[AZ-505] AC-5 fix: enable TLS for HTTP/2 via ALPN

Kestrel with HttpProtocols.Http1AndHttp2 on a plaintext listener
silently downgrades to HTTP/1.1-only (logs "HTTP/2 is not enabled
... TLS is not enabled"), so AC-5's multiplexed-GET test failed
with HTTP_1_1_REQUIRED. ALPN cannot run over plaintext, so the
fix switches the dev listener to TLS on https://+:8080:

- scripts/run-tests.sh generates a self-signed dev cert idempotently
  (./certs/api.pfx + api.crt) via openssl in an alpine container;
  certs/ is gitignored.
- docker-compose.yml binds Kestrel to ASPNETCORE_URLS=https://+:8080
  with Kestrel__Certificates__Default__Path bound to the .pfx.
- docker-compose.tests.yml mounts api.crt into the integration-tests
  container's CA store and runs update-ca-certificates so HttpClient
  trusts the cert transparently; default API_URL is now https://api:8080.
- Drop the obsolete Http2UnencryptedSupport AppContext switch from
  Http2MultiplexingTests; ALPN over TLS handles negotiation.

Test-data fixes caught on the post-TLS rerun (independent of the TLS
switch but surfaced together):

- Http2MultiplexingTests: switch slippy coords from (154321, 95812)
  -- which Google Maps returns 404 for -- to (158485, 91707), the
  slippy projection of (47.461747, 37.647063) already exercised by
  JwtIntegrationTests.
- TileInventoryTests + LeafletPathIndexOnlyTests: SpecifyKind to
  Unspecified at the binding site for raw Npgsql seed paths writing
  into tiles.captured_at / created_at / updated_at (TIMESTAMP without
  tz). Npgsql v6+ refuses Kind=Utc into plain timestamp columns;
  production goes through Dapper and never hits this code path.
- MigrationTests Az503NewUniqueIndexCoversIntegerKeyAndFlightId:
  accept either idx_tiles_location_hash (migration 014) or its
  AZ-505 successor tiles_leaflet_path (migration 015) -- both have
  location_hash as the leading column, which is the AC-9 intent.

Docs updated to reflect the TLS+ALPN path: tile-inventory.md
Non-Goals, modules/api_program.md, module-layout.md, the AZ-505
task spec's Risk 3, and the cycle 6 implementation + completeness
reports. The full integration test suite passes (mode=full, exit 0).

Co-authored-by: Cursor <cursoragent@cursor.com>

SatelliteProvider.Api/Program.cs

@@ -40,12 +40,14 @@ builder.Services.Configure<KestrelServerOptions>(options =>
 {
     options.Limits.MaxRequestBodySize = uavBatchBodyLimit;
     // AZ-505: enable HTTP/2 alongside HTTP/1.1 on every Kestrel endpoint so
-    // programmatic clients (httpx http2=True, .NET HttpClient with
-    // HttpVersionPolicy.RequestVersionExact) can multiplex tile reads on a
-    // single TCP connection. Browsers cannot use h2c (HTTP/2 cleartext)
-    // without ALPN+TLS, so they continue on HTTP/1.1 — the win for browsers
-    // is the AZ-505 covering-index hot path, not multiplexing. HTTP/3/QUIC
-    // is intentionally out of scope (see AZ-505 task spec § Excluded).
+    // programmatic clients (httpx http2=True, .NET HttpClient) can multiplex
+    // tile reads on a single TCP connection. Kestrel requires TLS+ALPN for
+    // HTTP/2 — the dev/test compose files mount a self-signed cert at
+    // /app/certs/api.pfx and set ASPNETCORE_URLS=https://+:8080; production
+    // is expected to terminate TLS at the same layer or upstream. Browsers
+    // negotiate HTTP/2 via ALPN once TLS is present; legacy HTTP/1.1
+    // callers continue to work over the same listener. HTTP/3/QUIC is
+    // intentionally out of scope (see AZ-505 task spec § Excluded).
     options.ConfigureEndpointDefaults(listen =>
     {
         listen.Protocols = HttpProtocols.Http1AndHttp2;