[ACTP] PAR: per-environment paths for rshell allow-list

[julesmcrt]

What does this PR do?

Adds per-environment routing to the rshell allowedPaths task input. The backend now ships allowedPaths as a map keyed by execution environment:

{
  "bare_metal":    ["/var/log"],
  "containerized": ["/host/var/log"]
}

The runner picks the relevant slice based on env.IsContainerized() via the new selectBackendPathsFromEnv helper, then the slice flows through the existing intersection logic. This lets a single Balto rule cover both host-installed agents (which see /var/log) and containerized agents (which see /host/var/log).

⚠️ Wire-format change

allowedPaths is no longer a slice on the wire. The runner ships in this PR; Balto / wf-actions-server need to ship the new shape concurrently. Old tasks (slice shape) will fail to deserialize on the new runner — coordinate the rollout.

Stacked on top of #49949 (PR3 in the split)

This is PR4 of 4 splitting #49825. Base: PR3 branch. Will retarget after PR1+PR2+PR3 land.

Describe how you validated your changes

• New TestSelectBackendPathsFromEnv in helper_test.go covers 7 cases: nil/empty maps (kill-switch), bare-metal/containerized branches, missing-key kill-switch in either direction, and unknown future keys ignored. Uses t.Setenv("DOCKER_DD_AGENT", ...) to flip env.IsContainerized().
• End-to-end TestRunCommandBackendAllowedPathsRestrictsAccess updated to use the map shape with the bare-metal key.
• 432 tests pass across pkg/privateactionrunner/adapters/config, pkg/privateactionrunner/bundles/remoteaction/rshell, and pkg/config/setup. Linter clean.

🤖 Generated with Claude Code

[datadog-official]

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 50.22% (+0.01%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 3fd5c8f | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

Files inventory check summary

File checks results against ancestor c1888d89:

Results for datadog-agent_7.80.0~devel.git.266.3fd5c8f.pipeline.109975006-1_amd64.deb:

No change detected

[dd-octo-sts]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor c1888d8
📊 Static Quality Gates Dashboard
🔗 SQG Job

Successful checks

Info

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	+8.0 KiB (0.00% increase)	738.997 → 739.005 → 750.310
✅	agent_msi	+10.5 KiB (0.00% increase)	604.157 → 604.167 → 620.770
✅	agent_rpm_amd64	+8.0 KiB (0.00% increase)	738.980 → 738.988 → 750.280
✅	agent_rpm_arm64	+8.0 KiB (0.00% increase)	717.073 → 717.081 → 724.050
✅	agent_suse_amd64	+8.0 KiB (0.00% increase)	738.980 → 738.988 → 750.280
✅	agent_suse_arm64	+8.0 KiB (0.00% increase)	717.073 → 717.081 → 724.050
✅	docker_agent_amd64	+8.0 KiB (0.00% increase)	799.455 → 799.463 → 805.870
✅	docker_agent_arm64	+8.01 KiB (0.00% increase)	802.357 → 802.365 → 809.730
✅	docker_agent_jmx_amd64	+8.0 KiB (0.00% increase)	990.375 → 990.382 → 996.590
✅	docker_agent_jmx_arm64	+8.01 KiB (0.00% increase)	982.055 → 982.063 → 989.410

21 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_deb_amd64_fips	697.423 MiB
✅	agent_heroku_amd64	309.103 MiB
✅	agent_rpm_amd64_fips	697.407 MiB
✅	agent_rpm_arm64_fips	678.532 MiB
✅	agent_suse_amd64_fips	697.407 MiB
✅	agent_suse_arm64_fips	678.532 MiB
✅	docker_cluster_agent_amd64	206.269 MiB
✅	docker_cluster_agent_arm64	220.383 MiB
✅	docker_cws_instrumentation_amd64	7.142 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_dogstatsd_amd64	39.347 MiB
✅	docker_dogstatsd_arm64	37.565 MiB
✅	dogstatsd_deb_amd64	30.001 MiB
✅	dogstatsd_deb_arm64	28.142 MiB
✅	dogstatsd_rpm_amd64	30.001 MiB
✅	dogstatsd_suse_amd64	30.001 MiB
✅	iot_agent_deb_amd64	44.372 MiB
✅	iot_agent_deb_arm64	41.361 MiB
✅	iot_agent_deb_armhf	42.097 MiB
✅	iot_agent_rpm_amd64	44.373 MiB
✅	iot_agent_suse_amd64	44.373 MiB

On-wire sizes (compressed)

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	-28.55 KiB (0.02% reduction)	174.984 → 174.956 → 179.160
✅	agent_deb_amd64_fips	-17.51 KiB (0.01% reduction)	166.645 → 166.628 → 174.440
✅	agent_heroku_amd64	-4.79 KiB (0.01% reduction)	74.911 → 74.906 → 80.310
✅	agent_msi	-8.0 KiB (0.01% reduction)	139.270 → 139.262 → 147.550
✅	agent_rpm_amd64	+17.28 KiB (0.01% increase)	176.944 → 176.961 → 182.080
✅	agent_rpm_amd64_fips	-2.03 KiB (0.00% reduction)	168.007 → 168.005 → 174.140
✅	agent_rpm_arm64	+29.11 KiB (0.02% increase)	159.252 → 159.280 → 163.610
✅	agent_rpm_arm64_fips	+24.96 KiB (0.02% increase)	151.449 → 151.473 → 156.850
✅	agent_suse_amd64	+17.28 KiB (0.01% increase)	176.944 → 176.961 → 182.080
✅	agent_suse_amd64_fips	-2.03 KiB (0.00% reduction)	168.007 → 168.005 → 174.140
✅	agent_suse_arm64	+29.11 KiB (0.02% increase)	159.252 → 159.280 → 163.610
✅	agent_suse_arm64_fips	+24.96 KiB (0.02% increase)	151.449 → 151.473 → 156.850
✅	docker_agent_amd64	+23.88 KiB (0.01% increase)	267.115 → 267.138 → 272.990
✅	docker_agent_arm64	+17.72 KiB (0.01% increase)	254.142 → 254.159 → 261.470
✅	docker_agent_jmx_amd64	+19.14 KiB (0.01% increase)	335.778 → 335.797 → 341.610
✅	docker_agent_jmx_arm64	+23.33 KiB (0.01% increase)	318.782 → 318.804 → 326.050
✅	docker_cluster_agent_amd64	+2.73 KiB (0.00% increase)	72.297 → 72.300 → 73.460
✅	docker_cluster_agent_arm64	neutral	67.763 MiB → 68.680
✅	docker_cws_instrumentation_amd64	neutral	2.999 MiB → 3.330
✅	docker_cws_instrumentation_arm64	neutral	2.729 MiB → 3.090
✅	docker_dogstatsd_amd64	neutral	15.229 MiB → 15.870
✅	docker_dogstatsd_arm64	-7.44 KiB (0.05% reduction)	14.549 → 14.542 → 14.890
✅	dogstatsd_deb_amd64	neutral	7.934 MiB → 8.830
✅	dogstatsd_deb_arm64	neutral	6.819 MiB → 7.750
✅	dogstatsd_rpm_amd64	neutral	7.946 MiB → 8.840
✅	dogstatsd_suse_amd64	neutral	7.946 MiB → 8.840
✅	iot_agent_deb_amd64	-2.05 KiB (0.02% reduction)	11.678 → 11.676 → 13.210
✅	iot_agent_deb_arm64	neutral	9.981 MiB → 11.620
✅	iot_agent_deb_armhf	neutral	10.187 MiB → 11.780
✅	iot_agent_rpm_amd64	neutral	11.694 MiB → 13.230
✅	iot_agent_suse_amd64	neutral	11.694 MiB → 13.230