openshell-sandbox patched: DNS + direct TCP for Slack Socket Mode

@kosaku-sim kosaku-sim released this 30 Mar 12:17

Patched openshell-sandbox binary (aarch64) for NemoClaw sandbox.

Changes from upstream nvidia/OpenShell:

  1. UDP DNS ACCEPT rule for CoreDNS in sandbox netns
  2. IP forwarding + MASQUERADE for DNS routing through veth
  3. Landlock unavailable warning downgraded to debug (prevents ANSI config corruption)
  4. OPENSHELL_DIRECT_TCP_HOSTS env var for direct TCP 443 access to specified hosts

Required env var on Sandbox CRD:

OPENSHELL_DIRECT_TCP_HOSTS=wss-primary.slack.com,wss-backup.slack.com,api.slack.com,edgeapi.slack.com,files.slack.com

Branch: fix/sandbox-dns-udp-accept
Built on: aarch64 (Graviton c7g.large), Rust 1.88