feat(M35): dynamic target configuration with encrypted config, test connection, and GUI updates

Mirror M34's dynamic issuer config pattern for deployment targets: AES-256-GCM
encrypted config storage, sensitive field redaction in API responses, agent
heartbeat-based test connection endpoint, and full frontend updates including
test status indicators, source badges, and removal of stale hostname/status
fields from the Target interface.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

migrations/000010_target_config.down.sql

@@ -0,0 +1,5 @@
+-- Rollback migration 000010: Remove dynamic target configuration columns
+ALTER TABLE deployment_targets DROP COLUMN IF EXISTS encrypted_config;
+ALTER TABLE deployment_targets DROP COLUMN IF EXISTS last_tested_at;
+ALTER TABLE deployment_targets DROP COLUMN IF EXISTS test_status;
+ALTER TABLE deployment_targets DROP COLUMN IF EXISTS source;

migrations/000010_target_config.up.sql

@@ -0,0 +1,16 @@
+-- Migration 000010: Add dynamic target configuration columns
+-- Supports M35: Dynamic Target Configuration (GUI)
+
+-- encrypted_config stores AES-GCM encrypted config blob containing all fields including secrets.
+-- The existing `config` JSONB column is retained for backward compatibility and holds a redacted copy.
+ALTER TABLE deployment_targets ADD COLUMN IF NOT EXISTS encrypted_config BYTEA;
+
+-- last_tested_at tracks when the target connection was last tested (agent heartbeat check).
+ALTER TABLE deployment_targets ADD COLUMN IF NOT EXISTS last_tested_at TIMESTAMPTZ;
+
+-- test_status tracks the latest connection test result.
+ALTER TABLE deployment_targets ADD COLUMN IF NOT EXISTS test_status TEXT NOT NULL DEFAULT 'untested';
+
+-- source tracks where the target configuration originated from.
+-- 'database' = created via GUI, 'env' = seeded from environment variables.
+ALTER TABLE deployment_targets ADD COLUMN IF NOT EXISTS source TEXT NOT NULL DEFAULT 'database';