feat: machine binding and version enforcement

migration 017 adds machine_id to agents table
middleware validates X-Machine-ID header on authed routes
agent client sends machine ID with requests
MIN_AGENT_VERSION config defaults 0.1.22
version utils added for comparison

blocks config copying attacks via hardware fingerprint
old agents get 426 upgrade required
breaking: <0.1.22 agents rejected

aggregator-server/internal/api/handlers/system.go

@@ -0,0 +1,57 @@
+package handlers
+
+import (
+	"net/http"
+
+	"github.com/Fimeg/RedFlag/aggregator-server/internal/services"
+	"github.com/gin-gonic/gin"
+)
+
+// SystemHandler handles system-level operations
+type SystemHandler struct {
+	signingService *services.SigningService
+}
+
+// NewSystemHandler creates a new system handler
+func NewSystemHandler(ss *services.SigningService) *SystemHandler {
+	return &SystemHandler{
+		signingService: ss,
+	}
+}
+
+// GetPublicKey returns the server's Ed25519 public key for signature verification
+// This allows agents to fetch the public key at runtime instead of embedding it at build time
+func (h *SystemHandler) GetPublicKey(c *gin.Context) {
+	if h.signingService == nil {
+		c.JSON(http.StatusServiceUnavailable, gin.H{
+			"error": "signing service not configured",
+			"hint":  "Set REDFLAG_SIGNING_PRIVATE_KEY environment variable",
+		})
+		return
+	}
+
+	pubKeyHex := h.signingService.GetPublicKey()
+	fingerprint := h.signingService.GetPublicKeyFingerprint()
+
+	c.JSON(http.StatusOK, gin.H{
+		"public_key":  pubKeyHex,
+		"fingerprint": fingerprint,
+		"algorithm":   "ed25519",
+		"key_size":    32,
+	})
+}
+
+// GetSystemInfo returns general system information
+func (h *SystemHandler) GetSystemInfo(c *gin.Context) {
+	c.JSON(http.StatusOK, gin.H{
+		"version":     "v0.1.21",
+		"name":        "RedFlag Aggregator",
+		"description": "Self-hosted update management platform",
+		"features": []string{
+			"agent_management",
+			"update_tracking",
+			"command_execution",
+			"ed25519_signing",
+		},
+	})
+}