feat: machine binding and version enforcement

migration 017 adds machine_id to agents table
middleware validates X-Machine-ID header on authed routes
agent client sends machine ID with requests
MIN_AGENT_VERSION config defaults 0.1.22
version utils added for comparison

blocks config copying attacks via hardware fingerprint
old agents get 426 upgrade required
breaking: <0.1.22 agents rejected

aggregator-server/internal/api/handlers/agents.go

@@ -71,18 +71,30 @@ func (h *AgentHandler) RegisterAgent(c *gin.Context) {
 		return
 	}
 
+	// Validate machine ID and public key fingerprint if provided
+	if req.MachineID != "" {
+		// Check if machine ID is already registered to another agent
+		existingAgent, err := h.agentQueries.GetAgentByMachineID(req.MachineID)
+		if err == nil && existingAgent != nil && existingAgent.ID.String() != "" {
+			c.JSON(http.StatusConflict, gin.H{"error": "machine ID already registered to another agent"})
+			return
+		}
+	}
+
 	// Create new agent
 	agent := &models.Agent{
-		ID:             uuid.New(),
-		Hostname:       req.Hostname,
-		OSType:         req.OSType,
-		OSVersion:      req.OSVersion,
-		OSArchitecture: req.OSArchitecture,
-		AgentVersion:   req.AgentVersion,
-		CurrentVersion: req.AgentVersion,
-		LastSeen:       time.Now(),
-		Status:         "online",
-		Metadata:       models.JSONB{},
+		ID:                  uuid.New(),
+		Hostname:            req.Hostname,
+		OSType:              req.OSType,
+		OSVersion:           req.OSVersion,
+		OSArchitecture:      req.OSArchitecture,
+		AgentVersion:        req.AgentVersion,
+		CurrentVersion:      req.AgentVersion,
+		MachineID:           &req.MachineID,
+		PublicKeyFingerprint: &req.PublicKeyFingerprint,
+		LastSeen:            time.Now(),
+		Status:              "online",
+		Metadata:            models.JSONB{},
 	}
 
 	// Add metadata if provided