pki: first registered user gets admin rights

Auto-detect first certificate issuance and grant admin flag.
Add is_admin column to issued_certificates table.
Add is_admin_certificate() helper function.
Include is_admin in /pki/issue response and X-Is-Admin header in registration.

tests/test_pki.py

@@ -157,6 +157,30 @@ class TestCertificateIssuance:
         assert data1["serial"] != data2["serial"]
         assert data1["fingerprint_sha1"] != data2["fingerprint_sha1"]
 
+    def test_first_user_is_admin(self, app, client):
+        """First issued certificate gets admin rights."""
+        from app.pki import is_admin_certificate
+
+        client.post("/pki/ca")
+
+        # First user becomes admin
+        response1 = client.post("/pki/issue", json={"common_name": "admin"})
+        assert response1.status_code == 201
+        data1 = response1.get_json()
+        assert data1.get("is_admin") is True
+
+        with app.app_context():
+            assert is_admin_certificate(data1["fingerprint_sha1"]) is True
+
+        # Second user is not admin
+        response2 = client.post("/pki/issue", json={"common_name": "user"})
+        assert response2.status_code == 201
+        data2 = response2.get_json()
+        assert data2.get("is_admin") is False
+
+        with app.app_context():
+            assert is_admin_certificate(data2["fingerprint_sha1"]) is False
+
 
 class TestCertificateListing:
     """Test GET /pki/certs endpoint."""