fix(gateway): correct ECDSA key usage and dispose CertificateRequest

Drop KeyEncipherment from the self-signed cert's key-usage extension — it
is semantically wrong for ECDSA (RSA key-transport only); DigitalSignature
alone is correct for TLS 1.3 / ECDHE server certs.  CertificateRequest is
unchanged (not IDisposable in .NET 10).  Test now also asserts MachineName,
127.0.0.1 and IPv6 loopback are present in the SAN extension.

src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs

@@ -39,7 +39,7 @@ public sealed class SelfSignedCertificateProvider
 
         request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
         request.CertificateExtensions.Add(new X509KeyUsageExtension(
-            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment,
+            X509KeyUsageFlags.DigitalSignature,
             critical: true));
         request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
             [new Oid(ServerAuthOid, "Server Authentication")],

src/ZB.MOM.WW.MxGateway.Tests/Security/Tls/SelfSignedCertificateProviderTests.cs

@@ -27,6 +27,12 @@ public sealed class SelfSignedCertificateProviderTests
         string sans = ReadSubjectAltNames(cert);
         Assert.Contains("localhost", sans);
         Assert.Contains("gw.internal", sans);
+        Assert.Contains(Environment.MachineName, sans);
+        // Format() renders IP SANs as "IP Address:<addr>"; the IPv6 loopback may appear
+        // as "::1" or its expanded form depending on the platform crypto library.
+        Assert.Contains("127.0.0.1", sans);
+        Assert.True(sans.Contains("::1") || sans.Contains("0:0:0:0:0:0:0:1"),
+            $"Expected IPv6 loopback in SANs but got: {sans}");
 
         X509EnhancedKeyUsageExtension eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().Single();
         Assert.Contains(eku.EnhancedKeyUsages.Cast<System.Security.Cryptography.Oid>(),