feat(vm): replace Firecracker with Cloud Hypervisor

Migrate the entire VM layer from Firecracker to Cloud Hypervisor (CH).
CH provides native snapshot/restore via its HTTP API, eliminating the
need for custom UFFD handling, memfile processing, and snapshot header
management that Firecracker required.

Key changes:
- Remove fc.go, jailer.go (FC process management)
- Remove internal/uffd/ package (userfaultfd lazy page loading)
- Remove snapshot/header.go, mapping.go, memfile.go (FC snapshot format)
- Add ch.go (CH HTTP API client over Unix socket)
- Add process.go (CH process lifecycle with unshare+netns)
- Add chversion.go (CH version detection)
- Refactor sandbox manager: remove UFFD socket tracking, snapshot
  parent/diff chaining, FC-specific balloon logic; add crash watcher
- Simplify snapshot/local.go to CH's native snapshot format
- Update VM config: FirecrackerBin → VMMBin, new CH-specific fields
- Update envdclient, devicemapper, network for CH compatibility

internal/sandbox/chversion.go

@@ -0,0 +1,28 @@
+package sandbox
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+)
+
+// DetectCHVersion runs the cloud-hypervisor binary with --version and
+// parses the semver from the output (e.g. "cloud-hypervisor v43.0" → "43.0").
+func DetectCHVersion(binaryPath string) (string, error) {
+	out, err := exec.Command(binaryPath, "--version").Output()
+	if err != nil {
+		return "", fmt.Errorf("run %s --version: %w", binaryPath, err)
+	}
+
+	line := strings.TrimSpace(string(out))
+	for field := range strings.FieldsSeq(line) {
+		v := strings.TrimPrefix(field, "v")
+		if v != field || strings.Contains(field, ".") {
+			if strings.Count(v, ".") >= 1 {
+				return v, nil
+			}
+		}
+	}
+
+	return "", fmt.Errorf("could not parse version from cloud-hypervisor output: %q", line)
+}

internal/sandbox/fcversion.go

@@ -1,30 +0,0 @@
-package sandbox
-
-import (
-	"fmt"
-	"os/exec"
-	"strings"
-)
-
-// DetectFirecrackerVersion runs the firecracker binary with --version and
-// parses the semver from the output (e.g. "Firecracker v1.14.1" → "1.14.1").
-func DetectFirecrackerVersion(binaryPath string) (string, error) {
-	out, err := exec.Command(binaryPath, "--version").Output()
-	if err != nil {
-		return "", fmt.Errorf("run %s --version: %w", binaryPath, err)
-	}
-
-	// Output is typically "Firecracker v1.14.1\n" or similar.
-	line := strings.TrimSpace(string(out))
-	for _, field := range strings.Fields(line) {
-		v := strings.TrimPrefix(field, "v")
-		if v != field || strings.Contains(field, ".") {
-			// Either had a "v" prefix or contains a dot — likely the version.
-			if strings.Count(v, ".") >= 1 {
-				return v, nil
-			}
-		}
-	}
-
-	return "", fmt.Errorf("could not parse version from firecracker output: %q", line)
-}

internal/sandbox/proc.go

@@ -1,9 +1,11 @@
 package sandbox
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
+	"net/http"
 	"os"
 	"strconv"
 	"strings"
@@ -50,10 +52,15 @@ func readCPUStat(pid int) (cpuStat, error) {
 
 // readEnvdMemUsed fetches mem_used from envd's /metrics endpoint. Returns
 // guest-side total - MemAvailable (actual process memory, excluding reclaimable
-// page cache). VmRSS of the Firecracker process includes guest page cache and
+// page cache). VmRSS of the VMM process includes guest page cache and
 // never decreases, so this is the accurate metric for dashboard display.
-func readEnvdMemUsed(client *envdclient.Client) (int64, error) {
-	resp, err := client.HTTPClient().Get(client.BaseURL() + "/metrics")
+func readEnvdMemUsed(ctx context.Context, client *envdclient.Client) (int64, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, client.BaseURL()+"/metrics", nil)
+	if err != nil {
+		return 0, fmt.Errorf("build metrics request: %w", err)
+	}
+
+	resp, err := client.HTTPClient().Do(req)
 	if err != nil {
 		return 0, fmt.Errorf("fetch envd metrics: %w", err)
 	}