Pre-pause snapshot signal to prevent Go runtime crash on restore

envd crashes with "fatal error: bad summary data" after Firecracker
snapshot/restore because the page allocator radix tree is inconsistent
when vCPUs are frozen mid-allocation. The port scanner goroutine
allocates heavily every second, making it the primary trigger.

Add POST /snapshot/prepare to envd — the host agent calls it before
vm.Pause to quiesce continuous goroutines and force GC. On restore,
PostInit restarts the port subsystem via the existing /init endpoint.

- New PortSubsystem abstraction with Start/Stop/Restart lifecycle
- Context-based goroutine cancellation (replaces irreversible channel close)
- Context-aware Signal to prevent scanner/forwarder deadlock
- Fix forwarder goroutine leak (was spinning forever on closed channel)
- Kill socat children on stop to prevent orphans across snapshots
- Fix double cmd.Wait panic (exec.Command instead of CommandContext)

internal/sandbox/manager.go

@@ -327,6 +327,20 @@ func (m *Manager) Pause(ctx context.Context, sandboxID string) error {
 	sb.connTracker.Drain(2 * time.Second)
 	slog.Debug("pause: proxy connections drained", "id", sandboxID)
 
+	// Step 0b: Signal envd to quiesce continuous goroutines (port scanner,
+	// forwarder) and run GC before freezing vCPUs. This prevents Go runtime
+	// page allocator corruption ("bad summary data") on snapshot restore.
+	// Best-effort: a failure is logged but does not abort the pause.
+	func() {
+		prepCtx, prepCancel := context.WithTimeout(ctx, 3*time.Second)
+		defer prepCancel()
+		if err := sb.client.PrepareSnapshot(prepCtx); err != nil {
+			slog.Warn("pause: pre-snapshot quiesce failed (best-effort)", "id", sandboxID, "error", err)
+		} else {
+			slog.Debug("pause: envd goroutines quiesced", "id", sandboxID)
+		}
+	}()
+
 	pauseStart := time.Now()
 
 	// Step 1: Pause the VM (freeze vCPUs).