feat(deploy): add sudoers config + setup.sh integration for systemctl_restart

/etc/sudoers.d/ops-agent grants NOPASSWD to ops-agent for the exact
systemctl restart invocations whitelisted in commands.yml.
setup.sh installs and validates it via visudo -c.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

deploy/ops-agent/setup.sh

@@ -46,6 +46,10 @@ chmod 0640 "${CONFIG_DIR}/secret"
 echo "==> Installing systemd unit"
 cp "${REPO_DIR}/deploy/ops-agent/ops-agent.service" "${SERVICE_FILE}"
 
+echo "==> Installing sudoers config"
+install -m 0440 -o root -g root "${REPO_DIR}/deploy/ops-agent/sudoers" /etc/sudoers.d/ops-agent
+visudo -c -f /etc/sudoers.d/ops-agent
+
 echo "==> Enabling and starting ops-agent"
 systemctl daemon-reload
 systemctl enable --now ops-agent