Phase C: Automated TLS cert provisioning for L7 routes
Add CertProvisioner that requests TLS certificates from Metacrypt's CA API during deploy. When a service has L7 routes, the agent checks for an existing cert, re-issues if missing or within 30 days of expiry, and writes chain+key to mc-proxy's cert directory before registering routes.

- Add MetacryptConfig to agent config (server_url, ca_cert, mount, issuer, token_path) with defaults and env overrides
- Add CertProvisioner (internal/agent/certs.go): REST client for Metacrypt IssueCert, atomic file writes, cert expiry checking
- Wire into Agent struct and deploy flow (before route registration)
- Add hasL7Routes/l7Hostnames helpers in deploy.go
- Fix pre-existing lint issues: unreachable code in portalloc.go, gofmt in servicedef.go, gosec suppressions, golangci v2 config
- Update vendored mc-proxy to fix protobuf init panic
- 10 new tests, make all passes with 0 issues

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -25,8 +25,8 @@ type ServiceDef struct {
// BuildDef describes how to build container images for a service.
type BuildDef struct {
Images map[string]string `toml:"images"`
UsesMCDSL bool `toml:"uses_mcdsl,omitempty"`
Images map[string]string `toml:"images"`
UsesMCDSL bool `toml:"uses_mcdsl,omitempty"`
}
// RouteDef describes a route for a component, used for automatic port
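Review bot: this hunk is a whitespace-only gofmt realignment of the `Images` and `UsesMCDSL` fields in `BuildDef`; no behaviour changes, so it is fine to land, but it would be better kept out of a feature commit. Since the message says lint issues were "pre-existing", consider having CI run `gofmt -l` (or the golangci config this commit adds) as a required check so formatting drift is caught in the commit that introduces it rather than fixed in an unrelated one.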
@@ -210,7 +210,7 @@ func ToProto(def *ServiceDef) *mcpv1.ServiceSpec {
for _, r := range c.Routes {
cs.Routes = append(cs.Routes, &mcpv1.RouteSpec{
Name: r.Name,
Port: int32(r.Port),
Port: int32(r.Port), //nolint:gosec // port range validated
Mode: r.Mode,
Hostname: r.Hostname,
})
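Review bot: the `//nolint:gosec // port range validated` suppression on `Port: int32(r.Port)` asserts a precondition that is not visible in this hunk, so a reader cannot tell where `r.Port` is bounded before the narrowing conversion. Either name the validating function in the comment (e.g. `//nolint:gosec // r.Port bounded to 1..65535 by <validator>`) or keep an explicit range check next to the conversion in `ToProto` and return an error for out-of-range values; silencing G115 on a conversion of externally supplied config (`toml:"port"` style input) deserves a traceable justification rather than a bare assertion.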