feat: add docker sandbox provider

[sidpalas]

Summary

• Adds a local Docker sandbox provider for the control plane, including provider selection via SANDBOX_PROVIDER=docker and HTTP client/provider tests.
• Adds @open-inspect/docker-sandbox-api, a local TypeScript service that creates/stops sandbox containers through the Docker CLI.
• Adds a sandbox runtime Dockerfile, explicit image build command, cleanup helpers, and Docker-specific setup docs.

Local Usage

npm run docker:sandbox:build
cp packages/docker-sandbox-api/.env.example packages/docker-sandbox-api/.env.local
npm run dev:docker-sandbox-api

Configure the local control plane with:

SANDBOX_PROVIDER=docker
DOCKER_SANDBOX_API_URL=http://127.0.0.1:8788
DOCKER_SANDBOX_API_TOKEN=local-docker-sandbox-token
CONTROL_PLANE_URL=http://host.docker.internal:8787
WORKER_URL=http://host.docker.internal:8787

Verification

• npm run build -w @open-inspect/shared
• npm run typecheck -w @open-inspect/control-plane
• npm run typecheck -w @open-inspect/docker-sandbox-api
• npm test -w @open-inspect/control-plane -- src/sandbox/docker-client.test.ts src/sandbox/provider-name.test.ts src/sandbox/providers/docker-provider.test.ts
• Smoke-tested Docker sandbox API create/stop against a real local container.

Notes / Limitations

• Docker provider is local-dev scoped.
• No persistent resume yet; stop destroys containers with docker rm -f.
• No code-server, ttyd, or arbitrary tunnel port exposure yet.
• Docker image build is explicit via npm run docker:sandbox:build; the API fails fast with a breadcrumb if the configured image is missing.