refactor: idiomatic cleanups in wxc_common and the AppContainer/WSLC/LXC backends

[MGudgin]

Summary

Idiomatic-Rust cleanups. No intended behavior change — only ownership,
error-signalling, and stdlib-usage improvements. This is the follow-up to the
behavior-bug PR (#570); the larger related refactors (WxcError typed source
errors, SDK/CLI PathBuf migration, mxc_pty typed error, the WinHTTP-shim
RAII rework) are intentionally deferred to their own focused PRs.

Details

• Capability SID ownership. get_capability_sid_from_name now returns an
  owning OwnedCapabilitySid (frees on drop) instead of a raw *mut c_void
  with a "caller must LocalFree" contract. The helper and the owner type
  were relocated out of the shared wxc_common foundation into the
  appcontainer backend (now private) — capability SIDs are an AppContainer
  concept with a single caller, so this both removes the hand-rolled
  CapabilitySidGuard and keeps backend-specific logic out of the foundation
  crate.
• string_util::sid_to_string returns Option<String> instead of taking a
  sentinel default_value. The LocalAlloc'd buffer is still read then freed
  exactly once on the success path; the four call sites map None to their
  prior fallback.
• ErrorEnvelope.code is now the closed MxcErrorCode enum rather than a
  String. The snake_case wire format is unchanged (serde).
• deserialize_config deserializes from the borrowed &Value instead of
  cloning the backend config subtree.
• WSLC image enumeration is allocation-free (slice::from_raw_parts + a
  first-NUL scan with full-buffer fallback) instead of manual .offset(i)
  pointer walking and a per-entry Vec<u8>.
• LXC validate_path drops a provably-unreachable \n/\r branch already
  covered by char::is_whitespace.

Tests

• cargo test -p wxc_common -p appcontainer_common -p wslc_common — 126 + 45 +
  346 pass (includes the updated sid_to_string_null_returns_none and the
  ErrorEnvelope round-trip/serialisation tests).
• cargo clippy -p wxc_common -p appcontainer_common -p wslc_common --all-targets -- -D warnings and cargo fmt ... -- --check clean.
• cargo check -p wxc --all-targets clean (full Windows backend dispatch).
• Not built on the Windows host: the LXC validate_path change
  (lxc_common is Linux-only). It is the removal of a provably-dead branch
  with no logic change.

Related Issues

• (none)

[Copilot]

Pull request overview

This PR performs idiomatic Rust refactors across wxc_common and several backends (AppContainer / WSLC / LXC), aiming for no behavioral change while improving ownership, error typing, and avoiding unnecessary allocations in hot paths.

Changes:

• Refactors SID handling: sid_to_string now returns Option<String>, and AppContainer capability SID derivation now uses an owned RAII wrapper.
• Tightens the state-aware error wire model by making ErrorEnvelope.code a closed MxcErrorCode enum (still serialized as snake_case strings).
• Removes avoidable allocations/clones in config deserialization and WSLC image enumeration logic.

Show a summary per file

File	Description
src/core/wxc_common/src/string_util.rs	sid_to_string now returns Option<String> and avoids sentinel defaults.
src/core/wxc_common/src/state_aware_request.rs	Deserializes per-phase config directly from a borrowed &Value (no subtree clone).
src/core/wxc_common/src/process_util.rs	Removes capability SID derivation helper from the shared foundation crate.
src/core/wxc_common/src/mxc_error.rs	Makes ErrorEnvelope.code a typed MxcErrorCode while preserving snake_case wire format.
src/core/wxc_common/src/diagnostic.rs	Updates current-user SID collection to use Option<String> from sid_to_string.
src/backends/wslc/common/src/wsl_container_runner.rs	Refactors WSLC image enumeration to be allocation-free when checking image names.
src/backends/lxc/common/src/filesystem_mounts.rs	Simplifies validate_path by relying on char::is_whitespace.
src/backends/appcontainer/common/src/sandbox_tracking.rs	Updates SID-to-string conversion to use Option<String> and map failures explicitly.
src/backends/appcontainer/common/src/base_container_runner.rs	Adapts SID formatting call sites to Option<String> with fallback.
src/backends/appcontainer/common/src/appcontainer_runner.rs	Introduces OwnedCapabilitySid RAII + relocates capability SID derivation into the backend.

Review details

• Files reviewed: 10/10 changed files
• Comments generated: 1
• Review effort level: Low

[bbonaby]

issue: missing safety comment here and throughout

[bbonaby]

question: should this just be a static member function inside OwnedCapabilitySid rather than a free function? Seems like they go hand in hand.

[bbonaby]

thought: I'm trying to remember why this was a String instead of the enum error code to begin with but I can't remember. It does seem more natural to use the enum though.

[bbonaby]

note: for readability we should be a bit careful with nested tuple structs, since to get the inner value of them we need to use the .# syntax. In this case, we have to do .#.# to get the windows-rs PSID value so it can be a hard read if we were doing more than just that.

I'd probably just use a regular struct, and do something like:

struct OwnedCapabilitySid {
    sid: PSID,
}

impl OwnedCapabilitySid {
    fn new(sid: PSID) -> Self {
        Self { sid }
    }

    fn as_psid(&self) -> PSID {
        self.sid
    }
}

impl Drop for OwnedCapabilitySid {
    fn drop(&mut self) {
        let ptr = self.sid.0;

        if !ptr.is_null() {
            // SAFETY:
            // `OwnedCapabilitySid` owns this SID pointer. It must have been
            // allocated by the Windows API using LocalAlloc-compatible
            // allocation.
            unsafe {
                let _ = LocalFree(Some(HLOCAL(ptr)));
            }
        }
    }
}