Bug Fixes
- Fix Windows SSH key permissions (take 3) — The previous icacls-based approach failed to fully clean up inherited ACEs on some Windows configurations, causing OpenSSH to still reject the key with "Permission denied." Now uses PowerShell to build a completely fresh ACL from scratch with only SYSTEM and Administrators read access — no leftover ACEs are possible. Falls back to icacls with SIDs if PowerShell is unavailable.
- Added diagnostic logging — After setting key permissions, the agent now verifies the key is readable and logs the actual ACL if it's not, making future debugging much easier.