
feat: optional mTLS between DAPI and ML nodes#1329

Open

x0152 wants to merge 5 commits into gonka-ai:upgrade-v0.2.14 from x0152:feat/mlnode-mtls



@x0152 x0152 commented Jun 10, 2026

Collaborator

What

Optional mTLS between the DAPI and ML nodes (alternative to #537).

Why

Protects all PoC endpoints with transport-level auth + encryption, instead of per-request signatures. Locks down PoC traffic both ways: only the holder of the pinned cert can reach the ML node's PoC port (8080) or post callbacks to the DAPI (9100). No CA, nothing expires - just two self-signed certs that pin each other. It's fully optional and off by default.

How to enable

Same host:

cd deploy/join
./gen-mlnode-certs.sh        # generate the two self-signed certs
source config.env
docker compose -f docker-compose.yml -f docker-compose.mlnode.yml -f docker-compose.mtls.yml up -d

Remote ML node (separate machine):

DAPI_SANS="DNS:api,DNS:dapi.example.com" MLNODE_SANS="DNS:inference,DNS:mlnode.example.com" ./gen-mlnode-certs.sh

Then:

  1. Copy mtls-certs/ to both machines.
  2. On the DAPI host, set export MTLS_POC_CALLBACK_URL=https://dapi.example.com:9100.
  3. Use the ML node's public name as host in node-config.json.

How to disable

Drop -f docker-compose.mtls.yml from the docker compose up command and restart:

docker compose -f docker-compose.yml -f docker-compose.mlnode.yml up -d

There's no silent fallback - mTLS is fully off once the override file is removed.
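To make the "two self-signed certs that pin each other" arrangement concrete, here is an added Go example written for this review; it is not code from the PR or from the gonka-ai project. The names "dapi" and "inference", the SANs, and the use of Go's crypto/tls are assumptions chosen to mirror the description; the real DAPI/ML node wiring and the 8080/9100 ports are not modelled. Each side gets a self-signed certificate, each side's trust store holds exactly the other side's certificate and nothing else, and the handshake helper shows that both an unpinned client and an impersonating server are rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// NewSelfSigned makes one party's self-signed certificate for the given SANs.
// No CA is involved: the cert is its own trust anchor, so the peer pins it directly.
func NewSelfSigned(name string, sans []string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name}, // illustrative name, not the PR's
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// pinPool is a trust store holding exactly one certificate: the peer's.
func pinPool(peer tls.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(peer.Leaf)
	return pool
}

// PinnedConfigs builds both roles for one party: as a server it presents self and
// requires the client to hold peer; as a client it presents self and trusts only
// peer (which must carry peerDNSName) as the server.
func PinnedConfigs(self, peer tls.Certificate, peerDNSName string) (server, client *tls.Config) {
	server = &tls.Config{
		Certificates: []tls.Certificate{self},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pinPool(peer),
		MinVersion:   tls.VersionTLS12,
	}
	client = &tls.Config{
		Certificates: []tls.Certificate{self},
		RootCAs:      pinPool(peer),
		ServerName:   peerDNSName,
		MinVersion:   tls.VersionTLS12,
	}
	return server, client
}

// Handshake runs one mutually authenticated connection over loopback and returns
// the CommonName the server verified for its client. A rejection by either side is
// an error, including the server-side one that TLS 1.3 reports only after the
// client's own handshake has already returned.
func Handshake(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var clientCN string
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			srv := tls.Server(raw, serverCfg)
			if err = srv.Handshake(); err == nil {
				clientCN = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	cli, cerr := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if cerr != nil {
		ln.Close() // unblock Accept if the client never reached the server
		<-done
		return "", cerr
	}
	defer cli.Close()
	return clientCN, <-done
}
```

Two points worth noting from the helper. First, the trust store on each side contains a single leaf certificate, so there is no chain to build and nothing that can be issued later: replacing a certificate means regenerating and redistributing the pair, which is the "no CA, nothing expires" trade-off the PR makes. Second, under TLS 1.3 the server's verdict on the client certificate arrives after the client's handshake call has returned, so a client that only checks the dial error will not see the rejection until its first read; a health check for the PoC port should read a response, not just connect.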

@x0152 x0152 force-pushed the feat/mlnode-mtls branch from fbbfb57 to 695d843 June 10, 2026 13:04
@tcharchian tcharchian added this to the v0.2.14 milestone Jun 10, 2026
@x0152 x0152 marked this pull request as ready for review June 11, 2026 18:08