feat(auth): add SPIFFE supervisor authentication #1414

Draft
TaylorMutch wants to merge 1 commit into tmutch/per-supervisor-authn from tmutch/supervisor-authn-spiffe
Conversation

@TaylorMutch
Collaborator

Summary

Add optional SPIRE/SPIFFE support for Helm dev clusters and allow sandbox supervisors to authenticate to the gateway with SPIFFE JWT-SVIDs instead of gateway-minted JWTs.

Related Issue

Stacked on #1404.

Changes

  • Add SPIFFE configuration and sandbox environment plumbing across core, gateway, sandbox, and Kubernetes driver code.
  • Install SPIRE as an opt-in Helm dev component and mount the SPIFFE CSI Workload API socket into gateway and sandbox pods.
  • Use the rust-spiffe crate for JWT-SVID fetch and validation, aligned with tonic/prost 0.14.
  • Document SPIFFE/SPIRE dev usage and update local debugging guidance.
  • Ignore git-ignored architecture plan scratch files in markdownlint so pre-commit does not lint local plan notes.

Testing

  • RUSTC_WRAPPER= mise run pre-commit passes
  • cargo check -p openshell-core -p openshell-server -p openshell-sandbox -p openshell-driver-kubernetes passes
  • Focused SPIFFE unit tests passed
  • Helm lint/unit tests passed
  • Local /helm-dev-environment SPIRE deployment exercised sandbox list/create/delete and supervisor connect-back

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)

Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
@copy-pr-bot

copy-pr-bot Bot commented May 15, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.
