hecate_om_identity (hecate_om v0.3.1)
Loads the service-principal cert at boot and holds a Macula SDK client handle. Both live in a gen_server so every other process can borrow the pool through hecate_om:macula_client/0.
Each hecate-service has its OWN realm-signed credential (NOT a user's). The credential lives at /etc/hecate/secrets/service-cert.pem inside the container; the host mounts the per-service directory from /etc/hecate/secrets/<service-name>/ onto that path.
v1: long-lived realm-signed cert provisioned out-of-band by a realm-admin script. v2: short-lived UCAN auto-rotated from a realm HTTP endpoint. The v2 swap-in lands here without touching consumers.
Connect-degradation: when seeds aren't reachable (early boot, test harness, no station nearby), macula_client/0 returns {error, no_client} and consumers should fall back to no-op behaviour. The service stays up; it just doesn't talk to the mesh.
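The shape of this contract, as an added illustration rather than the hecate_om source: the cert is read at init, the connect step is injected as a fun so no Macula SDK call is assumed, an unreachable mesh leaves the server up with no client, and a consumer helper turns {error, no_client} into a no-op. The module name hecate_om_identity_example and the with_client/2 helper are hypothetical.

```erlang
%% Added example of the identity holder's degradation contract; not the
%% hecate_om source. The Macula connect step is injected via Opts so the
%% SDK API is not assumed. Module and helper names are hypothetical.
-module(hecate_om_identity_example).
-behaviour(gen_server).
-export([start_link/1, macula_client/0, with_client/2]).
-export([init/1, handle_call/3, handle_cast/2]).

%% Per-service credential path inside the container (see module doc).
-define(CERT_PATH, "/etc/hecate/secrets/service-cert.pem").

%% Opts: #{connect => fun((CertPem :: binary()) -> {ok, Client} | {error, term()}),
%%         cert_path => file:filename()}  % cert_path defaults to ?CERT_PATH
start_link(Opts) ->
    gen_server:start_link({local, ?MODULE}, ?MODULE, Opts, []).

%% {ok, Client} when the mesh is reachable, {error, no_client} while degraded.
macula_client() ->
    gen_server:call(?MODULE, macula_client).

%% Consumer helper: run Fun with the client, or return Default as a no-op.
with_client(Fun, Default) ->
    case macula_client() of
        {ok, Client}       -> Fun(Client);
        {error, no_client} -> Default
    end.

init(#{connect := Connect} = Opts) ->
    Path = maps:get(cert_path, Opts, ?CERT_PATH),
    %% A missing cert is a deployment error: crash so the supervisor reports it.
    {ok, CertPem} = file:read_file(Path),
    %% Unreachable seeds are expected (early boot, test harness): stay up, degraded.
    Client = case Connect(CertPem) of
                 {ok, C} -> C;
                 {error, Reason} ->
                     logger:warning("macula connect failed: ~p", [Reason]),
                     undefined
             end,
    {ok, #{cert => CertPem, client => Client}}.

handle_call(macula_client, _From, #{client := undefined} = State) ->
    {reply, {error, no_client}, State};
handle_call(macula_client, _From, #{client := Client} = State) ->
    {reply, {ok, Client}, State}.

handle_cast(_Msg, State) ->
    {noreply, State}.
```

Swapping v1 for v2 (UCAN auto-rotation) then only changes what init/1 does with the credential; consumers keep calling macula_client/0 and with_client/2 unchanged.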