feat(M47): add Kubernetes Secrets target + AWS ACM PCA issuer connectors

Implement both M47 connectors with full cross-layer wiring:

Kubernetes Secrets target: DNS-1123 validation, kubernetes.io/tls Secret
create-or-update, chain concatenation, serial number validation, Helm
RBAC gating. 18 tests.

AWS ACM Private CA issuer: synchronous issuance (like Vault), ARN regex
validation, RFC 5280 revocation reason mapping, CA cert retrieval,
factory + env var seeding. 23 tests.

Cross-cutting: domain types, service validation, config, factory, agent
dispatch, frontend (TargetsPage, issuerTypes), OpenAPI, seed data, Helm
chart, connectors docs, README. Testing docs (testing-guide, qa-test-guide,
qa_test.go) with Parts thematically integrated near related connectors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/domain/connector.go

@@ -81,6 +81,7 @@ const (
 	IssuerTypeDigiCert  IssuerType = "DigiCert"
 	IssuerTypeSectigo   IssuerType = "Sectigo"
 	IssuerTypeGoogleCAS IssuerType = "GoogleCAS"
+	IssuerTypeAWSACMPCA IssuerType = "AWSACMPCA"
 )
 
 // TargetType represents the type of deployment target.
@@ -97,7 +98,8 @@ const (
 	TargetTypeEnvoy    TargetType = "Envoy"
 	TargetTypePostfix  TargetType = "Postfix"
 	TargetTypeDovecot  TargetType = "Dovecot"
-	TargetTypeSSH          TargetType = "SSH"
-	TargetTypeWinCertStore TargetType = "WinCertStore"
-	TargetTypeJavaKeystore TargetType = "JavaKeystore"
+	TargetTypeSSH               TargetType = "SSH"
+	TargetTypeWinCertStore      TargetType = "WinCertStore"
+	TargetTypeJavaKeystore      TargetType = "JavaKeystore"
+	TargetTypeKubernetesSecrets TargetType = "KubernetesSecrets"
 )