Add agent loader bootstrap planning docs

Author: lightsofapollo

planning/README.md

@@ -207,6 +207,7 @@ Phase 1 must complete before Phase 2 or Phase 3 can begin. Phase 2 and Phase 3 c
 | `09-signing.md` | **Entitlements (com.apple.security.virtualization), code signing with Developer ID, notarization, CI signing workflow, distribution (Homebrew, GitHub Releases, cargo install, install script)** |
 | `on-demand-elevation/README.md` | One-command UX with stage-gated elevation: request admin privileges only when offline provisioning requires it; includes security, UX, and rollout plan |
 | `pinned-ipsw-patches/README.md` | Pinned base matrix + signed file-level patch bundle strategy to keep system reliability while enabling no-local-sudo artifact workflows |
+| `agent-loader-bootstrap/README.md` | Stage-0 loader + signed swappable guest-agent artifact plan to avoid frequent image deltas for agent updates |
 | `sandbox/README.md` | Agent sandbox platform track: first-class primitives (`Sandbox`, `Session`, `Run`, `Policy`), Rust library surface, runtime integration plan, and OpenAPI contract |
 | `docker-in-sandbox/README.md` | Full Docker-inside-sandbox platform track: core primitives (`EngineInstance`, `EndpointLease`, filesystem and policy model) and reusable infrastructure surface across SDK/CLI/OpenAPI |
 | `oci-runtime/README.md` | Linux OCI runtime track (current): Linux VM bootstrap, image pulling, container lifecycle, unified API prerequisites |

planning/agent-loader-bootstrap/01-stage0-loader.md

@@ -0,0 +1,55 @@
+# 01: Stage-0 Loader Contract
+
+## Responsibilities
+
+`vz-agent-loader` is a minimal bootstrap executable with a stable contract:
+
+1. Discover the active guest-agent version.
+2. Verify local install metadata before execution.
+3. Execute the selected agent binary with expected args/env.
+4. Emit clear diagnostics and fallback behavior when no valid agent is available.
+
+The loader should avoid feature creep. Business logic belongs in the main guest agent.
+
+## Proposed guest filesystem layout
+
+- Loader binary: `/usr/local/libexec/vz-agent-loader`
+- Launchd plist target:
+  - system mode: `/Library/LaunchDaemons/com.vz.agent.loader.plist`
+  - user mode: `/Library/LaunchAgents/com.vz.agent.loader.plist` or per-user location
+- Agent store root: `/var/lib/vz/agent`
+- Versioned installs: `/var/lib/vz/agent/versions/<version>/vz-guest-agent`
+- Active pointer: `/var/lib/vz/agent/current` (symlink to `versions/<version>`)
+- Update staging: `/var/lib/vz/agent/staging/<txn-id>`
+- State file: `/var/lib/vz/agent/state.json`
+
+## Loader startup sequence
+
+1. Read `state.json` and resolve `current` symlink.
+2. Validate agent binary exists and matches recorded digest.
+3. `execve()` into the resolved agent binary.
+4. If validation fails:
+   - fallback to previous known-good version if available,
+   - otherwise exit with explicit error code and structured log.
+
+## Failure behavior
+
+- Never run an unverified binary.
+- Never mutate installed versions during boot path.
+- Keep startup deterministic: success path is `resolve -> verify -> exec`.
+
+## Compatibility contract
+
+The loader and agent communicate through CLI/env contract, not private ABI.
+
+Required env examples:
+
+- `VZ_AGENT_HOME=/var/lib/vz/agent`
+- `VZ_AGENT_CHANNEL=<channel>`
+- `VZ_AGENT_LOADER_VERSION=<semver>`
+
+## Implementation constraints
+
+1. Keep loader dependency surface minimal.
+2. Keep binary size small enough that bootstrap patch churn is rare.
+3. Add integration test that simulates broken `current` symlink and validates fallback.

planning/agent-loader-bootstrap/02-agent-artifact-and-verification.md

@@ -0,0 +1,58 @@
+# 02: Agent Artifact and Verification Model
+
+## Artifact structure
+
+Each agent release artifact contains:
+
+1. `manifest.json`
+2. `vz-guest-agent` binary
+3. detached signature (`manifest.sig`)
+
+Optional packaging: `tar.zst` with the three files.
+
+## Manifest schema (v1)
+
+Required fields:
+
+- `schema_version`
+- `agent_version` (semver)
+- `channel` (`stable`, `canary`, etc.)
+- `target_os` (`darwin`)
+- `target_arch` (`arm64`)
+- `binary_sha256`
+- `binary_size`
+- `created_at`
+- `min_loader_version`
+- `signing_key_id`
+
+## Trust model
+
+- Loader trusts a pinned set of public keys shipped in bootstrap.
+- Manifest signature must validate against trusted key set.
+- Binary digest and size must match manifest.
+- Any verification failure aborts install.
+
+## Anti-rollback policy
+
+Default rule:
+
+- Reject install if `agent_version` is lower than `state.json` highest known-good for channel.
+
+Override path:
+
+- Explicit `--allow-downgrade` flag for controlled rollback.
+
+## Atomic install algorithm
+
+1. Verify artifact signature and digest in temp staging dir.
+2. Write binary to `staging/<txn-id>/vz-guest-agent`.
+3. Set mode/owner.
+4. Move staging dir to `versions/<version>` (atomic rename).
+5. Swap `current` symlink atomically.
+6. Update `state.json` with `current`, `previous`, and timestamps.
+
+## Recovery model
+
+If install fails before symlink swap, existing `current` remains untouched.
+
+If post-swap startup healthcheck fails, rollback command points `current` to `previous`.

planning/agent-loader-bootstrap/03-update-and-cli-ux.md

@@ -0,0 +1,56 @@
+# 03: Update Flow and CLI UX
+
+## Primary commands
+
+### One-time bootstrap (per base line)
+
+`vz vm bootstrap-agent --image <base.img> --loader <loader-bin> --trust-key <pubkey>`
+
+What it does:
+
+1. Installs loader + launchd plist.
+2. Seeds trust roots and empty agent store layout.
+3. Optionally seeds an initial agent version.
+
+### Routine agent update (no image delta)
+
+`vz vm agent install --artifact <agent.tar.zst> [--image <img> | --name <running-vm>]`
+
+What it does:
+
+1. Verifies signature and manifest.
+2. Installs version atomically.
+3. Flips `current` pointer.
+4. Optionally restarts loader/agent service.
+
+## Update modes
+
+1. Offline image mode:
+   - mounts image root
+   - updates `/var/lib/vz/agent/*`
+   - used for baking new base variants
+2. Online VM mode:
+   - sends artifact to running VM via existing control channel
+   - installs in guest without rebuilding image
+
+## Desired UX simplification
+
+User-facing default should be:
+
+1. Bootstrap once for base image family.
+2. Ship frequent small agent artifacts.
+3. Run a single install command for updates.
+
+No manual bundle JSON, payload dirs, or frequent image deltas for agent-only changes.
+
+## Observability
+
+Add `vz vm agent status`:
+
+- current version
+- previous version
+- last update time
+- channel
+- loader version
+
+Add structured logs/events for install, verify, rollback.

planning/agent-loader-bootstrap/04-rollout-risks.md

@@ -0,0 +1,45 @@
+# 04: Rollout, Validation, and Risks
+
+## Rollout waves
+
+1. Wave 0 (internal):
+   - ship loader and artifact verifier behind feature flag
+   - keep legacy direct-agent bootstrap path
+2. Wave 1 (opt-in):
+   - expose `bootstrap-agent` and `agent install`
+   - document as preferred for fast agent iteration
+3. Wave 2 (default):
+   - default provisioning path installs loader
+   - legacy direct binary patch remains fallback
+4. Wave 3 (cleanup):
+   - reduce direct-agent-in-image updates to exceptional cases only
+
+## Validation matrix
+
+1. Fresh base image bootstrap and first boot.
+2. Online update while VM running.
+3. Offline update on stopped image.
+4. Corrupted artifact (signature fail).
+5. Downgrade reject + explicit rollback allow path.
+6. Startup recovery from broken `current` symlink.
+
+## Risks
+
+1. Loader bug can block agent startup across fleet.
+2. Key rotation mistakes can brick update path.
+3. Version-state corruption can cause bad rollback behavior.
+4. Divergence between offline and online install paths.
+
+## Mitigations
+
+1. Keep loader minimal and heavily tested.
+2. Support multiple trusted keys and overlap rotation windows.
+3. Write `state.json` atomically with checksum.
+4. Reuse a single install engine for offline and online modes.
+
+## Open questions
+
+1. Should `bootstrap-agent` always seed an initial agent artifact?
+2. Should channel selection live in loader config or artifact manifest only?
+3. Do we require healthcheck ack before finalizing `current` switch?
+4. How strict should anti-rollback be for local dev workflows?

planning/agent-loader-bootstrap/README.md

@@ -0,0 +1,55 @@
+# Agent Loader Bootstrap Plan
+
+## Why this plan exists
+
+Current VM bootstrap bundles include the full `vz-guest-agent` binary. That forces frequent patch/delta regeneration whenever the agent changes.
+
+We want a stable bootstrap layer that changes rarely, and a small swappable agent payload that can be updated independently.
+
+## Goals
+
+1. Install a tiny stage-0 loader once per base image line.
+2. Decouple guest-agent updates from image delta distribution.
+3. Make agent updates small, signed, atomic, and rollback-safe.
+4. Preserve unattended startup reliability (`launchd` + pre-login behavior).
+5. Keep `vz vm` UX simple for default users.
+
+## Non-goals
+
+1. Replace all patch infrastructure immediately.
+2. Support unsigned or best-effort agent updates.
+3. Ship a background privileged host daemon in v1.
+
+## Design summary
+
+- Bootstrap image contains:
+  - `vz-agent-loader` (small static-ish binary, stable interface)
+  - launchd plist pointing to loader path, not direct guest-agent path
+  - trust root material for artifact signature verification
+- Loader resolves and executes the current agent from a versioned store.
+- New agent versions are delivered as signed artifacts and installed atomically.
+- No new `.img` delta is required for normal guest-agent releases.
+
+## Document map
+
+- `01-stage0-loader.md` — loader contract, file layout, startup lifecycle.
+- `02-agent-artifact-and-verification.md` — artifact format, signature and rollback rules.
+- `03-update-and-cli-ux.md` — one-command UX and command surface.
+- `04-rollout-risks.md` — rollout waves, validation, risks, and open questions.
+
+## Phase dependency graph
+
+```
+Phase 1: stage-0 loader contract + filesystem layout
+   -> Phase 2: signed agent artifact format + verifier
+   -> Phase 3: update/install commands (offline + online)
+   -> Phase 4: rollout and deprecate frequent image-delta agent updates
+```
+
+## Acceptance criteria
+
+1. New guest-agent release does not require a new image delta in normal path.
+2. Loader starts agent at boot/login according to policy without host-side manual steps.
+3. Agent update is atomic (`current` pointer swap) and rollback-capable.
+4. Invalid signatures or hash mismatches fail closed.
+5. CLI exposes one primary bootstrap command and one primary update command.