scripts: bundle-based golden image pipeline

Replaces the OCI-push flow with a bundle-based one that mirrors the
kernel catalog (publish-kernel.sh / kernelcat).

- scripts/make-golden-bundle.sh: docker build → docker create → docker
  export | banger internal make-bundle → .tar.zst. Defaults target
  debian-bookworm / generic-6.12 / x86_64; pinned --size 4G to leave
  headroom for first-boot installs and in-VM apt use.
- scripts/publish-golden-image.sh: rewritten to call make-golden-bundle,
  rclone upload to R2 (banger-images bucket, images.thaloco.com), and
  jq-patch internal/imagecat/catalog.json with URL / sha256 / size.
  --skip-upload stops after bundle build and copies to dist/.

make-bundle default ext4 sizing also bumped from +25% to +50% headroom
(mkfs.ext4 needs room for inode tables, block-group metadata, journal,
and the default 5% reserved-blocks margin). The old 25% was too tight
for the ~950 MB golden rootfs and aborted with "Could not allocate
block".

End-to-end smoke (local): golden Dockerfile → 286 MB tar.zst bundle
with correct manifest, valid ext4, and all banger units + vsock agent
present.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/cli/banger.go

@@ -426,7 +426,10 @@ func runInternalMakeBundle(cmd *cobra.Command, opts internalMakeBundleOpts) erro
 		if err != nil {
 			return fmt.Errorf("size rootfs tree: %w", err)
 		}
-		sizeBytes = treeSize + treeSize/4
+		// +50% headroom. mkfs.ext4 needs space for inode tables,
+		// block-group descriptors, journal, and the default 5%
+		// reserved-blocks margin on top of the raw data.
+		sizeBytes = treeSize + treeSize/2
 		if sizeBytes < imagepull.MinExt4Size {
 			sizeBytes = imagepull.MinExt4Size
 		}