Add bun + pi-coding-agent + oh-my-pi to bootstrap; age encryption

Three parts:

1. .chezmoi.yaml.tmpl: reworked age config block
   - recipients moved under 'age:' key (correct structure per chezmoi docs)
   - identity: ~/.config/chezmoi/key.txt
   - recipients list with recovery key + miche per-machine key
   - recovery key pubkey: age1yyq42ctqwp5s5yd64week3aav9getk3p8aeyr5n5454d0v59a4dsjljsgs
   - miche pubkey: age1eja7trs8mmsgf0qga0h5fsdltaryxgk4ksumshar5xxtdx0exy3q0a5hc5
   - placeholders for byte/kaiser/rye/crouton (TODO: generate per-box keys
     and add when bootstrapping those boxes)

2. private_dot_omp/agent/: omp/oh-my-pi config from byte
   - config.yml (1.7KB) — model roles, fallback chains, theme, tools
   - mcp.json (351B) — firecrawl MCP server config
   - zai.key.age (540B) — zai-coding provider API key, age-encrypted to
     recovery + miche recipients. Decrypts to live ~/.omp/agent/zai.key
     on apply.

3. run_once_20: install bun + pi-coding-agent on both OSes
   - arch: bun from pacman (now in [extra])
   - debian: bun via curl-install to ~/.local (not in apt)
   - both: bun add -g @oh-my-pi/pi-coding-agent → omp binary in ~/.bun/bin
   - .zshrc.tmpl already adds ~/.bun/bin to PATH

To onboard a new box:
  1. ssh into the box
  2. age-keygen -o ~/.config/chezmoi/key.txt
  3. paste the public key into .chezmoi.yaml.tmpl recipients
  4. chezmoi age rekey   # rewrites *.age files to include new recipient
  5. commit + push
  6. chezmoi init --apply  # decrypts and writes zai.key live

run_once_20-install-user-packages.sh.tmpl

@@ -30,11 +30,23 @@ PACMAN_PKGS=(
     lazygit yt-dlp jq
     unzip p7zip
     openssh
+    bun
 )
 
 log "installing pacman packages"
 sudo pacman -S --needed --noconfirm "${PACMAN_PKGS[@]}"
 
+# --------------------------- Pi coding agent + oh-my-pi ---------------------
+# Arch: bun comes from pacman (above), used here for the global install.
+if command -v bun >/dev/null 2>&1; then
+    if ! command -v omp >/dev/null 2>&1; then
+        log "installing @oh-my-pi/pi-coding-agent via bun global"
+        bun add -g @oh-my-pi/pi-coding-agent 2>&1 | tail -10
+    else
+        log "omp already installed: $(omp --version 2>&1 | head -1)"
+    fi
+fi
+
 {{ else if eq .os_family "debian" -}}
 # ----------------------------- DEBIAN --------------------------------------
 export DEBIAN_FRONTEND=noninteractive
@@ -55,6 +67,14 @@ APT_PKGS=(
 log "installing apt packages"
 sudo apt-get install -y --no-install-recommends "${APT_PKGS[@]}"
 
+# bun isn't in debian repos. Install via official script into ~/.local
+# (so the binary lands at ~/.local/bin/bun, which is already in PATH
+# via .zshrc — no extra PATH config needed).
+if ! command -v bun >/dev/null 2>&1; then
+    log "installing bun to ~/.local/bin (debian: not in apt)"
+    curl -fsSL https://bun.sh/install | BUN_INSTALL="$HOME/.local" bash
+fi
+
 # fd on Debian ships as 'fdfind' to avoid clashing with fd (the dedupe tool).
 # Symlink so .zshrc can find 'fd' on PATH.
 if command -v fdfind >/dev/null 2>&1 && ! command -v fd >/dev/null 2>&1; then
@@ -67,6 +87,18 @@ fi
 # package. The install happens in run_onchange_30 (after rustup is ready,
 # via `cargo install bat`).
 
+# --------------------------- Pi coding agent + oh-my-pi ---------------------
+# Install via bun global (arch already has /usr/bin/bun from pacman, debian
+# got it from the curl install above). Both OSes land in the same dir.
+if command -v bun >/dev/null 2>&1; then
+    if ! command -v omp >/dev/null 2>&1; then
+        log "installing @oh-my-pi/pi-coding-agent via bun global"
+        bun add -g @oh-my-pi/pi-coding-agent 2>&1 | tail -10
+    else
+        log "omp already installed: $(omp --version 2>&1 | head -1)"
+    fi
+fi
+
 # Neovim — install official binary tarball, pinned to a known-good version.
 # Bump NVIM_TARGET_VERSION to upgrade. ~/.local/bin/update-neovim.sh does
 # the same check + download so topgrade can invoke it for upgrades.