feat: WiFi AP mode with USB key-derived passphrase #22

@SkogsErik

Description

Overview

Implement WiFi Access Point mode so the HavenLink device can broadcast a mesh hotspot, with the WiFi passphrase derived from the USB identity key.

Depends on: #24 (havenlink-tools)


Part 1: Wire up WiFi AP mode

Config files already exist (config/hostapd.conf, config/dnsmasq.conf). Remaining work:

  • Add hostapd and dnsmasq to the default runlevel in build-image.sh
  • Configure wlan0 with static IP 10.0.0.1/24 in /etc/network/interfaces
  • Update config/hostapd.conf: replace wpa_passphrase with wpa_passphrase_file=/run/hostapd.psk
  • Add nftables rules: allow DHCP (UDP 67/68) and mesh ports (9001-9010) on wlan0
  • isolate_clients=1 already set — clients cannot reach each other, only the HavenLink node

Part 2: USB key-derived WiFi passphrase

Implemented in havenlink-tools wifi start (see #24):

  1. havenlink-tools usb init --device /dev/sdb writes wifi-salt (32 random bytes) to USB key
  2. At boot or on demand: havenlink-tools wifi start --device /dev/sdb
    • Reads wifi-salt from USB
    • Derives passphrase: HKDF-SHA256(wifi-salt, info="havenlink-wifi-v1") → base64url → 43 chars
    • Writes to /run/hostapd.psk (tmpfs, mode 0600)
    • Starts hostapd
  3. No USB key = WiFi AP does not start
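The Part 2 derivation and PSK-file handling, written out as an added example (this is not code from havenlink-tools or the issue author). It assumes wifi-salt is the HKDF input keying material with the HKDF salt parameter left empty, a 32-byte output (which is what 43 unpadded base64url characters encode), and a passphrase file holding one line; the function names are mine.

```python
import base64
import hashlib
import hmac
import os
import tempfile

HKDF_INFO = b"havenlink-wifi-v1"  # info string named in the issue
OKM_LEN = 32                       # 32 bytes -> 43 unpadded base64url chars

def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF-SHA256: extract a PRK, then expand it to `length` bytes."""
    if not salt:  # RFC 5869: an absent salt means HashLen zero bytes
        salt = b"\x00" * hashlib.sha256().digest_size
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def is_valid_wpa2_passphrase(p: str) -> bool:
    """WPA2-PSK passphrases are 8..63 printable ASCII characters."""
    return 8 <= len(p) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in p)

def derive_passphrase(wifi_salt: bytes) -> str:
    """Map the 32-byte wifi-salt from the USB key to the 43-char WPA2 passphrase.
    Assumption (not in the issue): wifi-salt is the HKDF input keying material
    and the HKDF salt parameter is left empty."""
    if len(wifi_salt) != 32:
        raise ValueError("wifi-salt must be exactly 32 bytes")
    okm = hkdf_sha256(wifi_salt, HKDF_INFO, OKM_LEN)
    passphrase = base64.urlsafe_b64encode(okm).rstrip(b"=").decode("ascii")
    if not is_valid_wpa2_passphrase(passphrase):  # 43 chars of [A-Za-z0-9_-]
        raise RuntimeError("derived passphrase violates WPA2 passphrase rules")
    return passphrase

def write_psk(path: str, passphrase: str) -> None:
    """Create the PSK file 0600 from the start and rename it into place atomically.
    Assumes one passphrase per line; /run (tmpfs) is the intended directory."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".psk-")
    try:  # mkstemp opens with mode 0600, so the file is never world-readable
        with os.fdopen(fd, "w") as f:
            f.write(passphrase + "\n")
        os.replace(tmp, path)  # hostapd never observes a partial file
    except BaseException:
        os.unlink(tmp)
        raise
```

A constructed salt such as `bytes(range(32))` stands in for the 32 bytes read from the USB key; rotating the salt yields an unrelated passphrase, which is the property Security Properties relies on.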

Security Properties

  • Passphrase never stored on device (tmpfs only, wiped on reboot/stop)
  • Physical USB key required to stand up the WiFi network
  • Rotating wifi-salt invalidates all previously shared passphrases
  • HKDF is one-way: recovering the passphrase (by brute force or otherwise) reveals nothing about the wifi-salt on the USB key

Acceptance Criteria

  • Device creates HavenLink-Mesh SSID when wlan0 is present and USB key is inserted
  • WiFi passphrase is derived from USB key, not hardcoded
  • No USB key = WiFi AP does not start
  • Clients can connect and reach havenlink on ports 9001-9010
  • Clients are isolated from each other (isolate_clients=1)
  • Passphrase exists only in tmpfs, wiped on reboot
