Add Caddy-style tls internal local CA

[chrislearn]

Summary

Adds a Caddy-style local CA so users can serve HTTPS for localhost / internal hosts without ACME and without managing PEM files. Mirrors the feature you can quote from Caddy:

https://local.host:443 {
    tls internal
    ...
}

• On first start, gatel generates an ECDSA P-256 root (10 years) + intermediate (7 days) under the platform user-data dir.
• Leaves are signed by the intermediate on demand at TLS handshake time, valid 12 h, cached in memory, re-issued when ≤20% lifetime remains.
• Sites opt in per-site (tls internal) or globally (tls { internal }, used as a fallback only when ACME is not configured). Per-site tls internal always wins.
• The composite resolver now consults: manual certs → local CA → ACME / on-demand. Existing setups are unchanged.
• Two new CLI subcommands install / remove the root in the OS trust store:
  • Windows: writes to current-user Root via schannel — no UAC.
  • macOS: shells out to security add-trusted-cert -k login.keychain-db.
  • Linux: drops the PEM into the distro's anchors dir and runs update-ca-certificates / update-ca-trust extract.

Test plan

• cargo test --lib — 177 passed (3 new in tls::local_ca).
• Local HTTPS smoke test: gatel run with tls internal on localhost, curl --resolve localhost:18443:127.0.0.1 https://localhost:18443/ returns 200.
• gatel trust installs the root into the Windows current-user Root store; verified with PowerShell Get-ChildItem Cert:\CurrentUser\Root and certutil -user -store Root.
• gatel untrust removes it.
• After gatel trust, curl --ssl-no-revoke https://localhost:18443/ validates the chain end-to-end.
• macOS path — not exercised on this dev box; relies on security CLI and follows mkcert/Caddy conventions.
• Linux path — not exercised; uses standard distro anchor dirs.

Docs

• New section in docs/en/tls-and-acme.md and docs/zh/tls-and-acme.md covering quick start, storage layout, lifetimes, and the gatel trust flow.
• New example: examples/tls-internal.kdl.
• README + README.zh feature bullet updated.
• CHANGELOG.

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d64e6e6941

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Gate global internal fallback when ACME is enabled

Avoid resolving tls internal for every SNI whenever tls { internal } is present. In this resolver path, self.global_internal causes the local CA branch to run before ACME for all hostnames, so a config that enables both ACME and internal will serve local-CA certs instead of ACME certs. This contradicts the documented "internal as fallback only when ACME isn't configured" behavior and can break public HTTPS deployments that expect ACME-issued chains.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Persist global/internal CA state on TLS reload

Make reload update all local-CA resolver state, not just hostnames. reload() recomputes global_internal and new_internal, but only writes internal_hosts; it never updates self.resolver.global_internal and cannot initialize self.resolver.local_ca if internal TLS is enabled after startup. As a result, toggling tls internal via hot reload does not reliably take effect (or disable) until a full process restart.

Useful? React with 👍 / 👎.