core/host: shared host fingerprint refactor

Adds core/host.{h,c} — a single struct skeletonkey_host populated once
at startup and handed to every module callback via ctx->host. Replaces
the per-detect uname / /etc/os-release / sysctl / userns-fork-probe
calls scattered across the corpus with O(1) cached lookups, and gives
the dispatcher one consistent view of the host.

What's in the fingerprint:

- Identity: kernel_version (parsed from uname.release), arch (machine),
  nodename, distro_id / distro_version_id / distro_pretty (parsed once
  from /etc/os-release).
- Process state: euid, real_uid (defeats userns illusion via
  /proc/self/uid_map), egid, username, is_root, is_ssh_session.
- Platform family: is_linux, is_debian_family, is_rpm_family,
  is_arch_family, is_suse_family (file-existence checks once).
- Capability gates (Linux): unprivileged_userns_allowed (live
  fork+unshare probe), apparmor_restrict_userns,
  unprivileged_bpf_disabled, kpti_enabled, kernel_lockdown_active,
  selinux_enforcing, yama_ptrace_restricted.
- System services: has_systemd, has_dbus_system.

Wiring:

- core/module.h forward-declares struct skeletonkey_host and adds the
  pointer to skeletonkey_ctx. Modules opt-in by including
  ../../core/host.h.
- core/host.c is fully POD (no heap pointers) — uses a single file-
  static instance, returns a stable pointer on every call. Lazily
  populated on first skeletonkey_host_get().
- skeletonkey.c calls skeletonkey_host_get() at main() entry, stores
  in ctx.host before any register_*() runs.
- cmd_auto's bespoke distro-fingerprint code (was an inline
  read_os_release helper) is replaced with skeletonkey_host_print_banner(),
  which emits a two-line banner of identity + capability gates.

Migrations:

- dirtydecrypt: kernel_version_current() -> ctx->host->kernel.
- fragnesia: removed local fg_userns_allowed() fork-probe in favour of
  ctx->host->unprivileged_userns_allowed (no per-scan fork). Also
  pulls kernel from ctx->host. The PRECOND_FAIL message now notes
  whether AppArmor restriction is on.
- pack2theroot: access('/etc/debian_version') -> ctx->host->is_debian_family;
  also short-circuits when ctx->host->has_dbus_system is false (saves
  the GLib g_bus_get_sync attempt on systems without system D-Bus).
- overlayfs: replaced the inline is_ubuntu() /etc/os-release parser
  with ctx->host->distro_id comparison. Local helper preserved for
  symmetry / standalone builds.

Documentation: docs/ARCHITECTURE.md gains a 'Host fingerprint'
section describing the struct, the opt-in include pattern, and
example detect() usage. ROADMAP --auto accuracy log notes the
landing and flags remaining modules as an incremental follow-up.

Build verification:

- macOS (local): make clean && make -> Mach-O x86_64, 31 modules,
  banner prints with distro=?/? (no /etc/os-release).
- Linux (docker gcc:latest + libglib2.0-dev): make clean && make ->
  ELF 64-bit, 31 modules. Banner prints with kernel + distro=debian/13
  + 7 capability gates. dirtydecrypt correctly says 'predates the
  rxgk code added in 7.0'; fragnesia PRECOND_FAILs with
  '(host fingerprint)' annotation; pack2theroot PRECOND_FAILs on
  no-DBus; overlayfs reports 'not Ubuntu (distro=debian)'.

core/host.c

@@ -0,0 +1,265 @@
+/*
+ * SKELETONKEY — host fingerprint implementation
+ *
+ * Lives behind a one-shot lazy-init: skeletonkey_host_get() probes on
+ * first call, stores into a file-static, and returns the same pointer
+ * forever after. Single-threaded (skeletonkey is single-threaded), so
+ * no synchronisation needed.
+ */
+
+#include "host.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/utsname.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <pwd.h>
+
+#ifdef __linux__
+#include <sched.h>
+#include <sys/wait.h>
+#endif
+
+static struct skeletonkey_host g_host;
+static bool g_host_ready = false;
+
+/* ── small parser helpers ─────────────────────────────────────────── */
+
+/* Copy the value of a `KEY=VAL` line (stripping leading quotes and
+ * trailing quote / newline) into `dst`. Caller passes the start of the
+ * value (after `=`). Cap is the size of dst including NUL. */
+static void parse_os_release_value(const char *s, char *dst, size_t cap)
+{
+	const char *p = s;
+	if (*p == '"' || *p == '\'') p++;
+	size_t L = strcspn(p, "\"'\n");
+	if (L >= cap) L = cap - 1;
+	memcpy(dst, p, L);
+	dst[L] = '\0';
+}
+
+static bool path_exists(const char *p)
+{
+	struct stat st;
+	return stat(p, &st) == 0;
+}
+
+#ifdef __linux__
+/* Sysctl/sys-fs readers — Linux-only consumers (populate_caps). */
+static bool read_int_file(const char *path, int *out)
+{
+	FILE *f = fopen(path, "r");
+	if (!f) return false;
+	int v;
+	int n = fscanf(f, "%d", &v);
+	fclose(f);
+	if (n != 1) return false;
+	*out = v;
+	return true;
+}
+
+static bool read_first_line(const char *path, char *dst, size_t cap)
+{
+	FILE *f = fopen(path, "r");
+	if (!f) return false;
+	if (!fgets(dst, (int)cap, f)) { fclose(f); return false; }
+	fclose(f);
+	size_t n = strlen(dst);
+	while (n > 0 && (dst[n-1] == '\n' || dst[n-1] == '\r')) dst[--n] = '\0';
+	return true;
+}
+#endif
+
+/* ── populators ───────────────────────────────────────────────────── */
+
+static void populate_kernel(struct skeletonkey_host *h)
+{
+	struct utsname u;
+	if (uname(&u) == 0) {
+		/* utsname.machine/nodename can be up to 65 bytes on glibc; the
+		 * %.*s precision spec tells gcc the snprintf is bounded so it
+		 * does not warn about possible truncation (we WANT truncation;
+		 * the snprintf already caps). */
+		snprintf(h->arch,     sizeof h->arch,
+			 "%.*s", (int)sizeof(h->arch) - 1, u.machine);
+		snprintf(h->nodename, sizeof h->nodename,
+			 "%.*s", (int)sizeof(h->nodename) - 1, u.nodename);
+	}
+	/* kernel_version_current owns the static release-string buffer
+	 * and the parser — reuse it to keep one source of truth. */
+	kernel_version_current(&h->kernel);
+}
+
+static void populate_distro(struct skeletonkey_host *h)
+{
+	snprintf(h->distro_id,         sizeof h->distro_id,         "?");
+	snprintf(h->distro_version_id, sizeof h->distro_version_id, "?");
+	snprintf(h->distro_pretty,     sizeof h->distro_pretty,     "?");
+
+	FILE *f = fopen("/etc/os-release", "r");
+	if (!f) return;
+	char line[256];
+	while (fgets(line, sizeof line, f)) {
+		if (strncmp(line, "ID=", 3) == 0)
+			parse_os_release_value(line + 3,
+				h->distro_id, sizeof h->distro_id);
+		else if (strncmp(line, "VERSION_ID=", 11) == 0)
+			parse_os_release_value(line + 11,
+				h->distro_version_id, sizeof h->distro_version_id);
+		else if (strncmp(line, "PRETTY_NAME=", 12) == 0)
+			parse_os_release_value(line + 12,
+				h->distro_pretty, sizeof h->distro_pretty);
+	}
+	fclose(f);
+}
+
+static void populate_user(struct skeletonkey_host *h)
+{
+	h->euid = geteuid();
+	h->egid = getegid();
+	h->is_root = (h->euid == 0);
+	h->is_ssh_session = (getenv("SSH_CONNECTION") != NULL);
+
+	h->username[0] = '\0';
+	struct passwd *pw = getpwuid(h->euid);
+	if (pw && pw->pw_name)
+		snprintf(h->username, sizeof h->username, "%s", pw->pw_name);
+
+	/* Default: real_uid == euid (no userns). Try /proc/self/uid_map to
+	 * discover the outer uid if we're inside a user namespace. Format
+	 *
+	 *   "0 0 4294967295"      → init ns, outer == 0
+	 *   "0 1000 1"            → userns mapped, outer == 1000
+	 *
+	 * Only trust outer != 0 and != -1 as the bypass-userns case. */
+	h->real_uid = h->euid;
+	int fd = open("/proc/self/uid_map", O_RDONLY);
+	if (fd >= 0) {
+		char buf[256];
+		ssize_t n = read(fd, buf, sizeof buf - 1);
+		close(fd);
+		if (n > 0) {
+			buf[n] = '\0';
+			int inner = -1, outer = -1, count = 0;
+			if (sscanf(buf, "%d %d %d", &inner, &outer, &count) == 3 &&
+			    inner == 0 && outer > 0)
+				h->real_uid = (uid_t)outer;
+		}
+	}
+}
+
+static void populate_platform_family(struct skeletonkey_host *h)
+{
+#ifdef __linux__
+	h->is_linux = true;
+#else
+	h->is_linux = false;
+#endif
+	h->is_debian_family = path_exists("/etc/debian_version");
+	h->is_rpm_family    = path_exists("/etc/redhat-release") ||
+	                      path_exists("/etc/fedora-release") ||
+	                      path_exists("/etc/rocky-release") ||
+	                      path_exists("/etc/almalinux-release");
+	h->is_arch_family   = path_exists("/etc/arch-release");
+	h->is_suse_family   = path_exists("/etc/SuSE-release") ||
+	                      path_exists("/etc/SUSE-brand");
+}
+
+#ifdef __linux__
+/* fork+unshare(CLONE_NEWUSER) probe. Forks once; ~1ms cost. */
+static bool userns_probe(void)
+{
+	pid_t pid = fork();
+	if (pid < 0) return false;
+	if (pid == 0) {
+		_exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
+	}
+	int st;
+	if (waitpid(pid, &st, 0) < 0) return false;
+	return WIFEXITED(st) && WEXITSTATUS(st) == 0;
+}
+#endif
+
+static void populate_caps(struct skeletonkey_host *h)
+{
+	h->unprivileged_userns_allowed = false;
+	h->apparmor_restrict_userns    = false;
+	h->unprivileged_bpf_disabled   = false;
+	h->kpti_enabled                = false;
+	h->kernel_lockdown_active      = false;
+	h->selinux_enforcing           = false;
+	h->yama_ptrace_restricted      = false;
+
+#ifdef __linux__
+	h->unprivileged_userns_allowed = userns_probe();
+
+	int v = 0;
+	if (read_int_file("/proc/sys/kernel/apparmor_restrict_unprivileged_userns", &v))
+		h->apparmor_restrict_userns = (v != 0);
+	if (read_int_file("/proc/sys/kernel/unprivileged_bpf_disabled", &v))
+		h->unprivileged_bpf_disabled = (v != 0);
+	if (read_int_file("/sys/fs/selinux/enforce", &v))
+		h->selinux_enforcing = (v != 0);
+	if (read_int_file("/proc/sys/kernel/yama/ptrace_scope", &v))
+		h->yama_ptrace_restricted = (v > 0);
+
+	char buf[256];
+	if (read_first_line("/sys/devices/system/cpu/vulnerabilities/meltdown", buf, sizeof buf))
+		h->kpti_enabled = (strstr(buf, "Mitigation: PTI") != NULL);
+
+	/* /sys/kernel/security/lockdown format: "[none] integrity confidentiality"
+	 * — whichever level is bracketed is the active one. */
+	if (read_first_line("/sys/kernel/security/lockdown", buf, sizeof buf))
+		h->kernel_lockdown_active = (strstr(buf, "[none]") == NULL);
+#endif
+}
+
+static void populate_services(struct skeletonkey_host *h)
+{
+	h->has_systemd     = path_exists("/run/systemd/system");
+	h->has_dbus_system = path_exists("/run/dbus/system_bus_socket");
+}
+
+/* ── public entrypoints ───────────────────────────────────────────── */
+
+const struct skeletonkey_host *skeletonkey_host_get(void)
+{
+	if (g_host_ready) return &g_host;
+
+	memset(&g_host, 0, sizeof g_host);
+	populate_kernel(&g_host);
+	populate_distro(&g_host);
+	populate_user(&g_host);
+	populate_platform_family(&g_host);
+	populate_caps(&g_host);
+	populate_services(&g_host);
+	g_host.probe_source = "skeletonkey core/host.c";
+	g_host_ready = true;
+	return &g_host;
+}
+
+void skeletonkey_host_print_banner(const struct skeletonkey_host *h, bool json)
+{
+	if (json || h == NULL) return;
+	fprintf(stderr, "[*] host: %s%s%s  kernel=%s  arch=%s  distro=%s/%s\n",
+		h->nodename[0] ? h->nodename : "?",
+		h->is_root ? "  (ROOT)" : "",
+		h->is_ssh_session ? "  (SSH)" : "",
+		h->kernel.release ? h->kernel.release : "?",
+		h->arch[0] ? h->arch : "?",
+		h->distro_id[0] ? h->distro_id : "?",
+		h->distro_version_id[0] ? h->distro_version_id : "?");
+	fprintf(stderr, "[*] gates: userns=%s  aa_restrict=%s  bpf_disabled=%s  "
+			"kpti=%s  lockdown=%s  selinux=%s  yama_ptrace=%s\n",
+		h->unprivileged_userns_allowed ? "yes" : "no",
+		h->apparmor_restrict_userns    ? "on"  : "off",
+		h->unprivileged_bpf_disabled   ? "yes" : "no",
+		h->kpti_enabled                ? "on"  : "off",
+		h->kernel_lockdown_active      ? "on"  : "off",
+		h->selinux_enforcing           ? "on"  : "off",
+		h->yama_ptrace_restricted      ? "yes" : "no");
+}