feat(agent): per-agent direct-TLS cert client + HTTPS listener wiring

The agent obtains a valid wildcard cert for *.<hash>.agent.unarr.app from
the web broker (ACME DNS-01) so the https web player reaches it directly
over HTTPS instead of the CloudFlare funnel.

- internal/acme: generate EC P-256 key + CSR locally (private key never
  leaves the machine), fetch the signed chain from the broker, persist it
  atomically, NeedsIssue renewal check
- daemon: generate + persist a stable agent_hash in config.toml; register
  before requesting the cert (broker ownership check needs the row); arm
  the HTTPS listener with the cert; 6h renewal poll hot-swaps it (no restart)
- report httpsStreamPort + agentHash on register/sync
- stream_server: emit Access-Control-Allow-Private-Network on PNA preflight
  so an https page can reach the agent on loopback / LAN

internal/agent/sync.go

@@ -165,17 +165,19 @@ func (sc *SyncClient) doSync(ctx context.Context) {
 
 func (sc *SyncClient) buildRequest() SyncRequest {
 	req := SyncRequest{
-		AgentID:     sc.cfg.AgentID,
-		Name:        sc.cfg.AgentName,
-		Version:     sc.cfg.Version,
-		OS:          runtime.GOOS,
-		Arch:        runtime.GOARCH,
-		DownloadDir: sc.cfg.DownloadDir,
-		StreamPort:  sc.cfg.StreamPort,
-		LanIP:       sc.cfg.LanIP,
-		TailscaleIP: sc.cfg.TailscaleIP,
-		CanDelete:   sc.cfg.CanDelete,
-		IsDocker:    RunningInDocker(),
+		AgentID:         sc.cfg.AgentID,
+		Name:            sc.cfg.AgentName,
+		Version:         sc.cfg.Version,
+		OS:              runtime.GOOS,
+		Arch:            runtime.GOARCH,
+		DownloadDir:     sc.cfg.DownloadDir,
+		StreamPort:      sc.cfg.StreamPort,
+		HTTPSStreamPort: sc.cfg.HTTPSStreamPort,
+		AgentHash:       sc.cfg.AgentHash,
+		LanIP:           sc.cfg.LanIP,
+		TailscaleIP:     sc.cfg.TailscaleIP,
+		CanDelete:       sc.cfg.CanDelete,
+		IsDocker:        RunningInDocker(),
 	}
 	if sc.GetTaskStates != nil {
 		req.Tasks = sc.GetTaskStates()