fix(sandbox): enforce non-root fallback when process user unset #346

Closed
drew wants to merge 1 commit into NVIDIA:main from vincentkoc:codex/fix-sandbox-pods-capabilities-vulnerability
drew (Collaborator) commented Mar 16, 2026

Motivation

  • Prevent child workloads from retaining powerful capabilities when a sandbox policy omits run_as_user/run_as_group and the container runs as root.
  • Address an isolation regression where sandbox pod templates add SYS_ADMIN/NET_ADMIN and privilege dropping could be a no-op if the process identity is unset.

Description

  • Changed drop_privileges in crates/openshell-sandbox/src/process.rs to treat an unset process identity as a security-sensitive case by falling back to sandbox:sandbox when running as root, instead of returning early.
  • Preserved existing behavior for non-root runtimes so that omission remains a no-op when not root.
  • Updated unit tests in the same file to account for root vs non-root semantics for the two no-user/no-group cases.
  • The change is minimal and scoped to privilege-drop fallback logic and associated tests.

Testing

  • Updated unit tests in crates/openshell-sandbox/src/process.rs were added/adjusted to cover the new fallback semantics for drop_privileges.
  • Ran cargo fmt --check which succeeded.
  • Attempted cargo check -p openshell-sandbox --lib, but full CI/build was not completed within the interactive environment limits.
  • mise run pre-commit was attempted but failed due to environment/tool resolution and trust issues in this run (not a code failure).

Codex Task
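
The fallback rule in the description above, sketched as an added Rust example that is not the project's code and not taken from crates/openshell-sandbox/src/process.rs. The names `DropPlan`, `plan_before`, `plan_after` and `stays_root` are hypothetical, the effective uid is passed in as a parameter, and the handling of a half-specified identity is an assumption.

```rust
// Added illustration, not the code in crates/openshell-sandbox/src/process.rs.
// Type and function names are hypothetical; euid is passed in for testability.
pub const FALLBACK: (&str, &str) = ("sandbox", "sandbox"); // from the PR text
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum DropPlan {
    NoOp,                                     // keep the current identity
    SwitchTo { user: String, group: String }, // identity to switch to
}

// Assumption: a half-specified identity takes the fallback for the missing half.
fn switch_to(user: Option<&str>, group: Option<&str>) -> DropPlan {
    DropPlan::SwitchTo {
        user: user.unwrap_or(FALLBACK.0).to_string(),
        group: group.unwrap_or(FALLBACK.1).to_string(),
    }
}

/// Before the change: an unset identity returns early, even when running as root.
pub fn plan_before(user: Option<&str>, group: Option<&str>, _euid: u32) -> DropPlan {
    match (user, group) {
        (None, None) => DropPlan::NoOp,
        (u, g) => switch_to(u, g),
    }
}

/// After the change: an unset identity is a no-op only when not running as root.
pub fn plan_after(user: Option<&str>, group: Option<&str>, euid: u32) -> DropPlan {
    match (user, group) {
        (None, None) if euid != 0 => DropPlan::NoOp,
        (u, g) => switch_to(u, g),
    }
}

/// True when the child workload would still run as root under this plan.
pub fn stays_root(plan: &DropPlan, euid: u32) -> bool {
    match plan {
        DropPlan::NoOp => euid == 0,
        DropPlan::SwitchTo { user, .. } => user == "root" || user == "0",
    }
}

fn main() {
    // Constructed cases: (run_as_user, run_as_group, effective uid).
    let cases = [(None, None, 0), (None, None, 1000), (Some("app"), Some("app"), 0)];
    for (u, g, euid) in cases {
        println!("{u:?}:{g:?} euid={euid} root before={} after={}",
            stays_root(&plan_before(u, g, euid), euid), stays_root(&plan_after(u, g, euid), euid));
    }
}
```

Only the first constructed case differs between the two functions: with no user or group set and an effective uid of 0, the old rule leaves the child as root while the new rule selects sandbox:sandbox.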

drew added the integration:aardvark and integration:codex labels Mar 16, 2026

github-actions commented

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:


I have read the DCO document and I hereby sign the DCO.


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

johntmyers (Collaborator) commented

Closing in favor of consolidated re-implementation. See #350 for tracking.
