fix(sandbox): preserve ownership for existing read_write paths#827

Merged
johntmyers merged 1 commit into main from fix/783-prepare-filesystem-respect-existing-ownership/johntmyers
Apr 15, 2026

Conversation

@johntmyers
Collaborator

@johntmyers johntmyers commented Apr 14, 2026

🏗️ build-from-issue-agent

Summary

Preserve image-defined ownership for existing sandbox read_write paths during filesystem preparation. The supervisor now only chowns paths it creates at startup, while keeping the existing symlink safety check and adding focused regression coverage.

Related Issue

Closes #783

Changes

  • crates/openshell-sandbox/src/lib.rs: extracted prepare_read_write_path(), kept the symlink guard, and limited chown() to newly-created read_write paths.
  • crates/openshell-sandbox/src/lib.rs tests: added Unix-focused coverage for creating missing paths, preserving existing paths, rejecting symlinks, and skipping ownership changes on pre-existing paths.
  • architecture/sandbox.md, architecture/security-policy.md: updated the architecture notes so they match the new ownership-preservation behavior.

Deviations from Plan

Updated architecture docs to keep the documented filesystem-preparation behavior aligned with the implementation.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Tests added:

  • Unit: crates/openshell-sandbox/src/lib.rs tests covering missing-path creation, existing-path preservation, symlink rejection, and skipping chown() on existing paths.
  • Integration: N/A
  • E2E: N/A

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

Documentation updated:

  • architecture/sandbox.md: clarified that only newly-created read_write paths are re-owned.
  • architecture/security-policy.md: documented that existing image paths keep their ownership and symlinks are rejected.

Closes #783

Only chown read_write paths that the supervisor creates at startup, and leave pre-existing image paths with their original ownership. Add sandbox tests for creation, symlink rejection, and existing-path ownership preservation, and update architecture docs to match the new behavior.
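The ownership rule the PR describes (reject symlinks first, leave pre-existing image paths untouched, chown only what the supervisor itself creates) written out as a stand-alone Rust function. This is an added example, not the openshell-sandbox crate's own code: `SandboxUser`, `PrepareOutcome`, `prepare_read_write_path`, `owner_of` and `scratch_dir` are hypothetical names chosen for the illustration, and the real crate's signatures are not shown on this page.

```rust
// Added example (not the openshell project's code): the ownership-preservation
// rule from the PR description as a self-contained Unix-only function.
//
// Rules demonstrated:
//   1. A path that is itself a symlink is rejected before anything is touched
//      (symlink_metadata inspects the link, not its target).
//   2. A path that already exists keeps whatever ownership the image gave it.
//   3. Only a path the supervisor creates here is chown'd to the sandbox user.
//
// `SandboxUser`, `PrepareOutcome`, `prepare_read_write_path`, `owner_of` and
// `scratch_dir` are hypothetical names for this example.

use std::fs;
use std::io;
use std::os::unix::fs::{chown, MetadataExt};
use std::path::{Path, PathBuf};

/// Identity that freshly created paths are handed to (hypothetical type).
#[derive(Clone, Copy, Debug)]
pub struct SandboxUser {
    pub uid: u32,
    pub gid: u32,
}

/// What the preparation step did, so callers (and tests) can check that an
/// image-defined path was never re-owned.
#[derive(Debug, PartialEq, Eq)]
pub enum PrepareOutcome {
    /// The directory was missing; it was created and chown'd.
    Created,
    /// The directory was already present; ownership left untouched.
    PreservedExisting,
}

pub fn prepare_read_write_path(path: &Path, user: SandboxUser) -> io::Result<PrepareOutcome> {
    // Look at the path itself without following links: a symlink here could
    // redirect the chown (and the later mount) outside the intended tree.
    match fs::symlink_metadata(path) {
        Ok(meta) if meta.file_type().is_symlink() => {
            return Err(io::Error::new(
                io::ErrorKind::InvalidInput,
                format!("refusing read_write path that is a symlink: {}", path.display()),
            ));
        }
        // Pre-existing image path: keep image-defined ownership, do not chown.
        Ok(_) => return Ok(PrepareOutcome::PreservedExisting),
        Err(e) if e.kind() == io::ErrorKind::NotFound => {}
        Err(e) => return Err(e),
    }

    // Missing: the supervisor creates it, so it also decides its owner.
    // Only the leaf is re-owned; intermediate directories are left as created.
    fs::create_dir_all(path)?;
    chown(path, Some(user.uid), Some(user.gid))?;
    Ok(PrepareOutcome::Created)
}

/// Read back (uid, gid) of a path; used to verify the outcome.
pub fn owner_of(path: &Path) -> io::Result<(u32, u32)> {
    let meta = fs::metadata(path)?;
    Ok((meta.uid(), meta.gid()))
}

/// Unique scratch directory under the system temp dir (constructed for the
/// example; a real test suite would use a tempdir helper).
pub fn scratch_dir(tag: &str) -> io::Result<PathBuf> {
    let nanos = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .map(|d| d.as_nanos())
        .unwrap_or(0);
    let dir = std::env::temp_dir().join(format!("rw-prep-{}-{}-{}", tag, std::process::id(), nanos));
    fs::create_dir_all(&dir)?;
    Ok(dir)
}

fn main() -> io::Result<()> {
    let root = scratch_dir("demo")?;
    // Use our own uid/gid so the chown succeeds without privileges.
    let (uid, gid) = owner_of(&root)?;
    let me = SandboxUser { uid, gid };

    let fresh = root.join("workspace");
    println!("{}: {:?}", fresh.display(), prepare_read_write_path(&fresh, me)?);
    println!("{}: {:?}", fresh.display(), prepare_read_write_path(&fresh, me)?);

    let link = root.join("escape");
    std::os::unix::fs::symlink(&root, &link)?;
    println!("{}: {:?}", link.display(), prepare_read_write_path(&link, me).err());

    fs::remove_dir_all(&root)
}
```

Running the binary creates `workspace` once (reported as `Created`), reports `PreservedExisting` on the second call without touching ownership, and refuses the `escape` symlink with an `InvalidInput` error before any chown happens. The example uses the caller's own uid/gid so that it runs unprivileged; a real supervisor would pass the sandbox user's identity.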
@johntmyers johntmyers self-assigned this Apr 14, 2026
@johntmyers johntmyers requested a review from a team as a code owner April 14, 2026 05:19
@copy-pr-bot

copy-pr-bot bot commented Apr 14, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@johntmyers johntmyers merged commit e0db01e into main Apr 15, 2026
10 checks passed
@johntmyers johntmyers deleted the fix/783-prepare-filesystem-respect-existing-ownership/johntmyers branch April 15, 2026 04:51


Successfully merging this pull request may close these issues.

prepare_filesystem() should not chown existing directories in read_write