feat: M25 post-deployment TLS verification + M26 Traefik/Caddy targets

M25: After deploying a certificate, the agent probes the live TLS
endpoint and compares SHA-256 fingerprints to verify the correct cert
is being served. Best-effort — failures don't block deployments.
New endpoints: POST /jobs/{id}/verify, GET /jobs/{id}/verification.
Migration 000008 adds verification columns to jobs table.

M26: Traefik target connector (file provider, auto-reload) and Caddy
target connector (dual-mode: admin API hot-reload or file-based).
Both wired into agent dispatch.

Also: restructured README to highlight supported integrations (issuers,
targets, notifiers) earlier, moved API/CLI/MCP sections lower. Updated
all docs (features, connectors, architecture, testing guide, why-certctl)
and fixed integration tests for 18-param RegisterHandlers signature.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/domain/connector.go

@@ -75,9 +75,11 @@ const (
 type TargetType string
 
 const (
-	TargetTypeNGINX   TargetType = "NGINX"
-	TargetTypeApache  TargetType = "Apache"
-	TargetTypeHAProxy TargetType = "HAProxy"
-	TargetTypeF5      TargetType = "F5"
-	TargetTypeIIS     TargetType = "IIS"
+	TargetTypeNGINX    TargetType = "NGINX"
+	TargetTypeApache   TargetType = "Apache"
+	TargetTypeHAProxy  TargetType = "HAProxy"
+	TargetTypeF5       TargetType = "F5"
+	TargetTypeIIS      TargetType = "IIS"
+	TargetTypeTraefik  TargetType = "Traefik"
+	TargetTypeCaddy    TargetType = "Caddy"
 )