feat: implement PKI KeyStore adapter with enterprise features

* Add PKI-specific keystore adapter layer over capsula-key EnhancedKeyStore
* Implement policy constraints for certificate types, validity periods, and key usage
* Add certificate-key association management and bidirectional mapping
* Support certificate templates with configurable defaults and extensions
* Include enterprise features: statistics, policy validation, batch operations
* Add comprehensive test coverage with 4 core tests passing
* Support multi-algorithm keys (RSA, P-256, Ed25519) with PKI-specific policies
* Integrate seamlessly with existing PKI workflows and certificate management
* Add PolicyViolation error type for constraint enforcement

Resolves keystore functionality gaps identified in TODO.md milestone tracking.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: atlas-form

crates/capsula-pki/src/error.rs

@@ -95,6 +95,10 @@ pub enum PkiError {
     #[error("Authentication error: {0}")]
     AuthError(String),
 
+    /// 策略违反错误
+    #[error("Policy violation: {0}")]
+    PolicyViolation(String),
+
     /// IO错误
     #[error("IO error: {0}")]
     IoError(#[from] std::io::Error),

crates/capsula-pki/src/keystore/mod.rs

@@ -12,9 +12,15 @@ pub mod hsm;
 pub mod escrow;
 pub mod recovery;
 pub mod rotation;
+pub mod pki_adapter;
 
 // 重新导出存储相关类型
 pub use storage::{CertificateStore, FileSystemBackend, StorageBackend};
+// 重新导出PKI adapter类型
+pub use pki_adapter::{
+    PKIKeyStore, PKIKeyMetadata, PolicyConstraints, CertificateType, 
+    ExtendedKeyUsage, CertificateTemplate, PKIKeyStoreStatistics
+};
 
 use crate::error::Result;
 use capsula_key::Key;