feat: virtual demo endpoints + Settings UX overhaul (closes #211)

[rado0x54]

Closes #211.

Summary

• Adds demoEndpoints config — virtual, config-only endpoints merged into every account's endpoint list, gated by a per-account showDemoEndpoints toggle (default on).
• Trims onboarding to 3 steps (Welcome → Passkey → Notifications); users land in the app and see demo endpoints immediately.
• Consolidates per-integration help into a new collapsible Settings → Setup tab and aligns the primary-action affordances across all Settings pages.
• Renames Settings → Keys to Passkeys; file-based SSH keys split into a separate admin-only Other SSH Keys tab.
• Demo endpoints are exposed to MCP agents (list, read, connect), and operator-supplied descriptions flow through to the MCP list_endpoints response.

What's in

Demo endpoints

• New demoEndpoints config block (same shape as seedAdminEndpoints, plus optional description).
• Virtual / config-only — never copied into the endpoints table; merged into GET /api/endpoints at read time via stable demo:<hash> ids.
• New accounts.show_demo_endpoints column (migration 0008_demo_endpoints_support); default on for everyone.
• /api/auth/me returns showDemoEndpoints + demoEndpointsAvailable so the UI hides the whole Demo section on deployments with no demo entries configured.
• Mutation endpoints reject demo:* ids (REST + MCP) with a clear "read-only" error.
• Audit log relies on the existing no-FK design — demo session rows resolve labels at read time from the merged live list.
• seedAdminEndpoints also gains the optional description field, plumbed through to the seed insert.

MCP integration

• AgentSession.listEndpoints() merges demo entries when the account's toggle is on.
• AgentSession.createSession() resolves demo:* ids via the synthesizer, so agents can open demo sessions.
• shellwatch_manage_endpoints list/read merge demo entries (list gated by toggle; read works regardless so a known id stays resolvable); create/update/delete refuse demo:* ids.

Onboarding

• Stripped Server Setup, Endpoints, MCP/API key, and Advanced steps.

Settings → Setup tab (new)

• Five collapsible cards: SSH Server, Endpoint Setup, MCP Client, ShellWatch Agent, ShellWatch PAM. Each carries a brief explanation and minimum-step setup; Endpoint Setup includes a full field reference (Label / Address / Description / UV / Agent Forwarding) with an explicit callout on the Description's role for MCP agents.
• Docs footer links to docs.shellwatch.ai. Agent install link points at the agent/v* release stream on GitHub.
• MCP URL renders the actual origin. Notes OpenSSH 10.3+ client requirement for the agent flow.

Settings → Passkeys (renamed from Keys)

• File-based SSH keys split into a separate admin-only Other SSH Keys tab (only visible when admin AND has file keys registered).

Add Endpoint

• When the user has no own endpoints, the modal prepends a Server Setup wizard step (sshd config + their actual passkey's authorized_keys line, scoped with the real account name).
• Address input shows a gray shellwatch@ prefix + yellow warning on blur when no user was typed; both disappear on focus.
• formatEndpointAddress always renders the username (even the default shellwatch) so the wire-level user is unambiguous in the UI.

Aligned action affordances

• Add passkey / Add Endpoint / Generate API Key all live below their lists, left-aligned (.register-section pattern).
• Generate API Key now opens a two-stage modal: form (label + scopes) → key reveal (copy once).

Sidebar

• Demo endpoints get a demo signal-chip below the label, reusing the global .badge convention (6px accent-colored dot + lowercase text).

Out of scope (decided)

• Per-endpoint key-delivery mechanism — withdrawn after the design conversation. The demo container handles auth via blanket-allow on a private Docker network + ForceCommand pinning. The feat /demo/authorized-keys and its revert commit in this branch document that decision.

Test plan

• pnpm typecheck, pnpm check:svelte, pnpm lint, pnpm spdx:check clean
• pnpm test — 336 unit tests pass (was 330)
• pnpm test:integration — 138 integration tests pass (was 131)
• New: src/test/integration/demo-endpoints-flow.test.ts — REST merge (toggle on/off), PUT/DELETE rejection on demo:*, POST /api/sessions opens demo regardless of toggle, 404 on unknown demo id.
• New: extended src/mcp/server.test.ts — MCP list merges/excludes per toggle, read resolves demo regardless, create/update/delete reject demo:*.
• Manual: walk register flow as a new user — 3 steps, lands in app, sees demo endpoints
• Manual: with no own endpoints, Add Endpoint → server-setup wizard step; Continue → form
• Manual: with own endpoints, Add Endpoint → form modal directly
• Manual: Settings → Setup: each card expands/collapses; SSH Server copy buttons work
• Manual: Settings → API Keys: Generate → form modal → key reveal modal → Copy works
• Manual: Address input: type "host" + blur → gray shellwatch@ prefix + yellow warning; focus → both disappear
• Manual: Demo endpoints toggle off hides them, on shows them; audit log resolves the label
• Manual: Other SSH Keys tab visible only when admin AND has file keys
• Manual: Vanilla deployment (no demoEndpoints in config) does NOT show the Demo section
• Manual: MCP list_endpoints call surfaces demo entries with their description