fix: durable clock race + dir fsync, cluster backoff/restart bounds, transport+wasm hardening

[joshua-temple]

What this change does

Remediates the durable / cluster / transport / wasm review findings (correctness + perf + docs; no feature behavior change):

• durable: the recording-clock buffer drain + index reads are now behind the clock mutex (closes the Tick-goroutine-vs-drain race, with a concurrent test); FileStore.writeAtomic fsyncs the parent directory after rename to honor the crash-durability claim; replayActorData surfaces a decode error instead of swallowing it; the inert WithRetainTail option is removed (superseded by WithHistory).
• cluster: backoffDelay clamps before the time.Duration conversion (no overflow at maxDelay==0); Tick guards a nil respawner; added Supervisor.Forget(actorID) to bound the restarts map (additive, chosen over eviction so the restart-storm budget is preserved); migration error-path tests added; Capture documents its non-atomic boundary.
• transport: dropped the redundant global init() codec registration (both sides force the codec); StateAt wraps the wire error; added a README and client error-path tests.
• wasm (host safety): runtime built with WithCloseOnContextDone(true) so a runaway guest is cancelled (with a loopguest timeout test); len()-guarded the result-slice indexing that could panic the host; added a variadic CompileOption/WithRuntimeConfig (additive); README allocator note corrected.

Skipped with reasoning: durable Dispatched-set caching (risks the exactly-once invariant against out-of-tree Stores) and tagging cluster/integration_test.go (would drop an in-process test from the default run and break the coverage gate).

Checklist

• Signed off (DCO), conventional commits; feature/ambiguous items skipped with reasons
• All four modules build/test/vet (-race) + lint clean; e2e green