C2(hephd-self-update): impl service-env-forge-access (public HTTPS, cargo on PATH)

The repo is public, so self-update needs no credentials: cargo install
--git is a plain anonymous clone (NOT the access-restricted Forgejo cargo
registry, which is what required forge.ops.eblu.me). Point INSTALL_GIT_URL
and the releases poll at the canonical public host over HTTPS — verified
end-to-end (cargo install --git https://forge.eblu.me/... --tag v1.0.3
builds a working hephd with zero auth).

Make the headless service able to run the apply path: 'heph daemon
start --self-update' (default off) generates a launchd/systemd service
that passes --self-update and bakes a PATH (incl ~/.cargo/bin) + HOME so
the minimal service env can find cargo. restart preserves the setting.
Default (no flag) services are byte-identical to before. Template + URL
behavior covered by unit tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs/how-to/run-the-daemon.md

@@ -53,6 +53,16 @@ still the old binary until you restart it:
 heph daemon restart
 ```
 
+## Self-update (opt-in)
+
+`hephd` can keep itself current: `heph daemon start --self-update` generates a
+service that polls the forge for newer releases and, when one appears, rebuilds
+via `cargo install` (anonymous HTTPS clone of the public repo — no credentials)
+and restarts onto the new binary. It is **off by default**; the generated
+service also gets a `PATH` that can find cargo. `heph daemon restart` preserves
+the setting (pass `--self-update` again to turn it on later). Requires the Rust
+toolchain (`cargo`) installed for the service user.
+
 ## Development isolation
 
 `heph daemon` manages the **installed** daemon on the default paths. For in-repo