Add mTLS RBAC with path-based access control, role/cert trust model, and comprehensive tests

Implements full role-based access control for mTLS client certificates:
- Database: mtls_roles, mtls_certificate_roles, mtls_access_rules tables with migration
- Models: CRUD for roles, cert-role assignments, path-based access rules
- Caddy config: HTTP-layer RBAC enforcement via CEL fingerprint matching in subroutes
- New trust model: select individual certs or entire roles instead of CAs (derives CAs automatically)
- REST API: /api/v1/mtls-roles, cert assignments, proxy-host access rules endpoints
- UI: Roles management tab (card-based), cert/role trust picker, inline RBAC rule editor
- Fix: dialog autoclose bug after creating proxy host (key-based remount)
- Tests: 85 new tests (785 total) covering models, schema, RBAC route generation, leaf override, edge cases

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fuomag9
2026-04-05 18:40:21 +02:00
parent a2b8d69aa6
commit 277ae6e79c
28 changed files with 3484 additions and 86 deletions

@@ -218,7 +218,12 @@ type ProxyHostAuthentikMeta = {
export type MtlsConfig = {
enabled: boolean;
ca_certificate_ids: number[];
/** Trust specific issued client certificates (derives CAs automatically) */
trusted_client_cert_ids?: number[];
/** Trust all certificates belonging to these roles */
trusted_role_ids?: number[];
/** @deprecated Old model: trust entire CAs. Kept for backward compat migration. */
ca_certificate_ids?: number[];
};
type ProxyHostMeta = {
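Review bot: changing `ca_certificate_ids` from a required `number[]` to an optional `number[]` (with `@deprecated`) is a breaking type change for every reader of `MtlsConfig` that does `config.ca_certificate_ids.length` or iterates it without a null check; each such call site in the Caddy config generator and the UI trust picker now needs `?? []` or an explicit guard, and the hunk gives no hint that those were updated. The doc comments on the three fields should also state the precedence when more than one is populated (for example, whether `trusted_client_cert_ids` and `trusted_role_ids` are unioned, and whether a non-empty legacy `ca_certificate_ids` is ignored or still trusted in full once the new fields are set), since "derives CAs automatically" leaves that ambiguous for the migration path the comment mentions.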