feat(sdk): capture firecracker stdio via console_path

[PeronGH]

Depends on #5 — this branch is based on fix/validate-vm-id, so hold off on merging until that lands. Will retarget to master once #5 is in.

Summary

Firecracker pipes the guest serial console (ttyS0) to its own stdout. FirecrackerProcessBuilder::spawn was leaving stdio on inherit, so the kernel boot log landed wherever the parent's stdout happened to go — and if that parent's stdout closed (e.g. piped through head), firecracker spammed Failed the write to serial: BrokenPipe into its own log-path file. Long-running callers like arcbox-agent couldn't actually see whether the kernel made it to userspace.

This PR adds four additive knobs to FirecrackerProcessBuilder:

• console_path(path) — the common case. Opens the file in create+append mode at spawn() time and routes both stdout and stderr to it (the stderr fd is a try_clone of the stdout fd, so they land in the same file). Matches the existing log_path / metrics_path style.
• stdin(Stdio) / stdout(Stdio) / stderr(Stdio) — raw std::process::Stdio overrides for callers that need Stdio::null(), Stdio::piped(), or a specific File.

Resolution order at spawn(): explicit per-channel override wins, else console_path fills any unset stdout/stderr, else the channel inherits from the parent (today's default). Refactored into apply_stdio so the decision matrix is testable without a live firecracker binary.

fc-cli gains a --console-path flag on the firecracker backend; the jailer backend rejects it with a clear error for now. JailerProcessBuilder carries a TODO near its spawn documenting the follow-up — jailer's --daemonize detaches stdio, so the semantics need their own design.

Additive only — bump 0.3.0 → 0.3.1.

Test plan

• `cargo test -p fc-sdk` — 21 unit tests pass (five new for `apply_stdio`: both-channels-to-console, explicit override wins per channel, append preserves prior content, missing parent dir surfaces as `Error::Io`, no-config noop), plus existing vm_id / builder / doc-tests.
• `cargo test --workspace` — full suite green.
• `cargo clippy --workspace --all-targets -- -D warnings` — clean.
• `cargo fmt --check` — clean.
• Manual repro (reviewer-side): `fc-cli start --console-path /tmp/fc-con.log --kernel ... --rootfs ...` against a bootable template; `/tmp/fc-con.log` should contain the kernel boot messages, and firecracker's own `--log-path` file should be free of `BrokenPipe` spam.