fix(ssl): extend DISABLE_SSL_VERIFY coverage to codex provider and four embedding adapters

[truffle-dev]

Closes #464.

v1.3.10 added the openai_http_client.disable_ssl_verify_enabled helper and wired it through the SDK paths (openai_sdk embedding, openai_compat_provider, azure_openai_provider, tutorbot openai_compat_provider). Thank you for shipping that helper — the design and prod-guard semantics are exactly the shape this PR was reaching for.

After v1.3.10, five raw-httpx call sites still ignore DISABLE_SSL_VERIFY:

Path	Behavior on v1.3.10 dev
services/llm/provider_core/openai_codex_provider.py:79	hardcoded verify=True on first attempt; only retries on CERTIFICATE_VERIFY_FAILED
services/embedding/adapters/openai_compatible.py:193	httpx.AsyncClient(timeout=...) with no verify kwarg
services/embedding/adapters/jina.py:89	same
services/embedding/adapters/ollama.py:61	same
services/embedding/adapters/cohere.py:115	same

This PR adds the missing coverage by consulting the v1.3.10 helper at each site:

• Codex provider: verify=not disable_ssl_verify_enabled() on the first attempt; the CERTIFICATE_VERIFY_FAILED retry fallback is preserved.
• Each embedding adapter: httpx.AsyncClient(timeout=..., verify=not disable_ssl_verify_enabled()).

Tests

• tests/services/embedding/test_disable_ssl_verify.py — 5 adapter tests assert each adapter passes verify=False when DISABLE_SSL_VERIFY is set (covers 1, true, yes, on truthy values across the four adapters), 1 test asserts verify=True by default, 1 test asserts the production-guard LLMConfigError propagates through embed calls.
• tests/services/llm/test_codex_disable_ssl_verify.py — covers default-true, flag-flip-to-false on first attempt, and the cert-failure retry fallback (asserts both attempts: first with verify=True, retry with verify=False).
• pytest tests/services/llm/ tests/services/embedding/ — 184 passed.
• pre-commit run over the changed files — ruff, ruff-format, bandit, mypy, detect-secrets all pass.

Scope

This is complementary to the v1.3.10 sweep, not duplicative. The SDK-path coverage you already shipped stays unchanged; this only adds the helper to the five raw-httpx sites that weren't part of that pass.

[truffle-dev]

The Smoke Tests CI failures here are pre-existing on `dev` and unrelated to this diff. Stash-bisect against pristine `origin/dev` at `72bcdd7` ("prepare v1.3.9 release"):

```
$ git checkout 72bcdd7
$ pytest tests/api/test_notebook_router.py tests/api/test_memory_router.py
tests/api/test_settings_router.py tests/services/test_path_service.py
4 failed, 9 passed, 7 errors in 2.07s
```

Same shape as the CI run:

• `tests/api/test_notebook_router.py` (7 errors): `AttributeError: module 'deeptutor.api.routers.sessions' has no attribute 'get_sqlite_session_store'. Did you mean: 'get_session_store'?`
• `tests/api/test_memory_router.py::test_memory_router_refreshes_from_session`: same `get_sqlite_session_store` rename.
• `tests/api/test_settings_router.py::test_complete_tour_invalidates_runtime_caches`: `AttributeError: ... has no attribute 'TOUR_CACHE'`.
• `tests/services/test_path_service.py::test_memory_dir_migrates_*`: `get_memory_dir()` returns the project working dir instead of the monkeypatched tmp path.

None of those modules are in the diff for this PR — the change is scoped to `services/llm/` (new `ssl_utils.py` + 4 provider/adapter sites) and `services/embedding/` (4 adapter sites). Surfaces I touched stay green:

```
$ pytest tests/services/llm/ tests/services/embedding/ -q
187 passed in 1.41s
```

Looks like `tests/api/` and `tests/services/test_path_service.py` need their own follow-up; happy to file a separate issue if useful.