Request validation and resilience improvements (#864)

### Security: Input validation & path safety
- **Reject local file references by default** in package parsing — only allow when explicitly opted in by the service (`ParseFlags::kAllowLocalReferences`) and validated by an `ILocalRefPolicy` (fail-closed: no policy = rejected)
- **`DataRootLocalRefPolicy`** restricts local ref paths to the server's data root via canonical path prefix matching
- **Validate attachment hashes** in compute HTTP handlers — decompresses and re-hashes each attachment at ingestion time to reject tampered payloads
- **Path traversal validation** for worker descriptions (`pathvalidation.h`) — rejects absolute paths, `..` components, Windows reserved device names, and invalid filename characters
- **Harden CbPackage parsing** against corrupt inputs — overflow-safe attachment count, bounds checks on local ref offset/size, graceful failure instead of `ZEN_ASSERT` for untrusted data
- **Harden legacy package parser** — reject zero-size binary fields, missing mappers, and optionally validate resolved attachment hashes
- **Bounds check in `CbPackageReader::MarshalLocalChunkReference`** — detect when `MakeFromFile` silently clamps offset+size to file size

### Reliability: Lock consolidation & bug fixes
- **Consolidate three action map locks into one** (`m_ActionMapLock`) — eliminates deadlock risk from multi-lock ordering, simplifies state transitions, and fixes a race where newly enqueued actions were briefly invisible to `GetActionResult`/`FindActionResult`
- **Fix infinite loop in `BaseRunnerGroup::SubmitActions`** when actions exceed total runner capacity — cap round-robin at `TotalCapacity` and default unassigned results to "No capacity"
- **Fix `MakeSafeAbsolutePathInPlace` for UNC paths** — `\server\share` now correctly becomes `\?\UNC\server\share` instead of `\?\server\share`
- **Fix `max_retries=0`** — previously fell through to the default of 3; now correctly means "no retries"

### New: ManagedProcessRunner
- Cross-platform process runner backed by `SubprocessManager` — uses async exit callbacks instead of polling, delegates CPU/memory metrics to the manager's built-in sampler
- `ProcessGroup` (JobObject on Windows, process group on POSIX) for bulk cancellation on shutdown
- `--managed` flag on `zen exec inproc` to select this runner
- Refactored monitor thread lifecycle — `StartMonitorThread()` now called from derived constructors to avoid calling virtual functions from base constructor

### Process management
- **Suppress crash dialogs** via `JOB_OBJECT_UILIMIT_ERRORMODE` + `SEM_NOGPFAULTERRORBOX` in both `WindowsProcessRunner` and `JobObject::Initialize` — prevents WER/Dr. Watson modal dialogs from blocking the monitor thread
- **CREATE_SUSPENDED → AssignProcessToJobObject → ResumeThread** pattern in `WindowsProcessRunner` — ensures job object assignment before process execution
- **Move stdout/stderr callbacks to `Spawn()` parameters** in `SubprocessManager` — prevents race where early output could be missed before callback installation
- Consistent PID logging across all runner types

### Test infrastructure
- **`zentest-appstub`**: Added `Fail` (configurable exit code) and `Crash` (abort / nullptr deref) test functions
- **Compute integration tests**: exit code handling, auto-retry exhaustion, manual reschedule after failure, mixed success/failure queues, crash handling (abort + nullptr), crash auto-retry, immediate query visibility after enqueue
- **Package format tests**: truncated header, bad magic, attachment count overflow, truncated data, local ref rejection/acceptance, policy enforcement (inside/outside root, traversal, no-policy fail-closed)
- **Legacy package parser tests**: empty input, zero-size binary, hash resolution with/without mapper, hash mismatch detection
- **UNC path tests** for `MakeSafeAbsolutePath`

### Misc
- ANSI color helper macros (`ZEN_RED`, `ZEN_BRIGHT_WHITE`, etc.) and `ZEN_BOLD`/`ZEN_DIM`/etc.
- Generic `fmt::formatter` for types with free `ToString` functions
- Compute dashboard: truncated hash display with monospace font and hover for full value
- Renamed `usonpackage_forcelink` → `cbpackage_forcelink`
- Compute enabled by default in xmake config (releases still explicitly disable)

1 files changed, 46 insertions, 23 deletions

diff --git a/src/zenutil/process/subprocessmanager.cpp b/src/zenutil/process/subprocessmanager.cpp
index 3a91b0a61..b053ac6bd 100644
--- a/src/zenutil/process/subprocessmanager.cpp
+++ b/src/zenutil/process/subprocessmanager.cpp
@@ -196,18 +196,6 @@ ManagedProcess::GetCpuUsagePercent() const
 	return m_Impl->m_CpuUsagePercent.load();
 }
 
-void
-ManagedProcess::SetStdoutCallback(ProcessDataCallback Callback)
-{
-	m_Impl->m_StdoutCallback = std::move(Callback);
-}
-
-void
-ManagedProcess::SetStderrCallback(ProcessDataCallback Callback)
-{
-	m_Impl->m_StderrCallback = std::move(Callback);
-}
-
 std::string
 ManagedProcess::GetCapturedStdout() const
 {
@@ -288,7 +276,9 @@ struct SubprocessManager::Impl
 	ManagedProcess* Spawn(const std::filesystem::path& Executable,
 						  std::string_view			   CommandLine,
 						  CreateProcOptions&		   Options,
-						  ProcessExitCallback		   OnExit);
+						  ProcessExitCallback		   OnExit,
+						  ProcessDataCallback		   OnStdout,
+						  ProcessDataCallback		   OnStderr);
 	ManagedProcess* Adopt(ProcessHandle&& Handle, ProcessExitCallback OnExit);
 	void			Remove(int Pid);
 	void			RemoveAll();
@@ -462,7 +452,9 @@ ManagedProcess*
 SubprocessManager::Impl::Spawn(const std::filesystem::path& Executable,
 							   std::string_view				CommandLine,
 							   CreateProcOptions&			Options,
-							   ProcessExitCallback			OnExit)
+							   ProcessExitCallback			OnExit,
+							   ProcessDataCallback			OnStdout,
+							   ProcessDataCallback			OnStderr)
 {
 	bool HasStdout = Options.StdoutPipe != nullptr;
 	bool HasStderr = Options.StderrPipe != nullptr;
@@ -476,6 +468,16 @@ SubprocessManager::Impl::Spawn(const std::filesystem::path& Executable,
 	ImplPtr->m_Handle.Initialize(static_cast<int>(Result));
 #endif
 
+	// Install callbacks before starting async readers so no data is missed.
+	if (OnStdout)
+	{
+		ImplPtr->m_StdoutCallback = std::move(OnStdout);
+	}
+	if (OnStderr)
+	{
+		ImplPtr->m_StderrCallback = std::move(OnStderr);
+	}
+
 	auto Proc = std::unique_ptr<ManagedProcess>(new ManagedProcess(std::move(ImplPtr)));
 
 	ManagedProcess* Ptr = AddProcess(std::move(Proc));
@@ -719,10 +721,12 @@ ManagedProcess*
 SubprocessManager::Spawn(const std::filesystem::path& Executable,
 						 std::string_view			  CommandLine,
 						 CreateProcOptions&			  Options,
-						 ProcessExitCallback		  OnExit)
+						 ProcessExitCallback		  OnExit,
+						 ProcessDataCallback		  OnStdout,
+						 ProcessDataCallback		  OnStderr)
 {
 	ZEN_TRACE_CPU("SubprocessManager::Spawn");
-	return m_Impl->Spawn(Executable, CommandLine, Options, std::move(OnExit));
+	return m_Impl->Spawn(Executable, CommandLine, Options, std::move(OnExit), std::move(OnStdout), std::move(OnStderr));
 }
 
 ManagedProcess*
@@ -835,7 +839,9 @@ struct ProcessGroup::Impl
 	ManagedProcess* Spawn(const std::filesystem::path& Executable,
 						  std::string_view			   CommandLine,
 						  CreateProcOptions&		   Options,
-						  ProcessExitCallback		   OnExit);
+						  ProcessExitCallback		   OnExit,
+						  ProcessDataCallback		   OnStdout,
+						  ProcessDataCallback		   OnStderr);
 	ManagedProcess* Adopt(ProcessHandle&& Handle, ProcessExitCallback OnExit);
 	void			Remove(int Pid);
 	void			KillAll();
@@ -884,7 +890,9 @@ ManagedProcess*
 ProcessGroup::Impl::Spawn(const std::filesystem::path& Executable,
 						  std::string_view			   CommandLine,
 						  CreateProcOptions&		   Options,
-						  ProcessExitCallback		   OnExit)
+						  ProcessExitCallback		   OnExit,
+						  ProcessDataCallback		   OnStdout,
+						  ProcessDataCallback		   OnStderr)
 {
 	bool HasStdout = Options.StdoutPipe != nullptr;
 	bool HasStderr = Options.StderrPipe != nullptr;
@@ -917,6 +925,16 @@ ProcessGroup::Impl::Spawn(const std::filesystem::path& Executable,
 	}
 #endif
 
+	// Install callbacks before starting async readers so no data is missed.
+	if (OnStdout)
+	{
+		ImplPtr->m_StdoutCallback = std::move(OnStdout);
+	}
+	if (OnStderr)
+	{
+		ImplPtr->m_StderrCallback = std::move(OnStderr);
+	}
+
 	auto Proc = std::unique_ptr<ManagedProcess>(new ManagedProcess(std::move(ImplPtr)));
 
 	ManagedProcess* Ptr = AddProcess(std::move(Proc));
@@ -1077,10 +1095,12 @@ ManagedProcess*
 ProcessGroup::Spawn(const std::filesystem::path& Executable,
 					std::string_view			 CommandLine,
 					CreateProcOptions&			 Options,
-					ProcessExitCallback			 OnExit)
+					ProcessExitCallback			 OnExit,
+					ProcessDataCallback			 OnStdout,
+					ProcessDataCallback			 OnStderr)
 {
 	ZEN_TRACE_CPU("ProcessGroup::Spawn");
-	return m_Impl->Spawn(Executable, CommandLine, Options, std::move(OnExit));
+	return m_Impl->Spawn(Executable, CommandLine, Options, std::move(OnExit), std::move(OnStdout), std::move(OnStderr));
 }
 
 ManagedProcess*
@@ -1289,9 +1309,12 @@ TEST_CASE("SubprocessManager.StdoutCallback")
 	std::string ReceivedData;
 	bool		Exited = false;
 
-	ManagedProcess* Proc = Manager.Spawn(AppStub, CmdLine, Options, [&](ManagedProcess&, int) { Exited = true; });
-
-	Proc->SetStdoutCallback([&](ManagedProcess&, std::string_view Data) { ReceivedData.append(Data); });
+	ManagedProcess* Proc = Manager.Spawn(
+		AppStub,
+		CmdLine,
+		Options,
+		[&](ManagedProcess&, int) { Exited = true; },
+		[&](ManagedProcess&, std::string_view Data) { ReceivedData.append(Data); });
 
 	IoContext.run_for(5s);