refactor: model backend watch support as an optional capability

[abtreece]

Problem

The base backend interface requires all backends to implement watch behavior, even when the backend cannot actually watch.

Verified in:

• pkg/backends/client.go:26-32, where StoreClient requires WatchPrefix.
• pkg/backends/types/noop.go:8-16, where NoopWatcher is provided for polling-only backends.
• Multiple polling-only backends embed types.NoopWatcher, including ACM, DynamoDB, env, IMDS, Secrets Manager, SSM, and Vault.
• CLI commands manually reject watch mode for some backends, e.g. DynamoDB, SSM, ACM, Secrets Manager, and IMDS in cmd/confd/cli.go.

Why this is a problem

Watch support is a capability, not a universal backend operation. Requiring every backend to satisfy WatchPrefix blurs that capability boundary and spreads watch-support knowledge into CLI command handlers.

This also creates risk for per-resource backends. A resource can select a backend config independently, but the watch processor only sees a StoreClient, so unsupported watch behavior is represented as a blocking no-op rather than an explicit capability error.

Suggested refactor

Split the backend interfaces:

• Keep StoreClient focused on GetValues, HealthCheck, and Close.
• Add a separate Watcher interface with WatchPrefix.
• At watch-mode startup, validate that every relevant backend/resource client implements Watcher.
• Return clear errors when watch mode is requested with a non-watch-capable backend.

Acceptance criteria

• Polling-only backends no longer need to embed NoopWatcher.
• Watch support is checked through an explicit capability interface.
• Per-resource backend configs are validated for watch capability when running in watch mode.
• User-facing errors identify which backend/resource cannot watch.