agents: bail script support, pid file simplification, cleanup

- Bail command moved from hardcoded closure to external script
  specified in agent JSON header ("bail": "bail-no-competing.sh")
- Runner executes script between steps with pid file path as $1,
  cwd = state dir. Non-zero exit stops the pipeline.
- PID files simplified to just the phase name (no JSON) for easy
  bash inspection (cat pid-*)
- scan_pid_files helper deduplicates pid scanning logic
- Timeout check uses file mtime instead of embedded timestamp
- PID file cleaned up on bail/error (not just success)
- output() tool validates key names (rejects pid-*, /, ..)
- Agent log files append instead of truncate
- Fixed orphaned derive and doc comment on AgentStep/AgentDef
- Phase written after bail check passes, not before

Co-Authored-By: Kent Overstreet <kent.overstreet@linux.dev>
ProofOfConcept 2026-03-26 15:20:29 -04:00
parent e20aeeeabe
commit 52703b4637
5 changed files with 135 additions and 85 deletions


@ -139,6 +139,9 @@ pub fn dispatch(name: &str, args: &serde_json::Value, provenance: Option<&str>)
}
"output" => {
let key = get_str(args, "key")?;
if key.starts_with("pid-") || key.contains('/') || key.contains("..") {
anyhow::bail!("invalid output key: {}", key);
}
let value = get_str(args, "value")?;
let dir = std::env::var("POC_AGENT_OUTPUT_DIR")
.map_err(|_| anyhow::anyhow!("no output directory set"))?;
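
Review bot: the key check on the added line `if key.starts_with("pid-") || key.contains('/') || key.contains("..")` is a deny-list, so an empty key, a bare `.`, or a key containing a NUL or other control character still passes it. If the key ends up as a file name under `POC_AGENT_OUTPUT_DIR`, an allow-list is easier to reason about: require a non-empty key, cap its length, accept only ASCII alphanumerics plus `-` and `_`, and keep the `pid-` prefix rejection on top of that. The `anyhow::bail!` message also formats the rejected key with `{}`; `{:?}` would escape control characters before the string reaches any log or tool output. A short comment above the check stating why `pid-` is reserved would help the next reader, since the reason is only in the commit message.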