Add experimental Void guest workflow and vsock agent

Make iterating on a Firecracker-friendly Void guest practical without replacing the Debian default image path.

Add local Void rootfs build/register/verify plumbing, a language-agnostic dev package baseline, and guest SSH/work-disk hardening so new images use the runtime bundle key, keep a normal root bash environment, and repair stale nested /root layouts on restart.

Replace the guest PING/PONG responder with an HTTP /healthz agent over vsock, rename the runtime bundle and config surface from ping helper to agent while still accepting the legacy keys, and route the post-SSH reminder through the new vm.health path.

Validated with GOCACHE=/tmp/banger-gocache go test ./..., make build, bash -n customize.sh make-rootfs-void.sh, and git diff --check.

internal/runtimebundle/bundle_test.go

@@ -20,7 +20,7 @@ func TestBootstrapExtractsBundleAndValidatesChecksum(t *testing.T) {
 		"runtime/firecracker":                                       "fc",
 		"runtime/id_ed25519":                                        "key",
 		"runtime/namegen":                                           "namegen",
-		"runtime/banger-vsock-pingd":                                "pingd",
+		"runtime/banger-vsock-agent":                                "agent",
 		"runtime/customize.sh":                                      "#!/bin/bash\n",
 		"runtime/packages.sh":                                       "#!/bin/bash\n",
 		"runtime/packages.apt":                                      "vim\n",
@@ -28,7 +28,7 @@ func TestBootstrapExtractsBundleAndValidatesChecksum(t *testing.T) {
 		"runtime/wtf/root/boot/vmlinux-6.8.0-94-generic":            "kernel",
 		"runtime/wtf/root/boot/initrd.img-6.8.0-94-generic":         "initrd",
 		"runtime/wtf/root/lib/modules/6.8.0-94-generic/modules.dep": "dep",
-		"runtime/bundle.json":                                       mustJSON(t, BundleMetadata{FirecrackerBin: "firecracker", SSHKeyPath: "id_ed25519", NamegenPath: "namegen", CustomizeScript: "customize.sh", VSockPingHelperPath: "banger-vsock-pingd", DefaultPackages: "packages.apt", DefaultRootfs: "rootfs-docker.ext4", DefaultKernel: "wtf/root/boot/vmlinux-6.8.0-94-generic", DefaultInitrd: "wtf/root/boot/initrd.img-6.8.0-94-generic", DefaultModulesDir: "wtf/root/lib/modules/6.8.0-94-generic"}),
+		"runtime/bundle.json":                                       mustJSON(t, BundleMetadata{FirecrackerBin: "firecracker", SSHKeyPath: "id_ed25519", NamegenPath: "namegen", CustomizeScript: "customize.sh", VSockAgentPath: "banger-vsock-agent", DefaultPackages: "packages.apt", DefaultRootfs: "rootfs-docker.ext4", DefaultKernel: "wtf/root/boot/vmlinux-6.8.0-94-generic", DefaultInitrd: "wtf/root/boot/initrd.img-6.8.0-94-generic", DefaultModulesDir: "wtf/root/lib/modules/6.8.0-94-generic"}),
 	})
 	archivePath := filepath.Join(manifestDir, "bundle.tar.gz")
 	if err := os.WriteFile(archivePath, bundleData, 0o644); err != nil {
@@ -39,7 +39,7 @@ func TestBootstrapExtractsBundleAndValidatesChecksum(t *testing.T) {
 		URL:           "./bundle.tar.gz",
 		SHA256:        sha256Hex(bundleData),
 		BundleRoot:    "runtime",
-		RequiredPaths: []string{"firecracker", "banger-vsock-pingd", "customize.sh", "packages.apt", "rootfs-docker.ext4", "wtf/root/boot/vmlinux-6.8.0-94-generic", "wtf/root/lib/modules/6.8.0-94-generic"},
+		RequiredPaths: []string{"firecracker", "banger-vsock-agent", "customize.sh", "packages.apt", "rootfs-docker.ext4", "wtf/root/boot/vmlinux-6.8.0-94-generic", "wtf/root/lib/modules/6.8.0-94-generic"},
 	}
 	outDir := filepath.Join(t.TempDir(), "runtime")
 	if err := Bootstrap(context.Background(), manifest, filepath.Join(manifestDir, "runtime-bundle.toml"), outDir); err != nil {
@@ -100,7 +100,7 @@ func TestPackageWritesArchive(t *testing.T) {
 		"firecracker",
 		"id_ed25519",
 		"namegen",
-		"banger-vsock-pingd",
+		"banger-vsock-agent",
 		"customize.sh",
 		"packages.apt",
 		"rootfs-docker.ext4",
@@ -128,22 +128,22 @@ func TestPackageWritesArchive(t *testing.T) {
 	manifest := Manifest{
 		BundleRoot: "runtime",
 		BundleMeta: BundleMetadata{
-			FirecrackerBin:      "firecracker",
-			SSHKeyPath:          "id_ed25519",
-			NamegenPath:         "namegen",
-			CustomizeScript:     "customize.sh",
-			VSockPingHelperPath: "banger-vsock-pingd",
-			DefaultPackages:     "packages.apt",
-			DefaultRootfs:       "rootfs-docker.ext4",
-			DefaultKernel:       "wtf/root/boot/vmlinux-6.8.0-94-generic",
-			DefaultInitrd:       "wtf/root/boot/initrd.img-6.8.0-94-generic",
-			DefaultModulesDir:   "wtf/root/lib/modules/6.8.0-94-generic",
+			FirecrackerBin:    "firecracker",
+			SSHKeyPath:        "id_ed25519",
+			NamegenPath:       "namegen",
+			CustomizeScript:   "customize.sh",
+			VSockAgentPath:    "banger-vsock-agent",
+			DefaultPackages:   "packages.apt",
+			DefaultRootfs:     "rootfs-docker.ext4",
+			DefaultKernel:     "wtf/root/boot/vmlinux-6.8.0-94-generic",
+			DefaultInitrd:     "wtf/root/boot/initrd.img-6.8.0-94-generic",
+			DefaultModulesDir: "wtf/root/lib/modules/6.8.0-94-generic",
 		},
 		RequiredPaths: []string{
 			"firecracker",
 			"id_ed25519",
 			"namegen",
-			"banger-vsock-pingd",
+			"banger-vsock-agent",
 			"customize.sh",
 			"packages.apt",
 			"rootfs-docker.ext4",
@@ -186,7 +186,36 @@ func TestPackageWritesArchive(t *testing.T) {
 
 func TestLoadBundleMetadataRejectsMissingRequiredPath(t *testing.T) {
 	runtimeDir := t.TempDir()
-	for _, rel := range []string{"firecracker", "id_ed25519", "namegen", "banger-vsock-pingd", "customize.sh", "packages.apt", "rootfs-docker.ext4"} {
+	for _, rel := range []string{"firecracker", "id_ed25519", "namegen", "banger-vsock-agent", "customize.sh", "packages.apt", "rootfs-docker.ext4"} {
+		path := filepath.Join(runtimeDir, rel)
+		if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
+			t.Fatalf("MkdirAll: %v", err)
+		}
+		if err := os.WriteFile(path, []byte(rel), 0o644); err != nil {
+			t.Fatalf("WriteFile: %v", err)
+		}
+	}
+	data := mustJSON(t, BundleMetadata{
+		FirecrackerBin:  "firecracker",
+		SSHKeyPath:      "id_ed25519",
+		NamegenPath:     "namegen",
+		CustomizeScript: "customize.sh",
+		VSockAgentPath:  "banger-vsock-agent",
+		DefaultPackages: "packages.apt",
+		DefaultRootfs:   "rootfs-docker.ext4",
+		DefaultKernel:   "missing-kernel",
+	})
+	if err := os.WriteFile(filepath.Join(runtimeDir, BundleMetadataFile), []byte(data), 0o644); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+	if _, err := LoadBundleMetadata(runtimeDir); err == nil || !strings.Contains(err.Error(), "default_kernel") {
+		t.Fatalf("LoadBundleMetadata() error = %v, want default_kernel failure", err)
+	}
+}
+
+func TestLoadBundleMetadataAcceptsLegacyVsockPingHelperPath(t *testing.T) {
+	runtimeDir := t.TempDir()
+	for _, rel := range []string{"firecracker", "id_ed25519", "namegen", "banger-vsock-pingd", "customize.sh", "packages.apt", "rootfs-docker.ext4", "wtf/root/boot/vmlinux-6.8.0-94-generic"} {
 		path := filepath.Join(runtimeDir, rel)
 		if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
 			t.Fatalf("MkdirAll: %v", err)
@@ -203,13 +232,17 @@ func TestLoadBundleMetadataRejectsMissingRequiredPath(t *testing.T) {
 		VSockPingHelperPath: "banger-vsock-pingd",
 		DefaultPackages:     "packages.apt",
 		DefaultRootfs:       "rootfs-docker.ext4",
-		DefaultKernel:       "missing-kernel",
+		DefaultKernel:       "wtf/root/boot/vmlinux-6.8.0-94-generic",
 	})
 	if err := os.WriteFile(filepath.Join(runtimeDir, BundleMetadataFile), []byte(data), 0o644); err != nil {
 		t.Fatalf("WriteFile: %v", err)
 	}
-	if _, err := LoadBundleMetadata(runtimeDir); err == nil || !strings.Contains(err.Error(), "default_kernel") {
-		t.Fatalf("LoadBundleMetadata() error = %v, want default_kernel failure", err)
+	meta, err := LoadBundleMetadata(runtimeDir)
+	if err != nil {
+		t.Fatalf("LoadBundleMetadata: %v", err)
+	}
+	if meta.VSockAgentPath != "banger-vsock-pingd" {
+		t.Fatalf("VSockAgentPath = %q", meta.VSockAgentPath)
 	}
 }