fix(nodejs): scope npm/npx host fallback roots

[atharvasingh7007]

Summary

• scope npm/npx host fallback reads to the resolved npm package roots
• only retry host reads after ENOENT from the kernel VFS
• keep write-like operations on the kernel VFS and add regression coverage for the fallback wrapper

Why

The host fallback wrapper in packages/nodejs/src/kernel-runtime.ts currently retries host filesystem reads after any kernel-VFS read failure. During npm/npx execution that can broaden fallback beyond npm's own installation tree instead of limiting it to npm-owned files.

This change derives explicit allowed host roots from the resolved npm/npx entry package, preserves non-ENOENT failures from the base VFS, and removes host fallback for pwrite so the wrapper stays read-only.

Validation

• pnpm --filter @secure-exec/core build
• pnpm --filter @secure-exec/v8 build
• pnpm --filter @secure-exec/nodejs check-types
• pnpm --filter @secure-exec/nodejs build
• pnpm --filter @secure-exec/nodejs exec vitest run test/kernel-runtime.test.ts -t "host fallback scoping"

Note

• pnpm --filter @secure-exec/nodejs test still fails in this Windows checkout because the broader integration suite expects secure-exec-v8 to be available on PATH for runtime-backed tests.

[NathanFlurry]

Fixed in v0.3, thanks for the contribution!

[NathanFlurry]

Note: there's no dedicated test here because the host-fallback mechanism this PR hardened was removed entirely. createHostFallbackVfs is now a no-op that returns the kernel-backed VFS unchanged (test-runtime.ts) with zero call sites, so there is no host filesystem escape left to scope to npm roots.