feat: add auto-enrollment, cert validation, and crash loop fixes

- Auto-enrollment on startup when certs are missing/invalid and enrollment.manager_url configured
- Certificate validation (existence, parse, expiry, key match, CA trust)
- --enroll exits after completion (no port conflict with systemd service)
- --renew-certs flag for manual cert renewal
- SO_REUSEADDR on TcpListener::bind (prevents Address already in use)
- Polling token persistence for enrollment resume after restart
- Exit code strategy (0=clean, 1=error, 2=enrollment in progress)
- HTTP 409 (host already exists) handling during enrollment
- Move 'Listening on' log after actual bind
- Increase RestartSec to 10s and add StartLimitBurst=5
- Postinst checks for certs and enrollment URL, prints guidance
- EnrollmentConfig.manager_url changed to Option<String>
- cert_renewal_threshold_days and polling_token config fields
- Updated SPEC.md and DEPLOYMENT_GUIDE.md with new workflow
- RCA document for crash loop root cause analysis
- Version bumped to 1.2.0

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "linux-patch-api"
-version = "1.1.17"
+version = "1.2.0"
 edition = "2021"
 authors = ["Echo <echo@moon-dragon.us>"]
 description = "Secure remote package management API for Linux systems"
@@ -48,6 +48,7 @@ uuid = { version = "1", features = ["v4", "serde"] }
 
 # Time/Date
 chrono = { version = "0.4", features = ["serde"] }
+time = "0.3"
 
 # Error handling
 thiserror = "1"
@@ -76,6 +77,9 @@ pidlock = "0.2"
 # URL parsing
 url = "2"
 
+# Socket options (SO_REUSEADDR)
+socket2 = { version = "0.5", features = ["all"] }
+
 # File locking for concurrent-safe whitelist modifications
 fs2 = "0.4"