Add minimal control plane with REST API, database, and reconciler

- REST API (chi router): sandbox CRUD, exec, pause/resume, file write/read
- PostgreSQL persistence via pgx/v5 + sqlc (sandboxes table with goose migration)
- Connect RPC client to host agent for all VM operations
- Reconciler syncs host agent state with DB every 30s (detects TTL-reaped sandboxes)
- OpenAPI 3.1 spec served at /openapi.yaml, Swagger UI at /docs
- Added WriteFile/ReadFile RPCs to hostagent proto and implementations
- File upload via multipart form, download via JSON body POST
- sandbox_id propagated from control plane to host agent on create

db/migrations/20260310094104_initial.sql

@@ -0,0 +1,25 @@
+-- +goose Up
+
+CREATE TABLE sandboxes (
+    id              TEXT PRIMARY KEY,
+    owner_id        TEXT NOT NULL DEFAULT '',
+    host_id         TEXT NOT NULL DEFAULT 'default',
+    template        TEXT NOT NULL DEFAULT 'minimal',
+    status          TEXT NOT NULL DEFAULT 'pending',
+    vcpus           INTEGER NOT NULL DEFAULT 1,
+    memory_mb       INTEGER NOT NULL DEFAULT 512,
+    timeout_sec     INTEGER NOT NULL DEFAULT 300,
+    guest_ip        TEXT NOT NULL DEFAULT '',
+    host_ip         TEXT NOT NULL DEFAULT '',
+    created_at      TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    started_at      TIMESTAMPTZ,
+    last_active_at  TIMESTAMPTZ,
+    last_updated    TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX idx_sandboxes_status ON sandboxes(status);
+CREATE INDEX idx_sandboxes_host_status ON sandboxes(host_id, status);
+
+-- +goose Down
+
+DROP TABLE sandboxes;