Improve the StorageLocal struct

[djeebus]

• use pid to ensure we own the total space
• stop looking for foreign namespaces
• add tests to ensure functionality
• randomly look for available slot
• only return slot if we created it successfully
• no need to create a context timeout, we're only doing in memory things

---

Note

Refactors sandbox networking to use typed env config and PID-locked local namespace storage, updating pool/slot/storage APIs (context-aware release) and adding tests.

• Orchestrator • Sandbox Networking:
  • Config: Introduce network.Config with *net.IPNet CIDRs and parser (ParseConfig, ParseIPNet); update cfg.Parse/ParseBuilder to use custom env parsers.
  • Slot/Pool APIs:
    • Slot now uses config-provided CIDRs; fields renamed (Name replaces Key); NamespaceID/names follow PID-based scheme; remove global CIDR getters.
    • Pool: uses new NewStorage(nodeID, config) and Release(ctx, ...) flow; improved cleanup.
  • Storage:
    • Interface changes: Release(ctx, *Slot); factory no longer passes slots size (derived from config).
    • KV storage computes slotsSize from config and uses slot Name for KV keys.
    • Local storage rewritten: PID-file locking, random slot acquisition, no foreign namespace scanning, metrics added; supports custom storage dir.
  • Tests: Add config_test.go for CIDR parsing and storage_local_test.go for lock/unlock and round-trip behavior.
• API: Minor fix in template build status error path (early return).

^{Written by Cursor Bugbot for commit 1e76a51. This will update automatically on new commits. Configure here.}

[linear]

ENG-3147 Make network.StorageLocal production ready and cooperative

[djeebus]

After reviewing, @ValentaTomas pointed out that Idx is used to generate IP addreses, which must not overlap across orchestrators on the same host. I'll need to do some more work to ensure that stays true.