feat: SSL wildcard certificate picker from NPM

- NPM client: ListCertificates endpoint
- API: GET /api/settings/npm-certificates (wildcard-only filter)
- Settings UI: EntityPicker for selecting wildcard certs
- Deployer: applies certificate_id + ssl_forced to proxy hosts
- Uses HTTPS subdomain URLs when SSL cert is configured

web/src/lib/i18n/en.json

@@ -207,7 +207,14 @@
     "regenerating": "Regenerating...",
     "regenerated": "Webhook URL regenerated",
     "regenerateFailed": "Failed to regenerate webhook URL",
-    "regenerateWarning": "Warning: regenerating will invalidate the current URL. Update your CI pipelines."
+    "regenerateWarning": "Warning: regenerating will invalidate the current URL. Update your CI pipelines.",
+    "sslCertificate": "SSL Certificate",
+    "sslCertificateHelp": "Wildcard certificate from NPM for auto-SSL on proxy hosts",
+    "selectCertificate": "Select Certificate",
+    "noCertificate": "None (no SSL)",
+    "clearCertificate": "Clear",
+    "loadingCertificates": "Loading certificates...",
+    "noCertificatesFound": "No wildcard certificates found in NPM"
   },
   "settingsRegistries": {
     "title": "Container Registries",