feat(M46): Windows Certificate Store + Java Keystore target connectors, shared certutil package

Extract shared certutil helpers (CreatePFX, ParsePrivateKey, ComputeThumbprint,
GenerateRandomPassword, ParseCertificatePEM) from IIS connector for reuse.
Add WinCertStore connector (PowerShell Import-PfxCertificate, dual local/WinRM
mode, configurable store/location, expired cert cleanup) and JavaKeystore
connector (PEM→PKCS#12→keytool pipeline, JKS/PKCS12 support, shell injection
prevention, path traversal protection). 53 new tests, all passing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/src/pages/TargetDetailPage.tsx

@@ -22,6 +22,8 @@ const typeLabels: Record<string, string> = {
   Postfix: 'Postfix',
   Dovecot: 'Dovecot',
   SSH: 'SSH',
+  WinCertStore: 'Windows Cert Store',
+  JavaKeystore: 'Java Keystore',
 };
 
 function InfoRow({ label, value }: { label: string; value: React.ReactNode }) {
@@ -229,7 +231,7 @@ export default function TargetDetailPage() {
             {target.config && Object.keys(target.config).length > 0 ? (
               <div className="space-y-0">
                 {Object.entries(target.config).map(([key, val]) => {
-                  const sensitiveKeys = ['password', 'secret', 'token', 'key', 'winrm_password'];
+                  const sensitiveKeys = ['password', 'secret', 'token', 'key', 'winrm_password', 'keystore_password'];
                   const isSensitive = sensitiveKeys.some(s => key.toLowerCase().includes(s));
                   const displayVal = isSensitive && val ? '********' : String(val);
                   return (