[Security] Sanitize environment variables passed to user commands in ExecuteHandler #183

@acsoto

Description

Currently, the ExecuteHandler in pkg/picod/execute.go inherits the full host environment (os.Environ()) and passes it to the executed command.

Security Concern
This behavior poses a security risk as it may expose sensitive host or container environment variables (e.g., KUBERNETES_SERVICE_HOST, PICOD_AUTH_PUBLIC_KEY, or other secrets) to the arbitrary code being executed by the agent.

Constraint
We cannot simply remove the environment inheritance entirely. The child process requires essential variables like PATH (to locate binaries), HOME (for config files), and LANG/LC_ALL (for character encoding). Removing these results in functional breakages (e.g., subprocess.run failing to find system tools in Python).

Proposed Solution
Implement an allowlist (whitelist) mechanism for environment variables in ExecuteHandler.

  1. By default, ignore host environment variables.
  2. Explicitly allow a minimal set of safe, essential variables from the host:
    • PATH
    • HOME
    • LANG, LC_ALL
    • TERM
  3. Continue to merge user-provided req.Env on top of this sanitized list.
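
One way to implement the allowlist merge proposed above, added here as an example and not the project's own code. The function name buildChildEnv and the map[string]string shape of req.Env are assumptions, and the host values in main are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Host variables the issue proposes to pass through; everything else is dropped.
var allowedHostEnv = map[string]bool{
	"PATH": true, "HOME": true, "LANG": true, "LC_ALL": true, "TERM": true,
}

// buildChildEnv filters hostEnv (os.Environ() form, "KEY=VALUE") through the
// allowlist, then merges reqEnv on top. reqEnv stands in for req.Env and is
// assumed to be a map[string]string. The result is always non-nil: exec.Cmd
// treats a nil Env as "inherit the parent's environment".
func buildChildEnv(hostEnv []string, reqEnv map[string]string) []string {
	merged := make(map[string]string)
	for _, kv := range hostEnv {
		if k, v, ok := strings.Cut(kv, "="); ok && allowedHostEnv[k] {
			merged[k] = v
		}
	}
	for k, v := range reqEnv {
		// Skip entries that cannot form a valid KEY=VALUE pair.
		if k == "" || strings.ContainsAny(k, "=\x00") || strings.Contains(v, "\x00") {
			continue
		}
		merged[k] = v // user-supplied values win over host values
	}
	out := make([]string, 0, len(merged))
	for k, v := range merged {
		out = append(out, k+"="+v)
	}
	sort.Strings(out) // deterministic order for logging and tests
	return out
}

func main() {
	// Constructed sample host environment; a handler would pass os.Environ().
	host := []string{
		"PATH=/usr/local/bin:/usr/bin", "HOME=/root", "LANG=en_US.UTF-8",
		"KUBERNETES_SERVICE_HOST=10.0.0.1", "PICOD_AUTH_PUBLIC_KEY=constructed-value",
	}
	for _, kv := range buildChildEnv(host, map[string]string{"LANG": "C.UTF-8", "APP_MODE": "test"}) {
		fmt.Println(kv)
	}
}
```

Assigning the returned slice to cmd.Env replaces inheritance even when no host variable matches, because the slice is empty rather than nil.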
