[13.4-stable] newlog: sanitize non-Latin-1 chars in gzip header

[eriknordmark]

Description

Backport of #5977.

newlogd assigns the per-batch metadata header to gzip.Writer.Name (app logs,
holds the app's DisplayName) or Comment (device logs). Go's gzip writer
enforces RFC 1952's NUL-free ISO-8859-1 restriction on those fields, so the
operator-supplied DisplayName can contain bytes the writer refuses to emit
(CJK, emoji, smart quotes, extended-Latin glyphs like Łódź). The error
surfaces from gw.Write or gw.Close as log.Fatal, taking newlogd down;
the watchdog then reboots the device. After reboot the same collect file is
still on /persist, so the crash repeats — a reboot loop attributed to
"agent newlogd" with the signature
finalizeGzipToOutTempFile: cannot close filegzip.Write: non-Latin-1 header string.

Sanitize the header at the assignment site. Runes outside 0x01–0xFF are
rewritten to the literal text form of a Go Unicode escape (\uXXXX or
\UXXXXXXXX); valid Latin-1 (including 0x80–0xFF accented characters)
passes through unchanged. The substitution is reversible — cloud-side parsing
can recover the original DisplayName if desired. A one-shot warning is logged
when sanitization fires.

This branch predates the newlog: restructuring files in the package split
on master, so the sanitizer lives inline in pkg/newlog/cmd/newlogd.go next
to prepareGzipToOutTempFile, and the unit tests live in a new
pkg/newlog/cmd/sanitize_header_test.go. Functionally identical to #5977.

How to test and validate this PR

Deploy an app instance with a non-Latin-1 character in its DisplayName (e.g.
test-中-app). Watch newlogd in logread; with the fix it logs
prepareGzipToOutTempFile: header "test-中-app" contains non-Latin-1 characters; escaped to "test-中-app"
and rotates a gzip file under /persist/newlog/keepSentQueue/app.<uuid>.log.<ts>.gz
with Name="test-中-app". Without the fix, newlogd dies on the rotation
and the device reboots within ~60s with the signature above.

Latin-1-only DisplayNames (e.g. café-Ñandú) must pass through unchanged —
no warning, no escape.

Unit coverage: pkg/newlog/cmd/sanitize_header_test.go covers identity
behavior on Latin-1 input, the escape rules for runes outside Latin-1 and
NUL, the round-trip through gzip.Writer.Close, and pins the underlying
stdlib precondition.

End-to-end validation was performed on master before merge of #5977.

Changelog notes

Fixes a device reboot loop triggered when an app's DisplayName contains
non-Latin-1 characters.

PR Backports

• 14.5-stable: separate PR.
• 13.4-stable: this PR.

Checklist

• I've added a reference link to the original PR
• PR's title follows the template

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 32.66%. Comparing base (8077a3d) to head (24598c4).
⚠️ Report is 200 commits behind head on 13.4-stable.

Additional details and impacted files

@@               Coverage Diff               @@
##           13.4-stable    #5988      +/-   ##
===============================================
+ Coverage        24.78%   32.66%   +7.88%     
===============================================
  Files                8        9       +1     
  Lines             1138     1090      -48     
===============================================
+ Hits               282      356      +74     
+ Misses             788      654     -134     
- Partials            68       80      +12     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.