Phase B: Agent registers routes with mc-proxy on deploy

The agent connects to mc-proxy via Unix socket and automatically
registers/removes routes during deploy and stop. This eliminates
manual mcproxyctl usage or TOML editing.

- New ProxyRouter abstraction wraps mc-proxy client library
- Deploy: after container starts, registers routes with mc-proxy
  using host ports from the registry
- Stop: removes routes from mc-proxy before stopping container
- Config: [mcproxy] section with socket path and cert_dir
- Nil-safe: if mc-proxy socket not configured, route registration
  is silently skipped (backward compatible)
- L7 routes use certs from convention path (<cert_dir>/<service>.pem)
- L4 routes use TLS passthrough (backend_tls=true)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/agent/agent.go

@@ -32,6 +32,7 @@ type Agent struct {
 	Monitor   *monitor.Monitor
 	Logger    *slog.Logger
 	PortAlloc *PortAllocator
+	Proxy     *ProxyRouter
 }
 
 // Run starts the agent: opens the database, sets up the gRPC server with
@@ -51,6 +52,11 @@ func Run(cfg *config.AgentConfig) error {
 
 	mon := monitor.New(db, rt, cfg.Monitor, cfg.Agent.NodeName, logger)
 
+	proxy, err := NewProxyRouter(cfg.MCProxy.Socket, cfg.MCProxy.CertDir, logger)
+	if err != nil {
+		return fmt.Errorf("connect to mc-proxy: %w", err)
+	}
+
 	a := &Agent{
 		Config:    cfg,
 		DB:        db,
@@ -58,6 +64,7 @@ func Run(cfg *config.AgentConfig) error {
 		Monitor:   mon,
 		Logger:    logger,
 		PortAlloc: NewPortAllocator(),
+		Proxy:     proxy,
 	}
 
 	tlsCert, err := tls.LoadX509KeyPair(cfg.Server.TLSCert, cfg.Server.TLSKey)
@@ -108,6 +115,7 @@ func Run(cfg *config.AgentConfig) error {
 		logger.Info("shutting down")
 		mon.Stop()
 		server.GracefulStop()
+		_ = proxy.Close()
 		return nil
 	case err := <-errCh:
 		mon.Stop()