Fix SSH agent and systemd service race conditions

- bw-ssh-keys.service: use ssh-agent.service, add SSH_AUTH_SOCK env
- Stage 08: enable ssh-agent.socket, mask gcr-ssh-agent before services
- Stage 11: remove SSH agent section (moved to stage 08 for ordering)
- Stage 09: remove stale bw-load-ssh autostart config
- .zshrc: export SSH_AUTH_SOCK to match OpenSSH agent socket
- Remove config/autostart/ (no longer needed)
- porridge daemon: no longer exits on missing API key;
  add SIGHUP handler for live config reload

config/shell/zshrc

@@ -22,6 +22,10 @@ fi
 # ---- PATH setup ----
 export PATH=$HOME/bin:$HOME/.local/bin:/usr/local/bin:$PATH
 
+# ---- SSH agent socket ----
+# Match the socket used by ssh-agent.socket (OpenSSH), not GCR/gnome-keyring.
+export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.sock"
+
 # ---- Oh My Zsh ----
 export ZSH="$HOME/.oh-my-zsh"
 ZSH_THEME="powerlevel10k/powerlevel10k"
@@ -73,3 +77,7 @@ if [ -n "${BW_SESSION:-}" ]; then
     "export " + (.name | gsub(" "; "_")) + "=" + (.value | @sh)
   ' 2>/dev/null)" 2>/dev/null
 fi
+
+# Signal porridge daemon to reload config (picks up newly loaded env vars)
+_pidfile="$HOME/.local/state/porridge/daemon.pid"
+[[ -f "$_pidfile" ]] && kill -HUP "$(cat "$_pidfile")" 2>/dev/null || true

config/systemd/bw-ssh-keys.service

@@ -1,11 +1,14 @@
 [Unit]
 Description=Load Bitwarden SSH keys into ssh-agent
-After=graphical-session.target
-Wants=graphical-session.target
+# Use ssh-agent.service (OpenSSH) instead of GCR/gnome-keyring SSH agent
+# to avoid conflicts — keys are loaded into the socket the terminal sees.
+After=ssh-agent.service
+Wants=ssh-agent.service
 
 [Service]
 Type=oneshot
 Environment=PATH=%h/.local/bin:/usr/local/bin:/usr/bin:/bin
+Environment=SSH_AUTH_SOCK=%t/ssh-agent.sock
 ExecStart=%h/.local/bin/bw-load-ssh.sh
 RemainAfterExit=yes
 Restart=on-failure