Add sandbox snapshot and restore with UFFD lazy memory loading

Implement full snapshot lifecycle: pause (snapshot + free resources),
resume (UFFD-based lazy restore), and named snapshot templates that
can spawn new sandboxes from frozen VM state.

Key changes:
- Snapshot header system with generational diff mapping (inspired by e2b)
- UFFD server for lazy page fault handling during snapshot restore
- Stable rootfs symlink path (/tmp/fc-vm/) for snapshot compatibility
- Templates DB table and CRUD API endpoints (POST/GET/DELETE /v1/snapshots)
- CreateSnapshot/DeleteSnapshot RPCs in hostagent proto
- Reconciler excludes paused sandboxes (expected absent from host agent)
- Snapshot templates lock vcpus/memory to baked-in values
- Proper cleanup of uffd sockets and pause snapshot files on destroy

internal/api/reconciler.go

@@ -62,10 +62,12 @@ func (rc *Reconciler) reconcile(ctx context.Context) {
 		alive[sb.SandboxId] = struct{}{}
 	}
 
-	// Get all DB sandboxes for this host that are running or paused.
+	// Get all DB sandboxes for this host that are running.
+	// Paused sandboxes are excluded: they are expected to not exist on the
+	// host agent because pause = snapshot + destroy resources.
 	dbSandboxes, err := rc.db.ListSandboxesByHostAndStatus(ctx, db.ListSandboxesByHostAndStatusParams{
 		HostID:  rc.hostID,
-		Column2: []string{"running", "paused"},
+		Column2: []string{"running"},
 	})
 	if err != nil {
 		slog.Warn("reconciler: failed to list DB sandboxes", "error", err)