Address the SPEC-018 Phase 1 code review (reports/2026-06-03-spec018-review.md):

- Bug 2 (config.rs): stop agent_id churn on every restart. The embedded-config
path always wins in Config::load, so the saved agent_id was never read back.
Add Config::persisted_agent_id() and reuse a prior id from the TOML; only mint
a new UUID when none exists.
- Bug 1 (main.rs): remove the non-functional in-process fallback in
run_permanent_agent_managed. A managed agent's cak_ store is SYSTEM-only ACL'd,
so a non-elevated in-process run cannot authenticate (load_cak permission-denied,
or enroll C1 read-back failure). Return an actionable "install elevated" error
instead of pretending to provide an agent; update the misleading comments.
- Issue 6 (startup.rs): replace the fragile transmute::<HANDLE, HKEY> with the
windows crate's typed HKEY out-param; add SAFETY comments.

cargo check -p guruconnect --target x86_64-pc-windows-msvc passes clean.
Deferred lower-severity items tracked in #8.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>