Move subsystem state/locks off Daemon into owning types

Daemon no longer owns a coarse mu shared across unrelated concerns.
Each subsystem now carries its own state and lock:

- tapPool: entries, next, and mu move onto a new tapPool struct.
- sessionRegistry: sessionControllers + its mutex move off Daemon.
- opRegistry[T asyncOp]: generic registry collapses the two ad-hoc
  vm-create and image-build operation maps (and their mutexes) into one
  shared type; the Begin/Status/Cancel/Prune methods simplify.
- vmLockSet: the sync.Map of per-VM mutexes moves into its own type;
  lockVMID forwards.
- Daemon.mu splits into imageOpsMu (image-registry mutations) and
  createVMMu (CreateVM serialisation) so image ops and VM creates no
  longer block each other.

Lock ordering collapses to vmLocks[id] -> {createVMMu, imageOpsMu} ->
subsystem-local leaves. doc.go and ARCHITECTURE.md updated.

No behavior change; tests green.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/daemon/tap_pool.go

@@ -5,10 +5,19 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
+	"sync"
 )
 
 const tapPoolPrefix = "tap-pool-"
 
+// tapPool owns the idle TAP interface cache plus the monotonic index used to
+// name new pool entries. All access goes through mu.
+type tapPool struct {
+	mu      sync.Mutex
+	entries []string
+	next    int
+}
+
 func (d *Daemon) initializeTapPool(ctx context.Context) error {
 	if d.config.TapPoolSize <= 0 || d.store == nil {
 		return nil
@@ -23,9 +32,9 @@ func (d *Daemon) initializeTapPool(ctx context.Context) error {
 			next = index + 1
 		}
 	}
-	d.tapPoolMu.Lock()
-	d.tapPoolNext = next
-	d.tapPoolMu.Unlock()
+	d.tapPool.mu.Lock()
+	d.tapPool.next = next
+	d.tapPool.mu.Unlock()
 	return nil
 }
 
@@ -42,14 +51,14 @@ func (d *Daemon) ensureTapPool(ctx context.Context) {
 		default:
 		}
 
-		d.tapPoolMu.Lock()
-		if len(d.tapPool) >= d.config.TapPoolSize {
-			d.tapPoolMu.Unlock()
+		d.tapPool.mu.Lock()
+		if len(d.tapPool.entries) >= d.config.TapPoolSize {
+			d.tapPool.mu.Unlock()
 			return
 		}
-		tapName := fmt.Sprintf("%s%d", tapPoolPrefix, d.tapPoolNext)
-		d.tapPoolNext++
-		d.tapPoolMu.Unlock()
+		tapName := fmt.Sprintf("%s%d", tapPoolPrefix, d.tapPool.next)
+		d.tapPool.next++
+		d.tapPool.mu.Unlock()
 
 		if err := d.createTap(ctx, tapName); err != nil {
 			if d.logger != nil {
@@ -58,9 +67,9 @@ func (d *Daemon) ensureTapPool(ctx context.Context) {
 			return
 		}
 
-		d.tapPoolMu.Lock()
-		d.tapPool = append(d.tapPool, tapName)
-		d.tapPoolMu.Unlock()
+		d.tapPool.mu.Lock()
+		d.tapPool.entries = append(d.tapPool.entries, tapName)
+		d.tapPool.mu.Unlock()
 
 		if d.logger != nil {
 			d.logger.Debug("tap added to idle pool", "tap_device", tapName)
@@ -69,14 +78,14 @@ func (d *Daemon) ensureTapPool(ctx context.Context) {
 }
 
 func (d *Daemon) acquireTap(ctx context.Context, fallbackName string) (string, error) {
-	d.tapPoolMu.Lock()
-	if n := len(d.tapPool); n > 0 {
-		tapName := d.tapPool[n-1]
-		d.tapPool = d.tapPool[:n-1]
-		d.tapPoolMu.Unlock()
+	d.tapPool.mu.Lock()
+	if n := len(d.tapPool.entries); n > 0 {
+		tapName := d.tapPool.entries[n-1]
+		d.tapPool.entries = d.tapPool.entries[:n-1]
+		d.tapPool.mu.Unlock()
 		return tapName, nil
 	}
-	d.tapPoolMu.Unlock()
+	d.tapPool.mu.Unlock()
 
 	if err := d.createTap(ctx, fallbackName); err != nil {
 		return "", err
@@ -90,13 +99,13 @@ func (d *Daemon) releaseTap(ctx context.Context, tapName string) error {
 		return nil
 	}
 	if isTapPoolName(tapName) {
-		d.tapPoolMu.Lock()
-		if len(d.tapPool) < d.config.TapPoolSize {
-			d.tapPool = append(d.tapPool, tapName)
-			d.tapPoolMu.Unlock()
+		d.tapPool.mu.Lock()
+		if len(d.tapPool.entries) < d.config.TapPoolSize {
+			d.tapPool.entries = append(d.tapPool.entries, tapName)
+			d.tapPool.mu.Unlock()
 			return nil
 		}
-		d.tapPoolMu.Unlock()
+		d.tapPool.mu.Unlock()
 	}
 	_, err := d.runner.RunSudo(ctx, "ip", "link", "del", tapName)
 	if err == nil {