namespace isolation and new integration tests for CI

[HackStrix]

This pull request adds support for Linux PID namespace isolation in the process worker sandbox, ensuring that each worker runs as PID 1 in its own namespace. It introduces a new namespaceCloneFlags option to ProcessFactory, sets sensible defaults, and adds integration tests to verify namespace isolation. The changes also update the CI workflow to run the new namespace tests.

Namespace isolation support:

• Added namespaceCloneFlags field to ProcessFactory, initialized to defaultNamespaceCloneFlags() (PID, mount, and IPC namespaces) by default, and passed through to the sandbox configuration (process_worker_factory.go, sandbox.go). [1] [2] [3] [4]
• Implemented defaultNamespaceCloneFlags() for Linux and stubbed it for unsupported platforms, ensuring platform compatibility (sandbox_linux.go, sandbox_unsupported.go). [1] [2]
• Modified applySandboxFlags to merge namespace clone flags with cgroup flags and set them in SysProcAttr (sandbox_linux.go).

Testing improvements:

• Added TestNamespace_PIDIsolation integration test to verify that the worker process is PID 1 inside its namespace, and helper to parse the NSpid field from /proc/[pid]/status (sandbox_integration_test.go).
• Added TestApplySandboxFlags_CloneFlagsMergedWithCgroup unit test to ensure correct merging of namespace and cgroup flags (sandbox_linux_test.go).
• Added TestNewProcessFactory_DefaultNamespaceFlags to verify default namespace flags in new factories (factory_cgroup_test.go).

CI workflow update:

• Updated the CI workflow to run both cgroup and namespace integration tests, increasing the timeout accordingly (.github/workflows/ci.yml).