fix: enforce no-new-privileges on all container creation

The manifest field was validated but never applied to the podman create
command. Now passes --security-opt no-new-privileges=true for all containers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

core/container/src/podman_client.rs

@@ -177,6 +177,9 @@ impl PodmanClient {
             cmd.arg("--cap-add").arg(cap);
         }
 
+        // Enforce no new privileges (prevent setuid escalation)
+        cmd.arg("--security-opt").arg("no-new-privileges=true");
+
         // Image
         cmd.arg(&manifest.app.container.image);