fix(sandbox): set HOME to match target user after privilege drop #1324

Open

Arnonrgo wants to merge 1 commit into NVIDIA:main from Arnonrgo:fix/set-home-after-privilege-drop

Conversation

@Arnonrgo (Contributor)

Summary

  • When openshell-sandbox runs as root (runAsUser: 0) and drops privileges to the sandbox user, HOME remains /root
  • Applications looking for config at $HOME (e.g. OpenClaw at ~/.openclaw/) fail to find files in the sandbox user's home directory
  • Resolves the target user from the policy before pre_exec and sets HOME on the child command

Changes

  • Add set_home_for_target_user() function that resolves the target user's home from /etc/passwd
  • Call it in both Linux and non-Linux spawn_impl paths after inject_provider_env
  • Falls back to "sandbox" user when running as root with no explicit run_as_user

Testing

  • Unit test: no-op when non-root with no run_as_user configured
  • Unit test: sets HOME correctly when run_as_user is specified
  • cargo check -p openshell-sandbox passes

When openshell-sandbox runs as root in a container (runAsUser: 0) and
drops privileges to the sandbox user, HOME remains /root. Applications
that look for config at $HOME fail to find files baked into the sandbox
user's home directory.

Resolve the target user from the policy before pre_exec and set HOME on
the child command so the exec'd process inherits the correct home
directory from /etc/passwd.
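The behaviour described above, as an added example written for this page (not the PR's own code): a passwd-format lookup for the target user's home, the root-with-no-run_as_user fallback to "sandbox", and the result applied as HOME on a std::process::Command. The function names, the bool/Option parameters and the embedded passwd text are assumptions; the real openshell-sandbox policy types are not shown.

```rust
use std::process::Command;

/// Return the home directory for `user` from passwd-format text
/// (name:passwd:uid:gid:gecos:home:shell). Blank and comment lines are skipped.
fn home_for_user(passwd: &str, user: &str) -> Option<String> {
    passwd
        .lines()
        .filter(|l| !l.trim().is_empty() && !l.starts_with('#'))
        .filter_map(|l| {
            let f: Vec<&str> = l.split(':').collect();
            (f.len() >= 7 && f[0] == user).then(|| f[5].to_string())
        })
        .next()
}

/// Which user the child will run as: the explicit policy user if set; otherwise
/// "sandbox" when the parent is root (assumed fallback); otherwise None, meaning
/// no privilege drop happens and HOME should be left untouched.
fn target_user<'a>(running_as_root: bool, run_as_user: Option<&'a str>) -> Option<&'a str> {
    run_as_user.or(if running_as_root { Some("sandbox") } else { None })
}

/// Resolve the target user's home, or None when HOME should not be changed.
fn resolve_target_home(passwd: &str, running_as_root: bool, run_as_user: Option<&str>) -> Option<String> {
    target_user(running_as_root, run_as_user).and_then(|u| home_for_user(passwd, u))
}

/// Set HOME on the child so the exec'd process sees the target user's home even
/// though the parent's own HOME is still /root. Returns the value that was set.
fn set_home_for_target_user(cmd: &mut Command, passwd: &str, running_as_root: bool, run_as_user: Option<&str>) -> Option<String> {
    let home = resolve_target_home(passwd, running_as_root, run_as_user)?;
    cmd.env("HOME", &home);
    Some(home)
}

/// Constructed sample passwd contents (not a real file from any system).
const SAMPLE_PASSWD: &str = "root:x:0:0:root:/root:/bin/bash\n\
# comment line\n\
sandbox:x:1000:1000::/home/sandbox:/bin/sh\n\
agent:x:1001:1001::/home/agent:/bin/sh\n";

fn main() {
    let mut cmd = Command::new("sh");
    cmd.arg("-c").arg("echo $HOME");
    // Root parent, no explicit run_as_user: falls back to the "sandbox" user.
    match set_home_for_target_user(&mut cmd, SAMPLE_PASSWD, true, None) {
        Some(h) => println!("HOME set to {h}"),
        None => println!("no privilege drop, HOME untouched"),
    }
}
```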
@copy-pr-bot

copy-pr-bot Bot commented May 12, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions

Thank you for your interest in contributing to OpenShell, @Arnonrgo.

This project uses a vouch system for first-time contributors. Before submitting a pull request, you need to be vouched by a maintainer.

To get vouched:

  1. Open a Vouch Request discussion.
  2. Describe what you want to change and why.
  3. Write in your own words — do not have an AI generate the request.
  4. A maintainer will comment /vouch if approved.
  5. Once vouched, open a new PR (preferred) or reopen this one after a few minutes.

See CONTRIBUTING.md for details.

@github-actions github-actions Bot closed this May 12, 2026
@github-actions

github-actions Bot commented May 12, 2026

All contributors have signed the DCO ✍️ ✅
Posted by the DCO Assistant Lite bot.

@drew drew reopened this May 12, 2026
@Arnonrgo (Contributor, Author)

I have read the DCO document and I hereby sign the DCO.

@Arnonrgo (Contributor, Author)

recheck
