feat(sites): add per-server Sites CRUD

[fbarrento]

Summary

Adds the Sites resource under the server chain — $forge->server($id)->sites() / ->site($siteId). The most actively-managed Forge resource and the base for #8 Deployments.

• Data\Site output DTO with nested Data\SiteRepository + Data\SiteMaintenanceMode value objects
• Data\CreateSiteData (type required + common create surface), Data\UpdateSiteData (all optional), Data\ListSitesOptions
• Enums\SiteType, Enums\WwwRedirectType (input) and Enums\SiteStatus (output)
• Requests: GetSites, GetSite, CreateSite (POST), UpdateSite (PUT), DeleteSite
• Resources\SitesResource (all/iterate/create) and Resources\SiteResource (get / update[void] / delete)

Spec-vs-runtime findings (for docs/FINDINGS.md once #20-derived doc lands)

• Individual-site GET is server-less: /orgs/{org}/sites/{site}. The /servers/{server}/sites/{site} path only supports PUT/DELETE (GET there → 405).
• Create requires domain_mode (spec marks it optional); on-forge mode needs a single dotless subdomain name.
• Fresh sites return aliases / deployment_status / maintenance_mode.enabled as null despite required-non-null in spec — DTO loosened.
• PUT update returns 202 empty body → update() is void.
• Provisioning race: an on-forge site is briefly un-GET/PUT-able while installing. The lifecycle test waits on a live un-mocked connector before the individual-site routes (skipped on replay).

Test plan

• composer test — pint, rector, phpstan, 344 tests / 670 assertions, 100% coverage.
• Lifecycle test creates a real on-forge site, exercises update/list/get, then deletes — five fixtures recorded live, redacted (site/repository URLs, deployment_url token, healthcheck URL).

🤖 Generated with Claude Code