fix(hypervisor): reconcile Error→Running when VMM process is alive

[CMGS]

Summary

• A VM stuck in State=Error with the VMM process still alive (e.g. after MarkError following a transient stop-API failure) had no recovery path: PrepareStart's already-running branch returned without flipping DB state, so vm start was a silent no-op and inspect showed misleading Error forever — the only escape was vm rm --force.
• PrepareStart now calls reconcileToRunning when WithRunningVM confirms the process is alive but the record drifted off Running.
• Ledger is intentionally not touched: the compute interval is already open and matches the live process; emitting a second start would double-count.

Trigger sequence

1. VM Running, ledger has compute.start, process alive
2. vm stop vm1 graceful → vm.shutdown HTTP times out / ctx-cancel → HandleStopResult calls MarkError → State=Error
3. VMM process is still alive (shutdown was just an ACPI hint)
4. vm start vm1 → PrepareStart → WithRunningVM sees process alive → previously returned nil, nil; now reconciles State→Running first

Test plan

• TestReconcileToRunningFromError — verifies Running→MarkError→reconcile flips State without emitting
• TestReconcileToRunningIdempotent — verifies reconcile on a healthy Running VM is a no-op
• make fmt-check && make lint && go test -race ./... — 21 packages green, lint 0, fmt 0
• AST layout audit — 0 violations