feat: machine binding and version enforcement

migration 017 adds machine_id to agents table
middleware validates X-Machine-ID header on authed routes
agent client sends machine ID with requests
MIN_AGENT_VERSION config defaults 0.1.22
version utils added for comparison

blocks config copying attacks via hardware fingerprint
old agents get 426 upgrade required
breaking: <0.1.22 agents rejected

aggregator-server/internal/api/middleware/machine_binding.go

@@ -0,0 +1,99 @@
+package middleware
+
+import (
+	"log"
+	"net/http"
+
+	"github.com/Fimeg/RedFlag/aggregator-server/internal/database/queries"
+	"github.com/Fimeg/RedFlag/aggregator-server/internal/utils"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+// MachineBindingMiddleware validates machine ID matches database record
+// This prevents agent impersonation via config file copying to different machines
+func MachineBindingMiddleware(agentQueries *queries.AgentQueries, minAgentVersion string) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Skip if not authenticated (handled by auth middleware)
+		agentIDVal, exists := c.Get("agent_id")
+		if !exists {
+			c.Next()
+			return
+		}
+
+		agentID, ok := agentIDVal.(uuid.UUID)
+		if !ok {
+			log.Printf("[MachineBinding] Invalid agent_id type in context")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "invalid agent ID"})
+			c.Abort()
+			return
+		}
+
+		// Get agent from database
+		agent, err := agentQueries.GetAgentByID(agentID)
+		if err != nil {
+			log.Printf("[MachineBinding] Agent %s not found: %v", agentID, err)
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "agent not found"})
+			c.Abort()
+			return
+		}
+
+		// Check minimum version (hard cutoff for legacy de-support)
+		if agent.CurrentVersion != "" && minAgentVersion != "" {
+			if !utils.IsNewerOrEqualVersion(agent.CurrentVersion, minAgentVersion) {
+				log.Printf("[MachineBinding] Agent %s version %s below minimum %s - rejecting",
+					agent.Hostname, agent.CurrentVersion, minAgentVersion)
+				c.JSON(http.StatusUpgradeRequired, gin.H{
+					"error":           "agent version too old - upgrade required for security",
+					"current_version": agent.CurrentVersion,
+					"minimum_version": minAgentVersion,
+					"upgrade_instructions": "Please upgrade to the latest agent version and re-register",
+				})
+				c.Abort()
+				return
+			}
+		}
+
+		// Extract X-Machine-ID header
+		reportedMachineID := c.GetHeader("X-Machine-ID")
+		if reportedMachineID == "" {
+			log.Printf("[MachineBinding] Agent %s (%s) missing X-Machine-ID header",
+				agent.Hostname, agentID)
+			c.JSON(http.StatusForbidden, gin.H{
+				"error": "missing machine ID header - agent version too old or tampered",
+				"hint":  "Please upgrade to the latest agent version (v0.1.22+)",
+			})
+			c.Abort()
+			return
+		}
+
+		// Validate machine ID matches database
+		if agent.MachineID == nil {
+			log.Printf("[MachineBinding] Agent %s (%s) has no machine_id in database - legacy agent",
+				agent.Hostname, agentID)
+			c.JSON(http.StatusForbidden, gin.H{
+				"error": "agent not bound to machine - re-registration required",
+				"hint":  "This agent was registered before v0.1.22. Please re-register with a new registration token.",
+			})
+			c.Abort()
+			return
+		}
+
+		if *agent.MachineID != reportedMachineID {
+			log.Printf("[MachineBinding] ⚠️  SECURITY ALERT: Agent %s (%s) machine ID mismatch! DB=%s, Reported=%s",
+				agent.Hostname, agentID, *agent.MachineID, reportedMachineID)
+			c.JSON(http.StatusForbidden, gin.H{
+				"error":       "machine ID mismatch - config file copied to different machine",
+				"hint":        "Agent configuration is bound to the original machine. Please register this machine with a new registration token.",
+				"security_note": "This prevents agent impersonation attacks",
+			})
+			c.Abort()
+			return
+		}
+
+		// Machine ID validated - allow request
+		log.Printf("[MachineBinding] ✓ Agent %s (%s) machine ID validated: %s",
+			agent.Hostname, agentID, reportedMachineID[:16]+"...")
+		c.Next()
+	}
+}