fix: graceful TPM fallback in VM creation, fix vm_destroy cleanup

vm_create() now handles swtpm initialization gracefully:
- Pre-initializes swtpm state dir if /var/lib/libvirt/swtpm/ is writable
- Falls back to VM without TPM if swtpm setup fails (with clear warnings)
- Uses PID-suffixed paths for disk and ISO to avoid stale file conflicts
- Removed unused VM_DISK_PATH/VM_ISO_PATH globals (now local vars)

vm_destroy() cleanup:
- No longer references undefined local variables from vm_create
- Uses glob patterns to clean all VM files in /tmp/
- Explicitly preserves ISO in output/

Template changes:
- TPM is now @TPM_SECTION@ placeholder (injected based on swtpm availability)
- Allows same template to work with or without TPM

AGENTS.md additions:
- VM testing & swtpm setup documentation
- Direct QEMU alternative when libvirt has issues
- Session lessons: never delete ISO, never remove TPM, always test E2E

All 523 unit tests pass, 0 lint warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

vm/template.xml

@@ -24,9 +24,7 @@
   </clock>
   <devices>
     <emulator>/usr/bin/qemu-system-x86_64</emulator>
-    <tpm model='tpm-crb'>
-      <backend type='emulator' version='2.0'/>
-    </tpm>
+    @TPM_SECTION@
     <disk type='file' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source file='@VM_DISK@'/>