add run-as-user support to container sandbox exec

[kcoopermiller]

Note

Medium Risk
Changes command execution identity in sandboxes; incorrect user values or gateway handling could affect permissions or security boundaries, though VM sandboxes are explicitly guarded.

Overview
Adds optional run-as-user support for executing commands in container sandboxes (similar to docker exec -u), wired through the SDK and CLI.

CommandRequest gains an optional user field. Sync and async execute_command accept user and, for container sandboxes, include it in the gateway /exec JSON payload when set. VM sandboxes reject a non-null user with ValueError (Connect RPC path unchanged). start_background_job also accepts user and passes it through to the bootstrap execute_command call.

prime sandbox run exposes -u / --user and forwards it to execute_command, with console output when specified.

^{Reviewed by Cursor Bugbot for commit 1e03765. Bugbot is set up for automated code reviews on this repo. Configure here.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d3b3e82e4e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".