fix(lightning): restore LIGHTNING_API_CERTIFICATE fallback when no cert path is set

[Danswar]

Follow-up to #3861, per David's 06-11 review note: prod dfx-api is not hosted on DFX servers yet (no local lnd / lightning volume to mount), so removing LIGHTNING_API_CERTIFICATE entirely left prod with no cert source once this code reaches it.

This restores the env var as the fallback only when LIGHTNING_API_CERTIFICATE_PATH is unset (hosts without the mount, i.e. today's prod). The fail-loud behavior David asked for is unchanged: when the path is set, the live file is read and a missing/unreadable file still throws at startup — a broken mount can't be masked by a stale env var, because the fallback is never consulted in that case.

• readCert(): unset path → LIGHTNING_API_CERTIFICATE (same <br>→newline handling as before feat(lightning): support loading LND TLS certificate from file #3861); set path → read-or-throw (unchanged)
• .env.example: LIGHTNING_API_CERTIFICATE re-added with a comment explaining the precedence
• dfxdev keeps using the file path (mount restored separately in DFXServer/server#378); the Vault cleanup of the prod env var is deferred until prod migrates onto DFX servers

tsc clean.

[davidleomay]

Duplicate of #3867

[Danswar]

Same fix, you were faster 🙂 — #3867 covers it.