feat(cli): add kerno preflight command

[indenigrate]

What

Adds the kerno preflight subcommand to validate host prerequisites (kernel version, BTF, capabilities, cgroups, etc.) before running the diagnostic engine. Includes a Helm pre-install hook Job and an optional DaemonSet init container.

Why

Fixes #44

When kerno fails to start due to host misconfigurations, users currently see cryptic Go/eBPF verifier errors. This provides a clean, upfront check that reports PASS/FAIL/WARN with actionable, copy-pasteable remediation hints.

How

• Added internal/preflight package containing 10 checks. Uses golang.org/x/sys/unix for capability checks to avoid CGO and new dependencies.
• Added internal/cli/preflight.go for the Cobra command with pretty terminal output and JSON output (--output json).
• Added Helm pre-install hook (preflight-job.yaml) with hostNetwork: true to ensure accurate port checks.
• Added optional initContainers block to the DaemonSet.
• Added ExecStartPre=/usr/local/bin/kerno preflight to the systemd unit.
• Added 19 fixture-based unit tests in checks_test.go that simulate filesystem mounts and synthetic capability masks.

Testing

• go build ./... passes

• go test ./... passes

• go vet ./... passes

• golangci-lint run ./... passes

• Tested locally with: ./bin/kerno preflight (to verify sudo hints) and sudo ./bin/kerno preflight --output json

• N/A — pure docs/refactor (Did not modify BPF C code)

• sudo ./bin/bpf-verify --read 5s confirms 6/6 programs still load

• ./scripts/verify.sh passes (or specific phase: ./scripts/verify.sh quality)

Checklist

• PR title follows Conventional Commits (feat(scope): subject)
• All commits are DCO-signed (git commit -s)
• No unrelated changes pulled in
• Documentation updated where user-visible behavior changed
• Added/updated tests for new code paths
• If a new doctor rule, paired with a chaos scenario in scripts/verify.sh

[btwshivam]

Fix conlicts

[btwshivam]

merge state is conflicting and the branch is on a stale base (merge-base bdfe9a6), so the diff drags in completion.go, doctor.go, kerno-mangen, install.sh, Makefile and others that diverge from main. rebase on upstream main first so the diff is just the preflight feature, then the two notes inline. also note the job validates one node, not every daemonset node, so a mixed-kernel cluster can pass preflight and still fail on some nodes, worth calling out in the docs.

[btwshivam]

the job mounts btf, proc, and cgroup, but CheckTracefs (checks.go:362) looks for /sys/kernel/tracing or /sys/kernel/debug/tracing, and neither is mounted here. the daemonset mounts /sys/kernel/debug (daemonset.yaml), so the actual daemon has it but this pre-install hook doesn't, which means the hook reports a tracefs problem on every healthy node and can block install. add the same /sys/kernel/debug (and tracing) mounts so the job's checks match what the daemon actually runs with.

[btwshivam]

os.Stat only proves the path exists, not that it's readable, but the message says "readable". a root-readable-only or zero-perm vmlinux would pass here and then fail at load. minor, but either open it (os.Open + close) or soften the message. also the Detail says "kernel >= 5.2" while CheckKernelVersion requires 5.8, pick one.

[indenigrate]

Thanks for the review @btwshivam — addressed all points and force-pushed:

Rebase / conflicts. Rebased onto current main (96adb57). The only conflict was in root.go, resolved by keeping both preflightCmd and the newly-merged completionCmd in AddCommand. The diff is now just the preflight feature — no more completion.go, doctor.go, kerno-mangen, install.sh, or Makefile drift.

tracefs mounts (preflight-job.yaml). Added the /sys/kernel/debug hostPath volume + mount to both the pre-install hook Job and the DaemonSet init container, so CheckTracefs sees the same filesystem the daemon runs with. This stops the false tracefs WARN that could block install on healthy nodes.

CheckBTF (checks.go). Switched os.Stat to os.Open + Close so a root-only / zero-perm vmlinux fails here instead of later at load. The message now includes the underlying error, and the Detail says kernel >= 5.8 to match CheckKernelVersion.

Mixed-kernel docs. Documented in values.yaml that the pre-install hook Job validates only one scheduled node (so a mixed-kernel cluster can pass yet still fail on other nodes), and that initContainer: true provides a per-node gate.

Verified: go build, go test ./internal/preflight ./internal/cli, go vet, golangci-lint (0 issues), and helm lint/template all pass.

[btwshivam]

fix conflict