feat(M35): dynamic target configuration with encrypted config, test connection, and GUI updates

Mirror M34's dynamic issuer config pattern for deployment targets: AES-256-GCM
encrypted config storage, sensitive field redaction in API responses, agent
heartbeat-based test connection endpoint, and full frontend updates including
test status indicators, source badges, and removal of stale hostname/status
fields from the Target interface.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/src/api/client.test.ts

@@ -36,6 +36,7 @@ import {
   getTargets,
   createTarget,
   deleteTarget,
+  testTargetConnection,
   getProfiles,
   getProfile,
   createProfile,
@@ -425,6 +426,14 @@ describe('API Client', () => {
       expect(url).toBe('/api/v1/targets/t-nginx');
       expect(init.method).toBe('DELETE');
     });
+
+    it('testTargetConnection sends POST', async () => {
+      mockFetch.mockReturnValueOnce(mockJsonResponse({ status: 'success', message: 'Agent is online' }));
+      await testTargetConnection('t-nginx');
+      const [url, init] = mockFetch.mock.calls[0];
+      expect(url).toBe('/api/v1/targets/t-nginx/test');
+      expect(init.method).toBe('POST');
+    });
   });
 
   // ─── Approval ──────────────────────────────────────