Add sandbox Docker Compose files with security hardening

[flavioconterato]

📝 Description

Add sandboxed Docker Compose files (docker-compose-sandbox.yml and docker-compose-sandbox.full.yml) for enhanced host isolation. The sandbox configurations add security hardening: read-only filesystem, capability dropping (cap_drop: ALL), no-new-privileges, resource limits (2 GB RAM, 2 CPUs, 500 PIDs), tmpfs for /tmp and /run, and a dedicated bridge network. Documentation updated in all 6 languages (en, pt-br, fr, ja, vi, zh).

🗣️ Type of Change

• 🐞 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 📖 Documentation update
• ⚡ Code refactoring (no functional changes, no api changes)

🤖 AI Code Generation

• 🤖 Fully AI-generated (100% AI, 0% Human)
• 🛠️ Mostly AI-generated (AI draft, Human verified/modified)
• 👨‍💻 Mostly Human-written (Human lead, AI assisted or none)

🔗 Related Issue

N/A

📚 Technical Context (Skip for Docs)

• Reference URL: N/A
• Reasoning: Running containers with default Docker settings exposes the host to potential resource exhaustion and privilege escalation. The sandbox compose files provide a hardened alternative without modifying the original compose files.

🧪 Test Environment

• Hardware: PC
• OS: Windows 11 Pro
• Model/Provider: N/A (infrastructure only)
• Channels: N/A

☑️ Checklist

• My code/docs follow the style of this project.
• I have performed a self-review of my own changes.
• I have updated the documentation accordingly.