v0.43.0: rebuilt storage management (guided init/attach/eject on agent disk model)

Controller-only UI/orchestration over the agent's disk endpoints + StoragePath
registry. New: storage overview (data_bearing badges), guided init (format ->
resolve fs UUID -> assign -> register; data-bearing REFUSAL surfaces the
felhom-opsign command, no force-format), guided attach, eject (+deregister,
dependent-guest warning). agentapi: DiskInfo.DurableID/FSUUID + FormatResult.
PendingOp (parsed from the 403). Honest buttons (migrate disabled, no 404s).
Phase 3: removed dead CrossDrive blocks in deploy.html/backups.html.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

controller/internal/agentapi/client.go

@@ -186,6 +186,19 @@ type DiskInfo struct {
 	Class         string `json:"class"`
 	DataBearing   bool   `json:"data_bearing"`
 	DataReason    string `json:"data_reason"`
+	// DurableID is the target's stable identity (e.g. "uuid:<fs-uuid>" for usb/local-dir). The
+	// fs UUID (strip the "uuid:" prefix) is the key the controller passes to AssignDisk — it's the
+	// only way the de-privileged controller learns a mount key it cannot read off the device itself.
+	DurableID string `json:"durable_id"`
+}
+
+// FSUUID returns the raw filesystem UUID from a "uuid:<…>" DurableID, or "" if this disk's identity
+// is not a filesystem UUID (network/lvm targets — not assignable as a host mount).
+func (d DiskInfo) FSUUID() string {
+	if rest, ok := strings.CutPrefix(d.DurableID, "uuid:"); ok {
+		return rest
+	}
+	return ""
 }
 
 // DisksResponse mirrors GET /disks.
@@ -196,11 +209,26 @@ type DisksResponse struct {
 
 // FormatResult mirrors POST /disks/format (the success/refusal payload).
 type FormatResult struct {
-	VMID        int    `json:"vmid"`
-	Device      string `json:"device"`
-	Formatted   bool   `json:"formatted"`
-	DataBearing bool   `json:"data_bearing"`
-	Reason      string `json:"reason"`
+	VMID        int        `json:"vmid"`
+	Device      string     `json:"device"`
+	Formatted   bool       `json:"formatted"`
+	DataBearing bool       `json:"data_bearing"`
+	Reason      string     `json:"reason"`
+	PendingOp   *PendingOp `json:"pending_op,omitempty"`
+}
+
+// PendingOp mirrors the agent's bound destructive intent on a data-bearing refusal. The controller
+// surfaces the exact `felhom-opsign` command from it — it CANNOT complete a destructive format itself.
+type PendingOp struct {
+	Op        string `json:"op"`         // e.g. "storage_wipe"
+	HostScope string `json:"host_scope"` // the agent's host id (anti-retarget)
+	DurableID string `json:"durable_id"` // byid:…|byuuid:… — the device's stable identity
+	FSType    string `json:"fstype"`     // the filesystem to mkfs after the wipe
+}
+
+// OpsignCommand returns the literal command the operator must run offline to authorize the wipe.
+func (p PendingOp) OpsignCommand() string {
+	return fmt.Sprintf("felhom-opsign -op %s -host %s -durable-id %s", p.Op, p.HostScope, p.DurableID)
 }
 
 // ErrFormatRefused is returned by FormatDisk when the agent refuses a data-bearing format
@@ -253,20 +281,51 @@ func (c *Client) EjectDisk(ctx context.Context, where string) (EjectResult, erro
 // is irrelevant. Only a device the agent reads as blank is formatted.
 func (c *Client) FormatDisk(ctx context.Context, device, fstype string) (FormatResult, error) {
 	var out FormatResult
-	body, err := c.post(ctx, "/disks/format", map[string]string{"device": device, "fstype": fstype})
+	// Status-aware POST: the agent returns the FULL FormatResponse (incl. pending_op) even on the
+	// 403 refusal, so we must read the body on non-2xx rather than discarding it.
+	data, status, err := c.postWithStatus(ctx, "/disks/format", map[string]string{"device": device, "fstype": fstype})
 	if err != nil {
-		// A data-bearing refusal comes back as HTTP 403 (the post helper turns it into an error).
-		if strings.Contains(err.Error(), "HTTP 403") {
-			return FormatResult{Device: device, Formatted: false, DataBearing: true}, ErrFormatRefused
-		}
 		return out, err
 	}
-	if err := json.Unmarshal(body, &out); err != nil {
-		return out, fmt.Errorf("agentapi: decode /disks/format: %w", err)
+	// data is the envelope's {data:…} payload (present on both success and the 403 refusal).
+	if len(data) > 0 {
+		_ = json.Unmarshal(data, &out) // best-effort; fields default on a missing/partial body
+	}
+	if status == http.StatusForbidden || (out.DataBearing && !out.Formatted) {
+		out.DataBearing = true
+		out.Formatted = false
+		return out, ErrFormatRefused // carries PendingOp for the caller to surface the opsign command
 	}
 	return out, nil
 }
 
+// postWithStatus issues an authenticated JSON POST and returns the envelope's data payload + the HTTP
+// status, even on a non-2xx (so callers like FormatDisk can read a 403 refusal body). A transport or
+// envelope-parse failure is still an error; an `ok:false` business refusal is NOT (the data carries it).
+func (c *Client) postWithStatus(ctx context.Context, path string, body any) (json.RawMessage, int, error) {
+	buf, err := json.Marshal(body)
+	if err != nil {
+		return nil, 0, err
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.baseURL+path, bytes.NewReader(buf))
+	if err != nil {
+		return nil, 0, err
+	}
+	req.Header.Set("Authorization", "Bearer "+c.token)
+	req.Header.Set("Content-Type", "application/json")
+	resp, err := c.hc.Do(req)
+	if err != nil {
+		return nil, 0, fmt.Errorf("agentapi: POST %s: %w", path, err)
+	}
+	defer resp.Body.Close()
+	raw, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+	var env apiResponse
+	if err := json.Unmarshal(raw, &env); err != nil {
+		return nil, resp.StatusCode, fmt.Errorf("agentapi: POST %s: HTTP %d, bad envelope: %w", path, resp.StatusCode, err)
+	}
+	return env.Data, resp.StatusCode, nil
+}
+
 // ---- slice 9: host metrics (the customer host-health view) -------------------------------
 
 // HostMetrics mirrors the agent's GET /host/metrics `host` block (shared HostMetrics wire shape).