Follow-up from a full module audit. Two surfaces are correct in code but were not exercised by tests, so a regression could land silently. No production code changes; tests only.

1. Per-item route ownership (cross-owner 403)

The per-item routes (pdv.record.view, pdv.record.edit, pdv.item.edit, pdv.item.delete, pdv.item.download) gate only on the 'manage own pdv vault' permission, which every vault owner holds. Ownership is then enforced inside the controller/form by a uid comparison that throws AccessDeniedHttpException. Item ids are sequential and guessable, so that comparison is the only thing keeping one owner out of another owner's items, and nothing exercised it over HTTP.

2. Status Report checks

Of the four hook_runtime_requirements checks, only the Master KEK check had coverage. The storage, garbage-collector backlog and rotation checks were untested: their wiring and their non-OK branches were unverified.

Added tests

  • VaultOwnerUiTest::testItemActionsAreOwnerOnly: a second vault owner is denied (403) on every per-item route for another owner's document and record, with an owner-side 200 sanity so the 403s are proven to be the ownership guard rather than a 404.
  • StatusReportChecksTest: storage, backlog and rotation all report OK on a healthy vault; storage flips to Error when the private filesystem is gone; rotation flips to Warning while a subject key is still wrapped under a superseded Master KEK.
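The two-layer check described under "Per-item route ownership", as an added example that is not the module's code or its test: a framework-free PHP model of the permission gate plus the uid comparison, run through the same owner-200 / cross-owner-403 matrix. The route names and permission string come from the issue; `ITEMS`, the uids, `dispatch()` and `crossOwnerFailures()` are hypothetical.

```php
<?php
// Framework-free model (constructed). Route names and the permission string
// come from the issue; ITEMS, the uids and dispatch() are hypothetical.
const ROUTES = ['pdv.record.view', 'pdv.record.edit', 'pdv.item.edit',
  'pdv.item.delete', 'pdv.item.download'];
// Sequential ids: uid 10 owns item 1, uid 20 owns item 2.
const ITEMS = [1 => ['uid' => 10], 2 => ['uid' => 20]];

/** Returns the HTTP status a request for $route on $itemId would get. */
function dispatch(string $route, int $itemId, array $account, bool $guard = true): int {
  // Layer 1: route-level permission, held by every vault owner.
  if (!in_array('manage own pdv vault', $account['permissions'], true)) {
    return 403;
  }
  if (!in_array($route, ROUTES, true) || !array_key_exists($itemId, ITEMS)) {
    return 404;
  }
  // Layer 2: the uid comparison inside the controller/form.
  if ($guard && ITEMS[$itemId]['uid'] !== $account['uid']) {
    return 403;
  }
  return 200;
}

/** Runs the cross-owner matrix and returns the failures (empty means pass). */
function crossOwnerFailures(bool $guard): array {
  $owner = ['uid' => 10, 'permissions' => ['manage own pdv vault']];
  $other = ['uid' => 20, 'permissions' => ['manage own pdv vault']];
  $failures = [];
  foreach (ROUTES as $route) {
    // Owner-side 200 proves the item exists, so the 403 below is the guard.
    if (dispatch($route, 1, $owner, $guard) !== 200) {
      $failures[] = "$route: owner did not get 200";
    }
    if (dispatch($route, 1, $other, $guard) !== 403) {
      $failures[] = "$route: cross-owner request was not denied";
    }
  }
  return $failures;
}

// Guard present: matrix passes. Guard removed (simulated regression): the
// second owner gets 200 on every route, and each one is reported.
$ok = crossOwnerFailures(true);
$regressed = crossOwnerFailures(false);
if ($ok !== [] || count($regressed) !== count(ROUTES)) {
  throw new RuntimeException('model does not behave as described');
}
echo implode("\n", $regressed), "\n";
```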

Comments

mably created an issue. See original summary.

  • mably committed eb6b0406 on 1.x
    task: #3595947 Add test coverage: cross-owner 403 on per-item routes and...

Status: Active » Fixed
