feat: Auto-cleanup legacy SSH keys when migrating to proxy

When pulse-sensor-proxy is installed, automatically remove old SSH keys that were stored in the container for security.

Changes:

**install-sensor-proxy.sh:**
- Checks container for SSH private keys (id_rsa, id_ed25519, etc.)
- Removes any found keys from container
- Warns user that legacy keys were cleaned up
- Explains proxy now handles SSH

**Setup script (config_handlers.go):**
- After successful proxy install, removes old SSH keys from all cluster nodes
- Cleans up authorized_keys entries that match the old container-based key
- Keeps only proxy-managed keys (pulse-sensor-proxy comment)

This provides a clean migration path from the old direct-SSH method to the secure proxy architecture. Users upgrading from pre-v4.24 versions get automatic cleanup of insecure container-stored keys.

internal/api/config_handlers.go

@@ -3616,6 +3616,28 @@ if command -v pct >/dev/null 2>&1 && [ "$TEMPERATURE_ENABLED" = true ]; then
                 if "$PROXY_INSTALLER" --ctid "$PULSE_CTID" 2>&1; then
                     echo ""
                     echo "✓ pulse-sensor-proxy installed successfully"
+                    echo ""
+
+                    # Clean up old container-based SSH keys from nodes
+                    echo "Cleaning up legacy SSH keys from cluster nodes..."
+                    CLEANUP_NODES=""
+                    if [ "$TEMPERATURE_ENABLED" = true ]; then
+                        CLEANUP_NODES="$(hostname)"
+                    fi
+                    if [ -n "${OTHER_NODES_LIST+x}" ] && [ ${#OTHER_NODES_LIST[@]} -gt 0 ]; then
+                        CLEANUP_NODES="$CLEANUP_NODES ${OTHER_NODES_LIST[*]}"
+                    fi
+
+                    for NODE in $CLEANUP_NODES; do
+                        if [ -n "$NODE" ] && [ -n "$SSH_PUBLIC_KEY" ]; then
+                            # Remove the old pulse@ keys (but not pulse-sensor-proxy keys)
+                            ssh -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 -o LogLevel=ERROR \
+                                root@"$NODE" \
+                                "sed -i '/$SSH_PUBLIC_KEY/d' /root/.ssh/authorized_keys 2>/dev/null || true" \
+                                >/dev/null 2>&1 && echo "  ✓ Cleaned up legacy key on $NODE" || true
+                        fi
+                    done
+
                     echo ""
                     echo "Temperature monitoring will now use the secure proxy architecture."
                     echo "SSH keys are stored on the host, not inside the container."

scripts/install-sensor-proxy.sh

@@ -281,6 +281,26 @@ else
     exit 1
 fi
 
+# Check for and remove legacy SSH keys from container
+print_info "Checking for legacy SSH keys in container..."
+LEGACY_KEYS_FOUND=false
+for key_type in id_rsa id_dsa id_ecdsa id_ed25519; do
+    if pct exec "$CTID" -- test -f "/root/.ssh/$key_type" 2>/dev/null; then
+        LEGACY_KEYS_FOUND=true
+        print_warn "Found legacy SSH key: /root/.ssh/$key_type"
+        pct exec "$CTID" -- rm -f "/root/.ssh/$key_type" "/root/.ssh/${key_type}.pub"
+        print_info "  Removed /root/.ssh/$key_type (proxy will handle SSH)"
+    fi
+done
+
+if [ "$LEGACY_KEYS_FOUND" = true ]; then
+    print_info ""
+    print_info "${YELLOW}Legacy SSH keys removed from container${NC}"
+    print_info "The proxy on the host now handles all SSH connections"
+    print_info "This improves security by keeping keys outside the container"
+    print_info ""
+fi
+
 print_info "${GREEN}Installation complete!${NC}"
 print_info ""
 print_info "Temperature monitoring will now use the secure host-side proxy"