feat: add security header profile assignment to proxy hosts

Implement complete workflow for assigning security header profiles
to proxy hosts via dropdown selector in ProxyHostForm.

Backend Changes:
- Add security_header_profile_id handling to proxy host update endpoint
- Add SecurityHeaderProfile preloading in service layer
- Add 5 comprehensive tests for profile CRUD operations

Frontend Changes:
- Add Security Headers section to ProxyHostForm with dropdown
- Group profiles: System Profiles (presets) vs Custom Profiles
- Remove confusing "Apply" button from SecurityHeaders page
- Rename section to "System Profiles (Read-Only)" for clarity
- Show security score inline when profile selected

UX Improvements:
- Clear workflow: Select profile → Assign to host → Caddy applies
- No more confusion about what "Apply" does
- Discoverable security header assignment
- Visual distinction between presets and custom profiles

Tests: Backend 85.6%, Frontend 87.21% coverage
Docs: Updated workflows in docs/features.md

frontend/src/api/proxyHosts.ts

@@ -40,6 +40,15 @@ export interface ProxyHost {
   certificate_id?: number | null;
   certificate?: Certificate | null;
   access_list_id?: number | null;
+  security_header_profile_id?: number | null;
+  security_header_profile?: {
+    id: number;
+    uuid: string;
+    name: string;
+    description: string;
+    security_score: number;
+    is_preset: boolean;
+  } | null;
   created_at: string;
   updated_at: string;
 }