Avoid allocating pretty-JSON just to hash it by streaming\nserialization into a blake3 hasher. Keeps checksum bytes\ncompatible and adds a regression test.
- Guard WAL recovery and stale .running cleanup behind a try-acquired store lock\n- Persist rollback ResetState via MetadataStore to recompute checksums\n- Track a killable host PID for namespace enter/stop and treat SIGTERM/SIGKILL as clean exit\n- Derive OCI status PID via runtime state output\n- Make sandbox chroot script quoting robust for exec/enter
- Run cargo fmt on skip_if_root() blocks
- Add skip_if_root() to migrate_atomic_version_unchanged_on_write_failure
- Add libc dev-dependency to karapace-store for root check
- Remove explicit shell: sh from container rustup steps (OCI exec
can't find sh in PATH; default run shell works)
