Changelog
- Bundle cert.pem + key.pem as copy-to-output content (next to the host exe)
- Resolve them against the app base directory at startup and configure TLS when
both are present; fall back to unencrypted (dev mode) when they are missing
- Log confirmation that the cert/key were loaded and TLS is active