refactor(vm): eliminate host-side kubectl dependency from boot pipeline

Remove all kubectl calls from the host-side boot sequence, eliminating
the need to forward port 6443 (kube-apiserver) outside the VM.

Changes:
- wait_for_gateway_service: TCP probe only (30051), no kubectl pod check
- bootstrap_gateway: cold boot writes TLS secret manifests via virtio-fs
  into k3s auto-deploy dir instead of kubectl apply
- bootstrap_gateway: warm boot skips namespace wait (TCP probe suffices)
- recover_stale_pods: removed entirely (gateway-init.sh already cleans
  containerd runtime/sandbox state, CNI state, and network namespaces)
- Kubeconfig copy moved to best-effort post-readiness (for debugging)
- Port 6443 removed from gvproxy port_map

Removed functions: recover_stale_pods, wait_for_namespace,
apply_tls_secrets, kubectl_apply.

Net: -362 lines, +147 lines. No kubectl binary required on host.

Author: drew