fix(packaging): enable mTLS for local packages #1271

Merged: drew merged 5 commits into main from add-mtls on May 8, 2026
@drew (Collaborator) commented May 8, 2026

Summary

Enable TLS and client certificate auth for package-managed local gateways on Homebrew and Debian. Both packages now bootstrap local certs through `openshell-gateway generate-certs --output-dir` and register `https://127.0.0.1:17670`.

Related Issue

Addresses Linear OS-177

Changes

  • Configure the Debian user service with TLS server certs, sandbox guest TLS bundle paths, and an HTTPS callback endpoint.
  • Generate Homebrew local PKI during post_install with the shared gateway cert helper and update service environment and caveats.
  • Update install-dev and Debian package smoke registration to use the openshell HTTPS/mTLS local gateway.
  • Reuse existing local PKI when `generate-certs --output-dir` is re-run so CLI mTLS copies stay paired with the gateway certs.

Testing

  • `cargo test -p openshell-server certgen`
  • Generated Homebrew formula syntax check
  • Shell syntax checks for installer scripts
  • `mise run pre-commit` after moving the worktree: Python/docs/Helm/Rust check phases passed; Rust workspace tests then failed in openshell-ocsf because stale Cargo artifacts still referenced the old worktree path `/Users/anewberry/dev/openshell.security-fixes`.

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
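
The reuse behaviour in the last Changes item, sketched as an added shell example (not code from this PR or from openshell-gateway): a bootstrap function that generates a local CA plus server and client certificates once and reuses them on later runs. The file names, certificate subjects, and the choice to refuse partial or unpaired bundles are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent local PKI bootstrap for an mTLS gateway and its CLI.
# File names and subjects are assumptions, not openshell-gateway's real layout.
PKI_FILES="ca.crt ca.key server.crt server.key client.crt client.key"

# Prints generated | reused | partial | unpaired; returns 1 for the last two.
ensure_local_pki() {
    dir=$1
    present=0
    for f in $PKI_FILES; do
        if [ -s "$dir/$f" ]; then present=$((present + 1)); fi
    done
    if [ "$present" -eq 6 ]; then
        # Reuse only when both leaf certs still chain to the CA on disk.
        if openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" \
                "$dir/client.crt" >/dev/null 2>&1; then
            echo reused; return 0
        fi
        echo unpaired; return 1
    fi
    if [ "$present" -ne 0 ]; then
        # Regenerating over a partial bundle would orphan copies made earlier.
        echo partial; return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    ( umask 077   # private keys readable by the owner only
      cd "$dir" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=example local CA" \
          -keyout ca.key -out ca.crt 2>/dev/null || exit 1
      for leaf in server client; do
          openssl req -newkey rsa:2048 -nodes -subj "/CN=example $leaf" \
              -keyout "$leaf.key" -out "$leaf.csr" 2>/dev/null || exit 1
          openssl x509 -req -in "$leaf.csr" -CA ca.crt -CAkey ca.key \
              -CAcreateserial -days 365 -out "$leaf.crt" 2>/dev/null || exit 1
          rm -f "$leaf.csr"
      done ) || return 1
    echo generated
}

# SHA-256 fingerprint of the CA, used to confirm a re-run kept the same CA.
ca_fingerprint() {
    openssl x509 -in "$1/ca.crt" -noout -fingerprint -sha256
}
```

Comparing `ca_fingerprint` before and after a package upgrade is a quick check that a client copy made earlier still matches the CA the gateway trusts.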

@drew drew requested review from a team, derekwaynecarr, maxamillion and mrunalp as code owners May 8, 2026 17:24
github-actions Bot commented May 8, 2026

copy-pr-bot Bot commented May 8, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

TaylorMutch previously approved these changes May 8, 2026
@drew drew merged commit daa2a36 into main May 8, 2026
23 checks passed
@drew drew deleted the add-mtls branch May 8, 2026 20:02