feat: generic sandbox status, inference provider & security posture cards

[vivekchand]

Closes #235

What

Adds three new conditional cards to the System Health panel that render platform-agnostic sandbox, inference, and security metadata.

How

Backend (dashboard.py):

• _detect_sandbox_metadata() — checks env vars (SANDBOX_NAME, CONTAINER_NAME), Docker detection (/.dockerenv, /proc/1/cgroup), and openclaw.json sandbox config
• _detect_inference_metadata() — checks env vars, openclaw.json inference config, and infers provider from model name
• _detect_security_metadata() — checks auth config, bind address, exec security mode, sandbox status, network policy
• All three return None when no metadata is found (cards hide gracefully)

Frontend (both dark + light themes):

• Sandbox card: green/yellow/red status dot, sandbox name, type badge
• Inference card: provider name + monospace model identifier
• Security posture: badge row (Sandboxed, Auth, Localhost, exec mode, network policy)
• All sections use display:none wrapper divs, shown only when API returns data

Tests (test_api.py):

• 3 new tests verifying sandbox/inference/security fields in /api/system-health response

Design principle

The dashboard is platform-agnostic. It renders whatever metadata the sync daemon provides.

No vendor logos. No NemoClaw-specific UI. Just generic cards that work for Docker, NemoClaw, or any future sandboxed setup.

+172 lines across 2 files. 73 tests pass, 6 skipped.