Add containers_pid_namespace compatibility flag

[gpanders]

When set, this compatibility flag instructs the containers runtime to start the user's container in a separate PID namespace. Eventually this will become the default (past some yet-to-be-determined compatibility date).

---

Per @danlapid's suggestion, this follows the pattern used by neededByFl to annotate compatibility flags specifically needed for the containers service. We'll use this annotation in Edgeworker to send only the required compatibility flags to the ContainerService from the actor.

Part of CC-6789

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.56%. Comparing base (dd7a515) to head (118c2cb).
⚠️ Report is 41 commits behind head on main.

Files with missing lines	Patch %	Lines
src/workerd/server/container-client.c++	0.00%	9 Missing ⚠️
src/workerd/api/container.c++	0.00%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6063      +/-   ##
==========================================
+ Coverage   70.38%   70.56%   +0.17%     
==========================================
  Files         408      409       +1     
  Lines      108811   108964     +153     
  Branches    18000    18011      +11     
==========================================
+ Hits        76591    76886     +295     
+ Misses      21415    21275     -140     
+ Partials    10805    10803       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

The generated output of @cloudflare/workers-types matches the snapshot in types/generated-snapshot 🎉

[codspeed-hq]

Merging this PR will not alter performance

✅ 70 untouched benchmarks
⏩ 129 skipped benchmarks¹

---

_{Comparing ganders/CC-6790 (118c2cb) with main (5361a73)}

Footnotes

1. 129 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[kentonv]

Sorry to suggest yet another redesign, but per my comment above, I think you are going to need to pass this in StartParams. In the edge runtime, it won't be feasible to pass the compatibility flags to the place where the container is first requested, since the worker hasn't necessarily been loaded yet at that point.

[kentonv]

LGTM once $experimental is added.

The internal build failure is spurious. It'll re-run anyway after the update.