fix mTLS: use trusted_leaf_certs for issued certs, surface CA delete errors

Two bugs fixed:

1. buildClientAuthentication was placing issued leaf cert PEMs into
   trusted_ca_certs. Caddy uses that field for CA chain validation, not
   leaf pinning — putting leaf certs there made chain verification fail
   for every presented client cert, causing the browser to be asked
   repeatedly. Fixed by using trusted_leaf_certs for managed CAs.

2. If all issued certs for a CA were revoked, the active cert map would
   be empty and the code fell back to trusting the CA cert directly,
   effectively un-revoking everything. Fixed by tracking which CAs have
   ever had issued certs (including revoked) and keeping them in
   trusted_leaf_certs mode permanently (empty list = no one trusted).

Also fix CA certificate delete action not surfacing the error message
to the user in production (Next.js strips thrown error messages in
server actions). Changed to return { success, error } and updated the
client dialog to check the result instead of using try/catch.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fuomag9
2026-03-06 18:21:48 +01:00
parent 7760f2d2c8
commit 9fa57bcf28
3 changed files with 59 additions and 35 deletions
@@ -518,11 +518,11 @@ export function DeleteCaCertDialog({
function handleDelete() {
setError(null);
startTransition(async () => {
try {
await deleteCaCertificateAction(cert.id);
const result = await deleteCaCertificateAction(cert.id);
if (result.success) {
onClose();
} catch (e) {
setError(e instanceof Error ? e.message : "Failed to delete");
} else {
setError(result.error ?? "Failed to delete");
}
});
}
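Review bot: In handleDelete, dropping the try/catch means a rejected deleteCaCertificateAction call is no longer handled inside the startTransition callback. If the request fails in transit, or the server action throws instead of returning { success, error }, setError never runs and the dialog stays open with no message. Keep a catch around the await in addition to the result.success check, and have it fall back to the same "Failed to delete" string, so that both the returned-error path and the thrown-error path reach the user.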