v0.42.0: real Let's Encrypt cert via wildcard proactive issuance

traefik's websecure entrypoint now declares http.tls.domains *.<domain>+apex so
it proactively obtains the wildcard via Cloudflare DNS-01 at startup (cert ready
before first client, every router serves it by SNI). Gated on CFAPIToken (DNS-01).
TraefikData gains Domain; ensureTraefik wires cfg.Customer.Domain.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 17:48:15 +02:00
parent 80216e6ce5
commit 84c3e84641
5 changed files with 42 additions and 5 deletions
@@ -1,5 +1,22 @@
## Changelog
### v0.42.0 — real Let's Encrypt cert: wildcard proactive issuance (2026-06-11)
The base-infra traefik obtained **no** real cert (acme.json empty) — both routers relied on the
websecure entrypoint-default `certResolver`, which does not trigger proactive DNS-01 issuance, so
everything ran on traefik's self-signed default (masked externally by the tunnel's `noTLSVerify`).
This blocks LAN-direct (a LAN client TLS-handshakes straight to traefik and needs the real cert).
- **`internal/infra/templates/traefik.yml.tmpl`** — the websecure entrypoint's `http.tls` now declares
`domains: [{main: "*.<domain>", sans: ["<domain>"]}]` so traefik **proactively obtains the wildcard
`*.<domain>` + apex at startup** (via Cloudflare DNS-01). Every router then serves the real cert by
SNI match — no per-app `certresolver` labels to forget, cert ready before the first client connects.
Gated on `.CFAPIToken` (wildcards require DNS-01; HTTP-01 can't issue them).
- **`infra.TraefikData`** gains a `Domain` field; **`stacks.ensureTraefik`** now wires
`Domain: cfg.Customer.Domain` into `RenderTraefik` (previously unset).
- Validated staging→prod on guest 9201 (Fake LE → real LE), then GATE: `felhom.<domain>` +
`files.<domain>` return `200 0` (real cert, TLS verify OK) from a real LAN host.
### v0.41.2 — fix controller-route auto-connect + dead dashboard cross-drive block (2026-06-11)
Two fixes found while live-validating v0.41.1 routing on guest 9201:
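Review bot: the v0.42.0 entry states the wildcard issuance is "Gated on `.CFAPIToken`" but does not say what the template renders when that token is unset, so a reader cannot tell whether such a deployment keeps the previous behaviour (entrypoint-default resolver, traefik's self-signed certificate behind the tunnel's `noTLSVerify`) or fails at startup; suggest adding one sentence to the `traefik.yml.tmpl` bullet stating the fallback explicitly. Two smaller points in the same entry: the validation line "return `200 0`" leaves the second value unexplained (if it is the HTTP status followed by the client's exit code, say so), and since acme.json now holds a private key that is valid for every hostname under `<domain>`, it would help to record where that file is persisted and with what permissions, because its exposure now affects every app rather than a single router.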