fix(execd): import mitm CA to NSS; set Node/npm trust for transparent egress #776

Merged
ninan-nn merged 1 commit into alibaba:main from Pangjiping:hotfix/execd-ca
Apr 24, 2026
@Pangjiping (Collaborator) commented Apr 24, 2026

Summary

When OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT is set and the mitm CA PEM
is available:

  • Add trust_mitm_ca_nss: import the CA into $HOME/.pki/nssdb (Chrome uses NSS, not only the system store) via certutil; support sql/dbm and initialize an empty SQL DB if needed.
  • Export NODE_EXTRA_CA_CERTS to the same PEM for npm/Node TLS behind interception.
  • Install nss-tools in the execd image so certutil is available in Alpine.
  • Fix the bootstrap log to say 30s (the wait loop is 30 iterations).

Testing

  • Not run (explain why)
  • Unit tests
  • Integration tests
  • e2e / manual verification

Breaking Changes

  • None
  • Yes (describe impact and migration path)

Checklist

  • Linked Issue or clearly described motivation
  • Added/updated docs (if needed)
  • Added/updated tests (if needed)
  • Security impact considered
  • Backward compatibility considered
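
One way to carry out the steps listed in the summary above, as an added shell example that is not the code from this pull request's bootstrap.sh. The function names, the `MITM_CA_PEM` variable and the `sandbox-mitm-ca` nickname are assumptions; the example also rejects multi-certificate bundles and limits NSS trust to TLS server authentication.

```shell
#!/bin/sh
# Added example, not the project's bootstrap.sh. Function names, MITM_CA_PEM
# and the "sandbox-mitm-ca" nickname are assumptions.

# Choose the NSS database spec: cert9.db is the SQL format, cert8.db the
# legacy dbm format; a directory with neither gets a new SQL database.
nss_db_spec() {
    if [ -f "$1/cert9.db" ]; then printf 'sql:%s\n' "$1"
    elif [ -f "$1/cert8.db" ]; then printf 'dbm:%s\n' "$1"
    else printf 'sql:%s\n' "$1"
    fi
}

# Accept only a readable file holding exactly one PEM certificate, so a
# bundle cannot add more trust anchors than intended.
is_single_pem_cert() {
    [ -r "$1" ] || return 1
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    [ "$n" -eq 1 ]
}

trust_mitm_ca() {
    pem=$1
    nick=${2:-sandbox-mitm-ca}
    dir="$HOME/.pki/nssdb"
    is_single_pem_cert "$pem" || { echo "refusing $pem: need one PEM cert" >&2; return 1; }
    command -v certutil >/dev/null 2>&1 || { echo "certutil missing (nss-tools)" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    db=$(nss_db_spec "$dir")
    if [ ! -f "$dir/cert9.db" ] && [ ! -f "$dir/cert8.db" ]; then
        certutil -d "$db" -N --empty-password || return 1   # empty SQL DB
    fi
    # "C,," trusts the CA for TLS server certificates only, not for
    # S/MIME or code signing.
    certutil -d "$db" -A -n "$nick" -t "C,," -i "$pem" || return 1
    # Node/npm read extra roots from this variable at process start.
    export NODE_EXTRA_CA_CERTS="$pem"
}

# Runs only when the page's transparent-egress flag and a CA path are set.
if [ -n "${OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT:-}" ] && [ -n "${MITM_CA_PEM:-}" ]; then
    trust_mitm_ca "$MITM_CA_PEM"
fi
```

`certutil -d <spec> -L` lists the imported nickname and its trust flags for verification.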

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d127fc4167

Comment thread components/execd/bootstrap.sh Outdated

@ninan-nn (Collaborator) left a comment

LGTM

@ninan-nn ninan-nn merged commit d4044c1 into alibaba:main Apr 24, 2026
9 of 10 checks passed
Labels: bug, component/execd
