Remove runtime-bundle image dependencies

Hard-cut banger away from source-checkout runtime bundles as an implicit source of\nimage and host defaults. Managed images now own their full boot set,\nimage build starts from an existing registered image, and daemon startup\nno longer synthesizes a default image from host paths.\n\nResolve Firecracker from PATH or firecracker_bin, make SSH keys config-owned\nwith an auto-managed XDG default, replace the external name generator and\npackage manifests with Go code, and keep the vsock helper as a companion\nbinary instead of a user-managed runtime asset.\n\nUpdate the manual scripts, web/CLI forms, config surface, and docs around\nthe new build/manual flow and explicit image registration semantics.\n\nValidation: GOCACHE=/tmp/banger-gocache go test ./..., bash -n scripts/*.sh,\nand make build.
2026-03-21 18:34:53 -03:00 · 2026-03-21 18:34:53 -03:00 · 572bf32424
commit 572bf32424
parent 01c7cb5e65
44 changed files with 1194 additions and 3456 deletions
--- a/scripts/customize.sh
+++ b/scripts/customize.sh
@ -31,49 +31,10 @@ parse_size() {

 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-DEFAULT_RUNTIME_DIR="$REPO_ROOT/build/runtime"
-if [[ ! -d "$DEFAULT_RUNTIME_DIR" && -d "$REPO_ROOT/runtime" ]]; then
-  DEFAULT_RUNTIME_DIR="$REPO_ROOT/runtime"
-fi
-RUNTIME_DIR="${BANGER_RUNTIME_DIR:-$DEFAULT_RUNTIME_DIR}"
-if [[ ! -d "$RUNTIME_DIR" ]]; then
-  log "runtime bundle not found: $RUNTIME_DIR"
-  log "run 'make runtime-bundle' or set BANGER_RUNTIME_DIR"
-  exit 1
-fi
-source "$SCRIPT_DIR/lib/packages.sh"
 STATE="${BANGER_STATE_DIR:-${XDG_STATE_HOME:-$HOME/.local/state}/banger/image-build}"
 VM_ROOT="$STATE/vms"
 mkdir -p "$VM_ROOT"

-BUNDLE_METADATA="$RUNTIME_DIR/bundle.json"
-
-bundle_path() {
-  local key="$1"
-  local fallback="$2"
-  local rel=""
-
-  if [[ -f "$BUNDLE_METADATA" ]] && command -v jq >/dev/null 2>&1; then
-    rel="$(jq -r --arg key "$key" '.[$key] // empty' "$BUNDLE_METADATA" 2>/dev/null || true)"
-  fi
-  if [[ -n "$rel" && "$rel" != "null" ]]; then
-    printf '%s\n' "$RUNTIME_DIR/$rel"
-    return
-  fi
-  printf '%s\n' "$fallback"
-}
-
-BASE_ROOTFS="$RUNTIME_DIR/rootfs.ext4"
-FC_BIN="$RUNTIME_DIR/firecracker"
-
-KERNEL="$(bundle_path default_kernel "$RUNTIME_DIR/wtf/root/boot/vmlinux-6.8.0-94-generic")"
-INITRD="$(bundle_path default_initrd "$RUNTIME_DIR/wtf/root/boot/initrd.img-6.8.0-94-generic")"
-SSH_KEY="$RUNTIME_DIR/id_ed25519"
-VSOCK_AGENT="$(bundle_path vsock_agent_path "$RUNTIME_DIR/banger-vsock-agent")"
-if [[ "$VSOCK_AGENT" == "$RUNTIME_DIR/banger-vsock-agent" && ! -x "$VSOCK_AGENT" ]]; then
-  VSOCK_AGENT="$(bundle_path vsock_ping_helper_path "$RUNTIME_DIR/banger-vsock-pingd")"
-fi
-
 BR_DEV="br-fc"
 BR_IP="172.16.0.1"
 CIDR="24"
@ -102,16 +63,34 @@ resolve_banger_bin() {

 BANGER_BIN="$(resolve_banger_bin)"
 NAT_ACTIVE=0
+FC_BIN="$("$BANGER_BIN" internal firecracker-path)"
+SSH_KEY="$("$BANGER_BIN" internal ssh-key-path)"
+VSOCK_AGENT="$("$BANGER_BIN" internal vsock-agent-path)"

 banger_nat() {
  local action="$1"
  "$BANGER_BIN" internal nat "$action" --guest-ip "$GUEST_IP" --tap "$TAP_DEV"
 }

+load_package_preset() {
+  local preset="$1"
+  local -n out="$2"
+  mapfile -t out < <("$BANGER_BIN" internal packages "$preset")
+  (( ${#out[@]} > 0 ))
+}
+
+write_rootfs_manifest_metadata() {
+  local rootfs_path="$1"
+  local manifest_hash="$2"
+  printf '%s\n' "$manifest_hash" > "${rootfs_path}.packages.sha256"
+}
+
 BASE_ROOTFS=""
 OUT_ROOTFS=""
 SIZE_SPEC=""
 INSTALL_DOCKER=0
+KERNEL=""
+INITRD=""
 MISE_VERSION="v2025.12.0"
 MISE_INSTALL_PATH="/usr/local/bin/mise"
 MISE_ACTIVATE_LINE='eval "$(/usr/local/bin/mise activate bash)"'
@ -122,8 +101,7 @@ TMUX_RESURRECT_REPO="https://github.com/tmux-plugins/tmux-resurrect"
 TMUX_CONTINUUM_REPO="https://github.com/tmux-plugins/tmux-continuum"
 TMUX_MANAGED_START="# >>> banger tmux plugins >>>"
 TMUX_MANAGED_END="# <<< banger tmux plugins <<<"
-MODULES_DIR="$(bundle_path default_modules_dir "$RUNTIME_DIR/wtf/root/lib/modules/6.8.0-94-generic")"
-PACKAGES_FILE="$(banger_packages_file)"
+MODULES_DIR=""
 while [[ $# -gt 0 ]]; do
  case "$1" in
    --out)
@ -187,6 +165,10 @@ if [[ "$OUT_ROOTFS" == *.ext4 ]]; then
 else
  WORK_SEED="${OUT_ROOTFS}.work-seed"
 fi
+if [[ -z "$KERNEL" ]]; then
+  log "kernel path is required; pass --kernel"
+  exit 1
+fi
 if [[ ! -f "$KERNEL" ]]; then
  log "kernel not found: $KERNEL"
  exit 1
@ -214,26 +196,22 @@ if ! command -v jq >/dev/null 2>&1; then
  exit 1
 fi
 if ! command -v sha256sum >/dev/null 2>&1; then
-  log "sha256sum required to record package manifest metadata"
-  exit 1
-fi
-if [[ ! -f "$PACKAGES_FILE" ]]; then
-  log "package manifest not found: $PACKAGES_FILE"
+  log "sha256sum required to record package preset metadata"
  exit 1
 fi
 if [[ ! -x "$VSOCK_AGENT" ]]; then
  log "vsock agent not found or not executable: $VSOCK_AGENT"
-  log "run 'make build' or refresh the runtime bundle"
+  log "run 'make build'"
  exit 1
 fi

 APT_PACKAGES=()
-if ! banger_packages_read_array APT_PACKAGES "$PACKAGES_FILE"; then
-  log "package manifest is empty: $PACKAGES_FILE"
+if ! load_package_preset debian APT_PACKAGES; then
+  log "debian package preset is empty"
  exit 1
 fi
-if ! PACKAGES_HASH="$(printf '%s\n' "${APT_PACKAGES[@]}" | banger_packages_hash_stream)"; then
-  log "failed to hash package manifest: $PACKAGES_FILE"
+if ! PACKAGES_HASH="$(printf '%s\n' "${APT_PACKAGES[@]}" | sha256sum | awk '{print $1}')"; then
+  log "failed to hash package preset"
  exit 1
 fi
 printf -v APT_PACKAGES_ESCAPED '%q ' "${APT_PACKAGES[@]}"
@ -587,7 +565,7 @@ for _ in $(seq 1 200); do
  fi
  sleep 0.05
 done
-banger_write_rootfs_manifest_metadata "$OUT_ROOTFS" "$PACKAGES_HASH"
+write_rootfs_manifest_metadata "$OUT_ROOTFS" "$PACKAGES_HASH"
 log "building work seed $WORK_SEED"
 "$BANGER_BIN" internal work-seed --rootfs "$OUT_ROOTFS" --out "$WORK_SEED"
 log "done"
--- a/scripts/interactive.sh
+++ b/scripts/interactive.sh
@ -7,7 +7,7 @@ log() {

 usage() {
  cat <<'EOF'
-Usage: ./scripts/interactive.sh <base-rootfs> [--out <path>] [--size <size>]
+Usage: ./scripts/interactive.sh <base-rootfs> --kernel <path> [--initrd <path>] [--size <size>]

 Creates a writable copy of the base rootfs and boots a VM so you can
 customize it manually over SSH. No automatic package/config changes
@ -32,42 +32,10 @@ parse_size() {

 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-DEFAULT_RUNTIME_DIR="$REPO_ROOT/build/runtime"
-if [[ ! -d "$DEFAULT_RUNTIME_DIR" && -d "$REPO_ROOT/runtime" ]]; then
-  DEFAULT_RUNTIME_DIR="$REPO_ROOT/runtime"
-fi
-RUNTIME_DIR="${BANGER_RUNTIME_DIR:-$DEFAULT_RUNTIME_DIR}"
-if [[ ! -d "$RUNTIME_DIR" ]]; then
-  log "runtime bundle not found: $RUNTIME_DIR"
-  log "run 'make runtime-bundle' or set BANGER_RUNTIME_DIR"
-  exit 1
-fi
 STATE="${BANGER_STATE_DIR:-${XDG_STATE_HOME:-$HOME/.local/state}/banger/interactive}"
 VM_ROOT="$STATE/vms"
 mkdir -p "$VM_ROOT"

-BUNDLE_METADATA="$RUNTIME_DIR/bundle.json"
-
-bundle_path() {
-  local key="$1"
-  local fallback="$2"
-  local rel=""
-
-  if [[ -f "$BUNDLE_METADATA" ]] && command -v jq >/dev/null 2>&1; then
-    rel="$(jq -r --arg key "$key" '.[$key] // empty' "$BUNDLE_METADATA" 2>/dev/null || true)"
-  fi
-  if [[ -n "$rel" && "$rel" != "null" ]]; then
-    printf '%s\n' "$RUNTIME_DIR/$rel"
-    return
-  fi
-  printf '%s\n' "$fallback"
-}
-
-FC_BIN="$RUNTIME_DIR/firecracker"
-KERNEL="$(bundle_path default_kernel "$RUNTIME_DIR/wtf/root/boot/vmlinux-6.8.0-94-generic")"
-INITRD="$(bundle_path default_initrd "$RUNTIME_DIR/wtf/root/boot/initrd.img-6.8.0-94-generic")"
-SSH_KEY="$RUNTIME_DIR/id_ed25519"
-
 BR_DEV="br-fc"
 BR_IP="172.16.0.1"
 CIDR="24"
@ -96,6 +64,10 @@ resolve_banger_bin() {

 BANGER_BIN="$(resolve_banger_bin)"
 NAT_ACTIVE=0
+FC_BIN="$("$BANGER_BIN" internal firecracker-path)"
+SSH_KEY="$("$BANGER_BIN" internal ssh-key-path)"
+KERNEL=""
+INITRD=""

 banger_nat() {
  local action="$1"
@ -115,6 +87,14 @@ while [[ $# -gt 0 ]]; do
      SIZE_SPEC="${2:-}"
      shift 2
      ;;
+    --kernel)
+      KERNEL="${2:-}"
+      shift 2
+      ;;
+    --initrd)
+      INITRD="${2:-}"
+      shift 2
+      ;;
    -h|--help)
      usage
      exit 0
@ -140,11 +120,15 @@ if [[ ! -f "$BASE_ROOTFS" ]]; then
  log "base rootfs not found: $BASE_ROOTFS"
  exit 1
 fi
+if [[ -z "$KERNEL" ]]; then
+  log "kernel path is required; pass --kernel"
+  exit 1
+fi
 if [[ ! -f "$KERNEL" ]]; then
  log "kernel not found: $KERNEL"
  exit 1
 fi
-if [[ ! -f "$INITRD" ]]; then
+if [[ -n "$INITRD" && ! -f "$INITRD" ]]; then
  log "initrd not found: $INITRD"
  exit 1
 fi
--- a/scripts/lib/packages.sh
+++ b/scripts/lib/packages.sh
@ -1,116 +0,0 @@
-#!/usr/bin/env bash
-
-readonly BANGER_PACKAGES_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-readonly BANGER_REPO_ROOT="$(cd "$BANGER_PACKAGES_DIR/../.." && pwd)"
-BANGER_APT_PACKAGES_FILE="${BANGER_APT_PACKAGES_FILE:-$BANGER_REPO_ROOT/config/packages.apt}"
-
-banger_packages_file() {
-  printf '%s' "$BANGER_APT_PACKAGES_FILE"
-}
-
-banger_packages_normalized_lines() {
-  local packages_file="${1:-$BANGER_APT_PACKAGES_FILE}"
-
-  [[ -f "$packages_file" ]] || return 1
-  awk '
-    {
-      sub(/\r$/, "")
-      sub(/[[:space:]]*#.*$/, "")
-      gsub(/^[[:space:]]+|[[:space:]]+$/, "")
-      if ($0 != "") print
-    }
-  ' "$packages_file"
-}
-
-banger_packages_read_array() {
-  local -n out="$1"
-  local packages_file="${2:-$BANGER_APT_PACKAGES_FILE}"
-
-  mapfile -t out < <(banger_packages_normalized_lines "$packages_file")
-  (( ${#out[@]} > 0 ))
-}
-
-banger_packages_hash_stream() {
-  command -v sha256sum >/dev/null 2>&1 || return 1
-  sha256sum | awk '{print $1}'
-}
-
-banger_packages_manifest_hash() {
-  local packages_file="${1:-$BANGER_APT_PACKAGES_FILE}"
-
-  [[ -f "$packages_file" ]] || return 1
-  banger_packages_normalized_lines "$packages_file" | banger_packages_hash_stream
-}
-
-banger_rootfs_manifest_metadata_path() {
-  local rootfs_path="$1"
-  printf '%s.packages.sha256' "$rootfs_path"
-}
-
-banger_rootfs_manifest_recorded_hash() {
-  local rootfs_path="$1"
-  local metadata_file recorded_hash
-
-  metadata_file="$(banger_rootfs_manifest_metadata_path "$rootfs_path")"
-  [[ -f "$metadata_file" ]] || return 1
-
-  recorded_hash="$(head -n 1 "$metadata_file" | tr -d '[:space:]')"
-  [[ -n "$recorded_hash" ]] || return 1
-  printf '%s' "$recorded_hash"
-}
-
-banger_write_rootfs_manifest_metadata() {
-  local rootfs_path="$1"
-  local manifest_hash="$2"
-  local metadata_file
-
-  metadata_file="$(banger_rootfs_manifest_metadata_path "$rootfs_path")"
-  printf '%s\n' "$manifest_hash" > "$metadata_file"
-}
-
-banger_rootfs_manifest_status() {
-  local rootfs_path="$1"
-  local current_hash recorded_hash
-
-  if [[ ! -f "$rootfs_path" ]]; then
-    printf '%s' "missing-rootfs"
-    return 0
-  fi
-
-  if ! current_hash="$(banger_packages_manifest_hash)"; then
-    printf '%s' "unknown"
-    return 0
-  fi
-
-  if ! recorded_hash="$(banger_rootfs_manifest_recorded_hash "$rootfs_path")"; then
-    printf '%s' "missing-metadata"
-    return 0
-  fi
-
-  if [[ "$recorded_hash" == "$current_hash" ]]; then
-    printf '%s' "fresh"
-  else
-    printf '%s' "stale"
-  fi
-}
-
-banger_rootfs_manifest_warning() {
-  local rootfs_path="$1"
-  local status
-
-  status="$(banger_rootfs_manifest_status "$rootfs_path")"
-  case "$status" in
-    stale)
-      printf '%s was built with an older package manifest; rebuild it explicitly to pick up package changes' "$rootfs_path"
-      ;;
-    missing-metadata)
-      printf '%s has no package manifest metadata; rebuild it explicitly to pick up package changes' "$rootfs_path"
-      ;;
-    unknown)
-      printf 'unable to compare %s against %s; install sha256sum and verify the package manifest manually' "$rootfs_path" "$BANGER_APT_PACKAGES_FILE"
-      ;;
-    *)
-      return 1
-      ;;
-  esac
-}
--- a/scripts/make-rootfs-void.sh
+++ b/scripts/make-rootfs-void.sh
@ -7,21 +7,19 @@ log() {

 usage() {
  cat <<'EOF'
-Usage: ./scripts/make-rootfs-void.sh [--out <path>] [--size <size>] [--mirror <url>] [--arch <arch>] [--packages <path>]
+Usage: ./scripts/make-rootfs-void.sh [--out <path>] [--size <size>] [--mirror <url>] [--arch <arch>]

 Build an experimental Void Linux rootfs image plus a matching /root work-seed.

 Defaults:
-  --out      ./build/runtime/rootfs-void.ext4
+  --out      ./build/manual/rootfs-void.ext4
  --size     2G
  --mirror   https://repo-default.voidlinux.org
  --arch     x86_64
-  --packages ./config/packages.void

-This path is experimental and local-only. If ./build/runtime/void-kernel exists
-it uses the staged Void kernel modules from that directory; otherwise it falls
-back to the current runtime bundle modules. It does not change the default
-Debian image flow.
+This path is experimental and local-only. If ./build/manual/void-kernel exists
+it uses the staged Void kernel modules from that directory. It does not change
+the default Debian image flow.
 EOF
 }

@ -76,21 +74,6 @@ normalize_mirror() {
  printf '%s\n' "$mirror"
 }

-bundle_path() {
-  local key="$1"
-  local fallback="$2"
-  local rel=""
-
-  if [[ -f "$BUNDLE_METADATA" ]] && command -v jq >/dev/null 2>&1; then
-    rel="$(jq -r --arg key "$key" '.[$key] // empty' "$BUNDLE_METADATA" 2>/dev/null || true)"
-  fi
-  if [[ -n "$rel" && "$rel" != "null" ]]; then
-    printf '%s\n' "$RUNTIME_DIR/$rel"
-    return
-  fi
-  printf '%s\n' "$fallback"
-}
-
 find_latest_module_dir() {
  local root="$1"
  if [[ ! -d "$root" ]]; then
@ -108,6 +91,19 @@ find_static_keys_dir() {
  find "$STATIC_DIR" -type d -path '*/var/db/xbps/keys' | sort | head -n 1
 }

+load_package_preset() {
+  local preset="$1"
+  local -n out="$2"
+  mapfile -t out < <("$BANGER_BIN" internal packages "$preset")
+  (( ${#out[@]} > 0 ))
+}
+
+write_rootfs_manifest_metadata() {
+  local rootfs_path="$1"
+  local manifest_hash="$2"
+  printf '%s\n' "$manifest_hash" > "${rootfs_path}.packages.sha256"
+}
+
 install_root_authorized_key() {
  local public_key
  public_key="$(ssh-keygen -y -f "$SSH_KEY")"
@ -382,24 +378,10 @@ cleanup() {

 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-PACKAGES_FILE="$REPO_ROOT/config/packages.void"
-export BANGER_APT_PACKAGES_FILE="$PACKAGES_FILE"
-source "$SCRIPT_DIR/lib/packages.sh"
-
-DEFAULT_RUNTIME_DIR="$REPO_ROOT/build/runtime"
-if [[ ! -d "$DEFAULT_RUNTIME_DIR" && -d "$REPO_ROOT/runtime" ]]; then
-  DEFAULT_RUNTIME_DIR="$REPO_ROOT/runtime"
-fi
-RUNTIME_DIR="${BANGER_RUNTIME_DIR:-$DEFAULT_RUNTIME_DIR}"
-if [[ ! -d "$RUNTIME_DIR" ]]; then
-  log "runtime bundle not found: $RUNTIME_DIR"
-  log "run 'make runtime-bundle' or set BANGER_RUNTIME_DIR"
-  exit 1
-fi
-
-BUNDLE_METADATA="$RUNTIME_DIR/bundle.json"
-SSH_KEY="$(bundle_path ssh_key_path "$RUNTIME_DIR/id_ed25519")"
-OUT_ROOTFS="$RUNTIME_DIR/rootfs-void.ext4"
+MANUAL_DIR="${BANGER_MANUAL_DIR:-$REPO_ROOT/build/manual}"
+BANGER_BIN="$(resolve_banger_bin)"
+SSH_KEY="$("$BANGER_BIN" internal ssh-key-path)"
+OUT_ROOTFS="$MANUAL_DIR/rootfs-void.ext4"
 SIZE_SPEC="2G"
 MIRROR="https://repo-default.voidlinux.org"
 ARCH="x86_64"
@ -408,12 +390,9 @@ MISE_INSTALL_PATH="/usr/local/bin/mise"
 OPENCODE_TOOL="github:anomalyco/opencode"
 GUESTNET_BOOTSTRAP_SCRIPT="$REPO_ROOT/internal/guestnet/assets/bootstrap.sh"
 GUESTNET_VOID_CORE_SERVICE="$REPO_ROOT/internal/guestnet/assets/void-core-service.sh"
-MODULES_DIR="$(bundle_path default_modules_dir "$RUNTIME_DIR/wtf/root/lib/modules/6.8.0-94-generic")"
-VOID_KERNEL_MODULES_DIR="$(find_latest_module_dir "$RUNTIME_DIR/void-kernel/lib/modules" || true)"
-VSOCK_AGENT="$(bundle_path vsock_agent_path "$RUNTIME_DIR/banger-vsock-agent")"
-if [[ "$VSOCK_AGENT" == "$RUNTIME_DIR/banger-vsock-agent" && ! -x "$VSOCK_AGENT" ]]; then
-  VSOCK_AGENT="$(bundle_path vsock_ping_helper_path "$RUNTIME_DIR/banger-vsock-pingd")"
-fi
+MODULES_DIR=""
+VOID_KERNEL_MODULES_DIR="$(find_latest_module_dir "$MANUAL_DIR/void-kernel/lib/modules" || true)"
+VSOCK_AGENT="$("$BANGER_BIN" internal vsock-agent-path)"
 if [[ -n "$VOID_KERNEL_MODULES_DIR" ]]; then
  MODULES_DIR="$VOID_KERNEL_MODULES_DIR"
 fi
@ -436,11 +415,6 @@ while [[ $# -gt 0 ]]; do
      ARCH="${2:-}"
      shift 2
      ;;
-    --packages)
-      PACKAGES_FILE="${2:-}"
-      export BANGER_APT_PACKAGES_FILE="$PACKAGES_FILE"
-      shift 2
-      ;;
    -h|--help)
      usage
      exit 0
@ -463,17 +437,13 @@ if [[ "$ARCH" != "x86_64" ]]; then
  exit 1
 fi

-if [[ ! -f "$PACKAGES_FILE" ]]; then
-  log "package manifest not found: $PACKAGES_FILE"
-  exit 1
-fi
-if [[ ! -d "$MODULES_DIR" ]]; then
-  log "modules dir not found: $MODULES_DIR"
+if [[ -z "$MODULES_DIR" || ! -d "$MODULES_DIR" ]]; then
+  log "modules dir not found; run 'make void-kernel' first"
  exit 1
 fi
 if [[ ! -x "$VSOCK_AGENT" ]]; then
  log "vsock agent not found or not executable: $VSOCK_AGENT"
-  log "run 'make build' or refresh the runtime bundle"
+  log "run 'make build'"
  exit 1
 fi
 if [[ ! -f "$GUESTNET_BOOTSTRAP_SCRIPT" ]]; then
@ -505,12 +475,12 @@ require_command truncate
 require_command mountpoint

 VOID_PACKAGES=()
-if ! banger_packages_read_array VOID_PACKAGES "$PACKAGES_FILE"; then
-  log "package manifest is empty: $PACKAGES_FILE"
+if ! load_package_preset void VOID_PACKAGES; then
+  log "void package preset is empty"
  exit 1
 fi
-if ! PACKAGES_HASH="$(banger_packages_manifest_hash "$PACKAGES_FILE")"; then
-  log "failed to hash package manifest: $PACKAGES_FILE"
+if ! PACKAGES_HASH="$(printf '%s\n' "${VOID_PACKAGES[@]}" | sha256sum | awk '{print $1}')"; then
+  log "failed to hash package preset"
  exit 1
 fi
 if ! SIZE_BYTES="$(parse_size "$SIZE_SPEC")"; then
@ -518,7 +488,6 @@ if ! SIZE_BYTES="$(parse_size "$SIZE_SPEC")"; then
  exit 1
 fi

-BANGER_BIN="$(resolve_banger_bin)"
 if [[ "$OUT_ROOTFS" == *.ext4 ]]; then
  WORK_SEED="${OUT_ROOTFS%.ext4}.work-seed.ext4"
 else
@ -613,7 +582,7 @@ sudo rm -rf \

 sudo umount "$ROOT_MOUNT"

-banger_write_rootfs_manifest_metadata "$OUT_ROOTFS" "$PACKAGES_HASH"
+write_rootfs_manifest_metadata "$OUT_ROOTFS" "$PACKAGES_HASH"

 log "building work-seed $WORK_SEED"
 "$BANGER_BIN" internal work-seed --rootfs "$OUT_ROOTFS" --out "$WORK_SEED"
--- a/scripts/make-rootfs.sh
+++ b/scripts/make-rootfs.sh
@ -7,12 +7,11 @@ log() {

 usage() {
  cat <<'EOF'
-Usage: ./scripts/make-rootfs.sh [--size <size>] [--base-rootfs <path>]
+Usage: ./scripts/make-rootfs.sh --kernel <path> [--initrd <path>] [--modules <dir>] [--size <size>] [--base-rootfs <path>]

-Builds build/runtime/rootfs-docker.ext4 using scripts/customize.sh. If
+Builds build/manual/rootfs-docker.ext4 using scripts/customize.sh. If
 --base-rootfs is omitted, the first existing file is used:
-  ./build/runtime/rootfs.ext4
-  ./runtime/rootfs.ext4  (legacy fallback)
+  ./build/manual/rootfs-base.ext4
  ./ubuntu-noble-rootfs/rootfs.ext4
  ./ubuntu-lts/rootfs.ext4
 EOF
@ -20,20 +19,13 @@ EOF

 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-source "$SCRIPT_DIR/lib/packages.sh"
-DEFAULT_RUNTIME_DIR="$REPO_ROOT/build/runtime"
-if [[ ! -d "$DEFAULT_RUNTIME_DIR" && -d "$REPO_ROOT/runtime" ]]; then
-  DEFAULT_RUNTIME_DIR="$REPO_ROOT/runtime"
-fi
-RUNTIME_DIR="${BANGER_RUNTIME_DIR:-$DEFAULT_RUNTIME_DIR}"
-if [[ ! -d "$RUNTIME_DIR" ]]; then
-  log "runtime bundle not found: $RUNTIME_DIR"
-  log "run 'make runtime-bundle' or set BANGER_RUNTIME_DIR"
-  exit 1
-fi
-OUT_ROOTFS="$RUNTIME_DIR/rootfs-docker.ext4"
+MANUAL_DIR="${BANGER_MANUAL_DIR:-$REPO_ROOT/build/manual}"
+OUT_ROOTFS="$MANUAL_DIR/rootfs-docker.ext4"
 SIZE_SPEC="6G"
 BASE_ROOTFS=""
+KERNEL_PATH=""
+INITRD_PATH=""
+MODULES_DIR=""

 while [[ $# -gt 0 ]]; do
  case "$1" in
@ -45,6 +37,18 @@ while [[ $# -gt 0 ]]; do
      BASE_ROOTFS="${2:-}"
      shift 2
      ;;
+    --kernel)
+      KERNEL_PATH="${2:-}"
+      shift 2
+      ;;
+    --initrd)
+      INITRD_PATH="${2:-}"
+      shift 2
+      ;;
+    --modules)
+      MODULES_DIR="${2:-}"
+      shift 2
+      ;;
    -h|--help)
      usage
      exit 0
@ -57,32 +61,39 @@ while [[ $# -gt 0 ]]; do
  esac
 done

-if [[ -f "$OUT_ROOTFS" ]]; then
-  OUT_ROOTFS_WARNING="$(banger_rootfs_manifest_warning "$OUT_ROOTFS" || true)"
-  if [[ -n "$OUT_ROOTFS_WARNING" ]]; then
-    log "warning: $OUT_ROOTFS_WARNING"
-  fi
-  log "already exists: $OUT_ROOTFS"
-  exit 0
-fi
-
 if [[ -z "$BASE_ROOTFS" ]]; then
-  if [[ -f "$RUNTIME_DIR/rootfs.ext4" ]]; then
-    BASE_ROOTFS="$RUNTIME_DIR/rootfs.ext4"
+  if [[ -f "$MANUAL_DIR/rootfs-base.ext4" ]]; then
+    BASE_ROOTFS="$MANUAL_DIR/rootfs-base.ext4"
  elif [[ -f "$REPO_ROOT/ubuntu-noble-rootfs/rootfs.ext4" ]]; then
    BASE_ROOTFS="$REPO_ROOT/ubuntu-noble-rootfs/rootfs.ext4"
  elif [[ -f "$REPO_ROOT/ubuntu-lts/rootfs.ext4" ]]; then
    BASE_ROOTFS="$REPO_ROOT/ubuntu-lts/rootfs.ext4"
  else
-    log "no base rootfs found; run 'make runtime-bundle' or pass --base-rootfs"
+    log "no base rootfs found; pass --base-rootfs"
    exit 1
  fi
 fi

-mkdir -p "$RUNTIME_DIR"
+if [[ -z "$KERNEL_PATH" ]]; then
+  log "kernel path is required; pass --kernel"
+  exit 1
+fi
+
+mkdir -p "$MANUAL_DIR"

 log "building $OUT_ROOTFS from $BASE_ROOTFS"
-exec env BANGER_RUNTIME_DIR="$RUNTIME_DIR" "$SCRIPT_DIR/customize.sh" "$BASE_ROOTFS" \
-  --out "$OUT_ROOTFS" \
-  --size "$SIZE_SPEC" \
+args=(
+  "$SCRIPT_DIR/customize.sh"
+  "$BASE_ROOTFS"
+  --out "$OUT_ROOTFS"
+  --size "$SIZE_SPEC"
+  --kernel "$KERNEL_PATH"
  --docker
+)
+if [[ -n "$INITRD_PATH" ]]; then
+  args+=(--initrd "$INITRD_PATH")
+fi
+if [[ -n "$MODULES_DIR" ]]; then
+  args+=(--modules "$MODULES_DIR")
+fi
+exec "${args[@]}"
--- a/scripts/make-void-kernel.sh
+++ b/scripts/make-void-kernel.sh
@ -9,12 +9,12 @@ usage() {
  cat <<'EOF'
 Usage: ./scripts/make-void-kernel.sh [--out-dir <path>] [--mirror <url>] [--arch <arch>] [--kernel-package <name>] [--print-register-flags]

-Download and stage a Void Linux kernel under ./build/runtime/void-kernel for
+Download and stage a Void Linux kernel under ./build/manual/void-kernel for
 the
 experimental Void guest flow.

 Defaults:
-  --out-dir         ./build/runtime/void-kernel
+  --out-dir         ./build/manual/void-kernel
  --mirror          https://repo-default.voidlinux.org
  --arch            x86_64
  --kernel-package  linux6.12
@ -225,12 +225,8 @@ cleanup() {

 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-DEFAULT_RUNTIME_DIR="$REPO_ROOT/build/runtime"
-if [[ ! -d "$DEFAULT_RUNTIME_DIR" && -d "$REPO_ROOT/runtime" ]]; then
-  DEFAULT_RUNTIME_DIR="$REPO_ROOT/runtime"
-fi
-RUNTIME_DIR="${BANGER_RUNTIME_DIR:-$DEFAULT_RUNTIME_DIR}"
-OUT_DIR="$RUNTIME_DIR/void-kernel"
+MANUAL_DIR="${BANGER_MANUAL_DIR:-$REPO_ROOT/build/manual}"
+OUT_DIR="$MANUAL_DIR/void-kernel"
 MIRROR="https://repo-default.voidlinux.org"
 ARCH="x86_64"
 KERNEL_PACKAGE="linux6.12"
--- a/scripts/register-void-image.sh
+++ b/scripts/register-void-image.sh
@ -45,17 +45,11 @@ resolve_banger_bin() {

 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-DEFAULT_RUNTIME_DIR="$REPO_ROOT/build/runtime"
-if [[ ! -d "$DEFAULT_RUNTIME_DIR" && -d "$REPO_ROOT/runtime" ]]; then
-  DEFAULT_RUNTIME_DIR="$REPO_ROOT/runtime"
-fi
-
-RUNTIME_DIR="${BANGER_RUNTIME_DIR:-$DEFAULT_RUNTIME_DIR}"
+RUNTIME_DIR="${BANGER_MANUAL_DIR:-$REPO_ROOT/build/manual}"
 IMAGE_NAME="${VOID_IMAGE_NAME:-void-exp}"
 BANGER_BIN="$(resolve_banger_bin)"
 ROOTFS="$RUNTIME_DIR/rootfs-void.ext4"
 WORK_SEED="$RUNTIME_DIR/rootfs-void.work-seed.ext4"
-PACKAGES="$REPO_ROOT/config/packages.void"

 if [[ ! -f "$ROOTFS" ]]; then
  log "missing Void rootfs: $ROOTFS"
@ -71,7 +65,6 @@ args=(
  --name "$IMAGE_NAME"
  --rootfs "$ROOTFS"
  --work-seed "$WORK_SEED"
-  --packages "$PACKAGES"
 )

 if [[ ! -d "$RUNTIME_DIR/void-kernel" ]]; then
--- a/scripts/verify.sh
+++ b/scripts/verify.sh
@ -7,33 +7,7 @@ log() {

 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-DEFAULT_RUNTIME_DIR="$REPO_ROOT/build/runtime"
-if [[ ! -d "$DEFAULT_RUNTIME_DIR" && -d "$REPO_ROOT/runtime" ]]; then
-  DEFAULT_RUNTIME_DIR="$REPO_ROOT/runtime"
-fi
-RUNTIME_DIR="${BANGER_RUNTIME_DIR:-$DEFAULT_RUNTIME_DIR}"
-SSH_KEY="$RUNTIME_DIR/id_ed25519"
-if [[ ! -d "$RUNTIME_DIR" ]]; then
-  log "runtime bundle not found: $RUNTIME_DIR"
-  log "run 'make runtime-bundle' or set BANGER_RUNTIME_DIR"
-  exit 1
-fi
-if [[ ! -f "$SSH_KEY" ]]; then
-  log "ssh key not found: $SSH_KEY"
-  exit 1
-fi
 DAEMON_LOG="${XDG_STATE_HOME:-$HOME/.local/state}/banger/bangerd.log"
-SSH_COMMON_ARGS=(
-  -F /dev/null
-  -i "$SSH_KEY"
-  -o IdentitiesOnly=yes
-  -o BatchMode=yes
-  -o PreferredAuthentications=publickey
-  -o PasswordAuthentication=no
-  -o KbdInteractiveAuthentication=no
-  -o StrictHostKeyChecking=no
-  -o UserKnownHostsFile=/dev/null
-)
 OPENCODE_PORT=4096

 resolve_banger_bin() {
@ -58,6 +32,22 @@ resolve_banger_bin() {
 }

 BANGER_BIN="$(resolve_banger_bin)"
+SSH_KEY="$("$BANGER_BIN" internal ssh-key-path)"
+if [[ ! -f "$SSH_KEY" ]]; then
+  log "ssh key not found: $SSH_KEY"
+  exit 1
+fi
+SSH_COMMON_ARGS=(
+  -F /dev/null
+  -i "$SSH_KEY"
+  -o IdentitiesOnly=yes
+  -o BatchMode=yes
+  -o PreferredAuthentications=publickey
+  -o PasswordAuthentication=no
+  -o KbdInteractiveAuthentication=no
+  -o StrictHostKeyChecking=no
+  -o UserKnownHostsFile=/dev/null
+)

 firecracker_running() {
  local pid="$1"