file_sync: skip nested symlinks during recursive copy

A user who sets `[[file_sync]] host = "~/.aws"` (per the README's
own example) can unintentionally copy files from outside that
directory if .aws contains symlinks. copyHostDir used os.Stat
during recursion, which transparently follows: a symlink to a
credential dir elsewhere would be recursed into, materialising
unrelated secrets inside the guest. For credential trees that's
an avoidable sprawl vector.

Switched copyHostDir's per-entry probe from os.Stat to os.Lstat
and added a default skip-with-warning branch for ModeSymlink.
Files and dirs at the SAME level copy as before; symlinks (both
file and directory flavours) surface a "file_sync skipped
symlink (would escape the requested tree)" warn log and are
otherwise omitted.

Top-level entry paths still follow — the Stat in runFileSync is
unchanged. The user explicitly named that path, so resolving
"~/.aws" through a symlink out of $HOME is on them.

Tests:
- TestRunFileSyncSkipsNestedSymlinks — builds a synced dir with
  both a file symlink and a directory symlink pointing outside
  the tree; asserts real files copy, symlinks do not materialise
  anywhere in the guest mount, and each skipped symlink surfaces
  a warn log entry.

README updated with a one-line note about the skip behaviour so
users know to expect it rather than chasing "why didn't my file
show up."

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

README.md

@@ -201,7 +201,10 @@ mode = "0755"            # optional; default 0600 for files
 Runs at `vm create` time. Each entry copies `host` → `guest` onto
 the VM's work disk (mounted at `/root` in the guest). Guest paths
 must live under `~/` or `/root/...`. Default is no entries — add the
-ones you want.
+ones you want. Symlinks encountered while recursing into a synced
+directory are skipped with a warning — they'd otherwise leak files
+from outside the named tree (e.g. a symlink inside `~/.aws` pointing
+to an unrelated credential dir).
 
 ## Advanced