Terminal: job image tools (neovim/tmux), build-arg wiring, docs

- agent-job image: add neovim, tmux, less, unzip, wget, locales for the
  interactive shell (tmux powers cross-reconnect session persistence)
- Wire NEXT_PUBLIC_SPOON_AGENT_WORKER_WS_URL as a build arg (Dockerfile +
  compose.yml) since NEXT_PUBLIC vars are inlined at build time
- docs/agent-terminal.md: architecture, env, nginx WS exposure, dev testing,
  security; note the build-time var in docs/compose.prod.yml

docker/Dockerfile

@@ -15,6 +15,7 @@ ARG NEXT_PUBLIC_SENTRY_DSN
 ARG NEXT_PUBLIC_SENTRY_URL
 ARG NEXT_PUBLIC_SENTRY_ORG
 ARG NEXT_PUBLIC_SENTRY_PROJECT_NAME
+ARG NEXT_PUBLIC_SPOON_AGENT_WORKER_WS_URL
 
 ENV SENTRY_AUTH_TOKEN=$SENTRY_AUTH_TOKEN
 ENV SENTRY_DISABLE_AUTO_UPLOAD=$SENTRY_DISABLE_AUTO_UPLOAD
@@ -25,6 +26,7 @@ ENV NEXT_PUBLIC_SENTRY_DSN=$NEXT_PUBLIC_SENTRY_DSN
 ENV NEXT_PUBLIC_SENTRY_URL=$NEXT_PUBLIC_SENTRY_URL
 ENV NEXT_PUBLIC_SENTRY_ORG=$NEXT_PUBLIC_SENTRY_ORG
 ENV NEXT_PUBLIC_SENTRY_PROJECT_NAME=$NEXT_PUBLIC_SENTRY_PROJECT_NAME
+ENV NEXT_PUBLIC_SPOON_AGENT_WORKER_WS_URL=$NEXT_PUBLIC_SPOON_AGENT_WORKER_WS_URL
 
 # Copy source code (node_modules excluded via .dockerignore)
 COPY . .

docker/agent-job.Dockerfile

@@ -11,9 +11,15 @@ RUN apt-get update \
     curl \
     git \
     jq \
+    less \
+    locales \
+    neovim \
     openssh-client \
     python3 \
     ripgrep \
+    tmux \
+    unzip \
+    wget \
   && corepack enable \
   && corepack prepare pnpm@latest --activate \
   && corepack prepare yarn@stable --activate \

docker/compose.yml

@@ -17,6 +17,7 @@ services:
         NEXT_PUBLIC_SENTRY_URL: ${NEXT_PUBLIC_SENTRY_URL}
         NEXT_PUBLIC_SENTRY_ORG: ${NEXT_PUBLIC_SENTRY_ORG}
         NEXT_PUBLIC_SENTRY_PROJECT_NAME: ${NEXT_PUBLIC_SENTRY_PROJECT_NAME}
+        NEXT_PUBLIC_SPOON_AGENT_WORKER_WS_URL: ${NEXT_PUBLIC_SPOON_AGENT_WORKER_WS_URL:-}
     image: spoon-next:latest
     #image: git.gbrown.org/gib/spoon-next:latest
     container_name: ${NEXT_CONTAINER_NAME}