V0.2.3 sandbox hardening

[sgr0691]

This pull request documents the release of Root v0.2.3, introducing significant improvements to sandbox management and resource control, as well as expanding documentation and test coverage. The main changes include strict sandbox lifecycle validation, resource limits, improved cleanup and error handling, event ledger integration, and comprehensive documentation and testing for both the sandbox and Nix subsystems.

Sandbox subsystem enhancements:

• Added strict sandbox lifecycle validation with a state machine (Created → Running → Completed/Failed → Destroyed), rejecting invalid transitions and providing clear errors.
• Implemented resource limits for sandboxes (--memory, --cpus), enforced at Docker container creation.
• Added automatic cleanup guarantees: destroy always attempts cleanup, failed/timed-out runs trigger cleanup, and stale sandboxes are detectable.
• Introduced timeout handling for sandbox runs, with automatic kill, cleanup, and event recording.
• Integrated an event ledger to record every sandbox action with detailed metadata.
• Normalized sandbox error messages for common failure modes, improving user experience.
• Expanded test coverage with 30 new tests for sandbox lifecycle, cleanup, resource limits, timeout, validation, event recording, and error normalization.

Documentation and audit:

• Added a full sandbox subsystem audit at Docs/Sandbox/V0_2_3_SANDBOX_AUDIT.md, new smoke test document, and reference notes for v0.2.3.
• Updated the README to reflect v0.2.3.

Nix subsystem documentation:

• Added a comprehensive Nix command audit at Docs/Nix/V0_2_2_NIX_COMMAND_AUDIT.md, detailing all Nix CLI invocations, error handling, command flows, and identifying key gaps in the current implementation.

Internal API and event changes:

• Updated SandboxProvider trait and SandboxInstance to use typed enums and new parameters for resource limits and validation.
• Added sandbox_id to RootEvent for improved sandbox operation tracking.

Bug fixes:

• Sandbox state transitions are now validated, preventing invalid operations (e.g., running a destroyed sandbox).
• Docker errors are normalized into user-friendly messages.
• Containers are validated after creation and destroyed on validation failure.

These changes improve reliability, traceability, and usability for sandbox operations and provide detailed documentation and audits for both sandbox and Nix-related functionality.