fix: memory leaks

[NathanFlurry]

Summary

A memory-leak audit of the VM runtime found 12 leaks (the secure-exec half of a cross-repo audit; the agent-os half is rivet-dev/agentos#1535). Common root cause: tracking maps/registries are populated on create but released only on a happy-path teardown that is skipped on an error ? or never runs — plus per-timer threads with no cancellation. Each fix releases on every termination path and ships a fast, safeguard-firing test (no resource-saturation tests, per the testing rules).

Fixes

ID	Crate / file	Leak → fix
H1	sidecar/{vm,service}.rs	dispose_vm_internal removed per-VM tracking only after ~7 fallible ? steps, and the dispose_session/remove_connection loops ?-out on the first failure, abandoning later VMs → VM removed before the fallible teardown half; cleanup runs unconditionally (error surfaced after); loops attempt-all + aggregate
M6	sidecar/{service,vm}.rs	extension_process_output_buffers cleared only on successful handoff → also cleared on VM disposal
M5	sidecar/{service,stdio}.rs	stdio active_sessions set never shrank → disposed sessions are now untracked (also stops the ~250µs event-pump from iterating dead entries)
L4	sidecar/{execution,state}.rs	loopback-TLS registry kept dead Weak entries until the next lazy retain() → endpoints remove their own entry on Drop (guarded by ptr_eq + last-peer check)
H1	sidecar-browser/service.rs	same dispose-short-circuit on vms/contexts (each holding a BrowserKernel) → cleared on every dispose path
H2 / M3	execution/javascript.rs	guest _scheduleTimer / kernel timers spawned untracked OS threads with uncapped delay (thread-exhaustion DoS, Arc pinning) → delay capped + cancellable via generation check + clear-on-teardown
M1	v8-runtime/bridge.rs	VM_CONTEXTS slot freed only on the error path → evicted on context finalize; reused isolates no longer creep to MAX_VM_CONTEXTS
M2	v8-runtime/session.rs	pending promise-resolver v8::Globals could drop after their isolate on run_event_loop early-exit (leak and a V8 lifetime-contract violation) → reset before isolate teardown on every exit path
M4	kernel/socket_table.rs	socket id allocated before the backlog check; full-backlog connect failure leaked it (both unix + inet) → id allocated only after the check passes
L2	vfs/posix/overlay_fs.rs	rename failure orphaned staged snapshot entries → rolled back on copy/rename error
L3	vfs/engine/mem/metadata_store.rs	snapshots grew forever (no delete, gc() was a no-op) → delete_snapshot() + a real gc() that reclaims unreferenced blocks

L1 (the bounded, documented Box::into_raw isolate-handle, ~5 KB, reclaimed at process exit) is intentionally left as-is.

Cross-repo note (enables agent-os H4)

This adds an additive Extension::on_session_disposed hook fired on DisposeReason::ConnectionClosed. agent-os's ACP extension already has a ready cleanup_sessions_for_connection; once this lands and is published, agent-os can override the hook to fully close its H4 (ACP sessions leaking on client disconnect). Additive default = no break for existing Extension impls.

Trust model

All are reachable through ordinary guest execution or session/VM/process churn (in-scope under the sidecar↔executor boundary). H2/M3 and M1 are guest-amplifiable (timer-thread exhaustion; context-slot exhaustion) and also tighten "limits bounded by default" (the previously uncapped timer delay).

Testing

cargo test per crate, all green: sidecar (dispose-lifecycle incl. error-path reclaim, M5 untrack, on_session_disposed-on-ConnectionClosed, L4 registry), sidecar-browser (H1), execution (timer cap + generation suppression), v8-runtime 113 (M1 finalize sweep, M2 reset-before-teardown — V8 tests subprocess-isolated), kernel (full-backlog id not consumed, unix+inet), vfs-core (L2 rollback, L3 delete_snapshot + gc). New V8 tests follow the crate's subprocess convention; no saturation tests added.