fix(apps.create): clone via HTTPS+bot-PAT; activate bot users on creation

Coolify was failing all Gitea clones with "Permission denied (publickey)"
because the helper container's SSH hits git.vibnai.com:22 (Ubuntu host
sshd, which doesn't know Gitea keys), while Gitea's builtin SSH is on
host port 22222 (not publicly reachable).

Rather than fight the SSH topology, switch every Vibn-provisioned app
to clone over HTTPS with the workspace bot's PAT embedded in the URL.
The PAT is already stored encrypted per workspace and scoped to that
org, so this gives equivalent isolation with zero SSH dependency.

Changes:
- lib/naming.ts: add giteaHttpsUrl() + redactGiteaHttpsUrl(); mark
  giteaSshUrl() as deprecated-for-deploys with a comment.
- lib/coolify.ts: extend CreatePublicAppOpts with install/build/start
  commands, base_directory, dockerfile_location, docker_compose_location,
  manual_webhook_secret_gitea so it's at parity with the SSH variant.
- app/api/mcp/route.ts:
  - apps.create now uses createPublicApp(giteaHttpsUrl(...)) and pulls
    the bot PAT via getWorkspaceBotCredentials(). No more private-
    deploy-key path for new apps.
  - apps.update adds git_commit_sha + docker_compose_location to the
    whitelist.
  - New apps.rewire_git tool: re-points an app's git_repository at the
    canonical HTTPS+PAT URL. Unblocks older apps stuck on SSH URLs
    and provides a path for PAT rotation without rebuilding the app.
- lib/gitea.ts: createUser() now issues an immediate PATCH to set
  active: true. Gitea's admin-create endpoint creates users as inactive
  by default, and inactive users fail permission checks even though
  they're org members. GiteaUser gains optional `active` field.
- scripts/activate-workspace-bots.ts: idempotent backfill that flips
  active=true for any existing workspace bot that was created before
  this fix. Safe to re-run.
- AI_CAPABILITIES.md: document apps.rewire_git; clarify apps.create
  uses HTTPS+PAT (no SSH).

Already unblocked in prod for the mark workspace:
- vibn-bot-mark activated.
- twenty-crm's git_repository PATCHed to HTTPS+PAT form; git clone
  now succeeds (remaining unrelated error: docker-compose file path).

Made-with: Cursor

scripts/activate-workspace-bots.ts

@@ -0,0 +1,73 @@
+/**
+ * Backfill: activate any Gitea bot users that were created before the
+ * provisioner started flipping `active: true` automatically.
+ *
+ * Safe to re-run — bots that are already active stay active.
+ *
+ * Usage:
+ *   npx dotenv-cli -e .env.local -- npx tsx scripts/activate-workspace-bots.ts
+ */
+
+import { query } from '../lib/db-postgres';
+
+const GITEA_API_URL = process.env.GITEA_API_URL ?? 'https://git.vibnai.com';
+const GITEA_API_TOKEN = process.env.GITEA_API_TOKEN ?? '';
+
+if (!GITEA_API_TOKEN) {
+  console.error('GITEA_API_TOKEN not set — cannot proceed');
+  process.exit(1);
+}
+
+async function gitea(path: string, init?: RequestInit) {
+  const res = await fetch(`${GITEA_API_URL}/api/v1${path}`, {
+    ...init,
+    headers: {
+      'Content-Type': 'application/json',
+      Authorization: `token ${GITEA_API_TOKEN}`,
+      ...(init?.headers ?? {}),
+    },
+  });
+  if (!res.ok && res.status !== 204) {
+    throw new Error(`gitea ${path} → ${res.status}: ${await res.text()}`);
+  }
+  if (res.status === 204) return null;
+  return res.json();
+}
+
+async function main() {
+  const rows = await query<{ slug: string; gitea_bot_username: string }>(
+    `SELECT slug, gitea_bot_username
+       FROM vibn_workspaces
+      WHERE gitea_bot_username IS NOT NULL`
+  );
+  console.log(`Checking ${rows.length} workspace bot(s)…`);
+
+  let touched = 0;
+  for (const { slug, gitea_bot_username: bot } of rows) {
+    try {
+      const u = (await gitea(`/users/${bot}`)) as { active?: boolean } | null;
+      if (!u) {
+        console.warn(`  [${slug}] bot ${bot} not found in Gitea`);
+        continue;
+      }
+      if (u.active) {
+        console.log(`  [${slug}] ${bot} already active`);
+        continue;
+      }
+      await gitea(`/admin/users/${bot}`, {
+        method: 'PATCH',
+        body: JSON.stringify({ source_id: 0, login_name: bot, active: true }),
+      });
+      console.log(`  [${slug}] activated ${bot}`);
+      touched++;
+    } catch (err) {
+      console.error(`  [${slug}] error:`, err instanceof Error ? err.message : err);
+    }
+  }
+  console.log(`Done — activated ${touched} bot(s).`);
+}
+
+main().catch((err) => {
+  console.error('FAILED:', err);
+  process.exit(1);
+});