feat(iso): 2.1-2.3 — debug ISO builder with SSH access

Builder setup:
- iso/builder/VERSIONS: pinned Alpine 3.21, Go 1.23.6, NVIDIA 550.54.15
- iso/builder/setup-builder.sh: installs build deps + Go on Alpine VM, verifies packages
- iso/builder/build-debug.sh: compiles audit binary, injects SSH keys, builds ISO
- iso/builder/mkimg.bee_debug.sh: Alpine mkimage profile (all audit packages + dropbear)

SSH access (same Ed25519 key as release signing):
- auto-collects ~/.keys/*.key.pub into authorized_keys at build time
- fallback: user bee / password eeb when no keys available
- bee-sshsetup init.d service: creates bee user, sets password, logs status

Debug overlay:
- bee-network: DHCP on all physical interfaces before SSH/audit
- bee-audit-debug: runs audit on boot, leaves SSH up after
- bee-sshsetup: key/password SSH setup
- motd: shows log paths, re-run command, SSH access info

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

iso/builder/setup-builder.sh

@@ -0,0 +1,105 @@
+#!/bin/sh
+# setup-builder.sh — prepare Alpine VM as bee ISO builder
+#
+# Run once on a fresh Alpine 3.21 VM as root.
+# After this script completes, the VM can build ISO images.
+#
+# Usage (on Alpine VM):
+#   wget -O- https://git.mchus.pro/mchus/bee/raw/branch/main/iso/builder/setup-builder.sh | sh
+#   or: sh setup-builder.sh
+
+set -e
+
+. "$(dirname "$0")/VERSIONS" 2>/dev/null || true
+GO_VERSION="${GO_VERSION:-1.23.6}"
+
+echo "=== bee builder setup ==="
+echo "Alpine: $(cat /etc/alpine-release)"
+echo "Go target: ${GO_VERSION}"
+echo ""
+
+# --- system packages ---
+apk update
+apk add \
+    alpine-sdk \
+    abuild \
+    squashfs-tools \
+    xorriso \
+    mtools \
+    grub \
+    grub-efi \
+    grub-bios \
+    git \
+    wget \
+    curl \
+    tar \
+    xz
+
+# --- audit runtime packages (verify they exist in Alpine repos) ---
+echo ""
+echo "=== verifying audit runtime packages ==="
+RUNTIME_PKGS="
+    dmidecode
+    smartmontools
+    nvme-cli
+    pciutils
+    ipmitool
+    util-linux
+    e2fsprogs
+    qrencode
+    dropbear
+    udhcpc
+    pciutils-libs
+    lshw
+"
+MISSING=""
+for pkg in $RUNTIME_PKGS; do
+    if apk info --quiet "$pkg" 2>/dev/null || apk search --quiet "$pkg" 2>/dev/null | grep -q "^${pkg}-"; then
+        echo "  OK: $pkg"
+    else
+        echo "  MISSING: $pkg"
+        MISSING="$MISSING $pkg"
+    fi
+done
+if [ -n "$MISSING" ]; then
+    echo ""
+    echo "WARNING: missing packages:$MISSING"
+    echo "These will not be available in the ISO."
+fi
+
+# --- Go toolchain ---
+echo ""
+echo "=== installing Go ${GO_VERSION} ==="
+if [ -d /usr/local/go ] && /usr/local/go/bin/go version 2>/dev/null | grep -q "${GO_VERSION}"; then
+    echo "Go ${GO_VERSION} already installed"
+else
+    ARCH=$(uname -m)
+    case "$ARCH" in
+        x86_64) GOARCH=amd64 ;;
+        aarch64) GOARCH=arm64 ;;
+        *) echo "unsupported arch: $ARCH"; exit 1 ;;
+    esac
+    wget -O /tmp/go.tar.gz \
+        "https://go.dev/dl/go${GO_VERSION}.linux-${GOARCH}.tar.gz"
+    rm -rf /usr/local/go
+    tar -C /usr/local -xzf /tmp/go.tar.gz
+    rm /tmp/go.tar.gz
+fi
+export PATH="$PATH:/usr/local/go/bin"
+echo "Go: $(go version)"
+
+# --- alpine-conf for mkimage ---
+apk add alpine-conf
+
+# --- aports for mkimage.sh ---
+if [ ! -d /usr/share/aports ]; then
+    echo ""
+    echo "=== cloning aports ==="
+    git clone --depth=1 --branch "v${ALPINE_VERSION:-3.21}.0" \
+        https://gitlab.alpinelinux.org/alpine/aports.git \
+        /usr/share/aports
+fi
+
+echo ""
+echo "=== builder setup complete ==="
+echo "Next: sh iso/builder/build-debug.sh"