Implement SAND-WP-0008: host telemetry and self-canary

Add profile.sandbox-canary, HostSnapshot/inventory/stale schemas, SSH
collectors, before/after provision deltas, telemetry export to State Hub
and local JSON, default `sandboxer create` self-deploy, inspect/reap-stale
CLI, runbook, and CoulombCore verification (26 tests pass).

docs/meta-framework.md

@@ -14,7 +14,7 @@ agent harnessing, validation, and code generation.
 |----------|-------------|
 | **Profile** | Named, versioned sandbox recipe: extension binding, isolation, network, TTL, placement |
 | **Extension** | Backend adapter implementing provision / wait_ready / teardown |
-| **Host** | Registered placement target for self-hosted extensions |
+| **Host** | Registered placement target for self-hosted extensions; read-only telemetry via `profile.sandbox-canary` (see `docs/host-telemetry.md`) |
 | **Sandbox** | Running instance of a profile |
 | **Snapshot** | Point-in-time workspace checkpoint (deferred — SAND-WP-0003) |
 | **Route** | Extension selection policy when multiple backends qualify |