[codex] Integrate runtime hardening and distribution improvements

[toasterbook88]

What changed

This branch combines runtime hardening with the distribution/install improvements needed to make AXIS easier to consume on heterogeneous machines.

It includes:

• SSH transport hardening so AXIS honors resolved SSH config more faithfully, including host-key targeting and algorithm preference behavior
• axis doctor severity cleanup so optional daemon health is advisory by default instead of contradicting the final summary
• workload classification fixes so hardware/spec prompts do not get misread as local inference tasks
• public distribution improvements including install.sh, flake.nix, install-channel metadata, and safer package-manager-aware update behavior
• installer hardening with fail-fast downloads and version-aware flake metadata derived from internal/buildinfo/version.go
• CI/release workflow pinning to Go 1.26.2 to clear the current stdlib govulncheck findings without breaking Nix builds that still rely on go.mod minimum compatibility
• the small updater test follow-up required after integrating the distribution changes

Why it changed

AXIS needs to stay trustworthy on the operator path while also being easier to install and safer to update.

This PR focuses on three practical goals:

• make SSH behavior match user expectations more closely without weakening host-key verification
• improve placement accuracy by separating real inference intent from generic hardware/spec language
• make distribution channels like direct release installs and Nix packaging first-class without encouraging unsafe self-updates

User and developer impact

• SSH behavior should align more closely with OpenSSH expectations without weakening host-key verification
• axis doctor output is less misleading when optional daemon state is degraded
• placement is more accurate for prompts that describe machine specs rather than asking to run a model
• users can install AXIS more easily on macOS, Linux, and Nix systems without leading with a Go toolchain requirement
• package-managed installations can avoid unsafe in-place self-update behavior

Validation

• bash -n install.sh
• env HOME=/tmp/axis-test-home GOCACHE=/tmp/axis-go-build-cache go test ./... -count=1
• ssh nixos '... nix build .#axis ...' via an isolated temp clone of the pushed branch

Notes

• This PR intentionally excludes the draft docs/hybrid-ai-router-plan.md work.
• A temporary session handoff doc used during parallel development was removed from the branch so it does not ship to main.

[gemini-code-assist]

Code Review

This pull request introduces comprehensive installation and distribution support, including a new one-liner install script, Nix Flakes support, and a package-manager-aware self-updater. It also refactors the workload matching logic to be more robust using a signal-based analysis and significantly enhances SSH configuration resolution to respect user-defined hostnames, ports, and host key aliases. Feedback suggests improving the maintainability of the Nix flake versioning and hardening the installation script by ensuring curl commands fail explicitly on HTTP errors.

[Copilot]

Pull request overview

This PR combines runtime hardening (SSH + workload inference + doctor UX) with distribution improvements (installer, Nix flake, safer update behavior) to make AXIS easier and safer to consume across heterogeneous machines.

Changes:

• Harden SSH transport to honor resolved SSH config (hostname/port/user/hostkeyalias/hostkeyalgorithms) and derive host-key algorithm preferences from known_hosts.
• Refine workload classification to avoid misreading hardware/spec language as inference intent; update placement expectations and golden outputs accordingly.
• Improve distribution/update story: add install.sh, add Nix flake packaging, make axis update package-manager aware, and pin CI/release workflows to Go 1.26.2.

Reviewed changes

Copilot reviewed 30 out of 31 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
README.md	Updates install/update documentation (quick install, Nix, package-manager-aware updater).
Makefile	Adds ldflag for buildinfo.UpdateManagedBy defaulting to empty.
internal/workload/text.go	Adds canonicalized, word-boundary description matching helper.
internal/workload/signals.go	Introduces structured workload signal extraction.
internal/workload/requirements.go	Reworks requirement inference to use signals + class profiles (no broad substring aggregation).
internal/workload/requirements_test.go	Adds tests to ensure hardware inventory prompts don’t trigger inference classifications.
internal/workload/profiles.go	Simplifies profiles (removes keyword lists) and adds lookup by class.
internal/workload/match.go	Replaces keyword-scanning match with signal-based match selection + notes.
internal/transport/ssh.go	Honors resolved SSH config (hostname/user/port/hostkeyalias/hostkeyalgorithms) and tunes host-key algorithm selection.
internal/transport/ssh_security_test.go	Updates sshConfig call sites for new signature.
internal/transport/ssh_lifecycle_test.go	Adds lifecycle test covering resolved hostname + hostkeyalias behavior and new stubbing helper.
internal/transport/ssh_config_test.go	Extends config parsing tests and adds host-key algorithm preference tests.
internal/placement/placement_test.go	Adjusts placement requirement expectations for GPU/hardware-spec prompts.
internal/mcp/testdata/placement_decision_turboquant.golden	Updates golden output to match new workload note emission.
internal/buildinfo/version.go	Adds UpdateManagedBy build-time flag for package-manager awareness.
internal/buildinfo/build.go	Updates build-info example comment Go patch version.
internal/api/server_test.go	Aligns API test expectation to include heavy-model safety detail in error message.
install.sh	Adds curl-based quick installer with checksum verification.
flake.nix	Adds Nix flake packaging and devShell; sets UpdateManagedBy=nix.
flake.lock	Locks Nix inputs for reproducible builds.
docs/current-state.md	Updates command surface docs for new axis update behavior and package-manager awareness.
cmd/axis/update.go	Makes updater default to “current binary only”, adds --all, and refuses in-place updates when package-managed.
cmd/axis/update_test.go	Updates tests for new findAxisBinaries signature.
cmd/axis/doctor.go	Makes daemon health advisory by default; adds --strict to treat it as required.
cmd/axis/doctor_test.go	Adds tests for advisory-vs-strict behavior.
AGENTS.md	Clarifies Go minimum vs “use latest patch” guidance.
.github/workflows/release.yml	Pins release workflow Go version to 1.26.2.
.github/workflows/hardware-validation.yml	Pins validation workflow Go version to 1.26.2.
.github/workflows/govulncheck.yml	Pins govulncheck workflow Go version to 1.26.2.
.github/workflows/ci.yml	Pins CI workflow Go version to 1.26.2.
.github/copilot-instructions.md	Updates contributor guidance to use latest Go 1.26 patch release.