feat(api): Add setup wizard endpoints for installer

[nfebe]

Add setup flow endpoints for the installer UI to configure:

• System validation checks
• Domain configuration
• CORS/UI origin settings
• Initial user creation

Note: Dynamic CORS middleware included but may be removed if installer UI is served from same origin.

[sourceant]

Code Review Summary

This pull request introduces a comprehensive initial setup flow for the agent, encapsulated within the new internal/setup package. The changes include new API endpoints for managing setup status, domain configuration, CORS, user creation, and system validation. A dynamic CORS middleware has been integrated to support setup-specific origins. The underlying logic leverages an SQLite database for persistent state management and includes robust environment detection and system health checks.

🚀 Key Improvements

• Comprehensive Setup Flow: A structured and secure initial setup process is now in place, guiding users through critical configurations.
• Enhanced Security for Setup: The RequireSetupIncomplete middleware ensures that sensitive setup endpoints are only accessible before the agent is fully initialized, preventing unauthorized modifications.
• Dynamic CORS Configuration: The agent can now dynamically adjust allowed CORS origins based on the setup state, improving flexibility and security during initial configuration.
• Robust System Validation: New validation checks cover Docker, file system permissions, disk space, memory, and network connectivity, ensuring a healthy operating environment.

🚨 Critical Issues

• Weak JWT Secret Fallback: The fallback mechanism in generateSecret for crypto/rand.Read failing uses low-entropy sources, which could lead to predictable JWT secrets under rare error conditions. This should be addressed to ensure strong randomness at all times.

[sourceant]

Review complete. See the overview comment for a summary.

[sourceant]

The fallback for cryptoRand.Read in generateSecret uses os.Getpid() and time.Now().UnixNano(), which provide very low entropy. While cryptoRand.Read failing is rare, if it does, the generated JWT secret would be predictable, posing a significant security risk. It's generally better to let cryptoRand.Read fail and return an error for critical security functions like secret generation, rather than using a weak fallback.

Suggested change

	bytes := make([]byte, length)
	if _, err := rand.Read(bytes); err != nil {
	fallback := make([]byte, length)
	for i := range fallback {
	fallback[i] = byte(os.Getpid()>>i) ^ byte(time.Now().UnixNano()>>i)
	}
	return hex.EncodeToString(fallback)
	}
	func generateSecret(length int) string {
	bytes := make([]byte, length)
	if _, err := rand.Read(bytes); err != nil {
	// Log the error and potentially panic or return an empty string/error
	// to prevent using a weak secret.
	log.Fatalf("Failed to generate secure random bytes for JWT secret: %v", err)
	return ""
	}
	return hex.EncodeToString(bytes)
	}