Add prod deployment for the agent fleet (docker-compose.prod.yml)

- docker-compose.prod.yml + .env.prod.example: one container per agent, Quince
  first; deployed under /opt/gu_agents and wired into the server's start/stop.sh.
- Route API + git via host-gateway (containers can't hairpin the host's public IP).
- Dockerfile: drop the base image's uid-1000 user before creating quince.
- entrypoint: pip install --break-system-packages (Debian bookworm PEP 668).

Verified on prod: image builds, API reachable (200), PyPI egress ok, gutask
installs and runs, git clone from ramanujan works via host-gateway.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

deploy/.env.prod.example

@@ -0,0 +1,29 @@
+# Glitch University agents — production env (passed via --env-file).
+# Real secrets live ONLY on the server at /opt/gu_agents/.env.prod (never committed).
+# This is the committed template.
+
+# ── Claude Code auth (REQUIRED) ─────────────────────────────────────────────
+# One key can power the whole agent fleet. Create at https://console.anthropic.com/
+ANTHROPIC_API_KEY=
+# Optional model pin, e.g. claude-opus-4-8
+CLAUDE_MODEL=
+
+# ── Glitch Content API (gutask) ─────────────────────────────────────────────
+API_URL=https://glitch.university
+CONTENT_API_KEY=
+
+# ── Scheduling / runtime (shared) ───────────────────────────────────────────
+TZ=Etc/UTC
+WAKE_TIME=09:00
+RUN_ON_START=0
+QUINCE_UID=1000
+
+# ── Quince (agent #9) ───────────────────────────────────────────────────────
+QUINCE_AGENT_ID=9
+QUINCE_AGENT_NAME=Quince
+QUINCE_AGENT_PASSWORD=
+
+# ── Add more agents below, e.g.: ────────────────────────────────────────────
+# GUNNAR_AGENT_ID=3
+# GUNNAR_AGENT_NAME=Gunnar
+# GUNNAR_AGENT_PASSWORD=