[autodev] Update Jetson test environment and satellite-provider integration

- Added `.env.test` to `.gitignore` to exclude test environment variables.
- Enhanced `docker-compose.test.jetson.yml` to include the real satellite-provider .NET service and its PostgreSQL database, replacing the mock service.
- Updated test execution policy to mandate all tests run exclusively on Jetson hardware, deprecating the previous two-tier model.
- Revised documentation in `_docs/LESSONS.md`, `_docs/02_document/tests/environment.md`, and `_docs/04_deploy/ci_cd_pipeline.md` to reflect the new testing strategy and environment setup.
- Improved `run-tests-jetson.sh` script to ensure proper environment variable handling and satellite-provider integration.

This commit aligns the testing framework with production environments, enhancing reliability and coverage.

scripts/ensure-dev-cert.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+# AZ-688: ensure the dev TLS cert for ../satellite-provider exists.
+#
+# Mirrors the cert-generation step in
+# `../satellite-provider/scripts/run-tests.sh` so the upstream compose can
+# find ./certs/api.pfx at the same relative path both in the upstream repo
+# and here. Self-signed for dev/test only; gitignored under
+# satellite-provider/certs/ and regenerated on demand.
+#
+# Produces three artefacts:
+#   * api.pfx — Kestrel server cert (PKCS#12, passphrase: satellite-dev-cert)
+#   * api.crt — public cert (PEM); AZ-692 mounts this as the CA trust anchor
+#                in gps-denied client containers
+#   * api.key — private key (PEM)
+#
+# SAN includes `api` (upstream compose service name) and `satellite-provider`
+# (the alias added in docker-compose.test.jetson.yml override) so HttpClient
+# can validate the cert against either DNS name.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+if [[ ! -d "${REPO_ROOT}/../satellite-provider" ]]; then
+    echo "ERROR: ../satellite-provider not found relative to ${REPO_ROOT}." >&2
+    echo "       Clone the sibling repo before running the Jetson harness." >&2
+    exit 64
+fi
+
+SATPROV_DIR="$(cd "${REPO_ROOT}/../satellite-provider" && pwd)"
+CERTS_DIR="${SATPROV_DIR}/certs"
+PFX="${CERTS_DIR}/api.pfx"
+CRT="${CERTS_DIR}/api.crt"
+KEY="${CERTS_DIR}/api.key"
+
+if [[ -f "${PFX}" && -f "${CRT}" && -f "${KEY}" ]]; then
+    echo "[ensure-dev-cert] cert present at ${PFX}"
+    exit 0
+fi
+
+if ! command -v docker >/dev/null 2>&1; then
+    echo "ERROR: docker not on PATH; cannot generate cert via alpine container." >&2
+    exit 65
+fi
+
+echo "[ensure-dev-cert] generating dev TLS cert in ${CERTS_DIR}"
+mkdir -p "${CERTS_DIR}"
+
+docker run --rm -v "${CERTS_DIR}:/work" -w /work alpine:3.20 sh -c '
+    set -e
+    apk add --no-cache openssl >/dev/null
+    cat > /tmp/openssl.cnf <<EOF
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions    = v3_req
+prompt             = no
+
+[req_distinguished_name]
+CN = satellite-provider-dev
+
+[v3_req]
+keyUsage         = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName   = @alt_names
+
+[alt_names]
+DNS.1 = api
+DNS.2 = satellite-provider
+DNS.3 = localhost
+IP.1  = 127.0.0.1
+EOF
+    openssl req -x509 -newkey rsa:2048 -nodes \
+        -keyout api.key -out api.crt \
+        -days 365 -config /tmp/openssl.cnf >/dev/null 2>&1
+    openssl pkcs12 -export -out api.pfx -inkey api.key -in api.crt \
+        -passout pass:satellite-dev-cert
+    chmod 644 api.pfx api.crt api.key
+'
+
+echo "[ensure-dev-cert] wrote:"
+echo "  ${PFX}      (Kestrel server cert; passphrase: satellite-dev-cert)"
+echo "  ${CRT}      (public cert; mounted as CA in gps-denied clients per AZ-692)"
+echo "  ${KEY}      (private key; DEV ONLY, never deploy to prod)"