Add Podman as working runtime backend

[scramb]

Summary

• Adds Podman as a first-class runtime backend alongside Docker, selectable via STRIX_RUNTIME_BACKEND=podman
• Auto-detects Podman sockets across Linux (rootless/rootful) and macOS (applehv/libkrun podman machine)
• Uses the correct host-gateway hostname (host.containers.internal) so container-to-host networking works out of the box with Podman's built-in DNS
• Multi-layer socket fallthrough: STRIX_RUNTIME_SOCKET → DOCKER_HOST → per-backend auto-detection → docker.from_env() default
• Adds 24 unit tests covering backend registry, socket candidate generation, and podman machine inspect JSON parsing
• Resolves all lint errors and adds test infrastructure (pytest, make test) to make check-all

Closes #106

How to use

export STRIX_RUNTIME_BACKEND=podman
strix --target https://example.com

Or point Strix at a specific Podman socket:

export STRIX_RUNTIME_SOCKET=unix:///run/user/1000/podman/podman.sock
strix --target https://example.com

Test plan

• make check-all passes (format, lint, security, 24 tests)
• get_host_gateway returns correct hostname per backend
• Backend registry supports registration and lookup
• Podman socket candidates cover all platform variants
• podman machine inspect JSON parsing handles errors and multi-machine output
• Socket detection gracefully falls through on failure

[greptile-apps]

Greptile Summary

This PR adds Podman as a first-class runtime backend alongside Docker, selectable via STRIX_RUNTIME_BACKEND=podman. It introduces multi-layer socket auto-detection, the correct host.containers.internal host-gateway hostname for Podman, a new STRIX_RUNTIME_SOCKET config override, 24 unit tests, and pytest infrastructure.

• strix/runtime/backends.py: New create_docker_client, get_host_gateway, _podman_socket_candidates, and _macos_podman_machine_sockets functions implement the full socket resolution chain; _podman_backend factory wired into the registry.
• strix/runtime/docker_client.py: StrixDockerSandboxClient gains an __init__ that accepts host_gateway_hostname, replacing the hardcoded host.docker.internal throughout extra_hosts.
• Makefile / pyproject.toml: Adds test target with pytest; type-check was dropped from check-all as a side-effect of this change.

Confidence Score: 3/5

Two issues need attention before merging: a path-separator bug in macOS socket detection and the removal of type-check from the CI pipeline.

The TMPDIR path construction silently produces an invalid socket path whenever TMPDIR lacks a trailing slash, causing macOS socket auto-detection to fail without any error. Separately, type-check was quietly dropped from check-all when the test target was added, removing mypy/pyright from the mandatory CI gates.

strix/runtime/backends.py (TMPDIR path construction) and Makefile (missing type-check in check-all)

Important Files Changed

Filename	Overview
strix/runtime/backends.py	Core of this PR — adds Podman backend, socket auto-detection, and get_host_gateway; contains a TMPDIR path-separator bug that silently drops the macOS fallback socket candidate when TMPDIR lacks a trailing slash
Makefile	Adds test target and wires it into check-all, but accidentally drops type-check from the pipeline, removing a mandatory type-safety gate
strix/runtime/docker_client.py	Adds __init__ override to accept host_gateway_hostname and plumbs it into extra_hosts; the host-gateway special value may not be supported by older Podman compat API versions
strix/runtime/session_manager.py	Correctly replaces hardcoded host.docker.internal with get_host_gateway() for both the manifest environment and container creation
strix/config/settings.py	Adds socket_path field (aliased to STRIX_RUNTIME_SOCKET) to RuntimeSettings; clean and minimal
tests/test_backends.py	24 unit tests covering gateway hostname, backend registry, socket candidates, and JSON parsing; test_includes_tmpdir_when_set only exercises the trailing-slash case, masking the path-separator bug

Prompt To Fix All With AI

Fix the following 4 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 4
strix/runtime/backends.py:102-103
The `TMPDIR` path is concatenated without ensuring a separator between the directory and the `podman/` subdirectory. If `TMPDIR` is set to `/tmp` (no trailing slash), the result is `unix:///tmppodman/podman-machine-default-api.sock` — a completely wrong path that will never match an existing socket, silently dropping this candidate. The test fixture only exercises the trailing-slash case (`/tmp/`), masking the bug.

```suggestion
    if tmpdir:
        candidates.append(f"unix://{tmpdir.rstrip('/')}/podman/podman-machine-default-api.sock")
```

### Issue 2 of 4
Makefile:59
`type-check` was silently dropped from `check-all` when tests were added. Type checking with mypy/pyright was previously a mandatory gate before merging; removing it means the CI pipeline no longer catches type regressions, even though the target is listed in the help text and the `type-check` target still exists.

```suggestion
check-all: format lint type-check security test
```

### Issue 3 of 4
strix/runtime/backends.py:85
`_macos_podman_machine_sockets` is called unconditionally every time `_podman_socket_candidates()` runs, even on Linux. On a Linux host with Podman installed, this spawns a `podman machine inspect` subprocess on every connection attempt (the function still returns `[]` because `machine inspect` exits non-zero on Linux, but the process spawn adds latency). Consider guarding the call with a `sys.platform == "darwin"` check.

### Issue 4 of 4
strix/runtime/docker_client.py:117-118
When the Podman backend is active, `extra_hosts["host.containers.internal"] = "host-gateway"` is passed through the Docker-compatible API. Podman's `host-gateway` support in the compat API was only added in Podman v4.7+; older installations will return a 500/400 error on `containers.create`, crashing session startup. The docstring notes that Podman resolves `host.containers.internal` automatically via its built-in DNS — if that is reliable, this `extra_hosts` entry could be skipped for the Podman case rather than relying on `host-gateway` compat.

_{Reviews (1): Last reviewed commit: "fix: resolve lint errors and add test su..." | Re-trigger Greptile}

[scramb]

partially addresses #164 aswell but we don't auto-detect Orbstack sockets — the auto-detection in _podman_socket_candidates() only probes Podman paths. Full Orbstack support would need a similar socket candidate list added (e.g., ~/.orbstack/run/docker.sock, /var/run/docker.sock for colima, etc.).