feat: SSH key management — built-in authorized keys, key storage docs

- keys/adacam_authorized_key.pub: two public keys baked into liberate.sh
  (cobb@adacam + kayos@openclaw) — no env var needed for standard deployments
- liberate.sh: injects built-in keys always, ADACAM_PUBKEY still works additively
- keys/README.md: documents key locations, SSH usage, future signing story
- Private key: /boot/config/adacam/id_ed25519_adacam on Lucy (boot-persistent)

keys/README.md

@@ -0,0 +1,41 @@
+# keys/
+
+## adacam_authorized_key.pub
+
+SSH public keys authorized on every liberated AdaCam by default.
+Two keys are included:
+- `cobb@adacam` — primary key, private half at `/boot/config/adacam/id_ed25519_adacam` on Lucy
+- `kayos@openclaw` — OpenClaw agent key, private half at `~/.openclaw/id_ed25519_unraid`
+
+To SSH into a liberated AdaCam:
+```bash
+# On adacam AP (always works):
+ssh -i /boot/config/adacam/id_ed25519_adacam root@10.77.0.1
+
+# On home WiFi (after WiFi config via Varroa):
+ssh -i /boot/config/adacam/id_ed25519_adacam root@<device-lan-ip>
+```
+
+Private key lives at: `root@192.168.0.5:/boot/config/adacam/id_ed25519_adacam`
+
+---
+
+## Signing Keys (future)
+
+The USB updater is currently disabled — no signing infrastructure needed.
+
+If OTA updates are ever added, generate a signing keypair:
+```bash
+openssl genrsa -out adacam-update-private.pem 4096
+openssl rsa -in adacam-update-private.pem -pubout -out adacam-update-public.pem
+```
+
+- Private key: keep offline / on Lucy only. NEVER commit to repo.
+- Public key: commit to `keys/adacam-update-public.pem`, install to `/etc/adacam/update-verify.pem` via liberate.sh
+
+---
+
+## What's NOT here
+
+- Private keys (never)
+- Per-device keys (generated on device during liberation at `/data/adacam/`)

keys/adacam_authorized_key.pub

@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK87jxvlXvo60pxwdtyJsXeFsb4KsAiFx4FnyXz81kh7 cobb@adacam
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQxwJU91TCxds34P18D3xRbu7rxlrgTUoml/H8nxeDK kayos@openclaw

liberate.sh

@@ -209,13 +209,20 @@ ok "SSH hardened: key-based auth only"
 # Inject authorized key
 mkdir -p /root/.ssh
 chmod 700 /root/.ssh
+# Built-in authorized keys (committed to repo — public keys only, safe to ship)
+cat >> /root/.ssh/authorized_keys << 'BUILTIN_KEYS'
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK87jxvlXvo60pxwdtyJsXeFsb4KsAiFx4FnyXz81kh7 cobb@adacam
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQxwJU91TCxds34P18D3xRbu7rxlrgTUoml/H8nxeDK kayos@openclaw
+BUILTIN_KEYS
+
+# Also inject caller's key if provided
 if [ -n "$ADACAM_PUBKEY" ]; then
     echo "$ADACAM_PUBKEY" >> /root/.ssh/authorized_keys
-    chmod 600 /root/.ssh/authorized_keys
-    ok "installed authorized key"
-else
-    warn "no ADACAM_PUBKEY set — add your SSH public key manually!"
+    ok "installed additional authorized key from ADACAM_PUBKEY"
 fi
+
+chmod 600 /root/.ssh/authorized_keys
+ok "SSH authorized_keys installed ($(wc -l < /root/.ssh/authorized_keys) keys)"
 systemctl restart sshd
 
 # ── PHASE 5: KILL USB UPDATER ────────────────────────────────────────────────