Add pre-pause proxy connection drain and sandbox proxy caching

Introduce ConnTracker (atomic.Bool + WaitGroup) to track in-flight proxy
connections per sandbox. Before pausing a VM, the manager drains active
connections with a 2s grace period, preventing Go runtime corruption
inside the guest caused by stale TCP state surviving Firecracker
snapshot/restore.

Also add:
- AcquireProxyConn on Manager for atomic lookup + connection tracking
- Proxy cache (120s TTL) on CP SandboxProxyWrapper with single-query
  DB lookup (GetSandboxProxyTarget) to avoid two round-trips
- Reset() on ConnTracker to re-enable connections if pause fails

internal/hostagent/proxy.go

@@ -8,7 +8,6 @@ import (
 	"strconv"
 	"strings"
 
-	"git.omukk.dev/wrenn/sandbox/internal/models"
 	"git.omukk.dev/wrenn/sandbox/internal/sandbox"
 )
 
@@ -62,18 +61,14 @@ func (h *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	sb, err := h.mgr.Get(sandboxID)
-	if err != nil {
-		http.Error(w, "sandbox not found", http.StatusNotFound)
+	hostIP, tracker, ok := h.mgr.AcquireProxyConn(sandboxID)
+	if !ok {
+		http.Error(w, "sandbox is not available", http.StatusServiceUnavailable)
 		return
 	}
+	defer tracker.Release()
 
-	if sb.Status != models.StatusRunning {
-		http.Error(w, fmt.Sprintf("sandbox is not running (status: %s)", sb.Status), http.StatusConflict)
-		return
-	}
-
-	targetHost := fmt.Sprintf("%s:%d", sb.HostIP.String(), portNum)
+	targetHost := fmt.Sprintf("%s:%d", hostIP, portNum)
 
 	proxy := &httputil.ReverseProxy{
 		Transport: h.transport,