Add host agent RPC server with sandbox lifecycle management

Implement the host agent as a Connect RPC server that orchestrates
sandbox creation, destruction, pause/resume, and command execution.
Includes sandbox manager with TTL-based reaper, network slot allocator,
rootfs cloning, hostagent proto definition with generated stubs, and
test/debug scripts. Fix Firecracker process lifetime bug where VM was
tied to HTTP request context instead of background context.

internal/filesystem/clone.go

@@ -0,0 +1,16 @@
+package filesystem
+
+import (
+	"fmt"
+	"os/exec"
+)
+
+// CloneRootfs creates a copy-on-write clone of the base rootfs image.
+// Uses reflink if supported by the filesystem, falls back to regular copy.
+func CloneRootfs(src, dst string) error {
+	cmd := exec.Command("cp", "--reflink=auto", src, dst)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("cp --reflink=auto: %s: %w", string(out), err)
+	}
+	return nil
+}

internal/filesystem/images.go

@@ -0,0 +1 @@
+package filesystem