fix: macOS dev VM, CA certs, DNS fallback, Portainer Edge integration

- dev-vm.sh: rewrite for macOS (bsdtar ISO extraction, Homebrew mkfs.ext4
  detection, direct kernel boot, TCG acceleration, port 8080 forwarding)
- inject-kubesolo.sh: add CA certificates bundle from builder so containerd
  can verify TLS when pulling from registries (Docker Hub, etc.)
- 50-network.sh: add DNS fallback (10.0.2.3 + 8.8.8.8) when DHCP client
  doesn't populate /etc/resolv.conf
- 90-kubesolo.sh: serve kubeconfig via HTTP on port 8080 for reliable
  retrieval from host, add 127.0.0.1 and 10.0.2.15 to API server SANs
- portainer.go: add headless Service to Edge Agent manifest (required for
  agent peer discovery DNS lookup)
- 10-parse-cmdline.sh + init.sh: add kubesolo.edge_id/edge_key boot params
- 20-persistent-mount.sh: auto-format unformatted data disks on first boot
- hack/fix-portainer-service.sh: helper to patch running cluster

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

build/scripts/inject-kubesolo.sh

@@ -350,7 +350,19 @@ mkdir -p "$ROOTFS/usr/local"
 mkdir -p "$ROOTFS/mnt/data"
 mkdir -p "$ROOTFS/run/containerd"
 
-# --- 8. Ensure /etc/hosts and /etc/resolv.conf exist ---
+# --- 8. CA certificates (required for containerd to pull from registries) ---
+mkdir -p "$ROOTFS/etc/ssl/certs"
+if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
+    cp /etc/ssl/certs/ca-certificates.crt "$ROOTFS/etc/ssl/certs/ca-certificates.crt"
+    echo "    Installed CA certificates bundle"
+elif [ -f /etc/pki/tls/certs/ca-bundle.crt ]; then
+    cp /etc/pki/tls/certs/ca-bundle.crt "$ROOTFS/etc/ssl/certs/ca-certificates.crt"
+    echo "    Installed CA certificates bundle (from ca-bundle.crt)"
+else
+    echo "    WARN: No CA certificates found in builder — TLS verification will fail"
+fi
+
+# --- 9. Ensure /etc/hosts and /etc/resolv.conf exist ---
 if [ ! -f "$ROOTFS/etc/hosts" ]; then
     cat > "$ROOTFS/etc/hosts" << EOF
 127.0.0.1 localhost