
V0.2.3 sandbox hardening #5

Merged: sgr0691 merged 5 commits into main from v0.2.3-sandbox-hardening on Jun 24, 2026

Conversation

@sgr0691 sgr0691 commented Jun 24, 2026

Owner

This pull request introduces version 0.2.3 of Root, focusing on major improvements to the sandbox subsystem, enhanced resource and error handling, and significant documentation and test coverage. It also includes a comprehensive Nix command audit for v0.2.2, updates the workspace version, and refreshes the README for the new release.

Sandbox subsystem enhancements:

  • Implemented strict sandbox lifecycle validation with a state machine to prevent invalid transitions, ensuring sandboxes move through well-defined states (Created → Running → Completed/Failed → Destroyed).
  • Added resource limits (--memory, --cpus) to sandbox creation and enforced these in Docker containers, improving resource management.
  • Introduced automatic cleanup for failed/timed-out sandboxes, with improved detection and cleanup guarantees.
  • Integrated an event ledger to record all sandbox actions with detailed metadata for auditing and tracking.
  • Normalized and clarified sandbox error messages for common failure scenarios, improving user experience and diagnosability.

Documentation and testing:

  • Added a full sandbox subsystem audit, smoke test document, and reference notes for v0.2.3, along with 30 new targeted tests (now 38 in total for root-sandbox).
  • Updated the README to reflect changes in v0.2.3.
  • Updated the workspace version in Cargo.toml to 0.2.3.

Nix subsystem audit (v0.2.2):

  • Added a comprehensive audit of all Nix CLI command invocations, their error handling, and identified key gaps (manual JSON parsing, inconsistent installer URLs, etc.), documented in Docs/Nix/V0_2_2_NIX_COMMAND_AUDIT.md.
  • Improved error normalization for Nix commands and enhanced validation for profile generation and installer actions.

Bug fixes and refactoring:

  • Validated sandbox state transitions to prevent illegal operations (e.g., running a destroyed sandbox).
  • Updated the SandboxProvider trait and related types for better type safety and future extensibility.
  • Fixed Docker error normalization and improved container validation after creation and destruction.

These changes collectively improve the reliability, observability, and user experience of both the sandbox and Nix integration subsystems in Root.

@sgr0691 sgr0691 self-assigned this Jun 24, 2026
@sgr0691 sgr0691 merged commit 7f1c573 into main Jun 24, 2026
12 checks passed
@sgr0691 sgr0691 deleted the v0.2.3-sandbox-hardening branch June 25, 2026 02:17
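The PR description names the lifecycle the sandbox must follow (Created → Running → Completed/Failed → Destroyed), the resource limits passed to Docker, automatic cleanup of failed or timed-out sandboxes, and an event ledger for auditing. The following is an added example written for this page, not Root's own code: it sketches how those four pieces fit together in Rust, the workspace language. The type names, the `transition`/`needs_cleanup`/`docker_run_args` functions, the ledger fields and the memory floor are all assumptions made for the illustration; only the `--memory` and `--cpus` flags are real `docker run` options.

```rust
// Added example, not Root's code. Types, fields and the memory floor are
// assumptions chosen for this illustration.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SandboxState { Created, Running, Completed, Failed, Destroyed }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SandboxEvent { Start, Complete, Fail, Timeout, Destroy }

#[derive(Debug, Clone, PartialEq)]
pub enum SandboxError {
    // The requested event is not legal from the current state.
    InvalidTransition { from: SandboxState, event: SandboxEvent },
    // A resource limit was rejected at creation time.
    InvalidLimit(String),
}

// Hypothetical floor for the memory limit, chosen for this example only.
const MIN_MEMORY_BYTES: u64 = 6 * 1024 * 1024;

#[derive(Debug, Clone, PartialEq)]
pub struct ResourceLimits { pub memory_bytes: u64, pub cpus: f64 }

impl ResourceLimits {
    // Validate before anything is created, so a bad limit never reaches Docker.
    pub fn validate(&self) -> Result<(), SandboxError> {
        if self.memory_bytes < MIN_MEMORY_BYTES {
            return Err(SandboxError::InvalidLimit(format!(
                "memory limit {} below minimum {}", self.memory_bytes, MIN_MEMORY_BYTES)));
        }
        if !(self.cpus.is_finite() && self.cpus > 0.0) {
            return Err(SandboxError::InvalidLimit(format!(
                "cpu limit {} must be positive and finite", self.cpus)));
        }
        Ok(())
    }
}

// One ledger row per attempted transition, accepted or not.
#[derive(Debug, Clone, PartialEq)]
pub struct LedgerEntry {
    pub seq: u64, pub from: SandboxState, pub event: SandboxEvent,
    pub to: SandboxState, pub accepted: bool, pub detail: String,
}

pub struct Sandbox {
    pub id: String, pub state: SandboxState,
    pub limits: ResourceLimits, pub ledger: Vec<LedgerEntry>,
}

impl Sandbox {
    pub fn new(id: &str, limits: ResourceLimits) -> Result<Self, SandboxError> {
        limits.validate()?;
        Ok(Sandbox { id: id.to_string(), state: SandboxState::Created, limits, ledger: Vec::new() })
    }

    // The only way to change state. Rejected attempts are also recorded, so an
    // audit sees "Start requested on a Destroyed sandbox" rather than nothing.
    pub fn transition(&mut self, event: SandboxEvent, detail: &str)
        -> Result<SandboxState, SandboxError> {
        use SandboxEvent::*;
        use SandboxState::*;
        let from = self.state;
        let next = match (from, event) {
            (Created, Start) => Some(Running),
            (Running, Complete) => Some(Completed),
            (Running, Fail) | (Running, Timeout) => Some(Failed),
            (Completed, Destroy) | (Failed, Destroy) => Some(Destroyed),
            _ => None,
        };
        let seq = self.ledger.len() as u64 + 1;
        self.ledger.push(LedgerEntry {
            seq, from, event, to: next.unwrap_or(from),
            accepted: next.is_some(), detail: detail.to_string(),
        });
        match next {
            Some(state) => { self.state = state; Ok(state) }
            None => Err(SandboxError::InvalidTransition { from, event }),
        }
    }

    // A failed or timed-out sandbox still owns a container until destroyed.
    pub fn needs_cleanup(&self) -> bool { self.state == SandboxState::Failed }

    // Limits rendered as the real `docker run` flags.
    pub fn docker_run_args(&self) -> Vec<String> {
        vec![format!("--memory={}", self.limits.memory_bytes), format!("--cpus={}", self.limits.cpus)]
    }
}

fn main() {
    let limits = ResourceLimits { memory_bytes: 512 * 1024 * 1024, cpus: 1.5 };
    let mut sb = Sandbox::new("sb-demo", limits).expect("valid limits");
    println!("docker run {} ...", sb.docker_run_args().join(" "));
    for (event, detail) in [
        (SandboxEvent::Start, "container started"),
        (SandboxEvent::Timeout, "exceeded 30s wall clock"),
        (SandboxEvent::Destroy, "automatic cleanup of failed sandbox"),
        (SandboxEvent::Start, "retry requested on a destroyed sandbox"),
    ] {
        match sb.transition(event, detail) {
            Ok(state) => println!("{}: {:?} -> {:?}", sb.id, event, state),
            Err(e) => println!("{}: rejected {:?}", sb.id, e),
        }
    }
    for entry in &sb.ledger { println!("{:?}", entry); }
}
```

The point of routing every change through `transition` is that the state field can never be set to an illegal value by a caller, and the ledger doubles as the evidence that the cleanup path ran: a `Failed` sandbox that never reaches `Destroyed` shows up as a missing row rather than as a silently leaked container.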
