feat: add Landlock sandbox for sidecar process isolation

SandboxConfig with RW/RO paths applied via pre_exec() in sidecar child
process. Requires kernel 6.2+ with graceful fallback. Per-project toggle
in SettingsTab. 9 unit tests.

v2/bterminal-relay/src/main.rs

@@ -99,6 +99,7 @@ async fn main() {
     let sidecar_config = SidecarConfig {
         search_paths,
         env_overrides: std::collections::HashMap::new(),
+        sandbox: Default::default(),
     };
     let token = Arc::new(cli.token);