feat(onboarding/phase-1): admin-editable telephony, ai, and setup-state config

Phase 1 of hospital onboarding & self-service plan
(docs/superpowers/plans/2026-04-06-hospital-onboarding-self-service.md).

Backend foundations to support the upcoming staff-portal Settings hub and
6-step setup wizard. No frontend in this phase.

New config services (mirroring ThemeService / WidgetConfigService):
- SetupStateService    — tracks completion of 6 wizard steps; isWizardRequired()
                         drives the post-login redirect
- TelephonyConfigService — Ozonetel + Exotel + SIP, replaces 8 env vars,
                           seeds from env on first boot, masks secrets on GET,
                           '***masked***' sentinel on PUT means "keep existing"
- AiConfigService      — provider, model, temperature, system prompt addendum;
                         API keys remain in env

New endpoints under /api/config:
- GET  /api/config/setup-state                returns state + wizardRequired flag
- PUT  /api/config/setup-state/steps/:step    mark step complete/incomplete
- POST /api/config/setup-state/dismiss        dismiss wizard
- POST /api/config/setup-state/reset
- GET  /api/config/telephony                  masked
- PUT  /api/config/telephony
- POST /api/config/telephony/reset
- GET  /api/config/ai
- PUT  /api/config/ai
- POST /api/config/ai/reset

ConfigThemeModule is now @Global() so the new sidecar config services are
injectable from AuthModule, OzonetelAgentModule, MaintModule without creating
a circular dependency (ConfigThemeModule already imports AuthModule for
SessionService).

Migrated 11 env-var read sites to use the new services:
- ozonetel-agent.service: exotel API + ozonetel did/sipId via read-through getters
- ozonetel-agent.controller: defaultAgentId/Password/SipId via getters
- kookoo-ivr.controller: sipId/callerId via getters
- auth.controller: OZONETEL_AGENT_PASSWORD (login + logout)
- agent-config.service: sipDomain/wsPort/campaignName via getters
- maint.controller: forceReady + unlockAgent
- ai-provider: createAiModel and isAiConfigured refactored to pure factories
  taking AiProviderOpts; no more ConfigService dependency
- widget-chat.service, recordings.service, ai-enrichment.service,
  ai-chat.controller, ai-insight.consumer, call-assist.service: each builds
  the AI model from AiConfigService.getConfig() + ConfigService API keys

Hot-reload guarantee: every consumer reads via a getter or builds per-call,
so admin updates take effect without sidecar restart. WidgetChatService
specifically rebuilds the model on each streamReply().

Bug fix bundled: dropped widget.json.hospitalName field (the original
duplicate that started this whole thread). WidgetConfigService now reads
brand.hospitalName from ThemeService at the 2 generateKey call sites.
Single source of truth for hospital name is workspace branding.

First-boot env seeding: TelephonyConfigService and AiConfigService both
copy their respective env vars into a fresh data/*.json on onModuleInit if
the file doesn't exist. Existing deployments auto-migrate without manual
intervention.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/auth/agent-config.service.ts

@@ -1,6 +1,6 @@
 import { Injectable, Logger } from '@nestjs/common';
-import { ConfigService } from '@nestjs/config';
 import { PlatformGraphqlService } from '../platform/platform-graphql.service';
+import { TelephonyConfigService } from '../config/telephony-config.service';
 
 export type AgentConfig = {
     id: string;
@@ -16,15 +16,20 @@ export type AgentConfig = {
 export class AgentConfigService {
     private readonly logger = new Logger(AgentConfigService.name);
     private readonly cache = new Map<string, AgentConfig>();
-    private readonly sipDomain: string;
-    private readonly sipWsPort: string;
 
     constructor(
         private platform: PlatformGraphqlService,
-        private config: ConfigService,
-    ) {
-        this.sipDomain = config.get<string>('sip.domain', 'blr-pub-rtc4.ozonetel.com');
-        this.sipWsPort = config.get<string>('sip.wsPort', '444');
+        private telephony: TelephonyConfigService,
+    ) {}
+
+    private get sipDomain(): string {
+        return this.telephony.getConfig().sip.domain || 'blr-pub-rtc4.ozonetel.com';
+    }
+    private get sipWsPort(): string {
+        return this.telephony.getConfig().sip.wsPort || '444';
+    }
+    private get defaultCampaignName(): string {
+        return this.telephony.getConfig().ozonetel.campaignName || 'Inbound_918041763265';
     }
 
     async getByMemberId(memberId: string): Promise<AgentConfig | null> {
@@ -46,7 +51,7 @@ export class AgentConfigService {
                 ozonetelAgentId: node.ozonetelagentid,
                 sipExtension: node.sipextension,
                 sipPassword: node.sippassword ?? node.sipextension,
-                campaignName: node.campaignname ?? process.env.OZONETEL_CAMPAIGN_NAME ?? 'Inbound_918041763265',
+                campaignName: node.campaignname ?? this.defaultCampaignName,
                 sipUri: `sip:${node.sipextension}@${this.sipDomain}`,
                 sipWsServer: `wss://${this.sipDomain}:${this.sipWsPort}`,
             };

src/auth/auth.controller.ts

@@ -5,6 +5,7 @@ import axios from 'axios';
 import { OzonetelAgentService } from '../ozonetel/ozonetel-agent.service';
 import { SessionService } from './session.service';
 import { AgentConfigService } from './agent-config.service';
+import { TelephonyConfigService } from '../config/telephony-config.service';
 
 @Controller('auth')
 export class AuthController {
@@ -18,6 +19,7 @@ export class AuthController {
         private ozonetelAgent: OzonetelAgentService,
         private sessionService: SessionService,
         private agentConfigService: AgentConfigService,
+        private telephony: TelephonyConfigService,
     ) {
         this.graphqlUrl = config.get<string>('platform.graphqlUrl')!;
         this.workspaceSubdomain = process.env.PLATFORM_WORKSPACE_SUBDOMAIN ?? 'fortytwo-dev';
@@ -138,7 +140,7 @@ export class AuthController {
                         this.logger.warn(`Ozonetel token refresh on login failed: ${err.message}`);
                     });
 
-                    const ozAgentPassword = process.env.OZONETEL_AGENT_PASSWORD ?? 'Test123$';
+                    const ozAgentPassword = this.telephony.getConfig().ozonetel.agentPassword || 'Test123$';
                     this.ozonetelAgent.loginAgent({
                         agentId: agentConfig.ozonetelAgentId,
                         password: ozAgentPassword,
@@ -252,7 +254,7 @@ export class AuthController {
 
                 this.ozonetelAgent.logoutAgent({
                     agentId: agentConfig.ozonetelAgentId,
-                    password: process.env.OZONETEL_AGENT_PASSWORD ?? 'Test123$',
+                    password: this.telephony.getConfig().ozonetel.agentPassword || 'Test123$',
                 }).catch(err => this.logger.warn(`Ozonetel logout failed: ${err.message}`));
 
                 this.agentConfigService.clearCache(memberId);