
spoke/setup-spoke.sh

Fix check_permissions to check group bits; fix ssh-keyscan dedup to iterate per key type; fix HUB_USER@HUB_HOST sed regex to handle trailing whitespace
hub/offboard-spoke.sh
Drop root requirement; fix crontab running as root; fix registry .tmp not cleaned on failure
hub/onboard-spoke.sh
Fix registry .tmp not cleaned on failure; chmod 600 key immediately after generation
hub/setup-hub.sh
Check permissions on existing SSH private keys in setup
Justin Oros
2026-04-18 14:12:05 -07:00
parent d925cd944a
commit e450456638
4 changed files with 35 additions and 20 deletions


@@ -94,6 +94,8 @@ else
ssh-keygen -t ed25519 -f "$KEY_PATH" -N ""
info "Key generated: $KEY_PATH"
fi
chmod 600 "$KEY_PATH"
info "Permissions set: $KEY_PATH is 600"
header "Copying Hub Key to Spoke"
info "Running ssh-copy-id to $SPOKE_USER@localhost:$TUNNEL_PORT..."
@@ -148,7 +150,12 @@ MOUNT_POINT="${HOME}/mnt/${SPOKE_NAME}"
mkdir -p "$MOUNT_POINT"
if grep -q "^${SPOKE_NAME} " "$REGISTRY" 2>/dev/null; then
warn "$SPOKE_NAME already in registry, updating."
(grep -v "^${SPOKE_NAME} " "$REGISTRY" || true) > "${REGISTRY}.tmp" && mv "${REGISTRY}.tmp" "$REGISTRY"
if grep -v "^${SPOKE_NAME} " "$REGISTRY" > "${REGISTRY}.tmp" 2>/dev/null || true; then
mv "${REGISTRY}.tmp" "$REGISTRY"
else
rm -f "${REGISTRY}.tmp"
die "Failed to update registry"
fi
fi
echo "${SPOKE_NAME} ${TUNNEL_PORT} ${KEY_PATH} ${MOUNT_POINT}" >> "$REGISTRY"
info "$SPOKE_NAME registered."
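Review bot: The `|| true` inside the new `if` condition in the second hunk makes the condition always succeed, so the `else` branch (`rm -f "${REGISTRY}.tmp"` and `die "Failed to update registry"`) can never run, and a partial or empty `${REGISTRY}.tmp` left by a failed grep is still moved over the registry. grep exits 1 when it selects no lines (legitimate when this spoke was the only entry) and greater than 1 on a real error, so the check should separate the two: `rc=0`, then `grep -v "^${SPOKE_NAME} " "$REGISTRY" > "${REGISTRY}.tmp" 2>/dev/null || rc=$?`, then `if [ "$rc" -le 1 ]; then`. Because each registry line carries a spoke's tunnel port and key path, a truncated file here would silently drop the other spokes' entries. `SPOKE_NAME` is also interpolated into the grep pattern as a regex, so a name containing `.` could match and remove a different entry unless it is validated earlier in the script, outside this hunk.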