feat: setup wizard and token management

added ed25519 key generation to setup endpoint
deployment handler for token CRUD with install commands
wired routes for /api/setup/generate-keys and /admin/deployment

setup generates keypair on demand
deployment endpoints provide one-liner install commands
ready for v0.1.22 testing

aggregator-server/cmd/server/main.go

@@ -42,6 +42,7 @@ func startWelcomeModeServer() {
 
 	// Setup endpoint for web configuration
 	router.POST("/api/setup/configure", setupHandler.ConfigureServer)
+	router.POST("/api/setup/generate-keys", setupHandler.GenerateSigningKeys)
 
 	// Setup endpoint for web configuration
 	router.GET("/setup", setupHandler.ShowSetupPage)
@@ -171,6 +172,7 @@ func main() {
 	rateLimitHandler := handlers.NewRateLimitHandler(rateLimiter)
 	downloadHandler := handlers.NewDownloadHandler(filepath.Join("/app"), cfg)
 	subsystemHandler := handlers.NewSubsystemHandler(subsystemQueries, commandQueries)
+	deploymentHandler := handlers.NewDeploymentHandler(registrationTokenQueries, agentQueries)
 
 	// Initialize verification handler
 	var verificationHandler *handlers.VerificationHandler
@@ -318,6 +320,12 @@ func main() {
 				admin.GET("/registration-tokens/stats", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), registrationTokenHandler.GetTokenStats)
 				admin.GET("/registration-tokens/validate", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), registrationTokenHandler.ValidateRegistrationToken)
 
+				// Deployment routes (token management with install commands)
+				admin.GET("/deployment/tokens", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), deploymentHandler.ListTokens)
+				admin.POST("/deployment/tokens", rateLimiter.RateLimit("admin_token_gen", middleware.KeyByUserID), deploymentHandler.CreateToken)
+				admin.GET("/deployment/tokens/:id", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), deploymentHandler.GetToken)
+				admin.DELETE("/deployment/tokens/:id", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), deploymentHandler.RevokeToken)
+
 				// Rate Limit Management
 				admin.GET("/rate-limits", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), rateLimitHandler.GetRateLimitSettings)
 				admin.PUT("/rate-limits", rateLimiter.RateLimit("admin_operations", middleware.KeyByUserID), rateLimitHandler.UpdateRateLimitSettings)

aggregator-server/internal/api/handlers/deployment.go

@@ -0,0 +1,96 @@
+package handlers
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/Fimeg/RedFlag/aggregator-server/internal/database/queries"
+	"github.com/gin-gonic/gin"
+)
+
+type DeploymentHandler struct {
+	registrationTokenQueries *queries.RegistrationTokenQueries
+	agentQueries            *queries.AgentQueries
+}
+
+func NewDeploymentHandler(regTokenQueries *queries.RegistrationTokenQueries, agentQueries *queries.AgentQueries) *DeploymentHandler {
+	return &DeploymentHandler{
+		registrationTokenQueries: regTokenQueries,
+		agentQueries:            agentQueries,
+	}
+}
+
+// ListTokens returns all registration tokens
+func (h *DeploymentHandler) ListTokens(c *gin.Context) {
+	tokens, err := h.registrationTokenQueries.ListAllTokens()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list tokens"})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"tokens": tokens})
+}
+
+// CreateToken creates a new registration token
+func (h *DeploymentHandler) CreateToken(c *gin.Context) {
+	var req struct {
+		MaxSeats  int    `json:"max_seats" binding:"required,min=1"`
+		ExpiresIn string `json:"expires_in"` // e.g., "24h", "7d"
+		Note      string `json:"note"`        // Optional note/label
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	// Parse expiration duration
+	var duration time.Duration
+	var err error
+	if req.ExpiresIn != "" {
+		duration, err = time.ParseDuration(req.ExpiresIn)
+		if err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "invalid expires_in format - use Go duration (e.g., 24h, 168h)"})
+			return
+		}
+	} else {
+		duration = 24 * time.Hour // Default 24 hours
+	}
+
+	expiresAt := time.Now().Add(duration)
+	token, err := h.registrationTokenQueries.CreateToken(req.MaxSeats, expiresAt)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create token"})
+		return
+	}
+
+	// Build install command
+	serverURL := c.Request.Host
+	installCommand := fmt.Sprintf("curl -sSL http://%s/api/v1/install/linux | bash -s -- %s", serverURL, token.Token)
+
+	c.JSON(http.StatusOK, gin.H{
+		"token": token,
+		"install_command": installCommand,
+		"message": "registration token created",
+	})
+}
+
+// RevokeToken revokes a registration token
+func (h *DeploymentHandler) RevokeToken(c *gin.Context) {
+	tokenID := c.Param("id")
+	if err := h.registrationTokenQueries.RevokeToken(tokenID); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to revoke token"})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"message": "token revoked"})
+}
+
+// GetToken returns details about a specific token
+func (h *DeploymentHandler) GetToken(c *gin.Context) {
+	tokenID := c.Param("id")
+	token, err := h.registrationTokenQueries.GetTokenByID(tokenID)
+	if err != nil {
+		c.JSON(http.StatusNotFound, gin.H{"error": "token not found"})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"token": token})
+}

aggregator-server/internal/api/handlers/setup.go

@@ -1,7 +1,10 @@
 package handlers
 
 import (
+	"crypto/ed25519"
+	"crypto/rand"
 	"database/sql"
+	"encoding/hex"
 	"fmt"
 	"net/http"
 	"strconv"
@@ -409,3 +412,28 @@ func (h *SetupHandler) ConfigureServer(c *gin.Context) {
 	})
 }
 
+// GenerateSigningKeys generates Ed25519 keypair for agent update signing
+func (h *SetupHandler) GenerateSigningKeys(c *gin.Context) {
+	// Generate Ed25519 keypair
+	publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to generate keypair"})
+		return
+	}
+
+	// Encode to hex
+	publicKeyHex := hex.EncodeToString(publicKey)
+	privateKeyHex := hex.EncodeToString(privateKey)
+
+	// Generate fingerprint (first 16 chars)
+	fingerprint := publicKeyHex[:16]
+
+	c.JSON(http.StatusOK, gin.H{
+		"public_key":  publicKeyHex,
+		"private_key": privateKeyHex,
+		"fingerprint": fingerprint,
+		"algorithm":   "ed25519",
+		"key_size":    32,
+	})
+}
+