[Ops]: Add local demo login and runtime smoke gate

[meiiie]

Objective

Make the local demo path repeatable and reliable before deeper runtime/provider refactors. The demo should use the same JWT/session path as the desktop app instead of legacy API-key smoke checks.

Category

Release readiness / Runtime configuration / Security/auth hardening

Scope

In scope:

• Add a local demo smoke script that uses /api/v1/auth/dev-login, then verifies backend health, authenticated profile/admin context, organization permissions, sync chat, SSE V3 completion, and the local frontend URL when requested.
• Document the recommended local demo login flow, including how to recover from stale API-key state in the desktop/web frontend.
• Capture OpenAI Agents SDK-inspired runtime lessons as guardrails for future Wiii work without adding a new framework dependency.

Out of scope:

• Replacing WiiiRunner or adding openai-agents-python as a runtime dependency.
• Removing LangGraph compatibility naming.
• Changing production auth behavior or secrets.

Acceptance Criteria

• Maintainers can run one command before a local demo to confirm the dev-login/admin/chat/stream path is healthy.
• The command fails loudly on API key mistakes, missing dev-login, missing admin/org permissions, backend health failures, or missing SSE done events.
• The docs clearly state that local demo login should use dev-login/JWT, while production still uses OAuth/LMS-approved auth paths.
• Rollback is deleting the new script/docs only; no database migration is required.

Verification Plan

• python scripts/local_demo_smoke.py --help
• Unit tests for script parsing/contract helpers where practical.
• Existing backend endpoint smoke tests remain green.

Rollback / Recovery

Remove the local smoke script and runbook update. No schema/data migration is involved.