fix(#337): Enable Docker sandbox by default and warn when disabled

- Sandbox now enabled by default for security
- Logs prominent warning when explicitly disabled
- Agents run in containers unless SANDBOX_ENABLED=false

Refs #337

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/orchestrator/src/spawner/docker-sandbox.service.ts

@@ -53,6 +53,12 @@ export class DockerSandboxService {
     this.logger.log(
       `DockerSandboxService initialized (enabled: ${this.sandboxEnabled.toString()}, socket: ${socketPath})`
     );
+
+    if (!this.sandboxEnabled) {
+      this.logger.warn(
+        "SECURITY WARNING: Docker sandbox is DISABLED. Agents will run directly on the host without container isolation."
+      );
+    }
   }
 
   /**