docs: app.md + deploy artifacts (systemd unit, deploy README)

- app.md: frontmatter (service, port 8480, systemd unibus-admin.service on magnus),
  architecture, capabilities, security, known gaps. uses_functions:
  sign_ed25519_go_cybersecurity. e2e_checks (build/vet/web_build/smoke_mock).
- deploy/unibus-admin.service: systemd unit (Restart=always per the SIGTERM gotcha).
- deploy/README.md: reproducible deploy steps (no secrets), Caddy additive-site recipe.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

deploy/unibus-admin.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=unibus admin panel (web administration gateway)
+Documentation=https://gitea-dgg044oo04woo4ggcsws4gk0.organic-machine.com/dataforge/unibus_admin
+After=network-online.target membershipd-cluster.service
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/unibus_admin
+ExecStart=/opt/unibus_admin/unibus_admin \
+  --port 8480 --bind 127.0.0.1 \
+  --ctrl-url https://127.0.0.1:8470 \
+  --nats-url tls://127.0.0.1:4250 \
+  --ca /opt/unibus/tls/ca.crt \
+  --identity-file /opt/unibus_admin/identity.json \
+  --nodes "magnus=https://127.0.0.1:8470,homer=https://141.94.69.66:8470,datardos=https://51.91.100.142:8470"
+# Restart=always (NO on-failure): un SIGTERM limpio sale con exit success y
+# on-failure NO reiniciaria, dejando el panel muerto en silencio.
+Restart=always
+RestartSec=2
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target