imagecat: catalog + fetch for banger image bundles

New package mirroring `kernelcat`: catalog + SHA256-verified HTTP
fetch of `.tar.zst` bundles that contain rootfs.ext4 + manifest.json.
Mounted empty (version:1, entries:[]) so nothing is pullable via the
bundle path yet; wiring into `banger image pull` lands in a later
phase.

- catalog.go: Catalog/CatEntry, LoadEmbedded, ParseCatalog, Lookup,
  ValidateName.
- fetch.go: Fetch(ctx, client, destDir, entry) downloads the bundle,
  verifies sha256, extracts exactly rootfs.ext4 and manifest.json
  into destDir, returns the parsed manifest. Rejects unexpected tar
  entries, unsafe paths, non-regular files, and cleans up partial
  writes on failure.
- Thirteen unit tests (happy path + every failure mode).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

This commit is contained in:

Thales Maciel

2026-04-17 15:11:52 -03:00

parent da471b0640

commit 3d9ae624b1

No known key found for this signature in database

GPG key ID: 33112E6833C34679

5 changed files with 597 additions and 0 deletions

									
										4

internal/imagecat/catalog.json
									
										Normal file
									
										View file
										
				@ -0,0 +1,4 @@

				{

				  "version": 1,

				  "entries": []

				}

Rows
Columns

imagecat: catalog + fetch for banger image bundles

4 internal/imagecat/catalog.json Normal file Unescape Escape View file

4

internal/imagecat/catalog.json Normal file

View file