P1 polish: Host.default_paths interim + restic env hygiene + job_id JS quoting

Two fixes that close the loop on dashboard run-now and harden the
agent's restic invocation.

Default paths (interim until P2-01 schedules):
  - 0003 migration adds default_paths TEXT NOT NULL DEFAULT '[]'
    to hosts and to enrollment_tokens.
  - Operator types paths in the Add-host form (textarea, one per
    line). They ride on the enrol_token row alongside the
    encrypted creds (paths aren't secret — plain JSON column).
  - On consume, ConsumeEnrollmentToken still just burns the token;
    the new GetEnrollmentTokenAttachments returns both the
    re-bindable creds and the path list in one round trip, the
    handler transfers them onto the new host row inside CreateHost.
  - The dashboard's Run-now and host-detail's "Run backup now"
    button now read Host.DefaultPaths and pass them to dispatchJob.
    A host with no default paths returns 400 with a friendly
    "no paths set" message instead of dispatching a doomed
    `restic backup` with no positional args.
  - Doc comments explicitly call this out as a Phase 1 interim —
    schedules supersede.

Restic env hygiene:
  - envSlice() previously omitted HOME / XDG_CACHE_HOME, which
    bit the smoke runs whenever the agent was launched outside
    systemd (restic refused to start: "neither $XDG_CACHE_HOME
    nor $HOME are defined"). Now both are set explicitly: prefer
    Env.ExtraEnv overrides, fall back to the agent process's own
    HOME, and finally to /var/lib/restic-manager.
  - Comment makes the env policy explicit: parent's RESTIC_* /
    AWS_* / B2_* env is filtered out by design — control-plane
    is the unambiguous source of truth.

JS bug fix in the live log page:
  - {{$job.ID | printf "%q"}} produced a literal-quoted JS string,
    which then went into the WS URL as ".../jobs/"<ID>"/stream"
    → 404. Switched to '{{$job.ID}}' inside the literal so
    html/template's auto-escape does the right thing. Verified
    end-to-end: dashboard "Run now" → live progress + log lines
    arrive over the WS → succeeded pill renders.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/server/http/enrollment.go

@@ -56,6 +56,12 @@ type enrollOperatorRequest struct {
 	RepoURL      string   `json:"repo_url"`
 	RepoUsername string   `json:"repo_username"`
 	RepoPassword string   `json:"repo_password"`
+	// DefaultPaths lands on the host row at consume time. Used by
+	// run-now buttons (the dashboard's per-row Run, the host
+	// detail's Run backup now). When schedules ship in P2-01 they
+	// supersede this — until then, this is the only source of paths
+	// for run-now jobs.
+	DefaultPaths []string `json:"default_paths,omitempty"`
 }
 
 type enrollOperatorResponse struct {
@@ -94,12 +100,13 @@ func (s *Server) handleAgentEnroll(w stdhttp.ResponseWriter, r *stdhttp.Request)
 	// is already burned. That's acceptable — operator just regens.
 	tokHash := auth.HashToken(req.Token)
 
-	// If the token carries repo creds, re-encrypt them under the new
-	// host_id so the host_credentials row is bound to the host (not
-	// the token, which is about to disappear).
-	encForHost, err := s.rebindTokenCreds(r.Context(), tokHash, hostID)
+	// Pull every operator-supplied attachment off the token row in one
+	// query: encrypted repo creds (rebound under the new host_id) plus
+	// the default-paths list. Both transferred onto the new host row
+	// after consume.
+	attachments, encForHost, err := s.rebindTokenAttachments(r.Context(), tokHash, hostID)
 	if err != nil {
-		slog.Warn("enrollment: rebind token creds failed", "err", err)
+		slog.Warn("enrollment: rebind token attachments failed", "err", err)
 		writeJSONError(w, stdhttp.StatusUnauthorized, "invalid_token",
 			"token unknown, expired, or already used")
 		return
@@ -127,6 +134,7 @@ func (s *Server) handleAgentEnroll(w stdhttp.ResponseWriter, r *stdhttp.Request)
 		AgentVersion:  req.AgentVersion,
 		ResticVersion: req.ResticVersion,
 		EnrolledAt:    time.Now().UTC(),
+		DefaultPaths:  attachments.DefaultPaths,
 	}
 	if err := s.deps.Store.CreateHost(r.Context(), host,
 		auth.HashToken(agentToken), ""); err != nil {
@@ -195,7 +203,7 @@ func (s *Server) handleCreateEnrollmentToken(w stdhttp.ResponseWriter, r *stdhtt
 		writeJSONError(w, stdhttp.StatusBadRequest, "invalid_json", err.Error())
 		return
 	}
-	token, expiresAt, err := s.mintEnrollmentToken(r.Context(), req.RepoURL, req.RepoUsername, req.RepoPassword)
+	token, expiresAt, err := s.mintEnrollmentToken(r.Context(), req.RepoURL, req.RepoUsername, req.RepoPassword, req.DefaultPaths)
 	switch err {
 	case nil:
 		writeJSON(w, stdhttp.StatusCreated, enrollOperatorResponse{Token: token, ExpiresAt: expiresAt})
@@ -218,7 +226,7 @@ var errMissingRepoCreds = errAuth("missing_repo_creds")
 // token (shown to the operator exactly once) and the expiry time.
 //
 // Shared by the JSON endpoint and the HTML "Add host" flow.
-func (s *Server) mintEnrollmentToken(ctx context.Context, repoURL, repoUsername, repoPassword string) (string, time.Time, error) {
+func (s *Server) mintEnrollmentToken(ctx context.Context, repoURL, repoUsername, repoPassword string, defaultPaths []string) (string, time.Time, error) {
 	if repoURL == "" || repoPassword == "" {
 		return "", time.Time{}, errMissingRepoCreds
 	}
@@ -235,34 +243,44 @@ func (s *Server) mintEnrollmentToken(ctx context.Context, repoURL, repoUsername,
 		return "", time.Time{}, err
 	}
 
+	if defaultPaths == nil {
+		defaultPaths = []string{}
+	}
+	pathsJSON, err := json.Marshal(defaultPaths)
+	if err != nil {
+		return "", time.Time{}, fmt.Errorf("marshal default_paths: %w", err)
+	}
+
 	const ttl = time.Hour
-	if err := s.deps.Store.CreateEnrollmentToken(ctx, tokHash, ttl, enc); err != nil {
+	if err := s.deps.Store.CreateEnrollmentToken(ctx, tokHash, ttl, enc, string(pathsJSON)); err != nil {
 		return "", time.Time{}, err
 	}
 	return token, time.Now().Add(ttl).UTC(), nil
 }
 
-// rebindTokenCreds decrypts the creds attached to the token (if any),
-// re-encrypts under the new host_id, and returns the new ciphertext.
-// Empty return = the token had no creds attached, which we treat as
-// a hard error today (the operator must supply creds at mint time).
-func (s *Server) rebindTokenCreds(ctx context.Context, tokHash, hostID string) (string, error) {
-	enc, err := s.deps.Store.GetEnrollmentTokenCreds(ctx, tokHash)
+// rebindTokenAttachments fetches every operator-supplied attachment
+// off the token row, re-encrypting the repo-creds blob under the
+// new host_id (the additional-data binding moves with the cred so
+// a token-row dump can't be replayed against a different host's
+// row). Returns the attachments (sans the rebind work), the
+// re-encrypted ciphertext for SetHostCredentials, and any error.
+func (s *Server) rebindTokenAttachments(ctx context.Context, tokHash, hostID string) (store.EnrollmentTokenAttachments, string, error) {
+	att, err := s.deps.Store.GetEnrollmentTokenAttachments(ctx, tokHash)
 	if err != nil {
-		return "", err
+		return store.EnrollmentTokenAttachments{}, "", err
 	}
-	if enc == "" {
-		return "", nil
+	if att.EncRepoCreds == "" {
+		return att, "", nil
 	}
-	plain, err := s.deps.AEAD.Decrypt(enc, []byte("token:"+tokHash))
+	plain, err := s.deps.AEAD.Decrypt(att.EncRepoCreds, []byte("token:"+tokHash))
 	if err != nil {
-		return "", fmt.Errorf("decrypt token creds: %w", err)
+		return att, "", fmt.Errorf("decrypt token creds: %w", err)
 	}
 	out, err := s.deps.AEAD.Encrypt(plain, []byte("host:"+hostID))
 	if err != nil {
-		return "", fmt.Errorf("re-encrypt for host: %w", err)
+		return att, "", fmt.Errorf("re-encrypt for host: %w", err)
 	}
-	return out, nil
+	return att, out, nil
 }
 
 // encryptRepoCreds JSON-encodes blob and seals it with the given