Fix relayfile-mount path-scope matching to preserve path case

[khaliqgant]

Context

Cloud proactive E2E exposed a relayfile-mount authorization bug on mixed-case GitHub paths. The mount daemon token can contain scopes like:

relayfile:fs:write:/github/repos/AgentWorkforce/cloud/issues/1227/*

internal/mountsync/syncer.go currently lowercases the entire scope string before parsing in scopeGrantsWrite, which also lowercases the path suffix. The requested file path remains case-preserved, for example:

/github/repos/AgentWorkforce/cloud/issues/1227/comments/create comment <uuid>.json

The case-sensitive prefix check then fails (agentworkforce vs AgentWorkforce), so relayfile-mount marks the file read-only and logs write denied, reverted even though the token scope should allow the write.

Fix

• Update write-scope parsing to lowercase only plane/resource/action. Preserve the path suffix case before comparing to requested paths.
• Check the read-scope equivalent for the same full-string lowercase pattern and fix it too if present.
• Add a regression test showing relayfile:fs:write:/github/repos/AgentWorkforce/cloud/issues/1227/* grants write to /github/repos/AgentWorkforce/cloud/issues/1227/comments/create comment.json.

Release note

This requires a relayfile-mount binary rebuild and the relevant sandbox snapshot rebake. Cloud is carrying a temporary mitigation by giving the daemon the broader provider-root token while keeping mounted paths narrow.