Rewrite chromium wrapper.sh as a Go binary (#234)

## Summary

Replaces the bash `wrapper.sh` shipped in `chromium-headful` and
`chromium-headless` with a single Go binary (`server/cmd/wrapper`) that
detects the profile at boot from supervisor's `conf.d` (`xorg.conf` →
headful, `xvfb.conf` → headless).

The wrapper is split into two phases so identity-bound work doesn't
block boot:

- **Phase A** (identity-free) starts `xorg`/`xvfb`, `dbus`,
`chromedriver`, and `chromium` in one `supervisorctl` call, then probes
readiness concurrently. Per-service files (`chromium.go`, `display.go`,
`envoy.go`, `probes.go`, `supervisord.go`, `system.go`) keep each
concern isolated.
- **Phase C** (identity-bound) renders the envoy bootstrap from
`INST_NAME` / `JWT` / `XDS_SERVER` and brings up `kernel-images-api` +
envoy once those are present.

X11 socket readiness is a small shared package (`server/lib/x11`) used
by both the wrapper and the chromium launcher so they agree on what
"display ready" means.

Per-service tweaks:

- supervisor confs: `startsecs=2` → `0` so `supervisorctl start` returns
immediately; the Go wrapper probes readiness directly.
- `init-envoy.sh`: drop the trailing port poll / curl-through-proxy
check — `waitAllReady` covers both, and the script now fails fast on any
error.
- `Kraftfile` `cmd` updated from `/wrapper.sh` to `/wrapper`.
- Envoy proxy CA cert is baked at image build time.

Other behaviour:

- SIGTERM/SIGINT handler is registered before `supervisord` starts so
signals during the seconds-long startup window are caught instead of
killing the wrapper outright.
- Critical boot scripts (`init-envoy.sh`) are streamed via
`runStreamFatal` so failures abort boot instead of being silently
swallowed, matching the old `set -o errexit`.
- The ready log line reports per-probe durations, e.g. `ready in 2.6s
(phaseA=251ms phaseC=289ms; cdp=2.646s chromedriver=1.468s
forward-proxy=2.306s)`.

Cosmetic + non-critical work (`pulseaudio`, `--no-sandbox` infobar
dismissal) runs off the hot path.

## Test plan

- [ ] `go build ./cmd/wrapper` and `go vet ./cmd/wrapper` pass
- [ ] Build chromium-headless image and confirm container reaches
CDP-ready
- [ ] Build chromium-headful image and confirm container reaches
CDP-ready
- [ ] Confirm envoy comes up and the forward-proxy listener is reachable
when `INST_NAME` / `XDS_SERVER` / `KERNEL_INSTANCE_JWT` are set
- [ ] Confirm `RUN_AS_ROOT=true` headful flow still dismisses the
`--no-sandbox` infobar
- [ ] Confirm SIGTERM/SIGINT propagates to supervisord and child
services exit cleanly

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Medium risk because it replaces the container entrypoint/startup
orchestration for both headful and headless Chromium images and changes
Envoy certificate/bootstrap behavior, which could affect boot readiness
and proxy trust in production.
> 
> **Overview**
> **Replaces `wrapper.sh` with a single Go entrypoint (`/wrapper`)** for
both `chromium-headful` and `chromium-headless`, updating Dockerfiles,
Kraft `cmd`, and README examples to use the new binary.
> 
> The new wrapper starts `supervisord` in foreground, brings up core
services in parallel (X server, `dbus`, `chromedriver`, `chromium`), and
performs explicit readiness probes (CDP, chromedriver, optional `neko`,
optional Envoy) instead of relying on `supervisor` delays; corresponding
supervisor `startsecs` values are set to `0`.
> 
> **Envoy setup is split**: a new build-time
`shared/envoy/bake-certs.sh` bakes the forward-proxy CA into system
trust + NSS DBs, while `shared/envoy/init-envoy.sh` now only renders
bootstrap from identity env and starts/restarts Envoy (dropping runtime
cert generation and inline readiness/proxy tests). `chromium-launcher`
now waits for X display (and `mutter` when headful) using a new
`server/lib/x11` helper to avoid restart loops/WM decoration issues.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
ae4b8d3. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: sjmiller609 <7516283+sjmiller609@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: sjmiller609

README.md

@@ -83,7 +83,7 @@ Deployed successfully!
  ├────── service: <service_name>
  ├─ private fqdn: <id>
  ├─── private ip: <ip>
- └───────── args: /wrapper.sh
+ └───────── args: /wrapper
 ```
 
 ### Unikernel Notes

images/chromium-headful/Dockerfile

@@ -27,6 +27,12 @@ RUN --mount=type=cache,target=/root/.cache/go-build,id=$CACHEIDPREFIX-go-build \
     GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \
     go build -ldflags="-s -w" -o /out/chromium-launcher ./cmd/chromium-launcher
 
+# Build container entrypoint wrapper (replaces wrapper.sh)
+RUN --mount=type=cache,target=/root/.cache/go-build,id=$CACHEIDPREFIX-go-build \
+    --mount=type=cache,target=/go/pkg/mod,id=$CACHEIDPREFIX-go-pkg-mod \
+    GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \
+    go build -ldflags="-s -w" -o /out/wrapper ./cmd/wrapper
+
 # webrtc client
 FROM node:22-bullseye-slim AS client
 WORKDIR /src
@@ -356,7 +362,6 @@ COPY --from=xorg-deps /usr/local/lib/xorg/modules/input/neko_drv.so /usr/lib/xor
 COPY images/chromium-headful/image-chromium/ /
 COPY images/chromium-headful/start-pulseaudio.sh /images/chromium-headful/start-pulseaudio.sh
 RUN chmod +x /images/chromium-headful/start-pulseaudio.sh
-COPY images/chromium-headful/wrapper.sh /wrapper.sh
 COPY images/chromium-headful/supervisord.conf /etc/supervisor/supervisord.conf
 COPY images/chromium-headful/supervisor/services/ /etc/supervisor/conf.d/services/
 COPY shared/envoy/supervisor-envoy.conf /etc/supervisor/conf.d/services/envoy.conf
@@ -373,6 +378,7 @@ RUN chmod +x /usr/local/bin/init-envoy.sh
 # copy the kernel-images API binary built in the builder stage
 COPY --from=server-builder /out/kernel-images-api /usr/local/bin/kernel-images-api
 COPY --from=server-builder /out/chromium-launcher /usr/local/bin/chromium-launcher
+COPY --from=server-builder /out/wrapper /wrapper
 
 # Copy and compile the Playwright daemon
 COPY server/runtime/playwright-daemon.ts /tmp/playwright-daemon.ts
@@ -389,4 +395,10 @@ RUN esbuild /tmp/playwright-daemon.ts \
 
 RUN useradd -m -s /bin/bash kernel
 
-ENTRYPOINT [ "/wrapper.sh" ]
+# Bake the envoy forward-proxy CA cert into the image (system trust store +
+# NSS DB for both root and kernel users). See bake-certs.sh for the security
+# rationale on sharing the cert across containers built from this image.
+COPY shared/envoy/bake-certs.sh /usr/local/bin/bake-certs.sh
+RUN chmod +x /usr/local/bin/bake-certs.sh && /usr/local/bin/bake-certs.sh && rm /usr/local/bin/bake-certs.sh
+
+ENTRYPOINT [ "/wrapper" ]

images/chromium-headful/Kraftfile

@@ -9,4 +9,4 @@ labels:
 
 rootfs: ./initrd
 
-cmd: ["/wrapper.sh"]
+cmd: ["/wrapper"]

images/chromium-headful/supervisor/services/chromedriver.conf

@@ -2,6 +2,6 @@
 command=/usr/local/bin/chromedriver --port=9225 --allowed-ips=127.0.0.1 --log-level=INFO
 autostart=false
 autorestart=true
-startsecs=2
+startsecs=0
 stdout_logfile=/var/log/supervisord/chromedriver
 redirect_stderr=true

images/chromium-headful/supervisor/services/dbus.conf

@@ -2,6 +2,6 @@
 command=/bin/bash -lc 'mkdir -p /run/dbus && dbus-uuidgen --ensure && dbus-daemon --system --address=unix:path=/run/dbus/system_bus_socket --nopidfile --nosyslog --nofork'
 autostart=false
 autorestart=true
-startsecs=2
+startsecs=0
 stdout_logfile=/var/log/supervisord/dbus
 redirect_stderr=true

images/chromium-headful/supervisor/services/kernel-images-api.conf

@@ -2,6 +2,6 @@
 command=/bin/bash -lc 'mkdir -p "${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" && PORT="${KERNEL_IMAGES_API_PORT:-10001}" FRAME_RATE="${KERNEL_IMAGES_API_FRAME_RATE:-10}" DISPLAY_NUM="${KERNEL_IMAGES_API_DISPLAY_NUM:-${DISPLAY_NUM:-1}}" MAX_SIZE_MB="${KERNEL_IMAGES_API_MAX_SIZE_MB:-500}" OUTPUT_DIR="${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" LOG_CDP_MESSAGES="${LOG_CDP_MESSAGES:-false}" exec /usr/local/bin/kernel-images-api'
 autostart=false
 autorestart=true
-startsecs=2
+startsecs=0
 stdout_logfile=/var/log/supervisord/kernel-images-api
 redirect_stderr=true

images/chromium-headful/supervisor/services/mutter.conf

@@ -2,6 +2,6 @@
 command=/bin/bash -lc 'XDG_SESSION_TYPE=x11 mutter --replace --sm-disable'
 autostart=false
 autorestart=true
-startsecs=2
+startsecs=0
 stdout_logfile=/var/log/supervisord/mutter
 redirect_stderr=true

images/chromium-headful/supervisor/services/neko.conf

@@ -2,6 +2,6 @@
 command=/usr/bin/neko serve --server.static /var/www --server.bind 0.0.0.0:8080
 autostart=false
 autorestart=true
-startsecs=2
+startsecs=0
 stdout_logfile=/var/log/supervisord/neko
 redirect_stderr=true

images/chromium-headful/supervisor/services/xorg.conf

@@ -2,6 +2,6 @@
 command=/usr/bin/Xorg :1 -config /etc/neko/xorg.conf -noreset -nolisten tcp
 autostart=false
 autorestart=true
-startsecs=2
+startsecs=0
 stdout_logfile=/var/log/supervisord/xorg
 redirect_stderr=true