Phase C: Automated TLS cert provisioning for L7 routes

Add CertProvisioner that requests TLS certificates from Metacrypt's CA
API during deploy. When a service has L7 routes, the agent checks for
an existing cert, re-issues if missing or within 30 days of expiry,
and writes chain+key to mc-proxy's cert directory before registering
routes.

- Add MetacryptConfig to agent config (server_url, ca_cert, mount,
  issuer, token_path) with defaults and env overrides
- Add CertProvisioner (internal/agent/certs.go): REST client for
  Metacrypt IssueCert, atomic file writes, cert expiry checking
- Wire into Agent struct and deploy flow (before route registration)
- Add hasL7Routes/l7Hostnames helpers in deploy.go
- Fix pre-existing lint issues: unreachable code in portalloc.go,
  gofmt in servicedef.go, gosec suppressions, golangci v2 config
- Update vendored mc-proxy to fix protobuf init panic
- 10 new tests, make all passes with 0 issues

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/agent/portalloc.go

@@ -33,8 +33,8 @@ func (pa *PortAllocator) Allocate() (int, error) {
 	pa.mu.Lock()
 	defer pa.mu.Unlock()
 
-	for i := range maxRetries {
-		port := portRangeMin + rand.IntN(portRangeMax-portRangeMin)
+	for range maxRetries {
+		port := portRangeMin + rand.IntN(portRangeMax-portRangeMin) //nolint:gosec // port selection, not security
 		if pa.allocated[port] {
 			continue
 		}
@@ -45,7 +45,6 @@ func (pa *PortAllocator) Allocate() (int, error) {
 
 		pa.allocated[port] = true
 		return port, nil
-		_ = i
 	}
 
 	return 0, fmt.Errorf("failed to allocate port after %d attempts", maxRetries)