Restrict HTTP-managed replay agent config #25

Closed
haasonsaas wants to merge 1 commit into raindrop-ai:main from haasonsaas:codex/restrict-agent-config-commands

Conversation

@haasonsaas (Contributor)

Summary

The legacy /api/agents settings endpoint accepts arbitrary JSON and writes it directly to ~/.raindrop/agents.json. That legacy config is later merged into the replay-agent registry. If an entry contains cwd + command, /api/replay can flow through ensureAgentEndpointDetailed() into spawnReplayCommand(), which executes config.command with shell: true.

That makes the HTTP settings surface capable of creating command-bearing replay agents, even though the Settings UI only exposes replay endpoint URLs. Combined with /api/import-run to create a matching event name and /api/replay to trigger startup, the HTTP API can be used as a command-execution bridge.

Fix

  • Treat the legacy HTTP-managed agent config as URL/context/model data only.
  • Strip command, cwd, configPath, lastSeenPort, and any other command-capable replay metadata from agents.json on both load and save.
  • Return/broadcast the sanitized config from PUT /api/agents.
  • Keep command-bearing replay registrations in the explicit local project registration path, ~/.raindrop/replay-projects.json.
  • Add focused tests that command-capable fields are dropped and command-only entries are removed.

Validation

  • Confirmed the vulnerable chain in an isolated temp HOME and temp Workshop DB before the fix: HTTP-managed config + imported run + replay caused the configured command to write a marker file.
  • Re-ran the same isolated proof after the fix: saved agents config is empty, replay returns missing_replay_agent, and no marker file is created.
  • bun test tests/agent-config-security.test.ts
  • bun test tests/
  • bun x tsc --noEmit
  • bun run build
  • bun run lint (passes with 3 existing React hook warnings in app UI files)

Notes

This is independent of #24. #24 closes LAN reachability of the control plane; this PR removes an HTTP-to-shell bridge inside the control plane itself.
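A sanitizer of the kind the Fix section describes, written as an added example; it is not the PR's or the raindrop project's own code. It assumes the legacy agents.json is a JSON object keyed by agent name whose entries may carry `url`, `context` and `model` alongside the command-capable fields named in the PR (`command`, `cwd`, `configPath`, `lastSeenPort`); that shape, the helper names and the sample config are constructed here. The same function is meant to run on both load and save, so a file that already contains command-bearing entries is neutralised when read, and nothing an HTTP client sends is written back unfiltered.

```typescript
// Added example, not the raindrop project's code. The config shape
// ({ [agentName]: { url?, context?, model?, ...other fields } }) is assumed.

type SanitizedAgent = { url?: string; context?: string; model?: string };
type SanitizedAgentConfig = Record<string, SanitizedAgent>;

// Allowlist: the only keys the HTTP-managed config may carry. Anything
// else (command, cwd, configPath, lastSeenPort, unknown future fields)
// is dropped rather than deny-listed one name at a time.
const ALLOWED_KEYS = ["url", "context", "model"] as const;

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Returns the sanitized config plus a report of what was removed, so the
// caller can log when a stored or submitted config carried replay metadata.
export function sanitizeAgentConfig(
  input: unknown,
): { config: SanitizedAgentConfig; dropped: string[] } {
  const config: SanitizedAgentConfig = {};
  const dropped: string[] = [];
  if (!isPlainObject(input)) return { config, dropped };

  for (const [name, raw] of Object.entries(input)) {
    if (!isPlainObject(raw)) {
      dropped.push(`${name}: entry is not an object`);
      continue;
    }
    const clean: SanitizedAgent = {};
    for (const key of ALLOWED_KEYS) {
      const value = raw[key];
      if (typeof value === "string") clean[key] = value;
    }
    for (const key of Object.keys(raw)) {
      if (!(ALLOWED_KEYS as readonly string[]).includes(key)) {
        dropped.push(`${name}.${key}`);
      }
    }
    // An entry that only described a command has nothing left that the
    // HTTP surface is allowed to manage, so the whole entry is removed.
    if (Object.keys(clean).length === 0) {
      dropped.push(`${name}: removed, no URL/context/model data`);
      continue;
    }
    config[name] = clean;
  }
  return { config, dropped };
}

// Load path: parse the on-disk file and sanitize; unreadable JSON yields an
// empty config instead of an exception reaching the request handler.
export function loadAgentConfig(fileText: string): SanitizedAgentConfig {
  try {
    return sanitizeAgentConfig(JSON.parse(fileText)).config;
  } catch {
    return {};
  }
}

// Save path: sanitize the submitted body and serialize the result; this is
// also the value to return and broadcast from the PUT handler.
export function serializeAgentConfig(submitted: unknown): string {
  return JSON.stringify(sanitizeAgentConfig(submitted).config, null, 2);
}

// Constructed sample resembling what the endpoint could have stored before
// the fix: one mixed entry and one command-only entry.
export const SAMPLE_LEGACY_CONFIG = {
  "docs-agent": {
    url: "http://127.0.0.1:4000/replay",
    model: "example-model",
    command: "echo constructed-example",
    cwd: "/tmp",
  },
  "command-only": {
    command: "echo constructed-example",
    cwd: "/tmp",
    lastSeenPort: 4001,
  },
};
```

Because the allowlist is applied on the read side as well, a file edited outside the API, or written before the fix shipped, cannot reintroduce command-capable fields into the merged registry; the `dropped` list is what to log or surface when that happens.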

@rsd-raindrop (Contributor)

This was fixed in latest release. Thank you for the contribution and great find!
