fix(security): UPnP opt-in, bounded SSE reader, signed self-update

Phase 2 security audit follow-up. Three independent hardenings against
the unauthenticated daemon surface, the long-lived agent SSE stream
and the self-update channel.

UPnP is now opt-in. The stream port + /hls endpoints have no auth, so
publishing them on the WAN via the gateway was a default that exposed
active downloads to anyone scanning the operator's external IP. New
config downloads.enable_upnp (default false) gates the mapping; LAN
and Tailscale clients continue to work unchanged. A startup log makes
the new default visible.

The agent SSE reader now uses a bounded bufio.Scanner instead of an
unbounded ReadString. A hostile or buggy server can no longer grow
daemon memory by streaming a single line forever or by emitting
unbounded data: continuation lines — both are capped at 256 KiB and
1 MiB respectively, and an error is surfaced so SignalLoop reconnects.

Self-update now verifies an ed25519 signature over checksums.txt when
the binary was built with a release public key embedded (injected via
goreleaser ldflags from RELEASE_SIGNING_PUBKEY). The companion
scripts/sign-checksums runs in the release workflow when both the
public-key variable and the private-key secret are present, uploading
checksums.txt.sig next to the existing checksums file. Builds without
the embedded key continue to update with SHA256-only verification; a
--allow-unsigned flag is provided so users on a signed build can
still install pre-signing releases or recover from an accidental
unsigned release.

A new scripts/gen-release-key helper documents the one-time keypair
generation procedure required before flipping signing on.

scripts/sign-checksums/main.go

@@ -0,0 +1,60 @@
+// sign-checksums signs the dist/checksums.txt file with an ed25519 private
+// key and writes the base64-encoded signature to the path given by -out.
+//
+// Usage (from release workflow):
+//
+//	go run ./scripts/sign-checksums \
+//	    -key "$RELEASE_SIGNING_KEY" \
+//	    -in  dist/checksums.txt \
+//	    -out dist/checksums.txt.sig
+//
+// The companion CLI verifier (internal/upgrade/signature.go) requires the
+// signature to be base64 text, so emitting base64 + trailing newline makes
+// the artifact safe to inspect with `cat` / the GitHub release UI.
+package main
+
+import (
+	"crypto/ed25519"
+	"encoding/base64"
+	"flag"
+	"fmt"
+	"os"
+)
+
+func main() {
+	keyB64 := flag.String("key", "", "base64-encoded ed25519 private key (PrivateKeySize = 64 bytes)")
+	in := flag.String("in", "", "path to file to sign")
+	out := flag.String("out", "", "path to write the base64-encoded signature")
+	flag.Parse()
+
+	if *keyB64 == "" || *in == "" || *out == "" {
+		fmt.Fprintln(os.Stderr, "usage: sign-checksums -key <base64> -in <path> -out <path>")
+		os.Exit(2)
+	}
+
+	keyBytes, err := base64.StdEncoding.DecodeString(*keyB64)
+	if err != nil {
+		fail("decode key: %v", err)
+	}
+	if len(keyBytes) != ed25519.PrivateKeySize {
+		fail("private key size %d, expected %d", len(keyBytes), ed25519.PrivateKeySize)
+	}
+	priv := ed25519.PrivateKey(keyBytes)
+
+	content, err := os.ReadFile(*in)
+	if err != nil {
+		fail("read input: %v", err)
+	}
+
+	sig := ed25519.Sign(priv, content)
+	encoded := base64.StdEncoding.EncodeToString(sig) + "\n"
+	if err := os.WriteFile(*out, []byte(encoded), 0o644); err != nil {
+		fail("write signature: %v", err)
+	}
+	fmt.Printf("Signed %s (%d bytes) → %s\n", *in, len(content), *out)
+}
+
+func fail(format string, args ...any) {
+	fmt.Fprintf(os.Stderr, format+"\n", args...)
+	os.Exit(1)
+}