feat: setup wizard and token management

added ed25519 key generation to setup endpoint
deployment handler for token CRUD with install commands
wired routes for /api/setup/generate-keys and /admin/deployment

setup generates keypair on demand
deployment endpoints provide one-liner install commands
ready for v0.1.22 testing

aggregator-server/internal/api/handlers/setup.go

@@ -1,7 +1,10 @@
 package handlers
 
 import (
+	"crypto/ed25519"
+	"crypto/rand"
 	"database/sql"
+	"encoding/hex"
 	"fmt"
 	"net/http"
 	"strconv"
@@ -409,3 +412,28 @@ func (h *SetupHandler) ConfigureServer(c *gin.Context) {
 	})
 }
 
+// GenerateSigningKeys generates Ed25519 keypair for agent update signing
+func (h *SetupHandler) GenerateSigningKeys(c *gin.Context) {
+	// Generate Ed25519 keypair
+	publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to generate keypair"})
+		return
+	}
+
+	// Encode to hex
+	publicKeyHex := hex.EncodeToString(publicKey)
+	privateKeyHex := hex.EncodeToString(privateKey)
+
+	// Generate fingerprint (first 16 chars)
+	fingerprint := publicKeyHex[:16]
+
+	c.JSON(http.StatusOK, gin.H{
+		"public_key":  publicKeyHex,
+		"private_key": privateKeyHex,
+		"fingerprint": fingerprint,
+		"algorithm":   "ed25519",
+		"key_size":    32,
+	})
+}
+