Fix 4 bugs: embed entitlements, air vz-shim copy, install.sh codesign entitlements, launchd e2fsprogs PATH

- Bug 1: Embed vz.entitlements as a Go resource and write to temp file at
  runtime for codesigning, instead of looking for it next to the executable
  where it would never be found.

- Bug 2: Add 'mkdir -p && cp' step in .air.darwin.toml to copy the built
  vz-shim binary to lib/hypervisor/vz/vz-shim/vz-shim (the go:embed
  directory) before building the main binary.

- Bug 3: Generate entitlements plist inline in install.sh download path and
  pass --entitlements to codesign, so downloaded binaries get the required
  com.apple.security.virtualization entitlement.

- Bug 4: Prepend /opt/homebrew/opt/e2fsprogs/sbin to the launchd plist PATH
  so mkfs.ext4 (keg-only on Homebrew) is found at runtime.

Author: cursoragent

.air.darwin.toml

@@ -7,7 +7,7 @@ tmp_dir = "tmp"
   bin = "./tmp/main"
   # Build for macOS with vz support, then sign with entitlements
   # Also builds and signs vz-shim (subprocess that hosts vz VMs)
-  cmd = "make build-embedded && go build -o ./tmp/vz-shim ./cmd/vz-shim && codesign --sign - --entitlements vz.entitlements --force ./tmp/vz-shim && go build -tags containers_image_openpgp -o ./tmp/main ./cmd/api && codesign --sign - --entitlements vz.entitlements --force ./tmp/main"
+  cmd = "make build-embedded && go build -o ./tmp/vz-shim ./cmd/vz-shim && codesign --sign - --entitlements vz.entitlements --force ./tmp/vz-shim && mkdir -p lib/hypervisor/vz/vz-shim && cp ./tmp/vz-shim lib/hypervisor/vz/vz-shim/vz-shim && go build -tags containers_image_openpgp -o ./tmp/main ./cmd/api && codesign --sign - --entitlements vz.entitlements --force ./tmp/main"
   delay = 1000
   exclude_dir = ["assets", "tmp", "vendor", "testdata", "bin", "scripts", "data", "kernel"]
   exclude_file = []

lib/hypervisor/vz/starter.go

@@ -57,8 +57,25 @@ func extractShim() (string, error) {
 			return
 		}
 
+		// Write embedded entitlements to a temp file for codesigning
+		entFile, err := os.CreateTemp("", "vz-entitlements-*.plist")
+		if err != nil {
+			os.Remove(f.Name())
+			shimErr = fmt.Errorf("create entitlements temp file: %w", err)
+			return
+		}
+		defer os.Remove(entFile.Name())
+		defer entFile.Close()
+
+		if _, err := entFile.Write(vzEntitlements); err != nil {
+			os.Remove(f.Name())
+			shimErr = fmt.Errorf("write entitlements file: %w", err)
+			return
+		}
+		entFile.Close()
+
 		// Codesign with entitlements for Virtualization.framework
-		cmd := exec.Command("codesign", "--sign", "-", "--entitlements", entitlementsPath(), "--force", f.Name())
+		cmd := exec.Command("codesign", "--sign", "-", "--entitlements", entFile.Name(), "--force", f.Name())
 		if out, err := cmd.CombinedOutput(); err != nil {
 			os.Remove(f.Name())
 			shimErr = fmt.Errorf("codesign vz-shim: %s: %w", string(out), err)
@@ -70,15 +87,6 @@ func extractShim() (string, error) {
 	return shimPath, shimErr
 }
 
-// entitlementsPath returns the path to the vz.entitlements file.
-func entitlementsPath() string {
-	exe, err := os.Executable()
-	if err != nil {
-		return "vz.entitlements"
-	}
-	return filepath.Join(filepath.Dir(exe), "vz.entitlements")
-}
-
 // Starter implements hypervisor.VMStarter for Virtualization.framework.
 type Starter struct{}
 

lib/hypervisor/vz/vz.entitlements

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<!-- Required for Virtualization.framework -->
+	<key>com.apple.security.virtualization</key>
+	<true/>
+	<!-- Required for network operations (NAT, ingress) -->
+	<key>com.apple.security.network.server</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
+</dict>
+</plist>

lib/hypervisor/vz/vz_entitlements.go

@@ -0,0 +1,11 @@
+//go:build darwin
+
+package vz
+
+import _ "embed"
+
+// vzEntitlements contains the embedded vz.entitlements plist file.
+// This is used at runtime to codesign the extracted vz-shim binary.
+//
+//go:embed vz.entitlements
+var vzEntitlements []byte

scripts/install.sh

@@ -348,11 +348,27 @@ else
     info "Extracting..."
     tar -xzf "${TMP_DIR}/${ARCHIVE_NAME}" -C "$TMP_DIR"
 
-    # On macOS, codesign after extraction
+    # On macOS, codesign after extraction with virtualization entitlements
     if [ "$OS" = "darwin" ]; then
         info "Signing binaries..."
-        codesign --force --sign - "${TMP_DIR}/${BINARY_NAME}" 2>/dev/null || true
-        [ -f "${TMP_DIR}/vz-shim" ] && codesign --force --sign - "${TMP_DIR}/vz-shim" 2>/dev/null || true
+        ENTITLEMENTS_TMP="${TMP_DIR}/vz.entitlements"
+        cat > "$ENTITLEMENTS_TMP" << 'ENTITLEMENTS'
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.virtualization</key>
+	<true/>
+	<key>com.apple.security.network.server</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
+</dict>
+</plist>
+ENTITLEMENTS
+        codesign --force --sign - --entitlements "$ENTITLEMENTS_TMP" "${TMP_DIR}/${BINARY_NAME}" 2>/dev/null || true
+        [ -f "${TMP_DIR}/vz-shim" ] && codesign --force --sign - --entitlements "$ENTITLEMENTS_TMP" "${TMP_DIR}/vz-shim" 2>/dev/null || true
+        rm -f "$ENTITLEMENTS_TMP"
     fi
 fi
 
@@ -543,7 +559,7 @@ if [ "$OS" = "darwin" ]; then
     <key>EnvironmentVariables</key>
     <dict>
         <key>PATH</key>
-        <string>/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>${ENV_DICT}
+        <string>/opt/homebrew/opt/e2fsprogs/sbin:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>${ENV_DICT}
     </dict>
     <key>KeepAlive</key>
     <true/>