feat(security): A-1 Ed25519 key rotation + A-2 replay attack fixes

Complete RedFlag codebase with two major security audit implementations.

== A-1: Ed25519 Key Rotation Support ==

Server:
- SignCommand sets SignedAt timestamp and KeyID on every signature
- signing_keys database table (migration 020) for multi-key rotation
- InitializePrimaryKey registers active key at startup
- /api/v1/public-keys endpoint for rotation-aware agents
- SigningKeyQueries for key lifecycle management

Agent:
- Key-ID-aware verification via CheckKeyRotation
- FetchAndCacheAllActiveKeys for rotation pre-caching
- Cache metadata with TTL and staleness fallback
- SecurityLogger events for key rotation and command signing

== A-2: Replay Attack Fixes (F-1 through F-7) ==

F-5 CRITICAL - RetryCommand now signs via signAndCreateCommand
F-1 HIGH     - v3 format: "{agent_id}:{cmd_id}:{type}:{hash}:{ts}"
F-7 HIGH     - Migration 026: expires_at column with partial index
F-6 HIGH     - GetPendingCommands/GetStuckCommands filter by expires_at
F-2 HIGH     - Agent-side executedIDs dedup map with cleanup
F-4 HIGH     - commandMaxAge reduced from 24h to 4h
F-3 CRITICAL - Old-format commands rejected after 48h via CreatedAt

Verification fixes: migration idempotency (ETHOS #4), log format
compliance (ETHOS #1), stale comments updated.

All 24 tests passing. Docker --no-cache build verified.
See docs/ for full audit reports and deviation log (DEV-001 to DEV-019).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/build-secure-agent.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# RedFlag Agent Build Script
+# Builds agent binary (public key fetched from server at runtime)
+
+set -e
+
+echo "[INFO] [build] RedFlag Agent Build"
+echo "================================="
+
+# Build agent
+echo "[INFO] [build] Building agent..."
+cd aggregator-agent
+
+go build \
+    -o redflag-agent \
+    ./cmd/agent
+
+cd ..
+
+echo "[INFO] [build] Agent build complete!"
+echo "   Binary: aggregator-agent/redflag-agent"
+echo ""
+echo "[INFO] [build] Note: Agent will fetch the server's public key automatically at startup"

scripts/generate-keypair.go

@@ -0,0 +1,34 @@
+//go:build ignore
+// +build ignore
+
+package main
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"os"
+)
+
+func main() {
+	// Generate Ed25519 keypair
+	publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		fmt.Printf("Failed to generate keypair: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Output keys in hex format
+	fmt.Printf("Ed25519 Keypair Generated:\n\n")
+	fmt.Printf("Private Key (keep secret, add to server env):\n")
+	fmt.Printf("REDFLAG_SIGNING_PRIVATE_KEY=%s\n", hex.EncodeToString(privateKey))
+
+	fmt.Printf("\nPublic Key (embed in agent binaries):\n")
+	fmt.Printf("REDFLAG_PUBLIC_KEY=%s\n", hex.EncodeToString(publicKey))
+
+	fmt.Printf("\nPublic Key Fingerprint (for database):\n")
+	fmt.Printf("Fingerprint: %s\n", hex.EncodeToString(publicKey[:8])) // First 8 bytes as fingerprint
+
+	fmt.Printf("\nAdd the private key to your server environment and embed the public key in agent builds.\n")
+}