server: drop in-process TLS — HTTP-only behind reverse proxy

Self-hosted deployments already terminate TLS at Caddy/Traefik/nginx;
making the server do TLS too means double cert config, dual ACME
plumbing, and an untested code path. Drop RM_TLS_CERT/RM_TLS_KEY,
remove TLSEnabled() and the ListenAndServeTLS branch.

Replace the cookie's "Secure if TLS-in-process" check with a new
RM_COOKIE_SECURE flag (default true). Local HTTP-only testing sets
RM_COOKIE_SECURE=false; production is always behind a TLS proxy and
the cookie stays Secure.

Default port :8443 → :8080. docker-compose binds 127.0.0.1 only and
populates RM_TRUSTED_PROXY. spec.md §4.1/§10.1 rewritten with a
Caddyfile snippet and a hard "do not expose RM_LISTEN publicly"
warning. enrollResponse keeps cert_pin_sha256 in the shape but the
server can't introspect a cert it doesn't terminate — operator
pastes the proxy's hash into -cert-pin at install time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/server/config/config_test.go

@@ -6,14 +6,14 @@ import (
 )
 
 func TestDefaultsValid(t *testing.T) {
-	t.Setenv("RM_LISTEN", ":8443")
+	t.Setenv("RM_LISTEN", ":8080")
 	t.Setenv("RM_DATA_DIR", "/tmp/rm-test")
 
 	c, err := Load("")
 	if err != nil {
 		t.Fatalf("load: %v", err)
 	}
-	if c.Listen != ":8443" {
+	if c.Listen != ":8080" {
 		t.Errorf("listen: %q", c.Listen)
 	}
 	if c.SecretKeyFile != "/tmp/rm-test/secret.key" {
@@ -50,7 +50,7 @@ func TestEnvOverridesYAML(t *testing.T) {
 }
 
 func TestTrustedProxyParsing(t *testing.T) {
-	t.Setenv("RM_LISTEN", ":8443")
+	t.Setenv("RM_LISTEN", ":8080")
 	t.Setenv("RM_DATA_DIR", "/tmp/x")
 	t.Setenv("RM_TRUSTED_PROXY", "10.0.0.0/8, 192.168.1.0/24")
 
@@ -67,7 +67,7 @@ func TestTrustedProxyParsing(t *testing.T) {
 }
 
 func TestTrustedProxyRejectsGarbage(t *testing.T) {
-	t.Setenv("RM_LISTEN", ":8443")
+	t.Setenv("RM_LISTEN", ":8080")
 	t.Setenv("RM_DATA_DIR", "/tmp/x")
 	t.Setenv("RM_TRUSTED_PROXY", "not-a-cidr")
 
@@ -76,14 +76,25 @@ func TestTrustedProxyRejectsGarbage(t *testing.T) {
 	}
 }
 
-func TestTLSPairConsistency(t *testing.T) {
-	t.Setenv("RM_LISTEN", ":8443")
+func TestCookieSecureDefaultAndOverride(t *testing.T) {
+	t.Setenv("RM_LISTEN", ":8080")
 	t.Setenv("RM_DATA_DIR", "/tmp/x")
-	t.Setenv("RM_TLS_CERT", "/some/cert.pem")
-	// key intentionally unset
 
-	if _, err := Load(""); err == nil {
-		t.Fatal("expected error: cert without key")
+	c, err := Load("")
+	if err != nil {
+		t.Fatalf("load: %v", err)
+	}
+	if !c.CookieSecure {
+		t.Errorf("CookieSecure should default to true")
+	}
+
+	t.Setenv("RM_COOKIE_SECURE", "false")
+	c, err = Load("")
+	if err != nil {
+		t.Fatalf("load: %v", err)
+	}
+	if c.CookieSecure {
+		t.Errorf("CookieSecure should be false when RM_COOKIE_SECURE=false")
 	}
 }