fix(database): B-1 schema integrity and migration fixes

- Fix migration 024 self-insert and bad column reference (F-B1-1, F-B1-2)
  Uses existing enabled/auto_run columns instead of non-existent deprecated
- Abort server on migration failure instead of warning (F-B1-11)
  main.go now calls log.Fatalf, prints [INFO] only on success
- Fix migration 018 scanner_config filename suffix (F-B1-3)
  Renumbered to 027 with .up.sql suffix
- Remove GRANT to non-existent role in scanner_config (F-B1-4)
- Resolve duplicate migration numbers 009 and 012 (F-B1-13)
  Renamed to 009b and 012b for unique lexical sorting
- Add IF NOT EXISTS to all non-idempotent migrations (F-B1-15)
  Fixed: 011, 012, 017, 023, 023a
- Replace N+1 dashboard stats loop with GetAllUpdateStats (F-B1-6)
  Single aggregate query replaces per-agent loop
- Add composite index on agent_commands(status, sent_at) (F-B1-5)
  New migration 028 with partial index for timeout service
- Add background refresh token cleanup goroutine (F-B1-10)
  24-hour ticker calls CleanupExpiredTokens
- ETHOS log format in migration runner (no emojis)

All 55 tests pass (41 server + 14 agent). No regressions.
See docs/B1_Fix_Implementation.md and DEV-025 through DEV-028.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 07:03:35 -04:00
parent ab676c3b83
commit ec0d880036
33 changed files with 420 additions and 537 deletions


@@ -2,15 +2,15 @@
-- This enables Ed25519 binary signing and machine binding
ALTER TABLE agents
ADD COLUMN machine_id VARCHAR(64) UNIQUE,
ADD COLUMN public_key_fingerprint VARCHAR(16),
ADD COLUMN is_updating BOOLEAN DEFAULT false,
ADD COLUMN updating_to_version VARCHAR(50),
ADD COLUMN update_initiated_at TIMESTAMP;
ADD COLUMN IF NOT EXISTS machine_id VARCHAR(64) UNIQUE,
ADD COLUMN IF NOT EXISTS public_key_fingerprint VARCHAR(16),
ADD COLUMN IF NOT EXISTS is_updating BOOLEAN DEFAULT false,
ADD COLUMN IF NOT EXISTS updating_to_version VARCHAR(50),
ADD COLUMN IF NOT EXISTS update_initiated_at TIMESTAMP;
-- Create index for machine ID lookups
CREATE INDEX idx_agents_machine_id ON agents(machine_id);
CREATE INDEX idx_agents_public_key_fingerprint ON agents(public_key_fingerprint);
CREATE INDEX IF NOT EXISTS idx_agents_machine_id ON agents(machine_id);
CREATE INDEX IF NOT EXISTS idx_agents_public_key_fingerprint ON agents(public_key_fingerprint);
-- Add comment to document the new fields
COMMENT ON COLUMN agents.machine_id IS 'Unique machine identifier to bind agent binaries to specific hardware';
@@ -20,7 +20,7 @@ COMMENT ON COLUMN agents.updating_to_version IS 'Target version for ongoing upda
COMMENT ON COLUMN agents.update_initiated_at IS 'When the update process started';
-- Create table for storing signed update packages
CREATE TABLE agent_update_packages (
CREATE TABLE IF NOT EXISTS agent_update_packages (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
version VARCHAR(50) NOT NULL,
platform VARCHAR(50) NOT NULL, -- linux-amd64, linux-arm64, windows-amd64, etc.
@@ -35,9 +35,9 @@ CREATE TABLE agent_update_packages (
);
-- Add indexes for update packages
CREATE INDEX idx_agent_update_packages_version ON agent_update_packages(version);
CREATE INDEX idx_agent_update_packages_platform ON agent_update_packages(platform, architecture);
CREATE INDEX idx_agent_update_packages_active ON agent_update_packages(is_active);
CREATE INDEX IF NOT EXISTS idx_agent_update_packages_version ON agent_update_packages(version);
CREATE INDEX IF NOT EXISTS idx_agent_update_packages_platform ON agent_update_packages(platform, architecture);
CREATE INDEX IF NOT EXISTS idx_agent_update_packages_active ON agent_update_packages(is_active);
-- Add comments for update packages table
COMMENT ON TABLE agent_update_packages IS 'Stores signed agent binary packages for secure updates';
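Review bot: `ADD COLUMN IF NOT EXISTS machine_id VARCHAR(64) UNIQUE` in the first hunk skips the whole clause, including the UNIQUE constraint, when a column of that name already exists, so a database that got the column by another route would silently lose the one-agent-per-machine guarantee that machine binding depends on. The same name-only check applies to `CREATE TABLE IF NOT EXISTS agent_update_packages` and to the `CREATE INDEX IF NOT EXISTS` statements in the other two hunks: an existing object with a different shape is kept unchanged and the migration still reports success. I would state the uniqueness as its own statement so it is enforced on every run, for example `CREATE UNIQUE INDEX IF NOT EXISTS idx_agents_machine_id_unique ON agents(machine_id);` (the index name is a suggestion), and add above the ALTER a comment such as `-- IF NOT EXISTS matches by name only; it does not verify the type or constraints of an existing column`. Whether the runner wraps each migration in a transaction is not visible here; if it does, a failed run leaves nothing behind and these guards mostly hide schema drift rather than make reruns safe.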