feat(capability-ratchet): add Rust capability ratchet sidecar

Add a per-request, stateless HTTP proxy sidecar that prevents AI agent
data exfiltration by dynamically revoking capabilities when private or
untrusted data enters the conversation context.

Implementation:
- Axum 0.8 HTTP server: /v1/chat/completions proxy + /health endpoint
- Taint detection from tool results (has-private-data, has-untrusted-input)
- 2x2 revocation matrix mapping taint flags to forbidden capabilities
- Three API format normalizers: Chat Completions, Anthropic, Responses API
- bash-ast Unix socket client for AST-based command analysis
- Recursive bash -c unwrapping with shlex fallback
- OS-level sandbox rewriting (unshare --net / sandbox-exec)
- Tool analysis pipeline: capability detection, reversibility, URL extraction
- User approval flow via X-Ratchet-Approve header
- Shadow mode for log-only deployment
- Multi-stage Docker build producing a single static binary
- 44 unit and integration tests

Tech stack matches NemoClaw core: Axum, Tokio, Reqwest, serde, tracing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

Author: ericksoa

sandboxes/capability-ratchet/.gitignore

@@ -0,0 +1 @@
+/target