feat(sandbox): load system CA certificates for upstream TLS connections

[matz3]

Summary

The sandbox proxy's upstream TLS client only trusted Mozilla root CAs (via webpki-roots), which broke TLS connections to internal or corporate hosts that use private CA certificates. This PR loads system CA certificates from the container's trust store (e.g. /etc/ssl/certs/ca-certificates.crt) in addition to Mozilla roots, so custom sandbox images can include corporate CAs via update-ca-certificates.

Related Issue

No dedicated GitHub issue created.
The issue is that connections to internal / corporate hosts are not possible in case they use a custom domain with a non-public root CA.

Changes

• l7/tls.rs: build_upstream_client_config now accepts a system_ca_bundle string and loads those PEM certs into the rustls root store alongside webpki-roots
• l7/tls.rs: New load_pem_certs_into_store helper that parses a PEM bundle into a RootCertStore, returning (added, ignored) counts
• l7/tls.rs: read_system_ca_bundle promoted to pub; write_ca_files now takes the pre-read bundle as a parameter to avoid reading it twice
• lib.rs: run_sandbox reads the system CA bundle once and passes it to both write_ca_files and build_upstream_client_config
• Tests: 7 new unit tests covering single/multiple/empty/malformed PEM parsing and write_ca_files output
• Architecture docs: Updated sandbox.md and gateway-security.md to reflect the new trust chain behavior

Testing

• mise run pre-commit passes

• Unit tests added/updated

• E2E tests not applicable (according to principal-engineer-reviewer agent)

• Manual testing via custom image

  • Example Dockerfile:

    FROM ghcr.io/nvidia/openshell-community/sandboxes/base:latest
    
    USER root
    
    # Copy your corporate/internal CA certificate
    COPY my-corporate-ca.crt /usr/local/share/ca-certificates/my-corporate-ca.crt
    
    # Rebuild the system trust store
    RUN /usr/sbin/update-ca-certificates
    
    USER sandbox

• Security validation (via Claude Code / Opus 4.6)

  • The system CA bundle is read once at startup in the supervisor process, before the sandboxed child exists. The child cannot write to the CA paths due to Landlock (read-only) and DAC (unprivileged user). On restart, the same protections apply. The trust boundary is the container image builder, which is appropriate.

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[github-actions]

All contributors have signed the DCO ✍️ ✅
_{Posted by the DCO Assistant Lite bot.}

[matz3]

I have read the DCO document and I hereby sign the DCO.

[johntmyers]

recheck

[johntmyers]

Hi @matz3 thank you. Is this good to merge?

[matz3]

Yes 👍🏻
It works fine for me when using a custom sandbox image as mentioned above.