feat(flows): add update_caddy_config flow with validate, reload/force-restart, and smoke test

- Update flows.example/update_caddy_config.yml with caddy_validate → caddy_reload → smoke test steps and hostname comments
- Add flows.example/update_caddy_config_force.yml for docker compose hard restart variant
- Add /flows/update-caddy-config UI page with reload/force-restart toggle, dry-run mode showing pending Caddyfile preview, hostname detection, and audit log link

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ops-agent/flows.example/update_caddy_config.yml

@@ -1,16 +1,34 @@
-# Reload Caddy after a config change.
+# Validate and reload the Caddy configuration (zero-downtime).
 # Copy to /etc/ops-agent/flows/update_caddy_config.yml on the host.
 #
-# Assumes the new Caddyfile is already written to /srv/scrum4me/caddy/Caddyfile
-# (e.g. via the caddy_write_config command from the Ops Dashboard editor).
+# Prerequisites:
+#   - The new Caddyfile must already be written to /srv/scrum4me/caddy/Caddyfile
+#     (e.g. via the Caddy editor in the Ops Dashboard, or edited by hand).
 #
 # Steps:
-#   1. Validate the Caddyfile
-#   2. Reload Caddy (zero-downtime config swap)
-#   3. Smoke-test HTTPS connectivity
+#   1. Validate the Caddyfile syntax (caddy validate)
+#   2. Reload Caddy via its admin API — zero-downtime config swap
+#   3. Smoke-test public hostnames: curl -I, expect 200/301/308/401
+#
+# For a hard container restart instead of a graceful reload, use
+# update_caddy_config_force.yml (needed after port/TLS listener changes).
+#
+# Smoke-test commands must be registered in commands.yml.
+# Add one curl_smoke_<name> entry per public hostname. Example:
+#
+#   curl_smoke_scrum4me_web:
+#     cmd: ["curl", "-sI", "--max-time", "10", "https://scrum4me.example.com/api/health"]
+#     description: "Smoke test scrum4me-web HTTPS endpoint"
+#
+# Then add one step per hostname below:
+#
+#   - command_key: curl_smoke_scrum4me_web
+#     on_failure: continue
+#   - command_key: curl_smoke_other_site
+#     on_failure: continue
 
 name: Update Caddy Config
-description: Validate and reload the Caddy configuration
+description: Validate the Caddyfile and reload Caddy (zero-downtime via admin API)
 steps:
   - command_key: caddy_validate
     on_failure: abort
@@ -18,5 +36,8 @@ steps:
   - command_key: caddy_reload
     on_failure: abort
 
+  # Add one smoke-test step per public hostname served by Caddy.
+  # Accepted exit codes: 0 (200/301/308) or 22 (4xx, use --fail to control).
+  # on_failure: continue keeps the flow going even if a hostname is temporarily slow.
   - command_key: curl_smoke_scrum4me_web
     on_failure: continue

ops-agent/flows.example/update_caddy_config_force.yml

@@ -0,0 +1,27 @@
+# Validate the Caddyfile and recreate the Caddy container (hard restart).
+# Copy to /etc/ops-agent/flows/update_caddy_config_force.yml on the host.
+#
+# Use this flow instead of update_caddy_config.yml when a graceful reload
+# is insufficient — e.g. after adding a new TLS listener, changing ports,
+# or updating the Docker image itself.
+#
+# Steps:
+#   1. Validate the Caddyfile syntax (caddy validate)
+#   2. Recreate the Caddy container via docker compose (hard restart)
+#   3. Smoke-test public hostnames: curl -I, expect 200/301/308/401
+#
+# See update_caddy_config.yml for instructions on registering smoke-test
+# commands in commands.yml.
+
+name: Update Caddy Config (Force Restart)
+description: Validate the Caddyfile and recreate the Caddy container via docker compose
+steps:
+  - command_key: caddy_validate
+    on_failure: abort
+
+  - command_key: caddy_compose_restart
+    on_failure: abort
+
+  # Add one smoke-test step per public hostname served by Caddy.
+  - command_key: curl_smoke_scrum4me_web
+    on_failure: continue