Add experimental Void guest workflow and vsock agent

Make iterating on a Firecracker-friendly Void guest practical without replacing the Debian default image path.

Add local Void rootfs build/register/verify plumbing, a language-agnostic dev package baseline, and guest SSH/work-disk hardening so new images use the runtime bundle key, keep a normal root bash environment, and repair stale nested /root layouts on restart.

Replace the guest PING/PONG responder with an HTTP /healthz agent over vsock, rename the runtime bundle and config surface from ping helper to agent while still accepting the legacy keys, and route the post-SSH reminder through the new vm.health path.

Validated with GOCACHE=/tmp/banger-gocache go test ./..., make build, bash -n customize.sh make-rootfs-void.sh, and git diff --check.

internal/runtimebundle/bundle.go

@@ -34,7 +34,8 @@ type BundleMetadata struct {
 	SSHKeyPath          string `json:"ssh_key_path" toml:"ssh_key_path"`
 	NamegenPath         string `json:"namegen_path" toml:"namegen_path"`
 	CustomizeScript     string `json:"customize_script" toml:"customize_script"`
-	VSockPingHelperPath string `json:"vsock_ping_helper_path" toml:"vsock_ping_helper_path"`
+	VSockAgentPath      string `json:"vsock_agent_path,omitempty" toml:"vsock_agent_path"`
+	VSockPingHelperPath string `json:"vsock_ping_helper_path,omitempty" toml:"vsock_ping_helper_path"`
 	DefaultPackages     string `json:"default_packages_file" toml:"default_packages_file"`
 	DefaultRootfs       string `json:"default_rootfs" toml:"default_rootfs"`
 	DefaultBaseRootfs   string `json:"default_base_rootfs,omitempty" toml:"default_base_rootfs"`
@@ -211,7 +212,7 @@ func validateBundleMetadata(runtimeDir string, meta BundleMetadata) error {
 		{meta.SSHKeyPath, "ssh_key_path"},
 		{meta.NamegenPath, "namegen_path"},
 		{meta.CustomizeScript, "customize_script"},
-		{meta.VSockPingHelperPath, "vsock_ping_helper_path"},
+		{meta.VSockAgentPath, "vsock_agent_path"},
 		{meta.DefaultPackages, "default_packages_file"},
 		{meta.DefaultRootfs, "default_rootfs"},
 		{meta.DefaultKernel, "default_kernel"},
@@ -230,7 +231,7 @@ func validateBundleMetadata(runtimeDir string, meta BundleMetadata) error {
 		{meta.SSHKeyPath, "ssh_key_path", true},
 		{meta.NamegenPath, "namegen_path", true},
 		{meta.CustomizeScript, "customize_script", true},
-		{meta.VSockPingHelperPath, "vsock_ping_helper_path", true},
+		{meta.VSockAgentPath, "vsock_agent_path", true},
 		{meta.DefaultPackages, "default_packages_file", true},
 		{meta.DefaultRootfs, "default_rootfs", true},
 		{meta.DefaultBaseRootfs, "default_base_rootfs", false},
@@ -269,7 +270,7 @@ func metadataArchiveBytes(runtimeDir string, meta BundleMetadata) ([]byte, error
 		strings.TrimSpace(meta.SSHKeyPath) == "" &&
 		strings.TrimSpace(meta.NamegenPath) == "" &&
 		strings.TrimSpace(meta.CustomizeScript) == "" &&
-		strings.TrimSpace(meta.VSockPingHelperPath) == "" &&
+		strings.TrimSpace(meta.VSockAgentPath) == "" &&
 		strings.TrimSpace(meta.DefaultPackages) == "" &&
 		strings.TrimSpace(meta.DefaultRootfs) == "" &&
 		strings.TrimSpace(meta.DefaultBaseRootfs) == "" &&
@@ -290,7 +291,11 @@ func normalizeBundleMetadata(meta BundleMetadata) BundleMetadata {
 	meta.SSHKeyPath = strings.TrimSpace(meta.SSHKeyPath)
 	meta.NamegenPath = strings.TrimSpace(meta.NamegenPath)
 	meta.CustomizeScript = strings.TrimSpace(meta.CustomizeScript)
+	meta.VSockAgentPath = strings.TrimSpace(meta.VSockAgentPath)
 	meta.VSockPingHelperPath = strings.TrimSpace(meta.VSockPingHelperPath)
+	if meta.VSockAgentPath == "" {
+		meta.VSockAgentPath = meta.VSockPingHelperPath
+	}
 	meta.DefaultPackages = strings.TrimSpace(meta.DefaultPackages)
 	meta.DefaultRootfs = strings.TrimSpace(meta.DefaultRootfs)
 	meta.DefaultBaseRootfs = strings.TrimSpace(meta.DefaultBaseRootfs)