doctor: surface security-posture drift in banger doctor

`docs/privileges.md` now documents what the install promises (helper +
daemon services active, sockets at 0600 ownerUID, units carrying the
hardening directives, firecracker root-owned + non-writable). Doctor
verifies the running install matches: drift between the doc and the
filesystem would silently weaken the trust model otherwise.

In system mode (install.toml present):
  * helper service / owner daemon service: `systemctl is-active`.
  * helper socket / daemon socket: stat-and-compare mode + uid against
    the registered owner.
  * helper unit hardening / daemon unit hardening: scan the rendered
    unit for NoNewPrivileges, ProtectSystem=strict, ProtectHome
    (=yes for the helper, =read-only for the daemon), RestrictSUIDSGID,
    LockPersonality, and the helper's CapabilityBoundingSet line. The
    daemon unit also pins User=<registered owner>.
  * firecracker binary ownership: regular file, not a symlink, mode
    not group/world writable, executable, owned by uid 0 — same
    constraints validateRootExecutable enforces at launch, surfaced
    once at doctor time so a misconfigured binary fails fast with a
    clearer error than the helper's open-time rejection.

In non-system mode (no /etc/banger/install.toml) doctor emits a single
WARN row pointing at docs/privileges.md > 'Running outside the system
install'. A PASS would imply guarantees the install isn't actually
providing.

Tests cover both branches: the non-system warn pins its message
substrings; system-mode pins that every check name shows up; and the
helpers (socket-perms, unit-hardening, executable-ownership) have
direct table-style negative tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/daemon/doctor_test.go

@@ -107,6 +107,190 @@ func findCheck(report system.Report, name string) *system.CheckResult {
 	return nil
 }
 
+// TestDoctorReport_NonSystemModeEmitsSecurityWarn pins the non-
+// system-mode branch: when /etc/banger/install.toml is absent the
+// security-posture check must surface a warn that points at the
+// dev-mode caveat in docs/privileges.md. A pass row in this mode
+// would imply guarantees the install isn't actually providing.
+func TestDoctorReport_NonSystemModeEmitsSecurityWarn(t *testing.T) {
+	d := buildDoctorDaemon(t)
+	report := d.doctorReport(context.Background(), nil, false)
+
+	check := findCheck(report, "security posture")
+	if check == nil {
+		t.Fatal("security posture check missing from report")
+	}
+	if check.Status != system.CheckStatusWarn {
+		t.Fatalf("security posture status = %q, want warn", check.Status)
+	}
+	joined := strings.Join(check.Details, " ")
+	if !strings.Contains(joined, "outside the system install") {
+		t.Fatalf("warn details = %q, want mention of non-system mode", joined)
+	}
+	if !strings.Contains(joined, "docs/privileges.md") {
+		t.Fatalf("warn details = %q, want pointer to docs/privileges.md", joined)
+	}
+}
+
+func TestAddSocketPermsCheckRejectsWrongMode(t *testing.T) {
+	socketPath := filepath.Join(t.TempDir(), "fake.sock")
+	if err := os.WriteFile(socketPath, []byte{}, 0o644); err != nil {
+		t.Fatalf("write fake socket: %v", err)
+	}
+	report := system.Report{}
+	addSocketPermsCheck(&report, "test socket", socketPath, os.Getuid(), 0o600)
+	check := findCheck(report, "test socket")
+	if check == nil {
+		t.Fatal("expected test socket check")
+	}
+	if check.Status != system.CheckStatusFail {
+		t.Fatalf("status = %q, want fail when mode is 0644 vs 0600 expected", check.Status)
+	}
+	joined := strings.Join(check.Details, " ")
+	if !strings.Contains(joined, "mode is") {
+		t.Fatalf("details = %q, want mode-mismatch message", joined)
+	}
+}
+
+func TestAddSocketPermsCheckPassesWhenModeAndOwnerMatch(t *testing.T) {
+	socketPath := filepath.Join(t.TempDir(), "fake.sock")
+	if err := os.WriteFile(socketPath, []byte{}, 0o600); err != nil {
+		t.Fatalf("write fake socket: %v", err)
+	}
+	report := system.Report{}
+	addSocketPermsCheck(&report, "test socket", socketPath, os.Getuid(), 0o600)
+	check := findCheck(report, "test socket")
+	if check == nil {
+		t.Fatal("expected test socket check")
+	}
+	if check.Status != system.CheckStatusPass {
+		t.Fatalf("status = %q, want pass when mode + uid match; details = %v", check.Status, check.Details)
+	}
+}
+
+func TestAddUnitHardeningCheckFlagsMissingDirective(t *testing.T) {
+	unitPath := filepath.Join(t.TempDir(), "bangerd.service")
+	if err := os.WriteFile(unitPath, []byte("[Service]\nUser=alice\nProtectSystem=strict\n"), 0o644); err != nil {
+		t.Fatalf("write unit: %v", err)
+	}
+	report := system.Report{}
+	addUnitHardeningCheck(&report, "unit hardening", unitPath, []string{"User=alice", "NoNewPrivileges=yes", "ProtectSystem=strict"})
+	check := findCheck(report, "unit hardening")
+	if check == nil {
+		t.Fatal("expected unit hardening check")
+	}
+	if check.Status != system.CheckStatusFail {
+		t.Fatalf("status = %q, want fail when NoNewPrivileges is missing", check.Status)
+	}
+	joined := strings.Join(check.Details, " ")
+	if !strings.Contains(joined, "NoNewPrivileges=yes") {
+		t.Fatalf("details = %q, want mention of the missing directive", joined)
+	}
+}
+
+func TestAddUnitHardeningCheckPassesWhenAllPresent(t *testing.T) {
+	unitPath := filepath.Join(t.TempDir(), "bangerd-root.service")
+	body := "[Service]\nNoNewPrivileges=yes\nProtectSystem=strict\nProtectHome=yes\nCapabilityBoundingSet=CAP_CHOWN\n"
+	if err := os.WriteFile(unitPath, []byte(body), 0o644); err != nil {
+		t.Fatalf("write unit: %v", err)
+	}
+	report := system.Report{}
+	addUnitHardeningCheck(&report, "unit hardening", unitPath, []string{"NoNewPrivileges=yes", "ProtectSystem=strict", "CapabilityBoundingSet="})
+	check := findCheck(report, "unit hardening")
+	if check == nil {
+		t.Fatal("expected unit hardening check")
+	}
+	if check.Status != system.CheckStatusPass {
+		t.Fatalf("status = %q, want pass when every directive is present; details = %v", check.Status, check.Details)
+	}
+}
+
+func TestAddExecutableOwnershipCheckRejectsSymlink(t *testing.T) {
+	dir := t.TempDir()
+	real := filepath.Join(dir, "fc")
+	if err := os.WriteFile(real, []byte{}, 0o755); err != nil {
+		t.Fatalf("write fc: %v", err)
+	}
+	link := filepath.Join(dir, "fc-symlink")
+	if err := os.Symlink(real, link); err != nil {
+		t.Fatalf("symlink: %v", err)
+	}
+	report := system.Report{}
+	addExecutableOwnershipCheck(&report, "fc binary", link)
+	check := findCheck(report, "fc binary")
+	if check == nil {
+		t.Fatal("expected fc binary check")
+	}
+	if check.Status != system.CheckStatusFail {
+		t.Fatalf("status = %q, want fail for symlinked binary", check.Status)
+	}
+	joined := strings.Join(check.Details, " ")
+	if !strings.Contains(joined, "symlink") {
+		t.Fatalf("details = %q, want symlink rejection message", joined)
+	}
+}
+
+func TestAddExecutableOwnershipCheckRejectsGroupWritable(t *testing.T) {
+	if os.Getuid() == 0 {
+		t.Skip("test runs as root; can't construct a non-root-owned check target meaningfully")
+	}
+	path := filepath.Join(t.TempDir(), "fc")
+	if err := os.WriteFile(path, []byte{}, 0o775); err != nil {
+		t.Fatalf("write fc: %v", err)
+	}
+	report := system.Report{}
+	addExecutableOwnershipCheck(&report, "fc binary", path)
+	check := findCheck(report, "fc binary")
+	if check == nil {
+		t.Fatal("expected fc binary check")
+	}
+	if check.Status != system.CheckStatusFail {
+		t.Fatalf("status = %q, want fail when binary is group/world writable", check.Status)
+	}
+}
+
+// TestDoctorReport_SystemModeRunsAllSecurityChecks pins the system-mode
+// branch end-to-end: with a fake install.toml + fake systemd dir it
+// must contribute every security row (services, sockets, unit
+// hardening, fc ownership). Statuses themselves vary because we can't
+// easily fake root-owned files in a test, but every check name must
+// appear so a future refactor can't silently drop one.
+func TestDoctorReport_SystemModeRunsAllSecurityChecks(t *testing.T) {
+	d := buildDoctorDaemon(t)
+
+	installDir := t.TempDir()
+	installPath := filepath.Join(installDir, "install.toml")
+	if err := os.WriteFile(installPath, []byte("owner_user = \"alice\"\nowner_uid = 1000\nowner_gid = 1000\nowner_home = \"/home/alice\"\ninstalled_at = 2026-04-28T00:00:00Z\n"), 0o644); err != nil {
+		t.Fatalf("write install.toml: %v", err)
+	}
+	systemdDir := t.TempDir()
+	for _, svc := range []string{"bangerd.service", "bangerd-root.service"} {
+		if err := os.WriteFile(filepath.Join(systemdDir, svc), []byte(""), 0o644); err != nil {
+			t.Fatalf("write fake unit %s: %v", svc, err)
+		}
+	}
+
+	report := system.Report{}
+	d.addSecurityPostureChecksAt(context.Background(), &report, installPath, systemdDir)
+
+	for _, name := range []string{
+		"helper service",
+		"owner daemon service",
+		"helper socket",
+		"daemon socket",
+		"helper unit hardening",
+		"daemon unit hardening",
+		"firecracker binary ownership",
+	} {
+		if findCheck(report, name) == nil {
+			t.Errorf("system-mode security check %q missing from report", name)
+		}
+	}
+	if findCheck(report, "security posture") != nil {
+		t.Error("system mode should NOT emit the non-system-mode warn")
+	}
+}
+
 func TestDoctorReport_StoreErrorSurfacesAsFail(t *testing.T) {
 	d := buildDoctorDaemon(t)
 	report := d.doctorReport(context.Background(), errors.New("simulated open failure"), false)