pub fn validate_csr_against_fleet_host(
csr_pubkey_raw: &[u8],
declared_openssh_pubkey: Option<&str>,
) -> Result<()>Expand description
Bind agent identity to the host’s declared SSH host pubkey. Fail-closed:
no pubkey in fleet.nix ⇒ enrollment refused (declarative-enrollment
policy, no permissive fallback).