Core OTel instrumentation

[muscariello]

• Keep the existing SecOps spans, but move the “SHADI runtime” tracing into shared/core paths.

• Instrument:
  - policy load and resolution in crates/shadictl/src/main.rs
  - sandbox spawn/wait lifecycle in crates/shadi_sandbox/src/lib.rs
  - Python launcher flow in tools/run_sandboxed_agent.py
  - secret injection and memory access where appropriate

• Standardize service/resource naming so traces from core SHADI and SecOps can be correlated.

• Add span attributes for:
  - command
  - cwd
  - policy source
  - allowed paths count
  - network mode
  - exit code
  - snapshot artifact path when enabled

• Document the environment variables and local collector setup in docs.