Evolver: Fix nsjail integration for complete sandbox coverage

- Add /opt to nsjail bindmounts so Rust toolchain (/opt/rust) is accessible
  during sandboxed validation of Rust bots
- Explicitly enable Alpine community repository in Dockerfile to ensure
  nsjail package can be installed (nsjail lives in community, not main)
- The nsjail integration was already optional (it falls back to plain exec if
  unavailable), but these changes ensure it actually works when enabled

This addresses bead bf-3f29: nsjail was listed in apk add but /opt wasn't
bindmounted, causing Rust validation to fail when UseNsjail=true.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
jedarden 2026-05-22 15:18:21 -04:00
parent 7137623f6a
commit d3d655b9c9
3 changed files with 7 additions and 3 deletions


@ -1 +1 @@
00d6754524b429bd61d3e6c581826aaaa5e614a2
7137623f6a68882880fdeb89cf2ef06b41419a46


@ -46,7 +46,11 @@ WORKDIR /app
# - python3, nodejs (typescript), rust (rustup), java, php
# - nsjail for sandbox isolation during validation
# - ca-certificates for HTTPS (LLM calls, K8s API)
RUN apk --no-cache add \
#
# Note: nsjail is in the community repository, ensure it's enabled
RUN grep -q '^https.*\/community$' /etc/apk/repositories || \
echo "https://dl-cdn.alpinelinux.org/alpine/v$(. /etc/os-release && echo $VERSION_ID | cut -d. -f1,2)/community" >> /etc/apk/repositories && \
apk --no-cache add \
ca-certificates \
tzdata \
python3 \
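Review bot: The guard on the new RUN only recognises an `https` community line (`'^https.*\/community$'`), so on a base image whose /etc/apk/repositories uses `http://` or a different mirror the check misses and a second, dl-cdn-specific community entry is appended; a protocol-agnostic pattern such as `grep -q '/community$' /etc/apk/repositories || \` would avoid the duplicate and keep using whichever mirror the image already trusts. The branch built from `cut -d. -f1,2` on VERSION_ID also presumably does not resolve on edge-based images, where the path segment is `edge` rather than `vX.Y` — worth confirming against the base image used here. The `||`/`&&` chain works as written, since sh parses it as `(grep || echo) && apk add`, but a one-line comment saying so would spare the next reader the precedence check. The apk add argument list continues past the end of this hunk.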


@ -127,7 +127,7 @@ func buildNsjailCmd(ctx context.Context, nsjailBin, execPath string, execArgs []
}
// Read-only bind-mounts for language runtimes and system libraries.
for _, p := range []string{"/bin", "/usr", "/lib", "/lib64", "/etc/alternatives", "/proc", "/dev"} {
for _, p := range []string{"/bin", "/usr", "/lib", "/lib64", "/etc/alternatives", "/opt", "/proc", "/dev"} {
if _, err := os.Stat(p); err == nil {
args = append(args, "--bindmount_ro", p)
}
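Review bot: Bind-mounting all of `/opt` read-only is broader than the stated need, which is the Rust toolchain at /opt/rust; anything else that ends up under /opt in the image becomes visible inside the sandbox as well. Because the os.Stat guard already skips absent paths, the narrower mount costs nothing: `for _, p := range []string{"/bin", "/usr", "/lib", "/lib64", "/etc/alternatives", "/opt/rust", "/proc", "/dev"} {` — or, if other runtimes are expected under /opt, the comment above the loop should say so. Note too that a missing toolchain is skipped silently here, so the failure only surfaces later as a missing binary inside the sandbox; a debug log on the skip branch would make that easier to diagnose. buildNsjailCmd starts before this hunk and its remaining body continues after it.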