Move subsystem state/locks off Daemon into owning types

Daemon no longer owns a coarse mu shared across unrelated concerns.
Each subsystem now carries its own state and lock:

- tapPool: entries, next, and mu move onto a new tapPool struct.
- sessionRegistry: sessionControllers + its mutex move off Daemon.
- opRegistry[T asyncOp]: generic registry collapses the two ad-hoc
  vm-create and image-build operation maps (and their mutexes) into one
  shared type; the Begin/Status/Cancel/Prune methods simplify.
- vmLockSet: the sync.Map of per-VM mutexes moves into its own type;
  lockVMID forwards.
- Daemon.mu splits into imageOpsMu (image-registry mutations) and
  createVMMu (CreateVM serialisation) so image ops and VM creates no
  longer block each other.

Lock ordering collapses to vmLocks[id] -> {createVMMu, imageOpsMu} ->
subsystem-local leaves. doc.go and ARCHITECTURE.md updated.

No behavior change; tests green.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/daemon/doc.go

@@ -51,11 +51,11 @@
 //	runtime_assets.go paths to bundled companion binaries
 //	web.go            embedded web UI server
 //
-// Lock ordering (current, pre-refactor):
+// Lock ordering:
 //
-//	vmLocks[id]  →  mu  →  {createOpsMu, imageBuildOpsMu, tapPoolMu}
+//	vmLocks[id]  →  {createVMMu, imageOpsMu}  →  subsystem-local locks
 //
-// The coarse mu currently guards unrelated state (session controllers,
-// image registry mutations, in-flight VM create bookkeeping) and is the
-// target of the Phase 2 split. See ARCHITECTURE.md for details.
+// Subsystem-local locks live on the owning type (tapPool.mu,
+// sessionRegistry.mu, opRegistry.mu, guestSessionController.attachMu/writeMu)
+// and do not contend with each other. See ARCHITECTURE.md for details.
 package daemon