fix sandbox networking loopback dev servers

[NathanFlurry]

What changed

• Moves JS http.createServer() onto the kernel TCP listener path by accepting real net.Server sockets and dispatching HTTP over bytes.
• Routes host vmFetch/runtime.fetch() to VM-owned kernel TCP listeners before falling back to the legacy object-mode HTTP path.
• Decodes Transfer-Encoding: chunked responses in the Rust host-fetch parser and rejects invalid Transfer-Encoding: chunked plus Content-Length responses.
• Marks ServerResponseBridge responses that use res.write() as streamed, then serializes them as HTTP/1.1 chunked responses when no explicit Content-Length is present.
• Removes the socket-backed HTTP server's coarse pre-append header overflow guard so the authoritative parser checks the header terminator and header byte count after append.
• Reads the test-only host-fetch timeout env override once via OnceLock instead of parsing env on every request.
• Adds host-fetch lifecycle hardening for missing listeners, socket-cap preflight, configured response limits, oversized raw responses, malformed responses, stalled/timeout responses, target-exit cleanup, response-frame overhead, chunked response decoding, and TE/CL rejection.
• Bounds socket-backed HTTP server request headers/header count/body size so incomplete requests fail closed instead of growing isolate memory.
• Keeps socket-backed HTTP keep-alive intentionally deferred with an inline comment, removes the dead same-process HTTP fast-path stub, reuses the secure undici dispatcher, and documents immediate internal event handling.
• Adds a checked-in WASM http_server C fixture and expands the cross-runtime matrix to HTTP and raw TCP rows.
• Covers JS<->JS, JS<->WASM, WASM<->JS, WASM<->WASM, host->JS, host->WASM, JS->host, and WASM->host loopback behavior.
• Splits the cross-runtime matrix gating so JS-only rows still run when C/WASM artifacts are absent.
• Adds runnable docs examples for high-level JS networking, host-loopback exemption, WASM->JS, JS->WASM, host->WASM, and WASM->host.
• Updates the dev-server docs/example and adds docs/testing/networking-bridge-spec.md with the long-term architecture and audit matrix.

Validation

• cargo test -p secure-exec-sidecar http_socket_backed_server --test service -- --nocapture --test-threads=1
• cargo test -p secure-exec-sidecar vm_fetch_ --test service -- --nocapture --test-threads=1
• cargo test -p secure-exec-sidecar javascript_fetch_reaches_http_server_in_parallel_guest_process --test service -- --nocapture --test-threads=1
• rustfmt --edition 2021 --check crates/sidecar/src/execution.rs crates/sidecar/tests/service.rs
• pnpm --dir registry exec vitest run tests/kernel/cross-runtime-network.test.ts
• SECURE_EXEC_WASM_COMMANDS_DIR=/home/nathan/secure-exec/packages/core/commands SECURE_EXEC_C_WASM_COMMANDS_DIR=/tmp/secure-exec-network-fixtures pnpm --dir registry exec vitest run tests/kernel/cross-runtime-network.test.ts
• SECURE_EXEC_WASM_COMMANDS_DIR=/tmp/secure-exec-missing-wasm SECURE_EXEC_C_WASM_COMMANDS_DIR=/tmp/secure-exec-missing-c pnpm --dir registry exec vitest run tests/kernel/cross-runtime-network.test.ts
• SECURE_EXEC_WASM_COMMANDS_DIR=/home/nathan/secure-exec/packages/core/commands pnpm --dir examples/docs/feat-networking start
• SECURE_EXEC_WASM_COMMANDS_DIR=/home/nathan/secure-exec/packages/core/commands SECURE_EXEC_C_WASM_COMMANDS_DIR=/tmp/secure-exec-network-fixtures pnpm --dir examples/docs/feat-networking-wasm start
• SECURE_EXEC_WASM_COMMANDS_DIR=/home/nathan/secure-exec/packages/core/commands pnpm --dir examples/docs/uc-dev-servers start
• pnpm --dir examples/docs/feat-networking check-types
• pnpm --dir examples/docs/feat-networking-wasm check-types
• pnpm --dir examples/docs/uc-dev-servers check-types
• cc -fsyntax-only registry/native/c/programs/http_server.c
• pnpm --dir website build

Scope notes

• Public host raw TCP H3/H4 stays optional: there is no public host byte-stream API today, so requiring it would add new protocol and client surface beyond this networking-stack fix.
• A same-VM DisposeVm during an active host VmFetch is not representable in the current single-client, single-NativeSidecar request handler. Host-fetch failure cleanup is covered by timeout, malformed response, configured/raw limit rejection, socket-cap rejection, and target-exit cleanup rows.

Related issue

Related #88

[railway-app]

🚅 Environment secure-exec-pr-101 in rivet-frontend has no services deployed.