Implement SAND-WP-0005: extension SDK and ext.vm-packer

Add SandboxExtension base class, extension SDK docs, vm-packer attach mode
for build-machines VMs, profile.vm-haskell-build, SSH port support, tests,
and migration docs.

docs/migration-gaps.md

@@ -28,9 +28,21 @@ Recorded after SAND-WP-0002-T10 remote verification on CoulombCore (`92.205.130.
 **e2e-framework migration arc complete** (provision: sand-boxer, validation:
 wise-validator, operator entry: `make e2e`).
 
+## build-machines (SAND-WP-0005) — attach mode delivered
+
+| Legacy (`build-machines`) | sand-boxer today | Notes |
+|---------------------------|------------------|-------|
+| Packer OVA build | Operator-driven (unchanged) | Not triggered by `create` |
+| `make remote-build` rsync + SSH | `sandboxer create --profile profile.vm-haskell-build` | Workspace `/build/sbx-<id>/` |
+| VM teardown | N/A | `destroy` removes workspace only; VM persists |
+| Extension author contract | `docs/extension-sdk.md` | `SandboxExtension` base class |
+
+Deferred: Packer orchestration from API, `make remote-build` shim.
+
 ## sand-boxer follow-ons
 
 | Item | Workplan |
 |------|----------|
-| Self-canary + host telemetry | SAND-WP-0008 |
-| Default `sandboxer create` without repo | SAND-WP-0008-T06 |
+| SaaS extensions + payments | SAND-WP-0006 |
+| Snapshot / restore | SAND-WP-0007 |
+| TTL enforcement + scheduled reap | TBD |