
[codex] security runtime followups#99

Merged: NathanFlurry merged 1 commit into main from codex/security-runtime-followups on Jun 20, 2026

Conversation

@NathanFlurry

Member

What changed

Implements the secure-exec security-review followups for the runtime layer:

  • enforces WASM execution deadlines from the production poll paths, not only wait()
  • defaults JS CPU, JS heap, and WASM memory to bounded values
  • clears V8 sticky termination state before reused executions and after terminated runs
  • adds regression coverage for WASM poll timeout, sidecar command timeout, runtime defaults, and reused-session execution after termination

Why

The post-merge review found that several earlier protections were either default-off or not enforced on the sidecar production path. These gaps left CPU/memory runaways possible and could poison reused V8 isolates after termination.

Validation

  • pnpm --dir /home/nathan/secure-exec-followups/packages/core build
  • cargo test -p secure-exec-sidecar defaults_match_struct_default --test limits -- --exact --nocapture
  • cargo test -p secure-exec-v8-runtime embedded_runtime_session_consolidated_behaviors --test embedded_runtime_session -- --exact --nocapture
  • cargo test -p secure-exec-execution wasm_suite --test wasm -- --exact --nocapture
  • cargo test -p secure-exec-sidecar service::tests::aab_wasm_command_timeout_is_enforced_by_sidecar_poll_path --test service -- --exact --nocapture
  • cargo test -p secure-exec-execution javascript_v8_suite --test javascript_v8 -- --exact --nocapture

Notes

The TODO suggested one finding per PR. I grouped the three secure-exec runtime findings here because the tests and behavior overlap in the execution timeout/limit surface; a split is possible if preferred.
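The two behaviours the description names, enforcing the execution deadline on the poll path rather than only in `wait()`, and clearing sticky termination state before a session is reused, as an added Rust model that is not secure-exec's own code. `Session`, `Execution`, `poll`, `wait`, `clear_termination` and `drive` are hypothetical names; the clock is a caller-supplied millisecond counter so the example runs deterministically, and the `enforce_deadline_on_poll` flag stands in for the before and after of the fix.

```rust
// Added example, not secure-exec code: a deterministic model of deadline
// enforcement on the poll path and of sticky termination state on a reused
// session. All type and function names here are hypothetical.
use std::time::Duration;

/// Outcome of polling or waiting on an execution.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Poll {
    Pending,
    Ready,
    TimedOut,
}

/// Reusable runtime session (stand-in for a pooled V8 isolate).
#[derive(Debug, Default)]
pub struct Session {
    /// Sticky flag: once a run is terminated, later runs in the same session
    /// are refused until this is explicitly cleared.
    terminated: bool,
}

impl Session {
    pub fn is_terminated(&self) -> bool {
        self.terminated
    }

    /// Called after a terminated run (or before reuse) so a previous timeout
    /// cannot poison the next execution in this session.
    pub fn clear_termination(&mut self) {
        self.terminated = false;
    }
}

/// One execution with a wall-clock deadline. `now_ms` is the caller-supplied
/// clock; `finish_at_ms` is the constructed moment the guest work would
/// complete on its own (u64::MAX models a runaway guest).
pub struct Execution<'a> {
    session: &'a mut Session,
    started_ms: u64,
    deadline_ms: u64,
    finish_at_ms: u64,
    enforce_deadline_on_poll: bool,
}

impl<'a> Execution<'a> {
    pub fn start(
        session: &'a mut Session,
        now_ms: u64,
        deadline: Duration,
        finish_at_ms: u64,
        enforce_deadline_on_poll: bool,
    ) -> Result<Self, &'static str> {
        if session.terminated {
            return Err("session carries sticky termination state; clear it before reuse");
        }
        Ok(Self {
            session,
            started_ms: now_ms,
            deadline_ms: deadline.as_millis() as u64,
            finish_at_ms,
            enforce_deadline_on_poll,
        })
    }

    fn past_deadline(&self, now_ms: u64) -> bool {
        now_ms.saturating_sub(self.started_ms) >= self.deadline_ms
    }

    /// Non-blocking path used by a sidecar command loop. With the flag off
    /// (the pre-fix behaviour) a caller that only polls never terminates a
    /// runaway guest, because the deadline is checked only in `wait()`.
    pub fn poll(&mut self, now_ms: u64) -> Poll {
        if now_ms >= self.finish_at_ms {
            return Poll::Ready;
        }
        if self.enforce_deadline_on_poll && self.past_deadline(now_ms) {
            self.session.terminated = true;
            return Poll::TimedOut;
        }
        Poll::Pending
    }

    /// Blocking path: completes or hits the deadline, whichever comes first.
    pub fn wait(&mut self) -> Poll {
        if self.finish_at_ms.saturating_sub(self.started_ms) < self.deadline_ms {
            Poll::Ready
        } else {
            self.session.terminated = true;
            Poll::TimedOut
        }
    }
}

/// Drive an execution through a 1 ms polling loop, giving up after
/// `max_ticks` polls so a runaway guest cannot hang the example.
pub fn drive(
    session: &mut Session,
    deadline: Duration,
    finish_at_ms: u64,
    enforce_deadline_on_poll: bool,
    max_ticks: u64,
) -> Result<Poll, &'static str> {
    let mut exec = Execution::start(session, 0, deadline, finish_at_ms, enforce_deadline_on_poll)?;
    let mut last = Poll::Pending;
    for now_ms in 0..=max_ticks {
        last = exec.poll(now_ms);
        if last != Poll::Pending {
            break;
        }
    }
    Ok(last)
}
```

The regression shape the PR's test list points at follows directly: a guest that never finishes is still `Pending` after the loop with the flag off, is `TimedOut` at the deadline with the flag on, and the session then refuses a new execution until `clear_termination()` runs.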

@railway-app

railway-app Bot commented Jun 20, 2026


🚅 Environment secure-exec-pr-99 in rivet-frontend has no services deployed.

NathanFlurry force-pushed the codex/security-runtime-followups branch 7 times, most recently from 342b83f to f408cfb on June 20, 2026 06:29
NathanFlurry force-pushed the codex/security-runtime-followups branch from f408cfb to 5c7b16c on June 20, 2026 06:36
NathanFlurry marked this pull request as ready for review June 20, 2026 07:19
NathanFlurry merged commit 90fe77a into main Jun 20, 2026
1 of 2 checks passed
NathanFlurry deleted the codex/security-runtime-followups branch June 20, 2026 07:20