fix(canon): sweep runs with host PATH = Drone-runner env parity (DEFECT-3 git-lfs etc.)

The real timer fire redded gitea at the custom tier (git: 'lfs' is not a git command) — the
nightly-sweep writeShellApplication had a clean nix-only PATH, while Drone's recipe-CI runner runs
with PATH=/run/current-system/sw/bin:/run/wrappers/bin (where git-lfs + all host tooling live). My
manual sweeps used a login PATH that masked this. Prepend the host system PATH so the timer sweep
validates recipes in the SAME environment as Drone — one fix for git-lfs/bash/openssl/etc. parity.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

nix/modules/nightly-sweep.nix

@@ -26,6 +26,13 @@ let
       export HOME=/root
       export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright-driver.browsers}
       export PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1
+      # ENV PARITY with the Drone recipe-CI runner (canon DEFECT-3): the recipes + their tests shell
+      # out to host tooling (git-lfs for gitea, openssl, etc.). Drone's exec runner runs them with
+      # PATH=/run/current-system/sw/bin:/run/wrappers/bin; writeShellApplication otherwise gives a
+      # clean nix-only PATH, so the timer sweep silently lacked tools the recipes assume (a real fire
+      # caught git-lfs + bash gaps that manual ssh runs, with a login PATH, masked). Prepend the host
+      # system PATH so the sweep validates recipes in the SAME environment Drone does.
+      export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"
       # canon M1.4: read enrollment + run the harness from the deployed checkout (has tests/).
       export CCCI_REPO=/etc/cc-ci
       cd "$CCCI_REPO"