fix(storage): use /host-dev for block device access inside container

Docker always creates a fresh tmpfs at /dev, silently dropping any
/dev:/dev bind mount. Block devices must be accessed via /host-dev
where the host /dev is actually mounted.

Changes:
- docker-compose.yml: /dev:/dev → /dev:/host-dev:rw
- safety.go: add HostDevPath constant + HostDevicePath() helper
- format_linux.go: all device ops (stat, sfdisk, partprobe, mkfs.ext4,
  blkid) use HostDevicePath() to resolve /dev/sdb → /host-dev/sdb
- safety_linux.go: IsSystemDisk() stats device via /host-dev
- scan_linux.go: enrichWithBlkid() probes each partition individually
  via /host-dev/sdXN instead of batch blkid -o export (which can't
  find devices when /dev is Docker's minimal tmpfs)

Fixes "stat /dev/sdb: no such file or directory" in FormatAndMount.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

controller/internal/storage/scan_linux.go

@@ -175,68 +175,28 @@ func partitionToParentDisk(devPath string) string {
 	return strings.TrimRight(name, "0123456789")
 }
 
-// blkidInfo holds filesystem metadata from blkid.
-type blkidInfo struct {
-	FSType string
-	UUID   string
-	Label  string
-}
-
-// parseBlkidExport parses the output of `blkid -o export` into a map keyed by device path.
-// Output format: blocks separated by blank lines, each line "KEY=VALUE".
-func parseBlkidExport(data []byte) map[string]blkidInfo {
-	result := map[string]blkidInfo{}
-
-	for _, block := range strings.Split(string(data), "\n\n") {
-		var devName string
-		info := blkidInfo{}
-		for _, line := range strings.Split(strings.TrimSpace(block), "\n") {
-			parts := strings.SplitN(line, "=", 2)
-			if len(parts) != 2 {
-				continue
-			}
-			key, val := parts[0], parts[1]
-			switch key {
-			case "DEVNAME":
-				devName = val
-			case "TYPE":
-				info.FSType = val
-			case "UUID":
-				info.UUID = val
-			case "LABEL":
-				info.Label = val
-			}
-		}
-		if devName != "" {
-			result[devName] = info
-		}
-	}
-	return result
-}
-
 // enrichWithBlkid fills in missing FSType, UUID, and Label on partitions using blkid.
-// blkid directly probes devices, which works in privileged containers where lsblk's
-// udev/blkid cache is unavailable.
+// Probes each partition individually via /host-dev (Docker overrides /dev with its own
+// tmpfs, so the host block devices are accessible at /host-dev instead).
 func enrichWithBlkid(disks []BlockDevice) {
-	out, err := exec.Command("blkid", "-o", "export").Output()
-	if err != nil {
-		return
-	}
-
-	blkidMap := parseBlkidExport(out)
-
 	for i := range disks {
 		for j := range disks[i].Partitions {
 			p := &disks[i].Partitions[j]
-			if info, ok := blkidMap[p.Path]; ok {
-				if p.FSType == "" {
-					p.FSType = info.FSType
+			hostPath := HostDevicePath(p.Path) // "/dev/sdb1" → "/host-dev/sdb1"
+
+			if p.FSType == "" {
+				if out, err := exec.Command("blkid", "-o", "value", "-s", "TYPE", hostPath).Output(); err == nil {
+					p.FSType = strings.TrimSpace(string(out))
 				}
-				if p.UUID == "" {
-					p.UUID = info.UUID
+			}
+			if p.UUID == "" {
+				if out, err := exec.Command("blkid", "-o", "value", "-s", "UUID", hostPath).Output(); err == nil {
+					p.UUID = strings.TrimSpace(string(out))
 				}
-				if p.Label == "" {
-					p.Label = info.Label
+			}
+			if p.Label == "" {
+				if out, err := exec.Command("blkid", "-o", "value", "-s", "LABEL", hostPath).Output(); err == nil {
+					p.Label = strings.TrimSpace(string(out))
 				}
 			}
 		}