refactor(http): tighten SslContextBuilder throws clause, classpath test fixture, system trust-all test

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cameleer-server-app/src/main/java/com/cameleer/server/app/http/SslContextBuilder.java

@@ -10,7 +10,11 @@ import javax.net.ssl.X509TrustManager;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.KeyManagementException;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -19,7 +23,9 @@ import java.util.List;
 
 public class SslContextBuilder {
 
-    public SSLContext build(OutboundHttpProperties systemProps, OutboundHttpRequestContext ctx) throws Exception {
+    public SSLContext build(OutboundHttpProperties systemProps, OutboundHttpRequestContext ctx)
+            throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException,
+                   CertificateException, IOException {
         SSLContext sslContext = SSLContext.getInstance("TLS");
 
         if (systemProps.trustAll() || ctx.trustMode() == com.cameleer.server.core.http.TrustMode.TRUST_ALL) {
@@ -28,6 +34,7 @@ public class SslContextBuilder {
         }
 
         List<X509Certificate> extraCerts = new ArrayList<>();
+        // System-level extras are always merged; per-request paths apply only in TRUST_PATHS mode.
         List<String> paths = new ArrayList<>(systemProps.trustedCaPemPaths());
         if (ctx.trustMode() == com.cameleer.server.core.http.TrustMode.TRUST_PATHS) {
             paths.addAll(ctx.trustedCaPemPaths());