P2.2-P2.9, P3.2-P3.10, P4.1-P4.3: Complete Phases 2, 3, and 4

11 work units built in parallel and merged:

Agent handlers (Phase 2):
- P2.2 Deploy: pull images, stop/remove/run containers, update registry
- P2.3 Lifecycle: stop/start/restart with desired_state tracking
- P2.4 Status: list (registry), live check (runtime), get status (drift+events)
- P2.5 Sync: receive desired state, reconcile unmanaged containers
- P2.6 File transfer: push/pull scoped to /srv/<service>/, path validation
- P2.7 Adopt: match <service>-* containers, derive component names
- P2.8 Monitor: continuous watch loop, drift/flap alerting, event pruning
- P2.9 Snapshot: VACUUM INTO database backup command

CLI commands (Phase 3):
- P3.2 Login, P3.3 Deploy, P3.4 Stop/Start/Restart
- P3.5 List/Ps/Status, P3.6 Sync, P3.7 Adopt
- P3.8 Service show/edit/export, P3.9 Push/Pull, P3.10 Node list/add/remove

Deployment artifacts (Phase 4):
- Systemd units (agent service + backup timer)
- Example configs (CLI + agent)
- Install script (idempotent)

All packages: build, vet, lint (0 issues), test (all pass).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy/examples/mcp-agent.toml

@@ -0,0 +1,91 @@
+# MCP Agent configuration
+#
+# Default location: /srv/mcp/mcp-agent.toml
+# Override with: mcp-agent server --config /path/to/mcp-agent.toml
+
+# ------------------------------------------------------------------
+# gRPC server
+# ------------------------------------------------------------------
+[server]
+# Listen address for the gRPC server. Bind to the overlay network
+# interface only -- the agent does not sit behind mc-proxy.
+# Env override: MCP_AGENT_SERVER_GRPC_ADDR
+grpc_addr = "100.95.252.120:9444"
+
+# TLS certificate and private key for the gRPC server. The certificate
+# should be issued by the Metacrypt CA and valid for the overlay IP.
+# Env overrides: MCP_AGENT_SERVER_TLS_CERT, MCP_AGENT_SERVER_TLS_KEY
+tls_cert = "/srv/mcp/certs/mcp-agent.crt"
+tls_key  = "/srv/mcp/certs/mcp-agent.key"
+
+# ------------------------------------------------------------------
+# Database
+# ------------------------------------------------------------------
+[database]
+# Path to the SQLite database. The agent stores desired state, observed
+# state, deployed specs, and events here. WAL mode, foreign keys on.
+# Env override: MCP_AGENT_DATABASE_PATH
+path = "/srv/mcp/mcp.db"
+
+# ------------------------------------------------------------------
+# MCIAS authentication
+# ------------------------------------------------------------------
+[mcias]
+# URL of the MCIAS server used to validate bearer tokens from the CLI.
+server_url = "https://mcias.svc.mcp.metacircular.net:8443"
+
+# Path to the CA certificate that signed the MCIAS TLS certificate.
+# If empty, the system trust store is used.
+ca_cert = "/usr/local/share/ca-certificates/metacircular-ca.crt"
+
+# Service name presented to MCIAS during token validation. Must match
+# a service registered in MCIAS.
+service_name = "mcp"
+
+# ------------------------------------------------------------------
+# Agent settings
+# ------------------------------------------------------------------
+[agent]
+# Unique name for this node. Must match the name used in [[nodes]]
+# entries in the CLI config.
+# Env override: MCP_AGENT_NODE_NAME
+node_name = "rift"
+
+# Container runtime binary. Currently only "podman" is supported.
+# Env override: MCP_AGENT_CONTAINER_RUNTIME
+container_runtime = "podman"
+
+# ------------------------------------------------------------------
+# Monitoring
+# ------------------------------------------------------------------
+[monitor]
+# How often the monitor checks container state against desired state.
+# Default: 60s
+interval = "60s"
+
+# Command to execute when an alert fires. Uses exec-style invocation
+# (argv array, no shell). The alert message is passed as the final
+# argument. Omit to disable alerting.
+# alert_command = ["/usr/local/bin/notify", "--channel", "ops"]
+
+# Minimum time between repeated alerts for the same condition.
+# Default: 15m
+cooldown = "15m"
+
+# Number of state transitions within flap_window that triggers a
+# flapping alert. Default: 3
+flap_threshold = 3
+
+# Time window for flap detection. Default: 10m
+flap_window = "10m"
+
+# How long to retain event records in the database. Default: 30d
+retention = "30d"
+
+# ------------------------------------------------------------------
+# Logging
+# ------------------------------------------------------------------
+[log]
+# Log level: debug, info, warn, error. Default: info
+# Env override: MCP_AGENT_LOG_LEVEL
+level = "info"