fix(security): UPnP opt-in, bounded SSE reader, signed self-update

Phase 2 security audit follow-up. Three independent hardenings against
the unauthenticated daemon surface, the long-lived agent SSE stream
and the self-update channel.

UPnP is now opt-in. The stream port + /hls endpoints have no auth, so
publishing them on the WAN via the gateway was a default that exposed
active downloads to anyone scanning the operator's external IP. New
config downloads.enable_upnp (default false) gates the mapping; LAN
and Tailscale clients continue to work unchanged. A startup log makes
the new default visible.

The agent SSE reader now uses a bounded bufio.Scanner instead of an
unbounded ReadString. A hostile or buggy server can no longer grow
daemon memory by streaming a single line forever or by emitting
unbounded data: continuation lines — both are capped at 256 KiB and
1 MiB respectively, and an error is surfaced so SignalLoop reconnects.

Self-update now verifies an ed25519 signature over checksums.txt when
the binary was built with a release public key embedded (injected via
goreleaser ldflags from RELEASE_SIGNING_PUBKEY). The companion
scripts/sign-checksums runs in the release workflow when both the
public-key variable and the private-key secret are present, uploading
checksums.txt.sig next to the existing checksums file. Builds without
the embedded key continue to update with SHA256-only verification; a
--allow-unsigned flag is provided so users on a signed build can
still install pre-signing releases or recover from an accidental
unsigned release.

A new scripts/gen-release-key helper documents the one-time keypair
generation procedure required before flipping signing on.

internal/agent/signal_client.go

@@ -140,26 +140,29 @@ func (c *Client) OpenSignalStream(ctx context.Context, sessionID string) (*Signa
 	return stream, nil
 }
 
+// sseMaxLineBytes caps the size of a single SSE line. Real signalling lines
+// are JSON payloads of a few hundred bytes; 256 KiB is generous enough to
+// survive a future schema bump but small enough that a hostile or buggy
+// server cannot grow daemon memory by streaming a single line forever.
+const sseMaxLineBytes = 256 * 1024
+
+// sseMaxEventBytes caps the total bytes buffered across the lines of one
+// SSE event. Without a cap, a peer could send unbounded `data:` continuation
+// lines and OOM the daemon between blank-line dispatches.
+const sseMaxEventBytes = 1024 * 1024
+
 func (s *SignalEventStream) read() {
 	defer close(s.done)
 	defer close(s.events)
 
-	reader := bufio.NewReaderSize(s.resp.Body, 16*1024)
+	scanner := bufio.NewScanner(s.resp.Body)
+	scanner.Buffer(make([]byte, 16*1024), sseMaxLineBytes)
+
 	var dataBuf bytes.Buffer
 	var eventName string
 
-	for {
-		line, err := reader.ReadString('\n')
-		if err != nil {
-			if err != io.EOF {
-				select {
-				case s.errs <- err:
-				default:
-				}
-			}
-			return
-		}
-		line = strings.TrimRight(line, "\r\n")
+	for scanner.Scan() {
+		line := strings.TrimRight(scanner.Text(), "\r")
 		if line == "" {
 			// End of an event — dispatch if we have data.
 			if dataBuf.Len() == 0 {
@@ -190,6 +193,18 @@ func (s *SignalEventStream) read() {
 		}
 		if strings.HasPrefix(line, "data:") {
 			payload := strings.TrimSpace(line[len("data:"):])
+			// Refuse to grow the event buffer past the cap. Reset so a
+			// well-formed event after the offender can still be parsed,
+			// and surface an error so SignalLoop reconnects.
+			if dataBuf.Len()+len(payload)+1 > sseMaxEventBytes {
+				dataBuf.Reset()
+				eventName = ""
+				select {
+				case s.errs <- fmt.Errorf("sse: event exceeded %d bytes", sseMaxEventBytes):
+				default:
+				}
+				return
+			}
 			if dataBuf.Len() > 0 {
 				dataBuf.WriteByte('\n')
 			}
@@ -198,6 +213,12 @@ func (s *SignalEventStream) read() {
 		}
 		// id:, retry:, anything else — ignore for now.
 	}
+	if err := scanner.Err(); err != nil {
+		select {
+		case s.errs <- err:
+		default:
+		}
+	}
 }
 
 // SignalLoop runs an SSE consumer that reconnects automatically on disconnect.

internal/agent/signal_client_test.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@@ -120,6 +121,48 @@ func TestSignalStreamCloseCancelsRead(t *testing.T) {
 	wg.Wait()
 }
 
+// TestSignalStreamRejectsOversizedEvent verifies that a hostile or buggy
+// server sending an unbounded `data:` event surfaces an error and stops
+// the reader instead of growing daemon memory forever.
+func TestSignalStreamRejectsOversizedEvent(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Header.Get("Authorization") != "Bearer test-key" {
+			http.Error(w, "auth", http.StatusUnauthorized)
+			return
+		}
+		w.Header().Set("Content-Type", "text/event-stream")
+		flusher := w.(http.Flusher)
+		// Send many data: continuation lines until we blow past the
+		// per-event cap. Each chunk is a short legitimate-looking line.
+		chunk := "data: " + strings.Repeat("x", 4096) + "\n"
+		fmt.Fprint(w, "event: signal\n")
+		for i := 0; i < (sseMaxEventBytes/4096)+8; i++ {
+			fmt.Fprint(w, chunk)
+		}
+		flusher.Flush()
+		<-r.Context().Done()
+	}))
+	defer srv.Close()
+
+	c := NewClient(srv.URL, "test-key", "test-ua")
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	stream, err := c.OpenSignalStream(ctx, "session-overflow")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	defer stream.Close()
+
+	for range stream.Events() {
+		// Should never receive a parsed event — the over-sized buffer must
+		// be rejected before dispatch.
+	}
+	if err := stream.Err(); err == nil {
+		t.Fatal("expected error from oversized event, got nil")
+	}
+}
+
 func TestPostSignalSendsCorrectBody(t *testing.T) {
 	var bodySeen map[string]any
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {