fix(security): enforce folder validator in ncl groups create (CWE-22)

The group resource has no customInsert, so genericCreate runs a raw INSERT with
the operator-supplied folder directly, skipping createAgentGroup ->
assertValidGroupFolder. `ncl groups create --folder ../../etc` then persists a
folder that escapes GROUPS_DIR; buildMounts/group-init bind-mount it RW and
mkdir it — a path traversal into a container sandbox escape. Validate at the CLI
create chokepoint too.

Author: sturdy4days

src/cli/resources/groups.ts

@@ -3,6 +3,7 @@ import { buildAgentGroupImage, killContainer, wakeContainer } from '../../contai
 import { restartAgentGroupContainers } from '../../container-restart.js';
 import { getDb, hasTable } from '../../db/connection.js';
 import { getSession } from '../../db/sessions.js';
+import { assertValidGroupFolder } from '../../group-folder.js';
 import { writeSessionMessage } from '../../session-manager.js';
 import {
   getContainerConfig,
@@ -58,6 +59,18 @@ registerResource({
     },
     { name: 'created_at', type: 'string', description: 'Auto-set.', generated: true },
   ],
+  // SECURITY: the CLI create path must enforce the same folder validator as the
+  // domain helper createAgentGroup. genericCreate skips that helper, so without
+  // this `ncl groups create --folder ../../etc` persists a folder that escapes
+  // GROUPS_DIR and is later bind-mounted RW + mkdir'd into the container
+  // (CWE-22 path traversal → container sandbox escape).
+  customInsert: (values) => {
+    assertValidGroupFolder(values.folder as string);
+    const cols = Object.keys(values);
+    getDb()
+      .prepare(`INSERT INTO agent_groups (${cols.join(', ')}) VALUES (${cols.map((c) => `@${c}`).join(', ')})`)
+      .run(values as Record<string, string>);
+  },
   // `delete` is intentionally not in `operations` — the generic single-table
   // DELETE violates FK constraints (see #2525). The cascading handler is
   // provided as `customOperations.delete` below.