feat: per-endpoint SSH agent forwarding toggle #213

Merged: rado0x54 merged 4 commits into develop from feat/per-endpoint-agent-forward on May 17, 2026

Conversation

@rado0x54
Owner

Summary

Moves SSH agent forwarding from an account-wide setting to a per-endpoint setting so endpoints that disallow forwarding (e.g. AllowAgentForwarding no in sshd_config) can opt out without disabling forwarding everywhere. Matches the granularity already used for userVerification and description.

  • New endpoints.agent_forward column (defaults to true); migration 0007_endpoint_agent_forward backfills every existing endpoint to true and drops accounts.agent_forward.
  • New UI toggle inside the Add / Edit Endpoint modal (default on); list rows surface forward: on / forward: off next to the UV chip.
  • SshTransportFactory.create reads endpoint.agentForward directly — replaces the per-connect accountRepo.findById DB hop.
  • Seed config: seedAdminEndpoints[].agentForward is optional, defaults to true; the seed-export YAML only emits the field when false.
  • Removes the now-redundant Settings → General toggle, account.agentForward API surface, and the getAgentForward factory option.

Default-flip note

Existing deployments where the account-wide flag was off will, post-migration, have forwarding on for every endpoint. This is intentional — most endpoints allow forwarding and per-signature passkey approval bounds the blast radius — but users who previously turned the account-wide flag off may want to review and toggle off the specific endpoints where forwarding is genuinely disallowed.

Test plan

  • pnpm typecheck
  • pnpm lint
  • pnpm spdx:check
  • Unit suites: ssh-transport-factory, accounts route, endpoint-repo, terminal-manager, loader
  • Full integration suite (12 files / 131 tests) — agent-forward integration test now drives the flag via EndpointInfo
  • Manual UI: add a new endpoint (toggle defaults on), toggle off, verify badge flips, open a session and confirm forwarding behavior matches the toggle
  • Manual seed: export YAML with one off-endpoint, confirm agentForward: false is emitted; reseed against a fresh DB and confirm both states round-trip

@rado0x54 rado0x54 merged commit d2633b8 into develop May 17, 2026
16 checks passed
@rado0x54 rado0x54 deleted the feat/per-endpoint-agent-forward branch May 17, 2026 20:23
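
The default flip described in the PR summary above, as an added example (not code from this PR or the project): it models the stated backfill-to-true behaviour in memory and lists the endpoints an operator would review after migrating. The `accountId` and `host` fields, the snapshot shape and all sample data are assumptions.

```typescript
// Added example: only agentForward and the migration's backfill-to-true
// behaviour come from the PR text; accountId, host and the snapshot shape
// are assumptions made for illustration.
interface AccountSnapshot { id: string; agentForward: boolean } // pre-migration accounts.agent_forward
interface EndpointRow { id: string; accountId: string; host: string }
interface MigratedEndpoint extends EndpointRow { agentForward: boolean }
type Reason = "account-flag-was-off" | "account-not-in-snapshot";
interface ReviewItem { endpointId: string; host: string; reason: Reason }

// What the PR states the migration does: every existing endpoint becomes true.
function backfill(endpoints: EndpointRow[]): MigratedEndpoint[] {
  return endpoints.map((e) => ({ ...e, agentForward: true }));
}

// Endpoints whose effective setting changes from off to on, plus endpoints
// whose previous state cannot be determined from the snapshot.
function reviewList(accounts: AccountSnapshot[], endpoints: EndpointRow[]): ReviewItem[] {
  const before = new Map<string, boolean>();
  for (const a of accounts) before.set(a.id, a.agentForward);
  const items: ReviewItem[] = [];
  for (const e of backfill(endpoints)) {
    const was = before.get(e.accountId);
    if (was === true) continue; // forwarding was already on: nothing changed
    items.push({
      endpointId: e.id,
      host: e.host,
      reason: was === false ? "account-flag-was-off" : "account-not-in-snapshot",
    });
  }
  return items;
}

// Constructed sample data (not taken from the project).
const sampleAccounts: AccountSnapshot[] = [
  { id: "acct-1", agentForward: true },
  { id: "acct-2", agentForward: false },
];
const sampleEndpoints: EndpointRow[] = [
  { id: "ep-1", accountId: "acct-1", host: "build.example.internal" },
  { id: "ep-2", accountId: "acct-2", host: "bastion.example.internal" },
  { id: "ep-3", accountId: "acct-2", host: "db.example.internal" },
  { id: "ep-4", accountId: "acct-9", host: "legacy.example.internal" },
];

console.log(reviewList(sampleAccounts, sampleEndpoints));
```

The account snapshot has to be taken before the migration runs, because the PR states that the migration drops accounts.agent_forward.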