test: enforce strict replay sandboxing in e2e fixtures

[sohankshirsagar]

• grpc tests fail due to potential fence issue. wait for that to be resolved

Summary

Enable strict replay sandboxing across the Python e2e and stack-test fixtures so local/CI replay runs exercise the sandboxed path instead of silently falling back. This also updates sandbox-sensitive HTTP fixtures to install SOCKS support, since strict replay routes outbound HTTP through a SOCKS proxy.

Changes

• set replay.sandbox.mode: strict in all checked-in e2e and stack-test .tusk/config.yaml fixtures
• add the required Docker sandbox permissions to each app service in the test docker-compose.yml files:
  • cap_add: [SYS_ADMIN]
  • security_opt: [seccomp=unconfined, apparmor=unconfined]
• install bubblewrap and socat in the shared python-e2e-base image used by the test containers
• update the httpx and fastapi e2e test requirements to use httpx[socks] and document why that extra is needed under strict replay sandboxing
• keep the fixture changes centralized in shared test infrastructure where possible rather than duplicating setup per test image

Notes

• strict sandbox replay exposed protocol-specific fixture requirements rather than changing app logic
• httpx-based fixtures needed SOCKS support because replay now intercepts outbound HTTP through a SOCKS proxy

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Generated gRPC stub version bump without requirements update

Medium Severity

The regenerated greeter_pb2_grpc.py bumps GRPC_GENERATED_VERSION from '1.76.0' to '1.78.0', but requirements.txt still allows grpcio>=1.60.0. The generated runtime check (first_version_is_lower) raises a RuntimeError at import if the installed grpcio is below 1.78.0. This change is unrelated to the PR's strict-sandbox goal and looks accidentally committed alongside the config changes.