feat(vm): replace Firecracker with Cloud Hypervisor

Migrate the entire VM layer from Firecracker to Cloud Hypervisor (CH).
CH provides native snapshot/restore via its HTTP API, eliminating the
need for custom UFFD handling, memfile processing, and snapshot header
management that Firecracker required.

Key changes:
- Remove fc.go, jailer.go (FC process management)
- Remove internal/uffd/ package (userfaultfd lazy page loading)
- Remove snapshot/header.go, mapping.go, memfile.go (FC snapshot format)
- Add ch.go (CH HTTP API client over Unix socket)
- Add process.go (CH process lifecycle with unshare+netns)
- Add chversion.go (CH version detection)
- Refactor sandbox manager: remove UFFD socket tracking, snapshot
  parent/diff chaining, FC-specific balloon logic; add crash watcher
- Simplify snapshot/local.go to CH's native snapshot format
- Update VM config: FirecrackerBin → VMMBin, new CH-specific fields
- Update envdclient, devicemapper, network for CH compatibility

pkg/cpserver/run.go

@@ -177,10 +177,11 @@ func Run(opts ...Option) {
 		Config:    cfg,
 	}
 
-	// Host monitor (passive + active reconciliation every 60s).
-	// Created before API server so the heartbeat handler can trigger immediate
-	// reconciliation when a host recovers from unreachable.
-	monitor := api.NewHostMonitor(queries, hostPool, al, 60*time.Second)
+	// Host monitor (safety-net reconciliation every 5 minutes).
+	// Primary state sync is push-based (host agent callbacks + CP background
+	// goroutines). The monitor acts as a fallback for missed events, host death
+	// detection, and transient status resolution.
+	monitor := api.NewHostMonitor(queries, hostPool, al, 5*time.Minute)
 
 	// API server.
 	srv := api.New(queries, hostPool, hostScheduler, pool, rdb, []byte(cfg.JWTSecret), oauthRegistry, cfg.OAuthRedirectURL, ca, al, channelSvc, mailer, o.extensions, sctx, monitor, o.version)