Fix: Move baseline storage to toolkit directory

Issue: Baseline was stored in /var/lib/suspicious-login-monitor/ which
is outside the toolkit directory structure. When toolkit is deleted,
baseline data would remain on system.

Changes:
- Changed BASELINE_DIR from /var/lib/suspicious-login-monitor to
  $TOOLKIT_ROOT/data/suspicious-login-monitor
- Migrated existing baseline.dat to new location
- Removed old /var/lib/suspicious-login-monitor directory

Result: All toolkit data now contained within toolkit directory.
When toolkit is deleted, baseline is removed automatically.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

data/suspicious-login-monitor/baseline.dat

@@ -0,0 +1,8 @@
+# Baseline data for suspicious login monitor
+# Last updated: Tue Feb  3 04:04:53 PM EST 2026
+BASELINE_SSH_KEY_COUNT=1
+BASELINE_USER_COUNT=3
+BASELINE_TYPICAL_LOGIN_HOURS="16"
+BASELINE_PASSWORD_CHANGES_PER_WEEK=0
+BASELINE_NEW_USERS_PER_WEEK=0
+BASELINE_LAST_UPDATE=1770152693

modules/security/suspicious-login-monitor.sh

@@ -49,8 +49,8 @@ PANEL_EVENTS="$TMP_DIR/panel_events_$$.txt"
 SUDO_EVENTS="$TMP_DIR/sudo_events_$$.txt"
 SUSPICIOUS_IPS="$TMP_DIR/suspicious_ips_$$.txt"
 
-# Baseline storage (persistent across runs)
-BASELINE_DIR="/var/lib/suspicious-login-monitor"
+# Baseline storage (persistent across runs, within toolkit directory)
+BASELINE_DIR="$TOOLKIT_ROOT/data/suspicious-login-monitor"
 BASELINE_FILE="$BASELINE_DIR/baseline.dat"
 mkdir -p "$BASELINE_DIR" 2>/dev/null