harmony/fleet/harmony-fleet-auth
Jean-Gabriel Gill-Couture af20c40f25 feat(fleet): generate device RSA keys on-device, drop openssl dep
The Zitadel JWT-bearer private key is now generated locally on each
fleet device via a new `fleet-agent keygen` subcommand. Only the public
key reaches Zitadel — closing the storage-and-future-decryption hole
where the key previously crossed SSH on enrollment.

Backed by pure-Rust `rsa = "0.9"` + `rand_core::OsRng`. No `openssl(1)`
needed on the device, no shell string interpolation, one SSH round-trip
instead of two, typed errors all the way down.

Key changes:
- `fleet-agent keygen` subcommand (PKCS#8 private + SubjectPublicKeyInfo
  public PEM, idempotent, atomic write) with 6 unit tests
- `FleetDeviceAuth::ZitadelEnroll` variant: inline on-device key-gen +
  public-key registration during setup
- `RemoteCommand` capability trait, kept narrow and out of the
  `LinuxHostConfiguration` umbrella so most Scores don't see it
- Zitadel `register_device_public_key` + `mint_device_credentials`
  helpers for client-supplied public keys
- Drop dead `MachineKeyFile._type` (serde ignores unknown fields)
- Renumber FleetDeviceSetupScore log steps cleanly to 1..9
2026-05-26 11:29:46 -04:00
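The "idempotent, atomic write" the message promises for the `keygen` subcommand is the part a reviewer would want to see spelled out: a re-run must not rotate a key whose public half Zitadel already holds, and a crash mid-write must not leave a truncated or group-readable private key behind. The block below is an added illustration of that pattern, not code from the harmony-fleet-auth repository. It uses only the Rust standard library; `write_private_key_atomically`, `KeygenOutcome` and `mode_bits` are hypothetical names, and the PEM body is a constructed placeholder standing in for the PKCS#8 PEM the `rsa` crate would produce on the device.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Outcome of a keygen run, so callers can distinguish a fresh write
/// from an idempotent no-op (hypothetical type, not the project's own).
#[derive(Debug, PartialEq, Eq)]
pub enum KeygenOutcome {
    Written,
    AlreadyPresent,
}

/// Idempotent, atomic write of a private-key PEM to `path`:
/// - if the file already exists it is left untouched, because re-running
///   keygen must never rotate a key whose public half is already registered;
/// - otherwise the bytes go to a sibling temp file created with mode 0600,
///   are fsync'd, and the temp file is renamed over the final path, so a
///   crash leaves either nothing or a complete key, never a partial one.
pub fn write_private_key_atomically(path: &Path, pem: &[u8]) -> io::Result<KeygenOutcome> {
    if path.exists() {
        return Ok(KeygenOutcome::AlreadyPresent);
    }
    let dir = path
        .parent()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "key path has no parent"))?;
    fs::create_dir_all(dir)?;
    let name = path.file_name().and_then(|n| n.to_str()).unwrap_or("key");
    let tmp: PathBuf = dir.join(format!(".{}.tmp", name));

    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true) // fail instead of clobbering a concurrent writer's temp file
        .mode(0o600)      // the private key is never group/world readable, even briefly
        .open(&tmp)?;
    if let Err(e) = f.write_all(pem).and_then(|_| f.sync_all()) {
        let _ = fs::remove_file(&tmp);
        return Err(e);
    }
    drop(f);

    if let Err(e) = fs::rename(&tmp, path) {
        let _ = fs::remove_file(&tmp);
        return Err(e);
    }
    // fsync the directory so the rename itself survives a power loss.
    File::open(dir)?.sync_all()?;
    Ok(KeygenOutcome::Written)
}

/// Unix permission bits of `path`, for verifying the 0600 guarantee.
pub fn mode_bits(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

fn main() -> io::Result<()> {
    // Constructed placeholder; on a real device this would be the PKCS#8 PEM
    // produced by the rsa crate, never a hard-coded body.
    let pem = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n";
    let path = std::env::temp_dir().join("fleet-keygen-demo").join("device.key.pem");
    let first = write_private_key_atomically(&path, pem)?;
    let second = write_private_key_atomically(&path, pem)?;
    println!("first run: {:?}, second run: {:?}, mode: {:o}", first, second, mode_bits(&path)?);
    Ok(())
}
```

The `create_new(true)` flag is what makes the temp-file step safe against two agents racing on the same host, and rename-over-target is what makes the final path appear all at once; both are cheap and worth keeping in any on-device key material writer.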