
feat: add agent RBAC system #4

Open
bolotas-migas wants to merge 1 commit into msf:main from bolotas-migas:feat/agent-rbac-system

Conversation

@bolotas-migas (Contributor)

Summary

Add setup script for creating agent users with role-based access control.

Changes

  • scripts/agent-rbac/setup-agent.sh - Main setup script

    Usage: scripts/agent-rbac/setup-agent.sh <username> <role> [ssh_key_path]

    Arguments:
      username      - Name of the agent user to create
      role          - Role: readonly, operator, or deploy
      ssh_key_path  - Optional: Path to SSH public key to add

    Roles:
      readonly  - Read logs, configs, docker ps, curl endpoints
      operator  - + restart services, docker restart, read /srv
      deploy    - + git pull, docker compose, rebuild

    Examples:
      scripts/agent-rbac/setup-agent.sh bolotas operator
      scripts/agent-rbac/setup-agent.sh bolotas operator ~/.ssh/id_ed25519.pub
      scripts/agent-rbac/setup-agent.sh readonly-agent readonly

  • Documentation

Roles

Role       Group   Capabilities
readonly           Read logs, configs, docker ps
operator           + restart services, docker restart
deploy             + git pull, docker compose

Usage

# Create operator agent with SSH key
sudo ./scripts/agent-rbac/setup-agent.sh bolotas operator ~/.ssh/id_ed25519.pub

# Create readonly agent
sudo ./scripts/agent-rbac/setup-agent.sh readonly-agent readonly

Security

  • SSH key authentication only (no passwords)
  • Sudo limited to specific commands per role
  • Filesystem permissions restrict sensitive areas

TODO

  • Run on hopper to create bolotas agent user
  • Add SSH key to authorized_keys
  • Test sudo access
  • Add to OpenClaw config
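As an added illustration of the "sudo limited to specific commands per role" point (example code, not the PR's setup-agent.sh), the function below renders the sudoers fragment for one agent user so that the three roles grant exactly the cumulative capabilities listed above; it gives readonly agents docker ps through a sudo rule rather than docker-group membership, since that group is root-equivalent. The unit name app.service, container name app and the /srv/app compose path are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the PR's setup-agent.sh: render a sudoers fragment for an
# agent user so roles are cumulative as the PR describes
# (readonly -> operator adds restarts -> deploy adds git pull + compose).
# Unit name, container name and the /srv/app path are constructed assumptions.

# Accept only the three roles the setup script documents.
rbac_valid_role() {
    case "$1" in
        readonly|operator|deploy) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the sudoers rules for user "$1" with role "$2" on stdout.
# Every rule is a full path with fixed arguments and no wildcards, so the
# agent cannot widen the grant by appending options of its own.
rbac_sudoers_fragment() {
    user="$1"; role="$2"
    # Portable POSIX username only: no shell metacharacters reach sudoers.
    printf '%s' "$user" | grep -Eq '^[a-z_][a-z0-9_-]*$' \
        || { echo "invalid username: $user" >&2; return 1; }
    rbac_valid_role "$role" || { echo "unknown role: $role" >&2; return 1; }

    echo "# agent-rbac: $user ($role), generated; edit the generator instead"
    # readonly: docker ps via sudo instead of docker-group membership,
    # because the docker group is root-equivalent.
    echo "$user ALL=(root) NOPASSWD: /usr/bin/docker ps"
    if [ "$role" = readonly ]; then return 0; fi

    # operator: restart the service and container by fixed name only
    echo "$user ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service"
    echo "$user ALL=(root) NOPASSWD: /usr/bin/docker restart app"
    if [ "$role" = operator ]; then return 0; fi

    # deploy: fast-forward pull and rebuild of the pinned compose project
    echo "$user ALL=(root) NOPASSWD: /usr/bin/git -C /srv/app pull --ff-only"
    echo "$user ALL=(root) NOPASSWD: /usr/bin/docker compose -f /srv/app/docker-compose.yml up -d --build"
}

# Count the command rules a user/role pair receives (for audits and tests).
rbac_rule_count() {
    rbac_sudoers_fragment "$1" "$2" | grep -c 'NOPASSWD:' || true
}
```

Write the output to /etc/sudoers.d/<username> with mode 0440 and validate it with `visudo -cf /etc/sudoers.d/<username>` before the agent's first login.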

Add setup script for creating agent users with role-based access control.

Features:
- Create agent users with specific roles (readonly, operator, deploy)
- SSH key-based authentication
- Unix group-based permissions
- Sudo access limited by role
- Filesystem permissions for configs and logs

Usage:
  sudo ./scripts/agent-rbac/setup-agent.sh bolotas operator ~/.ssh/id_ed25519.pub