feat(iso): 2.1-2.3 — debug ISO builder with SSH access

Builder setup:
- iso/builder/VERSIONS: pinned Alpine 3.21, Go 1.23.6, NVIDIA 550.54.15
- iso/builder/setup-builder.sh: installs build deps + Go on Alpine VM, verifies packages
- iso/builder/build-debug.sh: compiles audit binary, injects SSH keys, builds ISO
- iso/builder/mkimg.bee_debug.sh: Alpine mkimage profile (all audit packages + dropbear)

SSH access (same Ed25519 key as release signing):
- auto-collects ~/.keys/*.key.pub into authorized_keys at build time
- fallback: user bee / password eeb when no keys available
- bee-sshsetup init.d service: creates bee user, sets password, logs status

Debug overlay:
- bee-network: DHCP on all physical interfaces before SSH/audit
- bee-audit-debug: runs audit on boot, leaves SSH up after
- bee-sshsetup: key/password SSH setup
- motd: shows log paths, re-run command, SSH access info

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

iso/overlay-debug/etc/dropbear/dropbear.conf

@@ -0,0 +1 @@
+DROPBEAR_OPTS="-p 22 -R -B"

iso/overlay-debug/etc/init.d/bee-audit-debug

@@ -0,0 +1,21 @@
+#!/sbin/openrc-run
+
+description="Bee: run hardware audit (debug mode — SSH stays up after)"
+
+depend() {
+    need localmount
+    after bee-network
+}
+
+start() {
+    ebegin "Running hardware audit"
+    /usr/local/bin/audit --output stdout > /var/log/bee-audit.json 2>/var/log/bee-audit.log
+    local rc=$?
+    if [ $rc -eq 0 ]; then
+        einfo "Audit complete: /var/log/bee-audit.json"
+        einfo "SSH in and inspect results. Dropbear is running."
+    else
+        ewarn "Audit finished with errors — check /var/log/bee-audit.log"
+    fi
+    eend 0
+}

iso/overlay-debug/etc/init.d/bee-network

@@ -0,0 +1,15 @@
+#!/sbin/openrc-run
+
+description="Bee: bring up network interfaces via DHCP"
+
+depend() {
+    need localmount
+    before bee-audit-debug
+    before dropbear
+}
+
+start() {
+    ebegin "Bringing up network interfaces"
+    /usr/local/bin/bee-network.sh >> /var/log/bee-network.log 2>&1
+    eend 0
+}

iso/overlay-debug/etc/init.d/bee-sshsetup

@@ -0,0 +1,28 @@
+#!/sbin/openrc-run
+
+description="Bee: configure SSH access (keys or password fallback)"
+
+depend() {
+    need localmount
+    before dropbear
+}
+
+start() {
+    # Always create dedicated 'bee' user for password fallback.
+    # If no SSH keys embedded: login with bee / eeb
+    if ! id bee > /dev/null 2>&1; then
+        adduser -D -s /bin/sh bee > /dev/null 2>&1
+    fi
+    printf 'eeb\neeb\n' | passwd bee > /dev/null 2>&1
+
+    if [ -f /etc/bee-ssh-password-fallback ]; then
+        ebegin "SSH key auth unavailable — password fallback active"
+        ewarn "Login: bee / eeb"
+        ewarn "Generate a key: sh keys/scripts/keygen.sh <name>"
+        eend 0
+    else
+        ebegin "SSH key auth configured"
+        # bee user exists but password login less useful when keys work
+        eend 0
+    fi
+}

iso/overlay-debug/etc/motd

@@ -0,0 +1,19 @@
+
+  ██████╗ ███████╗███████╗    ██████╗ ███████╗██████╗ ██╗   ██╗ ██████╗
+  ██╔══██╗██╔════╝██╔════╝    ██╔══██╗██╔════╝██╔══██╗██║   ██║██╔════╝
+  ██████╔╝█████╗  █████╗      ██║  ██║█████╗  ██████╔╝██║   ██║██║  ███╗
+  ██╔══██╗██╔══╝  ██╔══╝      ██║  ██║██╔══╝  ██╔══██╗██║   ██║██║   ██║
+  ██████╔╝███████╗███████╗    ██████╔╝███████╗██████╔╝╚██████╔╝╚██████╔╝
+  ╚═════╝ ╚══════╝╚══════╝    ╚═════╝ ╚══════╝╚═════╝  ╚═════╝  ╚═════╝
+
+  Hardware Audit LiveCD — DEBUG MODE
+
+  Audit result:  /var/log/bee-audit.json
+  Audit log:     /var/log/bee-audit.log
+  Network log:   /var/log/bee-network.log
+
+  Re-run audit:  /usr/local/bin/audit --output stdout | less
+  Check package: which dmidecode smartctl nvme ipmitool lspci
+
+  SSH access:    key auth (developers) or bee/eeb (password fallback)
+

iso/overlay-debug/usr/local/bin/bee-network.sh

@@ -0,0 +1,36 @@
+#!/bin/sh
+# bee-network.sh — bring up all physical network interfaces via DHCP
+# Unattended: runs silently, logs results, never blocks.
+
+set -e
+
+LOG_PREFIX="bee-network"
+
+log() { echo "[$LOG_PREFIX] $*"; }
+
+# find physical interfaces: exclude lo and virtual (docker/virbr/veth/tun/tap)
+interfaces=$(ip -o link show \
+    | awk -F': ' '{print $2}' \
+    | grep -v '^lo$' \
+    | grep -vE '^(docker|virbr|veth|tun|tap|br-|bond|dummy)' \
+    | sort)
+
+if [ -z "$interfaces" ]; then
+    log "no physical interfaces found"
+    exit 0
+fi
+
+for iface in $interfaces; do
+    log "bringing up $iface"
+    ip link set "$iface" up 2>/dev/null || { log "WARN: could not bring up $iface"; continue; }
+
+    # DHCP: 3 retries, 5s timeout per try, exit without blocking if no offer
+    if udhcpc -i "$iface" -t 3 -T 5 -n -q 2>/dev/null; then
+        IP=$(ip -4 addr show "$iface" | awk '/inet /{print $2}' | head -1)
+        log "OK: $iface got $IP"
+    else
+        log "WARN: $iface — no DHCP offer"
+    fi
+done
+
+log "done"