feat: multi-distro VM tests, ja4ebpf eBPF improvements, bot-detector scoring

ja4ebpf:
- Refactor BPF TC capture with improved SYN offset handling and TCP option parsing
- Enhance TLS uprobe SSL hooking for better key extraction
- Add ClickHouse writer improvements for HTTP log materialized views
- Update RPM spec for Rocky Linux 8/9/10, fix systemd service
- Simplify loader with cleaner bpf2go integration

bot-detector:
- Add H2 SETTINGS per-parameter comparison in browser_matcher
- Enhance browser signatures and scoring pipeline
- Improve preprocessing and cycle detection

infra:
- Multi-distro Vagrantfile (centos8, rocky9, rocky10) with per-distro provisioning
- New Makefile targets: vm-up-all, test-vm-matrix, test-vm-centos8/rocky10
- Add debug helpers and run-test-from-host.sh for host-driven VM testing
- Update run-tests-vm.sh for cross-distro compatibility
- Remove accidental binary blob (\004)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tests/vm/provision-el8.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# =============================================================================
+# provision-el8.sh — Provisionnement CentOS 8 (dépôts archivés vault)
+#
+# CentOS 8 est EOL depuis juin 2024. Les dépôts sont sur vault.centos.org.
+# =============================================================================
+set -euo pipefail
+
+log() { echo "[provision] $(date +%H:%M:%S) $*"; }
+
+# ── 1. Rediriger les dépôts vers vault.centos.org ─────────────────────────────
+log "Configuration des dépôts CentOS 8 vault..."
+sed -i 's|^mirrorlist=|#mirrorlist=|' /etc/yum.repos.d/CentOS-*.repo 2>/dev/null || true
+sed -i 's|^#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|' /etc/yum.repos.d/CentOS-*.repo 2>/dev/null || true
+dnf clean all
+dnf update -y --quiet
+
+# ── 2. Toolchain eBPF ────────────────────────────────────────────────────────
+log "Installation toolchain eBPF..."
+dnf install -y \
+    clang llvm libbpf-devel bpftool \
+    kernel-devel-$(uname -r) \
+    make git curl tar gzip \
+    epel-release dnf-plugins-core || true
+
+# ── 3. Go ─────────────────────────────────────────────────────────────────────
+log "Installation de Go..."
+GO_VERSION="1.24.3"
+if ! command -v go &>/dev/null || [[ "$(go version 2>/dev/null | awk '{print $3}')" != "go${GO_VERSION}" ]]; then
+    curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -o /tmp/go.tar.gz
+    rm -rf /usr/local/go
+    tar -C /usr/local -xzf /tmp/go.tar.gz
+    rm /tmp/go.tar.gz
+fi
+
+cat > /etc/profile.d/go.sh << 'EOF'
+export PATH="/usr/local/go/bin:$PATH"
+export GOPATH="/home/vagrant/go"
+EOF
+
+# ── 4. Serveurs web (nginx + httpd) + TLS + hitch + varnish ────────────────────
+log "Installation des serveurs web et reverse proxy..."
+dnf install -y nginx openssl curl
+dnf install -y httpd mod_ssl || true
+dnf install -y hitch varnish || true
+
+# ── 5. Python3 + outils de test ──────────────────────────────────────────────
+log "Installation Python3 et outils de test..."
+dnf install -y python3 python3-pip
+pip3 install --quiet "httpx[http2]" requests 2>/dev/null || pip3 install --quiet httpx requests
+
+# ── 6. Montage tracefs + debugfs ─────────────────────────────────────────────
+log "Configuration des pseudo-systèmes de fichiers eBPF..."
+mount -t tracefs tracefs /sys/kernel/tracing 2>/dev/null || true
+mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null || true
+
+# ── 7. Build ja4ebpf ─────────────────────────────────────────────────────────
+log "Build initial de ja4ebpf..."
+export PATH="/usr/local/go/bin:$PATH"
+cd /ja4-platform/services/ja4ebpf
+GOWORK=off go generate ./internal/loader/ 2>&1 | tail -5 || log "go generate: erreur (normal si vmlinux.h absent)"
+GOWORK=off CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+    go build -ldflags="-s -w" -o /usr/local/bin/ja4ebpf ./cmd/ja4ebpf/ 2>&1 | tail -5
+
+log "Provisionnement CentOS 8 terminé !"