Chore/untrack internal notes (#40)

* fix(ws): drop CurrentTime from heartbeat env info

CurrentTime was captured once via collectEnvironmentInfo() at runner
start and the resulting EnvInfo was sent only on the first heartbeat
(envInfoSent gate), so a long-lived runner kept reporting its boot
time forever. Safari then served that stale value via the `now` tool.

Static info (OS, arch, hostname, timezone) is fine to send once;
current time is by definition not static. Drop the field entirely —
safari uses its own wall clock now.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(ws): tighten reconnect timing for cloud sandbox pool pods

Cloud sandbox pool pods spend their entire pre-claim lifetime dialing
safari and getting 401 (no t_cloud_sandbox_0 row exists yet — claim
inserts it). Two timing knobs were tuned for long-lived BYOC outage
recovery and hurt cloud claim latency:

  - initialReconnectDelay 1s -> 200ms: first dials race the row INSERT.
    The 1s delay added 1-2s of extra 401-retry cost before hostname
    auth could possibly succeed.

  - maxReconnectDelay 5min -> 10s: a pool pod waiting >50s slid into a
    32-64s exponential-backoff sleep, and got declared unrecoverable by
    safari's 90s claim window before its next dial — observed live
    (sbx_bzQ... did not come online within 1m30s, traceid
    6996857e714cb99c31665d043ed3c260). 10s stays well inside the claim
    window and remains acceptable for BYOC server-restart recovery.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(env): reject duplicated-root rel_paths; surface sibling hint on ENOENT

safePath defense-in-depth — runner cannot rely on safari to filter rel_paths
that mirror the workspace root. Joining e.root with such a path silently
created a nested duplicate workspace tree (matching nested copies were
observed on a long-running BYOC host). Reject them at the runner boundary.

Read now appends a bounded sibling-name list when stat returns ENOENT, so
the agent can self-correct a near-miss filename without spending a turn on
an extra list call.

.golangci.yml: exclude gosec G706 (log-taint via taint analysis). slog's
structured key-value logging is not a format-string injection vector; the
rule fires on every slog call with a user-controlled value, which is the
whole point of structured logging.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(skill): probe-or-install sync_skill; default home ~/.flashduty

- SyncSkill now checks .checksum+SKILL.md before install (cache hit
  returns {Cached:true,Path}; miss with no zip returns {Cached:false}
  so cloud retries with zip_data)
- Skills land at <home>/skills/<name>/ instead of <home>/.work/skills/<name>/
- Default home moves from ~/.flashduty-runner/workspace to ~/.flashduty
- FLASHDUTY_RUNNER_HOME is the new canonical override; FLASHDUTY_RUNNER_WORKSPACE
  kept as deprecated alias
- Add SyncSkillResult.Cached field (omitempty); SyncSkillArgs unchanged

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(test): extract resolveDir helper, use errors.Is for ErrNotExist

- resolveDir(t, dir) replaces duplicated EvalSymlinks boilerplate in
  ProbeHit and InstallOverwrites tests
- errors.Is(err, os.ErrNotExist) replaces deprecated os.IsNotExist pattern

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* harden(skill): reject path separators in skill_name

* docs(skill): document ~/.flashduty home and probe-or-install sync_skill

* refactor(env,permission): SSRF + AST hardening + grep regex + bash structured

Runner-side counterparts of fc-safari's 2026-05-02 builtin-tools refactor:

- environment/webfetch: SSRF guard via inlined safeHTTPTransport +
  safeCheckRedirect. Pre-flight validateURL refuses RFC1918 / loopback
  / link-local / IMDS before any TCP dial; CheckRedirect re-validates
  each hop so a 302 to 169.254.169.254 is refused. Inlined from
  go-pkg/x/netsafe (open-source repo cannot import internal modules).
- environment/htmlx: HTML-to-markdown / text helpers inlined from
  go-pkg/x/htmlx for the same reason. html-to-markdown is now a
  direct dep.
- environment/environment::unzipSkill: zip-slip closed — compares
  abs target against dest+separator and rejects names containing '..'.
- environment/environment::grepWithGo: was strings.Contains (literal)
  — now compiles regex, falls back with regex_compile_error surfaced.
  Default ignore (.git, node_modules, .flashduty) added; Scanner
  buffer raised to 1 MiB; rg exit-2 surfaces real I/O errors instead
  of silent "no matches"; pattern starting with '-' gets '--' prefix;
  rsplit on ':' so paths containing ':' parse cleanly.
- protocol.GrepArgs gains output_mode, context_before/after,
  head_limit, file_type, case_sensitive — forwarded to ripgrep flags.
- environment/environment::Bash: per-stream large-output (stderr now
  truncates to its own bash_stderr_*.txt); LimitedWriter honors the
  io.Writer contract (returns ErrOutputCapped at the cap, exposes
  Hit(), appends "[output capped at 10MB]" marker once).
- protocol.BashResult carries truncated_stdout/stderr,
  stdout_file_path/stderr_file_path, *_total_size; legacy fields
  remain populated so old safari clients keep working.
- environment/large_output::ShouldSkipForOutputsDir: substring match
  → word-boundary regex (no more 'thread '/'head ' false positives).
  WriteRaw lowercased to writeRaw (single internal caller).
- permission/permission: AST walk now visits CmdSubst / ProcSubst /
  nested Stmts so cat <(curl evil) and echo $(curl evil) hit the
  same rules. Redirect targets are checked instead of discarded
  (cmd > /etc/passwd refused). Canonical-form normalization on both
  rule and command sides (kubectl  get  pods matches kubectl get *);
  env-prefix dual evaluation (KUBECONFIG=x kubectl get pods still
  matches kubectl get *). Rules sort by literal-prefix specificity,
  first match wins. SafeReadOnlyRules drops echo */find * — find
  -delete / find -exec rm now denied by default; replaced with
  scoped allow patterns.

E2E verified live: bash returns the new structured shape, web
(action=fetch) reaches example.com via the safe transport, all 17+
new permission/permission_test scenarios pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(lint): clear golangci-lint findings + add /health endpoint

- netsafe: guard http.DefaultTransport type-assertion (errcheck)
- environment: switch if-else chain to switch (gocritic), drop dead err=nil (ineffassign), rename shadowed err vars (govet)
- permission: syntax.ClbOut → syntax.RdrClob (staticcheck SA1019)
- cmd: add /health listener for Tencent AGS readiness probe; bind via ListenConfig.Listen with parent context (noctx) and document the all-interfaces bind (gosec G102)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(ci): drop invalid G706 gosec exclude + handle unix-abs zip-slip on windows

- .golangci.yml: pinned CI golangci-lint v2.4 rejects G706 under
  gosec.excludes (rule unknown to its gosec). Move suppression to the
  version-safe linters.exclusions.rules text match so both v2.4 and newer
  versions stay quiet. Same regression previously fixed in a60df85.
- environment/unzipSkill: filepath.IsAbs("/etc/passwd") returns false on
  Windows (no drive letter), so the absolute-path guard let the entry
  slip through and TestUnzipSkill_RejectsZipSlip/absolute-path-unix
  failed on windows-latest. Reject leading "/" or "\\" on the raw name
  before Clean normalizes separators.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(knowledge): reconcile_knowledge_manifest RPC for orphan/stale prune + missing-file diff

Adds a per-session RPC so Safari can declare its current view of which
knowledge files should exist (manifest = list of rel_path + sha256). The
runner walks <root>/knowledge/<scope>/, deletes anything not in the
manifest (orphan prune), deletes anything whose sha disagrees with the
sentinel (stale prune), and returns NeedsStage = manifest entries it
doesn't have on disk after the prune step.

Safari uses NeedsStage to drive a follow-up bulk StageKnowledgeFiles so
the full pack lands at session start instead of lazily on first read.
This is what makes ~/.flashduty/knowledge/<scope>/ look like the actual
pack contents (DUTY.md + every runbook) instead of just whatever the LLM
happened to read in the current turn.

Walks the on-disk tree (rather than trusting the sentinel) so manual
operator drops also get reconciled instead of lingering forever. Reuses
the existing sentinel + advisory lock so concurrent stage calls from the
same Safari are safe.

Pairs with fc-safari change wiring BuildManifest +
ReconcileKnowledgeManifest + EagerStageMissing into mw_env.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: ysyneu

environment/knowledge.go

@@ -8,11 +8,18 @@ import (
 	"log/slog"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strings"
 
 	"github.com/flashcatcloud/flashduty-runner/protocol"
 )
 
+// teamScopeRe matches the only legal team-scope directory name: `team_` plus
+// one or more digits. Anything else (e.g. `team_42a`, `team_`, `Team_42`) is
+// rejected so the runner can never be tricked into mkdir'ing an attacker-
+// supplied directory name.
+var teamScopeRe = regexp.MustCompile(`^team_\d+$`)
+
 const (
 	// sentinelName is the hidden JSON map that tracks staged-file checksums.
 	// Safari reads this to decide which knowledge pack files are already current.
@@ -21,27 +28,43 @@ const (
 
 // validateKnowledgeRelPath enforces the path rules for knowledge file operations.
 //
-// Rules (from the Safari-side contract):
-//   - Must not contain path separators or double-dot components — the runner
-//     only writes flat files in the workspace root, never in sub-directories.
-//   - Leading-dot filenames are rejected because they are hidden by convention;
-//     the sentinel is written by the runner itself and is never staged by clients.
+// Layout: every staged file lives under `knowledge/<scope>/<leaf>` where
+// scope is `account` or `team_<digits>`. The leading `knowledge/` segment
+// matches the runner-relative form of the read path Safari uses
+// (`<root>/knowledge/<scope>/<leaf>`), so a freshly staged file lands at
+// exactly the location a follow-up read will probe — no contract drift.
+//
+// Bare-leaf paths (`DUTY.md`), deeper trees (`knowledge/account/sub/foo.md`),
+// missing prefix (`account/foo.md`), unknown scope segments, and the
+// sentinel filename are all rejected. Backslashes are blocked to cover the
+// Windows-style traversal vector defensively even though the runner only
+// ships on unix.
 func validateKnowledgeRelPath(relPath string) error {
 	if relPath == "" {
 		return fmt.Errorf("rel_path must not be empty")
 	}
-	if strings.ContainsAny(relPath, `/\`) {
-		return fmt.Errorf("rel_path must not contain path separators: %q", relPath)
+	if strings.ContainsRune(relPath, '\\') {
+		return fmt.Errorf("rel_path must not contain backslash: %q", relPath)
+	}
+	parts := strings.Split(relPath, "/")
+	if len(parts) != 3 {
+		return fmt.Errorf("rel_path must be knowledge/<scope>/<leaf>, got %q", relPath)
+	}
+	root, scope, leaf := parts[0], parts[1], parts[2]
+	if root != "knowledge" {
+		return fmt.Errorf("rel_path must start with 'knowledge/', got %q", relPath)
 	}
-	// Reject the bare ".." token. Slash-separated traversal like "foo/../bar"
-	// is already blocked above, but a plain ".." with no slashes still escapes.
-	if relPath == ".." {
-		return fmt.Errorf("rel_path must not be '..': %q", relPath)
+	if scope != "account" && !teamScopeRe.MatchString(scope) {
+		return fmt.Errorf("rel_path scope must be 'account' or 'team_<digits>', got %q", scope)
 	}
-	if strings.HasPrefix(relPath, ".") {
-		// Hidden files (including the sentinel itself) cannot be staged by clients.
-		// The runner owns the sentinel exclusively.
-		return fmt.Errorf("rel_path must not start with '.': %q", relPath)
+	if leaf == "" || leaf == "." || leaf == ".." {
+		return fmt.Errorf("rel_path leaf must be a real filename, got %q", leaf)
+	}
+	if strings.HasPrefix(leaf, ".") {
+		return fmt.Errorf("rel_path leaf must not start with '.': %q", leaf)
+	}
+	if leaf == sentinelName {
+		return fmt.Errorf("rel_path leaf must not be the sentinel filename")
 	}
 	return nil
 }
@@ -166,6 +189,12 @@ func (e *Environment) StageKnowledgeFiles(ctx context.Context, args *protocol.St
 		}
 
 		targetPath := filepath.Join(e.root, f.RelPath)
+		if err := os.MkdirAll(filepath.Dir(targetPath), 0o755); err != nil {
+			status.Success = false
+			status.Error = fmt.Sprintf("failed to create scope directory: %v", err)
+			result.Files = append(result.Files, status)
+			continue
+		}
 		if err := atomicWriteFile(targetPath, content, 0o644); err != nil {
 			status.Success = false
 			status.Error = err.Error()
@@ -197,6 +226,138 @@ func (e *Environment) StageKnowledgeFiles(ctx context.Context, args *protocol.St
 	return result, nil
 }
 
+// ReconcileKnowledgeManifest reconciles the on-disk knowledge tree against the
+// supplied manifest. Files present on disk but absent from the manifest are
+// orphans (pruned). Files present in the manifest with a checksum that
+// disagrees with the sentinel are stale (also pruned, so the next read
+// triggers a fresh lazy install from Safari). Files whose checksum already
+// matches are left in place.
+//
+// The runner does NOT pre-stage anything in this call: the manifest declares
+// what *should* exist if it were read, not what *must* be cached. Cold packs
+// stay cold; only drift is corrected. The whole pass runs under the sentinel
+// lock so it is safe with concurrent stage calls from the same Safari.
+func (e *Environment) ReconcileKnowledgeManifest(ctx context.Context, args *protocol.ReconcileKnowledgeManifestArgs) (*protocol.ReconcileKnowledgeManifestResult, error) {
+	expected := make(map[string]string, len(args.Files))
+	for _, f := range args.Files {
+		if err := validateKnowledgeRelPath(f.RelPath); err != nil {
+			slog.Warn("skipping invalid manifest entry", "rel_path", f.RelPath, "error", err)
+			continue
+		}
+		expected[f.RelPath] = f.Checksum
+	}
+
+	result := &protocol.ReconcileKnowledgeManifestResult{}
+	knowledgeRoot := filepath.Join(e.root, "knowledge")
+	sentinelPath := filepath.Join(e.root, sentinelName)
+
+	err := withSentinelLock(sentinelPath, func() error {
+		sentinel := readSentinel(sentinelPath)
+		// onDisk enumerates `knowledge/<scope>/<leaf>` paths actually present.
+		// We walk the tree (rather than trusting the sentinel) so a manual
+		// drop into the workspace — e.g. an operator copying a file in for
+		// debugging — also gets reconciled instead of lingering forever.
+		onDisk, err := walkKnowledgeTree(knowledgeRoot)
+		if err != nil {
+			return err
+		}
+
+		dirty := false
+		// onDiskSet lets us answer "is this manifest entry already cached?"
+		// in O(1) below without a second walk.
+		onDiskSet := make(map[string]struct{}, len(onDisk))
+		for _, relPath := range onDisk {
+			expectedSum, want := expected[relPath]
+			switch {
+			case !want:
+				// Orphan: not declared in the current manifest.
+				if rmErr := os.Remove(filepath.Join(e.root, relPath)); rmErr != nil && !os.IsNotExist(rmErr) {
+					slog.Warn("failed to prune orphan knowledge file", "rel_path", relPath, "error", rmErr)
+					continue
+				}
+				delete(sentinel, relPath)
+				result.Pruned = append(result.Pruned, relPath)
+				dirty = true
+			case sentinel[relPath] != expectedSum:
+				// Stale: sentinel disagrees with the manifest. Drop the file;
+				// it'll come back via NeedsStage so Safari refetches it from S3.
+				if rmErr := os.Remove(filepath.Join(e.root, relPath)); rmErr != nil && !os.IsNotExist(rmErr) {
+					slog.Warn("failed to prune stale knowledge file", "rel_path", relPath, "error", rmErr)
+					continue
+				}
+				delete(sentinel, relPath)
+				result.Pruned = append(result.Pruned, relPath)
+				result.StaleCount++
+				dirty = true
+			default:
+				result.KeptCount++
+				onDiskSet[relPath] = struct{}{}
+			}
+		}
+
+		// Anything in the manifest that isn't in onDiskSet is a cache miss
+		// the caller needs to fix — either it was just pruned for being stale
+		// or it was never staged in the first place. The list is what powers
+		// Safari's eager-stage step so the full pack lands on disk in one
+		// batch instead of waiting for the agent to read each file.
+		for relPath := range expected {
+			if _, ok := onDiskSet[relPath]; !ok {
+				result.NeedsStage = append(result.NeedsStage, relPath)
+			}
+		}
+
+		if dirty {
+			return writeSentinel(sentinelPath, sentinel)
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, fmt.Errorf("reconcile manifest: %w", err)
+	}
+	return result, nil
+}
+
+// walkKnowledgeTree returns every leaf file under <knowledgeRoot>/<scope>/
+// as `knowledge/<scope>/<leaf>` rel-paths. Hidden files (the sentinel) and
+// anything failing validation are skipped; nested directories beneath a scope
+// are ignored because the layout forbids them.
+func walkKnowledgeTree(knowledgeRoot string) ([]string, error) {
+	entries, err := os.ReadDir(knowledgeRoot)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("read knowledge root: %w", err)
+	}
+
+	var paths []string
+	for _, scope := range entries {
+		if !scope.IsDir() {
+			continue
+		}
+		scopeName := scope.Name()
+		if scopeName != "account" && !teamScopeRe.MatchString(scopeName) {
+			continue
+		}
+		leaves, err := os.ReadDir(filepath.Join(knowledgeRoot, scopeName))
+		if err != nil {
+			slog.Warn("failed to read scope directory", "scope", scopeName, "error", err)
+			continue
+		}
+		for _, leaf := range leaves {
+			if leaf.IsDir() {
+				continue
+			}
+			rel := "knowledge/" + scopeName + "/" + leaf.Name()
+			if err := validateKnowledgeRelPath(rel); err != nil {
+				continue
+			}
+			paths = append(paths, rel)
+		}
+	}
+	return paths, nil
+}
+
 // DeleteKnowledgeFiles removes the supplied files from the workspace root and
 // scrubs their entries from the sentinel.
 func (e *Environment) DeleteKnowledgeFiles(ctx context.Context, args *protocol.DeleteKnowledgeFilesArgs) (*protocol.DeleteKnowledgeFilesResult, error) {