Update course material for standalone sandbox deployment

[rdwj]

The code-sandbox project now recommends standalone deployment (separate pod) over sidecar for production use. The course material and demos need to reflect this.

What changed (fips-agents/code-sandbox):

• ADR accepted: standalone Deployment + ClusterIP Service is the recommended production pattern
• New values-standalone.yaml overlay with production defaults (replicas=2, seccomp, NetworkPolicy)
• Container-level seccomp now blocks io_uring (moved from ALLOW to BLOCKED)
• Subprocess-level seccomp BPF filter blocks all networking syscalls + io_uring
• Sidecar mode remains supported for dev/simple clusters

Course material updates needed:

1. Sandbox deployment module: Update to show both deployment modes (sidecar for dev, standalone for production). Include values-standalone.yaml usage and the code-sandbox-client label requirement.

2. Architecture diagrams: Add the separate-pod diagram showing agent pod → ClusterIP Service → sandbox pod, with NetworkPolicy enforcement.

3. Security module: Update the defense-in-depth layer list to include subprocess seccomp BPF (Layer 5) alongside the container-level seccomp. Mention io_uring blocking.

4. Helm chart walkthrough: Show how values-standalone.yaml overlay works vs the default values.yaml. Explain the networkPolicy.ingressFrom override for cross-namespace deployments.

References:

• ADR: fips-agents/code-sandbox/docs/separate-pod-design.md
• Standalone overlay: fips-agents/code-sandbox/chart/values-standalone.yaml
• Seccomp change: fips-agents/code-sandbox@7e34d9d
• Subprocess BPF: fips-agents/code-sandbox@c229e93

Blocked by: agent-template changes for sandbox.external.enabled (not yet implemented)