Add multi-provider DNS registry for ACME DNS-01 challenges

Replace hardcoded Cloudflare DNS-01 with a data-driven provider registry
supporting 11 providers (Cloudflare, Route 53, DigitalOcean, Duck DNS,
Hetzner, Vultr, Porkbun, GoDaddy, Namecheap, OVH, Linode). Users can
configure multiple providers with encrypted credentials and select a
default. Per-certificate provider override is supported via providerOptions.

- Add src/lib/dns-providers.ts with provider definitions, credential
  encrypt/decrypt, and Caddy config builder
- Change DnsProviderSettings to multi-provider format with default selection
- Auto-migrate legacy Cloudflare settings on startup (db.ts)
- Normalize old single-provider format on read (getDnsProviderSettings)
- Refactor buildTlsAutomation() to use provider registry
- Add GET /api/v1/dns-providers endpoint for provider discovery
- Add dns-provider settings group to REST API and instance sync
- Replace Cloudflare settings card with multi-provider UI (add/remove
  providers, set default, dynamic credential forms)
- Add 10 DNS provider modules to Caddy Dockerfile
- Update OpenAPI spec, E2E tests, and unit test mocks

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/lib/db.ts

@@ -252,9 +252,59 @@ function runEnvProviderSync() {
   }
 }
 
+/**
+ * One-time migration: convert legacy Cloudflare DNS settings to the new
+ * generic dns_provider format.  Idempotent — skips if already run or if
+ * the new setting already exists.
+ */
+function runCloudflareToProviderMigration() {
+  if (sqlitePath === ":memory:") return;
+
+  const { settings: settingsTable } = schema;
+
+  // Skip if migration already ran
+  const flag = db.select().from(settingsTable).where(eq(settingsTable.key, "dns_provider_migrated")).get();
+  if (flag) return;
+
+  // Skip if new dns_provider setting already exists (user already configured it)
+  const existing = db.select().from(settingsTable).where(eq(settingsTable.key, "dns_provider")).get();
+  if (existing) {
+    const now = new Date().toISOString();
+    db.insert(settingsTable).values({ key: "dns_provider_migrated", value: "true", updatedAt: now }).run();
+    return;
+  }
+
+  // Check for legacy cloudflare setting
+  const cfRow = db.select().from(settingsTable).where(eq(settingsTable.key, "cloudflare")).get();
+  if (!cfRow) {
+    const now = new Date().toISOString();
+    db.insert(settingsTable).values({ key: "dns_provider_migrated", value: "true", updatedAt: now }).run();
+    return;
+  }
+
+  try {
+    const cf = JSON.parse(cfRow.value) as { apiToken?: string; zoneId?: string; accountId?: string };
+    if (cf.apiToken) {
+      const now = new Date().toISOString();
+      const newSetting = {
+        providers: { cloudflare: { api_token: cf.apiToken } },
+        default: "cloudflare",
+      };
+      db.insert(settingsTable).values({ key: "dns_provider", value: JSON.stringify(newSetting), updatedAt: now }).run();
+      console.log("Migrated legacy Cloudflare DNS settings to dns_provider format");
+    }
+  } catch (e) {
+    console.warn("Failed to parse legacy cloudflare setting during migration:", e);
+  }
+
+  const now = new Date().toISOString();
+  db.insert(settingsTable).values({ key: "dns_provider_migrated", value: "true", updatedAt: now }).run();
+}
+
 try {
   runBetterAuthDataMigration();
   runEnvProviderSync();
+  runCloudflareToProviderMigration();
 } catch (error) {
   console.warn("Better Auth data migration warning:", error);
 }