fix(docker): harden supervisor startup and gateway routing #1128

Merged
drew merged 5 commits into main from drew/docker-gateway-routing-path-hardening
May 4, 2026
Collaborator

@drew drew commented May 2, 2026

Summary

Hardens Docker sandbox supervisor startup against user-controlled PATH overrides and routes local Docker sandbox callbacks over Docker-managed networking instead of host network mode. This is a better-named, single signed-commit branch carrying the same tree as #1115.

Docker sandboxes now use host.openshell.internal:<gateway-port> for supervisor callbacks. Native Linux Docker gets a private bridge gateway listener, while Docker Desktop uses Docker's host-gateway alias because its bridge gateway IP belongs inside the Docker Desktop VM rather than the host OS.

Related Issue

Fixes #1113

Changes

  • Keep Docker supervisor PATH driver-owned after user environment merge.
  • Resolve privileged ip and nsenter helpers from fixed absolute path allowlists instead of process PATH.
  • Add a managed Docker bridge network for local Docker sandboxes, configurable with --docker-network-name / OPENSHELL_DOCKER_NETWORK_NAME.
  • Have the Docker driver report the Docker bridge gateway IP as an extra gateway listener address on native Linux Docker.
  • Use Docker Desktop's host-gateway mapping for host.openshell.internal instead of overriding it to the VM bridge gateway IP.
  • Point Docker sandbox OPENSHELL_ENDPOINT at host.openshell.internal:<gateway-port>.
  • Add --bind-address / OPENSHELL_BIND_ADDRESS, defaulting to loopback, with Docker/Helm deployments explicitly binding 0.0.0.0.
  • Add regression coverage for Docker PATH override attempts, helper-path lookup behavior, Docker bridge gateway parsing, Docker Desktop routing, loopback bind defaults, and multi-listener gateway binding.
  • Update gateway architecture docs for Docker bridge/Desktop callback routing and explicit wildcard deployment binds.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable) N/A, no e2e path changed

Additional targeted checks previously run against this tree:

  • cargo test -p openshell-driver-docker
  • cargo test -p openshell-server gateway_listener_addresses
  • cargo check -p openshell-server -p openshell-driver-docker
  • openshell sandbox create --name desktop-routing-final --no-keep --no-tty -- true against Docker Desktop gateway
  • docker inspect confirmed Docker Desktop containers use ExtraHosts=["host.openshell.internal:host-gateway"]
  • lsof -nP -iTCP:18080 -sTCP:LISTEN confirmed the local Docker gateway listens on 127.0.0.1:18080
  • cargo test -p openshell-sandbox find_trusted_binary (macOS host compiles crate but Linux-only tests are filtered)
  • cargo zigbuild -p openshell-sandbox --target aarch64-unknown-linux-gnu
  • cargo zigbuild -p openshell-sandbox --target aarch64-unknown-linux-gnu --tests

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)
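
The two PATH changes listed in the description above (re-pinning the supervisor PATH after the user environment merge, and resolving ip and nsenter from a fixed absolute-path allowlist), sketched as an added example that is not the project's code. The `DRIVER_PATH` value, the candidate lists and the function names `supervisor_env`, `resolve_helper` and `is_executable_file` are assumptions made for illustration.

```rust
use std::collections::BTreeMap;
use std::path::{Path, PathBuf};

// Assumed values for illustration; not taken from the project.
const DRIVER_PATH: &str = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
const IP_CANDIDATES: &[&str] = &["/usr/sbin/ip", "/sbin/ip", "/usr/bin/ip", "/bin/ip"];
const NSENTER_CANDIDATES: &[&str] = &["/usr/bin/nsenter", "/usr/sbin/nsenter", "/bin/nsenter"];

/// Merge user-supplied variables, then re-pin PATH so the merge can never
/// leave a user-controlled search path in place for the supervisor.
fn supervisor_env(user: &[(&str, &str)]) -> BTreeMap<String, String> {
    let mut env = BTreeMap::new();
    for (k, v) in user {
        env.insert(k.to_string(), v.to_string());
    }
    env.insert("PATH".to_string(), DRIVER_PATH.to_string()); // driver-owned, set last
    env
}

/// Return the first allowlisted absolute path that passes `usable`.
/// The process PATH is never read, so a hostile PATH cannot redirect lookup.
fn resolve_helper(candidates: &[&str], usable: impl Fn(&Path) -> bool) -> Option<PathBuf> {
    candidates
        .iter()
        .map(Path::new)
        .filter(|p| p.is_absolute())
        .find(|p| usable(*p))
        .map(Path::to_path_buf)
}

/// Real-filesystem check: a regular file with at least one execute bit.
fn is_executable_file(p: &Path) -> bool {
    use std::os::unix::fs::PermissionsExt;
    std::fs::metadata(p)
        .map(|m| m.is_file() && m.permissions().mode() & 0o111 != 0)
        .unwrap_or(false)
}

fn main() {
    // Constructed input: a sandbox user tries to prepend a writable directory.
    let env = supervisor_env(&[("PATH", "/tmp/evil:/usr/bin"), ("LANG", "C.UTF-8")]);
    println!("PATH = {}", env["PATH"]);
    for (name, list) in [("ip", IP_CANDIDATES), ("nsenter", NSENTER_CANDIDATES)] {
        match resolve_helper(list, is_executable_file) {
            Some(p) => println!("{name}: {}", p.display()),
            None => println!("{name}: not found in allowlist; refusing PATH fallback"),
        }
    }
}
```

When no candidate passes the check, the caller gets `None` and should fail closed instead of falling back to a PATH search.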

@drew drew requested a review from a team as a code owner May 2, 2026 00:56
TaylorMutch previously approved these changes May 2, 2026
@drew drew force-pushed the drew/docker-gateway-routing-path-hardening branch from 26ee521 to 4aae038 Compare May 2, 2026 01:37
@drew drew force-pushed the drew/docker-gateway-routing-path-hardening branch from 1cfc0e8 to cdf6ac6 Compare May 4, 2026 03:23
github-actions Bot commented May 4, 2026

Contributor

mjamiv commented May 4, 2026

Opened a small stacked PR to address the Rust lint failures currently blocking this branch: #1142

It covers the exact CI failures from the Rust jobs:

  • unused_qualifications in crates/openshell-sandbox/src/sandbox/linux/netns.rs
  • clippy::large_futures in crates/openshell-server/src/cli.rs

Validated locally:

  • cargo fmt --all -- --check
  • cargo clippy -p openshell-sandbox --all-targets -- -D warnings
  • cargo clippy -p openshell-server --all-targets -- -D warnings

@drew drew added the test:e2e Requires end-to-end coverage label May 4, 2026
github-actions Bot commented May 4, 2026

Label test:e2e applied for 9dd0e62. Open the existing run and click Re-run all jobs to execute with the label set. The E2E Gate check on this PR will flip green automatically once the run finishes.

@drew drew merged commit 08001ca into main May 4, 2026
54 of 57 checks passed
@drew drew deleted the drew/docker-gateway-routing-path-hardening branch May 4, 2026 04:38
Labels

test:e2e Requires end-to-end coverage

Development

Successfully merging this pull request may close these issues.

Bug: PATH override can hijack privileged ip and nsenter helpers

3 participants