Add host agent RPC server with sandbox lifecycle management

Implement the host agent as a Connect RPC server that orchestrates
sandbox creation, destruction, pause/resume, and command execution.
Includes sandbox manager with TTL-based reaper, network slot allocator,
rootfs cloning, hostagent proto definition with generated stubs, and
test/debug scripts. Fix Firecracker process lifetime bug where VM was
tied to HTTP request context instead of background context.

internal/models/sandbox.go

@@ -0,0 +1,32 @@
+package models
+
+import (
+	"net"
+	"time"
+)
+
+// SandboxStatus represents the current state of a sandbox.
+type SandboxStatus string
+
+const (
+	StatusPending SandboxStatus = "pending"
+	StatusRunning SandboxStatus = "running"
+	StatusPaused  SandboxStatus = "paused"
+	StatusStopped SandboxStatus = "stopped"
+	StatusError   SandboxStatus = "error"
+)
+
+// Sandbox holds all state for a running sandbox on this host.
+type Sandbox struct {
+	ID           string
+	Status       SandboxStatus
+	Template     string
+	VCPUs        int
+	MemoryMB     int
+	TimeoutSec   int
+	SlotIndex    int
+	HostIP       net.IP
+	RootfsPath   string
+	CreatedAt    time.Time
+	LastActiveAt time.Time
+}