Default to $XDG_RUNTIME_DIR for the daemon socket path when set

[atheriel]

Putting the daemon's socket into $XDG_RUNTIME_DIR on Linux has a nicer security story that writing into /tmp, since (a) it's a tmpfs, while /tmp is often a regular directory; and (b) permissions are handled on the parent directory by systemd already.

This is technically a very minor breaking change, but I doubt anyone is relying on the default socket path being in /tmp/roborev-<UID> yet.

Closes #580.

[roborev-ci]

roborev: Combined Review (08e0444)

Verdict: one medium-severity regression risk identified; otherwise the change looks clean.

Medium

• internal/daemon/endpoint.go:84: DefaultSocketPath() now always prefers XDG_RUNTIME_DIR, but it does not check whether filepath.Join(xdg, "roborev", "daemon.sock") still fits MaxUnixPathLen. On systems with a long XDG_RUNTIME_DIR, daemon bind/connect can fail even though the previous os.TempDir()-based default would have succeeded. Suggested fix: only use XDG_RUNTIME_DIR when the resulting socket path is within MaxUnixPathLen, otherwise fall back to the tempdir path, and add a regression test for an overlong XDG_RUNTIME_DIR.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)