forge: auto-create a user + token per agent on spawn / startup

new forge module probes the hive-forge nixos-container (no-op when
absent), and ensures every agent + the manager has a forgejo user
named after them with an access token at `<state>/forge-token`
(visible inside the container as `/state/forge-token`).

idempotent: skips user creation when forgejo reports 'already
exists', skips token issuance when the file is present, scopes the
token to read:user,write:repository,write:issue. token-name suffixed
with a clock so re-issuing doesn't collide with a stale name. shells
out via `nixos-container run hive-forge -- runuser -u forgejo --
forgejo admin` (runuser instead of sudo since sudo isn't in the
container by default).

hooks: ensure_all sweeps existing containers at hive-c0re startup
(backgrounded), and the actions.rs spawn task calls ensure_user_for
the new agent right after lifecycle::spawn succeeds. failures log a
warning but don't abort spawn — a missing token is recoverable from
the next startup sweep.
müde 2026-05-16 20:55:13 +02:00
parent 6e9c67dd94
commit 480d646f69
3 changed files with 211 additions and 0 deletions
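The idempotent user-plus-token flow the commit message describes, as an added example that is not the hive-c0re forge module's own code: the forgejo CLI sits behind a `Runner` trait so a constructed stub (`FakeForge`) can stand in for `nixos-container run hive-forge -- runuser -u forgejo -- forgejo admin ...`, the token keeps the commit's scopes and clock-suffixed name, "already exists" from user creation is treated as success, and issuance is skipped when `<state>/forge-token` is present. The `forgejo admin user create` and `generate-access-token` flag names, the `@hive.invalid` placeholder address, and the helper names `ensure_user`, `ensure_token`, `ensure_user_for` and `FakeForge` are assumptions, not the project's.

```rust
// Added example, not hive-c0re's forge module: the idempotent "user + token per
// agent" routine from the commit message, with the forgejo CLI behind a trait.
use std::{fs, path::Path, time::{SystemTime, UNIX_EPOCH}};

/// Exit status plus captured streams of one shell-out (filled in by the runner).
pub struct CmdOutput { pub success: bool, pub stdout: String, pub stderr: String }

/// Stands in for `nixos-container run hive-forge -- runuser -u forgejo -- forgejo <args>`.
pub trait Runner {
    fn run(&mut self, args: &[String]) -> CmdOutput;
}

pub const TOKEN_SCOPES: &str = "read:user,write:repository,write:issue";

#[derive(Debug, PartialEq)]
pub enum UserState { Created, AlreadyExisted }

fn argv(parts: &[&str]) -> Vec<String> {
    parts.iter().map(|s| s.to_string()).collect()
}

/// Create the forgejo user; "already exists" counts as success so repeated
/// sweeps are harmless. Flag names are assumed from the forgejo admin CLI.
pub fn ensure_user(r: &mut dyn Runner, name: &str) -> Result<UserState, String> {
    let out = r.run(&argv(&[
        "admin", "user", "create", "--username", name, "--random-password",
        "--email", &format!("{name}@hive.invalid"), // placeholder address
    ]));
    if out.success {
        Ok(UserState::Created)
    } else if out.stderr.contains("already exists") {
        Ok(UserState::AlreadyExisted)
    } else {
        Err(format!("user create for {name} failed: {}", out.stderr.trim()))
    }
}

/// Issue a token only when `<state>/forge-token` is absent; returns true if one
/// was issued. The clock suffix keeps a re-issue from colliding with a stale name.
pub fn ensure_token(r: &mut dyn Runner, name: &str, state: &Path) -> Result<bool, String> {
    let path = state.join("forge-token");
    if path.exists() { return Ok(false); }
    let clock = SystemTime::now().duration_since(UNIX_EPOCH).map_err(|e| e.to_string())?.as_secs();
    let token_name = format!("hive-{name}-{clock}");
    let out = r.run(&argv(&[
        "admin", "user", "generate-access-token", "--username", name,
        "--token-name", &token_name, "--scopes", TOKEN_SCOPES, "--raw",
    ]));
    if !out.success {
        return Err(format!("token issue for {name} failed: {}", out.stderr.trim()));
    }
    let token = out.stdout.trim();
    if token.is_empty() { return Err(format!("forgejo printed no token for {name}")); }
    fs::create_dir_all(state).map_err(|e| e.to_string())?;
    // Temp file + rename so a crash never leaves a half-written credential behind.
    let tmp = state.join(".forge-token.tmp");
    fs::write(&tmp, token).map_err(|e| e.to_string())?;
    fs::rename(&tmp, &path).map_err(|e| e.to_string())?;
    Ok(true)
}

/// The per-agent hook the commit message calls `ensure_user_for`: user, then token.
pub fn ensure_user_for(r: &mut dyn Runner, name: &str, state: &Path) -> Result<(UserState, bool), String> {
    let user = ensure_user(r, name)?;
    Ok((user, ensure_token(r, name, state)?))
}

/// Constructed stub: remembers created users, answers "already exists" on a second
/// create, returns a deterministic token, and counts shell-outs.
pub struct FakeForge { pub users: Vec<String>, pub calls: usize }

impl Runner for FakeForge {
    fn run(&mut self, args: &[String]) -> CmdOutput {
        self.calls += 1;
        let name = args.iter().position(|a| a == "--username")
            .and_then(|i| args.get(i + 1)).cloned().unwrap_or_default();
        let reply = |success: bool, stdout: &str, stderr: &str| CmdOutput {
            success, stdout: stdout.to_string(), stderr: stderr.to_string(),
        };
        match args.get(2).map(String::as_str) {
            Some("create") if self.users.contains(&name) => {
                reply(false, "", &format!("user already exists [name: {name}]"))
            }
            Some("create") => { self.users.push(name); reply(true, "", "") }
            Some("generate-access-token") => reply(true, &format!("constructed-token-{name}\n"), ""),
            _ => reply(false, "", "unknown subcommand"),
        }
    }
}

fn main() {
    let mut forge = FakeForge { users: Vec::new(), calls: 0 };
    let state = std::env::temp_dir().join(format!("hive-forge-example-{}", std::process::id()));
    let first = ensure_user_for(&mut forge, "agent-a", &state).unwrap();
    let second = ensure_user_for(&mut forge, "agent-a", &state).unwrap();
    println!("first: {first:?}, second: {second:?}, shell-outs: {}", forge.calls);
    let _ = fs::remove_dir_all(&state);
}
```

The second call returns `(AlreadyExisted, false)` with one fewer shell-out than the first, and deleting the token file makes the next call issue a fresh token under a new clock-suffixed name while the old one stays valid in forgejo until revoked. The file holds a live credential, so in real use its mode and ownership must match the uid the agent runs as inside the container, and two concurrent callers (a startup sweep and a spawn hook) should be serialised per agent so they cannot both see the file absent and issue twice.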


@ -15,6 +15,7 @@ mod coordinator;
mod crash_watch;
mod dashboard;
mod events_vacuum;
mod forge;
mod lifecycle;
mod manager_server;
mod meta;
@ -134,6 +135,13 @@ async fn main() -> Result<()> {
tracing::warn!(error = ?e, "auto-update task failed");
}
});
// Forge user sweep: ensure every existing container has a
// forgejo user + access token. No-op when the hive-forge
// container isn't running. Backgrounded — touches the
// forge state dir via `nixos-container run` which is slow.
tokio::spawn(async move {
forge::ensure_all().await;
});
// Periodic broker vacuum: drop delivered messages older than
// 30 days. Undelivered messages are always kept (still in
// flight). Runs hourly; first sweep happens immediately.
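Review bot: the sweep spawned with `tokio::spawn(async move { forge::ensure_all().await; });` drops its JoinHandle and `ensure_all` returns nothing, so unlike the auto-update task just above it (whose failure path logs `tracing::warn!(error = ?e, "auto-update task failed")`), a panic or error inside the sweep leaves no trace in the logs; consider having `ensure_all` return a `Result` and logging it the same way. Also, the commit message says the spawn path calls `ensure_user_for` at the same time this background sweep runs, so both can observe `<state>/forge-token` absent for a freshly spawned agent and issue two tokens; the clock suffix keeps the names from colliding, but the token whose file gets overwritten stays valid in forgejo. Serialise the two paths per agent, or revoke the token that lost the race.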