feat(agent): per-agent direct-TLS cert client + HTTPS listener wiring

The agent obtains a valid wildcard cert for *.<hash>.agent.unarr.app from
the web broker (ACME DNS-01) so the https web player reaches it directly
over HTTPS instead of the CloudFlare funnel.

- internal/acme: generate EC P-256 key + CSR locally (private key never
  leaves the machine), fetch the signed chain from the broker, persist it
  atomically, NeedsIssue renewal check
- daemon: generate + persist a stable agent_hash in config.toml; register
  before requesting the cert (broker ownership check needs the row); arm
  the HTTPS listener with the cert; 6h renewal poll hot-swaps it (no restart)
- report httpsStreamPort + agentHash on register/sync
- stream_server: emit Access-Control-Allow-Private-Network on PNA preflight
  so an https page can reach the agent on loopback / LAN

internal/config/config.go

@@ -37,6 +37,11 @@ type AuthConfig struct {
 type AgentConfig struct {
 	ID   string `toml:"id"`
 	Name string `toml:"name"`
+	// Hash is a stable high-entropy label (hex) for the per-agent direct-TLS
+	// feature. Distinct from ID (a UUID that could be guessed/enumerated): the
+	// cert broker issues *.<hash>.agent.unarr.app and the web encodes the agent's
+	// IP into a hostname under that wildcard. Generated + persisted on first run.
+	Hash string `toml:"agent_hash,omitempty"`
 }
 
 type DownloadConfig struct {