core: add Sandbox::spawn() that awaits execve completion

[congwang-mk]

Summary

• Adds Sandbox::spawn() and Sandbox::spawn_interactive() — sugar for create() + start() that additionally blocks until the child has actually finished execve() and is executing user code. Mirrors Python's Sandbox.spawn() but with stronger semantics, since the Rust supervisor's checkpoint/state-reading operations depend on the child being past execve.
• Detection is by /proc/<pid>/exe no longer matching /proc/self/exe (before execve the child still shares the supervisor's binary). Polled every 1ms with a 5s ceiling; condition is real, the interval is just granularity.
• Rewrites the 5 test_checkpoint cases to use spawn_interactive, removing the hand-rolled tokio::time::sleep(100ms) "give it a moment to start" waits that were flaky under CI load. Test suite now finishes in ~10ms instead of ~500ms minimum.

Test plan

• cargo test -p sandlock-core --test integration test_checkpoint (7 passed in 0.01s)
• cargo test --workspace (all suites green)