feat(flows): add YAML flow format, flow-runner, and /agent/v1/flow endpoint

- ops-agent/src/lib/flow-runner.ts: loads YAML flows, validates all steps
  against the command whitelist, executes sequentially; supports dry_run
  (emits WOULD RUN lines) and on_failure: abort|continue per step
- ops-agent/src/routes/flow.ts: POST /agent/v1/flow { flow_key, dry_run }
  streams step_start/stdout/stderr/step_done/done SSE events
- ops-agent/src/index.ts: register flow route, add FLOWS_PATH env var
- ops-agent/flows.example/: three flow definitions — update_scrum4me_web,
  update_mcp_worker, update_caddy_config; deploy to /etc/ops-agent/flows/
- ops-agent/commands.yml.example: add curl_smoke_scrum4me_web and
  docker_compose_ps_worker smoke-test commands
- app/api/flows/run/route.ts: Next.js proxy — creates FlowRun/FlowStep
  DB records per step, forwards SSE stream to browser
- hooks/useFlowRun.ts: add startFlow(flowKey, dryRun) method; handle
  step_start events to display step headers in the terminal
- components/StreamingTerminal.tsx: add 'info' line type (sky-400) for
  step headers

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ops-agent/flows.example/update_caddy_config.yml

@@ -0,0 +1,22 @@
+# Reload Caddy after a config change.
+# Copy to /etc/ops-agent/flows/update_caddy_config.yml on the host.
+#
+# Assumes the new Caddyfile is already written to /srv/scrum4me/caddy/Caddyfile
+# (e.g. via the caddy_write_config command from the Ops Dashboard editor).
+#
+# Steps:
+#   1. Validate the Caddyfile
+#   2. Reload Caddy (zero-downtime config swap)
+#   3. Smoke-test HTTPS connectivity
+
+name: Update Caddy Config
+description: Validate and reload the Caddy configuration
+steps:
+  - command_key: caddy_validate
+    on_failure: abort
+
+  - command_key: caddy_reload
+    on_failure: abort
+
+  - command_key: curl_smoke_scrum4me_web
+    on_failure: continue

ops-agent/flows.example/update_mcp_worker.yml

@@ -0,0 +1,31 @@
+# Deploy the latest MCP worker image.
+# Copy to /etc/ops-agent/flows/update_mcp_worker.yml on the host.
+#
+# Steps:
+#   1. Fetch remote refs
+#   2. Fast-forward pull (aborts if working tree is dirty)
+#   3. Rebuild the Docker image
+#   4. Recreate the container in detached mode
+#   5. Verify the container is running
+
+name: Update MCP Worker
+description: Pull latest code, rebuild Docker image, and restart the MCP worker service
+steps:
+  - command_key: git_fetch
+    args: ["/srv/scrum4me"]
+    on_failure: abort
+
+  - command_key: git_pull
+    args: ["/srv/scrum4me"]
+    on_failure: abort
+
+  - command_key: docker_compose_build
+    args: ["worker-idea"]
+    on_failure: abort
+
+  - command_key: docker_compose_up
+    args: ["worker-idea"]
+    on_failure: abort
+
+  - command_key: docker_compose_ps_worker
+    on_failure: continue

ops-agent/flows.example/update_scrum4me_web.yml

@@ -0,0 +1,31 @@
+# Deploy the latest Scrum4Me web image.
+# Copy to /etc/ops-agent/flows/update_scrum4me_web.yml on the host.
+#
+# Steps:
+#   1. Fetch remote refs
+#   2. Fast-forward pull (aborts if working tree is dirty)
+#   3. Rebuild the Docker image
+#   4. Recreate the container in detached mode
+#   5. Smoke-test the public endpoint
+
+name: Update Scrum4Me Web
+description: Pull latest code, rebuild Docker image, and restart the Scrum4Me web service
+steps:
+  - command_key: git_fetch
+    args: ["/srv/scrum4me"]
+    on_failure: abort
+
+  - command_key: git_pull
+    args: ["/srv/scrum4me"]
+    on_failure: abort
+
+  - command_key: docker_compose_build
+    args: ["scrum4me-web"]
+    on_failure: abort
+
+  - command_key: docker_compose_up
+    args: ["scrum4me-web"]
+    on_failure: abort
+
+  - command_key: curl_smoke_scrum4me_web
+    on_failure: continue