feat(backend): add plugin execution sandbox with SIGTERM→SIGKILL e, fixes- #326 #399

Closed
samarthsugandhi wants to merge 1 commit into utksh1:main from samarthsugandhi:feat/plugin-execution-sandbox

@samarthsugandhi
Contributor

Summary

Adds a SandboxConfig / SandboxViolation / run_sandboxed layer in
sandbox_executor.py that wraps every plugin subprocess with configurable
timeout enforcement, output byte-capping, and POSIX resource limits.
The existing _execute_command in executor.py is replaced with a call
to the sandbox, with zero changes to any other executor logic.
Closes #326.

Changes

New file — backend/secuscan/sandbox_executor.py

  • SandboxConfig dataclass: timeout_seconds, max_memory_mb,
    max_output_bytes, sigterm_grace_seconds
  • SandboxViolation exception: carries reason (timeout |
    memory_limit | output_limit) and output (partial output)
  • run_sandboxed(): wraps asyncio.create_subprocess_exec with:
    • asyncio.wait_for() enforcing timeout_seconds
    • stdout byte-stream capping at max_output_bytes with drain
    • preexec_fn applying RLIMIT_AS + RLIMIT_CPU on Linux;
      skipped silently on macOS/Windows via platform.system() guard
    • SIGTERM → sigterm_grace_seconds → SIGKILL escalation
    • Exit code -9 / 137 detection for OS memory kills (Linux)
  • _escalate_kill(): platform-safe SIGTERM→SIGKILL helper

Modified — backend/secuscan/executor.py

  • _execute_command() replaced: now delegates to run_sandboxed()
  • SandboxViolation caught: broadcasts terminated:{reason} status
    event, writes structured error_message to DB, logs audit event
  • execute_task(): builds SandboxConfig from plugin metadata
    output.sandbox key with fallback to global settings values,
    enabling per-plugin resource overrides without code changes

How to test

  1. Start a scan against any plugin — confirm it completes normally
  2. Set SECUSCAN_SANDBOX_TIMEOUT=5 and scan a slow target —
    confirm task status shows terminated:timeout after 5 seconds
  3. On Linux, set SECUSCAN_SANDBOX_MEMORY_MB=1 — confirm
    terminated:memory_limit on a memory-heavy plugin
  4. Check GET /api/v1/audit — confirm sandbox_violation event
    appears with correct reason in context
  5. Check Task Details UI — confirm terminated:timeout badge
    renders distinctly from generic failure

Notes

  • resource.setrlimit is Linux-only; a platform.system() guard
    skips it on macOS/Windows — timeouts still apply on all platforms
  • Backward-compatible: SandboxConfig defaults mirror existing
    settings.sandbox_timeout and settings.sandbox_memory_mb values
  • No new dependencies — stdlib only (asyncio, signal, resource,
    platform)

Closes #326
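
A minimal sketch of the mechanism the description above lists (timeout via `asyncio.wait_for`, chunked stdout capping, `RLIMIT_AS` in a `preexec_fn`, SIGTERM then SIGKILL), added here as an illustration and not the code from `sandbox_executor.py`. The names `SandboxConfig`, `SandboxViolation`, `run_sandboxed` and `_escalate_kill` come from the description; the bodies, the default values, the `_rlimit_hook` helper and the "0 means no memory limit" convention are assumptions, and `RLIMIT_CPU` is left out.

```python
import asyncio
import platform
from dataclasses import dataclass

@dataclass
class SandboxConfig:  # field names from the PR description; defaults are assumed
    timeout_seconds: float = 30.0
    max_memory_mb: int = 0  # assumption: 0 means no address-space limit
    max_output_bytes: int = 1_000_000
    sigterm_grace_seconds: float = 2.0

class SandboxViolation(Exception):
    def __init__(self, reason, output):
        super().__init__(reason)
        self.reason, self.output = reason, output  # output is the partial capture

def _rlimit_hook(cfg):  # hypothetical helper: preexec_fn for the child, Linux only
    if platform.system() != "Linux" or not cfg.max_memory_mb:
        return None
    import resource  # POSIX-only module, imported lazily
    cap = cfg.max_memory_mb * 1024 * 1024
    return lambda: resource.setrlimit(resource.RLIMIT_AS, (cap, cap))

async def _escalate_kill(proc, grace):
    if proc.returncode is not None:
        return  # child already exited, nothing to signal
    proc.terminate()  # SIGTERM on POSIX
    try:
        await asyncio.wait_for(proc.wait(), grace)
    except asyncio.TimeoutError:
        proc.kill()  # SIGKILL: the child ignored or outlived SIGTERM
        await proc.wait()

async def run_sandboxed(argv, cfg):
    proc = await asyncio.create_subprocess_exec(
        *argv, stdout=asyncio.subprocess.PIPE, preexec_fn=_rlimit_hook(cfg))
    buf = bytearray()
    async def pump():  # read in chunks so the cap is enforced while streaming
        while chunk := await proc.stdout.read(65536):
            buf.extend(chunk)
            if len(buf) > cfg.max_output_bytes:
                raise SandboxViolation("output_limit", bytes(buf[:cfg.max_output_bytes]))
        await proc.wait()
    try:
        await asyncio.wait_for(pump(), cfg.timeout_seconds)
    except asyncio.TimeoutError:
        raise SandboxViolation("timeout", bytes(buf)) from None
    finally:  # runs on every path; returns at once if the child has exited
        await _escalate_kill(proc, cfg.sigterm_grace_seconds)
    return proc.returncode, bytes(buf)
```

Exceeding `RLIMIT_AS` makes the child's allocations fail with ENOMEM rather than delivering SIGKILL, so a memory-limited plugin often exits with its own error code; an exit status of -9 indicates a kill from outside the rlimit, such as the kernel OOM killer.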

…lation, output cap, and POSIX resource limits
Copilot AI review requested due to automatic review settings May 28, 2026 20:48
@utksh1 added labels on May 29, 2026: level:intermediate (35 pts difficulty label for moderate contributor PRs), type:feature (Feature work category bonus label), area:backend (Backend API, database, or service work), gssoc:invalid (Admin validation: invalid for GSSoC scoring)
@utksh1
Owner

utksh1 commented May 29, 2026

Closing this as a duplicate/lower-scope implementation for #326. #408 covers the same sandbox executor area with a broader implementation, resource-limit coverage, and dedicated backend/integration tests, so keeping the stronger PR open for review.

@utksh1 utksh1 closed this May 29, 2026

Development

Successfully merging this pull request may close these issues.

[FEAT] Add plugin execution sandbox with resource limits and timeout enforcement
