fix(sandbox): refresh docker/podman/vm tokens in gateway

[TaylorMutch]

Summary

Fix sandbox token recovery for singleplayer runtimes by making Docker, Podman, and VM token refresh gateway-managed, with an explicit supervisor auth mode contract for each backend. Kubernetes remains on ServiceAccount exchange instead of gateway-managed token files.

Related Issue

Closes #1603

Changes

• Add explicit OPENSHELL_SANDBOX_AUTH_MODE values for static, gateway-managed file, gateway-managed supervisor-push, and Kubernetes ServiceAccount exchange paths
• Refresh Docker, Podman, and VM sandbox tokens from the gateway during startup resume and periodic rotation
• Add compute-driver resume/write-token RPCs and VM supervisor token push handling
• Add Docker, Podman, and VM expired-token resume regression tests
• Update architecture and driver docs for the explicit token ownership model

Testing

• mise run pre-commit passes
• Unit tests added/updated
• E2E tests added/updated
• Docker expired-token resume e2e passed
• Podman expired-token resume e2e passed
• VM expired-token resume e2e: attempted locally, blocked by missing mkfs.ext4/e2fsprogs prerequisite on this machine

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)

[github-actions]

Label test:e2e applied for df3f0bc. Open the existing run and click Re-run all jobs to execute with the label set. The run will execute the standard E2E suite after building the required gateway and supervisor images once. The matching required CI gate status on this PR will flip green automatically once the run finishes.