feat(M38): SSH target connector for agentless deployment via SSH/SFTP

Adds a new target connector enabling certificate deployment to any
Linux/Unix server without installing the certctl agent binary. Uses the
proxy agent pattern — a single agent in the same network zone deploys
certs to remote servers over SSH/SFTP.

Key additions:
- SSH/SFTP connector with key auth (file/inline) + password auth
- Injectable SSHClient interface for cross-platform testing (25 tests)
- Shell injection prevention via validation.ValidateShellCommand()
- Configurable cert/key/chain paths with octal permissions
- GUI: 11 SSH config fields in target create wizard

Also fixes pre-existing frontend bug where all target type strings
(nginx, apache, etc.) were sent as lowercase but the backend expects
proper-case (NGINX, Apache, etc.), breaking GUI-created targets.
Adds missing TargetTypeSSH to validTargetTypes service map.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/service/target.go

@@ -24,6 +24,7 @@ var validTargetTypes = map[domain.TargetType]bool{
 	domain.TargetTypeEnvoy:   true,
 	domain.TargetTypePostfix: true,
 	domain.TargetTypeDovecot: true,
+	domain.TargetTypeSSH:     true,
 }
 
 // isValidTargetType checks if a type string is a known target type.