Phase C: Automated TLS cert provisioning for L7 routes

Add CertProvisioner that requests TLS certificates from Metacrypt's CA
API during deploy. When a service has L7 routes, the agent checks for
an existing cert, re-issues if missing or within 30 days of expiry,
and writes chain+key to mc-proxy's cert directory before registering
routes.

- Add MetacryptConfig to agent config (server_url, ca_cert, mount,
  issuer, token_path) with defaults and env overrides
- Add CertProvisioner (internal/agent/certs.go): REST client for
  Metacrypt IssueCert, atomic file writes, cert expiry checking
- Wire into Agent struct and deploy flow (before route registration)
- Add hasL7Routes/l7Hostnames helpers in deploy.go
- Fix pre-existing lint issues: unreachable code in portalloc.go,
  gofmt in servicedef.go, gosec suppressions, golangci v2 config
- Update vendored mc-proxy to fix protobuf init panic
- 10 new tests, make all passes with 0 issues

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/agent/agent.go

@@ -33,6 +33,7 @@ type Agent struct {
 	Logger    *slog.Logger
 	PortAlloc *PortAllocator
 	Proxy     *ProxyRouter
+	Certs     *CertProvisioner
 }
 
 // Run starts the agent: opens the database, sets up the gRPC server with
@@ -57,6 +58,11 @@ func Run(cfg *config.AgentConfig) error {
 		return fmt.Errorf("connect to mc-proxy: %w", err)
 	}
 
+	certs, err := NewCertProvisioner(cfg.Metacrypt, cfg.MCProxy.CertDir, logger)
+	if err != nil {
+		return fmt.Errorf("create cert provisioner: %w", err)
+	}
+
 	a := &Agent{
 		Config:    cfg,
 		DB:        db,
@@ -65,6 +71,7 @@ func Run(cfg *config.AgentConfig) error {
 		Logger:    logger,
 		PortAlloc: NewPortAllocator(),
 		Proxy:     proxy,
+		Certs:     certs,
 	}
 
 	tlsCert, err := tls.LoadX509KeyPair(cfg.Server.TLSCert, cfg.Server.TLSKey)