base repository: coder/coder
base: d5ec26b
head repository: coder/coder
compare: dff598b
- 6 commits
- 18 files changed
- 2 contributors
Commits on Jun 12, 2026
- 33cfa62 feat(coderd/x/nats): add cluster mTLS config builder
  Mints an ephemeral IP-SAN leaf certificate from an injected CA for mutually verified TLS on NATS cluster routes.
  Co-authored-by: Mux <mux@coder.com>
- a5a5190 feat(coderd/x/nats): wire cluster mTLS into embedded server options
  Adds Options.ClusterTLS so buildServerOptions configures the route listener with the minted leaf and a 10s handshake timeout; nil preserves plaintext routes.
  Co-authored-by: Mux <mux@coder.com>
- 274cdcb test(coderd/x/nats): add cluster TLS mesh tests and relay URL constructor
  Adds ClusterTLSOptionsFromRelayURL for deriving the leaf SAN from a replica's relay URL, plus mesh tests covering TLS delivery, wrong-CA rejection, SAN mismatch, and mixed TLS/plaintext.
  Co-authored-by: Mux <mux@coder.com>
- 978710a feat: add nats_ca crypto key feature for NATS cluster mTLS CA
  Adds cryptokeys support for a CA that will sign the ephemeral leaf certificates replicas use for NATS cluster mTLS:
  - New crypto_key_feature enum value nats_ca; the rotator generates a self-signed ECDSA P-256 CA (PEM cert+key bundle in the secret column) and rotates it on the shared key duration with a 30 day token duration matching the maximum leaf lifetime.
  - FetchNATSCA accessor returns the active CA (parsed cert and signer) plus a trust bundle of all valid CA rows and the active row sequence so callers can detect rotation. It creates the CA on first fetch under an advisory lock since the NATS pubsub is constructed before the rotator starts.
  - The CA bundle contains a private key and stays excluded from the wsproxy crypto-keys endpoint allowlist and the signing/encryption keycaches.
  The feature is dormant: nothing fetches the CA until cli/server.go is wired up in a follow-up branch.
Commits on Jun 19, 2026
- 698dbca Merge remote-tracking branch 'origin/callum/nats-mtls-config' into callum/nats-mtls-integration
- dff598b feat(cli): wire NATS cluster mTLS into server startup
  When the NATS pubsub experiment is enabled and a DERP relay URL is configured (HA), enable mutual TLS on inter-replica cluster routes. The per-replica leaf certificate's IP SAN is derived from the relay URL host (the address peers dial), and the cluster CA is fetched from cryptokeys. Adds an integration test that meshes three nodes over TLS using a CA minted by cryptokeys.FetchNATSCA and verifies a cross-route pubsub round-trip.
  Co-authored-by: Mux <mux@coder.com>
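The commits above describe one trust model in three pieces: a self-signed ECDSA P-256 cluster CA held in cryptokeys (978710a), an ephemeral leaf per replica whose only SAN is the IP that peers dial, capped at the 30-day token duration (33cfa62, dff598b), and mesh tests that expect a leaf from the wrong CA or with a mismatched SAN to be rejected (274cdcb). The block below is an added, stand-alone illustration of that model and is not code from the coder/coder repository or this PR; `NewSelfSignedCA`, `MintLeaf` and `VerifyPeerLeaf` are hypothetical names that stand in for the real cryptokeys and NATS config code, and the 10.0.0.x addresses are constructed. `VerifyPeerLeaf` performs, outside a TLS handshake, the same checks a replica's TLS stack applies to a route peer: chain to the bundle of still-valid CAs, IP SAN equal to the dialed address, and both server and client EKUs because routes are mutually authenticated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const MaxLeafLifetime = 30 * 24 * time.Hour // 30-day cap the commit messages give leaf certificates

type CA struct { // hypothetical: parsed CA certificate plus its private signer
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func keyAndSerial() (*ecdsa.PrivateKey, *big.Int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return key, serial, err
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewSelfSignedCA generates a self-signed ECDSA P-256 CA (hypothetical helper).
func NewSelfSignedCA(name string, lifetime time.Duration) (*CA, error) {
	key, serial, err := keyAndSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// MintLeaf signs an ephemeral leaf whose only SAN is the IP peers dial; the
// lifetime is clamped to MaxLeafLifetime and both EKUs are set for mutual TLS.
func MintLeaf(ca *CA, addr string, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	ip := net.ParseIP(addr)
	if ip == nil {
		return nil, nil, fmt.Errorf("leaf SAN must be an IP address, got %q", addr)
	}
	if lifetime > MaxLeafLifetime {
		lifetime = MaxLeafLifetime
	}
	key, serial, err := keyAndSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		IPAddresses:  []net.IP{ip},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leaf, err := issue(tmpl, ca.Cert, &key.PublicKey, ca.Key)
	return leaf, key, err
}

// VerifyPeerLeaf checks what each side of a route checks about the other: chain to a
// trusted CA (every still-valid row, so rotation does not break live routes), IP SAN
// equal to the dialed address, and validity for both server and client authentication.
func VerifyPeerLeaf(leaf *x509.Certificate, dialed string, trusted ...*CA) error {
	roots := x509.NewCertPool()
	for _, ca := range trusted {
		roots.AddCert(ca.Cert)
	}
	for _, eku := range []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} {
		opts := x509.VerifyOptions{Roots: roots, DNSName: dialed, KeyUsages: []x509.ExtKeyUsage{eku}}
		if _, err := leaf.Verify(opts); err != nil {
			return fmt.Errorf("peer leaf rejected: %w", err)
		}
	}
	return nil
}
```

In a real route listener the same checks come for free from a `tls.Config` that presents the minted leaf, uses the CA bundle as both `RootCAs` and `ClientCAs`, and sets `ClientAuth: tls.RequireAndVerifyClientCert`; the value of spelling them out is that the rotation case is visible: a leaf signed by the previous CA keeps verifying as long as that CA is still in the bundle, and a replica that only trusts the newest CA would drop its peers' routes.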