fix: Wave 13 cleanup — HttpDriver + agent_id validator + safe_join + 4 MEDIUM
Closes the remaining v0.29.0 follow-ups + post-audit MEDIUMs.
## HttpDriver (kei-spawn http-driver feature)
- Real reqwest::blocking POST to api.anthropic.com/v1/messages
- Feature flag `http-driver = ["dep:reqwest"]` (default off, zero breaking)
- KEI_ANTHROPIC_KEY read at invoke time (rotation-friendly)
- 5 httpmock tests (missing key, 200, 4xx, 5xx, malformed json)
- Endpoint override via KEI_ANTHROPIC_ENDPOINT env for tests
- Files: drive.rs, drive_http.rs (new), drive_http_parse.rs (new), tests/http_driver.rs
## agent_id path-traversal validator (HIGH)
- New validate.rs with validate_agent_id() — whitelist grammar, 64-char cap,
rejects /, \, .., leading dot/dash, NUL, :, whitespace, non-ASCII,
Windows-reserved (CON/PRN/AUX/NUL/COM1-9/LPT1-9)
- Wired into all 5 agent_id→path sinks: load_task, resolve_agent_id,
prepare, simulated_merge, verify_task
- autogen_agent_id moved to validate.rs with slugify_role helper —
output passes validator by construction (100-draw property test)
- 33 new tests in agent_id_validator.rs
## safe_join symlink escape (MEDIUM)
- Base must canonicalize (nonexistent → Canonicalize error)
- Joined must start_with base_canon OR joined.parent() must start_with base_canon
- Blocks symlink-to-outside-base with non-existent tail file
- walk.rs refactored into 5 ≤17-LOC helpers
- 7 new tests in safe_join_hardening.rs
## entity-store 4 MEDIUM fixes
- ddl.rs: panic on unsupported FieldKind → typed DdlError::UnsupportedExtraColumn
propagated through Store::open as VerbError::InvalidInput (exit 2).
Extracted ddl_edge.rs + ddl_error.rs modules. Backward-compat shim preserved.
- search.rs: FTS5 empty-tokenization → typed InvalidInput on queries with
no alphanumeric tokens (was opaque rusqlite error). Unicode-aware via
char::is_alphanumeric.
- engine.rs: WAL pragma failure now logged to stderr with path + rusqlite
source; fallback to rollback journal preserved (exit-code contract intact).
- bug_fixes_smoke: added fts5_phrase_quoting_preserves_legitimate_queries —
catches over-broad sanitizer that passes injection test alone.
## Verified
- cargo check --workspace clean (both with and without http-driver feature)
- cargo test --workspace: 668 tests green (up from 620)
- substrate_integration.sh ✓, hook_wiring_integration.sh ✓
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
c1556f505a