P1 polish: Host.default_paths interim + restic env hygiene + job_id JS quoting

Two fixes that close the loop on dashboard run-now and harden the
agent's restic invocation.

Default paths (interim until P2-01 schedules):
  - 0003 migration adds default_paths TEXT NOT NULL DEFAULT '[]'
    to hosts and to enrollment_tokens.
  - Operator types paths in the Add-host form (textarea, one per
    line). They ride on the enrol_token row alongside the
    encrypted creds (paths aren't secret — plain JSON column).
  - On consume, ConsumeEnrollmentToken still just burns the token;
    the new GetEnrollmentTokenAttachments returns both the
    re-bindable creds and the path list in one round trip, the
    handler transfers them onto the new host row inside CreateHost.
  - The dashboard's Run-now and host-detail's "Run backup now"
    button now read Host.DefaultPaths and pass them to dispatchJob.
    A host with no default paths returns 400 with a friendly
    "no paths set" message instead of dispatching a doomed
    `restic backup` with no positional args.
  - Doc comments explicitly call this out as a Phase 1 interim —
    schedules supersede.

Restic env hygiene:
  - envSlice() previously omitted HOME / XDG_CACHE_HOME, which
    bit the smoke runs whenever the agent was launched outside
    systemd (restic refused to start: "neither $XDG_CACHE_HOME
    nor $HOME are defined"). Now both are set explicitly: prefer
    Env.ExtraEnv overrides, fall back to the agent process's own
    HOME, and finally to /var/lib/restic-manager.
  - Comment makes the env policy explicit: parent's RESTIC_* /
    AWS_* / B2_* env is filtered out by design — control-plane
    is the unambiguous source of truth.

JS bug fix in the live log page:
  - {{$job.ID | printf "%q"}} produced a literal-quoted JS string,
    which then went into the WS URL as ".../jobs/"<ID>"/stream"
    → 404. Switched to '{{$job.ID}}' inside the literal so
    html/template's auto-escape does the right thing. Verified
    end-to-end: dashboard "Run now" → live progress + log lines
    arrive over the WS → succeeded pill renders.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/store/enrollment.go

@@ -3,6 +3,7 @@ package store
 import (
 	"context"
 	"database/sql"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"time"
@@ -17,19 +18,27 @@ import (
 // host_credentials row. Empty string = operator chose to set creds
 // later via PUT /api/hosts/{id}/repo-credentials; the agent will
 // refuse backup jobs until that lands.
-func (s *Store) CreateEnrollmentToken(ctx context.Context, tokenHash string, ttl time.Duration, encRepoCreds string) error {
+//
+// defaultPaths is the JSON-encoded path list (the agent invokes
+// `restic backup` with these on a run-now without explicit paths).
+// Empty string is treated as "[]". Not encrypted — paths aren't
+// secret.
+func (s *Store) CreateEnrollmentToken(ctx context.Context, tokenHash string, ttl time.Duration, encRepoCreds, defaultPaths string) error {
 	now := time.Now().UTC()
 	var enc any = nil
 	if encRepoCreds != "" {
 		enc = encRepoCreds
 	}
+	if defaultPaths == "" {
+		defaultPaths = "[]"
+	}
 	_, err := s.db.ExecContext(ctx,
-		`INSERT INTO enrollment_tokens (token_hash, created_at, expires_at, enc_repo_creds)
-		 VALUES (?, ?, ?, ?)`,
+		`INSERT INTO enrollment_tokens (token_hash, created_at, expires_at, enc_repo_creds, default_paths)
+		 VALUES (?, ?, ?, ?, ?)`,
 		tokenHash,
 		now.Format(time.RFC3339Nano),
 		now.Add(ttl).Format(time.RFC3339Nano),
-		enc)
+		enc, defaultPaths)
 	if err != nil {
 		return fmt.Errorf("store: create enrollment token: %w", err)
 	}
@@ -62,30 +71,49 @@ func (s *Store) ConsumeEnrollmentToken(ctx context.Context, tokenHash, hostID st
 	return nil
 }
 
-// GetEnrollmentTokenCreds returns the encrypted repo-creds blob the
-// operator stashed when creating the token, or ("", ErrNotFound) if
-// the token is gone / consumed / expired / had no creds attached.
+// EnrollmentTokenAttachments is everything the enrolment handler
+// needs from a token row at consume time, fetched in one round-trip.
+type EnrollmentTokenAttachments struct {
+	// EncRepoCreds is the AEAD ciphertext bound (additional-data) to
+	// "token:" + token_hash. Empty if no creds were stashed.
+	EncRepoCreds string
+	// DefaultPaths is the operator's run-now path list. Always
+	// non-nil (empty slice if none were set).
+	DefaultPaths []string
+}
+
+// GetEnrollmentTokenAttachments returns the operator-supplied
+// attachments on a still-valid enrolment token: the encrypted repo
+// creds and the default-paths list. Returns ErrNotFound if the
+// token is gone / consumed / expired.
 //
-// The caller decrypts using token_hash as the AEAD additional data,
-// then re-encrypts using host_id as additional data before passing
-// to ConsumeEnrollmentToken.
-func (s *Store) GetEnrollmentTokenCreds(ctx context.Context, tokenHash string) (string, error) {
+// The caller decrypts EncRepoCreds using token_hash as AEAD
+// additional data, then re-encrypts using host_id as additional
+// data before passing to ConsumeEnrollmentToken.
+func (s *Store) GetEnrollmentTokenAttachments(ctx context.Context, tokenHash string) (EnrollmentTokenAttachments, error) {
 	now := time.Now().UTC().Format(time.RFC3339Nano)
 	row := s.db.QueryRowContext(ctx,
-		`SELECT enc_repo_creds FROM enrollment_tokens
+		`SELECT enc_repo_creds, default_paths FROM enrollment_tokens
 		 WHERE token_hash = ? AND consumed_at IS NULL AND expires_at > ?`,
 		tokenHash, now)
-	var enc sql.NullString
-	if err := row.Scan(&enc); err != nil {
+	var (
+		enc          sql.NullString
+		defaultPaths string
+	)
+	if err := row.Scan(&enc, &defaultPaths); err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
-			return "", ErrNotFound
+			return EnrollmentTokenAttachments{}, ErrNotFound
 		}
-		return "", fmt.Errorf("store: get enrollment token creds: %w", err)
+		return EnrollmentTokenAttachments{}, fmt.Errorf("store: get enrollment token attachments: %w", err)
 	}
-	if !enc.Valid {
-		return "", nil
+	out := EnrollmentTokenAttachments{DefaultPaths: []string{}}
+	if enc.Valid {
+		out.EncRepoCreds = enc.String
 	}
-	return enc.String, nil
+	if defaultPaths != "" {
+		_ = json.Unmarshal([]byte(defaultPaths), &out.DefaultPaths)
+	}
+	return out, nil
 }
 
 // PurgeExpiredEnrollmentTokens deletes long-expired token rows. Tokens