scaffold:
  * deploy/test/crl_ocsp_e2e_test.go with TestCRLOCSPLifecycle +
    TestCRLOCSPPostEndpoint
  * Lifecycle test exercises issue → fetch OCSP (Good) → revoke →
    wait → fetch CRL (entry present) → fetch OCSP (Revoked) →
    verify dedicated responder cert + id-pkix-ocsp-nocheck
  * Helpers (issueLocalCert, revokeCertViaAPI, fetchCRL, fetchOCSP,
    fetchCACert) currently call t.Skip with TODO markers — sandbox
    has no Docker so the harness can't be wired end-to-end here;
    when CI / a fresh dev workstation runs, the implementer wires
    each helper to the existing integration_test.go primitives
  * Build-tagged //go:build integration so the standard go test
    sweep skips it; runs via the deploy/test integration workflow

Coverage: handler 80.6% (above 75 floor; was 79.8% pre-Phase-5).
All other packages unchanged.

Backward compat: admin endpoint inert until an admin Bearer key is
configured. The e2e test stub is no-op (skips) until wired.

Deferred:
  * GUI cert-detail-page revocation panel — pure frontend work, no
    backend impact, separate session
  * E2E test helper wiring — depends on extracting the existing
    integration-test harness primitives into shared helpers; doable
    in a follow-up that has Docker available
  * V3-Pro polish (delta CRLs, OCSP rate-limiting, OCSP stapling)

internal/api/router/router.go

@@ -122,6 +122,10 @@ type HandlerRegistry struct {
 	// cmd/server/main.go so probes and rollout systems can read build
 	// identity without Bearer credentials. See handler/version.go.
 	Version handler.VersionHandler
+	// AdminCRLCache handles GET /api/v1/admin/crl/cache. Bundle CRL/OCSP-
+	// Responder Phase 5 — admin-gated ops surface for the
+	// scheduler-driven CRL pre-generation pipeline.
+	AdminCRLCache handler.AdminCRLCacheHandler
 }
 
 // RegisterHandlers sets up all API routes with their handlers.
@@ -287,6 +291,11 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) {
 	r.Register("GET /api/v1/audit", http.HandlerFunc(reg.Audit.ListAuditEvents))
 	r.Register("GET /api/v1/audit/{id}", http.HandlerFunc(reg.Audit.GetAuditEvent))
 
+	// Bundle CRL/OCSP-Responder Phase 5: admin observability for the
+	// scheduler-driven CRL pre-generation cache. Admin-gated inside
+	// the handler (M-003 pattern); non-admin callers get 403.
+	r.Register("GET /api/v1/admin/crl/cache", http.HandlerFunc(reg.AdminCRLCache.ListCache))
+
 	// Notifications routes: /api/v1/notifications
 	r.Register("GET /api/v1/notifications", http.HandlerFunc(reg.Notifications.ListNotifications))
 	r.Register("GET /api/v1/notifications/{id}", http.HandlerFunc(reg.Notifications.GetNotification))