feat: certificate management with stage/activate/restore lifecycle

Provider-based architecture (Docker now, K8s later):
- CertificateManager interface + DockerCertificateManager (file-based)
- Atomic swap via .wip files for safe cert replacement
- Stage -> Activate -> Archive lifecycle with one-deep rollback
- Bootstrap supports user-supplied certs via CERT_FILE/KEY_FILE/CA_FILE
- CA bundle aggregates platform + tenant CAs, distributed to containers
- Vendor UI: Certificates page with upload, activate, restore, discard
- Stale tenant tracking (ca_applied_at) with restart banner
- Conditional TLS skip removal when CA bundle exists

Includes design spec, migration V012, service + controller tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/main/resources/db/migration/V012__create_certificates.sql

@@ -0,0 +1,19 @@
+-- Certificate management: track platform TLS certs and CA bundles
+CREATE TABLE certificates (
+    id           UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    status       VARCHAR(10) NOT NULL CHECK (status IN ('ACTIVE', 'STAGED', 'ARCHIVED')),
+    subject      VARCHAR(500),
+    issuer       VARCHAR(500),
+    not_before   TIMESTAMPTZ,
+    not_after    TIMESTAMPTZ,
+    fingerprint  VARCHAR(128),
+    has_ca       BOOLEAN NOT NULL DEFAULT FALSE,
+    self_signed  BOOLEAN NOT NULL DEFAULT FALSE,
+    uploaded_by  UUID,
+    created_at   TIMESTAMPTZ NOT NULL DEFAULT now(),
+    activated_at TIMESTAMPTZ,
+    archived_at  TIMESTAMPTZ
+);
+
+-- Track when each tenant last picked up the CA bundle
+ALTER TABLE tenants ADD COLUMN ca_applied_at TIMESTAMPTZ;