🛡️ Sentinel: Verify Unix socket peer credentials

[minibota]

🔐 Issue: In "User Mode", the agent connects to a Unix socket which may be located in a shared directory like /tmp. A malicious local user could potentially create a socket at the expected path (if the directory permissions allow or via race conditions) to intercept execution reports.

🧠 Risk: Information Disclosure. Execution reports containing job stdout/stderr (which may contain secrets) could be sent to an attacker's process.

🛠️ Fix:

• Implemented verifySocketPeer in cmd/security_linux.go using syscall.GetsockoptUcred (SO_PEERCRED).
• Updated sendToDaemon in cmd/exec.go to verify the peer's UID matches the current user's UID (or root) immediately after connection.
• Added a stub in cmd/security_other.go for non-Linux compatibility.

🧪 Tests:

• Added cmd/security_peer_linux_test.go which mocks getCurrentUid to simulate a cross-user connection and asserts that the security check fails.
• Verified that legitimate connections (same user) still succeed.

---

PR created automatically by Jules for task 12636073035741168691 started by @minibota

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.