
Conversation


@la-j la-j commented Jan 9, 2026

Reason

Fixes #85

PR #80 introduced logic to protect sensitive paths (.git, .bashrc, etc.) by mounting /dev/null over them. For non-existent paths, it attempted to block their creation by mounting /dev/null at the first non-existent path component. This approach backfired - instead of preventing file creation, it caused files to be created into the working directory.

The fundamental issue: bwrap bind mounts can only protect paths that exist. Trying to preemptively block non-existent paths via mount tricks is fragile and error-prone.

This PR takes a simpler approach: warn users when protected paths cannot be fully protected (non-existent or containing symlinks).

Description

  • Remove findFirstNonExistentComponent function that attempted to block creation of non-existent deny paths
  • Add onWarnings callback to LinuxSandboxParams for reporting unprotected paths
  • Emit warnings when protected paths are non-existent or contain symlink components
  • Remove tests for non-existent path blocking behavior
  • Simplify deny path handling logic

References
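As an added example (not code from this PR or from the project), the check the description calls for, in TypeScript: for each deny path, decide whether bwrap can mask it and emit the corresponding bwrap arguments, otherwise record a warning. Assumptions: a file is masked with `--ro-bind /dev/null PATH` and a directory with `--tmpfs PATH` (both are real bwrap options, but the project may mask paths differently); `planDenyPaths`, `firstSymlinkComponent` and `buildFixture` are illustrative names, not the project's API, and the fixture directory is constructed here for the demonstration.

```typescript
// Added example, not the project's own code. Decide per deny path whether
// bwrap can mask it; bwrap mounts need an existing mount point, and a path
// that traverses a symlink would mask the link target, not the requested name.
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

interface DenyPathPlan {
  bwrapArgs: string[]; // arguments to append to the bwrap command line
  warnings: string[];  // reasons a requested path is left unprotected
}

// Return the first component of absPath (as an absolute path) that is a
// symlink, or null if none is. Nonexistent components are not reported here;
// the caller checks existence first.
function firstSymlinkComponent(absPath: string): string | null {
  let cur = path.parse(absPath).root;
  const parts = absPath.slice(cur.length).split(path.sep).filter(Boolean);
  for (const part of parts) {
    cur = path.join(cur, part);
    let st: fs.Stats;
    try {
      st = fs.lstatSync(cur);
    } catch {
      return null;
    }
    if (st.isSymbolicLink()) return cur;
  }
  return null;
}

// Assumed masking strategy (hypothetical, not necessarily the project's):
// files -> "--ro-bind /dev/null PATH", directories -> "--tmpfs PATH".
function planDenyPaths(denyPaths: string[], cwd: string): DenyPathPlan {
  const plan: DenyPathPlan = { bwrapArgs: [], warnings: [] };
  for (const deny of denyPaths) {
    const abs = path.resolve(cwd, deny);
    let st: fs.Stats;
    try {
      st = fs.lstatSync(abs);
    } catch {
      // No existing inode to mount over; the path cannot be protected.
      plan.warnings.push(
        `${deny}: does not exist, cannot be protected (bwrap can only mask existing paths)`
      );
      continue;
    }
    const link = firstSymlinkComponent(abs);
    if (link !== null) {
      // A mount here would apply to the link target; refuse rather than guess.
      plan.warnings.push(`${deny}: component ${link} is a symlink, cannot be protected reliably`);
      continue;
    }
    if (st.isDirectory()) {
      plan.bwrapArgs.push("--tmpfs", abs);
    } else {
      plan.bwrapArgs.push("--ro-bind", "/dev/null", abs);
    }
  }
  return plan;
}

// Constructed fixture for the demonstration: a working directory with a real
// .bashrc file, a .git directory, and a symlinked directory "link" -> "real".
function buildFixture(): string {
  const root = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "deny-demo-")));
  fs.writeFileSync(path.join(root, ".bashrc"), "export PS1='$ '\n");
  fs.mkdirSync(path.join(root, ".git"));
  fs.mkdirSync(path.join(root, "real"));
  fs.writeFileSync(path.join(root, "real", "secret"), "token\n");
  fs.symlinkSync(path.join(root, "real"), path.join(root, "link"));
  return root;
}

function demo(): DenyPathPlan {
  const root = buildFixture();
  // .npmrc does not exist and link/secret goes through a symlink: both warn.
  const plan = planDenyPaths([".bashrc", ".git", "link/secret", ".npmrc"], root);
  console.log(plan);
  return plan;
}

demo();
```

The two warning cases are the ones the description names; anything else is turned into mount arguments. Checking every component with `lstat` rather than only the leaf matters because `link/secret` itself is a regular file that exists, and only the walk reveals that the name reaches it through a symlink.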


la-j commented Jan 9, 2026

I explored these ideas before arriving at the current solution:

  1. Tracking paths to remove after execution -- would still create inodes if the process was stopped / cancelled
  2. Using overlayfs -- there would be significant complexity to create a temp dir that has the write-protected files and merge it with the working dir


la-j commented Jan 9, 2026

Another consideration is to just completely remove the warnings.


Linked issue (may be closed by merging this pull request): srt generates dotfiles and directories on command execution