fix(elevation): ACL principal alias + scheduledTask probe full path (#18)

Two digest-comparison bugs surfaced by L3 production-profile
validation after PR #17 unblocked the apply side. Both manifest as
``post-apply observation disagrees with desired`` failures even
when the underlying icacls / scheduledTask calls succeeded — the
DACL and the task ARE the operator-declared shape on disk; the
canonical-state string the digest is taken over diverges only
because of alias / path-projection mismatches.

1. ACL: icacls accepts well-known short names (``SYSTEM``,
   ``NetworkService``, ``Administrators``) as INPUT but emits the
   domain-qualified form (``NT AUTHORITY\SYSTEM``,
   ``NT AUTHORITY\NETWORK SERVICE``, ``BUILTIN\Administrators``)
   on OUTPUT. ``normalizeDirAclEntry`` only collapsed whitespace,
   so a recipe declaring ``aclEntry(principal = "SYSTEM", ...)``
   produced a digest with ``SYSTEM:(F)`` while the observed digest
   had ``NT AUTHORITY\SYSTEM:(F)`` — they never converged.

   Add ``canonicalizeAclPrincipal`` (case-insensitive collapse of
   the seven well-known aliases to their icacls-emitted form) and
   thread it through ``normalizeDirAclEntry`` (split the entry at
   the first ``:`` outside any ``(...)``; rewrite the principal
   prefix; preserve the rest verbatim).

2. scheduledTask: the probe's ``'TaskName=' + $t.TaskName`` line
   returned the LEAF name only (``WindowsRunner-EnvBootstrap``)
   while ``canonicalScheduledTaskDesired`` carried the full path
   (``\Reprobuild\WindowsRunner-EnvBootstrap``). The post-apply
   re-probe digests disagreed even when the task WAS registered
   in the operator-declared folder.

   Emit ``$t.TaskPath + $t.TaskName`` (``$t.TaskPath`` already ends
   in ``\``) so the observed canonical string carries the same
   shape as the desired one.

Update the ``normalizeDirAclEntry`` smoke test to cover the new
canonicalization branches (the previous test assumed the no-op
SYSTEM:(F) shape).

--no-verify: pre-existing prek migration-mode failure
(no .pre-commit-config.yaml in repo).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: zah

libs/repro_elevation/src/repro_elevation/posix_system_parse.nim

@@ -1204,14 +1204,43 @@ proc renderIcaclsGrantCommandArgs*(path, entry: string): seq[string] =
   of icaclsDenyVerb:
     @["icacls", path, "/deny", split.spec]
 
+proc canonicalizeAclPrincipal*(p: string): string =
+  ## Collapse the well-known Windows principal aliases ``icacls``
+  ## accepts as INPUT to the domain-qualified form it emits as
+  ## OUTPUT, so a desired entry written ``SYSTEM:(F)`` matches an
+  ## observed entry written ``NT AUTHORITY\SYSTEM:(F)``.
+  ## Case-insensitive on the alias side (``System``, ``SYSTEM``,
+  ## ``system`` are all icacls-equivalent); the canonical form keeps
+  ## the exact spelling icacls emits (mixed-case on the
+  ## Network/Local Service family, all-caps on SYSTEM).
+  ##
+  ## Without this collapse the post-apply digest of a
+  ## ``fs.systemDirectory`` recipe declaring
+  ## ``aclEntry(principal = "SYSTEM", ...)`` disagrees with the
+  ## observed ACL even when ``icacls`` happily granted exactly that
+  ## ACE — operators would have to hand-write
+  ## ``NT AUTHORITY\SYSTEM`` to make the digest converge.
+  case p.toLowerAscii
+  of "system": "NT AUTHORITY\\SYSTEM"
+  of "localservice", "local service": "NT AUTHORITY\\LOCAL SERVICE"
+  of "networkservice", "network service": "NT AUTHORITY\\NETWORK SERVICE"
+  of "administrators": "BUILTIN\\Administrators"
+  of "users": "BUILTIN\\Users"
+  of "everyone": "Everyone"
+  of "authenticated users": "NT AUTHORITY\\Authenticated Users"
+  else: p
+
 proc normalizeDirAclEntry*(ace: string): string =
-  ## Stable rendering of an ACE for digest purposes: trim outer
-  ## whitespace and collapse all internal whitespace runs to single
-  ## spaces. icacls permits extra whitespace inside the perm groups;
-  ## the canonical form collapses these so two visually-equivalent
-  ## ACE strings hash to the same digest. Mirrors the
-  ## `normalizeAclEntry` shape in `windows_system_parse.nim` so the
-  ## two ACL kinds digest equivalent entries identically.
+  ## Stable rendering of an ACE for digest purposes: collapse
+  ## internal whitespace and canonicalise the principal alias
+  ## (``SYSTEM`` ↔ ``NT AUTHORITY\SYSTEM`` etc.). icacls permits
+  ## extra whitespace inside the perm groups and accepts well-known
+  ## short names as input but always emits the domain-qualified form
+  ## on output; the canonical form collapses both axes so two
+  ## visually-equivalent ACE strings hash to the same digest.
+  ## Mirrors the ``normalizeAclEntry`` shape in
+  ## ``windows_system_parse.nim`` so the two ACL kinds digest
+  ## equivalent entries identically.
   var collapsed = ""
   var prevWasSpace = false
   for ch in ace.strip():
@@ -1222,7 +1251,25 @@ proc normalizeDirAclEntry*(ace: string): string =
     else:
       collapsed.add(ch)
       prevWasSpace = false
-  collapsed
+  # Split principal:perm-spec at the FIRST ``:`` that is NOT inside a
+  # parenthesised group (an ACE shape is ``Principal[\Name]:(perms)``).
+  # The principal canonicalisation only rewrites the prefix.
+  var depth = 0
+  var splitIdx = -1
+  for i, ch in collapsed:
+    case ch
+    of '(': inc depth
+    of ')': dec depth
+    of ':':
+      if depth == 0:
+        splitIdx = i
+        break
+    else: discard
+  if splitIdx < 0:
+    return collapsed
+  let principal = collapsed[0 ..< splitIdx]
+  let rest = collapsed[splitIdx .. ^1]
+  canonicalizeAclPrincipal(principal) & rest
 
 proc canonicalDirAclDesired*(present: bool; owner: string;
                              entries: seq[string];

libs/repro_elevation/src/repro_elevation/windows_system_driver.nim

@@ -1473,7 +1473,12 @@ when defined(windows):
       " -TaskName " & psQuote(parts.leaf) &
       " -ErrorAction SilentlyContinue; " &
       "if ($null -eq $t) { 'Missing=1' } else { " &
-      "'TaskName=' + $t.TaskName; " &
+      # Emit the FULL path (``$t.TaskPath`` already ends with ``\``)
+      # so the canonical observed-state string matches the desired
+      # one (which carries the full ``\Folder\Leaf`` path). Without
+      # this the digest disagrees even when Register/Get/Unregister
+      # all targeted the same folder.
+      "'TaskName=' + $t.TaskPath + $t.TaskName; " &
       "'Executable=' + $t.Actions[0].Execute; " &
       "'Arguments=' + $t.Actions[0].Arguments; " &
       "'WorkingDirectory=' + $t.Actions[0].WorkingDirectory; " &

libs/repro_elevation/tests/t_smoke_repro_elevation.nim

@@ -1175,11 +1175,26 @@ suite "repro_elevation: fs.systemDirectory Phase D — drift digest":
       observedInheritanceDisabled = false,
       desiredInheritance = "enabled")
 
-  test "normalizeDirAclEntry collapses internal whitespace":
-    check normalizeDirAclEntry("SYSTEM:(F)") == "SYSTEM:(F)"
-    check normalizeDirAclEntry("  SYSTEM:(F)  ") == "SYSTEM:(F)"
-    check normalizeDirAclEntry("SYSTEM:(F)  (OI)") == "SYSTEM:(F) (OI)"
-    check normalizeDirAclEntry("SYSTEM:(F)\t (CI)") == "SYSTEM:(F) (CI)"
+  test "normalizeDirAclEntry collapses internal whitespace + canonicalises principal":
+    # The principal-alias collapse (added alongside the whitespace
+    # pass) rewrites ``SYSTEM`` to ``NT AUTHORITY\SYSTEM`` so the
+    # desired digest matches the icacls-emitted observed digest.
+    check normalizeDirAclEntry("SYSTEM:(F)") == "NT AUTHORITY\\SYSTEM:(F)"
+    check normalizeDirAclEntry("  SYSTEM:(F)  ") ==
+      "NT AUTHORITY\\SYSTEM:(F)"
+    check normalizeDirAclEntry("SYSTEM:(F)  (OI)") ==
+      "NT AUTHORITY\\SYSTEM:(F) (OI)"
+    check normalizeDirAclEntry("SYSTEM:(F)\t (CI)") ==
+      "NT AUTHORITY\\SYSTEM:(F) (CI)"
+    # A principal already in domain-qualified form is left alone.
+    check normalizeDirAclEntry("NT AUTHORITY\\SYSTEM:(F)") ==
+      "NT AUTHORITY\\SYSTEM:(F)"
+    # NetworkService -> NT AUTHORITY\NETWORK SERVICE.
+    check normalizeDirAclEntry("NetworkService:(RX)") ==
+      "NT AUTHORITY\\NETWORK SERVICE:(RX)"
+    # An unknown principal is left alone (the canonicaliser only
+    # rewrites the documented well-known set).
+    check normalizeDirAclEntry("DOMAIN\\Alice:(F)") == "DOMAIN\\Alice:(F)"
 
   test "fsSystemDirectoryDigestPayload back-compat for ACL-unmanaged":
     # The aclPresent==false branch MUST produce a string