fix(security): generate per-machine CA and cleanup trusted certs

[oines]

Summary

• replace the shared embedded root certificate/private key with a per-machine local CA generated on first run
• stop relying on install.lock and detect certificate installation against the real system trust store
• cleanup trusted certs during app exit, reset, and Windows uninstall via a non-UI cleanup entrypoint
• update troubleshooting docs to reflect the new cert path and behavior

Verification

• npm install
• npm run build
• go test ./...
• go build ./...
• GOOS=windows GOARCH=amd64 go build ./...
• GOOS=linux GOARCH=amd64 go build ./...
• go run /tmp/res_downloader_cert_smoke.go
• go run . --cleanup-system

Notes

• this keeps the existing install/proxy API surface intact while removing the shared CA material from source control
• normal app exit now attempts best-effort certificate cleanup, so users may need to re-install trust on the next launch if they want interception again