feat: SSE agent state, maint module, timestamp fix, missed call lead lookup

- SSE agent state stream: supervisor maintains state map from Ozonetel webhooks, streams via /api/supervisor/agent-state/stream
- Force-logout via SSE: distinct force-logout event type avoids conflict with normal login cycle
- Maint module (/api/maint): OTP-guarded endpoints for force-ready, unlock-agent, backfill-missed-calls, fix-timestamps
- Fix Ozonetel IST→UTC timestamp conversion: istToUtc() in webhook controller and missed-queue service
- Missed call lead lookup: ingestion queries leads by phone, stores leadId + leadName on Call entity
- Timestamp backfill endpoint: throttled at 700ms/mutation, idempotent (skips already-fixed records)
- Structured logging: full JSON payloads for agent/call webhooks, [DISPOSE] trace with agentId
- Fix dead code: agent-state endpoint auto-assign was after return statement
- Export SupervisorService for cross-module injection

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/maint/maint.guard.ts

@@ -0,0 +1,20 @@
+import { CanActivate, ExecutionContext, Injectable, HttpException } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+
+@Injectable()
+export class MaintGuard implements CanActivate {
+    private readonly otp: string;
+
+    constructor(private config: ConfigService) {
+        this.otp = process.env.MAINT_OTP ?? '400168';
+    }
+
+    canActivate(context: ExecutionContext): boolean {
+        const request = context.switchToHttp().getRequest();
+        const provided = request.headers['x-maint-otp'] ?? request.body?.otp;
+        if (!provided || provided !== this.otp) {
+            throw new HttpException('Invalid maintenance OTP', 403);
+        }
+        return true;
+    }
+}