feat(node-agent): production ops kit — Windows service + WireGuard mesh

config:
- LoadEnvFile(): reads agent.env beside the exe (or $AGENT_ENV_FILE) before env,
  so the sc.exe service needs no per-service environment plumbing; real env wins

deploy/ (new):
- build-windows.ps1     cross-compile → dist\ + stage the deploy kit
- agent.env.example     fully documented config template
- install-service.ps1   register as auto-start Windows service (native sc.exe),
                        crash-restart 3×/5s, no NSSM dependency
- uninstall-service.ps1 stop + remove
- wireguard-node.conf.template + setup-wireguard.ps1  node dials out only, no
                        public IP / inbound rules; tunnel installed as boot service
- README.md             full control-plane + node walkthrough, ops table, troubleshooting

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

services/node-agent/internal/config/config.go

@@ -2,12 +2,58 @@
 package config
 
 import (
+	"bufio"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
+	"strings"
 )
 
+// LoadEnvFile reads a simple KEY=VALUE file and sets any variables that are not
+// already present in the environment. This lets the Windows service (installed
+// via sc.exe, which has no per-service env support) be configured by dropping an
+// `agent.env` file next to the executable — no registry edits required.
+//
+// Lookup order: $AGENT_ENV_FILE, then `agent.env` beside the exe, then `./agent.env`.
+// Lines starting with # and blank lines are ignored. Existing env vars win, so an
+// operator can still override any single value at the process level.
+func LoadEnvFile() {
+	candidates := []string{}
+	if p := os.Getenv("AGENT_ENV_FILE"); p != "" {
+		candidates = append(candidates, p)
+	}
+	if exe, err := os.Executable(); err == nil {
+		candidates = append(candidates, filepath.Join(filepath.Dir(exe), "agent.env"))
+	}
+	candidates = append(candidates, "agent.env")
+
+	for _, path := range candidates {
+		f, err := os.Open(path)
+		if err != nil {
+			continue
+		}
+		scanner := bufio.NewScanner(f)
+		for scanner.Scan() {
+			line := strings.TrimSpace(scanner.Text())
+			if line == "" || strings.HasPrefix(line, "#") {
+				continue
+			}
+			key, val, ok := strings.Cut(line, "=")
+			if !ok {
+				continue
+			}
+			key = strings.TrimSpace(key)
+			val = strings.Trim(strings.TrimSpace(val), `"'`)
+			if _, exists := os.LookupEnv(key); !exists {
+				_ = os.Setenv(key, val)
+			}
+		}
+		f.Close()
+		return // first file found wins
+	}
+}
+
 // Config holds all runtime settings for the node agent.
 type Config struct {
 	// NodeID is the UUID of this render node, registered in the orchestrator.
@@ -59,6 +105,8 @@ type Config struct {
 // Load reads configuration from environment variables, returning an error
 // if any required variable is missing.
 func Load() (*Config, error) {
+	// Pull in agent.env (if present) before reading the environment.
+	LoadEnvFile()
 	c := &Config{
 		NodeID:               os.Getenv("NODE_ID"),
 		OrchestratorURL:      getEnv("ORCHESTRATOR_URL", "http://localhost:8088"),