[v18] Add tctl acl commands for managing access list reviews #64587

Open
r0mant wants to merge 1 commit into branch/v18 from roman/v18/aclcli

Conversation

@r0mant (Collaborator) commented Mar 12, 2026

Backport of #63672 to branch/v18.

Manual Test Plan

Test Environment

platform.teleport.sh

Test Cases

  • View access lists requiring review in our platform cluster
  • Submit a review for one of the lists
  • List reviews and verify the list was reviewed
# Show lists requiring review
$ tctl acl ls --review-only --format=text
ID                                                             Title                                                             Next Audit Granted Roles                                                                Granted Traits
-------------------------------------------------------------- ----------------------------------------------------------------- ---------- ---------------------------------------------------------------------------- --------------
...
00g9gqbfl...........                                           app-Salesforce-TechnicalSupport                                   2026-01-31 app-salesforce-technicalsupport-access-okta-acl-role-00g9gqbfl.....
...

# Submit a review
$ tctl acl reviews create 00g9gqbfl........... --notes="Reviewed via CLI"
Successfully submitted review for access list 00g9gqbfl...........
Next audit date: 2026-04-30

# View reviews
$ tctl acl reviews ls 00g9gqbfl...........
ID                                   Reviewer             Review Date Removed Members Notes
------------------------------------ -------------------- ----------- --------------- ----------------
2abea045-b800-4694-b337-6f01485265e3 roman@goteleport.com 2026-03-12                  Reviewed via CLI
...

changelog: Add tctl acl commands for managing access list reviews

github-actions bot added the labels backport, size/md, and tctl (tctl - Teleport admin tool) on Mar 12, 2026

chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1e24493fe6

Comment on lines +115 to +116
if len(r.Spec.Notes) > reviewNotesMaxSizeBytes {
r.Spec.Notes = r.Spec.Notes[:reviewNotesMaxSizeBytes]
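
Review bot: the truncation at lines +115 to +116 is silent, so a reviewer whose notes exceed reviewNotesMaxSizeBytes gets a review recorded with part of their justification dropped and no indication that it happened. Review notes are audit evidence; returning a validation error that names the limit (or at least logging a warning) is preferable to quietly cutting the string. Whichever behaviour is kept, `r.Spec.Notes[:reviewNotesMaxSizeBytes]` should be replaced by a cut on a rune boundary so the stored value remains valid UTF-8.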

P2: Truncate oversized review notes on rune boundaries

This byte-level truncation can split a multi-byte UTF-8 character when notes exceed the 200 KB limit, leaving ReviewSpec.Notes with invalid text. Because notes is later serialized as a protobuf string (api/proto/teleport/accesslist/v1/accesslist.proto), this can corrupt the final character or cause serialization failures for large non-ASCII notes; trimming at rune boundaries (or validating UTF-8 after truncation) avoids that edge case.

Comment on lines +314 to +317
for _, member := range strings.Split(c.removeMembers, ",") {
member = strings.TrimSpace(member)
if member != "" {
removeMembers = append(removeMembers, member)
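
Review bot: the loop at lines +314 to +317 trims whitespace and drops empty tokens but never checks for repeats, so `--remove-members=alice,alice` forwards the same removal twice in one review. Keep a seen set keyed by the trimmed name (or build the slice from a map) before `removeMembers = append(removeMembers, member)`, and since the flag is a free-form comma list, consider verifying each name against the access list's current members before the review is submitted so a typo fails client-side rather than after the request has been sent.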

P2: Deduplicate --remove-members entries before submit

The CLI forwards duplicate member IDs unchanged, so input like --remove-members=a,a sends repeated removals in one review. The backend applies removals one-by-one and errors on deleting a missing member (lib/services/local/access_list.go), which means this request can fail after partial side effects (review creation and first removal), so deduplicating this slice client-side would prevent non-idempotent failures from simple input duplication.

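
Both review points above (byte-level truncation of review notes, and duplicate entries in `--remove-members`) come down to normalizing CLI input before it is sent to the auth server. The following is an added example, not code from the Teleport PR or repository: it places the byte-level truncation the review flagged beside a rune-boundary version that always yields valid UTF-8, and a parser for the comma-separated flag that drops blanks and repeats while preserving first-seen order. The limit constant is a small constructed value (the real one is the 200 KB limit the review mentions), the function names are hypothetical, and the input strings are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// reviewNotesMaxSizeBytes mirrors the name used in the reviewed snippet.
// The value is a small constructed one so the effect is easy to see;
// Teleport's real limit is much larger.
const reviewNotesMaxSizeBytes = 16

// truncateNotesBytes is the byte-level truncation the review flagged.
// Slicing a Go string by byte index can cut a multi-byte UTF-8 sequence
// in half, leaving an invalid string.
func truncateNotesBytes(notes string) string {
	if len(notes) > reviewNotesMaxSizeBytes {
		return notes[:reviewNotesMaxSizeBytes]
	}
	return notes
}

// truncateNotesRunes cuts at the last rune boundary at or before the byte
// limit. The result is never longer than reviewNotesMaxSizeBytes and, for
// valid input, is always valid UTF-8.
func truncateNotesRunes(notes string) string {
	if len(notes) <= reviewNotesMaxSizeBytes {
		return notes
	}
	cut := reviewNotesMaxSizeBytes
	// Walk backwards while the byte at the cut point is a UTF-8
	// continuation byte (10xxxxxx); utf8.RuneStart reports the opposite.
	for cut > 0 && !utf8.RuneStart(notes[cut]) {
		cut--
	}
	return notes[:cut]
}

// parseRemoveMembers turns a comma-separated --remove-members value into a
// list of unique, trimmed member names in first-seen order. Blank entries
// ("a,,b") and repeats ("a,a") are dropped, so a single review never asks
// the server to remove the same member twice.
func parseRemoveMembers(flag string) []string {
	seen := make(map[string]struct{})
	var members []string
	for _, member := range strings.Split(flag, ",") {
		member = strings.TrimSpace(member)
		if member == "" {
			continue
		}
		if _, dup := seen[member]; dup {
			continue
		}
		seen[member] = struct{}{}
		members = append(members, member)
	}
	return members
}

func main() {
	// Constructed input: 15 ASCII bytes followed by "é" (2 bytes in UTF-8),
	// 17 bytes in total, one over the constructed limit.
	notes := "Reviewed via CL" + "é"
	byBytes := truncateNotesBytes(notes)
	byRunes := truncateNotesRunes(notes)
	fmt.Printf("byte cut: %q valid=%v\n", byBytes, utf8.ValidString(byBytes))
	fmt.Printf("rune cut: %q valid=%v\n", byRunes, utf8.ValidString(byRunes))
	fmt.Println(parseRemoveMembers(" alice, bob ,alice,,bob"))
}
```

The rune-boundary walk is O(1) per call because at most three continuation bytes can precede a rune start in valid UTF-8; checking `utf8.ValidString` on the whole prefix in a loop would work too but costs O(n) per step.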