- validate agent, API token, archive before provisioning
- auto-build archive via `make build-archive` if missing
- add tests and Makefile install target
- replace `rw vault ssh` calls with `rwagent.Client` in PrepareNodeKeys,
LoadAgentKeys, EnsureVaultEntry, ResolveVaultPublicKey
- add vaultClient interface, newClient func, and wrapAgentError for
testability and improved error messages
- prefer pre-built systemd dir in installNamespaceTemplates
- replace standalone sandbox keys with "sandbox/root" vault entry
- update inspector config to use vault targets (no passwords/keys)
- make sandbox default active environment
- add vault helpers and tests for remotessh
- propagate `--anyone-client` to `orama node upgrade` on all nodes
- prioritize explicit `--anyone-client` over prefs/auto-detect in production
- ensure mutual exclusivity between relay/client modes in prefs
- add WithNoHostKeyCheck option for ephemeral server IPs
- upload binary to genesis then distribute to other nodes (faster)
- improve provisioning error handling for cleanup on partial failure
- new `orama sandbox reset` deletes Hetzner resources (IPs, firewall, SSH key) and local config
- interactive location/server type selection during `setup`
- add Hetzner API methods for listing locations/types, deleting resources
- update defaults to nbg1/cx23
