internal/outcome: expose pipewire via pipewire-pulse

This no longer exposes the pipewire socket to the container, and instead mediates access via pipewire-pulse. This makes insecure parts of the protocol inaccessible as explained in the doc comment in hst.

Closes #29.

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/outcome/sppipewire.go

@@ -41,9 +41,13 @@ func (s *spPipeWireOp) toSystem(state *outcomeStateSys) error {
 }
 
 func (s *spPipeWireOp) toContainer(state *outcomeStateParams) error {
+	if s.CompatServerPath == nil {
 		innerPath := state.runtimeDir.Append(pipewire.PW_DEFAULT_REMOTE)
 		state.env[pipewire.Remote] = innerPath.String()
 		state.params.Bind(state.instancePath().Append("pipewire"), innerPath, 0)
+	}
 
+	// pipewire-pulse behaviour implemented in shim.go
+	state.pipewirePulsePath = s.CompatServerPath
 	return nil
 }