fix(vm): harden compute driver socket

[drew]

Summary

Harden the VM compute-driver management socket while keeping it state-local under the VM driver state directory. The socket now lives under a private run directory, validates ownership and symlink safety, restricts socket permissions, and verifies UDS peer credentials for gateway-spawned drivers.

Related Issue

N/A

Changes

• Move the VM driver socket to <state-dir>/run/compute-driver.sock and create run/ with owner-only permissions.
• Reject unsafe state/socket paths, including symlinks, wrong-owner directories, group/world-writable state dirs, and non-socket stale files.
• Restrict the bound UDS to 0600 and require matching UID plus gateway PID for gateway-spawned driver clients.
• Document the new socket location and note that standalone TCP mode remains local-development only.

Testing

• mise run pre-commit passes
• Unit tests added/updated
• E2E tests added/updated (if applicable)

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-1248.docs.buildwithfern.com/openshell