Add mTLS to CP→agent channel

- Internal ECDSA P-256 CA (WRENN_CA_CERT/WRENN_CA_KEY env vars); when absent
  the system falls back to plain HTTP so dev mode works without certificates
- Host leaf cert (7-day TTL, IP SAN) issued at registration and renewed on
  every JWT refresh; fingerprint + expiry stored in DB (cert_expires_at column
  replaces the removed mtls_enabled flag)
- CP ephemeral client cert (24-hour TTL) via CPCertStore with atomic hot-swap;
  background goroutine renews it every 12 hours without restarting the server
- Host agent uses tls.Listen + httpServer.Serve so GetCertificate callback is
  respected (ListenAndServeTLS always reads cert from disk)
- Sandbox reverse proxy now uses pool.Transport() so it shares the same TLS
  config as the Connect RPC clients instead of http.DefaultTransport
- Credentials file renamed host-credentials.json with cert_pem/key_pem/
  ca_cert_pem fields; duplicate register/refresh response structs collapsed
  to authResponse

internal/config/config.go

@@ -13,6 +13,11 @@ type Config struct {
 	ListenAddr  string
 	JWTSecret   string
 
+	// mTLS — CP→Agent channel. Both must be set to enable mTLS; omitting either
+	// disables cert issuance and leaves agent connections on plain HTTP (dev mode).
+	CACert string // WRENN_CA_CERT — PEM-encoded internal CA certificate
+	CAKey  string // WRENN_CA_KEY  — PEM-encoded internal CA private key
+
 	OAuthGitHubClientID     string
 	OAuthGitHubClientSecret string
 	OAuthRedirectURL        string
@@ -31,6 +36,9 @@ func Load() Config {
 		ListenAddr:  envOrDefault("WRENN_CP_LISTEN_ADDR", ":8080"),
 		JWTSecret:   os.Getenv("JWT_SECRET"),
 
+		CACert: os.Getenv("WRENN_CA_CERT"),
+		CAKey:  os.Getenv("WRENN_CA_KEY"),
+
 		OAuthGitHubClientID:     os.Getenv("OAUTH_GITHUB_CLIENT_ID"),
 		OAuthGitHubClientSecret: os.Getenv("OAUTH_GITHUB_CLIENT_SECRET"),
 		OAuthRedirectURL:        envOrDefault("OAUTH_REDIRECT_URL", "https://app.wrenn.dev"),