add core client cert validation

[wojcik91]

Validate core cert when establishing gRPC connection.

Related DefGuard/defguard#2695

Needs:

• send core certs during component setup proto#74
• add mTLS for gateway & proxy communication defguard#2726

[Copilot]

Pull request overview

Adds mTLS hardening for the Core↔Proxy gRPC channel by introducing Core client certificate chain validation and serial pinning, and updates setup to accept/store the CA + Core client cert alongside the component cert.

Changes:

• Replace the old gRPC TLS Configuration with TlsConfig (server cert/key + CA cert + pinned Core client cert DER).
• Validate the certificate bundle received during setup and configure gRPC server with CA-validated mTLS + serial-pin interceptor.
• Add integration-style mTLS tests covering valid client, missing client cert, wrong serial, and rogue CA scenarios.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/setup.rs	Accepts CertBundle, validates CA-signed component + Core client certs, and passes TlsConfig via oneshot.
src/grpc.rs	Configures gRPC server TLS using CA + serial pinning; purge removes additional cert files.
src/http.rs	Writes/reads additional TLS artifacts (CA cert + Core client cert) during setup and restart.
src/main.rs	Loads full TlsConfig (including CA + Core client cert) from disk at startup.
src/lib.rs	Registers new test module and removes unused CommsChannel type.
src/tests/mtls.rs	Adds mTLS/serial-pinning integration tests for the gRPC server.
src/tests/mod.rs	Wires the mTLS test module.
Cargo.toml	Adds defguard_grpc_tls, rustls-webpki, rustls-pki-types, and a tokio dev-dependency.
Cargo.lock	Locks dependency updates required by the new TLS validation stack.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.