feat(swarm-mgmt): agent enrollment bundle flow + admin swarm endpoints

decnet/web/templates/enroll_bootstrap.sh.j2

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# DECNET bootstrap installer for agent {{ agent_name }} -> master {{ master_host }}.
+# Fetches the code+certs payload, installs, and starts the agent daemon.
+# Generated by the master at {{ generated_at }}. Expires {{ expires_at }}.
+set -euo pipefail
+
+[[ $EUID -eq 0 ]] || { echo "decnet-install: must run as root (use sudo)"; exit 1; }
+for bin in python3 curl tar; do
+  command -v "$bin" >/dev/null || { echo "decnet-install: $bin required"; exit 1; }
+done
+
+WORK="$(mktemp -d)"
+trap 'rm -rf "$WORK"' EXIT
+
+echo "[DECNET] fetching payload..."
+curl -fsSL "{{ tarball_url }}" | tar -xz -C "$WORK"
+
+INSTALL_DIR=/opt/decnet
+mkdir -p "$INSTALL_DIR"
+cp -a "$WORK/." "$INSTALL_DIR/"
+cd "$INSTALL_DIR"
+
+echo "[DECNET] building venv..."
+python3 -m venv .venv
+.venv/bin/pip install -q --upgrade pip
+.venv/bin/pip install -q -e .
+
+install -Dm0644 etc/decnet/decnet.ini /etc/decnet/decnet.ini
+[[ -f services.ini ]] && install -Dm0644 services.ini /etc/decnet/services.ini
+
+REAL_USER="${SUDO_USER:-root}"
+REAL_HOME="$(getent passwd "$REAL_USER" | cut -d: -f6)"
+for f in ca.crt worker.crt worker.key; do
+  install -Dm0600 -o "$REAL_USER" -g "$REAL_USER" \
+    "home/.decnet/agent/$f" "$REAL_HOME/.decnet/agent/$f"
+done
+
+ln -sf "$INSTALL_DIR/.venv/bin/decnet" /usr/local/bin/decnet
+sudo -u "$REAL_USER" /usr/local/bin/decnet agent --daemon
+echo "[DECNET] agent {{ agent_name }} enrolled -> {{ master_host }}. Forwarder auto-spawned."