feat(agent): per-agent direct-TLS cert client + HTTPS listener wiring

The agent obtains a valid wildcard cert for *.<hash>.agent.unarr.app from
the web broker (ACME DNS-01) so the https web player reaches it directly
over HTTPS instead of the CloudFlare funnel.

- internal/acme: generate EC P-256 key + CSR locally (private key never
  leaves the machine), fetch the signed chain from the broker, persist it
  atomically, NeedsIssue renewal check
- daemon: generate + persist a stable agent_hash in config.toml; register
  before requesting the cert (broker ownership check needs the row); arm
  the HTTPS listener with the cert; 6h renewal poll hot-swaps it (no restart)
- report httpsStreamPort + agentHash on register/sync
- stream_server: emit Access-Control-Allow-Private-Network on PNA preflight
  so an https page can reach the agent on loopback / LAN

internal/engine/stream_server.go

@@ -300,6 +300,16 @@ func (ss *StreamServer) writeCORSHeaders(w http.ResponseWriter, r *http.Request,
 	w.Header().Set("Access-Control-Allow-Origin", origin)
 	w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
 	w.Header().Set("Access-Control-Allow-Headers", "Range")
+	// Private Network Access: an https:// page (public) fetching this agent on a
+	// loopback/LAN address (private) triggers a PNA preflight carrying
+	// `Access-Control-Request-Private-Network: true`. Without echoing
+	// `Allow-Private-Network: true` Chrome blocks the request — so the
+	// loopback (127.0.0.1) + LAN-IP direct-play candidates would never connect
+	// from the production https player. Only emitted for already-allowlisted
+	// origins (above), so it widens nothing beyond the existing CORS trust.
+	if r.Header.Get("Access-Control-Request-Private-Network") == "true" {
+		w.Header().Set("Access-Control-Allow-Private-Network", "true")
+	}
 	if expose != "" {
 		w.Header().Set("Access-Control-Expose-Headers", expose)
 	}