Add support for systemd socket activation

[atheriel]

This commit facilitates running roborev as a socket-activated systemd user service. When LISTEN_FDS is set (handled by go-systemd internals), the daemon uses the systemd-provided socket instead of creating its own, enabling on-demand startup and lifecycle management driven by systemd.

We enforce that socket activation is used only with loopback TCP listeners and unix sockets with safe permissions.

We also avoid cleaning up the socket file in this mode, since we don't own it.

Closes #569.

Sample systemd user service and socket files, which we could put into the documentation:

[Unit]
Description=roborev daemon
Requires=roborev.socket

[Service]
Type=simple
ExecStart=%h/.local/bin/roborev daemon run
Restart=on-failure

[Install]
WantedBy=default.target

[Unit]
Description=roborev daemon socket

[Socket]
ListenStream=%t/roborev/daemon.sock
SocketMode=0600

[Install]
WantedBy=sockets.target

These both go into ~/.config/systemd/user. To run roborev as a socket-activated user service, you'd then:

$ systemctl --user daemon-reload
$ systemctl --user enable --now roborev.socket
# Use roborev, e.g.:
$ roborev --server "unix://$XDG_RUNTIME_DIR/roborev/daemon.sock" status

[roborev-ci]

roborev: Combined Review (29b25d1)

Summary verdict: changes are directionally sound, but they introduce one high-severity trust-boundary regression and two medium-severity correctness/security gaps in the socket-activation path.

High

• internal/daemon/server.go:136
  The socket-activation path accepts any listener handed over by systemd without re-validating that it preserves the daemon's local-only trust boundary. If the .socket unit binds 0.0.0.0, [::], or another non-loopback interface, the daemon's unauthenticated HTTP API becomes remotely reachable. The activated listener should be rejected unless it is loopback-only or matches the expected configured local endpoint.

Medium

• internal/daemon/server.go:136
  The runtime metadata stores listener.Addr().String() for activated TCP listeners. With common systemd setups this can be a wildcard listen address such as 0.0.0.0:7373 or [::]:7373, which is not a usable client dial target. Since the CLI relies on this metadata to reconnect, the daemon can start successfully but become unreachable to local clients. Normalize the stored address to a concrete local dial address, or reuse the configured address when compatible.

• internal/daemon/server.go:180
  Activated Unix sockets bypass the existing hardening that validates the parent directory and enforces owner-only socket permissions. A permissive .socket unit or directory configuration can therefore expose the daemon to other local users, breaking the current single-user authorization assumption. The startup path should validate equivalent ownership/mode guarantees for activated Unix sockets, or fail closed when they are too broad.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (633fa45)

Verdict: No Medium, High, or Critical findings; the change looks clean based on all review outputs.

All three reviews reported no issues, and the two detailed reviews specifically called out the systemd socket activation handling as preserving the existing local-only trust model and daemon lifecycle behavior.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (ba346f3)

Verdict: Changes look good overall, with 1 medium-severity correctness issue to address before merge.

Medium

• Stale socketActivated state can break reused server startup
  • Location: internal/daemon/server.go:134-141, internal/daemon/server.go:177
  • Issue: s.socketActivated is only set to true and never reset when Start runs without an activated listener. If the same Server instance is reused after a socket-activated run, a later non-systemd start can incorrectly skip the normal listener bind path, leaving listener nil and breaking startup/cleanup behavior.
  • Suggested fix: Set s.socketActivated = (listener != nil) at the start of Start, or explicitly reset it to false in the non-systemd branch before bind logic.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[wesm]

Addressed some minor things from running roborev reviews, will merge this soon

[roborev-ci]

roborev: Combined Review (84f6120)

Verdict: No Medium, High, or Critical findings.

Reviewed outputs did not identify any issues at Medium severity or above. One review reported only Low-severity notes, which are omitted per your instructions.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)