feat(kubernetes): WIP node enforcer isolation proof of concept

[TaylorMutch]

Summary

Draft proof-of-concept for the Kubernetes node-enforcer topology. This PR is intentionally WIP and meant to capture the spike result, diagrams, local validation, and tradeoffs rather than propose a finalized production design.

See the spike/ directory README and the diagrams to see more investigation into this topology design.

Related Issue

N/A - spike proof of concept.

Changes

• Adds the external node-enforcer topology for Kubernetes so sandbox workload pods can run without the filesystem lockdown and network namespace privileges currently held by the combined supervisor.
• Adds Helm wiring, node-enforcer CI/dev values, and label isolation for the node-enforcer DaemonSet.
• Moves the spike notes into spike/README.md and includes the generated architecture diagrams comparing current state, split-pod options, isolation backend framing, and the node-enforcer option.

Testing

• mise run helm:test passed.
• Kubernetes node-enforcer smoke e2e passed with deploy/helm/openshell/ci/values-node-enforcer.yaml.
• Kubernetes bypass_detection e2e passed with the node-enforcer overlay.
• Manual sandbox validation passed: the sandbox created successfully, node-enforcer enforcement logs were observed, and raw direct TCP from the sandbox user path was rejected with exit code 111.
• Final full pre-commit rerun was skipped for spike scope after the initial post-diagram run timed out during the Rust test phase; completed earlier phases had passed.

Checklist

• Draft PR
• Proof-of-concept status called out in the title and summary
• Spike README and diagrams included
• Production hardening complete

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-1827.docs.buildwithfern.com/openshell