Docker tasks currently bind-mount the host workdir into /app, so requested disk_bytes are not enforced by the runtime.

Use a bounded tmpfs mount for the Docker workdir path before bundle staging so build and run containers share the same /app contents while writes are capped to the requested disk budget. Keep shared uv and cargo caches outside that limit.

Acceptance criteria:

• Docker runtime mounts a bounded tmpfs for /app when disk_bytes is set.
• Bundle staging and the build/run split keep working with the shared workdir.
• Cleanup unmounts the workdir reliably after the task finishes.