## Refactor: Introduce a Unified CertProvisioner for Certificate Lifecycle

- [x] Ensure Port80Handler is challenge-only:
  - Remove any internal scheduling and deprecated ACME flows (`getAcmeClient`, `processAuthorizations`, `handleAcmeChallenge`) from Port80Handler.
  - Remove legacy ACME options (`renewThresholdDays`, `renewCheckIntervalHours`, `mongoDescriptor`, etc.) from `IPort80HandlerOptions`.
  - Retain only methods for HTTP-01 challenge and direct renewals (`obtainCertificate`, `renewCertificate`, `getDomainCertificateStatus`).
- [x] Clean up deprecated `acme` configuration:
  - Remove the `acme` property from `IPortProxySettings` and all legacy references in code.
- [x] Implement `CertProvisioner` component:
  - [x] Create class `ts/smartproxy/classes.pp.certprovisioner.ts`.
  - [x] Constructor accepts:
    * `domainConfigs: IDomainConfig[]`
    * `port80Handler: Port80Handler`
    * `networkProxyBridge: NetworkProxyBridge`
    * optional `certProvider: (domain) => Promise`
    * `renewThresholdDays`, `renewCheckIntervalHours`, `autoRenew` settings.
  - Responsibilities:
    * Initial provisioning: static vs HTTP-01.
    * Subscribe to Port80Handler events (CERTIFICATE_ISSUED/RENEWED) and to static cert updates.
    * Re-emit unified `'certificate'` events to SmartProxy.
    * Central scheduling of renewals via `@push.rocks/taskbuffer`.
- [x] Refactor SmartProxy:
  - [x] Remove existing scheduling / renewal logic.
  - [x] Instantiate `CertProvisioner` in `start()`, delegate cert workflows entirely.
  - [x] Forward CertProvisioner events to SmartProxy’s `'certificate'` listener.
- [x] CertProvisioner lifecycle methods:
  - [x] `start()`: provision all domains, start scheduler.
  - [x] `stop()`: stop scheduler.
  - [x] `requestCertificate(domain)`: on-demand provisioning.
- [x] Handle static certificate auto-refresh:
  - [x] In the renewal scheduler, for domains with static certs, re-call `certProvider(domain)` near expiry.
  - [x] Apply returned cert via `networkProxyBridge.applyExternalCertificate()`.
- [ ] Tests:
  - Unit tests for `CertProvisioner`, mocking Port80Handler and `certProvider`:
    * Validate initial provisioning and dynamic/static flows.
    * Validate scheduling triggers correct renewals.
  - Integration tests:
    * Use actual in-memory Port80Handler with short intervals to verify renewals and event emission.
- [ ] Documentation:
  - Add code-level TS doc for `CertProvisioner` API (options, methods, events).
  - Update root `README.md` and architecture diagrams to show `CertProvisioner` role.
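
The central scheduling and static auto-refresh items in the plan come down to one decision per scheduler pass: which domains are near expiry, and which flow renews each. The sketch below is an added TypeScript example, not the project's code; the types, `planRenewals`, `daysRemaining` and the sample domains are hypothetical, and only `renewThresholdDays`, `autoRenew`, `certProvider` and Port80Handler are names taken from the plan.

```typescript
// Added illustration: type and function names are hypothetical, not SmartProxy's API.
type RenewalAction = 'refresh-static' | 'renew-http01';
interface TrackedCert {
  domain: string;
  source: 'static' | 'http01'; // how the certificate was first provisioned
  expiresAt?: Date;            // undefined when the expiry could not be read
}
interface RenewalSettings {
  renewThresholdDays: number;  // due when this many days or fewer remain
  autoRenew: boolean;
}
interface PlannedRenewal { domain: string; action: RenewalAction }

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Days until expiry. A missing or unparsable expiry counts as already
// expired, so a bad record triggers renewal instead of being skipped.
function daysRemaining(cert: TrackedCert, now: Date): number {
  const t = cert.expiresAt ? cert.expiresAt.getTime() : NaN;
  return isNaN(t) ? -Infinity : (t - now.getTime()) / MS_PER_DAY;
}

// One scheduler pass. 'refresh-static' stands for re-calling certProvider(domain)
// and applying the result; 'renew-http01' for the Port80Handler renewal.
function planRenewals(certs: TrackedCert[], settings: RenewalSettings, now: Date): PlannedRenewal[] {
  if (!settings.autoRenew) return [];
  return certs
    .map((cert) => ({ cert, days: daysRemaining(cert, now) }))
    .filter((e) => e.days <= settings.renewThresholdDays)
    // Most urgent first, so the caller can process the nearest expiry first.
    .sort((a, b) => (a.days < b.days ? -1 : a.days > b.days ? 1 : 0))
    .map((e): PlannedRenewal => ({
      domain: e.cert.domain,
      action: e.cert.source === 'static' ? 'refresh-static' : 'renew-http01',
    }));
}

// Constructed sample data (not from the project).
const SAMPLE_NOW = new Date('2025-01-01T00:00:00Z');
const SAMPLE_CERTS: TrackedCert[] = [
  { domain: 'a.example', source: 'http01', expiresAt: new Date('2025-03-01T00:00:00Z') },
  { domain: 'b.example', source: 'static', expiresAt: new Date('2025-01-11T00:00:00Z') },
  { domain: 'c.example', source: 'http01', expiresAt: new Date('2025-01-21T00:00:00Z') },
  { domain: 'd.example', source: 'static' }, // expiry unknown
];
```

Passing `now` in as a parameter keeps the pass deterministic, which suits the unit tests listed above: the scheduler can be exercised with fixed dates instead of short real intervals.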