add SSH key permission checks with auto-fix to hub and spoke scripts

hub/setup-hub.sh

@@ -7,6 +7,31 @@ YELLOW='\033[1;33m'
 CYAN='\033[0;36m'
 NC='\033[0m'
 
+check_permissions() {
+    local file="$1"
+    local label="$2"
+    if [ ! -f "$file" ]; then
+        warn "Permission check: $label not found at $file"
+        return
+    fi
+    local perms
+    perms=$(stat -c "%a" "$file" 2>/dev/null || stat -f "%OLp" "$file" 2>/dev/null)
+    if [ -z "$perms" ]; then
+        warn "Could not read permissions for $label ($file)"
+        return
+    fi
+    local world="${perms: -1}"
+    local group="${perms: -2:1}"
+    if [ "$world" != "0" ] || [ "$group" != "0" ]; then
+        warn "UNSAFE PERMISSIONS on $label ($file): $perms — should be 600 or 400"
+        warn "Fixing permissions automatically..."
+        chmod 600 "$file"
+        info "Permissions fixed: $file is now 600"
+    else
+        info "Permissions OK: $label ($file) = $perms"
+    fi
+}
+
 info()   { echo -e "${GREEN}[+]${NC} $*"; }
 warn()   { echo -e "${YELLOW}[!]${NC} $*"; }
 die()    { echo -e "${RED}[ERROR]${NC} $*" >&2; exit 1; }
@@ -187,6 +212,11 @@ groupadd fuse 2>/dev/null || true
 usermod -aG fuse "$HUB_USER" 2>/dev/null || true
 info "$HUB_USER added to fuse group."
 
+header "Permission Checks"
+info "Checking SSH directory permissions..."
+check_permissions "$SSH_DIR/authorized_keys" "authorized_keys"
+[ -f "$RCLONE_CONF" ] && check_permissions "$RCLONE_CONF" "rclone.conf" || true
+
 header "Rclone Setup"
 RCLONE_CONF="$ARMBIAN_HOME/.config/rclone/rclone.conf"
 mkdir -p "$(dirname "$RCLONE_CONF")"