quick.sh: stage+install agent to avoid ETXTBSY, restart service

Re-running quick.sh on a host where vetting-reporter was already
running failed with curl error 23 because curl can't overwrite a
busy executable. Download to a staging path, then use `install(1)`
which unlinks the target before writing. Swap `enable --now` for
`enable` + `restart` so the service picks up the new binary.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/web/register/quick.sh.tmpl

@@ -193,13 +193,19 @@ install_agent() {
     fi
     echo "Installing vetting-reporter service..."
     install -d /etc/vetting /usr/local/bin
-    if ! curl -fsSL "${ORCH_URL}/assets/vetting-agent-linux-amd64" \
+    # Download to a staging path, then use `install` — it unlinks the
-            -o /usr/local/bin/vetting-agent; then
+    # target before writing, so re-running quick.sh on a host where
+    # vetting-reporter is already running doesn't hit ETXTBSY
+    # (curl error 23: write error on a busy executable).
+    local staged="/usr/local/bin/.vetting-agent.new"
+    if ! curl -fsSL "${ORCH_URL}/assets/vetting-agent-linux-amd64" -o "${staged}"; then
         echo "WARN: could not download agent from ${ORCH_URL}/assets/vetting-agent-linux-amd64"
         echo "WARN: registration succeeded but the host won't heartbeat."
+        rm -f "${staged}"
         return
     fi
-    chmod +x /usr/local/bin/vetting-agent
+    install -m 0755 "${staged}" /usr/local/bin/vetting-agent
+    rm -f "${staged}"
     cat >/etc/vetting/host-agent.yaml <<YAML
 orchestrator_url: "${ORCH_URL}"
 mac: "${MAC}"
@@ -220,7 +226,10 @@ RestartSec=5
 WantedBy=multi-user.target
 UNIT
     systemctl daemon-reload
-    systemctl enable --now vetting-reporter.service
+    systemctl enable vetting-reporter.service
+    # `restart` instead of `start`: if the service was already running
+    # from a prior quick.sh, this picks up the newly-installed binary.
+    systemctl restart vetting-reporter.service
     echo "vetting-reporter.service enabled."
 }
 install_agent