Rename sandbox prefix to cl-, add MMDS metadata, fix proxy port routing

- Change sandbox ID prefix from sb- to cl- (capsule) throughout
- Fix proxy URL regex character class: base36 uses 0-9a-z, not just hex
- Add MMDS V2 config and metadata to VM boot flow so envd can read
  WRENN_SANDBOX_ID and WRENN_TEMPLATE_ID from inside the guest
- Pass TemplateID through VMConfig into both fresh and snapshot boot paths

internal/vm/manager.go

@@ -71,6 +71,13 @@ func (m *Manager) Create(ctx context.Context, cfg VMConfig) (*VM, error) {
 		return nil, fmt.Errorf("start VM: %w", err)
 	}
 
+	// Step 5: Push sandbox metadata into MMDS so envd can read
+	// WRENN_SANDBOX_ID and WRENN_TEMPLATE_ID from inside the guest.
+	if err := client.setMMDS(ctx, cfg.SandboxID, cfg.TemplateID); err != nil {
+		_ = proc.stop()
+		return nil, fmt.Errorf("set MMDS metadata: %w", err)
+	}
+
 	vm := &VM{
 		Config:  cfg,
 		process: proc,
@@ -108,6 +115,12 @@ func configureVM(ctx context.Context, client *fcClient, cfg *VMConfig) error {
 		return fmt.Errorf("set machine config: %w", err)
 	}
 
+	// MMDS config — enable V2 token access on eth0 so that envd can read
+	// WRENN_SANDBOX_ID and WRENN_TEMPLATE_ID from inside the guest.
+	if err := client.setMMDSConfig(ctx, "eth0"); err != nil {
+		return fmt.Errorf("set MMDS config: %w", err)
+	}
+
 	return nil
 }
 
@@ -238,6 +251,12 @@ func (m *Manager) CreateFromSnapshot(ctx context.Context, cfg VMConfig, snapPath
 		return nil, fmt.Errorf("resume VM: %w", err)
 	}
 
+	// Step 5: Push sandbox metadata into MMDS.
+	if err := client.setMMDS(ctx, cfg.SandboxID, cfg.TemplateID); err != nil {
+		_ = proc.stop()
+		return nil, fmt.Errorf("set MMDS metadata: %w", err)
+	}
+
 	vm := &VM{
 		Config:  cfg,
 		process: proc,