feat: add SSH agent auth and configurable sudo

[deevus]

Summary

• Add UseAgent and AgentSocket fields to SSHConfig for SSH agent authentication as an alternative to private key auth
• Add NoSudo field to skip the sudo prefix when the SSH user can run midclt directly
• Agent socket resolves from explicit config or SSH_AUTH_SOCK env var
• UseAgent and PrivateKey are mutually exclusive (validated)

Based on work by @f33rx in deevus/terraform-provider-truenas#5.

Closes #5

Test plan

• TestSSHConfig_Validate_AgentMode — valid agent config with explicit socket
• TestSSHConfig_Validate_AgentAndPrivateKeyMutuallyExclusive — rejects both set
• TestSSHConfig_Validate_AgentWithEnvSocket — falls back to SSH_AUTH_SOCK
• TestSSHConfig_Validate_AgentNoSocketAvailable — errors with no socket
• TestSSHConfig_Validate_PrivateKeyRequiredWithoutAgent — still requires key without agent
• TestSSHClient_SudoPrefix_Default / _NoSudo — prefix behavior
• TestSSHClient_Call_NoSudo — command string omits sudo
• TestSSHClient_CallAndWait_NoSudo — same for job calls
• All existing tests pass with race detector

🤖 Generated with Claude Code

[github-actions]

⬇️ Go test coverage decreased from 86.4% to 86.3% compared to c25763d

Updated Package Coverages:

# Package Name                        |  Prior |    New
- github.com/deevus/truenas-go/client |  88.9% |  88.8%

View coverage for all packages

# Package Name                                   | Coverage
+ github.com/deevus/truenas-go                   |    83.2%
+ github.com/deevus/truenas-go/api               |    87.5%
+ github.com/deevus/truenas-go/client            |    88.8%
+ github.com/deevus/truenas-go/cmd/featurematrix |    92.9%