fix(enroll): thirteenth audit — age-keygen silent fail, compose fail-fast, docker-compose die, harmonia cat, minisign size check

[mdheller]

Summary

• MEDIUM — age-keygen 2>/dev/null > "${AGE_KEY}.tmp": stderr suppressed with no || die. A failure fires set -e with zero output — the error is hidden by 2>/dev/null and our script prints nothing. Added || die with a clear message; kept 2>/dev/null to suppress the redundant "Public key: age1..." line age-keygen always prints on success (we re-print it ourselves via info).
• LOW — COMPOSE_ENV_EXAMPLE existence check was after both gen_password calls. If the template is missing the script dies correctly, but two passwords were already generated and discarded. Reordered: check template first, then generate passwords (fail fast before spending entropy).
• LOW — docker-compose up -d had no || die. Docker-compose prints its own errors but left no docker-compose logs remediation hint. Added || die pointing at the logs command.
• LOW — HARMONIA_PUBKEY=$(cat "${HARMONIA_PUB}") had no || die. File was just created so failure is extremely unlikely, but inconsistent with every other critical-path cat now guarded. Added || die.
• LOW — minisign -G had no post-generation [[ -s ]] check. The downstream SIGNING_PUBKEY guard catches an empty pubfile but with a generic "malformed" message. The new check fires immediately after keygen with "check disk space on SOURCEOS_DIR".

Test plan

• bash -n scripts/enroll.sh — syntax clean
• Simulate age-keygen failure (e.g. chmod 000 /dev/urandom) → || die fires with readable message, not silent exit
• Delete COMPOSE_ENV_EXAMPLE before step 4 → die fires before any gen_password call
• Cause docker-compose up to fail → die fires with logs command in message
• Corrupt HARMONIA_PUB permissions → cat || die fires with remediation
• Simulate full /etc/sourceos disk → minisign [[ -s ]] check fires with "check disk space"