feat(iso): 2.1-2.3 — debug ISO builder with SSH access

Builder setup:
- iso/builder/VERSIONS: pinned Alpine 3.21, Go 1.23.6, NVIDIA 550.54.15
- iso/builder/setup-builder.sh: installs build deps + Go on Alpine VM, verifies packages
- iso/builder/build-debug.sh: compiles audit binary, injects SSH keys, builds ISO
- iso/builder/mkimg.bee_debug.sh: Alpine mkimage profile (all audit packages + dropbear)

SSH access (same Ed25519 key as release signing):
- auto-collects ~/.keys/*.key.pub into authorized_keys at build time
- fallback: user bee / password eeb when no keys available
- bee-sshsetup init.d service: creates bee user, sets password, logs status

Debug overlay:
- bee-network: DHCP on all physical interfaces before SSH/audit
- bee-audit-debug: runs audit on boot, leaves SSH up after
- bee-sshsetup: key/password SSH setup
- motd: shows log paths, re-run command, SSH access info

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

iso/builder/VERSIONS

@@ -0,0 +1,4 @@
+ALPINE_VERSION=3.21
+KERNEL_VERSION=6.6
+NVIDIA_DRIVER_VERSION=550.54.15
+GO_VERSION=1.23.6

iso/builder/build-debug.sh

@@ -0,0 +1,107 @@
+#!/bin/sh
+# build-debug.sh — build bee debug ISO with SSH access
+#
+# Debug ISO purpose: test audit binary on real hardware.
+# Includes dropbear SSH, all audit packages, audit binary.
+# Does NOT include NVIDIA driver (added in production build).
+#
+# Run on Alpine builder VM as root after setup-builder.sh.
+# Usage:
+#   sh iso/builder/build-debug.sh [--authorized-keys /path/to/authorized_keys]
+
+set -e
+
+REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+BUILDER_DIR="${REPO_ROOT}/iso/builder"
+OVERLAY_DIR="${REPO_ROOT}/iso/overlay-debug"
+DIST_DIR="${REPO_ROOT}/dist"
+AUTH_KEYS=""
+
+# parse args
+while [ $# -gt 0 ]; do
+    case "$1" in
+        --authorized-keys) AUTH_KEYS="$2"; shift 2 ;;
+        *) echo "unknown arg: $1"; exit 1 ;;
+    esac
+done
+
+. "${BUILDER_DIR}/VERSIONS"
+export PATH="$PATH:/usr/local/go/bin"
+
+echo "=== bee debug ISO build ==="
+echo "Alpine: ${ALPINE_VERSION}, Go: ${GO_VERSION}"
+echo ""
+
+# --- compile audit binary (static, Linux amd64) ---
+echo "=== building audit binary ==="
+cd "${REPO_ROOT}/audit"
+GOOS=linux GOARCH=amd64 CGO_ENABLED=0 \
+    go build \
+    -ldflags "-s -w -X main.Version=debug-$(date +%Y%m%d)" \
+    -o "${DIST_DIR}/bee-audit-linux-amd64" \
+    ./cmd/audit
+echo "binary: ${DIST_DIR}/bee-audit-linux-amd64"
+echo "size:   $(du -sh "${DIST_DIR}/bee-audit-linux-amd64" | cut -f1)"
+
+# --- inject authorized_keys for SSH access ---
+# Uses the same Ed25519 keys as release signing (from git.mchus.pro/mchus/keys).
+# SSH public keys are stored alongside signing keys as ~/.keys/<name>.key.pub
+AUTHORIZED_KEYS_FILE="${OVERLAY_DIR}/root/.ssh/authorized_keys"
+mkdir -p "${OVERLAY_DIR}/root/.ssh"
+
+if [ -n "$AUTH_KEYS" ]; then
+    cp "$AUTH_KEYS" "$AUTHORIZED_KEYS_FILE"
+    chmod 600 "$AUTHORIZED_KEYS_FILE"
+    echo "SSH authorized_keys: installed from $AUTH_KEYS"
+else
+    # auto-collect all developer SSH public keys from ~/.keys/*.key.pub
+    > "$AUTHORIZED_KEYS_FILE"
+    FOUND=0
+    for ssh_pub in "$HOME"/.keys/*.key.pub; do
+        [ -f "$ssh_pub" ] || continue
+        cat "$ssh_pub" >> "$AUTHORIZED_KEYS_FILE"
+        echo "SSH: added $(basename "$ssh_pub" .key.pub)"
+        FOUND=$((FOUND + 1))
+    done
+    if [ "$FOUND" -gt 0 ]; then
+        chmod 600 "$AUTHORIZED_KEYS_FILE"
+        echo "SSH authorized_keys: $FOUND key(s) from ~/.keys/*.key.pub"
+    else
+        echo "WARNING: no SSH public keys found — falling back to password auth"
+        echo "  root password will be set to: bee / eeb"
+        echo "  (generate a key with: sh keys/scripts/keygen.sh <your-name>)"
+        USE_PASSWORD_FALLBACK=1
+    fi
+fi
+
+# --- password fallback: write marker file read by init script ---
+if [ "${USE_PASSWORD_FALLBACK:-0}" = "1" ]; then
+    touch "${OVERLAY_DIR}/etc/bee-ssh-password-fallback"
+fi
+
+# --- copy audit binary into overlay ---
+mkdir -p "${OVERLAY_DIR}/usr/local/bin"
+cp "${DIST_DIR}/bee-audit-linux-amd64" "${OVERLAY_DIR}/usr/local/bin/audit"
+chmod +x "${OVERLAY_DIR}/usr/local/bin/audit"
+
+# --- build ISO using mkimage ---
+mkdir -p "${DIST_DIR}"
+echo ""
+echo "=== building ISO ==="
+
+sh /usr/share/aports/scripts/mkimage.sh \
+    --tag "v${ALPINE_VERSION}" \
+    --outdir "${DIST_DIR}" \
+    --arch x86_64 \
+    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main" \
+    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/community" \
+    --workdir /tmp/bee-iso-work \
+    --profile bee_debug
+
+ISO="${DIST_DIR}/alpine-bee_debug-${ALPINE_VERSION}-x86_64.iso"
+echo ""
+echo "=== done ==="
+echo "ISO: $ISO"
+echo "Size: $(du -sh "$ISO" 2>/dev/null | cut -f1 || echo 'not found')"
+echo ""
+echo "Boot via BMC virtual media and SSH to the server IP on port 22 as root."

iso/builder/mkimg.bee_debug.sh

@@ -0,0 +1,60 @@
+#!/bin/sh
+# Alpine mkimage profile: bee_debug
+# Minimal LiveCD with audit binary + SSH for development/testing.
+# No NVIDIA driver. SSH root login enabled.
+
+profile_bee_debug() {
+    title="Bee Hardware Audit (debug)"
+    desc="Hardware audit LiveCD with SSH access for testing"
+    image_ext="iso"
+    output_format="iso"
+    kernel_flavors="lts"
+    kernel_addons=""
+    syslinux_serial="0 115200"
+    apks="
+        alpine-base
+        linux-lts
+        linux-firmware-none
+
+        dmidecode
+        smartmontools
+        nvme-cli
+        pciutils
+        ipmitool
+        util-linux
+        lsblk
+        e2fsprogs
+        lshw
+
+        dropbear
+        udhcpc
+        openrc
+        qrencode
+        tzdata
+        ca-certificates
+
+        strace
+        procps
+        lsof
+        file
+        less
+        vim
+    "
+
+    # overlay is applied after package install
+    # contains: audit binary, dropbear init, authorized_keys
+}
+
+build_bee_debug() {
+    # copy overlay files into rootfs
+    local overlay="${SRCDIR}/../../overlay-debug"
+    if [ -d "$overlay" ]; then
+        cp -r "${overlay}/." "${ROOTFS}/"
+    fi
+
+    # enable services
+    _bootscript default bee-sshsetup
+    _bootscript default dropbear
+    _bootscript default bee-network
+    _bootscript default bee-audit-debug
+}

iso/builder/setup-builder.sh

@@ -0,0 +1,105 @@
+#!/bin/sh
+# setup-builder.sh — prepare Alpine VM as bee ISO builder
+#
+# Run once on a fresh Alpine 3.21 VM as root.
+# After this script completes, the VM can build ISO images.
+#
+# Usage (on Alpine VM):
+#   wget -O- https://git.mchus.pro/mchus/bee/raw/branch/main/iso/builder/setup-builder.sh | sh
+#   or: sh setup-builder.sh
+
+set -e
+
+. "$(dirname "$0")/VERSIONS" 2>/dev/null || true
+GO_VERSION="${GO_VERSION:-1.23.6}"
+
+echo "=== bee builder setup ==="
+echo "Alpine: $(cat /etc/alpine-release)"
+echo "Go target: ${GO_VERSION}"
+echo ""
+
+# --- system packages ---
+apk update
+apk add \
+    alpine-sdk \
+    abuild \
+    squashfs-tools \
+    xorriso \
+    mtools \
+    grub \
+    grub-efi \
+    grub-bios \
+    git \
+    wget \
+    curl \
+    tar \
+    xz
+
+# --- audit runtime packages (verify they exist in Alpine repos) ---
+echo ""
+echo "=== verifying audit runtime packages ==="
+RUNTIME_PKGS="
+    dmidecode
+    smartmontools
+    nvme-cli
+    pciutils
+    ipmitool
+    util-linux
+    e2fsprogs
+    qrencode
+    dropbear
+    udhcpc
+    pciutils-libs
+    lshw
+"
+MISSING=""
+for pkg in $RUNTIME_PKGS; do
+    if apk info --quiet "$pkg" 2>/dev/null || apk search --quiet "$pkg" 2>/dev/null | grep -q "^${pkg}-"; then
+        echo "  OK: $pkg"
+    else
+        echo "  MISSING: $pkg"
+        MISSING="$MISSING $pkg"
+    fi
+done
+if [ -n "$MISSING" ]; then
+    echo ""
+    echo "WARNING: missing packages:$MISSING"
+    echo "These will not be available in the ISO."
+fi
+
+# --- Go toolchain ---
+echo ""
+echo "=== installing Go ${GO_VERSION} ==="
+if [ -d /usr/local/go ] && /usr/local/go/bin/go version 2>/dev/null | grep -q "${GO_VERSION}"; then
+    echo "Go ${GO_VERSION} already installed"
+else
+    ARCH=$(uname -m)
+    case "$ARCH" in
+        x86_64) GOARCH=amd64 ;;
+        aarch64) GOARCH=arm64 ;;
+        *) echo "unsupported arch: $ARCH"; exit 1 ;;
+    esac
+    wget -O /tmp/go.tar.gz \
+        "https://go.dev/dl/go${GO_VERSION}.linux-${GOARCH}.tar.gz"
+    rm -rf /usr/local/go
+    tar -C /usr/local -xzf /tmp/go.tar.gz
+    rm /tmp/go.tar.gz
+fi
+export PATH="$PATH:/usr/local/go/bin"
+echo "Go: $(go version)"
+
+# --- alpine-conf for mkimage ---
+apk add alpine-conf
+
+# --- aports for mkimage.sh ---
+if [ ! -d /usr/share/aports ]; then
+    echo ""
+    echo "=== cloning aports ==="
+    git clone --depth=1 --branch "v${ALPINE_VERSION:-3.21}.0" \
+        https://gitlab.alpinelinux.org/alpine/aports.git \
+        /usr/share/aports
+fi
+
+echo ""
+echo "=== builder setup complete ==="
+echo "Next: sh iso/builder/build-debug.sh"