Dev #13

Merged: Warhammer4000 merged 11 commits into main from dev on Jun 11, 2026
Conversation

@Warhammer4000 (Contributor)

No description provided.

Refactor audit log handling and improve hardware/software collectors across platforms.

- Replace ad-hoc periodic audit ticker with a logging integration started/stopped by the CLI; remove the program-level audit goroutine and startup of AuditLogService.
- AuditLogService: introduce HTTP helpers (newRequest, doRequest), use context-aware SendBatchLogsWithContext, tighten types to map[string]any, improved logging, and smaller error messages; remove legacy generators/tests and deprecated batch helpers.
- RAM parsing: massively refactor dmidecode parsing with helper functions (fieldValue, applyDmidecodeField), better fallback logic (readTotalMemKB, ramTypeFromEDAC, lshw helpers, manufacturerFromDMI) and cleaner lshw parsing.
- Software collectors: set FirstSeenAt when available (mac: LastModified from system profiler, rpm: INSTALLTIME, windows: InstallDate, browser extensions: file mod time).
- Minor fixes: make systemd unit write exempt from gosec, normalize mac GPU CurrentStatus to "unknown".

These changes centralize HTTP request handling for audit logs, improve metadata accuracy for RAM and installed software, and simplify lifecycle management for the logging/audit flow.

Make audit-log checkpoint handling tolerant of different numeric types by adding CheckpointInt64/CheckpointFloat64 and updating platform collectors and parsers to use them (prevents panics after JSON round-trip). Parse syslog/mac timestamps in local time. Harden config handling: add token mutex with Get/Set accessors, atomic SaveAtomic refactor to use unique temp files and platform-specific hardening (Unix chmod / Windows DACL), reconcile persisted version with runtime, and add concurrency tests. Improve lockfile and startup semantics: use a version-independent lock name, close-before-remove, platform-specific non-destructive IsProcessRunning implementations, and make service startup synchronous with proper lock release on failure. Misc: enhanced auth token refresh logic (skewed preemptive refresh), assorted tests, and README/documentation updates.

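
The checkpoint accessors this commit describes, as an added example that is not the project's code: `CheckpointInt64`, `CheckpointFloat64` and `roundTrip` are hypothetical re-implementations showing why a bare type assertion panics once a checkpoint has been through `json.Marshal`/`json.Unmarshal`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
)

// Added example, not the project's code. After a JSON round-trip every number
// in a map[string]any is a float64, so cp["offset"].(int64) panics at runtime;
// these accessors accept whichever concrete type the map actually holds.
func CheckpointInt64(cp map[string]any, key string) (int64, bool) {
	switch v := cp[key].(type) {
	case int64:
		return v, true
	case float64:
		if v != math.Trunc(v) || v >= float64(1<<63) || v < -float64(1<<63) {
			return 0, false // fraction or out of int64 range: do not truncate
		}
		return int64(v), true
	case json.Number: // produced when the decoder used UseNumber()
		n, err := v.Int64()
		return n, err == nil
	}
	return 0, false
}

func CheckpointFloat64(cp map[string]any, key string) (float64, bool) {
	switch v := cp[key].(type) {
	case float64:
		return v, true
	case int64:
		return float64(v), true
	}
	return 0, false
}

// roundTrip mimics persisting a checkpoint to disk and loading it back.
func roundTrip(cp map[string]any) (map[string]any, error) {
	b, err := json.Marshal(cp)
	if err != nil {
		return nil, err
	}
	var out map[string]any
	return out, json.Unmarshal(b, &out)
}

func main() {
	rt, _ := roundTrip(map[string]any{"offset": int64(42)})
	fmt.Println(CheckpointInt64(rt, "offset")) // 42 true, although rt["offset"] is now a float64
}
```
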
Add ed25519-based release signing and verification plus safety fixes for task execution and agent info collection.

- Release/CI: run scripts/sign in release workflow and upload SHA256SUMS; add `sign` target to Makefile and integrate it into `make release`. Requires SENTINELGO_SIGNING_KEY env var.
- Updater: selectAssetWithChecksum now locates .sig and SHA256SUMS; downloadAndVerify verifies SHA256 and ed25519 signature (fail-closed on missing/invalid .sig); added embedded PublicKey and signature verification helpers and tests.
- Tools: add scripts/sign (create .sig and SHA256SUMS) and scripts/keygen (generate keypair and outputs for CI/pubkey).
- Tasks: prevent unsafe re-execution by marking tasks 'executing' before running, add ResetInterruptedTasks to mark stuck tasks as failed, wire ResetInterruptedTasks into polling startup flow, and add unit tests for store behavior.
- Executor: refactor to executeTask to reduce complexity, ensure marking as executing before run and report results.
- Scheduler/config: reduce agent-info update interval to 5m and add a timeout around osinfo.Collect to avoid hangs; add scheduler logging for intervals.

These changes improve update authenticity (signed releases) and runtime robustness (task state safety and hung-collection protection).
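
How the fail-closed download check in this commit can be structured, as an added example (not the project's updater code): `VerifyRelease` and `expectedSum` are hypothetical names, and the example assumes the `.sig` is a detached ed25519 signature over the asset bytes and that `SHA256SUMS` uses the `sha256sum` line format, neither of which the commit message confirms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Added example, not the project's updater. Assumes a detached ed25519 .sig
// over the asset bytes and a SHA256SUMS file in sha256sum's "<hex>  <name>" format.
func expectedSum(sums []byte, name string) (string, bool) {
	for _, line := range strings.Split(string(sums), "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && strings.TrimPrefix(f[1], "*") == name {
			return strings.ToLower(f[0]), true
		}
	}
	return "", false
}

// VerifyRelease fails closed: a missing .sig, an invalid signature, an
// unlisted asset or a checksum mismatch all reject the download.
func VerifyRelease(pub ed25519.PublicKey, name string, asset, sums, sig []byte) error {
	if len(sig) == 0 {
		return errors.New("verify: .sig missing, refusing unsigned release")
	}
	if !ed25519.Verify(pub, asset, sig) {
		return errors.New("verify: ed25519 signature invalid")
	}
	want, ok := expectedSum(sums, name)
	if !ok {
		return fmt.Errorf("verify: %s not listed in SHA256SUMS", name)
	}
	if got := sha256.Sum256(asset); hex.EncodeToString(got[:]) != want {
		return errors.New("verify: SHA-256 mismatch")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the CI keypair
	asset := []byte("constructed release asset")
	sums := []byte(fmt.Sprintf("%x  agent_linux_amd64\n", sha256.Sum256(asset)))
	fmt.Println(VerifyRelease(pub, "agent_linux_amd64", asset, sums, ed25519.Sign(priv, asset)))
	fmt.Println(VerifyRelease(pub, "agent_linux_amd64", asset, sums, nil))
}
```

`ed25519.Verify` panics on a public key of the wrong length, so validate the embedded key's size once at startup rather than inside the download path.
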

Add cross-platform USB mass storage state collection and related refactors/tests.

- macOS: add collectUSBMassStorage which reads MDM plist via plutil or checks kextstat; add JSON parser and tests. Introduce avCrowdStrikeFalcon constant and small struct formatting changes.
- Linux: detect usb_storage via /sys/module or modprobe.d blacklists (scan *.conf); add helpers usbStorageStateFromModprobeDir and usbStorageStateFromConfFile with tests. Refactor SELinux and SecureBoot parsing into standalone helpers and use filepath for efivars lookup. Extract AV service probing into probeAVService.
- Windows: add collectUSBMassStorage that queries USBSTOR Start DWORD and maps it to enabled/disabled with tests for mapping.
- Shared: add USBMassStorageEnabled field to SecurityInfo JSON type.
- CI: ensure shell scripts are executable in release workflow.

These changes enable reporting of whether removable USB mass storage is permitted, improve parsing/testability of several platform checks, and make release scripts executable.
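
The modprobe.d part of the Linux check in this commit, as an added example (not the project's collector): the helper names mirror the ones in the message but the code here is my own, the mapping of blacklist/install rules to "disabled" and everything else to "unknown" is an assumption, and the `/sys/module/usb_storage` presence test the message also mentions is a plain `os.Stat` left out of this block.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Added example, not the project's collector. Assumed mapping: a modprobe.d
// rule that blacklists usb_storage, or binds its install command to
// /bin/false or /bin/true (the usual CIS-style hardening), means "disabled";
// anything else leaves the driver free to load, reported here as "unknown".
func usbStorageStateFromConf(content string) string {
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		// modprobe treats '-' and '_' in module names as equivalent.
		if len(f) < 2 || strings.ReplaceAll(f[1], "-", "_") != "usb_storage" {
			continue
		}
		if f[0] == "blacklist" {
			return "disabled"
		}
		if f[0] == "install" && len(f) > 2 && (f[2] == "/bin/false" || f[2] == "/bin/true") {
			return "disabled"
		}
	}
	return "unknown"
}

// usbStorageStateFromModprobeDir scans every *.conf in dir, as modprobe does
// for /etc/modprobe.d; one disabling rule in any file is enough.
func usbStorageStateFromModprobeDir(dir string) string {
	confs, _ := filepath.Glob(filepath.Join(dir, "*.conf"))
	for _, p := range confs {
		b, err := os.ReadFile(p)
		if err == nil && usbStorageStateFromConf(string(b)) == "disabled" {
			return "disabled"
		}
	}
	return "unknown"
}

func main() {
	fmt.Println(usbStorageStateFromModprobeDir("/etc/modprobe.d"))
}
```

A `blacklist` line only stops alias-based autoloading, so an explicit `modprobe usb_storage` still succeeds; the `install ... /bin/false` form is the one that blocks both paths, which is why both are treated as policy here.
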
@Warhammer4000 Warhammer4000 enabled auto-merge (rebase) June 11, 2026 16:40
for _, e := range entries {
if strings.HasPrefix(e.Name(), "SecureBoot-") {
data, rerr := os.ReadFile("/sys/firmware/efi/efivars/" + e.Name())
data, rerr := os.ReadFile(filepath.Join(efivarsDir, e.Name()))
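
Review bot: `strings.HasPrefix(e.Name(), "SecureBoot-")` accepts any efivars entry whose name starts with that prefix and reads the first match, so a vendor-specific variable with a similar name could shadow the real one; matching the exact EFI global variable name (`SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c`) is safer. Also make sure the case where the loop never matches (no efivars at all, for example a legacy BIOS boot) is reported as unknown rather than as Secure Boot disabled. Switching to `filepath.Join(efivarsDir, e.Name())` is a good change: tests can point `efivarsDir` at a temp directory instead of the live `/sys/firmware/efi/efivars`.
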
// replaced binary has a completely different hash, so without this launchd
// cannot restart the updated binary (Gatekeeper rejects it silently).
func recodesignForGatekeeper(selfPath string) {
_ = exec.Command("xattr", "-d", "com.apple.quarantine", selfPath).Run()
// cannot restart the updated binary (Gatekeeper rejects it silently).
func recodesignForGatekeeper(selfPath string) {
_ = exec.Command("xattr", "-d", "com.apple.quarantine", selfPath).Run()
_ = exec.Command("codesign", "--force", "--sign", "-", selfPath).Run()
func recodesignForGatekeeper(selfPath string) {
_ = exec.Command("xattr", "-d", "com.apple.quarantine", selfPath).Run()
_ = exec.Command("codesign", "--force", "--sign", "-", selfPath).Run()
_ = exec.Command("spctl", "--add", selfPath).Run()
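
Review bot: every command in recodesignForGatekeeper discards its error with `_ =`, yet the comment just above says that if this step fails launchd cannot restart the updated binary; capture the error (and stderr) of each of `xattr`, `codesign` and `spctl` and return it so the updater can roll back or log loudly instead of leaving an unlaunchable agent behind. Two more points worth a sentence in the comment: `codesign --force --sign -` replaces whatever signature the release binary carried with an ad-hoc one, so this must run only after the ed25519 verification of the download has succeeded, and `spctl --add` edits the system assessment policy, which only works with elevated privileges, so a non-root run fails silently here.
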
auto-merge was automatically disabled June 11, 2026 17:33

Rebase failed

@sonarqubecloud

Quality Gate failed

Failed conditions
9 Security Hotspots
27.6% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@Warhammer4000 Warhammer4000 enabled auto-merge June 11, 2026 17:36
@Warhammer4000 Warhammer4000 merged commit a843e33 into main Jun 11, 2026
22 of 24 checks passed