fix(openshell-network-supervisor): gate proxy accept on symlink resolution readiness

[Cali0707]

Summary

The forward proxy accept loop can race with OPA engine's symlink resolution reload during sandbox startup. If a request is in-flight when the reload bumps the policy generation counter, the generation guard rejects it with a spurious 403. This is startup only: the initial engine is built with PID=0 (no symlink resolution), then a background task re-resolves with the real PID once /proc/<pid>/root is accessibly - two generation bumps for the same policy.

This gates proxy accept behind a watch channel that fires once symlink resolution completes.

Related Issue

Should resolve the e2e issues seen in #1891

Changes

• Add tokio::sync::watch channel that signals when symlink resolution finishes (success, failure, or skip)
• Gate the proxy accept loop on the readiness signal with a 15s fallback

Testing

• mise run pre-commit passes
• Unit tests added/updated
• E2E tests added/updated (if applicable)

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.