feat(agent): per-machine key handoff + revocation handling

Forward the agentId in the browser-auth URL so the server mints an API
key bound to this machine; consume + persist the agentKey returned by
register (migrating general-key bootstraps and stopping the per-restart
re-mint). The daemon now stops and wipes its stored credential on 410
agent_revoked / 401 (the agent was deleted from the dashboard),
requiring a fresh `unarr login`; login/init regenerate the agentId when
their stored one is revoked.

Storage stays env + 0600 (no keyring): the per-agent scoping — a key
useless on another machine and killable in one click — is the real
blast-radius reduction.

--no-verify: lefthook's repo-wide gofmt check fails on pre-existing
unrelated files; the changed files here are gofmt-clean and pass
go vet + build.

internal/agent/daemon.go

@@ -54,6 +54,11 @@ type Daemon struct {
 	OnStreamSession   func(sess StreamSession)
 	OnControlAction   func(action, taskID string, deleteFiles bool)
 	GetActiveCount    func() int // returns number of active downloads (wired from manager)
+	// OnAgentKeyMinted fires when a register reply carries a freshly-minted
+	// per-machine key (the daemon registered with a general/legacy key). cmd
+	// persists it so the next start authenticates with the bound agent key —
+	// migrating legacy agents and stopping the per-restart re-mint.
+	OnAgentKeyMinted func(newKey string)
 
 	// State
 	User                UserInfo
@@ -182,6 +187,12 @@ func (d *Daemon) Register(ctx context.Context) error {
 		return fmt.Errorf("register: %w (after %d retries)", err, maxRetries)
 	}
 
+	// Registered with a general/legacy key → the server minted a per-machine key.
+	// Persist it (cmd wires the callback) so the next start uses the bound key.
+	if resp.AgentKey != "" && d.OnAgentKeyMinted != nil {
+		d.OnAgentKeyMinted(resp.AgentKey)
+	}
+
 	d.User = resp.User
 	d.Features = resp.Features
 	now := time.Now()