- Replace "dev-unknown" fallback with null to prevent false update
  notifications for dev agents when version string can't be fetched
- Add missing Prisma migration for latestDevAgentRelease fields
- Add comment clarifying VF_CHANNEL is documentation-only

The agent infers its channel from the version string prefix (dev- vs
semver). Writing VF_CHANNEL to the env file served no purpose.

Previously, checksums fetched from GitHub were only held in memory.
After a server restart within the 24h cache window, the version was
loaded from the DB but checksums were empty, causing agent self-update
checksum verification to fail.

Store checksums as JSON in SystemSettings for both stable and dev
channels, and load them on cache hits.

- Always update checkedAt when dev release fetch succeeds, even if
  dev-version.txt is missing, to prevent GitHub API rate limit exhaustion
- Add concurrency group to agent-dev-binaries CI job to prevent race
  conditions on concurrent pushes to main
- Guard stable tag construction against null version to avoid "vnull" URL

The paths filter on the push trigger prevented CI from running when the
workflow file itself was modified in a merge commit (GitHub evaluates
against the pre-merge workflow). Removing it ensures dev binary builds
run on every push to main, matching the design intent.

Also adds workflow_dispatch for manual triggering.

The push-gated jobs (images, dev binaries) excluded workflow_dispatch
events, so manual triggers only ran lint. Now all build jobs run on
both push and workflow_dispatch.

Prevent manual dispatches from feature branches from overwriting the
dev release and Docker images with non-main code.