Add Podman as working runtime backend

[scramb]

Summary

• Adds Podman as a first-class runtime backend alongside Docker, selectable via STRIX_RUNTIME_BACKEND=podman
• Auto-detects Podman sockets across Linux (rootless/rootful) and macOS (applehv/libkrun podman machine)
• Uses the correct host-gateway hostname (host.containers.internal) so container-to-host networking works out of the box with Podman's built-in DNS
• Multi-layer socket fallthrough: STRIX_RUNTIME_SOCKET → DOCKER_HOST → per-backend auto-detection → docker.from_env() default
• Adds 24 unit tests covering backend registry, socket candidate generation, and podman machine inspect JSON parsing
• Resolves all lint errors and adds test infrastructure (pytest, make test) to make check-all

Closes #106

How to use

export STRIX_RUNTIME_BACKEND=podman
strix --target https://example.com

Or point Strix at a specific Podman socket:

export STRIX_RUNTIME_SOCKET=unix:///run/user/1000/podman/podman.sock
strix --target https://example.com

Test plan

• make check-all passes (format, lint, security, 24 tests)
• get_host_gateway returns correct hostname per backend
• Backend registry supports registration and lookup
• Podman socket candidates cover all platform variants
• podman machine inspect JSON parsing handles errors and multi-machine output
• Socket detection gracefully falls through on failure

[greptile-apps]

Greptile Summary

This PR adds Podman as a first-class runtime backend alongside Docker, selectable via STRIX_RUNTIME_BACKEND=podman. It also addresses all four issues raised in the previous review round (TMPDIR path separator, type-check gate, Linux-side podman machine inspect subprocess, and Podman host-gateway compat).

• Introduces create_docker_client() with a multi-layer socket resolution strategy (explicit socket → DOCKER_HOST → per-backend auto-detection → default) and a _podman_socket_candidates() helper covering Linux rootless/rootful and macOS podman machine sockets.
• Replaces the hardcoded host.docker.internal constant throughout with a backend-aware get_host_gateway() helper; skips the extra_hosts injection entirely for Podman since its built-in DNS handles host.containers.internal natively.
• Adds 24 unit tests with environment isolation via a clean_env fixture, covering the backend registry, socket candidate generation, and podman machine inspect JSON parsing.

Confidence Score: 4/5

Safe to merge once the socket-existence pre-check is added to STRIX_RUNTIME_SOCKET handling in create_docker_client.

The try/except blocks around docker.DockerClient() construction in create_docker_client never fire — docker-py's client is lazy and doesn't open the socket until the first API call. When STRIX_RUNTIME_SOCKET points to a nonexistent path, a broken client is returned silently and the Podman socket fallback and the friendly error panel are bypassed. All other changes are correct and well-structured.

strix/runtime/backends.py — specifically the fallthrough logic in create_docker_client() for STRIX_RUNTIME_SOCKET and DOCKER_HOST.

Important Files Changed

Filename	Overview
strix/runtime/backends.py	Core Podman backend addition: socket discovery, host-gateway helper, and backend registry. The fallthrough-on-failure logic for STRIX_RUNTIME_SOCKET and DOCKER_HOST is effectively dead because docker.DockerClient() construction is lazy and never raises.
strix/runtime/docker_client.py	Adds init override to accept a configurable host_gateway_hostname; skips extra_hosts injection for Podman. Clean and correct.
strix/runtime/session_manager.py	Switches HOST_GATEWAY env var to backend-aware get_host_gateway() helper. Safe change.
strix/interface/utils.py	check_docker_connection() now delegates to create_docker_client(backend) with Podman-specific error messages.
strix/interface/main.py	Adds Podman CLI presence check; replaces hardcoded HOST_GATEWAY_HOSTNAME with get_host_gateway().
tests/test_backends.py	24 tests with proper mocking of subprocess and env vars. Good coverage.
strix/config/settings.py	Adds optional STRIX_RUNTIME_SOCKET setting. Straightforward field addition.
Makefile	Adds pytest test target; check-all retains type-check and adds test.

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
strix/runtime/backends.py:51-62
**Fallthrough-on-failure is dead code for steps 1 and 2**

`docker.DockerClient(base_url=...)` and `docker.from_env()` are lazy — they configure a requests session but never open the socket during construction, so they don't raise `Exception` when the target socket doesn't exist. The `try/except` blocks around both calls therefore never fire.

In practice, if `STRIX_RUNTIME_SOCKET` points to a nonexistent socket, `docker.DockerClient(base_url=socket_path)` returns a healthy-looking client object and the function returns it immediately — the Podman socket candidates (step 3) and the `docker.from_env()` default (step 4) are never reached. The user then gets an uncaught `DockerException` deep inside `pull_docker_image` or `containers.create`, bypassing the friendly "PODMAN NOT AVAILABLE" error message.

The Podman candidate loop at line 65 handles this correctly by pre-screening with `Path(path).exists()`. The same guard should be applied to `socket_path` when it is a `unix://` URI.

### Issue 2 of 2
strix/runtime/backends.py:102-105
The `# -- macOS podman machine temp-dir fallback --` block is intentionally macOS-only (Podman machine stores its API socket under `$TMPDIR` only on macOS), but it runs unconditionally on all platforms. On Linux, `TMPDIR` is commonly set (e.g. to `/tmp`), so `unix:///tmp/podman/podman-machine-default-api.sock` gets appended to every Linux candidate list. `Path.exists()` will reject it, but the comment is misleading and the extra iteration is unnecessary.

```suggestion
    # -- macOS podman machine temp-dir fallback --
    if sys.platform == "darwin":
        tmpdir = os.environ.get("TMPDIR")
        if tmpdir:
            candidates.append(f"unix://{tmpdir.rstrip('/')}/podman/podman-machine-default-api.sock")
```

_{Reviews (2): Last reviewed commit: "fix: address code review — TMPDIR path, ..." | Re-trigger Greptile}

[scramb]

partially addresses #164 aswell but we don't auto-detect Orbstack sockets — the auto-detection in _podman_socket_candidates() only probes Podman paths. Full Orbstack support would need a similar socket candidate list added (e.g., ~/.orbstack/run/docker.sock, /var/run/docker.sock for colima, etc.).

[scramb]

@greptileai can you review again?