Bump version for envd, require it for nfs

[djeebus]

No description provided.

[cursor]

PR Summary

Low Risk
Low risk: only raises the minimum required envd version for volume mounts and updates the packaged envd version constant; main impact is older templates will now be rejected for volumes until rebuilt.

Overview
Bumps envd to 0.5.12 and raises the minimum envd version required to use sandbox volume mounts from 0.5.8 to 0.5.12, updating tests accordingly so volume-mount support is gated on rebuilt templates.

^{Reviewed by Cursor Bugbot for commit a9febb3. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c1920c3. Configure here.}

[claude]

🟣 Pre-existing bug: When a template has no recorded envd version (nil/empty EnvdVersion), convertAPIVolumesToOrchestratorVolumes returns errNoEnvdVersion, but PostSandboxes does not check for this error — it falls through to the generic handler and returns HTTP 500 with an opaque "failed to convert volume mounts" message instead of a helpful HTTP 400 asking the user to rebuild their template. The fix is to add errors.Is(err, errNoEnvdVersion) alongside the existing errVolumesNotSupported check and return a 400 with a clear rebuild message.

Extended reasoning...

Bug Analysis

What the bug is: In convertAPIVolumesToOrchestratorVolumes, when env.EnvdVersion is nil or an empty string, the function returns the sentinel error errNoEnvdVersion (line 336). The caller, PostSandboxes, has a dedicated error-handling block for the result of this function (lines ~197–218), but it only checks for three specific errors: errVolumesNotSupported, ErrVolumeMountsDisabled, and InvalidVolumeMountsError. errNoEnvdVersion is not among them.

The specific code path: When a user submits a sandbox creation request with volume mounts and their template's EnvdVersion field is nil or empty, execution reaches convertAPIVolumesToOrchestratorVolumes → hits the envdVersion == "" branch → returns (nil, errNoEnvdVersion) → back in PostSandboxes, none of the three if branches match → falls to the final else branch → telemetry.ReportError is called (treating it as an unexpected internal error) → http.StatusInternalServerError is returned with the message "failed to convert volume mounts".

Why existing code doesn't prevent it: The three error checks are each exact sentinel comparisons or type assertions. errNoEnvdVersion is a distinct sentinel defined on line 317, and it is never wrapped when returned (line 336 is a bare return nil, errNoEnvdVersion), so errors.Is would match it — but no such check exists in the handler.

Impact: Users whose templates were built without a recorded envd version receive an opaque HTTP 500 that gives no hint about the root cause or what to do. The correct behavior — returning HTTP 400 with a message like "template must be rebuilt" — already exists for the analogous errVolumesNotSupported case; errNoEnvdVersion simply needs the same treatment.

How to fix it: Add a check immediately after (or before) the errVolumesNotSupported check:

if errors.Is(err, errNoEnvdVersion) {
    a.sendAPIStoreError(c, http.StatusBadRequest, "Template must be rebuilt to support volume mounts (no envd version recorded).")
    return
}

Step-by-step proof:

1. User calls POST /sandboxes with volumeMounts: [{name: "my-vol", path: "/data"}] using a very old template where build.EnvdVersion == nil.
2. PostSandboxes calls convertAPIVolumesToOrchestratorVolumes(..., build).
3. Inside that function: envdVersion := sharedUtils.DerefOrDefault(env.EnvdVersion, "") // returns "".
4. The condition envdVersion == "" is true → function returns nil, errNoEnvdVersion.
5. Back in PostSandboxes: errors.Is(err, errVolumesNotSupported) → false. errors.Is(err, ErrVolumeMountsDisabled) → false. errors.As(err, &vne) for InvalidVolumeMountsError → false.
6. Execution falls to telemetry.ReportError(...) and a.sendAPIStoreError(c, http.StatusInternalServerError, "failed to convert volume mounts").
7. User receives a 500 with no actionable information.

[levb]

LGTM