daemon: rewrite ensureWorkDisk no-seed path to skip the mount + cp

The no-seed branch used to mount the base rootfs read-only, mount
the freshly mkfs'd work disk read-write, sudo-cp /root from one to
the other, then flatten any accidental /root/root/ nesting. Five
sudo call sites packed into a fallback that the common image path
doesn't even exercise.

Replace with: `mkfs.ext4 -F -E root_owner=0:0` and nothing else.
mkfs already stamps inode 2 as root:root:0755 — sshd's StrictModes
walks that dir's ownership when the work disk mounts at /root in
the guest, so getting it right from mkfs means authsync can just
write authorized_keys without any repair pass.

Tradeoff: no-seed VMs lose the base rootfs's default /root dotfiles
(.bashrc, .profile). The no-seed path is explicitly the degraded
fallback — `banger doctor` already warns about it — and users who
want those back have two documented knobs: rebuild the image with
a work-seed, or land them via [[file_sync]].

Sudo call sites removed: 5 (MountTempDir × 2, sudo cp -a,
flattenNestedWorkHome's chmod/cp/rm). flattenNestedWorkHome itself
stays alive for now — authsync + image_seed still call it — and
gets deleted in commit 5 once its last caller goes away.

While here: fix the freshly-added EnsureExt4RootPerms helper.
`set_inode_field <2> mode N` overwrites the full i_mode word
instead of preserving the type nibble, so the initial
implementation that passed just the permission bits (0755) would
reset the fs root to regular-file shape and break the next kernel
mount with "Structure needs cleaning." The corrected call OR's in
S_IFDIR (0o040000) explicitly. Test updated to match.

Smoke: 21/21 scenarios green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/daemon/vm_disk.go

@@ -110,32 +110,26 @@ func (s *VMService) ensureWorkDisk(ctx context.Context, vm *model.VMRecord, imag
 		}
 		return workDiskPreparation{ClonedFromSeed: true}, nil
 	}
+	// No seed: build an empty work disk. `-E root_owner=0:0` stamps
+	// inode 2 (the fs root, which becomes /root inside the guest) as
+	// root:root:0755 up front. sshd's StrictModes walks that dir's
+	// ownership and mode, so getting it right from mkfs means the
+	// authsync step can just write authorized_keys without any
+	// repair pass.
+	//
+	// Unlike the pre-refactor flow there is no "copy /root from the
+	// base rootfs" step. The no-seed path is the degraded fallback
+	// (the common case has a work-seed artifact and hits the branch
+	// above). Dropping the copy eliminates 4 sudo call sites — mount
+	// base ro, mount work rw, sudo cp -a, flattenNestedWorkHome —
+	// at the cost of losing default distro dotfiles on no-seed VMs.
+	// Users who need those should either rebuild the image with a
+	// work-seed (the documented path) or land them via [[file_sync]].
 	vmCreateStage(ctx, "prepare_work_disk", "creating empty work disk")
 	if _, err := s.runner.Run(ctx, "truncate", "-s", strconv.FormatInt(vm.Spec.WorkDiskSizeBytes, 10), vm.Runtime.WorkDiskPath); err != nil {
 		return workDiskPreparation{}, err
 	}
-	if _, err := s.runner.Run(ctx, "mkfs.ext4", "-F", vm.Runtime.WorkDiskPath); err != nil {
-		return workDiskPreparation{}, err
-	}
-	dmDev := s.vmHandles(vm.ID).DMDev
-	if dmDev == "" {
-		return workDiskPreparation{}, fmt.Errorf("vm %q: DM device not in handle cache", vm.ID)
-	}
-	rootMount, cleanupRoot, err := system.MountTempDir(ctx, s.runner, dmDev, true)
-	if err != nil {
-		return workDiskPreparation{}, err
-	}
-	defer cleanupRoot()
-	workMount, cleanupWork, err := system.MountTempDir(ctx, s.runner, vm.Runtime.WorkDiskPath, false)
-	if err != nil {
-		return workDiskPreparation{}, err
-	}
-	defer cleanupWork()
-	vmCreateStage(ctx, "prepare_work_disk", "copying /root into work disk")
-	if err := system.CopyDirContents(ctx, s.runner, filepath.Join(rootMount, "root"), workMount, true); err != nil {
-		return workDiskPreparation{}, err
-	}
-	if err := flattenNestedWorkHome(ctx, s.runner, workMount); err != nil {
+	if _, err := s.runner.Run(ctx, "mkfs.ext4", "-F", "-E", "root_owner=0:0", vm.Runtime.WorkDiskPath); err != nil {
 		return workDiskPreparation{}, err
 	}
 	return workDiskPreparation{}, nil