Add mTLS to CP→agent channel

- Internal ECDSA P-256 CA (WRENN_CA_CERT/WRENN_CA_KEY env vars); when absent
  the system falls back to plain HTTP so dev mode works without certificates
- Host leaf cert (7-day TTL, IP SAN) issued at registration and renewed on
  every JWT refresh; fingerprint + expiry stored in DB (cert_expires_at column
  replaces the removed mtls_enabled flag)
- CP ephemeral client cert (24-hour TTL) via CPCertStore with atomic hot-swap;
  background goroutine renews it every 12 hours without restarting the server
- Host agent uses tls.Listen + httpServer.Serve so GetCertificate callback is
  respected (ListenAndServeTLS always reads cert from disk)
- Sandbox reverse proxy now uses pool.Transport() so it shares the same TLS
  config as the Connect RPC clients instead of http.DefaultTransport
- Credentials file renamed host-credentials.json with cert_pem/key_pem/
  ca_cert_pem fields; duplicate register/refresh response structs collapsed
  to authResponse

internal/db/models.go

@@ -48,7 +48,7 @@ type Host struct {
 	CreatedAt        pgtype.Timestamptz `json:"created_at"`
 	UpdatedAt        pgtype.Timestamptz `json:"updated_at"`
 	CertFingerprint  string             `json:"cert_fingerprint"`
-	MtlsEnabled      bool               `json:"mtls_enabled"`
+	CertExpiresAt    pgtype.Timestamptz `json:"cert_expires_at"`
 }
 
 type HostRefreshToken struct {
@@ -171,6 +171,7 @@ type TemplateBuild struct {
 	CompletedAt  pgtype.Timestamptz `json:"completed_at"`
 	TemplateID   pgtype.UUID        `json:"template_id"`
 	TeamID       pgtype.UUID        `json:"team_id"`
+	SkipPrePost  bool               `json:"skip_pre_post"`
 }
 
 type User struct {