feat: Zero-downtime certificate management via Runtime API

Changes:
- Replace USR2 signal reload with HAProxy Runtime API for cert updates
  - new ssl cert → set ssl cert → commit ssl cert
  - No connection drops during certificate changes
- Add certificates.json for persistence (domain list only)
- Add haproxy_load_cert tool for manual certificate loading
- Auto-restore certificates on MCP startup
- Update startup sequence to load both servers and certificates

certificates.json format:
{
  "domains": ["inouter.com", "anvil.it.com"]
}

Paths derived from convention:
- Host: /opt/haproxy/certs/{domain}.pem
- Container: /etc/haproxy/certs/{domain}.pem

Total MCP tools: 28 → 29

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

haproxy_mcp/tools/configuration.py

@@ -95,7 +95,7 @@ def restore_servers_from_config() -> int:
 
 
 def startup_restore() -> None:
-    """Restore servers from config file on startup."""
+    """Restore servers and certificates from config files on startup."""
     # Wait for HAProxy to be ready
     for _ in range(STARTUP_RETRY_COUNT):
         try:
@@ -107,6 +107,7 @@ def startup_restore() -> None:
         logger.warning("HAProxy not ready, skipping restore")
         return
 
+    # Restore servers
     try:
         count = restore_servers_from_config()
         if count > 0:
@@ -114,6 +115,15 @@ def startup_restore() -> None:
     except (HaproxyError, OSError, ValueError) as e:
         logger.warning("Failed to restore servers: %s", e)
 
+    # Restore certificates
+    try:
+        from .certificates import restore_certificates
+        cert_count = restore_certificates()
+        if cert_count > 0:
+            logger.info("Restored %d certificates from config", cert_count)
+    except Exception as e:
+        logger.warning("Failed to restore certificates: %s", e)
+
 
 def register_config_tools(mcp):
     """Register configuration management tools with MCP server."""