Report concrete runtime type as ownership identity

Client.Name() returned the static RuntimeName constant ("docker"), which
the factory uses to register all Docker-API-compatible runtimes under one
entry. Using it as the per-workload ownership identity collapsed Docker,
Podman, and Colima into "docker", so a workload created under one could be
claimed by another during status reconciliation -- the exact cross-runtime
corruption this PR set out to prevent, still reachable between Docker and
Podman.

Return the concrete runtimeType detected at connection time so each
runtime identifies itself distinctly. The stamp written at create time and
the value compared at reconcile time both come from this method on the same
runtime, so the ownership round-trip holds (a Podman workload stamps
"podman" and is later recognized as Podman-owned).

Released builds never persisted runtime_name, so all existing workloads
take the empty/legacy "assume ours" path and are opportunistically migrated
to their true runtime name on the next healthy reconcile -- no regression.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: JAORMX

pkg/container/docker/client.go

@@ -651,9 +651,19 @@ func (c *Client) AttachToWorkload(ctx context.Context, workloadName string) (io.
 	return resp.Conn, stdoutReader, nil
 }
 
-// Name returns the registered name of this runtime.
-func (*Client) Name() string {
-	return RuntimeName
+// Name returns the name of the concrete runtime this client is connected to
+// (e.g. "docker", "podman", "colima"), as detected at connection time.
+//
+// This intentionally returns the detected runtimeType rather than the static
+// RuntimeName constant used for factory registration. RuntimeName collapses all
+// Docker-API-compatible runtimes under a single "docker" registration, but for
+// workload-ownership tracking each concrete runtime must identify itself
+// distinctly: Docker and Podman are separate daemons with separate containers,
+// so a workload created under one must not be claimed by the other during
+// status reconciliation. Returning the constant would let Podman-owned and
+// Docker-owned workloads share the identity "docker" and corrupt each other.
+func (c *Client) Name() string {
+	return string(c.runtimeType)
 }
 
 // IsRunning checks the health of the container runtime.

pkg/container/docker/client_name_test.go

@@ -0,0 +1,62 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package docker
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	rt "github.com/stacklok/toolhive/pkg/container/runtime"
+)
+
+// TestClientName verifies that Name reports the concrete detected runtime type
+// rather than the static factory-registration constant. Distinct identities are
+// required so that workload-ownership tracking does not let Docker- and
+// Podman-owned workloads (separate daemons) corrupt each other's status.
+func TestClientName(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name        string
+		runtimeType rt.Type
+		want        string
+	}{
+		{name: "docker", runtimeType: rt.TypeDocker, want: "docker"},
+		{name: "podman", runtimeType: rt.TypePodman, want: "podman"},
+		{name: "colima", runtimeType: rt.TypeColima, want: "colima"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			c := &Client{runtimeType: tt.runtimeType}
+			assert.Equal(t, tt.want, c.Name())
+		})
+	}
+}
+
+// TestClientNameOwnershipRoundTrip asserts the property the cross-runtime
+// protection relies on: the identity stamped at create time and the identity
+// compared at reconcile time come from the same Name call, so a workload created
+// under Podman is recognized as Podman-owned (and not as Docker-owned) later.
+func TestClientNameOwnershipRoundTrip(t *testing.T) {
+	t.Parallel()
+
+	podman := &Client{runtimeType: rt.TypePodman}
+	docker := &Client{runtimeType: rt.TypeDocker}
+
+	// Identity recorded on the RunConfig when the workload is created.
+	stampedAtCreate := podman.Name()
+
+	// Same Podman runtime later reconciling: must recognize ownership.
+	assert.Equal(t, stampedAtCreate, podman.Name(),
+		"podman must recognize its own workloads across calls")
+
+	// A different runtime (Docker) reconciling the same workload: must NOT
+	// claim ownership, otherwise it would corrupt the Podman workload's status.
+	assert.NotEqual(t, stampedAtCreate, docker.Name(),
+		"docker must not claim ownership of a podman-created workload")
+}