feat(M47): add Kubernetes Secrets target + AWS ACM PCA issuer connectors

Implement both M47 connectors with full cross-layer wiring:

Kubernetes Secrets target: DNS-1123 validation, kubernetes.io/tls Secret
create-or-update, chain concatenation, serial number validation, Helm
RBAC gating. 18 tests.

AWS ACM Private CA issuer: synchronous issuance (like Vault), ARN regex
validation, RFC 5280 revocation reason mapping, CA cert retrieval,
factory + env var seeding. 23 tests.

Cross-cutting: domain types, service validation, config, factory, agent
dispatch, frontend (TargetsPage, issuerTypes), OpenAPI, seed data, Helm
chart, connectors docs, README. Testing docs (testing-guide, qa-test-guide,
qa_test.go) with Parts thematically integrated near related connectors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/src/config/issuerTypes.ts

@@ -154,6 +154,19 @@ export const issuerTypes: IssuerTypeConfig[] = [
       { key: 'ttl', label: 'Default TTL', required: false, placeholder: '8760h' },
     ],
   },
+  {
+    id: 'AWSACMPCA',
+    name: 'AWS ACM Private CA',
+    description: 'AWS Certificate Manager Private Certificate Authority \u2014 managed private CA on AWS',
+    icon: '\u2601\uFE0F',
+    configFields: [
+      { key: 'region', label: 'AWS Region', required: true, placeholder: 'us-east-1' },
+      { key: 'ca_arn', label: 'CA ARN', required: true, placeholder: 'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/...' },
+      { key: 'signing_algorithm', label: 'Signing Algorithm', required: false, type: 'select', options: ['SHA256WITHRSA', 'SHA384WITHRSA', 'SHA512WITHRSA', 'SHA256WITHECDSA', 'SHA384WITHECDSA', 'SHA512WITHECDSA'], defaultValue: 'SHA256WITHRSA' },
+      { key: 'validity_days', label: 'Validity (days)', required: false, type: 'number', placeholder: '365' },
+      { key: 'template_arn', label: 'Template ARN (optional)', required: false, placeholder: 'arn:aws:acm-pca:...:template/...' },
+    ],
+  },
   {
     id: 'entrust',
     name: 'Entrust',