Allow Node Sandbox opt-out on unsupported Windows builds (restore host execution path)

[Copilot]

On Windows 10 build 19044, MXC sandboxing is unavailable, and the current behavior blocks all host=node command execution with no user override. This change restores a safe/explicit opt-out path: keep fail-closed when sandbox is enabled, but allow unsandboxed execution when users turn sandbox off.

• Runtime gating (MxcCommandRunner)

  • Reordered execution checks to honor explicit opt-out first.
  • New behavior:
    • SystemRunSandboxEnabled == false → route to host runner, even if MXC is unavailable.
    • SystemRunSandboxEnabled == true && MXC unavailable → deny execution (fail closed) with updated guidance text.

• Sandbox UX on unsupported systems (SandboxPage)

  • Keeps the sandbox toggle visible when MXC is unavailable.
  • Splits unavailable state messaging by toggle state:
    • Unavailable + ON: commands blocked.
    • Unavailable + OFF: unprotected host mode.
  • Updates action-bar copy to explicitly call out temporary unprotected mode as a workaround.

• Behavioral test update

  • Updated MxcCommandRunner unit coverage to assert host routing when MXC is unavailable and sandbox is turned off.

if (!settings.SystemRunSandboxEnabled)
{
    return await _hostFallback.RunAsync(request, ct);
}

if (!_isSandboxAvailable())
{
    return Deny("Sandboxing is enabled but unavailable...");
}

[shanselman]

will use #487 instead