installer: auto-sanitize legacy managed-node corruption and stale forward config

scripts/install.sh

@@ -476,6 +476,48 @@ migrate_ananke_config() {
   fi
 }
 
+sanitize_migrated_ananke_config() {
+  local cfg="${CONF_DIR}/ananke.yaml"
+  [[ -f "${cfg}" ]] || return 0
+
+  local tmp changed=0
+  tmp="$(mktemp)"
+
+  # Legacy migration bug guard:
+  # If root-level "- node" entries were accidentally appended after ssh_managed_nodes,
+  # drop those orphan entries until the next top-level key.
+  awk '
+    BEGIN {in_managed=0}
+    /^ssh_managed_nodes:[[:space:]]*$/ {in_managed=1; print; next}
+    {
+      if (in_managed) {
+        if ($0 ~ /^  - /) {print; next}
+        if ($0 ~ /^- /) {next}
+        if ($0 ~ /^[A-Za-z0-9_]+:[[:space:]]*/) {in_managed=0}
+      }
+      print
+    }
+  ' "${cfg}" > "${tmp}"
+
+  if ! cmp -s "${cfg}" "${tmp}"; then
+    mv "${tmp}" "${cfg}"
+    changed=1
+    echo "[install] sanitized malformed ssh_managed_nodes block in ${cfg}"
+  else
+    rm -f "${tmp}"
+  fi
+
+  if grep -Eq '^[[:space:]]*forward_shutdown_config:[[:space:]]*/etc/ananke/hecate.yaml[[:space:]]*$' "${cfg}"; then
+    sed -Ei 's#(^[[:space:]]*forward_shutdown_config:[[:space:]]*)/etc/ananke/hecate.yaml#\1/etc/ananke/ananke.yaml#' "${cfg}"
+    changed=1
+    echo "[install] migrated coordination.forward_shutdown_config to /etc/ananke/ananke.yaml"
+  fi
+
+  if [[ "${changed}" -eq 1 ]]; then
+    chmod 0640 "${cfg}" || true
+  fi
+}
+
 ensure_apt_packages() {
   local missing=()
   for pkg in "$@"; do
@@ -848,6 +890,7 @@ else
   echo "[install] keeping existing config at ${CONF_DIR}/ananke.yaml"
 fi
 migrate_ananke_config
+sanitize_migrated_ananke_config
 ensure_ananke_ssh_identity
 ensure_ananke_kubeconfig