meta: new hive-c0re module owns /var/lib/hyperhive/meta/

leaf module with no runtime callers yet (every public item is
#[allow(dead_code)] until lifecycle / actions / auto_update
rewire to use it). API surface:

- sync_agents — idempotent: render flake.nix for the given
  agent set, git-init on first call, nix flake lock, commit if
  anything changed.
- prepare_deploy / finalize_deploy / abort_deploy — two-phase
  for the request_apply_commit path. prepare runs nix flake
  lock --update-input agent-<n> without committing; finalize
  commits with a 'deploy <n> deployed/<id> <sha12>' message;
  abort git-restores the lock so a failed build leaves no
  orphan commit.
- lock_update_hyperhive — one-shot for the auto-update path.

flake.nix template defines mkAgent that pulls each agent's
nixosModules.default from its input and wraps with the
identity / HIVE_PORT / HIVE_LABEL / HIVE_DASHBOARD_PORT
module — what setup_applied used to generate inline. nix
invocations carry --extra-experimental-features as a belt
in case flakes aren't enabled in nix.conf.
müde 2026-05-16 00:22:37 +02:00
parent 5b5a93e0c6
commit 92822efe16
3 changed files with 265 additions and 2 deletions

@ -396,8 +396,8 @@ fn initial_agent_nix(name: &str) -> String {
/// Module-only flake exposed by every agent's repo. Consumed by the
/// hive-c0re-owned meta flake at `/var/lib/hyperhive/meta/` as a flake
/// input. Identity injection (HIVE_PORT / HIVE_LABEL / dashboard port /
/// git committer) lives in the meta flake's wrapper, not here.
/// input. Identity injection (`HIVE_PORT` / `HIVE_LABEL` / dashboard
/// port / git committer) lives in the meta flake's wrapper, not here.
fn initial_flake_nix() -> &'static str {
"{\n description = \"hyperhive agent\";\n inputs = { };\n outputs = { self }: {\n nixosModules.default = import ./agent.nix;\n };\n}\n"
}
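
Review bot: the reworded doc comment above initial_flake_nix backticks `HIVE_PORT` and `HIVE_LABEL` but still writes the third item as the prose "dashboard port", while the commit message names the variable HIVE_DASHBOARD_PORT. Spell it as `HIVE_DASHBOARD_PORT` here too, so a grep for the variable finds the place that documents where identity injection lives. The commit message also does not mention this doc-only touch to an existing function, so a line noting it would help anyone reading the history. Separately, and outside this change, the template returned by initial_flake_nix is a single escaped literal with embedded \n and \" sequences; a raw string would make the generated flake.nix reviewable at a glance, which matters since the meta flake consumes this file as an input.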