Add USER, COPY, ENV persistence to template build system

Implement three new recipe commands for the admin template builder:

- USER <name>: creates the user (adduser + passwordless sudo), switches
  execution context so subsequent RUN/START commands run as that user
  via su wrapping. Last USER becomes the template's default_user.

- COPY <src> <dst>: copies files from an uploaded build archive
  (tar/tar.gz/zip) into the sandbox. Source paths validated against
  traversal. Ownership set to the current USER.

- ENV persistence: accumulated env vars stored in templates.default_env
  (JSONB) and injected via PostInit when sandboxes are created from the
  template, mirroring Docker's image metadata approach.

Supporting changes:
- Pre-build creates wrenn-user as default (via USER command)
- WORKDIR now creates the directory if it doesn't exist (mkdir -p)
- Per-step progress updates (ProgressFunc callback) for live UI
- Multipart form support on POST /v1/admin/builds for archive upload
- Proto: default_user/default_env fields on Create/ResumeSandboxRequest
- Host agent: SetDefaults calls PostInitWithDefaults on envd
- Control plane: reads template defaults, passes on sandbox create/resume
- Frontend: file upload widget, recipe copy button, keyword colors for
  USER/COPY, fixed Svelte whitespace stripping in step display
- Admin panel defaults to /admin/templates instead of /admin/hosts
- Migration adds default_user and default_env to templates and
  template_builds tables

frontend/src/lib/api/builds.ts

@@ -1,4 +1,4 @@
-import { apiFetch, type ApiResult } from '$lib/api/client';
+import { apiFetch, apiFetchMultipart, type ApiResult } from '$lib/api/client';
 
 export type BuildLogEntry = {
 	step: number;
@@ -26,6 +26,8 @@ export type Build = {
 	error?: string;
 	sandbox_id?: string;
 	host_id?: string;
+	default_user: string;
+	default_env: Record<string, string>;
 	created_at: string;
 	started_at?: string;
 	completed_at?: string;
@@ -39,9 +41,18 @@ export type CreateBuildParams = {
 	vcpus?: number;
 	memory_mb?: number;
 	skip_pre_post?: boolean;
+	archive?: File;
 };
 
 export async function createBuild(params: CreateBuildParams): Promise<ApiResult<Build>> {
+	if (params.archive) {
+		// Use multipart when an archive file is provided.
+		const { archive, ...config } = params;
+		const formData = new FormData();
+		formData.append('config', JSON.stringify(config));
+		formData.append('archive', archive);
+		return apiFetchMultipart('POST', '/api/v1/admin/builds', formData);
+	}
 	return apiFetch('POST', '/api/v1/admin/builds', params);
 }
 

frontend/src/lib/api/client.ts

@@ -22,3 +22,24 @@ export async function apiFetch<T>(method: string, path: string, body?: unknown):
 		return { ok: false, error: 'Unable to connect to the server' };
 	}
 }
+
+export async function apiFetchMultipart<T>(method: string, path: string, formData: FormData): Promise<ApiResult<T>> {
+	try {
+		const headers: Record<string, string> = {};
+		if (auth.token) headers['Authorization'] = `Bearer ${auth.token}`;
+
+		const res = await fetch(path, {
+			method,
+			headers,
+			body: formData
+		});
+
+		if (res.status === 204) return { ok: true, data: undefined as T };
+
+		const data = await res.json();
+		if (!res.ok) return { ok: false, error: data?.error?.message ?? 'Something went wrong' };
+		return { ok: true, data: data as T };
+	} catch {
+		return { ok: false, error: 'Unable to connect to the server' };
+	}
+}

frontend/src/lib/components/AdminSidebar.svelte

@@ -22,8 +22,8 @@
 	};
 
 	const managementItems: NavItem[] = [
-		{ label: 'Hosts', icon: IconServer, href: '/admin/hosts' },
-		{ label: 'Templates', icon: IconTemplate, href: '/admin/templates' }
+		{ label: 'Templates', icon: IconTemplate, href: '/admin/templates' },
+		{ label: 'Hosts', icon: IconServer, href: '/admin/hosts' }
 	];
 
 	function isActive(href: string): boolean {