Refactor FS pathing: backend root-layer mounts only + remove perform fs read surface

[lthibault]

Summary

• remove perform fs as a data-plane read path from shell/MCP wrapper flow
• keep legacy make_fs_handler only as a migration-grade deprecation error
• enforce backend virtual mount policy: reject targeted mounts (source:/guest/path) and accept root layers only
• add an early CLI preflight in ww run that rejects targeted mounts with explicit offending-mount output
• align docs (doc/shell.md, doc/capabilities.md, doc/architecture.md) with WASI path I/O model and backend mount policy

Validation

• cargo check -p ww --lib --bins
• cargo check -p cell --lib
• cargo test in std/caps (18 passed)
• targeted CLI policy tests:
  • test_validate_backend_mount_policy_accepts_root_mounts
  • test_validate_backend_mount_policy_rejects_targeted_mounts

Notes

• Follow-up discussion for D9 preopen-only alternative is tracked in Evaluate preopen-only local mounts vs eager content-store import (D9 alternative) #466.
• Existing unrelated test harness issue remains in crates/cell test build (tempfile missing in loader tests); not introduced by this PR.

[lthibault]

Tracking note: umbrella roadmap issue is now live at #468 for staged status + follow-up links.