New users cannot SSH into appliance — no key provisioning path

[ruvnet]

Problem

New appliance users have no way to SSH into the seed. The image ships with an empty authorized_keys for the genesis user, no password is set, and there is no API endpoint to add an SSH public key.

The only access path is USB HTTP (http://169.254.42.1/guide) and the REST API over USB — but SSH is completely locked out for fresh devices.

Current state

• create-release-image.sh sanitizes authorized_keys during image build (line 184)
• auto-first-boot.sh / first-boot.sh do not provision any SSH keys
• STATUS.txt tells users ssh genesis@169.254.42.1 but it won't work without a key
• No API endpoint exists to add SSH keys

Proposed fix

Add POST /api/v1/ssh/authorize endpoint:

• USB-only — reject requests from WiFi/non-link-local IPs (same trust model as pair/window)
• Accepts {"public_key": "ssh-ed25519 AAAA..."} in body
• Appends to /home/genesis/.ssh/authorized_keys (via helper script outside sandbox)
• Validates key format before writing (must start with ssh-ed25519, ssh-rsa, ecdsa-sha2-*)
• Deduplicates — won't add a key that's already present
• Add a "Setup SSH" section to the guide UI with paste field + button

Files to change

• src/cognitum-agent/src/api.rs — new endpoint + guide UI section
• scripts/cognitum/ssh-authorize.sh — helper script (runs outside mount namespace, like wifi-connect.sh)
• scripts/cognitum/ssh-authorize.service — systemd oneshot unit

Security considerations

• USB-only: link-local trust model (ADR-057) — physical access implies authorization
• Key format validation prevents injection
• No private key exposure — only accepts public keys
• Idempotent — duplicate keys ignored

Test plan

• POST valid ed25519 key over USB → key appears in authorized_keys, SSH works
• POST duplicate key → no duplicate written, 200 OK
• POST from WiFi IP → 403 rejected
• POST invalid key format → 400 error
• POST over USB after key added → SSH login succeeds