Harden Rockxy root CA lifecycle for open-source release safety

[LocNguyenHuu]

Summary

Rockxy is already using the right local per-install root CA model for a debugging proxy, but the CA lifecycle should be hardened for open-source release quality and safer long-term maintenance.

This issue is about practical local hardening, not public CA trust or expensive company-scale PKI work.

Problem

Current concerns:

• root CA lifetime is longer than ideal for a local interception CA
• private-key persistence still includes legacy disk fallback and recovery behavior
• legacy .bak recovery files should not remain the long-term expected storage model

Scope

• reduce root CA validity period to a more conservative lifetime
• move release behavior toward Keychain-only private-key storage
• preserve safe migration from older installs where needed
• clean up legacy disk fallback and .bak recovery paths where safe
• improve CA lifecycle messaging and recovery guidance

Non-Goals

• public CA program enrollment
• automatic browser trust beyond local OS trust
• enterprise PKI / MDM fleet rollout

Acceptance Criteria

• Rockxy still generates a local per-install CA
• release behavior does not depend on new plaintext private-key writes to disk
• migration from older installs remains recoverable
• CA validity and cleanup strategy are documented in code and covered by focused tests

Related

• related to Improve certificate, pinning, and auto-passthrough diagnostics for HTTPS debugging #11

[LocNguyenHuu]

Linking context:

• related to Improve certificate, pinning, and auto-passthrough diagnostics for HTTPS debugging #11 for HTTPS trust and certificate guidance
• should stay separate from Audit traffic capture, request list, and inspector workflow under real session load #14 so traffic-capture workspace fixes do not get coupled to CA storage/lifecycle hardening

This issue should own shorter validity, Keychain-only direction, and legacy disk cleanup strategy.