Add `e` substitute flag (execute replacement as shell)

[sylvestre]

Bug

The e substitute flag (execute the result of the substitution as a
shell command, replace pattern space with the command's stdout) is
not implemented. It is the substitute-time counterpart to the standalone
e command (which is also missing — together they would unblock the
eval and sandbox GNU tests).

Reproduction

$ echo a | /usr/bin/sed 's/.*/echo hi/e'
hi

$ echo a | ./target/release/sed 's/.*/echo hi/e'
sed: <script argument 1>:1:14: error: invalid substitute flag: 'e'

What it should do

GNU manual:

e This command allows one to pipe input from a shell command into
the pattern space. Without parameters, the e command executes the
command that is found in pattern space and replaces the pattern
space with the output; a trailing newline is suppressed. […] As a
GNU extension, the s command can have an e modifier with the same
functionality.

Order matters: the substitution is performed first, then the rendered
replacement is run as a shell command, and its stdout (sans trailing
newline) replaces the pattern space.

Must be rejected under --sandbox (already plumbed at mod.rs:104)
and under --posix.

Suspected place to add it

src/sed/compiler.rs:854 — compile_subst_flags. Add an 'e' => arm
that sets subst.execute = true (new field), and reject the flag when
either posix or sandbox is true.

The execution side belongs in processor.rs, after the substitution
result is rendered: spawn a shell (/bin/sh -c <result>), read its
stdout, replace the pattern space.

Security note

s///e and the standalone e command are why --sandbox exists.
Make sure the sandbox check is enforced at compile time (so the
script is rejected before any input is read), not only at run time.

Affected GNU testsuite tests

subst-options, sandbox.