pki: first registered user gets admin rights

Auto-detect first certificate issuance and grant admin flag.
Add is_admin column to issued_certificates table.
Add is_admin_certificate() helper function.
Include is_admin in /pki/issue response and X-Is-Admin header in registration.

app/api/routes.py

@@ -1043,6 +1043,7 @@ class RegisterView(MethodView):
         response.headers["Content-Disposition"] = f'attachment; filename="{common_name}.p12"'
         response.headers["X-Fingerprint-SHA1"] = cert_info["fingerprint_sha1"]
         response.headers["X-Certificate-Expires"] = str(cert_info["expires_at"])
+        response.headers["X-Is-Admin"] = "1" if cert_info.get("is_admin") else "0"
         return response
 
 
@@ -1611,6 +1612,7 @@ class PKIIssueView(MethodView):
                 "expires_at": cert_info["expires_at"],
                 "certificate_pem": cert_info["certificate_pem"],
                 "private_key_pem": cert_info["private_key_pem"],
+                "is_admin": cert_info.get("is_admin", False),
             },
             201,
         )