Add Incus container support to sandboxed workspaces

- Add incus.nix module for fully declarative Incus/LXC containers
- Build NixOS LXC images using nixpkgs.lib.nixosSystem
- Ephemeral containers: recreated on each start, cleaned up on stop
- Use flock to serialize concurrent container operations
- Deterministic MAC addresses via lib.mkMac to prevent ARP cache issues
- Add veth* to NetworkManager unmanaged interfaces
- Update CLAUDE.md with coding conventions and shared lib docs

common/network/sandbox.nix

@@ -99,6 +99,7 @@ in
       "interface-name:${cfg.bridgeName}"
       "interface-name:vm-*"
       "interface-name:ve-*"
+      "interface-name:veth*"
     ];
 
     # Make systemd-resolved listen on the bridge for workspace DNS queries.