fix(verifier): accept socket-activated services and stop ConfigFile alias misattribution

[outergod]

Summary

• verify_workload now accepts a service in Inactive state when at least one of its triggering .socket units is Active — socket-activated services are correctly Inactive until first connection. Failed is still always a verification failure.
• desired_target_aliases no longer populates runtime_unit -> managed_id entries for ConfigFile and SocketDropIn workloads. Without this skip, the catch-all in systemd_unit_for_quadlet_file synthesised a <stem>.service alias from any unrecognised extension (e.g. /etc/foo/foo.toml → foo.service), which collided with the real container's runtime unit and last-write-wins re-pointed verification failures from the recoverable container onto the non-recoverable config-file path. That misattributed the failure in the apply report and suppressed the recovery StartUnit action.

How this surfaced

On a host applying the matrix-homeserver source repo, core-ops apply reported:

[↺] container/synapse-app.container                             recovered
[↺] socket/traefik.socket                                       recovered

[!] config/etc/traefik/traefik.toml                             failed
    unit not active: Inactive

— a config file flagged as failed because of a service unit's runtime state. traefik.service was correctly Inactive (socket-activated, no traffic yet), but the verifier didn't model socket activation, and the alias map then routed the failure to traefik.toml whose stem coincidentally matched.

Test plan

• cargo test --all-targets — 447 / 447 pass
• cargo clippy --all-targets -- -D warnings — clean
• cargo run --bin core-ops-release -- validate --base-ref master — Outcome: passed, declared bump patch matches required
• 4 new unit tests in tests/unit/test_verification.rs cover socket-activation acceptance (Inactive-with-Active-socket → success, Failed-state → still fails, all-sockets-Inactive → still fails) and alias-misroute regressions (ConfigFile and SocketDropIn cases)
• New accepted regression scenario tests/fixtures/verification/scenarios/accepted-socket-activated-trigger.yaml executed against a live VM via core-ops-verify run: all 9 assertions passed, teardown complete. The decisive step — second apply after systemctl stop frontend.service — emits 3 unchanged / Outcome: converged (pre-fix, this would have been [!] config/etc/frontend/frontend.toml failed / Outcome: non-converging).

Notes

• Cargo.toml bumped 2.1.0 → 2.1.1; tests/fixtures/provenance_state/valid-success.json follows.
• Release fragment at changes/fix-socket-activated-verification.md (release_intent: patch).

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 04e42f51a6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".