feat(vm): derive guest rootfs from sandbox images

[drew]

Summary

Update the VM compute driver so sandbox images drive guest rootfs creation, including per-image caching and Dockerless OCI fetch/unpack for registry and community image refs.
Keep Docker only for local Dockerfile builds on the CLI host, where the CLI exports a rootfs artifact for the VM backend, and update the VM gateway scripts/docs to match the new flow.

Related Issue

N/A

Changes

• remove the bundled VM rootfs fallback and require a sandbox image or configured default image for VM sandboxes
• add OCI-based image fetch, layer unpack, whiteout handling, and digest-keyed rootfs caching in openshell-driver-vm
• keep Dockerfile sources on the host Docker socket, export them as local rootfs tar artifacts for VM sandboxes, and retain gateway-container imports for local Kubernetes gateways
• bundle the guest supervisor separately, update gateway:vm setup/start behavior, and refresh VM architecture and user docs
• fix VM rootfs archiving to preserve broken symlinks found in real container filesystems

Testing

• mise run pre-commit passes
• Unit tests added/updated
• E2E tests added/updated (if applicable)

Additional testing run:

• cargo check -p openshell-driver-vm -p openshell-cli -p openshell-bootstrap
• cargo test -p openshell-bootstrap encode_and_decode_rootfs_tar_image_ref_round_trip
• cargo test -p openshell-driver-vm apply_layer_dir_to_rootfs_honors_whiteouts
• cargo test -p openshell-driver-vm layer_compression_from_media_type_supports_common_formats
• cargo test -p openshell-driver-vm compute_file_sha256_returns_prefixed_digest
• cargo test -p openshell-driver-vm create_rootfs_archive_preserves_broken_symlinks
• cargo test -p openshell-driver-vm prepare_sandbox_rootfs_rewrites_guest_layout
• attempted mise run pre-commit, but test:rust failed in sccache with Too many open files while compiling ring

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-957.docs.buildwithfern.com/openshell

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.