
mTLS certificate management and rate limiting #47

@jeremymanning

Description


Per spec Phase 11 (T134-T135):

  1. mTLS certificates: per-account Ed25519 cert issuance, 90-day auto-rotation via ACME-like protocol, admin cert handling
  2. Rate limiting: per contracts/README.md rate limit classes (DONOR_HEARTBEAT 120/min, JOB_SUBMIT 10/min, etc.)

Requirements

  • Ed25519 certificate issuance for new accounts
  • 90-day auto-rotation with ACME-like challenge-response
  • Admin cert handling for governance operations
  • Token bucket or sliding window rate limiting
  • Rate limit classes: DONOR_HEARTBEAT (120/min), JOB_SUBMIT (10/min), GOVERNANCE (5/min), CLUSTER_STATUS (30/min)
  • Rate limit responses with Retry-After header

Success Criteria

  • New accounts receive Ed25519 certificates
  • Certificates auto-rotate before 90-day expiry
  • Admin operations require valid admin cert
  • Rate limiting enforced per class
  • Exceeded limits return 429 with Retry-After
  • Integration tests for cert lifecycle and rate limiting

Testing (Principle V)

  • Generate cert → use for auth → verify accepted
  • Wait for rotation → verify new cert works, old cert rejected
  • Exceed rate limit → verify 429 response with correct Retry-After
  • Admin operation without admin cert → verify rejected
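The rate-limiting half of this issue (token bucket per class, 429 with a Retry-After header) can be checked end to end with a small self-contained limiter. The code below is an added example, not code from this repository; the four class names and per-minute budgets are taken from the issue text, while the class and function names, the `X-RateLimit-*` headers, the `principal` key and the Retry-After rounding rule are this example's own assumptions.

```python
"""Token-bucket rate limiter keyed by (principal, rate-limit class).

Constructed example: class names and budgets come from the issue; the
limiter design, header names and Retry-After computation are assumptions.
"""
import math
import time
from dataclasses import dataclass

# Per-minute budgets as listed in the issue (contracts/README.md is assumed
# to be the project's source of truth for these values).
RATE_LIMIT_CLASSES = {
    "DONOR_HEARTBEAT": 120,
    "JOB_SUBMIT": 10,
    "GOVERNANCE": 5,
    "CLUSTER_STATUS": 30,
}
WINDOW_SECONDS = 60.0


@dataclass
class _Bucket:
    capacity: int    # maximum burst; equals the per-minute budget
    tokens: float    # tokens currently available
    updated: float   # clock reading at the last refill


class ManualClock:
    """Deterministic clock so the limiter can be tested without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class RateLimiter:
    """One bucket per (principal, class). `principal` is the caller identity;
    in the mTLS design it would be derived from the client certificate."""

    def __init__(self, classes=RATE_LIMIT_CLASSES, clock=time.monotonic):
        self._limits = dict(classes)
        self._clock = clock
        self._buckets = {}

    def _refill(self, principal, cls, now):
        key = (principal, cls)
        bucket = self._buckets.get(key)
        if bucket is None:
            cap = self._limits[cls]
            bucket = _Bucket(capacity=cap, tokens=float(cap), updated=now)
            self._buckets[key] = bucket
            return bucket
        elapsed = max(0.0, now - bucket.updated)
        # Refill at `capacity` tokens per window, capped at capacity.
        refill = elapsed * bucket.capacity / WINDOW_SECONDS
        bucket.tokens = min(float(bucket.capacity), bucket.tokens + refill)
        bucket.updated = now
        return bucket

    def check(self, principal, cls):
        """Spend one token. Returns (status, headers): 200 when allowed,
        429 with Retry-After (whole seconds, rounded up) when exhausted."""
        if cls not in self._limits:
            raise KeyError(f"unknown rate limit class {cls!r}")  # fail closed
        bucket = self._refill(principal, cls, self._clock())
        headers = {"X-RateLimit-Limit": str(bucket.capacity)}
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            headers["X-RateLimit-Remaining"] = str(int(bucket.tokens))
            return 200, headers
        # Seconds until one whole token has accrued, rounded up so a client
        # that honours Retry-After never comes back too early.
        deficit = 1.0 - bucket.tokens
        retry_after = max(1, math.ceil(deficit * WINDOW_SECONDS / bucket.capacity))
        headers["X-RateLimit-Remaining"] = "0"
        headers["Retry-After"] = str(retry_after)
        return 429, headers


def simulate_job_submit_burst(count=12):
    """Drive JOB_SUBMIT (10/min) past its budget, then wait out Retry-After.
    Returns (statuses, retry_after, status_after_wait, other_account_status)."""
    clock = ManualClock()
    limiter = RateLimiter(clock=clock)
    statuses = [limiter.check("account-A", "JOB_SUBMIT")[0] for _ in range(count)]
    _, headers = limiter.check("account-A", "JOB_SUBMIT")
    wait = int(headers.get("Retry-After", "0"))
    clock.advance(wait)
    after_wait = limiter.check("account-A", "JOB_SUBMIT")[0]
    other = limiter.check("account-B", "JOB_SUBMIT")[0]  # separate bucket
    return statuses, wait, after_wait, other


if __name__ == "__main__":
    print(simulate_job_submit_burst())
```

The simulation mirrors the "exceed rate limit" test case above: ten JOB_SUBMIT calls succeed, the eleventh returns 429 with `Retry-After: 6` (one token accrues every 6 s at 10/min), and a call made exactly that many seconds later is accepted again, while a second account's bucket is unaffected. Buckets are keyed per principal, so one noisy client cannot exhaust another's budget, and an unknown class raises rather than silently allowing the request.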
