Phase B: Agent registers routes with mc-proxy on deploy

The agent connects to mc-proxy via Unix socket and automatically
registers/removes routes during deploy and stop. This eliminates
manual mcproxyctl usage or TOML editing.

- New ProxyRouter abstraction wraps mc-proxy client library
- Deploy: after container starts, registers routes with mc-proxy
  using host ports from the registry
- Stop: removes routes from mc-proxy before stopping container
- Config: [mcproxy] section with socket path and cert_dir
- Nil-safe: if mc-proxy socket not configured, route registration
  is silently skipped (backward compatible)
- L7 routes use certs from convention path (<cert_dir>/<service>.pem)
- L4 routes use TLS passthrough (backend_tls=true)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/agent/deploy.go

@@ -146,6 +146,16 @@ func (a *Agent) deployComponent(ctx context.Context, serviceName string, cs *mcp
 		}
 	}
 
+	// Register routes with mc-proxy after the container is running.
+	if len(regRoutes) > 0 && a.Proxy != nil {
+		hostPorts, err := registry.GetRouteHostPorts(a.DB, serviceName, compName)
+		if err != nil {
+			a.Logger.Warn("failed to get host ports for route registration", "service", serviceName, "component", compName, "err", err)
+		} else if err := a.Proxy.RegisterRoutes(ctx, serviceName, regRoutes, hostPorts); err != nil {
+			a.Logger.Warn("failed to register routes with mc-proxy", "service", serviceName, "component", compName, "err", err)
+		}
+	}
+
 	if err := registry.UpdateComponentState(a.DB, serviceName, compName, "running", "running"); err != nil {
 		a.Logger.Warn("failed to update component state", "service", serviceName, "component", compName, "err", err)
 	}