Context
Reviewing src/ksef2/clients/async_authenticated.py found that _ensure_encryption_certificates_loaded() returns as soon as CertificateStore.all() is non-empty.
That is too broad for authenticated encryption flows. The shared store can already contain a valid ksef_token_encryption certificate from token auth while still lacking a valid symmetric_key_encryption certificate. In that case online sessions, batch sessions, and invoice export scheduling skip the fetch and then fail at get_valid("symmetric_key_encryption").
Expected fix
Make the load guard usage-aware:
- If the store already has a valid symmetric_key_encryption certificate, do not fetch.
- If the store is empty or only has other/expired usages, fetch public encryption certificates and reload the store.
- Preserve the eventual NoCertificateAvailableError if KSeF still does not provide a valid symmetric-key cert.
Add a behavioral test for a non-empty store that is missing the required usage. Cover the async source and keep the generated sync client in parity. [R43: Tests Are Behavioral Contracts]
Design note
src/ksef2/clients/async_authenticated.py is the generator source for src/ksef2/clients/authenticated.py, so edit the async source and run just gen-sync.
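The guard behaviour described in this issue, sketched as an added example that is not the ksef2 project's code. The store, the Cert record, the cert() helper, load() and the fetch callback are simplified stand-ins assumed for illustration, and all certificates are constructed sample data.

```python
import asyncio
from collections import namedtuple
from datetime import datetime, timedelta, timezone

REQUIRED_USAGE = "symmetric_key_encryption"
Cert = namedtuple("Cert", "usage valid_to")  # hypothetical minimal record

class NoCertificateAvailableError(Exception): pass  # stand-in for the project's error

def cert(usage, days_left):  # builds constructed sample data
    return Cert(usage, datetime.now(timezone.utc) + timedelta(days=days_left))

class CertificateStore:  # stand-in; load() is a hypothetical reload method
    def __init__(self, certs=()):
        self._certs = list(certs)
    def all(self):
        return list(self._certs)
    def load(self, certs):
        self._certs = list(certs)
    def get_valid(self, usage):
        now = datetime.now(timezone.utc)
        for c in self._certs:
            if c.usage == usage and c.valid_to > now:
                return c
        raise NoCertificateAvailableError(usage)

async def ensure_loaded_broad(store, fetch):
    # Guard as the issue describes it: any non-empty store skips the fetch.
    if not store.all():
        store.load(await fetch())

async def ensure_loaded_usage_aware(store, fetch):
    # Skip the fetch only when a valid cert for the required usage is present.
    try:
        store.get_valid(REQUIRED_USAGE)
    except NoCertificateAvailableError:
        store.load(await fetch())

def run_case(guard, initial, fetched):
    """Run one scenario; return (fetch count, whether get_valid succeeds)."""
    store, calls = CertificateStore(initial), []
    async def fetch():
        calls.append(1)
        return fetched
    asyncio.run(guard(store, fetch))
    try:
        store.get_valid(REQUIRED_USAGE)
    except NoCertificateAvailableError:
        return len(calls), False
    return len(calls), True
```

A store holding only a ksef_token_encryption certificate is the case the behavioral test should pin down: the broad guard returns (0, False) for it, the usage-aware guard (1, True).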