agent flake.nix: forward inputs as flakeInputs module arg

new boilerplate wraps agent.nix as a sub-module + passes every
flake input (minus self) through to it via _module.args.flake
Inputs. manager edits the inputs block of flake.nix to pull in
out-of-tree flakes (MCP servers etc.) and references them in
agent.nix as flakeInputs.<name>.packages.${pkgs.system}.default
— the new input's pinned sha lands in the agent's own flake
.lock (already tracked + part of the proposal flow), and
transitively rolls up into meta's lock.

migrate's MODULE_FLAKE_MARKER swaps to _module.args.flakeInputs
so existing agents on the old 'nixosModules.default = import
./agent.nix' template get re-rendered onto the new shape on
next hive-c0re start.

manager_server's flake.nix tamper-check goes away — the build
path's failed/<id> annotated tag already provides the safety
net when a manager edit breaks the flake; enforcing 'no
flake.nix edits at all' was overly strict (blocks the inputs-
addition pattern that's the whole point of this change).

manager prompt updated with a worked example for adding an
MCP-server flake input + wiring it through agent.nix.

hive-c0re/src/migrate.rs

@@ -37,7 +37,12 @@ fn repoint_marker() -> PathBuf {
     PathBuf::from("/var/lib/hyperhive/.meta-migration-done")
 }
 
-const MODULE_FLAKE_MARKER: &str = "nixosModules.default = import ./agent.nix";
+/// Substring that identifies the *current* agent flake boilerplate.
+/// Bumped whenever the template changes so the startup migration
+/// re-renders existing agents onto the new shape. Today the marker
+/// is the `flakeInputs` module-arg forwarding line — older templates
+/// (raw `import ./agent.nix`) get rewritten on next hive-c0re start.
+const MODULE_FLAKE_MARKER: &str = "_module.args.flakeInputs";
 
 pub async fn run(coord: &Arc<Coordinator>) -> Result<()> {
     if std::env::var(KILL_SWITCH).is_ok() {