feat: upgrade propolis to v0.0.5 and wire extract.Source support

Switch from local `replace ../propolis` to tagged v0.0.5 module,
removing sibling checkout requirements from CI and build-dev task.
Add RuntimeSource/FirmwareSource fields to CreateVMOpts for embedded
runtime distribution via propolis extract.Source API. Fix lint workflow
by adding build-init step for go:embed, and resolve pre-existing
gosec warnings (G703, G706).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JAORMX

.github/workflows/build.yml

@@ -17,13 +17,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
-      - name: Checkout propolis (sibling dependency)
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
-        with:
-          repository: stacklok/propolis
-          ref: 6a81046b0472c54c877b965c34c97c094f373d74 # v0.1.0
-          path: ../propolis
-
       - name: Set up Go
         uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:

.github/workflows/lint.yml

@@ -16,19 +16,21 @@ jobs:
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
-      - name: Checkout propolis (sibling dependency)
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
-        with:
-          repository: stacklok/propolis
-          ref: 6a81046b0472c54c877b965c34c97c094f373d74 # v0.1.0
-          path: ../propolis
-
       - name: Set up Go
         uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: 'go.mod'
           cache: true
 
+      - name: Install Task
+        uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2
+        with:
+          version: '3.x'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build waggle-init (for go:embed)
+        run: task build-init
+
       - name: Lint
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:

.github/workflows/test.yml

@@ -16,13 +16,6 @@ jobs:
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
-      - name: Checkout propolis (sibling dependency)
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
-        with:
-          repository: stacklok/propolis
-          ref: 6a81046b0472c54c877b965c34c97c094f373d74 # v0.1.0
-          path: ../propolis
-
       - name: Set up Go
         uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:

CLAUDE.md

@@ -27,7 +27,7 @@ Run a single test: `go test -v -race -run TestName ./pkg/path/to/package`
 
 ## Things That Will Bite You
 
-- **propolis is a local replace**: `go.mod` uses `replace github.com/stacklok/propolis => ../propolis`. The propolis repo must be checked out as a sibling directory.
+- **propolis is a tagged dependency (v0.0.5)**: Fetched via normal Go module resolution. `build-dev` builds propolis-runner from the module cache (requires `libkrun-devel`). The `extract.Source` API is available for embedded runtime distribution.
 - **MCP error handling has two paths**: Return `mcp.NewToolResultError("msg"), nil` for user-facing errors (bad input, not found). Return `nil, err` only for internal server failures. Mixing these up breaks the MCP protocol.
 - **Code execution uses temp files, not `-c`**: Multi-line code is written to `/tmp/waggle_<uuid>.<ext>` in the VM via heredoc, executed, then cleaned up. Using `python3 -c` or `node -e` breaks on complex code.
 - **Shell escaping is mandatory**: Always use `propolis/ssh.ShellEscape()` for any user-provided string passed to SSH commands. Missing this is a command injection vulnerability.

Taskfile.yaml

@@ -53,7 +53,7 @@ tasks:
     cmds:
       - task: build
       - mkdir -p {{.BUILD_DIR}}
-      - cd ../propolis && CGO_ENABLED=1 go build -o "$OLDPWD/{{.BUILD_DIR}}/propolis-runner" ./runner/cmd/propolis-runner
+      - CGO_ENABLED=1 go build -o {{.BUILD_DIR}}/propolis-runner github.com/stacklok/propolis/runner/cmd/propolis-runner
 
   build-init:
     desc: Build the waggle-init binary (guest VM init)

cmd/waggle/main.go

@@ -182,7 +182,7 @@ func configureLogger(logFile string) (func() error, error) {
 		return func() error { return nil }, nil
 	}
 
-	// #nosec G304 -- log file path is user-provided by design.
+	// #nosec G304 G703 -- log file path is operator-configured, not external input.
 	f, err := os.OpenFile(logFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o600)
 	if err != nil {
 		return nil, fmt.Errorf("open log file %s: %w", logFile, err)

go.mod

@@ -8,7 +8,7 @@ go 1.25.7
 require (
 	github.com/google/uuid v1.6.0
 	github.com/mark3labs/mcp-go v0.44.0
-	github.com/stacklok/propolis v0.0.0
+	github.com/stacklok/propolis v0.0.5
 )
 
 require (
@@ -75,5 +75,3 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gvisor.dev/gvisor v0.0.0-20240916094835-a174eb65023f // indirect
 )
-
-replace github.com/stacklok/propolis => ../propolis

go.sum

@@ -124,6 +124,8 @@ github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w
 github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
 github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/stacklok/propolis v0.0.5 h1:kA9Wd3B5SyHkh4ayDoVRKyz7Ejye9aNhos6CeSlBTtM=
+github.com/stacklok/propolis v0.0.5/go.mod h1:GK7TUXCm4J8Hh/QFoIGuXE4szSt8PWDZWzj1JPpqxVU=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=

pkg/config/config.go

@@ -83,6 +83,10 @@ type Config struct {
 	// LibDir is an optional path to the libkrun library directory.
 	LibDir string
 
+	// CacheDir is the directory for extracted runtime bundles.
+	// Defaults to DataDir when empty.
+	CacheDir string
+
 	// Images maps runtime names to OCI image references.
 	Images map[string]string
 
@@ -168,6 +172,9 @@ func loadEnvStrings(cfg *Config) {
 	if v := os.Getenv(EnvPrefix + "LIB_DIR"); v != "" {
 		cfg.LibDir = v
 	}
+	if v := os.Getenv(EnvPrefix + "CACHE_DIR"); v != "" {
+		cfg.CacheDir = filepath.Clean(v)
+	}
 }
 
 // loadEnvNumerics applies numeric-typed environment variables to cfg.

pkg/health/handler.go

@@ -50,6 +50,7 @@ func (h *Handler) HandleReadyz(w http.ResponseWriter, r *http.Request) {
 		if err := c.Check(r.Context()); err != nil {
 			checks[c.Name()] = err.Error()
 			healthy = false
+			//nolint:gosec // G706: checker name and error are internal, not user input.
 			slog.Warn("readiness check failed", "checker", c.Name(), "error", err)
 		} else {
 			checks[c.Name()] = "ok"