Add unikernel runtime: run services as Nanos VMs under QEMU/KVM

Implements the hypervisor design's Phase 1: a second runtime.Runtime
backend (QEMU) that runs each service component as a Nanos unikernel VM
instead of a podman container, selected per-component via a new
runtime = "unikernel" service-def field.

- internal/runtime/qemu.go: QEMURuntime. Pull extracts the ELF from the
  OCI image; Run does `ops build` + boots qemu-system-x86_64 with KVM,
  user-mode net port-forwards, QMP control socket and serial console log;
  Stop/Remove/Inspect/List/Logs map onto VM lifecycle + state dir.
- proto/registry/servicedef: add runtime, memory_mb, vcpus fields
  (registry migration 5).
- agent: holds both runtimes; runtimeFor() selects per component;
  listAllContainers() merges containers + VMs so drift/status see both.
  Unikernel runtime auto-enables on nodes with /dev/kvm + ops.

Validated end-to-end on straylight: a test service deploys via
`mcp deploy --direct`, boots as a Nanos unikernel, serves HTTP through
the agent port-forward, and reports running via `mcp status`/`mcp logs`.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

internal/registry/services.go

@@ -10,15 +10,16 @@ import (
 type Service struct {
 	Name      string
 	Active    bool
+	Comment   string
 	CreatedAt time.Time
 	UpdatedAt time.Time
 }
 
 // CreateService creates a new service in the registry.
-func CreateService(db *sql.DB, name string, active bool) error {
+func CreateService(db *sql.DB, name string, active bool, comment string) error {
 	_, err := db.Exec(
-		"INSERT INTO services (name, active) VALUES (?, ?)",
-		name, active,
+		"INSERT INTO services (name, active, comment) VALUES (?, ?, ?)",
+		name, active, comment,
 	)
 	if err != nil {
 		return fmt.Errorf("create service %q: %w", name, err)
@@ -31,9 +32,9 @@ func GetService(db *sql.DB, name string) (*Service, error) {
 	s := &Service{}
 	var createdAt, updatedAt string
 	err := db.QueryRow(
-		"SELECT name, active, created_at, updated_at FROM services WHERE name = ?",
+		"SELECT name, active, comment, created_at, updated_at FROM services WHERE name = ?",
 		name,
-	).Scan(&s.Name, &s.Active, &createdAt, &updatedAt)
+	).Scan(&s.Name, &s.Active, &s.Comment, &createdAt, &updatedAt)
 	if err != nil {
 		return nil, fmt.Errorf("get service %q: %w", name, err)
 	}
@@ -44,7 +45,7 @@ func GetService(db *sql.DB, name string) (*Service, error) {
 
 // ListServices returns all services.
 func ListServices(db *sql.DB) ([]Service, error) {
-	rows, err := db.Query("SELECT name, active, created_at, updated_at FROM services ORDER BY name")
+	rows, err := db.Query("SELECT name, active, comment, created_at, updated_at FROM services ORDER BY name")
 	if err != nil {
 		return nil, fmt.Errorf("list services: %w", err)
 	}
@@ -54,7 +55,7 @@ func ListServices(db *sql.DB) ([]Service, error) {
 	for rows.Next() {
 		var s Service
 		var createdAt, updatedAt string
-		if err := rows.Scan(&s.Name, &s.Active, &createdAt, &updatedAt); err != nil {
+		if err := rows.Scan(&s.Name, &s.Active, &s.Comment, &createdAt, &updatedAt); err != nil {
 			return nil, fmt.Errorf("scan service: %w", err)
 		}
 		s.CreatedAt, _ = time.Parse("2006-01-02 15:04:05", createdAt)
@@ -64,11 +65,15 @@ func ListServices(db *sql.DB) ([]Service, error) {
 	return services, rows.Err()
 }
 
-// UpdateServiceActive updates a service's active flag.
-func UpdateServiceActive(db *sql.DB, name string, active bool) error {
-	res, err := db.Exec(
-		"UPDATE services SET active = ?, updated_at = datetime('now') WHERE name = ?",
-		active, name,
+// UpdateServiceActive updates a service's active flag and comment. If comment
+// is empty, the existing comment is preserved.
+func UpdateServiceActive(db *sql.DB, name string, active bool, comment string) error {
+	res, err := db.Exec(`
+		UPDATE services SET active = ?,
+			comment = CASE WHEN ? = '' THEN comment ELSE ? END,
+			updated_at = datetime('now')
+		WHERE name = ?`,
+		active, comment, comment, name,
 	)
 	if err != nil {
 		return fmt.Errorf("update service %q: %w", name, err)