daemon: delete flattenNestedWorkHome and normaliseHomeDirPerms

Both helpers are stranded: commit f068536 dropped their last callers
from ensureAuthorizedKeyOnWorkDisk and seedAuthorizedKeyOnExt4Image,
and commit 6ab1a2b dropped the ensureGitIdentity / runFileSync calls
that still held them up. Every on-disk-patch code path now drives the
ext4 image directly via MkdirExt4 / WriteExt4FileOwned /
EnsureExt4RootPerms.

Also drops TestFlattenNestedWorkHomeCopiesEntriesIndividually —
premise gone with the function. The sshd_config_test comment
referencing normaliseHomeDirPerms now points at EnsureExt4RootPerms.

Net sudo reduction across the five-commit series: work-disk creation,
authsync, image seeding, git identity sync, and file_sync all drop
sudo entirely against user-owned ext4 files. Remaining sudo in
internal/daemon is confined to firecracker process launch, tap/dm
device setup, iptables/NAT, and dmsnap/fcproc — things that
legitimately need CAP_SYS_ADMIN or CAP_NET_ADMIN. MountTempDir stays
on exclusively as an image-build helper.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Thales Maciel 2026-04-23 18:33:06 -03:00
parent 6ab1a2b844
commit 02773c1cf5
No known key found for this signature in database
GPG key ID: 33112E6833C34679
4 changed files with 1 additions and 75 deletions

@ -30,7 +30,7 @@ func TestSshdGuestConfig_Hardened(t *testing.T) {
// Things that must NOT appear. Each has a history and a reason.
mustNotContain := map[string]string{
"LogLevel DEBUG3": "was debug leftover; floods journald",
"StrictModes no": "masked a /root perm drift; real fix is in normaliseHomeDirPerms",
"StrictModes no": "masked a /root perm drift; real fix is EnsureExt4RootPerms at authsync time",
// Blanket "PermitRootLogin yes" (without prohibit-password)
// would re-enable password root login if something else
// flipped PasswordAuthentication back to yes.
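Review bot: the reason string on the "StrictModes no" entry in mustNotContain now names EnsureExt4RootPerms at authsync time as the real fix, but nothing in these lines ties the test to that helper; the entry only asserts that the string is absent from the guest sshd config. With StrictModes left at its default, a regression in the /root ownership or mode written to the ext4 image would surface as sshd ignoring the authorized key, not as a failure in TestSshdGuestConfig_Hardened, so consider naming the test that covers EnsureExt4RootPerms in this comment, or adding one if none exists. Separately, if mustNotContain is applied as a plain substring match, note that sshd_config keywords are case-insensitive, so a variant such as "strictmodes no" or one with extra whitespace would pass the literal "StrictModes no" check.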