Switch to fetched runtime bundles

Stop treating Firecracker, kernels, modules, and guest images as tracked source files. Source checkouts now resolve runtime assets from ./runtime, while installed binaries keep using ../lib/banger.

Add a small runtimebundle helper plus runtime-bundle.toml so make can bootstrap, package, and install a runtime bundle with checksum validation. Update the shell helpers and daemon path hints to fail clearly when the bundle is missing instead of assuming repo-root artifacts.

This removes the tracked runtime blobs from HEAD in favor of an ignored local runtime/ tree. Verified with go test ./..., make build, bash -n on the shell helpers, make -n install, and a temporary package/fetch smoke test. The manifest URL/SHA still need a published bundle before fresh clones can bootstrap, and history rewrite remains a separate rollout step.

runtime-bundle.toml

@@ -0,0 +1,20 @@
+# Update `url` and `sha256` to the published runtime bundle before using
+# `make runtime-bundle` in a fresh checkout.
+version = "v0"
+url = ""
+sha256 = ""
+bundle_root = "runtime"
+required_paths = [
+  "firecracker",
+  "customize.sh",
+  "dns.sh",
+  "packages.sh",
+  "nat.sh",
+  "namegen",
+  "packages.apt",
+  "id_ed25519",
+  "rootfs-docker.ext4",
+  "wtf/root/boot/vmlinux-6.8.0-94-generic",
+  "wtf/root/boot/initrd.img-6.8.0-94-generic",
+  "wtf/root/lib/modules/6.8.0-94-generic",
+]