feat(execd): add isolation package with bwrap support

[Pangjiping]

• Add pkg/isolation/ package: Isolator interface, bwrap argv builder, startup probe, upper directory management, seccomp loading
• Switch bwrap distribution from //go:embed to Dockerfile static build (musl-gcc) and init container injection alongside execd
• Add isolation flags (upper root, max bytes, diff max bytes, allowed writable) with env var overrides
• Add smoke test: Docker build, extract binaries, verify static link, bwrap namespace test, execd probe
• Add smoke_bwrap.sh to CI workflow (ubuntu-latest only)
• Defer diff/commit to Phase 2 (stub returning 503)

Summary

• What is changing and why?

Testing

• Not run (explain why)
• Unit tests
• Integration tests
• e2e / manual verification

Breaking Changes

• None
• Yes (describe impact and migration path)

Checklist

• Linked Issue or clearly described motivation
• Added/updated docs (if needed)
• Added/updated tests (if needed)
• Security impact considered
• Backward compatibility considered