…gh script

Closes #173 (sub-issue 1).

Symptom: device_record action=start silently picked one of multiple booted
simulators non-deterministically, costing the user a 175s recording when
it captured iPhone 15 Pro's home screen while iPhone 17 Pro was being
driven by Maestro. The shell script's `xcrun simctl io booted recordVideo`
and `adb shell screenrecord` both use implicit device resolution that
breaks under multi-device conditions.

Fix shape:

1. New `deviceId` arg on device_record start (iOS UDID or Android serial).
2. Pre-flight resolver in the TS handler:
   - 0 candidates → existing NO_DEVICE path
   - 1 candidate, no deviceId → auto-select; mark autoSelected: true
   - explicit deviceId (any candidate count) → must match a candidate
     or refuse with code=DEVICE_AMBIGUOUS listing all candidates. An
     explicit selection is authoritative — a stale or typo'd UDID is
     a failure mode, not a hint.
   - >1 candidates, no deviceId → DEVICE_AMBIGUOUS with the candidate
     list so the caller knows the valid identifiers (the GH #173 surface)
3. Echo `deviceId` and `autoSelected` in the start response so callers
   can verify they got the device they meant.
4. record_proof.sh accepts `--udid <UDID>` (iOS) and `--serial <SERIAL>`
   (Android) flags, threads them into `xcrun simctl io <UDID>` and
   `adb -s <SERIAL>`. Falls back to `booted`/auto when no flag passed
   (single-device case, backward-compatible).
5. Android stop path now reads the persisted serial sidecar and uses
   `adb -s <serial>` for pkill/pull/rm. Without this, multi-device stop
   would hit "ambiguous device" or operate on the wrong target — codex-pair
   caught the gap during review.
6. Defensive: on every Android start, unconditionally write OR clear the
   serial sidecar. Leaving a stale sidecar from a prior recording would
   misroute the next stop to a now-disconnected device — also codex-pair.

Implementation details:
- parseAllBootedIosDevices: returns ALL booted simulators (not just first)
- parseAllAdbDevices: returns ALL connected devices including physical
  (parseAdbDevicesEmu in device-screenshot-raw.ts only matches emulator-*;
  for device_record's ambiguity check we need physical devices too)
- resolveTargetDevice: pure function exported for unit tests
- Backward-compatible: single-device callers see no change (autoSelected,
  no flag forwarded to the script)

Tests (1481/1481 passing, +10 net new):
- parseAllBootedIosDevices: returns all booted, skips Shutdown
- parseAllBootedIosDevices: empty/malformed JSON → []
- parseAllAdbDevices: returns emulators AND physical devices (key
  distinction from device-screenshot-raw's emu-only parser)
- parseAllAdbDevices: skips header and empty lines
- resolveTargetDevice: 1 candidate, no deviceId → auto-select
- resolveTargetDevice: 1 candidate + mismatched deviceId → AMBIGUOUS
  (the design fix codex-pair pushed back on — explicit-selection-is-
  authoritative)
- resolveTargetDevice: 1 candidate + matching deviceId → use it (not
  auto-selected)
- resolveTargetDevice: >1 candidates + matching deviceId → use it
- resolveTargetDevice: >1 candidates + no deviceId → AMBIGUOUS with
  full candidate list (THE GH #173 fix surface)
- resolveTargetDevice: >1 candidates + non-matching deviceId →
  AMBIGUOUS (typo surfaces fast)

Out of scope (not introduced by this PR; flagged by codex-pair as
pre-existing issues in record_proof.sh):
- /tmp PID file used for `kill` without strict validation (HIGH)
- /tmp venv path predictable (HIGH)
- Literal `$` instead of `$$` in raw_file/device_path names — typo'd
  unique suffix (MED)
These should be addressed in a separate hardening pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>