fix(sandbox): convert new Landlock path-skip warning to OCSF

PR #677 added a warn!() for inaccessible Landlock paths in best-effort
mode. Convert to ConfigStateChangeBuilder with degraded state so it
flows through the OCSF shorthand format consistently.

Author: johntmyers

crates/openshell-sandbox/src/proxy.rs

@@ -2075,9 +2075,7 @@ async fn handle_forward_proxy(
                 .severity(SeverityId::Low)
                 .status(StatusId::Failure)
                 .dst_endpoint(Endpoint::from_domain(&host_lc, port))
-                .message(format!(
-                    "Failed to clone OPA engine for forward L7: {e}"
-                ))
+                .message(format!("Failed to clone OPA engine for forward L7: {e}"))
                 .build();
             ocsf_emit!(event);
             regorus::Engine::new()

crates/openshell-sandbox/src/sandbox/linux/landlock.rs

@@ -169,11 +169,16 @@ fn try_open_path(path: &Path, compatibility: &LandlockCompatibility) -> Result<O
                             "Skipping non-existent Landlock path (best-effort mode)"
                         );
                     } else {
-                        warn!(
-                            path = %path.display(),
-                            error = %err,
-                            reason,
-                            "Skipping inaccessible Landlock path (best-effort mode)"
+                        openshell_ocsf::ocsf_emit!(
+                            openshell_ocsf::ConfigStateChangeBuilder::new(crate::ocsf_ctx())
+                                .severity(openshell_ocsf::SeverityId::Medium)
+                                .status(openshell_ocsf::StatusId::Failure)
+                                .state(openshell_ocsf::StateId::Other, "degraded")
+                                .message(format!(
+                                    "Skipping inaccessible Landlock path (best-effort) [path:{} error:{err}]",
+                                    path.display()
+                                ))
+                                .build()
                         );
                     }
                     Ok(None)

crates/openshell-sandbox/src/sandbox/linux/netns.rs

@@ -283,17 +283,17 @@ impl NetworkNamespace {
             &proxy_port_str,
             &log_prefix,
         ) {
-            openshell_ocsf::ocsf_emit!(openshell_ocsf::ConfigStateChangeBuilder::new(
-                crate::ocsf_ctx()
-            )
-            .severity(openshell_ocsf::SeverityId::Medium)
-            .status(openshell_ocsf::StatusId::Failure)
-            .state(openshell_ocsf::StateId::Disabled, "failed")
-            .message(format!(
-                "Failed to install IPv4 bypass detection rules [ns:{}]: {e}",
-                self.name
-            ))
-            .build());
+            openshell_ocsf::ocsf_emit!(
+                openshell_ocsf::ConfigStateChangeBuilder::new(crate::ocsf_ctx())
+                    .severity(openshell_ocsf::SeverityId::Medium)
+                    .status(openshell_ocsf::StatusId::Failure)
+                    .state(openshell_ocsf::StateId::Disabled, "failed")
+                    .message(format!(
+                        "Failed to install IPv4 bypass detection rules [ns:{}]: {e}",
+                        self.name
+                    ))
+                    .build()
+            );
             return Err(e);
         }
 

crates/openshell-sandbox/src/ssh.rs

@@ -17,7 +17,6 @@ use openshell_ocsf::{
     FindingInfo, SeverityId, SshActivityBuilder, StatusId, ocsf_emit,
 };
 use rand_core::OsRng;
-use tracing::warn;
 use russh::keys::{Algorithm, PrivateKey};
 use russh::server::{Auth, Handle, Session};
 use russh::{ChannelId, CryptoVec};
@@ -31,6 +30,7 @@ use std::sync::{Arc, Mutex, mpsc};
 use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpListener;
+use tracing::warn;
 
 const PREFACE_MAGIC: &str = "NSSH1";
 #[cfg(test)]