add TLS, service persistence, blocking panel, query types

- Local TLS: auto-generated CA + per-service certs (explicit SANs, not
  wildcards — browsers reject *.numa under single-label TLDs). HTTPS
  proxy on :443 via rustls/tokio-rustls. `numa install` trusts CA in
  macOS Keychain / Linux ca-certificates.
- Service persistence: user-added services saved to
  ~/.config/numa/services.json, survive restarts.
- Blocking panel: renamed "Check Domain" to "Blocking" with sources
  display, allowlist management UI, unpause button.
- Query types: recognize SOA, PTR, TXT, SRV, HTTPS (type 65) instead
  of logging as UNKNOWN.
- Blocklist gzip: reqwest now decompresses gzip responses from CDNs.
- Unified config_dir() in lib.rs for consistent path resolution under
  sudo and launchd. TLS certs use /usr/local/var/numa/ (writable as
  root daemon).
- Dashboard UX: panel subtitles differentiating overrides vs services,
  better placeholders, proxy route display, 600px query log height.
- Deploy: make deploy handles build+copy+codesign+restart cycle.
- Demo: scripts/record-demo.sh for recording hero GIF with CDP.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/blocklist.rs

@@ -161,6 +161,10 @@ impl BlocklistStore {
         self.paused_until = Some(Instant::now() + std::time::Duration::from_secs(seconds));
     }
 
+    pub fn unpause(&mut self) {
+        self.paused_until = None;
+    }
+
     pub fn is_paused(&self) -> bool {
         self.paused_until
             .map(|until| Instant::now() < until)
@@ -233,6 +237,7 @@ pub fn parse_blocklist(text: &str) -> HashSet<String> {
 pub async fn download_blocklists(lists: &[String]) -> Vec<(String, String)> {
     let client = reqwest::Client::builder()
         .timeout(std::time::Duration::from_secs(30))
+        .gzip(true)
         .build()
         .unwrap_or_default();