Add mTLS to CP→agent channel

- Internal ECDSA P-256 CA (WRENN_CA_CERT/WRENN_CA_KEY env vars); when absent
  the system falls back to plain HTTP so dev mode works without certificates
- Host leaf cert (7-day TTL, IP SAN) issued at registration and renewed on
  every JWT refresh; fingerprint + expiry stored in DB (cert_expires_at column
  replaces the removed mtls_enabled flag)
- CP ephemeral client cert (24-hour TTL) via CPCertStore with atomic hot-swap;
  background goroutine renews it every 12 hours without restarting the server
- Host agent uses tls.Listen + httpServer.Serve so GetCertificate callback is
  respected (ListenAndServeTLS always reads cert from disk)
- Sandbox reverse proxy now uses pool.Transport() so it shares the same TLS
  config as the Connect RPC clients instead of http.DefaultTransport
- Credentials file renamed host-credentials.json with cert_pem/key_pem/
  ca_cert_pem fields; duplicate register/refresh response structs collapsed
  to authResponse

db/queries/hosts.sql

@@ -20,16 +20,25 @@ SELECT * FROM hosts WHERE status = $1 ORDER BY created_at DESC;
 
 -- name: RegisterHost :execrows
 UPDATE hosts
-SET arch = $2,
-    cpu_cores = $3,
-    memory_mb = $4,
-    disk_gb = $5,
-    address = $6,
-    status = 'online',
+SET arch             = $2,
+    cpu_cores        = $3,
+    memory_mb        = $4,
+    disk_gb          = $5,
+    address          = $6,
+    cert_fingerprint = $7,
+    cert_expires_at  = $8,
+    status           = 'online',
     last_heartbeat_at = NOW(),
-    updated_at = NOW()
+    updated_at        = NOW()
 WHERE id = $1 AND status = 'pending';
 
+-- name: UpdateHostCert :exec
+UPDATE hosts
+SET cert_fingerprint = $2,
+    cert_expires_at  = $3,
+    updated_at       = NOW()
+WHERE id = $1;
+
 -- name: UpdateHostStatus :exec
 UPDATE hosts SET status = $2, updated_at = NOW() WHERE id = $1;