feat: rewrite envd guest agent in Rust (envd-rs)

Complete Rust rewrite of the Go envd guest daemon that runs as PID 1
inside Firecracker microVMs. Feature-complete across all 8 phases:

- Health, metrics, and env var endpoints
- Crypto (SHA-256/512, HMAC), auth (secure token, signing), init/snapshot
- Connect RPC via connectrpc + buffa (process + filesystem services)
- File transfer (GET/POST /files) with gzip, multipart, chown, ENOSPC
- Port subsystem (/proc/net/tcp scanner, socat forwarder)
- Cgroup2 manager with noop fallback
- Snapshot/restore lifecycle (conntracker, port subsystem stop/restart)
- SIGTERM graceful shutdown, --cmd initial process spawn
- MMDS metadata polling for Firecracker mode

42 source files, ~4200 LOC, 4.1MB stripped release binary.
Makefile updated: build-envd now targets Rust (musl static),
build-envd-go preserved for Go builds.

envd-rs/src/crypto/sha256.rs

@@ -0,0 +1,33 @@
+use base64::Engine;
+use base64::engine::general_purpose::STANDARD_NO_PAD;
+use sha2::{Digest, Sha256};
+
+pub fn hash(data: &[u8]) -> String {
+    let h = Sha256::digest(data);
+    let encoded = STANDARD_NO_PAD.encode(h);
+    format!("$sha256${encoded}")
+}
+
+pub fn hash_without_prefix(data: &[u8]) -> String {
+    let h = Sha256::digest(data);
+    STANDARD_NO_PAD.encode(h)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_hash_format() {
+        let result = hash(b"test");
+        assert!(result.starts_with("$sha256$"));
+        assert!(!result.contains('='));
+    }
+
+    #[test]
+    fn test_hash_without_prefix() {
+        let result = hash_without_prefix(b"test");
+        assert!(!result.starts_with("$sha256$"));
+        assert!(!result.contains('='));
+    }
+}