feat: ops-agent Fastify service met SSE, whitelist en systemd-unit

- ops-agent/: Node.js Fastify+TypeScript service
  - GET /agent/v1/health
  - POST /agent/v1/exec → SSE stream (stdout/stderr/exit events)
  - Whitelist geladen uit /etc/ops-agent/commands.yml bij opstart
  - Auth via Bearer shared secret (/etc/ops-agent/secret, mode 0640)
  - Vier standaard commando's: docker_ps, git_status, systemctl_status,
    caddy_show_config
- deploy/ops-agent/ops-agent.service: systemd-unit (User=ops-agent,
  Restart=on-failure, StandardOutput=journal)
- deploy/ops-agent/setup.sh: aanmaken system-user, build, deploy,
  systemctl enable --now ops-agent

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ops-agent/commands.yml.example

@@ -0,0 +1,21 @@
+# Whitelist of allowed commands for ops-agent.
+# Copy to /etc/ops-agent/commands.yml on the host.
+# Restart ops-agent after changes.
+
+commands:
+  docker_ps:
+    exec: "docker ps --format table"
+    description: "List running Docker containers"
+
+  git_status:
+    exec: "git -C /srv/ops status --short"
+    description: "Git status of the ops directory"
+
+  systemctl_status:
+    exec: "systemctl status"
+    args_allowed: []
+    description: "Show systemctl status (no args)"
+
+  caddy_show_config:
+    exec: "caddy fmt /etc/caddy/Caddyfile"
+    description: "Print the formatted Caddy config"