fix(sandbox): SRP split + shellEscape cloneUrl + drop URL from logs

Three review fixes bundled:

1) SRP per sweetmantech: split app/workflows/buildOrgSnapshot.ts into
   - app/workflows/buildSnapshotStep.ts (the "use step" function)
   - app/workflows/buildOrgSnapshotWorkflow.ts (the "use workflow"
     function — filename now matches the export, addressing the
     cubic P2 about filename mismatch)

2) P0 command injection (cubic): wrap cloneUrl with shellEscape() in
   the `git clone --depth=1 ...` command. The Zod + parseGitHubRepoUrl
   validators upstream of this workflow already reject anything that
   doesn't match `^https:\/\/github\.com\/recoupable\/...`, so this
   isn't exploitable today — but shell-escaping is defense-in-depth
   that survives validator changes. Zero behavior change for valid
   inputs (extra single quotes around an already-clean URL).

3) P1 credential leak (cubic): dropped `cloneUrl` from every log line
   in the workflow + kick. The `https://user:token@github.com/...`
   shape is also blocked by the regex validator, but log scrubbing
   is the cheaper of the two layers if the validator ever loosens.
   `sandboxName` (the regex-extracted repo name only) remains in logs
   — uniquely identifies the org for observability without
   exposing tokens.

Out of scope: cubic's P2 about duplicate workflow runs (same
fire-and-forget pattern as open-agents — duplicates are wasteful but
not incorrect; can add a Vercel Workflow idempotency key in a
follow-up if observed in practice).

Tests: existing handler tests still pass unchanged (the kick is mocked
at the lib path, which didn't change). Suite remains 2577 / 2577.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: sweetmantech

app/workflows/buildOrgSnapshot.ts

@@ -0,0 +1,29 @@
+import { buildSnapshotStep, type BuildOrgSnapshotInput } from "@/app/workflows/buildSnapshotStep";
+
+/**
+ * Vercel Workflow that provisions a per-org base snapshot for warm-boot
+ * of future session sandboxes. Kicked fire-and-forget from
+ * `createSandboxHandler` when a recoupable org URL is requested but
+ * no `created` snapshot exists yet.
+ *
+ * Single step today (provision + clone + snapshot via `refreshBaseSnapshot`),
+ * wrapped here for the durable execution semantics — failures retry up
+ * to 3× automatically, the run is observable in the Vercel dashboard,
+ * and the request that kicked the workflow is fully decoupled from
+ * its lifetime.
+ */
+export async function buildOrgSnapshotWorkflow(input: BuildOrgSnapshotInput) {
+  "use workflow";
+
+  console.log(`[build-org-snapshot] workflow:start name='${input.sandboxName}'`);
+
+  try {
+    const snapshotId = await buildSnapshotStep(input);
+    console.log(`[build-org-snapshot] Built ${snapshotId} for '${input.sandboxName}'`);
+    return { success: true as const, snapshotId };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    console.error(`[build-org-snapshot] Failed for '${input.sandboxName}':`, message);
+    return { success: false as const, error: message };
+  }
+}

app/workflows/buildOrgSnapshotWorkflow.ts

@@ -0,0 +1,49 @@
+import { refreshBaseSnapshot } from "@/lib/sandbox/abstraction";
+import { getServiceGithubToken } from "@/lib/github/getServiceGithubToken";
+import { DEFAULT_SANDBOX_BASE_SNAPSHOT_ID } from "@/lib/sandbox/defaultBaseSnapshotId";
+import { shellEscape } from "@/lib/sandbox/shellEscape";
+
+const BUILD_SANDBOX_TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes
+const BUILD_COMMAND_TIMEOUT_MS = 8 * 60 * 1000; // 8 minutes — leaves buffer under sandbox timeout
+
+export interface BuildOrgSnapshotInput {
+  cloneUrl: string;
+  sandboxName: string;
+}
+
+/**
+ * Single step of `buildOrgSnapshotWorkflow`. Provisions a sandbox from
+ * the recoup base snapshot, runs `git clone --depth=1 <cloneUrl> .`
+ * inside it, and snapshots the result. Returns the new snapshot id.
+ *
+ * The cloneUrl is shell-escaped before interpolation: the validator
+ * upstream of this workflow already rejects anything that doesn't
+ * match `^https:\/\/github\.com\/recoupable\/...`, but defense-in-depth
+ * — never trust the validator to also be a shell-quoter.
+ *
+ * Logging deliberately omits `cloneUrl` to avoid surfacing any token
+ * embedded as `https://user:token@github.com/...`. The `sandboxName`
+ * is the regex-extracted repo name only, so it's safe to log.
+ */
+export async function buildSnapshotStep(input: BuildOrgSnapshotInput): Promise<string> {
+  "use step";
+
+  console.log(`[build-org-snapshot] step:start name='${input.sandboxName}'`);
+
+  const githubToken = getServiceGithubToken() ?? undefined;
+  if (!githubToken) {
+    throw new Error("[build-org-snapshot] GITHUB_TOKEN is not set; cannot clone org repo");
+  }
+
+  const result = await refreshBaseSnapshot({
+    baseSnapshotId: DEFAULT_SANDBOX_BASE_SNAPSHOT_ID,
+    sandboxName: input.sandboxName,
+    sandboxTimeoutMs: BUILD_SANDBOX_TIMEOUT_MS,
+    commandTimeoutMs: BUILD_COMMAND_TIMEOUT_MS,
+    githubToken,
+    commands: [`git clone --depth=1 ${shellEscape(input.cloneUrl)} .`],
+    log: message => console.log(`[build-org-snapshot] ${message}`),
+  });
+
+  return result.snapshotId;
+}

app/workflows/buildSnapshotStep.ts

@@ -1,5 +1,5 @@
 import { start } from "workflow/api";
-import { buildOrgSnapshotWorkflow } from "@/app/workflows/buildOrgSnapshot";
+import { buildOrgSnapshotWorkflow } from "@/app/workflows/buildOrgSnapshotWorkflow";
 
 interface KickBuildOrgSnapshotInput {
   cloneUrl: string;
@@ -16,6 +16,11 @@ interface KickBuildOrgSnapshotInput {
  * falls back to the slow full-clone path; what we're protecting is
  * that *future* requests don't have to.
  *
+ * Logging omits `cloneUrl` to avoid surfacing any embedded credential
+ * (e.g. `https://user:token@github.com/...`) — the `sandboxName` is
+ * already the regex-extracted repo name only, which uniquely
+ * identifies the org for observability without exposing tokens.
+ *
  * @param input - The repo URL to clone and the sandbox name to use
  *   (which becomes the snapshot's name and the lookup key for
  *   `findOrgSnapshot`).
@@ -24,11 +29,11 @@ export function kickBuildOrgSnapshotWorkflow(input: KickBuildOrgSnapshotInput) {
   void start(buildOrgSnapshotWorkflow, [input]).then(
     run =>
       console.log(
-        `[build-org-snapshot] Started workflow run ${run.runId} for '${input.sandboxName}' (${input.cloneUrl})`,
+        `[build-org-snapshot] Started workflow run ${run.runId} for '${input.sandboxName}'`,
       ),
     error =>
       console.error(
-        `[build-org-snapshot] Failed to start workflow for '${input.sandboxName}' (${input.cloneUrl}):`,
+        `[build-org-snapshot] Failed to start workflow for '${input.sandboxName}':`,
         error,
       ),
   );