core/host: shared host fingerprint refactor

Adds core/host.{h,c} — a single struct skeletonkey_host populated once
at startup and handed to every module callback via ctx->host. Replaces
the per-detect uname / /etc/os-release / sysctl / userns-fork-probe
calls scattered across the corpus with O(1) cached lookups, and gives
the dispatcher one consistent view of the host.

What's in the fingerprint:

- Identity: kernel_version (parsed from uname.release), arch (machine),
  nodename, distro_id / distro_version_id / distro_pretty (parsed once
  from /etc/os-release).
- Process state: euid, real_uid (defeats userns illusion via
  /proc/self/uid_map), egid, username, is_root, is_ssh_session.
- Platform family: is_linux, is_debian_family, is_rpm_family,
  is_arch_family, is_suse_family (file-existence checks once).
- Capability gates (Linux): unprivileged_userns_allowed (live
  fork+unshare probe), apparmor_restrict_userns,
  unprivileged_bpf_disabled, kpti_enabled, kernel_lockdown_active,
  selinux_enforcing, yama_ptrace_restricted.
- System services: has_systemd, has_dbus_system.

Wiring:

- core/module.h forward-declares struct skeletonkey_host and adds the
  pointer to skeletonkey_ctx. Modules opt-in by including
  ../../core/host.h.
- core/host.c is fully POD (no heap pointers) — uses a single file-
  static instance, returns a stable pointer on every call. Lazily
  populated on first skeletonkey_host_get().
- skeletonkey.c calls skeletonkey_host_get() at main() entry, stores
  in ctx.host before any register_*() runs.
- cmd_auto's bespoke distro-fingerprint code (was an inline
  read_os_release helper) is replaced with skeletonkey_host_print_banner(),
  which emits a two-line banner of identity + capability gates.

Migrations:

- dirtydecrypt: kernel_version_current() -> ctx->host->kernel.
- fragnesia: removed local fg_userns_allowed() fork-probe in favour of
  ctx->host->unprivileged_userns_allowed (no per-scan fork). Also
  pulls kernel from ctx->host. The PRECOND_FAIL message now notes
  whether AppArmor restriction is on.
- pack2theroot: access('/etc/debian_version') -> ctx->host->is_debian_family;
  also short-circuits when ctx->host->has_dbus_system is false (saves
  the GLib g_bus_get_sync attempt on systems without system D-Bus).
- overlayfs: replaced the inline is_ubuntu() /etc/os-release parser
  with ctx->host->distro_id comparison. Local helper preserved for
  symmetry / standalone builds.

Documentation: docs/ARCHITECTURE.md gains a 'Host fingerprint'
section describing the struct, the opt-in include pattern, and
example detect() usage. ROADMAP --auto accuracy log notes the
landing and flags remaining modules as an incremental follow-up.

Build verification:

- macOS (local): make clean && make -> Mach-O x86_64, 31 modules,
  banner prints with distro=?/? (no /etc/os-release).
- Linux (docker gcc:latest + libglib2.0-dev): make clean && make ->
  ELF 64-bit, 31 modules. Banner prints with kernel + distro=debian/13
  + 7 capability gates. dirtydecrypt correctly says 'predates the
  rxgk code added in 7.0'; fragnesia PRECOND_FAILs with
  '(host fingerprint)' annotation; pack2theroot PRECOND_FAILs on
  no-DBus; overlayfs reports 'not Ubuntu (distro=debian)'.

skeletonkey.c

@@ -18,6 +18,7 @@
 #include "core/module.h"
 #include "core/registry.h"
 #include "core/offsets.h"
+#include "core/host.h"
 
 #include <time.h>
 #include <sys/utsname.h>
@@ -724,32 +725,8 @@ static skeletonkey_result_t run_detect_isolated(
     return SKELETONKEY_TEST_ERROR;
 }
 
-/* Best-effort host distro fingerprint via /etc/os-release. Populates
- * id_out and ver_out with up to 63 chars each; falls back to "?" when
- * /etc/os-release is missing or unparseable. */
-static void read_os_release(char *id_out, size_t id_cap,
-                            char *ver_out, size_t ver_cap)
-{
-    snprintf(id_out, id_cap, "?");
-    snprintf(ver_out, ver_cap, "?");
-    FILE *f = fopen("/etc/os-release", "r");
-    if (!f) return;
-    char line[256];
-    while (fgets(line, sizeof line, f)) {
-        const char *key = NULL; char *dst = NULL; size_t cap = 0;
-        if (strncmp(line, "ID=", 3) == 0) {
-            key = line + 3; dst = id_out; cap = id_cap;
-        } else if (strncmp(line, "VERSION_ID=", 11) == 0) {
-            key = line + 11; dst = ver_out; cap = ver_cap;
-        } else continue;
-        const char *v = key;
-        if (*v == '"' || *v == '\'') v++;
-        size_t L = strcspn(v, "\"'\n");
-        if (L >= cap) L = cap - 1;
-        memcpy(dst, v, L); dst[L] = '\0';
-    }
-    fclose(f);
-}
+/* Host fingerprint parsing (ID / VERSION_ID / kernel / arch) lives in
+ * core/host.c; cmd_auto consults ctx->host via the shared banner. */
 
 static int cmd_auto(struct skeletonkey_ctx *ctx)
 {
@@ -776,11 +753,8 @@ static int cmd_auto(struct skeletonkey_ctx *ctx)
     bool prev_active = ctx->active_probe;
     ctx->active_probe = true;
 
-    struct utsname u; uname(&u);
-    char distro_id[64], distro_ver[64];
-    read_os_release(distro_id, sizeof distro_id, distro_ver, sizeof distro_ver);
-    fprintf(stderr, "[*] auto: host=%s distro=%s/%s kernel=%s arch=%s\n",
-            u.nodename, distro_id, distro_ver, u.release, u.machine);
+    /* Two-line host fingerprint banner (identity + capability gates). */
+    skeletonkey_host_print_banner(ctx->host, ctx->json);
     fprintf(stderr, "[*] auto: active probes enabled — brief /tmp file "
                     "touches and fork-isolated namespace probes\n");
     fprintf(stderr, "[*] auto: scanning %zu modules for vulnerabilities...\n",
@@ -958,6 +932,12 @@ int main(int argc, char **argv)
     const char *target = NULL;
     int i_know = 0;
 
+    /* Probe the host once, up front. ctx.host is a stable pointer
+     * shared by every module callback; populating now means each
+     * detect() sees the same fingerprint and no module has to re-do
+     * uname/getpwuid/sysctl reads. See core/host.{h,c}. */
+    ctx.host = skeletonkey_host_get();
+
     enum detect_format dr_fmt = FMT_AUDITD;
     static struct option longopts[] = {
         {"scan",          no_argument,       0, 'S'},