live-image: stage agent binary via mkosi.extra

mkosi only mounts live-image/ as /work/src, so the postinst couldn't
reach the repo-root bin/vetting-agent.linux-amd64 — the build failed
in CI with `install: cannot stat '/work/src/bin/vetting-agent.linux-amd64'`.

The Makefile now copies the prebuilt agent into mkosi.extra/, which
mkosi merges into the image root automatically. The postinst is
reduced to creating the multi-user.target.wants symlink.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitignore

@@ -12,6 +12,10 @@
 vetting.yaml
 !deploy/vetting.example.yaml
 live-image/out/
+live-image/mkosi.extra/
+live-image/mkosi.cache/
+live-image/mkosi.output/
+live-image/build/
 .vscode/
 .idea/
 .claude/

live-image/Makefile

@@ -10,9 +10,10 @@ endif
 
 REPO_ROOT := $(abspath ..)
 AGENT_BIN := $(REPO_ROOT)/bin/vetting-agent.linux-amd64
+MKOSI_EXTRA_AGENT := mkosi.extra/usr/local/sbin/vetting-agent
 
 .PHONY: all check-linux agent clean
-all: check-linux agent
+all: check-linux $(MKOSI_EXTRA_AGENT)
 	mkosi --force build
 
 agent: $(AGENT_BIN)
@@ -20,6 +21,11 @@ agent: $(AGENT_BIN)
 $(AGENT_BIN):
 	cd $(REPO_ROOT) && GOOS=linux GOARCH=amd64 go build -o $(AGENT_BIN) ./cmd/vetting-agent
 
+# Stage the prebuilt agent into mkosi.extra/ so mkosi copies it into the
+# image root without the postinst needing to reach outside the source tree.
+$(MKOSI_EXTRA_AGENT): $(AGENT_BIN)
+	install -D -m 0755 $< $@
+
 check-linux:
 ifneq ($(UNAME_S),Linux)
 	@echo "ERROR: live-image must be built on Linux (you're on $(UNAME_S))."
@@ -29,4 +35,4 @@ endif
 	@command -v mkosi >/dev/null 2>&1 || { echo "ERROR: mkosi not installed. Try: apt install mkosi"; exit 1; }
 
 clean:
-	rm -rf build mkosi.output mkosi.cache
+	rm -rf build mkosi.output mkosi.cache mkosi.extra

live-image/mkosi.postinst

@@ -1,15 +1,10 @@
 #!/bin/sh
-# mkosi postinst: install the vetting-agent binary and its systemd unit
+# mkosi postinst: enable the vetting-agent service. The binary lands in
-# into the image. The binary must already be built for linux-amd64 at
+# the image via mkosi.extra/ (staged by the live-image Makefile from
-# repo root under bin/vetting-agent.linux-amd64 (the top-level Makefile
+# ../bin/vetting-agent.linux-amd64); the service unit lands via
-# does this via `make agent-linux`).
+# mkosi.skeleton/. All we need here is the multi-user.target symlink.
 set -eu
 
-AGENT_BIN="${SRCDIR:-..}/bin/vetting-agent.linux-amd64"
+mkdir -p "$BUILDROOT/etc/systemd/system/multi-user.target.wants"
-
-install -D -m 0755 "$AGENT_BIN" "$BUILDROOT/usr/local/sbin/vetting-agent"
-install -D -m 0644 "$SRCDIR/mkosi.skeleton/etc/systemd/system/vetting-agent.service" \
-    "$BUILDROOT/etc/systemd/system/vetting-agent.service"
-
 ln -sf /etc/systemd/system/vetting-agent.service \
     "$BUILDROOT/etc/systemd/system/multi-user.target.wants/vetting-agent.service"