Phase 2: daemon PullImage orchestration

(d *Daemon).PullImage downloads an OCI image, flattens it into an
ext4 rootfs, and registers the result as a managed banger image.

Flow (internal/daemon/images_pull.go):
 1. Parse + validate the OCI ref via go-containerregistry/name.
 2. Derive a friendly default name from the ref ("debian-bookworm")
    when --name is omitted.
 3. Reject if an image with that name already exists.
 4. Resolve kernel info via the new shared resolveKernelInputs
    helper (refactored out of RegisterImage); ValidateKernelPaths
    checks the kernel triple alone.
 5. Acquire imageOpsMu, generate a fresh image id, and stage at
    <ImagesDir>/<id>.staging.
 6. imagepull.Pull → cache layers under OCICacheDir;
    imagepull.Flatten → temp rootfs tree under os.TempDir (so the
    state filesystem doesn't temporarily double in size).
 7. Default size: max(treeSize × 1.25, 1 GiB); --size override
    accepted.
 8. imagepull.BuildExt4 produces the rootfs.ext4 in the staging dir.
 9. imagemgr.StageBootArtifacts stages the kernel/initrd/modules
    into the same dir (reused unchanged).
 10. Atomic os.Rename(staging, finalDir) publishes the artifact dir.
 11. Persist model.Image with Managed=true. Failure at any step
     removes the staging dir; failure post-rename removes finalDir.

The pullAndFlatten field on Daemon is the test seam: tests stub it
to write a fixture tree into destDir and skip the real registry.

Refactor: extracted the "kernel-ref vs direct paths" resolution
out of RegisterImage into d.resolveKernelInputs so PullImage and
RegisterImage share one source of truth for that policy. Split
ValidateRegisterPaths into a kernel-only ValidateKernelPaths so
PullImage (which produces the rootfs itself) can validate just
the kernel triple without the rootfs check.

API: ImagePullParams { Ref, Name, KernelPath, InitrdPath,
ModulesDir, KernelRef, SizeBytes }. RPC dispatch case image.pull
mirrors image.register.

Tests cover: happy-path producing a managed image with all four
artifacts present + staging cleaned up, name-collision rejection,
missing-kernel rejection, and staging cleanup on a failed pull.
defaultImageNameFromRef handles tag/digest/no-suffix cases.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/daemon/images_pull.go

@@ -0,0 +1,213 @@
+package daemon
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"banger/internal/api"
+	"banger/internal/daemon/imagemgr"
+	"banger/internal/imagepull"
+	"banger/internal/model"
+
+	"github.com/google/go-containerregistry/pkg/name"
+)
+
+// minPullExt4Size keeps the floor consistent with imagepull.MinExt4Size
+// when the caller doesn't override --size and the OCI tree is tiny.
+const minPullExt4Size int64 = 1 << 30 // 1 GiB
+
+// PullImage downloads an OCI image, flattens it into an ext4 rootfs, and
+// registers it as a managed banger image. Kernel info comes via --kernel-ref
+// or direct paths, mirroring RegisterImage.
+//
+// The pulled rootfs's file ownership is the runner's uid/gid (Phase A v1
+// limitation; see internal/imagepull). The image is suitable as input to
+// `image build --from-image` but is not directly bootable until a future
+// fixup pass lands.
+func (d *Daemon) PullImage(ctx context.Context, params api.ImagePullParams) (image model.Image, err error) {
+	d.imageOpsMu.Lock()
+	defer d.imageOpsMu.Unlock()
+
+	ref := strings.TrimSpace(params.Ref)
+	if ref == "" {
+		return model.Image{}, errors.New("oci reference is required")
+	}
+	parsed, err := name.ParseReference(ref)
+	if err != nil {
+		return model.Image{}, fmt.Errorf("parse oci ref %q: %w", ref, err)
+	}
+
+	imgName := strings.TrimSpace(params.Name)
+	if imgName == "" {
+		imgName = defaultImageNameFromRef(parsed)
+		if imgName == "" {
+			return model.Image{}, errors.New("could not derive image name from ref; pass --name")
+		}
+	}
+	if existing, lookupErr := d.store.GetImageByName(ctx, imgName); lookupErr == nil {
+		return model.Image{}, fmt.Errorf("image %q already exists (id=%s); pick a different --name or delete it first", imgName, existing.ID)
+	}
+
+	kernelPath, initrdPath, modulesDir, err := d.resolveKernelInputs(params.KernelRef, params.KernelPath, params.InitrdPath, params.ModulesDir)
+	if err != nil {
+		return model.Image{}, err
+	}
+	if err := imagemgr.ValidateKernelPaths(kernelPath, initrdPath, modulesDir); err != nil {
+		return model.Image{}, err
+	}
+
+	id, err := model.NewID()
+	if err != nil {
+		return model.Image{}, err
+	}
+	finalDir := filepath.Join(d.layout.ImagesDir, id)
+	stagingDir := finalDir + ".staging"
+	if err := os.MkdirAll(stagingDir, 0o755); err != nil {
+		return model.Image{}, err
+	}
+	cleanupStaging := true
+	defer func() {
+		if cleanupStaging {
+			_ = os.RemoveAll(stagingDir)
+		}
+	}()
+
+	// Extract OCI layers into a working tree under TempDir so the
+	// state filesystem doesn't temporarily double in size.
+	rootfsTree, err := os.MkdirTemp("", "banger-pull-")
+	if err != nil {
+		return model.Image{}, err
+	}
+	defer os.RemoveAll(rootfsTree)
+
+	if err := d.runPullAndFlatten(ctx, ref, d.layout.OCICacheDir, rootfsTree); err != nil {
+		return model.Image{}, fmt.Errorf("pull oci image: %w", err)
+	}
+
+	sizeBytes := params.SizeBytes
+	if sizeBytes <= 0 {
+		treeSize, err := dirSizeBytes(rootfsTree)
+		if err != nil {
+			return model.Image{}, fmt.Errorf("size oci tree: %w", err)
+		}
+		sizeBytes = treeSize + treeSize/4 // +25% headroom
+		if sizeBytes < minPullExt4Size {
+			sizeBytes = minPullExt4Size
+		}
+	}
+
+	rootfsExt4 := filepath.Join(stagingDir, "rootfs.ext4")
+	if err := imagepull.BuildExt4(ctx, d.runner, rootfsTree, rootfsExt4, sizeBytes); err != nil {
+		return model.Image{}, fmt.Errorf("build rootfs ext4: %w", err)
+	}
+
+	stagedKernel, stagedInitrd, stagedModules, err := imagemgr.StageBootArtifacts(ctx, d.runner, stagingDir, kernelPath, initrdPath, modulesDir)
+	if err != nil {
+		return model.Image{}, fmt.Errorf("stage boot artifacts: %w", err)
+	}
+
+	if err := os.Rename(stagingDir, finalDir); err != nil {
+		return model.Image{}, fmt.Errorf("publish artifact dir: %w", err)
+	}
+	cleanupStaging = false
+
+	now := model.Now()
+	image = model.Image{
+		ID:          id,
+		Name:        imgName,
+		Managed:     true,
+		ArtifactDir: finalDir,
+		RootfsPath:  filepath.Join(finalDir, filepath.Base(rootfsExt4)),
+		KernelPath:  rebaseUnder(stagedKernel, stagingDir, finalDir),
+		InitrdPath:  rebaseUnder(stagedInitrd, stagingDir, finalDir),
+		ModulesDir:  rebaseUnder(stagedModules, stagingDir, finalDir),
+		CreatedAt:   now,
+		UpdatedAt:   now,
+	}
+	if err := d.store.UpsertImage(ctx, image); err != nil {
+		_ = os.RemoveAll(finalDir)
+		return model.Image{}, err
+	}
+	return image, nil
+}
+
+// runPullAndFlatten is the seam tests substitute. nil → real implementation.
+func (d *Daemon) runPullAndFlatten(ctx context.Context, ref, cacheDir, destDir string) error {
+	if d.pullAndFlatten != nil {
+		return d.pullAndFlatten(ctx, ref, cacheDir, destDir)
+	}
+	pulled, err := imagepull.Pull(ctx, ref, cacheDir)
+	if err != nil {
+		return err
+	}
+	return imagepull.Flatten(ctx, pulled, destDir)
+}
+
+// nameSanitize keeps lowercase alphanumerics + hyphens, collapses runs.
+var nameSanitizeRE = regexp.MustCompile(`[^a-z0-9]+`)
+
+// defaultImageNameFromRef derives a friendly name like "debian-bookworm"
+// from "docker.io/library/debian:bookworm". Returns "" if it can't.
+func defaultImageNameFromRef(ref name.Reference) string {
+	repo := ref.Context().RepositoryStr() // e.g. library/debian
+	parts := strings.Split(repo, "/")
+	base := parts[len(parts)-1]
+
+	suffix := ""
+	switch r := ref.(type) {
+	case name.Tag:
+		if t := r.TagStr(); t != "" && t != "latest" {
+			suffix = "-" + t
+		}
+	case name.Digest:
+		// take the first 12 hex chars after sha256:
+		d := r.DigestStr()
+		if i := strings.Index(d, ":"); i >= 0 && len(d) >= i+13 {
+			suffix = "-" + d[i+1:i+13]
+		}
+	}
+
+	out := nameSanitizeRE.ReplaceAllString(strings.ToLower(base+suffix), "-")
+	out = strings.Trim(out, "-")
+	return out
+}
+
+// rebaseUnder rewrites a path that points inside oldRoot to point inside
+// newRoot. Empty input returns empty (kept by StageBootArtifacts when an
+// optional artifact is absent).
+func rebaseUnder(path, oldRoot, newRoot string) string {
+	if path == "" {
+		return ""
+	}
+	if rel, err := filepath.Rel(oldRoot, path); err == nil && !strings.HasPrefix(rel, "..") {
+		return filepath.Join(newRoot, rel)
+	}
+	return path
+}
+
+// dirSizeBytes returns the sum of regular-file sizes under root, following
+// no symlinks (lstat). Suitable for sizing an ext4 image.
+func dirSizeBytes(root string) (int64, error) {
+	var total int64
+	err := filepath.WalkDir(root, func(_ string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if !d.Type().IsRegular() {
+			return nil
+		}
+		info, err := d.Info()
+		if err != nil {
+			return err
+		}
+		total += info.Size()
+		return nil
+	})
+	return total, err
+}