Collector milestone 6: packaging — install.sh, systemd unit, docs

systemd/agent-watcher.service: --user unit with on-failure restart,
ProtectSystem=strict, ProtectHome=read-write, NoNewPrivileges=yes,
PrivateTmp=yes. JSON logs to journald. Survives reboot via
'loginctl enable-linger'.

examples/collector.yaml: working starter config for both sources with
inline comments, per-route examples, and the spec §3.1.2 schema for
drop files.

install.sh: idempotent installer following the agent-ping pattern.
Builds the binary, installs it + the unit, drops the example config if
absent, reloads systemd, enables, and (unless --no-start) starts the
service. Adds drop-folder lifecycle artifacts (*.tmp, .dead-letter/)
to workspace .stignore so they don't replicate during processing.
Skips Syncthing-related steps gracefully when ~/Nyx/workspace is not
present.

INSTALL.md: prerequisites, install, configure, verify (drop-file +
webhook end-to-end probes), survive-logout, uninstall, troubleshooting
table.

README.md: rewritten to reflect actual status — v0 working with 43
tests, packaging ready, Layer 2 in progress on Bob's side.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

systemd/agent-watcher.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=agent-watcher Collector — converts external events to ping inbox writes
+Documentation=https://git.botbought.ai/foreman/agent-watcher
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=%h/.local/bin/agent-watcher --json-log
+Restart=on-failure
+RestartSec=5
+# small daemon; no need for elevated limits
+LimitNOFILE=4096
+# read-only by intent; the daemon writes only to the inbox dir which is
+# inside $HOME and unaffected by ProtectSystem.
+ProtectSystem=strict
+ProtectHome=read-write
+PrivateTmp=yes
+NoNewPrivileges=yes
+# stdout/stderr go to journald automatically; --json-log makes them parseable
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=agent-watcher
+
+[Install]
+WantedBy=default.target