@cgwalters cgwalters commented Jan 22, 2026

UKI files are located at /usr/lib/modules/<version>/<version>.efi, not directly in /usr/lib/modules/. Update the kernel/initramfs detection loop to search inside version subdirectories for .efi files.

This enables ephemeral boot for "pure UKI" images that ship only a Unified Kernel Image without separate vmlinuz/initramfs.img files.

Note: UKI boot extracts kernel/initramfs using objcopy, which breaks the signature chain. Secure Boot is not supported for ephemeral runs. See docs/todo/ephemeral-uefi.md for future UEFI boot work.

Closes: #161

Assisted-by: OpenCode (Claude Sonnet 4)

@cgwalters cgwalters changed the title ephemeral: Fix UKI detection to look inside kernel version subdirecto… ephemeral: Fix UKI detection to look inside kernel version subdirectories Jan 22, 2026
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request significantly improves UKI detection by correctly searching for .efi files within kernel version subdirectories, enabling ephemeral boot for pure UKI images. The introduction of the new crates/kit/src/kernel.rs module is a great enhancement, centralizing kernel detection logic in a clean, testable, and sandboxed manner. The refactoring in crates/kit/src/run_ephemeral.rs to use this new module is well-executed and improves code maintainability.

The changes are thoroughly validated with new integration tests and a dedicated Dockerfile fixture. I also appreciate the detailed documentation in docs/todo/ephemeral-uefi.md, which provides valuable context on the current implementation's limitations and a clear roadmap for future UEFI boot support. Overall, this is a high-quality contribution. I have one minor formatting suggestion for the new documentation file.

…ries

UKI files are located at /usr/lib/modules/<version>/<version>.efi, not
directly in /usr/lib/modules/. Update the kernel/initramfs detection
loop to search inside version subdirectories for .efi files.

This enables ephemeral boot for "pure UKI" images that ship only a
Unified Kernel Image without separate vmlinuz/initramfs.img files.

Note: UKI boot extracts kernel/initramfs using objcopy, which breaks
the signature chain. Secure Boot is not supported for ephemeral runs.
See docs/todo/ephemeral-uefi.md for future UEFI boot work.

Closes: bootc-dev#161

Assisted-by: OpenCode (Claude Sonnet 4)
Signed-off-by: Colin Walters <walters@verbum.org>
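
The lookup rule this PR describes (a UKI lives at `<version>/<version>.efi` inside the modules directory, never directly in it), as an added example that is not the project's code in crates/kit/src/kernel.rs. The names `KernelKind`, `find_kernel` and `needs_extraction`, the name-ordered scan and the preference for split files over a UKI are assumptions made for illustration.

```rust
// Added illustration; not the code in crates/kit/src/kernel.rs.
use std::{fs, io, path::{Path, PathBuf}};

/// Boot artifacts found in one kernel version directory.
#[derive(Debug, PartialEq)]
pub enum KernelKind {
    /// Separate vmlinuz and initramfs.img files.
    Traditional { kernel: PathBuf, initramfs: PathBuf },
    /// A single <version>/<version>.efi Unified Kernel Image.
    Uki { image: PathBuf },
}

impl KernelKind {
    /// True for a UKI: kernel and initramfs must be extracted first (see PR note).
    pub fn needs_extraction(&self) -> bool {
        matches!(self, KernelKind::Uki { .. })
    }
}

/// Look inside each <modules_dir>/<version>/ directory for boot artifacts.
/// Assumptions: directories are tried in name order, and split files win
/// over a UKI when one directory holds both.
pub fn find_kernel(modules_dir: &Path) -> io::Result<Option<(String, KernelKind)>> {
    let mut versions: Vec<PathBuf> = fs::read_dir(modules_dir)?
        .filter_map(|entry| entry.ok().map(|e| e.path()))
        .filter(|path| path.is_dir())
        .collect();
    versions.sort();
    for dir in versions {
        let Some(version) = dir.file_name().and_then(|n| n.to_str()) else { continue };
        let (kernel, initramfs) = (dir.join("vmlinuz"), dir.join("initramfs.img"));
        if kernel.is_file() && initramfs.is_file() {
            let kind = KernelKind::Traditional { kernel, initramfs };
            return Ok(Some((version.to_string(), kind)));
        }
        let image = dir.join(format!("{version}.efi"));
        if image.is_file() {
            return Ok(Some((version.to_string(), KernelKind::Uki { image })));
        }
    }
    Ok(None)
}

fn main() {
    match find_kernel(Path::new("/usr/lib/modules")) {
        Ok(Some((v, k))) => println!("{v}: {k:?}, extraction: {}", k.needs_extraction()),
        other => println!("{other:?}"),
    }
}
```

A caller can use `needs_extraction()` to tell the user that the run will not preserve the UKI's signature, matching the Secure Boot limitation stated in the PR description.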
Development

Successfully merging this pull request may close these issues.

Change ephemeral to still use systemd-boot if detected