feat(security): A-1 Ed25519 key rotation + A-2 replay attack fixes

Complete RedFlag codebase with two major security audit implementations.

== A-1: Ed25519 Key Rotation Support ==

Server:
- SignCommand sets SignedAt timestamp and KeyID on every signature
- signing_keys database table (migration 020) for multi-key rotation
- InitializePrimaryKey registers active key at startup
- /api/v1/public-keys endpoint for rotation-aware agents
- SigningKeyQueries for key lifecycle management

Agent:
- Key-ID-aware verification via CheckKeyRotation
- FetchAndCacheAllActiveKeys for rotation pre-caching
- Cache metadata with TTL and staleness fallback
- SecurityLogger events for key rotation and command signing

== A-2: Replay Attack Fixes (F-1 through F-7) ==

F-5 CRITICAL - RetryCommand now signs via signAndCreateCommand
F-1 HIGH     - v3 format: "{agent_id}:{cmd_id}:{type}:{hash}:{ts}"
F-7 HIGH     - Migration 026: expires_at column with partial index
F-6 HIGH     - GetPendingCommands/GetStuckCommands filter by expires_at
F-2 HIGH     - Agent-side executedIDs dedup map with cleanup
F-4 HIGH     - commandMaxAge reduced from 24h to 4h
F-3 CRITICAL - Old-format commands rejected after 48h via CreatedAt

Verification fixes: migration idempotency (ETHOS #4), log format
compliance (ETHOS #1), stale comments updated.

All 24 tests passing. Docker --no-cache build verified.
See docs/ for full audit reports and deviation log (DEV-001 to DEV-019).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

test_disk_detection.go

@@ -0,0 +1,62 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"path/filepath"
+	"runtime"
+
+	"github.com/redflag-aggregator/aggregator-agent/internal/system"
+)
+
+func main() {
+	// Get the absolute path to this file's directory
+	_, filename, _, _ := runtime.Caller(0)
+	dir := filepath.Dir(filename)
+
+	// Change to the project root to find the go.mod file
+	projectRoot := filepath.Dir(dir)
+
+	// Test lightweight metrics (most common use case)
+	fmt.Println("=== Enhanced Lightweight Metrics Test ===")
+	metrics, err := system.GetLightweightMetrics()
+	if err != nil {
+		log.Printf("Error getting lightweight metrics: %v", err)
+	} else {
+		// Pretty print the JSON
+		jsonData, _ := json.MarshalIndent(metrics, "", "  ")
+		fmt.Printf("LightweightMetrics:\n%s\n\n", jsonData)
+
+		// Show key findings
+		fmt.Printf("Root Disk: %.1fGB used / %.1fGB total (%.1f%%)\n",
+			metrics.DiskUsedGB, metrics.DiskTotalGB, metrics.DiskPercent)
+
+		if metrics.LargestDiskTotalGB > 0 {
+			fmt.Printf("Largest Disk (%s): %.1fGB used / %.1fGB total (%.1f%%)\n",
+				metrics.LargestDiskMount, metrics.LargestDiskUsedGB, metrics.LargestDiskTotalGB, metrics.LargestDiskPercent)
+		}
+	}
+
+	// Test full system info (detailed disk inventory)
+	fmt.Println("\n=== Enhanced System Info Test ===")
+	sysInfo, err := system.GetSystemInfo("test-v0.1.5")
+	if err != nil {
+		log.Printf("Error getting system info: %v", err)
+	} else {
+		fmt.Printf("Found %d disks:\n", len(sysInfo.DiskInfo))
+		for i, disk := range sysInfo.DiskInfo {
+			fmt.Printf("  Disk %d: %s (%s) - %s, %.1fGB used / %.1fGB total (%.1f%%)",
+				i+1, disk.Mountpoint, disk.Filesystem, disk.DiskType,
+				float64(disk.Used)/(1024*1024*1024), float64(disk.Total)/(1024*1024*1024), disk.UsedPercent)
+
+			if disk.IsRoot {
+				fmt.Printf(" [ROOT]")
+			}
+			if disk.IsLargest {
+				fmt.Printf(" [LARGEST]")
+			}
+			fmt.Printf("\n")
+		}
+	}
+}