feat: machine binding and version enforcement

migration 017 adds machine_id to agents table
middleware validates X-Machine-ID header on authed routes
agent client sends machine ID with requests
MIN_AGENT_VERSION config defaults 0.1.22
version utils added for comparison

blocks config copying attacks via hardware fingerprint
old agents get 426 upgrade required
breaking: <0.1.22 agents rejected

scripts/build-secure-agent.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# RedFlag Agent Build Script
+# Builds agent binary (public key fetched from server at runtime)
+
+set -e
+
+echo "🔨 RedFlag Agent Build"
+echo "====================="
+
+# Build agent
+echo "Building agent..."
+cd aggregator-agent
+
+go build \
+    -o redflag-agent \
+    ./cmd/agent
+
+cd ..
+
+echo "✅ Agent build complete!"
+echo "   Binary: aggregator-agent/redflag-agent"
+echo ""
+echo "ℹ️  Note: Agent will fetch the server's public key automatically at startup"

scripts/generate-keypair.go

@@ -0,0 +1,34 @@
+//go:build ignore
+// +build ignore
+
+package main
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"os"
+)
+
+func main() {
+	// Generate Ed25519 keypair
+	publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		fmt.Printf("Failed to generate keypair: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Output keys in hex format
+	fmt.Printf("Ed25519 Keypair Generated:\n\n")
+	fmt.Printf("Private Key (keep secret, add to server env):\n")
+	fmt.Printf("REDFLAG_SIGNING_PRIVATE_KEY=%s\n", hex.EncodeToString(privateKey))
+
+	fmt.Printf("\nPublic Key (embed in agent binaries):\n")
+	fmt.Printf("REDFLAG_PUBLIC_KEY=%s\n", hex.EncodeToString(publicKey))
+
+	fmt.Printf("\nPublic Key Fingerprint (for database):\n")
+	fmt.Printf("Fingerprint: %s\n", hex.EncodeToString(publicKey[:8])) // First 8 bytes as fingerprint
+
+	fmt.Printf("\nAdd the private key to your server environment and embed the public key in agent builds.\n")
+}