Self-hosted Engine CE deployment documentation

The self-hosted rstream Engine CE documentation has been rewritten around a deployable operating model.

The documentation now explains the CE runtime boundary, the difference between the engine and the hosted Control plane, the DNS model for the base engine host and .t.<engine-host> tunnel hostnames, the static TLS certificate requirements, JWT agent authentication, Prometheus protection, and the CE feature boundary.

A new step-by-step guide walks through a complete Docker Compose deployment. It starts rstream-engine-ce, signs a local JWT, serves a local TLS certificate, runs an upstream HTTP service, launches a separate validation agent, publishes a tunnel, verifies the Engine API, checks Prometheus, calls the published tunnel hostname, and validates certificate reload without restarting the engine. It then maps the same shape to a production domain, ACME DNS validation, a certificate renewal sidecar, production agent token creation, and production smoke checks.

The guide also documents the production substitution for TLS: an ACME sidecar can write renewed cert.pem and key.pem files into the shared TLS directory, and the CE static certificate provider will reload them on later TLS handshakes.

See Self-Hosted, Deployment, Configuration, Operations, and Self-Host rstream Engine CE with Docker Compose.