fix(git): open absolute-path files via osfs root "/" (fixes "public key is not configured")

[universe-ops]

Problem

sc secrets reveal (and secrets add / secrets allow) fails with:

Error: public key is not configured

even when the profile is correctly configured and the key files exist. It reproduces with any profile that references keys by path, e.g. .sc/cfg.default.yaml:

projectName: my-project
privateKeyPath: ~/.ssh/id_rsa
publicKeyPath: ~/.ssh/id_rsa.pub

Root cause

git.repo.OpenFile delegates absolute paths to osfs.New("").OpenFile(...). Under go-billy v5.9.0, the default ChrootOS resolves symlinks relative to its root via filepath.Rel. With an empty
root (which cleans to "."), filepath.Rel(".", "/abs/path") always errors, so every absolute open returns chroot boundary crossed.

The failure cascades into the misleading error:

1. WithKeysFromScConfig loads the private key first (~/.ssh/id_rsa → absolute after tilde expansion), so the failed open aborts the entire profile load.
2. That error is swallowed at command bootstrap by IgnoreConfigDirError: true (root.go).
3. The public key is therefore never set, and DecryptAll later reports public key is not configured.

This was a latent regression introduced with the go-billy v5.9.0 upgrade — there was even a unit test that had codified the broken chroot boundary behavior as a "QUIRK."

Fix

Root the OS filesystem at "/" (not "") for absolute paths, so filepath.Rel("/", "/abs/path") is well-defined:

if path.IsAbs(rPath) {
return osfs.New("/").OpenFile(rPath, flag, perm)
}

The relative-path fallback (wdFs = osfs.New("") in initRepo) is intentionally left rooted at "" so it keeps resolving against the process cwd.

Updated the unit test that asserted the broken behavior to instead assert that absolute-path opens succeed and read content back.

Verification

• Reproduced the failure, then confirmed sc secrets reveal reveals all secret files after the fix.
• Verified empirically: osfs.New("") → "chroot boundary crossed"; osfs.New("/") → opens correctly.
• go test ./pkg/api/git/... and ./pkg/api/secrets/... pass.

Impact

Restores key-by-path / ~/.ssh-style profile configs for all secrets operations. No behavior change for inline-key profiles or relative-path resolution.

[github-actions]

Semgrep Scan Results

Repository: api | Commit: c0d5586

Check	Status	Details
⚠️ Semgrep	Warning	1 warning(s), 1 total

Scanned at 2026-06-28 07:43 UTC

[github-actions]

Security Scan Results

Repository: api | Commit: c0d5586

Check	Status	Details
✅ Secret Scan	Pass	No secrets detected
✅ Dependencies (Trivy)	Pass	0 total (no critical/high)
✅ Dependencies (Grype)	Pass	0 total (no critical/high)
📦 SBOM	Generated	523 components (CycloneDX)

Scanned at 2026-06-28 07:43 UTC

[github-actions]

📊 Statement coverage

Measured on the documented included set (see docs/TESTING.md → Coverage scope). Observe-only — no regression gate is enforced yet.

Scope	This PR	main baseline	Δ
Included set (Gold-tier denominator)	90.3%	90.3%	+0.0 pp
Full set (whole repo, transparency)	27.9%	27.9%	+0.0 pp

Baseline: main @ 842404b