fix(observability): restore broken SSE /logs stream; add build-stamped version and health pulse for remote/Docker deployments

[WareWolf-MoonWall]

Summary

• Base branch: master
• What changed and why:
  • The /logs page in the gateway WebUI has been functionally broken since it was built. The SSE connection itself opened successfully (the browser shows the green “Connected” indicator), but no agent events ever appeared. Every agent entry-point — process_message, agent::run(), the cron scheduler, and the heartbeat worker — each called create_observer() internally and discarded the result, so the BroadcastObserver wired to the SSE bus was never reached. “Waiting for events…” was the permanent state for all users.
  • This is especially severe for remote and Docker deployments where the terminal is inaccessible: the WebUI and configured channels are the only windows into runtime behaviour. A permanently empty /logs page, no version indicator, and no proof-of-life signal between agent turns is a significant trust and UX gap.
  • This PR fixes the broken wiring, extends SSE coverage to cron and heartbeat agent runs, adds a 30-second health pulse so idle systems show proof-of-life, surfaces daemon lifecycle events (reload, restart, shutdown), and adds a build-stamped version display that is useful for both release users and source builders.
• Scope boundary: Does not change observability config schema, memory/provider/channel/security behaviour, Prometheus or OTel observer implementations, or the CLI interactive path. No config keys added. No new crate dependencies.
• Blast radius:
  • execute_job_now (public API): gains a third Option<Arc<dyn Observer>> parameter — breaking for external callers, but this crate is publish = false and the only workspace caller (gateway api.rs) is updated in this PR.
  • agent::run() (public API): same — gains an observer parameter; all five workspace call sites updated (None for CLI and integration tests, Some(observer) for cron and heartbeat).
  • SSE stream: clients receive new event types (pulse, gateway_started, daemon_*, component_restart, heartbeat_tick, channel_message, turn_complete, llm_response); unknown types fall through gracefully in the frontend.
  • spawn_component_supervisor: gains an event_tx parameter — private function, zero external blast radius.
  • Health pulse adds one JSON broadcast every 30 seconds (256-slot buffer); negligible overhead.
• Linked issue(s): None (emerged from operational user feedback on remote/Docker deployments).
• Labels: risk: high, gateway, observability, agent, daemon, cron, heartbeat

Validation Evidence (required)

cargo fmt --all -- --check
cargo clippy --all-targets -- -D warnings
cargo test

• Commands run and tail output:
  • cargo fmt --all -- --check: ✅ clean exit, no output
  • cargo clippy --all-targets -- -D warnings: ✅ Finished dev profile [unoptimized + debuginfo] target(s) in 1m 42s — zero warnings, zero errors
  • cargo test: ✅ all tests pass including scheduled_no_conversation_leak_5415 integration test which exercises the changed agent::run() signature
  • npx tsc --noEmit (web/): ✅ zero TypeScript errors
  • cargo check -p zeroclaw-gateway after adding emit_git_info() to build.rs: ✅ compiles in 2.85s
• Beyond CI — what did you manually verify: Signature changes thread through all five agent::run() call sites and the full cron scheduler chain (run() → catch_up_overdue_jobs → process_due_jobs → execute_and_persist_job → execute_job_with_retry → run_agent_job → agent::run()). Confirmed i18n.ts diff is exactly one line ('dashboard.version': 'Version') — no collateral formatting churn.
• If any command was intentionally skipped, why: N/A

Security & Privacy Impact (required)

• New permissions, capabilities, or file system access scope? No
• New external network calls? No
• Secrets / tokens / credentials handling changed? No — version string is CARGO_PKG_VERSION + git SHA + dirty flag, all build-time constants
• PII, real identities, or personal data in diff, tests, fixtures, or docs? No

Compatibility (required)

• Backward compatible? No — execute_job_now and agent::run() signatures changed. Both crates are publish = false; all workspace callers are updated in this PR.
• Config / env / CLI surface changed? No — /api/status gains an additive version field; SSE gains new event types. Both are backwards-compatible at the consumer level. Custom SSE clients that consume /api/events will receive new event types they can safely ignore.
• Exact upgrade steps for existing users: None required. No config changes needed.

Rollback (required for risk: medium and risk: high)

• Fast rollback command/path: git revert 866861b5e
• Feature flags or config toggles: None — the health pulse task is unconditionally active when the gateway runs; the observer wiring is structural.
• Observable failure symptoms after rollback: /logs returns to “Waiting for events…” permanently; version card shows —; pulse events stop; cron/heartbeat agent activity disappears from the stream.

[WareWolf-MoonWall]

CI note: The matrix-sdk query depth overflow in the Lint job is pre-existing on master and unrelated to this PR. Confirmed by running the full CI clippy command against the master tip before our commit — same failure is present there. Everything else in the lint output is clean.