docs: add limactl help yq concept guide to explain yqlib limitations

[Mysterio-17]

Description

Addresses the missing documentation for the Lima yq dialect by adding a concept guide that clarifies which yq operators are disabled for security reasons.

Fixes: #4531

Changes

• Added a limactl help yq command to document unsupported yq operators (env, load, load_str).
• Integrated limactl yq into the root command so it appears natively under "Additional help topics".
• Updated the --set flag description (used in limactl create, etc.) to explicitly point users to limactl help yq.

Testing

• limactl help: Verified yq is listed under "Additional help topics".
• limactl help yq: Verified it correctly prints the new concept guide.
• limactl create --help: Verified the --set flag correctly references limactl help yq.
• go test ./cmd/limactl/...: Tests passed successfully with no regressions.

[AkihiroSuda]

This seems to conflict with the existing limactl yq command

[Mysterio-17]

I missed that limactl yq is intercepted as a multicall binary. I've just pushed an update renaming the concept guide to yq-dialect, and I've updated the --set flag description to point there.

[unsuman]

This seems unrelated to the issue

[unsuman]

Looks good, please squash the commits!

[unsuman]

Thanks, LGTM!

[jandubois]

I think I would prefer yq-restrictions to yq-dialect. We don't use a different dialect, we use regular yq syntax, with just a few operators disabled.

I wonder if we should also mention that the new system operations are disabled as well? Of course they are also disabled by yq itself by default, but may be worth mentioning for completeness.

❯ limactl yq -n 'system("ls")'
Error: system operations are disabled, use --security-enable-system-operator to enable

We probably should have a BATS tests to ensure we don't enable it by accident.

Some other observations:

• restricted operations are now listed in 2 files, which is a maintenance issue: cmd/limactl/yq_dialect.go and cmd/limactl/start.go.

• --set works on create, edit, and start, but the long help is only added in create. Maybe it should be shared (not duplicated) by all relevant subcommands.

• Maybe the explanation should include not just the "what" but also "why" the operators have been restricted?

• I think the yq-restrictions output should include a link to the upstream yq docs, explaining that we are using yq version 4 syntax.

[Mysterio-17]

I think I would prefer yq-restrictions to yq-dialect. We don't use a different dialect, we use regular yq syntax, with just a few operators disabled.

I wonder if we should also mention that the new system operations are disabled as well? Of course they are also disabled by yq itself by default, but may be worth mentioning for completeness.

❯ limactl yq -n 'system("ls")'
Error: system operations are disabled, use --security-enable-system-operator to enable

We probably should have a BATS tests to ensure we don't enable it by accident.

Some other observations:

• restricted operations are now listed in 2 files, which is a maintenance issue: cmd/limactl/yq_dialect.go and cmd/limactl/start.go.
• --set works on create, edit, and start, but the long help is only added in create. Maybe it should be shared (not duplicated) by all relevant subcommands.
• Maybe the explanation should include not just the "what" but also "why" the operators have been restricted?
• I think the yq-restrictions output should include a link to the upstream yq docs, explaining that we are using yq version 4 syntax.

Hi @jandubois , I've made the changes:-

• Renamed to yq-restrictions — makes more sense since it's regular yq with some ops disabled, not a different dialect.
• Mentioned system as well (disabled by yqlib default), separated from the ones Lima explicitly disables (env, load, load_str).
• Added a BATS test for system() so we catch it if it ever gets enabled by accident.
• Moved all restriction details into limactl help yq-restrictions as the single source — the --set flag and create example just reference it now, no duplication.
• Included the "why" (untrusted templates) and a link to the upstream yq v4 docs.