Issue #3595947: add cross-owner 403 and Status Report check test coverage

Audit follow-up. Tests only, no production code change.

1. Per-item route ownership (cross-owner 403). The per-item routes (pdv.record.view, pdv.record.edit, pdv.item.edit, pdv.item.delete, pdv.item.download) gate only on the manage own pdv vault permission, which every vault owner holds; ownership is enforced inside the controller/form by a uid comparison that throws AccessDeniedHttpException. Item ids are sequential and guessable, so that comparison is the only thing keeping one owner out of another owner's items, and nothing exercised it over HTTP. VaultOwnerUiTest::testItemActionsAreOwnerOnly denies a second owner (403) on every per-item route for another owner's document and record, with an owner-side 200 sanity proving the 403s are the ownership guard rather than a 404.

2. Status Report checks. Of the four hook_runtime_requirements checks, only the Master KEK check had coverage. StatusReportChecksTest covers the other three: storage/backlog/rotation all report OK on a healthy vault, storage flips to Error when private:// is gone, and rotation flips to Warning while a subject key is still wrapped under a superseded Master KEK.

Verified locally: VaultOwnerUiTest 5 tests / 80 assertions, StatusReportChecksTest 3 tests / 42 assertions, both exit 0; phpcs and phpstan clean.