feat: Asahi validation tests, rootfs build fixes, shellcheck-clean scripts

- Add 16 validation tests: shellcheck (3 roles), installer_data.json
  schema (8), Python parser validation, ZIP structure (3), rootfs mount
- Fix empty SSH keys generating invalid bash (SC1073)
- Fix __dirname crash in ESM modules (use import.meta.url)
- Fix rootfs build: mkdir -p before writing, correct binary paths
- Add .gitignore for large build artifacts (.asahi-cache, *.zip)
- Bump smoke test timeout for additional static plugin registration

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

bastion/src/bastion/src/templates/asahi-firstboot.sh.ts

@@ -39,8 +39,13 @@ export function renderFirstbootScript(params: AsahiFirstbootParams): string {
     roleFstabLines.push('echo "/dev/labvg/longhorn /var/lib/longhorn xfs defaults 0 0" >> /etc/fstab');
   }
 
-  // SSH key lines for authorized_keys
-  const sshKeyLines = sshKeys.map(k => `echo '${k}'`).join('\n');
+  // SSH key injection block (empty if no keys)
+  const sshKeyBlock = sshKeys.length > 0
+    ? sshKeys.map(k => `echo '${k}' >> "$ADMIN_SSH/authorized_keys"`).join('\n')
+    : 'true  # no SSH keys configured';
+  const rootSshKeyBlock = sshKeys.length > 0
+    ? sshKeys.map(k => `echo '${k}' >> /root/.ssh/authorized_keys`).join('\n')
+    : 'true  # no SSH keys configured';
 
   // NOTE: All bash $ references use $VAR not \${VAR} to avoid TS template conflicts.
   // Where ${} is needed in bash, we use \\${...} to escape.
@@ -230,14 +235,14 @@ fi
 ADMIN_SSH="/home/${adminUser}/.ssh"
 mkdir -p "$ADMIN_SSH"
 chmod 700 "$ADMIN_SSH"
-(${sshKeyLines}) >> "$ADMIN_SSH/authorized_keys"
+${sshKeyBlock}
 chmod 600 "$ADMIN_SSH/authorized_keys"
 chown -R ${adminUser}:${adminUser} "$ADMIN_SSH"
 
 # Also authorize root
 mkdir -p /root/.ssh
 chmod 700 /root/.ssh
-(${sshKeyLines}) >> /root/.ssh/authorized_keys
+${rootSshKeyBlock}
 chmod 600 /root/.ssh/authorized_keys
 
 # ── Harden SSH (takes effect on next sshd restart/reboot) ────────