`sni-certs` folder auto-scan with reload modes

Parent: #115
Depends on: #116

## Scope

Add a new `sni-certs` block for automatic folder scanning of cert/key pairs, with configurable reload modes.

## Tasks

- [ ] New `sni-certs` block with `cert-folder`, `reload-mode`, `reload-interval`
- [ ] `reload-mode` options: `off`, `interval`, `watch` (platform-native with interval fallback)
- [ ] Full rescan + diff + atomic swap on reload
- [ ] Skip + warn for malformed/unpaired certs in folder scans
- [ ] Metrics: `zentinel_tls_certificates_loaded`, `zentinel_tls_reload_total`, etc.
- [ ] `allow-sni-overlaps` flag (default `false`), deterministic tie-breaking when enabled
- [ ] Update config validation and docs

## Example

```kdl
sni-certs {
    cert-folder "/etc/zentinel/certs/dynamic/"
    reload-mode "watch"
    reload-interval "30s"
}
```

## Context

See discussion in #115 for full design rationale. Builds on #116 (CN/SAN extraction).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

`sni-certs` folder auto-scan with reload modes #117

Scope

Tasks

Example

Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

sni-certs folder auto-scan with reload modes #117

Description

Scope

Tasks

Example

Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

`sni-certs` folder auto-scan with reload modes #117