Merge upstream/main into feat/tui-remote-support

Resolve conflicts by:
- Taking upstream for .roborev.toml, Dockerfile, cmd/msgvault/cmd/setup.go
- Keeping our doRequestWithContext in internal/remote/store.go for context propagation
- Keeping our TUI aggregate endpoints in internal/api/handlers.go
- Keeping our test additions in internal/api/handlers_test.go
- Keeping our engine field in internal/api/server.go

All tests pass after merge.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: EconoBen

.gitignore

@@ -22,6 +22,8 @@ oauth_client*.json
 
 # Local development state
 .beads/
+.githooks/post-commit
+.mcp.json
 
 # Python
 __pycache__/

.roborev.toml

@@ -13,4 +13,11 @@ choice — do not flag it as a concern.
 HTTP remote defaults, plaintext key display in interactive CLI,
 enabled=true override on account creation, and page-aligned pagination
 are documented design decisions — see code comments at each site.
+
+This is a single-user personal tool with no privilege separation, no
+setuid, no shared directories, and no multi-tenant access. Do not flag
+symlink-following, local file overwrites, or similar CWE patterns that
+require an attacker with the same privileges as the user — they already
+own everything this tool touches. Auth on loopback-only endpoints with
+no configured API key is also by design.
 """

Dockerfile

@@ -62,7 +62,7 @@ WORKDIR /data
 
 # Health check using wget (curl not included to keep image small)
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
-    CMD wget -q --spider http://localhost:8080/health || exit 1
+    CMD wget -qO/dev/null http://localhost:8080/health || exit 1
 
 # Default port for HTTP API
 EXPOSE 8080

cmd/msgvault/cmd/mcp.go

@@ -21,7 +21,7 @@ var mcpCmd = &cobra.Command{
 
 This allows Claude Desktop (or any MCP client) to query your email archive
 using tools like search_messages, get_message, list_messages, get_stats,
-and aggregate.
+aggregate, and stage_deletion.
 
 Add to Claude Desktop config:
   {
@@ -76,7 +76,7 @@ Add to Claude Desktop config:
 		ctx, cancel := context.WithCancel(context.Background())
 		defer cancel()
 
-		return mcpserver.Serve(ctx, engine, cfg.AttachmentsDir())
+		return mcpserver.Serve(ctx, engine, cfg.AttachmentsDir(), cfg.Data.DataDir)
 	},
 }
 

cmd/msgvault/cmd/setup.go

@@ -272,9 +272,7 @@ rate_limit_qps = 5
 	}
 
 	// Create docker-compose.yml
-	dockerCompose := fmt.Sprintf(`version: "3.8"
-
-services:
+	dockerCompose := fmt.Sprintf(`services:
   msgvault:
     image: ghcr.io/wesm/msgvault:latest
     container_name: msgvault

internal/api/server.go

@@ -116,6 +116,7 @@ func (s *Server) setupRouter() chi.Router {
 
 	// Health check (no auth required)
 	r.Get("/health", s.handleHealth)
+	r.Head("/health", s.handleHealth)
 
 	// API routes (auth required)
 	r.Route("/api/v1", func(r chi.Router) {

internal/api/server_test.go

@@ -115,6 +115,24 @@ func TestHealthEndpoint(t *testing.T) {
 	}
 }
 
+func TestHealthEndpoint_HEAD(t *testing.T) {
+	cfg := &config.Config{
+		Server: config.ServerConfig{APIPort: 8080},
+	}
+	sched := newMockScheduler()
+	srv := NewServer(cfg, nil, sched, testLogger())
+
+	req := httptest.NewRequest("HEAD", "/health", nil)
+	w := httptest.NewRecorder()
+
+	srv.Router().ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("HEAD /health status = %d, want %d",
+			w.Code, http.StatusOK)
+	}
+}
+
 func TestAuthMiddleware(t *testing.T) {
 	cfg := &config.Config{
 		Server: config.ServerConfig{

internal/config/config.go

@@ -243,27 +243,66 @@ func (c *Config) ConfigFilePath() string {
 	return filepath.Join(c.HomeDir, "config.toml")
 }
 
-// Save writes the current configuration to disk.
-// Creates the config file if it doesn't exist, or updates it if it does.
-// Empty sections are omitted from the output.
+// Save writes the current configuration to disk atomically.
+// Uses temp file + rename to prevent partial writes on crash.
+// Enforces 0600 permissions regardless of existing file mode.
 func (c *Config) Save() error {
 	path := c.ConfigFilePath()
 
+	// Resolve symlinks so atomic rename replaces the target, not
+	// the symlink itself. EvalSymlinks fails on dangling symlinks
+	// (target doesn't exist yet), so fall back to Readlink.
+	if resolved, err := filepath.EvalSymlinks(path); err == nil {
+		path = resolved
+	} else if target, lErr := os.Readlink(path); lErr == nil {
+		if !filepath.IsAbs(target) {
+			target = filepath.Join(filepath.Dir(path), target)
+		}
+		path = target
+	}
+
 	// Ensure home directory exists
 	if err := c.EnsureHomeDir(); err != nil {
 		return fmt.Errorf("create config directory: %w", err)
 	}
 
-	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	dir := filepath.Dir(path)
+	tmp, err := os.CreateTemp(dir, ".config-*.toml.tmp")
 	if err != nil {
-		return fmt.Errorf("create config file: %w", err)
+		return fmt.Errorf("create temp config file: %w", err)
+	}
+	tmpPath := tmp.Name()
+
+	// Clean up temp file on any failure path
+	success := false
+	defer func() {
+		if !success {
+			tmp.Close()
+			os.Remove(tmpPath)
+		}
+	}()
+
+	if err := tmp.Chmod(0600); err != nil {
+		return fmt.Errorf("set config file permissions: %w", err)
 	}
-	defer f.Close()
 
-	if err := toml.NewEncoder(f).Encode(c); err != nil {
+	if err := toml.NewEncoder(tmp).Encode(c); err != nil {
 		return fmt.Errorf("encode config: %w", err)
 	}
 
+	if err := tmp.Sync(); err != nil {
+		return fmt.Errorf("sync config file: %w", err)
+	}
+
+	if err := tmp.Close(); err != nil {
+		return fmt.Errorf("close config file: %w", err)
+	}
+
+	if err := os.Rename(tmpPath, path); err != nil {
+		return fmt.Errorf("rename config file: %w", err)
+	}
+
+	success = true
 	return nil
 }
 

internal/config/config_test.go

@@ -926,6 +926,187 @@ func TestSave_CreatesFileWithSecurePermissions(t *testing.T) {
 	}
 }
 
+func TestSave_TightensWeakPermissions(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("Unix file permissions not supported on Windows")
+	}
+
+	tmpDir := t.TempDir()
+	cfg := NewDefaultConfig()
+	cfg.HomeDir = tmpDir
+
+	// Pre-create config file with overly permissive mode
+	path := cfg.ConfigFilePath()
+	if err := os.WriteFile(path, []byte(""), 0644); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+
+	if err := cfg.Save(); err != nil {
+		t.Fatalf("Save() error = %v", err)
+	}
+
+	info, err := os.Stat(path)
+	if err != nil {
+		t.Fatalf("Stat: %v", err)
+	}
+	if info.Mode().Perm()&0077 != 0 {
+		t.Errorf("Save should tighten perms: got %04o, want 0600",
+			info.Mode().Perm())
+	}
+}
+
+func TestSave_FollowsSymlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("symlinks require elevated privileges on Windows")
+	}
+
+	t.Run("absolute target", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		targetDir := t.TempDir()
+		targetPath := filepath.Join(targetDir, "actual-config.toml")
+		linkPath := filepath.Join(tmpDir, "config.toml")
+
+		if err := os.Symlink(targetPath, linkPath); err != nil {
+			t.Fatalf("Symlink: %v", err)
+		}
+
+		cfg := NewDefaultConfig()
+		cfg.HomeDir = tmpDir
+		cfg.Sync.RateLimitQPS = 77
+
+		if err := cfg.Save(); err != nil {
+			t.Fatalf("Save() error = %v", err)
+		}
+
+		linkTarget, err := os.Readlink(linkPath)
+		if err != nil {
+			t.Fatalf("symlink was replaced: %v", err)
+		}
+		if linkTarget != targetPath {
+			t.Errorf("symlink target = %q, want %q", linkTarget, targetPath)
+		}
+
+		loaded, err := Load(targetPath, "")
+		if err != nil {
+			t.Fatalf("Load target: %v", err)
+		}
+		if loaded.Sync.RateLimitQPS != 77 {
+			t.Errorf("RateLimitQPS = %d, want 77", loaded.Sync.RateLimitQPS)
+		}
+	})
+
+	t.Run("relative target", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		// Create subdir for the actual file
+		subDir := filepath.Join(tmpDir, "real")
+		if err := os.Mkdir(subDir, 0700); err != nil {
+			t.Fatalf("Mkdir: %v", err)
+		}
+		targetPath := filepath.Join(subDir, "config.toml")
+		linkPath := filepath.Join(tmpDir, "config.toml")
+
+		// Relative symlink: config.toml → real/config.toml
+		if err := os.Symlink("real/config.toml", linkPath); err != nil {
+			t.Fatalf("Symlink: %v", err)
+		}
+
+		cfg := NewDefaultConfig()
+		cfg.HomeDir = tmpDir
+		cfg.Sync.RateLimitQPS = 88
+
+		if err := cfg.Save(); err != nil {
+			t.Fatalf("Save() error = %v", err)
+		}
+
+		// Symlink must still be intact
+		linkTarget, err := os.Readlink(linkPath)
+		if err != nil {
+			t.Fatalf("symlink was replaced: %v", err)
+		}
+		if linkTarget != "real/config.toml" {
+			t.Errorf("symlink target = %q, want %q",
+				linkTarget, "real/config.toml")
+		}
+
+		// Target file should contain the saved config
+		loaded, err := Load(targetPath, "")
+		if err != nil {
+			t.Fatalf("Load target: %v", err)
+		}
+		if loaded.Sync.RateLimitQPS != 88 {
+			t.Errorf("RateLimitQPS = %d, want 88",
+				loaded.Sync.RateLimitQPS)
+		}
+	})
+}
+
+func TestSave_FailurePreservesExisting(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("cannot make directory unwritable on Windows")
+	}
+
+	tmpDir := t.TempDir()
+
+	// Save initial valid config
+	cfg := NewDefaultConfig()
+	cfg.HomeDir = tmpDir
+	cfg.Sync.RateLimitQPS = 5
+	if err := cfg.Save(); err != nil {
+		t.Fatalf("initial Save: %v", err)
+	}
+
+	// Read back original content
+	originalBytes, err := os.ReadFile(cfg.ConfigFilePath())
+	if err != nil {
+		t.Fatalf("ReadFile: %v", err)
+	}
+
+	// Make directory unwritable so CreateTemp fails
+	if err := os.Chmod(tmpDir, 0500); err != nil {
+		t.Fatalf("Chmod: %v", err)
+	}
+	t.Cleanup(func() { _ = os.Chmod(tmpDir, 0700) })
+
+	// Probe whether the restriction actually works
+	probe, probeErr := os.CreateTemp(tmpDir, "probe-*")
+	if probeErr == nil {
+		probe.Close()
+		os.Remove(probe.Name())
+		t.Skip("chmod 0500 did not restrict writes (running as root)")
+	}
+
+	// Save should fail
+	cfg.Sync.RateLimitQPS = 99
+	if err := cfg.Save(); err == nil {
+		t.Fatal("Save should fail when directory is unwritable")
+	}
+
+	// Restore permissions to verify state
+	if err := os.Chmod(tmpDir, 0700); err != nil {
+		t.Fatalf("Chmod restore: %v", err)
+	}
+
+	// Original config should be intact
+	currentBytes, err := os.ReadFile(cfg.ConfigFilePath())
+	if err != nil {
+		t.Fatalf("ReadFile: %v", err)
+	}
+	if string(currentBytes) != string(originalBytes) {
+		t.Error("config file was corrupted after failed Save")
+	}
+
+	// No temp files should be left behind
+	entries, err := os.ReadDir(tmpDir)
+	if err != nil {
+		t.Fatalf("ReadDir: %v", err)
+	}
+	for _, e := range entries {
+		if strings.HasPrefix(e.Name(), ".config-") {
+			t.Errorf("leftover temp file: %s", e.Name())
+		}
+	}
+}
+
 func TestSave_OverwritesExisting(t *testing.T) {
 	tmpDir := t.TempDir()