test(sse): add group-mixed-capability enforcement IT

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cameleer-server-app/src/test/java/io/cameleer/server/app/controller/AgentCommandEnforcementIT.java

@@ -67,6 +67,27 @@ class AgentCommandEnforcementIT extends AbstractPostgresIT {
         assertThat(body.has("commandId")).isTrue();
     }
 
+    @Test
+    void sendGroupCommand_mixedCapability_returns409WithNonCapableAgentId() {
+        String capableAgentId = "enforce-grp-cap-" + UUID.randomUUID().toString().substring(0, 8);
+        String nonCapableAgentId = "enforce-grp-noncap-" + UUID.randomUUID().toString().substring(0, 8);
+
+        // Capable agent: requireSignedCommands=true
+        registryService.register(capableAgentId, capableAgentId, "test-app-group", "default", "2.0", List.of(), Map.of(), true);
+        // Non-capable agent: no requireSignedCommands flag
+        registryService.register(nonCapableAgentId, nonCapableAgentId, "test-app-group", "default", "1.0", List.of(), Map.of());
+
+        ResponseEntity<String> response = restTemplate.postForEntity(
+                "/api/v1/agents/groups/test-app-group/commands?environment=default",
+                new HttpEntity<>("""
+                        {"type": "config-update", "payload": {"key": "value"}}
+                        """, securityHelper.authHeaders(operatorJwt)),
+                String.class);
+
+        assertThat(response.getStatusCode()).isEqualTo(HttpStatus.CONFLICT);
+        assertThat(response.getBody()).contains(nonCapableAgentId);
+    }
+
     private ResponseEntity<String> sendConfigUpdate(String agentId) {
         return restTemplate.postForEntity(
                 "/api/v1/agents/" + agentId + "/commands",