bridge: tempfile root migration — drive ban_unrooted_tempdir allowlist to zero (#844)

[zackees]

Goal

Drive dylints/ban_unrooted_tempdir/src/allowlist.txt from 92 entries → 0. Per user directive on #844: no grandfathering, no backwards compatibility. Every allowlisted site is a migration target.

Sub-issue of #844.

Migration approach

1. Add a fbuild_paths::dev_or_prod_temp_root() helper that returns ~/.fbuild/{dev|prod}/tmp/<subdir>/.
2. Each call site that currently uses tempfile::TempDir::new() / tempfile::tempdir() migrates to tempfile::tempdir_in(&root) with an appropriate subdir.
3. As each file's last violation is removed, delete its entry from allowlist.txt.

Highest-impact production sites

• crates/fbuild-packages/src/extractor.rs — tar/zip extraction (per-package-install)
• crates/fbuild-packages/src/library/esp32_framework/libs.rs — framework staging (per-env install)
• crates/fbuild-packages/src/disk_cache/{gc,mod}.rs — cache management
• crates/fbuild-build/src/linker.rs — linker artifact temps (per-build)
• crates/fbuild-build/src/framework_core_cache.rs — framework core hydration

Acceptance

• fbuild_paths::dev_or_prod_temp_root() helper exists
• All 92 allowlist entries migrated and removed
• dylints/ban_unrooted_tempdir/src/allowlist.txt contains only the header comment (zero entries)
• Tests confirm tempfiles land under ~/.fbuild/{dev|prod}/tmp/ instead of $TMPDIR

References: #844, #826 (origin of the lint).

[zackees]

Rolled into #844. All content (bridge API, migration sites, acceptance criteria) is now inline in the meta as a single closing checklist.