feat: tenant CA certificate management with staging

Tenants can upload multiple CA certificates for enterprise SSO providers
that use private certificate authorities.

- New tenant_ca_certs table (V013) with PEM storage in DB
- Stage/activate/delete lifecycle per CA cert
- Aggregated ca.pem rebuild on activate/delete (atomic .wip swap)
- REST API: GET/POST/DELETE on /api/tenant/ca
- UI: CA Certificates section on SSO page with upload, activate, remove

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/main/resources/db/migration/V013__create_tenant_ca_certs.sql

@@ -0,0 +1,16 @@
+-- Per-tenant CA certificates for enterprise SSO trust
+CREATE TABLE tenant_ca_certs (
+    id         UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id  UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
+    status     VARCHAR(10) NOT NULL CHECK (status IN ('ACTIVE', 'STAGED')),
+    label      VARCHAR(200),
+    subject    VARCHAR(500),
+    issuer     VARCHAR(500),
+    fingerprint VARCHAR(128),
+    not_before TIMESTAMPTZ,
+    not_after  TIMESTAMPTZ,
+    cert_pem   TEXT NOT NULL,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+CREATE INDEX idx_tenant_ca_certs_tenant ON tenant_ca_certs(tenant_id);