DockCode isolates OpenCode inside sandboxed VM

This is the right fix for agent overreach: give the model a disposable machine, not another permission dialog.

• –The split is clean: a keygen init container, `opencode-server`, and `opencode-vm` keep SSH auth, the control plane, and execution separated.
• –It meaningfully reduces blast radius, because the agent can't reach the host filesystem, Docker socket, or OpenCode config.
• –The VM is intentionally permissive, so DockCode is containment, not least-privilege hardening; that's a good trade for power users but not a silver bullet.
• –Docker is already pushing its own OpenCode sandbox story, so DockCode's edge will come from UX, self-hostability, and how easy it is to customize.
• –The shared workspace is a practical compromise: the host can inspect and edit files while the agent still gets a writable Linux environment.