- Create installer.rs for 'botserver install protection' command
- Requires root to install packages and create sudoers config
- Sudoers uses exact commands (no wildcards) for security
- Update all tool files (lynis, rkhunter, chkrootkit, suricata, lmd) to use sudo
- Update manager.rs service management to use sudo
- Add 'sudo' and 'visudo' to command_guard.rs whitelist
- Update CLI with install/remove/status protection commands
- Create comprehensive botbook documentation
- Update SUMMARY.md with protection-tools entry
Security model:
- Installation requires root (sudo botserver install protection)
- Runtime uses sudoers NOPASSWD for specific commands only
- No wildcards in sudoers - exact command specifications
- Tools run on host system, not in containers
- Fix JwtKey::from_secret to use &str instead of &[u8]
- Fix auth_middleware_with_providers to avoid holding &Request across await
- Add ExtractedAuthData struct for thread-safe auth data extraction
- Remove duplicate require_permission_middleware export from rbac_middleware
- Fix check_route_access argument order in rbac_middleware
- Remove unused auth_config field from ZitadelAuthProviderAdapter
- Remove unused imports (body::Body, http::Request, AuthError)
- Make check_permission_string public for middleware use
- Add missing jwt_manager, auth_provider_registry, rbac_manager fields to AppState
Phase 5.1 compilation test: PASSED (0 warnings, 0 errors)
