refactor: Rename pulse-temp-proxy to pulse-sensor-proxy

The name "temp-proxy" implied a temporary or incomplete implementation. The new name better reflects its purpose as a secure sensor data bridge for containerized Pulse deployments.

Changes:
- Renamed cmd/pulse-temp-proxy/ to cmd/pulse-sensor-proxy/
- Updated all path constants and binary references
- Renamed environment variables: PULSE_TEMP_PROXY_* to PULSE_SENSOR_PROXY_*
- Updated systemd service and service account name
- Updated installation, rotation, and build scripts
- Renamed hardening documentation
- Maintained backward compatibility for key removal during upgrades

cmd/pulse-temp-proxy/auth.go

@@ -1,52 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"net"
-	"syscall"
-
-	"github.com/rs/zerolog/log"
-)
-
-// verifyPeerCredentials checks if the connecting process is authorized
-// Returns nil if authorized, error otherwise
-func verifyPeerCredentials(conn net.Conn) error {
-	// Get the underlying file descriptor
-	unixConn, ok := conn.(*net.UnixConn)
-	if !ok {
-		return fmt.Errorf("not a unix connection")
-	}
-
-	file, err := unixConn.File()
-	if err != nil {
-		return fmt.Errorf("failed to get file descriptor: %w", err)
-	}
-	defer file.Close()
-
-	fd := int(file.Fd())
-
-	// Get peer credentials using SO_PEERCRED
-	cred, err := syscall.GetsockoptUcred(fd, syscall.SOL_SOCKET, syscall.SO_PEERCRED)
-	if err != nil {
-		return fmt.Errorf("failed to get peer credentials: %w", err)
-	}
-
-	log.Debug().
-		Int32("pid", cred.Pid).
-		Uint32("uid", cred.Uid).
-		Uint32("gid", cred.Gid).
-		Msg("Peer credentials")
-
-	// Allow root (UID 0) - this covers most service scenarios
-	if cred.Uid == 0 {
-		return nil
-	}
-
-	// Allow the proxy's own user (for testing/debugging)
-	if cred.Uid == uint32(syscall.Getuid()) {
-		return nil
-	}
-
-	// Reject all other users
-	return fmt.Errorf("unauthorized: uid=%d gid=%d", cred.Uid, cred.Gid)
-}